feat: add markdown generation to config generator (#652 )

feat: optimize vite chunks (#651 )
feat: auto generate example env file (#647 )
2026-02-22 17:02:01 +00:00 · 2026-02-17 15:46:38 +02:00 · 2026-02-17 14:46:03 +02:00 · 2026-02-16 23:39:05 +02:00 · 2026-02-16 19:18:40 +02:00 · 2026-02-15 19:58:05 +02:00
152 changed files with 7638 additions and 2951 deletions
--- a/.coderabbit.yaml
+++ b/.coderabbit.yaml
@@ -0,0 +1,3 @@
 issue_enrichment:
  auto_enrich:
    enabled: false
--- a/.env.example
+++ b/.env.example
@@ -1,22 +1,172 @@
-PORT=3000
+# Tinyauth example configuration
-ADDRESS=0.0.0.0
+
-APP_URL=http://localhost:3000
+# The base URL where the app is hosted.
-USERS=your_user_password_hash
+TINYAUTH_APPURL=
-USERS_FILE=users_file
+# The directory where resources are stored.
-SECURE_COOKIE=false
+TINYAUTH_RESOURCESDIR="./resources"
-OAUTH_WHITELIST=
+# The path to the database file.
-GENERIC_NAME=My OAuth
+TINYAUTH_DATABASEPATH="./tinyauth.db"
-SESSION_EXPIRY=7200
+# Disable analytics.
-LOGIN_TIMEOUT=300
+TINYAUTH_DISABLEANALYTICS=false
-LOGIN_MAX_RETRIES=5
+# Disable resources server.
-LOG_LEVEL=debug
+TINYAUTH_DISABLERESOURCES=false
-APP_TITLE=Tinyauth SSO
+
-FORGOT_PASSWORD_MESSAGE=Some message about resetting the password
+# server config
-OAUTH_AUTO_REDIRECT=none
+
-BACKGROUND_IMAGE=some_image_url
+# The port on which the server listens.
-GENERIC_SKIP_SSL=false
+TINYAUTH_SERVER_PORT=3000
-RESOURCES_DIR=/data/resources
+# The address on which the server listens.
-DATABASE_PATH=/data/tinyauth.db
+TINYAUTH_SERVER_ADDRESS="0.0.0.0"
-DISABLE_ANALYTICS=false
+# The path to the Unix socket.
-DISABLE_RESOURCES=false
+TINYAUTH_SERVER_SOCKETPATH=
-TRUSTED_PROXIES=
+
 # auth config
 # List of allowed IPs or CIDR ranges.
 TINYAUTH_AUTH_IP_ALLOW=
 # List of blocked IPs or CIDR ranges.
 TINYAUTH_AUTH_IP_BLOCK=
 # Comma-separated list of users (username:hashed_password).
 TINYAUTH_AUTH_USERS=
 # Path to the users file.
 TINYAUTH_AUTH_USERSFILE=
 # Enable secure cookies.
 TINYAUTH_AUTH_SECURECOOKIE=false
 # Session expiry time in seconds.
 TINYAUTH_AUTH_SESSIONEXPIRY=86400
 # Maximum session lifetime in seconds.
 TINYAUTH_AUTH_SESSIONMAXLIFETIME=0
 # Login timeout in seconds.
 TINYAUTH_AUTH_LOGINTIMEOUT=300
 # Maximum login retries.
 TINYAUTH_AUTH_LOGINMAXRETRIES=3
 # Comma-separated list of trusted proxy addresses.
 TINYAUTH_AUTH_TRUSTEDPROXIES=
 # apps config
 # The domain of the app.
 TINYAUTH_APPS_name_CONFIG_DOMAIN=
 # Comma-separated list of allowed users.
 TINYAUTH_APPS_name_USERS_ALLOW=
 # Comma-separated list of blocked users.
 TINYAUTH_APPS_name_USERS_BLOCK=
 # Comma-separated list of allowed OAuth groups.
 TINYAUTH_APPS_name_OAUTH_WHITELIST=
 # Comma-separated list of required OAuth groups.
 TINYAUTH_APPS_name_OAUTH_GROUPS=
 # List of allowed IPs or CIDR ranges.
 TINYAUTH_APPS_name_IP_ALLOW=
 # List of blocked IPs or CIDR ranges.
 TINYAUTH_APPS_name_IP_BLOCK=
 # List of IPs or CIDR ranges that bypass authentication.
 TINYAUTH_APPS_name_IP_BYPASS=
 # Custom headers to add to the response.
 TINYAUTH_APPS_name_RESPONSE_HEADERS=
 # Basic auth username.
 TINYAUTH_APPS_name_RESPONSE_BASICAUTH_USERNAME=
 # Basic auth password.
 TINYAUTH_APPS_name_RESPONSE_BASICAUTH_PASSWORD=
 # Path to the file containing the basic auth password.
 TINYAUTH_APPS_name_RESPONSE_BASICAUTH_PASSWORDFILE=
 # Comma-separated list of allowed paths.
 TINYAUTH_APPS_name_PATH_ALLOW=
 # Comma-separated list of blocked paths.
 TINYAUTH_APPS_name_PATH_BLOCK=
 # Comma-separated list of required LDAP groups.
 TINYAUTH_APPS_name_LDAP_GROUPS=
 # oauth config
 # Comma-separated list of allowed OAuth domains.
 TINYAUTH_OAUTH_WHITELIST=
 # The OAuth provider to use for automatic redirection.
 TINYAUTH_OAUTH_AUTOREDIRECT=
 # OAuth client ID.
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTID=
 # OAuth client secret.
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRET=
 # Path to the file containing the OAuth client secret.
 TINYAUTH_OAUTH_PROVIDERS_name_CLIENTSECRETFILE=
 # OAuth scopes.
 TINYAUTH_OAUTH_PROVIDERS_name_SCOPES=
 # OAuth redirect URL.
 TINYAUTH_OAUTH_PROVIDERS_name_REDIRECTURL=
 # OAuth authorization URL.
 TINYAUTH_OAUTH_PROVIDERS_name_AUTHURL=
 # OAuth token URL.
 TINYAUTH_OAUTH_PROVIDERS_name_TOKENURL=
 # OAuth userinfo URL.
 TINYAUTH_OAUTH_PROVIDERS_name_USERINFOURL=
 # Allow insecure OAuth connections.
 TINYAUTH_OAUTH_PROVIDERS_name_INSECURE=false
 # Provider name in UI.
 TINYAUTH_OAUTH_PROVIDERS_name_NAME=
 # oidc config
 # Path to the private key file.
 TINYAUTH_OIDC_PRIVATEKEYPATH="./tinyauth_oidc_key"
 # Path to the public key file.
 TINYAUTH_OIDC_PUBLICKEYPATH="./tinyauth_oidc_key.pub"
 # OIDC client ID.
 TINYAUTH_OIDC_CLIENTS_name_CLIENTID=
 # OIDC client secret.
 TINYAUTH_OIDC_CLIENTS_name_CLIENTSECRET=
 # Path to the file containing the OIDC client secret.
 TINYAUTH_OIDC_CLIENTS_name_CLIENTSECRETFILE=
 # List of trusted redirect URIs.
 TINYAUTH_OIDC_CLIENTS_name_TRUSTEDREDIRECTURIS=
 # Client name in UI.
 TINYAUTH_OIDC_CLIENTS_name_NAME=
 # ui config
 # The title of the UI.
 TINYAUTH_UI_TITLE="Tinyauth"
 # Message displayed on the forgot password page.
 TINYAUTH_UI_FORGOTPASSWORDMESSAGE="You can change your password by changing the configuration."
 # Path to the background image.
 TINYAUTH_UI_BACKGROUNDIMAGE="/background.jpg"
 # Disable UI warnings.
 TINYAUTH_UI_DISABLEWARNINGS=false
 # ldap config
 # LDAP server address.
 TINYAUTH_LDAP_ADDRESS=
 # Bind DN for LDAP authentication.
 TINYAUTH_LDAP_BINDDN=
 # Bind password for LDAP authentication.
 TINYAUTH_LDAP_BINDPASSWORD=
 # Base DN for LDAP searches.
 TINYAUTH_LDAP_BASEDN=
 # Allow insecure LDAP connections.
 TINYAUTH_LDAP_INSECURE=false
 # LDAP search filter.
 TINYAUTH_LDAP_SEARCHFILTER="(uid=%s)"
 # Certificate for mTLS authentication.
 TINYAUTH_LDAP_AUTHCERT=
 # Certificate key for mTLS authentication.
 TINYAUTH_LDAP_AUTHKEY=
 # Cache duration for LDAP group membership in seconds.
 TINYAUTH_LDAP_GROUPCACHETTL=900
 # log config
 # Log level (trace, debug, info, warn, error).
 TINYAUTH_LOG_LEVEL="info"
 # Enable JSON formatted logs.
 TINYAUTH_LOG_JSON=false
 # Enable this log stream.
 TINYAUTH_LOG_STREAMS_HTTP_ENABLED=true
 # Log level for this stream. Use global if empty.
 TINYAUTH_LOG_STREAMS_HTTP_LEVEL=
 # Enable this log stream.
 TINYAUTH_LOG_STREAMS_APP_ENABLED=true
 # Log level for this stream. Use global if empty.
 TINYAUTH_LOG_STREAMS_APP_LEVEL=
 # Enable this log stream.
 TINYAUTH_LOG_STREAMS_AUDIT_ENABLED=false
 # Log level for this stream. Use global if empty.
 TINYAUTH_LOG_STREAMS_AUDIT_LEVEL=
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -18,7 +18,16 @@ jobs:
      - name: Setup go
        uses: actions/setup-go@v5
        with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Install frontend dependencies
        run: |
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -61,7 +61,16 @@ jobs:
      - name: Install go
        uses: actions/setup-go@v5
        with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Install frontend dependencies
        run: |
@@ -80,7 +89,7 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
@@ -107,7 +116,16 @@ jobs:
      - name: Install go
        uses: actions/setup-go@v5
        with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Install frontend dependencies
        run: |
@@ -126,7 +144,7 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
@@ -147,6 +165,15 @@ jobs:
        with:
          ref: nightly
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
@@ -205,6 +232,15 @@ jobs:
        with:
          ref: nightly
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
@@ -263,6 +299,15 @@ jobs:
        with:
          ref: nightly
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
@@ -321,6 +366,15 @@ jobs:
        with:
          ref: nightly
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -39,7 +39,16 @@ jobs:
      - name: Install go
        uses: actions/setup-go@v5
        with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Install frontend dependencies
        run: |
@@ -58,7 +67,7 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
@@ -82,7 +91,16 @@ jobs:
      - name: Install go
        uses: actions/setup-go@v5
        with:
-          go-version: "^1.23.2"
+          go-version: "^1.24.0"
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Install frontend dependencies
        run: |
@@ -101,7 +119,7 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64
+          go build -ldflags "-s -w -X github.com/steveiliop56/tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
        env:
          CGO_ENABLED: 0
@@ -119,6 +137,15 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
@@ -174,6 +201,15 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
@@ -229,6 +265,15 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
@@ -284,6 +329,15 @@ jobs:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Initialize submodules
        run: |
          git submodule init
          git submodule update
      - name: Apply patches
        run: |
          git apply --directory paerser/ patches/nested_maps.diff
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v5
--- a/.gitignore
+++ b/.gitignore
@@ -1,29 +1,47 @@
 # dist
-internal/assets/dist
+/internal/assets/dist
 # binaries
-tinyauth
+/tinyauth
 /tinyauth-arm64
 /tinyauth-amd64
 # test docker compose
-docker-compose.test*
+/docker-compose.test*
 # users file
-users.txt
+/users.txt
 # secret test file
-secret*
+/secret*
 # apple stuff
 .DS_Store
 # env
-.env
+/.env
 # tmp directory
-tmp
+/tmp
 # version files
 internal/assets/version
 # data directory
-data
+/data
 # config file
 /config.yml
 # binary out
 /tinyauth.db
 /resources
 # debug files
 __debug_*
 # infisical
 /.infisical.json
 # traefik data
 /traefik
 # generated markdown (for docs)
 /config.gen.md
--- a/.gitmodules
+++ b/.gitmodules
@@ -0,0 +1,4 @@
 [submodule "paerser"]
 	path = paerser
 	url = https://github.com/traefik/paerser
 	ignore = all
--- a/.zed/debug.json
+++ b/.zed/debug.json
@@ -0,0 +1,13 @@
 [
  {
    "label": "Attach to remote Delve",
    "adapter": "Delve",
    "mode": "remote",
    "remotePath": "/tinyauth",
    "request": "attach",
    "tcp_connection": {
      "host": "127.0.0.1",
      "port": 4000,
    },
  },
 ]
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -5,7 +5,7 @@ Contributing is relatively easy, you just need to follow the steps below and you
 ## Requirements
 - Bun
- Golang v1.23.2 and above
+- Golang 1.24.0+
 - Git
 - Docker
@@ -18,12 +18,21 @@ git clone https://github.com/steveiliop56/tinyauth
 cd tinyauth
 ```
-## Install requirements
+## Initialize submodules
-Although you will not need the requirements in your machine since the development will happen in docker, I still recommend to install them because this way you will not have import errors. To install the go requirements run:
+The project uses Git submodules for some dependencies, so you need to initialize them with:
 ```sh
-go mod tidy
+git submodule init
 git submodule update
 ```
 ## Install requirements
 Although you will not need the requirements in your machine since the development will happen in Docker, I still recommend to install them because this way you will not have import errors. To install the Go requirements run:
 ```sh
 go mod download
 ```
 You also need to download the frontend dependencies, this can be done like so:
@@ -33,13 +42,21 @@ cd frontend/
 bun install
 ```
 ## Apply patches
 Some of the dependencies need to be patched in order to work correctly with the project, you can apply the patches by running:
 ```sh
 git apply --directory paerser/ patches/nested_maps.diff
 ```
 ## Create your `.env` file
 In order to configure the app you need to create an environment file, this can be done by copying the `.env.example` file to `.env` and modifying the environment variables to suit your needs.
 ## Developing
-I have designed the development workflow to be entirely in docker, this is because it will directly work with traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
+I have designed the development workflow to be entirely in Docker, this is because it will directly work with Traefik and you will not need to do any building in your host machine. The recommended development setup is to have a subdomain pointing to your machine like this:
 ```
 *.dev.example.com -> 127.0.0.1
@@ -49,7 +66,7 @@ dev.example.com -> 127.0.0.1
 > [!TIP]
 > You can use [sslip.io](https://sslip.io) as a domain if you don't have one to develop with.
-Then you can just make sure the domains are correct in the development docker compose file and run:
+Then you can just make sure the domains are correct in the development Docker compose file and run:
 ```sh
 docker compose -f docker-compose.dev.yml up --build
--- a/18
+++ b/18
@@ -1,5 +1,5 @@
 # Site builder
-FROM oven/bun:1.3.4-alpine AS frontend-builder
+FROM oven/bun:1.3.9-alpine AS frontend-builder
 WORKDIR /frontend
@@ -28,18 +28,22 @@ ARG BUILD_TIMESTAMP
 WORKDIR /tinyauth
 COPY ./paerser ./paerser
 COPY go.mod ./
 COPY go.sum ./
 RUN go mod download
 COPY ./main.go ./
 COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
-RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" 
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
- 
+    -X github.com/steveiliop56/tinyauth/internal/config.Version=${VERSION} \
    -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
    -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 # Runner
 FROM alpine:3.23 AS runner
@@ -53,10 +57,12 @@ EXPOSE 3000
 VOLUME ["/data"]
-ENV GIN_MODE=release
+ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
 ENV TINYAUTH_RESOURCESDIR=/data/resources
 ENV PATH=$PATH:/tinyauth
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
-ENTRYPOINT ["tinyauth"]
+ENTRYPOINT ["tinyauth"]
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -2,6 +2,8 @@ FROM golang:1.25-alpine3.21
 WORKDIR /tinyauth
 COPY ./paerser ./paerser
 COPY go.mod ./
 COPY go.sum ./
@@ -12,9 +14,12 @@ RUN go install github.com/go-delve/delve/cmd/dlv@latest
 COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY ./main.go ./
 COPY ./air.toml ./
 EXPOSE 3000
-ENTRYPOINT ["air", "-c", "air.toml"]
+ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
 ENV TINYAUTH_RESOURCESDIR=/data/resources
 ENTRYPOINT ["air", "-c", "air.toml"]
--- a/Dockerfile.distroless
+++ b/Dockerfile.distroless
@@ -1,5 +1,5 @@
 # Site builder
-FROM oven/bun:1.3.4-alpine AS frontend-builder
+FROM oven/bun:1.3.9-alpine AS frontend-builder
 WORKDIR /frontend
@@ -28,20 +28,24 @@ ARG BUILD_TIMESTAMP
 WORKDIR /tinyauth
 COPY ./paerser ./paerser
 COPY go.mod ./
 COPY go.sum ./
 RUN go mod download
 COPY ./main.go ./
 COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
 RUN mkdir -p data
-RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" 
+RUN CGO_ENABLED=0 go build -ldflags "-s -w \
- 
+    -X github.com/steveiliop56/tinyauth/internal/config.Version=${VERSION} \
    -X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
    -X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 # Runner
 FROM gcr.io/distroless/static-debian12:latest AS runner
@@ -56,10 +60,12 @@ EXPOSE 3000
 VOLUME ["/data"]
-ENV GIN_MODE=release
+ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
 ENV TINYAUTH_RESOURCESDIR=/data/resources
 ENV PATH=$PATH:/tinyauth
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
-ENTRYPOINT ["tinyauth"]
+ENTRYPOINT ["tinyauth"]
--- a/85
+++ b/85
@@ -0,0 +1,85 @@
 # Go specific stuff
 CGO_ENABLED := 0
 GOOS := $(shell go env GOOS)
 GOARCH := $(shell go env GOARCH)
 # Build out
 TAG_NAME := $(shell git describe --abbrev=0 --exact-match 2> /dev/null || echo "main")
 COMMIT_HASH := $(shell git rev-parse HEAD)
 BUILD_TIMESTAMP := $(shell date '+%Y-%m-%dT%H:%M:%S')
 BIN_NAME := tinyauth-$(GOARCH)
 # Development vars
 DEV_COMPOSE := $(shell test -f "docker-compose.test.yml" && echo "docker-compose.test.yml" || echo "docker-compose.dev.yml" )
 PROD_COMPOSE := $(shell test -f "docker-compose.test.prod.yml" && echo "docker-compose.test.prod.yml" || echo "docker-compose.example.yml" )
 # Deps
 deps:
 	bun install --cwd frontend
 	go mod download
 # Clean data
 clean-data:
 	rm -rf data/
 # Clean web UI build
 clean-webui:
 	rm -rf internal/assets/dist
 	rm -rf frontend/dist
 # Build the web UI
 webui: clean-webui
 	bun run --cwd frontend build
 	cp -r frontend/dist internal/assets
 # Build the binary
 binary: webui
 	CGO_ENABLED=$(CGO_ENABLED) go build -ldflags "-s -w \
 	-X github.com/steveiliop56/tinyauth/internal/config.Version=${TAG_NAME} \
 	-X github.com/steveiliop56/tinyauth/internal/config.CommitHash=${COMMIT_HASH} \
 	-X github.com/steveiliop56/tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" \
 	-o ${BIN_NAME} ./cmd/tinyauth
 # Build for amd64
 binary-linux-amd64:
 	export BIN_NAME=tinyauth-amd64
 	export GOARCH=amd64
 	export GOOS=linux
 	$(MAKE) binary
 # Build for arm64
 binary-linux-arm64:
 	export BIN_NAME=tinyauth-arm64
 	export GOARCH=arm64
 	export GOOS=linux
 	$(MAKE) binary
 # Go test
 .PHONY: test
 test:
 	go test -v ./...
 # Development
 dev:
 	docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans --build
 # Development - Infisical
 dev-infisical:
 	infisical run --env=dev -- docker compose -f $(DEV_COMPOSE) up --force-recreate --pull=always --remove-orphans --build
 # Production
 prod:
 	docker compose -f $(PROD_COMPOSE) up --force-recreate --pull=always --remove-orphans
 # Production - Infisical
 prod-infisical:
 	infisical run --env=dev -- docker compose -f $(PROD_COMPOSE) up --force-recreate --pull=always --remove-orphans
 # SQL
 .PHONY: sql
 sql:
 	sqlc generate
 # Go gen
 generate:
 	go run ./gen
--- a/README.md
+++ b/README.md
@@ -33,6 +33,8 @@ If you are still not sure if Tinyauth suits your needs you can try out the [demo
 You can find documentation and guides on all of the available configuration of Tinyauth in the [website](https://tinyauth.app).
 If you wish to contribute to the documentation head over to the [repository](https://github.com/steveiliop56/tinyauth-docs).
 ## Discord
 Tinyauth has a [discord](https://discord.gg/eHzVaCzRRd) server. Feel free to hop in to chat about self-hosting, homelabs and of course Tinyauth. See you there!
@@ -53,7 +55,7 @@ Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You ma
 A big thank you to the following people for providing me with more coffee:
-<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="64px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/Lancelot-Enguerrand"><img src="https:&#x2F;&#x2F;github.com&#x2F;Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a>&nbsp;&nbsp;<a href="https://github.com/allgoewer"><img src="https:&#x2F;&#x2F;github.com&#x2F;allgoewer.png" width="64px" alt="User avatar: allgoewer" /></a>&nbsp;&nbsp;<!-- sponsors -->
+<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="64px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/Lancelot-Enguerrand"><img src="https:&#x2F;&#x2F;github.com&#x2F;Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a>&nbsp;&nbsp;<a href="https://github.com/allgoewer"><img src="https:&#x2F;&#x2F;github.com&#x2F;allgoewer.png" width="64px" alt="User avatar: allgoewer" /></a>&nbsp;&nbsp;<a href="https://github.com/NEANC"><img src="https:&#x2F;&#x2F;github.com&#x2F;NEANC.png" width="64px" alt="User avatar: NEANC" /></a>&nbsp;&nbsp;<a href="https://github.com/algorist-ahmad"><img src="https:&#x2F;&#x2F;github.com&#x2F;algorist-ahmad.png" width="64px" alt="User avatar: algorist-ahmad" /></a>&nbsp;&nbsp;<!-- sponsors -->
 ## Acknowledgements
--- a/air.toml
+++ b/air.toml
@@ -3,7 +3,7 @@ tmp_dir = "tmp"
 [build]
 pre_cmd = ["mkdir -p internal/assets/dist", "mkdir -p /data", "echo 'backend running' > internal/assets/dist/index.html"]
-cmd = "CGO_ENABLED=0 go build -gcflags=\"all=-N -l\" -o tmp/tinyauth ."
+cmd = "CGO_ENABLED=0 go build -gcflags=\"all=-N -l\" -o tmp/tinyauth ./cmd/tinyauth"
 bin = "tmp/tinyauth"
 full_bin = "dlv --listen :4000 --headless=true --api-version=2 --accept-multiclient --log=true exec tmp/tinyauth --continue --check-go-version=false"
 include_ext = ["go"]
--- a/cmd/create.go
+++ b/cmd/create.go
@@ -1,99 +0,0 @@
 package cmd
 import (
 	"errors"
 	"fmt"
 	"strings"
 	"github.com/charmbracelet/huh"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/bcrypt"
 )
 type createUserCmd struct {
 	root *cobra.Command
 	cmd  *cobra.Command
 	interactive bool
 	docker      bool
 	username    string
 	password    string
 }
 func newCreateUserCmd(root *cobra.Command) *createUserCmd {
 	return &createUserCmd{
 		root: root,
 	}
 }
 func (c *createUserCmd) Register() {
 	c.cmd = &cobra.Command{
 		Use:   "create",
 		Short: "Create a user",
 		Long:  `Create a user either interactively or by passing flags.`,
 		Run:   c.run,
 	}
 	c.cmd.Flags().BoolVarP(&c.interactive, "interactive", "i", false, "Create a user interactively")
 	c.cmd.Flags().BoolVar(&c.docker, "docker", false, "Format output for docker")
 	c.cmd.Flags().StringVar(&c.username, "username", "", "Username")
 	c.cmd.Flags().StringVar(&c.password, "password", "", "Password")
 	if c.root != nil {
 		c.root.AddCommand(c.cmd)
 	}
 }
 func (c *createUserCmd) GetCmd() *cobra.Command {
 	return c.cmd
 }
 func (c *createUserCmd) run(cmd *cobra.Command, args []string) {
 	log.Logger = log.Level(zerolog.InfoLevel)
 	if c.interactive {
 		form := huh.NewForm(
 			huh.NewGroup(
 				huh.NewInput().Title("Username").Value(&c.username).Validate((func(s string) error {
 					if s == "" {
 						return errors.New("username cannot be empty")
 					}
 					return nil
 				})),
 				huh.NewInput().Title("Password").Value(&c.password).Validate((func(s string) error {
 					if s == "" {
 						return errors.New("password cannot be empty")
 					}
 					return nil
 				})),
 				huh.NewSelect[bool]().Title("Format the output for Docker?").Options(huh.NewOption("Yes", true), huh.NewOption("No", false)).Value(&c.docker),
 			),
 		)
 		var baseTheme *huh.Theme = huh.ThemeBase()
 		err := form.WithTheme(baseTheme).Run()
 		if err != nil {
 			log.Fatal().Err(err).Msg("Form failed")
 		}
 	}
 	if c.username == "" || c.password == "" {
 		log.Fatal().Err(errors.New("error invalid input")).Msg("Username and password cannot be empty")
 	}
 	log.Info().Str("username", c.username).Msg("Creating user")
 	passwd, err := bcrypt.GenerateFromPassword([]byte(c.password), bcrypt.DefaultCost)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to hash password")
 	}
 	// If docker format is enabled, escape the dollar sign
 	passwdStr := string(passwd)
 	if c.docker {
 		passwdStr = strings.ReplaceAll(passwdStr, "$", "$$")
 	}
 	log.Info().Str("user", fmt.Sprintf("%s:%s", c.username, passwdStr)).Msg("User created")
 }
--- a/cmd/generate.go
+++ b/cmd/generate.go
@@ -1,120 +0,0 @@
 package cmd
 import (
 	"errors"
 	"fmt"
 	"os"
 	"strings"
 	"tinyauth/internal/utils"
 	"github.com/charmbracelet/huh"
 	"github.com/mdp/qrterminal/v3"
 	"github.com/pquerna/otp/totp"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 )
 type generateTotpCmd struct {
 	root *cobra.Command
 	cmd  *cobra.Command
 	interactive bool
 	user        string
 }
 func newGenerateTotpCmd(root *cobra.Command) *generateTotpCmd {
 	return &generateTotpCmd{
 		root: root,
 	}
 }
 func (c *generateTotpCmd) Register() {
 	c.cmd = &cobra.Command{
 		Use:   "generate",
 		Short: "Generate a totp secret",
 		Long:  `Generate a totp secret for a user either interactively or by passing flags.`,
 		Run:   c.run,
 	}
 	c.cmd.Flags().BoolVarP(&c.interactive, "interactive", "i", false, "Run in interactive mode")
 	c.cmd.Flags().StringVar(&c.user, "user", "", "Your current user (username:hash)")
 	if c.root != nil {
 		c.root.AddCommand(c.cmd)
 	}
 }
 func (c *generateTotpCmd) GetCmd() *cobra.Command {
 	return c.cmd
 }
 func (c *generateTotpCmd) run(cmd *cobra.Command, args []string) {
 	log.Logger = log.Level(zerolog.InfoLevel)
 	if c.interactive {
 		form := huh.NewForm(
 			huh.NewGroup(
 				huh.NewInput().Title("Current user (username:hash)").Value(&c.user).Validate((func(s string) error {
 					if s == "" {
 						return errors.New("user cannot be empty")
 					}
 					return nil
 				})),
 			),
 		)
 		var baseTheme *huh.Theme = huh.ThemeBase()
 		err := form.WithTheme(baseTheme).Run()
 		if err != nil {
 			log.Fatal().Err(err).Msg("Form failed")
 		}
 	}
 	user, err := utils.ParseUser(c.user)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to parse user")
 	}
 	docker := false
 	if strings.Contains(c.user, "$$") {
 		docker = true
 	}
 	if user.TotpSecret != "" {
 		log.Fatal().Msg("User already has a TOTP secret")
 	}
 	key, err := totp.Generate(totp.GenerateOpts{
 		Issuer:      "Tinyauth",
 		AccountName: user.Username,
 	})
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to generate TOTP secret")
 	}
 	secret := key.Secret()
 	log.Info().Str("secret", secret).Msg("Generated TOTP secret")
 	log.Info().Msg("Generated QR code")
 	config := qrterminal.Config{
 		Level:     qrterminal.L,
 		Writer:    os.Stdout,
 		BlackChar: qrterminal.BLACK,
 		WhiteChar: qrterminal.WHITE,
 		QuietZone: 2,
 	}
 	qrterminal.GenerateWithConfig(key.URL(), config)
 	user.TotpSecret = secret
 	// If using docker escape re-escape it
 	if docker {
 		user.Password = strings.ReplaceAll(user.Password, "$", "$$")
 	}
 	log.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TotpSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
 }
--- a/cmd/healthcheck.go
+++ b/cmd/healthcheck.go
@@ -1,112 +0,0 @@
 package cmd
 import (
 	"encoding/json"
 	"errors"
 	"io"
 	"net/http"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 type healthzResponse struct {
 	Status  string `json:"status"`
 	Message string `json:"message"`
 }
 type healthcheckCmd struct {
 	root *cobra.Command
 	cmd  *cobra.Command
 	viper *viper.Viper
 }
 func newHealthcheckCmd(root *cobra.Command) *healthcheckCmd {
 	return &healthcheckCmd{
 		root:  root,
 		viper: viper.New(),
 	}
 }
 func (c *healthcheckCmd) Register() {
 	c.cmd = &cobra.Command{
 		Use:   "healthcheck [app-url]",
 		Short: "Perform a health check",
 		Long:  `Use the health check endpoint to verify that Tinyauth is running and it's healthy.`,
 		Run:   c.run,
 	}
 	c.viper.AutomaticEnv()
 	if c.root != nil {
 		c.root.AddCommand(c.cmd)
 	}
 }
 func (c *healthcheckCmd) GetCmd() *cobra.Command {
 	return c.cmd
 }
 func (c *healthcheckCmd) run(cmd *cobra.Command, args []string) {
 	log.Logger = log.Level(zerolog.InfoLevel)
 	var appUrl string
 	port := c.viper.GetString("PORT")
 	address := c.viper.GetString("ADDRESS")
 	if port == "" {
 		port = "3000"
 	}
 	if address == "" {
 		address = "127.0.0.1"
 	}
 	appUrl = "http://" + address + ":" + port
 	if len(args) > 0 {
 		appUrl = args[0]
 	}
 	log.Info().Str("app_url", appUrl).Msg("Performing health check")
 	client := http.Client{}
 	req, err := http.NewRequest("GET", appUrl+"/api/healthz", nil)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to create request")
 	}
 	resp, err := client.Do(req)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to perform request")
 	}
 	if resp.StatusCode != http.StatusOK {
 		log.Fatal().Err(errors.New("service is not healthy")).Msgf("Service is not healthy. Status code: %d", resp.StatusCode)
 	}
 	defer resp.Body.Close()
 	var healthResp healthzResponse
 	body, err := io.ReadAll(resp.Body)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to read response")
 	}
 	err = json.Unmarshal(body, &healthResp)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to decode response")
 	}
 	log.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")
 }
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -1,162 +0,0 @@
 package cmd
 import (
 	"strings"
 	"tinyauth/internal/bootstrap"
 	"tinyauth/internal/config"
 	"tinyauth/internal/utils"
 	"github.com/go-playground/validator/v10"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
 )
 type rootCmd struct {
 	root *cobra.Command
 	cmd  *cobra.Command
 	viper *viper.Viper
 }
 func newRootCmd() *rootCmd {
 	return &rootCmd{
 		viper: viper.New(),
 	}
 }
 func (c *rootCmd) Register() {
 	c.cmd = &cobra.Command{
 		Use:   "tinyauth",
 		Short: "The simplest way to protect your apps with a login screen",
 		Long:  `Tinyauth is a simple authentication middleware that adds a simple login screen or OAuth with Google, Github or any other provider to all of your docker apps.`,
 		Run:   c.run,
 	}
 	// Ignore unknown flags to allow --providers-*
 	c.cmd.FParseErrWhitelist.UnknownFlags = true
 	c.viper.AutomaticEnv()
 	configOptions := []struct {
 		name        string
 		defaultVal  any
 		description string
 	}{
 		{"port", 3000, "Port to run the server on."},
 		{"address", "0.0.0.0", "Address to bind the server to."},
 		{"app-url", "", "The Tinyauth URL."},
 		{"users", "", "Comma separated list of users in the format username:hash."},
 		{"users-file", "", "Path to a file containing users in the format username:hash."},
 		{"secure-cookie", false, "Send cookie over secure connection only."},
 		{"oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth."},
 		{"oauth-auto-redirect", "none", "Auto redirect to the specified OAuth provider if configured. (available providers: github, google, generic)"},
 		{"session-expiry", 86400, "Session (cookie) expiration time in seconds."},
 		{"login-timeout", 300, "Login timeout in seconds after max retries reached (0 to disable)."},
 		{"login-max-retries", 5, "Maximum login attempts before timeout (0 to disable)."},
 		{"log-level", "info", "Log level."},
 		{"app-title", "Tinyauth", "Title of the app."},
 		{"forgot-password-message", "", "Message to show on the forgot password page."},
 		{"background-image", "/background.jpg", "Background image URL for the login page."},
 		{"ldap-address", "", "LDAP server address (e.g. ldap://localhost:389)."},
 		{"ldap-bind-dn", "", "LDAP bind DN (e.g. uid=user,dc=example,dc=com)."},
 		{"ldap-bind-password", "", "LDAP bind password."},
 		{"ldap-base-dn", "", "LDAP base DN (e.g. dc=example,dc=com)."},
 		{"ldap-insecure", false, "Skip certificate verification for the LDAP server."},
 		{"ldap-search-filter", "(uid=%s)", "LDAP search filter for user lookup."},
 		{"resources-dir", "/data/resources", "Path to a directory containing custom resources (e.g. background image)."},
 		{"database-path", "/data/tinyauth.db", "Path to the Sqlite database file. Directory will be created if it doesn't exist."},
 		{"trusted-proxies", "", "Comma separated list of trusted proxies (IP addresses or CIDRs) for correct client IP detection."},
 		{"disable-analytics", false, "Disable anonymous version collection."},
 		{"disable-resources", false, "Disable the resources server."},
 		{"socket-path", "", "Path to the Unix socket to bind the server to."},
 		{"disable-ui-warnings", false, "Disable UI warnings about insecure configurations."},
 	}
 	for _, opt := range configOptions {
 		switch v := opt.defaultVal.(type) {
 		case bool:
 			c.cmd.Flags().Bool(opt.name, v, opt.description)
 		case int:
 			c.cmd.Flags().Int(opt.name, v, opt.description)
 		case string:
 			c.cmd.Flags().String(opt.name, v, opt.description)
 		}
 		// Create uppercase env var name
 		envVar := strings.ReplaceAll(strings.ToUpper(opt.name), "-", "_")
 		c.viper.BindEnv(opt.name, envVar)
 	}
 	c.viper.BindPFlags(c.cmd.Flags())
 	if c.root != nil {
 		c.root.AddCommand(c.cmd)
 	}
 }
 func (c *rootCmd) GetCmd() *cobra.Command {
 	return c.cmd
 }
 func (c *rootCmd) run(cmd *cobra.Command, args []string) {
 	var conf config.Config
 	err := c.viper.Unmarshal(&conf)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to parse config")
 	}
 	v := validator.New()
 	err = v.Struct(conf)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Invalid config")
 	}
 	log.Logger = log.Level(zerolog.Level(utils.GetLogLevel(conf.LogLevel)))
 	log.Info().Str("version", strings.TrimSpace(config.Version)).Msg("Starting Tinyauth")
 	if log.Logger.GetLevel() == zerolog.TraceLevel {
 		log.Warn().Msg("Log level set to trace, this will log sensitive information!")
