From 26817a8c30230b8cf22065303509b74c64e56124 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Wed, 5 Jun 2024 12:17:47 +0200
Subject: [PATCH 01/73] wip: OIDC structures & migration

---
 Cargo.toml                                    |  8 +-----
 migrations/20240603091113_oidc_login.down.sql |  1 +
 migrations/20240603091113_oidc_login.up.sql   |  6 +++++
 src/db/models/mod.rs                          |  3 +++
 src/db/models/oauth2service.rs                | 23 ++++++++++++++++
 src/handlers/mod.rs                           |  1 +
 src/handlers/openid_login.rs                  | 26 +++++++++++++++++++
 src/lib.rs                                    |  5 +++-
 8 files changed, 65 insertions(+), 8 deletions(-)
 create mode 100644 migrations/20240603091113_oidc_login.down.sql
 create mode 100644 migrations/20240603091113_oidc_login.up.sql
 create mode 100644 src/db/models/oauth2service.rs
 create mode 100644 src/handlers/openid_login.rs

diff --git a/Cargo.toml b/Cargo.toml
index 810ad3d1b8..b37efbba13 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -58,13 +58,7 @@ serde_cbor = { version = "0.12.0-dev", package = "serde_cbor_2" }
 serde_json = "1.0"
 serde_urlencoded = "0.7"
 sha-1 = "0.10"
-sqlx = { version = "0.7", features = [
-    "chrono",
-    "ipnetwork",
-    "runtime-tokio-native-tls",
-    "postgres",
-    "uuid",
-] }
+sqlx = { version = "0.7", features = ["chrono", "ipnetwork", "runtime-tokio-native-tls", "postgres", "uuid"] }
 ssh-key = "0.6"
 struct-patch = "0.4"
 tera = "1.19"
diff --git a/migrations/20240603091113_oidc_login.down.sql b/migrations/20240603091113_oidc_login.down.sql
new file mode 100644
index 0000000000..920b2c8467
--- /dev/null
+++ b/migrations/20240603091113_oidc_login.down.sql
@@ -0,0 +1 @@
+DROP TABLE oauth2service;
diff --git a/migrations/20240603091113_oidc_login.up.sql b/migrations/20240603091113_oidc_login.up.sql
new file mode 100644
index 0000000000..910d954fbf
--- /dev/null
+++ b/migrations/20240603091113_oidc_login.up.sql
@@ -0,0 +1,6 @@
+CREATE TABLE oauth2service (
+    id bigserial PRIMARY KEY,
+    "client_id" text NOT NULL,
+    "client_secret" text NOT NULL,
+    "auth_url" text NOT NULL
+);
diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs
index e60dfdfe99..dcbd90e200 100644
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -10,6 +10,9 @@ pub mod group;
 pub mod oauth2authorizedapp;
 #[cfg(feature = "openid")]
 pub mod oauth2client;
+// TODO(jck): enterprise-only enabled
+// TODO(jck): #[cfg(feature = "openid")]
+pub mod oauth2service;
 #[cfg(feature = "openid")]
 pub mod oauth2token;
 pub mod session;
diff --git a/src/db/models/oauth2service.rs b/src/db/models/oauth2service.rs
new file mode 100644
index 0000000000..a180fd3c9c
--- /dev/null
+++ b/src/db/models/oauth2service.rs
@@ -0,0 +1,23 @@
+use model_derive::Model;
+
+// TODO(jck): maybe rename OpenIdProvider
+#[derive(Deserialize, Model, Serialize)]
+pub struct OAuth2Service {
+    pub id: Option<i64>,
+    pub client_id: String, // unique
+    // TODO(jck): maybe remove since we get the id_token in the first reponse?
+    pub client_secret: String,
+    pub auth_url: String,
+    // TODO(jck): provider image?
+
+    // // TODO(jck): do we need this?
+    // #[model(ref)]
+    // pub redirect_uri: Vec<String>,
+    // // TODO(jck): can we assume constant scope ahead of time?
+    // #[model(ref)]
+    // pub scope: Vec<String>,
+    // // TODO(jck): remove?
+    // // informational
+    // pub name: String,
+    // pub enabled: bool,
+}
diff --git a/src/handlers/mod.rs b/src/handlers/mod.rs
index 0ee11dc383..8fce7dc299 100644
--- a/src/handlers/mod.rs
+++ b/src/handlers/mod.rs
@@ -24,6 +24,7 @@ pub(crate) mod mail;
 pub(crate) mod openid_clients;
 #[cfg(feature = "openid")]
 pub mod openid_flow;
+pub mod openid_login;
 pub(crate) mod settings;
 pub(crate) mod ssh_authorized_keys;
 pub(crate) mod support;
diff --git a/src/handlers/openid_login.rs b/src/handlers/openid_login.rs
new file mode 100644
index 0000000000..bb1f7697c4
--- /dev/null
+++ b/src/handlers/openid_login.rs
@@ -0,0 +1,26 @@
+use crate::{error::WebError, AppState};
+use axum::extract::State;
+
+// /// Authorization Endpoint
+// /// See https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
+// pub async fn authorization(
+//     State(appstate): State<AppState>,
+//     Query(data): Query<AuthenticationRequest>,
+//     cookies: CookieJar,
+//     private_cookies: PrivateCookieJar,
+// ) -> Result<(StatusCode, HeaderMap, PrivateCookieJar), WebError> {
+
+//     Ok()
+// }
+
+pub async fn auth_callback(State(state): State<AppState>) -> Result<(), WebError> {
+    // TODO(jck): log all useful stuff
+    debug!("OIDC login callback");
+    // TODO(jck): get user info from oidc provider
+    // TOOD(jck): create user based on user info
+    // TOOD(jck): log user in
+
+    // TODO(jck): log all useful stuff
+    info!("OIDC login succeeded for user");
+    Ok(())
+}
diff --git a/src/lib.rs b/src/lib.rs
index 85155852d1..4bd7f1685f 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -59,6 +59,7 @@ use self::{
             remove_group_member,
         },
         mail::{send_support_data, test_mail},
+        openid_login::auth_callback,
         settings::{
             get_settings, get_settings_essentials, patch_settings, set_default_branding,
             test_ldap_settings, update_settings,
@@ -273,7 +274,9 @@ pub fn build_webapp(
             .route("/webhook/:id", delete(delete_webhook))
             .route("/webhook/:id", post(change_enabled))
             // ldap
-            .route("/ldap/test", get(test_ldap_settings)),
+            .route("/ldap/test", get(test_ldap_settings))
+            // OIDC login
+            .route("/oidc/callback", get(auth_callback)),
     );
 
     #[cfg(feature = "openid")]

From 6702591575c96864b0c5a66494b3125b2d4371eb Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Tue, 11 Jun 2024 09:48:53 +0200
Subject: [PATCH 02/73] wip: callback handler

TODO:
* handler expects id_token as query parameter, should be after '#'
* extract user info
---
 src/handlers/openid_login.rs       | 45 ++++++++++++++++++++++++------
 web/src/pages/auth/Login/Login.tsx | 16 +++++++++++
 2 files changed, 53 insertions(+), 8 deletions(-)

diff --git a/src/handlers/openid_login.rs b/src/handlers/openid_login.rs
index bb1f7697c4..63f7ab6026 100644
--- a/src/handlers/openid_login.rs
+++ b/src/handlers/openid_login.rs
@@ -1,5 +1,10 @@
+use std::str::FromStr;
+
 use crate::{error::WebError, AppState};
-use axum::extract::State;
+use axum::extract::{Query, State};
+use openidconnect::{
+    core::CoreIdTokenVerifier, AdditionalClaims, GenderClaim, IdToken, IdTokenVerifier, JsonWebKeyType, JweContentEncryptionAlgorithm, JwsSigningAlgorithm
+};
 
 // /// Authorization Endpoint
 // /// See https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
@@ -13,14 +18,38 @@ use axum::extract::State;
 //     Ok()
 // }
 
-pub async fn auth_callback(State(state): State<AppState>) -> Result<(), WebError> {
-    // TODO(jck): log all useful stuff
-    debug!("OIDC login callback");
-    // TODO(jck): get user info from oidc provider
-    // TOOD(jck): create user based on user info
-    // TOOD(jck): log user in
+/// Authentication response callback
+/// See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+#[derive(Deserialize, Serialize, Debug)]
+pub struct AuthenticationResponse {
+    id_token: String,
+}
 
+pub async fn auth_callback(
+    State(state): State<AppState>,
+    Query(response): Query<AuthenticationResponse>,
+) -> Result<(), WebError> {
     // TODO(jck): log all useful stuff
-    info!("OIDC login succeeded for user");
+    debug!("OIDC login callback got response: {response:?}");
+    let token = IdToken::<
+        openidconnect::EmptyAdditionalClaims,
+        openidconnect::core::CoreGenderClaim,
+        openidconnect::core::CoreJweContentEncryptionAlgorithm,
+        openidconnect::core::CoreJwsSigningAlgorithm,
+        _,
+    >::from_str(&response.id_token);
+    debug!("Decoded token: {token:?}");
+    if let Ok(token) = token {
+        // TOOD(jck): create user based on user info
+        // TOOD(jck): log user in
+        // token.claims(verifier, nonce_verifier);
+
+        // TODO(jck): log all useful stuff
+        info!("OIDC login succeeded for user");
+    } else {
+        // TODO(jck): add context
+        warn!("OIDC login failed");
+    }
+
     Ok(())
 }
diff --git a/web/src/pages/auth/Login/Login.tsx b/web/src/pages/auth/Login/Login.tsx
index 4a9123c336..e07a289d52 100644
--- a/web/src/pages/auth/Login/Login.tsx
+++ b/web/src/pages/auth/Login/Login.tsx
@@ -85,6 +85,14 @@ export const Login = () => {
     }
   };
 
+  const msUrl =
+    'https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/oauth2/' +
+    'v2.0/authorize?client_id=f2cef8b3-5b09-4c3f-988b-51fc3c42ecbc' +
+    '&scope=openid%20profile%20email&response_type=id_token&nonce=ala';
+  const redirect = () => {
+    window.location.replace(msUrl);
+  };
+
   return (
     <section id="login-container">
       <h1>{LL.loginPage.pageTitle()}</h1>
@@ -112,6 +120,14 @@ export const Login = () => {
           text={LL.form.login()}
           data-testid="login-form-submit"
         />
+        <Button
+          loading={loginMutation.isLoading}
+          size={ButtonSize.LARGE}
+          styleVariant={ButtonStyleVariant.PRIMARY}
+          text="Login with OIDC"
+          data-testid="login-form-submit"
+          onClick={redirect}
+        />
       </form>
     </section>
   );

From 474a02e7464550b1ace2dbcffae6072181343c23 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Tue, 11 Jun 2024 10:52:06 +0200
Subject: [PATCH 03/73] wip: try and parse the claims

ISSUE: no jwks keys
---
 src/handlers/openid_login.rs | 47 +++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/src/handlers/openid_login.rs b/src/handlers/openid_login.rs
index 63f7ab6026..4099e96428 100644
--- a/src/handlers/openid_login.rs
+++ b/src/handlers/openid_login.rs
@@ -3,7 +3,10 @@ use std::str::FromStr;
 use crate::{error::WebError, AppState};
 use axum::extract::{Query, State};
 use openidconnect::{
-    core::CoreIdTokenVerifier, AdditionalClaims, GenderClaim, IdToken, IdTokenVerifier, JsonWebKeyType, JweContentEncryptionAlgorithm, JwsSigningAlgorithm
+    core::{CoreClient, CoreIdTokenVerifier, CoreProviderMetadata},
+    AdditionalClaims, AuthUrl, ClientId, GenderClaim, IdToken, IdTokenVerifier, IssuerUrl,
+    JsonWebKeySet, JsonWebKeyType, JweContentEncryptionAlgorithm, JwsSigningAlgorithm,
+    NonceVerifier,
 };
 
 // /// Authorization Endpoint
@@ -25,6 +28,14 @@ pub struct AuthenticationResponse {
     id_token: String,
 }
 
+struct Verifier;
+
+impl NonceVerifier for Verifier {
+    fn verify(self, nonce: Option<&openidconnect::Nonce>) -> Result<(), String> {
+        Ok(())
+    }
+}
+
 pub async fn auth_callback(
     State(state): State<AppState>,
     Query(response): Query<AuthenticationResponse>,
@@ -43,6 +54,40 @@ pub async fn auth_callback(
         // TOOD(jck): create user based on user info
         // TOOD(jck): log user in
         // token.claims(verifier, nonce_verifier);
+        // let provider_metadata = CoreProviderMetadata::discover(
+        //     &IssuerUrl::new("https://accounts.example.com".to_string())?,
+        //     http_client,
+        // )?;
+
+        let client_id = ClientId::new("f2cef8b3-5b09-4c3f-988b-51fc3c42ecbc".to_string());
+        let client_secret = None;
+        let issuer_url = IssuerUrl::new(
+            "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/v2.0"
+                .to_string(),
+        )
+        .unwrap();
+        let auth_url = AuthUrl::new(
+            "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/oauth2/v2.0/authorize".to_string()
+        ).unwrap();
+        let token_url = None;
+        let userinfo_url = None;
+        let jwks = JsonWebKeySet::default();
+        let client = CoreClient::new(
+            client_id,
+            client_secret,
+            issuer_url,
+            auth_url,
+            token_url,
+            userinfo_url,
+            jwks,
+        );
+        let claims = token.claims(&client.id_token_verifier(), Verifier);
+        info!("### Decoded claims: {claims:#?}");
+        // let name = claims.name().unwrap();
+        // let family_name = claims.family_name().unwrap();
+        // let given_name = claims.given_name().unwrap();
+        // let email = claims.email().unwrap();
+        // info!("### name: {name:?}, family_name: {family_name:?}, given_name: {given_name:?}, email: {email:?}");
 
         // TODO(jck): log all useful stuff
         info!("OIDC login succeeded for user");

From f4fe911925641ab145a234c16f50b41b29f328b8 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Tue, 11 Jun 2024 11:12:02 +0200
Subject: [PATCH 04/73] wip: Decoded the claims using openidconnect client

TODO:
* proper nonce
---
 Cargo.lock                   |  1 +
 Cargo.toml                   |  2 +-
 src/handlers/openid_login.rs | 64 ++++++++++++++++++++++--------------
 3 files changed, 42 insertions(+), 25 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 2224fd62ae..f6c1f2d7c5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2543,6 +2543,7 @@ dependencies = [
  "getrandom",
  "http 0.2.12",
  "rand",
+ "reqwest",
  "serde",
  "serde_json",
  "serde_path_to_error",
diff --git a/Cargo.toml b/Cargo.toml
index b37efbba13..42df6be076 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -36,7 +36,7 @@ ldap3 = { version = "0.11", default-features = false, features = ["tls"] }
 lettre = { version = "0.11", features = ["tokio1", "tokio1-native-tls"] }
 md4 = "0.10"
 otpauth = "0.4"
-openidconnect = { version = "3.4", default-features = false, optional = true }
+openidconnect = { version = "3.4", default-features = false, optional = true, features = ["reqwest"] }
 pulldown-cmark = "0.9"
 prost = "0.12"
 rand = "0.8"
diff --git a/src/handlers/openid_login.rs b/src/handlers/openid_login.rs
index 4099e96428..c9f8206155 100644
--- a/src/handlers/openid_login.rs
+++ b/src/handlers/openid_login.rs
@@ -4,8 +4,9 @@ use crate::{error::WebError, AppState};
 use axum::extract::{Query, State};
 use openidconnect::{
     core::{CoreClient, CoreIdTokenVerifier, CoreProviderMetadata},
+    reqwest::async_http_client,
     AdditionalClaims, AuthUrl, ClientId, GenderClaim, IdToken, IdTokenVerifier, IssuerUrl,
-    JsonWebKeySet, JsonWebKeyType, JweContentEncryptionAlgorithm, JwsSigningAlgorithm,
+    JsonWebKeySet, JsonWebKeyType, JweContentEncryptionAlgorithm, JwsSigningAlgorithm, Nonce,
     NonceVerifier,
 };
 
@@ -60,35 +61,50 @@ pub async fn auth_callback(
         // )?;
 
         let client_id = ClientId::new("f2cef8b3-5b09-4c3f-988b-51fc3c42ecbc".to_string());
-        let client_secret = None;
-        let issuer_url = IssuerUrl::new(
-            "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/v2.0"
-                .to_string(),
-        )
-        .unwrap();
-        let auth_url = AuthUrl::new(
-            "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/oauth2/v2.0/authorize".to_string()
-        ).unwrap();
-        let token_url = None;
-        let userinfo_url = None;
-        let jwks = JsonWebKeySet::default();
-        let client = CoreClient::new(
-            client_id,
-            client_secret,
-            issuer_url,
-            auth_url,
-            token_url,
-            userinfo_url,
-            jwks,
-        );
-        let claims = token.claims(&client.id_token_verifier(), Verifier);
-        info!("### Decoded claims: {claims:#?}");
+        // let client_secret = None;
+        // let issuer_url = IssuerUrl::new(
+        //     "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/v2.0"
+        //         .to_string(),
+        // )
+        // .unwrap();
+        // let auth_url = AuthUrl::new(
+        //     "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/oauth2/v2.0/authorize".to_string()
+        // ).unwrap();
+        // let token_url = None;
+        // let userinfo_url = None;
+        // let jwks = JsonWebKeySet::default();
+        // let client = CoreClient::new(
+        //     client_id,
+        //     client_secret,
+        //     issuer_url,
+        //     auth_url,
+        //     token_url,
+        //     userinfo_url,
+        //     jwks,
+        // );
+        // let claims = token.claims(&client.id_token_verifier(), Verifier);
+        // info!("### Decoded claims: {claims:#?}");
         // let name = claims.name().unwrap();
         // let family_name = claims.family_name().unwrap();
         // let given_name = claims.given_name().unwrap();
         // let email = claims.email().unwrap();
         // info!("### name: {name:?}, family_name: {family_name:?}, given_name: {given_name:?}, email: {email:?}");
+        let provider_metadata = CoreProviderMetadata::discover_async(
+            IssuerUrl::new(
+                "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/v2.0"
+                    .to_string(),
+            )
+            .unwrap(),
+            async_http_client,
+        )
+        .await
+        .unwrap();
 
+        let client = CoreClient::from_provider_metadata(provider_metadata, client_id, None);
+        let claims = token.claims(&client.id_token_verifier(), &Nonce::new("ala".to_string())).unwrap();
+        info!("Decoded claims: {claims:#?}");
+        // // Set the URL the user will be redirected to after the authorization process.
+        // .set_redirect_uri(RedirectUrl::new("http://localhost:3000/api/v1/oidc/callback".to_string())?);
         // TODO(jck): log all useful stuff
         info!("OIDC login succeeded for user");
     } else {

From 7ae9775aed5f6ece56b2159a3a122ab976cffa39 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Thu, 13 Jun 2024 10:58:04 +0200
Subject: [PATCH 05/73] Simple OpenID settings tab

---
 web/src/i18n/en/index.ts                      |  10 ++
 web/src/i18n/i18n-types.ts                    |  44 ++++++++
 web/src/i18n/pl/index.ts                      |  10 ++
 web/src/pages/settings/SettingsPage.tsx       |   8 ++
 .../OpenIdSettings/OpenIdSettings.tsx         |   5 +
 .../components/OpenIdSettingsForm.tsx         | 100 ++++++++++++++++++
 .../components/OpenIdSettings/style.scss      |   0
 web/src/shared/types.ts                       |   9 +-
 8 files changed, 185 insertions(+), 1 deletion(-)
 create mode 100644 web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
 create mode 100644 web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
 create mode 100644 web/src/pages/settings/components/OpenIdSettings/style.scss

diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index b17b71b4e5..fb0b2f5221 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -864,6 +864,7 @@ const en: BaseTranslation = {
       smtp: 'SMTP',
       global: 'Global settings',
       ldap: 'LDAP',
+      openid: 'OpenID',
     },
     messages: {
       editSuccess: 'Settings updated',
@@ -895,6 +896,15 @@ const en: BaseTranslation = {
         },
       },
     },
+    openIdSettings: {
+      title: 'OpenID Settings',
+      form: {
+        labels: {
+          name: 'Name',
+          documentUrl: 'OpenID document URL',
+        },
+      },
+    },
     modulesVisibility: {
       header: 'Modules Visibility',
       helper: `<p>
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index 40142d1f62..7c6f2ce44b 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -2124,6 +2124,10 @@ type RootTranslation = {
 			 * L​D​A​P
 			 */
 			ldap: string
+			/**
+			 * O​p​e​n​I​D
+			 */
+			openid: string
 		}
 		messages: {
 			/**
@@ -2209,6 +2213,24 @@ type RootTranslation = {
 				}
 			}
 		}
+		openIdSettings: {
+			/**
+			 * O​p​e​n​I​D​ ​S​e​t​t​i​n​g​s
+			 */
+			title: string
+			form: {
+				labels: {
+					/**
+					 * N​a​m​e
+					 */
+					name: string
+					/**
+					 * O​p​e​n​I​D​ ​d​o​c​u​m​e​n​t​ ​U​R​L
+					 */
+					documentUrl: string
+				}
+			}
+		}
 		modulesVisibility: {
 			/**
 			 * M​o​d​u​l​e​s​ ​V​i​s​i​b​i​l​i​t​y
@@ -5954,6 +5976,10 @@ export type TranslationFunctions = {
 			 * LDAP
 			 */
 			ldap: () => LocalizedString
+			/**
+			 * OpenID
+			 */
+			openid: () => LocalizedString
 		}
 		messages: {
 			/**
@@ -6039,6 +6065,24 @@ export type TranslationFunctions = {
 				}
 			}
 		}
+		openIdSettings: {
+			/**
+			 * OpenID Settings
+			 */
+			title: () => LocalizedString
+			form: {
+				labels: {
+					/**
+					 * Name
+					 */
+					name: () => LocalizedString
+					/**
+					 * OpenID document URL
+					 */
+					documentUrl: () => LocalizedString
+				}
+			}
+		}
 		modulesVisibility: {
 			/**
 			 * Modules Visibility
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 698fa3f439..381f673304 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -850,6 +850,7 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
       smtp: 'SMTP',
       global: 'Globalne',
       ldap: 'LDAP',
+      openid: 'OpenID',
     },
     messages: {
       editSuccess: 'Ustawienia zaktualizowane.',
@@ -881,6 +882,15 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
         submit: 'Test',
       },
     },
+    openIdSettings: {
+      title: 'OpenID Settings',
+      form: {
+        labels: {
+          name: 'Nazwa',
+          documentUrl: 'OpenID document URL',
+        },
+      },
+    },
     modulesVisibility: {
       header: 'Widoczność modułów',
       helper: `<p>
diff --git a/web/src/pages/settings/SettingsPage.tsx b/web/src/pages/settings/SettingsPage.tsx
index bf6b9dac9f..8c2b8e1afb 100644
--- a/web/src/pages/settings/SettingsPage.tsx
+++ b/web/src/pages/settings/SettingsPage.tsx
@@ -14,6 +14,7 @@ import useApi from '../../shared/hooks/useApi';
 import { QueryKeys } from '../../shared/queries';
 import { GlobalSettings } from './components/GlobalSettings/GlobalSettings';
 import { LdapSettings } from './components/LdapSettings/LdapSettings';
+import { OpenIdSettings } from './components/OpenIdSettings/OpenIdSettings';
 import { SmtpSettings } from './components/SmtpSettings/SmtpSettings';
 import { useSettingsPage } from './hooks/useSettingsPage';
 
@@ -21,6 +22,7 @@ const tabsContent: ReactNode[] = [
   <GlobalSettings key={0} />,
   <SmtpSettings key={1} />,
   <LdapSettings key={2} />,
+  <OpenIdSettings key={3} />,
 ];
 
 export const SettingsPage = () => {
@@ -65,6 +67,12 @@ export const SettingsPage = () => {
         active: activeCard === 2,
         onClick: () => setActiveCard(2),
       },
+      {
+        key: 3,
+        content: LL.settingsPage.tabs.openid(),
+        active: activeCard === 3,
+        onClick: () => setActiveCard(3),
+      },
     ],
     [LL.settingsPage.tabs, activeCard],
   );
diff --git a/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx b/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
new file mode 100644
index 0000000000..e4239f84e5
--- /dev/null
+++ b/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
@@ -0,0 +1,5 @@
+import './style.scss';
+
+import { OpenIdSettingsForm } from './components/OpenIdSettingsForm';
+
+export const OpenIdSettings = () => <OpenIdSettingsForm />;
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
new file mode 100644
index 0000000000..a5676d6ba2
--- /dev/null
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -0,0 +1,100 @@
+import { zodResolver } from '@hookform/resolvers/zod';
+import { useMutation, useQueryClient } from '@tanstack/react-query';
+import { useMemo, useRef } from 'react';
+import { SubmitHandler, useForm } from 'react-hook-form';
+import { z } from 'zod';
+
+import { useI18nContext } from '../../../../../i18n/i18n-react';
+import IconCheckmarkWhite from '../../../../../shared/components/svg/IconCheckmarkWhite';
+import { FormInput } from '../../../../../shared/defguard-ui/components/Form/FormInput/FormInput';
+import { Button } from '../../../../../shared/defguard-ui/components/Layout/Button/Button';
+import {
+  ButtonSize,
+  ButtonStyleVariant,
+} from '../../../../../shared/defguard-ui/components/Layout/Button/types';
+import useApi from '../../../../../shared/hooks/useApi';
+import { useToaster } from '../../../../../shared/hooks/useToaster';
+import { QueryKeys } from '../../../../../shared/queries';
+import { SettingsOpenId } from '../../../../../shared/types';
+import { useSettingsPage } from '../../../hooks/useSettingsPage';
+
+type FormFields = SettingsOpenId;
+
+export const OpenIdSettingsForm = () => {
+  const { LL } = useI18nContext();
+  const localLL = LL.settingsPage.openIdSettings;
+  const submitRef = useRef<HTMLInputElement | null>(null);
+  const settings = useSettingsPage((state) => state.settings);
+  const {
+    settings: { patchSettings },
+  } = useApi();
+
+  const queryClient = useQueryClient();
+
+  const toaster = useToaster();
+
+  const { isLoading, mutate } = useMutation({
+    mutationFn: patchSettings,
+    onSuccess: () => {
+      queryClient.invalidateQueries([QueryKeys.FETCH_SETTINGS]);
+      toaster.success(LL.settingsPage.messages.editSuccess());
+    },
+  });
+
+  const schema = useMemo(
+    () =>
+      z.object({
+        name: z.string().min(1, LL.form.error.required()),
+        document_url: z
+          .string()
+          .url(LL.form.error.invalid())
+          .min(1, LL.form.error.required()),
+      }),
+    [LL.form.error],
+  );
+
+  const defaultValues = useMemo(
+    (): FormFields => ({
+      name: settings?.name ?? '',
+      document_url: settings?.document_url ?? '',
+    }),
+    [settings],
+  );
+
+  const { handleSubmit, control } = useForm<FormFields>({
+    resolver: zodResolver(schema),
+    defaultValues,
+    mode: 'all',
+  });
+
+  const handleValidSubmit: SubmitHandler<FormFields> = (data) => {
+    mutate(data);
+  };
+  return (
+    <section id="oenid-settings">
+      <header>
+        <h2>{localLL.title()}</h2>
+        <Button
+          size={ButtonSize.SMALL}
+          styleVariant={ButtonStyleVariant.SAVE}
+          text={LL.common.controls.saveChanges()}
+          type="submit"
+          loading={isLoading}
+          icon={<IconCheckmarkWhite />}
+          onClick={() => submitRef.current?.click()}
+        />
+      </header>
+      <form id="openid-settings-form" onSubmit={handleSubmit(handleValidSubmit)}>
+        <FormInput
+          controller={{ control, name: 'name' }}
+          label={localLL.form.labels.name()}
+        />
+        <FormInput
+          controller={{ control, name: 'document_url' }}
+          label={localLL.form.labels.documentUrl()}
+        />
+        <input type="submit" aria-hidden="true" className="hidden" ref={submitRef} />
+      </form>
+    </section>
+  );
+};
diff --git a/web/src/pages/settings/components/OpenIdSettings/style.scss b/web/src/pages/settings/components/OpenIdSettings/style.scss
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/web/src/shared/types.ts b/web/src/shared/types.ts
index 6d91636d2d..5971eaff17 100644
--- a/web/src/shared/types.ts
+++ b/web/src/shared/types.ts
@@ -776,7 +776,8 @@ export type Settings = SettingsModules &
   SettingsSMTP &
   SettingsEnrollment &
   SettingsBranding &
-  SettingsLDAP;
+  SettingsLDAP &
+  SettingsOpenId;
 
 // essentials for core frontend, includes only those that are required for frontend operations
 export type SettingsEssentials = SettingsModules & SettingsBranding;
@@ -825,6 +826,12 @@ export type SettingsLDAP = {
   ldap_username_attr: string;
 };
 
+export type SettingsOpenId = {
+  // TODO(jck): array
+  name?: string;
+  document_url?: string;
+};
+
 export type SettingsWeb3 = {
   challenge_template: string;
 };

From c08b73695dd2174a6fff7cd89cb62d24c8ce97e9 Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Thu, 13 Jun 2024 13:17:29 +0200
Subject: [PATCH 06/73] Fetch openid providers from API

---
 migrations/20240603091113_oidc_login.down.sql |  1 -
 migrations/20240603091113_oidc_login.up.sql   |  6 --
 .../20240603091113_openid_provider.down.sql   |  1 +
 .../20240603091113_openid_provider.up.sql     |  6 ++
 src/db/models/mod.rs                          |  5 +-
 .../{oauth2service.rs => openid_provider.rs}  | 11 +--
 src/handlers/mod.rs                           |  1 +
 src/handlers/openid_providers.rs              | 38 ++++++++++
 src/lib.rs                                    |  7 +-
 .../components/OpenIdSettingsForm.tsx         | 75 +++++++++++--------
 web/src/shared/hooks/useApi.tsx               |  5 ++
 web/src/shared/queries.ts                     |  1 +
 web/src/shared/types.ts                       | 16 ++--
 13 files changed, 114 insertions(+), 59 deletions(-)
 delete mode 100644 migrations/20240603091113_oidc_login.down.sql
 delete mode 100644 migrations/20240603091113_oidc_login.up.sql
 create mode 100644 migrations/20240603091113_openid_provider.down.sql
 create mode 100644 migrations/20240603091113_openid_provider.up.sql
 rename src/db/models/{oauth2service.rs => openid_provider.rs} (67%)
 create mode 100644 src/handlers/openid_providers.rs

diff --git a/migrations/20240603091113_oidc_login.down.sql b/migrations/20240603091113_oidc_login.down.sql
deleted file mode 100644
index 920b2c8467..0000000000
--- a/migrations/20240603091113_oidc_login.down.sql
+++ /dev/null
@@ -1 +0,0 @@
-DROP TABLE oauth2service;
diff --git a/migrations/20240603091113_oidc_login.up.sql b/migrations/20240603091113_oidc_login.up.sql
deleted file mode 100644
index 910d954fbf..0000000000
--- a/migrations/20240603091113_oidc_login.up.sql
+++ /dev/null
@@ -1,6 +0,0 @@
-CREATE TABLE oauth2service (
-    id bigserial PRIMARY KEY,
-    "client_id" text NOT NULL,
-    "client_secret" text NOT NULL,
-    "auth_url" text NOT NULL
-);
diff --git a/migrations/20240603091113_openid_provider.down.sql b/migrations/20240603091113_openid_provider.down.sql
new file mode 100644
index 0000000000..6ecbdb1291
--- /dev/null
+++ b/migrations/20240603091113_openid_provider.down.sql
@@ -0,0 +1 @@
+DROP TABLE openidprovider;
diff --git a/migrations/20240603091113_openid_provider.up.sql b/migrations/20240603091113_openid_provider.up.sql
new file mode 100644
index 0000000000..d325085382
--- /dev/null
+++ b/migrations/20240603091113_openid_provider.up.sql
@@ -0,0 +1,6 @@
+CREATE TABLE openidprovider (
+    id bigserial PRIMARY KEY,
+    "name" text NOT NULL,
+    "document_url" text NOT NULL,
+    CONSTRAINT openidprovider_name_unique UNIQUE ("name")
+);
diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs
index dcbd90e200..8402eb7734 100644
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -10,11 +10,10 @@ pub mod group;
 pub mod oauth2authorizedapp;
 #[cfg(feature = "openid")]
 pub mod oauth2client;
-// TODO(jck): enterprise-only enabled
-// TODO(jck): #[cfg(feature = "openid")]
-pub mod oauth2service;
 #[cfg(feature = "openid")]
 pub mod oauth2token;
+// TODO(jck): enterprise-only enabled
+pub mod openid_provider;
 pub mod session;
 pub mod settings;
 pub mod user;
diff --git a/src/db/models/oauth2service.rs b/src/db/models/openid_provider.rs
similarity index 67%
rename from src/db/models/oauth2service.rs
rename to src/db/models/openid_provider.rs
index a180fd3c9c..fef5fd1136 100644
--- a/src/db/models/oauth2service.rs
+++ b/src/db/models/openid_provider.rs
@@ -2,12 +2,13 @@ use model_derive::Model;
 
 // TODO(jck): maybe rename OpenIdProvider
 #[derive(Deserialize, Model, Serialize)]
-pub struct OAuth2Service {
+pub struct OpenIdProvider {
     pub id: Option<i64>,
-    pub client_id: String, // unique
-    // TODO(jck): maybe remove since we get the id_token in the first reponse?
-    pub client_secret: String,
-    pub auth_url: String,
+    pub name: String,
+    // pub client_id: String, // unique
+    // // TODO(jck): maybe remove since we get the id_token in the first reponse?
+    // pub client_secret: String,
+    // pub auth_url: String,
     // TODO(jck): provider image?
 
     // // TODO(jck): do we need this?
diff --git a/src/handlers/mod.rs b/src/handlers/mod.rs
index 8fce7dc299..82ef2ba79d 100644
--- a/src/handlers/mod.rs
+++ b/src/handlers/mod.rs
@@ -25,6 +25,7 @@ pub(crate) mod openid_clients;
 #[cfg(feature = "openid")]
 pub mod openid_flow;
 pub mod openid_login;
+pub mod openid_providers;
 pub(crate) mod settings;
 pub(crate) mod ssh_authorized_keys;
 pub(crate) mod support;
diff --git a/src/handlers/openid_providers.rs b/src/handlers/openid_providers.rs
new file mode 100644
index 0000000000..3eb1175e49
--- /dev/null
+++ b/src/handlers/openid_providers.rs
@@ -0,0 +1,38 @@
+use axum::{extract::State, http::StatusCode, Json};
+
+use crate::{appstate::AppState, auth::AdminRole, db::models::openid_provider::OpenIdProvider};
+
+use super::{ApiResponse, ApiResult};
+use serde_json::json;
+
+// pub async fn add_openid_provider(
+//     _admin: AdminRole,
+//     session: SessionInfo,
+//     State(appstate): State<AppState>,
+//     Json(data): Json<OpenIdProvider>,
+// ) -> ApiResult {
+//     debug!(
+//         "User {} adding OpenID provider {}",
+//         session.user.username, client.name
+//     );
+//     client.save(&appstate.pool).await?;
+//     info!(
+//         "User {} added OpenID client {}",
+//         session.user.username, client.name
+//     );
+//     Ok(ApiResponse {
+//         json: json!(client),
+//         status: StatusCode::CREATED,
+//     })
+// }
+
+pub async fn list_openid_providers(
+    _admin: AdminRole,
+    State(appstate): State<AppState>,
+) -> ApiResult {
+    let providers = OpenIdProvider::all(&appstate.pool).await?;
+    Ok(ApiResponse {
+        json: json!(providers),
+        status: StatusCode::OK,
+    })
+}
diff --git a/src/lib.rs b/src/lib.rs
index 4bd7f1685f..b0cbe19fb8 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -12,9 +12,9 @@ use axum::{
     serve, Extension, Router,
 };
 
-use handlers::ssh_authorized_keys::{
+use handlers::{openid_providers::list_openid_providers, ssh_authorized_keys::{
     add_authentication_key, delete_authentication_key, fetch_authentication_keys,
-};
+}};
 use handlers::{
     group::{bulk_assign_to_groups, list_groups_info},
     ssh_authorized_keys::rename_authentication_key,
@@ -276,7 +276,8 @@ pub fn build_webapp(
             // ldap
             .route("/ldap/test", get(test_ldap_settings))
             // OIDC login
-            .route("/oidc/callback", get(auth_callback)),
+            .route("/openid/callback", get(auth_callback))
+            .route("/openid/provider", get(list_openid_providers)),
     );
 
     #[cfg(feature = "openid")]
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
index a5676d6ba2..08f644635e 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -1,5 +1,5 @@
 import { zodResolver } from '@hookform/resolvers/zod';
-import { useMutation, useQueryClient } from '@tanstack/react-query';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { useMemo, useRef } from 'react';
 import { SubmitHandler, useForm } from 'react-hook-form';
 import { z } from 'zod';
@@ -15,11 +15,8 @@ import {
 import useApi from '../../../../../shared/hooks/useApi';
 import { useToaster } from '../../../../../shared/hooks/useToaster';
 import { QueryKeys } from '../../../../../shared/queries';
-import { SettingsOpenId } from '../../../../../shared/types';
 import { useSettingsPage } from '../../../hooks/useSettingsPage';
 
-type FormFields = SettingsOpenId;
-
 export const OpenIdSettingsForm = () => {
   const { LL } = useI18nContext();
   const localLL = LL.settingsPage.openIdSettings;
@@ -31,12 +28,24 @@ export const OpenIdSettingsForm = () => {
 
   const queryClient = useQueryClient();
 
+  const {
+    settings: { fetchOpenIdProviders },
+  } = useApi();
+  const { data: providers, isLoading } = useQuery({
+    queryFn: fetchOpenIdProviders,
+    queryKey: [QueryKeys.FETCH_OPENID_PROVIDERS],
+    refetchOnMount: true,
+    refetchOnWindowFocus: false,
+  });
+
+  console.log('providers:', providers);
+
   const toaster = useToaster();
 
-  const { isLoading, mutate } = useMutation({
+  const { isSaving, mutate } = useMutation({
     mutationFn: patchSettings,
     onSuccess: () => {
-      queryClient.invalidateQueries([QueryKeys.FETCH_SETTINGS]);
+      queryClient.invalidateQueries([QueryKeys.FETCH_OPENID_PROVIDERS]);
       toaster.success(LL.settingsPage.messages.editSuccess());
     },
   });
@@ -53,25 +62,25 @@ export const OpenIdSettingsForm = () => {
     [LL.form.error],
   );
 
-  const defaultValues = useMemo(
-    (): FormFields => ({
-      name: settings?.name ?? '',
-      document_url: settings?.document_url ?? '',
-    }),
-    [settings],
-  );
+  // const defaultValues = useMemo(
+  //   (): FormFields => ({
+  //     name: settings?.name ?? '',
+  //     document_url: settings?.document_url ?? '',
+  //   }),
+  //   [settings],
+  // );
 
-  const { handleSubmit, control } = useForm<FormFields>({
-    resolver: zodResolver(schema),
-    defaultValues,
-    mode: 'all',
-  });
+  // const { handleSubmit, control } = useForm<FormFields>({
+  //   resolver: zodResolver(schema),
+  //   defaultValues,
+  //   mode: 'all',
+  // });
 
-  const handleValidSubmit: SubmitHandler<FormFields> = (data) => {
-    mutate(data);
-  };
+  // const handleValidSubmit: SubmitHandler<FormFields> = (data) => {
+  //   mutate(data);
+  // };
   return (
-    <section id="oenid-settings">
+    <section id="openid-settings">
       <header>
         <h2>{localLL.title()}</h2>
         <Button
@@ -84,17 +93,17 @@ export const OpenIdSettingsForm = () => {
           onClick={() => submitRef.current?.click()}
         />
       </header>
-      <form id="openid-settings-form" onSubmit={handleSubmit(handleValidSubmit)}>
-        <FormInput
-          controller={{ control, name: 'name' }}
-          label={localLL.form.labels.name()}
-        />
-        <FormInput
-          controller={{ control, name: 'document_url' }}
-          label={localLL.form.labels.documentUrl()}
-        />
-        <input type="submit" aria-hidden="true" className="hidden" ref={submitRef} />
-      </form>
+      {/* <form id="openid-settings-form" onSubmit={handleSubmit(handleValidSubmit)}> */}
+      {/*   <FormInput */}
+      {/*     controller={{ control, name: 'name' }} */}
+      {/*     label={localLL.form.labels.name()} */}
+      {/*   /> */}
+      {/*   <FormInput */}
+      {/*     controller={{ control, name: 'document_url' }} */}
+      {/*     label={localLL.form.labels.documentUrl()} */}
+      {/*   /> */}
+      {/*   <input type="submit" aria-hidden="true" className="hidden" ref={submitRef} /> */}
+      {/* </form> */}
     </section>
   );
 };
diff --git a/web/src/shared/hooks/useApi.tsx b/web/src/shared/hooks/useApi.tsx
index 6eef585b0b..37cd0774a2 100644
--- a/web/src/shared/hooks/useApi.tsx
+++ b/web/src/shared/hooks/useApi.tsx
@@ -23,6 +23,7 @@ import {
   NetworkToken,
   NetworkUserStats,
   OpenidClient,
+  OpenIdProvider,
   RemoveUserClientRequest,
   ResetPasswordRequest,
   Settings,
@@ -435,6 +436,9 @@ const useApi = (props?: HookProps): ApiHook => {
   const addUsersToGroups: ApiHook['groups']['addUsersToGroups'] = (data) =>
     client.post('/groups-assign', data).then(unpackRequest);
 
+  const fetchOpenIdProviders: ApiHook['settings']['fetchOpenIdProviders'] = async () =>
+    client.get<OpenIdProvider[]>(`/openid/provider`).then((res) => res.data);
+
   useEffect(() => {
     client.interceptors.response.use(
       (res) => {
@@ -592,6 +596,7 @@ const useApi = (props?: HookProps): ApiHook => {
       patchSettings,
       getEssentialSettings,
       testLdapSettings,
+      fetchOpenIdProviders,
     },
     support: {
       downloadSupportData,
diff --git a/web/src/shared/queries.ts b/web/src/shared/queries.ts
index 5ea8b8e69b..a977d62ec6 100644
--- a/web/src/shared/queries.ts
+++ b/web/src/shared/queries.ts
@@ -26,4 +26,5 @@ export const QueryKeys = {
   FETCH_SUPPORT_DATA: 'FETCH_SUPPORT_DATA',
   FETCH_LOGS: 'FETCH_LOGS',
   FETCH_AUTHENTICATION_KEYS_INFO: 'FETCH_AUTHENTICATION_KEYS_INFO',
+  FETCH_OPENID_PROVIDERS: 'FETCH_OPENID_PROVIDERS',
 };
diff --git a/web/src/shared/types.ts b/web/src/shared/types.ts
index 5971eaff17..8cf2ffa2ee 100644
--- a/web/src/shared/types.ts
+++ b/web/src/shared/types.ts
@@ -563,6 +563,7 @@ export interface ApiHook {
     patchSettings: (data: Partial<Settings>) => EmptyApiResponse;
     getEssentialSettings: () => Promise<SettingsEssentials>;
     testLdapSettings: () => Promise<EmptyApiResponse>;
+    fetchOpenIdProviders: () => Promise<OpenIdProvider[]>;
   };
   support: {
     downloadSupportData: () => Promise<unknown>;
@@ -776,8 +777,7 @@ export type Settings = SettingsModules &
   SettingsSMTP &
   SettingsEnrollment &
   SettingsBranding &
-  SettingsLDAP &
-  SettingsOpenId;
+  SettingsLDAP;
 
 // essentials for core frontend, includes only those that are required for frontend operations
 export type SettingsEssentials = SettingsModules & SettingsBranding;
@@ -826,12 +826,6 @@ export type SettingsLDAP = {
   ldap_username_attr: string;
 };
 
-export type SettingsOpenId = {
-  // TODO(jck): array
-  name?: string;
-  document_url?: string;
-};
-
 export type SettingsWeb3 = {
   challenge_template: string;
 };
@@ -858,6 +852,12 @@ export interface OpenidClient {
   enabled: boolean;
 }
 
+export interface OpenIdProvider {
+  id: string;
+  name: string;
+  document_url: string;
+}
+
 export interface EditOpenidClientRequest {
   id: string;
   name: string;

From e386c5ec07a046f6d4e4d86964ff73392f7dbbec Mon Sep 17 00:00:00 2001
From: Jacek Chmielewski <jchmielewski@teonite.com>
Date: Thu, 13 Jun 2024 18:44:47 +0200
Subject: [PATCH 07/73] wip: display providers

---
 src/db/models/openid_provider.rs              |   1 +
 .../components/OpenIdSettingsForm.tsx         |  67 ++++----
 .../components/ProviderDetails.tsx            | 160 ++++++++++++++++++
 3 files changed, 194 insertions(+), 34 deletions(-)
 create mode 100644 web/src/pages/settings/components/OpenIdSettings/components/ProviderDetails.tsx

diff --git a/src/db/models/openid_provider.rs b/src/db/models/openid_provider.rs
index fef5fd1136..cd6564125b 100644
--- a/src/db/models/openid_provider.rs
+++ b/src/db/models/openid_provider.rs
@@ -5,6 +5,7 @@ use model_derive::Model;
 pub struct OpenIdProvider {
     pub id: Option<i64>,
     pub name: String,
+    pub document_url: String,
     // pub client_id: String, // unique
     // // TODO(jck): maybe remove since we get the id_token in the first reponse?
     // pub client_secret: String,
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
index 08f644635e..df66454cfd 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -1,32 +1,34 @@
-import { zodResolver } from '@hookform/resolvers/zod';
-import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { useMemo, useRef } from 'react';
-import { SubmitHandler, useForm } from 'react-hook-form';
-import { z } from 'zod';
+// import { zodResolver } from '@hookform/resolvers/zod';
+// import { useMemo, useRef } from 'react';
+// import { SubmitHandler, useForm } from 'react-hook-form';
+// import { z } from 'zod';
+
+import { useQuery } from '@tanstack/react-query';
 
 import { useI18nContext } from '../../../../../i18n/i18n-react';
 import IconCheckmarkWhite from '../../../../../shared/components/svg/IconCheckmarkWhite';
-import { FormInput } from '../../../../../shared/defguard-ui/components/Form/FormInput/FormInput';
+// import { FormInput } from '../../../../../shared/defguard-ui/components/Form/FormInput/FormInput';
 import { Button } from '../../../../../shared/defguard-ui/components/Layout/Button/Button';
 import {
   ButtonSize,
   ButtonStyleVariant,
 } from '../../../../../shared/defguard-ui/components/Layout/Button/types';
 import useApi from '../../../../../shared/hooks/useApi';
-import { useToaster } from '../../../../../shared/hooks/useToaster';
+// import { useToaster } from '../../../../../shared/hooks/useToaster';
 import { QueryKeys } from '../../../../../shared/queries';
-import { useSettingsPage } from '../../../hooks/useSettingsPage';
+// import { useSettingsPage } from '../../../hooks/useSettingsPage';
+import { ProviderDetails } from './ProviderDetails';
 
 export const OpenIdSettingsForm = () => {
   const { LL } = useI18nContext();
   const localLL = LL.settingsPage.openIdSettings;
-  const submitRef = useRef<HTMLInputElement | null>(null);
-  const settings = useSettingsPage((state) => state.settings);
-  const {
-    settings: { patchSettings },
-  } = useApi();
+  // const submitRef = useRef<HTMLInputElement | null>(null);
+  // const settings = useSettingsPage((state) => state.settings);
+  // const {
+  //   settings: { patchSettings },
+  // } = useApi();
 
-  const queryClient = useQueryClient();
+  // const queryClient = useQueryClient();
 
   const {
     settings: { fetchOpenIdProviders },
@@ -40,27 +42,15 @@ export const OpenIdSettingsForm = () => {
 
   console.log('providers:', providers);
 
-  const toaster = useToaster();
+  // const toaster = useToaster();
 
-  const { isSaving, mutate } = useMutation({
-    mutationFn: patchSettings,
-    onSuccess: () => {
-      queryClient.invalidateQueries([QueryKeys.FETCH_OPENID_PROVIDERS]);
-      toaster.success(LL.settingsPage.messages.editSuccess());
-    },
-  });
-
-  const schema = useMemo(
-    () =>
-      z.object({
-        name: z.string().min(1, LL.form.error.required()),
-        document_url: z
-          .string()
-          .url(LL.form.error.invalid())
-          .min(1, LL.form.error.required()),
-      }),
-    [LL.form.error],
-  );
+  // const { isSaving, mutate } = useMutation({
+  //   mutationFn: patchSettings,
+  //   onSuccess: () => {
+  //     queryClient.invalidateQueries([QueryKeys.FETCH_OPENID_PROVIDERS]);
+  //     toaster.success(LL.settingsPage.messages.editSuccess());
+  //   },
+  // });
 
   // const defaultValues = useMemo(
   //   (): FormFields => ({
@@ -93,6 +83,15 @@ export const OpenIdSettingsForm = () => {
           onClick={() => submitRef.current?.click()}
         />
       </header>
+      <>
+        {providers && providers.length > 0 && (
+          <div className="devices">
+            {providers.map((provider) => (
+              <ProviderDetails key={provider.id} provider={provider} />
+            ))}
+          </div>
+        )}
+      </>
       {/* <form id="openid-settings-form" onSubmit={handleSubmit(handleValidSubmit)}> */}
       {/*   <FormInput */}
       {/*     controller={{ control, name: 'name' }} */}
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/ProviderDetails.tsx b/web/src/pages/settings/components/OpenIdSettings/components/ProviderDetails.tsx
new file mode 100644
index 0000000000..408f71d871
--- /dev/null
+++ b/web/src/pages/settings/components/OpenIdSettings/components/ProviderDetails.tsx
@@ -0,0 +1,160 @@
+// import './style.scss';
+
+// import classNames from 'classnames';
+// import dayjs from 'dayjs';
+// import utc from 'dayjs/plugin/utc';
+// import { TargetAndTransition } from 'framer-motion';
+// import { isUndefined, orderBy } from 'lodash-es';
+// import { useMemo, useState } from 'react';
+
+import { useI18nContext } from '../../../../../i18n/i18n-react';
+// import IconClip from '../../../../../shared/components/svg/IconClip';
+// import SvgIconCollapse from '../../../../../shared/components/svg/IconCollapse';
+// import SvgIconExpand from '../../../../../shared/components/svg/IconExpand';
+// import { ColorsRGB } from '../../../../../shared/constants';
+// import { Badge } from '../../../../../shared/defguard-ui/components/Layout/Badge/Badge';
+import { Card } from '../../../../../shared/defguard-ui/components/Layout/Card/Card';
+// import { DeviceAvatar } from '../../../../../shared/defguard-ui/components/Layout/DeviceAvatar/DeviceAvatar';
+// import { EditButton } from '../../../../../shared/defguard-ui/components/Layout/EditButton/EditButton';
+// import { EditButtonOption } from '../../../../../shared/defguard-ui/components/Layout/EditButton/EditButtonOption';
+// import { EditButtonOptionStyleVariant } from '../../../../../shared/defguard-ui/components/Layout/EditButton/types';
+import { Label } from '../../../../../shared/defguard-ui/components/Layout/Label/Label';
+// import { NoData } from '../../../../../shared/defguard-ui/components/Layout/NoData/NoData';
+// import { useUserProfileStore } from '../../../../../shared/hooks/store/useUserProfileStore';
+import { OpenIdProvider } from '../../../../../shared/types';
+// import { sortByDate } from '../../../../../shared/utils/sortByDate';
+// import { useDeleteDeviceModal } from '../hooks/useDeleteDeviceModal';
+// import { useDeviceConfigModal } from '../hooks/useDeviceConfigModal';
+// import { useEditDeviceModal } from '../hooks/useEditDeviceModal';
+
+// dayjs.extend(utc);
+
+// const dateFormat = 'DD.MM.YYYY | HH:mm';
+
+// const formatDate = (date: string): string => {
+//   return dayjs.utc(date).format(dateFormat);
+// };
+
+interface Props {
+  provider: OpenIdProvider;
+}
+
+export const ProviderDetails = ({ provider }: Props) => {
+  // const [hovered, setHovered] = useState(false);
+  const { LL } = useI18nContext();
+  // const setDeleteDeviceModal = useDeleteDeviceModal((state) => state.setState);
+  // const setEditDeviceModal = useEditDeviceModal((state) => state.setState);
+  // const openDeviceConfigModal = useDeviceConfigModal((state) => state.open);
+
+  // const schema = useMemo(
+  //   () =>
+  //     z.object({
+  //       name: z.string().min(1, LL.form.error.required()),
+  //       document_url: z
+  //         .string()
+  //         .url(LL.form.error.invalid())
+  //         .min(1, LL.form.error.required()),
+  //     }),
+  //   [LL.form.error],
+  // );
+
+  // const getContainerAnimate = useMemo((): TargetAndTransition => {
+  //   const res: TargetAndTransition = {
+  //     borderColor: ColorsRGB.White,
+  //   };
+  //   if (expanded || hovered) {
+  //     res.borderColor = ColorsRGB.GrayBorder;
+  //   }
+  //   return res;
+  // }, [expanded, hovered]);
+
+  // // first, order by last_connected_at then if not preset, by network_id
+  // const orderedLocations = useMemo((): DeviceNetworkInfo[] => {
+  //   const connected = device.networks.filter(
+  //     (network) => !isUndefined(network.last_connected_at),
+  //   );
+
+  //   const neverConnected = device.networks.filter((network) =>
+  //     isUndefined(network.last_connected_at),
+  //   );
+
+  //   const connectedSorted = sortByDate(
+  //     connected,
+  //     (n) => n.last_connected_at as string,
+  //     true,
+  //   );
+  //   const neverConnectedSorted = orderBy(neverConnected, ['network_id'], ['desc']);
+
+  //   return [...connectedSorted, ...neverConnectedSorted];
+  // }, [device.networks]);
+
+  // const latestLocation = orderedLocations.length ? orderedLocations[0] : undefined;
+
+  // if (!user) return null;
+
+  return (
+    <Card
+      // className={cn}
+      initial={false}
+      // animate={getContainerAnimate}
+      // onMouseOver={() => setHovered(true)}
+      // onMouseOut={() => setHovered(false)}
+    >
+      <section className="main-info">
+        <header>
+          <h3 data-testid="provider-name">{provider.name}</h3>
+        </header>
+        <div className="section-content">
+          <div>
+            <Label>{LL.settingsPage.openIdSettings.form.labels.documentUrl()}</Label>
+            <p data-testid="device-last-connected-from">{provider.document_url}</p>
+          </div>
+        </div>
+      </section>
+      <div className="card-controls">
+        {/* <EditButton visible={true}> */}
+        {/*   <EditButtonOption */}
+        {/*     text={LL.userPage.devices.card.edit.edit()} */}
+        {/*     onClick={() => { */}
+        {/*       setEditDeviceModal({ */}
+        {/*         visible: true, */}
+        {/*         device: device, */}
+        {/*       }); */}
+        {/*     }} */}
+        {/*   /> */}
+        {/*   <EditButtonOption */}
+        {/*     styleVariant={EditButtonOptionStyleVariant.STANDARD} */}
+        {/*     text={LL.userPage.devices.card.edit.showConfigurations()} */}
+        {/*     disabled={!device.networks?.length} */}
+        {/*     onClick={() => { */}
+        {/*       openDeviceConfigModal({ */}
+        {/*         deviceName: device.name, */}
+        {/*         publicKey: device.wireguard_pubkey, */}
+        {/*         deviceId: device.id, */}
+        {/*         userId: user.user.id, */}
+        {/*         networks: device.networks.map((n) => ({ */}
+        {/*           networkId: n.network_id, */}
+        {/*           networkName: n.network_name, */}
+        {/*         })), */}
+        {/*       }); */}
+        {/*     }} */}
+        {/*   /> */}
+        {/*   <EditButtonOption */}
+        {/*     styleVariant={EditButtonOptionStyleVariant.WARNING} */}
+        {/*     text={LL.userPage.devices.card.edit.delete()} */}
+        {/*     onClick={() => */}
+        {/*       setDeleteDeviceModal({ */}
+        {/*         visible: true, */}
+        {/*         device: device, */}
+        {/*       }) */}
+        {/*     } */}
+        {/*   /> */}
+        {/* </EditButton> */}
+        {/* <ExpandButton */}
+        {/*   expanded={expanded} */}
+        {/*   onClick={() => setExpanded((state) => !state)} */}
+        {/* /> */}
+      </div>
+    </Card>
+  );
+};

