feat: forward sub from oidc providers (#543 )

* feat: forward sub from oidc providers * fix: review comments
feat: refresh session cookie when session is active (#540 )
2026-01-25 08:42:30 +00:00 · 2025-12-26 19:02:51 +02:00 · 2025-12-26 17:55:54 +02:00 · 2025-12-26 17:53:24 +02:00 · 2025-12-23 23:10:33 +02:00 · 2025-12-22 22:28:34 +02:00
219 changed files with 12248 additions and 11427 deletions
--- a/.coderabbit.yaml
+++ b/.coderabbit.yaml
@@ -0,0 +1,3 @@
+issue_enrichment:
+  auto_enrich:
+    enabled: false
--- a/.env.example
+++ b/.env.example
@@ -1,31 +1,86 @@
-PORT=3000
-ADDRESS=0.0.0.0
-SECRET=app_secret
-SECRET_FILE=app_secret_file
-APP_URL=http://localhost:3000
-USERS=your_user_password_hash
-USERS_FILE=users_file
-COOKIE_SECURE=false
-GITHUB_CLIENT_ID=github_client_id
-GITHUB_CLIENT_SECRET=github_client_secret
-GITHUB_CLIENT_SECRET_FILE=github_client_secret_file
-GOOGLE_CLIENT_ID=google_client_id
-GOOGLE_CLIENT_SECRET=google_client_secret
-GOOGLE_CLIENT_SECRET_FILE=google_client_secret_file
-GENERIC_CLIENT_ID=generic_client_id
-GENERIC_CLIENT_SECRET=generic_client_secret
-GENERIC_CLIENT_SECRET_FILE=generic_client_secret_file
-GENERIC_SCOPES=generic_scopes
-GENERIC_AUTH_URL=generic_auth_url
-GENERIC_TOKEN_URL=generic_token_url
-GENERIC_USER_URL=generic_user_url
-DISABLE_CONTINUE=false
-OAUTH_WHITELIST=
-GENERIC_NAME=My OAuth
-SESSION_EXPIRY=7200
-LOGIN_TIMEOUT=300
-LOGIN_MAX_RETRIES=5
-LOG_LEVEL=0
-APP_TITLE=Tinyauth SSO
-FORGOT_PASSWORD_MESSAGE=Some message about resetting the password
-OAUTH_AUTO_REDIRECT=none
+# Base Configuration
+
+# The base URL where Tinyauth is accessible
+TINYAUTH_APPURL="https://auth.example.com"
+# Log level: trace, debug, info, warn, error
+TINYAUTH_LOGLEVEL="info"
+# Directory for static resources
+TINYAUTH_RESOURCESDIR="/data/resources"
+# Path to SQLite database file
+TINYAUTH_DATABASEPATH="/data/tinyauth.db"
+# Disable version heartbeat
+TINYAUTH_DISABLEANALYTICS="false"
+# Disable static resource serving
+TINYAUTH_DISABLERESOURCES="false"
+# Disable UI warning messages
+TINYAUTH_DISABLEUIWARNINGS="false"
+# Enable JSON formatted logs
+TINYAUTH_LOGJSON="false"
+
+# Server Configuration
+
+# Port to listen on
+TINYAUTH_SERVER_PORT="3000"
+# Interface to bind to (0.0.0.0 for all interfaces)
+TINYAUTH_SERVER_ADDRESS="0.0.0.0"
+# Unix socket path (optional, overrides port/address if set)
+TINYAUTH_SERVER_SOCKETPATH=""
+# Comma-separated list of trusted proxy IPs/CIDRs
+TINYAUTH_SERVER_TRUSTEDPROXIES=""
+
+# Authentication Configuration
+
+# Format: username:bcrypt_hash (use bcrypt to generate hash)
+TINYAUTH_AUTH_USERS="admin:$2a$10$example_bcrypt_hash_here"
+# Path to external users file (optional)
+TINYAUTH_USERSFILE=""
+# Enable secure cookies (requires HTTPS)
+TINYAUTH_SECURECOOKIE="true"
+# Session expiry in seconds (7200 = 2 hours)
+TINYAUTH_SESSIONEXPIRY="7200"
+# Login timeout in seconds (300 = 5 minutes)
+TINYAUTH_LOGINTIMEOUT="300"
+# Maximum login retries before lockout
+TINYAUTH_LOGINMAXRETRIES="5"
+
+# OAuth Configuration
+
+# Regex pattern for allowed email addresses (e.g., /@example\.com$/)
+TINYAUTH_OAUTH_WHITELIST=""
+# Provider ID to auto-redirect to (skips login page)
+TINYAUTH_OAUTH_AUTOREDIRECT=""
+# OAuth Provider Configuration (replace MYPROVIDER with your provider name)
+TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_CLIENTID="your_client_id_here"
+TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_CLIENTSECRET="your_client_secret_here"
+TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_AUTHURL="https://provider.example.com/oauth/authorize"
+TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_TOKENURL="https://provider.example.com/oauth/token"
+TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_USERINFOURL="https://provider.example.com/oauth/userinfo"
+TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_REDIRECTURL="https://auth.example.com/oauth/callback/myprovider"
+TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_SCOPES="openid email profile"
+TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_NAME="My OAuth Provider"
+# Allow self-signed certificates
+TINYAUTH_OAUTH_PROVIDERS_MYPROVIDER_INSECURE="false"
+
+# UI Customization
+
+# Custom title for login page
+TINYAUTH_UI_TITLE="Tinyauth"
+# Message shown on forgot password page
+TINYAUTH_UI_FORGOTPASSWORDMESSAGE="Contact your administrator to reset your password"
+# Background image URL for login page
+TINYAUTH_UI_BACKGROUNDIMAGE=""
+
+# LDAP Configuration
+
+# LDAP server address
+TINYAUTH_LDAP_ADDRESS="ldap://ldap.example.com:389"
+# DN for binding to LDAP server
+TINYAUTH_LDAP_BINDDN="cn=readonly,dc=example,dc=com"
+# Password for bind DN
+TINYAUTH_LDAP_BINDPASSWORD="your_bind_password"
+# Base DN for user searches
+TINYAUTH_LDAP_BASEDN="dc=example,dc=com"
+# Search filter (%s will be replaced with username)
+TINYAUTH_LDAP_SEARCHFILTER="(&(uid=%s)(memberOf=cn=users,ou=groups,dc=example,dc=com))"
+# Allow insecure LDAP connections
+TINYAUTH_LDAP_INSECURE="false"
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -2,12 +2,24 @@ version: 2
 updates:
  - package-ecosystem: "bun"
    directory: "/frontend"
+    groups:
+      minor-patch:
+        update-types:
+          - "patch"
+          - "minor"
    schedule:
      interval: "daily"
+
  - package-ecosystem: "gomod"
    directory: "/"
+    groups:
+      minor-patch:
+        update-types:
+          - "patch"
+          - "minor"
    schedule:
      interval: "daily"
+
  - package-ecosystem: "docker"
    directory: "/"
    schedule:
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -12,20 +12,27 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

-      - name: Setup Go
+      - name: Setup bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version: "^1.23.2"

-      - name: Setup bun
-        uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
-
      - name: Install frontend dependencies
        run: |
          cd frontend
-          bun install
+          bun install --frozen-lockfile
+
+      - name: Set version
+        run: |
+          echo testing > internal/assets/version
+
+      - name: Lint frontend
+        run: |
+          cd frontend
+          bun run lint

      - name: Build frontend
        run: |
@@ -37,4 +44,9 @@ jobs:
          cp -r frontend/dist internal/assets/dist

      - name: Run tests
-        run: go test -v ./...
+        run: go test -coverprofile=coverage.txt -v ./...
+
+      - name: Upload coverage reports to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
--- a/.github/workflows/nightly.yml
+++ b/.github/workflows/nightly.yml
@@ -0,0 +1,465 @@
+name: Nightly Release
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  create-release:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Delete old release
+        run: gh release delete --cleanup-tag --yes nightly || echo release not found
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OWNER: ${{ github.repository_owner }}
+          REPO: ${{ github.event.repository.name }}
+
+      - name: Create release
+        uses: softprops/action-gh-release@v2
+        with:
+          prerelease: true
+          tag_name: nightly
+
+  generate-metadata:
+    runs-on: ubuntu-latest
+    needs: create-release
+    outputs:
+      VERSION: ${{ steps.metadata.outputs.VERSION }}
+      COMMIT_HASH: ${{ steps.metadata.outputs.COMMIT_HASH }}
+      BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: nightly
+
+      - name: Generate metadata
+        id: metadata
+        run: |
+          echo "VERSION=nightly" >> "$GITHUB_OUTPUT"
+          echo "COMMIT_HASH=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+          echo "BUILD_TIMESTAMP=$(date '+%Y-%m-%dT%H:%M:%S')" >> "$GITHUB_OUTPUT"
+
+  binary-build:
+    runs-on: ubuntu-latest
+    needs:
+      - create-release
+      - generate-metadata
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: nightly
+
+      - name: Install bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "^1.23.2"
+
+      - name: Install frontend dependencies
+        run: |
+          cd frontend
+          bun install --frozen-lockfile
+
+      - name: Install backend dependencies
+        run: |
+          go mod download
+
+      - name: Build frontend
+        run: |
+          cd frontend
+          bun run build
+
+      - name: Build
+        run: |
+          cp -r frontend/dist internal/assets/dist
+          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+        env:
+          CGO_ENABLED: 0
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: tinyauth-amd64
+          path: tinyauth-amd64
+
+  binary-build-arm:
+    runs-on: ubuntu-24.04-arm
+    needs:
+      - create-release
+      - generate-metadata
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: nightly
+
+      - name: Install bun
+        uses: oven-sh/setup-bun@v2
+
+      - name: Install go
+        uses: actions/setup-go@v5
+        with:
+          go-version: "^1.23.2"
+
+      - name: Install frontend dependencies
+        run: |
+          cd frontend
+          bun install --frozen-lockfile
+
+      - name: Install backend dependencies
+        run: |
+          go mod download
+
+      - name: Build frontend
+        run: |
+          cd frontend
+          bun run build
+
+      - name: Build
+        run: |
+          cp -r frontend/dist internal/assets/dist
+          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+        env:
+          CGO_ENABLED: 0
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: tinyauth-arm64
+          path: tinyauth-arm64
+
+  image-build:
+    runs-on: ubuntu-latest
+    needs:
+      - create-release
+      - generate-metadata
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: nightly
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        id: build
+        with:
+          platforms: linux/amd64
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          build-args: |
+            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
+            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
+            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-linux-amd64
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  image-build-distroless:
+    runs-on: ubuntu-latest
+    needs:
+      - create-release
+      - generate-metadata
+      - image-build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: nightly
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        id: build
+        with:
+          platforms: linux/amd64
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+          file: Dockerfile.distroless
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          build-args: |
+            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
+            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
+            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-distroless-linux-amd64
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  image-build-arm:
+    runs-on: ubuntu-24.04-arm
+    needs:
+      - create-release
+      - generate-metadata
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: nightly
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        id: build
+        with:
+          platforms: linux/arm64
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          build-args: |
+            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
+            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
+            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-linux-arm64
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  image-build-arm-distroless:
+    runs-on: ubuntu-24.04-arm
+    needs:
+      - create-release
+      - generate-metadata
+      - image-build-arm
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: nightly
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        id: build
+        with:
+          platforms: linux/arm64
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+          file: Dockerfile.distroless
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          build-args: |
+            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
+            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
+            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-distroless-linux-arm64
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
+  image-merge:
+    runs-on: ubuntu-latest
+    needs:
+      - image-build
+      - image-build-arm
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-*
+          merge-multiple: true
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+          flavor: |
+            latest=false
+          tags: |
+            type=raw,nightly
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'ghcr.io/${{ github.repository_owner }}/tinyauth@sha256:%s ' *)
+
+  image-merge-distroless:
+    runs-on: ubuntu-latest
+    needs:
+      - image-build-distroless
+      - image-build-arm-distroless
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-distroless-*
+          merge-multiple: true
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+          flavor: |
+            latest=false
+          tags: |
+            type=raw,nightly-distroless
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'ghcr.io/${{ github.repository_owner }}/tinyauth@sha256:%s ' *)
+
+  update-release:
+    runs-on: ubuntu-latest
+    needs:
+      - binary-build
+      - binary-build-arm
+    steps:
+      - uses: actions/download-artifact@v4
+        with:
+          pattern: tinyauth-*
+          path: binaries
+          merge-multiple: true
+
+      - name: Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: binaries/*
+          tag_name: nightly
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,28 +6,49 @@ on:
      - "v*"

 jobs:
+  generate-metadata:
+    runs-on: ubuntu-latest
+    outputs:
+      VERSION: ${{ steps.metadata.outputs.VERSION }}
+      COMMIT_HASH: ${{ steps.metadata.outputs.COMMIT_HASH }}
+      BUILD_TIMESTAMP: ${{ steps.metadata.outputs.BUILD_TIMESTAMP }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: nightly
+
+      - name: Generate metadata
+        id: metadata
+        run: |
+          echo "VERSION=${{ github.ref_name }}" >> "$GITHUB_OUTPUT"
+          echo "COMMIT_HASH=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT"
+          echo "BUILD_TIMESTAMP=$(date '+%Y-%m-%dT%H:%M:%S')" >> "$GITHUB_OUTPUT"
+
  binary-build:
    runs-on: ubuntu-latest
+    needs:
+      - generate-metadata
    steps:
      - name: Checkout
        uses: actions/checkout@v4

-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
+      - name: Install bun
+        uses: oven-sh/setup-bun@v2

-      - uses: actions/setup-go@v5
+      - name: Install go
+        uses: actions/setup-go@v5
        with:
          go-version: "^1.23.2"

      - name: Install frontend dependencies
        run: |
          cd frontend
-          bun install
+          bun install --frozen-lockfile

      - name: Install backend dependencies
        run: |
-          go mod tidy
+          go mod download

      - name: Build frontend
        run: |
@@ -37,7 +58,9 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          CGO_ENABLED=0 go build -ldflags "-s -w" -o tinyauth-amd64
+          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-amd64 ./cmd/tinyauth
+        env:
+          CGO_ENABLED: 0

      - name: Upload artifact
        uses: actions/upload-artifact@v4
@@ -47,26 +70,28 @@ jobs:

  binary-build-arm:
    runs-on: ubuntu-24.04-arm
+    needs:
+      - generate-metadata
    steps:
      - name: Checkout
        uses: actions/checkout@v4

-      - uses: oven-sh/setup-bun@v2
-        with:
-          bun-version: latest
+      - name: Install bun
+        uses: oven-sh/setup-bun@v2

-      - uses: actions/setup-go@v5
+      - name: Install go
+        uses: actions/setup-go@v5
        with:
          go-version: "^1.23.2"

      - name: Install frontend dependencies
        run: |
          cd frontend
-          bun install
+          bun install --frozen-lockfile

      - name: Install backend dependencies
        run: |
-          go mod tidy
+          go mod download

      - name: Build frontend
        run: |
@@ -76,7 +101,9 @@ jobs:
      - name: Build
        run: |
          cp -r frontend/dist internal/assets/dist
-          CGO_ENABLED=0 go build -ldflags "-s -w" -o tinyauth-arm64
+          go build -ldflags "-s -w -X tinyauth/internal/config.Version=${{ needs.generate-metadata.outputs.VERSION }} -X tinyauth/internal/config.CommitHash=${{ needs.generate-metadata.outputs.COMMIT_HASH }} -X tinyauth/internal/config.BuildTimestamp=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}" -o tinyauth-arm64 ./cmd/tinyauth
+        env:
+          CGO_ENABLED: 0

      - name: Upload artifact
        uses: actions/upload-artifact@v4
@@ -86,6 +113,8 @@ jobs:

  image-build:
    runs-on: ubuntu-latest
+    needs:
+      - generate-metadata
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -114,6 +143,13 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          build-args: |
+            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
+            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
+            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}

      - name: Export digest
        run: |
@@ -129,8 +165,66 @@ jobs:
          if-no-files-found: error
          retention-days: 1

+  image-build-distroless:
+    runs-on: ubuntu-latest
+    needs:
+      - generate-metadata
+      - image-build
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        id: build
+        with:
+          platforms: linux/amd64
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+          file: Dockerfile.distroless
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          build-args: |
+            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
+            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
+            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-distroless-linux-amd64
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
  image-build-arm:
    runs-on: ubuntu-24.04-arm
+    needs:
+      - generate-metadata
    steps:
      - name: Checkout
        uses: actions/checkout@v4
@@ -159,6 +253,13 @@ jobs:
          labels: ${{ steps.meta.outputs.labels }}
          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          build-args: |
+            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
+            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
+            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}

      - name: Export digest
        run: |
@@ -174,6 +275,62 @@ jobs:
          if-no-files-found: error
          retention-days: 1

+  image-build-arm-distroless:
+    runs-on: ubuntu-24.04-arm
+    needs:
+      - generate-metadata
+      - image-build-arm
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        id: build
+        with:
+          platforms: linux/arm64
+          labels: ${{ steps.meta.outputs.labels }}
+          tags: ghcr.io/${{ github.repository_owner }}/tinyauth
+          outputs: type=image,push-by-digest=true,name-canonical=true,push=true
+          file: Dockerfile.distroless
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          build-args: |
+            VERSION=${{ needs.generate-metadata.outputs.VERSION }}
+            COMMIT_HASH=${{ needs.generate-metadata.outputs.COMMIT_HASH }}
+            BUILD_TIMESTAMP=${{ needs.generate-metadata.outputs.BUILD_TIMESTAMP }}
+
+      - name: Export digest
+        run: |
+          mkdir -p ${{ runner.temp }}/digests
+          digest="${{ steps.build.outputs.digest }}"
+          touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
+      - name: Upload digest
+        uses: actions/upload-artifact@v4
+        with:
+          name: digests-distroless-linux-arm64
+          path: ${{ runner.temp }}/digests/*
+          if-no-files-found: error
+          retention-days: 1
+
  image-merge:
    runs-on: ubuntu-latest
    needs:
@@ -202,10 +359,55 @@ jobs:
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+          flavor: |
+            prefix=v,onlatest=false
          tags: |
-            type=semver,pattern={{version}},prefix=v
-            type=semver,pattern={{major}},prefix=v
-            type=semver,pattern={{major}}.{{minor}},prefix=v
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}
+
+      - name: Create manifest list and push
+        working-directory: ${{ runner.temp }}/digests
+        run: |
+          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
+            $(printf 'ghcr.io/${{ github.repository_owner }}/tinyauth@sha256:%s ' *)
+
+  image-merge-distroless:
+    runs-on: ubuntu-latest
+    needs:
+      - image-build-distroless
+      - image-build-arm-distroless
+    steps:
+      - name: Download digests
+        uses: actions/download-artifact@v4
+        with:
+          path: ${{ runner.temp }}/digests
+          pattern: digests-distroless-*
+          merge-multiple: true
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/${{ github.repository_owner }}/tinyauth
+          flavor: |
+            latest=false
+            prefix=v
+            suffix=-distroless
+          tags: |
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}
+            type=semver,pattern={{major}}.{{minor}}

      - name: Create manifest list and push
        working-directory: ${{ runner.temp }}/digests
--- a/.github/workflows/sponsors.yml
+++ b/.github/workflows/sponsors.yml
@@ -13,7 +13,8 @@ jobs:
        uses: JamesIves/github-sponsors-readme-action@v1
        with:
          token: ${{ secrets.SPONSORS_GENERATOR_PAT }}
-          file: README.md
+          active-only: false
+          file: "README.md"
          template: '<a href="https://github.com/{{{ login }}}"><img src="{{{ avatarUrl }}}" width="64px" alt="User avatar: {{{ login }}}" /></a>&nbsp;&nbsp;'

      - name: Create Pull Request
--- a/.github/workflows/translations.yml
+++ b/.github/workflows/translations.yml
@@ -1,98 +0,0 @@
-name: Publish translations
-
-on:
-  push:
-    branches:
-      - i18n_v*
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pages: write
-  id-token: write
-
-concurrency:
-  group: pages
-  cancel-in-progress: false
-
-jobs:
-  get-branches:
-    runs-on: ubuntu-latest
-    outputs:
-      i18n-branches: ${{ steps.get-branches.outputs.result }}
-    steps:
-      - name: Get branches
-        id: get-branches
-        uses: actions/github-script@v7
-        with:
-          script: |
-            const { data: repos } = await github.rest.repos.listBranches({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-            })
-
-            const i18nBranches = repos.filter((branch) => branch.name.startsWith("i18n_v"))
-            const i18nBranchNames = i18nBranches.map((branch) => branch.name)
-
-            return i18nBranchNames
-
-  get-translations:
-    needs: get-branches
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        branch: ${{ fromJson(needs.get-branches.outputs.i18n-branches) }}
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          ref: ${{ matrix.branch }}
-
-      - name: Get translation version
-        id: get-version
-        run: |
-          branch=${{ matrix.branch }}
-          version=${branch#i18n_}
-          echo "version=$version" >> $GITHUB_OUTPUT
-
-      - name: Upload translations
-        uses: actions/upload-artifact@v4
-        with:
-          name: ${{ steps.get-version.outputs.version }}
-          path: frontend/src/lib/i18n/locales
-
-  build:
-    needs: get-translations
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Setup Pages
-        uses: actions/configure-pages@v4
-
-      - name: Prepare output directory
-        run: |
-          mkdir -p dist/i18n/
-
-      - name: Download translations
-        uses: actions/download-artifact@v4
-        with:
-          path: dist/i18n/
-
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
-        with:
-          path: dist
-
-  deploy:
-    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    needs: build
-    runs-on: ubuntu-latest
-    name: Deploy
-    steps:
-      - name: Deploy to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v4
--- a/.gitignore
+++ b/.gitignore
@@ -1,27 +1,39 @@
 # dist
-internal/assets/dist
+/internal/assets/dist

 # binaries
-tinyauth
+/tinyauth

 # test docker compose
-docker-compose.test*
+/docker-compose.test*

 # users file
-users.txt
+/users.txt

 # secret test file
-secret.txt
-secret_oauth.txt
-
-# vscode
-.vscode
+/secret*

 # apple stuff
 .DS_Store

 # env
-.env
+/.env

 # tmp directory
-tmp
+/tmp
+
+# version files
+/internal/assets/version
+
+# data directory
+/data
+
+# config file
+/config.yml
+
+# binary out
+/tinyauth.db
+/resources
+
+# debug files
+__debug_*
--- a/.vscode/launch.json
+++ b/.vscode/launch.json
@@ -0,0 +1,15 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Connect to server",
+      "type": "go",
+      "request": "attach",
+      "mode": "remote",
+      "remotePath": "/tinyauth",
+      "port": 4000,
+      "host": "127.0.0.1",
+      "debugAdapter": "legacy"
+    }
+  ]
+}
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,6 +1,6 @@
 # Contributing

-Contributing is relatively easy, you just need to follow the steps carefully and you will be up and running with a development server in less than 5 minutes.
+Contributing is relatively easy, you just need to follow the steps below and you will be up and running with a development server in less than five minutes.

