release: 1.0.0

fix: internal server error if user has no password when trying to sign in
docs: fix docusaurus edit link
2024-08-25 16:02:46 +02:00 · 2024-08-25 16:00:49 +02:00 · 2024-08-25 15:42:21 +02:00 · 2024-08-25 15:33:35 +02:00 · 2024-08-25 15:30:46 +02:00 · 2024-08-24 17:30:11 +02:00
303 changed files with 51619 additions and 14765 deletions
--- a/.env.example
+++ b/.env.example
@@ -1,10 +0,0 @@
-# Read what every environment variable does: https://github.com/stonith404/pingvin-share#environment-variables
-
-# GENERAL
-APP_URL=http://localhost:3000
-SHOW_HOME_PAGE=true
-ALLOW_REGISTRATION=true
-MAX_FILE_SIZE=1000000000
-
-# SECURITY
-JWT_SECRET=long-random-string
--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,2 @@
+# These are supported funding model platforms
+github: stonith404
--- a/.github/ISSUE_TEMPLATE/bug.yml
+++ b/.github/ISSUE_TEMPLATE/bug.yml
@@ -0,0 +1,45 @@
+name: "🐛 Bug Report"
+description: "Submit a bug report to help us improve"
+title: "🐛 Bug Report: "
+labels: [bug]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out our bug report form 🙏
+  - type: textarea
+    id: steps-to-reproduce
+    validations:
+      required: true
+    attributes:
+      label: "👟 Reproduction steps"
+      description: "How do you trigger this bug? Please walk us through it step by step."
+      placeholder: "When I ..."
+  - type: textarea
+    id: expected-behavior
+    validations:
+      required: true
+    attributes:
+      label: "👍 Expected behavior"
+      description: "What did you think would happen?"
+      placeholder: "It should ..."
+  - type: textarea
+    id: actual-behavior
+    validations:
+      required: true
+    attributes:
+      label: "👎 Actual Behavior"
+      description: "What did actually happen? Add screenshots, if applicable."
+      placeholder: "It actually ..."
+  - type: input
+    id: operating-system
+    attributes:
+      label: "🌐 Browser"
+      description: "Which browser do you use?"
+      placeholder: "Firefox"
+    validations:
+      required: true
+  - type: markdown
+    attributes:
+      value: |
+        Before submitting, please check if the issues hasn't been raised before.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: 💬 Discord
+    url: https://discord.gg/wHRQ9nFRcK
+    about: For help and chatting with the community
--- a/.github/ISSUE_TEMPLATE/feature.yml
+++ b/.github/ISSUE_TEMPLATE/feature.yml
@@ -0,0 +1,29 @@
+name: 🚀 Feature
+description: "Submit a proposal for a new feature"
+title: "🚀 Feature: "
+labels: [feature]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out our feature request form 🙏
+  - type: textarea
+    id: feature-description
+    validations:
+      required: true
+    attributes:
+      label: "🔖 Feature description"
+      description: "A clear and concise description of what the feature is."
+      placeholder: "You should add ..."
+  - type: textarea
+    id: pitch
+    validations:
+      required: true
+    attributes:
+      label: "🎤 Pitch"
+      description: "Please explain why this feature should be implemented and how it would be used. Add examples, if applicable."
+      placeholder: "In my use-case, ..."
+  - type: markdown
+    attributes:
+      value: |
+        Before submitting, please check if the issues hasn't been raised before.
--- a/.github/ISSUE_TEMPLATE/language-request.yml
+++ b/.github/ISSUE_TEMPLATE/language-request.yml
@@ -0,0 +1,19 @@
+name: "🌐 Language request"
+description: "You want to contribute to a language that isn't on Crowdin yet?"
+title: "🌐 Language request: <language name in english>"
+labels: [language-request]
+body:
+  - type: input
+    id: language-name-native
+    attributes:
+      label: "🌐 Language name (native)"
+      placeholder: "Schweizerdeutsch"
+    validations:
+      required: true
+  - type: input
+    id: language-code
+    attributes:
+      label: "🌐 Language code"
+      placeholder: "de-CH"
+    validations:
+      required: true
--- a/.github/workflows/backend-system-tests.yml
+++ b/.github/workflows/backend-system-tests.yml
@@ -13,13 +13,10 @@ jobs:
    runs-on: ubuntu-latest
    container: node:18
    steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v3
      - name: Install Dependencies
        working-directory: ./backend
        run: npm install
-      - name: Create .env file
-        working-directory: ./backend
-        run: mv .env.example .env
      - name: Run Server and Test with Newman
        working-directory: ./backend
        run: npm run test:system
--- a/.github/workflows/build-docker-image.yml
+++ b/.github/workflows/build-docker-image.yml
@@ -1,4 +1,4 @@
-name: Create Docker Image
+name: Build and Push Docker Image

 on:
  release:
@@ -9,16 +9,26 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
+
      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v1
+        uses: docker/setup-qemu-action@v2
+
      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1
-      - name: login to docker registry
-        run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
-      - name: Build the image
-        run: |
-          docker buildx build --push \
-             --tag stonith404/pingvin-share:latest \
-             --tag stonith404/pingvin-share:${{  github.ref_name }} \
-             --platform linux/amd64,linux/arm64 .
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to Docker registry
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          tags: stonith404/pingvin-share:latest,stonith404/pingvin-share:${{  github.ref_name }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
--- a/.gitignore
+++ b/.gitignore
@@ -23,6 +23,7 @@ yarn-error.log*

 # env file
 .env
+!/backend/prisma/.env

 # vercel
 .vercel
@@ -37,6 +38,9 @@ yarn-error.log*
 # project specific
 /backend/data/
 /data/
+/docs/build/
+/docs/.docusaurus
+/docs/.cache-loader

