release: 0.51.1

refactor: fix type errors
fix: allow LDAP users to update their locale
2026-03-31 11:46:37 +00:00 · 2025-05-03 23:42:47 +02:00 · 2025-05-03 23:42:17 +02:00 · 2025-05-03 23:32:56 +02:00 · 2025-05-03 23:25:22 +02:00 · 2025-05-03 22:53:55 +02:00
46 changed files with 6773 additions and 6188 deletions
--- a/.version
+++ b/.version
@@ -1 +1 @@
-0.50.0
+0.51.1
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,27 @@
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.51.0...v) (2025-05-03)
 ### Bug Fixes
 * allow LDAP users to update their locale ([0b9cbf4](https://github.com/pocket-id/pocket-id/commit/0b9cbf47e36a332cfd854aa92e761264fb3e4795))
 * last name still showing as required on account form ([#492](https://github.com/pocket-id/pocket-id/issues/492)) ([cf3fe0b](https://github.com/pocket-id/pocket-id/commit/cf3fe0be84f6365f5d4eb08c1b47905962a48a0d))
 * non admin users weren't able to call the end session endpoint ([6bd6cef](https://github.com/pocket-id/pocket-id/commit/6bd6cefaa6dc571a319a6a1c2b2facc2404eadd3))
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.50.0...v) (2025-04-28)
 ### Features
 * new login code card position for mobile devices ([#452](https://github.com/pocket-id/pocket-id/issues/452)) ([02cacba](https://github.com/pocket-id/pocket-id/commit/02cacba5c5524481684cb0e1790811df113a9481))
 ### Bug Fixes
 * do not require PKCE for public clients ([ce24372](https://github.com/pocket-id/pocket-id/commit/ce24372c571cc3b277095dc6a4107663d64f45b3))
 * hide global audit log switch for non admin users ([1efd1d1](https://github.com/pocket-id/pocket-id/commit/1efd1d182dbb6190d3c7e27034426c9e48781b4a))
 * return correct error message if user isn't authorized ([86d2b5f](https://github.com/pocket-id/pocket-id/commit/86d2b5f59f26cb944017826cbd8df915cdc986f1))
 * updating scopes of an authorized client fails with Postgres ([0a24ab8](https://github.com/pocket-id/pocket-id/commit/0a24ab80010eb5a15d99915802c6698274a5c57c))
 ## [](https://github.com/pocket-id/pocket-id/compare/v0.49.0...v) (2025-04-27)
--- a/backend/cmd/main.go
+++ b/backend/cmd/main.go
@@ -1,6 +1,8 @@
 package main
 import (
 	"log"
 	"github.com/pocket-id/pocket-id/backend/internal/bootstrap"
 )
@@ -9,5 +11,8 @@ import (
 // @description.markdown
 func main() {
-	bootstrap.Bootstrap()
+	err := bootstrap.Bootstrap()
 	if err != nil {
 		log.Fatal(err.Error())
 	}
 }
--- a/backend/internal/bootstrap/application_images_bootstrap.go
+++ b/backend/internal/bootstrap/application_images_bootstrap.go
@@ -38,7 +38,6 @@ func initApplicationImages() {
 			log.Fatalf("Error copying file: %v", err)
 		}
 	}
 }
 func imageAlreadyExists(fileName string, destinationFiles []os.DirEntry) bool {
@@ -55,6 +54,11 @@ func imageAlreadyExists(fileName string, destinationFiles []os.DirEntry) bool {
 }
 func getImageNameWithoutExtension(fileName string) string {
-	splitted := strings.Split(fileName, ".")
+	idx := strings.LastIndexByte(fileName, '.')
-	return strings.Join(splitted[:len(splitted)-1], ".")
+	if idx < 1 {
 		// No dot found, or fileName starts with a dot
 		return fileName
 	}
 	return fileName[:idx]
 }
--- a/backend/internal/bootstrap/bootstrap.go
+++ b/backend/internal/bootstrap/bootstrap.go
@@ -2,23 +2,69 @@ package bootstrap
 import (
 	"context"
 	"fmt"
 	"log"
 	"time"
 	_ "github.com/golang-migrate/migrate/v4/source/file"
-	"github.com/pocket-id/pocket-id/backend/internal/service"
+	"github.com/pocket-id/pocket-id/backend/internal/job"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/signals"
 )
-func Bootstrap() {
+func Bootstrap() error {
-	ctx := context.TODO()
+	// Get a context that is canceled when the application is stopping
 	ctx := signals.SignalContext(context.Background())
 	initApplicationImages()
 	// Perform migrations for changes
 	migrateConfigDBConnstring()
 	db := newDatabase()
 	appConfigService := service.NewAppConfigService(ctx, db)
 	migrateKey()
-	initRouter(ctx, db, appConfigService)
+	// Connect to the database
 	db := newDatabase()
 	// Create all services
 	svc, err := initServices(ctx, db)
 	if err != nil {
 		return fmt.Errorf("failed to initialize services: %w", err)
 	}
 	// Init the job scheduler
 	scheduler, err := job.NewScheduler()
 	if err != nil {
 		return fmt.Errorf("failed to create job scheduler: %w", err)
 	}
 	err = registerScheduledJobs(ctx, db, svc, scheduler)
 	if err != nil {
 		return fmt.Errorf("failed to register scheduled jobs: %w", err)
 	}
 	// Init the router
 	router := initRouter(db, svc)
 	// Run all background serivces
 	// This call blocks until the context is canceled
 	err = utils.
 		NewServiceRunner(router, scheduler.Run).
 		Run(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to run services: %w", err)
 	}
 	// Invoke all shutdown functions
 	// We give these a timeout of 5s
 	shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer shutdownCancel()
 	err = utils.
 		// TODO: Add shutdown services here
 		NewServiceRunner().
 		Run(shutdownCtx)
 	if err != nil {
 		log.Printf("Error shutting down services: %v", err)
 	}
 	return nil
 }
--- a/backend/internal/bootstrap/e2etest_router_bootstrap.go
+++ b/backend/internal/bootstrap/e2etest_router_bootstrap.go
@@ -12,9 +12,9 @@ import (
 // When building for E2E tests, add the e2etest controller
 func init() {
-	registerTestControllers = []func(apiGroup *gin.RouterGroup, db *gorm.DB, appConfigService *service.AppConfigService, jwtService *service.JwtService){
+	registerTestControllers = []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services){
-		func(apiGroup *gin.RouterGroup, db *gorm.DB, appConfigService *service.AppConfigService, jwtService *service.JwtService) {
+		func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services) {
-			testService := service.NewTestService(db, appConfigService, jwtService)
+			testService := service.NewTestService(db, svc.appConfigService, svc.jwtService)
 			controller.NewTestController(apiGroup, testService)
 		},
 	}
--- a/backend/internal/bootstrap/router_bootstrap.go
+++ b/backend/internal/bootstrap/router_bootstrap.go
@@ -2,25 +2,35 @@ package bootstrap
 import (
 	"context"
 	"fmt"
 	"log"
 	"net"
 	"net/http"
 	"time"
 	"github.com/gin-gonic/gin"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/controller"
 	"github.com/pocket-id/pocket-id/backend/internal/job"
 	"github.com/pocket-id/pocket-id/backend/internal/middleware"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/systemd"
 	"golang.org/x/time/rate"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/controller"
 	"github.com/pocket-id/pocket-id/backend/internal/middleware"
 	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	"github.com/pocket-id/pocket-id/backend/internal/utils/systemd"
 )
 // This is used to register additional controllers for tests
-var registerTestControllers []func(apiGroup *gin.RouterGroup, db *gorm.DB, appConfigService *service.AppConfigService, jwtService *service.JwtService)
+var registerTestControllers []func(apiGroup *gin.RouterGroup, db *gorm.DB, svc *services)
-func initRouter(ctx context.Context, db *gorm.DB, appConfigService *service.AppConfigService) {
+func initRouter(db *gorm.DB, svc *services) utils.Service {
 	runner, err := initRouterInternal(db, svc)
 	if err != nil {
 		log.Fatalf("failed to init router: %v", err)
 	}
 	return runner
 }
 func initRouterInternal(db *gorm.DB, svc *services) (utils.Service, error) {
 	// Set the appropriate Gin mode based on the environment
 	switch common.EnvConfig.AppEnv {
 	case "production":
@@ -34,23 +44,6 @@ func initRouter(ctx context.Context, db *gorm.DB, appConfigService *service.AppC
 	r := gin.Default()
 	r.Use(gin.Logger())
 	// Initialize services
 	emailService, err := service.NewEmailService(appConfigService, db)
 	if err != nil {
 		log.Fatalf("Unable to create email service: %v", err)
 	}
 	geoLiteService := service.NewGeoLiteService(ctx)
 	auditLogService := service.NewAuditLogService(db, appConfigService, emailService, geoLiteService)
 	jwtService := service.NewJwtService(appConfigService)
 	webauthnService := service.NewWebAuthnService(db, jwtService, auditLogService, appConfigService)
 	userService := service.NewUserService(db, jwtService, auditLogService, emailService, appConfigService)
 	customClaimService := service.NewCustomClaimService(db)
 	oidcService := service.NewOidcService(db, jwtService, appConfigService, auditLogService, customClaimService)
 	userGroupService := service.NewUserGroupService(db, appConfigService)
 	ldapService := service.NewLdapService(db, appConfigService, userService, userGroupService)
 	apiKeyService := service.NewApiKeyService(db, emailService)
 	rateLimitMiddleware := middleware.NewRateLimitMiddleware()
 	// Setup global middleware
@@ -58,51 +51,83 @@ func initRouter(ctx context.Context, db *gorm.DB, appConfigService *service.AppC
 	r.Use(middleware.NewErrorHandlerMiddleware().Add())
 	r.Use(rateLimitMiddleware.Add(rate.Every(time.Second), 60))
 	job.RegisterLdapJobs(ctx, ldapService, appConfigService)
 	job.RegisterDbCleanupJobs(ctx, db)
 	job.RegisterFileCleanupJobs(ctx, db)
 	job.RegisterApiKeyExpiryJob(ctx, apiKeyService, appConfigService)
 	// Initialize middleware for specific routes
-	authMiddleware := middleware.NewAuthMiddleware(apiKeyService, userService, jwtService)
+	authMiddleware := middleware.NewAuthMiddleware(svc.apiKeyService, svc.userService, svc.jwtService)
 	fileSizeLimitMiddleware := middleware.NewFileSizeLimitMiddleware()
 	// Set up API routes
 	apiGroup := r.Group("/api")
-	controller.NewApiKeyController(apiGroup, authMiddleware, apiKeyService)
+	controller.NewApiKeyController(apiGroup, authMiddleware, svc.apiKeyService)
-	controller.NewWebauthnController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), webauthnService, appConfigService)
+	controller.NewWebauthnController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.webauthnService, svc.appConfigService)
-	controller.NewOidcController(apiGroup, authMiddleware, fileSizeLimitMiddleware, oidcService, jwtService)
+	controller.NewOidcController(apiGroup, authMiddleware, fileSizeLimitMiddleware, svc.oidcService, svc.jwtService)
-	controller.NewUserController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), userService, appConfigService)
+	controller.NewUserController(apiGroup, authMiddleware, middleware.NewRateLimitMiddleware(), svc.userService, svc.appConfigService)
-	controller.NewAppConfigController(apiGroup, authMiddleware, appConfigService, emailService, ldapService)
+	controller.NewAppConfigController(apiGroup, authMiddleware, svc.appConfigService, svc.emailService, svc.ldapService)
-	controller.NewAuditLogController(apiGroup, auditLogService, authMiddleware)
+	controller.NewAuditLogController(apiGroup, svc.auditLogService, authMiddleware)
-	controller.NewUserGroupController(apiGroup, authMiddleware, userGroupService)
+	controller.NewUserGroupController(apiGroup, authMiddleware, svc.userGroupService)
-	controller.NewCustomClaimController(apiGroup, authMiddleware, customClaimService)
+	controller.NewCustomClaimController(apiGroup, authMiddleware, svc.customClaimService)
 	// Add test controller in non-production environments
 	if common.EnvConfig.AppEnv != "production" {
 		for _, f := range registerTestControllers {
-			f(apiGroup, db, appConfigService, jwtService)
+			f(apiGroup, db, svc)
 		}
 	}
 	// Set up base routes
 	baseGroup := r.Group("/")
-	controller.NewWellKnownController(baseGroup, jwtService)
+	controller.NewWellKnownController(baseGroup, svc.jwtService)
-	// Get the listener
+	// Set up the server
-	l, err := net.Listen("tcp", common.EnvConfig.Host+":"+common.EnvConfig.Port)
+	srv := &http.Server{
-	if err != nil {
+		Addr:              net.JoinHostPort(common.EnvConfig.Host, common.EnvConfig.Port),
-		log.Fatal(err)
+		MaxHeaderBytes:    1 << 20,
 		ReadHeaderTimeout: 10 * time.Second,
 		Handler:           r,
 	}
 	// Set up the listener
 	listener, err := net.Listen("tcp", srv.Addr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create TCP listener: %w", err)
 	}
 	// Service runner function
 	runFn := func(ctx context.Context) error {
 		log.Printf("Server listening on %s", srv.Addr)
 		// Start the server in a background goroutine
 		go func() {
 			defer listener.Close()
 			// Next call blocks until the server is shut down
 			srvErr := srv.Serve(listener)
 			if srvErr != http.ErrServerClosed {
 				log.Fatalf("Error starting app server: %v", srvErr)
 			}
 		}()
 		// Notify systemd that we are ready
-	if err := systemd.SdNotifyReady(); err != nil {
+		err = systemd.SdNotifyReady()
-		log.Println("Unable to notify systemd that the service is ready: ", err)