 ## Requirements

@@ -20,7 +20,7 @@ cd tinyauth

 ## Install requirements

-Although you will not need the requirements in your machine since the development will happen in docker, I still recommend to install them because this way you will not have import errors, to install the go requirements, run:
+Although you will not need the requirements in your machine since the development will happen in docker, I still recommend to install them because this way you will not have import errors. To install the go requirements run:

 ```sh
 go mod tidy
@@ -35,7 +35,7 @@ bun install

 ## Create your `.env` file

-In order to configure the app you need to create an environment file, this can be done by copying the `.env.example` file to `.env` and modifying the environment variables inside to suit your needs.
+In order to configure the app you need to create an environment file, this can be done by copying the `.env.example` file to `.env` and modifying the environment variables to suit your needs.

 ## Developing

@@ -46,11 +46,14 @@ I have designed the development workflow to be entirely in docker, this is becau
 dev.example.com -> 127.0.0.1
 ```

-Then you can just make sure the domains are correct in the example docker compose file and run:
+> [!TIP]
+> You can use [sslip.io](https://sslip.io) as a domain if you don't have one to develop with.
+
+Then you can just make sure the domains are correct in the development docker compose file and run:

 ```sh
 docker compose -f docker-compose.dev.yml up --build
 ```

 > [!NOTE]
-> I would recommend copying the example `docker-compose.dev.yml` into a `docker-compose.test.yml` file, so as you don't accidentally commit any sensitive information.
+> I recommend copying the example `docker-compose.dev.yml` into a `docker-compose.test.yml` file, so as you don't accidentally commit any sensitive information.
--- a/37
+++ b/37
@@ -1,12 +1,12 @@
 # Site builder
-FROM oven/bun:1.2.11-alpine AS frontend-builder
+FROM oven/bun:1.3.5-alpine AS frontend-builder

 WORKDIR /frontend

 COPY ./frontend/package.json ./
-COPY ./frontend/bun.lockb ./
+COPY ./frontend/bun.lock ./

-RUN bun install
+RUN bun install --frozen-lockfile

 COPY ./frontend/public ./public
 COPY ./frontend/src ./src
@@ -16,12 +16,15 @@ COPY ./frontend/tsconfig.json ./
 COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
-COPY ./frontend/postcss.config.cjs ./

 RUN bun run build

 # Builder
-FROM golang:1.24-alpine3.21 AS builder
+FROM golang:1.25-alpine3.21 AS builder
+
+ARG VERSION
+ARG COMMIT_HASH
+ARG BUILD_TIMESTAMP

 WORKDIR /tinyauth

@@ -30,25 +33,33 @@ COPY go.sum ./

 RUN go mod download

-COPY ./main.go ./
 COPY ./cmd ./cmd
 COPY ./internal ./internal
 COPY --from=frontend-builder /frontend/dist ./internal/assets/dist

-RUN CGO_ENABLED=0 go build -ldflags "-s -w"
+RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
 
 # Runner
-FROM alpine:3.21 AS runner
+FROM alpine:3.23 AS runner

 WORKDIR /tinyauth

-RUN apk add --no-cache curl
-
 COPY --from=builder /tinyauth/tinyauth ./

+RUN mkdir -p /data
+
 EXPOSE 3000

-HEALTHCHECK --interval=10s --timeout=5s \
-    CMD curl -f http://localhost:3000/api/healthcheck || exit 1
+VOLUME ["/data"]

-ENTRYPOINT ["./tinyauth"]
+ENV DATABASEPATH=/data/tinyauth.db
+
+ENV RESOURCESDIR=/data/resources
+
+ENV GIN_MODE=release
+
+ENV PATH=$PATH:/tinyauth
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
+
+ENTRYPOINT ["tinyauth"]
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -1,4 +1,4 @@
-FROM golang:1.24-alpine3.21
+FROM golang:1.25-alpine3.21

 WORKDIR /tinyauth

@@ -7,13 +7,17 @@ COPY go.sum ./

 RUN go mod download

+RUN go install github.com/air-verse/air@v1.61.7
+RUN go install github.com/go-delve/delve/cmd/dlv@latest
+
 COPY ./cmd ./cmd
 COPY ./internal ./internal
-COPY ./main.go ./
 COPY ./air.toml ./

-RUN go install github.com/air-verse/air@v1.61.7
-
 EXPOSE 3000

+ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
+
+ENV TINYAUTH_RESOURCESDIR=/data/resources
+
 ENTRYPOINT ["air", "-c", "air.toml"]
--- a/Dockerfile.distroless
+++ b/Dockerfile.distroless
@@ -0,0 +1,68 @@
+# Site builder
+FROM oven/bun:1.3.5-alpine AS frontend-builder
+
+WORKDIR /frontend
+
+COPY ./frontend/package.json ./
+COPY ./frontend/bun.lock ./
+
+RUN bun install --frozen-lockfile
+
+COPY ./frontend/public ./public
+COPY ./frontend/src ./src
+COPY ./frontend/eslint.config.js ./
+COPY ./frontend/index.html ./
+COPY ./frontend/tsconfig.json ./
+COPY ./frontend/tsconfig.app.json ./
+COPY ./frontend/tsconfig.node.json ./
+COPY ./frontend/vite.config.ts ./
+
+RUN bun run build
+
+# Builder
+FROM golang:1.25-alpine3.21 AS builder
+
+ARG VERSION
+ARG COMMIT_HASH
+ARG BUILD_TIMESTAMP
+
+WORKDIR /tinyauth
+
+COPY go.mod ./
+COPY go.sum ./
+
+RUN go mod download
+
+COPY ./cmd ./cmd
+COPY ./internal ./internal
+COPY --from=frontend-builder /frontend/dist ./internal/assets/dist
+
+RUN mkdir -p data
+
+RUN CGO_ENABLED=0 go build -ldflags "-s -w -X tinyauth/internal/config.Version=${VERSION} -X tinyauth/internal/config.CommitHash=${COMMIT_HASH} -X tinyauth/internal/config.BuildTimestamp=${BUILD_TIMESTAMP}" ./cmd/tinyauth
+ 
+# Runner
+FROM gcr.io/distroless/static-debian12:latest AS runner
+
+WORKDIR /tinyauth
+
+COPY --from=builder /tinyauth/tinyauth ./
+
+# Since it's distroless, we need to copy the data directory from the builder stage
+COPY --from=builder /tinyauth/data /data
+
+EXPOSE 3000
+
+VOLUME ["/data"]
+
+ENV TINYAUTH_DATABASEPATH=/data/tinyauth.db
+
+ENV TINYAUTH_RESOURCESDIR=/data/resources
+
+ENV GIN_MODE=release
+
+ENV PATH=$PATH:/tinyauth
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 CMD ["tinyauth", "healthcheck"]
+
+ENTRYPOINT ["tinyauth"]
--- a/README.md
+++ b/README.md
@@ -1,13 +1,12 @@
 <div align="center">
-    <img alt="Tinyauth" title="Tinyauth" height="256" src="frontend/public/logo.png">
+    <img alt="Tinyauth" title="Tinyauth" width="96" src="assets/logo-rounded.png">
    <h1>Tinyauth</h1>
-    <p>The easiest way to secure your apps with a login screen.</p>
+    <p>The simplest way to protect your apps with a login screen.</p>
 </div>

 <div align="center">
    <img alt="License" src="https://img.shields.io/github/license/steveiliop56/tinyauth">
    <img alt="Release" src="https://img.shields.io/github/v/release/steveiliop56/tinyauth">
-    <img alt="Commit activity" src="https://img.shields.io/github/commit-activity/w/steveiliop56/tinyauth">
    <img alt="Issues" src="https://img.shields.io/github/issues/steveiliop56/tinyauth">
    <img alt="Tinyauth CI" src="https://github.com/steveiliop56/tinyauth/actions/workflows/ci.yml/badge.svg">
    <a title="Crowdin" target="_blank" href="https://crowdin.com/project/tinyauth"><img src="https://badges.crowdin.net/tinyauth/localized.svg"></a>
@@ -15,35 +14,38 @@

 <br />

-Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic provider to all of your docker apps. It is designed for traefik but it can be extended to work with all reverse proxies like caddy and nginx.
+Tinyauth is a simple authentication middleware that adds a simple login screen or OAuth with Google, Github or any other provider to all of your apps. It supports all the popular proxies like Traefik, Nginx and Caddy.

-![Login](assets/screenshot.png)
+![Screenshot](assets/screenshot.png)

 > [!WARNING]
 > Tinyauth is in active development and configuration may change often. Please make sure to carefully read the release notes before updating.

-> [!NOTE]
-> Tinyauth is intended for homelab use and it is not made for production use cases. If you are looking for something production ready please use [authentik](https://goauthentik.io).
-
-## Discord
-
-I just made a Discord server for Tinyauth! It is not only for Tinyauth but general self-hosting because I just like chatting with people! The link is [here](https://discord.gg/eHzVaCzRRd), see you there!
-
 ## Getting Started

-You can easily get started with tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started.html). There is also an available [docker compose file](./docker-compose.example.yml) that has traefik, whoami and tinyauth to demonstrate its capabilities.
+You can easily get started with Tinyauth by following the guide in the [documentation](https://tinyauth.app/docs/getting-started). There is also an available [docker compose](./docker-compose.example.yml) file that has Traefik, Whoami and Tinyauth to demonstrate its capabilities.
+
+## Demo
+
+If you are still not sure if Tinyauth suits your needs you can try out the [demo](https://demo.tinyauth.app). The default username is `user` and the default password is `password`.

 ## Documentation

-You can find documentation and guides on all of the available configuration of tinyauth [here](https://tinyauth.app).
+You can find documentation and guides on all of the available configuration of Tinyauth in the [website](https://tinyauth.app).
+
+If you wish to contribute to the documentation head over to the [repository](https://github.com/steveiliop56/tinyauth-docs).
+
+## Discord
+
+Tinyauth has a [discord](https://discord.gg/eHzVaCzRRd) server. Feel free to hop in to chat about self-hosting, homelabs and of course Tinyauth. See you there!

 ## Contributing

-All contributions to the codebase are welcome! If you have any recommendations on how to improve security or find a security issue in tinyauth please open an issue or pull request so it can be fixed as soon as possible!
+All contributions to the codebase are welcome! If you have any free time feel free to pick up an [issue](https://github.com/steveiliop56/tinyauth/issues) or add your own missing features. Make sure to check out the [contributing guide](./CONTRIBUTING.md) for instructions on how to get the development server up and running.

 ## Localization

-If you would like to help translating the project in more languages you can do so by visiting the [Crowdin](https://crowdin.com/project/tinyauth) page.
+If you would like to help translate Tinyauth into more languages, visit the [Crowdin](https://crowdin.com/project/tinyauth) page.

 ## License

@@ -51,16 +53,16 @@ Tinyauth is licensed under the GNU General Public License v3.0. TL;DR — You ma

 ## Sponsors

-Thanks a lot to the following people for providing me with more coffee:
+A big thank you to the following people for providing me with more coffee:

-<!-- sponsors --><a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<!-- sponsors -->
+<!-- sponsors --><a href="https://github.com/erwinkramer"><img src="https:&#x2F;&#x2F;github.com&#x2F;erwinkramer.png" width="64px" alt="User avatar: erwinkramer" /></a>&nbsp;&nbsp;<a href="https://github.com/nicotsx"><img src="https:&#x2F;&#x2F;github.com&#x2F;nicotsx.png" width="64px" alt="User avatar: nicotsx" /></a>&nbsp;&nbsp;<a href="https://github.com/SimpleHomelab"><img src="https:&#x2F;&#x2F;github.com&#x2F;SimpleHomelab.png" width="64px" alt="User avatar: SimpleHomelab" /></a>&nbsp;&nbsp;<a href="https://github.com/jmadden91"><img src="https:&#x2F;&#x2F;github.com&#x2F;jmadden91.png" width="64px" alt="User avatar: jmadden91" /></a>&nbsp;&nbsp;<a href="https://github.com/tribor"><img src="https:&#x2F;&#x2F;github.com&#x2F;tribor.png" width="64px" alt="User avatar: tribor" /></a>&nbsp;&nbsp;<a href="https://github.com/eliasbenb"><img src="https:&#x2F;&#x2F;github.com&#x2F;eliasbenb.png" width="64px" alt="User avatar: eliasbenb" /></a>&nbsp;&nbsp;<a href="https://github.com/afunworm"><img src="https:&#x2F;&#x2F;github.com&#x2F;afunworm.png" width="64px" alt="User avatar: afunworm" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="64px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/Lancelot-Enguerrand"><img src="https:&#x2F;&#x2F;github.com&#x2F;Lancelot-Enguerrand.png" width="64px" alt="User avatar: Lancelot-Enguerrand" /></a>&nbsp;&nbsp;<a href="https://github.com/allgoewer"><img src="https:&#x2F;&#x2F;github.com&#x2F;allgoewer.png" width="64px" alt="User avatar: allgoewer" /></a>&nbsp;&nbsp;<!-- sponsors -->

 ## Acknowledgements

-Credits for the logo of this app go to:
-
 - **Freepik** for providing the police hat and badge.
 - **Renee French** for the original gopher logo.
+- **Coderabbit AI** for providing free AI code reviews.
+- **Syrhu** for providing the background image of the app.

 ## Star History

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -2,8 +2,8 @@

 ## Supported Versions

-Please always use the latest available Tinyauth version which can be found [here](https://github.com/steveiliop56/tinyauth/releases/latest). Older versions (especially major) may contain security issues which I cannot go back and fix.
+It is recommended to use the [latest](https://github.com/steveiliop56/tinyauth/releases/latest) available version of tinyauth. This is because it includes security fixes, new features and dependency updates. Older versions, especially major ones, are not supported and won't receive security or patch updates.

 ## Reporting a Vulnerability

-Due to the nature of this app, it needs to be secure. If you find any security issues in the OAuth or login flow of the app please contact me at <steve@doesmycode.work> and include a concise description of the issue. Please do not use the issues section for reporting major security issues.
+Due to the nature of this app, it needs to be secure. If you discover any security issues or vulnerabilities in the app please contact me as soon as possible at <steve@doesmycode.work>. Please do not use the issues section to report security issues as I won't be able to patch them in time and they may get exploited by malicious actors.
--- a/air.toml
+++ b/air.toml
@@ -2,9 +2,10 @@ root = "/tinyauth"
 tmp_dir = "tmp"

