feat: retrieve and store groups from ldap provider

refactor: remove useless session struct abstraction
Merge branch 'main' into feat/ldap-groups
2026-01-13 19:02:29 +00:00 · 2026-01-09 23:23:36 +02:00 · 2026-01-09 22:43:30 +02:00 · 2026-01-09 22:35:20 +02:00 · 2026-01-08 16:03:37 +02:00 · 2026-01-08 15:35:58 +02:00
163 changed files with 9085 additions and 5537 deletions
--- a/.coderabbit.yaml
+++ b/.coderabbit.yaml
@@ -0,0 +1,3 @@
 issue_enrichment:
  auto_enrich:
    enabled: false
--- a/.env.example
+++ b/.env.example
@@ -1,33 +1,88 @@
-PORT=3000
+# Base Configuration
-ADDRESS=0.0.0.0
+
-SECRET=app_secret
+# The base URL where Tinyauth is accessible
-SECRET_FILE=app_secret_file
+TINYAUTH_APPURL="https://auth.example.com"
-APP_URL=http://localhost:3000
+# Log level: trace, debug, info, warn, error
-USERS=your_user_password_hash
+TINYAUTH_LOGLEVEL="info"
-USERS_FILE=users_file
+# Directory for static resources
-COOKIE_SECURE=false
+TINYAUTH_RESOURCESDIR="/data/resources"
-GITHUB_CLIENT_ID=github_client_id
+# Path to SQLite database file
-GITHUB_CLIENT_SECRET=github_client_secret
+TINYAUTH_DATABASEPATH="/data/tinyauth.db"
-GITHUB_CLIENT_SECRET_FILE=github_client_secret_file
+# Disable version heartbeat
-GOOGLE_CLIENT_ID=google_client_id
+TINYAUTH_DISABLEANALYTICS="false"
-GOOGLE_CLIENT_SECRET=google_client_secret
+# Disable static resource serving
-GOOGLE_CLIENT_SECRET_FILE=google_client_secret_file
+TINYAUTH_DISABLERESOURCES="false"
-GENERIC_CLIENT_ID=generic_client_id
+# Disable UI warning messages
-GENERIC_CLIENT_SECRET=generic_client_secret
+TINYAUTH_DISABLEUIWARNINGS="false"
-GENERIC_CLIENT_SECRET_FILE=generic_client_secret_file
+# Enable JSON formatted logs
-GENERIC_SCOPES=generic_scopes
+TINYAUTH_LOGJSON="false"
-GENERIC_AUTH_URL=generic_auth_url
+
-GENERIC_TOKEN_URL=generic_token_url
+# Server Configuration
-GENERIC_USER_URL=generic_user_url
+
-DISABLE_CONTINUE=false
+# Port to listen on
-OAUTH_WHITELIST=
+TINYAUTH_SERVER_PORT="3000"
-GENERIC_NAME=My OAuth
+# Interface to bind to (0.0.0.0 for all interfaces)
-SESSION_EXPIRY=7200
+TINYAUTH_SERVER_ADDRESS="0.0.0.0"
-LOGIN_TIMEOUT=300
+# Unix socket path (optional, overrides port/address if set)
-LOGIN_MAX_RETRIES=5
+TINYAUTH_SERVER_SOCKETPATH=""
-LOG_LEVEL=0
+# Comma-separated list of trusted proxy IPs/CIDRs
-APP_TITLE=Tinyauth SSO
+TINYAUTH_SERVER_TRUSTEDPROXIES=""
-FORGOT_PASSWORD_MESSAGE=Some message about resetting the password
+
-OAUTH_AUTO_REDIRECT=none
+# Authentication Configuration
-BACKGROUND_IMAGE=some_image_url
+
-GENERIC_SKIP_SSL=false
+# Format: username:bcrypt_hash (use bcrypt to generate hash)
 TINYAUTH_AUTH_USERS="admin:$2a$10$example_bcrypt_hash_here"
 # Path to external users file (optional)
 TINYAUTH_AUTH_USERSFILE=""
 # Enable secure cookies (requires HTTPS)
 TINYAUTH_AUTH_SECURECOOKIE="true"
 # Session expiry in seconds (7200 = 2 hours)
 TINYAUTH_AUTH_SESSIONEXPIRY="7200"
 # Session maximum lifetime in seconds (0 = unlimited)
 TINYAUTH_AUTH_SESSIONMAXLIFETIME="0"
 # Login timeout in seconds (300 = 5 minutes)
 TINYAUTH_AUTH_LOGINTIMEOUT="300"
 # Maximum login retries before lockout
 TINYAUTH_AUTH_LOGINMAXRETRIES="5"
 # OAuth Configuration
 # Regex pattern for allowed email addresses (e.g., /@example\.com$/)
 TINYAUTH_OAUTH_WHITELIST=""
 # Provider ID to auto-redirect to (skips login page)
 TINYAUTH_OAUTH_AUTOREDIRECT=""
 # OAuth Provider Configuration (replace MYPROVIDER with your provider name)
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_CLIENTID="your_client_id_here"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_CLIENTSECRET="your_client_secret_here"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_AUTHURL="https://provider.example.com/oauth/authorize"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_TOKENURL="https://provider.example.com/oauth/token"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_USERINFOURL="https://provider.example.com/oauth/userinfo"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_REDIRECTURL="https://auth.example.com/oauth/callback/myprovider"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_SCOPES="openid email profile"
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_NAME="My OAuth Provider"
 # Allow self-signed certificates
 TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_INSECURE="false"
 # UI Customization
 # Custom title for login page
 TINYAUTH_UI_TITLE="Tinyauth"
 # Message shown on forgot password page
 TINYAUTH_UI_FORGOTPASSWORDMESSAGE="Contact your administrator to reset your password"
 # Background image URL for login page
 TINYAUTH_UI_BACKGROUNDIMAGE=""
 # LDAP Configuration
 # LDAP server address
 TINYAUTH_LDAP_ADDRESS="ldap://ldap.example.com:389"
 # DN for binding to LDAP server
 TINYAUTH_LDAP_BINDDN="cn=readonly,dc=example,dc=com"
 # Password for bind DN
 TINYAUTH_LDAP_BINDPASSWORD="your_bind_password"
 # Base DN for user searches
 TINYAUTH_LDAP_BASEDN="dc=example,dc=com"
 # Search filter (%s will be replaced with username)
 TINYAUTH_LDAP_SEARCHFILTER="(&(uid=%s)(memberOf=cn=users,ou=groups,dc=example,dc=com))"
 # Allow insecure LDAP connections
 TINYAUTH_LDAP_INSECURE="false"
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,17 +18,31 @@ jobs:
      - name: Setup go
        uses: actions/setup-go@v5
        with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Install frontend dependencies
        run: |
          cd frontend
-          bun install
+          bun install --frozen-lockfile
      - name: Set version
        run: |
          echo testing > internal/assets/version
      - name: Lint frontend
        run: |
          cd frontend
          bun run lint
      - name: Build frontend
        run: |
          cd frontend
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -61,12 +61,21 @@ jobs:
      - name: Install go
        uses: actions/setup-go@v5
        with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Install frontend dependencies
        run: |
          cd frontend
-          bun install
+          bun install --frozen-lockfile
      - name: Install backend dependencies
        run: |
@@ -80,7 +89,7 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X tinyauth/internal/constants.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/constants.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/constants.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64
+          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
@@ -107,12 +116,21 @@ jobs:
      - name: Install go
        uses: actions/setup-go@v5
        with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Install frontend dependencies
        run: |
          cd frontend
-          bun install
+          bun install --frozen-lockfile
      - name: Install backend dependencies
        run: |
@@ -126,7 +144,7 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X tinyauth/internal/constants.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/constants.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/constants.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64
+          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
@@ -147,6 +165,15 @@ jobs:
        with:
          ref: nightly
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
@@ -171,6 +198,9 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
@@ -190,17 +220,27 @@ jobs:
          if-no-files-found: error
          retention-days: 1
-  image-build-arm:
+  image-build-distroless:
-    runs-on: ubuntu-24.04-arm
+    runs-on: ubuntu-latest
    needs:
      - create-release
      - generate-metadata
      - image-build
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: nightly
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
@@ -217,9 +257,72 @@ jobs:
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
-      - name: Set version
+      - name: Build and push
        uses: docker/build-push-action@v6
        id: build
        with:
          platforms: linux/amd64
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          file: Dockerfile.distroless
          cache-from: type=gha
          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
      - name: Export digest
        run: |
-          echo nightly > internal/assets/version
+          mkdir -p ${{ runner.temp }}/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-distroless-linux-amd64
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error
          retention-days: 1
  image-build-arm:
    runs-on: ubuntu-24.04-arm
    needs:
      - create-release
      - generate-metadata
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: nightly
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and push
        uses: docker/build-push-action@v6
@@ -229,6 +332,9 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
@@ -248,6 +354,74 @@ jobs:
          if-no-files-found: error
          retention-days: 1
  image-build-arm-distroless:
    runs-on: ubuntu-24.04-arm
    needs:
      - create-release
      - generate-metadata
      - image-build-arm
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          ref: nightly
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and push
        uses: docker/build-push-action@v6
        id: build
        with:
          platforms: linux/arm64
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          file: Dockerfile.distroless
          cache-from: type=gha
          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
      - name: Export digest
        run: |
          mkdir -p ${{ runner.temp }}/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-distroless-linux-arm64
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error
          retention-days: 1
  image-merge:
    runs-on: ubuntu-latest
    needs:
@@ -276,6 +450,8 @@ jobs:
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
            latest=false
          tags: |
            type=raw,nightly
@@ -285,6 +461,45 @@ jobs:
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf 'ghcr.io/${{ github.repository_owner }}/tinyauth@sha256:%s ' *)
  image-merge-distroless:
    runs-on: ubuntu-latest
    needs:
      - image-build-distroless
      - image-build-arm-distroless
    steps:
      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-distroless-*
          merge-multiple: true
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
            latest=false
          tags: |
            type=raw,nightly-distroless
      - name: Create manifest list and push
        working-directory: ${{ runner.temp }}/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf 'ghcr.io/${{ github.repository_owner }}/tinyauth@sha256:%s ' *)
  update-release:
    runs-on: ubuntu-latest
    needs:
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -39,12 +39,21 @@ jobs:
      - name: Install go
        uses: actions/setup-go@v5
        with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Install frontend dependencies
        run: |
          cd frontend
-          bun install
+          bun install --frozen-lockfile
      - name: Install backend dependencies
        run: |
@@ -58,7 +67,7 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X tinyauth/internal/constants.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/constants.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/constants.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64
+          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
@@ -82,12 +91,21 @@ jobs:
      - name: Install go
        uses: actions/setup-go@v5
        with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Install frontend dependencies
        run: |
          cd frontend
-          bun install
+          bun install --frozen-lockfile
      - name: Install backend dependencies
        run: |
@@ -101,7 +119,7 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X tinyauth/internal/constants.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/constants.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/constants.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64
+          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
@@ -119,6 +137,15 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
@@ -143,6 +170,9 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
@@ -162,6 +192,71 @@ jobs:
          if-no-files-found: error
          retention-days: 1
  image-build-distroless:
    runs-on: ubuntu-latest
    needs:
      - generate-metadata
      - image-build
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and push
        uses: docker/build-push-action@v6
        id: build
        with:
          platforms: linux/amd64
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          file: Dockerfile.distroless
          cache-from: type=gha
          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
      - name: Export digest
        run: |
          mkdir -p ${{ runner.temp }}/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-distroless-linux-amd64
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error
          retention-days: 1
  image-build-arm:
    runs-on: ubuntu-24.04-arm
    needs:
@@ -170,6 +265,15 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
@@ -194,6 +298,9 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          cache-from: type=gha
          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
@@ -213,6 +320,71 @@ jobs:
          if-no-files-found: error
          retention-days: 1
  image-build-arm-distroless:
    runs-on: ubuntu-24.04-arm
    needs:
      - generate-metadata
      - image-build-arm
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and push
        uses: docker/build-push-action@v6
        id: build
        with:
          platforms: linux/arm64
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
          file: Dockerfile.distroless
          cache-from: type=gha
          cache-to: type=gha,mode=max
          github-token: ${{ secrets.GITHUB_TOKEN }}
          build-args: |
            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
      - name: Export digest
        run: |
          mkdir -p ${{ runner.temp }}/digests
          digest="${{ steps.build.outputs.digest }}"
          touch "${{ runner.temp }}/digests/${digest#sha256:}"
      - name: Upload digest
        uses: actions/upload-artifact@v4
        with:
          name: digests-distroless-linux-arm64
          path: ${{ runner.temp }}/digests/*
          if-no-files-found: error
          retention-days: 1
  image-merge:
    runs-on: ubuntu-latest
    needs:
@@ -241,10 +413,55 @@ jobs:
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
            prefix=v,onlatest=false
          tags: |
-            type=semver,pattern={{version}},prefix=v
+            type=semver,pattern={{version}}
-            type=semver,pattern={{major}},prefix=v
+            type=semver,pattern={{major}}
-            type=semver,pattern={{major}}.{{minor}},prefix=v
+            type=semver,pattern={{major}}.{{minor}}
      - name: Create manifest list and push
        working-directory: ${{ runner.temp }}/digests
        run: |
          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
            $(printf 'ghcr.io/${{ github.repository_owner }}/tinyauth@sha256:%s ' *)
  image-merge-distroless:
    runs-on: ubuntu-latest
    needs:
      - image-build-distroless
      - image-build-arm-distroless
    steps:
      - name: Download digests
        uses: actions/download-artifact@v4
        with:
          path: ${{ runner.temp }}/digests
          pattern: digests-distroless-*
          merge-multiple: true
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
          flavor: |
            latest=false
            prefix=v
            suffix=-distroless
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}
            type=semver,pattern={{major}}.{{minor}}
      - name: Create manifest list and push
        working-directory: ${{ runner.temp }}/digests
--- a/.gitignore
+++ b/.gitignore
@@ -1,26 +1,38 @@
 # dist
-internal/assets/dist
+/internal/assets/dist
 # binaries
-tinyauth
+/tinyauth
 /tinyauth-arm64
 /tinyauth-amd64
 # test docker compose
-docker-compose.test*
+/docker-compose.test*
 # users file
-users.txt
+/users.txt
 # secret test file
-secret*
+/secret*
 # apple stuff
 .DS_Store
 # env
-.env
+/.env
 # tmp directory
-tmp
+/tmp
-# version files
+# data directory
-internal/assets/version
+/data
 # config file
 /config.yml
 # binary out
 /tinyauth.db
 /resources
 # debug files
 __debug_*
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,4 @@
 [submodule "paerser"]
 	path = paerser
 	url = https://github.com/traefik/paerser
 	ignore = all
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -5,7 +5,7 @@ Contributing is relatively easy, you just need to follow the steps below and you
 ## Requirements
 - Bun
- Golang v1.23.2 and above
+- Golang 1.24.0+
 - Git
 - Docker
@@ -18,12 +18,21 @@ git clone https://github.com/steveiliop56/tinyauth
 cd tinyauth
 ```
-## Install requirements
+## Initialize submodules
-Although you will not need the requirements in your machine since the development will happen in docker, I still recommend to install them because this way you will not have import errors. To install the go requirements run:
+The project uses Git submodules for some dependencies, so you need to initialize them with:
 ```sh
-go mod tidy
+git submodule init
 git submodule update
 ```
 ## Install requirements
 Although you will not need the requirements in your machine since the development will happen in Docker, I still recommend to install them because this way you will not have import errors. To install the Go requirements run:
 ```sh
 go mod download
 ```
 You also need to download the frontend dependencies, this can be done like so:
@@ -33,13 +42,21 @@ cd frontend/
 bun install
 ```
 ## Apply patches
 Some of the dependencies need to be patched in order to work correctly with the project, you can apply the patches by running:
 ```sh
 git apply --directory paerser/ patches/nested_maps.diff
 ```
 ## Create your `.env` file
 In order to configure the app you need to create an environment file, this can be done by copying the `.env.example` file to `.env` and modifying the environment variables to suit your needs.
 ## Developing
-I have designed the development workflow to be entirely in docker, this is because it will directly work with traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
+I have designed the development workflow to be entirely in Docker, this is because it will directly work with Traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
 ```
 *.dev.example.com -> 127.0.0.1
@@ -49,7 +66,7 @@ dev.example.com -> 127.0.0.1
 > [!TIP]
 > You can use [sslip.io](https://sslip.io) as a domain if you don't have one to develop with.
-Then you can just make sure the domains are correct in the development docker compose file and run:
+Then you can just make sure the domains are correct in the development Docker compose file and run:
 ```sh
 docker compose -f docker-compose.dev.yml up --build
--- a/33
+++ b/33
@@ -1,12 +1,12 @@
 # Site builder
-FROM oven/bun:1.2.18-alpine AS frontend-builder
+FROM oven/bun:1.3.5-alpine AS frontend-builder
 WORKDIR /frontend
 COPY ./frontend/package.json ./
 COPY ./frontend/bun.lock ./
-RUN bun install
+RUN bun install --frozen-lockfile
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -20,7 +20,7 @@ COPY ./frontend/vite.config.ts ./
 RUN bun run build
 # Builder
-FROM golang:1.24-alpine3.21 AS builder
+FROM golang:1.25-alpine3.21 AS builder
 ARG VERSION
 ARG COMMIT_HASH
@@ -28,27 +28,40 @@ ARG BUILD_TIMESTAMP
 WORKDIR /tinyauth
 COPY ./paerser ./paerser
 COPY go.mod ./
 COPY go.sum ./
 RUN go mod download
 COPY ./main.go ./
 COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
-RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/constants.Version=${VERSION} -X tinyauth/internal/constants.CommitHash=${COMMIT_HASH} -X tinyauth/internal/constants.BuildTimestamp=${BUILD_TIMESTAMP}" 
+RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
- 
+
 # Runner
-FROM alpine:3.22 AS runner
+FROM alpine:3.23 AS runner
 WORKDIR /tinyauth
 RUN apk add --no-cache curl
 COPY --from=builder /tinyauth/tinyauth ./
 RUN mkdir -p /data
 EXPOSE 3000
-ENTRYPOINT ["./tinyauth"]
+VOLUME ["/data"]
 ENV DATABASEPATH=/data/tinyauth.db
 ENV RESOURCESDIR=/data/resources
 ENV GIN_MODE=release
 ENV PATH=$PATH:/tinyauth
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
 ENTRYPOINT ["tinyauth"]
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -1,19 +1,25 @@
-FROM golang:1.24-alpine3.21
+FROM golang:1.25-alpine3.21
 WORKDIR /tinyauth
 COPY ./paerser ./paerser
 COPY go.mod ./
 COPY go.sum ./
 RUN go mod download
 RUN go install github.com/air-verse/air@v1.61.7
 RUN go install github.com/go-delve/delve/cmd/dlv@latest
 COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY ./main.go ./
 COPY ./air.toml ./
 RUN go install github.com/air-verse/air@v1.61.7
 EXPOSE 3000
-ENTRYPOINT ["air", "-c", "air.toml"]
+ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
 ENV TINYAUTH_RESOURCESDIR=/data/resources
 ENTRYPOINT ["air", "-c", "air.toml"]
--- a/Dockerfile.distroless
+++ b/Dockerfile.distroless
@@ -0,0 +1,70 @@
 # Site builder
 FROM oven/bun:1.3.5-alpine AS frontend-builder
 WORKDIR /frontend
 COPY ./frontend/package.json ./
 COPY ./frontend/bun.lock ./
 RUN bun install --frozen-lockfile
 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
 COPY ./frontend/eslint.config.js ./
 COPY ./frontend/index.html ./
 COPY ./frontend/tsconfig.json ./
 COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
 RUN bun run build
 # Builder
 FROM golang:1.25-alpine3.21 AS builder
 ARG VERSION
 ARG COMMIT_HASH
 ARG BUILD_TIMESTAMP
 WORKDIR /tinyauth
 COPY ./paerser ./paerser
 COPY go.mod ./
 COPY go.sum ./
 RUN go mod download
 COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 RUN mkdir -p data
 RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 # Runner
 FROM gcr.io/distroless/static-debian12:latest AS runner
 WORKDIR /tinyauth
 COPY --from=builder /tinyauth/tinyauth ./
 # Since it's distroless, we need to copy the data directory from the builder stage
 COPY --from=builder /tinyauth/data /data
 EXPOSE 3000
 VOLUME ["/data"]
 ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
 ENV TINYAUTH_RESOURCESDIR=/data/resources
 ENV GIN_MODE=release
 ENV PATH=$PATH:/tinyauth
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
 ENTRYPOINT ["tinyauth"]
--- a/64
+++ b/64
@@ -0,0 +1,64 @@
 # Go specific stuff
 CGO_ENABLED := 0
 GOOS := $(shell go env GOOS)
 GOARCH := $(shell go env GOARCH)
 # Build out
 TAG_NAME := $(shell git describe --abbrev=0 --exact-match 2> /dev/null || echo "main")
 COMMIT_HASH := $(shell git rev-parse HEAD)
 BUILD_TIMESTAMP := $(shell date '+%Y-%m-%dT%H:%M:%S')
 BIN_NAME := tinyauth-$(GOARCH)
 # Development vars
 DEV_COMPOSE := $(shell test -f "docker-compose.test.yml" && echo "docker-compose.test.yml" || echo "docker-compose.yml" )
 PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-compose.test.prod.yml" || echo "docker-compose.example.yml" )
 # Deps
 deps:
 	bun install --cwd frontend
 	go mod download
 # Clean web UI build
 clean-webui:
 	rm -rf internal/assets/dist
 	rm -rf frontend/dist
 # Build the web UI
 webui: clean-webui
 	bun run --cwd frontend build
 	cp -r frontend/dist internal/assets
 # Build the binary
 binary: webui
 	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "-s -w \
 	-X tinyauth/internal/config.Version=${TAG_NAME} \
 	-X tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
 	-X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" \
 	-o ${BIN_NAME} ./cmd/tinyauth
 # Build for amd64
 binary-linux-amd64:
 	export BIN_NAME=tinyauth-amd64
 	export GOARCH=amd64
 	export GOOS=linux
 	$(MAKE) binary
 # Build for arm64
 binary-linux-arm64:
 	export BIN_NAME=tinyauth-arm64
 	export GOARCH=arm64
 	export GOOS=linux
 	$(MAKE) binary
 # Go test
 .PHONY: test
 test:
 	go test -v ./...
 # Development
 develop:
 	docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans
 # Production
 prod:
 	docker compose -f $(PROD_COMPOSE) up --force-recreate --pull=always --remove-orphans
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 <div align="center">
    <img alt="Tinyauth" title="Tinyauth" width="96" src="assets/logo-rounded.png">
    <h1>Tinyauth</h1>
-    <p>The easiest way to secure your apps with a login screen.</p>
+    <p>The simplest way to protect your apps with a login screen.</p>
 </div>
 <div align="center">
@@ -14,7 +14,7 @@
 <br />
-Tinyauth is a simple authentication middleware that adds a simple login screen or OAuth with Google, Github and any provider to all of your docker apps. It supports all the popular proxies like Traefik, Nginx and Caddy.
+Tinyauth is a simple authentication middleware that adds a simple login screen or OAuth with Google, Github or any other provider to all of your apps. It supports all the popular proxies like Traefik, Nginx and Caddy.
 ![Screenshot](assets/screenshot.png)
@@ -23,7 +23,7 @@ Tinyauth is a simple authentication middleware that adds a simple login screen o
 ## Getting Started
-You can easily get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started.html). There is also an available [docker compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities.
+You can easily get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started). There is also an available [docker compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities.
 ## Demo
@@ -33,6 +33,8 @@ If you are still not sure if Tinyauth suits your needs you can try out the [demo
 You can find documentation and guides on all of the available configuration of Tinyauth in the [website](https://tinyauth.app).
 If you wish to contribute to the documentation head over to the [repository](https://github.com/steveiliop56/tinyauth-docs).
 ## Discord
 Tinyauth has a [discord](https://discord.gg/eHzVaCzRRd) server. Feel free to hop in to chat about self-hosting, homelabs and of course Tinyauth. See you there!
@@ -53,7 +55,7 @@ Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You ma
 A big thank you to the following people for providing me with more coffee:
-<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<!-- sponsors -->
+<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="64px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/Lancelot-Enguerrand"><img src="https:&#x2F;&#x2F;github.com&#x2F;Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a>&nbsp;&nbsp;<a href="https://github.com/allgoewer"><img src="https:&#x2F;&#x2F;github.com&#x2F;allgoewer.png" width="64px" alt="User avatar: allgoewer" /></a>&nbsp;&nbsp;<a href="https://github.com/NEANC"><img src="https:&#x2F;&#x2F;github.com&#x2F;NEANC.png" width="64px" alt="User avatar: NEANC" /></a>&nbsp;&nbsp;<!-- sponsors -->
 ## Acknowledgements
--- a/air.toml
+++ b/air.toml
@@ -2,9 +2,10 @@ root = "/tinyauth"
 tmp_dir = "tmp"
 [build]
-pre_cmd = ["mkdir -p internal/assets/dist", "echo 'backend running' > internal/assets/dist/index.html", "go install github.com/go-delve/delve/cmd/dlv@v1.25.0"]
+pre_cmd = ["mkdir -p internal/assets/dist", "mkdir -p /data", "echo 'backend running' > internal/assets/dist/index.html"]
-cmd = "CGO_ENABLED=0 go build -gcflags=\"all=-N -l\" -o tmp/tinyauth ."
