chore(deps): bump golang from 1.25-alpine to 1.26-alpine

Bumps golang from 1.25-alpine to 1.26-alpine.

---
updated-dependencies:
- dependency-name: golang
  dependency-version: 1.26-alpine
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/workflows/chart.yml

@@ -20,7 +20,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ github.event_name == 'pull_request' }}
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
@@ -35,7 +35,7 @@ jobs:
       # ct lint requires Python 3.x to run following packages:
       #  - yamale (https://github.com/23andMe/Yamale)
       #  - yamllint (https://github.com/adrienverge/yamllint)
-      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: '3.x'
 
@@ -60,7 +60,7 @@ jobs:
     permissions:
       packages: write
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
         with:

.github/workflows/docker-publish.yml

@@ -18,13 +18,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check out the repo
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Set up QEMU
         uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
 
       - name: Get Version
         shell: bash
@@ -96,7 +96,7 @@ jobs:
           done
 
       - name: Upload binaries
-        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
         with:
           name: binaries
           path: binaries/wg-portal_linux*
@@ -110,7 +110,7 @@ jobs:
       contents: write
     steps:
       - name: Download binaries
-        uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
         with:
           name: binaries
 

.github/workflows/pages.yml

@@ -15,11 +15,11 @@ jobs:
   deploy:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 0
 
-      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
+      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version: 3.x
 

Dockerfile

@@ -20,7 +20,7 @@ RUN npm run build
 ######
 # Build backend
 ######
-FROM --platform=${BUILDPLATFORM} golang:1.25-alpine AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.26-alpine AS builder
 # Set the working directory
 WORKDIR /build
 # Download dependencies

cmd/wg-portal/main.go

@@ -47,7 +47,7 @@ func main() {
 	rawDb, err := adapters.NewDatabase(cfg.Database)
 	internal.AssertNoError(err)
 
-	database, err := adapters.NewSqlRepository(rawDb)
+	database, err := adapters.NewSqlRepository(rawDb, cfg)
 	internal.AssertNoError(err)
 
 	wireGuard, err := wireguard.NewControllerManager(cfg)
@@ -135,6 +135,7 @@ func main() {
 	apiV0EndpointPeers := handlersV0.NewPeerEndpoint(cfg, apiV0Auth, validatorManager, apiV0BackendPeers)
 	apiV0EndpointConfig := handlersV0.NewConfigEndpoint(cfg, apiV0Auth, wireGuard)
 	apiV0EndpointTest := handlersV0.NewTestEndpoint(apiV0Auth)
+	apiV0EndpointWebsocket := handlersV0.NewWebsocketEndpoint(cfg, apiV0Auth, eventBus)
 
 	apiFrontend := handlersV0.NewRestApi(apiV0Session,
 		apiV0EndpointAuth,
@@ -144,6 +145,7 @@ func main() {
 		apiV0EndpointPeers,
 		apiV0EndpointConfig,
 		apiV0EndpointTest,
+		apiV0EndpointWebsocket,
 	)
 
 	// endregion API v0 (SPA frontend)

docs/documentation/configuration/overview.md

@@ -157,12 +157,14 @@ More advanced options are found in the subsequent `Advanced` section.
 ### `create_default_peer`
 - **Default:** `false`
 - **Environment Variable:** `WG_PORTAL_CORE_CREATE_DEFAULT_PEER`
-- **Description:** If a user logs in for the first time with no existing peers, automatically create a new WireGuard peer for **all** server interfaces.
+- **Description:** If a user logs in for the first time with no existing peers, automatically create a new WireGuard peer for all server interfaces where the "Create default peer" flag is set.
+- **Important:** This option is only effective for interfaces where the "Create default peer" flag is set (via the UI).
 
 ### `create_default_peer_on_creation`
 - **Default:** `false`
 - **Environment Variable:** `WG_PORTAL_CORE_CREATE_DEFAULT_PEER_ON_CREATION`
-- **Description:** If an LDAP user is created (e.g., through LDAP sync) and has no peers, automatically create a new WireGuard peer for **all** server interfaces.
+- **Description:** If an LDAP user is created (e.g., through LDAP sync) and has no peers, automatically create a new WireGuard peer for all server interfaces where the "Create default peer" flag is set.
+- **Important:** This option requires [create_default_peer](#create_default_peer) to be enabled.
 
 ### `re_enable_peer_after_user_enable`
 - **Default:** `true`

docs/documentation/getting-started/binaries.md

@@ -9,6 +9,11 @@ Make sure that you download the correct binary for your architecture. The availa
 - `wg-portal_linux_arm64` - Linux ARM 64-bit
 - `wg-portal_linux_arm_v7` - Linux ARM 32-bit
 
+### Released versions
+
+To download a specific version, replace `${WG_PORTAL_VERSION}` with the desired version (or set an environment variable). 
+All official release versions can be found on the [GitHub Releases Page](https://github.com/h44z/wg-portal/releases).
+
 With `curl`:
 
 ```shell
@@ -27,16 +32,74 @@ with `gh cli`:
 gh release download ${WG_PORTAL_VERSION} --repo h44z/wg-portal --output wg-portal --pattern '*amd64'
 ```
 
+The downloaded file will be named `wg-portal` and can be moved to a directory of your choice, see [Install](#install) for more information.
+
+### Unreleased versions (master branch builds)
+
+Unreleased versions can be fetched directly from the artifacts section of the [GitHub Workflow](https://github.com/h44z/wg-portal/actions/workflows/docker-publish.yml?query=branch%3Amaster).
 
 
 ## Install
 
+The following command can be used to install the downloaded binary (`wg-portal`) to `/opt/wg-portal/wg-portal`. It ensures that the binary is executable.
+
 ```shell
 sudo mkdir -p /opt/wg-portal
 sudo install wg-portal /opt/wg-portal/
 ```
 
-## Unreleased versions (master branch builds)
+To handle tasks such as restarting the service or configuring automatic startup, it is recommended to use a process manager like [systemd](https://systemd.io/). 
+Refer to [Systemd Service Setup](#systemd-service-setup) for instructions.
 
-Unreleased versions can be fetched directly from the artifacts section of the [GitHub Workflow](https://github.com/h44z/wg-portal/actions/workflows/docker-publish.yml?query=branch%3Amaster).
+## Systemd Service Setup
 
+> **Note:** To run WireGuard Portal as systemd service, you need to download the binary for your architecture beforehand.
+> 
+> The following examples assume that you downloaded the binary to `/opt/wg-portal/wg-portal`. 
+> The configuration file is expected to be located at `/opt/wg-portal/config.yml`.
+
+To run WireGuard Portal as a systemd service, you can create a service unit file. The easiest way to do this is by using `systemctl edit`:
+
+```shell
+sudo systemctl edit --force --full wg-portal.service
+```
+
+Paste the following content into the editor and adjust the variables to your needs:
+
+```ini
+[Unit]
+Description=WireGuard Portal
+ConditionPathExists=/opt/wg-portal/wg-portal
+After=network.target
+
+[Service]
+Type=simple
+User=root
+Group=root
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
+
+Restart=on-failure
+RestartSec=10
+
+WorkingDirectory=/opt/wg-portal
+Environment=WG_PORTAL_CONFIG=/opt/wg-portal/config.yml
+ExecStart=/opt/wg-portal/wg-portal
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Alternatively, you can create or modify the file manually in `/etc/systemd/system/wg-portal.service`. 
+For systemd to pick up the changes, you need to reload the daemon:
+
+```shell
+sudo systemctl daemon-reload
+```
+
+After creating the service file, you can enable and start the service:
+
+```shell
+sudo systemctl enable --now wg-portal.service
+```
+
+To check status and log output, use: `sudo systemctl status wg-portal.service` or `sudo journalctl -u wg-portal.service`.

docs/documentation/rest-api/swagger.yaml

@@ -443,6 +443,18 @@ definitions:
                 maxLength: 64
                 minLength: 32
                 type: string
+            AuthSources:
+                description: The source of the user. This field is optional.
+                example:
+                    - db
+                items:
+                    enum:
+                        - db
+                        - ldap
+                        - oauth
+                    type: string
+                readOnly: true
+                type: array
             Department:
                 description: The department of the user. This field is optional.
                 example: Software Development
@@ -503,19 +515,6 @@ definitions:
                 description: The phone number of the user. This field is optional.
                 example: "+1234546789"
                 type: string
-            ProviderName:
-                description: The name of the authentication provider. This field is read-only.
-                example: ""
-                readOnly: true
-                type: string
-            Source:
-                description: The source of the user. This field is optional.
-                enum:
-                    - db
-                    - ldap
-                    - oauth
-                example: db
-                type: string
         required:
             - Identifier
         type: object

docs/documentation/usage/authentication.md

@@ -0,0 +1,152 @@
+WireGuard Portal supports multiple authentication mechanisms to manage user access. This includes
+
+ - Local user accounts
+ - LDAP authentication
+ - OAuth2 and OIDC authentication
+ - Passkey authentication (WebAuthn)
+
+Users can have two roles which limit their permissions in WireGuard Portal:
+
+- **User**: Can manage their own account and peers.
+- **Admin**: Can manage all users and peers, including the ability to manage WireGuard interfaces.
+
+In general, each user is identified by a _unique identifier_. If the same user identifier exists across multiple authentication sources, WireGuard Portal automatically merges those accounts into a single user record.
+When a user is associated with multiple authentication sources, their information in WireGuard Portal is updated based on the most recently logged-in source. For more details, see [User Synchronization](./user-sync.md) documentation.
+
+## Password Authentication
+
+WireGuard Portal supports username and password authentication for both local and LDAP-backed accounts.
+Local users are stored in the database, while LDAP users are authenticated against an external LDAP server.
+
+On initial startup, WireGuard Portal automatically creates a local admin account with the password `wgportal-default`.
+> :warning: This password must be changed immediately after the first login.
+
+The minimum password length for all local users can be configured in the [`auth`](../configuration/overview.md#auth)
+section of the configuration file. The default value is **16** characters, see [`min_password_length`](../configuration/overview.md#min_password_length).
+The minimum password length is also enforced for the default admin user.
+
+
+## Passkey (WebAuthn) Authentication
+
+Besides the standard authentication mechanisms, WireGuard Portal supports Passkey authentication.
+This feature is enabled by default and can be configured in the [`webauthn`](../configuration/overview.md#webauthn-passkeys) section of the configuration file.
+
+Users can register multiple Passkeys to their account. These Passkeys can be used to log in to the web UI as long as the user is not locked.
+> :warning: Passkey authentication does not disable password authentication. The password can still be used to log in (e.g., as a fallback).
+
+To register a Passkey, open the settings page *(1)* in the web UI and click on the "Register Passkey" *(2)* button.
+
+![Passkey UI](../../assets/images/passkey_setup.png)
+
+
+## OAuth2 and OIDC Authentication
+
+WireGuard Portal supports OAuth2 and OIDC authentication. You can use any OAuth2 or OIDC provider that supports the authorization code flow,
+such as Google, GitHub, or Keycloak.
+
+For OAuth2 or OIDC to work, you need to configure the [`external_url`](../configuration/overview.md#external_url) property in the [`web`](../configuration/overview.md#web) section of the configuration file.
+If you are planning to expose the portal to the internet, make sure that the `external_url` is configured to use HTTPS.
+
+To add OIDC or OAuth2 authentication to WireGuard Portal, create a Client-ID and Client-Secret in your OAuth2 provider and
+configure a new authentication provider in the [`auth`](../configuration/overview.md#auth) section of the configuration file.
+Make sure that each configured provider has a unique `provider_name` property set. Samples can be seen [here](../configuration/examples.md).
+
+#### Limiting Login to Specific Domains
+
+You can limit the login to specific domains by setting the `allowed_domains` property for OAuth2 or OIDC providers.
+This property is a comma-separated list of domains that are allowed to log in. The user's email address is checked against this list.
+For example, if you want to allow only users with an email address ending in `outlook.com` to log in, set the property as follows:
+
+```yaml
+auth:
+  oidc:
+    - provider_name: "oidc1"
+      # ... other settings
+      allowed_domains:
+        - "outlook.com"
+```
+
+#### Limit Login to Existing Users
+
+You can limit the login to existing users only by setting the `registration_enabled` property to `false` for OAuth2 or OIDC providers.
+If registration is enabled, new users will be created in the database when they log in for the first time.
+
+#### Admin Mapping
+
+You can map users to admin roles based on their attributes in the OAuth2 or OIDC provider. To do this, set the `admin_mapping` property for the provider.
+Administrative access can either be mapped by a specific attribute or by group membership.
+
+**Attribute specific mapping** can be achieved by setting the `admin_value_regex` and the `is_admin` property.
+The `admin_value_regex` property is a regular expression that is matched against the value of the `is_admin` attribute.
+The user is granted admin access if the regex matches the attribute value.
+
+Example:
+```yaml
+auth:
+  oidc:
+    - provider_name: "oidc1"
+      # ... other settings
+      field_map:
+        is_admin: "wg_admin_prop"
+      admin_mapping:
+        admin_value_regex: "^true$"
+```
+The example above will grant admin access to users with the `wg_admin_prop` attribute set to `true`.
+
+**Group membership mapping** can be achieved by setting the `admin_group_regex` and `user_groups` property.
+The `admin_group_regex` property is a regular expression that is matched against the group names of the user.
+The user is granted admin access if the regex matches any of the group names.
+
+Example:
+```yaml
+auth:
+  oidc:
+    - provider_name: "oidc1"
+      # ... other settings
+      field_map:
+        user_groups: "groups"
+      admin_mapping:
+        admin_group_regex: "^the-admin-group$"
+```
+The example above will grant admin access to users who are members of the `the-admin-group` group.
+
+
+## LDAP Authentication
+
+WireGuard Portal supports LDAP authentication. You can use any LDAP server that supports the LDAP protocol, such as Active Directory or OpenLDAP.
+Multiple LDAP servers can be configured in the [`auth`](../configuration/overview.md#auth) section of the configuration file.
+WireGuard Portal remembers the authentication provider of the user and therefore avoids conflicts between multiple LDAP providers.
+
+To configure LDAP authentication, create a new [`ldap`](../configuration/overview.md#ldap) authentication provider in the [`auth`](../configuration/overview.md#auth) section of the configuration file.
+
+### Limiting Login to Specific Users
+
+You can limit the login to specific users by setting the `login_filter` property for LDAP provider. This filter uses the LDAP search filter syntax.
+The username can be inserted into the query by placing the `{{login_identifier}}` placeholder in the filter. This placeholder will then be replaced with the username entered by the user during login.
+
+For example, if you want to allow only users with the `objectClass` attribute set to `organizationalPerson` to log in, set the property as follows:
+
+```yaml
+auth:
+  ldap:
+    - provider_name: "ldap1"
+      # ... other settings
+      login_filter: "(&(objectClass=organizationalPerson)(uid={{login_identifier}}))"
+```
+
+The `login_filter` should always be designed to return at most one user.
+
+### Limit Login to Existing Users
+
+You can limit the login to existing users only by setting the `registration_enabled` property to `false` for LDAP providers.
+If registration is enabled, new users will be created in the database when they log in for the first time.
+
+### Admin Mapping
+
+You can map users to admin roles based on their group membership in the LDAP server. To do this, set the `admin_group` and `memberof` property for the provider.
+The `admin_group` property defines the distinguished name of the group that is allowed to log in as admin.
+All groups that are listed in the `memberof` attribute of the user will be checked against this group. If one of the groups matches, the user is granted admin access.
+
+
+## User Synchronization
+

docs/documentation/usage/general.md

@@ -14,7 +14,7 @@ WireGuard Interfaces can be categorized into three types:
 ## Accessing the Web UI
 
 The web UI should be accessed via the URL specified in the `external_url` property of the configuration file.
-By default, WireGuard Portal listens on port `8888` for HTTP connections. Check the [Security](security.md) section for more information on securing the web UI.
+By default, WireGuard Portal listens on port `8888` for HTTP connections. Check the [Security](security.md) or [Authentication](authentication.md) sections for more information on securing the web UI.
 
 So the default URL to access the web UI is:
 

docs/documentation/usage/ldap.md

@@ -1,37 +0,0 @@
-WireGuard Portal lets you hook up any LDAP server such as Active Directory or OpenLDAP for both authentication and user sync. 
-You can even register multiple LDAP servers side-by-side. When someone logs in via LDAP, their specific provider is remembered, 
-so there's no risk of cross-provider conflicts. Details on the log-in process can be found in the [Security](security.md#ldap-authentication) documentation.
-
-If you enable LDAP synchronization, all users within the LDAP directory will be created automatically in the WireGuard Portal database if they do not exist.
-If a user is disabled or deleted in LDAP, the user will be disabled in WireGuard Portal as well. 
-The synchronization process can be fine-tuned by multiple parameters, which are described below.
-
-## LDAP Synchronization
-
-WireGuard Portal can automatically synchronize users from LDAP to the database. 
-To enable this feature, set the `sync_interval` property in the LDAP provider configuration to a value greater than "0".
-The value is a string representing a duration, such as "15m" for 15 minutes or "1h" for 1 hour (check the [exact format definition](https://pkg.go.dev/time#ParseDuration) for details).
-The synchronization process will run in the background and synchronize users from LDAP to the database at the specified interval.
-Also make sure that the `sync_filter` property is a well-formed LDAP filter, or synchronization will fail.
-
-### Limiting Synchronization to Specific Users
-
-Use the `sync_filter` property in your LDAP provider block to restrict which users get synchronized. 
-It accepts any valid LDAP search filter, only entries matching that filter will be pulled into the portal's database. 
-
-For example, to import only users with a `mail` attribute:
-```yaml
-auth:
-  ldap:
-    - id: ldap
-      # ... other settings
-      sync_filter: (mail=*)
-```
-
-### Disable Missing Users
-
-If you set the `disable_missing` property to `true`, any user that is not found in LDAP during synchronization will be disabled in WireGuard Portal.
-All peers associated with that user will also be disabled.
-
-If you want a user and its peers to be automatically re-enabled once they are found in LDAP again, set the `auto_re_enable` property to `true`.
-This will only re-enable the user if they where disabled by the synchronization process. Manually disabled users will not be re-enabled.

docs/documentation/usage/security.md

@@ -1,153 +1,12 @@
 This section describes the security features available to administrators for hardening WireGuard Portal and protecting its data.
 
