release: 1.9.1

Co-authored-by: Elias Schneider <login@eliasschneider.com>

.github/ISSUE_TEMPLATE/bug.yml

@@ -36,13 +36,29 @@ body:
       value: |
         ### Additional Information
   - type: textarea
-    id: extra-information
+    id: version
     validations:
       required: true
     attributes:
-      label: "Version and Environment"
+      label: "Pocket ID Version"
-      description: "Please specify the version of Pocket ID, along with any environment-specific configurations, such your reverse proxy, that might be relevant."
+      description: "Please specify the version of Pocket ID."
       placeholder: "e.g., v0.24.1"
+  - type: textarea
+    id: database
+    validations:
+      required: true
+    attributes:
+      label: "Database"
+      description: "Please specify the database in use: SQLite or Postgres (including version)."
+      placeholder: "e.g., SQLite or Postgres 17"
+  - type: textarea
+    id: environment
+    validations:
+      required: true
+    attributes:
+      label: "OS and Environment"
+      description: "Please include the OS, whether you're using containers (Docker, Podman, etc) along with any environment-specific configurations, such your reverse proxy, that might be relevant."
+      placeholder: "e.g., Docker on Ubuntu 24.04, served using Traefik"
   - type: textarea
     id: log-files
     validations:

.github/workflows/e2e-tests.yml

@@ -3,15 +3,15 @@ on:
   push:
     branches: [main]
     paths-ignore:
-      - 'docs/**'
+      - "docs/**"
-      - '**.md'
+      - "**.md"
-      - '.github/**'
+      - ".github/**"
   pull_request:
     branches: [main]
     paths-ignore:
-      - 'docs/**'
+      - "docs/**"
-      - '**.md'
+      - "**.md"
-      - '.github/**'
+      - ".github/**"
 
 jobs:
   build:
@@ -45,23 +45,29 @@ jobs:
           path: /tmp/docker-image.tar
           retention-days: 1
 
-  test-sqlite:
+  test:
     if: github.event.pull_request.head.ref != 'i18n_crowdin'
     permissions:
       contents: read
       actions: write
     runs-on: ubuntu-latest
     needs: build
+    strategy:
+      fail-fast: false
+      matrix:
+        db: [sqlite, postgres]
     steps:
       - uses: actions/checkout@v4
+
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
         with:
           version: 10
+
       - uses: actions/setup-node@v4
         with:
           node-version: 22
-          cache: 'pnpm'
+          cache: "pnpm"
           cache-dependency-path: pnpm-lock.yaml
 
       - name: Cache Playwright Browsers
@@ -70,100 +76,8 @@ jobs:
         with:
           path: ~/.cache/ms-playwright
           key: ${{ runner.os }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-playwright-
-
-      - name: Download Docker image artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: docker-image
-          path: /tmp
-
-      - name: Load Docker image
-        run: docker load -i /tmp/docker-image.tar
-
-      - name: Cache LLDAP Docker image
-        uses: actions/cache@v3
-        id: lldap-cache
-        with:
-          path: /tmp/lldap-image.tar
-          key: lldap-stable-${{ runner.os }}
-
-      - name: Pull and save LLDAP image
-        if: steps.lldap-cache.outputs.cache-hit != 'true'
-        run: |
-          docker pull nitnelave/lldap:stable
-          docker save nitnelave/lldap:stable > /tmp/lldap-image.tar
-
-      - name: Load LLDAP image from cache
-        if: steps.lldap-cache.outputs.cache-hit == 'true'
-        run: docker load < /tmp/lldap-image.tar
-
-      - name: Install test dependencies
-        run: pnpm --filter pocket-id-tests install --frozen-lockfile
-
-      - name: Install Playwright Browsers
-        working-directory: ./tests
-        if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: pnpm dlx playwright install --with-deps chromium
-
-      - name: Run Docker Container with Sqlite DB and LDAP
-        working-directory: ./tests/setup
-        run: |
-          docker compose up -d
-          docker compose logs -f pocket-id &> /tmp/backend.log &
-
-      - name: Run Playwright tests
-        working-directory: tests
-        run: pnpm exec playwright test
-
-      - name: Upload Test Report
-        uses: actions/upload-artifact@v4
-        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
-        with:
-          name: playwright-report-sqlite
-          path: tests/.report
-          include-hidden-files: true
-          retention-days: 15
-
-      - name: Upload Backend Test Report
-        uses: actions/upload-artifact@v4
-        if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
-        with:
-          name: backend-sqlite
-          path: /tmp/backend.log
-          include-hidden-files: true
-          retention-days: 15
-
-  test-postgres:
-    if: github.event.pull_request.head.ref != 'i18n_crowdin'
-    permissions:
-      contents: read
-      actions: write
-    runs-on: ubuntu-latest
-    needs: build
-    steps:
-      - uses: actions/checkout@v4
-      - name: Setup pnpm
-        uses: pnpm/action-setup@v4
-        with:
-          version: 10
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 22
-          cache: 'pnpm'
-          cache-dependency-path: pnpm-lock.yaml
-
-      - name: Cache Playwright Browsers
-        uses: actions/cache@v3
-        id: playwright-cache
-        with:
-          path: ~/.cache/ms-playwright
-          key: ${{ runner.os }}-playwright-${{ hashFiles('pnpm-lock.yaml') }}
-          restore-keys: |
-            ${{ runner.os }}-playwright-
-
       - name: Cache PostgreSQL Docker image
+        if: matrix.db == 'postgres'
         uses: actions/cache@v3
         id: postgres-cache
         with:
@@ -171,15 +85,14 @@ jobs:
           key: postgres-17-${{ runner.os }}
 
       - name: Pull and save PostgreSQL image
-        if: steps.postgres-cache.outputs.cache-hit != 'true'
+        if: matrix.db == 'postgres' && steps.postgres-cache.outputs.cache-hit != 'true'
         run: |
           docker pull postgres:17
           docker save postgres:17 > /tmp/postgres-image.tar
 
       - name: Load PostgreSQL image from cache
-        if: steps.postgres-cache.outputs.cache-hit == 'true'
+        if: matrix.db == 'postgres' && steps.postgres-cache.outputs.cache-hit == 'true'
         run: docker load < /tmp/postgres-image.tar
-
       - name: Cache LLDAP Docker image
         uses: actions/cache@v3
         id: lldap-cache
@@ -196,7 +109,6 @@ jobs:
       - name: Load LLDAP image from cache
         if: steps.lldap-cache.outputs.cache-hit == 'true'
         run: docker load < /tmp/lldap-image.tar
-
       - name: Download Docker image artifact
         uses: actions/download-artifact@v4
         with:
@@ -207,14 +119,21 @@ jobs:
         run: docker load -i /tmp/docker-image.tar
 
       - name: Install test dependencies
-        run: pnpm --filter pocket-id-tests install
+        run: pnpm --filter pocket-id-tests install --frozen-lockfile
 
       - name: Install Playwright Browsers
         working-directory: ./tests
         if: steps.playwright-cache.outputs.cache-hit != 'true'
-        run: pnpm dlx playwright install --with-deps chromium
+        run: pnpm exec playwright install --with-deps chromium
+      - name: Run Docker Container (sqlite) with LDAP
+        if: matrix.db == 'sqlite'
+        working-directory: ./tests/setup
+        run: |
+          docker compose up -d
+          docker compose logs -f pocket-id &> /tmp/backend.log &
 
-      - name: Run Docker Container with Postgres DB and LDAP
+      - name: Run Docker Container (postgres) with LDAP
+        if: matrix.db == 'postgres'
         working-directory: ./tests/setup
         run: |
           docker compose -f docker-compose-postgres.yml up -d
@@ -228,8 +147,8 @@ jobs:
         uses: actions/upload-artifact@v4
         if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
         with:
-          name: playwright-report-postgres
+          name: playwright-report-${{ matrix.db }}
-          path: frontend/tests/.report
+          path: tests/.report
           include-hidden-files: true
           retention-days: 15
 
@@ -237,7 +156,7 @@ jobs:
         uses: actions/upload-artifact@v4
         if: always() && github.event.pull_request.head.ref != 'i18n_crowdin'
         with:
-          name: backend-postgres
+          name: backend-${{ matrix.db }}
           path: /tmp/backend.log
           include-hidden-files: true
           retention-days: 15

.version

@@ -1 +1 @@
-1.8.0
+1.9.1

CHANGELOG.md

@@ -1,3 +1,32 @@
+## [](https://github.com/pocket-id/pocket-id/compare/v1.9.0...v) (2025-08-24)
+
+
+### Bug Fixes
+
+* sqlite migration drops allowed user groups ([d6d1a4c](https://github.com/pocket-id/pocket-id/commit/d6d1a4ced23886f255a9c2048d19ad3599a17f26))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v1.8.1...v) (2025-08-24)
+
+
+### Features
+
+* support automatic db migration rollbacks ([#874](https://github.com/pocket-id/pocket-id/issues/874)) ([c114a2e](https://github.com/pocket-id/pocket-id/commit/c114a2edaae4c007c75c34c02e8b0bb011845cae))
+
+
+### Bug Fixes
+
+* don't force uuid for client id in postgres ([2ffc6ba](https://github.com/pocket-id/pocket-id/commit/2ffc6ba42af4742a13b77543142b66b3e826ab88))
+* ensure SQLite has a writable temporary directory ([#876](https://github.com/pocket-id/pocket-id/issues/876)) ([1f3550c](https://github.com/pocket-id/pocket-id/commit/1f3550c9bd3aafd3bd2272ef47f3ed8736037d81))
+* sort order incorrect for apps when using postgres ([d0392d2](https://github.com/pocket-id/pocket-id/commit/d0392d25edcaa5f3c7da2aad70febf63b47763fa))
+
+## [](https://github.com/pocket-id/pocket-id/compare/v1.8.0...v) (2025-08-24)
+
+
+### Bug Fixes
+
+* migration clears allowed users groups ([5971bfb](https://github.com/pocket-id/pocket-id/commit/5971bfbfa66ecfebf2b1c08d34fcbd8c18cdc046))
+* wrong column type for reauthentication tokens in Postgres ([#869](https://github.com/pocket-id/pocket-id/issues/869)) ([1283314](https://github.com/pocket-id/pocket-id/commit/1283314f776a0ba43be7d796e7e2243e31f860de))
+
 ## [](https://github.com/pocket-id/pocket-id/compare/v1.7.0...v) (2025-08-23)
 
 

backend/go.mod

@@ -74,6 +74,8 @@ require (
 	github.com/go-webauthn/x v0.1.23 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.3 // indirect
+	github.com/google/go-github/v39 v39.2.0 // indirect
+	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/go-tpm v0.9.5 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
@@ -132,6 +134,7 @@ require (
 	golang.org/x/arch v0.20.0 // indirect
 	golang.org/x/exp v0.0.0-20250813145105-42675adae3e6 // indirect
 	golang.org/x/net v0.43.0 // indirect
+	golang.org/x/oauth2 v0.27.0 // indirect
 	golang.org/x/sync v0.16.0 // indirect
 	golang.org/x/sys v0.35.0 // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a // indirect

backend/go.sum

@@ -95,11 +95,19 @@ github.com/golang-jwt/jwt/v5 v5.2.3 h1:kkGXqQOBSDDWRhWNXTFpqGSCMyh/PLnqUvMGJPDJD
 github.com/golang-jwt/jwt/v5 v5.2.3/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-migrate/migrate/v4 v4.18.3 h1:EYGkoOsvgHHfm5U/naS1RP/6PL/Xv3S4B/swMiAmDLs=
 github.com/golang-migrate/migrate/v4 v4.18.3/go.mod h1:99BKpIi6ruaaXRM1A77eqZ+FWPQ3cfRa+ZVy5bmWMaY=
+github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.5.2/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/go-github/v39 v39.2.0 h1:rNNM311XtPOz5rDdsJXAp2o8F67X9FnROXTvto3aSnQ=
+github.com/google/go-github/v39 v39.2.0/go.mod h1:C1s8C5aCC9L+JXIYpJM5GYytdX52vC1bLvHEF1IhBrE=
+github.com/google/go-querystring v1.1.0 h1:AnCroh3fv4ZBgVIf1Iwtovgjaw/GiKJo8M8yD/fhyJ8=
+github.com/google/go-querystring v1.1.0/go.mod h1:Kcdr2DB4koayq7X8pmAG4sNG59So17icRSOU623lUBU=
 github.com/google/go-tpm v0.9.5 h1:ocUmnDebX54dnW+MQWGQRbdaAcJELsa6PqZhJ48KwVU=
 github.com/google/go-tpm v0.9.5/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -319,6 +327,7 @@ go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 golang.org/x/arch v0.20.0 h1:dx1zTU0MAE98U+TQ8BLl7XsJbgze2WnNKF/8tGp/Q6c=
 golang.org/x/arch v0.20.0/go.mod h1:bdwinDaKcfZUGpH09BB7ZmOfhalA8lQdzl62l8gGWsk=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
@@ -339,6 +348,7 @@ golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.27.0 h1:kb+q2PyFnEADO2IEF935ehFUXlWiNjJWtRNgBLSfbxQ=
 golang.org/x/mod v0.27.0/go.mod h1:rWI627Fq0DEoudcK+MBkNkCe0EetEaDSwJJkCcjpazc=
+golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -352,6 +362,9 @@ golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/net v0.43.0 h1:lat02VYK2j4aLzMzecihNvTlJNQUq316m2Mr9rnM6YE=
 golang.org/x/net v0.43.0/go.mod h1:vhO1fvI4dGsIjh73sWfUVjj3N7CA9WkKJNQm2svM6Jg=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
+golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -385,6 +398,7 @@ golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
 golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
@@ -406,6 +420,8 @@ golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxb
 golang.org/x/tools v0.36.0 h1:kWS0uv/zsvHEle1LbV5LE8QujrxB3wfQyxHfhOk0Qkg=
 golang.org/x/tools v0.36.0/go.mod h1:WBDiHKJK8YgLHlcQPYQzNCkUxUypCaa5ZegCVutKm+s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc=
 google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a h1:nwKuGPlUAt+aR+pcrkfFRrTU1BVrSmYyYMxYbUIVHr0=
 google.golang.org/genproto/googleapis/api v0.0.0-20250218202821-56aae31c358a/go.mod h1:3kWAYMk1I75K4vykHtKt2ycnOgpA6974V7bREqbsenU=
 google.golang.org/genproto/googleapis/rpc v0.0.0-20250218202821-56aae31c358a h1:51aaUVRocpvUOSQKM6Q7VuoaktNIaMCLuhZB6DKksq4=

backend/internal/bootstrap/db_bootstrap.go

@@ -5,6 +5,8 @@ import (
 	"fmt"
 	"log/slog"
 	"net/url"
+	"os"
+	"path/filepath"
 	"strings"
 	"time"
 