 	}
 	app := bootstrap.NewBootstrapApp(conf)
 	err = app.Setup()
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to setup app")
 	}
 }
 func Run() {
 	rootCmd := newRootCmd()
 	rootCmd.Register()
 	root := rootCmd.GetCmd()
 	userCmd := &cobra.Command{
 		Use:   "user",
 		Short: "User utilities",
 		Long:  `Utilities for creating and verifying tinyauth compatible users.`,
 	}
 	totpCmd := &cobra.Command{
 		Use:   "totp",
 		Short: "Totp utilities",
 		Long:  `Utilities for creating and verifying totp codes.`,
 	}
 	newCreateUserCmd(userCmd).Register()
 	newVerifyUserCmd(userCmd).Register()
 	newGenerateTotpCmd(totpCmd).Register()
 	newVersionCmd(root).Register()
 	newHealthcheckCmd(root).Register()
 	root.AddCommand(userCmd)
 	root.AddCommand(totpCmd)
 	err := root.Execute()
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to execute root command")
 	}
 }
--- a/cmd/tinyauth/create.go
+++ b/cmd/tinyauth/create.go
@@ -0,0 +1,95 @@
 package main
 import (
 	"errors"
 	"fmt"
 	"strings"
 	"github.com/charmbracelet/huh"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/traefik/paerser/cli"
 	"golang.org/x/crypto/bcrypt"
 )
 type CreateUserConfig struct {
 	Interactive bool   `description:"Create a user interactively."`
 	Docker      bool   `description:"Format output for docker."`
 	Username    string `description:"Username."`
 	Password    string `description:"Password."`
 }
 func NewCreateUserConfig() *CreateUserConfig {
 	return &CreateUserConfig{
 		Interactive: false,
 		Docker:      false,
 		Username:    "",
 		Password:    "",
 	}
 }
 func createUserCmd() *cli.Command {
 	tCfg := NewCreateUserConfig()
 	loaders := []cli.ResourceLoader{
 		&cli.FlagLoader{},
 	}
 	return &cli.Command{
 		Name:          "create",
 		Description:   "Create a user",
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
 			tlog.NewSimpleLogger().Init()
 			if tCfg.Interactive {
 				form := huh.NewForm(
 					huh.NewGroup(
 						huh.NewInput().Title("Username").Value(&tCfg.Username).Validate((func(s string) error {
 							if s == "" {
 								return errors.New("username cannot be empty")
 							}
 							return nil
 						})),
 						huh.NewInput().Title("Password").Value(&tCfg.Password).Validate((func(s string) error {
 							if s == "" {
 								return errors.New("password cannot be empty")
 							}
 							return nil
 						})),
 						huh.NewSelect[bool]().Title("Format the output for Docker?").Options(huh.NewOption("Yes", true), huh.NewOption("No", false)).Value(&tCfg.Docker),
 					),
 				)
 				var baseTheme *huh.Theme = huh.ThemeBase()
 				err := form.WithTheme(baseTheme).Run()
 				if err != nil {
 					return fmt.Errorf("failed to run interactive prompt: %w", err)
 				}
 			}
 			if tCfg.Username == "" || tCfg.Password == "" {
 				return errors.New("username and password cannot be empty")
 			}
 			tlog.App.Info().Str("username", tCfg.Username).Msg("Creating user")
 			passwd, err := bcrypt.GenerateFromPassword([]byte(tCfg.Password), bcrypt.DefaultCost)
 			if err != nil {
 				return fmt.Errorf("failed to hash password: %w", err)
 			}
 			// If docker format is enabled, escape the dollar sign
 			passwdStr := string(passwd)
 			if tCfg.Docker {
 				passwdStr = strings.ReplaceAll(passwdStr, "$", "$$")
 			}
 			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")
 			return nil
 		},
 	}
 }
--- a/cmd/tinyauth/generate.go
+++ b/cmd/tinyauth/generate.go
@@ -0,0 +1,118 @@
 package main
 import (
 	"errors"
 	"fmt"
 	"os"
 	"strings"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/charmbracelet/huh"
 	"github.com/mdp/qrterminal/v3"
 	"github.com/pquerna/otp/totp"
 	"github.com/traefik/paerser/cli"
 )
 type GenerateTotpConfig struct {
 	Interactive bool   `description:"Generate a TOTP secret interactively."`
 	User        string `description:"Your current user (username:hash)."`
 }
 func NewGenerateTotpConfig() *GenerateTotpConfig {
 	return &GenerateTotpConfig{
 		Interactive: false,
 		User:        "",
 	}
 }
 func generateTotpCmd() *cli.Command {
 	tCfg := NewGenerateTotpConfig()
 	loaders := []cli.ResourceLoader{
 		&cli.FlagLoader{},
 	}
 	return &cli.Command{
 		Name:          "generate",
 		Description:   "Generate a TOTP secret",
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
 			tlog.NewSimpleLogger().Init()
 			if tCfg.Interactive {
 				form := huh.NewForm(
 					huh.NewGroup(
 						huh.NewInput().Title("Current user (username:hash)").Value(&tCfg.User).Validate((func(s string) error {
 							if s == "" {
 								return errors.New("user cannot be empty")
 							}
 							return nil
 						})),
 					),
 				)
 				var baseTheme *huh.Theme = huh.ThemeBase()
 				err := form.WithTheme(baseTheme).Run()
 				if err != nil {
 					return fmt.Errorf("failed to run interactive prompt: %w", err)
 				}
 			}
 			user, err := utils.ParseUser(tCfg.User)
 			if err != nil {
 				return fmt.Errorf("failed to parse user: %w", err)
 			}
 			docker := false
 			if strings.Contains(tCfg.User, "$$") {
 				docker = true
 			}
 			if user.TotpSecret != "" {
 				return fmt.Errorf("user already has a TOTP secret")
 			}
 			key, err := totp.Generate(totp.GenerateOpts{
 				Issuer:      "Tinyauth",
 				AccountName: user.Username,
 			})
 			if err != nil {
 				return fmt.Errorf("failed to generate TOTP secret: %w", err)
 			}
 			secret := key.Secret()
 			tlog.App.Info().Str("secret", secret).Msg("Generated TOTP secret")
 			tlog.App.Info().Msg("Generated QR code")
 			config := qrterminal.Config{
 				Level:     qrterminal.L,
 				Writer:    os.Stdout,
 				BlackChar: qrterminal.BLACK,
 				WhiteChar: qrterminal.WHITE,
 				QuietZone: 2,
 			}
 			qrterminal.GenerateWithConfig(key.URL(), config)
 			user.TotpSecret = secret
 			// If using docker escape re-escape it
 			if docker {
 				user.Password = strings.ReplaceAll(user.Password, "$", "$$")
 			}
 			tlog.App.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TotpSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
 			return nil
 		},
 	}
 }
--- a/cmd/tinyauth/healthcheck.go
+++ b/cmd/tinyauth/healthcheck.go
@@ -0,0 +1,91 @@
 package main
 import (
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net/http"
 	"os"
 	"time"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/traefik/paerser/cli"
 )
 type healthzResponse struct {
 	Status  string `json:"status"`
 	Message string `json:"message"`
 }
 func healthcheckCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "healthcheck",
 		Description:   "Perform a health check",
 		Configuration: nil,
 		Resources:     nil,
 		AllowArg:      true,
 		Run: func(args []string) error {
 			tlog.NewSimpleLogger().Init()
 			appUrl := "http://127.0.0.1:3000"
 			srvAddr := os.Getenv("TINYAUTH_SERVER_ADDRESS")
 			srvPort := os.Getenv("TINYAUTH_SERVER_PORT")
 			if srvAddr != "" && srvPort != "" {
 				appUrl = fmt.Sprintf("http://%s:%s", srvAddr, srvPort)
 			}
 			if len(args) > 0 {
 				appUrl = args[0]
 			}
 			if appUrl == "" {
 				return errors.New("Could not determine app URL")
 			}
 			tlog.App.Info().Str("app_url", appUrl).Msg("Performing health check")
 			client := http.Client{
 				Timeout: 30 * time.Second,
 			}
 			req, err := http.NewRequest("GET", appUrl+"/api/healthz", nil)
 			if err != nil {
 				return fmt.Errorf("failed to create request: %w", err)
 			}
 			resp, err := client.Do(req)
 			if err != nil {
 				return fmt.Errorf("failed to perform request: %w", err)
 			}
 			if resp.StatusCode != http.StatusOK {
 				return fmt.Errorf("service is not healthy, got: %s", resp.Status)
 			}
 			defer resp.Body.Close()
 			var healthResp healthzResponse
 			body, err := io.ReadAll(resp.Body)
 			if err != nil {
 				return fmt.Errorf("failed to read response: %w", err)
 			}
 			err = json.Unmarshal(body, &healthResp)
 			if err != nil {
 				return fmt.Errorf("failed to decode response: %w", err)
 			}
 			tlog.App.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")
 			return nil
 		},
 	}
 }
--- a/cmd/tinyauth/tinyauth.go
+++ b/cmd/tinyauth/tinyauth.go
@@ -0,0 +1,108 @@
 package main
 import (
 	"fmt"
 	"github.com/steveiliop56/tinyauth/internal/bootstrap"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/utils/loaders"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/rs/zerolog/log"
 	"github.com/traefik/paerser/cli"
 )
 func main() {
 	tConfig := config.NewDefaultConfiguration()
 	loaders := []cli.ResourceLoader{
 		&loaders.FileLoader{},
 		&loaders.FlagLoader{},
 		&loaders.EnvLoader{},
 	}
 	cmdTinyauth := &cli.Command{
 		Name:          "tinyauth",
 		Description:   "The simplest way to protect your apps with a login screen.",
 		Configuration: tConfig,
 		Resources:     loaders,
 		Run: func(_ []string) error {
 			return runCmd(*tConfig)
 		},
 	}
 	cmdUser := &cli.Command{
 		Name:        "user",
 		Description: "Utilities for creating and verifying Tinyauth users.",
 	}
 	cmdTotp := &cli.Command{
 		Name:        "totp",
 		Description: "Utilities for creating Tinyauth TOTP users.",
 	}
 	err := cmdTinyauth.AddCommand(versionCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add version command")
 	}
 	err = cmdUser.AddCommand(verifyUserCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add verify command")
 	}
 	err = cmdTinyauth.AddCommand(healthcheckCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add healthcheck command")
 	}
 	err = cmdTotp.AddCommand(generateTotpCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add generate command")
 	}
 	err = cmdUser.AddCommand(createUserCmd())
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add create command")
 	}
 	err = cmdTinyauth.AddCommand(cmdUser)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add user command")
 	}
 	err = cmdTinyauth.AddCommand(cmdTotp)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to add totp command")
 	}
 	err = cli.Execute(cmdTinyauth)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to execute command")
 	}
 }
 func runCmd(cfg config.Config) error {
 	logger := tlog.NewLogger(cfg.Log)
 	logger.Init()
 	tlog.App.Info().Str("version", config.Version).Msg("Starting tinyauth")
 	app := bootstrap.NewBootstrapApp(cfg)
 	err := app.Setup()
 	if err != nil {
 		return fmt.Errorf("failed to bootstrap app: %w", err)
 	}
 	return nil
 }
--- a/cmd/tinyauth/verify.go
+++ b/cmd/tinyauth/verify.go
@@ -0,0 +1,118 @@
 package main
 import (
 	"errors"
 	"fmt"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/charmbracelet/huh"
 	"github.com/pquerna/otp/totp"
 	"github.com/traefik/paerser/cli"
 	"golang.org/x/crypto/bcrypt"
 )
 type VerifyUserConfig struct {
 	Interactive bool   `description:"Validate a user interactively."`
 	Username    string `description:"Username."`
 	Password    string `description:"Password."`
 	Totp        string `description:"TOTP code."`
 	User        string `description:"Hash (username:hash:totp)."`
 }
 func NewVerifyUserConfig() *VerifyUserConfig {
 	return &VerifyUserConfig{
 		Interactive: false,
 		Username:    "",
 		Password:    "",
 		Totp:        "",
 		User:        "",
 	}
 }
 func verifyUserCmd() *cli.Command {
 	tCfg := NewVerifyUserConfig()
 	loaders := []cli.ResourceLoader{
 		&cli.FlagLoader{},
 	}
 	return &cli.Command{
 		Name:          "verify",
 		Description:   "Verify a user is set up correctly.",
 		Configuration: tCfg,
 		Resources:     loaders,
 		Run: func(_ []string) error {
 			tlog.NewSimpleLogger().Init()
 			if tCfg.Interactive {
 				form := huh.NewForm(
 					huh.NewGroup(
 						huh.NewInput().Title("User (username:hash:totp)").Value(&tCfg.User).Validate((func(s string) error {
 							if s == "" {
 								return errors.New("user cannot be empty")
 							}
 							return nil
 						})),
 						huh.NewInput().Title("Username").Value(&tCfg.Username).Validate((func(s string) error {
 							if s == "" {
 								return errors.New("username cannot be empty")
 							}
 							return nil
 						})),
 						huh.NewInput().Title("Password").Value(&tCfg.Password).Validate((func(s string) error {
 							if s == "" {
 								return errors.New("password cannot be empty")
 							}
 							return nil
 						})),
 						huh.NewInput().Title("TOTP Code (optional)").Value(&tCfg.Totp),
 					),
 				)
 				var baseTheme *huh.Theme = huh.ThemeBase()
 				err := form.WithTheme(baseTheme).Run()
 				if err != nil {
 					return fmt.Errorf("failed to run interactive prompt: %w", err)
 				}
 			}
 			user, err := utils.ParseUser(tCfg.User)
 			if err != nil {
 				return fmt.Errorf("failed to parse user: %w", err)
 			}
 			if user.Username != tCfg.Username {
 				return fmt.Errorf("username is incorrect")
 			}
 			err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(tCfg.Password))
 			if err != nil {
 				return fmt.Errorf("password is incorrect: %w", err)
 			}
 			if user.TotpSecret == "" {
 				if tCfg.Totp != "" {
 					tlog.App.Warn().Msg("User does not have TOTP secret")
 				}
 				tlog.App.Info().Msg("User verified")
 				return nil
 			}
 			ok := totp.Validate(tCfg.Totp, user.TotpSecret)
 			if !ok {
 				return fmt.Errorf("TOTP code incorrect")
 			}
 			tlog.App.Info().Msg("User verified")
 			return nil
 		},
 	}
 }
--- a/cmd/tinyauth/version.go
+++ b/cmd/tinyauth/version.go
@@ -0,0 +1,24 @@
 package main
 import (
 	"fmt"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/traefik/paerser/cli"
 )
 func versionCmd() *cli.Command {
 	return &cli.Command{
 		Name:          "version",
 		Description:   "Print the version number of Tinyauth.",
 		Configuration: nil,
 		Resources:     nil,
 		Run: func(_ []string) error {
 			fmt.Printf("Version: %s\n", config.Version)
 			fmt.Printf("Commit Hash: %s\n", config.CommitHash)
 			fmt.Printf("Build Timestamp: %s\n", config.BuildTimestamp)
 			return nil
 		},
 	}
 }
--- a/cmd/verify.go
+++ b/cmd/verify.go
@@ -1,118 +0,0 @@
 package cmd
 import (
 	"errors"
 	"tinyauth/internal/utils"
 	"github.com/charmbracelet/huh"
 	"github.com/pquerna/otp/totp"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/cobra"
 	"golang.org/x/crypto/bcrypt"
 )
 type verifyUserCmd struct {
 	root *cobra.Command
 	cmd  *cobra.Command
 	interactive bool
 	username    string
 	password    string
 	totp        string
 	user        string
 }
 func newVerifyUserCmd(root *cobra.Command) *verifyUserCmd {
 	return &verifyUserCmd{
 		root: root,
 	}
 }
 func (c *verifyUserCmd) Register() {
 	c.cmd = &cobra.Command{
 		Use:   "verify",
 		Short: "Verify a user is set up correctly",
 		Long:  `Verify a user is set up correctly meaning that it has a correct username, password and TOTP code.`,
 		Run:   c.run,
 	}
 	c.cmd.Flags().BoolVarP(&c.interactive, "interactive", "i", false, "Validate a user interactively")
 	c.cmd.Flags().StringVar(&c.username, "username", "", "Username")
 	c.cmd.Flags().StringVar(&c.password, "password", "", "Password")
 	c.cmd.Flags().StringVar(&c.totp, "totp", "", "TOTP code")
 	c.cmd.Flags().StringVar(&c.user, "user", "", "Hash (username:hash:totp)")
 	if c.root != nil {
 		c.root.AddCommand(c.cmd)
 	}
 }
 func (c *verifyUserCmd) GetCmd() *cobra.Command {
 	return c.cmd
 }
 func (c *verifyUserCmd) run(cmd *cobra.Command, args []string) {
 	log.Logger = log.Level(zerolog.InfoLevel)
 	if c.interactive {
 		form := huh.NewForm(
 			huh.NewGroup(
 				huh.NewInput().Title("User (username:hash:totp)").Value(&c.user).Validate((func(s string) error {
 					if s == "" {
 						return errors.New("user cannot be empty")
 					}
 					return nil
 				})),
 				huh.NewInput().Title("Username").Value(&c.username).Validate((func(s string) error {
 					if s == "" {
 						return errors.New("username cannot be empty")
 					}
 					return nil
 				})),
 				huh.NewInput().Title("Password").Value(&c.password).Validate((func(s string) error {
 					if s == "" {
 						return errors.New("password cannot be empty")
 					}
 					return nil
 				})),
 				huh.NewInput().Title("TOTP Code (optional)").Value(&c.totp),
 			),
 		)
 		var baseTheme *huh.Theme = huh.ThemeBase()
 		err := form.WithTheme(baseTheme).Run()
 		if err != nil {
 			log.Fatal().Err(err).Msg("Form failed")
 		}
 	}
 	user, err := utils.ParseUser(c.user)
 	if err != nil {
 		log.Fatal().Err(err).Msg("Failed to parse user")
 	}
 	if user.Username != c.username {
 		log.Fatal().Msg("Username is incorrect")
 	}
 	err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(c.password))
 	if err != nil {
 		log.Fatal().Msg("Password is incorrect")
 	}
 	if user.TotpSecret == "" {
 		if c.totp != "" {
 			log.Warn().Msg("User does not have TOTP secret")
 		}
 		log.Info().Msg("User verified")
 		return
 	}
 	ok := totp.Validate(c.totp, user.TotpSecret)
 	if !ok {
 		log.Fatal().Msg("TOTP code incorrect")
 	}
 	log.Info().Msg("User verified")
 }
--- a/cmd/version.go
+++ b/cmd/version.go
@@ -1,42 +0,0 @@
 package cmd
 import (
 	"fmt"
 	"tinyauth/internal/config"
 	"github.com/spf13/cobra"
 )
 type versionCmd struct {
 	root *cobra.Command
 	cmd  *cobra.Command
 }
 func newVersionCmd(root *cobra.Command) *versionCmd {
 	return &versionCmd{
 		root: root,
 	}
 }
 func (c *versionCmd) Register() {
 	c.cmd = &cobra.Command{
 		Use:   "version",
 		Short: "Print the version number of Tinyauth",
 		Long:  `All software has versions. This is Tinyauth's.`,
 		Run:   c.run,
 	}
 	if c.root != nil {
 		c.root.AddCommand(c.cmd)
 	}
 }
 func (c *versionCmd) GetCmd() *cobra.Command {
 	return c.cmd
 }
 func (c *versionCmd) run(cmd *cobra.Command, args []string) {
 	fmt.Printf("Version: %s\n", config.Version)
 	fmt.Printf("Commit Hash: %s\n", config.CommitHash)
 	fmt.Printf("Build Timestamp: %s\n", config.BuildTimestamp)
 }
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -1,7 +1,7 @@
 services:
  traefik:
    container_name: traefik
-    image: traefik:v3.3
+    image: traefik:v3.6
    command: --api.insecure=true --providers.docker
    ports:
      - 80:80
@@ -13,7 +13,7 @@ services:
    image: traefik/whoami:latest
    labels:
      traefik.enable: true
-      traefik.http.routers.whoami.rule: Host(`whoami.example.com`)
+      traefik.http.routers.whoami.rule: Host(`whoami.127.0.0.1.sslip.io`)
      traefik.http.routers.whoami.middlewares: tinyauth
  tinyauth-frontend:
@@ -27,7 +27,7 @@ services:
      - 5173:5173
    labels:
      traefik.enable: true
-      traefik.http.routers.tinyauth.rule: Host(`tinyauth.example.com`)
+      traefik.http.routers.tinyauth.rule: Host(`tinyauth.127.0.0.1.sslip.io`)
  tinyauth-backend:
    container_name: tinyauth-backend
@@ -42,7 +42,6 @@ services:
    volumes:
      - ./internal:/tinyauth/internal
      - ./cmd:/tinyauth/cmd
      - ./main.go:/tinyauth/main.go
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data:/data
    ports:
@@ -51,3 +50,4 @@ services:
    labels:
      traefik.enable: true
      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth-backend:3000/api/auth/traefik
      traefik.http.middlewares.tinyauth.forwardauth.authResponseHeaders: remote-user, remote-sub, remote-name, remote-email, remote-groups
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -1,7 +1,7 @@
 services:
  traefik:
    container_name: traefik
-    image: traefik:v3.3
+    image: traefik:v3.6
    command: --api.insecure=true --providers.docker
    ports:
      - 80:80
@@ -20,8 +20,8 @@ services:
    container_name: tinyauth
    image: ghcr.io/steveiliop56/tinyauth:v3
    environment:
-      - APP_URL=https://tinyauth.example.com
+      - TINYAUTH_APPURL=https://tinyauth.example.com
-      - USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
+      - TINYAUTH_AUTH_USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
    volumes:
      - ./data:/data
    labels:
--- a/frontend/.gitignore
+++ b/frontend/.gitignore
@@ -22,3 +22,6 @@ dist-ssr
 *.njsproj
 *.sln
 *.sw?