-## Authentication
+## Database Encryption
 
-WireGuard Portal supports multiple authentication methods, including:
-
-- Local user accounts
-- LDAP authentication
-- OAuth and OIDC authentication
-- Passkey authentication (WebAuthn)
-
-Users can have two roles which limit their permissions in WireGuard Portal:
-
-- **User**: Can manage their own account and peers.
-- **Admin**: Can manage all users and peers, including the ability to manage WireGuard interfaces.
-
-### Password Security
-
-WireGuard Portal supports username and password authentication for both local and LDAP-backed accounts.
-Local users are stored in the database, while LDAP users are authenticated against an external LDAP server.
-
-On initial startup, WireGuard Portal automatically creates a local admin account with the password `wgportal-default`.
-> :warning: This password must be changed immediately after the first login.
-
-The minimum password length for all local users can be configured in the [`auth`](../configuration/overview.md#auth) 
-section of the configuration file. The default value is **16** characters, see [`min_password_length`](../configuration/overview.md#min_password_length).
-The minimum password length is also enforced for the default admin user.
-
-
-### Passkey (WebAuthn) Authentication
-
-Besides the standard authentication mechanisms, WireGuard Portal supports Passkey authentication.
-This feature is enabled by default and can be configured in the [`webauthn`](../configuration/overview.md#webauthn-passkeys) section of the configuration file.
-
-Users can register multiple Passkeys to their account. These Passkeys can be used to log in to the web UI as long as the user is not locked.
-> :warning: Passkey authentication does not disable password authentication. The password can still be used to log in (e.g., as a fallback).
-
-To register a Passkey, open the settings page *(1)* in the web UI and click on the "Register Passkey" *(2)* button.
-
-![Passkey UI](../../assets/images/passkey_setup.png)
-
-
-### OAuth and OIDC Authentication
-
-WireGuard Portal supports OAuth and OIDC authentication. You can use any OAuth or OIDC provider that supports the authorization code flow, 
-such as Google, GitHub, or Keycloak.
-
-For OAuth or OIDC to work, you need to configure the [`external_url`](../configuration/overview.md#external_url) property in the [`web`](../configuration/overview.md#web) section of the configuration file.
-If you are planning to expose the portal to the internet, make sure that the `external_url` is configured to use HTTPS.
-
-To add OIDC or OAuth authentication to WireGuard Portal, create a Client-ID and Client-Secret in your OAuth provider and 
-configure a new authentication provider in the [`auth`](../configuration/overview.md#auth) section of the configuration file.
-Make sure that each configured provider has a unique `provider_name` property set. Samples can be seen [here](../configuration/examples.md).
-
-#### Limiting Login to Specific Domains
-
-You can limit the login to specific domains by setting the `allowed_domains` property for OAuth or OIDC providers.
-This property is a comma-separated list of domains that are allowed to log in. The user's email address is checked against this list.
-For example, if you want to allow only users with an email address ending in `outlook.com` to log in, set the property as follows:
-
-```yaml
-auth:
-  oidc:
-    - provider_name: "oidc1"
-      # ... other settings
-      allowed_domains:
-        - "outlook.com"
-```
-
-#### Limit Login to Existing Users
-
-You can limit the login to existing users only by setting the `registration_enabled` property to `false` for OAuth or OIDC providers.
-If registration is enabled, new users will be created in the database when they log in for the first time.
-
-#### Admin Mapping
-
-You can map users to admin roles based on their attributes in the OAuth or OIDC provider. To do this, set the `admin_mapping` property for the provider.
-Administrative access can either be mapped by a specific attribute or by group membership.
-
-**Attribute specific mapping** can be achieved by setting the `admin_value_regex` and the `is_admin` property.
-The `admin_value_regex` property is a regular expression that is matched against the value of the `is_admin` attribute.
-The user is granted admin access if the regex matches the attribute value.
-
-Example:
-```yaml
-auth:
-  oidc:
-    - provider_name: "oidc1"
-      # ... other settings
-      field_map:
-        is_admin: "wg_admin_prop"
-      admin_mapping:
-        admin_value_regex: "^true$"
-```
-The example above will grant admin access to users with the `wg_admin_prop` attribute set to `true`.
-
-**Group membership mapping** can be achieved by setting the `admin_group_regex` and `user_groups` property.
-The `admin_group_regex` property is a regular expression that is matched against the group names of the user.
-The user is granted admin access if the regex matches any of the group names.
-
-Example:
-```yaml
-auth:
-  oidc:
-    - provider_name: "oidc1"
-      # ... other settings
-      field_map:
-        user_groups: "groups"
-      admin_mapping:
-        admin_group_regex: "^the-admin-group$"
-```
-The example above will grant admin access to users who are members of the `the-admin-group` group.
-
-
-### LDAP Authentication
-
-WireGuard Portal supports LDAP authentication. You can use any LDAP server that supports the LDAP protocol, such as Active Directory or OpenLDAP.
-Multiple LDAP servers can be configured in the [`auth`](../configuration/overview.md#auth) section of the configuration file. 
-WireGuard Portal remembers the authentication provider of the user and therefore avoids conflicts between multiple LDAP providers.
-
-To configure LDAP authentication, create a new [`ldap`](../configuration/overview.md#ldap) authentication provider in the [`auth`](../configuration/overview.md#auth) section of the configuration file.
-
-#### Limiting Login to Specific Users
-
-You can limit the login to specific users by setting the `login_filter` property for LDAP provider. This filter uses the LDAP search filter syntax.
-The username can be inserted into the query by placing the `{{login_identifier}}` placeholder in the filter. This placeholder will then be replaced with the username entered by the user during login.
-
-For example, if you want to allow only users with the `objectClass` attribute set to `organizationalPerson` to log in, set the property as follows:
-
-```yaml
-auth:
-  ldap:
-    - provider_name: "ldap1"
-      # ... other settings
-      login_filter: "(&(objectClass=organizationalPerson)(uid={{login_identifier}}))"
-```
-
-The `login_filter` should always be designed to return at most one user.
-
-#### Limit Login to Existing Users
-
-You can limit the login to existing users only by setting the `registration_enabled` property to `false` for LDAP providers.
-If registration is enabled, new users will be created in the database when they log in for the first time.
-
-#### Admin Mapping
-
-You can map users to admin roles based on their group membership in the LDAP server. To do this, set the `admin_group` and `memberof` property for the provider.
-The `admin_group` property defines the distinguished name of the group that is allowed to log in as admin. 
-All groups that are listed in the `memberof` attribute of the user will be checked against this group. If one of the groups matches, the user is granted admin access.
+WireGuard Portal supports multiple database backends. To reduce the risk of data exposure, sensitive information stored in the database can be encrypted.
+To enable encryption, set the [`encryption_passphrase`](../configuration/overview.md#database) in the database configuration section.
 
+> :warning: Important: Once encryption is enabled, it cannot be disabled, and the passphrase cannot be changed! 
+> Only new or updated records will be encrypted; existing data remains in plaintext until it’s next modified.
 
 ## UI and API Access
 
@@ -158,3 +17,8 @@ It is recommended to use HTTPS for all communication with the portal to prevent
 
 Event though, WireGuard Portal supports HTTPS out of the box, it is recommended to use a reverse proxy like Nginx or Traefik to handle SSL termination and other security features.
 A detailed explanation is available in the [Reverse Proxy](../getting-started/reverse-proxy.md) section.
+
+### Secure Authentication
+To prevent unauthorized access, WireGuard Portal supports integrating with secure authentication providers such as LDAP, OAuth2, or Passkeys, see [Authentication](./authentication.md) for more details.
+When possible, use centralized authentication and enforce multi-factor authentication (MFA) at the provider level for enhanced account security.
+For local accounts, administrators should enforce strong password requirements.

docs/documentation/usage/user-sync.md

@@ -0,0 +1,46 @@
+For all external authentication providers (LDAP, OIDC, OAuth2), WireGuard Portal can automatically create a local user record upon the user's first successful login.
+This behavior is controlled by the `registration_enabled` setting in each authentication provider's configuration.
+
+User information from external authentication sources is merged into the corresponding local WireGuard Portal user record whenever the user logs in.
+Additionally, WireGuard Portal supports periodic synchronization of user data from an LDAP directory.
+
+To prevent overwriting local changes, WireGuard Portal allows you to set a per-user flag that disables synchronization of external attributes.
+When this flag is set, the user in WireGuard Portal will not be updated automatically during log-ins or LDAP synchronization.
+
+### LDAP Synchronization
+
+WireGuard Portal lets you hook up any LDAP server such as Active Directory or OpenLDAP for both authentication and user sync.
+You can even register multiple LDAP servers side-by-side. Details on the log-in process can be found in the [LDAP Authentication](./authentication.md#ldap-authentication) section.
+
+If you enable LDAP synchronization, all users within the LDAP directory will be created automatically in the WireGuard Portal database if they do not exist.
+If a user is disabled or deleted in LDAP, the user will be disabled in WireGuard Portal as well.
+The synchronization process can be fine-tuned by multiple parameters, which are described below.
+
+#### Synchronization Parameters
+
+To enable the LDAP sycnhronization this feature, set the `sync_interval` property in the LDAP provider configuration to a value greater than "0".
+The value is a string representing a duration, such as "15m" for 15 minutes or "1h" for 1 hour (check the [exact format definition](https://pkg.go.dev/time#ParseDuration) for details).
+The synchronization process will run in the background and synchronize users from LDAP to the database at the specified interval.
+Also make sure that the `sync_filter` property is a well-formed LDAP filter, or synchronization will fail.
+
+##### Limiting Synchronization to Specific Users
+
+Use the `sync_filter` property in your LDAP provider block to restrict which users get synchronized.
+It accepts any valid LDAP search filter, only entries matching that filter will be pulled into the portal's database.
+
+For example, to import only users with a `mail` attribute:
+```yaml
+auth:
+  ldap:
+    - id: ldap
+      # ... other settings
+      sync_filter: (mail=*)
+```
+
+##### Disable Missing Users
+
+If you set the `disable_missing` property to `true`, any user that is not found in LDAP during synchronization will be disabled in WireGuard Portal.
+All peers associated with that user will also be disabled.
+
+If you want a user and its peers to be automatically re-enabled once they are found in LDAP again, set the `auto_re_enable` property to `true`.
+This will only re-enable the user if they were disabled by the synchronization process. Manually disabled users will not be re-enabled.

docs/documentation/usage/webhooks.md

@@ -68,26 +68,32 @@ All payload models are encoded as JSON objects. Fields with empty values might b
 
 #### User Payload (entity: `user`)
 
-| JSON Field     | Type        | Description                       |
-|----------------|-------------|-----------------------------------|
-| CreatedBy      | string      | Creator identifier                |
-| UpdatedBy      | string      | Last updater identifier           |
-| CreatedAt      | time.Time   | Time of creation                  |
-| UpdatedAt      | time.Time   | Time of last update               |
-| Identifier     | string      | Unique user identifier            |
-| Email          | string      | User email                        |
-| Source         | string      | Authentication source             |
-| ProviderName   | string      | Name of auth provider             |
-| IsAdmin        | bool        | Whether user has admin privileges |
-| Firstname      | string      | User's first name (optional)      |
-| Lastname       | string      | User's last name (optional)       |
-| Phone          | string      | Contact phone number (optional)   |
-| Department     | string      | User's department (optional)      |
-| Notes          | string      | Additional notes (optional)       |
-| Disabled       | *time.Time  | When user was disabled            |
-| DisabledReason | string      | Reason for deactivation           |
-| Locked         | *time.Time  | When user account was locked      |
-| LockedReason   | string      | Reason for being locked           |
+| JSON Field     | Type          | Description                       |
+|----------------|---------------|-----------------------------------|
+| CreatedBy      | string        | Creator identifier                |
+| UpdatedBy      | string        | Last updater identifier           |
+| CreatedAt      | time.Time     | Time of creation                  |
+| UpdatedAt      | time.Time     | Time of last update               |
+| Identifier     | string        | Unique user identifier            |
+| Email          | string        | User email                        |
+| AuthSources    | []AuthSource  | Authentication sources            |
+| IsAdmin        | bool          | Whether user has admin privileges |
+| Firstname      | string        | User's first name (optional)      |
+| Lastname       | string        | User's last name (optional)       |
+| Phone          | string        | Contact phone number (optional)   |
+| Department     | string        | User's department (optional)      |
+| Notes          | string        | Additional notes (optional)       |
+| Disabled       | *time.Time    | When user was disabled            |
+| DisabledReason | string        | Reason for deactivation           |
+| Locked         | *time.Time    | When user account was locked      |
+| LockedReason   | string        | Reason for being locked           |
+
+`AuthSource`:
+
+| JSON Field   | Type          | Description                                         |
+|--------------|---------------|-----------------------------------------------------|
+| Source       | string        | The authentication source (e.g. LDAP, OAuth, or DB) |
+| ProviderName | string        | The identifier of the authentication provider       |
 
 
 #### Peer Payload (entity: `peer`)

frontend/src/components/InterfaceEditModal.vue

@@ -83,6 +83,7 @@ watch(() => props.visible, async (newValue, oldValue) => {
           formData.value.Identifier = interfaces.Prepared.Identifier
           formData.value.DisplayName = interfaces.Prepared.DisplayName
           formData.value.Mode = interfaces.Prepared.Mode
+          formData.value.CreateDefaultPeer = interfaces.Prepared.CreateDefaultPeer
           formData.value.Backend = interfaces.Prepared.Backend
 
           formData.value.PublicKey = interfaces.Prepared.PublicKey
@@ -122,6 +123,7 @@ watch(() => props.visible, async (newValue, oldValue) => {
           formData.value.Identifier = selectedInterface.value.Identifier
           formData.value.DisplayName = selectedInterface.value.DisplayName
           formData.value.Mode = selectedInterface.value.Mode
+          formData.value.CreateDefaultPeer = selectedInterface.value.CreateDefaultPeer
           formData.value.Backend = selectedInterface.value.Backend
 
           formData.value.PublicKey = selectedInterface.value.PublicKey
@@ -487,6 +489,10 @@ async function del() {
               <input v-model="formData.Disabled" class="form-check-input" type="checkbox">
               <label class="form-check-label">{{ $t('modals.interface-edit.disabled.label') }}</label>
             </div>
+            <div class="form-check form-switch" v-if="formData.Mode==='server' && settings.Setting('CreateDefaultPeer')">
+              <input v-model="formData.CreateDefaultPeer" class="form-check-input" type="checkbox">
+              <label class="form-check-label">{{ $t('modals.interface-edit.create-default-peer.label') }}</label>
+            </div>
             <div class="form-check form-switch" v-if="formData.Backend==='local'">
               <input v-model="formData.SaveConfig" checked="" class="form-check-input" type="checkbox">
               <label class="form-check-label">{{ $t('modals.interface-edit.save-config.label') }}</label>

frontend/src/components/UserEditModal.vue

@@ -42,7 +42,7 @@ const passwordWeak = computed(() => {
 })
 
 const formValid = computed(() => {
-  if (formData.value.Source !== 'db') {
+  if (!formData.value.AuthSources.some(s => s === 'db')) {
     return true // nothing to validate
   }
   if (props.userId !== '#NEW#' && passwordWeak.value) {
@@ -70,7 +70,7 @@ watch(() => props.visible, async (newValue, oldValue) => {
         } else { // fill existing userdata
           formData.value.Identifier = selectedUser.value.Identifier
           formData.value.Email = selectedUser.value.Email
-          formData.value.Source = selectedUser.value.Source
+          formData.value.AuthSources = selectedUser.value.AuthSources
           formData.value.IsAdmin = selectedUser.value.IsAdmin
           formData.value.Firstname = selectedUser.value.Firstname
           formData.value.Lastname = selectedUser.value.Lastname
@@ -80,6 +80,7 @@ watch(() => props.visible, async (newValue, oldValue) => {
           formData.value.Password = ""
           formData.value.Disabled = selectedUser.value.Disabled
           formData.value.Locked = selectedUser.value.Locked
+          formData.value.PersistLocalChanges = selectedUser.value.PersistLocalChanges
         }
       }
     }
@@ -133,7 +134,7 @@ async function del() {
 <template>
   <Modal :title="title" :visible="visible" @close="close">
     <template #default>
-      <fieldset v-if="formData.Source==='db'">
+      <fieldset>
         <legend class="mt-4">{{ $t('modals.user-edit.header-general') }}</legend>
         <div v-if="props.userId==='#NEW#'" class="form-group">
           <label class="form-label mt-4">{{ $t('modals.user-edit.identifier.label') }}</label>
@@ -141,16 +142,22 @@ async function del() {
         </div>
         <div class="form-group">
           <label class="form-label mt-4">{{ $t('modals.user-edit.source.label') }}</label>
-          <input v-model="formData.Source" class="form-control" disabled="disabled" :placeholder="$t('modals.user-edit.source.placeholder')" type="text">
+          <input v-model="formData.AuthSources" class="form-control" disabled="disabled" :placeholder="$t('modals.user-edit.source.placeholder')" type="text">
         </div>
-        <div v-if="formData.Source==='db'" class="form-group">
+        <div class="form-group" v-if="formData.AuthSources.some(s => s ==='db')">
           <label class="form-label mt-4">{{ $t('modals.user-edit.password.label') }}</label>
           <input v-model="formData.Password" aria-describedby="passwordHelp" class="form-control" :class="{ 'is-invalid': passwordWeak,  'is-valid': formData.Password !== '' && !passwordWeak }" :placeholder="$t('modals.user-edit.password.placeholder')" type="password">
           <div class="invalid-feedback">{{ $t('modals.user-edit.password.too-weak') }}</div>
           <small v-if="props.userId!=='#NEW#'" id="passwordHelp" class="form-text text-muted">{{ $t('modals.user-edit.password.description') }}</small>
         </div>
       </fieldset>
-      <fieldset v-if="formData.Source==='db'">
+      <fieldset v-if="formData.AuthSources.some(s => s !=='db') && !formData.PersistLocalChanges">
+        <legend class="mt-4">{{ $t('modals.user-edit.header-personal') }}</legend>
+        <div class="alert alert-warning mt-3">
+          {{ $t('modals.user-edit.sync-warning') }}
+        </div>
+      </fieldset>
+      <fieldset v-if="!formData.AuthSources.some(s => s !=='db') || formData.PersistLocalChanges">
         <legend class="mt-4">{{ $t('modals.user-edit.header-personal') }}</legend>
         <div class="form-group">
           <label class="form-label mt-4">{{ $t('modals.user-edit.email.label') }}</label>
@@ -194,10 +201,14 @@ async function del() {
           <input v-model="formData.Locked" class="form-check-input" type="checkbox">
           <label class="form-check-label" >{{ $t('modals.user-edit.locked.label') }}</label>
         </div>
-        <div class="form-check form-switch" v-if="formData.Source==='db'">
+        <div class="form-check form-switch" v-if="!formData.AuthSources.some(s => s !=='db') || formData.PersistLocalChanges">
           <input v-model="formData.IsAdmin" checked="" class="form-check-input" type="checkbox">
           <label class="form-check-label">{{ $t('modals.user-edit.admin.label') }}</label>
         </div>
+        <div class="form-check form-switch" v-if="formData.AuthSources.some(s => s !=='db')">
+          <input v-model="formData.PersistLocalChanges" class="form-check-input" type="checkbox">
+          <label class="form-check-label" >{{ $t('modals.user-edit.persist-local-changes.label') }}</label>
+        </div>
       </fieldset>
 
     </template>

frontend/src/helpers/encoding.js

@@ -1,7 +1,7 @@
 export function base64_url_encode(input) {
   let output = btoa(input)
-  output = output.replace('+', '.')
-  output = output.replace('/', '_')
-  output = output.replace('=', '-')
+  output = output.replaceAll('+', '.')
+  output = output.replaceAll('/', '_')
+  output = output.replaceAll('=', '-')
   return output
 }

frontend/src/helpers/models.js

@@ -4,6 +4,7 @@ export function freshInterface() {
     Disabled: false,
     DisplayName: "",
     Identifier: "",
+    CreateDefaultPeer: false,
     Mode: "server",
     Backend: "local",
 
@@ -136,7 +137,7 @@ export function freshUser() {
     Identifier: "",
 
     Email: "",
-    Source: "db",
+    AuthSources: ["db"],
     IsAdmin: false,
 
     Firstname: "",
@@ -154,6 +155,8 @@ export function freshUser() {
 
     ApiEnabled: false,
 
+    PersistLocalChanges: false,
+
     PeerCount: 0,
 
     // Internal values

frontend/src/helpers/websocket-wrapper.js

@@ -0,0 +1,86 @@
+import { peerStore } from '@/stores/peers';
+import { interfaceStore } from '@/stores/interfaces';
+import { authStore } from '@/stores/auth';
+
+let socket = null;
+let reconnectTimer = null;
+let failureCount = 0;
+
+export const websocketWrapper = {
+    connect() {
+        if (socket) {
+            console.log('WebSocket already connected, re-using existing connection.');
+            return;
+        }
+
+        const protocol = WGPORTAL_BACKEND_BASE_URL.startsWith('https://') ? 'wss://' : 'ws://';
+        const baseUrl = WGPORTAL_BACKEND_BASE_URL.replace(/^https?:\/\//, '');
+        const url = `${protocol}${baseUrl}/ws`;
+
+        socket = new WebSocket(url);
+
+        socket.onopen = () => {
+            console.log('WebSocket connected');
+            failureCount = 0;
+            if (reconnectTimer) {
+                clearInterval(reconnectTimer);
+                reconnectTimer = null;
+            }
+        };
+
+        socket.onclose = () => {
+            console.log('WebSocket disconnected');
+            failureCount++;
+            socket = null;
+            this.scheduleReconnect();
+        };
+
+        socket.onerror = (error) => {
+            console.error('WebSocket error:', error);
+            failureCount++;
+            socket.close();
+            socket = null;
+        };
+
+        socket.onmessage = (event) => {
+            const message = JSON.parse(event.data);
+            switch (message.type) {
+                case 'peer_stats':
+                    peerStore().updatePeerTrafficStats(message.data);
+                    break;
+                case 'interface_stats':
+                    interfaceStore().updateInterfaceTrafficStats(message.data);
+                    break;
+            }
+        };
+    },
+
+    disconnect() {
+        if (socket) {
+            socket.close();
+            socket = null;
+        }
+        if (reconnectTimer) {
+            clearInterval(reconnectTimer);
+            reconnectTimer = null;
+            failureCount = 0;
+        }
+    },
+
+    scheduleReconnect() {
+        if (reconnectTimer) return;
+        if (!authStore().IsAuthenticated) return; // Don't reconnect if not logged in
+
+        reconnectTimer = setInterval(() => {
+            if (failureCount > 2) {
+                console.log('WebSocket connection unavailable, giving up.');
+                clearInterval(reconnectTimer);
+                reconnectTimer = null;
+                return;
+            }
+
+            console.log('Attempting to reconnect WebSocket...');
+            this.connect();
+        }, 5000);
+    }
+};

frontend/src/lang/translations/de.json

@@ -147,7 +147,7 @@
       "email": "E-Mail",
       "firstname": "Vorname",
       "lastname": "Nachname",
-      "source": "Quelle",
+      "sources": "Quellen",
       "peers": "Peers",
       "admin": "Admin"
     },
@@ -378,7 +378,11 @@
       },
       "admin": {
         "label": "Ist Administrator"
-      }
+      },
+      "persist-local-changes": {
+        "label": "Lokale Änderungen speichern"
+      },
+      "sync-warning": "Um diesen synchronisierten Benutzer zu bearbeiten, aktivieren Sie die lokale Änderungsspeicherung. Andernfalls werden Ihre Änderungen bei der nächsten Synchronisierung überschrieben."
     },
     "interface-view": {
       "headline": "Konfiguration für Schnittstelle:"
@@ -469,6 +473,9 @@
       "disabled": {
         "label": "Schnittstelle deaktiviert"
       },
+      "create-default-peer": {
+        "label": "Peer für neue Benutzer automatisch erstellen"
+      },
       "save-config": {
         "label": "wg-quick Konfiguration automatisch speichern"
       },

