release: 0.28.0

chore: resolve uncomplete merge conflict
chore(translations): update translations via Crowdin (#532 )
2024-07-22 13:36:54 +02:00 · 2024-07-22 13:36:41 +02:00 · 2024-07-22 11:01:20 +02:00 · 2024-07-17 23:26:57 +02:00 · 2024-07-17 23:25:42 +02:00 · 2024-07-16 19:17:53 +02:00
46 changed files with 641 additions and 147 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,24 @@
+## [0.28.0](https://github.com/stonith404/pingvin-share/compare/v0.27.0...v0.28.0) (2024-07-22)
+
+
+### Features
+
+* **auth:** Add role-based access management from OpenID Connect ([#535](https://github.com/stonith404/pingvin-share/issues/535)) ([70fd2d9](https://github.com/stonith404/pingvin-share/commit/70fd2d94be3411cc430f5c56e522028398127efb))
+
+
+### Bug Fixes
+
+* store only 10 share tokens in the cookies and clear the expired ones ([e5a0c64](https://github.com/stonith404/pingvin-share/commit/e5a0c649e36e0db419d04446affe2564c45cf321))
+
+## [0.27.0](https://github.com/stonith404/pingvin-share/compare/v0.26.0...v0.27.0) (2024-07-11)
+
+
+### Features
+
+* add logs for successful registration, successful login and failed login ([d2bfb9a](https://github.com/stonith404/pingvin-share/commit/d2bfb9a55fdad6a05377b8552471cf1151304c90))
+* **auth:** Allow to hide username / password login form when OAuth is enabled ([#518](https://github.com/stonith404/pingvin-share/issues/518)) ([e1a68f7](https://github.com/stonith404/pingvin-share/commit/e1a68f75f7b034f1ef9e45f26de584f13e355589)), closes [#489](https://github.com/stonith404/pingvin-share/issues/489)
+* **smtp:** allow unauthorized mail server certificates ([#525](https://github.com/stonith404/pingvin-share/issues/525)) ([083d82c](https://github.com/stonith404/pingvin-share/commit/083d82c28b835c178f076e89ef8f5885e8ea31cb))
+
 ## [0.26.0](https://github.com/stonith404/pingvin-share/compare/v0.25.0...v0.26.0) (2024-07-03)


--- a/backend/package-lock.json
+++ b/backend/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "pingvin-share-backend",
-  "version": "0.26.0",
+  "version": "0.28.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "pingvin-share-backend",
-      "version": "0.26.0",
+      "version": "0.28.0",
      "dependencies": {
        "@nestjs/cache-manager": "^2.2.2",
        "@nestjs/common": "^10.3.9",
@@ -19,6 +19,7 @@
        "@nestjs/swagger": "^7.3.1",
        "@nestjs/throttler": "^5.2.0",
        "@prisma/client": "^5.16.1",
+        "@types/jmespath": "^0.15.2",
        "archiver": "^7.0.1",
        "argon2": "^0.40.3",
        "body-parser": "^1.20.2",
@@ -28,6 +29,7 @@
        "class-validator": "^0.14.1",
        "content-disposition": "^0.5.4",
        "cookie-parser": "^1.4.6",
+        "jmespath": "^0.16.0",
        "mime-types": "^2.1.35",
        "moment": "^2.30.1",
        "nanoid": "^3.3.7",
@@ -1994,6 +1996,12 @@
        "@types/range-parser": "*"
      }
    },
+    "node_modules/@types/jmespath": {
+      "version": "0.15.2",
+      "resolved": "https://registry.npmjs.org/@types/jmespath/-/jmespath-0.15.2.tgz",
+      "integrity": "sha512-pegh49FtNsC389Flyo9y8AfkVIZn9MMPE9yJrO9svhq6Fks2MwymULWjZqySuxmctd3ZH4/n7Mr98D+1Qo5vGA==",
+      "license": "MIT"
+    },
    "node_modules/@types/json-schema": {
      "version": "7.0.12",
      "resolved": "https://registry.npmjs.org/@types/json-schema/-/json-schema-7.0.12.tgz",
@@ -5523,6 +5531,15 @@
        "url": "https://github.com/chalk/supports-color?sponsor=1"
      }
    },
+    "node_modules/jmespath": {
+      "version": "0.16.0",
+      "resolved": "https://registry.npmjs.org/jmespath/-/jmespath-0.16.0.tgz",
+      "integrity": "sha512-9FzQjJ7MATs1tSpnco1K6ayiYE3figslrXA72G2HQ/n76RzvYlofyi5QM+iX4YRs/pu3yzxlVQSST23+dMDknw==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">= 0.6.0"
+      }
+    },
    "node_modules/joi": {
      "version": "17.11.0",
      "resolved": "https://registry.npmjs.org/joi/-/joi-17.11.0.tgz",
--- a/backend/package.json
+++ b/backend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "pingvin-share-backend",
-  "version": "0.26.0",
+  "version": "0.28.0",
  "scripts": {
    "build": "nest build",
    "dev": "cross-env NODE_ENV=development nest start --watch",
@@ -24,6 +24,7 @@
    "@nestjs/swagger": "^7.3.1",
    "@nestjs/throttler": "^5.2.0",
    "@prisma/client": "^5.16.1",
+    "@types/jmespath": "^0.15.2",
    "archiver": "^7.0.1",
    "argon2": "^0.40.3",
    "body-parser": "^1.20.2",
@@ -33,6 +34,7 @@
    "class-validator": "^0.14.1",
    "content-disposition": "^0.5.4",
    "cookie-parser": "^1.4.6",
+    "jmespath": "^0.16.0",
    "mime-types": "^2.1.35",
    "moment": "^2.30.1",
    "nanoid": "^3.3.7",
--- a/backend/prisma/seed/config.seed.ts
+++ b/backend/prisma/seed/config.seed.ts
@@ -71,7 +71,6 @@ const configVariables: ConfigVariables = {
    enableShareEmailRecipients: {
      type: "boolean",
      defaultValue: "false",
-
      secret: false,
    },
    shareRecipientsSubject: {
@@ -117,6 +116,12 @@ const configVariables: ConfigVariables = {
      defaultValue: "false",
      secret: false,
    },
+    allowUnauthorizedCertificates: {
+      type: "boolean",
+      defaultValue: "false",
+
+      secret: false,
+    },
    host: {
      type: "string",
      defaultValue: "",
@@ -148,6 +153,11 @@ const configVariables: ConfigVariables = {
      type: "boolean",
      defaultValue: "true",
    },
+    "disablePassword": {
+      type: "boolean",
+      defaultValue: "false",
+      secret: false,
+    },
    "github-enabled": {
      type: "boolean",
      defaultValue: "false",
@@ -220,6 +230,18 @@ const configVariables: ConfigVariables = {
      type: "string",
      defaultValue: "",
    },
+    "oidc-rolePath": {
+      type: "string",
+      defaultValue: "",
+    },
+    "oidc-roleGeneralAccess": {
+      type: "string",
+      defaultValue: "",
+    },
+    "oidc-roleAdminAccess": {
+      type: "string",
+      defaultValue: "",
+    },
    "oidc-clientId": {
      type: "string",
      defaultValue: "",
@@ -229,7 +251,7 @@ const configVariables: ConfigVariables = {
      defaultValue: "",
      obscured: true,
    },
-  }
+  },
 };

 type ConfigVariables = {
@@ -281,12 +303,15 @@ async function seedConfigVariables() {

 async function migrateConfigVariables() {
  const existingConfigVariables = await prisma.config.findMany();
+  const orderMap: { [category: string]: number } = {};

  for (const existingConfigVariable of existingConfigVariables) {
    const configVariable =
      configVariables[existingConfigVariable.category]?.[
-      existingConfigVariable.name
+        existingConfigVariable.name
      ];
+
+    // Delete the config variable if it doesn't exist in the seed
    if (!configVariable) {
      await prisma.config.delete({
        where: {
@@ -297,15 +322,11 @@ async function migrateConfigVariables() {
        },
      });

-      // Update the config variable if the metadata changed
-    } else if (
-      JSON.stringify({
-        ...configVariable,
-        name: existingConfigVariable.name,
-        category: existingConfigVariable.category,
-        value: existingConfigVariable.value,
-      }) != JSON.stringify(existingConfigVariable)
-    ) {
+      // Update the config variable if it exists in the seed
+    } else {
+      const variableOrder = Object.keys(
+        configVariables[existingConfigVariable.category]
+      ).indexOf(existingConfigVariable.name);
      await prisma.config.update({
        where: {
          name_category: {
@@ -318,8 +339,10 @@ async function migrateConfigVariables() {
          name: existingConfigVariable.name,
          category: existingConfigVariable.category,
          value: existingConfigVariable.value,
+          order: variableOrder,
        },
      });
+      orderMap[existingConfigVariable.category] = variableOrder + 1;
    }
  }
 }
--- a/backend/src/auth/auth.controller.ts
+++ b/backend/src/auth/auth.controller.ts
@@ -45,12 +45,13 @@ export class AuthController {
  })
  async signUp(
    @Body() dto: AuthRegisterDTO,
+    @Req() { ip }: Request,
    @Res({ passthrough: true }) response: Response,
  ) {
    if (!this.config.get("share.allowRegistration"))
      throw new ForbiddenException("Registration is not allowed");

-    const result = await this.authService.signUp(dto);
+    const result = await this.authService.signUp(dto, ip);

    this.authService.addTokensToResponse(
      response,
@@ -71,9 +72,10 @@ export class AuthController {
  @HttpCode(200)
  async signIn(
    @Body() dto: AuthSignInDTO,
+    @Req() { ip }: Request,
    @Res({ passthrough: true }) response: Response,
  ) {
-    const result = await this.authService.signIn(dto);
+    const result = await this.authService.signIn(dto, ip);

    if (result.accessToken && result.refreshToken) {
      this.authService.addTokensToResponse(
--- a/backend/src/auth/auth.service.ts
+++ b/backend/src/auth/auth.service.ts
@@ -2,6 +2,7 @@ import {
  BadRequestException,
  ForbiddenException,
  Injectable,
+  Logger,
  UnauthorizedException,
 } from "@nestjs/common";
 import { JwtService } from "@nestjs/jwt";
@@ -24,8 +25,9 @@ export class AuthService {
    private config: ConfigService,
    private emailService: EmailService,
  ) {}
+  private readonly logger = new Logger(AuthService.name);

-  async signUp(dto: AuthRegisterDTO) {
+  async signUp(dto: AuthRegisterDTO, ip: string, isAdmin?: boolean) {
    const isFirstUser = (await this.prisma.user.count()) == 0;

    const hash = dto.password ? await argon.hash(dto.password) : null;
@@ -35,7 +37,7 @@ export class AuthService {
          email: dto.email,
          username: dto.username,
          password: hash,
-          isAdmin: isFirstUser,
+          isAdmin: isAdmin ?? isFirstUser,
        },
      });

@@ -44,6 +46,7 @@ export class AuthService {
      );
      const accessToken = await this.createAccessToken(user, refreshTokenId);

+      this.logger.log(`User ${user.email} signed up from IP ${ip}`);
      return { accessToken, refreshToken, user };
    } catch (e) {
      if (e instanceof PrismaClientKnownRequestError) {
@@ -57,19 +60,27 @@ export class AuthService {
    }
  }

-  async signIn(dto: AuthSignInDTO) {
+  async signIn(dto: AuthSignInDTO, ip: string) {
    if (!dto.email && !dto.username)
      throw new BadRequestException("Email or username is required");

+    if (this.config.get("oauth.disablePassword"))
+      throw new ForbiddenException("Password sign in is disabled");
+
    const user = await this.prisma.user.findFirst({
      where: {
        OR: [{ email: dto.email }, { username: dto.username }],
      },
    });

-    if (!user || !(await argon.verify(user.password, dto.password)))
+    if (!user || !(await argon.verify(user.password, dto.password))) {
+      this.logger.log(
+        `Failed login attempt for user ${dto.email} from IP ${ip}`,
+      );
      throw new UnauthorizedException("Wrong email or password");
+    }

+    this.logger.log(`Successful login for user ${user.email} from IP ${ip}`);
    return this.generateToken(user);
  }

@@ -94,6 +105,9 @@ export class AuthService {
  }

  async requestResetPassword(email: string) {
+    if (this.config.get("oauth.disablePassword"))
+      throw new ForbiddenException("Password sign in is disabled");
+
    const user = await this.prisma.user.findFirst({
      where: { email },
      include: { resetPasswordToken: true },
@@ -119,6 +133,9 @@ export class AuthService {
  }

  async resetPassword(token: string, newPassword: string) {
+    if (this.config.get("oauth.disablePassword"))
+      throw new ForbiddenException("Password sign in is disabled");
+
    const user = await this.prisma.user.findFirst({
      where: { resetPasswordToken: { token } },
    });
--- a/backend/src/email/email.service.ts
+++ b/backend/src/email/email.service.ts
@@ -25,6 +25,11 @@ export class EmailService {
        user: this.config.get("smtp.username"),
        pass: this.config.get("smtp.password"),
      },
+      tls: {
+        rejectUnauthorized: !this.config.get(
+          "smtp.allowUnauthorizedCertificates",
+        ),
+      },
    });
  }

