Fix translation issue with targets

remove duplicate yargs

.dockerignore

@@ -26,3 +26,4 @@ install/
 bruno/
 LICENSE
 CONTRIBUTING.md
+dist

.github/dependabot.yml

@@ -0,0 +1,35 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+          
+  - package-ecosystem: "docker"
+    directory: "/"
+    schedule:
+      interval: "daily"
+    groups:
+      patch-updates:
+        update-types:
+          - "patch"
+      minor-updates:
+        update-types:
+          - "minor"

.github/workflows/linting.yml

@@ -0,0 +1,34 @@
+name: ESLint
+
+on:
+    pull_request:
+        paths:
+            - '**/*.js'
+            - '**/*.jsx'
+            - '**/*.ts'
+            - '**/*.tsx'
+            - '.eslintrc*'
+            - 'package.json'
+            - 'yarn.lock'
+            - 'pnpm-lock.yaml'
+            - 'package-lock.json'
+
+jobs:
+    Linter:
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout code
+              uses: actions/checkout@v4
+
+            - name: Set up Node.js
+              uses: actions/setup-node@v4
+              with:
+                node-version: '20'
+
+            - name: Install dependencies
+              run: |
+                npm ci
+
+            - name: Run ESLint
+              run: |
+                npx eslint . --ext .js,.jsx,.ts,.tsx

.github/workflows/stale-bot.yml

@@ -0,0 +1,37 @@
+name: Mark and Close Stale Issues
+
+on:
+  schedule:
+    - cron: '0 0 * * *'
+  workflow_dispatch: # Allow manual trigger
+
+permissions:
+  contents: write # only for delete-branch option
+  issues: write
+  pull-requests: write
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v9
+        with:
+          days-before-stale: 14
+          days-before-close: 14
+          stale-issue-message: 'This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.'
+          close-issue-message: 'This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.'
+          stale-issue-label: 'stale'
+          
+          exempt-issue-labels: 'needs investigating, networking, new feature, reverse proxy, bug, api, authentication, documentation, enhancement, help wanted, good first issue, question'
+          
+          exempt-all-issue-assignees: true
+          
+          only-labels: ''
+          exempt-pr-labels: ''
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          
+          operations-per-run: 100
+          remove-stale-when-updated: true
+          delete-branch: false
+          enable-statistics: true

.github/workflows/test.yml

@@ -0,0 +1,49 @@
+name: Run Tests
+
+on:
+  pull_request:
+    branches:
+      - main
+      - dev
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+
+      - name: Copy config file
+        run: cp config/config.example.yml config/config.yml
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Generate database migrations
+        run: npm run db:sqlite:generate
+
+      - name: Apply database migrations
+        run: npm run db:sqlite:push
+
+      - name: Start app in background
+        run: nohup npm run dev &
+
+      - name: Wait for app availability
+        run: |
+          for i in {1..5}; do
+            if curl --silent --fail http://localhost:3002/auth/login; then
+              echo "App is up"
+              exit 0
+            fi
+            echo "Waiting for the app... attempt $i"
+            sleep 5
+          done
+          echo "App failed to start"
+          exit 1
+
+      - name: Build Docker image
+        run: make build

.gitignore

@@ -32,3 +32,5 @@ installer
 bin
 .secrets
 test_event.json
+.idea/
+server/db/index.ts

Dockerfile

@@ -2,32 +2,40 @@ FROM node:20-alpine AS builder
 
 WORKDIR /app
 
-COPY package.json package-lock.json ./
+# COPY package.json package-lock.json ./
+COPY package*.json ./
 RUN npm ci
 
 COPY . .
 
-RUN npx drizzle-kit generate --dialect sqlite --schema ./server/db/schema.ts --out init
+RUN echo 'export * from "./sqlite";' > server/db/index.ts
 
-RUN npm run build
+RUN npx drizzle-kit generate --dialect sqlite --schema ./server/db/sqlite/schema.ts --out init
+
+RUN npm run build:sqlite
+RUN npm run build:cli
 
 FROM node:20-alpine AS runner
 
 WORKDIR /app
 
 # Curl used for the health checks
-RUN apk add --no-cache curl 
+RUN apk add --no-cache curl
 
-COPY package.json package-lock.json ./
-RUN npm ci --only=production && npm cache clean --force
+# COPY package.json package-lock.json ./
+COPY package*.json ./
+RUN npm ci --omit=dev && npm cache clean --force
 
 COPY --from=builder /app/.next/standalone ./
 COPY --from=builder /app/.next/static ./.next/static
 COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/init ./dist/init
 
+COPY ./cli/wrapper.sh /usr/local/bin/pangctl
+RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
+
 COPY server/db/names.json ./dist/names.json
 
 COPY public ./public
 
-CMD ["npm", "start"]
+CMD ["npm", "run", "start:sqlite"]

Dockerfile.pg

@@ -0,0 +1,41 @@
+FROM node:20-alpine AS builder
+
+WORKDIR /app
+
+# COPY package.json package-lock.json ./
+COPY package*.json ./
+RUN npm ci
+
+COPY . .
+
+RUN echo 'export * from "./pg";' > server/db/index.ts
+
+RUN npx drizzle-kit generate --dialect postgresql --schema ./server/db/pg/schema.ts --out init
+
+RUN npm run build:pg
+RUN npm run build:cli
+
+FROM node:20-alpine AS runner
+
+WORKDIR /app
+
+# Curl used for the health checks
+RUN apk add --no-cache curl
+
+# COPY package.json package-lock.json ./
+COPY package*.json ./
+RUN npm ci --omit=dev && npm cache clean --force
+
+COPY --from=builder /app/.next/standalone ./
+COPY --from=builder /app/.next/static ./.next/static
+COPY --from=builder /app/dist ./dist
+COPY --from=builder /app/init ./dist/init
+
+COPY ./cli/wrapper.sh /usr/local/bin/pangctl
+RUN chmod +x /usr/local/bin/pangctl ./dist/cli.mjs
+
+COPY server/db/names.json ./dist/names.json
+
+COPY public ./public
+
+CMD ["npm", "run", "start:pg"]

Makefile

@@ -1,10 +1,14 @@
+.PHONY: build build-release build-arm build-x86 test clean
+
 build-release:
 	@if [ -z "$(tag)" ]; then \
-		echo "Error: tag is required. Usage: make build-all tag=<tag>"; \
+		echo "Error: tag is required. Usage: make build-release tag=<tag>"; \
 		exit 1; \
 	fi
 	docker buildx build --platform linux/arm64,linux/amd64 -t fosrl/pangolin:latest -f Dockerfile --push .
 	docker buildx build --platform linux/arm64,linux/amd64 -t fosrl/pangolin:$(tag) -f Dockerfile --push .
+	docker buildx build --platform linux/arm64,linux/amd64 -t fosrl/pangolin:postgresql-latest -f Dockerfile.pg --push .
+	docker buildx build --platform linux/arm64,linux/amd64 -t fosrl/pangolin:postgresql-$(tag) -f Dockerfile.pg --push .
 
 build-arm:
 	docker buildx build --platform linux/arm64 -t fosrl/pangolin:latest .

README.md

@@ -1,15 +1,13 @@
 <div align="center">
-    <h2 align="center"><a href="https://fossorial.io"><img alt="pangolin" src="public/logo//word_mark.png" width="400" /></a></h2>
-
-[![Documentation](https://img.shields.io/badge/docs-latest-blue.svg?style=flat-square)](https://docs.fossorial.io/)
-[![Docker](https://img.shields.io/docker/pulls/fosrl/pangolin?style=flat-square)](https://hub.docker.com/r/fosrl/pangolin)
-![Stars](https://img.shields.io/github/stars/fosrl/pangolin?style=flat-square)
-[![Discord](https://img.shields.io/discord/1325658630518865980?logo=discord&style=flat-square)](https://discord.gg/HCJR8Xhme4)
-[![Youtube](https://img.shields.io/badge/YouTube-red?logo=youtube&logoColor=white&style=flat-square)](https://www.youtube.com/@fossorial-app)
-
+    <h2>
+      <picture>
+          <source media="(prefers-color-scheme: dark)" srcset="public/logo/word_mark_white.png">
+          <img alt="Pangolin Logo" src="public/logo/word_mark_black.png" width="250">
+        </picture>
+    </h2>
 </div>
 
-<h3 align="center">Tunneled Mesh Reverse Proxy Server with Access Control</h3>
+<h4 align="center">Tunneled Reverse Proxy Server with Access Control</h4>
 <div align="center">
 
 _Your own self-hosted zero trust tunnel._
@@ -30,57 +28,68 @@ _Your own self-hosted zero trust tunnel._
         Contact Us
       </a>
   </h5>
+
+[![Docker](https://img.shields.io/docker/pulls/fosrl/pangolin?style=flat-square)](https://hub.docker.com/r/fosrl/pangolin)
+![Stars](https://img.shields.io/github/stars/fosrl/pangolin?style=flat-square)
+[![Discord](https://img.shields.io/discord/1325658630518865980?logo=discord&style=flat-square)](https://discord.gg/HCJR8Xhme4)
+[![Youtube](https://img.shields.io/badge/YouTube-red?logo=youtube&logoColor=white&style=flat-square)](https://www.youtube.com/@fossorial-app)
+
 </div>
 
 Pangolin is a self-hosted tunneled reverse proxy server with identity and access control, designed to securely expose private resources on distributed networks. Acting as a central hub, it connects isolated networks — even those behind restrictive firewalls — through encrypted tunnels, enabling easy access to remote services without opening ports.
 
-<img src="public/screenshots/sites.png" alt="Preview"/>
+<img src="public/screenshots/hero.png" alt="Preview"/>
 
-_Sites page of Pangolin dashboard (dark mode) showing multiple tunnels connected to the central server._
+_Resources page of Pangolin dashboard (dark mode) showing multiple resources available to connect._
 
 ## Key Features
 
 ### Reverse Proxy Through WireGuard Tunnel
 
--   Expose private resources on your network **without opening ports** (firewall punching).
--   Secure and easy to configure site-to-site connectivity via a custom **user space WireGuard client**, [Newt](https://github.com/fosrl/newt).
--   Built-in support for any WireGuard client.
--   Automated **SSL certificates** (https) via [LetsEncrypt](https://letsencrypt.org/).
--   Support for HTTP/HTTPS and **raw TCP/UDP services**.
--   Load balancing.
+- Expose private resources on your network **without opening ports** (firewall punching).
+- Secure and easy to configure site-to-site connectivity via a custom **user space WireGuard client**, [Newt](https://github.com/fosrl/newt).
+- Built-in support for any WireGuard client.
+- Automated **SSL certificates** (https) via [LetsEncrypt](https://letsencrypt.org/).
+- Support for HTTP/HTTPS and **raw TCP/UDP services**.
+- Load balancing.
 
 ### Identity & Access Management
 
--   Centralized authentication system using platform SSO. **Users will only have to manage one login.**
--   **Define access control rules for IPs, IP ranges, and URL paths per resource.**
--   TOTP with backup codes for two-factor authentication.
--   Create organizations, each with multiple sites, users, and roles.
--   **Role-based access control** to manage resource access permissions.
--   Additional authentication options include:
-    -   Email whitelisting with **one-time passcodes.**
-    -   **Temporary, self-destructing share links.**
-    -   Resource specific pin codes.
-    -   Resource specific passwords.
+- Centralized authentication system using platform SSO. **Users will only have to manage one login.**
+- **Define access control rules for IPs, IP ranges, and URL paths per resource.**
+- TOTP with backup codes for two-factor authentication.
+- Create organizations, each with multiple sites, users, and roles.
+- **Role-based access control** to manage resource access permissions.
+- Additional authentication options include:
+    - Email whitelisting with **one-time passcodes.**
+    - **Temporary, self-destructing share links.**
+    - Resource specific pin codes.
+    - Resource specific passwords.
+- External identity provider (IdP) support with OAuth2/OIDC, such as Authentik, Keycloak, Okta, and others.
+    - Auto-provision users and roles from your IdP.
 
 ### Simple Dashboard UI
 
--   Manage sites, users, and roles with a clean and intuitive UI.
--   Monitor site usage and connectivity.
--   Light and dark mode options.
--   Mobile friendly.
+- Manage sites, users, and roles with a clean and intuitive UI.
+- Monitor site usage and connectivity.
+- Light and dark mode options.
+- Mobile friendly.
 
 ### Easy Deployment
 
--   Run on any cloud provider or on-premises.
--   **Docker Compose based setup** for simplified deployment.
--   Future-proof installation script for streamlined setup and feature additions.
--   Use any WireGuard client to connect, or use **Newt, our custom user space client** for the best experience.
+- Run on any cloud provider or on-premises.
+- **Docker Compose based setup** for simplified deployment.
+- Future-proof installation script for streamlined setup and feature additions.
+- Use any WireGuard client to connect, or use **Newt, our custom user space client** for the best experience.
+- Use the API to create custom integrations and scripts.
+    - Fine-grained access control to the API via scoped API keys.
+    - Comprehensive Swagger documentation for the API.
 
 ### Modular Design
 
--   Extend functionality with existing [Traefik](https://github.com/traefik/traefik) plugins, such as [CrowdSec](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin) and [Geoblock](github.com/PascalMinder/geoblock).
+- Extend functionality with existing [Traefik](https://github.com/traefik/traefik) plugins, such as [CrowdSec](https://plugins.traefik.io/plugins/6335346ca4caa9ddeffda116/crowdsec-bouncer-traefik-plugin) and [Geoblock](https://github.com/PascalMinder/geoblock).
     - **Automatically install and configure Crowdsec via Pangolin's installer script.**
--   Attach as many sites to the central server as you wish.
+- Attach as many sites to the central server as you wish.
 
 <img src="public/screenshots/collage.png" alt="Collage"/>
 
@@ -88,22 +97,22 @@ _Sites page of Pangolin dashboard (dark mode) showing multiple tunnels connected
 
 1. **Deploy the Central Server**:
 
-   - Deploy the Docker Compose stack onto a VPS hosted on a cloud platform like RackNerd, Amazon EC2, DigitalOcean Droplet, or similar. There are many cheap VPS hosting options available to suit your needs.
-   
+    - Deploy the Docker Compose stack onto a VPS hosted on a cloud platform like RackNerd, Amazon EC2, DigitalOcean Droplet, or similar. There are many cheap VPS hosting options available to suit your needs.
+
 > [!TIP]
-> Many of our users have had a great experience with [RackNerd](https://my.racknerd.com/aff.php?aff=13788). Depending on promotions, you can likely get a **VPS with 1 vCPU, 1GB RAM, and ~20GB SSD for just around $12/year**. That's a great deal!
+> Many of our users have had a great experience with [RackNerd](https://my.racknerd.com/aff.php?aff=13788). Depending on promotions, you can get a [**VPS with 1 vCPU, 1GB RAM, and ~20GB SSD for just around $12/year**](https://my.racknerd.com/aff.php?aff=13788&pid=912). That's a great deal!
 > We are part of the [RackNerd](https://my.racknerd.com/aff.php?aff=13788) affiliate program, so if you purchase through [our link](https://my.racknerd.com/aff.php?aff=13788), we receive a small commission which helps us maintain the project and keep it free for everyone.
 
-2. **Domain Configuration**:
+1. **Domain Configuration**:
 
     - Point your domain name to the VPS and configure Pangolin with your preferred settings.
 
-3. **Connect Private Sites**:
+2. **Connect Private Sites**:
 
     - Install Newt or use another WireGuard client on private sites.
     - Automatically establish a connection from these sites to the central server.
 
-4. **Expose Resources**:
+3. **Expose Resources**:
 
     - Add resources to the central server and configure access control rules.
     - Access these resources securely from anywhere.
@@ -111,21 +120,19 @@ _Sites page of Pangolin dashboard (dark mode) showing multiple tunnels connected
 **Use Case Example - Bypassing Port Restrictions in Home Lab**:  
  Imagine private sites where the ISP restricts port forwarding. By connecting these sites to Pangolin via WireGuard, you can securely expose HTTP and HTTPS resources on the private network without any networking complexity.
 
+**Use Case Example - Deploying Services For Your Business**:
+You can use Pangolin as an easy way to expose your business applications to your users behind a safe authentication portal you can integrate into your IdP solution. Expose resources on prem and on the cloud.
+
 **Use Case Example - IoT Networks**:  
  IoT networks are often fragmented and difficult to manage. By deploying Pangolin on a central server, you can connect all your IoT sites via Newt or another WireGuard client. This creates a simple, secure, and centralized way to access IoT resources without the need for intricate networking setups.
 
-
-<img src="public/screenshots/resources.png" alt="Resources"/>
-
-_Resources page of Pangolin dashboard (dark mode) showing HTTPS and TCP resources with access control rules._
-
 ## Similar Projects and Inspirations
 
 **Cloudflare Tunnels**:  
-    A similar approach to proxying private resources securely, but Pangolin is a self-hosted alternative, giving you full control over your infrastructure.
+ A similar approach to proxying private resources securely, but Pangolin is a self-hosted alternative, giving you full control over your infrastructure.
 
-**Authentik and Authelia**:  
-    These projects inspired Pangolin’s centralized authentication system for proxies, enabling robust user and role management.
+**Authelia**:  
+ This inspired Pangolin’s centralized authentication system for proxies, enabling robust user and role management.
 
 ## Project Development / Roadmap
 
@@ -136,7 +143,7 @@ View the [project board](https://github.com/orgs/fosrl/projects/1) for more deta
 
 ## Licensing
 
-Pangolin is dual licensed under the AGPL-3 and the Fossorial Commercial license. To see our commercial offerings, please see our [website](https://fossorial.io) for details. For inquiries about commercial licensing, please contact us at [numbat@fossorial.io](mailto:numbat@fossorial.io).
+Pangolin is dual licensed under the AGPL-3 and the Fossorial Commercial license. Please see the [LICENSE](./LICENSE) file in the repository for details. For inquiries about commercial licensing, please contact us at [numbat@fossorial.io](mailto:numbat@fossorial.io).
 
 ## Contributions
 

cli/commands/setAdminCredentials.ts

@@ -0,0 +1,141 @@
+import { CommandModule } from "yargs";
+import { hashPassword, verifyPassword } from "@server/auth/password";
+import { db, resourceSessions, sessions } from "@server/db";
+import { users } from "@server/db";
+import { eq, inArray } from "drizzle-orm";
+import moment from "moment";
+import { fromError } from "zod-validation-error";
+import { passwordSchema } from "@server/auth/passwordSchema";
+import { UserType } from "@server/types/UserTypes";
+import { generateRandomString, RandomReader } from "@oslojs/crypto/random";
+
+type SetAdminCredentialsArgs = {
+    email: string;
+    password: string;
+};
+
+export const setAdminCredentials: CommandModule<{}, SetAdminCredentialsArgs> = {
+    command: "set-admin-credentials",
+    describe: "Set the server admin credentials",
+    builder: (yargs) => {
+        return yargs
+            .option("email", {
+                type: "string",
+                demandOption: true,
+                describe: "Admin email address"
+            })
+            .option("password", {
+                type: "string",
+                demandOption: true,
+                describe: "Admin password"
+            });
+    },
+    handler: async (argv: { email: string; password: string }) => {
+        try {
+            const { email, password } = argv;
+
+            const parsed = passwordSchema.safeParse(password);
+
+            if (!parsed.success) {
+                throw Error(
+                    `Invalid server admin password: ${fromError(parsed.error).toString()}`
+                );
+            }
+
+            const passwordHash = await hashPassword(password);
+
+            await db.transaction(async (trx) => {
+                try {
+                    const [existing] = await trx
+                        .select()
+                        .from(users)
+                        .where(eq(users.serverAdmin, true));
+
+                    if (existing) {
+                        const passwordChanged = !(await verifyPassword(
+                            password,
+                            existing.passwordHash!
+                        ));
+
+                        if (passwordChanged) {
+                            await trx
+                                .update(users)
+                                .set({ passwordHash })
+                                .where(eq(users.userId, existing.userId));
+
+                            await invalidateAllSessions(existing.userId);
+                            console.log("Server admin password updated");
+                        }
+
+                        if (existing.email !== email) {
+                            await trx
+                                .update(users)
+                                .set({ email, username: email })
+                                .where(eq(users.userId, existing.userId));
+
+                            console.log("Server admin email updated");
+                        }
+                    } else {
+                        const userId = generateId(15);
+
+                        await trx.update(users).set({ serverAdmin: false });
+
+                        await db.insert(users).values({
+                            userId: userId,
+                            email: email,
+                            type: UserType.Internal,
+                            username: email,
+                            passwordHash,
+                            dateCreated: moment().toISOString(),
+                            serverAdmin: true,
+                            emailVerified: true
+                        });
+
+                        console.log("Server admin created");
+                    }
+                } catch (e) {
+                    console.error("Failed to set admin credentials", e);
+                    trx.rollback();
+                    throw e;
+                }
+            });
+
+            console.log("Admin credentials updated successfully");
+            process.exit(0);
+        } catch (error) {
+            console.error("Error:", error);
+            process.exit(1);
+        }
+    }
+};
+
+export async function invalidateAllSessions(userId: string): Promise<void> {
+    try {
+        await db.transaction(async (trx) => {
+            const userSessions = await trx
+                .select()
+                .from(sessions)
+                .where(eq(sessions.userId, userId));
+            await trx.delete(resourceSessions).where(
+                inArray(
+                    resourceSessions.userSessionId,
+                    userSessions.map((s) => s.sessionId)
+                )
+            );
+            await trx.delete(sessions).where(eq(sessions.userId, userId));
+        });
+    } catch (e) {
+        console.log("Failed to all invalidate user sessions", e);
+    }
+}
+
+const random: RandomReader = {
+    read(bytes: Uint8Array): void {
+        crypto.getRandomValues(bytes);
+    }
+};
+
+export function generateId(length: number): string {
+    const alphabet = "abcdefghijklmnopqrstuvwxyz0123456789";
+    return generateRandomString(random, alphabet, length);
+}

cli/index.ts

@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+
+import yargs from "yargs";
+import { hideBin } from "yargs/helpers";
+import { setAdminCredentials } from "@cli/commands/setAdminCredentials";
+
+yargs(hideBin(process.argv))
+    .scriptName("pangctl")
+    .command(setAdminCredentials)
+    .demandCommand()
+    .help().argv;

cli/wrapper.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+cd /app/
+./dist/cli.mjs "$@"

config/config.example.yml

@@ -18,6 +18,10 @@ server:
     internal_hostname: "pangolin"
     session_cookie_name: "p_session_token"
     resource_access_token_param: "p_token"
+    secret: "your_secret_key_here"
+    resource_access_token_headers:
+        id: "P-Access-Token-Id"
+        token: "P-Access-Token"
     resource_session_request_param: "p_session_request"
 
 traefik:
@@ -35,12 +39,7 @@ gerbil:
 rate_limits:
     global:
         window_minutes: 1
-        max_requests: 100
-
-users:
-    server_admin:
-        email: "admin@example.com"
-        password: "Password123!"
+        max_requests: 500
 
 flags:
     require_email_verification: false

crowdin.yml

@@ -0,0 +1,3 @@
+files:
+  - source: /messages/en-US.json
+    translation: /messages/%locale%.json

docker-compose.example.yml

@@ -10,7 +10,7 @@ services:
       test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
       interval: "3s"
       timeout: "3s"
-      retries: 5
+      retries: 15
 
   gerbil:
     image: fosrl/gerbil:latest
@@ -35,7 +35,7 @@ services:
       - 80:80 # Port for traefik because of the network_mode
 
   traefik:
-    image: traefik:v3.3.3
+    image: traefik:v3.4.0
     container_name: traefik
     restart: unless-stopped
     network_mode: service:gerbil # Ports appear on the gerbil service

drizzle.pg.config.ts

@@ -0,0 +1,12 @@
+import { defineConfig } from "drizzle-kit";
+import path from "path";
+
+export default defineConfig({
+    dialect: "postgresql",
+    schema: path.join("server", "db", "pg", "schema.ts"),
+    out: path.join("server", "migrations"),
+    verbose: true,
+    dbCredentials: {
+        url: process.env.DATABASE_URL as string
+    }
+});

drizzle.sqlite.config.ts

@@ -4,10 +4,10 @@ import path from "path";
 
 export default defineConfig({
     dialect: "sqlite",
-    schema: path.join("server", "db", "schema.ts"),
+    schema: path.join("server", "db", "sqlite", "schema.ts"),
     out: path.join("server", "migrations"),
     verbose: true,
     dbCredentials: {
-        url: path.join(APP_PATH, "db", "db.sqlite"),
-    },
+        url: path.join(APP_PATH, "db", "db.sqlite")
+    }
 });

esbuild.mjs

@@ -52,6 +52,7 @@ esbuild
         bundle: true,
         outfile: argv.out,
         format: "esm",
+        minify: true,
         banner: {
             js: banner,
         },

eslint.config.js

@@ -1,9 +1,19 @@
-// eslint.config.js
-export default [
-    {
-        rules: {
-            semi: "error",
-            "prefer-const": "error"
-        }
+import tseslint from 'typescript-eslint';
+
+export default tseslint.config({
+  files: ["**/*.{ts,tsx,js,jsx}"],
+  languageOptions: {
+    parser: tseslint.parser,
+    parserOptions: {
+      ecmaVersion: "latest",
+      sourceType: "module",
+      ecmaFeatures: {
+        jsx: true
+      }
     }
-];
+  },
+  rules: {
+    "semi": "error",
+    "prefer-const": "warn"
+  }
+});

install/Makefile

@@ -21,4 +21,4 @@ update-versions:
 	echo "Updated main.go with latest versions"
 
 put-back:
-	mv main.go.bak main.go
+	mv main.go.bak main.go

install/config/config.yml

@@ -4,7 +4,6 @@
 app:
     dashboard_url: "https://{{.DashboardDomain}}"
     log_level: "info"
-    save_logs: false
 
 domains:
     domain1:
@@ -12,36 +11,17 @@ domains:
         cert_resolver: "letsencrypt"
 
 server:
-    external_port: 3000
-    internal_port: 3001
-    next_port: 3002
-    internal_hostname: "pangolin"
-    session_cookie_name: "p_session_token"
-    resource_access_token_param: "p_token"
-    resource_session_request_param: "p_session_request"
+    secret: "{{.Secret}}"
     cors:
         origins: ["https://{{.DashboardDomain}}"]
         methods: ["GET", "POST", "PUT", "DELETE", "PATCH"]
-        headers: ["X-CSRF-Token", "Content-Type"]
+        allowed_headers: ["X-CSRF-Token", "Content-Type"]
         credentials: false
 
-traefik:
-    cert_resolver: "letsencrypt"
-    http_entrypoint: "web"
-    https_entrypoint: "websecure"
-
 gerbil:
     start_port: 51820
     base_endpoint: "{{.DashboardDomain}}"
-    use_subdomain: false
-    block_size: 24
-    site_block_size: 30
-    subnet_group: 100.89.137.0/20
 