From 619f764bfafbb14edfdda46bd916b57bcd8c9574 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 10 Jul 2024 17:40:28 +0200
Subject: [PATCH 08/73] rudimentary openid flow

---
 LICENSE                                       |   2 +
 .../20240603091113_openid_provider.up.sql     |  10 +-
 .../20240710095931_add_openid_login.down.sql  |   1 +
 .../20240710095931_add_openid_login.up.sql    |   1 +
 ...20240710100027_make_emails_unique.down.sql |   1 +
 .../20240710100027_make_emails_unique.up.sql  |   2 +
 src/db/models/group.rs                        |   2 +-
 src/db/models/mod.rs                          |   4 +-
 src/db/models/openid_provider.rs              |  25 --
 src/db/models/user.rs                         |  13 +-
 src/enterprise/LICENSE                        |   1 +
 src/enterprise/db/mod.rs                      |   1 +
 src/enterprise/db/models/mod.rs               |   1 +
 src/enterprise/db/models/openid_provider.rs   |  78 ++++
 src/enterprise/handlers/mod.rs                |   2 +
 src/enterprise/handlers/openid_login.rs       | 379 ++++++++++++++++++
 src/enterprise/handlers/openid_providers.rs   | 137 +++++++
 src/enterprise/mod.rs                         |   2 +
 src/grpc/enrollment.rs                        |   2 +-
 src/handlers/auth.rs                          |  41 +-
 src/handlers/group.rs                         |   2 +-
 src/handlers/mod.rs                           |   4 +-
 src/handlers/openid_login.rs                  | 116 ------
 src/handlers/openid_providers.rs              |  38 --
 src/lib.rs                                    |  15 +-
 web/src/i18n/en/index.ts                      |   4 +-
 web/src/i18n/i18n-types.ts                    |  24 +-
 web/src/i18n/pl/index.ts                      |   4 +-
 web/src/pages/auth/Login/Login.tsx            |  29 +-
 .../components/OpenIdSettingsForm.tsx         | 228 ++++++++---
 .../components/ProviderDetails.tsx            | 158 +++++---
 .../pages/users/UserProfile/UserProfile.tsx   |   5 +-
 web/src/shared/hooks/useApi.tsx               |  13 +
 web/src/shared/types.ts                       |  17 +-
 34 files changed, 1033 insertions(+), 329 deletions(-)
 create mode 100644 migrations/20240710095931_add_openid_login.down.sql
 create mode 100644 migrations/20240710095931_add_openid_login.up.sql
 create mode 100644 migrations/20240710100027_make_emails_unique.down.sql
 create mode 100644 migrations/20240710100027_make_emails_unique.up.sql
 delete mode 100644 src/db/models/openid_provider.rs
 create mode 100644 src/enterprise/LICENSE
 create mode 100644 src/enterprise/db/mod.rs
 create mode 100644 src/enterprise/db/models/mod.rs
 create mode 100644 src/enterprise/db/models/openid_provider.rs
 create mode 100644 src/enterprise/handlers/mod.rs
 create mode 100644 src/enterprise/handlers/openid_login.rs
 create mode 100644 src/enterprise/handlers/openid_providers.rs
 create mode 100644 src/enterprise/mod.rs
 delete mode 100644 src/handlers/openid_login.rs
 delete mode 100644 src/handlers/openid_providers.rs

diff --git a/LICENSE b/LICENSE
index 8ddd140946..ec3d63af4f 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,5 +1,7 @@
 Copyright 2023 teonite ventures sp. z o.o. (teonite)
 
+Note: The following license applies to the entire repository except for the "enterprise" directory.
+
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
diff --git a/migrations/20240603091113_openid_provider.up.sql b/migrations/20240603091113_openid_provider.up.sql
index d325085382..8e47ecf749 100644
--- a/migrations/20240603091113_openid_provider.up.sql
+++ b/migrations/20240603091113_openid_provider.up.sql
@@ -1,6 +1,12 @@
 CREATE TABLE openidprovider (
     id bigserial PRIMARY KEY,
     "name" text NOT NULL,
-    "document_url" text NOT NULL,
-    CONSTRAINT openidprovider_name_unique UNIQUE ("name")
+    -- "document_url" text NOT NULL,
+    "provider_url" text NOT NULL,
+    "client_id" text NOT NULL,
+    "client_secret" text NOT NULL,
+    "enabled" boolean NOT NULL DEFAULT FALSE,
+    CONSTRAINT openidprovider_name_unique UNIQUE ("name"),
+    CONSTRAINT openidprovider_client_id_unique UNIQUE ("client_id"),
+    CONSTRAINT openidprovider_client_secret_unique UNIQUE ("client_secret")
 );
diff --git a/migrations/20240710095931_add_openid_login.down.sql b/migrations/20240710095931_add_openid_login.down.sql
new file mode 100644
index 0000000000..d216b19dd0
--- /dev/null
+++ b/migrations/20240710095931_add_openid_login.down.sql
@@ -0,0 +1 @@
+ALTER TABLE "user" DROP COLUMN openid_login;
diff --git a/migrations/20240710095931_add_openid_login.up.sql b/migrations/20240710095931_add_openid_login.up.sql
new file mode 100644
index 0000000000..07f397654d
--- /dev/null
+++ b/migrations/20240710095931_add_openid_login.up.sql
@@ -0,0 +1 @@
+ALTER TABLE "user" ADD COLUMN openid_login boolean NOT NULL DEFAULT false;
diff --git a/migrations/20240710100027_make_emails_unique.down.sql b/migrations/20240710100027_make_emails_unique.down.sql
new file mode 100644
index 0000000000..91a5a0a715
--- /dev/null
+++ b/migrations/20240710100027_make_emails_unique.down.sql
@@ -0,0 +1 @@
+ALTER TABLE "user" DROP CONSTRAINT "user_email_key";
diff --git a/migrations/20240710100027_make_emails_unique.up.sql b/migrations/20240710100027_make_emails_unique.up.sql
new file mode 100644
index 0000000000..4c341861c6
--- /dev/null
+++ b/migrations/20240710100027_make_emails_unique.up.sql
@@ -0,0 +1,2 @@
+-- TODO(aleksander): Drop duplicate emails before adding the constraint.
+ALTER TABLE "user" ADD CONSTRAINT "user_email_key" UNIQUE (email);
diff --git a/src/db/models/group.rs b/src/db/models/group.rs
index 73f4476188..f5b5ea3ef2 100644
--- a/src/db/models/group.rs
+++ b/src/db/models/group.rs
@@ -60,7 +60,7 @@ impl Group {
                 User,
                 "SELECT \"user\".id \"id?\", username, password_hash, last_name, first_name, email, \
                 phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, \
-                mfa_method \"mfa_method: _\", recovery_codes, is_active \
+                mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
                 FROM \"user\" \
                 JOIN group_user ON \"user\".id = group_user.user_id \
                 WHERE group_user.group_id = $1",
diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs
index b79c6138f4..246bb2f4da 100644
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -12,8 +12,6 @@ pub mod oauth2authorizedapp;
 pub mod oauth2client;
 #[cfg(feature = "openid")]
 pub mod oauth2token;
-// TODO(jck): enterprise-only enabled
-pub mod openid_provider;
 pub mod session;
 pub mod settings;
 pub mod user;
@@ -100,7 +98,7 @@ impl UserInfo {
             mfa_method: user.mfa_method.clone(),
             authorized_apps,
             is_active: user.is_active,
-            enrolled: user.has_password(),
+            enrolled: user.has_password() || user.openid_login,
         })
     }
 
diff --git a/src/db/models/openid_provider.rs b/src/db/models/openid_provider.rs
deleted file mode 100644
index cd6564125b..0000000000
--- a/src/db/models/openid_provider.rs
+++ /dev/null
@@ -1,25 +0,0 @@
-use model_derive::Model;
-
-// TODO(jck): maybe rename OpenIdProvider
-#[derive(Deserialize, Model, Serialize)]
-pub struct OpenIdProvider {
-    pub id: Option<i64>,
-    pub name: String,
-    pub document_url: String,
-    // pub client_id: String, // unique
-    // // TODO(jck): maybe remove since we get the id_token in the first reponse?
-    // pub client_secret: String,
-    // pub auth_url: String,
-    // TODO(jck): provider image?
-
-    // // TODO(jck): do we need this?
-    // #[model(ref)]
-    // pub redirect_uri: Vec<String>,
-    // // TODO(jck): can we assume constant scope ahead of time?
-    // #[model(ref)]
-    // pub scope: Vec<String>,
-    // // TODO(jck): remove?
-    // // informational
-    // pub name: String,
-    // pub enabled: bool,
-}
diff --git a/src/db/models/user.rs b/src/db/models/user.rs
index 2ea623127a..68eabd80a1 100644
--- a/src/db/models/user.rs
+++ b/src/db/models/user.rs
@@ -74,6 +74,8 @@ pub struct User {
     pub phone: Option<String>,
     pub mfa_enabled: bool,
     pub is_active: bool,
+    /// Whether user logs in through an OpenID provider
+    pub openid_login: bool,
     // secret has been verified and TOTP can be used
     pub(crate) totp_enabled: bool,
     pub(crate) email_mfa_enabled: bool,
@@ -120,6 +122,7 @@ impl User {
             mfa_method: MFAMethod::None,
             recovery_codes: Vec::new(),
             is_active: true,
+            openid_login: false,
         }
     }
 
@@ -451,7 +454,7 @@ impl User {
     ) -> Result<Vec<UserDiagnostic>, SqlxError> {
         let users = query!(
             "SELECT id, mfa_enabled, totp_enabled, email_mfa_enabled, \
-                mfa_method as \"mfa_method: MFAMethod\", password_hash, is_active \
+                mfa_method as \"mfa_method: MFAMethod\", password_hash, is_active, openid_login \
             FROM \"user\""
         )
         .fetch_all(pool)
@@ -465,7 +468,7 @@ impl User {
                 mfa_enabled: u.mfa_enabled,
                 id: u.id,
                 is_active: u.is_active,
-                enrolled: u.password_hash.is_some(),
+                enrolled: u.password_hash.is_some() || u.openid_login,
             })
             .collect();
         Ok(res)
@@ -481,7 +484,7 @@ impl User {
             "SELECT \"user\".id \"id?\", username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, totp_secret, \
             email_mfa_enabled, email_mfa_secret, \
-            mfa_method \"mfa_method: _\", recovery_codes, is_active \
+            mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
             FROM \"user\"
             INNER JOIN \"group_user\" ON \"user\".id = \"group_user\".user_id
             INNER JOIN \"group\" ON \"group_user\".group_id = \"group\".id
@@ -572,7 +575,7 @@ impl User {
             Self,
             "SELECT id \"id?\", username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, email_mfa_enabled, \
-            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active \
+            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
             FROM \"user\" WHERE username = $1",
             username
         )
@@ -588,7 +591,7 @@ impl User {
             Self,
             "SELECT id \"id?\", username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, email_mfa_enabled, \
-            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active \
+            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
             FROM \"user\" WHERE email = $1",
             email
         )
diff --git a/src/enterprise/LICENSE b/src/enterprise/LICENSE
new file mode 100644
index 0000000000..0ba4000c5c
--- /dev/null
+++ b/src/enterprise/LICENSE
@@ -0,0 +1 @@
+Files in this directory ("enterprise") are not under the default repository license. Contact sales<at>defguard.net for further information.
\ No newline at end of file
diff --git a/src/enterprise/db/mod.rs b/src/enterprise/db/mod.rs
new file mode 100644
index 0000000000..c446ac8833
--- /dev/null
+++ b/src/enterprise/db/mod.rs
@@ -0,0 +1 @@
+pub mod models;
diff --git a/src/enterprise/db/models/mod.rs b/src/enterprise/db/models/mod.rs
new file mode 100644
index 0000000000..972680e374
--- /dev/null
+++ b/src/enterprise/db/models/mod.rs
@@ -0,0 +1 @@
+pub mod openid_provider;
diff --git a/src/enterprise/db/models/openid_provider.rs b/src/enterprise/db/models/openid_provider.rs
new file mode 100644
index 0000000000..5a5ee00533
--- /dev/null
+++ b/src/enterprise/db/models/openid_provider.rs
@@ -0,0 +1,78 @@
+use model_derive::Model;
+use sqlx::{query, query_as, Error as SqlxError};
+
+use crate::db::DbPool;
+
+// TODO(jck): maybe rename OpenIdProvider
+#[derive(Deserialize, Model, Serialize)]
+pub struct OpenIdProvider {
+    pub id: Option<i64>,
+    pub name: String,
+    pub provider_url: String,
+    pub client_id: String,
+    pub client_secret: String,
+    pub enabled: bool,
+    // pub client_id: String, // unique
+    // // TODO(jck): maybe remove since we get the id_token in the first reponse?
+    // pub client_secret: String,
+    // pub auth_url: String,
+    // TODO(jck): provider image?
+
+    // // TODO(jck): do we need this?
+    // #[model(ref)]
+    // pub redirect_uri: Vec<String>,
+    // // TODO(jck): can we assume constant scope ahead of time?
+    // #[model(ref)]
+    // pub scope: Vec<String>,
+    // // TODO(jck): remove?
+    // // informational
+    // pub name: String,
+    // pub enabled: bool,
+}
+
+impl OpenIdProvider {
+    #[must_use]
+    pub fn new<S: Into<String>>(name: S, provider_url: S, client_id: S, client_secret: S) -> Self {
+        Self {
+            id: None,
+            name: name.into(),
+            provider_url: provider_url.into(),
+            client_id: client_id.into(),
+            client_secret: client_secret.into(),
+            enabled: false,
+        }
+    }
+
+    pub async fn find_by_name(pool: &DbPool, name: &str) -> Result<Option<Self>, SqlxError> {
+        query_as!(
+            OpenIdProvider,
+            "SELECT id \"id?\", name, provider_url, client_id, client_secret, enabled FROM openidprovider WHERE name = $1",
+            name
+        )
+        .fetch_optional(pool)
+        .await
+    }
+
+    pub async fn exists(pool: &DbPool, provider: &OpenIdProvider) -> Result<bool, SqlxError> {
+        query!(
+            "SELECT EXISTS(SELECT 1 FROM openidprovider WHERE name = $1 OR client_id = $2 OR client_secret = $3)",
+            provider.name,
+            provider.client_id,
+            provider.client_secret
+        )
+        .fetch_one(pool)
+        .await?
+        .exists
+        .ok_or_else(|| SqlxError::RowNotFound)
+    }
+
+    // TODO(aleksander): there may be more than one active provider
+    pub async fn get_enabled(pool: &DbPool) -> Result<Self, SqlxError> {
+        query_as!(
+            OpenIdProvider,
+            "SELECT id \"id?\", name, provider_url, client_id, client_secret, enabled FROM openidprovider WHERE enabled = true limit 1"
+        )
+        .fetch_one(pool)
+        .await
+    }
+}
diff --git a/src/enterprise/handlers/mod.rs b/src/enterprise/handlers/mod.rs
new file mode 100644
index 0000000000..0ffbdd9e5f
--- /dev/null
+++ b/src/enterprise/handlers/mod.rs
@@ -0,0 +1,2 @@
+pub mod openid_login;
+pub mod openid_providers;
diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
new file mode 100644
index 0000000000..2636168f90
--- /dev/null
+++ b/src/enterprise/handlers/openid_login.rs
@@ -0,0 +1,379 @@
+// use std::str::FromStr;
+
+// use crate::{error::WebError, AppState};
+// use axum::extract::{Query, State};
+// use openidconnect::{
+//     core::{CoreClient, CoreIdTokenVerifier, CoreProviderMetadata},
+//     reqwest::async_http_client,
+//     AdditionalClaims, AuthUrl, ClientId, GenderClaim, IdToken, IdTokenVerifier, IssuerUrl,
+//     JsonWebKeySet, JsonWebKeyType, JweContentEncryptionAlgorithm, JwsSigningAlgorithm, Nonce,
+//     NonceVerifier,
+// };
+
+// // /// Authorization Endpoint
+// // /// See https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
+// // pub async fn authorization(
+// //     State(appstate): State<AppState>,
+// //     Query(data): Query<AuthenticationRequest>,
+// //     cookies: CookieJar,
+// //     private_cookies: PrivateCookieJar,
+// // ) -> Result<(StatusCode, HeaderMap, PrivateCookieJar), WebError> {
+
+// //     Ok()
+// // }
+
+// /// Authentication response callback
+// /// See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+// #[derive(Deserialize, Serialize, Debug)]
+// pub struct AuthenticationResponse {
+//     // id_token: String,
+//     code: String,
+// }
+
+// struct Verifier;
+
+// impl NonceVerifier for Verifier {
+//     fn verify(self, nonce: Option<&openidconnect::Nonce>) -> Result<(), String> {
+//         Ok(())
+//     }
+// }
+
+// pub async fn auth_callback(
+//     State(state): State<AppState>,
+//     Query(response): Query<AuthenticationResponse>,
+// ) -> Result<(), WebError> {
+//     // TODO(jck): log all useful stuff
+//     debug!("OIDC login callback got response: {response:?}");
+//     let code = response.code.clone();
+
+//     info!("OIDC login callback got code: {code:?}");
+//     // let token = IdToken::<
+//     //     openidconnect::EmptyAdditionalClaims,
+//     //     openidconnect::core::CoreGenderClaim,
+//     //     openidconnect::core::CoreJweContentEncryptionAlgorithm,
+//     //     openidconnect::core::CoreJwsSigningAlgorithm,
+//     //     _,
+//     // >::from_str(&response.code);
+//     // debug!("Decoded token: {token:?}");
+//     // if let Ok(token) = token {
+//     //     // TOOD(jck): create user based on user info
+//     //     // TOOD(jck): log user in
+//     //     // token.claims(verifier, nonce_verifier);
+//     //     // let provider_metadata = CoreProviderMetadata::discover(
+//     //     //     &IssuerUrl::new("https://accounts.example.com".to_string())?,
+//     //     //     http_client,
+//     //     // )?;
+
+//     //     // let client_id = ClientId::new("f2cef8b3-5b09-4c3f-988b-51fc3c42ecbc".to_string());
+//     //     // let client_secret = None;
+//     //     // let issuer_url = IssuerUrl::new(
+//     //     //     "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/v2.0"
+//     //     //         .to_string(),
+//     //     // )
+//     //     // .unwrap();
+//     //     // let auth_url = AuthUrl::new(
+//     //     //     "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/oauth2/v2.0/authorize".to_string()
+//     //     // ).unwrap();
+//     //     // let token_url = None;
+//     //     // let userinfo_url = None;
+//     //     // let jwks = JsonWebKeySet::default();
+//     //     // let client = CoreClient::new(
+//     //     //     client_id,
+//     //     //     client_secret,
+//     //     //     issuer_url,
+//     //     //     auth_url,
+//     //     //     token_url,
+//     //     //     userinfo_url,
+//     //     //     jwks,
+//     //     // );
+//     //     // let claims = token.claims(&client.id_token_verifier(), Verifier);
+//     //     // info!("### Decoded claims: {claims:#?}");
+//     //     // let name = claims.name().unwrap();
+//     //     // let family_name = claims.family_name().unwrap();
+//     //     // let given_name = claims.given_name().unwrap();
+//     //     // let email = claims.email().unwrap();
+//     //     // info!("### name: {name:?}, family_name: {family_name:?}, given_name: {given_name:?}, email: {email:?}");
+//     //     let provider_metadata = CoreProviderMetadata::discover_async(
+//     //         IssuerUrl::new(
+//     //             // "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/v2.0"
+//     //             "https://accounts.google.com/o/oauth2/v2/auth".to_string(),
+//     //         )
+//     //         .unwrap(),
+//     //         async_http_client,
+//     //     )
+//     //     .await
+//     //     .unwrap();
+
+//     //     let client = CoreClient::from_provider_metadata(provider_metadata, client_id, None);
+//     //     let claims = token
+//     //         .claims(&client.id_token_verifier(), &Nonce::new("ala".to_string()))
+//     //         .unwrap();
+//     //     info!("Decoded claims: {claims:#?}");
+//     //     // // Set the URL the user will be redirected to after the authorization process.
+//     //     // .set_redirect_uri(RedirectUrl::new("http://localhost:3000/api/v1/oidc/callback".to_string())?);
+//     //     // TODO(jck): log all useful stuff
+//     //     info!("OIDC login succeeded for user");
+//     // } else {
+//     //     // TODO(jck): add context
+//     //     warn!("OIDC login failed");
+//     // }
+
+//     Ok(())
+// }
+
+use axum::http::header::LOCATION;
+use axum::http::{HeaderMap, HeaderValue, StatusCode};
+use axum::response::{IntoResponse, Redirect, Response};
+use axum_extra::extract::cookie::{Cookie, SameSite};
+use serde_json::json;
+use sqlx::PgPool;
+use std::collections::HashMap;
+use time::Duration;
+
+use axum::extract::{Query, State};
+use axum::Json;
+use axum_client_ip::{InsecureClientIp, LeftmostXForwardedFor};
+use axum_extra::extract::{CookieJar, PrivateCookieJar};
+use axum_extra::headers::UserAgent;
+use axum_extra::TypedHeader;
+use openidconnect::core::{
+    CoreAuthDisplay, CoreClaimName, CoreClaimType, CoreClient, CoreClientAuthMethod, CoreGrantType,
+    CoreIdTokenClaims, CoreIdTokenVerifier, CoreJsonWebKey, CoreJweContentEncryptionAlgorithm,
+    CoreJweKeyManagementAlgorithm, CoreResponseMode, CoreResponseType, CoreRevocableToken,
+    CoreSubjectIdentifierType,
+};
+use openidconnect::{
+    core::CoreProviderMetadata, reqwest::async_http_client, ClientId, ClientSecret, IssuerUrl,
+    ProviderMetadata, RedirectUrl, RevocationUrl,
+};
+use openidconnect::{AuthenticationFlow, AuthorizationCode, CsrfToken, LanguageTag, Nonce, Scope};
+
+use crate::appstate::AppState;
+use crate::db::{AppEvent, DbPool, Session, SessionState, User, UserInfo};
+use crate::enterprise::db::models::openid_provider::OpenIdProvider;
+use crate::error::WebError;
+use crate::handlers::{ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_COOKIE_NAME};
+use crate::headers::{check_new_device_login, get_user_agent_device, parse_user_agent};
+use crate::server_config;
+
+type ProvMeta = ProviderMetadata<
+    openidconnect::EmptyAdditionalProviderMetadata,
+    openidconnect::core::CoreAuthDisplay,
+    openidconnect::core::CoreClientAuthMethod,
+    openidconnect::core::CoreClaimName,
+    openidconnect::core::CoreClaimType,
+    openidconnect::core::CoreGrantType,
+    openidconnect::core::CoreJweContentEncryptionAlgorithm,
+    openidconnect::core::CoreJweKeyManagementAlgorithm,
+    openidconnect::core::CoreJwsSigningAlgorithm,
+    openidconnect::core::CoreJsonWebKeyType,
+    openidconnect::core::CoreJsonWebKeyUse,
+    openidconnect::core::CoreJsonWebKey,
+    openidconnect::core::CoreResponseMode,
+    openidconnect::core::CoreResponseType,
+    openidconnect::core::CoreSubjectIdentifierType,
+>;
+
+async fn get_provider_metadata(url: &str) -> Result<ProvMeta, WebError> {
+    let issuer_url = IssuerUrl::new(url.to_string()).unwrap();
+
+    let provider_metadata = CoreProviderMetadata::discover_async(issuer_url, async_http_client)
+        .await
+        .unwrap();
+
+    println!("{:?}", provider_metadata);
+
+    Ok(provider_metadata)
+}
+
+async fn make_oidc_client(pool: &DbPool) -> Result<CoreClient, WebError> {
+    let provider = OpenIdProvider::get_enabled(pool).await?;
+    let provider_metadata = get_provider_metadata(&provider.provider_url).await?;
+
+    let client_id = ClientId::new(provider.client_id);
+
+    let client_secret = ClientSecret::new(provider.client_secret);
+
+    let client =
+        CoreClient::from_provider_metadata(provider_metadata, client_id, Some(client_secret))
+            .set_redirect_uri(
+                RedirectUrl::new("http://localhost:3000/api/v1/openid/callback".to_string())
+                    .unwrap(),
+            );
+
+    Ok(client)
+}
+
+fn nonce_fn() -> Nonce {
+    Nonce::new("nonce".to_string())
+}
+
+fn csrf_fn() -> CsrfToken {
+    CsrfToken::new("csrf".to_string())
+}
+
+pub async fn make_auth_url(State(appstate): State<AppState>) -> Result<String, WebError> {
+    // TODO(aleksander): make sure that the user enables the oidc login first
+    let client = make_oidc_client(&appstate.pool).await?;
+
+    let (authorize_url, csrf_state, nonce) = client
+        .authorize_url(
+            AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
+            csrf_fn,
+            nonce_fn,
+        )
+        // This example is requesting access to the "calendar" features and the user's profile.
+        .add_scope(Scope::new("email".to_string()))
+        .add_scope(Scope::new("profile".to_string()))
+        .url();
+
+    info!("{:?}", authorize_url);
+    info!("{:?}", csrf_state);
+    info!("{:?}", nonce);
+
+    Ok(authorize_url.to_string())
+}
+
+/// Helper function to return redirection with status code 302.
+fn redirect_to<T: AsRef<str>>(uri: T, cookies: CookieJar) -> (StatusCode, HeaderMap, CookieJar) {
+    let mut headers = HeaderMap::new();
+    headers.insert(
+        LOCATION,
+        HeaderValue::try_from(uri.as_ref()).expect("URI isn't a valid header value"),
+    );
+
+    (StatusCode::FOUND, headers, cookies)
+}
+
+#[derive(Deserialize, Serialize, Debug)]
+pub struct AuthenticationResponse {
+    code: AuthorizationCode,
+    state: CsrfToken,
+}
+
+pub async fn auth_callback(
+    cookies: CookieJar,
+    user_agent: Option<TypedHeader<UserAgent>>,
+    forwarded_for_ip: Option<LeftmostXForwardedFor>,
+    InsecureClientIp(insecure_ip): InsecureClientIp,
+    Query(params): Query<AuthenticationResponse>,
+    State(appstate): State<AppState>,
+) -> Result<(StatusCode, HeaderMap, CookieJar), WebError> {
+    let client = make_oidc_client(&appstate.pool).await?;
+
+    let token = client
+        .exchange_code(params.code)
+        .request_async(async_http_client)
+        .await
+        .unwrap();
+
+    let nonce = Nonce::new("nonce".to_string());
+
+    let token_verifier = client.id_token_verifier();
+    let token_claims = token
+        .extra_fields()
+        .id_token()
+        .expect("Server did not return an ID token")
+        .claims(&token_verifier, &nonce)
+        .unwrap();
+    // println!("Google returned ID token: {:?}", token_claims);
+
+    let email = token_claims.email().unwrap();
+    let name = token_claims.name().unwrap();
+    // TODO: check whats up with localized claims
+    // println!("{:?}", token_claims);
+    let given_name = token_claims
+        .given_name()
+        .unwrap()
+        .clone()
+        .into_iter()
+        .next()
+        .unwrap()
+        .1;
+    let family_name = token_claims
+        .family_name()
+        .unwrap()
+        .clone()
+        .into_iter()
+        .next()
+        .unwrap()
+        .1;
+    println!("Email: {:?}", email);
+    println!("Name: {:?}", name);
+    println!("Given Name: {:?}", given_name);
+    println!("Family Name: {:?}", family_name);
+
+    let username = email.split('@').next().unwrap();
+
+    let user = match User::find_by_username(&appstate.pool, username).await {
+        Ok(Some(user)) => user,
+        Ok(None) => {
+            let mut user = User::new(
+                username.to_string(),
+                None,
+                family_name.to_string(),
+                given_name.to_string(),
+                email.to_string(),
+                // TODO: Add phone
+                None,
+            );
+            user.openid_login = true;
+            user.save(&appstate.pool).await?;
+            user
+        }
+        Err(e) => {
+            return Err(WebError::Authorization(e.to_string()));
+        }
+    };
+
+    let ip_address = forwarded_for_ip.map_or(insecure_ip, |v| v.0).to_string();
+    let user_agent_string = match user_agent {
+        Some(value) => value.to_string(),
+        None => String::new(),
+    };
+    let agent = parse_user_agent(&appstate.user_agent_parser, &user_agent_string);
+    let device_info = agent.clone().map(|v| get_user_agent_device(&v));
+
+    Session::delete_expired(&appstate.pool).await?;
+    let session = Session::new(
+        user.id.unwrap(),
+        SessionState::PasswordVerified,
+        ip_address.clone(),
+        device_info,
+    );
+    session.save(&appstate.pool).await?;
+
+    let max_age = Duration::seconds(server_config().auth_cookie_timeout.as_secs() as i64);
+    let config = server_config();
+    let auth_cookie = Cookie::build((SESSION_COOKIE_NAME, session.id.clone()))
+        .domain(
+            config
+                .cookie_domain
+                .clone()
+                .expect("Cookie domain not found"),
+        )
+        .path("/")
+        .http_only(true)
+        .secure(!config.cookie_insecure)
+        .same_site(SameSite::Lax)
+        .max_age(max_age);
+    let cookies = cookies.add(auth_cookie);
+
+    let login_event_type = "AUTHENTICATION".to_string();
+
+    let user_info = UserInfo::from_user(&appstate.pool, &user).await?;
+    appstate.trigger_action(AppEvent::UserCreated(user_info.clone()));
+
+    check_new_device_login(
+        &appstate.pool,
+        &appstate.mail_tx,
+        &session,
+        &user,
+        ip_address,
+        login_event_type,
+        agent,
+    )
+    .await?;
+
+    Ok(redirect_to("/", cookies))
+}
diff --git a/src/enterprise/handlers/openid_providers.rs b/src/enterprise/handlers/openid_providers.rs
new file mode 100644
index 0000000000..b72dff312a
--- /dev/null
+++ b/src/enterprise/handlers/openid_providers.rs
@@ -0,0 +1,137 @@
+use axum::{extract::State, http::StatusCode, Json};
+
+use crate::{
+    appstate::AppState,
+    auth::{AdminRole, SessionInfo},
+    enterprise::db::models::openid_provider::OpenIdProvider,
+    handlers::{ApiResponse, ApiResult},
+};
+
+use serde_json::json;
+
+#[derive(Debug, Deserialize)]
+pub struct AddProviderData {
+    name: String,
+    provider_url: String,
+    client_id: String,
+    client_secret: String,
+}
+
+pub async fn add_openid_provider(
+    _admin: AdminRole,
+    session: SessionInfo,
+    State(appstate): State<AppState>,
+    Json(provider_data): Json<AddProviderData>,
+) -> ApiResult {
+    let mut new_provider = OpenIdProvider::new(
+        provider_data.name,
+        provider_data.provider_url,
+        provider_data.client_id,
+        provider_data.client_secret,
+    );
+    // check if it already exists
+    if OpenIdProvider::exists(&appstate.pool, &new_provider).await? {
+        warn!(
+            "User {} failed to add OpenID client {}. Such client already exists.",
+            session.user.username, new_provider.name
+        );
+        return Ok(ApiResponse {
+            json: json!({}),
+            status: StatusCode::CONFLICT,
+        });
+    }
+
+    debug!(
+        "User {} adding OpenID provider {}",
+        session.user.username, new_provider.name
+    );
+    new_provider.save(&appstate.pool).await?;
+    info!(
+        "User {} added OpenID client {}",
+        session.user.username, new_provider.name
+    );
+    Ok(ApiResponse {
+        json: json!({}),
+        status: StatusCode::CREATED,
+    })
+}
+
+pub async fn delete_openid_provider(
+    _admin: AdminRole,
+    session: SessionInfo,
+    State(appstate): State<AppState>,
+    Json(provider_data): Json<AddProviderData>,
+) -> ApiResult {
+    debug!(
+        "User {} deleting OpenID provider {}",
+        session.user.username, provider_data.name
+    );
+    let provider = OpenIdProvider::find_by_name(&appstate.pool, &provider_data.name).await?;
+    if let Some(provider) = provider {
+        provider.delete(&appstate.pool).await?;
+        info!(
+            "User {} deleted OpenID client {}",
+            session.user.username, provider_data.name
+        );
+        Ok(ApiResponse {
+            json: json!({}),
+            status: StatusCode::OK,
+        })
+    } else {
+        warn!(
+            "User {} failed to delete OpenID client {}. Such client does not exist.",
+            session.user.username, provider_data.name
+        );
+        Ok(ApiResponse {
+            json: json!({}),
+            status: StatusCode::NOT_FOUND,
+        })
+    }
+}
+
+pub async fn modify_openid_provider(
+    _admin: AdminRole,
+    session: SessionInfo,
+    State(appstate): State<AppState>,
+    Json(provider_data): Json<AddProviderData>,
+) -> ApiResult {
+    debug!(
+        "User {} modifying OpenID provider {}",
+        session.user.username, provider_data.name
+    );
+    let provider = OpenIdProvider::find_by_name(&appstate.pool, &provider_data.name).await?;
+    if let Some(mut provider) = provider {
+        provider.provider_url = provider_data.provider_url;
+        provider.client_id = provider_data.client_id;
+        provider.client_secret = provider_data.client_secret;
+        provider.save(&appstate.pool).await?;
+        info!(
+            "User {} modified OpenID client {}",
+            session.user.username, provider.name
+        );
+        Ok(ApiResponse {
+            json: json!({}),
+            status: StatusCode::OK,
+        })
+    } else {
+        warn!(
+            "User {} failed to modify OpenID client {}. Such client does not exist.",
+            session.user.username, provider_data.name
+        );
+        Ok(ApiResponse {
+            json: json!({}),
+            status: StatusCode::NOT_FOUND,
+        })
+    }
+}
+
+pub async fn list_openid_providers(
+    _admin: AdminRole,
+    State(appstate): State<AppState>,
+) -> ApiResult {
+    let providers = OpenIdProvider::all(&appstate.pool).await?;
+    Ok(ApiResponse {
+        json: json!(providers),
+        status: StatusCode::OK,
+    })
+}
diff --git a/src/enterprise/mod.rs b/src/enterprise/mod.rs
new file mode 100644
index 0000000000..212ebefc90
--- /dev/null
+++ b/src/enterprise/mod.rs
@@ -0,0 +1,2 @@
+pub mod db;
+pub mod handlers;
diff --git a/src/grpc/enrollment.rs b/src/grpc/enrollment.rs
index 16569d0d0b..9e299d501a 100644
--- a/src/grpc/enrollment.rs
+++ b/src/grpc/enrollment.rs
@@ -497,7 +497,7 @@ impl From<User> for AdminInfo {
 
 impl InitialUserInfo {
     async fn from_user(pool: &DbPool, user: User) -> Result<Self, sqlx::Error> {
-        let is_enrolled = user.has_password();
+        let is_enrolled = user.has_password() || user.openid_login;
         let devices = user.devices(pool).await?;
         let device_names = devices.into_iter().map(|dev| dev.device.name).collect();
         Ok(Self {
diff --git a/src/handlers/auth.rs b/src/handlers/auth.rs
index d5c076aac1..b4fd350473 100644
--- a/src/handlers/auth.rs
+++ b/src/handlers/auth.rs
@@ -74,14 +74,39 @@ pub async fn authenticate(
             }
         },
         Ok(None) => {
-            // create user from LDAP
-            debug!("User not found in DB, authenticating user {username} with LDAP");
-            if let Ok(user) = user_from_ldap(&appstate.pool, &username, &data.password).await {
-                user
-            } else {
-                info!("Failed to authenticate user {username} with LDAP");
-                log_failed_login_attempt(&appstate.failed_logins, &username);
-                return Err(WebError::Authorization("user not found".into()));
+            match User::find_by_email(&appstate.pool, &username).await {
+                Ok(Some(user)) => match user.verify_password(&data.password) {
+                    Ok(()) => {
+                        if user.is_active {
+                            user
+                        } else {
+                            info!("Failed to authenticate user {username}: user is disabled");
+                            return Err(WebError::Authorization("user not found".into()));
+                        }
+                    }
+                    Err(err) => {
+                        info!("Failed to authenticate user {username}: {err}");
+                        log_failed_login_attempt(&appstate.failed_logins, &username);
+                        return Err(WebError::Authorization(err.to_string()));
+                    }
+                },
+                Ok(None) => {
+                    // create user from LDAP
+                    debug!("User not found in DB, authenticating user {username} with LDAP");
+                    if let Ok(user) =
+                        user_from_ldap(&appstate.pool, &username, &data.password).await
+                    {
+                        user
+                    } else {
+                        info!("Failed to authenticate user {username} with LDAP");
+                        log_failed_login_attempt(&appstate.failed_logins, &username);
+                        return Err(WebError::Authorization("user not found".into()));
+                    }
+                }
+                Err(err) => {
+                    error!("DB error when authenticating user {username}: {err}");
+                    return Err(WebError::DbError(err.to_string()));
+                }
             }
         }
         Err(err) => {
diff --git a/src/handlers/group.rs b/src/handlers/group.rs
index 748bdc5388..5969cefbd9 100644
--- a/src/handlers/group.rs
+++ b/src/handlers/group.rs
@@ -47,7 +47,7 @@ pub(crate) async fn bulk_assign_to_groups(
         User,
         "SELECT id \"id?\", username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, email_mfa_enabled, \
-            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active \
+            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
             FROM \"user\" WHERE id = ANY($1)",
         &data.users
     )
diff --git a/src/handlers/mod.rs b/src/handlers/mod.rs
index 82ef2ba79d..dd3189df0a 100644
--- a/src/handlers/mod.rs
+++ b/src/handlers/mod.rs
@@ -24,8 +24,6 @@ pub(crate) mod mail;
 pub(crate) mod openid_clients;
 #[cfg(feature = "openid")]
 pub mod openid_flow;
-pub mod openid_login;
-pub mod openid_providers;
 pub(crate) mod settings;
 pub(crate) mod ssh_authorized_keys;
 pub(crate) mod support;
@@ -38,7 +36,7 @@ pub mod worker;
 pub(crate) mod yubikey;
 
 pub(crate) static SESSION_COOKIE_NAME: &str = "defguard_session";
-static SIGN_IN_COOKIE_NAME: &str = "defguard_sign_in";
+pub(crate) static SIGN_IN_COOKIE_NAME: &str = "defguard_sign_in";
 
 #[derive(Default)]
 pub struct ApiResponse {
diff --git a/src/handlers/openid_login.rs b/src/handlers/openid_login.rs
deleted file mode 100644
index c9f8206155..0000000000
--- a/src/handlers/openid_login.rs
+++ /dev/null
@@ -1,116 +0,0 @@
-use std::str::FromStr;
-
-use crate::{error::WebError, AppState};
-use axum::extract::{Query, State};
-use openidconnect::{
-    core::{CoreClient, CoreIdTokenVerifier, CoreProviderMetadata},
-    reqwest::async_http_client,
-    AdditionalClaims, AuthUrl, ClientId, GenderClaim, IdToken, IdTokenVerifier, IssuerUrl,
-    JsonWebKeySet, JsonWebKeyType, JweContentEncryptionAlgorithm, JwsSigningAlgorithm, Nonce,
-    NonceVerifier,
-};
-
-// /// Authorization Endpoint
-// /// See https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
-// pub async fn authorization(
-//     State(appstate): State<AppState>,
-//     Query(data): Query<AuthenticationRequest>,
-//     cookies: CookieJar,
-//     private_cookies: PrivateCookieJar,
-// ) -> Result<(StatusCode, HeaderMap, PrivateCookieJar), WebError> {
-
-//     Ok()
-// }
-
-/// Authentication response callback
-/// See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
-#[derive(Deserialize, Serialize, Debug)]
-pub struct AuthenticationResponse {
-    id_token: String,
-}
-
-struct Verifier;
-
-impl NonceVerifier for Verifier {
-    fn verify(self, nonce: Option<&openidconnect::Nonce>) -> Result<(), String> {
-        Ok(())
-    }
-}
-
-pub async fn auth_callback(
-    State(state): State<AppState>,
-    Query(response): Query<AuthenticationResponse>,
-) -> Result<(), WebError> {
-    // TODO(jck): log all useful stuff
-    debug!("OIDC login callback got response: {response:?}");
-    let token = IdToken::<
-        openidconnect::EmptyAdditionalClaims,
-        openidconnect::core::CoreGenderClaim,
-        openidconnect::core::CoreJweContentEncryptionAlgorithm,
-        openidconnect::core::CoreJwsSigningAlgorithm,
-        _,
-    >::from_str(&response.id_token);
-    debug!("Decoded token: {token:?}");
-    if let Ok(token) = token {
-        // TOOD(jck): create user based on user info
-        // TOOD(jck): log user in
-        // token.claims(verifier, nonce_verifier);
-        // let provider_metadata = CoreProviderMetadata::discover(
-        //     &IssuerUrl::new("https://accounts.example.com".to_string())?,
-        //     http_client,
-        // )?;
-
-        let client_id = ClientId::new("f2cef8b3-5b09-4c3f-988b-51fc3c42ecbc".to_string());
-        // let client_secret = None;
-        // let issuer_url = IssuerUrl::new(
-        //     "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/v2.0"
-        //         .to_string(),
-        // )
-        // .unwrap();
-        // let auth_url = AuthUrl::new(
-        //     "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/oauth2/v2.0/authorize".to_string()
-        // ).unwrap();
-        // let token_url = None;
-        // let userinfo_url = None;
-        // let jwks = JsonWebKeySet::default();
-        // let client = CoreClient::new(
-        //     client_id,
-        //     client_secret,
-        //     issuer_url,
-        //     auth_url,
-        //     token_url,
-        //     userinfo_url,
-        //     jwks,
-        // );
-        // let claims = token.claims(&client.id_token_verifier(), Verifier);
-        // info!("### Decoded claims: {claims:#?}");
-        // let name = claims.name().unwrap();
-        // let family_name = claims.family_name().unwrap();
-        // let given_name = claims.given_name().unwrap();
-        // let email = claims.email().unwrap();
-        // info!("### name: {name:?}, family_name: {family_name:?}, given_name: {given_name:?}, email: {email:?}");
-        let provider_metadata = CoreProviderMetadata::discover_async(
-            IssuerUrl::new(
-                "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/v2.0"
-                    .to_string(),
-            )
-            .unwrap(),
-            async_http_client,
-        )
-        .await
-        .unwrap();
-
-        let client = CoreClient::from_provider_metadata(provider_metadata, client_id, None);
-        let claims = token.claims(&client.id_token_verifier(), &Nonce::new("ala".to_string())).unwrap();
-        info!("Decoded claims: {claims:#?}");
-        // // Set the URL the user will be redirected to after the authorization process.
-        // .set_redirect_uri(RedirectUrl::new("http://localhost:3000/api/v1/oidc/callback".to_string())?);
-        // TODO(jck): log all useful stuff
-        info!("OIDC login succeeded for user");
-    } else {
-        // TODO(jck): add context
-        warn!("OIDC login failed");
-    }
-
-    Ok(())
-}
diff --git a/src/handlers/openid_providers.rs b/src/handlers/openid_providers.rs
deleted file mode 100644
index 3eb1175e49..0000000000
--- a/src/handlers/openid_providers.rs
+++ /dev/null
@@ -1,38 +0,0 @@
-use axum::{extract::State, http::StatusCode, Json};
-
-use crate::{appstate::AppState, auth::AdminRole, db::models::openid_provider::OpenIdProvider};
-
-use super::{ApiResponse, ApiResult};
-use serde_json::json;
-
-// pub async fn add_openid_provider(
-//     _admin: AdminRole,
-//     session: SessionInfo,
-//     State(appstate): State<AppState>,
-//     Json(data): Json<OpenIdProvider>,
-// ) -> ApiResult {
-//     debug!(
-//         "User {} adding OpenID provider {}",
-//         session.user.username, client.name
-//     );
-//     client.save(&appstate.pool).await?;
-//     info!(
-//         "User {} added OpenID client {}",
-//         session.user.username, client.name
-//     );
-//     Ok(ApiResponse {
-//         json: json!(client),
-//         status: StatusCode::CREATED,
-//     })
-// }
-
-pub async fn list_openid_providers(
-    _admin: AdminRole,
-    State(appstate): State<AppState>,
-) -> ApiResult {
-    let providers = OpenIdProvider::all(&appstate.pool).await?;
-    Ok(ApiResponse {
-        json: json!(providers),
-        status: StatusCode::OK,
-    })
-}
diff --git a/src/lib.rs b/src/lib.rs
index c5cff67923..15b657e5c9 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -12,12 +12,17 @@ use axum::{
 };
 
 use assets::{index, svg, web_asset};
+use enterprise::handlers::{
+    openid_login::{auth_callback, make_auth_url},
+    openid_providers::{
+        add_openid_provider, delete_openid_provider, list_openid_providers, modify_openid_provider,
+    },
+};
 use handlers::ssh_authorized_keys::{
     add_authentication_key, delete_authentication_key, fetch_authentication_keys,
 };
 use handlers::{
     group::{bulk_assign_to_groups, list_groups_info},
-    openid_providers::list_openid_providers,
     ssh_authorized_keys::rename_authentication_key,
     yubikey::{delete_yubikey, rename_yubikey},
 };
@@ -57,7 +62,6 @@ use self::{
             remove_group_member,
         },
         mail::{send_support_data, test_mail},
-        openid_login::auth_callback,
         settings::{
             get_settings, get_settings_essentials, patch_settings, set_default_branding,
             test_ldap_settings, update_settings,
@@ -111,6 +115,7 @@ pub mod assets;
 pub mod auth;
 pub mod config;
 pub mod db;
+pub mod enterprise;
 mod error;
 pub mod grpc;
 pub mod handlers;
@@ -280,8 +285,12 @@ pub fn build_webapp(
             // ldap
             .route("/ldap/test", get(test_ldap_settings))
             // OIDC login
+            .route("/openid/provider", get(list_openid_providers))
+            .route("/openid/provider", post(add_openid_provider))
+            .route("/openid/provider/:name", put(modify_openid_provider))
+            .route("/openid/provider/:name", delete(delete_openid_provider))
             .route("/openid/callback", get(auth_callback))
-            .route("/openid/provider", get(list_openid_providers)),
+            .route("/openid/get_auth_url", get(make_auth_url)),
     );
 
     #[cfg(feature = "openid")]
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index c07485308d..b7173da4b0 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -926,7 +926,9 @@ const en: BaseTranslation = {
       form: {
         labels: {
           name: 'Name',
-          documentUrl: 'OpenID document URL',
+          provider_url: 'Provider URL',
+          client_id: 'Client ID',
+          client_secret: 'Client Secret',
         },
       },
     },
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index aba715a0f7..7def1961af 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -2287,9 +2287,17 @@ type RootTranslation = {
 					 */
 					name: string
 					/**
-					 * O​p​e​n​I​D​ ​d​o​c​u​m​e​n​t​ ​U​R​L
+					 * P​r​o​v​i​d​e​r​ ​U​R​L
 					 */
-					documentUrl: string
+					provider_url: string
+					/**
+					 * C​l​i​e​n​t​ ​I​D
+					 */
+					client_id: string
+					/**
+					 * C​l​i​e​n​t​ ​S​e​c​r​e​t
+					 */
+					client_secret: string
 				}
 			}
 		}
@@ -6197,9 +6205,17 @@ export type TranslationFunctions = {
 					 */
 					name: () => LocalizedString
 					/**
-					 * OpenID document URL
+					 * Provider URL
+					 */
+					provider_url: () => LocalizedString
+					/**
+					 * Client ID
+					 */
+					client_id: () => LocalizedString
+					/**
+					 * Client Secret
 					 */
-					documentUrl: () => LocalizedString
+					client_secret: () => LocalizedString
 				}
 			}
 		}
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 9d85acffa7..3b0ce59738 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -912,7 +912,9 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
       form: {
         labels: {
           name: 'Nazwa',
-          documentUrl: 'OpenID document URL',
+          provider_url: 'URL dostawcy OpenID',
+          client_id: 'ID klienta',
+          client_secret: 'Sekret klienta',
         },
       },
     },
diff --git a/web/src/pages/auth/Login/Login.tsx b/web/src/pages/auth/Login/Login.tsx
index e07a289d52..522671105a 100644
--- a/web/src/pages/auth/Login/Login.tsx
+++ b/web/src/pages/auth/Login/Login.tsx
@@ -2,7 +2,7 @@ import './style.scss';
 
 import { zodResolver } from '@hookform/resolvers/zod';
 import { useMutation } from '@tanstack/react-query';
-import { AxiosError } from 'axios';
+import axios, { AxiosError } from 'axios';
 import { useMemo } from 'react';
 import { SubmitHandler, useForm } from 'react-hook-form';
 import { z } from 'zod';
@@ -79,21 +79,36 @@ export const Login = () => {
     },
   });
 
+  const client = useMemo(() => {
+    const res = axios.create({
+      baseURL: '/api/v1',
+    });
+
+    res.defaults.headers.common['Content-Type'] = 'application/json';
+    return res;
+  }, []);
+
   const onSubmit: SubmitHandler<Inputs> = (data) => {
     if (!loginMutation.isLoading) {
       loginMutation.mutate(trimObjectStrings(data));
     }
   };
 
-  const msUrl =
-    'https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/oauth2/' +
-    'v2.0/authorize?client_id=f2cef8b3-5b09-4c3f-988b-51fc3c42ecbc' +
-    '&scope=openid%20profile%20email&response_type=id_token&nonce=ala';
+  const getUrl = async () => {
+    const url = client.get('/openid/get_auth_url').then((res) => res.data);
+    return url;
+  };
+
+  getUrl().then((url) => {
+    console.log(url);
+  });
   const redirect = () => {
-    window.location.replace(msUrl);
+    getUrl().then((url) => {
+      window.location.replace(url);
+    });
   };
 
-  return (
+  https: return (
     <section id="login-container">
       <h1>{LL.loginPage.pageTitle()}</h1>
       <form onSubmit={handleSubmit(onSubmit)}>
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
index df66454cfd..a0795fd59e 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -3,7 +3,7 @@
 // import { SubmitHandler, useForm } from 'react-hook-form';
 // import { z } from 'zod';
 
-import { useQuery } from '@tanstack/react-query';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 
 import { useI18nContext } from '../../../../../i18n/i18n-react';
 import IconCheckmarkWhite from '../../../../../shared/components/svg/IconCheckmarkWhite';
@@ -18,20 +18,43 @@ import useApi from '../../../../../shared/hooks/useApi';
 import { QueryKeys } from '../../../../../shared/queries';
 // import { useSettingsPage } from '../../../hooks/useSettingsPage';
 import { ProviderDetails } from './ProviderDetails';
+import { FormInput } from '../../../../../shared/defguard-ui/components/Form/FormInput/FormInput';
+import { zodResolver } from '@hookform/resolvers/zod';
+import { useCallback, useEffect, useMemo, useRef, useState } from 'react';
+import { useSettingsPage } from '../../../hooks/useSettingsPage';
+import { SubmitHandler, useForm } from 'react-hook-form';
+import { useToaster } from '../../../../../shared/hooks/useToaster';
+import { OpenIdProvider, SettingsOpenID } from '../../../../../shared/types';
+import { z } from 'zod';
+import { Select } from '../../../../../shared/defguard-ui/components/Layout/Select/Select';
+import {
+  SelectSelectedValue,
+  SelectSizeVariant,
+} from '../../../../../shared/defguard-ui/components/Layout/Select/types';
+
+type FormFields = SettingsOpenID;
 
 export const OpenIdSettingsForm = () => {
   const { LL } = useI18nContext();
   const localLL = LL.settingsPage.openIdSettings;
-  // const submitRef = useRef<HTMLInputElement | null>(null);
+  const submitRef = useRef<HTMLInputElement | null>(null);
   // const settings = useSettingsPage((state) => state.settings);
-  // const {
-  //   settings: { patchSettings },
-  // } = useApi();
+  // const setSettings = useSettingsPage((state) => state.setState);
+  const [currentProvider, setCurrentProvider] = useState<OpenIdProvider | null>(null);
+
+  const {
+    settings: { patchSettings },
+  } = useApi();
 
-  // const queryClient = useQueryClient();
+  const queryClient = useQueryClient();
 
   const {
-    settings: { fetchOpenIdProviders },
+    settings: {
+      fetchOpenIdProviders,
+      addOpenIdProvider,
+      deleteOpenIdProvider,
+      editOpenIdProvider,
+    },
   } = useApi();
   const { data: providers, isLoading } = useQuery({
     queryFn: fetchOpenIdProviders,
@@ -40,39 +63,150 @@ export const OpenIdSettingsForm = () => {
     refetchOnWindowFocus: false,
   });
 
-  console.log('providers:', providers);
-
-  // const toaster = useToaster();
-
-  // const { isSaving, mutate } = useMutation({
-  //   mutationFn: patchSettings,
-  //   onSuccess: () => {
-  //     queryClient.invalidateQueries([QueryKeys.FETCH_OPENID_PROVIDERS]);
-  //     toaster.success(LL.settingsPage.messages.editSuccess());
-  //   },
-  // });
-
-  // const defaultValues = useMemo(
-  //   (): FormFields => ({
-  //     name: settings?.name ?? '',
-  //     document_url: settings?.document_url ?? '',
-  //   }),
-  //   [settings],
-  // );
-
-  // const { handleSubmit, control } = useForm<FormFields>({
-  //   resolver: zodResolver(schema),
-  //   defaultValues,
-  //   mode: 'all',
-  // });
-
-  // const handleValidSubmit: SubmitHandler<FormFields> = (data) => {
-  //   mutate(data);
-  // };
+  const toaster = useToaster();
+
+  const { mutate } = useMutation({
+    mutationFn: currentProvider ? editOpenIdProvider : addOpenIdProvider,
+    onSuccess: () => {
+      queryClient.invalidateQueries([QueryKeys.FETCH_OPENID_PROVIDERS]);
+      toaster.success(LL.settingsPage.messages.editSuccess());
+    },
+    // TODO(aleksander): HANDLE ERROR
+    onError: (error) => {
+      toaster.error(error.message);
+    },
+  });
+
+  useEffect(() => {
+    if (providers && providers.length > 0) {
+      setCurrentProvider(providers[0]);
+    }
+  }, [providers]);
+
+  const schema = useMemo(
+    () =>
+      z.object({
+        name: z.string().min(1, LL.form.error.required()),
+        provider_url: z
+          .string()
+          .url(LL.form.error.invalid())
+          .min(1, LL.form.error.required()),
+        client_id: z.string().min(1, LL.form.error.required()),
+        client_secret: z.string().min(1, LL.form.error.required()),
+      }),
+    [LL.form.error],
+  );
+
+  const defaultValues = useMemo(
+    (): FormFields => ({
+      name: currentProvider?.name ?? '',
+      provider_url: currentProvider?.provider_url ?? '',
+      client_id: currentProvider?.client_id ?? '',
+      client_secret: currentProvider?.client_secret ?? '',
+    }),
+    [currentProvider],
+  );
+
+  const { handleSubmit, reset, control } = useForm<FormFields>({
+    resolver: zodResolver(schema),
+    defaultValues,
+    mode: 'all',
+  });
+
+  useEffect(() => {
+    reset(defaultValues);
+  }, [defaultValues]);
+
+  console.log(currentProvider);
+
+  const handleValidSubmit: SubmitHandler<FormFields> = (data) => {
+    mutate(data);
+  };
+
+  const options = useMemo(
+    () => [
+      {
+        key: 1,
+        value: 'https://accounts.google.com',
+        label: 'Google',
+      },
+      {
+        key: 2,
+        value: 'https://accounts.google2.com',
+        label: 'Microsoft',
+      },
+    ],
+    [],
+  );
+
+  const renderSelected = useCallback(
+    (selected: string): SelectSelectedValue => {
+      const option = options.find((o) => o.value === selected);
+
+      if (!option) throw Error("Selected value doesn't exist");
+
+      return {
+        key: option.key,
+        displayValue: option.label,
+      };
+    },
+    [options],
+  );
+
+  const handleChange = async (val: string) => {
+    if (!isLoading && currentProvider) {
+      const newProvider: OpenIdProvider = {
+        id: currentProvider.id,
+        name: options.find((o) => o.value === val)?.label ?? '',
+        provider_url: val,
+        client_id: currentProvider.client_id,
+        client_secret: currentProvider.client_secret,
+      };
+      setCurrentProvider(newProvider);
+    }
+  };
+
   return (
     <section id="openid-settings">
       <header>
         <h2>{localLL.title()}</h2>
+      </header>
+      <form id="openid-settings-form" onSubmit={handleSubmit(handleValidSubmit)}>
+        {/* TODO(aleksander): Make a select here */}
+        <FormInput
+          controller={{ control, name: 'name' }}
+          label={localLL.form.labels.name()}
+        />
+        <FormInput
+          controller={{ control, name: 'provider_url' }}
+          label={localLL.form.labels.provider_url()}
+        />
+        {/* <Select
+        sizeVariant={SelectSizeVariant.SMALL}
+        selected={settings?.enrollment_vpn_step_optional}
+        options={vpnOptionalityOptions}
+        renderSelected={renderSelectedVpn}
+        onChangeSingle={(res) => handleChange(res)}
+        loading={isLoading || isUndefined(settings)}
+      /> */}
+        <Select
+          sizeVariant={SelectSizeVariant.SMALL}
+          selected={currentProvider?.provider_url}
+          options={options}
+          renderSelected={renderSelected}
+          onChangeSingle={(res) => handleChange(res)}
+          loading={isLoading}
+        />
+        <FormInput
+          controller={{ control, name: 'client_id' }}
+          label={localLL.form.labels.client_id()}
+        />
+        <FormInput
+          controller={{ control, name: 'client_secret' }}
+          label={localLL.form.labels.client_secret()}
+          type="password"
+        />
+        <input type="submit" aria-hidden="true" className="hidden" ref={submitRef} />
         <Button
           size={ButtonSize.SMALL}
           styleVariant={ButtonStyleVariant.SAVE}
@@ -82,27 +216,7 @@ export const OpenIdSettingsForm = () => {
           icon={<IconCheckmarkWhite />}
           onClick={() => submitRef.current?.click()}
         />
-      </header>
-      <>
-        {providers && providers.length > 0 && (
-          <div className="devices">
-            {providers.map((provider) => (
-              <ProviderDetails key={provider.id} provider={provider} />
-            ))}
-          </div>
-        )}
-      </>
-      {/* <form id="openid-settings-form" onSubmit={handleSubmit(handleValidSubmit)}> */}
-      {/*   <FormInput */}
-      {/*     controller={{ control, name: 'name' }} */}
-      {/*     label={localLL.form.labels.name()} */}
-      {/*   /> */}
-      {/*   <FormInput */}
-      {/*     controller={{ control, name: 'document_url' }} */}
-      {/*     label={localLL.form.labels.documentUrl()} */}
-      {/*   /> */}
-      {/*   <input type="submit" aria-hidden="true" className="hidden" ref={submitRef} /> */}
-      {/* </form> */}
+      </form>
     </section>
   );
 };
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/ProviderDetails.tsx b/web/src/pages/settings/components/OpenIdSettings/components/ProviderDetails.tsx
index 408f71d871..3885671269 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/ProviderDetails.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/ProviderDetails.tsx
@@ -7,13 +7,21 @@
 // import { isUndefined, orderBy } from 'lodash-es';
 // import { useMemo, useState } from 'react';
 