+		if err != nil {
-		// continue to serve anyway since it's not that important
+			// Log the error only
 			log.Printf("[WARN] Unable to notify systemd that the service is ready: %v", err)
 		}
-	// Serve requests
+		// Block until the context is canceled
-	if err := r.RunListener(l); err != nil {
+		<-ctx.Done()
-		log.Fatal(err)
+
 		// Handle graceful shutdown
 		// Note we use the background context here as ctx has been canceled already
 		shutdownCtx, shutdownCancel := context.WithTimeout(context.Background(), 5*time.Second)
 		shutdownErr := srv.Shutdown(shutdownCtx) //nolint:contextcheck
 		shutdownCancel()
 		if shutdownErr != nil {
 			// Log the error only (could be context canceled)
 			log.Printf("[WARN] App server shutdown error: %v", shutdownErr)
 		}
 		return nil
 	}
 	return runFn, nil
 }
--- a/backend/internal/bootstrap/scheduler_bootstrap.go
+++ b/backend/internal/bootstrap/scheduler_bootstrap.go
@@ -0,0 +1,35 @@
 package bootstrap
 import (
 	"context"
 	"fmt"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/job"
 )
 func registerScheduledJobs(ctx context.Context, db *gorm.DB, svc *services, scheduler *job.Scheduler) error {
 	err := scheduler.RegisterLdapJobs(ctx, svc.ldapService, svc.appConfigService)
 	if err != nil {
 		return fmt.Errorf("failed to register LDAP jobs in scheduler: %w", err)
 	}
 	err = scheduler.RegisterGeoLiteUpdateJobs(ctx, svc.geoLiteService)
 	if err != nil {
 		return fmt.Errorf("failed to register GeoLite DB update service: %w", err)
 	}
 	err = scheduler.RegisterDbCleanupJobs(ctx, db)
 	if err != nil {
 		return fmt.Errorf("failed to register DB cleanup jobs in scheduler: %w", err)
 	}
 	err = scheduler.RegisterFileCleanupJobs(ctx, db)
 	if err != nil {
 		return fmt.Errorf("failed to register file cleanup jobs in scheduler: %w", err)
 	}
 	err = scheduler.RegisterApiKeyExpiryJob(ctx, svc.apiKeyService, svc.appConfigService)
 	if err != nil {
 		return fmt.Errorf("failed to register API key expiration jobs in scheduler: %w", err)
 	}
 	return nil
 }
--- a/backend/internal/bootstrap/services_bootstrap.go
+++ b/backend/internal/bootstrap/services_bootstrap.go
@@ -0,0 +1,51 @@
 package bootstrap
 import (
 	"context"
 	"fmt"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 type services struct {
 	appConfigService   *service.AppConfigService
 	emailService       *service.EmailService
 	geoLiteService     *service.GeoLiteService
 	auditLogService    *service.AuditLogService
 	jwtService         *service.JwtService
 	webauthnService    *service.WebAuthnService
 	userService        *service.UserService
 	customClaimService *service.CustomClaimService
 	oidcService        *service.OidcService
 	userGroupService   *service.UserGroupService
 	ldapService        *service.LdapService
 	apiKeyService      *service.ApiKeyService
 }
 // Initializes all services
 // The context should be used by services only for initialization, and not for running
 func initServices(initCtx context.Context, db *gorm.DB) (svc *services, err error) {
 	svc = &services{}
 	svc.appConfigService = service.NewAppConfigService(initCtx, db)
 	svc.emailService, err = service.NewEmailService(db, svc.appConfigService)
 	if err != nil {
 		return nil, fmt.Errorf("unable to create email service: %w", err)
 	}
 	svc.geoLiteService = service.NewGeoLiteService()
 	svc.auditLogService = service.NewAuditLogService(db, svc.appConfigService, svc.emailService, svc.geoLiteService)
 	svc.jwtService = service.NewJwtService(svc.appConfigService)
 	svc.userService = service.NewUserService(db, svc.jwtService, svc.auditLogService, svc.emailService, svc.appConfigService)
 	svc.customClaimService = service.NewCustomClaimService(db)
 	svc.oidcService = service.NewOidcService(db, svc.jwtService, svc.appConfigService, svc.auditLogService, svc.customClaimService)
 	svc.userGroupService = service.NewUserGroupService(db, svc.appConfigService)
 	svc.ldapService = service.NewLdapService(db, svc.appConfigService, svc.userService, svc.userGroupService)
 	svc.apiKeyService = service.NewApiKeyService(db, svc.emailService)
 	svc.webauthnService = service.NewWebAuthnService(db, svc.jwtService, svc.auditLogService, svc.appConfigService)
 	return svc, nil
 }
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -30,8 +30,8 @@ func NewOidcController(group *gin.RouterGroup, authMiddleware *middleware.AuthMi
 	group.POST("/oidc/token", oc.createTokensHandler)
 	group.GET("/oidc/userinfo", oc.userInfoHandler)
 	group.POST("/oidc/userinfo", oc.userInfoHandler)
-	group.POST("/oidc/end-session", authMiddleware.WithSuccessOptional().Add(), oc.EndSessionHandler)
+	group.POST("/oidc/end-session", authMiddleware.WithAdminNotRequired().WithSuccessOptional().Add(), oc.EndSessionHandler)
-	group.GET("/oidc/end-session", authMiddleware.WithSuccessOptional().Add(), oc.EndSessionHandler)
+	group.GET("/oidc/end-session", authMiddleware.WithAdminNotRequired().WithSuccessOptional().Add(), oc.EndSessionHandler)
 	group.POST("/oidc/introspect", oc.introspectTokenHandler)
 	group.GET("/oidc/clients", authMiddleware.Add(), oc.listClientsHandler)
--- a/backend/internal/job/api_key_expiry_job.go
+++ b/backend/internal/job/api_key_expiry_job.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"log"
 	"github.com/go-co-op/gocron/v2"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
@@ -13,20 +12,13 @@ type ApiKeyEmailJobs struct {
 	appConfigService *service.AppConfigService
 }
-func RegisterApiKeyExpiryJob(ctx context.Context, apiKeyService *service.ApiKeyService, appConfigService *service.AppConfigService) {
+func (s *Scheduler) RegisterApiKeyExpiryJob(ctx context.Context, apiKeyService *service.ApiKeyService, appConfigService *service.AppConfigService) error {
 	jobs := &ApiKeyEmailJobs{
 		apiKeyService:    apiKeyService,
 		appConfigService: appConfigService,
 	}
-	scheduler, err := gocron.NewScheduler()
+	return s.registerJob(ctx, "ExpiredApiKeyEmailJob", "0 0 * * *", jobs.checkAndNotifyExpiringApiKeys)
 	if err != nil {
 		log.Fatalf("Failed to create a new scheduler: %v", err)
 	}
 	registerJob(ctx, scheduler, "ExpiredApiKeyEmailJob", "0 0 * * *", jobs.checkAndNotifyExpiringApiKeys)
 	scheduler.Start()
 }
 func (j *ApiKeyEmailJobs) checkAndNotifyExpiringApiKeys(ctx context.Context) error {
--- a/backend/internal/job/db_cleanup_job.go
+++ b/backend/internal/job/db_cleanup_job.go
@@ -2,30 +2,25 @@ package job
 import (
 	"context"
-	"log"
+	"errors"
 	"time"
 	"github.com/go-co-op/gocron/v2"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 	datatype "github.com/pocket-id/pocket-id/backend/internal/model/types"
 )
-func RegisterDbCleanupJobs(ctx context.Context, db *gorm.DB) {
+func (s *Scheduler) RegisterDbCleanupJobs(ctx context.Context, db *gorm.DB) error {
 	scheduler, err := gocron.NewScheduler()
 	if err != nil {
 		log.Fatalf("Failed to create a new scheduler: %s", err)
 	}
 	jobs := &DbCleanupJobs{db: db}
-	registerJob(ctx, scheduler, "ClearWebauthnSessions", "0 3 * * *", jobs.clearWebauthnSessions)
+	return errors.Join(
-	registerJob(ctx, scheduler, "ClearOneTimeAccessTokens", "0 3 * * *", jobs.clearOneTimeAccessTokens)
+		s.registerJob(ctx, "ClearWebauthnSessions", "0 3 * * *", jobs.clearWebauthnSessions),
-	registerJob(ctx, scheduler, "ClearOidcAuthorizationCodes", "0 3 * * *", jobs.clearOidcAuthorizationCodes)
+		s.registerJob(ctx, "ClearOneTimeAccessTokens", "0 3 * * *", jobs.clearOneTimeAccessTokens),
-	registerJob(ctx, scheduler, "ClearOidcRefreshTokens", "0 3 * * *", jobs.clearOidcRefreshTokens)
+		s.registerJob(ctx, "ClearOidcAuthorizationCodes", "0 3 * * *", jobs.clearOidcAuthorizationCodes),
-	registerJob(ctx, scheduler, "ClearAuditLogs", "0 3 * * *", jobs.clearAuditLogs)
+		s.registerJob(ctx, "ClearOidcRefreshTokens", "0 3 * * *", jobs.clearOidcRefreshTokens),
-	scheduler.Start()
+		s.registerJob(ctx, "ClearAuditLogs", "0 3 * * *", jobs.clearAuditLogs),
 	)
 }
 type DbCleanupJobs struct {
--- a/backend/internal/job/file_cleanup_job.go
+++ b/backend/internal/job/file_cleanup_job.go
@@ -8,24 +8,16 @@ import (
 	"path/filepath"
 	"strings"
 	"github.com/go-co-op/gocron/v2"
 	"gorm.io/gorm"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/model"
 )
-func RegisterFileCleanupJobs(ctx context.Context, db *gorm.DB) {
+func (s *Scheduler) RegisterFileCleanupJobs(ctx context.Context, db *gorm.DB) error {
 	scheduler, err := gocron.NewScheduler()
 	if err != nil {
 		log.Fatalf("Failed to create a new scheduler: %s", err)
 	}
 	jobs := &FileCleanupJobs{db: db}
-	registerJob(ctx, scheduler, "ClearUnusedDefaultProfilePictures", "0 2 * * 0", jobs.clearUnusedDefaultProfilePictures)
+	return s.registerJob(ctx, "ClearUnusedDefaultProfilePictures", "0 2 * * 0", jobs.clearUnusedDefaultProfilePictures)
 	scheduler.Start()
 }
 type FileCleanupJobs struct {
--- a/backend/internal/job/geoloite_update_job.go
+++ b/backend/internal/job/geoloite_update_job.go
@@ -0,0 +1,45 @@
 package job
 import (
 	"context"
 	"log"
 	"time"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
 type GeoLiteUpdateJobs struct {
 	geoLiteService *service.GeoLiteService
 }
 func (s *Scheduler) RegisterGeoLiteUpdateJobs(ctx context.Context, geoLiteService *service.GeoLiteService) error {
 	// Check if the service needs periodic updating
 	if geoLiteService.DisableUpdater() {
 		// Nothing to do
 		return nil
 	}
 	jobs := &GeoLiteUpdateJobs{geoLiteService: geoLiteService}
 	// Register the job to run every day, at 5 minutes past midnight
 	err := s.registerJob(ctx, "UpdateGeoLiteDB", "5 * */1 * *", jobs.updateGoeLiteDB)
 	if err != nil {
 		return err
 	}
 	// Run the job immediately on startup, with a 1s delay
 	go func() {
 		time.Sleep(time.Second)
 		err = jobs.updateGoeLiteDB(ctx)
 		if err != nil {
 			// Log the error only, but don't return it
 			log.Printf("Failed to Update GeoLite database: %v", err)
 		}
 	}()
 	return nil
 }
 func (j *GeoLiteUpdateJobs) updateGoeLiteDB(ctx context.Context) error {
 	return j.geoLiteService.UpdateDatabase(ctx)
 }
--- a/backend/internal/job/job.go
+++ b/backend/internal/job/job.go
@@ -1,29 +0,0 @@
 package job
 import (
 	"context"
 	"log"
 	"github.com/go-co-op/gocron/v2"
 	"github.com/google/uuid"
 )
 func registerJob(ctx context.Context, scheduler gocron.Scheduler, name string, interval string, job func(ctx context.Context) error) {
 	_, err := scheduler.NewJob(
 		gocron.CronJob(interval, false),
 		gocron.NewTask(job),
 		gocron.WithContext(ctx),
 		gocron.WithEventListeners(
 			gocron.AfterJobRuns(func(jobID uuid.UUID, jobName string) {
 				log.Printf("Job %q run successfully", name)
 			}),
 			gocron.AfterJobRunsWithError(func(jobID uuid.UUID, jobName string, err error) {
 				log.Printf("Job %q failed with error: %v", name, err)
 			}),
 		),
 	)
 	if err != nil {
 		log.Fatalf("Failed to register job %q: %v", name, err)
 	}
 }
--- a/backend/internal/job/ldap_job.go
+++ b/backend/internal/job/ldap_job.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"log"
 	"github.com/go-co-op/gocron/v2"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
@@ -13,24 +12,23 @@ type LdapJobs struct {
 	appConfigService *service.AppConfigService
 }
-func RegisterLdapJobs(ctx context.Context, ldapService *service.LdapService, appConfigService *service.AppConfigService) {
+func (s *Scheduler) RegisterLdapJobs(ctx context.Context, ldapService *service.LdapService, appConfigService *service.AppConfigService) error {
 	jobs := &LdapJobs{ldapService: ldapService, appConfigService: appConfigService}
 	scheduler, err := gocron.NewScheduler()
 	if err != nil {
 		log.Fatalf("Failed to create a new scheduler: %v", err)
 	}
 	// Register the job to run every hour
-	registerJob(ctx, scheduler, "SyncLdap", "0 * * * *", jobs.syncLdap)
+	err := s.registerJob(ctx, "SyncLdap", "0 * * * *", jobs.syncLdap)
 	if err != nil {
 		return err
 	}
 	// Run the job immediately on startup
 	err = jobs.syncLdap(ctx)
 	if err != nil {
 		// Log the error only, but don't return it
 		log.Printf("Failed to sync LDAP: %v", err)
 	}
-	scheduler.Start()
+	return nil
 }
 func (j *LdapJobs) syncLdap(ctx context.Context) error {
--- a/backend/internal/job/scheduler.go
+++ b/backend/internal/job/scheduler.go
@@ -0,0 +1,66 @@
 package job
 import (
 	"context"
 	"fmt"
 	"log"
 	"github.com/go-co-op/gocron/v2"
 	"github.com/google/uuid"
 )
 type Scheduler struct {
 	scheduler gocron.Scheduler
 }
 func NewScheduler() (*Scheduler, error) {
 	scheduler, err := gocron.NewScheduler()
 	if err != nil {
 		return nil, fmt.Errorf("failed to create a new scheduler: %w", err)
 	}
 	return &Scheduler{
 		scheduler: scheduler,
 	}, nil
 }
 // Run the scheduler.
