Merge branch 'master' into stable

fix: "created_at" for users (#656 )
* fix: created_at for users * added tests for: created_at for users * cleanup fixes --------- Co-authored-by: Christoph Haas <christoph.h@sprinternet.at>
2026-04-09 08:56:20 +00:00 · 2026-04-01 20:12:38 +02:00 · 2026-04-01 11:58:22 +02:00 · 2026-04-01 11:42:07 +02:00 · 2026-04-01 00:20:35 +02:00 · 2026-03-31 19:49:53 +02:00
49 changed files with 2784 additions and 1973 deletions
--- a/.github/workflows/chart.yml
+++ b/.github/workflows/chart.yml
@@ -44,7 +44,7 @@ jobs:
      - name: Run chart-testing (lint)
        run: ct lint --config ct.yaml
-      - uses: nolar/setup-k3d-k3s@293b8e5822a20bc0d5bcdd4826f1a665e72aba96 # v1.0.9
+      - uses: nolar/setup-k3d-k3s@8bf8d22160e8b1d184dcb780e390d6952a7eec65 # v1.0.10
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
@@ -62,7 +62,7 @@ jobs:
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+      - uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -21,10 +21,10 @@ jobs:
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
      - name: Get Version
        shell: bash
@@ -32,14 +32,14 @@ jobs:
      - name: Login to Docker Hub
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}
      - name: Login to GitHub Container Registry
        if: github.event_name != 'pull_request'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
@@ -47,7 +47,7 @@ jobs:
      - name: Extract metadata (tags, labels) for Docker
        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: |
            wgportal/wg-portal
@@ -68,7 +68,7 @@ jobs:
            type=semver,pattern=v{{major}}
      - name: Build and push Docker image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: .
          push: ${{ github.event_name != 'pull_request' }}
@@ -80,7 +80,7 @@ jobs:
            BUILD_VERSION=${{ env.BUILD_VERSION }}
      - name: Export binaries from images
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/arm/v7
@@ -110,12 +110,12 @@ jobs:
      contents: write
    steps:
      - name: Download binaries
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
        with:
          name: binaries
      - name: Create GitHub Release
-        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
        with:
          files: 'wg-portal_linux*'
          generate_release_notes: true
--- a/cmd/wg-portal/main.go
+++ b/cmd/wg-portal/main.go
@@ -80,7 +80,7 @@ func main() {
 	internal.AssertNoError(err)
 	auditRecorder.StartBackgroundJobs(ctx)
-	userManager, err := users.NewUserManager(cfg, eventBus, database, database)
+	userManager, err := users.NewUserManager(cfg, eventBus, database, database, database)
 	internal.AssertNoError(err)
 	userManager.StartBackgroundJobs(ctx)
--- a/docs/documentation/configuration/examples.md
+++ b/docs/documentation/configuration/examples.md
@@ -86,6 +86,9 @@ auth:
        memberof: memberOf
      admin_group: CN=WireGuardAdmins,OU=Some-OU,DC=COMPANY,DC=LOCAL
      registration_enabled: true
      # Restrict interface access based on LDAP filters
      interface_filter:
        wg0: "(memberOf=CN=VPNUsers,OU=Groups,DC=COMPANY,DC=LOCAL)"
      log_user_info: true
 ```
--- a/docs/documentation/configuration/overview.md
+++ b/docs/documentation/configuration/overview.md
@@ -28,6 +28,7 @@ core:
 backend:
  default: local
  rekey_timeout_interval: 125s
  local_resolvconf_prefix: tun.
 advanced:
@@ -203,6 +204,13 @@ The current MikroTik backend is in **BETA** and may not support all features.
 - **Description:** The default backend to use for managing WireGuard interfaces. 
  Valid options are: `local`, or other backend id's configured in the `mikrotik` section.
 ### `rekey_timeout_interval`
 - **Default:** `180s`
 - **Environment Variable:** `WG_PORTAL_BACKEND_REKEY_TIMEOUT_INTERVAL`
 - **Description:** The interval after which a WireGuard peer is considered disconnected if no handshake updates are received. 
  This corresponds to the WireGuard rekey timeout setting of 120 seconds plus a 60-second buffer to account for latency or retry handling.
  Uses Go duration format (e.g., `10s`, `1m`). If omitted, a default of 180 seconds is used.
 ### `local_resolvconf_prefix`
 - **Default:** `tun.`
 - **Environment Variable:** `WG_PORTAL_BACKEND_LOCAL_RESOLVCONF_PREFIX`
@@ -734,6 +742,16 @@ Below are the properties for each LDAP provider entry inside `auth.ldap`:
 - **Important**: The `login_filter` must always be a valid LDAP filter. It should at most return one user. 
  If the filter returns multiple or no users, the login will fail.
 #### `interface_filter`
 - **Default:** *(empty)*
 - **Description:** A map of LDAP filters to restrict access to specific WireGuard interfaces. The map keys are the interface identifiers (e.g., `wg0`), and the values are LDAP filters. Only users matching the filter will be allowed to provision peers for the respective interface.
  For example:
  ```yaml
  interface_filter:
    wg0: "(memberOf=CN=VPNUsers,OU=Groups,DC=COMPANY,DC=LOCAL)"
    wg1: "(description=special-access)"
  ```
 #### `admin_group`
 - **Default:** *(empty)*
 - **Description:** A specific LDAP group whose members are considered administrators in WireGuard Portal.
--- a/docs/documentation/usage/authentication.md
+++ b/docs/documentation/usage/authentication.md
@@ -147,6 +147,26 @@ You can map users to admin roles based on their group membership in the LDAP ser
 The `admin_group` property defines the distinguished name of the group that is allowed to log in as admin.
 All groups that are listed in the `memberof` attribute of the user will be checked against this group. If one of the groups matches, the user is granted admin access.
 ### Interface-specific Provisioning Filters
 You can restrict which users are allowed to provision peers for specific WireGuard interfaces by setting the `interface_filter` property.
 This property is a map where each key corresponds to a WireGuard interface identifier, and the value is an LDAP filter.
 A user will only be able to see and provision peers for an interface if they match the specified LDAP filter for that interface.
 Example:
 ```yaml
 auth:
  ldap:
    - provider_name: "ldap1"
      # ... other settings
      interface_filter:
        wg0: "(memberOf=CN=VPNUsers,OU=Groups,DC=COMPANY,DC=LOCAL)"
        wg1: "(department=IT)"
 ```
 This feature works by materializing the list of authorized users for each interface during the periodic LDAP synchronization.
 Even if a user bypasses the UI, the backend will enforce these restrictions at the service layer.
 ## User Synchronization
--- a/docs/documentation/usage/user-sync.md
+++ b/docs/documentation/usage/user-sync.md
@@ -44,3 +44,11 @@ All peers associated with that user will also be disabled.
 If you want a user and its peers to be automatically re-enabled once they are found in LDAP again, set the `auto_re_enable` property to `true`.
 This will only re-enable the user if they were disabled by the synchronization process. Manually disabled users will not be re-enabled.
 ##### Interface-specific Access Materialization
 If `interface_filter` is configured in the LDAP provider, the synchronization process will evaluate these filters for each enabled user.
 The results are materialized in the `interfaces` table of the database in a hidden field. 
 This materialized list is used by the backend to quickly determine if a user has permission to provision peers for a specific interface, without having to query the LDAP server for every request.
 The list is refreshed every time the LDAP synchronization runs.
 For more details on how to configure these filters, see the [Authentication](./authentication.md#interface-specific-provisioning-filters) section.
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -14,7 +14,7 @@
      let WGPORTAL_SITE_TITLE="WireGuard Portal";
      let WGPORTAL_SITE_COMPANY_NAME="WireGuard Portal";
    </script>
-    <script src="/api/v0/config/frontend.js"></script>
+    <script src="/api/v0/config/frontend.js" vite-ignore></script>
  </head>
  <body class="d-flex flex-column min-vh-100">
    <noscript>
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -9,28 +9,28 @@
  },
  "dependencies": {
    "@fontsource/nunito-sans": "^5.2.7",
-    "@fortawesome/fontawesome-free": "^7.1.0",
+    "@fortawesome/fontawesome-free": "^7.2.0",
    "@kyvg/vue3-notification": "^3.4.2",
    "@popperjs/core": "^2.11.8",
-    "@simplewebauthn/browser": "^13.2.2",
+    "@simplewebauthn/browser": "^13.3.0",
-    "@vojtechlanka/vue-tags-input": "^3.1.1",
+    "@vojtechlanka/vue-tags-input": "^3.1.2",
    "bootstrap": "^5.3.8",
    "bootswatch": "^5.3.8",
-    "cidr-tools": "^11.0.3",
+    "cidr-tools": "^11.3.2",
    "flag-icons": "^7.5.0",
    "ip-address": "^10.1.0",
-    "is-cidr": "^6.0.1",
+    "is-cidr": "^6.0.3",
    "is-ip": "^5.0.1",
    "pinia": "^3.0.4",
    "prismjs": "^1.30.0",
-    "vue": "^3.5.25",
+    "vue": "^3.5.31",
-    "vue-i18n": "^11.2.2",
+    "vue-i18n": "^11.3.0",
    "vue-prism-component": "github:h44z/vue-prism-component",
-    "vue-router": "^4.6.3"
+    "vue-router": "^5.0.4"
  },
  "devDependencies": {
-    "@vitejs/plugin-vue": "^6.0.2",
+    "@vitejs/plugin-vue": "^6.0.5",
-    "sass-embedded": "^1.93.3",
+    "sass-embedded": "^1.98.0",
-    "vite": "^7.2.7"
+    "vite": "^8.0.3"
  }
 }
--- a/frontend/src/components/InterfaceEditModal.vue
+++ b/frontend/src/components/InterfaceEditModal.vue
@@ -315,6 +315,7 @@ async function applyPeerDefaults() {
 async function del() {
  if (isDeleting.value) return
  if (!confirm(t('modals.interface-edit.confirm-delete', {id: selectedInterface.value.Identifier}))) return
  isDeleting.value = true
  try {
    await interfaces.DeleteInterface(selectedInterface.value.Identifier)
--- a/frontend/src/components/Modal.vue
+++ b/frontend/src/components/Modal.vue
@@ -26,13 +26,13 @@
  display:block;
 }
 .modal.show {
-  opacity: 1;
+  opacity: 1.0;
 }
 .modal-backdrop {
  background-color: rgba(0,0,0,0.6) !important;
 }
 .modal-backdrop.show {
-  opacity: 1 !important;
+  opacity: 1.0 !important;
 }
 </style>
--- a/frontend/src/components/PeerEditModal.vue
+++ b/frontend/src/components/PeerEditModal.vue
@@ -294,6 +294,7 @@ async function save() {
 async function del() {
  if (isDeleting.value) return
  if (!confirm(t('modals.peer-edit.confirm-delete', {id: selectedPeer.value.Identifier}))) return
  isDeleting.value = true
  try {
    await peers.DeletePeer(selectedPeer.value.Identifier)
--- a/frontend/src/components/UserEditModal.vue
+++ b/frontend/src/components/UserEditModal.vue
@@ -114,6 +114,7 @@ async function save() {
 async function del() {
  if (isDeleting.value) return
  if (!confirm(t('modals.user-edit.confirm-delete', {id: selectedUser.value.Identifier}))) return
  isDeleting.value = true
  try {
    await users.DeleteUser(selectedUser.value.Identifier)
--- a/frontend/src/lang/translations/de.json
+++ b/frontend/src/lang/translations/de.json
@@ -382,7 +382,8 @@
      "persist-local-changes": {
        "label": "Lokale Änderungen speichern"
      },
-      "sync-warning": "Um diesen synchronisierten Benutzer zu bearbeiten, aktivieren Sie die lokale Änderungsspeicherung. Andernfalls werden Ihre Änderungen bei der nächsten Synchronisierung überschrieben."