frontend/src/lang/translations/en.json

@@ -147,7 +147,7 @@
       "email": "E-Mail",
       "firstname": "Firstname",
       "lastname": "Lastname",
-      "source": "Source",
+      "sources": "Sources",
       "peers": "Peers",
       "admin": "Admin"
     },
@@ -378,7 +378,11 @@
       },
       "admin": {
         "label": "Is Admin"
-      }
+      },
+      "persist-local-changes": {
+        "label": "Persist local changes"
+      },
+      "sync-warning": "To modify this synchronized user, enable local change persistence. Otherwise, your changes will be overwritten during the next synchronization."
     },
     "interface-view": {
       "headline": "Config for Interface:"
@@ -469,6 +473,9 @@
       "disabled": {
         "label": "Interface Disabled"
       },
+      "create-default-peer": {
+        "label": "Create default peer for new users"
+      },
       "save-config": {
         "label": "Automatically save wg-quick config"
       },

frontend/src/lang/translations/es.json

@@ -162,7 +162,7 @@
       "email": "Correo electrónico",
       "firstname": "Nombre",
       "lastname": "Apellido",
-      "source": "Origen",
+      "sources": "Origen",
       "peers": "Peers",
       "admin": "Administrador"
     },

frontend/src/lang/translations/fr.json

@@ -137,7 +137,7 @@
       "email": "E-mail",
       "firstname": "Prénom",
       "lastname": "Nom",
-      "source": "Source",
+      "sources": "Sources",
       "peers": "Pairs",
       "admin": "Admin"
     },

frontend/src/lang/translations/ko.json

@@ -136,7 +136,7 @@
         "email": "이메일",
         "firstname": "이름",
         "lastname": "성",
-        "source": "소스",
+        "sources": "소스",
         "peers": "피어",
         "admin": "관리자"
       },

frontend/src/lang/translations/pt.json

@@ -137,7 +137,7 @@
       "email": "E-Mail",
       "firstname": "Primeiro Nome",
       "lastname": "Último Nome",
-      "source": "Fonte",
+      "sources": "Fonte",
       "peers": "Peers",
       "admin": "Administrador"
     },

frontend/src/lang/translations/ru.json

@@ -143,7 +143,7 @@
       "email": "Электронная почта",
       "firstname": "Имя",
       "lastname": "Фамилия",
-      "source": "Источник",
+      "sources": "Источник",
       "peers": "Пиры",
       "admin": "Админ"
     },

frontend/src/lang/translations/uk.json

@@ -135,7 +135,7 @@
       "email": "E-Mail",
       "firstname": "Ім'я",
       "lastname": "Прізвище",
-      "source": "Джерело",
+      "sources": "Джерело",
       "peers": "Піри",
       "admin": "Адміністратор"
     },

frontend/src/lang/translations/vi.json

@@ -134,7 +134,7 @@
       "email": "E-Mail",
       "firstname": "Tên",
       "lastname": "Họ",
-      "source": "Nguồn",
+      "sources": "Nguồn",
       "peers": "Peers",
       "admin": "Quản trị viên"
     },

frontend/src/lang/translations/zh.json

@@ -134,7 +134,7 @@
         "email": "电子邮件",
         "firstname": "名",
         "lastname": "姓",
-        "source": "来源",
+        "sources": "来源",
         "peers": "节点",
         "admin": "管理员"
       },

frontend/src/stores/auth.js

@@ -2,6 +2,7 @@ import { defineStore } from 'pinia'
 
 import { notify } from "@kyvg/vue3-notification";
 import { apiWrapper } from '@/helpers/fetch-wrapper'
+import { websocketWrapper } from '@/helpers/websocket-wrapper'
 import router from '../router'
 import { browserSupportsWebAuthn,startRegistration,startAuthentication } from '@simplewebauthn/browser';
 import {base64_url_encode} from "@/helpers/encoding";
@@ -295,9 +296,11 @@ export const authStore = defineStore('auth',{
                     }
                 }
                 localStorage.setItem('user', JSON.stringify(this.user))
+                websocketWrapper.connect()
             } else {
                 this.user = null
                 localStorage.removeItem('user')
+                websocketWrapper.disconnect()
             }
         },
         setWebAuthnCredentials(credentials) {

frontend/src/stores/interfaces.js

@@ -14,6 +14,7 @@ export const interfaceStore = defineStore('interfaces', {
     configuration: "",
     selected: "",
     fetching: false,
+    trafficStats: {},
   }),
   getters: {
     Count: (state) => state.interfaces.length,
@@ -24,6 +25,9 @@ export const interfaceStore = defineStore('interfaces', {
     },
     GetSelected: (state) => state.interfaces.find((i) => i.Identifier === state.selected) || state.interfaces[0],
     isFetching: (state) => state.fetching,
+    TrafficStats: (state) => {
+      return (state.selected in state.trafficStats) ? state.trafficStats[state.selected] : { Received: 0, Transmitted: 0 }
+    },
   },
   actions: {
     setInterfaces(interfaces) {
@@ -34,6 +38,14 @@ export const interfaceStore = defineStore('interfaces', {
         this.selected = ""
       }
       this.fetching = false
+      this.trafficStats = {}
+    },
+    updateInterfaceTrafficStats(interfaceStats) {
+      const id = interfaceStats.EntityId;
+      this.trafficStats[id] = {
+        Received: interfaceStats.BytesReceived,
+        Transmitted: interfaceStats.BytesTransmitted,
+      };
     },
     async LoadInterfaces() {
       this.fetching = true

frontend/src/stores/peers.js

@@ -23,6 +23,7 @@ export const peerStore = defineStore('peers', {
     fetching: false,
     sortKey: 'IsConnected', // Default sort key
     sortOrder: -1, // 1 for ascending, -1 for descending
+    trafficStats: {},
   }),
   getters: {
     Find: (state) => {
@@ -76,6 +77,9 @@ export const peerStore = defineStore('peers', {
     Statistics: (state) => {
       return (id) => state.statsEnabled && (id in state.stats) ? state.stats[id] : freshStats()
     },
+    TrafficStats: (state) => {
+      return (id) => (id in state.trafficStats) ? state.trafficStats[id] : { Received: 0, Transmitted: 0 }
+    },
     hasStatistics: (state) => state.statsEnabled,
 
   },
@@ -111,6 +115,7 @@ export const peerStore = defineStore('peers', {
       this.peers = peers
       this.calculatePages()
       this.fetching = false
+      this.trafficStats = {}
     },
     setPeer(peer) {
       this.peer = peer
@@ -126,11 +131,19 @@ export const peerStore = defineStore('peers', {
       if (!statsResponse) {
         this.stats = {}
         this.statsEnabled = false
+        this.trafficStats = {}
       } else {
           this.stats = statsResponse.Stats
           this.statsEnabled = statsResponse.Enabled
       }
     },
+    updatePeerTrafficStats(peerStats) {
+      const id = peerStats.EntityId;
+      this.trafficStats[id] = {
+        Received: peerStats.BytesReceived,
+        Transmitted: peerStats.BytesTransmitted,
+      };
+    },
     async Reset() {
       this.setPeers([])
       this.setStats(undefined)

frontend/src/views/InterfaceView.vue

@@ -210,6 +210,12 @@ onMounted(async () => {
             <div class="col-12 col-lg-8">
               {{ $t('interfaces.interface.headline') }} <strong>{{interfaces.GetSelected.Identifier}}</strong> ({{ $t('modals.interface-edit.mode.' + interfaces.GetSelected.Mode )}} | {{ $t('interfaces.interface.backend') + ": " + calculateBackendName }}<span v-if="!isBackendValid" :title="t('interfaces.interface.wrong-backend')" class="ms-1 me-1"><i class="fa-solid fa-triangle-exclamation"></i></span>)
               <span v-if="interfaces.GetSelected.Disabled" class="text-danger"><i class="fa fa-circle-xmark" :title="interfaces.GetSelected.DisabledReason"></i></span>
+              <div v-if="interfaces.GetSelected && (interfaces.TrafficStats.Received > 0 || interfaces.TrafficStats.Transmitted > 0)" class="mt-2">
+                <small class="text-muted">
+                  Traffic: <i class="fa-solid fa-arrow-down me-1"></i>{{ humanFileSize(interfaces.TrafficStats.Received) }}/s
+                    <i class="fa-solid fa-arrow-up ms-1 me-1"></i>{{ humanFileSize(interfaces.TrafficStats.Transmitted) }}/s
+                </small>
+              </div>
             </div>
             <div class="col-12 col-lg-4 text-lg-end">
               <a class="btn-link" href="#" :title="$t('interfaces.interface.button-show-config')" @click.prevent="viewedInterfaceId=interfaces.GetSelected.Identifier"><i class="fas fa-eye"></i></a>
@@ -451,14 +457,19 @@ onMounted(async () => {
           <td v-if="interfaces.GetSelected.Mode==='client'">{{peer.Endpoint.Value}}</td>
           <td v-if="peers.hasStatistics">
             <div v-if="peers.Statistics(peer.Identifier).IsConnected">
-              <span class="badge rounded-pill bg-success" :title="$t('interfaces.peer-connected')"><i class="fa-solid fa-link"></i></span> <span :title="$t('interfaces.peer-handshake') + ' ' + peers.Statistics(peer.Identifier).LastHandshake">{{ $t('interfaces.peer-connected') }}</span>
+              <span class="badge rounded-pill bg-success" :title="$t('interfaces.peer-connected')"><i class="fa-solid fa-link"></i></span> <small class="text-muted" :title="$t('interfaces.peer-handshake') + ' ' + peers.Statistics(peer.Identifier).LastHandshake"><i class="fa-solid fa-circle-info"></i></small>
             </div>
             <div v-else>
               <span class="badge rounded-pill bg-light" :title="$t('interfaces.peer-not-connected')"><i class="fa-solid fa-link-slash"></i></span>
             </div>
           </td>
           <td v-if="peers.hasStatistics" >
-            <span class="text-center" >{{ humanFileSize(peers.Statistics(peer.Identifier).BytesReceived) }} / {{ humanFileSize(peers.Statistics(peer.Identifier).BytesTransmitted) }}</span>
+            <div class="d-flex flex-column">
+              <span :title="humanFileSize(peers.Statistics(peer.Identifier).BytesReceived) + ' / ' + humanFileSize(peers.Statistics(peer.Identifier).BytesTransmitted)">
+                <i class="fa-solid fa-arrow-down me-1"></i>{{ humanFileSize(peers.TrafficStats(peer.Identifier).Received) }}/s
+                <i class="fa-solid fa-arrow-up ms-1 me-1"></i>{{ humanFileSize(peers.TrafficStats(peer.Identifier).Transmitted) }}/s
+              </span>
+            </div>
           </td>
           <td class="text-center">
             <a href="#" :title="$t('interfaces.button-show-peer')" @click.prevent="viewedPeerId=peer.Identifier"><i class="fas fa-eye me-2"></i></a>

frontend/src/views/UserView.vue

@@ -131,7 +131,7 @@ onMounted(() => {
           <th scope="col">{{ $t('users.table-heading.email') }}</th>
           <th scope="col">{{ $t('users.table-heading.firstname') }}</th>
           <th scope="col">{{ $t('users.table-heading.lastname') }}</th>
-          <th class="text-center" scope="col">{{ $t('users.table-heading.source') }}</th>
+          <th class="text-center" scope="col">{{ $t('users.table-heading.sources') }}</th>
           <th class="text-center" scope="col">{{ $t('users.table-heading.peers') }}</th>
           <th class="text-center" scope="col">{{ $t('users.table-heading.admin') }}</th>
           <th scope="col"></th><!-- Actions -->
@@ -150,7 +150,7 @@ onMounted(() => {
           <td>{{user.Email}}</td>
           <td>{{user.Firstname}}</td>
           <td>{{user.Lastname}}</td>
-          <td class="text-center"><span class="badge rounded-pill bg-light">{{user.Source}}</span></td>
+          <td><span class="badge bg-light me-1" v-for="src in user.AuthSources" :key="src">{{src}}</span></td>
           <td class="text-center">{{user.PeerCount}}</td>
           <td class="text-center">
             <span v-if="user.IsAdmin" class="text-danger" :title="$t('users.admin')"><i class="fa fa-check-circle"></i></span>

go.mod

@@ -9,9 +9,10 @@ require (
 	github.com/glebarez/sqlite v1.11.0
 	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/go-pkgz/routegroup v1.6.0
-	github.com/go-playground/validator/v10 v10.28.0
+	github.com/go-playground/validator/v10 v10.30.1
 	github.com/go-webauthn/webauthn v0.15.0
 	github.com/google/uuid v1.6.0
+	github.com/gorilla/websocket v1.5.3
 	github.com/prometheus-community/pro-bing v0.7.0
 	github.com/prometheus/client_golang v1.23.2
 	github.com/stretchr/testify v1.11.1
@@ -21,9 +22,9 @@ require (
 	github.com/xhit/go-simple-mail/v2 v2.16.0
 	github.com/yeqown/go-qrcode/v2 v2.2.5
 	github.com/yeqown/go-qrcode/writer/compressed v1.0.1
-	golang.org/x/crypto v0.46.0
+	golang.org/x/crypto v0.47.0
 	golang.org/x/oauth2 v0.34.0
-	golang.org/x/sys v0.39.0
+	golang.org/x/sys v0.40.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.6.0
@@ -41,7 +42,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.11 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
 	github.com/glebarez/go-sqlite v1.22.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
 	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
@@ -96,7 +97,7 @@ require (
 	golang.org/x/mod v0.31.0 // indirect
 	golang.org/x/net v0.48.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/text v0.32.0 // indirect
+	golang.org/x/text v0.33.0 // indirect
 	golang.org/x/tools v0.40.0 // indirect
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb // indirect
 	google.golang.org/protobuf v1.36.10 // indirect

go.sum

@@ -50,8 +50,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
 github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/gabriel-vasile/mimetype v1.4.11 h1:AQvxbp830wPhHTqc1u7nzoLT+ZFxGY7emj5DR5DYFik=
-github.com/gabriel-vasile/mimetype v1.4.11/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
+github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
 github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
 github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
@@ -97,8 +97,8 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.28.0 h1:Q7ibns33JjyW48gHkuFT91qX48KG0ktULL6FgHdG688=
-github.com/go-playground/validator/v10 v10.28.0/go.mod h1:GoI6I1SjPBh9p7ykNE/yj3fFYbyDOpwMn5KXd+m2hUU=
+github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
+github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
 github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
@@ -130,6 +130,8 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
+github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
+github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
@@ -270,8 +272,8 @@ golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOM
 golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
-golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
+golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
 golang.org/x/exp v0.0.0-20251209150349-8475f28825e9 h1:MDfG8Cvcqlt9XXrmEiD4epKn7VJHZO84hejP9Jmp0MM=
 golang.org/x/exp v0.0.0-20251209150349-8475f28825e9/go.mod h1:EPRbTFwzwjXj9NpYyyrvenVh9Y+GFeEvMNh7Xuz7xgU=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -332,8 +334,8 @@ golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
+golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -362,8 +364,8 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
-golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
+golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=

internal/adapters/database.go

@@ -23,9 +23,6 @@ import (
 	"github.com/h44z/wg-portal/internal/domain"
 )
 
-// SchemaVersion describes the current database schema version. It must be incremented if a manual migration is needed.
-var SchemaVersion uint64 = 1
-
 // SysStat stores the current database schema version and the timestamp when it was applied.
 type SysStat struct {
 	MigratedAt    time.Time `gorm:"column:migrated_at"`
@@ -179,13 +176,15 @@ func NewDatabase(cfg config.DatabaseConfig) (*gorm.DB, error) {
 // SqlRepo is a SQL database repository implementation.
 // Currently, it supports MySQL, SQLite, Microsoft SQL and Postgresql database systems.
 type SqlRepo struct {
-	db *gorm.DB
+	db  *gorm.DB
+	cfg *config.Config
 }
 
 // NewSqlRepository creates a new SqlRepo instance.
-func NewSqlRepository(db *gorm.DB) (*SqlRepo, error) {
+func NewSqlRepository(db *gorm.DB, cfg *config.Config) (*SqlRepo, error) {
 	repo := &SqlRepo{
-		db: db,
+		db:  db,
+		cfg: cfg,
 	}
 
 	if err := repo.preCheck(); err != nil {
@@ -223,6 +222,8 @@ func (r *SqlRepo) preCheck() error {
 func (r *SqlRepo) migrate() error {
 	slog.Debug("running migration: sys-stat", "result", r.db.AutoMigrate(&SysStat{}))
 	slog.Debug("running migration: user", "result", r.db.AutoMigrate(&domain.User{}))
+	slog.Debug("running migration: user authentications", "result",
+		r.db.AutoMigrate(&domain.UserAuthentication{}))
 	slog.Debug("running migration: user webauthn credentials", "result",
 		r.db.AutoMigrate(&domain.UserWebauthnCredential{}))
 	slog.Debug("running migration: interface", "result", r.db.AutoMigrate(&domain.Interface{}))
@@ -232,16 +233,88 @@ func (r *SqlRepo) migrate() error {
 	slog.Debug("running migration: audit data", "result", r.db.AutoMigrate(&domain.AuditEntry{}))
 
 	existingSysStat := SysStat{}
-	r.db.Where("schema_version = ?", SchemaVersion).First(&existingSysStat)
+	r.db.Order("schema_version desc").First(&existingSysStat) // get latest version
+
+	// Migration: 0 --> 1
 	if existingSysStat.SchemaVersion == 0 {
+		const schemaVersion = 1
 		sysStat := SysStat{
 			MigratedAt:    time.Now(),
-			SchemaVersion: SchemaVersion,
+			SchemaVersion: schemaVersion,
 		}
 		if err := r.db.Create(&sysStat).Error; err != nil {
-			return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", SchemaVersion, err)
+			return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
 		}
-		slog.Debug("sys-stat entry written", "schema_version", SchemaVersion)
+		slog.Debug("sys-stat entry written", "schema_version", schemaVersion)
+		existingSysStat = sysStat // ensure that follow-up checks test against the latest version
+	}
+
+	// Migration: 1 --> 2
+	if existingSysStat.SchemaVersion == 1 {
+		const schemaVersion = 2
+		// Preserve existing behavior for installations that had default-peer-creation enabled.
+		if r.cfg.Core.CreateDefaultPeer {
+			err := r.db.Model(&domain.Interface{}).
+				Where("type = ?", domain.InterfaceTypeServer).
+				Update("create_default_peer", true).Error
+			if err != nil {
+				return fmt.Errorf("failed to migrate interface flags for schema version %d: %w", schemaVersion, err)
+			}
+			slog.Debug("migrated interface create_default_peer flags", "schema_version", schemaVersion)
+		}
+		sysStat := SysStat{
+			MigratedAt:    time.Now(),
+			SchemaVersion: schemaVersion,
+		}
+		if err := r.db.Create(&sysStat).Error; err != nil {
+			return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
+		}
+		existingSysStat = sysStat // ensure that follow-up checks test against the latest version
+	}
+
+	// Migration: 2 --> 3
+	if existingSysStat.SchemaVersion == 2 {
+		const schemaVersion = 3
+		// Migration to multi-auth
+		err := r.db.Transaction(func(tx *gorm.DB) error {
+			var users []domain.User
+			if err := tx.Find(&users).Error; err != nil {
+				return err
+			}
+
+			now := time.Now()
+			for _, user := range users {
+				auth := domain.UserAuthentication{
+					BaseModel: domain.BaseModel{
+						CreatedBy: domain.CtxSystemDBMigrator,
+						UpdatedBy: domain.CtxSystemDBMigrator,
+						CreatedAt: now,
+						UpdatedAt: now,
+					},
+					UserIdentifier: user.Identifier,
+					Source:         user.Source,
+					ProviderName:   user.ProviderName,
+				}
+				if err := tx.Create(&auth).Error; err != nil {
+					return err
+				}
+			}
+
+			slog.Debug("migrated users to multi-auth model", "schema_version", schemaVersion)
+
+			return nil
+		})
+		if err != nil {
+			return fmt.Errorf("failed to migrate to multi-auth: %w", err)
+		}
+		sysStat := SysStat{
+			MigratedAt:    time.Now(),
+			SchemaVersion: schemaVersion,
+		}
+		if err := r.db.Create(&sysStat).Error; err != nil {
+			return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
+		}
+		existingSysStat = sysStat // ensure that follow-up checks test against the latest version
 	}
 
 	return nil
@@ -751,7 +824,7 @@ func (r *SqlRepo) GetUsedIpsPerSubnet(ctx context.Context, subnets []domain.Cidr
 func (r *SqlRepo) GetUser(ctx context.Context, id domain.UserIdentifier) (*domain.User, error) {
 	var user domain.User
 