 [build]
-pre_cmd = ["mkdir -p internal/assets/dist", "echo 'backend running' > internal/assets/dist/index.html"]
-cmd = "go build -o ./tmp/tinyauth ."
+pre_cmd = ["mkdir -p internal/assets/dist", "mkdir -p /data", "echo 'backend running' > internal/assets/dist/index.html"]
+cmd = "CGO_ENABLED=0 go build -gcflags=\"all=-N -l\" -o tmp/tinyauth ./cmd/tinyauth"
 bin = "tmp/tinyauth"
+full_bin = "dlv --listen :4000 --headless=true --api-version=2 --accept-multiclient --log=true exec tmp/tinyauth --continue --check-go-version=false"
 include_ext = ["go"]
 exclude_dir = ["internal/assets/dist"]
 exclude_regex = [".*_test\\.go"]
--- a/assets/discohook.json
+++ b/assets/discohook.json
@@ -3,7 +3,7 @@
  "embeds": [
    {
      "title": "Welcome to Tinyauth Discord!",
-      "description": "Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps.\n\n**Information**\n\n• Github: <https://github.com/steveiliop56/tinyauth>\n• Website: <https://tinyauth.app>",
+      "description": "Tinyauth is a simple authentication middleware that adds a simple login screen or OAuth with Google, Github and any provider to all of your docker apps. It supports all the popular proxies like Traefik, Nginx and Caddy.\n\n**Information**\n\n• Github: <https://github.com/steveiliop56/tinyauth>\n• Website: <https://tinyauth.app>",
      "url": "https://tinyauth.app",
      "color": 7002085,
      "author": {
@@ -12,9 +12,9 @@
      "footer": {
        "text": "Updated at"
      },
-      "timestamp": "2025-03-10T19:00:00.000Z",
+      "timestamp": "2025-06-06T12:25:27.629Z",
      "thumbnail": {
-        "url": "https://github.com/steveiliop56/tinyauth/blob/main/frontend/public/logo.png?raw=true"
+        "url": "https://github.com/steveiliop56/tinyauth/blob/main/assets/logo.png?raw=true"
      }
    }
  ],
--- a/assets/logo-rounded.png
+++ b/assets/logo-rounded.png
--- a/assets/logo-solid.jpg
+++ b/assets/logo-solid.jpg
--- a/frontend/public/logo.png
+++ b/frontend/public/logo.png
--- a/assets/screenshot.png
+++ b/assets/screenshot.png
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -1,244 +0,0 @@
-package cmd
-
-import (
-	"errors"
-	"os"
-	"strings"
-	"time"
-	totpCmd "tinyauth/cmd/totp"
-	userCmd "tinyauth/cmd/user"
-	"tinyauth/internal/api"
-	"tinyauth/internal/assets"
-	"tinyauth/internal/auth"
-	"tinyauth/internal/docker"
-	"tinyauth/internal/handlers"
-	"tinyauth/internal/hooks"
-	"tinyauth/internal/providers"
-	"tinyauth/internal/types"
-	"tinyauth/internal/utils"
-
-	"github.com/go-playground/validator/v10"
-	"github.com/rs/zerolog"
-	"github.com/rs/zerolog/log"
-	"github.com/spf13/cobra"
-	"github.com/spf13/viper"
-)
-
-var rootCmd = &cobra.Command{
-	Use:   "tinyauth",
-	Short: "The simplest way to protect your apps with a login screen.",
-	Long:  `Tinyauth is a simple authentication middleware that adds simple username/password login or OAuth with Google, Github and any generic OAuth provider to all of your docker apps.`,
-	Run: func(cmd *cobra.Command, args []string) {
-		// Logger
-		log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Timestamp().Logger().Level(zerolog.FatalLevel)
-
-		// Get config
-		var config types.Config
-		err := viper.Unmarshal(&config)
-		HandleError(err, "Failed to parse config")
-
-		// Secrets
-		config.Secret = utils.GetSecret(config.Secret, config.SecretFile)
-		config.GithubClientSecret = utils.GetSecret(config.GithubClientSecret, config.GithubClientSecretFile)
-		config.GoogleClientSecret = utils.GetSecret(config.GoogleClientSecret, config.GoogleClientSecretFile)
-		config.GenericClientSecret = utils.GetSecret(config.GenericClientSecret, config.GenericClientSecretFile)
-
-		// Validate config
-		validator := validator.New()
-		err = validator.Struct(config)
-		HandleError(err, "Failed to validate config")
-
-		// Logger
-		log.Logger = log.Level(zerolog.Level(config.LogLevel))
-		log.Info().Str("version", assets.Version).Msg("Starting tinyauth")
-
-		// Users
-		log.Info().Msg("Parsing users")
-		users, err := utils.GetUsers(config.Users, config.UsersFile)
-		HandleError(err, "Failed to parse users")
-
-		if len(users) == 0 && !utils.OAuthConfigured(config) {
-			HandleError(errors.New("no users or OAuth configured"), "No users or OAuth configured")
-		}
-
-		// Get domain
-		log.Debug().Msg("Getting domain")
-		domain, err := utils.GetUpperDomain(config.AppURL)
-		HandleError(err, "Failed to get upper domain")
-		log.Info().Str("domain", domain).Msg("Using domain for cookie store")
-
-		// Create OAuth config
-		oauthConfig := types.OAuthConfig{
-			GithubClientId:      config.GithubClientId,
-			GithubClientSecret:  config.GithubClientSecret,
-			GoogleClientId:      config.GoogleClientId,
-			GoogleClientSecret:  config.GoogleClientSecret,
-			GenericClientId:     config.GenericClientId,
-			GenericClientSecret: config.GenericClientSecret,
-			GenericScopes:       strings.Split(config.GenericScopes, ","),
-			GenericAuthURL:      config.GenericAuthURL,
-			GenericTokenURL:     config.GenericTokenURL,
-			GenericUserURL:      config.GenericUserURL,
-			AppURL:              config.AppURL,
-		}
-
-		// Create handlers config
-		handlersConfig := types.HandlersConfig{
-			AppURL:                config.AppURL,
-			DisableContinue:       config.DisableContinue,
-			Title:                 config.Title,
-			GenericName:           config.GenericName,
-			CookieSecure:          config.CookieSecure,
-			Domain:                domain,
-			ForgotPasswordMessage: config.FogotPasswordMessage,
-			OAuthAutoRedirect:     config.OAuthAutoRedirect,
-		}
-
-		// Create api config
-		apiConfig := types.APIConfig{
-			Port:    config.Port,
-			Address: config.Address,
-		}
-
-		// Create auth config
-		authConfig := types.AuthConfig{
-			Users:           users,
-			OauthWhitelist:  config.OAuthWhitelist,
-			Secret:          config.Secret,
-			CookieSecure:    config.CookieSecure,
-			SessionExpiry:   config.SessionExpiry,
-			Domain:          domain,
-			LoginTimeout:    config.LoginTimeout,
-			LoginMaxRetries: config.LoginMaxRetries,
-		}
-
-		// Create hooks config
-		hooksConfig := types.HooksConfig{
-			Domain: domain,
-		}
-
-		// Create docker service
-		docker := docker.NewDocker()
-
-		// Initialize docker
-		err = docker.Init()
-		HandleError(err, "Failed to initialize docker")
-
-		// Create auth service
-		auth := auth.NewAuth(authConfig, docker)
-
-		// Create OAuth providers service
-		providers := providers.NewProviders(oauthConfig)
-
-		// Initialize providers
-		providers.Init()
-
-		// Create hooks service
-		hooks := hooks.NewHooks(hooksConfig, auth, providers)
-
-		// Create handlers
-		handlers := handlers.NewHandlers(handlersConfig, auth, hooks, providers, docker)
-
-		// Create API
-		api := api.NewAPI(apiConfig, handlers)
-
-		// Setup routes
-		api.Init()
-		api.SetupRoutes()
-
-		// Start
-		api.Run()
-	},
-}
-
-func Execute() {
-	err := rootCmd.Execute()
-	HandleError(err, "Failed to execute root command")
-}
-
-func HandleError(err error, msg string) {
-	// If error, log it and exit
-	if err != nil {
-		log.Fatal().Err(err).Msg(msg)
-	}
-}
-
-func init() {
-	// Add user command
-	rootCmd.AddCommand(userCmd.UserCmd())
-
-	// Add totp command
-	rootCmd.AddCommand(totpCmd.TotpCmd())
-
-	// Read environment variables
-	viper.AutomaticEnv()
-
-	// Flags
-	rootCmd.Flags().Int("port", 3000, "Port to run the server on.")
-	rootCmd.Flags().String("address", "0.0.0.0", "Address to bind the server to.")
-	rootCmd.Flags().String("secret", "", "Secret to use for the cookie.")
-	rootCmd.Flags().String("secret-file", "", "Path to a file containing the secret.")
-	rootCmd.Flags().String("app-url", "", "The tinyauth URL.")
-	rootCmd.Flags().String("users", "", "Comma separated list of users in the format username:hash.")
-	rootCmd.Flags().String("users-file", "", "Path to a file containing users in the format username:hash.")
-	rootCmd.Flags().Bool("cookie-secure", false, "Send cookie over secure connection only.")
-	rootCmd.Flags().String("github-client-id", "", "Github OAuth client ID.")
-	rootCmd.Flags().String("github-client-secret", "", "Github OAuth client secret.")
-	rootCmd.Flags().String("github-client-secret-file", "", "Github OAuth client secret file.")
-	rootCmd.Flags().String("google-client-id", "", "Google OAuth client ID.")
-	rootCmd.Flags().String("google-client-secret", "", "Google OAuth client secret.")
-	rootCmd.Flags().String("google-client-secret-file", "", "Google OAuth client secret file.")
-	rootCmd.Flags().String("generic-client-id", "", "Generic OAuth client ID.")
-	rootCmd.Flags().String("generic-client-secret", "", "Generic OAuth client secret.")
-	rootCmd.Flags().String("generic-client-secret-file", "", "Generic OAuth client secret file.")
-	rootCmd.Flags().String("generic-scopes", "", "Generic OAuth scopes.")
-	rootCmd.Flags().String("generic-auth-url", "", "Generic OAuth auth URL.")
-	rootCmd.Flags().String("generic-token-url", "", "Generic OAuth token URL.")
-	rootCmd.Flags().String("generic-user-url", "", "Generic OAuth user info URL.")
-	rootCmd.Flags().String("generic-name", "Generic", "Generic OAuth provider name.")
-	rootCmd.Flags().Bool("disable-continue", false, "Disable continue screen and redirect to app directly.")
-	rootCmd.Flags().String("oauth-whitelist", "", "Comma separated list of email addresses to whitelist when using OAuth.")
-	rootCmd.Flags().String("oauth-auto-redirect", "none", "Auto redirect to the specified OAuth provider if configured. (available providers: github, google, generic)")
-	rootCmd.Flags().Int("session-expiry", 86400, "Session (cookie) expiration time in seconds.")
-	rootCmd.Flags().Int("login-timeout", 300, "Login timeout in seconds after max retries reached (0 to disable).")
-	rootCmd.Flags().Int("login-max-retries", 5, "Maximum login attempts before timeout (0 to disable).")
-	rootCmd.Flags().Int("log-level", 1, "Log level.")
-	rootCmd.Flags().String("app-title", "Tinyauth", "Title of the app.")
-	rootCmd.Flags().String("forgot-password-message", "You can reset your password by changing the `USERS` environment variable.", "Message to show on the forgot password page.")
-
-	// Bind flags to environment
-	viper.BindEnv("port", "PORT")
-	viper.BindEnv("address", "ADDRESS")
-	viper.BindEnv("secret", "SECRET")
-	viper.BindEnv("secret-file", "SECRET_FILE")
-	viper.BindEnv("app-url", "APP_URL")
-	viper.BindEnv("users", "USERS")
-	viper.BindEnv("users-file", "USERS_FILE")
-	viper.BindEnv("cookie-secure", "COOKIE_SECURE")
-	viper.BindEnv("github-client-id", "GITHUB_CLIENT_ID")
-	viper.BindEnv("github-client-secret", "GITHUB_CLIENT_SECRET")
-	viper.BindEnv("github-client-secret-file", "GITHUB_CLIENT_SECRET_FILE")
-	viper.BindEnv("google-client-id", "GOOGLE_CLIENT_ID")
-	viper.BindEnv("google-client-secret", "GOOGLE_CLIENT_SECRET")
-	viper.BindEnv("google-client-secret-file", "GOOGLE_CLIENT_SECRET_FILE")
-	viper.BindEnv("generic-client-id", "GENERIC_CLIENT_ID")
-	viper.BindEnv("generic-client-secret", "GENERIC_CLIENT_SECRET")
-	viper.BindEnv("generic-client-secret-file", "GENERIC_CLIENT_SECRET_FILE")
-	viper.BindEnv("generic-scopes", "GENERIC_SCOPES")
-	viper.BindEnv("generic-auth-url", "GENERIC_AUTH_URL")
-	viper.BindEnv("generic-token-url", "GENERIC_TOKEN_URL")
-	viper.BindEnv("generic-user-url", "GENERIC_USER_URL")
-	viper.BindEnv("generic-name", "GENERIC_NAME")
-	viper.BindEnv("disable-continue", "DISABLE_CONTINUE")
-	viper.BindEnv("oauth-whitelist", "OAUTH_WHITELIST")
-	viper.BindEnv("oauth-auto-redirect", "OAUTH_AUTO_REDIRECT")
-	viper.BindEnv("session-expiry", "SESSION_EXPIRY")
-	viper.BindEnv("log-level", "LOG_LEVEL")
-	viper.BindEnv("app-title", "APP_TITLE")
-	viper.BindEnv("login-timeout", "LOGIN_TIMEOUT")
-	viper.BindEnv("login-max-retries", "LOGIN_MAX_RETRIES")
-	viper.BindEnv("forgot-password-message", "FORGOT_PASSWORD_MESSAGE")
-
-	// Bind flags to viper
-	viper.BindPFlags(rootCmd.Flags())
-}
--- a/cmd/tinyauth/create.go
+++ b/cmd/tinyauth/create.go
@@ -0,0 +1,98 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/charmbracelet/huh"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/traefik/paerser/cli"
+	"golang.org/x/crypto/bcrypt"
+)
+
+type CreateUserConfig struct {
+	Interactive bool   `description:"Create a user interactively."`
+	Docker      bool   `description:"Format output for docker."`
+	Username    string `description:"Username."`
+	Password    string `description:"Password."`
+}
+
+func NewCreateUserConfig() *CreateUserConfig {
+	return &CreateUserConfig{
+		Interactive: false,
+		Docker:      false,
+		Username:    "",
+		Password:    "",
+	}
+}
+
+func createUserCmd() *cli.Command {
+	tCfg := NewCreateUserConfig()
+
+	loaders := []cli.ResourceLoader{
+		&cli.FlagLoader{},
+	}
+
+	return &cli.Command{
+		Name:          "create",
+		Description:   "Create a user",
+		Configuration: tCfg,
+		Resources:     loaders,
+		Run: func(_ []string) error {
+			log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Caller().Logger().Level(zerolog.InfoLevel)
+
+			if tCfg.Interactive {
+				form := huh.NewForm(
+					huh.NewGroup(
+						huh.NewInput().Title("Username").Value(&tCfg.Username).Validate((func(s string) error {
+							if s == "" {
+								return errors.New("username cannot be empty")
+							}
+							return nil
+						})),
+						huh.NewInput().Title("Password").Value(&tCfg.Password).Validate((func(s string) error {
+							if s == "" {
+								return errors.New("password cannot be empty")
+							}
+							return nil
+						})),
+						huh.NewSelect[bool]().Title("Format the output for Docker?").Options(huh.NewOption("Yes", true), huh.NewOption("No", false)).Value(&tCfg.Docker),
+					),
+				)
+
+				var baseTheme *huh.Theme = huh.ThemeBase()
+
+				err := form.WithTheme(baseTheme).Run()
+
+				if err != nil {
+					return fmt.Errorf("failed to run interactive prompt: %w", err)
+				}
+			}
+
+			if tCfg.Username == "" || tCfg.Password == "" {
+				return errors.New("username and password cannot be empty")
+			}
+
+			log.Info().Str("username", tCfg.Username).Msg("Creating user")
+
+			passwd, err := bcrypt.GenerateFromPassword([]byte(tCfg.Password), bcrypt.DefaultCost)
+			if err != nil {
+				return fmt.Errorf("failed to hash password: %w", err)
+			}
+
+			// If docker format is enabled, escape the dollar sign
+			passwdStr := string(passwd)
+			if tCfg.Docker {
+				passwdStr = strings.ReplaceAll(passwdStr, "$", "$$")
+			}
+
+			log.Info().Str("user", fmt.Sprintf("%s:%s", tCfg.Username, passwdStr)).Msg("User created")
+
+			return nil
+		},
+	}
+}
--- a/cmd/tinyauth/generate.go
+++ b/cmd/tinyauth/generate.go
@@ -0,0 +1,120 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/steveiliop56/tinyauth/internal/utils"
+
+	"github.com/charmbracelet/huh"
+	"github.com/mdp/qrterminal/v3"
+	"github.com/pquerna/otp/totp"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/traefik/paerser/cli"
+)
+
+type GenerateTotpConfig struct {
+	Interactive bool   `description:"Generate a TOTP secret interactively."`
+	User        string `description:"Your current user (username:hash)."`
+}
+
+func NewGenerateTotpConfig() *GenerateTotpConfig {
+	return &GenerateTotpConfig{
+		Interactive: false,
+		User:        "",
+	}
+}
+
+func generateTotpCmd() *cli.Command {
+	tCfg := NewGenerateTotpConfig()
+
+	loaders := []cli.ResourceLoader{
+		&cli.FlagLoader{},
+	}
+
+	return &cli.Command{
+		Name:          "generate",
+		Description:   "Generate a TOTP secret",
+		Configuration: tCfg,
+		Resources:     loaders,
+		Run: func(_ []string) error {
+			log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Caller().Logger().Level(zerolog.InfoLevel)
+
+			if tCfg.Interactive {
+				form := huh.NewForm(
+					huh.NewGroup(
+						huh.NewInput().Title("Current user (username:hash)").Value(&tCfg.User).Validate((func(s string) error {
+							if s == "" {
+								return errors.New("user cannot be empty")
+							}
+							return nil
+						})),
+					),
+				)
+
+				var baseTheme *huh.Theme = huh.ThemeBase()
+
+				err := form.WithTheme(baseTheme).Run()
+
+				if err != nil {
+					return fmt.Errorf("failed to run interactive prompt: %w", err)
+				}
+			}
+
+			user, err := utils.ParseUser(tCfg.User)
+
+			if err != nil {
+				return fmt.Errorf("failed to parse user: %w", err)
+			}
+
+			docker := false
+			if strings.Contains(tCfg.User, "$$") {
+				docker = true
+			}
+
+			if user.TotpSecret != "" {
+				return fmt.Errorf("user already has a TOTP secret")
+			}
+
+			key, err := totp.Generate(totp.GenerateOpts{
+				Issuer:      "Tinyauth",
+				AccountName: user.Username,
+			})
+
+			if err != nil {
+				return fmt.Errorf("failed to generate TOTP secret: %w", err)
+			}
+
+			secret := key.Secret()
+
+			log.Info().Str("secret", secret).Msg("Generated TOTP secret")
+
+			log.Info().Msg("Generated QR code")
+
+			config := qrterminal.Config{
+				Level:     qrterminal.L,
+				Writer:    os.Stdout,
+				BlackChar: qrterminal.BLACK,
+				WhiteChar: qrterminal.WHITE,
+				QuietZone: 2,
+			}
+
+			qrterminal.GenerateWithConfig(key.URL(), config)
+
+			user.TotpSecret = secret
+
+			// If using docker escape re-escape it
+			if docker {
+				user.Password = strings.ReplaceAll(user.Password, "$", "$$")
+			}
+
+			log.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TotpSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
+
+			return nil
+		},
+	}
+}
--- a/cmd/tinyauth/healthcheck.go
+++ b/cmd/tinyauth/healthcheck.go
@@ -0,0 +1,85 @@
+package main
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/traefik/paerser/cli"
+)
+
+type healthzResponse struct {
+	Status  string `json:"status"`
+	Message string `json:"message"`
+}
+
+func healthcheckCmd() *cli.Command {
+	return &cli.Command{
+		Name:          "healthcheck",
+		Description:   "Perform a health check",
+		Configuration: nil,
+		Resources:     nil,
+		AllowArg:      true,
+		Run: func(args []string) error {
+			log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Caller().Logger().Level(zerolog.InfoLevel)
+
+			appUrl := os.Getenv("TINYAUTH_APPURL")
+
+			if len(args) > 0 {
+				appUrl = args[0]
+			}
+
+			if appUrl == "" {
+				return errors.New("TINYAUTH_APPURL is not set and no argument was provided")
+			}
+
+			log.Info().Str("app_url", appUrl).Msg("Performing health check")
+
+			client := http.Client{
+				Timeout: 30 * time.Second,
+			}
+
+			req, err := http.NewRequest("GET", appUrl+"/api/healthz", nil)
+
+			if err != nil {
+				return fmt.Errorf("failed to create request: %w", err)
+			}
+
+			resp, err := client.Do(req)
+
+			if err != nil {
+				return fmt.Errorf("failed to perform request: %w", err)
+			}
+
+			if resp.StatusCode != http.StatusOK {
+				return fmt.Errorf("service is not healthy, got: %s", resp.Status)
+			}
+
+			defer resp.Body.Close()
+
+			var healthResp healthzResponse
+
+			body, err := io.ReadAll(resp.Body)
+
+			if err != nil {
+				return fmt.Errorf("failed to read response: %w", err)
+			}
+
+			err = json.Unmarshal(body, &healthResp)
+
+			if err != nil {
+				return fmt.Errorf("failed to decode response: %w", err)
+			}
+
+			log.Info().Interface("response", healthResp).Msg("Tinyauth is healthy")
+
+			return nil
+		},
+	}
+}
--- a/cmd/tinyauth/tinyauth.go
+++ b/cmd/tinyauth/tinyauth.go
@@ -0,0 +1,125 @@
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/steveiliop56/tinyauth/internal/bootstrap"
+	"github.com/steveiliop56/tinyauth/internal/config"
+	"github.com/steveiliop56/tinyauth/internal/utils/loaders"
+
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/traefik/paerser/cli"
+)
+
+func NewTinyauthCmdConfiguration() *config.Config {
+	return &config.Config{
+		LogLevel:     "info",
+		ResourcesDir: "./resources",
+		DatabasePath: "./tinyauth.db",
+		Server: config.ServerConfig{
+			Port:    3000,
+			Address: "0.0.0.0",
+		},
+		Auth: config.AuthConfig{
+			SessionExpiry:   3600,
+			LoginTimeout:    300,
+			LoginMaxRetries: 3,
+		},
+		UI: config.UIConfig{
+			Title:                 "Tinyauth",
+			ForgotPasswordMessage: "You can change your password by changing the configuration.",
+			BackgroundImage:       "/background.jpg",
+		},
+		Experimental: config.ExperimentalConfig{
+			ConfigFile: "",
+		},
+	}
+}
+
+func main() {
+	tConfig := NewTinyauthCmdConfiguration()
+
+	loaders := []cli.ResourceLoader{
+		&loaders.FileLoader{},
+		&loaders.FlagLoader{},
+		&loaders.EnvLoader{},
+	}
+
+	cmdTinyauth := &cli.Command{
+		Name:          "tinyauth",
+		Description:   "The simplest way to protect your apps with a login screen.",
+		Configuration: tConfig,
+		Resources:     loaders,
+		Run: func(_ []string) error {
+			return runCmd(*tConfig)
+		},
+	}
+
+	err := cmdTinyauth.AddCommand(versionCmd())
+
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to add version command")
+	}
+
+	err = cmdTinyauth.AddCommand(verifyUserCmd())
+
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to add verify command")
+	}
+
+	err = cmdTinyauth.AddCommand(healthcheckCmd())
+
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to add healthcheck command")
+	}
+
+	err = cmdTinyauth.AddCommand(generateTotpCmd())
+
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to add generate command")
+	}
+
+	err = cmdTinyauth.AddCommand(createUserCmd())
+
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to add create command")
+	}
+
+	err = cli.Execute(cmdTinyauth)
+
+	if err != nil {
+		log.Fatal().Err(err).Msg("Failed to execute command")
+	}
+}
+
+func runCmd(cfg config.Config) error {
+	logLevel, err := zerolog.ParseLevel(strings.ToLower(cfg.LogLevel))
+
+	if err != nil {
+		log.Error().Err(err).Msg("Invalid or missing log level, defaulting to info")
+	} else {
+		zerolog.SetGlobalLevel(logLevel)
+	}
+
+	log.Logger = log.With().Caller().Logger()
+
+	if !cfg.LogJSON {
+		log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339})
+	}
+
+	log.Info().Str("version", config.Version).Msg("Starting tinyauth")
+
+	app := bootstrap.NewBootstrapApp(cfg)
+
+	err = app.Setup()
+
+	if err != nil {
+		return fmt.Errorf("failed to bootstrap app: %w", err)
+	}
+
+	return nil
+}
--- a/cmd/tinyauth/verify.go
+++ b/cmd/tinyauth/verify.go
@@ -0,0 +1,121 @@
+package main
+
+import (
+	"errors"
+	"fmt"
+	"os"
+	"time"
+
+	"github.com/steveiliop56/tinyauth/internal/utils"
+
+	"github.com/charmbracelet/huh"
+	"github.com/pquerna/otp/totp"
+	"github.com/rs/zerolog"
+	"github.com/rs/zerolog/log"
+	"github.com/traefik/paerser/cli"
+	"golang.org/x/crypto/bcrypt"
+)
+
+type VerifyUserConfig struct {
+	Interactive bool   `description:"Validate a user interactively."`
+	Username    string `description:"Username."`
+	Password    string `description:"Password."`
+	Totp        string `description:"TOTP code."`
+	User        string `description:"Hash (username:hash:totp)."`
+}
+
+func NewVerifyUserConfig() *VerifyUserConfig {
+	return &VerifyUserConfig{
+		Interactive: false,
+		Username:    "",
+		Password:    "",
+		Totp:        "",
+		User:        "",
+	}
+}
+
+func verifyUserCmd() *cli.Command {
+	tCfg := NewVerifyUserConfig()
+
+	loaders := []cli.ResourceLoader{
+		&cli.FlagLoader{},
+	}
+
+	return &cli.Command{
+		Name:          "verify",
+		Description:   "Verify a user is set up correctly.",
+		Configuration: tCfg,
+		Resources:     loaders,
+		Run: func(_ []string) error {
+			log.Logger = log.Output(zerolog.ConsoleWriter{Out: os.Stderr, TimeFormat: time.RFC3339}).With().Caller().Logger().Level(zerolog.InfoLevel)
+
+			if tCfg.Interactive {
+				form := huh.NewForm(
+					huh.NewGroup(
+						huh.NewInput().Title("User (username:hash:totp)").Value(&tCfg.User).Validate((func(s string) error {
+							if s == "" {
+								return errors.New("user cannot be empty")
+							}
+							return nil
+						})),
+						huh.NewInput().Title("Username").Value(&tCfg.Username).Validate((func(s string) error {
+							if s == "" {
+								return errors.New("username cannot be empty")
+							}
+							return nil
+						})),
+						huh.NewInput().Title("Password").Value(&tCfg.Password).Validate((func(s string) error {
+							if s == "" {
+								return errors.New("password cannot be empty")
+							}
+							return nil
+						})),
+						huh.NewInput().Title("TOTP Code (optional)").Value(&tCfg.Totp),
+					),
+				)
+
+				var baseTheme *huh.Theme = huh.ThemeBase()
+
+				err := form.WithTheme(baseTheme).Run()
+
+				if err != nil {
+					return fmt.Errorf("failed to run interactive prompt: %w", err)
+				}
+			}
+
+			user, err := utils.ParseUser(tCfg.User)
+
+			if err != nil {
+				return fmt.Errorf("failed to parse user: %w", err)
+			}
+
+			if user.Username != tCfg.Username {
+				return fmt.Errorf("username is incorrect")
+			}
+
+			err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(tCfg.Password))
+
+			if err != nil {
+				return fmt.Errorf("password is incorrect: %w", err)
+			}
+
+			if user.TotpSecret == "" {
+				if tCfg.Totp != "" {
+					log.Warn().Msg("User does not have TOTP secret")
+				}
+				log.Info().Msg("User verified")
+				return nil
+			}
+
+			ok := totp.Validate(tCfg.Totp, user.TotpSecret)
+
+			if !ok {
+				return fmt.Errorf("TOTP code incorrect")
+			}
+
+			log.Info().Msg("User verified")
+
+			return nil
+		},
+	}
+}
--- a/cmd/tinyauth/version.go
+++ b/cmd/tinyauth/version.go
@@ -0,0 +1,24 @@
+package main
+
+import (
+	"fmt"
+
+	"github.com/steveiliop56/tinyauth/internal/config"
+
+	"github.com/traefik/paerser/cli"
+)
+
+func versionCmd() *cli.Command {
+	return &cli.Command{
+		Name:          "version",
+		Description:   "Print the version number of Tinyauth.",
+		Configuration: nil,
+		Resources:     nil,
+		Run: func(_ []string) error {
+			fmt.Printf("Version: %s\n", config.Version)
+			fmt.Printf("Commit Hash: %s\n", config.CommitHash)
+			fmt.Printf("Build Timestamp: %s\n", config.BuildTimestamp)
+			return nil
+		},
+	}
+}
--- a/cmd/totp/generate/generate.go
+++ b/cmd/totp/generate/generate.go
@@ -1,121 +0,0 @@
-package generate
-
-import (
-	"errors"
-	"fmt"
-	"os"
-	"strings"
-	"tinyauth/internal/utils"
-
-	"github.com/charmbracelet/huh"
-	"github.com/mdp/qrterminal/v3"
-	"github.com/pquerna/otp/totp"
-	"github.com/rs/zerolog"
-	"github.com/rs/zerolog/log"
-	"github.com/spf13/cobra"
-)
-
-// Interactive flag
-var interactive bool
-
-// Input user
-var iUser string
-
-var GenerateCmd = &cobra.Command{
-	Use:   "generate",
-	Short: "Generate a totp secret",
-	Run: func(cmd *cobra.Command, args []string) {
-		// Setup logger
-		log.Logger = log.Level(zerolog.InfoLevel)
-
-		// Use simple theme
-		var baseTheme *huh.Theme = huh.ThemeBase()
-
-		// Interactive
-		if interactive {
-			// Create huh form
-			form := huh.NewForm(
-				huh.NewGroup(
-					huh.NewInput().Title("Current username:hash").Value(&iUser).Validate((func(s string) error {
-						if s == "" {
-							return errors.New("user cannot be empty")
-						}
-						return nil
-					})),
-				),
-			)
-
-			// Run form
-			err := form.WithTheme(baseTheme).Run()
-
-			if err != nil {
-				log.Fatal().Err(err).Msg("Form failed")
-			}
-		}
-
-		// Parse user
-		user, err := utils.ParseUser(iUser)
-
-		if err != nil {
-			log.Fatal().Err(err).Msg("Failed to parse user")
-		}
-
-		// Check if user was using docker escape
-		dockerEscape := false
-
-		if strings.Contains(iUser, "$$") {
-			dockerEscape = true
-		}
-
-		// Check it has totp
-		if user.TotpSecret != "" {
-			log.Fatal().Msg("User already has a totp secret")
-		}
-
-		// Generate totp secret
-		key, err := totp.Generate(totp.GenerateOpts{
-			Issuer:      "Tinyauth",
-			AccountName: user.Username,
-		})
-
-		if err != nil {
-			log.Fatal().Err(err).Msg("Failed to generate totp secret")
-		}
-
-		// Create secret
-		secret := key.Secret()
-
-		// Print secret and image
-		log.Info().Str("secret", secret).Msg("Generated totp secret")
-
-		// Print QR code
-		log.Info().Msg("Generated QR code")
-
-		config := qrterminal.Config{
-			Level:     qrterminal.L,
-			Writer:    os.Stdout,
-			BlackChar: qrterminal.BLACK,
-			WhiteChar: qrterminal.WHITE,
-			QuietZone: 2,
-		}
-
-		qrterminal.GenerateWithConfig(key.URL(), config)
-
-		// Add the secret to the user
-		user.TotpSecret = secret
-
-		// If using docker escape re-escape it
-		if dockerEscape {
-			user.Password = strings.ReplaceAll(user.Password, "$", "$$")
-		}
-
-		// Print success
-		log.Info().Str("user", fmt.Sprintf("%s:%s:%s", user.Username, user.Password, user.TotpSecret)).Msg("Add the totp secret to your authenticator app then use the verify command to ensure everything is working correctly.")
-	},
-}
-
-func init() {
-	// Add interactive flag
-	GenerateCmd.Flags().BoolVarP(&interactive, "interactive", "i", false, "Run in interactive mode")
-	GenerateCmd.Flags().StringVar(&iUser, "user", "", "Your current username:hash")
-}
--- a/cmd/totp/totp.go
+++ b/cmd/totp/totp.go
@@ -1,22 +0,0 @@
-package cmd
-
-import (
-	"tinyauth/cmd/totp/generate"
-
-	"github.com/spf13/cobra"
-)
-
-func TotpCmd() *cobra.Command {
-	// Create the totp command
-	totpCmd := &cobra.Command{
-		Use:   "totp",
-		Short: "Totp utilities",
-		Long:  `Utilities for creating and verifying totp codes.`,
-	}
-
-	// Add the generate command
-	totpCmd.AddCommand(generate.GenerateCmd)
-
-	// Return the totp command
-	return totpCmd
-}
--- a/cmd/user/create/create.go
+++ b/cmd/user/create/create.go
@@ -1,97 +0,0 @@
-package create
-
-import (
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/charmbracelet/huh"
-	"github.com/rs/zerolog"
-	"github.com/rs/zerolog/log"
-	"github.com/spf13/cobra"
-	"golang.org/x/crypto/bcrypt"
-)
-
-// Interactive flag
-var interactive bool
-
-// Docker flag
-var docker bool
-
-// i stands for input
-var iUsername string
-var iPassword string
-
-var CreateCmd = &cobra.Command{
-	Use:   "create",
-	Short: "Create a user",
-	Long:  `Create a user either interactively or by passing flags.`,
-	Run: func(cmd *cobra.Command, args []string) {
-		// Setup logger
-		log.Logger = log.Level(zerolog.InfoLevel)
-
-		// Check if interactive
-		if interactive {
-			// Create huh form
-			form := huh.NewForm(
-				huh.NewGroup(
-					huh.NewInput().Title("Username").Value(&iUsername).Validate((func(s string) error {
-						if s == "" {
-							return errors.New("username cannot be empty")
-						}
-						return nil
-					})),
-					huh.NewInput().Title("Password").Value(&iPassword).Validate((func(s string) error {
-						if s == "" {
-							return errors.New("password cannot be empty")
-						}
-						return nil
-					})),
-					huh.NewSelect[bool]().Title("Format the output for docker?").Options(huh.NewOption("Yes", true), huh.NewOption("No", false)).Value(&docker),
-				),
-			)
-
-			// Use simple theme
-			var baseTheme *huh.Theme = huh.ThemeBase()
-
-			err := form.WithTheme(baseTheme).Run()
-
-			if err != nil {
-				log.Fatal().Err(err).Msg("Form failed")
-			}
-		}
-
-		// Do we have username and password?
-		if iUsername == "" || iPassword == "" {
-			log.Fatal().Err(errors.New("error invalid input")).Msg("Username and password cannot be empty")
-		}
-
-		log.Info().Str("username", iUsername).Str("password", iPassword).Bool("docker", docker).Msg("Creating user")
-
-		// Hash password
-		password, err := bcrypt.GenerateFromPassword([]byte(iPassword), bcrypt.DefaultCost)
-
-		if err != nil {
-			log.Fatal().Err(err).Msg("Failed to hash password")
-		}
-
-		// Convert password to string
-		passwordString := string(password)
-
-		// Escape $ for docker
-		if docker {
-			passwordString = strings.ReplaceAll(passwordString, "$", "$$")
-		}
-
-		// Log user created
-		log.Info().Str("user", fmt.Sprintf("%s:%s", iUsername, passwordString)).Msg("User created")
-	},
-}
-
-func init() {
-	// Flags
-	CreateCmd.Flags().BoolVarP(&interactive, "interactive", "i", false, "Create a user interactively")
-	CreateCmd.Flags().BoolVar(&docker, "docker", false, "Format output for docker")
-	CreateCmd.Flags().StringVar(&iUsername, "username", "", "Username")
-	CreateCmd.Flags().StringVar(&iPassword, "password", "", "Password")
-}
--- a/cmd/user/user.go
+++ b/cmd/user/user.go
@@ -1,24 +0,0 @@
-package cmd
-
-import (
-	"tinyauth/cmd/user/create"
-	"tinyauth/cmd/user/verify"
-
-	"github.com/spf13/cobra"
-)
-
-func UserCmd() *cobra.Command {
-	// Create the user command
-	userCmd := &cobra.Command{
-		Use:   "user",
-		Short: "User utilities",
-		Long:  `Utilities for creating and verifying tinyauth compatible users.`,
-	}
-
-	// Add subcommands
-	userCmd.AddCommand(create.CreateCmd)
-	userCmd.AddCommand(verify.VerifyCmd)
-
-	// Return the user command
-	return userCmd
-}
--- a/cmd/user/verify/verify.go
+++ b/cmd/user/verify/verify.go
@@ -1,122 +0,0 @@
-package verify
-
-import (
-	"errors"
-	"tinyauth/internal/utils"
-
-	"github.com/charmbracelet/huh"
-	"github.com/pquerna/otp/totp"
-	"github.com/rs/zerolog"
-	"github.com/rs/zerolog/log"
-	"github.com/spf13/cobra"
-	"golang.org/x/crypto/bcrypt"
-)
-
-// Interactive flag
-var interactive bool
-
-// Docker flag
-var docker bool
-
-// i stands for input
-var iUsername string
-var iPassword string
-var iTotp string
-var iUser string
-
-var VerifyCmd = &cobra.Command{
-	Use:   "verify",
-	Short: "Verify a user is set up correctly",
-	Long:  `Verify a user is set up correctly meaning that it has a correct username, password and totp code.`,
-	Run: func(cmd *cobra.Command, args []string) {
-		// Setup logger
-		log.Logger = log.Level(zerolog.InfoLevel)
-
-		// Use simple theme
-		var baseTheme *huh.Theme = huh.ThemeBase()
-
-		// Check if interactive
-		if interactive {
-			// Create huh form
-			form := huh.NewForm(
-				huh.NewGroup(
-					huh.NewInput().Title("User (username:hash:totp)").Value(&iUser).Validate((func(s string) error {
-						if s == "" {
-							return errors.New("user cannot be empty")
-						}
-						return nil
-					})),
-					huh.NewInput().Title("Username").Value(&iUsername).Validate((func(s string) error {
-						if s == "" {
-							return errors.New("username cannot be empty")
-						}
-						return nil
-					})),
-					huh.NewInput().Title("Password").Value(&iPassword).Validate((func(s string) error {
-						if s == "" {
-							return errors.New("password cannot be empty")
-						}
-						return nil
-					})),
-					huh.NewInput().Title("Totp Code (if setup)").Value(&iTotp),
-				),
-			)
-
-			// Run form
-			err := form.WithTheme(baseTheme).Run()
-
-			if err != nil {
-				log.Fatal().Err(err).Msg("Form failed")
-			}
-		}
-
-		// Parse user
-		user, err := utils.ParseUser(iUser)
-
-		if err != nil {
-			log.Fatal().Err(err).Msg("Failed to parse user")
-		}
-
-		// Compare username
-		if user.Username != iUsername {
-			log.Fatal().Msg("Username is incorrect")
-		}
-
-		// Compare password
-		err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(iPassword))
-
-		if err != nil {
-			log.Fatal().Msg("Ppassword is incorrect")
-		}
-
-		// Check if user has 2fa code
-		if user.TotpSecret == "" {
-			if iTotp != "" {
-				log.Warn().Msg("User does not have 2fa secret")
-			}
-			log.Info().Msg("User verified")
-			return
-		}
-
-		// Check totp code
-		ok := totp.Validate(iTotp, user.TotpSecret)
-
-		if !ok {
-			log.Fatal().Msg("Totp code incorrect")
-
-		}
-
-		// Done
-		log.Info().Msg("User verified")
-	},
-}
-
-func init() {
-	// Flags
-	VerifyCmd.Flags().BoolVarP(&interactive, "interactive", "i", false, "Create a user interactively")
-	VerifyCmd.Flags().BoolVar(&docker, "docker", false, "Is the user formatted for docker?")
-	VerifyCmd.Flags().StringVar(&iUsername, "username", "", "Username")
-	VerifyCmd.Flags().StringVar(&iPassword, "password", "", "Password")
-	VerifyCmd.Flags().StringVar(&iTotp, "totp", "", "Totp code")
-	VerifyCmd.Flags().StringVar(&iUser, "user", "", "Hash (username:hash:totp combination)")
-}
--- a/codecov.yml
+++ b/codecov.yml
@@ -0,0 +1,8 @@
+coverage:
+  status:
+    project:
+      default:
+        informational: true
+    patch:
+      default:
+        informational: true
--- a/config.example.yaml
+++ b/config.example.yaml
@@ -0,0 +1,88 @@
+# Tinyauth Example Configuration
+
+# The base URL where Tinyauth is accessible
+appUrl: "https://auth.example.com"
+# Log level: trace, debug, info, warn, error
+logLevel: "info"
+# Directory for static resources
+resourcesDir: "./resources"
+# Path to SQLite database file
+databasePath: "./tinyauth.db"
+# Disable usage analytics
+disableAnalytics: false
+# Disable static resource serving
+disableResources: false
+# Disable UI warning messages
+disableUIWarnings: false
+# Enable JSON formatted logs
+logJSON: false
+
+# Server Configuration
+server:
+  # Port to listen on
+  port: 3000
+  # Interface to bind to (0.0.0.0 for all interfaces)
+  address: "0.0.0.0"
+  # Unix socket path (optional, overrides port/address if set)
+  socketPath: ""
+  # Comma-separated list of trusted proxy IPs/CIDRs
+  trustedProxies: ""
+
+# Authentication Configuration
+auth:
+  # Format: username:bcrypt_hash (use bcrypt to generate hash)
+  users: "admin:$2a$10$example_bcrypt_hash_here"
+  # Path to external users file (optional)
+  usersFile: ""
+  # Enable secure cookies (requires HTTPS)
+  secureCookie: false
+  # Session expiry in seconds (3600 = 1 hour)
+  sessionExpiry: 3600
+  # Login timeout in seconds (300 = 5 minutes)
+  loginTimeout: 300
+  # Maximum login retries before lockout
+  loginMaxRetries: 3
+
+# OAuth Configuration
+oauth:
+  # Regex pattern for allowed email addresses (e.g., /@example\.com$/)
+  whitelist: ""
+  # Provider ID to auto-redirect to (skips login page)
+  autoRedirect: ""
+  # OAuth Provider Configuration (replace myprovider with your provider name)
+  providers:
+    myprovider:
+      clientId: "your_client_id_here"
+      clientSecret: "your_client_secret_here"
+      authUrl: "https://provider.example.com/oauth/authorize"
+      tokenUrl: "https://provider.example.com/oauth/token"
+      userInfoUrl: "https://provider.example.com/oauth/userinfo"
+      redirectUrl: "https://auth.example.com/api/oauth/callback/myprovider"
+      scopes: "openid email profile"
+      name: "My OAuth Provider"
+      # Allow insecure connections (self-signed certificates)
+      insecure: false
+
+# UI Customization
+ui:
+  # Custom title for login page
+  title: "Tinyauth"
+  # Message shown on forgot password page
+  forgotPasswordMessage: "Contact your administrator to reset your password"
+  # Background image URL for login page
+  backgroundImage: ""
+
+# LDAP Configuration (optional)
+ldap:
+  # LDAP server address
+  address: "ldap://ldap.example.com:389"
+  # DN for binding to LDAP server
+  bindDn: "cn=readonly,dc=example,dc=com"
+  # Password for bind DN
+  bindPassword: "your_bind_password"
+  # Base DN for user searches
+  baseDn: "dc=example,dc=com"
+  # Search filter (%s will be replaced with username)
+  searchFilter: "(&(uid=%s)(memberOf=cn=users,ou=groups,dc=example,dc=com))"
+  # Allow insecure LDAP connections
+  insecure: false
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -13,8 +13,8 @@ services:
    image: traefik/whoami:latest
    labels:
      traefik.enable: true
-      traefik.http.routers.nginx.rule: Host(`whoami.example.com`)
-      traefik.http.routers.nginx.middlewares: tinyauth
+      traefik.http.routers.whoami.rule: Host(`whoami.example.com`)
+      traefik.http.routers.whoami.middlewares: tinyauth