@@ -13,6 +15,7 @@ import (
 	"github.com/golang-migrate/migrate/v4/database"
 	postgresMigrate "github.com/golang-migrate/migrate/v4/database/postgres"
 	sqliteMigrate "github.com/golang-migrate/migrate/v4/database/sqlite3"
+	_ "github.com/golang-migrate/migrate/v4/source/github"
 	"github.com/golang-migrate/migrate/v4/source/iofs"
 	slogGorm "github.com/orandin/slog-gorm"
 	"gorm.io/driver/postgres"
@@ -20,6 +23,7 @@ import (
 	gormLogger "gorm.io/gorm/logger"
 
 	"github.com/pocket-id/pocket-id/backend/internal/common"
+	"github.com/pocket-id/pocket-id/backend/internal/utils"
 	sqliteutil "github.com/pocket-id/pocket-id/backend/internal/utils/sqlite"
 	"github.com/pocket-id/pocket-id/backend/resources"
 )
@@ -38,7 +42,9 @@ func NewDatabase() (db *gorm.DB, err error) {
 	var driver database.Driver
 	switch common.EnvConfig.DbProvider {
 	case common.DbProviderSqlite:
-		driver, err = sqliteMigrate.WithInstance(sqlDb, &sqliteMigrate.Config{})
+		driver, err = sqliteMigrate.WithInstance(sqlDb, &sqliteMigrate.Config{
+			NoTxWrap: true,
+		})
 	case common.DbProviderPostgres:
 		driver, err = postgresMigrate.WithInstance(sqlDb, &postgresMigrate.Config{})
 	default:
@@ -58,8 +64,9 @@ func NewDatabase() (db *gorm.DB, err error) {
 }
 
 func migrateDatabase(driver database.Driver) error {
-	// Use the embedded migrations
+	// Embedded migrations via iofs
-	source, err := iofs.New(resources.FS, "migrations/"+string(common.EnvConfig.DbProvider))
+	path := "migrations/" + string(common.EnvConfig.DbProvider)
+	source, err := iofs.New(resources.FS, path)
 	if err != nil {
 		return fmt.Errorf("failed to create embedded migration source: %w", err)
 	}
@@ -69,14 +76,66 @@ func migrateDatabase(driver database.Driver) error {
 		return fmt.Errorf("failed to create migration instance: %w", err)
 	}
 
-	err = m.Up()
+	requiredVersion, err := getRequiredMigrationVersion(path)
-	if err != nil && !errors.Is(err, migrate.ErrNoChange) {
+	if err != nil {
-		return fmt.Errorf("failed to apply migrations: %w", err)
+		return fmt.Errorf("failed to get last migration version: %w", err)
 	}
 
+	currentVersion, _, _ := m.Version()
+	if currentVersion > requiredVersion {
+		slog.Warn("Database version is newer than the application supports, possible downgrade detected", slog.Uint64("db_version", uint64(currentVersion)), slog.Uint64("app_version", uint64(requiredVersion)))
+		if !common.EnvConfig.AllowDowngrade {
+			return fmt.Errorf("database version (%d) is newer than application version (%d), downgrades are not allowed (set ALLOW_DOWNGRADE=true to enable)", currentVersion, requiredVersion)
+		}
+		slog.Info("Fetching migrations from GitHub to handle possible downgrades")
+		return migrateDatabaseFromGitHub(driver, requiredVersion)
+	}
+
+	if err := m.Migrate(requiredVersion); err != nil && !errors.Is(err, migrate.ErrNoChange) {
+		return fmt.Errorf("failed to apply embedded migrations: %w", err)
+	}
 	return nil
 }
 
+func migrateDatabaseFromGitHub(driver database.Driver, version uint) error {
+	srcURL := "github://pocket-id/pocket-id/backend/resources/migrations/" + string(common.EnvConfig.DbProvider)
+
+	m, err := migrate.NewWithDatabaseInstance(srcURL, "pocket-id", driver)
+	if err != nil {
+		return fmt.Errorf("failed to create GitHub migration instance: %w", err)
+	}
+
+	if err := m.Migrate(version); err != nil && !errors.Is(err, migrate.ErrNoChange) {
+		return fmt.Errorf("failed to apply GitHub migrations: %w", err)
+	}
+	return nil
+}
+
+// getRequiredMigrationVersion reads the embedded migration files and returns the highest version number found.
+func getRequiredMigrationVersion(path string) (uint, error) {
+	entries, err := resources.FS.ReadDir(path)
+	if err != nil {
+		return 0, fmt.Errorf("failed to read migration directory: %w", err)
+	}
+
+	var maxVersion uint
+	for _, entry := range entries {
+		if entry.IsDir() {
+			continue
+		}
+		name := entry.Name()
+		var version uint
+		n, err := fmt.Sscanf(name, "%d_", &version)
+		if err == nil && n == 1 {
+			if version > maxVersion {
+				maxVersion = version
+			}
+		}
+	}
+
+	return maxVersion, nil
+}
+
 func connectDatabase() (db *gorm.DB, err error) {
 	var dialector gorm.Dialector
 
@@ -86,11 +145,20 @@ func connectDatabase() (db *gorm.DB, err error) {
 		if common.EnvConfig.DbConnectionString == "" {
 			return nil, errors.New("missing required env var 'DB_CONNECTION_STRING' for SQLite database")
 		}
+
 		sqliteutil.RegisterSqliteFunctions()
-		connString, err := parseSqliteConnectionString(common.EnvConfig.DbConnectionString)
+
+		connString, dbPath, err := parseSqliteConnectionString(common.EnvConfig.DbConnectionString)
 		if err != nil {
 			return nil, err
 		}
+
+		// Before we connect, also make sure that there's a temporary folder for SQLite to write its data
+		err = ensureSqliteTempDir(filepath.Dir(dbPath))
+		if err != nil {
+			return nil, err
+		}
+
 		dialector = sqlite.Open(connString)
 	case common.DbProviderPostgres:
 		if common.EnvConfig.DbConnectionString == "" {
@@ -120,7 +188,7 @@ func connectDatabase() (db *gorm.DB, err error) {
 	return nil, err
 }
 
-func parseSqliteConnectionString(connString string) (string, error) {
+func parseSqliteConnectionString(connString string) (parsedConnString string, dbPath string, err error) {
 	if !strings.HasPrefix(connString, "file:") {
 		connString = "file:" + connString
 	}
@@ -131,7 +199,7 @@ func parseSqliteConnectionString(connString string) (string, error) {
 	// Parse the connection string
 	connStringUrl, err := url.Parse(connString)
 	if err != nil {
-		return "", fmt.Errorf("failed to parse SQLite connection string: %w", err)
+		return "", "", fmt.Errorf("failed to parse SQLite connection string: %w", err)
 	}
 
 	// Convert options for the old SQLite driver to the new one
@@ -140,10 +208,19 @@ func parseSqliteConnectionString(connString string) (string, error) {
 	// Add the default and required params
 	err = addSqliteDefaultParameters(connStringUrl, isMemoryDB)
 	if err != nil {
-		return "", fmt.Errorf("invalid SQLite connection string: %w", err)
+		return "", "", fmt.Errorf("invalid SQLite connection string: %w", err)
 	}
 
-	return connStringUrl.String(), nil
+	// Get the absolute path to the database
+	// Here, we know for a fact that the ? is present
+	parsedConnString = connStringUrl.String()
+	idx := strings.IndexRune(parsedConnString, '?')
+	dbPath, err = filepath.Abs(parsedConnString[len("file:"):idx])
+	if err != nil {
+		return "", "", fmt.Errorf("failed to determine absolute path to the database: %w", err)
+	}
+
+	return parsedConnString, dbPath, nil
 }
 
 // The official C implementation of SQLite allows some additional properties in the connection string
@@ -296,6 +373,48 @@ func isSqliteInMemory(connString string) bool {
 	return len(qs["mode"]) > 0 && qs["mode"][0] == "memory"
 }
 
+// ensureSqliteTempDir ensures that SQLite has a directory where it can write temporary files if needed
+// The default directory may not be writable when using a container with a read-only root file system
+// See: https://www.sqlite.org/tempfiles.html
+func ensureSqliteTempDir(dbPath string) error {
+	// Per docs, SQLite tries these folders in order (excluding those that aren't applicable to us):
+	//
+	// - The SQLITE_TMPDIR environment variable
+	// - The TMPDIR environment variable
+	// - /var/tmp
+	// - /usr/tmp
+	// - /tmp
+	//
+	// Source: https://www.sqlite.org/tempfiles.html#temporary_file_storage_locations
+	//
+	// First, let's check if SQLITE_TMPDIR or TMPDIR are set, in which case we trust the user has taken care of the problem already
+	if os.Getenv("SQLITE_TMPDIR") != "" || os.Getenv("TMPDIR") != "" {
+		return nil
+	}
+
+	// Now, let's check if /var/tmp, /usr/tmp, or /tmp exist and are writable
+	for _, dir := range []string{"/var/tmp", "/usr/tmp", "/tmp"} {
+		ok, err := utils.IsWritableDir(dir)
+		if err != nil {
+			return fmt.Errorf("failed to check if %s is writable: %w", dir, err)
+		}
+		if ok {
+			// We found a folder that's writable
+			return nil
+		}
+	}
+
+	// If we're here, there's no temporary directory that's writable (not unusual for containers with a read-only root file system), so we set SQLITE_TMPDIR to the folder where the SQLite database is set
+	err := os.Setenv("SQLITE_TMPDIR", dbPath)
+	if err != nil {
+		return fmt.Errorf("failed to set SQLITE_TMPDIR environmental variable: %w", err)
+	}
+
+	slog.Debug("Set SQLITE_TMPDIR to the database directory", "path", dbPath)
+
+	return nil
+}
+
 func getGormLogger() gormLogger.Interface {
 	loggerOpts := make([]slogGorm.Option, 0, 5)
 	loggerOpts = append(loggerOpts,

backend/internal/common/env_config.go

@@ -52,6 +52,7 @@ type EnvConfigSchema struct {
 	LogJSON            bool       `env:"LOG_JSON"`
 	TrustProxy         bool       `env:"TRUST_PROXY"`
 	AnalyticsDisabled  bool       `env:"ANALYTICS_DISABLED"`
+	AllowDowngrade     bool       `env:"ALLOW_DOWNGRADE"`
 }
 
 var EnvConfig = defaultConfig()
@@ -87,6 +88,7 @@ func defaultConfig() EnvConfigSchema {
 		TracingEnabled:     false,
 		TrustProxy:         false,
 		AnalyticsDisabled:  false,
+		AllowDowngrade:     false,
 	}
 }
 

backend/internal/service/e2etest_service.go

@@ -343,7 +343,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			},
 			{
 				Base: model.Base{
-					ID: "b2c3d4e5-f6g7-8901-bcde-f12345678901",
+					ID: "dc3c9c96-714e-48eb-926e-2d7c7858e6cf",
 				},
 				Token:      "PARTIAL567890ABC",
 				ExpiresAt:  datatype.DateTime(time.Now().Add(7 * 24 * time.Hour)),
@@ -352,7 +352,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			},
 			{
 				Base: model.Base{
-					ID: "c3d4e5f6-g7h8-9012-cdef-123456789012",
+					ID: "44de1863-ffa5-4db1-9507-4887cd7a1e3f",
 				},
 				Token:      "EXPIRED34567890B",
 				ExpiresAt:  datatype.DateTime(time.Now().Add(-24 * time.Hour)), // Expired
@@ -361,7 +361,7 @@ func (s *TestService) SeedDatabase(baseURL string) error {
 			},
 			{
 				Base: model.Base{
-					ID: "d4e5f6g7-h8i9-0123-def0-234567890123",
+					ID: "f1b1678b-7720-4d8b-8f91-1dbff1e2d02b",
 				},
 				Token:      "FULLYUSED567890C",
 				ExpiresAt:  datatype.DateTime(time.Now().Add(24 * time.Hour)),

backend/internal/service/oidc_service.go

@@ -1379,8 +1379,7 @@ func (s *OidcService) ListAccessibleOidcClients(ctx context.Context, userID stri
 	query := tx.
 		WithContext(ctx).
 		Model(&model.OidcClient{}).
-		Preload("UserAuthorizedOidcClients", "user_id = ?", userID).
+		Preload("UserAuthorizedOidcClients", "user_id = ?", userID)
-		Distinct()
 