 # Stats out
 stats.html
--- a/frontend/bun.lock
+++ b/frontend/bun.lock
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -17,43 +17,44 @@
    "@radix-ui/react-select": "^2.2.6",
    "@radix-ui/react-separator": "^1.1.8",
    "@radix-ui/react-slot": "^1.2.4",
-    "@tailwindcss/vite": "^4.1.17",
+    "@tailwindcss/vite": "^4.1.18",
-    "@tanstack/react-query": "^5.90.12",
+    "@tanstack/react-query": "^5.90.21",
-    "axios": "^1.13.2",
+    "axios": "^1.13.5",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
-    "i18next": "^25.7.2",
+    "i18next": "^25.8.7",
-    "i18next-browser-languagedetector": "^8.2.0",
+    "i18next-browser-languagedetector": "^8.2.1",
    "i18next-resources-to-backend": "^1.2.1",
    "input-otp": "^1.4.2",
-    "lucide-react": "^0.556.0",
+    "lucide-react": "^0.564.0",
    "next-themes": "^0.4.6",
-    "react": "^19.2.1",
+    "react": "^19.2.4",
-    "react-dom": "^19.2.1",
+    "react-dom": "^19.2.4",
-    "react-hook-form": "^7.68.0",
+    "react-hook-form": "^7.71.1",
-    "react-i18next": "^16.4.0",
+    "react-i18next": "^16.5.4",
    "react-markdown": "^10.1.0",
-    "react-router": "^7.10.1",
+    "react-router": "^7.13.0",
    "sonner": "^2.0.7",
-    "tailwind-merge": "^3.4.0",
+    "tailwind-merge": "^3.4.1",
-    "tailwindcss": "^4.1.17",
+    "tailwindcss": "^4.1.18",
-    "zod": "^4.1.13"
+    "zod": "^4.3.6"
  },
  "devDependencies": {
-    "@eslint/js": "^9.39.1",
+    "@eslint/js": "^10.0.1",
-    "@tanstack/eslint-plugin-query": "^5.91.2",
+    "@tanstack/eslint-plugin-query": "^5.91.4",
-    "@types/node": "^24.10.2",
+    "@types/node": "^25.2.3",
-    "@types/react": "^19.2.7",
+    "@types/react": "^19.2.14",
    "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^5.1.2",
+    "@vitejs/plugin-react": "^5.1.4",
-    "eslint": "^9.39.1",
+    "eslint": "^10.0.0",
    "eslint-plugin-react-hooks": "^7.0.1",
-    "eslint-plugin-react-refresh": "^0.4.24",
+    "eslint-plugin-react-refresh": "^0.5.0",
-    "globals": "^16.5.0",
+    "globals": "^17.3.0",
-    "prettier": "3.7.4",
+    "prettier": "3.8.1",
    "rollup-plugin-visualizer": "^6.0.5",
    "tw-animate-css": "^1.4.0",
    "typescript": "~5.9.3",
-    "typescript-eslint": "^8.49.0",
+    "typescript-eslint": "^8.55.0",
-    "vite": "^7.2.7"
+    "vite": "^7.3.1"
  }
 }
--- a/frontend/src/components/auth/totp-form.tsx
+++ b/frontend/src/components/auth/totp-form.tsx
@@ -14,11 +14,10 @@ import z from "zod";
 interface Props {
  formId: string;
  onSubmit: (code: TotpSchema) => void;
  loading?: boolean;
 }
 export const TotpForm = (props: Props) => {
-  const { formId, onSubmit, loading } = props;
+  const { formId, onSubmit } = props;
  const { t } = useTranslation();
  z.config({
@@ -30,6 +29,14 @@ export const TotpForm = (props: Props) => {
    resolver: zodResolver(totpSchema),
  });
  const handleChange = (value: string) => {
    form.setValue("code", value, { shouldDirty: true, shouldValidate: true });
    if (value.length === 6) {
      onSubmit({ code: value });
    }
  };
  return (
    <Form {...form}>
      <form id={formId} onSubmit={form.handleSubmit(onSubmit)}>
@@ -41,10 +48,10 @@ export const TotpForm = (props: Props) => {
              <FormControl>
                <InputOTP
                  maxLength={6}
                  disabled={loading}
                  {...field}
                  autoComplete="one-time-code"
                  autoFocus
                  onChange={handleChange}
                >
                  <InputOTPGroup>
                    <InputOTPSlot index={0} />
--- a/frontend/src/components/domain-warning/domain-warning.tsx
+++ b/frontend/src/components/domain-warning/domain-warning.tsx
@@ -33,6 +33,7 @@ export const DomainWarning = (props: Props) => {
            i18nKey="domainWarningSubtitle"
            values={{ appUrl, currentUrl }}
            components={{ code: <code /> }}
            shouldUnescape={true}
          />
        </CardDescription>
      </CardHeader>
--- a/frontend/src/index.css
+++ b/frontend/src/index.css
@@ -159,6 +159,10 @@ code {
  @apply relative rounded bg-muted px-[0.2rem] py-[0.1rem] font-mono text-sm font-semibold break-all;
 }
 pre {
  @apply bg-accent border border-border rounded-md p-2 whitespace-break-spaces;
 }
 .lead {
  @apply text-xl text-muted-foreground;
 }
--- a/frontend/src/lib/hooks/oidc.ts
+++ b/frontend/src/lib/hooks/oidc.ts
@@ -0,0 +1,53 @@
 export type OIDCValues = {
  scope: string;
  response_type: string;
  client_id: string;
  redirect_uri: string;
  state: string;
 };
 interface IuseOIDCParams {
  values: OIDCValues;
  compiled: string;
  isOidc: boolean;
  missingParams: string[];
 }
 const optionalParams: string[] = ["state"];
 export function useOIDCParams(params: URLSearchParams): IuseOIDCParams {
  let compiled: string = "";
  let isOidc = false;
  const missingParams: string[] = [];
  const values: OIDCValues = {
    scope: params.get("scope") ?? "",
    response_type: params.get("response_type") ?? "",
    client_id: params.get("client_id") ?? "",
    redirect_uri: params.get("redirect_uri") ?? "",
    state: params.get("state") ?? "",
  };
  for (const key of Object.keys(values)) {
    if (!values[key as keyof OIDCValues]) {
      if (!optionalParams.includes(key)) {
        missingParams.push(key);
      }
    }
  }
  if (missingParams.length === 0) {
    isOidc = true;
  }
  if (isOidc) {
    compiled = new URLSearchParams(values).toString();
  }
  return {
    values,
    compiled,
    isOidc,
    missingParams,
  };
 }
--- a/frontend/src/lib/hooks/redirect-uri.ts
+++ b/frontend/src/lib/hooks/redirect-uri.ts
@@ -0,0 +1,64 @@
 type IuseRedirectUri = {
  url?: URL;
  valid: boolean;
  trusted: boolean;
  allowedProto: boolean;
  httpsDowngrade: boolean;
 };
 export const useRedirectUri = (
  redirect_uri: string | null,
  cookieDomain: string,
 ): IuseRedirectUri => {
  let isValid = false;
  let isTrusted = false;
  let isAllowedProto = false;
  let isHttpsDowngrade = false;
  if (!redirect_uri) {
    return {
      valid: isValid,
      trusted: isTrusted,
      allowedProto: isAllowedProto,
      httpsDowngrade: isHttpsDowngrade,
    };
  }
  let url: URL;
  try {
    url = new URL(redirect_uri);
  } catch {
    return {
      valid: isValid,
      trusted: isTrusted,
      allowedProto: isAllowedProto,
      httpsDowngrade: isHttpsDowngrade,
    };
  }
  isValid = true;
  if (
    url.hostname == cookieDomain ||
    url.hostname.endsWith(`.${cookieDomain}`)
  ) {
    isTrusted = true;
  }
  if (url.protocol == "http:" || url.protocol == "https:") {
    isAllowedProto = true;
  }
  if (window.location.protocol == "https:" && url.protocol == "http:") {
    isHttpsDowngrade = true;
  }
  return {
    url,
    valid: isValid,
    trusted: isTrusted,
    allowedProto: isAllowedProto,
    httpsDowngrade: isHttpsDowngrade,
  };
 };
--- a/frontend/src/lib/i18n/i18n.ts
+++ b/frontend/src/lib/i18n/i18n.ts
@@ -2,7 +2,6 @@ import i18n from "i18next";
 import { initReactI18next } from "react-i18next";
 import LanguageDetector from "i18next-browser-languagedetector";
 import resourcesToBackend from "i18next-resources-to-backend";
 import { languages } from "./locales";
 i18n
  .use(LanguageDetector)
@@ -16,7 +15,6 @@ i18n
    fallbackLng: "en",
    debug: import.meta.env.MODE === "development",
    nonExplicitSupportedLngs: true,
    supportedLngs: Object.keys(languages),
    load: "currentOnly",
    detection: {
      lookupLocalStorage: "tinyauth-lang",
--- a/frontend/src/lib/i18n/locales/af-ZA.json
+++ b/frontend/src/lib/i18n/locales/af-ZA.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/ar-SA.json
+++ b/frontend/src/lib/i18n/locales/ar-SA.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "نسيت كلمة المرور؟",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "حدث خطأ",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "تجاهل",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/ca-ES.json
+++ b/frontend/src/lib/i18n/locales/ca-ES.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/cs-CZ.json
+++ b/frontend/src/lib/i18n/locales/cs-CZ.json
@@ -14,7 +14,7 @@
    "loginOauthFailSubtitle": "Nepodařilo se získat OAuth URL",
    "loginOauthSuccessTitle": "Přesměrování",
    "loginOauthSuccessSubtitle": "Přesměrování k poskytovateli OAuth",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "Automatické přesměrování OAuth",
    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
    "loginOauthAutoRedirectButton": "Redirect now",
    "continueTitle": "Pokračovat",
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Zapomněli jste heslo?",
    "failedToFetchProvidersTitle": "Nepodařilo se načíst poskytovatele ověřování. Zkontrolujte prosím konfiguraci.",
    "errorTitle": "Došlo k chybě",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Nastala chyba při pokusu o provedení této akce. Pro více informací prosím zkontrolujte konzolu.",
    "forgotPasswordMessage": "Heslo můžete obnovit změnou proměnné `USERS`.",
    "fieldRequired": "Toto pole je povinné",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/da-DK.json
+++ b/frontend/src/lib/i18n/locales/da-DK.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Glemt din adgangskode?",
    "failedToFetchProvidersTitle": "Kunne ikke indlæse godkendelsesudbydere. Tjek venligst din konfiguration.",
    "errorTitle": "Der opstod en fejl",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Der opstod en fejl under forsøget på at udføre denne handling. Tjek venligst konsollen for mere information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/de-DE.json
+++ b/frontend/src/lib/i18n/locales/de-DE.json
@@ -14,17 +14,17 @@
    "loginOauthFailSubtitle": "Fehler beim Abrufen der OAuth-URL",
    "loginOauthSuccessTitle": "Leite weiter",
    "loginOauthSuccessSubtitle": "Weiterleitung zu Ihrem OAuth-Provider",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "Automatische OAuth-Weiterleitung",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "Sie werden automatisch zu Ihrem OAuth-Anbieter weitergeleitet, um sich zu authentifizieren.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Jetzt weiterleiten",
    "continueTitle": "Weiter",
    "continueRedirectingTitle": "Leite weiter...",
    "continueRedirectingSubtitle": "Sie sollten in Kürze zur App weitergeleitet werden",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Manuell weiterleiten",
    "continueInsecureRedirectTitle": "Unsichere Weiterleitung",
    "continueInsecureRedirectSubtitle": "Sie versuchen von <code>https</code> auf <code>http</code> weiterzuleiten, was unsicher ist. Sind Sie sicher, dass Sie fortfahren möchten?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Nicht vertrauenswürdige Weiterleitung",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "Sie versuchen auf eine Domain umzuleiten, die nicht mit Ihrer konfigurierten Domain übereinstimmt (<code>{{cookieDomain}}</code>). Sind Sie sicher, dass Sie fortfahren möchten?",
    "logoutFailTitle": "Abmelden fehlgeschlagen",
    "logoutFailSubtitle": "Bitte versuchen Sie es erneut",
    "logoutSuccessTitle": "Abgemeldet",
@@ -51,12 +51,31 @@
    "forgotPasswordTitle": "Passwort vergessen?",
    "failedToFetchProvidersTitle": "Fehler beim Laden der Authentifizierungsanbieter. Bitte überprüfen Sie Ihre Konfiguration.",
    "errorTitle": "Ein Fehler ist aufgetreten",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Beim Versuch, diese Aktion auszuführen, ist ein Fehler aufgetreten. Bitte überprüfen Sie die Konsole für weitere Informationen.",
    "forgotPasswordMessage": "Das Passwort kann durch Änderung der 'USERS' Variable zurückgesetzt werden.",
    "fieldRequired": "Dieses Feld ist notwendig",
    "invalidInput": "Ungültige Eingabe",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Ungültige Domain",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Diese Instanz ist so konfiguriert, dass sie von <code>{{appUrl}}</code> aufgerufen werden kann, aber <code>{{currentUrl}}</code> wird verwendet. Wenn Sie fortfahren, können Probleme bei der Authentifizierung auftreten.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "Ignorieren",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Zur korrekten Domain gehen",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/el-GR.json
+++ b/frontend/src/lib/i18n/locales/el-GR.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Ξεχάσατε το συνθηματικό σας;",
    "failedToFetchProvidersTitle": "Αποτυχία φόρτωσης παρόχων πιστοποίησης. Παρακαλώ ελέγξτε τις ρυθμίσεις σας.",
    "errorTitle": "Παρουσιάστηκε ένα σφάλμα",
    "errorSubtitleInfo": "Το ακόλουθο σφάλμα προέκυψε κατά την επεξεργασία του αιτήματός σας:",
    "errorSubtitle": "Παρουσιάστηκε σφάλμα κατά την προσπάθεια εκτέλεσης αυτής της ενέργειας. Ελέγξτε την κονσόλα για περισσότερες πληροφορίες.",
    "forgotPasswordMessage": "Μπορείτε να επαναφέρετε τον κωδικό πρόσβασής σας αλλάζοντας τη μεταβλητή περιβάλλοντος `USERS`.",
    "fieldRequired": "Αυτό το πεδίο είναι υποχρεωτικό",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Μη έγκυρο domain",
    "domainWarningSubtitle": "Αυτή η εφαρμογή έχει ρυθμιστεί για πρόσβαση από <code>{{appUrl}}</code>, αλλά <code>{{currentUrl}}</code> χρησιμοποιείται. Αν συνεχίσετε, μπορεί να αντιμετωπίσετε προβλήματα με την ταυτοποίηση.",
    "ignoreTitle": "Παράβλεψη",
-    "goToCorrectDomainTitle": "Μεταβείτε στο σωστό domain"
+    "goToCorrectDomainTitle": "Μεταβείτε στο σωστό domain",
-}
+    "authorizeTitle": "Εξουσιοδότηση",
    "authorizeCardTitle": "Συνέχεια στην εφαρμογή {{app}};",
    "authorizeSubtitle": "Θα θέλατε να συνεχίσετε σε αυτή την εφαρμογή; Παρακαλώ ελέγξτε προσεκτικά τα δικαιώματα που ζητούνται από την εφαρμογή.",
    "authorizeSubtitleOAuth": "Θα θέλατε να συνεχίσετε σε αυτή την εφαρμογή;",
    "authorizeLoadingTitle": "Φόρτωση...",
    "authorizeLoadingSubtitle": "Παρακαλώ περιμένετε όσο φορτώνουμε τις απαραίτητες πληροφορίες.",
    "authorizeSuccessTitle": "Εξουσιοδοτημένος",
    "authorizeSuccessSubtitle": "Θα μεταφερθείτε στην εφαρμογή σε λίγα δευτερόλεπτα.",
    "authorizeErrorClientInfo": "Παρουσιάστηκε σφάλμα κατά τη φόρτωση των πληροφοριών. Παρακαλώ προσπαθήστε ξανά αργότερα.",
    "authorizeErrorMissingParams": "Οι παρακάτω απαραίτητες πληροφορίες λείπουν από το αίτημά σας: {{missingParams}}",
    "openidScopeName": "Σύνδεση OpenID",
    "openidScopeDescription": "Επιτρέπει στην εφαρμογή την πρόσβαση στις πληροφορίες σύνδεσης OpenID.",
    "emailScopeName": "Διεύθυνση ηλεκτρονικού ταχυδρομείου",
    "emailScopeDescription": "Επιτρέπει στην εφαρμογή να έχει πρόσβαση στη διεύθυνση ηλεκτρονικού ταχυδρομείου σας.",
    "profileScopeName": "Προφίλ",
    "profileScopeDescription": "Επιτρέπει στην εφαρμογή να έχει πρόσβαση στις πληροφορίες του προφίλ σας.",
    "groupsScopeName": "Ομάδες",
    "groupsScopeDescription": "Επιτρέπει στην εφαρμογή την πρόσβαση στις πληροφορίες ομάδας σας."
 }
--- a/frontend/src/lib/i18n/locales/en-US.json
+++ b/frontend/src/lib/i18n/locales/en-US.json
@@ -51,12 +51,31 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
-    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/en.json
+++ b/frontend/src/lib/i18n/locales/en.json
@@ -51,12 +51,31 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
-    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check your browser console or the app logs for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/es-ES.json
+++ b/frontend/src/lib/i18n/locales/es-ES.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "¿Olvidó su contraseña?",
    "failedToFetchProvidersTitle": "Error al cargar los proveedores de autenticación. Por favor revise su configuración.",
    "errorTitle": "Ha ocurrido un error",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Ocurrió un error mientras se trataba de realizar esta acción. Por favor, revise la consola para más información.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/fi-FI.json
+++ b/frontend/src/lib/i18n/locales/fi-FI.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Unohditko salasanasi?",
    "failedToFetchProvidersTitle": "Todennuspalvelujen tarjoajien lataaminen epäonnistui. Tarkista määrityksesi.",
    "errorTitle": "Tapahtui virhe",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Tapahtui virhe yritettäessä suorittaa tämä toiminto. Ole hyvä ja tarkista konsoli saadaksesi lisätietoja.",
    "forgotPasswordMessage": "Voit nollata salasanasi vaihtamalla ympäristömuuttujan `USERS`.",
    "fieldRequired": "Tämä kenttä on pakollinen",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Virheellinen verkkotunnus",
    "domainWarningSubtitle": "Tämä instanssi on määritelty käyttämään osoitetta <code>{{appUrl}}</code>, mutta nykyinen osoite on <code>{{currentUrl}}</code>. Jos jatkat, saatat törmätä ongelmiin autentikoinnissa.",
    "ignoreTitle": "Jätä huomiotta",
-    "goToCorrectDomainTitle": "Siirry oikeaan verkkotunnukseen"
+    "goToCorrectDomainTitle": "Siirry oikeaan verkkotunnukseen",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/fr-FR.json
+++ b/frontend/src/lib/i18n/locales/fr-FR.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Mot de passe oublié ?",
    "failedToFetchProvidersTitle": "Échec du chargement des fournisseurs d'authentification. Veuillez vérifier votre configuration.",
    "errorTitle": "Une erreur est survenue",
    "errorSubtitleInfo": "L'erreur suivante s'est produite lors du traitement de votre requête :",
    "errorSubtitle": "Une erreur est survenue lors de l'exécution de cette action. Veuillez consulter la console pour plus d'informations.",
    "forgotPasswordMessage": "Vous pouvez réinitialiser votre mot de passe en modifiant la variable d'environnement `USERS`.",
    "fieldRequired": "Ce champ est obligatoire",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Domaine invalide",
    "domainWarningSubtitle": "Cette instance est configurée pour être accédée depuis <code>{{appUrl}}</code>, mais <code>{{currentUrl}}</code> est utilisé. Si vous continuez, vous pourriez rencontrer des problèmes d'authentification.",
    "ignoreTitle": "Ignorer",
-    "goToCorrectDomainTitle": "Aller au bon domaine"
+    "goToCorrectDomainTitle": "Aller au bon domaine",
-}
+    "authorizeTitle": "Autoriser",
    "authorizeCardTitle": "Continuer vers {{app}} ?",
    "authorizeSubtitle": "Voulez-vous continuer vers cette application ? Veuillez examiner attentivement les autorisations demandées par l'application.",
    "authorizeSubtitleOAuth": "Voulez-vous continuer vers cette application ?",
    "authorizeLoadingTitle": "Chargement...",
    "authorizeLoadingSubtitle": "Veuillez patienter pendant que nous chargeons les informations du client.",
    "authorizeSuccessTitle": "Autorisé",
    "authorizeSuccessSubtitle": "Vous allez être redirigé vers l'application dans quelques secondes.",
    "authorizeErrorClientInfo": "Une erreur est survenue lors du chargement des informations du client. Veuillez réessayer plus tard.",
    "authorizeErrorMissingParams": "Les paramètres suivants sont manquants : {{missingParams}}",
    "openidScopeName": "Connexion OpenID",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Autorise l'application à accéder à votre adresse e-mail.",
    "profileScopeName": "Profil",
    "profileScopeDescription": "Autorise l'application à accéder aux informations de votre profil.",
    "groupsScopeName": "Groupes",
    "groupsScopeDescription": "Autorise une application à accéder aux informations de votre groupe."
 }
--- a/frontend/src/lib/i18n/locales/he-IL.json
+++ b/frontend/src/lib/i18n/locales/he-IL.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/hu-HU.json
+++ b/frontend/src/lib/i18n/locales/hu-HU.json
@@ -1,42 +1,42 @@
 {
    "loginTitle": "Welcome back, login with",
-    "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "Üdvözöljük, kérem jelentkezzen be",
-    "loginDivider": "Or",
+    "loginDivider": "Vagy",
-    "loginUsername": "Username",
+    "loginUsername": "Felhasználónév",
-    "loginPassword": "Password",
+    "loginPassword": "Jelszó",
-    "loginSubmit": "Login",
+    "loginSubmit": "Bejelentkezés",
-    "loginFailTitle": "Failed to log in",
+    "loginFailTitle": "Sikertelen bejelentkezés",
-    "loginFailSubtitle": "Please check your username and password",
+    "loginFailSubtitle": "Kérjük, ellenőrizze a felhasználónevét és jelszavát",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "Túl sokszor próbálkoztál bejelentkezni. Próbáld újra később",
-    "loginSuccessTitle": "Logged in",
+    "loginSuccessTitle": "Bejelentkezve",
-    "loginSuccessSubtitle": "Welcome back!",
+    "loginSuccessSubtitle": "Üdvözöljük!",
    "loginOauthFailTitle": "An error occurred",
    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessTitle": "Átirányítás",
    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
    "loginOauthAutoRedirectButton": "Redirect now",
    "continueTitle": "Continue",
-    "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingTitle": "Átirányítás...",
    "continueRedirectingSubtitle": "You should be redirected to the app soon",
    "continueRedirectManually": "Redirect me manually",
    "continueInsecureRedirectTitle": "Insecure redirect",
    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
    "continueUntrustedRedirectTitle": "Untrusted redirect",
    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
-    "logoutFailTitle": "Failed to log out",
+    "logoutFailTitle": "Sikertelen kijelentkezés",
-    "logoutFailSubtitle": "Please try again",
+    "logoutFailSubtitle": "Próbálja újra",
-    "logoutSuccessTitle": "Logged out",
+    "logoutSuccessTitle": "Kijelentkezve",
-    "logoutSuccessSubtitle": "You have been logged out",
+    "logoutSuccessSubtitle": "Kijelentkeztél",
-    "logoutTitle": "Logout",
+    "logoutTitle": "Kijelentkezés",
    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
    "notFoundTitle": "Page not found",
    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
+    "notFoundButton": "Ugrás a kezdőlapra",
-    "totpFailTitle": "Failed to verify code",
+    "totpFailTitle": "Érvénytelen kód",
-    "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "Kérjük ellenőrizze a kódot és próbálja újra",
    "totpSuccessTitle": "Verified",
    "totpSuccessSubtitle": "Redirecting to your app",
    "totpTitle": "Enter your TOTP code",
@@ -46,17 +46,36 @@
    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
+    "unauthorizedButton": "Próbálja újra",
-    "cancelTitle": "Cancel",
+    "cancelTitle": "Mégse",
-    "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Elfelejtette jelszavát?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
-    "errorTitle": "An error occurred",
+    "errorTitle": "Hiba történt",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
-    "fieldRequired": "This field is required",
+    "fieldRequired": "Ez egy kötelező mező",
    "invalidInput": "Invalid input",
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/it-IT.json
+++ b/frontend/src/lib/i18n/locales/it-IT.json
@@ -1,23 +1,23 @@
 {
-    "loginTitle": "Welcome back, login with",
+    "loginTitle": "Bentornato, accedi con",
-    "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "Bentornato, accedi al tuo account",
-    "loginDivider": "Or",
+    "loginDivider": "Oppure",
-    "loginUsername": "Username",
+    "loginUsername": "Nome utente",
    "loginPassword": "Password",
-    "loginSubmit": "Login",
+    "loginSubmit": "Accesso",
-    "loginFailTitle": "Failed to log in",
+    "loginFailTitle": "Accesso non riuscito",
-    "loginFailSubtitle": "Please check your username and password",
+    "loginFailSubtitle": "Verifica che il nome utente e la password siano corretti",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "Hai effettuato troppi tentativi errati. Riprova più tardi",
-    "loginSuccessTitle": "Logged in",
+    "loginSuccessTitle": "Accesso effettuato",
-    "loginSuccessSubtitle": "Welcome back!",
+    "loginSuccessSubtitle": "Bentornato!",
-    "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "Si è verificato un errore",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthFailSubtitle": "Impossibile ottenere l'URL di OAuth",
    "loginOauthSuccessTitle": "Redirecting",
    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
    "loginOauthAutoRedirectButton": "Redirect now",
-    "continueTitle": "Continue",
+    "continueTitle": "Prosegui",
    "continueRedirectingTitle": "Redirecting...",
    "continueRedirectingSubtitle": "You should be redirected to the app soon",
    "continueRedirectManually": "Redirect me manually",
@@ -34,29 +34,48 @@
    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
    "notFoundTitle": "Page not found",
    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
+    "notFoundButton": "Vai alla home",
-    "totpFailTitle": "Failed to verify code",
+    "totpFailTitle": "Errore nella verifica del codice",
-    "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "Si prega di controllare il codice e riprovare",
-    "totpSuccessTitle": "Verified",
+    "totpSuccessTitle": "Verificato",
-    "totpSuccessSubtitle": "Redirecting to your app",
+    "totpSuccessSubtitle": "Reindirizzamento alla tua app",
-    "totpTitle": "Enter your TOTP code",
+    "totpTitle": "Inserisci il tuo codice TOTP",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Inserisci il codice dalla tua app di autenticazione.",
-    "unauthorizedTitle": "Unauthorized",
+    "unauthorizedTitle": "Non Autorizzato",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "L'utente con username <code>{{username}}</code> non è autorizzato ad accedere alla risorsa <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "L'utente con username <code>{{username}}</code> non è autorizzato a effettuare l'accesso.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "L'utente con nome utente <code>{{username}}</code> non fa parte dei gruppi richiesti dalla risorsa <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Il tuo indirizzo IP <code>{{ip}}</code> non è autorizzato ad accedere alla risorsa <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
+    "unauthorizedButton": "Riprova",
-    "cancelTitle": "Cancel",
+    "cancelTitle": "Annulla",
-    "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Password dimenticata?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Impossibile caricare i provider di autenticazione. Si prega di controllare la configurazione.",
-    "errorTitle": "An error occurred",
+    "errorTitle": "Si è verificato un errore",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "Puoi reimpostare la tua password modificando la variabile d'ambiente `USERS`.",
-    "fieldRequired": "This field is required",
+    "fieldRequired": "Questo campo è obbligatorio",
-    "invalidInput": "Invalid input",
+    "invalidInput": "Input non valido",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Dominio non valido",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Questa istanza è configurata per essere accessibile da <code>{{appUrl}}</code>, ma <code>{{currentUrl}}</code> è in uso. Se procedi, potresti incorrere in problemi di autenticazione.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "Ignora",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Vai al dominio corretto",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/ja-JP.json
+++ b/frontend/src/lib/i18n/locales/ja-JP.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/ko-KR.json
+++ b/frontend/src/lib/i18n/locales/ko-KR.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/nl-NL.json
+++ b/frontend/src/lib/i18n/locales/nl-NL.json
@@ -1,37 +1,37 @@
 {
    "loginTitle": "Welkom terug, log in met",
-    "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "Welkom terug, log in",
-    "loginDivider": "Or",
+    "loginDivider": "Of",
    "loginUsername": "Gebruikersnaam",
    "loginPassword": "Wachtwoord",
    "loginSubmit": "Log in",
    "loginFailTitle": "Mislukt om in te loggen",
    "loginFailSubtitle": "Controleer je gebruikersnaam en wachtwoord",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "Inloggen is te vaak mislukt. Probeer het later opnieuw",
    "loginSuccessTitle": "Ingelogd",
    "loginSuccessSubtitle": "Welkom terug!",
-    "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "Er is een fout opgetreden",
    "loginOauthFailSubtitle": "Fout bij het ophalen van OAuth URL",
    "loginOauthSuccessTitle": "Omleiden",
    "loginOauthSuccessSubtitle": "Omleiden naar je OAuth provider",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "OAuth automatische omleiding",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "Je wordt automatisch omgeleid naar je OAuth provider om te authenticeren.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Nu omleiden",
    "continueTitle": "Ga verder",
    "continueRedirectingTitle": "Omleiden...",
    "continueRedirectingSubtitle": "Je wordt naar de app doorgestuurd",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Stuur mij handmatig door",
    "continueInsecureRedirectTitle": "Onveilige doorverwijzing",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "Je probeert door te verwijzen van <code>https</code> naar <code>http</code> die niet veilig is. Weet je zeker dat je wilt doorgaan?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Niet-vertrouwde doorverwijzing",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "Je probeert door te sturen naar een domein dat niet overeenkomt met je geconfigureerde domein (<code>{{cookieDomain}}</code>). Weet je zeker dat je wilt doorgaan?",
    "logoutFailTitle": "Afmelden mislukt",
    "logoutFailSubtitle": "Probeer het opnieuw",
    "logoutSuccessTitle": "Afgemeld",
    "logoutSuccessSubtitle": "Je bent afgemeld",
    "logoutTitle": "Afmelden",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutUsernameSubtitle": "Je bent momenteel ingelogd als <code>{{username}}</code>. Klik op de onderstaande knop om uit te loggen.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutOauthSubtitle": "Je bent momenteel ingelogd als <code>{{username}}</code> met behulp van de {{provider}} OAuth provider. Klik op de onderstaande knop om uit te loggen.",
    "notFoundTitle": "Pagina niet gevonden",
    "notFoundSubtitle": "De pagina die je zoekt bestaat niet.",
    "notFoundButton": "Naar startpagina",
@@ -40,23 +40,42 @@
    "totpSuccessTitle": "Geverifiëerd",
    "totpSuccessSubtitle": "Omleiden naar je app",
    "totpTitle": "Voer je TOTP-code in",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Voer de code van je authenticator-app in.",
    "unauthorizedTitle": "Ongeautoriseerd",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "De gebruiker met gebruikersnaam <code>{{username}}</code> is niet gemachtigd om de bron <code>{{resource}}</code> te gebruiken.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "De gebruiker met gebruikersnaam <code>{{username}}</code> is niet gemachtigd om in te loggen.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "De gebruiker met gebruikersnaam <code>{{username}}</code> maakt geen deel uit van de groepen die vereist zijn door de bron <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Jouw IP-adres <code>{{ip}}</code> is niet gemachtigd om de bron <code>{{resource}}</code> te gebruiken.",
    "unauthorizedButton": "Opnieuw proberen",
-    "cancelTitle": "Cancel",
+    "cancelTitle": "Annuleren",
-    "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Wachtwoord vergeten?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Fout bij het laden van de authenticatie-providers. Controleer je configuratie.",
-    "errorTitle": "An error occurred",
+    "errorTitle": "Er is een fout opgetreden",
    "errorSubtitleInfo": "De volgende fout is opgetreden bij het verwerken van het verzoek:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "Je kunt je wachtwoord opnieuw instellen door de `USERS` omgevingsvariabele te wijzigen.",
-    "fieldRequired": "This field is required",
+    "fieldRequired": "Dit veld is verplicht",
-    "invalidInput": "Invalid input",
+    "invalidInput": "Ongeldige invoer",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Ongeldig domein",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Deze instantie is geconfigureerd voor toegang tot <code>{{appUrl}}</code>, maar <code>{{currentUrl}}</code> wordt gebruikt. Als je doorgaat, kun je problemen ondervinden met authenticatie.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "Negeren",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Ga naar het juiste domein",
-}
+    "authorizeTitle": "Autoriseren",
    "authorizeCardTitle": "Doorgaan naar {{app}}?",
    "authorizeSubtitle": "Doorgaan naar deze app? Controleer de machtigingen die door de app worden gevraagd.",
    "authorizeSubtitleOAuth": "Doorgaan naar deze app?",
    "authorizeLoadingTitle": "Laden...",
    "authorizeLoadingSubtitle": "Even geduld bij het laden van de cliëntinformatie.",
    "authorizeSuccessTitle": "Geautoriseerd",
    "authorizeSuccessSubtitle": "Je wordt binnen enkele seconden doorgestuurd naar de app.",
    "authorizeErrorClientInfo": "Er is een fout opgetreden tijdens het laden van de cliëntinformatie. Probeer het later opnieuw.",
    "authorizeErrorMissingParams": "De volgende parameters ontbreken: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Hiermee kan de app toegang krijgen tot jouw OpenID Connect-informatie.",
    "emailScopeName": "E-mail",
    "emailScopeDescription": "Hiermee kan de app toegang krijgen tot jouw e-mailadres.",
    "profileScopeName": "Profiel",
    "profileScopeDescription": "Hiermee kan de app toegang krijgen tot je profielinformatie.",
    "groupsScopeName": "Groepen",
    "groupsScopeDescription": "Hiermee kan de app toegang krijgen tot jouw groepsinformatie."
 }
--- a/frontend/src/lib/i18n/locales/no-NO.json
+++ b/frontend/src/lib/i18n/locales/no-NO.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/pl-PL.json
+++ b/frontend/src/lib/i18n/locales/pl-PL.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Nie pamiętasz hasła?",
    "failedToFetchProvidersTitle": "Nie udało się załadować dostawców uwierzytelniania. Sprawdź swoją konfigurację.",
    "errorTitle": "Wystąpił błąd",
    "errorSubtitleInfo": "Podczas przetwarzania żądania wystąpił następujący błąd:",
    "errorSubtitle": "Wystąpił błąd podczas próby wykonania tej czynności. Sprawdź konsolę, aby uzyskać więcej informacji.",
    "forgotPasswordMessage": "Możesz zresetować hasło, zmieniając zmienną środowiskową `USERS`.",
    "fieldRequired": "To pole jest wymagane",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Nieprawidłowa domena",
    "domainWarningSubtitle": "Ta instancja jest skonfigurowana do uzyskania dostępu z <code>{{appUrl}}</code>, ale <code>{{currentUrl}}</code> jest w użyciu. Jeśli będziesz kontynuować, mogą wystąpić problemy z uwierzytelnianiem.",
    "ignoreTitle": "Zignoruj",
-    "goToCorrectDomainTitle": "Przejdź do prawidłowej domeny"
+    "goToCorrectDomainTitle": "Przejdź do prawidłowej domeny",
-}
+    "authorizeTitle": "Autoryzuj",
    "authorizeCardTitle": "Kontynuować do {{app}}?",
    "authorizeSubtitle": "Czy chcesz kontynuować do tej aplikacji? Uważnie zapoznaj się z uprawnieniami żądanymi przez aplikację.",
    "authorizeSubtitleOAuth": "Czy chcesz kontynuować do tej aplikacji?",
    "authorizeLoadingTitle": "Wczytywanie...",
    "authorizeLoadingSubtitle": "Proszę czekać, aż załadujemy informacje o kliencie.",
    "authorizeSuccessTitle": "Autoryzowano",
    "authorizeSuccessSubtitle": "Za kilka sekund nastąpi przekierowanie do aplikacji.",
    "authorizeErrorClientInfo": "Wystąpił błąd podczas ładowania informacji o kliencie. Spróbuj ponownie później.",
    "authorizeErrorMissingParams": "Brakuje następujących parametrów: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Zezwala aplikacji na dostęp do informacji o OpenID Connect.",
    "emailScopeName": "E-mail",
    "emailScopeDescription": "Zezwala aplikacji na dostęp do adresów e-mail.",
    "profileScopeName": "Profil",
    "profileScopeDescription": "Zezwala aplikacji na dostęp do informacji o porfilu.",
    "groupsScopeName": "Grupy",
    "groupsScopeDescription": "Zezwala aplikacji na dostęp do informacji o grupie."