+      "sync-warning": "Um diesen synchronisierten Benutzer zu bearbeiten, aktivieren Sie die lokale Änderungsspeicherung. Andernfalls werden Ihre Änderungen bei der nächsten Synchronisierung überschrieben.",
      "confirm-delete": "Benutzer '{id}' wirklich löschen?"
    },
    "interface-view": {
      "headline": "Konfiguration für Schnittstelle:"
@@ -503,7 +504,8 @@
          "placeholder": "Persistentes Keepalive (0 = Standard)"
        }
      },
-      "button-apply-defaults": "Peer-Standardeinstellungen anwenden"
+      "button-apply-defaults": "Peer-Standardeinstellungen anwenden",
      "confirm-delete": "Interface '{id}' wirklich löschen?"
    },
    "peer-view": {
      "headline-peer": "Peer:",
@@ -625,7 +627,8 @@
      },
      "expires-at": {
        "label": "Ablaufdatum"
-      }
+      },
      "confirm-delete": "Peer '{id}' wirklich löschen?"
    },
    "peer-multi-create": {
      "headline-peer": "Mehrere Peers erstellen",
--- a/frontend/src/lang/translations/en.json
+++ b/frontend/src/lang/translations/en.json
@@ -271,16 +271,16 @@
    "headline-preshared-key": "New Preshared Key",
    "button-generate": "Generate",
    "private-key": {
-        "label": "Private Key",
+      "label": "Private Key",
-        "placeholder": "The private key"
+      "placeholder": "The private key"
    },
    "public-key": {
-        "label": "Public Key",
+      "label": "Public Key",
-        "placeholder": "The public key"
+      "placeholder": "The public key"
    },
    "preshared-key": {
-        "label": "Preshared Key",
+      "label": "Preshared Key",
-        "placeholder": "The pre-shared key"
+      "placeholder": "The pre-shared key"
    }
  },
  "calculator": {
@@ -289,18 +289,18 @@
    "headline-allowed-ip": "New Allowed IPs",
    "button-exclude-private": "Exclude Private IP Ranges",
    "allowed-ip": {
-        "label": "Allowed IPs",
+      "label": "Allowed IPs",
-        "placeholder": "0.0.0.0/0, ::/0",
+      "placeholder": "0.0.0.0/0, ::/0",
-        "empty": "Value cannot be empty"
+      "empty": "Value cannot be empty"
    },
    "dissallowed-ip": {
-        "label": "Disallowed IPs",
+      "label": "Disallowed IPs",
-        "placeholder": "10.0.0.0/8, 192.168.0.0/16",
+      "placeholder": "10.0.0.0/8, 192.168.0.0/16",
-        "invalid": "Invalid address: {addr}"
+      "invalid": "Invalid address: {addr}"
    },
    "new-allowed-ip": {
-        "label": "Allowed IPs",
+      "label": "Allowed IPs",
-        "placeholder": ""
+      "placeholder": ""
    }
  },
  "modals": {
@@ -382,7 +382,8 @@
      "persist-local-changes": {
        "label": "Persist local changes"
      },
-      "sync-warning": "To modify this synchronized user, enable local change persistence. Otherwise, your changes will be overwritten during the next synchronization."
+      "sync-warning": "To modify this synchronized user, enable local change persistence. Otherwise, your changes will be overwritten during the next synchronization.",
      "confirm-delete": "Are you sure you want to delete user '{id}'?"
    },
    "interface-view": {
      "headline": "Config for Interface:"
@@ -503,8 +504,8 @@
          "placeholder": "Persistent Keepalive (0 = default)"
        }
      },
-
+      "button-apply-defaults": "Apply Peer Defaults",
-      "button-apply-defaults": "Apply Peer Defaults"
+      "confirm-delete": "Are you sure you want to delete interface '{id}'?"
    },
    "peer-view": {
      "headline-peer": "Peer:",
@@ -626,7 +627,8 @@
      },
      "expires-at": {
        "label": "Expiry date"
-      }
+      },
      "confirm-delete": "Are you sure you want to delete peer '{id}'?"
    },
    "peer-multi-create": {
      "headline-peer": "Create multiple peers",
--- a/frontend/src/lang/translations/es.json
+++ b/frontend/src/lang/translations/es.json
@@ -365,7 +365,8 @@
      },
      "admin": {
        "label": "Es administrador"
-      }
+      },
      "confirm-delete": "Seguro que desea eliminar el usuario '{id}'?"
    },
    "interface-view": {
      "headline": "Configuración de la interfaz:"
@@ -493,7 +494,8 @@
          "placeholder": "Keepalive Persistente (0 = por defecto)"
        }
      },
-      "button-apply-defaults": "Aplicar Valores Predeterminados de peers"
+      "button-apply-defaults": "Aplicar Valores Predeterminados de peers",
      "confirm-delete": "Seguro que desea eliminar la interfaz '{id}'?"
    },
    "peer-view": {
      "headline-peer": "Peer:",
@@ -613,7 +615,8 @@
      },
      "expires-at": {
        "label": "Fecha de expiración"
-      }
+      },
      "confirm-delete": "Seguro que desea eliminar el par '{id}'?"
    },
    "peer-multi-create": {
      "headline-peer": "Crear múltiples peers",
--- a/frontend/src/lang/translations/fr.json
+++ b/frontend/src/lang/translations/fr.json
@@ -126,9 +126,7 @@
    "peer-expiring": "Le pair expire le",
    "peer-connected": "Connecté",
    "peer-not-connected": "Non connecté",
-    "peer-handshake": "Dernière négociation :",
+    "peer-handshake": "Dernière négociation :"
    "button-show-peer": "Afficher le pair",
    "button-edit-peer": "Modifier le pair"
  },
  "users": {
    "headline": "Administration des utilisateurs",
@@ -264,7 +262,8 @@
      },
      "admin": {
        "label": "Est Admin"
-      }
+      },
      "confirm-delete": "Voulez-vous vraiment supprimer l'utilisateur \"{id}\" ?"
    },
    "interface-view": {
      "headline": "Configuration pour l'interface :"
@@ -377,7 +376,8 @@
          "placeholder": "Persistent Keepalive (0 = par défaut)"
        }
      },
-      "button-apply-defaults": "Appliquer les valeurs par défaut des pairs"
+      "button-apply-defaults": "Appliquer les valeurs par défaut des pairs",
      "confirm-delete": "Voulez-vous vraiment supprimer l'interface \"{id}\" ?"
    },
    "peer-view": {
      "headline-peer": "Pair :",
@@ -493,7 +493,8 @@
      },
      "expires-at": {
        "label": "Date d'expiration"
-      }
+      },
      "confirm-delete": "Voulez-vous vraiment supprimer le pair \"{id}\" ?"
    },
    "peer-multi-create": {
      "headline-peer": "Créer plusieurs pairs",
--- a/frontend/src/lang/translations/ko.json
+++ b/frontend/src/lang/translations/ko.json
@@ -282,6 +282,7 @@
          "label": "관리자 여부"
        }
      },
      "confirm-delete": "사용자 '{id}'를 삭제하시겠습니까?",
      "interface-view": {
        "headline": "인터페이스 구성:"
      },
@@ -393,7 +394,8 @@
            "placeholder": "영구 Keepalive (0 = 기본값)"
          }
        },
-        "button-apply-defaults": "피어 기본값 적용"
+        "button-apply-defaults": "피어 기본값 적용",
        "confirm-delete": "인터페이스 '{id}'를 삭제하시겠습니까?"
      },
      "peer-view": {
        "headline-peer": "피어:",
@@ -509,7 +511,8 @@
        },
        "expires-at": {
          "label": "만료 날짜"
-        }
+        },
        "confirm-delete": "피어 '{id}'를 삭제하시겠습니까?"
      },
      "peer-multi-create": {
        "headline-peer": "여러 피어 생성",
--- a/frontend/src/lang/translations/pt.json
+++ b/frontend/src/lang/translations/pt.json
@@ -300,7 +300,8 @@
      },
      "admin": {
        "label": "É Administrador"
-      }
+      },
      "confirm-delete": "Tem certeza que deseja excluir o utilizador '{id}'?"
    },
    "interface-view": {
      "headline": "Configuração para a Interface:"
@@ -413,7 +414,8 @@
          "placeholder": "Keepalive persistente (0 = padrão)"
        }
      },
-      "button-apply-defaults": "Aplicar Padrões de Peer"
+      "button-apply-defaults": "Aplicar Padrões de Peer",
      "confirm-delete": "Tem certeza que deseja excluir a interface '{id}'?"
    },
    "peer-view": {
      "headline-peer": "Peer:",
@@ -530,7 +532,8 @@
      },
      "expires-at": {
        "label": "Data de expiração"
-      }
+      },
      "confirm-delete": "Tem certeza que deseja excluir o par '{id}'?"
    },
    "peer-multi-create": {
      "headline-peer": "Criar múltiplos peers",
--- a/frontend/src/lang/translations/ru.json
+++ b/frontend/src/lang/translations/ru.json
@@ -259,16 +259,16 @@
    "headline-preshared-key": "Новый общий ключ",
    "button-generate": "Генерировать",
    "private-key": {
-        "label": "Приватный ключ",
+      "label": "Приватный ключ",
-        "placeholder": "Приватный ключ"
+      "placeholder": "Приватный ключ"
    },
    "public-key": {
-        "label": "Публичный ключ",
+      "label": "Публичный ключ",
-        "placeholder": "Публичный ключ"
+      "placeholder": "Публичный ключ"
    },
    "preshared-key": {
-        "label": "Общий ключ",
+      "label": "Общий ключ",
-        "placeholder": "Общий ключ"
+      "placeholder": "Общий ключ"
    }
  },
  "calculator": {
@@ -277,18 +277,18 @@
    "headline-allowed-ip": "Новые разрешенные IP-адреса",
    "button-exclude-private": "Исключить частные диапазоны IP-адресов",
    "allowed-ip": {
-        "label": "Разрешенные IP-адреса",
+      "label": "Разрешенные IP-адреса",
-        "placeholder": "0.0.0.0/0, ::/0",
+      "placeholder": "0.0.0.0/0, ::/0",
-        "empty": "Поле ввода не должно быть пустым"
+      "empty": "Поле ввода не должно быть пустым"
    },
    "dissallowed-ip": {
-        "label": "Запрещенные IP-адреса",
+      "label": "Запрещенные IP-адреса",
-        "placeholder": "10.0.0.0/8, 192.168.0.0/16",
+      "placeholder": "10.0.0.0/8, 192.168.0.0/16",
-        "invalid": "Некорректный адрес: {addr}"
+      "invalid": "Некорректный адрес: {addr}"
    },
    "new-allowed-ip": {
-        "label": "Разрешенные IP-адреса",
+      "label": "Разрешенные IP-адреса",
-        "placeholder": ""
+      "placeholder": ""
    }
  },
  "modals": {
@@ -366,7 +366,8 @@
      },
      "admin": {
        "label": "Является администратором"
-      }
+      },
      "confirm-delete": "Вы уверены, что хотите удалить пользователя «{id}»?"
    },
    "interface-view": {
      "headline": "Конфигурация интерфейса:"
@@ -484,7 +485,8 @@
          "placeholder": "Постоянное поддержание активности (0 = значение по умолчанию)"
        }
      },
-      "button-apply-defaults": "Применить настройки пира по умолчанию"
+      "button-apply-defaults": "Применить настройки пира по умолчанию",
      "confirm-delete": "Вы уверены, что хотите удалить интерфейс «{id}»?"
    },
    "peer-view": {
      "headline-peer": "Пир:",
@@ -605,7 +607,8 @@
      },
      "expires-at": {
        "label": "Дата истечения срока действия"
-      }
+      },
      "confirm-delete": "Вы уверены, что хотите удалить пир «{id}»?"