--- a/backend/src/oauth/dto/oauthSignIn.dto.ts
+++ b/backend/src/oauth/dto/oauthSignIn.dto.ts
@@ -3,4 +3,5 @@ export interface OAuthSignInDto {
  providerId: string;
  providerUsername: string;
  email: string;
+  isAdmin?: boolean;
 }
--- a/backend/src/oauth/oauth.controller.ts
+++ b/backend/src/oauth/oauth.controller.ts
@@ -85,7 +85,7 @@ export class OAuthController {
        accessToken?: string;
        refreshToken?: string;
        loginToken?: string;
-      } = await this.oauthService.signIn(user);
+      } = await this.oauthService.signIn(user, request.ip);
      if (token.accessToken) {
        this.authService.addTokensToResponse(
          response,
--- a/backend/src/oauth/oauth.service.ts
+++ b/backend/src/oauth/oauth.service.ts
@@ -1,4 +1,4 @@
-import { Inject, Injectable } from "@nestjs/common";
+import { Inject, Injectable, Logger } from "@nestjs/common";
 import { User } from "@prisma/client";
 import { nanoid } from "nanoid";
 import { AuthService } from "../auth/auth.service";
@@ -15,6 +15,7 @@ export class OAuthService {
    private auth: AuthService,
    @Inject("OAUTH_PLATFORMS") private platforms: string[],
  ) {}
+  private readonly logger = new Logger(OAuthService.name);

  available(): string[] {
    return this.platforms
@@ -39,21 +40,25 @@ export class OAuthService {
    return Object.fromEntries(oauthUsers.map((u) => [u.provider, u]));
  }

-  async signIn(user: OAuthSignInDto) {
+  async signIn(user: OAuthSignInDto, ip: string) {
    const oauthUser = await this.prisma.oAuthUser.findFirst({
      where: {
        provider: user.provider,
        providerUserId: user.providerId,
      },
-      include: {
-        user: true,
-      },
    });
    if (oauthUser) {
-      return this.auth.generateToken(oauthUser.user, true);
+      await this.updateIsAdmin(user);
+      const updatedUser = await this.prisma.user.findFirst({
+        where: {
+          email: user.email,
+        },
+      });
+      this.logger.log(`Successful login for user ${user.email} from IP ${ip}`);
+      return this.auth.generateToken(updatedUser, true);
    }

-    return this.signUp(user);
+    return this.signUp(user, ip);
  }

  async link(
@@ -119,7 +124,7 @@ export class OAuthService {
    }
  }

-  private async signUp(user: OAuthSignInDto) {
+  private async signUp(user: OAuthSignInDto, ip: string) {
    // register
    if (!this.config.get("oauth.allowRegistration")) {
      throw new ErrorPageException("no_user", "/auth/signIn", [
@@ -148,14 +153,19 @@ export class OAuthService {
          userId: existingUser.id,
        },
      });
+      await this.updateIsAdmin(user);
      return this.auth.generateToken(existingUser, true);
    }

-    const result = await this.auth.signUp({
-      email: user.email,
-      username: await this.getAvailableUsername(user.providerUsername),
-      password: null,
-    });
+    const result = await this.auth.signUp(
+      {
+        email: user.email,
+        username: await this.getAvailableUsername(user.providerUsername),
+        password: null,
+      },
+      ip,
+      user.isAdmin,
+    );

    await this.prisma.oAuthUser.create({
      data: {
@@ -168,4 +178,16 @@ export class OAuthService {

    return result;
  }
+
+  private async updateIsAdmin(user: OAuthSignInDto) {
+    if ("isAdmin" in user)
+      await this.prisma.user.update({
+        where: {
+          email: user.email,
+        },
+        data: {
+          isAdmin: user.isAdmin,
+        },
+      });
+  }
 }
--- a/backend/src/oauth/provider/discord.provider.ts
+++ b/backend/src/oauth/provider/discord.provider.ts
@@ -101,10 +101,10 @@ export class DiscordProvider implements OAuthProvider<DiscordToken> {
      });
      const guilds = (await res.json()) as DiscordPartialGuild[];
      if (!guilds.some((guild) => guild.id === guildId)) {
-        throw new ErrorPageException("discord_guild_permission_denied");
+        throw new ErrorPageException("user_not_allowed");
      }
    } catch {
-      throw new ErrorPageException("discord_guild_permission_denied");
+      throw new ErrorPageException("user_not_allowed");
    }
  }
 }
--- a/backend/src/oauth/provider/genericOidc.provider.ts
+++ b/backend/src/oauth/provider/genericOidc.provider.ts
@@ -2,6 +2,7 @@ import { Logger } from "@nestjs/common";
 import { ConfigService } from "../../config/config.service";
 import { JwtService } from "@nestjs/jwt";
 import { Cache } from "cache-manager";
+import * as jmespath from "jmespath";
 import { nanoid } from "nanoid";
 import { OAuthCallbackDto } from "../dto/oauthCallback.dto";
 import { OAuthProvider, OAuthToken } from "./oauthProvider.interface";
@@ -108,6 +109,11 @@ export abstract class GenericOidcProvider implements OAuthProvider<OidcToken> {
    token: OAuthToken<OidcToken>,
    query: OAuthCallbackDto,
    claim?: string,
+    roleConfig?: {
+      path?: string;
+      generalAccess?: string;
+      adminAccess?: string;
+    },
  ): Promise<OAuthSignInDto> {
    const idTokenData = this.decodeIdToken(token.idToken);
    // maybe it's not necessary to verify the id token since it's directly obtained from the provider
@@ -127,6 +133,39 @@ export abstract class GenericOidcProvider implements OAuthProvider<OidcToken> {
      : idTokenData.preferred_username ||
        idTokenData.name ||
        idTokenData.nickname;
+    
+    let isAdmin: boolean;
+    
+    if (roleConfig?.path) {
+      // A path to read roles from the token is configured
+      let roles: string[] | null;
+      try {
+        roles = jmespath.search(idTokenData, roleConfig.path);
+      } catch (e) {
+        roles = null;
+      }
+      if (Array.isArray(roles)) {
+        // Roles are found in the token
+        if (roleConfig.generalAccess && !roles.includes(roleConfig.generalAccess)) {
+          // Role for general access is configured and the user does not have it
+          this.logger.error(`User roles ${roles} do not include ${roleConfig.generalAccess}`);
+          throw new ErrorPageException("user_not_allowed");
+        }
+        if (roleConfig.adminAccess) {
+          // Role for admin access is configured
+          isAdmin = roles.includes(roleConfig.adminAccess);
+        }
+      } else {
+        this.logger.error(
+          `Roles not found at path ${roleConfig.path} in ID Token ${JSON.stringify(
+            idTokenData,
+            undefined,
+            2,
+          )}`,
+        );
+        throw new ErrorPageException("user_not_allowed");
+      }
+    }

    if (!username) {
      this.logger.error(
@@ -146,6 +185,7 @@ export abstract class GenericOidcProvider implements OAuthProvider<OidcToken> {
      email: idTokenData.email,
      providerId: idTokenData.sub,
      providerUsername: username,
+      ...(isAdmin !== undefined && { isAdmin }),
    };
  }

--- a/backend/src/oauth/provider/oidc.provider.ts
+++ b/backend/src/oauth/provider/oidc.provider.ts
@@ -34,6 +34,13 @@ export class OidcProvider extends GenericOidcProvider {
    _?: string,
  ): Promise<OAuthSignInDto> {
    const claim = this.config.get("oauth.oidc-usernameClaim") || undefined;
-    return super.getUserInfo(token, query, claim);
+    const rolePath = this.config.get("oauth.oidc-rolePath") || undefined;
+    const roleGeneralAccess = this.config.get("oauth.oidc-roleGeneralAccess") || undefined;
+    const roleAdminAccess = this.config.get("oauth.oidc-roleAdminAccess") || undefined;
+    return super.getUserInfo(token, query, claim, {
+      path: rolePath,
+      generalAccess: roleGeneralAccess,
+      adminAccess: roleAdminAccess,
+    });
  }
 }
--- a/backend/src/share/share.controller.ts
+++ b/backend/src/share/share.controller.ts
@@ -10,9 +10,11 @@ import {
  Res,
  UseGuards,
 } from "@nestjs/common";
+import { JwtService } from "@nestjs/jwt";
 import { Throttle } from "@nestjs/throttler";
 import { User } from "@prisma/client";
 import { Request, Response } from "express";
+import * as moment from "moment";
 import { GetUser } from "src/auth/decorator/getUser.decorator";
 import { AdministratorGuard } from "src/auth/guard/isAdmin.guard";
 import { JwtGuard } from "src/auth/guard/jwt.guard";
@@ -29,7 +31,10 @@ import { ShareTokenSecurity } from "./guard/shareTokenSecurity.guard";
 import { ShareService } from "./share.service";
@Controller("shares")
 export class ShareController {
-  constructor(private shareService: ShareService) {}
+  constructor(
+    private shareService: ShareService,
+    private jwtService: JwtService,
+  ) {}

  @Get("all")
  @UseGuards(JwtGuard, AdministratorGuard)
@@ -121,10 +126,13 @@ export class ShareController {
  @Post(":id/token")
  async getShareToken(
    @Param("id") id: string,
+    @Req() request: Request,
    @Res({ passthrough: true }) response: Response,
    @Body() body: SharePasswordDto,
  ) {
    const token = await this.shareService.getShareToken(id, body.password);
+
+    this.clearShareTokenCookies(request, response);
    response.cookie(`share_${id}_token`, token, {
      path: "/",
      httpOnly: true,
@@ -132,4 +140,32 @@ export class ShareController {

    return { token };
  }
+
+  /**
+   * Keeps the 10 most recent share token cookies and deletes the rest and all expired ones
+   */
+  private clearShareTokenCookies(request: Request, response: Response) {
+    const shareTokenCookies = Object.entries(request.cookies)
+      .filter(([key]) => key.startsWith("share_") && key.endsWith("_token"))
+      .map(([key, value]) => ({
+        key,
+        payload: this.jwtService.decode(value),
+      }));
+
+    const expiredTokens = shareTokenCookies.filter(
+      (cookie) => cookie.payload.exp < moment().unix(),
+    );
+    const validTokens = shareTokenCookies.filter(
+      (cookie) => cookie.payload.exp >= moment().unix(),
+    );
+
+    expiredTokens.forEach((cookie) => response.clearCookie(cookie.key));
+
+    if (validTokens.length > 10) {
+      validTokens
+        .sort((a, b) => a.payload.exp - b.payload.exp)
+        .slice(0, -10)
+        .forEach((cookie) => response.clearCookie(cookie.key));
+    }
+  }
 }
--- a/backend/src/share/share.service.ts
+++ b/backend/src/share/share.service.ts
@@ -4,7 +4,7 @@ import {
  Injectable,
  NotFoundException,
 } from "@nestjs/common";
-import { JwtService } from "@nestjs/jwt";
+import { JwtService, JwtSignOptions } from "@nestjs/jwt";
 import { Share, User } from "@prisma/client";
 import * as archiver from "archiver";
 import * as argon from "argon2";
@@ -328,15 +328,21 @@ export class ShareService {
    const { expiration } = await this.prisma.share.findUnique({
      where: { id: shareId },
    });
-    return this.jwtService.sign(
-      {
-        shareId,
-      },
-      {
-        expiresIn: moment(expiration).diff(new Date(), "seconds") + "s",
-        secret: this.config.get("internal.jwtSecret"),
-      },
-    );
+
+    const tokenPayload = {
+      shareId,
+      iat: moment().unix(),
+    };
+
+    const tokenOptions: JwtSignOptions = {
+      secret: this.config.get("internal.jwtSecret"),
+    };
+
+    if (!moment(expiration).isSame(0)) {
+      tokenOptions.expiresIn = moment(expiration).diff(new Date(), "seconds");
+    }
+
+    return this.jwtService.sign(tokenPayload, tokenOptions);
  }

  async verifyShareToken(shareId: string, token: string) {
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@@ -1,4 +1,3 @@
-version: '3.8'
 services:
  clamav:
    restart: unless-stopped
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,4 +1,3 @@
-version: '3.8'
 services:
  pingvin-share:
    image: stonith404/pingvin-share
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "pingvin-share-frontend",
-  "version": "0.26.0",
+  "version": "0.28.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "pingvin-share-frontend",
-      "version": "0.26.0",
+      "version": "0.28.0",
      "dependencies": {
        "@emotion/react": "^11.11.4",
        "@emotion/server": "^11.11.0",
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -1,6 +1,6 @@
 {
  "name": "pingvin-share-frontend",
-  "version": "0.26.0",
+  "version": "0.28.0",
  "scripts": {
    "dev": "next dev",
    "build": "next build",
--- a/frontend/src/components/auth/SignInForm.tsx
+++ b/frontend/src/components/auth/SignInForm.tsx
@@ -28,6 +28,19 @@ import toast from "../../utils/toast.util";
 import { safeRedirectPath } from "../../utils/router.util";