 }
--- a/frontend/src/lib/i18n/locales/pt-BR.json
+++ b/frontend/src/lib/i18n/locales/pt-BR.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Esqueceu sua senha?",
    "failedToFetchProvidersTitle": "Falha ao carregar provedores de autenticação. Verifique sua configuração.",
    "errorTitle": "Ocorreu um erro",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Ocorreu um erro ao tentar executar esta ação. Por favor, verifique o console para mais informações.",
    "forgotPasswordMessage": "Você pode redefinir sua senha alterando a variável de ambiente `USERS`.",
    "fieldRequired": "Este campo é obrigatório",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Domínio inválido",
    "domainWarningSubtitle": "Esta instância está configurada para ser acessada de <code>{{appUrl}}</code>, mas <code>{{currentUrl}}</code> está sendo usado. Se você continuar, você pode encontrar problemas com a autenticação.",
    "ignoreTitle": "Ignorar",
-    "goToCorrectDomainTitle": "Ir para o domínio correto"
+    "goToCorrectDomainTitle": "Ir para o domínio correto",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/pt-PT.json
+++ b/frontend/src/lib/i18n/locales/pt-PT.json
@@ -1,62 +1,81 @@
 {
-    "loginTitle": "Welcome back, login with",
+    "loginTitle": "Bem-vindo de volta, inicia sessão com",
-    "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "Bem-vindo de volta, inicia sessão",
-    "loginDivider": "Or",
+    "loginDivider": "Ou",
-    "loginUsername": "Username",
+    "loginUsername": "Nome de utilizador",
-    "loginPassword": "Password",
+    "loginPassword": "Palavra-passe",
-    "loginSubmit": "Login",
+    "loginSubmit": "Iniciar sessão",
-    "loginFailTitle": "Failed to log in",
+    "loginFailTitle": "Falha ao iniciar sessão",
-    "loginFailSubtitle": "Please check your username and password",
+    "loginFailSubtitle": "Verifica o nome de utilizador e a palavra-passe",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "Falhaste o início de sessão demasiadas vezes. Tenta novamente mais tarde",
-    "loginSuccessTitle": "Logged in",
+    "loginSuccessTitle": "Sessão iniciada",
-    "loginSuccessSubtitle": "Welcome back!",
+    "loginSuccessSubtitle": "Bem-vindo de volta!",
-    "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "Ocorreu um erro",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthFailSubtitle": "Não foi possível obter o URL OAuth",
-    "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessTitle": "A redirecionar",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthSuccessSubtitle": "A redirecionar para o teu fornecedor OAuth",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "Redirecionamento automático OAuth",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "Vais ser redirecionado automaticamente para o teu fornecedor OAuth para autenticação.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Redirecionar agora",
-    "continueTitle": "Continue",
+    "continueTitle": "Continuar",
-    "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingTitle": "A redirecionar...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
+    "continueRedirectingSubtitle": "Deverás ser redirecionado para a aplicação em breve",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Redirecionar manualmente",
-    "continueInsecureRedirectTitle": "Insecure redirect",
+    "continueInsecureRedirectTitle": "Redirecionamento inseguro",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "Estás a tentar redirecionar de <code>https</code> para <code>http</code>, o que não é seguro. Tens a certeza de que queres continuar?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Redirecionamento não fidedigno",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "Estás a tentar redirecionar para um domínio que não corresponde ao domínio configurado (<code>{{cookieDomain}}</code>). Tens a certeza de que queres continuar?",
-    "logoutFailTitle": "Failed to log out",
+    "logoutFailTitle": "Falha ao terminar sessão",
-    "logoutFailSubtitle": "Please try again",
+    "logoutFailSubtitle": "Tenta novamente",
-    "logoutSuccessTitle": "Logged out",
+    "logoutSuccessTitle": "Sessão terminada",
-    "logoutSuccessSubtitle": "You have been logged out",
+    "logoutSuccessSubtitle": "Terminaste a sessão com sucesso",
-    "logoutTitle": "Logout",
+    "logoutTitle": "Terminar sessão",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutUsernameSubtitle": "Estás com sessão iniciada como <code>{{username}}</code>. Clica no botão abaixo para terminar sessão.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutOauthSubtitle": "Estás com sessão iniciada como <code>{{username}}</code> através do fornecedor OAuth {{provider}}. Clica no botão abaixo para terminar sessão.",
-    "notFoundTitle": "Page not found",
+    "notFoundTitle": "Página não encontrada",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
+    "notFoundSubtitle": "A página que procuras não existe.",
-    "notFoundButton": "Go home",
+    "notFoundButton": "Ir para o início",
-    "totpFailTitle": "Failed to verify code",
+    "totpFailTitle": "Falha na verificação do código",
-    "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "Verifica o código e tenta novamente",
-    "totpSuccessTitle": "Verified",
+    "totpSuccessTitle": "Verificado",
-    "totpSuccessSubtitle": "Redirecting to your app",
+    "totpSuccessSubtitle": "A redirecionar para a tua aplicação",
-    "totpTitle": "Enter your TOTP code",
+    "totpTitle": "Introduz o teu código TOTP",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Introduz o código da tua aplicação de autenticação.",
-    "unauthorizedTitle": "Unauthorized",
+    "unauthorizedTitle": "Não autorizado",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "O utilizador com o nome <code>{{username}}</code> não tem autorização para aceder ao recurso <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "O utilizador com o nome <code>{{username}}</code> não tem autorização para iniciar sessão.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "O utilizador com o nome <code>{{username}}</code> não pertence aos grupos exigidos pelo recurso <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "O teu endereço IP <code>{{ip}}</code> não tem autorização para aceder ao recurso <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
+    "unauthorizedButton": "Tentar novamente",
-    "cancelTitle": "Cancel",
+    "cancelTitle": "Cancelar",
-    "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Esqueceste-te da palavra-passe?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Falha ao carregar os fornecedores de autenticação. Verifica a configuração.",
-    "errorTitle": "An error occurred",
+    "errorTitle": "Ocorreu um erro",
-    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
+    "errorSubtitleInfo": "The following error occurred while processing your request:",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "errorSubtitle": "Ocorreu um erro ao tentar executar esta ação. Consulta a consola para mais informações.",
-    "fieldRequired": "This field is required",
+    "forgotPasswordMessage": "Podes redefinir a tua palavra-passe alterando a variável de ambiente `USERS`.",
-    "invalidInput": "Invalid input",
+    "fieldRequired": "Este campo é obrigatório",
-    "domainWarningTitle": "Invalid Domain",
+    "invalidInput": "Entrada inválida",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningTitle": "Domínio inválido",
-    "ignoreTitle": "Ignore",
+    "domainWarningSubtitle": "Esta instância está configurada para ser acedida a partir de <code>{{appUrl}}</code>, mas está a ser usado <code>{{currentUrl}}</code>. Se continuares, poderás ter problemas de autenticação.",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "ignoreTitle": "Ignorar",
-}
+    "goToCorrectDomainTitle": "Ir para o domínio correto",
    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/ro-RO.json
+++ b/frontend/src/lib/i18n/locales/ro-RO.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/ru-RU.json
+++ b/frontend/src/lib/i18n/locales/ru-RU.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Забыли пароль?",
    "failedToFetchProvidersTitle": "Не удалось загрузить поставщика авторизации. Пожалуйста, проверьте конфигурацию.",
    "errorTitle": "Произошла ошибка",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Произошла ошибка при попытке выполнить это действие. Проверьте консоль для дополнительной информации.",
    "forgotPasswordMessage": "Вы можете сбросить свой пароль, изменив переменную окружения `USERS`.",
    "fieldRequired": "Это поле является обязательным",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Неверный домен",
    "domainWarningSubtitle": "Этот экземпляр настроен на доступ к нему из <code>{{appUrl}}</code>, но <code>{{currentUrl}}</code> в настоящее время используется. Если вы продолжите, то могут возникнуть проблемы с авторизацией.",
    "ignoreTitle": "Игнорировать",
-    "goToCorrectDomainTitle": "Перейти к правильному домену"
+    "goToCorrectDomainTitle": "Перейти к правильному домену",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/sr-SP.json
+++ b/frontend/src/lib/i18n/locales/sr-SP.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Заборавили сте лозинку?",
    "failedToFetchProvidersTitle": "Није успело учитавање провајдера аутентификације. Молим вас проверите ваша подешавања.",
    "errorTitle": "Појавила се грешка",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Појавила се грешка при покушају извршавања ове радње. Молим вас проверите конзолу за додатне информације.",
    "forgotPasswordMessage": "Можете поништити вашу лозинку променом `USERS` променљиве окружења.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/sv-SE.json
+++ b/frontend/src/lib/i18n/locales/sv-SE.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Forgot your password?",
    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/tr-TR.json
+++ b/frontend/src/lib/i18n/locales/tr-TR.json
@@ -1,62 +1,81 @@
 {
-    "loginTitle": "Welcome back, login with",
+    "loginTitle": "Tekrar Hoş Geldiniz, giriş yapın",
-    "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "Tekrar hoş geldiniz, lütfen giriş yapın",
-    "loginDivider": "Or",
+    "loginDivider": "Ya da",
    "loginUsername": "Kullanıcı Adı",
    "loginPassword": "Şifre",
    "loginSubmit": "Giriş Yap",
    "loginFailTitle": "Giriş yapılamadı",
-    "loginFailSubtitle": "Please check your username and password",
+    "loginFailSubtitle": "Lütfen kullanıcı adınızı ve şifrenizi kontrol edin",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "Çok fazla kez giriş yapma girişiminde bulundunuz. Lütfen daha sonra tekrar deneyin",
    "loginSuccessTitle": "Giriş yapıldı",
    "loginSuccessSubtitle": "Tekrar hoş geldiniz!",
-    "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "Hata oluştu",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthFailSubtitle": "OAuth URL'si alınamadı",
    "loginOauthSuccessTitle": "Yönlendiriliyor",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthSuccessSubtitle": "OAuth sağlayıcınıza yönlendiriliyor",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "OAuth Otomatik Yönlendirme",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "Kimlik doğrulama işlemi için otomatik olarak OAuth sağlayıcınıza yönlendirileceksiniz.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Şimdi Yönlendir",
    "continueTitle": "Devam et",
    "continueRedirectingTitle": "Yönlendiriliyor...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
+    "continueRedirectingSubtitle": "Kısa süre içinde uygulamaya yönlendirileceksiniz",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Beni manuel olarak yönlendir",
-    "continueInsecureRedirectTitle": "Insecure redirect",
+    "continueInsecureRedirectTitle": "Güvenli olmayan yönlendirme",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "<code>http</code> adresinden <code>http</code> adresine yönlendirme yapmaya çalışıyorsunuz, bu güvenli değil. Devam etmek istediğinizden emin misiniz?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Güvenilmeyen yönlendirme",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "Yapılandırdığınız alan adıyla eşleşmeyen bir alana yönlendirme yapmaya çalışıyorsunuz (<code>{{cookieDomain}}</code>). Devam etmek istediğinize emin misiniz?",
-    "logoutFailTitle": "Failed to log out",
+    "logoutFailTitle": "Çıkış Yapılamadı",
    "logoutFailSubtitle": "Lütfen tekrar deneyin",
    "logoutSuccessTitle": "Çıkış yapıldı",
-    "logoutSuccessSubtitle": "You have been logged out",
+    "logoutSuccessSubtitle": "Çıkış yaptınız",
-    "logoutTitle": "Logout",
+    "logoutTitle": "Çıkış yap",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutUsernameSubtitle": "<code>{{username}}</code> olarak giriş yapmış durumdasınız. Çıkış yapmak için aşağıdaki düğmeye tıklayın.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutOauthSubtitle": "Şu anda {{provider}} OAuth sağlayıcısını kullanarak <code>{{username}}</code> olarak oturum açmış durumdasınız. Oturumunuzu kapatmak için aşağıdaki düğmeye tıklayın.",
    "notFoundTitle": "Sayfa bulunamadı",
    "notFoundSubtitle": "Aradığınız sayfa mevcut değil.",
    "notFoundButton": "Ana sayfaya git",
    "totpFailTitle": "Kod doğrulanamadı",
-    "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "Lütfen kodunuzu kontrol edin ve tekrar deneyin",
    "totpSuccessTitle": "Doğrulandı",
-    "totpSuccessSubtitle": "Redirecting to your app",
+    "totpSuccessSubtitle": "Uygulamanıza yönlendiriliyor",
-    "totpTitle": "Enter your TOTP code",
+    "totpTitle": "TOTP kodunuzu girin",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Lütfen kimlik doğrulama uygulamanızdan aldığınız kodu girin.",
-    "unauthorizedTitle": "Unauthorized",
+    "unauthorizedTitle": "Yetkisiz",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "Kullanıcı adı <code>{{username}}</code> olan kullanıcının <code>{{resource}}</code> kaynağına erişim yetkisi bulunmamaktadır.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "Kullanıcı adı <code>{{username}}</code> olan kullanıcının oturum açma yetkisi yok.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "Kullanıcı adı <code>{{username}}</code> olan kullanıcı, <code>{{resource}}</code> kaynağının gerektirdiği gruplarda bulunmuyor.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "IP adresiniz <code>{{ip}}</code>, <code>{{resource}}</code> kaynağına erişim yetkisine sahip değil.",
-    "unauthorizedButton": "Try again",
+    "unauthorizedButton": "Tekrar deneyin",
    "cancelTitle": "İptal",
-    "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Şifrenizi mi unuttunuz?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Kimlik doğrulama sağlayıcıları yüklenemedi. Lütfen yapılandırmanızı kontrol edin.",
-    "errorTitle": "An error occurred",
+    "errorTitle": "Bir hata oluştu",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "Parolanızı `USERS` ortam değişkenini değiştirerek sıfırlayabilirsiniz.",
-    "fieldRequired": "This field is required",
+    "fieldRequired": "Bu alan zorunludur",
-    "invalidInput": "Invalid input",
+    "invalidInput": "Geçersiz girdi",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Geçersiz alan adı",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Bu örnek, <code>{{appUrl}}</code> adresinden erişilecek şekilde yapılandırılmıştır, ancak <code>{{currentUrl}}</code> kullanılmaktadır. Devam ederseniz, kimlik doğrulama ile ilgili sorunlarla karşılaşabilirsiniz.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "Yoksay",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Doğru alana gidin",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/uk-UA.json
+++ b/frontend/src/lib/i18n/locales/uk-UA.json
@@ -1,62 +1,81 @@
 {
    "loginTitle": "З поверненням, увійдіть через",
-    "loginTitleSimple": "Welcome back, please login",
+    "loginTitleSimple": "З поверненням, будь ласка, авторизуйтесь",
-    "loginDivider": "Or",
+    "loginDivider": "Або",
-    "loginUsername": "Username",
+    "loginUsername": "Ім'я користувача",
-    "loginPassword": "Password",
+    "loginPassword": "Пароль",
-    "loginSubmit": "Login",
+    "loginSubmit": "Увійти",
-    "loginFailTitle": "Failed to log in",
+    "loginFailTitle": "Не вдалося авторизуватися",
-    "loginFailSubtitle": "Please check your username and password",
+    "loginFailSubtitle": "Перевірте ім'я користувача та пароль",
-    "loginFailRateLimit": "You failed to login too many times. Please try again later",
+    "loginFailRateLimit": "Ви не змогли увійти занадто багато разів. Будь ласка, спробуйте ще раз пізніше",
-    "loginSuccessTitle": "Logged in",
+    "loginSuccessTitle": "Вхід здійснено",
-    "loginSuccessSubtitle": "Welcome back!",
+    "loginSuccessSubtitle": "З поверненням!",
-    "loginOauthFailTitle": "An error occurred",
+    "loginOauthFailTitle": "Виникла помилка",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
+    "loginOauthFailSubtitle": "Не вдалося отримати OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
+    "loginOauthSuccessTitle": "Перенаправляємо",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthSuccessSubtitle": "Перенаправляємо до вашого провайдера OAuth",
-    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectTitle": "Автоматичне переспрямування OAuth",
-    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectSubtitle": "Ви будете автоматично перенаправлені до вашого провайдера OAuth для автентифікації.",
-    "loginOauthAutoRedirectButton": "Redirect now",
+    "loginOauthAutoRedirectButton": "Перейти зараз",
-    "continueTitle": "Continue",
+    "continueTitle": "Продовжити",
-    "continueRedirectingTitle": "Redirecting...",
+    "continueRedirectingTitle": "Перенаправлення...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
+    "continueRedirectingSubtitle": "Незабаром ви будете перенаправлені в додаток",
-    "continueRedirectManually": "Redirect me manually",
+    "continueRedirectManually": "Перенаправити мене вручну",
-    "continueInsecureRedirectTitle": "Insecure redirect",
+    "continueInsecureRedirectTitle": "Небезпечне перенаправлення",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueInsecureRedirectSubtitle": "Ви намагаєтесь перенаправити з <code>https</code> на <code>http</code> який не є безпечним. Ви впевнені, що хочете продовжити?",
-    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectTitle": "Недовірене перенаправлення",
-    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "continueUntrustedRedirectSubtitle": "Ви намагаєтесь перенаправити на домен, який не збігається з вашим налаштованим доменом (<code>{{cookieDomain}}</code>). Впевнені, що хочете продовжити?",
-    "logoutFailTitle": "Failed to log out",
+    "logoutFailTitle": "Не вдалося вийти",
-    "logoutFailSubtitle": "Please try again",
+    "logoutFailSubtitle": "Будь ласка, спробуйте знову",
-    "logoutSuccessTitle": "Logged out",
+    "logoutSuccessTitle": "Ви вийшли",
-    "logoutSuccessSubtitle": "You have been logged out",
+    "logoutSuccessSubtitle": "Ви вийшли з системи",
-    "logoutTitle": "Logout",
+    "logoutTitle": "Вийти",
-    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutUsernameSubtitle": "Зараз ви увійшли як <code>{{username}}</code>. Натисніть кнопку нижче для виходу.",
-    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
+    "logoutOauthSubtitle": "Наразі ви увійшли як <code>{{username}}</code> використовуючи провайдера {{provider}} OAuth. Натисніть кнопку нижче, щоб вийти.",
-    "notFoundTitle": "Page not found",
+    "notFoundTitle": "Сторінку не знайдено",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
+    "notFoundSubtitle": "Сторінка, яку ви шукаєте, не існує.",
-    "notFoundButton": "Go home",
+    "notFoundButton": "На головну",
-    "totpFailTitle": "Failed to verify code",
+    "totpFailTitle": "Не вдалося перевірити код",
-    "totpFailSubtitle": "Please check your code and try again",
+    "totpFailSubtitle": "Перевірте ваш код і спробуйте ще раз",
-    "totpSuccessTitle": "Verified",
+    "totpSuccessTitle": "Перевірено",
-    "totpSuccessSubtitle": "Redirecting to your app",
+    "totpSuccessSubtitle": "Перенаправлення до вашого додатку",
-    "totpTitle": "Enter your TOTP code",
+    "totpTitle": "Введіть ваш TOTP код",
-    "totpSubtitle": "Please enter the code from your authenticator app.",
+    "totpSubtitle": "Будь ласка, введіть код з вашого додатку для автентифікації.",
-    "unauthorizedTitle": "Unauthorized",
+    "unauthorizedTitle": "Доступ обмежено",
-    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedResourceSubtitle": "Користувач з ім'ям користувача <code>{{username}}</code> не має права доступу до ресурсу <code>{{resource}}</code>.",
-    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedLoginSubtitle": "Користувач з іменем <code>{{username}}</code> не авторизований для входу.",
-    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedGroupsSubtitle": "Користувач з іменем <code>{{username}}</code> не входить до груп, що необхідні для ресурсу <code>{{resource}}</code>.",
-    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Ваша IP-адреса <code>{{ip}}</code> не авторизована для доступу до ресурсу <code>{{resource}}</code>.",
-    "unauthorizedButton": "Try again",
+    "unauthorizedButton": "Спробуйте ще раз",
-    "cancelTitle": "Cancel",
+    "cancelTitle": "Скасовувати",
-    "forgotPasswordTitle": "Forgot your password?",
+    "forgotPasswordTitle": "Забули пароль?",
-    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "failedToFetchProvidersTitle": "Не вдалося завантажити провайдерів автентифікації. Будь ласка, перевірте вашу конфігурацію.",
-    "errorTitle": "An error occurred",
+    "errorTitle": "Виникла помилка",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
-    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "forgotPasswordMessage": "Ви можете скинути пароль, змінивши змінну середовища \"USERS\".",
-    "fieldRequired": "This field is required",
+    "fieldRequired": "Це поле обов'язкове для заповнення",
-    "invalidInput": "Invalid input",
+    "invalidInput": "Невірне введення",
-    "domainWarningTitle": "Invalid Domain",
+    "domainWarningTitle": "Невірний домен",
-    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "domainWarningSubtitle": "Даний ресурс налаштований для доступу з <code>{{appUrl}}</code>, але використовується <code>{{currentUrl}}</code>. Якщо ви продовжите, можуть виникнути проблеми з автентифікацією.",
-    "ignoreTitle": "Ignore",
+    "ignoreTitle": "Ігнорувати",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Перейти за коректним доменом",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/vi-VN.json
+++ b/frontend/src/lib/i18n/locales/vi-VN.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "Bạn quên mật khẩu?",
    "failedToFetchProvidersTitle": "Không tải được nhà cung cấp xác thực. Vui lòng kiểm tra cấu hình của bạn.",
    "errorTitle": "An error occurred",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "Đã xảy ra lỗi khi thực hiện thao tác này. Vui lòng kiểm tra bảng điều khiển để biết thêm thông tin.",
    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
    "fieldRequired": "This field is required",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "Invalid Domain",
    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
    "ignoreTitle": "Ignore",
-    "goToCorrectDomainTitle": "Go to correct domain"
+    "goToCorrectDomainTitle": "Go to correct domain",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/zh-CN.json
+++ b/frontend/src/lib/i18n/locales/zh-CN.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "忘记密码？",
    "failedToFetchProvidersTitle": "加载身份验证提供程序失败，请检查您的配置。",
    "errorTitle": "发生了错误",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "执行此操作时发生错误，请检查控制台以获取更多信息。",
    "forgotPasswordMessage": "您可以通过更改 `USERS ` 环境变量重置您的密码。",
    "fieldRequired": "必添字段",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "无效域名",
    "domainWarningSubtitle": "当前实例配置的访问地址为 <code>{{appUrl}}</code>，但您正在使用 <code>{{currentUrl}}</code>。若继续操作，可能会遇到身份验证问题。",
    "ignoreTitle": "忽略",
-    "goToCorrectDomainTitle": "转到正确的域名"
+    "goToCorrectDomainTitle": "转到正确的域名",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/i18n/locales/zh-TW.json
+++ b/frontend/src/lib/i18n/locales/zh-TW.json
@@ -51,6 +51,7 @@
    "forgotPasswordTitle": "忘記密碼？",
    "failedToFetchProvidersTitle": "載入驗證供應商失敗。請檢查您的設定。",
    "errorTitle": "發生錯誤",
    "errorSubtitleInfo": "The following error occurred while processing your request:",
    "errorSubtitle": "執行此操作時發生錯誤。請檢查主控台以獲取更多資訊。",
    "forgotPasswordMessage": "透過修改 `USERS` 環境變數，你可以重設你的密碼。",
    "fieldRequired": "此為必填欄位",
@@ -58,5 +59,23 @@
    "domainWarningTitle": "無效的網域",
    "domainWarningSubtitle": "此服務設定為透過 <code>{{appUrl}}</code> 存取，但目前使用的是 <code>{{currentUrl}}</code>。若繼續操作，可能會遇到驗證問題。",
    "ignoreTitle": "忽略",
-    "goToCorrectDomainTitle": "前往正確域名"
+    "goToCorrectDomainTitle": "前往正確域名",
-}
+    "authorizeTitle": "Authorize",
    "authorizeCardTitle": "Continue to {{app}}?",
    "authorizeSubtitle": "Would you like to continue to this app? Please carefully review the permissions requested by the app.",
    "authorizeSubtitleOAuth": "Would you like to continue to this app?",
    "authorizeLoadingTitle": "Loading...",
    "authorizeLoadingSubtitle": "Please wait while we load the client information.",
    "authorizeSuccessTitle": "Authorized",
    "authorizeSuccessSubtitle": "You will be redirected to the app in a few seconds.",
    "authorizeErrorClientInfo": "An error occurred while loading the client information. Please try again later.",
    "authorizeErrorMissingParams": "The following parameters are missing: {{missingParams}}",
    "openidScopeName": "OpenID Connect",
    "openidScopeDescription": "Allows the app to access your OpenID Connect information.",
    "emailScopeName": "Email",
    "emailScopeDescription": "Allows the app to access your email address.",
    "profileScopeName": "Profile",
    "profileScopeDescription": "Allows the app to access your profile information.",
    "groupsScopeName": "Groups",
    "groupsScopeDescription": "Allows the app to access your group information."