+import { useMemo, useState } from 'react';
 import { useI18nContext } from '../../../../../i18n/i18n-react';
+import SvgIconUserList from '../../../../../shared/components/svg/IconUserList';
+import SvgIconUserListExpanded from '../../../../../shared/components/svg/IconUserListExpanded';
+import { Button } from '../../../../../shared/defguard-ui/components/Layout/Button/Button';
+import { ButtonStyleVariant } from '../../../../../shared/defguard-ui/components/Layout/Button/types';
 // import IconClip from '../../../../../shared/components/svg/IconClip';
 // import SvgIconCollapse from '../../../../../shared/components/svg/IconCollapse';
 // import SvgIconExpand from '../../../../../shared/components/svg/IconExpand';
 // import { ColorsRGB } from '../../../../../shared/constants';
 // import { Badge } from '../../../../../shared/defguard-ui/components/Layout/Badge/Badge';
 import { Card } from '../../../../../shared/defguard-ui/components/Layout/Card/Card';
+import { EditButton } from '../../../../../shared/defguard-ui/components/Layout/EditButton/EditButton';
+import { EditButtonOption } from '../../../../../shared/defguard-ui/components/Layout/EditButton/EditButtonOption';
+import { EditButtonOptionStyleVariant } from '../../../../../shared/defguard-ui/components/Layout/EditButton/types';
 // import { DeviceAvatar } from '../../../../../shared/defguard-ui/components/Layout/DeviceAvatar/DeviceAvatar';
 // import { EditButton } from '../../../../../shared/defguard-ui/components/Layout/EditButton/EditButton';
 // import { EditButtonOption } from '../../../../../shared/defguard-ui/components/Layout/EditButton/EditButtonOption';
@@ -26,7 +34,10 @@ import { OpenIdProvider } from '../../../../../shared/types';
 // import { useDeleteDeviceModal } from '../hooks/useDeleteDeviceModal';
 // import { useDeviceConfigModal } from '../hooks/useDeviceConfigModal';
 // import { useEditDeviceModal } from '../hooks/useEditDeviceModal';
-
+import { motion, TargetAndTransition } from 'framer-motion';
+import SvgIconCollapse from '../../../../../shared/components/svg/IconCollapse';
+import SvgIconExpand from '../../../../../shared/components/svg/IconExpand';
+import useApi from '../../../../../shared/hooks/useApi';
 // dayjs.extend(utc);
 
 // const dateFormat = 'DD.MM.YYYY | HH:mm';
@@ -39,12 +50,40 @@ interface Props {
   provider: OpenIdProvider;
 }
 
+type ExpandButtonProps = {
+  expanded: boolean;
+  onExpand: () => void;
+};
+
+const ExpandButton = ({ expanded, onExpand }: ExpandButtonProps) => {
+  return (
+    <Button
+      styleVariant={ButtonStyleVariant.ICON}
+      onClick={() => onExpand()}
+      icon={expanded ? <SvgIconCollapse /> : <SvgIconExpand />}
+    ></Button>
+  );
+};
+
 export const ProviderDetails = ({ provider }: Props) => {
   // const [hovered, setHovered] = useState(false);
   const { LL } = useI18nContext();
   // const setDeleteDeviceModal = useDeleteDeviceModal((state) => state.setState);
   // const setEditDeviceModal = useEditDeviceModal((state) => state.setState);
   // const openDeviceConfigModal = useDeviceConfigModal((state) => state.open);
+  const [expanded, setExpanded] = useState(false);
+
+  const getClassName = useMemo(() => {
+    const res = ['user-connection-list-item'];
+    if (expanded) {
+      res.push('expanded');
+    }
+    return res.join(' ');
+  }, [expanded]);
+
+  const {
+    settings: { deleteOpenIdProvider },
+  } = useApi();
 
   // const schema = useMemo(
   //   () =>
@@ -104,57 +143,76 @@ export const ProviderDetails = ({ provider }: Props) => {
         <header>
           <h3 data-testid="provider-name">{provider.name}</h3>
         </header>
-        <div className="section-content">
-          <div>
-            <Label>{LL.settingsPage.openIdSettings.form.labels.documentUrl()}</Label>
-            <p data-testid="device-last-connected-from">{provider.document_url}</p>
-          </div>
+        <div className="section-content"></div>
+        <div className={getClassName}>
+          <Button className="btn variant-confirm" text="Delete provider"></Button>
+          <ExpandButton
+            expanded={expanded}
+            onExpand={() => setExpanded((state) => !state)}
+          />
+          {expanded && (
+            <div>
+              <div>
+                <Label>{LL.settingsPage.openIdSettings.form.labels.provider_url()}</Label>
+                <p data-testid="device-last-connected-from">{provider.provider_url}</p>
+              </div>
+              <div>
+                <Label>{LL.settingsPage.openIdSettings.form.labels.client_id()}</Label>
+                <p data-testid="device-last-connected-from">{provider.client_id}</p>
+              </div>
+              <div>
+                <Label>
+                  {LL.settingsPage.openIdSettings.form.labels.client_secret()}
+                </Label>
+                <p data-testid="device-last-connected-from">{provider.client_secret}</p>
+              </div>
+            </div>
+          )}
         </div>
       </section>
-      <div className="card-controls">
-        {/* <EditButton visible={true}> */}
-        {/*   <EditButtonOption */}
-        {/*     text={LL.userPage.devices.card.edit.edit()} */}
-        {/*     onClick={() => { */}
-        {/*       setEditDeviceModal({ */}
-        {/*         visible: true, */}
-        {/*         device: device, */}
-        {/*       }); */}
-        {/*     }} */}
-        {/*   /> */}
-        {/*   <EditButtonOption */}
-        {/*     styleVariant={EditButtonOptionStyleVariant.STANDARD} */}
-        {/*     text={LL.userPage.devices.card.edit.showConfigurations()} */}
-        {/*     disabled={!device.networks?.length} */}
-        {/*     onClick={() => { */}
-        {/*       openDeviceConfigModal({ */}
-        {/*         deviceName: device.name, */}
-        {/*         publicKey: device.wireguard_pubkey, */}
-        {/*         deviceId: device.id, */}
-        {/*         userId: user.user.id, */}
-        {/*         networks: device.networks.map((n) => ({ */}
-        {/*           networkId: n.network_id, */}
-        {/*           networkName: n.network_name, */}
-        {/*         })), */}
-        {/*       }); */}
-        {/*     }} */}
-        {/*   /> */}
-        {/*   <EditButtonOption */}
-        {/*     styleVariant={EditButtonOptionStyleVariant.WARNING} */}
-        {/*     text={LL.userPage.devices.card.edit.delete()} */}
-        {/*     onClick={() => */}
-        {/*       setDeleteDeviceModal({ */}
-        {/*         visible: true, */}
-        {/*         device: device, */}
-        {/*       }) */}
-        {/*     } */}
-        {/*   /> */}
-        {/* </EditButton> */}
-        {/* <ExpandButton */}
-        {/*   expanded={expanded} */}
-        {/*   onClick={() => setExpanded((state) => !state)} */}
-        {/* /> */}
-      </div>
+      {/* <div className="card-controls">
+        <EditButton visible={true}>
+          <EditButtonOption
+            text={LL.userPage.devices.card.edit.edit()}
+            onClick={() => {
+              // setEditDeviceModal({
+              //   visible: true,
+              //   device: device,
+              // });
+            }}
+          />
+          <EditButtonOption
+            styleVariant={EditButtonOptionStyleVariant.STANDARD}
+            text={LL.userPage.devices.card.edit.showConfigurations()}
+            // disabled={!device.networks?.length}
+            onClick={() => {
+              // openDeviceConfigModal({
+              //   deviceName: device.name,
+              //   publicKey: device.wireguard_pubkey,
+              //   deviceId: device.id,
+              //   userId: user.user.id,
+              //   networks: device.networks.map((n) => ({
+              //     networkId: n.network_id,
+              //     networkName: n.network_name,
+              //   })),
+              // });
+            }}
+          />
+          <EditButtonOption
+            styleVariant={EditButtonOptionStyleVariant.WARNING}
+            text={LL.userPage.devices.card.edit.delete()}
+            onClick={
+              () => {}
+              // setDeleteDeviceModal({
+              //   visible: true,
+              //   device: device,
+              // })
+            }
+          />
+        </EditButton>
+
+        
+      </div> */}
     </Card>
   );
 };
diff --git a/web/src/pages/users/UserProfile/UserProfile.tsx b/web/src/pages/users/UserProfile/UserProfile.tsx
index fc44b44b03..5e01288894 100644
--- a/web/src/pages/users/UserProfile/UserProfile.tsx
+++ b/web/src/pages/users/UserProfile/UserProfile.tsx
@@ -182,7 +182,10 @@ const EditModeControls = () => {
           size={ButtonSize.SMALL}
           styleVariant={ButtonStyleVariant.SAVE}
           icon={<IconCheckmarkWhite />}
-          onClick={() => submitSubject.next()}
+          onClick={() => {
+            submitSubject.next();
+            console.log('submitSubject.next();');
+          }}
           loading={loading}
         />
       </div>
diff --git a/web/src/shared/hooks/useApi.tsx b/web/src/shared/hooks/useApi.tsx
index 37cd0774a2..bacdabbb15 100644
--- a/web/src/shared/hooks/useApi.tsx
+++ b/web/src/shared/hooks/useApi.tsx
@@ -439,6 +439,16 @@ const useApi = (props?: HookProps): ApiHook => {
   const fetchOpenIdProviders: ApiHook['settings']['fetchOpenIdProviders'] = async () =>
     client.get<OpenIdProvider[]>(`/openid/provider`).then((res) => res.data);
 
+  const addOpenIdProvider: ApiHook['settings']['addOpenIdProvider'] = async (data) =>
+    client.post(`/openid/provider`, data).then(unpackRequest);
+
+  const deleteOpenIdProvider: ApiHook['settings']['deleteOpenIdProvider'] = async (
+    name,
+  ) => client.delete(`/openid/provider/${name}`).then(unpackRequest);
+
+  const editOpenIdProvider: ApiHook['settings']['editOpenIdProvider'] = async (data) =>
+    client.put(`/openid/provider/${data.name}`, data).then(unpackRequest);
+
   useEffect(() => {
     client.interceptors.response.use(
       (res) => {
@@ -597,6 +607,9 @@ const useApi = (props?: HookProps): ApiHook => {
       getEssentialSettings,
       testLdapSettings,
       fetchOpenIdProviders,
+      addOpenIdProvider,
+      deleteOpenIdProvider,
+      editOpenIdProvider,
     },
     support: {
       downloadSupportData,
diff --git a/web/src/shared/types.ts b/web/src/shared/types.ts
index 7801750261..6044d7df2a 100644
--- a/web/src/shared/types.ts
+++ b/web/src/shared/types.ts
@@ -570,6 +570,9 @@ export interface ApiHook {
     getEssentialSettings: () => Promise<SettingsEssentials>;
     testLdapSettings: () => Promise<EmptyApiResponse>;
     fetchOpenIdProviders: () => Promise<OpenIdProvider[]>;
+    addOpenIdProvider: (data: OpenIdProvider) => Promise<EmptyApiResponse>;
+    deleteOpenIdProvider: (id: string) => Promise<EmptyApiResponse>;
+    editOpenIdProvider: (data: OpenIdProvider) => Promise<EmptyApiResponse>;
   };
   support: {
     downloadSupportData: () => Promise<unknown>;
@@ -787,7 +790,8 @@ export type Settings = SettingsModules &
   SettingsSMTP &
   SettingsEnrollment &
   SettingsBranding &
-  SettingsLDAP;
+  SettingsLDAP &
+  SettingsOpenID;
 
 // essentials for core frontend, includes only those that are required for frontend operations
 export type SettingsEssentials = SettingsModules & SettingsBranding;
@@ -840,6 +844,13 @@ export type SettingsWeb3 = {
   challenge_template: string;
 };
 
+export type SettingsOpenID = {
+  name: string;
+  provider_url: string;
+  client_id: string;
+  client_secret: string;
+};
+
 export interface Webhook {
   id: string;
   url: string;
@@ -865,7 +876,9 @@ export interface OpenidClient {
 export interface OpenIdProvider {
   id: string;
   name: string;
-  document_url: string;
+  provider_url: string;
+  client_id: string;
+  client_secret: string;
 }
 
 export interface EditOpenidClientRequest {

From 80afbe685a4b6cb014f0ca3a83bb37564384dc05 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 12 Jul 2024 16:59:37 +0200
Subject: [PATCH 09/73] openid flow 2

---
 .../20240603091113_openid_provider.up.sql     |   3 +-
 .../20240710095931_add_openid_login.down.sql  |   1 -
 .../20240710095931_add_openid_login.up.sql    |   1 -
 src/db/models/group.rs                        |   2 +-
 src/db/models/mod.rs                          |   2 +-
 src/db/models/user.rs                         |  13 +-
 src/enterprise/db/models/openid_provider.rs   |  47 ++--
 src/enterprise/handlers/openid_login.rs       | 234 +++++++++++++-----
 src/enterprise/handlers/openid_providers.rs   |  36 +--
 src/grpc/enrollment.rs                        |   2 +-
 src/handlers/group.rs                         |   2 +-
 src/lib.rs                                    |  11 +-
 web/src/i18n/en/index.ts                      |   4 +-
 web/src/i18n/i18n-types.ts                    |  24 +-
 web/src/i18n/pl/index.ts                      |   4 +-
 web/src/pages/auth/Login/Login.tsx            |  39 ++-
 .../OpenIdSettings/OpenIdSettings.tsx         |   8 +-
 .../components/OpenIdSettingsForm.tsx         | 170 ++++++-------
 .../components/ProviderDetails.tsx            | 218 ----------------
 .../OpenIdSettings/components/style.scss      |  22 ++
 web/src/shared/hooks/useApi.tsx               |  12 +-
 web/src/shared/types.ts                       |  17 +-
 22 files changed, 401 insertions(+), 471 deletions(-)
 delete mode 100644 migrations/20240710095931_add_openid_login.down.sql
 delete mode 100644 migrations/20240710095931_add_openid_login.up.sql
 delete mode 100644 web/src/pages/settings/components/OpenIdSettings/components/ProviderDetails.tsx
 create mode 100644 web/src/pages/settings/components/OpenIdSettings/components/style.scss

diff --git a/migrations/20240603091113_openid_provider.up.sql b/migrations/20240603091113_openid_provider.up.sql
index 8e47ecf749..397dda83e9 100644
--- a/migrations/20240603091113_openid_provider.up.sql
+++ b/migrations/20240603091113_openid_provider.up.sql
@@ -1,8 +1,7 @@
 CREATE TABLE openidprovider (
     id bigserial PRIMARY KEY,
     "name" text NOT NULL,
-    -- "document_url" text NOT NULL,
-    "provider_url" text NOT NULL,
+    "base_url" text NOT NULL,
     "client_id" text NOT NULL,
     "client_secret" text NOT NULL,
     "enabled" boolean NOT NULL DEFAULT FALSE,
diff --git a/migrations/20240710095931_add_openid_login.down.sql b/migrations/20240710095931_add_openid_login.down.sql
deleted file mode 100644
index d216b19dd0..0000000000
--- a/migrations/20240710095931_add_openid_login.down.sql
+++ /dev/null
@@ -1 +0,0 @@
-ALTER TABLE "user" DROP COLUMN openid_login;
diff --git a/migrations/20240710095931_add_openid_login.up.sql b/migrations/20240710095931_add_openid_login.up.sql
deleted file mode 100644
index 07f397654d..0000000000
--- a/migrations/20240710095931_add_openid_login.up.sql
+++ /dev/null
@@ -1 +0,0 @@
-ALTER TABLE "user" ADD COLUMN openid_login boolean NOT NULL DEFAULT false;
diff --git a/src/db/models/group.rs b/src/db/models/group.rs
index f5b5ea3ef2..73f4476188 100644
--- a/src/db/models/group.rs
+++ b/src/db/models/group.rs
@@ -60,7 +60,7 @@ impl Group {
                 User,
                 "SELECT \"user\".id \"id?\", username, password_hash, last_name, first_name, email, \
                 phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, \
-                mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
+                mfa_method \"mfa_method: _\", recovery_codes, is_active \
                 FROM \"user\" \
                 JOIN group_user ON \"user\".id = group_user.user_id \
                 WHERE group_user.group_id = $1",
diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs
index 246bb2f4da..fe7b8d4dd8 100644
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -98,7 +98,7 @@ impl UserInfo {
             mfa_method: user.mfa_method.clone(),
             authorized_apps,
             is_active: user.is_active,
-            enrolled: user.has_password() || user.openid_login,
+            enrolled: user.has_password(),
         })
     }
 
diff --git a/src/db/models/user.rs b/src/db/models/user.rs
index 68eabd80a1..2ea623127a 100644
--- a/src/db/models/user.rs
+++ b/src/db/models/user.rs
@@ -74,8 +74,6 @@ pub struct User {
     pub phone: Option<String>,
     pub mfa_enabled: bool,
     pub is_active: bool,
-    /// Whether user logs in through an OpenID provider
-    pub openid_login: bool,
     // secret has been verified and TOTP can be used
     pub(crate) totp_enabled: bool,
     pub(crate) email_mfa_enabled: bool,
@@ -122,7 +120,6 @@ impl User {
             mfa_method: MFAMethod::None,
             recovery_codes: Vec::new(),
             is_active: true,
-            openid_login: false,
         }
     }
 
@@ -454,7 +451,7 @@ impl User {
     ) -> Result<Vec<UserDiagnostic>, SqlxError> {
         let users = query!(
             "SELECT id, mfa_enabled, totp_enabled, email_mfa_enabled, \
-                mfa_method as \"mfa_method: MFAMethod\", password_hash, is_active, openid_login \
+                mfa_method as \"mfa_method: MFAMethod\", password_hash, is_active \
             FROM \"user\""
         )
         .fetch_all(pool)
@@ -468,7 +465,7 @@ impl User {
                 mfa_enabled: u.mfa_enabled,
                 id: u.id,
                 is_active: u.is_active,
-                enrolled: u.password_hash.is_some() || u.openid_login,
+                enrolled: u.password_hash.is_some(),
             })
             .collect();
         Ok(res)
@@ -484,7 +481,7 @@ impl User {
             "SELECT \"user\".id \"id?\", username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, totp_secret, \
             email_mfa_enabled, email_mfa_secret, \
-            mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
+            mfa_method \"mfa_method: _\", recovery_codes, is_active \
             FROM \"user\"
             INNER JOIN \"group_user\" ON \"user\".id = \"group_user\".user_id
             INNER JOIN \"group\" ON \"group_user\".group_id = \"group\".id
@@ -575,7 +572,7 @@ impl User {
             Self,
             "SELECT id \"id?\", username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, email_mfa_enabled, \
-            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
+            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active \
             FROM \"user\" WHERE username = $1",
             username
         )
@@ -591,7 +588,7 @@ impl User {
             Self,
             "SELECT id \"id?\", username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, email_mfa_enabled, \
-            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
+            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active \
             FROM \"user\" WHERE email = $1",
             email
         )
diff --git a/src/enterprise/db/models/openid_provider.rs b/src/enterprise/db/models/openid_provider.rs
index 5a5ee00533..9841f5f329 100644
--- a/src/enterprise/db/models/openid_provider.rs
+++ b/src/enterprise/db/models/openid_provider.rs
@@ -8,7 +8,7 @@ use crate::db::DbPool;
 pub struct OpenIdProvider {
     pub id: Option<i64>,
     pub name: String,
-    pub provider_url: String,
+    pub base_url: String,
     pub client_id: String,
     pub client_secret: String,
     pub enabled: bool,
@@ -32,11 +32,11 @@ pub struct OpenIdProvider {
 
 impl OpenIdProvider {
     #[must_use]
-    pub fn new<S: Into<String>>(name: S, provider_url: S, client_id: S, client_secret: S) -> Self {
+    pub fn new<S: Into<String>>(name: S, base_url: S, client_id: S, client_secret: S) -> Self {
         Self {
             id: None,
             name: name.into(),
-            provider_url: provider_url.into(),
+            base_url: base_url.into(),
             client_id: client_id.into(),
             client_secret: client_secret.into(),
             enabled: false,
@@ -46,33 +46,42 @@ impl OpenIdProvider {
     pub async fn find_by_name(pool: &DbPool, name: &str) -> Result<Option<Self>, SqlxError> {
         query_as!(
             OpenIdProvider,
-            "SELECT id \"id?\", name, provider_url, client_id, client_secret, enabled FROM openidprovider WHERE name = $1",
+            "SELECT id \"id?\", name, base_url, client_id, client_secret, enabled FROM openidprovider WHERE name = $1",
             name
         )
         .fetch_optional(pool)
         .await
     }
 
-    pub async fn exists(pool: &DbPool, provider: &OpenIdProvider) -> Result<bool, SqlxError> {
-        query!(
-            "SELECT EXISTS(SELECT 1 FROM openidprovider WHERE name = $1 OR client_id = $2 OR client_secret = $3)",
-            provider.name,
-            provider.client_id,
-            provider.client_secret
-        )
-        .fetch_one(pool)
-        .await?
-        .exists
-        .ok_or_else(|| SqlxError::RowNotFound)
+    // TODO: this is a temporary method. We currently support only one provider at a time
+    pub async fn upsert(&mut self, pool: &DbPool) -> Result<(), SqlxError> {
+        // TODO(aleksander): do it with only one query?
+        if let Some(provider) = OpenIdProvider::get_current(pool).await? {
+            query!(
+                "UPDATE openidprovider SET name = $1, base_url = $2, client_id = $3, client_secret = $4, enabled = $5 WHERE id = $6",
+                self.name,
+                self.base_url,
+                self.client_id,
+                self.client_secret,
+                self.enabled,
+                provider.id
+            )
+            .execute(pool)
+            .await?;
+        } else {
+            self.save(pool).await?;
+        }
+
+        Ok(())
     }
 
-    // TODO(aleksander): there may be more than one active provider
-    pub async fn get_enabled(pool: &DbPool) -> Result<Self, SqlxError> {
+    // TODO: this is a temporary method. We currently support only one provider at a time
+    pub async fn get_current(pool: &DbPool) -> Result<Option<Self>, SqlxError> {
         query_as!(
             OpenIdProvider,
-            "SELECT id \"id?\", name, provider_url, client_id, client_secret, enabled FROM openidprovider WHERE enabled = true limit 1"
+            "SELECT id \"id?\", name, base_url, client_id, client_secret, enabled FROM openidprovider"
         )
-        .fetch_one(pool)
+        .fetch_optional(pool)
         .await
     }
 }
diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 2636168f90..b809b9e049 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -146,7 +146,10 @@ use openidconnect::{
     core::CoreProviderMetadata, reqwest::async_http_client, ClientId, ClientSecret, IssuerUrl,
     ProviderMetadata, RedirectUrl, RevocationUrl,
 };
-use openidconnect::{AuthenticationFlow, AuthorizationCode, CsrfToken, LanguageTag, Nonce, Scope};
+use openidconnect::{
+    AuthenticationFlow, AuthorizationCode, CsrfToken, EndUserEmail, EndUserFamilyName,
+    EndUserGivenName, LanguageTag, LocalizedClaim, Nonce, Scope,
+};
 
 use crate::appstate::AppState;
 use crate::db::{AppEvent, DbPool, Session, SessionState, User, UserInfo};
@@ -177,9 +180,16 @@ type ProvMeta = ProviderMetadata<
 async fn get_provider_metadata(url: &str) -> Result<ProvMeta, WebError> {
     let issuer_url = IssuerUrl::new(url.to_string()).unwrap();
 
-    let provider_metadata = CoreProviderMetadata::discover_async(issuer_url, async_http_client)
-        .await
-        .unwrap();
+    let provider_metadata =
+        match CoreProviderMetadata::discover_async(issuer_url, async_http_client).await {
+            Ok(metadata) => metadata,
+            Err(_) => {
+                return Err(WebError::Authorization(format!(
+                "Failed to discover provider metadata, make sure the providers' url is correct: {}",
+                url
+            )));
+            }
+        };
 
     println!("{:?}", provider_metadata);
 
@@ -187,33 +197,48 @@ async fn get_provider_metadata(url: &str) -> Result<ProvMeta, WebError> {
 }
 
 async fn make_oidc_client(pool: &DbPool) -> Result<CoreClient, WebError> {
-    let provider = OpenIdProvider::get_enabled(pool).await?;
-    let provider_metadata = get_provider_metadata(&provider.provider_url).await?;
+    let provider = match OpenIdProvider::get_current(pool).await? {
+        Some(provider) => provider,
+        None => {
+            return Err(WebError::Authorization(
+                "OpenID provider not found".to_string(),
+            ));
+        }
+    };
 
+    let provider_metadata = get_provider_metadata(&provider.base_url).await?;
     let client_id = ClientId::new(provider.client_id);
-
     let client_secret = ClientSecret::new(provider.client_secret);
+    let config = server_config();
+    let url = format!("{}api/v1/openid/callback", config.url);
+    let redirect_url = match RedirectUrl::new(url) {
+        Ok(url) => url,
+        Err(err) => {
+            return Err(WebError::Authorization(format!(
+                "Failed to create a redirect url from string: {}",
+                err
+            )));
+        }
+    };
 
-    let client =
+    Ok(
         CoreClient::from_provider_metadata(provider_metadata, client_id, Some(client_secret))
-            .set_redirect_uri(
-                RedirectUrl::new("http://localhost:3000/api/v1/openid/callback".to_string())
-                    .unwrap(),
-            );
-
-    Ok(client)
+            .set_redirect_uri(redirect_url),
+    )
 }
 
 fn nonce_fn() -> Nonce {
-    Nonce::new("nonce".to_string())
+    Nonce::new("nonce123123".to_string())
 }
 
 fn csrf_fn() -> CsrfToken {
     CsrfToken::new("csrf".to_string())
 }
 
-pub async fn make_auth_url(State(appstate): State<AppState>) -> Result<String, WebError> {
-    // TODO(aleksander): make sure that the user enables the oidc login first
+pub async fn get_auth_info(
+    private_cookies: PrivateCookieJar,
+    State(appstate): State<AppState>,
+) -> Result<(PrivateCookieJar, ApiResponse), WebError> {
     let client = make_oidc_client(&appstate.pool).await?;
 
     let (authorize_url, csrf_state, nonce) = client
@@ -222,16 +247,56 @@ pub async fn make_auth_url(State(appstate): State<AppState>) -> Result<String, W
             csrf_fn,
             nonce_fn,
         )
-        // This example is requesting access to the "calendar" features and the user's profile.
         .add_scope(Scope::new("email".to_string()))
+        // Unnecessary if we dont create an account
         .add_scope(Scope::new("profile".to_string()))
         .url();
 
-    info!("{:?}", authorize_url);
-    info!("{:?}", csrf_state);
-    info!("{:?}", nonce);
+    println!("{:?} | {:?} | {:?}", authorize_url, csrf_state, nonce);
 
-    Ok(authorize_url.to_string())
+    let config = server_config();
+
+    let nonce_cookie = Cookie::build(("nonce", nonce.secret().clone()))
+        .domain(
+            config
+                .cookie_domain
+                .clone()
+                .expect("Cookie domain not found"),
+        )
+        .path("/api/v1/openid/callback")
+        .http_only(true)
+        .same_site(SameSite::Lax)
+        .secure(true)
+        .max_age(Duration::days(1))
+        .build();
+
+    let csrf_cookie = Cookie::build(("csrf", csrf_state.secret().clone()))
+        .domain(
+            config
+                .cookie_domain
+                .clone()
+                .expect("Cookie domain not found"),
+        )
+        .path("/api/v1/openid/callback")
+        .http_only(true)
+        .same_site(SameSite::Lax)
+        .secure(true)
+        .max_age(Duration::days(1))
+        .build();
+
+    let private_cookies = private_cookies.add(nonce_cookie).add(csrf_cookie);
+
+    Ok((
+        private_cookies,
+        ApiResponse {
+            json: json!(
+                {
+                    "url": authorize_url,
+                }
+            ),
+            status: StatusCode::OK,
+        },
+    ))
 }
 
 /// Helper function to return redirection with status code 302.
@@ -249,77 +314,116 @@ fn redirect_to<T: AsRef<str>>(uri: T, cookies: CookieJar) -> (StatusCode, Header
 pub struct AuthenticationResponse {
     code: AuthorizationCode,
     state: CsrfToken,
+    // nonce: Nonce,
 }
 
 pub async fn auth_callback(
     cookies: CookieJar,
+    private_cookies: PrivateCookieJar,
     user_agent: Option<TypedHeader<UserAgent>>,
     forwarded_for_ip: Option<LeftmostXForwardedFor>,
     InsecureClientIp(insecure_ip): InsecureClientIp,
     Query(params): Query<AuthenticationResponse>,
     State(appstate): State<AppState>,
 ) -> Result<(StatusCode, HeaderMap, CookieJar), WebError> {
+    let cookie_nonce = private_cookies
+        .get("nonce")
+        .ok_or(WebError::Authorization(
+            "Nonce cookie not found".to_string(),
+        ))?
+        .value_trimmed()
+        .to_string();
+
+    let cookie_csrf = private_cookies
+        .get("csrf")
+        .ok_or(WebError::Authorization("CSRF cookie not found".to_string()))?
+        .value_trimmed()
+        .to_string();
+
+    if params.state.secret() != &cookie_csrf {
+        return Err(WebError::Authorization("CSRF token mismatch".to_string()));
+    };
+
     let client = make_oidc_client(&appstate.pool).await?;
 
     let token = client
         .exchange_code(params.code)
         .request_async(async_http_client)
         .await
-        .unwrap();
+        .map_err(|error| {
+            WebError::Authorization(format!(
+                "Failed to exchange code for token, error: {:?}",
+                error
+            ))
+        })?;
 
-    let nonce = Nonce::new("nonce".to_string());
+    let nonce = Nonce::new(cookie_nonce);
 
     let token_verifier = client.id_token_verifier();
-    let token_claims = token
-        .extra_fields()
-        .id_token()
-        .expect("Server did not return an ID token")
-        .claims(&token_verifier, &nonce)
-        .unwrap();
+    let id_token = match token.extra_fields().id_token() {
+        Some(token) => token,
+        None => {
+            return Err(WebError::Authorization(
+                "Server did not return an ID token".to_string(),
+            ));
+        }
+    };
+
+    let token_claims = match id_token.claims(&token_verifier, &nonce) {
+        Ok(claims) => claims,
+        Err(error) => {
+            return Err(WebError::Authorization(format!(
+                "Failed to verify ID token, error: {:?}",
+                error
+            )));
+        }
+    };
     // println!("Google returned ID token: {:?}", token_claims);
 
-    let email = token_claims.email().unwrap();
-    let name = token_claims.name().unwrap();
-    // TODO: check whats up with localized claims
-    // println!("{:?}", token_claims);
-    let given_name = token_claims
-        .given_name()
-        .unwrap()
-        .clone()
-        .into_iter()
-        .next()
-        .unwrap()
-        .1;
-    let family_name = token_claims
-        .family_name()
-        .unwrap()
-        .clone()
-        .into_iter()
-        .next()
-        .unwrap()
-        .1;
+    let email = token_claims.email().ok_or(WebError::Authorization(
+        "Email not found in the information returned from provider.".to_string(),
+    ))?;
+
+    // let name = token_claims.name().unwrap();
+    // let given_name: Option<&EndUserGivenName> = match token_claims.given_name() {
+    //     Some(given_name) => Ok(given_name.get(None)),
+    //     None => Err(WebError::Authorization(
+    //         "Given name not found in the information returned from provider.".to_string(),
+    //     ))?,
+    // }?;
+    // let family_name: Option<&EndUserFamilyName> = match token_claims.family_name() {
+    //     Some(family_name) => Ok(family_name.get(None)),
+    //     None => Err(WebError::Authorization(
+    //         "Family name not found in the information returned from provider.".to_string(),
+    //     ))?,
+    // }?;
+
+    let phone = token_claims.phone_number();
+
     println!("Email: {:?}", email);
-    println!("Name: {:?}", name);
-    println!("Given Name: {:?}", given_name);
-    println!("Family Name: {:?}", family_name);
+    // println!("Name: {:?}", name);
+    // println!("Given Name: {:?}", given_name);
+    // println!("Family Name: {:?}", family_name);
 
     let username = email.split('@').next().unwrap();
 
     let user = match User::find_by_username(&appstate.pool, username).await {
         Ok(Some(user)) => user,
         Ok(None) => {
-            let mut user = User::new(
-                username.to_string(),
-                None,
-                family_name.to_string(),
-                given_name.to_string(),
-                email.to_string(),
-                // TODO: Add phone
-                None,
-            );
-            user.openid_login = true;
-            user.save(&appstate.pool).await?;
-            user
+            // let mut user = User::new(
+            //     username.to_string(),
+            //     None,
+            //     family_name.to_string(),
+            //     given_name.to_string(),
+            //     email.to_string(),
+            //     None,
+            // );
+            // user.save(&appstate.pool).await?;
+            // user
+            return Err(WebError::Authorization(
+                "User not found. The user needs to be created first in order to login using OIDC."
+                    .to_string(),
+            ));
         }
         Err(e) => {
             return Err(WebError::Authorization(e.to_string()));
diff --git a/src/enterprise/handlers/openid_providers.rs b/src/enterprise/handlers/openid_providers.rs
index b72dff312a..85ea295a4d 100644
--- a/src/enterprise/handlers/openid_providers.rs
+++ b/src/enterprise/handlers/openid_providers.rs
@@ -12,7 +12,7 @@ use serde_json::json;
 #[derive(Debug, Deserialize)]
 pub struct AddProviderData {
     name: String,
-    provider_url: String,
+    base_url: String,
     client_id: String,
     client_secret: String,
 }
@@ -25,27 +25,15 @@ pub async fn add_openid_provider(
 ) -> ApiResult {
     let mut new_provider = OpenIdProvider::new(
         provider_data.name,
-        provider_data.provider_url,
+        provider_data.base_url,
         provider_data.client_id,
         provider_data.client_secret,
     );
-    // check if it already exists
-    if OpenIdProvider::exists(&appstate.pool, &new_provider).await? {
-        warn!(
-            "User {} failed to add OpenID client {}. Such client already exists.",
-            session.user.username, new_provider.name
-        );
-        return Ok(ApiResponse {
-            json: json!({}),
-            status: StatusCode::CONFLICT,
-        });
-    }
-
     debug!(
         "User {} adding OpenID provider {}",
         session.user.username, new_provider.name
     );
-    new_provider.save(&appstate.pool).await?;
+    new_provider.upsert(&appstate.pool).await?;
     info!(
         "User {} added OpenID client {}",
         session.user.username, new_provider.name
@@ -56,6 +44,22 @@ pub async fn add_openid_provider(
     })
 }
 
+pub async fn get_current_openid_provider(
+    _admin: AdminRole,
+    State(appstate): State<AppState>,
+) -> ApiResult {
+    match OpenIdProvider::get_current(&appstate.pool).await? {
+        Some(provider) => Ok(ApiResponse {
+            json: json!(provider),
+            status: StatusCode::OK,
+        }),
+        None => Ok(ApiResponse {
+            json: json!({}),
+            status: StatusCode::NOT_FOUND,
+        }),
+    }
+}
+
 pub async fn delete_openid_provider(
     _admin: AdminRole,
     session: SessionInfo,
@@ -101,7 +105,7 @@ pub async fn modify_openid_provider(
     );
     let provider = OpenIdProvider::find_by_name(&appstate.pool, &provider_data.name).await?;
     if let Some(mut provider) = provider {
-        provider.provider_url = provider_data.provider_url;
+        provider.base_url = provider_data.base_url;
         provider.client_id = provider_data.client_id;
         provider.client_secret = provider_data.client_secret;
         provider.save(&appstate.pool).await?;
diff --git a/src/grpc/enrollment.rs b/src/grpc/enrollment.rs
index 9e299d501a..16569d0d0b 100644
--- a/src/grpc/enrollment.rs
+++ b/src/grpc/enrollment.rs
@@ -497,7 +497,7 @@ impl From<User> for AdminInfo {
 
 impl InitialUserInfo {
     async fn from_user(pool: &DbPool, user: User) -> Result<Self, sqlx::Error> {
-        let is_enrolled = user.has_password() || user.openid_login;
+        let is_enrolled = user.has_password();
         let devices = user.devices(pool).await?;
         let device_names = devices.into_iter().map(|dev| dev.device.name).collect();
         Ok(Self {
diff --git a/src/handlers/group.rs b/src/handlers/group.rs
index 5969cefbd9..748bdc5388 100644
--- a/src/handlers/group.rs
+++ b/src/handlers/group.rs
@@ -47,7 +47,7 @@ pub(crate) async fn bulk_assign_to_groups(
         User,
         "SELECT id \"id?\", username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, email_mfa_enabled, \
-            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
+            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active \
             FROM \"user\" WHERE id = ANY($1)",
         &data.users
     )
diff --git a/src/lib.rs b/src/lib.rs
index 15b657e5c9..983c58715f 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -13,9 +13,10 @@ use axum::{
 
 use assets::{index, svg, web_asset};
 use enterprise::handlers::{
-    openid_login::{auth_callback, make_auth_url},
+    openid_login::{auth_callback, get_auth_info},
     openid_providers::{
-        add_openid_provider, delete_openid_provider, list_openid_providers, modify_openid_provider,
+        add_openid_provider, delete_openid_provider, get_current_openid_provider,
+        list_openid_providers, modify_openid_provider,
     },
 };
 use handlers::ssh_authorized_keys::{
@@ -285,12 +286,10 @@ pub fn build_webapp(
             // ldap
             .route("/ldap/test", get(test_ldap_settings))
             // OIDC login
-            .route("/openid/provider", get(list_openid_providers))
+            .route("/openid/provider", get(get_current_openid_provider))
             .route("/openid/provider", post(add_openid_provider))
-            .route("/openid/provider/:name", put(modify_openid_provider))
-            .route("/openid/provider/:name", delete(delete_openid_provider))
             .route("/openid/callback", get(auth_callback))
-            .route("/openid/get_auth_url", get(make_auth_url)),
+            .route("/openid/auth_info", get(get_auth_info)),
     );
 
     #[cfg(feature = "openid")]
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index b7173da4b0..439cf622be 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -926,9 +926,11 @@ const en: BaseTranslation = {
       form: {
         labels: {
           name: 'Name',
-          provider_url: 'Provider URL',
+          provider: 'Provider',
           client_id: 'Client ID',
           client_secret: 'Client Secret',
+          base_url: 'Provider URL',
+          tenant_id: 'Tenant ID',
         },
       },
     },
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index 7def1961af..1ff6f18654 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -2287,9 +2287,9 @@ type RootTranslation = {
 					 */
 					name: string
 					/**
-					 * P​r​o​v​i​d​e​r​ ​U​R​L
+					 * P​r​o​v​i​d​e​r
 					 */
-					provider_url: string
+					provider: string
 					/**
 					 * C​l​i​e​n​t​ ​I​D
 					 */
@@ -2298,6 +2298,14 @@ type RootTranslation = {
 					 * C​l​i​e​n​t​ ​S​e​c​r​e​t
 					 */
 					client_secret: string
+					/**
+					 * P​r​o​v​i​d​e​r​ ​U​R​L
+					 */
+					base_url: string
+					/**
+					 * T​e​n​a​n​t​ ​I​D
+					 */
+					tenant_id: string
 				}
 			}
 		}
@@ -6205,9 +6213,9 @@ export type TranslationFunctions = {
 					 */
 					name: () => LocalizedString
 					/**
-					 * Provider URL
+					 * Provider
 					 */
-					provider_url: () => LocalizedString
+					provider: () => LocalizedString
 					/**
 					 * Client ID
 					 */
@@ -6216,6 +6224,14 @@ export type TranslationFunctions = {
 					 * Client Secret
 					 */
 					client_secret: () => LocalizedString
+					/**
+					 * Provider URL
+					 */
+					base_url: () => LocalizedString
+					/**
+					 * Tenant ID
+					 */
+					tenant_id: () => LocalizedString
 				}
 			}
 		}
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 3b0ce59738..2c5d5ca2c0 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -912,9 +912,11 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
       form: {
         labels: {
           name: 'Nazwa',
-          provider_url: 'URL dostawcy OpenID',
+          provider: 'Dostawca OpenID',
           client_id: 'ID klienta',
           client_secret: 'Sekret klienta',
+          base_url: 'URL dostawcy',
+          tenant_id: 'ID dzierżawy (Tenant ID)',
         },
       },
     },
diff --git a/web/src/pages/auth/Login/Login.tsx b/web/src/pages/auth/Login/Login.tsx
index 522671105a..cd5d7947da 100644
--- a/web/src/pages/auth/Login/Login.tsx
+++ b/web/src/pages/auth/Login/Login.tsx
@@ -2,7 +2,7 @@ import './style.scss';
 
 import { zodResolver } from '@hookform/resolvers/zod';
 import { useMutation } from '@tanstack/react-query';
-import axios, { AxiosError } from 'axios';
+import { AxiosError } from 'axios';
 import { useMemo } from 'react';
 import { SubmitHandler, useForm } from 'react-hook-form';
 import { z } from 'zod';
@@ -47,7 +47,10 @@ export const Login = () => {
   );
 
   const {
-    auth: { login },
+    auth: {
+      login,
+      openid: { getOpenidInfo },
+    },
   } = useApi();
 
   const { handleSubmit, control, setError } = useForm<Inputs>({
@@ -79,36 +82,26 @@ export const Login = () => {
     },
   });
 
-  const client = useMemo(() => {
-    const res = axios.create({
-      baseURL: '/api/v1',
-    });
-
-    res.defaults.headers.common['Content-Type'] = 'application/json';
-    return res;
-  }, []);
-
   const onSubmit: SubmitHandler<Inputs> = (data) => {
     if (!loginMutation.isLoading) {
       loginMutation.mutate(trimObjectStrings(data));
     }
   };
 
-  const getUrl = async () => {
-    const url = client.get('/openid/get_auth_url').then((res) => res.data);
-    return url;
-  };
+  // const redirect = () => {
+  //   // getUrl().then((url) => {
+  //   //   window.location.replace(url);
+  //   // });
+  // };
 
-  getUrl().then((url) => {
-    console.log(url);
-  });
-  const redirect = () => {
-    getUrl().then((url) => {
-      window.location.replace(url);
+  const openIdLogin = () => {
+    getOpenidInfo().then((data) => {
+      // console.log(data);
+      window.location.replace(data.url);
     });
   };
 
-  https: return (
+  return (
     <section id="login-container">
       <h1>{LL.loginPage.pageTitle()}</h1>
       <form onSubmit={handleSubmit(onSubmit)}>
@@ -141,7 +134,7 @@ export const Login = () => {
           styleVariant={ButtonStyleVariant.PRIMARY}
           text="Login with OIDC"
           data-testid="login-form-submit"
-          onClick={redirect}
+          onClick={openIdLogin}
         />
       </form>
     </section>
diff --git a/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx b/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
index e4239f84e5..bb4d08a60b 100644
--- a/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
@@ -2,4 +2,10 @@ import './style.scss';
 
 import { OpenIdSettingsForm } from './components/OpenIdSettingsForm';
 
-export const OpenIdSettings = () => <OpenIdSettingsForm />;
+export const OpenIdSettings = () => {
+  return (
+    <div className="left">
+      <OpenIdSettingsForm />
+    </div>
+  );
+};
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
index a0795fd59e..c99576d2f8 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -1,62 +1,42 @@
-// import { zodResolver } from '@hookform/resolvers/zod';
-// import { useMemo, useRef } from 'react';
-// import { SubmitHandler, useForm } from 'react-hook-form';
-// import { z } from 'zod';
+import './style.scss';
 
+import { zodResolver } from '@hookform/resolvers/zod';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { useCallback, useEffect, useMemo, useState } from 'react';
+import { SubmitHandler, useForm } from 'react-hook-form';
+import { z } from 'zod';
 
 import { useI18nContext } from '../../../../../i18n/i18n-react';
 import IconCheckmarkWhite from '../../../../../shared/components/svg/IconCheckmarkWhite';
-// import { FormInput } from '../../../../../shared/defguard-ui/components/Form/FormInput/FormInput';
+import { FormInput } from '../../../../../shared/defguard-ui/components/Form/FormInput/FormInput';
 import { Button } from '../../../../../shared/defguard-ui/components/Layout/Button/Button';
 import {
   ButtonSize,
   ButtonStyleVariant,
 } from '../../../../../shared/defguard-ui/components/Layout/Button/types';
-import useApi from '../../../../../shared/hooks/useApi';
-// import { useToaster } from '../../../../../shared/hooks/useToaster';
-import { QueryKeys } from '../../../../../shared/queries';
-// import { useSettingsPage } from '../../../hooks/useSettingsPage';
-import { ProviderDetails } from './ProviderDetails';
-import { FormInput } from '../../../../../shared/defguard-ui/components/Form/FormInput/FormInput';
-import { zodResolver } from '@hookform/resolvers/zod';
-import { useCallback, useEffect, useMemo, useRef, useState } from 'react';
-import { useSettingsPage } from '../../../hooks/useSettingsPage';
-import { SubmitHandler, useForm } from 'react-hook-form';
-import { useToaster } from '../../../../../shared/hooks/useToaster';
-import { OpenIdProvider, SettingsOpenID } from '../../../../../shared/types';
-import { z } from 'zod';
 import { Select } from '../../../../../shared/defguard-ui/components/Layout/Select/Select';
 import {
+  SelectOption,
   SelectSelectedValue,
   SelectSizeVariant,
 } from '../../../../../shared/defguard-ui/components/Layout/Select/types';
+import useApi from '../../../../../shared/hooks/useApi';
+import { useToaster } from '../../../../../shared/hooks/useToaster';
+import { QueryKeys } from '../../../../../shared/queries';
+import { OpenIdProvider } from '../../../../../shared/types';
 
-type FormFields = SettingsOpenID;
+type FormFields = OpenIdProvider;
 
 export const OpenIdSettingsForm = () => {
   const { LL } = useI18nContext();
   const localLL = LL.settingsPage.openIdSettings;
-  const submitRef = useRef<HTMLInputElement | null>(null);
-  // const settings = useSettingsPage((state) => state.settings);
-  // const setSettings = useSettingsPage((state) => state.setState);
   const [currentProvider, setCurrentProvider] = useState<OpenIdProvider | null>(null);
-
-  const {
-    settings: { patchSettings },
-  } = useApi();
-
   const queryClient = useQueryClient();
 
   const {
-    settings: {
-      fetchOpenIdProviders,
-      addOpenIdProvider,
-      deleteOpenIdProvider,
-      editOpenIdProvider,
-    },
+    settings: { fetchOpenIdProviders, addOpenIdProvider },
   } = useApi();
-  const { data: providers, isLoading } = useQuery({
+  const { data: provider, isLoading } = useQuery({
     queryFn: fetchOpenIdProviders,
     queryKey: [QueryKeys.FETCH_OPENID_PROVIDERS],
     refetchOnMount: true,
@@ -66,28 +46,28 @@ export const OpenIdSettingsForm = () => {
   const toaster = useToaster();
 
   const { mutate } = useMutation({
-    mutationFn: currentProvider ? editOpenIdProvider : addOpenIdProvider,
+    mutationFn: addOpenIdProvider,
     onSuccess: () => {
       queryClient.invalidateQueries([QueryKeys.FETCH_OPENID_PROVIDERS]);
       toaster.success(LL.settingsPage.messages.editSuccess());
     },
-    // TODO(aleksander): HANDLE ERROR
     onError: (error) => {
-      toaster.error(error.message);
+      toaster.error(LL.messages.error());
+      console.error(error);
     },
   });
 
   useEffect(() => {
-    if (providers && providers.length > 0) {
-      setCurrentProvider(providers[0]);
+    if (provider) {
+      setCurrentProvider(provider);
     }
-  }, [providers]);
+  }, [provider]);
 
   const schema = useMemo(
     () =>
       z.object({
         name: z.string().min(1, LL.form.error.required()),
-        provider_url: z
+        base_url: z
           .string()
           .url(LL.form.error.invalid())
           .min(1, LL.form.error.required()),
@@ -99,8 +79,9 @@ export const OpenIdSettingsForm = () => {
 
   const defaultValues = useMemo(
     (): FormFields => ({
+      id: currentProvider?.id ?? 0,
       name: currentProvider?.name ?? '',
-      provider_url: currentProvider?.provider_url ?? '',
+      base_url: currentProvider?.base_url ?? '',
       client_id: currentProvider?.client_id ?? '',
       client_secret: currentProvider?.client_secret ?? '',
     }),
@@ -113,27 +94,31 @@ export const OpenIdSettingsForm = () => {
     mode: 'all',
   });
 
+  // Make sure the form is refresh
   useEffect(() => {
     reset(defaultValues);
-  }, [defaultValues]);
-
-  console.log(currentProvider);
+  }, [defaultValues, reset]);
 
   const handleValidSubmit: SubmitHandler<FormFields> = (data) => {
     mutate(data);
   };
 
-  const options = useMemo(
+  const options: SelectOption<string>[] = useMemo(
     () => [
       {
-        key: 1,
-        value: 'https://accounts.google.com',
+        value: 'Google',
         label: 'Google',
+        key: 1,
       },
       {
-        key: 2,
-        value: 'https://accounts.google2.com',
+        value: 'Microsoft',
         label: 'Microsoft',
+        key: 2,
+      },
+      {
+        value: 'Custom',
+        label: 'Custom',
+        key: 3,
       },
     ],
     [],
@@ -153,50 +138,43 @@ export const OpenIdSettingsForm = () => {
     [options],
   );
 
