only override isAdmin flag if it is provided by the authentication source

feat: allow multiple auth sources per user (#500,#477)
2026-04-17 13:06:21 +00:00 · 2026-01-19 23:17:56 +01:00 · 2026-01-19 23:00:03 +01:00
92 changed files with 2388 additions and 4316 deletions
--- a/.github/workflows/chart.yml
+++ b/.github/workflows/chart.yml
@@ -20,7 +20,7 @@ jobs:
    runs-on: ubuntu-latest
    if: ${{ github.event_name == 'pull_request' }}
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
@@ -35,7 +35,7 @@ jobs:
      # ct lint requires Python 3.x to run following packages:
      #  - yamale (https://github.com/23andMe/Yamale)
      #  - yamllint (https://github.com/adrienverge/yamllint)
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: '3.x'
@@ -44,7 +44,7 @@ jobs:
      - name: Run chart-testing (lint)
        run: ct lint --config ct.yaml
-      - uses: nolar/setup-k3d-k3s@8bf8d22160e8b1d184dcb780e390d6952a7eec65 # v1.0.10
+      - uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96 # v1.0.9
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -60,9 +60,9 @@ jobs:
    permissions:
      packages: write
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+      - uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -18,13 +18,13 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Check out the repo
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
      - name: Get Version
        shell: bash
@@ -32,14 +32,14 @@ jobs:
      - name: Login to Docker Hub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -47,7 +47,7 @@ jobs:
      - name: Extract metadata (tags, labels) for Docker
        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
        with:
          images: |
            wgportal/wg-portal
@@ -68,7 +68,7 @@ jobs:
            type=semver,pattern=v{{major}}
      - name: Build and push Docker image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
@@ -80,7 +80,7 @@ jobs:
            BUILD_VERSION=${{ env.BUILD_VERSION }}
      - name: Export binaries from images
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/arm/v7
@@ -96,7 +96,7 @@ jobs:
          done
      - name: Upload binaries
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: binaries
          path: binaries/wg-portal_linux*
@@ -110,12 +110,12 @@ jobs:
      contents: write
    steps:
      - name: Download binaries
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: binaries
      - name: Create GitHub Release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          files: 'wg-portal_linux*'
          generate_release_notes: true
--- a/.github/workflows/pages.yml
+++ b/.github/workflows/pages.yml
@@ -15,11 +15,11 @@ jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
        with:
          fetch-depth: 0
-      - uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+      - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0
        with:
          python-version: 3.x
--- a/2
+++ b/2
@@ -20,7 +20,7 @@ RUN npm run build
 ######
 # Build backend
 ######
-FROM --platform=${BUILDPLATFORM} golang:1.26-alpine AS builder
+FROM --platform=${BUILDPLATFORM} golang:1.25-alpine AS builder
 # Set the working directory
 WORKDIR /build
 # Download dependencies
--- a/8
+++ b/8
@@ -1,8 +1,7 @@
 # Go parameters
 GOCMD=go
 GOVERSION=1.25
 MODULENAME=github.com/h44z/wg-portal
-GOFILES=$(shell go list ./... | grep -v /vendor/)
+GOFILES:=$(shell go list ./... | grep -v /vendor/)
 BUILDDIR=dist
 BINARIES=$(subst cmd/,,$(wildcard cmd/*))
 IMAGE=h44z/wg-portal
@@ -52,11 +51,6 @@ format:
 .PHONY: test
 test: test-vet test-race
 #> test-in-docker: Run tests in Docker (for non-Linux environments e.g. MacOS)
 .PHONY: test-in-docker
 test-in-docker:
 	docker run --rm -u $(shell id -u):$(shell id -g) -e HOME=/tmp -v $(PWD):/app -w /app golang:$(GOVERSION) make test
 #< test-vet: Static code analysis
 .PHONY: test-vet
 test-vet: build-dependencies
--- a/cmd/wg-portal/main.go
+++ b/cmd/wg-portal/main.go
@@ -80,7 +80,7 @@ func main() {
 	internal.AssertNoError(err)
 	auditRecorder.StartBackgroundJobs(ctx)
-	userManager, err := users.NewUserManager(cfg, eventBus, database, database, database)
+	userManager, err := users.NewUserManager(cfg, eventBus, database, database)
 	internal.AssertNoError(err)
 	userManager.StartBackgroundJobs(ctx)
@@ -135,7 +135,6 @@ func main() {
 	apiV0EndpointPeers := handlersV0.NewPeerEndpoint(cfg, apiV0Auth, validatorManager, apiV0BackendPeers)
 	apiV0EndpointConfig := handlersV0.NewConfigEndpoint(cfg, apiV0Auth, wireGuard)
 	apiV0EndpointTest := handlersV0.NewTestEndpoint(apiV0Auth)
 	apiV0EndpointWebsocket := handlersV0.NewWebsocketEndpoint(cfg, apiV0Auth, eventBus)
 	apiFrontend := handlersV0.NewRestApi(apiV0Session,
 		apiV0EndpointAuth,
@@ -145,7 +144,6 @@ func main() {
 		apiV0EndpointPeers,
 		apiV0EndpointConfig,
 		apiV0EndpointTest,
 		apiV0EndpointWebsocket,
 	)
 	// endregion API v0 (SPA frontend)
--- a/config.yml.sample
+++ b/config.yml.sample
@@ -6,9 +6,8 @@ advanced:
 core:
  admin_user: test@test.de
  admin_password: secret
-  create_default_peer_on_login: true
+  create_default_peer: true
-  create_default_peer_on_user_creation: false
+  create_default_peer_on_creation: false
  create_default_peer_on_interface_creation: false
 web:
  external_url: http://localhost:8888
@@ -48,7 +47,6 @@ auth:
        - https://www.googleapis.com/auth/userinfo.email
        - https://www.googleapis.com/auth/userinfo.profile
      registration_enabled: true
      logout_idp_session: true
    - id: oidc2
      provider_name: google2
      display_name: Login with</br>Google2
@@ -59,7 +57,6 @@ auth:
        - https://www.googleapis.com/auth/userinfo.email
        - https://www.googleapis.com/auth/userinfo.profile
      registration_enabled: true
      logout_idp_session: true
  oauth:
    - id: google_plain_oauth
      provider_name: google3
--- a/deploy/helm/Chart.yaml
+++ b/deploy/helm/Chart.yaml
@@ -16,7 +16,7 @@ annotations:
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.7.3
+version: 0.7.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
--- a/deploy/helm/README.md
+++ b/deploy/helm/README.md
@@ -1,6 +1,6 @@
 # wg-portal
-![Version: 0.7.3](https://img.shields.io/badge/Version-0.7.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2](https://img.shields.io/badge/AppVersion-v2-informational?style=flat-square)
+![Version: 0.7.2](https://img.shields.io/badge/Version-0.7.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v2](https://img.shields.io/badge/AppVersion-v2-informational?style=flat-square)
 WireGuard Configuration Portal with LDAP, OAuth, OIDC authentication
@@ -41,7 +41,6 @@ The [Values](#values) section lists the parameters that can be configured during
 | config.web | tpl/object | `{}` | [Web configuration](https://wgportal.org/latest/documentation/configuration/overview/#web) options.<br> `listening_address` will be set automatically from `service.web.port`. `external_url` is required to enable ingress and certificate resources. |
 | revisionHistoryLimit | string | `10` | The number of old ReplicaSets to retain to allow rollback. |
 | workloadType | string | `"Deployment"` | Workload type - `Deployment` or `StatefulSet` |
 | replicas | int | `1` | The replicas for the workload. |
 | strategy | object | `{"type":"RollingUpdate"}` | Update strategy for the workload Valid values are:  `RollingUpdate` or `Recreate` for Deployment,  `RollingUpdate` or `OnDelete` for StatefulSet |
 | image.repository | string | `"ghcr.io/h44z/wg-portal"` | Image repository |
 | image.pullPolicy | string | `"IfNotPresent"` | Image pull policy |
@@ -75,15 +74,12 @@ The [Values](#values) section lists the parameters that can be configured during
 | service.web.type | string | `"ClusterIP"` | Web service type |
 | service.web.port | int | `8888` | Web service port Used for the web interface listener |
 | service.web.appProtocol | string | `"http"` | Web service appProtocol. Will be auto set to `https` if certificate is enabled. |
 | service.web.extraSelectorLabels | object | `{}` | Extra labels to append to the selector labels. |
 | service.wireguard.annotations | object | `{}` | Annotations for the WireGuard service |
 | service.wireguard.type | string | `"LoadBalancer"` | Wireguard service type |
 | service.wireguard.ports | list | `[51820]` | Wireguard service ports. Exposes the WireGuard ports for created interfaces. Lowerest port is selected as start port for the first interface. Increment next port by 1 for each additional interface. |
 | service.wireguard.extraSelectorLabels | object | `{}` | Extra labels to append to the selector labels. |
 | service.metrics.port | int | `8787` |  |
 | ingress.enabled | bool | `false` | Specifies whether an ingress resource should be created |
 | ingress.className | string | `""` | Ingress class name |
 | ingress.pathType | string | `"ImplementationSpecific"` | Ingress pathType value. Valid values are `ImplementationSpecific`, `Exact` or `Prefix`. |
 | ingress.annotations | object | `{}` | Ingress annotations |
 | ingress.tls | bool | `false` | Ingress TLS configuration. Enable certificate resource or add ingress annotation to create required secret |
 | certificate.enabled | bool | `false` | Specifies whether a certificate resource should be created. If enabled, certificate will be used for the web. |
--- a/deploy/helm/templates/_service.tpl
+++ b/deploy/helm/templates/_service.tpl
@@ -49,7 +49,7 @@ spec:
  {{- with .scope.type }}
  type: {{ . }}
  {{- end }}
-  selector: {{- include "wg-portal.util.merge" (list .context .scope.extraSelectorLabels "wg-portal.selectorLabels") | nindent 4 }}
+  selector: {{- include "wg-portal.selectorLabels" .context | nindent 4 }}
 {{- end -}}
 {{/*
--- a/deploy/helm/templates/deployment.yaml
+++ b/deploy/helm/templates/deployment.yaml
@@ -8,9 +8,6 @@ spec:
  {{- with .Values.revisionHistoryLimit }}
  revisionHistoryLimit: {{ . }}
  {{- end }}
  {{- with .Values.replicas }}
  replicas: {{ . }}
  {{- end }}
  {{- with .Values.strategy }}
  strategy: {{- toYaml . | nindent 4 }}
  {{- end }}
--- a/deploy/helm/templates/ingress.yaml
+++ b/deploy/helm/templates/ingress.yaml
@@ -15,7 +15,7 @@ spec:
      http:
        paths:
          - path: {{ default "/" (urlParse (tpl .Values.config.web.external_url .)).path }}
-            pathType: {{ default "ImplementationSpecific" .Values.ingress.pathType }}
+            pathType: {{ default "ImplementationSpecific" .pathType }}
            backend:
              service:
                name: {{ include "wg-portal.fullname" . }}
--- a/deploy/helm/templates/statefulset.yaml
+++ b/deploy/helm/templates/statefulset.yaml
@@ -8,9 +8,6 @@ spec:
  {{- with .Values.revisionHistoryLimit }}
  revisionHistoryLimit: {{ . }}
  {{- end }}
  {{- with .Values.replicas }}
  replicas: {{ . }}
  {{- end }}
  {{- with .Values.strategy }}
  updateStrategy: {{- toYaml . | nindent 4 }}
  {{- end }}
--- a/deploy/helm/values.yaml
+++ b/deploy/helm/values.yaml
@@ -35,9 +35,6 @@ config:
 revisionHistoryLimit: ""
 # -- Workload type - `Deployment` or `StatefulSet`
 workloadType: Deployment
 # -- The replicas for the workload.
 # @default -- `1`
 replicas: 1
 # -- Update strategy for the workload
 # Valid values are:
 #  `RollingUpdate` or `Recreate` for Deployment,
@@ -127,8 +124,6 @@ service:
    port: 8888
    # -- Web service appProtocol. Will be auto set to `https` if certificate is enabled.
    appProtocol: http
    # -- Extra labels to append to the selector labels.
    extraSelectorLabels: {}
  wireguard:
    # -- Annotations for the WireGuard service
    annotations: {}
@@ -140,8 +135,6 @@ service:
    # Increment next port by 1 for each additional interface.
    ports:
      - 51820
    # -- Extra labels to append to the selector labels.
    extraSelectorLabels: {}
  metrics:
    port: 8787
@@ -150,10 +143,6 @@ ingress:
  enabled: false
  # -- Ingress class name
  className: ""
  # -- Ingress pathType value.
  # Valid values are `ImplementationSpecific`, `Exact` or `Prefix`.
  # @default -- `"ImplementationSpecific"`
  pathType: "ImplementationSpecific"
  # -- Ingress annotations
  annotations: {}
  # -- Ingress TLS configuration.
--- a/docs/documentation/configuration/examples.md
+++ b/docs/documentation/configuration/examples.md
@@ -8,7 +8,7 @@ core:
  admin_password: password
  admin_api_token: super-s3cr3t-api-token-or-a-UUID
  import_existing: false
-  create_default_peer_on_login: true
+  create_default_peer: true
  self_provisioning_allowed: true
 backend:
@@ -86,9 +86,6 @@ auth:
        memberof: memberOf
      admin_group: CN=WireGuardAdmins,OU=Some-OU,DC=COMPANY,DC=LOCAL
      registration_enabled: true
      # Restrict interface access based on LDAP filters
      interface_filter:
        wg0: "(memberOf=CN=VPNUsers,OU=Groups,DC=COMPANY,DC=LOCAL)"
      log_user_info: true
 ```
@@ -144,9 +141,6 @@ auth:
      extra_scopes:
        - https://www.googleapis.com/auth/userinfo.email
        - https://www.googleapis.com/auth/userinfo.profile
      allowed_user_groups:
        - the-admin-group
        - vpn-users
      field_map:
        user_identifier: sub
        email: email
@@ -204,9 +198,6 @@ auth:
        - email
        - profile
        - i-want-some-groups
      allowed_user_groups:
        - admin-group-name
        - vpn-users
      field_map:
        email: email
        firstname: name
--- a/docs/documentation/configuration/overview.md
+++ b/docs/documentation/configuration/overview.md
@@ -28,7 +28,6 @@ core:
 backend:
  default: local
  rekey_timeout_interval: 125s
  local_resolvconf_prefix: tun.
 advanced:
@@ -155,33 +154,17 @@ More advanced options are found in the subsequent `Advanced` section.
 - **Environment Variable:** `WG_PORTAL_CORE_EDITABLE_KEYS`
 - **Description:** Allow editing of WireGuard key-pairs directly in the UI.
-### `create_default_peer` (deprecated)
+### `create_default_peer`
 - **Default:** `false`
 - **Environment Variable:** `WG_PORTAL_CORE_CREATE_DEFAULT_PEER`
 - **Description:** **DEPRECATED** in favor of [create_default_peer_on_login](#create_default_peer_on_login). If set to `true`, this option is equivalent to enabling `create_default_peer_on_login`. It will be removed in a future release (2.4).
 ### `create_default_peer_on_creation` (deprecated)
 - **Default:** `false`
 - **Environment Variable:** `WG_PORTAL_CORE_CREATE_DEFAULT_PEER_ON_CREATION`
 - **Description:** **DEPRECATED** in favor of [create_default_peer_on_user_creation](#create_default_peer_on_user_creation) and [create_default_peer_on_interface_creation](#create_default_peer_on_interface_creation). If set to `true`, both of those options are enabled. It will be removed in a future release (2.4).
 ### `create_default_peer_on_login`
 - **Default:** `false`
 - **Environment Variable:** `WG_PORTAL_CORE_CREATE_DEFAULT_PEER`
 - **Description:** If a user logs in for the first time with no existing peers, automatically create a new WireGuard peer for all server interfaces where the "Create default peer" flag is set.
 - **Important:** This option is only effective for interfaces where the "Create default peer" flag is set (via the UI).
-### `create_default_peer_on_user_creation`
+### `create_default_peer_on_creation`
 - **Default:** `false`
- **Environment Variable:** `WG_PORTAL_CORE_CREATE_DEFAULT_PEER_ON_USER_CREATION`
+- **Environment Variable:** `WG_PORTAL_CORE_CREATE_DEFAULT_PEER_ON_CREATION`
- **Description:** If a new user is created (e.g., through LDAP sync or registration) and has no peers, automatically create a new WireGuard peer for all server interfaces where the "Create default peer" flag is set.
+- **Description:** If an LDAP user is created (e.g., through LDAP sync) and has no peers, automatically create a new WireGuard peer for all server interfaces where the "Create default peer" flag is set.
- **Important:** This option is only effective for interfaces where the "Create default peer" flag is set (via the UI).
+- **Important:** This option requires [create_default_peer](#create_default_peer) to be enabled.
 ### `create_default_peer_on_interface_creation`
 - **Default:** `false`
 - **Environment Variable:** `WG_PORTAL_CORE_CREATE_DEFAULT_PEER_ON_INTERFACE_CREATION`
 - **Description:** When a new server interface is created with the "Create default peer" flag set, automatically create a default WireGuard peer on that interface for every existing user who does not yet have a peer on it.
 - **Important:** This option is only effective for interfaces where the "Create default peer" flag is set (via the UI).
 ### `re_enable_peer_after_user_enable`
 - **Default:** `true`
@@ -220,13 +203,6 @@ The current MikroTik backend is in **BETA** and may not support all features.
 - **Description:** The default backend to use for managing WireGuard interfaces. 
  Valid options are: `local`, or other backend id's configured in the `mikrotik` section.
 ### `rekey_timeout_interval`
 - **Default:** `180s`
 - **Environment Variable:** `WG_PORTAL_BACKEND_REKEY_TIMEOUT_INTERVAL`
 - **Description:** The interval after which a WireGuard peer is considered disconnected if no handshake updates are received. 
  This corresponds to the WireGuard rekey timeout setting of 120 seconds plus a 60-second buffer to account for latency or retry handling.
  Uses Go duration format (e.g., `10s`, `1m`). If omitted, a default of 180 seconds is used.
 ### `local_resolvconf_prefix`
 - **Default:** `tun.`
 - **Environment Variable:** `WG_PORTAL_BACKEND_LOCAL_RESOLVCONF_PREFIX`
@@ -577,10 +553,6 @@ Below are the properties for each OIDC provider entry inside `auth.oidc`:
 - **Default:** *(empty)*
 - **Description:** A list of allowlisted domains. Only users with email addresses in these domains can log in or register. This is useful for restricting access to specific organizations or groups.
 #### `allowed_user_groups`
 - **Default:** *(empty)*
 - **Description:** A list of allowlisted user groups. If configured, at least one entry in the mapped `user_groups` claim must match one of these values.
 #### `field_map`
 - **Default:** *(empty)*
 - **Description:** Maps OIDC claims to WireGuard Portal user fields. 
@@ -616,10 +588,6 @@ Below are the properties for each OIDC provider entry inside `auth.oidc`:
 - **Description:** If `true`, sensitive OIDC user data, such as tokens and raw responses, will be logged at the trace level upon login (for debugging).
 - **Important:** Keep this setting disabled in production environments! Remove logs once you finished debugging authentication issues.
 #### `logout_idp_session`
 - **Default:** `true`
 - **Description:** If `true` (default), WireGuard Portal will redirect the user to the OIDC provider's `end_session_endpoint` after local logout, terminating the session at the IdP as well. Set to `false` to only invalidate the local WireGuard Portal session without touching the IdP session.
 ---
 ### OAuth
@@ -663,10 +631,6 @@ Below are the properties for each OAuth provider entry inside `auth.oauth`:
 - **Default:** *(empty)*
 - **Description:** A list of allowlisted domains. Only users with email addresses in these domains can log in or register. This is useful for restricting access to specific organizations or groups.
 #### `allowed_user_groups`
 - **Default:** *(empty)*
 - **Description:** A list of allowlisted user groups. If configured, at least one entry in the mapped `user_groups` claim must match one of these values.
 #### `field_map`
 - **Default:** *(empty)*
 - **Description:** Maps OAuth attributes to WireGuard Portal fields.
@@ -770,16 +734,6 @@ Below are the properties for each LDAP provider entry inside `auth.ldap`:
 - **Important**: The `login_filter` must always be a valid LDAP filter. It should at most return one user. 
  If the filter returns multiple or no users, the login will fail.
 #### `interface_filter`
 - **Default:** *(empty)*
 - **Description:** A map of LDAP filters to restrict access to specific WireGuard interfaces. The map keys are the interface identifiers (e.g., `wg0`), and the values are LDAP filters. Only users matching the filter will be allowed to provision peers for the respective interface.
  For example:
  ```yaml
  interface_filter:
    wg0: "(memberOf=CN=VPNUsers,OU=Groups,DC=COMPANY,DC=LOCAL)"
    wg1: "(description=special-access)"
  ```
 #### `admin_group`
 - **Default:** *(empty)*
 - **Description:** A specific LDAP group whose members are considered administrators in WireGuard Portal.
--- a/docs/documentation/getting-started/docker.md
+++ b/docs/documentation/getting-started/docker.md
@@ -35,14 +35,6 @@ WireGuard Portal supports managing WireGuard interfaces through three distinct d
   > :warning: If host networking is used, the WireGuard Portal UI will be accessible on all the host's IP addresses if the listening address is set to `:8888` in the configuration file.
   To avoid this, you can bind the listening address to a specific IP address, for example, the loopback address (`127.0.0.1:8888`). It is also possible to deploy firewall rules to restrict access to the WireGuard Portal UI.
   > :warning: If the host is running **systemd-networkd**, routes managed by WireGuard Portal may be removed whenever systemd-networkd restarts, as it will clean up routes it considers "foreign". To prevent this, add the following to your host's network configuration (e.g. `/etc/systemd/networkd.conf` or a drop-in file):
   > ```ini
   > [Network]
   > ManageForeignRoutingPolicyRules=no
   > ManageForeignRoutes=no
   > ```
   > After editing, reload the configuration with `sudo systemctl restart systemd-networkd`. For more information refer to the [systemd-networkd documentation](https://www.freedesktop.org/software/systemd/man/latest/networkd.conf.html#ManageForeignRoutes=).
 - **Within the WireGuard Portal Docker container**: 
   WireGuard interfaces can be managed directly from within the WireGuard Portal container itself.
   This is the recommended approach when running WireGuard Portal via Docker, as it encapsulates all functionality in a single, portable container without requiring a separate WireGuard host or image.
--- a/docs/documentation/getting-started/sources.md
+++ b/docs/documentation/getting-started/sources.md
@@ -4,7 +4,7 @@ To build the application from source files, use the Makefile provided in the rep
 - [Git](https://git-scm.com/downloads)
 - [Make](https://www.gnu.org/software/make/)
- [Go](https://go.dev/dl/): `>=1.25.0`
+- [Go](https://go.dev/dl/): `>=1.24.0`
 - [Node.js with npm](https://nodejs.org/en/download): `node>=18, npm>=9`
 ## Build
--- a/docs/documentation/usage/authentication.md
+++ b/docs/documentation/usage/authentication.md
@@ -66,40 +66,6 @@ auth:
        - "outlook.com"
 ```
 #### Limiting Login to Specific User Groups
 You can limit the login to specific user groups by setting the `allowed_user_groups` property for OAuth2 or OIDC providers.
 If this property is not empty, the user's `user_groups` claim must contain at least one matching group.
 To use this feature, ensure your group claim is mapped via `field_map.user_groups`.
 ```yaml
 auth:
  oidc:
    - provider_name: "oidc1"
      # ... other settings
      allowed_user_groups:
        - "wg-users"
        - "wg-admins"
      field_map:
        user_groups: "groups"
 ```
 If `allowed_user_groups` is configured and the authenticated user has no matching group in `user_groups`, login is denied.
 Minimal deny-by-group example:
 ```yaml
 auth:
  oauth:
    - provider_name: "oauth1"
      # ... other settings
      allowed_user_groups:
        - "vpn-users"
      field_map:
        user_groups: "groups"
 ```
 #### Limit Login to Existing Users
 You can limit the login to existing users only by setting the `registration_enabled` property to `false` for OAuth2 or OIDC providers.
@@ -181,26 +147,6 @@ You can map users to admin roles based on their group membership in the LDAP ser
 The `admin_group` property defines the distinguished name of the group that is allowed to log in as admin.
 All groups that are listed in the `memberof` attribute of the user will be checked against this group. If one of the groups matches, the user is granted admin access.
 ### Interface-specific Provisioning Filters
 You can restrict which users are allowed to provision peers for specific WireGuard interfaces by setting the `interface_filter` property.
 This property is a map where each key corresponds to a WireGuard interface identifier, and the value is an LDAP filter.
 A user will only be able to see and provision peers for an interface if they match the specified LDAP filter for that interface.
 Example:
 ```yaml
 auth:
  ldap:
    - provider_name: "ldap1"
      # ... other settings
      interface_filter:
        wg0: "(memberOf=CN=VPNUsers,OU=Groups,DC=COMPANY,DC=LOCAL)"
        wg1: "(department=IT)"
 ```
 This feature works by materializing the list of authorized users for each interface during the periodic LDAP synchronization.
 Even if a user bypasses the UI, the backend will enforce these restrictions at the service layer.
 ## User Synchronization
--- a/docs/documentation/usage/user-sync.md
+++ b/docs/documentation/usage/user-sync.md
@@ -44,11 +44,3 @@ All peers associated with that user will also be disabled.
 If you want a user and its peers to be automatically re-enabled once they are found in LDAP again, set the `auto_re_enable` property to `true`.
 This will only re-enable the user if they were disabled by the synchronization process. Manually disabled users will not be re-enabled.
 ##### Interface-specific Access Materialization
 If `interface_filter` is configured in the LDAP provider, the synchronization process will evaluate these filters for each enabled user.
 The results are materialized in the `interfaces` table of the database in a hidden field. 
 This materialized list is used by the backend to quickly determine if a user has permission to provision peers for a specific interface, without having to query the LDAP server for every request.
 The list is refreshed every time the LDAP synchronization runs.
 For more details on how to configure these filters, see the [Authentication](./authentication.md#interface-specific-provisioning-filters) section.