  tinyauth-frontend:
    container_name: tinyauth-frontend
@@ -34,14 +34,20 @@ services:
    build:
      context: .
      dockerfile: Dockerfile.dev
+      args:
+        - VERSION=development
+        - COMMIT_HASH=development
+        - BUILD_TIMESTAMP=000-00-00T00:00:00Z
    env_file: .env
    volumes:
      - ./internal:/tinyauth/internal
      - ./cmd:/tinyauth/cmd
      - ./main.go:/tinyauth/main.go
      - /var/run/docker.sock:/var/run/docker.sock
+      - ./data:/data
    ports:
      - 3000:3000
+      - 4000:4000
    labels:
      traefik.enable: true
      traefik.http.middlewares.tinyauth.forwardauth.address: http://tinyauth-backend:3000/api/auth/traefik
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -13,16 +13,17 @@ services:
    image: traefik/whoami:latest
    labels:
      traefik.enable: true
-      traefik.http.routers.nginx.rule: Host(`whoami.example.com`)
-      traefik.http.routers.nginx.middlewares: tinyauth
+      traefik.http.routers.whoami.rule: Host(`whoami.example.com`)
+      traefik.http.routers.whoami.middlewares: tinyauth

  tinyauth:
    container_name: tinyauth
    image: ghcr.io/steveiliop56/tinyauth:v3
    environment:
-      - SECRET=some-random-32-chars-string
-      - APP_URL=https://tinyauth.example.com
-      - USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
+      - TINYAUTH_APPURL=https://tinyauth.example.com
+      - TINYAUTH_AUTH_USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password
+    volumes:
+      - ./data:/data
    labels:
      traefik.enable: true
      traefik.http.routers.tinyauth.rule: Host(`tinyauth.example.com`)
--- a/frontend/.prettierignore
+++ b/frontend/.prettierignore
@@ -1,3 +1,6 @@
 # Ignore artifacts:
 dist
 node_modules
+bun.lock
+package.json
+src/lib/i18n/locales
--- a/frontend/Dockerfile.dev
+++ b/frontend/Dockerfile.dev
@@ -1,9 +1,9 @@
-FROM oven/bun:1.1.45-alpine
+FROM oven/bun:1.2.16-alpine

 WORKDIR /frontend

 COPY ./frontend/package.json ./
-COPY ./frontend/bun.lockb ./
+COPY ./frontend/bun.lock ./

 RUN bun install

@@ -16,7 +16,6 @@ COPY ./frontend/tsconfig.json ./
 COPY ./frontend/tsconfig.app.json ./
 COPY ./frontend/tsconfig.node.json ./
 COPY ./frontend/vite.config.ts ./
-COPY ./frontend/postcss.config.cjs ./

 EXPOSE 5173

--- a/frontend/bun.lock
+++ b/frontend/bun.lock
--- a/frontend/bun.lockb
+++ b/frontend/bun.lockb
--- a/frontend/components.json
+++ b/frontend/components.json
@@ -0,0 +1,21 @@
+{
+  "$schema": "https://ui.shadcn.com/schema.json",
+  "style": "new-york",
+  "rsc": false,
+  "tsx": true,
+  "tailwind": {
+    "config": "",
+    "css": "src/index.css",
+    "baseColor": "neutral",
+    "cssVariables": true,
+    "prefix": ""
+  },
+  "aliases": {
+    "components": "@/components",
+    "utils": "@/lib/utils",
+    "ui": "@/components/ui",
+    "lib": "@/lib",
+    "hooks": "@/hooks"
+  },
+  "iconLibrary": "lucide"
+}
--- a/frontend/eslint.config.js
+++ b/frontend/eslint.config.js
@@ -3,6 +3,7 @@ import globals from "globals";
 import reactHooks from "eslint-plugin-react-hooks";
 import reactRefresh from "eslint-plugin-react-refresh";
 import tseslint from "typescript-eslint";
+import pluginQuery from "@tanstack/eslint-plugin-query";

 export default tseslint.config(
  { ignores: ["dist"] },
@@ -16,6 +17,7 @@ export default tseslint.config(
    plugins: {
      "react-hooks": reactHooks,
      "react-refresh": reactRefresh,
+      "@tanstack/query": pluginQuery,
    },
    rules: {
      ...reactHooks.configs.recommended.rules,
@@ -23,6 +25,7 @@ export default tseslint.config(
        "warn",
        { allowConstantExport: true },
      ],
+      "@tanstack/query/exhaustive-deps": "error",
    },
  },
 );
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -3,10 +3,13 @@
  <head>
    <meta charset="UTF-8" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+    <link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96" />
+    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
+    <link rel="shortcut icon" href="/favicon.ico" />
    <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
-    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
-    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
-    <link rel="manifest" href="/frontend.webmanifest" />
+    <meta name="apple-mobile-web-app-title" content="Tinyauth" />
+    <meta name="robots" content="nofollow, noindex" />
+    <link rel="manifest" href="/site.webmanifest" />
    <title>Tinyauth</title>
  </head>
  <body>
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,5 +1,5 @@
 {
-  "name": "frontend",
+  "name": "tinyauth",
  "private": true,
  "version": "0.0.0",
  "type": "module",
@@ -7,42 +7,53 @@
    "dev": "vite",
    "build": "tsc -b && vite build",
    "lint": "eslint .",
-    "preview": "vite preview"
+    "preview": "vite preview",
+    "tsc": "tsc -b"
  },
  "dependencies": {
-    "@mantine/core": "^7.16.0",
-    "@mantine/form": "^7.16.0",
-    "@mantine/hooks": "^7.16.0",
-    "@mantine/notifications": "^7.16.0",
-    "@tanstack/react-query": "5",
-    "axios": "^1.7.9",
-    "i18next": "^25.0.0",
-    "i18next-browser-languagedetector": "^8.0.4",
-    "i18next-chained-backend": "^4.6.2",
-    "i18next-http-backend": "^3.0.2",
+    "@hookform/resolvers": "^5.2.2",
+    "@radix-ui/react-dropdown-menu": "^2.1.16",
+    "@radix-ui/react-label": "^2.1.8",
+    "@radix-ui/react-select": "^2.2.6",
+    "@radix-ui/react-separator": "^1.1.8",
+    "@radix-ui/react-slot": "^1.2.4",
+    "@tailwindcss/vite": "^4.1.18",
+    "@tanstack/react-query": "^5.90.12",
+    "axios": "^1.13.2",
+    "class-variance-authority": "^0.7.1",
+    "clsx": "^2.1.1",
+    "i18next": "^25.7.3",
+    "i18next-browser-languagedetector": "^8.2.0",
    "i18next-resources-to-backend": "^1.2.1",
-    "react": "^19.1.0",
-    "react-dom": "^19.1.0",
-    "react-i18next": "^15.4.1",
+    "input-otp": "^1.4.2",
+    "lucide-react": "^0.562.0",
+    "next-themes": "^0.4.6",
+    "react": "^19.2.3",
+    "react-dom": "^19.2.3",
+    "react-hook-form": "^7.68.0",
+    "react-i18next": "^16.5.0",
    "react-markdown": "^10.1.0",
-    "react-router": "^7.5.2",
-    "zod": "^3.24.1"
+    "react-router": "^7.11.0",
+    "sonner": "^2.0.7",
+    "tailwind-merge": "^3.4.0",
+    "tailwindcss": "^4.1.18",
+    "zod": "^4.2.1"
  },
  "devDependencies": {
-    "@eslint/js": "^9.17.0",
-    "@types/react": "^19.1.1",
-    "@types/react-dom": "^19.1.2",
-    "@vitejs/plugin-react-swc": "^3.5.0",
-    "eslint": "^9.17.0",
-    "eslint-plugin-react-hooks": "^5.0.0",
-    "eslint-plugin-react-refresh": "^0.4.16",
-    "globals": "^16.0.0",
-    "postcss": "^8.5.1",
-    "postcss-preset-mantine": "^1.17.0",
-    "postcss-simple-vars": "^7.0.1",
-    "prettier": "3.5.3",
-    "typescript": "~5.8.3",
-    "typescript-eslint": "^8.18.2",
-    "vite": "^6.3.4"
+    "@eslint/js": "^9.39.2",
+    "@tanstack/eslint-plugin-query": "^5.91.2",
+    "@types/node": "^25.0.3",
+    "@types/react": "^19.2.7",
+    "@types/react-dom": "^19.2.3",
+    "@vitejs/plugin-react": "^5.1.2",
+    "eslint": "^9.39.2",
+    "eslint-plugin-react-hooks": "^7.0.1",
+    "eslint-plugin-react-refresh": "^0.4.26",
+    "globals": "^16.5.0",
+    "prettier": "3.7.4",
+    "tw-animate-css": "^1.4.0",
+    "typescript": "~5.9.3",
+    "typescript-eslint": "^8.50.0",
+    "vite": "^7.3.0"
  }
 }
--- a/frontend/postcss.config.cjs
+++ b/frontend/postcss.config.cjs
@@ -1,14 +0,0 @@
-module.exports = {
-  plugins: {
-    "postcss-preset-mantine": {},
-    "postcss-simple-vars": {
-      variables: {
-        "mantine-breakpoint-xs": "36em",
-        "mantine-breakpoint-sm": "48em",
-        "mantine-breakpoint-md": "62em",
-        "mantine-breakpoint-lg": "75em",
-        "mantine-breakpoint-xl": "88em",
-      },
-    },
-  },
-};
--- a/frontend/public/android-chrome-192x192.png
+++ b/frontend/public/android-chrome-192x192.png
--- a/frontend/public/android-chrome-512x512.png
+++ b/frontend/public/android-chrome-512x512.png
--- a/frontend/public/apple-touch-icon.png
+++ b/frontend/public/apple-touch-icon.png
--- a/frontend/public/background.jpg
+++ b/frontend/public/background.jpg
--- a/frontend/public/favicon-16x16.png
+++ b/frontend/public/favicon-16x16.png
--- a/frontend/public/favicon-32x32.png
+++ b/frontend/public/favicon-32x32.png
--- a/frontend/public/favicon-96x96.png
+++ b/frontend/public/favicon-96x96.png
--- a/frontend/public/favicon.ico
+++ b/frontend/public/favicon.ico
--- a/frontend/public/favicon.svg
+++ b/frontend/public/favicon.svg
--- a/frontend/public/site.webmanifest
+++ b/frontend/public/site.webmanifest
@@ -1 +1,21 @@
-{"name":"","short_name":"","icons":[{"src":"/android-chrome-192x192.png","sizes":"192x192","type":"image/png"},{"src":"/android-chrome-512x512.png","sizes":"512x512","type":"image/png"}],"theme_color":"#ffffff","background_color":"#ffffff","display":"standalone"}
+{
+  "name": "Tinyauth",
+  "short_name": "Tinyauth",
+  "icons": [
+    {
+      "src": "/web-app-manifest-192x192.png",
+      "sizes": "192x192",
+      "type": "image/png",
+      "purpose": "maskable"
+    },
+    {
+      "src": "/web-app-manifest-512x512.png",
+      "sizes": "512x512",
+      "type": "image/png",
+      "purpose": "maskable"
+    }
+  ],
+  "theme_color": "#171717",
+  "background_color": "#171717",
+  "display": "standalone"
+}
--- a/frontend/public/web-app-manifest-192x192.png
+++ b/frontend/public/web-app-manifest-192x192.png
--- a/frontend/public/web-app-manifest-512x512.png
+++ b/frontend/public/web-app-manifest-512x512.png
--- a/frontend/src/App.tsx
+++ b/frontend/src/App.tsx
@@ -1,17 +1,12 @@
 import { Navigate } from "react-router";
 import { useUserContext } from "./context/user-context";
-import { LogoutPage } from "./pages/logout-page";

 export const App = () => {
-  const queryString = window.location.search;
-  const params = new URLSearchParams(queryString);
-  const redirectUri = params.get("redirect_uri");
-
  const { isLoggedIn } = useUserContext();