+cmd = "CGO_ENABLED=0 go build -gcflags=\"all=-N -l\" -o tmp/tinyauth ./cmd/tinyauth"
-bin = "/go/bin/dlv --listen :4000 --headless=true --api-version=2 --accept-multiclient --log=true exec tmp/tinyauth --continue"
+bin = "tmp/tinyauth"
 full_bin = "dlv --listen :4000 --headless=true --api-version=2 --accept-multiclient --log=true exec tmp/tinyauth --continue --check-go-version=false"
 include_ext = ["go"]
 exclude_dir = ["internal/assets/dist"]
 exclude_regex = [".*_test\\.go"]
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -1,263 +0,0 @@
 package cmd
 import (
 	"errors"
 	"fmt"
 	"strings"
 	totpCmd "tinyauth/cmd/totp"
 	userCmd "tinyauth/cmd/user"
 	"tinyauth/internal/auth"
 	"tinyauth/internal/constants"
 	"tinyauth/internal/docker"
 	"tinyauth/internal/handlers"
 	"tinyauth/internal/hooks"
 	"tinyauth/internal/ldap"
 	"tinyauth/internal/providers"
 	"tinyauth/internal/server"
 	"tinyauth/internal/types"
 	"tinyauth/internal/utils"
 	"github.com/go-playground/validator/v10"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 var rootCmd = &cobra.Command{
 	Use:   "tinyauth",
 	Short: "The simplest way to protect your apps with a login screen.",
 	Long:  `Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps.`,
 	Run: func(cmd *cobra.Command, args []string) {
 		var config types.Config
 		err := viper.Unmarshal(&config)
 		HandleError(err, "Failed to parse config")
 		// Check if secrets have a file associated with them
 		config.Secret = utils.GetSecret(config.Secret, config.SecretFile)
 		config.GithubClientSecret = utils.GetSecret(config.GithubClientSecret, config.GithubClientSecretFile)
 		config.GoogleClientSecret = utils.GetSecret(config.GoogleClientSecret, config.GoogleClientSecretFile)
 		config.GenericClientSecret = utils.GetSecret(config.GenericClientSecret, config.GenericClientSecretFile)
 		validator := validator.New()
 		err = validator.Struct(config)
 		HandleError(err, "Failed to validate config")
 		log.Logger = log.Level(zerolog.Level(config.LogLevel))
 		log.Info().Str("version", strings.TrimSpace(constants.Version)).Msg("Starting tinyauth")
 		log.Info().Msg("Parsing users")
 		users, err := utils.GetUsers(config.Users, config.UsersFile)
 		HandleError(err, "Failed to parse users")
 		log.Debug().Msg("Getting domain")
 		domain, err := utils.GetUpperDomain(config.AppURL)
 		HandleError(err, "Failed to get upper domain")
 		log.Info().Str("domain", domain).Msg("Using domain for cookie store")
 		cookieId := utils.GenerateIdentifier(strings.Split(domain, ".")[0])
 		sessionCookieName := fmt.Sprintf("%s-%s", constants.SessionCookieName, cookieId)
 		csrfCookieName := fmt.Sprintf("%s-%s", constants.CsrfCookieName, cookieId)
 		redirectCookieName := fmt.Sprintf("%s-%s", constants.RedirectCookieName, cookieId)
 		log.Debug().Msg("Deriving HMAC and encryption secrets")
 		hmacSecret, err := utils.DeriveKey(config.Secret, "hmac")
 		HandleError(err, "Failed to derive HMAC secret")
 		encryptionSecret, err := utils.DeriveKey(config.Secret, "encryption")
 		HandleError(err, "Failed to derive encryption secret")
 		// Split the config into service-specific sub-configs
 		oauthConfig := types.OAuthConfig{
 			GithubClientId:      config.GithubClientId,
 			GithubClientSecret:  config.GithubClientSecret,
 			GoogleClientId:      config.GoogleClientId,
 			GoogleClientSecret:  config.GoogleClientSecret,
 			GenericClientId:     config.GenericClientId,
 			GenericClientSecret: config.GenericClientSecret,
 			GenericScopes:       strings.Split(config.GenericScopes, ","),
 			GenericAuthURL:      config.GenericAuthURL,
 			GenericTokenURL:     config.GenericTokenURL,
 			GenericUserURL:      config.GenericUserURL,
 			GenericSkipSSL:      config.GenericSkipSSL,
 			AppURL:              config.AppURL,
 		}
 		handlersConfig := types.HandlersConfig{
 			AppURL:                config.AppURL,
 			DisableContinue:       config.DisableContinue,
 			Title:                 config.Title,
 			GenericName:           config.GenericName,
 			CookieSecure:          config.CookieSecure,
 			Domain:                domain,
 			ForgotPasswordMessage: config.FogotPasswordMessage,
 			BackgroundImage:       config.BackgroundImage,
 			OAuthAutoRedirect:     config.OAuthAutoRedirect,
 			CsrfCookieName:        csrfCookieName,
 			RedirectCookieName:    redirectCookieName,
 		}
 		serverConfig := types.ServerConfig{
 			Port:    config.Port,
 			Address: config.Address,
 		}
 		authConfig := types.AuthConfig{
 			Users:             users,
 			OauthWhitelist:    config.OAuthWhitelist,
 			CookieSecure:      config.CookieSecure,
 			SessionExpiry:     config.SessionExpiry,
 			Domain:            domain,
 			LoginTimeout:      config.LoginTimeout,
 			LoginMaxRetries:   config.LoginMaxRetries,
 			SessionCookieName: sessionCookieName,
 			HMACSecret:        hmacSecret,
 			EncryptionSecret:  encryptionSecret,
 		}
 		hooksConfig := types.HooksConfig{
 			Domain: domain,
 		}
 		var ldapService *ldap.LDAP
 		if config.LdapAddress != "" {
 			log.Info().Msg("Using LDAP for authentication")
 			ldapConfig := types.LdapConfig{
 				Address:      config.LdapAddress,
 				BindDN:       config.LdapBindDN,
 				BindPassword: config.LdapBindPassword,
 				BaseDN:       config.LdapBaseDN,
 				Insecure:     config.LdapInsecure,
 				SearchFilter: config.LdapSearchFilter,
 			}
 			ldapService, err = ldap.NewLDAP(ldapConfig)
 			if err != nil {
 				log.Error().Err(err).Msg("Failed to initialize LDAP service, disabling LDAP authentication")
 				ldapService = nil
 			}
 		} else {
 			log.Info().Msg("LDAP not configured, using local users or OAuth")
 		}
 		// Check if we have a source of users
 		if len(users) == 0 && !utils.OAuthConfigured(config) && ldapService == nil {
 			HandleError(errors.New("err no users"), "Unable to find a source of users")
 		}
 		// Setup the services
 		docker, err := docker.NewDocker()
 		HandleError(err, "Failed to initialize docker")
 		auth := auth.NewAuth(authConfig, docker, ldapService)
 		providers := providers.NewProviders(oauthConfig)
 		hooks := hooks.NewHooks(hooksConfig, auth, providers)
 		handlers := handlers.NewHandlers(handlersConfig, auth, hooks, providers, docker)
 		srv, err := server.NewServer(serverConfig, handlers)
 		HandleError(err, "Failed to create server")
 		// Start up
 		err = srv.Start()
 		HandleError(err, "Failed to start server")
 	},
 }
 func Execute() {
 	err := rootCmd.Execute()
 	HandleError(err, "Failed to execute root command")
 }
 func HandleError(err error, msg string) {
 	if err != nil {
 		log.Fatal().Err(err).Msg(msg)
 	}
 }
 func init() {
 	rootCmd.AddCommand(userCmd.UserCmd())
 	rootCmd.AddCommand(totpCmd.TotpCmd())
 	viper.AutomaticEnv()
 	rootCmd.Flags().Int("port", 3000, "Port to run the server on.")
 	rootCmd.Flags().String("address", "0.0.0.0", "Address to bind the server to.")
 	rootCmd.Flags().String("secret", "", "Secret to use for the cookie.")
 	rootCmd.Flags().String("secret-file", "", "Path to a file containing the secret.")
 	rootCmd.Flags().String("app-url", "", "The tinyauth URL.")
 	rootCmd.Flags().String("users", "", "Comma separated list of users in the format username:hash.")
 	rootCmd.Flags().String("users-file", "", "Path to a file containing users in the format username:hash.")
 	rootCmd.Flags().Bool("cookie-secure", false, "Send cookie over secure connection only.")
 	rootCmd.Flags().String("github-client-id", "", "Github OAuth client ID.")
 	rootCmd.Flags().String("github-client-secret", "", "Github OAuth client secret.")
 	rootCmd.Flags().String("github-client-secret-file", "", "Github OAuth client secret file.")
 	rootCmd.Flags().String("google-client-id", "", "Google OAuth client ID.")
 	rootCmd.Flags().String("google-client-secret", "", "Google OAuth client secret.")
 	rootCmd.Flags().String("google-client-secret-file", "", "Google OAuth client secret file.")
 	rootCmd.Flags().String("generic-client-id", "", "Generic OAuth client ID.")
 	rootCmd.Flags().String("generic-client-secret", "", "Generic OAuth client secret.")
 	rootCmd.Flags().String("generic-client-secret-file", "", "Generic OAuth client secret file.")
 	rootCmd.Flags().String("generic-scopes", "", "Generic OAuth scopes.")
 	rootCmd.Flags().String("generic-auth-url", "", "Generic OAuth auth URL.")
 	rootCmd.Flags().String("generic-token-url", "", "Generic OAuth token URL.")
 	rootCmd.Flags().String("generic-user-url", "", "Generic OAuth user info URL.")
 	rootCmd.Flags().String("generic-name", "Generic", "Generic OAuth provider name.")
 	rootCmd.Flags().Bool("generic-skip-ssl", false, "Skip SSL verification for the generic OAuth provider.")
 	rootCmd.Flags().Bool("disable-continue", false, "Disable continue screen and redirect to app directly.")
 	rootCmd.Flags().String("oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth.")
 	rootCmd.Flags().String("oauth-auto-redirect", "none", "Auto redirect to the specified OAuth provider if configured. (available providers: github, google, generic)")
 	rootCmd.Flags().Int("session-expiry", 86400, "Session (cookie) expiration time in seconds.")
 	rootCmd.Flags().Int("login-timeout", 300, "Login timeout in seconds after max retries reached (0 to disable).")
 	rootCmd.Flags().Int("login-max-retries", 5, "Maximum login attempts before timeout (0 to disable).")
 	rootCmd.Flags().Int("log-level", 1, "Log level.")
 	rootCmd.Flags().String("app-title", "Tinyauth", "Title of the app.")
 	rootCmd.Flags().String("forgot-password-message", "", "Message to show on the forgot password page.")
 	rootCmd.Flags().String("background-image", "/background.jpg", "Background image URL for the login page.")
 	rootCmd.Flags().String("ldap-address", "", "LDAP server address (e.g. ldap://localhost:389).")
 	rootCmd.Flags().String("ldap-bind-dn", "", "LDAP bind DN (e.g. uid=user,dc=example,dc=com).")
 	rootCmd.Flags().String("ldap-bind-password", "", "LDAP bind password.")
 	rootCmd.Flags().String("ldap-base-dn", "", "LDAP base DN (e.g. dc=example,dc=com).")
 	rootCmd.Flags().Bool("ldap-insecure", false, "Skip certificate verification for the LDAP server.")
 	rootCmd.Flags().String("ldap-search-filter", "(uid=%s)", "LDAP search filter for user lookup.")
 	viper.BindEnv("port", "PORT")
 	viper.BindEnv("address", "ADDRESS")
 	viper.BindEnv("secret", "SECRET")
 	viper.BindEnv("secret-file", "SECRET_FILE")
 	viper.BindEnv("app-url", "APP_URL")
 	viper.BindEnv("users", "USERS")
 	viper.BindEnv("users-file", "USERS_FILE")
 	viper.BindEnv("cookie-secure", "COOKIE_SECURE")
 	viper.BindEnv("github-client-id", "GITHUB_CLIENT_ID")
 	viper.BindEnv("github-client-secret", "GITHUB_CLIENT_SECRET")
 	viper.BindEnv("github-client-secret-file", "GITHUB_CLIENT_SECRET_FILE")
 	viper.BindEnv("google-client-id", "GOOGLE_CLIENT_ID")
 	viper.BindEnv("google-client-secret", "GOOGLE_CLIENT_SECRET")
 	viper.BindEnv("google-client-secret-file", "GOOGLE_CLIENT_SECRET_FILE")
 	viper.BindEnv("generic-client-id", "GENERIC_CLIENT_ID")
 	viper.BindEnv("generic-client-secret", "GENERIC_CLIENT_SECRET")
 	viper.BindEnv("generic-client-secret-file", "GENERIC_CLIENT_SECRET_FILE")
 	viper.BindEnv("generic-scopes", "GENERIC_SCOPES")
 	viper.BindEnv("generic-auth-url", "GENERIC_AUTH_URL")
 	viper.BindEnv("generic-token-url", "GENERIC_TOKEN_URL")
 	viper.BindEnv("generic-user-url", "GENERIC_USER_URL")
 	viper.BindEnv("generic-name", "GENERIC_NAME")
 	viper.BindEnv("generic-skip-ssl", "GENERIC_SKIP_SSL")
 	viper.BindEnv("disable-continue", "DISABLE_CONTINUE")
 	viper.BindEnv("oauth-whitelist", "OAUTH_WHITELIST")
 	viper.BindEnv("oauth-auto-redirect", "OAUTH_AUTO_REDIRECT")
 	viper.BindEnv("session-expiry", "SESSION_EXPIRY")
 	viper.BindEnv("log-level", "LOG_LEVEL")
 	viper.BindEnv("app-title", "APP_TITLE")
 	viper.BindEnv("login-timeout", "LOGIN_TIMEOUT")
 	viper.BindEnv("login-max-retries", "LOGIN_MAX_RETRIES")
 	viper.BindEnv("forgot-password-message", "FORGOT_PASSWORD_MESSAGE")
 	viper.BindEnv("background-image", "BACKGROUND_IMAGE")
 	viper.BindEnv("ldap-address", "LDAP_ADDRESS")
 	viper.BindEnv("ldap-bind-dn", "LDAP_BIND_DN")
 	viper.BindEnv("ldap-bind-password", "LDAP_BIND_PASSWORD")
 	viper.BindEnv("ldap-base-dn", "LDAP_BASE_DN")
 	viper.BindEnv("ldap-insecure", "LDAP_INSECURE")
 	viper.BindEnv("ldap-search-filter", "LDAP_SEARCH_FILTER")
 	viper.BindPFlags(rootCmd.Flags())
 }
--- a/cmd/tinyauth/create.go
+++ b/cmd/tinyauth/create.go
@@ -0,0 +1,98 @@
 package main
 import (
 	"errors"
 	"fmt"
 	"os"
 	"strings"
 	"time"
 	"github.com/charmbracelet/huh"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/paerser/cli"
 	"golang.org/x/crypto/bcrypt"
 )
 type CreateUserConfig struct {
 	Interactive bool   `description:"Create a user interactively."`
 	Docker      bool   `description:"Format output for docker."`
 	Username    string `description:"Username."`
 	Password    string `description:"Password."`
 }
 func NewCreateUserConfig() *CreateUserConfig {
 	return &CreateUserConfig{
 		Interactive: false,
 		Docker:      false,
 		Username:    "",
 		Password:    "",
 	}
 }
 func createUserCmd() *cli.Command {
 	tCfg := NewCreateUserConfig()
 	loaders := []cli.ResourceLoader{
 		&cli.FlagLoader{},
 	}
 	return &cli.Command{
 		Name:          "create",
 		Description:   "Create a user",
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
 			log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Caller().Logger().Level(zerolog.InfoLevel)
 			if tCfg.Interactive {
 				form := huh.NewForm(
 					huh.NewGroup(
 						huh.NewInput().Title("Username").Value(&tCfg.Username).Validate((func(s string) error {
 							if s == "" {
 								return errors.New("username cannot be empty")
 							}
 							return nil
 						})),
 						huh.NewInput().Title("Password").Value(&tCfg.Password).Validate((func(s string) error {
 							if s == "" {
 								return errors.New("password cannot be empty")
 							}
 							return nil
 						})),
 						huh.NewSelect[bool]().Title("Format the output for Docker?").Options(huh.NewOption("Yes", true), huh.NewOption("No", false)).Value(&tCfg.Docker),
 					),
 				)
 				var baseTheme *huh.Theme = huh.ThemeBase()
 				err := form.WithTheme(baseTheme).Run()
 				if err != nil {
 					return fmt.Errorf("failed to run interactive prompt: %w", err)
 				}
 			}
 			if tCfg.Username == "" || tCfg.Password == "" {
 				return errors.New("username and password cannot be empty")
 			}
 			log.Info().Str("username", tCfg.Username).Msg("Creating user")
 			passwd, err := bcrypt.GenerateFromPassword([]byte(tCfg.Password), bcrypt.DefaultCost)
 			if err != nil {
 				return fmt.Errorf("failed to hash password: %w", err)
 			}
 			// If docker format is enabled, escape the dollar sign
 			passwdStr := string(passwd)
 			if tCfg.Docker {
 				passwdStr = strings.ReplaceAll(passwdStr, "$", "$$")
 			}
 			log.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")
 			return nil
 		},
 	}
 }
--- a/cmd/tinyauth/generate.go
+++ b/cmd/tinyauth/generate.go
@@ -0,0 +1,120 @@
 package main
 import (
 	"errors"
 	"fmt"
 	"os"
 	"strings"
 	"time"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/charmbracelet/huh"
 	"github.com/mdp/qrterminal/v3"
 	"github.com/pquerna/otp/totp"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/paerser/cli"
 )
 type GenerateTotpConfig struct {
 	Interactive bool   `description:"Generate a TOTP secret interactively."`
 	User        string `description:"Your current user (username:hash)."`
 }
 func NewGenerateTotpConfig() *GenerateTotpConfig {
 	return &GenerateTotpConfig{
 		Interactive: false,
 		User:        "",
 	}
 }
 func generateTotpCmd() *cli.Command {
 	tCfg := NewGenerateTotpConfig()
 	loaders := []cli.ResourceLoader{
 		&cli.FlagLoader{},
 	}
 	return &cli.Command{
 		Name:          "generate",
 		Description:   "Generate a TOTP secret",
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
 			log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Caller().Logger().Level(zerolog.InfoLevel)
 			if tCfg.Interactive {
 				form := huh.NewForm(
 					huh.NewGroup(
 						huh.NewInput().Title("Current user (username:hash)").Value(&tCfg.User).Validate((func(s string) error {
 							if s == "" {
 								return errors.New("user cannot be empty")
 							}
 							return nil
 						})),
 					),
 				)
 				var baseTheme *huh.Theme = huh.ThemeBase()
 				err := form.WithTheme(baseTheme).Run()
 				if err != nil {
 					return fmt.Errorf("failed to run interactive prompt: %w", err)
 				}
 			}
 			user, err := utils.ParseUser(tCfg.User)
 			if err != nil {
 				return fmt.Errorf("failed to parse user: %w", err)
 			}
 			docker := false
 			if strings.Contains(tCfg.User, "$$") {
 				docker = true
 			}
 			if user.TotpSecret != "" {
 				return fmt.Errorf("user already has a TOTP secret")
 			}
 			key, err := totp.Generate(totp.GenerateOpts{
 				Issuer:      "Tinyauth",
 				AccountName: user.Username,
 			})
 			if err != nil {
 				return fmt.Errorf("failed to generate TOTP secret: %w", err)
 			}
 			secret := key.Secret()
 			log.Info().Str("secret", secret).Msg("Generated TOTP secret")
 			log.Info().Msg("Generated QR code")
 			config := qrterminal.Config{
 				Level:     qrterminal.L,
 				Writer:    os.Stdout,
 				BlackChar: qrterminal.BLACK,
 				WhiteChar: qrterminal.WHITE,
 				QuietZone: 2,
 			}
 			qrterminal.GenerateWithConfig(key.URL(), config)
 			user.TotpSecret = secret
 			// If using docker escape re-escape it
 			if docker {
 				user.Password = strings.ReplaceAll(user.Password, "$", "$$")
 			}
 			log.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TotpSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
 			return nil
 		},
 	}
 }
--- a/cmd/tinyauth/healthcheck.go
+++ b/cmd/tinyauth/healthcheck.go
@@ -0,0 +1,85 @@
 package main
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"time"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/paerser/cli"
 )
 type healthzResponse struct {
 	Status  string `json:"status"`
 	Message string `json:"message"`
 }
 func healthcheckCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "healthcheck",
 		Description:   "Perform a health check",
 		Configuration: nil,
 		Resources:     nil,
 		AllowArg:      true,
 		Run: func(args []string) error {
 			log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Caller().Logger().Level(zerolog.InfoLevel)
 			appUrl := os.Getenv("TINYAUTH_APPURL")
 			if len(args) > 0 {
 				appUrl = args[0]
 			}
 			if appUrl == "" {
 				return errors.New("TINYAUTH_APPURL is not set and no argument was provided")
 			}
 			log.Info().Str("app_url", appUrl).Msg("Performing health check")
 			client := http.Client{
 				Timeout: 30 * time.Second,
 			}
 			req, err := http.NewRequest("GET", appUrl+"/api/healthz", nil)
 			if err != nil {
 				return fmt.Errorf("failed to create request: %w", err)
 			}
 			resp, err := client.Do(req)
 			if err != nil {
 				return fmt.Errorf("failed to perform request: %w", err)
 			}
 			if resp.StatusCode != http.StatusOK {
 				return fmt.Errorf("service is not healthy, got: %s", resp.Status)
 			}
 			defer resp.Body.Close()
 			var healthResp healthzResponse
 			body, err := io.ReadAll(resp.Body)
 			if err != nil {
 				return fmt.Errorf("failed to read response: %w", err)
 			}
 			err = json.Unmarshal(body, &healthResp)
 			if err != nil {
 				return fmt.Errorf("failed to decode response: %w", err)
 			}
 			log.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")
 			return nil
 		},
 	}
 }
--- a/cmd/tinyauth/tinyauth.go
+++ b/cmd/tinyauth/tinyauth.go
@@ -0,0 +1,130 @@
 package main
 import (
 	"fmt"
 	"os"
 	"strings"
 	"time"
 	"github.com/steveiliop56/tinyauth/internal/bootstrap"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/utils/loaders"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/paerser/cli"
 )
 func NewTinyauthCmdConfiguration() *config.Config {
 	return &config.Config{
 		LogLevel:     "info",
 		ResourcesDir: "./resources",
 		DatabasePath: "./tinyauth.db",
 		Server: config.ServerConfig{
 			Port:    3000,
 			Address: "0.0.0.0",
 		},
 		Auth: config.AuthConfig{
 			SessionExpiry:      3600,
 			SessionMaxLifetime: 0,
 			LoginTimeout:       300,
 			LoginMaxRetries:    3,
 		},
 		UI: config.UIConfig{
 			Title:                 "Tinyauth",
 			ForgotPasswordMessage: "You can change your password by changing the configuration.",
 			BackgroundImage:       "/background.jpg",
 		},
 		Ldap: config.LdapConfig{
 			Insecure:     false,
 			SearchFilter: "(uid=%s)",
 		},
 		Experimental: config.ExperimentalConfig{
 			ConfigFile: "",
 		},
 	}
 }
 func main() {
 	tConfig := NewTinyauthCmdConfiguration()
 	loaders := []cli.ResourceLoader{
 		&loaders.FileLoader{},
 		&loaders.FlagLoader{},
 		&loaders.EnvLoader{},
 	}
 	cmdTinyauth := &cli.Command{
 		Name:          "tinyauth",
 		Description:   "The simplest way to protect your apps with a login screen.",
 		Configuration: tConfig,
 		Resources:     loaders,
 		Run: func(_ []string) error {
 			return runCmd(*tConfig)
 		},
 	}
 	err := cmdTinyauth.AddCommand(versionCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add version command")
 	}
 	err = cmdTinyauth.AddCommand(verifyUserCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add verify command")
 	}
 	err = cmdTinyauth.AddCommand(healthcheckCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add healthcheck command")
 	}
 	err = cmdTinyauth.AddCommand(generateTotpCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add generate command")
 	}
 	err = cmdTinyauth.AddCommand(createUserCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add create command")
 	}
 	err = cli.Execute(cmdTinyauth)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to execute command")
 	}
 }
 func runCmd(cfg config.Config) error {
 	logLevel, err := zerolog.ParseLevel(strings.ToLower(cfg.LogLevel))
 	if err != nil {
 		log.Error().Err(err).Msg("Invalid or missing log level, defaulting to info")
 	} else {
 		zerolog.SetGlobalLevel(logLevel)
 	}
 	log.Logger = log.With().Caller().Logger()
 	if !cfg.LogJSON {
 		log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339})
 	}
 	log.Info().Str("version", config.Version).Msg("Starting tinyauth")
 	app := bootstrap.NewBootstrapApp(cfg)
 	err = app.Setup()
 	if err != nil {
 		return fmt.Errorf("failed to bootstrap app: %w", err)
 	}
 	return nil
 }
--- a/cmd/tinyauth/verify.go
+++ b/cmd/tinyauth/verify.go
@@ -0,0 +1,121 @@
 package main
 import (
 	"errors"
 	"fmt"
 	"os"
 	"time"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/charmbracelet/huh"
 	"github.com/pquerna/otp/totp"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/paerser/cli"
 	"golang.org/x/crypto/bcrypt"
 )
 type VerifyUserConfig struct {
 	Interactive bool   `description:"Validate a user interactively."`
 	Username    string `description:"Username."`
 	Password    string `description:"Password."`
 	Totp        string `description:"TOTP code."`
 	User        string `description:"Hash (username:hash:totp)."`
 }
 func NewVerifyUserConfig() *VerifyUserConfig {
 	return &VerifyUserConfig{
 		Interactive: false,
 		Username:    "",
 		Password:    "",
 		Totp:        "",
 		User:        "",
 	}
 }
 func verifyUserCmd() *cli.Command {
 	tCfg := NewVerifyUserConfig()
 	loaders := []cli.ResourceLoader{
 		&cli.FlagLoader{},
 	}
 	return &cli.Command{
 		Name:          "verify",
 		Description:   "Verify a user is set up correctly.",
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
 			log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Caller().Logger().Level(zerolog.InfoLevel)
 			if tCfg.Interactive {
 				form := huh.NewForm(
 					huh.NewGroup(
 						huh.NewInput().Title("User (username:hash:totp)").Value(&tCfg.User).Validate((func(s string) error {
 							if s == "" {
 								return errors.New("user cannot be empty")
 							}
 							return nil
 						})),
 						huh.NewInput().Title("Username").Value(&tCfg.Username).Validate((func(s string) error {
 							if s == "" {
 								return errors.New("username cannot be empty")
 							}
 							return nil
 						})),
 						huh.NewInput().Title("Password").Value(&tCfg.Password).Validate((func(s string) error {
 							if s == "" {
 								return errors.New("password cannot be empty")
 							}
 							return nil
 						})),
 						huh.NewInput().Title("TOTP Code (optional)").Value(&tCfg.Totp),
 					),
 				)
 				var baseTheme *huh.Theme = huh.ThemeBase()
 				err := form.WithTheme(baseTheme).Run()
 				if err != nil {
 					return fmt.Errorf("failed to run interactive prompt: %w", err)
 				}
 			}
 			user, err := utils.ParseUser(tCfg.User)
 			if err != nil {
 				return fmt.Errorf("failed to parse user: %w", err)
 			}
 			if user.Username != tCfg.Username {
 				return fmt.Errorf("username is incorrect")
 			}
 			err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(tCfg.Password))
 			if err != nil {
 				return fmt.Errorf("password is incorrect: %w", err)
 			}
 			if user.TotpSecret == "" {
 				if tCfg.Totp != "" {
 					log.Warn().Msg("User does not have TOTP secret")
 				}
 				log.Info().Msg("User verified")
 				return nil
 			}
 			ok := totp.Validate(tCfg.Totp, user.TotpSecret)
 			if !ok {
 				return fmt.Errorf("TOTP code incorrect")
 			}
 			log.Info().Msg("User verified")
 			return nil
 		},
 	}
 }
--- a/cmd/tinyauth/version.go
+++ b/cmd/tinyauth/version.go
@@ -0,0 +1,24 @@
 package main
 import (
 	"fmt"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/traefik/paerser/cli"
 )
 func versionCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "version",
 		Description:   "Print the version number of Tinyauth.",
 		Configuration: nil,
 		Resources:     nil,
 		Run: func(_ []string) error {
 			fmt.Printf("Version: %s\n", config.Version)
 			fmt.Printf("Commit Hash: %s\n", config.CommitHash)
 			fmt.Printf("Build Timestamp: %s\n", config.BuildTimestamp)
 			return nil
 		},
 	}
 }
--- a/cmd/totp/generate/generate.go
+++ b/cmd/totp/generate/generate.go
@@ -1,99 +0,0 @@
 package generate
 import (
 	"errors"
 	"fmt"
 	"os"
 	"strings"
 	"tinyauth/internal/utils"
 	"github.com/charmbracelet/huh"
 	"github.com/mdp/qrterminal/v3"
 	"github.com/pquerna/otp/totp"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )
 var interactive bool
 // Input user
 var iUser string
 var GenerateCmd = &cobra.Command{
 	Use:   "generate",
 	Short: "Generate a totp secret",
 	Run: func(cmd *cobra.Command, args []string) {
 		log.Logger = log.Level(zerolog.InfoLevel)
 		if interactive {
 			form := huh.NewForm(
 				huh.NewGroup(
 					huh.NewInput().Title("Current username:hash").Value(&iUser).Validate((func(s string) error {
 						if s == "" {
 							return errors.New("user cannot be empty")
 						}
 						return nil
 					})),
 				),
 			)
 			var baseTheme *huh.Theme = huh.ThemeBase()
 			err := form.WithTheme(baseTheme).Run()
 			if err != nil {
 				log.Fatal().Err(err).Msg("Form failed")
 			}
 		}
 		user, err := utils.ParseUser(iUser)
 		if err != nil {
 			log.Fatal().Err(err).Msg("Failed to parse user")
 		}
 		dockerEscape := false
 		if strings.Contains(iUser, "$$") {
 			dockerEscape = true
 		}
 		if user.TotpSecret != "" {
 			log.Fatal().Msg("User already has a totp secret")
 		}
 		key, err := totp.Generate(totp.GenerateOpts{
 			Issuer:      "Tinyauth",
 			AccountName: user.Username,
 		})
 		if err != nil {
 			log.Fatal().Err(err).Msg("Failed to generate totp secret")
 		}
 		secret := key.Secret()
 		log.Info().Str("secret", secret).Msg("Generated totp secret")
 		log.Info().Msg("Generated QR code")
 		config := qrterminal.Config{
 			Level:     qrterminal.L,
 			Writer:    os.Stdout,
 			BlackChar: qrterminal.BLACK,
 			WhiteChar: qrterminal.WHITE,
 			QuietZone: 2,
 		}
 		qrterminal.GenerateWithConfig(key.URL(), config)
 		user.TotpSecret = secret
 		// If using docker escape re-escape it
 		if dockerEscape {
 			user.Password = strings.ReplaceAll(user.Password, "$", "$$")
 		}
 		log.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TotpSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
 	},
 }
 func init() {
 	GenerateCmd.Flags().BoolVarP(&interactive, "interactive", "i", false, "Run in interactive mode")
 	GenerateCmd.Flags().StringVar(&iUser, "user", "", "Your current username:hash")
 }
--- a/cmd/totp/totp.go
+++ b/cmd/totp/totp.go
@@ -1,17 +0,0 @@
 package cmd
 import (
 	"tinyauth/cmd/totp/generate"
 	"github.com/spf13/cobra"
 )
 func TotpCmd() *cobra.Command {
 	totpCmd := &cobra.Command{
 		Use:   "totp",
 		Short: "Totp utilities",
 		Long:  `Utilities for creating and verifying totp codes.`,
 	}
 	totpCmd.AddCommand(generate.GenerateCmd)
 	return totpCmd
 }
--- a/cmd/user/create/create.go
+++ b/cmd/user/create/create.go
@@ -1,80 +0,0 @@
 package create
 import (
 	"errors"
 	"fmt"
 	"strings"
 	"github.com/charmbracelet/huh"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/bcrypt"
 )
 var interactive bool
 var docker bool
 // i stands for input
 var iUsername string
 var iPassword string
 var CreateCmd = &cobra.Command{
 	Use:   "create",
 	Short: "Create a user",
 	Long:  `Create a user either interactively or by passing flags.`,
 	Run: func(cmd *cobra.Command, args []string) {
 		log.Logger = log.Level(zerolog.InfoLevel)
 		if interactive {
 			form := huh.NewForm(
 				huh.NewGroup(
 					huh.NewInput().Title("Username").Value(&iUsername).Validate((func(s string) error {
 						if s == "" {
 							return errors.New("username cannot be empty")
 						}
 						return nil
 					})),
 					huh.NewInput().Title("Password").Value(&iPassword).Validate((func(s string) error {
 						if s == "" {
 							return errors.New("password cannot be empty")
 						}
 						return nil
 					})),
 					huh.NewSelect[bool]().Title("Format the output for docker?").Options(huh.NewOption("Yes", true), huh.NewOption("No", false)).Value(&docker),
 				),
 			)
 			var baseTheme *huh.Theme = huh.ThemeBase()
 			err := form.WithTheme(baseTheme).Run()
 			if err != nil {
 				log.Fatal().Err(err).Msg("Form failed")
 			}
 		}
 		if iUsername == "" || iPassword == "" {
 			log.Fatal().Err(errors.New("error invalid input")).Msg("Username and password cannot be empty")
 		}
 		log.Info().Str("username", iUsername).Str("password", iPassword).Bool("docker", docker).Msg("Creating user")
 		password, err := bcrypt.GenerateFromPassword([]byte(iPassword), bcrypt.DefaultCost)
 		if err != nil {
 			log.Fatal().Err(err).Msg("Failed to hash password")
 		}
 		// If docker format is enabled, escape the dollar sign
 		passwordString := string(password)
 		if docker {
 			passwordString = strings.ReplaceAll(passwordString, "$", "$$")
 		}
 		log.Info().Str("user", fmt.Sprintf("%s:%s", iUsername, passwordString)).Msg("User created")
 	},
 }
 func init() {
 	CreateCmd.Flags().BoolVarP(&interactive, "interactive", "i", false, "Create a user interactively")
 	CreateCmd.Flags().BoolVar(&docker, "docker", false, "Format output for docker")
 	CreateCmd.Flags().StringVar(&iUsername, "username", "", "Username")
 	CreateCmd.Flags().StringVar(&iPassword, "password", "", "Password")
 }
--- a/cmd/user/user.go
+++ b/cmd/user/user.go
@@ -1,19 +0,0 @@
 package cmd
 import (
 	"tinyauth/cmd/user/create"
 	"tinyauth/cmd/user/verify"
 	"github.com/spf13/cobra"
 )
 func UserCmd() *cobra.Command {
 	userCmd := &cobra.Command{
 		Use:   "user",
 		Short: "User utilities",
 		Long:  `Utilities for creating and verifying tinyauth compatible users.`,
 	}
 	userCmd.AddCommand(create.CreateCmd)
 	userCmd.AddCommand(verify.VerifyCmd)
 	return userCmd
 }
--- a/cmd/user/verify/verify.go
+++ b/cmd/user/verify/verify.go
@@ -1,101 +0,0 @@
 package verify
 import (
 	"errors"
 	"tinyauth/internal/utils"
 	"github.com/charmbracelet/huh"
 	"github.com/pquerna/otp/totp"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/bcrypt"
 )
 var interactive bool
 var docker bool
 // i stands for input
 var iUsername string
 var iPassword string
 var iTotp string
 var iUser string
 var VerifyCmd = &cobra.Command{
 	Use:   "verify",
 	Short: "Verify a user is set up correctly",
 	Long:  `Verify a user is set up correctly meaning that it has a correct username, password and totp code.`,
 	Run: func(cmd *cobra.Command, args []string) {
 		log.Logger = log.Level(zerolog.InfoLevel)
 		if interactive {
 			form := huh.NewForm(
 				huh.NewGroup(
 					huh.NewInput().Title("User (username:hash:totp)").Value(&iUser).Validate((func(s string) error {
 						if s == "" {
 							return errors.New("user cannot be empty")
 						}
 						return nil
 					})),
 					huh.NewInput().Title("Username").Value(&iUsername).Validate((func(s string) error {
 						if s == "" {
 							return errors.New("username cannot be empty")
 						}
 						return nil
 					})),
 					huh.NewInput().Title("Password").Value(&iPassword).Validate((func(s string) error {
 						if s == "" {
 							return errors.New("password cannot be empty")
 						}
 						return nil
 					})),
 					huh.NewInput().Title("Totp Code (if setup)").Value(&iTotp),
 				),
 			)
 			var baseTheme *huh.Theme = huh.ThemeBase()
 			err := form.WithTheme(baseTheme).Run()
 			if err != nil {
 				log.Fatal().Err(err).Msg("Form failed")
 			}
 		}
 		user, err := utils.ParseUser(iUser)
 		if err != nil {
 			log.Fatal().Err(err).Msg("Failed to parse user")
 		}
 		if user.Username != iUsername {
 			log.Fatal().Msg("Username is incorrect")
 		}
 		err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(iPassword))
 		if err != nil {
 			log.Fatal().Msg("Ppassword is incorrect")
 		}
 		if user.TotpSecret == "" {
 			if iTotp != "" {
 				log.Warn().Msg("User does not have 2fa secret")
 			}
 			log.Info().Msg("User verified")
 			return
 		}
 		ok := totp.Validate(iTotp, user.TotpSecret)
 		if !ok {
 			log.Fatal().Msg("Totp code incorrect")
 		}
 		log.Info().Msg("User verified")
 	},
 }
 func init() {
 	VerifyCmd.Flags().BoolVarP(&interactive, "interactive", "i", false, "Create a user interactively")
 	VerifyCmd.Flags().BoolVar(&docker, "docker", false, "Is the user formatted for docker?")