 # Jetbrains specific (webstorm)
-.idea/**/**
+.idea/**/**
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,4 +1,745 @@
-## 0.0.1 (2022-10-17)
+## [1.0.0](https://github.com/stonith404/pingvin-share/compare/v0.29.0...v1.0.0) (2024-08-25)
+
+
+### Features
+
+* **ldap:** Adding support for LDAP authentication ([#554](https://github.com/stonith404/pingvin-share/issues/554)) ([4186a76](https://github.com/stonith404/pingvin-share/commit/4186a768b310855282bc4876d1f294700963b8f5))
+
+
+### Bug Fixes
+
+* get started button on home page not working when sign-up is disabled ([4924f76](https://github.com/stonith404/pingvin-share/commit/4924f763947c9a6b79ba0d85887f104ed9545c78))
+* internal server error if user has no password when trying to sign in ([9c381a2](https://github.com/stonith404/pingvin-share/commit/9c381a2ed6b3b7dfd95d4278889b937ffb85e01b))
+
+## [0.29.0](https://github.com/stonith404/pingvin-share/compare/v0.28.0...v0.29.0) (2024-07-30)
+
+
+### Features
+
+* add more options to reverse shares ([#495](https://github.com/stonith404/pingvin-share/issues/495)) ([fe735f9](https://github.com/stonith404/pingvin-share/commit/fe735f9704c9d96398f3127a559e17848b08d140)), closes [#155](https://github.com/stonith404/pingvin-share/issues/155)
+* sort share files by name by default ([27ee9fb](https://github.com/stonith404/pingvin-share/commit/27ee9fb6cb98177661bed20a0baa399b27e70b7e))
+
+
+### Reverts
+
+* Revert "fix: set max age of access token cookie to 15 minutes" ([14c2185](https://github.com/stonith404/pingvin-share/commit/14c2185e6f1a81d63e25fbeec3e30a54cf6a44c5))
+
+## [0.28.0](https://github.com/stonith404/pingvin-share/compare/v0.27.0...v0.28.0) (2024-07-22)
+
+
+### Features
+
+* **auth:** Add role-based access management from OpenID Connect ([#535](https://github.com/stonith404/pingvin-share/issues/535)) ([70fd2d9](https://github.com/stonith404/pingvin-share/commit/70fd2d94be3411cc430f5c56e522028398127efb))
+
+
+### Bug Fixes
+
+* store only 10 share tokens in the cookies and clear the expired ones ([e5a0c64](https://github.com/stonith404/pingvin-share/commit/e5a0c649e36e0db419d04446affe2564c45cf321))
+
+## [0.27.0](https://github.com/stonith404/pingvin-share/compare/v0.26.0...v0.27.0) (2024-07-11)
+
+
+### Features
+
+* add logs for successful registration, successful login and failed login ([d2bfb9a](https://github.com/stonith404/pingvin-share/commit/d2bfb9a55fdad6a05377b8552471cf1151304c90))
+* **auth:** Allow to hide username / password login form when OAuth is enabled ([#518](https://github.com/stonith404/pingvin-share/issues/518)) ([e1a68f7](https://github.com/stonith404/pingvin-share/commit/e1a68f75f7b034f1ef9e45f26de584f13e355589)), closes [#489](https://github.com/stonith404/pingvin-share/issues/489)
+* **smtp:** allow unauthorized mail server certificates ([#525](https://github.com/stonith404/pingvin-share/issues/525)) ([083d82c](https://github.com/stonith404/pingvin-share/commit/083d82c28b835c178f076e89ef8f5885e8ea31cb))
+
+## [0.26.0](https://github.com/stonith404/pingvin-share/compare/v0.25.0...v0.26.0) (2024-07-03)
+
+
+### Features
+
+* **backend:** Make session duration configurable ([#512](https://github.com/stonith404/pingvin-share/issues/512)) ([367f804](https://github.com/stonith404/pingvin-share/commit/367f804a494c85b4caf879d51982339fb6b86ba1)), closes [#507](https://github.com/stonith404/pingvin-share/issues/507)
+
+
+### Bug Fixes
+
+* **oauth:** provider username is ignored when signing up using OAuth ([#511](https://github.com/stonith404/pingvin-share/issues/511)) ([31366d9](https://github.com/stonith404/pingvin-share/commit/31366d961f5827c200038b65ec9de5d4ddc8b898)), closes [#505](https://github.com/stonith404/pingvin-share/issues/505)
+* set max age of access token cookie to 15 minutes ([2dac385](https://github.com/stonith404/pingvin-share/commit/2dac38560b6c54b6e7676dcd4682bfa57973292f))
+
+## [0.25.0](https://github.com/stonith404/pingvin-share/compare/v0.24.2...v0.25.0) (2024-06-10)
+
+
+### Features
+
+* add auto open share modal config for global. ([#474](https://github.com/stonith404/pingvin-share/issues/474)) ([4fd2903](https://github.com/stonith404/pingvin-share/commit/4fd29037a08dbe505bdd8cf20f6f114cbade8483))
+* **frontend:** locale for dates and tooltip for copy link button ([#492](https://github.com/stonith404/pingvin-share/issues/492)) ([1c7832a](https://github.com/stonith404/pingvin-share/commit/1c7832ad1fb445fd1dbe1c111be5a331eaa4b797))
+
+
+### Bug Fixes
+
+* share size not displayed on my shares page ([c0cc16f](https://github.com/stonith404/pingvin-share/commit/c0cc16fa430bc64afb024c19d5faf24456bd417c))
+
+## [0.24.2](https://github.com/stonith404/pingvin-share/compare/v0.24.1...v0.24.2) (2024-05-22)
+
+
+### Bug Fixes
+
+* admin couldn't delete shares created by anonymous users ([7afda85](https://github.com/stonith404/pingvin-share/commit/7afda85f03d410a6c611860d0c3fb2b88a2e3679))
+* whitespace in title on homepage ([74cd520](https://github.com/stonith404/pingvin-share/commit/74cd520cb8c4ea87822ab6d54c0bf010455f401b))
+
+## [0.24.1](https://github.com/stonith404/pingvin-share/compare/v0.24.0...v0.24.1) (2024-05-04)
+
+
+### Bug Fixes
+
+* error on admin share management page if a share was created by an anonymous user ([c999df1](https://github.com/stonith404/pingvin-share/commit/c999df15e04a927f6e952db3c807b9591fb14894))
+
+## [0.24.0](https://github.com/stonith404/pingvin-share/compare/v0.23.1...v0.24.0) (2024-05-04)
+
+
+### Features
+
+* add admin-exclusive share-management page ([#461](https://github.com/stonith404/pingvin-share/issues/461)) ([3b1c9f1](https://github.com/stonith404/pingvin-share/commit/3b1c9f1efb7d02469e92537a2d1378b6cb412878))
+* add name property to share ([#462](https://github.com/stonith404/pingvin-share/issues/462)) ([b717663](https://github.com/stonith404/pingvin-share/commit/b717663b5c3a4a98e361e7e39b680f4852537c59))
+
+## [0.23.1](https://github.com/stonith404/pingvin-share/compare/v0.23.0...v0.23.1) (2024-04-05)
+
+
+### Bug Fixes
+
+* **backend:** crash on unhandled promise rejections ([1da4fee](https://github.com/stonith404/pingvin-share/commit/1da4feeb895a13d0a0ae754bd716a84e8186d081))
+* changing the chunk size needed an app restart ([24e100b](https://github.com/stonith404/pingvin-share/commit/24e100bd7be8bf20778bdf2767aa35cae8d7e502))
+* disable js execution on raw file view ([9d1a12b](https://github.com/stonith404/pingvin-share/commit/9d1a12b0d1812214f1fe6fa56e3848091ce4945c))
+* incorrect layout on 404 page ([3c5e0ad](https://github.com/stonith404/pingvin-share/commit/3c5e0ad5134ee2d405ac420152b5825102f65bfc))
+* normal shares were added to the previous reverse share ([3972589](https://github.com/stonith404/pingvin-share/commit/3972589f76519b03074d916fb2460c795b1f0737))
+* redirect vulnerability on error, sign in and totp page ([384fd19](https://github.com/stonith404/pingvin-share/commit/384fd19203b63eeb4b952f83a9e1eaab1b19b90d))
+
+## [0.23.0](https://github.com/stonith404/pingvin-share/compare/v0.22.2...v0.23.0) (2024-04-04)
+
+
+### Features
+
+* add config variable to adjust chunk size ([0bfbaea](https://github.com/stonith404/pingvin-share/commit/0bfbaea49aad0c695fee6558c89c661687912e4f))
+
+
+### Bug Fixes
+
+* delete share files if user gets deleted ([e71f6cd](https://github.com/stonith404/pingvin-share/commit/e71f6cd1598ed87366074398042a6b88675587ca))
+* error in logs if "allow unauthenticated shares" is enabled ([c6d8188](https://github.com/stonith404/pingvin-share/commit/c6d8188e4e33ba682551a3ca79205ff5a6d7ead5))
+* memory leak while uploading files by disabling base64 encoding of chunks ([7a15fbb](https://github.com/stonith404/pingvin-share/commit/7a15fbb4651c2fee32fb4c1ee2c9d7f12323feb0))
+
+## [0.22.2](https://github.com/stonith404/pingvin-share/compare/v0.22.1...v0.22.2) (2024-02-29)
+
+
+### Bug Fixes
+
+* extend access token cookie expiration ([013b988](https://github.com/stonith404/pingvin-share/commit/013b9886af5629b2ead6000b962267afc761c612))
+* reduce refresh access token calls ([1aa3d8e](https://github.com/stonith404/pingvin-share/commit/1aa3d8e5e89b3696cc9554f41e9ce13806dde406))
+* replace Nginx with Caddy to fix "premature close" error while downloading larger files ([43bff91](https://github.com/stonith404/pingvin-share/commit/43bff91db2ba4ec68d76e601f7bc42cb7a506bc5))
+
+## [0.22.1](https://github.com/stonith404/pingvin-share/compare/v0.22.0...v0.22.1) (2024-02-18)
+
+
+### Bug Fixes
+
+* back links on error modals ([f52dffd](https://github.com/stonith404/pingvin-share/commit/f52dffdaac5a893804525913943f3f4f99b7c55a))
+* prevent zoom on input field click on mobile ([9c734ec](https://github.com/stonith404/pingvin-share/commit/9c734ec439aeaeebe172caa41bf531e6d8b3fac3))
+* replace middleware backend url with local backend url ([76df6f6](https://github.com/stonith404/pingvin-share/commit/76df6f66d965dd751146468abfafb0c6acd46310))
+* user `id` and `totpVerified` can't be changed by user ([e663da4](https://github.com/stonith404/pingvin-share/commit/e663da45b1d15f5e6e33118e6a28e1504688034c))
+* user enumaration on forgot password page ([64515d7](https://github.com/stonith404/pingvin-share/commit/64515d77cfc116a243d78610395ccc383ba62940))
+
+## [0.22.0](https://github.com/stonith404/pingvin-share/compare/v0.21.5...v0.22.0) (2024-02-04)
+
+
+### Bug Fixes
+
+* **translations:** typo in string ([c189cd9](https://github.com/stonith404/pingvin-share/commit/c189cd97a502cee8ea79e5187d9288d636d4983c))
+
+## [0.21.5](https://github.com/stonith404/pingvin-share/compare/v0.21.4...v0.21.5) (2024-01-14)
+
+
+### Bug Fixes
+
+* password can be changed with wrong password ([0ccb836](https://github.com/stonith404/pingvin-share/commit/0ccb8364448d27ea07c8b11972ff454d610893c6))
+
+## [0.21.4](https://github.com/stonith404/pingvin-share/compare/v0.21.3...v0.21.4) (2024-01-09)
+
+
+### Features
+
+* **frontend:** add navigateToLink button for CopyTextField. close [#372](https://github.com/stonith404/pingvin-share/issues/372). ([#376](https://github.com/stonith404/pingvin-share/issues/376)) ([d775008](https://github.com/stonith404/pingvin-share/commit/d7750086b5b796cfc70d8dc0c7d0ab4bd1996ca0))
+
+## [0.21.3](https://github.com/stonith404/pingvin-share/compare/v0.21.2...v0.21.3) (2024-01-02)
+
+
+### Bug Fixes
+
+* don't show validation error on upload modal if password or max views are empty ([fe09d0e](https://github.com/stonith404/pingvin-share/commit/fe09d0e25f6fbfc4e1c9302054d3387fe8b1f0ea))
+
+## [0.21.2](https://github.com/stonith404/pingvin-share/compare/v0.21.1...v0.21.2) (2023-12-29)
+
+
+### Bug Fixes
+
+* missing logo images on fresh installation ([6fb31ab](https://github.com/stonith404/pingvin-share/commit/6fb31abd84b22cd464b6b45bf7ca6f83853e8720))
+* missing translations on reset password page ([7a301b4](https://github.com/stonith404/pingvin-share/commit/7a301b455cdea4b1dbc04cc6223e094fee9aca7b))
+
+## [0.21.1](https://github.com/stonith404/pingvin-share/compare/v0.21.0...v0.21.1) (2023-12-20)
+
+
+### Features
+
+* **oauth:** add oidc username claim ([#357](https://github.com/stonith404/pingvin-share/issues/357)) ([3ea52a2](https://github.com/stonith404/pingvin-share/commit/3ea52a24ef7c3b6845bc13382616ea0c8d784585))
+
+## [0.21.0](https://github.com/stonith404/pingvin-share/compare/v0.20.3...v0.21.0) (2023-12-01)
+
+
+### Features
+
+* **oauth:** limited discord server sign-in ([#346](https://github.com/stonith404/pingvin-share/issues/346)) ([5f94c72](https://github.com/stonith404/pingvin-share/commit/5f94c7295ab8594ed2ed615628214e869a02da2d))
+
+## [0.20.3](https://github.com/stonith404/pingvin-share/compare/v0.20.2...v0.20.3) (2023-11-17)
+
+
+### Bug Fixes
+
+* max expiration gets ignored if expiration is set to "never" ([330eef5](https://github.com/stonith404/pingvin-share/commit/330eef51e4f3f3fb29833bc9337e705553340aaa))
+
+## [0.20.2](https://github.com/stonith404/pingvin-share/compare/v0.20.1...v0.20.2) (2023-11-11)
+
+
+### Bug Fixes
+
+* **oauth:** github and discord login error ([#323](https://github.com/stonith404/pingvin-share/issues/323)) ([fd44f42](https://github.com/stonith404/pingvin-share/commit/fd44f42f28c0fa2091876b138f170202d9fde04e)), closes [#322](https://github.com/stonith404/pingvin-share/issues/322) [#302](https://github.com/stonith404/pingvin-share/issues/302)
+* reverse shares couldn't be created unauthenticated ([966ce26](https://github.com/stonith404/pingvin-share/commit/966ce261cb4ad99efaadef5c36564fdfaed0d5c4))
+
+## [0.20.1](https://github.com/stonith404/pingvin-share/compare/v0.20.0...v0.20.1) (2023-11-05)
+
+
+### Bug Fixes
+
+* share information text color in light mode ([1138cd0](https://github.com/stonith404/pingvin-share/commit/1138cd02b0b6ac1d71c4dbc2808110c672237190))
+
+## [0.20.0](https://github.com/stonith404/pingvin-share/compare/v0.19.2...v0.20.0) (2023-11-04)
+
+
+### Features
+
+* ability to add and delete files of existing share ([#306](https://github.com/stonith404/pingvin-share/issues/306)) ([98380e2](https://github.com/stonith404/pingvin-share/commit/98380e2d48cc8ffa831d9b69cf5c0e8a40e28862))
+
+## [0.19.2](https://github.com/stonith404/pingvin-share/compare/v0.19.1...v0.19.2) (2023-11-03)
+
+
+### Features
+
+* ability to limit the max expiration of a share ([bbfc9d6](https://github.com/stonith404/pingvin-share/commit/bbfc9d6f147eea404f011c3af9d7dc7655c3d21d))
+* change totp issuer to display logo in 2FAS app ([e0fbbec](https://github.com/stonith404/pingvin-share/commit/e0fbbeca3c1a858838b20aeead52694772b7d871))
+
+
+### Bug Fixes
+
+* jwt secret changes on application restart ([33742a0](https://github.com/stonith404/pingvin-share/commit/33742a043d6549783984ae7e8a3c30f0fe3917de))
+* wrong validation of setting max share expiration to `0` ([acc35f4](https://github.com/stonith404/pingvin-share/commit/acc35f47178e230f50ce54d6f1ad5370caa3382d))
+
+## [0.19.1](https://github.com/stonith404/pingvin-share/compare/v0.19.0...v0.19.1) (2023-10-22)
+
+
+### Bug Fixes
+
+* **oauth:** fix wrong redirectUri in oidc after change appUrl ([#296](https://github.com/stonith404/pingvin-share/issues/296)) ([119b1ec](https://github.com/stonith404/pingvin-share/commit/119b1ec840ad7f4e1c7c4bb476bf1eeed91d9a1a))
+
+## [0.19.0](https://github.com/stonith404/pingvin-share/compare/v0.18.2...v0.19.0) (2023-10-22)
+
+
+### Features
+
+* **auth:** add OAuth2 login ([#276](https://github.com/stonith404/pingvin-share/issues/276)) ([02cd98f](https://github.com/stonith404/pingvin-share/commit/02cd98fa9cf9865d91494848aabaf42b19e4957b)), closes [#278](https://github.com/stonith404/pingvin-share/issues/278) [#279](https://github.com/stonith404/pingvin-share/issues/279) [#281](https://github.com/stonith404/pingvin-share/issues/281)
+
+
+### Bug Fixes
+
+* delete unfinished shares after a day ([d327bc3](https://github.com/stonith404/pingvin-share/commit/d327bc355c8583231e058731934cf51ab25d9ce5))
+
+## [0.18.2](https://github.com/stonith404/pingvin-share/compare/v0.18.1...v0.18.2) (2023-10-09)
+
+
+### Bug Fixes
+
+* disable image optimizations for logo to prevent caching issues with custom logos ([3891900](https://github.com/stonith404/pingvin-share/commit/38919003e9091203b507d0f0b061f4a1835ff4f4))
+* memory leak while downloading large files ([97e7d71](https://github.com/stonith404/pingvin-share/commit/97e7d7190dfe219caf441dffcd7830c304c3c939))
+
+## [0.18.1](https://github.com/stonith404/pingvin-share/compare/v0.18.0...v0.18.1) (2023-09-22)
+
+
+### Bug Fixes
+
+* permission changes of docker container brakes existing installations ([6a4108e](https://github.com/stonith404/pingvin-share/commit/6a4108ed6138e7297e66fd1e38450f23afe99aae))
+
+## [0.18.0](https://github.com/stonith404/pingvin-share/compare/v0.17.5...v0.18.0) (2023-09-21)
+
+
+### Features
+
+* show upload modal on file drop ([13e7a30](https://github.com/stonith404/pingvin-share/commit/13e7a30bb96faeb25936ff08a107834fd7af5766))
+
+
+### Bug Fixes
+
+* **docker:** Updated to newest version of alpine linux and fixed missing dependencies ([#255](https://github.com/stonith404/pingvin-share/issues/255)) ([6fa7af7](https://github.com/stonith404/pingvin-share/commit/6fa7af79051c964060bd291c9faad90fc01a1b72))
+* nextjs proxy warning ([e9efbc1](https://github.com/stonith404/pingvin-share/commit/e9efbc17bcf4827e935e2018dcdf3b70a9a49991))
+
+## [0.17.5](https://github.com/stonith404/pingvin-share/compare/v0.17.4...v0.17.5) (2023-09-03)
+
+
+### Features
+
+* **localization:** Added thai language ([#231](https://github.com/stonith404/pingvin-share/issues/231)) ([bddb87b](https://github.com/stonith404/pingvin-share/commit/bddb87b9b3ec5426a3c7a14a96caf2eb45b93ff7))
+
+
+### Bug Fixes
+
+* autocomplete on create share modal ([d4e8d4f](https://github.com/stonith404/pingvin-share/commit/d4e8d4f58b9b7d10b865eff49aa784547891c4e8))
+* missing translation ([7647a9f](https://github.com/stonith404/pingvin-share/commit/7647a9f620cbc5d38e019225a680a53bd3027698))
+
+## [0.17.4](https://github.com/stonith404/pingvin-share/compare/v0.17.3...v0.17.4) (2023-08-01)
+
+
+### Bug Fixes
+
+* redirection to `localhost:3000` ([ea0d521](https://github.com/stonith404/pingvin-share/commit/ea0d5216e89346b8d3ef0277b76fdc6302e9de15))
+
+## [0.17.3](https://github.com/stonith404/pingvin-share/compare/v0.17.2...v0.17.3) (2023-07-31)
+
+
+### Bug Fixes
+
+* logo doesn't get loaded correctly ([9ba2b4c](https://github.com/stonith404/pingvin-share/commit/9ba2b4c82cdad9097b33f0451771818c7b972a6b))
+* share expiration never doesn't work if using another language than English ([a47d080](https://github.com/stonith404/pingvin-share/commit/a47d080657e1d08ef06ec7425d8bdafd5a26c24a))
+
+## [0.17.2](https://github.com/stonith404/pingvin-share/compare/v0.17.1...v0.17.2) (2023-07-31)
+
+
+### Bug Fixes
+
+* `ECONNREFUSED` with Docker ipv6 enabled ([c9a2a46](https://github.com/stonith404/pingvin-share/commit/c9a2a469c67d3c3cd08179b44e2bf82208f05177))
+
+## [0.17.1](https://github.com/stonith404/pingvin-share/compare/v0.17.0...v0.17.1) (2023-07-30)
+
+
+### Bug Fixes
+
+* rename pt-PT.ts to pt-BR.ts ([2584bb0](https://github.com/stonith404/pingvin-share/commit/2584bb0d48c761940eafc03d5cd98d47e7a5b0ae))
+
+## [0.17.0](https://github.com/stonith404/pingvin-share/compare/v0.16.1...v0.17.0) (2023-07-23)
+
+
+### Features
+
+* ability to define zip compression level ([7827b68](https://github.com/stonith404/pingvin-share/commit/7827b687fa022e86a2643e7a1951af8c7e80608c))
+* add note to language picker ([7f0c31c](https://github.com/stonith404/pingvin-share/commit/7f0c31c2e09b3ee9aae6c3dfb54fac2f2b1dfe23))
+* add share url alias `/s` ([231a2e9](https://github.com/stonith404/pingvin-share/commit/231a2e95b9734cf4704454e1945698753dbb378b))
+* localization ([#196](https://github.com/stonith404/pingvin-share/issues/196)) ([b9f6e3b](https://github.com/stonith404/pingvin-share/commit/b9f6e3bd08dcfc050048fba582b35958bc7b6184))
+* update default value of `maxSize` from `1073741824` to `1000000000` ([389dc87](https://github.com/stonith404/pingvin-share/commit/389dc87cac775d916d0cff9b71d3c5ff90bfe916))
+
+
+### Bug Fixes
+
+* confusion between GB and GiB ([5816b39](https://github.com/stonith404/pingvin-share/commit/5816b39fc6ef6fe6b7cf8e7925aa297561f5b796))
+* mistakes in English translations ([70b425b](https://github.com/stonith404/pingvin-share/commit/70b425b3807be79a3b518cc478996c71dffcf986))
+* wrong layout if button text is too long in modals ([f4c88ae](https://github.com/stonith404/pingvin-share/commit/f4c88aeb0823c2c18535c25fcf8e16afa8b53a56))
+
+### [0.16.1](https://github.com/stonith404/pingvin-share/compare/v0.16.0...v0.16.1) (2023-07-10)
+
+
+### Features
+
+* Adding reverse share ability to copy the link ([#191](https://github.com/stonith404/pingvin-share/issues/191)) ([7574eb3](https://github.com/stonith404/pingvin-share/commit/7574eb3191f21aadd64f436e9e7c78d3e3973a07)), closes [#178](https://github.com/stonith404/pingvin-share/issues/178) [#181](https://github.com/stonith404/pingvin-share/issues/181)
+* Adding reverse shares' shares a clickable link ([#190](https://github.com/stonith404/pingvin-share/issues/190)) ([0276294](https://github.com/stonith404/pingvin-share/commit/0276294f5219a7edcc762bc52391b6720cfd741d))
+
+
+### Bug Fixes
+
+* set link default value to random ([#192](https://github.com/stonith404/pingvin-share/issues/192)) ([a1ea7c0](https://github.com/stonith404/pingvin-share/commit/a1ea7c026594a54eafd52f764eecbf06e1bb4d4e)), closes [#178](https://github.com/stonith404/pingvin-share/issues/178) [#181](https://github.com/stonith404/pingvin-share/issues/181)
+
+## [0.16.0](https://github.com/stonith404/pingvin-share/compare/v0.15.0...v0.16.0) (2023-07-09)
+
+
+### Features
+
+* Adding more informations on My Shares page (table and modal) ([#174](https://github.com/stonith404/pingvin-share/issues/174)) ([1466240](https://github.com/stonith404/pingvin-share/commit/14662404614f15bc25384d924d8cb0458ab06cd8))
+* Adding the possibility of copying the link by clicking text and icons ([#171](https://github.com/stonith404/pingvin-share/issues/171)) ([348852c](https://github.com/stonith404/pingvin-share/commit/348852cfa4275f5c642669b43697f83c35333044))
+
+## [0.15.0](https://github.com/stonith404/pingvin-share/compare/v0.14.1...v0.15.0) (2023-05-09)
+
+
+### Features
+
+* add env variables for port, database url and data dir  ([98c0de7](https://github.com/stonith404/pingvin-share/commit/98c0de78e8a73e3e5bf0928226cfb8a024b566a1))
+* add healthcheck endpoint ([5132d17](https://github.com/stonith404/pingvin-share/commit/5132d177b8ab4e00a7e701e9956222fa2352d42c))
+* allow to configure clamav with environment variables ([1df5c71](https://github.com/stonith404/pingvin-share/commit/1df5c7123e4ca8695f4f1b7d49f46cdf147fb920))
+* configure ports, db url and api url with env variables ([e5071cb](https://github.com/stonith404/pingvin-share/commit/e5071cba1204093197b72e18d024b484e72e360a))
+
+### [0.14.1](https://github.com/stonith404/pingvin-share/compare/v0.14.0...v0.14.1) (2023-04-07)
+
+
+### Bug Fixes
+
+* boolean config variables can't be set to false ([39a7451](https://github.com/stonith404/pingvin-share/commit/39a74510c1f00466acaead39f7bee003b3db60d7))
+
+## [0.14.0](https://github.com/stonith404/pingvin-share/compare/v0.13.1...v0.14.0) (2023-04-01)
+
+
+### Features
+
+* **share, config:** more variables, placeholder and reset default ([#132](https://github.com/stonith404/pingvin-share/issues/132)) ([beece56](https://github.com/stonith404/pingvin-share/commit/beece56327da141c222fd9f5259697df6db9347a))
+
+
+### Bug Fixes
+
+* bool config variable can't be changed ([0e5c673](https://github.com/stonith404/pingvin-share/commit/0e5c67327092e4751208e559a2b0d5ee2b91b6e3))
+
+### [0.13.1](https://github.com/stonith404/pingvin-share/compare/v0.13.0...v0.13.1) (2023-03-14)
+
+
+### Bug Fixes
+
+* empty file can't be uploaded in chrome ([9f2097e](https://github.com/stonith404/pingvin-share/commit/9f2097e788dfb79c2f95085025934c3134a3eb38))
+
+## [0.13.0](https://github.com/stonith404/pingvin-share/compare/v0.12.1...v0.13.0) (2023-03-14)
+
+
+### Features
+
+* add preview modal ([c807d20](https://github.com/stonith404/pingvin-share/commit/c807d208d8f0518f6390f9f0f3d0eb00c12d213b))
+* sort shared files ([b25c30d](https://github.com/stonith404/pingvin-share/commit/b25c30d1ed57230096b17afaf8545c7b0ef2e4b1))
+
+
+### Bug Fixes
+
+* replace "pingvin share" with dynamic app name ([f55aa80](https://github.com/stonith404/pingvin-share/commit/f55aa805167f31864cb07e269a47533927cb533c))
+* set password manually input not shown ([8ff417a](https://github.com/stonith404/pingvin-share/commit/8ff417a013a45a777308f71c4f0d1817bfeed6be))
+* show line breaks in txt preview ([37e765d](https://github.com/stonith404/pingvin-share/commit/37e765ddc7b19554bc6fb50eb969984b58bf3cc5))
+* upload file if it is 0 bytes ([f82099f](https://github.com/stonith404/pingvin-share/commit/f82099f36eb4699385fc16dfb0e0c02e5d55b1e3))
+
+### [0.12.1](https://github.com/stonith404/pingvin-share/compare/v0.12.0...v0.12.1) (2023-03-11)
+
+
+### Bug Fixes
+
+* 48px icon does not update ([753dbe8](https://github.com/stonith404/pingvin-share/commit/753dbe83b770814115a2576c7a50e1bac9dc8ce1))
+
+## [0.12.0](https://github.com/stonith404/pingvin-share/compare/v0.11.1...v0.12.0) (2023-03-10)
+
+
+### Features
+
+* ability to change logo in frontend ([8403d7e](https://github.com/stonith404/pingvin-share/commit/8403d7e14ded801c3842a9b3fd87c3f6824c519e))
+
+
+### Bug Fixes
+
+* crypto is not defined ([8f71fd3](https://github.com/stonith404/pingvin-share/commit/8f71fd343506506532c1a24a4c66a16b1021705f))
+* home page shown even if disabled ([3ad6b03](https://github.com/stonith404/pingvin-share/commit/3ad6b03b6bd80168870049582683077b689fa548))
+
+### [0.11.1](https://github.com/stonith404/pingvin-share/compare/v0.11.0...v0.11.1) (2023-03-05)
+
+
+### Bug Fixes
+
+* old config variable prevents to create a share ([8b77e81](https://github.com/stonith404/pingvin-share/commit/8b77e81d4c1b8a2bf798595f5a66079c40734e09))
+
+## [0.11.0](https://github.com/stonith404/pingvin-share/compare/v0.10.2...v0.11.0) (2023-03-04)
+
+
+### Features
+
+* custom branding ([#112](https://github.com/stonith404/pingvin-share/issues/112)) ([fddad3e](https://github.com/stonith404/pingvin-share/commit/fddad3ef708c27052a8bf46f3076286d102f6d7e))
+* invite new user with email ([f984050](https://github.com/stonith404/pingvin-share/commit/f9840505b82fcb04364a79576f186b76cc75f5c0))
+
+
+### Bug Fixes
+
+* frontend error when user deleted ([0317f3a](https://github.com/stonith404/pingvin-share/commit/0317f3a508dc88ffe2c33413704f7df03a2372ea))
+
+### [0.10.2](https://github.com/stonith404/pingvin-share/compare/v0.10.1...v0.10.2) (2023-02-13)
+
+
+### Bug Fixes
+
+* pdf preview tries to render on server ([c3af0fe](https://github.com/stonith404/pingvin-share/commit/c3af0fe097582f69b63ed1ad18fb71bff334d32a))
+
+### [0.10.1](https://github.com/stonith404/pingvin-share/compare/v0.10.0...v0.10.1) (2023-02-12)
+
+
+### Bug Fixes
+
+* non administrator user redirection error while setup isn't finished ([dc8cf3d](https://github.com/stonith404/pingvin-share/commit/dc8cf3d5ca6b4f8a8f243b8e0b05e09738cf8b61))
+* setup wizard doesn't redirect after completion ([7cd9dff](https://github.com/stonith404/pingvin-share/commit/7cd9dff637900098c9f6e46ccade37283d47321b))
+
+## [0.10.0](https://github.com/stonith404/pingvin-share/compare/v0.9.0...v0.10.0) (2023-02-10)
+
+
+### ⚠ BREAKING CHANGES
+
+* reset password with email
+
+### Features
+
+* allow multiple shares with one reverse share link ([ccdf8ea](https://github.com/stonith404/pingvin-share/commit/ccdf8ea3ae1e7b8520c5b1dd9bea18b1b3305f35))
+* **frontend:** server side rendering to improve performance ([38de022](https://github.com/stonith404/pingvin-share/commit/38de022215a9b99c2eb36654f8dbb1e17ca87aba))
+* reset password with email ([5d1a7f0](https://github.com/stonith404/pingvin-share/commit/5d1a7f0310df2643213affd2a0d1785b7e0af398))
+
+
+### Bug Fixes
+
+* delete all shares of reverse share ([86a7379](https://github.com/stonith404/pingvin-share/commit/86a737951951c911abd7967d76cb253c4335cb0c))
+* invalid redirection after jwt expiry ([82f204e](https://github.com/stonith404/pingvin-share/commit/82f204e8a93e3113dcf65b1881d4943a898602eb))
+* setup status doesn't change ([064ef38](https://github.com/stonith404/pingvin-share/commit/064ef38d783b3f351535c2911eb451efd9526d71))
+* share creation without reverseShareToken ([b966270](https://github.com/stonith404/pingvin-share/commit/b9662701c42fe6771c07acb869564031accb2932))
+* share fails if a share was created with a reverse share link recently ([edc10b7](https://github.com/stonith404/pingvin-share/commit/edc10b72b7884c629a8417c3c82222b135ef7653))
+
+## [0.9.0](https://github.com/stonith404/pingvin-share/compare/v0.8.0...v0.9.0) (2023-01-31)
+
+
+### Features
+
+* direct file link ([008df06](https://github.com/stonith404/pingvin-share/commit/008df06b5cf48872d4dd68df813370596a4fd468))
+* file preview ([91a6b3f](https://github.com/stonith404/pingvin-share/commit/91a6b3f716d37d7831e17a7be1cdb35cb23da705))
+
+
+### Bug Fixes
+
+* improve send test email UX ([233c26e](https://github.com/stonith404/pingvin-share/commit/233c26e5cfde59e7d51023ef9901dec2b84a4845))
+
+## [0.8.0](https://github.com/stonith404/pingvin-share/compare/v0.7.0...v0.8.0) (2023-01-26)
+
+
+### Features
+
+* reverse shares ([#86](https://github.com/stonith404/pingvin-share/issues/86)) ([4a5fb54](https://github.com/stonith404/pingvin-share/commit/4a5fb549c6ac808261eb65d28db69510a82efd00))
+
+
+### Bug Fixes
+
+* Add meta tags to new pages ([bb64f6c](https://github.com/stonith404/pingvin-share/commit/bb64f6c33fc5c5e11f2c777785c96a74b57dfabc))
+* admin users were created while the setup wizard wasn't finished ([ad92cfc](https://github.com/stonith404/pingvin-share/commit/ad92cfc852ca6aa121654d747a02628492ae5b89))
+
+## [0.7.0](https://github.com/stonith404/pingvin-share/compare/v0.6.1...v0.7.0) (2023-01-13)
+
+
+### Features
+
+* add ClamAV to scan for malicious files ([76088cc](https://github.com/stonith404/pingvin-share/commit/76088cc76aedae709f06deaee2244efcf6a22bed))
+
+
+### Bug Fixes
+
+* invalid github release link on admin page ([349bf47](https://github.com/stonith404/pingvin-share/commit/349bf475cc7fc1141dbd2a9bd2f63153c4d5b41b))
+
+### [0.6.1](https://github.com/stonith404/pingvin-share/compare/v0.6.0...v0.6.1) (2023-01-11)
+
+
+### Features
+
+* delete all sessions if password was changed ([02e41e2](https://github.com/stonith404/pingvin-share/commit/02e41e243768de34de1bdc8833e83f60db530e55))
+
+
+### Bug Fixes
+
+* shareUrl uses wrong origin ([f1b44f8](https://github.com/stonith404/pingvin-share/commit/f1b44f87fa64d3b21ca92c9068cb352d0ad51bc0))
+* update password doesn't work ([74e8956](https://github.com/stonith404/pingvin-share/commit/74e895610642552c98c0015d0f8347735aaed457))
+
+## [0.6.0](https://github.com/stonith404/pingvin-share/compare/v0.5.1...v0.6.0) (2023-01-09)
+
+
+### Features
+
+* chunk uploads ([#76](https://github.com/stonith404/pingvin-share/issues/76)) ([653d72b](https://github.com/stonith404/pingvin-share/commit/653d72bcb958268e2f23efae94cccb72faa745af))
+
+
+### Bug Fixes
+
+* access token refreshes even it is still valid ([c8ad222](https://github.com/stonith404/pingvin-share/commit/c8ad2225e3c9ca79fea494d538b67797fbc7f6ae))
+* error message typo ([72c8081](https://github.com/stonith404/pingvin-share/commit/72c8081e7c135ab1f600ed7e3d7a0bf03dabde34))
+* migration for v0.5.1 ([f2d4895](https://github.com/stonith404/pingvin-share/commit/f2d4895e50d3da82cef68858752fb7f6293e7a20))
+* refresh token expires after 1 day instead of 3 months ([a5bef5d](https://github.com/stonith404/pingvin-share/commit/a5bef5d4a4ae75447ca1f65259c5541edfc87dd8))
+
+### [0.5.1](https://github.com/stonith404/pingvin-share/compare/v0.5.0...v0.5.1) (2023-01-04)
+
+
+### Features
+
+* show version and show button if new release is available on admin page ([71658ad](https://github.com/stonith404/pingvin-share/commit/71658ad39d7e3638de659e8230fad4e05f60fdd8))
+* use cookies for authentication ([faea1ab](https://github.com/stonith404/pingvin-share/commit/faea1abcc4b533f391feaed427e211fef9166fe4))
+
+
+### Bug Fixes
+
+* email configuration updated without restart ([1117465](https://github.com/stonith404/pingvin-share/commit/11174656e425c4be60e4f7b1ea8463678e5c60d2))
+
+## [0.5.0](https://github.com/stonith404/pingvin-share/compare/v0.4.0...v0.5.0) (2022-12-30)
+
+
+### Features
+
+* custom mail subject ([cabaee5](https://github.com/stonith404/pingvin-share/commit/cabaee588b50877872d210c870bfb9c95b541921))
+* improve config UI ([#69](https://github.com/stonith404/pingvin-share/issues/69)) ([5bc4f90](https://github.com/stonith404/pingvin-share/commit/5bc4f902f6218a09423491404806a4b7fb865c98))
+* manually switch color scheme ([ef21bac](https://github.com/stonith404/pingvin-share/commit/ef21bac59b11dc68649ab3b195dcb89d2b192e7b))
+
+
+### Bug Fixes
+
+* refresh token gets deleted on session end ([e5b50f8](https://github.com/stonith404/pingvin-share/commit/e5b50f855c02aa4b5c9ee873dd5a7ab25759972d))
+
+## [0.4.0](https://github.com/stonith404/pingvin-share/compare/v0.3.6...v0.4.0) (2022-12-21)
+
+
+### Features
+
+* custom email message ([0616a68](https://github.com/stonith404/pingvin-share/commit/0616a68bd2e0c9cb559ebdf294e353dd3f69c9a5))
+* TOTP (two-factor) Authentication ([#55](https://github.com/stonith404/pingvin-share/issues/55)) ([16480f6](https://github.com/stonith404/pingvin-share/commit/16480f6e9572011fadeb981a388b92cb646fa6d9))
+
+### [0.3.6](https://github.com/stonith404/pingvin-share/compare/v0.3.5...v0.3.6) (2022-12-13)
+
+
+### Features
+
+* add description field to share ([8728fa5](https://github.com/stonith404/pingvin-share/commit/8728fa5207524e9aee26d68eafe1b6fff367d749))
+
+
+### Bug Fixes
+
+* remove dot in email link ([9b0c08d](https://github.com/stonith404/pingvin-share/commit/9b0c08d0cdeeeef217ccba57f593fea9d8858371))
+* rerange accordion items ([844c47e](https://github.com/stonith404/pingvin-share/commit/844c47e1290fb0f7dedb41a18be59ed5ab83dabc))
+
+### [0.3.5](https://github.com/stonith404/pingvin-share/compare/v0.3.4...v0.3.5) (2022-12-11)
+
+
+### Features
+
+* upload 3 files at same time ([d010a8a](https://github.com/stonith404/pingvin-share/commit/d010a8a2d366708b1bb5088e9c1e9f9378d3e023))
+
+
+### Bug Fixes
+
+* jobs never get executed ([05cbb7b](https://github.com/stonith404/pingvin-share/commit/05cbb7b27ef98a3a80dd9edc318f1dcc9a8bd442))
+* only create zip if more than one file is in the share ([3d1d4d0](https://github.com/stonith404/pingvin-share/commit/3d1d4d0fc7c0351724387c3721280c334ae94d98))
+* remove unnecessary port expose ([084e911](https://github.com/stonith404/pingvin-share/commit/084e911eed95eb22fea0bf185803ba32c3eda1a9))
+* setup wizard table doesn't take full width ([9798e26](https://github.com/stonith404/pingvin-share/commit/9798e26872064edc1049138cf73479b1354a43ed))
+* use node slim to fix arm builds ([797f893](https://github.com/stonith404/pingvin-share/commit/797f8938cac9cc3bb788f632d97eba5c49fe98a5))
+* zip doesn't contain file extension ([5b01108](https://github.com/stonith404/pingvin-share/commit/5b0110877745f1fcde4952737a93c07ef4a2a92d))
+
+### [0.3.4](https://github.com/stonith404/pingvin-share/compare/v0.3.3...v0.3.4) (2022-12-10)
+
+
+### Bug Fixes
+
+* show alternative to copy button if site is not using https ([7e877ce](https://github.com/stonith404/pingvin-share/commit/7e877ce9f4b82d61c9b238e17def9f4c29e7aeb8))
+* sign up page available when registration is disabled ([c8a4521](https://github.com/stonith404/pingvin-share/commit/c8a4521677280d6aba89d293a1fe0c38adf9f92c))
+* tables on mobile ([b1bfb09](https://github.com/stonith404/pingvin-share/commit/b1bfb09dfd5c90cc18847470a9ce1ce8397c1476))
+
+### [0.3.3](https://github.com/stonith404/pingvin-share/compare/v0.3.2...v0.3.3) (2022-12-08)
+
+
+### Features
+
+* add support for different email and user ([888a0c5](https://github.com/stonith404/pingvin-share/commit/888a0c5fafc51b6872ed71e37d4b40c9bf6a07f1))
+
+
+### Bug Fixes
+
+* allow empty strings in config variable ([b8172ef](https://github.com/stonith404/pingvin-share/commit/b8172efd59fb3271ab9b818b13a7003342b2cebd))
+* improve admin dashboard color and layout ([a545c44](https://github.com/stonith404/pingvin-share/commit/a545c444261c90105dcb165ebcf4b26634e729ca))
+* obscure critical config variables ([bfb0d15](https://github.com/stonith404/pingvin-share/commit/bfb0d151ea2ba125e536a16b1873e143a67e9f64))
+* obscured text length ([cbe37c6](https://github.com/stonith404/pingvin-share/commit/cbe37c679853ecef1522ed213e4cac5defd5b45a))
+* space character in email ([907e56a](https://github.com/stonith404/pingvin-share/commit/907e56af0faccdbc8d7f5ab3418a4ad71ff849f5))
+
+### [0.3.2](https://github.com/stonith404/pingvin-share/compare/v0.3.1...v0.3.2) (2022-12-07)
+
+
+### Bug Fixes
+
+* make share password optional ([57cb683](https://github.com/stonith404/pingvin-share/commit/57cb683c64eaedec2697ea6863948bd2ae68dd75))
+* unauthenticated dialog not shown ([4a016ed](https://github.com/stonith404/pingvin-share/commit/4a016ed57db526ee900c567f7b7f0991f948c631))
+* use session storage for share token ([5ea63fb](https://github.com/stonith404/pingvin-share/commit/5ea63fb60be0c508c38ba228cc8ac6dd7b403aac))
+
+### [0.3.1](https://github.com/stonith404/pingvin-share/compare/v0.3.0...v0.3.1) (2022-12-05)
+
+
+### Bug Fixes
+
+* dropzone rejection on chrome ([75f57a4](https://github.com/stonith404/pingvin-share/commit/75f57a4e57fb13cc62e87428e8302b453ea6b44b))
+
+## [0.3.0](https://github.com/stonith404/pingvin-share/compare/v0.2.0...v0.3.0) (2022-12-05)
+
+
+### Features
+
+* add add new config strategy to frontend ([493705e](https://github.com/stonith404/pingvin-share/commit/493705e4ef21cb638620b0037b9ff2cec8046c95))
+* add administrator guard ([13f98cc](https://github.com/stonith404/pingvin-share/commit/13f98cc32c804c786c71b10dc4cf029d7795be76))
+* add job that deleted temporary files ([b649d8b](https://github.com/stonith404/pingvin-share/commit/b649d8bf8e849aff3f350e3c5fd0151a063b9706))
+* add new config strategy to backend ([1b5e53f](https://github.com/stonith404/pingvin-share/commit/1b5e53ff7ee00228eda6dc5c62d5cd8c3752b03b))
+* add setup wizard ([b579b8f](https://github.com/stonith404/pingvin-share/commit/b579b8f3309e2d7070e6a82c5da76ab8029bee11))
+* add user management ([7a3967f](https://github.com/stonith404/pingvin-share/commit/7a3967fd6f76a03461d05e962e82fe5130528ca5))
+* add user operations to backend ([31b3f6c](https://github.com/stonith404/pingvin-share/commit/31b3f6cb2fc662623df92cdbaf803f1b98a696ae))
+
+
+### Bug Fixes
+
+* convert async function to sync function ([1dbfe0b](https://github.com/stonith404/pingvin-share/commit/1dbfe0bbc9821bbee02220484c87cf9fe12fd033))
+* database migration by adding a username ([e9526fc](https://github.com/stonith404/pingvin-share/commit/e9526fc0390cc8ba70c824370041ea9aaf6f9ef9))
+* docker build ([e958a83](https://github.com/stonith404/pingvin-share/commit/e958a83b87a452e42fb38c12d4b11d71b2323c2d))
+* share password validation ([c795b98](https://github.com/stonith404/pingvin-share/commit/c795b988df437c85efb91e0f6f8ec782f38dbe3d))
+* unable to update user privileges ([d4a0f1a](https://github.com/stonith404/pingvin-share/commit/d4a0f1a4f16b7980fb244a4e582ceeb9bfaff877))
+
+## [0.2.0](https://github.com/stonith404/pingvin-share/compare/v0.1.1...v0.2.0) (2022-11-13)
+
+
+### Features
+
+* add email recepients functionality ([32ad43a](https://github.com/stonith404/pingvin-share/commit/32ad43ae27a29b946bfba0040cac7eb158c84553))
+
+
+### Bug Fixes
+
+* add public userDTO to prevent confusion ([0efd2d8](https://github.com/stonith404/pingvin-share/commit/0efd2d8bf96506cf7d7dc2dc3164a8d59009cec7))
+* email sending when not signed in ([32eaee4](https://github.com/stonith404/pingvin-share/commit/32eaee42363250defa92913c738a2702ba3e2693))
+* hide and disallow email recipients if disabled ([34db3ae](https://github.com/stonith404/pingvin-share/commit/34db3ae2a997498edaa70404807d0e770dad6edb))
+
+### [0.1.1](https://github.com/stonith404/pingvin-share/compare/v0.1.0...v0.1.1) (2022-10-31)
+
+
+### Bug Fixes
+
+* add `ALLOW_UNAUTHENTICATED_SHARES` to docker compose file ([599d8ca](https://github.com/stonith404/pingvin-share/commit/599d8caa31dc018c14c959d6602ac652eaef5da2))
+* only log jobs if they actually did something ([e40cc0f](https://github.com/stonith404/pingvin-share/commit/e40cc0f48beec09e18738de1b445cabd9daab09b))
+* share finishes before all files are uploaded ([99de4e5](https://github.com/stonith404/pingvin-share/commit/99de4e57e18df54596e168a57b94c55d7a834472))
+
+## [0.1.0](https://github.com/stonith404/pingvin-share/compare/v0.0.1...v0.1.0) (2022-10-29)
+
+
+### Features
+
+* add rate limiting ([712cfe6](https://github.com/stonith404/pingvin-share/commit/712cfe625a19dc9790cda5fbc2843fed0836b860))
+* allow unauthenticated uploads ([84d29df](https://github.com/stonith404/pingvin-share/commit/84d29dff68d0ea9d76d9a35f9fb7dff95d3dda1b))
+* **frontend:** remove footer ([c52a4d5](https://github.com/stonith404/pingvin-share/commit/c52a4d5e3ad717a10d15b7fe1dbf359b041c0976))
+
+
+### Bug Fixes
+
+* infinite loading when file size is small ([c2ddce6](https://github.com/stonith404/pingvin-share/commit/c2ddce62038e561d292f23fc6089562e64f1ffe9))
+* only show not signed in warning if not signed in ([c6e1f07](https://github.com/stonith404/pingvin-share/commit/c6e1f07f51e9cdd914bb70fb19dd81b90a470563))
+* opt out of static site generation to enable `publicRuntimeConfig` ([239b18c](https://github.com/stonith404/pingvin-share/commit/239b18cdae6367322bcdacb6b2bbaa1028295cc4))
+* visitor count doesn't get incremented ([c8021a4](https://github.com/stonith404/pingvin-share/commit/c8021a42b7fb094e587325bf855fc3133b6b96b0))
+
+### [0.0.1](https://github.com/stonith404/pingvin-share/compare/4bab33ad8a79302fd94c6d92a3ddf87cdff8b214...v0.0.1) (2022-10-17)
+
+
+### Features
+
+* add `linux/arm/v7` arch for docker image ([d9e5c28](https://github.com/stonith404/pingvin-share/commit/d9e5c286e3b53834276511227f219d0858ca0829))
+* add progress indicator for uploading files ([8c84d50](https://github.com/stonith404/pingvin-share/commit/8c84d50159bdabc75a1199ffdf372b9586f67371))
+* Added "never" expiration date ([56349c6](https://github.com/stonith404/pingvin-share/commit/56349c6f4cc739d07bcf8ad862b0868e09342883))
+* automatically detect hour format ([4e3f6be](https://github.com/stonith404/pingvin-share/commit/4e3f6be8e322929b83a35c7789078260dca9eb58))
+* extract logo to component ([58efc48](https://github.com/stonith404/pingvin-share/commit/58efc48ffa559b4bfa03e381bccb552c8fb830b9))
+* improve share security ([6358ac3](https://github.com/stonith404/pingvin-share/commit/6358ac3918d1af1cc05aca634d9d32a8f35d251f))
+* put db and uploads in same folder ([80cdcda](https://github.com/stonith404/pingvin-share/commit/80cdcda93c385a8f5c1e22c7b84740f5d8119ef1))
+* remove appwrite and add nextjs backend ([4bab33a](https://github.com/stonith404/pingvin-share/commit/4bab33ad8a79302fd94c6d92a3ddf87cdff8b214))
+* remove postgres & use a single docker container ([388ac39](https://github.com/stonith404/pingvin-share/commit/388ac395ba85aae8a91ddfb5f5637a80a3e6f16b))
+* replace tooltip with toast ([a33b5b3](https://github.com/stonith404/pingvin-share/commit/a33b5b37d92071e643a0bf78a9d6ecf29bebc65a))
+* use system color theme ([d902aae](https://github.com/stonith404/pingvin-share/commit/d902aae03ff33d39c733cf1bce88ae58ff4cd888))


 ### Bug Fixes
@@ -28,19 +769,3 @@
 * upload volume path ([7522221](https://github.com/stonith404/pingvin-share/commit/7522221ee163cb0bd6144e7b924c77065f223fb9))
 * wrong environment configuration for `ALLOW_REGISTRATION` ([759db40](https://github.com/stonith404/pingvin-share/commit/759db40ac9f42ff71a795ceec521a7f9531d71c9))

-
-### Features
-
-* add `linux/arm/v7` arch for docker image ([d9e5c28](https://github.com/stonith404/pingvin-share/commit/d9e5c286e3b53834276511227f219d0858ca0829))
-* add progress indicator for uploading files ([8c84d50](https://github.com/stonith404/pingvin-share/commit/8c84d50159bdabc75a1199ffdf372b9586f67371))
-* automatically detect hour format ([4e3f6be](https://github.com/stonith404/pingvin-share/commit/4e3f6be8e322929b83a35c7789078260dca9eb58))
-* extract logo to component ([58efc48](https://github.com/stonith404/pingvin-share/commit/58efc48ffa559b4bfa03e381bccb552c8fb830b9))
-* improve share security ([6358ac3](https://github.com/stonith404/pingvin-share/commit/6358ac3918d1af1cc05aca634d9d32a8f35d251f))
-* put db and uploads in same folder ([80cdcda](https://github.com/stonith404/pingvin-share/commit/80cdcda93c385a8f5c1e22c7b84740f5d8119ef1))
-* remove appwrite and add nextjs backend ([4bab33a](https://github.com/stonith404/pingvin-share/commit/4bab33ad8a79302fd94c6d92a3ddf87cdff8b214))
-* remove postgres & use a single docker container ([388ac39](https://github.com/stonith404/pingvin-share/commit/388ac395ba85aae8a91ddfb5f5637a80a3e6f16b))
-* replace tooltip with toast ([a33b5b3](https://github.com/stonith404/pingvin-share/commit/a33b5b37d92071e643a0bf78a9d6ecf29bebc65a))
-* use system color theme ([d902aae](https://github.com/stonith404/pingvin-share/commit/d902aae03ff33d39c733cf1bce88ae58ff4cd888))
-
-
-
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,68 +1,66 @@
+_Read this in another language: [Spanish](/docs/CONTRIBUTING.es.md), [English](/CONTRIBUTING.md), [Simplified Chinese](/docs/CONTRIBUTING.zh-cn.md)_
+
+---
+
 # Contributing

 We would ❤️ for you to contribute to Pingvin Share and help make it better! All contributions are welcome, including issues, suggestions, pull requests and more.