 const useStyles = createStyles((theme) => ({
+  signInWith: {
+    fontWeight: 500,
+    "&:before": {
+      content: "''",
+      flex: 1,
+      display: "block",
+    },
+    "&:after": {
+      content: "''",
+      flex: 1,
+      display: "block",
+    },
+  },
  or: {
    "&:before": {
      content: "''",
@@ -128,49 +141,58 @@ const SignInForm = ({ redirectPath }: { redirectPath: string }) => {
        </Text>
      )}
      <Paper withBorder shadow="md" p={30} mt={30} radius="md">
-        <form
-          onSubmit={form.onSubmit((values) => {
-            signIn(values.emailOrUsername, values.password);
-          })}
-        >
-          <TextInput
-            label={t("signin.input.email-or-username")}
-            placeholder={t("signin.input.email-or-username.placeholder")}
-            {...form.getInputProps("emailOrUsername")}
-          />
-          <PasswordInput
-            label={t("signin.input.password")}
-            placeholder={t("signin.input.password.placeholder")}
-            mt="md"
-            {...form.getInputProps("password")}
-          />
-          {config.get("smtp.enabled") && (
-            <Group position="right" mt="xs">
-              <Anchor component={Link} href="/auth/resetPassword" size="xs">
-                <FormattedMessage id="resetPassword.title" />
-              </Anchor>
-            </Group>
-          )}
-          <Button fullWidth mt="xl" type="submit">
-            <FormattedMessage id="signin.button.submit" />
-          </Button>
-        </form>
+        {config.get("oauth.disablePassword") || (
+          <form
+            onSubmit={form.onSubmit((values) => {
+              signIn(values.emailOrUsername, values.password);
+            })}
+          >
+            <TextInput
+              label={t("signin.input.email-or-username")}
+              placeholder={t("signin.input.email-or-username.placeholder")}
+              {...form.getInputProps("emailOrUsername")}
+            />
+            <PasswordInput
+              label={t("signin.input.password")}
+              placeholder={t("signin.input.password.placeholder")}
+              mt="md"
+              {...form.getInputProps("password")}
+            />
+            {config.get("smtp.enabled") && (
+              <Group position="right" mt="xs">
+                <Anchor component={Link} href="/auth/resetPassword" size="xs">
+                  <FormattedMessage id="resetPassword.title" />
+                </Anchor>
+              </Group>
+            )}
+            <Button fullWidth mt="xl" type="submit">
+              <FormattedMessage id="signin.button.submit" />
+            </Button>
+          </form>
+        )}
        {oauth.length > 0 && (
-          <Stack mt="xl">
-            <Group align="center" className={classes.or}>
-              <Text>{t("signIn.oauth.or")}</Text>
-            </Group>
+          <Stack mt={config.get("oauth.disablePassword") ? undefined : "xl"}>
+            {config.get("oauth.disablePassword") ? (
+              <Group align="center" className={classes.signInWith}>
+                <Text>{t("signIn.oauth.signInWith")}</Text>
+              </Group>
+            ) : (
+              <Group align="center" className={classes.or}>
+                <Text>{t("signIn.oauth.or")}</Text>
+              </Group>
+            )}
            <Group position="center">
              {oauth.map((provider) => (
                <Button
                  key={provider}
                  component="a"
-                  target="_blank"
                  title={t(`signIn.oauth.${provider}`)}
                  href={getOAuthUrl(config.get("general.appUrl"), provider)}
                  variant="light"
+                  fullWidth
                >
                  {getOAuthIcon(provider)}
+                  {"\u2002" + t(`signIn.oauth.${provider}`)}
                </Button>
              ))}
            </Group>
--- a/frontend/src/i18n/translations/ar-EG.ts
+++ b/frontend/src/i18n/translations/ar-EG.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "إن المصادقة الثنائية ضرورية",
  "signIn.notify.totp-required.description": "فضلًا أدخل رمز المصادقة الثنائية",
  "signIn.oauth.or": "أو",
+  "signIn.oauth.signInWith": "تسجيل الدخول بواسطة تطبيق",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -294,8 +295,8 @@ export default {
  "admin.config.general.app-url.description": "الرابط الذي تكون مشاركة Pingvin صالحة عليه",
  "admin.config.general.show-home-page": "إظهار الصفحة الرئيسية",
  "admin.config.general.show-home-page.description": "تحديد ما إذا كان سيتم عرض الصفحة الرئيسية",
-  "admin.config.general.session-duration": "Session Duration",
-  "admin.config.general.session-duration.description": "Time in hours after which a user must log in again (default: 3 months).",
+  "admin.config.general.session-duration": "مدة الجلسة",
+  "admin.config.general.session-duration.description": "الوقت بالساعات الذي يجب على المستخدم بعده إعادة تسجيل الدخول (الافتراضي: 3 أشهر).",
  "admin.config.general.logo": "الشعار",
  "admin.config.general.logo.description": "يمكنك تغيير شعارك عن طريق تحميل صورة جديدة. يجب أن تكون الصورة PNG ويجب أن يكون تنسيقها 1:1.",
  "admin.config.general.logo.placeholder": "اختر صورة",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "كلمة السر",
  "admin.config.smtp.password.description": "كلمة السر لخادم الـSMTP",
  "admin.config.smtp.button.test": "إرسال رسالة بريد تجريبية",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "السماح بتسجيل الحسابات الجديدة",
  "admin.config.oauth.allow-registration.description": "السماح للمستخدمين بالدخول بواسطة حساباتهم الاجتماعية",
  "admin.config.oauth.ignore-totp": "تجاهل TOTP",
  "admin.config.oauth.ignore-totp.description": "تجاهل TOTP إذا دخل المستخدم بحسابه الاجتماعي",
+  "admin.config.oauth.disable-password": "تعطيل تسجيل الدخول باستخدام كلمة السر",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "تفعيل خيار الدخول بحساب GitHub",
  "admin.config.oauth.github-client-id": "GitHub Client ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "رابط الاستكشاف لتطبيق OpenID Connect OAuth",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description": "طلب اسم المستخدم في رمز معرف OpenID Connect. إذا كنت لا تعرف معنى هذا الإعداد، اتركه فارغًا.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "معرف العميل لتطبيق OpenID Connect OAuth",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "حساب {0} هذا مرتبط بالفعل بحساب آخر.",
  "error.msg.not_linked": "لم يتم ربط حساب {0} هذا بأي حساب حتى الآن.",
  "error.msg.unverified_account": "لم يتم التحقق من حساب {0} هذا، يرجى المحاولة مرة أخرى بعد التحقق.",
-  "error.msg.discord_guild_permission_denied": "غير مسموح لك بتسجيل الدخول.",
+  "error.msg.user_not_allowed": "غير مسموح لك بتسجيل الدخول.",
  "error.msg.cannot_get_user_info": "فشلت عملية جلب معلومات المستخدم الخاصة بك من حساب {0} هذا.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/da-DK.ts
+++ b/frontend/src/i18n/translations/da-DK.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "2-faktor login påkrævet",
  "signIn.notify.totp-required.description": "Indtast den aktuelle engangskode fra din 2-faktor Authenticator",
  "signIn.oauth.or": "OR",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Adgangskode",
  "admin.config.smtp.password.description": "Adgangskoden til SMTP serveren",
  "admin.config.smtp.button.test": "Send test e-mail",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Tillad registrering",
  "admin.config.oauth.allow-registration.description": "Allow users to register via social login",
  "admin.config.oauth.ignore-totp": "Ignore TOTP",
  "admin.config.oauth.ignore-totp.description": "Whether to ignore TOTP when user using social login",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Whether GitHub login is enabled",
  "admin.config.oauth.github-client-id": "GitHub Client ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery URI of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description": "Username claim in OpenID Connect ID token. Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "Client ID of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "This {0} account is already linked to another account.",
  "error.msg.not_linked": "This {0} account haven't linked to any account yet.",
  "error.msg.unverified_account": "This {0} account is unverified, please try again after verification.",
-  "error.msg.discord_guild_permission_denied": "Du har ikke tilladelse til at logge ind.",
+  "error.msg.user_not_allowed": "Du har ikke tilladelse til at logge ind.",
  "error.msg.cannot_get_user_info": "Can not get your user info from this {0} account.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/de-DE.ts
+++ b/frontend/src/i18n/translations/de-DE.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Zwei-Faktor-Authentifizierung benötigt",
  "signIn.notify.totp-required.description": "Bitte füge deinen Zwei-Faktor-Authentifizierungscode ein",
  "signIn.oauth.or": "ODER",
+  "signIn.oauth.signInWith": "Anmelden mit",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -72,7 +73,7 @@ export default {
  "account.card.password.title": "Passwort",
  "account.card.password.old": "Altes Passwort",
  "account.card.password.new": "Neues Passwort",
-  "account.card.password.noPasswordSet": "Du hast kein Passwort erstellt. Wenn Du Dich mit E-Mail und Passwort anmelden möchtest, musst Du ein Passwort festlegen.",
+  "account.card.password.noPasswordSet": "Du hast kein Passwort erstellt. Wenn du dich mit E-Mail und Passwort anmelden möchtest, musst du ein Passwort festlegen.",
  "account.notify.password.success": "Passwort erfolgreich geändert",
  "account.card.oauth.title": "Anmeldung über soziale Netzwerke",
  "account.card.oauth.github": "GitHub",
@@ -84,7 +85,7 @@ export default {
  "account.card.oauth.unlink": "Verknüpfung aufheben",
  "account.card.oauth.unlinked": "Verknüpfung aufgehoben",
  "account.modal.unlink.title": "Kontoverknüpfung aufheben",
-  "account.modal.unlink.description": "Das Entfernen der Verknüpfung mit Deinem sozialen Konten kann dazu führen, dass Du Dein Konto verlierst, wenn Du Dich nicht an Deinen Benutzernamen und Dein Passwort erinnerst.",