 	VerifyCmd.Flags().StringVar(&iUsername, "username", "", "Username")
 	VerifyCmd.Flags().StringVar(&iPassword, "password", "", "Password")
 	VerifyCmd.Flags().StringVar(&iTotp, "totp", "", "Totp code")
 	VerifyCmd.Flags().StringVar(&iUser, "user", "", "Hash (username:hash:totp combination)")
 }
--- a/cmd/version.go
+++ b/cmd/version.go
@@ -1,23 +0,0 @@
 package cmd
 import (
 	"fmt"
 	"tinyauth/internal/constants"
 	"github.com/spf13/cobra"
 )
 var versionCmd = &cobra.Command{
 	Use:   "version",
 	Short: "Print the version number of Tinyauth",
 	Long:  `All software has versions. This is Tinyauth's`,
 	Run: func(cmd *cobra.Command, args []string) {
 		fmt.Printf("Version: %s\n", constants.Version)
 		fmt.Printf("Commit Hash: %s\n", constants.CommitHash)
 		fmt.Printf("Build Timestamp: %s\n", constants.BuildTimestamp)
 	},
 }
 func init() {
 	rootCmd.AddCommand(versionCmd)
 }
--- a/config.example.yaml
+++ b/config.example.yaml
@@ -0,0 +1,90 @@
 # Tinyauth Example Configuration
 # The base URL where Tinyauth is accessible
 appUrl: "https://auth.example.com"
 # Log level: trace, debug, info, warn, error
 logLevel: "info"
 # Directory for static resources
 resourcesDir: "./resources"
 # Path to SQLite database file
 databasePath: "./tinyauth.db"
 # Disable usage analytics
 disableAnalytics: false
 # Disable static resource serving
 disableResources: false
 # Disable UI warning messages
 disableUIWarnings: false
 # Enable JSON formatted logs
 logJSON: false
 # Server Configuration
 server:
  # Port to listen on
  port: 3000
  # Interface to bind to (0.0.0.0 for all interfaces)
  address: "0.0.0.0"
  # Unix socket path (optional, overrides port/address if set)
  socketPath: ""
  # Comma-separated list of trusted proxy IPs/CIDRs
  trustedProxies: ""
 # Authentication Configuration
 auth:
  # Format: username:bcrypt_hash (use bcrypt to generate hash)
  users: "admin:$2a$10$example_bcrypt_hash_here"
  # Path to external users file (optional)
  usersFile: ""
  # Enable secure cookies (requires HTTPS)
  secureCookie: false
  # Session expiry in seconds (3600 = 1 hour)
  sessionExpiry: 3600
  # Session maximum lifetime in seconds (0 = unlimited)
  sessionMaxLifetime: 0
  # Login timeout in seconds (300 = 5 minutes)
  loginTimeout: 300
  # Maximum login retries before lockout
  loginMaxRetries: 3
 # OAuth Configuration
 oauth:
  # Regex pattern for allowed email addresses (e.g., /@example\.com$/)
  whitelist: ""
  # Provider ID to auto-redirect to (skips login page)
  autoRedirect: ""
  # OAuth Provider Configuration (replace myprovider with your provider name)
  providers:
    myprovider:
      clientId: "your_client_id_here"
      clientSecret: "your_client_secret_here"
      authUrl: "https://provider.example.com/oauth/authorize"
      tokenUrl: "https://provider.example.com/oauth/token"
      userInfoUrl: "https://provider.example.com/oauth/userinfo"
      redirectUrl: "https://auth.example.com/api/oauth/callback/myprovider"
      scopes: "openid email profile"
      name: "My OAuth Provider"
      # Allow insecure connections (self-signed certificates)
      insecure: false
 # UI Customization
 ui:
  # Custom title for login page
  title: "Tinyauth"
  # Message shown on forgot password page
  forgotPasswordMessage: "Contact your administrator to reset your password"
  # Background image URL for login page
  backgroundImage: ""
 # LDAP Configuration (optional)
 ldap:
  # LDAP server address
  address: "ldap://ldap.example.com:389"
  # DN for binding to LDAP server
  bindDn: "cn=readonly,dc=example,dc=com"
  # Password for bind DN
  bindPassword: "your_bind_password"
  # Base DN for user searches
  baseDn: "dc=example,dc=com"
  # Search filter (%s will be replaced with username)
  searchFilter: "(&(uid=%s)(memberOf=cn=users,ou=groups,dc=example,dc=com))"
  # Allow insecure LDAP connections
  insecure: false
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -13,8 +13,8 @@ services:
    image: traefik/whoami:latest
    labels:
      traefik.enable: true
-      traefik.http.routers.nginx.rule: Host(`whoami.example.com`)
+      traefik.http.routers.whoami.rule: Host(`whoami.example.com`)
-      traefik.http.routers.nginx.middlewares: tinyauth
+      traefik.http.routers.whoami.middlewares: tinyauth
  tinyauth-frontend:
    container_name: tinyauth-frontend
@@ -34,12 +34,16 @@ services:
    build:
      context: .
      dockerfile: Dockerfile.dev
      args:
        - VERSION=development
        - COMMIT_HASH=development
        - BUILD_TIMESTAMP=000-00-00T00:00:00Z
    env_file: .env
    volumes:
      - ./internal:/tinyauth/internal
      - ./cmd:/tinyauth/cmd
      - ./main.go:/tinyauth/main.go
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/data
    ports:
      - 3000:3000
      - 4000:4000
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -13,16 +13,17 @@ services:
    image: traefik/whoami:latest
    labels:
      traefik.enable: true
-      traefik.http.routers.nginx.rule: Host(`whoami.example.com`)
+      traefik.http.routers.whoami.rule: Host(`whoami.example.com`)
-      traefik.http.routers.nginx.middlewares: tinyauth
+      traefik.http.routers.whoami.middlewares: tinyauth
  tinyauth:
    container_name: tinyauth
    image: ghcr.io/steveiliop56/tinyauth:v3
    environment:
-      - SECRET=some-random-32-chars-string
+      - TINYAUTH_APPURL=https://tinyauth.example.com
-      - APP_URL=https://tinyauth.example.com
+      - TINYAUTH_AUTH_USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
-      - USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
+    volumes:
      - ./data:/data
    labels:
      traefik.enable: true
      traefik.http.routers.tinyauth.rule: Host(`tinyauth.example.com`)
--- a/frontend/bun.lock
+++ b/frontend/bun.lock
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -8,10 +8,11 @@
    <link rel="shortcut icon" href="/favicon.ico" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
    <meta name="apple-mobile-web-app-title" content="Tinyauth" />
    <meta name="robots" content="nofollow, noindex" />
    <link rel="manifest" href="/site.webmanifest" />
    <title>Tinyauth</title>
  </head>
-  <body class="dark">
+  <body>
    <div id="root"></div>
    <script type="module" src="/src/main.tsx"></script>
  </body>
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,5 +1,5 @@
 {
-  "name": "tinyauth-shadcn",
+  "name": "tinyauth",
  "private": true,
  "version": "0.0.0",
  "type": "module",
@@ -7,52 +7,53 @@
    "dev": "vite",
    "build": "tsc -b && vite build",
    "lint": "eslint .",
-    "preview": "vite preview"
+    "preview": "vite preview",
    "tsc": "tsc -b"
  },
  "dependencies": {
-    "@hookform/resolvers": "^5.1.1",
+    "@hookform/resolvers": "^5.2.2",
-    "@radix-ui/react-label": "^2.1.7",
+    "@radix-ui/react-dropdown-menu": "^2.1.16",
-    "@radix-ui/react-select": "^2.2.5",
+    "@radix-ui/react-label": "^2.1.8",
-    "@radix-ui/react-separator": "^1.1.7",
+    "@radix-ui/react-select": "^2.2.6",
-    "@radix-ui/react-slot": "^1.2.3",
+    "@radix-ui/react-separator": "^1.1.8",
-    "@tailwindcss/vite": "^4.1.11",
+    "@radix-ui/react-slot": "^1.2.4",
-    "@tanstack/react-query": "^5.83.0",
+    "@tailwindcss/vite": "^4.1.18",
-    "axios": "^1.10.0",
+    "@tanstack/react-query": "^5.90.16",
    "axios": "^1.13.2",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
-    "dompurify": "^3.2.6",
+    "i18next": "^25.7.4",
    "i18next": "^25.3.2",
    "i18next-browser-languagedetector": "^8.2.0",
    "i18next-resources-to-backend": "^1.2.1",
    "input-otp": "^1.4.2",
-    "lucide-react": "^0.525.0",
+    "lucide-react": "^0.562.0",
    "next-themes": "^0.4.6",
-    "react": "^19.0.0",
+    "react": "^19.2.3",
-    "react-dom": "^19.0.0",
+    "react-dom": "^19.2.3",
-    "react-hook-form": "^7.60.0",
+    "react-hook-form": "^7.70.0",
-    "react-i18next": "^15.6.0",
+    "react-i18next": "^16.5.1",
    "react-markdown": "^10.1.0",
-    "react-router": "^7.7.0",
+    "react-router": "^7.12.0",
-    "sonner": "^2.0.6",
+    "sonner": "^2.0.7",
-    "tailwind-merge": "^3.3.1",
+    "tailwind-merge": "^3.4.0",
-    "tailwindcss": "^4.1.11",
+    "tailwindcss": "^4.1.18",
-    "zod": "^4.0.5"
+    "zod": "^4.3.5"
  },
  "devDependencies": {
-    "@eslint/js": "^9.31.0",
+    "@eslint/js": "^9.39.2",
-    "@tanstack/eslint-plugin-query": "^5.81.2",
+    "@tanstack/eslint-plugin-query": "^5.91.2",
-    "@types/node": "^24.0.14",
+    "@types/node": "^25.0.3",
-    "@types/react": "^19.1.8",
+    "@types/react": "^19.2.7",
-    "@types/react-dom": "^19.1.6",
+    "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^4.6.0",
+    "@vitejs/plugin-react": "^5.1.2",
-    "eslint": "^9.31.0",
+    "eslint": "^9.39.2",
-    "eslint-plugin-react-hooks": "^5.2.0",
+    "eslint-plugin-react-hooks": "^7.0.1",
-    "eslint-plugin-react-refresh": "^0.4.19",
+    "eslint-plugin-react-refresh": "^0.4.26",
-    "globals": "^16.3.0",
+    "globals": "^17.0.0",
-    "prettier": "3.6.2",
+    "prettier": "3.7.4",
-    "tw-animate-css": "^1.3.5",
+    "tw-animate-css": "^1.4.0",
-    "typescript": "~5.8.3",
+    "typescript": "~5.9.3",
-    "typescript-eslint": "^8.37.0",
+    "typescript-eslint": "^8.52.0",
-    "vite": "^7.0.5"
+    "vite": "^7.3.1"
  }
-}
+}
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@@ -5,8 +5,8 @@ export const App = () => {
  const { isLoggedIn } = useUserContext();
  if (isLoggedIn) {
-    return <Navigate to="/logout" />;
+    return <Navigate to="/logout" replace />;
  }
-  return <Navigate to="/login" />;
+  return <Navigate to="/login" replace />;
 };
--- a/frontend/src/components/auth/totp-form.tsx
+++ b/frontend/src/components/auth/totp-form.tsx
@@ -44,6 +44,7 @@ export const TotpForm = (props: Props) => {
                  disabled={loading}
                  {...field}
                  autoComplete="one-time-code"
                  autoFocus
                >
                  <InputOTPGroup>
                    <InputOTPSlot index={0} />
--- a/frontend/src/components/domain-warning/domain-warning.tsx
+++ b/frontend/src/components/domain-warning/domain-warning.tsx
@@ -0,0 +1,56 @@
 import {
  Card,
  CardDescription,
  CardFooter,
  CardHeader,
  CardTitle,
 } from "../ui/card";
 import { Button } from "../ui/button";
 import { Trans, useTranslation } from "react-i18next";
 import { useLocation } from "react-router";
 interface Props {
  onClick: () => void;
  appUrl: string;
  currentUrl: string;
 }
 export const DomainWarning = (props: Props) => {
  const { onClick, appUrl, currentUrl } = props;
  const { t } = useTranslation();
  const { search } = useLocation();
  const searchParams = new URLSearchParams(search);
  const redirectUri = searchParams.get("redirect_uri");
  return (
    <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
      <CardHeader>
        <CardTitle className="text-3xl">{t("domainWarningTitle")}</CardTitle>
        <CardDescription>
          <Trans
            t={t}
            i18nKey="domainWarningSubtitle"
            values={{ appUrl, currentUrl }}
            components={{ code: <code /> }}
          />
        </CardDescription>
      </CardHeader>
      <CardFooter className="flex flex-col items-stretch gap-2">
        <Button onClick={onClick} variant="warning">
          {t("ignoreTitle")}
        </Button>
        <Button
          onClick={() =>
            window.location.assign(
              `${appUrl}/login?redirect_uri=${encodeURIComponent(redirectUri || "")}`,
            )
          }
          variant="outline"
        >
          {t("goToCorrectDomainTitle")}
        </Button>
      </CardFooter>
    </Card>
  );
 };
--- a/frontend/src/components/icons/microsoft.tsx
+++ b/frontend/src/components/icons/microsoft.tsx
@@ -0,0 +1,18 @@
 import type { SVGProps } from "react";
 export function MicrosoftIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg
      xmlns="http://www.w3.org/2000/svg"
      width="2em"
      height="2em"
      viewBox="0 0 256 256"
      {...props}
    >
      <path fill="#f1511b" d="M121.666 121.666H0V0h121.666z"></path>
      <path fill="#80cc28" d="M256 121.666H134.335V0H256z"></path>
      <path fill="#00adef" d="M121.663 256.002H0V134.336h121.663z"></path>
      <path fill="#fbbc09" d="M256 256.002H134.335V134.336H256z"></path>
    </svg>
  );
 }
--- a/frontend/src/components/icons/generic.tsx
+++ b/frontend/src/components/icons/generic.tsx
@@ -1,6 +1,6 @@
 import type { SVGProps } from "react";
-export function GenericIcon(props: SVGProps<SVGSVGElement>) {
+export function OAuthIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg
      xmlns="http://www.w3.org/2000/svg"
--- a/frontend/src/components/icons/pocket-id.tsx
+++ b/frontend/src/components/icons/pocket-id.tsx
@@ -0,0 +1,20 @@
 import type { SVGProps } from "react";
 export function PocketIDIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg
      xmlns="http://www.w3.org/2000/svg"
      xmlSpace="preserve"
      width={512}
      height={512}
      viewBox="0 0 512 512"
      {...props}
    >
      <circle cx="256" cy="256" r="256" />
      <path
        d="M268.6 102.4c64.4 0 116.8 52.4 116.8 116.7 0 25.3-8 49.4-23 69.6-14.8 19.9-35 34.3-58.4 41.7l-6.5 2-15.5-76.2 4.3-2c14-6.7 23-21.1 23-36.6 0-22.4-18.2-40.6-40.6-40.6S228 195.2 228 217.6c0 15.5 9 29.8 23 36.6l4.2 2-25 153.4h-69.5V102.4z"
        className="fill-white"
      />
    </svg>
  );
 }
--- a/frontend/src/components/icons/tailscale.tsx
+++ b/frontend/src/components/icons/tailscale.tsx
@@ -0,0 +1,26 @@
 import type { SVGProps } from "react";
 export function TailscaleIcon(props: SVGProps<SVGSVGElement>) {
  return (
    <svg
      xmlns="http://www.w3.org/2000/svg"
      xmlSpace="preserve"
      width={512}
      height={512}
      viewBox="0 0 512 512"
      {...props}
    >
      <path
        className="opacity-80"
        fill="currentColor"
        d="M65.6 318.1c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9S1.8 219 1.8 254.2s28.6 63.9 63.8 63.9m191.6 0c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m0 193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m189.2-193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9"
      />
      <path
        d="M65.6 127.7c35.3 0 63.9-28.6 63.9-63.9S100.9 0 65.6 0 1.8 28.6 1.8 63.9s28.6 63.8 63.8 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.8 28.7-63.8 63.9S30.4 512 65.6 512m191.6-384.3c35.3 0 63.9-28.6 63.9-63.9S292.5 0 257.2 0s-63.9 28.6-63.9 63.9 28.6 63.8 63.9 63.8m189.2 0c35.3 0 63.9-28.6 63.9-63.9S481.6 0 446.4 0c-35.3 0-63.9 28.6-63.9 63.9s28.6 63.8 63.9 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9"
        className="opacity-20"
        fill="currentColor"
      />
    </svg>
  );
 }
--- a/frontend/src/components/language/language.tsx
+++ b/frontend/src/components/language/language.tsx
@@ -18,9 +18,10 @@ export const LanguageSelector = () => {
    setLanguage(option as SupportedLanguage);
    i18n.changeLanguage(option as SupportedLanguage);
  };
  return (
    <Select onValueChange={handleSelect} value={language}>
-      <SelectTrigger className="absolute top-5 right-5">
+      <SelectTrigger>
        <SelectValue placeholder="Select language" />
      </SelectTrigger>
      <SelectContent>
--- a/frontend/src/components/layout/layout.tsx
+++ b/frontend/src/components/layout/layout.tsx
@@ -1,9 +1,16 @@
 import { useAppContext } from "@/context/app-context";
 import { LanguageSelector } from "../language/language";
 import { Outlet } from "react-router";
 import { useCallback, useEffect, useState } from "react";
 import { DomainWarning } from "../domain-warning/domain-warning";
 import { ThemeToggle } from "../theme-toggle/theme-toggle";
-export const Layout = () => {
+const BaseLayout = ({ children }: { children: React.ReactNode }) => {
-  const { backgroundImage } = useAppContext();
+  const { backgroundImage, title } = useAppContext();
  useEffect(() => {
    document.title = title;
  }, [title]);
  return (
    <div
@@ -14,8 +21,42 @@ export const Layout = () => {
        backgroundPosition: "center",
      }}
    >
-      <LanguageSelector />
+      <div className="absolute top-5 right-5 flex flex-row gap-2">
-      <Outlet />
+        <ThemeToggle />
        <LanguageSelector />
      </div>
      {children}
    </div>
  );
 };
 export const Layout = () => {
  const { appUrl, disableUiWarnings } = useAppContext();
  const [ignoreDomainWarning, setIgnoreDomainWarning] = useState(() => {
    return window.sessionStorage.getItem("ignoreDomainWarning") === "true";
  });
  const currentUrl = window.location.origin;
  const handleIgnore = useCallback(() => {
    window.sessionStorage.setItem("ignoreDomainWarning", "true");
    setIgnoreDomainWarning(true);
  }, [setIgnoreDomainWarning]);
  if (!ignoreDomainWarning && !disableUiWarnings && appUrl !== currentUrl) {
    return (
      <BaseLayout>
        <DomainWarning
          appUrl={appUrl}
          currentUrl={currentUrl}
          onClick={() => handleIgnore()}
        />
      </BaseLayout>
    );
  }
  return (
    <BaseLayout>
      <Outlet />
    </BaseLayout>
  );
 };
--- a/frontend/src/components/providers/theme-provider.tsx
+++ b/frontend/src/components/providers/theme-provider.tsx
@@ -0,0 +1,73 @@
 import { createContext, useContext, useEffect, useState } from "react";
 type Theme = "dark" | "light" | "system";
 type ThemeProviderProps = {
  children: React.ReactNode;
  defaultTheme?: Theme;
  storageKey?: string;
 };
 type ThemeProviderState = {
  theme: Theme;
  setTheme: (theme: Theme) => void;
 };
 const initialState: ThemeProviderState = {
  theme: "system",
  setTheme: () => null,
 };
 const ThemeProviderContext = createContext<ThemeProviderState>(initialState);
 export function ThemeProvider({
  children,
  defaultTheme = "system",
  storageKey = "vite-ui-theme",
  ...props
 }: ThemeProviderProps) {
  const [theme, setTheme] = useState<Theme>(
    () => (localStorage.getItem(storageKey) as Theme) || defaultTheme,
  );
  useEffect(() => {
    const root = window.document.documentElement;
    root.classList.remove("light", "dark");
    if (theme === "system") {
      const systemTheme = window.matchMedia("(prefers-color-scheme: dark)")
        .matches
        ? "dark"
        : "light";
      root.classList.add(systemTheme);
      return;
    }
    root.classList.add(theme);
  }, [theme]);
  const value = {
    theme,
    setTheme: (theme: Theme) => {
      localStorage.setItem(storageKey, theme);
      setTheme(theme);
    },
  };
  return (
    <ThemeProviderContext.Provider {...props} value={value}>
      {children}
    </ThemeProviderContext.Provider>
  );
 }
 export const useTheme = () => {
  const context = useContext(ThemeProviderContext);
  if (context === undefined)
    throw new Error("useTheme must be used within a ThemeProvider");
  return context;
 };
--- a/frontend/src/components/theme-toggle/theme-toggle.tsx
+++ b/frontend/src/components/theme-toggle/theme-toggle.tsx
@@ -0,0 +1,40 @@
 import { Moon, Sun } from "lucide-react";
 import { Button } from "@/components/ui/button";
 import {
  DropdownMenu,
  DropdownMenuContent,
  DropdownMenuItem,
  DropdownMenuTrigger,
 } from "@/components/ui/dropdown-menu";
 import { useTheme } from "@/components/providers/theme-provider";
 export function ThemeToggle() {
  const { setTheme } = useTheme();
  return (
    <DropdownMenu>
      <DropdownMenuTrigger asChild>
        <Button
          className="bg-card text-card-foreground hover:bg-card/90"
          size="icon"
        >
          <Sun className="h-[1.2rem] w-[1.2rem] scale-100 rotate-0 transition-all dark:scale-0 dark:-rotate-90" />
          <Moon className="absolute h-[1.2rem] w-[1.2rem] scale-0 rotate-90 transition-all dark:scale-100 dark:rotate-0" />
          <span className="sr-only">Toggle theme</span>
        </Button>
      </DropdownMenuTrigger>
      <DropdownMenuContent align="end">
        <DropdownMenuItem onClick={() => setTheme("light")}>
          Light
        </DropdownMenuItem>
        <DropdownMenuItem onClick={() => setTheme("dark")}>
          Dark
        </DropdownMenuItem>
        <DropdownMenuItem onClick={() => setTheme("system")}>
          System
        </DropdownMenuItem>
      </DropdownMenuContent>
    </DropdownMenu>
  );
 }
--- a/frontend/src/components/ui/button.tsx
+++ b/frontend/src/components/ui/button.tsx
@@ -6,7 +6,7 @@ import { cn } from "@/lib/utils";
 import { Loader2 } from "lucide-react";
 const buttonVariants = cva(
-  "inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md text-sm font-medium transition-all disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg:not([class*='size-'])]:size-4 shrink-0 [&_svg]:shrink-0 outline-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive",
+  "inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md text-sm font-medium transition-all disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg:not([class*='size-'])]:size-4 shrink-0 [&_svg]:shrink-0 outline-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive hover:cursor-pointer",
  {
    variants: {
      variant: {
@@ -22,7 +22,7 @@ const buttonVariants = cva(
          "hover:bg-accent hover:text-accent-foreground dark:hover:bg-accent/50",
        link: "text-primary underline-offset-4 hover:underline",
        warning:
-          "bg-amber-500 text-white shadow-xs hover:bg-amber-400 focus-visible:ring-amber-200/20 dark:focus-visible:ring-amber-400/40 dark:bg-amber-600",
+          "bg-amber-500 text-white shadow-xs hover:bg-amber-400 focus-visible:ring-amber-200/20 dark:focus-visible:ring-amber-400/40",
      },
      size: {
        default: "h-9 px-4 py-2 has-[>svg]:px-3",
--- a/frontend/src/components/ui/dropdown-menu.tsx
+++ b/frontend/src/components/ui/dropdown-menu.tsx
@@ -0,0 +1,255 @@
 import * as React from "react"
 import * as DropdownMenuPrimitive from "@radix-ui/react-dropdown-menu"
 import { CheckIcon, ChevronRightIcon, CircleIcon } from "lucide-react"
 import { cn } from "@/lib/utils"
 function DropdownMenu({
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.Root>) {
  return <DropdownMenuPrimitive.Root data-slot="dropdown-menu" {...props} />
 }
 function DropdownMenuPortal({
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.Portal>) {
  return (
    <DropdownMenuPrimitive.Portal data-slot="dropdown-menu-portal" {...props} />
  )
 }
 function DropdownMenuTrigger({
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.Trigger>) {
  return (
    <DropdownMenuPrimitive.Trigger
      data-slot="dropdown-menu-trigger"
      {...props}
    />
  )
 }
 function DropdownMenuContent({
  className,
  sideOffset = 4,
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.Content>) {
  return (
    <DropdownMenuPrimitive.Portal>
      <DropdownMenuPrimitive.Content
        data-slot="dropdown-menu-content"
        sideOffset={sideOffset}
        className={cn(
          "bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2 z-50 max-h-(--radix-dropdown-menu-content-available-height) min-w-[8rem] origin-(--radix-dropdown-menu-content-transform-origin) overflow-x-hidden overflow-y-auto rounded-md border p-1 shadow-md",
          className
        )}
        {...props}
      />
    </DropdownMenuPrimitive.Portal>
  )
 }
 function DropdownMenuGroup({
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.Group>) {
  return (
    <DropdownMenuPrimitive.Group data-slot="dropdown-menu-group" {...props} />
  )
 }
 function DropdownMenuItem({
  className,
  inset,
  variant = "default",
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.Item> & {
  inset?: boolean
  variant?: "default" | "destructive"
 }) {
  return (
    <DropdownMenuPrimitive.Item
      data-slot="dropdown-menu-item"
      data-inset={inset}
      data-variant={variant}
      className={cn(
        "focus:bg-accent focus:text-accent-foreground data-[variant=destructive]:text-destructive data-[variant=destructive]:focus:bg-destructive/10 dark:data-[variant=destructive]:focus:bg-destructive/20 data-[variant=destructive]:focus:text-destructive data-[variant=destructive]:*:[svg]:!text-destructive [&_svg:not([class*='text-'])]:text-muted-foreground relative flex cursor-default items-center gap-2 rounded-sm px-2 py-1.5 text-sm outline-hidden select-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50 data-[inset]:pl-8 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
        className
      )}
      {...props}
    />
  )
 }
 function DropdownMenuCheckboxItem({
  className,
  children,
  checked,
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.CheckboxItem>) {
  return (
    <DropdownMenuPrimitive.CheckboxItem
      data-slot="dropdown-menu-checkbox-item"
      className={cn(
        "focus:bg-accent focus:text-accent-foreground relative flex cursor-default items-center gap-2 rounded-sm py-1.5 pr-2 pl-8 text-sm outline-hidden select-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
        className
      )}
      checked={checked}
      {...props}
    >
      <span className="pointer-events-none absolute left-2 flex size-3.5 items-center justify-center">
        <DropdownMenuPrimitive.ItemIndicator>
          <CheckIcon className="size-4" />
        </DropdownMenuPrimitive.ItemIndicator>
      </span>
      {children}
    </DropdownMenuPrimitive.CheckboxItem>
  )
 }
 function DropdownMenuRadioGroup({
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.RadioGroup>) {
  return (
    <DropdownMenuPrimitive.RadioGroup
      data-slot="dropdown-menu-radio-group"
      {...props}
    />
  )
 }
 function DropdownMenuRadioItem({
  className,
  children,
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.RadioItem>) {
  return (
    <DropdownMenuPrimitive.RadioItem
      data-slot="dropdown-menu-radio-item"
      className={cn(
        "focus:bg-accent focus:text-accent-foreground relative flex cursor-default items-center gap-2 rounded-sm py-1.5 pr-2 pl-8 text-sm outline-hidden select-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
        className
      )}
      {...props}
    >
      <span className="pointer-events-none absolute left-2 flex size-3.5 items-center justify-center">
        <DropdownMenuPrimitive.ItemIndicator>
          <CircleIcon className="size-2 fill-current" />
        </DropdownMenuPrimitive.ItemIndicator>
      </span>
      {children}
    </DropdownMenuPrimitive.RadioItem>
  )
 }
 function DropdownMenuLabel({
  className,
  inset,
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.Label> & {
  inset?: boolean
 }) {
  return (
    <DropdownMenuPrimitive.Label
      data-slot="dropdown-menu-label"
      data-inset={inset}
      className={cn(
        "px-2 py-1.5 text-sm font-medium data-[inset]:pl-8",
        className
      )}
      {...props}
    />
  )
 }
 function DropdownMenuSeparator({
  className,
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.Separator>) {
  return (
    <DropdownMenuPrimitive.Separator
      data-slot="dropdown-menu-separator"
      className={cn("bg-border -mx-1 my-1 h-px", className)}
      {...props}
    />
  )
 }
 function DropdownMenuShortcut({
  className,
  ...props
 }: React.ComponentProps<"span">) {
  return (
    <span
      data-slot="dropdown-menu-shortcut"
      className={cn(
        "text-muted-foreground ml-auto text-xs tracking-widest",
        className
      )}
      {...props}
    />
  )
 }
 function DropdownMenuSub({
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.Sub>) {
  return <DropdownMenuPrimitive.Sub data-slot="dropdown-menu-sub" {...props} />
 }
 function DropdownMenuSubTrigger({
  className,
  inset,
  children,
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.SubTrigger> & {
  inset?: boolean
 }) {
  return (
    <DropdownMenuPrimitive.SubTrigger
      data-slot="dropdown-menu-sub-trigger"
      data-inset={inset}
      className={cn(
        "focus:bg-accent focus:text-accent-foreground data-[state=open]:bg-accent data-[state=open]:text-accent-foreground [&_svg:not([class*='text-'])]:text-muted-foreground flex cursor-default items-center gap-2 rounded-sm px-2 py-1.5 text-sm outline-hidden select-none data-[inset]:pl-8 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
        className
      )}
      {...props}
    >
      {children}
      <ChevronRightIcon className="ml-auto size-4" />
    </DropdownMenuPrimitive.SubTrigger>
  )
 }
 function DropdownMenuSubContent({
  className,
  ...props
 }: React.ComponentProps<typeof DropdownMenuPrimitive.SubContent>) {
  return (
    <DropdownMenuPrimitive.SubContent