-  const handleChange = async (val: string) => {
-    if (!isLoading && currentProvider) {
-      const newProvider: OpenIdProvider = {
-        id: currentProvider.id,
-        name: options.find((o) => o.value === val)?.label ?? '',
-        provider_url: val,
-        client_id: currentProvider.client_id,
-        client_secret: currentProvider.client_secret,
-      };
-      setCurrentProvider(newProvider);
+  const getProviderUrl = useCallback(({ name }: { name: string }): string | null => {
+    switch (name) {
+      case 'Google':
+        return 'https://accounts.google.com';
+      case 'Microsoft':
+        return `https://login.microsoftonline.com/<TENANT_ID>/v2.0`;
+      default:
+        return null;
     }
+  }, []);
+
+  const handleChange = async (val: string) => {
+    console.log(currentProvider?.base_url);
+    setCurrentProvider({
+      id: currentProvider?.id ?? 0,
+      name: val,
+      base_url: getProviderUrl({ name: val }) ?? '',
+      client_id: currentProvider?.client_id ?? '',
+      client_secret: currentProvider?.client_secret ?? '',
+    });
   };
 
   return (
     <section id="openid-settings">
       <header>
         <h2>{localLL.title()}</h2>
-      </header>
-      <form id="openid-settings-form" onSubmit={handleSubmit(handleValidSubmit)}>
-        {/* TODO(aleksander): Make a select here */}
-        <FormInput
-          controller={{ control, name: 'name' }}
-          label={localLL.form.labels.name()}
-        />
-        <FormInput
-          controller={{ control, name: 'provider_url' }}
-          label={localLL.form.labels.provider_url()}
-        />
-        {/* <Select
-        sizeVariant={SelectSizeVariant.SMALL}
-        selected={settings?.enrollment_vpn_step_optional}
-        options={vpnOptionalityOptions}
-        renderSelected={renderSelectedVpn}
-        onChangeSingle={(res) => handleChange(res)}
-        loading={isLoading || isUndefined(settings)}
-      /> */}
-        <Select
-          sizeVariant={SelectSizeVariant.SMALL}
-          selected={currentProvider?.provider_url}
-          options={options}
-          renderSelected={renderSelected}
-          onChangeSingle={(res) => handleChange(res)}
+        <Button
+          size={ButtonSize.SMALL}
+          styleVariant={ButtonStyleVariant.SAVE}
+          text={LL.common.controls.saveChanges()}
+          type="submit"
           loading={isLoading}
+          form="openid-settings-form"
+          icon={<IconCheckmarkWhite />}
         />
+      </header>
+      <form id="openid-settings-form" onSubmit={handleSubmit(handleValidSubmit)}>
         <FormInput
           controller={{ control, name: 'client_id' }}
           label={localLL.form.labels.client_id()}
@@ -206,16 +184,20 @@ export const OpenIdSettingsForm = () => {
           label={localLL.form.labels.client_secret()}
           type="password"
         />
-        <input type="submit" aria-hidden="true" className="hidden" ref={submitRef} />
-        <Button
-          size={ButtonSize.SMALL}
-          styleVariant={ButtonStyleVariant.SAVE}
-          text={LL.common.controls.saveChanges()}
-          type="submit"
-          loading={isLoading}
-          icon={<IconCheckmarkWhite />}
-          onClick={() => submitRef.current?.click()}
+        <Select
+          sizeVariant={SelectSizeVariant.STANDARD}
+          selected={currentProvider?.name ?? undefined}
+          options={options}
+          renderSelected={renderSelected}
+          onChangeSingle={(res) => handleChange(res)}
+          label={localLL.form.labels.provider()}
         />
+        {currentProvider?.name !== 'Google' && (
+          <FormInput
+            controller={{ control, name: 'base_url' }}
+            label={localLL.form.labels.base_url()}
+          />
+        )}
       </form>
     </section>
   );
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/ProviderDetails.tsx b/web/src/pages/settings/components/OpenIdSettings/components/ProviderDetails.tsx
deleted file mode 100644
index 3885671269..0000000000
--- a/web/src/pages/settings/components/OpenIdSettings/components/ProviderDetails.tsx
+++ /dev/null
@@ -1,218 +0,0 @@
-// import './style.scss';
-
-// import classNames from 'classnames';
-// import dayjs from 'dayjs';
-// import utc from 'dayjs/plugin/utc';
-// import { TargetAndTransition } from 'framer-motion';
-// import { isUndefined, orderBy } from 'lodash-es';
-// import { useMemo, useState } from 'react';
-
-import { useMemo, useState } from 'react';
-import { useI18nContext } from '../../../../../i18n/i18n-react';
-import SvgIconUserList from '../../../../../shared/components/svg/IconUserList';
-import SvgIconUserListExpanded from '../../../../../shared/components/svg/IconUserListExpanded';
-import { Button } from '../../../../../shared/defguard-ui/components/Layout/Button/Button';
-import { ButtonStyleVariant } from '../../../../../shared/defguard-ui/components/Layout/Button/types';
-// import IconClip from '../../../../../shared/components/svg/IconClip';
-// import SvgIconCollapse from '../../../../../shared/components/svg/IconCollapse';
-// import SvgIconExpand from '../../../../../shared/components/svg/IconExpand';
-// import { ColorsRGB } from '../../../../../shared/constants';
-// import { Badge } from '../../../../../shared/defguard-ui/components/Layout/Badge/Badge';
-import { Card } from '../../../../../shared/defguard-ui/components/Layout/Card/Card';
-import { EditButton } from '../../../../../shared/defguard-ui/components/Layout/EditButton/EditButton';
-import { EditButtonOption } from '../../../../../shared/defguard-ui/components/Layout/EditButton/EditButtonOption';
-import { EditButtonOptionStyleVariant } from '../../../../../shared/defguard-ui/components/Layout/EditButton/types';
-// import { DeviceAvatar } from '../../../../../shared/defguard-ui/components/Layout/DeviceAvatar/DeviceAvatar';
-// import { EditButton } from '../../../../../shared/defguard-ui/components/Layout/EditButton/EditButton';
-// import { EditButtonOption } from '../../../../../shared/defguard-ui/components/Layout/EditButton/EditButtonOption';
-// import { EditButtonOptionStyleVariant } from '../../../../../shared/defguard-ui/components/Layout/EditButton/types';
-import { Label } from '../../../../../shared/defguard-ui/components/Layout/Label/Label';
-// import { NoData } from '../../../../../shared/defguard-ui/components/Layout/NoData/NoData';
-// import { useUserProfileStore } from '../../../../../shared/hooks/store/useUserProfileStore';
-import { OpenIdProvider } from '../../../../../shared/types';
-// import { sortByDate } from '../../../../../shared/utils/sortByDate';
-// import { useDeleteDeviceModal } from '../hooks/useDeleteDeviceModal';
-// import { useDeviceConfigModal } from '../hooks/useDeviceConfigModal';
-// import { useEditDeviceModal } from '../hooks/useEditDeviceModal';
-import { motion, TargetAndTransition } from 'framer-motion';
-import SvgIconCollapse from '../../../../../shared/components/svg/IconCollapse';
-import SvgIconExpand from '../../../../../shared/components/svg/IconExpand';
-import useApi from '../../../../../shared/hooks/useApi';
-// dayjs.extend(utc);
-
-// const dateFormat = 'DD.MM.YYYY | HH:mm';
-
-// const formatDate = (date: string): string => {
-//   return dayjs.utc(date).format(dateFormat);
-// };
-
-interface Props {
-  provider: OpenIdProvider;
-}
-
-type ExpandButtonProps = {
-  expanded: boolean;
-  onExpand: () => void;
-};
-
-const ExpandButton = ({ expanded, onExpand }: ExpandButtonProps) => {
-  return (
-    <Button
-      styleVariant={ButtonStyleVariant.ICON}
-      onClick={() => onExpand()}
-      icon={expanded ? <SvgIconCollapse /> : <SvgIconExpand />}
-    ></Button>
-  );
-};
-
-export const ProviderDetails = ({ provider }: Props) => {
-  // const [hovered, setHovered] = useState(false);
-  const { LL } = useI18nContext();
-  // const setDeleteDeviceModal = useDeleteDeviceModal((state) => state.setState);
-  // const setEditDeviceModal = useEditDeviceModal((state) => state.setState);
-  // const openDeviceConfigModal = useDeviceConfigModal((state) => state.open);
-  const [expanded, setExpanded] = useState(false);
-
-  const getClassName = useMemo(() => {
-    const res = ['user-connection-list-item'];
-    if (expanded) {
-      res.push('expanded');
-    }
-    return res.join(' ');
-  }, [expanded]);
-
-  const {
-    settings: { deleteOpenIdProvider },
-  } = useApi();
-
-  // const schema = useMemo(
-  //   () =>
-  //     z.object({
-  //       name: z.string().min(1, LL.form.error.required()),
-  //       document_url: z
-  //         .string()
-  //         .url(LL.form.error.invalid())
-  //         .min(1, LL.form.error.required()),
-  //     }),
-  //   [LL.form.error],
-  // );
-
-  // const getContainerAnimate = useMemo((): TargetAndTransition => {
-  //   const res: TargetAndTransition = {
-  //     borderColor: ColorsRGB.White,
-  //   };
-  //   if (expanded || hovered) {
-  //     res.borderColor = ColorsRGB.GrayBorder;
-  //   }
-  //   return res;
-  // }, [expanded, hovered]);
-
-  // // first, order by last_connected_at then if not preset, by network_id
-  // const orderedLocations = useMemo((): DeviceNetworkInfo[] => {
-  //   const connected = device.networks.filter(
-  //     (network) => !isUndefined(network.last_connected_at),
-  //   );
-
-  //   const neverConnected = device.networks.filter((network) =>
-  //     isUndefined(network.last_connected_at),
-  //   );
-
-  //   const connectedSorted = sortByDate(
-  //     connected,
-  //     (n) => n.last_connected_at as string,
-  //     true,
-  //   );
-  //   const neverConnectedSorted = orderBy(neverConnected, ['network_id'], ['desc']);
-
-  //   return [...connectedSorted, ...neverConnectedSorted];
-  // }, [device.networks]);
-
-  // const latestLocation = orderedLocations.length ? orderedLocations[0] : undefined;
-
-  // if (!user) return null;
-
-  return (
-    <Card
-      // className={cn}
-      initial={false}
-      // animate={getContainerAnimate}
-      // onMouseOver={() => setHovered(true)}
-      // onMouseOut={() => setHovered(false)}
-    >
-      <section className="main-info">
-        <header>
-          <h3 data-testid="provider-name">{provider.name}</h3>
-        </header>
-        <div className="section-content"></div>
-        <div className={getClassName}>
-          <Button className="btn variant-confirm" text="Delete provider"></Button>
-          <ExpandButton
-            expanded={expanded}
-            onExpand={() => setExpanded((state) => !state)}
-          />
-          {expanded && (
-            <div>
-              <div>
-                <Label>{LL.settingsPage.openIdSettings.form.labels.provider_url()}</Label>
-                <p data-testid="device-last-connected-from">{provider.provider_url}</p>
-              </div>
-              <div>
-                <Label>{LL.settingsPage.openIdSettings.form.labels.client_id()}</Label>
-                <p data-testid="device-last-connected-from">{provider.client_id}</p>
-              </div>
-              <div>
-                <Label>
-                  {LL.settingsPage.openIdSettings.form.labels.client_secret()}
-                </Label>
-                <p data-testid="device-last-connected-from">{provider.client_secret}</p>
-              </div>
-            </div>
-          )}
-        </div>
-      </section>
-      {/* <div className="card-controls">
-        <EditButton visible={true}>
-          <EditButtonOption
-            text={LL.userPage.devices.card.edit.edit()}
-            onClick={() => {
-              // setEditDeviceModal({
-              //   visible: true,
-              //   device: device,
-              // });
-            }}
-          />
-          <EditButtonOption
-            styleVariant={EditButtonOptionStyleVariant.STANDARD}
-            text={LL.userPage.devices.card.edit.showConfigurations()}
-            // disabled={!device.networks?.length}
-            onClick={() => {
-              // openDeviceConfigModal({
-              //   deviceName: device.name,
-              //   publicKey: device.wireguard_pubkey,
-              //   deviceId: device.id,
-              //   userId: user.user.id,
-              //   networks: device.networks.map((n) => ({
-              //     networkId: n.network_id,
-              //     networkName: n.network_name,
-              //   })),
-              // });
-            }}
-          />
-          <EditButtonOption
-            styleVariant={EditButtonOptionStyleVariant.WARNING}
-            text={LL.userPage.devices.card.edit.delete()}
-            onClick={
-              () => {}
-              // setDeleteDeviceModal({
-              //   visible: true,
-              //   device: device,
-              // })
-            }
-          />
-        </EditButton>
-
-        
-      </div> */}
-    </Card>
-  );
-};
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/style.scss b/web/src/pages/settings/components/OpenIdSettings/components/style.scss
new file mode 100644
index 0000000000..d0c0181827
--- /dev/null
+++ b/web/src/pages/settings/components/OpenIdSettings/components/style.scss
@@ -0,0 +1,22 @@
+@use '@scssutils' as *;
+
+#openid-settings {
+  & > header {
+    & > .btn {
+      margin-left: auto;
+    }
+  }
+  form {
+    width: 100%;
+    display: flex;
+    flex-flow: column;
+    row-gap: 5px;
+
+    & > * {
+      width: 100%;
+    }
+  }
+  .select {
+    padding-bottom: 25px;
+  }
+}
diff --git a/web/src/shared/hooks/useApi.tsx b/web/src/shared/hooks/useApi.tsx
index bacdabbb15..723b6a4c98 100644
--- a/web/src/shared/hooks/useApi.tsx
+++ b/web/src/shared/hooks/useApi.tsx
@@ -153,6 +153,9 @@ const useApi = (props?: HookProps): ApiHook => {
 
   const logout = () => client.post<EmptyApiResponse>('/auth/logout').then(unpackRequest);
 
+  const getOpenidInfo: ApiHook['auth']['openid']['getOpenidInfo'] = () =>
+    client.get(`/openid/auth_info`).then(unpackRequest);
+
   const usernameAvailable = (username: string) =>
     client.post('/user/available', { username });
 
@@ -436,8 +439,8 @@ const useApi = (props?: HookProps): ApiHook => {
   const addUsersToGroups: ApiHook['groups']['addUsersToGroups'] = (data) =>
     client.post('/groups-assign', data).then(unpackRequest);
 
-  const fetchOpenIdProviders: ApiHook['settings']['fetchOpenIdProviders'] = async () =>
-    client.get<OpenIdProvider[]>(`/openid/provider`).then((res) => res.data);
+  const fetchOpenIdProvider: ApiHook['settings']['fetchOpenIdProviders'] = async () =>
+    client.get<OpenIdProvider>(`/openid/provider`).then((res) => res.data);
 
   const addOpenIdProvider: ApiHook['settings']['addOpenIdProvider'] = async (data) =>
     client.post(`/openid/provider`, data).then(unpackRequest);
@@ -539,6 +542,9 @@ const useApi = (props?: HookProps): ApiHook => {
     auth: {
       login,
       logout,
+      openid: {
+        getOpenidInfo,
+      },
       mfa: {
         disable: mfaDisable,
         enable: mfaEnable,
@@ -606,7 +612,7 @@ const useApi = (props?: HookProps): ApiHook => {
       patchSettings,
       getEssentialSettings,
       testLdapSettings,
-      fetchOpenIdProviders,
+      fetchOpenIdProviders: fetchOpenIdProvider,
       addOpenIdProvider,
       deleteOpenIdProvider,
       editOpenIdProvider,
diff --git a/web/src/shared/types.ts b/web/src/shared/types.ts
index 6044d7df2a..5082a5944f 100644
--- a/web/src/shared/types.ts
+++ b/web/src/shared/types.ts
@@ -307,6 +307,12 @@ export interface LoginResponse {
   mfa?: MFALoginResponse;
 }
 
+export interface OpenidInfoResponse {
+  url: string;
+  nonce: string;
+  csrf: string;
+}
+
 export interface DeleteWebAuthNKeyRequest {
   username: User['username'];
   keyId: SecurityKey['id'];
@@ -500,6 +506,9 @@ export interface ApiHook {
   auth: {
     login: (data: LoginData) => Promise<LoginResponse>;
     logout: () => EmptyApiResponse;
+    openid: {
+      getOpenidInfo: () => Promise<OpenidInfoResponse>;
+    };
     mfa: {
       disable: () => EmptyApiResponse;
       enable: () => EmptyApiResponse;
@@ -569,7 +578,7 @@ export interface ApiHook {
     patchSettings: (data: Partial<Settings>) => EmptyApiResponse;
     getEssentialSettings: () => Promise<SettingsEssentials>;
     testLdapSettings: () => Promise<EmptyApiResponse>;
-    fetchOpenIdProviders: () => Promise<OpenIdProvider[]>;
+    fetchOpenIdProviders: () => Promise<OpenIdProvider>;
     addOpenIdProvider: (data: OpenIdProvider) => Promise<EmptyApiResponse>;
     deleteOpenIdProvider: (id: string) => Promise<EmptyApiResponse>;
     editOpenIdProvider: (data: OpenIdProvider) => Promise<EmptyApiResponse>;
@@ -846,7 +855,7 @@ export type SettingsWeb3 = {
 
 export type SettingsOpenID = {
   name: string;
-  provider_url: string;
+  base_url: string;
   client_id: string;
   client_secret: string;
 };
@@ -874,9 +883,9 @@ export interface OpenidClient {
 }
 
 export interface OpenIdProvider {
-  id: string;
+  id: number;
   name: string;
-  provider_url: string;
+  base_url: string;
   client_id: string;
   client_secret: string;
 }

From 37a9ed8e238f6e9d1b3b8a32c8da8348948aa5d0 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 15 Jul 2024 13:31:13 +0200
Subject: [PATCH 10/73] openid buttons and polishing

---
 ...4a6ef98659ae7ddf3a68c059886f0b9c2bfa.json} |  10 +-
 ...72929d6a612846acf4a5489c36a04cb57de59.json |  22 --
 ...ab52c14293fa64d260db812c89ed43a5a7cc8.json |  15 -
 ...ca984604c70823b13390169a5da57086df1a.json} |  10 +-
 ...8a644fcfc0bbb3ebf17f1f2410e24c3a2316.json} |  10 +-
 ...28e05088fe14b53d1b54105aa0d8f50c5d9c.json} |  10 +-
 ...43bdbf791077e0c081b16e3d1c2d5b3cc074b.json |  44 +++
 ...4e61bf3fdef17222de87443fa9428ea2e30b.json} |  20 +-
 ...22eae2b8fa401b802a07196f5541fa96524eb.json |  46 +++
 ...fca6caf4a42bb9ad01d6f44db41a572abce95.json |  18 ++
 ...0d8f76bf8c7b2e3e11de5590e67c2898fe28.json} |  10 +-
 ...db4217a168edb014ce3bd9fd092b21553cdc5.json |  14 +
 ...2f107c53f264016865af4379196f5e72acd4c.json |  44 +++
 ...742916968a18854c2f6d9d8004742b9afd54.json} |   5 +-
 ...4627ef6f053bcb59d81e41dd1cf1bd199b543.json |  18 ++
 ...4205b64526e89acd2fefd74d221b3c3ea620.json} |  10 +-
 ...24de34b7c3ca8bd5e48ed9f313d20cbe8f8e4.json |  25 ++
 ...d92ba54c1a84d7083d47a684a3b1d5ad206f.json} |   5 +-
 ...0acc741c16c3efdd7a92475a419e9e30db4c.json} |  12 +-
 ...d4e20c54f7bb6f612156de08f5ba26bd0b7df.json |  46 +++
 ...862607a138b42416ccb2dabfb2ea953b482f.json} |   7 +-
 ...7e189c90b658aa343fc682b05be24f410b85.json} |  12 +-
 ...6211c645f786602e89561f03a5a60661d191.json} |  20 +-
 ...4fa0ccc6a7e26874afecc62b00de993a12aa.json} |   7 +-
 .../20240710100027_make_emails_unique.up.sql  |   8 +-
 ...0240715095940_add_oidc_login_flag.down.sql |   1 +
 .../20240715095940_add_oidc_login_flag.up.sql |   1 +
 ...5_add_oidc_create_account_setting.down.sql |   1 +
 ...955_add_oidc_create_account_setting.up.sql |   1 +
 src/db/models/group.rs                        |   2 +-
 src/db/models/mod.rs                          |   2 +-
 src/db/models/settings.rs                     |   2 +
 src/db/models/user.rs                         |  13 +-
 src/enterprise/db/models/openid_provider.rs   |  29 +-
 src/enterprise/handlers/openid_login.rs       | 262 ++++++------------
 src/enterprise/handlers/openid_providers.rs   |   1 +
 src/grpc/enrollment.rs                        |   2 +-
 src/handlers/group.rs                         |   2 +-
 web/src/components/AppLoader.tsx              |  19 +-
 web/src/i18n/en/index.ts                      |   6 +-
 web/src/i18n/i18n-types.ts                    |  28 +-
 web/src/i18n/pl/index.ts                      |   6 +-
 web/src/pages/auth/Login/Login.tsx            |  29 +-
 .../auth/Login/components/OidcButtons.tsx     | 182 ++++++++++++
 .../pages/auth/Login/components/style.scss    | 110 ++++++++
 web/src/pages/auth/Login/style.scss           |   4 +
 .../OpenIdSettings/OpenIdSettings.tsx         |  12 +-
 .../components/OpenIdGeneralSettings.tsx      |  55 ++++
 .../components/OpenIdSettingsForm.tsx         |  39 +--
 web/src/shared/hooks/store/useAuthStore.ts    |   4 +-
 web/src/shared/hooks/useApi.tsx               |   4 +-
 web/src/shared/queries.ts                     |   1 +
 web/src/shared/types.ts                       |   9 +-
 53 files changed, 917 insertions(+), 358 deletions(-)
 rename .sqlx/{query-fd950a860fe104136816e1605ed080d70a714e7a02f15e8a1d7b165814cf85d1.json => query-0572e003ba6f926f1dcceecb1e534a6ef98659ae7ddf3a68c059886f0b9c2bfa.json} (85%)
 delete mode 100644 .sqlx/query-0ad599ef120ecc02b030bd1276172929d6a612846acf4a5489c36a04cb57de59.json
 delete mode 100644 .sqlx/query-1bb3c8ecbd6500717d639678e08ab52c14293fa64d260db812c89ed43a5a7cc8.json
 rename .sqlx/{query-6fc45edc38cf3f590daec8f930a4117ae77dd226c42ee175544f0ba5eccb315d.json => query-230fe22c6c9907c9ebab1dab9ef5ca984604c70823b13390169a5da57086df1a.json} (89%)
 rename .sqlx/{query-e253723a52a1632fd190ad5404cc0a6dfaf336b5416dafb8d634b521d3dce8d3.json => query-246af063a89129453ca514f8f32f8a644fcfc0bbb3ebf17f1f2410e24c3a2316.json} (83%)
 rename .sqlx/{query-52c659862cef5cd45bbe7bdc58cf70c93c46740cc778825583e060cdee73a212.json => query-2f420621d8767a0014924246904b28e05088fe14b53d1b54105aa0d8f50c5d9c.json} (86%)
 create mode 100644 .sqlx/query-40464c39168b11d05247d01336343bdbf791077e0c081b16e3d1c2d5b3cc074b.json
 rename .sqlx/{query-43ac4b3a375a4756d77b015c0bb871f6ccc4f5ecc7ec32f0b3a9f64398f3686e.json => query-42fbc74f13a7febfbf6bda66cd024e61bf3fdef17222de87443fa9428ea2e30b.json} (85%)
 create mode 100644 .sqlx/query-61f006defe9db54d750f92c978522eae2b8fa401b802a07196f5541fa96524eb.json
 create mode 100644 .sqlx/query-6ae26abc026e5fe59e8505b2563fca6caf4a42bb9ad01d6f44db41a572abce95.json
 rename .sqlx/{query-1b29a6b1d3741ede2d85271f0f0e07069048ba01f8c3c5988f044e788200f9f8.json => query-6e3362d9973d75894d3bd289e7d10d8f76bf8c7b2e3e11de5590e67c2898fe28.json} (89%)
 create mode 100644 .sqlx/query-7cf5b6245bab3bdf58bce20a791db4217a168edb014ce3bd9fd092b21553cdc5.json
 create mode 100644 .sqlx/query-87ac2de4f3fc7801f3b9dcf51992f107c53f264016865af4379196f5e72acd4c.json
 rename .sqlx/{query-c9773715f70d267a2bc1e23b86d06c9dd358479e5791b672369d3c0496d51269.json => query-935d9b9ad81c18d764b54ea4fc1d742916968a18854c2f6d9d8004742b9afd54.json} (74%)
 create mode 100644 .sqlx/query-a0700f9701a61fc64af20165feb4627ef6f053bcb59d81e41dd1cf1bd199b543.json
 rename .sqlx/{query-f5ed6899054f1915882741843733fc196d59c356d69c0d06e9782cb1bc73e6f3.json => query-a3d548764fe912cc9009618d41504205b64526e89acd2fefd74d221b3c3ea620.json} (89%)
 create mode 100644 .sqlx/query-a6fe220739875c6894e1a678d4c24de34b7c3ca8bd5e48ed9f313d20cbe8f8e4.json
 rename .sqlx/{query-3063672b53bf0bada26d6d1b0adbebfbeb42e6a4949a10b2f23ea4d968aeb736.json => query-a7194f2160706f9d661d0d270aaad92ba54c1a84d7083d47a684a3b1d5ad206f.json} (70%)
 rename .sqlx/{query-e1875cb32cf6f270541b27319cb472abd8f6ed0dccc77a2ba0908dd487975ef5.json => query-a9d694c5efe301ef975e1b6fc0ca0acc741c16c3efdd7a92475a419e9e30db4c.json} (94%)
 create mode 100644 .sqlx/query-b12208760e0fc61c766c7c2d037d4e20c54f7bb6f612156de08f5ba26bd0b7df.json
 rename .sqlx/{query-8bd853a756c53e3f6bf0ae002c46709a7bb35324df203ce9918d67905d59cdc8.json => query-e769bdd845a133b817d33627fd43862607a138b42416ccb2dabfb2ea953b482f.json} (91%)
 rename .sqlx/{query-e181b36a398dc70efd14bb7dc52138a17a5ec4c3210d5960149684e77ae88726.json => query-fb71770a725becd8d8f53554ded17e189c90b658aa343fc682b05be24f410b85.json} (93%)
 rename .sqlx/{query-2b9b3aa210fa00d43bece1acbd3ae490fea37010d98f3eff2ba15f50e8a6d7a9.json => query-fd4750032e0fcd91f0f8fad9aa946211c645f786602e89561f03a5a60661d191.json} (84%)
 rename .sqlx/{query-7ce8c80bce6f2ed44b7abaa53e65f6ff40beeeabdd4d88a393dd9986ab59934b.json => query-fdb364b8984eff1c2ca14153eaf44fa0ccc6a7e26874afecc62b00de993a12aa.json} (84%)
 create mode 100644 migrations/20240715095940_add_oidc_login_flag.down.sql
 create mode 100644 migrations/20240715095940_add_oidc_login_flag.up.sql
 create mode 100644 migrations/20240715095955_add_oidc_create_account_setting.down.sql
 create mode 100644 migrations/20240715095955_add_oidc_create_account_setting.up.sql
 create mode 100644 web/src/pages/auth/Login/components/OidcButtons.tsx
 create mode 100644 web/src/pages/auth/Login/components/style.scss
 create mode 100644 web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx

diff --git a/.sqlx/query-fd950a860fe104136816e1605ed080d70a714e7a02f15e8a1d7b165814cf85d1.json b/.sqlx/query-0572e003ba6f926f1dcceecb1e534a6ef98659ae7ddf3a68c059886f0b9c2bfa.json
similarity index 85%
rename from .sqlx/query-fd950a860fe104136816e1605ed080d70a714e7a02f15e8a1d7b165814cf85d1.json
rename to .sqlx/query-0572e003ba6f926f1dcceecb1e534a6ef98659ae7ddf3a68c059886f0b9c2bfa.json
index 07b07f5449..52e7998636 100644
--- a/.sqlx/query-fd950a860fe104136816e1605ed080d70a714e7a02f15e8a1d7b165814cf85d1.json
+++ b/.sqlx/query-0572e003ba6f926f1dcceecb1e534a6ef98659ae7ddf3a68c059886f0b9c2bfa.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id, mfa_enabled, totp_enabled, email_mfa_enabled, mfa_method as \"mfa_method: MFAMethod\", password_hash, is_active FROM \"user\"",
+  "query": "SELECT id, mfa_enabled, totp_enabled, email_mfa_enabled, mfa_method as \"mfa_method: MFAMethod\", password_hash, is_active, openid_login FROM \"user\"",
   "describe": {
     "columns": [
       {
@@ -50,6 +50,11 @@
         "ordinal": 6,
         "name": "is_active",
         "type_info": "Bool"
+      },
+      {
+        "ordinal": 7,
+        "name": "openid_login",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -62,8 +67,9 @@
       false,
       false,
       true,
+      false,
       false
     ]
   },
-  "hash": "fd950a860fe104136816e1605ed080d70a714e7a02f15e8a1d7b165814cf85d1"
+  "hash": "0572e003ba6f926f1dcceecb1e534a6ef98659ae7ddf3a68c059886f0b9c2bfa"
 }
diff --git a/.sqlx/query-0ad599ef120ecc02b030bd1276172929d6a612846acf4a5489c36a04cb57de59.json b/.sqlx/query-0ad599ef120ecc02b030bd1276172929d6a612846acf4a5489c36a04cb57de59.json
deleted file mode 100644
index ce67e42930..0000000000
--- a/.sqlx/query-0ad599ef120ecc02b030bd1276172929d6a612846acf4a5489c36a04cb57de59.json
+++ /dev/null
@@ -1,22 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "SELECT recovery_codes FROM \"user\" WHERE id = $1",
-  "describe": {
-    "columns": [
-      {
-        "ordinal": 0,
-        "name": "recovery_codes",
-        "type_info": "TextArray"
-      }
-    ],
-    "parameters": {
-      "Left": [
-        "Int8"
-      ]
-    },
-    "nullable": [
-      false
-    ]
-  },
-  "hash": "0ad599ef120ecc02b030bd1276172929d6a612846acf4a5489c36a04cb57de59"
-}
diff --git a/.sqlx/query-1bb3c8ecbd6500717d639678e08ab52c14293fa64d260db812c89ed43a5a7cc8.json b/.sqlx/query-1bb3c8ecbd6500717d639678e08ab52c14293fa64d260db812c89ed43a5a7cc8.json
deleted file mode 100644
index 8d314a5faa..0000000000
--- a/.sqlx/query-1bb3c8ecbd6500717d639678e08ab52c14293fa64d260db812c89ed43a5a7cc8.json
+++ /dev/null
@@ -1,15 +0,0 @@
-{
-  "db_name": "PostgreSQL",
-  "query": "UPDATE session SET expires = $1 WHERE id = $2",
-  "describe": {
-    "columns": [],
-    "parameters": {
-      "Left": [
-        "Timestamp",
-        "Text"
-      ]
-    },
-    "nullable": []
-  },
-  "hash": "1bb3c8ecbd6500717d639678e08ab52c14293fa64d260db812c89ed43a5a7cc8"
-}
diff --git a/.sqlx/query-6fc45edc38cf3f590daec8f930a4117ae77dd226c42ee175544f0ba5eccb315d.json b/.sqlx/query-230fe22c6c9907c9ebab1dab9ef5ca984604c70823b13390169a5da57086df1a.json
similarity index 89%
rename from .sqlx/query-6fc45edc38cf3f590daec8f930a4117ae77dd226c42ee175544f0ba5eccb315d.json
rename to .sqlx/query-230fe22c6c9907c9ebab1dab9ef5ca984604c70823b13390169a5da57086df1a.json
index 256dd6ac1c..3ffbde7ccd 100644
--- a/.sqlx/query-6fc45edc38cf3f590daec8f930a4117ae77dd226c42ee175544f0ba5eccb315d.json
+++ b/.sqlx/query-230fe22c6c9907c9ebab1dab9ef5ca984604c70823b13390169a5da57086df1a.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id \"id?\", username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active FROM \"user\" WHERE email = $1",
+  "query": "SELECT id \"id?\", username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login FROM \"user\" WHERE email = $1",
   "describe": {
     "columns": [
       {
@@ -90,6 +90,11 @@
         "ordinal": 14,
         "name": "is_active",
         "type_info": "Bool"
+      },
+      {
+        "ordinal": 15,
+        "name": "openid_login",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -112,8 +117,9 @@
       true,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "6fc45edc38cf3f590daec8f930a4117ae77dd226c42ee175544f0ba5eccb315d"
+  "hash": "230fe22c6c9907c9ebab1dab9ef5ca984604c70823b13390169a5da57086df1a"
 }
diff --git a/.sqlx/query-e253723a52a1632fd190ad5404cc0a6dfaf336b5416dafb8d634b521d3dce8d3.json b/.sqlx/query-246af063a89129453ca514f8f32f8a644fcfc0bbb3ebf17f1f2410e24c3a2316.json
similarity index 83%
rename from .sqlx/query-e253723a52a1632fd190ad5404cc0a6dfaf336b5416dafb8d634b521d3dce8d3.json
rename to .sqlx/query-246af063a89129453ca514f8f32f8a644fcfc0bbb3ebf17f1f2410e24c3a2316.json
index 98488e7959..2a93c87f47 100644
--- a/.sqlx/query-e253723a52a1632fd190ad5404cc0a6dfaf336b5416dafb8d634b521d3dce8d3.json
+++ b/.sqlx/query-246af063a89129453ca514f8f32f8a644fcfc0bbb3ebf17f1f2410e24c3a2316.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT \"user\".id \"id?\", username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active FROM \"user\"\n            INNER JOIN \"group_user\" ON \"user\".id = \"group_user\".user_id\n            INNER JOIN \"group\" ON \"group_user\".group_id = \"group\".id\n            WHERE \"group\".name = $1",
+  "query": "SELECT \"user\".id \"id?\", username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login FROM \"user\"\n            INNER JOIN \"group_user\" ON \"user\".id = \"group_user\".user_id\n            INNER JOIN \"group\" ON \"group_user\".group_id = \"group\".id\n            WHERE \"group\".name = $1",
   "describe": {
     "columns": [
       {
@@ -90,6 +90,11 @@
         "ordinal": 14,
         "name": "is_active",
         "type_info": "Bool"
+      },
+      {
+        "ordinal": 15,
+        "name": "openid_login",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -112,8 +117,9 @@
       true,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "e253723a52a1632fd190ad5404cc0a6dfaf336b5416dafb8d634b521d3dce8d3"
+  "hash": "246af063a89129453ca514f8f32f8a644fcfc0bbb3ebf17f1f2410e24c3a2316"
 }
diff --git a/.sqlx/query-52c659862cef5cd45bbe7bdc58cf70c93c46740cc778825583e060cdee73a212.json b/.sqlx/query-2f420621d8767a0014924246904b28e05088fe14b53d1b54105aa0d8f50c5d9c.json
similarity index 86%
rename from .sqlx/query-52c659862cef5cd45bbe7bdc58cf70c93c46740cc778825583e060cdee73a212.json
rename to .sqlx/query-2f420621d8767a0014924246904b28e05088fe14b53d1b54105aa0d8f50c5d9c.json
index 72a1d6e0f5..a792078586 100644
--- a/.sqlx/query-52c659862cef5cd45bbe7bdc58cf70c93c46740cc778825583e060cdee73a212.json
+++ b/.sqlx/query-2f420621d8767a0014924246904b28e05088fe14b53d1b54105aa0d8f50c5d9c.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT \"user\".id \"id?\", username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active FROM \"user\" JOIN group_user ON \"user\".id = group_user.user_id WHERE group_user.group_id = $1",
+  "query": "SELECT \"user\".id \"id?\", username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login FROM \"user\" JOIN group_user ON \"user\".id = group_user.user_id WHERE group_user.group_id = $1",
   "describe": {
     "columns": [
       {
@@ -90,6 +90,11 @@
         "ordinal": 14,
         "name": "is_active",
         "type_info": "Bool"
+      },
+      {
+        "ordinal": 15,
+        "name": "openid_login",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -112,8 +117,9 @@
       true,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "52c659862cef5cd45bbe7bdc58cf70c93c46740cc778825583e060cdee73a212"
+  "hash": "2f420621d8767a0014924246904b28e05088fe14b53d1b54105aa0d8f50c5d9c"
 }
diff --git a/.sqlx/query-40464c39168b11d05247d01336343bdbf791077e0c081b16e3d1c2d5b3cc074b.json b/.sqlx/query-40464c39168b11d05247d01336343bdbf791077e0c081b16e3d1c2d5b3cc074b.json
new file mode 100644
index 0000000000..6ae98c3f09
--- /dev/null
+++ b/.sqlx/query-40464c39168b11d05247d01336343bdbf791077e0c081b16e3d1c2d5b3cc074b.json
@@ -0,0 +1,44 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT id \"id?\", name, base_url, client_id, client_secret FROM openidprovider",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "id?",
+        "type_info": "Int8"
+      },
+      {
+        "ordinal": 1,
+        "name": "name",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 2,
+        "name": "base_url",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 3,
+        "name": "client_id",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 4,
+        "name": "client_secret",
+        "type_info": "Text"
+      }
+    ],
+    "parameters": {
+      "Left": []
+    },
+    "nullable": [
+      false,
+      false,
+      false,
+      false,
+      false
+    ]
+  },
+  "hash": "40464c39168b11d05247d01336343bdbf791077e0c081b16e3d1c2d5b3cc074b"
+}
diff --git a/.sqlx/query-43ac4b3a375a4756d77b015c0bb871f6ccc4f5ecc7ec32f0b3a9f64398f3686e.json b/.sqlx/query-42fbc74f13a7febfbf6bda66cd024e61bf3fdef17222de87443fa9428ea2e30b.json
similarity index 85%
rename from .sqlx/query-43ac4b3a375a4756d77b015c0bb871f6ccc4f5ecc7ec32f0b3a9f64398f3686e.json
rename to .sqlx/query-42fbc74f13a7febfbf6bda66cd024e61bf3fdef17222de87443fa9428ea2e30b.json
index 0e0a82ef1b..82c8bb185c 100644
--- a/.sqlx/query-43ac4b3a375a4756d77b015c0bb871f6ccc4f5ecc7ec32f0b3a9f64398f3686e.json
+++ b/.sqlx/query-42fbc74f13a7febfbf6bda66cd024e61bf3fdef17222de87443fa9428ea2e30b.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id \"id?\", \"username\",\"password_hash\",\"last_name\",\"first_name\",\"email\",\"phone\",\"mfa_enabled\",\"is_active\",\"totp_enabled\",\"email_mfa_enabled\",\"totp_secret\",\"email_mfa_secret\",\"mfa_method\" \"mfa_method: _\",\"recovery_codes\" \"recovery_codes: _\" FROM \"user\"",
+  "query": "SELECT id \"id?\", \"username\",\"password_hash\",\"last_name\",\"first_name\",\"email\",\"phone\",\"mfa_enabled\",\"is_active\",\"openid_login\",\"totp_enabled\",\"email_mfa_enabled\",\"totp_secret\",\"email_mfa_secret\",\"mfa_method\" \"mfa_method: _\",\"recovery_codes\" \"recovery_codes: _\" FROM \"user\"",
   "describe": {
     "columns": [
       {
@@ -50,26 +50,31 @@
       },
       {
         "ordinal": 9,
-        "name": "totp_enabled",
+        "name": "openid_login",
         "type_info": "Bool"
       },
       {
         "ordinal": 10,
-        "name": "email_mfa_enabled",
+        "name": "totp_enabled",
         "type_info": "Bool"
       },
       {
         "ordinal": 11,
+        "name": "email_mfa_enabled",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 12,
         "name": "totp_secret",
         "type_info": "Bytea"
       },
       {
-        "ordinal": 12,
+        "ordinal": 13,
         "name": "email_mfa_secret",
         "type_info": "Bytea"
       },
       {
-        "ordinal": 13,
+        "ordinal": 14,
         "name": "mfa_method: _",
         "type_info": {
           "Custom": {
@@ -87,7 +92,7 @@
         }
       },
       {
-        "ordinal": 14,
+        "ordinal": 15,
         "name": "recovery_codes: _",
         "type_info": "TextArray"
       }
@@ -107,11 +112,12 @@
       false,
       false,
       false,
+      false,
       true,
       true,
       false,
       false
     ]
   },
-  "hash": "43ac4b3a375a4756d77b015c0bb871f6ccc4f5ecc7ec32f0b3a9f64398f3686e"
+  "hash": "42fbc74f13a7febfbf6bda66cd024e61bf3fdef17222de87443fa9428ea2e30b"
 }
diff --git a/.sqlx/query-61f006defe9db54d750f92c978522eae2b8fa401b802a07196f5541fa96524eb.json b/.sqlx/query-61f006defe9db54d750f92c978522eae2b8fa401b802a07196f5541fa96524eb.json
new file mode 100644
index 0000000000..700ded04cd
--- /dev/null
+++ b/.sqlx/query-61f006defe9db54d750f92c978522eae2b8fa401b802a07196f5541fa96524eb.json
@@ -0,0 +1,46 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT id \"id?\", name, base_url, client_id, client_secret FROM openidprovider WHERE name = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "id?",
+        "type_info": "Int8"
+      },
+      {
+        "ordinal": 1,
+        "name": "name",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 2,
+        "name": "base_url",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 3,
+        "name": "client_id",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 4,
+        "name": "client_secret",
+        "type_info": "Text"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text"
+      ]
+    },
+    "nullable": [
+      false,
+      false,
+      false,
+      false,
+      false
+    ]
+  },
+  "hash": "61f006defe9db54d750f92c978522eae2b8fa401b802a07196f5541fa96524eb"
+}
diff --git a/.sqlx/query-6ae26abc026e5fe59e8505b2563fca6caf4a42bb9ad01d6f44db41a572abce95.json b/.sqlx/query-6ae26abc026e5fe59e8505b2563fca6caf4a42bb9ad01d6f44db41a572abce95.json
new file mode 100644
index 0000000000..cc029dcf7e
--- /dev/null
+++ b/.sqlx/query-6ae26abc026e5fe59e8505b2563fca6caf4a42bb9ad01d6f44db41a572abce95.json
@@ -0,0 +1,18 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "UPDATE \"openidprovider\" SET \"name\" = $2,\"base_url\" = $3,\"client_id\" = $4,\"client_secret\" = $5 WHERE id = $1",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Int8",
+        "Text",
+        "Text",
+        "Text",
+        "Text"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "6ae26abc026e5fe59e8505b2563fca6caf4a42bb9ad01d6f44db41a572abce95"
+}
diff --git a/.sqlx/query-1b29a6b1d3741ede2d85271f0f0e07069048ba01f8c3c5988f044e788200f9f8.json b/.sqlx/query-6e3362d9973d75894d3bd289e7d10d8f76bf8c7b2e3e11de5590e67c2898fe28.json
similarity index 89%
rename from .sqlx/query-1b29a6b1d3741ede2d85271f0f0e07069048ba01f8c3c5988f044e788200f9f8.json
rename to .sqlx/query-6e3362d9973d75894d3bd289e7d10d8f76bf8c7b2e3e11de5590e67c2898fe28.json
index ee2196861b..6672cb3680 100644
--- a/.sqlx/query-1b29a6b1d3741ede2d85271f0f0e07069048ba01f8c3c5988f044e788200f9f8.json
+++ b/.sqlx/query-6e3362d9973d75894d3bd289e7d10d8f76bf8c7b2e3e11de5590e67c2898fe28.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id \"id?\", username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active FROM \"user\" WHERE username = $1",
+  "query": "SELECT id \"id?\", username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login FROM \"user\" WHERE username = $1",
   "describe": {
     "columns": [
       {
@@ -90,6 +90,11 @@
         "ordinal": 14,
         "name": "is_active",
         "type_info": "Bool"
+      },
+      {
+        "ordinal": 15,
+        "name": "openid_login",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -112,8 +117,9 @@
       true,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "1b29a6b1d3741ede2d85271f0f0e07069048ba01f8c3c5988f044e788200f9f8"
+  "hash": "6e3362d9973d75894d3bd289e7d10d8f76bf8c7b2e3e11de5590e67c2898fe28"
 }
diff --git a/.sqlx/query-7cf5b6245bab3bdf58bce20a791db4217a168edb014ce3bd9fd092b21553cdc5.json b/.sqlx/query-7cf5b6245bab3bdf58bce20a791db4217a168edb014ce3bd9fd092b21553cdc5.json
new file mode 100644
index 0000000000..1bb2d632ff
--- /dev/null
+++ b/.sqlx/query-7cf5b6245bab3bdf58bce20a791db4217a168edb014ce3bd9fd092b21553cdc5.json
@@ -0,0 +1,14 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "DELETE FROM \"openidprovider\" WHERE id = $1",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Int8"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "7cf5b6245bab3bdf58bce20a791db4217a168edb014ce3bd9fd092b21553cdc5"
+}
diff --git a/.sqlx/query-87ac2de4f3fc7801f3b9dcf51992f107c53f264016865af4379196f5e72acd4c.json b/.sqlx/query-87ac2de4f3fc7801f3b9dcf51992f107c53f264016865af4379196f5e72acd4c.json
new file mode 100644
index 0000000000..11ad8e07f6
--- /dev/null
+++ b/.sqlx/query-87ac2de4f3fc7801f3b9dcf51992f107c53f264016865af4379196f5e72acd4c.json
@@ -0,0 +1,44 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT id \"id?\", \"name\",\"base_url\",\"client_id\",\"client_secret\" FROM \"openidprovider\"",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "id?",
+        "type_info": "Int8"
+      },
+      {
+        "ordinal": 1,
+        "name": "name",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 2,
+        "name": "base_url",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 3,
+        "name": "client_id",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 4,
+        "name": "client_secret",
+        "type_info": "Text"
+      }
+    ],
+    "parameters": {
+      "Left": []
+    },
+    "nullable": [
+      false,
+      false,
+      false,
+      false,
+      false
+    ]
+  },
+  "hash": "87ac2de4f3fc7801f3b9dcf51992f107c53f264016865af4379196f5e72acd4c"
+}
diff --git a/.sqlx/query-c9773715f70d267a2bc1e23b86d06c9dd358479e5791b672369d3c0496d51269.json b/.sqlx/query-935d9b9ad81c18d764b54ea4fc1d742916968a18854c2f6d9d8004742b9afd54.json
similarity index 74%
rename from .sqlx/query-c9773715f70d267a2bc1e23b86d06c9dd358479e5791b672369d3c0496d51269.json
rename to .sqlx/query-935d9b9ad81c18d764b54ea4fc1d742916968a18854c2f6d9d8004742b9afd54.json
index 7111120273..781eaeef91 100644
--- a/.sqlx/query-c9773715f70d267a2bc1e23b86d06c9dd358479e5791b672369d3c0496d51269.json
+++ b/.sqlx/query-935d9b9ad81c18d764b54ea4fc1d742916968a18854c2f6d9d8004742b9afd54.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO \"user\" (\"username\",\"password_hash\",\"last_name\",\"first_name\",\"email\",\"phone\",\"mfa_enabled\",\"is_active\",\"totp_enabled\",\"email_mfa_enabled\",\"totp_secret\",\"email_mfa_secret\",\"mfa_method\",\"recovery_codes\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14) RETURNING id",
+  "query": "INSERT INTO \"user\" (\"username\",\"password_hash\",\"last_name\",\"first_name\",\"email\",\"phone\",\"mfa_enabled\",\"is_active\",\"openid_login\",\"totp_enabled\",\"email_mfa_enabled\",\"totp_secret\",\"email_mfa_secret\",\"mfa_method\",\"recovery_codes\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15) RETURNING id",
   "describe": {
     "columns": [
       {
@@ -21,6 +21,7 @@
         "Bool",
         "Bool",
         "Bool",
+        "Bool",
         "Bytea",
         "Bytea",
         {
@@ -44,5 +45,5 @@
       false
     ]
   },
-  "hash": "c9773715f70d267a2bc1e23b86d06c9dd358479e5791b672369d3c0496d51269"
+  "hash": "935d9b9ad81c18d764b54ea4fc1d742916968a18854c2f6d9d8004742b9afd54"
 }
diff --git a/.sqlx/query-a0700f9701a61fc64af20165feb4627ef6f053bcb59d81e41dd1cf1bd199b543.json b/.sqlx/query-a0700f9701a61fc64af20165feb4627ef6f053bcb59d81e41dd1cf1bd199b543.json
new file mode 100644
index 0000000000..94ec297433
--- /dev/null
+++ b/.sqlx/query-a0700f9701a61fc64af20165feb4627ef6f053bcb59d81e41dd1cf1bd199b543.json
@@ -0,0 +1,18 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "UPDATE openidprovider SET name = $1, base_url = $2, client_id = $3, client_secret = $4 WHERE id = $5",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Text",
+        "Text",
+        "Text",
+        "Int8"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "a0700f9701a61fc64af20165feb4627ef6f053bcb59d81e41dd1cf1bd199b543"
+}
diff --git a/.sqlx/query-f5ed6899054f1915882741843733fc196d59c356d69c0d06e9782cb1bc73e6f3.json b/.sqlx/query-a3d548764fe912cc9009618d41504205b64526e89acd2fefd74d221b3c3ea620.json
similarity index 89%
rename from .sqlx/query-f5ed6899054f1915882741843733fc196d59c356d69c0d06e9782cb1bc73e6f3.json
rename to .sqlx/query-a3d548764fe912cc9009618d41504205b64526e89acd2fefd74d221b3c3ea620.json
index d4dfe1b6b1..6344d31c1c 100644
--- a/.sqlx/query-f5ed6899054f1915882741843733fc196d59c356d69c0d06e9782cb1bc73e6f3.json
+++ b/.sqlx/query-a3d548764fe912cc9009618d41504205b64526e89acd2fefd74d221b3c3ea620.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id \"id?\", username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active FROM \"user\" WHERE id = ANY($1)",
+  "query": "SELECT id \"id?\", username, password_hash, last_name, first_name, email, phone, mfa_enabled, totp_enabled, email_mfa_enabled, totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login FROM \"user\" WHERE id = ANY($1)",
   "describe": {
     "columns": [
       {
@@ -90,6 +90,11 @@
         "ordinal": 14,
         "name": "is_active",
         "type_info": "Bool"
+      },
+      {
+        "ordinal": 15,
+        "name": "openid_login",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -112,8 +117,9 @@
       true,
       false,
       false,
+      false,
       false
     ]
   },
-  "hash": "f5ed6899054f1915882741843733fc196d59c356d69c0d06e9782cb1bc73e6f3"
+  "hash": "a3d548764fe912cc9009618d41504205b64526e89acd2fefd74d221b3c3ea620"
 }
diff --git a/.sqlx/query-a6fe220739875c6894e1a678d4c24de34b7c3ca8bd5e48ed9f313d20cbe8f8e4.json b/.sqlx/query-a6fe220739875c6894e1a678d4c24de34b7c3ca8bd5e48ed9f313d20cbe8f8e4.json
new file mode 100644
index 0000000000..e32f0cf87a
--- /dev/null
+++ b/.sqlx/query-a6fe220739875c6894e1a678d4c24de34b7c3ca8bd5e48ed9f313d20cbe8f8e4.json
@@ -0,0 +1,25 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "INSERT INTO \"openidprovider\" (\"name\",\"base_url\",\"client_id\",\"client_secret\") VALUES ($1,$2,$3,$4) RETURNING id",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "id",
+        "type_info": "Int8"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Text",
+        "Text",
+        "Text",
+        "Text"
+      ]
+    },
+    "nullable": [
+      false
+    ]
+  },
+  "hash": "a6fe220739875c6894e1a678d4c24de34b7c3ca8bd5e48ed9f313d20cbe8f8e4"
+}
diff --git a/.sqlx/query-3063672b53bf0bada26d6d1b0adbebfbeb42e6a4949a10b2f23ea4d968aeb736.json b/.sqlx/query-a7194f2160706f9d661d0d270aaad92ba54c1a84d7083d47a684a3b1d5ad206f.json
similarity index 70%
rename from .sqlx/query-3063672b53bf0bada26d6d1b0adbebfbeb42e6a4949a10b2f23ea4d968aeb736.json
rename to .sqlx/query-a7194f2160706f9d661d0d270aaad92ba54c1a84d7083d47a684a3b1d5ad206f.json
index e4f3bf2de0..d4f8666455 100644
--- a/.sqlx/query-3063672b53bf0bada26d6d1b0adbebfbeb42e6a4949a10b2f23ea4d968aeb736.json
+++ b/.sqlx/query-a7194f2160706f9d661d0d270aaad92ba54c1a84d7083d47a684a3b1d5ad206f.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "UPDATE \"user\" SET \"username\" = $2,\"password_hash\" = $3,\"last_name\" = $4,\"first_name\" = $5,\"email\" = $6,\"phone\" = $7,\"mfa_enabled\" = $8,\"is_active\" = $9,\"totp_enabled\" = $10,\"email_mfa_enabled\" = $11,\"totp_secret\" = $12,\"email_mfa_secret\" = $13,\"mfa_method\" = $14,\"recovery_codes\" = $15 WHERE id = $1",
+  "query": "UPDATE \"user\" SET \"username\" = $2,\"password_hash\" = $3,\"last_name\" = $4,\"first_name\" = $5,\"email\" = $6,\"phone\" = $7,\"mfa_enabled\" = $8,\"is_active\" = $9,\"openid_login\" = $10,\"totp_enabled\" = $11,\"email_mfa_enabled\" = $12,\"totp_secret\" = $13,\"email_mfa_secret\" = $14,\"mfa_method\" = $15,\"recovery_codes\" = $16 WHERE id = $1",
   "describe": {
     "columns": [],
     "parameters": {
@@ -16,6 +16,7 @@
         "Bool",
         "Bool",
         "Bool",
+        "Bool",
         "Bytea",
         "Bytea",
         {
@@ -37,5 +38,5 @@
     },
     "nullable": []
   },
-  "hash": "3063672b53bf0bada26d6d1b0adbebfbeb42e6a4949a10b2f23ea4d968aeb736"
+  "hash": "a7194f2160706f9d661d0d270aaad92ba54c1a84d7083d47a684a3b1d5ad206f"
 }
diff --git a/.sqlx/query-e1875cb32cf6f270541b27319cb472abd8f6ed0dccc77a2ba0908dd487975ef5.json b/.sqlx/query-a9d694c5efe301ef975e1b6fc0ca0acc741c16c3efdd7a92475a419e9e30db4c.json
similarity index 94%
rename from .sqlx/query-e1875cb32cf6f270541b27319cb472abd8f6ed0dccc77a2ba0908dd487975ef5.json
rename to .sqlx/query-a9d694c5efe301ef975e1b6fc0ca0acc741c16c3efdd7a92475a419e9e30db4c.json
index bd60bb9df9..83250222b3 100644
--- a/.sqlx/query-e1875cb32cf6f270541b27319cb472abd8f6ed0dccc77a2ba0908dd487975ef5.json
+++ b/.sqlx/query-a9d694c5efe301ef975e1b6fc0ca0acc741c16c3efdd7a92475a419e9e30db4c.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id \"id?\", \"openid_enabled\",\"wireguard_enabled\",\"webhooks_enabled\",\"worker_enabled\",\"challenge_template\",\"instance_name\",\"main_logo_url\",\"nav_logo_url\",\"smtp_server\",\"smtp_port\",\"smtp_encryption\" \"smtp_encryption: _\",\"smtp_user\",\"smtp_password\" \"smtp_password?: SecretString\",\"smtp_sender\",\"enrollment_vpn_step_optional\",\"enrollment_welcome_message\",\"enrollment_welcome_email\",\"enrollment_welcome_email_subject\",\"enrollment_use_welcome_message_as_email\",\"uuid\",\"ldap_url\",\"ldap_bind_username\",\"ldap_bind_password\" \"ldap_bind_password?: SecretString\",\"ldap_group_search_base\",\"ldap_user_search_base\",\"ldap_user_obj_class\",\"ldap_group_obj_class\",\"ldap_username_attr\",\"ldap_groupname_attr\",\"ldap_group_member_attr\",\"ldap_member_attr\" FROM \"settings\"",
+  "query": "SELECT id \"id?\", \"openid_enabled\",\"wireguard_enabled\",\"webhooks_enabled\",\"worker_enabled\",\"challenge_template\",\"instance_name\",\"main_logo_url\",\"nav_logo_url\",\"smtp_server\",\"smtp_port\",\"smtp_encryption\" \"smtp_encryption: _\",\"smtp_user\",\"smtp_password\" \"smtp_password?: SecretString\",\"smtp_sender\",\"enrollment_vpn_step_optional\",\"enrollment_welcome_message\",\"enrollment_welcome_email\",\"enrollment_welcome_email_subject\",\"enrollment_use_welcome_message_as_email\",\"uuid\",\"ldap_url\",\"ldap_bind_username\",\"ldap_bind_password\" \"ldap_bind_password?: SecretString\",\"ldap_group_search_base\",\"ldap_user_search_base\",\"ldap_user_obj_class\",\"ldap_group_obj_class\",\"ldap_username_attr\",\"ldap_groupname_attr\",\"ldap_group_member_attr\",\"ldap_member_attr\",\"openid_create_account\" FROM \"settings\"",
   "describe": {
     "columns": [
       {
@@ -173,6 +173,11 @@
         "ordinal": 31,
         "name": "ldap_member_attr",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 32,
+        "name": "openid_create_account",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -210,8 +215,9 @@
       true,
       true,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "e1875cb32cf6f270541b27319cb472abd8f6ed0dccc77a2ba0908dd487975ef5"
+  "hash": "a9d694c5efe301ef975e1b6fc0ca0acc741c16c3efdd7a92475a419e9e30db4c"
 }
diff --git a/.sqlx/query-b12208760e0fc61c766c7c2d037d4e20c54f7bb6f612156de08f5ba26bd0b7df.json b/.sqlx/query-b12208760e0fc61c766c7c2d037d4e20c54f7bb6f612156de08f5ba26bd0b7df.json
new file mode 100644
index 0000000000..0d1ced94ee
--- /dev/null
+++ b/.sqlx/query-b12208760e0fc61c766c7c2d037d4e20c54f7bb6f612156de08f5ba26bd0b7df.json
@@ -0,0 +1,46 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT id \"id?\", \"name\",\"base_url\",\"client_id\",\"client_secret\" FROM \"openidprovider\" WHERE id = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "id?",
+        "type_info": "Int8"
+      },
+      {
+        "ordinal": 1,
+        "name": "name",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 2,
+        "name": "base_url",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 3,
+        "name": "client_id",
+        "type_info": "Text"
+      },
+      {
+        "ordinal": 4,
+        "name": "client_secret",
+        "type_info": "Text"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Int8"
+      ]
+    },
+    "nullable": [
+      false,
+      false,
+      false,
+      false,
+      false
+    ]
+  },
+  "hash": "b12208760e0fc61c766c7c2d037d4e20c54f7bb6f612156de08f5ba26bd0b7df"
+}
diff --git a/.sqlx/query-8bd853a756c53e3f6bf0ae002c46709a7bb35324df203ce9918d67905d59cdc8.json b/.sqlx/query-e769bdd845a133b817d33627fd43862607a138b42416ccb2dabfb2ea953b482f.json
similarity index 91%
rename from .sqlx/query-8bd853a756c53e3f6bf0ae002c46709a7bb35324df203ce9918d67905d59cdc8.json
rename to .sqlx/query-e769bdd845a133b817d33627fd43862607a138b42416ccb2dabfb2ea953b482f.json
index 591494b00b..ff55394f7a 100644
--- a/.sqlx/query-8bd853a756c53e3f6bf0ae002c46709a7bb35324df203ce9918d67905d59cdc8.json
+++ b/.sqlx/query-e769bdd845a133b817d33627fd43862607a138b42416ccb2dabfb2ea953b482f.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "UPDATE \"settings\" SET \"openid_enabled\" = $2,\"wireguard_enabled\" = $3,\"webhooks_enabled\" = $4,\"worker_enabled\" = $5,\"challenge_template\" = $6,\"instance_name\" = $7,\"main_logo_url\" = $8,\"nav_logo_url\" = $9,\"smtp_server\" = $10,\"smtp_port\" = $11,\"smtp_encryption\" = $12,\"smtp_user\" = $13,\"smtp_password\" = $14,\"smtp_sender\" = $15,\"enrollment_vpn_step_optional\" = $16,\"enrollment_welcome_message\" = $17,\"enrollment_welcome_email\" = $18,\"enrollment_welcome_email_subject\" = $19,\"enrollment_use_welcome_message_as_email\" = $20,\"uuid\" = $21,\"ldap_url\" = $22,\"ldap_bind_username\" = $23,\"ldap_bind_password\" = $24,\"ldap_group_search_base\" = $25,\"ldap_user_search_base\" = $26,\"ldap_user_obj_class\" = $27,\"ldap_group_obj_class\" = $28,\"ldap_username_attr\" = $29,\"ldap_groupname_attr\" = $30,\"ldap_group_member_attr\" = $31,\"ldap_member_attr\" = $32 WHERE id = $1",
+  "query": "UPDATE \"settings\" SET \"openid_enabled\" = $2,\"wireguard_enabled\" = $3,\"webhooks_enabled\" = $4,\"worker_enabled\" = $5,\"challenge_template\" = $6,\"instance_name\" = $7,\"main_logo_url\" = $8,\"nav_logo_url\" = $9,\"smtp_server\" = $10,\"smtp_port\" = $11,\"smtp_encryption\" = $12,\"smtp_user\" = $13,\"smtp_password\" = $14,\"smtp_sender\" = $15,\"enrollment_vpn_step_optional\" = $16,\"enrollment_welcome_message\" = $17,\"enrollment_welcome_email\" = $18,\"enrollment_welcome_email_subject\" = $19,\"enrollment_use_welcome_message_as_email\" = $20,\"uuid\" = $21,\"ldap_url\" = $22,\"ldap_bind_username\" = $23,\"ldap_bind_password\" = $24,\"ldap_group_search_base\" = $25,\"ldap_user_search_base\" = $26,\"ldap_user_obj_class\" = $27,\"ldap_group_obj_class\" = $28,\"ldap_username_attr\" = $29,\"ldap_groupname_attr\" = $30,\"ldap_group_member_attr\" = $31,\"ldap_member_attr\" = $32,\"openid_create_account\" = $33 WHERE id = $1",
   "describe": {
     "columns": [],
     "parameters": {
@@ -47,10 +47,11 @@
         "Text",
         "Text",
         "Text",
-        "Text"
+        "Text",
+        "Bool"
       ]
     },
     "nullable": []
   },
-  "hash": "8bd853a756c53e3f6bf0ae002c46709a7bb35324df203ce9918d67905d59cdc8"
+  "hash": "e769bdd845a133b817d33627fd43862607a138b42416ccb2dabfb2ea953b482f"
 }
diff --git a/.sqlx/query-e181b36a398dc70efd14bb7dc52138a17a5ec4c3210d5960149684e77ae88726.json b/.sqlx/query-fb71770a725becd8d8f53554ded17e189c90b658aa343fc682b05be24f410b85.json
similarity index 93%
rename from .sqlx/query-e181b36a398dc70efd14bb7dc52138a17a5ec4c3210d5960149684e77ae88726.json
rename to .sqlx/query-fb71770a725becd8d8f53554ded17e189c90b658aa343fc682b05be24f410b85.json
index 45a90b155d..5441c96029 100644
--- a/.sqlx/query-e181b36a398dc70efd14bb7dc52138a17a5ec4c3210d5960149684e77ae88726.json
+++ b/.sqlx/query-fb71770a725becd8d8f53554ded17e189c90b658aa343fc682b05be24f410b85.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id \"id?\", \"openid_enabled\",\"wireguard_enabled\",\"webhooks_enabled\",\"worker_enabled\",\"challenge_template\",\"instance_name\",\"main_logo_url\",\"nav_logo_url\",\"smtp_server\",\"smtp_port\",\"smtp_encryption\" \"smtp_encryption: _\",\"smtp_user\",\"smtp_password\" \"smtp_password?: SecretString\",\"smtp_sender\",\"enrollment_vpn_step_optional\",\"enrollment_welcome_message\",\"enrollment_welcome_email\",\"enrollment_welcome_email_subject\",\"enrollment_use_welcome_message_as_email\",\"uuid\",\"ldap_url\",\"ldap_bind_username\",\"ldap_bind_password\" \"ldap_bind_password?: SecretString\",\"ldap_group_search_base\",\"ldap_user_search_base\",\"ldap_user_obj_class\",\"ldap_group_obj_class\",\"ldap_username_attr\",\"ldap_groupname_attr\",\"ldap_group_member_attr\",\"ldap_member_attr\" FROM \"settings\" WHERE id = $1",
+  "query": "SELECT id \"id?\", \"openid_enabled\",\"wireguard_enabled\",\"webhooks_enabled\",\"worker_enabled\",\"challenge_template\",\"instance_name\",\"main_logo_url\",\"nav_logo_url\",\"smtp_server\",\"smtp_port\",\"smtp_encryption\" \"smtp_encryption: _\",\"smtp_user\",\"smtp_password\" \"smtp_password?: SecretString\",\"smtp_sender\",\"enrollment_vpn_step_optional\",\"enrollment_welcome_message\",\"enrollment_welcome_email\",\"enrollment_welcome_email_subject\",\"enrollment_use_welcome_message_as_email\",\"uuid\",\"ldap_url\",\"ldap_bind_username\",\"ldap_bind_password\" \"ldap_bind_password?: SecretString\",\"ldap_group_search_base\",\"ldap_user_search_base\",\"ldap_user_obj_class\",\"ldap_group_obj_class\",\"ldap_username_attr\",\"ldap_groupname_attr\",\"ldap_group_member_attr\",\"ldap_member_attr\",\"openid_create_account\" FROM \"settings\" WHERE id = $1",
   "describe": {
     "columns": [
       {
@@ -173,6 +173,11 @@
         "ordinal": 31,
         "name": "ldap_member_attr",
         "type_info": "Text"
+      },
+      {
+        "ordinal": 32,
+        "name": "openid_create_account",
+        "type_info": "Bool"
       }
     ],
     "parameters": {
@@ -212,8 +217,9 @@
       true,
       true,
       true,
-      true
+      true,
+      false
     ]
   },
-  "hash": "e181b36a398dc70efd14bb7dc52138a17a5ec4c3210d5960149684e77ae88726"
+  "hash": "fb71770a725becd8d8f53554ded17e189c90b658aa343fc682b05be24f410b85"
 }
diff --git a/.sqlx/query-2b9b3aa210fa00d43bece1acbd3ae490fea37010d98f3eff2ba15f50e8a6d7a9.json b/.sqlx/query-fd4750032e0fcd91f0f8fad9aa946211c645f786602e89561f03a5a60661d191.json
similarity index 84%
rename from .sqlx/query-2b9b3aa210fa00d43bece1acbd3ae490fea37010d98f3eff2ba15f50e8a6d7a9.json
rename to .sqlx/query-fd4750032e0fcd91f0f8fad9aa946211c645f786602e89561f03a5a60661d191.json
index c3182f082b..f0dc610017 100644
--- a/.sqlx/query-2b9b3aa210fa00d43bece1acbd3ae490fea37010d98f3eff2ba15f50e8a6d7a9.json
+++ b/.sqlx/query-fd4750032e0fcd91f0f8fad9aa946211c645f786602e89561f03a5a60661d191.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id \"id?\", \"username\",\"password_hash\",\"last_name\",\"first_name\",\"email\",\"phone\",\"mfa_enabled\",\"is_active\",\"totp_enabled\",\"email_mfa_enabled\",\"totp_secret\",\"email_mfa_secret\",\"mfa_method\" \"mfa_method: _\",\"recovery_codes\" \"recovery_codes: _\" FROM \"user\" WHERE id = $1",
+  "query": "SELECT id \"id?\", \"username\",\"password_hash\",\"last_name\",\"first_name\",\"email\",\"phone\",\"mfa_enabled\",\"is_active\",\"openid_login\",\"totp_enabled\",\"email_mfa_enabled\",\"totp_secret\",\"email_mfa_secret\",\"mfa_method\" \"mfa_method: _\",\"recovery_codes\" \"recovery_codes: _\" FROM \"user\" WHERE id = $1",
   "describe": {
     "columns": [
       {
@@ -50,26 +50,31 @@
       },
       {
         "ordinal": 9,
-        "name": "totp_enabled",
+        "name": "openid_login",
         "type_info": "Bool"
       },
       {
         "ordinal": 10,
-        "name": "email_mfa_enabled",
+        "name": "totp_enabled",
         "type_info": "Bool"
       },
       {
         "ordinal": 11,
+        "name": "email_mfa_enabled",
+        "type_info": "Bool"
+      },
+      {
+        "ordinal": 12,
         "name": "totp_secret",
         "type_info": "Bytea"
       },
       {
-        "ordinal": 12,
+        "ordinal": 13,
         "name": "email_mfa_secret",
         "type_info": "Bytea"
       },
       {
-        "ordinal": 13,
+        "ordinal": 14,
         "name": "mfa_method: _",
         "type_info": {
           "Custom": {
@@ -87,7 +92,7 @@
         }
       },
       {
-        "ordinal": 14,
+        "ordinal": 15,
         "name": "recovery_codes: _",
         "type_info": "TextArray"
       }
@@ -109,11 +114,12 @@
       false,
       false,
       false,
+      false,
       true,
       true,
       false,
       false
     ]
   },
-  "hash": "2b9b3aa210fa00d43bece1acbd3ae490fea37010d98f3eff2ba15f50e8a6d7a9"
+  "hash": "fd4750032e0fcd91f0f8fad9aa946211c645f786602e89561f03a5a60661d191"
 }
diff --git a/.sqlx/query-7ce8c80bce6f2ed44b7abaa53e65f6ff40beeeabdd4d88a393dd9986ab59934b.json b/.sqlx/query-fdb364b8984eff1c2ca14153eaf44fa0ccc6a7e26874afecc62b00de993a12aa.json
similarity index 84%
rename from .sqlx/query-7ce8c80bce6f2ed44b7abaa53e65f6ff40beeeabdd4d88a393dd9986ab59934b.json
rename to .sqlx/query-fdb364b8984eff1c2ca14153eaf44fa0ccc6a7e26874afecc62b00de993a12aa.json
index de92e46380..9b24a3350d 100644
--- a/.sqlx/query-7ce8c80bce6f2ed44b7abaa53e65f6ff40beeeabdd4d88a393dd9986ab59934b.json
+++ b/.sqlx/query-fdb364b8984eff1c2ca14153eaf44fa0ccc6a7e26874afecc62b00de993a12aa.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO \"settings\" (\"openid_enabled\",\"wireguard_enabled\",\"webhooks_enabled\",\"worker_enabled\",\"challenge_template\",\"instance_name\",\"main_logo_url\",\"nav_logo_url\",\"smtp_server\",\"smtp_port\",\"smtp_encryption\",\"smtp_user\",\"smtp_password\",\"smtp_sender\",\"enrollment_vpn_step_optional\",\"enrollment_welcome_message\",\"enrollment_welcome_email\",\"enrollment_welcome_email_subject\",\"enrollment_use_welcome_message_as_email\",\"uuid\",\"ldap_url\",\"ldap_bind_username\",\"ldap_bind_password\",\"ldap_group_search_base\",\"ldap_user_search_base\",\"ldap_user_obj_class\",\"ldap_group_obj_class\",\"ldap_username_attr\",\"ldap_groupname_attr\",\"ldap_group_member_attr\",\"ldap_member_attr\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22,$23,$24,$25,$26,$27,$28,$29,$30,$31) RETURNING id",
+  "query": "INSERT INTO \"settings\" (\"openid_enabled\",\"wireguard_enabled\",\"webhooks_enabled\",\"worker_enabled\",\"challenge_template\",\"instance_name\",\"main_logo_url\",\"nav_logo_url\",\"smtp_server\",\"smtp_port\",\"smtp_encryption\",\"smtp_user\",\"smtp_password\",\"smtp_sender\",\"enrollment_vpn_step_optional\",\"enrollment_welcome_message\",\"enrollment_welcome_email\",\"enrollment_welcome_email_subject\",\"enrollment_use_welcome_message_as_email\",\"uuid\",\"ldap_url\",\"ldap_bind_username\",\"ldap_bind_password\",\"ldap_group_search_base\",\"ldap_user_search_base\",\"ldap_user_obj_class\",\"ldap_group_obj_class\",\"ldap_username_attr\",\"ldap_groupname_attr\",\"ldap_group_member_attr\",\"ldap_member_attr\",\"openid_create_account\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22,$23,$24,$25,$26,$27,$28,$29,$30,$31,$32) RETURNING id",
   "describe": {
     "columns": [
       {
@@ -52,12 +52,13 @@
         "Text",
         "Text",
         "Text",
-        "Text"
+        "Text",
+        "Bool"
       ]
     },
     "nullable": [
       false
     ]
   },
-  "hash": "7ce8c80bce6f2ed44b7abaa53e65f6ff40beeeabdd4d88a393dd9986ab59934b"
+  "hash": "fdb364b8984eff1c2ca14153eaf44fa0ccc6a7e26874afecc62b00de993a12aa"
 }
diff --git a/migrations/20240710100027_make_emails_unique.up.sql b/migrations/20240710100027_make_emails_unique.up.sql
index 4c341861c6..2d79a9dff6 100644
--- a/migrations/20240710100027_make_emails_unique.up.sql
+++ b/migrations/20240710100027_make_emails_unique.up.sql
@@ -1,2 +1,8 @@
--- TODO(aleksander): Drop duplicate emails before adding the constraint.
+-- Deletes duplicated users based on their email. The first (by id) user with a given email is kept.
+DELETE FROM
+    "user" u1
+        USING "user" u2
+WHERE
+    u1.id > u2.id
+    AND u1.email = u2.email;
 ALTER TABLE "user" ADD CONSTRAINT "user_email_key" UNIQUE (email);
diff --git a/migrations/20240715095940_add_oidc_login_flag.down.sql b/migrations/20240715095940_add_oidc_login_flag.down.sql
new file mode 100644
index 0000000000..5eb7de3502
--- /dev/null
+++ b/migrations/20240715095940_add_oidc_login_flag.down.sql
@@ -0,0 +1 @@
+ALTER TABLE "user" DROP COLUMN "openid_login";
diff --git a/migrations/20240715095940_add_oidc_login_flag.up.sql b/migrations/20240715095940_add_oidc_login_flag.up.sql
new file mode 100644
index 0000000000..c89fb898f1
--- /dev/null
+++ b/migrations/20240715095940_add_oidc_login_flag.up.sql
@@ -0,0 +1 @@
+ALTER TABLE "user" ADD COLUMN "openid_login" BOOLEAN NOT NULL DEFAULT FALSE;
diff --git a/migrations/20240715095955_add_oidc_create_account_setting.down.sql b/migrations/20240715095955_add_oidc_create_account_setting.down.sql
new file mode 100644
index 0000000000..7fc045f9ee
--- /dev/null
+++ b/migrations/20240715095955_add_oidc_create_account_setting.down.sql
@@ -0,0 +1 @@
+ALTER TABLE settings DROP COLUMN openid_create_account;
diff --git a/migrations/20240715095955_add_oidc_create_account_setting.up.sql b/migrations/20240715095955_add_oidc_create_account_setting.up.sql
new file mode 100644
index 0000000000..b82357c2d4
--- /dev/null
+++ b/migrations/20240715095955_add_oidc_create_account_setting.up.sql
@@ -0,0 +1 @@
+ALTER TABLE settings ADD COLUMN openid_create_account BOOLEAN NOT NULL DEFAULT TRUE;
diff --git a/src/db/models/group.rs b/src/db/models/group.rs
index 73f4476188..f5b5ea3ef2 100644
--- a/src/db/models/group.rs
+++ b/src/db/models/group.rs
@@ -60,7 +60,7 @@ impl Group {
                 User,
                 "SELECT \"user\".id \"id?\", username, password_hash, last_name, first_name, email, \
                 phone, mfa_enabled, totp_enabled, totp_secret, email_mfa_enabled, email_mfa_secret, \
-                mfa_method \"mfa_method: _\", recovery_codes, is_active \
+                mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
                 FROM \"user\" \
                 JOIN group_user ON \"user\".id = group_user.user_id \
                 WHERE group_user.group_id = $1",
diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs
index fe7b8d4dd8..246bb2f4da 100644
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -98,7 +98,7 @@ impl UserInfo {
             mfa_method: user.mfa_method.clone(),
             authorized_apps,
             is_active: user.is_active,
-            enrolled: user.has_password(),
+            enrolled: user.has_password() || user.openid_login,
         })
     }
 