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -14,7 +14,7 @@
      let WGPORTAL_SITE_TITLE="WireGuard Portal";
      let WGPORTAL_SITE_COMPANY_NAME="WireGuard Portal";
    </script>
-    <script src="/api/v0/config/frontend.js" vite-ignore></script>
+    <script src="/api/v0/config/frontend.js"></script>
  </head>
  <body class="d-flex flex-column min-vh-100">
    <noscript>
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -9,28 +9,28 @@
  },
  "dependencies": {
    "@fontsource/nunito-sans": "^5.2.7",
-    "@fortawesome/fontawesome-free": "^7.2.0",
+    "@fortawesome/fontawesome-free": "^7.1.0",
    "@kyvg/vue3-notification": "^3.4.2",
    "@popperjs/core": "^2.11.8",
-    "@simplewebauthn/browser": "^13.3.0",
+    "@simplewebauthn/browser": "^13.2.2",
-    "@vojtechlanka/vue-tags-input": "^3.1.2",
+    "@vojtechlanka/vue-tags-input": "^3.1.1",
    "bootstrap": "^5.3.8",
    "bootswatch": "^5.3.8",
-    "cidr-tools": "^11.3.2",
+    "cidr-tools": "^11.0.3",
    "flag-icons": "^7.5.0",
    "ip-address": "^10.1.0",
-    "is-cidr": "^6.0.3",
+    "is-cidr": "^6.0.1",
    "is-ip": "^5.0.1",
    "pinia": "^3.0.4",
    "prismjs": "^1.30.0",
-    "vue": "^3.5.32",
+    "vue": "^3.5.25",
-    "vue-i18n": "^11.3.2",
+    "vue-i18n": "^11.2.2",
    "vue-prism-component": "github:h44z/vue-prism-component",
-    "vue-router": "^5.0.4"
+    "vue-router": "^4.6.3"
  },
  "devDependencies": {
-    "@vitejs/plugin-vue": "^6.0.6",
+    "@vitejs/plugin-vue": "^6.0.2",
-    "sass-embedded": "^1.99.0",
+    "sass-embedded": "^1.93.3",
-    "vite": "^8.0.8"
+    "vite": "^7.2.7"
  }
 }
--- a/frontend/src/components/InterfaceEditModal.vue
+++ b/frontend/src/components/InterfaceEditModal.vue
@@ -53,7 +53,6 @@ const formData = ref(freshInterface())
 const isSaving = ref(false)
 const isDeleting = ref(false)
 const isApplyingDefaults = ref(false)
 const isCreatingDefaultPeers = ref(false)
 const isBackendValid = computed(() => {
  if (!props.visible || !selectedInterface.value) {
@@ -314,42 +313,8 @@ async function applyPeerDefaults() {
  }
 }
 async function createDefaultPeers() {
  if (props.interfaceId==='#NEW#') {
    return; // do nothing for new interfaces
  }
  if (!formData.value.CreateDefaultPeer) {
    return; // only allowed if the interface flag is set
  }
  if (isCreatingDefaultPeers.value) return
  isCreatingDefaultPeers.value = true
  try {
    await interfaces.CreateDefaultPeers(selectedInterface.value.Identifier)
    notify({
      title: "Default Peers Created",
      text: "Created default peers for all users on this interface.",
      type: 'success',
    })
    await peers.LoadPeers(selectedInterface.value.Identifier) // reload peers list
  } catch (e) {
    console.log(e)
    notify({
      title: "Failed to create default peers!",
      text: e.toString(),
      type: 'error',
    })
  } finally {
    isCreatingDefaultPeers.value = false
  }
 }
 async function del() {
  if (isDeleting.value) return
  if (!confirm(t('modals.interface-edit.confirm-delete', {id: selectedInterface.value.Identifier}))) return
  isDeleting.value = true
  try {
    await interfaces.DeleteInterface(selectedInterface.value.Identifier)
@@ -524,16 +489,10 @@ async function del() {
              <input v-model="formData.Disabled" class="form-check-input" type="checkbox">
              <label class="form-check-label">{{ $t('modals.interface-edit.disabled.label') }}</label>
            </div>
-            <div class="d-flex align-items-center justify-content-between" v-if="formData.Mode==='server' && settings.Setting('CreateDefaultPeer')">
+            <div class="form-check form-switch" v-if="formData.Mode==='server' && settings.Setting('CreateDefaultPeer')">
              <div class="form-check form-switch mb-0">
              <input v-model="formData.CreateDefaultPeer" class="form-check-input" type="checkbox">
              <label class="form-check-label">{{ $t('modals.interface-edit.create-default-peer.label') }}</label>
            </div>
              <button v-if="props.interfaceId!=='#NEW#'" class="btn btn-primary btn-sm" type="button" @click.prevent="createDefaultPeers" :disabled="!formData.CreateDefaultPeer || isCreatingDefaultPeers">
                <span v-if="isCreatingDefaultPeers" class="spinner-border spinner-border-sm me-1" role="status" aria-hidden="true"></span>
                {{ $t('modals.interface-edit.button-create-default-peers') }}
              </button>
            </div>
            <div class="form-check form-switch" v-if="formData.Backend==='local'">
              <input v-model="formData.SaveConfig" checked="" class="form-check-input" type="checkbox">
              <label class="form-check-label">{{ $t('modals.interface-edit.save-config.label') }}</label>
--- a/frontend/src/components/Modal.vue
+++ b/frontend/src/components/Modal.vue
@@ -26,13 +26,13 @@
  display:block;
 }
 .modal.show {
-  opacity: 1.0;
+  opacity: 1;
 }
 .modal-backdrop {
  background-color: rgba(0,0,0,0.6) !important;
 }
 .modal-backdrop.show {
-  opacity: 1.0 !important;
+  opacity: 1 !important;
 }
 </style>
--- a/frontend/src/components/Pagination.vue
+++ b/frontend/src/components/Pagination.vue
@@ -1,121 +0,0 @@
 <script setup>
 import { computed } from 'vue';
 const props = defineProps({
  currentPage: {
    type: Number,
    required: true
  },
  totalCount: {
    type: Number,
    required: true
  },
  pageSize: {
    type: Number,
    required: true
  },
  onGotoPage: {
    type: Function,
    required: true
  },
  onNextPage: {
    type: Function,
    required: true
  },
  onPrevPage: {
    type: Function,
    required: true
  },
  hasNextPage: {
    type: Boolean,
    required: true
  },
  hasPrevPage: {
    type: Boolean,
    required: true
  }
 });
 const totalPages = computed(() => Math.ceil(props.totalCount / props.pageSize));
 const pages = computed(() => {
  const current = props.currentPage;
  const last = totalPages.value;
  const delta = 2; // Number of pages to show before and after current page
  const range = [];
  const rangeWithDots = [];
  // If total pages is small, just show all pages
  if (last <= 7) {
    for (let i = 1; i <= last; i++) {
      rangeWithDots.push({ type: 'page', value: i });
    }
    return rangeWithDots;
  }
  // Calculate the range around the current page
  let start = Math.max(2, current - delta);
  let end = Math.min(last - 1, current + delta);
  // Adjust range to always show a consistent number of pages if possible
  if (current <= delta + 2) {
    end = 2 + delta * 2;
  } else if (current >= last - delta - 1) {
    start = last - delta * 2 - 1;
  }
  // Add dots before the range if needed
  if (start > 2) {
    rangeWithDots.push({ type: 'page', value: 1 });
    rangeWithDots.push({ type: 'dots', value: 'dots-start' });
  } else {
    for (let i = 1; i < start; i++) {
      rangeWithDots.push({ type: 'page', value: i });
    }
  }
  // Add the central range
  for (let i = start; i <= end; i++) {
    rangeWithDots.push({ type: 'page', value: i });
  }
  // Add dots after the range if needed
  if (end < last - 1) {
    rangeWithDots.push({ type: 'dots', value: 'dots-end' });
    rangeWithDots.push({ type: 'page', value: last });
  } else {
    for (let i = end + 1; i <= last; i++) {
      rangeWithDots.push({ type: 'page', value: i });
    }
  }
  return rangeWithDots;
 });
 </script>
 <template>
  <ul class="pagination pagination-sm mb-0" v-if="totalPages > 1">
    <li :class="{ disabled: !hasPrevPage }" class="page-item">
      <a class="page-link" href="#" @click.prevent="hasPrevPage && onPrevPage()">&laquo;</a>
    </li>
    <li v-for="item in pages" :key="item.type === 'page' ? item.value : item.value" :class="{ active: currentPage === item.value, disabled: item.type === 'dots' }" class="page-item">
      <a v-if="item.type === 'page'" class="page-link" href="#" @click.prevent="onGotoPage(item.value)">{{ item.value }}</a>
      <span v-else class="page-link">...</span>
    </li>
    <li :class="{ disabled: !hasNextPage }" class="page-item">
      <a class="page-link" href="#" @click.prevent="hasNextPage && onNextPage()">&raquo;</a>
    </li>
  </ul>
 </template>
 <style scoped>
 .page-link {
  cursor: pointer;
 }
 .page-item.disabled .page-link {
  cursor: default;
 }
 </style>
--- a/frontend/src/components/PeerEditModal.vue
+++ b/frontend/src/components/PeerEditModal.vue
@@ -294,7 +294,6 @@ async function save() {
 async function del() {
  if (isDeleting.value) return
  if (!confirm(t('modals.peer-edit.confirm-delete', {id: selectedPeer.value.Identifier}))) return
  isDeleting.value = true
  try {
    await peers.DeletePeer(selectedPeer.value.Identifier)
--- a/frontend/src/components/UserEditModal.vue
+++ b/frontend/src/components/UserEditModal.vue
@@ -114,7 +114,6 @@ async function save() {
 async function del() {
  if (isDeleting.value) return
  if (!confirm(t('modals.user-edit.confirm-delete', {id: selectedUser.value.Identifier}))) return
  isDeleting.value = true
  try {
    await users.DeleteUser(selectedUser.value.Identifier)
--- a/frontend/src/helpers/websocket-wrapper.js
+++ b/frontend/src/helpers/websocket-wrapper.js
@@ -1,86 +0,0 @@
 import { peerStore } from '@/stores/peers';
 import { interfaceStore } from '@/stores/interfaces';
 import { authStore } from '@/stores/auth';
 let socket = null;
 let reconnectTimer = null;
 let failureCount = 0;
 export const websocketWrapper = {
    connect() {
        if (socket) {
            console.log('WebSocket already connected, re-using existing connection.');
            return;
        }
        const protocol = WGPORTAL_BACKEND_BASE_URL.startsWith('https://') ? 'wss://' : 'ws://';
        const baseUrl = WGPORTAL_BACKEND_BASE_URL.replace(/^https?:\/\//, '');
        const url = `${protocol}${baseUrl}/ws`;
        socket = new WebSocket(url);
        socket.onopen = () => {
            console.log('WebSocket connected');
            failureCount = 0;
            if (reconnectTimer) {
                clearInterval(reconnectTimer);
                reconnectTimer = null;
            }
        };
        socket.onclose = () => {
            console.log('WebSocket disconnected');
            failureCount++;
            socket = null;
            this.scheduleReconnect();
        };
        socket.onerror = (error) => {
            console.error('WebSocket error:', error);
            failureCount++;
            socket.close();
            socket = null;
        };
        socket.onmessage = (event) => {
            const message = JSON.parse(event.data);
            switch (message.type) {
                case 'peer_stats':
                    peerStore().updatePeerTrafficStats(message.data);
                    break;
                case 'interface_stats':
                    interfaceStore().updateInterfaceTrafficStats(message.data);
                    break;
            }
        };
    },
    disconnect() {
        if (socket) {
            socket.close();
            socket = null;
        }
        if (reconnectTimer) {
            clearInterval(reconnectTimer);
            reconnectTimer = null;
            failureCount = 0;
        }
    },
    scheduleReconnect() {
        if (reconnectTimer) return;
        if (!authStore().IsAuthenticated) return; // Don't reconnect if not logged in
        reconnectTimer = setInterval(() => {
            if (failureCount > 2) {
                console.log('WebSocket connection unavailable, giving up.');
                clearInterval(reconnectTimer);
                reconnectTimer = null;
                return;
            }
            console.log('Attempting to reconnect WebSocket...');
            this.connect();
        }, 5000);
    }
 };
--- a/frontend/src/lang/translations/de.json
+++ b/frontend/src/lang/translations/de.json
@@ -382,8 +382,7 @@
      "persist-local-changes": {
        "label": "Lokale Änderungen speichern"
      },
-      "sync-warning": "Um diesen synchronisierten Benutzer zu bearbeiten, aktivieren Sie die lokale Änderungsspeicherung. Andernfalls werden Ihre Änderungen bei der nächsten Synchronisierung überschrieben.",
+      "sync-warning": "Um diesen synchronisierten Benutzer zu bearbeiten, aktivieren Sie die lokale Änderungsspeicherung. Andernfalls werden Ihre Änderungen bei der nächsten Synchronisierung überschrieben."
      "confirm-delete": "Benutzer '{id}' wirklich löschen?"
    },
    "interface-view": {
      "headline": "Konfiguration für Schnittstelle:"
@@ -504,9 +503,7 @@
          "placeholder": "Persistentes Keepalive (0 = Standard)"
        }
      },
-      "button-apply-defaults": "Peer-Standardeinstellungen anwenden",
+      "button-apply-defaults": "Peer-Standardeinstellungen anwenden"
      "button-create-default-peers": "Standard-Peers erstellen",
      "confirm-delete": "Interface '{id}' wirklich löschen?"
    },
    "peer-view": {
      "headline-peer": "Peer:",
@@ -628,8 +625,7 @@
      },
      "expires-at": {
        "label": "Ablaufdatum"
-      },
+      }
      "confirm-delete": "Peer '{id}' wirklich löschen?"
    },
    "peer-multi-create": {
      "headline-peer": "Mehrere Peers erstellen",
--- a/frontend/src/lang/translations/en.json
+++ b/frontend/src/lang/translations/en.json
@@ -382,8 +382,7 @@
      "persist-local-changes": {
        "label": "Persist local changes"
      },
-      "sync-warning": "To modify this synchronized user, enable local change persistence. Otherwise, your changes will be overwritten during the next synchronization.",
+      "sync-warning": "To modify this synchronized user, enable local change persistence. Otherwise, your changes will be overwritten during the next synchronization."
      "confirm-delete": "Are you sure you want to delete user '{id}'?"
    },
    "interface-view": {
      "headline": "Config for Interface:"
@@ -504,9 +503,8 @@
          "placeholder": "Persistent Keepalive (0 = default)"
        }
      },
-      "button-apply-defaults": "Apply Peer Defaults",
+
-      "button-create-default-peers": "Create Default Peers",
+      "button-apply-defaults": "Apply Peer Defaults"
      "confirm-delete": "Are you sure you want to delete interface '{id}'?"
    },
    "peer-view": {
      "headline-peer": "Peer:",
@@ -628,8 +626,7 @@
      },
      "expires-at": {
        "label": "Expiry date"
-      },
+      }
      "confirm-delete": "Are you sure you want to delete peer '{id}'?"
    },
    "peer-multi-create": {
      "headline-peer": "Create multiple peers",
--- a/frontend/src/lang/translations/es.json
+++ b/frontend/src/lang/translations/es.json
@@ -365,8 +365,7 @@
      },
      "admin": {
        "label": "Es administrador"
-      },
+      }
      "confirm-delete": "Seguro que desea eliminar el usuario '{id}'?"
    },
    "interface-view": {
      "headline": "Configuración de la interfaz:"
@@ -494,9 +493,7 @@
          "placeholder": "Keepalive Persistente (0 = por defecto)"
        }
      },
-      "button-apply-defaults": "Aplicar Valores Predeterminados de peers",
+      "button-apply-defaults": "Aplicar Valores Predeterminados de peers"
      "button-create-default-peers": "Crear Peers Predeterminados",
      "confirm-delete": "Seguro que desea eliminar la interfaz '{id}'?"
    },
    "peer-view": {
      "headline-peer": "Peer:",
@@ -616,8 +613,7 @@
      },
      "expires-at": {
        "label": "Fecha de expiración"
-      },
+      }
      "confirm-delete": "Seguro que desea eliminar el par '{id}'?"
    },
    "peer-multi-create": {
      "headline-peer": "Crear múltiples peers",
--- a/frontend/src/lang/translations/fr.json
+++ b/frontend/src/lang/translations/fr.json
@@ -126,7 +126,9 @@
    "peer-expiring": "Le pair expire le",
    "peer-connected": "Connecté",
    "peer-not-connected": "Non connecté",
-    "peer-handshake": "Dernière négociation :"
+    "peer-handshake": "Dernière négociation :",
    "button-show-peer": "Afficher le pair",
    "button-edit-peer": "Modifier le pair"
  },
  "users": {
    "headline": "Administration des utilisateurs",
@@ -262,8 +264,7 @@
      },
      "admin": {
        "label": "Est Admin"
-      },
+      }
      "confirm-delete": "Voulez-vous vraiment supprimer l'utilisateur \"{id}\" ?"
    },
    "interface-view": {
      "headline": "Configuration pour l'interface :"
@@ -376,9 +377,7 @@
          "placeholder": "Persistent Keepalive (0 = par défaut)"
        }
      },
-      "button-apply-defaults": "Appliquer les valeurs par défaut des pairs",
+      "button-apply-defaults": "Appliquer les valeurs par défaut des pairs"
      "button-create-default-peers": "Créer les pairs par défaut",
      "confirm-delete": "Voulez-vous vraiment supprimer l'interface \"{id}\" ?"
    },
    "peer-view": {
      "headline-peer": "Pair :",
@@ -494,8 +493,7 @@
      },
      "expires-at": {
        "label": "Date d'expiration"
-      },
+      }
      "confirm-delete": "Voulez-vous vraiment supprimer le pair \"{id}\" ?"
    },
    "peer-multi-create": {
      "headline-peer": "Créer plusieurs pairs",
--- a/frontend/src/lang/translations/ko.json
+++ b/frontend/src/lang/translations/ko.json
@@ -282,7 +282,6 @@
          "label": "관리자 여부"
        }
      },
      "confirm-delete": "사용자 '{id}'를 삭제하시겠습니까?",
      "interface-view": {
        "headline": "인터페이스 구성:"
      },
@@ -394,9 +393,7 @@
            "placeholder": "영구 Keepalive (0 = 기본값)"
          }
        },
-        "button-apply-defaults": "피어 기본값 적용",
+        "button-apply-defaults": "피어 기본값 적용"
        "button-create-default-peers": "기본 피어 생성",
        "confirm-delete": "인터페이스 '{id}'를 삭제하시겠습니까?"
      },
      "peer-view": {
        "headline-peer": "피어:",
@@ -512,8 +509,7 @@
        },
        "expires-at": {
          "label": "만료 날짜"
-        },
+        }
        "confirm-delete": "피어 '{id}'를 삭제하시겠습니까?"
      },
      "peer-multi-create": {
        "headline-peer": "여러 피어 생성",
--- a/frontend/src/lang/translations/pt.json
+++ b/frontend/src/lang/translations/pt.json
@@ -300,8 +300,7 @@
      },
      "admin": {
        "label": "É Administrador"
-      },
+      }
      "confirm-delete": "Tem certeza que deseja excluir o utilizador '{id}'?"
    },
    "interface-view": {
      "headline": "Configuração para a Interface:"
@@ -414,9 +413,7 @@
          "placeholder": "Keepalive persistente (0 = padrão)"
        }
      },
-      "button-apply-defaults": "Aplicar Padrões de Peer",
+      "button-apply-defaults": "Aplicar Padrões de Peer"
      "button-create-default-peers": "Criar Peers Padrão",
      "confirm-delete": "Tem certeza que deseja excluir a interface '{id}'?"
    },
    "peer-view": {
      "headline-peer": "Peer:",
@@ -533,8 +530,7 @@
      },
      "expires-at": {
        "label": "Data de expiração"
-      },
+      }
      "confirm-delete": "Tem certeza que deseja excluir o par '{id}'?"
    },
    "peer-multi-create": {
      "headline-peer": "Criar múltiplos peers",
--- a/frontend/src/lang/translations/ru.json
+++ b/frontend/src/lang/translations/ru.json
@@ -366,8 +366,7 @@
      },
      "admin": {
        "label": "Является администратором"
-      },
+      }
      "confirm-delete": "Вы уверены, что хотите удалить пользователя «{id}»?"
    },
    "interface-view": {
      "headline": "Конфигурация интерфейса:"
@@ -485,9 +484,7 @@
          "placeholder": "Постоянное поддержание активности (0 = значение по умолчанию)"
        }
      },
-      "button-apply-defaults": "Применить настройки пира по умолчанию",
+      "button-apply-defaults": "Применить настройки пира по умолчанию"
      "button-create-default-peers": "Создать пиров по умолчанию",
      "confirm-delete": "Вы уверены, что хотите удалить интерфейс «{id}»?"
    },
    "peer-view": {
      "headline-peer": "Пир:",
@@ -608,8 +605,7 @@
      },
      "expires-at": {
        "label": "Дата истечения срока действия"
-      },
+      }
      "confirm-delete": "Вы уверены, что хотите удалить пир «{id}»?"
    },
    "peer-multi-create": {
      "headline-peer": "Создать несколько узлов",
--- a/frontend/src/lang/translations/uk.json
+++ b/frontend/src/lang/translations/uk.json
@@ -151,6 +151,7 @@
    "admin": "Користувач має адміністративні привілеї",
    "no-admin": "Користувач не має адміністративних привілеїв"
  },
  "profile": {
    "headline": "Мої VPN-піри",
    "table-heading": {
@@ -188,6 +189,7 @@
      "api-link": "Документація API"
    }
  },
  "modals": {
    "user-view": {
      "headline": "Обліковий запис користувача:",
@@ -262,8 +264,7 @@
      },
      "admin": {
        "label": "Адміністратор"
-      },
+      }
      "confirm-delete": "Ви впевнені, що хочете видалити користувача «{id}»?"
    },
    "interface-view": {
      "headline": "Конфігурація для інтерфейсу:"
@@ -376,9 +377,7 @@
          "placeholder": "Постійний Keepalive (0 = за замовчуванням)"
        }
      },
-      "button-apply-defaults": "Застосувати значення за замовчуванням для пірів",
+      "button-apply-defaults": "Застосувати значення за замовчуванням для пірів"
      "button-create-default-peers": "Створити пірів за замовчуванням",
      "confirm-delete": "Ви впевнені, що хочете видалити інтерфейс «{id}»?"
    },
    "peer-view": {
      "headline-peer": "Пір:",
@@ -494,8 +493,7 @@
      },
      "expires-at": {
        "label": "Дата закінчення терміну дії"
-      },
+      }
      "confirm-delete": "Ви впевнені, що хочете видалити пір «{id}»?"
    },
    "peer-multi-create": {
      "headline-peer": "Створити декілька пір",
--- a/frontend/src/lang/translations/vi.json
+++ b/frontend/src/lang/translations/vi.json
@@ -240,8 +240,7 @@
      },
      "admin": {
        "label": "Là Quản trị viên"
-      },
+      }
      "confirm-delete": "Ban co chac muon xoa nguoi dung '{id}' khong?"
    },
    "interface-view": {
      "headline": "Cấu hình cho Giao diện:"
@@ -354,9 +353,8 @@
          "placeholder": "Giữ kết nối liên tục (0 = mặc định)"
        }
      },
-      "button-apply-defaults": "Áp dụng Cài đặt Mặc định của Peer",
+
-      "button-create-default-peers": "Tạo Peer Mặc định",
+      "button-apply-defaults": "Áp dụng Cài đặt Mặc định của Peer"
      "confirm-delete": "Ban co chac muon xoa giao dien '{id}' khong?"
    },
    "peer-view": {
      "headline-peer": "Peer:",
@@ -472,8 +470,7 @@
      },
      "expires-at": {
        "label": "Ngày hết hạn"
-      },
+      }
      "confirm-delete": "Ban co chac muon xoa peer '{id}' khong?"