+  "account.modal.unlink.description": "Das Entfernen der Verknüpfung mit deinem sozialen Konten kann dazu führen, dass du dein Konto verlierst, wenn du dich nicht an deinen Benutzernamen und dein Passwort erinnerst.",
  "account.notify.oauth.unlinked.success": "Verknüpfung erfolgreich aufgehoben",
  "account.card.security.title": "Sicherheit",
  "account.card.security.totp.enable.description": "Gib dein aktuelles Passwort ein, um TOTP zu aktivieren",
@@ -300,7 +301,7 @@ export default {
  "admin.config.general.logo.description": "Ändere dein Logo durch Hochladen eines Bildes. Das Bild muss im PNG-Format vorliegen und sollte mit Seitenverhältnis 1:1 sein.",
  "admin.config.general.logo.placeholder": "Bild auswählen",
  "admin.config.email.enable-share-email-recipients": "Erlaube das Teilen der Freigabe via Email",
-  "admin.config.email.enable-share-email-recipients.description": "Gibt an, ob Emails an Freigabe-Empfänger ermöglicht werden sollen. Aktiviere dies nur, wenn Du SMTP aktivierst hast.",
+  "admin.config.email.enable-share-email-recipients.description": "Gibt an, ob Emails an Freigabe-Empfänger ermöglicht werden sollen. Aktiviere dies nur, wenn du SMTP aktivierst hast.",
  "admin.config.email.share-recipients-subject": "Betreff für Freigabe-Empfänger",
  "admin.config.email.share-recipients-subject.description": "Betreff der E-Mail, die an die Freigabe-Empfänger gesendet wird.",
  "admin.config.email.share-recipients-message": "Nachricht für Freigabe-Empfänger",
@@ -332,7 +333,7 @@ export default {
  "admin.config.share.auto-open-share-modal": "Auto open create share modal",
  "admin.config.share.auto-open-share-modal.description": "The share creation modal automatically appears when a user selects files, eliminating the need to manually click the button.",
  "admin.config.smtp.enabled": "Aktiviert",
-  "admin.config.smtp.enabled.description": "Gibt an, ob SMTP aktiviert ist. Aktiviere dies nur, wenn Du den Host, den Port, die Email, den Benutzernamen und das Passwort deines SMTP-Servers eingegeben hast.",
+  "admin.config.smtp.enabled.description": "Gibt an, ob SMTP aktiviert ist. Aktiviere dies nur, wenn du den Host, den Port, die Email, den Benutzernamen und das Passwort deines SMTP-Servers eingegeben hast.",
  "admin.config.smtp.host": "Host",
  "admin.config.smtp.host.description": "Host des SMTP-Servers",
  "admin.config.smtp.port": "Port",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Passwort",
  "admin.config.smtp.password.description": "Passwort des SMTP-Servers",
  "admin.config.smtp.button.test": "Test-E-Mail senden",
+  "admin.config.smtp.allow-unauthorized-certificates": "Vertrauen von nicht authentifizierten SMTP-Server-Zertifikaten",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Verwenden Sie diese Option nur, wenn Sie selbst signierten Zertifikaten vertrauen müssen.",
  "admin.config.oauth.allow-registration": "Registrierung erlauben",
  "admin.config.oauth.allow-registration.description": "Benutzern erlauben, sich über Soziale Netzwerke zu registrieren",
  "admin.config.oauth.ignore-totp": "TOTP ignorieren",
  "admin.config.oauth.ignore-totp.description": "Gibt an, ob TOTP ignoriert werden soll, wenn sich der Benutzer über Soziale Netzwerke anmeldet",
+  "admin.config.oauth.disable-password": "Anmelden mit Passwort deaktivieren",
+  "admin.config.oauth.disable-password.description": "Deaktiviert das Anmelden mit Passwort\nStelle vor Aktivierung dieser Konfiguration sicher, dass ein OAuth-Provider korrekt konfiguriert ist, um nicht ausgesperrt zu werden.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "GitHub Anmeldung erlaubt",
  "admin.config.oauth.github-client-id": "GitHub Client-ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery-URL der OpenID OAuth App",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect Benutzername anfordern",
  "admin.config.oauth.oidc-username-claim.description": "Benutzername im OpenID Token. Leer lassen, wenn du nicht weißt, was diese Konfiguration bedeutet.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Muss ein valider JMES-Pfad sein, der zu einem Array an Rollen führt. " + "Die Zugangsverwaltung über Rollen in OpenID Connect ist nur empfohlen, wenn kein anderer Identitätsprovider konfiguriert und die Anmeldung per Password deaktiviert ist. " + "Leer lassen, wenn du nicht weißt, was diese Konfiguration bedeutet.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Rolle für generellen Zugriff. Muss Teil der Rollen eines Benutzers sein, damit dieser sich anmelden kann. " + "Leer lassen, wenn du nicht weißt, was diese Konfiguration bedeutet.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Rolle für administrativen Zugriff. Muss Teil der Rollen eines Benutzers sein, damit dieser auf das Administrator-Panel zugreifen kann. " + "Leer lassen, wenn du nicht weißt, was diese Konfiguration bedeutet.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client-ID",
  "admin.config.oauth.oidc-client-id.description": "Client-ID der OpenID Connect OAuth-App",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client-Secret",
@@ -401,8 +412,8 @@ export default {
  "error.msg.no_email": "Kann die E-Mail-Adresse von dem Konto {0} nicht abrufen.",
  "error.msg.already_linked": "Das Konto {0} ist bereits mit einem anderen Konto verknüpft.",
  "error.msg.not_linked": "Das Konto {0} wurde noch nicht mit einem Konto verknüpft.",
-  "error.msg.unverified_account": "Dieses Konto {0} wurde noch nicht verifiziert, bitte versuchen Sie es nach der Verifikation erneut.",
-  "error.msg.discord_guild_permission_denied": "Du bist nicht berechtigt, Dich anzumelden.",
+  "error.msg.unverified_account": "Dieses Konto {0} wurde noch nicht verifiziert, bitte versuche es nach der Verifikation erneut.",
+  "error.msg.user_not_allowed": "Du bist nicht berechtigt, dich anzumelden.",
  "error.msg.cannot_get_user_info": "Deine Benutzerinformationen können nicht von diesem Konto {0} abgerufen werden.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/el-GR.ts
+++ b/frontend/src/i18n/translations/el-GR.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Απαιτείται έλεγχος ταυτότητας δύο παραγόντων.",
  "signIn.notify.totp-required.description": "Παρακαλώ εισάγετε τον κωδικό 2FA.",
  "signIn.oauth.or": "Ή",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Κωδικός πρόσβασης",
  "admin.config.smtp.password.description": "Κωδικός πρόσβασης στον εξυπηρετητή SMTP",
  "admin.config.smtp.button.test": "Αποστολή δοκιμαστικού email",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Να επιτρέπεται η εγγραφή",
  "admin.config.oauth.allow-registration.description": "Επιτρέψτε στους χρήστες να εγγραφούν μέσω λογαριασμών κοινωνικής δικτύωσης",
  "admin.config.oauth.ignore-totp": "Παράβλεψη TOTP",
  "admin.config.oauth.ignore-totp.description": "Αν θα αγνοηθεί το TOTP όταν ο χρήστης χρησιμοποιεί την κοινωνική σύνδεση",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Αν είναι ενεργοποιημένη η σύνδεση GitHub",
  "admin.config.oauth.github-client-id": "GitHub Client ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery URI of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description": "Username claim in OpenID Connect ID token. Αφήστε κενό αν δε γνωρίζετε για αυτή τη ρύθμιση",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "Client ID of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Αυτός ο λογαριασμός {0} είναι ήδη συνδεδεμένος με άλλο λογαριασμό.",
  "error.msg.not_linked": "Αυτός ο λογαριασμός {0} δεν έχει συνδεθεί με κανένα λογαριασμό ακόμα.",
  "error.msg.unverified_account": "Αυτός ο λογαριασμός {0} δεν έχει επαληθευτεί, παρακαλώ προσπαθήστε ξανά μετά την επαλήθευση.",
-  "error.msg.discord_guild_permission_denied": "Δεν σας επιτρέπεται η σύνδεση.",
+  "error.msg.user_not_allowed": "Δεν σας επιτρέπεται η σύνδεση.",
  "error.msg.cannot_get_user_info": "Δεν είναι δυνατή η λήψη των πληροφοριών χρήστη από αυτόν τον λογαριασμό {0}.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/en-US.ts
+++ b/frontend/src/i18n/translations/en-US.ts
@@ -44,6 +44,7 @@ export default {
  "signIn.notify.totp-required.description":
    "Please enter your two-factor authentication code",
  "signIn.oauth.or": "OR",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -399,9 +400,8 @@ export default {
  "admin.config.general.show-home-page": "Show home page",
  "admin.config.general.show-home-page.description":
    "Whether to show the home page",
-  "admin.config.general.session-duration": 
-    "Session Duration",
-  "admin.config.general.session-duration.description": 
+  "admin.config.general.session-duration": "Session Duration",
+  "admin.config.general.session-duration.description":
    "Time in hours after which a user must log in again (default: 3 months).",
  "admin.config.general.logo": "Logo",
  "admin.config.general.logo.description":
@@ -453,9 +453,11 @@ export default {
  "admin.config.share.zip-compression-level.description":
    "Adjust the level to balance between file size and compression speed. Valid values range from 0 to 9, with 0 being no compression and 9 being maximum compression. ",
  "admin.config.share.chunk-size": "Chunk size",
-  "admin.config.share.chunk-size.description": "Adjust the chunk size (in bytes) for your uploads to balance efficiency and reliability according to your internet connection. Smaller chunks can enhance success rates for unstable connections, while larger chunks speed up uploads for stable connections.",
+  "admin.config.share.chunk-size.description":
+    "Adjust the chunk size (in bytes) for your uploads to balance efficiency and reliability according to your internet connection. Smaller chunks can enhance success rates for unstable connections, while larger chunks speed up uploads for stable connections.",
  "admin.config.share.auto-open-share-modal": "Auto open create share modal",
-  "admin.config.share.auto-open-share-modal.description": "The share creation modal automatically appears when a user selects files, eliminating the need to manually click the button.",
+  "admin.config.share.auto-open-share-modal.description":
+    "The share creation modal automatically appears when a user selects files, eliminating the need to manually click the button.",