diff --git a/src/db/models/settings.rs b/src/db/models/settings.rs
index ed8257ba57..8f0d343f06 100644
--- a/src/db/models/settings.rs
+++ b/src/db/models/settings.rs
@@ -62,6 +62,8 @@ pub struct Settings {
     pub ldap_groupname_attr: Option<String>,
     pub ldap_group_member_attr: Option<String>,
     pub ldap_member_attr: Option<String>,
+    // Whether to create a new account when users try to log in with external OpenID
+    pub openid_create_account: bool,
 }
 
 impl Settings {
diff --git a/src/db/models/user.rs b/src/db/models/user.rs
index 2ea623127a..de93aa1c66 100644
--- a/src/db/models/user.rs
+++ b/src/db/models/user.rs
@@ -74,6 +74,8 @@ pub struct User {
     pub phone: Option<String>,
     pub mfa_enabled: bool,
     pub is_active: bool,
+    // Whether the user has logged in using OIDC
+    pub openid_login: bool,
     // secret has been verified and TOTP can be used
     pub(crate) totp_enabled: bool,
     pub(crate) email_mfa_enabled: bool,
@@ -120,6 +122,7 @@ impl User {
             mfa_method: MFAMethod::None,
             recovery_codes: Vec::new(),
             is_active: true,
+            openid_login: false,
         }
     }
 
@@ -451,7 +454,7 @@ impl User {
     ) -> Result<Vec<UserDiagnostic>, SqlxError> {
         let users = query!(
             "SELECT id, mfa_enabled, totp_enabled, email_mfa_enabled, \
-                mfa_method as \"mfa_method: MFAMethod\", password_hash, is_active \
+                mfa_method as \"mfa_method: MFAMethod\", password_hash, is_active, openid_login \
             FROM \"user\""
         )
         .fetch_all(pool)
@@ -465,7 +468,7 @@ impl User {
                 mfa_enabled: u.mfa_enabled,
                 id: u.id,
                 is_active: u.is_active,
-                enrolled: u.password_hash.is_some(),
+                enrolled: u.password_hash.is_some() || u.openid_login,
             })
             .collect();
         Ok(res)
@@ -481,7 +484,7 @@ impl User {
             "SELECT \"user\".id \"id?\", username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, totp_secret, \
             email_mfa_enabled, email_mfa_secret, \
-            mfa_method \"mfa_method: _\", recovery_codes, is_active \
+            mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
             FROM \"user\"
             INNER JOIN \"group_user\" ON \"user\".id = \"group_user\".user_id
             INNER JOIN \"group\" ON \"group_user\".group_id = \"group\".id
@@ -572,7 +575,7 @@ impl User {
             Self,
             "SELECT id \"id?\", username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, email_mfa_enabled, \
-            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active \
+            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
             FROM \"user\" WHERE username = $1",
             username
         )
@@ -588,7 +591,7 @@ impl User {
             Self,
             "SELECT id \"id?\", username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, email_mfa_enabled, \
-            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active \
+            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
             FROM \"user\" WHERE email = $1",
             email
         )
diff --git a/src/enterprise/db/models/openid_provider.rs b/src/enterprise/db/models/openid_provider.rs
index 9841f5f329..1d63214957 100644
--- a/src/enterprise/db/models/openid_provider.rs
+++ b/src/enterprise/db/models/openid_provider.rs
@@ -3,7 +3,6 @@ use sqlx::{query, query_as, Error as SqlxError};
 
 use crate::db::DbPool;
 
-// TODO(jck): maybe rename OpenIdProvider
 #[derive(Deserialize, Model, Serialize)]
 pub struct OpenIdProvider {
     pub id: Option<i64>,
@@ -11,23 +10,6 @@ pub struct OpenIdProvider {
     pub base_url: String,
     pub client_id: String,
     pub client_secret: String,
-    pub enabled: bool,
-    // pub client_id: String, // unique
-    // // TODO(jck): maybe remove since we get the id_token in the first reponse?
-    // pub client_secret: String,
-    // pub auth_url: String,
-    // TODO(jck): provider image?
-
-    // // TODO(jck): do we need this?
-    // #[model(ref)]
-    // pub redirect_uri: Vec<String>,
-    // // TODO(jck): can we assume constant scope ahead of time?
-    // #[model(ref)]
-    // pub scope: Vec<String>,
-    // // TODO(jck): remove?
-    // // informational
-    // pub name: String,
-    // pub enabled: bool,
 }
 
 impl OpenIdProvider {
@@ -39,31 +21,27 @@ impl OpenIdProvider {
             base_url: base_url.into(),
             client_id: client_id.into(),
             client_secret: client_secret.into(),
-            enabled: false,
         }
     }
 
     pub async fn find_by_name(pool: &DbPool, name: &str) -> Result<Option<Self>, SqlxError> {
         query_as!(
             OpenIdProvider,
-            "SELECT id \"id?\", name, base_url, client_id, client_secret, enabled FROM openidprovider WHERE name = $1",
+            "SELECT id \"id?\", name, base_url, client_id, client_secret FROM openidprovider WHERE name = $1",
             name
         )
         .fetch_optional(pool)
         .await
     }
 
-    // TODO: this is a temporary method. We currently support only one provider at a time
     pub async fn upsert(&mut self, pool: &DbPool) -> Result<(), SqlxError> {
-        // TODO(aleksander): do it with only one query?
         if let Some(provider) = OpenIdProvider::get_current(pool).await? {
             query!(
-                "UPDATE openidprovider SET name = $1, base_url = $2, client_id = $3, client_secret = $4, enabled = $5 WHERE id = $6",
+                "UPDATE openidprovider SET name = $1, base_url = $2, client_id = $3, client_secret = $4 WHERE id = $5",
                 self.name,
                 self.base_url,
                 self.client_id,
                 self.client_secret,
-                self.enabled,
                 provider.id
             )
             .execute(pool)
@@ -75,11 +53,10 @@ impl OpenIdProvider {
         Ok(())
     }
 
-    // TODO: this is a temporary method. We currently support only one provider at a time
     pub async fn get_current(pool: &DbPool) -> Result<Option<Self>, SqlxError> {
         query_as!(
             OpenIdProvider,
-            "SELECT id \"id?\", name, base_url, client_id, client_secret, enabled FROM openidprovider"
+            "SELECT id \"id?\", name, base_url, client_id, client_secret FROM openidprovider"
         )
         .fetch_optional(pool)
         .await
diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index b809b9e049..606462bc22 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -1,126 +1,3 @@
-// use std::str::FromStr;
-
-// use crate::{error::WebError, AppState};
-// use axum::extract::{Query, State};
-// use openidconnect::{
-//     core::{CoreClient, CoreIdTokenVerifier, CoreProviderMetadata},
-//     reqwest::async_http_client,
-//     AdditionalClaims, AuthUrl, ClientId, GenderClaim, IdToken, IdTokenVerifier, IssuerUrl,
-//     JsonWebKeySet, JsonWebKeyType, JweContentEncryptionAlgorithm, JwsSigningAlgorithm, Nonce,
-//     NonceVerifier,
-// };
-
-// // /// Authorization Endpoint
-// // /// See https://openid.net/specs/openid-connect-core-1_0.html#AuthorizationEndpoint
-// // pub async fn authorization(
-// //     State(appstate): State<AppState>,
-// //     Query(data): Query<AuthenticationRequest>,
-// //     cookies: CookieJar,
-// //     private_cookies: PrivateCookieJar,
-// // ) -> Result<(StatusCode, HeaderMap, PrivateCookieJar), WebError> {
-
-// //     Ok()
-// // }
-
-// /// Authentication response callback
-// /// See https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
-// #[derive(Deserialize, Serialize, Debug)]
-// pub struct AuthenticationResponse {
-//     // id_token: String,
-//     code: String,
-// }
-
-// struct Verifier;
-
-// impl NonceVerifier for Verifier {
-//     fn verify(self, nonce: Option<&openidconnect::Nonce>) -> Result<(), String> {
-//         Ok(())
-//     }
-// }
-
-// pub async fn auth_callback(
-//     State(state): State<AppState>,
-//     Query(response): Query<AuthenticationResponse>,
-// ) -> Result<(), WebError> {
-//     // TODO(jck): log all useful stuff
-//     debug!("OIDC login callback got response: {response:?}");
-//     let code = response.code.clone();
-
-//     info!("OIDC login callback got code: {code:?}");
-//     // let token = IdToken::<
-//     //     openidconnect::EmptyAdditionalClaims,
-//     //     openidconnect::core::CoreGenderClaim,
-//     //     openidconnect::core::CoreJweContentEncryptionAlgorithm,
-//     //     openidconnect::core::CoreJwsSigningAlgorithm,
-//     //     _,
-//     // >::from_str(&response.code);
-//     // debug!("Decoded token: {token:?}");
-//     // if let Ok(token) = token {
-//     //     // TOOD(jck): create user based on user info
-//     //     // TOOD(jck): log user in
-//     //     // token.claims(verifier, nonce_verifier);
-//     //     // let provider_metadata = CoreProviderMetadata::discover(
-//     //     //     &IssuerUrl::new("https://accounts.example.com".to_string())?,
-//     //     //     http_client,
-//     //     // )?;
-
-//     //     // let client_id = ClientId::new("f2cef8b3-5b09-4c3f-988b-51fc3c42ecbc".to_string());
-//     //     // let client_secret = None;
-//     //     // let issuer_url = IssuerUrl::new(
-//     //     //     "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/v2.0"
-//     //     //         .to_string(),
-//     //     // )
-//     //     // .unwrap();
-//     //     // let auth_url = AuthUrl::new(
-//     //     //     "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/oauth2/v2.0/authorize".to_string()
-//     //     // ).unwrap();
-//     //     // let token_url = None;
-//     //     // let userinfo_url = None;
-//     //     // let jwks = JsonWebKeySet::default();
-//     //     // let client = CoreClient::new(
-//     //     //     client_id,
-//     //     //     client_secret,
-//     //     //     issuer_url,
-//     //     //     auth_url,
-//     //     //     token_url,
-//     //     //     userinfo_url,
-//     //     //     jwks,
-//     //     // );
-//     //     // let claims = token.claims(&client.id_token_verifier(), Verifier);
-//     //     // info!("### Decoded claims: {claims:#?}");
-//     //     // let name = claims.name().unwrap();
-//     //     // let family_name = claims.family_name().unwrap();
-//     //     // let given_name = claims.given_name().unwrap();
-//     //     // let email = claims.email().unwrap();
-//     //     // info!("### name: {name:?}, family_name: {family_name:?}, given_name: {given_name:?}, email: {email:?}");
-//     //     let provider_metadata = CoreProviderMetadata::discover_async(
-//     //         IssuerUrl::new(
-//     //             // "https://login.microsoftonline.com/2fc43015-5699-4d01-bd01-d6f2bd66818a/v2.0"
-//     //             "https://accounts.google.com/o/oauth2/v2/auth".to_string(),
-//     //         )
-//     //         .unwrap(),
-//     //         async_http_client,
-//     //     )
-//     //     .await
-//     //     .unwrap();
-
-//     //     let client = CoreClient::from_provider_metadata(provider_metadata, client_id, None);
-//     //     let claims = token
-//     //         .claims(&client.id_token_verifier(), &Nonce::new("ala".to_string()))
-//     //         .unwrap();
-//     //     info!("Decoded claims: {claims:#?}");
-//     //     // // Set the URL the user will be redirected to after the authorization process.
-//     //     // .set_redirect_uri(RedirectUrl::new("http://localhost:3000/api/v1/oidc/callback".to_string())?);
-//     //     // TODO(jck): log all useful stuff
-//     //     info!("OIDC login succeeded for user");
-//     // } else {
-//     //     // TODO(jck): add context
-//     //     warn!("OIDC login failed");
-//     // }
-
-//     Ok(())
-// }
-
 use axum::http::header::LOCATION;
 use axum::http::{HeaderMap, HeaderValue, StatusCode};
 use axum::response::{IntoResponse, Redirect, Response};
@@ -152,7 +29,7 @@ use openidconnect::{
 };
 
 use crate::appstate::AppState;
-use crate::db::{AppEvent, DbPool, Session, SessionState, User, UserInfo};
+use crate::db::{AppEvent, DbPool, Session, SessionState, Settings, User, UserInfo};
 use crate::enterprise::db::models::openid_provider::OpenIdProvider;
 use crate::error::WebError;
 use crate::handlers::{ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_COOKIE_NAME};
@@ -200,7 +77,7 @@ async fn make_oidc_client(pool: &DbPool) -> Result<CoreClient, WebError> {
     let provider = match OpenIdProvider::get_current(pool).await? {
         Some(provider) => provider,
         None => {
-            return Err(WebError::Authorization(
+            return Err(WebError::ObjectNotFound(
                 "OpenID provider not found".to_string(),
             ));
         }
@@ -214,10 +91,10 @@ async fn make_oidc_client(pool: &DbPool) -> Result<CoreClient, WebError> {
     let redirect_url = match RedirectUrl::new(url) {
         Ok(url) => url,
         Err(err) => {
-            return Err(WebError::Authorization(format!(
-                "Failed to create a redirect url from string: {}",
-                err
-            )));
+            error!("Failed to create redirect URL: {:?}", err);
+            return Err(WebError::Authorization(
+                "Failed to create redirect URL".to_string(),
+            ));
         }
     };
 
@@ -227,14 +104,6 @@ async fn make_oidc_client(pool: &DbPool) -> Result<CoreClient, WebError> {
     )
 }
 
-fn nonce_fn() -> Nonce {
-    Nonce::new("nonce123123".to_string())
-}
-
-fn csrf_fn() -> CsrfToken {
-    CsrfToken::new("csrf".to_string())
-}
-
 pub async fn get_auth_info(
     private_cookies: PrivateCookieJar,
     State(appstate): State<AppState>,
@@ -244,16 +113,13 @@ pub async fn get_auth_info(
     let (authorize_url, csrf_state, nonce) = client
         .authorize_url(
             AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
-            csrf_fn,
-            nonce_fn,
+            CsrfToken::new_random,
+            Nonce::new_random,
         )
         .add_scope(Scope::new("email".to_string()))
-        // Unnecessary if we dont create an account
         .add_scope(Scope::new("profile".to_string()))
         .url();
 
-    println!("{:?} | {:?} | {:?}", authorize_url, csrf_state, nonce);
-
     let config = server_config();
 
     let nonce_cookie = Cookie::build(("nonce", nonce.secret().clone()))
@@ -314,7 +180,6 @@ fn redirect_to<T: AsRef<str>>(uri: T, cookies: CookieJar) -> (StatusCode, Header
 pub struct AuthenticationResponse {
     code: AuthorizationCode,
     state: CsrfToken,
-    // nonce: Nonce,
 }
 
 pub async fn auth_callback(
@@ -326,6 +191,7 @@ pub async fn auth_callback(
     Query(params): Query<AuthenticationResponse>,
     State(appstate): State<AppState>,
 ) -> Result<(StatusCode, HeaderMap, CookieJar), WebError> {
+    debug!("Auth callback received, logging in user...");
     let cookie_nonce = private_cookies
         .get("nonce")
         .ok_or(WebError::Authorization(
@@ -336,7 +202,7 @@ pub async fn auth_callback(
 
     let cookie_csrf = private_cookies
         .get("csrf")
-        .ok_or(WebError::Authorization("CSRF cookie not found".to_string()))?
+        .ok_or(WebError::BadRequest("CSRF cookie not found".to_string()))?
         .value_trimmed()
         .to_string();
 
@@ -378,52 +244,83 @@ pub async fn auth_callback(
             )));
         }
     };
-    // println!("Google returned ID token: {:?}", token_claims);
 
-    let email = token_claims.email().ok_or(WebError::Authorization(
+    let email = token_claims.email().ok_or(WebError::BadRequest(
         "Email not found in the information returned from provider.".to_string(),
     ))?;
 
-    // let name = token_claims.name().unwrap();
-    // let given_name: Option<&EndUserGivenName> = match token_claims.given_name() {
-    //     Some(given_name) => Ok(given_name.get(None)),
-    //     None => Err(WebError::Authorization(
-    //         "Given name not found in the information returned from provider.".to_string(),
-    //     ))?,
-    // }?;
-    // let family_name: Option<&EndUserFamilyName> = match token_claims.family_name() {
-    //     Some(family_name) => Ok(family_name.get(None)),
-    //     None => Err(WebError::Authorization(
-    //         "Family name not found in the information returned from provider.".to_string(),
-    //     ))?,
-    // }?;
+    // Extract given name and family name from the localized token claims
+    // 'None' extracts the default value without the need to specify a language
+
+    let given_name_error = "Given name not found in the information returned from provider.";
+
+    let given_name = token_claims
+        .given_name()
+        .ok_or(WebError::BadRequest(given_name_error.to_string()))?
+        // Gets the
+        .get(None)
+        .ok_or(WebError::BadRequest(given_name_error.to_string()))?;
+
+    let family_name_error = "Family name not found in the information returned from provider.";
+
+    let family_name = token_claims
+        .family_name()
+        .ok_or(WebError::BadRequest(family_name_error.to_string()))?
+        .get(None)
+        .ok_or(WebError::BadRequest(family_name_error.to_string()))?;
 
     let phone = token_claims.phone_number();
 
-    println!("Email: {:?}", email);
-    // println!("Name: {:?}", name);
-    // println!("Given Name: {:?}", given_name);
-    // println!("Family Name: {:?}", family_name);
+    let username = email
+        .split('@')
+        .next()
+        .ok_or(WebError::BadRequest(
+            "Failed to extract username from email address".to_string(),
+        ))?
+        // + is not allowed in usernames, but fairly common in email addresses
+        // TODO: Make this more robust, trim everything that's forbidden in usernames
+        .replace('+', "_");
 
-    let username = email.split('@').next().unwrap();
+    let settings = Settings::get_settings(&appstate.pool).await?;
 
-    let user = match User::find_by_username(&appstate.pool, username).await {
-        Ok(Some(user)) => user,
+    let user = match User::find_by_email(&appstate.pool, email).await {
+        Ok(Some(mut user)) => {
+            if !user.openid_login {
+                user.openid_login = true;
+                user.save(&appstate.pool).await?;
+            }
+            user
+        }
         Ok(None) => {
-            // let mut user = User::new(
-            //     username.to_string(),
-            //     None,
-            //     family_name.to_string(),
-            //     given_name.to_string(),
-            //     email.to_string(),
-            //     None,
-            // );
-            // user.save(&appstate.pool).await?;
-            // user
-            return Err(WebError::Authorization(
-                "User not found. The user needs to be created first in order to login using OIDC."
-                    .to_string(),
-            ));
+            if settings.openid_create_account {
+                // Check if user with the same username already exists
+                if User::find_by_username(&appstate.pool, &username)
+                    .await?
+                    .is_some()
+                {
+                    return Err(WebError::Authorization(format!(
+                        "User with username {} already exists",
+                        username
+                    )));
+                }
+
+                let mut user = User::new(
+                    username.to_string(),
+                    None,
+                    family_name.to_string(),
+                    given_name.to_string(),
+                    email.to_string(),
+                    phone.map(|v| v.to_string()),
+                );
+                user.openid_login = true;
+                user.save(&appstate.pool).await?;
+                user
+            } else {
+                return Err(WebError::Authorization(
+                    "User not found. The user needs to be created first in order to login using OIDC."
+                        .to_string(),
+                ));
+            }
         }
         Err(e) => {
             return Err(WebError::Authorization(e.to_string()));
@@ -479,5 +376,10 @@ pub async fn auth_callback(
     )
     .await?;
 
+    info!(
+        "External OpenID authentication successful for user {}",
+        user.username
+    );
+
     Ok(redirect_to("/", cookies))
 }
diff --git a/src/enterprise/handlers/openid_providers.rs b/src/enterprise/handlers/openid_providers.rs
index 85ea295a4d..aca965cf49 100644
--- a/src/enterprise/handlers/openid_providers.rs
+++ b/src/enterprise/handlers/openid_providers.rs
@@ -33,6 +33,7 @@ pub async fn add_openid_provider(
         "User {} adding OpenID provider {}",
         session.user.username, new_provider.name
     );
+    // Currently, we only support one OpenID provider at a time
     new_provider.upsert(&appstate.pool).await?;
     info!(
         "User {} added OpenID client {}",
diff --git a/src/grpc/enrollment.rs b/src/grpc/enrollment.rs
index 16569d0d0b..9e299d501a 100644
--- a/src/grpc/enrollment.rs
+++ b/src/grpc/enrollment.rs
@@ -497,7 +497,7 @@ impl From<User> for AdminInfo {
 
 impl InitialUserInfo {
     async fn from_user(pool: &DbPool, user: User) -> Result<Self, sqlx::Error> {
-        let is_enrolled = user.has_password();
+        let is_enrolled = user.has_password() || user.openid_login;
         let devices = user.devices(pool).await?;
         let device_names = devices.into_iter().map(|dev| dev.device.name).collect();
         Ok(Self {
diff --git a/src/handlers/group.rs b/src/handlers/group.rs
index 748bdc5388..5969cefbd9 100644
--- a/src/handlers/group.rs
+++ b/src/handlers/group.rs
@@ -47,7 +47,7 @@ pub(crate) async fn bulk_assign_to_groups(
         User,
         "SELECT id \"id?\", username, password_hash, last_name, first_name, email, \
             phone, mfa_enabled, totp_enabled, email_mfa_enabled, \
-            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active \
+            totp_secret, email_mfa_secret, mfa_method \"mfa_method: _\", recovery_codes, is_active, openid_login \
             FROM \"user\" WHERE id = ANY($1)",
         &data.users
     )
diff --git a/web/src/components/AppLoader.tsx b/web/src/components/AppLoader.tsx
index 0e87e4a4d8..82fc8ee459 100644
--- a/web/src/components/AppLoader.tsx
+++ b/web/src/components/AppLoader.tsx
@@ -30,6 +30,9 @@ export const AppLoader = () => {
     getAppInfo,
     user: { getMe },
     settings: { getEssentialSettings },
+    auth: {
+      openid: { getOpenIdInfo: getOpenidInfo },
+    },
   } = useApi();
   const [userLoading, setUserLoading] = useState(true);
   const { setLocale } = useI18nContext();
@@ -106,7 +109,21 @@ export const AppLoader = () => {
     }
   }, [essentialSettings, setAppStore]);
 
-  if (userLoading || (settingsLoading && isUndefined(appSettings))) {
+  const { data: openIdInfo, isLoading: openIdLoading } = useQuery({
+    queryKey: [QueryKeys.FETCH_OPENID_INFO],
+    queryFn: getOpenidInfo,
+    refetchOnMount: true,
+    refetchOnWindowFocus: false,
+    retry: false,
+  });
+
+  useEffect(() => {
+    if (openIdInfo) {
+      setAuthState({ openIdLoginInfo: openIdInfo });
+    }
+  }, [openIdInfo, setAuthState]);
+
+  if (userLoading || (settingsLoading && isUndefined(appSettings)) || openIdLoading) {
     return <LoaderPage />;
   }
 
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index 439cf622be..d048f63dea 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -922,7 +922,11 @@ const en: BaseTranslation = {
       },
     },
     openIdSettings: {
-      title: 'OpenID Settings',
+      titleClient: 'External OpenID Client Settings',
+      titleGeneral: 'External OpenID Settings',
+      general: {
+        createAccount: 'Automatically create user account when logging in through external OpenID for first time.',
+      },
       form: {
         labels: {
           name: 'Name',
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index 1ff6f18654..ec6814c83a 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -2277,9 +2277,19 @@ type RootTranslation = {
 		}
 		openIdSettings: {
 			/**
-			 * O​p​e​n​I​D​ ​S​e​t​t​i​n​g​s
+			 * E​x​t​e​r​n​a​l​ ​O​p​e​n​I​D​ ​C​l​i​e​n​t​ ​S​e​t​t​i​n​g​s
 			 */
-			title: string
+			titleClient: string
+			/**
+			 * E​x​t​e​r​n​a​l​ ​O​p​e​n​I​D​ ​S​e​t​t​i​n​g​s
+			 */
+			titleGeneral: string
+			general: {
+				/**
+				 * A​u​t​o​m​a​t​i​c​a​l​l​y​ ​c​r​e​a​t​e​ ​u​s​e​r​ ​a​c​c​o​u​n​t​ ​w​h​e​n​ ​l​o​g​g​i​n​g​ ​i​n​ ​t​h​r​o​u​g​h​ ​e​x​t​e​r​n​a​l​ ​O​p​e​n​I​D​ ​f​o​r​ ​f​i​r​s​t​ ​t​i​m​e​.
+				 */
+				createAccount: string
+			}
 			form: {
 				labels: {
 					/**
@@ -6203,9 +6213,19 @@ export type TranslationFunctions = {
 		}
 		openIdSettings: {
 			/**
-			 * OpenID Settings
+			 * External OpenID Client Settings
 			 */
-			title: () => LocalizedString
+			titleClient: () => LocalizedString
+			/**
+			 * External OpenID Settings
+			 */
+			titleGeneral: () => LocalizedString
+			general: {
+				/**
+				 * Automatically create user account when logging in through external OpenID for first time.
+				 */
+				createAccount: () => LocalizedString
+			}
 			form: {
 				labels: {
 					/**
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 2c5d5ca2c0..53e827ce7d 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -908,7 +908,11 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
       },
     },
     openIdSettings: {
-      title: 'OpenID Settings',
+      titleClient: 'Ustawienia klienta zewnętrznego OpenID',
+      titleGeneral: 'Ustawienia zewnętrznego OpenID',
+      general: {
+        createAccount: 'Automatycznie twórz konta w momencie logowania przez zewnętrznego dostawcę OpenID',
+      },
       form: {
         labels: {
           name: 'Nazwa',
diff --git a/web/src/pages/auth/Login/Login.tsx b/web/src/pages/auth/Login/Login.tsx
index cd5d7947da..121599f793 100644
--- a/web/src/pages/auth/Login/Login.tsx
+++ b/web/src/pages/auth/Login/Login.tsx
@@ -20,6 +20,7 @@ import { MutationKeys } from '../../../shared/mutations';
 import { patternSafeUsernameCharacters } from '../../../shared/patterns';
 import { LoginData } from '../../../shared/types';
 import { trimObjectStrings } from '../../../shared/utils/trimObjectStrings';
+import { OpenIdLoginButton } from './components/OidcButtons';
 
 type Inputs = {
   username: string;
@@ -28,6 +29,7 @@ type Inputs = {
 
 export const Login = () => {
   const { LL } = useI18nContext();
+  const openIdInfo = useAuthStore((state) => state.openIdLoginInfo);
 
   const zodSchema = useMemo(
     () =>
@@ -47,10 +49,7 @@ export const Login = () => {
   );
 
   const {
-    auth: {
-      login,
-      openid: { getOpenidInfo },
-    },
+    auth: { login },
   } = useApi();
 
   const { handleSubmit, control, setError } = useForm<Inputs>({
@@ -88,19 +87,6 @@ export const Login = () => {
     }
   };
 
-  // const redirect = () => {
-  //   // getUrl().then((url) => {
-  //   //   window.location.replace(url);
-  //   // });
-  // };
-
-  const openIdLogin = () => {
-    getOpenidInfo().then((data) => {
-      // console.log(data);
-      window.location.replace(data.url);
-    });
-  };
-
   return (
     <section id="login-container">
       <h1>{LL.loginPage.pageTitle()}</h1>
@@ -128,14 +114,7 @@ export const Login = () => {
           text={LL.form.login()}
           data-testid="login-form-submit"
         />
-        <Button
-          loading={loginMutation.isLoading}
-          size={ButtonSize.LARGE}
-          styleVariant={ButtonStyleVariant.PRIMARY}
-          text="Login with OIDC"
-          data-testid="login-form-submit"
-          onClick={openIdLogin}
-        />
+        {openIdInfo && <OpenIdLoginButton url={openIdInfo.url} />}
       </form>
     </section>
   );
diff --git a/web/src/pages/auth/Login/components/OidcButtons.tsx b/web/src/pages/auth/Login/components/OidcButtons.tsx
new file mode 100644
index 0000000000..57efe1435a
--- /dev/null
+++ b/web/src/pages/auth/Login/components/OidcButtons.tsx
@@ -0,0 +1,182 @@
+import './style.scss';
+import { Button } from '../../../../shared/defguard-ui/components/Layout/Button/Button';
+import {
+  ButtonSize,
+  ButtonStyleVariant,
+} from '../../../../shared/defguard-ui/components/Layout/Button/types';
+
+export const OpenIdLoginButton = ({ url }: { url: string }) => {
+  if (url.startsWith('https://accounts.google.com')) {
+    return <GoogleButton url={url} />;
+  } else if (url.startsWith('https://login.microsoftonline.com')) {
+    return <MicrosoftButton url={url} />;
+  } else {
+    return <CustomButton url={url} />;
+  }
+};
+
+const GoogleButton = ({ url }: { url: string }) => {
+  return (
+    <button
+      className="gsi-material-button"
+      onClick={() => {
+        window.location.replace(url);
+      }}
+      type="button"
+    >
+      <div className="gsi-material-button-state"></div>
+      <div className="gsi-material-button-content-wrapper">
+        <div className="gsi-material-button-icon">
+          <svg
+            version="1.1"
+            xmlns="http://www.w3.org/2000/svg"
+            viewBox="0 0 48 48"
+            xmlnsXlink="http://www.w3.org/1999/xlink"
+            style={{
+              display: 'block',
+            }}
+          >
+            <path
+              fill="#EA4335"
+              d="M24 9.5c3.54 0 6.71 1.22 9.21 3.6l6.85-6.85C35.9 2.38 30.47 0 24 0 14.62 0 6.51 5.38 2.56 13.22l7.98 6.19C12.43 13.72 17.74 9.5 24 9.5z"
+            ></path>
+            <path
+              fill="#4285F4"
+              d="M46.98 24.55c0-1.57-.15-3.09-.38-4.55H24v9.02h12.94c-.58 2.96-2.26 5.48-4.78 7.18l7.73 6c4.51-4.18 7.09-10.36 7.09-17.65z"
+            ></path>
+            <path
+              fill="#FBBC05"
+              d="M10.53 28.59c-.48-1.45-.76-2.99-.76-4.59s.27-3.14.76-4.59l-7.98-6.19C.92 16.46 0 20.12 0 24c0 3.88.92 7.54 2.56 10.78l7.97-6.19z"
+            ></path>
+            <path
+              fill="#34A853"
+              d="M24 48c6.48 0 11.93-2.13 15.89-5.81l-7.73-6c-2.15 1.45-4.92 2.3-8.16 2.3-6.26 0-11.57-4.22-13.47-9.91l-7.98 6.19C6.51 42.62 14.62 48 24 48z"
+            ></path>
+            <path fill="none" d="M0 0h48v48H0z"></path>
+          </svg>
+        </div>
+        <span className="gsi-material-button-contents">Sign in with Google</span>
+        <span
+          style={{
+            display: 'none',
+          }}
+        >
+          Sign in with Google
+        </span>
+      </div>
+    </button>
+  );
+};
+
+const CustomButton = ({ url }: { url: string }) => {
+  return (
+    <Button
+      size={ButtonSize.LARGE}
+      styleVariant={ButtonStyleVariant.PRIMARY}
+      text="Login with OIDC"
+      data-testid="login-oidc"
+      onClick={() => {
+        window.location.replace(url);
+      }}
+      type="button"
+    />
+  );
+};
+
+const MicrosoftButton = ({ url }: { url: string }) => {
+  return (
+    <button
+      onClick={() => {
+        window.location.replace(url);
+      }}
+      className="ms-button"
+      type="button"
+    >
+      <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 215 41">
+        <title>Sign in with Microsoft</title>
+        <rect width="215" height="41" fill="#fff" />
+        <path d="M214,1V40H1V1H214m1-1H0V41H215V0Z" fill="#8c8c8c" />
+        <path
+          d="M45.812,25.082V23.288a2.849,2.849,0,0,0,.576.4,4.5,4.5,0,0,0,.707.3,5.513,5.513,0,0,0,.747.187,3.965,3.965,0,0,0,.688.065,2.937,2.937,0,0,0,1.637-.365,1.2,1.2,0,0,0,.538-1.062,1.16,1.16,0,0,0-.179-.649,1.928,1.928,0,0,0-.5-.5,5.355,5.355,0,0,0-.757-.435q-.437-.209-.935-.436c-.356-.19-.687-.383-1-.578a4.358,4.358,0,0,1-.8-.648,2.728,2.728,0,0,1-.534-.8,2.6,2.6,0,0,1-.194-1.047,2.416,2.416,0,0,1,.333-1.285,2.811,2.811,0,0,1,.879-.9,4.026,4.026,0,0,1,1.242-.528,5.922,5.922,0,0,1,1.42-.172,5.715,5.715,0,0,1,2.4.374v1.721a3.832,3.832,0,0,0-2.3-.645,4.106,4.106,0,0,0-.773.074,2.348,2.348,0,0,0-.689.241,1.5,1.5,0,0,0-.494.433,1.054,1.054,0,0,0-.19.637,1.211,1.211,0,0,0,.146.608,1.551,1.551,0,0,0,.429.468,4.276,4.276,0,0,0,.688.414c.271.134.584.28.942.436q.547.285,1.036.6a4.881,4.881,0,0,1,.856.7,3.015,3.015,0,0,1,.586.846,2.464,2.464,0,0,1,.217,1.058,2.635,2.635,0,0,1-.322,1.348,2.608,2.608,0,0,1-.868.892,3.82,3.82,0,0,1-1.257.5,6.988,6.988,0,0,1-1.5.155c-.176,0-.392-.014-.649-.04s-.518-.067-.787-.117a7.772,7.772,0,0,1-.761-.187A2.4,2.4,0,0,1,45.812,25.082Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M55.129,16.426a1.02,1.02,0,0,1-.714-.272.89.89,0,0,1-.3-.688.916.916,0,0,1,.3-.7,1.008,1.008,0,0,1,.714-.278,1.039,1.039,0,0,1,.732.278.909.909,0,0,1,.3.7.9.9,0,0,1-.3.678A1.034,1.034,0,0,1,55.129,16.426Zm.842,9.074h-1.7V18h1.7Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M65.017,24.9q0,4.131-4.153,4.131a6.187,6.187,0,0,1-2.556-.491V26.986a4.726,4.726,0,0,0,2.337.7,2.342,2.342,0,0,0,2.672-2.628V24.24h-.029a2.947,2.947,0,0,1-4.742.436,4.041,4.041,0,0,1-.838-2.684,4.738,4.738,0,0,1,.9-3.04,3,3,0,0,1,2.476-1.128,2.384,2.384,0,0,1,2.2,1.216h.029V18h1.7Zm-1.684-2.835v-.973a1.91,1.91,0,0,0-.524-1.352A1.718,1.718,0,0,0,61.5,19.18a1.793,1.793,0,0,0-1.512.714,3.217,3.217,0,0,0-.546,2,2.774,2.774,0,0,0,.524,1.769,1.678,1.678,0,0,0,1.387.662,1.805,1.805,0,0,0,1.429-.632A2.391,2.391,0,0,0,63.333,22.064Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M73.908,25.5h-1.7V21.273q0-2.1-1.486-2.1a1.622,1.622,0,0,0-1.282.582,2.162,2.162,0,0,0-.5,1.469V25.5H67.229V18h1.707v1.245h.029A2.673,2.673,0,0,1,71.4,17.824a2.265,2.265,0,0,1,1.868.795,3.57,3.57,0,0,1,.644,2.3Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M80.962,16.426a1.02,1.02,0,0,1-.714-.272.89.89,0,0,1-.3-.688.916.916,0,0,1,.3-.7,1.008,1.008,0,0,1,.714-.278,1.039,1.039,0,0,1,.732.278.909.909,0,0,1,.3.7.9.9,0,0,1-.3.678A1.034,1.034,0,0,1,80.962,16.426ZM81.8,25.5H80.1V18h1.7Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M90.7,25.5H89V21.273q0-2.1-1.486-2.1a1.622,1.622,0,0,0-1.282.582,2.157,2.157,0,0,0-.506,1.469V25.5H84.023V18H85.73v1.245h.03a2.673,2.673,0,0,1,2.431-1.421,2.265,2.265,0,0,1,1.868.795,3.57,3.57,0,0,1,.644,2.3Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M106.984,18l-2.212,7.5h-1.78l-1.361-5.083a3.215,3.215,0,0,1-.1-.659H101.5a3.069,3.069,0,0,1-.131.644l-1.48,5.1H98.145L95.939,18H97.7l1.363,5.405a3.16,3.16,0,0,1,.087.645H99.2a3.384,3.384,0,0,1,.117-.659L100.832,18h1.6l1.347,5.428a3.732,3.732,0,0,1,.095.644h.052a3.387,3.387,0,0,1,.11-.644L105.365,18Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M109.1,16.426a1.018,1.018,0,0,1-.714-.272.886.886,0,0,1-.3-.688.912.912,0,0,1,.3-.7,1.006,1.006,0,0,1,.714-.278,1.039,1.039,0,0,1,.732.278.912.912,0,0,1,.3.7.9.9,0,0,1-.3.678A1.034,1.034,0,0,1,109.1,16.426Zm.841,9.074h-1.7V18h1.7Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M116.117,25.42a2.955,2.955,0,0,1-1.31.248q-2.182,0-2.183-2.094V19.333h-1.253V18h1.253V16.264l1.7-.483V18h1.794v1.333h-1.794v3.75a1.484,1.484,0,0,0,.241.952,1.006,1.006,0,0,0,.807.285,1.167,1.167,0,0,0,.746-.248Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M124.248,25.5h-1.7V21.4q0-2.226-1.487-2.226a1.556,1.556,0,0,0-1.26.644,2.568,2.568,0,0,0-.513,1.649V25.5h-1.707V14.4h1.707v4.849h.029a2.685,2.685,0,0,1,2.432-1.421q2.5,0,2.5,3.055Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M141.907,25.5h-1.728V18.7q0-.835.1-2.043h-.029a6.992,6.992,0,0,1-.285.988L136.831,25.5h-1.2l-3.143-7.793a7.236,7.236,0,0,1-.277-1.047h-.029q.057.63.058,2.058V25.5h-1.611V15h2.453l2.762,7a10.884,10.884,0,0,1,.41,1.2h.036c.181-.551.327-.962.44-1.23L139.541,15h2.366Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M145.158,16.426a1.022,1.022,0,0,1-.714-.272.89.89,0,0,1-.3-.688.916.916,0,0,1,.3-.7,1.009,1.009,0,0,1,.714-.278,1.043,1.043,0,0,1,.733.278.911.911,0,0,1,.3.7.9.9,0,0,1-.3.678A1.038,1.038,0,0,1,145.158,16.426ZM146,25.5h-1.7V18H146Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M153.589,25.156a4.2,4.2,0,0,1-2.131.52,3.606,3.606,0,0,1-2.695-1.044,3.691,3.691,0,0,1-1.026-2.706,4.07,4.07,0,0,1,1.1-2.978,3.944,3.944,0,0,1,2.948-1.124,4.3,4.3,0,0,1,1.81.36v1.582a2.743,2.743,0,0,0-1.67-.586,2.32,2.32,0,0,0-1.766.728,2.665,2.665,0,0,0-.688,1.908,2.536,2.536,0,0,0,.648,1.838,2.3,2.3,0,0,0,1.739.674,2.716,2.716,0,0,0,1.729-.652Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M159.625,19.619a1.4,1.4,0,0,0-.887-.242,1.513,1.513,0,0,0-1.259.682,3.04,3.04,0,0,0-.506,1.852V25.5h-1.7V18h1.7v1.545H157a2.606,2.606,0,0,1,.766-1.233,1.724,1.724,0,0,1,1.154-.444,1.432,1.432,0,0,1,.7.14Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M164.02,25.676a3.719,3.719,0,0,1-2.773-1.051,3.8,3.8,0,0,1-1.036-2.787,3.7,3.7,0,0,1,3.991-4.014,3.6,3.6,0,0,1,2.739,1.033,3.986,3.986,0,0,1,.982,2.864,3.932,3.932,0,0,1-1.059,2.875A3.8,3.8,0,0,1,164.02,25.676Zm.08-6.5a1.938,1.938,0,0,0-1.575.7,2.913,2.913,0,0,0-.579,1.919,2.744,2.744,0,0,0,.586,1.856,1.965,1.965,0,0,0,1.568.678,1.87,1.87,0,0,0,1.542-.666,2.956,2.956,0,0,0,.538-1.9,3,3,0,0,0-.538-1.911A1.858,1.858,0,0,0,164.1,19.18Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M169.182,25.266V23.691a3.392,3.392,0,0,0,2.1.725q1.539,0,1.538-.908a.714.714,0,0,0-.132-.436,1.241,1.241,0,0,0-.355-.318,2.784,2.784,0,0,0-.527-.25q-.3-.108-.677-.248a7.052,7.052,0,0,1-.832-.389,2.545,2.545,0,0,1-.615-.465,1.745,1.745,0,0,1-.37-.59,2.145,2.145,0,0,1-.125-.769,1.775,1.775,0,0,1,.256-.955,2.223,2.223,0,0,1,.69-.7,3.289,3.289,0,0,1,.98-.425,4.511,4.511,0,0,1,1.136-.143,5.181,5.181,0,0,1,1.86.315v1.487a3.136,3.136,0,0,0-1.816-.542,2.317,2.317,0,0,0-.582.066,1.472,1.472,0,0,0-.443.183.886.886,0,0,0-.286.282.669.669,0,0,0-.1.363.77.77,0,0,0,.1.41.93.93,0,0,0,.3.3,2.654,2.654,0,0,0,.483.234q.282.105.649.23a9.4,9.4,0,0,1,.867.4,2.886,2.886,0,0,1,.656.465,1.806,1.806,0,0,1,.417.6,2.034,2.034,0,0,1,.147.81,1.847,1.847,0,0,1-.264,1,2.205,2.205,0,0,1-.7.7,3.292,3.292,0,0,1-1.015.413,5.222,5.222,0,0,1-1.212.136A5.115,5.115,0,0,1,169.182,25.266Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M179.443,25.676a3.717,3.717,0,0,1-2.772-1.051,3.793,3.793,0,0,1-1.036-2.787,3.7,3.7,0,0,1,3.991-4.014,3.6,3.6,0,0,1,2.739,1.033,3.986,3.986,0,0,1,.982,2.864,3.932,3.932,0,0,1-1.059,2.875A3.8,3.8,0,0,1,179.443,25.676Zm.08-6.5a1.936,1.936,0,0,0-1.574.7,2.908,2.908,0,0,0-.579,1.919,2.739,2.739,0,0,0,.586,1.856,1.964,1.964,0,0,0,1.567.678,1.868,1.868,0,0,0,1.542-.666,2.95,2.95,0,0,0,.539-1.9,2.99,2.99,0,0,0-.539-1.911A1.857,1.857,0,0,0,179.523,19.18Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M189.067,15.781a1.533,1.533,0,0,0-.784-.2q-1.237,0-1.237,1.4V18h1.743v1.333h-1.736V25.5h-1.7V19.333h-1.282V18h1.282V16.784a2.362,2.362,0,0,1,.777-1.871,2.82,2.82,0,0,1,1.94-.684,2.879,2.879,0,0,1,1,.138Z"
+          fill="#5e5e5e"
+        />
+        <path
+          d="M194.23,25.42a2.955,2.955,0,0,1-1.31.248q-2.182,0-2.183-2.094V19.333h-1.253V18h1.253V16.264l1.7-.483V18h1.793v1.333h-1.793v3.75a1.484,1.484,0,0,0,.241.952,1,1,0,0,0,.806.285,1.165,1.165,0,0,0,.746-.248Z"
+          fill="#5e5e5e"
+        />
+        <rect x="13" y="11" width="9" height="9" fill="#f25022" />
+        <rect x="13" y="21" width="9" height="9" fill="#00a4ef" />
+        <rect x="23" y="11" width="9" height="9" fill="#7fba00" />
+        <rect x="23" y="21" width="9" height="9" fill="#ffb900" />
+      </svg>
+    </button>
+  );
+};
diff --git a/web/src/pages/auth/Login/components/style.scss b/web/src/pages/auth/Login/components/style.scss
new file mode 100644
index 0000000000..dd798a7518
--- /dev/null
+++ b/web/src/pages/auth/Login/components/style.scss
@@ -0,0 +1,110 @@
+.gsi-material-button {
+  -moz-user-select: none;
+  -webkit-user-select: none;
+  -ms-user-select: none;
+  -webkit-appearance: none;
+  background-color: WHITE;
+  background-image: none;
+  border: 1px solid #747775;
+  -webkit-border-radius: 4px;
+  border-radius: 4px;
+  -webkit-box-sizing: border-box;
+  box-sizing: border-box;
+  color: #1f1f1f;
+  cursor: pointer;
+  font-family: 'Roboto', arial, sans-serif;
+  font-size: 14px;
+  height: 40px;
+  letter-spacing: 0.25px;
+  outline: none;
+  overflow: hidden;
+  padding: 0 12px;
+  position: relative;
+  text-align: center;
+  -webkit-transition: background-color .218s, border-color .218s, box-shadow .218s;
+  transition: background-color .218s, border-color .218s, box-shadow .218s;
+  vertical-align: middle;
+  white-space: nowrap;
+  width: auto;
+  max-width: 400px;
+  min-width: min-content;
+}
+
+.gsi-material-button .gsi-material-button-icon {
+  height: 20px;
+  margin-right: 12px;
+  min-width: 20px;
+  width: 20px;
+}
+
+.gsi-material-button .gsi-material-button-content-wrapper {
+  -webkit-align-items: center;
+  align-items: center;
+  display: flex;
+  -webkit-flex-direction: row;
+  flex-direction: row;
+  -webkit-flex-wrap: nowrap;
+  flex-wrap: nowrap;
+  height: 100%;
+  justify-content: space-between;
+  position: relative;
+  width: 100%;
+}
+
+.gsi-material-button .gsi-material-button-contents {
+  -webkit-flex-grow: 1;
+  flex-grow: 1;
+  font-family: 'Roboto', arial, sans-serif;
+  font-weight: 500;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  vertical-align: top;
+}
+
+.gsi-material-button .gsi-material-button-state {
+  -webkit-transition: opacity .218s;
+  transition: opacity .218s;
+  bottom: 0;
+  left: 0;
+  opacity: 0;
+  position: absolute;
+  right: 0;
+  top: 0;
+}
+
+.gsi-material-button:disabled {
+  cursor: default;
+  background-color: #ffffff61;
+  border-color: #1f1f1f1f;
+}
+
+.gsi-material-button:disabled .gsi-material-button-contents {
+  opacity: 38%;
+}
+
+.gsi-material-button:disabled .gsi-material-button-icon {
+  opacity: 38%;
+}
+
+.gsi-material-button:not(:disabled):active .gsi-material-button-state, 
+.gsi-material-button:not(:disabled):focus .gsi-material-button-state {
+  background-color: #303030;
+  opacity: 12%;
+}
+
+.gsi-material-button:not(:disabled):hover {
+  -webkit-box-shadow: 0 1px 2px 0 rgba(60, 64, 67, .30), 0 1px 3px 1px rgba(60, 64, 67, .15);
+  box-shadow: 0 1px 2px 0 rgba(60, 64, 67, .30), 0 1px 3px 1px rgba(60, 64, 67, .15);
+}
+
+.gsi-material-button:not(:disabled):hover .gsi-material-button-state {
+  background-color: #303030;
+  opacity: 8%;
+}
+
+.ms-button {
+  background-color: transparent;
+  border: none;
+  cursor: pointer;
+  padding: 0;
+}
\ No newline at end of file
diff --git a/web/src/pages/auth/Login/style.scss b/web/src/pages/auth/Login/style.scss
index 46b746ad0e..a35ae9200c 100644
--- a/web/src/pages/auth/Login/style.scss
+++ b/web/src/pages/auth/Login/style.scss
@@ -36,6 +36,10 @@
       margin-bottom: 5px;
     }
 