    },
    "peer-multi-create": {
      "headline-peer": "Создать несколько узлов",
--- a/frontend/src/lang/translations/uk.json
+++ b/frontend/src/lang/translations/uk.json
@@ -151,7 +151,6 @@
    "admin": "Користувач має адміністративні привілеї",
    "no-admin": "Користувач не має адміністративних привілеїв"
  },
  "profile": {
    "headline": "Мої VPN-піри",
    "table-heading": {
@@ -189,7 +188,6 @@
      "api-link": "Документація API"
    }
  },
  "modals": {
    "user-view": {
      "headline": "Обліковий запис користувача:",
@@ -264,7 +262,8 @@
      },
      "admin": {
        "label": "Адміністратор"
-      }
+      },
      "confirm-delete": "Ви впевнені, що хочете видалити користувача «{id}»?"
    },
    "interface-view": {
      "headline": "Конфігурація для інтерфейсу:"
@@ -377,7 +376,8 @@
          "placeholder": "Постійний Keepalive (0 = за замовчуванням)"
        }
      },
-      "button-apply-defaults": "Застосувати значення за замовчуванням для пірів"
+      "button-apply-defaults": "Застосувати значення за замовчуванням для пірів",
      "confirm-delete": "Ви впевнені, що хочете видалити інтерфейс «{id}»?"
    },
    "peer-view": {
      "headline-peer": "Пір:",
@@ -493,7 +493,8 @@
      },
      "expires-at": {
        "label": "Дата закінчення терміну дії"
-      }
+      },
      "confirm-delete": "Ви впевнені, що хочете видалити пір «{id}»?"
    },
    "peer-multi-create": {
      "headline-peer": "Створити декілька пір",
--- a/frontend/src/lang/translations/vi.json
+++ b/frontend/src/lang/translations/vi.json
@@ -240,7 +240,8 @@
      },
      "admin": {
        "label": "Là Quản trị viên"
-      }
+      },
      "confirm-delete": "Ban co chac muon xoa nguoi dung '{id}' khong?"
    },
    "interface-view": {
      "headline": "Cấu hình cho Giao diện:"
@@ -353,8 +354,8 @@
          "placeholder": "Giữ kết nối liên tục (0 = mặc định)"
        }
      },
-
+      "button-apply-defaults": "Áp dụng Cài đặt Mặc định của Peer",
-      "button-apply-defaults": "Áp dụng Cài đặt Mặc định của Peer"
+      "confirm-delete": "Ban co chac muon xoa giao dien '{id}' khong?"
    },
    "peer-view": {
      "headline-peer": "Peer:",
@@ -470,7 +471,8 @@
      },
      "expires-at": {
        "label": "Ngày hết hạn"
-      }
+      },
      "confirm-delete": "Ban co chac muon xoa peer '{id}' khong?"
    },
    "peer-multi-create": {
      "headline-peer": "Tạo nhiều peer",
--- a/frontend/src/lang/translations/zh.json
+++ b/frontend/src/lang/translations/zh.json
@@ -242,6 +242,7 @@
          "label": "管理员"
        }
      },
      "confirm-delete": "确定要删除用户“{id}”吗？",
      "interface-view": {
        "headline": "接口配置: "
      },
@@ -353,7 +354,8 @@
            "placeholder": "持久保持连接 (0 = 默认)"
          }
        },
-        "button-apply-defaults": "应用节点默认值"
+        "button-apply-defaults": "应用节点默认值",
        "confirm-delete": "确定要删除接口“{id}”吗？"
      },
      "peer-view": {
        "headline-peer": "节点: ",
@@ -469,7 +471,8 @@
        },
        "expires-at": {
          "label": "过期日期"
-        }
+        },
        "confirm-delete": "确定要删除对等点“{id}”吗？"
      },
      "peer-multi-create": {
        "headline-peer": "创建多个节点",
--- a/frontend/src/router/index.js
+++ b/frontend/src/router/index.js
@@ -1,7 +1,6 @@
 import {createRouter, createWebHashHistory} from 'vue-router'
 import HomeView from '../views/HomeView.vue'
 import LoginView from '../views/LoginView.vue'
 import InterfaceView from '../views/InterfaceView.vue'
 import {authStore} from '@/stores/auth'
 import {securityStore} from '@/stores/security'
@@ -20,11 +19,6 @@ const router = createRouter({
      name: 'login',
      component: LoginView
    },
    {
      path: '/interface',
      name: 'interface',
      component: InterfaceView
    },
    {
      path: '/interfaces',
      name: 'interfaces',
--- a/frontend/src/stores/profile.js
+++ b/frontend/src/stores/profile.js
@@ -74,6 +74,7 @@ export const profileStore = defineStore('profile', {
    },
    hasStatistics: (state) => state.statsEnabled,
    CountInterfaces: (state) => state.interfaces.length,
    HasInterface: (state) => (id) => state.interfaces.some((i) => i.Identifier === id),
  },
  actions: {
    afterPageSizeChange() {
--- a/frontend/src/views/ProfileView.vue
+++ b/frontend/src/views/ProfileView.vue
@@ -80,6 +80,8 @@ onMounted(async () => {
    <div class="col-12 col-lg-5">
      <h2 class="mt-2">{{ $t('profile.headline') }}</h2>
    </div>
    <div class="col-12 col-lg-3 text-lg-end" v-if="!settings.Setting('SelfProvisioning') || profile.CountInterfaces===0">
    </div>
    <div class="col-12 col-lg-4 text-lg-end">
      <div class="form-group d-inline">
        <div class="input-group mb-3">
@@ -90,8 +92,8 @@ onMounted(async () => {
        </div>
      </div>
    </div>
-    <div class="col-12 col-lg-3 text-lg-end">
+    <div class="col-12 col-lg-3 text-lg-end" v-if="settings.Setting('SelfProvisioning') && profile.CountInterfaces>0">
-      <div class="form-group" v-if="settings.Setting('SelfProvisioning')">
+      <div class="form-group">
        <div class="input-group mb-3">
          <button class="btn btn-primary" :title="$t('interfaces.button-add-peer')" @click.prevent="editPeerId = '#NEW#'">
            <i class="fa fa-plus me-1"></i><i class="fa fa-user"></i>
@@ -160,8 +162,7 @@ onMounted(async () => {
          </td>
          <td v-if="profile.hasStatistics">
            <div v-if="profile.Statistics(peer.Identifier).IsConnected">
-              <span class="badge rounded-pill bg-success"><i class="fa-solid fa-link"></i></span>
+              <span class="badge rounded-pill bg-success" :title="$t('profile.peer-connected')"><i class="fa-solid fa-link"></i></span> <small class="text-muted" :title="$t('interfaces.peer-handshake') + ' ' + profile.Statistics(peer.Identifier).LastHandshake"><i class="fa-solid fa-circle-info"></i></small>
              <span :title="profile.Statistics(peer.Identifier).LastHandshake">{{ $t('profile.peer-connected') }}</span>
            </div>
            <div v-else>
              <span class="badge rounded-pill bg-light"><i class="fa-solid fa-link-slash"></i></span>
@@ -174,7 +175,7 @@ onMounted(async () => {
          <td class="text-center">
            <a href="#" :title="$t('profile.button-show-peer')" @click.prevent="viewedPeerId = peer.Identifier"><i
                class="fas fa-eye me-2"></i></a>
-            <a href="#" :title="$t('profile.button-edit-peer')" @click.prevent="editPeerId = peer.Identifier"><i
+            <a href="#" :title="$t('profile.button-edit-peer')" @click.prevent="editPeerId = peer.Identifier" v-if="settings.Setting('SelfProvisioning') && profile.HasInterface(peer.InterfaceIdentifier)"><i
                class="fas fa-cog"></i></a>
          </td>
        </tr>
--- a/go.mod
+++ b/go.mod
@@ -7,10 +7,10 @@ require (
 	github.com/alexedwards/scs/v2 v2.9.0
 	github.com/coreos/go-oidc/v3 v3.17.0
 	github.com/glebarez/sqlite v1.11.0
-	github.com/go-ldap/ldap/v3 v3.4.12
+	github.com/go-ldap/ldap/v3 v3.4.13
 	github.com/go-pkgz/routegroup v1.6.0
 	github.com/go-playground/validator/v10 v10.30.1
-	github.com/go-webauthn/webauthn v0.16.0
+	github.com/go-webauthn/webauthn v0.16.1
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/websocket v1.5.3
 	github.com/prometheus-community/pro-bing v0.8.0
@@ -22,9 +22,9 @@ require (
 	github.com/xhit/go-simple-mail/v2 v2.16.0
 	github.com/yeqown/go-qrcode/v2 v2.2.5
 	github.com/yeqown/go-qrcode/writer/compressed v1.0.1
-	golang.org/x/crypto v0.48.0
+	golang.org/x/crypto v0.49.0
-	golang.org/x/oauth2 v0.35.0
+	golang.org/x/oauth2 v0.36.0
-	golang.org/x/sys v0.41.0
+	golang.org/x/sys v0.42.0
 	golang.zx2c4.com/wireguard/wgctrl v0.0.0-20241231184526-a9ab2273dd10
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/mysql v1.6.0
@@ -61,7 +61,7 @@ require (
 	github.com/go-sql-driver/mysql v1.9.3 // indirect
 	github.com/go-test/deep v1.1.1 // indirect
 	github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
-	github.com/go-webauthn/x v0.2.1 // indirect
+	github.com/go-webauthn/x v0.2.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
@@ -95,9 +95,9 @@ require (
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa // indirect
 	golang.org/x/mod v0.33.0 // indirect
-	golang.org/x/net v0.50.0 // indirect
+	golang.org/x/net v0.51.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/text v0.35.0 // indirect
 	golang.org/x/tools v0.42.0 // indirect
 	golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb // indirect
 	google.golang.org/protobuf v1.36.11 // indirect
--- a/go.sum
+++ b/go.sum
@@ -60,8 +60,8 @@ github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 h1:BP4M0CvQ
 github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-jose/go-jose/v4 v4.1.3 h1:CVLmWDhDVRa6Mi/IgCgaopNosCaHz7zrMeF9MlZRkrs=
 github.com/go-jose/go-jose/v4 v4.1.3/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
-github.com/go-ldap/ldap/v3 v3.4.12 h1:1b81mv7MagXZ7+1r7cLTWmyuTqVqdwbtJSjC0DAp9s4=
+github.com/go-ldap/ldap/v3 v3.4.13 h1:+x1nG9h+MZN7h/lUi5Q3UZ0fJ1GyDQYbPvbuH38baDQ=
-github.com/go-ldap/ldap/v3 v3.4.12/go.mod h1:+SPAGcTtOfmGsCb3h1RFiq4xpp4N636G75OEace8lNo=
+github.com/go-ldap/ldap/v3 v3.4.13/go.mod h1:LxsGZV6vbaK0sIvYfsv47rfh4ca0JXokCoKjZxsszv0=
 github.com/go-openapi/jsonpointer v0.22.4 h1:dZtK82WlNpVLDW2jlA1YCiVJFVqkED1MegOUy9kR5T4=
 github.com/go-openapi/jsonpointer v0.22.4/go.mod h1:elX9+UgznpFhgBuaMQ7iu4lvvX1nvNsesQ3oxmYTw80=
 github.com/go-openapi/jsonreference v0.21.4 h1:24qaE2y9bx/q3uRK/qN+TDwbok1NhbSmGjjySRCHtC8=