 // This function blocks until the context is canceled.
 func (s *Scheduler) Run(ctx context.Context) error {
 	log.Println("Starting job scheduler")
 	s.scheduler.Start()
 	// Block until context is canceled
 	<-ctx.Done()
 	err := s.scheduler.Shutdown()
 	if err != nil {
 		log.Printf("[WARN] Error shutting down job scheduler: %v", err)
 	} else {
 		log.Println("Job scheduler shut down")
 	}
 	return nil
 }
 func (s *Scheduler) registerJob(ctx context.Context, name string, interval string, job func(ctx context.Context) error) error {
 	_, err := s.scheduler.NewJob(
 		gocron.CronJob(interval, false),
 		gocron.NewTask(job),
 		gocron.WithContext(ctx),
 		gocron.WithEventListeners(
 			gocron.AfterJobRuns(func(jobID uuid.UUID, jobName string) {
 				log.Printf("Job %q run successfully", name)
 			}),
 			gocron.AfterJobRunsWithError(func(jobID uuid.UUID, jobName string, err error) {
 				log.Printf("Job %q failed with error: %v", name, err)
 			}),
 		),
 	)
 	if err != nil {
 		return fmt.Errorf("failed to register job %q: %w", name, err)
 	}
 	return nil
 }
--- a/backend/internal/middleware/auth_middleware.go
+++ b/backend/internal/middleware/auth_middleware.go
@@ -1,7 +1,10 @@
 package middleware
 import (
 	"errors"
 	"github.com/gin-gonic/gin"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
 	"github.com/pocket-id/pocket-id/backend/internal/service"
 )
@@ -69,6 +72,13 @@ func (m *AuthMiddleware) Add() gin.HandlerFunc {
 			return
 		}
 		// If JWT auth failed and the error is not a NotSignedInError, abort the request
 		if !errors.Is(err, &common.NotSignedInError{}) {
 			c.Abort()
 			_ = c.Error(err)
 			return
 		}
 		// JWT auth failed, try API key auth
 		userID, isAdmin, err = m.apiKeyMiddleware.Verify(c, m.options.AdminRequired)
 		if err == nil {
--- a/backend/internal/service/app_config_service.go
+++ b/backend/internal/service/app_config_service.go
@@ -26,12 +26,12 @@ type AppConfigService struct {
 	db       *gorm.DB
 }
-func NewAppConfigService(ctx context.Context, db *gorm.DB) *AppConfigService {
+func NewAppConfigService(initCtx context.Context, db *gorm.DB) *AppConfigService {
 	service := &AppConfigService{
 		db: db,
 	}
-	err := service.LoadDbConfig(ctx)
+	err := service.LoadDbConfig(initCtx)
 	if err != nil {
 		log.Fatalf("Failed to initialize app config service: %v", err)
 	}
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -33,7 +33,7 @@ type EmailService struct {
 	textTemplates    map[string]*ttemplate.Template
 }
-func NewEmailService(appConfigService *AppConfigService, db *gorm.DB) (*EmailService, error) {
+func NewEmailService(db *gorm.DB, appConfigService *AppConfigService) (*EmailService, error) {
 	htmlTemplates, err := email.PrepareHTMLTemplates(emailTemplatesPaths)
 	if err != nil {
 		return nil, fmt.Errorf("prepare html templates: %w", err)
--- a/backend/internal/service/geolite_service.go
+++ b/backend/internal/service/geolite_service.go
@@ -23,7 +23,7 @@ import (
 type GeoLiteService struct {
 	disableUpdater bool
-	mutex          sync.Mutex
+	mutex          sync.RWMutex
 }
 var localhostIPNets = []*net.IPNet{
@@ -42,25 +42,22 @@ var tailscaleIPNets = []*net.IPNet{
 }
 // NewGeoLiteService initializes a new GeoLiteService instance and starts a goroutine to update the GeoLite2 City database.
-func NewGeoLiteService(ctx context.Context) *GeoLiteService {
+func NewGeoLiteService() *GeoLiteService {
 	service := &GeoLiteService{}
 	if common.EnvConfig.MaxMindLicenseKey == "" && common.EnvConfig.GeoLiteDBUrl == common.MaxMindGeoLiteCityUrl {
-		// Warn the user, and disable the updater.
+		// Warn the user, and disable the periodic updater
 		log.Println("MAXMIND_LICENSE_KEY environment variable is empty. The GeoLite2 City database won't be updated.")
 		service.disableUpdater = true
 	}
 	go func() {
 		err := service.updateDatabase(ctx)
 		if err != nil {
 			log.Printf("Failed to update GeoLite2 City database: %v", err)
 		}
 	}()
 	return service
 }
 func (s *GeoLiteService) DisableUpdater() bool {
 	return s.disableUpdater
 }
 // GetLocationByIP returns the country and city of the given IP address.
 func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string, err error) {
 	// Check the IP address against known private IP ranges
@@ -83,8 +80,8 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string
 	}
 	// Race condition between reading and writing the database.
-	s.mutex.Lock()
+	s.mutex.RLock()
-	defer s.mutex.Unlock()
+	defer s.mutex.RUnlock()
 	db, err := maxminddb.Open(common.EnvConfig.GeoLiteDBPath)
 	if err != nil {
@@ -92,7 +89,10 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string
 	}
 	defer db.Close()
-	addr := netip.MustParseAddr(ipAddress)
+	addr, err := netip.ParseAddr(ipAddress)
 	if err != nil {
 		return "", "", fmt.Errorf("failed to parse IP address: %w", err)
 	}
 	var record struct {
 		City struct {
@@ -112,18 +112,13 @@ func (s *GeoLiteService) GetLocationByIP(ipAddress string) (country, city string
 }
 // UpdateDatabase checks the age of the database and updates it if it's older than 14 days.
-func (s *GeoLiteService) updateDatabase(parentCtx context.Context) error {
+func (s *GeoLiteService) UpdateDatabase(parentCtx context.Context) error {
 	if s.disableUpdater {
 		// Avoid updating the GeoLite2 City database.
 		return nil
 	}
 	if s.isDatabaseUpToDate() {
-		log.Println("GeoLite2 City database is up-to-date.")
+		log.Println("GeoLite2 City database is up-to-date")
 		return nil
 	}
-	log.Println("Updating GeoLite2 City database...")
+	log.Println("Updating GeoLite2 City database")
 	downloadUrl := fmt.Sprintf(common.EnvConfig.GeoLiteDBUrl, common.EnvConfig.MaxMindLicenseKey)
 	ctx, cancel := context.WithTimeout(parentCtx, 10*time.Minute)
@@ -145,7 +140,8 @@ func (s *GeoLiteService) updateDatabase(parentCtx context.Context) error {
 	}
 	// Extract the database file directly to the target path
-	if err := s.extractDatabase(resp.Body); err != nil {
+	err = s.extractDatabase(resp.Body)
 	if err != nil {
 		return fmt.Errorf("failed to extract database: %w", err)
 	}
@@ -179,10 +175,9 @@ func (s *GeoLiteService) extractDatabase(reader io.Reader) error {
 	// Iterate over the files in the tar archive
 	for {
 		header, err := tarReader.Next()
-		if err == io.EOF {
+		if errors.Is(err, io.EOF) {
 			break
-		}
+		} else if err != nil {
 		if err != nil {
 			return fmt.Errorf("failed to read tar archive: %w", err)
 		}
--- a/backend/internal/service/oidc_service.go
+++ b/backend/internal/service/oidc_service.go
@@ -15,6 +15,8 @@ import (
 	"strings"
 	"time"
 	"gorm.io/gorm/clause"
 	"github.com/lestrrat-go/jwx/v3/jwt"
 	"github.com/pocket-id/pocket-id/backend/internal/common"
@@ -94,24 +96,8 @@ func (s *OidcService) Authorize(ctx context.Context, input dto.AuthorizeOidcClie
 	// If the user has not authorized the client, create a new authorization in the database
 	if !hasAuthorizedClient {
-		userAuthorizedClient := model.UserAuthorizedOidcClient{
+		err := s.createAuthorizedClientInternal(ctx, userID, input.ClientID, input.Scope, tx)
-			UserID:   userID,
+		if err != nil {
 			ClientID: input.ClientID,
 			Scope:    input.Scope,
 		}
 		err = tx.
 			WithContext(ctx).
 			Create(&userAuthorizedClient).
 			Error
 		if errors.Is(err, gorm.ErrDuplicatedKey) {
 			// The client has already been authorized but with a different scope so we need to update the scope
 			if err := tx.
 				WithContext(ctx).
 				Model(&userAuthorizedClient).Update("scope", input.Scope).Error; err != nil {
 				return "", "", err
 			}
 		} else if err != nil {
 			return "", "", err
 		}
 	}
@@ -201,7 +187,7 @@ func (s *OidcService) createTokenFromDeviceCode(ctx context.Context, deviceCode,
 		tx.Rollback()
 	}()
-	_, err = s.VerifyClientCredentials(ctx, clientID, clientSecret, tx)
+	_, err = s.verifyClientCredentialsInternal(ctx, clientID, clientSecret, tx)
 	if err != nil {
 		return "", "", "", 0, err
 	}
@@ -269,7 +255,7 @@ func (s *OidcService) createTokenFromAuthorizationCode(ctx context.Context, code
 		tx.Rollback()
 	}()
-	client, err := s.VerifyClientCredentials(ctx, clientID, clientSecret, tx)
+	client, err := s.verifyClientCredentialsInternal(ctx, clientID, clientSecret, tx)
 	if err != nil {
 		return "", "", "", 0, err
 	}
@@ -342,7 +328,7 @@ func (s *OidcService) createTokenFromRefreshToken(ctx context.Context, refreshTo
 		tx.Rollback()
 	}()
-	_, err = s.VerifyClientCredentials(ctx, clientID, clientSecret, tx)
+	_, err = s.verifyClientCredentialsInternal(ctx, clientID, clientSecret, tx)
 	if err != nil {
 		return "", "", 0, err
 	}
@@ -401,7 +387,7 @@ func (s *OidcService) IntrospectToken(ctx context.Context, clientID, clientSecre
 		return introspectDto, &common.OidcMissingClientCredentialsError{}
 	}
-	_, err = s.VerifyClientCredentials(ctx, clientID, clientSecret, s.db)
+	_, err = s.verifyClientCredentialsInternal(ctx, clientID, clientSecret, s.db)
 	if err != nil {
 		return introspectDto, err
 	}
@@ -520,7 +506,7 @@ func (s *OidcService) CreateClient(ctx context.Context, input dto.OidcClientCrea
 		LogoutCallbackURLs: input.LogoutCallbackURLs,
 		CreatedByID:        userID,
 		IsPublic:           input.IsPublic,
-		PkceEnabled:        input.IsPublic || input.PkceEnabled,
+		PkceEnabled:        input.PkceEnabled,
 	}
 	err := s.db.
@@ -999,7 +985,7 @@ func (s *OidcService) getCallbackURL(urls []string, inputCallbackURL string) (ca
 }
 func (s *OidcService) CreateDeviceAuthorization(ctx context.Context, input dto.OidcDeviceAuthorizationRequestDto) (*dto.OidcDeviceAuthorizationResponseDto, error) {
-	client, err := s.VerifyClientCredentials(ctx, input.ClientID, input.ClientSecret, s.db)
+	client, err := s.verifyClientCredentialsInternal(ctx, input.ClientID, input.ClientSecret, s.db)
 	if err != nil {
 		return nil, err
 	}
@@ -1095,23 +1081,11 @@ func (s *OidcService) VerifyDeviceCode(ctx context.Context, userCode string, use
 	}
 	if !hasAuthorizedClient {
-		userAuthorizedClient := model.UserAuthorizedOidcClient{
+		err := s.createAuthorizedClientInternal(ctx, userID, deviceAuth.ClientID, deviceAuth.Scope, tx)
-			UserID:   userID,
+		if err != nil {
-			ClientID: deviceAuth.ClientID,
+			return err
 			Scope:    deviceAuth.Scope,
 		}
 		if err := tx.WithContext(ctx).Create(&userAuthorizedClient).Error; err != nil {
 			if !errors.Is(err, gorm.ErrDuplicatedKey) {
 				return err
 			}
 			// If duplicate, update scope
 			if err := tx.WithContext(ctx).Model(&model.UserAuthorizedOidcClient{}).
 				Where("user_id = ? AND client_id = ?", userID, deviceAuth.ClientID).
 				Update("scope", deviceAuth.Scope).Error; err != nil {
 				return err
 			}
 		}
 		s.auditLogService.Create(ctx, model.AuditLogEventNewDeviceCodeAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": deviceAuth.Client.Name}, tx)
 	} else {
 		s.auditLogService.Create(ctx, model.AuditLogEventDeviceCodeAuthorization, ipAddress, userAgent, userID, model.AuditLogData{"clientName": deviceAuth.Client.Name}, tx)
@@ -1188,7 +1162,25 @@ func (s *OidcService) createRefreshToken(ctx context.Context, clientID string, u
 	return refreshToken, nil
 }
-func (s *OidcService) VerifyClientCredentials(ctx context.Context, clientID, clientSecret string, tx *gorm.DB) (model.OidcClient, error) {
+func (s *OidcService) createAuthorizedClientInternal(ctx context.Context, userID string, clientID string, scope string, tx *gorm.DB) error {
 	userAuthorizedClient := model.UserAuthorizedOidcClient{
 		UserID:   userID,
 		ClientID: clientID,
 		Scope:    scope,
 	}
 	err := tx.WithContext(ctx).
 		Clauses(clause.OnConflict{
 			Columns:   []clause.Column{{Name: "user_id"}, {Name: "client_id"}},
 			DoUpdates: clause.AssignmentColumns([]string{"scope"}),
 		}).
 		Create(&userAuthorizedClient).