    },
    "peer-multi-create": {
      "headline-peer": "Tạo nhiều peer",
--- a/frontend/src/lang/translations/zh.json
+++ b/frontend/src/lang/translations/zh.json
@@ -242,7 +242,6 @@
          "label": "管理员"
        }
      },
      "confirm-delete": "确定要删除用户“{id}”吗？",
      "interface-view": {
        "headline": "接口配置: "
      },
@@ -354,9 +353,7 @@
            "placeholder": "持久保持连接 (0 = 默认)"
          }
        },
-        "button-apply-defaults": "应用节点默认值",
+        "button-apply-defaults": "应用节点默认值"
        "button-create-default-peers": "创建默认节点",
        "confirm-delete": "确定要删除接口“{id}”吗？"
      },
      "peer-view": {
        "headline-peer": "节点: ",
@@ -472,8 +469,7 @@
        },
        "expires-at": {
          "label": "过期日期"
-        },
+        }
        "confirm-delete": "确定要删除对等点“{id}”吗？"
      },
      "peer-multi-create": {
        "headline-peer": "创建多个节点",
--- a/frontend/src/router/index.js
+++ b/frontend/src/router/index.js
@@ -1,6 +1,7 @@
 import {createRouter, createWebHashHistory} from 'vue-router'
 import HomeView from '../views/HomeView.vue'
 import LoginView from '../views/LoginView.vue'
 import InterfaceView from '../views/InterfaceView.vue'
 import {authStore} from '@/stores/auth'
 import {securityStore} from '@/stores/security'
@@ -19,6 +20,11 @@ const router = createRouter({
      name: 'login',
      component: LoginView
    },
    {
      path: '/interface',
      name: 'interface',
      component: InterfaceView
    },
    {
      path: '/interfaces',
      name: 'interfaces',
--- a/frontend/src/stores/audit.js
+++ b/frontend/src/stores/audit.js
@@ -11,6 +11,7 @@ export const auditStore = defineStore('audit', {
    filter: "",
    pageSize: 10,
    pageOffset: 0,
    pages: [],
    fetching: false,
  }),
  getters: {
@@ -40,22 +41,33 @@ export const auditStore = defineStore('audit', {
    afterPageSizeChange() {
      // reset pageOffset to avoid problems with new page sizes
      this.pageOffset = 0
      this.calculatePages()
    },
    calculatePages() {
      let pageCounter = 1;
      this.pages = []
      for (let i = 0; i < this.FilteredCount; i+=this.pageSize) {
        this.pages.push(pageCounter++)
      }
    },
    gotoPage(page) {
      this.pageOffset = (page-1) * this.pageSize
      this.calculatePages()
    },
    nextPage() {
      if (this.hasNextPage) {
      this.pageOffset += this.pageSize
-      }
+
      this.calculatePages()
    },
    previousPage() {
      if (this.hasPrevPage) {
      this.pageOffset -= this.pageSize
-      }
+
      this.calculatePages()
    },
    setEntries(entries) {
      this.entries = entries
      this.calculatePages()
      this.fetching = false
    },
    async LoadEntries() {
--- a/frontend/src/stores/auth.js
+++ b/frontend/src/stores/auth.js
@@ -2,7 +2,6 @@ import { defineStore } from 'pinia'
 import { notify } from "@kyvg/vue3-notification";
 import { apiWrapper } from '@/helpers/fetch-wrapper'
 import { websocketWrapper } from '@/helpers/websocket-wrapper'
 import router from '../router'
 import { browserSupportsWebAuthn,startRegistration,startAuthentication } from '@simplewebauthn/browser';
 import {base64_url_encode} from "@/helpers/encoding";
@@ -108,19 +107,12 @@ export const authStore = defineStore('auth',{
            this.setUserInfo(null)
            this.ResetReturnUrl() // just to be sure^^
            let logoutResponse = null
            try {
-                logoutResponse = await apiWrapper.post(`/auth/logout`)
+                await apiWrapper.post(`/auth/logout`)
            } catch (e) {
                console.log("Logout request failed:", e)
            }
            const redirectUrl = logoutResponse?.RedirectUrl
            if (redirectUrl) {
                window.location.href = redirectUrl
                return
            }
            notify({
                title: "Logged Out",
                text: "Logout successful!",
@@ -303,11 +295,9 @@ export const authStore = defineStore('auth',{
                    }
                }
                localStorage.setItem('user', JSON.stringify(this.user))
                websocketWrapper.connect()
            } else {
                this.user = null
                localStorage.removeItem('user')
                websocketWrapper.disconnect()
            }
        },
        setWebAuthnCredentials(credentials) {
--- a/frontend/src/stores/interfaces.js
+++ b/frontend/src/stores/interfaces.js
@@ -14,7 +14,6 @@ export const interfaceStore = defineStore('interfaces', {
    configuration: "",
    selected: "",
    fetching: false,
    trafficStats: {},
  }),
  getters: {
    Count: (state) => state.interfaces.length,
@@ -25,9 +24,6 @@ export const interfaceStore = defineStore('interfaces', {
    },
    GetSelected: (state) => state.interfaces.find((i) => i.Identifier === state.selected) || state.interfaces[0],
    isFetching: (state) => state.fetching,
    TrafficStats: (state) => {
      return (state.selected in state.trafficStats) ? state.trafficStats[state.selected] : { Received: 0, Transmitted: 0 }
    },
  },
  actions: {
    setInterfaces(interfaces) {
@@ -38,14 +34,6 @@ export const interfaceStore = defineStore('interfaces', {
        this.selected = ""
      }
      this.fetching = false
      this.trafficStats = {}
    },
    updateInterfaceTrafficStats(interfaceStats) {
      const id = interfaceStats.EntityId;
      this.trafficStats[id] = {
        Received: interfaceStats.BytesReceived,
        Transmitted: interfaceStats.BytesTransmitted,
      };
    },
    async LoadInterfaces() {
      this.fetching = true
@@ -148,18 +136,6 @@ export const interfaceStore = defineStore('interfaces', {
          throw new Error(error)
        })
    },
    async CreateDefaultPeers(id) {
      this.fetching = true
      return apiWrapper.post(`${baseUrl}/${base64_url_encode(id)}/create-default-peers`)
        .then(() => {
          this.fetching = false
        })
        .catch(error => {
          this.fetching = false
          console.log(error)
          throw new Error(error)
        })
    },
    async SaveConfiguration(id) {
      this.fetching = true
      return apiWrapper.post(`${baseUrl}/${base64_url_encode(id)}/save-config`)
--- a/frontend/src/stores/peers.js
+++ b/frontend/src/stores/peers.js
@@ -19,10 +19,10 @@ export const peerStore = defineStore('peers', {
    filter: "",
    pageSize: 10,
    pageOffset: 0,
    pages: [],
    fetching: false,
    sortKey: 'IsConnected', // Default sort key
    sortOrder: -1, // 1 for ascending, -1 for descending
    trafficStats: {},
  }),
  getters: {
    Find: (state) => {
@@ -76,9 +76,6 @@ export const peerStore = defineStore('peers', {
    Statistics: (state) => {
      return (id) => state.statsEnabled && (id in state.stats) ? state.stats[id] : freshStats()
    },
    TrafficStats: (state) => {
      return (id) => (id in state.trafficStats) ? state.trafficStats[id] : { Received: 0, Transmitted: 0 }
    },
    hasStatistics: (state) => state.statsEnabled,
  },
@@ -86,24 +83,34 @@ export const peerStore = defineStore('peers', {
    afterPageSizeChange() {
      // reset pageOffset to avoid problems with new page sizes
      this.pageOffset = 0
      this.calculatePages()
    },
    calculatePages() {
      let pageCounter = 1;
      this.pages = []
      for (let i = 0; i < this.FilteredCount; i+=this.pageSize) {
        this.pages.push(pageCounter++)
      }
    },
    gotoPage(page) {
      this.pageOffset = (page-1) * this.pageSize
      this.calculatePages()
    },
    nextPage() {
      if (this.hasNextPage) {
      this.pageOffset += this.pageSize
-      }
+
      this.calculatePages()
    },
    previousPage() {
      if (this.hasPrevPage) {
      this.pageOffset -= this.pageSize
-      }
+
      this.calculatePages()
    },
    setPeers(peers) {
      this.peers = peers
      this.calculatePages()
      this.fetching = false
      this.trafficStats = {}
    },
    setPeer(peer) {
      this.peer = peer
@@ -119,19 +126,11 @@ export const peerStore = defineStore('peers', {
      if (!statsResponse) {
        this.stats = {}
        this.statsEnabled = false
        this.trafficStats = {}
      } else {
          this.stats = statsResponse.Stats
          this.statsEnabled = statsResponse.Enabled
      }
    },
    updatePeerTrafficStats(peerStats) {
      const id = peerStats.EntityId;
      this.trafficStats[id] = {
        Received: peerStats.BytesReceived,
        Transmitted: peerStats.BytesTransmitted,
      };
    },
    async Reset() {
      this.setPeers([])
      this.setStats(undefined)
--- a/frontend/src/stores/profile.js
+++ b/frontend/src/stores/profile.js
@@ -20,6 +20,7 @@ export const profileStore = defineStore('profile', {
    filter: "",
    pageSize: 10,
    pageOffset: 0,
    pages: [],
    fetching: false,
    sortKey: 'IsConnected', // Default sort key
    sortOrder: -1, // 1 for ascending, -1 for descending
@@ -73,25 +74,34 @@ export const profileStore = defineStore('profile', {
    },
    hasStatistics: (state) => state.statsEnabled,
    CountInterfaces: (state) => state.interfaces.length,
    HasInterface: (state) => (id) => state.interfaces.some((i) => i.Identifier === id),
  },
  actions: {
    afterPageSizeChange() {
      // reset pageOffset to avoid problems with new page sizes
      this.pageOffset = 0
      this.calculatePages()
    },
    calculatePages() {
      let pageCounter = 1;
      this.pages = []
      for (let i = 0; i < this.FilteredPeerCount; i+=this.pageSize) {
        this.pages.push(pageCounter++)
      }
    },
    gotoPage(page) {
      this.pageOffset = (page-1) * this.pageSize
      this.calculatePages()
    },
    nextPage() {
      if (this.hasNextPage) {
      this.pageOffset += this.pageSize
-      }
+
      this.calculatePages()
    },
    previousPage() {
      if (this.hasPrevPage) {
      this.pageOffset -= this.pageSize
-      }
+
      this.calculatePages()
    },
    setPeers(peers) {
      this.peers = peers
--- a/frontend/src/stores/users.js
+++ b/frontend/src/stores/users.js
@@ -12,6 +12,7 @@ export const userStore = defineStore('users', {
    filter: "",
    pageSize: 10,
    pageOffset: 0,
    pages: [],
    fetching: false,
  }),
  getters: {
@@ -42,22 +43,33 @@ export const userStore = defineStore('users', {
    afterPageSizeChange() {
      // reset pageOffset to avoid problems with new page sizes
      this.pageOffset = 0
      this.calculatePages()
    },
    calculatePages() {
      let pageCounter = 1;
      this.pages = []
      for (let i = 0; i < this.FilteredCount; i+=this.pageSize) {
        this.pages.push(pageCounter++)
      }
    },
    gotoPage(page) {
      this.pageOffset = (page-1) * this.pageSize
      this.calculatePages()
    },
    nextPage() {
      if (this.hasNextPage) {
      this.pageOffset += this.pageSize
-      }
+
      this.calculatePages()
    },
    previousPage() {
      if (this.hasPrevPage) {
      this.pageOffset -= this.pageSize
-      }
+
      this.calculatePages()
    },
    setUsers(users) {
      this.users = users
      this.calculatePages()
      this.fetching = false
    },
    setUserPeers(peers) {
--- a/frontend/src/views/AuditView.vue
+++ b/frontend/src/views/AuditView.vue
@@ -1,7 +1,6 @@
 <script setup>
 import { onMounted } from "vue";
 import {auditStore} from "@/stores/audit";
 import Pagination from "@/components/Pagination.vue";
 const audit = auditStore()
@@ -61,24 +60,28 @@ onMounted(async () => {
    </table>
  </div>
  <hr>
  <div class="mt-3">
    <div class="row">
-      <div class="col-12 col-md-6">
+      <div class="col-6">
-        <Pagination
+        <ul class="pagination pagination-sm">
-            :currentPage="audit.currentPage"
+          <li :class="{disabled:audit.pageOffset===0}" class="page-item">
-            :totalCount="audit.FilteredCount"
+            <a class="page-link" @click="audit.previousPage">&laquo;</a>
-            :pageSize="audit.pageSize"
+          </li>
-            :hasNextPage="audit.hasNextPage"
+
-            :hasPrevPage="audit.hasPrevPage"
+          <li v-for="page in audit.pages" :key="page" :class="{active:audit.currentPage===page}" class="page-item">
-            :onGotoPage="audit.gotoPage"
+            <a class="page-link" @click="audit.gotoPage(page)">{{page}}</a>
-            :onNextPage="audit.nextPage"
+          </li>
-            :onPrevPage="audit.previousPage"
+
-        />
+          <li :class="{disabled:!audit.hasNextPage}" class="page-item">
            <a class="page-link" @click="audit.nextPage">&raquo;</a>
          </li>
        </ul>
      </div>
-      <div class="col-12 col-md-6">
+      <div class="col-6">
        <div class="form-group row">
-          <label class="col-sm-6 col-form-label text-md-end" for="paginationSelector">{{ $t('general.pagination.size') }}:</label>
+          <label class="col-sm-6 col-form-label text-end" for="paginationSelector">{{ $t('general.pagination.size') }}:</label>
          <div class="col-sm-6">
-            <select id="paginationSelector" v-model.number="audit.pageSize" class="form-select" @change="audit.afterPageSizeChange()">
+            <select id="paginationSelector" v-model.number="audit.pageSize" class="form-select" @click="audit.afterPageSizeChange()">
              <option value="10">10</option>
              <option value="25">25</option>
              <option value="50">50</option>
@@ -89,4 +92,5 @@ onMounted(async () => {
        </div>
      </div>
    </div>
  </div>
 </template>
--- a/frontend/src/views/InterfaceView.vue
+++ b/frontend/src/views/InterfaceView.vue
@@ -1,10 +1,9 @@
 <script setup>
-import PeerViewModal from "@/components/PeerViewModal.vue";
+import PeerViewModal from "../components/PeerViewModal.vue";
-import PeerEditModal from "@/components/PeerEditModal.vue";
+import PeerEditModal from "../components/PeerEditModal.vue";
-import PeerMultiCreateModal from "@/components/PeerMultiCreateModal.vue";
+import PeerMultiCreateModal from "../components/PeerMultiCreateModal.vue";
-import InterfaceEditModal from "@/components/InterfaceEditModal.vue";
+import InterfaceEditModal from "../components/InterfaceEditModal.vue";
-import InterfaceViewModal from "@/components/InterfaceViewModal.vue";
+import InterfaceViewModal from "../components/InterfaceViewModal.vue";
 import Pagination from "@/components/Pagination.vue";
 import {computed, onMounted, ref} from "vue";
 import {peerStore} from "@/stores/peers";
@@ -211,12 +210,6 @@ onMounted(async () => {
            <div class="col-12 col-lg-8">
              {{ $t('interfaces.interface.headline') }} <strong>{{interfaces.GetSelected.Identifier}}</strong> ({{ $t('modals.interface-edit.mode.' + interfaces.GetSelected.Mode )}} | {{ $t('interfaces.interface.backend') + ": " + calculateBackendName }}<span v-if="!isBackendValid" :title="t('interfaces.interface.wrong-backend')" class="ms-1 me-1"><i class="fa-solid fa-triangle-exclamation"></i></span>)
              <span v-if="interfaces.GetSelected.Disabled" class="text-danger"><i class="fa fa-circle-xmark" :title="interfaces.GetSelected.DisabledReason"></i></span>
              <div v-if="interfaces.GetSelected && (interfaces.TrafficStats.Received > 0 || interfaces.TrafficStats.Transmitted > 0)" class="mt-2">
                <small class="text-muted">
                  Traffic: <i class="fa-solid fa-arrow-down me-1"></i>{{ humanFileSize(interfaces.TrafficStats.Received) }}/s
                    <i class="fa-solid fa-arrow-up ms-1 me-1"></i>{{ humanFileSize(interfaces.TrafficStats.Transmitted) }}/s
                </small>
              </div>
            </div>
            <div class="col-12 col-lg-4 text-lg-end">
              <a class="btn-link" href="#" :title="$t('interfaces.interface.button-show-config')" @click.prevent="viewedInterfaceId=interfaces.GetSelected.Identifier"><i class="fas fa-eye"></i></a>
@@ -458,19 +451,14 @@ onMounted(async () => {
          <td v-if="interfaces.GetSelected.Mode==='client'">{{peer.Endpoint.Value}}</td>
          <td v-if="peers.hasStatistics">
            <div v-if="peers.Statistics(peer.Identifier).IsConnected">
-              <span class="badge rounded-pill bg-success" :title="$t('interfaces.peer-connected')"><i class="fa-solid fa-link"></i></span> <small class="text-muted" :title="$t('interfaces.peer-handshake') + ' ' + peers.Statistics(peer.Identifier).LastHandshake"><i class="fa-solid fa-circle-info"></i></small>
+              <span class="badge rounded-pill bg-success" :title="$t('interfaces.peer-connected')"><i class="fa-solid fa-link"></i></span> <span :title="$t('interfaces.peer-handshake') + ' ' + peers.Statistics(peer.Identifier).LastHandshake">{{ $t('interfaces.peer-connected') }}</span>
            </div>
            <div v-else>
              <span class="badge rounded-pill bg-light" :title="$t('interfaces.peer-not-connected')"><i class="fa-solid fa-link-slash"></i></span>
            </div>
          </td>
          <td v-if="peers.hasStatistics" >
-            <div class="d-flex flex-column">
+            <span class="text-center" >{{ humanFileSize(peers.Statistics(peer.Identifier).BytesReceived) }} / {{ humanFileSize(peers.Statistics(peer.Identifier).BytesTransmitted) }}</span>
              <span :title="humanFileSize(peers.Statistics(peer.Identifier).BytesReceived) + ' / ' + humanFileSize(peers.Statistics(peer.Identifier).BytesTransmitted)">
                <i class="fa-solid fa-arrow-down me-1"></i>{{ humanFileSize(peers.TrafficStats(peer.Identifier).Received) }}/s
                <i class="fa-solid fa-arrow-up ms-1 me-1"></i>{{ humanFileSize(peers.TrafficStats(peer.Identifier).Transmitted) }}/s
              </span>
            </div>
          </td>
          <td class="text-center">
            <a href="#" :title="$t('interfaces.button-show-peer')" @click.prevent="viewedPeerId=peer.Identifier"><i class="fas fa-eye me-2"></i></a>
@@ -483,23 +471,26 @@ onMounted(async () => {
  <hr v-if="interfaces.Count!==0">
  <div v-if="interfaces.Count!==0" class="mt-3">
    <div class="row">
-      <div class="col-12 col-md-6">
+      <div class="col-6">
-        <Pagination
+        <ul class="pagination pagination-sm">
-            :currentPage="peers.currentPage"
+          <li :class="{disabled:peers.pageOffset===0}" class="page-item">
-            :totalCount="peers.FilteredCount"
+            <a class="page-link" @click="peers.previousPage">&laquo;</a>
-            :pageSize="peers.pageSize"
+          </li>
-            :hasNextPage="peers.hasNextPage"
+
-            :hasPrevPage="peers.hasPrevPage"
+          <li v-for="page in peers.pages" :key="page" :class="{active:peers.currentPage===page}" class="page-item">
-            :onGotoPage="peers.gotoPage"
+            <a class="page-link" @click="peers.gotoPage(page)">{{page}}</a>
-            :onNextPage="peers.nextPage"
+          </li>
-            :onPrevPage="peers.previousPage"
+
-        />
+          <li :class="{disabled:!peers.hasNextPage}" class="page-item">
            <a class="page-link" @click="peers.nextPage">&raquo;</a>
          </li>
        </ul>
      </div>
-      <div class="col-12 col-md-6">
+      <div class="col-6">
        <div class="form-group row">
-          <label class="col-sm-6 col-form-label text-md-end" for="paginationSelector">{{ $t('general.pagination.size') }}:</label>
+          <label class="col-sm-6 col-form-label text-end" for="paginationSelector">{{ $t('general.pagination.size') }}:</label>
          <div class="col-sm-6">
-            <select id="paginationSelector" v-model.number="peers.pageSize" class="form-select" @change="peers.afterPageSizeChange()">
+            <select id="paginationSelector" v-model.number="peers.pageSize" class="form-select" @click="peers.afterPageSizeChange()">
              <option value="10">10</option>
              <option value="25">25</option>
              <option value="50">50</option>
--- a/frontend/src/views/ProfileView.vue
+++ b/frontend/src/views/ProfileView.vue
@@ -6,7 +6,6 @@ import { useI18n } from "vue-i18n";
 import { profileStore } from "@/stores/profile";
 import { peerStore } from "@/stores/peers";
 import UserPeerEditModal from "@/components/UserPeerEditModal.vue";
 import Pagination from "@/components/Pagination.vue";
 import { settingsStore } from "@/stores/settings";
 import { humanFileSize } from "@/helpers/utils";
@@ -67,6 +66,7 @@ onMounted(async () => {
  await profile.LoadPeers()
  await profile.LoadStats()
  await profile.LoadInterfaces()
  await profile.calculatePages(); // Forces to show initial page number
 })
 </script>
@@ -80,8 +80,6 @@ onMounted(async () => {
    <div class="col-12 col-lg-5">
      <h2 class="mt-2">{{ $t('profile.headline') }}</h2>
    </div>
    <div class="col-12 col-lg-3 text-lg-end" v-if="!settings.Setting('SelfProvisioning') || profile.CountInterfaces===0">
    </div>
    <div class="col-12 col-lg-4 text-lg-end">
      <div class="form-group d-inline">
        <div class="input-group mb-3">
@@ -92,8 +90,8 @@ onMounted(async () => {
        </div>
      </div>
    </div>
-    <div class="col-12 col-lg-3 text-lg-end" v-if="settings.Setting('SelfProvisioning') && profile.CountInterfaces>0">
+    <div class="col-12 col-lg-3 text-lg-end">
-      <div class="form-group">
+      <div class="form-group" v-if="settings.Setting('SelfProvisioning')">
        <div class="input-group mb-3">
          <button class="btn btn-primary" :title="$t('interfaces.button-add-peer')" @click.prevent="editPeerId = '#NEW#'">
            <i class="fa fa-plus me-1"></i><i class="fa fa-user"></i>
@@ -162,7 +160,8 @@ onMounted(async () => {
          </td>
          <td v-if="profile.hasStatistics">
            <div v-if="profile.Statistics(peer.Identifier).IsConnected">
-              <span class="badge rounded-pill bg-success" :title="$t('profile.peer-connected')"><i class="fa-solid fa-link"></i></span> <small class="text-muted" :title="$t('interfaces.peer-handshake') + ' ' + profile.Statistics(peer.Identifier).LastHandshake"><i class="fa-solid fa-circle-info"></i></small>
+              <span class="badge rounded-pill bg-success"><i class="fa-solid fa-link"></i></span>
              <span :title="profile.Statistics(peer.Identifier).LastHandshake">{{ $t('profile.peer-connected') }}</span>
            </div>
            <div v-else>
              <span class="badge rounded-pill bg-light"><i class="fa-solid fa-link-slash"></i></span>
@@ -175,7 +174,7 @@ onMounted(async () => {
          <td class="text-center">
            <a href="#" :title="$t('profile.button-show-peer')" @click.prevent="viewedPeerId = peer.Identifier"><i
                class="fas fa-eye me-2"></i></a>
-            <a href="#" :title="$t('profile.button-edit-peer')" @click.prevent="editPeerId = peer.Identifier" v-if="settings.Setting('SelfProvisioning') && profile.HasInterface(peer.InterfaceIdentifier)"><i
+            <a href="#" :title="$t('profile.button-edit-peer')" @click.prevent="editPeerId = peer.Identifier"><i
                class="fas fa-cog"></i></a>
          </td>
        </tr>
@@ -185,25 +184,28 @@ onMounted(async () => {
  <hr>
  <div class="mt-3">
    <div class="row">
-      <div class="col-12 col-md-6">
+      <div class="col-6">
-        <Pagination
+        <ul class="pagination pagination-sm">
-            :currentPage="profile.currentPage"
+          <li :class="{ disabled: profile.pageOffset === 0 }" class="page-item">
-            :totalCount="profile.FilteredPeerCount"
+            <a class="page-link" @click="profile.previousPage">&laquo;</a>
-            :pageSize="profile.pageSize"
+          </li>
-            :hasNextPage="profile.hasNextPage"
+
-            :hasPrevPage="profile.hasPrevPage"
+          <li v-for="page in profile.pages" :key="page" :class="{ active: profile.currentPage === page }" class="page-item">
-            :onGotoPage="profile.gotoPage"
+            <a class="page-link" @click="profile.gotoPage(page)">{{ page }}</a>
-            :onNextPage="profile.nextPage"
+          </li>
-            :onPrevPage="profile.previousPage"
+
-        />
+          <li :class="{ disabled: !profile.hasNextPage }" class="page-item">
            <a class="page-link" @click="profile.nextPage">&raquo;</a>
          </li>
        </ul>
      </div>
-      <div class="col-12 col-md-6">
+      <div class="col-6">
        <div class="form-group row">
-          <label class="col-sm-6 col-form-label text-md-end" for="paginationSelector">
+          <label class="col-sm-6 col-form-label text-end" for="paginationSelector">
            {{ $t('general.pagination.size')}}:
          </label>
          <div class="col-sm-6">
-            <select id="paginationSelector" v-model.number="profile.pageSize" class="form-select" @change="profile.afterPageSizeChange()">
+            <select id="paginationSelector" v-model.number="profile.pageSize" class="form-select" @click="profile.afterPageSizeChange()">
              <option value="10">10</option>
              <option value="25">25</option>
              <option value="50">50</option>
--- a/frontend/src/views/UserView.vue
+++ b/frontend/src/views/UserView.vue
@@ -1,9 +1,8 @@
 <script setup>
 import {userStore} from "@/stores/users";
 import {ref, onMounted, computed} from "vue";
-import UserEditModal from "@/components/UserEditModal.vue";
+import UserEditModal from "../components/UserEditModal.vue";
-import UserViewModal from "@/components/UserViewModal.vue";
+import UserViewModal from "../components/UserViewModal.vue";
 import Pagination from "@/components/Pagination.vue";
 import {useI18n} from "vue-i18n";
 const users = userStore()
@@ -166,24 +165,28 @@ onMounted(() => {
    </table>
  </div>
  <hr>
  <div class="mt-3">
    <div class="row">
-      <div class="col-12 col-md-6">
+      <div class="col-6">
-        <Pagination
+        <ul class="pagination pagination-sm">
-            :currentPage="users.currentPage"
+          <li :class="{disabled:users.pageOffset===0}" class="page-item">
-            :totalCount="users.FilteredCount"
+            <a class="page-link" @click="users.previousPage">&laquo;</a>
-            :pageSize="users.pageSize"
+          </li>
-            :hasNextPage="users.hasNextPage"
+
-            :hasPrevPage="users.hasPrevPage"
+          <li v-for="page in users.pages" :key="page" :class="{active:users.currentPage===page}" class="page-item">
-            :onGotoPage="users.gotoPage"
+            <a class="page-link" @click="users.gotoPage(page)">{{page}}</a>
-            :onNextPage="users.nextPage"
+          </li>
-            :onPrevPage="users.previousPage"
+
-        />
+          <li :class="{disabled:!users.hasNextPage}" class="page-item">
            <a class="page-link" @click="users.nextPage">&raquo;</a>
          </li>
        </ul>
      </div>
-      <div class="col-12 col-md-6">
+      <div class="col-6">
        <div class="form-group row">
-          <label class="col-sm-6 col-form-label text-md-end" for="paginationSelector">{{ $t('general.pagination.size') }}:</label>
+          <label class="col-sm-6 col-form-label text-end" for="paginationSelector">{{ $t('general.pagination.size') }}:</label>
          <div class="col-sm-6">
-            <select id="paginationSelector" v-model.number="users.pageSize" class="form-select" @change="users.afterPageSizeChange()">
+            <select id="paginationSelector" v-model.number="users.pageSize" class="form-select" @click="users.afterPageSizeChange()">
              <option value="10">10</option>
              <option value="25">25</option>
              <option value="50">50</option>
@@ -194,4 +197,5 @@ onMounted(() => {
        </div>
      </div>
    </div>
  </div>
 </template>
--- a/go.mod
+++ b/go.mod
@@ -1,19 +1,18 @@
 module github.com/h44z/wg-portal
-go 1.25.7
+go 1.24.0
 require (
 	github.com/a8m/envsubst v1.4.3
 	github.com/alexedwards/scs/v2 v2.9.0
-	github.com/coreos/go-oidc/v3 v3.18.0
+	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/glebarez/sqlite v1.11.0
-	github.com/go-ldap/ldap/v3 v3.4.13
+	github.com/go-ldap/ldap/v3 v3.4.12
 	github.com/go-pkgz/routegroup v1.6.0
-	github.com/go-playground/validator/v10 v10.30.2
+	github.com/go-playground/validator/v10 v10.30.1
-	github.com/go-webauthn/webauthn v0.16.4
+	github.com/go-webauthn/webauthn v0.15.0
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/websocket v1.5.3
+	github.com/prometheus-community/pro-bing v0.7.0
 	github.com/prometheus-community/pro-bing v0.8.0
 	github.com/prometheus/client_golang v1.23.2
 	github.com/stretchr/testify v1.11.1
 	github.com/swaggo/swag v1.16.6
@@ -22,9 +21,9 @@ require (
 	github.com/xhit/go-simple-mail/v2 v2.16.0
 	github.com/yeqown/go-qrcode/v2 v2.2.5
 	github.com/yeqown/go-qrcode/writer/compressed v1.0.1
-	golang.org/x/crypto v0.50.0
+	golang.org/x/crypto v0.46.0
-	golang.org/x/oauth2 v0.36.0
+	golang.org/x/oauth2 v0.34.0
-	golang.org/x/sys v0.43.0
+	golang.org/x/sys v0.39.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.6.0
@@ -34,77 +33,76 @@ require (
 )
 require (
-	filippo.io/edwards25519 v1.2.0 // indirect
+	filippo.io/edwards25519 v1.1.0 // indirect
 	github.com/Azure/go-ntlmssp v0.1.0 // indirect
 	github.com/KyleBanks/depth v1.2.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
-	github.com/fxamacker/cbor/v2 v2.9.1 // indirect
+	github.com/fxamacker/cbor/v2 v2.9.0 // indirect
-	github.com/gabriel-vasile/mimetype v1.4.13 // indirect