@@ -105,10 +105,10 @@ github.com/go-test/deep v1.1.1 h1:0r/53hagsehfO4bzD2Pgr/+RgHqhmf+k1Bpse2cTu1U=
 github.com/go-test/deep v1.1.1/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
 github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
-github.com/go-webauthn/webauthn v0.16.0 h1:A9BkfYIwWAMPSQCbM2HoWqo6JO5LFI8aqYAzo6nW7AY=
+github.com/go-webauthn/webauthn v0.16.1 h1:x5/SSki5/aIfogaRukqvbg/RXa3Sgxy/9vU7UfFPHKU=
-github.com/go-webauthn/webauthn v0.16.0/go.mod h1:hm9RS/JNYeUu3KqGbzqlnHClhDGCZzTZlABjathwnN0=
+github.com/go-webauthn/webauthn v0.16.1/go.mod h1:RBS+rtQJMkE5VfMQ4diDA2VNrEL8OeUhp4Srz37FHbQ=
-github.com/go-webauthn/x v0.2.1 h1:/oB8i0FhSANuoN+YJF5XHMtppa7zGEYaQrrf6ytotjc=
+github.com/go-webauthn/x v0.2.2 h1:zIiipvMbr48CXi5RG0XdBJR94kd8I5LfzHPb/q+YYmk=
-github.com/go-webauthn/x v0.2.1/go.mod h1:Wm0X0zXkzznit4gHj4m82GiBZRMEm+TDUIoJWIQLsE4=
+github.com/go-webauthn/x v0.2.2/go.mod h1:IpJ5qyWB9NRhLX3C7gIfjTU7RZLXEP6kzFkoVSE7Fz4=
 github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
@@ -274,8 +274,8 @@ golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOM
 golang.org/x/crypto v0.22.0/go.mod h1:vr6Su+7cTlO45qkww3VDJlzDn0ctJvRgYbC2NvXHt+M=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
-golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4=
-golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
+golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA=
 golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa h1:Zt3DZoOFFYkKhDT3v7Lm9FDMEV06GpzjG2jrqW+QTE0=
 golang.org/x/exp v0.0.0-20260218203240-3dfff04db8fa/go.mod h1:K79w1Vqn7PoiZn+TkNpx3BUWUQksGO3JcVX6qIjytmA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -303,10 +303,10 @@ golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/net v0.24.0/go.mod h1:2Q7sJY5mzlzWjKtYUEXSlBWCdyaioyXzRB2RtU8KVE8=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
 golang.org/x/net v0.26.0/go.mod h1:5YKkiSynbBIh3p6iOc/vibscux0x38BZDkn8sCUPxHE=
-golang.org/x/net v0.50.0 h1:ucWh9eiCGyDR3vtzso0WMQinm2Dnt8cFMuQa9K33J60=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
-golang.org/x/net v0.50.0/go.mod h1:UgoSli3F/pBgdJBHCTc+tp3gmrU4XswgGRgtnwWTfyM=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
-golang.org/x/oauth2 v0.35.0 h1:Mv2mzuHuZuY2+bkyWXIHMfhNdJAdwW3FuWeCPYN5GVQ=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
-golang.org/x/oauth2 v0.35.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -314,8 +314,8 @@ golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.9.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -336,8 +336,8 @@ golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.21.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
-golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -366,8 +366,8 @@ golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 golang.org/x/text v0.20.0/go.mod h1:D4IsuqiFMhST5bX19pQ9ikHC2GsaKyk/oF+pn3ducp4=
-golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.35.0 h1:JOVx6vVDFokkpaq1AEptVzLTpDe9KGpj5tR4/X+ybL8=
-golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
+golang.org/x/text v0.35.0/go.mod h1:khi/HExzZJ2pGnjenulevKNX1W67CUy0AsXcNubPGCA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
--- a/internal/adapters/database.go
+++ b/internal/adapters/database.go
@@ -232,21 +232,19 @@ func (r *SqlRepo) migrate() error {
 	slog.Debug("running migration: interface status", "result", r.db.AutoMigrate(&domain.InterfaceStatus{}))
 	slog.Debug("running migration: audit data", "result", r.db.AutoMigrate(&domain.AuditEntry{}))
-	existingSysStat := SysStat{}
+	var existingSysStat SysStat
 	var err error
 	r.db.Order("schema_version desc").First(&existingSysStat) // get latest version
 	// Migration: 0 --> 1
 	if existingSysStat.SchemaVersion == 0 {
 		const schemaVersion = 1
-		sysStat := SysStat{
+		existingSysStat, err = r.addMigration(schemaVersion) // ensure that follow-up checks test against the latest version
-			MigratedAt:    time.Now(),
+		if err != nil {
-			SchemaVersion: schemaVersion,
+			return err
 		}
 		if err := r.db.Create(&sysStat).Error; err != nil {
 			return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
 		}
 		slog.Debug("sys-stat entry written", "schema_version", schemaVersion)
 		existingSysStat = sysStat // ensure that follow-up checks test against the latest version
 	}
 	// Migration: 1 --> 2
@@ -262,14 +260,10 @@ func (r *SqlRepo) migrate() error {
 			}
 			slog.Debug("migrated interface create_default_peer flags", "schema_version", schemaVersion)
 		}
-		sysStat := SysStat{
+		existingSysStat, err = r.addMigration(schemaVersion) // ensure that follow-up checks test against the latest version
-			MigratedAt:    time.Now(),
+		if err != nil {
-			SchemaVersion: schemaVersion,
+			return err
 		}
 		if err := r.db.Create(&sysStat).Error; err != nil {
 			return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
 		}
 		existingSysStat = sysStat // ensure that follow-up checks test against the latest version
 	}
 	// Migration: 2 --> 3
@@ -307,19 +301,45 @@ func (r *SqlRepo) migrate() error {
 		if err != nil {
 			return fmt.Errorf("failed to migrate to multi-auth: %w", err)
 		}
-		sysStat := SysStat{
+		existingSysStat, err = r.addMigration(schemaVersion) // ensure that follow-up checks test against the latest version
-			MigratedAt:    time.Now(),
+		if err != nil {
-			SchemaVersion: schemaVersion,
+			return err
 		}
-		if err := r.db.Create(&sysStat).Error; err != nil {
+	}
-			return fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
+
 	// Migration: 3 --> 4
 	if existingSysStat.SchemaVersion == 3 {
 		const schemaVersion = 4
 		cutoff := time.Date(2000, 1, 1, 0, 0, 0, 0, time.UTC)
 		// Fix zero created_at timestamps for users. Set the to the last known update timestamp.
 		err := r.db.Model(&domain.User{}).Where("created_at < ?", cutoff).
 			Update("created_at", gorm.Expr("updated_at")).Error
 		if err != nil {
 			slog.Warn("failed to fix zero created_at for users", "error", err)
 		}
 		slog.Debug("fixed zero created_at timestamps for users", "schema_version", schemaVersion)
 		existingSysStat, err = r.addMigration(schemaVersion) // ensure that follow-up checks test against the latest version
 		if err != nil {
 			return err
 		}
 		existingSysStat = sysStat // ensure that follow-up checks test against the latest version
 	}
 	return nil
 }
 func (r *SqlRepo) addMigration(schemaVersion uint64) (SysStat, error) {
 	sysStat := SysStat{
 		MigratedAt:    time.Now(),
 		SchemaVersion: schemaVersion,
 	}
 	if err := r.db.Create(&sysStat).Error; err != nil {
 		return SysStat{}, fmt.Errorf("failed to write sysstat entry for schema version %d: %w", schemaVersion, err)
 	}
 	return sysStat, nil
 }
 // region interfaces
 // GetInterface returns the interface with the given id.
@@ -482,7 +502,7 @@ func (r *SqlRepo) getOrCreateInterface(
 		Identifier: id,
 	}
-	err := tx.Attrs(interfaceDefaults).FirstOrCreate(&in, id).Error
+	err := tx.Preload("Addresses").Attrs(interfaceDefaults).FirstOrCreate(&in, id).Error
 	if err != nil {
 		return nil, err
 	}
@@ -691,7 +711,7 @@ func (r *SqlRepo) getOrCreatePeer(ui *domain.ContextUserInfo, tx *gorm.DB, id do
 		Identifier: id,
 	}
-	err := tx.Attrs(interfaceDefaults).FirstOrCreate(&peer, id).Error
+	err := tx.Preload("Addresses").Attrs(interfaceDefaults).FirstOrCreate(&peer, id).Error
 	if err != nil {
 		return nil, err
 	}
--- a/internal/adapters/database_created_at_test.go
+++ b/internal/adapters/database_created_at_test.go
@@ -0,0 +1,168 @@
 package adapters
 import (
 	"context"
 	"testing"
 	"time"
 	"github.com/glebarez/sqlite"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"gorm.io/gorm"
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
 )
 func newTestDB(t *testing.T) *gorm.DB {
 	t.Helper()
 	db, err := gorm.Open(sqlite.Open("file::memory:"), &gorm.Config{})
 	require.NoError(t, err)
 	return db
 }
 func TestUpsertUser_SetsCreatedAtWhenZero(t *testing.T) {
 	db := newTestDB(t)
 	require.NoError(t, db.AutoMigrate(&domain.User{}, &domain.UserAuthentication{}, &domain.UserWebauthnCredential{}))
 	repo := &SqlRepo{db: db, cfg: &config.Config{}}
 	ui := domain.SystemAdminContextUserInfo()
 	user := &domain.User{
 		Identifier: "test-user",
 		Email:      "test@example.com",
 		// CreatedAt is zero
 	}
 	err := repo.upsertUser(ui, db, user)
 	require.NoError(t, err)
 	assert.False(t, user.CreatedAt.IsZero(), "CreatedAt should be set when it was zero")
 	assert.Equal(t, ui.UserId(), user.UpdatedBy, "UpdatedBy should be set when it was empty")
 	assert.WithinDuration(t, user.UpdatedAt, user.CreatedAt, time.Second,
 		"CreatedAt should be close to UpdatedAt for new user")
 }
 func TestUpsertUser_PreservesExistingCreatedAt(t *testing.T) {
 	db := newTestDB(t)
 	require.NoError(t, db.AutoMigrate(&domain.User{}, &domain.UserAuthentication{}, &domain.UserWebauthnCredential{}))
 	repo := &SqlRepo{db: db, cfg: &config.Config{}}
 	ui := domain.SystemAdminContextUserInfo()
 	originalTime := time.Date(2025, 1, 1, 12, 0, 0, 0, time.UTC)
 	user := &domain.User{
 		Identifier: "test-user",
 		Email:      "test@example.com",
 		BaseModel: domain.BaseModel{
 			CreatedAt: originalTime,
 			CreatedBy: "original-creator",
 		},
 	}
 	err := repo.upsertUser(ui, db, user)
 	require.NoError(t, err)
 	assert.Equal(t, originalTime, user.CreatedAt, "CreatedAt should not be overwritten")
 	assert.Equal(t, "original-creator", user.CreatedBy, "CreatedBy should not be overwritten")