-  if (!isLoggedIn) {
-    return <Navigate to={`/login?redirect_uri=${redirectUri}`} />;
+  if (isLoggedIn) {
+    return <Navigate to="/logout" replace />;
  }

-  return <LogoutPage />;
+  return <Navigate to="/login" replace />;
 };
--- a/frontend/src/components/auth/login-form.tsx
+++ b/frontend/src/components/auth/login-form.tsx
@@ -0,0 +1,89 @@
+import { useTranslation } from "react-i18next";
+import { Input } from "../ui/input";
+import { useForm } from "react-hook-form";
+import { zodResolver } from "@hookform/resolvers/zod";
+import {
+  Form,
+  FormControl,
+  FormField,
+  FormItem,
+  FormLabel,
+  FormMessage,
+} from "../ui/form";
+import { Button } from "../ui/button";
+import { loginSchema, LoginSchema } from "@/schemas/login-schema";
+import z from "zod";
+
+interface Props {
+  onSubmit: (data: LoginSchema) => void;
+  loading?: boolean;
+}
+
+export const LoginForm = (props: Props) => {
+  const { onSubmit, loading } = props;
+  const { t } = useTranslation();
+
+  z.config({
+    customError: (iss) =>
+      iss.input === undefined ? t("fieldRequired") : t("invalidInput"),
+  });
+
+  const form = useForm<LoginSchema>({
+    resolver: zodResolver(loginSchema),
+  });
+
+  return (
+    <Form {...form}>
+      <form onSubmit={form.handleSubmit(onSubmit)}>
+        <FormField
+          control={form.control}
+          name="username"
+          render={({ field }) => (
+            <FormItem className="mb-4 gap-0">
+              <FormLabel className="mb-2">{t("loginUsername")}</FormLabel>
+              <FormControl className="mb-1">
+                <Input
+                  placeholder={t("loginUsername")}
+                  disabled={loading}
+                  autoComplete="username"
+                  {...field}
+                />
+              </FormControl>
+              <FormMessage />
+            </FormItem>
+          )}
+        />
+        <FormField
+          control={form.control}
+          name="password"
+          render={({ field }) => (
+            <FormItem className="mb-4 gap-0">
+              <div className="relative mb-1">
+                <FormLabel className="mb-2">{t("loginPassword")}</FormLabel>
+                <FormControl>
+                  <Input
+                    placeholder={t("loginPassword")}
+                    type="password"
+                    disabled={loading}
+                    autoComplete="current-password"
+                    {...field}
+                  />
+                </FormControl>
+                <a
+                  href="/forgot-password"
+                  className="text-muted-foreground text-sm absolute right-0 bottom-[2.565rem]" // 2.565 is *just* perfect
+                >
+                  {t("forgotPasswordTitle")}
+                </a>
+              </div>
+              <FormMessage />
+            </FormItem>
+          )}
+        />
+        <Button className="w-full" type="submit" loading={loading}>
+          {t("loginSubmit")}
+        </Button>
+      </form>
+    </Form>
+  );
+};
--- a/frontend/src/components/auth/login-forn.tsx
+++ b/frontend/src/components/auth/login-forn.tsx
@@ -1,57 +0,0 @@
-import { TextInput, PasswordInput, Button, Anchor, Group, Text } from "@mantine/core";
-import { useForm, zodResolver } from "@mantine/form";
-import { LoginFormValues, loginSchema } from "../../schemas/login-schema";
-import { useTranslation } from "react-i18next";
-
-interface LoginFormProps {
-  isPending: boolean;
-  onSubmit: (values: LoginFormValues) => void;
-}
-
-export const LoginForm = (props: LoginFormProps) => {
-  const { isPending, onSubmit } = props;
-  const { t } = useTranslation();
-
-  const form = useForm({
-    mode: "uncontrolled",
-    initialValues: {
-      username: "",
-      password: "",
-    },
-    validate: zodResolver(loginSchema),
-  });
-
-  return (
-    <form onSubmit={form.onSubmit(onSubmit)}>
-      <TextInput
-        label={t("loginUsername")}
-        placeholder="Username"
-        disabled={isPending}
-        required
-        withAsterisk={false}
-        key={form.key("username")}
-        {...form.getInputProps("username")}
-      />
-      <Group justify="space-between" mb={5} mt="md">
-        <Text component="label" htmlFor=".password-input" size="sm" fw={500}>
-        {t("loginPassword")}
-        </Text>
-
-        <Anchor href="#" onClick={() => window.location.replace("/forgot-password")} pt={2} fw={500} fz="xs">
-          {t('forgotPasswordTitle')}
-        </Anchor>
-      </Group>
-      <PasswordInput
-        className="password-input"
-        placeholder="Password"
-        required
-        disabled={isPending}
-        key={form.key("password")}
-        {...form.getInputProps("password")}
-      />
-      <Button fullWidth mt="xl" type="submit" loading={isPending}>
-        {t("loginSubmit")}
-      </Button>
-    </form>
-  );
-};
--- a/frontend/src/components/auth/oauth-buttons.tsx
+++ b/frontend/src/components/auth/oauth-buttons.tsx
@@ -1,58 +0,0 @@
-import { Grid, Button } from "@mantine/core";
-import { GithubIcon } from "../../icons/github";
-import { GoogleIcon } from "../../icons/google";
-import { OAuthIcon } from "../../icons/oauth";
-
-interface OAuthButtonsProps {
-  oauthProviders: string[];
-  isPending: boolean;
-  mutate: (provider: string) => void;
-  genericName: string;
-}
-
-export const OAuthButtons = (props: OAuthButtonsProps) => {
-  const { oauthProviders, isPending, genericName, mutate } = props;
-  return (
-    <Grid mb="md" mt="md" align="center" justify="center">
-      {oauthProviders.includes("google") && (
-        <Grid.Col span="content">
-          <Button
-            radius="xl"
-            leftSection={<GoogleIcon style={{ width: 14, height: 14 }} />}
-            variant="default"
-            onClick={() => mutate("google")}
-            loading={isPending}
-          >
-            Google
-          </Button>
-        </Grid.Col>
-      )}
-      {oauthProviders.includes("github") && (
-        <Grid.Col span="content">
-          <Button
-            radius="xl"
-            leftSection={<GithubIcon style={{ width: 14, height: 14 }} />}
-            variant="default"
-            onClick={() => mutate("github")}
-            loading={isPending}
-          >
-            Github
-          </Button>
-        </Grid.Col>
-      )}
-      {oauthProviders.includes("generic") && (
-        <Grid.Col span="content">
-          <Button
-            radius="xl"
-            leftSection={<OAuthIcon style={{ width: 14, height: 14 }} />}
-            variant="default"
-            onClick={() => mutate("generic")}
-            loading={isPending}
-          >
-            {genericName}
-          </Button>
-        </Grid.Col>
-      )}
-    </Grid>
-  );
-};
--- a/frontend/src/components/auth/totp-form.tsx
+++ b/frontend/src/components/auth/totp-form.tsx
@@ -1,40 +1,68 @@
-import { Button, PinInput } from "@mantine/core";
-import { useForm, zodResolver } from "@mantine/form";
-import { z } from "zod";
+import { Form, FormControl, FormField, FormItem } from "../ui/form";
+import {
+  InputOTP,
+  InputOTPGroup,
+  InputOTPSeparator,
+  InputOTPSlot,
+} from "../ui/input-otp";
+import { zodResolver } from "@hookform/resolvers/zod";
+import { useForm } from "react-hook-form";
+import { totpSchema, TotpSchema } from "@/schemas/totp-schema";
+import { useTranslation } from "react-i18next";
+import z from "zod";

-const schema = z.object({
-  code: z.string(),
-});
-
-type FormValues = z.infer<typeof schema>;
-
-interface TotpFormProps {
-  onSubmit: (values: FormValues) => void;
-  isPending: boolean;
+interface Props {
+  formId: string;
+  onSubmit: (code: TotpSchema) => void;
+  loading?: boolean;
 }

-export const TotpForm = (props: TotpFormProps) => {
-  const { onSubmit, isPending } = props;
+export const TotpForm = (props: Props) => {
+  const { formId, onSubmit, loading } = props;
+  const { t } = useTranslation();

-  const form = useForm({
-    mode: "uncontrolled",
-    initialValues: {
-      code: "",
-    },
-    validate: zodResolver(schema),
+  z.config({
+    customError: (iss) =>
+      iss.input === undefined ? t("fieldRequired") : t("invalidInput"),
+  });
+
+  const form = useForm<TotpSchema>({
+    resolver: zodResolver(totpSchema),
  });