+    & > .btn {
+      margin-bottom: 10px;
+    }
+
     & > * {
       width: 100%;
     }
diff --git a/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx b/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
index bb4d08a60b..791ac8666e 100644
--- a/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
@@ -1,11 +1,17 @@
 import './style.scss';
 
 import { OpenIdSettingsForm } from './components/OpenIdSettingsForm';
+import { OpenIdGeneralSettings } from './components/OpenIdGeneralSettings';
 
 export const OpenIdSettings = () => {
   return (
-    <div className="left">
-      <OpenIdSettingsForm />
-    </div>
+    <>
+      <div className="left">
+        <OpenIdGeneralSettings />
+      </div>
+      <div className="right">
+        <OpenIdSettingsForm />
+      </div>
+    </>
   );
 };
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
new file mode 100644
index 0000000000..47cf9f6eeb
--- /dev/null
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
@@ -0,0 +1,55 @@
+import './style.scss';
+
+import { useMutation, useQueryClient } from '@tanstack/react-query';
+
+import { useI18nContext } from '../../../../../i18n/i18n-react';
+import { LabeledCheckbox } from '../../../../../shared/defguard-ui/components/Layout/LabeledCheckbox/LabeledCheckbox';
+import useApi from '../../../../../shared/hooks/useApi';
+import { useToaster } from '../../../../../shared/hooks/useToaster';
+import { MutationKeys } from '../../../../../shared/mutations';
+import { QueryKeys } from '../../../../../shared/queries';
+import { useSettingsPage } from '../../../hooks/useSettingsPage';
+
+export const OpenIdGeneralSettings = () => {
+  const { LL } = useI18nContext();
+  const localLL = LL.settingsPage.openIdSettings;
+  const toaster = useToaster();
+  const {
+    settings: { patchSettings },
+  } = useApi();
+
+  const settings = useSettingsPage((state) => state.settings);
+
+  const queryClient = useQueryClient();
+
+  const { mutate, isLoading } = useMutation([MutationKeys.EDIT_SETTINGS], patchSettings, {
+    onSuccess: () => {
+      queryClient.invalidateQueries([QueryKeys.FETCH_ESSENTIAL_SETTINGS]);
+      queryClient.invalidateQueries([QueryKeys.FETCH_SETTINGS]);
+      toaster.success(LL.settingsPage.messages.editSuccess());
+    },
+    onError: () => {
+      toaster.error(LL.messages.error());
+    },
+  });
+
+  if (!settings) return null;
+
+  return (
+    <section id="openid-settings">
+      <header>
+        <h2>{localLL.titleGeneral()}</h2>
+      </header>
+      <div>
+        <LabeledCheckbox
+          disabled={isLoading}
+          label={localLL.general.createAccount()}
+          value={settings.openid_create_account}
+          onChange={() =>
+            mutate({ openid_create_account: !settings.openid_create_account })
+          }
+        />
+      </div>
+    </section>
+  );
+};
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
index c99576d2f8..7252e296f4 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -36,11 +36,16 @@ export const OpenIdSettingsForm = () => {
   const {
     settings: { fetchOpenIdProviders, addOpenIdProvider },
   } = useApi();
-  const { data: provider, isLoading } = useQuery({
+
+  const { isLoading } = useQuery({
     queryFn: fetchOpenIdProviders,
     queryKey: [QueryKeys.FETCH_OPENID_PROVIDERS],
     refetchOnMount: true,
     refetchOnWindowFocus: false,
+    onSuccess: (provider) => {
+      setCurrentProvider(provider);
+    },
+    retry: false,
   });
 
   const toaster = useToaster();
@@ -57,12 +62,6 @@ export const OpenIdSettingsForm = () => {
     },
   });
 
-  useEffect(() => {
-    if (provider) {
-      setCurrentProvider(provider);
-    }
-  }, [provider]);
-
   const schema = useMemo(
     () =>
       z.object({
@@ -94,7 +93,7 @@ export const OpenIdSettingsForm = () => {
     mode: 'all',
   });
 
-  // Make sure the form is refresh
+  // Make sure the form data is fresh
   useEffect(() => {
     reset(defaultValues);
   }, [defaultValues, reset]);
@@ -149,21 +148,23 @@ export const OpenIdSettingsForm = () => {
     }
   }, []);
 
-  const handleChange = async (val: string) => {
-    console.log(currentProvider?.base_url);
-    setCurrentProvider({
-      id: currentProvider?.id ?? 0,
-      name: val,
-      base_url: getProviderUrl({ name: val }) ?? '',
-      client_id: currentProvider?.client_id ?? '',
-      client_secret: currentProvider?.client_secret ?? '',
-    });
-  };
+  const handleChange = useCallback(
+    (val: string) => {
+      setCurrentProvider({
+        id: currentProvider?.id ?? 0,
+        name: val,
+        base_url: getProviderUrl({ name: val }) ?? '',
+        client_id: currentProvider?.client_id ?? '',
+        client_secret: currentProvider?.client_secret ?? '',
+      });
+    },
+    [currentProvider, getProviderUrl],
+  );
 
   return (
     <section id="openid-settings">
       <header>
-        <h2>{localLL.title()}</h2>
+        <h2>{localLL.titleClient()}</h2>
         <Button
           size={ButtonSize.SMALL}
           styleVariant={ButtonStyleVariant.SAVE}
diff --git a/web/src/shared/hooks/store/useAuthStore.ts b/web/src/shared/hooks/store/useAuthStore.ts
index ef8e9fa812..3b6c850841 100644
--- a/web/src/shared/hooks/store/useAuthStore.ts
+++ b/web/src/shared/hooks/store/useAuthStore.ts
@@ -3,7 +3,7 @@ import { Subject } from 'rxjs';
 import { createJSONStorage, persist } from 'zustand/middleware';
 import { createWithEqualityFn } from 'zustand/traditional';
 
-import { LoginSubjectData, User } from '../../types';
+import { LoginSubjectData, OpenIdInfoResponse, OpenIdProvider, User } from '../../types';
 
 export const useAuthStore = createWithEqualityFn<AuthStore>()(
   persist(
@@ -34,6 +34,8 @@ export interface AuthStore {
   isAdmin?: boolean;
   // If this is set, redirect user to allow page and nowhere else
   openIdParams?: URLSearchParams;
+  // External oidc info required for login
+  openIdLoginInfo?: OpenIdInfoResponse;
   setState: (newState: Partial<AuthStore>) => void;
   resetState: () => void;
 }
diff --git a/web/src/shared/hooks/useApi.tsx b/web/src/shared/hooks/useApi.tsx
index 723b6a4c98..dfe188ba95 100644
--- a/web/src/shared/hooks/useApi.tsx
+++ b/web/src/shared/hooks/useApi.tsx
@@ -153,7 +153,7 @@ const useApi = (props?: HookProps): ApiHook => {
 
   const logout = () => client.post<EmptyApiResponse>('/auth/logout').then(unpackRequest);
 
-  const getOpenidInfo: ApiHook['auth']['openid']['getOpenidInfo'] = () =>
+  const getOpenidInfo: ApiHook['auth']['openid']['getOpenIdInfo'] = () =>
     client.get(`/openid/auth_info`).then(unpackRequest);
 
   const usernameAvailable = (username: string) =>
@@ -543,7 +543,7 @@ const useApi = (props?: HookProps): ApiHook => {
       login,
       logout,
       openid: {
-        getOpenidInfo,
+        getOpenIdInfo: getOpenidInfo,
       },
       mfa: {
         disable: mfaDisable,
diff --git a/web/src/shared/queries.ts b/web/src/shared/queries.ts
index a977d62ec6..1087fcbb58 100644
--- a/web/src/shared/queries.ts
+++ b/web/src/shared/queries.ts
@@ -27,4 +27,5 @@ export const QueryKeys = {
   FETCH_LOGS: 'FETCH_LOGS',
   FETCH_AUTHENTICATION_KEYS_INFO: 'FETCH_AUTHENTICATION_KEYS_INFO',
   FETCH_OPENID_PROVIDERS: 'FETCH_OPENID_PROVIDERS',
+  FETCH_OPENID_INFO: 'FETCH_OPENID_INFO',
 };
diff --git a/web/src/shared/types.ts b/web/src/shared/types.ts
index 5082a5944f..3df675374e 100644
--- a/web/src/shared/types.ts
+++ b/web/src/shared/types.ts
@@ -307,7 +307,7 @@ export interface LoginResponse {
   mfa?: MFALoginResponse;
 }
 
-export interface OpenidInfoResponse {
+export interface OpenIdInfoResponse {
   url: string;
   nonce: string;
   csrf: string;
@@ -507,7 +507,7 @@ export interface ApiHook {
     login: (data: LoginData) => Promise<LoginResponse>;
     logout: () => EmptyApiResponse;
     openid: {
-      getOpenidInfo: () => Promise<OpenidInfoResponse>;
+      getOpenIdInfo: () => Promise<OpenIdInfoResponse>;
     };
     mfa: {
       disable: () => EmptyApiResponse;
@@ -854,10 +854,7 @@ export type SettingsWeb3 = {
 };
 
 export type SettingsOpenID = {
-  name: string;
-  base_url: string;
-  client_id: string;
-  client_secret: string;
+  openid_create_account: boolean;
 };
 
 export interface Webhook {

From bc705e5a9113663dafad0df186df8975147efb06 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 15 Jul 2024 13:33:44 +0200
Subject: [PATCH 11/73] cleanup

---
 src/enterprise/handlers/openid_login.rs | 25 +++++++------------------
 src/lib.rs                              |  3 +--
 2 files changed, 8 insertions(+), 20 deletions(-)

diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 606462bc22..88d7e93dba 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -1,38 +1,29 @@
 use axum::http::header::LOCATION;
 use axum::http::{HeaderMap, HeaderValue, StatusCode};
-use axum::response::{IntoResponse, Redirect, Response};
+
 use axum_extra::extract::cookie::{Cookie, SameSite};
 use serde_json::json;
-use sqlx::PgPool;
-use std::collections::HashMap;
+
 use time::Duration;
 
 use axum::extract::{Query, State};
-use axum::Json;
+
 use axum_client_ip::{InsecureClientIp, LeftmostXForwardedFor};
 use axum_extra::extract::{CookieJar, PrivateCookieJar};
 use axum_extra::headers::UserAgent;
 use axum_extra::TypedHeader;
-use openidconnect::core::{
-    CoreAuthDisplay, CoreClaimName, CoreClaimType, CoreClient, CoreClientAuthMethod, CoreGrantType,
-    CoreIdTokenClaims, CoreIdTokenVerifier, CoreJsonWebKey, CoreJweContentEncryptionAlgorithm,
-    CoreJweKeyManagementAlgorithm, CoreResponseMode, CoreResponseType, CoreRevocableToken,
-    CoreSubjectIdentifierType,
-};
+use openidconnect::core::{CoreClient, CoreResponseType};
 use openidconnect::{
     core::CoreProviderMetadata, reqwest::async_http_client, ClientId, ClientSecret, IssuerUrl,
-    ProviderMetadata, RedirectUrl, RevocationUrl,
-};
-use openidconnect::{
-    AuthenticationFlow, AuthorizationCode, CsrfToken, EndUserEmail, EndUserFamilyName,
-    EndUserGivenName, LanguageTag, LocalizedClaim, Nonce, Scope,
+    ProviderMetadata, RedirectUrl,
 };
+use openidconnect::{AuthenticationFlow, AuthorizationCode, CsrfToken, Nonce, Scope};
 
 use crate::appstate::AppState;
 use crate::db::{AppEvent, DbPool, Session, SessionState, Settings, User, UserInfo};
 use crate::enterprise::db::models::openid_provider::OpenIdProvider;
 use crate::error::WebError;
-use crate::handlers::{ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_COOKIE_NAME};
+use crate::handlers::{ApiResponse, SESSION_COOKIE_NAME};
 use crate::headers::{check_new_device_login, get_user_agent_device, parse_user_agent};
 use crate::server_config;
 
@@ -68,8 +59,6 @@ async fn get_provider_metadata(url: &str) -> Result<ProvMeta, WebError> {
             }
         };
 
-    println!("{:?}", provider_metadata);
-
     Ok(provider_metadata)
 }
 
diff --git a/src/lib.rs b/src/lib.rs
index 983c58715f..d51615f619 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -15,8 +15,7 @@ use assets::{index, svg, web_asset};
 use enterprise::handlers::{
     openid_login::{auth_callback, get_auth_info},
     openid_providers::{
-        add_openid_provider, delete_openid_provider, get_current_openid_provider,
-        list_openid_providers, modify_openid_provider,
+        add_openid_provider, get_current_openid_provider,
     },
 };
 use handlers::ssh_authorized_keys::{

From 7b49cd3de2c8011dfcc2e4c976532eec77a520b2 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 15 Jul 2024 13:38:27 +0200
Subject: [PATCH 12/73] cargo lock

---
 Cargo.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Cargo.lock b/Cargo.lock
index 9fb222b541..5a644ce8b5 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2604,7 +2604,7 @@ dependencies = [
  "getrandom",
  "http 0.2.12",
  "rand",
- "reqwest",
+ "reqwest 0.11.27",
  "serde",
  "serde_json",
  "serde_path_to_error",

From d5d92131f11ba3e8156b0002404d54b31597068b Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 15 Jul 2024 13:42:38 +0200
Subject: [PATCH 13/73] parse url

---
 web/src/pages/auth/Login/components/OidcButtons.tsx | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/web/src/pages/auth/Login/components/OidcButtons.tsx b/web/src/pages/auth/Login/components/OidcButtons.tsx
index 57efe1435a..a073a238ec 100644
--- a/web/src/pages/auth/Login/components/OidcButtons.tsx
+++ b/web/src/pages/auth/Login/components/OidcButtons.tsx
@@ -6,9 +6,11 @@ import {
 } from '../../../../shared/defguard-ui/components/Layout/Button/types';
 
 export const OpenIdLoginButton = ({ url }: { url: string }) => {
-  if (url.startsWith('https://accounts.google.com')) {
+  const { hostname } = new URL(url);
+
+  if (hostname === 'accounts.google.com') {
     return <GoogleButton url={url} />;
-  } else if (url.startsWith('https://login.microsoftonline.com')) {
+  } else if (hostname === 'login.microsoftonline.com') {
     return <MicrosoftButton url={url} />;
   } else {
     return <CustomButton url={url} />;

From ef39ec59128f912cee8c98671d13cedbd2675dde Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 15 Jul 2024 13:44:04 +0200
Subject: [PATCH 14/73] format

---
 src/lib.rs | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/lib.rs b/src/lib.rs
index ef4c5e3af1..6c7d91989d 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -14,9 +14,7 @@ use axum::{
 use assets::{index, svg, web_asset};
 use enterprise::handlers::{
     openid_login::{auth_callback, get_auth_info},
-    openid_providers::{
-        add_openid_provider, get_current_openid_provider,
-    },
+    openid_providers::{add_openid_provider, get_current_openid_provider},
 };
 use handlers::ssh_authorized_keys::{
     add_authentication_key, delete_authentication_key, fetch_authentication_keys,

From 173a5047dad2f10a0fc563cf5d3eb5031b1693ae Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 15 Jul 2024 14:26:30 +0200
Subject: [PATCH 15/73] cleanup and comments

---
 src/enterprise/handlers/openid_login.rs | 98 ++++++++++++-------------
 1 file changed, 48 insertions(+), 50 deletions(-)

diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 88d7e93dba..8f91ccb002 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -48,6 +48,9 @@ type ProvMeta = ProviderMetadata<
 async fn get_provider_metadata(url: &str) -> Result<ProvMeta, WebError> {
     let issuer_url = IssuerUrl::new(url.to_string()).unwrap();
 
+    // Discover the provider metadata based on a known base issuer URL
+    // The url should be in the form of e.g. https://accounts.google.com
+    // The url shouldn't contain a .well-known part, it will be added automatically
     let provider_metadata =
         match CoreProviderMetadata::discover_async(issuer_url, async_http_client).await {
             Ok(metadata) => metadata,
@@ -99,6 +102,7 @@ pub async fn get_auth_info(
 ) -> Result<(PrivateCookieJar, ApiResponse), WebError> {
     let client = make_oidc_client(&appstate.pool).await?;
 
+    // Generate the redirect URL and the values needed later for callback authenticity verification
     let (authorize_url, csrf_state, nonce) = client
         .authorize_url(
             AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
@@ -110,7 +114,6 @@ pub async fn get_auth_info(
         .url();
 
     let config = server_config();
-
     let nonce_cookie = Cookie::build(("nonce", nonce.secret().clone()))
         .domain(
             config
@@ -124,7 +127,6 @@ pub async fn get_auth_info(
         .secure(true)
         .max_age(Duration::days(1))
         .build();
-
     let csrf_cookie = Cookie::build(("csrf", csrf_state.secret().clone()))
         .domain(
             config
@@ -138,7 +140,6 @@ pub async fn get_auth_info(
         .secure(true)
         .max_age(Duration::days(1))
         .build();
-
     let private_cookies = private_cookies.add(nonce_cookie).add(csrf_cookie);
 
     Ok((
@@ -154,17 +155,6 @@ pub async fn get_auth_info(
     ))
 }
 
-/// Helper function to return redirection with status code 302.
-fn redirect_to<T: AsRef<str>>(uri: T, cookies: CookieJar) -> (StatusCode, HeaderMap, CookieJar) {
-    let mut headers = HeaderMap::new();
-    headers.insert(
-        LOCATION,
-        HeaderValue::try_from(uri.as_ref()).expect("URI isn't a valid header value"),
-    );
-
-    (StatusCode::FOUND, headers, cookies)
-}
-
 #[derive(Deserialize, Serialize, Debug)]
 pub struct AuthenticationResponse {
     code: AuthorizationCode,
@@ -179,8 +169,11 @@ pub async fn auth_callback(
     InsecureClientIp(insecure_ip): InsecureClientIp,
     Query(params): Query<AuthenticationResponse>,
     State(appstate): State<AppState>,
-) -> Result<(StatusCode, HeaderMap, CookieJar), WebError> {
+) -> Result<(StatusCode, HeaderMap, CookieJar, PrivateCookieJar), WebError> {
     debug!("Auth callback received, logging in user...");
+
+    // Get the nonce and csrf cookies, we need them to verify the callback
+    let mut private_cookies = private_cookies;
     let cookie_nonce = private_cookies
         .get("nonce")
         .ok_or(WebError::Authorization(
@@ -188,19 +181,19 @@ pub async fn auth_callback(
         ))?
         .value_trimmed()
         .to_string();
-
     let cookie_csrf = private_cookies
         .get("csrf")
         .ok_or(WebError::BadRequest("CSRF cookie not found".to_string()))?
         .value_trimmed()
         .to_string();
 
+    // Verify the csrf token
     if params.state.secret() != &cookie_csrf {
         return Err(WebError::Authorization("CSRF token mismatch".to_string()));
     };
 
+    // Get the ID token and verify it against the nonce value received in the callback
     let client = make_oidc_client(&appstate.pool).await?;
-
     let token = client
         .exchange_code(params.code)
         .request_async(async_http_client)
@@ -211,9 +204,7 @@ pub async fn auth_callback(
                 error
             ))
         })?;
-
     let nonce = Nonce::new(cookie_nonce);
-
     let token_verifier = client.id_token_verifier();
     let id_token = match token.extra_fields().id_token() {
         Some(token) => token,
@@ -224,6 +215,11 @@ pub async fn auth_callback(
         }
     };
 
+    private_cookies = private_cookies
+        .remove(Cookie::from("nonce"))
+        .remove(Cookie::from("csrf"));
+
+    // claims = user attributes
     let token_claims = match id_token.claims(&token_verifier, &nonce) {
         Ok(claims) => claims,
         Err(error) => {
@@ -234,32 +230,10 @@ pub async fn auth_callback(
         }
     };
 
+    // Only email and username is required for user lookup and login
     let email = token_claims.email().ok_or(WebError::BadRequest(
         "Email not found in the information returned from provider.".to_string(),
     ))?;
-
-    // Extract given name and family name from the localized token claims
-    // 'None' extracts the default value without the need to specify a language
-
-    let given_name_error = "Given name not found in the information returned from provider.";
-
-    let given_name = token_claims
-        .given_name()
-        .ok_or(WebError::BadRequest(given_name_error.to_string()))?
-        // Gets the
-        .get(None)
-        .ok_or(WebError::BadRequest(given_name_error.to_string()))?;
-
-    let family_name_error = "Family name not found in the information returned from provider.";
-
-    let family_name = token_claims
-        .family_name()
-        .ok_or(WebError::BadRequest(family_name_error.to_string()))?
-        .get(None)
-        .ok_or(WebError::BadRequest(family_name_error.to_string()))?;
-
-    let phone = token_claims.phone_number();
-
     let username = email
         .split('@')
         .next()
@@ -267,13 +241,18 @@ pub async fn auth_callback(
             "Failed to extract username from email address".to_string(),
         ))?
         // + is not allowed in usernames, but fairly common in email addresses
-        // TODO: Make this more robust, trim everything that's forbidden in usernames
+        // TODO: Make this more robust, maybe trim everything that's forbidden in usernames
         .replace('+', "_");
 
+    // Handle logging in or creating the user
     let settings = Settings::get_settings(&appstate.pool).await?;
-
     let user = match User::find_by_email(&appstate.pool, email).await {
         Ok(Some(mut user)) => {
+            // Make sure the user is not disabled
+            if !user.is_active {
+                return Err(WebError::Authorization("User is disabled".to_string()));
+            }
+
             if !user.openid_login {
                 user.openid_login = true;
                 user.save(&appstate.pool).await?;
@@ -281,6 +260,7 @@ pub async fn auth_callback(
             user
         }
         Ok(None) => {
+            // Check if the user should be created if they don't exist (default: true)
             if settings.openid_create_account {
                 // Check if user with the same username already exists
                 if User::find_by_username(&appstate.pool, &username)
@@ -293,6 +273,24 @@ pub async fn auth_callback(
                     )));
                 }
 
+                // Extract all necessary information from the token needed to create an account
+                let given_name_error =
+                    "Given name not found in the information returned from provider.";
+                let given_name = token_claims
+                    .given_name()
+                    .ok_or(WebError::BadRequest(given_name_error.to_string()))?
+                    // 'None' gets you the default value from a localized claim. Otherwise you would need to pass a locale.
+                    .get(None)
+                    .ok_or(WebError::BadRequest(given_name_error.to_string()))?;
+                let family_name_error =
+                    "Family name not found in the information returned from provider.";
+                let family_name = token_claims
+                    .family_name()
+                    .ok_or(WebError::BadRequest(family_name_error.to_string()))?
+                    .get(None)
+                    .ok_or(WebError::BadRequest(family_name_error.to_string()))?;
+                let phone = token_claims.phone_number();
+
                 let mut user = User::new(
                     username.to_string(),
                     None,
@@ -316,6 +314,7 @@ pub async fn auth_callback(
         }
     };
 
+    // Handle creating the session
     let ip_address = forwarded_for_ip.map_or(insecure_ip, |v| v.0).to_string();
     let user_agent_string = match user_agent {
         Some(value) => value.to_string(),
@@ -323,7 +322,6 @@ pub async fn auth_callback(
     };
     let agent = parse_user_agent(&appstate.user_agent_parser, &user_agent_string);
     let device_info = agent.clone().map(|v| get_user_agent_device(&v));
-
     Session::delete_expired(&appstate.pool).await?;
     let session = Session::new(
         user.id.unwrap(),
@@ -332,7 +330,6 @@ pub async fn auth_callback(
         device_info,
     );
     session.save(&appstate.pool).await?;
-
     let max_age = Duration::seconds(server_config().auth_cookie_timeout.as_secs() as i64);
     let config = server_config();
     let auth_cookie = Cookie::build((SESSION_COOKIE_NAME, session.id.clone()))
@@ -348,12 +345,9 @@ pub async fn auth_callback(
         .same_site(SameSite::Lax)
         .max_age(max_age);
     let cookies = cookies.add(auth_cookie);
-
     let login_event_type = "AUTHENTICATION".to_string();
-
     let user_info = UserInfo::from_user(&appstate.pool, &user).await?;
     appstate.trigger_action(AppEvent::UserCreated(user_info.clone()));
-
     check_new_device_login(
         &appstate.pool,
         &appstate.mail_tx,
@@ -370,5 +364,9 @@ pub async fn auth_callback(
         user.username
     );
 
-    Ok(redirect_to("/", cookies))
+    // Redirect to '/' on successful login
+    let mut headers = HeaderMap::new();
+    let header_value = HeaderValue::from_str("/").or(Err(StatusCode::INTERNAL_SERVER_ERROR))?;
+    headers.insert(LOCATION, header_value);
+    Ok((StatusCode::FOUND, headers, cookies, private_cookies))
 }

From 7fdf856407947fbae74216ee9992f8495caf5186 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 15 Jul 2024 14:40:41 +0200
Subject: [PATCH 16/73] sqlx prepare

---
 ...72929d6a612846acf4a5489c36a04cb57de59.json | 22 +++++++++++++++++++
 ...ab52c14293fa64d260db812c89ed43a5a7cc8.json | 15 +++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 .sqlx/query-0ad599ef120ecc02b030bd1276172929d6a612846acf4a5489c36a04cb57de59.json
 create mode 100644 .sqlx/query-1bb3c8ecbd6500717d639678e08ab52c14293fa64d260db812c89ed43a5a7cc8.json

diff --git a/.sqlx/query-0ad599ef120ecc02b030bd1276172929d6a612846acf4a5489c36a04cb57de59.json b/.sqlx/query-0ad599ef120ecc02b030bd1276172929d6a612846acf4a5489c36a04cb57de59.json
new file mode 100644
index 0000000000..ce67e42930
--- /dev/null
+++ b/.sqlx/query-0ad599ef120ecc02b030bd1276172929d6a612846acf4a5489c36a04cb57de59.json
@@ -0,0 +1,22 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "SELECT recovery_codes FROM \"user\" WHERE id = $1",
+  "describe": {
+    "columns": [
+      {
+        "ordinal": 0,
+        "name": "recovery_codes",
+        "type_info": "TextArray"
+      }
+    ],
+    "parameters": {
+      "Left": [
+        "Int8"
+      ]
+    },
+    "nullable": [
+      false
+    ]
+  },
+  "hash": "0ad599ef120ecc02b030bd1276172929d6a612846acf4a5489c36a04cb57de59"
+}
diff --git a/.sqlx/query-1bb3c8ecbd6500717d639678e08ab52c14293fa64d260db812c89ed43a5a7cc8.json b/.sqlx/query-1bb3c8ecbd6500717d639678e08ab52c14293fa64d260db812c89ed43a5a7cc8.json
new file mode 100644
index 0000000000..8d314a5faa
--- /dev/null
+++ b/.sqlx/query-1bb3c8ecbd6500717d639678e08ab52c14293fa64d260db812c89ed43a5a7cc8.json
@@ -0,0 +1,15 @@
+{
+  "db_name": "PostgreSQL",
+  "query": "UPDATE session SET expires = $1 WHERE id = $2",
+  "describe": {
+    "columns": [],
+    "parameters": {
+      "Left": [
+        "Timestamp",
+        "Text"
+      ]
+    },
+    "nullable": []
+  },
+  "hash": "1bb3c8ecbd6500717d639678e08ab52c14293fa64d260db812c89ed43a5a7cc8"
+}

From 2fcd28ca008e41c715a6b781b2bacfe9f6fc81eb Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 16 Jul 2024 10:13:22 +0200
Subject: [PATCH 17/73] fixes

---
 src/enterprise/handlers/openid_login.rs |  3 +++
 src/handlers/user.rs                    | 13 ++++++++++++-
 tests/enrollment.rs                     |  2 +-
 tests/user.rs                           |  8 ++++----
 4 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 8f91ccb002..ebc368cbcb 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -23,6 +23,7 @@ use crate::appstate::AppState;
 use crate::db::{AppEvent, DbPool, Session, SessionState, Settings, User, UserInfo};
 use crate::enterprise::db::models::openid_provider::OpenIdProvider;
 use crate::error::WebError;
+use crate::handlers::user::check_username;
 use crate::handlers::{ApiResponse, SESSION_COOKIE_NAME};
 use crate::headers::{check_new_device_login, get_user_agent_device, parse_user_agent};
 use crate::server_config;
@@ -244,6 +245,8 @@ pub async fn auth_callback(
         // TODO: Make this more robust, maybe trim everything that's forbidden in usernames
         .replace('+', "_");
 
+    check_username(&username)?;
+
     // Handle logging in or creating the user
     let settings = Settings::get_settings(&appstate.pool).await?;
     let user = match User::find_by_email(&appstate.pool, email).await {
diff --git a/src/handlers/user.rs b/src/handlers/user.rs
index bd5268978f..e0d55f92bf 100644
--- a/src/handlers/user.rs
+++ b/src/handlers/user.rs
@@ -35,7 +35,7 @@ use crate::{
 /// - starts with non-special character
 /// - special characters: . - _
 /// - no whitespaces
-fn check_username(username: &str) -> Result<(), WebError> {
+pub fn check_username(username: &str) -> Result<(), WebError> {
     // check length
     let length = username.len();
     if !(3..64).contains(&length) {
@@ -269,6 +269,17 @@ pub async fn add_user(
             status: StatusCode::BAD_REQUEST,
         });
     }
+    // check if email doesn't already exist
+    if User::find_by_email(&appstate.pool, &user_data.email)
+        .await?
+        .is_some()
+    {
+        debug!("User with email {} already exists", user_data.email);
+        return Ok(ApiResponse {
+            json: json!({}),
+            status: StatusCode::BAD_REQUEST,
+        });
+    }
     let password = match &user_data.password {
         Some(password) => {
             // check password strength
diff --git a/tests/enrollment.rs b/tests/enrollment.rs
index ec34283d53..3e2fe00ef8 100644
--- a/tests/enrollment.rs
+++ b/tests/enrollment.rs
@@ -57,7 +57,7 @@ async fn test_initialize_enrollment() {
         username: "adumbledore2".into(),
         last_name: "Dumbledore".into(),
         first_name: "Albus".into(),
-        email: "a.dumbledore@hogwart.edu.uk".into(),
+        email: "a.dumbledore2@hogwart.edu.uk".into(),
         phone: Some("1234".into()),
         password: None,
     };
diff --git a/tests/user.rs b/tests/user.rs
index 24845cd0ff..31466f6320 100644
--- a/tests/user.rs
+++ b/tests/user.rs
@@ -434,12 +434,12 @@ async fn test_check_username() {
     let invalid_usernames = ["ADumble dore", ".1user"];
     let valid_usernames = ["user1", "use2r3", "not_wrong"];
 
-    for username in invalid_usernames {
+    for (i, username) in invalid_usernames.into_iter().enumerate() {
         let new_user = AddUserData {
             username: username.into(),
             last_name: "Dumbledore".into(),
             first_name: "Albus".into(),
-            email: "a.dumbledore@hogwart.edu.uk".into(),
+            email: format!("a.dumbledore{i}@hogwart.edu.uk"),
             phone: Some("1234".into()),
             password: Some("Alohomora!12".into()),
         };
@@ -447,12 +447,12 @@ async fn test_check_username() {
         assert_eq!(response.status(), StatusCode::BAD_REQUEST);
     }
 
-    for username in valid_usernames {
+    for (i, username) in valid_usernames.into_iter().enumerate() {
         let new_user = AddUserData {
             username: username.into(),
             last_name: "Dumbledore".into(),
             first_name: "Albus".into(),
-            email: "a.dumbledore@hogwart.edu.uk".into(),
+            email: format!("a.dumbledore{i}@hogwart.edu.uk"),
             phone: Some("1234".into()),
             password: Some("Alohomora!12".into()),
         };

From 870000521962f6c951579c4194ea0893fb44f570 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 16 Jul 2024 12:35:56 +0200
Subject: [PATCH 18/73] cleanup, refactoring, tests

---
 src/enterprise/handlers/openid_login.rs       |  14 ++
 src/enterprise/handlers/openid_providers.rs   |  13 +-
 tests/openid_login.rs                         |  91 ++++++++
 tests/user.rs                                 |  33 +++
 web/src/i18n/en/index.ts                      |  35 ++-
 web/src/i18n/i18n-types.ts                    | 208 ++++++++++++------
 web/src/i18n/pl/index.ts                      |  53 ++++-
 .../OpenIdSettings/OpenIdSettings.tsx         |   6 +-
 .../components/OpenIdGeneralSettings.tsx      |  26 ++-
 .../components/OpenIdSettingsForm.tsx         |  51 +++--
 .../OpenIdSettings/components/style.scss      |   5 +
 11 files changed, 420 insertions(+), 115 deletions(-)
 create mode 100644 tests/openid_login.rs

diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index ebc368cbcb..6b86d7d562 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -373,3 +373,17 @@ pub async fn auth_callback(
     headers.insert(LOCATION, header_value);
     Ok((StatusCode::FOUND, headers, cookies, private_cookies))
 }
+
+#[cfg(test)]
+mod test {
+    use super::*;
+
+    #[tokio::test]
+    async fn test_get_provider_metadata() {
+        let metadata = get_provider_metadata("https://accounts.google.com")
+            .await
+            .unwrap();
+
+        assert_eq!(metadata.issuer().to_string(), "https://accounts.google.com");
+    }
+}
diff --git a/src/enterprise/handlers/openid_providers.rs b/src/enterprise/handlers/openid_providers.rs
index aca965cf49..c8ffd54e6d 100644
--- a/src/enterprise/handlers/openid_providers.rs
+++ b/src/enterprise/handlers/openid_providers.rs
@@ -9,7 +9,7 @@ use crate::{
 
 use serde_json::json;
 
-#[derive(Debug, Deserialize)]
+#[derive(Debug, Deserialize, Serialize)]
 pub struct AddProviderData {
     name: String,
     base_url: String,
@@ -17,6 +17,17 @@ pub struct AddProviderData {
     client_secret: String,
 }
 
+impl AddProviderData {
+    pub fn new(name: String, base_url: String, client_id: String, client_secret: String) -> Self {
+        Self {
+            name,
+            base_url,
+            client_id,
+            client_secret,
+        }
+    }
+}
+
 pub async fn add_openid_provider(
     _admin: AdminRole,
     session: SessionInfo,
diff --git a/tests/openid_login.rs b/tests/openid_login.rs
new file mode 100644
index 0000000000..840d0c3b44
--- /dev/null
+++ b/tests/openid_login.rs
@@ -0,0 +1,91 @@
+use std::str::FromStr;
+
+use axum::http::header::ToStrError;
+use claims::assert_err;
+use defguard::{
+    config::DefGuardConfig,
+    db::{
+        models::{oauth2client::OAuth2Client, NewOpenIDClient},
+        DbPool,
+    },
+    enterprise::handlers::openid_providers::AddProviderData,
+    handlers::Auth,
+};
+use openidconnect::{
+    core::{
+        CoreClient, CoreGenderClaim, CoreProviderMetadata, CoreResponseType, CoreTokenResponse,
+    },
+    http::Method,
+    AuthenticationFlow, AuthorizationCode, ClientId, ClientSecret, CsrfToken,
+    EmptyAdditionalClaims, HttpRequest, HttpResponse, IssuerUrl, Nonce, OAuth2TokenResponse,
+    PkceCodeChallenge, RedirectUrl, Scope, UserInfoClaims,
+};
+use reqwest::{
+    header::{HeaderName, AUTHORIZATION, CONTENT_TYPE, USER_AGENT},
+    StatusCode, Url,
+};
+use rsa::RsaPrivateKey;
+use serde::Deserialize;
+
+mod common;
+use self::common::{client::TestClient, init_test_db, make_base_client, make_test_client};
+
+async fn make_client() -> TestClient {
+    let (client, _) = make_test_client().await;
+    client
+}
+
+async fn make_client_v2(pool: DbPool, config: DefGuardConfig) -> TestClient {
+    let (client, _) = make_base_client(pool, config).await;
+    client
+}
+
+#[tokio::test]
+async fn test_openid_providers() {
+    let client = make_client().await;
+
+    let auth = Auth::new("admin", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    let provider_data = AddProviderData::new(
+        "test".to_string(),
+        "https://accounts.google.com".to_string(),
+        "client_id".to_string(),
+        "client_secret".to_string(),
+    );
+
+    let response = client
+        .post("/api/v1/openid/provider")
+        .json(&provider_data)
+        .send()
+        .await;
+
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    let response = client.get("/api/v1/openid/auth_info").send().await;
+
+    assert_eq!(response.status(), StatusCode::OK);
+
+    #[derive(Deserialize)]
+    struct UrlResponse {
+        url: String,
+    }
+
+    let provider: UrlResponse = response.json::<UrlResponse>().await;
+
+    let url = Url::parse(&provider.url).unwrap();
+
+    let client_id = url
+        .query_pairs()
+        .find(|(key, _)| key == "client_id")
+        .unwrap();
+    assert_eq!(client_id.1, "client_id");
+
+    let nonce = url.query_pairs().find(|(key, _)| key == "nonce");
+    assert!(nonce.is_some());
+    let state = url.query_pairs().find(|(key, _)| key == "state");
+    assert!(state.is_some());
+    let redirect_uri = url.query_pairs().find(|(key, _)| key == "redirect_uri");
+    assert!(redirect_uri.is_some());
+}
diff --git a/tests/user.rs b/tests/user.rs
index 31466f6320..bae25d3dee 100644
--- a/tests/user.rs
+++ b/tests/user.rs
@@ -763,3 +763,36 @@ async fn test_disable() {
         .await;
     assert_eq!(response.status(), StatusCode::OK);
 }
+
+#[tokio::test]
+async fn test_unique_email() {
+    let client = make_client().await;
+
+    let auth = Auth::new("admin", "pass123");
+    let response = client.post("/api/v1/auth").json(&auth).send().await;
+    assert_eq!(response.status(), StatusCode::OK);
+
+    // create user
+    let new_user = AddUserData {
+        username: "adumbledore".into(),
+        last_name: "Dumbledore".into(),
+        first_name: "Albus".into(),
+        email: "a.dumbledore@hogwart.edu.uk".into(),
+        phone: Some("1234".into()),
+        password: Some("Password1234543$!".into()),
+    };
+    let response = client.post("/api/v1/user").json(&new_user).send().await;
+    assert_eq!(response.status(), StatusCode::CREATED);
+
+    // create user with same email
+    let new_user = AddUserData {
+        username: "adumbledore2".into(),
+        last_name: "Dumbledore".into(),
+        first_name: "Albus".into(),
+        email: "a.dumbledore@hogwart.edu.uk".into(),
+        phone: Some("1234".into()),
+        password: Some("Password1234543$!".into()),
+    };
+    let response = client.post("/api/v1/user").json(&new_user).send().await;
+    assert_eq!(response.status(), StatusCode::BAD_REQUEST);
+}
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index d048f63dea..00c07552c2 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -922,19 +922,36 @@ const en: BaseTranslation = {
       },
     },
     openIdSettings: {
-      titleClient: 'External OpenID Client Settings',
-      titleGeneral: 'External OpenID Settings',
       general: {
-        createAccount: 'Automatically create user account when logging in through external OpenID for first time.',
+        title: 'External OpenID Settings',
+        helper: 'Here you can change general OpenID behavior in your Defguard instance.',
+        createAccount: {
+          label: 'Automatically create user account when logging in for the first time through external OpenID.',
+          helper: 'If this option is enabled, Defguard automatically creates new accounts for users who log in for the first time using an external OpenID provider. Otherwise, the user account must first be created by an administrator.',
+        },
       },
       form: {
+        title: 'External OpenID Client Settings',
+        helper: 'Here you can configure the OpenID client settings with values provided by your external OpenID provider.',
+        custom: "Custom",
+        documentation: 'Documentation',
         labels: {
-          name: 'Name',
-          provider: 'Provider',
-          client_id: 'Client ID',
-          client_secret: 'Client Secret',
-          base_url: 'Provider URL',
-          tenant_id: 'Tenant ID',
+          provider: {
+            label: 'Provider',
+            helper: 'Select your OpenID provider. You can use custom provider and fill in the base URL by yourself.',
+          },
+          client_id: {
+            label: 'Client ID',
+            helper: 'Client ID provided by your OpenID provider.',
+          },
+          client_secret: {
+            label: 'Client Secret',
+            helper: 'Client Secret provided by your OpenID provider.',
+          },
+          base_url: {
+            label: 'Base URL',
+            helper: 'Base URL of your OpenID provider, e.g. https://accounts.google.com. Make sure to check our documentation for more information and examples.',
+          },
         },
       },
     },
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index ec6814c83a..13f1da8b26 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -2276,46 +2276,84 @@ type RootTranslation = {
 			}
 		}
 		openIdSettings: {
-			/**
-			 * E​x​t​e​r​n​a​l​ ​O​p​e​n​I​D​ ​C​l​i​e​n​t​ ​S​e​t​t​i​n​g​s
-			 */
-			titleClient: string
-			/**
-			 * E​x​t​e​r​n​a​l​ ​O​p​e​n​I​D​ ​S​e​t​t​i​n​g​s
-			 */
-			titleGeneral: string
 			general: {
 				/**
-				 * A​u​t​o​m​a​t​i​c​a​l​l​y​ ​c​r​e​a​t​e​ ​u​s​e​r​ ​a​c​c​o​u​n​t​ ​w​h​e​n​ ​l​o​g​g​i​n​g​ ​i​n​ ​t​h​r​o​u​g​h​ ​e​x​t​e​r​n​a​l​ ​O​p​e​n​I​D​ ​f​o​r​ ​f​i​r​s​t​ ​t​i​m​e​.
+				 * E​x​t​e​r​n​a​l​ ​O​p​e​n​I​D​ ​S​e​t​t​i​n​g​s
 				 */
-				createAccount: string
-			}
-			form: {
-				labels: {
-					/**
-					 * N​a​m​e
-					 */
-					name: string
-					/**
-					 * P​r​o​v​i​d​e​r
-					 */
-					provider: string
-					/**
-					 * C​l​i​e​n​t​ ​I​D
-					 */
-					client_id: string
-					/**
-					 * C​l​i​e​n​t​ ​S​e​c​r​e​t
-					 */
-					client_secret: string
+				title: string
+				/**
+				 * H​e​r​e​ ​y​o​u​ ​c​a​n​ ​c​h​a​n​g​e​ ​g​e​n​e​r​a​l​ ​O​p​e​n​I​D​ ​b​e​h​a​v​i​o​r​ ​i​n​ ​y​o​u​r​ ​D​e​f​g​u​a​r​d​ ​i​n​s​t​a​n​c​e​.
+				 */
+				helper: string
+				createAccount: {
 					/**
-					 * P​r​o​v​i​d​e​r​ ​U​R​L
+					 * A​u​t​o​m​a​t​i​c​a​l​l​y​ ​c​r​e​a​t​e​ ​u​s​e​r​ ​a​c​c​o​u​n​t​ ​w​h​e​n​ ​l​o​g​g​i​n​g​ ​i​n​ ​f​o​r​ ​t​h​e​ ​f​i​r​s​t​ ​t​i​m​e​ ​t​h​r​o​u​g​h​ ​e​x​t​e​r​n​a​l​ ​O​p​e​n​I​D​.
 					 */
-					base_url: string
+					label: string
 					/**
-					 * T​e​n​a​n​t​ ​I​D
+					 * I​f​ ​t​h​i​s​ ​o​p​t​i​o​n​ ​i​s​ ​e​n​a​b​l​e​d​,​ ​D​e​f​g​u​a​r​d​ ​a​u​t​o​m​a​t​i​c​a​l​l​y​ ​c​r​e​a​t​e​s​ ​n​e​w​ ​a​c​c​o​u​n​t​s​ ​f​o​r​ ​u​s​e​r​s​ ​w​h​o​ ​l​o​g​ ​i​n​ ​f​o​r​ ​t​h​e​ ​f​i​r​s​t​ ​t​i​m​e​ ​u​s​i​n​g​ ​a​n​ ​e​x​t​e​r​n​a​l​ ​O​p​e​n​I​D​ ​p​r​o​v​i​d​e​r​.​ ​O​t​h​e​r​w​i​s​e​,​ ​t​h​e​ ​u​s​e​r​ ​a​c​c​o​u​n​t​ ​m​u​s​t​ ​f​i​r​s​t​ ​b​e​ ​c​r​e​a​t​e​d​ ​b​y​ ​a​n​ ​a​d​m​i​n​i​s​t​r​a​t​o​r​.
 					 */
-					tenant_id: string
+					helper: string
+				}
+			}
+			form: {
+				/**
+				 * E​x​t​e​r​n​a​l​ ​O​p​e​n​I​D​ ​C​l​i​e​n​t​ ​S​e​t​t​i​n​g​s
+				 */
+				title: string
+				/**
+				 * H​e​r​e​ ​y​o​u​ ​c​a​n​ ​c​o​n​f​i​g​u​r​e​ ​t​h​e​ ​O​p​e​n​I​D​ ​c​l​i​e​n​t​ ​s​e​t​t​i​n​g​s​ ​w​i​t​h​ ​v​a​l​u​e​s​ ​p​r​o​v​i​d​e​d​ ​b​y​ ​y​o​u​r​ ​e​x​t​e​r​n​a​l​ ​O​p​e​n​I​D​ ​p​r​o​v​i​d​e​r​.
+				 */
+				helper: string
+				/**
+				 * C​u​s​t​o​m
+				 */
+				custom: string
+				/**
+				 * D​o​c​u​m​e​n​t​a​t​i​o​n
+				 */
+				documentation: string
+				labels: {
+					provider: {
+						/**
+						 * P​r​o​v​i​d​e​r
+						 */
+						label: string
+						/**
+						 * S​e​l​e​c​t​ ​y​o​u​r​ ​O​p​e​n​I​D​ ​p​r​o​v​i​d​e​r​.​ ​Y​o​u​ ​c​a​n​ ​u​s​e​ ​c​u​s​t​o​m​ ​p​r​o​v​i​d​e​r​ ​a​n​d​ ​f​i​l​l​ ​i​n​ ​t​h​e​ ​b​a​s​e​ ​U​R​L​ ​b​y​ ​y​o​u​r​s​e​l​f​.
+						 */
+						helper: string
+					}
+					client_id: {
+						/**
+						 * C​l​i​e​n​t​ ​I​D
+						 */
+						label: string
+						/**
+						 * C​l​i​e​n​t​ ​I​D​ ​p​r​o​v​i​d​e​d​ ​b​y​ ​y​o​u​r​ ​O​p​e​n​I​D​ ​p​r​o​v​i​d​e​r​.
+						 */
+						helper: string
+					}
+					client_secret: {
+						/**
+						 * C​l​i​e​n​t​ ​S​e​c​r​e​t
+						 */
+						label: string
+						/**
+						 * C​l​i​e​n​t​ ​S​e​c​r​e​t​ ​p​r​o​v​i​d​e​d​ ​b​y​ ​y​o​u​r​ ​O​p​e​n​I​D​ ​p​r​o​v​i​d​e​r​.
+						 */
+						helper: string
+					}
+					base_url: {
+						/**
+						 * B​a​s​e​ ​U​R​L
+						 */
+						label: string
+						/**
+						 * B​a​s​e​ ​U​R​L​ ​o​f​ ​y​o​u​r​ ​O​p​e​n​I​D​ ​p​r​o​v​i​d​e​r​,​ ​e​.​g​.​ ​h​t​t​p​s​:​/​/​a​c​c​o​u​n​t​s​.​g​o​o​g​l​e​.​c​o​m​.​ ​M​a​k​e​ ​s​u​r​e​ ​t​o​ ​c​h​e​c​k​ ​o​u​r​ ​d​o​c​u​m​e​n​t​a​t​i​o​n​ ​f​o​r​ ​m​o​r​e​ ​i​n​f​o​r​m​a​t​i​o​n​ ​a​n​d​ ​e​x​a​m​p​l​e​s​.
+						 */
+						helper: string
+					}
 				}
 			}
 		}
@@ -6212,46 +6250,84 @@ export type TranslationFunctions = {
 			}
 		}
 		openIdSettings: {
-			/**
-			 * External OpenID Client Settings
-			 */
-			titleClient: () => LocalizedString
-			/**
-			 * External OpenID Settings
-			 */
-			titleGeneral: () => LocalizedString
 			general: {
 				/**
-				 * Automatically create user account when logging in through external OpenID for first time.
+				 * External OpenID Settings
 				 */
-				createAccount: () => LocalizedString
-			}
-			form: {
-				labels: {
-					/**
-					 * Name
-					 */
-					name: () => LocalizedString
-					/**
-					 * Provider
-					 */
-					provider: () => LocalizedString
-					/**
-					 * Client ID
-					 */
-					client_id: () => LocalizedString
-					/**
-					 * Client Secret
-					 */
-					client_secret: () => LocalizedString
+				title: () => LocalizedString
+				/**
+				 * Here you can change general OpenID behavior in your Defguard instance.
+				 */
+				helper: () => LocalizedString
+				createAccount: {
 					/**
-					 * Provider URL
+					 * Automatically create user account when logging in for the first time through external OpenID.
 					 */
-					base_url: () => LocalizedString
+					label: () => LocalizedString
 					/**
-					 * Tenant ID
+					 * If this option is enabled, Defguard automatically creates new accounts for users who log in for the first time using an external OpenID provider. Otherwise, the user account must first be created by an administrator.
 					 */
-					tenant_id: () => LocalizedString
+					helper: () => LocalizedString
+				}
+			}
+			form: {
+				/**
+				 * External OpenID Client Settings
+				 */
+				title: () => LocalizedString
+				/**
+				 * Here you can configure the OpenID client settings with values provided by your external OpenID provider.
+				 */
+				helper: () => LocalizedString
+				/**
+				 * Custom
+				 */
+				custom: () => LocalizedString
+				/**
+				 * Documentation
+				 */
+				documentation: () => LocalizedString
+				labels: {
+					provider: {
+						/**
+						 * Provider
+						 */
+						label: () => LocalizedString
+						/**
+						 * Select your OpenID provider. You can use custom provider and fill in the base URL by yourself.
+						 */
+						helper: () => LocalizedString
+					}
+					client_id: {
+						/**
+						 * Client ID
+						 */
+						label: () => LocalizedString
+						/**
+						 * Client ID provided by your OpenID provider.
+						 */
+						helper: () => LocalizedString
+					}
+					client_secret: {
+						/**
+						 * Client Secret
+						 */
+						label: () => LocalizedString
+						/**
+						 * Client Secret provided by your OpenID provider.
+						 */
+						helper: () => LocalizedString
+					}
+					base_url: {
+						/**
+						 * Base URL
+						 */
+						label: () => LocalizedString
+						/**
+						 * Base URL of your OpenID provider, e.g. https://accounts.google.com. Make sure to check our documentation for more information and examples.
+						 */
+						helper: () => LocalizedString
+					}
 				}
 			}
 		}
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 53e827ce7d..65a9d8e723 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -907,20 +907,55 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
         submit: 'Test',
       },
     },
+    // openIdSettings: {
+    //   titleClient: 'Ustawienia klienta zewnętrznego OpenID',
+    //   titleGeneral: 'Ustawienia zewnętrznego OpenID',
+    //   general: {
+    //     createAccount: 'Automatycznie twórz konta w momencie logowania przez zewnętrznego dostawcę OpenID',
+    //   },
+    //   form: {
+    //     labels: {
+    //       name: 'Nazwa',
+    //       provider: 'Dostawca OpenID',
+    //       client_id: 'ID klienta',
+    //       client_secret: 'Sekret klienta',
+    //       base_url: 'URL dostawcy',
+    //       tenant_id: 'ID dzierżawy (Tenant ID)',
+    //     },
+    //   },
+    // },
     openIdSettings: {
-      titleClient: 'Ustawienia klienta zewnętrznego OpenID',
-      titleGeneral: 'Ustawienia zewnętrznego OpenID',
       general: {
-        createAccount: 'Automatycznie twórz konta w momencie logowania przez zewnętrznego dostawcę OpenID',
+        title: 'Ustawienia zewnętrznego OpenID',
+        helper: 'Możesz tu zmienić ogólną mechanikę działania zewnętrznego OpenID w twojej instancji Defguarda.',
+        createAccount: {
+          label: 'Automatycznie twórz konta w momencie logowania przez zewnętrznego dostawcę OpenID',
+          helper: 'Jeśli ta opcja jest włączona, Defguard automatycznie tworzy nowe konta dla użytkowników, którzy logują się po raz pierwszy za pomocą zewnętrznego dostawcy OpenID. W innym przypadku konto użytkownika musi zostać najpierw utworzone przez administratora.',
+        },
       },
       form: {
+        title: 'Ustawienia klienta zewnętrznego OpenID',
+        // helper: 'Here you can configure the OpenID client settings with values provided by your external OpenID provider.',
+        helper: 'Tutaj możesz skonfigurować ustawienia klienta OpenID z wartościami dostarczonymi przez zewnętrznego dostawcę OpenID.',
+        custom: "Niestandardowy",
+        documentation: 'Dokumentacja',
         labels: {
-          name: 'Nazwa',
-          provider: 'Dostawca OpenID',
-          client_id: 'ID klienta',
-          client_secret: 'Sekret klienta',
-          base_url: 'URL dostawcy',
-          tenant_id: 'ID dzierżawy (Tenant ID)',
+          provider: {
+            label: 'Dostawca',
+            helper: 'Wybierz swojego dostawcę OpenID. Możesz użyć dostawcy niestandardowego i samodzielnie wypełnić pole URL bazowego.',
+          },
+          client_id: {
+            label: 'ID klienta',
+            helper: 'ID klienta dostarczone przez dostawcę OpenID.',
+          },
+          client_secret: {
+            label: 'Sekret klienta',
+            helper: 'Sekret klienta dostarczony przez dostawcę OpenID.',
+          },
+          base_url: {
+            label: 'URL bazowy',
+            helper: 'Podstawowy adres URL twojego dostawcy OpenID, np. https://accounts.google.com. Sprawdź naszą dokumentację, aby uzyskać więcej informacji i zobaczyć przykłady.',
+          },
         },
       },
     },
diff --git a/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx b/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
index 791ac8666e..b4a1b4d0d1 100644
--- a/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
@@ -1,16 +1,16 @@
 import './style.scss';
 