 }
--- a/frontend/src/lib/utils.ts
+++ b/frontend/src/lib/utils.ts
@@ -5,15 +5,6 @@ export function cn(...inputs: ClassValue[]) {
  return twMerge(clsx(inputs));
 }
 export const isValidUrl = (url: string) => {
  try {
    new URL(url);
    return true;
  } catch {
    return false;
  }
 };
 export const capitalize = (str: string) => {
  return str.charAt(0).toUpperCase() + str.slice(1);
 };
--- a/frontend/src/main.tsx
+++ b/frontend/src/main.tsx
@@ -17,6 +17,7 @@ import { AppContextProvider } from "./context/app-context.tsx";
 import { UserContextProvider } from "./context/user-context.tsx";
 import { Toaster } from "@/components/ui/sonner";
 import { ThemeProvider } from "./components/providers/theme-provider.tsx";
 import { AuthorizePage } from "./pages/authorize-page.tsx";
 const queryClient = new QueryClient();
@@ -31,6 +32,7 @@ createRoot(document.getElementById("root")!).render(
                <Route element={<Layout />} errorElement={<ErrorPage />}>
                  <Route path="/" element={<App />} />
                  <Route path="/login" element={<LoginPage />} />
                  <Route path="/authorize" element={<AuthorizePage />} />
                  <Route path="/logout" element={<LogoutPage />} />
                  <Route path="/continue" element={<ContinuePage />} />
                  <Route path="/totp" element={<TotpPage />} />
--- a/frontend/src/pages/authorize-page.tsx
+++ b/frontend/src/pages/authorize-page.tsx
@@ -0,0 +1,199 @@
 import { useUserContext } from "@/context/user-context";
 import { useMutation, useQuery } from "@tanstack/react-query";
 import { Navigate, useNavigate } from "react-router";
 import { useLocation } from "react-router";
 import {
  Card,
  CardHeader,
  CardTitle,
  CardDescription,
  CardFooter,
  CardContent,
 } from "@/components/ui/card";
 import { getOidcClientInfoSchema } from "@/schemas/oidc-schemas";
 import { Button } from "@/components/ui/button";
 import axios from "axios";
 import { toast } from "sonner";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 import { useTranslation } from "react-i18next";
 import { TFunction } from "i18next";
 import { Mail, Shield, User, Users } from "lucide-react";
 type Scope = {
  id: string;
  name: string;
  description: string;
  icon: React.ReactNode;
 };
 const scopeMapIconProps = {
  className: "stroke-card stroke-2.5",
 };
 const createScopeMap = (t: TFunction<"translation", undefined>): Scope[] => {
  return [
    {
      id: "openid",
      name: t("openidScopeName"),
      description: t("openidScopeDescription"),
      icon: <Shield {...scopeMapIconProps} />,
    },
    {
      id: "email",
      name: t("emailScopeName"),
      description: t("emailScopeDescription"),
      icon: <Mail {...scopeMapIconProps} />,
    },
    {
      id: "profile",
      name: t("profileScopeName"),
      description: t("profileScopeDescription"),
      icon: <User {...scopeMapIconProps} />,
    },
    {
      id: "groups",
      name: t("groupsScopeName"),
      description: t("groupsScopeDescription"),
      icon: <Users {...scopeMapIconProps} />,
    },
  ];
 };
 export const AuthorizePage = () => {
  const { isLoggedIn } = useUserContext();
  const { search } = useLocation();
  const { t } = useTranslation();
  const navigate = useNavigate();
  const scopeMap = createScopeMap(t);
  const searchParams = new URLSearchParams(search);
  const {
    values: props,
    missingParams,
    isOidc,
    compiled: compiledOIDCParams,
  } = useOIDCParams(searchParams);
  const scopes = props.scope ? props.scope.split(" ").filter(Boolean) : [];
  const getClientInfo = useQuery({
    queryKey: ["client", props.client_id],
    queryFn: async () => {
      const res = await fetch(`/api/oidc/clients/${props.client_id}`);
      const data = await getOidcClientInfoSchema.parseAsync(await res.json());
      return data;
    },
    enabled: isOidc,
  });
  const authorizeMutation = useMutation({
    mutationFn: () => {
      return axios.post("/api/oidc/authorize", {
        scope: props.scope,
        response_type: props.response_type,
        client_id: props.client_id,
        redirect_uri: props.redirect_uri,
        state: props.state,
      });
    },
    mutationKey: ["authorize", props.client_id],
    onSuccess: (data) => {
      toast.info(t("authorizeSuccessTitle"), {
        description: t("authorizeSuccessSubtitle"),
      });
      window.location.replace(data.data.redirect_uri);
    },
    onError: (error) => {
      window.location.replace(
        `/error?error=${encodeURIComponent(error.message)}`,
      );
    },
  });
  if (missingParams.length > 0) {
    return (
      <Navigate
        to={`/error?error=${encodeURIComponent(t("authorizeErrorMissingParams", { missingParams: missingParams.join(", ") }))}`}
        replace
      />
    );
  }
  if (!isLoggedIn) {
    return <Navigate to={`/login?${compiledOIDCParams}`} replace />;
  }
  if (getClientInfo.isLoading) {
    return (
      <Card className="min-w-xs sm:min-w-sm">
        <CardHeader>
          <CardTitle className="text-3xl">
            {t("authorizeLoadingTitle")}
          </CardTitle>
          <CardDescription>{t("authorizeLoadingSubtitle")}</CardDescription>
        </CardHeader>
      </Card>
    );
  }
  if (getClientInfo.isError) {
    return (
      <Navigate
        to={`/error?error=${encodeURIComponent(t("authorizeErrorClientInfo"))}`}
        replace
      />
    );
  }
  return (
    <Card className="min-w-xs sm:min-w-sm mx-4">
      <CardHeader>
        <CardTitle className="text-3xl">
          {t("authorizeCardTitle", {
            app: getClientInfo.data?.name || "Unknown",
          })}
        </CardTitle>
        <CardDescription>
          {scopes.includes("openid")
            ? t("authorizeSubtitle")
            : t("authorizeSubtitleOAuth")}
        </CardDescription>
      </CardHeader>
      {scopes.includes("openid") && (
        <CardContent className="flex flex-col gap-4">
          {scopes.map((id) => {
            const scope = scopeMap.find((s) => s.id === id);
            if (!scope) return null;
            return (
              <div key={scope.id} className="flex flex-row items-center gap-3">
                <div className="p-2 flex flex-col items-center justify-center bg-card-foreground rounded-md">
                  {scope.icon}
                </div>
                <div className="flex flex-col gap-0.5">
                  <div className="text-md">{scope.name}</div>
                  <div className="text-sm text-muted-foreground">
                    {scope.description}
                  </div>
                </div>
              </div>
            );
          })}
        </CardContent>
      )}
      <CardFooter className="flex flex-col items-stretch gap-2">
        <Button
          onClick={() => authorizeMutation.mutate()}
          loading={authorizeMutation.isPending}
        >
          {t("authorizeTitle")}
        </Button>
        <Button
          onClick={() => navigate("/")}
          disabled={authorizeMutation.isPending}
          variant="outline"
        >
          {t("cancelTitle")}
        </Button>
      </CardFooter>
    </Card>
  );
 };
--- a/frontend/src/pages/continue-page.tsx
+++ b/frontend/src/pages/continue-page.tsx
@@ -8,10 +8,10 @@ import {
 } from "@/components/ui/card";
 import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
 import { isValidUrl } from "@/lib/utils";
 import { Trans, useTranslation } from "react-i18next";
 import { Navigate, useLocation, useNavigate } from "react-router";
-import { useEffect, useState } from "react";
+import { useCallback, useEffect, useRef, useState } from "react";
 import { useRedirectUri } from "@/lib/hooks/redirect-uri";
 export const ContinuePage = () => {
  const { cookieDomain, disableUiWarnings } = useAppContext();
@@ -20,59 +20,55 @@ export const ContinuePage = () => {
  const { t } = useTranslation();
  const navigate = useNavigate();
-  const [loading, setLoading] = useState(false);
+  const [isLoading, setIsLoading] = useState(false);
  const [showRedirectButton, setShowRedirectButton] = useState(false);
  const hasRedirected = useRef(false);
  const searchParams = new URLSearchParams(search);
  const redirectUri = searchParams.get("redirect_uri");
-  const isValidRedirectUri =
+  const { url, valid, trusted, allowedProto, httpsDowngrade } = useRedirectUri(
-    redirectUri !== null ? isValidUrl(redirectUri) : false;
+    redirectUri,
-  const redirectUriObj = isValidRedirectUri
+    cookieDomain,
-    ? new URL(redirectUri as string)
+  );
    : null;
  const isTrustedRedirectUri =
    redirectUriObj !== null
      ? redirectUriObj.hostname === cookieDomain ||
        redirectUriObj.hostname.endsWith(`.${cookieDomain}`)
      : false;
  const isAllowedRedirectProto =
    redirectUriObj !== null
      ? redirectUriObj.protocol === "https:" ||
        redirectUriObj.protocol === "http:"
      : false;
  const isHttpsDowngrade =
    redirectUriObj !== null
      ? redirectUriObj.protocol === "http:" &&
        window.location.protocol === "https:"
      : false;
-  const handleRedirect = () => {
+  const urlHref = url?.href;
    setLoading(true);
    window.location.assign(redirectUriObj!.toString());
  };
-  useEffect(() => {
+  const hasValidRedirect = valid && allowedProto;
-    if (!isLoggedIn) {
+  const showUntrustedWarning =
    hasValidRedirect && !trusted && !disableUiWarnings;
  const showInsecureWarning =
    hasValidRedirect && httpsDowngrade && !disableUiWarnings;
  const shouldAutoRedirect =
    isLoggedIn &&
    hasValidRedirect &&
    !showUntrustedWarning &&
    !showInsecureWarning;
  const redirectToTarget = useCallback(() => {
    if (!urlHref || hasRedirected.current) {
      return;
    }
-    if (
+    hasRedirected.current = true;
-      (!isValidRedirectUri ||
+    window.location.assign(urlHref);
-        !isAllowedRedirectProto ||
+  }, [urlHref]);
-        !isTrustedRedirectUri ||
+
-        isHttpsDowngrade) &&
+  const handleRedirect = useCallback(() => {
-      !disableUiWarnings
+    setIsLoading(true);
-    ) {
+    redirectToTarget();
  }, [redirectToTarget]);
  useEffect(() => {
    if (!shouldAutoRedirect) {
      return;
    }
    const auto = setTimeout(() => {
-      handleRedirect();
+      redirectToTarget();
    }, 100);
    const reveal = setTimeout(() => {
      setLoading(false);
      setShowRedirectButton(true);
    }, 5000);
@@ -80,22 +76,22 @@ export const ContinuePage = () => {
      clearTimeout(auto);
      clearTimeout(reveal);
    };
-  }, []);
+  }, [shouldAutoRedirect, redirectToTarget]);
  if (!isLoggedIn) {
    return (
      <Navigate
-        to={`/login?redirect_uri=${encodeURIComponent(redirectUri || "")}`}
+        to={`/login${redirectUri ? `?redirect_uri=${encodeURIComponent(redirectUri)}` : ""}`}
        replace
      />
    );
  }
-  if (!isValidRedirectUri || !isAllowedRedirectProto) {
+  if (!hasValidRedirect) {
    return <Navigate to="/logout" replace />;
  }
-  if (!isTrustedRedirectUri && !disableUiWarnings) {
+  if (showUntrustedWarning) {
    return (
      <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
        <CardHeader>
@@ -110,13 +106,14 @@ export const ContinuePage = () => {
                code: <code />,
              }}
              values={{ cookieDomain }}
              shouldUnescape={true}
            />
          </CardDescription>
        </CardHeader>
        <CardFooter className="flex flex-col items-stretch gap-2">
          <Button
            onClick={handleRedirect}
-            loading={loading}
+            loading={isLoading}
            variant="destructive"
          >
            {t("continueTitle")}
@@ -124,7 +121,7 @@ export const ContinuePage = () => {
          <Button
            onClick={() => navigate("/logout")}
            variant="outline"
-            disabled={loading}
+            disabled={isLoading}
          >
            {t("cancelTitle")}
          </Button>
@@ -133,7 +130,7 @@ export const ContinuePage = () => {
    );
  }
-  if (isHttpsDowngrade && !disableUiWarnings) {
+  if (showInsecureWarning) {
    return (
      <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
        <CardHeader>
@@ -151,13 +148,17 @@ export const ContinuePage = () => {
          </CardDescription>
        </CardHeader>
        <CardFooter className="flex flex-col items-stretch gap-2">
-          <Button onClick={handleRedirect} loading={loading} variant="warning">
+          <Button
            onClick={handleRedirect}
            loading={isLoading}
            variant="warning"
          >
            {t("continueTitle")}
          </Button>
          <Button
            onClick={() => navigate("/logout")}
            variant="outline"
-            disabled={loading}
+            disabled={isLoading}
          >
            {t("cancelTitle")}
          </Button>
--- a/frontend/src/pages/error-page.tsx
+++ b/frontend/src/pages/error-page.tsx
@@ -5,15 +5,30 @@ import {
  CardTitle,
 } from "@/components/ui/card";
 import { useTranslation } from "react-i18next";
 import { useLocation } from "react-router";
 export const ErrorPage = () => {
  const { t } = useTranslation();
  const { search } = useLocation();
  const searchParams = new URLSearchParams(search);
  const error = searchParams.get("error") ?? "";
  return (
    <Card className="min-w-xs sm:min-w-sm">
      <CardHeader>
        <CardTitle className="text-3xl">{t("errorTitle")}</CardTitle>
-        <CardDescription>{t("errorSubtitle")}</CardDescription>
+        <CardDescription className="flex flex-col gap-1.5">
          {error ? (
            <>
              <p>{t("errorSubtitleInfo")}</p>
              <pre>{error}</pre>
            </>
          ) : (
            <>
              <p>{t("errorSubtitle")}</p>
            </>
          )}
        </CardDescription>
      </CardHeader>
    </Card>
  );
--- a/frontend/src/pages/login-page.tsx
+++ b/frontend/src/pages/login-page.tsx
@@ -18,6 +18,7 @@ import { OAuthButton } from "@/components/ui/oauth-button";
 import { SeperatorWithChildren } from "@/components/ui/separator";
 import { useAppContext } from "@/context/app-context";
 import { useUserContext } from "@/context/user-context";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 import { LoginSchema } from "@/schemas/login-schema";
 import { useMutation } from "@tanstack/react-query";
 import axios, { AxiosError } from "axios";
@@ -39,26 +40,43 @@ export const LoginPage = () => {
  const { providers, title, oauthAutoRedirect } = useAppContext();
  const { search } = useLocation();
  const { t } = useTranslation();
-  const [oauthAutoRedirectHandover, setOauthAutoRedirectHandover] =
+
    useState(false);
  const [showRedirectButton, setShowRedirectButton] = useState(false);
  const hasAutoRedirectedRef = useRef(false);
  const redirectTimer = useRef<number | null>(null);
  const redirectButtonTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
-  const redirectUri = searchParams.get("redirect_uri");
+  const {
    values: props,
    isOidc,
    compiled: compiledOIDCParams,
  } = useOIDCParams(searchParams);
  const [isOauthAutoRedirect, setIsOauthAutoRedirect] = useState(
    providers.find((provider) => provider.id === oauthAutoRedirect) !==
      undefined && props.redirect_uri,
  );
  const oauthProviders = providers.filter(
-    (provider) => provider.id !== "username",
+    (provider) => provider.id !== "local" && provider.id !== "ldap",
  );
  const userAuthConfigured =
-    providers.find((provider) => provider.id === "username") !== undefined;
+    providers.find(
      (provider) => provider.id === "local" || provider.id === "ldap",
    ) !== undefined;
-  const oauthMutation = useMutation({
+  const {
    mutate: oauthMutate,
    data: oauthData,
    isPending: oauthIsPending,
    variables: oauthVariables,
  } = useMutation({
    mutationFn: (provider: string) =>
      axios.get(
-        `/api/oauth/url/${provider}?redirect_uri=${encodeURIComponent(redirectUri ?? "")}`,
+        `/api/oauth/url/${provider}${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
      ),
    mutationKey: ["oauth"],
    onSuccess: (data) => {
@@ -69,22 +87,28 @@ export const LoginPage = () => {
      redirectTimer.current = window.setTimeout(() => {
        window.location.replace(data.data.url);
      }, 500);
      if (isOauthAutoRedirect) {
        redirectButtonTimer.current = window.setTimeout(() => {
          setShowRedirectButton(true);
        }, 5000);
      }
    },
    onError: () => {
-      setOauthAutoRedirectHandover(false);
+      setIsOauthAutoRedirect(false);
      toast.error(t("loginOauthFailTitle"), {
        description: t("loginOauthFailSubtitle"),
      });
    },
  });
-  const loginMutation = useMutation({
+  const { mutate: loginMutate, isPending: loginIsPending } = useMutation({
    mutationFn: (values: LoginSchema) => axios.post("/api/user/login", values),
    mutationKey: ["login"],
    onSuccess: (data) => {
      if (data.data.totpPending) {
        window.location.replace(
-          `/totp?redirect_uri=${encodeURIComponent(redirectUri ?? "")}`,
+          `/totp${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
        );
        return;
      }
@@ -94,8 +118,12 @@ export const LoginPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
        if (isOidc) {
          window.location.replace(`/authorize?${compiledOIDCParams}`);
          return;
        }
        window.location.replace(
-          `/continue?redirect_uri=${encodeURIComponent(redirectUri ?? "")}`,
+          `/continue${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
        );
      }, 500);
    },
@@ -111,33 +139,43 @@ export const LoginPage = () => {
  useEffect(() => {
    if (
      providers.find((provider) => provider.id === oauthAutoRedirect) &&
      !isLoggedIn &&
-      redirectUri
+      isOauthAutoRedirect &&
      !hasAutoRedirectedRef.current &&
      props.redirect_uri
    ) {
-      // Not sure of a better way to do this
+      hasAutoRedirectedRef.current = true;
-      // eslint-disable-next-line react-hooks/set-state-in-effect
+      oauthMutate(oauthAutoRedirect);
      setOauthAutoRedirectHandover(true);
      oauthMutation.mutate(oauthAutoRedirect);
      redirectButtonTimer.current = window.setTimeout(() => {
        setShowRedirectButton(true);
      }, 5000);
    }
-  }, []);
+  }, [
    isLoggedIn,
    oauthMutate,
    hasAutoRedirectedRef,
    oauthAutoRedirect,
    isOauthAutoRedirect,
    props.redirect_uri,
  ]);
-  useEffect(
+  useEffect(() => {
-    () => () => {
+    return () => {
-      if (redirectTimer.current) clearTimeout(redirectTimer.current);
+      if (redirectTimer.current) {
-      if (redirectButtonTimer.current)
+        clearTimeout(redirectTimer.current);
      }
      if (redirectButtonTimer.current) {
        clearTimeout(redirectButtonTimer.current);
-    },
+      }
-    [],
+    };
-  );
+  }, [redirectTimer, redirectButtonTimer]);
-  if (isLoggedIn && redirectUri) {
+  if (isLoggedIn && isOidc) {
    return <Navigate to={`/authorize?${compiledOIDCParams}`} replace />;
  }
  if (isLoggedIn && props.redirect_uri !== "") {
    return (
      <Navigate
-        to={`/continue?redirect_uri=${encodeURIComponent(redirectUri)}`}
+        to={`/continue${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`}
        replace
      />
    );
@@ -147,7 +185,7 @@ export const LoginPage = () => {
    return <Navigate to="/logout" replace />;
  }
-  if (oauthAutoRedirectHandover) {
+  if (isOauthAutoRedirect) {
    return (
      <Card className="min-w-xs sm:min-w-sm">
        <CardHeader>
@@ -162,7 +200,14 @@ export const LoginPage = () => {
          <CardFooter className="flex flex-col items-stretch">
            <Button
              onClick={() => {
-                window.location.replace(oauthMutation.data?.data.url);
+                if (oauthData?.data.url) {
                  window.location.replace(oauthData.data.url);
                } else {
                  setIsOauthAutoRedirect(false);
                  toast.error(t("loginOauthFailTitle"), {
                    description: t("loginOauthFailSubtitle"),
                  });
                }
              }}
            >
              {t("loginOauthAutoRedirectButton")}
@@ -193,12 +238,9 @@ export const LoginPage = () => {
                title={provider.name}
                icon={iconMap[provider.id] ?? <OAuthIcon />}
                className="w-full"
-                onClick={() => oauthMutation.mutate(provider.id)}
+                onClick={() => oauthMutate(provider.id)}
-                loading={
+                loading={oauthIsPending && oauthVariables === provider.id}
-                  oauthMutation.isPending &&
+                disabled={oauthIsPending || loginIsPending}
                  oauthMutation.variables === provider.id
                }
                disabled={oauthMutation.isPending || loginMutation.isPending}
              />
            ))}
          </div>
@@ -208,8 +250,8 @@ export const LoginPage = () => {
        )}
        {userAuthConfigured && (
          <LoginForm
-            onSubmit={(values) => loginMutation.mutate(values)}
+            onSubmit={(values) => loginMutate(values)}
-            loading={loginMutation.isPending || oauthMutation.isPending}
+            loading={loginIsPending || oauthIsPending}
          />
        )}
        {providers.length == 0 && (
--- a/frontend/src/pages/logout-page.tsx
+++ b/frontend/src/pages/logout-page.tsx
@@ -29,7 +29,7 @@ export const LogoutPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
-        window.location.assign("/login");
+        window.location.replace("/login");
      }, 500);
    },
    onError: () => {
@@ -39,12 +39,13 @@ export const LogoutPage = () => {
    },
  });
-  useEffect(
+  useEffect(() => {
-    () => () => {
+    return () => {
-      if (redirectTimer.current) clearTimeout(redirectTimer.current);
+      if (redirectTimer.current) {
-    },
+        clearTimeout(redirectTimer.current);
-    [],
+      }
-  );
+    };
  }, [redirectTimer]);
  if (!isLoggedIn) {
    return <Navigate to="/login" replace />;
@@ -55,7 +56,7 @@ export const LogoutPage = () => {
      <CardHeader>
        <CardTitle className="text-3xl">{t("logoutTitle")}</CardTitle>
        <CardDescription>
-          {provider !== "username" ? (
+          {provider !== "local" && provider !== "ldap" ? (
            <Trans
              i18nKey="logoutOauthSubtitle"
              t={t}
@@ -66,6 +67,7 @@ export const LogoutPage = () => {
                username: email,
                provider: oauthName,
              }}
              shouldUnescape={true}
            />
          ) : (
            <Trans
@@ -77,6 +79,7 @@ export const LogoutPage = () => {
              values={{
                username,
              }}
              shouldUnescape={true}
            />
          )}
        </CardDescription>
--- a/frontend/src/pages/totp-page.tsx
+++ b/frontend/src/pages/totp-page.tsx
@@ -16,6 +16,7 @@ import { useEffect, useId, useRef } from "react";
 import { useTranslation } from "react-i18next";
 import { Navigate, useLocation } from "react-router";
 import { toast } from "sonner";
 import { useOIDCParams } from "@/lib/hooks/oidc";
 export const TotpPage = () => {
  const { totpPending } = useUserContext();
@@ -26,7 +27,11 @@ export const TotpPage = () => {
  const redirectTimer = useRef<number | null>(null);
  const searchParams = new URLSearchParams(search);
-  const redirectUri = searchParams.get("redirect_uri");
+  const {
    values: props,
    isOidc,
    compiled: compiledOIDCParams,
  } = useOIDCParams(searchParams);
  const totpMutation = useMutation({
    mutationFn: (values: TotpSchema) => axios.post("/api/user/totp", values),
@@ -37,8 +42,13 @@ export const TotpPage = () => {
      });
      redirectTimer.current = window.setTimeout(() => {
        if (isOidc) {
          window.location.replace(`/authorize?${compiledOIDCParams}`);
          return;
        }
        window.location.replace(
-          `/continue?redirect_uri=${encodeURIComponent(redirectUri ?? "")}`,
+          `/continue${props.redirect_uri ? `?redirect_uri=${encodeURIComponent(props.redirect_uri)}` : ""}`,
        );
      }, 500);
    },
@@ -49,12 +59,13 @@ export const TotpPage = () => {
    },
  });
-  useEffect(
+  useEffect(() => {
-    () => () => {
+    return () => {
-      if (redirectTimer.current) clearTimeout(redirectTimer.current);
+      if (redirectTimer.current) {
-    },
+        clearTimeout(redirectTimer.current);
-    [],
+      }
-  );
+    };
  }, [redirectTimer]);
  if (!totpPending) {
    return <Navigate to="/" replace />;
@@ -70,7 +81,6 @@ export const TotpPage = () => {
        <TotpForm
          formId={formId}
          onSubmit={(values) => totpMutation.mutate(values)}
          loading={totpMutation.isPending}
        />
      </CardContent>
      <CardFooter className="flex flex-col items-stretch">
--- a/frontend/src/schemas/oidc-schemas.ts
+++ b/frontend/src/schemas/oidc-schemas.ts
@@ -0,0 +1,5 @@
 import { z } from "zod";
 export const getOidcClientInfoSchema = z.object({
  name: z.string(),
 });
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -2,15 +2,43 @@ import { defineConfig } from "vite";
 import react from "@vitejs/plugin-react";
 import path from "path";
 import tailwindcss from "@tailwindcss/vite";
 import { visualizer } from "rollup-plugin-visualizer";
 // https://vite.dev/config/
 export default defineConfig({
-  plugins: [react(), tailwindcss()],
+  plugins: [react(), tailwindcss(), visualizer()],
  resolve: {
    alias: {
      "@": path.resolve(__dirname, "./src"),
    },
  },
  build: {
    rollupOptions: {
      output: {
        manualChunks(id) {
          if (id.includes("node_modules")) {
            if (id.includes("/react")) {
              return "vendor-react";
            }
            if (id.includes("/@radix-ui")) {
              return "vendor-radix";
            }
            if (id.includes("/i18next")) {
              return "vendor-i18next";
            }
            if (id.includes("/zod")) {
              return "vendor-zod";
            }
            return "vendor";
          }
        },
      },
    },
  },
  server: {
    host: "0.0.0.0",
    proxy: {
@@ -24,6 +52,11 @@ export default defineConfig({
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/resources/, ""),
      },
      "/.well-known": {
        target: "http://tinyauth-backend:3000/.well-known",
        changeOrigin: true,
        rewrite: (path) => path.replace(/^\/\.well-known/, ""),
      },
    },
    allowedHosts: true,
  },
--- a/gen/gen.go
+++ b/gen/gen.go
@@ -0,0 +1,38 @@
 package main
 import (
 	"log/slog"
 	"reflect"
 )
 func main() {
 	slog.Info("generating example env file")
 	generateExampleEnv()
 	slog.Info("generating config reference markdown file")
 	generateMarkdown()
 }
 func walkAndBuild[T any](parent reflect.Type, parentValue reflect.Value,
 	parentPath string, entries *[]T,
 	buildEntry func(child reflect.StructField, childValue reflect.Value, parentPath string, entries *[]T),
 	buildMap func(child reflect.StructField, parentPath string, entries *[]T),
 	buildChildPath func(parentPath string, childName string) string,
 ) {
 	for i := 0; i < parent.NumField(); i++ {
 		field := parent.Field(i)
 		fieldType := field.Type
 		fieldValue := parentValue.Field(i)
 		switch fieldType.Kind() {
 		case reflect.Struct:
 			childPath := buildChildPath(parentPath, field.Name)
 			walkAndBuild[T](fieldType, fieldValue, childPath, entries, buildEntry, buildMap, buildChildPath)
 		case reflect.Map:
 			buildMap(field, parentPath, entries)
 		case reflect.Bool, reflect.String, reflect.Slice, reflect.Int:
 			buildEntry(field, fieldValue, parentPath, entries)
 		default:
 			slog.Info("unknown type", "type", fieldType.Kind())
 		}
 	}
 }
--- a/gen/gen_env.go
+++ b/gen/gen_env.go
@@ -0,0 +1,131 @@
 package main
 import (
 	"bytes"
 	"errors"
 	"fmt"
 	"io/fs"
 	"log/slog"
 	"os"
 	"reflect"
 	"strings"
 	"github.com/steveiliop56/tinyauth/internal/config"
 )
 type EnvEntry struct {
 	Name        string
 	Description string
 	Value       any
 }
 func generateExampleEnv() {
 	cfg := config.NewDefaultConfiguration()
 	entries := make([]EnvEntry, 0)
 	root := reflect.TypeOf(cfg).Elem()
 	rootValue := reflect.ValueOf(cfg).Elem()
 	rootPath := "TINYAUTH_"
 	walkAndBuild(root, rootValue, rootPath, &entries, buildEnvEntry, buildEnvMapEntry, buildEnvChildPath)
 	compiled := compileEnv(entries)
 	err := os.Remove(".env.example")
 	if err != nil && !errors.Is(err, fs.ErrNotExist) {
 		slog.Error("failed to remove example env file", "error", err)
 		os.Exit(1)
 	}
 	err = os.WriteFile(".env.example", compiled, 0644)
 	if err != nil {
 		slog.Error("failed to write example env file", "error", err)
 		os.Exit(1)
 	}
 }
 func buildEnvEntry(child reflect.StructField, childValue reflect.Value, parentPath string, entries *[]EnvEntry) {
 	desc := child.Tag.Get("description")
 	tag := child.Tag.Get("yaml")
 	if tag == "-" {
 		return
 	}
 	value := childValue.Interface()
 	entry := EnvEntry{
 		Name:        parentPath + strings.ToUpper(child.Name),
 		Description: desc,
 	}
 	switch childValue.Kind() {
 	case reflect.Slice:
 		sl, ok := value.([]string)
 		if !ok {
 			slog.Error("invalid default value", "value", value)
 			return
 		}
 		entry.Value = strings.Join(sl, ",")
 	case reflect.String:
 		st, ok := value.(string)
 		if !ok {
 			slog.Error("invalid default value", "value", value)
 			return
 		}
 		if st != "" {
 			entry.Value = fmt.Sprintf(`"%s"`, st)
 		} else {
 			entry.Value = ""
 		}
 	default:
 		entry.Value = value
 	}
 	*entries = append(*entries, entry)
 }
 func buildEnvMapEntry(child reflect.StructField, parentPath string, entries *[]EnvEntry) {
 	fieldType := child.Type
 	if fieldType.Key().Kind() != reflect.String {
 		slog.Info("unsupported map key type", "type", fieldType.Key().Kind())
 		return
 	}
 	mapPath := parentPath + strings.ToUpper(child.Name) + "_name_"
 	valueType := fieldType.Elem()
 	if valueType.Kind() == reflect.Struct {
 		zeroValue := reflect.New(valueType).Elem()
 		walkAndBuild(valueType, zeroValue, mapPath, entries, buildEnvEntry, buildEnvMapEntry, buildEnvChildPath)
 	}
 }
 func buildEnvChildPath(parent string, child string) string {
 	return parent + strings.ToUpper(child) + "_"
 }
 func compileEnv(entries []EnvEntry) []byte {
 	buffer := bytes.Buffer{}
 	buffer.WriteString("# Tinyauth example configuration\n\n")
 	previousSection := ""
 	for _, entry := range entries {
 		if strings.Count(entry.Name, "_") > 1 {
 			section := strings.Split(strings.TrimPrefix(entry.Name, "TINYAUTH_"), "_")[0]
 			if section != previousSection {
 				buffer.WriteString("\n# " + strings.ToLower(section) + " config\n\n")
 				previousSection = section
 			}
 		}
 		buffer.WriteString("# ")
 		buffer.WriteString(entry.Description)
 		buffer.WriteString("\n")
 		buffer.WriteString(entry.Name)
 		buffer.WriteString("=")
 		fmt.Fprintf(&buffer, "%v", entry.Value)
 		buffer.WriteString("\n")
 	}
 	return buffer.Bytes()
 }
--- a/gen/gen_md.go
+++ b/gen/gen_md.go
@@ -0,0 +1,127 @@
 package main
 import (
 	"bytes"
 	"errors"
 	"fmt"
 	"io/fs"
 	"log/slog"
 	"os"
 	"reflect"
 	"strings"
 	"github.com/steveiliop56/tinyauth/internal/config"
 )
 type MarkdownEntry struct {
 	Env         string
 	Flag        string
 	Description string
 	Default     any
 }
 func generateMarkdown() {
 	cfg := config.NewDefaultConfiguration()
 	entries := make([]MarkdownEntry, 0)
 	root := reflect.TypeOf(cfg).Elem()
 	rootValue := reflect.ValueOf(cfg).Elem()
 	rootPath := "tinyauth."
 	walkAndBuild(root, rootValue, rootPath, &entries, buildMdEntry, buildMdMapEntry, buildMdChildPath)
 	compiled := compileMd(entries)
 	err := os.Remove("config.gen.md")
 	if err != nil && !errors.Is(err, fs.ErrNotExist) {
 		slog.Error("failed to remove example env file", "error", err)
 		os.Exit(1)
 	}
 	err = os.WriteFile("config.gen.md", compiled, 0644)
 	if err != nil {
 		slog.Error("failed to write example env file", "error", err)
 		os.Exit(1)
 	}
 }
 func buildMdEntry(child reflect.StructField, childValue reflect.Value, parentPath string, entries *[]MarkdownEntry) {
 	desc := child.Tag.Get("description")
 	tag := child.Tag.Get("yaml")
 	if tag == "-" {
 		return
 	}
 	value := childValue.Interface()
 	entry := MarkdownEntry{
 		Env:         strings.ToUpper(strings.ReplaceAll(parentPath, ".", "_")) + strings.ToUpper(child.Name),
 		Flag:        fmt.Sprintf("--%s%s", strings.TrimPrefix(parentPath, "tinyauth."), tag),
 		Description: desc,
 	}
 	switch childValue.Kind() {
 	case reflect.Slice:
 		sl, ok := value.([]string)
 		if !ok {
 			slog.Error("invalid default value", "value", value)
 			return
 		}
 		entry.Default = fmt.Sprintf("`%s`", strings.Join(sl, ","))
 	default:
 		entry.Default = fmt.Sprintf("`%v`", value)
 	}
 	*entries = append(*entries, entry)
 }
 func buildMdMapEntry(child reflect.StructField, parentPath string, entries *[]MarkdownEntry) {
 	fieldType := child.Type
 	if fieldType.Key().Kind() != reflect.String {
 		slog.Info("unsupported map key type", "type", fieldType.Key().Kind())
 		return
 	}
 	tag := child.Tag.Get("yaml")
 	if tag == "-" {
 		return
 	}
 	mapPath := parentPath + tag + ".[name]."
 	valueType := fieldType.Elem()
 	if valueType.Kind() == reflect.Struct {
 		zeroValue := reflect.New(valueType).Elem()
 		walkAndBuild(valueType, zeroValue, mapPath, entries, buildMdEntry, buildMdMapEntry, buildMdChildPath)
 	}
 }
 func buildMdChildPath(parent string, child string) string {
 	return parent + strings.ToLower(child) + "."