      data-slot="dropdown-menu-sub-content"
      className={cn(
        "bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2 z-50 min-w-[8rem] origin-(--radix-dropdown-menu-content-transform-origin) overflow-hidden rounded-md border p-1 shadow-lg",
        className
      )}
      {...props}
    />
  )
 }
 export {
  DropdownMenu,
  DropdownMenuPortal,
  DropdownMenuTrigger,
  DropdownMenuContent,
  DropdownMenuGroup,
  DropdownMenuLabel,
  DropdownMenuItem,
  DropdownMenuCheckboxItem,
  DropdownMenuRadioGroup,
  DropdownMenuRadioItem,
  DropdownMenuSeparator,
  DropdownMenuShortcut,
  DropdownMenuSub,
  DropdownMenuSubTrigger,
  DropdownMenuSubContent,
 }
--- a/frontend/src/components/ui/select.tsx
+++ b/frontend/src/components/ui/select.tsx
@@ -35,7 +35,7 @@ function SelectTrigger({
      data-slot="select-trigger"
      data-size={size}
      className={cn(
-        "border-input data-[placeholder]:text-muted-foreground [&_svg:not([class*='text-'])]:text-muted-foreground focus-visible:border-ring focus-visible:ring-ring/50 aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive dark:bg-card dark:hover:bg-card/90 flex w-fit items-center justify-between gap-2 rounded-md border bg-card hover:bg-card/90 px-3 py-2 text-sm whitespace-nowrap shadow-xs transition-[color,box-shadow] outline-none focus-visible:ring-[3px] disabled:cursor-not-allowed disabled:opacity-50 data-[size=default]:h-9 data-[size=sm]:h-8 *:data-[slot=select-value]:line-clamp-1 *:data-[slot=select-value]:flex *:data-[slot=select-value]:items-center *:data-[slot=select-value]:gap-2 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+        "hover:cursor-pointer border-input data-[placeholder]:text-card-foreground [&_svg:not([class*='text-'])]:text-card-foreground focus-visible:border-ring focus-visible:ring-ring/50 aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive flex w-fit items-center justify-between gap-2 rounded-md border bg-card hover:bg-card/90 px-3 py-2 text-sm whitespace-nowrap shadow-xs transition-[color,box-shadow] outline-none focus-visible:ring-[3px] disabled:cursor-not-allowed disabled:opacity-50 data-[size=default]:h-9 data-[size=sm]:h-8 *:data-[slot=select-value]:line-clamp-1 *:data-[slot=select-value]:flex *:data-[slot=select-value]:items-center *:data-[slot=select-value]:gap-2 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
        className,
      )}
      {...props}
--- a/frontend/src/components/ui/sonner.tsx
+++ b/frontend/src/components/ui/sonner.tsx
@@ -1,8 +1,8 @@
-import { useTheme } from "next-themes";
+import { useTheme } from "../providers/theme-provider";
 import { Toaster as Sonner, ToasterProps } from "sonner";
 const Toaster = ({ ...props }: ToasterProps) => {
-  const { theme = "system" } = useTheme();
+  const { theme } = useTheme();
  return (
    <Sonner
--- a/frontend/src/context/app-context.tsx
+++ b/frontend/src/context/app-context.tsx
@@ -15,7 +15,7 @@ export const AppContextProvider = ({
 }) => {
  const { isFetching, data, error } = useSuspenseQuery({
    queryKey: ["app"],
-    queryFn: () => axios.get("/api/app").then((res) => res.data),
+    queryFn: () => axios.get("/api/context/app").then((res) => res.data),
  });
  if (error && !isFetching) {
--- a/frontend/src/context/user-context.tsx
+++ b/frontend/src/context/user-context.tsx
@@ -15,7 +15,7 @@ export const UserContextProvider = ({
 }) => {
  const { isFetching, data, error } = useSuspenseQuery({
    queryKey: ["user"],
-    queryFn: () => axios.get("/api/user").then((res) => res.data),
+    queryFn: () => axios.get("/api/context/user").then((res) => res.data),
  });
  if (error && !isFetching) {
--- a/frontend/src/index.css
+++ b/frontend/src/index.css
@@ -156,7 +156,7 @@ ul {
 }
 code {
-  @apply relative rounded bg-muted px-[0.2rem] py-[0.1rem] font-mono text-sm font-semibold;
+  @apply relative rounded bg-muted px-[0.2rem] py-[0.1rem] font-mono text-sm font-semibold break-all;
 }
 .lead {
--- a/frontend/src/lib/hooks/use-is-mounted.ts
+++ b/frontend/src/lib/hooks/use-is-mounted.ts
@@ -1,15 +0,0 @@
 import { useCallback, useEffect, useRef } from "react";
 export function useIsMounted(): () => boolean {
  const isMounted = useRef(false);
  useEffect(() => {
    isMounted.current = true;
    return () => {
      isMounted.current = false;
    };
  }, []);
  return useCallback(() => isMounted.current, []);
 }
--- a/frontend/src/lib/i18n/i18n.ts
+++ b/frontend/src/lib/i18n/i18n.ts
@@ -14,12 +14,11 @@ i18n
  .init({
    fallbackLng: "en",
    debug: import.meta.env.MODE === "development",
-
+    nonExplicitSupportedLngs: true,
    interpolation: {
      escapeValue: false,
    },
    load: "currentOnly",
    detection: {
      lookupLocalStorage: "tinyauth-lang",
    },
  });
 export default i18n;
--- a/frontend/src/lib/i18n/locales.ts
+++ b/frontend/src/lib/i18n/locales.ts
@@ -18,8 +18,8 @@ export const languages = {
  "nl-NL": "Nederlands",
  "no-NO": "Norsk",
  "pl-PL": "Polski",
-  "pt-BR": "Português",
+  "pt-BR": "Português (Brasil)",
-  "pt-PT": "Português",
+  "pt-PT": "Português (Portugal)",
  "ro-RO": "Română",
  "ru-RU": "Русский",
  "sr-SP": "Српски",
@@ -28,7 +28,7 @@ export const languages = {
  "uk-UA": "Українська",
  "vi-VN": "Tiếng Việt",
  "zh-CN": "简体中文",
-  "zh-TW": "繁體中文（台灣）",
+  "zh-TW": "繁體中文",
 };
 export type SupportedLanguage = keyof typeof languages;
--- a/frontend/src/lib/i18n/locales/ar-SA.json
+++ b/frontend/src/lib/i18n/locales/ar-SA.json
@@ -57,6 +57,6 @@
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "تجاهل",
    "goToCorrectDomainTitle": "Go to correct domain"
 }
--- a/frontend/src/lib/i18n/locales/el-GR.json
+++ b/frontend/src/lib/i18n/locales/el-GR.json
@@ -14,17 +14,17 @@
    "loginOauthFailSubtitle": "Αποτυχία λήψης OAuth URL",
    "loginOauthSuccessTitle": "Ανακατεύθυνση",
    "loginOauthSuccessSubtitle": "Ανακατεύθυνση στον πάροχο OAuth σας",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "Αυτόματη Ανακατεύθυνση OAuth",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "Θα ανακατευθυνθείτε αυτόματα στον πάροχο OAuth σας για να επαληθευτείτε.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Ανακατεύθυνση τώρα",
    "continueTitle": "Συνέχεια",
    "continueRedirectingTitle": "Ανακατεύθυνση...",
    "continueRedirectingSubtitle": "Θα πρέπει να μεταφερθείτε σύντομα στην εφαρμογή σας",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Χειροκίνητη ανακατεύθυνση",
    "continueInsecureRedirectTitle": "Μη ασφαλής ανακατεύθυνση",
    "continueInsecureRedirectSubtitle": "Προσπαθείτε να ανακατευθύνετε από <code>https</code> σε <code>http</code> το οποίο δεν είναι ασφαλές. Είστε σίγουροι ότι θέλετε να συνεχίσετε;",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Μη έμπιστη ανακατεύθυνση",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "Προσπαθείτε να ανακατευθύνετε σε ένα domain που δεν ταιριάζει με το ρυθμισμένο domain σας (<code>{{cookieDomain}}</code>). Είστε βέβαιοι ότι θέλετε να συνεχίσετε;",
    "logoutFailTitle": "Αποτυχία αποσύνδεσης",
    "logoutFailSubtitle": "Παρακαλώ δοκιμάστε ξανά",
    "logoutSuccessTitle": "Αποσυνδεδεμένος",
@@ -55,8 +55,8 @@
    "forgotPasswordMessage": "Μπορείτε να επαναφέρετε τον κωδικό πρόσβασής σας αλλάζοντας τη μεταβλητή περιβάλλοντος `USERS`.",
    "fieldRequired": "Αυτό το πεδίο είναι υποχρεωτικό",
    "invalidInput": "Μη έγκυρη καταχώρηση",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Μη έγκυρο domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Αυτή η εφαρμογή έχει ρυθμιστεί για πρόσβαση από <code>{{appUrl}}</code>, αλλά <code>{{currentUrl}}</code> χρησιμοποιείται. Αν συνεχίσετε, μπορεί να αντιμετωπίσετε προβλήματα με την ταυτοποίηση.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "Παράβλεψη",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Μεταβείτε στο σωστό domain"
 }
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -14,14 +14,17 @@
    "loginOauthFailSubtitle": "Failed to get OAuth URL",
    "loginOauthSuccessTitle": "Redirecting",
    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
    "loginOauthAutoRedirectButton": "Redirect now",
    "continueTitle": "Continue",
    "continueRedirectingTitle": "Redirecting...",
    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueInvalidRedirectTitle": "Invalid redirect",
+    "continueRedirectManually": "Redirect me manually",
    "continueInvalidRedirectSubtitle": "The redirect URL is invalid",
    "continueInsecureRedirectTitle": "Insecure redirect",
    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
-    "continueTitle": "Continue",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
-    "continueSubtitle": "Click the button to continue to your app.",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
    "logoutFailTitle": "Failed to log out",
    "logoutFailSubtitle": "Please try again",
    "logoutSuccessTitle": "Logged out",
@@ -44,8 +47,6 @@
    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
    "unauthorizedButton": "Try again",
    "untrustedRedirectTitle": "Untrusted redirect",
    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{domain}}</code>). Are you sure you want to continue?",
    "cancelTitle": "Cancel",
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
@@ -53,5 +54,9 @@
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
-    "invalidInput": "Invalid input"
+    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
    "goToCorrectDomainTitle": "Go to correct domain"
 }
--- a/frontend/src/lib/i18n/locales/fi-FI.json
+++ b/frontend/src/lib/i18n/locales/fi-FI.json
@@ -1,62 +1,62 @@
 {
-    "loginTitle": "Welcome back, login with",
+    "loginTitle": "Tervetuloa takaisin, kirjaudu sisään käyttäen",
-    "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "Tervetuloa takaisin, ole hyvä ja kirjaudu",
-    "loginDivider": "Or",
+    "loginDivider": "Tai",
-    "loginUsername": "Username",
+    "loginUsername": "Käyttäjätunnus",
-    "loginPassword": "Password",
+    "loginPassword": "Salasana",
-    "loginSubmit": "Login",
+    "loginSubmit": "Kirjaudu",
-    "loginFailTitle": "Failed to log in",
+    "loginFailTitle": "Kirjautuminen epäonnistui",
-    "loginFailSubtitle": "Please check your username and password",
+    "loginFailSubtitle": "Tarkista käyttäjätunnuksesi ja salasanasi",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "Kirjautuminen epäonnistui liian monta kertaa. Yritä myöhemmin uudelleen",
-    "loginSuccessTitle": "Logged in",
+    "loginSuccessTitle": "Olet kirjautunut sisään",
-    "loginSuccessSubtitle": "Welcome back!",
+    "loginSuccessSubtitle": "Tervetuloa takaisin!",
-    "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "Tapahtui virhe",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthFailSubtitle": "OAuthin URL-osoitteen haku epäonnistui",
-    "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessTitle": "Uudelleenohjataan",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthSuccessSubtitle": "Uudelleenohjaus OAuth -palveluntarjoajallesi",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "Automaattinen OAuth -uudelleenohjaus",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "Sinut ohjataan automaattisesti OAuth -palveluntarjoajallesi todentamista varten.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Siirry nyt",
-    "continueTitle": "Continue",
+    "continueTitle": "Jatka",
-    "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingTitle": "Uudelleenohjataan...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
+    "continueRedirectingSubtitle": "Sinun pitäisi ohjautua sovellukseen pian",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Siirrä minut manuaalisesti",
-    "continueInsecureRedirectTitle": "Insecure redirect",
+    "continueInsecureRedirectTitle": "Turvaton uudelleenohjaus",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "Yrität siirtyä suojatusta <code>https</code> -sivusta suojaamattomalle <code>http</code> -sivulle. Oletko varma, että haluat jatkaa?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Ei-luotettu uudelleenohjaus",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "Yrität uudelleenohjata domainiin, joka ei vastaa määritettyä verkkotunnusta (<code>{{cookieDomain}}</code>). Oletko varma, että haluat jatkaa?",
-    "logoutFailTitle": "Failed to log out",
+    "logoutFailTitle": "Uloskirjautuminen epäonnistui",
-    "logoutFailSubtitle": "Please try again",
+    "logoutFailSubtitle": "Ole hyvä ja yritä uudelleen",
-    "logoutSuccessTitle": "Logged out",
+    "logoutSuccessTitle": "Kirjauduttu ulos",
-    "logoutSuccessSubtitle": "You have been logged out",
+    "logoutSuccessSubtitle": "Sinut on kirjattu ulos",
-    "logoutTitle": "Logout",
+    "logoutTitle": "Kirjaudu ulos",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutUsernameSubtitle": "Olet kirjautuneena sisään tunnuksella <code>{{username}}</code>. Kirjaudu ulos alla olevasta painikkeesta.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutOauthSubtitle": "Olet kirjautuneena sisään tunnuksella <code>{{username}}</code> OAuth palvelun {{provider}} kautta. Kirjaudu ulos alla olevasta painikkeesta.",
-    "notFoundTitle": "Page not found",
+    "notFoundTitle": "Sivua ei löydy",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
+    "notFoundSubtitle": "Sivua, jota etsit ei ole olemassa.",
-    "notFoundButton": "Go home",
+    "notFoundButton": "Palaa kotinäkymään",
-    "totpFailTitle": "Failed to verify code",
+    "totpFailTitle": "Koodin vahvistus epäonnistui",
-    "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "Tarkista koodisi ja yritä uudelleen",
-    "totpSuccessTitle": "Verified",
+    "totpSuccessTitle": "Vahvistettu",
-    "totpSuccessSubtitle": "Redirecting to your app",
+    "totpSuccessSubtitle": "Uudelleenohjataan sovelluksellesi",
-    "totpTitle": "Enter your TOTP code",
+    "totpTitle": "Syötä TOTP -koodisi",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Ole hyvä ja syötä koodi todennussovelluksestasi.",
-    "unauthorizedTitle": "Unauthorized",
+    "unauthorizedTitle": "Ei sallittu",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "Käyttäjällä <code>{{username}}</code> ei ole pääsyä kohteeseen <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "Käyttäjällä <code>{{username}}</code> ei ole lupaa kirjautua.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "Käyttäjä <code>{{username}}</code> ei ole ryhmässä, joka vaaditaan pääsyyn kohteeseen <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "IP osoitteestasi <code>{{ip}}</code> ei ole pääsyä kohteeseen <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
+    "unauthorizedButton": "Yritä uudelleen",
-    "cancelTitle": "Cancel",
+    "cancelTitle": "Peruuta",
-    "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Unohditko salasanasi?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Todennuspalvelujen tarjoajien lataaminen epäonnistui. Tarkista määrityksesi.",
-    "errorTitle": "An error occurred",
+    "errorTitle": "Tapahtui virhe",
-    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
+    "errorSubtitle": "Tapahtui virhe yritettäessä suorittaa tämä toiminto. Ole hyvä ja tarkista konsoli saadaksesi lisätietoja.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "Voit nollata salasanasi vaihtamalla ympäristömuuttujan `USERS`.",
-    "fieldRequired": "This field is required",
+    "fieldRequired": "Tämä kenttä on pakollinen",
-    "invalidInput": "Invalid input",
+    "invalidInput": "Virheellinen syöte",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Virheellinen verkkotunnus",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Tämä instanssi on määritelty käyttämään osoitetta <code>{{appUrl}}</code>, mutta nykyinen osoite on <code>{{currentUrl}}</code>. Jos jatkat, saatat törmätä ongelmiin autentikoinnissa.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "Jätä huomiotta",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Siirry oikeaan verkkotunnukseen"
 }
--- a/frontend/src/lib/i18n/locales/fr-FR.json
+++ b/frontend/src/lib/i18n/locales/fr-FR.json
@@ -14,17 +14,17 @@
    "loginOauthFailSubtitle": "Impossible d'obtenir l'URL OAuth",
    "loginOauthSuccessTitle": "Redirection",
    "loginOauthSuccessSubtitle": "Redirection vers votre fournisseur OAuth",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "Redirection automatique OAuth",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "Vous allez être automatiquement redirigé vers votre fournisseur OAuth pour vous authentifier.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Rediriger",
    "continueTitle": "Continuer",
    "continueRedirectingTitle": "Redirection...",
    "continueRedirectingSubtitle": "Vous devriez être redirigé vers l'application bientôt",
    "continueRedirectManually": "Redirection manuelle",
    "continueInsecureRedirectTitle": "Redirection non sécurisée",
    "continueInsecureRedirectSubtitle": "Vous tentez de rediriger de <code>https</code> vers <code>http</code>, ce qui n'est pas sécurisé. Êtes-vous sûr de vouloir continuer ?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Redirection non sécurisée",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "Vous essayez de rediriger vers un domaine qui ne correspond pas à votre domaine configuré (<code>{{cookieDomain}}</code>). Êtes-vous sûr de vouloir continuer ?",
    "logoutFailTitle": "Échec de la déconnexion",
    "logoutFailSubtitle": "Veuillez réessayer",
    "logoutSuccessTitle": "Déconnecté",
@@ -55,8 +55,8 @@
    "forgotPasswordMessage": "Vous pouvez réinitialiser votre mot de passe en modifiant la variable d'environnement `USERS`.",
    "fieldRequired": "Ce champ est obligatoire",
    "invalidInput": "Saisie non valide",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Domaine invalide",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Cette instance est configurée pour être accédée depuis <code>{{appUrl}}</code>, mais <code>{{currentUrl}}</code> est utilisé. Si vous continuez, vous pourriez rencontrer des problèmes d'authentification.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "Ignorer",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Aller au bon domaine"
 }
--- a/frontend/src/lib/i18n/locales/pl-PL.json
+++ b/frontend/src/lib/i18n/locales/pl-PL.json
@@ -14,17 +14,17 @@
    "loginOauthFailSubtitle": "Nie udało się uzyskać adresu URL OAuth",
    "loginOauthSuccessTitle": "Przekierowywanie",
    "loginOauthSuccessSubtitle": "Przekierowywanie do Twojego dostawcy OAuth",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "Automatyczne przekierowanie OAuth",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "Nastąpi automatyczne przekierowanie do dostawcy OAuth w celu uwierzytelnienia.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Przekieruj teraz",
    "continueTitle": "Kontynuuj",
    "continueRedirectingTitle": "Przekierowywanie...",
    "continueRedirectingSubtitle": "Wkrótce powinieneś zostać przekierowany do aplikacji",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Przekieruj mnie ręcznie",
    "continueInsecureRedirectTitle": "Niezabezpieczone przekierowanie",
    "continueInsecureRedirectSubtitle": "Próbujesz przekierować z <code>https</code> do <code>http</code>, co nie jest bezpieczne. Czy na pewno chcesz kontynuować?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Niezaufane przekierowanie",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "Próbujesz przekierować do domeny, która nie pasuje do skonfigurowanej domeny (<code>{{cookieDomain}}</code>). Czy na pewno chcesz kontynuować?",
    "logoutFailTitle": "Nie udało się wylogować",
    "logoutFailSubtitle": "Spróbuj ponownie",
    "logoutSuccessTitle": "Wylogowano",
@@ -55,8 +55,8 @@
    "forgotPasswordMessage": "Możesz zresetować hasło, zmieniając zmienną środowiskową `USERS`.",
    "fieldRequired": "To pole jest wymagane",
    "invalidInput": "Nieprawidłowe dane wejściowe",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Nieprawidłowa domena",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Ta instancja jest skonfigurowana do uzyskania dostępu z <code>{{appUrl}}</code>, ale <code>{{currentUrl}}</code> jest w użyciu. Jeśli będziesz kontynuować, mogą wystąpić problemy z uwierzytelnianiem.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "Zignoruj",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Przejdź do prawidłowej domeny"
 }
--- a/frontend/src/lib/i18n/locales/pt-BR.json
+++ b/frontend/src/lib/i18n/locales/pt-BR.json
@@ -1,37 +1,37 @@
 {
    "loginTitle": "Bem-vindo de volta, acesse com",
-    "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "Bem-vindo de volta, faça o login",
-    "loginDivider": "Or",
+    "loginDivider": "Ou",
    "loginUsername": "Nome de usuário",
    "loginPassword": "Senha",
    "loginSubmit": "Entrar",
    "loginFailTitle": "Falha ao iniciar sessão",
    "loginFailSubtitle": "Por favor, verifique seu usuário e senha",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "Você falhou em iniciar sessão muitas vezes, por favor tente novamente mais tarde",
    "loginSuccessTitle": "Sessão Iniciada",
    "loginSuccessSubtitle": "Bem-vindo de volta!",
-    "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "Ocorreu um erro",
    "loginOauthFailSubtitle": "Falha ao obter URL de OAuth",
    "loginOauthSuccessTitle": "Redirecionando",
    "loginOauthSuccessSubtitle": "Redirecionando para seu provedor OAuth",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "Redirecionamento automático do OAuth",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "Você será automaticamente redirecionado para seu provedor OAuth para autenticar.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Redirecionar agora",
    "continueTitle": "Continuar",
    "continueRedirectingTitle": "Redirecionando...",
    "continueRedirectingSubtitle": "Você deve ser redirecionado para o aplicativo em breve",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Redirecionar-me manualmente",
    "continueInsecureRedirectTitle": "Redirecionamento inseguro",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "Você está tentando redirecionar de <code>https</code> para <code>http</code>, você tem certeza que deseja continuar?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Redirecionamento não confiável",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "Você está tentando redirecionar para um domínio que não corresponde ao seu domínio configurado (<code>{{cookieDomain}}</code>). Tem certeza que deseja continuar?",
    "logoutFailTitle": "Falha ao encerrar sessão",
    "logoutFailSubtitle": "Por favor, tente novamente",
    "logoutSuccessTitle": "Sessão encerrada",
    "logoutSuccessSubtitle": "Você foi desconectado",
    "logoutTitle": "Sair",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutUsernameSubtitle": "Você está atualmente logado como <code>{{username}}</code>, clique no botão abaixo para sair.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutOauthSubtitle": "Você está atualmente logado como <code>{{username}}</code> usando o provedor {{provider}} OAuth, clique no botão abaixo para sair.",
    "notFoundTitle": "Página não encontrada",
    "notFoundSubtitle": "A página que você está procurando não existe.",
    "notFoundButton": "Voltar para a tela inicial",
@@ -40,23 +40,23 @@
    "totpSuccessTitle": "Verificado",
    "totpSuccessSubtitle": "Redirecionando para o seu aplicativo",
    "totpTitle": "Insira o seu código TOTP",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Por favor, insira o código do seu aplicativo de autenticação.",
    "unauthorizedTitle": "Não autorizado",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "O usuário com nome de usuário <code>{{username}}</code> não está autorizado a acessar o recurso <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "O usuário com o nome <code>{{username}}</code> não está autorizado a acessar.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "O usuário  <code>{{username}}</code> não está autorizado a acessar o recurso <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Seu endereço IP <code>{{ip}}</code> não está autorizado a acessar o recurso <code>{{resource}}</code>.",
    "unauthorizedButton": "Tentar novamente",
    "cancelTitle": "Cancelar",
    "forgotPasswordTitle": "Esqueceu sua senha?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Falha ao carregar provedores de autenticação. Verifique sua configuração.",
-    "errorTitle": "An error occurred",
+    "errorTitle": "Ocorreu um erro",
-    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
+    "errorSubtitle": "Ocorreu um erro ao tentar executar esta ação. Por favor, verifique o console para mais informações.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "Você pode redefinir sua senha alterando a variável de ambiente `USERS`.",
-    "fieldRequired": "This field is required",
+    "fieldRequired": "Este campo é obrigatório",
-    "invalidInput": "Invalid input",
+    "invalidInput": "Entrada Inválida",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Domínio inválido",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Esta instância está configurada para ser acessada de <code>{{appUrl}}</code>, mas <code>{{currentUrl}}</code> está sendo usado. Se você continuar, você pode encontrar problemas com a autenticação.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "Ignorar",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Ir para o domínio correto"
 }
--- a/frontend/src/lib/i18n/locales/ru-RU.json
+++ b/frontend/src/lib/i18n/locales/ru-RU.json
@@ -11,24 +11,24 @@
    "loginSuccessTitle": "Вход выполнен",
    "loginSuccessSubtitle": "С возвращением!",
    "loginOauthFailTitle": "Произошла ошибка",
-    "loginOauthFailSubtitle": "Не удалось получить OAuth URL",
+    "loginOauthFailSubtitle": "Не удалось получить ссылку OAuth",
    "loginOauthSuccessTitle": "Перенаправление",
    "loginOauthSuccessSubtitle": "Перенаправление к поставщику OAuth",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "OAuth автоматическое перенаправление",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "Вы будете автоматически перенаправлены для авторизации у вашего поставщика OAuth.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Перенаправить сейчас",
    "continueTitle": "Продолжить",
    "continueRedirectingTitle": "Перенаправление...",
    "continueRedirectingSubtitle": "Скоро вы будете перенаправлены в приложение",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Перенаправить вручную",
    "continueInsecureRedirectTitle": "Небезопасное перенаправление",
    "continueInsecureRedirectSubtitle": "Попытка перенаправления с <code>https</code> на <code>http</code>, уверены, что хотите продолжить?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Недоверенное перенаправление",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "Вы пытаетесь перенаправить на домен, который не соответствует вашему настроенному домену (<code>{{cookieDomain}}</code>). Вы уверены, что хотите продолжить?",
    "logoutFailTitle": "Не удалось выйти",
    "logoutFailSubtitle": "Попробуйте ещё раз",
    "logoutSuccessTitle": "Выход",
-    "logoutSuccessSubtitle": "Вы вышли из системы",
+    "logoutSuccessSubtitle": "Вы вышли",
    "logoutTitle": "Выйти",
    "logoutUsernameSubtitle": "Вход выполнен как <code>{{username}}</code>, нажмите на кнопку ниже, чтобы выйти.",
    "logoutOauthSubtitle": "Вход выполнен как <code>{{username}}</code> с использованием {{provider}} OAuth, нажмите кнопку ниже, чтобы выйти.",
@@ -40,23 +40,23 @@
    "totpSuccessTitle": "Подтверждён",
    "totpSuccessSubtitle": "Перенаправление в приложение",
    "totpTitle": "Введите код TOTP",
-    "totpSubtitle": "Пожалуйста, введите код из вашего приложения-аутентификатора.",
+    "totpSubtitle": "Пожалуйста, введите код из вашего приложения авторизации.",
-    "unauthorizedTitle": "Доступ запрещен",
+    "unauthorizedTitle": "Доступ запрещён",
-    "unauthorizedResourceSubtitle": "Пользователю <code>{{username}}</code> не разрешен доступ к <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "Пользователю <code>{{username}}</code> не разрешён доступ к <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "Пользователю <code>{{username}}</code> не разрешен вход.",
+    "unauthorizedLoginSubtitle": "Пользователю <code>{{username}}</code> не разрешён вход.",