 	// If user has no groups, only return clients with no allowed user groups
 	if len(userGroupIDs) == 0 {
@@ -1401,7 +1400,7 @@ func (s *OidcService) ListAccessibleOidcClients(ctx context.Context, userID stri
 	if sortedPaginationRequest.Sort.Column == "lastUsedAt" && utils.IsValidSortDirection(sortedPaginationRequest.Sort.Direction) {
 		query = query.
 			Joins("LEFT JOIN user_authorized_oidc_clients ON oidc_clients.id = user_authorized_oidc_clients.client_id AND user_authorized_oidc_clients.user_id = ?", userID).
-			Order("user_authorized_oidc_clients.last_used_at " + sortedPaginationRequest.Sort.Direction)
+			Order("user_authorized_oidc_clients.last_used_at " + sortedPaginationRequest.Sort.Direction + " NULLS LAST")
 	}
 
 	response, err = utils.PaginateAndSort(sortedPaginationRequest, query, &clients)

backend/internal/utils/file_util.go

@@ -1,12 +1,15 @@
 package utils
 
 import (
+	"crypto/rand"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
 	"mime/multipart"
 	"os"
 	"path/filepath"
+	"syscall"
 
 	"github.com/google/uuid"
 	"github.com/pocket-id/pocket-id/backend/resources"
@@ -136,3 +139,41 @@ func FileExists(path string) (bool, error) {
 	}
 	return !s.IsDir(), nil
 }
+
+// IsWritableDir checks if a directory exists and is writable
+func IsWritableDir(dir string) (bool, error) {
+	// Check if directory exists and it's actually a directory
+	info, err := os.Stat(dir)
+	if os.IsNotExist(err) {
+		return false, nil
+	} else if err != nil {
+		return false, fmt.Errorf("failed to stat '%s': %w", dir, err)
+	}
+	if !info.IsDir() {
+		return false, nil
+	}
+
+	// Generate a random suffix for the test file to avoid conflicts
+	randomBytes := make([]byte, 8)
+	_, err = io.ReadFull(rand.Reader, randomBytes)
+	if err != nil {
+		return false, fmt.Errorf("failed to generate random bytes: %w", err)
+	}
+
+	// Check if directory is writable by trying to create a temporary file
+	testFile := filepath.Join(dir, ".pocketid_test_write_"+hex.EncodeToString(randomBytes))
+	defer os.Remove(testFile)
+
+	file, err := os.Create(testFile)
+	if err != nil {
+		if os.IsPermission(err) || errors.Is(err, syscall.EROFS) {
+			return false, nil
+		}
+
+		return false, fmt.Errorf("failed to create test file: %w", err)
+	}
+
+	_ = file.Close()
+
+	return true, nil
+}

backend/internal/utils/testing/database.go

@@ -55,7 +55,9 @@ func NewDatabaseForTest(t *testing.T) *gorm.DB {
 	// Perform migrations with the embedded migrations
 	sqlDB, err := db.DB()
 	require.NoError(t, err, "Failed to get sql.DB")
-	driver, err := sqliteMigrate.WithInstance(sqlDB, &sqliteMigrate.Config{})
+	driver, err := sqliteMigrate.WithInstance(sqlDB, &sqliteMigrate.Config{
+		NoTxWrap: true,
+	})
 	require.NoError(t, err, "Failed to create migration driver")
 	source, err := iofs.New(resources.FS, "migrations/sqlite")
 	require.NoError(t, err, "Failed to create embedded migration source")
@@ -63,6 +65,8 @@ func NewDatabaseForTest(t *testing.T) *gorm.DB {
 	require.NoError(t, err, "Failed to create migration instance")
 	err = m.Up()
 	require.NoError(t, err, "Failed to perform migrations")
+	_, err = sqlDB.Exec("PRAGMA foreign_keys = OFF;")
+	require.NoError(t, err, "Failed to disable foreign keys")
 
 	return db
 }

backend/resources/migrations/postgres/20250814121300_requires_reauthentication.up.sql

@@ -5,7 +5,7 @@ CREATE TABLE reauthentication_tokens (
     created_at TIMESTAMPTZ NOT NULL DEFAULT CURRENT_TIMESTAMP,
     token TEXT NOT NULL UNIQUE,
     expires_at TIMESTAMPTZ NOT NULL,
-    user_id TEXT NOT NULL REFERENCES users ON DELETE CASCADE
+    user_id uuid NOT NULL REFERENCES users ON DELETE CASCADE
 );
 
 CREATE INDEX idx_reauthentication_tokens_token ON reauthentication_tokens(token);

backend/resources/migrations/postgres/20250822000000_foreign_keys_improvements.down.sql

@@ -1 +1,7 @@
--- No-op
+ALTER TABLE public.audit_logs
+    DROP CONSTRAINT IF EXISTS audit_logs_user_id_fkey,
+    ADD CONSTRAINT audit_logs_user_id_fkey
+        FOREIGN KEY (user_id) REFERENCES public.users (id);
+
+ALTER TABLE public.oidc_authorization_codes
+    DROP CONSTRAINT IF EXISTS oidc_authorization_codes_client_fk;

backend/resources/migrations/postgres/20250824164821_client_id_type.down.sql

@@ -0,0 +1 @@
+-- No-op because strings can't be converted to UUIDs

backend/resources/migrations/postgres/20250824164821_client_id_type.up.sql

@@ -0,0 +1,57 @@
+-- Drop foreign keys that reference oidc_clients(id)
+ALTER TABLE oidc_authorization_codes
+    DROP CONSTRAINT IF EXISTS oidc_authorization_codes_client_fk;
+ALTER TABLE user_authorized_oidc_clients
+    DROP CONSTRAINT IF EXISTS user_authorized_oidc_clients_client_id_fkey;
+ALTER TABLE oidc_refresh_tokens
+    DROP CONSTRAINT IF EXISTS oidc_refresh_tokens_client_id_fkey;
+ALTER TABLE oidc_device_codes
+    DROP CONSTRAINT IF EXISTS oidc_device_codes_client_id_fkey;
+ALTER TABLE oidc_clients_allowed_user_groups
+    DROP CONSTRAINT IF EXISTS oidc_clients_allowed_user_groups_oidc_client_id_fkey;
+
+-- Alter child columns to TEXT
+ALTER TABLE oidc_authorization_codes
+    ALTER COLUMN client_id TYPE TEXT USING client_id::text;
+
+ALTER TABLE user_authorized_oidc_clients
+    ALTER
+        COLUMN client_id TYPE TEXT USING client_id::text;
+
+ALTER TABLE oidc_refresh_tokens
+    ALTER
+        COLUMN client_id TYPE TEXT USING client_id::text;
+
+ALTER TABLE oidc_device_codes
+    ALTER
+        COLUMN client_id TYPE TEXT USING client_id::text;
+
+ALTER TABLE oidc_clients_allowed_user_groups
+    ALTER
+        COLUMN oidc_client_id TYPE TEXT USING oidc_client_id::text;
+
+-- Alter parent primary key column to TEXT
+ALTER TABLE oidc_clients
+    ALTER
+        COLUMN id TYPE TEXT USING id::text;
+
+-- Recreate foreign keys with the new type
+ALTER TABLE oidc_authorization_codes
+    ADD CONSTRAINT oidc_authorization_codes_client_fk
+        FOREIGN KEY (client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE;
+
+ALTER TABLE user_authorized_oidc_clients
+    ADD CONSTRAINT user_authorized_oidc_clients_client_id_fkey
+        FOREIGN KEY (client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE;
+
+ALTER TABLE oidc_refresh_tokens
+    ADD CONSTRAINT oidc_refresh_tokens_client_id_fkey
+        FOREIGN KEY (client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE;
+
+ALTER TABLE oidc_device_codes
+    ADD CONSTRAINT oidc_device_codes_client_id_fkey
+        FOREIGN KEY (client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE;
+
+ALTER TABLE oidc_clients_allowed_user_groups
+    ADD CONSTRAINT oidc_clients_allowed_user_groups_oidc_client_id_fkey
+        FOREIGN KEY (oidc_client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE;

backend/resources/migrations/sqlite/20240731203656_init.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE users
 (
     id         TEXT                  NOT NULL PRIMARY KEY,
@@ -78,3 +80,5 @@ CREATE TABLE application_configuration_variables
     is_public   NUMERIC DEFAULT FALSE NOT NULL,
     is_internal NUMERIC DEFAULT FALSE NOT NULL
 );
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240813211251_passkey_backup_flags..up.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE webauthn_credentials ADD COLUMN backup_eligible BOOLEAN NOT NULL DEFAULT FALSE;
 ALTER TABLE webauthn_credentials ADD COLUMN backup_state BOOLEAN NOT NULL DEFAULT FALSE;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240813211251_passkey_backup_flags.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE webauthn_credentials DROP COLUMN backup_eligible;
 ALTER TABLE webauthn_credentials DROP COLUMN backup_state;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240817191051_rename_config_table.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE app_config_variables
     RENAME TO application_configuration_variables;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240817191051_rename_config_table.up.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE application_configuration_variables
     RENAME TO app_config_variables;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240820205521_multiple_callback_urls.down.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 create table oidc_clients
 (
     id            TEXT not null primary key,
@@ -21,3 +23,5 @@ select id,
 from oidc_clients_dg_tmp;
 
 drop table oidc_clients_dg_tmp;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240820205521_multiple_callback_urls.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 create table oidc_clients_dg_tmp
 (
     id            TEXT not null primary key,
@@ -24,3 +26,5 @@ drop table oidc_clients;
 
 alter table oidc_clients_dg_tmp
     rename to oidc_clients;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240908123031_audit_log.down.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP TABLE audit_logs;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240908123031_audit_log.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE audit_logs
 (
     id               TEXT NOT NULL PRIMARY KEY,
@@ -8,3 +10,5 @@ CREATE TABLE audit_logs
     data             BLOB NOT NULL,
     user_id          TEXT REFERENCES users
 );
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240924202721_user_groups.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP TABLE user_groups;
 DROP TABLE user_groups_users;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20240924202721_user_groups.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE user_groups
 (
     id           TEXT NOT NULL PRIMARY KEY,
@@ -14,3 +16,5 @@ CREATE TABLE user_groups_users
     FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
     FOREIGN KEY (user_group_id) REFERENCES user_groups (id) ON DELETE CASCADE
 );
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241004092030_audit_log_location.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE audit_logs DROP COLUMN country;
 ALTER TABLE audit_logs DROP COLUMN city;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241004092030_audit_log_location.up.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE audit_logs ADD COLUMN country TEXT;
 ALTER TABLE audit_logs ADD COLUMN city TEXT;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241023072742_unix-timestamps.down.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- Convert the Unix timestamps back to DATETIME format
 
 UPDATE user_groups
@@ -26,3 +28,5 @@ SET created_at = datetime(created_at, 'unixepoch');
 UPDATE webauthn_sessions
 SET created_at = datetime(created_at, 'unixepoch'),
     expires_at = datetime(expires_at, 'unixepoch');
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241023072742_unix-timestamps.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- Convert the DATETIME fields to Unix timestamps (in seconds)
 UPDATE user_groups
 SET created_at = strftime('%s', created_at);
@@ -25,3 +27,5 @@ SET created_at = strftime('%s', created_at);
 UPDATE webauthn_sessions
 SET created_at = strftime('%s', created_at),
     expires_at = strftime('%s', expires_at);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241025214824_app_config_default_value.down.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE app_config_variables DROP COLUMN default_value;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241025214824_app_config_default_value.up.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE app_config_variables ADD COLUMN default_value TEXT;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241028064959_custom_claims.down.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP TABLE custom_claims;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241028064959_custom_claims.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE custom_claims
 (
     id            TEXT NOT NULL PRIMARY KEY,
@@ -13,3 +15,5 @@ CREATE TABLE custom_claims
     CONSTRAINT custom_claims_unique UNIQUE (key, user_id, user_group_id),
     CHECK (user_id IS NOT NULL OR user_group_id IS NOT NULL)
 );
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241115131129_pkce.down.sql

@@ -1,3 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_authorization_codes DROP COLUMN code_challenge;
 ALTER TABLE oidc_authorization_codes DROP COLUMN code_challenge_method_sha256;
 ALTER TABLE oidc_clients DROP COLUMN is_public;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20241115131129_pkce.up.sql

@@ -1,3 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_authorization_codes ADD COLUMN code_challenge TEXT;
 ALTER TABLE oidc_authorization_codes ADD COLUMN code_challenge_method_sha256 NUMERIC;
 ALTER TABLE oidc_clients ADD COLUMN is_public BOOLEAN DEFAULT FALSE;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250103145821_pkce_column.down.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients DROP COLUMN pkce_enabled;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250103145821_pkce_column.up.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients ADD COLUMN pkce_enabled BOOLEAN DEFAULT FALSE;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250115155817_ldap.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE users DROP COLUMN ldap_id;
 ALTER TABLE user_groups DROP COLUMN ldap_id;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250115155817_ldap.up.sql

@@ -1,5 +1,9 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE users ADD COLUMN ldap_id TEXT;
 ALTER TABLE user_groups ADD COLUMN ldap_id TEXT;
 