 		Error
 	return err
 }
 func (s *OidcService) verifyClientCredentialsInternal(ctx context.Context, clientID, clientSecret string, tx *gorm.DB) (model.OidcClient, error) {
 	if clientID == "" {
 		return model.OidcClient{}, &common.OidcMissingClientCredentialsError{}
 	}
--- a/backend/internal/service/user_service.go
+++ b/backend/internal/service/user_service.go
@@ -262,13 +262,13 @@ func (s *UserService) createUserInternal(ctx context.Context, input dto.UserCrea
 	return user, nil
 }
-func (s *UserService) UpdateUser(ctx context.Context, userID string, updatedUser dto.UserCreateDto, updateOwnUser bool, allowLdapUpdate bool) (model.User, error) {
+func (s *UserService) UpdateUser(ctx context.Context, userID string, updatedUser dto.UserCreateDto, updateOwnUser bool, isLdapSync bool) (model.User, error) {
 	tx := s.db.Begin()
 	defer func() {
 		tx.Rollback()
 	}()
-	user, err := s.updateUserInternal(ctx, userID, updatedUser, updateOwnUser, allowLdapUpdate, tx)
+	user, err := s.updateUserInternal(ctx, userID, updatedUser, updateOwnUser, isLdapSync, tx)
 	if err != nil {
 		return model.User{}, err
 	}
@@ -292,11 +292,14 @@ func (s *UserService) updateUserInternal(ctx context.Context, userID string, upd
 		return model.User{}, err
 	}
-	// Disallow updating the user if it is an LDAP group and LDAP is enabled
+	// Check if this is an LDAP user and LDAP is enabled
-	if !isLdapSync && user.LdapID != nil && s.appConfigService.GetDbConfig().LdapEnabled.IsTrue() {
+	isLdapUser := user.LdapID != nil && s.appConfigService.GetDbConfig().LdapEnabled.IsTrue()
 		return model.User{}, &common.LdapUserUpdateError{}
 	}
 	// For LDAP users, only allow updating the locale unless it's an LDAP sync
 	if !isLdapSync && isLdapUser {
 		// Only update the locale for LDAP users
 		user.Locale = updatedUser.Locale
 	} else {
 		user.FirstName = updatedUser.FirstName
 		user.LastName = updatedUser.LastName
 		user.Email = updatedUser.Email
@@ -306,6 +309,7 @@ func (s *UserService) updateUserInternal(ctx context.Context, userID string, upd
 			user.IsAdmin = updatedUser.IsAdmin
 			user.Disabled = updatedUser.Disabled
 		}
 	}
 	err = tx.
 		WithContext(ctx).
--- a/backend/internal/utils/servicerunner.go
+++ b/backend/internal/utils/servicerunner.go
@@ -0,0 +1,58 @@
 package utils
 import (
 	"context"
 	"errors"
 )
 // Source:
 // https://github.com/ItalyPaleAle/traefik-forward-auth/blob/v3.5.1/pkg/utils/servicerunner.go
 // Copyright (c) 2018, Thom Seddon & Contributors Copyright (c) 2023, Alessandro Segala & Contributors
 // License: MIT (https://github.com/ItalyPaleAle/traefik-forward-auth/blob/v3.5.1/LICENSE.md)
 // Service is a background service
 type Service func(ctx context.Context) error
 // ServiceRunner oversees a number of services running in background
 type ServiceRunner struct {
 	services []Service
 }
 // NewServiceRunner creates a new ServiceRunner
 func NewServiceRunner(services ...Service) *ServiceRunner {
 	return &ServiceRunner{
 		services: services,
 	}
 }
 // Run all background services
 func (r *ServiceRunner) Run(ctx context.Context) error {
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
 	errCh := make(chan error)
 	for _, service := range r.services {
 		go func(service Service) {
 			// Run the service
 			rErr := service(ctx)
 			// Ignore context canceled errors here as they generally indicate that the service is stopping
 			if rErr != nil && !errors.Is(rErr, context.Canceled) {
 				errCh <- rErr
 				return
 			}
 			errCh <- nil
 		}(service)
 	}
 	// Wait for all services to return
 	errs := make([]error, 0)
 	for range len(r.services) {
 		err := <-errCh
 		if err != nil {
 			errs = append(errs, err)
 		}
 	}
 	return errors.Join(errs...)
 }
--- a/backend/internal/utils/servicerunner_test.go
+++ b/backend/internal/utils/servicerunner_test.go
@@ -0,0 +1,125 @@
 package utils
 import (
 	"context"
 	"errors"
 	"testing"
 	"time"
 	"github.com/stretchr/testify/require"
 )
 // Source:
 // https://github.com/ItalyPaleAle/traefik-forward-auth/blob/v3.5.1/pkg/utils/servicerunner.go
 // Copyright (c) 2018, Thom Seddon & Contributors Copyright (c) 2023, Alessandro Segala & Contributors
 // License: MIT (https://github.com/ItalyPaleAle/traefik-forward-auth/blob/v3.5.1/LICENSE.md)
 func TestServiceRunner_Run(t *testing.T) {
 	t.Run("successful services", func(t *testing.T) {
 		// Create a service that just returns no error after 0.2s
 		successService := func(ctx context.Context) error {
 			time.Sleep(200 * time.Millisecond)
 			return nil
 		}
 		// Create a service runner with two success services
 		runner := NewServiceRunner(successService, successService)
 		// Run the services with a timeout to avoid hanging if something goes wrong
 		ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
 		defer cancel()
 		// Run should return nil when all services succeed
 		err := runner.Run(ctx)
 		require.NoError(t, err)
 	})
 	t.Run("service with error", func(t *testing.T) {
 		// Create a service that returns an error
 		expectedErr := errors.New("service failed")
 		errorService := func(ctx context.Context) error {
 			return expectedErr
 		}
 		// Create a service runner with one error service and one success service
 		successService := func(ctx context.Context) error {
 			time.Sleep(200 * time.Millisecond)
 			return nil
 		}
 		runner := NewServiceRunner(errorService, successService)
 		// Run the services with a timeout
 		ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
 		defer cancel()
 		// Run should return the error
 		err := runner.Run(ctx)
 		require.Error(t, err)
 		// The error should contain our expected error
 		require.ErrorIs(t, err, expectedErr)
 	})
 	t.Run("context canceled", func(t *testing.T) {
 		// Create a service that waits until context is canceled
 		waitingService := func(ctx context.Context) error {
 			<-ctx.Done()
 			return ctx.Err()
 		}
 		// Create another service that returns no error quickly
 		quickService := func(ctx context.Context) error {
 			return nil
 		}
 		runner := NewServiceRunner(waitingService, quickService)
 		// Create a context that we can cancel
 		ctx, cancel := context.WithCancel(t.Context())
 		// Run the runner in a goroutine
 		errCh := make(chan error)
 		go func() {
 			errCh <- runner.Run(ctx)
 		}()
 		// Cancel the context to trigger service shutdown
 		cancel()
 		// Wait for the runner to finish with a timeout
 		select {
 		case err := <-errCh:
 			require.NoError(t, err, "expected nil error (context.Canceled should be ignored)")
 		case <-time.After(5 * time.Second):
 			t.Fatal("test timed out waiting for runner to finish")
 		}
 	})
 	t.Run("multiple errors", func(t *testing.T) {
 		// Create two services that return different errors
 		err1 := errors.New("error 1")
 		err2 := errors.New("error 2")
 		service1 := func(ctx context.Context) error {
 			return err1
 		}
 		service2 := func(ctx context.Context) error {
 			return err2
 		}
 		runner := NewServiceRunner(service1, service2)
 		// Run the services
 		ctx, cancel := context.WithTimeout(t.Context(), 5*time.Second)
 		defer cancel()
 		// Run should join all errors
 		err := runner.Run(ctx)
 		require.Error(t, err)
 		// Check that both errors are included
 		require.ErrorIs(t, err, err1)
 		require.ErrorIs(t, err, err2)
 	})
 }
--- a/backend/internal/utils/signals/signal.go
+++ b/backend/internal/utils/signals/signal.go
@@ -0,0 +1,40 @@
 package signals
 import (
 	"context"
 	"log"
 	"os"
 	"os/signal"
 	"syscall"
 )
 /*
 This code is adapted from:
 https://github.com/kubernetes-sigs/controller-runtime/blob/8499b67e316a03b260c73f92d0380de8cd2e97a1/pkg/manager/signals/signal.go
 Copyright 2017 The Kubernetes Authors.
 License: Apache2 (https://github.com/kubernetes-sigs/controller-runtime/blob/8499b67e316a03b260c73f92d0380de8cd2e97a1/LICENSE)
 */
 var onlyOneSignalHandler = make(chan struct{})
 // SignalContext returns a context that is canceled when the application receives an interrupt signal.
 // A second signal forces an immediate shutdown.
 func SignalContext(parentCtx context.Context) context.Context {
 	close(onlyOneSignalHandler) // Panics when called twice
 	ctx, cancel := context.WithCancel(parentCtx)
 	sigCh := make(chan os.Signal, 2)
 	signal.Notify(sigCh, os.Interrupt, syscall.SIGTERM)
 	go func() {
 		<-sigCh
 		log.Println("Received interrupt signal. Shutting down…")
 		cancel()
 		<-sigCh
 		log.Println("Received a second interrupt signal. Forcing an immediate shutdown.")
 		os.Exit(1)
 	}()
 	return ctx
 }
--- a/frontend/messages/cs-CZ.json
+++ b/frontend/messages/cs-CZ.json
@@ -276,7 +276,7 @@
 	"callback_urls": "URL zpětného volání",
 	"logout_callback_urls": "URL zpětného volání při odhlášení",
 	"public_client": "Veřejný klient",
-	"public_clients_do_not_have_a_client_secret_and_use_pkce_instead": "Veřejní klienti nemají client secret a místo toho používají PKCE. Povolte to, pokud je váš klient SPA nebo mobilní aplikace.",
+	"public_clients_description": "Veřejní klienti nemají client secret a místo toho používají PKCE. Povolte to, pokud je váš klient SPA nebo mobilní aplikace.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Exchange je bezpečnostní funkce, která zabraňuje útokům CSRF a narušení autorizačních kódů.",
 	"name_logo": "Logo {name}",
@@ -342,5 +342,9 @@
 	"show_code": "Zobrazit kód",
 	"callback_url_description": "URL poskytnuté klientem. Klientské zástupné znaky (*) jsou podporovány, ale raději se jim vyhýbejte, pro lepší bezpečnost.",
 	"api_key_expiration": "Vypršení platnosti API klíče",
-	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Pošlete uživateli e-mail, jakmile jejich API klíč brzy vyprší."