-    "unauthorizedGroupsSubtitle": "Пользователь <code>{{username}}</code> не состоит в группах, которым разрешен доступ к <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "Пользователь <code>{{username}}</code> не состоит в группах, которым разрешён доступ к <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Ваш IP адрес <code>{{ip}}</code> не авторизован для доступа к ресурсу <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Вашему IP-адресу <code>{{ip}}</code> не разрешён доступ к ресурсу <code>{{resource}}</code>.",
    "unauthorizedButton": "Повторить",
    "cancelTitle": "Отмена",
    "forgotPasswordTitle": "Забыли пароль?",
-    "failedToFetchProvidersTitle": "Не удалось загрузить провайдеров аутентификации. Пожалуйста, проверьте конфигурацию.",
+    "failedToFetchProvidersTitle": "Не удалось загрузить поставщика авторизации. Пожалуйста, проверьте конфигурацию.",
    "errorTitle": "Произошла ошибка",
    "errorSubtitle": "Произошла ошибка при попытке выполнить это действие. Проверьте консоль для дополнительной информации.",
    "forgotPasswordMessage": "Вы можете сбросить свой пароль, изменив переменную окружения `USERS`.",
    "fieldRequired": "Это поле является обязательным",
    "invalidInput": "Недопустимый ввод",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Неверный домен",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Этот экземпляр настроен на доступ к нему из <code>{{appUrl}}</code>, но <code>{{currentUrl}}</code> в настоящее время используется. Если вы продолжите, то могут возникнуть проблемы с авторизацией.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "Игнорировать",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Перейти к правильному домену"
 }
--- a/frontend/src/lib/i18n/locales/vi-VN.json
+++ b/frontend/src/lib/i18n/locales/vi-VN.json
@@ -48,10 +48,10 @@
    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
    "unauthorizedButton": "Try again",
    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Bạn quên mật khẩu?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Không tải được nhà cung cấp xác thực. Vui lòng kiểm tra cấu hình của bạn.",
    "errorTitle": "An error occurred",
-    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
+    "errorSubtitle": "Đã xảy ra lỗi khi thực hiện thao tác này. Vui lòng kiểm tra bảng điều khiển để biết thêm thông tin.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
--- a/frontend/src/lib/i18n/locales/zh-CN.json
+++ b/frontend/src/lib/i18n/locales/zh-CN.json
@@ -14,17 +14,17 @@
    "loginOauthFailSubtitle": "获取 OAuth URL 失败",
    "loginOauthSuccessTitle": "重定向中",
    "loginOauthSuccessSubtitle": "重定向到您的 OAuth 提供商",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "OAuth自动重定向",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "您将被自动重定向到您的 OAuth 提供商进行身份验证。",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "立即跳转",
    "continueTitle": "继续",
    "continueRedirectingTitle": "正在重定向……",
    "continueRedirectingSubtitle": "您应该很快被重定向到应用",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "请手动跳转",
    "continueInsecureRedirectTitle": "不安全的重定向",
    "continueInsecureRedirectSubtitle": "您正在尝试从<code>https</code>重定向到<code>http</code>可能存在风险。您确定要继续吗？",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "不可信的重定向",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "您尝试跳转的域名与配置的域名（<code>{{cookieDomain}}</code>）不匹配。是否继续？",
    "logoutFailTitle": "注销失败",
    "logoutFailSubtitle": "请重试",
    "logoutSuccessTitle": "已登出",
@@ -55,8 +55,8 @@
    "forgotPasswordMessage": "您可以通过更改 `USERS ` 环境变量重置您的密码。",
    "fieldRequired": "必添字段",
    "invalidInput": "无效的输入",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "无效域名",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "当前实例配置的访问地址为 <code>{{appUrl}}</code>，但您正在使用 <code>{{currentUrl}}</code>。若继续操作，可能会遇到身份验证问题。",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "忽略",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "转到正确的域名"
 }
--- a/frontend/src/lib/i18n/locales/zh-TW.json
+++ b/frontend/src/lib/i18n/locales/zh-TW.json
@@ -1,5 +1,5 @@
 {
-    "loginTitle": "歡迎回來，請用以下方式登入",
+    "loginTitle": "歡迎回來，請使用以下方式登入",
    "loginTitleSimple": "歡迎回來，請登入",
    "loginDivider": "或",
    "loginUsername": "帳號",
@@ -14,17 +14,17 @@
    "loginOauthFailSubtitle": "無法取得 OAuth 網址",
    "loginOauthSuccessTitle": "重新導向中",
    "loginOauthSuccessSubtitle": "正在將您重新導向至 OAuth 供應商",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "OAuth 自動跳轉",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "自動跳轉到 OAuth 供應商進行身份驗證。",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "立即重新導向",
    "continueTitle": "繼續",
    "continueRedirectingTitle": "重新導向中……",
    "continueRedirectingSubtitle": "您即將被重新導向至應用程式",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "手動重新導向",
    "continueInsecureRedirectTitle": "不安全的重新導向",
    "continueInsecureRedirectSubtitle": "您正嘗試從安全的 <code>https</code> 重新導向至不安全的 <code>http</code>。您確定要繼續嗎？",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "不受信任的重新導向",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "你嘗試重新導向的域名與設定不符(<code>{{cookieDomain}}</code>)。你確定要繼續嗎？",
    "logoutFailTitle": "登出失敗",
    "logoutFailSubtitle": "請再試一次",
    "logoutSuccessTitle": "登出成功",
@@ -52,11 +52,11 @@
    "failedToFetchProvidersTitle": "載入驗證供應商失敗。請檢查您的設定。",
    "errorTitle": "發生錯誤",
    "errorSubtitle": "執行此操作時發生錯誤。請檢查主控台以獲取更多資訊。",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "透過修改 `USERS` 環境變數，你可以重設你的密碼。",
-    "fieldRequired": "This field is required",
+    "fieldRequired": "此為必填欄位",
-    "invalidInput": "Invalid input",
+    "invalidInput": "無效的輸入",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "無效的網域",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "此服務設定為透過 <code>{{appUrl}}</code> 存取，但目前使用的是 <code>{{currentUrl}}</code>。若繼續操作，可能會遇到驗證問題。",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "忽略",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "前往正確域名"
 }
--- a/frontend/src/lib/utils.ts
+++ b/frontend/src/lib/utils.ts
@@ -9,7 +9,7 @@ export const isValidUrl = (url: string) => {
  try {
    new URL(url);
    return true;
-  } catch (e) {
+  } catch {
    return false;
  }
 };
--- a/frontend/src/main.tsx
+++ b/frontend/src/main.tsx
@@ -16,6 +16,7 @@ import { QueryClient, QueryClientProvider } from "@tanstack/react-query";
 import { AppContextProvider } from "./context/app-context.tsx";
 import { UserContextProvider } from "./context/user-context.tsx";
 import { Toaster } from "@/components/ui/sonner";
 import { ThemeProvider } from "./components/providers/theme-provider.tsx";
 const queryClient = new QueryClient();
@@ -24,25 +25,27 @@ createRoot(document.getElementById("root")!).render(
    <QueryClientProvider client={queryClient}>
      <AppContextProvider>
        <UserContextProvider>
-          <BrowserRouter>
+          <ThemeProvider defaultTheme="system" storageKey="tinyauth-theme">
-            <Routes>
+            <BrowserRouter>
-              <Route element={<Layout />} errorElement={<ErrorPage />}>
+              <Routes>
-                <Route path="/" element={<App />} />
+                <Route element={<Layout />} errorElement={<ErrorPage />}>
-                <Route path="/login" element={<LoginPage />} />
+                  <Route path="/" element={<App />} />
-                <Route path="/logout" element={<LogoutPage />} />
+                  <Route path="/login" element={<LoginPage />} />
-                <Route path="/continue" element={<ContinuePage />} />
+                  <Route path="/logout" element={<LogoutPage />} />
-                <Route path="/totp" element={<TotpPage />} />
+                  <Route path="/continue" element={<ContinuePage />} />
-                <Route
+                  <Route path="/totp" element={<TotpPage />} />
-                  path="/forgot-password"
+                  <Route
-                  element={<ForgotPasswordPage />}
+                    path="/forgot-password"
-                />
+                    element={<ForgotPasswordPage />}
-                <Route path="/unauthorized" element={<UnauthorizedPage />} />
+                  />
-                <Route path="/error" element={<ErrorPage />} />
+                  <Route path="/unauthorized" element={<UnauthorizedPage />} />
-                <Route path="*" element={<NotFoundPage />} />
+                  <Route path="/error" element={<ErrorPage />} />
-              </Route>
+                  <Route path="*" element={<NotFoundPage />} />
-            </Routes>
+                </Route>
-          </BrowserRouter>
+              </Routes>
-          <Toaster />
+            </BrowserRouter>
            <Toaster />
          </ThemeProvider>
        </UserContextProvider>
      </AppContextProvider>
    </QueryClientProvider>
--- a/frontend/src/pages/continue-page.tsx
+++ b/frontend/src/pages/continue-page.tsx
@@ -11,60 +11,105 @@ import { useUserContext } from "@/context/user-context";
 import { isValidUrl } from "@/lib/utils";
 import { Trans, useTranslation } from "react-i18next";
 import { Navigate, useLocation, useNavigate } from "react-router";
-import DOMPurify from "dompurify";
+import { useEffect, useState } from "react";
 import { useState } from "react";
 export const ContinuePage = () => {
  const { cookieDomain, disableUiWarnings } = useAppContext();
  const { isLoggedIn } = useUserContext();
  if (!isLoggedIn) {
    return <Navigate to="/login" />;
  }
  const { domain, disableContinue } = useAppContext();
  const { search } = useLocation();
  const [loading, setLoading] = useState(false);
  const searchParams = new URLSearchParams(search);
  const redirectURI = searchParams.get("redirect_uri");
  if (!redirectURI) {
    return <Navigate to="/logout" />;
  }
  if (!isValidUrl(DOMPurify.sanitize(redirectURI))) {
    return <Navigate to="/logout" />;
  }
  const handleRedirect = () => {
    setLoading(true);
    window.location.href = DOMPurify.sanitize(redirectURI);
  }
  if (disableContinue) {
    handleRedirect();
  }
  const { t } = useTranslation();
  const navigate = useNavigate();
-  const url = new URL(redirectURI);
+  const [loading, setLoading] = useState(false);
  const [showRedirectButton, setShowRedirectButton] = useState(false);
-  if (!(url.hostname == domain) && !url.hostname.endsWith(`.${domain}`)) {
+  const searchParams = new URLSearchParams(search);
  const redirectUri = searchParams.get("redirect_uri");
  const isValidRedirectUri =
    redirectUri !== null ? isValidUrl(redirectUri) : false;
  const redirectUriObj = isValidRedirectUri
    ? new URL(redirectUri as string)
    : null;
  const isTrustedRedirectUri =
    redirectUriObj !== null
      ? redirectUriObj.hostname === cookieDomain ||
        redirectUriObj.hostname.endsWith(`.${cookieDomain}`)
      : false;
  const isAllowedRedirectProto =
    redirectUriObj !== null
      ? redirectUriObj.protocol === "https:" ||
        redirectUriObj.protocol === "http:"
      : false;
  const isHttpsDowngrade =
    redirectUriObj !== null
      ? redirectUriObj.protocol === "http:" &&
        window.location.protocol === "https:"
      : false;
  const handleRedirect = () => {
    setLoading(true);
    window.location.assign(redirectUriObj!.toString());
  };
  useEffect(() => {
    if (!isLoggedIn) {
      return;
    }
    if (
      (!isValidRedirectUri ||
        !isAllowedRedirectProto ||
        !isTrustedRedirectUri ||
        isHttpsDowngrade) &&
      !disableUiWarnings
    ) {
      return;
    }
    const auto = setTimeout(() => {
      handleRedirect();
    }, 100);
    const reveal = setTimeout(() => {
      setLoading(false);
      setShowRedirectButton(true);
    }, 5000);
    return () => {
      clearTimeout(auto);
      clearTimeout(reveal);
    };
  }, []);
  if (!isLoggedIn) {
    return (
-      <Card className="min-w-xs sm:min-w-sm">
+      <Navigate
        to={`/login?redirect_uri=${encodeURIComponent(redirectUri || "")}`}
        replace
      />
    );
  }
  if (!isValidRedirectUri || !isAllowedRedirectProto) {
    return <Navigate to="/logout" replace />;
  }
  if (!isTrustedRedirectUri && !disableUiWarnings) {
    return (
      <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
        <CardHeader>
          <CardTitle className="text-3xl">
-            {t("untrustedRedirectTitle")}
+            {t("continueUntrustedRedirectTitle")}
          </CardTitle>
          <CardDescription>
            <Trans
-              i18nKey="untrustedRedirectSubtitle"
+              i18nKey="continueUntrustedRedirectSubtitle"
              t={t}
              components={{
                code: <code />,
              }}
-              values={{ domain }}
+              values={{ cookieDomain }}
            />
          </CardDescription>
        </CardHeader>
@@ -76,7 +121,11 @@ export const ContinuePage = () => {
          >
            {t("continueTitle")}
          </Button>
-          <Button onClick={() => navigate("/logout")} variant="outline" disabled={loading}>
+          <Button
            onClick={() => navigate("/logout")}
            variant="outline"
            disabled={loading}
          >
            {t("cancelTitle")}
          </Button>
        </CardFooter>
@@ -84,9 +133,9 @@ export const ContinuePage = () => {
    );
  }
-  if (url.protocol === "http:" && window.location.protocol === "https:") {
+  if (isHttpsDowngrade && !disableUiWarnings) {
    return (
-      <Card className="min-w-xs sm:min-w-sm">
+      <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
        <CardHeader>
          <CardTitle className="text-3xl">
            {t("continueInsecureRedirectTitle")}
@@ -102,14 +151,14 @@ export const ContinuePage = () => {
          </CardDescription>
        </CardHeader>
        <CardFooter className="flex flex-col items-stretch gap-2">
-          <Button
+          <Button onClick={handleRedirect} loading={loading} variant="warning">
            onClick={handleRedirect}
            loading={loading}
            variant="warning"
          >
            {t("continueTitle")}
          </Button>
-          <Button onClick={() => navigate("/logout")} variant="outline" disabled={loading}>
+          <Button
            onClick={() => navigate("/logout")}
            variant="outline"
            disabled={loading}
          >
            {t("cancelTitle")}
          </Button>
        </CardFooter>
@@ -120,17 +169,18 @@ export const ContinuePage = () => {
  return (
    <Card className="min-w-xs sm:min-w-sm">
      <CardHeader>
-        <CardTitle className="text-3xl">{t("continueTitle")}</CardTitle>
+        <CardTitle className="text-3xl">
-        <CardDescription>{t("continueSubtitle")}</CardDescription>
+          {t("continueRedirectingTitle")}
        </CardTitle>
        <CardDescription>{t("continueRedirectingSubtitle")}</CardDescription>
      </CardHeader>
-      <CardFooter className="flex flex-col items-stretch">
+      {showRedirectButton && (
-        <Button
+        <CardFooter className="flex flex-col items-stretch">
-          onClick={handleRedirect}
+          <Button onClick={handleRedirect}>
-          loading={loading}
+            {t("continueRedirectManually")}
-        >
+          </Button>
-          {t("continueTitle")}
+        </CardFooter>
-        </Button>
+      )}
      </CardFooter>
    </Card>
  );
 };
--- a/frontend/src/pages/login-page.tsx
+++ b/frontend/src/pages/login-page.tsx
@@ -1,46 +1,59 @@
 import { LoginForm } from "@/components/auth/login-form";
 import { GenericIcon } from "@/components/icons/generic";
 import { GithubIcon } from "@/components/icons/github";
 import { GoogleIcon } from "@/components/icons/google";
 import { MicrosoftIcon } from "@/components/icons/microsoft";
 import { OAuthIcon } from "@/components/icons/oauth";
 import { PocketIDIcon } from "@/components/icons/pocket-id";
 import { TailscaleIcon } from "@/components/icons/tailscale";
 import { Button } from "@/components/ui/button";
 import {
  Card,
  CardHeader,
  CardTitle,
  CardDescription,
  CardContent,
  CardFooter,
 } from "@/components/ui/card";
 import { OAuthButton } from "@/components/ui/oauth-button";
 import { SeperatorWithChildren } from "@/components/ui/separator";
 import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
 import { useIsMounted } from "@/lib/hooks/use-is-mounted";
 import { LoginSchema } from "@/schemas/login-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios, { AxiosError } from "axios";
-import { useEffect } from "react";
+import { useEffect, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
 const iconMap: Record<string, React.ReactNode> = {
  google: <GoogleIcon />,
  github: <GithubIcon />,
  tailscale: <TailscaleIcon />,
  microsoft: <MicrosoftIcon />,
  pocketid: <PocketIDIcon />,
 };
 export const LoginPage = () => {
  const { isLoggedIn } = useUserContext();
-
+  const { providers, title, oauthAutoRedirect } = useAppContext();
  if (isLoggedIn) {
    return <Navigate to="/logout" />;
  }
  const { configuredProviders, title, oauthAutoRedirect, genericName } = useAppContext();
  const { search } = useLocation();
  const { t } = useTranslation();
-  const isMounted = useIsMounted();
+  const [oauthAutoRedirectHandover, setOauthAutoRedirectHandover] =
    useState(false);
  const [showRedirectButton, setShowRedirectButton] = useState(false);
  const redirectTimer = useRef<number | null>(null);
  const redirectButtonTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
  const redirectUri = searchParams.get("redirect_uri");
-  const oauthConfigured =
+  const oauthProviders = providers.filter(
-    configuredProviders.filter((provider) => provider !== "username").length >
+    (provider) => provider.id !== "username",
-    0;
+  );
-  const userAuthConfigured = configuredProviders.includes("username");
+  const userAuthConfigured =
    providers.find((provider) => provider.id === "username") !== undefined;
  const oauthMutation = useMutation({
    mutationFn: (provider: string) =>
@@ -53,11 +66,12 @@ export const LoginPage = () => {
        description: t("loginOauthSuccessSubtitle"),
      });
-      setTimeout(() => {
+      redirectTimer.current = window.setTimeout(() => {
-        window.location.href = data.data.url;
+        window.location.replace(data.data.url);
      }, 500);
    },
    onError: () => {
      setOauthAutoRedirectHandover(false);
      toast.error(t("loginOauthFailTitle"), {
        description: t("loginOauthFailSubtitle"),
      });
@@ -65,7 +79,7 @@ export const LoginPage = () => {
  });
  const loginMutation = useMutation({
-    mutationFn: (values: LoginSchema) => axios.post("/api/login", values),
+    mutationFn: (values: LoginSchema) => axios.post("/api/user/login", values),
    mutationKey: ["login"],
    onSuccess: (data) => {
      if (data.data.totpPending) {
@@ -79,7 +93,7 @@ export const LoginPage = () => {
        description: t("loginSuccessSubtitle"),
      });
-      setTimeout(() => {
+      redirectTimer.current = window.setTimeout(() => {
        window.location.replace(
          `/continue?redirect_uri=${encodeURIComponent(redirectUri ?? "")}`,
        );
@@ -96,63 +110,100 @@ export const LoginPage = () => {
  });
  useEffect(() => {
-    if (isMounted()) {
+    if (
-      if (
+      providers.find((provider) => provider.id === oauthAutoRedirect) &&
-        oauthConfigured &&
+      !isLoggedIn &&
-        configuredProviders.includes(oauthAutoRedirect) &&
+      redirectUri
-        redirectUri
+    ) {
-      ) {
+      // Not sure of a better way to do this
-        oauthMutation.mutate(oauthAutoRedirect);
+      // eslint-disable-next-line react-hooks/set-state-in-effect
-      }
+      setOauthAutoRedirectHandover(true);
      oauthMutation.mutate(oauthAutoRedirect);
      redirectButtonTimer.current = window.setTimeout(() => {
        setShowRedirectButton(true);
      }, 5000);
    }
  }, []);
  useEffect(
    () => () => {
      if (redirectTimer.current) clearTimeout(redirectTimer.current);
      if (redirectButtonTimer.current)
        clearTimeout(redirectButtonTimer.current);
    },
    [],
  );
  if (isLoggedIn && redirectUri) {
    return (
      <Navigate
        to={`/continue?redirect_uri=${encodeURIComponent(redirectUri)}`}
        replace
      />
    );
  }
  if (isLoggedIn) {
    return <Navigate to="/logout" replace />;
  }
  if (oauthAutoRedirectHandover) {
    return (
      <Card className="min-w-xs sm:min-w-sm">
        <CardHeader>
          <CardTitle className="text-3xl">
            {t("loginOauthAutoRedirectTitle")}
          </CardTitle>
          <CardDescription>
            {t("loginOauthAutoRedirectSubtitle")}
          </CardDescription>
        </CardHeader>
        {showRedirectButton && (
          <CardFooter className="flex flex-col items-stretch">
            <Button
              onClick={() => {
                window.location.replace(oauthMutation.data?.data.url);
              }}
            >
              {t("loginOauthAutoRedirectButton")}
            </Button>
          </CardFooter>
        )}
      </Card>
    );
  }
  return (
    <Card className="min-w-xs sm:min-w-sm">
      <CardHeader>
        <CardTitle className="text-center text-3xl">{title}</CardTitle>
-        {configuredProviders.length > 0 && (
+        {providers.length > 0 && (
          <CardDescription className="text-center">
-            {oauthConfigured ? t("loginTitle") : t("loginTitleSimple")}
+            {oauthProviders.length !== 0
              ? t("loginTitle")
              : t("loginTitleSimple")}
          </CardDescription>
        )}
      </CardHeader>
      <CardContent className="flex flex-col gap-4">
-        {oauthConfigured && (
+        {oauthProviders.length !== 0 && (
          <div className="flex flex-col gap-2 items-center justify-center">
-            {configuredProviders.includes("google") && (
+            {oauthProviders.map((provider) => (
              <OAuthButton
-                title="Google"
+                key={provider.id}
-                icon={<GoogleIcon />}
+                title={provider.name}
                icon={iconMap[provider.id] ?? <OAuthIcon />}
                className="w-full"
-                onClick={() => oauthMutation.mutate("google")}
+                onClick={() => oauthMutation.mutate(provider.id)}
-                loading={oauthMutation.isPending && oauthMutation.variables === "google"}
+                loading={
                  oauthMutation.isPending &&
                  oauthMutation.variables === provider.id
                }
                disabled={oauthMutation.isPending || loginMutation.isPending}
              />
-            )}
+            ))}
            {configuredProviders.includes("github") && (
              <OAuthButton
                title="Github"
                icon={<GithubIcon />}
                className="w-full"
                onClick={() => oauthMutation.mutate("github")}
                loading={oauthMutation.isPending && oauthMutation.variables === "github"}
                disabled={oauthMutation.isPending || loginMutation.isPending}
              />
            )}
            {configuredProviders.includes("generic") && (
              <OAuthButton
                title={genericName}
                icon={<GenericIcon />}
                className="w-full"
                onClick={() => oauthMutation.mutate("generic")}
                loading={oauthMutation.isPending && oauthMutation.variables === "generic"}
                disabled={oauthMutation.isPending || loginMutation.isPending}
              />
            )}
          </div>
        )}
-        {userAuthConfigured && oauthConfigured && (
+        {userAuthConfigured && oauthProviders.length !== 0 && (
          <SeperatorWithChildren>{t("loginDivider")}</SeperatorWithChildren>
        )}
        {userAuthConfigured && (
@@ -161,7 +212,7 @@ export const LoginPage = () => {
            loading={loginMutation.isPending || oauthMutation.isPending}
          />
        )}
-        {configuredProviders.length == 0 && (
+        {providers.length == 0 && (
          <p className="text-center text-red-600 max-w-sm">
            {t("failedToFetchProvidersTitle")}
          </p>
--- a/frontend/src/pages/logout-page.tsx
+++ b/frontend/src/pages/logout-page.tsx
@@ -6,35 +6,30 @@ import {
  CardHeader,
  CardTitle,
 } from "@/components/ui/card";
 import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
 import { capitalize } from "@/lib/utils";
 import { useMutation } from "@tanstack/react-query";
 import axios from "axios";
 import { useEffect, useRef } from "react";
 import { Trans, useTranslation } from "react-i18next";
 import { Navigate } from "react-router";
 import { toast } from "sonner";
 export const LogoutPage = () => {
-  const { provider, username, isLoggedIn, email } = useUserContext();
+  const { provider, username, isLoggedIn, email, oauthName } = useUserContext();
  if (!isLoggedIn) {
    return <Navigate to="/login" />;
  }
  const { genericName } = useAppContext();
  const { t } = useTranslation();
  const redirectTimer = useRef<number | null>(null);
  const logoutMutation = useMutation({
-    mutationFn: () => axios.post("/api/logout"),
+    mutationFn: () => axios.post("/api/user/logout"),
    mutationKey: ["logout"],
    onSuccess: () => {
      toast.success(t("logoutSuccessTitle"), {
        description: t("logoutSuccessSubtitle"),
      });
-      setTimeout(async () => {
+      redirectTimer.current = window.setTimeout(() => {
-        window.location.replace("/login");
+        window.location.assign("/login");
      }, 500);
    },
    onError: () => {
@@ -44,6 +39,17 @@ export const LogoutPage = () => {
    },
  });
  useEffect(
    () => () => {
      if (redirectTimer.current) clearTimeout(redirectTimer.current);
    },
    [],
  );
  if (!isLoggedIn) {
    return <Navigate to="/login" replace />;
  }
  return (
    <Card className="min-w-xs sm:min-w-sm">
      <CardHeader>
@@ -58,8 +64,7 @@ export const LogoutPage = () => {
              }}
              values={{
                username: email,
-                provider:
+                provider: oauthName,
                  provider === "generic" ? genericName : capitalize(provider),
              }}
            />
          ) : (
--- a/frontend/src/pages/totp-page.tsx
+++ b/frontend/src/pages/totp-page.tsx
@@ -12,34 +12,31 @@ import { useUserContext } from "@/context/user-context";
 import { TotpSchema } from "@/schemas/totp-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios from "axios";
-import { useId } from "react";
+import { useEffect, useId, useRef } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
 export const TotpPage = () => {
  const { totpPending } = useUserContext();
  if (!totpPending) {
    return <Navigate to="/" />;
  }
  const { t } = useTranslation();
  const { search } = useLocation();
  const formId = useId();
  const redirectTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
  const redirectUri = searchParams.get("redirect_uri");
  const totpMutation = useMutation({
-    mutationFn: (values: TotpSchema) => axios.post("/api/totp", values),
+    mutationFn: (values: TotpSchema) => axios.post("/api/user/totp", values),
    mutationKey: ["totp"],
    onSuccess: () => {
      toast.success(t("totpSuccessTitle"), {
        description: t("totpSuccessSubtitle"),
      });
-      setTimeout(() => {
+      redirectTimer.current = window.setTimeout(() => {
        window.location.replace(
          `/continue?redirect_uri=${encodeURIComponent(redirectUri ?? "")}`,
        );
@@ -52,6 +49,17 @@ export const TotpPage = () => {
    },
  });
  useEffect(
    () => () => {
      if (redirectTimer.current) clearTimeout(redirectTimer.current);
    },
    [],
  );
  if (!totpPending) {
    return <Navigate to="/" replace />;
  }
  return (
    <Card className="min-w-xs sm:min-w-sm">
      <CardHeader>
--- a/frontend/src/pages/unauthorized-page.tsx
+++ b/frontend/src/pages/unauthorized-page.tsx
@@ -12,6 +12,10 @@ import { Navigate, useLocation, useNavigate } from "react-router";
 export const UnauthorizedPage = () => {
  const { search } = useLocation();
  const { t } = useTranslation();
  const navigate = useNavigate();
  const [loading, setLoading] = useState(false);
  const searchParams = new URLSearchParams(search);
  const username = searchParams.get("username");
@@ -19,19 +23,15 @@ export const UnauthorizedPage = () => {
  const groupErr = searchParams.get("groupErr");
  const ip = searchParams.get("ip");
  if (!username && !ip) {
    return <Navigate to="/" />;
  }
  const { t } = useTranslation();
  const navigate = useNavigate();
  const [loading, setLoading] = useState(false);
  const handleRedirect = () => {