-import { OpenIdSettingsForm } from './components/OpenIdSettingsForm';
 import { OpenIdGeneralSettings } from './components/OpenIdGeneralSettings';
+import { OpenIdSettingsForm } from './components/OpenIdSettingsForm';
 
 export const OpenIdSettings = () => {
   return (
     <>
       <div className="left">
-        <OpenIdGeneralSettings />
+        <OpenIdSettingsForm />
       </div>
       <div className="right">
-        <OpenIdSettingsForm />
+        <OpenIdGeneralSettings />
       </div>
     </>
   );
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
index 47cf9f6eeb..e768e9f80c 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
@@ -2,7 +2,9 @@ import './style.scss';
 
 import { useMutation, useQueryClient } from '@tanstack/react-query';
 
+import parse from 'html-react-parser';
 import { useI18nContext } from '../../../../../i18n/i18n-react';
+import { Helper } from '../../../../../shared/defguard-ui/components/Layout/Helper/Helper';
 import { LabeledCheckbox } from '../../../../../shared/defguard-ui/components/Layout/LabeledCheckbox/LabeledCheckbox';
 import useApi from '../../../../../shared/hooks/useApi';
 import { useToaster } from '../../../../../shared/hooks/useToaster';
@@ -38,17 +40,23 @@ export const OpenIdGeneralSettings = () => {
   return (
     <section id="openid-settings">
       <header>
-        <h2>{localLL.titleGeneral()}</h2>
+        <h2>{localLL.general.title()}</h2>
+        <Helper>{parse(localLL.general.helper())}</Helper>
       </header>
       <div>
-        <LabeledCheckbox
-          disabled={isLoading}
-          label={localLL.general.createAccount()}
-          value={settings.openid_create_account}
-          onChange={() =>
-            mutate({ openid_create_account: !settings.openid_create_account })
-          }
-        />
+        <div>
+          <div className="checkbox-row">
+            <LabeledCheckbox
+              disabled={isLoading}
+              label={localLL.general.createAccount.label()}
+              value={settings.openid_create_account}
+              onChange={() =>
+                mutate({ openid_create_account: !settings.openid_create_account })
+              }
+            />
+            <Helper>{localLL.general.createAccount.helper()}</Helper>
+          </div>
+        </div>
       </div>
     </section>
   );
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
index 7252e296f4..fff1539069 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -6,6 +6,7 @@ import { useCallback, useEffect, useMemo, useState } from 'react';
 import { SubmitHandler, useForm } from 'react-hook-form';
 import { z } from 'zod';
 
+import parse from 'html-react-parser';
 import { useI18nContext } from '../../../../../i18n/i18n-react';
 import IconCheckmarkWhite from '../../../../../shared/components/svg/IconCheckmarkWhite';
 import { FormInput } from '../../../../../shared/defguard-ui/components/Form/FormInput/FormInput';
@@ -14,6 +15,7 @@ import {
   ButtonSize,
   ButtonStyleVariant,
 } from '../../../../../shared/defguard-ui/components/Layout/Button/types';
+import { Helper } from '../../../../../shared/defguard-ui/components/Layout/Helper/Helper';
 import { Select } from '../../../../../shared/defguard-ui/components/Layout/Select/Select';
 import {
   SelectOption,
@@ -116,7 +118,7 @@ export const OpenIdSettingsForm = () => {
       },
       {
         value: 'Custom',
-        label: 'Custom',
+        label: localLL.form.custom(),
         key: 3,
       },
     ],
@@ -164,7 +166,8 @@ export const OpenIdSettingsForm = () => {
   return (
     <section id="openid-settings">
       <header>
-        <h2>{localLL.titleClient()}</h2>
+        <h2>{localLL.form.title()}</h2>
+        <Helper>{parse(localLL.form.helper())}</Helper>
         <Button
           size={ButtonSize.SMALL}
           styleVariant={ButtonStyleVariant.SAVE}
@@ -176,30 +179,42 @@ export const OpenIdSettingsForm = () => {
         />
       </header>
       <form id="openid-settings-form" onSubmit={handleSubmit(handleValidSubmit)}>
-        <FormInput
-          controller={{ control, name: 'client_id' }}
-          label={localLL.form.labels.client_id()}
-        />
-        <FormInput
-          controller={{ control, name: 'client_secret' }}
-          label={localLL.form.labels.client_secret()}
-          type="password"
-        />
         <Select
           sizeVariant={SelectSizeVariant.STANDARD}
           selected={currentProvider?.name ?? undefined}
           options={options}
           renderSelected={renderSelected}
           onChangeSingle={(res) => handleChange(res)}
-          label={localLL.form.labels.provider()}
+          label={localLL.form.labels.provider.label()}
+          labelExtras={<Helper>{parse(localLL.form.labels.provider.helper())}</Helper>}
+        />
+        <FormInput
+          controller={{ control, name: 'base_url' }}
+          label={localLL.form.labels.base_url.label()}
+          labelExtras={<Helper>{parse(localLL.form.labels.base_url.helper())}</Helper>}
+          disabled={currentProvider?.name === 'Google'}
+        />
+        <FormInput
+          controller={{ control, name: 'client_id' }}
+          label={localLL.form.labels.client_id.label()}
+          labelExtras={<Helper>{parse(localLL.form.labels.client_id.helper())}</Helper>}
+        />
+        <FormInput
+          controller={{ control, name: 'client_secret' }}
+          label={localLL.form.labels.client_secret.label()}
+          labelExtras={
+            <Helper>{parse(localLL.form.labels.client_secret.helper())}</Helper>
+          }
+          type="password"
         />
-        {currentProvider?.name !== 'Google' && (
-          <FormInput
-            controller={{ control, name: 'base_url' }}
-            label={localLL.form.labels.base_url()}
-          />
-        )}
       </form>
+      <a
+        // TODO: Add a link to the not yet existing documentation
+        href="https://defguard.gitbook.io/defguard/"
+        target="_blank"
+      >
+        {localLL.form.documentation()}
+      </a>
     </section>
   );
 };
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/style.scss b/web/src/pages/settings/components/OpenIdSettings/components/style.scss
index d0c0181827..017489e228 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/style.scss
+++ b/web/src/pages/settings/components/OpenIdSettings/components/style.scss
@@ -19,4 +19,9 @@
   .select {
     padding-bottom: 25px;
   }
+  .checkbox-row {
+    display: flex;
+    align-items: center;
+    gap: 10px;
+  }
 }

From c9d67bc68eed0993f71dc3201ac46f3801ac034c Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 16 Jul 2024 12:37:33 +0200
Subject: [PATCH 19/73] cargo fix

---
 tests/openid_login.rs | 17 +----------------
 1 file changed, 1 insertion(+), 16 deletions(-)

diff --git a/tests/openid_login.rs b/tests/openid_login.rs
index 840d0c3b44..3f39c9e005 100644
--- a/tests/openid_login.rs
+++ b/tests/openid_login.rs
@@ -1,34 +1,19 @@
-use std::str::FromStr;
 
-use axum::http::header::ToStrError;
-use claims::assert_err;
 use defguard::{
     config::DefGuardConfig,
     db::{
-        models::{oauth2client::OAuth2Client, NewOpenIDClient},
         DbPool,
     },
     enterprise::handlers::openid_providers::AddProviderData,
     handlers::Auth,
 };
-use openidconnect::{
-    core::{
-        CoreClient, CoreGenderClaim, CoreProviderMetadata, CoreResponseType, CoreTokenResponse,
-    },
-    http::Method,
-    AuthenticationFlow, AuthorizationCode, ClientId, ClientSecret, CsrfToken,
-    EmptyAdditionalClaims, HttpRequest, HttpResponse, IssuerUrl, Nonce, OAuth2TokenResponse,
-    PkceCodeChallenge, RedirectUrl, Scope, UserInfoClaims,
-};
 use reqwest::{
-    header::{HeaderName, AUTHORIZATION, CONTENT_TYPE, USER_AGENT},
     StatusCode, Url,
 };
-use rsa::RsaPrivateKey;
 use serde::Deserialize;
 
 mod common;
-use self::common::{client::TestClient, init_test_db, make_base_client, make_test_client};
+use self::common::{client::TestClient, make_base_client, make_test_client};
 
 async fn make_client() -> TestClient {
     let (client, _) = make_test_client().await;

From 2970bba7fe0a74e2e46d20be2cc0ce50d88f2530 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 16 Jul 2024 12:40:34 +0200
Subject: [PATCH 20/73] fix type

---
 web/src/shared/types.ts | 2 --
 1 file changed, 2 deletions(-)

diff --git a/web/src/shared/types.ts b/web/src/shared/types.ts
index 3df675374e..9afb13f866 100644
--- a/web/src/shared/types.ts
+++ b/web/src/shared/types.ts
@@ -309,8 +309,6 @@ export interface LoginResponse {
 
 export interface OpenIdInfoResponse {
   url: string;
-  nonce: string;
-  csrf: string;
 }
 
 export interface DeleteWebAuthNKeyRequest {

From dace47a4df6bc8ccc0d98bff21f22b0bb62e71f8 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 16 Jul 2024 13:14:23 +0200
Subject: [PATCH 21/73] fmt

---
 tests/openid_login.rs | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)

diff --git a/tests/openid_login.rs b/tests/openid_login.rs
index 3f39c9e005..2a6af144b6 100644
--- a/tests/openid_login.rs
+++ b/tests/openid_login.rs
@@ -1,15 +1,8 @@
-
 use defguard::{
-    config::DefGuardConfig,
-    db::{
-        DbPool,
-    },
-    enterprise::handlers::openid_providers::AddProviderData,
+    config::DefGuardConfig, db::DbPool, enterprise::handlers::openid_providers::AddProviderData,
     handlers::Auth,
 };
-use reqwest::{
-    StatusCode, Url,
-};
+use reqwest::{StatusCode, Url};
 use serde::Deserialize;
 
 mod common;

From d9e42917f9f094e7fc74dcf75ae4fde36b293db3 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 16 Jul 2024 14:12:31 +0200
Subject: [PATCH 22/73] compress migrations

---
 .../20240603091113_openid_provider.down.sql   |  1 -
 .../20240603091113_openid_provider.up.sql     | 11 --------
 ...20240710100027_make_emails_unique.down.sql |  1 -
 .../20240710100027_make_emails_unique.up.sql  |  8 ------
 ...0240715095940_add_oidc_login_flag.down.sql |  1 -
 .../20240715095940_add_oidc_login_flag.up.sql |  1 -
 ...5_add_oidc_create_account_setting.down.sql |  1 -
 ...955_add_oidc_create_account_setting.up.sql |  1 -
 ...6114732_add_external_openid_login.down.sql |  4 +++
 ...716114732_add_external_openid_login.up.sql | 25 +++++++++++++++++++
 10 files changed, 29 insertions(+), 25 deletions(-)
 delete mode 100644 migrations/20240603091113_openid_provider.down.sql
 delete mode 100644 migrations/20240603091113_openid_provider.up.sql
 delete mode 100644 migrations/20240710100027_make_emails_unique.down.sql
 delete mode 100644 migrations/20240710100027_make_emails_unique.up.sql
 delete mode 100644 migrations/20240715095940_add_oidc_login_flag.down.sql
 delete mode 100644 migrations/20240715095940_add_oidc_login_flag.up.sql
 delete mode 100644 migrations/20240715095955_add_oidc_create_account_setting.down.sql
 delete mode 100644 migrations/20240715095955_add_oidc_create_account_setting.up.sql
 create mode 100644 migrations/20240716114732_add_external_openid_login.down.sql
 create mode 100644 migrations/20240716114732_add_external_openid_login.up.sql

diff --git a/migrations/20240603091113_openid_provider.down.sql b/migrations/20240603091113_openid_provider.down.sql
deleted file mode 100644
index 6ecbdb1291..0000000000
--- a/migrations/20240603091113_openid_provider.down.sql
+++ /dev/null
@@ -1 +0,0 @@
-DROP TABLE openidprovider;
diff --git a/migrations/20240603091113_openid_provider.up.sql b/migrations/20240603091113_openid_provider.up.sql
deleted file mode 100644
index 397dda83e9..0000000000
--- a/migrations/20240603091113_openid_provider.up.sql
+++ /dev/null
@@ -1,11 +0,0 @@
-CREATE TABLE openidprovider (
-    id bigserial PRIMARY KEY,
-    "name" text NOT NULL,
-    "base_url" text NOT NULL,
-    "client_id" text NOT NULL,
-    "client_secret" text NOT NULL,
-    "enabled" boolean NOT NULL DEFAULT FALSE,
-    CONSTRAINT openidprovider_name_unique UNIQUE ("name"),
-    CONSTRAINT openidprovider_client_id_unique UNIQUE ("client_id"),
-    CONSTRAINT openidprovider_client_secret_unique UNIQUE ("client_secret")
-);
diff --git a/migrations/20240710100027_make_emails_unique.down.sql b/migrations/20240710100027_make_emails_unique.down.sql
deleted file mode 100644
index 91a5a0a715..0000000000
--- a/migrations/20240710100027_make_emails_unique.down.sql
+++ /dev/null
@@ -1 +0,0 @@
-ALTER TABLE "user" DROP CONSTRAINT "user_email_key";
diff --git a/migrations/20240710100027_make_emails_unique.up.sql b/migrations/20240710100027_make_emails_unique.up.sql
deleted file mode 100644
index 2d79a9dff6..0000000000
--- a/migrations/20240710100027_make_emails_unique.up.sql
+++ /dev/null
@@ -1,8 +0,0 @@
--- Deletes duplicated users based on their email. The first (by id) user with a given email is kept.
-DELETE FROM
-    "user" u1
-        USING "user" u2
-WHERE
-    u1.id > u2.id
-    AND u1.email = u2.email;
-ALTER TABLE "user" ADD CONSTRAINT "user_email_key" UNIQUE (email);
diff --git a/migrations/20240715095940_add_oidc_login_flag.down.sql b/migrations/20240715095940_add_oidc_login_flag.down.sql
deleted file mode 100644
index 5eb7de3502..0000000000
--- a/migrations/20240715095940_add_oidc_login_flag.down.sql
+++ /dev/null
@@ -1 +0,0 @@
-ALTER TABLE "user" DROP COLUMN "openid_login";
diff --git a/migrations/20240715095940_add_oidc_login_flag.up.sql b/migrations/20240715095940_add_oidc_login_flag.up.sql
deleted file mode 100644
index c89fb898f1..0000000000
--- a/migrations/20240715095940_add_oidc_login_flag.up.sql
+++ /dev/null
@@ -1 +0,0 @@
-ALTER TABLE "user" ADD COLUMN "openid_login" BOOLEAN NOT NULL DEFAULT FALSE;
diff --git a/migrations/20240715095955_add_oidc_create_account_setting.down.sql b/migrations/20240715095955_add_oidc_create_account_setting.down.sql
deleted file mode 100644
index 7fc045f9ee..0000000000
--- a/migrations/20240715095955_add_oidc_create_account_setting.down.sql
+++ /dev/null
@@ -1 +0,0 @@
-ALTER TABLE settings DROP COLUMN openid_create_account;
diff --git a/migrations/20240715095955_add_oidc_create_account_setting.up.sql b/migrations/20240715095955_add_oidc_create_account_setting.up.sql
deleted file mode 100644
index b82357c2d4..0000000000
--- a/migrations/20240715095955_add_oidc_create_account_setting.up.sql
+++ /dev/null
@@ -1 +0,0 @@
-ALTER TABLE settings ADD COLUMN openid_create_account BOOLEAN NOT NULL DEFAULT TRUE;
diff --git a/migrations/20240716114732_add_external_openid_login.down.sql b/migrations/20240716114732_add_external_openid_login.down.sql
new file mode 100644
index 0000000000..92196a2601
--- /dev/null
+++ b/migrations/20240716114732_add_external_openid_login.down.sql
@@ -0,0 +1,4 @@
+DROP TABLE openidprovider;
+ALTER TABLE "user" DROP CONSTRAINT "user_email_key";
+ALTER TABLE "user" DROP COLUMN "openid_login";
+ALTER TABLE settings DROP COLUMN openid_create_account;
diff --git a/migrations/20240716114732_add_external_openid_login.up.sql b/migrations/20240716114732_add_external_openid_login.up.sql
new file mode 100644
index 0000000000..37fa18fbf0
--- /dev/null
+++ b/migrations/20240716114732_add_external_openid_login.up.sql
@@ -0,0 +1,25 @@
+-- External OpenID login
+CREATE TABLE openidprovider (
+    id bigserial PRIMARY KEY,
+    "name" text NOT NULL,
+    "base_url" text NOT NULL,
+    "client_id" text NOT NULL,
+    "client_secret" text NOT NULL,
+    "enabled" boolean NOT NULL DEFAULT FALSE,
+    CONSTRAINT openidprovider_name_unique UNIQUE ("name"),
+    CONSTRAINT openidprovider_client_id_unique UNIQUE ("client_id"),
+    CONSTRAINT openidprovider_client_secret_unique UNIQUE ("client_secret")
+);
+
+ALTER TABLE "user" ADD COLUMN "openid_login" BOOLEAN NOT NULL DEFAULT FALSE;
+ALTER TABLE settings ADD COLUMN openid_create_account BOOLEAN NOT NULL DEFAULT TRUE;
+
+-- Make emails unique
+-- Deletes duplicated users based on their email. The first (by id) user with a given email is kept.
+DELETE FROM
+    "user" u1
+        USING "user" u2
+WHERE
+    u1.id > u2.id
+    AND u1.email = u2.email;
+ALTER TABLE "user" ADD CONSTRAINT "user_email_key" UNIQUE (email);

From ce075e0a49985376b0f0a6e9128048b467c20bf0 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 16 Jul 2024 14:47:06 +0200
Subject: [PATCH 23/73] cleanup

---
 web/src/i18n/pl/index.ts | 18 ------------------
 1 file changed, 18 deletions(-)

diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 65a9d8e723..69b847fb4a 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -907,23 +907,6 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
         submit: 'Test',
       },
     },
-    // openIdSettings: {
-    //   titleClient: 'Ustawienia klienta zewnętrznego OpenID',
-    //   titleGeneral: 'Ustawienia zewnętrznego OpenID',
-    //   general: {
-    //     createAccount: 'Automatycznie twórz konta w momencie logowania przez zewnętrznego dostawcę OpenID',
-    //   },
-    //   form: {
-    //     labels: {
-    //       name: 'Nazwa',
-    //       provider: 'Dostawca OpenID',
-    //       client_id: 'ID klienta',
-    //       client_secret: 'Sekret klienta',
-    //       base_url: 'URL dostawcy',
-    //       tenant_id: 'ID dzierżawy (Tenant ID)',
-    //     },
-    //   },
-    // },
     openIdSettings: {
       general: {
         title: 'Ustawienia zewnętrznego OpenID',
@@ -935,7 +918,6 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
       },
       form: {
         title: 'Ustawienia klienta zewnętrznego OpenID',
-        // helper: 'Here you can configure the OpenID client settings with values provided by your external OpenID provider.',
         helper: 'Tutaj możesz skonfigurować ustawienia klienta OpenID z wartościami dostarczonymi przez zewnętrznego dostawcę OpenID.',
         custom: "Niestandardowy",
         documentation: 'Dokumentacja',

From e81ef9370cfde25f057baae447fa7df46c123819 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 17 Jul 2024 09:42:39 +0200
Subject: [PATCH 24/73] fix frontend

---
 web/src/shared/hooks/store/useAuthStore.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/web/src/shared/hooks/store/useAuthStore.ts b/web/src/shared/hooks/store/useAuthStore.ts
index 3b6c850841..1679f03134 100644
--- a/web/src/shared/hooks/store/useAuthStore.ts
+++ b/web/src/shared/hooks/store/useAuthStore.ts
@@ -3,7 +3,7 @@ import { Subject } from 'rxjs';
 import { createJSONStorage, persist } from 'zustand/middleware';
 import { createWithEqualityFn } from 'zustand/traditional';
 
-import { LoginSubjectData, OpenIdInfoResponse, OpenIdProvider, User } from '../../types';
+import { LoginSubjectData, OpenIdInfoResponse, User } from '../../types';
 
 export const useAuthStore = createWithEqualityFn<AuthStore>()(
   persist(

From 8073db7571981dd115bf7f4919b0cbf5269e39f6 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 17 Jul 2024 09:55:44 +0200
Subject: [PATCH 25/73] enable e2e and dev deployment

---
 .github/workflows/current.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml
index b2c6aabc92..8fcd706d0c 100644
--- a/.github/workflows/current.yml
+++ b/.github/workflows/current.yml
@@ -4,6 +4,7 @@ on:
     branches:
       - main
       - dev
+      - openid-login
     paths-ignore:
       - '*.md'
       - 'LICENSE'

From 788df3500a3bc340d5d8d79102b04ef11797b3d0 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 17 Jul 2024 10:03:15 +0200
Subject: [PATCH 26/73] license update

---
 LICENSE                | 3 ++-
 src/enterprise/LICENSE | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/LICENSE b/LICENSE
index ec3d63af4f..9d2476c053 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,6 +1,7 @@
 Copyright 2023 teonite ventures sp. z o.o. (teonite)
 
-Note: The following license applies to the entire repository except for the "enterprise" directory.
+NOTE: The following license applies to the entire repository except for all the contents in the "enterprise" directory.
+For the license of the enterprise directory, go to enterprise/LICENSE.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
diff --git a/src/enterprise/LICENSE b/src/enterprise/LICENSE
index 0ba4000c5c..79e35089e6 100644
--- a/src/enterprise/LICENSE
+++ b/src/enterprise/LICENSE
@@ -1 +1 @@
-Files in this directory ("enterprise") are not under the default repository license. Contact sales<at>defguard.net for further information.
\ No newline at end of file
+For enterprise license and usage of this code and binary distribution, please contact us by email at: sales<at>defguard.net

From 69048494dc592f3829c054ddcb94b5fc87325dbf Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 17 Jul 2024 11:20:38 +0200
Subject: [PATCH 27/73] fix test

---
 e2e/tests/vpn/wizard.spec.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/e2e/tests/vpn/wizard.spec.ts b/e2e/tests/vpn/wizard.spec.ts
index 4e9c597e32..8afb9f29ad 100644
--- a/e2e/tests/vpn/wizard.spec.ts
+++ b/e2e/tests/vpn/wizard.spec.ts
@@ -37,6 +37,7 @@ test.describe('Setup VPN (wizard) ', () => {
       ...testUserTemplate,
       firstName: `test${id}`,
       username: `test${id}`,
+      mail: `test${id}@test.com`
     }));
     await loginBasic(page, defaultUserAdmin);
     await apiCreateUsersBulk(page, users);

From f3e5b1787ac41fd8980d653e6e4e0c39995dbfee Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 17 Jul 2024 13:55:18 +0200
Subject: [PATCH 28/73] make changes according to the review

---
 ...20240716114732_add_external_openid_login.up.sql |  8 +-------
 src/db/models/mod.rs                               |  2 +-
 src/db/models/user.rs                              |  7 +++++++
 src/enterprise/handlers/openid_login.rs            | 14 --------------
 src/enterprise/handlers/openid_providers.rs        | 10 +++++-----
 src/grpc/enrollment.rs                             |  4 ++--
 web/src/pages/users/UserProfile/UserProfile.tsx    |  5 +----
 7 files changed, 17 insertions(+), 33 deletions(-)

diff --git a/migrations/20240716114732_add_external_openid_login.up.sql b/migrations/20240716114732_add_external_openid_login.up.sql
index 37fa18fbf0..169801721f 100644
--- a/migrations/20240716114732_add_external_openid_login.up.sql
+++ b/migrations/20240716114732_add_external_openid_login.up.sql
@@ -15,11 +15,5 @@ ALTER TABLE "user" ADD COLUMN "openid_login" BOOLEAN NOT NULL DEFAULT FALSE;
 ALTER TABLE settings ADD COLUMN openid_create_account BOOLEAN NOT NULL DEFAULT TRUE;
 
 -- Make emails unique
--- Deletes duplicated users based on their email. The first (by id) user with a given email is kept.
-DELETE FROM
-    "user" u1
-        USING "user" u2
-WHERE
-    u1.id > u2.id
-    AND u1.email = u2.email;
+-- This migration may fail if there are duplicate emails in the database already
 ALTER TABLE "user" ADD CONSTRAINT "user_email_key" UNIQUE (email);
diff --git a/src/db/models/mod.rs b/src/db/models/mod.rs
index 2b24d74ed5..73722c1026 100644
--- a/src/db/models/mod.rs
+++ b/src/db/models/mod.rs
@@ -99,7 +99,7 @@ impl UserInfo {
             mfa_method: user.mfa_method.clone(),
             authorized_apps,
             is_active: user.is_active,
-            enrolled: user.has_password() || user.openid_login,
+            enrolled: user.is_enrolled(),
         })
     }
 
diff --git a/src/db/models/user.rs b/src/db/models/user.rs
index 9a2a9f51ab..773c87b3af 100644
--- a/src/db/models/user.rs
+++ b/src/db/models/user.rs
@@ -157,6 +157,13 @@ impl User {
         format!("{} {}", self.first_name, self.last_name)
     }
 
+    /// Check if user is enrolled.
+    /// We assume the user is enrolled if they have a password set
+    /// or they have logged in using an external OIDC.
+    pub fn is_enrolled(&self) -> bool {
+        self.password_hash.is_some() || self.openid_login
+    }
+
     /// Generate new TOTP secret, save it, then return it as RFC 4648 base32-encoded string.
     pub async fn new_totp_secret<'e, E>(&mut self, executor: E) -> Result<String, SqlxError>
     where
diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 6b86d7d562..ebc368cbcb 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -373,17 +373,3 @@ pub async fn auth_callback(
     headers.insert(LOCATION, header_value);
     Ok((StatusCode::FOUND, headers, cookies, private_cookies))
 }
-
-#[cfg(test)]
-mod test {
-    use super::*;
-
-    #[tokio::test]
-    async fn test_get_provider_metadata() {
-        let metadata = get_provider_metadata("https://accounts.google.com")
-            .await
-            .unwrap();
-
-        assert_eq!(metadata.issuer().to_string(), "https://accounts.google.com");
-    }
-}
diff --git a/src/enterprise/handlers/openid_providers.rs b/src/enterprise/handlers/openid_providers.rs
index c8ffd54e6d..58bef9a970 100644
--- a/src/enterprise/handlers/openid_providers.rs
+++ b/src/enterprise/handlers/openid_providers.rs
@@ -18,12 +18,12 @@ pub struct AddProviderData {
 }
 
 impl AddProviderData {
-    pub fn new(name: String, base_url: String, client_id: String, client_secret: String) -> Self {
+    pub fn new(name: &str, base_url: &str, client_id: &str, client_secret: &str) -> Self {
         Self {
-            name,
-            base_url,
-            client_id,
-            client_secret,
+            name: name.to_string(),
+            base_url: base_url.to_string(),
+            client_id: client_id.to_string(),
+            client_secret: client_secret.to_string(),
         }
     }
 }
diff --git a/src/grpc/enrollment.rs b/src/grpc/enrollment.rs
index 4e578e1e36..1e314f8f45 100644
--- a/src/grpc/enrollment.rs
+++ b/src/grpc/enrollment.rs
@@ -516,7 +516,7 @@ impl From<User> for AdminInfo {
 
 impl InitialUserInfo {
     async fn from_user(pool: &DbPool, user: User) -> Result<Self, sqlx::Error> {
-        let is_enrolled = user.has_password() || user.openid_login;
+        let enrolled = user.is_enrolled();
         let devices = user.devices(pool).await?;
         let device_names = devices.into_iter().map(|dev| dev.device.name).collect();
         Ok(Self {
@@ -527,7 +527,7 @@ impl InitialUserInfo {
             phone_number: user.phone,
             is_active: user.is_active,
             device_names,
-            enrolled: is_enrolled,
+            enrolled,
         })
     }
 }
diff --git a/web/src/pages/users/UserProfile/UserProfile.tsx b/web/src/pages/users/UserProfile/UserProfile.tsx
index 5e01288894..fc44b44b03 100644
--- a/web/src/pages/users/UserProfile/UserProfile.tsx
+++ b/web/src/pages/users/UserProfile/UserProfile.tsx
@@ -182,10 +182,7 @@ const EditModeControls = () => {
           size={ButtonSize.SMALL}
           styleVariant={ButtonStyleVariant.SAVE}
           icon={<IconCheckmarkWhite />}
-          onClick={() => {
-            submitSubject.next();
-            console.log('submitSubject.next();');
-          }}
+          onClick={() => submitSubject.next()}
           loading={loading}
         />
       </div>

From 6c7a0d0813c810cf4bda2d84b50c01c0cf58490e Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Thu, 18 Jul 2024 11:49:23 +0200
Subject: [PATCH 29/73] flow rework and fixes

---
 src/enterprise/handlers/openid_login.rs       | 75 ++++++++--------
 src/enterprise/handlers/openid_providers.rs   | 17 +++-
 src/handlers/auth.rs                          |  2 +-
 src/lib.rs                                    |  5 +-
 web/src/components/App/App.tsx                |  2 +-
 web/src/components/AppLoader.tsx              | 19 +----
 web/src/i18n/en/index.ts                      |  5 ++
 web/src/i18n/i18n-types.ts                    | 28 ++++++
 web/src/i18n/pl/index.ts                      |  5 ++
 web/src/pages/auth/AuthPage.tsx               |  2 +
 web/src/pages/auth/Callback/Callback.tsx      | 85 +++++++++++++++++++
 web/src/pages/auth/Callback/style.scss        |  5 ++
 web/src/pages/auth/Login/Login.tsx            | 83 +++++++++++-------
 .../components/OpenIdSettingsForm.tsx         | 54 +++++++++---
 .../OpenIdSettings/components/style.scss      |  5 ++
 web/src/shared/hooks/store/useAuthStore.ts    |  4 +-
 web/src/shared/hooks/useApi.tsx               |  4 +
 web/src/shared/mutations.ts                   |  1 +
 web/src/shared/types.ts                       |  8 +-
 19 files changed, 298 insertions(+), 111 deletions(-)
 create mode 100644 web/src/pages/auth/Callback/Callback.tsx
 create mode 100644 web/src/pages/auth/Callback/style.scss

diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index ebc368cbcb..0ea72ad6fc 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -1,30 +1,37 @@
 use axum::http::header::LOCATION;
 use axum::http::{HeaderMap, HeaderValue, StatusCode};
 
+use axum::Json;
 use axum_extra::extract::cookie::{Cookie, SameSite};
 use serde_json::json;
 
 use time::Duration;
 
-use axum::extract::{Query, State};
+use axum::extract::{path, Query, State};
 
 use axum_client_ip::{InsecureClientIp, LeftmostXForwardedFor};
 use axum_extra::extract::{CookieJar, PrivateCookieJar};
 use axum_extra::headers::UserAgent;
 use axum_extra::TypedHeader;
-use openidconnect::core::{CoreClient, CoreResponseType};
+use openidconnect::core::{
+    CoreClient, CoreGenderClaim, CoreJsonWebKeyType, CoreJweContentEncryptionAlgorithm,
+    CoreJwsSigningAlgorithm, CoreResponseType,
+};
 use openidconnect::{
     core::CoreProviderMetadata, reqwest::async_http_client, ClientId, ClientSecret, IssuerUrl,
     ProviderMetadata, RedirectUrl,
 };
-use openidconnect::{AuthenticationFlow, AuthorizationCode, CsrfToken, Nonce, Scope};
+use openidconnect::{
+    AccessToken, AuthenticationFlow, AuthorizationCode, CsrfToken, EmptyAdditionalClaims, IdToken,
+    Nonce, Scope,
+};
 
 use crate::appstate::AppState;
 use crate::db::{AppEvent, DbPool, Session, SessionState, Settings, User, UserInfo};
 use crate::enterprise::db::models::openid_provider::OpenIdProvider;
 use crate::error::WebError;
 use crate::handlers::user::check_username;
-use crate::handlers::{ApiResponse, SESSION_COOKIE_NAME};
+use crate::handlers::{ApiResponse, AuthResponse, SESSION_COOKIE_NAME};
 use crate::headers::{check_new_device_login, get_user_agent_device, parse_user_agent};
 use crate::server_config;
 
@@ -71,7 +78,7 @@ async fn make_oidc_client(pool: &DbPool) -> Result<CoreClient, WebError> {
         Some(provider) => provider,
         None => {
             return Err(WebError::ObjectNotFound(
-                "OpenID provider not found".to_string(),
+                "OpenID provider not set".to_string(),
             ));
         }
     };
@@ -80,7 +87,7 @@ async fn make_oidc_client(pool: &DbPool) -> Result<CoreClient, WebError> {
     let client_id = ClientId::new(provider.client_id);
     let client_secret = ClientSecret::new(provider.client_secret);
     let config = server_config();
-    let url = format!("{}api/v1/openid/callback", config.url);
+    let url = format!("{}/auth/callback", config.url);
     let redirect_url = match RedirectUrl::new(url) {
         Ok(url) => url,
         Err(err) => {
@@ -106,7 +113,7 @@ pub async fn get_auth_info(
     // Generate the redirect URL and the values needed later for callback authenticity verification
     let (authorize_url, csrf_state, nonce) = client
         .authorize_url(
-            AuthenticationFlow::<CoreResponseType>::AuthorizationCode,
+            AuthenticationFlow::<CoreResponseType>::Implicit(false),
             CsrfToken::new_random,
             Nonce::new_random,
         )
@@ -124,7 +131,7 @@ pub async fn get_auth_info(
         )
         .path("/api/v1/openid/callback")
         .http_only(true)
-        .same_site(SameSite::Lax)
+        .same_site(SameSite::Strict)
         .secure(true)
         .max_age(Duration::days(1))
         .build();
@@ -137,10 +144,11 @@ pub async fn get_auth_info(
         )
         .path("/api/v1/openid/callback")
         .http_only(true)
-        .same_site(SameSite::Lax)
+        .same_site(SameSite::Strict)
         .secure(true)
         .max_age(Duration::days(1))
         .build();
+
     let private_cookies = private_cookies.add(nonce_cookie).add(csrf_cookie);
 
     Ok((
@@ -158,7 +166,13 @@ pub async fn get_auth_info(
 
 #[derive(Deserialize, Serialize, Debug)]
 pub struct AuthenticationResponse {
-    code: AuthorizationCode,
+    id_token: IdToken<
+        EmptyAdditionalClaims,
+        CoreGenderClaim,
+        CoreJweContentEncryptionAlgorithm,
+        CoreJwsSigningAlgorithm,
+        CoreJsonWebKeyType,
+    >,
     state: CsrfToken,
 }
 
@@ -168,9 +182,9 @@ pub async fn auth_callback(
     user_agent: Option<TypedHeader<UserAgent>>,
     forwarded_for_ip: Option<LeftmostXForwardedFor>,
     InsecureClientIp(insecure_ip): InsecureClientIp,
-    Query(params): Query<AuthenticationResponse>,
     State(appstate): State<AppState>,
-) -> Result<(StatusCode, HeaderMap, CookieJar, PrivateCookieJar), WebError> {
+    Json(payload): Json<AuthenticationResponse>,
+) -> Result<(CookieJar, PrivateCookieJar, ApiResponse), WebError> {
     debug!("Auth callback received, logging in user...");
 
     // Get the nonce and csrf cookies, we need them to verify the callback
@@ -189,32 +203,15 @@ pub async fn auth_callback(
         .to_string();
 
     // Verify the csrf token
-    if params.state.secret() != &cookie_csrf {
+    if *payload.state.secret() != cookie_csrf {
         return Err(WebError::Authorization("CSRF token mismatch".to_string()));
     };
 
     // Get the ID token and verify it against the nonce value received in the callback
     let client = make_oidc_client(&appstate.pool).await?;
-    let token = client
-        .exchange_code(params.code)
-        .request_async(async_http_client)
-        .await
-        .map_err(|error| {
-            WebError::Authorization(format!(
-                "Failed to exchange code for token, error: {:?}",
-                error
-            ))
-        })?;
     let nonce = Nonce::new(cookie_nonce);
     let token_verifier = client.id_token_verifier();
-    let id_token = match token.extra_fields().id_token() {
-        Some(token) => token,
-        None => {
-            return Err(WebError::Authorization(
-                "Server did not return an ID token".to_string(),
-            ));
-        }
-    };
+    let id_token = payload.id_token;
 
     private_cookies = private_cookies
         .remove(Cookie::from("nonce"))
@@ -367,9 +364,15 @@ pub async fn auth_callback(
         user.username
     );
 
-    // Redirect to '/' on successful login
-    let mut headers = HeaderMap::new();
-    let header_value = HeaderValue::from_str("/").or(Err(StatusCode::INTERNAL_SERVER_ERROR))?;
-    headers.insert(LOCATION, header_value);
-    Ok((StatusCode::FOUND, headers, cookies, private_cookies))
+    Ok((
+        cookies,
+        private_cookies,
+        ApiResponse {
+            json: json!(AuthResponse {
+                user: user_info,
+                url: None,
+            }),
+            status: StatusCode::OK,
+        },
+    ))
 }
diff --git a/src/enterprise/handlers/openid_providers.rs b/src/enterprise/handlers/openid_providers.rs
index 58bef9a970..6c94149d1c 100644
--- a/src/enterprise/handlers/openid_providers.rs
+++ b/src/enterprise/handlers/openid_providers.rs
@@ -1,4 +1,8 @@
-use axum::{extract::State, http::StatusCode, Json};
+use axum::{
+    extract::{Path, State},
+    http::StatusCode,
+    Json,
+};
 
 use crate::{
     appstate::AppState,
@@ -17,6 +21,11 @@ pub struct AddProviderData {
     client_secret: String,
 }
 
+#[derive(Debug, Deserialize, Serialize)]
+pub struct DeleteProviderData {
+    name: String,
+}
+
 impl AddProviderData {
     pub fn new(name: &str, base_url: &str, client_id: &str, client_secret: &str) -> Self {
         Self {
@@ -76,7 +85,7 @@ pub async fn delete_openid_provider(
     _admin: AdminRole,
     session: SessionInfo,
     State(appstate): State<AppState>,
-    Json(provider_data): Json<AddProviderData>,
+    Path(provider_data): Path<DeleteProviderData>,
 ) -> ApiResult {
     debug!(
         "User {} deleting OpenID provider {}",
@@ -86,7 +95,7 @@ pub async fn delete_openid_provider(
     if let Some(provider) = provider {
         provider.delete(&appstate.pool).await?;
         info!(
-            "User {} deleted OpenID client {}",
+            "User {} deleted OpenID provider {}",
             session.user.username, provider_data.name
         );
         Ok(ApiResponse {
@@ -95,7 +104,7 @@ pub async fn delete_openid_provider(
         })
     } else {
         warn!(
-            "User {} failed to delete OpenID client {}. Such client does not exist.",
+            "User {} failed to delete OpenID provider {}. Such provider does not exist.",
             session.user.username, provider_data.name
         );
         Ok(ApiResponse {
diff --git a/src/handlers/auth.rs b/src/handlers/auth.rs
index b4fd350473..088ffdf453 100644
--- a/src/handlers/auth.rs
+++ b/src/handlers/auth.rs
@@ -57,7 +57,7 @@ pub async fn authenticate(
     // check if user can proceed with login
     check_username(&appstate.failed_logins, &username)?;
 
-    let user = match User::find_by_username(&appstate.pool, &username).await {
+    let user: User = match User::find_by_username(&appstate.pool, &username).await {
         Ok(Some(user)) => match user.verify_password(&data.password) {
             Ok(()) => {
                 if user.is_active {
diff --git a/src/lib.rs b/src/lib.rs
index 6c7d91989d..78a38b1123 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -14,7 +14,7 @@ use axum::{
 use assets::{index, svg, web_asset};
 use enterprise::handlers::{
     openid_login::{auth_callback, get_auth_info},
-    openid_providers::{add_openid_provider, get_current_openid_provider},
+    openid_providers::{add_openid_provider, delete_openid_provider, get_current_openid_provider},
 };
 use handlers::ssh_authorized_keys::{
     add_authentication_key, delete_authentication_key, fetch_authentication_keys,
@@ -406,7 +406,8 @@ pub fn build_webapp(
             // OIDC login
             .route("/openid/provider", get(get_current_openid_provider))
             .route("/openid/provider", post(add_openid_provider))
-            .route("/openid/callback", get(auth_callback))
+            .route("/openid/provider/:name", delete(delete_openid_provider))
+            .route("/openid/callback", post(auth_callback))
             .route("/openid/auth_info", get(get_auth_info)),
     );
 
diff --git a/web/src/components/App/App.tsx b/web/src/components/App/App.tsx
index 6e94143410..56fa6e5eef 100644
--- a/web/src/components/App/App.tsx
+++ b/web/src/components/App/App.tsx
@@ -1,7 +1,7 @@
 import 'react-loading-skeleton/dist/skeleton.css';
 import './App.scss';
 
-import { BrowserRouter as Router, Navigate, Route, Routes } from 'react-router-dom';
+import { Navigate, Route, BrowserRouter as Router, Routes } from 'react-router-dom';
 
 import { AddDevicePage } from '../../pages/addDevice/AddDevicePage';
 import { OpenidAllowPage } from '../../pages/allow/OpenidAllowPage';
diff --git a/web/src/components/AppLoader.tsx b/web/src/components/AppLoader.tsx
index 82fc8ee459..0e87e4a4d8 100644
--- a/web/src/components/AppLoader.tsx
+++ b/web/src/components/AppLoader.tsx
@@ -30,9 +30,6 @@ export const AppLoader = () => {
     getAppInfo,
     user: { getMe },
     settings: { getEssentialSettings },
-    auth: {
-      openid: { getOpenIdInfo: getOpenidInfo },
-    },
   } = useApi();
   const [userLoading, setUserLoading] = useState(true);
   const { setLocale } = useI18nContext();
@@ -109,21 +106,7 @@ export const AppLoader = () => {
     }
   }, [essentialSettings, setAppStore]);
 
-  const { data: openIdInfo, isLoading: openIdLoading } = useQuery({
-    queryKey: [QueryKeys.FETCH_OPENID_INFO],
-    queryFn: getOpenidInfo,
-    refetchOnMount: true,
-    refetchOnWindowFocus: false,
-    retry: false,
-  });
-
-  useEffect(() => {
-    if (openIdInfo) {
-      setAuthState({ openIdLoginInfo: openIdInfo });
-    }
-  }, [openIdInfo, setAuthState]);
-
-  if (userLoading || (settingsLoading && isUndefined(appSettings)) || openIdLoading) {
+  if (userLoading || (settingsLoading && isUndefined(appSettings))) {
     return <LoaderPage />;
   }
 
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index 00c07552c2..a5ed451099 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -935,6 +935,7 @@ const en: BaseTranslation = {
         helper: 'Here you can configure the OpenID client settings with values provided by your external OpenID provider.',
         custom: "Custom",
         documentation: 'Documentation',
+        delete: 'Delete provider',
         labels: {
           provider: {
             label: 'Provider',
@@ -1485,6 +1486,10 @@ const en: BaseTranslation = {
   },
   loginPage: {
     pageTitle: 'Enter your credentials',
+    callback: {
+      return: 'Go back to login',
+      error: 'An error occurred during external OpenID login',
+    },
     mfa: {
       title: 'Two-factor authentication',
       controls: {
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index 13f1da8b26..27fd686ad4 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -2313,6 +2313,10 @@ type RootTranslation = {
 				 * D​o​c​u​m​e​n​t​a​t​i​o​n
 				 */
 				documentation: string
+				/**
+				 * D​e​l​e​t​e​ ​p​r​o​v​i​d​e​r
+				 */
+				'delete': string
 				labels: {
 					provider: {
 						/**
@@ -3536,6 +3540,16 @@ type RootTranslation = {
 		 * E​n​t​e​r​ ​y​o​u​r​ ​c​r​e​d​e​n​t​i​a​l​s
 		 */
 		pageTitle: string
+		callback: {
+			/**
+			 * G​o​ ​b​a​c​k​ ​t​o​ ​l​o​g​i​n
+			 */
+			'return': string
+			/**
+			 * A​n​ ​e​r​r​o​r​ ​o​c​c​u​r​r​e​d​ ​d​u​r​i​n​g​ ​e​x​t​e​r​n​a​l​ ​O​p​e​n​I​D​ ​l​o​g​i​n
+			 */
+			error: string
+		}
 		mfa: {
 			/**
 			 * T​w​o​-​f​a​c​t​o​r​ ​a​u​t​h​e​n​t​i​c​a​t​i​o​n
@@ -6287,6 +6301,10 @@ export type TranslationFunctions = {
 				 * Documentation
 				 */
 				documentation: () => LocalizedString
+				/**
+				 * Delete provider
+				 */
+				'delete': () => LocalizedString
 				labels: {
 					provider: {
 						/**
@@ -7499,6 +7517,16 @@ export type TranslationFunctions = {
 		 * Enter your credentials
 		 */
 		pageTitle: () => LocalizedString
+		callback: {
+			/**
+			 * Go back to login
+			 */
+			'return': () => LocalizedString
+			/**
+			 * An error occurred during external OpenID login
+			 */
+			error: () => LocalizedString
+		}
 		mfa: {
 			/**
 			 * Two-factor authentication
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 69b847fb4a..e557a292c7 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -921,6 +921,7 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
         helper: 'Tutaj możesz skonfigurować ustawienia klienta OpenID z wartościami dostarczonymi przez zewnętrznego dostawcę OpenID.',
         custom: "Niestandardowy",
         documentation: 'Dokumentacja',
+        delete: 'Usuń dostawcę',
         labels: {
           provider: {
             label: 'Dostawca',
@@ -1471,6 +1472,10 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
   },
   loginPage: {
     pageTitle: 'Wprowadź swoje dane logowania',
+    callback: {
+      return: 'Powrót do logowania',
+      error: 'Wystąpił błąd podczas logowania przez zewnętrznego dostawcę OpenID',
+    },
     mfa: {
       title: 'Autoryzacja dwuetapowa.',
       controls: {
diff --git a/web/src/pages/auth/AuthPage.tsx b/web/src/pages/auth/AuthPage.tsx
index ea2c14633c..ff734aed3a 100644
--- a/web/src/pages/auth/AuthPage.tsx
+++ b/web/src/pages/auth/AuthPage.tsx
@@ -16,6 +16,7 @@ import { RedirectPage } from '../redirect/RedirectPage';
 import { Login } from './Login/Login';
 import { MFARoute } from './MFARoute/MFARoute';
 import { useMFAStore } from './shared/hooks/useMFAStore';
+import { OpenIDCallback } from './Callback/Callback';
 
 export const AuthPage = () => {
   const {
@@ -152,6 +153,7 @@ export const AuthPage = () => {
         <Route path="/" element={<Navigate to="login" />} />
         <Route path="login" element={<Login />} />
         <Route path="mfa/*" element={<MFARoute />} />
+        <Route path="callback" element={<OpenIDCallback />} />
         <Route path="*" element={<Navigate to="login" />} />
       </Routes>
     </div>
diff --git a/web/src/pages/auth/Callback/Callback.tsx b/web/src/pages/auth/Callback/Callback.tsx
new file mode 100644
index 0000000000..64d85f3818
--- /dev/null
+++ b/web/src/pages/auth/Callback/Callback.tsx
@@ -0,0 +1,85 @@
+import './style.scss';
+
+import { useMutation } from '@tanstack/react-query';
+import { AxiosError } from 'axios';
+
+import { useEffect, useState } from 'react';
+import useApi from '../../../shared/hooks/useApi';
+import { MutationKeys } from '../../../shared/mutations';
+import { CallbackData } from '../../../shared/types';
+import { useAuthStore } from '../../../shared/hooks/store/useAuthStore';
+import { LoaderSpinner } from '../../../shared/defguard-ui/components/Layout/LoaderSpinner/LoaderSpinner';
+import { useToaster } from '../../../shared/hooks/useToaster';
+import { useI18nContext } from '../../../i18n/i18n-react';
+import { Button } from '../../../shared/defguard-ui/components/Layout/Button/Button';
+import { useNavigate } from 'react-router';
+
+export const OpenIDCallback = () => {
+  const {
+    auth: {
+      openid: { callback },
+    },
+  } = useApi();
+  const loginSubject = useAuthStore((state) => state.loginSubject);
+  const toaster = useToaster();
+  const { LL } = useI18nContext();
+  const [error, setError] = useState<string | null>(null);
+  const navigate = useNavigate();
+
+  const callbackMutation = useMutation((data: CallbackData) => callback(data), {
+    mutationKey: [MutationKeys.OPENID_CALLBACK],
+    onSuccess: (data) => {
+      loginSubject.next(data);
+    },
+    onError: (error: AxiosError) => {
+      toaster.error(LL.messages.error());
+      console.error(error);
+    },
+    retry: false,
+  });
+
+  useEffect(() => {
+    if (window.location.hash && window.location.hash.length > 0) {
+      const hashFragment = window.location.hash.substring(1);
+      const params = new URLSearchParams(hashFragment);
+
+      // check if error occured
+      const error = params.get('error');
+
+      if (error) {
+        setError(error);
+        toaster.error(LL.messages.error());
+        return;
+      }
+
+      const id_token = params.get('id_token');
+      const state = params.get('state');
+
+      if (id_token && state) {
+        const data: CallbackData = {
+          id_token,
+          state,
+        };
+        console.log('CALLING CALLBACK MUTATION');
+        callbackMutation.mutate(data);
+      }
+    }
+  }, []);
+
+  // TODO: Perhaphs make it a bit more user friendly
+  return error ? (
+    <div className="error-info">
+      <p>
+        {LL.loginPage.callback.error()}: {error}
+      </p>
+      <Button
+        text={LL.loginPage.callback.return()}
+        onClick={() => {
+          navigate('/auth/login');
+        }}
+      />
+    </div>
+  ) : (
+    <LoaderSpinner size={80} />
+  );
+};
diff --git a/web/src/pages/auth/Callback/style.scss b/web/src/pages/auth/Callback/style.scss
new file mode 100644
index 0000000000..763c165186
--- /dev/null
+++ b/web/src/pages/auth/Callback/style.scss
@@ -0,0 +1,5 @@
+.error-info {
+  display: flex;
+  flex-direction: column;
+  gap: 10px;
+}
diff --git a/web/src/pages/auth/Login/Login.tsx b/web/src/pages/auth/Login/Login.tsx
index 121599f793..6d6a46a152 100644
--- a/web/src/pages/auth/Login/Login.tsx
+++ b/web/src/pages/auth/Login/Login.tsx
@@ -1,7 +1,7 @@
 import './style.scss';
 
 import { zodResolver } from '@hookform/resolvers/zod';
-import { useMutation } from '@tanstack/react-query';
+import { useMutation, useQuery } from '@tanstack/react-query';
 import { AxiosError } from 'axios';
 import { useMemo } from 'react';
 import { SubmitHandler, useForm } from 'react-hook-form';
@@ -14,10 +14,12 @@ import {
   ButtonSize,
   ButtonStyleVariant,
 } from '../../../shared/defguard-ui/components/Layout/Button/types';
+import { LoaderSpinner } from '../../../shared/defguard-ui/components/Layout/LoaderSpinner/LoaderSpinner';
 import { useAuthStore } from '../../../shared/hooks/store/useAuthStore';
 import useApi from '../../../shared/hooks/useApi';
 import { MutationKeys } from '../../../shared/mutations';
 import { patternSafeUsernameCharacters } from '../../../shared/patterns';
+import { QueryKeys } from '../../../shared/queries';
 import { LoginData } from '../../../shared/types';
 import { trimObjectStrings } from '../../../shared/utils/trimObjectStrings';
 import { OpenIdLoginButton } from './components/OidcButtons';
@@ -29,7 +31,20 @@ type Inputs = {
 
 export const Login = () => {
   const { LL } = useI18nContext();
-  const openIdInfo = useAuthStore((state) => state.openIdLoginInfo);
+  const {
+    auth: {
+      login,
+      openid: { getOpenIdInfo: getOpenidInfo },
+    },
+  } = useApi();
+
+  const { data: openIdInfo, isLoading: openIdLoading } = useQuery({
+    queryKey: [QueryKeys.FETCH_OPENID_INFO],
+    queryFn: getOpenidInfo,
+    refetchOnMount: true,
+    refetchOnWindowFocus: false,
+    retry: false,
+  });
 
   const zodSchema = useMemo(
     () =>
@@ -48,10 +63,6 @@ export const Login = () => {
     [LL.form.error],
   );
 