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Pošlete uživateli e-mail, jakmile jejich API klíč brzy vyprší.",
 	"authorize_device": "Authorize Device",
 	"the_device_has_been_authorized": "The device has been authorized.",
 	"enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 	"authorize": "Authorize"
 }
--- a/frontend/messages/de-DE.json
+++ b/frontend/messages/de-DE.json
@@ -276,7 +276,7 @@
 	"callback_urls": "Callback URLs",
 	"logout_callback_urls": "Abmelde Callback URLs",
 	"public_client": "Öffentlicher Client",
-	"public_clients_do_not_have_a_client_secret_and_use_pkce_instead": "Öffentliche Clients haben kein Client-Geheimnis und verwenden stattdessen PKCE. Aktiviere dies, wenn dein Client eine SPA oder mobile App ist.",
+	"public_clients_description": "Öffentliche Clients haben kein Client-Geheimnis und verwenden stattdessen PKCE. Aktiviere dies, wenn dein Client eine SPA oder mobile App ist.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Der Public Key Code Exchange (öffentlicher Schlüsselaustausch) ist eine Sicherheitsfunktion, um CSRF Angriffe und Angriffe zum Abfangen von Autorisierungscodes zu verhindern.",
 	"name_logo": "{name} Logo",
@@ -327,20 +327,24 @@
 	"client_authorization": "Client-Autorisierung",
 	"new_client_authorization": "Neue Client-Autorisierung",
 	"disable_animations": "Animationen deaktivieren",
-	"turn_off_all_animations_throughout_the_admin_ui": "Schalte alle Animationen im Admin UI aus.",
+	"turn_off_all_animations_throughout_the_admin_ui": "Deaktiviert alle Animationen in der Benutzeroberfläche.",
 	"user_disabled": "Account deaktiviert",
-	"disabled_users_cannot_log_in_or_use_services": "Disabled users cannot log in or use services.",
+	"disabled_users_cannot_log_in_or_use_services": "Deaktivierte Benutzer können sich nicht anmelden oder Dienste nutzen.",
-	"user_disabled_successfully": "User has been disabled successfully.",
+	"user_disabled_successfully": "Der Benutzer wurde erfolgreich deaktiviert.",
-	"user_enabled_successfully": "User has been enabled successfully.",
+	"user_enabled_successfully": "Der Benutzer wurde erfolgreich aktiviert.",
 	"status": "Status",
-	"disable_firstname_lastname": "Disable {firstName} {lastName}",
+	"disable_firstname_lastname": "Deaktiviere {firstName} {lastName}",
-	"are_you_sure_you_want_to_disable_this_user": "Are you sure you want to disable this user? They will not be able to log in or access any services.",
+	"are_you_sure_you_want_to_disable_this_user": "Bist du sicher, dass du diesen Benutzer deaktivieren möchtest? Er kann sich dann nicht mehr anmelden, oder auf Dienste zugreifen.",
-	"ldap_soft_delete_users": "Keep disabled users from LDAP.",
+	"ldap_soft_delete_users": "Deaktivierte Benutzer von LDAP behalten.",
-	"ldap_soft_delete_users_description": "When enabled, users removed from LDAP will be disabled rather than deleted from the system.",
+	"ldap_soft_delete_users_description": "Wenn aktiviert, werden vom LDAP gelöschte Benutzer deaktivert und nicht aus dem System gelöscht.",
-	"login_code_email_success": "The login code has been sent to the user.",
+	"login_code_email_success": "Der Login-Code wurde an den Benutzer gesendet.",
-	"send_email": "Send Email",
+	"send_email": "E-Mail senden",
-	"show_code": "Show Code",
+	"show_code": "Code anzeigen",
-	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
+	"callback_url_description": "URL(s) die von deinem Client bereitgestellt werden. Wildcards (*) werden unterstützt, sollten für bessere Sicherheit jedoch lieber vermieden werden.",
-	"api_key_expiration": "API Key Expiration",
+	"api_key_expiration": "API Key Ablauf",
-	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Sende eine E-Mail an den Benutzer, wenn sein API Key ablaufen wird.",
 	"authorize_device": "Gerät autorisieren",
 	"the_device_has_been_authorized": "Das Gerät wurde autorisiert.",
 	"enter_code_displayed_in_previous_step": "Gib den Code ein, der im vorherigen Schritt angezeigt wurde.",
 	"authorize": "Autorisieren"
 }
--- a/frontend/messages/en-US.json
+++ b/frontend/messages/en-US.json
@@ -276,7 +276,7 @@
 	"callback_urls": "Callback URLs",
 	"logout_callback_urls": "Logout Callback URLs",
 	"public_client": "Public Client",
-	"public_clients_do_not_have_a_client_secret_and_use_pkce_instead": "Public clients do not have a client secret and use PKCE instead. Enable this if your client is a SPA or mobile app.",
+	"public_clients_description": "Public clients do not have a client secret. They are designed for mobile, web, and native applications where secrets cannot be securely stored.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange is a security feature to prevent CSRF and authorization code interception attacks.",
 	"name_logo": "{name} logo",
--- a/frontend/messages/es-ES.json
+++ b/frontend/messages/es-ES.json
@@ -1,108 +1,108 @@
 {
 	"$schema": "https://inlang.com/schema/inlang-message-format",
-	"my_account": "My Account",
+	"my_account": "Mi Cuenta",
-	"logout": "Logout",
+	"logout": "Cerrar sesión",
-	"confirm": "Confirm",
+	"confirm": "Confirmar",
-	"key": "Key",
+	"key": "Clave",
-	"value": "Value",
+	"value": "Valor",
-	"remove_custom_claim": "Remove custom claim",
+	"remove_custom_claim": "Eliminar reclamo personalizado",
-	"add_custom_claim": "Add custom claim",
+	"add_custom_claim": "Añadir reclamo personalizado",
-	"add_another": "Add another",
+	"add_another": "Añadir otro",
-	"select_a_date": "Select a date",
+	"select_a_date": "Seleccione una fecha",
-	"select_file": "Select File",
+	"select_file": "Seleccione Archivo:",
-	"profile_picture": "Profile Picture",
+	"profile_picture": "Foto de perfil",
-	"profile_picture_is_managed_by_ldap_server": "The profile picture is managed by the LDAP server and cannot be changed here.",
+	"profile_picture_is_managed_by_ldap_server": "La imagen de perfil es administrada por el servidor LDAP y no puede ser cambiada aquí.",
-	"click_profile_picture_to_upload_custom": "Click on the profile picture to upload a custom one from your files.",
+	"click_profile_picture_to_upload_custom": "Haga clic en la imagen de perfil para subir una personalizada desde sus archivos.",
-	"image_should_be_in_format": "The image should be in PNG or JPEG format.",
+	"image_should_be_in_format": "La imagen debe ser en formato PNG o JPEG.",
-	"items_per_page": "Items per page",
+	"items_per_page": "Elementos por página",
-	"no_items_found": "No items found",
+	"no_items_found": "No se encontraron elementos",
-	"search": "Search...",
+	"search": "Buscar...",
-	"expand_card": "Expand card",
+	"expand_card": "Ampliar tarjeta",
-	"copied": "Copied",
+	"copied": "Copiado",
-	"click_to_copy": "Click to copy",
+	"click_to_copy": "Haz clic para copiar",
-	"something_went_wrong": "Something went wrong",
+	"something_went_wrong": "Algo ha salido mal",
-	"go_back_to_home": "Go back to home",
+	"go_back_to_home": "Volver al Inicio",
-	"dont_have_access_to_your_passkey": "Don't have access to your passkey?",
+	"dont_have_access_to_your_passkey": "¿No tiene acceso a su Passkey?",
-	"login_background": "Login background",
+	"login_background": "Fondo de página de acceso",
 	"logo": "Logo",
-	"login_code": "Login Code",
+	"login_code": "Código de inicio de sesión",
-	"create_a_login_code_to_sign_in_without_a_passkey_once": "Create a login code that the user can use to sign in without a passkey once.",
+	"create_a_login_code_to_sign_in_without_a_passkey_once": "Crear un código de acceso que el usuario pueda utilizar para iniciar sesión sin un Passkey una vez.",
-	"one_hour": "1 hour",
+	"one_hour": "1 hora",
-	"twelve_hours": "12 hours",
+	"twelve_hours": "12 horas",
-	"one_day": "1 day",
+	"one_day": "1 día",
-	"one_week": "1 week",
+	"one_week": "1 semana",
-	"one_month": "1 month",
+	"one_month": "1 mes",
-	"expiration": "Expiration",
+	"expiration": "Expiración",
-	"generate_code": "Generate Code",
+	"generate_code": "Gerar Código",
-	"name": "Name",
+	"name": "Nombre",
-	"browser_unsupported": "Browser unsupported",
+	"browser_unsupported": "Navegador no soportado",
-	"this_browser_does_not_support_passkeys": "This browser doesn't support passkeys. Please use an alternative sign in method.",
+	"this_browser_does_not_support_passkeys": "Este navegador no soporta Passkeys. Por favor, utilice un método de inicio de sesión alternativo.",
-	"an_unknown_error_occurred": "An unknown error occurred",
+	"an_unknown_error_occurred": "Ocurrió un error desconocido",
-	"authentication_process_was_aborted": "The authentication process was aborted",
+	"authentication_process_was_aborted": "El proceso de autenticación fue abortado",
-	"error_occurred_with_authenticator": "An error occurred with the authenticator",
+	"error_occurred_with_authenticator": "Ha ocurrido un error con el autenticador",
-	"authenticator_does_not_support_discoverable_credentials": "The authenticator does not support discoverable credentials",
+	"authenticator_does_not_support_discoverable_credentials": "El autenticador no soporta credenciales detectables",
-	"authenticator_does_not_support_resident_keys": "The authenticator does not support resident keys",
+	"authenticator_does_not_support_resident_keys": "El autenticador no soporta claves residentes",
-	"passkey_was_previously_registered": "This passkey was previously registered",
+	"passkey_was_previously_registered": "Esta Passkey ha sido registrado previamente",
-	"authenticator_does_not_support_any_of_the_requested_algorithms": "The authenticator does not support any of the requested algorithms",
+	"authenticator_does_not_support_any_of_the_requested_algorithms": "El autenticador no soporta ninguno de los algoritmos solicitados",
-	"authenticator_timed_out": "The authenticator timed out",
+	"authenticator_timed_out": "Se agotó el tiempo de espera del autenticador",
-	"critical_error_occurred_contact_administrator": "A critical error occurred. Please contact your administrator.",
+	"critical_error_occurred_contact_administrator": "Ha ocurrido un error crítico. Por favor, contacte a su administrador.",
-	"sign_in_to": "Sign in to {name}",
+	"sign_in_to": "Iniciar sesión en {name}",
-	"client_not_found": "Client not found",
+	"client_not_found": "Cliente no encontrado",
-	"client_wants_to_access_the_following_information": "<b>{client}</b> wants to access the following information:",
+	"client_wants_to_access_the_following_information": "<b>{client}</b> quiere acceder a la siguiente información:",
-	"do_you_want_to_sign_in_to_client_with_your_app_name_account": "Do you want to sign in to <b>{client}</b> with your <b>{appName}</b> account?",
+	"do_you_want_to_sign_in_to_client_with_your_app_name_account": "¿Quieres iniciar sesión en <b>{client}</b> con tu cuenta <b>{appName}</b>?",
-	"email": "Email",
+	"email": "Correo electrónico",
-	"view_your_email_address": "View your email address",
+	"view_your_email_address": "Ver su dirección de correo electrónico",
-	"profile": "Profile",
+	"profile": "Perfil",
-	"view_your_profile_information": "View your profile information",
+	"view_your_profile_information": "Ver información de su perfil",
-	"groups": "Groups",
+	"groups": "Grupos",
-	"view_the_groups_you_are_a_member_of": "View the groups you are a member of",
+	"view_the_groups_you_are_a_member_of": "Ver los grupos de los que usted es miembro",
-	"cancel": "Cancel",
+	"cancel": "Cancelar",
-	"sign_in": "Sign in",
+	"sign_in": "Iniciar sesión",
-	"try_again": "Try again",
+	"try_again": "Intentar de nuevo",
-	"client_logo": "Client Logo",
+	"client_logo": "Logo del cliente",
-	"sign_out": "Sign out",
+	"sign_out": "Cerrar sesión",
-	"do_you_want_to_sign_out_of_pocketid_with_the_account": "Do you want to sign out of Pocket ID with the account <b>{username}</b>?",
+	"do_you_want_to_sign_out_of_pocketid_with_the_account": "¿Quieres cerrar sesión de Pocket ID con la cuenta <b>{username}</b>?",
-	"sign_in_to_appname": "Sign in to {appName}",
+	"sign_in_to_appname": "Iniciar sesión en {appName}",
-	"please_try_to_sign_in_again": "Please try to sign in again.",
+	"please_try_to_sign_in_again": "Por favor, intente iniciar sesión de nuevo.",
-	"authenticate_yourself_with_your_passkey_to_access_the_admin_panel": "Authenticate yourself with your passkey to access the admin panel.",
+	"authenticate_yourself_with_your_passkey_to_access_the_admin_panel": "Autenticar con tu Passkey para acceder al panel de administración.",
-	"authenticate": "Authenticate",
+	"authenticate": "Autenticar",
-	"appname_setup": "{appName} Setup",
+	"appname_setup": "Configuración de {appName}",
-	"please_try_again": "Please try again.",
+	"please_try_again": "Por favor intente nuevamente.",
-	"you_are_about_to_sign_in_to_the_initial_admin_account": "You're about to sign in to the initial admin account. Anyone with this link can access the account until a passkey is added. Please set up a passkey as soon as possible to prevent unauthorized access.",
+	"you_are_about_to_sign_in_to_the_initial_admin_account": "Estás a punto de iniciar sesión en la cuenta de administrador inicial. Cualquiera con este enlace puede acceder a la cuenta hasta que se agregue un Passkey. Por favor, configure un Passkey lo antes posible para evitar acceso no autorizado.",
-	"continue": "Continue",
+	"continue": "Continuar",
-	"alternative_sign_in": "Alternative Sign In",
+	"alternative_sign_in": "Inicio de sesión alternativa",
-	"if_you_do_not_have_access_to_your_passkey_you_can_sign_in_using_one_of_the_following_methods": "If you don't have access to your passkey, you can sign in using one of the following methods.",
+	"if_you_do_not_have_access_to_your_passkey_you_can_sign_in_using_one_of_the_following_methods": "Si no tiene acceso a su Passkey, puede iniciar sesión usando uno de los siguientes métodos.",
-	"use_your_passkey_instead": "Use your passkey instead?",
+	"use_your_passkey_instead": "¿Utilizar su Passkey en su lugar?",
-	"email_login": "Email Login",
+	"email_login": "Ingreso con Email",
-	"enter_a_login_code_to_sign_in": "Enter a login code to sign in.",
+	"enter_a_login_code_to_sign_in": "Introduzca un código de acceso para iniciar sesión.",
-	"request_a_login_code_via_email": "Request a login code via email.",
+	"request_a_login_code_via_email": "Solicitar un código de acceso por correo electrónico.",
-	"go_back": "Go back",
+	"go_back": "Volver atrás",
-	"an_email_has_been_sent_to_the_provided_email_if_it_exists_in_the_system": "An email has been sent to the provided email, if it exists in the system.",
+	"an_email_has_been_sent_to_the_provided_email_if_it_exists_in_the_system": "Se ha enviado un correo electrónico al correo proporcionado, si existe en el sistema.",
-	"enter_code": "Enter code",
+	"enter_code": "Ingresa el código",
-	"enter_your_email_address_to_receive_an_email_with_a_login_code": "Enter your email address to receive an email with a login code.",
+	"enter_your_email_address_to_receive_an_email_with_a_login_code": "Introduzca su dirección de correo electrónico para recibir un correo electrónico con un código de acceso.",
-	"your_email": "Your email",
+	"your_email": "Su correo electrónico",
-	"submit": "Submit",
+	"submit": "Enviar",
-	"enter_the_code_you_received_to_sign_in": "Enter the code you received to sign in.",
+	"enter_the_code_you_received_to_sign_in": "Ingrese el código que recibió para iniciar sesión.",
-	"code": "Code",
+	"code": "Código",
-	"invalid_redirect_url": "Invalid redirect URL",
+	"invalid_redirect_url": "URL de redirección no válido",
-	"audit_log": "Audit Log",
+	"audit_log": "Registro de Auditoría",
-	"users": "Users",
+	"users": "Usuarios",
-	"user_groups": "User Groups",
+	"user_groups": "Grupos de usuario",
-	"oidc_clients": "OIDC Clients",
+	"oidc_clients": "Clientes OIDC",
-	"api_keys": "API Keys",
+	"api_keys": "Llaves API",
-	"application_configuration": "Application Configuration",
+	"application_configuration": "Configuración de la aplicación",
-	"settings": "Settings",
+	"settings": "Configuración",
-	"update_pocket_id": "Update Pocket ID",
+	"update_pocket_id": "Actualizar Pocket ID",
-	"powered_by": "Powered by",
+	"powered_by": "Producido por Pocket ID",
-	"see_your_account_activities_from_the_last_3_months": "See your account activities from the last 3 months.",
+	"see_your_account_activities_from_the_last_3_months": "Vea las actividad de su cuenta de los últimos 3 meses.",
-	"time": "Time",
+	"time": "Tiempo",
-	"event": "Event",
+	"event": "Evento",
-	"approximate_location": "Approximate Location",
+	"approximate_location": "Ubicación aproximada",
-	"ip_address": "IP Address",
+	"ip_address": "Dirección IP",
-	"device": "Device",
+	"device": "Dispositivo",
-	"client": "Client",
+	"client": "Cliente",
-	"unknown": "Unknown",
+	"unknown": "Desconocido",
-	"account_details_updated_successfully": "Account details updated successfully",
+	"account_details_updated_successfully": "Detalles de la cuenta actualizados exitosamente",
 	"profile_picture_updated_successfully": "Profile picture updated successfully. It may take a few minutes to update.",
 	"account_settings": "Account Settings",
 	"passkey_missing": "Passkey missing",
@@ -276,7 +276,7 @@
 	"callback_urls": "Callback URLs",
 	"logout_callback_urls": "Logout Callback URLs",
 	"public_client": "Public Client",
-	"public_clients_do_not_have_a_client_secret_and_use_pkce_instead": "Public clients do not have a client secret and use PKCE instead. Enable this if your client is a SPA or mobile app.",
+	"public_clients_description": "Public clients do not have a client secret and use PKCE instead. Enable this if your client is a SPA or mobile app.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange is a security feature to prevent CSRF and authorization code interception attacks.",
 	"name_logo": "{name} logo",
@@ -342,5 +342,9 @@
 	"show_code": "Show Code",
 	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
 	"api_key_expiration": "API Key Expiration",
-	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire.",
 	"authorize_device": "Authorize Device",
 	"the_device_has_been_authorized": "The device has been authorized.",
 	"enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 	"authorize": "Authorize"
 }
--- a/frontend/messages/fr-FR.json
+++ b/frontend/messages/fr-FR.json
@@ -276,7 +276,7 @@
 	"callback_urls": "URL de callback",
 	"logout_callback_urls": "URL de callback de déconnexion",
 	"public_client": "Client public",
-	"public_clients_do_not_have_a_client_secret_and_use_pkce_instead": "Les clients publics n'ont pas de secret client et utilisent PKCE à la place. Activez cette option si votre client est une application SPA ou une application mobile.",
+	"public_clients_description": "Les clients publics n'ont pas de secret client et utilisent PKCE à la place. Activez cette option si votre client est une application SPA ou une application mobile.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Le Public Key Code Exchange est une fonctionnalité de sécurité conçue pour prévenir les attaques CSRF et l’interception de code d’autorisation.",
 	"name_logo": "Logo {name}",
@@ -342,5 +342,9 @@
 	"show_code": "Show Code",
 	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
 	"api_key_expiration": "API Key Expiration",
-	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire.",
 	"authorize_device": "Authorize Device",
 	"the_device_has_been_authorized": "The device has been authorized.",
 	"enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 	"authorize": "Authorize"
 }
--- a/frontend/messages/it-IT.json
+++ b/frontend/messages/it-IT.json
@@ -93,7 +93,7 @@
 	"application_configuration": "Configurazione dell'applicazione",
 	"settings": "Impostazioni",
 	"update_pocket_id": "Aggiorna Pocket ID",
-	"powered_by": "Alimentato da",
+	"powered_by": "Powered by",
 	"see_your_account_activities_from_the_last_3_months": "Visualizza le attività del tuo account degli ultimi 3 mesi.",
 	"time": "Ora",
 	"event": "Evento",
@@ -276,7 +276,7 @@
 	"callback_urls": "URL di callback",
 	"logout_callback_urls": "URL di callback per il logout",
 	"public_client": "Client pubblico",
-	"public_clients_do_not_have_a_client_secret_and_use_pkce_instead": "I client pubblici non hanno un client secret e utilizzano PKCE. Abilita questa opzione se il tuo client è una SPA o un'app mobile.",
+	"public_clients_description": "I client pubblici non hanno un client secret e utilizzano PKCE. Abilita questa opzione se il tuo client è una SPA o un'app mobile.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Il Public Key Code Exchange è una funzionalità di sicurezza per prevenire attacchi CSRF e intercettazione del codice di autorizzazione.",
 	"name_logo": "Logo di {name}",
@@ -342,5 +342,9 @@
 	"show_code": "Mostra codice",
 	"callback_url_description": "URL forniti dal tuo client. Wildcard (*) sono supportati, ma meglio evitarli per una migliore sicurezza.",
 	"api_key_expiration": "Scadenza Chiave API",
-	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Invia un'email all'utente quando la sua chiave API sta per scadere."