-rate_limits:
-    global:
-        window_minutes: 1
-        max_requests: 500
 {{if .EnableEmail}}
 email:
     smtp_host: "{{.EmailSMTPHost}}"
@@ -50,14 +30,10 @@ email:
     smtp_pass: "{{.EmailSMTPPass}}"
     no_reply: "{{.EmailNoReply}}"
 {{end}}
-users:
-    server_admin:
-        email: "{{.AdminUserEmail}}"
-        password: "{{.AdminUserPassword}}"
 
 flags:
     require_email_verification: {{.EnableEmail}}
-    disable_signup_without_invite: {{.DisableSignupWithoutInvite}}
-    disable_user_create_org: {{.DisableUserCreateOrg}}
+    disable_signup_without_invite: true
+    disable_user_create_org: false
     allow_raw_resources: true
     allow_base_domain_resources: true

install/config/crowdsec/acquis.d/appsec.yaml

@@ -0,0 +1,6 @@
+listen_addr: 0.0.0.0:7422
+appsec_config: crowdsecurity/appsec-default
+name: myAppSecComponent
+source: appsec
+labels:
+  type: appsec

install/config/crowdsec/acquis.d/traefik.yaml

@@ -0,0 +1,5 @@
+poll_without_inotify: false
+filenames:
+  - /var/log/traefik/*.log
+labels:
+  type: traefik

install/config/crowdsec/acquis.yaml

@@ -1,18 +0,0 @@
-filenames:
- - /var/log/auth.log
- - /var/log/syslog
-labels:
-  type: syslog
----
-poll_without_inotify: false
-filenames:
-  - /var/log/traefik/*.log
-labels:
-  type: traefik
----
-listen_addr: 0.0.0.0:7422
-appsec_config: crowdsecurity/appsec-default
-name: myAppSecComponent
-source: appsec
-labels:
-  type: appsec

install/config/crowdsec/docker-compose.yml

@@ -7,9 +7,11 @@ services:
       COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules
       ENROLL_INSTANCE_NAME: "pangolin-crowdsec"
       PARSERS: crowdsecurity/whitelists
-      ACQUIRE_FILES: "/var/log/traefik/*.log"
       ENROLL_TAGS: docker
     healthcheck:
+      interval: 10s
+      retries: 15
+      timeout: 10s
       test: ["CMD", "cscli", "capi", "status"]
     labels:
       - "traefik.enable=false" # Disable traefik for crowdsec
@@ -18,13 +20,8 @@ services:
       - ./config/crowdsec:/etc/crowdsec # crowdsec config
       - ./config/crowdsec/db:/var/lib/crowdsec/data # crowdsec db
       # log bind mounts into crowdsec
-      - ./config/crowdsec_logs/auth.log:/var/log/auth.log:ro # auth.log
-      - ./config/crowdsec_logs/syslog:/var/log/syslog:ro # syslog
-      - ./config/crowdsec_logs:/var/log # crowdsec logs
       - ./config/traefik/logs:/var/log/traefik # traefik logs
     ports:
       - 6060:6060 # metrics endpoint for prometheus
-    expose:
-      - 6060 # metrics endpoint for prometheus
     restart: unless-stopped
-    command: -t # Add test config flag to verify configuration
+    command: -t # Add test config flag to verify configuration

install/config/crowdsec/dynamic_config.yml

@@ -42,6 +42,7 @@ http:
           crowdsecAppsecHost: crowdsec:7422 # CrowdSec IP address which you noted down later
           crowdsecAppsecFailureBlock: true # Block on failure
           crowdsecAppsecUnreachableBlock: true # Block on unreachable
+          crowdsecAppsecBodyLimit: 10485760
           crowdsecLapiKey: "PUT_YOUR_BOUNCER_KEY_HERE_OR_IT_WILL_NOT_WORK" # CrowdSec API key which you noted down later
           crowdsecLapiHost: crowdsec:8080 # CrowdSec  
           crowdsecLapiScheme: http # CrowdSec API scheme

install/config/crowdsec/traefik_config.yml

@@ -16,11 +16,15 @@ experimental:
       version: "{{.BadgerVersion}}"
     crowdsec: # CrowdSec plugin configuration added
       moduleName: "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin"
-      version: "v1.3.5"
+      version: "v1.4.2"
 
 log:
   level: "INFO"
   format: "json" # Log format changed to json for better parsing
+  maxSize: 100
+  maxBackups: 3
+  maxAge: 3
+  compress: true
 
 accessLog: # We enable access logs as json
   filePath: "/var/log/traefik/access.log"

install/config/docker-compose.yml

@@ -8,9 +8,9 @@ services:
       - ./config:/app/config
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3001/api/v1/"]
-      interval: "3s"
-      timeout: "3s"
-      retries: 5
+      interval: "10s"
+      timeout: "10s"
+      retries: 15
 {{if .InstallGerbil}}
   gerbil:
     image: fosrl/gerbil:{{.GerbilVersion}}
@@ -35,7 +35,7 @@ services:
       - 80:80 # Port for traefik because of the network_mode
 {{end}}
   traefik:
-    image: traefik:v3.3.3
+    image: traefik:v3.4.1
     container_name: traefik
     restart: unless-stopped
 {{if .InstallGerbil}}
@@ -58,4 +58,4 @@ services:
 networks:
   default:
     driver: bridge
-    name: pangolin
+    name: pangolin

install/config/traefik/traefik_config.yml

@@ -18,6 +18,10 @@ experimental:
 log:
   level: "INFO"
   format: "common"
+  maxSize: 100
+  maxBackups: 3
+  maxAge: 3
+  compress: true
 
 certificatesResolvers:
   letsencrypt:

install/crowdsec.go

@@ -3,9 +3,12 @@ package main
 import (
 	"bytes"
 	"fmt"
+	"log"
 	"os"
 	"os/exec"
 	"strings"
+
+	"gopkg.in/yaml.v3"
 )
 
 func installCrowdsec(config Config) error {
@@ -25,7 +28,7 @@ func installCrowdsec(config Config) error {
 	}
 
 	os.MkdirAll("config/crowdsec/db", 0755)
-	os.MkdirAll("config/crowdsec_logs/syslog", 0755)
+	os.MkdirAll("config/crowdsec/acquis.d", 0755)
 	os.MkdirAll("config/traefik/logs", 0755)
 
 	if err := copyDockerService("config/crowdsec/docker-compose.yml", "docker-compose.yml", "crowdsec"); err != nil {
@@ -63,6 +66,12 @@ func installCrowdsec(config Config) error {
 		os.Exit(1)
 	}
 
+	// check and add the service dependency of crowdsec to traefik
+	if err := CheckAndAddCrowdsecDependency("docker-compose.yml"); err != nil {
+		fmt.Printf("Error adding crowdsec dependency to traefik: %v\n", err)
+		os.Exit(1)
+	}
+
 	if err := startContainers(); err != nil {
 		return fmt.Errorf("failed to start containers: %v", err)
 	}
@@ -135,3 +144,58 @@ func checkIfTextInFile(file, text string) bool {
 	// Check for text
 	return bytes.Contains(content, []byte(text))
 }
+
+func CheckAndAddCrowdsecDependency(composePath string) error {
+	// Read the docker-compose.yml file
+	data, err := os.ReadFile(composePath)
+	if err != nil {
+		return fmt.Errorf("error reading compose file: %w", err)
+	}
+
+	// Parse YAML into a generic map
+	var compose map[string]interface{}
+	if err := yaml.Unmarshal(data, &compose); err != nil {
+		return fmt.Errorf("error parsing compose file: %w", err)
+	}
+
+	// Get services section
+	services, ok := compose["services"].(map[string]interface{})
+	if !ok {
+		return fmt.Errorf("services section not found or invalid")
+	}
+
+	// Get traefik service
+	traefik, ok := services["traefik"].(map[string]interface{})
+	if !ok {
+		return fmt.Errorf("traefik service not found or invalid")
+	}
+
+	// Get dependencies
+	dependsOn, ok := traefik["depends_on"].(map[string]interface{})
+	if ok {
+		// Append the new block for crowdsec
+		dependsOn["crowdsec"] = map[string]interface{}{
+			"condition": "service_healthy",
+		}
+	} else {
+		// No dependencies exist, create it
+		traefik["depends_on"] = map[string]interface{}{
+			"crowdsec": map[string]interface{}{
+				"condition": "service_healthy",
+			},
+		}
+	}
+
+	// Marshal the modified data back to YAML with indentation
+	modifiedData, err := MarshalYAMLWithIndent(compose, 2) // Set indentation to 2 spaces
+	if err != nil {
+		log.Fatalf("error marshaling YAML: %v", err)
+	}
+
+	if err := os.WriteFile(composePath, modifiedData, 0644); err != nil {
+		return fmt.Errorf("error writing updated compose file: %w", err)
+	}
+
+	fmt.Println("Added dependency of crowdsec to traefik")
+	return nil
+}

install/go.mod

@@ -3,7 +3,8 @@ module installer
 go 1.23.0
 
 require (
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/term v0.28.0 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
+	golang.org/x/term v0.28.0
+	gopkg.in/yaml.v3 v3.0.1
 )
+
+require golang.org/x/sys v0.29.0 // indirect

install/go.sum

@@ -2,6 +2,7 @@ golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
 golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.28.0 h1:/Ts8HFuMR2E6IP/jlo7QVLZHggjKQbhu/7H0LJFr3Gg=
 golang.org/x/term v0.28.0/go.mod h1:Sw/lC2IAUZ92udQNf3WodGtn4k/XoLyZoh8v/8uiwek=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

install/main.go

@@ -9,13 +9,15 @@ import (
 	"io/fs"
 	"os"
 	"os/exec"
+	"os/user"
 	"path/filepath"
 	"runtime"
 	"strings"
 	"syscall"
 	"text/template"
 	"time"
-	"unicode"
+	"math/rand"
+	"strconv"
 
 	"golang.org/x/term"
 )
@@ -37,10 +39,6 @@ type Config struct {
 	BaseDomain                 string
 	DashboardDomain            string
 	LetsEncryptEmail           string
-	AdminUserEmail             string
-	AdminUserPassword          string
-	DisableSignupWithoutInvite bool
-	DisableUserCreateOrg       bool
 	EnableEmail                bool
 	EmailSMTPHost              string
 	EmailSMTPPort              int
@@ -50,25 +48,36 @@ type Config struct {
 	InstallGerbil              bool
 	TraefikBouncerKey          string
 	DoCrowdsecInstall          bool
+	Secret                string
 }
 
 func main() {
 	reader := bufio.NewReader(os.Stdin)
 
-	// check if the user is root
-	if os.Geteuid() != 0 {
-		fmt.Println("This script must be run as root")
+	// check if docker is not installed and the user is root
+	if !isDockerInstalled() {
+		if os.Geteuid() != 0 {
+			fmt.Println("Docker is not installed. Please install Docker manually or run this installer as root.")
+			os.Exit(1)
+		}
+	}
+
+	// check if the user is in the docker group (linux only)
+	if !isUserInDockerGroup() {
+		fmt.Println("You are not in the docker group.")
+		fmt.Println("The installer will not be able to run docker commands without running it as root.")
 		os.Exit(1)
 	}
 
 	var config Config
-	config.DoCrowdsecInstall = false
 
 	// check if there is already a config file
 	if _, err := os.Stat("config/config.yml"); err != nil {
 		config = collectUserInput(reader)
 
 		loadVersions(&config)
+		config.DoCrowdsecInstall = false
+		config.Secret = generateRandomSecretKey()
 
 		if err := createConfigFiles(config); err != nil {
 			fmt.Printf("Error creating config files: %v\n", err)
@@ -80,6 +89,27 @@ func main() {
 		if !isDockerInstalled() && runtime.GOOS == "linux" {
 			if readBool(reader, "Docker is not installed. Would you like to install it?", true) {
 				installDocker()
+				// try to start docker service but ignore errors
+				if err := startDockerService(); err != nil {
+					fmt.Println("Error starting Docker service:", err)
+				} else {
+					fmt.Println("Docker service started successfully!")
+				}
+				// wait 10 seconds for docker to start checking if docker is running every 2 seconds
+				fmt.Println("Waiting for Docker to start...")
+				for i := 0; i < 5; i++ {
+					if isDockerRunning() {
+						fmt.Println("Docker is running!")
+						break
+					}
+					fmt.Println("Docker is not running yet, waiting...")
+					time.Sleep(2 * time.Second)
+				}
+				if !isDockerRunning() {
+					fmt.Println("Docker is still not running after 10 seconds. Please check the installation.")
+					os.Exit(1)
+				}
+				fmt.Println("Docker installed successfully!")
 			}
 		}
 
@@ -87,7 +117,15 @@ func main() {
 
 		if isDockerInstalled() {
 			if readBool(reader, "Would you like to install and start the containers?", true) {
-				pullAndStartContainers()
+				if err := pullContainers(); err != nil {
+					fmt.Println("Error: ", err)
+					return
+				}
+
+				if err := startContainers(); err != nil {
+					fmt.Println("Error: ", err)
+					return
+				}
 			}
 		}
 	} else {
@@ -128,6 +166,7 @@ func main() {
 	}
 
 	fmt.Println("Installation complete!")
+	fmt.Printf("\nTo complete the initial setup, please visit:\nhttps://%s/auth/initial-setup\n", config.DashboardDomain)
 }
 
 func readString(reader *bufio.Reader, prompt string, defaultValue string) string {
@@ -191,40 +230,11 @@ func collectUserInput(reader *bufio.Reader) Config {
 	config.BaseDomain = readString(reader, "Enter your base domain (no subdomain e.g. example.com)", "")
 	config.DashboardDomain = readString(reader, "Enter the domain for the Pangolin dashboard", "pangolin."+config.BaseDomain)
 	config.LetsEncryptEmail = readString(reader, "Enter email for Let's Encrypt certificates", "")
-	config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunned connections", true)
-
-	// Admin user configuration
-	fmt.Println("\n=== Admin User Configuration ===")
-	config.AdminUserEmail = readString(reader, "Enter admin user email", "admin@"+config.BaseDomain)
-	for {
-		pass1 := readPassword("Create admin user password", reader)
-		pass2 := readPassword("Confirm admin user password", reader)
-
-		if pass1 != pass2 {
-			fmt.Println("Passwords do not match")
-		} else {
-			config.AdminUserPassword = pass1
-			if valid, message := validatePassword(config.AdminUserPassword); valid {
-				break
-			} else {
-				fmt.Println("Invalid password:", message)
-				fmt.Println("Password requirements:")
-				fmt.Println("- At least one uppercase English letter")
-				fmt.Println("- At least one lowercase English letter")
-				fmt.Println("- At least one digit")
-				fmt.Println("- At least one special character")
-			}
-		}
-	}
-
-	// Security settings
-	fmt.Println("\n=== Security Settings ===")
-	config.DisableSignupWithoutInvite = readBool(reader, "Disable signup without invite", true)
-	config.DisableUserCreateOrg = readBool(reader, "Disable users from creating organizations", false)
+	config.InstallGerbil = readBool(reader, "Do you want to use Gerbil to allow tunneled connections", true)
 
 	// Email configuration
 	fmt.Println("\n=== Email Configuration ===")
-	config.EnableEmail = readBool(reader, "Enable email functionality", false)
+	config.EnableEmail = readBool(reader, "Enable email functionality (SMTP)", false)
 
 	if config.EnableEmail {
 		config.EmailSMTPHost = readString(reader, "Enter SMTP host", "")
@@ -247,60 +257,10 @@ func collectUserInput(reader *bufio.Reader) Config {
 		fmt.Println("Error: Let's Encrypt email is required")
 		os.Exit(1)
 	}
-	if config.AdminUserEmail == "" || config.AdminUserPassword == "" {
-		fmt.Println("Error: Admin user email and password are required")
-		os.Exit(1)
-	}
 
 	return config
 }
 
-func validatePassword(password string) (bool, string) {
-	if len(password) == 0 {
-		return false, "Password cannot be empty"
-	}
-
-	var (
-		hasUpper   bool
-		hasLower   bool
-		hasDigit   bool
-		hasSpecial bool
-	)
-
-	for _, char := range password {
-		switch {
-		case unicode.IsUpper(char):
-			hasUpper = true
-		case unicode.IsLower(char):
-			hasLower = true
-		case unicode.IsDigit(char):
-			hasDigit = true
-		case unicode.IsPunct(char) || unicode.IsSymbol(char):
-			hasSpecial = true
-		}
-	}
-
-	var missing []string
-	if !hasUpper {
-		missing = append(missing, "an uppercase letter")
-	}
-	if !hasLower {
-		missing = append(missing, "a lowercase letter")
-	}
-	if !hasDigit {
-		missing = append(missing, "a digit")
-	}
-	if !hasSpecial {
-		missing = append(missing, "a special character")
-	}
-
-	if len(missing) > 0 {
-		return false, fmt.Sprintf("Password must contain %s", strings.Join(missing, ", "))
-	}
-
-	return true, ""
-}
-
 func createConfigFiles(config Config) error {
 	os.MkdirAll("config", 0755)
 	os.MkdirAll("config/letsencrypt", 0755)
@@ -427,24 +387,44 @@ func installDocker() error {
 			apt-get install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
 		`, dockerArch))
 	case strings.Contains(osRelease, "ID=fedora"):
+		// Detect Fedora version to handle DNF 5 changes
+		versionCmd := exec.Command("bash", "-c", "grep VERSION_ID /etc/os-release | cut -d'=' -f2 | tr -d '\"'")
+		versionOutput, err := versionCmd.Output()
+		var fedoraVersion int
+		if err == nil {
+			if v, parseErr := strconv.Atoi(strings.TrimSpace(string(versionOutput))); parseErr == nil {
+				fedoraVersion = v
+			}
+		}
+
+		// Use appropriate DNF syntax based on version
+		var repoCmd string
+		if fedoraVersion >= 41 {
+			// DNF 5 syntax for Fedora 41+
+			repoCmd = "dnf config-manager addrepo --from-repofile=https://download.docker.com/linux/fedora/docker-ce.repo"
+		} else {
+			// DNF 4 syntax for Fedora < 41
+			repoCmd = "dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo"
+		}
+
 		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
 			dnf -y install dnf-plugins-core &&
-			dnf config-manager --add-repo https://download.docker.com/linux/fedora/docker-ce.repo &&
+			%s &&
 			dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
-		`))
+		`, repoCmd))
 	case strings.Contains(osRelease, "ID=opensuse") || strings.Contains(osRelease, "ID=\"opensuse-"):
 		installCmd = exec.Command("bash", "-c", `
 			zypper install -y docker docker-compose &&
 			systemctl enable docker
 		`)
 	case strings.Contains(osRelease, "ID=rhel") || strings.Contains(osRelease, "ID=\"rhel"):
-		installCmd = exec.Command("bash", "-c", fmt.Sprintf(`
+		installCmd = exec.Command("bash", "-c", `
 			dnf remove -y runc &&
 			dnf -y install yum-utils &&
 			dnf config-manager --add-repo https://download.docker.com/linux/rhel/docker-ce.repo &&
 			dnf install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin &&
 			systemctl enable docker
-		`))
+		`)
 	case strings.Contains(osRelease, "ID=amzn"):
 		installCmd = exec.Command("bash", "-c", `
 			yum update -y &&
@@ -455,11 +435,26 @@ func installDocker() error {
 	default:
 		return fmt.Errorf("unsupported Linux distribution")
 	}
+
 	installCmd.Stdout = os.Stdout
 	installCmd.Stderr = os.Stderr
 	return installCmd.Run()
 }
 
+func startDockerService() error {
+	if runtime.GOOS == "linux" {
+		cmd := exec.Command("systemctl", "enable", "--now", "docker")
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		return cmd.Run()
+	} else if runtime.GOOS == "darwin" {
+		// On macOS, Docker is usually started via the Docker Desktop application
+		fmt.Println("Please start Docker Desktop manually on macOS.")
+		return nil
+	}
+	return fmt.Errorf("unsupported operating system for starting Docker service")
+}
+
 func isDockerInstalled() bool {
 	cmd := exec.Command("docker", "--version")
 	if err := cmd.Run(); err != nil {
@@ -468,162 +463,113 @@ func isDockerInstalled() bool {
 	return true
 }
 
-func getCommandString(useNewStyle bool) string {
-	if useNewStyle {
-		return "'docker compose'"
+func isUserInDockerGroup() bool {
+	if runtime.GOOS == "darwin" {
+		// Docker group is not applicable on macOS
+		// So we assume that the user can run Docker commands
+		return true
 	}
-	return "'docker-compose'"
+
+	if os.Geteuid() == 0 {
+		return true // Root user can run Docker commands anyway
+	}
+
+	// Check if the current user is in the docker group
+	if dockerGroup, err := user.LookupGroup("docker"); err == nil {
+		if currentUser, err := user.Current(); err == nil {
+			if currentUserGroupIds, err := currentUser.GroupIds(); err == nil {
+				for _, groupId := range currentUserGroupIds {
+					if groupId == dockerGroup.Gid {
+						return true
+					}
+				}
+			}
+		}
+	}
+
+	// Eventually, if any of the checks fail, we assume the user cannot run Docker commands
+	return false
 }
 
-func pullAndStartContainers() error {
-	fmt.Println("Starting containers...")
+// isDockerRunning checks if the Docker daemon is running by using the `docker info` command.
+func isDockerRunning() bool {
+	cmd := exec.Command("docker", "info")
+	if err := cmd.Run(); err != nil {
+		return false
+	}
+	return true
+}
 
-	// Check which docker compose command is available
+// executeDockerComposeCommandWithArgs executes the appropriate docker command with arguments supplied
+func executeDockerComposeCommandWithArgs(args ...string) error {
+	var cmd *exec.Cmd
 	var useNewStyle bool
+
+	if !isDockerInstalled() {
+		return fmt.Errorf("docker is not installed")
+	}
+
 	checkCmd := exec.Command("docker", "compose", "version")
 	if err := checkCmd.Run(); err == nil {
 		useNewStyle = true
 	} else {
-		// Check if docker-compose (old style) is available
 		checkCmd = exec.Command("docker-compose", "version")
-		if err := checkCmd.Run(); err != nil {
-			return fmt.Errorf("neither 'docker compose' nor 'docker-compose' command is available: %v", err)
-		}
-	}
-
-	// Helper function to execute docker compose commands
-	executeCommand := func(args ...string) error {
-		var cmd *exec.Cmd
-		if useNewStyle {
-			cmd = exec.Command("docker", append([]string{"compose"}, args...)...)
+		if err := checkCmd.Run(); err == nil {
+			useNewStyle = false
 		} else {
-			cmd = exec.Command("docker-compose", args...)
+			return fmt.Errorf("neither 'docker compose' nor 'docker-compose' command is available")
 		}
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		return cmd.Run()
 	}
 
-	// Pull containers
-	fmt.Printf("Using %s command to pull containers...\n", getCommandString(useNewStyle))
-	if err := executeCommand("-f", "docker-compose.yml", "pull"); err != nil {
-		return fmt.Errorf("failed to pull containers: %v", err)
+	if useNewStyle {
+		cmd = exec.Command("docker", append([]string{"compose"}, args...)...)
+	} else {
+		cmd = exec.Command("docker-compose", args...)
 	}
 
-	// Start containers
-	fmt.Printf("Using %s command to start containers...\n", getCommandString(useNewStyle))
-	if err := executeCommand("-f", "docker-compose.yml", "up", "-d"); err != nil {
+    cmd.Stdout = os.Stdout
+    cmd.Stderr = os.Stderr
+    return cmd.Run()
+}
+
+// pullContainers pulls the containers using the appropriate command.
+func pullContainers() error {
+	fmt.Println("Pulling the container images...")
+
+	if err := executeDockerComposeCommandWithArgs("-f", "docker-compose.yml", "pull", "--policy", "always"); err != nil {
+		return fmt.Errorf("failed to pull the containers: %v", err)
+	}
+
+	return nil
+}
+
+// startContainers starts the containers using the appropriate command.
+func startContainers() error {
+	fmt.Println("Starting containers...")
+	if err := executeDockerComposeCommandWithArgs("-f", "docker-compose.yml", "up", "-d", "--force-recreate"); err != nil {
 		return fmt.Errorf("failed to start containers: %v", err)
 	}
 
 	return nil
 }
 
-// bring containers down
+// stopContainers stops the containers using the appropriate command.
 func stopContainers() error {
 	fmt.Println("Stopping containers...")
 
-	// Check which docker compose command is available
-	var useNewStyle bool
-	checkCmd := exec.Command("docker", "compose", "version")
-	if err := checkCmd.Run(); err == nil {
-		useNewStyle = true
-	} else {
-		// Check if docker-compose (old style) is available
-		checkCmd = exec.Command("docker-compose", "version")
-		if err := checkCmd.Run(); err != nil {
-			return fmt.Errorf("neither 'docker compose' nor 'docker-compose' command is available: %v", err)
-		}
-	}
-
-	// Helper function to execute docker compose commands
-	executeCommand := func(args ...string) error {
-		var cmd *exec.Cmd
-		if useNewStyle {
-			cmd = exec.Command("docker", append([]string{"compose"}, args...)...)
-		} else {
-			cmd = exec.Command("docker-compose", args...)
-		}
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		return cmd.Run()
-	}
-
-	if err := executeCommand("-f", "docker-compose.yml", "down"); err != nil {
+	if err := executeDockerComposeCommandWithArgs("-f", "docker-compose.yml", "down"); err != nil {
 		return fmt.Errorf("failed to stop containers: %v", err)
 	}
 
 	return nil
 }
 
-// just start containers
-func startContainers() error {
-	fmt.Println("Starting containers...")
-
-	// Check which docker compose command is available
-	var useNewStyle bool
-	checkCmd := exec.Command("docker", "compose", "version")
-	if err := checkCmd.Run(); err == nil {
-		useNewStyle = true
-	} else {
-		// Check if docker-compose (old style) is available
-		checkCmd = exec.Command("docker-compose", "version")
-		if err := checkCmd.Run(); err != nil {
-			return fmt.Errorf("neither 'docker compose' nor 'docker-compose' command is available: %v", err)
-		}
-	}
-
-	// Helper function to execute docker compose commands
-	executeCommand := func(args ...string) error {
-		var cmd *exec.Cmd
-		if useNewStyle {
-			cmd = exec.Command("docker", append([]string{"compose"}, args...)...)
-		} else {
-			cmd = exec.Command("docker-compose", args...)
-		}
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		return cmd.Run()
-	}
-
-	if err := executeCommand("-f", "docker-compose.yml", "up", "-d"); err != nil {
-		return fmt.Errorf("failed to start containers: %v", err)
-	}
-
-	return nil
-}
-
+// restartContainer restarts a specific container using the appropriate command.
 func restartContainer(container string) error {
-	fmt.Printf("Restarting %s container...\n", container)
+	fmt.Println("Restarting containers...")
 