+	github.com/gabriel-vasile/mimetype v1.4.12 // indirect
 	github.com/glebarez/go-sqlite v1.22.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
-	github.com/go-jose/go-jose/v4 v4.1.4 // indirect
+	github.com/go-jose/go-jose/v4 v4.1.3 // indirect
-	github.com/go-openapi/jsonpointer v0.23.0 // indirect
+	github.com/go-openapi/jsonpointer v0.22.4 // indirect
-	github.com/go-openapi/jsonreference v0.21.5 // indirect
+	github.com/go-openapi/jsonreference v0.21.4 // indirect
-	github.com/go-openapi/spec v0.22.4 // indirect
+	github.com/go-openapi/spec v0.22.2 // indirect
-	github.com/go-openapi/swag/conv v0.26.0 // indirect
+	github.com/go-openapi/swag/conv v0.25.4 // indirect
-	github.com/go-openapi/swag/jsonname v0.26.0 // indirect
+	github.com/go-openapi/swag/jsonname v0.25.4 // indirect
-	github.com/go-openapi/swag/jsonutils v0.26.0 // indirect
+	github.com/go-openapi/swag/jsonutils v0.25.4 // indirect
-	github.com/go-openapi/swag/loading v0.26.0 // indirect
+	github.com/go-openapi/swag/loading v0.25.4 // indirect
-	github.com/go-openapi/swag/stringutils v0.26.0 // indirect
+	github.com/go-openapi/swag/stringutils v0.25.4 // indirect
-	github.com/go-openapi/swag/typeutils v0.26.0 // indirect
+	github.com/go-openapi/swag/typeutils v0.25.4 // indirect
-	github.com/go-openapi/swag/yamlutils v0.26.0 // indirect
+	github.com/go-openapi/swag/yamlutils v0.25.4 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/go-test/deep v1.1.1 // indirect
-	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
-	github.com/go-webauthn/x v0.2.3 // indirect
+	github.com/go-webauthn/x v0.1.26 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
-	github.com/google/go-tpm v0.9.8 // indirect
+	github.com/google/go-tpm v0.9.7 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.9.1 // indirect
+	github.com/jackc/pgx/v5 v5.7.6 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
-	github.com/mattn/go-isatty v0.0.21 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/mdlayher/genetlink v1.4.0 // indirect
+	github.com/mdlayher/genetlink v1.3.2 // indirect
-	github.com/mdlayher/netlink v1.11.0 // indirect
+	github.com/mdlayher/netlink v1.8.0 // indirect
-	github.com/mdlayher/socket v0.6.0 // indirect
+	github.com/mdlayher/socket v0.5.1 // indirect
-	github.com/microsoft/go-mssqldb v1.9.8 // indirect
+	github.com/microsoft/go-mssqldb v1.9.5 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/ncruces/go-strftime v1.0.0 // indirect
 	github.com/philhofer/fwd v1.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
-	github.com/prometheus/common v0.67.5 // indirect
+	github.com/prometheus/common v0.67.4 // indirect
-	github.com/prometheus/procfs v0.20.1 // indirect
+	github.com/prometheus/procfs v0.19.2 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
 	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/tinylib/msgp v1.6.4 // indirect
 	github.com/toorop/go-dkim v0.0.0-20250226130143-9025cce95817 // indirect
 	github.com/vishvananda/netns v0.0.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/yeqown/reedsolomon v1.0.0 // indirect
-	go.yaml.in/yaml/v2 v2.4.4 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/exp v0.0.0-20251209150349-8475f28825e9 // indirect
-	golang.org/x/net v0.53.0 // indirect
+	golang.org/x/mod v0.31.0 // indirect
-	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/net v0.48.0 // indirect
-	golang.org/x/text v0.36.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/tools v0.44.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
 	golang.org/x/tools v0.40.0 // indirect
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb // indirect
-	google.golang.org/protobuf v1.36.11 // indirect
+	google.golang.org/protobuf v1.36.10 // indirect
-	modernc.org/libc v1.72.0 // indirect
+	modernc.org/libc v1.67.1 // indirect
 	modernc.org/mathutil v1.7.1 // indirect
 	modernc.org/memory v1.11.0 // indirect
-	modernc.org/sqlite v1.48.2 // indirect
+	modernc.org/sqlite v1.40.1 // indirect
 	sigs.k8s.io/yaml v1.6.0 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -1,31 +1,31 @@
-filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo=
+filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
-filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc=
+filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 h1:fou+2+WFTib47nS+nz/ozhEBnvU96bKHy6LjRsY4E28=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0 h1:Gt0j3wceWMwPmiazCa8MzMA0MfhmPIz0Qp0FJ6qcM0U=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0/go.mod h1:t76Ruy8AHvUAC8GfMWJMa0ElSbuIcO03NLpynfbgsPA=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.18.0/go.mod h1:Ot/6aikWnKWi4l9QB7qVSwa8iMphQNqkWALMoNT3rzM=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1/go.mod h1:uE9zaUfEQT/nbQjVi2IblCG9iaLtZsuYZ8ne+PuQ02M=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1 h1:B+blDbyVIG3WaikNxPnhPiJ1MThR03b3vKGtER95TP4=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.10.1/go.mod h1:JdM5psgjfBf5fo2uWOZhflPWyDBZ/O/CNAH9CtsuZE4=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2/go.mod h1:yInRyqWXAuaPrgI7p70+lDDgh3mlBohis29jGMISnmc=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1 h1:FPKJS1T+clwv+OLGt13a8UjqeRuh0O4SJ3lUriThc+4=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.1/go.mod h1:j2chePtV91HrC22tGoRX3sGY42uF13WzmmV80/OdVAA=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.1/go.mod h1:GpPjLhVR9dnUoJMyHWSPy71xY9/lcmpzIPZXmF0FCVY=
-github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 h1:E4MgwLBGeVB5f2MdcIVD3ELVAWpr+WD6MUe1i+tM/PA=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1 h1:Wgf5rZba3YZqeTNJPtvqZoBu1sBN/L4sry+u2U3Y75w=
-github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0/go.mod h1:Y2b/1clN4zsAoUd/pgNAQHjLDnTis/6ROkUfyob6psM=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.3.1/go.mod h1:xxCBG/f/4Vbmh2XQJBsOmNdxWUY5j/s27jujKPbQf14=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.0.0/go.mod h1:bTSOgj05NGRuHHhQwAdPnYr9TOdNmKlZTgGLL6nyAdI=
-github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 h1:nCYfgcSyHZXJI8J0IWE5MsCGlb2xp9fJiXyxWgmOFg4=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1 h1:bFWuoEKg+gImo7pvkiQEFAc8ocibADgXeiLAxWhWmkI=
-github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0/go.mod h1:ucUjca2JtSZboY8IoUqyQyuuXvwbMBVwFOm0vdQPNhA=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.1.1/go.mod h1:Vih/3yc6yac2JzU4hzpaDupBJP0Flaia9rXXrU8xyww=
 github.com/Azure/go-ntlmssp v0.1.0 h1:DjFo6YtWzNqNvQdrwEyr/e4nhU3vRiwenz5QX7sFz+A=
 github.com/Azure/go-ntlmssp v0.1.0/go.mod h1:NYqdhxd/8aAct/s4qSYZEerdPuH1liG2/X9DiVTbhpk=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2 h1:oygO0locgZJe7PpYPXT5A29ZkwJaPqcva7BVeemZOZs=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.4.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc=
 github.com/KyleBanks/depth v1.2.1/go.mod h1:jzSb9d0L43HxTQfT+oSA1EEp2q+ne2uh6XgeJcm8brE=
 github.com/a8m/envsubst v1.4.3 h1:kDF7paGK8QACWYaQo6KtyYBozY2jhQrTuNNuUxQkhJY=
@@ -38,8 +38,8 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/coreos/go-oidc/v3 v3.18.0 h1:V9orjXynvu5wiC9SemFTWnG4F45v403aIcjWo0d41+A=
+github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
-github.com/coreos/go-oidc/v3 v3.18.0/go.mod h1:DYCf24+ncYi+XkIH97GY1+dqoRlbaSI26KVTCI9SrY4=
+github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -48,47 +48,47 @@ github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
-github.com/fxamacker/cbor/v2 v2.9.1 h1:2rWm8B193Ll4VdjsJY28jxs70IdDsHRWgQYAI80+rMQ=
+github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
-github.com/fxamacker/cbor/v2 v2.9.1/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
+github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
-github.com/gabriel-vasile/mimetype v1.4.13 h1:46nXokslUBsAJE/wMsp5gtO500a4F3Nkz9Ufpk2AcUM=
+github.com/gabriel-vasile/mimetype v1.4.12 h1:e9hWvmLYvtp846tLHam2o++qitpguFiYCKbn0w9jyqw=
-github.com/gabriel-vasile/mimetype v1.4.13/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
+github.com/gabriel-vasile/mimetype v1.4.12/go.mod h1:d+9Oxyo1wTzWdyVUPMmXFvp4F9tea18J8ufA774AB3s=
 github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
 github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
 github.com/glebarez/sqlite v1.11.0 h1:wSG0irqzP6VurnMEpFGer5Li19RpIRi2qvQz++w0GMw=
 github.com/glebarez/sqlite v1.11.0/go.mod h1:h8/o8j5wiAsqSPoWELDUdJXhjAhsVliSn7bWZjOhrgQ=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ4S3TGls2FvczZtj5Re/2ZzkV9VwqPHH/3Bo=
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
+github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
-github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
-github.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=
+github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
-github.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=
+github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
-github.com/go-openapi/jsonpointer v0.23.0 h1:c25HFTJ6uWGmoe5BQI6p72p4o7KnlWYsy1MeFlAumsw=
+github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4=
-github.com/go-openapi/jsonpointer v0.23.0/go.mod h1:iWRmZTrGn7XwYhtPt/fvdSFj1OfNBngqRT2UG3BxSqY=
+github.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80=
-github.com/go-openapi/jsonreference v0.21.5 h1:6uCGVXU/aNF13AQNggxfysJ+5ZcU4nEAe+pJyVWRdiE=
+github.com/go-openapi/jsonreference v0.21.4 h1:24qaE2y9bx/q3uRK/qN+TDwbok1NhbSmGjjySRCHtC8=
-github.com/go-openapi/jsonreference v0.21.5/go.mod h1:u25Bw85sX4E2jzFodh1FOKMTZLcfifd1Q+iKKOUxExw=
+github.com/go-openapi/jsonreference v0.21.4/go.mod h1:rIENPTjDbLpzQmQWCj5kKj3ZlmEh+EFVbz3RTUh30/4=
-github.com/go-openapi/spec v0.22.4 h1:4pxGjipMKu0FzFiu/DPwN3CTBRlVM2yLf/YTWorYfDQ=
+github.com/go-openapi/spec v0.22.2 h1:KEU4Fb+Lp1qg0V4MxrSCPv403ZjBl8Lx1a83gIPU8Qc=
-github.com/go-openapi/spec v0.22.4/go.mod h1:WQ6Ai0VPWMZgMT4XySjlRIE6GP1bGQOtEThn3gcWLtQ=
+github.com/go-openapi/spec v0.22.2/go.mod h1:iIImLODL2loCh3Vnox8TY2YWYJZjMAKYyLH2Mu8lOZs=
 github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM=
-github.com/go-openapi/swag/conv v0.26.0 h1:5yGGsPYI1ZCva93U0AoKi/iZrNhaJEjr324YVsiD89I=
+github.com/go-openapi/swag/conv v0.25.4 h1:/Dd7p0LZXczgUcC/Ikm1+YqVzkEeCc9LnOWjfkpkfe4=
-github.com/go-openapi/swag/conv v0.26.0/go.mod h1:tpAmIL7X58VPnHHiSO4uE3jBeRamGsFsfdDeDtb5ECE=
+github.com/go-openapi/swag/conv v0.25.4/go.mod h1:3LXfie/lwoAv0NHoEuY1hjoFAYkvlqI/Bn5EQDD3PPU=
-github.com/go-openapi/swag/jsonname v0.26.0 h1:gV1NFX9M8avo0YSpmWogqfQISigCmpaiNci8cGECU5w=
+github.com/go-openapi/swag/jsonname v0.25.4 h1:bZH0+MsS03MbnwBXYhuTttMOqk+5KcQ9869Vye1bNHI=
-github.com/go-openapi/swag/jsonname v0.26.0/go.mod h1:urBBR8bZNoDYGr653ynhIx+gTeIz0ARZxHkAPktJK2M=
+github.com/go-openapi/swag/jsonname v0.25.4/go.mod h1:GPVEk9CWVhNvWhZgrnvRA6utbAltopbKwDu8mXNUMag=
-github.com/go-openapi/swag/jsonutils v0.26.0 h1:FawFML2iAXsPqmERscuMPIHmFsoP1tOqWkxBaKNMsnA=
+github.com/go-openapi/swag/jsonutils v0.25.4 h1:VSchfbGhD4UTf4vCdR2F4TLBdLwHyUDTd1/q4i+jGZA=
-github.com/go-openapi/swag/jsonutils v0.26.0/go.mod h1:2VmA0CJlyFqgawOaPI9psnjFDqzyivIqLYN34t9p91E=
+github.com/go-openapi/swag/jsonutils v0.25.4/go.mod h1:7OYGXpvVFPn4PpaSdPHJBtF0iGnbEaTk8AvBkoWnaAY=
-github.com/go-openapi/swag/jsonutils/fixtures_test v0.26.0 h1:apqeINu/ICHouqiRZbyFvuDge5jCmmLTqGQ9V95EaOM=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.4 h1:IACsSvBhiNJwlDix7wq39SS2Fh7lUOCJRmx/4SN4sVo=
-github.com/go-openapi/swag/jsonutils/fixtures_test v0.26.0/go.mod h1:AyM6QT8uz5IdKxk5akv0y6u4QvcL9GWERt0Jx/F/R8Y=
+github.com/go-openapi/swag/jsonutils/fixtures_test v0.25.4/go.mod h1:Mt0Ost9l3cUzVv4OEZG+WSeoHwjWLnarzMePNDAOBiM=
-github.com/go-openapi/swag/loading v0.26.0 h1:Apg6zaKhCJurpJer0DCxq99qwmhFddBhaMX7kilDcko=
+github.com/go-openapi/swag/loading v0.25.4 h1:jN4MvLj0X6yhCDduRsxDDw1aHe+ZWoLjW+9ZQWIKn2s=
-github.com/go-openapi/swag/loading v0.26.0/go.mod h1:dBxQ/6V2uBaAQdevN18VELE6xSpJWZxLX4txe12JwDg=
+github.com/go-openapi/swag/loading v0.25.4/go.mod h1:rpUM1ZiyEP9+mNLIQUdMiD7dCETXvkkC30z53i+ftTE=
-github.com/go-openapi/swag/stringutils v0.26.0 h1:qZQngLxs5s7SLijc3N2ZO+fUq2o8LjuWAASSrJuh+xg=
+github.com/go-openapi/swag/stringutils v0.25.4 h1:O6dU1Rd8bej4HPA3/CLPciNBBDwZj9HiEpdVsb8B5A8=
-github.com/go-openapi/swag/stringutils v0.26.0/go.mod h1:sWn5uY+QIIspwPhvgnqJsH8xqFT2ZbYcvbcFanRyhFE=
+github.com/go-openapi/swag/stringutils v0.25.4/go.mod h1:GTsRvhJW5xM5gkgiFe0fV3PUlFm0dr8vki6/VSRaZK0=
-github.com/go-openapi/swag/typeutils v0.26.0 h1:2kdEwdiNWy+JJdOvu5MA2IIg2SylWAFuuyQIKYybfq4=
+github.com/go-openapi/swag/typeutils v0.25.4 h1:1/fbZOUN472NTc39zpa+YGHn3jzHWhv42wAJSN91wRw=
-github.com/go-openapi/swag/typeutils v0.26.0/go.mod h1:oovDuIUvTrEHVMqWilQzKzV4YlSKgyZmFh7AlfABNVE=
+github.com/go-openapi/swag/typeutils v0.25.4/go.mod h1:Ou7g//Wx8tTLS9vG0UmzfCsjZjKhpjxayRKTHXf2pTE=
-github.com/go-openapi/swag/yamlutils v0.26.0 h1:H7O8l/8NJJQ/oiReEN+oMpnGMyt8G0hl460nRZxhLMQ=
+github.com/go-openapi/swag/yamlutils v0.25.4 h1:6jdaeSItEUb7ioS9lFoCZ65Cne1/RZtPBZ9A56h92Sw=
-github.com/go-openapi/swag/yamlutils v0.26.0/go.mod h1:1evKEGAtP37Pkwcc7EWMF0hedX0/x3Rkvei2wtG/TbU=
+github.com/go-openapi/swag/yamlutils v0.25.4/go.mod h1:MNzq1ulQu+yd8Kl7wPOut/YHAAU/H6hL91fF+E2RFwc=
-github.com/go-openapi/testify/enable/yaml/v2 v2.4.2 h1:5zRca5jw7lzVREKCZVNBpysDNBjj74rBh0N2BGQbSR0=
+github.com/go-openapi/testify/enable/yaml/v2 v2.0.2 h1:0+Y41Pz1NkbTHz8NngxTuAXxEodtNSI1WG1c/m5Akw4=
-github.com/go-openapi/testify/enable/yaml/v2 v2.4.2/go.mod h1:XVevPw5hUXuV+5AkI1u1PeAm27EQVrhXTTCPAF85LmE=
+github.com/go-openapi/testify/enable/yaml/v2 v2.0.2/go.mod h1:kme83333GCtJQHXQ8UKX3IBZu6z8T5Dvy5+CW3NLUUg=
-github.com/go-openapi/testify/v2 v2.4.2 h1:tiByHpvE9uHrrKjOszax7ZvKB7QOgizBWGBLuq0ePx4=
+github.com/go-openapi/testify/v2 v2.0.2 h1:X999g3jeLcoY8qctY/c/Z8iBHTbwLz7R2WXd6Ub6wls=
-github.com/go-openapi/testify/v2 v2.4.2/go.mod h1:SgsVHtfooshd0tublTtJ50FPKhujf47YRqauXXOUxfw=
+github.com/go-openapi/testify/v2 v2.0.2/go.mod h1:HCPmvFFnheKK2BuwSA0TbbdxJ3I16pjwMkYkP4Ywn54=
 github.com/go-pkgz/routegroup v1.6.0 h1:44XHZgF6JIIldRlv+zjg6SygULASmjifnfIQjwCT0e4=
 github.com/go-pkgz/routegroup v1.6.0/go.mod h1:Pmu04fhgWhRtBMIJ8HXppnnzOPjnL/IEPBIdO2zmeqg=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
@@ -97,23 +97,23 @@ github.com/go-playground/locales v0.14.1 h1:EWaQ/wswjilfKLTECiXz7Rh+3BjFhfDFKv/o
 github.com/go-playground/locales v0.14.1/go.mod h1:hxrqLVvrK65+Rwrd5Fc6F2O76J/NuW9t0sjnWqG1slY=
 github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJnYK9S473LQFuzCbDbfSFY=
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
-github.com/go-playground/validator/v10 v10.30.2 h1:JiFIMtSSHb2/XBUbWM4i/MpeQm9ZK2xqPNk8vgvu5JQ=
+github.com/go-playground/validator/v10 v10.30.1 h1:f3zDSN/zOma+w6+1Wswgd9fLkdwy06ntQJp0BBvFG0w=
-github.com/go-playground/validator/v10 v10.30.2/go.mod h1:mAf2pIOVXjTEBrwUMGKkCWKKPs9NheYGabeB04txQSc=
+github.com/go-playground/validator/v10 v10.30.1/go.mod h1:oSuBIQzuJxL//3MelwSLD5hc2Tu889bF0Idm9Dg26cM=
 github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
 github.com/go-sql-driver/mysql v1.9.3/go.mod h1:qn46aNg1333BRMNU69Lq93t8du/dwxI64Gl8i5p1WMU=
 github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
-github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
-github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/go-webauthn/webauthn v0.16.4 h1:R9jqR/cYZa7hRquFF7Za/8qoH/K/TIs1/Q/4CyGN+1Q=
+github.com/go-webauthn/webauthn v0.15.0 h1:LR1vPv62E0/6+sTenX35QrCmpMCzLeVAcnXeH4MrbJY=
-github.com/go-webauthn/webauthn v0.16.4/go.mod h1:SU2ljAgToTV/YLPI0C05QS4qn+e04WpB5g1RMfcZfS4=
+github.com/go-webauthn/webauthn v0.15.0/go.mod h1:hcAOhVChPRG7oqG7Xj6XKN1mb+8eXTGP/B7zBLzkX5A=
-github.com/go-webauthn/x v0.2.3 h1:8oArS+Rc1SWFLXhE17KZNx258Z4kUSyaDgsSncCO5RA=
+github.com/go-webauthn/x v0.1.26 h1:eNzreFKnwNLDFoywGh9FA8YOMebBWTUNlNSdolQRebs=
-github.com/go-webauthn/x v0.2.3/go.mod h1:tM04GF3V6VYq79AZMl7vbj4q6pz9r7L2criWRzbWhPk=
+github.com/go-webauthn/x v0.1.26/go.mod h1:jmf/phPV6oIsF6hmdVre+ovHkxjDOmNH0t6fekWUxvg=
 github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
-github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
-github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
@@ -121,10 +121,8 @@ github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EO
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/go-tpm v0.9.8 h1:slArAR9Ft+1ybZu0lBwpSmpwhRXaa85hWtMinMyRAWo=
+github.com/google/go-tpm v0.9.7 h1:u89J4tUUeDTlH8xxC3CTW7OHZjbjKoHdQ9W7gCUhtxA=
-github.com/google/go-tpm v0.9.8/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
+github.com/google/go-tpm v0.9.7/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
 github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba h1:qJEJcuLzH5KDR0gKc0zcktin6KSAwL7+jWKBYceddTc=
 github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba/go.mod h1:EFYHy8/1y2KfgTAsx7Luu7NGhoxtuVHnNo8jE7FikKc=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
 github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
@@ -132,8 +130,6 @@ github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/zI+bUmuGM=
 github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
 github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3 h1:2gKiV6YVmrJ1i2CKKa9obLvRieoRGviZFL26PcT/Co8=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
@@ -143,8 +139,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.9.1 h1:uwrxJXBnx76nyISkhr33kQLlUqjv7et7b9FjCen/tdc=
+github.com/jackc/pgx/v5 v5.7.6 h1:rWQc5FwZSPX58r1OQmkuaNicxdmExaEz5A2DO2hUuTk=
-github.com/jackc/pgx/v5 v5.9.1/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
+github.com/jackc/pgx/v5 v5.7.6/go.mod h1:aruU7o91Tc2q2cFp5h4uP3f6ztExVpyVv88Xl/8Vl8M=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jcmturner/aescts/v2 v2.0.0 h1:9YKLH6ey7H4eDBXW8khjYslgyqG2xZikXP0EQFKrle8=
@@ -176,17 +172,17 @@ github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
-github.com/mattn/go-isatty v0.0.21 h1:xYae+lCNBP7QuW4PUnNG61ffM4hVIfm+zUzDuSzYLGs=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.21/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mdlayher/genetlink v1.4.0 h1:f/Xs7Y2T+GyX9b3dbiUhnLE9InGs5F9RxJ2JwBMl71o=
+github.com/mdlayher/genetlink v1.3.2 h1:KdrNKe+CTu+IbZnm/GVUMXSqBBLqcGpRDa0xkQy56gw=
-github.com/mdlayher/genetlink v1.4.0/go.mod h1:d1hrKr8fwZU2JkcAtQUAzeTrI7nbgQSl+5k1cC0biSA=
+github.com/mdlayher/genetlink v1.3.2/go.mod h1:tcC3pkCrPUGIKKsCsp0B3AdaaKuHtaxoJRz3cc+528o=
-github.com/mdlayher/netlink v1.11.0 h1:Cot7ixQZL6P/pxRFB4z3jRdGPYeZosFT+WHS3sMXy8Y=
+github.com/mdlayher/netlink v1.8.0 h1:e7XNIYJKD7hUct3Px04RuIGJbBxy1/c4nX7D5YyvvlM=
-github.com/mdlayher/netlink v1.11.0/go.mod h1:rMwDzh42W85uW3yTtiTRZFX9uway98aDQ5i+D8Jq4g4=
+github.com/mdlayher/netlink v1.8.0/go.mod h1:UhgKXUlDQhzb09DrCl2GuRNEglHmhYoWAHid9HK3594=
-github.com/mdlayher/socket v0.6.0 h1:ScZPaAGyO1icQnbFrhPM8mnXyMu9qukC1K4ZoM2IQKU=
+github.com/mdlayher/socket v0.5.1 h1:VZaqt6RkGkt2OE9l3GcC6nZkqD3xKeQLyfleW/uBcos=
-github.com/mdlayher/socket v0.6.0/go.mod h1:q7vozUAnxSqnjHc12Fik5yUKIzfZ8ITCfMkhOtE9z18=
+github.com/mdlayher/socket v0.5.1/go.mod h1:TjPLHI1UgwEv5J1B5q0zTZq12A/6H7nKmtTanQE37IQ=
 github.com/microsoft/go-mssqldb v1.8.2/go.mod h1:vp38dT33FGfVotRiTmDo3bFyaHq+p3LektQrjTULowo=
-github.com/microsoft/go-mssqldb v1.9.8 h1:d4IFMvF/o+HdpXUqbBfzHvn/NlFA75YGcfHUUvDFJEM=
+github.com/microsoft/go-mssqldb v1.9.5 h1:orwya0X/5bsL1o+KasupTkk2eNTNFkTQG0BEe/HxCn0=
-github.com/microsoft/go-mssqldb v1.9.8/go.mod h1:eGSRSGAW4hKMy5YcAenhCDjIRm2rhqIdmmwgciMzLus=
+github.com/microsoft/go-mssqldb v1.9.5/go.mod h1:VCP2a0KEZZtGLRHd1PsLavLFYy/3xX2yJUPycv3Sr2Q=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721 h1:RlZweED6sbSArvlE924+mUcZuXKLBHA35U7LN621Bws=
 github.com/mikioh/ipaddr v0.0.0-20190404000644-d465c8ab6721/go.mod h1:Ickgr2WtCLZ2MDGd4Gr0geeCH5HybhRJbonOgQpvSxc=
 github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8=
@@ -195,24 +191,22 @@ github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
 github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=
 github.com/philhofer/fwd v1.2.0/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus-community/pro-bing v0.8.0 h1:CEY/g1/AgERRDjxw5P32ikcOgmrSuXs7xon7ovx6mNc=
+github.com/prometheus-community/pro-bing v0.7.0 h1:KFYFbxC2f2Fp6c+TyxbCOEarf7rbnzr9Gw8eIb0RfZA=
-github.com/prometheus-community/pro-bing v0.8.0/go.mod h1:Idyxz8raDO6TgkUN6ByiEGvWJNyQd40kN9ZUeho3lN0=
+github.com/prometheus-community/pro-bing v0.7.0/go.mod h1:Moob9dvlY50Bfq6i88xIwfyw7xLFHH69LUgx9n5zqCE=
 github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
-github.com/prometheus/common v0.67.5 h1:pIgK94WWlQt1WLwAC5j2ynLaBRDiinoAb86HZHTUGI4=
+github.com/prometheus/common v0.67.4 h1:yR3NqWO1/UyO1w2PhUvXlGQs/PtFmoveVO0KZ4+Lvsc=
-github.com/prometheus/common v0.67.5/go.mod h1:SjE/0MzDEEAyrdr5Gqc6G+sXI67maCxzaT3A2+HqjUw=
+github.com/prometheus/common v0.67.4/go.mod h1:gP0fq6YjjNCLssJCQp0yk4M8W6ikLURwkdd/YKtTbyI=
-github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc=
+github.com/prometheus/procfs v0.19.2 h1:zUMhqEW66Ex7OXIiDkll3tl9a1ZdilUOd/F6ZXw4Vws=
-github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo=
+github.com/prometheus/procfs v0.19.2/go.mod h1:M0aotyiemPhBCM0z5w87kL22CxfcH05ZpYlu+b4J7mw=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
@@ -236,8 +230,6 @@ github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/swaggo/swag v1.16.6 h1:qBNcx53ZaX+M5dxVyTrgQ0PJ/ACK+NzhwcbieTt+9yI=
 github.com/swaggo/swag v1.16.6/go.mod h1:ngP2etMK5a0P3QBizic5MEwpRmluJZPHjXcMoj4Xesg=
 github.com/tinylib/msgp v1.6.4 h1:mOwYbyYDLPj35mkA2BjjYejgJk9BuHxDdvRnb6v2ZcQ=
 github.com/tinylib/msgp v1.6.4/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77roAqEA=
 github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208/go.mod h1:BzWtXXrXzZUvMacR0oF/fbDDgUPO8L36tDMmRAf14ns=
 github.com/toorop/go-dkim v0.0.0-20250226130143-9025cce95817 h1:q0hKh5a5FRkhuTb5JNfgjzpzvYLHjH0QOgPZPYnRWGA=
 github.com/toorop/go-dkim v0.0.0-20250226130143-9025cce95817/go.mod h1:BzWtXXrXzZUvMacR0oF/fbDDgUPO8L36tDMmRAf14ns=
@@ -262,8 +254,8 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
 go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
-go.yaml.in/yaml/v2 v2.4.4 h1:tuyd0P+2Ont/d6e2rl3be67goVK4R6deVxCUX5vyPaQ=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
-go.yaml.in/yaml/v2 v2.4.4/go.mod h1:gMZqIpDtDqOfM0uNfy0SkpRhvUryYH0Z6wdMYcacYXQ=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -278,16 +270,18 @@ golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOM
 golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
-golang.org/x/crypto v0.50.0 h1:zO47/JPrL6vsNkINmLoo/PH1gcxpls50DNogFvB5ZGI=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
-golang.org/x/crypto v0.50.0/go.mod h1:3muZ7vA7PBCE6xgPX7nkzzjiUq87kRItoJQM1Yo8S+Q=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
 golang.org/x/exp v0.0.0-20251209150349-8475f28825e9 h1:MDfG8Cvcqlt9XXrmEiD4epKn7VJHZO84hejP9Jmp0MM=
 golang.org/x/exp v0.0.0-20251209150349-8475f28825e9/go.mod h1:EPRbTFwzwjXj9NpYyyrvenVh9Y+GFeEvMNh7Xuz7xgU=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.9.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
@@ -305,10 +299,10 @@ golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/net v0.53.0 h1:d+qAbo5L0orcWAr0a9JweQpjXF19LMXJE8Ey7hwOdUA=
+golang.org/x/net v0.48.0 h1:zyQRTTrjc33Lhh0fBgT/H3oZq9WuvRR5gPC70xpDiQU=
-golang.org/x/net v0.53.0/go.mod h1:JvMuJH7rrdiCfbeHoo3fCQU24Lf5JJwT9W3sJFulfgs=
+golang.org/x/net v0.48.0/go.mod h1:+ndRgGjkh8FGtu1w1FGbEC31if4VrNVMuKTgcAAnQRY=
-golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.34.0 h1:hqK/t4AKgbqWkdkcAeI8XLmbK+4m4G5YeQRrmiotGlw=
-golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
+golang.org/x/oauth2 v0.34.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -316,8 +310,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -338,8 +332,8 @@ golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.43.0 h1:Rlag2XtaFTxp19wS8MXlJwTvoh8ArU6ezoyFsMyCTNI=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
-golang.org/x/sys v0.43.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -368,23 +362,23 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
-golang.org/x/text v0.36.0 h1:JfKh3XmcRPqZPKevfXVpI1wXPTqbkE5f7JA92a55Yxg=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
-golang.org/x/text v0.36.0/go.mod h1:NIdBknypM8iqVmPiuco0Dh6P5Jcdk8lJL0CUebqK164=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
-golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
+golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb h1:whnFRlWMcXI9d+ZbWg+4sHnLp52d5yiIPUxMBSt4X9A=
 golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb/go.mod h1:rpwXGsirqLqN2L0JDJQlwOboGHmptD5ZD6T2VmcqhTw=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10 h1:3GDAcqdIg1ozBNLgPy4SLT84nfcBjr6rhGtXYtrkWLU=
 golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10/go.mod h1:T97yPqesLiNrOYxkwmhMI0ZIlJDm+p0PMR8eRVeR5tQ=
-google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.10 h1:AYd7cD/uASjIL6Q9LiTjz8JLcrh/88q5UObnmY3aOOE=
-google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/protobuf v1.36.10/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -404,20 +398,20 @@ gorm.io/driver/sqlserver v1.6.3/go.mod h1:VZeNn7hqX1aXoN5TPAFGWvxWG90xtA8erGn2gQ
 gorm.io/gorm v1.30.0/go.mod h1:8Z33v652h4//uMA76KjeDH8mJXPm1QNCYrMeatR0DOE=
 gorm.io/gorm v1.31.1 h1:7CA8FTFz/gRfgqgpeKIBcervUn3xSyPUmr6B2WXJ7kg=
 gorm.io/gorm v1.31.1/go.mod h1:XyQVbO2k6YkOis7C2437jSit3SsDK72s7n7rsSHd+Gs=
-modernc.org/cc/v4 v4.27.3 h1:uNCgn37E5U09mTv1XgskEVUJ8ADKpmFMPxzGJ0TSo+U=
+modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=
-modernc.org/cc/v4 v4.27.3/go.mod h1:3YjcbCqhoTTHPycJDRl2WZKKFj0nwcOIPBfEZK0Hdk8=
+modernc.org/cc/v4 v4.27.1/go.mod h1:uVtb5OGqUKpoLWhqwNQo/8LwvoiEBLvZXIQ/SmO6mL0=
-modernc.org/ccgo/v4 v4.32.4 h1:L5OB8rpEX4ZsXEQwGozRfJyJSFHbbNVOoQ59DU9/KuU=
+modernc.org/ccgo/v4 v4.30.1 h1:4r4U1J6Fhj98NKfSjnPUN7Ze2c6MnAdL0hWw6+LrJpc=
-modernc.org/ccgo/v4 v4.32.4/go.mod h1:lY7f+fiTDHfcv6YlRgSkxYfhs+UvOEEzj49jAn2TOx0=
+modernc.org/ccgo/v4 v4.30.1/go.mod h1:bIOeI1JL54Utlxn+LwrFyjCx2n2RDiYEaJVSrgdrRfM=
-modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
+modernc.org/fileutil v1.3.40 h1:ZGMswMNc9JOCrcrakF1HrvmergNLAmxOPjizirpfqBA=
-modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
+modernc.org/fileutil v1.3.40/go.mod h1:HxmghZSZVAz/LXcMNwZPA/DRrQZEVP9VX0V4LQGQFOc=
 modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
 modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
-modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
+modernc.org/gc/v3 v3.1.1 h1:k8T3gkXWY9sEiytKhcgyiZ2L0DTyCQ/nvX+LoCljoRE=
-modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
+modernc.org/gc/v3 v3.1.1/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
 modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
 modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
-modernc.org/libc v1.72.0 h1:IEu559v9a0XWjw0DPoVKtXpO2qt5NVLAnFaBbjq+n8c=
+modernc.org/libc v1.67.1 h1:bFaqOaa5/zbWYJo8aW0tXPX21hXsngG2M7mckCnFSVk=
-modernc.org/libc v1.72.0/go.mod h1:tTU8DL8A+XLVkEY3x5E/tO7s2Q/q42EtnNWda/L5QhQ=
+modernc.org/libc v1.67.1/go.mod h1:QvvnnJ5P7aitu0ReNpVIEyesuhmDLQ8kaEoyMjIFZJA=
 modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
 modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
 modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
@@ -426,8 +420,8 @@ modernc.org/opt v0.1.4 h1:2kNGMRiUjrp4LcaPuLY2PzUfqM/w9N23quVwhKt5Qm8=
 modernc.org/opt v0.1.4/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
 modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
 modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
-modernc.org/sqlite v1.48.2 h1:5CnW4uP8joZtA0LedVqLbZV5GD7F/0x91AXeSyjoh5c=
+modernc.org/sqlite v1.40.1 h1:VfuXcxcUWWKRBuP8+BR9L7VnmusMgBNNnBYGEe9w/iY=
-modernc.org/sqlite v1.48.2/go.mod h1:hWjRO6Tj/5Ik8ieqxQybiEOUXy0NJFNp2tpvVpKlvig=
+modernc.org/sqlite v1.40.1/go.mod h1:9fjQZ0mB1LLP0GYrp39oOJXx/I2sxEnZtzCmEQIKvGE=
 modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
 modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
 modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
--- a/internal/adapters/database.go
+++ b/internal/adapters/database.go
@@ -232,26 +232,28 @@ func (r *SqlRepo) migrate() error {
 	slog.Debug("running migration: interface status", "result", r.db.AutoMigrate(&domain.InterfaceStatus{}))
 	slog.Debug("running migration: audit data", "result", r.db.AutoMigrate(&domain.AuditEntry{}))
-	var existingSysStat SysStat
+	existingSysStat := SysStat{}
 	var err error
 	r.db.Order("schema_version desc").First(&existingSysStat) // get latest version
 	// Migration: 0 --> 1
 	if existingSysStat.SchemaVersion == 0 {
 		const schemaVersion = 1
-		existingSysStat, err = r.addMigration(schemaVersion) // ensure that follow-up checks test against the latest version
+		sysStat := SysStat{
-		if err != nil {
+			MigratedAt:    time.Now(),
-			return err
+			SchemaVersion: schemaVersion,
 		}
 		if err := r.db.Create(&sysStat).Error; err != nil {
 			return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
 		}
 		slog.Debug("sys-stat entry written", "schema_version", schemaVersion)
 		existingSysStat = sysStat // ensure that follow-up checks test against the latest version
 	}
 	// Migration: 1 --> 2
 	if existingSysStat.SchemaVersion == 1 {
 		const schemaVersion = 2
 		// Preserve existing behavior for installations that had default-peer-creation enabled.