 ## Getting started
+
 You've found a bug, have suggestion or something else, just create an issue on GitHub and we can get in touch 😊.

+## Submit a Pull Request

-## Submit a Pull Request 
-Once you created a issue and you want to create a pull request, follow this guide.
+Before you submit the pull request for review please ensure that

-Branch naming convention is as following
+- The pull request naming follows the [Conventional Commits specification](https://www.conventionalcommits.org):

-`TYPE-ISSUE_ID-DESCRIPTION`
+  `<type>[optional scope]: <description>`

-example:
+  example:
+
+  ```
+  feat(share): add password protection
+  ```
+
+  When `TYPE` can be:
+
+  - **feat** - is a new feature
+  - **doc** - documentation only changes
+  - **fix** - a bug fix
+  - **refactor** - code change that neither fixes a bug nor adds a feature
+
+- Your pull request has a detailed description
+- You run `npm run format` to format the code
+
+<details>
+  <summary>Don't know how to create a pull request? Learn how to create a pull request</summary>
+
+1. Create a fork of the repository by clicking on the `Fork` button in the Pingvin Share repository
+
+2. Clone your fork to your machine with `git clone`

 ```
-feat-69-ability-to-set-share-expiration-to-never
-```
-
-When `TYPE` can be:
-
- **feat** - is a new feature
- **doc** - documentation only changes
- **fix** - a bug fix
- **refactor** - code change that neither fixes a bug nor adds a feature
-
-**All PRs must include a commit message with the changes description!**
-
-For the initial start, fork the project and use the `git clone` command to download the repository to your computer. A standard procedure for working on an issue would be to:
-
-1. `git pull`, before creating a new branch, pull the changes from upstream. Your master needs to be up to date.
-
-```
-$ git pull
-```
-
-2. Create new branch from `main` like: `feat-69-ability-to-set-share-expiration-to-never`<br/>
-
-```
-$ git checkout -b [name_of_your_new_branch]
+$ git clone https://github.com/[your_username]/pingvin-share
 ```

 3. Work - commit - repeat

-4. Before you push your changes, make sure you run the linter and format the code.
-
-```bash
-npm run lint
-npm run format
-```
-
-5. Push changes to GitHub
+4. Push changes to GitHub

 ```
 $ git push origin [name_of_your_new_branch]
 ```

-6. Submit your changes for review
+5. Submit your changes for review
   If you go to your repository on GitHub, you'll see a `Compare & pull request` button. Click on that button.
-7. Start a Pull Request
-   Now submit the pull request and click on `Create pull request`.
+6. Start a Pull Request
+7. Now submit the pull request and click on `Create pull request`.
 8. Get a code review approval/reject

+</details>
+
 ## Setup project

 Pingvin Share consists of a frontend and a backend.
@@ -74,20 +72,21 @@ The backend is built with [Nest.js](https://nestjs.com) and uses Typescript.
 #### Setup

 1. Open the `backend` folder
-2. Duplicate the `.env.example` file, rename the duplicate to `.env` and change the environment variables if needed
-3. Install the dependencies with `npm install`
-4. Push the database schema to the database by running `npx prisma db push`
+2. Install the dependencies with `npm install`
+3. Push the database schema to the database by running `npx prisma db push`
+4. Seed the database with `npx prisma db seed`
 5. Start the backend with `npm run dev`

 ### Frontend
+
 The frontend is built with [Next.js](https://nextjs.org) and uses Typescript.

 #### Setup
+
 1. Start the backend first
 2. Open the `frontend` folder
-3. Duplicate the `.env.example` file, rename the duplicate to `.env` and change the environment variables if needed
-4. Install the dependencies with `npm install`
-5. Start the frontend with `npm run dev`
+3. Install the dependencies with `npm install`
+4. Start the frontend with `npm run dev`

 You're all set!

--- a/15
+++ b/15
@@ -0,0 +1,15 @@
+:3000 {
+    # Reverse proxy for /api
+    reverse_proxy /api/* http://localhost:8080 {
+        header_up X-Forwarded-Host {host}:{server_port}
+        header_up X-Forwarded-For {remote_host}
+        header_up X-Forwarded-Proto {scheme}
+    }
+
+    # Reverse proxy for all other requests
+    reverse_proxy http://localhost:3333 {
+        header_up X-Forwarded-Host {host}:{server_port}
+        header_up X-Forwarded-For {remote_host}
+        header_up X-Forwarded-Proto {scheme}
+    }
+}
--- a/50
+++ b/50
@@ -1,34 +1,58 @@
-FROM node:18-alpine AS frontend-builder
+# Stage 1: Frontend dependencies
+FROM node:20-alpine AS frontend-dependencies
 WORKDIR /opt/app
 COPY frontend/package.json frontend/package-lock.json ./
 RUN npm ci
+
+# Stage 2: Build frontend
+FROM node:20-alpine AS frontend-builder
+WORKDIR /opt/app
 COPY ./frontend .
+COPY --from=frontend-dependencies /opt/app/node_modules ./node_modules
 RUN npm run build

-FROM node:18 AS backend-builder
+# Stage 3: Backend dependencies
+FROM node:20-alpine AS backend-dependencies
+RUN apk add --no-cache python3
 WORKDIR /opt/app
 COPY backend/package.json backend/package-lock.json ./
 RUN npm ci
-COPY ./backend .
-RUN npx prisma generate
-RUN npm run build

-FROM node:18 AS runner
+# Stage 4: Build backend
+FROM node:20-alpine AS backend-builder
+WORKDIR /opt/app
+COPY ./backend .
+COPY --from=backend-dependencies /opt/app/node_modules ./node_modules
+RUN npx prisma generate
+RUN npm run build && npm prune --production
+
+# Stage 5: Final image
+FROM node:20-alpine AS runner
+ENV NODE_ENV=docker
+
+RUN apk update --no-cache \
+    && apk upgrade --no-cache \
+    && apk add --no-cache curl caddy
+
 WORKDIR /opt/app/frontend
-ENV NODE_ENV=production
-COPY --from=frontend-builder /opt/app/next.config.js .
 COPY --from=frontend-builder /opt/app/public ./public
-COPY --from=frontend-builder /opt/app/.next ./.next
-COPY --from=frontend-builder /opt/app/node_modules ./node_modules
+COPY --from=frontend-builder /opt/app/.next/standalone ./
+COPY --from=frontend-builder /opt/app/.next/static ./.next/static
+COPY --from=frontend-builder /opt/app/public/img /tmp/img

 WORKDIR /opt/app/backend
 COPY --from=backend-builder /opt/app/node_modules ./node_modules
 COPY --from=backend-builder /opt/app/dist ./dist
 COPY --from=backend-builder /opt/app/prisma ./prisma
 COPY --from=backend-builder /opt/app/package.json ./
+
+COPY ./Caddyfile /etc/caddy/Caddyfile
+COPY ./scripts/docker-entrypoint.sh /opt/app/docker-entrypoint.sh
+
 WORKDIR /opt/app

-RUN npm i -g dotenv-cli
-
 EXPOSE 3000
-CMD cd frontend && dotenv -e .env.development node_modules/.bin/next start & cd backend && npm run prod
+
+HEALTHCHECK --interval=10s --timeout=3s CMD curl -f http://localhost:3000/api/health || exit 1
+
+CMD ["sh", "/opt/app/docker-entrypoint.sh"]
--- a/README.md
+++ b/README.md
@@ -1,47 +1,36 @@
 # <div align="center"><img  src="https://user-images.githubusercontent.com/58886915/166198400-c2134044-1198-4647-a8b6-da9c4a204c68.svg" width="40"/> </br>Pingvin Share</div>

+[![](https://dcbadge.limes.pink/api/server/wHRQ9nFRcK)](https://discord.gg/wHRQ9nFRcK) [![](https://img.shields.io/badge/Crowdin-2E3340.svg?style=for-the-badge&logo=Crowdin&logoColor=white)](https://crowdin.com/project/pingvin-share) [![](https://img.shields.io/badge/sponsor-30363D?style=for-the-badge&logo=GitHub-Sponsors&logoColor=#white)](https://github.com/sponsors/stonith404)
+
+---
+
 Pingvin Share is self-hosted file sharing platform and an alternative for WeTransfer.

-## 🎪 Showcase
-
-Demo: https://pingvin-share.dev.eliasschneider.com
-
-<img src="https://user-images.githubusercontent.com/58886915/167101708-b85032ad-f5b1-480a-b8d7-ec0096ea2a43.png" width="700"/>
-
 ## ✨ Features

- Create a share with files that you can access with a link
- No file size limit, only your disk will be your limit
- Set a share expiration
- Optionally secure your share with a visitor limit and a password
- Light & dark mode
+- Share files using a link
+- Unlimited file size (restricted only by disk space)
+- Set an expiration date for shares
+- Secure shares with visitor limits and passwords
+- Email recipients
+- Integration with ClamAV for security scans
+
+## 🐧 Get to know Pingvin Share
+
+- [Demo](https://pingvin-share.dev.eliasschneider.com)
+- [Review by DB Tech](https://www.youtube.com/watch?v=rWwNeZCOPJA)
+
+<img src="https://user-images.githubusercontent.com/58886915/225038319-b2ef742c-3a74-4eb6-9689-4207a36842a4.png" width="700"/>

 ## ⌨️ Setup

-> Pleas note that Pingvin Share is in early stage and could include some bugs
+### Installation with Docker (recommended)

-1. Download the `docker-compose.yml` and `.env.example` file.
-2. Rename the `.env.example` file to `.env` and change the environment variables so that they fit to your environment. If you need help with the environment variables take a look [here](#environment-variables)
-3. Run `docker-compose up -d`
+1. Download the `docker-compose.yml` file
+2. Run `docker compose up -d`

-The website is now listening available on `http://localhost:3000`, have fun with Pingvin Share 🐧!
+The website is now listening on `http://localhost:3000`, have fun with Pingvin Share 🐧!