  "admin.config.smtp.enabled": "Enabled",
  "admin.config.smtp.enabled.description":
@@ -472,6 +474,10 @@ export default {
  "admin.config.smtp.password": "Password",
  "admin.config.smtp.password.description": "Password of the SMTP server",
  "admin.config.smtp.button.test": "Send test email",
+  "admin.config.smtp.allow-unauthorized-certificates":
+    "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description":
+    "Only set this to true if you need to trust self signed certificates.",

  "admin.config.oauth.allow-registration": "Allow registration",
  "admin.config.oauth.allow-registration.description":
@@ -479,6 +485,9 @@ export default {
  "admin.config.oauth.ignore-totp": "Ignore TOTP",
  "admin.config.oauth.ignore-totp.description":
    "Whether to ignore TOTP when user using social login",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description":
+    "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description":
    "Whether GitHub login is enabled",
@@ -530,6 +539,19 @@ export default {
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description":
    "Username claim in OpenID Connect ID token. Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description":
+    "Must be a valid JMES path referencing an array of roles. " +
+    "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " +
+    "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description":
+    "Role required for general access. Must be present in a user’s roles for them to log in. " +
+    "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description":
+    "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " +
+    "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description":
    "Client ID of the OpenID Connect OAuth app",
@@ -558,7 +580,7 @@ export default {
  "error.msg.not_linked": "This {0} account haven't linked to any account yet.",
  "error.msg.unverified_account":
    "This {0} account is unverified, please try again after verification.",
-  "error.msg.discord_guild_permission_denied":
+  "error.msg.user_not_allowed":
    "You are not allowed to sign in.",
  "error.msg.cannot_get_user_info":
    "Can not get your user info from this {0} account.",
--- a/frontend/src/i18n/translations/es-ES.ts
+++ b/frontend/src/i18n/translations/es-ES.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Se requiere autenticación de dos factores",
  "signIn.notify.totp-required.description": "Por favor ingrese su código de autenticación de dos factores",
  "signIn.oauth.or": "O",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Contraseña",
  "admin.config.smtp.password.description": "Contraseña del servidor SMTP",
  "admin.config.smtp.button.test": "Enviar correo de prueba",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Permitir registro",
  "admin.config.oauth.allow-registration.description": "Permitir a los usuarios registrarse mediante login social",
  "admin.config.oauth.ignore-totp": "Ignorar TOTP",
  "admin.config.oauth.ignore-totp.description": "Ignorar TOTP cuando el usuario utiliza inicio de sesión social",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Si el inicio de sesión de GitHub está habilitado",
  "admin.config.oauth.github-client-id": "ID del Cliente de GitHub",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery URI of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description": "Username claim in OpenID Connect ID token. Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "Client ID of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Esta cuenta {0} ya está vinculada a otra cuenta.",
  "error.msg.not_linked": "Esta cuenta {0} aún no ha sido vinculada a ninguna cuenta.",
  "error.msg.unverified_account": "Esta cuenta {0} no está verificada, por favor inténtalo de nuevo después de la verificación.",
-  "error.msg.discord_guild_permission_denied": "No tienes permitido iniciar sesion.",
+  "error.msg.user_not_allowed": "No tienes permitido iniciar sesion.",
  "error.msg.cannot_get_user_info": "No se puede obtener la información de usuario de la cuenta {0}.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/fi-FI.ts
+++ b/frontend/src/i18n/translations/fi-FI.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Kaksivaiheinen tunnistautuminen vaadittu",
  "signIn.notify.totp-required.description": "Syötä kaksivaiheisen tunnistautumisen koodi tähän",
  "signIn.oauth.or": "OR",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Salasana",
  "admin.config.smtp.password.description": "SMTP palvelimen salasana",
  "admin.config.smtp.button.test": "Lähetä testisähköposti",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Allow registration",
  "admin.config.oauth.allow-registration.description": "Allow users to register via social login",
  "admin.config.oauth.ignore-totp": "Ignore TOTP",
  "admin.config.oauth.ignore-totp.description": "Whether to ignore TOTP when user using social login",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Whether GitHub login is enabled",
  "admin.config.oauth.github-client-id": "GitHub Client ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery URI of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description": "Username claim in OpenID Connect ID token. Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "Client ID of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "This {0} account is already linked to another account.",
  "error.msg.not_linked": "This {0} account haven't linked to any account yet.",
  "error.msg.unverified_account": "This {0} account is unverified, please try again after verification.",
-  "error.msg.discord_guild_permission_denied": "You are not allowed to sign in.",
+  "error.msg.user_not_allowed": "You are not allowed to sign in.",
  "error.msg.cannot_get_user_info": "Can not get your user info from this {0} account.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/fr-FR.ts
+++ b/frontend/src/i18n/translations/fr-FR.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Une authentification à deux facteurs est requise",
  "signIn.notify.totp-required.description": "Veuillez entrer votre code d'authentification à deux facteurs",
  "signIn.oauth.or": "OU",
+  "signIn.oauth.signInWith": "Se connecter avec",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -294,8 +295,8 @@ export default {
  "admin.config.general.app-url.description": "Depuis quel URL le partage Pingvin est disponible",
  "admin.config.general.show-home-page": "Afficher la page d’accueil",
  "admin.config.general.show-home-page.description": "Afficher ou non la page d’accueil",
-  "admin.config.general.session-duration": "Session Duration",
-  "admin.config.general.session-duration.description": "Time in hours after which a user must log in again (default: 3 months).",
+  "admin.config.general.session-duration": "Durée de la session",
+  "admin.config.general.session-duration.description": "Nombre d’heures après lesquelles un utilisateur doit se reconnecter (par défaut : 3 mois).",
  "admin.config.general.logo": "Logo",
  "admin.config.general.logo.description": "Changez de logo en envoyant une nouvelle image. L’image doit être au format PNG et doit avoir un ratio 1:1.",
  "admin.config.general.logo.placeholder": "Sélectionner une image",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Mot de passe",
  "admin.config.smtp.password.description": "Mot de passe du serveur SMTP",
  "admin.config.smtp.button.test": "Envoyer un courriel de test",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Autoriser l’inscription",
  "admin.config.oauth.allow-registration.description": "Permettre aux utilisateurs de s’inscrire via leur identifiant social",
  "admin.config.oauth.ignore-totp": "Ignorer TOTP",
  "admin.config.oauth.ignore-totp.description": "Ignorer le TOTP lorsque l’utilisateur utilise un identifiant social.",
+  "admin.config.oauth.disable-password": "Désactiver la connexion par mot de passe",
+  "admin.config.oauth.disable-password.description": "Désactive la connexion par mot de passe\nAssurez-vous qu’un fournisseur OAuth soit correctement configuré avant d’activer cette configuration pour éviter d'être enfermé.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Permettre la connexion via GitHub.",
  "admin.config.oauth.github-client-id": "ID client de GitHub",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "L’URI de découverte de la connexion à l'application OpenID OAuth",
  "admin.config.oauth.oidc-username-claim": "Revendication du nom d’utilisateur OpenID",
  "admin.config.oauth.oidc-username-claim.description": "Le champ contenant la revendication du nom d’utilisateur dans le jeton OpenID Connect. Laissez vide si vous ne savez pas quoi indiquer.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "ID du client OpenID",
  "admin.config.oauth.oidc-client-id.description": "L’ID du client de l’application OAuth OpenID Connect",
  "admin.config.oauth.oidc-client-secret": "Secret du client OpenID",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Le compte {0} est déjà associé à un autre compte.",
  "error.msg.not_linked": "Le compte {0} n’est pas encore associé à compte.",
  "error.msg.unverified_account": "Le compte {0} n'est pas vérifié, veuillez réessayer après vérification.",
-  "error.msg.discord_guild_permission_denied": "Vous n’êtes pas autorisé à vous authentifier.",
+  "error.msg.user_not_allowed": "Vous n’êtes pas autorisé à vous authentifier.",
  "error.msg.cannot_get_user_info": "Impossible d’obtenir vos informations utilisateur à partir du compte {0}.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/hu-HU.ts
+++ b/frontend/src/i18n/translations/hu-HU.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Kétfaktoros hitelesítésre van szükség",
  "signIn.notify.totp-required.description": "Adja meg a másik úton kapott kódját",
  "signIn.oauth.or": "VAGY",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -294,8 +295,8 @@ export default {
  "admin.config.general.app-url.description": "A Pingvin Share megosztáskezelőre mutató hivatkozás",
  "admin.config.general.show-home-page": "Kezdőlap mutatása",
  "admin.config.general.show-home-page.description": "A kezdőlap mutatásának ki- és bekapcsolása",
-  "admin.config.general.session-duration": "Session Duration",
-  "admin.config.general.session-duration.description": "Time in hours after which a user must log in again (default: 3 months).",
+  "admin.config.general.session-duration": "Munkamenet időtartama",
+  "admin.config.general.session-duration.description": "Annak az időtartamnak a megadása, amit követően a felhasználónak ismét be kell jelentkeznie (alapérték: 3 hónap).",
  "admin.config.general.logo": "Logó",
  "admin.config.general.logo.description": "A logó személyessé tételéhez töltsön fel egy új képet. A formátum legyen PNG, az oldalarány 1:1.",
  "admin.config.general.logo.placeholder": "Kép kiválasztása",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Jelszó",
  "admin.config.smtp.password.description": "Jelszó az SMTP kiszolgálón",
  "admin.config.smtp.button.test": "Teszt email küldése",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Regisztráció engedélyezése",
  "admin.config.oauth.allow-registration.description": "A felhasználók közösségi bejelentkezésen át is regisztrálhatnak",
  "admin.config.oauth.ignore-totp": "TOTP mellőzése",
  "admin.config.oauth.ignore-totp.description": "TOTP mellőzése a közösségi bejelentkezést használó felhasználónál",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "GitHub bejelentkezés engedélyezése",
  "admin.config.oauth.github-client-id": "GitHub ügyfél ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Az OpenID Connect OAuth applikáció Discovery URI azonosítója",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect felhasználónév igény",
  "admin.config.oauth.oidc-username-claim.description": "Az OpenID Connect ID token felhasználónév igénye. Hagyja üresen ha nincs információja a beállításról.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect ügyfél ID azonosító",
  "admin.config.oauth.oidc-client-id.description": "Az OpenID Connect OAuth applikáció ügyfél ID azonosítója",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect ügyfél titok",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Ez a(z) {0} fiók már kapcsolódik egy másik fiókhoz.",
  "error.msg.not_linked": "Ez a(z){0} fiók még nem kapcsolódott egyetlen fiókhoz sem.",
  "error.msg.unverified_account": "Ezt a(z) {0} fiókot még nem igazolták vissza, kérem próbálja újra a megerősítés után.",
-  "error.msg.discord_guild_permission_denied": "Nem jelentkezhet be.",
+  "error.msg.user_not_allowed": "Nem jelentkezhet be.",
  "error.msg.cannot_get_user_info": "Nem nyerhető ki felhasználói információ ebből a(z) {0} fiókból.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/it-IT.ts
+++ b/frontend/src/i18n/translations/it-IT.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Autenticazione a due fattori richiesta",
  "signIn.notify.totp-required.description": "Inserisci il tuo codice di autenticazione a due fattori",
  "signIn.oauth.or": "OPPURE",
+  "signIn.oauth.signInWith": "Registrati con",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Password",
  "admin.config.smtp.password.description": "Password del server SMTP",
  "admin.config.smtp.button.test": "Invia e-mail di prova",
+  "admin.config.smtp.allow-unauthorized-certificates": "Fidati di certificati server SMTP non autorizzati",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Imposta il parametro a \"vero\" solo se vuoi fidarti di certificati self signed.",
  "admin.config.oauth.allow-registration": "Consenti la registrazione",
  "admin.config.oauth.allow-registration.description": "Consenti agli utenti di registrarsi tramite social login",
  "admin.config.oauth.ignore-totp": "Ignora TOTP",
  "admin.config.oauth.ignore-totp.description": "Indica se ignorare TOTP quando l'utente utilizza il social login",
+  "admin.config.oauth.disable-password": "Disabilita l'accesso tramite password",
+  "admin.config.oauth.disable-password.description": "Nel caso di disabilitazione della password di accesso\nAssicurarti di aver configurato correttamente un provider OAuth prima di attivare questa configurazione, per evitare di essere bloccato fuori dal servizio.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Se l'accesso tramite GitHub è abilitato",
  "admin.config.oauth.github-client-id": "GitHub Client ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "URI di scoperta dell'app OAuth di OpenID Connect",
  "admin.config.oauth.oidc-username-claim": "Richiesta nome utente OpenID Connect",
  "admin.config.oauth.oidc-username-claim.description": "Nome utente nel token OpenID Connect. Lascialo vuoto se non sai cos'è questa configurazione.",
+  "admin.config.oauth.oidc-role-path": "Percorso verso i ruoli in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Deve essere un percorso JMES valido che faccia riferimento a una serie di ruoli. " + "La gestione dei diritti di accesso utilizzando i ruoli OpenID Connect è consigliata solo se nessun altro provider d'identità è configurato e l'accesso tramite password è disabilitato. " + "Lascialo vuoto se non sai cosa sia questa configurazione.",
+  "admin.config.oauth.oidc-role-general-access": "Ruolo OpenID Connect per l'accesso generale",