-	// Check which docker compose command is available
-	var useNewStyle bool
-	checkCmd := exec.Command("docker", "compose", "version")
-	if err := checkCmd.Run(); err == nil {
-		useNewStyle = true
-	} else {
-		// Check if docker-compose (old style) is available
-		checkCmd = exec.Command("docker-compose", "version")
-		if err := checkCmd.Run(); err != nil {
-			return fmt.Errorf("neither 'docker compose' nor 'docker-compose' command is available: %v", err)
-		}
-	}
-
-	// Helper function to execute docker compose commands
-	executeCommand := func(args ...string) error {
-		var cmd *exec.Cmd
-		if useNewStyle {
-			cmd = exec.Command("docker", append([]string{"compose"}, args...)...)
-		} else {
-			cmd = exec.Command("docker-compose", args...)
-		}
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		return cmd.Run()
-	}
-
-	if err := executeCommand("-f", "docker-compose.yml", "restart", container); err != nil {
-		return fmt.Errorf("failed to restart %s container: %v", container, err)
+	if err := executeDockerComposeCommandWithArgs("-f", "docker-compose.yml", "restart", container); err != nil {
+		return fmt.Errorf("failed to stop the container \"%s\": %v", container, err)
 	}
 
 	return nil
@@ -681,3 +627,17 @@ func waitForContainer(containerName string) error {
 
 	return fmt.Errorf("container %s did not start within %v seconds", containerName, maxAttempts*int(retryInterval.Seconds()))
 }
+
+func generateRandomSecretKey() string {
+	const charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
+	const length = 32
+
+	var seededRand *rand.Rand = rand.New(
+		rand.NewSource(time.Now().UnixNano()))
+
+	b := make([]byte, length)
+	for i := range b {
+		b[i] = charset[seededRand.Intn(len(charset))]
+	}
+	return string(b)
+}

internationalization/de.md

@@ -1,267 +0,0 @@
-## Login site
-
-| EN                    | DE                                 | Notes       |
-| --------------------- | ---------------------------------- | ----------- |
-| Welcome to Pangolin   | Willkommen bei Pangolin            |             |
-| Log in to get started | Melden Sie sich an, um zu beginnen |             |
-| Email                 | E-Mail                             |             |
-| Enter your email      | Geben Sie Ihre E-Mail-Adresse ein  | placeholder |
-| Password              | Passwort                           |             |
-| Enter your password   | Geben Sie Ihr Passwort ein         | placeholder |
-| Forgot your password? | Passwort vergessen?                |             |
-| Log in                | Anmelden                           |             |
-
-# Ogranization site after successful login
-
-| EN                                        | DE                                           | Notes |
-| ----------------------------------------- | -------------------------------------------- | ----- |
-| Welcome to Pangolin                       | Willkommen bei Pangolin                      |       |
-| You're a member of {number} organization. | Sie sind Mitglied von {number} Organisation. |       |
-
-## Shared Header, Navbar and Footer
-##### Header
-
-| EN                  | DE                  | Notes |
-| ------------------- | ------------------- | ----- |
-| Documentation       | Dokumentation       |       |
-| Support             | Support             |       |
-| Organization {name} | Organisation {name} |       |
-##### Organization selector
-
-| EN               | DE                | Notes |
-| ---------------- | ----------------- | ----- |
-| Search…          | Suchen…           |       |
-| Create           | Erstellen         |       |
-| New Organization | Neue Organisation |       |
-| Organizations    | Organisationen    |       |
-
-##### Navbar
-
-| EN              | DE                | Notes |
-| --------------- | ----------------- | ----- |
-| Sites           | Websites          |       |
-| Resources       | Ressourcen        |       |
-| User & Roles    | Benutzer & Rollen |       |
-| Shareable Links | Teilbare Links    |       |
-| General         | Allgemein         |       |
-##### Footer
-| EN                        | DE                          |                     |
-| ------------------------- | --------------------------- | ------------------- |
-| Page {number} of {number} | Seite {number} von {number} |                     |
-| Rows per page             | Zeilen pro Seite            |                     |
-| Pangolin                  | Pangolin                    | unten auf der Seite |
-| Built by Fossorial        | Erstellt von Fossorial      | unten auf der Seite |
-| Open Source               | Open Source                 | unten auf der Seite |
-| Documentation             | Dokumentation               | unten auf der Seite |
-| {version}                 | {version}                   | unten auf der Seite |
-
-## Main “Sites”
-##### “Hero” section
-
-| EN                                                           | DE                                                           | Notes |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ----- |
-| Newt (Recommended)                                           | Newt (empfohlen)                                             |       |
-| For the best user experience, use Newt. It uses WireGuard under the hood and allows you to address your private resources by their LAN address on your private network from within the Pangolin dashboard. | Für das beste Benutzererlebnis verwenden Sie Newt. Es nutzt WireGuard im Hintergrund und ermöglicht es Ihnen, auf Ihre privaten Ressourcen über ihre LAN-Adresse in Ihrem privaten Netzwerk direkt aus dem Pangolin-Dashboard zuzugreifen. |       |
-| Runs in Docker                                               | Läuft in Docker                                              |       |
-| Runs in shell on macOS, Linux, and Windows                   | Läuft in der Shell auf macOS, Linux und Windows              |       |
-| Install Newt                                                 | Newt installieren                                            |       |
-| Basic WireGuard<br>                                          | Verwenden Sie einen beliebigen WireGuard-Client, um eine Verbindung herzustellen. Sie müssen auf Ihre internen Ressourcen über die Peer-IP-Adresse zugreifen. |       |
-| Compatible with all WireGuard clients<br>                    | Kompatibel mit allen WireGuard-Clients<br>                   |       |
-| Manual configuration required                                | Manuelle Konfiguration erforderlich<br>                      |       |
-##### Content
-
-| EN                                                        | DE                                                           | Notes                            |
-| --------------------------------------------------------- | ------------------------------------------------------------ | -------------------------------- |
-| Manage Sites                                              | Seiten verwalten                                             |                                  |
-| Allow connectivity to your network through secure tunnels | Ermöglichen Sie die Verbindung zu Ihrem Netzwerk über ein sicheren Tunnel |                                  |
-| Search sites                                              | Seiten suchen                                                | placeholder                      |
-| Add Site                                                  | Seite hinzufügen                                             |                                  |
-| Name                                                      | Name                                                         | table header                     |
-| Online                                                    | Status                                                       | table header                     |
-| Site                                                      | Seite                                                        | table header                     |
-| Data In                                                   | Eingehende Daten                                             | table header                     |
-| Data Out                                                  | Ausgehende Daten                                             | table header                     |
-| Connection Type                                           | Verbindungstyp                                               | table header                     |
-| Online                                                    | Online                                                       | site state                       |
-| Offline                                                   | Offline                                                      | site state                       |
-| Edit →                                                    | Bearbeiten →                                                 |                                  |
-| View settings                                             | Einstellungen anzeigen                                       | Popup after clicking “…” on site |
-| Delete                                                    | Löschen                                                      | Popup after clicking “…” on site |
-##### Add Site Popup
-
-| EN                                                     | DE                                                          | Notes       |
-| ------------------------------------------------------ | ----------------------------------------------------------- | ----------- |
-| Create Site                                            | Seite erstellen                                             |             |
-| Create a new site to start connection for this site    | Erstellen Sie eine neue Seite, um die Verbindung zu starten |             |
-| Name                                                   | Name                                                        |             |
-| Site name                                              | Seiten-Name                                                 | placeholder |
-| This is the name that will be displayed for this site. | So wird Ihre Seite angezeigt                                | desc        |
-| Method                                                 | Methode                                                     |             |
-| Local                                                  | Lokal                                                       |             |
-| Newt                                                   | Newt                                                        |             |
-| WireGuard                                              | WireGuard                                                   |             |
-| This is how you will expose connections.               | So werden Verbindungen freigegeben.                         |             |
-| You will only be able to see the configuration once.   | Diese Konfiguration können Sie nur einmal sehen.            |             |
-| Learn how to install Newt on your system               | Erfahren Sie, wie Sie Newt auf Ihrem System installieren    |             |
-| I have copied the config                               | Ich habe die Konfiguration kopiert                          |             |
-| Create Site                                            | Website erstellen                                           |             |
-| Close                                                  | Schließen                                                   |             |
-
-## Main “Resources”
-
-##### “Hero” section
-
-| EN                                                           | DE                                                           | Notes |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ----- |
-| Resources                                                    | Ressourcen                                                   |       |
-| Ressourcen sind Proxy-Server für Anwendungen, die in Ihrem privaten Netzwerk laufen. Erstellen Sie eine Ressource für jede HTTP- oder HTTPS-Anwendung in Ihrem privaten Netzwerk. Jede Ressource muss mit einer Website verbunden sein, um eine private und sichere Verbindung über den verschlüsselten WireGuard-Tunnel zu ermöglichen. | Ressourcen sind Proxy-Server für Anwendungen, die in Ihrem privaten Netzwerk laufen. Erstellen Sie eine Ressource für jede HTTP- oder HTTPS-Anwendung in Ihrem privaten Netzwerk. Jede Ressource muss mit einer Website verbunden sein, um eine private und sichere Verbindung über den verschlüsselten WireGuard-Tunnel zu ermöglichen. |       |
-| Secure connectivity with WireGuard encryption                | Sichere Verbindung mit WireGuard-Verschlüsselung             |       |
-| Configure multiple authentication methods                    | Konfigurieren Sie mehrere Authentifizierungsmethoden         |       |
-| User and role-based access control                           | Benutzer- und rollenbasierte Zugriffskontrolle               |       |
-##### Content
-
-| EN                                                 | DE                                                         | Notes                |
-| -------------------------------------------------- | ---------------------------------------------------------- | -------------------- |
-| Manage Resources                                   | Ressourcen verwalten                                       |                      |
-| Create secure proxies to your private applications | Erstellen Sie sichere Proxys für Ihre privaten Anwendungen |                      |
-| Search resources                                   | Ressourcen durchsuchen                                     | placeholder          |
-| Name                                               | Name                                                       |                      |
-| Site                                               | Website                                                    |                      |
-| Full URL                                           | Vollständige URL                                           |                      |
-| Authentication                                     | Authentifizierung                                          |                      |
-| Not Protected                                      | Nicht geschützt                                            | authentication state |
-| Protected                                          | Geschützt                                                  | authentication state |
-| Edit →                                             | Bearbeiten →                                               |                      |
-| Add Resource                                       | Ressource hinzufügen                                       |                      |
-##### Add Resource Popup
-
-| EN                                                           | DE                                                           | Notes               |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------- |
-| Create Resource                                              | Ressource erstellen                                          |                     |
-| Create a new resource to proxy request to your app           | Erstellen Sie eine neue Ressource, um Anfragen an Ihre App zu proxen |                     |
-| Name                                                         | Name                                                         |                     |
-| My Resource                                                  | Neue Ressource                                               | name placeholder    |
-| This is the name that will be displayed for this resource.   | Dies ist der Name, der für diese Ressource angezeigt wird    |                     |
-| Subdomain                                                    | Subdomain                                                    |                     |
-| Enter subdomain                                              | Subdomain eingeben                                           |                     |
-| This is the fully qualified domain name that will be used to access the resource. | Dies ist der vollständige Domainname, der für den Zugriff auf die Ressource verwendet wird. |                     |
-| Site                                                         | Website                                                      |                     |
-| Search site…                                                 | Website suchen…                                              | Site selector popup |
-| This is the site that will be used in the dashboard.         | Dies ist die Website, die im Dashboard verwendet wird.       |                     |
-| Create Resource                                              | Ressource erstellen                                          |                     |
-| Close                                                        | Schließen                                                    |                     |
-
-
-## Main “User & Roles”
-##### Content
-
-| EN                                                           | DE                                                           | Notes                         |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ----------------------------- |
-| Manage User & Roles                                          | Benutzer & Rollen verwalten                                  |                               |
-| Invite users and add them to roles to manage access to your organization | Laden Sie Benutzer ein und weisen Sie ihnen Rollen zu, um den Zugriff auf Ihre Organisation zu verwalten |                               |
-| Users                                                        | Benutzer                                                     | sidebar item                  |
-| Roles                                                        | Rollen                                                       | sidebar item                  |
-| **User tab**                                                 |                                                              |                               |
-| Search users                                                 | Benutzer suchen                                              | placeholder                   |
-| Invite User                                                  | Benutzer einladen                                            | addbutton                     |
-| Email                                                        | E-Mail                                                       | table header                  |
-| Status                                                       | Status                                                       | table header                  |
-| Role                                                         | Rolle                                                        | table header                  |
-| Confirmed                                                    | Bestätigt                                                    | account status                |
-| Not confirmed (?)                                            | Nicht bestätigt (?)                                          | unknown for me account status |
-| Owner                                                        | Besitzer                                                     | role                          |
-| Admin                                                        | Administrator                                                | role                          |
-| Member                                                       | Mitglied                                                     | role                          |
-| **Roles Tab**                                                |                                                              |                               |
-| Search roles                                                 | Rollen suchen                                                | placeholder                   |
-| Add Role                                                     | Rolle hinzufügen                                             | addbutton                     |
-| Name                                                         | Name                                                         | table header                  |
-| Description                                                  | Beschreibung                                                 | table header                  |
-| Admin                                                        | Administrator                                                | role                          |
-| Member                                                       | Mitglied                                                     | role                          |
-| Admin role with the most permissions                         | Administratorrolle mit den meisten Berechtigungen            | admin role desc               |
-| Members can only view resources                              | Mitglieder können nur Ressourcen anzeigen                    | member role desc              |
-
-##### Invite User popup
-
-| EN                | DE                                                      | Notes       |
-| ----------------- | ------------------------------------------------------- | ----------- |
-| Invite User       | Geben Sie neuen Benutzern Zugriff auf Ihre Organisation |             |
-| Email             | E-Mail                                                  |             |
-| Enter an email    | E-Mail eingeben                                         | placeholder |
-| Role              | Rolle                                                   |             |
-| Select role       | Rolle auswählen                                         | placeholder |
-| Gültig für        | Gültig bis                                              |             |
-| 1 day             | Tag                                                     |             |
-| 2 days            | 2 Tage                                                  |             |
-| 3 days            | 3 Tage                                                  |             |
-| 4 days            | 4 Tage                                                  |             |
-| 5 days            | 5 Tage                                                  |             |
-| 6 days            | 6 Tage                                                  |             |
-| 7 days            | 7 Tage                                                  |             |
-| Create Invitation | Einladung erstellen                                     |             |
-| Close             | Schließen                                               |             |
-
-
-## Main “Shareable Links”
-##### “Hero” section
-
-| EN                                                           | DE                                                           | Notes |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ----- |
-| Shareable Links                                              | Teilbare Links                                               |       |
-| Create shareable links to your resources. Links provide temporary or unlimited access to your resource. You can configure the expiration duration of the link when you create one. | Erstellen Sie teilbare Links zu Ihren Ressourcen. Links bieten temporären oder unbegrenzten Zugriff auf Ihre Ressource. Sie können die Gültigkeitsdauer des Links beim Erstellen konfigurieren. |       |
-| Easy to create and share                                     | Einfach zu erstellen und zu teilen                           |       |
-| Configurable expiration duration                             | Konfigurierbare Gültigkeitsdauer                             |       |
-| Secure and revocable                                         | Sicher und widerrufbar                                       |       |
-##### Content
-
-| EN                                                           | DE                                                           | Notes             |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ----------------- |
-| Manage Shareable Links                                       | Teilbare Links verwalten                                     |                   |
-| Create shareable links to grant temporary or permanent access to your resources | Erstellen Sie teilbare Links, um temporären oder permanenten Zugriff auf Ihre Ressourcen zu gewähren |                   |
-| Search links                                                 | Links suchen                                                 | placeholder       |
-| Create Share Link                                            | Neuen Link erstellen                                         | addbutton         |
-| Resource                                                     | Ressource                                                    | table header      |
-| Title                                                        | Titel                                                        | table header      |
-| Created                                                      | Erstellt                                                     | table header      |
-| Expires                                                      | Gültig bis                                                   | table header      |
-| No links. Create one to get started.                         | Keine Links. Erstellen Sie einen, um zu beginnen.            | table placeholder |
-
-##### Create Shareable Link popup
-
-| EN                                                           | DE                                                           | Notes                   |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ----------------------- |
-| Create Shareable Link                                        | Teilbaren Link erstellen                                     |                         |
-| Anyone with this link can access the resource                | Jeder mit diesem Link kann auf die Ressource zugreifen       |                         |
-| Resource                                                     | Ressource                                                    |                         |
-| Select resource                                              | Ressource auswählen                                          |                         |
-| Search resources…                                            | Ressourcen suchen…                                           | resource selector popup |
-| Title (optional)                                             | Titel (optional)                                             |                         |
-| Enter title                                                  | Titel eingeben                                               | placeholder             |
-| Expire in                                                    | Gültig bis                                                   |                         |
-| Minutes                                                      | Minuten                                                      |                         |
-| Hours                                                        | Stunden                                                      |                         |
-| Days                                                         | Tage                                                         |                         |
-| Months                                                       | Monate                                                       |                         |
-| Years                                                        | Jahre                                                        |                         |
-| Never expire                                                 | Nie ablaufen                                                 |                         |
-| Expiration time is how long the link will be usable and provide access to the resource. After this time, the link will no longer work, and users who used this link will lose access to the resource. | Die Gültigkeitsdauer bestimmt, wie lange der Link nutzbar ist und Zugriff auf die Ressource bietet. Nach Ablauf dieser Zeit funktioniert der Link nicht mehr, und Benutzer, die diesen Link verwendet haben, verlieren den Zugriff auf die Ressource. |                         |
-| Create Link                                                  | Link erstellen                                               |                         |
-| Close                                                        | Schließen                                                    |                         |
-
-
-## Main “General”
-
-| EN                                                           | DE                                                           | Notes        |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------ |
-| General                                                      | Allgemein                                                    |              |
-| Configure your organization’s general settings               | Konfigurieren Sie die allgemeinen Einstellungen Ihrer Organisation |              |
-| General                                                      | Allgemein                                                    | sidebar item |
-| Organization Settings                                        | Organisationseinstellungen                                   |              |
-| Manage your organization details and configuration           | Verwalten Sie die Details und Konfiguration Ihrer Organisation |              |
-| Name                                                         | Name                                                         |              |
-| This is the display name of the org                          | Dies ist der Anzeigename Ihrer Organisation                  |              |
-| Save Settings                                                | Einstellungen speichern                                      |              |
-| Danger Zone                                                  | Gefahrenzone                                                 |              |
-| Once you delete this org, there is no going back. Please be certain. | Wenn Sie diese Organisation löschen, gibt es kein Zurück. Bitte seien Sie sicher. |              |
-| Delete Organization Data                                     | Organisationsdaten löschen                                   |              |