    setLoading(true);
    navigate("/login");
  };
  if (!username && !ip) {
    return <Navigate to="/" />;
  }
  let i18nKey = "unauthorizedLoginSubtitle";
  if (resource) {
--- a/frontend/src/schemas/app-context-schema.ts
+++ b/frontend/src/schemas/app-context-schema.ts
@@ -1,14 +1,20 @@
 import { z } from "zod";
 export const providerSchema = z.object({
  id: z.string(),
  name: z.string(),
  oauth: z.boolean(),
 });
 export const appContextSchema = z.object({
-  configuredProviders: z.array(z.string()),
+  providers: z.array(providerSchema),
  disableContinue: z.boolean(),
  title: z.string(),
-  genericName: z.string(),
+  appUrl: z.string(),
-  domain: z.string(),
+  cookieDomain: z.string(),
  forgotPasswordMessage: z.string(),
  oauthAutoRedirect: z.enum(["none", "github", "google", "generic"]),
  backgroundImage: z.string(),
  oauthAutoRedirect: z.string(),
  disableUiWarnings: z.boolean(),
 });
 export type AppContextSchema = z.infer<typeof appContextSchema>;
--- a/frontend/src/schemas/user-context-schema.ts
+++ b/frontend/src/schemas/user-context-schema.ts
@@ -8,6 +8,7 @@ export const userContextSchema = z.object({
  provider: z.string(),
  oauth: z.boolean(),
  totpPending: z.boolean(),
  oauthName: z.string(),
 });
 export type UserContextSchema = z.infer<typeof userContextSchema>;
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -19,6 +19,11 @@ export default defineConfig({
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/api/, ""),
      },
      "/resources": {
        target: "http://tinyauth-backend:3000/resources",
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/resources/, ""),
      },
    },
    allowedHosts: true,
  },
--- a/go.mod
+++ b/go.mod
@@ -1,120 +1,126 @@
-module tinyauth
+module github.com/steveiliop56/tinyauth
-go 1.23.2
+go 1.24.0
 toolchain go1.24.3
 replace github.com/traefik/paerser v0.2.2 => ./paerser
 require (
-	github.com/gin-gonic/gin v1.10.1
+	github.com/cenkalti/backoff/v5 v5.0.3
-	github.com/go-playground/validator/v10 v10.27.0
+	github.com/charmbracelet/huh v0.8.0
-	github.com/google/go-querystring v1.1.0
+	github.com/docker/docker v28.5.2+incompatible
 	github.com/gin-gonic/gin v1.11.0
 	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/golang-migrate/migrate/v4 v4.19.1
 	github.com/google/go-querystring v1.2.0
 	github.com/google/uuid v1.6.0
 	github.com/mdp/qrterminal/v3 v3.2.1
 	github.com/pquerna/otp v1.5.0
 	github.com/rs/zerolog v1.34.0
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/viper v1.20.1
 	github.com/traefik/paerser v0.2.2
-	golang.org/x/crypto v0.40.0
+	github.com/weppos/publicsuffix-go v0.50.2
 	golang.org/x/crypto v0.46.0
 	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
 	golang.org/x/oauth2 v0.34.0
 	gotest.tools/v3 v3.5.2
 	modernc.org/sqlite v1.42.2
 )
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
-	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
+	github.com/Masterminds/semver/v3 v3.2.1 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
-	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-viper/mapstructure/v2 v2.3.0 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.34.0 // indirect
 	golang.org/x/term v0.33.0 // indirect
 	gotest.tools/v3 v3.5.2 // indirect
 	rsc.io/qr v0.2.0 // indirect
 )
 require (
 	github.com/Microsoft/go-winio v0.4.14 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/boombuler/barcode v1.0.2 // indirect
-	github.com/bytedance/sonic v1.12.7 // indirect
+	github.com/bytedance/sonic v1.14.0 // indirect
-	github.com/bytedance/sonic/loader v0.2.3 // indirect
+	github.com/bytedance/sonic/loader v0.3.0 // indirect
 	github.com/catppuccin/go v0.3.0 // indirect
-	github.com/charmbracelet/bubbles v0.21.0 // indirect
+	github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 // indirect
-	github.com/charmbracelet/bubbletea v1.3.4 // indirect
+	github.com/charmbracelet/bubbletea v1.3.6 // indirect
-	github.com/charmbracelet/huh v0.7.0
+	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
 	github.com/charmbracelet/lipgloss v1.1.0 // indirect
-	github.com/charmbracelet/x/ansi v0.8.0 // indirect
+	github.com/charmbracelet/x/ansi v0.9.3 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
-	github.com/cloudwego/base64x v0.1.4 // indirect
+	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/docker v28.3.2+incompatible
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.8 // indirect
+	github.com/gin-contrib/sse v1.1.0 // indirect
-	github.com/gin-contrib/sse v1.0.0 // indirect
+	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
-	github.com/go-ldap/ldap/v3 v3.4.11
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.28.0 // indirect
 	github.com/goccy/go-json v0.10.4 // indirect
-	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/goccy/go-yaml v1.18.0 // indirect
-	github.com/gorilla/securecookie v1.1.2 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/gorilla/sessions v1.4.0
+	github.com/huandu/xstrings v1.5.0 // indirect
-	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/imdario/mergo v0.3.11 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
 	github.com/magiconair/properties v1.8.10
 	github.com/mattn/go-colorable v0.1.14 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pquerna/otp v1.5.0
+	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.57.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/sagikazarmark/locafero v0.7.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
-	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
 	github.com/spf13/afero v1.12.0 // indirect
 	github.com/spf13/cast v1.7.1 // indirect
 	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
-	github.com/ugorji/go/codec v1.2.12 // indirect
+	github.com/ugorji/go/codec v1.3.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	go.opentelemetry.io/otel v1.34.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
-	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
-	go.opentelemetry.io/otel/trace v1.34.0 // indirect
+	go.opentelemetry.io/otel v1.37.0 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
-	go.uber.org/multierr v1.9.0 // indirect
+	go.opentelemetry.io/otel/metric v1.37.0 // indirect
-	golang.org/x/arch v0.13.0 // indirect
+	go.opentelemetry.io/otel/trace v1.37.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
+	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/oauth2 v0.30.0
+	golang.org/x/net v0.48.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.34.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
-	golang.org/x/text v0.27.0 // indirect
+	golang.org/x/term v0.38.0 // indirect
-	google.golang.org/protobuf v1.36.3 // indirect
+	golang.org/x/text v0.32.0 // indirect
 	google.golang.org/protobuf v1.36.9 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	modernc.org/libc v1.66.10 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	rsc.io/qr v0.2.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -2,44 +2,52 @@ github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEK
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
 github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
-github.com/Microsoft/go-winio v0.4.14 h1:+hMXMk01us9KgxGb7ftKQt2Xpf5hH/yky+TDA+qxleU=
+github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
-github.com/Microsoft/go-winio v0.4.14/go.mod h1:qXqCSQ3Xa7+6tgxaGTIe4Kpcdsi+P8jBhyzoq1bpyYA=
+github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
-github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
+github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
-github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
+github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
 github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
 github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
 github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
 github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
-github.com/aymanbagabas/go-udiff v0.2.0 h1:TK0fH4MteXUDspT88n8CKzvK0X9O2xu9yQjWpi6yML8=
+github.com/aymanbagabas/go-udiff v0.3.1 h1:LV+qyBQ2pqe0u42ZsUEtPiCaUoqgA9gYRDs3vj1nolY=
-github.com/aymanbagabas/go-udiff v0.2.0/go.mod h1:RE4Ex0qsGkTAJoQdQQCA0uG+nAzJO/pI/QwceO5fgrA=
+github.com/aymanbagabas/go-udiff v0.3.1/go.mod h1:G0fsKmG+P6ylD0r6N/KgQD/nWzgfnl8ZBcNLgcbrw8E=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.2 h1:79yrbttoZrLGkL/oOI8hBrUKucwOL0oOjUgEguGMcJ4=
 github.com/boombuler/barcode v1.0.2/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/bytedance/sonic v1.12.7 h1:CQU8pxOy9HToxhndH0Kx/S1qU/CuS9GnKYrGioDcU1Q=
+github.com/bytedance/sonic v1.14.0 h1:/OfKt8HFw0kh2rj8N0F6C/qPGRESq0BbaNZgcNXXzQQ=
-github.com/bytedance/sonic v1.12.7/go.mod h1:tnbal4mxOMju17EGfknm2XyYcpyCnIROYOEYuemj13I=
+github.com/bytedance/sonic v1.14.0/go.mod h1:WoEbx8WTcFJfzCe0hbmyTGrfjt8PzNEBdxlNUO24NhA=
-github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
+github.com/bytedance/sonic/loader v0.3.0 h1:dskwH8edlzNMctoruo8FPTJDF3vLtDT0sXZwvZJyqeA=
-github.com/bytedance/sonic/loader v0.2.3 h1:yctD0Q3v2NOGfSWPLPvG2ggA2kV6TS6s4wioyEqssH0=
+github.com/bytedance/sonic/loader v0.3.0/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
 github.com/bytedance/sonic/loader v0.2.3/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
 github.com/catppuccin/go v0.3.0 h1:d+0/YicIq+hSTo5oPuRi5kOpqkVA5tAsU6dNhvRu+aY=
 github.com/catppuccin/go v0.3.0/go.mod h1:8IHJuMGaUUjQM82qBrGNBv7LFq6JI3NnQCF6MOlZjpc=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
-github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
-github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
-github.com/charmbracelet/bubbles v0.21.0 h1:9TdC97SdRVg/1aaXNVWfFH3nnLAwOXr8Fn6u6mfQdFs=
+github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 h1:JFgG/xnwFfbezlUnFMJy0nusZvytYysV4SCS2cYbvws=
-github.com/charmbracelet/bubbles v0.21.0/go.mod h1:HF+v6QUR4HkEpz62dx7ym2xc71/KBHg+zKwJtMw+qtg=
+github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7/go.mod h1:ISC1gtLcVilLOf23wvTfoQuYbW2q0JevFxPfUzZ9Ybw=
-github.com/charmbracelet/bubbletea v1.3.4 h1:kCg7B+jSCFPLYRA52SDZjr51kG/fMUEoPoZrkaDHyoI=
+github.com/charmbracelet/bubbletea v1.3.6 h1:VkHIxPJQeDt0aFJIsVxw8BQdh/F/L2KKZGsK6et5taU=
-github.com/charmbracelet/bubbletea v1.3.4/go.mod h1:dtcUCyCGEX3g9tosuYiut3MXgY/Jsv9nKVdibKKRRXo=
+github.com/charmbracelet/bubbletea v1.3.6/go.mod h1:oQD9VCRQFF8KplacJLo28/jofOI2ToOfGYeFgBBxHOc=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
 github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
-github.com/charmbracelet/huh v0.7.0 h1:W8S1uyGETgj9Tuda3/JdVkc3x7DBLZYPZc4c+/rnRdc=
+github.com/charmbracelet/huh v0.8.0 h1:Xz/Pm2h64cXQZn/Jvele4J3r7DDiqFCNIVteYukxDvY=
-github.com/charmbracelet/huh v0.7.0/go.mod h1:UGC3DZHlgOKHvHC07a5vHag41zzhpPFj34U92sOmyuk=
+github.com/charmbracelet/huh v0.8.0/go.mod h1:5YVc+SlZ1IhQALxRPpkGwwEKftN/+OlJlnJYlDRFqN4=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
-github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
+github.com/charmbracelet/x/ansi v0.9.3 h1:BXt5DHS/MKF+LjuK4huWrC6NCvHtexww7dMayh6GXd0=
-github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q=
+github.com/charmbracelet/x/ansi v0.9.3/go.mod h1:3RQDQ6lDnROptfpWuUVIUG64bD2g2BgntdxH0Ya5TeE=
 github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
 github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
 github.com/charmbracelet/x/conpty v0.1.0 h1:4zc8KaIcbiL4mghEON8D72agYtSeIgq8FSThSPQIb+U=
@@ -56,9 +64,8 @@ github.com/charmbracelet/x/termios v0.1.1 h1:o3Q2bT8eqzGnGPOYheoYS8eEleT5ZVNYNy8
 github.com/charmbracelet/x/termios v0.1.1/go.mod h1:rB7fnv1TgOPOyyKRJ9o+AsTU/vK5WHJ2ivHeut/Pcwo=
 github.com/charmbracelet/x/xpty v0.1.2 h1:Pqmu4TEJ8KeA9uSkISKMU3f+C1F6OGBn8ABuGlqCbtI=
 github.com/charmbracelet/x/xpty v0.1.2/go.mod h1:XK2Z0id5rtLWcpeNiMYBccNNBrP2IJnzHI0Lq13Xzq4=
-github.com/cloudwego/base64x v0.1.4 h1:jwCgWpFanWmN8xoIUHa2rtzmkd5J2plF/dnLS6Xd/0Y=
+github.com/cloudwego/base64x v0.1.6 h1:t11wG9AECkCDk5fMSoxmufanudBtJ+/HemLstXDLI2M=
-github.com/cloudwego/base64x v0.1.4/go.mod h1:0zlkT4Wn5C6NdauXdJRhSKRlJvmclQ1hhJgA0rcu/8w=
+github.com/cloudwego/base64x v0.1.6/go.mod h1:OFcloc187FXDaYHvrNIjxSe8ncn0OOM8gEHfghB2IPU=
 github.com/cloudwego/iasm v0.2.0/go.mod h1:8rXZaNYT2n95jn+zTI1sDr+IgcD2GVs0nlbbQPiEFhY=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
 github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
 github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
@@ -66,16 +73,16 @@ github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmC
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
 github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
-github.com/docker/docker v28.3.2+incompatible h1:wn66NJ6pWB1vBZIilP8G3qQPqHy5XymfYn5vsqeA5oA=
+github.com/docker/docker v28.5.2+incompatible h1:DBX0Y0zAjZbSrm1uzOkdr1onVghKaftjlSWt4AFexzM=
-github.com/docker/docker v28.3.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
+github.com/docker/docker v28.5.2+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/go-connections v0.5.0 h1:USnMq7hx7gwdVZq1L49hLXaFtUdTADjXGp+uj1Br63c=
 github.com/docker/go-connections v0.5.0/go.mod h1:ov60Kzw0kKElRwhNs9UlUHAE/F9Fe6GLaXnqyDdmEXc=
 github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
@@ -88,21 +95,19 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
-github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/gabriel-vasile/mimetype v1.4.10 h1:zyueNbySn/z8mJZHLt6IPw0KoZsiQNszIpU+bX4+ZK0=
-github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/gabriel-vasile/mimetype v1.4.10/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
-github.com/gabriel-vasile/mimetype v1.4.8 h1:FfZ3gj38NjllZIeJAmMhr+qKL8Wu+nOoI3GqacKw1NM=
+github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
-github.com/gabriel-vasile/mimetype v1.4.8/go.mod h1:ByKUIKGjh1ODkGM1asKUbQZOLGrPjydw3hYPU2YU9t8=
+github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
-github.com/gin-contrib/sse v1.0.0 h1:y3bT1mUWUxDpW4JLQg/HnTqV4rozuW4tC9eFKTxYI9E=
+github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
-github.com/gin-contrib/sse v1.0.0/go.mod h1:zNuFdwarAygJBht0NTKiSi3jRf6RbqeILZ9Sp6Slhe0=
+github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
 github.com/gin-gonic/gin v1.10.1 h1:T0ujvqyCSqRopADpgPgiTT63DUQVSfojyME59Ei63pQ=
 github.com/gin-gonic/gin v1.10.1/go.mod h1:4PMNQiOhvDRa013RKVbsiNwoyezlm2rm0uX/T7kzp5Y=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-ldap/ldap/v3 v3.4.11 h1:4k0Yxweg+a3OyBLjdYn5OKglv18JNvfDykSoI8bW0gU=
+github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
-github.com/go-ldap/ldap/v3 v3.4.11/go.mod h1:bY7t0FLK8OAVpp/vV6sSlpz3EQDGcQwc8pF0ujLgKvM=
+github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
@@ -111,35 +116,35 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.27.0 h1:w8+XrWVMhGkxOaaowyKH35gFydVHOvC0/uWoy2Fzwn4=
+github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
-github.com/go-playground/validator/v10 v10.27.0/go.mod h1:I5QpIEbmr8On7W0TktmJAumgzX4CA1XNl4ZmDuVHKKo=
+github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
 github.com/go-viper/mapstructure/v2 v2.3.0 h1:27XbWsHIqhbdR5TIC911OfYvgSaW93HM+dX7970Q7jk=
 github.com/go-viper/mapstructure/v2 v2.3.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
 github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
 github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
-github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
 github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=
 github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
-github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
 github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 h1:VNqngBF40hVlDloBruUehVYC3ArSgIyScOAyMRqBxRg=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1/go.mod h1:RBRO7fro65R6tjKzYgLAFo0t1QEXY1Dp+i/bvpRiqiQ=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
-github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/imdario/mergo v0.3.11 h1:3tnifQM4i+fbajXKBHXWEH+KvNHqojZ778UH75j3bGA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -154,23 +159,18 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
-github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
-github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
 github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
 github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
 github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/magiconair/properties v1.8.10 h1:s31yESBquKXCV9a/ScB3ESkOjUYYv+X0rg8SYxI99mE=
 github.com/magiconair/properties v1.8.10/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
 github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
@@ -182,10 +182,18 @@ github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2J
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
 github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
 github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuErjs=
 github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mdp/qrterminal/v3 v3.2.1 h1:6+yQjiiOsSuXT5n9/m60E54vdgFsw0zhADHhHLrFet4=
 github.com/mdp/qrterminal/v3 v3.2.1/go.mod h1:jOTmXvnBsMy5xqLniO0R++Jmjs2sTm9dFSuQ5kpz/SU=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
@@ -207,19 +215,27 @@ github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELU
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
 github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
 github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
 github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
 github.com/opencontainers/image-spec v1.1.0/go.mod h1:W4s4sFTMaBeK1BQLXbG4AdM2szdn85PY75RI83NrTrM=
-github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
-github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
 github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
 github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
 github.com/quic-go/quic-go v0.57.0 h1:AsSSrrMs4qI/hLrKlTH/TGQeTMY0ib1pAOX7vA3AdqE=
 github.com/quic-go/quic-go v0.57.0/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -228,140 +244,156 @@ github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWN
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
-github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/sagikazarmark/locafero v0.7.0 h1:5MqpDsTGNDhY8sGp0Aowyf0qKsPrhewaLSsFaodPcyo=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
-github.com/sagikazarmark/locafero v0.7.0/go.mod h1:2za3Cg5rMaTMoG/2Ulr9AwtFaIppKXTRYnozin4aB5k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
+github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
-github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
+github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
-github.com/spf13/afero v1.12.0 h1:UcOPyRBYczmFn6yvphxkn9ZEOY65cpwGKb5mL36mrqs=
+github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
 github.com/spf13/afero v1.12.0/go.mod h1:ZTlWwG4/ahT8W7T0WQ5uYmjI9duaLQGy3Q2OAl4sk/4=
 github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
 github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
 github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
 github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
 github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
 github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
 github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/traefik/paerser v0.2.2 h1:cpzW/ZrQrBh3mdwD/jnp6aXASiUFKOVr6ldP+keJTcQ=
 github.com/traefik/paerser v0.2.2/go.mod h1:7BBDd4FANoVgaTZG+yh26jI6CA2nds7D/4VTEdIsh24=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
-github.com/ugorji/go/codec v1.2.12 h1:9LC83zGrHhuUA9l16C9AHXAqEV/2wBQ4nkvumAE65EE=
+github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
-github.com/ugorji/go/codec v1.2.12/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZgYf6w6lg=
+github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
 github.com/weppos/publicsuffix-go v0.50.2 h1:KsJFc8IEKTJovM46SRCnGNsM+rFShxcs6VEHjOJcXzE=
 github.com/weppos/publicsuffix-go v0.50.2/go.mod h1:CbQCKDtXF8UcT7hrxeMa0MDjwhpOI9iYOU7cfq+yo8k=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
-github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0 h1:TT4fX+nBOA/+LUkobKGW1ydGcn+G3vRw9+g5HwCphpk=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.54.0/go.mod h1:L7UH0GbB0p47T4Rri3uHjbpCFYrVrwc1I25QhNPiGK8=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0/go.mod h1:UHB22Z8QsdRDrnAtX4PntOl36ajSxcdUMt1sF7Y6E7Q=
-go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
+go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
-go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
+go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0 h1:OeNbIYk/2C15ckl7glBlOBp5+WlYsOElzTNmiPW/x60=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.34.0/go.mod h1:7Bept48yIeqxP2OZ9/AqIpYS94h2or0aB4FypJTc8ZM=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 h1:BEj3SPM81McUZHYjRS5pEgNgnmzGJ5tRpU5krWnV8Bs=
 go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0/go.mod h1:9cKLGBDzI/F3NoHLQGm4ZrYdIHsvGt6ej6hUowxY0J4=
-go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
+go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
-go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
+go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
-go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
+go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
-go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
+go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
-go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
+go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
-go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
+go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
 go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
 go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
-go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
-go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
-go.uber.org/multierr v1.9.0 h1:7fIwc/ZtS0q++VgcfqFDxSBZVv/Xo49/SYnDFupUwlI=
+golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
-go.uber.org/multierr v1.9.0/go.mod h1:X2jQV1h+kxSjClGpnseKVIxpmcjrj7MNnI0bnlfKTVQ=
+golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
 golang.org/x/arch v0.13.0 h1:KCkqVVV1kGg0X87TFysjCJ8MxtZEIU4Ja/yXGeoECdA=
 golang.org/x/arch v0.13.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d h1:jtJma62tbqLibJ5sFQz8bKtEM8rJBtfilJ2qTU199MI=
+golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
-golang.org/x/exp v0.0.0-20231006140011-7918f672742d/go.mod h1:ldy0pHrwJyGW56pPQzzkH36rKxoZW1tw7ZJpeKx+hdo=
+golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
-golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
-golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
-golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.41.0 h1:vBTly1HeNPEn3wtREYfy4GZ/NECgw2Cnl+nK6Nz3uvw=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
-golang.org/x/net v0.41.0/go.mod h1:B/K4NNqkfmg07DQYrbwvSluqCJOOXwUjeb/5lOisjbA=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
 golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
 golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
 golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
+golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
-golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
 golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ=
-golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c/go.mod h1:ea2MjsO70ssTfCjiwHgI0ZFqcw45Ksuk2ckf9G468GA=
-google.golang.org/genproto v0.0.0-20241118233622-e639e219e697 h1:ToEetK57OidYuqD4Q5w+vfEnPvPpuTwedCNVohYJfNk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c h1:qXWI/sQtv5UKboZ/zUk7h+mrf/lXORyI+n9DKDAusdg=
-google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f h1:gap6+3Gk41EItBuyi4XX/bp4oqJ3UwuIMl25yGinuAA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c/go.mod h1:gw1tLEfykwDz2ET4a12jcXt4couGAm7IwsVaTy0Sflo=
-google.golang.org/genproto/googleapis/api v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:Ic02D47M+zbarjYYUlK57y316f2MoN0gjAwI3f2S95o=
+google.golang.org/grpc v1.74.2 h1:WoosgB65DlWVC9FqI82dGsZhWFNBSLjQ84bjROOpMu4=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f h1:OxYkA3wjPsZyBylwymxSHa7ViiW1Sml4ToBrncvFehI=
+google.golang.org/grpc v1.74.2/go.mod h1:CtQ+BGjaAIXHs/5YS3i473GqwBBa1zGQNevxdeBEXrM=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f/go.mod h1:+2Yz8+CLJbIfL9z73EW45avw8Lmge3xVElCP9zEKi50=
+google.golang.org/protobuf v1.36.9 h1:w2gp2mA27hUeUzj9Ex9FBjsBm40zfaDtEWow293U7Iw=
-google.golang.org/grpc v1.69.4 h1:MF5TftSMkd8GLw/m0KM6V8CMOCY6NZ1NQDPGFgbTt4A=
+google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
 google.golang.org/grpc v1.69.4/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
 google.golang.org/protobuf v1.36.3 h1:82DV7MYdb8anAVi3qge1wSnMDrnKK7ebr+I0hHRN1BU=
 google.golang.org/protobuf v1.36.3/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-nullprogram.com/x/optparse v1.0.0/go.mod h1:KdyPE+Igbe0jQUrVfMqDMeJQIJZEuyV7pjYmp6pbG50=
+modernc.org/cc/v4 v4.26.5 h1:xM3bX7Mve6G8K8b+T11ReenJOT+BmVqQj0FY5T4+5Y4=
 modernc.org/cc/v4 v4.26.5/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
 modernc.org/ccgo/v4 v4.28.1 h1:wPKYn5EC/mYTqBO373jKjvX2n+3+aK7+sICCv4Fjy1A=
 modernc.org/ccgo/v4 v4.28.1/go.mod h1:uD+4RnfrVgE6ec9NGguUNdhqzNIeeomeXf6CL0GTE5Q=
 modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
 modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
 modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
 modernc.org/libc v1.66.10 h1:yZkb3YeLx4oynyR+iUsXsybsX4Ubx7MQlSYEw4yj59A=
 modernc.org/libc v1.66.10/go.mod h1:8vGSEwvoUoltr4dlywvHqjtAqHBaw0j1jI7iFBTAr2I=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
 modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
 modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
 modernc.org/sqlite v1.42.2 h1:7hkZUNJvJFN2PgfUdjni9Kbvd4ef4mNLOu0B9FGxM74=
 modernc.org/sqlite v1.42.2/go.mod h1:+VkC6v3pLOAE0A0uVucQEcbVW0I5nHCeDaBf+DpsQT8=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
 modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 rsc.io/qr v0.2.0 h1:6vBLea5/NRMVTz8V66gipeLycZMl/+UlFmk8DvqQ6WY=
 rsc.io/qr v0.2.0/go.mod h1:IF+uZjkb9fqyeF/4tlBoynqmQxUoPfWEKh921coOuXs=
--- a/internal/assets/assets.go
+++ b/internal/assets/assets.go
@@ -4,7 +4,12 @@ import (
 	"embed"
 )
-// UI assets
+// Frontend
 //
 //go:embed dist
-var Assets embed.FS
+var FrontendAssets embed.FS
 // Migrations
 //
 //go:embed migrations/*.sql
 var Migrations embed.FS
--- a/internal/assets/migrations/000001_init_sqlite.down.sql
+++ b/internal/assets/migrations/000001_init_sqlite.down.sql
@@ -0,0 +1 @@
 DROP TABLE IF EXISTS "sessions";
--- a/internal/assets/migrations/000001_init_sqlite.up.sql
+++ b/internal/assets/migrations/000001_init_sqlite.up.sql
@@ -0,0 +1,10 @@
 CREATE TABLE IF NOT EXISTS "sessions" (
    "uuid" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "username" TEXT NOT NULL,
    "email" TEXT NOT NULL,
    "name" TEXT NOT NULL,
    "provider" TEXT NOT NULL,
    "totp_pending" BOOLEAN NOT NULL,
    "oauth_groups" TEXT NULL,
    "expiry" INTEGER NOT NULL
 );
--- a/internal/assets/migrations/000002_oauth_name.down.sql
+++ b/internal/assets/migrations/000002_oauth_name.down.sql
@@ -0,0 +1 @@
 ALTER TABLE "sessions" DROP COLUMN "oauth_name";
--- a/internal/assets/migrations/000002_oauth_name.up.sql
+++ b/internal/assets/migrations/000002_oauth_name.up.sql
@@ -0,0 +1,10 @@
 ALTER TABLE "sessions" ADD COLUMN "oauth_name" TEXT;
 UPDATE "sessions"
 SET "oauth_name" = CASE
  WHEN LOWER("provider") = 'github' THEN 'GitHub'
  WHEN LOWER("provider") = 'google' THEN 'Google'
  ELSE UPPER(SUBSTR("provider", 1, 1)) || SUBSTR("provider", 2)
 END
 WHERE "oauth_name" IS NULL AND "provider" IS NOT NULL;
--- a/internal/assets/migrations/000003_oauth_sub.down.sql
+++ b/internal/assets/migrations/000003_oauth_sub.down.sql
@@ -0,0 +1 @@
 ALTER TABLE "sessions" DROP COLUMN "oauth_sub";
--- a/internal/assets/migrations/000003_oauth_sub.up.sql
+++ b/internal/assets/migrations/000003_oauth_sub.up.sql
@@ -0,0 +1 @@
 ALTER TABLE "sessions" ADD COLUMN "oauth_sub" TEXT;
--- a/internal/assets/migrations/000004_created_at.down.sql
+++ b/internal/assets/migrations/000004_created_at.down.sql
@@ -0,0 +1 @@
 ALTER TABLE "sessions" DROP COLUMN "created_at";
--- a/internal/assets/migrations/000004_created_at.up.sql
+++ b/internal/assets/migrations/000004_created_at.up.sql
@@ -0,0 +1 @@
 ALTER TABLE "sessions" ADD COLUMN "created_at" INTEGER NOT NULL DEFAULT 0;