-	err := r.db.WithContext(ctx).Preload("WebAuthnCredentialList").First(&user, id).Error
+	err := r.db.WithContext(ctx).Preload("WebAuthnCredentialList").Preload("Authentications").First(&user, id).Error
 
 	if err != nil && errors.Is(err, gorm.ErrRecordNotFound) {
 		return nil, domain.ErrNotFound
@@ -769,7 +842,8 @@ func (r *SqlRepo) GetUser(ctx context.Context, id domain.UserIdentifier) (*domai
 func (r *SqlRepo) GetUserByEmail(ctx context.Context, email string) (*domain.User, error) {
 	var users []domain.User
 
-	err := r.db.WithContext(ctx).Where("email = ?", email).Preload("WebAuthnCredentialList").Find(&users).Error
+	err := r.db.WithContext(ctx).Where("email = ?",
+		email).Preload("WebAuthnCredentialList").Preload("Authentications").Find(&users).Error
 	if err != nil && errors.Is(err, gorm.ErrRecordNotFound) {
 		return nil, domain.ErrNotFound
 	}
@@ -809,7 +883,7 @@ func (r *SqlRepo) GetUserByWebAuthnCredential(ctx context.Context, credentialIdB
 func (r *SqlRepo) GetAllUsers(ctx context.Context) ([]domain.User, error) {
 	var users []domain.User
 
-	err := r.db.WithContext(ctx).Preload("WebAuthnCredentialList").Find(&users).Error
+	err := r.db.WithContext(ctx).Preload("WebAuthnCredentialList").Preload("Authentications").Find(&users).Error
 	if err != nil {
 		return nil, err
 	}
@@ -829,6 +903,7 @@ func (r *SqlRepo) FindUsers(ctx context.Context, search string) ([]domain.User,
 		Or("lastname LIKE ?", searchValue).
 		Or("email LIKE ?", searchValue).
 		Preload("WebAuthnCredentialList").
+		Preload("Authentications").
 		Find(&users).Error
 	if err != nil {
 		return nil, err
@@ -888,7 +963,17 @@ func (r *SqlRepo) getOrCreateUser(ui *domain.ContextUserInfo, tx *gorm.DB, id do
 ) {
 	var user domain.User
 
-	// userDefaults will be applied to newly created user records
+	result := tx.Model(&user).Preload("WebAuthnCredentialList").Preload("Authentications").Find(&user, id)
+	if result.Error != nil {
+		if !errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return nil, result.Error
+		}
+	}
+	if result.Error == nil && result.RowsAffected > 0 {
+		return &user, nil
+	}
+
+	// create a new user record if no user record exists yet
 	userDefaults := domain.User{
 		BaseModel: domain.BaseModel{
 			CreatedBy: ui.UserId(),
@@ -897,16 +982,15 @@ func (r *SqlRepo) getOrCreateUser(ui *domain.ContextUserInfo, tx *gorm.DB, id do
 			UpdatedAt: time.Now(),
 		},
 		Identifier: id,
-		Source:     domain.UserSourceDatabase,
 		IsAdmin:    false,
 	}
 
-	err := tx.Attrs(userDefaults).FirstOrCreate(&user, id).Error
+	err := tx.Create(&userDefaults).Error
 	if err != nil {
 		return nil, err
 	}
 
-	return &user, nil
+	return &userDefaults, nil
 }
 
 func (r *SqlRepo) upsertUser(ui *domain.ContextUserInfo, tx *gorm.DB, user *domain.User) error {
@@ -923,6 +1007,11 @@ func (r *SqlRepo) upsertUser(ui *domain.ContextUserInfo, tx *gorm.DB, user *doma
 		return fmt.Errorf("failed to update users webauthn credentials: %w", err)
 	}
 
+	err = tx.Session(&gorm.Session{FullSaveAssociations: true}).Unscoped().Model(user).Association("Authentications").Unscoped().Replace(user.Authentications)
+	if err != nil {
+		return fmt.Errorf("failed to update users authentications: %w", err)
+	}
+
 	return nil
 }
 

internal/adapters/wgcontroller/local.go

@@ -626,7 +626,7 @@ func (c LocalController) exec(command string, interfaceId domain.InterfaceIdenti
 	if err != nil {
 		slog.Warn("failed to executed shell command",
 			"command", commandWithInterfaceName, "stdin", stdin, "output", string(out), "error", err)
-		return fmt.Errorf("failed to exexute shell command %s: %w", commandWithInterfaceName, err)
+		return fmt.Errorf("failed to execute shell command %s: %w", commandWithInterfaceName, err)
 	}
 	slog.Debug("executed shell command",
 		"command", commandWithInterfaceName,

internal/app/api/core/assets/doc/v0_swagger.json

@@ -2676,6 +2676,12 @@
                 "ApiTokenCreated": {
                     "type": "string"
                 },
+                "AuthSources": {
+                    "type": "array",
+                    "items": {
+                        "type": "string"
+                    }
+                },
                 "Department": {
                     "type": "string"
                 },
@@ -2719,14 +2725,11 @@
                 "PeerCount": {
                     "type": "integer"
                 },
+                "PersistLocalChanges": {
+                    "type": "boolean"
+                },
                 "Phone": {
                     "type": "string"
-                },
-                "ProviderName": {
-                    "type": "string"
-                },
-                "Source": {
-                    "type": "string"
                 }
             }
         },

internal/app/api/core/assets/doc/v0_swagger.yaml

@@ -431,6 +431,10 @@ definitions:
         type: string
       ApiTokenCreated:
         type: string
+      AuthSources:
+        items:
+          type: string
+        type: array
       Department:
         type: string
       Disabled:
@@ -461,12 +465,10 @@ definitions:
         type: string
       PeerCount:
         type: integer
+      PersistLocalChanges:
+        type: boolean
       Phone:
         type: string
-      ProviderName:
-        type: string
-      Source:
-        type: string
     type: object
   model.WebAuthnCredentialRequest:
     properties:

internal/app/api/core/assets/doc/v1_swagger.json

@@ -2132,6 +2132,22 @@
                     "minLength": 32,
                     "example": ""
                 },
+                "AuthSources": {
+                    "description": "The source of the user. This field is optional.",
+                    "type": "array",
+                    "items": {
+                        "type": "string",
+                        "enum": [
+                            "db",
+                            "ldap",
+                            "oauth"
+                        ]
+                    },
+                    "readOnly": true,
+                    "example": [
+                        "db"
+                    ]
+                },
                 "Department": {
                     "description": "The department of the user. This field is optional.",
                     "type": "string",
@@ -2205,22 +2221,6 @@
                     "description": "The phone number of the user. This field is optional.",
                     "type": "string",
                     "example": "+1234546789"
-                },
-                "ProviderName": {
-                    "description": "The name of the authentication provider. This field is read-only.",
-                    "type": "string",
-                    "readOnly": true,
-                    "example": ""
-                },
-                "Source": {
-                    "description": "The source of the user. This field is optional.",
-                    "type": "string",
-                    "enum": [
-                        "db",
-                        "ldap",
-                        "oauth"
-                    ],
-                    "example": "db"
                 }
             }
         },

internal/app/api/core/assets/doc/v1_swagger.yaml

@@ -490,6 +490,18 @@ definitions:
         maxLength: 64
         minLength: 32
         type: string
+      AuthSources:
+        description: The source of the user. This field is optional.
+        example:
+        - db
+        items:
+          enum:
+          - db
+          - ldap
+          - oauth
+          type: string
+        readOnly: true
+        type: array
       Department:
         description: The department of the user. This field is optional.
         example: Software Development
@@ -552,19 +564,6 @@ definitions:
         description: The phone number of the user. This field is optional.
         example: "+1234546789"
         type: string
-      ProviderName:
-        description: The name of the authentication provider. This field is read-only.
-        example: ""
-        readOnly: true
-        type: string
-      Source:
-        description: The source of the user. This field is optional.
-        enum:
-        - db
-        - ldap
-        - oauth
-        example: db
-        type: string
     required:
     - Identifier
     type: object

internal/app/api/core/middleware/logging/writer.go

@@ -1,6 +1,8 @@
 package logging
 
 import (
+	"bufio"
+	"net"
 	"net/http"
 )
 
@@ -38,6 +40,12 @@ func (w *writerWrapper) Write(data []byte) (int, error) {
 	return n, err
 }
 
+// Hijack wraps the Hijack method of the ResponseWriter and returns the hijacked connection.
+// This is required for websockets to work.
+func (w *writerWrapper) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	return http.NewResponseController(w.ResponseWriter).Hijack()
+}
+
 // newWriterWrapper returns a new writerWrapper that wraps the given http.ResponseWriter.
 // It initializes the StatusCode to http.StatusOK.
 func newWriterWrapper(w http.ResponseWriter) *writerWrapper {

internal/app/api/v0/backend/user_service.go

@@ -3,6 +3,7 @@ package backend
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strings"
 
 	"github.com/h44z/wg-portal/internal/config"
@@ -95,8 +96,10 @@ func (u UserService) ChangePassword(
 	}
 
 	// ensure that the user uses the database backend; otherwise we can't change the password
-	if user.Source != domain.UserSourceDatabase {
-		return nil, fmt.Errorf("user source %s does not support password changes", user.Source)
+	if !slices.ContainsFunc(user.Authentications, func(authentication domain.UserAuthentication) bool {
+		return authentication.Source == domain.UserSourceDatabase
+	}) {
+		return nil, fmt.Errorf("user has no linked authentication source that does support password changes")
 	}
 
 	// validate old password

internal/app/api/v0/handlers/endpoint_authentication.go

@@ -6,7 +6,6 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
-	"strings"
 	"time"
 
 	"github.com/go-pkgz/routegroup"
@@ -449,7 +448,17 @@ func (e AuthEndpoint) handleLogoutPost() http.HandlerFunc {
 
 // isValidReturnUrl checks if the given return URL matches the configured external URL of the application.
 func (e AuthEndpoint) isValidReturnUrl(returnUrl string) bool {
-	if !strings.HasPrefix(returnUrl, e.cfg.Web.ExternalUrl) {
+	expectedUrl, err := url.Parse(e.cfg.Web.ExternalUrl)
+	if err != nil {
+		return false
+	}
+
+	returnUrlParsed, err := url.Parse(returnUrl)
+	if err != nil {
+		return false
+	}
+
+	if returnUrlParsed.Scheme != expectedUrl.Scheme || returnUrlParsed.Host != expectedUrl.Host {
 		return false
 	}
 

internal/app/api/v0/handlers/endpoint_config.go

@@ -145,6 +145,7 @@ func (e ConfigEndpoint) handleSettingsGet() http.HandlerFunc {
 				MinPasswordLength:         e.cfg.Auth.MinPasswordLength,
 				AvailableBackends:         controllerFn(),
 				LoginFormVisible:          !e.cfg.Auth.HideLoginForm || !hasSocialLogin,
+				CreateDefaultPeer:         e.cfg.Core.CreateDefaultPeer,
 			})
 		}
 	}

internal/app/api/v0/handlers/endpoint_websocket.go

@@ -0,0 +1,100 @@
+package handlers
+
+import (
+	"context"
+	"net/http"
+	"strings"
+	"sync"
+
+	"github.com/go-pkgz/routegroup"
+	"github.com/gorilla/websocket"
+
+	"github.com/h44z/wg-portal/internal/app"
+	"github.com/h44z/wg-portal/internal/config"
+	"github.com/h44z/wg-portal/internal/domain"
+)
+
+type WebsocketEventBus interface {
+	Subscribe(topic string, fn any) error
+	Unsubscribe(topic string, fn any) error
+}
+
+type WebsocketEndpoint struct {
+	authenticator Authenticator
+	bus           WebsocketEventBus
+
+	upgrader websocket.Upgrader
+}
+
+func NewWebsocketEndpoint(cfg *config.Config, auth Authenticator, bus WebsocketEventBus) *WebsocketEndpoint {
+	return &WebsocketEndpoint{
+		authenticator: auth,
+		bus:           bus,
+		upgrader: websocket.Upgrader{
+			ReadBufferSize:  1024,
+			WriteBufferSize: 1024,
+			CheckOrigin: func(r *http.Request) bool {
+				origin := r.Header.Get("Origin")
+				return strings.HasPrefix(origin, cfg.Web.ExternalUrl)
+			},
+		},
+	}
+}
+
+func (e WebsocketEndpoint) GetName() string {
+	return "WebsocketEndpoint"
+}
+
+func (e WebsocketEndpoint) RegisterRoutes(g *routegroup.Bundle) {
+	g.With(e.authenticator.LoggedIn()).HandleFunc("GET /ws", e.handleWebsocket())
+}
+
+// wsMessage represents a message sent over websocket to the frontend
+type wsMessage struct {
+	Type string `json:"type"` // either "peer_stats" or "interface_stats"
+	Data any    `json:"data"` // domain.TrafficDelta
+}
+
+func (e WebsocketEndpoint) handleWebsocket() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		conn, err := e.upgrader.Upgrade(w, r, nil)
+		if err != nil {
+			return
+		}
+		defer conn.Close()
+
+		ctx, cancel := context.WithCancel(r.Context())
+		defer cancel()
+
+		writeMutex := sync.Mutex{}
+		writeJSON := func(msg wsMessage) error {
+			writeMutex.Lock()
+			defer writeMutex.Unlock()
+			return conn.WriteJSON(msg)
+		}
+
+		peerStatsHandler := func(status domain.TrafficDelta) {
+			_ = writeJSON(wsMessage{Type: "peer_stats", Data: status})
+		}
+		interfaceStatsHandler := func(status domain.TrafficDelta) {
+			_ = writeJSON(wsMessage{Type: "interface_stats", Data: status})
+		}
+
+		_ = e.bus.Subscribe(app.TopicPeerStatsUpdated, peerStatsHandler)
+		defer e.bus.Unsubscribe(app.TopicPeerStatsUpdated, peerStatsHandler)
+		_ = e.bus.Subscribe(app.TopicInterfaceStatsUpdated, interfaceStatsHandler)
+		defer e.bus.Unsubscribe(app.TopicInterfaceStatsUpdated, interfaceStatsHandler)
+
+		// Keep connection open until client disconnects or context is cancelled
+		go func() {
+			for {
+				if _, _, err := conn.ReadMessage(); err != nil {
+					cancel()
+					return
+				}
+			}
+		}()
+
+		<-ctx.Done()
+	}
+}

internal/app/api/v0/model/models.go

@@ -14,6 +14,7 @@ type Settings struct {
 	MinPasswordLength         int                    `json:"MinPasswordLength"`
 	AvailableBackends         []SettingsBackendNames `json:"AvailableBackends"`
 	LoginFormVisible          bool                   `json:"LoginFormVisible"`
+	CreateDefaultPeer         bool                   `json:"CreateDefaultPeer"`
 }
 
 type SettingsBackendNames struct {

internal/app/api/v0/model/models_interface.go

@@ -9,15 +9,16 @@ import (
 )
 
 type Interface struct {
-	Identifier     string `json:"Identifier" example:"wg0"`      // device name, for example: wg0
-	DisplayName    string `json:"DisplayName"`                   // a nice display name/ description for the interface
-	Mode           string `json:"Mode" example:"server"`         // the interface type, either 'server', 'client' or 'any'
-	Backend        string `json:"Backend" example:"local"`       // the backend used for this interface e.g., local, mikrotik, ...
-	PrivateKey     string `json:"PrivateKey" example:"abcdef=="` // private Key of the server interface
-	PublicKey      string `json:"PublicKey" example:"abcdef=="`  // public Key of the server interface
-	Disabled       bool   `json:"Disabled"`                      // flag that specifies if the interface is enabled (up) or not (down)
-	DisabledReason string `json:"DisabledReason"`                // the reason why the interface has been disabled
-	SaveConfig     bool   `json:"SaveConfig"`                    // automatically persist config changes to the wgX.conf file
+	Identifier        string `json:"Identifier" example:"wg0"`      // device name, for example: wg0
+	DisplayName       string `json:"DisplayName"`                   // a nice display name/ description for the interface
+	Mode              string `json:"Mode" example:"server"`         // the interface type, either 'server', 'client' or 'any'
+	Backend           string `json:"Backend" example:"local"`       // the backend used for this interface e.g., local, mikrotik, ...
+	PrivateKey        string `json:"PrivateKey" example:"abcdef=="` // private Key of the server interface
+	PublicKey         string `json:"PublicKey" example:"abcdef=="`  // public Key of the server interface
+	Disabled          bool   `json:"Disabled"`                      // flag that specifies if the interface is enabled (up) or not (down)
+	DisabledReason    string `json:"DisabledReason"`                // the reason why the interface has been disabled
+	SaveConfig        bool   `json:"SaveConfig"`                    // automatically persist config changes to the wgX.conf file
+	CreateDefaultPeer bool   `json:"CreateDefaultPeer"`             // if true, default peers will be created for this interface
 
 	ListenPort   int      `json:"ListenPort"`   // the listening port, for example: 51820
 	Addresses    []string `json:"Addresses"`    // the interface ip addresses
@@ -65,6 +66,7 @@ func NewInterface(src *domain.Interface, peers []domain.Peer) *Interface {
 		Disabled:                   src.IsDisabled(),
 		DisabledReason:             src.DisabledReason,
 		SaveConfig:                 src.SaveConfig,
+		CreateDefaultPeer:          src.CreateDefaultPeer,
 		ListenPort:                 src.ListenPort,
 		Addresses:                  domain.CidrsToStringSlice(src.Addresses),
 		Dns:                        internal.SliceString(src.DnsStr),
@@ -151,6 +153,7 @@ func NewDomainInterface(src *Interface) *domain.Interface {
 		PreDown:                    src.PreDown,
 		PostDown:                   src.PostDown,
 		SaveConfig:                 src.SaveConfig,
+		CreateDefaultPeer:          src.CreateDefaultPeer,
 		DisplayName:                src.DisplayName,
 		Type:                       domain.InterfaceType(src.Mode),
 		Backend:                    domain.InterfaceBackend(src.Backend),

internal/app/api/v0/model/models_user.go

@@ -3,15 +3,15 @@ package model
 import (
 	"time"
 
+	"github.com/h44z/wg-portal/internal"
 	"github.com/h44z/wg-portal/internal/domain"
 )
 
 type User struct {
-	Identifier   string `json:"Identifier"`
-	Email        string `json:"Email"`
-	Source       string `json:"Source"`
-	ProviderName string `json:"ProviderName"`
-	IsAdmin      bool   `json:"IsAdmin"`
+	Identifier  string   `json:"Identifier"`
+	Email       string   `json:"Email"`
+	AuthSources []string `json:"AuthSources"`
+	IsAdmin     bool     `json:"IsAdmin"`
 
 	Firstname  string `json:"Firstname"`
 	Lastname   string `json:"Lastname"`
@@ -29,6 +29,8 @@ type User struct {
 	ApiTokenCreated *time.Time `json:"ApiTokenCreated,omitempty"`
 	ApiEnabled      bool       `json:"ApiEnabled"`
 
+	PersistLocalChanges bool `json:"PersistLocalChanges"`
+
 	// Calculated
 
 	PeerCount int `json:"PeerCount"`
@@ -36,24 +38,26 @@ type User struct {
 
 func NewUser(src *domain.User, exposeCreds bool) *User {
 	u := &User{
-		Identifier:      string(src.Identifier),
-		Email:           src.Email,
-		Source:          string(src.Source),
-		ProviderName:    src.ProviderName,
-		IsAdmin:         src.IsAdmin,
-		Firstname:       src.Firstname,
-		Lastname:        src.Lastname,
-		Phone:           src.Phone,
-		Department:      src.Department,
-		Notes:           src.Notes,
-		Password:        "", // never fill password
-		Disabled:        src.IsDisabled(),
-		DisabledReason:  src.DisabledReason,
-		Locked:          src.IsLocked(),
-		LockedReason:    src.LockedReason,
-		ApiToken:        "", // by default, do not expose API token
-		ApiTokenCreated: src.ApiTokenCreated,
-		ApiEnabled:      src.IsApiEnabled(),
+		Identifier: string(src.Identifier),
+		Email:      src.Email,
+		AuthSources: internal.Map(src.Authentications, func(authentication domain.UserAuthentication) string {
+			return string(authentication.Source)
+		}),
+		IsAdmin:             src.IsAdmin,
+		Firstname:           src.Firstname,
+		Lastname:            src.Lastname,
+		Phone:               src.Phone,
+		Department:          src.Department,
+		Notes:               src.Notes,
+		Password:            "", // never fill password
+		Disabled:            src.IsDisabled(),
+		DisabledReason:      src.DisabledReason,
+		Locked:              src.IsLocked(),
+		LockedReason:        src.LockedReason,
+		ApiToken:            "", // by default, do not expose API token
+		ApiTokenCreated:     src.ApiTokenCreated,
+		ApiEnabled:          src.IsApiEnabled(),
+		PersistLocalChanges: src.PersistLocalChanges,
 