internationalization/es.md

@@ -1,291 +0,0 @@
-## Authentication Site
-
-
-| EN                                                       | ES                                                           | Notes      |
-| -------------------------------------------------------- | ------------------------------------------------------------ | ---------- |
-| Powered by [Pangolin](https://github.com/fosrl/pangolin) | Desarrollado por [Pangolin](https://github.com/fosrl/pangolin)  |            |
-| Authentication Required                                  | Se requiere autenticación                                    |            |
-| Choose your preferred method to access {resource}        | Elije tu método requerido para acceder a {resource}          |            |
-| PIN                                                      | PIN                                                          |            |
-| User                                                     | Usuario                                                      |            |
-| 6-digit PIN Code                                         | Código PIN de 6 dígitos                                      | pin login  |
-| Login in with PIN                                        | Registrate con PIN                                           | pin login  |
-| Email                                                    | Email                                                        | user login |
-| Enter your email                                         | Introduce tu email                                           | user login |
-| Password                                                 | Contraseña                                                   | user login |
-| Enter your password                                      | Introduce tu contraseña                                      | user login |
-| Forgot your password?                                    | ¿Olvidaste tu contraseña?                                    | user login |
-| Log in                                                   | Iniciar sesión                                               | user login |
-
-
-## Login site
-
-| EN                    | ES                                 | Notes       |
-| --------------------- | ---------------------------------- | ----------- |
-| Welcome to Pangolin   | Binvenido a Pangolin               |             |
-| Log in to get started | Registrate para comenzar           |             |
-| Email                 | Email                              |             |
-| Enter your email      | Introduce tu email                 | placeholder |
-| Password              | Contraseña                         |             |
-| Enter your password   | Introduce tu contraseña            | placeholder |
-| Forgot your password? | ¿Olvidaste tu contraseña?          |             |
-| Log in                | Iniciar sesión                     |             |
-
-# Ogranization site after successful login
-
-| EN                                        | ES                                           | Notes |
-| ----------------------------------------- | -------------------------------------------- | ----- |
-| Welcome to Pangolin                       | Binvenido a Pangolin                         |       |
-| You're a member of {number} organization. | Eres miembro de la organización {number}.    |       |
-
-## Shared Header, Navbar and Footer
-##### Header
-
-| EN                  | ES                  | Notes |
-| ------------------- | ------------------- | ----- |
-| Documentation       | Documentación       |       |
-| Support             | Soporte             |       |
-| Organization {name} | Organización {name} |       |
-##### Organization selector
-
-| EN               | ES                | Notes |
-| ---------------- | ----------------- | ----- |
-| Search…          | Buscar…           |       |
-| Create           | Crear             |       |
-| New Organization | Nueva Organización|       |
-| Organizations    | Organizaciones    |       |
-
-##### Navbar
-
-| EN              | ES                     | Notes |
-| --------------- | -----------------------| ----- |
-| Sites           | Sitios                 |       |
-| Resources       | Recursos               |       |
-| User & Roles    | Usuarios y roles       |       |
-| Shareable Links | Enlaces para compartir |       |
-| General         | General                |       |
-
-##### Footer
-| EN                        | ES                          |                             |
-| ------------------------- | --------------------------- | -------|
-| Page {number} of {number} | Página {number} de {number} | footer |        
-| Rows per page             | Filas por página            | footer |
-| Pangolin                  | Pangolin                    | footer |
-| Built by Fossorial        | Construido por Fossorial    | footer |
-| Open Source               | Código abierto              | footer |
-| Documentation             | Documentación               | footer |
-| {version}                 | {version}                   | footer |
-
-## Main “Sites”
-##### “Hero” section
-
-| EN                                                           | ES                                                           | Notes |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ----- |
-| Newt (Recommended)                                           | Newt (Recomendado)                                           |       |
-| For the best user experience, use Newt. It uses WireGuard under the hood and allows you to address your private resources by their LAN address on your private network from within the Pangolin dashboard. | Para obtener la mejor experiencia de usuario, utiliza Newt. Utiliza WireGuard internamente y te permite abordar tus recursos privados mediante tu dirección LAN en tu red privada desde el panel de Pangolin. |       |
-| Runs in Docker                                               | Se ejecuta en Docker                                         |       |
-| Runs in shell on macOS, Linux, and Windows                   | Se ejecuta en shell en macOS, Linux y Windows                |       |
-| Install Newt                                                 | Instalar Newt                                                |       |
-| Basic WireGuard<br>                                          | WireGuard básico<br>                                         |       | 
-| Compatible with all WireGuard clients<br>                    | Compatible con todos los clientes WireGuard<br>              |       |
-| Manual configuration required                                | Se requiere configuración manual                             |       |
-
-##### Content
-
-| EN                                                        | ES                                                           | Notes                            |
-| --------------------------------------------------------- | ------------------------------------------------------------ | -------------------------------- |
-| Manage Sites                                              | Administrar sitios                                           |                                  |
-| Allow connectivity to your network through secure tunnels | Permitir la conectividad a tu red a través de túneles seguros|                                  |
-| Search sites                                              | Buscar sitios                                                | placeholder                      |
-| Add Site                                                  | Agregar sitio                                                |                                  |
-| Name                                                      | Nombre                                                       | table header                     |
-| Online                                                    | Conectado                                                    | table header                     |
-| Site                                                      | Sitio                                                        | table header                     |
-| Data In                                                   | Datos en                                                     | table header                     |
-| Data Out                                                  | Datos de salida                                              | table header                     |
-| Connection Type                                           | Tipo de conexión                                             | table header                     |
-| Online                                                    | Conectado                                                    | site state                       |
-| Offline                                                   | Desconectado                                                 | site state                       |
-| Edit →                                                    | Editar →                                                     |                                  |
-| View settings                                             | Ver configuración                                            | Popup after clicking “…” on site |
-| Delete                                                    | Borrar                                                       | Popup after clicking “…” on site |
-
-##### Add Site Popup
-
-| EN                                                     | ES                                                          | Notes       |
-| ------------------------------------------------------ | ----------------------------------------------------------- | ----------- |
-| Create Site                                            | Crear sitio                                                 |             |
-| Create a new site to start connection for this site    | Crear un nuevo sitio para iniciar la conexión para este sitio |             |
-| Name                                                   | Nombre                                                      |             |
-| Site name                                              | Nombre del sitio                                            | placeholder |
-| This is the name that will be displayed for this site. | Este es el nombre que se mostrará para este sitio.          | desc        |
-| Method                                                 | Método                                                      |             |
-| Local                                                  | Local                                                       |             |
-| Newt                                                   | Newt                                                        |             |
-| WireGuard                                              | WireGuard                                                   |             |
-| This is how you will expose connections.               | Así es como expondrás las conexiones.                       |             |
-| You will only be able to see the configuration once.   | Solo podrás ver la configuración una vez.                   |             |
-| Learn how to install Newt on your system               | Aprende a instalar Newt en tu sistema                       |             |
-| I have copied the config                               | He copiado la configuración                                 |             |
-| Create Site                                            | Crear sitio                                                 |             |
-| Close                                                  | Cerrar                                                      |             |
-
-## Main “Resources”
-
-##### “Hero” section
-
-| EN                                                           | ES                                                           | Notes |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ----- |
-| Resources                                                    | Recursos                                                     |       |
-| Ressourcen sind Proxy-Server für Anwendungen, die in Ihrem privaten Netzwerk laufen. Erstellen Sie eine Ressource für jede HTTP- oder HTTPS-Anwendung in Ihrem privaten Netzwerk. Jede Ressource muss mit einer Website verbunden sein, um eine private und sichere Verbindung über den verschlüsselten WireGuard-Tunnel zu ermöglichen. |Los recursos son servidores proxy para aplicaciones que se ejecutan en su red privada. Cree un recurso para cada aplicación HTTP o HTTPS en su red privada. Cada recurso debe estar conectado a un sitio web para proporcionar una conexión privada y segura a través del túnel cifrado WireGuard. |       |
-| Secure connectivity with WireGuard encryption                | Conectividad segura con encriptación WireGuard               |       |
-| Configure multiple authentication methods                    | Configura múltiples métodos de autenticación                 |       |
-| User and role-based access control                           | Control de acceso basado en usuarios y roles                 |       |
-
-##### Content
-
-| EN                                                 | ES                                                         | Notes                |
-| -------------------------------------------------- | ---------------------------------------------------------- | -------------------- |
-| Manage Resources                                   | Administrar recursos                                       |                      |
-| Create secure proxies to your private applications | Crea servidores proxy seguros para tus aplicaciones privadas |                      |
-| Search resources                                   | Buscar recursos                                            | placeholder          |
-| Name                                               | Nombre                                                     |                      |
-| Site                                               | Sitio                                                      |                      |
-| Full URL                                           | URL completa                                               |                      |
-| Authentication                                     | Autenticación                                              |                      |
-| Not Protected                                      | No protegido                                               | authentication state |
-| Protected                                          | Protegido                                                  | authentication state |
-| Edit →                                             | Editar →                                                   |                      |
-| Add Resource                                       | Agregar recurso                                            |                      |
-
-##### Add Resource Popup
-
-| EN                                                           | ES                                                           | Notes               |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------------- |
-| Create Resource                                              | Crear recurso                                                |                     |
-| Create a new resource to proxy request to your app           | Crea un nuevo recurso para enviar solicitudes a tu aplicación |                     |
-| Name                                                         | Nombre                                                        |                     |
-| My Resource                                                  | Mi recurso                                                    | name placeholder    |
-| This is the name that will be displayed for this resource.   | Este es el nombre que se mostrará para este recurso.         |                     |
-| Subdomain                                                    | Subdominio                                                    |                     |
-| Enter subdomain                                              | Ingresar subdominio                                           |                     |
-| This is the fully qualified domain name that will be used to access the resource. | Este es el nombre de dominio completo que se utilizará para acceder al recurso. |                     |
-| Site                                                         | Sitio                                                        |                     |
-| Search site…                                                 | Buscar sitio…                                                | Site selector popup |
-| This is the site that will be used in the dashboard.         | Este es el sitio que se utilizará en el panel de control.    |                     |
-| Create Resource                                              | Crear recurso                                                |                     |
-| Close                                                        | Cerrar                                                       |                     |
-
-## Main “User & Roles”
-##### Content
-
-| EN                                                           | ES                                                           | Notes                         |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ----------------------------- |
-| Manage User & Roles                                          | Administrar usuarios y roles                                 |                               |
-| Invite users and add them to roles to manage access to your organization | Invita a usuarios y agrégalos a roles para administrar el acceso a tu organización |                               |
-| Users                                                        | Usuarios                                                     | sidebar item                  |
-| Roles                                                        | Roles                                                        | sidebar item                  |
-| **User tab**                                                 | **Pestaña de usuario**                                                            |                               |
-| Search users                                                 | Buscar usuarios                                              | placeholder                   |
-| Invite User                                                  | Invitar usuario                                           | addbutton                     |
-| Email                                                        | Email                                                       | table header                  |
-| Status                                                       | Estado                                                       | table header                  |
-| Role                                                         | Role                                                         | table header                  |
-| Confirmed                                                    | Confirmado                                                   | account status                |
-| Not confirmed (?)                                            | No confirmado (?)                                            | unknown for me account status |
-| Owner                                                        | Dueño                                                        | role                          |
-| Admin                                                        | Administrador                                                | role                          |
-| Member                                                       | Miembro                                                      | role                          |
-| **Roles Tab**                                                | **Pestaña Roles**                                            |                               |
-| Search roles                                                 | Buscar roles                                                 | placeholder                   |
-| Add Role                                                     | Agregar rol                                                  | addbutton                     |
-| Name                                                         | Nombre                                                       | table header                  |
-| Description                                                  | Descripción                                                  | table header                  |
-| Admin                                                        | Administrador                                                | role                          |
-| Member                                                       | Miembro                                                      | role                          |
-| Admin role with the most permissions                         | Rol de administrador con más permisos                        | admin role desc               |
-| Members can only view resources                              | Los miembros sólo pueden ver los recursos                    | member role desc              |
-
-##### Invite User popup
-
-| EN                | ES                                                      | Notes       |
-| ----------------- | ------------------------------------------------------- | ----------- |
-| Invite User       | Invitar usuario                                         |             |
-| Email             | Email                                                   |             |
-| Enter an email    | Introduzca un email                                     | placeholder |
-| Role              | Rol                                                     |             |
-| Select role       | Seleccionar rol                                         | placeholder |
-| Gültig für        | Válido para                                             |             |
-| 1 day             | 1 día                                                   |             |
-| 2 days            | 2 días                                                  |             |
-| 3 days            | 3 días                                                  |             |
-| 4 days            | 4 días                                                  |             |
-| 5 days            | 5 días                                                  |             |
-| 6 days            | 6 días                                                  |             |
-| 7 days            | 7 días                                                  |             |
-| Create Invitation | Crear invitación                                        |             |
-| Close             | Cerrar                                                  |             |
-
-
-## Main “Shareable Links”
-##### “Hero” section
-
-| EN                                                           | ES                                                           | Notes |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ----- |
-| Shareable Links                                              | Enlaces para compartir                                       |       |
-| Create shareable links to your resources. Links provide temporary or unlimited access to your resource. You can configure the expiration duration of the link when you create one. | Crear enlaces que se puedan compartir a tus recursos. Los enlaces proporcionan acceso temporal o ilimitado a tu recurso. Puedes configurar la duración de caducidad del enlace cuando lo creas.                                |       |
-| Easy to create and share                                     | Fácil de crear y compartir                                   |       |
-| Configurable expiration duration                             | Duración de expiración configurable                          |       |
-| Secure and revocable                                         | Seguro y revocable                                           |       |
-##### Content
-
-| EN                                                           | ES                                                           | Notes             |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ----------------- |
-| Manage Shareable Links                                       | Administrar enlaces compartibles                             |                   |
-| Create shareable links to grant temporary or permanent access to your resources | Crear enlaces compartibles para otorgar acceso temporal o permanente a tus recursos |                   |
-| Search links                                                 | Buscar enlaces                                               | placeholder       |
-| Create Share Link                                            | Crear enlace para compartir                                  | addbutton         |
-| Resource                                                     | Recurso                                                      | table header      |
-| Title                                                        | Título                                                       | table header      |
-| Created                                                      | Creado                                                       | table header      |
-| Expires                                                      | Caduca                                                       | table header      |
-| No links. Create one to get started.                         | No hay enlaces. Crea uno para comenzar.                      | table placeholder |
-
-##### Create Shareable Link popup
-
-| EN                                                           | ES                                                           | Notes                   |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ----------------------- |
-| Create Shareable Link                                        | Crear un enlace para compartir                               |                         |
-| Anyone with this link can access the resource                | Cualquier persona con este enlace puede acceder al recurso.  |                         |
-| Resource                                                     | Recurso                                                      |                         |
-| Select resource                                              | Seleccionar recurso                                          |                         |
-| Search resources…                                            | Buscar recursos…                                             | resource selector popup |
-| Title (optional)                                             | Título (opcional)                                            |                         |
-| Enter title                                                  | Introducir título                                            | placeholder             |
-| Expire in                                                    | Caduca en                                                    |                         |
-| Minutes                                                      | Minutos                                                      |                         |
-| Hours                                                        | Horas                                                        |                         |
-| Days                                                         | Días                                                         |                         |
-| Months                                                       | Meses                                                        |                         |
-| Years                                                        | Años                                                         |                         |
-| Never expire                                                 | Nunca caduca                                                 |                         |
-| Expiration time is how long the link will be usable and provide access to the resource. After this time, the link will no longer work, and users who used this link will lose access to the resource. | El tiempo de expiración es el tiempo durante el cual el enlace se podrá utilizar y brindará acceso al recurso. Después de este tiempo, el enlace dejará de funcionar y los usuarios que lo hayan utilizado perderán el acceso al recurso. |                         |
-| Create Link                                                  | Crear enlace                                                |                         |
-| Close                                                        | Cerrar                                                      |                         |
-
-
-## Main “General”
-
-| EN                                                           | ES                                                           | Notes        |
-| ------------------------------------------------------------ | ------------------------------------------------------------ | ------------ |
-| General                                                      | General                                                      |              |
-| Configure your organization’s general settings               | Configura los ajustes generales de tu organización           |              |
-| General                                                      | General                                                      | sidebar item |
-| Organization Settings                                        | Configuración de la organización                             |              |
-| Manage your organization details and configuration           | Administra los detalles y la configuración de tu organización|              |
-| Name                                                         | Nombre                                                       |              |
-| This is the display name of the org                          | Este es el nombre para mostrar de la organización.           |              |
-| Save Settings                                                | Guardar configuración                                        |              |
-| Danger Zone                                                  | Zona de peligro                                              |              |
-| Once you delete this org, there is no going back. Please be certain. | Una vez que elimines esta organización, no habrá vuelta atrás. Asegúrate de hacerlo. |              |
-| Delete Organization Data                                     | Eliminar datos de la organización                             |              |

internationalization/pl.md

@@ -1,287 +0,0 @@
-## Authentication Site
-
-
-| EN                                                       | PL                                                           | Notes      |
-| -------------------------------------------------------- | ------------------------------------------------------------ | ---------- |
-| Powered by [Pangolin](https://github.com/fosrl/pangolin) | Zasilane przez [Pangolin](https://github.com/fosrl/pangolin) |            |
-| Authentication Required                                  | Wymagane uwierzytelnienie                                    |            |
-| Choose your preferred method to access {resource}        | Wybierz preferowaną metodę dostępu do {resource}             |            |
-| PIN                                                      | PIN                                                          |            |
-| User                                                     | Zaloguj                                                      |            |
-| 6-digit PIN Code                                         | 6-cyfrowy kod PIN                                            | pin login  |
-| Login in with PIN                                        | Zaloguj się PIN’em                                           | pin login  |
-| Email                                                    | Email                                                        | user login |
-| Enter your email                                         | Wprowadź swój email                                          | user login |
-| Password                                                 | Hasło                                                        | user login |
-| Enter your password                                      | Wprowadź swoje hasło                                         | user login |
-| Forgot your password?                                    | Zapomniałeś hasła?                                           | user login |
-| Log in                                                   | Zaloguj                                                      | user login |
-
-
-## Login site
-
-| EN                    | PL                             | Notes       |
-| --------------------- | ------------------------------ | ----------- |
-| Welcome to Pangolin   | Witaj w Pangolin               |             |
-| Log in to get started | Zaloguj się, aby rozpocząć<br> |             |
-| Email                 | Email                          |             |
-| Enter your email      | Wprowadź swój adres e-mail<br> | placeholder |
-| Password              | Hasło                          |             |
-| Enter your password   | Wprowadź swoje hasło           | placeholder |
-| Forgot your password? | Nie pamiętasz hasła?           |             |
-| Log in                | Zaloguj                        |             |
-
-# Ogranization site after successful login
-
-
-| EN                                        | PL                                         | Notes |
-| ----------------------------------------- | ------------------------------------------ | ----- |
-| Welcome to Pangolin                       | Witaj w Pangolin                           |       |
-| You're a member of {number} organization. | Jesteś użytkownikiem {number} organizacji. |       |
-
-## Shared Header, Navbar and Footer
-##### Header
-
-| EN                  | PL                 | Notes |
-| ------------------- | ------------------ | ----- |
-| Documentation       | Dokumentacja       |       |
-| Support             | Wsparcie           |       |
-| Organization {name} | Organizacja {name} |       |
-##### Organization selector
-
-| EN               | PL               | Notes |
-| ---------------- | ---------------- | ----- |
-| Search…          | Szukaj…          |       |
-| Create           | Utwórz           |       |
-| New Organization | Nowa organizacja |       |
-| Organizations    | Organizacje      |       |
-
-##### Navbar
-
-| EN              | PL                     | Notes |
-| --------------- | ---------------------- | ----- |
-| Sites           | Witryny                |       |
-| Resources       | Zasoby                 |       |
-| User & Roles    | Użytkownicy i Role     |       |
-| Shareable Links | Łącza do udostępniania |       |
-| General         | Ogólne                 |       |
-##### Footer
-| EN                        | PL                         |                |
-| ------------------------- | -------------------------- | -------------- |
-| Page {number} of {number} | Strona {number} z {number} |                |
-| Rows per page             | Wierszy na stronę          |                |
-| Pangolin                  | Pangolin                   | bottom of site |
-| Built by Fossorial        | Stworzone przez Fossorial  | bottom of site |
-| Open Source               | Open source                | bottom of site |
-| Documentation             | Dokumentacja               | bottom of site |
-| {version}                 | {version}                  | bottom of site |
-## Main “Sites”
-##### “Hero” section
-
-| EN                                                                                                                                                                                                         | PL                                                                                                                                                                                                                                                                 | Notes |
-| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----- |
-| Newt (Recommended)                                                                                                                                                                                         | Newt (zalecane)                                                                                                                                                                                                                                                    |       |
-| For the best user experience, use Newt. It uses WireGuard under the hood and allows you to address your private resources by their LAN address on your private network from within the Pangolin dashboard. | Aby zapewnić najlepsze doświadczenie użytkownika, korzystaj z Newt. Wykorzystuje on technologię WireGuard w tle i pozwala na dostęp do Twoich prywatnych zasobów za pomocą ich adresu LAN w prywatnej sieci bezpośrednio z poziomu pulpitu nawigacyjnego Pangolin. |       |
-| Runs in Docker                                                                                                                                                                                             | Działa w Dockerze                                                                                                                                                                                                                                                  |       |
-| Runs in shell on macOS, Linux, and Windows                                                                                                                                                                 | Działa w powłoce na systemach macOS, Linux i Windows                                                                                                                                                                                                               |       |
-| Install Newt                                                                                                                                                                                               | Zainstaluj Newt                                                                                                                                                                                                                                                    |       |
-| Podstawowy WireGuard<br>                                                                                                                                                                                   | Użyj dowolnego klienta WireGuard, aby się połączyć. Będziesz musiał uzyskiwać dostęp do swoich wewnętrznych zasobów za pomocą adresu IP równorzędnego                                                                                                              |       |
-| Compatible with all WireGuard clients<br>                                                                                                                                                                  | Kompatybilny ze wszystkimi klientami WireGuard<br>                                                                                                                                                                                                                 |       |
-| Manual configuration required                                                                                                                                                                              | Wymagana ręczna konfiguracja<br>                                                                                                                                                                                                                                   |       |
-##### Content
-
-| EN                                                        | PL                                                                       | Notes                            |
-| --------------------------------------------------------- | ------------------------------------------------------------------------ | -------------------------------- |
-| Manage Sites                                              | Zarządzanie witrynami                                                    |                                  |
-| Allow connectivity to your network through secure tunnels | Zezwalaj na łączność z Twoją siecią za pośrednictwem bezpiecznych tuneli |                                  |
-| Search sites                                              | Szukaj witryny                                                           | placeholder                      |
-| Add Site                                                  | Dodaj witrynę                                                            |                                  |
-| Name                                                      | Nazwa                                                                    | table header                     |
-| Online                                                    | Status                                                                   | table header                     |
-| Site                                                      | Witryna                                                                  | table header                     |
-| Data In                                                   | Dane wchodzące                                                           | table header                     |
-| Data Out                                                  | Dane wychodzące                                                          | table header                     |
-| Connection Type                                           | Typ połączenia                                                           | table header                     |
-| Online                                                    | Online                                                                   | site state                       |
-| Offline                                                   | Poza siecią                                                              | site state                       |
-| Edit →                                                    | Edytuj →                                                                 |                                  |
-| View settings                                             | Pokaż ustawienia                                                         | Popup after clicking “…” on site |
-| Delete                                                    | Usuń                                                                     | Popup after clicking “…” on site |
-##### Add Site Popup
-
-| EN                                                     | PL                                                  | Notes       |
-| ------------------------------------------------------ | --------------------------------------------------- | ----------- |
-| Create Site                                            | Utwórz witrynę                                      |             |
-| Create a new site to start connection for this site    | Utwórz nową witrynę aby rozpocząć połączenie        |             |
-| Name                                                   | Nazwa                                               |             |
-| Site name                                              | Nazwa witryny                                       | placeholder |
-| This is the name that will be displayed for this site. | Tak będzie wyświetlana twoja witryna                | desc        |
-| Method                                                 | Metoda                                              |             |
-| Local                                                  | Lokalna                                             |             |
-| Newt                                                   | Newt                                                |             |
-| WireGuard                                              | WireGuard                                           |             |
-| This is how you will expose connections.               | Tak będą eksponowane połączenie.                    |             |
-| You will only be able to see the configuration once.   | Tą konfigurację możesz zobaczyć tylko raz.          |             |
-| Learn how to install Newt on your system               | Dowiedz się jak zainstalować Newt na twoim systemie |             |
-| I have copied the config                               | Skopiowałem konfigurację                            |             |
-| Create Site                                            | Utwórz witrynę                                      |             |
-| Close                                                  | Zamknij                                             |             |
-
-## Main “Resources”
-
-##### “Hero” section
-
-| EN                                                                                                                                                                                                                                                                                   | PL                                                                                                                                                                                                                                                                                   | Notes |
-| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----- |
-| Resources                                                                                                                                                                                                                                                                            | Zasoby                                                                                                                                                                                                                                                                               |       |
-| Zasoby to serwery proxy dla aplikacji działających w Twojej prywatnej sieci. Utwórz zasób dla dowolnej aplikacji HTTP lub HTTPS w swojej prywatnej sieci. Każdy zasób musi być połączony z witryną, aby umożliwić prywatne i bezpieczne połączenie przez szyfrowany tunel WireGuard. | Zasoby to serwery proxy dla aplikacji działających w Twojej prywatnej sieci. Utwórz zasób dla dowolnej aplikacji HTTP lub HTTPS w swojej prywatnej sieci. Każdy zasób musi być połączony z witryną, aby umożliwić prywatne i bezpieczne połączenie przez szyfrowany tunel WireGuard. |       |
-| Secure connectivity with WireGuard encryption                                                                                                                                                                                                                                        | Bezpieczna łączność z szyfrowaniem WireGuard                                                                                                                                                                                                                                         |       |
-| Configure multiple authentication methods                                                                                                                                                                                                                                            | Konfigurowanie wielu metod uwierzytelniania                                                                                                                                                                                                                                          |       |
-| User and role-based access control                                                                                                                                                                                                                                                   | Kontrola dostępu oparta na użytkownikach i rolach                                                                                                                                                                                                                                    |       |
-##### Content
-
-| EN                                                 | PL                                                             | Notes                |
-| -------------------------------------------------- | -------------------------------------------------------------- | -------------------- |
-| Manage Resources                                   | Zarządzaj zasobami                                             |                      |
-| Create secure proxies to your private applications | Twórz bezpieczne serwery proxy dla swoich prywatnych aplikacji |                      |
-| Search resources                                   | Szukaj w zasobach                                              | placeholder          |
-| Name                                               | Nazwa                                                          |                      |
-| Site                                               | Witryna                                                        |                      |
-| Full URL                                           | Pełny URL                                                      |                      |
-| Authentication                                     | Uwierzytelnianie                                               |                      |
-| Not Protected                                      | Niezabezpieczony                                               | authentication state |
-| Protected                                          | Zabezpieczony                                                  | authentication state |
-| Edit →                                             | Edytuj →                                                       |                      |
-| Add Resource                                       | Dodaj zasób                                                    |                      |
-##### Add Resource Popup
-
-| EN                                                                                | PL                                                                     | Notes               |
-| --------------------------------------------------------------------------------- | ---------------------------------------------------------------------- | ------------------- |
-| Create Resource                                                                   | Utwórz zasób                                                           |                     |
-| Create a new resource to proxy request to your app                                | Utwórz nowy zasób, aby przekazywać żądania do swojej aplikacji         |                     |
-| Name                                                                              | Nazwa                                                                  |                     |
-| My Resource                                                                       | Nowy zasób                                                             | name placeholder    |
-| This is the name that will be displayed for this resource.                        | To jest nazwa, która będzie wyświetlana dla tego zasobu                |                     |
-| Subdomain                                                                         | Subdomena                                                              |                     |
-| Enter subdomain                                                                   | Wprowadź subdomenę                                                     |                     |
-| This is the fully qualified domain name that will be used to access the resource. | To jest pełna nazwa domeny, która będzie używana do dostępu do zasobu. |                     |
-| Site                                                                              | Witryna                                                                |                     |
-| Search site…                                                                      | Szukaj witryny…                                                        | Site selector popup |
-| This is the site that will be used in the dashboard.                              | To jest witryna, która będzie używana w pulpicie nawigacyjnym.         |                     |
-| Create Resource                                                                   | Utwórz zasób                                                           |                     |
-| Close                                                                             | Zamknij                                                                |                     |
-
-
-## Main “User & Roles”
-##### Content
-
-| EN                                                                       | PL                                                                                   | Notes                         |
-| ------------------------------------------------------------------------ | ------------------------------------------------------------------------------------ | ----------------------------- |
-| Manage User & Roles                                                      | Zarządzanie użytkownikami i rolami                                                   |                               |
-| Invite users and add them to roles to manage access to your organization | Zaproś użytkowników i przypisz im role, aby zarządzać dostępem do Twojej organizacji |                               |
-| Users                                                                    | Użytkownicy                                                                          | sidebar item                  |
-| Roles                                                                    | Role                                                                                 | sidebar item                  |
-| **User tab**                                                             |                                                                                      |                               |
-| Search users                                                             | Wyszukaj użytkownika                                                                 | placeholder                   |
-| Invite User                                                              | Zaproś użytkownika                                                                   | addbutton                     |
-| Email                                                                    | Email                                                                                | table header                  |
-| Status                                                                   | Status                                                                               | table header                  |
-| Role                                                                     | Rola                                                                                 | table header                  |
-| Confirmed                                                                | Zatwierdzony                                                                         | account status                |
-| Not confirmed (?)                                                        | Niezatwierdzony (?)                                                                  | unknown for me account status |
-| Owner                                                                    | Właściciel                                                                           | role                          |
-| Admin                                                                    | Administrator                                                                        | role                          |
-| Member                                                                   | Użytkownik                                                                           | role                          |
-| **Roles Tab**                                                            |                                                                                      |                               |
-| Search roles                                                             | Wyszukaj role                                                                        | placeholder                   |
-| Add Role                                                                 | Dodaj role                                                                           | addbutton                     |
-| Name                                                                     | Nazwa                                                                                | table header                  |
-| Description                                                              | Opis                                                                                 | table header                  |
-| Admin                                                                    | Administrator                                                                        | role                          |
-| Member                                                                   | Użytkownik                                                                           | role                          |
-| Admin role with the most permissions                                     | Rola administratora z najszerszymi uprawnieniami                                     | admin role desc               |
-| Members can only view resources                                          | Członkowie mogą jedynie przeglądać zasoby                                            | member role desc              |
-
-##### Invite User popup
-
-| EN                | PL                                         | Notes       |
-| ----------------- | ------------------------------------------ | ----------- |
-| Invite User       | Give new users access to your organization |             |
-| Email             | Email                                      |             |
-| Enter an email    | Wprowadź email                             | placeholder |
-| Role              | Rola                                       |             |
-| Select role       | Wybierz role                               | placeholder |
-| Vaild for         | Ważne do                                   |             |
-| 1 day             | Dzień                                      |             |
-| 2 days            | 2 dni                                      |             |
-| 3 days            | 3 dni                                      |             |
-| 4 days            | 4 dni                                      |             |
-| 5 days            | 5 dni                                      |             |
-| 6 days            | 6 dni                                      |             |
-| 7 days            | 7 dni                                      |             |
-| Create Invitation | Utwórz zaproszenie                         |             |
-| Close             | Zamknij                                    |             |
-
-
-## Main “Shareable Links”
-##### “Hero” section
-
-| EN                                                                                                                                                                                 | PL                                                                                                                                                                                | Notes |
-| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
-| Shareable Links                                                                                                                                                                    | Łącza do udostępniania                                                                                                                                                            |       |
-| Create shareable links to your resources. Links provide temporary or unlimited access to your resource. You can configure the expiration duration of the link when you create one. | Twórz linki do udostępniania swoich zasobów. Linki zapewniają tymczasowy lub nieograniczony dostęp do zasobu. Możesz skonfigurować czas wygaśnięcia linku podczas jego tworzenia. |       |
-| Easy to create and share                                                                                                                                                           | Łatwe tworzenie i udostępnianie                                                                                                                                                   |       |
-| Configurable expiration duration                                                                                                                                                   | Konfigurowalny czas wygaśnięcia                                                                                                                                                   |       |
-| Secure and revocable                                                                                                                                                               | Bezpieczne i odwołalne                                                                                                                                                            |       |
-##### Content
-
-| EN                                                                              | PL                                                                                          | Notes             |
-| ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------- | ----------------- |
-| Manage Shareable Links                                                          | Zarządzaj łączami do udostępniania                                                          |                   |
-| Create shareable links to grant temporary or permament access to your resources | Utwórz łącze do udostępniania w celu przyznania tymczasowego lub stałego dostępu do zasobów |                   |
-| Search links                                                                    | Szukaj łączy                                                                                | placeholder       |
-| Create Share Link                                                               | Utwórz nowe łącze                                                                           | addbutton         |
-| Resource                                                                        | Zasób                                                                                       | table header      |
-| Title                                                                           | Tytuł                                                                                       | table header      |
-| Created                                                                         | Utworzone                                                                                   | table header      |
-| Expires                                                                         | Wygasa                                                                                      | table header      |
-| No links. Create one to get started.                                            | Brak łączy. Utwórz, aby rozpocząć.                                                          | table placeholder |
-
-##### Create Shareable Link popup
-
-| EN                                                                                                                                                                                                    | PL                                                                                                                                                                                             | Notes                   |
-| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------- |
-| Create Shareable Link                                                                                                                                                                                 | Utwórz łącze do udostępnienia                                                                                                                                                                  |                         |
-| Anyone with this link can access the resource                                                                                                                                                         | Każdy kto ma ten link może korzystać z zasobu                                                                                                                                                  |                         |
-| Resource                                                                                                                                                                                              | Zasób                                                                                                                                                                                          |                         |
-| Select resource                                                                                                                                                                                       | Wybierz zasób                                                                                                                                                                                  |                         |
-| Search resources…                                                                                                                                                                                     | Szukaj zasobów…                                                                                                                                                                                | resource selector popup |
-| Title (optional)                                                                                                                                                                                      | Tytuł (opcjonalny)                                                                                                                                                                             |                         |
-| Enter title                                                                                                                                                                                           | Wprowadź tytuł                                                                                                                                                                                 | placeholder             |
-| Expire in                                                                                                                                                                                             | Wygasa za                                                                                                                                                                                      |                         |
-| Minutes                                                                                                                                                                                               | Minut                                                                                                                                                                                          |                         |
-| Hours                                                                                                                                                                                                 | Godzin                                                                                                                                                                                         |                         |
-| Days                                                                                                                                                                                                  | Dni                                                                                                                                                                                            |                         |
-| Months                                                                                                                                                                                                | Miesięcy                                                                                                                                                                                       |                         |
-| Years                                                                                                                                                                                                 | Lat                                                                                                                                                                                            |                         |
-| Never expire                                                                                                                                                                                          | Nie wygasa                                                                                                                                                                                     |                         |
-| Expiration time is how long the link will be usable and provide access to the resource. After this time, the link will no longer work, and users who used this link will lose access to the resource. | Czas wygaśnięcia to okres, przez który link będzie aktywny i zapewni dostęp do zasobu. Po upływie tego czasu link przestanie działać, a użytkownicy, którzy go użyli, stracą dostęp do zasobu. |                         |
-| Create Link                                                                                                                                                                                           | Utwórz łącze                                                                                                                                                                                   |                         |
-| Close                                                                                                                                                                                                 | Zamknij                                                                                                                                                                                        |                         |
-
-
-## Main “General”
-
-| EN                                                                   | PL                                                                  | Notes        |
-| -------------------------------------------------------------------- | ------------------------------------------------------------------- | ------------ |
-| General                                                              | Ogólne                                                              |              |
-| Configure your organization’s general settings                       | Zarządzaj ogólnymi ustawieniami twoich organizacji                  |              |
-| General                                                              | Ogólne                                                              | sidebar item |
-| Organization Settings                                                | Ustawienia organizacji                                              |              |
-| Manage your organization details and configuration                   | Zarządzaj szczegółami i konfiguracją organizacji                    |              |
-| Name                                                                 | Nazwa                                                               |              |
-| This is the display name of the org                                  | To jest wyświetlana nazwa Twojej organizacji                        |              |
-| Save Settings                                                        | Zapisz ustawienia                                                   |              |
-| Danger Zone                                                          | Niebezpieczna strefa                                                |              |
-| Once you delete this org, there is no going back. Please be certain. | Jeśli usuniesz swoją tą organizację, nie ma odwrotu. Bądź ostrożny! |              |
-| Delete Organization Data                                             | Usuń dane organizacji                                               |              |

next.config.mjs

@@ -1,9 +1,13 @@
-/** @type {import('next').NextConfig} */
+import createNextIntlPlugin from "next-intl/plugin";
+
+const withNextIntl = createNextIntlPlugin();
+
+/** @type {import("next").NextConfig} */
 const nextConfig = {
     eslint: {
-        ignoreDuringBuilds: true,
+        ignoreDuringBuilds: true
     },
     output: "standalone"
 };
 