-		if r.cfg.DefaultPeerCreationEnabled() {
+		if r.cfg.Core.CreateDefaultPeer {
 			err := r.db.Model(&domain.Interface{}).
 				Where("type = ?", domain.InterfaceTypeServer).
 				Update("create_default_peer", true).Error
@@ -260,10 +262,14 @@ func (r *SqlRepo) migrate() error {
 			}
 			slog.Debug("migrated interface create_default_peer flags", "schema_version", schemaVersion)
 		}
-		existingSysStat, err = r.addMigration(schemaVersion) // ensure that follow-up checks test against the latest version
+		sysStat := SysStat{
-		if err != nil {
+			MigratedAt:    time.Now(),
-			return err
+			SchemaVersion: schemaVersion,
 		}
 		if err := r.db.Create(&sysStat).Error; err != nil {
 			return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
 		}
 		existingSysStat = sysStat // ensure that follow-up checks test against the latest version
 	}
 	// Migration: 2 --> 3
@@ -301,43 +307,17 @@ func (r *SqlRepo) migrate() error {
 		if err != nil {
 			return fmt.Errorf("failed to migrate to multi-auth: %w", err)
 		}
 		existingSysStat, err = r.addMigration(schemaVersion) // ensure that follow-up checks test against the latest version
 		if err != nil {
 			return err
 		}
 	}
 	// Migration: 3 --> 4
 	if existingSysStat.SchemaVersion == 3 {
 		const schemaVersion = 4
 		cutoff := time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
 		// Fix zero created_at timestamps for users. Set the to the last known update timestamp.
 		err := r.db.Model(&domain.User{}).Where("created_at < ?", cutoff).
 			Update("created_at", gorm.Expr("updated_at")).Error
 		if err != nil {
 			slog.Warn("failed to fix zero created_at for users", "error", err)
 		}
 		slog.Debug("fixed zero created_at timestamps for users", "schema_version", schemaVersion)
 		existingSysStat, err = r.addMigration(schemaVersion) // ensure that follow-up checks test against the latest version
 		if err != nil {
 			return err
 		}
 	}
 	return nil
 }
 func (r *SqlRepo) addMigration(schemaVersion uint64) (SysStat, error) {
 		sysStat := SysStat{
 			MigratedAt:    time.Now(),
 			SchemaVersion: schemaVersion,
 		}
 		if err := r.db.Create(&sysStat).Error; err != nil {
-		return SysStat{}, fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
+			return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
 		}
-	return sysStat, nil
+		existingSysStat = sysStat // ensure that follow-up checks test against the latest version
 	}
 	return nil
 }
 // region interfaces
@@ -502,7 +482,7 @@ func (r *SqlRepo) getOrCreateInterface(
 		Identifier: id,
 	}
-	err := tx.Preload("Addresses").Attrs(interfaceDefaults).FirstOrCreate(&in, id).Error
+	err := tx.Attrs(interfaceDefaults).FirstOrCreate(&in, id).Error
 	if err != nil {
 		return nil, err
 	}
@@ -711,7 +691,7 @@ func (r *SqlRepo) getOrCreatePeer(ui *domain.ContextUserInfo, tx *gorm.DB, id do
 		Identifier: id,
 	}
-	err := tx.Preload("Addresses").Attrs(interfaceDefaults).FirstOrCreate(&peer, id).Error
+	err := tx.Attrs(interfaceDefaults).FirstOrCreate(&peer, id).Error
 	if err != nil {
 		return nil, err
 	}
--- a/internal/adapters/database_created_at_test.go
+++ b/internal/adapters/database_created_at_test.go
@@ -1,168 +0,0 @@
 package adapters
 import (
 	"context"
 	"testing"
 	"time"
 	"github.com/glebarez/sqlite"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"gorm.io/gorm"
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
 )
 func newTestDB(t *testing.T) *gorm.DB {
 	t.Helper()
 	db, err := gorm.Open(sqlite.Open("file::memory:"), &gorm.Config{})
 	require.NoError(t, err)
 	return db
 }
 func TestUpsertUser_SetsCreatedAtWhenZero(t *testing.T) {
 	db := newTestDB(t)
 	require.NoError(t, db.AutoMigrate(&domain.User{}, &domain.UserAuthentication{}, &domain.UserWebauthnCredential{}))
 	repo := &SqlRepo{db: db, cfg: &config.Config{}}
 	ui := domain.SystemAdminContextUserInfo()
 	user := &domain.User{
 		Identifier: "test-user",
 		Email:      "test@example.com",
 		// CreatedAt is zero
 	}
 	err := repo.upsertUser(ui, db, user)
 	require.NoError(t, err)
 	assert.False(t, user.CreatedAt.IsZero(), "CreatedAt should be set when it was zero")
 	assert.Equal(t, ui.UserId(), user.UpdatedBy, "UpdatedBy should be set when it was empty")
 	assert.WithinDuration(t, user.UpdatedAt, user.CreatedAt, time.Second,
 		"CreatedAt should be close to UpdatedAt for new user")
 }
 func TestUpsertUser_PreservesExistingCreatedAt(t *testing.T) {
 	db := newTestDB(t)
 	require.NoError(t, db.AutoMigrate(&domain.User{}, &domain.UserAuthentication{}, &domain.UserWebauthnCredential{}))
 	repo := &SqlRepo{db: db, cfg: &config.Config{}}
 	ui := domain.SystemAdminContextUserInfo()
 	originalTime := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)
 	user := &domain.User{
 		Identifier: "test-user",
 		Email:      "test@example.com",
 		BaseModel: domain.BaseModel{
 			CreatedAt: originalTime,
 			CreatedBy: "original-creator",
 		},
 	}
 	err := repo.upsertUser(ui, db, user)
 	require.NoError(t, err)
 	assert.Equal(t, originalTime, user.CreatedAt, "CreatedAt should not be overwritten")
 	assert.Equal(t, "original-creator", user.CreatedBy, "CreatedBy should not be overwritten")
 }
 func TestSaveUser_NewUserGetsCreatedAt(t *testing.T) {
 	db := newTestDB(t)
 	require.NoError(t, db.AutoMigrate(&domain.User{}, &domain.UserAuthentication{}, &domain.UserWebauthnCredential{}))
 	repo := &SqlRepo{db: db, cfg: &config.Config{}}
 	ctx := domain.SetUserInfo(context.Background(), domain.SystemAdminContextUserInfo())
 	before := time.Now().Add(-time.Second)
 	err := repo.SaveUser(ctx, "new-user", func(u *domain.User) (*domain.User, error) {
 		u.Email = "new@example.com"
 		return u, nil
 	})
 	require.NoError(t, err)
 	var saved domain.User
 	require.NoError(t, db.First(&saved, "identifier = ?", "new-user").Error)
 	assert.False(t, saved.CreatedAt.IsZero(), "CreatedAt should not be zero")
 	assert.True(t, saved.CreatedAt.After(before), "CreatedAt should be recent")
 	assert.NotEmpty(t, saved.CreatedBy, "CreatedBy should be set")
 }
 func TestMigration_FixesZeroCreatedAt(t *testing.T) {
 	db := newTestDB(t)
 	// Manually create tables and seed schema version 3
 	require.NoError(t, db.AutoMigrate(
 		&SysStat{},
 		&domain.User{},
 		&domain.UserAuthentication{},
 		&domain.Interface{},
 		&domain.Cidr{},
 		&domain.Peer{},
 		&domain.AuditEntry{},
 		&domain.UserWebauthnCredential{},
 	))
 	// Insert schema versions 1, 2, 3 so migration starts at 3
 	for v := uint64(1); v <= 3; v++ {
 		require.NoError(t, db.Create(&SysStat{SchemaVersion: v, MigratedAt: time.Now()}).Error)
 	}
 	updatedAt := time.Date(2025, 6, 15, 10, 0, 0, 0, time.UTC)
 	// Insert a user with zero created_at but valid updated_at
 	require.NoError(t, db.Exec(
 		"INSERT INTO users (identifier, email, created_at, updated_at) VALUES (?, ?, ?, ?)",
 		"zero-user", "zero@example.com", time.Time{}, updatedAt,
 	).Error)
 	// Run migration
 	repo := &SqlRepo{db: db, cfg: &config.Config{}}
 	require.NoError(t, repo.migrate())
 	// Verify created_at was backfilled from updated_at
 	var user domain.User
 	require.NoError(t, db.First(&user, "identifier = ?", "zero-user").Error)
 	assert.Equal(t, updatedAt, user.CreatedAt, "created_at should be backfilled from updated_at")
 	// Verify schema version advanced to 4
 	var latest SysStat
 	require.NoError(t, db.Order("schema_version DESC").First(&latest).Error)
 	assert.Equal(t, uint64(4), latest.SchemaVersion)
 }
 func TestMigration_DoesNotTouchValidCreatedAt(t *testing.T) {
 	db := newTestDB(t)
 	require.NoError(t, db.AutoMigrate(
 		&SysStat{},
 		&domain.User{},
 		&domain.UserAuthentication{},
 		&domain.Interface{},
 		&domain.Cidr{},
 		&domain.Peer{},
 		&domain.AuditEntry{},
 		&domain.UserWebauthnCredential{},
 	))
 	for v := uint64(1); v <= 3; v++ {
 		require.NoError(t, db.Create(&SysStat{SchemaVersion: v, MigratedAt: time.Now()}).Error)
 	}
 	createdAt := time.Date(2024, 3, 1, 8, 0, 0, 0, time.UTC)
 	updatedAt := time.Date(2025, 6, 15, 10, 0, 0, 0, time.UTC)
 	require.NoError(t, db.Exec(
 		"INSERT INTO users (identifier, email, created_at, updated_at) VALUES (?, ?, ?, ?)",
 		"valid-user", "valid@example.com", createdAt, updatedAt,
 	).Error)
 	repo := &SqlRepo{db: db, cfg: &config.Config{}}
 	require.NoError(t, repo.migrate())
 	var user domain.User
 	require.NoError(t, db.First(&user, "identifier = ?", "valid-user").Error)
 	assert.Equal(t, createdAt, user.CreatedAt, "valid created_at should not be modified")
 }
--- a/internal/adapters/database_simple_test.go
+++ b/internal/adapters/database_simple_test.go
@@ -1,73 +0,0 @@
 package adapters
 import (
 	"context"
 	"reflect"
 	"testing"
 	"github.com/glebarez/sqlite"
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
 	"github.com/stretchr/testify/require"
 	"gorm.io/gorm"
 	"gorm.io/gorm/schema"
 )
 func init() {
 	schema.RegisterSerializer("encstr", dummySerializer{})
 }
 type dummySerializer struct{}
 func (dummySerializer) Scan(ctx context.Context, field *schema.Field, dst reflect.Value, dbValue any) error {
 	return nil
 }
 func (dummySerializer) Value(ctx context.Context, field *schema.Field, dst reflect.Value, fieldValue any) (any, error) {
 	if fieldValue == nil {
 		return nil, nil
 	}
 	if v, ok := fieldValue.(string); ok {
 		return v, nil
 	}
 	if v, ok := fieldValue.(domain.PreSharedKey); ok {
 		return string(v), nil
 	}
 	return fieldValue, nil
 }
 func TestSqlRepo_SaveInterface_Simple(t *testing.T) {
 	// Initialize in-memory database
 	db, err := gorm.Open(sqlite.Open("file::memory:?cache=shared"), &gorm.Config{})
 	require.NoError(t, err)
 	// Migrate only what's needed for this test (avoids Peer and its encstr serializer)
 	require.NoError(t, db.AutoMigrate(&domain.Interface{}, &domain.Cidr{}))
 	repo := &SqlRepo{db: db, cfg: &config.Config{}}
 	ctx := domain.SetUserInfo(context.Background(), domain.SystemAdminContextUserInfo())
 	ifaceId := domain.InterfaceIdentifier("wg0")
 	// 1. Create an interface with one address
 	addr, _ := domain.CidrFromString("10.0.0.1/24")
 	initialIface := &domain.Interface{
 		Identifier: ifaceId,
 		Addresses:  []domain.Cidr{addr},
 	}
 	require.NoError(t, db.Create(initialIface).Error)
 	// 2. Perform a "partial" update using SaveInterface (this is the buggy path)
 	err = repo.SaveInterface(ctx, ifaceId, func(in *domain.Interface) (*domain.Interface, error) {
 		in.DisplayName = "New Name"
 		return in, nil
 	})
 	require.NoError(t, err)
 	// 3. Verify that the address was NOT deleted
 	var finalIface domain.Interface
 	require.NoError(t, db.Preload("Addresses").First(&finalIface, "identifier = ?", ifaceId).Error)
 	require.Equal(t, "New Name", finalIface.DisplayName)
 	require.Len(t, finalIface.Addresses, 1, "Address list should still have 1 entry!")
 	require.Equal(t, "10.0.0.1/24", finalIface.Addresses[0].Cidr)
 }
--- a/internal/adapters/metrics.go
+++ b/internal/adapters/metrics.go
@@ -30,7 +30,7 @@ type MetricsServer struct {
 // Wireguard metrics labels
 var (
 	ifaceLabels = []string{"interface"}
-	peerLabels  = []string{"interface", "addresses", "id", "name", "user"}
+	peerLabels  = []string{"interface", "addresses", "id", "name"}
 )
 // NewMetricsServer returns a new prometheus server
@@ -126,7 +126,6 @@ func (m *MetricsServer) UpdatePeerMetrics(peer *domain.Peer, status domain.PeerS
 		peer.Interface.AddressStr(),
 		string(status.PeerId),
 		peer.DisplayName,
 		string(peer.UserIdentifier),
 	}
 	if status.LastHandshake != nil {
--- a/internal/adapters/wgcontroller/local.go
+++ b/internal/adapters/wgcontroller/local.go
@@ -626,7 +626,7 @@ func (c LocalController) exec(command string, interfaceId domain.InterfaceIdenti
 	if err != nil {
 		slog.Warn("failed to executed shell command",
 			"command", commandWithInterfaceName, "stdin", stdin, "output", string(out), "error", err)
-		return fmt.Errorf("failed to execute shell command %s: %w", commandWithInterfaceName, err)
+		return fmt.Errorf("failed to exexute shell command %s: %w", commandWithInterfaceName, err)
 	}
 	slog.Debug("executed shell command",
 		"command", commandWithInterfaceName,
--- a/internal/app/api/core/middleware/logging/writer.go
+++ b/internal/app/api/core/middleware/logging/writer.go
@@ -1,8 +1,6 @@
 package logging
 import (
 	"bufio"
 	"net"
 	"net/http"
 )
@@ -40,12 +38,6 @@ func (w *writerWrapper) Write(data []byte) (int, error) {
 	return n, err
 }
 // Hijack wraps the Hijack method of the ResponseWriter and returns the hijacked connection.
 // This is required for websockets to work.
 func (w *writerWrapper) Hijack() (net.Conn, *bufio.ReadWriter, error) {
 	return http.NewResponseController(w.ResponseWriter).Hijack()
 }
 // newWriterWrapper returns a new writerWrapper that wraps the given http.ResponseWriter.
 // It initializes the StatusCode to http.StatusOK.
 func newWriterWrapper(w http.ResponseWriter) *writerWrapper {
--- a/internal/app/api/v0/backend/interface_service.go
+++ b/internal/app/api/v0/backend/interface_service.go
@@ -2,7 +2,6 @@ package backend
 import (
 	"context"
 	"fmt"
 	"io"
 	"github.com/h44z/wg-portal/internal/config"
@@ -19,7 +18,6 @@ type InterfaceServiceInterfaceManager interface {
 	DeleteInterface(ctx context.Context, id domain.InterfaceIdentifier) error
 	PrepareInterface(ctx context.Context) (*domain.Interface, error)
 	ApplyPeerDefaults(ctx context.Context, in *domain.Interface) error
 	CreateDefaultPeers(ctx context.Context, id domain.InterfaceIdentifier) error
 }
 type InterfaceServiceConfigFileManager interface {
@@ -91,10 +89,3 @@ func (i InterfaceService) PersistInterfaceConfig(ctx context.Context, id domain.
 func (i InterfaceService) ApplyPeerDefaults(ctx context.Context, in *domain.Interface) error {
 	return i.interfaces.ApplyPeerDefaults(ctx, in)
 }
 func (i InterfaceService) CreateDefaultPeers(ctx context.Context, id domain.InterfaceIdentifier) error {
 	if !i.cfg.DefaultPeerCreationEnabled() {
 		return fmt.Errorf("default peer creation is not enabled")
 	}
 	return i.interfaces.CreateDefaultPeers(ctx, id)
 }
--- a/internal/app/api/v0/backend/user_service.go
+++ b/internal/app/api/v0/backend/user_service.go
@@ -54,17 +54,6 @@ func (u UserService) GetAllUsers(ctx context.Context) ([]domain.User, error) {
 }
 func (u UserService) UpdateUser(ctx context.Context, user *domain.User) (*domain.User, error) {
 	sessionUser := domain.GetUserInfo(ctx)
 	currentUser, err := u.users.GetUser(ctx, user.Identifier)
 	if err != nil {
 		return nil, err
 	}
 	// if this endpoint is used by non-admins, make sure that the user can only modify a specific subset of attributes
 	if !sessionUser.IsAdmin {
 		user.CopyAdminAttributes(currentUser, u.cfg.Advanced.ApiAdminOnly)
 	}
 	return u.users.UpdateUser(ctx, user)
 }
--- a/internal/app/api/v0/handlers/endpoint_authentication.go
+++ b/internal/app/api/v0/handlers/endpoint_authentication.go
@@ -6,6 +6,7 @@ import (
 	"net/http"
 	"net/url"
 	"strconv"
 	"strings"
 	"time"
 	"github.com/go-pkgz/routegroup"
@@ -25,9 +26,7 @@ type AuthenticationService interface {
 	// OauthLoginStep1 initiates the OAuth login flow.
 	OauthLoginStep1(_ context.Context, providerId string) (authCodeUrl, state, nonce string, err error)
 	// OauthLoginStep2 completes the OAuth login flow and logins the user in.
-	OauthLoginStep2(ctx context.Context, providerId, nonce, code string) (*domain.User, string, error)
+	OauthLoginStep2(ctx context.Context, providerId, nonce, code string) (*domain.User, error)
 	// OauthProviderLogoutUrl returns an IdP logout URL for the given provider if supported.
 	OauthProviderLogoutUrl(providerId, idTokenHint, postLogoutRedirectUri string) (string, bool)
 }
 type WebAuthnService interface {
@@ -333,7 +332,7 @@ func (e AuthEndpoint) handleOauthCallbackGet() http.HandlerFunc {
 		}
 		loginCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second) // avoid long waits
-		user, idTokenHint, err := e.authService.OauthLoginStep2(loginCtx, provider, currentSession.OauthNonce,
+		user, err := e.authService.OauthLoginStep2(loginCtx, provider, currentSession.OauthNonce,
 			oauthCode)
 		cancel()
 		if err != nil {
@@ -348,7 +347,7 @@ func (e AuthEndpoint) handleOauthCallbackGet() http.HandlerFunc {
 			return
 		}
-		e.setAuthenticatedUser(r, user, provider, idTokenHint)
+		e.setAuthenticatedUser(r, user)
 		if returnUrl != nil && e.isValidReturnUrl(returnUrl.String()) {
 			queryParams := returnUrl.Query()
@@ -361,7 +360,7 @@ func (e AuthEndpoint) handleOauthCallbackGet() http.HandlerFunc {
 	}
 }
-func (e AuthEndpoint) setAuthenticatedUser(r *http.Request, user *domain.User, oauthProvider, idTokenHint string) {
+func (e AuthEndpoint) setAuthenticatedUser(r *http.Request, user *domain.User) {
 	// start a fresh session
 	e.session.DestroyData(r.Context())
@@ -376,9 +375,8 @@ func (e AuthEndpoint) setAuthenticatedUser(r *http.Request, user *domain.User, o
 	currentSession.OauthState = ""
 	currentSession.OauthNonce = ""
-	currentSession.OauthProvider = oauthProvider
+	currentSession.OauthProvider = ""
 	currentSession.OauthReturnTo = ""
 	currentSession.OauthIdToken = idTokenHint
 	e.session.SetData(r.Context(), currentSession)
 }
@@ -421,7 +419,7 @@ func (e AuthEndpoint) handleLoginPost() http.HandlerFunc {
 			return
 		}
-		e.setAuthenticatedUser(r, user, "", "")
+		e.setAuthenticatedUser(r, user)
 		respond.JSON(w, http.StatusOK, user)
 	}
@@ -433,49 +431,25 @@ func (e AuthEndpoint) handleLoginPost() http.HandlerFunc {
 // @Tags Authentication
 // @Summary Get all available external login providers.