-### Environment variables
+## 📚 Documentation

-| Variable             | Description                                                                                 | Possible values |
-| -------------------- | ------------------------------------------------------------------------------------------- | --------------- |
-| `APP_URL`            | On which URL Pingvin Share is available. E.g http://localhost or https://pingvin-share.com. | URL             |
-| `SHOW_HOME_PAGE`     | Whether the Pingvin Share home page should be shown.                                        | true/false      |
-| `ALLOW_REGISTRATION` | Whether a new user can create a new account.                                                | true/false      |
-| `MAX_FILE_SIZE`      | Maximum allowed size per file in bytes.                                                     | Number          |
-| `JWT_SECRET`         | Long random string to sign the JWT's.                                                       | Random string   |
-
-### Upgrade to a new version
-
-Just update the docker container by running `docker compose pull && docker compose up -d`
-
-> Note: If you installed Pingvin Share before it used Sqlite, you unfortunately have to set up the project from scratch again, sorry for that.
-
-## 🖤 Contribute
-
-You're very welcome to contribute to Pingvin Share! Follow the [contribution guide](/CONTRIBUTING.md) to get started.
+For more installation options and advanced configurations, please refer to the [documentation](https://stonith404.github.io/pingvin-share).
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,7 @@
+# Security Policy
+
+## Supported Versions
+As Pingvin Share is in beta, older versions don't get security updates. Please consider to update Pingvin Share regularly. Updates can be automated with e.g [Watchtower](https://github.com/containrrr/watchtower).
+
+## Reporting a Vulnerability
+Thank you for taking the time to report a vulnerability. Please DO NOT create an issue on GitHub because the vulnerability could get exploited. Instead please write an email to [elias@eliasschneider.com](mailto:elias@eliasschneider.com).
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -1,7 +0,0 @@
-# CONFIGURATION
-APP_URL=http://localhost:3000
-ALLOW_REGISTRATION=true
-MAX_FILE_SIZE=5000000000
-
-# SECURITY
-JWT_SECRET=random-string
--- a/backend/.prettierignore
+++ b/backend/.prettierignore
@@ -0,0 +1 @@
+/src/constants.ts
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -1,22 +0,0 @@
-FROM node:18 AS deps
-WORKDIR /opt/app
-COPY package.json package-lock.json ./
-COPY prisma ./prisma
-RUN npm ci
-RUN npx prisma generate
-
-
-FROM node:18 As build
-WORKDIR /opt/app
-COPY . .
-COPY --from=deps /opt/app/node_modules ./node_modules
-RUN npm run build
-
-
-FROM node:18 As runner
-WORKDIR /opt/app
-COPY --from=build /opt/app/node_modules ./node_modules
-COPY --from=build /opt/app/dist ./dist
-COPY --from=build /opt/app/prisma ./prisma
-COPY --from=deps /opt/app/package.json ./
-CMD npm run prod
--- a/backend/nest-cli.json
+++ b/backend/nest-cli.json
@@ -1,5 +1,8 @@
 {
  "$schema": "https://json.schemastore.org/nest-cli",
  "collection": "@nestjs/schematics",
-  "sourceRoot": "src"
+  "sourceRoot": "src",
+  "compilerOptions": {
+    "plugins": ["@nestjs/swagger"]
+  }
 }
--- a/backend/package-lock.json
+++ b/backend/package-lock.json
--- a/backend/package.json
+++ b/backend/package.json
@@ -1,65 +1,87 @@
 {
  "name": "pingvin-share-backend",
-  "version": "0.0.1",
+  "version": "1.0.0",
  "scripts": {
    "build": "nest build",
-    "dev": "dotenv -- nest start --watch",
-    "prod": "npx prisma migrate deploy && dotenv node dist/main",
+    "dev": "cross-env NODE_ENV=development nest start --watch",
+    "prod": "prisma migrate deploy && prisma db seed && node dist/src/main",
    "lint": "eslint 'src/**/*.ts'",
-    "format": "prettier --write 'src/**/*.ts'",
-    "test:system": "npx prisma migrate reset -f && nest start & sleep 10 && newman run ./test/system/newman-system-tests.json"
+    "format": "prettier --end-of-line=auto --write 'src/**/*.ts'",
+    "test:system": "prisma migrate reset -f && nest start & wait-on http://localhost:8080/api/configs && newman run ./test/newman-system-tests.json"
+  },
+  "prisma": {
+    "seed": "ts-node prisma/seed/config.seed.ts"
  },
  "dependencies": {
-    "@nestjs/common": "^9.1.2",
-    "@nestjs/config": "^2.2.0",
-    "@nestjs/core": "^9.1.2",
-    "@nestjs/jwt": "^9.0.0",
-    "@nestjs/passport": "^9.0.0",
-    "@nestjs/platform-express": "^9.1.2",
-    "@nestjs/schedule": "^2.1.0",
-    "@nestjs/swagger": "^6.1.2",
-    "archiver": "^5.3.1",
-    "argon2": "^0.29.1",
+    "@nestjs/cache-manager": "^2.2.2",
+    "@nestjs/common": "^10.3.9",
+    "@nestjs/config": "^3.2.2",
+    "@nestjs/core": "^10.3.9",
+    "@nestjs/jwt": "^10.2.0",
+    "@nestjs/passport": "^10.0.3",
+    "@nestjs/platform-express": "^10.3.9",
+    "@nestjs/schedule": "^4.0.2",
+    "@nestjs/swagger": "^7.3.1",
+    "@nestjs/throttler": "^5.2.0",
+    "@prisma/client": "^5.16.1",
+    "@types/jmespath": "^0.15.2",
+    "@types/ldapjs": "^3.0.6",
+    "archiver": "^7.0.1",
+    "argon2": "^0.40.3",
+    "body-parser": "^1.20.2",
+    "cache-manager": "^5.6.1",
+    "clamscan": "^2.2.1",
    "class-transformer": "^0.5.1",
-    "class-validator": "^0.13.2",
+    "class-validator": "^0.14.1",
    "content-disposition": "^0.5.4",
+    "cookie-parser": "^1.4.6",
+    "jmespath": "^0.16.0",
+    "ldapjs": "^3.0.7",
    "mime-types": "^2.1.35",
-    "moment": "^2.29.4",
-    "multer": "^1.4.5-lts.1",
-    "passport": "^0.6.0",
-    "passport-jwt": "^4.0.0",
+    "moment": "^2.30.1",
+    "nanoid": "^3.3.7",
+    "nodemailer": "^6.9.14",
+    "otplib": "^12.0.1",
+    "passport": "^0.7.0",
+    "passport-jwt": "^4.0.1",
    "passport-local": "^1.0.0",
-    "reflect-metadata": "^0.1.13",
-    "rimraf": "^3.0.2",
-    "rxjs": "^7.5.7"
+    "qrcode-svg": "^1.1.0",
+    "reflect-metadata": "^0.2.2",
+    "rimraf": "^5.0.7",
+    "rxjs": "^7.8.1",
+    "sharp": "^0.33.4",
+    "ts-node": "^10.9.2"
  },
  "devDependencies": {
-    "@nestjs/cli": "^9.1.4",
-    "@nestjs/schematics": "^9.0.3",
-    "@nestjs/testing": "^9.1.2",
-    "@prisma/client": "^4.4.0",
-    "@types/archiver": "^5.3.1",
-    "@types/cron": "^2.0.0",
-    "@types/express": "^4.17.14",
-    "@types/mime-types": "^2.1.1",
-    "@types/multer": "^1.4.7",
-    "@types/node": "^18.7.23",
-    "@types/passport-jwt": "^3.0.7",
-    "@types/supertest": "^2.0.12",
-    "@typescript-eslint/eslint-plugin": "^5.40.0",
-    "@typescript-eslint/parser": "^5.40.0",
+    "@nestjs/cli": "^10.3.2",
+    "@nestjs/schematics": "^10.1.1",
+    "@nestjs/testing": "^10.3.9",
+    "@types/archiver": "^6.0.2",
+    "@types/clamscan": "^2.0.8",
+    "@types/cookie-parser": "^1.4.7",
+    "@types/cron": "^2.0.1",
+    "@types/express": "^4.17.21",
+    "@types/mime-types": "^2.1.4",
+    "@types/multer": "^1.4.11",
+    "@types/node": "^20.14.9",
+    "@types/nodemailer": "^6.4.15",
+    "@types/passport-jwt": "^4.0.1",
+    "@types/qrcode-svg": "^1.1.4",
+    "@types/sharp": "^0.31.1",
+    "@types/supertest": "^6.0.2",
+    "@typescript-eslint/eslint-plugin": "^7.14.1",
+    "@typescript-eslint/parser": "^7.14.1",
    "cross-env": "^7.0.3",
-    "dotenv-cli": "^6.0.0",
-    "eslint": "^8.25.0",
-    "eslint-config-prettier": "^8.3.0",
-    "eslint-plugin-prettier": "^4.0.0",
-    "newman": "^5.3.2",
-    "prettier": "^2.7.1",
-    "prisma": "^4.4.0",
+    "eslint": "^8.56.0",
+    "eslint-config-prettier": "^9.1.0",
+    "eslint-plugin-prettier": "^5.1.3",
+    "newman": "^6.1.3",
+    "prettier": "^3.3.2",
+    "prisma": "^5.16.1",
    "source-map-support": "^0.5.21",
-    "ts-loader": "^9.4.1",
-    "ts-node": "^10.9.1",
-    "tsconfig-paths": "4.1.0",
-    "typescript": "^4.8.4"
+    "ts-loader": "^9.5.1",
+    "tsconfig-paths": "4.2.0",
+    "typescript": "^5.5.2",
+    "wait-on": "^7.2.0"
  }
 }
--- a/backend/prisma/.env
+++ b/backend/prisma/.env
@@ -0,0 +1,2 @@
+#This file is only used to set a default value for the database url
+DATABASE_URL="file:../data/pingvin-share.db"
--- a/backend/prisma/migrations/20221018123139_make_creator_optional/migration.sql
+++ b/backend/prisma/migrations/20221018123139_make_creator_optional/migration.sql
@@ -0,0 +1,17 @@
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Share" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "uploadLocked" BOOLEAN NOT NULL DEFAULT false,
+    "isZipReady" BOOLEAN NOT NULL DEFAULT false,
+    "views" INTEGER NOT NULL DEFAULT 0,
+    "expiration" DATETIME NOT NULL,
+    "creatorId" TEXT,
+    CONSTRAINT "Share_creatorId_fkey" FOREIGN KEY ("creatorId") REFERENCES "User" ("id") ON DELETE SET NULL ON UPDATE CASCADE
+);
+INSERT INTO "new_Share" ("createdAt", "creatorId", "expiration", "id", "isZipReady", "uploadLocked", "views") SELECT "createdAt", "creatorId", "expiration", "id", "isZipReady", "uploadLocked", "views" FROM "Share";
+DROP TABLE "Share";
+ALTER TABLE "new_Share" RENAME TO "Share";
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
--- a/backend/prisma/migrations/20221113221005_share_recipient/migration.sql
+++ b/backend/prisma/migrations/20221113221005_share_recipient/migration.sql
@@ -0,0 +1,25 @@
+-- CreateTable
+CREATE TABLE "ShareRecipient" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "email" TEXT NOT NULL,
+    "shareId" TEXT NOT NULL,
+    CONSTRAINT "ShareRecipient_shareId_fkey" FOREIGN KEY ("shareId") REFERENCES "Share" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Share" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "uploadLocked" BOOLEAN NOT NULL DEFAULT false,
+    "isZipReady" BOOLEAN NOT NULL DEFAULT false,
+    "views" INTEGER NOT NULL DEFAULT 0,
+    "expiration" DATETIME NOT NULL,
+    "creatorId" TEXT,
+    CONSTRAINT "Share_creatorId_fkey" FOREIGN KEY ("creatorId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+INSERT INTO "new_Share" ("createdAt", "creatorId", "expiration", "id", "isZipReady", "uploadLocked", "views") SELECT "createdAt", "creatorId", "expiration", "id", "isZipReady", "uploadLocked", "views" FROM "Share";
+DROP TABLE "Share";
+ALTER TABLE "new_Share" RENAME TO "Share";
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
--- a/backend/prisma/migrations/20221201220540_config_and_admin_functionalities/migration.sql
+++ b/backend/prisma/migrations/20221201220540_config_and_admin_functionalities/migration.sql
@@ -0,0 +1,37 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `firstName` on the `User` table. All the data in the column will be lost.
+  - You are about to drop the column `lastName` on the `User` table. All the data in the column will be lost.
+  - Added the required column `username` to the `User` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- CreateTable
+CREATE TABLE "Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "key" TEXT NOT NULL PRIMARY KEY,
+    "type" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false
+);
+
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_User" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" DATETIME NOT NULL,
+    "username" TEXT NOT NULL,
+    "email" TEXT NOT NULL,
+    "password" TEXT NOT NULL,
+    "isAdmin" BOOLEAN NOT NULL DEFAULT false
+);
+INSERT INTO "new_User" ("createdAt", "email", "id", "password", "updatedAt", "username") SELECT "createdAt", "email", "id", "password", "updatedAt", 'user-' || User.id as "username"  FROM "User";
+DROP TABLE "User";
+ALTER TABLE "new_User" RENAME TO "User";
+CREATE UNIQUE INDEX "User_username_key" ON "User"("username");
+CREATE UNIQUE INDEX "User_email_key" ON "User"("email");
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
--- a/backend/prisma/migrations/20221208191607_v0_3_3/migration.sql
+++ b/backend/prisma/migrations/20221208191607_v0_3_3/migration.sql
@@ -0,0 +1,17 @@
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "key" TEXT NOT NULL PRIMARY KEY,
+    "type" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "obscured" BOOLEAN NOT NULL DEFAULT false,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false
+);
+INSERT INTO "new_Config" ("description", "key", "locked", "secret", "type", "updatedAt", "value") SELECT "description", "key", "locked", "secret", "type", "updatedAt", "value" FROM "Config";
+DROP TABLE "Config";
+ALTER TABLE "new_Config" RENAME TO "Config";
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
--- a/backend/prisma/migrations/20221213173854_v0_3_6/migration.sql
+++ b/backend/prisma/migrations/20221213173854_v0_3_6/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "Share" ADD COLUMN "description" TEXT;
--- a/backend/prisma/migrations/20221219061131_user_entity/migration.sql
+++ b/backend/prisma/migrations/20221219061131_user_entity/migration.sql
@@ -0,0 +1,31 @@
+-- CreateTable
+CREATE TABLE "LoginToken" (
+    "token" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expiresAt" DATETIME NOT NULL,
+    "userId" TEXT NOT NULL,
+    "used" BOOLEAN NOT NULL DEFAULT false,
+    CONSTRAINT "LoginToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_User" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" DATETIME NOT NULL,
+    "username" TEXT NOT NULL,
+    "email" TEXT NOT NULL,
+    "password" TEXT NOT NULL,
+    "isAdmin" BOOLEAN NOT NULL DEFAULT false,
+    "totpEnabled" BOOLEAN NOT NULL DEFAULT false,
+    "totpVerified" BOOLEAN NOT NULL DEFAULT false,
+    "totpSecret" TEXT
+);
+INSERT INTO "new_User" ("createdAt", "email", "id", "isAdmin", "password", "updatedAt", "username") SELECT "createdAt", "email", "id", "isAdmin", "password", "updatedAt", "username" FROM "User";
+DROP TABLE "User";
+ALTER TABLE "new_User" RENAME TO "User";
+CREATE UNIQUE INDEX "User_username_key" ON "User"("username");
+CREATE UNIQUE INDEX "User_email_key" ON "User"("email");
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
--- a/backend/prisma/migrations/20221230120407_category_attribute_config/migration.sql
+++ b/backend/prisma/migrations/20221230120407_category_attribute_config/migration.sql
@@ -0,0 +1,56 @@
+/*
+  Warnings:
+
+  - Added the required column `category` to the `Config` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "key" TEXT NOT NULL PRIMARY KEY,
+    "type" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "category" TEXT,
+    "obscured" BOOLEAN NOT NULL DEFAULT false,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false
+);
+INSERT INTO "new_Config" ("description", "key", "locked", "obscured", "secret", "type", "updatedAt", "value") SELECT "description", "key", "locked", "obscured", "secret", "type", "updatedAt", "value" FROM "Config";
+DROP TABLE "Config";
+ALTER TABLE "new_Config" RENAME TO "Config";
+
+ UPDATE config SET category = "internal" WHERE key = "SETUP_FINISHED";
+ UPDATE config SET category = "internal" WHERE key = "TOTP_SECRET";
+ UPDATE config SET category = "internal" WHERE key = "JWT_SECRET";
+ UPDATE config SET category = "general" WHERE key = "APP_URL";
+ UPDATE config SET category = "general" WHERE key = "SHOW_HOME_PAGE";
+ UPDATE config SET category = "share" WHERE key = "ALLOW_REGISTRATION";
+ UPDATE config SET category = "share" WHERE key = "ALLOW_UNAUTHENTICATED_SHARES";
+ UPDATE config SET category = "share" WHERE key = "MAX_FILE_SIZE";
+ UPDATE config SET category = "email" WHERE key = "ENABLE_EMAIL_RECIPIENTS";
+ UPDATE config SET category = "email" WHERE key = "EMAIL_MESSAGE";
+ UPDATE config SET category = "email" WHERE key = "EMAIL_SUBJECT";
+ UPDATE config SET category = "email" WHERE key = "SMTP_HOST";
+ UPDATE config SET category = "email" WHERE key = "SMTP_PORT";
+ UPDATE config SET category = "email" WHERE key = "SMTP_EMAIL";
+ UPDATE config SET category = "email" WHERE key = "SMTP_USERNAME";
+ UPDATE config SET category = "email" WHERE key = "SMTP_PASSWORD";
+
+CREATE TABLE "new_Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "key" TEXT NOT NULL PRIMARY KEY,
+    "type" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "category" TEXT NOT NULL,
+    "obscured" BOOLEAN NOT NULL DEFAULT false,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false
+);
+INSERT INTO "new_Config" ("description", "key", "locked", "obscured", "secret", "type", "updatedAt", "value", "category") SELECT "description", "key", "locked", "obscured", "secret", "type", "updatedAt", "value", "category" FROM "Config";
+DROP TABLE "Config";
+ALTER TABLE "new_Config" RENAME TO "Config";
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
--- a/backend/prisma/migrations/20230104145733_v0_5_1/migration.sql
+++ b/backend/prisma/migrations/20230104145733_v0_5_1/migration.sql
@@ -0,0 +1,21 @@
+/*
+  Warnings:
+
+  - The primary key for the `RefreshToken` table will be changed. If it partially fails, the table could be left without primary key constraint.
+  - The required column `id` was added to the `RefreshToken` table with a prisma-level default value. This is not possible if the table is not empty. Please add this column as optional, then populate it before making it required.
+
+*/
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+DROP TABLE "RefreshToken";
+CREATE TABLE "RefreshToken" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "token" TEXT NOT NULL,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expiresAt" DATETIME NOT NULL,
+    "userId" TEXT NOT NULL,
+    CONSTRAINT "RefreshToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+CREATE UNIQUE INDEX "RefreshToken_token_key" ON "RefreshToken"("token");
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
--- a/backend/prisma/migrations/20230113080918_removed_reason_attribute/migration.sql
+++ b/backend/prisma/migrations/20230113080918_removed_reason_attribute/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "Share" ADD COLUMN "removedReason" TEXT;
--- a/backend/prisma/migrations/20230126125501_reverse_shares/migration.sql
+++ b/backend/prisma/migrations/20230126125501_reverse_shares/migration.sql
@@ -0,0 +1,67 @@
+/*
+  Warnings:
+
+  - Added the required column `order` to the `Config` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- CreateTable
+CREATE TABLE "ReverseShare" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "token" TEXT NOT NULL,
+    "shareExpiration" DATETIME NOT NULL,
+    "maxShareSize" TEXT NOT NULL,
+    "sendEmailNotification" BOOLEAN NOT NULL,
+    "used" BOOLEAN NOT NULL DEFAULT false,
+    "creatorId" TEXT NOT NULL,
+    "shareId" TEXT,
+    CONSTRAINT "ReverseShare_creatorId_fkey" FOREIGN KEY ("creatorId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE,
+    CONSTRAINT "ReverseShare_shareId_fkey" FOREIGN KEY ("shareId") REFERENCES "Share" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "key" TEXT NOT NULL PRIMARY KEY,
+    "type" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "category" TEXT NOT NULL,
+    "obscured" BOOLEAN NOT NULL DEFAULT false,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false,
+    "order" INTEGER NOT NULL
+);
+INSERT INTO "new_Config" ("category", "description", "key", "locked", "obscured", "secret", "type", "updatedAt", "value", "order") SELECT "category", "description", "key", "locked", "obscured", "secret", "type", "updatedAt", "value", 0 FROM "Config";
+DROP TABLE "Config";
+ALTER TABLE "new_Config" RENAME TO "Config";
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ReverseShare_token_key" ON "ReverseShare"("token");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ReverseShare_shareId_key" ON "ReverseShare"("shareId");
+
+-- Custom migration
+UPDATE Config SET `order` = 0 WHERE key = "JWT_SECRET";
+UPDATE Config SET `order` = 0 WHERE key = "TOTP_SECRET";
+
+UPDATE Config SET `order` = 1 WHERE key = "APP_URL";
+UPDATE Config SET `order` = 2 WHERE key = "SHOW_HOME_PAGE";
+UPDATE Config SET `order` = 3 WHERE key = "ALLOW_REGISTRATION";
+UPDATE Config SET `order` = 4 WHERE key = "ALLOW_UNAUTHENTICATED_SHARES";
+UPDATE Config SET `order` = 5 WHERE key = "MAX_SHARE_SIZE";
+UPDATE Config SET `order` = 6, key = "ENABLE_SHARE_EMAIL_RECIPIENTS" WHERE key = "ENABLE_EMAIL_RECIPIENTS";
+UPDATE Config SET `order` = 7, key = "SHARE_RECEPIENTS_EMAIL_MESSAGE" WHERE key = "EMAIL_MESSAGE";
+UPDATE Config SET `order` = 8, key = "SHARE_RECEPIENTS_EMAIL_SUBJECT" WHERE key = "EMAIL_SUBJECT";
+UPDATE Config SET `order` = 12 WHERE key = "SMTP_HOST";
+UPDATE Config SET `order` = 13 WHERE key = "SMTP_PORT";
+UPDATE Config SET `order` = 14 WHERE key = "SMTP_EMAIL";
+UPDATE Config SET `order` = 15 WHERE key = "SMTP_USERNAME";
+UPDATE Config SET `order` = 16 WHERE key = "SMTP_PASSWORD";
+
+INSERT INTO Config (`order`, `key`, `description`, `type`, `value`, `category`, `secret`, `updatedAt`) VALUES (11, "SMTP_ENABLED", "Whether SMTP is enabled. Only set this to true if you entered the host, port, email, user and password of your SMTP server.", "boolean", IFNULL((SELECT value FROM Config WHERE key="ENABLE_SHARE_EMAIL_RECIPIENTS"), "false"), "smtp", 0, strftime('%s', 'now'));
+INSERT INTO Config (`order`, `key`, `description`, `type`, `value`, `category`, `secret`, `updatedAt`, `locked`) VALUES (0, "SETUP_STATUS", "Status of the setup wizard", "string", IIF((SELECT value FROM Config WHERE key="SETUP_FINISHED") == "true", "FINISHED", "STARTED"), "internal", 0, strftime('%s', 'now'), 1);
--- a/backend/prisma/migrations/20230209205230_v0_10_0/migration.sql
+++ b/backend/prisma/migrations/20230209205230_v0_10_0/migration.sql
@@ -0,0 +1,64 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `shareId` on the `ReverseShare` table. All the data in the column will be lost.
+  - You are about to drop the column `used` on the `ReverseShare` table. All the data in the column will be lost.
+  - Added the required column `remainingUses` to the `ReverseShare` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- CreateTable
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "ResetPasswordToken" (
+    "token" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "expiresAt" DATETIME NOT NULL,
+    "userId" TEXT NOT NULL,
+    CONSTRAINT "ResetPasswordToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+-- Disable TOTP as secret isn't encrypted anymore
+UPDATE User SET totpEnabled=false, totpSecret=null, totpVerified=false WHERE totpSecret IS NOT NULL;
+
+-- RedefineTables
+CREATE TABLE "new_Share" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "uploadLocked" BOOLEAN NOT NULL DEFAULT false,
+    "isZipReady" BOOLEAN NOT NULL DEFAULT false,
+    "views" INTEGER NOT NULL DEFAULT 0,
+    "expiration" DATETIME NOT NULL,
+    "description" TEXT,
+    "removedReason" TEXT,
+    "creatorId" TEXT,
+    "reverseShareId" TEXT,
+    CONSTRAINT "Share_creatorId_fkey" FOREIGN KEY ("creatorId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE,
+    CONSTRAINT "Share_reverseShareId_fkey" FOREIGN KEY ("reverseShareId") REFERENCES "ReverseShare" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+INSERT INTO "new_Share" ("createdAt", "creatorId", "description", "expiration", "id", "isZipReady", "removedReason", "uploadLocked", "views", "reverseShareId")
+SELECT "createdAt", "creatorId", "description", "expiration", "id", "isZipReady", "removedReason", "uploadLocked", "views", (SELECT id FROM ReverseShare WHERE shareId=Share.id)
+FROM "Share";
+
+
+DROP TABLE "Share";
+ALTER TABLE "new_Share" RENAME TO "Share";
+CREATE TABLE "new_ReverseShare" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "token" TEXT NOT NULL,
+    "shareExpiration" DATETIME NOT NULL,
+    "maxShareSize" TEXT NOT NULL,
+    "sendEmailNotification" BOOLEAN NOT NULL,
+    "remainingUses" INTEGER NOT NULL,
+    "creatorId" TEXT NOT NULL,
+    CONSTRAINT "ReverseShare_creatorId_fkey" FOREIGN KEY ("creatorId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+INSERT INTO "new_ReverseShare" ("createdAt", "creatorId", "id", "maxShareSize", "sendEmailNotification", "shareExpiration", "token", "remainingUses") SELECT "createdAt", "creatorId", "id", "maxShareSize", "sendEmailNotification", "shareExpiration", "token", iif("ReverseShare".used, 0, 1) FROM "ReverseShare";
+DROP TABLE "ReverseShare";
+ALTER TABLE "new_ReverseShare" RENAME TO "ReverseShare";
+CREATE UNIQUE INDEX "ReverseShare_token_key" ON "ReverseShare"("token");
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
+
+-- CreateIndex
+CREATE UNIQUE INDEX "ResetPasswordToken_userId_key" ON "ResetPasswordToken"("userId");
--- a/backend/prisma/migrations/20230303091601_v0_11_0/migration.sql
+++ b/backend/prisma/migrations/20230303091601_v0_11_0/migration.sql
@@ -0,0 +1,94 @@
+/*
+  Warnings:
+
+  - The primary key for the `Config` table will be changed. If it partially fails, the table could be left without primary key constraint.
+  - You are about to drop the column `key` on the `Config` table. All the data in the column will be lost.
+  - Added the required column `name` to the `Config` table without a default value. This is not possible if the table is not empty.
+
+*/
+
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "name" TEXT NOT NULL,
+    "category" TEXT NOT NULL,
+    "type" TEXT NOT NULL,
+    "value" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "obscured" BOOLEAN NOT NULL DEFAULT false,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false,
+    "order" INTEGER NOT NULL,
+
+    PRIMARY KEY ("name", "category")
+);
+-- INSERT INTO "new_Config" ("category", "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value") SELECT "category", "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value" FROM "Config";
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'internal', 'jwtSecret', "description", "locked", "obscured", 0, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'JWT_SECRET';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'general', 'appUrl', "description", "locked", "obscured", 1, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'APP_URL';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'general', 'showHomePage', "description", "locked", "obscured", 2, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'SHOW_HOME_PAGE';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'share', 'allowRegistration', "description", "locked", "obscured", 0, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'ALLOW_REGISTRATION';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'share', 'allowUnauthenticatedShares', "description", "locked", "obscured", 1, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'ALLOW_UNAUTHENTICATED_SHARES';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'share', 'maxSize', "description", "locked", "obscured", 1, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'MAX_SHARE_SIZE';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'email', 'enableShareEmailRecipients', "description", "locked", "obscured", 1, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'ENABLE_SHARE_EMAIL_RECIPIENTS';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'email', 'shareRecipientsSubject', "description", "locked", "obscured", 2, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'SHARE_RECEPIENTS_EMAIL_SUBJECT';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'email', 'shareRecipientsMessage', "description", "locked", "obscured", 3, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'SHARE_RECEPIENTS_EMAIL_MESSAGE';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'email', 'reverseShareSubject', "description", "locked", "obscured", 4, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'REVERSE_SHARE_EMAIL_SUBJECT';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'email', 'reverseShareMessage', "description", "locked", "obscured", 5, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'REVERSE_SHARE_EMAIL_MESSAGE';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'email', 'resetPasswordSubject', "description", "locked", "obscured", 6, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'RESET_PASSWORD_EMAIL_SUBJECT';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'email', 'resetPasswordMessage', "description", "locked", "obscured", 1, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'RESET_PASSWORD_EMAIL_MESSAGE';
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'smtp', 'enabled', "description", "locked", "obscured", 1, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'SMTP_ENABLED';
+
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'smtp', 'host', "description", "locked", "obscured", 1, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'SMTP_HOST';
+
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'smtp', 'port', "description", "locked", "obscured", 1, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'SMTP_PORT';
+
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'smtp', 'email', "description", "locked", "obscured", 1, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'SMTP_EMAIL';
+
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'smtp', 'username', "description", "locked", "obscured", 1, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'SMTP_USERNAME';
+
+
+INSERT INTO new_Config ("category", "name" , "description", "locked", "obscured", "order", "secret", "type", "updatedAt", "value")
+SELECT 'smtp', 'password', "description", "locked", "obscured", 1, "secret", "type", "updatedAt", "value" FROM Config WHERE key = 'SMTP_PASSWORD';
+
+
+DROP TABLE "Config";
+ALTER TABLE "new_Config" RENAME TO "Config";
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
--- a/backend/prisma/migrations/20230319120712_edited_value/migration.sql
+++ b/backend/prisma/migrations/20230319120712_edited_value/migration.sql
@@ -0,0 +1,23 @@
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "name" TEXT NOT NULL,
+    "category" TEXT NOT NULL,
+    "type" TEXT NOT NULL,
+    "value" TEXT,
+    "defaultValue" TEXT NOT NULL DEFAULT '',
+    "description" TEXT NOT NULL,
+    "obscured" BOOLEAN NOT NULL DEFAULT false,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false,
+    "order" INTEGER NOT NULL,
+
+    PRIMARY KEY ("name", "category")
+);
+INSERT INTO "new_Config" ("category", "description", "locked", "name", "obscured", "order", "secret", "type", "updatedAt", "value") SELECT "category", "description", "locked", "name", "obscured", "order", "secret", "type", "updatedAt", "value" FROM "Config";
+DROP TABLE "Config";
+ALTER TABLE "new_Config" RENAME TO "Config";
+
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
--- a/backend/prisma/migrations/20230718155819_remove_config_veriable_description/migration.sql
+++ b/backend/prisma/migrations/20230718155819_remove_config_veriable_description/migration.sql
@@ -0,0 +1,27 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `description` on the `Config` table. All the data in the column will be lost.
+
+*/
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_Config" (
+    "updatedAt" DATETIME NOT NULL,
+    "name" TEXT NOT NULL,
+    "category" TEXT NOT NULL,
+    "type" TEXT NOT NULL,
+    "defaultValue" TEXT NOT NULL DEFAULT '',
+    "value" TEXT,
+    "obscured" BOOLEAN NOT NULL DEFAULT false,
+    "secret" BOOLEAN NOT NULL DEFAULT true,
+    "locked" BOOLEAN NOT NULL DEFAULT false,
+    "order" INTEGER NOT NULL,
+
+    PRIMARY KEY ("name", "category")
+);
+INSERT INTO "new_Config" ("category", "defaultValue", "locked", "name", "obscured", "order", "secret", "type", "updatedAt", "value") SELECT "category", "defaultValue", "locked", "name", "obscured", "order", "secret", "type", "updatedAt", "value" FROM "Config";
+DROP TABLE "Config";
+ALTER TABLE "new_Config" RENAME TO "Config";
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
--- a/backend/prisma/migrations/20231021165436_oauth/migration.sql
+++ b/backend/prisma/migrations/20231021165436_oauth/migration.sql
@@ -0,0 +1,31 @@
+-- CreateTable
+CREATE TABLE "OAuthUser" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "provider" TEXT NOT NULL,
+    "providerUserId" TEXT NOT NULL,
+    "providerUsername" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    CONSTRAINT "OAuthUser_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_User" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "updatedAt" DATETIME NOT NULL,
+    "username" TEXT NOT NULL,
+    "email" TEXT NOT NULL,
+    "password" TEXT,
+    "isAdmin" BOOLEAN NOT NULL DEFAULT false,
+    "totpEnabled" BOOLEAN NOT NULL DEFAULT false,
+    "totpVerified" BOOLEAN NOT NULL DEFAULT false,
+    "totpSecret" TEXT
+);
+INSERT INTO "new_User" ("createdAt", "email", "id", "isAdmin", "password", "totpEnabled", "totpSecret", "totpVerified", "updatedAt", "username") SELECT "createdAt", "email", "id", "isAdmin", "password", "totpEnabled", "totpSecret", "totpVerified", "updatedAt", "username" FROM "User";
+DROP TABLE "User";
+ALTER TABLE "new_User" RENAME TO "User";
+CREATE UNIQUE INDEX "User_username_key" ON "User"("username");
+CREATE UNIQUE INDEX "User_email_key" ON "User"("email");
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
--- a/backend/prisma/migrations/20240501154254_share_name_property/migration.sql
+++ b/backend/prisma/migrations/20240501154254_share_name_property/migration.sql
@@ -0,0 +1,2 @@
+-- AlterTable
+ALTER TABLE "Share" ADD COLUMN "name" TEXT;
--- a/backend/prisma/migrations/20240609145325_add_simplied_field_for_reverse_share/migration.sql
+++ b/backend/prisma/migrations/20240609145325_add_simplied_field_for_reverse_share/migration.sql
@@ -0,0 +1,20 @@
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_ReverseShare" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "token" TEXT NOT NULL,
+    "shareExpiration" DATETIME NOT NULL,
+    "maxShareSize" TEXT NOT NULL,
+    "sendEmailNotification" BOOLEAN NOT NULL,
+    "remainingUses" INTEGER NOT NULL,
+    "simplified" BOOLEAN NOT NULL DEFAULT false,
+    "creatorId" TEXT NOT NULL,
+    CONSTRAINT "ReverseShare_creatorId_fkey" FOREIGN KEY ("creatorId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+INSERT INTO "new_ReverseShare" ("createdAt", "creatorId", "id", "maxShareSize", "remainingUses", "sendEmailNotification", "shareExpiration", "token") SELECT "createdAt", "creatorId", "id", "maxShareSize", "remainingUses", "sendEmailNotification", "shareExpiration", "token" FROM "ReverseShare";
+DROP TABLE "ReverseShare";
+ALTER TABLE "new_ReverseShare" RENAME TO "ReverseShare";
+CREATE UNIQUE INDEX "ReverseShare_token_key" ON "ReverseShare"("token");
+PRAGMA foreign_key_check;
+PRAGMA foreign_keys=ON;
--- a/backend/prisma/migrations/20240725141038_add_public_access_field_for_reverse_share/migration.sql
+++ b/backend/prisma/migrations/20240725141038_add_public_access_field_for_reverse_share/migration.sql
@@ -0,0 +1,22 @@
+-- RedefineTables
+PRAGMA defer_foreign_keys=ON;
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_ReverseShare" (
+    "id" TEXT NOT NULL PRIMARY KEY,
+    "createdAt" DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "token" TEXT NOT NULL,
+    "shareExpiration" DATETIME NOT NULL,
+    "maxShareSize" TEXT NOT NULL,
+    "sendEmailNotification" BOOLEAN NOT NULL,
+    "remainingUses" INTEGER NOT NULL,
+    "simplified" BOOLEAN NOT NULL DEFAULT false,
+    "publicAccess" BOOLEAN NOT NULL DEFAULT true,
+    "creatorId" TEXT NOT NULL,
+    CONSTRAINT "ReverseShare_creatorId_fkey" FOREIGN KEY ("creatorId") REFERENCES "User" ("id") ON DELETE CASCADE ON UPDATE CASCADE
+);
+INSERT INTO "new_ReverseShare" ("createdAt", "creatorId", "id", "maxShareSize", "remainingUses", "sendEmailNotification", "shareExpiration", "simplified", "token") SELECT "createdAt", "creatorId", "id", "maxShareSize", "remainingUses", "sendEmailNotification", "shareExpiration", "simplified", "token" FROM "ReverseShare";
+DROP TABLE "ReverseShare";
+ALTER TABLE "new_ReverseShare" RENAME TO "ReverseShare";
+CREATE UNIQUE INDEX "ReverseShare_token_key" ON "ReverseShare"("token");
+PRAGMA foreign_keys=ON;
+PRAGMA defer_foreign_keys=OFF;
--- a/backend/prisma/migrations/20240803232708_ldap_support/migration.sql
+++ b/backend/prisma/migrations/20240803232708_ldap_support/migration.sql
@@ -0,0 +1,11 @@
+/*
+  Warnings:
+
+  - A unique constraint covering the columns `[ldapDN]` on the table `User` will be added. If there are existing duplicate values, this will fail.
+
+*/
+-- AlterTable
+ALTER TABLE "User" ADD COLUMN "ldapDN" TEXT;
+
+-- CreateIndex
+CREATE UNIQUE INDEX "User_ldapDN_key" ON "User"("ldapDN");
--- a/backend/prisma/schema.prisma
+++ b/backend/prisma/schema.prisma
@@ -4,7 +4,7 @@ generator client {

 datasource db {
  provider = "sqlite"
-  url      = "file:../data/pingvin-share.db"
+  url      = env("DATABASE_URL")
 }

 model User {
@@ -12,17 +12,28 @@ model User {
  createdAt DateTime @default(now())
  updatedAt DateTime @updatedAt

-  email     String  @unique
-  password  String
-  firstName String?
-  lastName  String?
+  username String  @unique
+  email    String  @unique
+  password String?
+  isAdmin  Boolean @default(false)
+  ldapDN   String? @unique

  shares        Share[]
  refreshTokens RefreshToken[]
+  loginTokens   LoginToken[]
+  reverseShares ReverseShare[]
+
+  totpEnabled        Boolean             @default(false)
+  totpVerified       Boolean             @default(false)
+  totpSecret         String?
+  resetPasswordToken ResetPasswordToken?
+
+  oAuthUsers OAuthUser[]
 }

 model RefreshToken {
-  token     String   @id @default(uuid())
+  id        String   @id @default(uuid())
+  token     String   @unique @default(uuid())
  createdAt DateTime @default(now())

  expiresAt DateTime
@@ -31,19 +42,83 @@ model RefreshToken {
  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
 }

+model LoginToken {
+  token     String   @id @default(uuid())
+  createdAt DateTime @default(now())
+
+  expiresAt DateTime
+
+  userId String
+  user   User    @relation(fields: [userId], references: [id], onDelete: Cascade)
+  used   Boolean @default(false)
+}
+
+model ResetPasswordToken {
+  token     String   @id @default(uuid())
+  createdAt DateTime @default(now())
+
+  expiresAt DateTime
+
+  userId String @unique
+  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+}
+
+model OAuthUser {
+  id               String @id @default(uuid())
+  provider         String
+  providerUserId   String
+  providerUsername String
+  userId           String
+  user             User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+}
+
 model Share {
  id        String   @id @default(uuid())
  createdAt DateTime @default(now())

-  uploadLocked Boolean  @default(false)
-  isZipReady   Boolean  @default(false)
-  views        Int      @default(0)
-  expiration   DateTime
+  name          String?
+  uploadLocked  Boolean  @default(false)
+  isZipReady    Boolean  @default(false)
+  views         Int      @default(0)
+  expiration    DateTime
+  description   String?
+  removedReason String?
+
+  creatorId String?
+  creator   User?   @relation(fields: [creatorId], references: [id], onDelete: Cascade)
+
+  reverseShareId String?
+  reverseShare   ReverseShare? @relation(fields: [reverseShareId], references: [id], onDelete: Cascade)
+
+  security   ShareSecurity?
+  recipients ShareRecipient[]
+  files      File[]
+}
+
+model ReverseShare {
+  id        String   @id @default(uuid())
+  createdAt DateTime @default(now())
+
+  token                 String   @unique @default(uuid())
+  shareExpiration       DateTime
+  maxShareSize          String
+  sendEmailNotification Boolean
+  remainingUses         Int
+  simplified            Boolean  @default(false)
+  publicAccess          Boolean  @default(true)

  creatorId String
-  creator   User           @relation(fields: [creatorId], references: [id])
-  security  ShareSecurity?
-  files     File[]
+  creator   User   @relation(fields: [creatorId], references: [id], onDelete: Cascade)
+
+  shares Share[]
+}
+
+model ShareRecipient {
+  id    String @id @default(uuid())
+  email String
+
+  shareId String
+  share   Share  @relation(fields: [shareId], references: [id], onDelete: Cascade)
 }

 model File {
@@ -67,3 +142,19 @@ model ShareSecurity {
  shareId String? @unique
  share   Share?  @relation(fields: [shareId], references: [id], onDelete: Cascade)
 }
+
+model Config {
+  updatedAt DateTime @updatedAt
+
+  name         String
+  category     String
+  type         String
+  defaultValue String  @default("")
+  value        String?
+  obscured     Boolean @default(false)
+  secret       Boolean @default(true)
+  locked       Boolean @default(false)
+  order        Int
+
+  @@id([name, category])
+}
--- a/backend/prisma/seed/config.seed.ts
+++ b/backend/prisma/seed/config.seed.ts
@@ -0,0 +1,395 @@
+import { Prisma, PrismaClient } from "@prisma/client";
+import * as crypto from "crypto";
+
+const configVariables: ConfigVariables = {
+  internal: {
+    jwtSecret: {
+      type: "string",
+      value: crypto.randomBytes(256).toString("base64"),
+      locked: true,
+    },
+  },
+  general: {
+    appName: {
+      type: "string",
+      defaultValue: "Pingvin Share",
+      secret: false,
+    },
+    appUrl: {
+      type: "string",
+      defaultValue: "http://localhost:3000",
+      secret: false,
+    },
+    showHomePage: {
+      type: "boolean",
+      defaultValue: "true",
+      secret: false,
+    },
+    sessionDuration: {
+      type: "number",
+      defaultValue: "2160",
+      secret: false,
+    },
+  },
+  share: {
+    allowRegistration: {
+      type: "boolean",
+      defaultValue: "true",
+      secret: false,
+    },
+    allowUnauthenticatedShares: {
+      type: "boolean",
+      defaultValue: "false",
+      secret: false,
+    },
+    maxExpiration: {
+      type: "number",
+      defaultValue: "0",
+      secret: false,
+    },
+    maxSize: {
+      type: "number",
+      defaultValue: "1000000000",
+      secret: false,
+    },
+    zipCompressionLevel: {
+      type: "number",
+      defaultValue: "9",
+    },
+    chunkSize: {
+      type: "number",
+      defaultValue: "10000000",
+      secret: false,
+    },
+    autoOpenShareModal: {
+      type: "boolean",
+      defaultValue: "false",
+      secret: false,
+    },
+  },
+  email: {
+    enableShareEmailRecipients: {
+      type: "boolean",
+      defaultValue: "false",
+      secret: false,
+    },
+    shareRecipientsSubject: {
+      type: "string",
+      defaultValue: "Files shared with you",
+    },
+    shareRecipientsMessage: {
+      type: "text",
+      defaultValue:
+        "Hey!\n\n{creator} shared some files with you, view or download the files with this link: {shareUrl}\n\nThe share will expire {expires}.\n\nNote: {desc}\n\nShared securely with Pingvin Share 🐧",
+    },
+    reverseShareSubject: {
+      type: "string",
+      defaultValue: "Reverse share link used",
+    },
+    reverseShareMessage: {
+      type: "text",
+      defaultValue:
+        "Hey!\n\nA share was just created with your reverse share link: {shareUrl}\n\nShared securely with Pingvin Share 🐧",
+    },
+    resetPasswordSubject: {
+      type: "string",
+      defaultValue: "Pingvin Share password reset",
+    },
+    resetPasswordMessage: {
+      type: "text",
+      defaultValue:
+        "Hey!\n\nYou requested a password reset. Click this link to reset your password: {url}\nThe link expires in a hour.\n\nPingvin Share 🐧",
+    },
+    inviteSubject: {
+      type: "string",
+      defaultValue: "Pingvin Share invite",
+    },
+    inviteMessage: {
+      type: "text",
+      defaultValue:
+        "Hey!\n\nYou were invited to Pingvin Share. Click this link to accept the invite: {url}\n\nYour password is: {password}\n\nPingvin Share 🐧",
+    },
+  },
+  smtp: {
+    enabled: {
+      type: "boolean",
+      defaultValue: "false",
+      secret: false,
+    },
+    allowUnauthorizedCertificates: {
+      type: "boolean",
+      defaultValue: "false",
+
+      secret: false,
+    },
+    host: {
+      type: "string",
+      defaultValue: "",
+    },
+    port: {
+      type: "number",
+      defaultValue: "0",
+    },
+    email: {
+      type: "string",
+      defaultValue: "",
+    },
+    username: {
+      type: "string",
+      defaultValue: "",
+    },
+    password: {
+      type: "string",
+      defaultValue: "",
+      obscured: true,
+    },
+  },
+  ldap: {
+    enabled: {
+      type: "boolean",
+      defaultValue: "false",
+      secret: false,
+    },
+
+    url: {
+      type: "string",
+      defaultValue: "",
+    },
+
+    bindDn: {
+      type: "string",
+      defaultValue: "",
+    },
+    bindPassword: {
+      type: "string",
+      defaultValue: "",
+      obscured: true,
+    },
+
+    searchBase: {
+      type: "string",
+      defaultValue: "",
+    },
+    searchQuery: {
+      type: "string",
+      defaultValue: ""
+    },
+
+    adminGroups: {
+      type: "string",
+      defaultValue: ""
+    }
+  },
+  oauth: {
+    "allowRegistration": {
+      type: "boolean",
+      defaultValue: "true",
+    },
+    "ignoreTotp": {
+      type: "boolean",
+      defaultValue: "true",
+    },
+    "disablePassword": {
+      type: "boolean",
+      defaultValue: "false",
+      secret: false,
+    },
+    "github-enabled": {
+      type: "boolean",
+      defaultValue: "false",
+    },
+    "github-clientId": {
+      type: "string",
+      defaultValue: "",
+    },
+    "github-clientSecret": {
+      type: "string",
+      defaultValue: "",
+      obscured: true,
+    },
+    "google-enabled": {
+      type: "boolean",
+      defaultValue: "false",
+    },
+    "google-clientId": {
+      type: "string",
+      defaultValue: "",
+    },
+    "google-clientSecret": {
+      type: "string",
+      defaultValue: "",
+      obscured: true,
+    },
+    "microsoft-enabled": {
+      type: "boolean",
+      defaultValue: "false",
+    },
+    "microsoft-tenant": {
+      type: "string",
+      defaultValue: "common",
+    },
+    "microsoft-clientId": {
+      type: "string",
+      defaultValue: "",
+    },
+    "microsoft-clientSecret": {
+      type: "string",
+      defaultValue: "",
+      obscured: true,
+    },
+    "discord-enabled": {
+      type: "boolean",
+      defaultValue: "false",
+    },
+    "discord-limitedGuild": {
+      type: "string",
+      defaultValue: "",
+    },
+    "discord-clientId": {
+      type: "string",
+      defaultValue: "",
+    },
+    "discord-clientSecret": {
+      type: "string",
+      defaultValue: "",
+      obscured: true,
+    },
+    "oidc-enabled": {
+      type: "boolean",
+      defaultValue: "false",
+    },
+    "oidc-discoveryUri": {
+      type: "string",
+      defaultValue: "",
+    },
+    "oidc-usernameClaim": {
+      type: "string",
+      defaultValue: "",
+    },
+    "oidc-rolePath": {
+      type: "string",
+      defaultValue: "",
+    },
+    "oidc-roleGeneralAccess": {
+      type: "string",
+      defaultValue: "",
+    },
+    "oidc-roleAdminAccess": {
+      type: "string",
+      defaultValue: "",
+    },
+    "oidc-clientId": {
+      type: "string",
+      defaultValue: "",
+    },
+    "oidc-clientSecret": {
+      type: "string",
+      defaultValue: "",
+      obscured: true,
+    },
+  },
+};
+
+type ConfigVariables = {
+  [category: string]: {
+    [variable: string]: Omit<
+      Prisma.ConfigCreateInput,
+      "name" | "category" | "order"
+    >;
+  };
+};
+
+const prisma = new PrismaClient({
+  datasources: {
+    db: {
+      url:
+        process.env.DATABASE_URL ||
+        "file:../data/pingvin-share.db?connection_limit=1",
+    },
+  },
+});
+
+async function seedConfigVariables() {
+  for (const [category, configVariablesOfCategory] of Object.entries(
+    configVariables
+  )) {
+    let order = 0;
+    for (const [name, properties] of Object.entries(
+      configVariablesOfCategory
+    )) {
+      const existingConfigVariable = await prisma.config.findUnique({
+        where: { name_category: { name, category } },
+      });
+
+      // Create a new config variable if it doesn't exist
+      if (!existingConfigVariable) {
+        await prisma.config.create({
+          data: {
+            order,
+            name,
+            ...properties,
+            category,
+          },
+        });
+      }
+      order++;
+    }
+  }
+}
+
+async function migrateConfigVariables() {
+  const existingConfigVariables = await prisma.config.findMany();
+  const orderMap: { [category: string]: number } = {};
+
+  for (const existingConfigVariable of existingConfigVariables) {
+    const configVariable =
+      configVariables[existingConfigVariable.category]?.[
+      existingConfigVariable.name
+      ];
+
+    // Delete the config variable if it doesn't exist in the seed
+    if (!configVariable) {
+      await prisma.config.delete({
+        where: {
+          name_category: {
+            name: existingConfigVariable.name,
+            category: existingConfigVariable.category,
+          },
+        },
+      });
+
+      // Update the config variable if it exists in the seed
+    } else {
+      const variableOrder = Object.keys(
+        configVariables[existingConfigVariable.category]
+      ).indexOf(existingConfigVariable.name);
+      await prisma.config.update({
+        where: {
+          name_category: {
+            name: existingConfigVariable.name,
+            category: existingConfigVariable.category,
+          },
+        },
+        data: {
+          ...configVariable,
+          name: existingConfigVariable.name,
+          category: existingConfigVariable.category,
+          value: existingConfigVariable.value,
+          order: variableOrder,
+        },
+      });
+      orderMap[existingConfigVariable.category] = variableOrder + 1;
+    }
+  }
+}
+
+seedConfigVariables()
+  .then(() => migrateConfigVariables())
+  .then(async () => {
+    await prisma.$disconnect();
+  })
+  .catch(async (e) => {
+    console.error(e);
+    await prisma.$disconnect();
+    process.exit(1);
+  });
--- a/backend/src/app.controller.ts
+++ b/backend/src/app.controller.ts
@@ -0,0 +1,19 @@
+import { Controller, Get, Res } from "@nestjs/common";
+import { Response } from "express";
+import { PrismaService } from "./prisma/prisma.service";
+
+@Controller("/")
+export class AppController {
+  constructor(private prismaService: PrismaService) {}
+
+  @Get("health")
+  async health(@Res({ passthrough: true }) res: Response) {
+    try {
+      await this.prismaService.config.findMany();
+      return "OK";
+    } catch {
+      res.statusCode = 500;
+      return "ERROR";
+    }
+  }
+}
--- a/backend/src/app.module.ts
+++ b/backend/src/app.module.ts
@@ -1,27 +1,53 @@
 import { Module } from "@nestjs/common";
-import { ConfigModule } from "@nestjs/config";
+
 import { ScheduleModule } from "@nestjs/schedule";
 import { AuthModule } from "./auth/auth.module";
-import { JobsService } from "./jobs/jobs.service";