 }
 func compileMd(entries []MarkdownEntry) []byte {
 	buffer := bytes.Buffer{}
 	buffer.WriteString("# Tinyauth configuration reference\n\n")
 	buffer.WriteString("| Environment | Flag | Description | Default |\n")
 	buffer.WriteString("| - | - | - | - |\n")
 	previousSection := ""
 	for _, entry := range entries {
 		if strings.Count(entry.Env, "_") > 1 {
 			section := strings.Split(strings.TrimPrefix(entry.Env, "TINYAUTH_"), "_")[0]
 			if section != previousSection {
 				buffer.WriteString("\n## " + strings.ToLower(section) + "\n\n")
 				buffer.WriteString("| Environment | Flag | Description | Default |\n")
 				buffer.WriteString("| - | - | - | - |\n")
 				previousSection = section
 			}
 		}
 		fmt.Fprintf(&buffer, "| `%s` | `%s` | %s | %s |\n", entry.Env, entry.Flag, entry.Description, entry.Default)
 	}
 	return buffer.Bytes()
 }
--- a/go.mod
+++ b/go.mod
@@ -1,67 +1,39 @@
-module tinyauth
+module github.com/steveiliop56/tinyauth
 go 1.24.0
 toolchain go1.24.3
 replace github.com/traefik/paerser v0.2.2 => ./paerser
 require (
 	github.com/cenkalti/backoff/v5 v5.0.3
 	github.com/charmbracelet/huh v0.8.0
 	github.com/docker/docker v28.5.2+incompatible
 	github.com/gin-gonic/gin v1.11.0
-	github.com/glebarez/sqlite v1.11.0
+	github.com/go-jose/go-jose/v4 v4.1.3
-	github.com/go-playground/validator/v10 v10.28.0
+	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/golang-migrate/migrate/v4 v4.19.1
-	github.com/google/go-querystring v1.1.0
+	github.com/google/go-querystring v1.2.0
 	github.com/google/uuid v1.6.0
 	github.com/mdp/qrterminal/v3 v3.2.1
 	github.com/pquerna/otp v1.5.0
 	github.com/rs/zerolog v1.34.0
 	github.com/spf13/cobra v1.10.2
 	github.com/spf13/viper v1.21.0
 	github.com/stoewer/go-strcase v1.3.1
 	github.com/traefik/paerser v0.2.2
-	github.com/weppos/publicsuffix-go v0.50.1
+	github.com/weppos/publicsuffix-go v0.50.2
-	golang.org/x/crypto v0.46.0
+	golang.org/x/crypto v0.48.0
-	golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b
+	golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546
-	gorm.io/gorm v1.31.1
+	golang.org/x/oauth2 v0.35.0
 	gotest.tools/v3 v3.5.2
 	modernc.org/sqlite v1.45.0
 )
 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
-	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
-	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
+	github.com/Masterminds/goutils v1.1.1 // indirect
-	github.com/containerd/errdefs v1.0.0 // indirect
+	github.com/Masterminds/semver/v3 v3.2.1 // indirect
-	github.com/containerd/errdefs/pkg v0.3.0 // indirect
+	github.com/Masterminds/sprig/v3 v3.2.3 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/glebarez/go-sqlite v1.21.2 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/goccy/go-yaml v1.18.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/ncruces/go-strftime v0.1.9 // indirect
 	github.com/quic-go/qpack v0.5.1 // indirect
 	github.com/quic-go/quic-go v0.54.1 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
 	go.uber.org/mock v0.5.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/mod v0.30.0 // indirect
 	golang.org/x/term v0.38.0 // indirect
 	golang.org/x/tools v0.39.0 // indirect
 	modernc.org/libc v1.66.3 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	modernc.org/sqlite v1.38.2 // indirect
 	rsc.io/qr v0.2.0 // indirect
 )
 require (
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
@@ -71,29 +43,35 @@ require (
 	github.com/catppuccin/go v0.3.0 // indirect
 	github.com/charmbracelet/bubbles v0.21.1-0.20250623103423-23b8fd6302d7 // indirect
 	github.com/charmbracelet/bubbletea v1.3.6 // indirect
-	github.com/charmbracelet/huh v0.8.0
+	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
 	github.com/charmbracelet/lipgloss v1.1.0 // indirect
 	github.com/charmbracelet/x/ansi v0.9.3 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/exp/strings v0.0.0-20240722160745-212f7b056ed0 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/cloudwego/base64x v0.1.6 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/distribution/reference v0.6.0 // indirect
 	github.com/docker/docker v28.5.2+incompatible
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.10 // indirect
 	github.com/gin-contrib/sse v1.1.0 // indirect
-	github.com/go-ldap/ldap/v3 v3.4.12
+	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.28.0 // indirect
 	github.com/goccy/go-json v0.10.4 // indirect
-	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/goccy/go-yaml v1.18.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/huandu/xstrings v1.5.0 // indirect
 	github.com/imdario/mergo v0.3.11 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
@@ -102,36 +80,48 @@ require (
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mattn/go-sqlite3 v1.14.32 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/hashstructure/v2 v2.0.2 // indirect
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pquerna/otp v1.5.0
+	github.com/quic-go/qpack v0.6.0 // indirect
 	github.com/quic-go/quic-go v0.57.0 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
-	github.com/sagikazarmark/locafero v0.11.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 // indirect
 	github.com/spf13/afero v1.15.0 // indirect
 	github.com/spf13/cast v1.10.0 // indirect
 	github.com/spf13/pflag v1.0.10 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.0 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 // indirect
 	go.opentelemetry.io/otel v1.37.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.34.0 // indirect
 	go.opentelemetry.io/otel/metric v1.37.0 // indirect
 	go.opentelemetry.io/otel/trace v1.37.0 // indirect
 	golang.org/x/arch v0.20.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/oauth2 v0.34.0
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
-	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/term v0.40.0 // indirect
 	golang.org/x/text v0.34.0 // indirect
 	google.golang.org/protobuf v1.36.9 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	modernc.org/libc v1.67.6 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
 	rsc.io/qr v0.2.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -2,8 +2,17 @@ github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c h1:udKWzYgxTojEK
 github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 h1:mFRzDkZVAjdal+s7s0MwaRv9igoPqLRdzOLzw/8Xvq8=
 github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358/go.mod h1:chxPXzSsl7ZWRAuOIE23GDNzjWuZquvFlgA8xmpunjU=
 github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
 github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ=
 github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE=
 github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI=
 github.com/Masterminds/goutils v1.1.1/go.mod h1:8cTjp+g8YejhMuvIA5y2vz3BpJxksy863GQaJW2MFNU=
 github.com/Masterminds/semver/v3 v3.2.0/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
 github.com/Masterminds/semver/v3 v3.2.1 h1:RN9w6+7QoMeJVGyfmbcgs28Br8cvmnucEXnY0rYXWg0=
 github.com/Masterminds/semver/v3 v3.2.1/go.mod h1:qvl/7zhW3nngYb5+80sSMF+FG2BjYrf8m9wsX0PNOMQ=
 github.com/Masterminds/sprig/v3 v3.2.3 h1:eL2fZNezLomi0uOLqjQoN6BfsDD+fyLtgbJMAj9n6YA=
 github.com/Masterminds/sprig/v3 v3.2.3/go.mod h1:rXcFaZ2zZbLRJv/xSysmlgIM1u11eBaRMhvYXJNkGuM=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/alexbrainman/sspi v0.0.0-20250919150558-7d374ff0d59e h1:4dAU9FXIyQktpoUAgOJK3OTFc/xug0PCXYCqU0FgDKI=
@@ -64,7 +73,6 @@ github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmC
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.24 h1:bJrF4RRfyJnbTJqzRLHzcGaZK1NeM5kTC9jGgovnR1s=
 github.com/creack/pty v1.1.24/go.mod h1:08sCNb52WyoAwi2QDyzUCTgcvVFhUzewun7wtTfvcwE=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -87,20 +95,16 @@ github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gabriel-vasile/mimetype v1.4.10 h1:zyueNbySn/z8mJZHLt6IPw0KoZsiQNszIpU+bX4+ZK0=
 github.com/gabriel-vasile/mimetype v1.4.10/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/gin-contrib/sse v1.1.0 h1:n0w2GMuUpWDVp7qSpvze6fAu9iRxJY4Hmj6AmBOU05w=
 github.com/gin-contrib/sse v1.1.0/go.mod h1:hxRZ5gVpWMT7Z0B0gSNYqqsSCNIJMjzvm6fqCz9vjwM=
 github.com/gin-gonic/gin v1.11.0 h1:OW/6PLjyusp2PPXtyxKHU0RbX6I/l28FTdDlae5ueWk=
 github.com/gin-gonic/gin v1.11.0/go.mod h1:+iq/FyxlGzII0KHiBGjuNn4UNENUlKbGlNmc+W50Dls=
 github.com/glebarez/go-sqlite v1.21.2 h1:3a6LFC4sKahUunAmynQKLZceZCOzUthkRkEAl9gAXWo=
 github.com/glebarez/go-sqlite v1.21.2/go.mod h1:sfxdZyhQjTM2Wry3gVYWaW072Ri1WMdWJi0k6+3382k=
 github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
 github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
 github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
 github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
 github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
@@ -116,8 +120,6 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
 github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
 github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
@@ -125,22 +127,28 @@ github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7Lk
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang-migrate/migrate/v4 v4.19.1 h1:OCyb44lFuQfYXYLx1SCxPZQGU7mcaZ7gH9yH4jSFbBA=
 github.com/golang-migrate/migrate/v4 v4.19.1/go.mod h1:CTcgfjxhaUtsLipnLoQRWCrjYXycRz/g5+RWDuYgPrE=
-github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.2.0 h1:yhqkPbu2/OH+V9BfpCVPZkNmUXhb2gBxJArfhIxNtP0=
-github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
+github.com/google/go-querystring v1.2.0/go.mod h1:8IFJqpSRITyJ8QhQ13bmbeMBDfmeEJZD5A0egEOmkqU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 h1:VNqngBF40hVlDloBruUehVYC3ArSgIyScOAyMRqBxRg=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1/go.mod h1:RBRO7fro65R6tjKzYgLAFo0t1QEXY1Dp+i/bvpRiqiQ=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
-github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
-github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/huandu/xstrings v1.5.0 h1:2ag3IFq9ZDANvthTwTiqSSZLjDc+BedvHPAp5tJy2TI=
 github.com/huandu/xstrings v1.5.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE=
 github.com/imdario/mergo v0.3.11 h1:3tnifQM4i+fbajXKBHXWEH+KvNHqojZ778UH75j3bGA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
 github.com/jcmturner/dnsutils/v2 v2.0.0 h1:lltnkeZGL0wILNvrNiVCR6Ro5PGU/SeBvVO/8c/iPbo=
@@ -153,10 +161,6 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
 github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
 github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
 github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
@@ -186,8 +190,14 @@ github.com/mattn/go-sqlite3 v1.14.32 h1:JD12Ag3oLy1zQA+BNn74xRgaBbdhbNIDYvQUEuuE
 github.com/mattn/go-sqlite3 v1.14.32/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mdp/qrterminal/v3 v3.2.1 h1:6+yQjiiOsSuXT5n9/m60E54vdgFsw0zhADHhHLrFet4=
 github.com/mdp/qrterminal/v3 v3.2.1/go.mod h1:jOTmXvnBsMy5xqLniO0R++Jmjs2sTm9dFSuQ5kpz/SU=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
 github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s=
 github.com/mitchellh/hashstructure/v2 v2.0.2 h1:vGKWl0YJqUNxE8d+h8f6NJLcCJrgbhC4NcD46KavDd4=
 github.com/mitchellh/hashstructure/v2 v2.0.2/go.mod h1:MG3aRVU/N29oo/V/IhBX8GR/zz4kQkprJgF2EVszyDE=
 github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ=
 github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw=
 github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
 github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
 github.com/moby/sys/atomicwriter v0.1.0 h1:kw5D/EqkBwsBFi0ss9v1VG3wIkVhzGvLklJ+w3A14Sw=
@@ -209,8 +219,8 @@ github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELU
 github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
 github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
 github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
-github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4=
+github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
-github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
+github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
 github.com/opencontainers/image-spec v1.1.0 h1:8SG7/vwALn54lVB/0yZ/MMwhFrPYtpEHQb2IpWsCzug=
@@ -224,10 +234,10 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
 github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
-github.com/quic-go/qpack v0.5.1 h1:giqksBPnT/HDtZ6VhtFKgoLOWmlyo9Ei6u9PqzIMbhI=
+github.com/quic-go/qpack v0.6.0 h1:g7W+BMYynC1LbYLSqRt8PBg5Tgwxn214ZZR34VIOjz8=
-github.com/quic-go/qpack v0.5.1/go.mod h1:+PC4XFrEskIVkcLzpEkbLqq1uCoxPhQuvK5rH1ZgaEg=
+github.com/quic-go/qpack v0.6.0/go.mod h1:lUpLKChi8njB4ty2bFLX2x4gzDqXwUpaO1DP9qMDZII=
-github.com/quic-go/quic-go v0.54.1 h1:4ZAWm0AhCb6+hE+l5Q1NAL0iRn/ZrMwqHRGQiFwj2eg=
+github.com/quic-go/quic-go v0.57.0 h1:AsSSrrMs4qI/hLrKlTH/TGQeTMY0ib1pAOX7vA3AdqE=
-github.com/quic-go/quic-go v0.54.1/go.mod h1:e68ZEaCdyviluZmy44P6Iey98v/Wfz6HCjQEm+l8zTY=
+github.com/quic-go/quic-go v0.57.0/go.mod h1:ly4QBAjHA2VhdnxhojRsCUOeJwKYg+taDlos92xb1+s=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
@@ -238,47 +248,34 @@ github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWN
 github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
 github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY=
 github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ=
-github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/sagikazarmark/locafero v0.11.0 h1:1iurJgmM9G3PA/I+wWYIOw/5SyBtxapeHDcg+AAIFXc=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
-github.com/sagikazarmark/locafero v0.11.0/go.mod h1:nVIGvgyzw595SUSUE6tvCp3YYTeHs15MvlmU87WwIik=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
 github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
 github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
-github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8 h1:+jumHNA0Wrelhe64i8F6HNlS8pkoyMv5sreGx2Ry5Rw=
+github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/sourcegraph/conc v0.3.1-0.20240121214520-5f936abd7ae8/go.mod h1:3n1Cwaq1E1/1lhQhtRK2ts/ZwZEhjcQeJQ1RuC6Q/8U=
 github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
 github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
 github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
 github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
 github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
 github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
 github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
 github.com/stoewer/go-strcase v1.3.1 h1:iS0MdW+kVTxgMoE1LAZyMiYJFKlOzLooE4MxjirtkAs=
 github.com/stoewer/go-strcase v1.3.1/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/traefik/paerser v0.2.2 h1:cpzW/ZrQrBh3mdwD/jnp6aXASiUFKOVr6ldP+keJTcQ=
 github.com/traefik/paerser v0.2.2/go.mod h1:7BBDd4FANoVgaTZG+yh26jI6CA2nds7D/4VTEdIsh24=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
 github.com/twitchyliquid64/golang-asm v0.15.1/go.mod h1:a1lVb/DtPvCB8fslRZhAngC2+aY1QWCk3Cedj/Gdt08=
 github.com/ugorji/go/codec v1.3.0 h1:Qd2W2sQawAfG8XSvzwhBeoGq71zXOC/Q1E9y/wUcsUA=
 github.com/ugorji/go/codec v1.3.0/go.mod h1:pRBVtBSKl77K30Bv8R2P+cLSGaTtex6fsA2Wjqmfxj4=
-github.com/weppos/publicsuffix-go v0.50.1 h1:elrBHeSkS/eIb169+DnLrknqmdP4AjT0Q0tEdytz1Og=
+github.com/weppos/publicsuffix-go v0.50.2 h1:KsJFc8IEKTJovM46SRCnGNsM+rFShxcs6VEHjOJcXzE=
-github.com/weppos/publicsuffix-go v0.50.1/go.mod h1:znn0JVXjcR5hpUl9pbEogwH6I710rA1AX0QQPT0bf+k=
+github.com/weppos/publicsuffix-go v0.50.2/go.mod h1:CbQCKDtXF8UcT7hrxeMa0MDjwhpOI9iYOU7cfq+yo8k=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.61.0 h1:F7Jx+6hwnZ41NSFTO5q4LYDtJRXBf2PD0rNBkeB/lus=
@@ -299,39 +296,63 @@ go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mx
 go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
 go.opentelemetry.io/proto/otlp v1.5.0 h1:xJvq7gMzB31/d406fB8U5CBdyQGw4P399D1aQWU/3i4=
 go.opentelemetry.io/proto/otlp v1.5.0/go.mod h1:keN8WnHxOy8PG0rQZjJJ5A2ebUoafqWp0eVQ4yIXvJ4=
-go.uber.org/mock v0.5.0 h1:KAMbZvZPyBPWgD14IrIQ38QCyjwpvVVV6K/bHl1IwQU=
+go.uber.org/mock v0.5.2 h1:LbtPTcP8A5k9WPXj54PPPbjcI4Y6lhyOZXn+VS7wNko=
-go.uber.org/mock v0.5.0/go.mod h1:ge71pBPLYDk7QIi1LupWxdAykm7KIEFchiOqd6z7qMM=
+go.uber.org/mock v0.5.2/go.mod h1:wLlUxC2vVTPTaE3UD51E0BGOAElKrILxhVSDYQLld5o=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
 golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
-golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
-golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b h1:M2rDM6z3Fhozi9O7NWsxAkg/yqS/lQJ6PmkyIV3YP+o=
+golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
-golang.org/x/exp v0.0.0-20250620022241-b7579e27df2b/go.mod h1:3//PLf8L/X+8b4vuAfHzxeRUl04Adcb341+IGKfnqS8=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
-golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
-golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546 h1:mgKeJMpvi0yx/sU5GsxQ7p6s2wtOnGAHZWCHUM4KGzY=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/exp v0.0.0-20251023183803-a4bb9ffd2546/go.mod h1:j/pmGrbnkbPtQfxEe5D0VQhZC6qKbfKifgD0oM7sR70=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
-golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
 golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
 golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
 golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
 golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
-golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
 golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
 golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
-golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
-golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
-golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
 golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/genproto v0.0.0-20250603155806-513f23925822 h1:rHWScKit0gvAPuOnu87KpaYtjK5zBMLcULh7gxkCXu4=
 google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c h1:AtEkQdl5b6zsybXcbz00j1LwNodDuH6hVifIaNqk7NQ=
 google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c/go.mod h1:ea2MjsO70ssTfCjiwHgI0ZFqcw45Ksuk2ckf9G468GA=
@@ -344,25 +365,28 @@ google.golang.org/protobuf v1.36.9/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXn
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
 gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
 gotest.tools/v3 v3.5.2 h1:7koQfIKdy+I8UTetycgUqXWSDwpgv193Ka+qRsmBY8Q=
 gotest.tools/v3 v3.5.2/go.mod h1:LtdLGcnqToBH83WByAAi/wiwSFCArdFIUV/xxN4pcjA=
-modernc.org/cc/v4 v4.26.2 h1:991HMkLjJzYBIfha6ECZdjrIYz2/1ayr+FL8GN+CNzM=
+modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
-modernc.org/cc/v4 v4.26.2/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
+modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
-modernc.org/ccgo/v4 v4.28.0 h1:rjznn6WWehKq7dG4JtLRKxb52Ecv8OUGah8+Z/SfpNU=
+modernc.org/ccgo/v4 v4.30.1 h1:4r4U1J6Fhj98NKfSjnPUN7Ze2c6MnAdL0hWw6+LrJpc=
-modernc.org/ccgo/v4 v4.28.0/go.mod h1:JygV3+9AV6SmPhDasu4JgquwU81XAKLd3OKTUDNOiKE=
+modernc.org/ccgo/v4 v4.30.1/go.mod h1:bIOeI1JL54Utlxn+LwrFyjCx2n2RDiYEaJVSrgdrRfM=
-modernc.org/fileutil v1.3.8 h1:qtzNm7ED75pd1C7WgAGcK4edm4fvhtBsEiI/0NQ54YM=
+modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
-modernc.org/fileutil v1.3.8/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
+modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
 modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
 modernc.org/gc/v3 v3.1.1 h1:k8T3gkXWY9sEiytKhcgyiZ2L0DTyCQ/nvX+LoCljoRE=
 modernc.org/gc/v3 v3.1.1/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.66.3 h1:cfCbjTUcdsKyyZZfEUKfoHcP3S0Wkvz3jgSzByEWVCQ=
+modernc.org/libc v1.67.6 h1:eVOQvpModVLKOdT+LvBPjdQqfrZq+pC39BygcT+E7OI=
-modernc.org/libc v1.66.3/go.mod h1:XD9zO8kt59cANKvHPXpx7yS2ELPheAey0vjIuZOhOU8=
+modernc.org/libc v1.67.6/go.mod h1:JAhxUVlolfYDErnwiqaLvUqc8nfb2r6S6slAgZOnaiE=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@@ -371,8 +395,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.38.2 h1:Aclu7+tgjgcQVShZqim41Bbw9Cho0y/7WzYptXqkEek=
+modernc.org/sqlite v1.45.0 h1:r51cSGzKpbptxnby+EIIz5fop4VuE4qFoVEjNvWoObs=
-modernc.org/sqlite v1.38.2/go.mod h1:cPTJYSlgg3Sfg046yBShXENNtPrWrDX8bsbAQBzgQ5E=
+modernc.org/sqlite v1.45.0/go.mod h1:CzbrU2lSB1DKUusvwGz7rqEKIq+NUd8GWuBBZDs9/nA=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
--- a/internal/assets/migrations/000003_oauth_sub.down.sql
+++ b/internal/assets/migrations/000003_oauth_sub.down.sql
@@ -0,0 +1 @@
 ALTER TABLE "sessions" DROP COLUMN "oauth_sub";
--- a/internal/assets/migrations/000003_oauth_sub.up.sql
+++ b/internal/assets/migrations/000003_oauth_sub.up.sql
@@ -0,0 +1 @@
 ALTER TABLE "sessions" ADD COLUMN "oauth_sub" TEXT;
--- a/internal/assets/migrations/000004_created_at.down.sql
+++ b/internal/assets/migrations/000004_created_at.down.sql
@@ -0,0 +1 @@
 ALTER TABLE "sessions" DROP COLUMN "created_at";
--- a/internal/assets/migrations/000004_created_at.up.sql
+++ b/internal/assets/migrations/000004_created_at.up.sql
@@ -0,0 +1 @@
 ALTER TABLE "sessions" ADD COLUMN "created_at" INTEGER NOT NULL DEFAULT 0;
--- a/internal/assets/migrations/000005_oidc_session.down.sql
+++ b/internal/assets/migrations/000005_oidc_session.down.sql
@@ -0,0 +1,3 @@
 DROP TABLE IF EXISTS "oidc_tokens";
 DROP TABLE IF EXISTS "oidc_userinfo";
 DROP TABLE IF EXISTS "oidc_codes";
--- a/internal/assets/migrations/000005_oidc_session.up.sql
+++ b/internal/assets/migrations/000005_oidc_session.up.sql
@@ -0,0 +1,27 @@
 CREATE TABLE IF NOT EXISTS "oidc_codes" (
    "sub" TEXT NOT NULL UNIQUE,
    "code_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "scope" TEXT NOT NULL,
    "redirect_uri" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "expires_at" INTEGER NOT NULL
 );
 CREATE TABLE IF NOT EXISTS "oidc_tokens" (
    "sub" TEXT NOT NULL UNIQUE,
    "access_token_hash" TEXT NOT NULL PRIMARY KEY UNIQUE,
    "refresh_token_hash" TEXT NOT NULL,
    "scope" TEXT NOT NULL,
    "client_id" TEXT NOT NULL,
    "token_expires_at" INTEGER NOT NULL,
    "refresh_token_expires_at" INTEGER NOT NULL
 );
 CREATE TABLE IF NOT EXISTS "oidc_userinfo" (
    "sub" TEXT NOT NULL UNIQUE PRIMARY KEY,
    "name" TEXT NOT NULL,
    "preferred_username" TEXT NOT NULL,
    "email" TEXT NOT NULL,
    "groups" TEXT NOT NULL,
    "updated_at" INTEGER NOT NULL
 );
--- a/internal/bootstrap/app_bootstrap.go
+++ b/internal/bootstrap/app_bootstrap.go
@@ -11,34 +11,29 @@ import (
 	"sort"
 	"strings"
 	"time"
 	"tinyauth/internal/config"
 	"tinyauth/internal/controller"
 	"tinyauth/internal/middleware"
 	"tinyauth/internal/model"
 	"tinyauth/internal/service"
 	"tinyauth/internal/utils"
-	"github.com/gin-gonic/gin"
+	"github.com/steveiliop56/tinyauth/internal/config"
-	"github.com/rs/zerolog/log"
+	"github.com/steveiliop56/tinyauth/internal/controller"
-	"gorm.io/gorm"
+	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 )
 type Controller interface {
 	SetupRoutes()
 }
 type Middleware interface {
 	Middleware() gin.HandlerFunc
 	Init() error
 }
 type Service interface {
 	Init() error
 }
 type BootstrapApp struct {
-	config config.Config
+	config  config.Config
-	uuid   string
+	context struct {
 		appUrl              string
 		uuid                string
 		cookieDomain        string
 		sessionCookieName   string
 		csrfCookieName      string
 		redirectCookieName  string
 		users               []config.User
 		oauthProviders      map[string]config.OAuthServiceConfig
 		configuredProviders []controller.Provider
 		oidcClients         []config.OIDCClientConfig
 	}
 	services Services
 }
 func NewBootstrapApp(config config.Config) *BootstrapApp {
@@ -48,123 +43,109 @@ func NewBootstrapApp(config config.Config) *BootstrapApp {
 }
 func (app *BootstrapApp) Setup() error {
-	// Parse users
+	// get app url
-	users, err := utils.GetUsers(app.config.Users, app.config.UsersFile)
+	appUrl, err := url.Parse(app.config.AppURL)
 	if err != nil {
 		return err
 	}
-	// Get OAuth configs
+	app.context.appUrl = appUrl.Scheme + "://" + appUrl.Host
-	oauthProviders, err := utils.GetOAuthProvidersConfig(os.Environ(), os.Args, app.config.AppURL)
+
 	// validate session config
 	if app.config.Auth.SessionMaxLifetime != 0 && app.config.Auth.SessionMaxLifetime < app.config.Auth.SessionExpiry {
 		return fmt.Errorf("session max lifetime cannot be less than session expiry")
 	}
 	// Parse users
 	users, err := utils.GetUsers(app.config.Auth.Users, app.config.Auth.UsersFile)
 	if err != nil {
 		return err
 	}
 	app.context.users = users
 	// Setup OAuth providers
 	app.context.oauthProviders = app.config.OAuth.Providers
 	for name, provider := range app.context.oauthProviders {
 		secret := utils.GetSecret(provider.ClientSecret, provider.ClientSecretFile)
 		provider.ClientSecret = secret
 		provider.ClientSecretFile = ""
 		if provider.RedirectURL == "" {
 			provider.RedirectURL = app.context.appUrl + "/api/oauth/callback/" + name
 		}
 		app.context.oauthProviders[name] = provider
 	}
 	for id, provider := range app.context.oauthProviders {
 		if provider.Name == "" {
 			if name, ok := config.OverrideProviders[id]; ok {
 				provider.Name = name
 			} else {
 				provider.Name = utils.Capitalize(id)
 			}
 		}
 		app.context.oauthProviders[id] = provider
 	}
 	// Setup OIDC clients
 	for id, client := range app.config.OIDC.Clients {
 		client.ID = id
 		app.context.oidcClients = append(app.context.oidcClients, client)
 	}
 	// Get cookie domain
-	cookieDomain, err := utils.GetCookieDomain(app.config.AppURL)
+	cookieDomain, err := utils.GetCookieDomain(app.context.appUrl)
 	if err != nil {
 		return err
 	}
 	app.context.cookieDomain = cookieDomain
 	// Cookie names
-	appUrl, _ := url.Parse(app.config.AppURL) // Already validated
+	app.context.uuid = utils.GenerateUUID(appUrl.Hostname())
-	uuid := utils.GenerateUUID(appUrl.Hostname())
+	cookieId := strings.Split(app.context.uuid, "-")[0]
-	app.uuid = uuid
+	app.context.sessionCookieName = fmt.Sprintf("%s-%s", config.SessionCookieName, cookieId)
-	cookieId := strings.Split(uuid, "-")[0]
+	app.context.csrfCookieName = fmt.Sprintf("%s-%s", config.CSRFCookieName, cookieId)
-	sessionCookieName := fmt.Sprintf("%s-%s", config.SessionCookieName, cookieId)
+	app.context.redirectCookieName = fmt.Sprintf("%s-%s", config.RedirectCookieName, cookieId)
 	csrfCookieName := fmt.Sprintf("%s-%s", config.CSRFCookieName, cookieId)
 	redirectCookieName := fmt.Sprintf("%s-%s", config.RedirectCookieName, cookieId)
 	// Dumps
-	log.Trace().Interface("config", app.config).Msg("Config dump")
+	tlog.App.Trace().Interface("config", app.config).Msg("Config dump")
-	log.Trace().Interface("users", users).Msg("Users dump")
+	tlog.App.Trace().Interface("users", app.context.users).Msg("Users dump")
-	log.Trace().Interface("oauthProviders", oauthProviders).Msg("OAuth providers dump")
+	tlog.App.Trace().Interface("oauthProviders", app.context.oauthProviders).Msg("OAuth providers dump")
-	log.Trace().Str("cookieDomain", cookieDomain).Msg("Cookie domain")
+	tlog.App.Trace().Str("cookieDomain", app.context.cookieDomain).Msg("Cookie domain")
-	log.Trace().Str("sessionCookieName", sessionCookieName).Msg("Session cookie name")
+	tlog.App.Trace().Str("sessionCookieName", app.context.sessionCookieName).Msg("Session cookie name")
-	log.Trace().Str("csrfCookieName", csrfCookieName).Msg("CSRF cookie name")
+	tlog.App.Trace().Str("csrfCookieName", app.context.csrfCookieName).Msg("CSRF cookie name")
-	log.Trace().Str("redirectCookieName", redirectCookieName).Msg("Redirect cookie name")
+	tlog.App.Trace().Str("redirectCookieName", app.context.redirectCookieName).Msg("Redirect cookie name")
-	// Create configs
+	// Database
-	authConfig := service.AuthServiceConfig{
+	db, err := app.SetupDatabase(app.config.DatabasePath)
 		Users:             users,
 		OauthWhitelist:    app.config.OAuthWhitelist,
 		SessionExpiry:     app.config.SessionExpiry,
 		SecureCookie:      app.config.SecureCookie,
 		CookieDomain:      cookieDomain,
 		LoginTimeout:      app.config.LoginTimeout,
 		LoginMaxRetries:   app.config.LoginMaxRetries,
 		SessionCookieName: sessionCookieName,
 	}
 	// Setup services
 	var ldapService *service.LdapService
 	if app.config.LdapAddress != "" {
 		ldapConfig := service.LdapServiceConfig{
 			Address:      app.config.LdapAddress,
 			BindDN:       app.config.LdapBindDN,
 			BindPassword: app.config.LdapBindPassword,
 			BaseDN:       app.config.LdapBaseDN,
 			Insecure:     app.config.LdapInsecure,
 			SearchFilter: app.config.LdapSearchFilter,
 		}
 		ldapService = service.NewLdapService(ldapConfig)
 		err := ldapService.Init()
 		if err != nil {
 			log.Warn().Err(err).Msg("Failed to initialize LDAP service, continuing without LDAP")
 			ldapService = nil
 		}
 	}
 	// Bootstrap database
 	databaseService := service.NewDatabaseService(service.DatabaseServiceConfig{
 		DatabasePath: app.config.DatabasePath,
 	})
 	log.Debug().Str("service", fmt.Sprintf("%T", databaseService)).Msg("Initializing service")
 	err = databaseService.Init()
 	if err != nil {
-		return fmt.Errorf("failed to initialize database service: %w", err)
+		return fmt.Errorf("failed to setup database: %w", err)
 	}
-	database := databaseService.GetDatabase()
+	// Queries
 	queries := repository.New(db)
-	// Create services
+	// Services
-	dockerService := service.NewDockerService()
+	services, err := app.initServices(queries)
 	aclsService := service.NewAccessControlsService(dockerService)
 	authService := service.NewAuthService(authConfig, dockerService, ldapService, database)
 	oauthBrokerService := service.NewOAuthBrokerService(oauthProviders)
-	// Initialize services (order matters)
+	if err != nil {
-	services := []Service{
+		return fmt.Errorf("failed to initialize services: %w", err)
 		dockerService,
 		aclsService,
 		authService,
 		oauthBrokerService,
 	}
-	for _, svc := range services {
+	app.services = services
 		if svc != nil {
 			log.Debug().Str("service", fmt.Sprintf("%T", svc)).Msg("Initializing service")
 			err := svc.Init()
 			if err != nil {
 				return err
 			}
 		}
 	}
 	// Configured providers
 	configuredProviders := make([]controller.Provider, 0)
-	for id, provider := range oauthProviders {
+	for id, provider := range app.context.oauthProviders {
 		configuredProviders = append(configuredProviders, controller.Provider{
 			Name:  provider.Name,
 			ID:    id,
@@ -176,142 +157,70 @@ func (app *BootstrapApp) Setup() error {
 		return configuredProviders[i].Name < configuredProviders[j].Name
 	})
-	if authService.UserAuthConfigured() || ldapService != nil {
+	if services.authService.LocalAuthConfigured() {
 		configuredProviders = append(configuredProviders, controller.Provider{
-			Name:  "Username",
+			Name:  "Local",
-			ID:    "username",
+			ID:    "local",
 			OAuth: false,
 		})
 	}
-	log.Debug().Interface("providers", configuredProviders).Msg("Authentication providers")
+	if services.authService.LdapAuthConfigured() {
 		configuredProviders = append(configuredProviders, controller.Provider{
 			Name:  "LDAP",
 			ID:    "ldap",
 			OAuth: false,
 		})
 	}
 	tlog.App.Debug().Interface("providers", configuredProviders).Msg("Authentication providers")
 	if len(configuredProviders) == 0 {