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Invia un'email all'utente quando la sua chiave API sta per scadere.",
 	"authorize_device": "Autorizza Dispositivo",
 	"the_device_has_been_authorized": "Il dispositivo è stato autorizzato.",
 	"enter_code_displayed_in_previous_step": "Inserisci il codice visualizzato nel passaggio precedente.",
 	"authorize": "Autorizza"
 }
--- a/frontend/messages/nl-NL.json
+++ b/frontend/messages/nl-NL.json
@@ -276,7 +276,7 @@
 	"callback_urls": "Callback-URL's",
 	"logout_callback_urls": "Callback-URL's voor afmelden",
 	"public_client": "Publieke client",
-	"public_clients_do_not_have_a_client_secret_and_use_pkce_instead": "Publieke clients hebben geen client secret en gebruiken in plaats daarvan PKCE. Schakel dit in als uw client een SPA of mobiele app is.",
+	"public_clients_description": "Publieke clients hebben geen client secret en gebruiken in plaats daarvan PKCE. Schakel dit in als uw client een SPA of mobiele app is.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange is een beveiligingsfunctie om CSRF- en autorisatiecode-onderscheppingsaanvallen te voorkomen.",
 	"name_logo": "{name} logo",
@@ -342,5 +342,9 @@
 	"show_code": "Show Code",
 	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
 	"api_key_expiration": "API Key Expiration",
-	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire.",
 	"authorize_device": "Authorize Device",
 	"the_device_has_been_authorized": "The device has been authorized.",
 	"enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 	"authorize": "Authorize"
 }
--- a/frontend/messages/pt-BR.json
+++ b/frontend/messages/pt-BR.json
@@ -276,7 +276,7 @@
 	"callback_urls": "Callback URLs",
 	"logout_callback_urls": "Logout Callback URLs",
 	"public_client": "Public Client",
-	"public_clients_do_not_have_a_client_secret_and_use_pkce_instead": "Public clients do not have a client secret and use PKCE instead. Enable this if your client is a SPA or mobile app.",
+	"public_clients_description": "Public clients do not have a client secret and use PKCE instead. Enable this if your client is a SPA or mobile app.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange is a security feature to prevent CSRF and authorization code interception attacks.",
 	"name_logo": "{name} logo",
@@ -342,5 +342,9 @@
 	"show_code": "Show Code",
 	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
 	"api_key_expiration": "API Key Expiration",
-	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire.",
 	"authorize_device": "Authorize Device",
 	"the_device_has_been_authorized": "The device has been authorized.",
 	"enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 	"authorize": "Authorize"
 }
--- a/frontend/messages/pt-PT.json
+++ b/frontend/messages/pt-PT.json
@@ -276,7 +276,7 @@
 	"callback_urls": "Callback URLs",
 	"logout_callback_urls": "Logout Callback URLs",
 	"public_client": "Public Client",
-	"public_clients_do_not_have_a_client_secret_and_use_pkce_instead": "Public clients do not have a client secret and use PKCE instead. Enable this if your client is a SPA or mobile app.",
+	"public_clients_description": "Public clients do not have a client secret and use PKCE instead. Enable this if your client is a SPA or mobile app.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange is a security feature to prevent CSRF and authorization code interception attacks.",
 	"name_logo": "{name} logo",
@@ -342,5 +342,9 @@
 	"show_code": "Show Code",
 	"callback_url_description": "URL(s) provided by your client. Wildcards (*) are supported, but best avoided for better security.",
 	"api_key_expiration": "API Key Expiration",
-	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire."
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Send an email to the user when their API key is about to expire.",
 	"authorize_device": "Authorize Device",
 	"the_device_has_been_authorized": "The device has been authorized.",
 	"enter_code_displayed_in_previous_step": "Enter the code that was displayed in the previous step.",
 	"authorize": "Authorize"
 }
--- a/frontend/messages/ru-RU.json
+++ b/frontend/messages/ru-RU.json
@@ -276,7 +276,7 @@
 	"callback_urls": "Callback URLs",
 	"logout_callback_urls": "Logout Callback URLs",
 	"public_client": "Публичный клиент",
-	"public_clients_do_not_have_a_client_secret_and_use_pkce_instead": "Публичные клиенты не имеют клиентского секрета и вместо этого используют PKCE. Включите, если ваш клиент является SPA или мобильным приложением.",
+	"public_clients_description": "Публичные клиенты не имеют клиентского секрета и вместо этого используют PKCE. Включите, если ваш клиент является SPA или мобильным приложением.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange — это функция безопасности для предотвращения атак CSRF и перехвата кода авторизации.",
 	"name_logo": "Логотип {name}",
@@ -342,5 +342,9 @@
 	"show_code": "Показать код",
 	"callback_url_description": "URL-адреса, предоставленные клиентом. Поддерживаются wildcard-адреса (*), но лучше всего избегать их для лучшей безопасности.",
 	"api_key_expiration": "Истечение срока действия API ключа",
-	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Отправлять пользователю письмо, когда истечет срок действия API ключа."
+	"send_an_email_to_the_user_when_their_api_key_is_about_to_expire": "Отправлять пользователю письмо, когда истечет срок действия API ключа.",
 	"authorize_device": "Авторизовать устройство",
 	"the_device_has_been_authorized": "Устройство авторизовано.",
 	"enter_code_displayed_in_previous_step": "Введите код, который был отображен на предыдущем шаге.",
 	"authorize": "Авторизируйте"
 }
--- a/frontend/messages/zh-CN.json
+++ b/frontend/messages/zh-CN.json
@@ -276,7 +276,7 @@
 	"callback_urls": "Callback URL",
 	"logout_callback_urls": "Logout Callback URL",
 	"public_client": "公共客户端",
-    "public_clients_do_not_have_a_client_secret_and_use_pkce_instead": "公共客户端没有客户端密钥，而是使用 PKCE。如果您的客户端是 SPA 或移动应用，请启用此选项。",
+	"public_clients_description": "公共客户端没有客户端密钥，而是使用 PKCE。如果您的客户端是 SPA 或移动应用，请启用此选项。",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "公钥代码交换是一种安全功能，可防止 CSRF 和授权代码拦截攻击。",
 	"name_logo": "{name} Logo",
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "pocket-id-frontend",
-	"version": "0.46.0",
+  "version": "0.51.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "pocket-id-frontend",
-			"version": "0.46.0",
+      "version": "0.51.0",
      "dependencies": {
        "@simplewebauthn/browser": "^13.1.0",
        "@tailwindcss/vite": "^4.0.0",
@@ -52,7 +52,7 @@
        "tslib": "^2.8.1",
        "typescript": "^5.7.3",
        "typescript-eslint": "^8.21.0",
-				"vite": "^6.2.6"
+        "vite": "^6.3.4"
      }
    },
    "node_modules/@ampproject/remapping": {
@@ -1112,228 +1112,260 @@
      }
    },
    "node_modules/@rollup/rollup-android-arm-eabi": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm-eabi/-/rollup-android-arm-eabi-4.40.1.tgz",
-			"integrity": "sha512-G2fUQQANtBPsNwiVFg4zKiPQyjVKZCUdQUol53R8E71J7AsheRMV/Yv/nB8giOcOVqP7//eB5xPqieBYZe9bGg==",
+      "integrity": "sha512-kxz0YeeCrRUHz3zyqvd7n+TVRlNyTifBsmnmNPtk3hQURUyG9eAB+usz6DAwagMusjx/zb3AjvDUvhFGDAexGw==",
      "cpu": [
        "arm"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "android"
      ]
    },
    "node_modules/@rollup/rollup-android-arm64": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-android-arm64/-/rollup-android-arm64-4.40.1.tgz",
-			"integrity": "sha512-qhFwQ+ljoymC+j5lXRv8DlaJYY/+8vyvYmVx074zrLsu5ZGWYsJNLjPPVJJjhZQpyAKUGPydOq9hRLLNvh1s3A==",
+      "integrity": "sha512-PPkxTOisoNC6TpnDKatjKkjRMsdaWIhyuMkA4UsBXT9WEZY4uHezBTjs6Vl4PbqQQeu6oION1w2voYZv9yquCw==",
      "cpu": [
        "arm64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "android"
      ]
    },
    "node_modules/@rollup/rollup-darwin-arm64": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-arm64/-/rollup-darwin-arm64-4.40.1.tgz",
-			"integrity": "sha512-44n/X3lAlWsEY6vF8CzgCx+LQaoqWGN7TzUfbJDiTIOjJm4+L2Yq+r5a8ytQRGyPqgJDs3Rgyo8eVL7n9iW6AQ==",
+      "integrity": "sha512-VWXGISWFY18v/0JyNUy4A46KCFCb9NVsH+1100XP31lud+TzlezBbz24CYzbnA4x6w4hx+NYCXDfnvDVO6lcAA==",
      "cpu": [
        "arm64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "darwin"
      ]
    },
    "node_modules/@rollup/rollup-darwin-x64": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-darwin-x64/-/rollup-darwin-x64-4.40.1.tgz",
-			"integrity": "sha512-F9ct0+ZX5Np6+ZDztxiGCIvlCaW87HBdHcozUfsHnj1WCUTBUubAoanhHUfnUHZABlElyRikI0mgcw/qdEm2VQ==",
+      "integrity": "sha512-nIwkXafAI1/QCS7pxSpv/ZtFW6TXcNUEHAIA9EIyw5OzxJZQ1YDrX+CL6JAIQgZ33CInl1R6mHet9Y/UZTg2Bw==",
      "cpu": [
        "x64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "darwin"
      ]
    },
    "node_modules/@rollup/rollup-freebsd-arm64": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-arm64/-/rollup-freebsd-arm64-4.40.1.tgz",
-			"integrity": "sha512-JpsGxLBB2EFXBsTLHfkZDsXSpSmKD3VxXCgBQtlPcuAqB8TlqtLcbeMhxXQkCDv1avgwNjF8uEIbq5p+Cee0PA==",
+      "integrity": "sha512-BdrLJ2mHTrIYdaS2I99mriyJfGGenSaP+UwGi1kB9BLOCu9SR8ZpbkmmalKIALnRw24kM7qCN0IOm6L0S44iWw==",
      "cpu": [
        "arm64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "freebsd"
      ]
    },
    "node_modules/@rollup/rollup-freebsd-x64": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-freebsd-x64/-/rollup-freebsd-x64-4.40.1.tgz",
-			"integrity": "sha512-wegiyBT6rawdpvnD9lmbOpx5Sph+yVZKHbhnSP9MqUEDX08G4UzMU+D87jrazGE7lRSyTRs6NEYHtzfkJ3FjjQ==",
+      "integrity": "sha512-VXeo/puqvCG8JBPNZXZf5Dqq7BzElNJzHRRw3vjBE27WujdzuOPecDPc/+1DcdcTptNBep3861jNq0mYkT8Z6Q==",
      "cpu": [
        "x64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "freebsd"
      ]
    },
    "node_modules/@rollup/rollup-linux-arm-gnueabihf": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-gnueabihf/-/rollup-linux-arm-gnueabihf-4.40.1.tgz",
-			"integrity": "sha512-3pA7xecItbgOs1A5H58dDvOUEboG5UfpTq3WzAdF54acBbUM+olDJAPkgj1GRJ4ZqE12DZ9/hNS2QZk166v92A==",
+      "integrity": "sha512-ehSKrewwsESPt1TgSE/na9nIhWCosfGSFqv7vwEtjyAqZcvbGIg4JAcV7ZEh2tfj/IlfBeZjgOXm35iOOjadcg==",
      "cpu": [
        "arm"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "linux"
      ]
    },
    "node_modules/@rollup/rollup-linux-arm-musleabihf": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm-musleabihf/-/rollup-linux-arm-musleabihf-4.40.1.tgz",