 CREATE UNIQUE INDEX users_ldap_id ON users (ldap_id);
 CREATE UNIQUE INDEX user_groups_ldap_id ON user_groups (ldap_id);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250118180712_rename_email_config_variable.down.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE app_config_variables SET key = 'emailEnabled' WHERE key = 'emailLoginNotificationEnabled';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250118180712_rename_email_config_variable.up.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE app_config_variables SET key = 'emailLoginNotificationEnabled' WHERE key = 'emailEnabled';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250120102531_fix_empty_ldap_id_string.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE users SET ldap_id = '' WHERE ldap_id IS NULL;
 UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250120102531_fix_empty_ldap_id_string.up.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE users SET ldap_id = null WHERE ldap_id = '';
 UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.down.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP TABLE oidc_clients_allowed_user_groups;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250131154719_oidc_user_group_restriction.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE oidc_clients_allowed_user_groups
 (
     user_group_id  TEXT NOT NULL,
@@ -6,3 +8,5 @@ CREATE TABLE oidc_clients_allowed_user_groups
     FOREIGN KEY (oidc_client_id) REFERENCES oidc_clients (id) ON DELETE CASCADE,
     FOREIGN KEY (user_group_id) REFERENCES user_groups (id) ON DELETE CASCADE
 );
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.down.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE user_groups SET ldap_id = '' WHERE ldap_id IS NULL;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250203082527_fix_empty_user_group_ldap_id_string.up.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE user_groups SET ldap_id = null WHERE ldap_id = '';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250210152631_post_logout_url.down.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients DROP COLUMN logout_callback_urls;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250210152631_post_logout_url.up.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients ADD COLUMN logout_callback_urls BLOB;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250225182112_manual_smtp_tls_selection.down.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE app_config_variables SET value = 'true' WHERE key = 'smtpTls';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250225182112_manual_smtp_tls_selection.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 UPDATE app_config_variables
 SET value = CASE
                 WHEN value = 'true' AND (SELECT value FROM app_config_variables WHERE key = 'smtpPort' LIMIT 1) = '587' THEN 'starttls'
@@ -5,3 +7,5 @@ SET value = CASE
                 ELSE 'none'
     END
 WHERE key = 'smtpTls';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250302220732_api_key_auth.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP INDEX IF EXISTS idx_api_keys_key;
 DROP TABLE IF EXISTS api_keys;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250302220732_api_key_auth.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE api_keys (
     id TEXT PRIMARY KEY,
     name TEXT NOT NULL,
@@ -10,3 +12,5 @@ CREATE TABLE api_keys (
 );
 
 CREATE INDEX idx_api_keys_key ON api_keys(key);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250320171311_user_locale.down.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE users DROP COLUMN locale;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250320171311_user_locale.up.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE users ADD COLUMN locale TEXT;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250323184520_oidc_refresh_tokens.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP INDEX IF EXISTS idx_oidc_refresh_tokens_token;
 DROP TABLE IF EXISTS oidc_refresh_tokens;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250323184520_oidc_refresh_tokens.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE oidc_refresh_tokens (
     id TEXT NOT NULL PRIMARY KEY,
     created_at DATETIME,
@@ -9,3 +11,5 @@ CREATE TABLE oidc_refresh_tokens (
 );
 
 CREATE INDEX idx_oidc_refresh_tokens_token ON oidc_refresh_tokens(token);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250403082322_audit_logs_indexes.down.sql

@@ -1,3 +1,8 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP INDEX IF EXISTS idx_audit_logs_event;
 DROP INDEX IF EXISTS idx_audit_logs_user_id;
 DROP INDEX IF EXISTS idx_audit_logs_client_name;
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250403082322_audit_logs_indexes.up.sql

@@ -1,3 +1,8 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE INDEX idx_audit_logs_event ON audit_logs(event);
 CREATE INDEX idx_audit_logs_user_id ON audit_logs(user_id);
 CREATE INDEX idx_audit_logs_client_name ON audit_logs((json_extract(data, '$.clientName')));
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250408120918_app_config_cols.down.sql

@@ -1,4 +1,9 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE app_config_variables ADD type VARCHAR(20) NOT NULL,;
 ALTER TABLE app_config_variables ADD is_public BOOLEAN DEFAULT FALSE NOT NULL,;
 ALTER TABLE app_config_variables ADD is_internal BOOLEAN DEFAULT FALSE NOT NULL,;
 ALTER TABLE app_config_variables ADD default_value TEXT;
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250408120918_app_config_cols.up.sql

@@ -1,4 +1,8 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE app_config_variables DROP type;
 ALTER TABLE app_config_variables DROP is_public;
 ALTER TABLE app_config_variables DROP is_internal;
 ALTER TABLE app_config_variables DROP default_value;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250412000000_add_user_disabled_field.down.sql

@@ -1,4 +1,8 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP INDEX idx_users_disabled;
 
 ALTER TABLE users
 DROP COLUMN disabled;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250412000000_add_user_disabled_field.up.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE users
 ADD COLUMN disabled NUMERIC DEFAULT FALSE NOT NULL;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250417120000_add_expiration_email_sent_to_api_keys.down.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE api_keys
 DROP COLUMN expiration_email_sent;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250417120000_add_expiration_email_sent_to_api_keys.up.sql

@@ -1,2 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE api_keys
 ADD COLUMN expiration_email_sent BOOLEAN NOT NULL DEFAULT 0;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250421221059_add_device_codes.down.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP TABLE oidc_device_codes;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250421221059_add_device_codes.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE oidc_device_codes
 (
     id             TEXT     NOT NULL PRIMARY KEY,
@@ -10,3 +12,5 @@ CREATE TABLE oidc_device_codes
     user_id        TEXT REFERENCES users ON DELETE CASCADE,
     client_id      TEXT     NOT NULL REFERENCES oidc_clients ON DELETE CASCADE
 );
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250601204251_clear_default_app_config_variables.down.sql

@@ -1 +1 @@
--- No rollback is needed for this migration.
+-- No-op

backend/resources/migrations/sqlite/20250601204251_clear_default_app_config_variables.up.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DELETE FROM app_config_variables WHERE value = '';
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250609202611_client_credentials.down.sql

@@ -1 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients DROP COLUMN credentials;
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250609202611_client_credentials.up.sql

@@ -1 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients ADD COLUMN credentials TEXT NULL;
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250619115053_add_country_index.down.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP INDEX idx_audit_logs_country;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250619115053_add_country_index.up.sql

@@ -1 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE INDEX idx_audit_logs_country ON audit_logs(country);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250622151258_add_signup_tokens.down.sql

@@ -1,3 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP INDEX IF EXISTS idx_signup_tokens_expires_at;
 DROP INDEX IF EXISTS idx_signup_tokens_token;
 DROP TABLE IF EXISTS signup_tokens;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250622151258_add_signup_tokens.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 CREATE TABLE signup_tokens (
     id TEXT NOT NULL PRIMARY KEY,
     created_at DATETIME NOT NULL,
@@ -9,3 +11,5 @@ CREATE TABLE signup_tokens (
 
 CREATE INDEX idx_signup_tokens_token ON signup_tokens(token);
 CREATE INDEX idx_signup_tokens_expires_at ON signup_tokens(expires_at);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250628000000_audit_logs_ip_null.down.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- Re-create the table with non-nullable ip_address
 -- We then move the data and rename the table
 CREATE TABLE audit_logs_new
@@ -28,3 +30,6 @@ CREATE INDEX idx_audit_logs_user_id ON audit_logs(user_id);
 CREATE INDEX idx_audit_logs_user_agent ON audit_logs(user_agent);
 CREATE INDEX idx_audit_logs_client_name ON audit_logs((json_extract(data, '$.clientName')));
 CREATE INDEX idx_audit_logs_country ON audit_logs(country);
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250628000000_audit_logs_ip_null.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- Re-create the table with nullable ip_address
 -- We then move the data and rename the table
 CREATE TABLE audit_logs_new
@@ -28,3 +30,6 @@ CREATE INDEX idx_audit_logs_user_id ON audit_logs(user_id);
 CREATE INDEX idx_audit_logs_user_agent ON audit_logs(user_agent);
 CREATE INDEX idx_audit_logs_client_name ON audit_logs((json_extract(data, '$.clientName')));
 CREATE INDEX idx_audit_logs_country ON audit_logs(country);
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250630000000_kv_table.down.sql

@@ -1 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 DROP TABLE kv;
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250630000000_kv_table.up.sql

@@ -1,6 +1,11 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- The "kv" tables contains miscellaneous key-value pairs
 CREATE TABLE kv
 (
     "key"  TEXT NOT NULL PRIMARY KEY,
     "value" TEXT NOT NULL
 );
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250705000000_normalize.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 -- Normalize (form NFC) all existing values in the database
 UPDATE api_keys SET
     name = normalize(name, 'nfc'),
@@ -23,3 +25,6 @@ UPDATE users SET
 UPDATE user_groups SET
     friendly_name = normalize(friendly_name, 'nfc'),
     "name" = normalize("name", 'nfc');
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250810144214_apps_dashboard.down.sql

@@ -1,3 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients DROP COLUMN launch_url;
 
 ALTER TABLE user_authorized_oidc_clients DROP COLUMN created_at;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250810144214_apps_dashboard.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients ADD COLUMN launch_url TEXT;
 
 CREATE TABLE user_authorized_oidc_clients_new
@@ -14,3 +16,6 @@ SELECT scope, user_id, client_id, unixepoch() FROM user_authorized_oidc_clients;
 
 DROP TABLE user_authorized_oidc_clients;
 ALTER TABLE user_authorized_oidc_clients_new RENAME TO user_authorized_oidc_clients;
+
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250814121300_requires_reauthentication.down.sql

@@ -1,3 +1,7 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients DROP COLUMN requires_reauthentication;
 DROP INDEX IF EXISTS idx_reauthentication_tokens_token;
 DROP TABLE IF EXISTS reauthentication_tokens;
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250814121300_requires_reauthentication.up.sql

@@ -1,3 +1,5 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
 ALTER TABLE oidc_clients ADD COLUMN requires_reauthentication BOOLEAN NOT NULL DEFAULT FALSE;
 
 CREATE TABLE reauthentication_tokens (
@@ -9,3 +11,5 @@ CREATE TABLE reauthentication_tokens (
 );
 
 CREATE INDEX idx_reauthentication_tokens_token ON reauthentication_tokens(token);
+COMMIT;
+PRAGMA foreign_keys=ON;

backend/resources/migrations/sqlite/20250822000000_foreign_keys_improvements.up.sql

@@ -1,3 +1,6 @@
+PRAGMA foreign_keys=OFF;
+BEGIN;
+PRAGMA foreign_keys=OFF;
 ---------------------------
 -- Delete all orphaned rows
 ---------------------------
@@ -171,3 +174,8 @@ SELECT id, created_at, name, credential_id, public_key, attestation_type,
 FROM webauthn_credentials;
 DROP TABLE webauthn_credentials;
 ALTER TABLE webauthn_credentials_new RENAME TO webauthn_credentials;
+
+PRAGMA foreign_keys=ON;
+PRAGMA foreign_key_check;
+COMMIT;
+PRAGMA foreign_keys=ON;

frontend/messages/cs.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Kliknutím zkopírujete",
 	"something_went_wrong": "Něco se pokazilo",
 	"go_back_to_home": "Přejít zpět domů",
-	"dont_have_access_to_your_passkey": "Nemáte přístup k Vašemu přístupovému klíči?",
+	"alternative_sign_in_methods": "Alternativní způsoby přihlášení",
 	"login_background": "Pozadí přihlašovací stránky",
 	"logo": "Logo",
 	"login_code": "Přihlašovací kód",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Veřejní klienti nemají client secret a místo toho používají PKCE. Povolte to, pokud je váš klient SPA nebo mobilní aplikace.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Exchange je bezpečnostní funkce, která zabraňuje útokům CSRF a narušení autorizačních kódů.",
+	"requires_reauthentication": "Vyžaduje opětovné ověření",
+	"requires_users_to_authenticate_again_on_each_authorization": "Vyžaduje, aby se uživatelé při každém autorizačním pokusu znovu ověřili, i když jsou již přihlášeni.",
 	"name_logo": "Logo {name}",
 	"change_logo": "Změnit logo",
 	"upload_logo": "Nahrát logo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Kolikrát lze použít registrační token.",
 	"expires": "Vyprší",
 	"signup": "Zaregistrovat se",
+	"user_creation": "Vytvoření uživatele",
+	"configure_user_creation": "Spravujte nastavení vytváření uživatelů, včetně metod registrace a výchozích oprávnění pro nové uživatele.",
+	"user_creation_groups_description": "Při registraci automaticky přiřaďte tyto skupiny novým uživatelům.",
+	"user_creation_claims_description": "Při registraci automaticky přiřaďte tyto vlastní nároky novým uživatelům.",
+	"user_creation_updated_successfully": "Nastavení pro vytváření uživatelů bylo úspěšně aktualizováno.",
+	"signup_disabled_description": "Registrace uživatelů jsou kompletně zakázány. Nové uživatelské účty mohou vytvářet pouze správci.",
 	"signup_requires_valid_token": "Pro vytvoření účtu je vyžadován platný registrační token",
 	"validating_signup_token": "Ověřování registračního tokenu",
 	"go_to_login": "Přejít na přihlášení",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Prozatím přeskočit",
 	"account_created": "Účet vytvořen",
 	"enable_user_signups": "Povolit registraci uživatelů",
-	"enable_user_signups_description": "Určuje, zda by měla být funkce registrace uživatele povolena.",
+	"enable_user_signups_description": "Rozhodněte, jak se uživatelé mohou registrovat pro nové účty v Pocket ID.",
 	"user_signups_are_disabled": "Registrace uživatelů jsou v současné době zakázány",
 	"create_signup_token": "Vytvořit registrační token",
 	"view_active_signup_tokens": "Zobrazit aktivní registrační tokeny",
@@ -412,7 +420,6 @@
 	"loading": "Načítání",
 	"delete_signup_token": "Odstranit registrační token",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Jste si jisti, že chcete odstranit tento registrační token? Tuto akci nelze vrátit zpět.",
-	"signup_disabled_description": "Registrace uživatelů jsou kompletně zakázány. Nové uživatelské účty mohou vytvářet pouze správci.",
 	"signup_with_token": "Zaregistrovat se s tokenem",
 	"signup_with_token_description": "Uživatelé se mohou zaregistrovat pouze pomocí platného registračního tokenu který byl vytvořen správcem.",
 	"signup_open": "Otevřená registrace",
@@ -430,5 +437,8 @@
 	"revoke_access": "Zrušit přístup",
 	"revoke_access_description": "Zrušit přístup k <b>{clientName}</b>. <b>{clientName}</b> už nebude mít přístup k informacím o vašem účtu.",
 	"revoke_access_successful": "Přístup k {clientName} byl úspěšně zrušen.",
-	"last_signed_in_ago": "Naposledy přihlášen {time} před"
+	"last_signed_in_ago": "Naposledy přihlášen {time} před",
+	"invalid_client_id": "ID klienta může obsahovat pouze písmena, číslice, podtržítka a pomlčky.",
+	"custom_client_id_description": "Nastavte vlastní ID klienta, pokud to vyžaduje vaše aplikace. V opačném případě pole nechte prázdné, aby bylo vygenerováno náhodné ID.",
+	"generated": "Vygenerováno"
 }