  return (
-    <form onSubmit={form.onSubmit(onSubmit)}>
-      <PinInput
-        length={6}
-        type={"number"}
-        placeholder=""
-        {...form.getInputProps("code")}
-      />
-      <Button type="submit" mt="xl" loading={isPending} fullWidth>
-        Verify
-      </Button>
-    </form>
+    <Form {...form}>
+      <form id={formId} onSubmit={form.handleSubmit(onSubmit)}>
+        <FormField
+          control={form.control}
+          name="code"
+          render={({ field }) => (
+            <FormItem>
+              <FormControl>
+                <InputOTP
+                  maxLength={6}
+                  disabled={loading}
+                  {...field}
+                  autoComplete="one-time-code"
+                  autoFocus
+                >
+                  <InputOTPGroup>
+                    <InputOTPSlot index={0} />
+                    <InputOTPSlot index={1} />
+                    <InputOTPSlot index={2} />
+                  </InputOTPGroup>
+                  <InputOTPSeparator />
+                  <InputOTPGroup>
+                    <InputOTPSlot index={3} />
+                    <InputOTPSlot index={4} />
+                    <InputOTPSlot index={5} />
+                  </InputOTPGroup>
+                </InputOTP>
+              </FormControl>
+            </FormItem>
+          )}
+        />
+      </form>
+    </Form>
  );
 };
--- a/frontend/src/components/domain-warning/domain-warning.tsx
+++ b/frontend/src/components/domain-warning/domain-warning.tsx
@@ -0,0 +1,56 @@
+import {
+  Card,
+  CardDescription,
+  CardFooter,
+  CardHeader,
+  CardTitle,
+} from "../ui/card";
+import { Button } from "../ui/button";
+import { Trans, useTranslation } from "react-i18next";
+import { useLocation } from "react-router";
+
+interface Props {
+  onClick: () => void;
+  appUrl: string;
+  currentUrl: string;
+}
+
+export const DomainWarning = (props: Props) => {
+  const { onClick, appUrl, currentUrl } = props;
+  const { t } = useTranslation();
+  const { search } = useLocation();
+
+  const searchParams = new URLSearchParams(search);
+  const redirectUri = searchParams.get("redirect_uri");
+
+  return (
+    <Card role="alert" aria-live="assertive" className="min-w-xs sm:min-w-sm">
+      <CardHeader>
+        <CardTitle className="text-3xl">{t("domainWarningTitle")}</CardTitle>
+        <CardDescription>
+          <Trans
+            t={t}
+            i18nKey="domainWarningSubtitle"
+            values={{ appUrl, currentUrl }}
+            components={{ code: <code /> }}
+          />
+        </CardDescription>
+      </CardHeader>
+      <CardFooter className="flex flex-col items-stretch gap-2">
+        <Button onClick={onClick} variant="warning">
+          {t("ignoreTitle")}
+        </Button>
+        <Button
+          onClick={() =>
+            window.location.assign(
+              `${appUrl}/login?redirect_uri=${encodeURIComponent(redirectUri || "")}`,
+            )
+          }
+          variant="outline"
+        >
+          {t("goToCorrectDomainTitle")}
+        </Button>
+      </CardFooter>
+    </Card>
+  );
+};
--- a/frontend/src/components/icons/github.tsx
+++ b/frontend/src/components/icons/github.tsx
--- a/frontend/src/components/icons/google.tsx
+++ b/frontend/src/components/icons/google.tsx
@@ -0,0 +1,30 @@
+import type { SVGProps } from "react";
+
+export function GoogleIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      width={256}
+      height={262}
+      viewBox="0 0 256 262"
+      {...props}
+    >
+      <path
+        fill="#4285f4"
+        d="M255.878 133.451c0-10.734-.871-18.567-2.756-26.69H130.55v48.448h71.947c-1.45 12.04-9.283 30.172-26.69 42.356l-.244 1.622l38.755 30.023l2.685.268c24.659-22.774 38.875-56.282 38.875-96.027"
+      ></path>
+      <path
+        fill="#34a853"
+        d="M130.55 261.1c35.248 0 64.839-11.605 86.453-31.622l-41.196-31.913c-11.024 7.688-25.82 13.055-45.257 13.055c-34.523 0-63.824-22.773-74.269-54.25l-1.531.13l-40.298 31.187l-.527 1.465C35.393 231.798 79.49 261.1 130.55 261.1"
+      ></path>
+      <path
+        fill="#fbbc05"
+        d="M56.281 156.37c-2.756-8.123-4.351-16.827-4.351-25.82c0-8.994 1.595-17.697 4.206-25.82l-.073-1.73L15.26 71.312l-1.335.635C5.077 89.644 0 109.517 0 130.55s5.077 40.905 13.925 58.602z"
+      ></path>
+      <path
+        fill="#eb4335"
+        d="M130.55 50.479c24.514 0 41.05 10.589 50.479 19.438l36.844-35.974C195.245 12.91 165.798 0 130.55 0C79.49 0 35.393 29.301 13.925 71.947l42.211 32.783c10.59-31.477 39.891-54.251 74.414-54.251"
+      ></path>
+    </svg>
+  );
+}
--- a/frontend/src/components/icons/microsoft.tsx
+++ b/frontend/src/components/icons/microsoft.tsx
@@ -0,0 +1,18 @@
+import type { SVGProps } from "react";
+
+export function MicrosoftIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      width="2em"
+      height="2em"
+      viewBox="0 0 256 256"
+      {...props}
+    >
+      <path fill="#f1511b" d="M121.666 121.666H0V0h121.666z"></path>
+      <path fill="#80cc28" d="M256 121.666H134.335V0H256z"></path>
+      <path fill="#00adef" d="M121.663 256.002H0V134.336h121.663z"></path>
+      <path fill="#fbbc09" d="M256 256.002H134.335V134.336H256z"></path>
+    </svg>
+  );
+}
--- a/frontend/src/components/icons/oauth.tsx
+++ b/frontend/src/components/icons/oauth.tsx
--- a/frontend/src/components/icons/pocket-id.tsx
+++ b/frontend/src/components/icons/pocket-id.tsx
@@ -0,0 +1,20 @@
+import type { SVGProps } from "react";
+
+export function PocketIDIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      xmlSpace="preserve"
+      width={512}
+      height={512}
+      viewBox="0 0 512 512"
+      {...props}
+    >
+      <circle cx="256" cy="256" r="256" />
+      <path
+        d="M268.6 102.4c64.4 0 116.8 52.4 116.8 116.7 0 25.3-8 49.4-23 69.6-14.8 19.9-35 34.3-58.4 41.7l-6.5 2-15.5-76.2 4.3-2c14-6.7 23-21.1 23-36.6 0-22.4-18.2-40.6-40.6-40.6S228 195.2 228 217.6c0 15.5 9 29.8 23 36.6l4.2 2-25 153.4h-69.5V102.4z"
+        className="fill-white"
+      />
+    </svg>
+  );
+}
--- a/frontend/src/components/icons/tailscale.tsx
+++ b/frontend/src/components/icons/tailscale.tsx
@@ -0,0 +1,26 @@
+import type { SVGProps } from "react";
+
+export function TailscaleIcon(props: SVGProps<SVGSVGElement>) {
+  return (
+    <svg
+      xmlns="http://www.w3.org/2000/svg"
+      xmlSpace="preserve"
+      width={512}
+      height={512}
+      viewBox="0 0 512 512"
+      {...props}
+    >
+      <path
+        className="opacity-80"
+        fill="currentColor"
+        d="M65.6 318.1c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9S1.8 219 1.8 254.2s28.6 63.9 63.8 63.9m191.6 0c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m0 193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9m189.2-193.9c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9"
+      />
+
+      <path
+        d="M65.6 127.7c35.3 0 63.9-28.6 63.9-63.9S100.9 0 65.6 0 1.8 28.6 1.8 63.9s28.6 63.8 63.8 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.8 28.7-63.8 63.9S30.4 512 65.6 512m191.6-384.3c35.3 0 63.9-28.6 63.9-63.9S292.5 0 257.2 0s-63.9 28.6-63.9 63.9 28.6 63.8 63.9 63.8m189.2 0c35.3 0 63.9-28.6 63.9-63.9S481.6 0 446.4 0c-35.3 0-63.9 28.6-63.9 63.9s28.6 63.8 63.9 63.8m0 384.3c35.3 0 63.9-28.6 63.9-63.9s-28.6-63.9-63.9-63.9-63.9 28.6-63.9 63.9 28.6 63.9 63.9 63.9"
+        className="opacity-20"
+        fill="currentColor"
+      />
+    </svg>
+  );
+}
--- a/frontend/src/components/language-selector/language-selector.tsx
+++ b/frontend/src/components/language-selector/language-selector.tsx
@@ -1,40 +0,0 @@
-import { ComboboxItem, Select } from "@mantine/core";
-import { useState } from "react";
-import i18n from "../../lib/i18n/i18n";
-import {
-  SupportedLanguage,
-  getLanguageName,
-  languages,
-} from "../../lib/i18n/locales";
-
-export const LanguageSelector = () => {
-  const [language, setLanguage] = useState<ComboboxItem>({
-    value: i18n.language,
-    label: getLanguageName(i18n.language as SupportedLanguage),
-  });
-
-  const languageOptions = Object.entries(languages).map(([code, name]) => ({
-    value: code,
-    label: name,
-  }));
-
-  const handleLanguageChange = (option: string) => {
-    i18n.changeLanguage(option as SupportedLanguage);
-    setLanguage({
-      value: option,
-      label: getLanguageName(option as SupportedLanguage),
-    });
-  };
-
-  return (
-    <Select
-      data={languageOptions}
-      value={language ? language.value : null}
-      onChange={(_value, option) => handleLanguageChange(option.value)}
-      allowDeselect={false}
-      pos="absolute"
-      right={10}
-      top={10}
-    />
-  );
-};
--- a/frontend/src/components/language/language.tsx
+++ b/frontend/src/components/language/language.tsx
@@ -0,0 +1,36 @@
+import { languages, SupportedLanguage } from "@/lib/i18n/locales";
+import {
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
+} from "../ui/select";
+import { useState } from "react";
+import i18n from "@/lib/i18n/i18n";
+
+export const LanguageSelector = () => {
+  const [language, setLanguage] = useState<SupportedLanguage>(
+    i18n.language as SupportedLanguage,
+  );
+
+  const handleSelect = (option: string) => {
+    setLanguage(option as SupportedLanguage);
+    i18n.changeLanguage(option as SupportedLanguage);
+  };
+
+  return (
+    <Select onValueChange={handleSelect} value={language}>
+      <SelectTrigger>
+        <SelectValue placeholder="Select language" />
+      </SelectTrigger>
+      <SelectContent>
+        {Object.entries(languages).map(([key, value]) => (
+          <SelectItem key={key} value={key}>
+            {value}
+          </SelectItem>
+        ))}
+      </SelectContent>
+    </Select>
+  );
+};
--- a/frontend/src/components/layout/layout.tsx
+++ b/frontend/src/components/layout/layout.tsx
@@ -0,0 +1,62 @@
+import { useAppContext } from "@/context/app-context";
+import { LanguageSelector } from "../language/language";
+import { Outlet } from "react-router";
+import { useCallback, useEffect, useState } from "react";
+import { DomainWarning } from "../domain-warning/domain-warning";
+import { ThemeToggle } from "../theme-toggle/theme-toggle";
+
+const BaseLayout = ({ children }: { children: React.ReactNode }) => {
+  const { backgroundImage, title } = useAppContext();
+
+  useEffect(() => {
+    document.title = title;
+  }, [title]);
+
+  return (
+    <div
+      className="relative flex flex-col justify-center items-center min-h-svh"
+      style={{
+        backgroundImage: `url(${backgroundImage})`,
+        backgroundSize: "cover",
+        backgroundPosition: "center",
+      }}
+    >
+      <div className="absolute top-5 right-5 flex flex-row gap-2">
+        <ThemeToggle />
+        <LanguageSelector />
+      </div>
+      {children}
+    </div>
+  );
+};
+
+export const Layout = () => {
+  const { appUrl, disableUiWarnings } = useAppContext();
+  const [ignoreDomainWarning, setIgnoreDomainWarning] = useState(() => {
+    return window.sessionStorage.getItem("ignoreDomainWarning") === "true";
+  });
+  const currentUrl = window.location.origin;
+
+  const handleIgnore = useCallback(() => {
+    window.sessionStorage.setItem("ignoreDomainWarning", "true");
+    setIgnoreDomainWarning(true);
+  }, [setIgnoreDomainWarning]);
+
+  if (!ignoreDomainWarning && !disableUiWarnings && appUrl !== currentUrl) {
+    return (
+      <BaseLayout>
+        <DomainWarning
+          appUrl={appUrl}
+          currentUrl={currentUrl}
+          onClick={() => handleIgnore()}
+        />
+      </BaseLayout>
+    );
+  }
+
+  return (
+    <BaseLayout>
+      <Outlet />
+    </BaseLayout>
+  );
+};
--- a/frontend/src/components/layouts/layout.tsx
+++ b/frontend/src/components/layouts/layout.tsx
@@ -1,16 +0,0 @@
-import { Center, Flex } from "@mantine/core";
-import { ReactNode } from "react";
-import { LanguageSelector } from "../language-selector/language-selector";
-
-export const Layout = ({ children }: { children: ReactNode }) => {
-  return (
-    <>
-      <LanguageSelector />
-      <Center style={{ minHeight: "100vh" }}>
-        <Flex direction="column" flex="1" maw={340}>
-          {children}
-        </Flex>
-      </Center>
-    </>
-  );
-};
--- a/frontend/src/components/providers/theme-provider.tsx
+++ b/frontend/src/components/providers/theme-provider.tsx
@@ -0,0 +1,73 @@
+import { createContext, useContext, useEffect, useState } from "react";
+
+type Theme = "dark" | "light" | "system";
+
+type ThemeProviderProps = {
+  children: React.ReactNode;
+  defaultTheme?: Theme;
+  storageKey?: string;
+};
+
+type ThemeProviderState = {
+  theme: Theme;
+  setTheme: (theme: Theme) => void;
+};
+
+const initialState: ThemeProviderState = {
+  theme: "system",
+  setTheme: () => null,
+};
+
+const ThemeProviderContext = createContext<ThemeProviderState>(initialState);
+
+export function ThemeProvider({
+  children,
+  defaultTheme = "system",
+  storageKey = "vite-ui-theme",
+  ...props
+}: ThemeProviderProps) {
+  const [theme, setTheme] = useState<Theme>(
+    () => (localStorage.getItem(storageKey) as Theme) || defaultTheme,
+  );
+
+  useEffect(() => {
+    const root = window.document.documentElement;
+
+    root.classList.remove("light", "dark");
+
+    if (theme === "system") {
+      const systemTheme = window.matchMedia("(prefers-color-scheme: dark)")
+        .matches
+        ? "dark"
+        : "light";
+
+      root.classList.add(systemTheme);
+      return;
+    }
+
+    root.classList.add(theme);
+  }, [theme]);
+
+  const value = {
+    theme,
+    setTheme: (theme: Theme) => {
+      localStorage.setItem(storageKey, theme);
+      setTheme(theme);
+    },
+  };
+
+  return (
+    <ThemeProviderContext.Provider {...props} value={value}>
+      {children}
+    </ThemeProviderContext.Provider>
+  );
+}
+
+export const useTheme = () => {
+  const context = useContext(ThemeProviderContext);
+
+  if (context === undefined)
+    throw new Error("useTheme must be used within a ThemeProvider");
+
+  return context;
+};
--- a/frontend/src/components/theme-toggle/theme-toggle.tsx
+++ b/frontend/src/components/theme-toggle/theme-toggle.tsx
@@ -0,0 +1,40 @@
+import { Moon, Sun } from "lucide-react";
+
+import { Button } from "@/components/ui/button";
+import {
+  DropdownMenu,
+  DropdownMenuContent,
+  DropdownMenuItem,
+  DropdownMenuTrigger,
+} from "@/components/ui/dropdown-menu";
+import { useTheme } from "@/components/providers/theme-provider";
+
+export function ThemeToggle() {
+  const { setTheme } = useTheme();
+
+  return (
+    <DropdownMenu>
+      <DropdownMenuTrigger asChild>
+        <Button
+          className="bg-card text-card-foreground hover:bg-card/90"
+          size="icon"
+        >
+          <Sun className="h-[1.2rem] w-[1.2rem] scale-100 rotate-0 transition-all dark:scale-0 dark:-rotate-90" />
+          <Moon className="absolute h-[1.2rem] w-[1.2rem] scale-0 rotate-90 transition-all dark:scale-100 dark:rotate-0" />
+          <span className="sr-only">Toggle theme</span>
+        </Button>
+      </DropdownMenuTrigger>
+      <DropdownMenuContent align="end">
+        <DropdownMenuItem onClick={() => setTheme("light")}>
+          Light
+        </DropdownMenuItem>
+        <DropdownMenuItem onClick={() => setTheme("dark")}>
+          Dark
+        </DropdownMenuItem>
+        <DropdownMenuItem onClick={() => setTheme("system")}>
+          System
+        </DropdownMenuItem>
+      </DropdownMenuContent>
+    </DropdownMenu>
+  );
+}
--- a/frontend/src/components/ui/button.tsx
+++ b/frontend/src/components/ui/button.tsx
@@ -0,0 +1,77 @@
+import * as React from "react";
+import { Slot } from "@radix-ui/react-slot";
+import { cva, type VariantProps } from "class-variance-authority";
+
+import { cn } from "@/lib/utils";
+import { Loader2 } from "lucide-react";
+
+const buttonVariants = cva(
+  "inline-flex items-center justify-center gap-2 whitespace-nowrap rounded-md text-sm font-medium transition-all disabled:pointer-events-none disabled:opacity-50 [&_svg]:pointer-events-none [&_svg:not([class*='size-'])]:size-4 shrink-0 [&_svg]:shrink-0 outline-none focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px] aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive hover:cursor-pointer",
+  {
+    variants: {
+      variant: {
+        default:
+          "bg-primary text-primary-foreground shadow-xs hover:bg-primary/90",
+        destructive:
+          "bg-destructive text-white shadow-xs hover:bg-destructive/90 focus-visible:ring-destructive/20 dark:focus-visible:ring-destructive/40 dark:bg-destructive/60",
+        outline:
+          "border bg-background shadow-xs hover:bg-accent hover:text-accent-foreground dark:bg-input/30 dark:border-input dark:hover:bg-input/50",
+        secondary:
+          "bg-secondary text-secondary-foreground shadow-xs hover:bg-secondary/80",
+        ghost:
+          "hover:bg-accent hover:text-accent-foreground dark:hover:bg-accent/50",
+        link: "text-primary underline-offset-4 hover:underline",
+        warning:
+          "bg-amber-500 text-white shadow-xs hover:bg-amber-400 focus-visible:ring-amber-200/20 dark:focus-visible:ring-amber-400/40",
+      },
+      size: {
+        default: "h-9 px-4 py-2 has-[>svg]:px-3",
+        sm: "h-8 rounded-md gap-1.5 px-3 has-[>svg]:px-2.5",
+        lg: "h-10 rounded-md px-6 has-[>svg]:px-4",
+        icon: "size-9",
+      },
+    },
+    defaultVariants: {
+      variant: "default",
+      size: "default",
+    },
+  },
+);
+
+function Button({
+  className,
+  variant,
+  size,
+  asChild = false,
+  loading = false,
+  ...props
+}: React.ComponentProps<"button"> &
+  VariantProps<typeof buttonVariants> & {
+    asChild?: boolean;
+    loading?: boolean;
+  }) {
+  const Comp = asChild ? Slot : "button";
+
+  if (loading) {
+    return (
+      <Comp
+        data-slot="button"
+        className={cn(buttonVariants({ variant, size, className }))}
+        disabled
+        {...props}
+      >
+        <Loader2 className="animate-spin" />
+      </Comp>
+    );
+  }
+
+  return (
+    <Comp
+      data-slot="button"
+      className={cn(buttonVariants({ variant, size, className }))}
+      {...props}
+    />
+  );
+}
+
+export { Button, buttonVariants };
--- a/frontend/src/components/ui/card.tsx
+++ b/frontend/src/components/ui/card.tsx
@@ -0,0 +1,92 @@
+import * as React from "react";
+
+import { cn } from "@/lib/utils";
+
+function Card({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card"
+      className={cn(
+        "bg-card text-card-foreground flex flex-col gap-6 rounded-xl border py-6 shadow-sm",
+        className,
+      )}
+      {...props}
+    />
+  );
+}
+
+function CardHeader({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card-header"
+      className={cn(
+        "@container/card-header grid auto-rows-min grid-rows-[auto_auto] items-start gap-1.5 px-6 has-data-[slot=card-action]:grid-cols-[1fr_auto] [.border-b]:pb-6",
+        className,
+      )}
+      {...props}
+    />
+  );
+}
+
+function CardTitle({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card-title"
+      className={cn("leading-none font-semibold", className)}
+      {...props}
+    />
+  );
+}
+
+function CardDescription({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card-description"
+      className={cn("text-muted-foreground text-sm", className)}
+      {...props}
+    />
+  );
+}
+
+function CardAction({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card-action"
+      className={cn(
+        "col-start-2 row-span-2 row-start-1 self-start justify-self-end",
+        className,
+      )}
+      {...props}
+    />
+  );
+}
+
+function CardContent({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card-content"
+      className={cn("px-6", className)}
+      {...props}
+    />
+  );
+}
+
+function CardFooter({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="card-footer"
+      className={cn("flex items-center px-6 [.border-t]:pt-6", className)}
+      {...props}
+    />
+  );
+}
+
+export {
+  Card,
+  CardHeader,
+  CardFooter,
+  CardTitle,
+  CardAction,
+  CardDescription,
+  CardContent,
+};
--- a/frontend/src/components/ui/dropdown-menu.tsx
+++ b/frontend/src/components/ui/dropdown-menu.tsx
@@ -0,0 +1,255 @@
+import * as React from "react"
+import * as DropdownMenuPrimitive from "@radix-ui/react-dropdown-menu"
+import { CheckIcon, ChevronRightIcon, CircleIcon } from "lucide-react"
+
+import { cn } from "@/lib/utils"
+
+function DropdownMenu({
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.Root>) {
+  return <DropdownMenuPrimitive.Root data-slot="dropdown-menu" {...props} />
+}
+
+function DropdownMenuPortal({
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.Portal>) {
+  return (
+    <DropdownMenuPrimitive.Portal data-slot="dropdown-menu-portal" {...props} />
+  )
+}
+
+function DropdownMenuTrigger({
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.Trigger>) {
+  return (
+    <DropdownMenuPrimitive.Trigger
+      data-slot="dropdown-menu-trigger"
+      {...props}
+    />
+  )
+}
+
+function DropdownMenuContent({
+  className,
+  sideOffset = 4,
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.Content>) {
+  return (
+    <DropdownMenuPrimitive.Portal>
+      <DropdownMenuPrimitive.Content
+        data-slot="dropdown-menu-content"
+        sideOffset={sideOffset}
+        className={cn(
+          "bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2 z-50 max-h-(--radix-dropdown-menu-content-available-height) min-w-[8rem] origin-(--radix-dropdown-menu-content-transform-origin) overflow-x-hidden overflow-y-auto rounded-md border p-1 shadow-md",
+          className
+        )}
+        {...props}
+      />
+    </DropdownMenuPrimitive.Portal>
+  )
+}
+
+function DropdownMenuGroup({
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.Group>) {
+  return (
+    <DropdownMenuPrimitive.Group data-slot="dropdown-menu-group" {...props} />
+  )
+}
+
+function DropdownMenuItem({
+  className,
+  inset,
+  variant = "default",
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.Item> & {
+  inset?: boolean
+  variant?: "default" | "destructive"
+}) {
+  return (
+    <DropdownMenuPrimitive.Item
+      data-slot="dropdown-menu-item"
+      data-inset={inset}
+      data-variant={variant}
+      className={cn(
+        "focus:bg-accent focus:text-accent-foreground data-[variant=destructive]:text-destructive data-[variant=destructive]:focus:bg-destructive/10 dark:data-[variant=destructive]:focus:bg-destructive/20 data-[variant=destructive]:focus:text-destructive data-[variant=destructive]:*:[svg]:!text-destructive [&_svg:not([class*='text-'])]:text-muted-foreground relative flex cursor-default items-center gap-2 rounded-sm px-2 py-1.5 text-sm outline-hidden select-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50 data-[inset]:pl-8 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+function DropdownMenuCheckboxItem({
+  className,
+  children,
+  checked,
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.CheckboxItem>) {
+  return (
+    <DropdownMenuPrimitive.CheckboxItem
+      data-slot="dropdown-menu-checkbox-item"
+      className={cn(
+        "focus:bg-accent focus:text-accent-foreground relative flex cursor-default items-center gap-2 rounded-sm py-1.5 pr-2 pl-8 text-sm outline-hidden select-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+        className
+      )}
+      checked={checked}
+      {...props}
+    >
+      <span className="pointer-events-none absolute left-2 flex size-3.5 items-center justify-center">
+        <DropdownMenuPrimitive.ItemIndicator>
+          <CheckIcon className="size-4" />
+        </DropdownMenuPrimitive.ItemIndicator>
+      </span>
+      {children}
+    </DropdownMenuPrimitive.CheckboxItem>
+  )
+}
+
+function DropdownMenuRadioGroup({
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.RadioGroup>) {
+  return (
+    <DropdownMenuPrimitive.RadioGroup
+      data-slot="dropdown-menu-radio-group"
+      {...props}
+    />
+  )
+}
+
+function DropdownMenuRadioItem({
+  className,
+  children,
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.RadioItem>) {
+  return (
+    <DropdownMenuPrimitive.RadioItem
+      data-slot="dropdown-menu-radio-item"
+      className={cn(
+        "focus:bg-accent focus:text-accent-foreground relative flex cursor-default items-center gap-2 rounded-sm py-1.5 pr-2 pl-8 text-sm outline-hidden select-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+        className
+      )}
+      {...props}
+    >
+      <span className="pointer-events-none absolute left-2 flex size-3.5 items-center justify-center">
+        <DropdownMenuPrimitive.ItemIndicator>
+          <CircleIcon className="size-2 fill-current" />
+        </DropdownMenuPrimitive.ItemIndicator>
+      </span>
+      {children}
+    </DropdownMenuPrimitive.RadioItem>
+  )
+}
+
+function DropdownMenuLabel({
+  className,
+  inset,
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.Label> & {
+  inset?: boolean
+}) {
+  return (
+    <DropdownMenuPrimitive.Label
+      data-slot="dropdown-menu-label"
+      data-inset={inset}
+      className={cn(
+        "px-2 py-1.5 text-sm font-medium data-[inset]:pl-8",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+function DropdownMenuSeparator({
+  className,
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.Separator>) {
+  return (
+    <DropdownMenuPrimitive.Separator
+      data-slot="dropdown-menu-separator"
+      className={cn("bg-border -mx-1 my-1 h-px", className)}
+      {...props}
+    />
+  )
+}
+
+function DropdownMenuShortcut({
+  className,
+  ...props
+}: React.ComponentProps<"span">) {
+  return (
+    <span
+      data-slot="dropdown-menu-shortcut"
+      className={cn(
+        "text-muted-foreground ml-auto text-xs tracking-widest",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+function DropdownMenuSub({
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.Sub>) {
+  return <DropdownMenuPrimitive.Sub data-slot="dropdown-menu-sub" {...props} />
+}
+
+function DropdownMenuSubTrigger({
+  className,
+  inset,
+  children,
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.SubTrigger> & {
+  inset?: boolean
+}) {
+  return (
+    <DropdownMenuPrimitive.SubTrigger
+      data-slot="dropdown-menu-sub-trigger"
+      data-inset={inset}
+      className={cn(
+        "focus:bg-accent focus:text-accent-foreground data-[state=open]:bg-accent data-[state=open]:text-accent-foreground [&_svg:not([class*='text-'])]:text-muted-foreground flex cursor-default items-center gap-2 rounded-sm px-2 py-1.5 text-sm outline-hidden select-none data-[inset]:pl-8 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+        className
+      )}
+      {...props}
+    >
+      {children}
+      <ChevronRightIcon className="ml-auto size-4" />
+    </DropdownMenuPrimitive.SubTrigger>
+  )
+}
+
+function DropdownMenuSubContent({
+  className,
+  ...props
+}: React.ComponentProps<typeof DropdownMenuPrimitive.SubContent>) {
+  return (
+    <DropdownMenuPrimitive.SubContent
+      data-slot="dropdown-menu-sub-content"
+      className={cn(
+        "bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2 z-50 min-w-[8rem] origin-(--radix-dropdown-menu-content-transform-origin) overflow-hidden rounded-md border p-1 shadow-lg",
+        className
+      )}
+      {...props}
+    />
+  )
+}
+
+export {
+  DropdownMenu,
+  DropdownMenuPortal,
+  DropdownMenuTrigger,
+  DropdownMenuContent,
+  DropdownMenuGroup,
+  DropdownMenuLabel,
+  DropdownMenuItem,
+  DropdownMenuCheckboxItem,
+  DropdownMenuRadioGroup,
+  DropdownMenuRadioItem,
+  DropdownMenuSeparator,
+  DropdownMenuShortcut,
+  DropdownMenuSub,
+  DropdownMenuSubTrigger,
+  DropdownMenuSubContent,
+}
--- a/frontend/src/components/ui/form.tsx
+++ b/frontend/src/components/ui/form.tsx
@@ -0,0 +1,166 @@
+import * as React from "react";
+import * as LabelPrimitive from "@radix-ui/react-label";
+import { Slot } from "@radix-ui/react-slot";
+import {
+  Controller,
+  FormProvider,
+  useFormContext,
+  useFormState,
+  type ControllerProps,
+  type FieldPath,
+  type FieldValues,
+} from "react-hook-form";
+
+import { cn } from "@/lib/utils";
+import { Label } from "@/components/ui/label";
+
+const Form = FormProvider;
+
+type FormFieldContextValue<
+  TFieldValues extends FieldValues = FieldValues,
+  TName extends FieldPath<TFieldValues> = FieldPath<TFieldValues>,
+> = {
+  name: TName;
+};
+
+const FormFieldContext = React.createContext<FormFieldContextValue>(
+  {} as FormFieldContextValue,
+);
+
+const FormField = <
+  TFieldValues extends FieldValues = FieldValues,
+  TName extends FieldPath<TFieldValues> = FieldPath<TFieldValues>,
+>({
+  ...props
+}: ControllerProps<TFieldValues, TName>) => {
+  return (
+    <FormFieldContext.Provider value={{ name: props.name }}>
+      <Controller {...props} />
+    </FormFieldContext.Provider>
+  );
+};
+
+const useFormField = () => {
+  const fieldContext = React.useContext(FormFieldContext);
+  const itemContext = React.useContext(FormItemContext);
+  const { getFieldState } = useFormContext();
+  const formState = useFormState({ name: fieldContext.name });
+  const fieldState = getFieldState(fieldContext.name, formState);
+
+  if (!fieldContext) {
+    throw new Error("useFormField should be used within <FormField>");
+  }
+
+  const { id } = itemContext;
+
+  return {
+    id,
+    name: fieldContext.name,
+    formItemId: `${id}-form-item`,
+    formDescriptionId: `${id}-form-item-description`,
+    formMessageId: `${id}-form-item-message`,
+    ...fieldState,
+  };
+};
+
+type FormItemContextValue = {
+  id: string;
+};
+
+const FormItemContext = React.createContext<FormItemContextValue>(
+  {} as FormItemContextValue,
+);
+
+function FormItem({ className, ...props }: React.ComponentProps<"div">) {
+  const id = React.useId();
+
+  return (
+    <FormItemContext.Provider value={{ id }}>
+      <div
+        data-slot="form-item"
+        className={cn("grid gap-2", className)}
+        {...props}
+      />
+    </FormItemContext.Provider>
+  );
+}
+
+function FormLabel({
+  className,
+  ...props
+}: React.ComponentProps<typeof LabelPrimitive.Root>) {
+  const { error, formItemId } = useFormField();
+
+  return (
+    <Label
+      data-slot="form-label"
+      data-error={!!error}
+      className={cn("data-[error=true]:text-destructive", className)}
+      htmlFor={formItemId}
+      {...props}
+    />
+  );
+}
+
+function FormControl({ ...props }: React.ComponentProps<typeof Slot>) {
+  const { error, formItemId, formDescriptionId, formMessageId } =
+    useFormField();
+
+  return (
+    <Slot
+      data-slot="form-control"
+      id={formItemId}
+      aria-describedby={
+        !error
+          ? `${formDescriptionId}`
+          : `${formDescriptionId} ${formMessageId}`
+      }
+      aria-invalid={!!error}
+      {...props}
+    />
+  );
+}
+
+function FormDescription({ className, ...props }: React.ComponentProps<"p">) {
+  const { formDescriptionId } = useFormField();
+
+  return (
+    <p
+      data-slot="form-description"
+      id={formDescriptionId}
+      className={cn("text-muted-foreground text-sm", className)}
+      {...props}
+    />
+  );
+}
+
+function FormMessage({ className, ...props }: React.ComponentProps<"p">) {
+  const { error, formMessageId } = useFormField();
+  const body = error ? String(error?.message ?? "") : props.children;
+
+  if (!body) {
+    return null;
+  }
+
+  return (
+    <p
+      data-slot="form-message"
+      id={formMessageId}
+      className={cn("text-destructive text-sm", className)}
+      {...props}
+    >
+      {body}
+    </p>
+  );
+}
+
+export {
+  useFormField,
+  Form,
+  FormItem,
+  FormLabel,
+  FormControl,
+  FormDescription,
+  FormMessage,
+  FormField,
+};
--- a/frontend/src/components/ui/input-otp.tsx
+++ b/frontend/src/components/ui/input-otp.tsx
@@ -0,0 +1,75 @@
+import * as React from "react";
+import { OTPInput, OTPInputContext } from "input-otp";
+import { MinusIcon } from "lucide-react";
+
+import { cn } from "@/lib/utils";
+
+function InputOTP({
+  className,
+  containerClassName,
+  ...props
+}: React.ComponentProps<typeof OTPInput> & {
+  containerClassName?: string;
+}) {
+  return (
+    <OTPInput
+      data-slot="input-otp"
+      containerClassName={cn(
+        "flex items-center gap-2 has-disabled:opacity-50",
+        containerClassName,
+      )}
+      className={cn("disabled:cursor-not-allowed", className)}
+      {...props}
+    />
+  );
+}
+
+function InputOTPGroup({ className, ...props }: React.ComponentProps<"div">) {
+  return (
+    <div
+      data-slot="input-otp-group"
+      className={cn("flex items-center", className)}
+      {...props}
+    />
+  );
+}
+
+function InputOTPSlot({
+  index,
+  className,
+  ...props
+}: React.ComponentProps<"div"> & {
+  index: number;
+}) {
+  const inputOTPContext = React.useContext(OTPInputContext);
+  const { char, hasFakeCaret, isActive } = inputOTPContext?.slots[index] ?? {};
+
+  return (
+    <div
+      data-slot="input-otp-slot"
+      data-active={isActive}
+      className={cn(
+        "data-[active=true]:border-ring data-[active=true]:ring-ring/50 data-[active=true]:aria-invalid:ring-destructive/20 dark:data-[active=true]:aria-invalid:ring-destructive/40 aria-invalid:border-destructive data-[active=true]:aria-invalid:border-destructive dark:bg-input/30 border-input relative flex h-9 w-9 items-center justify-center border-y border-r text-sm shadow-xs transition-all outline-none first:rounded-l-md first:border-l last:rounded-r-md data-[active=true]:z-10 data-[active=true]:ring-[3px]",
+        className,
+      )}
+      {...props}
+    >
+      {char}
+      {hasFakeCaret && (
+        <div className="pointer-events-none absolute inset-0 flex items-center justify-center">
+          <div className="animate-caret-blink bg-foreground h-4 w-px duration-1000" />
+        </div>
+      )}
+    </div>
+  );
+}
+
+function InputOTPSeparator({ ...props }: React.ComponentProps<"div">) {
+  return (
+    <div data-slot="input-otp-separator" role="separator" {...props}>
+      <MinusIcon />
+    </div>
+  );
+}
+
+export { InputOTP, InputOTPGroup, InputOTPSlot, InputOTPSeparator };
--- a/frontend/src/components/ui/input.tsx
+++ b/frontend/src/components/ui/input.tsx
@@ -0,0 +1,21 @@
+import * as React from "react";
+
+import { cn } from "@/lib/utils";
+
+function Input({ className, type, ...props }: React.ComponentProps<"input">) {
+  return (
+    <input
+      type={type}
+      data-slot="input"
+      className={cn(
+        "file:text-foreground placeholder:text-muted-foreground selection:bg-primary selection:text-primary-foreground dark:bg-input/30 border-input flex h-9 w-full min-w-0 rounded-md border bg-transparent px-3 py-1 text-base shadow-xs transition-[color,box-shadow] outline-none file:inline-flex file:h-7 file:border-0 file:bg-transparent file:text-sm file:font-medium disabled:pointer-events-none disabled:cursor-not-allowed disabled:opacity-50 md:text-sm",
+        "focus-visible:border-ring focus-visible:ring-ring/50 focus-visible:ring-[3px]",
+        "aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive",
+        className,
+      )}
+      {...props}
+    />
+  );
+}
+
+export { Input };
--- a/frontend/src/components/ui/label.tsx
+++ b/frontend/src/components/ui/label.tsx
@@ -0,0 +1,22 @@
+import * as React from "react";
+import * as LabelPrimitive from "@radix-ui/react-label";
+
+import { cn } from "@/lib/utils";
+
+function Label({
+  className,
+  ...props
+}: React.ComponentProps<typeof LabelPrimitive.Root>) {
+  return (
+    <LabelPrimitive.Root
+      data-slot="label"
+      className={cn(
+        "flex items-center gap-2 text-sm leading-none font-medium select-none group-data-[disabled=true]:pointer-events-none group-data-[disabled=true]:opacity-50 peer-disabled:cursor-not-allowed peer-disabled:opacity-50",
+        className,
+      )}
+      {...props}
+    />
+  );
+}
+
+export { Label };
--- a/frontend/src/components/ui/oauth-button.tsx
+++ b/frontend/src/components/ui/oauth-button.tsx
@@ -0,0 +1,33 @@
+import { Loader2 } from "lucide-react";
+import { Button } from "./button";
+import React from "react";
+import { twMerge } from "tailwind-merge";
+
+interface Props extends React.ComponentProps<typeof Button> {
+  title: string;
+  icon: React.ReactNode;
+  onClick?: () => void;
+  loading?: boolean;
+}
+
+export const OAuthButton = (props: Props) => {
+  const { title, icon, onClick, loading, className, ...rest } = props;
+
+  return (
+    <Button
+      onClick={onClick}
+      className={twMerge("rounded-md", className)}
+      variant="outline"
+      {...rest}
+    >
+      {loading ? (
+        <Loader2 className="animate-spin" />
+      ) : (
+        <>
+          {icon}
+          {title}
+        </>
+      )}
+    </Button>
+  );
+};
--- a/frontend/src/components/ui/select.tsx
+++ b/frontend/src/components/ui/select.tsx
@@ -0,0 +1,183 @@
+import * as React from "react";
+import * as SelectPrimitive from "@radix-ui/react-select";
+import { CheckIcon, ChevronDownIcon, ChevronUpIcon } from "lucide-react";
+
+import { cn } from "@/lib/utils";
+
+function Select({
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Root>) {
+  return <SelectPrimitive.Root data-slot="select" {...props} />;
+}
+
+function SelectGroup({
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Group>) {
+  return <SelectPrimitive.Group data-slot="select-group" {...props} />;
+}
+
+function SelectValue({
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Value>) {
+  return <SelectPrimitive.Value data-slot="select-value" {...props} />;
+}
+
+function SelectTrigger({
+  className,
+  size = "default",
+  children,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Trigger> & {
+  size?: "sm" | "default";
+}) {
+  return (
+    <SelectPrimitive.Trigger
+      data-slot="select-trigger"
+      data-size={size}
+      className={cn(
+        "hover:cursor-pointer border-input data-[placeholder]:text-card-foreground [&_svg:not([class*='text-'])]:text-card-foreground focus-visible:border-ring focus-visible:ring-ring/50 aria-invalid:ring-destructive/20 dark:aria-invalid:ring-destructive/40 aria-invalid:border-destructive flex w-fit items-center justify-between gap-2 rounded-md border bg-card hover:bg-card/90 px-3 py-2 text-sm whitespace-nowrap shadow-xs transition-[color,box-shadow] outline-none focus-visible:ring-[3px] disabled:cursor-not-allowed disabled:opacity-50 data-[size=default]:h-9 data-[size=sm]:h-8 *:data-[slot=select-value]:line-clamp-1 *:data-[slot=select-value]:flex *:data-[slot=select-value]:items-center *:data-[slot=select-value]:gap-2 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4",
+        className,
+      )}
+      {...props}
+    >
+      {children}
+      <SelectPrimitive.Icon asChild>
+        <ChevronDownIcon className="size-4" />
+      </SelectPrimitive.Icon>
+    </SelectPrimitive.Trigger>
+  );
+}
+
+function SelectContent({
+  className,
+  children,
+  position = "popper",
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Content>) {
+  return (
+    <SelectPrimitive.Portal>
+      <SelectPrimitive.Content
+        data-slot="select-content"
+        className={cn(
+          "bg-popover text-popover-foreground data-[state=open]:animate-in data-[state=closed]:animate-out data-[state=closed]:fade-out-0 data-[state=open]:fade-in-0 data-[state=closed]:zoom-out-95 data-[state=open]:zoom-in-95 data-[side=bottom]:slide-in-from-top-2 data-[side=left]:slide-in-from-right-2 data-[side=right]:slide-in-from-left-2 data-[side=top]:slide-in-from-bottom-2 relative z-50 max-h-(--radix-select-content-available-height) min-w-[8rem] origin-(--radix-select-content-transform-origin) overflow-x-hidden overflow-y-auto rounded-md border shadow-md",
+          position === "popper" &&
+            "data-[side=bottom]:translate-y-1 data-[side=left]:-translate-x-1 data-[side=right]:translate-x-1 data-[side=top]:-translate-y-1",
+          className,
+        )}
+        position={position}
+        {...props}
+      >
+        <SelectScrollUpButton />
+        <SelectPrimitive.Viewport
+          className={cn(
+            "p-1",
+            position === "popper" &&
+              "h-[var(--radix-select-trigger-height)] w-full min-w-[var(--radix-select-trigger-width)] scroll-my-1",
+          )}
+        >
+          {children}
+        </SelectPrimitive.Viewport>
+        <SelectScrollDownButton />
+      </SelectPrimitive.Content>
+    </SelectPrimitive.Portal>
+  );
+}
+
+function SelectLabel({
+  className,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Label>) {
+  return (
+    <SelectPrimitive.Label
+      data-slot="select-label"
+      className={cn("text-muted-foreground px-2 py-1.5 text-xs", className)}
+      {...props}
+    />
+  );
+}
+
+function SelectItem({
+  className,
+  children,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Item>) {
+  return (
+    <SelectPrimitive.Item
+      data-slot="select-item"
+      className={cn(
+        "focus:bg-accent focus:text-accent-foreground [&_svg:not([class*='text-'])]:text-muted-foreground relative flex w-full cursor-default items-center gap-2 rounded-sm py-1.5 pr-8 pl-2 text-sm outline-hidden select-none data-[disabled]:pointer-events-none data-[disabled]:opacity-50 [&_svg]:pointer-events-none [&_svg]:shrink-0 [&_svg:not([class*='size-'])]:size-4 *:[span]:last:flex *:[span]:last:items-center *:[span]:last:gap-2",
+        className,
+      )}
+      {...props}
+    >
+      <span className="absolute right-2 flex size-3.5 items-center justify-center">
+        <SelectPrimitive.ItemIndicator>
+          <CheckIcon className="size-4" />
+        </SelectPrimitive.ItemIndicator>
+      </span>
+      <SelectPrimitive.ItemText>{children}</SelectPrimitive.ItemText>
+    </SelectPrimitive.Item>
+  );
+}
+
+function SelectSeparator({
+  className,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.Separator>) {
+  return (
+    <SelectPrimitive.Separator
+      data-slot="select-separator"
+      className={cn("bg-border pointer-events-none -mx-1 my-1 h-px", className)}
+      {...props}
+    />
+  );
+}
+
+function SelectScrollUpButton({
+  className,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.ScrollUpButton>) {
+  return (
+    <SelectPrimitive.ScrollUpButton
+      data-slot="select-scroll-up-button"
+      className={cn(
+        "flex cursor-default items-center justify-center py-1",
+        className,
+      )}
+      {...props}
+    >
+      <ChevronUpIcon className="size-4" />
+    </SelectPrimitive.ScrollUpButton>
+  );
+}
+
+function SelectScrollDownButton({
+  className,
+  ...props
+}: React.ComponentProps<typeof SelectPrimitive.ScrollDownButton>) {
+  return (
+    <SelectPrimitive.ScrollDownButton
+      data-slot="select-scroll-down-button"
+      className={cn(
+        "flex cursor-default items-center justify-center py-1",
+        className,
+      )}
+      {...props}
+    >
+      <ChevronDownIcon className="size-4" />
+    </SelectPrimitive.ScrollDownButton>
+  );
+}
+
+export {
+  Select,
+  SelectContent,
+  SelectGroup,
+  SelectItem,
+  SelectLabel,
+  SelectScrollDownButton,
+  SelectScrollUpButton,
+  SelectSeparator,
+  SelectTrigger,
+  SelectValue,
+};
--- a/frontend/src/components/ui/separator.tsx
+++ b/frontend/src/components/ui/separator.tsx
@@ -0,0 +1,38 @@
+"use client";
+
+import * as React from "react";
+import * as SeparatorPrimitive from "@radix-ui/react-separator";
+
+import { cn } from "@/lib/utils";
+
+function Separator({
+  className,
+  orientation = "horizontal",
+  decorative = true,
+  ...props
+}: React.ComponentProps<typeof SeparatorPrimitive.Root>) {
+  return (
+    <SeparatorPrimitive.Root
+      data-slot="separator-root"
+      decorative={decorative}
+      orientation={orientation}
+      className={cn(
+        "bg-border shrink-0 data-[orientation=horizontal]:h-px data-[orientation=horizontal]:w-full data-[orientation=vertical]:h-full data-[orientation=vertical]:w-px",
+        className,
+      )}
+      {...props}
+    />
+  );
+}
+
+function SeperatorWithChildren({ children }: { children: React.ReactNode }) {
+  return (
+    <div className="flex items-center gap-4">
+      <Separator className="flex-1" />
+      <span className="text-sm text-muted-foreground">{children}</span>
+      <Separator className="flex-1" />
+    </div>
+  );
+}
+
+export { Separator, SeperatorWithChildren };
--- a/frontend/src/components/ui/sonner.tsx
+++ b/frontend/src/components/ui/sonner.tsx
@@ -0,0 +1,23 @@
+import { useTheme } from "../providers/theme-provider";
+import { Toaster as Sonner, ToasterProps } from "sonner";
+
+const Toaster = ({ ...props }: ToasterProps) => {
+  const { theme } = useTheme();
+
+  return (
+    <Sonner
+      theme={theme as ToasterProps["theme"]}
+      className="toaster group"
+      style={
+        {
+          "--normal-bg": "var(--popover)",
+          "--normal-text": "var(--popover-foreground)",
+          "--normal-border": "var(--border)",
+        } as React.CSSProperties
+      }
+      {...props}
+    />
+  );
+};
+
+export { Toaster };
--- a/frontend/src/context/app-context.tsx
+++ b/frontend/src/context/app-context.tsx
@@ -1,40 +1,42 @@
+import {
+  appContextSchema,
+  AppContextSchema,
+} from "@/schemas/app-context-schema";
+import { createContext, useContext } from "react";
 import { useSuspenseQuery } from "@tanstack/react-query";
-import React, { createContext, useContext } from "react";
 import axios from "axios";
-import { AppContextSchemaType } from "../schemas/app-context-schema";