 // @Produce json
-// @Success 200 {object} model.LogoutResponse
+// @Success 200 {object} model.Error
 // @Router /auth/logout [post]
 func (e AuthEndpoint) handleLogoutPost() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		currentSession := e.session.GetData(r.Context())
 		if !currentSession.LoggedIn { // Not logged in
-			respond.JSON(w, http.StatusOK, model.LogoutResponse{Message: "not logged in"})
+			respond.JSON(w, http.StatusOK, model.Error{Code: http.StatusOK, Message: "not logged in"})
 			return
 		}
 		postLogoutRedirectUri := e.cfg.Web.ExternalUrl
 		if e.cfg.Web.BasePath != "" {
 			postLogoutRedirectUri += e.cfg.Web.BasePath
 		}
 		postLogoutRedirectUri += "/#/login"
 		var redirectUrl *string
 		if currentSession.OauthProvider != "" {
 			if idpLogoutUrl, ok := e.authService.OauthProviderLogoutUrl(currentSession.OauthProvider,
 				currentSession.OauthIdToken, postLogoutRedirectUri); ok {
 				redirectUrl = &idpLogoutUrl
 			}
 		}
 		e.session.DestroyData(r.Context())
-		respond.JSON(w, http.StatusOK, model.LogoutResponse{Message: "logout ok", RedirectUrl: redirectUrl})
+		respond.JSON(w, http.StatusOK, model.Error{Code: http.StatusOK, Message: "logout ok"})
 	}
 }
 // isValidReturnUrl checks if the given return URL matches the configured external URL of the application.
 func (e AuthEndpoint) isValidReturnUrl(returnUrl string) bool {
-	expectedUrl, err := url.Parse(e.cfg.Web.ExternalUrl)
+	if !strings.HasPrefix(returnUrl, e.cfg.Web.ExternalUrl) {
 	if err != nil {
 		return false
 	}
 	returnUrlParsed, err := url.Parse(returnUrl)
 	if err != nil {
 		return false
 	}
 	if returnUrlParsed.Scheme != expectedUrl.Scheme || returnUrlParsed.Host != expectedUrl.Host {
 		return false
 	}
@@ -710,7 +684,7 @@ func (e AuthEndpoint) handleWebAuthnLoginFinish() http.HandlerFunc {
 			return
 		}
-		e.setAuthenticatedUser(r, user, "", "")
+		e.setAuthenticatedUser(r, user)
 		respond.JSON(w, http.StatusOK, model.NewUser(user, false))
 	}
--- a/internal/app/api/v0/handlers/endpoint_config.go
+++ b/internal/app/api/v0/handlers/endpoint_config.go
@@ -145,7 +145,7 @@ func (e ConfigEndpoint) handleSettingsGet() http.HandlerFunc {
 				MinPasswordLength:         e.cfg.Auth.MinPasswordLength,
 				AvailableBackends:         controllerFn(),
 				LoginFormVisible:          !e.cfg.Auth.HideLoginForm || !hasSocialLogin,
-				CreateDefaultPeer:         e.cfg.DefaultPeerCreationEnabled(),
+				CreateDefaultPeer:         e.cfg.Core.CreateDefaultPeer,
 			})
 		}
 	}
--- a/internal/app/api/v0/handlers/endpoint_interfaces.go
+++ b/internal/app/api/v0/handlers/endpoint_interfaces.go
@@ -33,8 +33,6 @@ type InterfaceService interface {
 	PersistInterfaceConfig(ctx context.Context, id domain.InterfaceIdentifier) error
 	// ApplyPeerDefaults applies the peer defaults to all peers of the given interface.
 	ApplyPeerDefaults(ctx context.Context, in *domain.Interface) error
 	// CreateDefaultPeers creates default peers for all existing users on the given interface.
 	CreateDefaultPeers(ctx context.Context, id domain.InterfaceIdentifier) error
 }
 type InterfaceEndpoint struct {
@@ -75,7 +73,6 @@ func (e InterfaceEndpoint) RegisterRoutes(g *routegroup.Bundle) {
 	apiGroup.HandleFunc("GET /config/{id}", e.handleConfigGet())
 	apiGroup.HandleFunc("POST /{id}/save-config", e.handleSaveConfigPost())
 	apiGroup.HandleFunc("POST /{id}/apply-peer-defaults", e.handleApplyPeerDefaultsPost())
 	apiGroup.HandleFunc("POST /{id}/create-default-peers", e.handleCreateDefaultPeersPost())
 	apiGroup.HandleFunc("GET /peers/{id}", e.handlePeersGet())
 }
@@ -424,34 +421,3 @@ func (e InterfaceEndpoint) handleApplyPeerDefaultsPost() http.HandlerFunc {
 		respond.Status(w, http.StatusNoContent)
 	}
 }
 // handleCreateDefaultPeersPost returns a gorm Handler function.
 //
 // @ID interfaces_handleCreateDefaultPeersPost
 // @Tags Interface
 // @Summary Create default peers for all existing users on the given interface.
 // @Produce json
 // @Param id path string true "The interface identifier"
 // @Success 204 "No content if creating the default peers was successful"
 // @Failure 400 {object} model.Error
 // @Failure 500 {object} model.Error
 // @Router /interface/{id}/create-default-peers [post]
 func (e InterfaceEndpoint) handleCreateDefaultPeersPost() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		id := Base64UrlDecode(request.Path(r, "id"))
 		if id == "" {
 			respond.JSON(w, http.StatusBadRequest,
 				model.Error{Code: http.StatusBadRequest, Message: "missing interface id"})
 			return
 		}
 		if err := e.interfaceService.CreateDefaultPeers(r.Context(), domain.InterfaceIdentifier(id)); err != nil {
 			respond.JSON(w, http.StatusInternalServerError, model.Error{
 				Code: http.StatusInternalServerError, Message: err.Error(),
 			})
 			return
 		}
 		respond.Status(w, http.StatusNoContent)
 	}
 }
--- a/internal/app/api/v0/handlers/endpoint_websocket.go
+++ b/internal/app/api/v0/handlers/endpoint_websocket.go
@@ -1,100 +0,0 @@
 package handlers
 import (
 	"context"
 	"net/http"
 	"strings"
 	"sync"
 	"github.com/go-pkgz/routegroup"
 	"github.com/gorilla/websocket"
 	"github.com/h44z/wg-portal/internal/app"
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
 )
 type WebsocketEventBus interface {
 	Subscribe(topic string, fn any) error
 	Unsubscribe(topic string, fn any) error
 }
 type WebsocketEndpoint struct {
 	authenticator Authenticator
 	bus           WebsocketEventBus
 	upgrader websocket.Upgrader
 }
 func NewWebsocketEndpoint(cfg *config.Config, auth Authenticator, bus WebsocketEventBus) *WebsocketEndpoint {
 	return &WebsocketEndpoint{
 		authenticator: auth,
 		bus:           bus,
 		upgrader: websocket.Upgrader{
 			ReadBufferSize:  1024,
 			WriteBufferSize: 1024,
 			CheckOrigin: func(r *http.Request) bool {
 				origin := r.Header.Get("Origin")
 				return strings.HasPrefix(origin, cfg.Web.ExternalUrl)
 			},
 		},
 	}
 }
 func (e WebsocketEndpoint) GetName() string {
 	return "WebsocketEndpoint"
 }
 func (e WebsocketEndpoint) RegisterRoutes(g *routegroup.Bundle) {
 	g.With(e.authenticator.LoggedIn()).HandleFunc("GET /ws", e.handleWebsocket())
 }
 // wsMessage represents a message sent over websocket to the frontend
 type wsMessage struct {
 	Type string `json:"type"` // either "peer_stats" or "interface_stats"
 	Data any    `json:"data"` // domain.TrafficDelta
 }
 func (e WebsocketEndpoint) handleWebsocket() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		conn, err := e.upgrader.Upgrade(w, r, nil)
 		if err != nil {
 			return
 		}
 		defer conn.Close()
 		ctx, cancel := context.WithCancel(r.Context())
 		defer cancel()
 		writeMutex := sync.Mutex{}
 		writeJSON := func(msg wsMessage) error {
 			writeMutex.Lock()
 			defer writeMutex.Unlock()
 			return conn.WriteJSON(msg)
 		}
 		peerStatsHandler := func(status domain.TrafficDelta) {
 			_ = writeJSON(wsMessage{Type: "peer_stats", Data: status})
 		}
 		interfaceStatsHandler := func(status domain.TrafficDelta) {
 			_ = writeJSON(wsMessage{Type: "interface_stats", Data: status})
 		}
 		_ = e.bus.Subscribe(app.TopicPeerStatsUpdated, peerStatsHandler)
 		defer e.bus.Unsubscribe(app.TopicPeerStatsUpdated, peerStatsHandler)
 		_ = e.bus.Subscribe(app.TopicInterfaceStatsUpdated, interfaceStatsHandler)
 		defer e.bus.Unsubscribe(app.TopicInterfaceStatsUpdated, interfaceStatsHandler)
 		// Keep connection open until client disconnects or context is cancelled
 		go func() {
 			for {
 				if _, _, err := conn.ReadMessage(); err != nil {
 					cancel()
 					return
 				}
 			}
 		}()
 		<-ctx.Done()
 	}
 }
--- a/internal/app/api/v0/handlers/web_session.go
+++ b/internal/app/api/v0/handlers/web_session.go
@@ -30,7 +30,6 @@ type SessionData struct {
 	OauthNonce    string
 	OauthProvider string
 	OauthReturnTo string
 	OauthIdToken  string
 	WebAuthnData string
@@ -90,6 +89,5 @@ func (s *SessionWrapper) defaultSessionData() SessionData {
 		OauthNonce:     "",
 		OauthProvider:  "",
 		OauthReturnTo:  "",
 		OauthIdToken:   "",
 	}
 }
--- a/internal/app/api/v0/model/models_authentication.go
+++ b/internal/app/api/v0/model/models_authentication.go
@@ -45,11 +45,6 @@ type OauthInitiationResponse struct {
 	State       string
 }
 type LogoutResponse struct {
 	Message     string  `json:"Message"`
 	RedirectUrl *string `json:"RedirectUrl,omitempty"`
 }
 type WebAuthnCredentialRequest struct {
 	Name string `json:"Name"`
 }
--- a/internal/app/auth/auth.go
+++ b/internal/app/auth/auth.go
@@ -65,11 +65,6 @@ type AuthenticatorOauth interface {
 	RegistrationEnabled() bool
 	// GetAllowedDomains returns the list of whitelisted domains
 	GetAllowedDomains() []string
 	// GetAllowedUserGroups returns the list of whitelisted user groups.
 	// If non-empty, at least one user group must match.
 	GetAllowedUserGroups() []string
 	// GetLogoutUrl returns an IdP logout URL if supported by the provider.
 	GetLogoutUrl(idTokenHint, postLogoutRedirectUri string) (string, bool)
 }
 // AuthenticatorLdap is the interface for all LDAP authenticators.
@@ -356,6 +351,7 @@ func (a *Authenticator) passwordAuthentication(
 		domain.SystemAdminContextUserInfo()) // switch to admin user context to check if user exists
 	var ldapUserInfo *domain.AuthenticatorUserInfo
 	var ldapProvider AuthenticatorLdap
 	var userInDatabase = false
 	existingUser, err := a.users.GetUser(ctx, identifier)
@@ -421,14 +417,14 @@ func (a *Authenticator) passwordAuthentication(
 					"source", ldapAuth.GetName(), "identifier", identifier, "error", err)
 				continue
 			}
-			user, err := a.processUserInfo(ctx, ldapUserInfo, domain.UserSourceLdap, ldapAuth.GetName(), true)
+			user, err := a.processUserInfo(ctx, ldapUserInfo, domain.UserSourceLdap, ldapProvider.GetName(), true)
 			if err != nil {
 				return nil, fmt.Errorf("unable to process user information: %w", err)
 			}
 			existingUser = user
 			slog.Debug("created new LDAP user in db",
-				"identifier", user.Identifier, "provider", ldapAuth.GetName())
+				"identifier", user.Identifier, "provider", ldapProvider.GetName())
 			authOK = true
 			break
@@ -502,63 +498,31 @@ func isDomainAllowed(email string, allowedDomains []string) bool {
 	return false
 }
 func isAnyAllowedUserGroup(userGroups, allowedUserGroups []string) bool {
 	if len(allowedUserGroups) == 0 {
 		return true
 	}
 	allowed := make(map[string]struct{}, len(allowedUserGroups))
 	for _, group := range allowedUserGroups {
 		trimmed := strings.TrimSpace(group)
 		if trimmed == "" {
 			continue
 		}
 		allowed[trimmed] = struct{}{}
 	}
 	if len(allowed) == 0 {
 		return false
 	}
 	for _, group := range userGroups {
 		if _, ok := allowed[strings.TrimSpace(group)]; ok {
 			return true
 		}
 	}
 	return false
 }
 // OauthLoginStep2 finishes the oauth authentication flow by exchanging the code for an access token and
 // fetching the user information.
-func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce, code string) (*domain.User, string, error) {
+func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce, code string) (*domain.User, error) {
 	oauthProvider, ok := a.oauthAuthenticators[providerId]
 	if !ok {
-		return nil, "", fmt.Errorf("missing oauth provider %s", providerId)
+		return nil, fmt.Errorf("missing oauth provider %s", providerId)
 	}
 	oauth2Token, err := oauthProvider.Exchange(ctx, code)
 	if err != nil {
-		return nil, "", fmt.Errorf("unable to exchange code: %w", err)
+		return nil, fmt.Errorf("unable to exchange code: %w", err)
 	}
 	idTokenHint, _ := oauth2Token.Extra("id_token").(string)
 	rawUserInfo, err := oauthProvider.GetUserInfo(ctx, oauth2Token, nonce)
 	if err != nil {
-		return nil, "", fmt.Errorf("unable to fetch user information: %w", err)
+		return nil, fmt.Errorf("unable to fetch user information: %w", err)
 	}
 	userInfo, err := oauthProvider.ParseUserInfo(rawUserInfo)
 	if err != nil {
-		return nil, "", fmt.Errorf("unable to parse user information: %w", err)
+		return nil, fmt.Errorf("unable to parse user information: %w", err)
 	}
 	if !isDomainAllowed(userInfo.Email, oauthProvider.GetAllowedDomains()) {
-		return nil, "", fmt.Errorf("user %s is not in allowed domains", userInfo.Email)
+		return nil, fmt.Errorf("user %s is not in allowed domains", userInfo.Email)
 	}
 	if !isAnyAllowedUserGroup(userInfo.UserGroups, oauthProvider.GetAllowedUserGroups()) {
 		return nil, "", fmt.Errorf("user %s is not in allowed user groups", userInfo.Identifier)
 	}
 	ctx = domain.SetUserInfo(ctx,
@@ -574,7 +538,7 @@ func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce,
 				Error:    err.Error(),
 			},
 		})
-		return nil, "", fmt.Errorf("unable to process user information: %w", err)
+		return nil, fmt.Errorf("unable to process user information: %w", err)
 	}
 	if user.IsLocked() || user.IsDisabled() {
@@ -586,7 +550,7 @@ func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce,
 				Error:    "user is locked",
 			},
 		})
-		return nil, "", errors.New("user is locked")
+		return nil, errors.New("user is locked")
 	}
 	a.bus.Publish(app.TopicAuthLogin, user.Identifier)
@@ -598,16 +562,7 @@ func (a *Authenticator) OauthLoginStep2(ctx context.Context, providerId, nonce,
 		},
 	})
-	return user, idTokenHint, nil
+	return user, nil
 }
 func (a *Authenticator) OauthProviderLogoutUrl(providerId, idTokenHint, postLogoutRedirectUri string) (string, bool) {
 	oauthProvider, ok := a.oauthAuthenticators[providerId]
 	if !ok {
 		return "", false
 	}
 	return oauthProvider.GetLogoutUrl(idTokenHint, postLogoutRedirectUri)
 }
 func (a *Authenticator) processUserInfo(
--- a/internal/app/auth/auth_oauth.go
+++ b/internal/app/auth/auth_oauth.go
@@ -29,7 +29,6 @@ type PlainOauthAuthenticator struct {
 	userInfoLogging      bool
 	sensitiveInfoLogging bool
 	allowedDomains       []string
 	allowedUserGroups    []string
 }
 func newPlainOauthAuthenticator(
@@ -61,7 +60,6 @@ func newPlainOauthAuthenticator(
 	provider.userInfoLogging = cfg.LogUserInfo
 	provider.sensitiveInfoLogging = cfg.LogSensitiveInfo
 	provider.allowedDomains = cfg.AllowedDomains
 	provider.allowedUserGroups = cfg.AllowedUserGroups
 	return provider, nil
 }
@@ -75,14 +73,6 @@ func (p PlainOauthAuthenticator) GetAllowedDomains() []string {
 	return p.allowedDomains
 }
 func (p PlainOauthAuthenticator) GetAllowedUserGroups() []string {
 	return p.allowedUserGroups
 }
 func (p PlainOauthAuthenticator) GetLogoutUrl(_, _ string) (string, bool) {
 	return "", false
 }
 // RegistrationEnabled returns whether registration is enabled for the OAuth authenticator.
 func (p PlainOauthAuthenticator) RegistrationEnabled() bool {
 	return p.registrationEnabled
--- a/internal/app/auth/auth_oidc.go
+++ b/internal/app/auth/auth_oidc.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
 	"net/url"
 	"github.com/coreos/go-oidc/v3/oidc"
 	"golang.org/x/oauth2"
@@ -27,9 +26,6 @@ type OidcAuthenticator struct {
 	userInfoLogging      bool
 	sensitiveInfoLogging bool
 	allowedDomains       []string
 	allowedUserGroups    []string
 	endSessionEndpoint   string
 	logoutIdpSession     bool
 }
 func newOidcAuthenticator(
@@ -65,17 +61,6 @@ func newOidcAuthenticator(
 	provider.userInfoLogging = cfg.LogUserInfo
 	provider.sensitiveInfoLogging = cfg.LogSensitiveInfo
 	provider.allowedDomains = cfg.AllowedDomains
 	provider.allowedUserGroups = cfg.AllowedUserGroups
 	provider.logoutIdpSession = cfg.LogoutIdpSession == nil || *cfg.LogoutIdpSession
 	var providerMetadata struct {
 		EndSessionEndpoint string `json:"end_session_endpoint"`
 	}
 	if err = provider.provider.Claims(&providerMetadata); err != nil {
 		slog.Debug("OIDC: failed to parse provider metadata", "provider", cfg.ProviderName, "error", err)
 	} else {
 		provider.endSessionEndpoint = providerMetadata.EndSessionEndpoint
 	}
 	return provider, nil
 }
@@ -89,38 +74,6 @@ func (o OidcAuthenticator) GetAllowedDomains() []string {
 	return o.allowedDomains
 }
 func (o OidcAuthenticator) GetAllowedUserGroups() []string {
 	return o.allowedUserGroups
 }
 func (o OidcAuthenticator) GetLogoutUrl(idTokenHint, postLogoutRedirectUri string) (string, bool) {
 	if !o.logoutIdpSession {
 		return "", false
 	}
 	if o.endSessionEndpoint == "" {
 		slog.Debug("OIDC logout URL generation disabled: provider has no end_session_endpoint", "provider", o.name)
 		return "", false
 	}
 	logoutUrl, err := url.Parse(o.endSessionEndpoint)
 	if err != nil {
 		slog.Debug("OIDC logout URL generation failed, unable to parse end_session_endpoint url",
 			"provider", o.name, "error", err)
 		return "", false
 	}
 	params := logoutUrl.Query()
 	if idTokenHint != "" {
 		params.Set("id_token_hint", idTokenHint)
 	}
 	if postLogoutRedirectUri != "" {
 		params.Set("post_logout_redirect_uri", postLogoutRedirectUri)
 	}
 	logoutUrl.RawQuery = params.Encode()
 	return logoutUrl.String(), true
 }
 // RegistrationEnabled returns whether registration is enabled for this authenticator.
 func (o OidcAuthenticator) RegistrationEnabled() bool {
 	return o.registrationEnabled
--- a/internal/app/auth/oauth_common.go
+++ b/internal/app/auth/oauth_common.go
@@ -16,7 +16,6 @@ func parseOauthUserInfo(
 ) (*domain.AuthenticatorUserInfo, error) {
 	var isAdmin bool
 	var adminInfoAvailable bool
 	userGroups := internal.MapDefaultStringSlice(raw, mapping.UserGroups, nil)
 	// first try to match the is_admin field against the given regex
 	if mapping.IsAdmin != "" {
@@ -30,6 +29,7 @@ func parseOauthUserInfo(
 	// next try to parse the user's groups
 	if !isAdmin && mapping.UserGroups != "" && adminMapping.AdminGroupRegex != "" {
 		adminInfoAvailable = true
 		userGroups := internal.MapDefaultStringSlice(raw, mapping.UserGroups, nil)
 		re := adminMapping.GetAdminGroupRegex()
 		for _, group := range userGroups {
 			if re.MatchString(strings.TrimSpace(group)) {
@@ -42,7 +42,6 @@ func parseOauthUserInfo(
 	userInfo := &domain.AuthenticatorUserInfo{
 		Identifier:         domain.UserIdentifier(internal.MapDefaultString(raw, mapping.UserIdentifier, "")),
 		Email:              internal.MapDefaultString(raw, mapping.Email, ""),
 		UserGroups:         userGroups,
 		Firstname:          internal.MapDefaultString(raw, mapping.Firstname, ""),
 		Lastname:           internal.MapDefaultString(raw, mapping.Lastname, ""),
 		Phone:              internal.MapDefaultString(raw, mapping.Phone, ""),
--- a/internal/app/auth/oauth_common_test.go
+++ b/internal/app/auth/oauth_common_test.go
@@ -96,7 +96,6 @@ func Test_parseOauthUserInfo_admin_group(t *testing.T) {
 	assert.Equal(t, info.Firstname, "Test User")
 	assert.Equal(t, info.Lastname, "")
 	assert.Equal(t, info.Email, "test@mydomain.net")
 	assert.Equal(t, info.UserGroups, []string{"abuse@mydomain.net", "postmaster@mydomain.net", "wgportal-admins@mydomain.net"})
 }
 func Test_parseOauthUserInfo_admin_value(t *testing.T) {
--- a/internal/app/eventbus.go
+++ b/internal/app/eventbus.go
@@ -26,7 +26,6 @@ const TopicUserEnabled = "user:enabled"
 const TopicInterfaceCreated = "interface:created"
 const TopicInterfaceUpdated = "interface:updated"
 const TopicInterfaceDeleted = "interface:deleted"
 const TopicInterfaceStatsUpdated = "interface:stats:updated"
 // endregion interface-events
@@ -38,7 +37,6 @@ const TopicPeerUpdated = "peer:updated"
 const TopicPeerInterfaceUpdated = "peer:interface:updated"
 const TopicPeerIdentifierUpdated = "peer:identifier:updated"
 const TopicPeerStateChanged = "peer:state:changed"
 const TopicPeerStatsUpdated = "peer:stats:updated"
 // endregion peer-events
--- a/internal/app/mail/manager.go
+++ b/internal/app/mail/manager.go
@@ -190,22 +190,20 @@ func (m Manager) resolveEmail(ctx context.Context, peer *domain.Peer) (string, d
 			if err == nil {
 				slog.Debug("peer email: using user-identifier as email",
 					"peer", peer.Identifier, "email", peer.UserIdentifier)
-				return string(peer.UserIdentifier), domain.User{
+				return string(peer.UserIdentifier), domain.User{}
-					Email: string(peer.UserIdentifier),
+			} else {
 				}
 			}
 				slog.Debug("peer email: skipping peer email",
 					"peer", peer.Identifier,
 					"reason", "peer has no user linked and user-identifier is not a valid email address")
 				return "", domain.User{}
 			}
-
+		} else {
 			slog.Debug("peer email: skipping peer email",
 				"peer", peer.Identifier,
 				"reason", "user has no user linked")
 			return "", domain.User{}
 		}
 	}
 	if user.Email == "" {
 		slog.Debug("peer email: skipping peer email",
--- a/internal/app/users/ldap_sync.go
+++ b/internal/app/users/ldap_sync.go
@@ -90,12 +90,6 @@ func (m Manager) synchronizeLdapUsers(ctx context.Context, provider *config.Ldap
 		}
 	}
 	// Update interface allowed users based on LDAP filters
 	err = m.updateInterfaceLdapFilters(ctx, conn, provider)
 	if err != nil {
 		return err
 	}
 	return nil
 }
@@ -243,59 +237,3 @@ func (m Manager) disableMissingLdapUsers(
 	return nil
 }
 func (m Manager) updateInterfaceLdapFilters(
 	ctx context.Context,
 	conn *ldap.Conn,
 	provider *config.LdapProvider,
 ) error {
 	if len(provider.InterfaceFilter) == 0 {
 		return nil // nothing to do if no interfaces are configured for this provider
 	}
 	for ifaceName, groupFilter := range provider.InterfaceFilter {
 		ifaceId := domain.InterfaceIdentifier(ifaceName)
 		// Combined filter: user must match the provider's base SyncFilter AND the interface's LdapGroupFilter
 		combinedFilter := fmt.Sprintf("(&(%s)(%s))", provider.SyncFilter, groupFilter)
 		rawUsers, err := internal.LdapFindAllUsers(conn, provider.BaseDN, combinedFilter, &provider.FieldMap)
 		if err != nil {
 			slog.Error("failed to find users for interface filter", 
 				"interface", ifaceId, 
 				"provider", provider.ProviderName, 
 				"error", err)
 			continue
 		}
 		matchedUserIds := make([]domain.UserIdentifier, 0, len(rawUsers))
 		for _, rawUser := range rawUsers {
 			userId := domain.UserIdentifier(internal.MapDefaultString(rawUser, provider.FieldMap.UserIdentifier, ""))
 			if userId != "" {
 				matchedUserIds = append(matchedUserIds, userId)
 			}
 		}
 		// Save the interface
 		err = m.interfaces.SaveInterface(ctx, ifaceId, func(i *domain.Interface) (*domain.Interface, error) {
 			if i.LdapAllowedUsers == nil {
 				i.LdapAllowedUsers = make(map[string][]domain.UserIdentifier)
 			}
 			i.LdapAllowedUsers[provider.ProviderName] = matchedUserIds
 			return i, nil
 		})
 		if err != nil {
 			slog.Error("failed to save interface ldap allowed users", 
 				"interface", ifaceId, 
 				"provider", provider.ProviderName, 
 				"error", err)
 		} else {
 			slog.Debug("updated interface ldap allowed users", 
 				"interface", ifaceId, 
 				"provider", provider.ProviderName, 
 				"matched_count", len(matchedUserIds))
 		}
 	}
 	return nil
 }
--- a/internal/app/users/user_manager.go
+++ b/internal/app/users/user_manager.go
@@ -39,11 +39,6 @@ type PeerDatabaseRepo interface {
 	GetUserPeers(ctx context.Context, id domain.UserIdentifier) ([]domain.Peer, error)
 }
 type InterfaceDatabaseRepo interface {
 	// SaveInterface saves the interface with the given identifier.
 	SaveInterface(ctx context.Context, id domain.InterfaceIdentifier, updateFunc func(i *domain.Interface) (*domain.Interface, error)) error
 }
 type EventBus interface {
 	// Publish sends a message to the message bus.