 }
 func TestSaveUser_NewUserGetsCreatedAt(t *testing.T) {
 	db := newTestDB(t)
 	require.NoError(t, db.AutoMigrate(&domain.User{}, &domain.UserAuthentication{}, &domain.UserWebauthnCredential{}))
 	repo := &SqlRepo{db: db, cfg: &config.Config{}}
 	ctx := domain.SetUserInfo(context.Background(), domain.SystemAdminContextUserInfo())
 	before := time.Now().Add(-time.Second)
 	err := repo.SaveUser(ctx, "new-user", func(u *domain.User) (*domain.User, error) {
 		u.Email = "new@example.com"
 		return u, nil
 	})
 	require.NoError(t, err)
 	var saved domain.User
 	require.NoError(t, db.First(&saved, "identifier = ?", "new-user").Error)
 	assert.False(t, saved.CreatedAt.IsZero(), "CreatedAt should not be zero")
 	assert.True(t, saved.CreatedAt.After(before), "CreatedAt should be recent")
 	assert.NotEmpty(t, saved.CreatedBy, "CreatedBy should be set")
 }
 func TestMigration_FixesZeroCreatedAt(t *testing.T) {
 	db := newTestDB(t)
 	// Manually create tables and seed schema version 3
 	require.NoError(t, db.AutoMigrate(
 		&SysStat{},
 		&domain.User{},
 		&domain.UserAuthentication{},
 		&domain.Interface{},
 		&domain.Cidr{},
 		&domain.Peer{},
 		&domain.AuditEntry{},
 		&domain.UserWebauthnCredential{},
 	))
 	// Insert schema versions 1, 2, 3 so migration starts at 3
 	for v := uint64(1); v <= 3; v++ {
 		require.NoError(t, db.Create(&SysStat{SchemaVersion: v, MigratedAt: time.Now()}).Error)
 	}
 	updatedAt := time.Date(2025, 6, 15, 10, 0, 0, 0, time.UTC)
 	// Insert a user with zero created_at but valid updated_at
 	require.NoError(t, db.Exec(
 		"INSERT INTO users (identifier, email, created_at, updated_at) VALUES (?, ?, ?, ?)",
 		"zero-user", "zero@example.com", time.Time{}, updatedAt,
 	).Error)
 	// Run migration
 	repo := &SqlRepo{db: db, cfg: &config.Config{}}
 	require.NoError(t, repo.migrate())
 	// Verify created_at was backfilled from updated_at
 	var user domain.User
 	require.NoError(t, db.First(&user, "identifier = ?", "zero-user").Error)
 	assert.Equal(t, updatedAt, user.CreatedAt, "created_at should be backfilled from updated_at")
 	// Verify schema version advanced to 4
 	var latest SysStat
 	require.NoError(t, db.Order("schema_version DESC").First(&latest).Error)
 	assert.Equal(t, uint64(4), latest.SchemaVersion)
 }
 func TestMigration_DoesNotTouchValidCreatedAt(t *testing.T) {
 	db := newTestDB(t)
 	require.NoError(t, db.AutoMigrate(
 		&SysStat{},
 		&domain.User{},
 		&domain.UserAuthentication{},
 		&domain.Interface{},
 		&domain.Cidr{},
 		&domain.Peer{},
 		&domain.AuditEntry{},
 		&domain.UserWebauthnCredential{},
 	))
 	for v := uint64(1); v <= 3; v++ {
 		require.NoError(t, db.Create(&SysStat{SchemaVersion: v, MigratedAt: time.Now()}).Error)
 	}
 	createdAt := time.Date(2024, 3, 1, 8, 0, 0, 0, time.UTC)
 	updatedAt := time.Date(2025, 6, 15, 10, 0, 0, 0, time.UTC)
 	require.NoError(t, db.Exec(
 		"INSERT INTO users (identifier, email, created_at, updated_at) VALUES (?, ?, ?, ?)",
 		"valid-user", "valid@example.com", createdAt, updatedAt,
 	).Error)
 	repo := &SqlRepo{db: db, cfg: &config.Config{}}
 	require.NoError(t, repo.migrate())
 	var user domain.User
 	require.NoError(t, db.First(&user, "identifier = ?", "valid-user").Error)
 	assert.Equal(t, createdAt, user.CreatedAt, "valid created_at should not be modified")
 }
--- a/internal/adapters/database_simple_test.go
+++ b/internal/adapters/database_simple_test.go
@@ -0,0 +1,73 @@
 package adapters
 import (
 	"context"
 	"reflect"
 	"testing"
 	"github.com/glebarez/sqlite"
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
 	"github.com/stretchr/testify/require"
 	"gorm.io/gorm"
 	"gorm.io/gorm/schema"
 )
 func init() {
 	schema.RegisterSerializer("encstr", dummySerializer{})
 }
 type dummySerializer struct{}
 func (dummySerializer) Scan(ctx context.Context, field *schema.Field, dst reflect.Value, dbValue any) error {
 	return nil
 }
 func (dummySerializer) Value(ctx context.Context, field *schema.Field, dst reflect.Value, fieldValue any) (any, error) {
 	if fieldValue == nil {
 		return nil, nil
 	}
 	if v, ok := fieldValue.(string); ok {
 		return v, nil
 	}
 	if v, ok := fieldValue.(domain.PreSharedKey); ok {
 		return string(v), nil
 	}
 	return fieldValue, nil
 }
 func TestSqlRepo_SaveInterface_Simple(t *testing.T) {
 	// Initialize in-memory database
 	db, err := gorm.Open(sqlite.Open("file::memory:?cache=shared"), &gorm.Config{})
 	require.NoError(t, err)
 	// Migrate only what's needed for this test (avoids Peer and its encstr serializer)
 	require.NoError(t, db.AutoMigrate(&domain.Interface{}, &domain.Cidr{}))
 	repo := &SqlRepo{db: db, cfg: &config.Config{}}
 	ctx := domain.SetUserInfo(context.Background(), domain.SystemAdminContextUserInfo())
 	ifaceId := domain.InterfaceIdentifier("wg0")
 	// 1. Create an interface with one address
 	addr, _ := domain.CidrFromString("10.0.0.1/24")
 	initialIface := &domain.Interface{
 		Identifier: ifaceId,
 		Addresses:  []domain.Cidr{addr},
 	}
 	require.NoError(t, db.Create(initialIface).Error)
 	// 2. Perform a "partial" update using SaveInterface (this is the buggy path)
 	err = repo.SaveInterface(ctx, ifaceId, func(in *domain.Interface) (*domain.Interface, error) {
 		in.DisplayName = "New Name"
 		return in, nil
 	})
 	require.NoError(t, err)
 	// 3. Verify that the address was NOT deleted
 	var finalIface domain.Interface
 	require.NoError(t, db.Preload("Addresses").First(&finalIface, "identifier = ?", ifaceId).Error)
 	require.Equal(t, "New Name", finalIface.DisplayName)
 	require.Len(t, finalIface.Addresses, 1, "Address list should still have 1 entry!")
 	require.Equal(t, "10.0.0.1/24", finalIface.Addresses[0].Cidr)
 }
--- a/internal/adapters/metrics.go
+++ b/internal/adapters/metrics.go
@@ -30,7 +30,7 @@ type MetricsServer struct {
 // Wireguard metrics labels
 var (
 	ifaceLabels = []string{"interface"}
-	peerLabels  = []string{"interface", "addresses", "id", "name"}
+	peerLabels  = []string{"interface", "addresses", "id", "name", "user"}
 )
 // NewMetricsServer returns a new prometheus server
@@ -126,6 +126,7 @@ func (m *MetricsServer) UpdatePeerMetrics(peer *domain.Peer, status domain.PeerS
 		peer.Interface.AddressStr(),
 		string(status.PeerId),
 		peer.DisplayName,
 		string(peer.UserIdentifier),
 	}
 	if status.LastHandshake != nil {
--- a/internal/app/users/ldap_sync.go
+++ b/internal/app/users/ldap_sync.go
@@ -90,6 +90,12 @@ func (m Manager) synchronizeLdapUsers(ctx context.Context, provider *config.Ldap
 		}
 	}
 	// Update interface allowed users based on LDAP filters
 	err = m.updateInterfaceLdapFilters(ctx, conn, provider)
 	if err != nil {
 		return err
 	}
 	return nil
 }
@@ -237,3 +243,59 @@ func (m Manager) disableMissingLdapUsers(
 	return nil
 }
 func (m Manager) updateInterfaceLdapFilters(
 	ctx context.Context,
 	conn *ldap.Conn,
 	provider *config.LdapProvider,
 ) error {
 	if len(provider.InterfaceFilter) == 0 {
 		return nil // nothing to do if no interfaces are configured for this provider
 	}
 	for ifaceName, groupFilter := range provider.InterfaceFilter {
 		ifaceId := domain.InterfaceIdentifier(ifaceName)
 		// Combined filter: user must match the provider's base SyncFilter AND the interface's LdapGroupFilter
 		combinedFilter := fmt.Sprintf("(&(%s)(%s))", provider.SyncFilter, groupFilter)
 		rawUsers, err := internal.LdapFindAllUsers(conn, provider.BaseDN, combinedFilter, &provider.FieldMap)
 		if err != nil {
 			slog.Error("failed to find users for interface filter", 
 				"interface", ifaceId, 
 				"provider", provider.ProviderName, 
 				"error", err)
 			continue
 		}
 		matchedUserIds := make([]domain.UserIdentifier, 0, len(rawUsers))
 		for _, rawUser := range rawUsers {
 			userId := domain.UserIdentifier(internal.MapDefaultString(rawUser, provider.FieldMap.UserIdentifier, ""))
 			if userId != "" {
 				matchedUserIds = append(matchedUserIds, userId)
 			}
 		}
 		// Save the interface
 		err = m.interfaces.SaveInterface(ctx, ifaceId, func(i *domain.Interface) (*domain.Interface, error) {
 			if i.LdapAllowedUsers == nil {
 				i.LdapAllowedUsers = make(map[string][]domain.UserIdentifier)
 			}
 			i.LdapAllowedUsers[provider.ProviderName] = matchedUserIds
 			return i, nil
 		})
 		if err != nil {
 			slog.Error("failed to save interface ldap allowed users", 
 				"interface", ifaceId, 
 				"provider", provider.ProviderName, 
 				"error", err)
 		} else {
 			slog.Debug("updated interface ldap allowed users", 
 				"interface", ifaceId, 
 				"provider", provider.ProviderName, 
 				"matched_count", len(matchedUserIds))
 		}
 	}
 	return nil
 }
--- a/internal/app/users/user_manager.go
+++ b/internal/app/users/user_manager.go
@@ -39,6 +39,11 @@ type PeerDatabaseRepo interface {
 	GetUserPeers(ctx context.Context, id domain.UserIdentifier) ([]domain.Peer, error)
 }
 type InterfaceDatabaseRepo interface {
 	// SaveInterface saves the interface with the given identifier.
 	SaveInterface(ctx context.Context, id domain.InterfaceIdentifier, updateFunc func(i *domain.Interface) (*domain.Interface, error)) error
 }
 type EventBus interface {
 	// Publish sends a message to the message bus.
 	Publish(topic string, args ...any)
@@ -50,22 +55,27 @@ type EventBus interface {
 type Manager struct {
 	cfg *config.Config
-	bus   EventBus
+	bus        EventBus
-	users UserDatabaseRepo
+	users      UserDatabaseRepo
-	peers PeerDatabaseRepo
+	peers      PeerDatabaseRepo
 	interfaces InterfaceDatabaseRepo
 }
 // NewUserManager creates a new user manager instance.