-export default nextConfig;
+export default withNextIntl(nextConfig);

package.json

@@ -12,105 +12,134 @@
     "license": "SEE LICENSE IN LICENSE AND README.md",
     "scripts": {
         "dev": "NODE_ENV=development ENVIRONMENT=dev tsx watch server/index.ts",
-        "db:generate": "drizzle-kit generate",
-        "db:push": "npx tsx server/db/migrate.ts",
-        "db:studio": "drizzle-kit studio",
-        "build": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrations.ts -o dist/migrations.mjs",
-        "start": "NODE_OPTIONS=--enable-source-maps NODE_ENV=development ENVIRONMENT=prod sh -c 'node dist/migrations.mjs && node dist/server.mjs'",
-        "email": "email dev --dir server/emails/templates --port 3005"
+        "db:pg:generate": "drizzle-kit generate --config=./drizzle.pg.config.ts",
+        "db:sqlite:generate": "drizzle-kit generate --config=./drizzle.sqlite.config.ts",
+        "db:pg:push": "npx tsx server/db/pg/migrate.ts",
+        "db:sqlite:push": "npx tsx server/db/sqlite/migrate.ts",
+        "db:sqlite:studio": "drizzle-kit studio --config=./drizzle.sqlite.config.ts",
+        "db:pg:studio": "drizzle-kit studio --config=./drizzle.pg.config.ts",
+        "db:clear-migrations": "rm -rf server/migrations",
+        "build:sqlite": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsSqlite.ts -o dist/migrations.mjs",
+        "build:pg": "mkdir -p dist && next build && node esbuild.mjs -e server/index.ts -o dist/server.mjs && node esbuild.mjs -e server/setup/migrationsPg.ts -o dist/migrations.mjs",
+        "start:sqlite": "DB_TYPE=sqlite NODE_OPTIONS=--enable-source-maps NODE_ENV=development ENVIRONMENT=prod sh -c 'node dist/migrations.mjs && node dist/server.mjs'",
+        "start:pg": "DB_TYPE=pg NODE_OPTIONS=--enable-source-maps NODE_ENV=development ENVIRONMENT=prod sh -c 'node dist/migrations.mjs && node dist/server.mjs'",
+        "email": "email dev --dir server/emails/templates --port 3005",
+        "build:cli": "node esbuild.mjs -e cli/index.ts -o dist/cli.mjs"
     },
     "dependencies": {
+        "@asteasolutions/zod-to-openapi": "^7.3.4",
         "@hookform/resolvers": "3.9.1",
-        "@node-rs/argon2": "2.0.2",
+        "@node-rs/argon2": "^2.0.2",
         "@oslojs/crypto": "1.0.1",
         "@oslojs/encoding": "1.1.0",
-        "@radix-ui/react-avatar": "1.1.2",
-        "@radix-ui/react-checkbox": "1.1.3",
-        "@radix-ui/react-collapsible": "1.1.2",
-        "@radix-ui/react-dialog": "1.1.4",
-        "@radix-ui/react-dropdown-menu": "2.1.4",
+        "@radix-ui/react-avatar": "1.1.10",
+        "@radix-ui/react-checkbox": "1.3.2",
+        "@radix-ui/react-collapsible": "1.1.11",
+        "@radix-ui/react-dialog": "1.1.14",
+        "@radix-ui/react-dropdown-menu": "2.1.15",
         "@radix-ui/react-icons": "1.3.2",
-        "@radix-ui/react-label": "2.1.1",
-        "@radix-ui/react-popover": "1.1.4",
-        "@radix-ui/react-radio-group": "1.2.2",
-        "@radix-ui/react-select": "2.1.4",
-        "@radix-ui/react-separator": "1.1.1",
-        "@radix-ui/react-slot": "1.1.1",
-        "@radix-ui/react-switch": "1.1.2",
-        "@radix-ui/react-tabs": "1.1.2",
-        "@radix-ui/react-toast": "1.2.4",
-        "@react-email/components": "0.0.31",
-        "@react-email/tailwind": "1.0.4",
-        "@tanstack/react-table": "8.20.6",
-        "axios": "1.7.9",
+        "@radix-ui/react-label": "2.1.7",
+        "@radix-ui/react-popover": "1.1.14",
+        "@radix-ui/react-progress": "^1.1.7",
+        "@radix-ui/react-radio-group": "1.3.7",
+        "@radix-ui/react-scroll-area": "^1.2.9",
+        "@radix-ui/react-select": "2.2.5",
+        "@radix-ui/react-separator": "1.1.7",
+        "@radix-ui/react-slot": "1.2.3",
+        "@radix-ui/react-switch": "1.2.5",
+        "@radix-ui/react-tabs": "1.1.12",
+        "@radix-ui/react-toast": "1.2.14",
+        "@react-email/components": "0.1.0",
+        "@react-email/render": "^1.1.2",
+        "@react-email/tailwind": "1.0.5",
+        "@tailwindcss/forms": "^0.5.10",
+        "@tanstack/react-table": "8.21.3",
+        "arctic": "^3.7.0",
+        "axios": "1.10.0",
         "better-sqlite3": "11.7.0",
+        "canvas-confetti": "1.9.3",
         "class-variance-authority": "0.7.1",
         "clsx": "2.1.1",
-        "cmdk": "1.0.4",
+        "cmdk": "1.1.1",
+        "cookie": "^1.0.2",
         "cookie-parser": "1.4.7",
+        "cookies": "^0.9.1",
         "cors": "2.8.5",
-        "drizzle-orm": "0.38.3",
-        "eslint": "9.17.0",
-        "eslint-config-next": "15.1.3",
+        "crypto-js": "^4.2.0",
+        "drizzle-orm": "0.44.2",
+        "eslint": "9.29.0",
+        "eslint-config-next": "15.3.4",
         "express": "4.21.2",
-        "express-rate-limit": "7.5.0",
-        "glob": "11.0.0",
-        "helmet": "8.0.0",
+        "express-rate-limit": "7.5.1",
+        "glob": "11.0.3",
+        "helmet": "8.1.0",
         "http-errors": "2.0.0",
         "i": "^0.3.7",
-        "input-otp": "1.4.1",
+        "input-otp": "1.4.2",
+        "jmespath": "^0.16.0",
         "js-yaml": "4.1.0",
-        "lucide-react": "0.469.0",
+        "jsonwebtoken": "^9.0.2",
+        "lucide-react": "0.522.0",
         "moment": "2.30.1",
-        "next": "15.1.3",
-        "next-themes": "0.4.4",
+        "next": "15.3.4",
+        "next-intl": "^4.1.0",
+        "next-themes": "0.4.6",
         "node-cache": "5.1.2",
         "node-fetch": "3.3.2",
-        "nodemailer": "6.9.16",
-        "npm": "^11.2.0",
+        "nodemailer": "7.0.3",
+        "npm": "^11.4.2",
         "oslo": "1.2.1",
+        "pg": "^8.16.2",
         "qrcode.react": "4.2.0",
-        "react": "19.0.0",
-        "react-dom": "19.0.0",
+        "react": "19.1.0",
+        "react-dom": "19.1.0",
         "react-easy-sort": "^1.6.0",
-        "react-hook-form": "7.54.2",
+        "react-hook-form": "7.58.1",
         "react-icons": "^5.5.0",
         "rebuild": "0.1.2",
-        "semver": "7.6.3",
-        "tailwind-merge": "2.6.0",
-        "tailwindcss-animate": "1.0.7",
+        "semver": "7.7.2",
+        "swagger-ui-express": "^5.0.1",
+        "tailwind-merge": "3.3.1",
+        "tw-animate-css": "^1.3.3",
+        "uuid": "^11.1.0",
         "vaul": "1.1.2",
         "winston": "3.17.0",
         "winston-daily-rotate-file": "5.0.0",
-        "ws": "8.18.0",
-        "zod": "3.24.1",
-        "zod-validation-error": "3.4.0"
+        "ws": "8.18.2",
+        "zod": "3.25.67",
+        "zod-validation-error": "3.5.2",
+        "yargs": "18.0.0"
     },
     "devDependencies": {
-        "@dotenvx/dotenvx": "1.32.0",
+        "@dotenvx/dotenvx": "1.45.1",
         "@esbuild-plugins/tsconfig-paths": "0.1.2",
+        "@tailwindcss/postcss": "^4.1.10",
         "@types/better-sqlite3": "7.6.12",
-        "@types/cookie-parser": "1.4.8",
-        "@types/cors": "2.8.17",
+        "@types/cookie-parser": "1.4.9",
+        "@types/cors": "2.8.19",
+        "@types/crypto-js": "^4.2.2",
         "@types/express": "5.0.0",
+        "@types/jmespath": "^0.15.2",
         "@types/js-yaml": "4.0.9",
-        "@types/node": "^22",
+        "@types/jsonwebtoken": "^9.0.10",
+        "@types/node": "^24",
         "@types/nodemailer": "6.4.17",
-        "@types/react": "19.0.2",
-        "@types/react-dom": "19.0.2",
-        "@types/semver": "7.5.8",
-        "@types/ws": "8.5.13",
+        "@types/react": "19.1.8",
+        "@types/react-dom": "19.1.6",
+        "@types/semver": "7.7.0",
+        "@types/swagger-ui-express": "^4.1.8",
+        "@types/ws": "8.18.1",
         "@types/yargs": "17.0.33",
-        "drizzle-kit": "0.30.1",
-        "esbuild": "0.24.2",
-        "esbuild-node-externals": "1.16.0",
+        "drizzle-kit": "0.31.2",
+        "esbuild": "0.25.5",
+        "esbuild-node-externals": "1.18.0",
         "postcss": "^8",
-        "react-email": "3.0.4",
-        "tailwindcss": "^3.4.17",
-        "tsc-alias": "1.8.10",
-        "tsx": "4.19.2",
+        "react-email": "4.0.16",
+        "tailwindcss": "^4.1.4",
+        "tsc-alias": "1.8.16",
+        "tsx": "4.20.3",
         "typescript": "^5",
-        "yargs": "17.7.2"
+        "typescript-eslint": "^8.35.0"
     },
     "overrides": {
         "emblor": {

postcss.config.mjs

@@ -1,7 +1,7 @@
 /** @type {import('postcss-load-config').Config} */
 const config = {
     plugins: {
-        tailwindcss: {},
+        "@tailwindcss/postcss": {},
     },
 };
 

public/logo/pangolin_black.svg

@@ -1,22 +1,21 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
 <svg
+   width="900.82861"
+   height="955.20648"
+   viewBox="0 0 238.34422 252.7317"
    version="1.1"
-   x="0px"
-   y="0px"
-   viewBox="0 0 399.99999 400.00002"
-   enable-background="new 0 0 419.528 419.528"
-   xml:space="preserve"
-   id="svg52"
-   sodipodi:docname="noun-pangolin-1798092.svg"
-   width="400"
-   height="400"
-   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
+   id="svg420"
+   inkscape:export-filename="logo.svg"
+   inkscape:export-xdpi="221.14999"
+   inkscape:export-ydpi="221.14999"
    xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
    xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
    xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg"><defs
-     id="defs56" /><sodipodi:namedview
-     id="namedview54"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <sodipodi:namedview
+     id="namedview422"
      pagecolor="#ffffff"
      bordercolor="#666666"
      borderopacity="1.0"
@@ -24,15 +23,18 @@
      inkscape:pageopacity="0.0"
      inkscape:pagecheckerboard="0"
      inkscape:deskcolor="#d1d1d1"
-     showgrid="false"
-     inkscape:zoom="1.9583914"
-     inkscape:cx="209.86611"
-     inkscape:cy="262.20499"
-     inkscape:window-width="3840"
-     inkscape:window-height="2136"
-     inkscape:window-x="0"
-     inkscape:window-y="0"
-     inkscape:window-maximized="1"
-     inkscape:current-layer="svg52" /><path
-     d="m 62.232921,184.91974 c 0,2.431 -1.97,4.402 -4.399,4.402 -2.429,0 -4.399,-1.972 -4.399,-4.402 0,-2.429 1.97,-4.399 4.399,-4.399 2.429,-10e-4 4.399,1.97 4.399,4.399 z m 58.993999,-4.821 c -25.943999,-2.826 -38.978999,7.453 -71.181999,31.357 -27.572,20.467 -32.767,4.381 -31.748,-2.614 1.499,-10.282 25.222,-58.573 48.079,-88.461 28.273,7.34 49.869999,30.727 54.850999,59.718 z m -55.915999,4.821 c 0,-4.131 -3.349,-7.478 -7.478,-7.478 -4.129,0 -7.478,3.347 -7.478,7.478 0,4.131 3.349,7.481 7.478,7.481 4.13,0 7.478,-3.35 7.478,-7.481 z m -15.032,48.424 -0.234,14.041 20.413,22.687 -9.818,7.353 33.306,27.492 -11.759,8.124 42.631999,19.939 -10.825,9.747 48.291,8.078 -7.526,10.307 48.758,-4.531 -3.997,11.725 53.916,-18.153 -2.76,13.357 48.077,-34.345 1.479,13.562 34.087,-48.576 7.478,14.206 15.187,-58.89 10.391,8.533 -2.14,-57.884 13.814,5.13 -21.082,-51.204 13.404,0.048 -33.696,-42.131 15.312,-1.366 -47.026,-32.831002 14.255,-8.399 -54.817,-14.682 9.257,-11.695 -49.625,0.352 0.6,-13.337 -38.537,14.084 -1.597,-12.689 -29.984,21.429 -6.446,-10.852 -22.59,26.504 -7.021,-9.572 -18.923,30.294 -9.595999,-8.744 -16.754,30.138002 c 31.509999,10.197 54.979999,37.951 59.126999,71.547 0.404,0.087 -22.37,31.257 10.955,57.85 -0.576,-2.985 -6.113,-53.902 47.496,-57.61 26.668,-1.844 48.4,21.666 48.4,48.399 0,8.184 -2.05,15.883 -5.636,22.64 -15.927,29.611 -64.858,30.755 -80.429,30.596 -45.154,-0.459 -104.051999,-51.521 -104.051999,-51.521 z"
-     id="path46" /></svg>
+     inkscape:document-units="mm"
+     showgrid="false" />
+  <defs
+     id="defs417" />
+  <g
+     inkscape:label="Layer 1"
+     inkscape:groupmode="layer"
+     id="layer1"
+     transform="translate(-13.119542,-5.9258171)">
+    <path
+       d="m 213.66176,90.072122 c 4.95655,0 8.97383,4.018046 8.97383,8.973827 0,4.956581 -4.01728,8.974621 -8.97383,8.974621 -4.95657,0 -8.97462,-4.01804 -8.97462,-8.974621 0,-4.955781 4.01805,-8.973827 8.97462,-8.973827 z m 35.2316,37.450998 c -0.90048,29.80928 -23.66033,69.21262 -54.51292,79.34466 -36.04206,11.836 -63.40991,-5.92226 -72.08409,-26.74061 -6.75754,-16.21966 -1.65117,-35.62363 10.96266,-43.83669 10.6506,-6.93533 30.48543,-8.76736 47.15454,2.19144 -5.85627,-15.34246 -21.62491,-25.4256 -35.59101,-28.49424 -13.96613,-3.06867 -28.38324,0.43858 -38.74504,5.69946 13.29071,-14.68572 44.40801,-28.946049 78.24077,-10.95958 22.67676,12.05491 32.43775,28.93208 42.0489,51.72763 C 251.59637,117.87858 234.026,71.411066 203.39074,43.794029 172.15544,15.636686 129.95516,4.340214 97.668803,6.103155 108.32483,12.678273 120.84625,22.06586 132.41209,33.053363 81.298533,26.697169 39.174705,38.314245 13.119542,73.749217 27.67508,70.878527 46.868833,69.073666 65.974711,70.016861 28.737658,96.252107 7.1124298,140.38147 18.105298,186.43137 c 6.718497,-11.74129 16.767711,-25.84558 28.726275,-38.62863 -3.677175,34.36994 1.42836,80.83745 45.62293,110.85478 -2.25587,-9.42394 -4.08014,-20.88443 -4.91466,-33.0154 20.673197,16.1282 50.685067,29.42205 87.917917,20.24096 65.77679,-16.21975 83.34719,-79.78335 73.4356,-118.35996"
+       style="fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.0776283"
+       id="path32" />
+  </g>
+</svg>

public/logo/pangolin_orange.svg

@@ -1,39 +1,22 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
 <svg
+   width="900.82861"
+   height="955.20648"
+   viewBox="0 0 238.34422 252.7317"
    version="1.1"
-   x="0px"
-   y="0px"
-   viewBox="0 0 399.99999 400.00002"
-   enable-background="new 0 0 419.528 419.528"
-   xml:space="preserve"
-   id="svg52"
-   sodipodi:docname="pangolin_orange.svg"
-   width="400"
-   height="400"
-   inkscape:version="1.2.2 (b0a8486541, 2022-12-01)"
-   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
-   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   id="svg420"
    xmlns="http://www.w3.org/2000/svg"
-   xmlns:svg="http://www.w3.org/2000/svg"><defs
-     id="defs56" /><sodipodi:namedview
-     id="namedview54"
-     pagecolor="#ffffff"
-     bordercolor="#666666"
-     borderopacity="1.0"
-     inkscape:showpageshadow="2"
-     inkscape:pageopacity="0.0"
-     inkscape:pagecheckerboard="0"
-     inkscape:deskcolor="#d1d1d1"
-     showgrid="false"
-     inkscape:zoom="1.9583914"
-     inkscape:cx="127.40048"
-     inkscape:cy="262.71561"
-     inkscape:window-width="1436"
-     inkscape:window-height="1236"
-     inkscape:window-x="2208"
-     inkscape:window-y="511"
-     inkscape:window-maximized="0"
-     inkscape:current-layer="svg52" /><path
-     d="m 62.232921,184.91974 c 0,2.431 -1.97,4.402 -4.399,4.402 -2.429,0 -4.399,-1.972 -4.399,-4.402 0,-2.429 1.97,-4.399 4.399,-4.399 2.429,-10e-4 4.399,1.97 4.399,4.399 z m 58.993999,-4.821 c -25.943999,-2.826 -38.978999,7.453 -71.181999,31.357 -27.572,20.467 -32.767,4.381 -31.748,-2.614 1.499,-10.282 25.222,-58.573 48.079,-88.461 28.273,7.34 49.869999,30.727 54.850999,59.718 z m -55.915999,4.821 c 0,-4.131 -3.349,-7.478 -7.478,-7.478 -4.129,0 -7.478,3.347 -7.478,7.478 0,4.131 3.349,7.481 7.478,7.481 4.13,0 7.478,-3.35 7.478,-7.481 z m -15.032,48.424 -0.234,14.041 20.413,22.687 -9.818,7.353 33.306,27.492 -11.759,8.124 42.631999,19.939 -10.825,9.747 48.291,8.078 -7.526,10.307 48.758,-4.531 -3.997,11.725 53.916,-18.153 -2.76,13.357 48.077,-34.345 1.479,13.562 34.087,-48.576 7.478,14.206 15.187,-58.89 10.391,8.533 -2.14,-57.884 13.814,5.13 -21.082,-51.204 13.404,0.048 -33.696,-42.131 15.312,-1.366 -47.026,-32.831002 14.255,-8.399 -54.817,-14.682 9.257,-11.695 -49.625,0.352 0.6,-13.337 -38.537,14.084 -1.597,-12.689 -29.984,21.429 -6.446,-10.852 -22.59,26.504 -7.021,-9.572 -18.923,30.294 -9.595999,-8.744 -16.754,30.138002 c 31.509999,10.197 54.979999,37.951 59.126999,71.547 0.404,0.087 -22.37,31.257 10.955,57.85 -0.576,-2.985 -6.113,-53.902 47.496,-57.61 26.668,-1.844 48.4,21.666 48.4,48.399 0,8.184 -2.05,15.883 -5.636,22.64 -15.927,29.611 -64.858,30.755 -80.429,30.596 -45.154,-0.459 -104.051999,-51.521 -104.051999,-51.521 z"
-     id="path46"
-     style="fill:#f97315;fill-opacity:1" /></svg>
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs417" />
+  <g
+     id="layer1"
+     transform="translate(-13.119542,-5.9258171)">
+    <path
+       d="m 213.66176,90.072122 c 4.95655,0 8.97383,4.018046 8.97383,8.973827 0,4.956581 -4.01728,8.974621 -8.97383,8.974621 -4.95657,0 -8.97462,-4.01804 -8.97462,-8.974621 0,-4.955781 4.01805,-8.973827 8.97462,-8.973827 z m 35.2316,37.450998 c -0.90048,29.80928 -23.66033,69.21262 -54.51292,79.34466 -36.04206,11.836 -63.40991,-5.92226 -72.08409,-26.74061 -6.75754,-16.21966 -1.65117,-35.62363 10.96266,-43.83669 10.6506,-6.93533 30.48543,-8.76736 47.15454,2.19144 -5.85627,-15.34246 -21.62491,-25.4256 -35.59101,-28.49424 -13.96613,-3.06867 -28.38324,0.43858 -38.74504,5.69946 13.29071,-14.68572 44.40801,-28.946049 78.24077,-10.95958 22.67676,12.05491 32.43775,28.93208 42.0489,51.72763 C 251.59637,117.87858 234.026,71.411066 203.39074,43.794029 172.15544,15.636686 129.95516,4.340214 97.668803,6.103155 108.32483,12.678273 120.84625,22.06586 132.41209,33.053363 81.298533,26.697169 39.174705,38.314245 13.119542,73.749217 27.67508,70.878527 46.868833,69.073666 65.974711,70.016861 28.737658,96.252107 7.1124298,140.38147 18.105298,186.43137 c 6.718497,-11.74129 16.767711,-25.84558 28.726275,-38.62863 -3.677175,34.36994 1.42836,80.83745 45.62293,110.85478 -2.25587,-9.42394 -4.08014,-20.88443 -4.91466,-33.0154 20.673197,16.1282 50.685067,29.42205 87.917917,20.24096 65.77679,-16.21975 83.34719,-79.78335 73.4356,-118.35996"
+       style="fill:#f36118;fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:0.0776283"
+       id="path32" />
+  </g>
+</svg>

server/apiServer.ts

@@ -14,14 +14,15 @@ import { logIncomingMiddleware } from "./middlewares/logIncoming";
 import { csrfProtectionMiddleware } from "./middlewares/csrfProtection";
 import helmet from "helmet";
 
-const dev = process.env.ENVIRONMENT !== "prod";
+const dev = config.isDev;
 const externalPort = config.getRawConfig().server.external_port;
 
 export function createApiServer() {
     const apiServer = express();
 