 		PeerCount: src.LinkedPeerCount,
 	}
@@ -77,22 +81,21 @@ func NewUsers(src []domain.User) []User {
 func NewDomainUser(src *User) *domain.User {
 	now := time.Now()
 	res := &domain.User{
-		Identifier:      domain.UserIdentifier(src.Identifier),
-		Email:           src.Email,
-		Source:          domain.UserSource(src.Source),
-		ProviderName:    src.ProviderName,
-		IsAdmin:         src.IsAdmin,
-		Firstname:       src.Firstname,
-		Lastname:        src.Lastname,
-		Phone:           src.Phone,
-		Department:      src.Department,
-		Notes:           src.Notes,
-		Password:        domain.PrivateString(src.Password),
-		Disabled:        nil, // set below
-		DisabledReason:  src.DisabledReason,
-		Locked:          nil, // set below
-		LockedReason:    src.LockedReason,
-		LinkedPeerCount: src.PeerCount,
+		Identifier:          domain.UserIdentifier(src.Identifier),
+		Email:               src.Email,
+		IsAdmin:             src.IsAdmin,
+		Firstname:           src.Firstname,
+		Lastname:            src.Lastname,
+		Phone:               src.Phone,
+		Department:          src.Department,
+		Notes:               src.Notes,
+		Password:            domain.PrivateString(src.Password),
+		Disabled:            nil, // set below
+		DisabledReason:      src.DisabledReason,
+		Locked:              nil, // set below
+		LockedReason:        src.LockedReason,
+		LinkedPeerCount:     src.PeerCount,
+		PersistLocalChanges: src.PersistLocalChanges,
 	}
 
 	if src.Disabled {

internal/app/api/v1/models/models_user.go

@@ -3,6 +3,7 @@ package models
 import (
 	"time"
 
+	"github.com/h44z/wg-portal/internal"
 	"github.com/h44z/wg-portal/internal/domain"
 )
 
@@ -13,9 +14,7 @@ type User struct {
 	// The email address of the user. This field is optional.
 	Email string `json:"Email" binding:"omitempty,email" example:"test@test.com"`
 	// The source of the user. This field is optional.
-	Source string `json:"Source" binding:"oneof=db ldap oauth" example:"db"`
-	// The name of the authentication provider. This field is read-only.
-	ProviderName string `json:"ProviderName,omitempty" readonly:"true" example:""`
+	AuthSources []string `json:"AuthSources" readonly:"true" binding:"oneof=db ldap oauth" example:"db"`
 	// If this field is set, the user is an admin.
 	IsAdmin bool `json:"IsAdmin" example:"false"`
 
@@ -52,10 +51,11 @@ type User struct {
 
 func NewUser(src *domain.User, exposeCredentials bool) *User {
 	u := &User{
-		Identifier:     string(src.Identifier),
-		Email:          src.Email,
-		Source:         string(src.Source),
-		ProviderName:   src.ProviderName,
+		Identifier: string(src.Identifier),
+		Email:      src.Email,
+		AuthSources: internal.Map(src.Authentications, func(authentication domain.UserAuthentication) string {
+			return string(authentication.Source)
+		}),
 		IsAdmin:        src.IsAdmin,
 		Firstname:      src.Firstname,
 		Lastname:       src.Lastname,
@@ -93,8 +93,6 @@ func NewDomainUser(src *User) *domain.User {
 	res := &domain.User{
 		Identifier:     domain.UserIdentifier(src.Identifier),
 		Email:          src.Email,
-		Source:         domain.UserSource(src.Source),
-		ProviderName:   src.ProviderName,
 		IsAdmin:        src.IsAdmin,
 		Firstname:      src.Firstname,
 		Lastname:       src.Lastname,

internal/app/app.go

@@ -129,8 +129,6 @@ func (a *App) createDefaultUser(ctx context.Context) error {
 		},
 		Identifier:      adminUserId,
 		Email:           "admin@wgportal.local",
-		Source:          domain.UserSourceDatabase,
-		ProviderName:    "",
 		IsAdmin:         true,
 		Firstname:       "WireGuard Portal",
 		Lastname:        "Admin",

internal/app/auth/auth.go

@@ -29,8 +29,8 @@ type UserManager interface {
 	GetUser(context.Context, domain.UserIdentifier) (*domain.User, error)
 	// RegisterUser creates a new user in the database.
 	RegisterUser(ctx context.Context, user *domain.User) error
-	// UpdateUser updates an existing user in the database.
-	UpdateUser(ctx context.Context, user *domain.User) (*domain.User, error)
+	// UpdateUserInternal updates an existing user in the database.
+	UpdateUserInternal(ctx context.Context, user *domain.User) (*domain.User, error)
 }
 
 type EventBus interface {
@@ -232,7 +232,7 @@ func (a *Authenticator) setupExternalAuthProviders(
 	}
 	for i := range ldap { // LDAP
 		providerCfg := &ldap[i]
-		providerId := strings.ToLower(providerCfg.URL)
+		providerId := strings.ToLower(providerCfg.ProviderName)
 
 		if _, exists := a.ldapAuthenticators[providerId]; exists {
 			// this is an unrecoverable error, we cannot register the same provider twice
@@ -354,21 +354,45 @@ func (a *Authenticator) passwordAuthentication(
 	var ldapProvider AuthenticatorLdap
 
 	var userInDatabase = false
-	var userSource domain.UserSource
 	existingUser, err := a.users.GetUser(ctx, identifier)
 	if err == nil {
 		userInDatabase = true
-		userSource = existingUser.Source
 	}
 	if userInDatabase && (existingUser.IsLocked() || existingUser.IsDisabled()) {
 		return nil, errors.New("user is locked")
 	}
 
-	if !userInDatabase || userSource == domain.UserSourceLdap {
-		// search user in ldap if registration is enabled
+	authOK := false
+	if userInDatabase {
+		// User is already in db, search for authentication sources which support password authentication and
+		// validate the password.
+		for _, authentication := range existingUser.Authentications {
+			if authentication.Source == domain.UserSourceDatabase {
+				err := existingUser.CheckPassword(password)
+				if err == nil {
+					authOK = true
+					break
+				}
+			}
+
+			if authentication.Source == domain.UserSourceLdap {
+				ldapProvider, ok := a.ldapAuthenticators[strings.ToLower(authentication.ProviderName)]
+				if !ok {
+					continue // ldap provider not found, skip further checks
+				}
+				err := ldapProvider.PlaintextAuthentication(identifier, password)
+				if err == nil {
+					authOK = true
+					break
+				}
+			}
+		}
+	} else {
+		// User is not yet in the db, check ldap providers which have registration enabled.
+		// If the user is found, check the password - on success, sync it to the db.
 		for _, ldapAuth := range a.ldapAuthenticators {
-			if !userInDatabase && !ldapAuth.RegistrationEnabled() {
-				continue
+			if !ldapAuth.RegistrationEnabled() {
+				continue // ldap provider does not support registration, skip further checks
 			}
 
 			rawUserInfo, err := ldapAuth.GetUserInfo(context.Background(), identifier)
@@ -379,55 +403,39 @@ func (a *Authenticator) passwordAuthentication(
 				}
 				continue // user not found / other ldap error
 			}
+
+			// user found, check if the password is correct
+			err = ldapAuth.PlaintextAuthentication(identifier, password)
+			if err != nil {
+				continue // password is incorrect, skip further checks
+			}
+
+			// create a new user in the db
 			ldapUserInfo, err = ldapAuth.ParseUserInfo(rawUserInfo)
 			if err != nil {
 				slog.Error("failed to parse ldap user info",
 					"source", ldapAuth.GetName(), "identifier", identifier, "error", err)
 				continue
 			}
+			user, err := a.processUserInfo(ctx, ldapUserInfo, domain.UserSourceLdap, ldapProvider.GetName(), true)
+			if err != nil {
+				return nil, fmt.Errorf("unable to process user information: %w", err)
+			}
 
-			// ldap user found
-			userSource = domain.UserSourceLdap
-			ldapProvider = ldapAuth
+			existingUser = user
+			slog.Debug("created new LDAP user in db",
+				"identifier", user.Identifier, "provider", ldapProvider.GetName())
 
+			authOK = true
 			break
 		}
 	}
 
-	if userSource == "" {
-		slog.Warn("no user source found for user",
-			"identifier", identifier, "ldapProviderCount", len(a.ldapAuthenticators), "inDb", userInDatabase)
-		return nil, errors.New("user not found")
+	if !authOK {
+		return nil, errors.New("failed to authenticate user")
 	}
 
-	if userSource == domain.UserSourceLdap && ldapProvider == nil {
-		slog.Warn("no ldap provider found for user",
-			"identifier", identifier, "ldapProviderCount", len(a.ldapAuthenticators), "inDb", userInDatabase)
-		return nil, errors.New("ldap provider not found")
-	}
-
-	switch userSource {
-	case domain.UserSourceDatabase:
-		err = existingUser.CheckPassword(password)
-	case domain.UserSourceLdap:
-		err = ldapProvider.PlaintextAuthentication(identifier, password)
-	default:
-		err = errors.New("no authentication backend available")
-	}
-	if err != nil {
-		return nil, fmt.Errorf("failed to authenticate: %w", err)
-	}
-
-	if !userInDatabase {
-		user, err := a.processUserInfo(ctx, ldapUserInfo, domain.UserSourceLdap, ldapProvider.GetName(),
-			ldapProvider.RegistrationEnabled())
-		if err != nil {
-			return nil, fmt.Errorf("unable to process user information: %w", err)
-		}
-		return user, nil
-	} else {
-		return existingUser, nil
-	}
+	return existingUser, nil
 }
 
 // endregion password authentication
@@ -590,17 +598,34 @@ func (a *Authenticator) registerNewUser(
 	source domain.UserSource,
 	provider string,
 ) (*domain.User, error) {
+	ctxUserInfo := domain.GetUserInfo(ctx)
+	now := time.Now()
+
 	// convert user info to domain.User
 	user := &domain.User{
-		Identifier:   userInfo.Identifier,
-		Email:        userInfo.Email,
-		Source:       source,
-		ProviderName: provider,
-		IsAdmin:      userInfo.IsAdmin,
-		Firstname:    userInfo.Firstname,
-		Lastname:     userInfo.Lastname,
-		Phone:        userInfo.Phone,
-		Department:   userInfo.Department,
+		Identifier: userInfo.Identifier,
+		Email:      userInfo.Email,
+		IsAdmin:    false,
+		Firstname:  userInfo.Firstname,
+		Lastname:   userInfo.Lastname,
+		Phone:      userInfo.Phone,
+		Department: userInfo.Department,
+		Authentications: []domain.UserAuthentication{
+			{
+				BaseModel: domain.BaseModel{
+					CreatedBy: ctxUserInfo.UserId(),
+					UpdatedBy: ctxUserInfo.UserId(),
+					CreatedAt: now,
+					UpdatedAt: now,
+				},
+				UserIdentifier: userInfo.Identifier,
+				Source:         source,
+				ProviderName:   provider,
+			},
+		},
+	}
+	if userInfo.AdminInfoAvailable && userInfo.IsAdmin {
+		user.IsAdmin = true
 	}
 
 	err := a.users.RegisterUser(ctx, user)
@@ -610,6 +635,7 @@ func (a *Authenticator) registerNewUser(
 
 	slog.Debug("registered user from external authentication provider",
 		"user", user.Identifier,
+		"adminInfoAvailable", userInfo.AdminInfoAvailable,
 		"isAdmin", user.IsAdmin,
 		"provider", source)
 
@@ -643,6 +669,39 @@ func (a *Authenticator) updateExternalUser(
 		return nil // user is locked or disabled, do not update
 	}
 
+	// Update authentication sources
+	foundAuthSource := false
+	for _, auth := range existingUser.Authentications {
+		if auth.Source == source && auth.ProviderName == provider {
+			foundAuthSource = true
+			break
+		}
+	}
+	if !foundAuthSource {
+		ctxUserInfo := domain.GetUserInfo(ctx)
+		now := time.Now()
+		existingUser.Authentications = append(existingUser.Authentications, domain.UserAuthentication{
+			BaseModel: domain.BaseModel{
+				CreatedBy: ctxUserInfo.UserId(),
+				UpdatedBy: ctxUserInfo.UserId(),
+				CreatedAt: now,
+				UpdatedAt: now,
+			},
+			UserIdentifier: existingUser.Identifier,
+			Source:         source,
+			ProviderName:   provider,
+		})
+	}
+
+	if existingUser.PersistLocalChanges {
+		if !foundAuthSource {
+			// Even if local changes are persisted, we need to save the new authentication source
+			_, err := a.users.UpdateUserInternal(ctx, existingUser)
+			return err
+		}
+		return nil
+	}
+
 	isChanged := false
 	if existingUser.Email != userInfo.Email {
 		existingUser.Email = userInfo.Email
@@ -664,33 +723,24 @@ func (a *Authenticator) updateExternalUser(
 		existingUser.Department = userInfo.Department
 		isChanged = true
 	}
-	if existingUser.IsAdmin != userInfo.IsAdmin {
+	if userInfo.AdminInfoAvailable && existingUser.IsAdmin != userInfo.IsAdmin {
 		existingUser.IsAdmin = userInfo.IsAdmin
 		isChanged = true
 	}
-	if existingUser.Source != source {
-		existingUser.Source = source
-		isChanged = true
-	}
-	if existingUser.ProviderName != provider {
-		existingUser.ProviderName = provider
-		isChanged = true
-	}
 
-	if !isChanged {
-		return nil // nothing to update
-	}
+	if isChanged || !foundAuthSource {
+		_, err := a.users.UpdateUserInternal(ctx, existingUser)
+		if err != nil {
+			return fmt.Errorf("failed to update user: %w", err)
+		}
 
-	_, err := a.users.UpdateUser(ctx, existingUser)
-	if err != nil {
-		return fmt.Errorf("failed to update user: %w", err)
+		slog.Debug("updated user with data from external authentication provider",
+			"user", existingUser.Identifier,
+			"adminInfoAvailable", userInfo.AdminInfoAvailable,
+			"isAdmin", existingUser.IsAdmin,
+			"provider", source)
 	}
 
-	slog.Debug("updated user with data from external authentication provider",
-		"user", existingUser.Identifier,
-		"isAdmin", existingUser.IsAdmin,
-		"provider", source)
-
 	return nil
 }
 

internal/app/auth/auth_ldap.go

@@ -127,18 +127,26 @@ func (l LdapAuthenticator) GetUserInfo(_ context.Context, userId domain.UserIden
 
 // ParseUserInfo parses the user information from the LDAP server into a domain.AuthenticatorUserInfo struct.
 func (l LdapAuthenticator) ParseUserInfo(raw map[string]any) (*domain.AuthenticatorUserInfo, error) {
-	isAdmin, err := internal.LdapIsMemberOf(raw[l.cfg.FieldMap.GroupMembership].([][]byte), l.cfg.ParsedAdminGroupDN)
-	if err != nil {
-		return nil, fmt.Errorf("failed to check admin group: %w", err)
+	isAdmin := false
+	adminInfoAvailable := false
+	if l.cfg.FieldMap.GroupMembership != "" {
+		adminInfoAvailable = true
+		var err error
+		isAdmin, err = internal.LdapIsMemberOf(raw[l.cfg.FieldMap.GroupMembership].([][]byte), l.cfg.ParsedAdminGroupDN)
+		if err != nil {
+			return nil, fmt.Errorf("failed to check admin group: %w", err)
+		}
 	}
+
 	userInfo := &domain.AuthenticatorUserInfo{
-		Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, l.cfg.FieldMap.UserIdentifier, "")),
-		Email:      internal.MapDefaultString(raw, l.cfg.FieldMap.Email, ""),
-		Firstname:  internal.MapDefaultString(raw, l.cfg.FieldMap.Firstname, ""),
-		Lastname:   internal.MapDefaultString(raw, l.cfg.FieldMap.Lastname, ""),
-		Phone:      internal.MapDefaultString(raw, l.cfg.FieldMap.Phone, ""),
-		Department: internal.MapDefaultString(raw, l.cfg.FieldMap.Department, ""),
-		IsAdmin:    isAdmin,
+		Identifier:         domain.UserIdentifier(internal.MapDefaultString(raw, l.cfg.FieldMap.UserIdentifier, "")),
+		Email:              internal.MapDefaultString(raw, l.cfg.FieldMap.Email, ""),
+		Firstname:          internal.MapDefaultString(raw, l.cfg.FieldMap.Firstname, ""),
+		Lastname:           internal.MapDefaultString(raw, l.cfg.FieldMap.Lastname, ""),
+		Phone:              internal.MapDefaultString(raw, l.cfg.FieldMap.Phone, ""),
+		Department:         internal.MapDefaultString(raw, l.cfg.FieldMap.Department, ""),
+		IsAdmin:            isAdmin,
+		AdminInfoAvailable: adminInfoAvailable,
 	}
 
 	return userInfo, nil

internal/app/auth/oauth_common.go

@@ -15,9 +15,11 @@ func parseOauthUserInfo(
 	raw map[string]any,
 ) (*domain.AuthenticatorUserInfo, error) {
 	var isAdmin bool
+	var adminInfoAvailable bool
 
 	// first try to match the is_admin field against the given regex
 	if mapping.IsAdmin != "" {
+		adminInfoAvailable = true
 		re := adminMapping.GetAdminValueRegex()
 		if re.MatchString(strings.TrimSpace(internal.MapDefaultString(raw, mapping.IsAdmin, ""))) {
 			isAdmin = true
@@ -26,6 +28,7 @@ func parseOauthUserInfo(
 
 	// next try to parse the user's groups
 	if !isAdmin && mapping.UserGroups != "" && adminMapping.AdminGroupRegex != "" {
+		adminInfoAvailable = true
 		userGroups := internal.MapDefaultStringSlice(raw, mapping.UserGroups, nil)
 		re := adminMapping.GetAdminGroupRegex()
 		for _, group := range userGroups {
@@ -37,13 +40,14 @@ func parseOauthUserInfo(
 	}
 
 	userInfo := &domain.AuthenticatorUserInfo{
-		Identifier: domain.UserIdentifier(internal.MapDefaultString(raw, mapping.UserIdentifier, "")),
-		Email:      internal.MapDefaultString(raw, mapping.Email, ""),
-		Firstname:  internal.MapDefaultString(raw, mapping.Firstname, ""),
-		Lastname:   internal.MapDefaultString(raw, mapping.Lastname, ""),
-		Phone:      internal.MapDefaultString(raw, mapping.Phone, ""),
-		Department: internal.MapDefaultString(raw, mapping.Department, ""),
-		IsAdmin:    isAdmin,
+		Identifier:         domain.UserIdentifier(internal.MapDefaultString(raw, mapping.UserIdentifier, "")),
+		Email:              internal.MapDefaultString(raw, mapping.Email, ""),
+		Firstname:          internal.MapDefaultString(raw, mapping.Firstname, ""),
+		Lastname:           internal.MapDefaultString(raw, mapping.Lastname, ""),
+		Phone:              internal.MapDefaultString(raw, mapping.Phone, ""),
+		Department:         internal.MapDefaultString(raw, mapping.Department, ""),
+		IsAdmin:            isAdmin,
+		AdminInfoAvailable: adminInfoAvailable,
 	}
 
 	return userInfo, nil

internal/app/auth/webauthn.go

@@ -23,8 +23,8 @@ type WebAuthnUserManager interface {
 	GetUser(context.Context, domain.UserIdentifier) (*domain.User, error)
 	// GetUserByWebAuthnCredential returns a user by its WebAuthn ID.
 	GetUserByWebAuthnCredential(ctx context.Context, credentialIdBase64 string) (*domain.User, error)
-	// UpdateUser updates an existing user in the database.
-	UpdateUser(ctx context.Context, user *domain.User) (*domain.User, error)
+	// UpdateUserInternal updates an existing user in the database.
+	UpdateUserInternal(ctx context.Context, user *domain.User) (*domain.User, error)
 }
 
 type WebAuthnAuthenticator struct {
@@ -89,7 +89,7 @@ func (a *WebAuthnAuthenticator) StartWebAuthnRegistration(ctx context.Context, u
 
 	if user.WebAuthnId == "" {
 		user.GenerateWebAuthnId()
-		user, err = a.users.UpdateUser(ctx, user)
+		user, err = a.users.UpdateUserInternal(ctx, user)
 		if err != nil {
 			return nil, nil, fmt.Errorf("failed to store webauthn id to user: %w", err)
 		}
@@ -150,7 +150,7 @@ func (a *WebAuthnAuthenticator) FinishWebAuthnRegistration(
 		return nil, err
 	}
 
-	user, err = a.users.UpdateUser(ctx, user)
+	user, err = a.users.UpdateUserInternal(ctx, user)
 	if err != nil {
 		return nil, err
 	}
@@ -181,7 +181,7 @@ func (a *WebAuthnAuthenticator) RemoveCredential(
 	}
 
 	user.RemoveCredential(credentialIdBase64)
-	user, err = a.users.UpdateUser(ctx, user)
+	user, err = a.users.UpdateUserInternal(ctx, user)
 	if err != nil {
 		return nil, err
 	}
@@ -205,7 +205,7 @@ func (a *WebAuthnAuthenticator) UpdateCredential(
 		return nil, err
 	}
 