-func NewUserManager(cfg *config.Config, bus EventBus, users UserDatabaseRepo, peers PeerDatabaseRepo) (
+func NewUserManager(
-	*Manager,
+	cfg *config.Config,
-	error,
+	bus EventBus,
-) {
+	users UserDatabaseRepo,
 	peers PeerDatabaseRepo,
 	interfaces InterfaceDatabaseRepo,
 ) (*Manager, error) {
 	m := &Manager{
 		cfg: cfg,
 		bus: bus,
-		users: users,
+		users:      users,
-		peers: peers,
+		peers:      peers,
 		interfaces: interfaces,
 	}
 	return m, nil
 }
@@ -523,6 +533,7 @@ func (m Manager) create(ctx context.Context, user *domain.User) (*domain.User, e
 	}
 	err = m.users.SaveUser(ctx, user.Identifier, func(u *domain.User) (*domain.User, error) {
 		user.CopyCalculatedAttributes(u, false)
 		return user, nil
 	})
 	if err != nil {
--- a/internal/app/wireguard/statistics.go
+++ b/internal/app/wireguard/statistics.go
@@ -204,13 +204,13 @@ func (c *StatisticsCollector) collectPeerData(ctx context.Context) {
 							// calculate if session was restarted
 							p.UpdatedAt = now
-							p.LastSessionStart = getSessionStartTime(*p, peer.BytesUpload, peer.BytesDownload,
+							p.LastSessionStart = c.getSessionStartTime(*p, peer.BytesUpload, peer.BytesDownload,
 								lastHandshake)
 							p.BytesReceived = peer.BytesUpload      // store bytes that where uploaded from the peer and received by the server
 							p.BytesTransmitted = peer.BytesDownload // store bytes that where received from the peer and sent by the server
 							p.Endpoint = peer.Endpoint
 							p.LastHandshake = lastHandshake
-							p.CalcConnected()
+							p.CalcConnected(c.cfg.Backend.ReKeyTimeoutInterval)
 							if wasConnected != p.IsConnected {
 								slog.Debug("peer connection state changed",
@@ -249,7 +249,7 @@ func (c *StatisticsCollector) collectPeerData(ctx context.Context) {
 	}
 }
-func getSessionStartTime(
+func (c *StatisticsCollector) getSessionStartTime(
 	oldStats domain.PeerStatus,
 	newReceived, newTransmitted uint64,
 	latestHandshake *time.Time,
@@ -258,7 +258,7 @@ func getSessionStartTime(
 		return nil // currently not connected
 	}
-	oldestHandshakeTime := time.Now().Add(-2 * time.Minute) // if a handshake is older than 2 minutes, the peer is no longer connected
+	oldestHandshakeTime := time.Now().Add(-1 * c.cfg.Backend.ReKeyTimeoutInterval) // if a handshake is older than the rekey interval + grace-period, the peer is no longer connected
 	switch {
 	// old session was never initiated
 	case oldStats.BytesReceived == 0 && oldStats.BytesTransmitted == 0 && (newReceived > 0 || newTransmitted > 0):
@@ -369,7 +369,7 @@ func (c *StatisticsCollector) pingWorker(ctx context.Context) {
 					p.LastPing = nil
 				}
 				p.UpdatedAt = time.Now()
-				p.CalcConnected()
+				p.CalcConnected(c.cfg.Backend.ReKeyTimeoutInterval)
 				if wasConnected != p.IsConnected {
 					connectionStateChanged = true
--- a/internal/app/wireguard/statistics_test.go
+++ b/internal/app/wireguard/statistics_test.go
@@ -5,10 +5,11 @@ import (
 	"testing"
 	"time"
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
 )
-func Test_getSessionStartTime(t *testing.T) {
+func TestStatisticsCollector_getSessionStartTime(t *testing.T) {
 	now := time.Now()
 	nowMinus1 := now.Add(-1 * time.Minute)
 	nowMinus3 := now.Add(-3 * time.Minute)
@@ -133,7 +134,14 @@ func Test_getSessionStartTime(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if got := getSessionStartTime(tt.args.oldStats, tt.args.newReceived, tt.args.newTransmitted,
+			c := &StatisticsCollector{
 				cfg: &config.Config{
 					Backend: config.Backend{
 						ReKeyTimeoutInterval: 180 * time.Second,
 					},
 				},
 			}
 			if got := c.getSessionStartTime(tt.args.oldStats, tt.args.newReceived, tt.args.newTransmitted,
 				tt.args.lastHandshake); !reflect.DeepEqual(got, tt.want) {
 				t.Errorf("getSessionStartTime() = %v, want %v", got, tt.want)
 			}
--- a/internal/app/wireguard/wireguard.go
+++ b/internal/app/wireguard/wireguard.go
@@ -35,6 +35,7 @@ type InterfaceAndPeerDatabaseRepo interface {
 	DeletePeer(ctx context.Context, id domain.PeerIdentifier) error
 	GetPeer(ctx context.Context, id domain.PeerIdentifier) (*domain.Peer, error)
 	GetUsedIpsPerSubnet(ctx context.Context, subnets []domain.Cidr) (map[domain.Cidr][]domain.Cidr, error)
 	GetUser(ctx context.Context, id domain.UserIdentifier) (*domain.User, error)
 }
 type WgQuickController interface {
--- a/internal/app/wireguard/wireguard_interfaces.go
+++ b/internal/app/wireguard/wireguard_interfaces.go
@@ -16,6 +16,11 @@ import (
 	"github.com/h44z/wg-portal/internal/domain"
 )
 // GetInterface returns the interface for the given interface identifier.
 func (m Manager) GetInterface(ctx context.Context, id domain.InterfaceIdentifier) (*domain.Interface, error) {
 	return m.db.GetInterface(ctx, id)
 }
 // GetInterfaceAndPeers returns the interface and all peers for the given interface identifier.
 func (m Manager) GetInterfaceAndPeers(ctx context.Context, id domain.InterfaceIdentifier) (
 	*domain.Interface,
@@ -63,12 +68,17 @@ func (m Manager) GetAllInterfacesAndPeers(ctx context.Context) ([]domain.Interfa
 // GetUserInterfaces returns all interfaces that are available for users to create new peers.
 // If self-provisioning is disabled, this function will return an empty list.
-// At the moment, there are no interfaces specific to single users, thus the user id is not used.
+func (m Manager) GetUserInterfaces(ctx context.Context, userId domain.UserIdentifier) ([]domain.Interface, error) {
 func (m Manager) GetUserInterfaces(ctx context.Context, _ domain.UserIdentifier) ([]domain.Interface, error) {
 	if !m.cfg.Core.SelfProvisioningAllowed {
 		return nil, nil // self-provisioning is disabled - no interfaces for users
 	}
 	user, err := m.db.GetUser(ctx, userId)
 	if err != nil {
 		slog.Error("failed to load user for interface group verification", "user", userId, "error", err)
 		return nil, nil // fail closed
 	}
 	interfaces, err := m.db.GetAllInterfaces(ctx)
 	if err != nil {
 		return nil, fmt.Errorf("unable to load all interfaces: %w", err)
@@ -83,6 +93,9 @@ func (m Manager) GetUserInterfaces(ctx context.Context, _ domain.UserIdentifier)
 		if iface.Type != domain.InterfaceTypeServer {
 			continue // skip client interfaces
 		}
 		if !user.IsAdmin && !iface.IsUserAllowed(userId, m.cfg) {
 			continue // user not allowed due to LDAP group filter
 		}
 		userInterfaces = append(userInterfaces, iface.PublicInfo())
 	}
--- a/internal/app/wireguard/wireguard_interfaces_test.go
+++ b/internal/app/wireguard/wireguard_interfaces_test.go
@@ -6,6 +6,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/h44z/wg-portal/internal/config"
 	"github.com/h44z/wg-portal/internal/domain"
 )
@@ -92,3 +93,126 @@ func TestImportPeer_AddressMapping(t *testing.T) {
 		})
 	}
 }
 func (f *mockDB) GetUser(ctx context.Context, id domain.UserIdentifier) (*domain.User, error) {
 	return &domain.User{
 		Identifier: id,
 		IsAdmin:    false,
 	}, nil
 }
 func TestInterface_IsUserAllowed(t *testing.T) {
 	cfg := &config.Config{
 		Auth: config.Auth{
 			Ldap: []config.LdapProvider{
 				{
 					ProviderName: "ldap1",
 					InterfaceFilter: map[string]string{
 						"wg0": "(memberOf=CN=VPNUsers,...)",
 					},
 				},
 			},
 		},
 	}
 	tests := []struct {
 		name   string
 		iface  domain.Interface
 		userId domain.UserIdentifier
 		expect bool
 	}{
 		{
 			name: "Unrestricted interface",
 			iface: domain.Interface{
 				Identifier: "wg1",
 			},
 			userId: "user1",
 			expect: true,
 		},
 		{
 			name: "Restricted interface - user allowed",
 			iface: domain.Interface{
 				Identifier: "wg0",
 				LdapAllowedUsers: map[string][]domain.UserIdentifier{
 					"ldap1": {"user1"},
 				},
 			},
 			userId: "user1",
 			expect: true,
 		},
 		{
 			name: "Restricted interface - user allowed (at least one match)",
 			iface: domain.Interface{
 				Identifier: "wg0",
 				LdapAllowedUsers: map[string][]domain.UserIdentifier{
 					"ldap1": {"user2"},
 					"ldap2": {"user1"},
 				},
 			},
 			userId: "user1",
 			expect: true,
 		},
 		{
 			name: "Restricted interface - user NOT allowed",
 			iface: domain.Interface{
 				Identifier: "wg0",
 				LdapAllowedUsers: map[string][]domain.UserIdentifier{
 					"ldap1": {"user2"},
 				},
 			},
 			userId: "user1",
 			expect: false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			assert.Equal(t, tt.expect, tt.iface.IsUserAllowed(tt.userId, cfg))
 		})
 	}
 }
 func TestManager_GetUserInterfaces_Filtering(t *testing.T) {
 	cfg := &config.Config{}
 	cfg.Core.SelfProvisioningAllowed = true
 	cfg.Auth.Ldap = []config.LdapProvider{
 		{
 			ProviderName: "ldap1",
 			InterfaceFilter: map[string]string{
 				"wg_restricted": "(some-filter)",
 			},
 		},
 	}
 	db := &mockDB{
 		interfaces: []domain.Interface{
 			{Identifier: "wg_public", Type: domain.InterfaceTypeServer},
 			{
 				Identifier: "wg_restricted",
 				Type:       domain.InterfaceTypeServer,
 				LdapAllowedUsers: map[string][]domain.UserIdentifier{
 					"ldap1": {"allowed_user"},
 				},
 			},
 		},
 	}
 	m := Manager{
 		cfg: cfg,
 		db:  db,
 	}
 	t.Run("Allowed user sees both", func(t *testing.T) {
 		ifaces, err := m.GetUserInterfaces(context.Background(), "allowed_user")
 		assert.NoError(t, err)
 		assert.Equal(t, 2, len(ifaces))
 	})
 	t.Run("Unallowed user sees only public", func(t *testing.T) {
 		ifaces, err := m.GetUserInterfaces(context.Background(), "other_user")
 		assert.NoError(t, err)
 		assert.Equal(t, 1, len(ifaces))
 		if len(ifaces) > 0 {
 			assert.Equal(t, domain.InterfaceIdentifier("wg_public"), ifaces[0].Identifier)
 		}
 	})
 }
--- a/internal/app/wireguard/wireguard_peers.go
+++ b/internal/app/wireguard/wireguard_peers.go
@@ -93,6 +93,10 @@ func (m Manager) PreparePeer(ctx context.Context, id domain.InterfaceIdentifier)
 	currentUser := domain.GetUserInfo(ctx)
 	if err := m.checkInterfaceAccess(ctx, id); err != nil {
 		return nil, err
 	}
 	iface, err := m.db.GetInterface(ctx, id)
 	if err != nil {
 		return nil, fmt.Errorf("unable to find interface %s: %w", id, err)
@@ -188,6 +192,9 @@ func (m Manager) CreatePeer(ctx context.Context, peer *domain.Peer) (*domain.Pee
 		if err := domain.ValidateUserAccessRights(ctx, peer.UserIdentifier); err != nil {
 			return nil, err
 		}
 		if err := m.checkInterfaceAccess(ctx, peer.InterfaceIdentifier); err != nil {
 			return nil, err
 		}
 	}
 	sessionUser := domain.GetUserInfo(ctx)
@@ -304,6 +311,10 @@ func (m Manager) UpdatePeer(ctx context.Context, peer *domain.Peer) (*domain.Pee
 		return nil, err
 	}
 	if err := m.checkInterfaceAccess(ctx, existingPeer.InterfaceIdentifier); err != nil {
 		return nil, err
 	}
 	if err := m.validatePeerModifications(ctx, existingPeer, peer); err != nil {
 		return nil, fmt.Errorf("update not allowed: %w", err)
 	}
@@ -373,6 +384,10 @@ func (m Manager) DeletePeer(ctx context.Context, id domain.PeerIdentifier) error
 		return err
 	}
 	if err := m.checkInterfaceAccess(ctx, peer.InterfaceIdentifier); err != nil {
 		return err
 	}
 	if err := m.validatePeerDeletion(ctx, peer); err != nil {
 		return fmt.Errorf("delete not allowed: %w", err)
 	}
@@ -606,4 +621,22 @@ func (m Manager) validatePeerDeletion(ctx context.Context, _ *domain.Peer) error
 	return nil
 }
 func (m Manager) checkInterfaceAccess(ctx context.Context, id domain.InterfaceIdentifier) error {
 	user := domain.GetUserInfo(ctx)
 	if user.IsAdmin {
 		return nil
 	}
 	iface, err := m.db.GetInterface(ctx, id)
 	if err != nil {
 		return fmt.Errorf("failed to get interface %s: %w", id, err)
 	}
 	if !iface.IsUserAllowed(user.Id, m.cfg) {
 		return fmt.Errorf("user %s is not allowed to access interface %s: %w", user.Id, id, domain.ErrNoPermission)
 	}
 	return nil
 }
 // endregion helper-functions
--- a/internal/app/wireguard/wireguard_peers_test.go
+++ b/internal/app/wireguard/wireguard_peers_test.go
@@ -60,6 +60,7 @@ func (f *mockController) PingAddresses(_ context.Context, _ string) (*domain.Pin
 type mockDB struct {
 	savedPeers map[domain.PeerIdentifier]*domain.Peer
 	iface      *domain.Interface
 	interfaces []domain.Interface
 }
 func (f *mockDB) GetInterface(ctx context.Context, id domain.InterfaceIdentifier) (*domain.Interface, error) {
@@ -79,6 +80,9 @@ func (f *mockDB) GetPeersStats(ctx context.Context, ids ...domain.PeerIdentifier
 	return nil, nil
 }
 func (f *mockDB) GetAllInterfaces(ctx context.Context) ([]domain.Interface, error) {
 	if f.interfaces != nil {
 		return f.interfaces, nil
 	}
 	if f.iface != nil {
 		return []domain.Interface{*f.iface}, nil
 	}
--- a/internal/config/auth.go
+++ b/internal/config/auth.go
@@ -214,6 +214,10 @@ type LdapProvider struct {
 	// If RegistrationEnabled is set to true, wg-portal will create new users that do not exist in the database.