--- a/internal/assets/migrations/000005_ldap_groups.down.sql
+++ b/internal/assets/migrations/000005_ldap_groups.down.sql
@@ -0,0 +1 @@
 ALTER TABLE "sessions" DROP COLUMN "ldap_groups";
--- a/internal/assets/migrations/000005_ldap_groups.up.sql
+++ b/internal/assets/migrations/000005_ldap_groups.up.sql
@@ -0,0 +1 @@
 ALTER TABLE "sessions" ADD COLUMN "ldap_groups" TEXT;
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -1,452 +0,0 @@
 package auth
 import (
 	"fmt"
 	"regexp"
 	"strings"
 	"sync"
 	"time"
 	"tinyauth/internal/docker"
 	"tinyauth/internal/ldap"
 	"tinyauth/internal/types"
 	"tinyauth/internal/utils"
 	"github.com/gin-gonic/gin"
 	"github.com/gorilla/sessions"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/crypto/bcrypt"
 )
 type Auth struct {
 	Config        types.AuthConfig
 	Docker        *docker.Docker
 	LoginAttempts map[string]*types.LoginAttempt
 	LoginMutex    sync.RWMutex
 	Store         *sessions.CookieStore
 	LDAP          *ldap.LDAP
 }
 func NewAuth(config types.AuthConfig, docker *docker.Docker, ldap *ldap.LDAP) *Auth {
 	// Setup cookie store and create the auth service
 	store := sessions.NewCookieStore([]byte(config.HMACSecret), []byte(config.EncryptionSecret))
 	store.Options = &sessions.Options{
 		Path:     "/",
 		MaxAge:   config.SessionExpiry,
 		Secure:   config.CookieSecure,
 		HttpOnly: true,
 		Domain:   fmt.Sprintf(".%s", config.Domain),
 	}
 	return &Auth{
 		Config:        config,
 		Docker:        docker,
 		LoginAttempts: make(map[string]*types.LoginAttempt),
 		Store:         store,
 		LDAP:          ldap,
 	}
 }
 func (auth *Auth) GetSession(c *gin.Context) (*sessions.Session, error) {
 	session, err := auth.Store.Get(c.Request, auth.Config.SessionCookieName)
 	// If there was an error getting the session, it might be invalid so let's clear it and retry
 	if err != nil {
 		log.Error().Err(err).Msg("Invalid session, clearing cookie and retrying")
 		c.SetCookie(auth.Config.SessionCookieName, "", -1, "/", fmt.Sprintf(".%s", auth.Config.Domain), auth.Config.CookieSecure, true)
 		session, err = auth.Store.Get(c.Request, auth.Config.SessionCookieName)
 		if err != nil {
 			log.Error().Err(err).Msg("Failed to get session")
 			return nil, err
 		}
 	}
 	return session, nil
 }
 func (auth *Auth) SearchUser(username string) types.UserSearch {
 	log.Debug().Str("username", username).Msg("Searching for user")
 	// Check local users first
 	if auth.GetLocalUser(username).Username != "" {
 		log.Debug().Str("username", username).Msg("Found local user")
 		return types.UserSearch{
 			Username: username,
 			Type:     "local",
 		}
 	}
 	// If no user found, check LDAP
 	if auth.LDAP != nil {
 		log.Debug().Str("username", username).Msg("Checking LDAP for user")
 		userDN, err := auth.LDAP.Search(username)
 		if err != nil {
 			log.Warn().Err(err).Str("username", username).Msg("Failed to find user in LDAP")
 			return types.UserSearch{}
 		}
 		return types.UserSearch{
 			Username: userDN,
 			Type:     "ldap",
 		}
 	}
 	return types.UserSearch{
 		Type: "unknown",
 	}
 }
 func (auth *Auth) VerifyUser(search types.UserSearch, password string) bool {
 	// Authenticate the user based on the type
 	switch search.Type {
 	case "local":
 		// If local user, get the user and check the password
 		user := auth.GetLocalUser(search.Username)
 		return auth.CheckPassword(user, password)
 	case "ldap":
 		// If LDAP is configured, bind to the LDAP server with the user DN and password
 		if auth.LDAP != nil {
 			log.Debug().Str("username", search.Username).Msg("Binding to LDAP for user authentication")
 			err := auth.LDAP.Bind(search.Username, password)
 			if err != nil {
 				log.Warn().Err(err).Str("username", search.Username).Msg("Failed to bind to LDAP")
 				return false
 			}
 			// Rebind with the service account to reset the connection
 			err = auth.LDAP.Bind(auth.LDAP.Config.BindDN, auth.LDAP.Config.BindPassword)
 			if err != nil {
 				log.Error().Err(err).Msg("Failed to rebind with service account after user authentication")
 				return false
 			}
 			log.Debug().Str("username", search.Username).Msg("LDAP authentication successful")
 			return true
 		}
 	default:
 		log.Warn().Str("type", search.Type).Msg("Unknown user type for authentication")
 		return false
 	}
 	// If no user found or authentication failed, return false
 	log.Warn().Str("username", search.Username).Msg("User authentication failed")
 	return false
 }
 func (auth *Auth) GetLocalUser(username string) types.User {
 	// Loop through users and return the user if the username matches
 	log.Debug().Str("username", username).Msg("Searching for local user")
 	for _, user := range auth.Config.Users {
 		if user.Username == username {
 			return user
 		}
 	}
 	// If no user found, return an empty user
 	log.Warn().Str("username", username).Msg("Local user not found")
 	return types.User{}
 }
 func (auth *Auth) CheckPassword(user types.User, password string) bool {
 	return bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)) == nil
 }
 func (auth *Auth) IsAccountLocked(identifier string) (bool, int) {
 	auth.LoginMutex.RLock()
 	defer auth.LoginMutex.RUnlock()
 	// Return false if rate limiting is not configured
 	if auth.Config.LoginMaxRetries <= 0 || auth.Config.LoginTimeout <= 0 {
 		return false, 0
 	}
 	// Check if the identifier exists in the map
 	attempt, exists := auth.LoginAttempts[identifier]
 	if !exists {
 		return false, 0
 	}
 	// If account is locked, check if lock time has expired
 	if attempt.LockedUntil.After(time.Now()) {
 		// Calculate remaining lockout time in seconds
 		remaining := int(time.Until(attempt.LockedUntil).Seconds())
 		return true, remaining
 	}
 	// Lock has expired
 	return false, 0
 }
 func (auth *Auth) RecordLoginAttempt(identifier string, success bool) {
 	// Skip if rate limiting is not configured
 	if auth.Config.LoginMaxRetries <= 0 || auth.Config.LoginTimeout <= 0 {
 		return
 	}
 	auth.LoginMutex.Lock()
 	defer auth.LoginMutex.Unlock()
 	// Get current attempt record or create a new one
 	attempt, exists := auth.LoginAttempts[identifier]
 	if !exists {
 		attempt = &types.LoginAttempt{}
 		auth.LoginAttempts[identifier] = attempt
 	}
 	// Update last attempt time
 	attempt.LastAttempt = time.Now()
 	// If successful login, reset failed attempts
 	if success {
 		attempt.FailedAttempts = 0
 		attempt.LockedUntil = time.Time{} // Reset lock time
 		return
 	}
 	// Increment failed attempts
 	attempt.FailedAttempts++
 	// If max retries reached, lock the account
 	if attempt.FailedAttempts >= auth.Config.LoginMaxRetries {
 		attempt.LockedUntil = time.Now().Add(time.Duration(auth.Config.LoginTimeout) * time.Second)
 		log.Warn().Str("identifier", identifier).Int("timeout", auth.Config.LoginTimeout).Msg("Account locked due to too many failed login attempts")
 	}
 }
 func (auth *Auth) EmailWhitelisted(email string) bool {
 	return utils.CheckFilter(auth.Config.OauthWhitelist, email)
 }
 func (auth *Auth) CreateSessionCookie(c *gin.Context, data *types.SessionCookie) error {
 	log.Debug().Msg("Creating session cookie")
 	session, err := auth.GetSession(c)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to get session")
 		return err
 	}
 	log.Debug().Msg("Setting session cookie")
 	var sessionExpiry int
 	if data.TotpPending {
 		sessionExpiry = 3600
 	} else {
 		sessionExpiry = auth.Config.SessionExpiry
 	}
 	session.Values["username"] = data.Username
 	session.Values["name"] = data.Name
 	session.Values["email"] = data.Email
 	session.Values["provider"] = data.Provider
 	session.Values["expiry"] = time.Now().Add(time.Duration(sessionExpiry) * time.Second).Unix()
 	session.Values["totpPending"] = data.TotpPending
 	session.Values["oauthGroups"] = data.OAuthGroups
 	err = session.Save(c.Request, c.Writer)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to save session")
 		return err
 	}
 	return nil
 }
 func (auth *Auth) DeleteSessionCookie(c *gin.Context) error {
 	log.Debug().Msg("Deleting session cookie")
 	session, err := auth.GetSession(c)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to get session")
 		return err
 	}
 	// Delete all values in the session
 	for key := range session.Values {
 		delete(session.Values, key)
 	}
 	err = session.Save(c.Request, c.Writer)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to save session")
 		return err
 	}
 	return nil
 }
 func (auth *Auth) GetSessionCookie(c *gin.Context) (types.SessionCookie, error) {
 	log.Debug().Msg("Getting session cookie")
 	session, err := auth.GetSession(c)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to get session")
 		return types.SessionCookie{}, err
 	}
 	log.Debug().Msg("Got session")
 	username, usernameOk := session.Values["username"].(string)
 	email, emailOk := session.Values["email"].(string)
 	name, nameOk := session.Values["name"].(string)
 	provider, providerOK := session.Values["provider"].(string)
 	expiry, expiryOk := session.Values["expiry"].(int64)
 	totpPending, totpPendingOk := session.Values["totpPending"].(bool)
 	oauthGroups, oauthGroupsOk := session.Values["oauthGroups"].(string)
 	// If any data is missing, delete the session cookie
 	if !usernameOk || !providerOK || !expiryOk || !totpPendingOk || !emailOk || !nameOk || !oauthGroupsOk {
 		log.Warn().Msg("Session cookie is invalid")
 		auth.DeleteSessionCookie(c)
 		return types.SessionCookie{}, nil
 	}
 	// If the session cookie has expired, delete it
 	if time.Now().Unix() > expiry {
 		log.Warn().Msg("Session cookie expired")
 		auth.DeleteSessionCookie(c)
 		return types.SessionCookie{}, nil
 	}
 	log.Debug().Str("username", username).Str("provider", provider).Int64("expiry", expiry).Bool("totpPending", totpPending).Str("name", name).Str("email", email).Str("oauthGroups", oauthGroups).Msg("Parsed cookie")
 	return types.SessionCookie{
 		Username:    username,
 		Name:        name,
 		Email:       email,
 		Provider:    provider,
 		TotpPending: totpPending,
 		OAuthGroups: oauthGroups,
 	}, nil
 }
 func (auth *Auth) UserAuthConfigured() bool {
 	// If there are users or LDAP is configured, return true
 	return len(auth.Config.Users) > 0 || auth.LDAP != nil
 }
 func (auth *Auth) ResourceAllowed(c *gin.Context, context types.UserContext, labels types.Labels) bool {
 	if context.OAuth {
 		log.Debug().Msg("Checking OAuth whitelist")
 		return utils.CheckFilter(labels.OAuth.Whitelist, context.Email)
 	}
 	log.Debug().Msg("Checking users")
 	return utils.CheckFilter(labels.Users, context.Username)
 }
 func (auth *Auth) OAuthGroup(c *gin.Context, context types.UserContext, labels types.Labels) bool {
 	if labels.OAuth.Groups == "" {
 		return true
 	}
 	// Check if we are using the generic oauth provider
 	if context.Provider != "generic" {
 		log.Debug().Msg("Not using generic provider, skipping group check")
 		return true
 	}
 	// Split the groups by comma (no need to parse since they are from the API response)
 	oauthGroups := strings.Split(context.OAuthGroups, ",")
 	// For every group check if it is in the required groups
 	for _, group := range oauthGroups {
 		if utils.CheckFilter(labels.OAuth.Groups, group) {
 			log.Debug().Str("group", group).Msg("Group is in required groups")
 			return true
 		}
 	}
 	// No groups matched
 	log.Debug().Msg("No groups matched")
 	return false
 }
 func (auth *Auth) AuthEnabled(uri string, labels types.Labels) (bool, error) {
 	// If the label is empty, auth is enabled
 	if labels.Allowed == "" {
 		return true, nil
 	}
 	// Compile regex
 	regex, err := regexp.Compile(labels.Allowed)
 	// If there is an error, invalid regex, auth enabled
 	if err != nil {
 		log.Error().Err(err).Msg("Invalid regex")
 		return true, err
 	}
 	// If the regex matches the URI, auth is not enabled
 	if regex.MatchString(uri) {
 		return false, nil
 	}
 	// Auth enabled
 	return true, nil
 }
 func (auth *Auth) GetBasicAuth(c *gin.Context) *types.User {
 	username, password, ok := c.Request.BasicAuth()
 	if !ok {
 		return nil
 	}
 	return &types.User{
 		Username: username,
 		Password: password,
 	}
 }
 func (auth *Auth) CheckIP(labels types.Labels, ip string) bool {
 	// Check if the IP is in block list
 	for _, blocked := range labels.IP.Block {
 		res, err := utils.FilterIP(blocked, ip)
 		if err != nil {
 			log.Error().Err(err).Str("item", blocked).Msg("Invalid IP/CIDR in block list")
 			continue
 		}
 		if res {
 			log.Warn().Str("ip", ip).Str("item", blocked).Msg("IP is in blocked list, denying access")
 			return false
 		}
 	}
 	// For every IP in the allow list, check if the IP matches
 	for _, allowed := range labels.IP.Allow {
 		res, err := utils.FilterIP(allowed, ip)
 		if err != nil {
 			log.Error().Err(err).Str("item", allowed).Msg("Invalid IP/CIDR in allow list")
 			continue
 		}
 		if res {
 			log.Debug().Str("ip", ip).Str("item", allowed).Msg("IP is in allowed list, allowing access")
 			return true
 		}
 	}
 	// If not in allowed range and allowed range is not empty, deny access
 	if len(labels.IP.Allow) > 0 {
 		log.Warn().Str("ip", ip).Msg("IP not in allow list, denying access")
 		return false
 	}
 	log.Debug().Str("ip", ip).Msg("IP not in allow or block list, allowing by default")
 	return true
 }
 func (auth *Auth) BypassedIP(labels types.Labels, ip string) bool {
 	// For every IP in the bypass list, check if the IP matches
 	for _, bypassed := range labels.IP.Bypass {
 		res, err := utils.FilterIP(bypassed, ip)
 		if err != nil {
 			log.Error().Err(err).Str("item", bypassed).Msg("Invalid IP/CIDR in bypass list")
 			continue
 		}
 		if res {
 			log.Debug().Str("ip", ip).Str("item", bypassed).Msg("IP is in bypass list, allowing access")
 			return true
 		}
 	}
 	log.Debug().Str("ip", ip).Msg("IP not in bypass list, continuing with authentication")
 	return false
 }
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -1,146 +0,0 @@
 package auth_test
 import (
 	"testing"
 	"time"
 	"tinyauth/internal/auth"
 	"tinyauth/internal/types"
 )
 var config = types.AuthConfig{
 	Users:          types.Users{},
 	OauthWhitelist: "",
 	SessionExpiry:  3600,
 }
 func TestLoginRateLimiting(t *testing.T) {
 	// Initialize a new auth service with 3 max retries and 5 seconds timeout
 	config.LoginMaxRetries = 3
 	config.LoginTimeout = 5
 	authService := auth.NewAuth(config, nil, nil)
 	// Test identifier
 	identifier := "test_user"
 	// Test successful login - should not lock account
 	t.Log("Testing successful login")
 	authService.RecordLoginAttempt(identifier, true)
 	locked, _ := authService.IsAccountLocked(identifier)
 	if locked {
 		t.Fatalf("Account should not be locked after successful login")
 	}
 	// Test 2 failed attempts - should not lock account yet
 	t.Log("Testing 2 failed login attempts")
 	authService.RecordLoginAttempt(identifier, false)
 	authService.RecordLoginAttempt(identifier, false)
 	locked, _ = authService.IsAccountLocked(identifier)
 	if locked {
 		t.Fatalf("Account should not be locked after only 2 failed attempts")
 	}
 	// Add one more failed attempt (total 3) - should lock account with maxRetries=3
 	t.Log("Testing 3 failed login attempts")
 	authService.RecordLoginAttempt(identifier, false)
 	locked, remainingTime := authService.IsAccountLocked(identifier)
 	if !locked {
 		t.Fatalf("Account should be locked after reaching max retries")
 	}
 	if remainingTime <= 0 || remainingTime > 5 {
 		t.Fatalf("Expected remaining time between 1-5 seconds, got %d", remainingTime)
 	}
 	// Test reset after waiting for timeout - use 1 second timeout for fast testing
 	t.Log("Testing unlocking after timeout")
 	// Reinitialize auth service with a shorter timeout for testing
 	config.LoginTimeout = 1
 	config.LoginMaxRetries = 3
 	authService = auth.NewAuth(config, nil, nil)
 	// Add enough failed attempts to lock the account
 	for i := 0; i < 3; i++ {
 		authService.RecordLoginAttempt(identifier, false)
 	}
 	// Verify it's locked
 	locked, _ = authService.IsAccountLocked(identifier)
 	if !locked {
 		t.Fatalf("Account should be locked initially")
 	}
 	// Wait a bit and verify it gets unlocked after timeout
 	time.Sleep(1500 * time.Millisecond) // Wait longer than the timeout
 	locked, _ = authService.IsAccountLocked(identifier)
 	if locked {
 		t.Fatalf("Account should be unlocked after timeout period")
 	}
 	// Test disabled rate limiting
 	t.Log("Testing disabled rate limiting")
 	config.LoginMaxRetries = 0
 	config.LoginTimeout = 0
 	authService = auth.NewAuth(config, nil, nil)
 	for i := 0; i < 10; i++ {
 		authService.RecordLoginAttempt(identifier, false)
 	}
 	locked, _ = authService.IsAccountLocked(identifier)
 	if locked {
 		t.Fatalf("Account should not be locked when rate limiting is disabled")
 	}
 }
 func TestConcurrentLoginAttempts(t *testing.T) {
 	// Initialize a new auth service with 2 max retries and 5 seconds timeout
 	config.LoginMaxRetries = 2
 	config.LoginTimeout = 5
 	authService := auth.NewAuth(config, nil, nil)
 	// Test multiple identifiers
 	identifiers := []string{"user1", "user2", "user3"}
 	// Test that locking one identifier doesn't affect others
 	t.Log("Testing multiple identifiers")
 	// Add enough failed attempts to lock first user (2 attempts with maxRetries=2)
 	authService.RecordLoginAttempt(identifiers[0], false)
 	authService.RecordLoginAttempt(identifiers[0], false)
 	// Check if first user is locked
 	locked, _ := authService.IsAccountLocked(identifiers[0])
 	if !locked {
 		t.Fatalf("User1 should be locked after reaching max retries")
 	}
 	// Check that other users are not affected
 	for i := 1; i < len(identifiers); i++ {
 		locked, _ := authService.IsAccountLocked(identifiers[i])
 		if locked {
 			t.Fatalf("User%d should not be locked", i+1)
 		}
 	}
 	// Test successful login after failed attempts (but before lock)
 	t.Log("Testing successful login after failed attempts but before lock")
 	// One failed attempt for user2
 	authService.RecordLoginAttempt(identifiers[1], false)
 	// Successful login should reset the counter
 	authService.RecordLoginAttempt(identifiers[1], true)
 	// Now try a failed login again - should not be locked as counter was reset
 	authService.RecordLoginAttempt(identifiers[1], false)
 	locked, _ = authService.IsAccountLocked(identifiers[1])
 	if locked {
 		t.Fatalf("User2 should not be locked after successful login reset")
 	}
 }
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -0,0 +1,275 @@
 package bootstrap
 import (
 	"bytes"
 	"context"
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/url"
 	"os"
 	"sort"
 	"strings"
 	"time"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/rs/zerolog/log"
 )
 type BootstrapApp struct {
 	config  config.Config
 	context struct {
 		uuid                string
 		cookieDomain        string
 		sessionCookieName   string
 		csrfCookieName      string
 		redirectCookieName  string
 		users               []config.User
 		oauthProviders      map[string]config.OAuthServiceConfig
 		configuredProviders []controller.Provider
 	}
 	services Services
 }
 func NewBootstrapApp(config config.Config) *BootstrapApp {
 	return &BootstrapApp{
 		config: config,
 	}
 }
 func (app *BootstrapApp) Setup() error {
 	// validate session config
 	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
 		return fmt.Errorf("session max lifetime cannot be less than session expiry")
 	}
 	// Parse users
 	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile)
 	if err != nil {
 		return err
 	}
 	app.context.users = users
 	// Setup OAuth providers
 	app.context.oauthProviders = app.config.OAuth.Providers
 	for name, provider := range app.context.oauthProviders {
 		secret := utils.GetSecret(provider.ClientSecret, provider.ClientSecretFile)
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""
 		app.context.oauthProviders[name] = provider
 	}
 	for id := range config.OverrideProviders {
 		if provider, exists := app.context.oauthProviders[id]; exists {
 			if provider.RedirectURL == "" {
 				provider.RedirectURL = app.config.AppURL + "/api/oauth/callback/" + id
 				app.context.oauthProviders[id] = provider
 			}
 		}
 	}
 	for id, provider := range app.context.oauthProviders {
 		if provider.Name == "" {
 			if name, ok := config.OverrideProviders[id]; ok {
 				provider.Name = name
 			} else {
 				provider.Name = utils.Capitalize(id)
 			}
 		}
 		app.context.oauthProviders[id] = provider
 	}
 	// Get cookie domain
 	cookieDomain, err := utils.GetCookieDomain(app.config.AppURL)
 	if err != nil {
 		return err
 	}
 	app.context.cookieDomain = cookieDomain
 	// Cookie names
 	appUrl, _ := url.Parse(app.config.AppURL) // Already validated
 	app.context.uuid = utils.GenerateUUID(appUrl.Hostname())
 	cookieId := strings.Split(app.context.uuid, "-")[0]
 	app.context.sessionCookieName = fmt.Sprintf("%s-%s", config.SessionCookieName, cookieId)
 	app.context.csrfCookieName = fmt.Sprintf("%s-%s", config.CSRFCookieName, cookieId)
 	app.context.redirectCookieName = fmt.Sprintf("%s-%s", config.RedirectCookieName, cookieId)
 	// Dumps
 	log.Trace().Interface("config", app.config).Msg("Config dump")
 	log.Trace().Interface("users", app.context.users).Msg("Users dump")
 	log.Trace().Interface("oauthProviders", app.context.oauthProviders).Msg("OAuth providers dump")
 	log.Trace().Str("cookieDomain", app.context.cookieDomain).Msg("Cookie domain")
 	log.Trace().Str("sessionCookieName", app.context.sessionCookieName).Msg("Session cookie name")
 	log.Trace().Str("csrfCookieName", app.context.csrfCookieName).Msg("CSRF cookie name")
 	log.Trace().Str("redirectCookieName", app.context.redirectCookieName).Msg("Redirect cookie name")
 	// Database
 	db, err := app.SetupDatabase(app.config.DatabasePath)
 	if err != nil {
 		return fmt.Errorf("failed to setup database: %w", err)
 	}
 	// Queries
 	queries := repository.New(db)
 	// Services
 	services, err := app.initServices(queries)
 	if err != nil {
 		return fmt.Errorf("failed to initialize services: %w", err)
 	}
 	app.services = services
 	// Configured providers
 	configuredProviders := make([]controller.Provider, 0)
 	for id, provider := range app.context.oauthProviders {
 		configuredProviders = append(configuredProviders, controller.Provider{
 			Name:  provider.Name,
 			ID:    id,
 			OAuth: true,
 		})
 	}
 	sort.Slice(configuredProviders, func(i, j int) bool {
 		return configuredProviders[i].Name < configuredProviders[j].Name
 	})
 	if services.authService.UserAuthConfigured() {
 		configuredProviders = append(configuredProviders, controller.Provider{
 			Name:  "Username",
 			ID:    "username",
 			OAuth: false,
 		})
 	}
 	log.Debug().Interface("providers", configuredProviders).Msg("Authentication providers")
 	if len(configuredProviders) == 0 {
 		return fmt.Errorf("no authentication providers configured")
 	}
 	app.context.configuredProviders = configuredProviders
 	// Setup router
 	router, err := app.setupRouter()
 	if err != nil {
 		return fmt.Errorf("failed to setup routes: %w", err)
 	}
 	// Start db cleanup routine
 	log.Debug().Msg("Starting database cleanup routine")
 	go app.dbCleanup(queries)
 	// If analytics are not disabled, start heartbeat
 	if !app.config.DisableAnalytics {
 		log.Debug().Msg("Starting heartbeat routine")
 		go app.heartbeat()
 	}
 	// If we have an socket path, bind to it
 	if app.config.Server.SocketPath != "" {
 		if _, err := os.Stat(app.config.Server.SocketPath); err == nil {
 			log.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
 			err := os.Remove(app.config.Server.SocketPath)
 			if err != nil {
 				return fmt.Errorf("failed to remove existing socket file: %w", err)
 			}
 		}
 		log.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
 		if err := router.RunUnix(app.config.Server.SocketPath); err != nil {
 			log.Fatal().Err(err).Msg("Failed to start server")
 		}
 		return nil
 	}
 	// Start server
 	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
 	log.Info().Msgf("Starting server on %s", address)
 	if err := router.Run(address); err != nil {
 		log.Fatal().Err(err).Msg("Failed to start server")
 	}
 	return nil
 }
 func (app *BootstrapApp) heartbeat() {
 	ticker := time.NewTicker(time.Duration(12) * time.Hour)
 	defer ticker.Stop()
 	type heartbeat struct {
 		UUID    string `json:"uuid"`
 		Version string `json:"version"`
 	}
 	var body heartbeat
 	body.UUID = app.context.uuid
 	body.Version = config.Version
 	bodyJson, err := json.Marshal(body)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to marshal heartbeat body")
 		return
 	}
 	client := &http.Client{
 		Timeout: 30 * time.Second, // The server should never take more than 30 seconds to respond
 	}
 	heartbeatURL := config.ApiServer + "/v1/instances/heartbeat"
 	for ; true; <-ticker.C {
 		log.Debug().Msg("Sending heartbeat")
 		req, err := http.NewRequest(http.MethodPost, heartbeatURL, bytes.NewReader(bodyJson))
 		if err != nil {
 			log.Error().Err(err).Msg("Failed to create heartbeat request")
 			continue
 		}
 		req.Header.Add("Content-Type", "application/json")
 		res, err := client.Do(req)
 		if err != nil {
 			log.Error().Err(err).Msg("Failed to send heartbeat")
 			continue
 		}
 		res.Body.Close()
 		if res.StatusCode != 200 && res.StatusCode != 201 {
 			log.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
 		}
 	}
 }
 func (app *BootstrapApp) dbCleanup(queries *repository.Queries) {
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
 	ctx := context.Background()
 	for ; true; <-ticker.C {
 		log.Debug().Msg("Cleaning up old database sessions")
 		err := queries.DeleteExpiredSessions(ctx, time.Now().Unix())
 		if err != nil {
 			log.Error().Err(err).Msg("Failed to clean up old database sessions")
 		}
 	}
 }
--- a/internal/bootstrap/db_bootstrap.go
+++ b/internal/bootstrap/db_bootstrap.go
@@ -0,0 +1,57 @@
 package bootstrap
 import (
 	"database/sql"
 	"fmt"
 	"os"
 	"path/filepath"
 	"github.com/steveiliop56/tinyauth/internal/assets"
 	"github.com/golang-migrate/migrate/v4"
 	"github.com/golang-migrate/migrate/v4/database/sqlite3"
 	"github.com/golang-migrate/migrate/v4/source/iofs"
 	_ "modernc.org/sqlite"
 )
 func (app *BootstrapApp) SetupDatabase(databasePath string) (*sql.DB, error) {
 	dir := filepath.Dir(databasePath)
 	if err := os.MkdirAll(dir, 0750); err != nil {
 		return nil, fmt.Errorf("failed to create database directory %s: %w", dir, err)
 	}
 	db, err := sql.Open("sqlite", databasePath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open database: %w", err)
 	}
 	// Limit to 1 connection to sequence writes, this may need to be revisited in the future
 	// if the sqlite connection starts being a bottleneck
 	db.SetMaxOpenConns(1)
 	migrations, err := iofs.New(assets.Migrations, "migrations")
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migrations: %w", err)
 	}
 	target, err := sqlite3.WithInstance(db, &sqlite3.Config{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create sqlite3 instance: %w", err)
 	}
 	migrator, err := migrate.NewWithInstance("iofs", migrations, "sqlite3", target)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migrator: %w", err)
 	}
 	if err := migrator.Up(); err != nil && err != migrate.ErrNoChange {
 		return nil, fmt.Errorf("failed to migrate database: %w", err)
 	}
 	return db, nil
 }
--- a/internal/bootstrap/router_bootstrap.go
+++ b/internal/bootstrap/router_bootstrap.go
@@ -0,0 +1,105 @@
 package bootstrap
 import (
 	"fmt"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/middleware"
 	"github.com/gin-gonic/gin"
 )
 func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 	engine := gin.New()
 	engine.Use(gin.Recovery())
 	if len(app.config.Server.TrustedProxies) > 0 {
 		err := engine.SetTrustedProxies(app.config.Server.TrustedProxies)
 		if err != nil {
 			return nil, fmt.Errorf("failed to set trusted proxies: %w", err)
 		}
 	}
 	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
 		CookieDomain: app.context.cookieDomain,
 	}, app.services.authService, app.services.oauthBrokerService)
 	err := contextMiddleware.Init()
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize context middleware: %w", err)
 	}
 	engine.Use(contextMiddleware.Middleware())
 	uiMiddleware := middleware.NewUIMiddleware()
 	err = uiMiddleware.Init()
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize UI middleware: %w", err)
 	}
 	engine.Use(uiMiddleware.Middleware())
 	zerologMiddleware := middleware.NewZerologMiddleware()
 	err = zerologMiddleware.Init()
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize zerolog middleware: %w", err)
 	}