-const AppContext = createContext<AppContextSchemaType | null>(null);
+const AppContext = createContext<AppContextSchema | null>(null);

 export const AppContextProvider = ({
  children,
 }: {
  children: React.ReactNode;
 }) => {
-  const {
-    data: userContext,
-    isLoading,
-    error,
-  } = useSuspenseQuery({
-    queryKey: ["appContext"],
-    queryFn: async () => {
-      const res = await axios.get("/api/app");
-      return res.data;
-    },
+  const { isFetching, data, error } = useSuspenseQuery({
+    queryKey: ["app"],
+    queryFn: () => axios.get("/api/context/app").then((res) => res.data),
  });

-  if (error && !isLoading) {
+  if (error && !isFetching) {
    throw error;
  }

+  const validated = appContextSchema.safeParse(data);
+
+  if (validated.success === false) {
+    throw validated.error;
+  }
+
  return (
-    <AppContext.Provider value={userContext}>{children}</AppContext.Provider>
+    <AppContext.Provider value={validated.data}>{children}</AppContext.Provider>
  );
 };

 export const useAppContext = () => {
  const context = useContext(AppContext);

-  if (context === null) {
+  if (!context) {
    throw new Error("useAppContext must be used within an AppContextProvider");
  }

--- a/frontend/src/context/user-context.tsx
+++ b/frontend/src/context/user-context.tsx
@@ -1,41 +1,47 @@
+import {
+  userContextSchema,
+  UserContextSchema,
+} from "@/schemas/user-context-schema";
+import { createContext, useContext } from "react";
 import { useSuspenseQuery } from "@tanstack/react-query";
-import React, { createContext, useContext } from "react";
 import axios from "axios";
-import { UserContextSchemaType } from "../schemas/user-context-schema";

-const UserContext = createContext<UserContextSchemaType | null>(null);
+const UserContext = createContext<UserContextSchema | null>(null);

 export const UserContextProvider = ({
  children,
 }: {
  children: React.ReactNode;
 }) => {
-  const {
-    data: userContext,
-    isLoading,
-    error,
-  } = useSuspenseQuery({
-    queryKey: ["userContext"],
-    queryFn: async () => {
-      const res = await axios.get("/api/user");
-      return res.data;
-    },
+  const { isFetching, data, error } = useSuspenseQuery({
+    queryKey: ["user"],
+    queryFn: () => axios.get("/api/context/user").then((res) => res.data),
  });

-  if (error && !isLoading) {
+  if (error && !isFetching) {
    throw error;
  }

+  const validated = userContextSchema.safeParse(data);
+
+  if (validated.success === false) {
+    throw validated.error;
+  }
+
  return (
-    <UserContext.Provider value={userContext}>{children}</UserContext.Provider>
+    <UserContext.Provider value={validated.data}>
+      {children}
+    </UserContext.Provider>
  );
 };

 export const useUserContext = () => {
  const context = useContext(UserContext);

-  if (context === null) {
-    throw new Error("useUserContext must be used within a UserContextProvider");
+  if (!context) {
+    throw new Error(
+      "useUserContext must be used within an UserContextProvider",
+    );
  }

  return context;
--- a/frontend/src/icons/google.tsx
+++ b/frontend/src/icons/google.tsx
@@ -1,30 +0,0 @@
-import type { SVGProps } from "react";
-
-export function GoogleIcon(props: SVGProps<SVGSVGElement>) {
-  return (
-    <svg
-      xmlns="http://www.w3.org/2000/svg"
-      width={48}
-      height={48}
-      viewBox="0 0 48 48"
-      {...props}
-    >
-      <path
-        fill="#ffc107"
-        d="M43.611 20.083H42V20H24v8h11.303c-1.649 4.657-6.08 8-11.303 8c-6.627 0-12-5.373-12-12s5.373-12 12-12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4C12.955 4 4 12.955 4 24s8.955 20 20 20s20-8.955 20-20c0-1.341-.138-2.65-.389-3.917"
-      ></path>
-      <path
-        fill="#ff3d00"
-        d="m6.306 14.691l6.571 4.819C14.655 15.108 18.961 12 24 12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4C16.318 4 9.656 8.337 6.306 14.691"
-      ></path>
-      <path
-        fill="#4caf50"
-        d="M24 44c5.166 0 9.86-1.977 13.409-5.192l-6.19-5.238A11.9 11.9 0 0 1 24 36c-5.202 0-9.619-3.317-11.283-7.946l-6.522 5.025C9.505 39.556 16.227 44 24 44"
-      ></path>
-      <path
-        fill="#1976d2"
-        d="M43.611 20.083H42V20H24v8h11.303a12.04 12.04 0 0 1-4.087 5.571l.003-.002l6.19 5.238C36.971 39.205 44 34 44 24c0-1.341-.138-2.65-.389-3.917"
-      ></path>
-    </svg>
-  );
-}
--- a/frontend/src/index.css
+++ b/frontend/src/index.css
@@ -1,4 +1,176 @@
-span,
-p {
-  word-break: break-word;
+@import "tailwindcss";
+@import "tw-animate-css";
+
+@custom-variant dark (&:is(.dark *));
+
+@theme inline {
+  --radius-sm: calc(var(--radius) - 4px);
+  --radius-md: calc(var(--radius) - 2px);
+  --radius-lg: var(--radius);
+  --radius-xl: calc(var(--radius) + 4px);
+  --color-background: var(--background);
+  --color-foreground: var(--foreground);
+  --color-card: var(--card);
+  --color-card-foreground: var(--card-foreground);
+  --color-popover: var(--popover);
+  --color-popover-foreground: var(--popover-foreground);
+  --color-primary: var(--primary);
+  --color-primary-foreground: var(--primary-foreground);
+  --color-secondary: var(--secondary);
+  --color-secondary-foreground: var(--secondary-foreground);
+  --color-muted: var(--muted);
+  --color-muted-foreground: var(--muted-foreground);
+  --color-accent: var(--accent);
+  --color-accent-foreground: var(--accent-foreground);
+  --color-destructive: var(--destructive);
+  --color-border: var(--border);
+  --color-input: var(--input);
+  --color-ring: var(--ring);
+  --color-chart-1: var(--chart-1);
+  --color-chart-2: var(--chart-2);
+  --color-chart-3: var(--chart-3);
+  --color-chart-4: var(--chart-4);
+  --color-chart-5: var(--chart-5);
+  --color-sidebar: var(--sidebar);
+  --color-sidebar-foreground: var(--sidebar-foreground);
+  --color-sidebar-primary: var(--sidebar-primary);
+  --color-sidebar-primary-foreground: var(--sidebar-primary-foreground);
+  --color-sidebar-accent: var(--sidebar-accent);
+  --color-sidebar-accent-foreground: var(--sidebar-accent-foreground);
+  --color-sidebar-border: var(--sidebar-border);
+  --color-sidebar-ring: var(--sidebar-ring);
+}
+
+:root {
+  --radius: 0.625rem;
+  --background: oklch(1 0 0);
+  --foreground: oklch(0.145 0 0);
+  --card: oklch(1 0 0);
+  --card-foreground: oklch(0.145 0 0);
+  --popover: oklch(1 0 0);
+  --popover-foreground: oklch(0.145 0 0);
+  --primary: oklch(0.205 0 0);
+  --primary-foreground: oklch(0.985 0 0);
+  --secondary: oklch(0.97 0 0);
+  --secondary-foreground: oklch(0.205 0 0);
+  --muted: oklch(0.97 0 0);
+  --muted-foreground: oklch(0.556 0 0);
+  --accent: oklch(0.97 0 0);
+  --accent-foreground: oklch(0.205 0 0);
+  --destructive: oklch(0.577 0.245 27.325);
+  --border: oklch(0.922 0 0);
+  --input: oklch(0.922 0 0);
+  --ring: oklch(0.708 0 0);
+  --chart-1: oklch(0.646 0.222 41.116);
+  --chart-2: oklch(0.6 0.118 184.704);
+  --chart-3: oklch(0.398 0.07 227.392);
+  --chart-4: oklch(0.828 0.189 84.429);
+  --chart-5: oklch(0.769 0.188 70.08);
+  --sidebar: oklch(0.985 0 0);
+  --sidebar-foreground: oklch(0.145 0 0);
+  --sidebar-primary: oklch(0.205 0 0);
+  --sidebar-primary-foreground: oklch(0.985 0 0);
+  --sidebar-accent: oklch(0.97 0 0);
+  --sidebar-accent-foreground: oklch(0.205 0 0);
+  --sidebar-border: oklch(0.922 0 0);
+  --sidebar-ring: oklch(0.708 0 0);
+}
+
+.dark {
+  --background: oklch(0.145 0 0);
+  --foreground: oklch(0.985 0 0);
+  --card: oklch(0.205 0 0);
+  --card-foreground: oklch(0.985 0 0);
+  --popover: oklch(0.205 0 0);
+  --popover-foreground: oklch(0.985 0 0);
+  --primary: oklch(0.922 0 0);
+  --primary-foreground: oklch(0.205 0 0);
+  --secondary: oklch(0.269 0 0);
+  --secondary-foreground: oklch(0.985 0 0);
+  --muted: oklch(0.269 0 0);
+  --muted-foreground: oklch(0.708 0 0);
+  --accent: oklch(0.269 0 0);
+  --accent-foreground: oklch(0.985 0 0);
+  --destructive: oklch(0.704 0.191 22.216);
+  --border: oklch(1 0 0 / 10%);
+  --input: oklch(1 0 0 / 15%);
+  --ring: oklch(0.556 0 0);
+  --chart-1: oklch(0.488 0.243 264.376);
+  --chart-2: oklch(0.696 0.17 162.48);
+  --chart-3: oklch(0.769 0.188 70.08);
+  --chart-4: oklch(0.627 0.265 303.9);
+  --chart-5: oklch(0.645 0.246 16.439);
+  --sidebar: oklch(0.205 0 0);
+  --sidebar-foreground: oklch(0.985 0 0);
+  --sidebar-primary: oklch(0.488 0.243 264.376);
+  --sidebar-primary-foreground: oklch(0.985 0 0);
+  --sidebar-accent: oklch(0.269 0 0);
+  --sidebar-accent-foreground: oklch(0.985 0 0);
+  --sidebar-border: oklch(1 0 0 / 10%);
+  --sidebar-ring: oklch(0.556 0 0);
+}
+
+@layer base {
+  * {
+    @apply border-border outline-ring/50;
+  }
+  body {
+    @apply bg-background text-foreground;
+  }
+}
+
+h1 {
+  @apply scroll-m-20 text-4xl font-extrabold tracking-tight lg:text-5xl;
+}
+
+h2 {
+  @apply scroll-m-20 border-b pb-2 text-3xl font-semibold tracking-tight first:mt-0;
+}
+
+h3 {
+  @apply scroll-m-20 text-2xl font-semibold tracking-tight;
+}
+
+h4 {
+  @apply scroll-m-20 text-xl font-semibold tracking-tight;
+}
+
+p {
+  @apply leading-6;
+}
+
+blockquote {
+  @apply mt-6 border-l-2 pl-6 italic;
+}
+
+tr {
+  @apply m-0 border-t p-0 even:bg-muted;
+}
+
+th {
+  @apply border px-4 py-2 text-left font-bold [&[align=center]]:text-center [&[align=right]]:text-right;
+}
+
+ul {
+  @apply my-6 ml-6 list-disc [&>li]:mt-2;
+}
+
+code {
+  @apply relative rounded bg-muted px-[0.2rem] py-[0.1rem] font-mono text-sm font-semibold break-all;
+}
+
+.lead {
+  @apply text-xl text-muted-foreground;
+}
+
+.large {
+  @apply text-lg font-semibold;
+}
+
+small {
+  @apply text-sm font-medium leading-none;
+}
+
+.muted {
+  @apply text-sm text-muted-foreground;
 }
--- a/frontend/src/lib/hooks/use-is-mounted.ts
+++ b/frontend/src/lib/hooks/use-is-mounted.ts
@@ -1,26 +0,0 @@
-import { useCallback, useEffect, useRef } from 'react'
-
-/**
- * Custom hook that determines if the component is currently mounted.
- * @returns {() => boolean} A function that returns a boolean value indicating whether the component is mounted.
- * @public
- * @see [Documentation](https://usehooks-ts.com/react-hook/use-is-mounted)
- * @example
- * ```tsx
- * const isComponentMounted = useIsMounted();
- * // Use isComponentMounted() to check if the component is currently mounted before performing certain actions.
- * ```
- */
-export function useIsMounted(): () => boolean {
-  const isMounted = useRef(false)
-
-  useEffect(() => {
-    isMounted.current = true
-
-    return () => {
-      isMounted.current = false
-    }
-  }, [])
-
-  return useCallback(() => isMounted.current, [])
-}
--- a/frontend/src/lib/i18n/i18n.ts
+++ b/frontend/src/lib/i18n/i18n.ts
@@ -1,41 +1,23 @@
 import i18n from "i18next";
 import { initReactI18next } from "react-i18next";
 import LanguageDetector from "i18next-browser-languagedetector";
-import ChainedBackend from "i18next-chained-backend";
 import resourcesToBackend from "i18next-resources-to-backend";
-import HttpBackend from "i18next-http-backend";
-
-const backends = [
-  HttpBackend,
-  resourcesToBackend(
-    (language: string) => import(`./locales/${language}.json`),
-  ),
-]
-
-const backendOptions =  [
-  {
-    loadPath: "https://cdn.tinyauth.app/i18n/v1/{{lng}}.json",
-  },
-  {}
-]

 i18n
-  .use(ChainedBackend)
  .use(LanguageDetector)
  .use(initReactI18next)
+  .use(
+    resourcesToBackend(
+      (language: string) => import(`./locales/${language}.json`),
+    ),
+  )
  .init({
    fallbackLng: "en",
    debug: import.meta.env.MODE === "development",
-
-    interpolation: {
-      escapeValue: false,
-    },
-
+    nonExplicitSupportedLngs: true,
    load: "currentOnly",
-
-    backend: {
-      backends: import.meta.env.MODE !== "development" ? backends : backends.reverse(),
-      backendOptions: import.meta.env.MODE !== "development" ? backendOptions : backendOptions.reverse()
+    detection: {
+      lookupLocalStorage: "tinyauth-lang",
    },
  });