-	user, err = a.users.UpdateUser(ctx, user)
+	user, err = a.users.UpdateUserInternal(ctx, user)
 	if err != nil {
 		return nil, err
 	}

internal/app/eventbus.go

@@ -26,6 +26,7 @@ const TopicUserEnabled = "user:enabled"
 const TopicInterfaceCreated = "interface:created"
 const TopicInterfaceUpdated = "interface:updated"
 const TopicInterfaceDeleted = "interface:deleted"
+const TopicInterfaceStatsUpdated = "interface:stats:updated"
 
 // endregion interface-events
 
@@ -37,6 +38,7 @@ const TopicPeerUpdated = "peer:updated"
 const TopicPeerInterfaceUpdated = "peer:interface:updated"
 const TopicPeerIdentifierUpdated = "peer:identifier:updated"
 const TopicPeerStateChanged = "peer:state:changed"
+const TopicPeerStatsUpdated = "peer:stats:updated"
 
 // endregion peer-events
 

internal/app/migrate_v1.go

@@ -144,8 +144,6 @@ func migrateV1Users(oldDb, newDb *gorm.DB) error {
 			},
 			Identifier:      domain.UserIdentifier(oldUser.Email),
 			Email:           oldUser.Email,
-			Source:          domain.UserSource(oldUser.Source),
-			ProviderName:    "",
 			IsAdmin:         oldUser.IsAdmin,
 			Firstname:       oldUser.Firstname,
 			Lastname:        oldUser.Lastname,
@@ -159,11 +157,25 @@ func migrateV1Users(oldDb, newDb *gorm.DB) error {
 			LockedReason:    "",
 			LinkedPeerCount: 0,
 		}
-
 		if err := newDb.Create(&newUser).Error; err != nil {
 			return fmt.Errorf("failed to migrate user %s: %w", oldUser.Email, err)
 		}
 
+		authentication := domain.UserAuthentication{
+			BaseModel: domain.BaseModel{
+				CreatedBy: domain.CtxSystemV1Migrator,
+				UpdatedBy: domain.CtxSystemV1Migrator,
+				CreatedAt: oldUser.CreatedAt,
+				UpdatedAt: oldUser.UpdatedAt,
+			},
+			UserIdentifier: domain.UserIdentifier(oldUser.Email),
+			Source:         domain.UserSource(oldUser.Source),
+			ProviderName:   "", // unknown
+		}
+		if err := newDb.Create(&authentication).Error; err != nil {
+			return fmt.Errorf("failed to migrate user-authentication %s: %w", oldUser.Email, err)
+		}
+
 		slog.Debug("user migrated successfully", "identifier", newUser.Identifier)
 	}
 
@@ -346,8 +358,6 @@ func migrateV1Peers(oldDb, newDb *gorm.DB) error {
 				},
 				Identifier:   domain.UserIdentifier(oldPeer.Email),
 				Email:        oldPeer.Email,
-				Source:       domain.UserSourceDatabase,
-				ProviderName: "",
 				IsAdmin:      false,
 				Locked:       &now,
 				LockedReason: domain.DisabledReasonMigrationDummy,
@@ -358,6 +368,21 @@ func migrateV1Peers(oldDb, newDb *gorm.DB) error {
 				return fmt.Errorf("failed to migrate dummy user %s: %w", oldPeer.Email, err)
 			}
 
+			authentication := domain.UserAuthentication{
+				BaseModel: domain.BaseModel{
+					CreatedBy: domain.CtxSystemV1Migrator,
+					UpdatedBy: domain.CtxSystemV1Migrator,
+					CreatedAt: now,
+					UpdatedAt: now,
+				},
+				UserIdentifier: domain.UserIdentifier(oldPeer.Email),
+				Source:         domain.UserSourceDatabase,
+				ProviderName:   "", // unknown
+			}
+			if err := newDb.Create(&authentication).Error; err != nil {
+				return fmt.Errorf("failed to migrate dummy user-authentication %s: %w", oldPeer.Email, err)
+			}
+
 			slog.Debug("dummy user migrated successfully", "identifier", user.Identifier)
 		}
 		newPeer := domain.Peer{

internal/app/users/ldap_helper.go

@@ -2,6 +2,7 @@ package users
 
 import (
 	"fmt"
+	"slices"
 	"strings"
 	"time"
 
@@ -25,6 +26,8 @@ func convertRawLdapUser(
 		return nil, fmt.Errorf("failed to check admin group: %w", err)
 	}
 
+	uid := domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, ""))
+
 	return &domain.User{
 		BaseModel: domain.BaseModel{
 			CreatedBy: domain.CtxSystemLdapSyncer,
@@ -32,18 +35,23 @@ func convertRawLdapUser(
 			CreatedAt: now,
 			UpdatedAt: now,
 		},
-		Identifier:   domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, "")),
-		Email:        strings.ToLower(internal.MapDefaultString(rawUser, fields.Email, "")),
-		Source:       domain.UserSourceLdap,
-		ProviderName: providerName,
-		IsAdmin:      isAdmin,
-		Firstname:    internal.MapDefaultString(rawUser, fields.Firstname, ""),
-		Lastname:     internal.MapDefaultString(rawUser, fields.Lastname, ""),
-		Phone:        internal.MapDefaultString(rawUser, fields.Phone, ""),
-		Department:   internal.MapDefaultString(rawUser, fields.Department, ""),
-		Notes:        "",
-		Password:     "",
-		Disabled:     nil,
+		Identifier: uid,
+		Email:      strings.ToLower(internal.MapDefaultString(rawUser, fields.Email, "")),
+		IsAdmin:    isAdmin,
+		Authentications: []domain.UserAuthentication{
+			{
+				UserIdentifier: uid,
+				Source:         domain.UserSourceLdap,
+				ProviderName:   providerName,
+			},
+		},
+		Firstname:  internal.MapDefaultString(rawUser, fields.Firstname, ""),
+		Lastname:   internal.MapDefaultString(rawUser, fields.Lastname, ""),
+		Phone:      internal.MapDefaultString(rawUser, fields.Phone, ""),
+		Department: internal.MapDefaultString(rawUser, fields.Department, ""),
+		Notes:      "",
+		Password:   "",
+		Disabled:   nil,
 	}, nil
 }
 
@@ -72,7 +80,9 @@ func userChangedInLdap(dbUser, ldapUser *domain.User) bool {
 		return true
 	}
 
-	if dbUser.ProviderName != ldapUser.ProviderName {
+	if !slices.ContainsFunc(dbUser.Authentications, func(authentication domain.UserAuthentication) bool {
+		return authentication.Source == ldapUser.Authentications[0].Source
+	}) {
 		return true
 	}
 

internal/app/users/ldap_sync.go

@@ -0,0 +1,239 @@
+package users
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"log/slog"
+	"time"
+
+	"github.com/go-ldap/ldap/v3"
+
+	"github.com/h44z/wg-portal/internal"
+	"github.com/h44z/wg-portal/internal/app"
+	"github.com/h44z/wg-portal/internal/config"
+	"github.com/h44z/wg-portal/internal/domain"
+)
+
+func (m Manager) runLdapSynchronizationService(ctx context.Context) {
+	ctx = domain.SetUserInfo(ctx, domain.LdapSyncContextUserInfo()) // switch to service context for LDAP sync
+
+	for _, ldapCfg := range m.cfg.Auth.Ldap { // LDAP Auth providers
+		go func(cfg config.LdapProvider) {
+			syncInterval := cfg.SyncInterval
+			if syncInterval == 0 {
+				slog.Debug("sync disabled for LDAP server", "provider", cfg.ProviderName)
+				return
+			}
+
+			// perform initial sync
+			err := m.synchronizeLdapUsers(ctx, &cfg)
+			if err != nil {
+				slog.Error("failed to synchronize LDAP users", "provider", cfg.ProviderName, "error", err)
+			} else {
+				slog.Debug("initial LDAP user sync completed", "provider", cfg.ProviderName)
+			}
+
+			// start periodic sync
+			running := true
+			for running {
+				select {
+				case <-ctx.Done():
+					running = false
+					continue
+				case <-time.After(syncInterval):
+					// select blocks until one of the cases evaluate to true
+				}
+
+				err := m.synchronizeLdapUsers(ctx, &cfg)
+				if err != nil {
+					slog.Error("failed to synchronize LDAP users", "provider", cfg.ProviderName, "error", err)
+				}
+			}
+		}(ldapCfg)
+	}
+}
+
+func (m Manager) synchronizeLdapUsers(ctx context.Context, provider *config.LdapProvider) error {
+	slog.Debug("starting to synchronize users", "provider", provider.ProviderName)
+
+	dn, err := ldap.ParseDN(provider.AdminGroupDN)
+	if err != nil {
+		return fmt.Errorf("failed to parse admin group DN: %w", err)
+	}
+	provider.ParsedAdminGroupDN = dn
+
+	conn, err := internal.LdapConnect(provider)
+	if err != nil {
+		return fmt.Errorf("failed to setup LDAP connection: %w", err)
+	}
+	defer internal.LdapDisconnect(conn)
+
+	rawUsers, err := internal.LdapFindAllUsers(conn, provider.BaseDN, provider.SyncFilter, &provider.FieldMap)
+	if err != nil {
+		return err
+	}
+
+	slog.Debug("fetched raw ldap users", "count", len(rawUsers), "provider", provider.ProviderName)
+
+	// Update existing LDAP users
+	err = m.updateLdapUsers(ctx, provider, rawUsers, &provider.FieldMap, provider.ParsedAdminGroupDN)
+	if err != nil {
+		return err
+	}
+
+	// Disable missing LDAP users
+	if provider.DisableMissing {
+		err = m.disableMissingLdapUsers(ctx, provider.ProviderName, rawUsers, &provider.FieldMap)
+		if err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+func (m Manager) updateLdapUsers(
+	ctx context.Context,
+	provider *config.LdapProvider,
+	rawUsers []internal.RawLdapUser,
+	fields *config.LdapFields,
+	adminGroupDN *ldap.DN,
+) error {
+	for _, rawUser := range rawUsers {
+		user, err := convertRawLdapUser(provider.ProviderName, rawUser, fields, adminGroupDN)
+		if err != nil && !errors.Is(err, domain.ErrNotFound) {
+			return fmt.Errorf("failed to convert LDAP data for %v: %w", rawUser["dn"], err)
+		}
+
+		if provider.SyncLogUserInfo {
+			slog.Debug("ldap user data",
+				"raw-user", rawUser, "user", user.Identifier,
+				"is-admin", user.IsAdmin, "provider", provider.ProviderName)
+		}
+
+		existingUser, err := m.users.GetUser(ctx, user.Identifier)
+		if err != nil && !errors.Is(err, domain.ErrNotFound) {
+			return fmt.Errorf("find error for user id %s: %w", user.Identifier, err)
+		}
+
+		tctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+		tctx = domain.SetUserInfo(tctx, domain.SystemAdminContextUserInfo())
+
+		if existingUser == nil {
+			// create new user
+			slog.Debug("creating new user from provider", "user", user.Identifier, "provider", provider.ProviderName)
+
+			_, err := m.create(tctx, user)
+			if err != nil {
+				cancel()
+				return fmt.Errorf("create error for user id %s: %w", user.Identifier, err)
+			}
+		} else {
+			// update existing user
+			if provider.AutoReEnable && existingUser.DisabledReason == domain.DisabledReasonLdapMissing {
+				user.Disabled = nil
+				user.DisabledReason = ""
+			} else {
+				user.Disabled = existingUser.Disabled
+				user.DisabledReason = existingUser.DisabledReason
+			}
+
+			if existingUser.PersistLocalChanges {
+				cancel()
+				continue // skip synchronization for this user
+			}
+
+			if userChangedInLdap(existingUser, user) {
+				syncedUser, err := m.users.GetUser(ctx, user.Identifier)
+				if err != nil && !errors.Is(err, domain.ErrNotFound) {
+					cancel()
+					return fmt.Errorf("find error for user id %s: %w", user.Identifier, err)
+				}
+				syncedUser.UpdatedAt = time.Now()
+				syncedUser.UpdatedBy = domain.CtxSystemLdapSyncer
+				syncedUser.MergeAuthSources(user.Authentications...)
+				syncedUser.Email = user.Email
+				syncedUser.Firstname = user.Firstname
+				syncedUser.Lastname = user.Lastname
+				syncedUser.Phone = user.Phone
+				syncedUser.Department = user.Department
+				syncedUser.IsAdmin = user.IsAdmin
+				syncedUser.Disabled = user.Disabled
+				syncedUser.DisabledReason = user.DisabledReason
+
+				_, err = m.update(tctx, existingUser, syncedUser, false)
+				if err != nil {
+					cancel()
+					return fmt.Errorf("update error for user id %s: %w", user.Identifier, err)
+				}
+			}
+		}
+
+		cancel()
+	}
+
+	return nil
+}
+
+func (m Manager) disableMissingLdapUsers(
+	ctx context.Context,
+	providerName string,
+	rawUsers []internal.RawLdapUser,
+	fields *config.LdapFields,
+) error {
+	allUsers, err := m.users.GetAllUsers(ctx)
+	if err != nil {
+		return err
+	}
+	for _, user := range allUsers {
+		userHasAuthSource := false
+		for _, auth := range user.Authentications {
+			if auth.Source == domain.UserSourceLdap && auth.ProviderName == providerName {
+				userHasAuthSource = true
+				break
+			}
+		}
+		if !userHasAuthSource {
+			continue // ignore non ldap users
+		}
+		if user.IsDisabled() {
+			continue // ignore deactivated
+		}
+		if user.PersistLocalChanges {
+			continue // skip sync for this user
+		}
+
+		existsInLDAP := false
+		for _, rawUser := range rawUsers {
+			userId := domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, ""))
+			if user.Identifier == userId {
+				existsInLDAP = true
+				break
+			}
+		}
+
+		if existsInLDAP {
+			continue
+		}
+
+		slog.Debug("user is missing in ldap provider, disabling", "user", user.Identifier, "provider", providerName)
+
+		now := time.Now()
+		user.Disabled = &now
+		user.DisabledReason = domain.DisabledReasonLdapMissing
+
+		err := m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
+			u.Disabled = user.Disabled
+			u.DisabledReason = user.DisabledReason
+			return u, nil
+		})
+		if err != nil {
+			return fmt.Errorf("disable error for user id %s: %w", user.Identifier, err)
+		}
+
+		m.bus.Publish(app.TopicUserDisabled, user)
+	}
+
+	return nil
+}

internal/app/users/user_manager.go

@@ -4,15 +4,12 @@ import (
 	"context"
 	"errors"
 	"fmt"
-	"log/slog"
 	"math"
 	"sync"
 	"time"
 
-	"github.com/go-ldap/ldap/v3"
 	"github.com/google/uuid"
 
-	"github.com/h44z/wg-portal/internal"
 	"github.com/h44z/wg-portal/internal/app"
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
@@ -79,7 +76,7 @@ func (m Manager) RegisterUser(ctx context.Context, user *domain.User) error {
 		return err
 	}
 
-	createdUser, err := m.CreateUser(ctx, user)
+	createdUser, err := m.create(ctx, user)
 	if err != nil {
 		return err
 	}
@@ -101,20 +98,11 @@ func (m Manager) GetUser(ctx context.Context, id domain.UserIdentifier) (*domain
 		return nil, err
 	}
 
-	user, err := m.users.GetUser(ctx, id)
-	if err != nil {
-		return nil, fmt.Errorf("unable to load user %s: %w", id, err)
-	}
-	peers, _ := m.peers.GetUserPeers(ctx, id) // ignore error, list will be empty in error case
-
-	user.LinkedPeerCount = len(peers)
-
-	return user, nil
+	return m.getUser(ctx, id)
 }
 
 // GetUserByEmail returns the user with the given email address.
 func (m Manager) GetUserByEmail(ctx context.Context, email string) (*domain.User, error) {
-
 	user, err := m.users.GetUserByEmail(ctx, email)
 	if err != nil {
 		return nil, fmt.Errorf("unable to load user for email %s: %w", email, err)
@@ -124,16 +112,11 @@ func (m Manager) GetUserByEmail(ctx context.Context, email string) (*domain.User
 		return nil, err
 	}
 
-	peers, _ := m.peers.GetUserPeers(ctx, user.Identifier) // ignore error, list will be empty in error case
-
-	user.LinkedPeerCount = len(peers)
-
-	return user, nil
+	return m.enrichUser(ctx, user), nil
 }
 
 // GetUserByWebAuthnCredential returns the user for the given WebAuthn credential.
 func (m Manager) GetUserByWebAuthnCredential(ctx context.Context, credentialIdBase64 string) (*domain.User, error) {
-
 	user, err := m.users.GetUserByWebAuthnCredential(ctx, credentialIdBase64)
 	if err != nil {
 		return nil, fmt.Errorf("unable to load user for webauthn credential %s: %w", credentialIdBase64, err)
@@ -143,11 +126,7 @@ func (m Manager) GetUserByWebAuthnCredential(ctx context.Context, credentialIdBa
 		return nil, err
 	}
 
-	peers, _ := m.peers.GetUserPeers(ctx, user.Identifier) // ignore error, list will be empty in error case
-
-	user.LinkedPeerCount = len(peers)
-
-	return user, nil
+	return m.enrichUser(ctx, user), nil
 }
 
 // GetAllUsers returns all users.
@@ -169,8 +148,7 @@ func (m Manager) GetAllUsers(ctx context.Context) ([]domain.User, error) {
 		go func() {
 			defer wg.Done()
 			for user := range ch {
-				peers, _ := m.peers.GetUserPeers(ctx, user.Identifier) // ignore error, list will be empty in error case
-				user.LinkedPeerCount = len(peers)
+				m.enrichUser(ctx, user)
 			}
 		}()
 	}
@@ -194,77 +172,29 @@ func (m Manager) UpdateUser(ctx context.Context, user *domain.User) (*domain.Use
 		return nil, fmt.Errorf("unable to load existing user %s: %w", user.Identifier, err)
 	}
 
-	if err := m.validateModifications(ctx, existingUser, user); err != nil {
-		return nil, fmt.Errorf("update not allowed: %w", err)
-	}
+	user.CopyCalculatedAttributes(existingUser, true) // ensure that crucial attributes stay the same
 
-	user.CopyCalculatedAttributes(existingUser)
-	err = user.HashPassword()
+	return m.update(ctx, existingUser, user, true)
+}
+
+// UpdateUserInternal updates the user with the given identifier. This function must never be called from external.
+// This function allows to override authentications and webauthn credentials.
+func (m Manager) UpdateUserInternal(ctx context.Context, user *domain.User) (*domain.User, error) {
+	existingUser, err := m.users.GetUser(ctx, user.Identifier)
 	if err != nil {
-		return nil, err
-	}
-	if user.Password == "" { // keep old password
-		user.Password = existingUser.Password
+		return nil, fmt.Errorf("unable to load existing user %s: %w", user.Identifier, err)
 	}
 
-	err = m.users.SaveUser(ctx, existingUser.Identifier, func(u *domain.User) (*domain.User, error) {
-		user.CopyCalculatedAttributes(u)
-		return user, nil
-	})
-	if err != nil {
-		return nil, fmt.Errorf("update failure: %w", err)
-	}
-
-	m.bus.Publish(app.TopicUserUpdated, *user)
-
-	switch {
-	case !existingUser.IsDisabled() && user.IsDisabled():
-		m.bus.Publish(app.TopicUserDisabled, *user)
-	case existingUser.IsDisabled() && !user.IsDisabled():
-		m.bus.Publish(app.TopicUserEnabled, *user)
-	}
-
-	return user, nil
+	return m.update(ctx, existingUser, user, false)
 }
 
 // CreateUser creates a new user.
 func (m Manager) CreateUser(ctx context.Context, user *domain.User) (*domain.User, error) {
-	if user.Identifier == "" {
-		return nil, errors.New("missing user identifier")
-	}
-
 	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
 		return nil, err
 	}
 
-	existingUser, err := m.users.GetUser(ctx, user.Identifier)
-	if err != nil && !errors.Is(err, domain.ErrNotFound) {
-		return nil, fmt.Errorf("unable to load existing user %s: %w", user.Identifier, err)
-	}
-	if existingUser != nil {
-		return nil, errors.Join(fmt.Errorf("user %s already exists", user.Identifier), domain.ErrDuplicateEntry)
-	}
-
-	if err := m.validateCreation(ctx, user); err != nil {
-		return nil, fmt.Errorf("creation not allowed: %w", err)
-	}
-
-	err = user.HashPassword()
-	if err != nil {
-		return nil, err
-	}
-
-	err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
-		user.CopyCalculatedAttributes(u)
-		return user, nil
-	})
-	if err != nil {
-		return nil, fmt.Errorf("creation failure: %w", err)
-	}
-
-	m.bus.Publish(app.TopicUserCreated, *user)
-
-	return user, nil
+	return m.create(ctx, user)
 }
 
 // DeleteUser deletes the user with the given identifier.
@@ -307,15 +237,10 @@ func (m Manager) ActivateApi(ctx context.Context, id domain.UserIdentifier) (*do
 	user.ApiToken = uuid.New().String()
 	user.ApiTokenCreated = &now
 