 	Publish(topic string, args ...any)
@@ -58,24 +53,19 @@ type Manager struct {
 	bus   EventBus
 	users UserDatabaseRepo
 	peers PeerDatabaseRepo
 	interfaces InterfaceDatabaseRepo
 }
 // NewUserManager creates a new user manager instance.
-func NewUserManager(
+func NewUserManager(cfg *config.Config, bus EventBus, users UserDatabaseRepo, peers PeerDatabaseRepo) (
-	cfg *config.Config,
+	*Manager,
-	bus EventBus,
+	error,
-	users UserDatabaseRepo,
+) {
 	peers PeerDatabaseRepo,
 	interfaces InterfaceDatabaseRepo,
 ) (*Manager, error) {
 	m := &Manager{
 		cfg: cfg,
 		bus: bus,
 		users: users,
 		peers: peers,
 		interfaces: interfaces,
 	}
 	return m, nil
 }
@@ -282,9 +272,8 @@ func (m Manager) DeactivateApi(ctx context.Context, id domain.UserIdentifier) (*
 func (m Manager) validateModifications(ctx context.Context, old, new *domain.User) error {
 	currentUser := domain.GetUserInfo(ctx)
-	adminErrors := m.validateAdminModifications(ctx, old, new)
+	if currentUser.Id != new.Identifier && !currentUser.IsAdmin {
-	if adminErrors != nil {
+		return fmt.Errorf("insufficient permissions")
 		return adminErrors
 	}
 	if err := old.EditAllowed(new); err != nil && currentUser.Id != domain.SystemAdminContextUserInfo().Id {
@@ -314,46 +303,6 @@ func (m Manager) validateModifications(ctx context.Context, old, new *domain.Use
 	return nil
 }
 func (m Manager) validateAdminModifications(ctx context.Context, old, new *domain.User) error {
 	currentUser := domain.GetUserInfo(ctx)
 	if currentUser.IsAdmin {
 		if currentUser.Id == old.Identifier && !new.IsAdmin {
 			return fmt.Errorf("cannot remove own admin rights: %w", domain.ErrInvalidData)
 		}
 		return nil // admins can do (almost) everything
 	}
 	// non-admins can only modify very their own profile data
 	if currentUser.Id != new.Identifier {
 		return fmt.Errorf("insufficient permissions: %w", domain.ErrInvalidData)
 	}
 	if new.IsAdmin {
 		return fmt.Errorf("cannot grant admin rights: %w", domain.ErrInvalidData)
 	}
 	if new.Notes != old.Notes {
 		return fmt.Errorf("cannot update notes: %w", domain.ErrInvalidData)
 	}
 	if old.Locked != new.Locked || old.LockedReason != new.LockedReason {
 		return fmt.Errorf("cannot change lock state: %w", domain.ErrInvalidData)
 	}
 	if old.Disabled != new.Disabled || old.DisabledReason != new.DisabledReason {
 		return fmt.Errorf("cannot change disabled state: %w", domain.ErrInvalidData)
 	}
 	if old.PersistLocalChanges != new.PersistLocalChanges {
 		return fmt.Errorf("cannot change disabled state: %w", domain.ErrInvalidData)
 	}
 	return nil
 }
 func (m Manager) validateCreation(ctx context.Context, new *domain.User) error {
 	currentUser := domain.GetUserInfo(ctx)
@@ -425,10 +374,6 @@ func (m Manager) validateDeletion(ctx context.Context, del *domain.User) error {
 func (m Manager) validateApiChange(ctx context.Context, user *domain.User) error {
 	currentUser := domain.GetUserInfo(ctx)
 	if !currentUser.IsAdmin && m.cfg.Advanced.ApiAdminOnly {
 		return fmt.Errorf("insufficient permissions to change API access: %w", domain.ErrNoPermission)
 	}
 	if currentUser.Id != user.Identifier {
 		return fmt.Errorf("cannot change API access of user: %w", domain.ErrNoPermission)
 	}
@@ -533,7 +478,6 @@ func (m Manager) create(ctx context.Context, user *domain.User) (*domain.User, e
 	}
 	err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
 		user.CopyCalculatedAttributes(u, false)
 		return user, nil
 	})
 	if err != nil {
--- a/internal/app/wireguard/statistics.go
+++ b/internal/app/wireguard/statistics.go
@@ -121,25 +121,15 @@ func (c *StatisticsCollector) collectInterfaceData(ctx context.Context) {
 						"error", err)
 					continue
 				}
 				now := time.Now()
 				err = c.db.UpdateInterfaceStatus(ctx, in.Identifier,
 					func(i *domain.InterfaceStatus) (*domain.InterfaceStatus, error) {
-						td := domain.CalculateTrafficDelta(
+						i.UpdatedAt = time.Now()
 							string(in.Identifier),
 							i.UpdatedAt, now,
 							i.BytesTransmitted, physicalInterface.BytesUpload,
 							i.BytesReceived, physicalInterface.BytesDownload,
 						)
 						i.UpdatedAt = now
 						i.BytesReceived = physicalInterface.BytesDownload
 						i.BytesTransmitted = physicalInterface.BytesUpload
 						// Update prometheus metrics
 						go c.updateInterfaceMetrics(*i)
 						// Publish stats update event
 						c.bus.Publish(app.TopicInterfaceStatsUpdated, td)
 						return i, nil
 					})
 				if err != nil {
@@ -182,7 +172,6 @@ func (c *StatisticsCollector) collectPeerData(ctx context.Context) {
 					slog.Warn("failed to fetch peers for data collection", "interface", in.Identifier, "error", err)
 					continue
 				}
 				now := time.Now()
 				for _, peer := range peers {
 					var connectionStateChanged bool
 					var newPeerStatus domain.PeerStatus
@@ -195,26 +184,18 @@ func (c *StatisticsCollector) collectPeerData(ctx context.Context) {
 								lastHandshake = &peer.LastHandshake
 							}
 							td := domain.CalculateTrafficDelta(
 								string(peer.Identifier),
 								p.UpdatedAt, now,
 								p.BytesTransmitted, peer.BytesDownload,
 								p.BytesReceived, peer.BytesUpload,
 							)
 							// calculate if session was restarted
-							p.UpdatedAt = now
+							p.UpdatedAt = time.Now()
-							p.LastSessionStart = c.getSessionStartTime(*p, peer.BytesUpload, peer.BytesDownload,
+							p.LastSessionStart = getSessionStartTime(*p, peer.BytesUpload, peer.BytesDownload,
 								lastHandshake)
 							p.BytesReceived = peer.BytesUpload      // store bytes that where uploaded from the peer and received by the server
 							p.BytesTransmitted = peer.BytesDownload // store bytes that where received from the peer and sent by the server
 							p.Endpoint = peer.Endpoint
 							p.LastHandshake = lastHandshake
-							p.CalcConnected(c.cfg.Backend.ReKeyTimeoutInterval)
+							p.CalcConnected()
 							if wasConnected != p.IsConnected {
-								slog.Debug("peer connection state changed",
+								slog.Debug("peer connection state changed", "peer", peer.Identifier, "connected", p.IsConnected)
 									"peer", peer.Identifier, "connected", p.IsConnected)
 								connectionStateChanged = true
 								newPeerStatus = *p // store new status for event publishing
 							}
@@ -222,9 +203,6 @@ func (c *StatisticsCollector) collectPeerData(ctx context.Context) {
 							// Update prometheus metrics
 							go c.updatePeerMetrics(ctx, *p)
 							// Publish stats update event
 							c.bus.Publish(app.TopicPeerStatsUpdated, td)
 							return p, nil
 						})
 					if err != nil {
@@ -249,7 +227,7 @@ func (c *StatisticsCollector) collectPeerData(ctx context.Context) {
 	}
 }
-func (c *StatisticsCollector) getSessionStartTime(
+func getSessionStartTime(
 	oldStats domain.PeerStatus,
 	newReceived, newTransmitted uint64,
 	latestHandshake *time.Time,
@@ -258,7 +236,7 @@ func (c *StatisticsCollector) getSessionStartTime(
 		return nil // currently not connected
 	}
-	oldestHandshakeTime := time.Now().Add(-1 * c.cfg.Backend.ReKeyTimeoutInterval) // if a handshake is older than the rekey interval + grace-period, the peer is no longer connected
+	oldestHandshakeTime := time.Now().Add(-2 * time.Minute) // if a handshake is older than 2 minutes, the peer is no longer connected
 	switch {
 	// old session was never initiated
 	case oldStats.BytesReceived == 0 && oldStats.BytesTransmitted == 0 && (newReceived > 0 || newTransmitted > 0):
@@ -369,7 +347,7 @@ func (c *StatisticsCollector) pingWorker(ctx context.Context) {
 					p.LastPing = nil
 				}
 				p.UpdatedAt = time.Now()
-				p.CalcConnected(c.cfg.Backend.ReKeyTimeoutInterval)
+				p.CalcConnected()
 				if wasConnected != p.IsConnected {
 					connectionStateChanged = true
--- a/internal/app/wireguard/statistics_test.go
+++ b/internal/app/wireguard/statistics_test.go
@@ -5,11 +5,10 @@ import (
 	"testing"
 	"time"
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
 )
-func TestStatisticsCollector_getSessionStartTime(t *testing.T) {
+func Test_getSessionStartTime(t *testing.T) {
 	now := time.Now()
 	nowMinus1 := now.Add(-1 * time.Minute)
 	nowMinus3 := now.Add(-3 * time.Minute)
@@ -134,14 +133,7 @@ func TestStatisticsCollector_getSessionStartTime(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			c := &StatisticsCollector{
+			if got := getSessionStartTime(tt.args.oldStats, tt.args.newReceived, tt.args.newTransmitted,
 				cfg: &config.Config{
 					Backend: config.Backend{
 						ReKeyTimeoutInterval: 180 * time.Second,
 					},
 				},
 			}
 			if got := c.getSessionStartTime(tt.args.oldStats, tt.args.newReceived, tt.args.newTransmitted,
 				tt.args.lastHandshake); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("getSessionStartTime() = %v, want %v", got, tt.want)
 			}
--- a/internal/app/wireguard/wireguard.go
+++ b/internal/app/wireguard/wireguard.go
@@ -35,8 +35,6 @@ type InterfaceAndPeerDatabaseRepo interface {
 	DeletePeer(ctx context.Context, id domain.PeerIdentifier) error
 	GetPeer(ctx context.Context, id domain.PeerIdentifier) (*domain.Peer, error)
 	GetUsedIpsPerSubnet(ctx context.Context, subnets []domain.Cidr) (map[domain.Cidr][]domain.Cidr, error)
 	GetUser(ctx context.Context, id domain.UserIdentifier) (*domain.User, error)
 	GetAllUsers(ctx context.Context) ([]domain.User, error)
 }
 type WgQuickController interface {
@@ -61,7 +59,6 @@ type Manager struct {
 	wg  *ControllerManager
 	userLockMap *sync.Map
 	interfaceLockMap *sync.Map
 }
 func NewWireGuardManager(
@@ -76,7 +73,6 @@ func NewWireGuardManager(
 		wg:          wg,
 		db:          db,
 		userLockMap: &sync.Map{},
 		interfaceLockMap: &sync.Map{},
 	}
 	m.connectToMessageBus()
@@ -96,11 +92,10 @@ func (m Manager) connectToMessageBus() {
 	_ = m.bus.Subscribe(app.TopicUserDisabled, m.handleUserDisabledEvent)
 	_ = m.bus.Subscribe(app.TopicUserEnabled, m.handleUserEnabledEvent)
 	_ = m.bus.Subscribe(app.TopicUserDeleted, m.handleUserDeletedEvent)
 	_ = m.bus.Subscribe(app.TopicInterfaceCreated, m.handleInterfaceCreatedEvent)
 }
 func (m Manager) handleUserCreationEvent(user domain.User) {
-	if !m.cfg.Core.CreateDefaultPeerOnUserCreation {
+	if !m.cfg.Core.CreateDefaultPeerOnCreation {
 		return
 	}
@@ -121,7 +116,7 @@ func (m Manager) handleUserCreationEvent(user domain.User) {
 }
 func (m Manager) handleUserLoginEvent(userId domain.UserIdentifier) {
-	if !m.cfg.Core.CreateDefaultPeerOnLogin {
+	if !m.cfg.Core.CreateDefaultPeer {
 		return
 	}
@@ -273,31 +268,6 @@ func (m Manager) handleUserDeletedEvent(user domain.User) {
 	}
 }
 // handleInterfaceCreatedEvent creates default peers for all existing users when a new interface is created.
 // This ensures users that already exist (e.g. imported via a prior LDAP sync that had no interface available)
 // also receive a default peer for the newly created interface.
 func (m Manager) handleInterfaceCreatedEvent(iface domain.Interface) {
 	if !m.cfg.Core.CreateDefaultPeerOnUserCreation {
 		return
 	}
 	_, loaded := m.interfaceLockMap.LoadOrStore(iface.Identifier, "create")
 	if loaded {
 		return // another goroutine is already handling this interface
 	}
 	defer m.interfaceLockMap.Delete(iface.Identifier)
 	slog.Debug("handling new interface event", "interface", iface.Identifier)
 	ctx := domain.SetUserInfo(context.Background(), domain.SystemAdminContextUserInfo())
 	err := m.CreateDefaultPeers(ctx, iface.Identifier)
 	if err != nil {
 		slog.Error("failed to create default peers on new interface",
 			"interface", iface.Identifier, "error", err)
 	}
 }
 func (m Manager) runExpiredPeersCheck(ctx context.Context) {
 	ctx = domain.SetUserInfo(ctx, domain.SystemAdminContextUserInfo())
--- a/internal/app/wireguard/wireguard_interfaces.go
+++ b/internal/app/wireguard/wireguard_interfaces.go
@@ -16,11 +16,6 @@ import (
 	"github.com/h44z/wg-portal/internal/domain"
 )
 // GetInterface returns the interface for the given interface identifier.
 func (m Manager) GetInterface(ctx context.Context, id domain.InterfaceIdentifier) (*domain.Interface, error) {
 	return m.db.GetInterface(ctx, id)
 }
 // GetInterfaceAndPeers returns the interface and all peers for the given interface identifier.
 func (m Manager) GetInterfaceAndPeers(ctx context.Context, id domain.InterfaceIdentifier) (
 	*domain.Interface,
@@ -68,17 +63,12 @@ func (m Manager) GetAllInterfacesAndPeers(ctx context.Context) ([]domain.Interfa
 // GetUserInterfaces returns all interfaces that are available for users to create new peers.
 // If self-provisioning is disabled, this function will return an empty list.
-func (m Manager) GetUserInterfaces(ctx context.Context, userId domain.UserIdentifier) ([]domain.Interface, error) {
+// At the moment, there are no interfaces specific to single users, thus the user id is not used.
 func (m Manager) GetUserInterfaces(ctx context.Context, _ domain.UserIdentifier) ([]domain.Interface, error) {
 	if !m.cfg.Core.SelfProvisioningAllowed {
 		return nil, nil // self-provisioning is disabled - no interfaces for users
 	}
 	user, err := m.db.GetUser(ctx, userId)
 	if err != nil {
 		slog.Error("failed to load user for interface group verification", "user", userId, "error", err)
 		return nil, nil // fail closed
 	}
 	interfaces, err := m.db.GetAllInterfaces(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("unable to load all interfaces: %w", err)
@@ -93,9 +83,6 @@ func (m Manager) GetUserInterfaces(ctx context.Context, userId domain.UserIdenti
 		if iface.Type != domain.InterfaceTypeServer {
 			continue // skip client interfaces
 		}
 		if !user.IsAdmin && !iface.IsUserAllowed(userId, m.cfg) {
 			continue // user not allowed due to LDAP group filter
 		}
 		userInterfaces = append(userInterfaces, iface.PublicInfo())
 	}
@@ -387,7 +374,7 @@ func (m Manager) PrepareInterface(ctx context.Context) (*domain.Interface, error
 		SaveConfig:                 m.cfg.Advanced.ConfigStoragePath != "",
 		DisplayName:                string(id),
 		Type:                       domain.InterfaceTypeServer,
-		CreateDefaultPeer:          m.cfg.DefaultPeerCreationEnabled(),
+		CreateDefaultPeer:          m.cfg.Core.CreateDefaultPeer,
 		DriverType:                 "",
 		Disabled:                   nil,
 		DisabledReason:             "",
@@ -998,26 +985,7 @@ func (m Manager) importPeer(ctx context.Context, in *domain.Interface, p *domain
 	peer.InterfaceIdentifier = in.Identifier
 	peer.EndpointPublicKey = domain.NewConfigOption(in.PublicKey, true)
 	peer.AllowedIPsStr = domain.NewConfigOption(in.PeerDefAllowedIPsStr, true)
-
+	peer.Interface.Addresses = p.AllowedIPs // use allowed IP's as the peer IP's TODO: Should this also match server interface address' prefix length?
 	// split allowed IP's into interface addresses and extra allowed IP's
 	var interfaceAddresses []domain.Cidr
 	var extraAllowedIPs []domain.Cidr
 	for _, allowedIP := range p.AllowedIPs {
 		isHost := (allowedIP.IsV4() && allowedIP.NetLength == 32) || (!allowedIP.IsV4() && allowedIP.NetLength == 128)
 		isNetworkAddr := allowedIP.Addr == allowedIP.NetworkAddr().Addr
 		// Network addresses (e.g. 10.0.0.0/24) will always be extra allowed IP's.
 		// For IP addresses, such as 10.0.0.1/24, it is challenging to tell whether it is an interface address or
 		// an extra allowed IP, therefore we treat such addresses as interface addresses.
 		if !isHost && isNetworkAddr {
 			extraAllowedIPs = append(extraAllowedIPs, allowedIP)
 		} else {
 			interfaceAddresses = append(interfaceAddresses, allowedIP)
 		}
 	}
 	peer.Interface.Addresses = interfaceAddresses
 	peer.ExtraAllowedIPsStr = domain.CidrsToString(extraAllowedIPs)
 	peer.Interface.DnsStr = domain.NewConfigOption(in.PeerDefDnsStr, true)
 	peer.Interface.DnsSearchStr = domain.NewConfigOption(in.PeerDefDnsSearchStr, true)
 	peer.Interface.Mtu = domain.NewConfigOption(in.PeerDefMtu, true)
--- a/internal/app/wireguard/wireguard_interfaces_test.go
+++ b/internal/app/wireguard/wireguard_interfaces_test.go
@@ -1,211 +0,0 @@
 package wireguard
 import (
 	"context"
 	"testing"
 	"github.com/stretchr/testify/assert"
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
 )
 func TestImportPeer_AddressMapping(t *testing.T) {
 	tests := []struct {
 		name                 string
 		allowedIPs           []string
 		expectedInterface    []string
 		expectedExtraAllowed string
 	}{
 		{
 			name:                 "IPv4 host address",
 			allowedIPs:           []string{"10.0.0.1/32"},
 			expectedInterface:    []string{"10.0.0.1/32"},
 			expectedExtraAllowed: "",
 		},
 		{
 			name:                 "IPv6 host address",
 			allowedIPs:           []string{"fd00::1/128"},
 			expectedInterface:    []string{"fd00::1/128"},
 			expectedExtraAllowed: "",
 		},
 		{
 			name:                 "IPv4 network address",
 			allowedIPs:           []string{"10.0.1.0/24"},
 			expectedInterface:    []string{},
 			expectedExtraAllowed: "10.0.1.0/24",
 		},
 		{
 			name:                 "IPv4 normal address with mask",
 			allowedIPs:           []string{"10.0.1.5/24"},
 			expectedInterface:    []string{"10.0.1.5/24"},
 			expectedExtraAllowed: "",
 		},
 		{
 			name: "Mixed addresses",
 			allowedIPs: []string{
 				"10.0.0.1/32", "192.168.1.0/24", "172.16.0.5/24", "fd00::1/128", "fd00:1::/64",
 			},
 			expectedInterface:    []string{"10.0.0.1/32", "172.16.0.5/24", "fd00::1/128"},
 			expectedExtraAllowed: "192.168.1.0/24,fd00:1::/64",
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			db := &mockDB{}
 			m := Manager{
 				db: db,
 			}
 			iface := &domain.Interface{
 				Identifier: "wg0",
 				Type:       domain.InterfaceTypeServer,
 			}
 			allowedIPs := make([]domain.Cidr, len(tt.allowedIPs))
 			for i, s := range tt.allowedIPs {
 				cidr, _ := domain.CidrFromString(s)
 				allowedIPs[i] = cidr
 			}
 			p := &domain.PhysicalPeer{
 				Identifier: "peer1",
 				KeyPair:    domain.KeyPair{PublicKey: "peer1-public-key-is-long-enough"},
 				AllowedIPs: allowedIPs,
 			}
 			err := m.importPeer(context.Background(), iface, p)
 			assert.NoError(t, err)
 			savedPeer := db.savedPeers["peer1"]
 			assert.NotNil(t, savedPeer)
 			// Check interface addresses
 			actualInterface := make([]string, len(savedPeer.Interface.Addresses))
 			for i, addr := range savedPeer.Interface.Addresses {
 				actualInterface[i] = addr.String()
 			}
 			assert.ElementsMatch(t, tt.expectedInterface, actualInterface)
 			// Check extra allowed IPs
 			assert.Equal(t, tt.expectedExtraAllowed, savedPeer.ExtraAllowedIPsStr)
 		})
 	}
 }
 func TestInterface_IsUserAllowed(t *testing.T) {
 	cfg := &config.Config{
 		Auth: config.Auth{
 			Ldap: []config.LdapProvider{
 				{
 					ProviderName: "ldap1",
 					InterfaceFilter: map[string]string{
 						"wg0": "(memberOf=CN=VPNUsers,...)",
 					},
 				},
 			},
 		},
 	}
 	tests := []struct {
 		name   string
 		iface  domain.Interface
 		userId domain.UserIdentifier
 		expect bool
 	}{
 		{
 			name: "Unrestricted interface",
 			iface: domain.Interface{
 				Identifier: "wg1",
 			},
 			userId: "user1",
 			expect: true,
 		},
 		{
 			name: "Restricted interface - user allowed",
 			iface: domain.Interface{
 				Identifier: "wg0",
 				LdapAllowedUsers: map[string][]domain.UserIdentifier{
 					"ldap1": {"user1"},
 				},
 			},
 			userId: "user1",
 			expect: true,
 		},
 		{
 			name: "Restricted interface - user allowed (at least one match)",
 			iface: domain.Interface{
 				Identifier: "wg0",
 				LdapAllowedUsers: map[string][]domain.UserIdentifier{
 					"ldap1": {"user2"},
 					"ldap2": {"user1"},
 				},
 			},
 			userId: "user1",
 			expect: true,
 		},
 		{
 			name: "Restricted interface - user NOT allowed",
 			iface: domain.Interface{
 				Identifier: "wg0",
 				LdapAllowedUsers: map[string][]domain.UserIdentifier{
 					"ldap1": {"user2"},
 				},
 			},
 			userId: "user1",
 			expect: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			assert.Equal(t, tt.expect, tt.iface.IsUserAllowed(tt.userId, cfg))
 		})
 	}
 }
 func TestManager_GetUserInterfaces_Filtering(t *testing.T) {
 	cfg := &config.Config{}
 	cfg.Core.SelfProvisioningAllowed = true
 	cfg.Auth.Ldap = []config.LdapProvider{
 		{
 			ProviderName: "ldap1",
 			InterfaceFilter: map[string]string{
 				"wg_restricted": "(some-filter)",
 			},
 		},
 	}
 	db := &mockDB{
 		interfaces: []domain.Interface{
 			{Identifier: "wg_public", Type: domain.InterfaceTypeServer},
 			{
 				Identifier: "wg_restricted",
 				Type:       domain.InterfaceTypeServer,
 				LdapAllowedUsers: map[string][]domain.UserIdentifier{
 					"ldap1": {"allowed_user"},
 				},
 			},
 		},
 	}
 	m := Manager{
 		cfg: cfg,
 		db:  db,
 	}
 	t.Run("Allowed user sees both", func(t *testing.T) {
 		ifaces, err := m.GetUserInterfaces(context.Background(), "allowed_user")
 		assert.NoError(t, err)
 		assert.Equal(t, 2, len(ifaces))
 	})
 	t.Run("Unallowed user sees only public", func(t *testing.T) {
 		ifaces, err := m.GetUserInterfaces(context.Background(), "other_user")
 		assert.NoError(t, err)
 		assert.Equal(t, 1, len(ifaces))
 		if len(ifaces) > 0 {
 			assert.Equal(t, domain.InterfaceIdentifier("wg_public"), ifaces[0].Identifier)
 		}
 	})
 }
--- a/internal/app/wireguard/wireguard_peers.go
+++ b/internal/app/wireguard/wireguard_peers.go
@@ -15,10 +15,6 @@ import (
 // CreateDefaultPeer creates a default peer for the given user on all server interfaces.
 func (m Manager) CreateDefaultPeer(ctx context.Context, userId domain.UserIdentifier) error {
 	if !m.cfg.DefaultPeerCreationEnabled() {
 		return nil
 	}
 	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
 		return err
 	}
@@ -28,21 +24,39 @@ func (m Manager) CreateDefaultPeer(ctx context.Context, userId domain.UserIdenti
 		return fmt.Errorf("failed to fetch all interfaces: %w", err)
 	}
-	user, err := m.db.GetUser(ctx, userId)
+	userPeers, err := m.db.GetUserPeers(context.Background(), userId)
 	if err != nil {
-		return fmt.Errorf("failed to fetch user: %w", err)
+		return fmt.Errorf("failed to retrieve existing peers prior to default peer creation: %w", err)
 	}
 	var newPeers []domain.Peer
 	for _, iface := range existingInterfaces {
-		peer, err := m.prepareDefaultPeer(ctx, &iface, user)
+		if iface.Type != domain.InterfaceTypeServer {
-		if err != nil {
+			continue // only create default peers for server interfaces
 			return fmt.Errorf("failed to prepare default peer: %w", err)
 		}
-		if peer != nil {
+		if !iface.CreateDefaultPeer {
-			newPeers = append(newPeers, *peer)
+			continue // only create default peers if the interface flag is set
 		}
 		peerAlreadyCreated := slices.ContainsFunc(userPeers, func(peer domain.Peer) bool {
 			return peer.InterfaceIdentifier == iface.Identifier
 		})
 		if peerAlreadyCreated {
 			continue // skip creation if a peer already exists for this interface
 		}
 		peer, err := m.PreparePeer(ctx, iface.Identifier)
 		if err != nil {
 			return fmt.Errorf("failed to create default peer for interface %s: %w", iface.Identifier, err)
 		}
 		peer.UserIdentifier = userId
 		peer.Notes = fmt.Sprintf("Default peer created for user %s", userId)
 		peer.AutomaticallyCreated = true
 		peer.GenerateDisplayName("Default")
 		newPeers = append(newPeers, *peer)
 	}
 	for i, peer := range newPeers {
@@ -53,61 +67,9 @@ func (m Manager) CreateDefaultPeer(ctx context.Context, userId domain.UserIdenti
 		}
 	}
-	slog.InfoContext(ctx, "created default peers for user", "user", userId, "count", len(newPeers))
+	slog.InfoContext(ctx, "created default peers for user",
-
+		"user", userId,
-	return nil
+		"count", len(newPeers))
 }
 // CreateDefaultPeers creates default peers for all existing users on the given interface.
 func (m Manager) CreateDefaultPeers(ctx context.Context, interfaceId domain.InterfaceIdentifier) error {
 	if !m.cfg.DefaultPeerCreationEnabled() {
 		return nil
 	}
 	if err := domain.ValidateAdminAccessRights(ctx); err != nil {
 		return err
 	}
 	iface, err := m.db.GetInterface(ctx, interfaceId)
 	if err != nil {
 		return fmt.Errorf("failed to fetch interface %s: %w", interfaceId, err)
 	}
 	if !iface.CreateDefaultPeers() {
 		return nil
 	}
 	users, err := m.db.GetAllUsers(ctx)
 	if err != nil {
 		return fmt.Errorf("failed to fetch all users: %w", err)
 	}
 	var errs error
 	var peerCount int
 	for _, user := range users {
 		peer, err := m.prepareDefaultPeer(ctx, iface, &user)
 		if err != nil {
 			errs = errors.Join(errs, fmt.Errorf("failed to prepare default peer for user %s: %w",
 				user.Identifier, err))
 			continue
 		}
 		if peer == nil {
 			continue
 		}
 		_, err = m.CreatePeer(ctx, peer)
 		if err != nil {
 			errs = errors.Join(errs, fmt.Errorf("failed to create default peer for user %s: %w",
 				user.Identifier, err))
 			continue
 		}
 		peerCount++
 	}
 	if errs != nil {
 		return fmt.Errorf("failed to create default peers for interface %s: %w", interfaceId, errs)
 	}
 	slog.InfoContext(ctx, "created default peers for interface", "interface", interfaceId, "count", peerCount)
 	return nil
 }
@@ -131,10 +93,6 @@ func (m Manager) PreparePeer(ctx context.Context, id domain.InterfaceIdentifier)
 	currentUser := domain.GetUserInfo(ctx)
 	if err := m.checkInterfaceAccess(ctx, id); err != nil {
 		return nil, err
 	}
 	iface, err := m.db.GetInterface(ctx, id)
 	if err != nil {
 		return nil, fmt.Errorf("unable to find interface %s: %w", id, err)
@@ -230,9 +188,6 @@ func (m Manager) CreatePeer(ctx context.Context, peer *domain.Peer) (*domain.Pee
 		if err := domain.ValidateUserAccessRights(ctx, peer.UserIdentifier); err != nil {
 			return nil, err
 		}
 		if err := m.checkInterfaceAccess(ctx, peer.InterfaceIdentifier); err != nil {
 			return nil, err
 		}
 	}
 	sessionUser := domain.GetUserInfo(ctx)
@@ -349,10 +304,6 @@ func (m Manager) UpdatePeer(ctx context.Context, peer *domain.Peer) (*domain.Pee
 		return nil, err
 	}
 	if err := m.checkInterfaceAccess(ctx, existingPeer.InterfaceIdentifier); err != nil {
 		return nil, err
 	}
 	if err := m.validatePeerModifications(ctx, existingPeer, peer); err != nil {
 		return nil, fmt.Errorf("update not allowed: %w", err)
 	}
@@ -422,10 +373,6 @@ func (m Manager) DeletePeer(ctx context.Context, id domain.PeerIdentifier) error
 		return err
 	}
 	if err := m.checkInterfaceAccess(ctx, peer.InterfaceIdentifier); err != nil {
 		return err
 	}
 	if err := m.validatePeerDeletion(ctx, peer); err != nil {
 		return fmt.Errorf("delete not allowed: %w", err)
 	}
@@ -659,57 +606,4 @@ func (m Manager) validatePeerDeletion(ctx context.Context, _ *domain.Peer) error
 	return nil
 }
 func (m Manager) checkInterfaceAccess(ctx context.Context, id domain.InterfaceIdentifier) error {
 	user := domain.GetUserInfo(ctx)
 	if user.IsAdmin {
 		return nil
 	}
 	iface, err := m.db.GetInterface(ctx, id)
 	if err != nil {
 		return fmt.Errorf("failed to get interface %s: %w", id, err)
 	}
 	if !iface.IsUserAllowed(user.Id, m.cfg) {
 		return fmt.Errorf("user %s is not allowed to access interface %s: %w", user.Id, id, domain.ErrNoPermission)
 	}
 	return nil
 }
 func (m Manager) prepareDefaultPeer(ctx context.Context, iface *domain.Interface, user *domain.User) (
 	*domain.Peer,
 	error,
 ) {
 	if !iface.CreateDefaultPeers() || !user.CreateDefaultPeers() {
 		return nil, nil
 	}
 	userPeers, err := m.db.GetUserPeers(ctx, user.Identifier)
 	if err != nil {
 		return nil, fmt.Errorf("failed to retrieve existing peers prior to default peer creation: %w", err)
 	}
 	peerAlreadyCreated := slices.ContainsFunc(userPeers, func(peer domain.Peer) bool {
 		// Ignore the AutomaticallyCreated flag on the peer.