+  "admin.config.oauth.oidc-role-general-access.description": "Ruolo richiesto per l'accesso generale. Deve essere presente nei ruoli di un utente affinché possa accedere. " + "Lascialo vuoto se non sai cosa sia questa configurazione.",
+  "admin.config.oauth.oidc-role-admin-access": "Ruolo OpenID Connect per l'accesso amministrativo",
+  "admin.config.oauth.oidc-role-admin-access.description": "Ruolo richiesto per l'accesso amministrativo. Deve essere presente nei ruoli di un utente per accedere al pannello di amministrazione. " + "Lascialo vuoto se non sai cosa sia questa configurazione.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "Client ID dell'app OAuth di OpenID Connect",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Questo account {0} è già collegato ad un altro account.",
  "error.msg.not_linked": "Questo account {0} non è ancora collegato ad alcun account.",
  "error.msg.unverified_account": "Questo account {0} non è verificato, per favore riprova dopo la verifica.",
-  "error.msg.discord_guild_permission_denied": "Non sei autorizzato ad accedere.",
+  "error.msg.user_not_allowed": "Non sei autorizzato ad accedere.",
  "error.msg.cannot_get_user_info": "Non è possibile ottenere le informazioni utente da questo account {0}.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/ja-JP.ts
+++ b/frontend/src/i18n/translations/ja-JP.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "二段階認証が必要です",
  "signIn.notify.totp-required.description": "二段階認証コードを入力してください",
  "signIn.oauth.or": "または",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "パスワード",
  "admin.config.smtp.password.description": "SMTPサーバーのパスワード",
  "admin.config.smtp.button.test": "テストメールを送信",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "登録を許可する",
  "admin.config.oauth.allow-registration.description": "ユーザーにソーシャルアカウント経由での登録を許可します",
  "admin.config.oauth.ignore-totp": "二段階認証を無視する",
  "admin.config.oauth.ignore-totp.description": "ソーシャルログイン時に二段階認証を無視するかどうかを設定します",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "GitHubアカウントを使用したログインを許可するかどうかを設定します",
  "admin.config.oauth.github-client-id": "GitHub クライアントID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery URI of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description": "Username claim in OpenID Connect ID token. Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "Client ID of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "この{0} アカウントは、既に別のアカウントにリンクされています。",
  "error.msg.not_linked": "この{0} アカウントはどのアカウントにもリンクされていません。",
  "error.msg.unverified_account": "This {0} account is unverified, please try again after verification.",
-  "error.msg.discord_guild_permission_denied": "You are not allowed to sign in.",
+  "error.msg.user_not_allowed": "You are not allowed to sign in.",
  "error.msg.cannot_get_user_info": "Can not get your user info from this {0} account.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/ko-KR.ts
+++ b/frontend/src/i18n/translations/ko-KR.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "2단계 인증이 필요합니다",
  "signIn.notify.totp-required.description": "2단계 인증 코드를 입력해주세요",
  "signIn.oauth.or": "또는",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "깃허브",
  "signIn.oauth.google": "구글",
  "signIn.oauth.microsoft": "마이크로소프트",
@@ -44,10 +45,10 @@ export default {
  "signup.title": "계정 만들기",
  "signup.description": "이미 계정이 있으신가요?",
  "signup.button.signin": "로그인",
-  "signup.input.username": "사용자 이름",
-  "signup.input.username.placeholder": "당신의 사용지 이름",
+  "signup.input.username": "사용자명",
+  "signup.input.username.placeholder": "귀하의 사용자명",
  "signup.input.email": "이메일",
-  "signup.input.email.placeholder": "당신의 이메일",
+  "signup.input.email.placeholder": "귀하의 이메일",
  "signup.button.submit": "시작하기",
  // END /auth/signup
  // /auth/totp
@@ -258,13 +259,13 @@ export default {
  // /share/[id]
  "share.title": "공유 {shareId}",
  "share.description": "내가 당신과 공유한 것을 보세요!",
-  "share.error.visitor-limit-exceeded.title": "방문자 제한 초과",
-  "share.error.visitor-limit-exceeded.description": "The visitor limit from this share has been exceeded.",
+  "share.error.visitor-limit-exceeded.title": "방문자 한도 초과",
+  "share.error.visitor-limit-exceeded.description": "이 공유의 방문자 한도를 초과했습니다.",
  "share.error.removed.title": "공유가 삭제됨",
  "share.error.not-found.title": "공유를 찾을 수 없습니다.",
  "share.error.not-found.description": "당신이 찾는 공유는 존재하지 않습니다.",
  "share.modal.password.title": "비밀번호 필요",
-  "share.modal.password.description": "이 공유에 액세스하려면 공유의 암호를 입력하십시오.",
+  "share.modal.password.description": "이 공유에 접근하려면 공유의 암호를 입력하십시오.",
  "share.modal.password": "비밀번호",
  "share.modal.error.invalid-password": "잘못된 비밀번호",
  "share.button.download-all": "모두 다운로드",
@@ -289,13 +290,13 @@ export default {
  "admin.config.category.smtp": "SMTP",
  "admin.config.category.oauth": "소셜 로그인",
  "admin.config.general.app-name": "앱 이름",
-  "admin.config.general.app-name.description": "Name of the application",
+  "admin.config.general.app-name.description": "이 앱의 이름",
  "admin.config.general.app-url": "앱 URL",
  "admin.config.general.app-url.description": "Pingvin Share를 사용할 수 있는 URL",
  "admin.config.general.show-home-page": "홈 페이지 표시",
-  "admin.config.general.show-home-page.description": "홈 페이지를 표시할지 여부를 점검하십시오.",
-  "admin.config.general.session-duration": "Session Duration",
-  "admin.config.general.session-duration.description": "Time in hours after which a user must log in again (default: 3 months).",
+  "admin.config.general.show-home-page.description": "홈 페이지를 표시할지 여부",
+  "admin.config.general.session-duration": "세션 기간",
+  "admin.config.general.session-duration.description": "사용자가 다시 로그인해야 하는 시간 (기본값: 3개월)",
  "admin.config.general.logo": "로고",
  "admin.config.general.logo.description": "새 이미지를 업로드하여 로고를 변경하십시오. 이미지는 PNG여야 하며 1:1 비율이어야 합니다.",
  "admin.config.general.logo.placeholder": "이미지 선택",
@@ -305,9 +306,9 @@ export default {
  "admin.config.email.share-recipients-subject.description": "공유 수신자에게 전송되는 이메일의 제목입니다.",
  "admin.config.email.share-recipients-message": "수신자 메시지 공유",
  "admin.config.email.share-recipients-message.description": "공유 수신자에게 보내는 메시지입니다. 사용 가능한 변수:\n {creator} - 공유 작성자의 사용자 이름\n {shareUrl} - 공유의 URL\n {desc} - 공유에 대한 설명\n {expires} - 공유 만료일\n 변수는 실제 값으로 대체됩니다.",
-  "admin.config.email.reverse-share-subject": "역공유 제목",
+  "admin.config.email.reverse-share-subject": "역방향 공유 제목",
  "admin.config.email.reverse-share-subject.description": "누군가 당신이 공유한 역방향 공유 링크를 사용하여 공유를 생성했을 때 전송되는 이메일의 제목입니다.",
-  "admin.config.email.reverse-share-message": "역공유 메시지",
+  "admin.config.email.reverse-share-message": "역방향 공유 메시지",
  "admin.config.email.reverse-share-message.description": "누군가 귀하의 역방향 공유 링크를 사용하여 공유를 생성하면 전송되는 메시지입니다.. {shareUrl} 은 작성자 이름 및 공유 URL로 대체됩니다.",
  "admin.config.email.reset-password-subject": "비밀번호 재설정 제목",
  "admin.config.email.reset-password-subject.description": "사용자가 암호 재설정을 요청할 때 전송되는 메일의 제목입니다.",
@@ -321,16 +322,16 @@ export default {
  "admin.config.share.allow-registration.description": "등록 가능 여부",
  "admin.config.share.allow-unauthenticated-shares": "인증되지 않은 공유 허용",
  "admin.config.share.allow-unauthenticated-shares.description": "인증되지 않은 사용자가 공유를 생성할 수 있는지 여부",
-  "admin.config.share.max-expiration": "최대 만료일",
-  "admin.config.share.max-expiration.description": "최대 공유 만료 시간입니다. 만료 기간을 설정하지 않는경우 0으로 설정합니다.",
+  "admin.config.share.max-expiration": "최대 만료 시간",
+  "admin.config.share.max-expiration.description": "공유의 최대 만료 시간. 무제한 만료를 허용하려면 0으로 설정하세요.",
  "admin.config.share.max-size": "최대 크기",
-  "admin.config.share.max-size.description": "공유 최대 크기 - 바이트",
-  "admin.config.share.zip-compression-level": "압축 레벨",
+  "admin.config.share.max-size.description": "공유의 최대 크기 (바이트)",
+  "admin.config.share.zip-compression-level": "Zip 압축 레벨",
  "admin.config.share.zip-compression-level.description": "파일 크기와 압축 속도 간의 균형을 맞추도록 레벨을 조정합니다. 유효한 값의 범위는 0에서 9까지이며, 0은 압축되지 않고 9는 최대 압축입니다. ",
  "admin.config.share.chunk-size": "청크 크기",
  "admin.config.share.chunk-size.description": "업로드할 청크 크기(바이트 단위)를 조정하여 인터넷 연결에 따라 효율성과 신뢰성의 균형을 유지합니다. 더 작은 청크는 불안정한 연결에 대한 성공률을 향상시킬 수 있고, 더 큰 청크는 안정적인 연결에 대한 업로드 속도를 높일 수 있습니다.",
-  "admin.config.share.auto-open-share-modal": "Auto open create share modal",
-  "admin.config.share.auto-open-share-modal.description": "The share creation modal automatically appears when a user selects files, eliminating the need to manually click the button.",
+  "admin.config.share.auto-open-share-modal": "공유 생성 창 자동 열기",
+  "admin.config.share.auto-open-share-modal.description": "사용자가 파일을 선택하면 공유 생성 창이 자동으로 나타나서 버튼을 수동으로 클릭할 필요가 없습니다.",
  "admin.config.smtp.enabled": "활성화됨",
  "admin.config.smtp.enabled.description": "SMTP 사용 여부 SMTP 서버의 호스트, 포트, 전자 메일, 사용자 및 암호를 입력한 경우에만 true로 설정합니다.",
  "admin.config.smtp.host": "호스트",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "비밀번호",
  "admin.config.smtp.password.description": "SMTP 서버 비밀번호",
  "admin.config.smtp.button.test": "테스트 이메일 보내기",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "가입 허용",
  "admin.config.oauth.allow-registration.description": "사용자가 소셜 로그인을 통해 등록할 수 있도록 허용",
  "admin.config.oauth.ignore-totp": "TOTP 무시",
  "admin.config.oauth.ignore-totp.description": "사용자가 소셜 로그인을 사용하는 경우 TOTP를 무시할 것인지 여부",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "깃허브",
  "admin.config.oauth.github-enabled.description": "깃허브 로그인 사용 여부",
  "admin.config.oauth.github-client-id": "GitHub 클라이언트 ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery URI of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description": "OpenID Connect ID 토큰의 Username claim 입니다. 이 구성이 무엇인지 모르면 비워 둡니다.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect 클라이언트 ID",
  "admin.config.oauth.oidc-client-id.description": "OpenID Connect OAuth 앱의 클라이언트 ID",
  "admin.config.oauth.oidc-client-secret": "OpenID 클라이언트 secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "이 {0} 계정은 이미 다른 계정에 연결되어 있습니다.",
  "error.msg.not_linked": "이 {0} 계정은 아직 어떤 계정에도 연결되지 않았습니다.",
  "error.msg.unverified_account": "이 {0} 계정은 확인되지 않았습니다. 확인 후 다시 시도하십시오.",
-  "error.msg.discord_guild_permission_denied": "로그인할 수 없습니다.",
+  "error.msg.user_not_allowed": "로그인할 수 없습니다.",
  "error.msg.cannot_get_user_info": "이 {0} 계정에서 사용자 정보를 가져올 수 없습니다",
  "error.param.provider_github": "깃허브",
  "error.param.provider_google": "구글",
--- a/frontend/src/i18n/translations/nl-BE.ts
+++ b/frontend/src/i18n/translations/nl-BE.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Tweestapsverificatie vereist",
  "signIn.notify.totp-required.description": "Voer uw tweestapsverificatiecode in",
  "signIn.oauth.or": "OF",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Wachtwoord",
  "admin.config.smtp.password.description": "Wachtwoord van de SMTP-server",
  "admin.config.smtp.button.test": "Teste-mail verzenden",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Sta registratie toe",
  "admin.config.oauth.allow-registration.description": "Gebruikers toestaan zich te registreren via sociale login",
  "admin.config.oauth.ignore-totp": "TOTP negeren",
  "admin.config.oauth.ignore-totp.description": "TOTP negeren wanneer gebruiker sociale login gebruikt",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Ofdat GitHub login is ingeschakeld",
  "admin.config.oauth.github-client-id": "GitHub Client ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery URI van de OpenID Connect OAuth app",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description": "Gebruikersnaam claim in OpenID Connect-ID-token. Laat het leeg als u niet weet wat deze configuratie is.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "Client-ID OpenID Connect",
  "admin.config.oauth.oidc-client-id.description": "Client-ID van de OpenID Connect OAuth app",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Dit {0} account is al gekoppeld aan een ander account.",
  "error.msg.not_linked": "Dit {0} account is nog aan geen enkel account gekoppeld.",
  "error.msg.unverified_account": "Dit {0} account is nog niet geverifieerd, probeer het opnieuw na de verificatie.",
-  "error.msg.discord_guild_permission_denied": "U heeft geen toestemming om in te loggen.",
+  "error.msg.user_not_allowed": "U heeft geen toestemming om in te loggen.",
  "error.msg.cannot_get_user_info": "Kan uw gebruikersgegevens van dit {0} account niet ophalen.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/pl-PL.ts
+++ b/frontend/src/i18n/translations/pl-PL.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Wymagane jest uwierzytelnianie dwuetapowe",
  "signIn.notify.totp-required.description": "Wprowadź kod uwierzytelniania dwuetapowego",
  "signIn.oauth.or": "LUB",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Hasło",
  "admin.config.smtp.password.description": "Hasło serwera SMTP",
  "admin.config.smtp.button.test": "Wyślij testowego e-maila",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Zezwól na rejestrację",
  "admin.config.oauth.allow-registration.description": "Zezwalaj użytkownikom na rejestrację za pomocą konta społecznościowego",
  "admin.config.oauth.ignore-totp": "Ignoruj TOTP",
  "admin.config.oauth.ignore-totp.description": "Czy zignorować TOTP, kiedy użytkownik loguje się za pomocą konta społecznościowego",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Czy login na GitHub jest włączony",
  "admin.config.oauth.github-client-id": "ID klienta GitHub",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Wykrywanie URI OAuth aplikacji OpenID Connect",
  "admin.config.oauth.oidc-username-claim": "Żądanie nazwy użytkownika OpenID Connect",
  "admin.config.oauth.oidc-username-claim.description": "Żądanie nazwy użytkownika w tokenie identyfikatora OpenID Connect. Jeśli nie wiesz, czym jest ta konfiguracja, pozostaw pustą.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "Identyfikator klienta OpenID Connect",
  "admin.config.oauth.oidc-client-id.description": "Identyfikator klienta OAuth aplikacji OpenID Connect",
  "admin.config.oauth.oidc-client-secret": "Sekret klienta OpenID Connect",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "To konto {0} zostało już połączone z innym kontem.",
  "error.msg.not_linked": "To konto {0} nie zostało jeszcze połączone z żadnym kontem.",
  "error.msg.unverified_account": "To konto {0} nie zostało zweryfikowane, spróbuj ponownie po weryfikacji.",
-  "error.msg.discord_guild_permission_denied": "Nie możesz się zalogować.",
+  "error.msg.user_not_allowed": "Nie możesz się zalogować.",
  "error.msg.cannot_get_user_info": "Nie można uzyskać informacji o użytkowniku z tego konta {0}.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/pt-BR.ts
+++ b/frontend/src/i18n/translations/pt-BR.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Autenticação de dois fatores necessária",
  "signIn.notify.totp-required.description": "Insira seu código de autenticação de dois fatores",
  "signIn.oauth.or": "OU",
+  "signIn.oauth.signInWith": "Iniciar sessão com",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Senha",
  "admin.config.smtp.password.description": "Senha do servidor SMTP",
  "admin.config.smtp.button.test": "Enviar email de teste",
+  "admin.config.smtp.allow-unauthorized-certificates": "Confiar em certificados de servidor SMTP não autorizados",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Apenas defina isso como verdadeiro se você precisar confiar nos certificados auto-assinados.",
  "admin.config.oauth.allow-registration": "Permitir registro",