frontend/messages/da.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Klik for at kopiere",
 	"something_went_wrong": "Noget gik galt",
 	"go_back_to_home": "Gå tilbage til hjem",
-	"dont_have_access_to_your_passkey": "Har du ikke adgang til din adgangsnøgle?",
+	"alternative_sign_in_methods": "Alternative login-metoder",
 	"login_background": "Log ind baggrund",
 	"logo": "Logo",
 	"login_code": "Loginkode",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Public-klienter har ikke en klienthemmelighed. De er designet til mobil-, web- og native-apps, hvor hemmeligheder ikke kan opbevares sikkert.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange er en sikkerhedsfunktion, der beskytter mod CSRF- og authorization code-angreb.",
+	"requires_reauthentication": "Kræver genbekræftelse",
+	"requires_users_to_authenticate_again_on_each_authorization": "Kræver, at brugerne skal godkende igen ved hver autorisation, selvom de allerede er logget ind.",
 	"name_logo": "Logo for {name}",
 	"change_logo": "Skift logo",
 	"upload_logo": "Upload logo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Antal gange, som tilmeldingstokenet kan bruges.",
 	"expires": "Udløber",
 	"signup": "Tilmeld",
+	"user_creation": "Oprettelse af bruger",
+	"configure_user_creation": "Administrer indstillinger for brugeroprettelse, herunder tilmeldingsmetoder og standardtilladelser for nye brugere.",
+	"user_creation_groups_description": "Tildel disse grupper automatisk til nye brugere ved tilmelding.",
+	"user_creation_claims_description": "Tildel disse brugerdefinerede krav automatisk til nye brugere ved tilmelding.",
+	"user_creation_updated_successfully": "Indstillinger for brugeroprettelse opdateret.",
+	"signup_disabled_description": "Brugerregistreringer er fuldstændigt deaktiveret. Kun administratorer kan oprette nye brugerkonti.",
 	"signup_requires_valid_token": "Der kræves en gyldig tilmeldingstoken for at oprette en konto.",
 	"validating_signup_token": "Validering af tilmeldingstoken",
 	"go_to_login": "Gå til login",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Spring over for nu",
 	"account_created": "Konto oprettet",
 	"enable_user_signups": "Aktiver brugerregistrering",
-	"enable_user_signups_description": "Om brugerregistreringsfunktionen skal være aktiveret.",
+	"enable_user_signups_description": "Bestem, hvordan brugere kan oprette nye konti i Pocket ID.",
 	"user_signups_are_disabled": "Brugerregistrering er i øjeblikket deaktiveret.",
 	"create_signup_token": "Opret tilmeldingstoken",
 	"view_active_signup_tokens": "Vis aktive tilmeldingstokener",
@@ -412,7 +420,6 @@
 	"loading": "Indlæsning",
 	"delete_signup_token": "Slet tilmeldingstoken",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Er du sikker på, at du vil slette denne tilmeldingstoken? Denne handling kan ikke fortrydes.",
-	"signup_disabled_description": "Brugerregistreringer er fuldstændigt deaktiveret. Kun administratorer kan oprette nye brugerkonti.",
 	"signup_with_token": "Tilmeld dig med token",
 	"signup_with_token_description": "Brugere kan kun tilmelde sig ved hjælp af en gyldig tilmeldingstoken, der er oprettet af en administrator.",
 	"signup_open": "Åben tilmelding",
@@ -430,5 +437,8 @@
 	"revoke_access": "Tilbagekald adgang",
 	"revoke_access_description": "Tilbagekald adgang til <b>{clientName}</b>. <b>{clientName}</b> vil ikke længere kunne få adgang til dine kontooplysninger.",
 	"revoke_access_successful": "Adgangen til {clientName} er blevet ophævet.",
-	"last_signed_in_ago": "Sidst logget ind {time} siden"
+	"last_signed_in_ago": "Sidst logget ind {time} siden",
+	"invalid_client_id": "Kunde-ID må kun indeholde bogstaver, tal, understregninger og bindestreger.",
+	"custom_client_id_description": "Indstil et brugerdefineret klient-id, hvis dette kræves af din applikation. Ellers skal du lade feltet være tomt for at generere et tilfældigt id.",
+	"generated": "Genereret"
 }

frontend/messages/de.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Zum Kopieren klicken",
 	"something_went_wrong": "Etwas ist schiefgelaufen",
 	"go_back_to_home": "Zurück zur Startseite",
-	"dont_have_access_to_your_passkey": "Du hast keinen Zugriff auf deinen Passkey?",
+	"alternative_sign_in_methods": "Andere Anmeldemöglichkeiten",
 	"login_background": "Login Hintergrund",
 	"logo": "Logo",
 	"login_code": "Anmeldecode",
@@ -387,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Wie oft der Anmeldetoken benutzt werden kann.",
 	"expires": "Läuft ab",
 	"signup": "Anmelden",
+	"user_creation": "Benutzererstellung",
+	"configure_user_creation": "Verwalte die Einstellungen für die Benutzererstellung, einschließlich der Anmeldemethoden und Standardberechtigungen für neue Benutzer.",
+	"user_creation_groups_description": "Weise diese Gruppen neuen Benutzern bei der Anmeldung automatisch zu.",
+	"user_creation_claims_description": "Weise diese benutzerdefinierten Ansprüche neuen Benutzern bei der Anmeldung automatisch zu.",
+	"user_creation_updated_successfully": "Einstellungen für die Benutzererstellung erfolgreich aktualisiert.",
+	"signup_disabled_description": "Benutzeranmeldungen sind komplett deaktiviert. Nur Admins können neue Benutzerkonten erstellen.",
 	"signup_requires_valid_token": "Zum Erstellen eines Kontos brauchst du einen gültigen Anmeldetoken.",
 	"validating_signup_token": "Anmeldungstoken bestätigen",
 	"go_to_login": "Zum Login gehen",
@@ -398,7 +404,7 @@
 	"skip_for_now": "Jetzt überspringen",
 	"account_created": "Konto erstellt",
 	"enable_user_signups": "Benutzeranmeldungen aktivieren",
-	"enable_user_signups_description": "Ob die Funktion zur Benutzeranmeldung aktiviert werden soll.",
+	"enable_user_signups_description": "Entscheide, wie sich Leute für neue Konten in Pocket ID anmelden können.",
 	"user_signups_are_disabled": "Benutzeranmeldungen sind im Moment deaktiviert.",
 	"create_signup_token": "Anmeldungstoken erstellen",
 	"view_active_signup_tokens": "Aktive Anmeldetoken anzeigen",
@@ -414,7 +420,6 @@
 	"loading": "Laden",
 	"delete_signup_token": "Anmeldungstoken löschen",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Willst du diesen Anmeldetoken wirklich löschen? Das kannst du nicht rückgängig machen.",
-	"signup_disabled_description": "Benutzeranmeldungen sind komplett deaktiviert. Nur Admins können neue Benutzerkonten erstellen.",
 	"signup_with_token": "Mit Token anmelden",
 	"signup_with_token_description": "Benutzer können sich nur mit einem gültigen Anmeldetoken anmelden, das von einem Administrator erstellt wurde.",
 	"signup_open": "Anmeldung offen",
@@ -432,5 +437,8 @@
 	"revoke_access": "Zugriff widerrufen",
 	"revoke_access_description": "Zugriff widerrufen <b>{clientName}</b>. <b>{clientName}</b> kann nicht mehr auf deine Kontoinfos zugreifen.",
 	"revoke_access_successful": "Der Zugriff auf „ {clientName} “ wurde erfolgreich gesperrt.",
-	"last_signed_in_ago": "Zuletzt angemeldet vor {time} Stunden"
+	"last_signed_in_ago": "Zuletzt angemeldet vor {time} Stunden",
+	"invalid_client_id": "Die Kunden-ID darf nur Buchstaben, Zahlen, Unterstriche und Bindestriche haben.",
+	"custom_client_id_description": "Gib eine eigene Client-ID ein, wenn deine App das braucht. Ansonsten lass das Feld leer, damit eine zufällige ID generiert wird.",
+	"generated": "Generiert"
 }

frontend/messages/es.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Haz clic para copiar",
 	"something_went_wrong": "Algo ha salido mal",
 	"go_back_to_home": "Volver al Inicio",
-	"dont_have_access_to_your_passkey": "¿No tiene acceso a su Passkey?",
+	"alternative_sign_in_methods": "Métodos alternativos de inicio de sesión",
 	"login_background": "Fondo de página de acceso",
 	"logo": "Logotipo",
 	"login_code": "Código de inicio de sesión",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Public clients do not have a client secret and use PKCE instead. Enable this if your client is a SPA or mobile app.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "El intercambio de claves públicas es una función de seguridad que evita los ataques CSRF y la interceptación de códigos de autorización.",
+	"requires_reauthentication": "Requiere reautenticación",
+	"requires_users_to_authenticate_again_on_each_authorization": "Requiere que los usuarios se autentiquen de nuevo en cada autorización, incluso si ya han iniciado sesión.",
 	"name_logo": "{name} logotipo",
 	"change_logo": "Cambiar logotipo",
 	"upload_logo": "Subir Logo",
@@ -435,5 +437,8 @@
 	"revoke_access": "Revocar acceso",
 	"revoke_access_description": "Revocar el acceso a <b>{clientName}</b>. <b>{clientName}</b> ya no podrás acceder a la información de tu cuenta.",
 	"revoke_access_successful": "El acceso a {clientName} ha sido revocado correctamente.",
-	"last_signed_in_ago": "Último inicio de sesión en {time} hace"
+	"last_signed_in_ago": "Último inicio de sesión en {time} hace",
+	"invalid_client_id": "El ID de cliente solo puede contener letras, números, guiones bajos y guiones.",
+	"custom_client_id_description": "Establece un ID de cliente personalizado si tu aplicación lo requiere. De lo contrario, déjalo en blanco para generar uno aleatorio.",
+	"generated": "Generado"
 }

frontend/messages/fr.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Cliquer pour copier",
 	"something_went_wrong": "Quelque chose n'a pas fonctionné",
 	"go_back_to_home": "Retourner à l'accueil",
-	"dont_have_access_to_your_passkey": "Vous n'avez pas accès à votre clé d'accès ?",
+	"alternative_sign_in_methods": "Autres façons de se connecter",
 	"login_background": "Arrière-plan de connexion",
 	"logo": "Logo",
 	"login_code": "Code de connexion",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Les clients publics n'ont pas de secret client et utilisent PKCE à la place. Activez cette option si votre client est une application SPA ou une application mobile.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Le Public Key Code Exchange est une fonctionnalité de sécurité conçue pour prévenir les attaques CSRF et l’interception de code d’autorisation.",
+	"requires_reauthentication": "Nécessite une nouvelle authentification",
+	"requires_users_to_authenticate_again_on_each_authorization": "Demande aux utilisateurs de se connecter à nouveau à chaque autorisation, même s'ils sont déjà connectés.",
 	"name_logo": "Logo {name}",
 	"change_logo": "Changer le logo",
 	"upload_logo": "Télécharger un logo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Nombre de fois que le jeton d'inscription peut être utilisé.",
 	"expires": "Expire",
 	"signup": "S'inscrire",
+	"user_creation": "Création d'un utilisateur",
+	"configure_user_creation": "Gère les paramètres de création des utilisateurs, comme les méthodes d'inscription et les autorisations par défaut pour les nouveaux utilisateurs.",
+	"user_creation_groups_description": "Attribuez automatiquement ces groupes aux nouveaux utilisateurs lors de leur inscription.",
+	"user_creation_claims_description": "Attribuez automatiquement ces revendications personnalisées aux nouveaux utilisateurs lors de leur inscription.",
+	"user_creation_updated_successfully": "Les paramètres de création d'utilisateur ont été mis à jour.",
+	"signup_disabled_description": "Les inscriptions utilisateur sont complètement désactivées. Seuls les administrateurs peuvent créer de nouveaux comptes utilisateur.",
 	"signup_requires_valid_token": "Un jeton d'inscription valide est requis pour créer un compte.",
 	"validating_signup_token": "Validation du jeton d'inscription",
 	"go_to_login": "Aller à la connexion",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Ignorer pour le moment",
 	"account_created": "Compte créé",
 	"enable_user_signups": "Activer les inscriptions utilisateur",
-	"enable_user_signups_description": "Détermine si la fonctionnalité d'inscription des utilisateurs doit être activée.",
+	"enable_user_signups_description": "Décide comment les utilisateurs peuvent créer de nouveaux comptes dans Pocket ID.",
 	"user_signups_are_disabled": "Les inscriptions utilisateur sont actuellement désactivées",
 	"create_signup_token": "Créer un jeton d'inscription",
 	"view_active_signup_tokens": "Voir les jetons d'inscription actifs",
@@ -412,7 +420,6 @@
 	"loading": "Chargement",
 	"delete_signup_token": "Supprimer le jeton d'inscription",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Êtes-vous sûr de vouloir supprimer ce jeton d'inscription ? Cette action est irréversible.",
-	"signup_disabled_description": "Les inscriptions utilisateur sont complètement désactivées. Seuls les administrateurs peuvent créer de nouveaux comptes utilisateur.",
 	"signup_with_token": "Inscription avec jeton",
 	"signup_with_token_description": "Les utilisateurs ne peuvent s'inscrire qu'en utilisant un jeton d'inscription valide créé par un administrateur.",
 	"signup_open": "Inscription ouverte",
@@ -430,5 +437,8 @@
 	"revoke_access": "Supprimer l'accès",
 	"revoke_access_description": "Supprimer l'accès à <b>{clientName}</b>. <b>{clientName}</b> ne pourra plus accéder aux infos de ton compte.",
 	"revoke_access_successful": "L'accès à {clientName} a été supprimé.",
-	"last_signed_in_ago": "Dernière connexion il y a {time} il y a"
+	"last_signed_in_ago": "Dernière connexion il y a {time} il y a",
+	"invalid_client_id": "L'ID client ne peut contenir que des lettres, des chiffres, des traits de soulignement et des tirets.",
+	"custom_client_id_description": "Définissez un identifiant client personnalisé si votre application l'exige. Sinon, laissez ce champ vide pour qu'un identifiant aléatoire soit généré.",
+	"generated": "Généré"
 }