-import { FileController } from "./file/file.controller";
+import { CacheModule } from "@nestjs/cache-manager";
+import { APP_GUARD } from "@nestjs/core";
+import { ThrottlerGuard, ThrottlerModule } from "@nestjs/throttler";
+import { AppController } from "./app.controller";
+import { ClamScanModule } from "./clamscan/clamscan.module";
+import { ConfigModule } from "./config/config.module";
+import { EmailModule } from "./email/email.module";
 import { FileModule } from "./file/file.module";
+import { JobsModule } from "./jobs/jobs.module";
+import { OAuthModule } from "./oauth/oauth.module";
 import { PrismaModule } from "./prisma/prisma.module";
-import { PrismaService } from "./prisma/prisma.service";
-import { ShareController } from "./share/share.controller";
+import { ReverseShareModule } from "./reverseShare/reverseShare.module";
 import { ShareModule } from "./share/share.module";
-import { UserController } from "./user/user.controller";
+import { UserModule } from "./user/user.module";

@Module({
  imports: [
    AuthModule,
    ShareModule,
    FileModule,
+    EmailModule,
    PrismaModule,
-    ConfigModule.forRoot({ isGlobal: true }),
+    ConfigModule,
+    JobsModule,
+    UserModule,
+    ThrottlerModule.forRoot([
+      {
+        ttl: 60,
+        limit: 100,
+      },
+    ]),
    ScheduleModule.forRoot(),
+    ClamScanModule,
+    ReverseShareModule,
+    OAuthModule,
+    CacheModule.register({
+      isGlobal: true,
+    }),
+  ],
+  controllers: [AppController],
+  providers: [
+    {
+      provide: APP_GUARD,
+      useClass: ThrottlerGuard,
+    },
  ],
-  providers: [PrismaService, JobsService],
-  controllers: [UserController, ShareController, FileController],
 })
 export class AppModule {}
--- a/backend/src/auth/auth.controller.ts
+++ b/backend/src/auth/auth.controller.ts
@@ -3,41 +3,200 @@ import {
  Controller,
  ForbiddenException,
  HttpCode,
+  Param,
+  Patch,
  Post,
+  Req,
+  Res,
+  UnauthorizedException,
+  UseGuards,
 } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
-
+import { Throttle } from "@nestjs/throttler";
+import { User } from "@prisma/client";
+import { Request, Response } from "express";
+import { ConfigService } from "src/config/config.service";
 import { AuthService } from "./auth.service";
+import { AuthTotpService } from "./authTotp.service";
+import { GetUser } from "./decorator/getUser.decorator";
 import { AuthRegisterDTO } from "./dto/authRegister.dto";
 import { AuthSignInDTO } from "./dto/authSignIn.dto";
-import { RefreshAccessTokenDTO } from "./dto/refreshAccessToken.dto";
+import { AuthSignInTotpDTO } from "./dto/authSignInTotp.dto";
+import { EnableTotpDTO } from "./dto/enableTotp.dto";
+import { ResetPasswordDTO } from "./dto/resetPassword.dto";
+import { TokenDTO } from "./dto/token.dto";
+import { UpdatePasswordDTO } from "./dto/updatePassword.dto";
+import { VerifyTotpDTO } from "./dto/verifyTotp.dto";
+import { JwtGuard } from "./guard/jwt.guard";

@Controller("auth")
 export class AuthController {
  constructor(
    private authService: AuthService,
-    private config: ConfigService
+    private authTotpService: AuthTotpService,
+    private config: ConfigService,
  ) {}

  @Post("signUp")
-  signUp(@Body() dto: AuthRegisterDTO) {
-    if (this.config.get("ALLOW_REGISTRATION") == "false")
+  @Throttle({
+    default: {
+      limit: 20,
+      ttl: 5 * 60,
+    },
+  })
+  async signUp(
+    @Body() dto: AuthRegisterDTO,
+    @Req() { ip }: Request,
+    @Res({ passthrough: true }) response: Response,
+  ) {
+    if (!this.config.get("share.allowRegistration"))
      throw new ForbiddenException("Registration is not allowed");
-    return this.authService.signUp(dto);
+
+    const result = await this.authService.signUp(dto, ip);
+
+    this.authService.addTokensToResponse(
+      response,
+      result.refreshToken,
+      result.accessToken,
+    );
+
+    return result;
  }

  @Post("signIn")
+  @Throttle({
+    default: {
+      limit: 20,
+      ttl: 5 * 60,
+    },
+  })
  @HttpCode(200)
-  signIn(@Body() dto: AuthSignInDTO) {
-    return this.authService.signIn(dto);
+  async signIn(
+    @Body() dto: AuthSignInDTO,
+    @Req() { ip }: Request,
+    @Res({ passthrough: true }) response: Response,
+  ) {
+    const result = await this.authService.signIn(dto, ip);
+
+    if (result.accessToken && result.refreshToken) {
+      this.authService.addTokensToResponse(
+        response,
+        result.refreshToken,
+        result.accessToken,
+      );
+    }
+
+    return result;
+  }
+
+  @Post("signIn/totp")
+  @Throttle({
+    default: {
+      limit: 20,
+      ttl: 5 * 60,
+    },
+  })
+  @HttpCode(200)
+  async signInTotp(
+    @Body() dto: AuthSignInTotpDTO,
+    @Res({ passthrough: true }) response: Response,
+  ) {
+    const result = await this.authTotpService.signInTotp(dto);
+
+    this.authService.addTokensToResponse(
+      response,
+      result.refreshToken,
+      result.accessToken,
+    );
+
+    return new TokenDTO().from(result);
+  }
+
+  @Post("resetPassword/:email")
+  @Throttle({
+    default: {
+      limit: 20,
+      ttl: 5 * 60,
+    },
+  })
+  @HttpCode(202)
+  async requestResetPassword(@Param("email") email: string) {
+    this.authService.requestResetPassword(email);
+  }
+
+  @Post("resetPassword")
+  @Throttle({
+    default: {
+      limit: 20,
+      ttl: 5 * 60,
+    },
+  })
+  @HttpCode(204)
+  async resetPassword(@Body() dto: ResetPasswordDTO) {
+    return await this.authService.resetPassword(dto.token, dto.password);
+  }
+
+  @Patch("password")
+  @UseGuards(JwtGuard)
+  async updatePassword(
+    @GetUser() user: User,
+    @Res({ passthrough: true }) response: Response,
+    @Body() dto: UpdatePasswordDTO,
+  ) {
+    const result = await this.authService.updatePassword(
+      user,
+      dto.password,
+      dto.oldPassword,
+    );
+
+    this.authService.addTokensToResponse(response, result.refreshToken);
+    return new TokenDTO().from(result);
  }

  @Post("token")
  @HttpCode(200)
-  async refreshAccessToken(@Body() body: RefreshAccessTokenDTO) {
+  async refreshAccessToken(
+    @Req() request: Request,
+    @Res({ passthrough: true }) response: Response,
+  ) {
+    if (!request.cookies.refresh_token) throw new UnauthorizedException();
+
    const accessToken = await this.authService.refreshAccessToken(
-      body.refreshToken
+      request.cookies.refresh_token,
    );
-    return { accessToken };
+    this.authService.addTokensToResponse(response, undefined, accessToken);
+    return new TokenDTO().from({ accessToken });
+  }
+
+  @Post("signOut")
+  async signOut(
+    @Req() request: Request,
+    @Res({ passthrough: true }) response: Response,
+  ) {
+    await this.authService.signOut(request.cookies.access_token);
+    response.cookie("access_token", "accessToken", { maxAge: -1 });
+    response.cookie("refresh_token", "", {
+      path: "/api/auth/token",
+      httpOnly: true,
+      maxAge: -1,
+    });
+  }
+
+  @Post("totp/enable")
+  @UseGuards(JwtGuard)
+  async enableTotp(@GetUser() user: User, @Body() body: EnableTotpDTO) {
+    return this.authTotpService.enableTotp(user, body.password);
+  }
+
+  @Post("totp/verify")
+  @UseGuards(JwtGuard)
+  async verifyTotp(@GetUser() user: User, @Body() body: VerifyTotpDTO) {
+    return this.authTotpService.verifyTotp(user, body.password, body.code);
+  }
+
+  @Post("totp/disable")
+  @UseGuards(JwtGuard)
+  async disableTotp(@GetUser() user: User, @Body() body: VerifyTotpDTO) {
+    // Note: We use VerifyTotpDTO here because it has both fields we need: password and totp code
+    return this.authTotpService.disableTotp(user, body.password, body.code);
  }
 }
--- a/backend/src/auth/auth.module.ts
+++ b/backend/src/auth/auth.module.ts
@@ -1,13 +1,23 @@
 import { Module } from "@nestjs/common";
 import { JwtModule } from "@nestjs/jwt";
+import { EmailModule } from "src/email/email.module";
 import { AuthController } from "./auth.controller";
 import { AuthService } from "./auth.service";
+import { AuthTotpService } from "./authTotp.service";
 import { JwtStrategy } from "./strategy/jwt.strategy";
+import { LdapService } from "./ldap.service";
+import { UserModule } from "../user/user.module";

@Module({
-  imports: [JwtModule.register({})],
+  imports: [
+    JwtModule.register({
+      global: true,
+    }),
+    EmailModule,
+    UserModule,
+  ],
  controllers: [AuthController],
-  providers: [AuthService, JwtStrategy],
+  providers: [AuthService, AuthTotpService, JwtStrategy, LdapService],
  exports: [AuthService],
 })
-export class AuthModule {}
+export class AuthModule { }
--- a/backend/src/auth/auth.service.ts
+++ b/backend/src/auth/auth.service.ts
@@ -1,78 +1,224 @@
 import {
  BadRequestException,
+  ForbiddenException,
  Injectable,
+  Logger,
  UnauthorizedException,
 } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
 import { JwtService } from "@nestjs/jwt";
 import { User } from "@prisma/client";
-import { PrismaClientKnownRequestError } from "@prisma/client/runtime";
+import { PrismaClientKnownRequestError } from "@prisma/client/runtime/library";
 import * as argon from "argon2";
+import { Request, Response } from "express";
 import * as moment from "moment";
+import { ConfigService } from "src/config/config.service";
+import { EmailService } from "src/email/email.service";
 import { PrismaService } from "src/prisma/prisma.service";
 import { AuthRegisterDTO } from "./dto/authRegister.dto";
 import { AuthSignInDTO } from "./dto/authSignIn.dto";
+import { LdapService } from "./ldap.service";
+import { inspect } from "util";
+import { UserSevice } from "../user/user.service";

@Injectable()
 export class AuthService {
  constructor(
    private prisma: PrismaService,
    private jwtService: JwtService,
-    private config: ConfigService
-  ) {}
+    private config: ConfigService,
+    private emailService: EmailService,
+    private ldapService: LdapService,
+    private userService: UserSevice,
+  ) { }
+  private readonly logger = new Logger(AuthService.name);

-  async signUp(dto: AuthRegisterDTO) {
-    const hash = await argon.hash(dto.password);
+  async signUp(dto: AuthRegisterDTO, ip: string, isAdmin?: boolean) {
+    const isFirstUser = (await this.prisma.user.count()) == 0;
+
+    const hash = dto.password ? await argon.hash(dto.password) : null;
    try {
      const user = await this.prisma.user.create({
        data: {
          email: dto.email,
+          username: dto.username,
          password: hash,
+          isAdmin: isAdmin ?? isFirstUser,
        },
      });

-      const accessToken = await this.createAccessToken(user);
-      const refreshToken = await this.createRefreshToken(user.id);
+      const { refreshToken, refreshTokenId } = await this.createRefreshToken(
+        user.id,
+      );
+      const accessToken = await this.createAccessToken(user, refreshTokenId);

-      return { accessToken, refreshToken };
+      this.logger.log(`User ${user.email} signed up from IP ${ip}`);
+      return { accessToken, refreshToken, user };
    } catch (e) {
      if (e instanceof PrismaClientKnownRequestError) {
        if (e.code == "P2002") {
-          throw new BadRequestException("Credentials taken");
+          const duplicatedField: string = e.meta.target[0];
+          throw new BadRequestException(
+            `A user with this ${duplicatedField} already exists`,
+          );
        }
      }
    }
  }

-  async signIn(dto: AuthSignInDTO) {
-    const user = await this.prisma.user.findUnique({
-      where: {
-        email: dto.email,
-      },
-    });
+  async signIn(dto: AuthSignInDTO, ip: string) {
+    if (!dto.email && !dto.username)
+      throw new BadRequestException("Email or username is required");

-    if (!user || !(await argon.verify(user.password, dto.password)))
-      throw new UnauthorizedException("Wrong email or password");
+    if (!this.config.get("oauth.disablePassword")) {
+      const user = await this.prisma.user.findFirst({
+        where: {
+          OR: [{ email: dto.email }, { username: dto.username }],
+        },
+      });

-    const accessToken = await this.createAccessToken(user);
-    const refreshToken = await this.createRefreshToken(user.id);
+      if (user?.password && await argon.verify(user.password, dto.password)) {
+        this.logger.log(`Successful password login for user ${user.email} from IP ${ip}`);
+        return this.generateToken(user);
+      }
+    }
+
+    if (this.config.get("ldap.enabled")) {
+      this.logger.debug(`Trying LDAP login for user ${dto.username}`);
+      const ldapUser = await this.ldapService.authenticateUser(dto.username, dto.password);
+      if (ldapUser) {
+        const user = await this.userService.findOrCreateFromLDAP(dto.username, ldapUser);
+        this.logger.log(`Successful LDAP login for user ${user.email} from IP ${ip}`);
+        return this.generateToken(user);
+      }
+    }
+
+    this.logger.log(
+      `Failed login attempt for user ${dto.email || dto.username} from IP ${ip}`,
+    );
+    throw new UnauthorizedException("Wrong email or password");
+  }
+
+  async generateToken(user: User, isOAuth = false) {
+    // TODO: Make all old loginTokens invalid when a new one is created
+    // Check if the user has TOTP enabled
+    if (
+      user.totpVerified &&
+      !(isOAuth && this.config.get("oauth.ignoreTotp"))
+    ) {
+      const loginToken = await this.createLoginToken(user.id);
+
+      return { loginToken };
+    }
+
+    const { refreshToken, refreshTokenId } = await this.createRefreshToken(
+      user.id,
+    );
+    const accessToken = await this.createAccessToken(user, refreshTokenId);

    return { accessToken, refreshToken };
  }

-  async createAccessToken(user: User) {
+  async requestResetPassword(email: string) {
+    if (this.config.get("oauth.disablePassword"))
+      throw new ForbiddenException("Password sign in is disabled");
+
+    const user = await this.prisma.user.findFirst({
+      where: { email },
+      include: { resetPasswordToken: true },
+    });
+
+    if (!user) return;
+
+    // Delete old reset password token
+    if (user.resetPasswordToken) {
+      await this.prisma.resetPasswordToken.delete({
+        where: { token: user.resetPasswordToken.token },
+      });
+    }
+
+    const { token } = await this.prisma.resetPasswordToken.create({
+      data: {
+        expiresAt: moment().add(1, "hour").toDate(),
+        user: { connect: { id: user.id } },
+      },
+    });
+
+    await this.emailService.sendResetPasswordEmail(user.email, token);
+  }
+
+  async resetPassword(token: string, newPassword: string) {
+    if (this.config.get("oauth.disablePassword"))
+      throw new ForbiddenException("Password sign in is disabled");
+
+    const user = await this.prisma.user.findFirst({
+      where: { resetPasswordToken: { token } },
+    });
+
+    if (!user) throw new BadRequestException("Token invalid or expired");
+
+    const newPasswordHash = await argon.hash(newPassword);
+
+    await this.prisma.resetPasswordToken.delete({
+      where: { token },
+    });
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: { password: newPasswordHash },
+    });
+  }
+
+  async updatePassword(user: User, newPassword: string, oldPassword?: string) {
+    const isPasswordValid =
+      !user.password || (await argon.verify(user.password, oldPassword));
+
+    if (!isPasswordValid) throw new ForbiddenException("Invalid password");
+
+    const hash = await argon.hash(newPassword);
+
+    await this.prisma.refreshToken.deleteMany({
+      where: { userId: user.id },
+    });
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: { password: hash },
+    });
+
+    return this.createRefreshToken(user.id);
+  }
+
+  async createAccessToken(user: User, refreshTokenId: string) {
    return this.jwtService.sign(
      {
        sub: user.id,
        email: user.email,
+        isAdmin: user.isAdmin,
+        refreshTokenId,
      },
      {
        expiresIn: "15min",
-        secret: this.config.get("JWT_SECRET"),
-      }
+        secret: this.config.get("internal.jwtSecret"),
+      },
    );
  }

+  async signOut(accessToken: string) {
+    const { refreshTokenId } =
+      (this.jwtService.decode(accessToken) as {
+        refreshTokenId: string;
+      }) || {};
+
+    if (refreshTokenId) {
+      await this.prisma.refreshToken
+        .delete({ where: { id: refreshTokenId } })
+        .catch((e) => {
+          // Ignore error if refresh token doesn't exist
+          if (e.code != "P2025") throw e;
+        });
+    }
+  }
+
  async refreshAccessToken(refreshToken: string) {
    const refreshTokenMetaData = await this.prisma.refreshToken.findUnique({
      where: { token: refreshToken },
@@ -82,16 +228,69 @@ export class AuthService {
    if (!refreshTokenMetaData || refreshTokenMetaData.expiresAt < new Date())
      throw new UnauthorizedException();

-    return this.createAccessToken(refreshTokenMetaData.user);
+    return this.createAccessToken(
+      refreshTokenMetaData.user,
+      refreshTokenMetaData.id,
+    );
  }

  async createRefreshToken(userId: string) {
-    const refreshToken = (
-      await this.prisma.refreshToken.create({
-        data: { userId, expiresAt: moment().add(3, "months").toDate() },
+    const { id, token } = await this.prisma.refreshToken.create({
+      data: {
+        userId,
+        expiresAt: moment()
+          .add(this.config.get("general.sessionDuration"), "hours")
+          .toDate(),
+      },
+    });
+
+    return { refreshTokenId: id, refreshToken: token };
+  }
+
+  async createLoginToken(userId: string) {
+    const loginToken = (
+      await this.prisma.loginToken.create({
+        data: { userId, expiresAt: moment().add(5, "minutes").toDate() },
      })
    ).token;

-    return refreshToken;
+    return loginToken;
+  }
+
+  addTokensToResponse(
+    response: Response,
+    refreshToken?: string,
+    accessToken?: string,
+  ) {
+    if (accessToken)
+      response.cookie("access_token", accessToken, {
+        sameSite: "lax",
+        maxAge: 1000 * 60 * 60 * 24 * 30 * 3, // 3 months
+      });
+    if (refreshToken)
+      response.cookie("refresh_token", refreshToken, {
+        path: "/api/auth/token",
+        httpOnly: true,
+        sameSite: "strict",
+        maxAge: 1000 * 60 * 60 * this.config.get("general.sessionDuration"),
+      });
+  }
+
+  /**
+   * Returns the user id if the user is logged in, null otherwise
+   */
+  async getIdOfCurrentUser(request: Request): Promise<string | null> {
+    if (!request.cookies.access_token) return null;
+    try {
+      const payload = await this.jwtService.verifyAsync(
+        request.cookies.access_token,
+        {
+          secret: this.config.get("internal.jwtSecret"),
+        },
+      );
+      return payload.sub;
+    } catch {
+      return null;
+    }
  }
 }
--- a/backend/src/auth/authTotp.service.ts
+++ b/backend/src/auth/authTotp.service.ts
@@ -0,0 +1,170 @@
+import {
+  BadRequestException,
+  ForbiddenException,
+  Injectable,
+  UnauthorizedException,
+} from "@nestjs/common";
+import { User } from "@prisma/client";
+import * as argon from "argon2";
+import { authenticator, totp } from "otplib";
+import * as qrcode from "qrcode-svg";
+import { PrismaService } from "src/prisma/prisma.service";
+import { AuthService } from "./auth.service";
+import { AuthSignInTotpDTO } from "./dto/authSignInTotp.dto";
+
+@Injectable()
+export class AuthTotpService {
+  constructor(
+    private prisma: PrismaService,
+    private authService: AuthService,
+  ) {}
+
+  async signInTotp(dto: AuthSignInTotpDTO) {
+    const token = await this.prisma.loginToken.findFirst({
+      where: {
+        token: dto.loginToken,
+      },
+      include: {
+        user: true,
+      },
+    });
+
+    if (!token || token.used)
+      throw new UnauthorizedException("Invalid login token");
+
+    if (token.expiresAt < new Date())
+      throw new UnauthorizedException("Login token expired", "token_expired");
+
+    // Check the TOTP code
+    const { totpSecret } = token.user;
+
+    if (!totpSecret) {
+      throw new BadRequestException("TOTP is not enabled");
+    }
+
+    if (!authenticator.check(dto.totp, totpSecret)) {
+      throw new BadRequestException("Invalid code");
+    }
+
+    // Set the login token to used
+    await this.prisma.loginToken.update({
+      where: { token: token.token },
+      data: { used: true },
+    });
+
+    const { refreshToken, refreshTokenId } =
+      await this.authService.createRefreshToken(token.user.id);
+    const accessToken = await this.authService.createAccessToken(
+      token.user,
+      refreshTokenId,
+    );
+
+    return { accessToken, refreshToken };
+  }
+
+  async enableTotp(user: User, password: string) {
+    if (!(await argon.verify(user.password, password)))
+      throw new ForbiddenException("Invalid password");
+
+    // Check if we have a secret already
+    const { totpVerified } = await this.prisma.user.findUnique({
+      where: { id: user.id },
+      select: { totpVerified: true },
+    });
+
+    if (totpVerified) {
+      throw new BadRequestException("TOTP is already enabled");
+    }
+
+    const secret = authenticator.generateSecret();
+
+    const otpURL = totp.keyuri(
+      user.username || user.email,
+      "pingvin-share",
+      secret,
+    );
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: {
+        totpEnabled: true,
+        totpSecret: secret,
+      },
+    });
+
+    // TODO: Maybe we should generate the QR code on the client rather than the server?
+    const qrCode = new qrcode({
+      content: otpURL,
+      container: "svg-viewbox",
+      join: true,
+    }).svg();
+
+    return {
+      totpAuthUrl: otpURL,
+      totpSecret: secret,
+      qrCode:
+        "data:image/svg+xml;base64," + Buffer.from(qrCode).toString("base64"),
+    };
+  }
+
+  // TODO: Maybe require a token to verify that the user who started enabling totp is the one who is verifying it?
+  async verifyTotp(user: User, password: string, code: string) {
+    if (!(await argon.verify(user.password, password)))
+      throw new ForbiddenException("Invalid password");
+
+    const { totpSecret } = await this.prisma.user.findUnique({
+      where: { id: user.id },
+      select: { totpSecret: true },
+    });
+
+    if (!totpSecret) {
+      throw new BadRequestException("TOTP is not in progress");
+    }
+
+    const expected = authenticator.generate(totpSecret);
+
+    if (code !== expected) {
+      throw new BadRequestException("Invalid code");
+    }
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: {
+        totpVerified: true,
+      },
+    });
+
+    return true;
+  }
+
+  async disableTotp(user: User, password: string, code: string) {
+    if (!(await argon.verify(user.password, password)))
+      throw new ForbiddenException("Invalid password");
+
+    const { totpSecret } = await this.prisma.user.findUnique({
+      where: { id: user.id },
+      select: { totpSecret: true },
+    });
+
+    if (!totpSecret) {
+      throw new BadRequestException("TOTP is not enabled");
+    }
+
+    const expected = authenticator.generate(totpSecret);
+
+    if (code !== expected) {
+      throw new BadRequestException("Invalid code");
+    }
+
+    await this.prisma.user.update({
+      where: { id: user.id },
+      data: {
+        totpVerified: false,
+        totpEnabled: false,
+        totpSecret: null,
+      },
+    });
+
+    return true;
+  }
+}
--- a/backend/src/auth/decorator/getUser.decorator.ts
+++ b/backend/src/auth/decorator/getUser.decorator.ts
@@ -5,5 +5,5 @@ export const GetUser = createParamDecorator(
    const request = ctx.switchToHttp().getRequest();
    const user = request.user;
    return data ? user?.[data] : user;
-  }
+  },
 );
--- a/backend/src/auth/dto/authRegister.dto.ts
+++ b/backend/src/auth/dto/authRegister.dto.ts
@@ -1,3 +1,8 @@
+import { PickType } from "@nestjs/swagger";
 import { UserDTO } from "src/user/dto/user.dto";