-    if (config.getRawConfig().server.trust_proxy) {
-        apiServer.set("trust proxy", 1);
+    const trustProxy = config.getRawConfig().server.trust_proxy;
+    if (trustProxy) {
+        apiServer.set("trust proxy", trustProxy);
     }
 
     const corsConfig = config.getRawConfig().server.cors;

server/auth/actions.ts

@@ -1,11 +1,14 @@
 import { Request } from "express";
 import { db } from "@server/db";
-import { userActions, roleActions, userOrgs } from "@server/db/schema";
+import { userActions, roleActions, userOrgs } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import createHttpError from "http-errors";
 import HttpCode from "@server/types/HttpCode";
 
 export enum ActionsEnum {
+    createOrgUser = "createOrgUser",
+    listOrgs = "listOrgs",
+    listUserOrgs = "listUserOrgs",
     createOrg = "createOrg",
     // deleteOrg = "deleteOrg",
     getOrg = "getOrg",
@@ -32,6 +35,8 @@ export enum ActionsEnum {
     listRoles = "listRoles",
     updateRole = "updateRole",
     inviteUser = "inviteUser",
+    listInvitations = "listInvitations",
+    removeInvitation = "removeInvitation",
     removeUser = "removeUser",
     listUsers = "listUsers",
     listSiteRoles = "listSiteRoles",
@@ -63,6 +68,24 @@ export enum ActionsEnum {
     listResourceRules = "listResourceRules",
     updateResourceRule = "updateResourceRule",
     listOrgDomains = "listOrgDomains",
+    createNewt = "createNewt",
+    createIdp = "createIdp",
+    updateIdp = "updateIdp",
+    deleteIdp = "deleteIdp",
+    listIdps = "listIdps",
+    getIdp = "getIdp",
+    createIdpOrg = "createIdpOrg",
+    deleteIdpOrg = "deleteIdpOrg",
+    listIdpOrgs = "listIdpOrgs",
+    updateIdpOrg = "updateIdpOrg",
+    checkOrgId = "checkOrgId",
+    createApiKey = "createApiKey",
+    deleteApiKey = "deleteApiKey",
+    setApiKeyActions = "setApiKeyActions",
+    setApiKeyOrgs = "setApiKeyOrgs",
+    listApiKeyActions = "listApiKeyActions",
+    listApiKeys = "listApiKeys",
+    getApiKey = "getApiKey"
 }
 
 export async function checkUserActionPermission(

server/auth/canUserAccessResource.ts

@@ -1,6 +1,6 @@
-import db from "@server/db";
+import { db } from "@server/db";
 import { and, eq } from "drizzle-orm";
-import { roleResources, userResources } from "@server/db/schema";
+import { roleResources, userResources } from "@server/db";
 
 export async function canUserAccessResource({
     userId,

server/auth/checkValidInvite.ts

@@ -1,5 +1,5 @@
-import db from "@server/db";
-import { UserInvite, userInvites } from "@server/db/schema";
+import { db } from "@server/db";
+import { UserInvite, userInvites } from "@server/db";
 import { isWithinExpirationDate } from "oslo";
 import { verifyPassword } from "./password";
 import { eq } from "drizzle-orm";

server/auth/limits.ts

@@ -1,5 +1,5 @@
 import { db } from '@server/db';
-import { limitsTable } from '@server/db/schema';
+import { limitsTable } from '@server/db';
 import { and, eq } from 'drizzle-orm';
 import createHttpError from 'http-errors';
 import HttpCode from '@server/types/HttpCode';
@@ -37,4 +37,4 @@ export async function checkOrgLimit({ orgId, limitName, currentValue, increment
         }
         throw createHttpError(HttpCode.INTERNAL_SERVER_ERROR, 'Unknown error occurred while checking limit');
     }
-}
+}

server/auth/resourceOtp.ts

@@ -1,5 +1,5 @@
-import db from "@server/db";
-import { resourceOtp } from "@server/db/schema";
+import { db } from "@server/db";
+import { resourceOtp } from "@server/db";
 import { and, eq } from "drizzle-orm";
 import { createDate, isWithinExpirationDate, TimeSpan } from "oslo";
 import { alphabet, generateRandomString, sha256 } from "oslo/crypto";

server/auth/sendEmailVerificationCode.ts

@@ -1,7 +1,7 @@
 import { TimeSpan, createDate } from "oslo";
 import { generateRandomString, alphabet } from "oslo/crypto";
-import db from "@server/db";
-import { users, emailVerificationCodes } from "@server/db/schema";
+import { db } from "@server/db";
+import { users, emailVerificationCodes } from "@server/db";
 import { eq } from "drizzle-orm";
 import { sendEmail } from "@server/emails";
 import config from "@server/lib/config";

server/auth/sessions/app.ts

@@ -9,8 +9,8 @@ import {
     sessions,
     User,
     users
-} from "@server/db/schema";
-import db from "@server/db";
+} from "@server/db";
+import { db } from "@server/db";
 import { eq, inArray } from "drizzle-orm";
 import config from "@server/lib/config";
 import type { RandomReader } from "@oslojs/crypto/random";

server/auth/sessions/newt.ts

@@ -2,8 +2,8 @@ import {
     encodeHexLowerCase,
 } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
-import { Newt, newts, newtSessions, NewtSession } from "@server/db/schema";
-import db from "@server/db";
+import { Newt, newts, newtSessions, NewtSession } from "@server/db";
+import { db } from "@server/db";
 import { eq } from "drizzle-orm";
 
 export const EXPIRES = 1000 * 60 * 60 * 24 * 30;

server/auth/sessions/resource.ts

@@ -1,7 +1,7 @@
 import { encodeHexLowerCase } from "@oslojs/encoding";
 import { sha256 } from "@oslojs/crypto/sha2";
-import { resourceSessions, ResourceSession } from "@server/db/schema";
-import db from "@server/db";
+import { resourceSessions, ResourceSession } from "@server/db";
+import { db } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import config from "@server/lib/config";
 

server/auth/totp.ts

@@ -1,6 +1,6 @@
 import { verify } from "@node-rs/argon2";
-import db from "@server/db";
-import { twoFactorBackupCodes } from "@server/db/schema";
+import { db } from "@server/db";
+import { twoFactorBackupCodes } from "@server/db";
 import { eq } from "drizzle-orm";
 import { decodeHex } from "oslo/encoding";
 import { TOTPController } from "oslo/otp";

server/auth/verifyResourceAccessToken.ts

@@ -1,55 +1,97 @@
-import db from "@server/db";
+import { db } from "@server/db";
 import {
     Resource,
     ResourceAccessToken,
     resourceAccessToken,
-} from "@server/db/schema";
+    resources
+} from "@server/db";
 import { and, eq } from "drizzle-orm";
 import { isWithinExpirationDate } from "oslo";
 import { verifyPassword } from "./password";
+import { encodeHexLowerCase } from "@oslojs/encoding";
+import { sha256 } from "@oslojs/crypto/sha2";
 
 export async function verifyResourceAccessToken({
-    resource,
+    accessToken,
     accessTokenId,
-    accessToken
+    resourceId
 }: {
-    resource: Resource;
-    accessTokenId: string;
     accessToken: string;
+    accessTokenId?: string;
+    resourceId?: number; // IF THIS IS NOT SET, THE TOKEN IS VALID FOR ALL RESOURCES
 }): Promise<{
     valid: boolean;
     error?: string;
     tokenItem?: ResourceAccessToken;
+    resource?: Resource;
 }> {
-    const [result] = await db
-        .select()
-        .from(resourceAccessToken)
-        .where(
-            and(
-                eq(resourceAccessToken.resourceId, resource.resourceId),
-                eq(resourceAccessToken.accessTokenId, accessTokenId)
-            )
-        )
-        .limit(1);
+    const accessTokenHash = encodeHexLowerCase(
+        sha256(new TextEncoder().encode(accessToken))
+    );
 
-    const tokenItem = result;
+    let tokenItem: ResourceAccessToken | undefined;
+    let resource: Resource | undefined;
 
-    if (!tokenItem) {
+    if (!accessTokenId) {
+        const [res] = await db
+            .select()
+            .from(resourceAccessToken)
+            .where(and(eq(resourceAccessToken.tokenHash, accessTokenHash)))
+            .innerJoin(
+                resources,
+                eq(resourceAccessToken.resourceId, resources.resourceId)
+            );
+
+        tokenItem = res?.resourceAccessToken;
+        resource = res?.resources;
+    } else {
+        const [res] = await db
+            .select()
+            .from(resourceAccessToken)
+            .where(and(eq(resourceAccessToken.accessTokenId, accessTokenId)))
+            .innerJoin(
+                resources,
+                eq(resourceAccessToken.resourceId, resources.resourceId)
+            );
+
+        if (res && res.resourceAccessToken) {
+            if (res.resourceAccessToken.tokenHash?.startsWith("$argon")) {
+                const validCode = await verifyPassword(
+                    accessToken,
+                    res.resourceAccessToken.tokenHash
+                );
+
+                if (!validCode) {
+                    return {
+                        valid: false,
+                        error: "Invalid access token"
+                    };
+                }
+            } else {
+                const tokenHash = encodeHexLowerCase(
+                    sha256(new TextEncoder().encode(accessToken))
+                );
+
+                if (res.resourceAccessToken.tokenHash !== tokenHash) {
+                    return {
+                        valid: false,
+                        error: "Invalid access token"
+                    };
+                }
+            }
+        }
+
+        tokenItem = res?.resourceAccessToken;
+        resource = res?.resources;
+    }
+
+    if (!tokenItem || !resource) {
         return {
             valid: false,
             error: "Access token does not exist for resource"
         };
     }
 
-    const validCode = await verifyPassword(accessToken, tokenItem.tokenHash);
-
-    if (!validCode) {
-        return {
-            valid: false,
-            error: "Invalid access token"
-        };
-    }
-
     if (
         tokenItem.expiresAt &&
         !isWithinExpirationDate(new Date(tokenItem.expiresAt))
@@ -60,8 +102,16 @@ export async function verifyResourceAccessToken({
         };
     }
 
+    if (resourceId && resource.resourceId !== resourceId) {
+        return {
+            valid: false,
+            error: "Resource ID does not match"
+        };
+    }
+
     return {
         valid: true,
-        tokenItem
+        tokenItem,
+        resource
     };
 }

server/db/README.md

@@ -0,0 +1,72 @@
+# Database
+
+Pangolin can use a Postgres or SQLite database to store its data.
+
+## Development
+
+### Postgres
+
+To use Postgres, edit `server/db/index.ts` to export all from `server/db/pg/index.ts`:
+
+```typescript
+export * from "./pg";
+```
+
+Make sure you have a valid config file with a connection string:
+
+```yaml
+postgres:
+    connection_string: postgresql://postgres:postgres@localhost:5432
+```
+
+You can run an ephemeral Postgres database for local development using Docker:
+
+```bash
+docker run -d \
+  --name postgres \
+  --rm \
+  -p 5432:5432 \
+  -e POSTGRES_PASSWORD=postgres \
+  -v $(mktemp -d):/var/lib/postgresql/data \
+  postgres:17
+```
+
+### Schema
+
+`server/db/pg/schema.ts` and `server/db/sqlite/schema.ts` contain the database schema definitions. These need to be kept in sync with with each other.
+
+Stick to common data types and avoid Postgres-specific features to ensure compatibility with SQLite.
+
+### SQLite
+
+To use SQLite, edit `server/db/index.ts` to export all from `server/db/sqlite/index.ts`:
+
+```typescript
+export * from "./sqlite";
+```
+
+No edits to the config are needed. If you keep the Postgres config, it will be ignored.
+
+## Generate and Push Migrations
+
+Ensure drizzle-kit is installed.
+
+### Postgres
+
+You must have a connection string in your config file, as shown above.
+
+```bash
+npm run db:pg:generate
+npm run db:pg:push
+```
+
+### SQLite
+
+```bash
+npm run db:sqlite:generate
+npm run db:sqlite:push
+```
+
+## Build Time
+
+There is a dockerfile for each database type. The dockerfile swaps out the `server/db/index.ts` file to use the correct database type.

server/db/names.ts

@@ -1,7 +1,7 @@
 import { join } from "path";
 import { readFileSync } from "fs";
 import { db } from "@server/db";
-import { exitNodes, sites } from "./schema";
+import { exitNodes, sites } from "@server/db";
 import { eq, and } from "drizzle-orm";
 import { __DIRNAME } from "@server/lib/consts";
 

server/db/pg/driver.ts

@@ -0,0 +1,39 @@
+import { drizzle as DrizzlePostgres } from "drizzle-orm/node-postgres";
+import { readConfigFile } from "@server/lib/readConfigFile";
+import { withReplicas } from "drizzle-orm/pg-core";
+
+function createDb() {
+    const config = readConfigFile();
+
+    if (!config.postgres) {
+        throw new Error(
+            "Postgres configuration is missing in the configuration file."
+        );
+    }
+
+    const connectionString = config.postgres?.connection_string;
+    const replicaConnections = config.postgres?.replicas || [];
+
+    if (!connectionString) {
+        throw new Error(
+            "A primary db connection string is required in the configuration file."
+        );
+    }
+
+    const primary = DrizzlePostgres(connectionString);
+    const replicas = [];
+
+    if (!replicaConnections.length) {
+        replicas.push(primary);
+    } else {
+        for (const conn of replicaConnections) {
+            const replica = DrizzlePostgres(conn.connection_string);
+            replicas.push(replica);
+        }
+    }
+
+    return withReplicas(primary, replicas as any);
+}
+
+export const db = createDb();
+export default db;

server/db/pg/index.ts

@@ -0,0 +1,2 @@
+export * from "./driver";
+export * from "./schema";

server/db/pg/migrate.ts

@@ -0,0 +1,20 @@
+import { migrate } from "drizzle-orm/node-postgres/migrator";
+import db from "./driver";
+import path from "path";
+
+const migrationsFolder = path.join("server/migrations");
+
+const runMigrations = async () => {
+    console.log("Running migrations...");
+    try {
+        await migrate(db as any, {
+            migrationsFolder: migrationsFolder
+        });
+        console.log("Migrations completed successfully.");
+    } catch (error) {
+        console.error("Error running migrations:", error);
+        process.exit(1);
+    }
+};
+
+runMigrations();

server/db/pg/schema.ts

@@ -0,0 +1,532 @@
+import {
+    pgTable,
+    serial,
+    varchar,
+    boolean,
+    integer,
+    bigint,
+    real
+} from "drizzle-orm/pg-core";
+import { InferSelectModel } from "drizzle-orm";
+
+export const domains = pgTable("domains", {
+    domainId: varchar("domainId").primaryKey(),
+    baseDomain: varchar("baseDomain").notNull(),
+    configManaged: boolean("configManaged").notNull().default(false)
+});
+
+export const orgs = pgTable("orgs", {
+    orgId: varchar("orgId").primaryKey(),
+    name: varchar("name").notNull()
+});
+
+export const orgDomains = pgTable("orgDomains", {
+    orgId: varchar("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    domainId: varchar("domainId")
+        .notNull()
+        .references(() => domains.domainId, { onDelete: "cascade" })
+});
+
+export const sites = pgTable("sites", {
+    siteId: serial("siteId").primaryKey(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    niceId: varchar("niceId").notNull(),
+    exitNodeId: integer("exitNode").references(() => exitNodes.exitNodeId, {
+        onDelete: "set null"
+    }),
+    name: varchar("name").notNull(),
+    pubKey: varchar("pubKey"),
+    subnet: varchar("subnet").notNull(),
+    megabytesIn: real("bytesIn"),
+    megabytesOut: real("bytesOut"),
+    lastBandwidthUpdate: varchar("lastBandwidthUpdate"),
+    type: varchar("type").notNull(), // "newt" or "wireguard"
+    online: boolean("online").notNull().default(false),
+    dockerSocketEnabled: boolean("dockerSocketEnabled").notNull().default(true)
+});
+
+export const resources = pgTable("resources", {
+    resourceId: serial("resourceId").primaryKey(),
+    siteId: integer("siteId")
+        .references(() => sites.siteId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    name: varchar("name").notNull(),
+    subdomain: varchar("subdomain"),
+    fullDomain: varchar("fullDomain"),
+    domainId: varchar("domainId").references(() => domains.domainId, {
+        onDelete: "set null"
+    }),
+    ssl: boolean("ssl").notNull().default(false),
+    blockAccess: boolean("blockAccess").notNull().default(false),
+    sso: boolean("sso").notNull().default(true),
+    http: boolean("http").notNull().default(true),
+    protocol: varchar("protocol").notNull(),
+    proxyPort: integer("proxyPort"),
+    emailWhitelistEnabled: boolean("emailWhitelistEnabled")
+        .notNull()
+        .default(false),
+    isBaseDomain: boolean("isBaseDomain"),
+    applyRules: boolean("applyRules").notNull().default(false),
+    enabled: boolean("enabled").notNull().default(true),
+    stickySession: boolean("stickySession").notNull().default(false),
+    tlsServerName: varchar("tlsServerName"),
+    setHostHeader: varchar("setHostHeader")
+});
+
+export const targets = pgTable("targets", {
+    targetId: serial("targetId").primaryKey(),
+    resourceId: integer("resourceId")
+        .references(() => resources.resourceId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    ip: varchar("ip").notNull(),
+    method: varchar("method"),
+    port: integer("port").notNull(),
+    internalPort: integer("internalPort"),
+    enabled: boolean("enabled").notNull().default(true)
+});
+
+export const exitNodes = pgTable("exitNodes", {
+    exitNodeId: serial("exitNodeId").primaryKey(),
+    name: varchar("name").notNull(),
+    address: varchar("address").notNull(),
+    endpoint: varchar("endpoint").notNull(),
+    publicKey: varchar("publicKey").notNull(),
+    listenPort: integer("listenPort").notNull(),
+    reachableAt: varchar("reachableAt")
+});
+
+export const users = pgTable("user", {
+    userId: varchar("id").primaryKey(),
+    email: varchar("email"),
+    username: varchar("username").notNull(),
+    name: varchar("name"),
+    type: varchar("type").notNull(), // "internal", "oidc"
+    idpId: integer("idpId").references(() => idp.idpId, {
+        onDelete: "cascade"
+    }),
+    passwordHash: varchar("passwordHash"),
+    twoFactorEnabled: boolean("twoFactorEnabled").notNull().default(false),
+    twoFactorSecret: varchar("twoFactorSecret"),
+    emailVerified: boolean("emailVerified").notNull().default(false),
+    dateCreated: varchar("dateCreated").notNull(),
+    serverAdmin: boolean("serverAdmin").notNull().default(false)
+});
+
+export const newts = pgTable("newt", {
+    newtId: varchar("id").primaryKey(),
+    secretHash: varchar("secretHash").notNull(),
+    dateCreated: varchar("dateCreated").notNull(),
+    siteId: integer("siteId").references(() => sites.siteId, {
+        onDelete: "cascade"
+    })
+});
+
+export const twoFactorBackupCodes = pgTable("twoFactorBackupCodes", {
+    codeId: serial("id").primaryKey(),
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    codeHash: varchar("codeHash").notNull()
+});
+
+export const sessions = pgTable("session", {
+    sessionId: varchar("id").primaryKey(),
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
+});
+
+export const newtSessions = pgTable("newtSession", {
+    sessionId: varchar("id").primaryKey(),
+    newtId: varchar("newtId")
+        .notNull()
+        .references(() => newts.newtId, { onDelete: "cascade" }),
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
+});
+
+export const userOrgs = pgTable("userOrgs", {
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId),
+    isOwner: boolean("isOwner").notNull().default(false)
+});
+
+export const emailVerificationCodes = pgTable("emailVerificationCodes", {
+    codeId: serial("id").primaryKey(),
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    email: varchar("email").notNull(),
+    code: varchar("code").notNull(),
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
+});
+
+export const passwordResetTokens = pgTable("passwordResetTokens", {
+    tokenId: serial("id").primaryKey(),
+    email: varchar("email").notNull(),
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    tokenHash: varchar("tokenHash").notNull(),
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
+});
+
+export const actions = pgTable("actions", {
+    actionId: varchar("actionId").primaryKey(),
+    name: varchar("name"),
+    description: varchar("description")
+});
+
+export const roles = pgTable("roles", {
+    roleId: serial("roleId").primaryKey(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    isAdmin: boolean("isAdmin"),
+    name: varchar("name").notNull(),
+    description: varchar("description")
+});
+
+export const roleActions = pgTable("roleActions", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    actionId: varchar("actionId")
+        .notNull()
+        .references(() => actions.actionId, { onDelete: "cascade" }),
+    orgId: varchar("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" })
+});
+
+export const userActions = pgTable("userActions", {
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    actionId: varchar("actionId")
+        .notNull()
+        .references(() => actions.actionId, { onDelete: "cascade" }),
+    orgId: varchar("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" })
+});
+
+export const roleSites = pgTable("roleSites", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    siteId: integer("siteId")
+        .notNull()
+        .references(() => sites.siteId, { onDelete: "cascade" })
+});
+
+export const userSites = pgTable("userSites", {
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    siteId: integer("siteId")
+        .notNull()
+        .references(() => sites.siteId, { onDelete: "cascade" })
+});
+
+export const roleResources = pgTable("roleResources", {
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" }),
+    resourceId: integer("resourceId")
+        .notNull()
+        .references(() => resources.resourceId, { onDelete: "cascade" })
+});
+
+export const userResources = pgTable("userResources", {
+    userId: varchar("userId")
+        .notNull()
+        .references(() => users.userId, { onDelete: "cascade" }),
+    resourceId: integer("resourceId")
+        .notNull()
+        .references(() => resources.resourceId, { onDelete: "cascade" })
+});
+
+export const limitsTable = pgTable("limits", {
+    limitId: serial("limitId").primaryKey(),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull(),
+    name: varchar("name").notNull(),
+    value: bigint("value", { mode: "number" }).notNull(),
+    description: varchar("description")
+});
+
+export const userInvites = pgTable("userInvites", {
+    inviteId: varchar("inviteId").primaryKey(),
+    orgId: varchar("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    email: varchar("email").notNull(),
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
+    tokenHash: varchar("token").notNull(),
+    roleId: integer("roleId")
+        .notNull()
+        .references(() => roles.roleId, { onDelete: "cascade" })
+});
+
+export const resourcePincode = pgTable("resourcePincode", {
+    pincodeId: serial("pincodeId").primaryKey(),
+    resourceId: integer("resourceId")
+        .notNull()
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    pincodeHash: varchar("pincodeHash").notNull(),
+    digitLength: integer("digitLength").notNull()
+});
+
+export const resourcePassword = pgTable("resourcePassword", {
+    passwordId: serial("passwordId").primaryKey(),
+    resourceId: integer("resourceId")
+        .notNull()
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    passwordHash: varchar("passwordHash").notNull()
+});
+
+export const resourceAccessToken = pgTable("resourceAccessToken", {
+    accessTokenId: varchar("accessTokenId").primaryKey(),
+    orgId: varchar("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    resourceId: integer("resourceId")
+        .notNull()
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    tokenHash: varchar("tokenHash").notNull(),
+    sessionLength: bigint("sessionLength", { mode: "number" }).notNull(),
+    expiresAt: bigint("expiresAt", { mode: "number" }),
+    title: varchar("title"),
+    description: varchar("description"),
+    createdAt: bigint("createdAt", { mode: "number" }).notNull()
+});
+
+export const resourceSessions = pgTable("resourceSessions", {
+    sessionId: varchar("id").primaryKey(),
+    resourceId: integer("resourceId")
+        .notNull()
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull(),
+    sessionLength: bigint("sessionLength", { mode: "number" }).notNull(),
+    doNotExtend: boolean("doNotExtend").notNull().default(false),
+    isRequestToken: boolean("isRequestToken"),
+    userSessionId: varchar("userSessionId").references(
+        () => sessions.sessionId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    passwordId: integer("passwordId").references(
+        () => resourcePassword.passwordId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    pincodeId: integer("pincodeId").references(
+        () => resourcePincode.pincodeId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    whitelistId: integer("whitelistId").references(
+        () => resourceWhitelist.whitelistId,
+        {
+            onDelete: "cascade"
+        }
+    ),
+    accessTokenId: varchar("accessTokenId").references(
+        () => resourceAccessToken.accessTokenId,
+        {
+            onDelete: "cascade"
+        }
+    )
+});
+
+export const resourceWhitelist = pgTable("resourceWhitelist", {
+    whitelistId: serial("id").primaryKey(),
+    email: varchar("email").notNull(),
+    resourceId: integer("resourceId")
+        .notNull()
+        .references(() => resources.resourceId, { onDelete: "cascade" })
+});
+
+export const resourceOtp = pgTable("resourceOtp", {
+    otpId: serial("otpId").primaryKey(),
+    resourceId: integer("resourceId")
+        .notNull()
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    email: varchar("email").notNull(),
+    otpHash: varchar("otpHash").notNull(),
+    expiresAt: bigint("expiresAt", { mode: "number" }).notNull()
+});
+
+export const versionMigrations = pgTable("versionMigrations", {
+    version: varchar("version").primaryKey(),
+    executedAt: bigint("executedAt", { mode: "number" }).notNull()
+});
+
+export const resourceRules = pgTable("resourceRules", {
+    ruleId: serial("ruleId").primaryKey(),
+    resourceId: integer("resourceId")
+        .notNull()
+        .references(() => resources.resourceId, { onDelete: "cascade" }),
+    enabled: boolean("enabled").notNull().default(true),
+    priority: integer("priority").notNull(),
+    action: varchar("action").notNull(), // ACCEPT, DROP
+    match: varchar("match").notNull(), // CIDR, PATH, IP
+    value: varchar("value").notNull()
+});
+
+export const supporterKey = pgTable("supporterKey", {
+    keyId: serial("keyId").primaryKey(),
+    key: varchar("key").notNull(),
+    githubUsername: varchar("githubUsername").notNull(),
+    phrase: varchar("phrase"),
+    tier: varchar("tier"),
+    valid: boolean("valid").notNull().default(false)
+});
+
+export const idp = pgTable("idp", {
+    idpId: serial("idpId").primaryKey(),
+    name: varchar("name").notNull(),
+    type: varchar("type").notNull(),
+    defaultRoleMapping: varchar("defaultRoleMapping"),
+    defaultOrgMapping: varchar("defaultOrgMapping"),
+    autoProvision: boolean("autoProvision").notNull().default(false)
+});
+
+export const idpOidcConfig = pgTable("idpOidcConfig", {
+    idpOauthConfigId: serial("idpOauthConfigId").primaryKey(),
+    idpId: integer("idpId")
+        .notNull()
+        .references(() => idp.idpId, { onDelete: "cascade" }),
+    clientId: varchar("clientId").notNull(),
+    clientSecret: varchar("clientSecret").notNull(),
+    authUrl: varchar("authUrl").notNull(),
+    tokenUrl: varchar("tokenUrl").notNull(),
+    identifierPath: varchar("identifierPath").notNull(),
+    emailPath: varchar("emailPath"),
+    namePath: varchar("namePath"),
+    scopes: varchar("scopes").notNull()
+});
+
+export const licenseKey = pgTable("licenseKey", {
+    licenseKeyId: varchar("licenseKeyId").primaryKey().notNull(),
+    instanceId: varchar("instanceId").notNull(),
+    token: varchar("token").notNull()
+});
+
+export const hostMeta = pgTable("hostMeta", {
+    hostMetaId: varchar("hostMetaId").primaryKey().notNull(),
+    createdAt: bigint("createdAt", { mode: "number" }).notNull()
+});
+
+export const apiKeys = pgTable("apiKeys", {
+    apiKeyId: varchar("apiKeyId").primaryKey(),
+    name: varchar("name").notNull(),
+    apiKeyHash: varchar("apiKeyHash").notNull(),
+    lastChars: varchar("lastChars").notNull(),
+    createdAt: varchar("dateCreated").notNull(),
+    isRoot: boolean("isRoot").notNull().default(false)
+});
+
+export const apiKeyActions = pgTable("apiKeyActions", {
+    apiKeyId: varchar("apiKeyId")
+        .notNull()
+        .references(() => apiKeys.apiKeyId, { onDelete: "cascade" }),
+    actionId: varchar("actionId")
+        .notNull()
+        .references(() => actions.actionId, { onDelete: "cascade" })
+});
+
+export const apiKeyOrg = pgTable("apiKeyOrg", {
+    apiKeyId: varchar("apiKeyId")
+        .notNull()
+        .references(() => apiKeys.apiKeyId, { onDelete: "cascade" }),
+    orgId: varchar("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
+export const idpOrg = pgTable("idpOrg", {
+    idpId: integer("idpId")
+        .notNull()
+        .references(() => idp.idpId, { onDelete: "cascade" }),
+    orgId: varchar("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    roleMapping: varchar("roleMapping"),
+    orgMapping: varchar("orgMapping")
+});
+
+export type Org = InferSelectModel<typeof orgs>;
+export type User = InferSelectModel<typeof users>;
+export type Site = InferSelectModel<typeof sites>;
+export type Resource = InferSelectModel<typeof resources>;
+export type ExitNode = InferSelectModel<typeof exitNodes>;
+export type Target = InferSelectModel<typeof targets>;
+export type Session = InferSelectModel<typeof sessions>;
+export type Newt = InferSelectModel<typeof newts>;
+export type NewtSession = InferSelectModel<typeof newtSessions>;
+export type EmailVerificationCode = InferSelectModel<
+    typeof emailVerificationCodes
+>;
+export type TwoFactorBackupCode = InferSelectModel<typeof twoFactorBackupCodes>;
+export type PasswordResetToken = InferSelectModel<typeof passwordResetTokens>;
+export type Role = InferSelectModel<typeof roles>;
+export type Action = InferSelectModel<typeof actions>;
+export type RoleAction = InferSelectModel<typeof roleActions>;
+export type UserAction = InferSelectModel<typeof userActions>;
+export type RoleSite = InferSelectModel<typeof roleSites>;
+export type UserSite = InferSelectModel<typeof userSites>;
+export type RoleResource = InferSelectModel<typeof roleResources>;
+export type UserResource = InferSelectModel<typeof userResources>;
+export type Limit = InferSelectModel<typeof limitsTable>;
+export type UserInvite = InferSelectModel<typeof userInvites>;
+export type UserOrg = InferSelectModel<typeof userOrgs>;
+export type ResourceSession = InferSelectModel<typeof resourceSessions>;
+export type ResourcePincode = InferSelectModel<typeof resourcePincode>;
+export type ResourcePassword = InferSelectModel<typeof resourcePassword>;
+export type ResourceOtp = InferSelectModel<typeof resourceOtp>;
+export type ResourceAccessToken = InferSelectModel<typeof resourceAccessToken>;
+export type ResourceWhitelist = InferSelectModel<typeof resourceWhitelist>;
+export type VersionMigration = InferSelectModel<typeof versionMigrations>;
+export type ResourceRule = InferSelectModel<typeof resourceRules>;
+export type Domain = InferSelectModel<typeof domains>;
+export type SupporterKey = InferSelectModel<typeof supporterKey>;
+export type Idp = InferSelectModel<typeof idp>;
+export type ApiKey = InferSelectModel<typeof apiKeys>;
+export type ApiKeyAction = InferSelectModel<typeof apiKeyActions>;
+export type ApiKeyOrg = InferSelectModel<typeof apiKeyOrg>;

server/db/sqlite/driver.ts

@@ -1,6 +1,6 @@
-import { drizzle } from "drizzle-orm/better-sqlite3";
+import { drizzle as DrizzleSqlite } from "drizzle-orm/better-sqlite3";
 import Database from "better-sqlite3";
-import * as schema from "@server/db/schema";
+import * as schema from "./schema";
 import path from "path";
 import fs from "fs/promises";
 import { APP_PATH } from "@server/lib/consts";
@@ -11,9 +11,12 @@ export const exists = await checkFileExists(location);
 
 bootstrapVolume();
 