-	err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
-		user.CopyCalculatedAttributes(u)
-		return user, nil
-	})
+	user, err = m.update(ctx, user, user, true) // self-update
 	if err != nil {
-		return nil, fmt.Errorf("update failure: %w", err)
+		return nil, err
 	}
-
-	m.bus.Publish(app.TopicUserUpdated, *user)
 	m.bus.Publish(app.TopicUserApiEnabled, *user)
 
 	return user, nil
@@ -335,15 +260,10 @@ func (m Manager) DeactivateApi(ctx context.Context, id domain.UserIdentifier) (*
 	user.ApiToken = ""
 	user.ApiTokenCreated = nil
 
-	err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
-		user.CopyCalculatedAttributes(u)
-		return user, nil
-	})
+	user, err = m.update(ctx, user, user, true) // self-update
 	if err != nil {
-		return nil, fmt.Errorf("update failure: %w", err)
+		return nil, err
 	}
-
-	m.bus.Publish(app.TopicUserUpdated, *user)
 	m.bus.Publish(app.TopicUserApiDisabled, *user)
 
 	return user, nil
@@ -380,10 +300,6 @@ func (m Manager) validateModifications(ctx context.Context, old, new *domain.Use
 		return fmt.Errorf("cannot lock own user: %w", domain.ErrInvalidData)
 	}
 
-	if old.Source != new.Source {
-		return fmt.Errorf("cannot change user source: %w", domain.ErrInvalidData)
-	}
-
 	return nil
 }
 
@@ -414,14 +330,19 @@ func (m Manager) validateCreation(ctx context.Context, new *domain.User) error {
 		return fmt.Errorf("reserved user identifier: %w", domain.ErrInvalidData)
 	}
 
+	if len(new.Authentications) != 1 {
+		return fmt.Errorf("invalid number of authentications: %d, expected 1: %w",
+			len(new.Authentications), domain.ErrInvalidData)
+	}
+
 	// Admins are allowed to create users for arbitrary sources.
-	if new.Source != domain.UserSourceDatabase && !currentUser.IsAdmin {
+	if new.Authentications[0].Source != domain.UserSourceDatabase && !currentUser.IsAdmin {
 		return fmt.Errorf("invalid user source: %s, only %s is allowed: %w",
-			new.Source, domain.UserSourceDatabase, domain.ErrInvalidData)
+			new.Authentications[0].Source, domain.UserSourceDatabase, domain.ErrInvalidData)
 	}
 
 	// database users must have a password
-	if new.Source == domain.UserSourceDatabase && string(new.Password) == "" {
+	if new.Authentications[0].Source == domain.UserSourceDatabase && string(new.Password) == "" {
 		return fmt.Errorf("missing password: %w", domain.ErrInvalidData)
 	}
 
@@ -460,214 +381,112 @@ func (m Manager) validateApiChange(ctx context.Context, user *domain.User) error
 	return nil
 }
 
-func (m Manager) runLdapSynchronizationService(ctx context.Context) {
-	ctx = domain.SetUserInfo(ctx, domain.LdapSyncContextUserInfo()) // switch to service context for LDAP sync
+// region internal-modifiers
 
-	for _, ldapCfg := range m.cfg.Auth.Ldap { // LDAP Auth providers
-		go func(cfg config.LdapProvider) {
-			syncInterval := cfg.SyncInterval
-			if syncInterval == 0 {
-				slog.Debug("sync disabled for LDAP server", "provider", cfg.ProviderName)
-				return
-			}
-
-			// perform initial sync
-			err := m.synchronizeLdapUsers(ctx, &cfg)
-			if err != nil {
-				slog.Error("failed to synchronize LDAP users", "provider", cfg.ProviderName, "error", err)
-			} else {
-				slog.Debug("initial LDAP user sync completed", "provider", cfg.ProviderName)
-			}
-
-			// start periodic sync
-			running := true
-			for running {
-				select {
-				case <-ctx.Done():
-					running = false
-					continue
-				case <-time.After(syncInterval):
-					// select blocks until one of the cases evaluate to true
-				}
-
-				err := m.synchronizeLdapUsers(ctx, &cfg)
-				if err != nil {
-					slog.Error("failed to synchronize LDAP users", "provider", cfg.ProviderName, "error", err)
-				}
-			}
-		}(ldapCfg)
+func (m Manager) enrichUser(ctx context.Context, user *domain.User) *domain.User {
+	if user == nil {
+		return nil
 	}
+	peers, _ := m.peers.GetUserPeers(ctx, user.Identifier) // ignore error, list will be empty in error case
+	user.LinkedPeerCount = len(peers)
+	return user
 }
 
-func (m Manager) synchronizeLdapUsers(ctx context.Context, provider *config.LdapProvider) error {
-	slog.Debug("starting to synchronize users", "provider", provider.ProviderName)
-
-	dn, err := ldap.ParseDN(provider.AdminGroupDN)
+func (m Manager) getUser(ctx context.Context, id domain.UserIdentifier) (*domain.User, error) {
+	user, err := m.users.GetUser(ctx, id)
 	if err != nil {
-		return fmt.Errorf("failed to parse admin group DN: %w", err)
+		return nil, fmt.Errorf("unable to load user %s: %w", id, err)
 	}
-	provider.ParsedAdminGroupDN = dn
-
-	conn, err := internal.LdapConnect(provider)
-	if err != nil {
-		return fmt.Errorf("failed to setup LDAP connection: %w", err)
-	}
-	defer internal.LdapDisconnect(conn)
-
-	rawUsers, err := internal.LdapFindAllUsers(conn, provider.BaseDN, provider.SyncFilter, &provider.FieldMap)
-	if err != nil {
-		return err
-	}
-
-	slog.Debug("fetched raw ldap users", "count", len(rawUsers), "provider", provider.ProviderName)
-
-	// Update existing LDAP users
-	err = m.updateLdapUsers(ctx, provider, rawUsers, &provider.FieldMap, provider.ParsedAdminGroupDN)
-	if err != nil {
-		return err
-	}
-
-	// Disable missing LDAP users
-	if provider.DisableMissing {
-		err = m.disableMissingLdapUsers(ctx, provider.ProviderName, rawUsers, &provider.FieldMap)
-		if err != nil {
-			return err
-		}
-	}
-
-	return nil
+	return m.enrichUser(ctx, user), nil
 }
 
-func (m Manager) updateLdapUsers(
-	ctx context.Context,
-	provider *config.LdapProvider,
-	rawUsers []internal.RawLdapUser,
-	fields *config.LdapFields,
-	adminGroupDN *ldap.DN,
-) error {
-	for _, rawUser := range rawUsers {
-		user, err := convertRawLdapUser(provider.ProviderName, rawUser, fields, adminGroupDN)
-		if err != nil && !errors.Is(err, domain.ErrNotFound) {
-			return fmt.Errorf("failed to convert LDAP data for %v: %w", rawUser["dn"], err)
-		}
-
-		if provider.SyncLogUserInfo {
-			slog.Debug("ldap user data",
-				"raw-user", rawUser, "user", user.Identifier,
-				"is-admin", user.IsAdmin, "provider", provider.ProviderName)
-		}
-
-		existingUser, err := m.users.GetUser(ctx, user.Identifier)
-		if err != nil && !errors.Is(err, domain.ErrNotFound) {
-			return fmt.Errorf("find error for user id %s: %w", user.Identifier, err)
-		}
-
-		tctx, cancel := context.WithTimeout(ctx, 30*time.Second)
-		tctx = domain.SetUserInfo(tctx, domain.SystemAdminContextUserInfo())
-
-		if existingUser == nil {
-			// create new user
-			slog.Debug("creating new user from provider", "user", user.Identifier, "provider", provider.ProviderName)
-
-			_, err := m.CreateUser(tctx, user)
-			if err != nil {
-				cancel()
-				return fmt.Errorf("create error for user id %s: %w", user.Identifier, err)
-			}
-		} else {
-			// update existing user
-			if provider.AutoReEnable && existingUser.DisabledReason == domain.DisabledReasonLdapMissing {
-				user.Disabled = nil
-				user.DisabledReason = ""
-			} else {
-				user.Disabled = existingUser.Disabled
-				user.DisabledReason = existingUser.DisabledReason
-			}
-			if existingUser.Source == domain.UserSourceLdap && userChangedInLdap(existingUser, user) {
-				err := m.users.SaveUser(tctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
-					u.UpdatedAt = time.Now()
-					u.UpdatedBy = domain.CtxSystemLdapSyncer
-					u.Source = user.Source
-					u.ProviderName = user.ProviderName
-					u.Email = user.Email
-					u.Firstname = user.Firstname
-					u.Lastname = user.Lastname
-					u.Phone = user.Phone
-					u.Department = user.Department
-					u.IsAdmin = user.IsAdmin
-					u.Disabled = nil
-					u.DisabledReason = ""
-
-					return u, nil
-				})
-				if err != nil {
-					cancel()
-					return fmt.Errorf("update error for user id %s: %w", user.Identifier, err)
-				}
-
-				if existingUser.IsDisabled() && !user.IsDisabled() {
-					m.bus.Publish(app.TopicUserEnabled, *user)
-				}
-			}
-		}
-
-		cancel()
+func (m Manager) update(ctx context.Context, existingUser, user *domain.User, keepAuthentications bool) (
+	*domain.User,
+	error,
+) {
+	if err := m.validateModifications(ctx, existingUser, user); err != nil {
+		return nil, fmt.Errorf("update not allowed: %w", err)
 	}
 
-	return nil
+	err := user.HashPassword()
+	if err != nil {
+		return nil, err
+	}
+	if user.Password == "" { // keep old password
+		user.Password = existingUser.Password
+	}
+
+	err = m.users.SaveUser(ctx, existingUser.Identifier, func(u *domain.User) (*domain.User, error) {
+		user.CopyCalculatedAttributes(u, keepAuthentications)
+		return user, nil
+	})
+	if err != nil {
+		return nil, fmt.Errorf("update failure: %w", err)
+	}
+
+	m.bus.Publish(app.TopicUserUpdated, *user)
+
+	switch {
+	case !existingUser.IsDisabled() && user.IsDisabled():
+		m.bus.Publish(app.TopicUserDisabled, *user)
+	case existingUser.IsDisabled() && !user.IsDisabled():
+		m.bus.Publish(app.TopicUserEnabled, *user)
+	}
+
+	return user, nil
 }
 
-func (m Manager) disableMissingLdapUsers(
-	ctx context.Context,
-	providerName string,
-	rawUsers []internal.RawLdapUser,
-	fields *config.LdapFields,
-) error {
-	allUsers, err := m.users.GetAllUsers(ctx)
-	if err != nil {
-		return err
+func (m Manager) create(ctx context.Context, user *domain.User) (*domain.User, error) {
+	if user.Identifier == "" {
+		return nil, errors.New("missing user identifier")
 	}
-	for _, user := range allUsers {
-		if user.Source != domain.UserSourceLdap {
-			continue // ignore non ldap users
-		}
-		if user.ProviderName != providerName {
-			continue // user was synchronized through different provider
-		}
-		if user.IsDisabled() {
-			continue // ignore deactivated
-		}
 
-		existsInLDAP := false
-		for _, rawUser := range rawUsers {
-			userId := domain.UserIdentifier(internal.MapDefaultString(rawUser, fields.UserIdentifier, ""))
-			if user.Identifier == userId {
-				existsInLDAP = true
-				break
-			}
-		}
-
-		if existsInLDAP {
-			continue
-		}
-
-		slog.Debug("user is missing in ldap provider, disabling", "user", user.Identifier, "provider", providerName)
+	existingUser, err := m.users.GetUser(ctx, user.Identifier)
+	if err != nil && !errors.Is(err, domain.ErrNotFound) {
+		return nil, fmt.Errorf("unable to load existing user %s: %w", user.Identifier, err)
+	}
+	if existingUser != nil {
+		return nil, errors.Join(fmt.Errorf("user %s already exists", user.Identifier), domain.ErrDuplicateEntry)
+	}
 
+	// Add default authentication if missing
+	if len(user.Authentications) == 0 {
+		ctxUserInfo := domain.GetUserInfo(ctx)
 		now := time.Now()
-		user.Disabled = &now
-		user.DisabledReason = domain.DisabledReasonLdapMissing
-
-		err := m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
-			u.Disabled = user.Disabled
-			u.DisabledReason = user.DisabledReason
-			return u, nil
-		})
-		if err != nil {
-			return fmt.Errorf("disable error for user id %s: %w", user.Identifier, err)
+		user.Authentications = []domain.UserAuthentication{
+			{
+				BaseModel: domain.BaseModel{
+					CreatedBy: ctxUserInfo.UserId(),
+					UpdatedBy: ctxUserInfo.UserId(),
+					CreatedAt: now,
+					UpdatedAt: now,
+				},
+				UserIdentifier: user.Identifier,
+				Source:         domain.UserSourceDatabase,
+				ProviderName:   "",
+			},
 		}
-
-		m.bus.Publish(app.TopicUserDisabled, user)
 	}
 
-	return nil
+	if err := m.validateCreation(ctx, user); err != nil {
+		return nil, fmt.Errorf("creation not allowed: %w", err)
+	}
+
+	err = user.HashPassword()
+	if err != nil {
+		return nil, err
+	}
+
+	err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
+		return user, nil
+	})
+	if err != nil {
+		return nil, fmt.Errorf("creation failure: %w", err)
+	}
+
+	m.bus.Publish(app.TopicUserCreated, *user)
+
+	return user, nil
 }
+
+// endregion internal-modifiers

internal/app/webhooks/models/user.go

@@ -3,6 +3,7 @@ package models
 import (
 	"time"
 
+	"github.com/h44z/wg-portal/internal"
 	"github.com/h44z/wg-portal/internal/domain"
 )
 
@@ -13,11 +14,10 @@ type User struct {
 	CreatedAt time.Time `json:"CreatedAt"`
 	UpdatedAt time.Time `json:"UpdatedAt"`
 
-	Identifier   string `json:"Identifier"`
-	Email        string `json:"Email"`
-	Source       string `json:"Source"`
-	ProviderName string `json:"ProviderName"`
-	IsAdmin      bool   `json:"IsAdmin"`
+	Identifier  string           `json:"Identifier"`
+	Email       string           `json:"Email"`
+	AuthSources []UserAuthSource `json:"AuthSources"`
+	IsAdmin     bool             `json:"IsAdmin"`
 
 	Firstname  string `json:"Firstname,omitempty"`
 	Lastname   string `json:"Lastname,omitempty"`
@@ -31,8 +31,22 @@ type User struct {
 	LockedReason   string     `json:"LockedReason,omitempty"`
 }
 
+// UserAuthSource represents a single authentication source for a user.
+// For details about the fields, see the domain.UserAuthentication struct.
+type UserAuthSource struct {
+	Source       string `json:"Source"`
+	ProviderName string `json:"ProviderName"`
+}
+
 // NewUser creates a new User model from a domain.User
 func NewUser(src domain.User) User {
+	authSources := internal.Map(src.Authentications, func(authentication domain.UserAuthentication) UserAuthSource {
+		return UserAuthSource{
+			Source:       string(authentication.Source),
+			ProviderName: authentication.ProviderName,
+		}
+	})
+
 	return User{
 		CreatedBy:      src.CreatedBy,
 		UpdatedBy:      src.UpdatedBy,
@@ -40,8 +54,7 @@ func NewUser(src domain.User) User {
 		UpdatedAt:      src.UpdatedAt,
 		Identifier:     string(src.Identifier),
 		Email:          src.Email,
-		Source:         string(src.Source),
-		ProviderName:   src.ProviderName,
+		AuthSources:    authSources,
 		IsAdmin:        src.IsAdmin,
 		Firstname:      src.Firstname,
 		Lastname:       src.Lastname,

internal/app/wireguard/statistics.go

@@ -121,15 +121,25 @@ func (c *StatisticsCollector) collectInterfaceData(ctx context.Context) {
 						"error", err)
 					continue
 				}
+				now := time.Now()
 				err = c.db.UpdateInterfaceStatus(ctx, in.Identifier,
 					func(i *domain.InterfaceStatus) (*domain.InterfaceStatus, error) {
-						i.UpdatedAt = time.Now()
+						td := domain.CalculateTrafficDelta(
+							string(in.Identifier),
+							i.UpdatedAt, now,
+							i.BytesTransmitted, physicalInterface.BytesUpload,
+							i.BytesReceived, physicalInterface.BytesDownload,
+						)
+						i.UpdatedAt = now
 						i.BytesReceived = physicalInterface.BytesDownload
 						i.BytesTransmitted = physicalInterface.BytesUpload
 
 						// Update prometheus metrics
 						go c.updateInterfaceMetrics(*i)
 
+						// Publish stats update event
+						c.bus.Publish(app.TopicInterfaceStatsUpdated, td)
+
 						return i, nil
 					})
 				if err != nil {
@@ -172,6 +182,7 @@ func (c *StatisticsCollector) collectPeerData(ctx context.Context) {
 					slog.Warn("failed to fetch peers for data collection", "interface", in.Identifier, "error", err)
 					continue
 				}
+				now := time.Now()
 				for _, peer := range peers {
 					var connectionStateChanged bool
 					var newPeerStatus domain.PeerStatus
@@ -184,8 +195,15 @@ func (c *StatisticsCollector) collectPeerData(ctx context.Context) {
 								lastHandshake = &peer.LastHandshake
 							}
 
+							td := domain.CalculateTrafficDelta(
+								string(peer.Identifier),
+								p.UpdatedAt, now,
+								p.BytesTransmitted, peer.BytesDownload,
+								p.BytesReceived, peer.BytesUpload,
+							)
+
 							// calculate if session was restarted
-							p.UpdatedAt = time.Now()
+							p.UpdatedAt = now
 							p.LastSessionStart = getSessionStartTime(*p, peer.BytesUpload, peer.BytesDownload,
 								lastHandshake)
 							p.BytesReceived = peer.BytesUpload      // store bytes that where uploaded from the peer and received by the server
@@ -195,7 +213,8 @@ func (c *StatisticsCollector) collectPeerData(ctx context.Context) {
 							p.CalcConnected()
 
 							if wasConnected != p.IsConnected {
-								slog.Debug("peer connection state changed", "peer", peer.Identifier, "connected", p.IsConnected)
+								slog.Debug("peer connection state changed",
+									"peer", peer.Identifier, "connected", p.IsConnected)
 								connectionStateChanged = true
 								newPeerStatus = *p // store new status for event publishing
 							}
@@ -203,6 +222,9 @@ func (c *StatisticsCollector) collectPeerData(ctx context.Context) {
 							// Update prometheus metrics
 							go c.updatePeerMetrics(ctx, *p)
 