frontend/messages/it.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Clicca per copiare",
 	"something_went_wrong": "Qualcosa è andato storto",
 	"go_back_to_home": "Torna alla home",
-	"dont_have_access_to_your_passkey": "Non hai accesso alla tua passkey?",
+	"alternative_sign_in_methods": "Metodi di accesso alternativi",
 	"login_background": "Sfondo di accesso",
 	"logo": "Logo",
 	"login_code": "Codice di accesso",
@@ -276,6 +276,8 @@
 	"public_clients_description": "I client pubblici non hanno un client secret e utilizzano PKCE. Abilita questa opzione se il tuo client è una SPA o un'app mobile.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Il Public Key Code Exchange è una funzionalità di sicurezza per prevenire attacchi CSRF e intercettazione del codice di autorizzazione.",
+	"requires_reauthentication": "È necessario effettuare nuovamente l'autenticazione",
+	"requires_users_to_authenticate_again_on_each_authorization": "Chiede agli utenti di fare di nuovo l'autenticazione ogni volta che autorizzano qualcosa, anche se hanno già fatto l'accesso.",
 	"name_logo": "Logo di {name}",
 	"change_logo": "Cambia Logo",
 	"upload_logo": "Carica Logo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Numero di volte che il codice d'iscrizione può essere usato.",
 	"expires": "Scadenza",
 	"signup": "Registrati",
+	"user_creation": "Creazione utente",
+	"configure_user_creation": "Gestisci le impostazioni per creare nuovi utenti, come i metodi di registrazione e i permessi di default per quelli nuovi.",
+	"user_creation_groups_description": "Assegna automaticamente questi gruppi ai nuovi utenti al momento della registrazione.",
+	"user_creation_claims_description": "Assegna automaticamente queste richieste personalizzate ai nuovi utenti al momento della registrazione.",
+	"user_creation_updated_successfully": "Le impostazioni per creare un utente sono state aggiornate.",
+	"signup_disabled_description": "Le iscrizioni utente sono completamente disabilitate. Solo gli amministratori possono creare nuovi account utente.",
 	"signup_requires_valid_token": "È necessario un codice d'iscrizione valido per creare un account",
 	"validating_signup_token": "Convalida codice d'iscrizione",
 	"go_to_login": "Vai alla login",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Salta per ora",
 	"account_created": "Account creato",
 	"enable_user_signups": "Abilita Iscrizioni Utente",
-	"enable_user_signups_description": "Indica se la funzionalità di registrazione utente deve essere abilitata.",
+	"enable_user_signups_description": "Decidi come gli utenti possono registrarsi per creare nuovi account in Pocket ID.",
 	"user_signups_are_disabled": "Le iscrizioni utente sono attualmente disattivate",
 	"create_signup_token": "Crea Codice d'iscrizione",
 	"view_active_signup_tokens": "Visualizza codici d'iscrizione attivi",
@@ -412,7 +420,6 @@
 	"loading": "Caricamento",
 	"delete_signup_token": "Elimina Codice d'iscrizione",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Sei sicuro di voler eliminare questo codice d'iscrizione? Questa azione non può essere annullata.",
-	"signup_disabled_description": "Le iscrizioni utente sono completamente disabilitate. Solo gli amministratori possono creare nuovi account utente.",
 	"signup_with_token": "Registrati con codice",
 	"signup_with_token_description": "Gli utenti possono registrarsi solo usando un codice d'iscrizione valido, creato da un amministratore.",
 	"signup_open": "Apri Registrazione",
@@ -430,5 +437,8 @@
 	"revoke_access": "Revoca accesso",
 	"revoke_access_description": "Revoca l'accesso a <b>{clientName}</b>. <b>{clientName}</b> non potrà più accedere alle informazioni del tuo account.",
 	"revoke_access_successful": "L'accesso a {clientName} è stato revocato con successo.",
-	"last_signed_in_ago": "Ultimo accesso {time} fa"
+	"last_signed_in_ago": "Ultimo accesso {time} fa",
+	"invalid_client_id": "L'ID cliente può contenere solo lettere, numeri, trattini bassi e trattini.",
+	"custom_client_id_description": "Imposta un ID cliente personalizzato se la tua app lo richiede. Altrimenti, lascia vuoto per generarne uno casuale.",
+	"generated": "Generato"
 }

frontend/messages/ko.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "클릭하여 복사",
 	"something_went_wrong": "문제가 발생했습니다",
 	"go_back_to_home": "홈으로 돌아가기",
-	"dont_have_access_to_your_passkey": "패스키에 접근할 수 없나요?",
+	"alternative_sign_in_methods": "대체 로그인 방법",
 	"login_background": "로그인 배경",
 	"logo": "로고",
 	"login_code": "로그인 코드",
@@ -276,6 +276,8 @@
 	"public_clients_description": "공개 클라이언트는 클라이언트 시크릿이 없습니다. 이들은 시크릿을 안전하게 보관할 수 없는 모바일, 웹, 네이티브 애플리케이션을 위해 설계되었습니다.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "공개 키 코드 교환은 CSRF 및 승인 코드 가로채기 공격을 방지하기 위한 보안 기능입니다.",
+	"requires_reauthentication": "재인증 요구",
+	"requires_users_to_authenticate_again_on_each_authorization": "사용자가 이미 로그인한 상태에서도 승인할 때마다 다시 인증을 요구합니다.",
 	"name_logo": "{name} 로고",
 	"change_logo": "로고 변경",
 	"upload_logo": "로고 업로드",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "계정 생성 토큰을 사용할 수 있는 횟수.",
 	"expires": "만료일",
 	"signup": "계정 생성",
+	"user_creation": "사용자 생성",
+	"configure_user_creation": "사용자 생성 설정을 관리합니다. 이에는 신규 사용자 등록 방법 및 신규 사용자의 기본 권한이 포함됩니다.",
+	"user_creation_groups_description": "새 사용자가 가입할 때 이 그룹을 자동으로 할당합니다.",
+	"user_creation_claims_description": "새 사용자가 가입할 때 이 사용자 정의 클레임을 자동으로 할당합니다.",
+	"user_creation_updated_successfully": "사용자 생성 설정 업데이트가 성공적으로 완료되었습니다.",
+	"signup_disabled_description": "계정 생성이 완전히 비활성화됩니다. 새로운 사용자 계정은 관리자만 생성할 수 있습니다.",
 	"signup_requires_valid_token": "계정을 생성하려면 유효한 계정 생성 토큰이 필요합니다",
 	"validating_signup_token": "계정 생성 토큰 검증",
 	"go_to_login": "로그인으로 이동",
@@ -396,7 +404,7 @@
 	"skip_for_now": "지금은 건너뛰기",
 	"account_created": "계정 생성됨",
 	"enable_user_signups": "계정 생성 활성화",
-	"enable_user_signups_description": "계정 생성 기능이 활성화됩니다.",
+	"enable_user_signups_description": "Pocket ID에서 사용자가 새로운 계정을 생성하는 방법을 결정하세요.",
 	"user_signups_are_disabled": "계정 생성이 현재 비활성화되었습니다",
 	"create_signup_token": "계정 생성 토큰 생성",
 	"view_active_signup_tokens": "활성 계정 생성 토큰 보기",
@@ -412,7 +420,6 @@
 	"loading": "불러오는 중",
 	"delete_signup_token": "계정 생성 토큰 삭제",
 	"are_you_sure_you_want_to_delete_this_signup_token": "이 계정 생성 토큰을 정말로 삭제하시겠습니까? 이 작업은 되돌릴 수 없습니다.",
-	"signup_disabled_description": "계정 생성이 완전히 비활성화됩니다. 새로운 사용자 계정은 관리자만 생성할 수 있습니다.",
 	"signup_with_token": "토큰으로 계정 생성",
 	"signup_with_token_description": "사용자는 관리자가 생성한 유효한 계정 생성 토큰을 사용해야 가입할 수 있습니다.",
 	"signup_open": "계정 생성 허용",
@@ -430,5 +437,8 @@
 	"revoke_access": "접근 권한 취소",
 	"revoke_access_description": "<b>{clientName}</b>의 접근 권한을 취소합니다. <b>{clientName}</b>은 더 이상 계정 정보에 접근할 수 없습니다.",
 	"revoke_access_successful": "{clientName}의 접근이 성공적으로 취소되었습니다.",
-	"last_signed_in_ago": "{time} 전에 로그인함"
+	"last_signed_in_ago": "{time} 전에 로그인함",
+	"invalid_client_id": "고객 ID에는 영문자, 숫자, 밑줄, 하이픈만 포함될 수 있습니다.",
+	"custom_client_id_description": "애플리케이션에서 사용자 정의 클라이언트 ID가 요구되는 경우 설정하세요. 그렇지 않으면 빈 상태로 두어서 무작위로 생성할 수 있습니다.",
+	"generated": "생성됨"
 }