-const sqlite = new Database(location);
-export const db = drizzle(sqlite, { schema });
+function createDb() {
+    const sqlite = new Database(location);
+    return DrizzleSqlite(sqlite, { schema });
+}
 
+export const db = createDb();
 export default db;
 
 async function checkFileExists(filePath: string): Promise<boolean> {

server/db/sqlite/index.ts

@@ -0,0 +1,2 @@
+export * from "./driver";
+export * from "./schema";

server/db/sqlite/migrate.ts

@@ -1,5 +1,5 @@
 import { migrate } from "drizzle-orm/better-sqlite3/migrator";
-import db from "@server/db";
+import db from "./driver";
 import path from "path";
 
 const migrationsFolder = path.join("server/migrations");
@@ -7,7 +7,7 @@ const migrationsFolder = path.join("server/migrations");
 const runMigrations = async () => {
     console.log("Running migrations...");
     try {
-        migrate(db, {
+        migrate(db as any, {
             migrationsFolder: migrationsFolder,
         });
         console.log("Migrations completed successfully.");

server/db/sqlite/schema.ts

@@ -41,7 +41,10 @@ export const sites = sqliteTable("sites", {
     megabytesOut: integer("bytesOut"),
     lastBandwidthUpdate: text("lastBandwidthUpdate"),
     type: text("type").notNull(), // "newt" or "wireguard"
-    online: integer("online", { mode: "boolean" }).notNull().default(false)
+    online: integer("online", { mode: "boolean" }).notNull().default(false),
+    dockerSocketEnabled: integer("dockerSocketEnabled", { mode: "boolean" })
+        .notNull()
+        .default(true)
 });
 
 export const resources = sqliteTable("resources", {
@@ -76,7 +79,13 @@ export const resources = sqliteTable("resources", {
     isBaseDomain: integer("isBaseDomain", { mode: "boolean" }),
     applyRules: integer("applyRules", { mode: "boolean" })
         .notNull()
-        .default(false)
+        .default(false),
+    enabled: integer("enabled", { mode: "boolean" }).notNull().default(true),
+    stickySession: integer("stickySession", { mode: "boolean" })
+        .notNull()
+        .default(false),
+    tlsServerName: text("tlsServerName"),
+    setHostHeader: text("setHostHeader")
 });
 
 export const targets = sqliteTable("targets", {
@@ -98,15 +107,21 @@ export const exitNodes = sqliteTable("exitNodes", {
     name: text("name").notNull(),
     address: text("address").notNull(), // this is the address of the wireguard interface in gerbil
     endpoint: text("endpoint").notNull(), // this is how to reach gerbil externally - gets put into the wireguard config
-    publicKey: text("pubicKey").notNull(),
+    publicKey: text("publicKey").notNull(),
     listenPort: integer("listenPort").notNull(),
     reachableAt: text("reachableAt") // this is the internal address of the gerbil http server for command control
 });
 
 export const users = sqliteTable("user", {
     userId: text("id").primaryKey(),
-    email: text("email").notNull().unique(),
-    passwordHash: text("passwordHash").notNull(),
+    email: text("email"),
+    username: text("username").notNull(),
+    name: text("name"),
+    type: text("type").notNull(), // "internal", "oidc"
+    idpId: integer("idpId").references(() => idp.idpId, {
+        onDelete: "cascade"
+    }),
+    passwordHash: text("passwordHash"),
     twoFactorEnabled: integer("twoFactorEnabled", { mode: "boolean" })
         .notNull()
         .default(false),
@@ -414,6 +429,89 @@ export const supporterKey = sqliteTable("supporterKey", {
     valid: integer("valid", { mode: "boolean" }).notNull().default(false)
 });
 
+// Identity Providers
+export const idp = sqliteTable("idp", {
+    idpId: integer("idpId").primaryKey({ autoIncrement: true }),
+    name: text("name").notNull(),
+    type: text("type").notNull(),
+    defaultRoleMapping: text("defaultRoleMapping"),
+    defaultOrgMapping: text("defaultOrgMapping"),
+    autoProvision: integer("autoProvision", {
+        mode: "boolean"
+    })
+        .notNull()
+        .default(false)
+});
+
+// Identity Provider OAuth Configuration
+export const idpOidcConfig = sqliteTable("idpOidcConfig", {
+    idpOauthConfigId: integer("idpOauthConfigId").primaryKey({
+        autoIncrement: true
+    }),
+    idpId: integer("idpId")
+        .notNull()
+        .references(() => idp.idpId, { onDelete: "cascade" }),
+    clientId: text("clientId").notNull(),
+    clientSecret: text("clientSecret").notNull(),
+    authUrl: text("authUrl").notNull(),
+    tokenUrl: text("tokenUrl").notNull(),
+    identifierPath: text("identifierPath").notNull(),
+    emailPath: text("emailPath"),
+    namePath: text("namePath"),
+    scopes: text("scopes").notNull()
+});
+
+export const licenseKey = sqliteTable("licenseKey", {
+    licenseKeyId: text("licenseKeyId").primaryKey().notNull(),
+    instanceId: text("instanceId").notNull(),
+    token: text("token").notNull()
+});
+
+export const hostMeta = sqliteTable("hostMeta", {
+    hostMetaId: text("hostMetaId").primaryKey().notNull(),
+    createdAt: integer("createdAt").notNull()
+});
+
+export const apiKeys = sqliteTable("apiKeys", {
+    apiKeyId: text("apiKeyId").primaryKey(),
+    name: text("name").notNull(),
+    apiKeyHash: text("apiKeyHash").notNull(),
+    lastChars: text("lastChars").notNull(),
+    createdAt: text("dateCreated").notNull(),
+    isRoot: integer("isRoot", { mode: "boolean" }).notNull().default(false)
+});
+
+export const apiKeyActions = sqliteTable("apiKeyActions", {
+    apiKeyId: text("apiKeyId")
+        .notNull()
+        .references(() => apiKeys.apiKeyId, { onDelete: "cascade" }),
+    actionId: text("actionId")
+        .notNull()
+        .references(() => actions.actionId, { onDelete: "cascade" })
+});
+
+export const apiKeyOrg = sqliteTable("apiKeyOrg", {
+    apiKeyId: text("apiKeyId")
+        .notNull()
+        .references(() => apiKeys.apiKeyId, { onDelete: "cascade" }),
+    orgId: text("orgId")
+        .references(() => orgs.orgId, {
+            onDelete: "cascade"
+        })
+        .notNull()
+});
+
+export const idpOrg = sqliteTable("idpOrg", {
+    idpId: integer("idpId")
+        .notNull()
+        .references(() => idp.idpId, { onDelete: "cascade" }),
+    orgId: text("orgId")
+        .notNull()
+        .references(() => orgs.orgId, { onDelete: "cascade" }),
+    roleMapping: text("roleMapping"),
+    orgMapping: text("orgMapping")
+});
+
 export type Org = InferSelectModel<typeof orgs>;
 export type User = InferSelectModel<typeof users>;
 export type Site = InferSelectModel<typeof sites>;
@@ -449,3 +547,7 @@ export type VersionMigration = InferSelectModel<typeof versionMigrations>;
 export type ResourceRule = InferSelectModel<typeof resourceRules>;
 export type Domain = InferSelectModel<typeof domains>;
 export type SupporterKey = InferSelectModel<typeof supporterKey>;
+export type Idp = InferSelectModel<typeof idp>;
+export type ApiKey = InferSelectModel<typeof apiKeys>;
+export type ApiKeyAction = InferSelectModel<typeof apiKeyActions>;
+export type ApiKeyOrg = InferSelectModel<typeof apiKeyOrg>;

server/extendZod.ts

@@ -0,0 +1,6 @@
+import { extendZodWithOpenApi } from "@asteasolutions/zod-to-openapi";
+import { z } from "zod";
+
+extendZodWithOpenApi(z);
+
+export default function extendZod() {}

server/index.ts

@@ -1,8 +1,12 @@
+import "./extendZod.ts";
+
 import { runSetupFunctions } from "./setup";
 import { createApiServer } from "./apiServer";
 import { createNextServer } from "./nextServer";
 import { createInternalServer } from "./internalServer";
-import { Session, User, UserOrg } from "./db/schema";
+import { ApiKey, ApiKeyOrg, Session, User, UserOrg } from "@server/db";
+import { createIntegrationApiServer } from "./integrationApiServer";
+import config from "@server/lib/config";
 
 async function startServers() {
     await runSetupFunctions();
@@ -12,10 +16,16 @@ async function startServers() {
     const internalServer = createInternalServer();
     const nextServer = await createNextServer();
 
+    let integrationServer;
+    if (config.getRawConfig().flags?.enable_integration_api) {
+        integrationServer = createIntegrationApiServer();
+    }
+
     return {
         apiServer,
         nextServer,
         internalServer,
+        integrationServer
     };
 }
 
@@ -23,9 +33,11 @@ async function startServers() {
 declare global {
     namespace Express {
         interface Request {
+            apiKey?: ApiKey;
             user?: User;
             session?: Session;
             userOrg?: UserOrg;
+            apiKeyOrg?: ApiKeyOrg;
             userOrgRoleId?: number;
             userOrgId?: string;
             userOrgIds?: string[];

server/integrationApiServer.ts

@@ -0,0 +1,102 @@
+import express from "express";
+import cors from "cors";
+import cookieParser from "cookie-parser";
+import config from "@server/lib/config";
+import logger from "@server/logger";
+import {
+    errorHandlerMiddleware,
+    notFoundMiddleware,
+} from "@server/middlewares";
+import { authenticated, unauthenticated } from "@server/routers/integration";
+import { logIncomingMiddleware } from "./middlewares/logIncoming";
+import helmet from "helmet";
+import swaggerUi from "swagger-ui-express";
+import { OpenApiGeneratorV3 } from "@asteasolutions/zod-to-openapi";
+import { registry } from "./openApi";
+
+const dev = process.env.ENVIRONMENT !== "prod";
+const externalPort = config.getRawConfig().server.integration_port;
+
+export function createIntegrationApiServer() {
+    const apiServer = express();
+
+    if (config.getRawConfig().server.trust_proxy) {
+        apiServer.set("trust proxy", 1);
+    }
+
+    apiServer.use(cors());
+
+    if (!dev) {
+        apiServer.use(helmet());
+    }
+
+    apiServer.use(cookieParser());
+    apiServer.use(express.json());
+
+    apiServer.use(
+        "/v1/docs",
+        swaggerUi.serve,
+        swaggerUi.setup(getOpenApiDocumentation())
+    );
+
+    // API routes
+    const prefix = `/v1`;
+    apiServer.use(logIncomingMiddleware);
+    apiServer.use(prefix, unauthenticated);
+    apiServer.use(prefix, authenticated);
+
+    // Error handling
+    apiServer.use(notFoundMiddleware);
+    apiServer.use(errorHandlerMiddleware);
+
+    // Create HTTP server
+    const httpServer = apiServer.listen(externalPort, (err?: any) => {
+        if (err) throw err;
+        logger.info(
+            `Integration API server is running on http://localhost:${externalPort}`
+        );
+    });
+
+    return httpServer;
+}
+
+function getOpenApiDocumentation() {
+    const bearerAuth = registry.registerComponent(
+        "securitySchemes",
+        "Bearer Auth",
+        {
+            type: "http",
+            scheme: "bearer"
+        }
+    );
+
+    for (const def of registry.definitions) {
+        if (def.type === "route") {
+            def.route.security = [
+                {
+                    [bearerAuth.name]: []
+                }
+            ];
+        }
+    }
+
+    registry.registerPath({
+        method: "get",
+        path: "/",
+        description: "Health check",
+        tags: [],
+        request: {},
+        responses: {}
+    });
+
+    const generator = new OpenApiGeneratorV3(registry.definitions);
+
+    return generator.generateDocument({
+        openapi: "3.0.0",
+        info: {
+            version: "v1",
+            title: "Pangolin Integration API"
+        },
+        servers: [{ url: "/v1" }]
+    });
+}

server/lib/canUserAccessResource.ts

@@ -1,6 +1,6 @@
-import db from "@server/db";
+import { db } from "@server/db";
 import { and, eq } from "drizzle-orm";
-import { roleResources, userResources } from "@server/db/schema";
+import { roleResources, userResources } from "@server/db";
 
 export async function canUserAccessResource({
     userId,

server/lib/config.ts

@@ -1,160 +1,11 @@
-import fs from "fs";
-import yaml from "js-yaml";
 import { z } from "zod";
-import { fromError } from "zod-validation-error";
-import {
-    __DIRNAME,
-    APP_VERSION,
-    configFilePath1,
-    configFilePath2
-} from "@server/lib/consts";
-import { passwordSchema } from "@server/auth/passwordSchema";
-import stoi from "./stoi";
-import db from "@server/db";
-import { SupporterKey, supporterKey } from "@server/db/schema";
-import { suppressDeprecationWarnings } from "moment";
+import { __DIRNAME, APP_VERSION } from "@server/lib/consts";
+import { db } from "@server/db";
+import { SupporterKey, supporterKey } from "@server/db";
 import { eq } from "drizzle-orm";
-
-const portSchema = z.number().positive().gt(0).lte(65535);
-
-const getEnvOrYaml = (envVar: string) => (valFromYaml: any) => {
-    return process.env[envVar] ?? valFromYaml;
-};
-
-const configSchema = z.object({
-    app: z.object({
-        dashboard_url: z
-            .string()
-            .url()
-            .optional()
-            .pipe(z.string().url())
-            .transform((url) => url.toLowerCase()),
-        log_level: z.enum(["debug", "info", "warn", "error"]),
-        save_logs: z.boolean(),
-        log_failed_attempts: z.boolean().optional()
-    }),
-    domains: z
-        .record(
-            z.string(),
-            z.object({
-                base_domain: z
-                    .string()
-                    .nonempty("base_domain must not be empty")
-                    .transform((url) => url.toLowerCase()),
-                cert_resolver: z.string().optional(),
-                prefer_wildcard_cert: z.boolean().optional()
-            })
-        )
-        .refine(
-            (domains) => {
-                const keys = Object.keys(domains);
-
-                if (keys.length === 0) {
-                    return false;
-                }
-
-                return true;
-            },
-            {
-                message: "At least one domain must be defined"
-            }
-        ),
-    server: z.object({
-        external_port: portSchema.optional().transform(stoi).pipe(portSchema),
-        internal_port: portSchema.optional().transform(stoi).pipe(portSchema),
-        next_port: portSchema.optional().transform(stoi).pipe(portSchema),
-        internal_hostname: z.string().transform((url) => url.toLowerCase()),
-        session_cookie_name: z.string(),
-        resource_access_token_param: z.string(),
-        resource_session_request_param: z.string(),
-        dashboard_session_length_hours: z
-            .number()
-            .positive()
-            .gt(0)
-            .optional()
-            .default(720),
-        resource_session_length_hours: z
-            .number()
-            .positive()
-            .gt(0)
-            .optional()
-            .default(720),
-        cors: z
-            .object({
-                origins: z.array(z.string()).optional(),
-                methods: z.array(z.string()).optional(),
-                allowed_headers: z.array(z.string()).optional(),
-                credentials: z.boolean().optional()
-            })
-            .optional(),
-        trust_proxy: z.boolean().optional().default(true)
-    }),
-    traefik: z.object({
-        http_entrypoint: z.string(),
-        https_entrypoint: z.string().optional(),
-        additional_middlewares: z.array(z.string()).optional()
-    }),
-    gerbil: z.object({
-        start_port: portSchema.optional().transform(stoi).pipe(portSchema),
-        base_endpoint: z
-            .string()
-            .optional()
-            .pipe(z.string())
-            .transform((url) => url.toLowerCase()),
-        use_subdomain: z.boolean(),
-        subnet_group: z.string(),
-        block_size: z.number().positive().gt(0),
-        site_block_size: z.number().positive().gt(0)
-    }),
-    rate_limits: z.object({
-        global: z.object({
-            window_minutes: z.number().positive().gt(0),
-            max_requests: z.number().positive().gt(0)
-        }),
-        auth: z
-            .object({
-                window_minutes: z.number().positive().gt(0),
-                max_requests: z.number().positive().gt(0)
-            })
-            .optional()
-    }),
-    email: z
-        .object({
-            smtp_host: z.string().optional(),
-            smtp_port: portSchema.optional(),
-            smtp_user: z.string().optional(),
-            smtp_pass: z.string().optional(),
-            smtp_secure: z.boolean().optional(),
-            smtp_tls_reject_unauthorized: z.boolean().optional(),
-            no_reply: z.string().email().optional()
-        })
-        .optional(),
-    users: z.object({
-        server_admin: z.object({
-            email: z
-                .string()
-                .email()
-                .optional()
-                .transform(getEnvOrYaml("USERS_SERVERADMIN_EMAIL"))
-                .pipe(z.string().email())
-                .transform((v) => v.toLowerCase()),
-            password: passwordSchema
-                .optional()
-                .transform(getEnvOrYaml("USERS_SERVERADMIN_PASSWORD"))
-                .pipe(passwordSchema)
-        })
-    }),
-    flags: z
-        .object({
-            require_email_verification: z.boolean().optional(),
-            disable_signup_without_invite: z.boolean().optional(),
-            disable_user_create_org: z.boolean().optional(),
-            allow_raw_resources: z.boolean().optional(),
-            allow_base_domain_resources: z.boolean().optional(),
-            allow_local_sites: z.boolean().optional()
-        })
-        .optional()
-});
+import { license } from "@server/license/license";
+import { configSchema, readConfigFile } from "./readConfigFile";
+import { fromError } from "zod-validation-error";
 
 export class Config {
     private rawConfig!: z.infer<typeof configSchema>;
@@ -163,91 +14,95 @@ export class Config {
 
     supporterHiddenUntil: number | null = null;
 
+    isDev: boolean = process.env.ENVIRONMENT !== "prod";
+
     constructor() {
-        this.loadConfig();
+        this.load();
     }
 
-    public loadConfig() {
-        const loadConfig = (configPath: string) => {
-            try {
-                const yamlContent = fs.readFileSync(configPath, "utf8");
-                const config = yaml.load(yamlContent);
-                return config;
-            } catch (error) {
-                if (error instanceof Error) {
-                    throw new Error(
-                        `Error loading configuration file: ${error.message}`
-                    );
-                }
-                throw error;
-            }
-        };
+    public load() {
+        const environment = readConfigFile();
 
-        let environment: any;
-        if (fs.existsSync(configFilePath1)) {
-            environment = loadConfig(configFilePath1);
-        } else if (fs.existsSync(configFilePath2)) {
-            environment = loadConfig(configFilePath2);
+        const {
+            data: parsedConfig,
+            success,
+            error
+        } = configSchema.safeParse(environment);
+
+        if (!success) {
+            const errors = fromError(error);
+            throw new Error(`Invalid configuration file: ${errors}`);
         }
 
         if (process.env.APP_BASE_DOMAIN) {
             console.log(
-                "You're using deprecated environment variables. Transition to the configuration file. https://docs.fossorial.io/"
+                "WARNING: You're using deprecated environment variables. Transition to the configuration file. https://docs.fossorial.io/"
             );
         }
 
-        if (!environment) {
-            throw new Error(
-                "No configuration file found. Please create one. https://docs.fossorial.io/"
+        if (
+            // @ts-ignore
+            parsedConfig.users ||
+            process.env.USERS_SERVERADMIN_EMAIL ||
+            process.env.USERS_SERVERADMIN_PASSWORD
+        ) {
+            console.log(
+                "WARNING: Your admin credentials are still in the config file or environment variables. This method of setting admin credentials is no longer supported. It is recommended to remove them."
             );
         }
 
-        const parsedConfig = configSchema.safeParse(environment);
-
-        if (!parsedConfig.success) {
-            const errors = fromError(parsedConfig.error);
-            throw new Error(`Invalid configuration file: ${errors}`);
-        }
-
         process.env.APP_VERSION = APP_VERSION;
 
-        process.env.NEXT_PORT = parsedConfig.data.server.next_port.toString();
+        process.env.NEXT_PORT = parsedConfig.server.next_port.toString();
         process.env.SERVER_EXTERNAL_PORT =
-            parsedConfig.data.server.external_port.toString();
+            parsedConfig.server.external_port.toString();
         process.env.SERVER_INTERNAL_PORT =
-            parsedConfig.data.server.internal_port.toString();
-        process.env.FLAGS_EMAIL_VERIFICATION_REQUIRED = parsedConfig.data.flags
+            parsedConfig.server.internal_port.toString();
+        process.env.FLAGS_EMAIL_VERIFICATION_REQUIRED = parsedConfig.flags
             ?.require_email_verification
             ? "true"
             : "false";
-        process.env.FLAGS_ALLOW_RAW_RESOURCES = parsedConfig.data.flags
+        process.env.FLAGS_ALLOW_RAW_RESOURCES = parsedConfig.flags
             ?.allow_raw_resources
             ? "true"
             : "false";
         process.env.SESSION_COOKIE_NAME =
-            parsedConfig.data.server.session_cookie_name;
-        process.env.EMAIL_ENABLED = parsedConfig.data.email ? "true" : "false";
-        process.env.DISABLE_SIGNUP_WITHOUT_INVITE = parsedConfig.data.flags
+            parsedConfig.server.session_cookie_name;
+        process.env.EMAIL_ENABLED = parsedConfig.email ? "true" : "false";
+        process.env.DISABLE_SIGNUP_WITHOUT_INVITE = parsedConfig.flags
             ?.disable_signup_without_invite
             ? "true"
             : "false";
-        process.env.DISABLE_USER_CREATE_ORG = parsedConfig.data.flags
+        process.env.DISABLE_USER_CREATE_ORG = parsedConfig.flags
             ?.disable_user_create_org
             ? "true"
             : "false";
         process.env.RESOURCE_ACCESS_TOKEN_PARAM =
-            parsedConfig.data.server.resource_access_token_param;
+            parsedConfig.server.resource_access_token_param;
+        process.env.RESOURCE_ACCESS_TOKEN_HEADERS_ID =
+            parsedConfig.server.resource_access_token_headers.id;
+        process.env.RESOURCE_ACCESS_TOKEN_HEADERS_TOKEN =
+            parsedConfig.server.resource_access_token_headers.token;
         process.env.RESOURCE_SESSION_REQUEST_PARAM =
-            parsedConfig.data.server.resource_session_request_param;
-        process.env.FLAGS_ALLOW_BASE_DOMAIN_RESOURCES = parsedConfig.data.flags
+            parsedConfig.server.resource_session_request_param;
+        process.env.FLAGS_ALLOW_BASE_DOMAIN_RESOURCES = parsedConfig.flags
             ?.allow_base_domain_resources
             ? "true"
             : "false";
-        process.env.DASHBOARD_URL = parsedConfig.data.app.dashboard_url;
+        process.env.DASHBOARD_URL = parsedConfig.app.dashboard_url;
 
-        this.checkSupporterKey();
+        license.setServerSecret(parsedConfig.server.secret);
 