--- a/frontend/src/lib/i18n/locales.ts
+++ b/frontend/src/lib/i18n/locales.ts
@@ -1,36 +1,37 @@
 export const languages = {
-    "af-ZA": "Afrikaans",
-    "ar-SA": "العربية",
-    "ca-ES": "Català",
-    "cs-CZ": "Čeština",
-    "da-DK": "Dansk",
-    "de-DE": "Deutsch",
-    "el-GR": "Ελληνικά",
-    "en-US": "English",
-    "es-ES": "Español",
-    "fi-FI": "Suomi",
-    "fr-FR": "Français",
-    "he-IL": "עברית",
-    "hu-HU": "Magyar",
-    "it-IT": "Italiano",
-    "ja-JP": "日本語",
-    "ko-KR": "한국어",
-    "nl-NL": "Nederlands",
-    "no-NO": "Norsk",
-    "pl-PL": "Polski",
-    "pt-BR": "Português",
-    "pt-PT": "Português",
-    "ro-RO": "Română",
-    "ru-RU": "Русский",
-    "sr-SP": "Српски",
-    "sv-SE": "Svenska",
-    "tr-TR": "Türkçe",
-    "uk-UA": "Українська",
-    "vi-VN": "Tiếng Việt",
-    "zh-CN": "中文",
-    "zh-TW": "中文"
-}
+  "af-ZA": "Afrikaans",
+  "ar-SA": "العربية",
+  "ca-ES": "Català",
+  "cs-CZ": "Čeština",
+  "da-DK": "Dansk",
+  "de-DE": "Deutsch",
+  "el-GR": "Ελληνικά",
+  "en-US": "English",
+  "es-ES": "Español",
+  "fi-FI": "Suomi",
+  "fr-FR": "Français",
+  "he-IL": "עברית",
+  "hu-HU": "Magyar",
+  "it-IT": "Italiano",
+  "ja-JP": "日本語",
+  "ko-KR": "한국어",
+  "nl-NL": "Nederlands",
+  "no-NO": "Norsk",
+  "pl-PL": "Polski",
+  "pt-BR": "Português (Brasil)",
+  "pt-PT": "Português (Portugal)",
+  "ro-RO": "Română",
+  "ru-RU": "Русский",
+  "sr-SP": "Српски",
+  "sv-SE": "Svenska",
+  "tr-TR": "Türkçe",
+  "uk-UA": "Українська",
+  "vi-VN": "Tiếng Việt",
+  "zh-CN": "简体中文",
+  "zh-TW": "繁體中文",
+};

 export type SupportedLanguage = keyof typeof languages;

-export const getLanguageName = (language: SupportedLanguage): string => languages[language];
+export const getLanguageName = (language: SupportedLanguage): string =>
+  languages[language];
--- a/frontend/src/lib/i18n/locales/af-ZA.json
+++ b/frontend/src/lib/i18n/locales/af-ZA.json
@@ -1,36 +1,37 @@
 {
    "loginTitle": "Welcome back, login with",
-    "loginDivider": "Or continue with password",
+    "loginTitleSimple": "Welcome back, please login",
+    "loginDivider": "Or",
    "loginUsername": "Username",
    "loginPassword": "Password",
    "loginSubmit": "Login",
    "loginFailTitle": "Failed to log in",
    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times, please try again later",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
    "loginSuccessTitle": "Logged in",
    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "Internal error",
+    "loginOauthFailTitle": "An error occurred",
    "loginOauthFailSubtitle": "Failed to get OAuth URL",
    "loginOauthSuccessTitle": "Redirecting",
    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectButton": "Redirect now",
+    "continueTitle": "Continue",
    "continueRedirectingTitle": "Redirecting...",
    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueInvalidRedirectTitle": "Invalid redirect",
-    "continueInvalidRedirectSubtitle": "The redirect URL is invalid",
+    "continueRedirectManually": "Redirect me manually",
    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <Code>https</Code> to <Code>http</Code>, are you sure you want to continue?",
-    "continueTitle": "Continue",
-    "continueSubtitle": "Click the button to continue to your app.",
-    "internalErrorTitle": "Internal Server Error",
-    "internalErrorSubtitle": "An error occurred on the server and it currently cannot serve your request.",
-    "internalErrorButton": "Try again",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
    "logoutFailTitle": "Failed to log out",
    "logoutFailSubtitle": "Please try again",
    "logoutSuccessTitle": "Logged out",
    "logoutSuccessSubtitle": "You have been logged out",
    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <Code>{{username}}</Code>, click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <Code>{{username}}</Code> using the {{provider}} OAuth provider, click the button below to logout.",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
    "notFoundTitle": "Page not found",
    "notFoundSubtitle": "The page you are looking for does not exist.",
    "notFoundButton": "Go home",
@@ -39,13 +40,23 @@
    "totpSuccessTitle": "Verified",
    "totpSuccessSubtitle": "Redirecting to your app",
    "totpTitle": "Enter your TOTP code",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
    "unauthorizedButton": "Try again",
-    "untrustedRedirectTitle": "Untrusted redirect",
-    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Forgot your password?"
+    "forgotPasswordTitle": "Forgot your password?",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "errorTitle": "An error occurred",
+    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "fieldRequired": "This field is required",
+    "invalidInput": "Invalid input",
+    "domainWarningTitle": "Invalid Domain",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "ignoreTitle": "Ignore",
+    "goToCorrectDomainTitle": "Go to correct domain"
 }
--- a/frontend/src/lib/i18n/locales/ar-SA.json
+++ b/frontend/src/lib/i18n/locales/ar-SA.json
@@ -1,51 +1,62 @@
 {
-    "loginTitle": "مرحبا بعودتك، قم بتسجيل الدخول باستخدام",
-    "loginDivider": "أو المتابعة بكلمة المرور",
+    "loginTitle": "مرحبا بعودتك، ادخل باستخدام",
+    "loginTitleSimple": "مرحبا بعودتك، سجل دخولك",
+    "loginDivider": "أو",
    "loginUsername": "اسم المستخدم",
    "loginPassword": "كلمة المرور",
    "loginSubmit": "تسجيل الدخول",
    "loginFailTitle": "فشل تسجيل الدخول",
    "loginFailSubtitle": "الرجاء التحقق من اسم المستخدم وكلمة المرور",
-    "loginFailRateLimit": "فشلت في تسجيل الدخول عدة مرات، الرجاء المحاولة مرة أخرى لاحقا",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
    "loginSuccessTitle": "تم تسجيل الدخول",
    "loginSuccessSubtitle": "مرحبا بعودتك!",
-    "loginOauthFailTitle": "خطأ داخلي",
-    "loginOauthFailSubtitle": "فشل في الحصول على رابط OAuth",
+    "loginOauthFailTitle": "حدث خطأ",
+    "loginOauthFailSubtitle": "أخفق الحصول على رابط OAuth",
    "loginOauthSuccessTitle": "إعادة توجيه",
    "loginOauthSuccessSubtitle": "إعادة توجيه إلى مزود OAuth الخاص بك",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectButton": "Redirect now",
+    "continueTitle": "متابعة",
    "continueRedirectingTitle": "إعادة توجيه...",
    "continueRedirectingSubtitle": "يجب إعادة توجيهك إلى التطبيق قريبا",
-    "continueInvalidRedirectTitle": "إعادة توجيه غير صالحة",
-    "continueInvalidRedirectSubtitle": "رابط إعادة التوجيه غير صالح",
+    "continueRedirectManually": "Redirect me manually",
    "continueInsecureRedirectTitle": "إعادة توجيه غير آمنة",
-    "continueInsecureRedirectSubtitle": "أنت تحاول إعادة التوجيه من <Code>https</Code> إلى <Code>http</Code>، هل أنت متأكد أنك تريد المتابعة؟",
-    "continueTitle": "متابعة",
-    "continueSubtitle": "انقر الزر للمتابعة إلى التطبيق الخاص بك.",
-    "internalErrorTitle": "خطأ داخلي في الخادم",
-    "internalErrorSubtitle": "حدث خطأ على الخادم ولا يمكن حاليا تلبية طلبك.",
-    "internalErrorButton": "حاول مجددا",
+    "continueInsecureRedirectSubtitle": "أنت تحاول إعادة التوجيه من <code>https</code> إلى <code>http</code>، هل أنت متأكد أنك تريد المتابعة؟",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
    "logoutFailTitle": "فشل تسجيل الخروج",
    "logoutFailSubtitle": "يرجى إعادة المحاولة",
    "logoutSuccessTitle": "تم تسجيل الخروج",
    "logoutSuccessSubtitle": "تم تسجيل خروجك",
    "logoutTitle": "تسجيل الخروج",
-    "logoutUsernameSubtitle": "أنت حاليا مسجل الدخول ك <Code>{{username}}</Code>، انقر الزر أدناه لتسجيل الخروج.",
-    "logoutOauthSubtitle": "أنت حاليا مسجل الدخول ك <Code>{{username}}</Code> باستخدام مزود OAuth {{provider}} ، انقر الزر أدناه لتسجيل الخروج.",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
    "notFoundTitle": "الصفحة غير موجودة",
    "notFoundSubtitle": "الصفحة التي تبحث عنها غير موجودة.",
    "notFoundButton": "انتقل إلى الرئيسية",
-    "totpFailTitle": "فشل في التحقق من الرمز",
+    "totpFailTitle": "أخفق التحقق من الرمز",
    "totpFailSubtitle": "الرجاء التحقق من الرمز الخاص بك وحاول مرة أخرى",
    "totpSuccessTitle": "تم التحقق",
    "totpSuccessSubtitle": "إعادة توجيه إلى تطبيقك",
    "totpTitle": "أدخل رمز TOTP الخاص بك",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
    "unauthorizedTitle": "غير مرخص",
-    "unauthorizedResourceSubtitle": "المستخدم الذي يحمل اسم المستخدم <Code>{{username}}</Code> غير مصرح له بالوصول إلى المورد <Code>{{resource}}</Code>.",
-    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
    "unauthorizedButton": "حاول مجددا",
-    "untrustedRedirectTitle": "Untrusted redirect",
-    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
    "cancelTitle": "إلغاء",
-    "forgotPasswordTitle": "Forgot your password?"
+    "forgotPasswordTitle": "نسيت كلمة المرور؟",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "errorTitle": "حدث خطأ",
+    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "fieldRequired": "This field is required",
+    "invalidInput": "Invalid input",
+    "domainWarningTitle": "Invalid Domain",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "ignoreTitle": "تجاهل",
+    "goToCorrectDomainTitle": "Go to correct domain"
 }
--- a/frontend/src/lib/i18n/locales/ca-ES.json
+++ b/frontend/src/lib/i18n/locales/ca-ES.json
@@ -1,36 +1,37 @@
 {
    "loginTitle": "Welcome back, login with",
-    "loginDivider": "Or continue with password",
+    "loginTitleSimple": "Welcome back, please login",
+    "loginDivider": "Or",
    "loginUsername": "Username",
    "loginPassword": "Password",
    "loginSubmit": "Login",
    "loginFailTitle": "Failed to log in",
    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times, please try again later",
+    "loginFailRateLimit": "You failed to login too many times. Please try again later",
    "loginSuccessTitle": "Logged in",
    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "Internal error",
+    "loginOauthFailTitle": "An error occurred",
    "loginOauthFailSubtitle": "Failed to get OAuth URL",
    "loginOauthSuccessTitle": "Redirecting",
    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectButton": "Redirect now",
+    "continueTitle": "Continue",
    "continueRedirectingTitle": "Redirecting...",
    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueInvalidRedirectTitle": "Invalid redirect",
-    "continueInvalidRedirectSubtitle": "The redirect URL is invalid",
+    "continueRedirectManually": "Redirect me manually",
    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <Code>https</Code> to <Code>http</Code>, are you sure you want to continue?",
-    "continueTitle": "Continue",
-    "continueSubtitle": "Click the button to continue to your app.",
-    "internalErrorTitle": "Internal Server Error",
-    "internalErrorSubtitle": "An error occurred on the server and it currently cannot serve your request.",
-    "internalErrorButton": "Try again",
+    "continueInsecureRedirectSubtitle": "You are trying to redirect from <code>https</code> to <code>http</code> which is not secure. Are you sure you want to continue?",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
    "logoutFailTitle": "Failed to log out",
    "logoutFailSubtitle": "Please try again",
    "logoutSuccessTitle": "Logged out",
    "logoutSuccessSubtitle": "You have been logged out",
    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <Code>{{username}}</Code>, click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <Code>{{username}}</Code> using the {{provider}} OAuth provider, click the button below to logout.",
+    "logoutUsernameSubtitle": "You are currently logged in as <code>{{username}}</code>. Click the button below to logout.",
+    "logoutOauthSubtitle": "You are currently logged in as <code>{{username}}</code> using the {{provider}} OAuth provider. Click the button below to logout.",
    "notFoundTitle": "Page not found",
    "notFoundSubtitle": "The page you are looking for does not exist.",
    "notFoundButton": "Go home",
@@ -39,13 +40,23 @@
    "totpSuccessTitle": "Verified",
    "totpSuccessSubtitle": "Redirecting to your app",
    "totpTitle": "Enter your TOTP code",
+    "totpSubtitle": "Please enter the code from your authenticator app.",
    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
+    "unauthorizedResourceSubtitle": "The user with username <code>{{username}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
+    "unauthorizedLoginSubtitle": "The user with username <code>{{username}}</code> is not authorized to login.",
+    "unauthorizedGroupsSubtitle": "The user with username <code>{{username}}</code> is not in the groups required by the resource <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Your IP address <code>{{ip}}</code> is not authorized to access the resource <code>{{resource}}</code>.",
    "unauthorizedButton": "Try again",
-    "untrustedRedirectTitle": "Untrusted redirect",
-    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Forgot your password?"
+    "forgotPasswordTitle": "Forgot your password?",
+    "failedToFetchProvidersTitle": "Failed to load authentication providers. Please check your configuration.",
+    "errorTitle": "An error occurred",
+    "errorSubtitle": "An error occurred while trying to perform this action. Please check the console for more information.",
+    "forgotPasswordMessage": "You can reset your password by changing the `USERS` environment variable.",
+    "fieldRequired": "This field is required",
+    "invalidInput": "Invalid input",
+    "domainWarningTitle": "Invalid Domain",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "ignoreTitle": "Ignore",
+    "goToCorrectDomainTitle": "Go to correct domain"
 }
--- a/frontend/src/lib/i18n/locales/cs-CZ.json
+++ b/frontend/src/lib/i18n/locales/cs-CZ.json
@@ -1,51 +1,62 @@
 {
-    "loginTitle": "Welcome back, login with",
-    "loginDivider": "Or continue with password",
-    "loginUsername": "Username",
-    "loginPassword": "Password",
-    "loginSubmit": "Login",
-    "loginFailTitle": "Failed to log in",
-    "loginFailSubtitle": "Please check your username and password",
-    "loginFailRateLimit": "You failed to login too many times, please try again later",
-    "loginSuccessTitle": "Logged in",
-    "loginSuccessSubtitle": "Welcome back!",
-    "loginOauthFailTitle": "Internal error",
-    "loginOauthFailSubtitle": "Failed to get OAuth URL",
-    "loginOauthSuccessTitle": "Redirecting",
-    "loginOauthSuccessSubtitle": "Redirecting to your OAuth provider",
-    "continueRedirectingTitle": "Redirecting...",
-    "continueRedirectingSubtitle": "You should be redirected to the app soon",
-    "continueInvalidRedirectTitle": "Invalid redirect",
-    "continueInvalidRedirectSubtitle": "The redirect URL is invalid",
-    "continueInsecureRedirectTitle": "Insecure redirect",
-    "continueInsecureRedirectSubtitle": "You are trying to redirect from <Code>https</Code> to <Code>http</Code>, are you sure you want to continue?",
-    "continueTitle": "Continue",
-    "continueSubtitle": "Click the button to continue to your app.",
-    "internalErrorTitle": "Internal Server Error",
-    "internalErrorSubtitle": "An error occurred on the server and it currently cannot serve your request.",
-    "internalErrorButton": "Try again",
-    "logoutFailTitle": "Failed to log out",
-    "logoutFailSubtitle": "Please try again",
-    "logoutSuccessTitle": "Logged out",
-    "logoutSuccessSubtitle": "You have been logged out",
-    "logoutTitle": "Logout",
-    "logoutUsernameSubtitle": "You are currently logged in as <Code>{{username}}</Code>, click the button below to logout.",
-    "logoutOauthSubtitle": "You are currently logged in as <Code>{{username}}</Code> using the {{provider}} OAuth provider, click the button below to logout.",
-    "notFoundTitle": "Page not found",
-    "notFoundSubtitle": "The page you are looking for does not exist.",
-    "notFoundButton": "Go home",
-    "totpFailTitle": "Failed to verify code",
-    "totpFailSubtitle": "Please check your code and try again",
-    "totpSuccessTitle": "Verified",
-    "totpSuccessSubtitle": "Redirecting to your app",
-    "totpTitle": "Enter your TOTP code",
-    "unauthorizedTitle": "Unauthorized",
-    "unauthorizedResourceSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to access the resource <Code>{{resource}}</Code>.",
-    "unauthorizedLoginSubtitle": "The user with username <Code>{{username}}</Code> is not authorized to login.",
-    "unauthorizedGroupsSubtitle": "The user with username <Code>{{username}}</Code> is not in the groups required by the resource <Code>{{resource}}</Code>.",
-    "unauthorizedButton": "Try again",
-    "untrustedRedirectTitle": "Untrusted redirect",
-    "untrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<Code>{{domain}}</Code>). Are you sure you want to continue?",
-    "cancelTitle": "Cancel",
-    "forgotPasswordTitle": "Forgot your password?"
+    "loginTitle": "Vítejte zpět, přihlaste se pomocí",
+    "loginTitleSimple": "Vítejte zpět, přihlaste se prosím",
+    "loginDivider": "Nebo",
+    "loginUsername": "Uživatelské jméno",
+    "loginPassword": "Heslo",
+    "loginSubmit": "Přihlásit",
+    "loginFailTitle": "Přihlášení se nezdařilo",
+    "loginFailSubtitle": "Zkontrolujte prosím své uživatelské jméno a heslo",
+    "loginFailRateLimit": "Přiliš mnoho neúspěšných pokusů přihlášení. Zkuste to prosím později",
+    "loginSuccessTitle": "Přihlášen",
+    "loginSuccessSubtitle": "Vítejte zpět!",
+    "loginOauthFailTitle": "Došlo k chybě",
+    "loginOauthFailSubtitle": "Nepodařilo se získat OAuth URL",
+    "loginOauthSuccessTitle": "Přesměrování",
+    "loginOauthSuccessSubtitle": "Přesměrování k poskytovateli OAuth",
+    "loginOauthAutoRedirectTitle": "OAuth Auto Redirect",
+    "loginOauthAutoRedirectSubtitle": "You will be automatically redirected to your OAuth provider to authenticate.",
+    "loginOauthAutoRedirectButton": "Redirect now",
+    "continueTitle": "Pokračovat",
+    "continueRedirectingTitle": "Přesměrování...",
+    "continueRedirectingSubtitle": "Brzy budete přesměrováni do aplikace",
+    "continueRedirectManually": "Redirect me manually",
+    "continueInsecureRedirectTitle": "Nezabezpečené přesměrování",
+    "continueInsecureRedirectSubtitle": "Pokoušíte se přesměrovat z <code>https</code> na <code>http</code>, které není bezpečné. Opravdu chcete pokračovat?",
+    "continueUntrustedRedirectTitle": "Untrusted redirect",
+    "continueUntrustedRedirectSubtitle": "You are trying to redirect to a domain that does not match your configured domain (<code>{{cookieDomain}}</code>). Are you sure you want to continue?",
+    "logoutFailTitle": "Odhlášení se nezdařilo",
+    "logoutFailSubtitle": "Zkuste to prosím znovu",
+    "logoutSuccessTitle": "Odhlášen",
+    "logoutSuccessSubtitle": "Byl jste odhlášen",
+    "logoutTitle": "Odhlásit",
+    "logoutUsernameSubtitle": "Jste přihlášen jako <code>{{username}}</code>. Pro odhlášení klikněte na tlačítko níže.",
+    "logoutOauthSubtitle": "Jste přihlášen jako <code>{{username}}</code> pomocí {{provider}} poskytovatele OAuth. Pro odhlášení klikněte na tlačítko níže.",
+    "notFoundTitle": "Stránka nenalezena",
+    "notFoundSubtitle": "Stránka, kterou hledáte, neexistuje.",
+    "notFoundButton": "Jít domů",
+    "totpFailTitle": "Nepodařilo se ověřit kód",
+    "totpFailSubtitle": "Zkontrolujte prosím kód a zkuste to znovu",
+    "totpSuccessTitle": "Ověřeno",
+    "totpSuccessSubtitle": "Přesměrování do aplikace",
+    "totpTitle": "Zadejte TOTP kód",
+    "totpSubtitle": "Zadejte prosím kód z ověřovací aplikace.",
+    "unauthorizedTitle": "Nepovoleno",
+    "unauthorizedResourceSubtitle": "Uživatel s uživatelským jménem <code>{{username}}</code> není oprávněn k přístupu ke zdroji <code>{{resource}}</code>.",
+    "unauthorizedLoginSubtitle": "Uživatel s uživatelským jménem <code>{{username}}</code> není oprávněn k přihlášení.",
+    "unauthorizedGroupsSubtitle": "Uživatel s uživatelským jménem <code>{{username}}</code> není ve skupině potřebné k přístupu ke zdroji <code>{{resource}}</code>.",
+    "unauthorizedIpSubtitle": "Vaše IP adresa <code>{{ip}}</code> není oprávněna k přístupu ke zdroji <code>{{resource}}</code>.",
+    "unauthorizedButton": "Zkusit znovu",
+    "cancelTitle": "Zrušit",
+    "forgotPasswordTitle": "Zapomněli jste heslo?",
+    "failedToFetchProvidersTitle": "Nepodařilo se načíst poskytovatele ověřování. Zkontrolujte prosím konfiguraci.",
+    "errorTitle": "Došlo k chybě",
+    "errorSubtitle": "Nastala chyba při pokusu o provedení této akce. Pro více informací prosím zkontrolujte konzolu.",
+    "forgotPasswordMessage": "Heslo můžete obnovit změnou proměnné `USERS`.",
+    "fieldRequired": "Toto pole je povinné",
+    "invalidInput": "Neplatný údaj",
+    "domainWarningTitle": "Invalid Domain",
+    "domainWarningSubtitle": "This instance is configured to be accessed from <code>{{appUrl}}</code>, but <code>{{currentUrl}}</code> is being used. If you proceed, you may encounter issues with authentication.",
+    "ignoreTitle": "Ignore",
+    "goToCorrectDomainTitle": "Go to correct domain"
 }
--- a/Show More
+++ b/Show More