 	RegistrationEnabled bool `yaml:"registration_enabled"`
 	// InterfaceFilter allows restricting interfaces using an LDAP filter.
 	// Map key is the interface identifier (e.g., "wg0"), value is the filter string.
 	InterfaceFilter map[string]string `yaml:"interface_filter"`
 	// If LogUserInfo is set to true, the user info retrieved from the LDAP provider will be logged in trace level.
 	LogUserInfo bool `yaml:"log_user_info"`
 }
--- a/internal/config/backend.go
+++ b/internal/config/backend.go
@@ -10,6 +10,8 @@ const LocalBackendName = "local"
 type Backend struct {
 	Default string `yaml:"default"` // The default backend to use (defaults to the internal backend)
 	ReKeyTimeoutInterval time.Duration `yaml:"rekey_timeout_interval"` // Interval after which a connection is assumed dead
 	// Local Backend-specific configuration
 	IgnoredLocalInterfaces []string `yaml:"ignored_local_interfaces"` // A list of interface names that should be ignored by this backend (e.g., "wg0")
@@ -115,8 +117,8 @@ func (b *BackendMikrotik) GetApiTimeout() time.Duration {
 type BackendPfsense struct {
 	BackendBase `yaml:",inline"` // Embed the base fields
-	ApiUrl       string        `yaml:"api_url"` // The base URL of the pfSense REST API (e.g., "https://pfsense.example.com/api/v2")
+	ApiUrl       string        `yaml:"api_url"`        // The base URL of the pfSense REST API (e.g., "https://pfsense.example.com/api/v2")
-	ApiKey       string        `yaml:"api_key"` // API key for authentication (generated in pfSense under 'System' -> 'REST API' -> 'Keys')
+	ApiKey       string        `yaml:"api_key"`        // API key for authentication (generated in pfSense under 'System' -> 'REST API' -> 'Keys')
 	ApiVerifyTls bool          `yaml:"api_verify_tls"` // Whether to verify the TLS certificate of the pfSense API
 	ApiTimeout   time.Duration `yaml:"api_timeout"`    // Timeout for API requests (default: 30 seconds)
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -139,6 +139,7 @@ func defaultConfig() *Config {
 	cfg.Backend = Backend{
 		Default:                LocalBackendName, // local backend is the default (using wgcrtl)
 		ReKeyTimeoutInterval:   getEnvDuration("WG_PORTAL_BACKEND_REKEY_TIMEOUT_INTERVAL", 180*time.Second),
 		IgnoredLocalInterfaces: getEnvStrSlice("WG_PORTAL_BACKEND_IGNORED_LOCAL_INTERFACES", nil),
 		// Most resolconf implementations use "tun." as a prefix for interface names.
 		// But systemd's implementation uses no prefix, for example.
--- a/internal/domain/interface.go
+++ b/internal/domain/interface.go
@@ -78,6 +78,33 @@ type Interface struct {
 	PeerDefPostUp   string // default action that is executed after the device is up
 	PeerDefPreDown  string // default action that is executed before the device is down
 	PeerDefPostDown string // default action that is executed after the device is down
 	// Self-provisioning access control
 	LdapAllowedUsers map[string][]UserIdentifier `gorm:"serializer:json"` // Materialised during LDAP sync, keyed by ProviderName
 }
 // IsUserAllowed returns true if the interface has no filter, or if the user is in the allowed list.
 func (i *Interface) IsUserAllowed(userId UserIdentifier, cfg *config.Config) bool {
 	isRestricted := false
 	for _, provider := range cfg.Auth.Ldap {
 		if _, exists := provider.InterfaceFilter[string(i.Identifier)]; exists {
 			isRestricted = true
 			break
 		}
 	}
 	if !isRestricted {
 		return true // The interface is completely unrestricted by LDAP config
 	}
 	for _, allowedUsers := range i.LdapAllowedUsers {
 		for _, uid := range allowedUsers {
 			if uid == userId {
 				return true
 			}
 		}
 	}
 	return false
 }
 // PublicInfo returns a copy of the interface with only the public information.
--- a/internal/domain/statistics.go
+++ b/internal/domain/statistics.go
@@ -21,8 +21,8 @@ type PeerStatus struct {
 	LastSessionStart *time.Time `gorm:"column:last_session_start" json:"LastSessionStart"`
 }
-func (s *PeerStatus) CalcConnected() {
+func (s *PeerStatus) CalcConnected(timeout time.Duration) {
-	oldestHandshakeTime := time.Now().Add(-2 * time.Minute) // if a handshake is older than 2 minutes, the peer is no longer connected
+	oldestHandshakeTime := time.Now().Add(-1 * timeout) // if a handshake is older than the rekey-interval + grace-period, the peer is no longer connected
 	handshakeValid := false
 	if s.LastHandshake != nil {
--- a/internal/domain/statistics_test.go
+++ b/internal/domain/statistics_test.go
@@ -9,11 +9,16 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 	now := time.Now()
 	past := now.Add(-3 * time.Minute)
 	recent := now.Add(-1 * time.Minute)
 	defaultTimeout := 125 * time.Second // rekey interval of 120s + 5 seconds grace period
 	past126 := now.Add(-1*defaultTimeout - 1*time.Second)
 	past125 := now.Add(-1 * defaultTimeout)
 	past124 := now.Add(-1*defaultTimeout + 1*time.Second)
 	tests := []struct {
-		name   string
+		name    string
-		status PeerStatus
+		status  PeerStatus
-		want   bool
+		timeout time.Duration
 		want    bool
 	}{
 		{
 			name: "Pingable and recent handshake",
@@ -21,7 +26,8 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    true,
 				LastHandshake: &recent,
 			},
-			want: true,
+			timeout: defaultTimeout,
 			want:    true,
 		},
 		{
 			name: "Not pingable but recent handshake",
@@ -29,7 +35,8 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    false,
 				LastHandshake: &recent,
 			},
-			want: true,
+			timeout: defaultTimeout,
 			want:    true,
 		},
 		{
 			name: "Pingable but old handshake",
@@ -37,15 +44,44 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    true,
 				LastHandshake: &past,
 			},
-			want: true,
+			timeout: defaultTimeout,
 			want:    true,
 		},
 		{
-			name: "Not pingable and old handshake",
+			name: "Not pingable and ok handshake (-124s)",
 			status: PeerStatus{
 				IsPingable:    false,
 				LastHandshake: &past124,
 			},
 			timeout: defaultTimeout,
 			want:    true,
 		},
 		{
 			name: "Not pingable and old handshake (-125s)",
 			status: PeerStatus{
 				IsPingable:    false,
 				LastHandshake: &past125,
 			},
 			timeout: defaultTimeout,
 			want:    false,
 		},
 		{
 			name: "Not pingable and old handshake (-126s)",
 			status: PeerStatus{
 				IsPingable:    false,
 				LastHandshake: &past126,
 			},
 			timeout: defaultTimeout,
 			want:    false,
 		},
 		{
 			name: "Not pingable and old handshake (very old)",
 			status: PeerStatus{
 				IsPingable:    false,
 				LastHandshake: &past,
 			},
-			want: false,
+			timeout: defaultTimeout,
 			want:    false,
 		},
 		{
 			name: "Pingable and no handshake",
@@ -53,7 +89,8 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    true,
 				LastHandshake: nil,
 			},
-			want: true,
+			timeout: defaultTimeout,
 			want:    true,
 		},
 		{
 			name: "Not pingable and no handshake",
@@ -61,12 +98,13 @@ func TestPeerStatus_IsConnected(t *testing.T) {
 				IsPingable:    false,
 				LastHandshake: nil,
 			},
-			want: false,
+			timeout: defaultTimeout,
 			want:    false,
 		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			tt.status.CalcConnected()
+			tt.status.CalcConnected(tt.timeout)
 			if got := tt.status.IsConnected; got != tt.want {
 				t.Errorf("IsConnected = %v, want %v", got, tt.want)
 			}
--- a/internal/domain/user.go
+++ b/internal/domain/user.go
@@ -68,7 +68,7 @@ type User struct {
 	WebAuthnCredentialList []UserWebauthnCredential `gorm:"foreignKey:user_identifier"` // the webauthn credentials of the user, used for webauthn authentication
 	// API token for REST API access
-	ApiToken        string `form:"api_token" binding:"omitempty"`
+	ApiToken        string `form:"api_token" binding:"omitempty" gorm:"serializer:encstr"`
 	ApiTokenCreated *time.Time
 	LinkedPeerCount int `gorm:"-"`
Author	SHA1	Message	Date
Christoph Haas	1c3eacb08d	Merge branch 'master' into stable	2026-04-01 20:12:38 +02:00
Mykhailo Roit	0e9e9d697f	fix: "created_at" for users (#656 ) Some checks failed Docker / Build and Push (push) Has been cancelled Details github-pages / deploy (push) Has been cancelled Details Docker / release (push) Has been cancelled Details * fix: created_at for users * added tests for: created_at for users * cleanup fixes --------- Co-authored-by: Christoph Haas <christoph.h@sprinternet.at>	2026-04-01 11:58:22 +02:00
Christoph	87bfd5b23a	feat: allow encrypting user api token using gorm serializer	2026-04-01 11:42:07 +02:00
h44z	920806b231	chore: update frontend deps (#657 ) Some checks failed Docker / Build and Push (push) Has been cancelled Details Docker / release (push) Has been cancelled Details github-pages / deploy (push) Has been cancelled Details	2026-04-01 00:20:35 +02:00
Leandre Chamberland-Dozois	ec08e31eb7	feat(frontend): add confirmation dialog before deleting users, peers, and interfaces (#654 ) Some checks failed Docker / Build and Push (push) Has been cancelled Details Docker / release (push) Has been cancelled Details github-pages / deploy (push) Has been cancelled Details * feat(frontend): add confirmation dialog before deleting users, peers, and interfaces (#652) Add a browser confirm() dialog to the delete functions in UserEditModal, PeerEditModal, and InterfaceEditModal to prevent accidental deletions. The bulk-delete actions in UserView already had this protection; this change brings single-item deletion in line with that behavior. Translation keys (confirm-delete) added for all 10 supported locales: de, en, es, fr, ko, pt, ru, uk, vi, zh. Signed-off-by: LeC-D <leo.openc@gmail.com> * fix broken translation files --------- Signed-off-by: LeC-D <leo.openc@gmail.com> Co-authored-by: Christoph Haas <christoph.h@sprinternet.at>	2026-03-31 19:49:53 +02:00
Jacopo Clark	c1a7edcc9a	fix: prevent interface address clearing during startup (#651 ) Some checks failed Docker / Build and Push (push) Has been cancelled Details github-pages / deploy (push) Has been cancelled Details Docker / release (push) Has been cancelled Details Signed-off-by: jc <37738506+theguy147@users.noreply.github.com> Co-authored-by: jc <37738506+theguy147@users.noreply.github.com>	2026-03-25 22:08:06 +01:00
Christoph Haas	cc472216b4	Merge branch 'master' into stable	2026-03-22 22:34:48 +01:00