 		return fmt.Errorf("no authentication providers configured")
 	}
-	// Create engine
+	app.context.configuredProviders = configuredProviders
 	engine := gin.New()
 	engine.Use(gin.Recovery())
-	if len(app.config.TrustedProxies) > 0 {
+	// Setup router
-		err := engine.SetTrustedProxies(strings.Split(app.config.TrustedProxies, ","))
+	router, err := app.setupRouter()
-		if err != nil {
+	if err != nil {
-			return fmt.Errorf("failed to set trusted proxies: %w", err)
+		return fmt.Errorf("failed to setup routes: %w", err)
 		}
 	}
-	// Create middlewares
+	// Start db cleanup routine
-	var middlewares []Middleware
+	tlog.App.Debug().Msg("Starting database cleanup routine")
-
+	go app.dbCleanup(queries)
 	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
 		CookieDomain: cookieDomain,
 	}, authService, oauthBrokerService)
 	uiMiddleware := middleware.NewUIMiddleware()
 	zerologMiddleware := middleware.NewZerologMiddleware()
 	middlewares = append(middlewares, contextMiddleware, uiMiddleware, zerologMiddleware)
 	for _, middleware := range middlewares {
 		log.Debug().Str("middleware", fmt.Sprintf("%T", middleware)).Msg("Initializing middleware")
 		err := middleware.Init()
 		if err != nil {
 			return fmt.Errorf("failed to initialize middleware %T: %w", middleware, err)
 		}
 		engine.Use(middleware.Middleware())
 	}
 	// Create routers
 	mainRouter := engine.Group("")
 	apiRouter := engine.Group("/api")
 	// Create controllers
 	contextController := controller.NewContextController(controller.ContextControllerConfig{
 		Providers:             configuredProviders,
 		Title:                 app.config.Title,
 		AppURL:                app.config.AppURL,
 		CookieDomain:          cookieDomain,
 		ForgotPasswordMessage: app.config.ForgotPasswordMessage,
 		BackgroundImage:       app.config.BackgroundImage,
 		OAuthAutoRedirect:     app.config.OAuthAutoRedirect,
 		DisableUIWarnings:     app.config.DisableUIWarnings,
 	}, apiRouter)
 	oauthController := controller.NewOAuthController(controller.OAuthControllerConfig{
 		AppURL:             app.config.AppURL,
 		SecureCookie:       app.config.SecureCookie,
 		CSRFCookieName:     csrfCookieName,
 		RedirectCookieName: redirectCookieName,
 		CookieDomain:       cookieDomain,
 	}, apiRouter, authService, oauthBrokerService)
 	proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
 		AppURL: app.config.AppURL,
 	}, apiRouter, aclsService, authService)
 	userController := controller.NewUserController(controller.UserControllerConfig{
 		CookieDomain: cookieDomain,
 	}, apiRouter, authService)
 	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
 		ResourcesDir:      app.config.ResourcesDir,
 		ResourcesDisabled: app.config.DisableResources,
 	}, mainRouter)
 	healthController := controller.NewHealthController(apiRouter)
 	// Setup routes
 	controller := []Controller{
 		contextController,
 		oauthController,
 		proxyController,
 		userController,
 		healthController,
 		resourcesController,
 	}
 	for _, ctrl := range controller {
 		log.Debug().Msgf("Setting up %T controller", ctrl)
 		ctrl.SetupRoutes()
 	}
 	// If analytics are not disabled, start heartbeat
 	if !app.config.DisableAnalytics {
-		log.Debug().Msg("Starting heartbeat routine")
+		tlog.App.Debug().Msg("Starting heartbeat routine")
 		go app.heartbeat()
 	}
 	// Start DB cleanup routine
 	log.Debug().Msg("Starting database cleanup routine")
 	go app.dbCleanup(database)
 	// If we have an socket path, bind to it
-	if app.config.SocketPath != "" {
+	if app.config.Server.SocketPath != "" {
-		// Remove existing socket file
+		if _, err := os.Stat(app.config.Server.SocketPath); err == nil {
-		if _, err := os.Stat(app.config.SocketPath); err == nil {
+			tlog.App.Info().Msgf("Removing existing socket file %s", app.config.Server.SocketPath)
-			log.Info().Msgf("Removing existing socket file %s", app.config.SocketPath)
+			err := os.Remove(app.config.Server.SocketPath)
 			err := os.Remove(app.config.SocketPath)
 			if err != nil {
 				return fmt.Errorf("failed to remove existing socket file: %w", err)
 			}
 		}
-		// Start server with unix socket
+		tlog.App.Info().Msgf("Starting server on unix socket %s", app.config.Server.SocketPath)
-		log.Info().Msgf("Starting server on unix socket %s", app.config.SocketPath)
+		if err := router.RunUnix(app.config.Server.SocketPath); err != nil {
-		if err := engine.RunUnix(app.config.SocketPath); err != nil {
+			tlog.App.Fatal().Err(err).Msg("Failed to start server")
 			log.Fatal().Err(err).Msg("Failed to start server")
 		}
 		return nil
 	}
 	// Start server
-	address := fmt.Sprintf("%s:%d", app.config.Address, app.config.Port)
+	address := fmt.Sprintf("%s:%d", app.config.Server.Address, app.config.Server.Port)
-	log.Info().Msgf("Starting server on %s", address)
+	tlog.App.Info().Msgf("Starting server on %s", address)
-	if err := engine.Run(address); err != nil {
+	if err := router.Run(address); err != nil {
-		log.Fatal().Err(err).Msg("Failed to start server")
+		tlog.App.Fatal().Err(err).Msg("Failed to start server")
 	}
 	return nil
@@ -328,27 +237,29 @@ func (app *BootstrapApp) heartbeat() {
 	var body heartbeat
-	body.UUID = app.uuid
+	body.UUID = app.context.uuid
 	body.Version = config.Version
 	bodyJson, err := json.Marshal(body)
 	if err != nil {
-		log.Error().Err(err).Msg("Failed to marshal heartbeat body")
+		tlog.App.Error().Err(err).Msg("Failed to marshal heartbeat body")
 		return
 	}
-	client := &http.Client{}
+	client := &http.Client{
 		Timeout: 30 * time.Second, // The server should never take more than 30 seconds to respond
 	}
 	heartbeatURL := config.ApiServer + "/v1/instances/heartbeat"
-	for ; true; <-ticker.C {
+	for range ticker.C {
-		log.Debug().Msg("Sending heartbeat")
+		tlog.App.Debug().Msg("Sending heartbeat")
 		req, err := http.NewRequest(http.MethodPost, heartbeatURL, bytes.NewReader(bodyJson))
 		if err != nil {
-			log.Error().Err(err).Msg("Failed to create heartbeat request")
+			tlog.App.Error().Err(err).Msg("Failed to create heartbeat request")
 			continue
 		}
@@ -357,28 +268,28 @@ func (app *BootstrapApp) heartbeat() {
 		res, err := client.Do(req)
 		if err != nil {
-			log.Error().Err(err).Msg("Failed to send heartbeat")
+			tlog.App.Error().Err(err).Msg("Failed to send heartbeat")
 			continue
 		}
 		res.Body.Close()
 		if res.StatusCode != 200 && res.StatusCode != 201 {
-			log.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
+			tlog.App.Debug().Str("status", res.Status).Msg("Heartbeat returned non-200/201 status")
 		}
 	}
 }
-func (app *BootstrapApp) dbCleanup(db *gorm.DB) {
+func (app *BootstrapApp) dbCleanup(queries *repository.Queries) {
 	ticker := time.NewTicker(time.Duration(30) * time.Minute)
 	defer ticker.Stop()
 	ctx := context.Background()
-	for ; true; <-ticker.C {
+	for range ticker.C {
-		log.Debug().Msg("Cleaning up old database sessions")
+		tlog.App.Debug().Msg("Cleaning up old database sessions")
-		_, err := gorm.G[model.Session](db).Where("expiry < ?", time.Now().Unix()).Delete(ctx)
+		err := queries.DeleteExpiredSessions(ctx, time.Now().Unix())
 		if err != nil {
-			log.Error().Err(err).Msg("Failed to cleanup old sessions")
+			tlog.App.Error().Err(err).Msg("Failed to clean up old database sessions")
 		}
 	}
 }
--- a/internal/bootstrap/db_bootstrap.go
+++ b/internal/bootstrap/db_bootstrap.go
@@ -0,0 +1,57 @@
 package bootstrap
 import (
 	"database/sql"
 	"fmt"
 	"os"
 	"path/filepath"
 	"github.com/steveiliop56/tinyauth/internal/assets"
 	"github.com/golang-migrate/migrate/v4"
 	"github.com/golang-migrate/migrate/v4/database/sqlite3"
 	"github.com/golang-migrate/migrate/v4/source/iofs"
 	_ "modernc.org/sqlite"
 )
 func (app *BootstrapApp) SetupDatabase(databasePath string) (*sql.DB, error) {
 	dir := filepath.Dir(databasePath)
 	if err := os.MkdirAll(dir, 0750); err != nil {
 		return nil, fmt.Errorf("failed to create database directory %s: %w", dir, err)
 	}
 	db, err := sql.Open("sqlite", databasePath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open database: %w", err)
 	}
 	// Limit to 1 connection to sequence writes, this may need to be revisited in the future
 	// if the sqlite connection starts being a bottleneck
 	db.SetMaxOpenConns(1)
 	migrations, err := iofs.New(assets.Migrations, "migrations")
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migrations: %w", err)
 	}
 	target, err := sqlite3.WithInstance(db, &sqlite3.Config{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to create sqlite3 instance: %w", err)
 	}
 	migrator, err := migrate.NewWithInstance("iofs", migrations, "sqlite3", target)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create migrator: %w", err)
 	}
 	if err := migrator.Up(); err != nil && err != migrate.ErrNoChange {
 		return nil, fmt.Errorf("failed to migrate database: %w", err)
 	}
 	return db, nil
 }
--- a/internal/bootstrap/router_bootstrap.go
+++ b/internal/bootstrap/router_bootstrap.go
@@ -0,0 +1,121 @@
 package bootstrap
 import (
 	"fmt"
 	"slices"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/middleware"
 	"github.com/gin-gonic/gin"
 )
 var DEV_MODES = []string{"main", "test", "development"}
 func (app *BootstrapApp) setupRouter() (*gin.Engine, error) {
 	if !slices.Contains(DEV_MODES, config.Version) {
 		gin.SetMode(gin.ReleaseMode)
 	}
 	engine := gin.New()
 	engine.Use(gin.Recovery())
 	if len(app.config.Auth.TrustedProxies) > 0 {
 		err := engine.SetTrustedProxies(app.config.Auth.TrustedProxies)
 		if err != nil {
 			return nil, fmt.Errorf("failed to set trusted proxies: %w", err)
 		}
 	}
 	contextMiddleware := middleware.NewContextMiddleware(middleware.ContextMiddlewareConfig{
 		CookieDomain: app.context.cookieDomain,
 	}, app.services.authService, app.services.oauthBrokerService)
 	err := contextMiddleware.Init()
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize context middleware: %w", err)
 	}
 	engine.Use(contextMiddleware.Middleware())
 	uiMiddleware := middleware.NewUIMiddleware()
 	err = uiMiddleware.Init()
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize UI middleware: %w", err)
 	}
 	engine.Use(uiMiddleware.Middleware())
 	zerologMiddleware := middleware.NewZerologMiddleware()
 	err = zerologMiddleware.Init()
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize zerolog middleware: %w", err)
 	}
 	engine.Use(zerologMiddleware.Middleware())
 	apiRouter := engine.Group("/api")
 	contextController := controller.NewContextController(controller.ContextControllerConfig{
 		Providers:             app.context.configuredProviders,
 		Title:                 app.config.UI.Title,
 		AppURL:                app.config.AppURL,
 		CookieDomain:          app.context.cookieDomain,
 		ForgotPasswordMessage: app.config.UI.ForgotPasswordMessage,
 		BackgroundImage:       app.config.UI.BackgroundImage,
 		OAuthAutoRedirect:     app.config.OAuth.AutoRedirect,
 		DisableUIWarnings:     app.config.UI.DisableWarnings,
 	}, apiRouter)
 	contextController.SetupRoutes()
 	oauthController := controller.NewOAuthController(controller.OAuthControllerConfig{
 		AppURL:             app.config.AppURL,
 		SecureCookie:       app.config.Auth.SecureCookie,
 		CSRFCookieName:     app.context.csrfCookieName,
 		RedirectCookieName: app.context.redirectCookieName,
 		CookieDomain:       app.context.cookieDomain,
 	}, apiRouter, app.services.authService, app.services.oauthBrokerService)
 	oauthController.SetupRoutes()
 	oidcController := controller.NewOIDCController(controller.OIDCControllerConfig{}, app.services.oidcService, apiRouter)
 	oidcController.SetupRoutes()
 	proxyController := controller.NewProxyController(controller.ProxyControllerConfig{
 		AppURL: app.config.AppURL,
 	}, apiRouter, app.services.accessControlService, app.services.authService)
 	proxyController.SetupRoutes()
 	userController := controller.NewUserController(controller.UserControllerConfig{
 		CookieDomain: app.context.cookieDomain,
 	}, apiRouter, app.services.authService)
 	userController.SetupRoutes()
 	resourcesController := controller.NewResourcesController(controller.ResourcesControllerConfig{
 		ResourcesDir:      app.config.ResourcesDir,
 		ResourcesDisabled: app.config.DisableResources,
 	}, &engine.RouterGroup)
 	resourcesController.SetupRoutes()
 	healthController := controller.NewHealthController(apiRouter)
 	healthController.SetupRoutes()
 	wellknownController := controller.NewWellKnownController(controller.WellKnownControllerConfig{}, app.services.oidcService, engine)
 	wellknownController.SetupRoutes()
 	return engine, nil
 }
--- a/internal/bootstrap/service_bootstrap.go
+++ b/internal/bootstrap/service_bootstrap.go
@@ -0,0 +1,110 @@
 package bootstrap
 import (
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 )
 type Services struct {
 	accessControlService *service.AccessControlsService
 	authService          *service.AuthService
 	dockerService        *service.DockerService
 	ldapService          *service.LdapService
 	oauthBrokerService   *service.OAuthBrokerService
 	oidcService          *service.OIDCService
 }
 func (app *BootstrapApp) initServices(queries *repository.Queries) (Services, error) {
 	services := Services{}
 	ldapService := service.NewLdapService(service.LdapServiceConfig{
 		Address:      app.config.Ldap.Address,
 		BindDN:       app.config.Ldap.BindDN,
 		BindPassword: app.config.Ldap.BindPassword,
 		BaseDN:       app.config.Ldap.BaseDN,
 		Insecure:     app.config.Ldap.Insecure,
 		SearchFilter: app.config.Ldap.SearchFilter,
 		AuthCert:     app.config.Ldap.AuthCert,
 		AuthKey:      app.config.Ldap.AuthKey,
 	})
 	err := ldapService.Init()
 	if err != nil {
 		tlog.App.Warn().Err(err).Msg("Failed to setup LDAP service, starting without it")
 		ldapService.Unconfigure()
 	}
 	services.ldapService = ldapService
 	dockerService := service.NewDockerService()
 	err = dockerService.Init()
 	if err != nil {
 		return Services{}, err
 	}
 	services.dockerService = dockerService
 	accessControlsService := service.NewAccessControlsService(dockerService, app.config.Apps)
 	err = accessControlsService.Init()
 	if err != nil {
 		return Services{}, err
 	}
 	services.accessControlService = accessControlsService
 	authService := service.NewAuthService(service.AuthServiceConfig{
 		Users:              app.context.users,
 		OauthWhitelist:     app.config.OAuth.Whitelist,
 		SessionExpiry:      app.config.Auth.SessionExpiry,
 		SessionMaxLifetime: app.config.Auth.SessionMaxLifetime,
 		SecureCookie:       app.config.Auth.SecureCookie,
 		CookieDomain:       app.context.cookieDomain,
 		LoginTimeout:       app.config.Auth.LoginTimeout,
 		LoginMaxRetries:    app.config.Auth.LoginMaxRetries,
 		SessionCookieName:  app.context.sessionCookieName,
 		IP:                 app.config.Auth.IP,
 		LDAPGroupsCacheTTL: app.config.Ldap.GroupCacheTTL,
 	}, dockerService, services.ldapService, queries)
 	err = authService.Init()
 	if err != nil {
 		return Services{}, err
 	}
 	services.authService = authService
 	oauthBrokerService := service.NewOAuthBrokerService(app.context.oauthProviders)
 	err = oauthBrokerService.Init()
 	if err != nil {
 		return Services{}, err
 	}
 	services.oauthBrokerService = oauthBrokerService
 	oidcService := service.NewOIDCService(service.OIDCServiceConfig{
 		Clients:        app.config.OIDC.Clients,
 		PrivateKeyPath: app.config.OIDC.PrivateKeyPath,
 		PublicKeyPath:  app.config.OIDC.PublicKeyPath,
 		Issuer:         app.config.AppURL,
 		SessionExpiry:  app.config.Auth.SessionExpiry,
 	}, queries)
 	err = oidcService.Init()
 	if err != nil {
 		return Services{}, err
 	}
 	services.oidcService = oidcService
 	return services, nil
 }
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -1,5 +1,58 @@
 package config
 // Default configuration
 func NewDefaultConfiguration() *Config {
 	return &Config{
 		ResourcesDir: "./resources",
 		DatabasePath: "./tinyauth.db",
 		Server: ServerConfig{
 			Port:    3000,
 			Address: "0.0.0.0",
 		},
 		Auth: AuthConfig{
 			SessionExpiry:      86400, // 1 day
 			SessionMaxLifetime: 0,     // disabled
 			LoginTimeout:       300,   // 5 minutes
 			LoginMaxRetries:    3,
 		},
 		UI: UIConfig{
 			Title:                 "Tinyauth",
 			ForgotPasswordMessage: "You can change your password by changing the configuration.",
 			BackgroundImage:       "/background.jpg",
 		},
 		Ldap: LdapConfig{
 			Insecure:      false,
 			SearchFilter:  "(uid=%s)",
 			GroupCacheTTL: 900, // 15 minutes
 		},
 		Log: LogConfig{
 			Level: "info",
 			Json:  false,
 			Streams: LogStreams{
 				HTTP: LogStreamConfig{
 					Enabled: true,
 					Level:   "",
 				},
 				App: LogStreamConfig{
 					Enabled: true,
 					Level:   "",
 				},
 				Audit: LogStreamConfig{
 					Enabled: false,
 					Level:   "",
 				},
 			},
 		},
 		OIDC: OIDCConfig{
 			PrivateKeyPath: "./tinyauth_oidc_key",
 			PublicKeyPath:  "./tinyauth_oidc_key.pub",
 		},
 		Experimental: ExperimentalConfig{
 			ConfigFile: "",
 		},
 	}
 }
 // Version information, set at build time
 var Version = "development"
@@ -15,39 +68,105 @@ var RedirectCookieName = "tinyauth-redirect"
 // Main app config
 type Config struct {
-	Port                  int    `mapstructure:"port" validate:"required"`
+	AppURL           string             `description:"The base URL where the app is hosted." yaml:"appUrl"`
-	Address               string `validate:"required,ip4_addr" mapstructure:"address"`
+	ResourcesDir     string             `description:"The directory where resources are stored." yaml:"resourcesDir"`
-	AppURL                string `validate:"required,url" mapstructure:"app-url"`
+	DatabasePath     string             `description:"The path to the database file." yaml:"databasePath"`
-	Users                 string `mapstructure:"users"`
+	DisableAnalytics bool               `description:"Disable analytics." yaml:"disableAnalytics"`
-	UsersFile             string `mapstructure:"users-file"`
+	DisableResources bool               `description:"Disable resources server." yaml:"disableResources"`
-	SecureCookie          bool   `mapstructure:"secure-cookie"`
+	Server           ServerConfig       `description:"Server configuration." yaml:"server"`
-	OAuthWhitelist        string `mapstructure:"oauth-whitelist"`
+	Auth             AuthConfig         `description:"Authentication configuration." yaml:"auth"`
-	OAuthAutoRedirect     string `mapstructure:"oauth-auto-redirect"`
+	Apps             map[string]App     `description:"Application ACLs configuration." yaml:"apps"`
-	SessionExpiry         int    `mapstructure:"session-expiry"`
+	OAuth            OAuthConfig        `description:"OAuth configuration." yaml:"oauth"`
-	LogLevel              string `mapstructure:"log-level" validate:"oneof=trace debug info warn error fatal panic"`
+	OIDC             OIDCConfig         `description:"OIDC configuration." yaml:"oidc"`
-	Title                 string `mapstructure:"app-title"`
+	UI               UIConfig           `description:"UI customization." yaml:"ui"`
-	LoginTimeout          int    `mapstructure:"login-timeout"`
+	Ldap             LdapConfig         `description:"LDAP configuration." yaml:"ldap"`
-	LoginMaxRetries       int    `mapstructure:"login-max-retries"`
+	Experimental     ExperimentalConfig `description:"Experimental features, use with caution." yaml:"experimental"`
-	ForgotPasswordMessage string `mapstructure:"forgot-password-message"`
+	Log              LogConfig          `description:"Logging configuration." yaml:"log"`
 	BackgroundImage       string `mapstructure:"background-image" validate:"required"`
 	LdapAddress           string `mapstructure:"ldap-address"`
 	LdapBindDN            string `mapstructure:"ldap-bind-dn"`
 	LdapBindPassword      string `mapstructure:"ldap-bind-password"`
 	LdapBaseDN            string `mapstructure:"ldap-base-dn"`
 	LdapInsecure          bool   `mapstructure:"ldap-insecure"`
 	LdapSearchFilter      string `mapstructure:"ldap-search-filter"`
 	ResourcesDir          string `mapstructure:"resources-dir"`
 	DatabasePath          string `mapstructure:"database-path"`
 	TrustedProxies        string `mapstructure:"trusted-proxies"`
 	DisableAnalytics      bool   `mapstructure:"disable-analytics"`
 	DisableResources      bool   `mapstructure:"disable-resources"`
 	DisableUIWarnings     bool   `mapstructure:"disable-ui-warnings"`
 	SocketPath            string `mapstructure:"socket-path"`
 }
 type ServerConfig struct {
 	Port       int    `description:"The port on which the server listens." yaml:"port"`
 	Address    string `description:"The address on which the server listens." yaml:"address"`
 	SocketPath string `description:"The path to the Unix socket." yaml:"socketPath"`
 }
 type AuthConfig struct {
 	IP                 IPConfig `description:"IP whitelisting config options." yaml:"ip"`
 	Users              []string `description:"Comma-separated list of users (username:hashed_password)." yaml:"users"`
 	UsersFile          string   `description:"Path to the users file." yaml:"usersFile"`
 	SecureCookie       bool     `description:"Enable secure cookies." yaml:"secureCookie"`
 	SessionExpiry      int      `description:"Session expiry time in seconds." yaml:"sessionExpiry"`
 	SessionMaxLifetime int      `description:"Maximum session lifetime in seconds." yaml:"sessionMaxLifetime"`
 	LoginTimeout       int      `description:"Login timeout in seconds." yaml:"loginTimeout"`
 	LoginMaxRetries    int      `description:"Maximum login retries." yaml:"loginMaxRetries"`
 	TrustedProxies     []string `description:"Comma-separated list of trusted proxy addresses." yaml:"trustedProxies"`
 }
 type IPConfig struct {
 	Allow []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
 	Block []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
 }
 type OAuthConfig struct {
 	Whitelist    []string                      `description:"Comma-separated list of allowed OAuth domains." yaml:"whitelist"`
 	AutoRedirect string                        `description:"The OAuth provider to use for automatic redirection." yaml:"autoRedirect"`
 	Providers    map[string]OAuthServiceConfig `description:"OAuth providers configuration." yaml:"providers"`
 }
 type OIDCConfig struct {
 	PrivateKeyPath string                      `description:"Path to the private key file." yaml:"privateKeyPath"`
 	PublicKeyPath  string                      `description:"Path to the public key file." yaml:"publicKeyPath"`
 	Clients        map[string]OIDCClientConfig `description:"OIDC clients configuration." yaml:"clients"`
 }
 type UIConfig struct {
 	Title                 string `description:"The title of the UI." yaml:"title"`
 	ForgotPasswordMessage string `description:"Message displayed on the forgot password page." yaml:"forgotPasswordMessage"`
 	BackgroundImage       string `description:"Path to the background image." yaml:"backgroundImage"`
 	DisableWarnings       bool   `description:"Disable UI warnings." yaml:"disableWarnings"`
 }
 type LdapConfig struct {
 	Address       string `description:"LDAP server address." yaml:"address"`
 	BindDN        string `description:"Bind DN for LDAP authentication." yaml:"bindDn"`
 	BindPassword  string `description:"Bind password for LDAP authentication." yaml:"bindPassword"`
 	BaseDN        string `description:"Base DN for LDAP searches." yaml:"baseDn"`
 	Insecure      bool   `description:"Allow insecure LDAP connections." yaml:"insecure"`
 	SearchFilter  string `description:"LDAP search filter." yaml:"searchFilter"`
 	AuthCert      string `description:"Certificate for mTLS authentication." yaml:"authCert"`
 	AuthKey       string `description:"Certificate key for mTLS authentication." yaml:"authKey"`
 	GroupCacheTTL int    `description:"Cache duration for LDAP group membership in seconds." yaml:"groupCacheTTL"`
 }
 type LogConfig struct {
 	Level   string     `description:"Log level (trace, debug, info, warn, error)." yaml:"level"`
 	Json    bool       `description:"Enable JSON formatted logs." yaml:"json"`
 	Streams LogStreams `description:"Configuration for specific log streams." yaml:"streams"`
 }
 type LogStreams struct {
 	HTTP  LogStreamConfig `description:"HTTP request logging." yaml:"http"`
 	App   LogStreamConfig `description:"Application logging." yaml:"app"`
 	Audit LogStreamConfig `description:"Audit logging." yaml:"audit"`
 }
 type LogStreamConfig struct {
 	Enabled bool   `description:"Enable this log stream." yaml:"enabled"`
 	Level   string `description:"Log level for this stream. Use global if empty." yaml:"level"`
 }
 type ExperimentalConfig struct {
 	ConfigFile string `description:"Path to config file." yaml:"-"`
 }
 // Config loader options
 const DefaultNamePrefix = "TINYAUTH_"
 // OAuth/OIDC config
 type Claims struct {
 	Sub               string `json:"sub"`
 	Name              string `json:"name"`
 	Email             string `json:"email"`
 	PreferredUsername string `json:"preferred_username"`
@@ -55,16 +174,25 @@ type Claims struct {
 }
 type OAuthServiceConfig struct {
-	ClientID           string `field:"client-id"`
+	ClientID         string   `description:"OAuth client ID." yaml:"clientId"`
-	ClientSecret       string
+	ClientSecret     string   `description:"OAuth client secret." yaml:"clientSecret"`
-	ClientSecretFile   string
+	ClientSecretFile string   `description:"Path to the file containing the OAuth client secret." yaml:"clientSecretFile"`
-	Scopes             []string
+	Scopes           []string `description:"OAuth scopes." yaml:"scopes"`
-	RedirectURL        string `field:"redirect-url"`
+	RedirectURL      string   `description:"OAuth redirect URL." yaml:"redirectUrl"`
-	AuthURL            string `field:"auth-url"`
+	AuthURL          string   `description:"OAuth authorization URL." yaml:"authUrl"`
-	TokenURL           string `field:"token-url"`
+	TokenURL         string   `description:"OAuth token URL." yaml:"tokenUrl"`
-	UserinfoURL        string `field:"user-info-url"`
+	UserinfoURL      string   `description:"OAuth userinfo URL." yaml:"userinfoUrl"`
-	InsecureSkipVerify bool
+	Insecure         bool     `description:"Allow insecure OAuth connections." yaml:"insecure"`
-	Name               string
+	Name             string   `description:"Provider name in UI." yaml:"name"`
 }
 type OIDCClientConfig struct {
 	ID                  string   `description:"OIDC client ID." yaml:"-"`
 	ClientID            string   `description:"OIDC client ID." yaml:"clientId"`
 	ClientSecret        string   `description:"OIDC client secret." yaml:"clientSecret"`
 	ClientSecretFile    string   `description:"Path to the file containing the OIDC client secret." yaml:"clientSecretFile"`
 	TrustedRedirectURIs []string `description:"List of trusted redirect URIs." yaml:"trustedRedirectUris"`
 	Name                string   `description:"Client name in UI." yaml:"name"`
 }
 var OverrideProviders = map[string]string{
@@ -80,33 +208,30 @@ type User struct {
 	TotpSecret string
 }
 type LdapUser struct {
 	DN     string
 	Groups []string
 }
 type UserSearch struct {
 	Username string
 	Type     string // local, ldap or unknown
 }
 type SessionCookie struct {
 	UUID        string
 	Username    string
 	Name        string
 	Email       string
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	OAuthName   string
 }
 type UserContext struct {
 	Username    string
 	Name        string
 	Email       string
 	IsLoggedIn  bool
 	IsBasicAuth bool
 	OAuth       bool
 	Provider    string
 	TotpPending bool
 	OAuthGroups string
 	TotpEnabled bool
 	OAuthName   string
 	OAuthSub    string
 	LdapGroups  string
 }
 // API responses and queries
@@ -122,61 +247,60 @@ type RedirectQuery struct {
 	RedirectURI string `url:"redirect_uri"`
 }
-// Labels
+// ACLs
 type Apps struct {
-	Apps map[string]App
+	Apps map[string]App `description:"App ACLs configuration." yaml:"apps"`
 }
 type App struct {
-	Config   AppConfig
+	Config   AppConfig   `description:"App configuration." yaml:"config"`
-	Users    AppUsers
+	Users    AppUsers    `description:"User access configuration." yaml:"users"`
-	OAuth    AppOAuth
+	OAuth    AppOAuth    `description:"OAuth access configuration." yaml:"oauth"`
-	IP       AppIP
+	IP       AppIP       `description:"IP access configuration." yaml:"ip"`
-	Response AppResponse
+	Response AppResponse `description:"Response customization." yaml:"response"`
-	Path     AppPath
+	Path     AppPath     `description:"Path access configuration." yaml:"path"`
 	LDAP     AppLDAP     `description:"LDAP access configuration." yaml:"ldap"`
 }
 type AppConfig struct {
-	Domain string
+	Domain string `description:"The domain of the app." yaml:"domain"`
 }
 type AppUsers struct {
-	Allow string
+	Allow string `description:"Comma-separated list of allowed users." yaml:"allow"`
-	Block string
+	Block string `description:"Comma-separated list of blocked users." yaml:"block"`
 }
 type AppOAuth struct {
-	Whitelist string
+	Whitelist string `description:"Comma-separated list of allowed OAuth groups." yaml:"whitelist"`
-	Groups    string
+	Groups    string `description:"Comma-separated list of required OAuth groups." yaml:"groups"`
 }
 type AppLDAP struct {
 	Groups string `description:"Comma-separated list of required LDAP groups." yaml:"groups"`
 }
 type AppIP struct {
-	Allow  []string
+	Allow  []string `description:"List of allowed IPs or CIDR ranges." yaml:"allow"`
-	Block  []string
+	Block  []string `description:"List of blocked IPs or CIDR ranges." yaml:"block"`
-	Bypass []string
+	Bypass []string `description:"List of IPs or CIDR ranges that bypass authentication." yaml:"bypass"`
 }
 type AppResponse struct {
-	Headers   []string
+	Headers   []string     `description:"Custom headers to add to the response." yaml:"headers"`
-	BasicAuth AppBasicAuth
+	BasicAuth AppBasicAuth `description:"Basic authentication for the app." yaml:"basicAuth"`
 }
 type AppBasicAuth struct {
-	Username     string
+	Username     string `description:"Basic auth username." yaml:"username"`
-	Password     string
+	Password     string `description:"Basic auth password." yaml:"password"`
-	PasswordFile string
+	PasswordFile string `description:"Path to the file containing the basic auth password." yaml:"passwordFile"`
 }
 type AppPath struct {
-	Allow string
+	Allow string `description:"Comma-separated list of allowed paths." yaml:"allow"`
-	Block string
+	Block string `description:"Comma-separated list of blocked paths." yaml:"block"`
 }
 // Flags
 type Providers struct {
 	Providers map[string]OAuthServiceConfig
 }
 // API server
--- a/internal/controller/context_controller.go
+++ b/internal/controller/context_controller.go
@@ -3,10 +3,11 @@ package controller
 import (
 	"fmt"
 	"net/url"
-	"tinyauth/internal/utils"
+
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/gin-gonic/gin"
 	"github.com/rs/zerolog/log"
 )
 type UserContextResponse struct {
@@ -59,7 +60,7 @@ type ContextController struct {
 func NewContextController(config ContextControllerConfig, router *gin.RouterGroup) *ContextController {
 	if config.DisableUIWarnings {
-		log.Warn().Msg("UI warnings are disabled. This may expose users to security risks. Proceed with caution.")
+		tlog.App.Warn().Msg("UI warnings are disabled. This may expose users to security risks. Proceed with caution.")