frontend/messages/nl.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Klik om te kopiëren",
 	"something_went_wrong": "Er is iets misgegaan",
 	"go_back_to_home": "Terug naar beginpagina",
-	"dont_have_access_to_your_passkey": "Heb je geen toegang tot je passkey?",
+	"alternative_sign_in_methods": "Andere manieren om in te loggen",
 	"login_background": "Inlogachtergrond",
 	"logo": "Logo",
 	"login_code": "Inlogcode",
@@ -43,7 +43,7 @@
 	"error_occurred_with_authenticator": "Er is een fout opgetreden met de authenticator",
 	"authenticator_does_not_support_discoverable_credentials": "De authenticator ondersteunt geen vindbare referenties",
 	"authenticator_does_not_support_resident_keys": "De authenticator ondersteunt geen vaste sleutels",
-	"passkey_was_previously_registered": "Deze toegangscode is eerder geregistreerd",
+	"passkey_was_previously_registered": "Deze passkey is eerder geregistreerd",
 	"authenticator_does_not_support_any_of_the_requested_algorithms": "De authenticator ondersteunt geen van de gevraagde algoritmen",
 	"authenticator_timed_out": "De authenticator is verlopen",
 	"critical_error_occurred_contact_administrator": "Er is een kritieke fout opgetreden. Neem contact op met de beheerder.",
@@ -70,8 +70,8 @@
 	"please_try_again": "Probeer het opnieuw.",
 	"continue": "Doorgaan",
 	"alternative_sign_in": "Alternatieve aanmelding",
-	"if_you_do_not_have_access_to_your_passkey_you_can_sign_in_using_one_of_the_following_methods": "Als je geen toegang hebt tot je passkeys, kun je je op een van de volgende manieren aanmelden.",
+	"if_you_do_not_have_access_to_your_passkey_you_can_sign_in_using_one_of_the_following_methods": "Als je geen toegang hebt tot je passkey, kun je je op een van de volgende manieren aanmelden.",
-	"use_your_passkey_instead": "Wil je in plaats daarvan je toegangscode gebruiken?",
+	"use_your_passkey_instead": "Wil je in plaats daarvan je passkey gebruiken?",
 	"email_login": "E-mail inloggen",
 	"enter_a_login_code_to_sign_in": "Voer een inlogcode in om in te loggen.",
 	"request_a_login_code_via_email": "Vraag een inlogcode aan via e-mail.",
@@ -84,7 +84,7 @@
 	"enter_the_code_you_received_to_sign_in": "Voer de code in die je hebt ontvangen om in te loggen.",
 	"code": "Code",
 	"invalid_redirect_url": "Ongeldige omleidings-URL",
-	"audit_log": "Audit logboek",
+	"audit_log": "Activiteitenlogboek",
 	"users": "Gebruikers",
 	"user_groups": "Gebruikersgroepen",
 	"oidc_clients": "OIDC-clients",
@@ -95,7 +95,7 @@
 	"powered_by": "Aangedreven door",
 	"see_your_account_activities_from_the_last_3_months": "Bekijk je accountactiviteiten van de afgelopen 3 maanden.",
 	"time": "Tijd",
-	"event": "Evenement",
+	"event": "Activiteit",
 	"approximate_location": "Geschatte locatie",
 	"ip_address": "IP-adres",
 	"device": "Apparaat",
@@ -106,11 +106,11 @@
 	"account_settings": "Accountinstellingen",
 	"passkey_missing": "Passkey ontbreekt",
 	"please_provide_a_passkey_to_prevent_losing_access_to_your_account": "Voeg een passkey toe om te voorkomen dat je de toegang tot je account verliest.",
-	"single_passkey_configured": "Eén enkele toegangscode geconfigureerd",
+	"single_passkey_configured": "Eén enkele passkey geconfigureerd",
-	"it_is_recommended_to_add_more_than_one_passkey": "Het is raadzaam om meer dan één toegangscode toe te voegen om te voorkomen dat je de toegang tot uw account verliest.",
+	"it_is_recommended_to_add_more_than_one_passkey": "Het is raadzaam om meer dan één passkey toe te voegen om te voorkomen dat je de toegang tot uw account verliest.",
 	"account_details": "Accountgegevens",
-	"passkeys": "Toegangscodes",
+	"passkeys": "Passkeys",
-	"manage_your_passkeys_that_you_can_use_to_authenticate_yourself": "Beheer de toegangscodes waarmee je jezelf kunt verifiëren.",
+	"manage_your_passkeys_that_you_can_use_to_authenticate_yourself": "Beheer de passkeys waarmee je jezelf kunt verifiëren.",
 	"add_passkey": "Passkey toevoegen",
 	"create_a_one_time_login_code_to_sign_in_from_a_different_device_without_a_passkey": "Maak een eenmalige inlogcode aan om in te loggen vanaf een ander apparaat zonder passkey.",
 	"create": "Aanmaken",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Publieke clients hebben geen client secret en gebruiken in plaats daarvan PKCE. Schakel dit in als je client een SPA of mobiele app is.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange is een beveiligingsfunctie om CSRF- en autorisatiecode-onderscheppingsaanvallen te voorkomen.",
+	"requires_reauthentication": "Je moet opnieuw inloggen",
+	"requires_users_to_authenticate_again_on_each_authorization": "Gebruikers moeten bij elke autorisatie opnieuw inloggen, zelfs als ze al ingelogd zijn.",
 	"name_logo": "{name} logo",
 	"change_logo": "Logo wijzigen",
 	"upload_logo": "Logo uploaden",
@@ -320,7 +322,7 @@
 	"all_events": "Alle activiteiten",
 	"all_clients": "Alle clients",
 	"all_locations": "Alle locaties",
-	"global_audit_log": "Algemeen audit logboek",
+	"global_audit_log": "Globaal activiteitenlogboek",
 	"see_all_account_activities_from_the_last_3_months": "Bekijk alle gebruikersactiviteit van de afgelopen 3 maanden.",
 	"token_sign_in": "Inloggen met token",
 	"client_authorization": "Client autorisatie",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Hoe vaak het aanmeldingstoken gebruikt kan worden.",
 	"expires": "Verloopt",
 	"signup": "Aanmelden",
+	"user_creation": "Gebruikers aanmaken",
+	"configure_user_creation": "Beheer de instellingen voor het aanmaken van gebruikers, zoals hoe mensen zich kunnen aanmelden en wat nieuwe gebruikers standaard kunnen doen.",
+	"user_creation_groups_description": "Wijs deze groepen automatisch toe aan nieuwe gebruikers bij aanmelding.",
+	"user_creation_claims_description": "Wijs deze aangepaste claims automatisch toe aan nieuwe gebruikers bij aanmelding.",
+	"user_creation_updated_successfully": "Instellingen voor het aanmaken van gebruikers zijn bijgewerkt.",
+	"signup_disabled_description": "Gebruikersregistraties zijn helemaal uitgeschakeld. Alleen beheerders kunnen nieuwe gebruikersaccounts aanmaken.",
 	"signup_requires_valid_token": "U heeft een geldige registratietoken nodig om een account aan te maken.",
 	"validating_signup_token": "Inlogtoken checken",
 	"go_to_login": "Ga naar inloggen",
@@ -392,11 +400,11 @@
 	"create_your_account_to_get_started": "Om te beginnen moet u een account aanmaken.",
 	"initial_account_creation_description": "Maak een account aan om te beginnen. U kunt later een wachtwoord instellen.",
 	"setup_your_passkey": "Stel uw passkey in",
-	"create_a_passkey_to_securely_access_your_account": "Maak een toegangscode aan om veilig toegang te krijgen tot je account. Dit is je primaire manier om in te loggen.",
+	"create_a_passkey_to_securely_access_your_account": "Maak een passkey aan om veilig toegang te krijgen tot je account. Dit is je primaire manier om in te loggen.",
 	"skip_for_now": "Voor nu even overslaan",
 	"account_created": "Account aangemaakt",
 	"enable_user_signups": "Gebruikersregistratie inschakelen",
-	"enable_user_signups_description": "Of de functie voor gebruikersregistratie moet worden ingeschakeld.",
+	"enable_user_signups_description": "Bepaal hoe mensen zich kunnen aanmelden voor nieuwe accounts in Pocket ID.",
 	"user_signups_are_disabled": "Gebruikersregistraties zijn nu uitgeschakeld.",
 	"create_signup_token": "Aanmeldingstoken maken",
 	"view_active_signup_tokens": "Actieve aanmeldingstokens bekijken",
@@ -412,7 +420,6 @@
 	"loading": "Bezig met laden",
 	"delete_signup_token": "Registratietoken verwijderen",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Weet u zeker dat u dit aanmeldingstoken wilt verwijderen? Deze actie kan niet ongedaan worden gemaakt.",
-	"signup_disabled_description": "Gebruikersregistraties zijn helemaal uitgeschakeld. Alleen beheerders kunnen nieuwe gebruikersaccounts aanmaken.",
 	"signup_with_token": "Aanmelden met token",
 	"signup_with_token_description": "U kunt zich alleen aanmelden met een geldige aanmeldtoken die door een beheerder is aangemaakt.",
 	"signup_open": "Open inschrijving",
@@ -429,6 +436,9 @@
 	"client_name_description": "De naam van de client die wordt getoond in de Pocket ID UI.",
 	"revoke_access": "Toegang intrekken",
 	"revoke_access_description": "Toegang intrekken tot <b>{clientName}</b>. <b>{clientName}</b> kun je accountgegevens niet meer gebruiken.",
-	"revoke_access_successful": "De toegang tot {clientName} is nu echt geblokkeerd.",
+	"revoke_access_successful": "De toegang tot {clientName} is nu succesvol geblokkeerd.",
-	"last_signed_in_ago": "Laatst ingelogd {time} geleden"
+	"last_signed_in_ago": "Laatst ingelogd {time} geleden",
+	"invalid_client_id": "De klant-ID mag alleen letters, cijfers, onderstrepingstekens en koppeltekens bevatten.",
+	"custom_client_id_description": "Stel een aangepaste client-ID in als je app dit nodig heeft. Anders laat je het gewoon leeg en wordt er een willekeurige ID gegenereerd.",
+	"generated": "Gemaakt"
 }

frontend/messages/pl.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Kliknij, aby skopiować",
 	"something_went_wrong": "Coś poszło nie tak",
 	"go_back_to_home": "Wróć do strony głównej",
-	"dont_have_access_to_your_passkey": "Nie masz dostępu do swojego klucza?",
+	"alternative_sign_in_methods": "Alternatywne metody logowania",
 	"login_background": "Tło logowania",
 	"logo": "Logo",
 	"login_code": "Kod logowania",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Klienci publiczni nie mają tajnego klucza. Są zaprojektowane dla aplikacji mobilnych, webowych i natywnych, gdzie tajne klucze nie mogą być bezpiecznie przechowywane.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Wymiana kodu publicznego klucza to funkcja zabezpieczająca, która zapobiega atakom CSRF i przechwytywaniu kodu autoryzacyjnego.",
+	"requires_reauthentication": "Wymagane ponowne uwierzytelnienie",
+	"requires_users_to_authenticate_again_on_each_authorization": "Wymaga od użytkowników ponownego uwierzytelniania przy każdej autoryzacji, nawet jeśli są już zalogowani.",
 	"name_logo": "Logo {name}",
 	"change_logo": "Zmień logo",
 	"upload_logo": "Prześlij logo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Liczba przypadków, w których można użyć tokenu rejestracji.",
 	"expires": "Wygasają",
 	"signup": "Zarejestruj się",
+	"user_creation": "Tworzenie użytkowników",
+	"configure_user_creation": "Zarządzaj ustawieniami tworzenia użytkowników, w tym metodami rejestracji i domyślnymi uprawnieniami dla nowych użytkowników.",
+	"user_creation_groups_description": "Przypisz te grupy automatycznie nowym użytkownikom podczas rejestracji.",
+	"user_creation_claims_description": "Przypisuj te niestandardowe oświadczenia automatycznie nowym użytkownikom podczas rejestracji.",
+	"user_creation_updated_successfully": "Ustawienia tworzenia użytkowników zostały pomyślnie zaktualizowane.",
+	"signup_disabled_description": "Rejestracja użytkowników jest całkowicie wyłączona. Tylko administratorzy mogą tworzyć nowe konta użytkowników.",
 	"signup_requires_valid_token": "Aby utworzyć konto, wymagany jest ważny token rejestracyjny.",
 	"validating_signup_token": "Weryfikacja tokenu rejestracji",
 	"go_to_login": "Przejdź do logowania",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Pomiń na razie",
 	"account_created": "Konto utworzone",
 	"enable_user_signups": "Włącz rejestrację użytkowników",
-	"enable_user_signups_description": "Czy funkcja rejestracji użytkowników powinna być włączona.",
+	"enable_user_signups_description": "Zdecyduj, w jaki sposób użytkownicy mogą rejestrować nowe konta w Pocket ID.",
 	"user_signups_are_disabled": "Rejestracja użytkowników jest obecnie wyłączona.",
 	"create_signup_token": "Utwórz token rejestracji",
 	"view_active_signup_tokens": "Wyświetl aktywne tokeny rejestracji",
@@ -412,7 +420,6 @@
 	"loading": "Ładowanie",
 	"delete_signup_token": "Usuń token rejestracji",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Czy na pewno chcesz usunąć ten token rejestracji? Tego działania nie można cofnąć.",
-	"signup_disabled_description": "Rejestracja użytkowników jest całkowicie wyłączona. Tylko administratorzy mogą tworzyć nowe konta użytkowników.",
 	"signup_with_token": "Zarejestruj się za pomocą tokenu",
 	"signup_with_token_description": "Użytkownicy mogą zarejestrować się wyłącznie przy użyciu ważnego tokenu rejestracyjnego utworzonego przez administratora.",
 	"signup_open": "Otwórz rejestrację",
@@ -430,5 +437,8 @@
 	"revoke_access": "Cofnij dostęp",
 	"revoke_access_description": "Cofnij dostęp do <b>{clientName}</b>. <b>{clientName}</b> nie będzie już mógł uzyskać dostępu do informacji o Twoim koncie.",
 	"revoke_access_successful": "Dostęp do strony {clientName} został pomyślnie cofnięty.",
-	"last_signed_in_ago": "Ostatnio zalogowany {time} temu"
+	"last_signed_in_ago": "Ostatnio zalogowany {time} temu",
+	"invalid_client_id": "Identyfikator klienta może zawierać wyłącznie litery, cyfry, znaki podkreślenia i łączniki.",
+	"custom_client_id_description": "Ustaw niestandardowy identyfikator klienta, jeśli jest to wymagane przez twoją aplikację. W przeciwnym razie pozostaw to pole puste, aby wygenerować losowy identyfikator.",
+	"generated": "Wygenerowano"
 }

frontend/messages/pt-BR.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Clique para copiar",
 	"something_went_wrong": "Algo deu errado",
 	"go_back_to_home": "Voltar para o início",
-	"dont_have_access_to_your_passkey": "Não tem acesso à sua chave de acesso?",
+	"alternative_sign_in_methods": "Outras formas de entrar",
 	"login_background": "Histórico de login",
 	"logo": "Logotipo",
 	"login_code": "Código de Login:",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Public clients do not have a client secret and use PKCE instead. Enable this if your client is a SPA or mobile app.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "A troca de chaves públicas é um recurso de segurança que evita ataques CSRF e interceptação de códigos de autorização.",
+	"requires_reauthentication": "Precisa autenticar de novo",
+	"requires_users_to_authenticate_again_on_each_authorization": "Pede que os usuários se autentiquem de novo em cada autorização, mesmo que já estejam conectados.",
 	"name_logo": "{name} logotipo",
 	"change_logo": "Alterar logotipo",
 	"upload_logo": "Carregar logotipo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Número de vezes que o token de inscrição pode ser usado.",
 	"expires": "Vence",
 	"signup": "Cadastre-se",
+	"user_creation": "Criação de usuário",
+	"configure_user_creation": "Gerencie as configurações de criação de usuários, incluindo métodos de inscrição e permissões padrão para novos usuários.",
+	"user_creation_groups_description": "Atribuir esses grupos automaticamente aos novos usuários quando eles se cadastrarem.",
+	"user_creation_claims_description": "Atribua essas reivindicações personalizadas automaticamente aos novos usuários no momento da inscrição.",
+	"user_creation_updated_successfully": "As configurações de criação do usuário foram atualizadas com sucesso.",
+	"signup_disabled_description": "As inscrições de usuários estão totalmente desativadas. Só os administradores podem criar novas contas de usuário.",
 	"signup_requires_valid_token": "É preciso um token de inscrição válido pra criar uma conta.",
 	"validating_signup_token": "Validando o token de inscrição",
 	"go_to_login": "Vá para o login",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Pular por enquanto",
 	"account_created": "Conta criada",
 	"enable_user_signups": "Ativar inscrições de usuários",
-	"enable_user_signups_description": "Se a funcionalidade de cadastro de usuários deve ser ativada.",
+	"enable_user_signups_description": "Decida como os usuários podem se cadastrar para novas contas no Pocket ID.",
 	"user_signups_are_disabled": "As inscrições de usuários estão desativadas no momento.",
 	"create_signup_token": "Criar token de inscrição",
 	"view_active_signup_tokens": "Ver tokens de inscrição ativos",
@@ -412,7 +420,6 @@
 	"loading": "Carregando",
 	"delete_signup_token": "Apagar token de inscrição",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Tem certeza que quer apagar esse token de inscrição? Não dá pra voltar atrás.",
-	"signup_disabled_description": "As inscrições de usuários estão totalmente desativadas. Só os administradores podem criar novas contas de usuário.",
 	"signup_with_token": "Cadastre-se com token",
 	"signup_with_token_description": "Os usuários só podem se cadastrar usando um token de cadastro válido criado por um administrador.",
 	"signup_open": "Inscrição aberta",
@@ -430,5 +437,8 @@
 	"revoke_access": "Revogar acesso",
 	"revoke_access_description": "Revogar acesso a <b>{clientName}</b>. <b>{clientName}</b> não vai mais conseguir acessar as informações da sua conta.",
 	"revoke_access_successful": "O acesso a {clientName} foi revogado com sucesso.",
-	"last_signed_in_ago": "Último login em {time} atrás"
+	"last_signed_in_ago": "Último login em {time} atrás",
+	"invalid_client_id": "A ID do cliente só pode ter letras, números, sublinhados e hífens.",
+	"custom_client_id_description": "Defina um ID de cliente personalizado se for necessário para o seu aplicativo. Caso contrário, deixe em branco para gerar um aleatório.",
+	"generated": "Gerado"
 }