-export class AuthRegisterDTO extends UserDTO {}
+export class AuthRegisterDTO extends PickType(UserDTO, [
+  "email",
+  "username",
+  "password",
+] as const) {}
--- a/backend/src/auth/dto/authSignIn.dto.ts
+++ b/backend/src/auth/dto/authSignIn.dto.ts
@@ -1,7 +1,13 @@
 import { PickType } from "@nestjs/swagger";
+import { IsEmail, IsOptional, IsString } from "class-validator";
 import { UserDTO } from "src/user/dto/user.dto";

-export class AuthSignInDTO extends PickType(UserDTO, [
-  "email",
-  "password",
-] as const) {}
+export class AuthSignInDTO extends PickType(UserDTO, ["password"] as const) {
+  @IsEmail()
+  @IsOptional()
+  email: string;
+
+  @IsString()
+  @IsOptional()
+  username: string;
+}
--- a/backend/src/auth/dto/authSignInTotp.dto.ts
+++ b/backend/src/auth/dto/authSignInTotp.dto.ts
@@ -0,0 +1,10 @@
+import { IsString } from "class-validator";
+import { AuthSignInDTO } from "./authSignIn.dto";
+
+export class AuthSignInTotpDTO {
+  @IsString()
+  totp: string;
+
+  @IsString()
+  loginToken: string;
+}
--- a/backend/src/auth/dto/enableTotp.dto.ts
+++ b/backend/src/auth/dto/enableTotp.dto.ts
@@ -0,0 +1,4 @@
+import { PickType } from "@nestjs/swagger";
+import { UserDTO } from "src/user/dto/user.dto";
+
+export class EnableTotpDTO extends PickType(UserDTO, ["password"] as const) {}
--- a/backend/src/auth/dto/refreshAccessToken.dto.ts
+++ b/backend/src/auth/dto/refreshAccessToken.dto.ts
@@ -1,6 +0,0 @@
-import { IsNotEmpty } from "class-validator";
-
-export class RefreshAccessTokenDTO {
-  @IsNotEmpty()
-  refreshToken: string;
-}
--- a/backend/src/auth/dto/resetPassword.dto.ts
+++ b/backend/src/auth/dto/resetPassword.dto.ts
@@ -0,0 +1,8 @@
+import { PickType } from "@nestjs/swagger";
+import { IsString } from "class-validator";
+import { UserDTO } from "src/user/dto/user.dto";
+
+export class ResetPasswordDTO extends PickType(UserDTO, ["password"]) {
+  @IsString()
+  token: string;
+}
--- a/backend/src/auth/dto/token.dto.ts
+++ b/backend/src/auth/dto/token.dto.ts
@@ -0,0 +1,15 @@
+import { Expose, plainToClass } from "class-transformer";
+
+export class TokenDTO {
+  @Expose()
+  accessToken: string;
+
+  @Expose()
+  refreshToken: string;
+
+  from(partial: Partial<TokenDTO>) {
+    return plainToClass(TokenDTO, partial, {
+      excludeExtraneousValues: true,
+    });
+  }
+}
--- a/backend/src/auth/dto/updatePassword.dto.ts
+++ b/backend/src/auth/dto/updatePassword.dto.ts
@@ -0,0 +1,9 @@
+import { PickType } from "@nestjs/swagger";
+import { IsOptional, IsString } from "class-validator";
+import { UserDTO } from "src/user/dto/user.dto";
+
+export class UpdatePasswordDTO extends PickType(UserDTO, ["password"]) {
+  @IsString()
+  @IsOptional()
+  oldPassword?: string;
+}
--- a/backend/src/auth/dto/verifyTotp.dto.ts
+++ b/backend/src/auth/dto/verifyTotp.dto.ts
@@ -0,0 +1,8 @@
+import { PickType } from "@nestjs/swagger";
+import { IsString } from "class-validator";
+import { UserDTO } from "src/user/dto/user.dto";
+
+export class VerifyTotpDTO extends PickType(UserDTO, ["password"] as const) {
+  @IsString()
+  code: string;
+}
--- a/backend/src/auth/guard/isAdmin.guard.ts
+++ b/backend/src/auth/guard/isAdmin.guard.ts
@@ -0,0 +1,13 @@
+import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
+import { User } from "@prisma/client";
+
+@Injectable()
+export class AdministratorGuard implements CanActivate {
+  canActivate(context: ExecutionContext) {
+    const { user }: { user: User } = context.switchToHttp().getRequest();
+
+    if (!user) return false;
+
+    return user.isAdmin;
+  }
+}
--- a/backend/src/auth/guard/jwt.guard.ts
+++ b/backend/src/auth/guard/jwt.guard.ts
@@ -1,7 +1,17 @@
+import { ExecutionContext, Injectable } from "@nestjs/common";
 import { AuthGuard } from "@nestjs/passport";
+import { ConfigService } from "src/config/config.service";

+@Injectable()
 export class JwtGuard extends AuthGuard("jwt") {
-  constructor() {
+  constructor(private config: ConfigService) {
    super();
  }
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    try {
+      return (await super.canActivate(context)) as boolean;
+    } catch {
+      return this.config.get("share.allowUnauthenticatedShares");
+    }
+  }
 }
--- a/backend/src/auth/ldap.service.ts
+++ b/backend/src/auth/ldap.service.ts
@@ -0,0 +1,154 @@
+import { Inject, Injectable, Logger } from "@nestjs/common";
+import * as ldap from "ldapjs";
+import { AttributeJson, InvalidCredentialsError, SearchCallbackResponse, SearchOptions } from "ldapjs";
+import { inspect } from "node:util";
+import { ConfigService } from "../config/config.service";
+
+type LdapSearchEntry = {
+    objectName: string,
+    attributes: AttributeJson[],
+};
+
+async function ldapExecuteSearch(client: ldap.Client, base: string, options: SearchOptions): Promise<LdapSearchEntry[]> {
+    const searchResponse = await new Promise<SearchCallbackResponse>((resolve, reject) => {
+        client.search(base, options, (err, res) => {
+            if (err) {
+                reject(err);
+            } else {
+                resolve(res);
+            }
+        });
+    });
+
+    return await new Promise<any[]>((resolve, reject) => {
+        const entries: LdapSearchEntry[] = [];
+        searchResponse.on("searchEntry", entry => entries.push({ attributes: entry.pojo.attributes, objectName: entry.pojo.objectName }));
+        searchResponse.once("error", reject);
+        searchResponse.once("end", () => resolve(entries));
+    });
+}
+
+async function ldapBindUser(client: ldap.Client, dn: string, password: string): Promise<void> {
+    return new Promise<void>((resolve, reject) => {
+        client.bind(dn, password, error => {
+            if (error) {
+                reject(error);
+            } else {
+                resolve();
+            }
+        });
+    })
+}
+
+async function ldapCreateConnection(logger: Logger, url: string): Promise<ldap.Client> {
+    const ldapClient = ldap.createClient({
+        url: url.split(","),
+        connectTimeout: 10_000,
+        timeout: 10_000
+    });
+
+    await new Promise((resolve, reject) => {
+        ldapClient.once("error", reject);
+        ldapClient.on("setupError", reject);
+        ldapClient.on("socketTimeout", reject);
+        ldapClient.on("connectRefused", () => reject(new Error("connection has been refused")));
+        ldapClient.on("connectTimeout", () => reject(new Error("connect timed out")));
+        ldapClient.on("connectError", reject);
+
+        ldapClient.on("connect", resolve);
+    }).catch(error => {
+        logger.error(`Connect error: ${inspect(error)}`);
+        ldapClient.destroy();
+        throw error;
+    });
+
+    return ldapClient;
+}
+
+export type LdapAuthenticateResult = {
+    userDn: string,
+    attributes: Record<string, string[]>
+};
+
+@Injectable()
+export class LdapService {
+    private readonly logger = new Logger(LdapService.name);
+    constructor(
+        @Inject(ConfigService)
+        private readonly serviceConfig: ConfigService,
+    ) { }
+
+    private async createLdapConnection(): Promise<ldap.Client> {
+        const ldapUrl = this.serviceConfig.get("ldap.url");
+        if (!ldapUrl) {
+            throw new Error("LDAP server URL is not defined");
+        }
+
+        const ldapClient = await ldapCreateConnection(this.logger, ldapUrl);
+        try {
+            const bindDn = this.serviceConfig.get("ldap.bindDn") || null;
+            if (bindDn) {
+                try {
+                    await ldapBindUser(ldapClient, bindDn, this.serviceConfig.get("ldap.bindPassword"))
+                } catch (error) {
+                    this.logger.warn(`Failed to bind to default user: ${error}`);
+                    throw new Error("failed to bind to default user");
+                }
+            }
+
+            return ldapClient;
+        } catch (error) {
+            ldapClient.destroy();
+            throw error;
+        }
+    }
+
+    public async authenticateUser(username: string, password: string): Promise<LdapAuthenticateResult | null> {
+        if (!username.match(/^[a-zA-Z0-0]+$/)) {
+            return null;
+        }
+
+        const searchBase = this.serviceConfig.get("ldap.searchBase");
+        const searchQuery = this.serviceConfig.get("ldap.searchQuery")
+            .replaceAll("%username%", username);
+
+        const ldapClient = await this.createLdapConnection();
+        try {
+            const [result] = await ldapExecuteSearch(ldapClient, searchBase, {
+                filter: searchQuery,
+                scope: "sub"
+            });
+
+            if (!result) {
+                /* user not found */
+                return null;
+            }
+
+            try {
+                await ldapBindUser(ldapClient, result.objectName, password);
+
+                /*
+                 * In theory we could query the user attributes now,
+                 * but as we must query the user attributes for validation anyways
+                 * we'll create a second ldap server connection.
+                 */
+                return {
+                    userDn: result.objectName,
+                    attributes: Object.fromEntries(result.attributes.map(attribute => [attribute.type, attribute.values])),
+                };
+            } catch (error) {
+                if (error instanceof InvalidCredentialsError) {
+                    return null;
+                }
+
+                this.logger.warn(`LDAP user bind failure: ${inspect(error)}`);
+                return null;
+            } finally {
+                ldapClient.destroy();
+            }
+        } catch (error) {
+            this.logger.warn(`LDAP connect error: ${inspect(error)}`);
+            return null;
+        }
+    }
+}
--- a/backend/src/auth/strategy/jwt.strategy.ts
+++ b/backend/src/auth/strategy/jwt.strategy.ts
@@ -1,24 +1,33 @@
 import { Injectable } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
 import { PassportStrategy } from "@nestjs/passport";
 import { User } from "@prisma/client";
-import { ExtractJwt, Strategy } from "passport-jwt";
+import { Request } from "express";
+import { Strategy } from "passport-jwt";
+import { ConfigService } from "src/config/config.service";
 import { PrismaService } from "src/prisma/prisma.service";

@Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy) {
-  constructor(config: ConfigService, private prisma: PrismaService) {
+  constructor(
+    config: ConfigService,
+    private prisma: PrismaService,
+  ) {
+    config.get("internal.jwtSecret");
    super({
-      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
-      secretOrKey: config.get("JWT_SECRET"),
+      jwtFromRequest: JwtStrategy.extractJWT,
+      secretOrKey: config.get("internal.jwtSecret"),
    });
  }

+  private static extractJWT(req: Request) {
+    if (!req.cookies.access_token) return null;
+    return req.cookies.access_token;
+  }
+
  async validate(payload: { sub: string }) {
    const user: User = await this.prisma.user.findUnique({
      where: { id: payload.sub },
    });
-
    return user;
  }
 }
--- a/backend/src/clamscan/clamscan.module.ts
+++ b/backend/src/clamscan/clamscan.module.ts
@@ -0,0 +1,10 @@
+import { forwardRef, Module } from "@nestjs/common";
+import { FileModule } from "src/file/file.module";
+import { ClamScanService } from "./clamscan.service";
+
+@Module({
+  imports: [forwardRef(() => FileModule)],
+  providers: [ClamScanService],
+  exports: [ClamScanService],
+})
+export class ClamScanModule {}
--- a/backend/src/clamscan/clamscan.service.ts
+++ b/backend/src/clamscan/clamscan.service.ts
@@ -0,0 +1,88 @@
+import { Injectable, Logger } from "@nestjs/common";
+import * as NodeClam from "clamscan";
+import * as fs from "fs";
+import { FileService } from "src/file/file.service";
+import { PrismaService } from "src/prisma/prisma.service";
+import { CLAMAV_HOST, CLAMAV_PORT, SHARE_DIRECTORY } from "../constants";
+
+const clamscanConfig = {
+  clamdscan: {
+    host: CLAMAV_HOST,
+    port: CLAMAV_PORT,
+    localFallback: false,
+  },
+  preference: "clamdscan",
+};
+@Injectable()
+export class ClamScanService {
+  private readonly logger = new Logger(ClamScanService.name);
+
+  constructor(
+    private fileService: FileService,
+    private prisma: PrismaService,
+  ) {}
+
+  private ClamScan: Promise<NodeClam | null> = new NodeClam()
+    .init(clamscanConfig)
+    .then((res) => {
+      this.logger.log("ClamAV is active");
+      return res;
+    })
+    .catch(() => {
+      this.logger.log("ClamAV is not active");
+      return null;
+    });
+
+  async check(shareId: string) {
+    const clamScan = await this.ClamScan;
+
+    if (!clamScan) return [];
+
+    const infectedFiles = [];
+
+    const files = fs
+      .readdirSync(`${SHARE_DIRECTORY}/${shareId}`)
+      .filter((file) => file != "archive.zip");
+
+    for (const fileId of files) {
+      const { isInfected } = await clamScan
+        .isInfected(`${SHARE_DIRECTORY}/${shareId}/${fileId}`)
+        .catch(() => {
+          this.logger.log("ClamAV is not active");
+          return { isInfected: false };
+        });
+
+      const fileName = (
+        await this.prisma.file.findUnique({ where: { id: fileId } })
+      ).name;
+
+      if (isInfected) {
+        infectedFiles.push({ id: fileId, name: fileName });
+      }
+    }
+
+    return infectedFiles;
+  }
+
+  async checkAndRemove(shareId: string) {
+    const infectedFiles = await this.check(shareId);
+
+    if (infectedFiles.length > 0) {
+      await this.fileService.deleteAllFiles(shareId);
+      await this.prisma.file.deleteMany({ where: { shareId } });
+
+      const fileNames = infectedFiles.map((file) => file.name).join(", ");
+
+      await this.prisma.share.update({
+        where: { id: shareId },
+        data: {
+          removedReason: `Your share got removed because the file(s) ${fileNames} are malicious.`,
+        },
+      });
+
+      this.logger.warn(
+        `Share ${shareId} deleted because it contained ${infectedFiles.length} malicious file(s)`,
+      );
+    }
+  }
+}
--- a/backend/src/config/config.controller.ts
+++ b/backend/src/config/config.controller.ts
@@ -0,0 +1,75 @@
+import {
+  Body,
+  Controller,
+  FileTypeValidator,
+  Get,
+  Param,
+  ParseFilePipe,
+  Patch,
+  Post,
+  UploadedFile,
+  UseGuards,
+  UseInterceptors,
+} from "@nestjs/common";
+import { FileInterceptor } from "@nestjs/platform-express";
+import { SkipThrottle } from "@nestjs/throttler";
+import { AdministratorGuard } from "src/auth/guard/isAdmin.guard";
+import { JwtGuard } from "src/auth/guard/jwt.guard";
+import { EmailService } from "src/email/email.service";
+import { ConfigService } from "./config.service";
+import { AdminConfigDTO } from "./dto/adminConfig.dto";
+import { ConfigDTO } from "./dto/config.dto";
+import { TestEmailDTO } from "./dto/testEmail.dto";
+import UpdateConfigDTO from "./dto/updateConfig.dto";
+import { LogoService } from "./logo.service";
+
+@Controller("configs")
+export class ConfigController {
+  constructor(
+    private configService: ConfigService,
+    private logoService: LogoService,
+    private emailService: EmailService,
+  ) {}
+
+  @Get()
+  @SkipThrottle()
+  async list() {
+    return new ConfigDTO().fromList(await this.configService.list());
+  }
+
+  @Get("admin/:category")
+  @UseGuards(JwtGuard, AdministratorGuard)
+  async getByCategory(@Param("category") category: string) {
+    return new AdminConfigDTO().fromList(
+      await this.configService.getByCategory(category),
+    );
+  }
+
+  @Patch("admin")
+  @UseGuards(JwtGuard, AdministratorGuard)
+  async updateMany(@Body() data: UpdateConfigDTO[]) {
+    return new AdminConfigDTO().fromList(
+      await this.configService.updateMany(data),
+    );
+  }
+
+  @Post("admin/testEmail")
+  @UseGuards(JwtGuard, AdministratorGuard)
+  async testEmail(@Body() { email }: TestEmailDTO) {
+    await this.emailService.sendTestMail(email);
+  }
+
+  @Post("admin/logo")
+  @UseInterceptors(FileInterceptor("file"))
+  @UseGuards(JwtGuard, AdministratorGuard)
+  async uploadLogo(
+    @UploadedFile(
+      new ParseFilePipe({
+        validators: [new FileTypeValidator({ fileType: "image/png" })],
+      }),
+    )
+    file: Express.Multer.File,
+  ) {
+    return await this.logoService.create(file.buffer);
+  }
+}
--- a/backend/src/config/config.module.ts
+++ b/backend/src/config/config.module.ts
@@ -0,0 +1,25 @@
+import { Global, Module } from "@nestjs/common";
+import { EmailModule } from "src/email/email.module";
+import { PrismaService } from "src/prisma/prisma.service";
+import { ConfigController } from "./config.controller";
+import { ConfigService } from "./config.service";
+import { LogoService } from "./logo.service";
+
+@Global()
+@Module({
+  imports: [EmailModule],
+  providers: [
+    {
+      provide: "CONFIG_VARIABLES",
+      useFactory: async (prisma: PrismaService) => {
+        return await prisma.config.findMany();
+      },
+      inject: [PrismaService],
+    },
+    ConfigService,
+    LogoService,
+  ],
+  controllers: [ConfigController],
+  exports: [ConfigService],
+})
+export class ConfigModule {}
--- a/backend/src/config/config.service.ts
+++ b/backend/src/config/config.service.ts
@@ -0,0 +1,119 @@
+import {
+  BadRequestException,
+  Inject,
+  Injectable,
+  NotFoundException,
+} from "@nestjs/common";
+import { Config } from "@prisma/client";
+import { PrismaService } from "src/prisma/prisma.service";
+import { EventEmitter } from "events";
+
+/**
+ * ConfigService extends EventEmitter to allow listening for config updates,
+ * now only `update` event will be emitted.
+ */
+@Injectable()
+export class ConfigService extends EventEmitter {
+  constructor(
+    @Inject("CONFIG_VARIABLES") private configVariables: Config[],
+    private prisma: PrismaService,
+  ) {
+    super();
+  }
+
+  get(key: `${string}.${string}`): any {
+    const configVariable = this.configVariables.filter(
+      (variable) => `${variable.category}.${variable.name}` == key,
+    )[0];
+
+    if (!configVariable) throw new Error(`Config variable ${key} not found`);
+
+    const value = configVariable.value ?? configVariable.defaultValue;
+
+    if (configVariable.type == "number") return parseInt(value);
+    if (configVariable.type == "boolean") return value == "true";
+    if (configVariable.type == "string" || configVariable.type == "text")
+      return value;
+  }
+
+  async getByCategory(category: string) {
+    const configVariables = await this.prisma.config.findMany({
+      orderBy: { order: "asc" },
+      where: { category, locked: { equals: false } },
+    });
+
+    return configVariables.map((variable) => {
+      return {
+        ...variable,
+        key: `${variable.category}.${variable.name}`,
+        value: variable.value ?? variable.defaultValue,
+      };
+    });
+  }
+
+  async list() {
+    const configVariables = await this.prisma.config.findMany({
+      where: { secret: { equals: false } },
+    });
+
+    return configVariables.map((variable) => {
+      return {
+        ...variable,
+        key: `${variable.category}.${variable.name}`,
+        value: variable.value ?? variable.defaultValue,
+      };
+    });
+  }
+
+  async updateMany(data: { key: string; value: string | number | boolean }[]) {
+    const response: Config[] = [];
+
+    for (const variable of data) {
+      response.push(await this.update(variable.key, variable.value));
+    }
+
+    return response;
+  }
+
+  async update(key: string, value: string | number | boolean) {
+    const configVariable = await this.prisma.config.findUnique({
+      where: {
+        name_category: {
+          category: key.split(".")[0],
+          name: key.split(".")[1],
+        },
+      },
+    });
+
+    if (!configVariable || configVariable.locked)
+      throw new NotFoundException("Config variable not found");
+
+    if (value === "") {
+      value = null;
+    } else if (
+      typeof value != configVariable.type &&
+      typeof value == "string" &&
+      configVariable.type != "text"
+    ) {
+      throw new BadRequestException(
+        `Config variable must be of type ${configVariable.type}`,
+      );
+    }
+
+    const updatedVariable = await this.prisma.config.update({
+      where: {
+        name_category: {
+          category: key.split(".")[0],
+          name: key.split(".")[1],
+        },
+      },
+      data: { value: value === null ? null : value.toString() },
+    });
+
+    this.configVariables = await this.prisma.config.findMany();
+
+    this.emit("update", key, value);
+
+    return updatedVariable;
+  }
+}
--- a/backend/src/config/dto/adminConfig.dto.ts
+++ b/backend/src/config/dto/adminConfig.dto.ts
@@ -0,0 +1,31 @@
+import { Expose, plainToClass } from "class-transformer";
+import { ConfigDTO } from "./config.dto";
+
+export class AdminConfigDTO extends ConfigDTO {
+  @Expose()
+  name: string;
+
+  @Expose()
+  secret: boolean;
+
+  @Expose()
+  defaultValue: string;
+
+  @Expose()
+  updatedAt: Date;
+
+  @Expose()
+  obscured: boolean;
+
+  from(partial: Partial<AdminConfigDTO>) {
+    return plainToClass(AdminConfigDTO, partial, {
+      excludeExtraneousValues: true,
+    });
+  }
+
+  fromList(partial: Partial<AdminConfigDTO>[]) {
+    return partial.map((part) =>
+      plainToClass(AdminConfigDTO, part, { excludeExtraneousValues: true }),
+    );
+  }
+}
--- a/backend/src/config/dto/config.dto.ts
+++ b/backend/src/config/dto/config.dto.ts
@@ -0,0 +1,18 @@
+import { Expose, plainToClass } from "class-transformer";
+
+export class ConfigDTO {
+  @Expose()
+  key: string;
+
+  @Expose()
+  value: string;
+
+  @Expose()
+  type: string;
+
+  fromList(partial: Partial<ConfigDTO>[]) {
+    return partial.map((part) =>
+      plainToClass(ConfigDTO, part, { excludeExtraneousValues: true }),
+    );
+  }
+}
--- a/backend/src/config/dto/testEmail.dto.ts
+++ b/backend/src/config/dto/testEmail.dto.ts
@@ -0,0 +1,7 @@
+import { IsEmail, IsNotEmpty } from "class-validator";
+
+export class TestEmailDTO {
+  @IsEmail()
+  @IsNotEmpty()
+  email: string;
+}
--- a/backend/src/config/dto/updateConfig.dto.ts
+++ b/backend/src/config/dto/updateConfig.dto.ts
@@ -0,0 +1,11 @@
+import { IsNotEmpty, IsString } from "class-validator";
+
+class UpdateConfigDTO {
+  @IsString()
+  key: string;
+
+  @IsNotEmpty()
+  value: string | number | boolean;
+}
+
+export default UpdateConfigDTO;
--- a/backend/src/config/logo.service.ts
+++ b/backend/src/config/logo.service.ts
@@ -0,0 +1,33 @@
+import { Injectable } from "@nestjs/common";
+import * as fs from "fs";
+import * as sharp from "sharp";
+
+const IMAGES_PATH = "../frontend/public/img";
+
+@Injectable()
+export class LogoService {
+  async create(file: Buffer) {
+    const resized = await sharp(file).resize(900).toBuffer();
+    fs.writeFileSync(`${IMAGES_PATH}/logo.png`, resized, "binary");
+    this.createFavicon(file);
+    this.createPWAIcons(file);
+  }
+
+  async createFavicon(file: Buffer) {
+    const resized = await sharp(file).resize(16).toBuffer();
+    fs.promises.writeFile(`${IMAGES_PATH}/favicon.ico`, resized, "binary");
+  }
+
+  async createPWAIcons(file: Buffer) {
+    const sizes = [48, 72, 96, 128, 144, 152, 192, 384, 512];
+
+    for (const size of sizes) {
+      const resized = await sharp(file).resize(size).toBuffer();
+      fs.promises.writeFile(
+        `${IMAGES_PATH}/icons/icon-${size}x${size}.png`,
+        resized,
+        "binary",
+      );
+    }
+  }
+}
--- a/backend/src/constants.ts
+++ b/backend/src/constants.ts
@@ -0,0 +1,9 @@
+export const DATA_DIRECTORY = process.env.DATA_DIRECTORY || "./data";
+export const SHARE_DIRECTORY = `${DATA_DIRECTORY}/uploads/shares`;
+export const DATABASE_URL =
+  process.env.DATABASE_URL ||
+  "file:../data/pingvin-share.db?connection_limit=1";
+export const CLAMAV_HOST =
+  process.env.CLAMAV_HOST ||
+  (process.env.NODE_ENV == "docker" ? "clamav" : "127.0.0.1");
+export const CLAMAV_PORT = parseInt(process.env.CLAMAV_PORT) || 3310;
--- a/backend/src/email/email.module.ts
+++ b/backend/src/email/email.module.ts
@@ -0,0 +1,8 @@
+import { Module } from "@nestjs/common";
+import { EmailService } from "./email.service";
+
+@Module({
+  providers: [EmailService],
+  exports: [EmailService],
+})
+export class EmailModule {}
--- a/backend/src/email/email.service.ts
+++ b/backend/src/email/email.service.ts
@@ -0,0 +1,138 @@
+import {
+  Injectable,
+  InternalServerErrorException,
+  Logger,
+} from "@nestjs/common";
+import { User } from "@prisma/client";
+import * as moment from "moment";
+import * as nodemailer from "nodemailer";
+import { ConfigService } from "src/config/config.service";
+
+@Injectable()
+export class EmailService {
+  constructor(private config: ConfigService) {}
+  private readonly logger = new Logger(EmailService.name);
+
+  getTransporter() {
+    if (!this.config.get("smtp.enabled"))
+      throw new InternalServerErrorException("SMTP is disabled");
+
+    return nodemailer.createTransport({
+      host: this.config.get("smtp.host"),
+      port: this.config.get("smtp.port"),
+      secure: this.config.get("smtp.port") == 465,
+      auth: {
+        user: this.config.get("smtp.username"),
+        pass: this.config.get("smtp.password"),
+      },
+      tls: {
+        rejectUnauthorized: !this.config.get(
+          "smtp.allowUnauthorizedCertificates",
+        ),
+      },
+    });
+  }
+
+  private async sendMail(email: string, subject: string, text: string) {
+    await this.getTransporter()
+      .sendMail({
+        from: `"${this.config.get("general.appName")}" <${this.config.get(
+          "smtp.email",
+        )}>`,
+        to: email,
+        subject,
+        text,
+      })
+      .catch((e) => {
+        this.logger.error(e);
+        throw new InternalServerErrorException("Failed to send email");
+      });
+  }
+
+  async sendMailToShareRecipients(
+    recipientEmail: string,
+    shareId: string,
+    creator?: User,
+    description?: string,
+    expiration?: Date,
+  ) {
+    if (!this.config.get("email.enableShareEmailRecipients"))
+      throw new InternalServerErrorException("Email service disabled");
+
+    const shareUrl = `${this.config.get("general.appUrl")}/s/${shareId}`;
+
+    await this.sendMail(
+      recipientEmail,
+      this.config.get("email.shareRecipientsSubject"),
+      this.config
+        .get("email.shareRecipientsMessage")
+        .replaceAll("\\n", "\n")
+        .replaceAll("{creator}", creator?.username ?? "Someone")
+        .replaceAll("{shareUrl}", shareUrl)
+        .replaceAll("{desc}", description ?? "No description")
+        .replaceAll(
+          "{expires}",
+          moment(expiration).unix() != 0
+            ? moment(expiration).fromNow()
+            : "in: never",
+        ),
+    );
+  }
+
+  async sendMailToReverseShareCreator(recipientEmail: string, shareId: string) {
+    const shareUrl = `${this.config.get("general.appUrl")}/s/${shareId}`;
+
+    await this.sendMail(
+      recipientEmail,
+      this.config.get("email.reverseShareSubject"),
+      this.config
+        .get("email.reverseShareMessage")
+        .replaceAll("\\n", "\n")
+        .replaceAll("{shareUrl}", shareUrl),
+    );
+  }
+
+  async sendResetPasswordEmail(recipientEmail: string, token: string) {
+    const resetPasswordUrl = `${this.config.get(
+      "general.appUrl",
+    )}/auth/resetPassword/${token}`;
+
+    await this.sendMail(
+      recipientEmail,
+      this.config.get("email.resetPasswordSubject"),
+      this.config
+        .get("email.resetPasswordMessage")
+        .replaceAll("\\n", "\n")
+        .replaceAll("{url}", resetPasswordUrl),
+    );
+  }
+
+  async sendInviteEmail(recipientEmail: string, password: string) {
+    const loginUrl = `${this.config.get("general.appUrl")}/auth/signIn`;
+
+    await this.sendMail(
+      recipientEmail,
+      this.config.get("email.inviteSubject"),
+      this.config
+        .get("email.inviteMessage")
+        .replaceAll("{url}", loginUrl)
+        .replaceAll("{password}", password),
+    );
+  }
+
+  async sendTestMail(recipientEmail: string) {
+    await this.getTransporter()
+      .sendMail({
+        from: `"${this.config.get("general.appName")}" <${this.config.get(
+          "smtp.email",
+        )}>`,
+        to: recipientEmail,
+        subject: "Test email",
+        text: "This is a test email",
+      })
+      .catch((e) => {
+        this.logger.error(e);
+        throw new InternalServerErrorException(e.message);
+      });
+  }
+}
--- a/backend/src/file/file.controller.ts
+++ b/backend/src/file/file.controller.ts
@@ -1,111 +1,99 @@
 import {
+  Body,
  Controller,
+  Delete,
  Get,
  Param,
-  ParseFilePipeBuilder,
  Post,
+  Query,
  Res,
  StreamableFile,
-  UploadedFile,
  UseGuards,
-  UseInterceptors,
 } from "@nestjs/common";
-import { FileInterceptor } from "@nestjs/platform-express";
+import { SkipThrottle } from "@nestjs/throttler";
 import * as contentDisposition from "content-disposition";
 import { Response } from "express";
-import { JwtGuard } from "src/auth/guard/jwt.guard";
-import { FileDownloadGuard } from "src/file/guard/fileDownload.guard";
-import { ShareDTO } from "src/share/dto/share.dto";
+import { CreateShareGuard } from "src/share/guard/createShare.guard";
 import { ShareOwnerGuard } from "src/share/guard/shareOwner.guard";
-import { ShareSecurityGuard } from "src/share/guard/shareSecurity.guard";
 import { FileService } from "./file.service";
+import { FileSecurityGuard } from "./guard/fileSecurity.guard";