 	}
 	return &ContextController{
@@ -91,7 +92,7 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 	}
 	if err != nil {
-		log.Debug().Err(err).Msg("No user context found in request")
+		tlog.App.Debug().Err(err).Msg("No user context found in request")
 		userContext.Status = 401
 		userContext.Message = "Unauthorized"
 		userContext.IsLoggedIn = false
@@ -105,7 +106,7 @@ func (controller *ContextController) userContextHandler(c *gin.Context) {
 func (controller *ContextController) appContextHandler(c *gin.Context) {
 	appUrl, err := url.Parse(controller.config.AppURL)
 	if err != nil {
-		log.Error().Err(err).Msg("Failed to parse app URL")
+		tlog.App.Error().Err(err).Msg("Failed to parse app URL")
 		c.JSON(500, gin.H{
 			"status":  500,
 			"message": "Internal Server Error",
--- a/internal/controller/context_controller_test.go
+++ b/internal/controller/context_controller_test.go
@@ -4,18 +4,20 @@ import (
 	"encoding/json"
 	"net/http/httptest"
 	"testing"
-	"tinyauth/internal/config"
+
-	"tinyauth/internal/controller"
+	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/gin-gonic/gin"
 	"gotest.tools/v3/assert"
 )
-var controllerCfg = controller.ContextControllerConfig{
+var contextControllerCfg = controller.ContextControllerConfig{
 	Providers: []controller.Provider{
 		{
-			Name:  "Username",
+			Name:  "Local",
-			ID:    "username",
+			ID:    "local",
 			OAuth: false,
 		},
 		{
@@ -33,19 +35,23 @@ var controllerCfg = controller.ContextControllerConfig{
 	DisableUIWarnings:     false,
 }
-var userContext = config.UserContext{
+var contextCtrlTestContext = config.UserContext{
 	Username:    "testuser",
 	Name:        "testuser",
 	Email:       "test@example.com",
 	IsLoggedIn:  true,
 	IsBasicAuth: false,
 	OAuth:       false,
-	Provider:    "username",
+	Provider:    "local",
 	TotpPending: false,
 	OAuthGroups: "",
 	TotpEnabled: false,
 	OAuthSub:    "",
 }
 func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httptest.ResponseRecorder) {
 	tlog.NewSimpleLogger().Init()
 	// Setup
 	gin.SetMode(gin.TestMode)
 	router := gin.Default()
@@ -59,7 +65,7 @@ func setupContextController(middlewares *[]gin.HandlerFunc) (*gin.Engine, *httpt
 	group := router.Group("/api")
-	ctrl := controller.NewContextController(controllerCfg, group)
+	ctrl := controller.NewContextController(contextControllerCfg, group)
 	ctrl.SetupRoutes()
 	return router, recorder
@@ -69,14 +75,14 @@ func TestAppContextHandler(t *testing.T) {
 	expectedRes := controller.AppContextResponse{
 		Status:                200,
 		Message:               "Success",
-		Providers:             controllerCfg.Providers,
+		Providers:             contextControllerCfg.Providers,
-		Title:                 controllerCfg.Title,
+		Title:                 contextControllerCfg.Title,
-		AppURL:                controllerCfg.AppURL,
+		AppURL:                contextControllerCfg.AppURL,
-		CookieDomain:          controllerCfg.CookieDomain,
+		CookieDomain:          contextControllerCfg.CookieDomain,
-		ForgotPasswordMessage: controllerCfg.ForgotPasswordMessage,
+		ForgotPasswordMessage: contextControllerCfg.ForgotPasswordMessage,
-		BackgroundImage:       controllerCfg.BackgroundImage,
+		BackgroundImage:       contextControllerCfg.BackgroundImage,
-		OAuthAutoRedirect:     controllerCfg.OAuthAutoRedirect,
+		OAuthAutoRedirect:     contextControllerCfg.OAuthAutoRedirect,
-		DisableUIWarnings:     controllerCfg.DisableUIWarnings,
+		DisableUIWarnings:     contextControllerCfg.DisableUIWarnings,
 	}
 	router, recorder := setupContextController(nil)
@@ -97,20 +103,20 @@ func TestUserContextHandler(t *testing.T) {
 	expectedRes := controller.UserContextResponse{
 		Status:      200,
 		Message:     "Success",
-		IsLoggedIn:  userContext.IsLoggedIn,
+		IsLoggedIn:  contextCtrlTestContext.IsLoggedIn,
-		Username:    userContext.Username,
+		Username:    contextCtrlTestContext.Username,
-		Name:        userContext.Name,
+		Name:        contextCtrlTestContext.Name,
-		Email:       userContext.Email,
+		Email:       contextCtrlTestContext.Email,
-		Provider:    userContext.Provider,
+		Provider:    contextCtrlTestContext.Provider,
-		OAuth:       userContext.OAuth,
+		OAuth:       contextCtrlTestContext.OAuth,
-		TotpPending: userContext.TotpPending,
+		TotpPending: contextCtrlTestContext.TotpPending,
-		OAuthName:   userContext.OAuthName,
+		OAuthName:   contextCtrlTestContext.OAuthName,
 	}
 	// Test with context
 	router, recorder := setupContextController(&[]gin.HandlerFunc{
 		func(c *gin.Context) {
-			c.Set("context", &userContext)
+			c.Set("context", &contextCtrlTestContext)
 			c.Next()
 		},
 	})
--- a/internal/controller/oauth_controller.go
+++ b/internal/controller/oauth_controller.go
@@ -5,13 +5,15 @@ import (
 	"net/http"
 	"strings"
 	"time"
-	"tinyauth/internal/config"
+
-	"tinyauth/internal/service"
+	"github.com/steveiliop56/tinyauth/internal/config"
-	"tinyauth/internal/utils"
+	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
 	"github.com/rs/zerolog/log"
 )
 type OAuthRequest struct {
@@ -53,7 +55,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	err := c.BindUri(&req)
 	if err != nil {
-		log.Error().Err(err).Msg("Failed to bind URI")
+		tlog.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -64,7 +66,7 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	service, exists := controller.broker.GetService(req.Provider)
 	if !exists {
-		log.Warn().Msgf("OAuth provider not found: %s", req.Provider)
+		tlog.App.Warn().Msgf("OAuth provider not found: %s", req.Provider)
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Not Found",
@@ -81,12 +83,12 @@ func (controller *OAuthController) oauthURLHandler(c *gin.Context) {
 	isRedirectSafe := utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain)
 	if !isRedirectSafe {
-		log.Warn().Str("redirect_uri", redirectURI).Msg("Unsafe redirect URI detected, ignoring")
+		tlog.App.Warn().Str("redirect_uri", redirectURI).Msg("Unsafe redirect URI detected, ignoring")
 		redirectURI = ""
 	}
 	if redirectURI != "" && isRedirectSafe {
-		log.Debug().Msg("Setting redirect URI cookie")
+		tlog.App.Debug().Msg("Setting redirect URI cookie")
 		c.SetCookie(controller.config.RedirectCookieName, redirectURI, int(time.Hour.Seconds()), "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 	}
@@ -102,7 +104,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	err := c.BindUri(&req)
 	if err != nil {
-		log.Error().Err(err).Msg("Failed to bind URI")
+		tlog.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
@@ -114,7 +116,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	csrfCookie, err := c.Cookie(controller.config.CSRFCookieName)
 	if err != nil || state != csrfCookie {
-		log.Warn().Err(err).Msg("CSRF token mismatch or cookie missing")
+		tlog.App.Warn().Err(err).Msg("CSRF token mismatch or cookie missing")
 		c.SetCookie(controller.config.CSRFCookieName, "", -1, "/", fmt.Sprintf(".%s", controller.config.CookieDomain), controller.config.SecureCookie, true)
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
@@ -126,14 +128,14 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	service, exists := controller.broker.GetService(req.Provider)
 	if !exists {
-		log.Warn().Msgf("OAuth provider not found: %s", req.Provider)
+		tlog.App.Warn().Msgf("OAuth provider not found: %s", req.Provider)
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 	err = service.VerifyCode(code)
 	if err != nil {
-		log.Error().Err(err).Msg("Failed to verify OAuth code")
+		tlog.App.Error().Err(err).Msg("Failed to verify OAuth code")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
@@ -141,26 +143,27 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	user, err := controller.broker.GetUser(req.Provider)
 	if err != nil {
-		log.Error().Err(err).Msg("Failed to get user from OAuth provider")
+		tlog.App.Error().Err(err).Msg("Failed to get user from OAuth provider")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 	if user.Email == "" {
-		log.Error().Msg("OAuth provider did not return an email")
+		tlog.App.Error().Msg("OAuth provider did not return an email")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 	if !controller.auth.IsEmailWhitelisted(user.Email) {
-		log.Warn().Str("email", user.Email).Msg("Email not whitelisted")
+		tlog.App.Warn().Str("email", user.Email).Msg("Email not whitelisted")
 		tlog.AuditLoginFailure(c, user.Email, req.Provider, "email not whitelisted")
 		queries, err := query.Values(config.UnauthorizedQuery{
 			Username: user.Email,
 		})
 		if err != nil {
-			log.Error().Err(err).Msg("Failed to encode unauthorized query")
+			tlog.App.Error().Err(err).Msg("Failed to encode unauthorized query")
 			c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 			return
 		}
@@ -172,46 +175,49 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	var name string
 	if strings.TrimSpace(user.Name) != "" {
-		log.Debug().Msg("Using name from OAuth provider")
+		tlog.App.Debug().Msg("Using name from OAuth provider")
 		name = user.Name
 	} else {
-		log.Debug().Msg("No name from OAuth provider, using pseudo name")
+		tlog.App.Debug().Msg("No name from OAuth provider, using pseudo name")
 		name = fmt.Sprintf("%s (%s)", utils.Capitalize(strings.Split(user.Email, "@")[0]), strings.Split(user.Email, "@")[1])
 	}
 	var username string
 	if strings.TrimSpace(user.PreferredUsername) != "" {
-		log.Debug().Msg("Using preferred username from OAuth provider")
+		tlog.App.Debug().Msg("Using preferred username from OAuth provider")
 		username = user.PreferredUsername
 	} else {
-		log.Debug().Msg("No preferred username from OAuth provider, using pseudo username")
+		tlog.App.Debug().Msg("No preferred username from OAuth provider, using pseudo username")
-		username = strings.Replace(user.Email, "@", "_", -1)
+		username = strings.Replace(user.Email, "@", "_", 1)
 	}
-	sessionCookie := config.SessionCookie{
+	sessionCookie := repository.Session{
 		Username:    username,
 		Name:        name,
 		Email:       user.Email,
 		Provider:    req.Provider,
 		OAuthGroups: utils.CoalesceToString(user.Groups),
 		OAuthName:   service.GetName(),
 		OAuthSub:    user.Sub,
 	}
-	log.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
+	tlog.App.Trace().Interface("session_cookie", sessionCookie).Msg("Creating session cookie")
 	err = controller.auth.CreateSessionCookie(c, &sessionCookie)
 	if err != nil {
-		log.Error().Err(err).Msg("Failed to create session cookie")
+		tlog.App.Error().Err(err).Msg("Failed to create session cookie")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
 	tlog.AuditLoginSuccess(c, sessionCookie.Username, sessionCookie.Provider)
 	redirectURI, err := c.Cookie(controller.config.RedirectCookieName)
 	if err != nil || !utils.IsRedirectSafe(redirectURI, controller.config.CookieDomain) {
-		log.Debug().Msg("No redirect URI cookie found, redirecting to app root")
+		tlog.App.Debug().Msg("No redirect URI cookie found, redirecting to app root")
 		c.Redirect(http.StatusTemporaryRedirect, controller.config.AppURL)
 		return
 	}
@@ -221,7 +227,7 @@ func (controller *OAuthController) oauthCallbackHandler(c *gin.Context) {
 	})
 	if err != nil {
-		log.Error().Err(err).Msg("Failed to encode redirect URI query")
+		tlog.App.Error().Err(err).Msg("Failed to encode redirect URI query")
 		c.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s/error", controller.config.AppURL))
 		return
 	}
--- a/internal/controller/oidc_controller.go
+++ b/internal/controller/oidc_controller.go
@@ -0,0 +1,458 @@
 package controller
 import (
 	"crypto/rand"
 	"errors"
 	"fmt"
 	"net/http"
 	"slices"
 	"strings"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 )
 type OIDCControllerConfig struct{}
 type OIDCController struct {
 	config OIDCControllerConfig
 	router *gin.RouterGroup
 	oidc   *service.OIDCService
 }
 type AuthorizeCallback struct {
 	Code  string `url:"code"`
 	State string `url:"state"`
 }
 type TokenRequest struct {
 	GrantType    string `form:"grant_type" binding:"required" url:"grant_type"`
 	Code         string `form:"code" url:"code"`
 	RedirectURI  string `form:"redirect_uri" url:"redirect_uri"`
 	RefreshToken string `form:"refresh_token" url:"refresh_token"`
 	ClientSecret string `form:"client_secret" url:"client_secret"`
 	ClientID     string `form:"client_id" url:"client_id"`
 }
 type CallbackError struct {
 	Error            string `url:"error"`
 	ErrorDescription string `url:"error_description"`
 	State            string `url:"state"`
 }
 type ErrorScreen struct {
 	Error string `url:"error"`
 }
 type ClientRequest struct {
 	ClientID string `uri:"id" binding:"required"`
 }
 type ClientCredentials struct {
 	ClientID     string
 	ClientSecret string
 }
 func NewOIDCController(config OIDCControllerConfig, oidcService *service.OIDCService, router *gin.RouterGroup) *OIDCController {
 	return &OIDCController{
 		config: config,
 		oidc:   oidcService,
 		router: router,
 	}
 }
 func (controller *OIDCController) SetupRoutes() {
 	oidcGroup := controller.router.Group("/oidc")
 	oidcGroup.GET("/clients/:id", controller.GetClientInfo)
 	oidcGroup.POST("/authorize", controller.Authorize)
 	oidcGroup.POST("/token", controller.Token)
 	oidcGroup.GET("/userinfo", controller.Userinfo)
 }
 func (controller *OIDCController) GetClientInfo(c *gin.Context) {
 	var req ClientRequest
 	err := c.BindUri(&req)
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to bind URI")
 		c.JSON(400, gin.H{
 			"status":  400,
 			"message": "Bad Request",
 		})
 		return
 	}
 	client, ok := controller.oidc.GetClient(req.ClientID)
 	if !ok {
 		tlog.App.Warn().Str("client_id", req.ClientID).Msg("Client not found")
 		c.JSON(404, gin.H{
 			"status":  404,
 			"message": "Client not found",
 		})
 		return
 	}
 	c.JSON(200, gin.H{
 		"status": 200,
 		"client": client.ClientID,
 		"name":   client.Name,
 	})
 }
 func (controller *OIDCController) Authorize(c *gin.Context) {
 	if !controller.oidc.IsConfigured() {
 		controller.authorizeError(c, errors.New("err_oidc_not_configured"), "OIDC not configured", "This instance is not configured for OIDC", "", "", "")
 		return
 	}
 	userContext, err := utils.GetContext(c)
 	if err != nil {
 		controller.authorizeError(c, err, "Failed to get user context", "User is not logged in or the session is invalid", "", "", "")
 		return
 	}
 	var req service.AuthorizeRequest
 	err = c.BindJSON(&req)
 	if err != nil {
 		controller.authorizeError(c, err, "Failed to bind JSON", "The client provided an invalid authorization request", "", "", "")
 		return
 	}
 	client, ok := controller.oidc.GetClient(req.ClientID)
 	if !ok {
 		controller.authorizeError(c, err, "Client not found", "The client ID is invalid", "", "", "")
 		return
 	}
 	err = controller.oidc.ValidateAuthorizeParams(req)
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to validate authorize params")
 		if err.Error() != "invalid_request_uri" {
 			controller.authorizeError(c, err, "Failed validate authorize params", "Invalid request parameters", req.RedirectURI, err.Error(), req.State)
 			return
 		}
 		controller.authorizeError(c, err, "Redirect URI not trusted", "The provided redirect URI is not trusted", "", "", "")
 		return
 	}
 	// WARNING: Since Tinyauth is stateless, we cannot have a sub that never changes. We will just create a uuid out of the username and client name which remains stable, but if username or client name changes then sub changes too.
 	sub := utils.GenerateUUID(fmt.Sprintf("%s:%s", userContext.Username, client.ID))
 	code := rand.Text()
 	// Before storing the code, delete old session
 	err = controller.oidc.DeleteOldSession(c, sub)
 	if err != nil {
 		controller.authorizeError(c, err, "Failed to delete old sessions", "Failed to delete old sessions", req.RedirectURI, "server_error", req.State)
 		return
 	}
 	err = controller.oidc.StoreCode(c, sub, code, req)
 	if err != nil {
 		controller.authorizeError(c, err, "Failed to store code", "Failed to store code", req.RedirectURI, "server_error", req.State)
 		return
 	}
 	// We also need a snapshot of the user that authorized this (skip if no openid scope)
 	if slices.Contains(strings.Fields(req.Scope), "openid") {
 		err = controller.oidc.StoreUserinfo(c, sub, userContext, req)
 		if err != nil {
 			tlog.App.Error().Err(err).Msg("Failed to insert user info into database")
 			controller.authorizeError(c, err, "Failed to store user info", "Failed to store user info", req.RedirectURI, "server_error", req.State)
 			return
 		}
 	}
 	queries, err := query.Values(AuthorizeCallback{
 		Code:  code,
 		State: req.State,
 	})
 	if err != nil {
 		controller.authorizeError(c, err, "Failed to build query", "Failed to build query", req.RedirectURI, "server_error", req.State)
 		return
 	}
 	c.JSON(200, gin.H{
 		"status":       200,
 		"redirect_uri": fmt.Sprintf("%s?%s", req.RedirectURI, queries.Encode()),
 	})
 }
 func (controller *OIDCController) Token(c *gin.Context) {
 	if !controller.oidc.IsConfigured() {
 		tlog.App.Warn().Msg("OIDC not configured")
 		c.JSON(404, gin.H{
 			"error": "not_found",
 		})
 		return
 	}
 	var req TokenRequest
 	err := c.Bind(&req)
 	if err != nil {
 		tlog.App.Error().Err(err).Msg("Failed to bind token request")
 		c.JSON(400, gin.H{
 			"error": "invalid_request",
 		})
 		return
 	}
 	err = controller.oidc.ValidateGrantType(req.GrantType)
 	if err != nil {
 		tlog.App.Warn().Str("grant_type", req.GrantType).Msg("Unsupported grant type")
 		c.JSON(400, gin.H{
 			"error": err.Error(),
 		})
 		return
 	}
 	// First we try form values
 	creds := ClientCredentials{
 		ClientID:     req.ClientID,
 		ClientSecret: req.ClientSecret,
 	}
 	// If it fails, we try basic auth
 	if creds.ClientID == "" || creds.ClientSecret == "" {
 		tlog.App.Debug().Msg("Tried form values and they are empty, trying basic auth")
 		clientId, clientSecret, ok := c.Request.BasicAuth()
 		if !ok {
 			tlog.App.Error().Msg("Missing authorization header")
 			c.Header("www-authenticate", "basic")
 			c.JSON(401, gin.H{
 				"error": "invalid_client",
 			})
 			return
 		}
 		creds.ClientID = clientId
 		creds.ClientSecret = clientSecret
 	}
 	// END - we don't support other authentication methods
 	client, ok := controller.oidc.GetClient(creds.ClientID)
 	if !ok {
 		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Client not found")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
 		return
 	}
 	if client.ClientSecret != creds.ClientSecret {
 		tlog.App.Warn().Str("client_id", creds.ClientID).Msg("Invalid client secret")
 		c.JSON(400, gin.H{
 			"error": "invalid_client",
 		})
 		return
 	}
 	var tokenResponse service.TokenResponse
 	switch req.GrantType {
 	case "authorization_code":
 		entry, err := controller.oidc.GetCodeEntry(c, controller.oidc.Hash(req.Code))
 		if err != nil {
 			if errors.Is(err, service.ErrCodeNotFound) {
 				tlog.App.Warn().Msg("Code not found")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrCodeExpired) {
 				tlog.App.Warn().Msg("Code expired")
 				c.JSON(400, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			tlog.App.Warn().Err(err).Msg("Failed to get OIDC code entry")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
 			return
 		}
 		if entry.RedirectURI != req.RedirectURI {
 			tlog.App.Warn().Str("redirect_uri", req.RedirectURI).Msg("Redirect URI mismatch")
 			c.JSON(400, gin.H{
 				"error": "invalid_grant",
 			})
 			return
 		}
 		tokenRes, err := controller.oidc.GenerateAccessToken(c, client, entry.Sub, entry.Scope)
 		if err != nil {
 			tlog.App.Error().Err(err).Msg("Failed to generate access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
 			return
 		}
 		tokenResponse = tokenRes
 	case "refresh_token":
 		tokenRes, err := controller.oidc.RefreshAccessToken(c, req.RefreshToken, creds.ClientID)
 		if err != nil {
 			if errors.Is(err, service.ErrTokenExpired) {
 				tlog.App.Error().Err(err).Msg("Refresh token expired")
 				c.JSON(401, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			if errors.Is(err, service.ErrInvalidClient) {
 				tlog.App.Error().Err(err).Msg("Invalid client")
 				c.JSON(401, gin.H{
 					"error": "invalid_grant",
 				})
 				return
 			}
 			tlog.App.Error().Err(err).Msg("Failed to refresh access token")
 			c.JSON(400, gin.H{
 				"error": "server_error",
 			})
 			return
 		}
 		tokenResponse = tokenRes
 	}
 	c.JSON(200, tokenResponse)
 }
 func (controller *OIDCController) Userinfo(c *gin.Context) {
 	if !controller.oidc.IsConfigured() {
 		tlog.App.Warn().Msg("OIDC not configured")
 		c.JSON(404, gin.H{
 			"error": "not_found",
 		})
 		return
 	}
 	authorization := c.GetHeader("Authorization")
 	tokenType, token, ok := strings.Cut(authorization, " ")
 	if !ok {
 		tlog.App.Warn().Msg("OIDC userinfo accessed without authorization header")
 		c.JSON(401, gin.H{
 			"error": "invalid_grant",
 		})
 		return
 	}
 	if strings.ToLower(tokenType) != "bearer" {
 		tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token type")
 		c.JSON(401, gin.H{
 			"error": "invalid_grant",
 		})
 		return
 	}
 	entry, err := controller.oidc.GetAccessToken(c, controller.oidc.Hash(token))
 	if err != nil {
 		if err == service.ErrTokenNotFound {
 			tlog.App.Warn().Msg("OIDC userinfo accessed with invalid token")
 			c.JSON(401, gin.H{
 				"error": "invalid_grant",
 			})
 			return
 		}
 		tlog.App.Err(err).Msg("Failed to get token entry")
 		c.JSON(401, gin.H{
 			"error": "server_error",
 		})
 		return
 	}
 	// If we don't have the openid scope, return an error
 	if !slices.Contains(strings.Split(entry.Scope, ","), "openid") {
 		tlog.App.Warn().Msg("OIDC userinfo accessed without openid scope")
 		c.JSON(401, gin.H{
 			"error": "invalid_scope",
 		})
 		return
 	}
 	user, err := controller.oidc.GetUserinfo(c, entry.Sub)
 	if err != nil {
 		tlog.App.Err(err).Msg("Failed to get user entry")
 		c.JSON(401, gin.H{
 			"error": "server_error",
 		})
 		return
 	}
 	c.JSON(200, controller.oidc.CompileUserinfo(user, entry.Scope))
 }
 func (controller *OIDCController) authorizeError(c *gin.Context, err error, reason string, reasonUser string, callback string, callbackError string, state string) {
 	tlog.App.Error().Err(err).Msg(reason)
 	if callback != "" {
 		errorQueries := CallbackError{
 			Error: callbackError,
 		}
 		if reasonUser != "" {
 			errorQueries.ErrorDescription = reasonUser
 		}
 		if state != "" {
 			errorQueries.State = state
 		}
 		queries, err := query.Values(errorQueries)
 		if err != nil {
 			c.AbortWithStatus(http.StatusInternalServerError)
 			return
 		}
 		c.JSON(200, gin.H{
 			"status":       200,
 			"redirect_uri": fmt.Sprintf("%s?%s", callback, queries.Encode()),
 		})
 		return
 	}
 	errorQueries := ErrorScreen{
 		Error: reasonUser,
 	}
 	queries, err := query.Values(errorQueries)
 	if err != nil {
 		c.AbortWithStatus(http.StatusInternalServerError)
 		return
 	}
 	c.JSON(200, gin.H{
 		"status":       200,
 		"redirect_uri": fmt.Sprintf("%s/error?%s", controller.oidc.GetIssuer(), queries.Encode()),
 	})
 }
--- a/internal/controller/oidc_controller_test.go
+++ b/internal/controller/oidc_controller_test.go
@@ -0,0 +1,281 @@
 package controller_test
 import (
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"net/url"
 	"strings"
 	"testing"
 	"github.com/gin-gonic/gin"
 	"github.com/google/go-querystring/query"
 	"github.com/steveiliop56/tinyauth/internal/bootstrap"
 	"github.com/steveiliop56/tinyauth/internal/config"
 	"github.com/steveiliop56/tinyauth/internal/controller"
 	"github.com/steveiliop56/tinyauth/internal/repository"
 	"github.com/steveiliop56/tinyauth/internal/service"
 	"github.com/steveiliop56/tinyauth/internal/utils/tlog"
 	"gotest.tools/v3/assert"
 )
 var oidcServiceConfig = service.OIDCServiceConfig{
 	Clients: map[string]config.OIDCClientConfig{
 		"client1": {
 			ClientID:         "some-client-id",
 			ClientSecret:     "some-client-secret",
 			ClientSecretFile: "",
 			TrustedRedirectURIs: []string{
 				"https://example.com/oauth/callback",
 			},
 			Name: "Client 1",
 		},
 	},
 	PrivateKeyPath: "/tmp/tinyauth_oidc_key",
 	PublicKeyPath:  "/tmp/tinyauth_oidc_key.pub",
 	Issuer:         "https://example.com",
 	SessionExpiry:  3600,
 }
 var oidcCtrlTestContext = config.UserContext{
 	Username:    "test",
 	Name:        "Test",
 	Email:       "test@example.com",
 	IsLoggedIn:  true,
 	IsBasicAuth: false,
 	OAuth:       false,
 	Provider:    "ldap", // ldap in order to test the groups
 	TotpPending: false,
 	OAuthGroups: "",
 	TotpEnabled: false,
 	OAuthName:   "",
 	OAuthSub:    "",
 	LdapGroups:  "test1,test2",
 }
 // Test is not amazing, but it will confirm the OIDC server works
 func TestOIDCController(t *testing.T) {
 	tlog.NewSimpleLogger().Init()
 	// Create an app instance
 	app := bootstrap.NewBootstrapApp(config.Config{})
 	// Get db
 	db, err := app.SetupDatabase("/tmp/tinyauth.db")
 	assert.NilError(t, err)
 	// Create queries
 	queries := repository.New(db)
 	// Create a new OIDC Servicee
 	oidcService := service.NewOIDCService(oidcServiceConfig, queries)
 	err = oidcService.Init()
 	assert.NilError(t, err)
 	// Create test router
 	gin.SetMode(gin.TestMode)
 	router := gin.Default()
 	router.Use(func(c *gin.Context) {
 		c.Set("context", &oidcCtrlTestContext)
 		c.Next()
 	})
 	group := router.Group("/api")
 	// Register oidc controller
 	oidcController := controller.NewOIDCController(controller.OIDCControllerConfig{}, oidcService, group)
 	oidcController.SetupRoutes()
 	// Get redirect URL test
 	recorder := httptest.NewRecorder()
 	marshalled, err := json.Marshal(service.AuthorizeRequest{
 		Scope:        "openid profile email groups",
 		ResponseType: "code",
 		ClientID:     "some-client-id",
 		RedirectURI:  "https://example.com/oauth/callback",
 		State:        "some-state",
 	})
 	assert.NilError(t, err)
 	req, err := http.NewRequest("POST", "/api/oidc/authorize", strings.NewReader(string(marshalled)))
 	assert.NilError(t, err)
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	resJson := map[string]any{}
 	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
 	assert.NilError(t, err)
 	redirect_uri, ok := resJson["redirect_uri"].(string)
 	assert.Assert(t, ok)
 	u, err := url.Parse(redirect_uri)
 	assert.NilError(t, err)
 	m, err := url.ParseQuery(u.RawQuery)
 	assert.NilError(t, err)
 	assert.Equal(t, m["state"][0], "some-state")
 	code := m["code"][0]
 	// Exchange code for token
 	recorder = httptest.NewRecorder()
 	params, err := query.Values(controller.TokenRequest{
 		GrantType:   "authorization_code",
 		Code:        code,
 		RedirectURI: "https://example.com/oauth/callback",
 	})
 	assert.NilError(t, err)
 	req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))
 	assert.NilError(t, err)
 	req.Header.Set("content-type", "application/x-www-form-urlencoded")
 	req.SetBasicAuth("some-client-id", "some-client-secret")
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	resJson = map[string]any{}
 	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
 	assert.NilError(t, err)
 	accessToken, ok := resJson["access_token"].(string)
 	assert.Assert(t, ok)
 	_, ok = resJson["id_token"].(string)
 	assert.Assert(t, ok)
 	refreshToken, ok := resJson["refresh_token"].(string)
 	assert.Assert(t, ok)
 	expires_in, ok := resJson["expires_in"].(float64)
 	assert.Assert(t, ok)
 	assert.Equal(t, expires_in, float64(oidcServiceConfig.SessionExpiry))
 	// Ensure code is expired
 	recorder = httptest.NewRecorder()
 	params, err = query.Values(controller.TokenRequest{
 		GrantType:   "authorization_code",
 		Code:        code,
 		RedirectURI: "https://example.com/oauth/callback",
 	})
 	assert.NilError(t, err)
 	req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))
 	assert.NilError(t, err)
 	req.Header.Set("content-type", "application/x-www-form-urlencoded")
 	req.SetBasicAuth("some-client-id", "some-client-secret")
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusBadRequest, recorder.Code)
 	// Test userinfo
 	recorder = httptest.NewRecorder()
 	req, err = http.NewRequest("GET", "/api/oidc/userinfo", nil)
 	assert.NilError(t, err)
 	req.Header.Set("authorization", fmt.Sprintf("Bearer %s", accessToken))
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	resJson = map[string]any{}
 	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
 	assert.NilError(t, err)
 	_, ok = resJson["sub"].(string)
 	assert.Assert(t, ok)
 	name, ok := resJson["name"].(string)
 	assert.Assert(t, ok)
 	assert.Equal(t, name, oidcCtrlTestContext.Name)
 	email, ok := resJson["email"].(string)
 	assert.Assert(t, ok)
 	assert.Equal(t, email, oidcCtrlTestContext.Email)
 	preferred_username, ok := resJson["preferred_username"].(string)
 	assert.Assert(t, ok)
 	assert.Equal(t, preferred_username, oidcCtrlTestContext.Username)
 	// Not sure why this is failing, will look into it later
 	igroups, ok := resJson["groups"].([]any)
 	assert.Assert(t, ok)
 	groups := make([]string, len(igroups))
 	for i, group := range igroups {
 		groups[i], ok = group.(string)
 		assert.Assert(t, ok)
 	}
 	assert.DeepEqual(t, strings.Split(oidcCtrlTestContext.LdapGroups, ","), groups)
 	// Test refresh token
 	recorder = httptest.NewRecorder()
 	params, err = query.Values(controller.TokenRequest{
 		GrantType:    "refresh_token",
 		RefreshToken: refreshToken,
 	})
 	assert.NilError(t, err)
 	req, err = http.NewRequest("POST", "/api/oidc/token", strings.NewReader(params.Encode()))
 	assert.NilError(t, err)
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.SetBasicAuth("some-client-id", "some-client-secret")
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 	resJson = map[string]any{}
 	err = json.Unmarshal(recorder.Body.Bytes(), &resJson)
 	assert.NilError(t, err)
 	newToken, ok := resJson["access_token"].(string)
 	assert.Assert(t, ok)
 	assert.Assert(t, newToken != accessToken)
 	// Ensure old token is invalid
 	recorder = httptest.NewRecorder()
 	req, err = http.NewRequest("GET", "/api/oidc/userinfo", nil)
 	assert.NilError(t, err)
 	req.Header.Set("authorization", fmt.Sprintf("Bearer %s", accessToken))
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusUnauthorized, recorder.Code)
 	// Test new token
 	recorder = httptest.NewRecorder()
 	req, err = http.NewRequest("GET", "/api/oidc/userinfo", nil)
 	assert.NilError(t, err)
 	req.Header.Set("authorization", fmt.Sprintf("Bearer %s", newToken))
 	router.ServeHTTP(recorder, req)
 	assert.Equal(t, http.StatusOK, recorder.Code)
 }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1 @@`
							`ALTER TABLE "sessions" DROP COLUMN "oauth_sub";`
		`@@ -0,0 +1 @@`
							`ALTER TABLE "sessions" ADD COLUMN "oauth_sub" TEXT;`
		`@@ -0,0 +1 @@`
							`ALTER TABLE "sessions" DROP COLUMN "created_at";`
		`@@ -0,0 +1 @@`
							`ALTER TABLE "sessions" ADD COLUMN "created_at" INTEGER NOT NULL DEFAULT 0;`