+							// Publish stats update event
+							c.bus.Publish(app.TopicPeerStatsUpdated, td)
+
 							return p, nil
 						})
 					if err != nil {

internal/app/wireguard/wireguard_interfaces.go

@@ -374,6 +374,7 @@ func (m Manager) PrepareInterface(ctx context.Context) (*domain.Interface, error
 		SaveConfig:                 m.cfg.Advanced.ConfigStoragePath != "",
 		DisplayName:                string(id),
 		Type:                       domain.InterfaceTypeServer,
+		CreateDefaultPeer:          m.cfg.Core.CreateDefaultPeer,
 		DriverType:                 "",
 		Disabled:                   nil,
 		DisabledReason:             "",
@@ -984,7 +985,26 @@ func (m Manager) importPeer(ctx context.Context, in *domain.Interface, p *domain
 	peer.InterfaceIdentifier = in.Identifier
 	peer.EndpointPublicKey = domain.NewConfigOption(in.PublicKey, true)
 	peer.AllowedIPsStr = domain.NewConfigOption(in.PeerDefAllowedIPsStr, true)
-	peer.Interface.Addresses = p.AllowedIPs // use allowed IP's as the peer IP's TODO: Should this also match server interface address' prefix length?
+
+	// split allowed IP's into interface addresses and extra allowed IP's
+	var interfaceAddresses []domain.Cidr
+	var extraAllowedIPs []domain.Cidr
+	for _, allowedIP := range p.AllowedIPs {
+		isHost := (allowedIP.IsV4() && allowedIP.NetLength == 32) || (!allowedIP.IsV4() && allowedIP.NetLength == 128)
+		isNetworkAddr := allowedIP.Addr == allowedIP.NetworkAddr().Addr
+
+		// Network addresses (e.g. 10.0.0.0/24) will always be extra allowed IP's.
+		// For IP addresses, such as 10.0.0.1/24, it is challenging to tell whether it is an interface address or
+		// an extra allowed IP, therefore we treat such addresses as interface addresses.
+		if !isHost && isNetworkAddr {
+			extraAllowedIPs = append(extraAllowedIPs, allowedIP)
+		} else {
+			interfaceAddresses = append(interfaceAddresses, allowedIP)
+		}
+	}
+	peer.Interface.Addresses = interfaceAddresses
+	peer.ExtraAllowedIPsStr = domain.CidrsToString(extraAllowedIPs)
+
 	peer.Interface.DnsStr = domain.NewConfigOption(in.PeerDefDnsStr, true)
 	peer.Interface.DnsSearchStr = domain.NewConfigOption(in.PeerDefDnsSearchStr, true)
 	peer.Interface.Mtu = domain.NewConfigOption(in.PeerDefMtu, true)

internal/app/wireguard/wireguard_interfaces_test.go

@@ -0,0 +1,94 @@
+package wireguard
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/h44z/wg-portal/internal/domain"
+)
+
+func TestImportPeer_AddressMapping(t *testing.T) {
+	tests := []struct {
+		name                 string
+		allowedIPs           []string
+		expectedInterface    []string
+		expectedExtraAllowed string
+	}{
+		{
+			name:                 "IPv4 host address",
+			allowedIPs:           []string{"10.0.0.1/32"},
+			expectedInterface:    []string{"10.0.0.1/32"},
+			expectedExtraAllowed: "",
+		},
+		{
+			name:                 "IPv6 host address",
+			allowedIPs:           []string{"fd00::1/128"},
+			expectedInterface:    []string{"fd00::1/128"},
+			expectedExtraAllowed: "",
+		},
+		{
+			name:                 "IPv4 network address",
+			allowedIPs:           []string{"10.0.1.0/24"},
+			expectedInterface:    []string{},
+			expectedExtraAllowed: "10.0.1.0/24",
+		},
+		{
+			name:                 "IPv4 normal address with mask",
+			allowedIPs:           []string{"10.0.1.5/24"},
+			expectedInterface:    []string{"10.0.1.5/24"},
+			expectedExtraAllowed: "",
+		},
+		{
+			name: "Mixed addresses",
+			allowedIPs: []string{
+				"10.0.0.1/32", "192.168.1.0/24", "172.16.0.5/24", "fd00::1/128", "fd00:1::/64",
+			},
+			expectedInterface:    []string{"10.0.0.1/32", "172.16.0.5/24", "fd00::1/128"},
+			expectedExtraAllowed: "192.168.1.0/24,fd00:1::/64",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			db := &mockDB{}
+			m := Manager{
+				db: db,
+			}
+
+			iface := &domain.Interface{
+				Identifier: "wg0",
+				Type:       domain.InterfaceTypeServer,
+			}
+
+			allowedIPs := make([]domain.Cidr, len(tt.allowedIPs))
+			for i, s := range tt.allowedIPs {
+				cidr, _ := domain.CidrFromString(s)
+				allowedIPs[i] = cidr
+			}
+
+			p := &domain.PhysicalPeer{
+				Identifier: "peer1",
+				KeyPair:    domain.KeyPair{PublicKey: "peer1-public-key-is-long-enough"},
+				AllowedIPs: allowedIPs,
+			}
+
+			err := m.importPeer(context.Background(), iface, p)
+			assert.NoError(t, err)
+
+			savedPeer := db.savedPeers["peer1"]
+			assert.NotNil(t, savedPeer)
+
+			// Check interface addresses
+			actualInterface := make([]string, len(savedPeer.Interface.Addresses))
+			for i, addr := range savedPeer.Interface.Addresses {
+				actualInterface[i] = addr.String()
+			}
+			assert.ElementsMatch(t, tt.expectedInterface, actualInterface)
+
+			// Check extra allowed IPs
+			assert.Equal(t, tt.expectedExtraAllowed, savedPeer.ExtraAllowedIPsStr)
+		})
+	}
+}

internal/app/wireguard/wireguard_peers.go

@@ -35,6 +35,10 @@ func (m Manager) CreateDefaultPeer(ctx context.Context, userId domain.UserIdenti
 			continue // only create default peers for server interfaces
 		}
 
+		if !iface.CreateDefaultPeer {
+			continue // only create default peers if the interface flag is set
+		}
+
 		peerAlreadyCreated := slices.ContainsFunc(userPeers, func(peer domain.Peer) bool {
 			return peer.InterfaceIdentifier == iface.Identifier
 		})

internal/app/wireguard/wireguard_peers_test.go

@@ -78,7 +78,12 @@ func (f *mockDB) GetInterfaceAndPeers(ctx context.Context, id domain.InterfaceId
 func (f *mockDB) GetPeersStats(ctx context.Context, ids ...domain.PeerIdentifier) ([]domain.PeerStatus, error) {
 	return nil, nil
 }
-func (f *mockDB) GetAllInterfaces(ctx context.Context) ([]domain.Interface, error) { return nil, nil }
+func (f *mockDB) GetAllInterfaces(ctx context.Context) ([]domain.Interface, error) {
+	if f.iface != nil {
+		return []domain.Interface{*f.iface}, nil
+	}
+	return nil, nil
+}
 func (f *mockDB) GetInterfaceIps(ctx context.Context) (map[domain.InterfaceIdentifier][]domain.Cidr, error) {
 	return nil, nil
 }
@@ -192,3 +197,58 @@ func TestCreatePeer_SetsIdentifier_FromPublicKey(t *testing.T) {
 		t.Fatalf("expected peer with identifier %q to be saved in DB", expectedId)
 	}
 }
+
+func TestCreateDefaultPeer_RespectsInterfaceFlag(t *testing.T) {
+	// Arrange
+	cfg := &config.Config{}
+	cfg.Core.CreateDefaultPeer = true
+
+	bus := &mockBus{}
+	ctrlMgr := &ControllerManager{
+		controllers: map[domain.InterfaceBackend]backendInstance{
+			config.LocalBackendName: {Implementation: &mockController{}},
+		},
+	}
+
+	db := &mockDB{
+		iface: &domain.Interface{
+			Identifier:        "wg0",
+			Type:              domain.InterfaceTypeServer,
+			CreateDefaultPeer: false, // Flag is disabled!
+		},
+	}
+
+	m := Manager{
+		cfg: cfg,
+		bus: bus,
+		db:  db,
+		wg:  ctrlMgr,
+	}
+
+	userId := domain.UserIdentifier("user@example.com")
+	ctx := domain.SetUserInfo(context.Background(), &domain.ContextUserInfo{Id: userId, IsAdmin: true})
+
+	// Act
+	err := m.CreateDefaultPeer(ctx, userId)
+
+	// Assert
+	if err != nil {
+		t.Fatalf("CreateDefaultPeer returned error: %v", err)
+	}
+
+	if len(db.savedPeers) != 0 {
+		t.Fatalf("expected no peers to be created because interface flag is false, but got %d", len(db.savedPeers))
+	}
+
+	// Now enable the flag and try again
+	db.iface.CreateDefaultPeer = true
+	err = m.CreateDefaultPeer(ctx, userId)
+
+	if err != nil {
+		t.Fatalf("CreateDefaultPeer returned error after enabling flag: %v", err)
+	}
+
+	if len(db.savedPeers) != 1 {
+		t.Fatalf("expected 1 peer to be created because interface flag is true, but got %d", len(db.savedPeers))
+	}
+}

internal/domain/auth.go

@@ -10,11 +10,12 @@ type LoginProviderInfo struct {
 }
 
 type AuthenticatorUserInfo struct {
-	Identifier UserIdentifier
-	Email      string
-	Firstname  string
-	Lastname   string
-	Phone      string
-	Department string
-	IsAdmin    bool
+	Identifier         UserIdentifier
+	Email              string
+	Firstname          string
+	Lastname           string
+	Phone              string
+	Department         string
+	IsAdmin            bool
+	AdminInfoAvailable bool // true if the IsAdmin flag is valid
 }

internal/domain/context.go

@@ -14,6 +14,7 @@ const (
 	CtxSystemLdapSyncer = "_WG_SYS_LDAP_SYNCER_"
 	CtxSystemWgImporter = "_WG_SYS_WG_IMPORTER_"
 	CtxSystemV1Migrator = "_WG_SYS_V1_MIGRATOR_"
+	CtxSystemDBMigrator = "_WG_SYS_DB_MIGRATOR_"
 )
 
 type ContextUserInfo struct {

internal/domain/interface.go

@@ -53,12 +53,13 @@ type Interface struct {
 	SaveConfig bool // automatically persist config changes to the wgX.conf file
 
 	// WG Portal specific
-	DisplayName    string           // a nice display name/ description for the interface
-	Type           InterfaceType    // the interface type, either InterfaceTypeServer or InterfaceTypeClient
-	Backend        InterfaceBackend // the backend that is used to manage the interface (wgctrl, mikrotik, ...)
-	DriverType     string           // the interface driver type (linux, software, ...)
-	Disabled       *time.Time       `gorm:"index"` // flag that specifies if the interface is enabled (up) or not (down)
-	DisabledReason string           // the reason why the interface has been disabled
+	DisplayName       string           // a nice display name/ description for the interface
+	Type              InterfaceType    // the interface type, either InterfaceTypeServer or InterfaceTypeClient
+	CreateDefaultPeer bool             // if true, default peers will be created for this interface
+	Backend           InterfaceBackend // the backend that is used to manage the interface (wgctrl, mikrotik, ...)
+	DriverType        string           // the interface driver type (linux, software, ...)
+	Disabled          *time.Time       `gorm:"index"` // flag that specifies if the interface is enabled (up) or not (down)
+	DisabledReason    string           // the reason why the interface has been disabled
 
 	// Default settings for the peer, used for new peers, those settings will be published to ConfigOption options of
 	// the peer config

internal/domain/statistics.go

@@ -61,3 +61,25 @@ func (r PingerResult) AverageRtt() time.Duration {
 	}
 	return total / time.Duration(len(r.Rtts))
 }
+
+type TrafficDelta struct {
+	EntityId                  string `json:"EntityId"` // Either peerId or interfaceId
+	BytesReceivedPerSecond    uint64 `json:"BytesReceived"`
+	BytesTransmittedPerSecond uint64 `json:"BytesTransmitted"`
+}
+
+func CalculateTrafficDelta(id string, oldTime, newTime time.Time, oldTx, newTx, oldRx, newRx uint64) TrafficDelta {
+	timeDiff := uint64(newTime.Sub(oldTime).Seconds())
+	if timeDiff == 0 {
+		return TrafficDelta{
+			EntityId:                  id,
+			BytesReceivedPerSecond:    0,
+			BytesTransmittedPerSecond: 0,
+		}
+	}
+	return TrafficDelta{
+		EntityId:                  id,
+		BytesReceivedPerSecond:    (newRx - oldRx) / timeDiff,
+		BytesTransmittedPerSecond: (newTx - oldTx) / timeDiff,
+	}
+}

internal/domain/user.go

@@ -25,6 +25,14 @@ type UserIdentifier string
 
 type UserSource string
 
+type UserAuthentication struct {
+	BaseModel
+
+	UserIdentifier UserIdentifier `gorm:"primaryKey;column:user_identifier"` // sAMAccountName, sub, etc.
+	Source         UserSource     `gorm:"primaryKey;column:source"`
+	ProviderName   string         `gorm:"primaryKey;column:provider_name"`
+}
+
 // User is the user model that gets linked to peer entries, by default an empty user model with only the email address is created
 type User struct {
 	BaseModel
@@ -32,10 +40,15 @@ type User struct {
 	// required fields
 	Identifier   UserIdentifier `gorm:"primaryKey;column:identifier"`
 	Email        string         `form:"email" binding:"required,email"`
-	Source       UserSource
-	ProviderName string
+	Source       UserSource     // deprecated: moved to Authentications.Source
+	ProviderName string         // deprecated: moved to Authentications.ProviderName
 	IsAdmin      bool
 
+	// authentication sources
+	Authentications []UserAuthentication `gorm:"foreignKey:user_identifier"`
+	// synchronization behavior
+	PersistLocalChanges bool `gorm:"column:persist_local_changes"`
+
 	// optional fields
 	Firstname  string `form:"firstname" binding:"omitempty"`
 	Lastname   string `form:"lastname" binding:"omitempty"`
@@ -81,15 +94,19 @@ func (u *User) IsApiEnabled() bool {
 }
 
 func (u *User) CanChangePassword() error {
-	if u.Source == UserSourceDatabase {
-		return nil
+	if slices.ContainsFunc(u.Authentications, func(e UserAuthentication) bool {
+		return e.Source == UserSourceDatabase
+	}) {
+		return nil // password can be changed for database users
 	}
 
 	return errors.New("password change only allowed for database source")
 }
 
 func (u *User) HasWeakPassword(minLength int) error {
-	if u.Source != UserSourceDatabase {
+	if !slices.ContainsFunc(u.Authentications, func(e UserAuthentication) bool {
+		return e.Source == UserSourceDatabase
+	}) {
 		return nil // password is not required for non-database users, so no check needed
 	}
 
@@ -105,13 +122,16 @@ func (u *User) HasWeakPassword(minLength int) error {
 }
 
 func (u *User) EditAllowed(new *User) error {
-	if u.Source == UserSourceDatabase {
-		return nil
+	if len(u.Authentications) == 1 && u.Authentications[0].Source == UserSourceDatabase {
+		return nil // database-only users can be edited always
+	}
+
+	if new.PersistLocalChanges {
+		return nil // if changes will be persisted locally, they can be edited always
 	}
 
 	// for users which are not database users, only the notes field and the disabled flag can be updated
 	updateOk := u.Identifier == new.Identifier
-	updateOk = updateOk && u.Source == new.Source
 	updateOk = updateOk && u.IsAdmin == new.IsAdmin
 	updateOk = updateOk && u.Email == new.Email
 	updateOk = updateOk && u.Firstname == new.Firstname
@@ -120,7 +140,7 @@ func (u *User) EditAllowed(new *User) error {
 	updateOk = updateOk && u.Department == new.Department
 
 	if !updateOk {
-		return errors.New("edit only allowed for database source")
+		return errors.New("edit only allowed for reserved fields")
 	}
 
 	return nil
@@ -131,8 +151,10 @@ func (u *User) DeleteAllowed() error {
 }
 
 func (u *User) CheckPassword(password string) error {
-	if u.Source != UserSourceDatabase {
-		return errors.New("invalid user source")
+	if !slices.ContainsFunc(u.Authentications, func(e UserAuthentication) bool {
+		return e.Source == UserSourceDatabase
+	}) {
+		return errors.New("invalid user source") // password can only be checked for database users
 	}
 
 	if u.IsDisabled() {
@@ -180,9 +202,24 @@ func (u *User) HashPassword() error {
 	return nil
 }
 
-func (u *User) CopyCalculatedAttributes(src *User) {
+func (u *User) CopyCalculatedAttributes(src *User, withAuthentications bool) {
 	u.BaseModel = src.BaseModel
 	u.LinkedPeerCount = src.LinkedPeerCount
+	if withAuthentications {
+		u.Authentications = src.Authentications
+		u.WebAuthnId = src.WebAuthnId
+		u.WebAuthnCredentialList = src.WebAuthnCredentialList
+	}
+}
+
+// MergeAuthSources merges the given authentication sources with the existing ones.
+// Already existing sources are not overwritten, nor will be added any duplicates.
+func (u *User) MergeAuthSources(extSources ...UserAuthentication) {
+	for _, src := range extSources {
+		if !slices.Contains(u.Authentications, src) {
+			u.Authentications = append(u.Authentications, src)
+		}
+	}
 }
 
 // DisplayName returns the display name of the user.

internal/domain/user_test.go

@@ -35,19 +35,25 @@ func TestUser_IsApiEnabled(t *testing.T) {
 }
 
 func TestUser_CanChangePassword(t *testing.T) {
-	user := &User{Source: UserSourceDatabase}
+	user := &User{Authentications: []UserAuthentication{{Source: UserSourceDatabase}}}
 	assert.NoError(t, user.CanChangePassword())
 
-	user.Source = UserSourceLdap
+	user.Authentications = []UserAuthentication{{Source: UserSourceLdap}}
 	assert.Error(t, user.CanChangePassword())
 
-	user.Source = UserSourceOauth
+	user.Authentications = []UserAuthentication{{Source: UserSourceOauth}}
 	assert.Error(t, user.CanChangePassword())
+
+	user.Authentications = []UserAuthentication{{Source: UserSourceLdap}, {Source: UserSourceDatabase}}
+	assert.NoError(t, user.CanChangePassword())
+
+	user.Authentications = []UserAuthentication{{Source: UserSourceOauth}, {Source: UserSourceDatabase}}
+	assert.NoError(t, user.CanChangePassword())
 }
 
 func TestUser_EditAllowed(t *testing.T) {
-	user := &User{Source: UserSourceDatabase}
-	newUser := &User{Source: UserSourceDatabase}
+	user := &User{Authentications: []UserAuthentication{{Source: UserSourceDatabase}}}
+	newUser := &User{Authentications: []UserAuthentication{{Source: UserSourceDatabase}}}
 	assert.NoError(t, user.EditAllowed(newUser))
 
 	newUser.Notes = "notes can be changed"
@@ -59,8 +65,8 @@ func TestUser_EditAllowed(t *testing.T) {
 	newUser.Lastname = "lastname or other fields can be changed"
 	assert.NoError(t, user.EditAllowed(newUser))
 
-	user.Source = UserSourceLdap
-	newUser.Source = UserSourceLdap
+	user.Authentications = []UserAuthentication{{Source: UserSourceLdap}}
+	newUser.Authentications = []UserAuthentication{{Source: UserSourceLdap}}
 	newUser.Disabled = nil
 	newUser.Lastname = ""
 	newUser.Notes = "notes can be changed"
@@ -72,8 +78,8 @@ func TestUser_EditAllowed(t *testing.T) {
 	newUser.Lastname = "lastname or other fields can not be changed"
 	assert.Error(t, user.EditAllowed(newUser))
 
-	user.Source = UserSourceOauth
-	newUser.Source = UserSourceOauth
+	user.Authentications = []UserAuthentication{{Source: UserSourceOauth}}
+	newUser.Authentications = []UserAuthentication{{Source: UserSourceOauth}}
 	newUser.Disabled = nil
 	newUser.Lastname = ""
 	newUser.Notes = "notes can be changed"
@@ -84,6 +90,20 @@ func TestUser_EditAllowed(t *testing.T) {
 
 	newUser.Lastname = "lastname or other fields can not be changed"
 	assert.Error(t, user.EditAllowed(newUser))
+
+	user.Authentications = []UserAuthentication{{Source: UserSourceOauth}, {Source: UserSourceDatabase}}
+	newUser.Authentications = []UserAuthentication{{Source: UserSourceOauth}, {Source: UserSourceDatabase}}
+	newUser.PersistLocalChanges = true
+	newUser.Disabled = nil
+	newUser.Lastname = ""
+	newUser.Notes = "notes can be changed"
+	assert.NoError(t, user.EditAllowed(newUser))
+
+	newUser.Disabled = &time.Time{}
+	assert.NoError(t, user.EditAllowed(newUser))
+
+	newUser.Lastname = "lastname or other fields can be changed"
+	assert.NoError(t, user.EditAllowed(newUser))
 }
 
 func TestUser_DeleteAllowed(t *testing.T) {
@@ -95,13 +115,15 @@ func TestUser_CheckPassword(t *testing.T) {
 	password := "password"
 	hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
 
-	user := &User{Source: UserSourceDatabase, Password: PrivateString(hashedPassword)}
+	user := &User{
+		Authentications: []UserAuthentication{{Source: UserSourceDatabase}}, Password: PrivateString(hashedPassword),
+	}
 	assert.NoError(t, user.CheckPassword(password))
 
 	user.Password = ""
 	assert.Error(t, user.CheckPassword(password))
 
-	user.Source = UserSourceLdap
+	user.Authentications = []UserAuthentication{{Source: UserSourceLdap}}
 	assert.Error(t, user.CheckPassword(password))
 }
 

internal/util.go

@@ -168,3 +168,12 @@ func BoolToFloat64(b bool) float64 {
 	}
 	return 0.0
 }
+
+// Map applies the given function to each element of the given slice and returns the resulting slice
+func Map[T, V any](ts []T, fn func(T) V) []V {
+	result := make([]V, len(ts))
+	for i, t := range ts {
+		result[i] = fn(t)
+	}
+	return result
+}

mkdocs.yml

@@ -81,12 +81,12 @@ nav:
           - Reverse Proxy (HTTPS): documentation/getting-started/reverse-proxy.md
       - Configuration:
           - Overview: documentation/configuration/overview.md
-          - Mail templates: documentation/configuration/mail-templates.md
           - Examples: documentation/configuration/examples.md
       - Usage:
           - General: documentation/usage/general.md
           - Backends: documentation/usage/backends.md
-          - LDAP: documentation/usage/ldap.md
+          - Authentication: documentation/usage/authentication.md
+          - User Management: documentation/usage/user-sync.md
           - Security: documentation/usage/security.md
           - Webhooks: documentation/usage/webhooks.md
           - Mail Templates: documentation/usage/mail-templates.md

scripts/wg-portal.service

@@ -7,11 +7,13 @@ After=network.target
 Type=simple
 User=root
 Group=root
+AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
 
 Restart=on-failure
 RestartSec=10
 
 WorkingDirectory=/opt/wg-portal
+Environment=WG_PORTAL_CONFIG=/opt/wg-portal/config.yml
 ExecStart=/opt/wg-portal/wg-portal-amd64
 
 [Install]