dependabot[bot]	31ad35809c	chore(deps): bump the actions group across 1 directory with 8 updates (#639 ) Some checks failed Docker / Build and Push (push) Has been cancelled Details github-pages / deploy (push) Has been cancelled Details Docker / release (push) Has been cancelled Details Bumps the actions group with 8 updates in the / directory: \| Package \| From \| To \| \| --- \| --- \| --- \| \| [nolar/setup-k3d-k3s](https://github.com/nolar/setup-k3d-k3s) \| `1.0.9` \| `1.0.10` \| \| [docker/login-action](https://github.com/docker/login-action) \| `3.7.0` \| `4.0.0` \| \| [docker/setup-qemu-action](https://github.com/docker/setup-qemu-action) \| `3.7.0` \| `4.0.0` \| \| [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) \| `3.12.0` \| `4.0.0` \| \| [docker/metadata-action](https://github.com/docker/metadata-action) \| `5.10.0` \| `6.0.0` \| \| [docker/build-push-action](https://github.com/docker/build-push-action) \| `6.19.2` \| `7.0.0` \| \| [actions/download-artifact](https://github.com/actions/download-artifact) \| `8.0.0` \| `8.0.1` \| \| [softprops/action-gh-release](https://github.com/softprops/action-gh-release) \| `2.4.2` \| `2.6.1` \| Updates `nolar/setup-k3d-k3s` from 1.0.9 to 1.0.10 - [Release notes](https://github.com/nolar/setup-k3d-k3s/releases) - [Commits](`293b8e5822...8bf8d22160`) Updates `docker/login-action` from 3.7.0 to 4.0.0 - [Release notes](https://github.com/docker/login-action/releases) - [Commits](`c94ce9fb46...b45d80f862`) Updates `docker/setup-qemu-action` from 3.7.0 to 4.0.0 - [Release notes](https://github.com/docker/setup-qemu-action/releases) - [Commits](`c7c5346462...ce360397dd`) Updates `docker/setup-buildx-action` from 3.12.0 to 4.0.0 - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](`8d2750c68a...4d04d5d948`) Updates `docker/metadata-action` from 5.10.0 to 6.0.0 - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](`c299e40c65...030e881283`) Updates `docker/build-push-action` from 6.19.2 to 7.0.0 - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](`10e90e3645...d08e5c354a`) Updates `actions/download-artifact` from 8.0.0 to 8.0.1 - [Release notes](https://github.com/actions/download-artifact/releases) - [Commits](`70fc10c6e5...3e5f45b2cf`) Updates `softprops/action-gh-release` from 2.4.2 to 2.6.1 - [Release notes](https://github.com/softprops/action-gh-release/releases) - [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md) - [Commits](`5be0e66d93...153bb8e044`) --- updated-dependencies: - dependency-name: nolar/setup-k3d-k3s dependency-version: 1.0.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: docker/login-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/setup-qemu-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/setup-buildx-action dependency-version: 4.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/metadata-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: docker/build-push-action dependency-version: 7.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: actions - dependency-name: actions/download-artifact dependency-version: 8.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: actions - dependency-name: softprops/action-gh-release dependency-version: 2.6.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: actions ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-22 22:27:23 +01:00
dependabot[bot]	3ae3da223d	chore(deps): bump the patch group across 1 directory with 4 updates (#643 ) Some checks failed Docker / Build and Push (push) Has been cancelled Details Docker / release (push) Has been cancelled Details github-pages / deploy (push) Has been cancelled Details Bumps the patch group with 2 updates in the / directory: [github.com/go-ldap/ldap/v3](https://github.com/go-ldap/ldap) and [github.com/go-webauthn/webauthn](https://github.com/go-webauthn/webauthn). Updates `github.com/go-ldap/ldap/v3` from 3.4.12 to 3.4.13 - [Release notes](https://github.com/go-ldap/ldap/releases) - [Commits](https://github.com/go-ldap/ldap/compare/v3.4.12...v3.4.13) Updates `github.com/go-webauthn/webauthn` from 0.16.0 to 0.16.1 - [Release notes](https://github.com/go-webauthn/webauthn/releases) - [Commits](https://github.com/go-webauthn/webauthn/compare/v0.16.0...v0.16.1) Updates `golang.org/x/crypto` from 0.48.0 to 0.49.0 - [Commits](https://github.com/golang/crypto/compare/v0.48.0...v0.49.0) Updates `golang.org/x/sys` from 0.41.0 to 0.42.0 - [Commits](https://github.com/golang/sys/compare/v0.41.0...v0.42.0) --- updated-dependencies: - dependency-name: github.com/go-ldap/ldap/v3 dependency-version: 3.4.13 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: patch - dependency-name: github.com/go-webauthn/webauthn dependency-version: 0.16.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: patch - dependency-name: golang.org/x/crypto dependency-version: 0.49.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: patch - dependency-name: golang.org/x/sys dependency-version: 0.42.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-22 10:18:11 +01:00
Mykhailo Roit	243954a889	feat(metrics): add user label to peer metrics (#647 ) Some checks failed Docker / Build and Push (push) Has been cancelled Details Docker / release (push) Has been cancelled Details github-pages / deploy (push) Has been cancelled Details	2026-03-21 18:52:21 +01:00
Jacopo Clark	402cc1b5f3	feat: Implement LDAP interface-specific provisioning filters (#642 ) Some checks failed Docker / Build and Push (push) Has been cancelled Details github-pages / deploy (push) Has been cancelled Details Docker / release (push) Has been cancelled Details * Implement LDAP filter-based access control for interface provisioning * test: add unit tests for LDAP interface filtering logic * smaller improvements / cleanup --------- Co-authored-by: jc <37738506+theguy147@users.noreply.github.com> Co-authored-by: Christoph Haas <christoph.h@sprinternet.at>	2026-03-19 23:13:19 +01:00
h44z	f70f60a3f5	fix: configurable handshake validity interval and improved defaults (#645 ) * fix: support configurable rekey timeout interval for peer connectivity tracking (#641) * change default check-time to 180s	2026-03-19 23:11:40 +01:00
dependabot[bot]	2585be118f	chore(deps): bump golang.org/x/oauth2 from 0.35.0 to 0.36.0 (#635 ) Some checks failed Docker / Build and Push (push) Has been cancelled Details Docker / release (push) Has been cancelled Details github-pages / deploy (push) Has been cancelled Details Bumps [golang.org/x/oauth2](https://github.com/golang/oauth2) from 0.35.0 to 0.36.0. - [Commits](https://github.com/golang/oauth2/compare/v0.35.0...v0.36.0) --- updated-dependencies: - dependency-name: golang.org/x/oauth2 dependency-version: 0.36.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>	2026-03-18 22:50:34 +01:00
Christoph	95394628d3	Merge branch 'master' into stable	2026-03-03 17:02:52 +01:00
Christoph Haas	b553375c43	Merge branch 'master' into stable	2026-02-28 22:32:43 +01:00
htiryaki-oe24	0a8ec71b3f	Fixes minor chart issues #629 (#630 ) (cherry picked from commit `3e0ffec07c`)	2026-02-24 22:41:28 +01:00
h44z	fe4485037a	Merge commit from fork	2026-02-24 22:40:13 +01:00
Arnaud Rocher	6e47d8c3e9	fix: parity of Base64/URL encoding between frontend and backend (#611 ) Signed-off-by: Arnaud Rocher <arnaud.roche3@gmail.com> (cherry picked from commit `5d58df8a19`)	2026-01-29 22:39:33 +01:00
h44z	eb28492539	Merge commit from fork * fix: prevent open redirect in OAuth return URL validation * reformat check --------- Co-authored-by: Arne Cools <arne.cools@intigriti.com> (cherry picked from commit `e62db0d62e`)	2026-01-29 22:38:42 +01:00
Christoph	d1a4ddde10	Merge branch 'master' into stable	2025-11-23 21:00:12 +01:00
Christoph Haas	b1637b0c4e	Merge branch 'master' into stable # Conflicts: # internal/domain/peer.go	2025-10-19 13:25:07 +02:00
h44z	0cc7ebb83e	ensure hooks run after restart (#494 ) (#497 ) (cherry picked from commit `99df4ca3cd`)	2025-09-03 22:48:45 +02:00
h44z	eb6a787cfc	ensure that LDAP filter values are escaped (#512 ) (cherry picked from commit `0cbca61c15`)	2025-09-03 22:47:40 +02:00
Christoph Haas	b546eec4ed	fix multi-peer generation, fix prefix handling (#491 ) (cherry picked from commit `c20f17cddf`)	2025-08-12 21:25:48 +02:00
h44z	9be2133220	fix migration tool (#495 ) (#496 ) (cherry picked from commit `9884d8c002`)	2025-08-12 21:23:30 +02:00
Christoph Haas	b05837b2d9	ensure that v2 (or just 2) tags are only published for stable releases (#493 ) (cherry picked from commit `b099e8abfa`)	2025-08-12 21:23:28 +02:00
Christoph Haas	08c8f8eac0	backport username display bugfix (#456 )	2025-06-12 19:11:25 +02:00
Christoph Haas	d864e24145	improve logging of OAuth login issues, decrease auth-code exchange timeout (#451 ) (cherry picked from commit `e3b65ca337`)	2025-06-12 19:07:46 +02:00
Christoph Haas	5b56e58fe9	fix self-provisioned peer-generation (#452 ) (cherry picked from commit `61d8aa6589`)	2025-06-09 17:41:29 +02:00
Christoph Haas	930ef7b573	Merge branch 'master' into stable	2025-05-16 09:58:14 +02:00
Christoph Haas	18296673d7	Merge branch 'master' into stable	2025-05-13 20:25:27 +02:00
Christoph Haas	4ccc59c109	Merge branch 'master' into stable # Conflicts: # .github/workflows/docker-publish.yml # README.md # assets/tpl/admin_index.html # assets/tpl/user_index.html # cmd/wg-portal/main.go # docker-compose.yml # go.mod # go.sum # internal/common/util.go # internal/server/docs/docs.go # internal/server/handlers_common.go # internal/server/server.go # internal/wireguard/peermanager.go	2025-05-04 20:38:55 +02:00
onyx-flame	e6b01a9903	Feature (v1): add latest handshake data to API response (#203 ) * feature: updated handshake-related fields type * feature: updated handshake representations in templates * feature: added handshake field to Swagger schema	2023-12-23 12:56:52 +01:00
Christoph Haas	2f79dd04c0	adopt github actions	2023-10-26 11:29:34 +02:00
Christoph Haas	e5ed9736b3	update docker build settings, move to new docker hub repository, use stable branch and major version tags	2023-10-26 11:22:58 +02:00
Christoph Haas	c8353b85ae	Merge branch 'replace_ext_lib' into stable	2023-10-26 10:40:06 +02:00
Christoph Haas	6142031387	update gin	2023-10-26 10:39:01 +02:00
Christoph Haas	dd86d0ff49	replace inaccessible external lib	2023-10-26 10:31:29 +02:00
Christoph Haas	bdd426a679	populate peer device type (#170 )	2023-10-26 10:20:08 +02:00