  "admin.config.oauth.allow-registration.description": "Permitir que os usuários se registrem através do login de redes sociais",
  "admin.config.oauth.ignore-totp": "Ignorar TOTP",
  "admin.config.oauth.ignore-totp.description": "Ignorar o TOTP quando usuário usando login social",
+  "admin.config.oauth.disable-password": "Desativar login por senha",
+  "admin.config.oauth.disable-password.description": "Se deseja desativar o login por senha\nCertifique-se de que um provedor OAuth está configurado corretamente antes de ativar essa configuração para evitar ser bloqueado.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Se o login GitHub está habilitado",
  "admin.config.oauth.github-client-id": "Client ID do GitHub",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "URI da descoberta do aplicativo OpenID Connect OAuth",
  "admin.config.oauth.oidc-username-claim": "Reivindicação de nome de usuário OpenID Connect",
  "admin.config.oauth.oidc-username-claim.description": "Nome de usuário no token de ID OpenID Connect. Deixe em branco se você não sabe o que é esta configuração.",
+  "admin.config.oauth.oidc-role-path": "Caminho para as funções no token OpenID Connect",
+  "admin.config.oauth.oidc-role-path.description": "Deve ser um caminho JMES válido, fazendo referência a uma matriz de funções. " + "Gerenciar direitos de acesso usando as funções OpenID Connect só é recomendado se nenhum outro provedor de identidade for configurado e o login por senha for desativado. " + "Deixe em branco se você não sabe o que é esta configuração.",
+  "admin.config.oauth.oidc-role-general-access": "Função OpenID Connect para acesso geral",
+  "admin.config.oauth.oidc-role-general-access.description": "Função necessária para acesso geral. Deve estar presente nas funções de um usuário para que ele faça o login. " + "Deixe em branco se você não sabe o que é esta configuração.",
+  "admin.config.oauth.oidc-role-admin-access": "Função OpenID Connect para acesso de administrador",
+  "admin.config.oauth.oidc-role-admin-access.description": "Função necessária para acesso administrativo. Deve estar presente nos papéis de um usuário para ele acessar o painel de administração. " + "Deixe em branco se você não sabe o que é esta configuração.",
  "admin.config.oauth.oidc-client-id": "ID do cliente OpenID Connect",
  "admin.config.oauth.oidc-client-id.description": "ID do cliente do aplicativo OpenID OAuth",
  "admin.config.oauth.oidc-client-secret": "Segredo do cliente OpenID Connect",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Esta conta {0} já está vinculada a outra conta.",
  "error.msg.not_linked": "Esta conta {0} ainda não foi vinculada a nenhuma conta.",
  "error.msg.unverified_account": "Esta conta {0} não foi verificada, tente novamente após a verificação.",
-  "error.msg.discord_guild_permission_denied": "Você não tem permissão para acessar.",
+  "error.msg.user_not_allowed": "Você não tem permissão para acessar.",
  "error.msg.cannot_get_user_info": "Não é possível obter suas informações de usuário desta conta {0}.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/ru-RU.ts
+++ b/frontend/src/i18n/translations/ru-RU.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Требуется двухфакторная аутентификация",
  "signIn.notify.totp-required.description": "Пожалуйста, введите код Вашей 2-х факторной аутентификации",
  "signIn.oauth.or": "ИЛИ",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Пароль",
  "admin.config.smtp.password.description": "Пароль SMTP-сервера",
  "admin.config.smtp.button.test": "Отправить тестовое письмо",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Разрешить регистрацию",
  "admin.config.oauth.allow-registration.description": "Разрешить пользователям регистрироваться используя учетные записи социальных сетей",
  "admin.config.oauth.ignore-totp": "Игнорировать TOTP",
  "admin.config.oauth.ignore-totp.description": "Игнорировать TOTP при использовании социальной авторизации",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Включен ли логин на GitHub",
  "admin.config.oauth.github-client-id": "ID клиента GitHub",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery URI of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description": "Username claim in OpenID Connect ID token. Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "Client ID of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Эта учетная запись {0} уже привязана к другому аккаунту.",
  "error.msg.not_linked": "Эта учетная запись {0} ещё не привязана ни к одному аккаунту.",
  "error.msg.unverified_account": "Эта учетная запись {0} не подтверждена, повторите попытку после подтверждения.",
-  "error.msg.discord_guild_permission_denied": "У вас нет разрешения на вход.",
+  "error.msg.user_not_allowed": "У вас нет разрешения на вход.",
  "error.msg.cannot_get_user_info": "Can not get your user info from this {0} account.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/sl-SI.ts
+++ b/frontend/src/i18n/translations/sl-SI.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Zahtevana je dvofaktorska avtentikacija",
  "signIn.notify.totp-required.description": "Prosim vnesite vašo kodo dvofaktorske avtentikacije",
  "signIn.oauth.or": "ALI",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Geslo",
  "admin.config.smtp.password.description": "Geslo SMTP strežnika",
  "admin.config.smtp.button.test": "Pošlji testno sporočilo",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Dovoli registracijo",
  "admin.config.oauth.allow-registration.description": "Dovoli registracijo uporabnika prek družbenih omrežij",
  "admin.config.oauth.ignore-totp": "Ignoriraj TOTP",
  "admin.config.oauth.ignore-totp.description": "Če ignorirati TOTP, ko se uporabnik registrira prek družbenih omrežij",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Če je dovoljena prijava z GitHub računom",
  "admin.config.oauth.github-client-id": "GitHub ID klienta",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "URI za odkrivanje OpenID Connect OAuth aplikacije",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect zahteva za uporabniško ime",
  "admin.config.oauth.oidc-username-claim.description": "Zahteva za uporabniško ime za OpenID Connect ID žetona. Pustite prazno, če ne poznate te nastavitve.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect ID klienta",
  "admin.config.oauth.oidc-client-id.description": "ID Klienta OpenID Connect OAuth aplikacije",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect skrivnost klienta",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Račun {0} je že povezan na drug račun.",
  "error.msg.not_linked": "Račun {0} še ni povezan z nobenim računom.",
  "error.msg.unverified_account": "Račun {0} je nepreverjen, prosimo poskusite ponovno po preverjanju.",
-  "error.msg.discord_guild_permission_denied": "Nimate dovoljenja za prijavo.",
+  "error.msg.user_not_allowed": "Nimate dovoljenja za prijavo.",
  "error.msg.cannot_get_user_info": "Ne moremo najti uporabniških informacij za račun {0}.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/sr-SP.ts
+++ b/frontend/src/i18n/translations/sr-SP.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Потребна је двофакторска аутентификација",
  "signIn.notify.totp-required.description": "Унесите свој двофакторски код за аутентификацију",
  "signIn.oauth.or": "Или",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Лозинка",
  "admin.config.smtp.password.description": "Лозинка SMTP сервера",
  "admin.config.smtp.button.test": "Пошаљи тестну е-пошту",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Дозволи регистрацију",
  "admin.config.oauth.allow-registration.description": "Дозволите корисницима да се региструју путем друштвене пријаве",
  "admin.config.oauth.ignore-totp": "Занемари ТОТП",
  "admin.config.oauth.ignore-totp.description": "Да ли да игноришете ТОТП када корисник користи пријаву на друштвеним мрежама",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Да ли је пријављивање на GitHub омогућено",
  "admin.config.oauth.github-client-id": "GitHub ИД клијента",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery URI of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description": "Username claim in OpenID Connect ID token. Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "Client ID of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Овај {0} налог је већ повезан са другим налогом.",
  "error.msg.not_linked": "Овај {0} налог још увек није повезан ни са једним налогом.",
  "error.msg.unverified_account": "This {0} account is unverified, please try again after verification.",
-  "error.msg.discord_guild_permission_denied": "You are not allowed to sign in.",
+  "error.msg.user_not_allowed": "You are not allowed to sign in.",
  "error.msg.cannot_get_user_info": "Can not get your user info from this {0} account.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/sv-SE.ts
+++ b/frontend/src/i18n/translations/sv-SE.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Tvåfaktorsautentisering krävs",
  "signIn.notify.totp-required.description": "Vänligen ange din tvåfaktorsautentiseringskod",
  "signIn.oauth.or": "ELLER",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Lösenord",
  "admin.config.smtp.password.description": "Lösenord för SMTP-servern",
  "admin.config.smtp.button.test": "Skicka testmeddelande",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Tillåt registrering",
  "admin.config.oauth.allow-registration.description": "Tillåt användare att registrera sig via social inloggning",
  "admin.config.oauth.ignore-totp": "Ignorera TOTP",
  "admin.config.oauth.ignore-totp.description": "Om du vill ignorera TOTP när användaren använder social inloggning",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Om GitHub-inloggning är aktiverad",
  "admin.config.oauth.github-client-id": "GitHub Client ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery URI för OpenID Connect OAuth appen",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect användarnamnsanspråk",
  "admin.config.oauth.oidc-username-claim.description": "Användarnamnsanspråk i OpenID Connect ID token. Lämna tomt om du inte vet vad denna konfiguration är.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "Client ID för OpenID OAuth",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Detta {0} konto är redan länkat till ett annat konto.",
  "error.msg.not_linked": "Detta {0} konto har ännu inte länkat till något konto.",
  "error.msg.unverified_account": "Detta {0} -konto är overifierat, försök igen efter verifiering.",
-  "error.msg.discord_guild_permission_denied": "Du är inte tillåten att logga in.",
+  "error.msg.user_not_allowed": "Du är inte tillåten att logga in.",
  "error.msg.cannot_get_user_info": "Kan inte hämta din användarinformation från detta {0} konto.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/th-TH.ts
+++ b/frontend/src/i18n/translations/th-TH.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "ยืนยันตรวจสอบสิทธิ์สองปัจจัย",
  "signIn.notify.totp-required.description": "กรุณาใส่รหัสยืนยันตัวตนสองปัจจัย",
  "signIn.oauth.or": "OR",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "รหัสผ่าน",
  "admin.config.smtp.password.description": "รหัสผ่านของเซิร์ฟเวอร์ SMTP",
  "admin.config.smtp.button.test": "ส่งอีเมล์์์์์์ทดสอบ",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Allow registration",
  "admin.config.oauth.allow-registration.description": "Allow users to register via social login",
  "admin.config.oauth.ignore-totp": "Ignore TOTP",
  "admin.config.oauth.ignore-totp.description": "Whether to ignore TOTP when user using social login",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Whether GitHub login is enabled",
  "admin.config.oauth.github-client-id": "GitHub Client ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery URI of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description": "Username claim in OpenID Connect ID token. Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "Client ID of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "This {0} account is already linked to another account.",
  "error.msg.not_linked": "This {0} account haven't linked to any account yet.",
  "error.msg.unverified_account": "This {0} account is unverified, please try again after verification.",
-  "error.msg.discord_guild_permission_denied": "You are not allowed to sign in.",
+  "error.msg.user_not_allowed": "You are not allowed to sign in.",
  "error.msg.cannot_get_user_info": "Can not get your user info from this {0} account.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/tr-TR.ts
+++ b/frontend/src/i18n/translations/tr-TR.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "İki faktörlü kimlik doğrulama gerekli",
  "signIn.notify.totp-required.description": "Lütfen iki faktörlü doğrulama kodunuzu girin",
  "signIn.oauth.or": "YA DA",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Şifre",
  "admin.config.smtp.password.description": "SMTP sunucusunun şifresi",
  "admin.config.smtp.button.test": "Test e-postası gönder",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Kayıtlara izin ver",
  "admin.config.oauth.allow-registration.description": "Sosyal Medya kayıtlarına izin verilip verilmeyeceği",
  "admin.config.oauth.ignore-totp": "2FA görmezden gel",
  "admin.config.oauth.ignore-totp.description": "Sosyal Medya ile giriş yapıldıktıktan sonra 2FA görmezden gelinip gelinmeyeceği",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "GitHub girişine izin verilip verilmeyeceği",
  "admin.config.oauth.github-client-id": "GitHub Client ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "OpenID Connect OAuth uygulamasının Keşfetme URI'si",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect kullanıcı adı sahiplenme",
  "admin.config.oauth.oidc-username-claim.description": "OpenID Connect ID belirtecinde kullanıcı adı sahiplenme. Bu yapılandırmanın ne olduğunu bilmiyorsanız boş bırakın.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "OpenID Connect OAuth uygulamasının Client ID'si",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Bu {0} hesabı zaten başka bir hesaba bağlı.",
  "error.msg.not_linked": "Bu {0} hesabı henüz bir hesaba bağlı değil.",
  "error.msg.unverified_account": "Bu {0} hesabı doğrulanmamış, lütfen doğruladıktan sonra yeniden dene.",
-  "error.msg.discord_guild_permission_denied": "Giriş yapmana izin verilmiyor.",
+  "error.msg.user_not_allowed": "Giriş yapmana izin verilmiyor.",
  "error.msg.cannot_get_user_info": "Bu {0} hesabından kullanıcı bilgilerinizi alamıyorum.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/uk-UA.ts
+++ b/frontend/src/i18n/translations/uk-UA.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "Потрібна двофакторна аутентифікація",
  "signIn.notify.totp-required.description": "Будь ласка, введіть код Вашої 2-х факторної аутентифікації",
  "signIn.oauth.or": "АБО",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "Пароль",
  "admin.config.smtp.password.description": "Пароль SMTP-сервера",
  "admin.config.smtp.button.test": "Відправити тестовий лист",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "Дозволити реєстрацію",
  "admin.config.oauth.allow-registration.description": "Дозволити користувачам реєструватися, використовуючи облікові записи соціальних мереж",