 		// If a user already has a peer for a given interface, no default peer should be created.
 		return peer.InterfaceIdentifier == iface.Identifier
 	})
 	if peerAlreadyCreated {
 		return nil, nil // skip creation if a peer already exists for this interface
 	}
 	peer, err := m.PreparePeer(ctx, iface.Identifier)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create default peer for interface %s: %w", iface.Identifier, err)
 	}
 	peer.UserIdentifier = user.Identifier
 	peer.Notes = fmt.Sprintf("Default peer created for user %s", user.Identifier)
 	peer.AutomaticallyCreated = true
 	peer.GenerateDisplayName("Default")
 	return peer, nil
 }
 // endregion helper-functions
--- a/internal/app/wireguard/wireguard_peers_test.go
+++ b/internal/app/wireguard/wireguard_peers_test.go
@@ -60,8 +60,6 @@ func (f *mockController) PingAddresses(_ context.Context, _ string) (*domain.Pin
 type mockDB struct {
 	savedPeers map[domain.PeerIdentifier]*domain.Peer
 	iface      *domain.Interface
 	interfaces []domain.Interface
 	users      []domain.User
 }
 func (f *mockDB) GetInterface(ctx context.Context, id domain.InterfaceIdentifier) (*domain.Interface, error) {
@@ -81,9 +79,6 @@ func (f *mockDB) GetPeersStats(ctx context.Context, ids ...domain.PeerIdentifier
 	return nil, nil
 }
 func (f *mockDB) GetAllInterfaces(ctx context.Context) ([]domain.Interface, error) {
 	if f.interfaces != nil {
 		return f.interfaces, nil
 	}
 	if f.iface != nil {
 		return []domain.Interface{*f.iface}, nil
 	}
@@ -142,15 +137,6 @@ func (f *mockDB) GetUsedIpsPerSubnet(ctx context.Context, subnets []domain.Cidr)
 ) {
 	return map[domain.Cidr][]domain.Cidr{}, nil
 }
 func (f *mockDB) GetUser(ctx context.Context, id domain.UserIdentifier) (*domain.User, error) {
 	return &domain.User{
 		Identifier: id,
 		IsAdmin:    false,
 	}, nil
 }
 func (f *mockDB) GetAllUsers(ctx context.Context) ([]domain.User, error) {
 	return f.users, nil
 }
 // --- Test ---
@@ -215,7 +201,7 @@ func TestCreatePeer_SetsIdentifier_FromPublicKey(t *testing.T) {
 func TestCreateDefaultPeer_RespectsInterfaceFlag(t *testing.T) {
 	// Arrange
 	cfg := &config.Config{}
-	cfg.Core.CreateDefaultPeerOnLogin = true
+	cfg.Core.CreateDefaultPeer = true
 	bus := &mockBus{}
 	ctrlMgr := &ControllerManager{
--- a/internal/config/auth.go
+++ b/internal/config/auth.go
@@ -214,10 +214,6 @@ type LdapProvider struct {
 	// If RegistrationEnabled is set to true, wg-portal will create new users that do not exist in the database.
 	RegistrationEnabled bool `yaml:"registration_enabled"`
 	// InterfaceFilter allows restricting interfaces using an LDAP filter.
 	// Map key is the interface identifier (e.g., "wg0"), value is the filter string.
 	InterfaceFilter map[string]string `yaml:"interface_filter"`
 	// If LogUserInfo is set to true, the user info retrieved from the LDAP provider will be logged in trace level.
 	LogUserInfo bool `yaml:"log_user_info"`
 }
@@ -258,10 +254,6 @@ type OpenIDConnectProvider struct {
 	// AllowedDomains defines the list of allowed domains
 	AllowedDomains []string `yaml:"allowed_domains"`
 	// AllowedUserGroups defines the list of allowed user groups.
 	// If not empty, at least one group from the user's group claim must match.
 	AllowedUserGroups []string `yaml:"allowed_user_groups"`
 	// FieldMap is used to map the names of the user-info endpoint fields to wg-portal fields
 	FieldMap OauthFields `yaml:"field_map"`
@@ -278,11 +270,6 @@ type OpenIDConnectProvider struct {
 	// If LogSensitiveInfo is set to true, sensitive information retrieved from the OIDC provider will be logged in trace level.
 	// This also includes OAuth tokens! Keep this disabled in production!
 	LogSensitiveInfo bool `yaml:"log_sensitive_info"`
 	// LogoutIdpSession controls whether the user's session at the OIDC provider is terminated on logout.
 	// If set to true (default), the user will be redirected to the IdP's end_session_endpoint after local logout.
 	// If set to false, only the local wg-portal session is invalidated.
 	LogoutIdpSession *bool `yaml:"logout_idp_session"`
 }
 // OAuthProvider contains the configuration for the OAuth provider.
@@ -312,10 +299,6 @@ type OAuthProvider struct {
 	// AllowedDomains defines the list of allowed domains
 	AllowedDomains []string `yaml:"allowed_domains"`
 	// AllowedUserGroups defines the list of allowed user groups.
 	// If not empty, at least one group from the user's group claim must match.
 	AllowedUserGroups []string `yaml:"allowed_user_groups"`
 	// FieldMap is used to map the names of the user-info endpoint fields to wg-portal fields
 	FieldMap OauthFields `yaml:"field_map"`
--- a/internal/config/backend.go
+++ b/internal/config/backend.go
@@ -10,8 +10,6 @@ const LocalBackendName = "local"
 type Backend struct {
 	Default string `yaml:"default"` // The default backend to use (defaults to the internal backend)
 	ReKeyTimeoutInterval time.Duration `yaml:"rekey_timeout_interval"` // Interval after which a connection is assumed dead
 	// Local Backend-specific configuration
 	IgnoredLocalInterfaces []string `yaml:"ignored_local_interfaces"` // A list of interface names that should be ignored by this backend (e.g., "wg0")
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -22,11 +22,8 @@ type Config struct {
 		AdminApiToken     string `yaml:"admin_api_token"` // if set, the API access is enabled automatically
 		EditableKeys                bool `yaml:"editable_keys"`
-		CreateDefaultPeer                    bool `yaml:"create_default_peer"`             // DEPRECATED: in favor of CreateDefaultPeerOnLogin
+		CreateDefaultPeer           bool `yaml:"create_default_peer"`
-		CreateDefaultPeerOnCreation          bool `yaml:"create_default_peer_on_creation"` // DEPRECATED: in favor of CreateDefaultPeerOnUserCreation
+		CreateDefaultPeerOnCreation bool `yaml:"create_default_peer_on_creation"`
 		CreateDefaultPeerOnLogin             bool `yaml:"create_default_peer_on_login"`
 		CreateDefaultPeerOnUserCreation      bool `yaml:"create_default_peer_on_user_creation"`
 		CreateDefaultPeerOnInterfaceCreation bool `yaml:"create_default_peer_on_interface_creation"`
 		ReEnablePeerAfterUserEnable bool `yaml:"re_enable_peer_after_user_enable"`
 		DeletePeerAfterUserDeleted  bool `yaml:"delete_peer_after_user_deleted"`
 		SelfProvisioningAllowed     bool `yaml:"self_provisioning_allowed"`
@@ -81,7 +78,7 @@ func (c *Config) LogStartupValues() {
 	slog.Debug("Config Features",
 		"editableKeys", c.Core.EditableKeys,
-		"createDefaultPeerOnCreation", c.Core.CreateDefaultPeerOnUserCreation,
+		"createDefaultPeerOnCreation", c.Core.CreateDefaultPeerOnCreation,
 		"reEnablePeerAfterUserEnable", c.Core.ReEnablePeerAfterUserEnable,
 		"deletePeerAfterUserDeleted", c.Core.DeletePeerAfterUserDeleted,
 		"selfProvisioningAllowed", c.Core.SelfProvisioningAllowed,
@@ -115,13 +112,6 @@ func (c *Config) LogStartupValues() {
 }
 // DefaultPeerCreationEnabled returns true if at least one default peer generation mechanism is enabled.
 func (c *Config) DefaultPeerCreationEnabled() bool {
 	return c.Core.CreateDefaultPeerOnLogin ||
 		c.Core.CreateDefaultPeerOnInterfaceCreation ||
 		c.Core.CreateDefaultPeerOnUserCreation
 }
 // defaultConfig returns the default configuration
 func defaultConfig() *Config {
 	cfg := &Config{}
@@ -132,13 +122,8 @@ func defaultConfig() *Config {
 	cfg.Core.AdminApiToken = getEnvStr("WG_PORTAL_CORE_ADMIN_API_TOKEN", "") // by default, the API access is disabled
 	cfg.Core.ImportExisting = getEnvBool("WG_PORTAL_CORE_IMPORT_EXISTING", true)
 	cfg.Core.RestoreState = getEnvBool("WG_PORTAL_CORE_RESTORE_STATE", true)
-	cfg.Core.CreateDefaultPeer = getEnvBool("WG_PORTAL_CORE_CREATE_DEFAULT_PEER", false) // deprecated
+	cfg.Core.CreateDefaultPeer = getEnvBool("WG_PORTAL_CORE_CREATE_DEFAULT_PEER", false)
-	cfg.Core.CreateDefaultPeerOnCreation = getEnvBool("WG_PORTAL_CORE_CREATE_DEFAULT_PEER_ON_CREATION",
+	cfg.Core.CreateDefaultPeerOnCreation = getEnvBool("WG_PORTAL_CORE_CREATE_DEFAULT_PEER_ON_CREATION", false)
 		false) // deprecated
 	cfg.Core.CreateDefaultPeerOnLogin = getEnvBool("WG_PORTAL_CORE_CREATE_DEFAULT_PEER", false)
 	cfg.Core.CreateDefaultPeerOnUserCreation = getEnvBool("WG_PORTAL_CORE_CREATE_DEFAULT_PEER_ON_USER_CREATION", false)
 	cfg.Core.CreateDefaultPeerOnInterfaceCreation = getEnvBool("WG_PORTAL_CORE_CREATE_DEFAULT_PEER_ON_INTERFACE_CREATION",
 		false)
 	cfg.Core.EditableKeys = getEnvBool("WG_PORTAL_CORE_EDITABLE_KEYS", true)
 	cfg.Core.SelfProvisioningAllowed = getEnvBool("WG_PORTAL_CORE_SELF_PROVISIONING_ALLOWED", false)
 	cfg.Core.ReEnablePeerAfterUserEnable = getEnvBool("WG_PORTAL_CORE_RE_ENABLE_PEER_AFTER_USER_ENABLE", true)
@@ -154,7 +139,6 @@ func defaultConfig() *Config {
 	cfg.Backend = Backend{
 		Default:                LocalBackendName, // local backend is the default (using wgcrtl)
 		ReKeyTimeoutInterval:   getEnvDuration("WG_PORTAL_BACKEND_REKEY_TIMEOUT_INTERVAL", 180*time.Second),
 		IgnoredLocalInterfaces: getEnvStrSlice("WG_PORTAL_BACKEND_IGNORED_LOCAL_INTERFACES", nil),
 		// Most resolconf implementations use "tun." as a prefix for interface names.
 		// But systemd's implementation uses no prefix, for example.
@@ -261,8 +245,6 @@ func GetConfig() (*Config, error) {
 		}
 	}
 	handleDeprecatedConfigValues(cfg)
 	return cfg, nil
 }
@@ -356,18 +338,3 @@ func getEnvDuration(name string, fallback time.Duration) time.Duration {
 	return d
 }
 func handleDeprecatedConfigValues(cfg *Config) {
 	// deprecated, will be removed in 2.4
 	if cfg.Core.CreateDefaultPeer {
 		slog.Warn("DEPRECATION WARNING: deprecated core config option: create_default_peer (WG_PORTAL_CORE_CREATE_DEFAULT_PEER)")
 		cfg.Core.CreateDefaultPeerOnLogin = true
 	}
 	// deprecated, will be removed in 2.4
 	if cfg.Core.CreateDefaultPeerOnCreation {
 		slog.Warn("DEPRECATION WARNING: deprecated core config option: create_default_peer_on_creation (WG_PORTAL_CORE_CREATE_DEFAULT_PEER_ON_CREATION)")
 		cfg.Core.CreateDefaultPeerOnUserCreation = true
 		cfg.Core.CreateDefaultPeerOnInterfaceCreation = true
 	}
 }
--- a/internal/domain/auth.go
+++ b/internal/domain/auth.go
@@ -12,7 +12,6 @@ type LoginProviderInfo struct {
 type AuthenticatorUserInfo struct {
 	Identifier         UserIdentifier
 	Email              string
 	UserGroups         []string
 	Firstname          string
 	Lastname           string
 	Phone              string
--- a/internal/domain/interface.go
+++ b/internal/domain/interface.go
@@ -78,33 +78,6 @@ type Interface struct {
 	PeerDefPostUp   string // default action that is executed after the device is up
 	PeerDefPreDown  string // default action that is executed before the device is down
 	PeerDefPostDown string // default action that is executed after the device is down
 	// Self-provisioning access control
 	LdapAllowedUsers map[string][]UserIdentifier `gorm:"serializer:json"` // Materialised during LDAP sync, keyed by ProviderName
 }
 // IsUserAllowed returns true if the interface has no filter, or if the user is in the allowed list.
 func (i *Interface) IsUserAllowed(userId UserIdentifier, cfg *config.Config) bool {
 	isRestricted := false
 	for _, provider := range cfg.Auth.Ldap {
 		if _, exists := provider.InterfaceFilter[string(i.Identifier)]; exists {
 			isRestricted = true
 			break
 		}
 	}
 	if !isRestricted {
 		return true // The interface is completely unrestricted by LDAP config
 	}
 	for _, allowedUsers := range i.LdapAllowedUsers {
 		for _, uid := range allowedUsers {
 			if uid == userId {
 				return true
 			}
 		}
 	}
 	return false
 }
 // PublicInfo returns a copy of the interface with only the public information.
@@ -240,18 +213,6 @@ func (i *Interface) GetRoutingTable() int {
 	}
 }
 // CreateDefaultPeers determines whether default peers should be created for this interface.
 func (i *Interface) CreateDefaultPeers() bool {
 	if !i.CreateDefaultPeer {
 		return false // only create default peers if the interface flag is set
 	}
 	if i.Type != InterfaceTypeServer {
 		return false // only create default peers for server interfaces
 	}
 	return true
 }
 type PhysicalInterface struct {
 	Identifier InterfaceIdentifier // device name, for example: wg0
 	KeyPair                        // private/public Key of the server interface
--- a/internal/domain/interface_test.go
+++ b/internal/domain/interface_test.go
@@ -139,29 +139,3 @@ func TestInterface_GetRoutingTableNonLocal(t *testing.T) {
 	iface.RoutingTable = "abc"
 	assert.Equal(t, 0, iface.GetRoutingTable())
 }
 func TestInterface_CreateDefaultPeers(t *testing.T) {
 	iface := &Interface{}
 	assert.False(t, iface.CreateDefaultPeers())
 	iface.CreateDefaultPeer = true
 	assert.False(t, iface.CreateDefaultPeers()) // still wrong type
 	iface2 := &Interface{Type: InterfaceTypeServer}
 	assert.False(t, iface2.CreateDefaultPeers()) // CreateDefaultPeer flag is false
 	iface2.CreateDefaultPeer = true
 	assert.True(t, iface2.CreateDefaultPeers())
 	iface3 := &Interface{Type: InterfaceTypeClient}
 	assert.False(t, iface3.CreateDefaultPeers())
 	iface3.CreateDefaultPeer = true
 	assert.False(t, iface3.CreateDefaultPeers())
 	iface4 := &Interface{Type: InterfaceTypeAny}
 	assert.False(t, iface4.CreateDefaultPeers())
 	iface4.CreateDefaultPeer = true
 	assert.False(t, iface4.CreateDefaultPeers())
 }
--- a/internal/domain/statistics.go
+++ b/internal/domain/statistics.go
@@ -21,8 +21,8 @@ type PeerStatus struct {
 	LastSessionStart *time.Time `gorm:"column:last_session_start" json:"LastSessionStart"`
 }
-func (s *PeerStatus) CalcConnected(timeout time.Duration) {
+func (s *PeerStatus) CalcConnected() {
-	oldestHandshakeTime := time.Now().Add(-1 * timeout) // if a handshake is older than the rekey-interval + grace-period, the peer is no longer connected
+	oldestHandshakeTime := time.Now().Add(-2 * time.Minute) // if a handshake is older than 2 minutes, the peer is no longer connected
 	handshakeValid := false
 	if s.LastHandshake != nil {
@@ -61,25 +61,3 @@ func (r PingerResult) AverageRtt() time.Duration {
 	}
 	return total / time.Duration(len(r.Rtts))
 }
 type TrafficDelta struct {
 	EntityId                  string `json:"EntityId"` // Either peerId or interfaceId
 	BytesReceivedPerSecond    uint64 `json:"BytesReceived"`
 	BytesTransmittedPerSecond uint64 `json:"BytesTransmitted"`
 }
 func CalculateTrafficDelta(id string, oldTime, newTime time.Time, oldTx, newTx, oldRx, newRx uint64) TrafficDelta {
 	timeDiff := uint64(newTime.Sub(oldTime).Seconds())
 	if timeDiff == 0 {
 		return TrafficDelta{
 			EntityId:                  id,
 			BytesReceivedPerSecond:    0,
 			BytesTransmittedPerSecond: 0,
 		}
 	}
 	return TrafficDelta{
 		EntityId:                  id,
 		BytesReceivedPerSecond:    (newRx - oldRx) / timeDiff,
 		BytesTransmittedPerSecond: (newTx - oldTx) / timeDiff,
 	}
 }
--- a/internal/domain/statistics_test.go
+++ b/internal/domain/statistics_test.go
@@ -9,15 +9,10 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 	now := time.Now()
 	past := now.Add(-3 * time.Minute)
 	recent := now.Add(-1 * time.Minute)
 	defaultTimeout := 125 * time.Second // rekey interval of 120s + 5 seconds grace period
 	past126 := now.Add(-1*defaultTimeout - 1*time.Second)
 	past125 := now.Add(-1 * defaultTimeout)
 	past124 := now.Add(-1*defaultTimeout + 1*time.Second)
 	tests := []struct {
 		name   string
 		status PeerStatus
 		timeout time.Duration
 		want   bool
 	}{
 		{
@@ -26,7 +21,6 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    true,
 				LastHandshake: &recent,
 			},
 			timeout: defaultTimeout,
 			want: true,
 		},
 		{
@@ -35,7 +29,6 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    false,
 				LastHandshake: &recent,
 			},
 			timeout: defaultTimeout,
 			want: true,
 		},
 		{
@@ -44,43 +37,14 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    true,
 				LastHandshake: &past,
 			},
 			timeout: defaultTimeout,
 			want: true,
 		},
 		{
-			name: "Not pingable and ok handshake (-124s)",
+			name: "Not pingable and old handshake",
 			status: PeerStatus{
 				IsPingable:    false,
 				LastHandshake: &past124,
 			},
 			timeout: defaultTimeout,
 			want:    true,
 		},
 		{
 			name: "Not pingable and old handshake (-125s)",
 			status: PeerStatus{
 				IsPingable:    false,
 				LastHandshake: &past125,
 			},
 			timeout: defaultTimeout,
 			want:    false,
 		},
 		{
 			name: "Not pingable and old handshake (-126s)",
 			status: PeerStatus{
 				IsPingable:    false,
 				LastHandshake: &past126,
 			},
 			timeout: defaultTimeout,
 			want:    false,
 		},
 		{
 			name: "Not pingable and old handshake (very old)",
 			status: PeerStatus{
 				IsPingable:    false,
 				LastHandshake: &past,
 			},
 			timeout: defaultTimeout,
 			want: false,
 		},
 		{
@@ -89,7 +53,6 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    true,
 				LastHandshake: nil,
 			},
 			timeout: defaultTimeout,
 			want: true,
 		},
 		{
@@ -98,13 +61,12 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    false,
 				LastHandshake: nil,
 			},
 			timeout: defaultTimeout,
 			want: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			tt.status.CalcConnected(tt.timeout)
+			tt.status.CalcConnected()
 			if got := tt.status.IsConnected; got != tt.want {
 				t.Errorf("IsConnected = %v, want %v", got, tt.want)
 			}
--- a/internal/domain/user.go
+++ b/internal/domain/user.go
@@ -68,7 +68,7 @@ type User struct {
 	WebAuthnCredentialList []UserWebauthnCredential `gorm:"foreignKey:user_identifier"` // the webauthn credentials of the user, used for webauthn authentication
 	// API token for REST API access
-	ApiToken        string `form:"api_token" binding:"omitempty" gorm:"serializer:encstr"`
+	ApiToken        string `form:"api_token" binding:"omitempty"`
 	ApiTokenCreated *time.Time
 	LinkedPeerCount int `gorm:"-"`
@@ -212,33 +212,6 @@ func (u *User) CopyCalculatedAttributes(src *User, withAuthentications bool) {
 	}
 }
 // CopyAdminAttributes copies all attributes from the given user except password, passkey and
 // api-token if apiAdminOnly is false.
 func (u *User) CopyAdminAttributes(src *User, apiAdminOnly bool) {
 	u.BaseModel = src.BaseModel
 	u.Identifier = src.Identifier
 	u.Email = src.Email
 	u.Source = src.Source
 	u.ProviderName = src.ProviderName
 	u.IsAdmin = src.IsAdmin
 	u.Authentications = src.Authentications
 	u.PersistLocalChanges = src.PersistLocalChanges
 	u.Firstname = src.Firstname
 	u.Lastname = src.Lastname
 	u.Phone = src.Phone
 	u.Department = src.Department
 	u.Notes = src.Notes
 	u.Disabled = src.Disabled
 	u.DisabledReason = src.DisabledReason
 	u.Locked = src.Locked
 	u.LockedReason = src.LockedReason
 	u.LinkedPeerCount = src.LinkedPeerCount
 	if apiAdminOnly {
 		u.ApiToken = src.ApiToken
 		u.ApiTokenCreated = src.ApiTokenCreated
 	}
 }
 // MergeAuthSources merges the given authentication sources with the existing ones.
 // Already existing sources are not overwritten, nor will be added any duplicates.
 func (u *User) MergeAuthSources(extSources ...UserAuthentication) {
@@ -270,18 +243,6 @@ func (u *User) DisplayName() string {
 	return displayName
 }
 // CreateDefaultPeers determines whether default peers should be created for this user.
 func (u *User) CreateDefaultPeers() bool {
 	if u.IsDisabled() {
 		return false
 	}
 	if u.IsLocked() {
 		return false
 	}
 	return true
 }
 // region webauthn
 func (u *User) WebAuthnID() []byte {
--- a/internal/domain/user_test.go
+++ b/internal/domain/user_test.go
@@ -145,17 +145,3 @@ func TestUser_HashPassword(t *testing.T) {
 	user.Password = ""
 	assert.NoError(t, user.HashPassword())
 }
 func TestUser_CreateDefaultPeers(t *testing.T) {
 	user := &User{}
 	assert.True(t, user.CreateDefaultPeers())
 	user2 := &User{Disabled: &time.Time{}}
 	assert.False(t, user2.CreateDefaultPeers())
 	user3 := &User{Locked: &time.Time{}}
 	assert.False(t, user3.CreateDefaultPeers())
 	user4 := &User{Disabled: &time.Time{}, Locked: &time.Time{}}
 	assert.False(t, user4.CreateDefaultPeers())
 }
Author	SHA1	Message	Date
Christoph Haas	79eaedb9ca	only override isAdmin flag if it is provided by the authentication source	2026-01-19 23:17:56 +01:00
Christoph Haas	70832bfb52	feat: allow multiple auth sources per user (#500,#477)	2026-01-19 23:00:03 +01:00