@Controller("shares/:shareId/files")
 export class FileController {
  constructor(private fileService: FileService) {}

  @Post()
-  @UseGuards(JwtGuard, ShareOwnerGuard)
-  @UseInterceptors(
-    FileInterceptor("file", {
-      dest: "./data/uploads/_temp/",
-    })
-  )
+  @SkipThrottle()
+  @UseGuards(CreateShareGuard, ShareOwnerGuard)
  async create(
-    @UploadedFile(
-      new ParseFilePipeBuilder()
-        .addMaxSizeValidator({
-          maxSize: parseInt(process.env.MAX_FILE_SIZE),
-        })
-        .build()
-    )
-    file: Express.Multer.File,
-    @Param("shareId") shareId: string
+    @Query()
+    query: {
+      id: string;
+      name: string;
+      chunkIndex: string;
+      totalChunks: string;
+    },
+    @Body() body: string,
+    @Param("shareId") shareId: string,
  ) {
-    // Fixes file names with special characters
-    file.originalname = Buffer.from(file.originalname, "latin1").toString(
-      "utf8"
+    const { id, name, chunkIndex, totalChunks } = query;
+
+    // Data can be empty if the file is empty
+    return await this.fileService.create(
+      body,
+      { index: parseInt(chunkIndex), total: parseInt(totalChunks) },
+      { id, name },
+      shareId,
    );
-    return new ShareDTO().from(await this.fileService.create(file, shareId));
-  }
-
-  @Get(":fileId/download")
-  @UseGuards(ShareSecurityGuard)
-  async getFileDownloadUrl(
-    @Res({ passthrough: true }) res: Response,
-    @Param("shareId") shareId: string,
-    @Param("fileId") fileId: string
-  ) {
-    const url = this.fileService.getFileDownloadUrl(shareId, fileId);
-
-    return { url };
-  }
-
-  @Get("zip/download")
-  @UseGuards(ShareSecurityGuard)
-  async getZipArchiveDownloadURL(
-    @Res({ passthrough: true }) res: Response,
-    @Param("shareId") shareId: string,
-    @Param("fileId") fileId: string
-  ) {
-    const url = this.fileService.getFileDownloadUrl(shareId, fileId);
-
-    res.set({
-      "Content-Type": "application/zip",
-    });
-
-    return { url };
  }

  @Get("zip")
-  @UseGuards(FileDownloadGuard)
+  @UseGuards(FileSecurityGuard)
  async getZip(
    @Res({ passthrough: true }) res: Response,
-    @Param("shareId") shareId: string
+    @Param("shareId") shareId: string,
  ) {
    const zip = this.fileService.getZip(shareId);
    res.set({
      "Content-Type": "application/zip",
-      "Content-Disposition": `attachment ; filename="pingvin-share-${shareId}"`,
+      "Content-Disposition": contentDisposition(`${shareId}.zip`),
    });

    return new StreamableFile(zip);
  }

  @Get(":fileId")
-  @UseGuards(FileDownloadGuard)
+  @UseGuards(FileSecurityGuard)
  async getFile(
    @Res({ passthrough: true }) res: Response,
    @Param("shareId") shareId: string,
-    @Param("fileId") fileId: string
+    @Param("fileId") fileId: string,
+    @Query("download") download = "true",
  ) {
    const file = await this.fileService.get(shareId, fileId);
-    res.set({
+
+    const headers = {
      "Content-Type": file.metaData.mimeType,
      "Content-Length": file.metaData.size,
-      "Content-Disposition": contentDisposition(file.metaData.name),
-    });
+      "Content-Security-Policy": "script-src 'none'",
+    };
+
+    if (download === "true") {
+      headers["Content-Disposition"] = contentDisposition(file.metaData.name);
+    }
+
+    res.set(headers);

    return new StreamableFile(file.file);
  }
+
+  @Delete(":fileId")
+  @SkipThrottle()
+  @UseGuards(ShareOwnerGuard)
+  async remove(
+    @Param("fileId") fileId: string,
+    @Param("shareId") shareId: string,
+  ) {
+    await this.fileService.remove(shareId, fileId);
+  }
 }
--- a/backend/src/file/file.module.ts
+++ b/backend/src/file/file.module.ts
@@ -1,11 +1,12 @@
 import { Module } from "@nestjs/common";
 import { JwtModule } from "@nestjs/jwt";
+import { ReverseShareModule } from "src/reverseShare/reverseShare.module";
 import { ShareModule } from "src/share/share.module";
 import { FileController } from "./file.controller";
 import { FileService } from "./file.service";

@Module({
-  imports: [JwtModule.register({}), ShareModule],
+  imports: [JwtModule.register({}), ReverseShareModule, ShareModule],
  controllers: [FileController],
  providers: [FileService],
  exports: [FileService],
--- a/backend/src/file/file.service.ts
+++ b/backend/src/file/file.service.ts
@@ -1,49 +1,108 @@
 import {
  BadRequestException,
+  HttpException,
+  HttpStatus,
  Injectable,
  NotFoundException,
 } from "@nestjs/common";
-import { ConfigService } from "@nestjs/config";
 import { JwtService } from "@nestjs/jwt";
-import { randomUUID } from "crypto";
+import * as crypto from "crypto";
 import * as fs from "fs";
 import * as mime from "mime-types";
+import { ConfigService } from "src/config/config.service";
 import { PrismaService } from "src/prisma/prisma.service";
+import { SHARE_DIRECTORY } from "../constants";

@Injectable()
 export class FileService {
  constructor(
    private prisma: PrismaService,
    private jwtService: JwtService,
-    private config: ConfigService
+    private config: ConfigService,
  ) {}

-  async create(file: Express.Multer.File, shareId: string) {
+  async create(
+    data: string,
+    chunk: { index: number; total: number },
+    file: { id?: string; name: string },
+    shareId: string,
+  ) {
+    if (!file.id) file.id = crypto.randomUUID();
+
    const share = await this.prisma.share.findUnique({
      where: { id: shareId },
+      include: { files: true, reverseShare: true },
    });

    if (share.uploadLocked)
      throw new BadRequestException("Share is already completed");

-    const fileId = randomUUID();
+    let diskFileSize: number;
+    try {
+      diskFileSize = fs.statSync(
+        `${SHARE_DIRECTORY}/${shareId}/${file.id}.tmp-chunk`,
+      ).size;
+    } catch {
+      diskFileSize = 0;
+    }

-    await fs.promises.mkdir(`./data/uploads/shares/${shareId}`, {
-      recursive: true,
-    });
-    fs.promises.rename(
-      `./data/uploads/_temp/${file.filename}`,
-      `./data/uploads/shares/${shareId}/${fileId}`
+    // If the sent chunk index and the expected chunk index doesn't match throw an error
+    const chunkSize = this.config.get("share.chunkSize");
+    const expectedChunkIndex = Math.ceil(diskFileSize / chunkSize);
+
+    if (expectedChunkIndex != chunk.index)
+      throw new BadRequestException({
+        message: "Unexpected chunk received",
+        error: "unexpected_chunk_index",
+        expectedChunkIndex,
+      });
+
+    const buffer = Buffer.from(data, "base64");
+
+    // Check if share size limit is exceeded
+    const fileSizeSum = share.files.reduce(
+      (n, { size }) => n + parseInt(size),
+      0,
    );

-    return await this.prisma.file.create({
-      data: {
-        id: fileId,
-        name: file.originalname,
-        size: file.size.toString(),
-        share: { connect: { id: shareId } },
-      },
-    });
+    const shareSizeSum = fileSizeSum + diskFileSize + buffer.byteLength;
+
+    if (
+      shareSizeSum > this.config.get("share.maxSize") ||
+      (share.reverseShare?.maxShareSize &&
+        shareSizeSum > parseInt(share.reverseShare.maxShareSize))
+    ) {
+      throw new HttpException(
+        "Max share size exceeded",
+        HttpStatus.PAYLOAD_TOO_LARGE,
+      );
+    }
+
+    fs.appendFileSync(
+      `${SHARE_DIRECTORY}/${shareId}/${file.id}.tmp-chunk`,
+      buffer,
+    );
+
+    const isLastChunk = chunk.index == chunk.total - 1;
+    if (isLastChunk) {
+      fs.renameSync(
+        `${SHARE_DIRECTORY}/${shareId}/${file.id}.tmp-chunk`,
+        `${SHARE_DIRECTORY}/${shareId}/${file.id}`,
+      );
+      const fileSize = fs.statSync(
+        `${SHARE_DIRECTORY}/${shareId}/${file.id}`,
+      ).size;
+      await this.prisma.file.create({
+        data: {
+          id: file.id,
+          name: file.name,
+          size: fileSize.toString(),
+          share: { connect: { id: shareId } },
+        },
+      });
+    }
+
+    return file;
  }

  async get(shareId: string, fileId: string) {
@@ -53,9 +112,7 @@ export class FileService {

    if (!fileMetaData) throw new NotFoundException("File not found");

-    const file = fs.createReadStream(
-      `./data/uploads/shares/${shareId}/${fileId}`
-    );
+    const file = fs.createReadStream(`${SHARE_DIRECTORY}/${shareId}/${fileId}`);

    return {
      metaData: {
@@ -67,47 +124,26 @@ export class FileService {
    };
  }

+  async remove(shareId: string, fileId: string) {
+    const fileMetaData = await this.prisma.file.findUnique({
+      where: { id: fileId },
+    });
+
+    if (!fileMetaData) throw new NotFoundException("File not found");
+
+    fs.unlinkSync(`${SHARE_DIRECTORY}/${shareId}/${fileId}`);
+
+    await this.prisma.file.delete({ where: { id: fileId } });
+  }
+
  async deleteAllFiles(shareId: string) {
-    await fs.promises.rm(`./data/uploads/shares/${shareId}`, {
+    await fs.promises.rm(`${SHARE_DIRECTORY}/${shareId}`, {
      recursive: true,
      force: true,
    });
  }

  getZip(shareId: string) {
-    return fs.createReadStream(`./data/uploads/shares/${shareId}/archive.zip`);
-  }
-
-  getFileDownloadUrl(shareId: string, fileId: string) {
-    const downloadToken = this.generateFileDownloadToken(shareId, fileId);
-    return `${this.config.get(
-      "APP_URL"
-    )}/api/shares/${shareId}/files/${fileId}?token=${downloadToken}`;
-  }
-
-  generateFileDownloadToken(shareId: string, fileId: string) {
-    if (fileId == "zip") fileId = undefined;
-
-    return this.jwtService.sign(
-      {
-        shareId,
-        fileId,
-      },
-      {
-        expiresIn: "10min",
-        secret: this.config.get("JWT_SECRET"),
-      }
-    );
-  }
-
-  verifyFileDownloadToken(shareId: string, token: string) {
-    try {
-      const claims = this.jwtService.verify(token, {
-        secret: this.config.get("JWT_SECRET"),
-      });
-      return claims.shareId == shareId;
-    } catch {
-      return false;
-    }
+    return fs.createReadStream(`${SHARE_DIRECTORY}/${shareId}/archive.zip`);
  }
 }
--- a/backend/src/file/guard/fileDownload.guard.ts
+++ b/backend/src/file/guard/fileDownload.guard.ts
@@ -1,17 +0,0 @@
-import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
-import { Request } from "express";
-import { FileService } from "src/file/file.service";
-
-@Injectable()
-export class FileDownloadGuard implements CanActivate {
-  constructor(private fileService: FileService) {}
-
-  async canActivate(context: ExecutionContext) {
-    const request: Request = context.switchToHttp().getRequest();
-
-    const token = request.query.token as string;
-    const { shareId } = request.params;
-
-    return this.fileService.verifyFileDownloadToken(shareId, token);
-  }
-}
--- a/backend/src/file/guard/fileSecurity.guard.ts
+++ b/backend/src/file/guard/fileSecurity.guard.ts
@@ -0,0 +1,67 @@
+import {
+  ExecutionContext,
+  ForbiddenException,
+  Injectable,
+  NotFoundException,
+} from "@nestjs/common";
+import { Request } from "express";
+import * as moment from "moment";
+import { PrismaService } from "src/prisma/prisma.service";
+import { ShareSecurityGuard } from "src/share/guard/shareSecurity.guard";
+import { ShareService } from "src/share/share.service";
+import { ConfigService } from "src/config/config.service";
+
+@Injectable()
+export class FileSecurityGuard extends ShareSecurityGuard {
+  constructor(
+    private _shareService: ShareService,
+    private _prisma: PrismaService,
+    _config: ConfigService,
+  ) {
+    super(_shareService, _prisma, _config);
+  }
+
+  async canActivate(context: ExecutionContext) {
+    const request: Request = context.switchToHttp().getRequest();
+
+    const shareId = Object.prototype.hasOwnProperty.call(
+      request.params,
+      "shareId",
+    )
+      ? request.params.shareId
+      : request.params.id;
+
+    const shareToken = request.cookies[`share_${shareId}_token`];
+
+    const share = await this._prisma.share.findUnique({
+      where: { id: shareId },
+      include: { security: true },
+    });
+
+    // If there is no share token the user requests a file directly
+    if (!shareToken) {
+      if (
+        !share ||
+        (moment().isAfter(share.expiration) &&
+          !moment(share.expiration).isSame(0))
+      ) {
+        throw new NotFoundException("File not found");
+      }
+
+      if (share.security?.password)
+        throw new ForbiddenException("This share is password protected");
+
+      if (share.security?.maxViews && share.security.maxViews <= share.views) {
+        throw new ForbiddenException(
+          "Maximum views exceeded",
+          "share_max_views_exceeded",
+        );
+      }
+
+      await this._shareService.increaseViewCount(share);
+      return true;
+    } else {
+      return super.canActivate(context);
+    }
+  }
+}
--- a/backend/src/jobs/jobs.module.ts
+++ b/backend/src/jobs/jobs.module.ts
@@ -0,0 +1,10 @@
+import { Module } from "@nestjs/common";
+import { FileModule } from "src/file/file.module";
+import { ReverseShareModule } from "src/reverseShare/reverseShare.module";
+import { JobsService } from "./jobs.service";
+
+@Module({
+  imports: [FileModule, ReverseShareModule],
+  providers: [JobsService],
+})
+export class JobsModule {}
--- a/backend/src/jobs/jobs.service.ts
+++ b/backend/src/jobs/jobs.service.ts
@@ -1,14 +1,20 @@
-import { Injectable } from "@nestjs/common";
+import { Injectable, Logger } from "@nestjs/common";
 import { Cron } from "@nestjs/schedule";
+import * as fs from "fs";
+import * as moment from "moment";
 import { FileService } from "src/file/file.service";
 import { PrismaService } from "src/prisma/prisma.service";
-import * as moment from "moment";
+import { ReverseShareService } from "src/reverseShare/reverseShare.service";
+import { SHARE_DIRECTORY } from "../constants";

@Injectable()
 export class JobsService {
+  private readonly logger = new Logger(JobsService.name);
+
  constructor(
    private prisma: PrismaService,
-    private fileService: FileService
+    private reverseShareService: ReverseShareService,
+    private fileService: FileService,
  ) {}

  @Cron("0 * * * *")
@@ -31,14 +37,105 @@ export class JobsService {
      await this.fileService.deleteAllFiles(expiredShare.id);
    }

-    console.log(`job: deleted ${expiredShares.length} expired shares`);
+    if (expiredShares.length > 0) {
+      this.logger.log(`Deleted ${expiredShares.length} expired shares`);
+    }
  }

  @Cron("0 * * * *")
-  async deleteExpiredRefreshTokens() {
-    const expiredShares = await this.prisma.refreshToken.deleteMany({
+  async deleteExpiredReverseShares() {
+    const expiredReverseShares = await this.prisma.reverseShare.findMany({
+      where: {
+        shareExpiration: { lt: new Date() },
+      },
+    });
+
+    for (const expiredReverseShare of expiredReverseShares) {
+      await this.reverseShareService.remove(expiredReverseShare.id);
+    }
+
+    if (expiredReverseShares.length > 0) {
+      this.logger.log(
+        `Deleted ${expiredReverseShares.length} expired reverse shares`,
+      );
+    }
+  }
+
+  @Cron("0 */6 * * *")
+  async deleteUnfinishedShares() {
+    const unfinishedShares = await this.prisma.share.findMany({
+      where: {
+        createdAt: { lt: moment().subtract(1, "day").toDate() },
+        uploadLocked: false,
+      },
+    });
+
+    for (const unfinishedShare of unfinishedShares) {
+      await this.prisma.share.delete({
+        where: { id: unfinishedShare.id },
+      });
+
+      await this.fileService.deleteAllFiles(unfinishedShare.id);
+    }
+
+    if (unfinishedShares.length > 0) {
+      this.logger.log(`Deleted ${unfinishedShares.length} unfinished shares`);
+    }
+  }
+
+  @Cron("0 0 * * *")
+  deleteTemporaryFiles() {
+    let filesDeleted = 0;
+
+    const shareDirectories = fs
+      .readdirSync(SHARE_DIRECTORY, { withFileTypes: true })
+      .filter((dirent) => dirent.isDirectory())
+      .map((dirent) => dirent.name);
+
+    for (const shareDirectory of shareDirectories) {
+      const temporaryFiles = fs
+        .readdirSync(`${SHARE_DIRECTORY}/${shareDirectory}`)
+        .filter((file) => file.endsWith(".tmp-chunk"));
+
+      for (const file of temporaryFiles) {
+        const stats = fs.statSync(
+          `${SHARE_DIRECTORY}/${shareDirectory}/${file}`,
+        );
+        const isOlderThanOneDay = moment(stats.mtime)
+          .add(1, "day")
+          .isBefore(moment());
+
+        if (isOlderThanOneDay) {
+          fs.rmSync(`${SHARE_DIRECTORY}/${shareDirectory}/${file}`);
+          filesDeleted++;
+        }
+      }
+    }
+
+    this.logger.log(`Deleted ${filesDeleted} temporary files`);
+  }
+
+  @Cron("1 * * * *")
+  async deleteExpiredTokens() {
+    const { count: refreshTokenCount } =
+      await this.prisma.refreshToken.deleteMany({
+        where: { expiresAt: { lt: new Date() } },
+      });
+
+    const { count: loginTokenCount } = await this.prisma.loginToken.deleteMany({
      where: { expiresAt: { lt: new Date() } },
    });
-    console.log(`job: deleted ${expiredShares.count} expired refresh tokens`);
+
+    const { count: resetPasswordTokenCount } =
+      await this.prisma.resetPasswordToken.deleteMany({
+        where: { expiresAt: { lt: new Date() } },
+      });
+
+    const deletedTokensCount =
+      refreshTokenCount + loginTokenCount + resetPasswordTokenCount;
+
+    if (deletedTokensCount > 0) {
+      this.logger.log(`Deleted ${deletedTokensCount} expired refresh tokens`);
+    }
  }
 }
--- a/backend/src/main.ts
+++ b/backend/src/main.ts
@@ -1,15 +1,56 @@
-import { ClassSerializerInterceptor, ValidationPipe } from "@nestjs/common";
+import {
+  ClassSerializerInterceptor,
+  Logger,
+  ValidationPipe,
+} from "@nestjs/common";
 import { NestFactory, Reflector } from "@nestjs/core";
+import { NestExpressApplication } from "@nestjs/platform-express";
+import { DocumentBuilder, SwaggerModule } from "@nestjs/swagger";
+import * as bodyParser from "body-parser";
+import * as cookieParser from "cookie-parser";
+import { NextFunction, Request, Response } from "express";
 import * as fs from "fs";
 import { AppModule } from "./app.module";
+import { ConfigService } from "./config/config.service";
+import { DATA_DIRECTORY } from "./constants";
+
 async function bootstrap() {
-  const app = await NestFactory.create(AppModule);
-  app.useGlobalPipes(new ValidationPipe());
+  const app = await NestFactory.create<NestExpressApplication>(AppModule);
+  app.useGlobalPipes(new ValidationPipe({ whitelist: true }));
  app.useGlobalInterceptors(new ClassSerializerInterceptor(app.get(Reflector)));

-  await fs.promises.mkdir("./data/uploads/_temp", { recursive: true });
+  const config = app.get<ConfigService>(ConfigService);
+
+  app.use((req: Request, res: Response, next: NextFunction) => {
+    const chunkSize = config.get("share.chunkSize");
+    bodyParser.raw({
+      type: "application/octet-stream",
+      limit: `${chunkSize}B`,
+    })(req, res, next);
+  });
+
+  app.use(cookieParser());
+  app.set("trust proxy", true);
+
+  await fs.promises.mkdir(`${DATA_DIRECTORY}/uploads/_temp`, {
+    recursive: true,
+  });