 	engine.Use(zerologMiddleware.Middleware())
 	apiRouter := engine.Group("/api")
 	contextController := controller.NewContextController(controller.ContextControllerConfig{
 		Providers:             app.context.configuredProviders,
 		Title:                 app.config.UI.Title,
 		AppURL:                app.config.AppURL,
 		CookieDomain:          app.context.cookieDomain,
 		ForgotPasswordMessage: app.config.UI.ForgotPasswordMessage,
 		BackgroundImage:       app.config.UI.BackgroundImage,
 		OAuthAutoRedirect:     app.config.OAuth.AutoRedirect,
 		DisableUIWarnings:     app.config.DisableUIWarnings,
 	}, apiRouter)
 	contextController.SetupRoutes()
 	oauthController := controller.NewOAuthController(controller.OAuthControllerConfig{
 		AppURL:             app.config.AppURL,
 		SecureCookie:       app.config.Auth.SecureCookie,
 		CSRFCookieName:     app.context.csrfCookieName,
 		RedirectCookieName: app.context.redirectCookieName,
 		CookieDomain:       app.context.cookieDomain,
 	}, apiRouter, app.services.authService, app.services.oauthBrokerService)
 	oauthController.SetupRoutes()
 	proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
 		AppURL: app.config.AppURL,
 	}, apiRouter, app.services.accessControlService, app.services.authService)
 	proxyController.SetupRoutes()
 	userController := controller.NewUserController(controller.UserControllerConfig{
 		CookieDomain: app.context.cookieDomain,
 	}, apiRouter, app.services.authService)
 	userController.SetupRoutes()
 	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
 		ResourcesDir:      app.config.ResourcesDir,
 		ResourcesDisabled: app.config.DisableResources,
 	}, &engine.RouterGroup)
 	resourcesController.SetupRoutes()
 	healthController := controller.NewHealthController(apiRouter)
 	healthController.SetupRoutes()
 	return engine, nil
 }
--- a/internal/bootstrap/service_bootstrap.go
+++ b/internal/bootstrap/service_bootstrap.go
@@ -0,0 +1,92 @@
 package bootstrap
 import (
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/rs/zerolog/log"
 )
 type Services struct {
 	accessControlService *service.AccessControlsService
 	authService          *service.AuthService
 	dockerService        *service.DockerService
 	ldapService          *service.LdapService
 	oauthBrokerService   *service.OAuthBrokerService
 }
 func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, error) {
 	services := Services{}
 	ldapService := service.NewLdapService(service.LdapServiceConfig{
 		Address:      app.config.Ldap.Address,
 		BindDN:       app.config.Ldap.BindDN,
 		BindPassword: app.config.Ldap.BindPassword,
 		BaseDN:       app.config.Ldap.BaseDN,
 		Insecure:     app.config.Ldap.Insecure,
 		SearchFilter: app.config.Ldap.SearchFilter,
 		AuthCert:     app.config.Ldap.AuthCert,
 		AuthKey:      app.config.Ldap.AuthKey,
 	})
 	err := ldapService.Init()
 	if err == nil {
 		services.ldapService = ldapService
 	} else {
 		log.Warn().Err(err).Msg("Failed to initialize LDAP service, continuing without it")
 	}
 	dockerService := service.NewDockerService()
 	err = dockerService.Init()
 	if err != nil {
 		return Services{}, err
 	}
 	services.dockerService = dockerService
 	accessControlsService := service.NewAccessControlsService(dockerService, app.config.Apps)
 	err = accessControlsService.Init()
 	if err != nil {
 		return Services{}, err
 	}
 	services.accessControlService = accessControlsService
 	authService := service.NewAuthService(service.AuthServiceConfig{
 		Users:              app.context.users,
 		OauthWhitelist:     app.config.OAuth.Whitelist,
 		SessionExpiry:      app.config.Auth.SessionExpiry,
 		SessionMaxLifetime: app.config.Auth.SessionMaxLifetime,
 		SecureCookie:       app.config.Auth.SecureCookie,
 		CookieDomain:       app.context.cookieDomain,
 		LoginTimeout:       app.config.Auth.LoginTimeout,
 		LoginMaxRetries:    app.config.Auth.LoginMaxRetries,
 		SessionCookieName:  app.context.sessionCookieName,
 		IP:                 app.config.Auth.IP,
 	}, dockerService, services.ldapService, queries)
 	err = authService.Init()
 	if err != nil {
 		return Services{}, err
 	}
 	services.authService = authService
 	oauthBrokerService := service.NewOAuthBrokerService(app.context.oauthProviders)
 	err = oauthBrokerService.Init()
 	if err != nil {
 		return Services{}, err
 	}
 	services.oauthBrokerService = oauthBrokerService
 	return services, nil
 }
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -0,0 +1,216 @@
 package config
 // Version information, set at build time
 var Version = "development"
 var CommitHash = "development"
 var BuildTimestamp = "0000-00-00T00:00:00Z"
 // Cookie name templates
 var SessionCookieName = "tinyauth-session"
 var CSRFCookieName = "tinyauth-csrf"
 var RedirectCookieName = "tinyauth-redirect"
 // Main app config
 type Config struct {
 	AppURL            string             `description:"The base URL where the app is hosted." yaml:"appUrl"`
 	LogLevel          string             `description:"Log level (trace, debug, info, warn, error)." yaml:"logLevel"`
 	ResourcesDir      string             `description:"The directory where resources are stored." yaml:"resourcesDir"`
 	DatabasePath      string             `description:"The path to the database file." yaml:"databasePath"`
 	DisableAnalytics  bool               `description:"Disable analytics." yaml:"disableAnalytics"`
 	DisableResources  bool               `description:"Disable resources server." yaml:"disableResources"`
 	DisableUIWarnings bool               `description:"Disable UI warnings." yaml:"disableUIWarnings"`
 	LogJSON           bool               `description:"Enable JSON formatted logs." yaml:"logJSON"`
 	Server            ServerConfig       `description:"Server configuration." yaml:"server"`
 	Auth              AuthConfig         `description:"Authentication configuration." yaml:"auth"`
 	Apps              map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
 	OAuth             OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
 	UI                UIConfig           `description:"UI customization." yaml:"ui"`
 	Ldap              LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
 	Experimental      ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
 }
 type ServerConfig struct {
 	Port           int      `description:"The port on which the server listens." yaml:"port"`
 	Address        string   `description:"The address on which the server listens." yaml:"address"`
 	SocketPath     string   `description:"The path to the Unix socket." yaml:"socketPath"`
 	TrustedProxies []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
 }
 type AuthConfig struct {
 	IP                 IPConfig `description:"IP whitelisting config options." yaml:"ip"`
 	Users              []string `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
 	UsersFile          string   `description:"Path to the users file." yaml:"usersFile"`
 	SecureCookie       bool     `description:"Enable secure cookies." yaml:"secureCookie"`
 	SessionExpiry      int      `description:"Session expiry time in seconds." yaml:"sessionExpiry"`
 	SessionMaxLifetime int      `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
 	LoginTimeout       int      `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int      `description:"Maximum login retries." yaml:"loginMaxRetries"`
 }
 type IPConfig struct {
 	Allow []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
 	Block []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
 }
 type OAuthConfig struct {
 	Whitelist    []string                      `description:"Comma-separated list of allowed OAuth domains." yaml:"whitelist"`
 	AutoRedirect string                        `description:"The OAuth provider to use for automatic redirection." yaml:"autoRedirect"`
 	Providers    map[string]OAuthServiceConfig `description:"OAuth providers configuration." yaml:"providers"`
 }
 type UIConfig struct {
 	Title                 string `description:"The title of the UI." yaml:"title"`
 	ForgotPasswordMessage string `description:"Message displayed on the forgot password page." yaml:"forgotPasswordMessage"`
 	BackgroundImage       string `description:"Path to the background image." yaml:"backgroundImage"`
 }
 type LdapConfig struct {
 	Address      string `description:"LDAP server address." yaml:"address"`
 	BindDN       string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
 	BindPassword string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
 	BaseDN       string `description:"Base DN for LDAP searches." yaml:"baseDn"`
 	Insecure     bool   `description:"Allow insecure LDAP connections." yaml:"insecure"`
 	SearchFilter string `description:"LDAP search filter." yaml:"searchFilter"`
 	AuthCert     string `description:"Certificate for mTLS authentication." yaml:"authCert"`
 	AuthKey      string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
 }
 type ExperimentalConfig struct {
 	ConfigFile string `description:"Path to config file." yaml:"-"`
 }
 // Config loader options
 const DefaultNamePrefix = "TINYAUTH_"
 // OAuth/OIDC config
 type Claims struct {
 	Sub               string `json:"sub"`
 	Name              string `json:"name"`
 	Email             string `json:"email"`
 	PreferredUsername string `json:"preferred_username"`
 	Groups            any    `json:"groups"`
 }
 type OAuthServiceConfig struct {
 	ClientID         string   `description:"OAuth client ID."`
 	ClientSecret     string   `description:"OAuth client secret."`
 	ClientSecretFile string   `description:"Path to the file containing the OAuth client secret."`
 	Scopes           []string `description:"OAuth scopes."`
 	RedirectURL      string   `description:"OAuth redirect URL."`
 	AuthURL          string   `description:"OAuth authorization URL."`
 	TokenURL         string   `description:"OAuth token URL."`
 	UserinfoURL      string   `description:"OAuth userinfo URL."`
 	Insecure         bool     `description:"Allow insecure OAuth connections."`
 	Name             string   `description:"Provider name in UI."`
 }
 var OverrideProviders = map[string]string{
 	"google": "Google",
 	"github": "GitHub",
 }
 // User/session related stuff
 type User struct {
 	Username   string
 	Password   string
 	TotpSecret string
 }
 type LdapUser struct {
 	DN     string
 	Groups []string
 }
 type UserSearch struct {
 	Username string
 	Type     string // local, ldap or unknown
 }
 type UserContext struct {
 	Username    string
 	Name        string
 	Email       string
 	IsLoggedIn  bool
 	OAuth       bool
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	TotpEnabled bool
 	OAuthName   string
 	OAuthSub    string
 	LdapGroups  string
 }
 // API responses and queries
 type UnauthorizedQuery struct {
 	Username string `url:"username"`
 	Resource string `url:"resource"`
 	GroupErr bool   `url:"groupErr"`
 	IP       string `url:"ip"`
 }
 type RedirectQuery struct {
 	RedirectURI string `url:"redirect_uri"`
 }
 // ACLs
 type Apps struct {
 	Apps map[string]App `description:"App ACLs configuration." yaml:"apps"`
 }
 type App struct {
 	Config   AppConfig   `description:"App configuration." yaml:"config"`
 	Users    AppUsers    `description:"User access configuration." yaml:"users"`
 	OAuth    AppOAuth    `description:"OAuth access configuration." yaml:"oauth"`
 	IP       AppIP       `description:"IP access configuration." yaml:"ip"`
 	Response AppResponse `description:"Response customization." yaml:"response"`
 	Path     AppPath     `description:"Path access configuration." yaml:"path"`
 }
 type AppConfig struct {
 	Domain string `description:"The domain of the app." yaml:"domain"`
 }
 type AppUsers struct {
 	Allow string `description:"Comma-separated list of allowed users." yaml:"allow"`
 	Block string `description:"Comma-separated list of blocked users." yaml:"block"`
 }
 type AppOAuth struct {
 	Whitelist string `description:"Comma-separated list of allowed OAuth groups." yaml:"whitelist"`
 	Groups    string `description:"Comma-separated list of required OAuth groups." yaml:"groups"`
 }
 type AppIP struct {
 	Allow  []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
 	Block  []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
 	Bypass []string `description:"List of IPs or CIDR ranges that bypass authentication." yaml:"bypass"`
 }
 type AppResponse struct {
 	Headers   []string     `description:"Custom headers to add to the response." yaml:"headers"`
 	BasicAuth AppBasicAuth `description:"Basic authentication for the app." yaml:"basicAuth"`
 }
 type AppBasicAuth struct {
 	Username     string `description:"Basic auth username." yaml:"username"`
 	Password     string `description:"Basic auth password." yaml:"password"`
 	PasswordFile string `description:"Path to the file containing the basic auth password." yaml:"passwordFile"`
 }
 type AppPath struct {
 	Allow string `description:"Comma-separated list of allowed paths." yaml:"allow"`
 	Block string `description:"Comma-separated list of blocked paths." yaml:"block"`
 }
 // API server
 var ApiServer = "https://api.tinyauth.app"
--- a/internal/constants/constants.go
+++ b/internal/constants/constants.go
@@ -1,19 +0,0 @@
 package constants
 // Claims are the OIDC supported claims (prefered username is included for convinience)
 type Claims struct {
 	Name              string `json:"name"`
 	Email             string `json:"email"`
 	PreferredUsername string `json:"preferred_username"`
 	Groups            any    `json:"groups"`
 }
 // Version information
 var Version = "development"
 var CommitHash = "n/a"
 var BuildTimestamp = "n/a"
 // Base cookie names
 var SessionCookieName = "tinyauth-session"
 var CsrfCookieName = "tinyauth-csrf"
 var RedirectCookieName = "tinyauth-redirect"
--- a/internal/controller/context_controller.go
+++ b/internal/controller/context_controller.go
@@ -0,0 +1,131 @@
 package controller
 import (
 	"fmt"
 	"net/url"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
 )
 type UserContextResponse struct {
 	Status      int    `json:"status"`
 	Message     string `json:"message"`
 	IsLoggedIn  bool   `json:"isLoggedIn"`
 	Username    string `json:"username"`
 	Name        string `json:"name"`
 	Email       string `json:"email"`
 	Provider    string `json:"provider"`
 	OAuth       bool   `json:"oauth"`
 	TotpPending bool   `json:"totpPending"`
 	OAuthName   string `json:"oauthName"`
 	OAuthSub    string `json:"oauthSub"`
 }
 type AppContextResponse struct {
 	Status                int        `json:"status"`
 	Message               string     `json:"message"`
 	Providers             []Provider `json:"providers"`
 	Title                 string     `json:"title"`
 	AppURL                string     `json:"appUrl"`
 	CookieDomain          string     `json:"cookieDomain"`
 	ForgotPasswordMessage string     `json:"forgotPasswordMessage"`
 	BackgroundImage       string     `json:"backgroundImage"`
 	OAuthAutoRedirect     string     `json:"oauthAutoRedirect"`
 	DisableUIWarnings     bool       `json:"disableUiWarnings"`
 }
 type Provider struct {
 	Name  string `json:"name"`
 	ID    string `json:"id"`
 	OAuth bool   `json:"oauth"`
 }
 type ContextControllerConfig struct {
 	Providers             []Provider
 	Title                 string
 	AppURL                string
 	CookieDomain          string
 	ForgotPasswordMessage string
 	BackgroundImage       string
 	OAuthAutoRedirect     string
 	DisableUIWarnings     bool
 }
 type ContextController struct {
 	config ContextControllerConfig
 	router *gin.RouterGroup
 }
 func NewContextController(config ContextControllerConfig, router *gin.RouterGroup) *ContextController {
 	if config.DisableUIWarnings {
 		log.Warn().Msg("UI warnings are disabled. This may expose users to security risks. Proceed with caution.")
 	}
 	return &ContextController{
 		config: config,
 		router: router,
 	}
 }
 func (controller *ContextController) SetupRoutes() {
 	contextGroup := controller.router.Group("/context")
 	contextGroup.GET("/user", controller.userContextHandler)
 	contextGroup.GET("/app", controller.appContextHandler)
 }
 func (controller *ContextController) userContextHandler(c *gin.Context) {
 	context, err := utils.GetContext(c)
 	userContext := UserContextResponse{
 		Status:      200,
 		Message:     "Success",
 		IsLoggedIn:  context.IsLoggedIn,
 		Username:    context.Username,
 		Name:        context.Name,
 		Email:       context.Email,
 		Provider:    context.Provider,
 		OAuth:       context.OAuth,
 		TotpPending: context.TotpPending,
 		OAuthName:   context.OAuthName,
 		OAuthSub:    context.OAuthSub,
 	}
 	if err != nil {
 		log.Debug().Err(err).Msg("No user context found in request")
 		userContext.Status = 401
 		userContext.Message = "Unauthorized"
 		userContext.IsLoggedIn = false
 		c.JSON(200, userContext)
 		return
 	}
 	c.JSON(200, userContext)
 }
 func (controller *ContextController) appContextHandler(c *gin.Context) {
 	appUrl, err := url.Parse(controller.config.AppURL)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to parse app URL")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
 		})
 		return
 	}
 	c.JSON(200, AppContextResponse{
 		Status:                200,
 		Message:               "Success",
 		Providers:             controller.config.Providers,
 		Title:                 controller.config.Title,
 		AppURL:                fmt.Sprintf("%s://%s", appUrl.Scheme, appUrl.Host),
 		CookieDomain:          controller.config.CookieDomain,
 		ForgotPasswordMessage: controller.config.ForgotPasswordMessage,
 		BackgroundImage:       controller.config.BackgroundImage,
 		OAuthAutoRedirect:     controller.config.OAuthAutoRedirect,
 		DisableUIWarnings:     controller.config.DisableUIWarnings,
 	})
 }
--- a/internal/controller/context_controller_test.go
+++ b/internal/controller/context_controller_test.go
@@ -0,0 +1,149 @@
 package controller_test
 import (
 	"encoding/json"
 	"net/http/httptest"
 	"testing"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/gin-gonic/gin"
 	"gotest.tools/v3/assert"
 )
 var controllerCfg = controller.ContextControllerConfig{
 	Providers: []controller.Provider{
 		{
 			Name:  "Username",
 			ID:    "username",
 			OAuth: false,
 		},
 		{
 			Name:  "Google",
 			ID:    "google",
 			OAuth: true,
 		},
 	},
 	Title:                 "Test App",
 	AppURL:                "http://localhost:8080",
 	CookieDomain:          "localhost",
 	ForgotPasswordMessage: "Contact admin to reset your password.",
 	BackgroundImage:       "/assets/bg.jpg",
 	OAuthAutoRedirect:     "google",
 	DisableUIWarnings:     false,
 }
 var userContext = config.UserContext{
 	Username:    "testuser",
 	Name:        "testuser",
 	Email:       "test@example.com",
 	IsLoggedIn:  true,
 	OAuth:       false,
 	Provider:    "username",
 	TotpPending: false,
 	OAuthGroups: "",
 	TotpEnabled: false,
 	OAuthSub:    "",
 }
 func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
 	// Setup
 	gin.SetMode(gin.TestMode)
 	router := gin.Default()
 	recorder := httptest.NewRecorder()
 	if middlewares != nil {
 		for _, m := range *middlewares {
 			router.Use(m)
 		}
 	}
 	group := router.Group("/api")
 	ctrl := controller.NewContextController(controllerCfg, group)
 	ctrl.SetupRoutes()
 	return router, recorder
 }
 func TestAppContextHandler(t *testing.T) {
 	expectedRes := controller.AppContextResponse{
 		Status:                200,
 		Message:               "Success",
 		Providers:             controllerCfg.Providers,
 		Title:                 controllerCfg.Title,
 		AppURL:                controllerCfg.AppURL,
 		CookieDomain:          controllerCfg.CookieDomain,
 		ForgotPasswordMessage: controllerCfg.ForgotPasswordMessage,
 		BackgroundImage:       controllerCfg.BackgroundImage,
 		OAuthAutoRedirect:     controllerCfg.OAuthAutoRedirect,
 		DisableUIWarnings:     controllerCfg.DisableUIWarnings,
 	}
 	router, recorder := setupContextController(nil)
 	req := httptest.NewRequest("GET", "/api/context/app", nil)
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, 200, recorder.Code)
 	var ctrlRes controller.AppContextResponse
 	err := json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
 	assert.NilError(t, err)
 	assert.DeepEqual(t, expectedRes, ctrlRes)
 }
 func TestUserContextHandler(t *testing.T) {
 	expectedRes := controller.UserContextResponse{
 		Status:      200,
 		Message:     "Success",
 		IsLoggedIn:  userContext.IsLoggedIn,
 		Username:    userContext.Username,
 		Name:        userContext.Name,
 		Email:       userContext.Email,
 		Provider:    userContext.Provider,
 		OAuth:       userContext.OAuth,
 		TotpPending: userContext.TotpPending,
 		OAuthName:   userContext.OAuthName,
 	}
 	// Test with context
 	router, recorder := setupContextController(&[]gin.HandlerFunc{
 		func(c *gin.Context) {
 			c.Set("context", &userContext)
 			c.Next()
 		},
 	})
 	req := httptest.NewRequest("GET", "/api/context/user", nil)
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, 200, recorder.Code)
 	var ctrlRes controller.UserContextResponse
 	err := json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
 	assert.NilError(t, err)
 	assert.DeepEqual(t, expectedRes, ctrlRes)
 	// Test no context
 	expectedRes = controller.UserContextResponse{
 		Status:     401,
 		Message:    "Unauthorized",
 		IsLoggedIn: false,
 	}
 	router, recorder = setupContextController(nil)
 	req = httptest.NewRequest("GET", "/api/context/user", nil)
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, 200, recorder.Code)
 	err = json.Unmarshal(recorder.Body.Bytes(), &ctrlRes)
 	assert.NilError(t, err)
 	assert.DeepEqual(t, expectedRes, ctrlRes)
 }
--- a/internal/controller/health_controller.go
+++ b/internal/controller/health_controller.go
@@ -0,0 +1,25 @@
 package controller
 import "github.com/gin-gonic/gin"
 type HealthController struct {
 	router *gin.RouterGroup
 }
 func NewHealthController(router *gin.RouterGroup) *HealthController {
 	return &HealthController{
 		router: router,
 	}
 }
 func (controller *HealthController) SetupRoutes() {
 	controller.router.GET("/healthz", controller.healthHandler)
 	controller.router.HEAD("/healthz", controller.healthHandler)
 }
 func (controller *HealthController) healthHandler(c *gin.Context) {
 	c.JSON(200, gin.H{
 		"status":  "ok",
 		"message": "Healthy",
 	})
 }
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -0,0 +1,234 @@
 package controller
 import (
 	"fmt"
 	"net/http"
 	"strings"
 	"time"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
 	"github.com/rs/zerolog/log"
 )
 type OAuthRequest struct {
 	Provider string `uri:"provider" binding:"required"`
 }
 type OAuthControllerConfig struct {
 	CSRFCookieName     string
 	RedirectCookieName string
 	SecureCookie       bool
 	AppURL             string
 	CookieDomain       string
 }
 type OAuthController struct {
 	config OAuthControllerConfig
 	router *gin.RouterGroup
 	auth   *service.AuthService
 	broker *service.OAuthBrokerService
 }
 func NewOAuthController(config OAuthControllerConfig, router *gin.RouterGroup, auth *service.AuthService, broker *service.OAuthBrokerService) *OAuthController {
 	return &OAuthController{
 		config: config,
 		router: router,
 		auth:   auth,
 		broker: broker,
 	}
 }
 func (controller *OAuthController) SetupRoutes() {
 	oauthGroup := controller.router.Group("/oauth")
 	oauthGroup.GET("/url/:provider", controller.oauthURLHandler)
 	oauthGroup.GET("/callback/:provider", controller.oauthCallbackHandler)
 }
 func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	var req OAuthRequest
 	err := c.BindUri(&req)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
 		})
 		return
 	}
 	service, exists := controller.broker.GetService(req.Provider)
 	if !exists {
 		log.Warn().Msgf("OAuth provider not found: %s", req.Provider)
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Not Found",
 		})
 		return
 	}
 	service.GenerateVerifier()
 	state := service.GenerateState()
 	authURL := service.GetAuthURL(state)
 	c.SetCookie(controller.config.CSRFCookieName, state, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	redirectURI := c.Query("redirect_uri")
 	isRedirectSafe := utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain)
 	if !isRedirectSafe {
 		log.Warn().Str("redirect_uri", redirectURI).Msg("Unsafe redirect URI detected, ignoring")
 		redirectURI = ""
 	}
 	if redirectURI != "" && isRedirectSafe {
 		log.Debug().Msg("Setting redirect URI cookie")
 		c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	}
 	c.JSON(200, gin.H{
 		"status":  200,
 		"message": "OK",
 		"url":     authURL,
 	})
 }
 func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	var req OAuthRequest
 	err := c.BindUri(&req)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
 		})
 		return
 	}
 	state := c.Query("state")
 	csrfCookie, err := c.Cookie(controller.config.CSRFCookieName)
 	if err != nil || state != csrfCookie {
 		log.Warn().Err(err).Msg("CSRF token mismatch or cookie missing")
 		c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 	c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	code := c.Query("code")
 	service, exists := controller.broker.GetService(req.Provider)
 	if !exists {
 		log.Warn().Msgf("OAuth provider not found: %s", req.Provider)
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 	err = service.VerifyCode(code)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to verify OAuth code")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 	user, err := controller.broker.GetUser(req.Provider)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to get user from OAuth provider")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 	if user.Email == "" {
 		log.Error().Msg("OAuth provider did not return an email")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 	if !controller.auth.IsEmailWhitelisted(user.Email) {
 		log.Warn().Str("email", user.Email).Msg("Email not whitelisted")
 		queries, err := query.Values(config.UnauthorizedQuery{
 			Username: user.Email,
 		})
 		if err != nil {
 			log.Error().Err(err).Msg("Failed to encode unauthorized query")
 			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 			return
 		}
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/unauthorized?%s", controller.config.AppURL, queries.Encode()))
 		return
 	}
 	var name string
 	if strings.TrimSpace(user.Name) != "" {
 		log.Debug().Msg("Using name from OAuth provider")
 		name = user.Name
 	} else {
 		log.Debug().Msg("No name from OAuth provider, using pseudo name")
 		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
 	}
 	var username string
 	if strings.TrimSpace(user.PreferredUsername) != "" {
 		log.Debug().Msg("Using preferred username from OAuth provider")
 		username = user.PreferredUsername
 	} else {
 		log.Debug().Msg("No preferred username from OAuth provider, using pseudo username")
 		username = strings.Replace(user.Email, "@", "_", -1)
 	}
 	sessionCookie := repository.Session{
 		Username:    username,
 		Name:        name,
 		Email:       user.Email,
 		Provider:    req.Provider,
 		OAuthGroups: utils.CoalesceToString(user.Groups),
 		OAuthName:   service.GetName(),
 		OAuthSub:    user.Sub,
 	}
 	log.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
 	err = controller.auth.CreateSessionCookie(c, &sessionCookie)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to create session cookie")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 	redirectURI, err := c.Cookie(controller.config.RedirectCookieName)
 	if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
 		log.Debug().Msg("No redirect URI cookie found, redirecting to app root")
 		c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
 		return
 	}
 	queries, err := query.Values(config.RedirectQuery{
 		RedirectURI: redirectURI,
 	})
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to encode redirect URI query")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 	c.SetCookie(controller.config.RedirectCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/continue?%s", controller.config.AppURL, queries.Encode()))
 }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							`ALTER TABLE "sessions" DROP COLUMN "oauth_name";`
		`@@ -0,0 +1 @@`
							`ALTER TABLE "sessions" ADD COLUMN "oauth_sub" TEXT;`
		`@@ -0,0 +1 @@`
							`ALTER TABLE "sessions" DROP COLUMN "created_at";`
		`@@ -0,0 +1 @@`
							`ALTER TABLE "sessions" ADD COLUMN "created_at" INTEGER NOT NULL DEFAULT 0;`
		`@@ -0,0 +1 @@`
							`ALTER TABLE "sessions" DROP COLUMN "ldap_groups";`
		`@@ -0,0 +1 @@`
							`ALTER TABLE "sessions" ADD COLUMN "ldap_groups" TEXT;`