  "admin.config.oauth.ignore-totp": "Ігнорувати TOTP",
  "admin.config.oauth.ignore-totp.description": "Ігнорувати TOTP при використанні соціальної авторизації",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "Чи ввімкнено логін на GitHub",
  "admin.config.oauth.github-client-id": "ID клієнта GitHub",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "URI Discovery URI додатка OpenID Connect OAuth",
  "admin.config.oauth.oidc-username-claim": "Заява на ім'я користувача OpenID Connect",
  "admin.config.oauth.oidc-username-claim.description": "Заява про ім'я користувача в токені OpenID Connect ID. Залиште порожнім, якщо не знаєте, що це за конфіг.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "Клієнтський ідентифікатор додатка OpenID Connect OAuth",
  "admin.config.oauth.oidc-client-secret": "Секрет клієнта OpenID Connect",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "Цей обліковий запис {0} уже прив'язано до іншого акаунта.",
  "error.msg.not_linked": "Цей обліковий запис {0} ще не прив'язаний до жодного акаунту.",
  "error.msg.unverified_account": "Цей обліковий запис {0} не підтверджено, повторіть спробу після підтвердження.",
-  "error.msg.discord_guild_permission_denied": "У вас немає дозволу на вхід.",
+  "error.msg.user_not_allowed": "У вас немає дозволу на вхід.",
  "error.msg.cannot_get_user_info": "Не вдається отримати інфу про користувача з цього {0} облікового запису.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/frontend/src/i18n/translations/zh-CN.ts
+++ b/frontend/src/i18n/translations/zh-CN.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "请继续两步验证",
  "signIn.notify.totp-required.description": "请输入一次性验证码",
  "signIn.oauth.or": "或",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "谷歌",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "密码",
  "admin.config.smtp.password.description": "SMTP 主机密码",
  "admin.config.smtp.button.test": "发送测试邮件",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "允许注册",
  "admin.config.oauth.allow-registration.description": "允许用户通过登录社交账号来注册",
  "admin.config.oauth.ignore-totp": "忽略两步验证",
  "admin.config.oauth.ignore-totp.description": "用户通过社交账号登录时是否忽略两步验证",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "是否启用 GitHub 账号登录",
  "admin.config.oauth.github-client-id": "GitHub Client ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "OpenID Connect OAuth App 的 Discovery URI",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect 用户名请求",
  "admin.config.oauth.oidc-username-claim.description": "OpenID Connect ID token 中的用户名请求。如果您不知道这项配置是什么，请留空。",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect 的 Client ID",
  "admin.config.oauth.oidc-client-id.description": "OpenID Connect OAuth App 的 Client ID",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect 的 Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "{0} 这个账户已经关联到另一个账号。",
  "error.msg.not_linked": "{0} 这个账户尚未关联到任何账号。",
  "error.msg.unverified_account": "{0} 这个账户尚未验证，请在验证后重试。",
-  "error.msg.discord_guild_permission_denied": "您无权登录。",
+  "error.msg.user_not_allowed": "您无权登录。",
  "error.msg.cannot_get_user_info": "无法从 {0} 这个账户获取您的用户信息。",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "谷歌",
--- a/frontend/src/i18n/translations/zh-TW.ts
+++ b/frontend/src/i18n/translations/zh-TW.ts
@@ -34,6 +34,7 @@ export default {
  "signIn.notify.totp-required.title": "請繼續兩步驗證",
  "signIn.notify.totp-required.description": "請輸入一次性驗證碼",
  "signIn.oauth.or": "OR",
+  "signIn.oauth.signInWith": "Sign in with",
  "signIn.oauth.github": "GitHub",
  "signIn.oauth.google": "Google",
  "signIn.oauth.microsoft": "Microsoft",
@@ -344,10 +345,14 @@ export default {
  "admin.config.smtp.password": "密碼",
  "admin.config.smtp.password.description": "SMTP 主機密碼",
  "admin.config.smtp.button.test": "發送測試Email",
+  "admin.config.smtp.allow-unauthorized-certificates": "Trust unauthorized SMTP server certificates",
+  "admin.config.smtp.allow-unauthorized-certificates.description": "Only set this to true if you need to trust self signed certificates.",
  "admin.config.oauth.allow-registration": "允許註冊",
  "admin.config.oauth.allow-registration.description": "允許使用者以第三方登入註冊",
  "admin.config.oauth.ignore-totp": "略過 TOTP",
  "admin.config.oauth.ignore-totp.description": "當使用者使用第三方登入時，略過 TOTP 驗證",
+  "admin.config.oauth.disable-password": "Disable password login",
+  "admin.config.oauth.disable-password.description": "Whether to disable password login\nMake sure that an OAuth provider is properly configured before activating this configuration to avoid being locked out.",
  "admin.config.oauth.github-enabled": "GitHub",
  "admin.config.oauth.github-enabled.description": "啟用 Github 登入",
  "admin.config.oauth.github-client-id": "GitHub Client ID",
@@ -382,6 +387,12 @@ export default {
  "admin.config.oauth.oidc-discovery-uri.description": "Discovery URI of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-username-claim": "OpenID Connect username claim",
  "admin.config.oauth.oidc-username-claim.description": "Username claim in OpenID Connect ID token. Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-path": "Path to roles in OpenID Connect token",
+  "admin.config.oauth.oidc-role-path.description": "Must be a valid JMES path referencing an array of roles. " + "Managing access rights using OpenID Connect roles is only recommended if no other identity provider is configured and password login is disabled. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-general-access": "OpenID Connect role for general access",
+  "admin.config.oauth.oidc-role-general-access.description": "Role required for general access. Must be present in a user’s roles for them to log in. " + "Leave it blank if you don't know what this config is.",
+  "admin.config.oauth.oidc-role-admin-access": "OpenID Connect role for admin access",
+  "admin.config.oauth.oidc-role-admin-access.description": "Role required for administrative access. Must be present in a user’s roles for them to access the admin panel. " + "Leave it blank if you don't know what this config is.",
  "admin.config.oauth.oidc-client-id": "OpenID Connect Client ID",
  "admin.config.oauth.oidc-client-id.description": "Client ID of the OpenID Connect OAuth app",
  "admin.config.oauth.oidc-client-secret": "OpenID Connect Client secret",
@@ -402,7 +413,7 @@ export default {
  "error.msg.already_linked": "此 {0} 帳號已與另一個帳號關聯。",
  "error.msg.not_linked": "此 {0} 帳號尚未關聯到任何帳號。",
  "error.msg.unverified_account": "This {0} account is unverified, please try again after verification.",
-  "error.msg.discord_guild_permission_denied": "You are not allowed to sign in.",
+  "error.msg.user_not_allowed": "You are not allowed to sign in.",
  "error.msg.cannot_get_user_info": "Can not get your user info from this {0} account.",
  "error.param.provider_github": "GitHub",
  "error.param.provider_google": "Google",
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "pingvin-share",
-  "version": "0.26.0",
+  "version": "0.28.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "pingvin-share",
-      "version": "0.26.0",
+      "version": "0.28.0",
      "devDependencies": {
        "conventional-changelog-cli": "^3.0.0"
      }
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "pingvin-share",
-  "version": "0.26.0",
+  "version": "0.28.0",
  "scripts": {
    "format": "cd frontend && npm run format && cd ../backend && npm run format",
    "lint": "cd frontend && npm run lint && cd ../backend && npm run lint",
Author	SHA1	Message	Date
Elias Schneider	601772d2f4	release: 0.28.0	2024-07-22 13:36:54 +02:00
Elias Schneider	0e66be5f08	chore: resolve uncomplete merge conflict	2024-07-22 13:36:41 +02:00
Elias Schneider	4cabcfb715	chore(translations): update translations via Crowdin (#532 ) * New translations en-us.ts (French) * New translations en-us.ts (Spanish) * New translations en-us.ts (Danish) * New translations en-us.ts (German) * New translations en-us.ts (Greek) * New translations en-us.ts (Finnish) * New translations en-us.ts (Hungarian) * New translations en-us.ts (Italian) * New translations en-us.ts (Japanese) * New translations en-us.ts (Korean) * New translations en-us.ts (Polish) * New translations en-us.ts (Russian) * New translations en-us.ts (Slovenian) * New translations en-us.ts (Serbian (Cyrillic)) * New translations en-us.ts (Swedish) * New translations en-us.ts (Ukrainian) * New translations en-us.ts (Chinese Simplified) * New translations en-us.ts (Chinese Traditional) * New translations en-us.ts (Portuguese, Brazilian) * New translations en-us.ts (Thai) * New translations en-us.ts (Dutch, Belgium) * New translations en-us.ts (Arabic, Egypt) * New translations en-us.ts (Turkish) * New translations en-us.ts (Portuguese, Brazilian) * New translations en-us.ts (Italian) * New translations en-us.ts (French) * New translations en-us.ts (Spanish) * New translations en-us.ts (Danish) * New translations en-us.ts (German) * New translations en-us.ts (Greek) * New translations en-us.ts (Finnish) * New translations en-us.ts (Hungarian) * New translations en-us.ts (Italian) * New translations en-us.ts (Japanese) * New translations en-us.ts (Korean) * New translations en-us.ts (Polish) * New translations en-us.ts (Russian) * New translations en-us.ts (Slovenian) * New translations en-us.ts (Serbian (Cyrillic)) * New translations en-us.ts (Swedish) * New translations en-us.ts (Ukrainian) * New translations en-us.ts (Chinese Simplified) * New translations en-us.ts (Chinese Traditional) * New translations en-us.ts (Portuguese, Brazilian) * New translations en-us.ts (Thai) * New translations en-us.ts (Dutch, Belgium) * New translations en-us.ts (Arabic, Egypt) * New translations en-us.ts (Turkish) * New translations en-us.ts (Italian) * New translations en-us.ts (Portuguese, Brazilian) * New translations en-us.ts (Arabic, Egypt)	2024-07-22 11:01:20 +02:00
Maurice Schorn	e5e9d85d39	chore: remove obsolete version from docker compose * compose version tag is not a necessity * adjust default nextjs port * Update docker-compose.yml --------- Co-authored-by: Elias Schneider <login@eliasschneider.com>	2024-07-17 23:26:57 +02:00
Marvin A. Ruder	70fd2d94be	feat(auth): Add role-based access management from OpenID Connect (#535 ) * feat(auth): Add role-based access management from OpenID Connect Signed-off-by: Marvin A. Ruder <signed@mruder.dev> * Apply suggestions from code review Signed-off-by: Marvin A. Ruder <signed@mruder.dev> --------- Signed-off-by: Marvin A. Ruder <signed@mruder.dev>	2024-07-17 23:25:42 +02:00
Elias Schneider	e5a0c649e3	fix: store only 10 share tokens in the cookies and clear the expired ones	2024-07-16 19:17:53 +02:00
Anti-Apple4life	414bcecbb5	chore: fix compile-time errors and warnings in i18n translations (#531 ) * Fix aingle-quote warning in fi-FI.ts * Fix duplicate key in fr-FR.ts	2024-07-11 23:43:15 +02:00
Elias Schneider	968352cb6c	release: 0.27.0	2024-07-11 21:57:37 +02:00
Elias Schneider	355f860387	chore(translations): update translations via Crowdin (#524 ) * New translations en-us.ts (French) * New translations en-us.ts (Spanish) * New translations en-us.ts (Danish) * New translations en-us.ts (German) * New translations en-us.ts (Greek) * New translations en-us.ts (Finnish) * New translations en-us.ts (Hungarian) * New translations en-us.ts (Italian) * New translations en-us.ts (Japanese) * New translations en-us.ts (Korean) * New translations en-us.ts (Polish) * New translations en-us.ts (Russian) * New translations en-us.ts (Slovenian) * New translations en-us.ts (Serbian (Cyrillic)) * New translations en-us.ts (Swedish) * New translations en-us.ts (Ukrainian) * New translations en-us.ts (Chinese Simplified) * New translations en-us.ts (Chinese Traditional) * New translations en-us.ts (Portuguese, Brazilian) * New translations en-us.ts (Thai) * New translations en-us.ts (Dutch, Belgium) * New translations en-us.ts (Arabic, Egypt) * New translations en-us.ts (Turkish) * New translations en-us.ts (Italian) * New translations en-us.ts (Portuguese, Brazilian) * New translations en-us.ts (French) * New translations en-us.ts (French) * New translations en-us.ts (Spanish) * New translations en-us.ts (Danish) * New translations en-us.ts (German) * New translations en-us.ts (Greek) * New translations en-us.ts (Finnish) * New translations en-us.ts (Hungarian) * New translations en-us.ts (Italian) * New translations en-us.ts (Japanese) * New translations en-us.ts (Korean) * New translations en-us.ts (Polish) * New translations en-us.ts (Russian) * New translations en-us.ts (Slovenian) * New translations en-us.ts (Serbian (Cyrillic)) * New translations en-us.ts (Swedish) * New translations en-us.ts (Ukrainian) * New translations en-us.ts (Chinese Simplified) * New translations en-us.ts (Chinese Traditional) * New translations en-us.ts (Portuguese, Brazilian) * New translations en-us.ts (Thai) * New translations en-us.ts (Dutch, Belgium) * New translations en-us.ts (Arabic, Egypt) * New translations en-us.ts (Turkish)	2024-07-11 21:57:08 +02:00
thecrafterjt	083d82c28b	feat(smtp): allow unauthorized mail server certificates (#525 ) * Update config.seed.ts Added Config Option "allowUnauthenticatedCertificates". * Update email.service.ts Now using new Config Option "allowUnauthenticatedCertificates". * Update en-US.ts * Update ar-EG.ts * Update da-DK.ts * Update el-GR.ts * Update es-ES.ts * Update fi-FI.ts * Update fr-FR.ts * Update hu-HU.ts * Update it-IT.ts * Update ja-JP.ts * Update ko-KR.ts * Update nl-BE.ts * Update pl-PL.ts * Update pt-BR.ts * Update ru-RU.ts * Update sl-SI.ts * Update sr-SP.ts * Update sv-SE.ts * Update th-TH.ts * Update tr-TR.ts * Update uk-UA.ts * Update zh-CN.ts * Update zh-TW.ts * Update config.seed.ts * Update email.service.ts * Update de-DE.ts * Add files via upload rename allow-unauthenticated-certificates to allow-unauthorized-certificates * Add files via upload rename allowUnauthenticatedCertificates to allowUnauthorizedCertificates * Add files via upload rename allowUnauthenticatedCertificates to allowUnauthorizedCertificates * rename "unauthenticated" to "unauthorized" * refactor: run formatter --------- Co-authored-by: Elias Schneider <login@eliasschneider.com>	2024-07-11 21:50:09 +02:00
Elias Schneider	046c630abf	Merge branches 'main' and 'main' of https://github.com/stonith404/pingvin-share	2024-07-10 18:39:53 +02:00
Elias Schneider	d2bfb9a55f	feat: add logs for successful registration, successful login and failed login	2024-07-10 18:39:47 +02:00
Elias Schneider	fccf57e9e4	chore(translations): update translations via Crowdin (#520 ) * New translations en-us.ts (Hungarian) * New translations en-us.ts (Korean)	2024-07-07 23:08:28 +02:00
Marvin A. Ruder	e1a68f75f7	feat(auth): Allow to hide username / password login form when OAuth is enabled (#518 ) * 🚀 Feature: Allow to hide username / password login form when OAuth is enabled * Hide “Sign in” password form * Disable routes related to password authentication * Change styling of OAuth provider buttons * Open OAuth page in same tab * Fix consistent usage of informal language in de-DE locale Fixes #489 Signed-off-by: Marvin A. Ruder <signed@mruder.dev> * fix: order of new config variables --------- Signed-off-by: Marvin A. Ruder <signed@mruder.dev> Co-authored-by: Elias Schneider <login@eliasschneider.com>	2024-07-07 23:08:14 +02:00