-        this.rawConfig = parsedConfig.data;
+        this.checkKeyStatus();
+
+        this.rawConfig = parsedConfig;
+    }
+
+    private async checkKeyStatus() {
+        const licenseStatus = await license.check();
+        if (!licenseStatus.isHostLicensed) {
+            this.checkSupporterKey();
+        }
     }
 
     public getRawConfig() {
@@ -295,7 +150,7 @@ export class Config {
 
         try {
             const response = await fetch(
-                "https://api.dev.fossorial.io/api/v1/license/validate",
+                "https://api.fossorial.io/api/v1/license/validate",
                 {
                     method: "POST",
                     headers: {
@@ -331,13 +186,13 @@ export class Config {
 
             // update the supporter key in the database
             await db
-            .update(supporterKey)
-            .set({
-                tier: data.data.tier || null,
-                phrase: data.data.cutePhrase || null,
-                valid: true
-            })
-            .where(eq(supporterKey.keyId, key.keyId));
+                .update(supporterKey)
+                .set({
+                    tier: data.data.tier || null,
+                    phrase: data.data.cutePhrase || null,
+                    valid: true
+                })
+                .where(eq(supporterKey.keyId, key.keyId));
         } catch (e) {
             this.supporterData = key;
             console.error("Failed to validate supporter key", e);

server/lib/consts.ts

@@ -2,7 +2,7 @@ import path from "path";
 import { fileURLToPath } from "url";
 
 // This is a placeholder value replaced by the build process
-export const APP_VERSION = "1.1.0";
+export const APP_VERSION = "1.6.0";
 
 export const __FILENAME = fileURLToPath(import.meta.url);
 export const __DIRNAME = path.dirname(__FILENAME);

server/lib/crypto.ts

@@ -0,0 +1,12 @@
+import CryptoJS from "crypto-js";
+
+export function encrypt(value: string, key: string): string {
+    const ciphertext = CryptoJS.AES.encrypt(value, key).toString();
+    return ciphertext;
+}
+
+export function decrypt(encryptedValue: string, key: string): string {
+    const bytes = CryptoJS.AES.decrypt(encryptedValue, key);
+    const originalText = bytes.toString(CryptoJS.enc.Utf8);
+    return originalText;
+}

server/lib/idp/generateRedirectUrl.ts

@@ -0,0 +1,8 @@
+import config from "@server/lib/config";
+
+export function generateOidcRedirectUrl(idpId: number) {
+    const dashboardUrl = config.getRawConfig().app.dashboard_url;
+    const redirectPath = `/auth/idp/${idpId}/oidc/callback`;
+    const redirectUrl = new URL(redirectPath, dashboardUrl).toString();
+    return redirectUrl;
+}

server/lib/ip.ts

@@ -17,7 +17,7 @@ function detectIpVersion(ip: string): IPVersion {
  */
 function ipToBigInt(ip: string): bigint {
     const version = detectIpVersion(ip);
-    
+
     if (version === 4) {
         return ip.split('.')
             .reduce((acc, octet) => {
@@ -105,7 +105,7 @@ export function cidrToRange(cidr: string): IPRange {
     const version = detectIpVersion(ip);
     const prefixBits = parseInt(prefix);
     const ipBigInt = ipToBigInt(ip);
-    
+
     // Validate prefix length
     const maxPrefix = version === 4 ? 32 : 128;
     if (prefixBits < 0 || prefixBits > maxPrefix) {
@@ -116,7 +116,7 @@ export function cidrToRange(cidr: string): IPRange {
     const mask = BigInt.asUintN(version === 4 ? 64 : 128, (BigInt(1) << shiftBits) - BigInt(1));
     const start = ipBigInt & ~mask;
     const end = start | mask;
-    
+
     return { start, end };
 }
 
@@ -136,17 +136,17 @@ export function findNextAvailableCidr(
     if (!startCidr && existingCidrs.length === 0) {
         return null;
     }
-        
+
     // If no existing CIDRs, use the IP version from startCidr
-    const version = startCidr 
+    const version = startCidr
         ? detectIpVersion(startCidr.split('/')[0])
         : 4; // Default to IPv4 if no startCidr provided
-    
+
     // Use appropriate default startCidr if none provided
     startCidr = startCidr || (version === 4 ? "0.0.0.0/0" : "::/0");
-    
+
     // If there are existing CIDRs, ensure all are same version
-    if (existingCidrs.length > 0 && 
+    if (existingCidrs.length > 0 &&
         existingCidrs.some(cidr => detectIpVersion(cidr.split('/')[0]) !== version)) {
         throw new Error('All CIDRs must be of the same IP version');
     }
@@ -196,12 +196,14 @@ export function findNextAvailableCidr(
 export function isIpInCidr(ip: string, cidr: string): boolean {
     const ipVersion = detectIpVersion(ip);
     const cidrVersion = detectIpVersion(cidr.split('/')[0]);
-    
+
+    // If IP versions don't match, the IP cannot be in the CIDR range
     if (ipVersion !== cidrVersion) {
-        throw new Error('IP address and CIDR must be of the same version');
+        // throw new Erorr
+        return false;
     }
 
     const ipBigInt = ipToBigInt(ip);
     const range = cidrToRange(cidr);
     return ipBigInt >= range.start && ipBigInt <= range.end;
-}
+}

server/lib/readConfigFile.ts

@@ -0,0 +1,243 @@
+import fs from "fs";
+import yaml from "js-yaml";
+import { configFilePath1, configFilePath2 } from "./consts";
+import { z } from "zod";
+import stoi from "./stoi";
+import { passwordSchema } from "@server/auth/passwordSchema";
+import { fromError } from "zod-validation-error";
+
+const portSchema = z.number().positive().gt(0).lte(65535);
+
+const getEnvOrYaml = (envVar: string) => (valFromYaml: any) => {
+    return process.env[envVar] ?? valFromYaml;
+};
+
+export const configSchema = z.object({
+    app: z.object({
+        dashboard_url: z
+            .string()
+            .url()
+            .optional()
+            .pipe(z.string().url())
+            .transform((url) => url.toLowerCase()),
+        log_level: z
+            .enum(["debug", "info", "warn", "error"])
+            .optional()
+            .default("info"),
+        save_logs: z.boolean().optional().default(false),
+        log_failed_attempts: z.boolean().optional().default(false)
+    }),
+    domains: z
+        .record(
+            z.string(),
+            z.object({
+                base_domain: z
+                    .string()
+                    .nonempty("base_domain must not be empty")
+                    .transform((url) => url.toLowerCase()),
+                cert_resolver: z.string().optional().default("letsencrypt"),
+                prefer_wildcard_cert: z.boolean().optional().default(false)
+            })
+        )
+        .refine(
+            (domains) => {
+                const keys = Object.keys(domains);
+
+                if (keys.length === 0) {
+                    return false;
+                }
+
+                return true;
+            },
+            {
+                message: "At least one domain must be defined"
+            }
+        ),
+    server: z.object({
+        integration_port: portSchema
+            .optional()
+            .default(3003)
+            .transform(stoi)
+            .pipe(portSchema.optional()),
+        external_port: portSchema
+            .optional()
+            .default(3000)
+            .transform(stoi)
+            .pipe(portSchema),
+        internal_port: portSchema
+            .optional()
+            .default(3001)
+            .transform(stoi)
+            .pipe(portSchema),
+        next_port: portSchema
+            .optional()
+            .default(3002)
+            .transform(stoi)
+            .pipe(portSchema),
+        internal_hostname: z
+            .string()
+            .optional()
+            .default("pangolin")
+            .transform((url) => url.toLowerCase()),
+        session_cookie_name: z.string().optional().default("p_session_token"),
+        resource_access_token_param: z.string().optional().default("p_token"),
+        resource_access_token_headers: z
+            .object({
+                id: z.string().optional().default("P-Access-Token-Id"),
+                token: z.string().optional().default("P-Access-Token")
+            })
+            .optional()
+            .default({}),
+        resource_session_request_param: z
+            .string()
+            .optional()
+            .default("resource_session_request_param"),
+        dashboard_session_length_hours: z
+            .number()
+            .positive()
+            .gt(0)
+            .optional()
+            .default(720),
+        resource_session_length_hours: z
+            .number()
+            .positive()
+            .gt(0)
+            .optional()
+            .default(720),
+        cors: z
+            .object({
+                origins: z.array(z.string()).optional(),
+                methods: z.array(z.string()).optional(),
+                allowed_headers: z.array(z.string()).optional(),
+                credentials: z.boolean().optional()
+            })
+            .optional(),
+        trust_proxy: z.number().int().gte(0).optional().default(1),
+        secret: z
+            .string()
+            .optional()
+            .transform(getEnvOrYaml("SERVER_SECRET"))
+            .pipe(z.string().min(8))
+    }),
+    postgres: z
+        .object({
+            connection_string: z.string(),
+            replicas: z
+                .array(
+                    z.object({
+                        connection_string: z.string()
+                    })
+                )
+                .optional()
+        })
+        .optional(),
+    traefik: z
+        .object({
+            http_entrypoint: z.string().optional().default("web"),
+            https_entrypoint: z.string().optional().default("websecure"),
+            additional_middlewares: z.array(z.string()).optional()
+        })
+        .optional()
+        .default({}),
+    gerbil: z
+        .object({
+            start_port: portSchema
+                .optional()
+                .default(51820)
+                .transform(stoi)
+                .pipe(portSchema),
+            base_endpoint: z
+                .string()
+                .optional()
+                .pipe(z.string())
+                .transform((url) => url.toLowerCase()),
+            use_subdomain: z.boolean().optional().default(false),
+            subnet_group: z.string().optional().default("100.89.137.0/20"),
+            block_size: z.number().positive().gt(0).optional().default(24),
+            site_block_size: z.number().positive().gt(0).optional().default(30)
+        })
+        .optional()
+        .default({}),
+    rate_limits: z
+        .object({
+            global: z
+                .object({
+                    window_minutes: z
+                        .number()
+                        .positive()
+                        .gt(0)
+                        .optional()
+                        .default(1),
+                    max_requests: z
+                        .number()
+                        .positive()
+                        .gt(0)
+                        .optional()
+                        .default(500)
+                })
+                .optional()
+                .default({}),
+            auth: z
+                .object({
+                    window_minutes: z.number().positive().gt(0),
+                    max_requests: z.number().positive().gt(0)
+                })
+                .optional()
+        })
+        .optional()
+        .default({}),
+    email: z
+        .object({
+            smtp_host: z.string().optional(),
+            smtp_port: portSchema.optional(),
+            smtp_user: z.string().optional(),
+            smtp_pass: z.string().optional(),
+            smtp_secure: z.boolean().optional(),
+            smtp_tls_reject_unauthorized: z.boolean().optional(),
+            no_reply: z.string().email().optional()
+        })
+        .optional(),
+    flags: z
+        .object({
+            require_email_verification: z.boolean().optional(),
+            disable_signup_without_invite: z.boolean().optional(),
+            disable_user_create_org: z.boolean().optional(),
+            allow_raw_resources: z.boolean().optional(),
+            allow_base_domain_resources: z.boolean().optional(),
+            allow_local_sites: z.boolean().optional(),
+            enable_integration_api: z.boolean().optional()
+        })
+        .optional()
+});
+
+export function readConfigFile() {
+    const loadConfig = (configPath: string) => {
+        try {
+            const yamlContent = fs.readFileSync(configPath, "utf8");
+            const config = yaml.load(yamlContent);
+            return config;
+        } catch (error) {
+            if (error instanceof Error) {
+                throw new Error(
+                    `Error loading configuration file: ${error.message}`
+                );
+            }
+            throw error;
+        }
+    };
+
+    let environment: any;
+    if (fs.existsSync(configFilePath1)) {
+        environment = loadConfig(configFilePath1);
+    } else if (fs.existsSync(configFilePath2)) {
+        environment = loadConfig(configFilePath2);
+    }
+
+    if (!environment) {
+        throw new Error(
+            "No configuration file found. Please create one. https://docs.fossorial.io/"
+        );
+    }
+
+    return environment;
+}

server/lib/schemas.ts

@@ -9,3 +9,10 @@ export const subdomainSchema = z
     .min(1, "Subdomain must be at least 1 character long")
     .transform((val) => val.toLowerCase());
 
+export const tlsNameSchema = z
+    .string()
+    .regex(
+        /^(?!:\/\/)([a-zA-Z0-9-_]+\.)*[a-zA-Z0-9-_]+$|^$/,
+        "Invalid subdomain format"
+    )
+    .transform((val) => val.toLowerCase());

server/lib/stoi.ts

@@ -1,6 +1,6 @@
 export default function stoi(val: any) {
     if (typeof val === "string") {
-        return parseInt(val) 
+        return parseInt(val); 
     }
     else {
         return val;  

server/lib/validators.ts

@@ -9,6 +9,10 @@ export function isValidIP(ip: string): boolean {
 }
 
 export function isValidUrlGlobPattern(pattern: string): boolean {
+    if (pattern === "/") {
+        return true;
+    }
+
     // Remove leading slash if present
     pattern = pattern.startsWith("/") ? pattern.slice(1) : pattern;
 

server/license/license.ts

@@ -0,0 +1,488 @@
+import { db } from "@server/db";
+import { hostMeta, licenseKey, sites } from "@server/db";
+import logger from "@server/logger";
+import NodeCache from "node-cache";
+import { validateJWT } from "./licenseJwt";
+import { count, eq } from "drizzle-orm";
+import moment from "moment";
+import { setHostMeta } from "@server/setup/setHostMeta";
+import { encrypt, decrypt } from "@server/lib/crypto";
+
+const keyTypes = ["HOST", "SITES"] as const;
+type KeyType = (typeof keyTypes)[number];
+
+const keyTiers = ["PROFESSIONAL", "ENTERPRISE"] as const;
+type KeyTier = (typeof keyTiers)[number];
+
+export type LicenseStatus = {
+    isHostLicensed: boolean; // Are there any license keys?
+    isLicenseValid: boolean; // Is the license key valid?
+    hostId: string; // Host ID
+    maxSites?: number;
+    usedSites?: number;
+    tier?: KeyTier;
+};
+
+export type LicenseKeyCache = {
+    licenseKey: string;
+    licenseKeyEncrypted: string;
+    valid: boolean;
+    iat?: Date;
+    type?: KeyType;
+    tier?: KeyTier;
+    numSites?: number;
+};
+
+type ActivateLicenseKeyAPIResponse = {
+    data: {
+        instanceId: string;
+    };
+    success: boolean;
+    error: string;
+    message: string;
+    status: number;
+};
+
+type ValidateLicenseAPIResponse = {
+    data: {
+        licenseKeys: {
+            [key: string]: string;
+        };
+    };
+    success: boolean;
+    error: string;
+    message: string;
+    status: number;
+};
+
+type TokenPayload = {
+    valid: boolean;
+    type: KeyType;
+    tier: KeyTier;
+    quantity: number;
+    terminateAt: string; // ISO
+    iat: number; // Issued at
+};
+
+export class License {
+    private phoneHomeInterval = 6 * 60 * 60; // 6 hours = 6 * 60 * 60 = 21600 seconds
+    private validationServerUrl =
+        "https://api.fossorial.io/api/v1/license/professional/validate";
+    private activationServerUrl =
+        "https://api.fossorial.io/api/v1/license/professional/activate";
+
+    private statusCache = new NodeCache({ stdTTL: this.phoneHomeInterval });
+    private licenseKeyCache = new NodeCache();
+
+    private ephemeralKey!: string;
+    private statusKey = "status";
+    private serverSecret!: string;
+
+    private publicKey = `-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx9RKc8cw+G8r7h/xeozF
+FNkRDggQfYO6Ae+EWHGujZ9WYAZ10spLh9F/zoLhhr3XhsjpoRXwMfgNuO5HstWf
+CYM20I0l7EUUMWEyWd4tZLd+5XQ4jY5xWOCWyFJAGQSp7flcRmxdfde+l+xg9eKl
+apbY84aVp09/GqM96hCS+CsQZrhohu/aOqYVB/eAhF01qsbmiZ7Y3WtdhTldveYt
+h4mZWGmjf8d/aEgePf/tk1gp0BUxf+Ae5yqoAqU+6aiFbjJ7q1kgxc18PWFGfE9y
+zSk+OZk887N5ThQ52154+oOUCMMR2Y3t5OH1hVZod51vuY2u5LsQXsf+87PwB91y
+LQIDAQAB
+-----END PUBLIC KEY-----`;
+
+    constructor(private hostId: string) {
+        this.ephemeralKey = Buffer.from(
+            JSON.stringify({ ts: new Date().toISOString() })
+        ).toString("base64");
+
+        setInterval(
+            async () => {
+                await this.check();
+            },
+            1000 * 60 * 60
+        ); // 1 hour = 60 * 60 = 3600 seconds
+    }
+
+    public listKeys(): LicenseKeyCache[] {
+        const keys = this.licenseKeyCache.keys();
+        return keys.map((key) => {
+            return this.licenseKeyCache.get<LicenseKeyCache>(key)!;
+        });
+    }
+
+    public setServerSecret(secret: string) {
+        this.serverSecret = secret;
+    }
+
+    public async forceRecheck() {
+        this.statusCache.flushAll();
+        this.licenseKeyCache.flushAll();
+
+        return await this.check();
+    }
+
+    public async isUnlocked(): Promise<boolean> {
+        const status = await this.check();
+        if (status.isHostLicensed) {
+            if (status.isLicenseValid) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    public async check(): Promise<LicenseStatus> {
+        // Set used sites
+        const [siteCount] = await db
+            .select({
+                value: count()
+            })
+            .from(sites);
+
+        const status: LicenseStatus = {
+            hostId: this.hostId,
+            isHostLicensed: true,
+            isLicenseValid: false,
+            maxSites: undefined,
+            usedSites: siteCount.value
+        };
+
+        try {
+            if (this.statusCache.has(this.statusKey)) {
+                const res = this.statusCache.get("status") as LicenseStatus;
+                res.usedSites = status.usedSites;
+                return res;
+            }
+
+            // Invalidate all
+            this.licenseKeyCache.flushAll();
+
+            const allKeysRes = await db.select().from(licenseKey);
+
+            if (allKeysRes.length === 0) {
+                status.isHostLicensed = false;
+                return status;
+            }
+
+            let foundHostKey = false;
+            // Validate stored license keys
+            for (const key of allKeysRes) {
+                try {
+                    // Decrypt the license key and token
+                    const decryptedKey = decrypt(
+                        key.licenseKeyId,
+                        this.serverSecret
+                    );
+                    const decryptedToken = decrypt(
+                        key.token,
+                        this.serverSecret
+                    );
+
+                    const payload = validateJWT<TokenPayload>(
+                        decryptedToken,
+                        this.publicKey
+                    );
+
+                    this.licenseKeyCache.set<LicenseKeyCache>(decryptedKey, {
+                        licenseKey: decryptedKey,
+                        licenseKeyEncrypted: key.licenseKeyId,
+                        valid: payload.valid,
+                        type: payload.type,
+                        tier: payload.tier,
+                        numSites: payload.quantity,
+                        iat: new Date(payload.iat * 1000)
+                    });
+
+                    if (payload.type === "HOST") {
+                        foundHostKey = true;
+                    }
+                } catch (e) {
+                    logger.error(
+                        `Error validating license key: ${key.licenseKeyId}`
+                    );
+                    logger.error(e);
+
+                    this.licenseKeyCache.set<LicenseKeyCache>(
+                        key.licenseKeyId,
+                        {
+                            licenseKey: key.licenseKeyId,
+                            licenseKeyEncrypted: key.licenseKeyId,
+                            valid: false
+                        }
+                    );
+                }
+            }
+
+            if (!foundHostKey && allKeysRes.length) {
+                logger.debug("No host license key found");
+                status.isHostLicensed = false;
+            }
+
+            const keys = allKeysRes.map((key) => ({
+                licenseKey: decrypt(key.licenseKeyId, this.serverSecret),
+                instanceId: decrypt(key.instanceId, this.serverSecret)
+            }));
+
+            let apiResponse: ValidateLicenseAPIResponse | undefined;
+            try {
+                // Phone home to validate license keys
+                apiResponse = await this.phoneHome(keys);
+
+                if (!apiResponse?.success) {
+                    throw new Error(apiResponse?.error);
+                }
+            } catch (e) {
+                logger.error("Error communicating with license server:");
+                logger.error(e);
+            }
+
+            logger.debug("Validate response", apiResponse);
+
+            // Check and update all license keys with server response
+            for (const key of keys) {
+                try {
+                    const cached = this.licenseKeyCache.get<LicenseKeyCache>(
+                        key.licenseKey
+                    )!;
+                    const licenseKeyRes =
+                        apiResponse?.data?.licenseKeys[key.licenseKey];
+
+                    if (!apiResponse || !licenseKeyRes) {
+                        logger.debug(
+                            `No response from server for license key: ${key.licenseKey}`
+                        );
+                        if (cached.iat) {
+                            const exp = moment(cached.iat)
+                                .add(7, "days")
+                                .toDate();
+                            if (exp > new Date()) {
+                                logger.debug(
+                                    `Using cached license key: ${key.licenseKey}, valid ${cached.valid}`
+                                );
+                                continue;
+                            }
+                        }
+
+                        logger.debug(
+                            `Can't trust license key: ${key.licenseKey}`
+                        );
+                        cached.valid = false;
+                        this.licenseKeyCache.set<LicenseKeyCache>(
+                            key.licenseKey,
+                            cached
+                        );
+                        continue;
+                    }
+
+                    const payload = validateJWT<TokenPayload>(
+                        licenseKeyRes,
+                        this.publicKey
+                    );
+                    cached.valid = payload.valid;
+                    cached.type = payload.type;
+                    cached.tier = payload.tier;
+                    cached.numSites = payload.quantity;
+                    cached.iat = new Date(payload.iat * 1000);
+
+                    // Encrypt the updated token before storing
+                    const encryptedKey = encrypt(
+                        key.licenseKey,
+                        this.serverSecret
+                    );
+                    const encryptedToken = encrypt(
+                        licenseKeyRes,
+                        this.serverSecret
+                    );
+
+                    await db
+                        .update(licenseKey)
+                        .set({
+                            token: encryptedToken
+                        })
+                        .where(eq(licenseKey.licenseKeyId, encryptedKey));
+
+                    this.licenseKeyCache.set<LicenseKeyCache>(
+                        key.licenseKey,
+                        cached
+                    );
+                } catch (e) {
+                    logger.error(`Error validating license key: ${key}`);
+                    logger.error(e);
+                }
+            }
+
+            // Compute host status
+            for (const key of keys) {
+                const cached = this.licenseKeyCache.get<LicenseKeyCache>(
+                    key.licenseKey
+                )!;
+
+                logger.debug("Checking key", cached);
+
+                if (cached.type === "HOST") {
+                    status.isLicenseValid = cached.valid;
+                    status.tier = cached.tier;
+                }
+
+                if (!cached.valid) {
+                    continue;
+                }
+
+                if (!status.maxSites) {
+                    status.maxSites = 0;
+                }
+
+                status.maxSites += cached.numSites || 0;
+            }
+        } catch (error) {
+            logger.error("Error checking license status:");
+            logger.error(error);
+        }
+
+        this.statusCache.set(this.statusKey, status);
+        return status;
+    }
+
+    public async activateLicenseKey(key: string) {
+        // Encrypt the license key before storing
+        const encryptedKey = encrypt(key, this.serverSecret);
+
+        const [existingKey] = await db
+            .select()
+            .from(licenseKey)
+            .where(eq(licenseKey.licenseKeyId, encryptedKey))
+            .limit(1);
+
+        if (existingKey) {
+            throw new Error("License key already exists");
+        }
+
+        let instanceId: string | undefined;
+        try {
+            // Call activate
+            const apiResponse = await fetch(this.activationServerUrl, {
+                method: "POST",
+                headers: {
+                    "Content-Type": "application/json"
+                },
+                body: JSON.stringify({
+                    licenseKey: key,
+                    instanceName: this.hostId
+                })
+            });
+
+            const data = await apiResponse.json();
+
+            if (!data.success) {
+                throw new Error(`${data.message || data.error}`);
+            }
+
+            const response = data as ActivateLicenseKeyAPIResponse;
+
+            if (!response.data) {
+                throw new Error("No response from server");
+            }
+
+            if (!response.data.instanceId) {
+                throw new Error("No instance ID in response");
+            }
+
+            instanceId = response.data.instanceId;
+        } catch (error) {
+            throw Error(`Error activating license key: ${error}`);
+        }
+
+        // Phone home to validate license key
+        const keys = [
+            {
+                licenseKey: key,
+                instanceId: instanceId!
+            }
+        ];
+
+        let validateResponse: ValidateLicenseAPIResponse;
+        try {
+            validateResponse = await this.phoneHome(keys);
+
+            if (!validateResponse) {
+                throw new Error("No response from server");
+            }
+
+            if (!validateResponse.success) {
+                throw new Error(validateResponse.error);
+            }
+
+            // Validate the license key
+            const licenseKeyRes = validateResponse.data.licenseKeys[key];
+            if (!licenseKeyRes) {
+                throw new Error("Invalid license key");
+            }
+
+            const payload = validateJWT<TokenPayload>(
+                licenseKeyRes,
+                this.publicKey
+            );
+
+            if (!payload.valid) {
+                throw new Error("Invalid license key");
+            }
+
+            const encryptedToken = encrypt(licenseKeyRes, this.serverSecret);
+            // Encrypt the instanceId before storing
+            const encryptedInstanceId = encrypt(instanceId!, this.serverSecret);
+
+            // Store the license key in the database
+            await db.insert(licenseKey).values({
+                licenseKeyId: encryptedKey,
+                token: encryptedToken,
+                instanceId: encryptedInstanceId
+            });
+        } catch (error) {
+            throw Error(`Error validating license key: ${error}`);
+        }
+
+        // Invalidate the cache and re-compute the status
+        return await this.forceRecheck();
+    }
+
+    private async phoneHome(
+        keys: {
+            licenseKey: string;
+            instanceId: string;
+        }[]
+    ): Promise<ValidateLicenseAPIResponse> {
+        // Decrypt the instanceIds before sending to the server
+        const decryptedKeys = keys.map((key) => ({
+            licenseKey: key.licenseKey,
+            instanceId: key.instanceId
+                ? decrypt(key.instanceId, this.serverSecret)
+                : key.instanceId
+        }));
+
+        const response = await fetch(this.validationServerUrl, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json"
+            },
+            body: JSON.stringify({
+                licenseKeys: decryptedKeys,
+                ephemeralKey: this.ephemeralKey,
+                instanceName: this.hostId
+            })
+        });
+
+        const data = await response.json();
+
+        return data as ValidateLicenseAPIResponse;
+    }
+}
+
+await setHostMeta();
+
+const [info] = await db.select().from(hostMeta).limit(1);
+
+if (!info) {
+    throw new Error("Host information not found");
+}
+
+export const license = new License(info.hostMetaId);
+
+export default license;