frontend/messages/ru.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Нажмите, чтобы скопировать",
 	"something_went_wrong": "Что-то пошло не так",
 	"go_back_to_home": "Вернуться на главную",
-	"dont_have_access_to_your_passkey": "Нет доступа к вашему пасскею?",
+	"alternative_sign_in_methods": "Альтернативные способы входа",
 	"login_background": "Фон страницы входа",
 	"logo": "Логотип",
 	"login_code": "Код входа",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Публичные клиенты не имеют клиентского секрета. Они предназначены для мобильных, SPA и нативных приложений, где секретные данные нельзя надежно хранить.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange — это функция безопасности для предотвращения атак CSRF и перехвата кода авторизации.",
+	"requires_reauthentication": "Требуется повторная аутентификация",
+	"requires_users_to_authenticate_again_on_each_authorization": "Требует от пользователей повторной аутентификации при каждой авторизации, даже если они уже вошли в систему",
 	"name_logo": "Логотип {name}",
 	"change_logo": "Изменить логотип",
 	"upload_logo": "Загрузить логотип",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Количество раз, которое может быть использован токен регистрации.",
 	"expires": "Истекает",
 	"signup": "Зарегистрироваться",
+	"user_creation": "Создание пользователя",
+	"configure_user_creation": "Управляйте настройками создания пользователя, включая способы регистрации и разрешения по умолчанию для новых пользователей.",
+	"user_creation_groups_description": "Назначать эти группы автоматически новым пользователям при регистрации.",
+	"user_creation_claims_description": "Назначить эти пользовательские claims автоматически новым пользователям при регистрации.",
+	"user_creation_updated_successfully": "Настройки создания пользователя обновлены.",
+	"signup_disabled_description": "Регистрация пользователей полностью отключена. Только администраторы могут создавать новые учетные записи пользователей.",
 	"signup_requires_valid_token": "Для создания учетной записи необходим действительный токен регистрации",
 	"validating_signup_token": "Проверка токена регистрации",
 	"go_to_login": "Перейти ко входу",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Пока пропустить",
 	"account_created": "Учетная запись создана",
 	"enable_user_signups": "Включить регистрацию пользователей",
-	"enable_user_signups_description": "Должна ли быть включена функция регистрации пользователя.",
+	"enable_user_signups_description": "Решите, как пользователи могут регистрировать новые учетные записи в Pocket ID.",
 	"user_signups_are_disabled": "Регистрация пользователей в настоящее время отключена",
 	"create_signup_token": "Создать токен регистрации",
 	"view_active_signup_tokens": "Показать активные токены регистрации",
@@ -412,7 +420,6 @@
 	"loading": "Загрузка",
 	"delete_signup_token": "Удалить токен регистрации",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Вы уверены, что хотите удалить этот токен регистрации? Это действие нельзя отменить.",
-	"signup_disabled_description": "Регистрация пользователей полностью отключена. Только администраторы могут создавать новые учетные записи пользователей.",
 	"signup_with_token": "Регистрация с токеном",
 	"signup_with_token_description": "Пользователи могут зарегистрироваться только с помощью действительного токена регистрации, созданного администратором.",
 	"signup_open": "Открытая регистрация",
@@ -430,5 +437,8 @@
 	"revoke_access": "Отозвать доступ",
 	"revoke_access_description": "Отозвать доступ к <b>{clientName}</b>. <b>{clientName}</b> больше не сможет получить доступ к информации вашей учетной записи.",
 	"revoke_access_successful": "Доступ к {clientName} успешно отозван.",
-	"last_signed_in_ago": "Последний вход {time} назад"
+	"last_signed_in_ago": "Последний вход {time} назад",
+	"invalid_client_id": "ID клиента может содержать только буквы, цифры, подчеркивания и дефисы",
+	"custom_client_id_description": "Установите пользовательский ID клиента, если это нужно для вашего приложения. Если нет, оставьте поле пустым, чтобы он был сгенерирован случайным образом.",
+	"generated": "Сгенерированный"
 }

frontend/messages/uk.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Натисніть, щоб скопіювати",
 	"something_went_wrong": "Щось пішло не так",
 	"go_back_to_home": "Повернутися на головну сторінку",
-	"dont_have_access_to_your_passkey": "Не маєте доступу до свого ключа доступу?",
+	"alternative_sign_in_methods": "Альтернативні способи входу",
 	"login_background": "Фон сторінки входу",
 	"logo": "Логотип",
 	"login_code": "Код входу",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Публічні клієнти не мають секретного ключа. Вони призначені для мобільних, веб та нативних додатків, де секретний ключ не може надійно зберігатись.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange — це функція безпеки, що запобігає атакам типу CSRF та перехопленню коду авторизації.",
+	"requires_reauthentication": "Потрібна повторна автентифікація",
+	"requires_users_to_authenticate_again_on_each_authorization": "Вимагає від користувачів повторної автентифікації при кожній авторизації, навіть якщо вони вже ввійшли в систему.",
 	"name_logo": "Логотип {name}",
 	"change_logo": "Змінити логотип",
 	"upload_logo": "Вивантажити логотип",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Скільки разів можна використовувати реєстраційний токен.",
 	"expires": "Термін дії",
 	"signup": "Зареєструватися",
+	"user_creation": "Створення користувача",
+	"configure_user_creation": "Керуйте налаштуваннями створення користувачів, включаючи методи реєстрації та права доступу за замовчуванням для нових користувачів.",
+	"user_creation_groups_description": "Призначте ці групи автоматично новим користувачам під час реєстрації.",
+	"user_creation_claims_description": "Призначте ці власні вимоги автоматично новим користувачам під час реєстрації.",
+	"user_creation_updated_successfully": "Налаштування створення користувача успішно оновлено.",
+	"signup_disabled_description": "Реєстрація користувачів повністю вимкнена. Нові облікові записи можуть створювати лише адміністратори.",
 	"signup_requires_valid_token": "Для створення облікового запису потрібен дійсний токен реєстрації",
 	"validating_signup_token": "Перевірка токена реєстрації",
 	"go_to_login": "Перейти до входу",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Пропустити наразі",
 	"account_created": "Обліковий запис створено",
 	"enable_user_signups": "Дозволити реєстрацію користувачів",
-	"enable_user_signups_description": "Чи слід увімкнути можливість реєстрації користувачів.",
+	"enable_user_signups_description": "Визначте, як користувачі можуть реєструвати нові облікові записи в Pocket ID.",
 	"user_signups_are_disabled": "Реєстрація користувачів наразі вимкнена",
 	"create_signup_token": "Створити токен реєстрації",
 	"view_active_signup_tokens": "Переглянути активні токени реєстрації",
@@ -412,7 +420,6 @@
 	"loading": "Завантаження",
 	"delete_signup_token": "Видалити токен реєстрації",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Ви впевнені, що хочете видалити цей токен реєстрації? Цю дію неможливо скасувати.",
-	"signup_disabled_description": "Реєстрація користувачів повністю вимкнена. Нові облікові записи можуть створювати лише адміністратори.",
 	"signup_with_token": "Зареєструватися за допомогою токену",
 	"signup_with_token_description": "Користувачі можуть зареєструватися лише за допомогою дійсного токена реєстрації, створеного адміністратором.",
 	"signup_open": "Відкрита реєстрація",
@@ -430,5 +437,8 @@
 	"revoke_access": "Скасувати доступ",
 	"revoke_access_description": "Скасувати доступ для <b>{clientName}</b>. <b>{clientName}</b> більше не зможе отримати доступ до інформації вашого облікового запису.",
 	"revoke_access_successful": "Доступ для {clientName} було успішно скасовано.",
-	"last_signed_in_ago": "Останній вхід {time} тому"
+	"last_signed_in_ago": "Останній вхід {time} тому",
+	"invalid_client_id": "Ідентифікатор клієнта може містити тільки літери, цифри, підкреслення та дефіси.",
+	"custom_client_id_description": "Встановіть власний ідентифікатор клієнта, якщо це потрібно для вашої програми. В іншому випадку залиште поле порожнім, щоб створити випадковий ідентифікатор.",
+	"generated": "Створено"
 }

frontend/messages/vi.json

@@ -23,7 +23,7 @@
 	"click_to_copy": "Nhấn để sao chép",
 	"something_went_wrong": "Đã xảy ra lỗi",
 	"go_back_to_home": "Quay lại trang chủ",
-	"dont_have_access_to_your_passkey": "Không có passkey?",
+	"alternative_sign_in_methods": "Các phương thức đăng nhập thay thế",
 	"login_background": "Hình nền đăng nhập",
 	"logo": "Logo",
 	"login_code": "Mã đăng nhập",
@@ -276,6 +276,8 @@
 	"public_clients_description": "Public client không có client secret. Chúng được thiết kế cho các ứng dụng di động, web và ứng dụng gốc, nơi các khóa bí mật không thể được lưu trữ một cách an toàn.",
 	"pkce": "PKCE",
 	"public_key_code_exchange_is_a_security_feature_to_prevent_csrf_and_authorization_code_interception_attacks": "Public Key Code Exchange là một tính năng bảo mật nhằm ngăn chặn các cuộc tấn công CSRF và đánh cắp mã xác thực.",
+	"requires_reauthentication": "Yêu cầu xác thực lại",
+	"requires_users_to_authenticate_again_on_each_authorization": "Yêu cầu người dùng xác thực lại mỗi lần ủy quyền, ngay cả khi đã đăng nhập.",
 	"name_logo": "{name} logo",
 	"change_logo": "Đổi Logo",
 	"upload_logo": "Tải logo",
@@ -385,6 +387,12 @@
 	"number_of_times_token_can_be_used": "Số lần token đăng ký có thể được sử dụng.",
 	"expires": "Hết hạn",
 	"signup": "Đăng ký",
+	"user_creation": "Tạo tài khoản người dùng",
+	"configure_user_creation": "Quản lý cài đặt tạo tài khoản người dùng, bao gồm các phương thức đăng ký và quyền truy cập mặc định cho người dùng mới.",
+	"user_creation_groups_description": "Tự động gán các nhóm này cho người dùng mới khi họ đăng ký.",
+	"user_creation_claims_description": "Tự động gán các yêu cầu tùy chỉnh này cho người dùng mới khi họ đăng ký.",
+	"user_creation_updated_successfully": "Cài đặt tạo người dùng đã được cập nhật thành công.",
+	"signup_disabled_description": "Đăng ký người dùng đã bị vô hiệu hóa hoàn toàn. Chỉ quản trị viên mới có thể tạo tài khoản người dùng mới.",
 	"signup_requires_valid_token": "Yêu cầu mã đăng ký hợp lệ để tạo tài khoản",
 	"validating_signup_token": "Xác thực token đăng ký",
 	"go_to_login": "Đi tới đăng nhập",
@@ -396,7 +404,7 @@
 	"skip_for_now": "Tạm thời bỏ qua",
 	"account_created": "Tài khoản đã được tạo",
 	"enable_user_signups": "Bật đăng ký người dùng",
-	"enable_user_signups_description": "Có nên kích hoạt tính năng Đăng ký người dùng hay không.",
+	"enable_user_signups_description": "Quyết định cách người dùng có thể đăng ký tài khoản mới trong Pocket ID.",
 	"user_signups_are_disabled": "Đăng ký người dùng hiện đang bị vô hiệu hóa",
 	"create_signup_token": "Tạo Signup Token",
 	"view_active_signup_tokens": "Xem các Signup Tokens đang hoạt động",
@@ -412,7 +420,6 @@
 	"loading": "Đang tải",
 	"delete_signup_token": "Xóa mã Signup Token",
 	"are_you_sure_you_want_to_delete_this_signup_token": "Bạn có chắc muốn xoá signup token này không? Thao tác này không thể được hoàn lại.",
-	"signup_disabled_description": "Đăng ký người dùng đã bị vô hiệu hóa hoàn toàn. Chỉ quản trị viên mới có thể tạo tài khoản người dùng mới.",
 	"signup_with_token": "Đăng ký bằng token",
 	"signup_with_token_description": "Người dùng chỉ có thể đăng ký bằng mã đăng ký hợp lệ do quản trị viên tạo ra.",
 	"signup_open": "Mở Đăng Ký",
@@ -430,5 +437,8 @@
 	"revoke_access": "Hủy quyền truy cập",
 	"revoke_access_description": "Hủy quyền truy cập vào <b>{clientName}</b>. <b>{clientName}</b> sẽ không còn có thể truy cập thông tin tài khoản của bạn.",
 	"revoke_access_successful": "Quyền truy cập vào {clientName} đã bị thu hồi thành công.",
-	"last_signed_in_ago": "Lần đăng nhập cuối cùng cách đây {time}"
+	"last_signed_in_ago": "Lần đăng nhập cuối cùng cách đây {time}",
+	"invalid_client_id": "ID khách hàng chỉ có thể chứa các ký tự chữ cái, số, dấu gạch dưới và dấu gạch ngang.",
+	"custom_client_id_description": "Đặt ID khách hàng tùy chỉnh nếu ứng dụng của bạn yêu cầu. Nếu không, hãy để trống để hệ thống tự động tạo một ID ngẫu nhiên.",
+	"generated": "Được tạo ra"
 }