  app.setGlobalPrefix("api");
-  await app.listen(8080);
+
+  // Setup Swagger in development mode
+  if (process.env.NODE_ENV == "development") {
+    const config = new DocumentBuilder()
+      .setTitle("Pingvin Share API")
+      .setVersion("1.0")
+      .build();
+    const document = SwaggerModule.createDocument(app, config);
+    SwaggerModule.setup("api/swagger", app, document);
+  }
+
+  await app.listen(parseInt(process.env.PORT) || 8080);
+
+  const logger = new Logger("UnhandledAsyncError");
+  process.on("unhandledRejection", (e) => logger.error(e));
 }
 bootstrap();
--- a/backend/src/oauth/dto/oauthCallback.dto.ts
+++ b/backend/src/oauth/dto/oauthCallback.dto.ts
@@ -0,0 +1,9 @@
+import { IsString } from "class-validator";
+
+export class OAuthCallbackDto {
+  @IsString()
+  code: string;
+
+  @IsString()
+  state: string;
+}
--- a/backend/src/oauth/dto/oauthSignIn.dto.ts
+++ b/backend/src/oauth/dto/oauthSignIn.dto.ts
@@ -0,0 +1,7 @@
+export interface OAuthSignInDto {
+  provider: "github" | "google" | "microsoft" | "discord" | "oidc";
+  providerId: string;
+  providerUsername: string;
+  email: string;
+  isAdmin?: boolean;
+}
--- a/backend/src/oauth/exceptions/errorPage.exception.ts
+++ b/backend/src/oauth/exceptions/errorPage.exception.ts
@@ -0,0 +1,15 @@
+export class ErrorPageException extends Error {
+  /**
+   * Exception for redirecting to error page (all i18n key should omit `error.msg` and `error.param` prefix)
+   * @param key i18n key of message
+   * @param redirect redirect url
+   * @param params message params (key)
+   */
+  constructor(
+    public readonly key: string = "default",
+    public readonly redirect?: string,
+    public readonly params?: string[],
+  ) {
+    super("error");
+  }
+}
--- a/backend/src/oauth/filter/errorPageException.filter.ts
+++ b/backend/src/oauth/filter/errorPageException.filter.ts
@@ -0,0 +1,39 @@
+import { ArgumentsHost, Catch, ExceptionFilter, Logger } from "@nestjs/common";
+import { ConfigService } from "../../config/config.service";
+import { ErrorPageException } from "../exceptions/errorPage.exception";
+
+@Catch(ErrorPageException)
+export class ErrorPageExceptionFilter implements ExceptionFilter {
+  private readonly logger = new Logger(ErrorPageExceptionFilter.name);
+
+  constructor(private config: ConfigService) {}
+
+  catch(exception: ErrorPageException, host: ArgumentsHost) {
+    this.logger.error(
+      JSON.stringify({
+        error: exception.key,
+        params: exception.params,
+        redirect: exception.redirect,
+      }),
+    );
+
+    const ctx = host.switchToHttp();
+    const response = ctx.getResponse();
+
+    const url = new URL(`${this.config.get("general.appUrl")}/error`);
+    url.searchParams.set("error", exception.key);
+    if (exception.redirect) {
+      url.searchParams.set("redirect", exception.redirect);
+    } else {
+      const redirect = ctx.getRequest().cookies.access_token
+        ? "/account"
+        : "/auth/signIn";
+      url.searchParams.set("redirect", redirect);
+    }
+    if (exception.params) {
+      url.searchParams.set("params", exception.params.join(","));
+    }
+
+    response.redirect(url.toString());
+  }
+}
--- a/backend/src/oauth/filter/oauthException.filter.ts
+++ b/backend/src/oauth/filter/oauthException.filter.ts
@@ -0,0 +1,38 @@
+import {
+  ArgumentsHost,
+  Catch,
+  ExceptionFilter,
+  HttpException,
+  Logger,
+} from "@nestjs/common";
+import { ConfigService } from "../../config/config.service";
+
+@Catch(HttpException)
+export class OAuthExceptionFilter implements ExceptionFilter {
+  private errorKeys: Record<string, string> = {
+    access_denied: "access_denied",
+    expired_token: "expired_token",
+  };
+  private readonly logger = new Logger(OAuthExceptionFilter.name);
+
+  constructor(private config: ConfigService) {}
+
+  catch(exception: HttpException, host: ArgumentsHost) {
+    const ctx = host.switchToHttp();
+    const response = ctx.getResponse();
+    const request = ctx.getRequest();
+
+    this.logger.error(exception.message);
+    this.logger.error(
+      "Request query: " + JSON.stringify(request.query, null, 2),
+    );
+
+    const key = this.errorKeys[request.query.error] || "default";
+
+    const url = new URL(`${this.config.get("general.appUrl")}/error`);
+    url.searchParams.set("redirect", "/account");
+    url.searchParams.set("error", key);
+
+    response.redirect(url.toString());
+  }
+}
--- a/backend/src/oauth/guard/oauth.guard.ts
+++ b/backend/src/oauth/guard/oauth.guard.ts
@@ -0,0 +1,12 @@
+import { CanActivate, ExecutionContext, Injectable } from "@nestjs/common";
+
+@Injectable()
+export class OAuthGuard implements CanActivate {
+  constructor() {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const request = context.switchToHttp().getRequest();
+    const provider = request.params.provider;
+    return request.query.state === request.cookies[`oauth_${provider}_state`];
+  }
+}
--- a/backend/src/oauth/guard/provider.guard.ts
+++ b/backend/src/oauth/guard/provider.guard.ts
@@ -0,0 +1,24 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  Inject,
+  Injectable,
+} from "@nestjs/common";
+import { ConfigService } from "../../config/config.service";
+
+@Injectable()
+export class ProviderGuard implements CanActivate {
+  constructor(
+    private config: ConfigService,
+    @Inject("OAUTH_PLATFORMS") private platforms: string[],
+  ) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const request = context.switchToHttp().getRequest();
+    const provider = request.params.provider;
+    return (
+      this.platforms.includes(provider) &&
+      this.config.get(`oauth.${provider}-enabled`)
+    );
+  }
+}
--- a/backend/src/oauth/oauth.controller.ts
+++ b/backend/src/oauth/oauth.controller.ts
@@ -0,0 +1,110 @@
+import {
+  Controller,
+  Get,
+  Inject,
+  Param,
+  Post,
+  Query,
+  Req,
+  Res,
+  UseFilters,
+  UseGuards,
+} from "@nestjs/common";
+import { User } from "@prisma/client";
+import { Request, Response } from "express";
+import { nanoid } from "nanoid";
+import { AuthService } from "../auth/auth.service";
+import { GetUser } from "../auth/decorator/getUser.decorator";
+import { JwtGuard } from "../auth/guard/jwt.guard";
+import { ConfigService } from "../config/config.service";
+import { OAuthCallbackDto } from "./dto/oauthCallback.dto";
+import { ErrorPageExceptionFilter } from "./filter/errorPageException.filter";
+import { OAuthGuard } from "./guard/oauth.guard";
+import { ProviderGuard } from "./guard/provider.guard";
+import { OAuthService } from "./oauth.service";
+import { OAuthProvider } from "./provider/oauthProvider.interface";
+import { OAuthExceptionFilter } from "./filter/oauthException.filter";
+
+@Controller("oauth")
+export class OAuthController {
+  constructor(
+    private authService: AuthService,
+    private oauthService: OAuthService,
+    private config: ConfigService,
+    @Inject("OAUTH_PROVIDERS")
+    private providers: Record<string, OAuthProvider<unknown>>,
+  ) {}
+
+  @Get("available")
+  available() {
+    return this.oauthService.available();
+  }
+
+  @Get("status")
+  @UseGuards(JwtGuard)
+  async status(@GetUser() user: User) {
+    return this.oauthService.status(user);
+  }
+
+  @Get("auth/:provider")
+  @UseGuards(ProviderGuard)
+  @UseFilters(ErrorPageExceptionFilter)
+  async auth(
+    @Param("provider") provider: string,
+    @Res({ passthrough: true }) response: Response,
+  ) {
+    const state = nanoid(16);
+    const url = await this.providers[provider].getAuthEndpoint(state);
+    response.cookie(`oauth_${provider}_state`, state, { sameSite: "lax" });
+    response.redirect(url);
+  }
+
+  @Get("callback/:provider")
+  @UseGuards(ProviderGuard, OAuthGuard)
+  @UseFilters(ErrorPageExceptionFilter, OAuthExceptionFilter)
+  async callback(
+    @Param("provider") provider: string,
+    @Query() query: OAuthCallbackDto,
+    @Req() request: Request,
+    @Res({ passthrough: true }) response: Response,
+  ) {
+    const oauthToken = await this.providers[provider].getToken(query);
+    const user = await this.providers[provider].getUserInfo(oauthToken, query);
+    const id = await this.authService.getIdOfCurrentUser(request);
+
+    if (id) {
+      await this.oauthService.link(
+        id,
+        provider,
+        user.providerId,
+        user.providerUsername,
+      );
+      response.redirect(this.config.get("general.appUrl") + "/account");
+    } else {
+      const token: {
+        accessToken?: string;
+        refreshToken?: string;
+        loginToken?: string;
+      } = await this.oauthService.signIn(user, request.ip);
+      if (token.accessToken) {
+        this.authService.addTokensToResponse(
+          response,
+          token.refreshToken,
+          token.accessToken,
+        );
+        response.redirect(this.config.get("general.appUrl"));
+      } else {
+        response.redirect(
+          this.config.get("general.appUrl") + `/auth/totp/${token.loginToken}`,
+        );
+      }
+    }
+  }
+
+  @Post("unlink/:provider")
+  @UseGuards(JwtGuard, ProviderGuard)
+  @UseFilters(ErrorPageExceptionFilter)
+  unlink(@GetUser() user: User, @Param("provider") provider: string) {
+    return this.oauthService.unlink(user, provider);
+  }
+}
--- a/backend/src/oauth/oauth.module.ts
+++ b/backend/src/oauth/oauth.module.ts
@@ -0,0 +1,56 @@
+import { Module } from "@nestjs/common";
+import { OAuthController } from "./oauth.controller";
+import { OAuthService } from "./oauth.service";
+import { AuthModule } from "../auth/auth.module";
+import { GitHubProvider } from "./provider/github.provider";
+import { GoogleProvider } from "./provider/google.provider";
+import { OAuthProvider } from "./provider/oauthProvider.interface";
+import { OidcProvider } from "./provider/oidc.provider";
+import { DiscordProvider } from "./provider/discord.provider";
+import { MicrosoftProvider } from "./provider/microsoft.provider";
+
+@Module({
+  controllers: [OAuthController],
+  providers: [
+    OAuthService,
+    GitHubProvider,
+    GoogleProvider,
+    MicrosoftProvider,
+    DiscordProvider,
+    OidcProvider,
+    {
+      provide: "OAUTH_PROVIDERS",
+      useFactory(
+        github: GitHubProvider,
+        google: GoogleProvider,
+        microsoft: MicrosoftProvider,
+        discord: DiscordProvider,
+        oidc: OidcProvider,
+      ): Record<string, OAuthProvider<unknown>> {
+        return {
+          github,
+          google,
+          microsoft,
+          discord,
+          oidc,
+        };
+      },
+      inject: [
+        GitHubProvider,
+        GoogleProvider,
+        MicrosoftProvider,
+        DiscordProvider,
+        OidcProvider,
+      ],
+    },
+    {
+      provide: "OAUTH_PLATFORMS",
+      useFactory(providers: Record<string, OAuthProvider<unknown>>): string[] {
+        return Object.keys(providers);
+      },
+      inject: ["OAUTH_PROVIDERS"],
+    },
+  ],
+  imports: [AuthModule],
+})
+export class OAuthModule {}
--- a/backend/src/oauth/oauth.service.ts
+++ b/backend/src/oauth/oauth.service.ts
@@ -0,0 +1,193 @@
+import { Inject, Injectable, Logger } from "@nestjs/common";
+import { User } from "@prisma/client";
+import { nanoid } from "nanoid";
+import { AuthService } from "../auth/auth.service";
+import { ConfigService } from "../config/config.service";
+import { PrismaService } from "../prisma/prisma.service";
+import { OAuthSignInDto } from "./dto/oauthSignIn.dto";
+import { ErrorPageException } from "./exceptions/errorPage.exception";
+
+@Injectable()
+export class OAuthService {
+  constructor(
+    private prisma: PrismaService,
+    private config: ConfigService,
+    private auth: AuthService,
+    @Inject("OAUTH_PLATFORMS") private platforms: string[],
+  ) {}
+  private readonly logger = new Logger(OAuthService.name);
+
+  available(): string[] {
+    return this.platforms
+      .map((platform) => [
+        platform,
+        this.config.get(`oauth.${platform}-enabled`),
+      ])
+      .filter(([_, enabled]) => enabled)
+      .map(([platform, _]) => platform);
+  }
+
+  async status(user: User) {
+    const oauthUsers = await this.prisma.oAuthUser.findMany({
+      select: {
+        provider: true,
+        providerUsername: true,
+      },
+      where: {
+        userId: user.id,
+      },
+    });
+    return Object.fromEntries(oauthUsers.map((u) => [u.provider, u]));
+  }
+
+  async signIn(user: OAuthSignInDto, ip: string) {
+    const oauthUser = await this.prisma.oAuthUser.findFirst({
+      where: {
+        provider: user.provider,
+        providerUserId: user.providerId,
+      },
+    });
+    if (oauthUser) {
+      await this.updateIsAdmin(user);
+      const updatedUser = await this.prisma.user.findFirst({
+        where: {
+          email: user.email,
+        },
+      });
+      this.logger.log(`Successful login for user ${user.email} from IP ${ip}`);
+      return this.auth.generateToken(updatedUser, true);
+    }
+
+    return this.signUp(user, ip);
+  }
+
+  async link(
+    userId: string,
+    provider: string,
+    providerUserId: string,
+    providerUsername: string,
+  ) {
+    const oauthUser = await this.prisma.oAuthUser.findFirst({
+      where: {
+        provider,
+        providerUserId,
+      },
+    });
+    if (oauthUser) {
+      throw new ErrorPageException("already_linked", "/account", [
+        `provider_${provider}`,
+      ]);
+    }
+
+    await this.prisma.oAuthUser.create({
+      data: {
+        userId,
+        provider,
+        providerUsername,
+        providerUserId,
+      },
+    });
+  }
+
+  async unlink(user: User, provider: string) {
+    const oauthUser = await this.prisma.oAuthUser.findFirst({
+      where: {
+        userId: user.id,
+        provider,
+      },
+    });
+    if (oauthUser) {
+      await this.prisma.oAuthUser.delete({
+        where: {
+          id: oauthUser.id,
+        },
+      });
+    } else {
+      throw new ErrorPageException("not_linked", "/account", [provider]);
+    }
+  }
+
+  private async getAvailableUsername(preferredUsername: string) {
+    // only remove + and - from preferred username for now (maybe not enough)
+    let username = preferredUsername.replace(/[+-]/g, "").substring(0, 20);
+    while (true) {
+      const user = await this.prisma.user.findFirst({
+        where: {
+          username: username,
+        },
+      });
+      if (user) {
+        username = username + "_" + nanoid(10).replaceAll("-", "");
+      } else {
+        return username;
+      }
+    }
+  }
+
+  private async signUp(user: OAuthSignInDto, ip: string) {
+    // register
+    if (!this.config.get("oauth.allowRegistration")) {
+      throw new ErrorPageException("no_user", "/auth/signIn", [
+        `provider_${user.provider}`,
+      ]);
+    }
+
+    if (!user.email) {
+      throw new ErrorPageException("no_email", "/auth/signIn", [
+        `provider_${user.provider}`,
+      ]);
+    }
+
+    const existingUser: User = await this.prisma.user.findFirst({
+      where: {
+        email: user.email,
+      },
+    });
+
+    if (existingUser) {
+      await this.prisma.oAuthUser.create({
+        data: {
+          provider: user.provider,
+          providerUserId: user.providerId.toString(),
+          providerUsername: user.providerUsername,
+          userId: existingUser.id,
+        },
+      });
+      await this.updateIsAdmin(user);
+      return this.auth.generateToken(existingUser, true);
+    }
+
+    const result = await this.auth.signUp(
+      {
+        email: user.email,
+        username: await this.getAvailableUsername(user.providerUsername),
+        password: null,
+      },
+      ip,
+      user.isAdmin,
+    );
+
+    await this.prisma.oAuthUser.create({
+      data: {
+        provider: user.provider,
+        providerUserId: user.providerId.toString(),
+        providerUsername: user.providerUsername,
+        userId: result.user.id,
+      },
+    });
+
+    return result;
+  }
+
+  private async updateIsAdmin(user: OAuthSignInDto) {
+    if ("isAdmin" in user)
+      await this.prisma.user.update({
+        where: {
+          email: user.email,
+        },
+        data: {
+          isAdmin: user.isAdmin,
+        },
+      });
+  }
+}
--- a/backend/src/oauth/provider/discord.provider.ts
+++ b/backend/src/oauth/provider/discord.provider.ts
@@ -0,0 +1,135 @@
+import { Injectable } from "@nestjs/common";
+import { ConfigService } from "../../config/config.service";
+import { OAuthCallbackDto } from "../dto/oauthCallback.dto";
+import { OAuthSignInDto } from "../dto/oauthSignIn.dto";
+import { ErrorPageException } from "../exceptions/errorPage.exception";
+import { OAuthProvider, OAuthToken } from "./oauthProvider.interface";
+@Injectable()
+export class DiscordProvider implements OAuthProvider<DiscordToken> {
+  constructor(private config: ConfigService) {}
+
+  getAuthEndpoint(state: string): Promise<string> {
+    let scope = "identify email";
+    if (this.config.get("oauth.discord-limitedGuild")) {
+      scope += " guilds";
+    }
+    return Promise.resolve(
+      "https://discord.com/api/oauth2/authorize?" +
+        new URLSearchParams({
+          client_id: this.config.get("oauth.discord-clientId"),
+          redirect_uri:
+            this.config.get("general.appUrl") + "/api/oauth/callback/discord",
+          response_type: "code",
+          state,
+          scope,
+        }).toString(),
+    );
+  }
+
+  private getAuthorizationHeader() {
+    return (
+      "Basic " +
+      Buffer.from(
+        this.config.get("oauth.discord-clientId") +
+          ":" +
+          this.config.get("oauth.discord-clientSecret"),
+      ).toString("base64")
+    );
+  }
+
+  async getToken(query: OAuthCallbackDto): Promise<OAuthToken<DiscordToken>> {
+    const res = await fetch("https://discord.com/api/v10/oauth2/token", {
+      method: "post",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        Authorization: this.getAuthorizationHeader(),
+      },
+      body: new URLSearchParams({
+        code: query.code,
+        grant_type: "authorization_code",
+        redirect_uri:
+          this.config.get("general.appUrl") + "/api/oauth/callback/discord",
+      }),
+    });
+    const token = (await res.json()) as DiscordToken;
+    return {
+      accessToken: token.access_token,
+      refreshToken: token.refresh_token,
+      expiresIn: token.expires_in,
+      scope: token.scope,
+      tokenType: token.token_type,
+      rawToken: token,
+    };
+  }
+
+  async getUserInfo(token: OAuthToken<DiscordToken>): Promise<OAuthSignInDto> {
+    const res = await fetch("https://discord.com/api/v10/users/@me", {
+      method: "get",
+      headers: {
+        Accept: "application/json",
+        Authorization: `${token.tokenType || "Bearer"} ${token.accessToken}`,
+      },
+    });
+    const user = (await res.json()) as DiscordUser;
+    if (user.verified === false) {
+      throw new ErrorPageException("unverified_account", undefined, [
+        "provider_discord",
+      ]);
+    }
+
+    const guild = this.config.get("oauth.discord-limitedGuild");
+    if (guild) {
+      await this.checkLimitedGuild(token, guild);
+    }
+
+    return {
+      provider: "discord",
+      providerId: user.id,
+      providerUsername: user.global_name ?? user.username,
+      email: user.email,
+    };
+  }
+
+  async checkLimitedGuild(token: OAuthToken<DiscordToken>, guildId: string) {
+    try {
+      const res = await fetch("https://discord.com/api/v10/users/@me/guilds", {
+        method: "get",
+        headers: {
+          Accept: "application/json",
+          Authorization: `${token.tokenType || "Bearer"} ${token.accessToken}`,
+        },
+      });
+      const guilds = (await res.json()) as DiscordPartialGuild[];
+      if (!guilds.some((guild) => guild.id === guildId)) {
+        throw new ErrorPageException("user_not_allowed");
+      }
+    } catch {
+      throw new ErrorPageException("user_not_allowed");
+    }
+  }
+}
+
+export interface DiscordToken {
+  access_token: string;
+  token_type: string;
+  expires_in: number;
+  refresh_token: string;
+  scope: string;
+}
+
+export interface DiscordUser {
+  id: string;
+  username: string;
+  global_name: string;
+  email: string;
+  verified: boolean;
+}
+
+export interface DiscordPartialGuild {
+  id: string;
+  name: string;
+  icon: string;
+  owner: boolean;
+  permissions: string;
+  features: string[];
+}
--- a/backend/src/oauth/provider/genericOidc.provider.ts
+++ b/backend/src/oauth/provider/genericOidc.provider.ts
@@ -0,0 +1,281 @@
+import { Logger } from "@nestjs/common";
+import { ConfigService } from "../../config/config.service";
+import { JwtService } from "@nestjs/jwt";
+import { Cache } from "cache-manager";
+import * as jmespath from "jmespath";
+import { nanoid } from "nanoid";
+import { OAuthCallbackDto } from "../dto/oauthCallback.dto";
+import { OAuthProvider, OAuthToken } from "./oauthProvider.interface";
+import { OAuthSignInDto } from "../dto/oauthSignIn.dto";
+import { ErrorPageException } from "../exceptions/errorPage.exception";
+
+export abstract class GenericOidcProvider implements OAuthProvider<OidcToken> {
+  protected discoveryUri: string;
+  private configuration: OidcConfigurationCache;
+  private jwk: OidcJwkCache;
+  private logger: Logger = new Logger(
+    Object.getPrototypeOf(this).constructor.name,
+  );
+
+  protected constructor(
+    protected name: string,
+    protected keyOfConfigUpdateEvents: string[],
+    protected config: ConfigService,
+    protected jwtService: JwtService,
+    protected cache: Cache,
+  ) {
+    this.discoveryUri = this.getDiscoveryUri();
+    this.config.addListener("update", (key: string) => {
+      if (this.keyOfConfigUpdateEvents.includes(key)) {
+        this.deinit();
+        this.discoveryUri = this.getDiscoveryUri();
+      }
+    });
+  }
+
+  protected getRedirectUri(): string {
+    return `${this.config.get("general.appUrl")}/api/oauth/callback/${
+      this.name
+    }`;
+  }
+
+  async getConfiguration(): Promise<OidcConfiguration> {
+    if (!this.configuration || this.configuration.expires < Date.now()) {
+      await this.fetchConfiguration();
+    }
+    return this.configuration.data;
+  }
+
+  async getJwk(): Promise<OidcJwk[]> {
+    if (!this.jwk || this.jwk.expires < Date.now()) {
+      await this.fetchJwk();
+    }
+    return this.jwk.data;
+  }
+
+  async getAuthEndpoint(state: string) {
+    const configuration = await this.getConfiguration();
+    const endpoint = configuration.authorization_endpoint;
+
+    const nonce = nanoid();
+    await this.cache.set(
+      `oauth-${this.name}-nonce-${state}`,
+      nonce,
+      1000 * 60 * 5,
+    );
+
+    return (
+      endpoint +
+      "?" +
+      new URLSearchParams({
+        client_id: this.config.get(`oauth.${this.name}-clientId`),
+        response_type: "code",
+        scope: "openid profile email",
+        redirect_uri: this.getRedirectUri(),
+        state,
+        nonce,
+      }).toString()
+    );
+  }
+
+  async getToken(query: OAuthCallbackDto): Promise<OAuthToken<OidcToken>> {
+    const configuration = await this.getConfiguration();
+    const endpoint = configuration.token_endpoint;
+    const res = await fetch(endpoint, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body: new URLSearchParams({
+        client_id: this.config.get(`oauth.${this.name}-clientId`),
+        client_secret: this.config.get(`oauth.${this.name}-clientSecret`),
+        grant_type: "authorization_code",
+        code: query.code,
+        redirect_uri: this.getRedirectUri(),
+      }).toString(),
+    });
+    const token = (await res.json()) as OidcToken;
+    return {
+      accessToken: token.access_token,
+      expiresIn: token.expires_in,
+      idToken: token.id_token,
+      refreshToken: token.refresh_token,
+      tokenType: token.token_type,
+      rawToken: token,
+    };
+  }
+
+  async getUserInfo(
+    token: OAuthToken<OidcToken>,
+    query: OAuthCallbackDto,
+    claim?: string,
+    roleConfig?: {
+      path?: string;
+      generalAccess?: string;
+      adminAccess?: string;
+    },
+  ): Promise<OAuthSignInDto> {
+    const idTokenData = this.decodeIdToken(token.idToken);
+    // maybe it's not necessary to verify the id token since it's directly obtained from the provider
+
+    const key = `oauth-${this.name}-nonce-${query.state}`;
+    const nonce = await this.cache.get(key);
+    await this.cache.del(key);
+    if (nonce !== idTokenData.nonce) {
+      this.logger.error(
+        `Invalid nonce. Expected ${nonce}, but got ${idTokenData.nonce}`,
+      );
+      throw new ErrorPageException("invalid_token");
+    }
+
+    const username = claim
+      ? idTokenData[claim]
+      : idTokenData.preferred_username ||
+        idTokenData.name ||
+        idTokenData.nickname;
+
+    let isAdmin: boolean;
+
+    if (roleConfig?.path) {
+      // A path to read roles from the token is configured
+      let roles: string[] | null;
+      try {
+        roles = jmespath.search(idTokenData, roleConfig.path);
+      } catch (e) {
+        roles = null;
+      }
+      if (Array.isArray(roles)) {
+        // Roles are found in the token
+        if (
+          roleConfig.generalAccess &&
+          !roles.includes(roleConfig.generalAccess)
+        ) {
+          // Role for general access is configured and the user does not have it
+          this.logger.error(
+            `User roles ${roles} do not include ${roleConfig.generalAccess}`,
+          );
+          throw new ErrorPageException("user_not_allowed");
+        }
+        if (roleConfig.adminAccess) {
+          // Role for admin access is configured
+          isAdmin = roles.includes(roleConfig.adminAccess);
+        }
+      } else {
+        this.logger.error(
+          `Roles not found at path ${roleConfig.path} in ID Token ${JSON.stringify(
+            idTokenData,
+            undefined,
+            2,
+          )}`,
+        );
+        throw new ErrorPageException("user_not_allowed");
+      }
+    }
+
+    if (!username) {
+      this.logger.error(
+        `Can not get username from ID Token ${JSON.stringify(
+          idTokenData,
+          undefined,
+          2,
+        )}`,
+      );
+      throw new ErrorPageException("cannot_get_user_info", undefined, [
+        `provider_${this.name}`,
+      ]);
+    }
+
+    return {
+      provider: this.name as any,
+      email: idTokenData.email,
+      providerId: idTokenData.sub,
+      providerUsername: username,
+      ...(isAdmin !== undefined && { isAdmin }),
+    };
+  }
+
+  protected abstract getDiscoveryUri(): string;
+
+  private async fetchConfiguration(): Promise<void> {
+    const res = await fetch(this.discoveryUri);
+    const expires = res.headers.has("expires")
+      ? new Date(res.headers.get("expires")).getTime()
+      : Date.now() + 1000 * 60 * 60 * 24;
+    this.configuration = {
+      expires,
+      data: (await res.json()) as OidcConfiguration,
+    };
+  }
+
+  private async fetchJwk(): Promise<void> {
+    const configuration = await this.getConfiguration();
+    const res = await fetch(configuration.jwks_uri);
+    const expires = res.headers.has("expires")
+      ? new Date(res.headers.get("expires")).getTime()
+      : Date.now() + 1000 * 60 * 60 * 24;
+    this.jwk = {
+      expires,
+      data: (await res.json())["keys"],
+    };
+  }
+
+  private deinit() {
+    this.discoveryUri = undefined;
+    this.configuration = undefined;
+    this.jwk = undefined;
+  }
+
+  private decodeIdToken(idToken: string): OidcIdToken {
+    return this.jwtService.decode(idToken) as OidcIdToken;
+  }
+}
+
+export interface OidcCache<T> {
+  expires: number;
+  data: T;
+}
+
+export interface OidcConfiguration {
+  issuer: string;
+  authorization_endpoint: string;
+  token_endpoint: string;
+  userinfo_endpoint?: string;
+  jwks_uri: string;
+  response_types_supported: string[];
+  id_token_signing_alg_values_supported: string[];
+  scopes_supported?: string[];
+  claims_supported?: string[];
+}
+
+export interface OidcJwk {
+  e: string;
+  alg: string;
+  kid: string;
+  use: string;
+  kty: string;
+  n: string;
+}
+
+export type OidcConfigurationCache = OidcCache<OidcConfiguration>;
+
+export type OidcJwkCache = OidcCache<OidcJwk[]>;
+
+export interface OidcToken {
+  access_token: string;
+  refresh_token: string;
+  token_type: string;
+  expires_in: number;
+  id_token: string;
+}
+
+export interface OidcIdToken {
+  iss: string;
+  sub: string;
+  exp: number;
+  iat: number;
+  email: string;
+  name: string;
+  nickname: string;
+  preferred_username: string;
+  nonce: string;
+}
--- a/backend/src/oauth/provider/github.provider.ts
+++ b/backend/src/oauth/provider/github.provider.ts
@@ -0,0 +1,111 @@
+import { Injectable } from "@nestjs/common";
+import { ConfigService } from "../../config/config.service";
+import { OAuthCallbackDto } from "../dto/oauthCallback.dto";
+import { OAuthSignInDto } from "../dto/oauthSignIn.dto";
+import { ErrorPageException } from "../exceptions/errorPage.exception";
+import { OAuthProvider, OAuthToken } from "./oauthProvider.interface";
+
+@Injectable()
+export class GitHubProvider implements OAuthProvider<GitHubToken> {
+  constructor(private config: ConfigService) {}
+
+  getAuthEndpoint(state: string): Promise<string> {
+    return Promise.resolve(
+      "https://github.com/login/oauth/authorize?" +
+        new URLSearchParams({
+          client_id: this.config.get("oauth.github-clientId"),
+          redirect_uri:
+            this.config.get("general.appUrl") + "/api/oauth/callback/github",
+          state: state,
+          scope: "user:email",
+        }).toString(),
+    );
+  }
+
+  async getToken(query: OAuthCallbackDto): Promise<OAuthToken<GitHubToken>> {
+    const res = await fetch(
+      "https://github.com/login/oauth/access_token?" +
+        new URLSearchParams({
+          client_id: this.config.get("oauth.github-clientId"),
+          client_secret: this.config.get("oauth.github-clientSecret"),
+          code: query.code,
+        }).toString(),
+      {
+        method: "post",
+        headers: {
+          Accept: "application/json",
+        },
+      },
+    );
+    const token = (await res.json()) as GitHubToken;
+    return {
+      accessToken: token.access_token,
+      tokenType: token.token_type,
+      scope: token.scope,
+      rawToken: token,
+    };
+  }
+
+  async getUserInfo(token: OAuthToken<GitHubToken>): Promise<OAuthSignInDto> {
+    if (!token.scope.includes("user:email")) {
+      throw new ErrorPageException("no_email", undefined, ["provider_github"]);
+    }
+    const user = await this.getGitHubUser(token);
+    const email = await this.getGitHubEmail(token);
+    if (!email) {
+      throw new ErrorPageException("no_email", undefined, ["provider_github"]);
+    }
+
+    return {
+      provider: "github",
+      providerId: user.id.toString(),
+      providerUsername: user.name ?? user.login,
+      email,
+    };
+  }
+
+  private async getGitHubUser(
+    token: OAuthToken<GitHubToken>,
+  ): Promise<GitHubUser> {
+    const res = await fetch("https://api.github.com/user", {
+      headers: {
+        Accept: "application/vnd.github+json",
+        Authorization: `${token.tokenType ?? "Bearer"} ${token.accessToken}`,
+      },
+    });
+    return (await res.json()) as GitHubUser;
+  }
+
+  private async getGitHubEmail(
+    token: OAuthToken<GitHubToken>,
+  ): Promise<string | undefined> {
+    const res = await fetch("https://api.github.com/user/public_emails", {
+      headers: {
+        Accept: "application/vnd.github+json",
+        Authorization: `${token.tokenType ?? "Bearer"} ${token.accessToken}`,
+      },
+    });
+    const emails = (await res.json()) as GitHubEmail[];
+    return emails.find((e) => e.primary && e.verified)?.email;
+  }
+}
+
+export interface GitHubToken {
+  access_token: string;
+  token_type: string;
+  scope: string;
+}
+
+export interface GitHubUser {
+  login: string;
+  id: number;
+  name?: string;
+  email?: string; // this filed seems only return null
+}
+
+export interface GitHubEmail {
+  email: string;
+  primary: boolean;
+  verified: boolean;
+  visibility: string | null;
+}
--- a/backend/src/oauth/provider/google.provider.ts
+++ b/backend/src/oauth/provider/google.provider.ts
@@ -0,0 +1,21 @@
+import { GenericOidcProvider } from "./genericOidc.provider";
+import { ConfigService } from "../../config/config.service";
+import { JwtService } from "@nestjs/jwt";
+import { Inject, Injectable } from "@nestjs/common";
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
+import { Cache } from "cache-manager";
+
+@Injectable()
+export class GoogleProvider extends GenericOidcProvider {
+  constructor(
+    config: ConfigService,
+    jwtService: JwtService,
+    @Inject(CACHE_MANAGER) cache: Cache,
+  ) {
+    super("google", ["oauth.google-enabled"], config, jwtService, cache);
+  }
+
+  protected getDiscoveryUri(): string {
+    return "https://accounts.google.com/.well-known/openid-configuration";
+  }
+}
--- a/backend/src/oauth/provider/microsoft.provider.ts
+++ b/backend/src/oauth/provider/microsoft.provider.ts
@@ -0,0 +1,29 @@
+import { GenericOidcProvider } from "./genericOidc.provider";
+import { ConfigService } from "../../config/config.service";
+import { JwtService } from "@nestjs/jwt";
+import { Inject, Injectable } from "@nestjs/common";
+import { CACHE_MANAGER } from "@nestjs/cache-manager";
+import { Cache } from "cache-manager";
+
+@Injectable()
+export class MicrosoftProvider extends GenericOidcProvider {
+  constructor(
+    config: ConfigService,
+    jwtService: JwtService,
+    @Inject(CACHE_MANAGER) cache: Cache,
+  ) {
+    super(
+      "microsoft",
+      ["oauth.microsoft-enabled", "oauth.microsoft-tenant"],
+      config,
+      jwtService,
+      cache,
+    );
+  }
+
+  protected getDiscoveryUri(): string {
+    return `https://login.microsoftonline.com/${this.config.get(
+      "oauth.microsoft-tenant",
+    )}/v2.0/.well-known/openid-configuration`;
+  }
+}
--- a/backend/src/oauth/provider/oauthProvider.interface.ts
+++ b/backend/src/oauth/provider/oauthProvider.interface.ts
@@ -0,0 +1,24 @@
+import { OAuthCallbackDto } from "../dto/oauthCallback.dto";
+import { OAuthSignInDto } from "../dto/oauthSignIn.dto";
+
+/**
+ * @typeParam T - type of token
+ * @typeParam C - type of callback query
+ */
+export interface OAuthProvider<T, C = OAuthCallbackDto> {
+  getAuthEndpoint(state: string): Promise<string>;
+
+  getToken(query: C): Promise<OAuthToken<T>>;
+
+  getUserInfo(token: OAuthToken<T>, query: C): Promise<OAuthSignInDto>;
+}
+
+export interface OAuthToken<T> {
+  accessToken: string;
+  expiresIn?: number;
+  refreshToken?: string;
+  tokenType?: string;
+  scope?: string;
+  idToken?: string;
+  rawToken: T;
+}
--- a/Show More
+++ b/Show More