-			"integrity": "sha512-Y7XUZEVISGyge51QbYyYAEHwpGgmRrAxQXO3siyYo2kmaj72USSG8LtlQQgAtlGfxYiOwu+2BdbPjzEpcOpRmQ==",
+      "integrity": "sha512-m39iO/aaurh5FVIu/F4/Zsl8xppd76S4qoID8E+dSRQvTyZTOI2gVk3T4oqzfq1PtcvOfAVlwLMK3KRQMaR8lg==",
      "cpu": [
        "arm"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "linux"
      ]
    },
    "node_modules/@rollup/rollup-linux-arm64-gnu": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-gnu/-/rollup-linux-arm64-gnu-4.40.1.tgz",
-			"integrity": "sha512-r7/OTF5MqeBrZo5omPXcTnjvv1GsrdH8a8RerARvDFiDwFpDVDnJyByYM/nX+mvks8XXsgPUxkwe/ltaX2VH7w==",
+      "integrity": "sha512-Y+GHnGaku4aVLSgrT0uWe2o2Rq8te9hi+MwqGF9r9ORgXhmHK5Q71N757u0F8yU1OIwUIFy6YiJtKjtyktk5hg==",
      "cpu": [
        "arm64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "linux"
      ]
    },
    "node_modules/@rollup/rollup-linux-arm64-musl": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-arm64-musl/-/rollup-linux-arm64-musl-4.40.1.tgz",
-			"integrity": "sha512-HJbifC9vex9NqnlodV2BHVFNuzKL5OnsV2dvTw6e1dpZKkNjPG6WUq+nhEYV6Hv2Bv++BXkwcyoGlXnPrjAKXw==",
+      "integrity": "sha512-jEwjn3jCA+tQGswK3aEWcD09/7M5wGwc6+flhva7dsQNRZZTe30vkalgIzV4tjkopsTS9Jd7Y1Bsj6a4lzz8gQ==",
      "cpu": [
        "arm64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "linux"
      ]
    },
    "node_modules/@rollup/rollup-linux-loongarch64-gnu": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loongarch64-gnu/-/rollup-linux-loongarch64-gnu-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-loongarch64-gnu/-/rollup-linux-loongarch64-gnu-4.40.1.tgz",
-			"integrity": "sha512-VAEzZTD63YglFlWwRj3taofmkV1V3xhebDXffon7msNz4b14xKsz7utO6F8F4cqt8K/ktTl9rm88yryvDpsfOw==",
+      "integrity": "sha512-ySyWikVhNzv+BV/IDCsrraOAZ3UaC8SZB67FZlqVwXwnFhPihOso9rPOxzZbjp81suB1O2Topw+6Ug3JNegejQ==",
      "cpu": [
        "loong64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "linux"
      ]
    },
    "node_modules/@rollup/rollup-linux-powerpc64le-gnu": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-powerpc64le-gnu/-/rollup-linux-powerpc64le-gnu-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-powerpc64le-gnu/-/rollup-linux-powerpc64le-gnu-4.40.1.tgz",
-			"integrity": "sha512-Sts5DST1jXAc9YH/iik1C9QRsLcCoOScf3dfbY5i4kH9RJpKxiTBXqm7qU5O6zTXBTEZry69bGszr3SMgYmMcQ==",
+      "integrity": "sha512-BvvA64QxZlh7WZWqDPPdt0GH4bznuL6uOO1pmgPnnv86rpUpc8ZxgZwcEgXvo02GRIZX1hQ0j0pAnhwkhwPqWg==",
      "cpu": [
        "ppc64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "linux"
      ]
    },
    "node_modules/@rollup/rollup-linux-riscv64-gnu": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-gnu/-/rollup-linux-riscv64-gnu-4.40.1.tgz",
-			"integrity": "sha512-qhlXeV9AqxIyY9/R1h1hBD6eMvQCO34ZmdYvry/K+/MBs6d1nRFLm6BOiITLVI+nFAAB9kUB6sdJRKyVHXnqZw==",
+      "integrity": "sha512-EQSP+8+1VuSulm9RKSMKitTav89fKbHymTf25n5+Yr6gAPZxYWpj3DzAsQqoaHAk9YX2lwEyAf9S4W8F4l3VBQ==",
      "cpu": [
        "riscv64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "linux"
      ]
    },
    "node_modules/@rollup/rollup-linux-riscv64-musl": {
      "version": "4.40.1",
      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-riscv64-musl/-/rollup-linux-riscv64-musl-4.40.1.tgz",
      "integrity": "sha512-n/vQ4xRZXKuIpqukkMXZt9RWdl+2zgGNx7Uda8NtmLJ06NL8jiHxUawbwC+hdSq1rrw/9CghCpEONor+l1e2gA==",
      "cpu": [
        "riscv64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "linux"
      ]
    },
    "node_modules/@rollup/rollup-linux-s390x-gnu": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-s390x-gnu/-/rollup-linux-s390x-gnu-4.40.1.tgz",
-			"integrity": "sha512-8ZGN7ExnV0qjXa155Rsfi6H8M4iBBwNLBM9lcVS+4NcSzOFaNqmt7djlox8pN1lWrRPMRRQ8NeDlozIGx3Omsw==",
+      "integrity": "sha512-h8d28xzYb98fMQKUz0w2fMc1XuGzLLjdyxVIbhbil4ELfk5/orZlSTpF/xdI9C8K0I8lCkq+1En2RJsawZekkg==",
      "cpu": [
        "s390x"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "linux"
      ]
    },
    "node_modules/@rollup/rollup-linux-x64-gnu": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-gnu/-/rollup-linux-x64-gnu-4.40.1.tgz",
-			"integrity": "sha512-VDzNHtLLI5s7xd/VubyS10mq6TxvZBp+4NRWoW+Hi3tgV05RtVm4qK99+dClwTN1McA6PHwob6DEJ6PlXbY83A==",
+      "integrity": "sha512-XiK5z70PEFEFqcNj3/zRSz/qX4bp4QIraTy9QjwJAb/Z8GM7kVUsD0Uk8maIPeTyPCP03ChdI+VVmJriKYbRHQ==",
      "cpu": [
        "x64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "linux"
      ]
    },
    "node_modules/@rollup/rollup-linux-x64-musl": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-linux-x64-musl/-/rollup-linux-x64-musl-4.40.1.tgz",
-			"integrity": "sha512-qcb9qYDlkxz9DxJo7SDhWxTWV1gFuwznjbTiov289pASxlfGbaOD54mgbs9+z94VwrXtKTu+2RqwlSTbiOqxGg==",
+      "integrity": "sha512-2BRORitq5rQ4Da9blVovzNCMaUlyKrzMSvkVR0D4qPuOy/+pMCrh1d7o01RATwVy+6Fa1WBw+da7QPeLWU/1mQ==",
      "cpu": [
        "x64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "linux"
      ]
    },
    "node_modules/@rollup/rollup-win32-arm64-msvc": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-arm64-msvc/-/rollup-win32-arm64-msvc-4.40.1.tgz",
-			"integrity": "sha512-pFDdotFDMXW2AXVbfdUEfidPAk/OtwE/Hd4eYMTNVVaCQ6Yl8et0meDaKNL63L44Haxv4UExpv9ydSf3aSayDg==",
+      "integrity": "sha512-b2bcNm9Kbde03H+q+Jjw9tSfhYkzrDUf2d5MAd1bOJuVplXvFhWz7tRtWvD8/ORZi7qSCy0idW6tf2HgxSXQSg==",
      "cpu": [
        "arm64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "win32"
      ]
    },
    "node_modules/@rollup/rollup-win32-ia32-msvc": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-ia32-msvc/-/rollup-win32-ia32-msvc-4.40.1.tgz",
-			"integrity": "sha512-/TG7WfrCAjeRNDvI4+0AAMoHxea/USWhAzf9PVDFHbcqrQ7hMMKp4jZIy4VEjk72AAfN5k4TiSMRXRKf/0akSw==",
+      "integrity": "sha512-DfcogW8N7Zg7llVEfpqWMZcaErKfsj9VvmfSyRjCyo4BI3wPEfrzTtJkZG6gKP/Z92wFm6rz2aDO7/JfiR/whA==",
      "cpu": [
        "ia32"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "win32"
      ]
    },
    "node_modules/@rollup/rollup-win32-x64-msvc": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/@rollup/rollup-win32-x64-msvc/-/rollup-win32-x64-msvc-4.40.1.tgz",
-			"integrity": "sha512-5hqO5S3PTEO2E5VjCePxv40gIgyS2KvO7E7/vvC/NbIW4SIRamkMr1hqj+5Y67fbBWv/bQLB6KelBQmXlyCjWA==",
+      "integrity": "sha512-ECyOuDeH3C1I8jH2MK1RtBJW+YPMvSfT0a5NN0nHfQYnDSJ6tUiZH3gzwVP5/Kfh/+Tt7tpWVF9LXNTnhTJ3kA==",
      "cpu": [
        "x64"
      ],
      "license": "MIT",
      "optional": true,
      "os": [
        "win32"
@@ -1709,9 +1741,10 @@
      }
    },
    "node_modules/@types/estree": {
-			"version": "1.0.6",
+      "version": "1.0.7",
-			"resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.6.tgz",
+      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.7.tgz",
-			"integrity": "sha512-AYnb1nQyY49te+VRAVgmzfcgjYS91mY5P0TKUDCLEM+gNnA+3T6rWITXRLYCpahpqSQbN5cE+gHpnPyXjHWxcw=="
+      "integrity": "sha512-w28IoSUCJpidD/TGviZwwMJckNESJZXFu7NBZ5YJ4mEUnNraUn9Pm8HSZm/jDF1pDWYKspWE7oVphigUPRakIQ==",
      "license": "MIT"
    },
    "node_modules/@types/json-schema": {
      "version": "7.0.15",
@@ -2970,10 +3003,10 @@
      }
    },
    "node_modules/fdir": {
-			"version": "6.4.3",
+      "version": "6.4.4",
-			"resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.3.tgz",
+      "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.4.4.tgz",
-			"integrity": "sha512-PMXmW2y1hDDfTSRc9gaXIuCCRpuoz3Kaz8cUelp3smouvfT632ozg2vrT6lJsHKKOF59YLbOGfAWGUcKEfRMQw==",
+      "integrity": "sha512-1NZP+GK4GfuAv3PqKvxQRDMjdSRZjnkq7KfhlNrCNNlZ0ygQFpebfrnfnq/W7fpUnAv9aGWmY1zKx7FYL3gwhg==",
-			"dev": true,
+      "license": "MIT",
      "peerDependencies": {
        "picomatch": "^3 || ^4"
      },
@@ -3979,7 +4012,6 @@
      "version": "4.0.2",
      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.2.tgz",
      "integrity": "sha512-M7BAV6Rlcy5u+m6oPhAPFgJTzAioX/6B0DxyvDlo9l8+T3nLKbrczg2WLUyzd45L8RqfUMyGPzekbMvX2Ldkwg==",
 			"dev": true,
      "engines": {
        "node": ">=12"
      },
@@ -4432,11 +4464,12 @@
      }
    },
    "node_modules/rollup": {
-			"version": "4.32.0",
+      "version": "4.40.1",
-			"resolved": "https://registry.npmjs.org/rollup/-/rollup-4.32.0.tgz",
+      "resolved": "https://registry.npmjs.org/rollup/-/rollup-4.40.1.tgz",
-			"integrity": "sha512-JmrhfQR31Q4AuNBjjAX4s+a/Pu/Q8Q9iwjWBsjRH1q52SPFE2NqRMK6fUZKKnvKO6id+h7JIRf0oYsph53eATg==",
+      "integrity": "sha512-C5VvvgCCyfyotVITIAv+4efVytl5F7wt+/I2i9q9GZcEXW9BP52YYOXC58igUi+LFZVHukErIIqQSWwv/M3WRw==",
      "license": "MIT",
      "dependencies": {
-				"@types/estree": "1.0.6"
+        "@types/estree": "1.0.7"
      },
      "bin": {
        "rollup": "dist/bin/rollup"
@@ -4446,25 +4479,26 @@
        "npm": ">=8.0.0"
      },
      "optionalDependencies": {
-				"@rollup/rollup-android-arm-eabi": "4.32.0",
+        "@rollup/rollup-android-arm-eabi": "4.40.1",
-				"@rollup/rollup-android-arm64": "4.32.0",
+        "@rollup/rollup-android-arm64": "4.40.1",
-				"@rollup/rollup-darwin-arm64": "4.32.0",
+        "@rollup/rollup-darwin-arm64": "4.40.1",
-				"@rollup/rollup-darwin-x64": "4.32.0",
+        "@rollup/rollup-darwin-x64": "4.40.1",
-				"@rollup/rollup-freebsd-arm64": "4.32.0",
+        "@rollup/rollup-freebsd-arm64": "4.40.1",
-				"@rollup/rollup-freebsd-x64": "4.32.0",
+        "@rollup/rollup-freebsd-x64": "4.40.1",
-				"@rollup/rollup-linux-arm-gnueabihf": "4.32.0",
+        "@rollup/rollup-linux-arm-gnueabihf": "4.40.1",
-				"@rollup/rollup-linux-arm-musleabihf": "4.32.0",
+        "@rollup/rollup-linux-arm-musleabihf": "4.40.1",
-				"@rollup/rollup-linux-arm64-gnu": "4.32.0",
+        "@rollup/rollup-linux-arm64-gnu": "4.40.1",
-				"@rollup/rollup-linux-arm64-musl": "4.32.0",
+        "@rollup/rollup-linux-arm64-musl": "4.40.1",
-				"@rollup/rollup-linux-loongarch64-gnu": "4.32.0",
+        "@rollup/rollup-linux-loongarch64-gnu": "4.40.1",
-				"@rollup/rollup-linux-powerpc64le-gnu": "4.32.0",
+        "@rollup/rollup-linux-powerpc64le-gnu": "4.40.1",
-				"@rollup/rollup-linux-riscv64-gnu": "4.32.0",
+        "@rollup/rollup-linux-riscv64-gnu": "4.40.1",
-				"@rollup/rollup-linux-s390x-gnu": "4.32.0",
+        "@rollup/rollup-linux-riscv64-musl": "4.40.1",
-				"@rollup/rollup-linux-x64-gnu": "4.32.0",
+        "@rollup/rollup-linux-s390x-gnu": "4.40.1",
-				"@rollup/rollup-linux-x64-musl": "4.32.0",
+        "@rollup/rollup-linux-x64-gnu": "4.40.1",
-				"@rollup/rollup-win32-arm64-msvc": "4.32.0",
+        "@rollup/rollup-linux-x64-musl": "4.40.1",
-				"@rollup/rollup-win32-ia32-msvc": "4.32.0",
+        "@rollup/rollup-win32-arm64-msvc": "4.40.1",
-				"@rollup/rollup-win32-x64-msvc": "4.32.0",
+        "@rollup/rollup-win32-ia32-msvc": "4.40.1",
        "@rollup/rollup-win32-x64-msvc": "4.40.1",
        "fsevents": "~2.3.2"
      }
    },
@@ -4957,6 +4991,22 @@
      "integrity": "sha512-Eet/eeMhkO6TX8mnUteS9zgPbUMQa4I6Kkp5ORiBD5476/m+PIRiumP5tmh5ioJpH7k51Kehawy2UDfsnxxY8Q==",
      "optional": true
    },
    "node_modules/tinyglobby": {
      "version": "0.2.13",
      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.13.tgz",
      "integrity": "sha512-mEwzpUgrLySlveBwEVDMKk5B57bhLPYovRfPAXD5gA/98Opn0rCDj3GtLwFvCvH5RK9uPCExUROW5NjDwvqkxw==",
      "license": "MIT",
      "dependencies": {
        "fdir": "^6.4.4",
        "picomatch": "^4.0.2"
      },
      "engines": {
        "node": ">=12.0.0"
      },
      "funding": {
        "url": "https://github.com/sponsors/SuperchupuDev"
      }
    },
    "node_modules/to-regex-range": {
      "version": "5.0.1",
      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
@@ -5154,14 +5204,17 @@
      }
    },
    "node_modules/vite": {
-			"version": "6.2.6",
+      "version": "6.3.4",
-			"resolved": "https://registry.npmjs.org/vite/-/vite-6.2.6.tgz",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-6.3.4.tgz",
-			"integrity": "sha512-9xpjNl3kR4rVDZgPNdTL0/c6ao4km69a/2ihNQbcANz8RuCOK3hQBmLSJf3bRKVQjVMda+YvizNE8AwvogcPbw==",
+      "integrity": "sha512-BiReIiMS2fyFqbqNT/Qqt4CVITDU9M9vE+DKcVAsB+ZV0wvTKd+3hMbkpxz1b+NmEDMegpVbisKiAZOnvO92Sw==",
      "license": "MIT",
      "dependencies": {
        "esbuild": "^0.25.0",
        "fdir": "^6.4.4",
        "picomatch": "^4.0.2",
        "postcss": "^8.5.3",
-				"rollup": "^4.30.1"
+        "rollup": "^4.34.9",
        "tinyglobby": "^0.2.13"
      },
      "bin": {
        "vite": "bin/vite.js"
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "pocket-id-frontend",
-  "version": "0.50.0",
+  "version": "0.51.1",
  "private": true,
  "type": "module",
  "scripts": {
@@ -57,6 +57,6 @@
    "tslib": "^2.8.1",
    "typescript": "^5.7.3",
    "typescript-eslint": "^8.21.0",
-    "vite": "^6.2.6"
+    "vite": "^6.3.4"
  }
 }
--- a/frontend/src/lib/components/form/form-input.svelte
+++ b/frontend/src/lib/components/form/form-input.svelte
@@ -17,7 +17,7 @@
 		onInput,
 		...restProps
 	}: HTMLAttributes<HTMLDivElement> & {
-		input?: FormInput<string | boolean | number | Date>;
+		input?: FormInput<string | boolean | number | Date | undefined>;
 		label?: string;
 		description?: string;
 		placeholder?: string;
--- a/frontend/src/routes/settings/account/+page.svelte
+++ b/frontend/src/routes/settings/account/+page.svelte
@@ -93,6 +93,30 @@
 	</Alert.Root>
 {/if}
 <!-- Login code card mobile -->
 <div class="block sm:hidden">
 	<Card.Root>
 		<Card.Header>
 			<div class="flex flex-col items-start justify-between gap-3 sm:flex-row sm:items-center">
 				<div>
 					<Card.Title>
 						<RectangleEllipsis class="text-primary/80 h-5 w-5" />
 						{m.login_code()}
 					</Card.Title>
 					<Card.Description>
 						{m.create_a_one_time_login_code_to_sign_in_from_a_different_device_without_a_passkey()}
 					</Card.Description>
 				</div>
 				<Button variant="outline" class="w-full" on:click={() => (showLoginCodeModal = true)}>
 					{m.create()}
 				</Button>
 			</div>
 		</Card.Header>
 	</Card.Root>
 </div>
 <!-- Account details card -->
 <fieldset
 	disabled={!$appConfigStore.allowOwnAccountEdit ||
@@ -143,8 +167,9 @@
 	</Card.Root>
 </div>
 <!-- Login code card -->
-<div>
+<div class="hidden sm:block">
 	<Card.Root>
 		<Card.Header>
 			<div class="flex flex-col items-start justify-between gap-3 sm:flex-row sm:items-center">
--- a/frontend/src/routes/settings/account/account-form.svelte
+++ b/frontend/src/routes/settings/account/account-form.svelte
@@ -7,7 +7,6 @@
 	import type { UserCreate } from '$lib/types/user.type';
 	import { axiosErrorToast } from '$lib/utils/error-util';
 	import { createForm } from '$lib/utils/form-util';
 	import { BookUser } from 'lucide-svelte';
 	import { toast } from 'svelte-sonner';
 	import { z } from 'zod';
@@ -29,7 +28,7 @@
 	const formSchema = z.object({
 		firstName: z.string().min(1).max(50),
-		lastName: z.string().min(1).max(50),
+		lastName: z.string().max(50).optional(),
 		username: z
 			.string()
 			.min(2)
--- a/frontend/src/routes/settings/admin/oidc-clients/oidc-client-form.svelte
+++ b/frontend/src/routes/settings/admin/oidc-clients/oidc-client-form.svelte
@@ -33,7 +33,7 @@
 		callbackURLs: existingClient?.callbackURLs || [''],
 		logoutCallbackURLs: existingClient?.logoutCallbackURLs || [],
 		isPublic: existingClient?.isPublic || false,
-		pkceEnabled: existingClient?.isPublic == true || existingClient?.pkceEnabled || false
+		pkceEnabled: existingClient?.pkceEnabled || false
 	};
 	const formSchema = z.object({
@@ -98,17 +98,13 @@
 		<CheckboxWithLabel
 			id="public-client"
 			label={m.public_client()}
-			description={m.public_clients_do_not_have_a_client_secret_and_use_pkce_instead()}
+			description={m.public_clients_description()}
 			onCheckedChange={(v) => {
 				if (v == true) form.setValue('pkceEnabled', true);
 			}}
 			bind:checked={$inputs.isPublic.value}
 		/>
 		<CheckboxWithLabel
 			id="pkce"
 			label={m.pkce()}
 			description={m.public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks()}
 			disabled={$inputs.isPublic.value}
 			bind:checked={$inputs.pkceEnabled.value}
 		/>
 	</div>
--- a/frontend/src/routes/settings/admin/users/[id]/+page.svelte
+++ b/frontend/src/routes/settings/admin/users/[id]/+page.svelte
@@ -6,6 +6,7 @@
 	import { Button } from '$lib/components/ui/button';
 	import * as Card from '$lib/components/ui/card';
 	import UserGroupSelection from '$lib/components/user-group-selection.svelte';
 	import { m } from '$lib/paraglide/messages';
 	import CustomClaimService from '$lib/services/custom-claim-service';
 	import UserService from '$lib/services/user-service';
 	import appConfigStore from '$lib/stores/application-configuration-store';
@@ -14,7 +15,6 @@
 	import { LucideChevronLeft } from 'lucide-svelte';
 	import { toast } from 'svelte-sonner';
 	import UserForm from '../user-form.svelte';
 	import { m } from '$lib/paraglide/messages';
 	let { data } = $props();
 	let user = $state({
@@ -75,7 +75,7 @@
 	<title
 		>{m.user_details_firstname_lastname({
 			firstName: user.firstName,
-			lastName: user.lastName
+			lastName: user.lastName ?? ''
 		})}</title
 	>
 </svelte:head>
--- a/frontend/src/routes/settings/admin/users/user-list.svelte
+++ b/frontend/src/routes/settings/admin/users/user-list.svelte
@@ -34,7 +34,7 @@
 	async function deleteUser(user: User) {
 		openConfirmDialog({
-			title: m.delete_firstname_lastname({ firstName: user.firstName, lastName: user.lastName }),
+			title: m.delete_firstname_lastname({ firstName: user.firstName, lastName: user.lastName ?? "" }),
 			message: m.are_you_sure_you_want_to_delete_this_user(),
 			confirm: {
 				label: m.delete(),
@@ -67,7 +67,7 @@
 	async function disableUser(user: User) {
 		openConfirmDialog({
-			title: m.disable_firstname_lastname({ firstName: user.firstName, lastName: user.lastName }),
+			title: m.disable_firstname_lastname({ firstName: user.firstName, lastName: user.lastName ?? "" }),
 			message: m.are_you_sure_you_want_to_disable_this_user(),
 			confirm: {
 				label: m.disable(),
--- a/frontend/src/routes/settings/audit-log/+page.svelte
+++ b/frontend/src/routes/settings/audit-log/+page.svelte
@@ -2,6 +2,7 @@
 	import AuditLogList from '$lib/components/audit-log-list.svelte';
 	import * as Card from '$lib/components/ui/card';
 	import { m } from '$lib/paraglide/messages';
 	import userStore from '$lib/stores/user-store';
 	import { LogsIcon } from 'lucide-svelte';
 	import AuditLogSwitcher from './audit-log-switcher.svelte';
@@ -13,7 +14,9 @@
 	<title>{m.audit_log()}</title>
 </svelte:head>
-<AuditLogSwitcher currentPage="personal" />
+{#if $userStore?.isAdmin}
 	<AuditLogSwitcher currentPage="personal" />
 {/if}
 <div>
 	<Card.Root>
Author	SHA1	Message	Date
Elias Schneider	dbacdb5bf0	release: 0.51.1	2025-05-03 23:42:47 +02:00
Elias Schneider	f4c6cff461	refactor: fix type errors	2025-05-03 23:42:17 +02:00
Elias Schneider	0b9cbf47e3	fix: allow LDAP users to update their locale	2025-05-03 23:32:56 +02:00
Alessandro (Ale) Segala	bda178c2bb	refactor: complete graceful shutdown implementation and add service runner (#493 )	2025-05-03 23:25:22 +02:00
Elias Schneider	6bd6cefaa6	fix: non admin users weren't able to call the end session endpoint	2025-05-03 22:53:55 +02:00
dependabot[bot]	83be1e0b49	chore(deps-dev): bump vite from 6.2.6 to 6.3.4 in /frontend in the npm_and_yarn group across 1 directory (#496 ) Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2025-04-30 14:53:30 -05:00
Kyle Mendell	cf3fe0be84	fix: last name still showing as required on account form (#492 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-29 20:24:16 +02:00
Elias Schneider	ec76e1c111	chore(translations): update translations via Crowdin (#491 )	2025-04-29 00:04:12 -05:00
Elias Schneider	6004f84845	release: 0.51.0	2025-04-28 11:15:52 +02:00
Alessandro (Ale) Segala	3ec98736cf	refactor: graceful shutdown for server (#482 )	2025-04-28 11:13:50 +02:00
Elias Schneider	ce24372c57	fix: do not require PKCE for public clients	2025-04-28 11:02:35 +02:00
Elias Schneider	4614769b84	refactor: reorganize imports	2025-04-28 10:49:54 +02:00
Elias Schneider	86d2b5f59f	fix: return correct error message if user isn't authorized	2025-04-28 10:39:17 +02:00
Elias Schneider	1efd1d182d	fix: hide global audit log switch for non admin users	2025-04-28 10:38:53 +02:00
Elias Schneider	0a24ab8001	fix: updating scopes of an authorized client fails with Postgres	2025-04-28 09:29:18 +02:00
James18232	02cacba5c5	feat: new login code card position for mobile devices (#452 ) Co-authored-by: Kyle Mendell <kmendell@ofkm.us>	2025-04-28 04:04:48 +00:00
Elias Schneider	38653e2aa4	chore(translations): update translations via Crowdin (#485 )	2025-04-27 23:00:37 -05:00