-  const {
-    auth: { login },
-  } = useApi();
-
   const { handleSubmit, control, setError } = useForm<Inputs>({
     resolver: zodResolver(zodSchema),
     mode: 'all',
@@ -89,33 +100,39 @@ export const Login = () => {
 
   return (
     <section id="login-container">
-      <h1>{LL.loginPage.pageTitle()}</h1>
-      <form onSubmit={handleSubmit(onSubmit)}>
-        <FormInput
-          controller={{ control, name: 'username' }}
-          placeholder={LL.form.placeholders.username()}
-          autoComplete="username"
-          data-testid="login-form-username"
-          required
-        />
-        <FormInput
-          controller={{ control, name: 'password' }}
-          placeholder={LL.form.placeholders.password()}
-          type="password"
-          autoComplete="password"
-          data-testid="login-form-password"
-          required
-        />
-        <Button
-          type="submit"
-          loading={loginMutation.isLoading}
-          size={ButtonSize.LARGE}
-          styleVariant={ButtonStyleVariant.PRIMARY}
-          text={LL.form.login()}
-          data-testid="login-form-submit"
-        />
-        {openIdInfo && <OpenIdLoginButton url={openIdInfo.url} />}
-      </form>
+      {!openIdLoading ? (
+        <>
+          <h1>{LL.loginPage.pageTitle()}</h1>
+          <form onSubmit={handleSubmit(onSubmit)}>
+            <FormInput
+              controller={{ control, name: 'username' }}
+              placeholder={LL.form.placeholders.username()}
+              autoComplete="username"
+              data-testid="login-form-username"
+              required
+            />
+            <FormInput
+              controller={{ control, name: 'password' }}
+              placeholder={LL.form.placeholders.password()}
+              type="password"
+              autoComplete="password"
+              data-testid="login-form-password"
+              required
+            />
+            <Button
+              type="submit"
+              loading={loginMutation.isLoading}
+              size={ButtonSize.LARGE}
+              styleVariant={ButtonStyleVariant.PRIMARY}
+              text={LL.form.login()}
+              data-testid="login-form-submit"
+            />
+            {openIdInfo && <OpenIdLoginButton url={openIdInfo.url} />}
+          </form>
+        </>
+      ) : (
+        <LoaderSpinner size={80} />
+      )}
     </section>
   );
 };
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
index fff1539069..336d9c0fad 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -36,7 +36,7 @@ export const OpenIdSettingsForm = () => {
   const queryClient = useQueryClient();
 
   const {
-    settings: { fetchOpenIdProviders, addOpenIdProvider },
+    settings: { fetchOpenIdProviders, addOpenIdProvider, deleteOpenIdProvider },
   } = useApi();
 
   const { isLoading } = useQuery({
@@ -64,6 +64,18 @@ export const OpenIdSettingsForm = () => {
     },
   });
 
+  const { mutate: deleteProvider } = useMutation({
+    mutationFn: deleteOpenIdProvider,
+    onSuccess: () => {
+      queryClient.invalidateQueries([QueryKeys.FETCH_OPENID_PROVIDERS]);
+      toaster.success(LL.settingsPage.messages.editSuccess());
+    },
+    onError: (error) => {
+      toaster.error(LL.messages.error());
+      console.error(error);
+    },
+  });
+
   const schema = useMemo(
     () =>
       z.object({
@@ -104,6 +116,13 @@ export const OpenIdSettingsForm = () => {
     mutate(data);
   };
 
+  const handleDeleteProvider = useCallback(() => {
+    if (currentProvider) {
+      deleteProvider(currentProvider.name);
+      setCurrentProvider(null);
+    }
+  }, [currentProvider, deleteProvider]);
+
   const options: SelectOption<string>[] = useMemo(
     () => [
       {
@@ -168,15 +187,27 @@ export const OpenIdSettingsForm = () => {
       <header>
         <h2>{localLL.form.title()}</h2>
         <Helper>{parse(localLL.form.helper())}</Helper>
-        <Button
-          size={ButtonSize.SMALL}
-          styleVariant={ButtonStyleVariant.SAVE}
-          text={LL.common.controls.saveChanges()}
-          type="submit"
-          loading={isLoading}
-          form="openid-settings-form"
-          icon={<IconCheckmarkWhite />}
-        />
+        <div className="controls">
+          <Button
+            size={ButtonSize.SMALL}
+            styleVariant={ButtonStyleVariant.SAVE}
+            text={LL.common.controls.saveChanges()}
+            type="submit"
+            loading={isLoading}
+            form="openid-settings-form"
+            icon={<IconCheckmarkWhite />}
+          />
+          <Button
+            text={localLL.form.delete()}
+            size={ButtonSize.SMALL}
+            styleVariant={ButtonStyleVariant.CONFIRM}
+            loading={isLoading}
+            onClick={() => {
+              console.log('delete');
+              handleDeleteProvider();
+            }}
+          />
+        </div>
       </header>
       <form id="openid-settings-form" onSubmit={handleSubmit(handleValidSubmit)}>
         <Select
@@ -209,8 +240,7 @@ export const OpenIdSettingsForm = () => {
         />
       </form>
       <a
-        // TODO: Add a link to the not yet existing documentation
-        href="https://defguard.gitbook.io/defguard/"
+        href="https://defguard.gitbook.io/defguard/admin-and-features/external-openid-providers"
         target="_blank"
       >
         {localLL.form.documentation()}
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/style.scss b/web/src/pages/settings/components/OpenIdSettings/components/style.scss
index 017489e228..2318b3d184 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/style.scss
+++ b/web/src/pages/settings/components/OpenIdSettings/components/style.scss
@@ -5,6 +5,11 @@
     & > .btn {
       margin-left: auto;
     }
+
+    & > .controls {
+      display: flex;
+      gap: 10px;
+    }
   }
   form {
     width: 100%;
diff --git a/web/src/shared/hooks/store/useAuthStore.ts b/web/src/shared/hooks/store/useAuthStore.ts
index 1679f03134..ef8e9fa812 100644
--- a/web/src/shared/hooks/store/useAuthStore.ts
+++ b/web/src/shared/hooks/store/useAuthStore.ts
@@ -3,7 +3,7 @@ import { Subject } from 'rxjs';
 import { createJSONStorage, persist } from 'zustand/middleware';
 import { createWithEqualityFn } from 'zustand/traditional';
 
-import { LoginSubjectData, OpenIdInfoResponse, User } from '../../types';
+import { LoginSubjectData, User } from '../../types';
 
 export const useAuthStore = createWithEqualityFn<AuthStore>()(
   persist(
@@ -34,8 +34,6 @@ export interface AuthStore {
   isAdmin?: boolean;
   // If this is set, redirect user to allow page and nowhere else
   openIdParams?: URLSearchParams;
-  // External oidc info required for login
-  openIdLoginInfo?: OpenIdInfoResponse;
   setState: (newState: Partial<AuthStore>) => void;
   resetState: () => void;
 }
diff --git a/web/src/shared/hooks/useApi.tsx b/web/src/shared/hooks/useApi.tsx
index dfe188ba95..11ca365447 100644
--- a/web/src/shared/hooks/useApi.tsx
+++ b/web/src/shared/hooks/useApi.tsx
@@ -452,6 +452,9 @@ const useApi = (props?: HookProps): ApiHook => {
   const editOpenIdProvider: ApiHook['settings']['editOpenIdProvider'] = async (data) =>
     client.put(`/openid/provider/${data.name}`, data).then(unpackRequest);
 
+  const openIdCallback: ApiHook['auth']['openid']['callback'] = (data) =>
+    client.post(`/openid/callback`, data).then(unpackRequest);
+
   useEffect(() => {
     client.interceptors.response.use(
       (res) => {
@@ -544,6 +547,7 @@ const useApi = (props?: HookProps): ApiHook => {
       logout,
       openid: {
         getOpenIdInfo: getOpenidInfo,
+        callback: openIdCallback,
       },
       mfa: {
         disable: mfaDisable,
diff --git a/web/src/shared/mutations.ts b/web/src/shared/mutations.ts
index 1cb4a0d173..da00e7d9c5 100644
--- a/web/src/shared/mutations.ts
+++ b/web/src/shared/mutations.ts
@@ -1,6 +1,7 @@
 export const MutationKeys = {
   DELETE_OPENID_CLIENT: 'DELETE_OPENID_CLIENT',
   LOG_IN: 'LOG_IN',
+  OPENID_CALLBACK: 'OPENID_CALLBACK',
   ADD_OPENID_CLIENT: 'ADD_OPENID_CLIENT',
   EDIT_OPENID_CLIENT: 'EDIT_OPENID_CLIENT',
   REGISTER_SECURITY_KEY_START: 'REGISTER_SECURITY_KEY_START',
diff --git a/web/src/shared/types.ts b/web/src/shared/types.ts
index 9afb13f866..2a641e8223 100644
--- a/web/src/shared/types.ts
+++ b/web/src/shared/types.ts
@@ -166,6 +166,11 @@ export interface LoginData {
   password: string;
 }
 
+export interface CallbackData {
+  id_token: string;
+  state: string;
+}
+
 export type LoginSubjectData = {
   user?: User;
   // URL of an already authorized application
@@ -506,6 +511,7 @@ export interface ApiHook {
     logout: () => EmptyApiResponse;
     openid: {
       getOpenIdInfo: () => Promise<OpenIdInfoResponse>;
+      callback: (data: CallbackData) => Promise<LoginResponse>;
     };
     mfa: {
       disable: () => EmptyApiResponse;
@@ -578,7 +584,7 @@ export interface ApiHook {
     testLdapSettings: () => Promise<EmptyApiResponse>;
     fetchOpenIdProviders: () => Promise<OpenIdProvider>;
     addOpenIdProvider: (data: OpenIdProvider) => Promise<EmptyApiResponse>;
-    deleteOpenIdProvider: (id: string) => Promise<EmptyApiResponse>;
+    deleteOpenIdProvider: (name: string) => Promise<EmptyApiResponse>;
     editOpenIdProvider: (data: OpenIdProvider) => Promise<EmptyApiResponse>;
   };
   support: {

From 99aec856461a2725a6b5638c5d994fff89f505f6 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Thu, 18 Jul 2024 11:50:32 +0200
Subject: [PATCH 30/73] cargo fix

---
 src/enterprise/handlers/openid_login.rs | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 0ea72ad6fc..52f0282dd3 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -1,5 +1,4 @@
-use axum::http::header::LOCATION;
-use axum::http::{HeaderMap, HeaderValue, StatusCode};
+use axum::http::{StatusCode};
 
 use axum::Json;
 use axum_extra::extract::cookie::{Cookie, SameSite};
@@ -7,7 +6,7 @@ use serde_json::json;
 
 use time::Duration;
 
-use axum::extract::{path, Query, State};
+use axum::extract::{State};
 
 use axum_client_ip::{InsecureClientIp, LeftmostXForwardedFor};
 use axum_extra::extract::{CookieJar, PrivateCookieJar};
@@ -22,7 +21,7 @@ use openidconnect::{
     ProviderMetadata, RedirectUrl,
 };
 use openidconnect::{
-    AccessToken, AuthenticationFlow, AuthorizationCode, CsrfToken, EmptyAdditionalClaims, IdToken,
+    AuthenticationFlow, CsrfToken, EmptyAdditionalClaims, IdToken,
     Nonce, Scope,
 };
 

From 23f8190df60e9d3cf8f12a8e653da8e8317fe591 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Thu, 18 Jul 2024 13:15:53 +0200
Subject: [PATCH 31/73] change action to amd64 and temporarily disable e2e
 tests

---
 .github/workflows/current.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml
index 8fcd706d0c..d5e14e0cfd 100644
--- a/.github/workflows/current.yml
+++ b/.github/workflows/current.yml
@@ -11,7 +11,7 @@ on:
 
 jobs:
   build-docker:
-    runs-on: [self-hosted, Linux]
+    runs-on: [self-hosted, Linux, X64]
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -49,7 +49,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-  trigger-e2e:
-    needs: build-docker
-    uses: ./.github/workflows/e2e.yml
-    secrets: inherit
+  # trigger-e2e:
+  #   needs: build-docker
+  #   uses: ./.github/workflows/e2e.yml
+  #   secrets: inherit

From d61d3dd71bcec36ac80872044f90449c454102a2 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Thu, 18 Jul 2024 13:17:36 +0200
Subject: [PATCH 32/73] x64

---
 .github/workflows/ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4bb06a295b..f67d5a44cc 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,7 +21,7 @@ env:
 
 jobs:
   test:
-    runs-on: [self-hosted, Linux]
+    runs-on: [self-hosted, Linux, X64]
     container: rust:1.77
 
     services:

From a9dd0dd652ee455329d8381cf6439e9bc5012314 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Thu, 18 Jul 2024 13:28:19 +0200
Subject: [PATCH 33/73] assign correct runner to most workflows

---
 .github/workflows/dev-deployment.yml | 2 +-
 .github/workflows/docs.yml           | 2 +-
 .github/workflows/e2e.yml            | 2 +-
 .github/workflows/lint-e2e.yml       | 2 +-
 .github/workflows/lint-web.yml       | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/dev-deployment.yml b/.github/workflows/dev-deployment.yml
index da8cc336a6..8e903ebbc6 100644
--- a/.github/workflows/dev-deployment.yml
+++ b/.github/workflows/dev-deployment.yml
@@ -4,7 +4,7 @@ on:
 
 jobs:
   deploy-dev:
-    runs-on: [self-hosted, Linux]
+    runs-on: [self-hosted, Linux, X64]
     environment: DEV
     if: ${{ github.event_name != 'pull_request' && github.ref_name == 'dev' }}
     env:
diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
index 3ab0a3ba40..8c9be3cd70 100644
--- a/.github/workflows/docs.yml
+++ b/.github/workflows/docs.yml
@@ -15,7 +15,7 @@ env:
 
 jobs:
   rustdoc:
-    runs-on: [self-hosted, Linux]
+    runs-on: [self-hosted, Linux, X64]
     container: rust:1.77
     services:
       postgres:
diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
index bc3f1180ba..3c029171d0 100644
--- a/.github/workflows/e2e.yml
+++ b/.github/workflows/e2e.yml
@@ -5,7 +5,7 @@ on:
 
 jobs:
   test:
-    runs-on: [self-hosted, Linux]
+    runs-on: [self-hosted, Linux, X64]
     steps:
       - uses: actions/checkout@v4
       - name: Set up Docker Buildx
diff --git a/.github/workflows/lint-e2e.yml b/.github/workflows/lint-e2e.yml
index f3cadcbed3..9ab23a86f1 100644
--- a/.github/workflows/lint-e2e.yml
+++ b/.github/workflows/lint-e2e.yml
@@ -12,7 +12,7 @@ on:
 
 jobs:
   lint-e2e:
-    runs-on: [self-hosted, Linux]
+    runs-on: [self-hosted, Linux, X64]
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
diff --git a/.github/workflows/lint-web.yml b/.github/workflows/lint-web.yml
index 98ab096400..146ce20bc1 100644
--- a/.github/workflows/lint-web.yml
+++ b/.github/workflows/lint-web.yml
@@ -12,7 +12,7 @@ on:
 
 jobs:
   lint-web:
-    runs-on: [self-hosted, Linux]
+    runs-on: [self-hosted, Linux, X64]
     steps:
       - uses: actions/checkout@v4
         with:

From 502b6b150c300e1a565d57e085bb28fa3801d653 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Thu, 18 Jul 2024 13:45:01 +0200
Subject: [PATCH 34/73] cargo fmt

---
 src/enterprise/handlers/openid_login.rs | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 52f0282dd3..58660620a6 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -1,4 +1,4 @@
-use axum::http::{StatusCode};
+use axum::http::StatusCode;
 
 use axum::Json;
 use axum_extra::extract::cookie::{Cookie, SameSite};
@@ -6,7 +6,7 @@ use serde_json::json;
 
 use time::Duration;
 
-use axum::extract::{State};
+use axum::extract::State;
 
 use axum_client_ip::{InsecureClientIp, LeftmostXForwardedFor};
 use axum_extra::extract::{CookieJar, PrivateCookieJar};
@@ -20,10 +20,7 @@ use openidconnect::{
     core::CoreProviderMetadata, reqwest::async_http_client, ClientId, ClientSecret, IssuerUrl,
     ProviderMetadata, RedirectUrl,
 };
-use openidconnect::{
-    AuthenticationFlow, CsrfToken, EmptyAdditionalClaims, IdToken,
-    Nonce, Scope,
-};
+use openidconnect::{AuthenticationFlow, CsrfToken, EmptyAdditionalClaims, IdToken, Nonce, Scope};
 
 use crate::appstate::AppState;
 use crate::db::{AppEvent, DbPool, Session, SessionState, Settings, User, UserInfo};

From 08aba9a5053d12971c7fe146beeb3d6123b654e1 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 19 Jul 2024 09:25:09 +0200
Subject: [PATCH 35/73] remove double slash

---
 src/enterprise/handlers/openid_login.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 58660620a6..e01d4ac88b 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -83,7 +83,7 @@ async fn make_oidc_client(pool: &DbPool) -> Result<CoreClient, WebError> {
     let client_id = ClientId::new(provider.client_id);
     let client_secret = ClientSecret::new(provider.client_secret);
     let config = server_config();
-    let url = format!("{}/auth/callback", config.url);
+    let url = format!("{}auth/callback", config.url);
     let redirect_url = match RedirectUrl::new(url) {
         Ok(url) => url,
         Err(err) => {

From 768144608172818c744a0f5d9446aa2dcd8b1944 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 19 Jul 2024 10:10:22 +0200
Subject: [PATCH 36/73] dfg mfa support

---
 src/enterprise/handlers/openid_login.rs  | 100 ++++++++++++++++-------
 web/src/pages/auth/Callback/Callback.tsx |   5 +-
 web/src/shared/hooks/useApi.tsx          |  12 ++-
 3 files changed, 82 insertions(+), 35 deletions(-)

diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index e01d4ac88b..8aa74399c0 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -23,11 +23,11 @@ use openidconnect::{
 use openidconnect::{AuthenticationFlow, CsrfToken, EmptyAdditionalClaims, IdToken, Nonce, Scope};
 
 use crate::appstate::AppState;
-use crate::db::{AppEvent, DbPool, Session, SessionState, Settings, User, UserInfo};
+use crate::db::{AppEvent, DbPool, MFAInfo, Session, SessionState, Settings, User, UserInfo};
 use crate::enterprise::db::models::openid_provider::OpenIdProvider;
 use crate::error::WebError;
 use crate::handlers::user::check_username;
-use crate::handlers::{ApiResponse, AuthResponse, SESSION_COOKIE_NAME};
+use crate::handlers::{ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_COOKIE_NAME};
 use crate::headers::{check_new_device_login, get_user_agent_device, parse_user_agent};
 use crate::server_config;
 
@@ -342,33 +342,73 @@ pub async fn auth_callback(
         .max_age(max_age);
     let cookies = cookies.add(auth_cookie);
     let login_event_type = "AUTHENTICATION".to_string();
-    let user_info = UserInfo::from_user(&appstate.pool, &user).await?;
-    appstate.trigger_action(AppEvent::UserCreated(user_info.clone()));
-    check_new_device_login(
-        &appstate.pool,
-        &appstate.mail_tx,
-        &session,
-        &user,
-        ip_address,
-        login_event_type,
-        agent,
-    )
-    .await?;
-
-    info!(
-        "External OpenID authentication successful for user {}",
-        user.username
-    );
 
-    Ok((
-        cookies,
-        private_cookies,
-        ApiResponse {
-            json: json!(AuthResponse {
-                user: user_info,
-                url: None,
-            }),
-            status: StatusCode::OK,
-        },
-    ))
+    info!("Authenticated user {username} with external OpenID provider. Veryfing MFA status...");
+    if user.mfa_enabled {
+        if let Some(mfa_info) = MFAInfo::for_user(&appstate.pool, &user).await? {
+            check_new_device_login(
+                &appstate.pool,
+                &appstate.mail_tx,
+                &session,
+                &user,
+                ip_address,
+                login_event_type,
+                agent,
+            )
+            .await?;
+            Ok((
+                cookies,
+                private_cookies,
+                ApiResponse {
+                    json: json!(mfa_info),
+                    status: StatusCode::CREATED,
+                },
+            ))
+        } else {
+            error!("Couldn't fetch MFA info for user {username} with MFA enabled");
+            Err(WebError::DbError("MFA info read error".into()))
+        }
+    } else {
+        let user_info = UserInfo::from_user(&appstate.pool, &user).await?;
+
+        check_new_device_login(
+            &appstate.pool,
+            &appstate.mail_tx,
+            &session,
+            &user,
+            ip_address,
+            login_event_type,
+            agent,
+        )
+        .await?;
+
+        if let Some(openid_cookie) = private_cookies.get(SIGN_IN_COOKIE_NAME) {
+            debug!("Found openid session cookie.");
+            let redirect_url = openid_cookie.value().to_string();
+            Ok((
+                cookies,
+                private_cookies.remove(openid_cookie),
+                ApiResponse {
+                    json: json!(AuthResponse {
+                        user: user_info,
+                        url: Some(redirect_url)
+                    }),
+                    status: StatusCode::OK,
+                },
+            ))
+        } else {
+            debug!("No OpenID session found");
+            Ok((
+                cookies,
+                private_cookies,
+                ApiResponse {
+                    json: json!(AuthResponse {
+                        user: user_info,
+                        url: None,
+                    }),
+                    status: StatusCode::OK,
+                },
+            ))
+        }
+    }
 }
diff --git a/web/src/pages/auth/Callback/Callback.tsx b/web/src/pages/auth/Callback/Callback.tsx
index 64d85f3818..92256abc29 100644
--- a/web/src/pages/auth/Callback/Callback.tsx
+++ b/web/src/pages/auth/Callback/Callback.tsx
@@ -28,9 +28,7 @@ export const OpenIDCallback = () => {
 
   const callbackMutation = useMutation((data: CallbackData) => callback(data), {
     mutationKey: [MutationKeys.OPENID_CALLBACK],
-    onSuccess: (data) => {
-      loginSubject.next(data);
-    },
+    onSuccess: (data) => loginSubject.next(data),
     onError: (error: AxiosError) => {
       toaster.error(LL.messages.error());
       console.error(error);
@@ -60,7 +58,6 @@ export const OpenIDCallback = () => {
           id_token,
           state,
         };
-        console.log('CALLING CALLBACK MUTATION');
         callbackMutation.mutate(data);
       }
     }
diff --git a/web/src/shared/hooks/useApi.tsx b/web/src/shared/hooks/useApi.tsx
index 11ca365447..2202f1cab5 100644
--- a/web/src/shared/hooks/useApi.tsx
+++ b/web/src/shared/hooks/useApi.tsx
@@ -453,7 +453,17 @@ const useApi = (props?: HookProps): ApiHook => {
     client.put(`/openid/provider/${data.name}`, data).then(unpackRequest);
 
   const openIdCallback: ApiHook['auth']['openid']['callback'] = (data) =>
-    client.post(`/openid/callback`, data).then(unpackRequest);
+    client.post('/openid/callback', data).then((response) => {
+      if (response.status === 200) {
+        return response.data;
+      }
+      if (response.status === 201) {
+        return {
+          mfa: response.data as MFALoginResponse,
+        };
+      }
+      return {};
+    });
 
   useEffect(() => {
     client.interceptors.response.use(

From b84ec5b8dcc94b4ed61b2b39188358a94c5a8154 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 19 Jul 2024 10:54:08 +0200
Subject: [PATCH 37/73] cargo fmt

---
 src/enterprise/handlers/openid_login.rs | 2 +-
 tests/openid_login.rs                   | 8 ++++----
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 8aa74399c0..5a81583633 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -23,7 +23,7 @@ use openidconnect::{
 use openidconnect::{AuthenticationFlow, CsrfToken, EmptyAdditionalClaims, IdToken, Nonce, Scope};
 
 use crate::appstate::AppState;
-use crate::db::{AppEvent, DbPool, MFAInfo, Session, SessionState, Settings, User, UserInfo};
+use crate::db::{DbPool, MFAInfo, Session, SessionState, Settings, User, UserInfo};
 use crate::enterprise::db::models::openid_provider::OpenIdProvider;
 use crate::error::WebError;
 use crate::handlers::user::check_username;
diff --git a/tests/openid_login.rs b/tests/openid_login.rs
index 2a6af144b6..93c6936a01 100644
--- a/tests/openid_login.rs
+++ b/tests/openid_login.rs
@@ -27,10 +27,10 @@ async fn test_openid_providers() {
     assert_eq!(response.status(), StatusCode::OK);
 
     let provider_data = AddProviderData::new(
-        "test".to_string(),
-        "https://accounts.google.com".to_string(),
-        "client_id".to_string(),
-        "client_secret".to_string(),
+        "test",
+        "https://accounts.google.com",
+        "client_id",
+        "client_secret",
     );
 
     let response = client

From a090cdcb6745f595bdf6ac44b7ccedcf0130cc84 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 2 Aug 2024 12:54:22 +0200
Subject: [PATCH 38/73] rudimentary license handling

---
 Cargo.lock                                    | 279 ++++++++++++++++++
 Cargo.toml                                    |   1 +
 build.rs                                      |   1 +
 .../20240722125306_add-licenses.down.sql      |   1 +
 migrations/20240722125306_add-licenses.up.sql |   1 +
 src/appstate.rs                               |   4 +
 src/bin/defguard.rs                           |   9 +-
 src/db/models/settings.rs                     |   1 +
 src/enterprise/handlers/mod.rs                |  61 ++++
 src/enterprise/handlers/openid_login.rs       |   4 +
 src/grpc/mod.rs                               |   1 +
 src/lib.rs                                    |  33 ++-
 src/license.rs                                | 232 +++++++++++++++
 web/src/components/App/App.tsx                |   2 +-
 web/src/i18n/en/index.ts                      |  17 +-
 web/src/i18n/pl/index.ts                      |  20 +-
 web/src/pages/auth/AuthPage.tsx               |   2 +-
 web/src/pages/auth/Callback/Callback.tsx      |  14 +-
 .../auth/Login/components/OidcButtons.tsx     |   1 +
 .../components/OpenIdGeneralSettings.tsx      |   2 +-
 .../components/OpenIdSettingsForm.tsx         |   3 +-
 21 files changed, 656 insertions(+), 33 deletions(-)
 create mode 100644 migrations/20240722125306_add-licenses.down.sql
 create mode 100644 migrations/20240722125306_add-licenses.up.sql
 create mode 100644 src/license.rs

diff --git a/Cargo.lock b/Cargo.lock
index 5a644ce8b5..0e8d07050f 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -483,6 +483,12 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "bitfield"
+version = "0.14.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2d7e60934ceec538daadb9d8432424ed043a904d8e0243f3c6446bce549a46ac"
+
 [[package]]
 name = "bitflags"
 version = "1.3.2"
@@ -528,6 +534,25 @@ dependencies = [
  "generic-array",
 ]
 
+[[package]]
+name = "block-padding"
+version = "0.3.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a8894febbff9f758034a5b8e12d87918f56dfc64a8e1fe757d65e29041538d93"
+dependencies = [
+ "generic-array",
+]
+
+[[package]]
+name = "blowfish"
+version = "0.9.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e412e2cd0f2b2d93e02543ceae7917b3c70331573df19ee046bcbc35e45e87d7"
+dependencies = [
+ "byteorder",
+ "cipher",
+]
+
 [[package]]
 name = "bstr"
 version = "1.9.1"
@@ -538,6 +563,15 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "buffer-redux"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4c9f8ddd22e0a12391d1e7ada69ec3b0da1914f1cec39c5cf977143c5b2854f5"
+dependencies = [
+ "memchr",
+]
+
 [[package]]
 name = "bumpalo"
 version = "3.16.0"
@@ -565,12 +599,40 @@ dependencies = [
  "serde",
 ]
 
+[[package]]
+name = "camellia"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "3264e2574e9ef2b53ce6f536dea83a69ac0bc600b762d1523ff83fe07230ce30"
+dependencies = [
+ "byteorder",
+ "cipher",
+]
+
+[[package]]
+name = "cast5"
+version = "0.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "26b07d673db1ccf000e90f54b819db9e75a8348d6eb056e9b8ab53231b7a9911"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "cc"
 version = "1.0.104"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "74b6a57f98764a267ff415d50a25e6e166f3831a5071af4995296ea97d210490"
 
+[[package]]
+name = "cfb-mode"
+version = "0.8.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "738b8d467867f80a71351933f70461f5b56f24d5c93e0cf216e59229c968d330"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "cfg-if"
 version = "1.0.0"
@@ -683,6 +745,17 @@ version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4b82cf0babdbd58558212896d1a4272303a57bdb245c2bf1147185fb45640e70"
 
+[[package]]
+name = "cmac"
+version = "0.7.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8543454e3c3f5126effff9cd44d562af4e31fb8ce1cc0d3dcd8f084515dbc1aa"
+dependencies = [
+ "cipher",
+ "dbl",
+ "digest",
+]
+
 [[package]]
 name = "colorchoice"
 version = "1.0.1"
@@ -834,6 +907,12 @@ version = "2.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "19d374276b40fb8bbdee95aef7c7fa6b5316ec764510eb64b8dd0e2ed0d7e7f5"
 
+[[package]]
+name = "crc24"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fd121741cf3eb82c08dd3023eb55bf2665e5f60ec20f89760cf836ae4562e6a0"
+
 [[package]]
 name = "crc32fast"
 version = "1.4.2"
@@ -983,6 +1062,15 @@ version = "2.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e8566979429cf69b49a5c740c60791108e86440e8be149bbea4fe54d2c32d6e2"
 
+[[package]]
+name = "dbl"
+version = "0.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd2735a791158376708f9347fe8faba9667589d82427ef3aed6794a8981de3d9"
+dependencies = [
+ "generic-array",
+]
+
 [[package]]
 name = "defguard"
 version = "0.11.0"
@@ -1010,6 +1098,7 @@ dependencies = [
  "model_derive",
  "openidconnect",
  "otpauth",
+ "pgp",
  "prost",
  "prost-build",
  "pulldown-cmark",
@@ -1098,6 +1187,37 @@ dependencies = [
  "syn 2.0.68",
 ]
 
+[[package]]
+name = "derive_builder"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "0350b5cb0331628a5916d6c5c0b72e97393b8b6b03b47a9284f4e7f5a405ffd7"
+dependencies = [
+ "derive_builder_macro",
+]
+
+[[package]]
+name = "derive_builder_core"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d48cda787f839151732d396ac69e3473923d54312c070ee21e9effcaa8ca0b1d"
+dependencies = [
+ "darling",
+ "proc-macro2",
+ "quote",
+ "syn 2.0.68",
+]
+
+[[package]]
+name = "derive_builder_macro"
+version = "0.20.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "206868b8242f27cecce124c19fd88157fbd0dd334df2587f36417bafbc85097b"
+dependencies = [
+ "derive_builder_core",
+ "syn 2.0.68",
+]
+
 [[package]]
 name = "derive_more"
 version = "0.99.18"
@@ -1111,6 +1231,15 @@ dependencies = [
  "syn 2.0.68",
 ]
 
+[[package]]
+name = "des"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ffdd80ce8ce993de27e9f063a444a4d53ce8e8db4c1f00cc03af5ad5a9867a1e"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "deunicode"
 version = "1.6.0"
@@ -1155,12 +1284,41 @@ version = "0.15.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1aaf95b3e5c8f23aa320147307562d361db0ae0d51242340f558153b4eb2439b"
 
+[[package]]
+name = "dsa"
+version = "0.6.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "48bc224a9084ad760195584ce5abb3c2c34a225fa312a128ad245a6b412b7689"
+dependencies = [
+ "digest",
+ "num-bigint-dig",
+ "num-traits",
+ "pkcs8",
+ "rfc6979",
+ "sha2",
+ "signature",
+ "zeroize",
+]
+
 [[package]]
 name = "dyn-clone"
 version = "1.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0d6ef0072f8a535281e4876be788938b528e9a1d43900b82c2569af7da799125"
 
+[[package]]
+name = "eax"
+version = "0.5.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9954fabd903b82b9d7a68f65f97dc96dd9ad368e40ccc907a7c19d53e6bfac28"
+dependencies = [
+ "aead",
+ "cipher",
+ "cmac",
+ "ctr",
+ "subtle",
+]
+
 [[package]]
 name = "ecdsa"
 version = "0.16.9"
@@ -2025,6 +2183,15 @@ dependencies = [
  "cc",
 ]
 
+[[package]]
+name = "idea"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "075557004419d7f2031b8bb7f44bb43e55a83ca7b63076a8fb8fe75753836477"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "ident_case"
 version = "1.0.1"
@@ -2157,6 +2324,12 @@ version = "1.70.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f8478577c03552c21db0e2724ffb8986a5ce7af88107e6be5d2ee6e158c12800"
 
+[[package]]
+name = "iter-read"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a598c1abae8e3456ebda517868b254b6bc2a9bb6501ffd5b9d0875bf332e048b"
+
 [[package]]
 name = "itertools"
 version = "0.10.5"
@@ -2216,6 +2389,7 @@ dependencies = [
  "elliptic-curve",
  "once_cell",
  "sha2",
+ "signature",
 ]
 
 [[package]]
@@ -2511,6 +2685,7 @@ dependencies = [
  "num-iter",
  "num-traits",
  "rand",
+ "serde",
  "smallvec",
  "zeroize",
 ]
@@ -2622,6 +2797,18 @@ dependencies = [
  "memchr",
 ]
 
+[[package]]
+name = "ocb3"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c196e0276c471c843dd5777e7543a36a298a4be942a2a688d8111cd43390dedb"
+dependencies = [
+ "aead",
+ "cipher",
+ "ctr",
+ "subtle",
+]
+
 [[package]]
 name = "oid-registry"
 version = "0.4.0"
@@ -2973,6 +3160,70 @@ dependencies = [
  "indexmap 2.2.6",
 ]
 
+[[package]]
+name = "pgp"
+version = "0.13.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "aeab6e08a63a51a29a65e461d0b6fd0f8d350914712ec43773ca22ed51d5501c"
+dependencies = [
+ "aes",
+ "aes-gcm",
+ "argon2",
+ "base64 0.22.1",
+ "bitfield",
+ "block-padding",
+ "blowfish",
+ "bstr",
+ "buffer-redux",
+ "byteorder",
+ "camellia",
+ "cast5",
+ "cfb-mode",
+ "chrono",
+ "cipher",
+ "const-oid",
+ "crc24",
+ "curve25519-dalek",
+ "derive_builder",
+ "des",
+ "digest",
+ "dsa",
+ "eax",
+ "ecdsa",
+ "ed25519-dalek",
+ "elliptic-curve",
+ "flate2",
+ "generic-array",
+ "hex",
+ "hkdf",
+ "idea",
+ "iter-read",
+ "k256",
+ "log",
+ "md-5",
+ "nom",
+ "num-bigint-dig",
+ "num-traits",
+ "num_enum",
+ "ocb3",
+ "p256",
+ "p384",
+ "p521",
+ "rand",
+ "ripemd",
+ "rsa",
+ "sha1",
+ "sha1-checked",
+ "sha2",
+ "sha3",
+ "signature",
+ "smallvec",
+ "thiserror",
+ "twofish",
+ "x25519-dalek",
+ "zeroize",
+]
+
 [[package]]
 name = "phf"
 version = "0.11.2"
@@ -3583,6 +3834,15 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
+[[package]]
+name = "ripemd"
+version = "0.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bd124222d17ad93a644ed9d011a40f4fb64aa54275c08cc216524a9ea82fb09f"
+dependencies = [
+ "digest",
+]
+
 [[package]]
 name = "rlp"
 version = "0.5.2"
@@ -4128,6 +4388,16 @@ dependencies = [
  "digest",
 ]
 
+[[package]]
+name = "sha1-checked"
+version = "0.10.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "89f599ac0c323ebb1c6082821a54962b839832b03984598375bff3975b804423"
+dependencies = [
+ "digest",
+ "sha1",
+]
+
 [[package]]
 name = "sha2"
 version = "0.10.8"
@@ -5071,6 +5341,15 @@ version = "0.2.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e421abadd41a4225275504ea4d6566923418b7f05506fbc9c0fe86ba7396114b"
 
+[[package]]
+name = "twofish"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a78e83a30223c757c3947cd144a31014ff04298d8719ae10d03c31c0448c8013"
+dependencies = [
+ "cipher",
+]
+
 [[package]]
 name = "typenum"
 version = "1.17.0"
diff --git a/Cargo.toml b/Cargo.toml
index 6dc403ef54..8c4765270d 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -102,6 +102,7 @@ x25519-dalek = { version = "2.0", features = ["static_secrets"] }
 # openapi
 utoipa = { version = "4", features = ["axum_extras"] }
 utoipa-swagger-ui = { version = "7", features = ["axum"] }
+pgp = "0.13.1"
 
 [dev-dependencies]
 bytes = "1.6"
diff --git a/build.rs b/build.rs
index 1fda0abc29..ccf6b16f0d 100644
--- a/build.rs
+++ b/build.rs
@@ -7,6 +7,7 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
             "proto/core/auth.proto",
             "proto/core/proxy.proto",
             "proto/core/vpn.proto",
+            "proto/core/license.proto",
             "proto/worker/worker.proto",
             "proto/wireguard/gateway.proto",
         ],
diff --git a/migrations/20240722125306_add-licenses.down.sql b/migrations/20240722125306_add-licenses.down.sql
new file mode 100644
index 0000000000..4da11f6953
--- /dev/null
+++ b/migrations/20240722125306_add-licenses.down.sql
@@ -0,0 +1 @@
+ALTER TABLE settings DROP COLUMN license;
diff --git a/migrations/20240722125306_add-licenses.up.sql b/migrations/20240722125306_add-licenses.up.sql
new file mode 100644
index 0000000000..bf2fe97e7b
--- /dev/null
+++ b/migrations/20240722125306_add-licenses.up.sql
@@ -0,0 +1 @@
+ALTER TABLE settings ADD COLUMN license TEXT DEFAULT NULL;
diff --git a/src/appstate.rs b/src/appstate.rs
index 6a772c47ce..7d0e65e826 100644
--- a/src/appstate.rs
+++ b/src/appstate.rs
@@ -18,6 +18,7 @@ use webauthn_rs::prelude::*;
 use crate::{
     auth::failed_login::FailedLoginMap,
     db::{AppEvent, DbPool, GatewayEvent, WebHook},
+    license::License,
     mail::Mail,
     server_config,
 };
@@ -32,6 +33,7 @@ pub struct AppState {
     pub user_agent_parser: Arc<UserAgentParser>,
     pub failed_logins: Arc<Mutex<FailedLoginMap>>,
     key: Key,
+    pub license: Arc<Mutex<Option<License>>>,
 }
 
 impl AppState {
@@ -104,6 +106,7 @@ impl AppState {
         mail_tx: UnboundedSender<Mail>,
         user_agent_parser: Arc<UserAgentParser>,
         failed_logins: Arc<Mutex<FailedLoginMap>>,
+        license: Arc<Mutex<Option<License>>>,
     ) -> Self {
         spawn(Self::handle_triggers(pool.clone(), rx));
 
@@ -133,6 +136,7 @@ impl AppState {
             user_agent_parser,
             failed_logins,
             key,
+            license,
         }
     }
 }
diff --git a/src/bin/defguard.rs b/src/bin/defguard.rs
index 2e1d9e64f9..2695cd1327 100644
--- a/src/bin/defguard.rs
+++ b/src/bin/defguard.rs
@@ -14,6 +14,7 @@ use defguard::{
     grpc::{run_grpc_bidi_stream, run_grpc_server, GatewayMap, WorkerState},
     headers::create_user_agent_parser,
     init_dev_env, init_vpn_location,
+    license::License,
     mail::{run_mail_handler, Mail},
     run_web_server,
     wireguard_peer_disconnect::run_periodic_peer_disconnect,
@@ -106,11 +107,17 @@ async fn main() -> Result<(), anyhow::Error> {
     let failed_logins = FailedLoginMap::new();
     let failed_logins = Arc::new(Mutex::new(failed_logins));
 
+    // load the license from the database
+    let license = match License::load(&pool).await.unwrap() {
+        Some(license) => Arc::new(Mutex::new(Some(license))),
+        None => Arc::new(Mutex::new(None)),
+    };
+
     // run services
     tokio::select! {
         res = run_grpc_bidi_stream(pool.clone(), wireguard_tx.clone(), mail_tx.clone(), user_agent_parser.clone()), if config.proxy_url.is_some() => error!("Proxy gRPC stream returned early: {res:#?}"),
         res = run_grpc_server(Arc::clone(&worker_state), pool.clone(), Arc::clone(&gateway_state), wireguard_tx.clone(), mail_tx.clone(), grpc_cert, grpc_key, failed_logins.clone()) => error!("gRPC server returned early: {res:#?}"),
-        res = run_web_server(worker_state, gateway_state, webhook_tx, webhook_rx, wireguard_tx.clone(), mail_tx, pool.clone(), user_agent_parser, failed_logins) => error!("Web server returned early: {res:#?}"),
+        res = run_web_server(worker_state, gateway_state, webhook_tx, webhook_rx, wireguard_tx.clone(), mail_tx, pool.clone(), user_agent_parser, failed_logins, license) => error!("Web server returned early: {res:#?}"),
         res = run_mail_handler(mail_rx, pool.clone()) => error!("Mail handler returned early: {res:#?}"),
         res = run_periodic_peer_disconnect(pool.clone(), wireguard_tx) => error!("Periodic peer disconnect task returned early: {res:#?}"),
         res = run_periodic_stats_purge(pool, config.stats_purge_frequency.into(), config.stats_purge_threshold.into()), if !config.disable_stats_purge => error!("Periodic stats purge task returned early: {res:#?}"),
diff --git a/src/db/models/settings.rs b/src/db/models/settings.rs
index 8f0d343f06..6f09dd6668 100644
--- a/src/db/models/settings.rs
+++ b/src/db/models/settings.rs
@@ -64,6 +64,7 @@ pub struct Settings {
     pub ldap_member_attr: Option<String>,
     // Whether to create a new account when users try to log in with external OpenID
     pub openid_create_account: bool,
+    pub license: Option<String>,
 }
 
 impl Settings {
diff --git a/src/enterprise/handlers/mod.rs b/src/enterprise/handlers/mod.rs
index 0ffbdd9e5f..ea78ccccc0 100644
--- a/src/enterprise/handlers/mod.rs
+++ b/src/enterprise/handlers/mod.rs
@@ -1,2 +1,63 @@
+use crate::license::License;
+
 pub mod openid_login;
 pub mod openid_providers;
+
+use std::{
+    env,
+    time::{Duration, SystemTime},
+};
+
+use axum::{
+    async_trait,
+    extract::{FromRef, FromRequestParts},
+    http::request::Parts,
+};
+use axum_extra::extract::cookie::CookieJar;
+use jsonwebtoken::{
+    decode, encode, errors::Error as JWTError, DecodingKey, EncodingKey, Header, Validation,
+};
+use serde::{Deserialize, Serialize};
+
+use crate::{
+    appstate::AppState,
+    db::{Group, OAuth2AuthorizedApp, OAuth2Token, Session, SessionState, User},
+    error::WebError,
+    handlers::SESSION_COOKIE_NAME,
+    server_config,
+};
+
+pub struct LicenseInfo {
+    pub valid: bool,
+}
+
+#[async_trait]
+impl<S> FromRequestParts<S> for LicenseInfo
+where
+    S: Send + Sync,
+    AppState: FromRef<S>,
+{
+    type Rejection = WebError;
+
+    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
+        let appstate = AppState::from_ref(state);
+
+        let license = appstate
+            .license
+            .lock()
+            .expect("Failed to acquire lock on the license.");
+
+        let license = match &*license {
+            Some(license) => license,
+            None => {
+                return Err(WebError::ObjectNotFound("License not found.".to_string()));
+            }
+        };
+
+        info!("middleware run, license: {:?}", license);
+
+        Ok(LicenseInfo {
+            valid: !license.is_expired(),
+        })
+    }
+}
diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 5a81583633..80280c87a9 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -29,8 +29,11 @@ use crate::error::WebError;
 use crate::handlers::user::check_username;
 use crate::handlers::{ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_COOKIE_NAME};
 use crate::headers::{check_new_device_login, get_user_agent_device, parse_user_agent};
+use crate::license::License;
 use crate::server_config;
 
+use super::LicenseInfo;
+
 type ProvMeta = ProviderMetadata<
     openidconnect::EmptyAdditionalProviderMetadata,
     openidconnect::core::CoreAuthDisplay,
@@ -103,6 +106,7 @@ async fn make_oidc_client(pool: &DbPool) -> Result<CoreClient, WebError> {
 pub async fn get_auth_info(
     private_cookies: PrivateCookieJar,
     State(appstate): State<AppState>,
+    license: LicenseInfo,
 ) -> Result<(PrivateCookieJar, ApiResponse), WebError> {
     let client = make_oidc_client(&appstate.pool).await?;
 
diff --git a/src/grpc/mod.rs b/src/grpc/mod.rs
index 784b40ce89..deac68e59e 100644
--- a/src/grpc/mod.rs
+++ b/src/grpc/mod.rs
@@ -547,6 +547,7 @@ pub async fn run_grpc_server(
         GatewayServer::new(pool, gateway_state, wireguard_tx, mail_tx),
         JwtInterceptor::new(ClaimsType::Gateway),
     );
+
     // Run gRPC server
     let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::UNSPECIFIED), server_config().grpc_port);
     debug!("Starting gRPC services");
diff --git a/src/lib.rs b/src/lib.rs
index 78a38b1123..470016563d 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -6,7 +6,8 @@ use std::{
 
 use anyhow::anyhow;
 use axum::{
-    http::{Request, StatusCode},
+    http::{Request, Response, StatusCode},
+    middleware::{self, Next},
     routing::{delete, get, patch, post, put},
     serve, Extension, Json, Router,
 };
@@ -25,6 +26,7 @@ use handlers::{
     yubikey::{delete_yubikey, rename_yubikey},
 };
 use ipnetwork::IpNetwork;
+use license::License;
 use secrecy::ExposeSecret;
 use tokio::{
     net::TcpListener,
@@ -126,6 +128,7 @@ pub mod handlers;
 pub mod headers;
 pub mod hex;
 pub mod ldap;
+pub mod license;
 pub mod mail;
 pub(crate) mod random;
 pub mod secret;
@@ -286,6 +289,7 @@ pub fn build_webapp(
     pool: DbPool,
     user_agent_parser: Arc<UserAgentParser>,
     failed_logins: Arc<Mutex<FailedLoginMap>>,
+    license: Arc<Mutex<Option<License>>>,
 ) -> Router {
     let webapp: Router<AppState> = Router::new()
         .route("/", get(index))
@@ -402,14 +406,24 @@ pub fn build_webapp(
             .route("/webhook/:id", delete(delete_webhook))
             .route("/webhook/:id", post(change_enabled))
             // ldap
-            .route("/ldap/test", get(test_ldap_settings))
-            // OIDC login
-            .route("/openid/provider", get(get_current_openid_provider))
-            .route("/openid/provider", post(add_openid_provider))
-            .route("/openid/provider/:name", delete(delete_openid_provider))
-            .route("/openid/callback", post(auth_callback))
-            .route("/openid/auth_info", get(get_auth_info)),
+            .route("/ldap/test", get(test_ldap_settings)),
     );
+    let enterprise_enabled = true;
+
+    let webapp = if enterprise_enabled {
+        webapp.nest(
+            "/api/v1/openid",
+            Router::new()
+                .route("/provider", get(get_current_openid_provider))
+                .route("/provider", post(add_openid_provider))
+                .route("/provider/:name", delete(delete_openid_provider))
+                .route("/callback", post(auth_callback))
+                .route("/auth_info", get(get_auth_info)),
+        )
+    } else {
+        // return 404
+        webapp.route("/api/v1/openid/*path", get(handle_404))
+    };
 
     #[cfg(feature = "openid")]
     let webapp = webapp
@@ -490,6 +504,7 @@ pub fn build_webapp(
             mail_tx,
             user_agent_parser,
             failed_logins,
+            license,
         ))
         .layer(
             TraceLayer::new_for_http()
@@ -516,6 +531,7 @@ pub async fn run_web_server(
     pool: DbPool,
     user_agent_parser: Arc<UserAgentParser>,
     failed_logins: Arc<Mutex<FailedLoginMap>>,
+    license: Arc<Mutex<Option<License>>>,
 ) -> Result<(), anyhow::Error> {
     let webapp = build_webapp(
         webhook_tx,
@@ -527,6 +543,7 @@ pub async fn run_web_server(
         pool,
         user_agent_parser,
         failed_logins,
+        license,
     );
     info!("Started web services");
     let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::UNSPECIFIED), server_config().http_port);
diff --git a/src/license.rs b/src/license.rs
new file mode 100644
index 0000000000..fd1a9cf2d6
--- /dev/null
+++ b/src/license.rs
@@ -0,0 +1,232 @@
+use std::collections::HashMap;
+
+use anyhow::Result;
+use chrono::{DateTime, Utc};
+use rsa::pkcs8::DecodePublicKey;
+use serde_cbor::Value;
+// use rsa::{pkcs8::FromPublicKey, PaddingScheme, PublicKey, RsaPublicKey};
+
+use crate::db::{DbPool, Settings};
+use base64::prelude::*;
+use pgp::{Deserializable, Message as PGPMessage, SignedPublicKey, StandaloneSignature};
+use prost::Message;
+use tonic::codec::{Decoder, Encoder};
+
+// mod proto {
+//     tonic::include_proto!("license");
+// }
+tonic::include_proto!("license");
+
+#[allow(dead_code)]
+pub(crate) const PUBLIC_KEY: &str = "-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBGag50MBCACnwL6q6K4Hkq/HrKn3O/mfvOcqv39AyEuLbXYxsnQM0qYlNvsv
+1QkLuQU9mv0JJapUxayBDBn4YxskJXv8ooYjqjz6UkbpxCRlCgt4HaKKm+Al84J1
+PZydvFD54PJA+LdnwVL2m0ozVgfqUSL4WWBTiXdKXQF6aUYyaQ/Y32sqcqToNApk
+LIux5cN5OMYAsP5L2gvNrU6q43aoeC4JnnCRNLEFvgliQ/Oflwil4V+sgj1ojowq
+3YEz9jAtJL4Lo0oxoq/4zOKm+3lbQKos1CJ3D6a6rAuU3WO+WOSoV0xeoL4cEqk9
+Ki8RDfCt/CE1sO0SJp8dlwGP0UjXrtBlKSX3ABEBAAG0CmFsZWtzYW5kZXKJAVEE
+EwEKADsWIQRMKEFZKKzXbMAJKQTiMv6QHne+nAUCZqDnQwIbAwULCQgHAgIiAgYV
+CgkICwIEFgIDAQIeBwIXgAAKCRDiMv6QHne+nP46B/9OErI9eC1h5M/awsyO4HRy
+0QJ8CkBXi4NuRusw1Q1Pmku0ah+3aFagAjZQmHOiUOFHJ7GGU/Lg49riS2UWI/6V
+3ZcqVBoTf6ifw/8jUfP/5AXnLOMBK+iomwyRPC7adEOrJYfOECzTr9E3YA4OChCi
+OKWkgbaj/g8r9OiQeec90GKlB1gAZ7skpI1Xqfjpu0xbQardMP0rhI3TCYmoQuKA
+FisQ3QdUa9UxL8OJJByYagdDyW94C7Nr8wlwY7qu3vSlyGC2NMnHCjTnJcxe2Sof
+nCtfzhBu6w0A+AetdsgbfKNUyWcjj1d+wqDtK3cyYSxkz+4P3rb7vcfF9fvhSPiR
+uQENBGag50MBCAC3uF9DDoQn4nqFDSOcLQRteHTgkBRhq12DRQZFJc6i5n8rgkXf
+Q4lW0PQaBp5mUA/w+vB1u6Gsv/ywnxfG0D9owYmXzUxEd94DTXesOSuuqpSpv+4p
+pz8yrFAvd/HwHFvk0aNtMv3nI8x3WyXo4OG1L3im6oloNe/dmLR3qiEgyPXf+Z13
+WyyrgUdL2sKSEvT9WwbfsKrYuP+MtUYFosTGgDx6uRe3GjJPA6KPLDD7ulkimfM2
+tMV6VF9zcd+RTpcULYlsd0ikKqgpyGl99QETSjqHQWEm0IMVvTm9ogq56zfC5epv
+dIVcTwnq9GHM5oCHBvuUjGnsYmEAn4cqaNrVABEBAAGJATYEGAEKACAWIQRMKEFZ
+KKzXbMAJKQTiMv6QHne+nAUCZqDnQwIbIAAKCRDiMv6QHne+nHmpCACRxdE3V7ez
+wRjQja8fk/wOc/eCEJBo4IxEoA1Gdbr+d1k3Bg+vTKAs9ox3JOD3j8RXDmpDi0Cu
+1XiN55Sd28XKxtFEOsNhoM32Y3oha6x8/FlAt/UdGMQgsYWoYkH/2bFWKG+xuJ7o
++7qwm6fC9LSzQ94uV8CeeM5VUCKC33ppZNjeCCXtsznirARDacACip1ZlT8ydNYR
+U/otbVsYYul1UItWzRHIQlFrnxqpS1YUDE4a5HLeWyi/v5CQYBycZ292eV7k0z/B
+sSNe9GzKBvbx9g9hlpEZ9IQeRnuIwEHRmQ2BhrHuzXjgCc9J/JUWrBn+iuS2GZ7O
+AlDzRbsWdW2suQENBGag50MBCADEPLMX/q3BmZFTIOPn5/O7AYXfQC865DOmOp7t
+Xpens2IMKaL+RL77DIL+FUQzS95hwgAyawhZEAj2VY1k6BtKROSarLuARlI/ZLkr
+3OlPBKq0VRbWnn3Qk0rmtoYC7DUD3XWuR5+n0sdxniQo8F+Xwq0ZCZmex7bN8DXP
+r9ejoNZAmEOqqMIWQy/Blc9BkStqS6WHW0EimzSsHuJbaA1ZbMLr0fES/l8FVhjX
+YBOPY3TqXkbeM3FSjDzLGCTkT0sKPlTluFdqNWKZ+tDW6Pt7PtwEt2gRQdS69+pV
+POcU7uEQiE06TWWYxTS+i+xEq106xXs2tucTSV1R0KN3Ry/9ABEBAAGJATYEGAEK
+ACAWIQRMKEFZKKzXbMAJKQTiMv6QHne+nAUCZqDnQwIbDAAKCRDiMv6QHne+nAbo
+CACTVse/+QQD5jW0sGguDLJOwgSLTeqnHV+AuVGVIDzIUNFKa691gZi8N1OJfdVn
+lqOvsyAFjPrg/1SB8x2O3kMvdrOK9K9hvACn44BxTDfRfOS/XeJCGxja10ii9wE+
+Ykl/OuCehh1kz9zIQrFvVZDgpGIUFUSSqTIfvvPsyiOJ+ADooZ80IBtDnN6qyjdl
++ioitVO0bgywfL8ze+2C82xNdjYS/FbAVi3YNgaagQbzkm4BK9w3hQqMkYXizyH1
+OOJ7mYSVH5oXyiNhU0hq8JWmFHRCHaRivHsUj9WqS/szv0ixKjQEf4EMztolzfpg
++QmJLVFn5xVR6dGteYW7/05e
+=06W7
+-----END PGP PUBLIC KEY BLOCK-----
+";
+
+#[derive(Debug, Serialize, Deserialize)]
+pub enum LicenseError {
+    InvalidLicense,
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct RefreshRequestResponse {
+    key: String,
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct License {
+    pub customer_id: String,
+    pub subscription: bool,
+    // TODO(aleksander): valid until should be optional?
+    pub valid_until: DateTime<Utc>,
+}
+
+impl License {
+    pub fn new(customer_id: String, subscription: bool, valid_until: DateTime<Utc>) -> Self {
+        Self {
+            customer_id,
+            subscription,
+            valid_until,
+        }
+    }
+
+    /// Fetch a license from the license server
+    async fn exchange(db_pool: &DbPool) -> Result<String, LicenseError> {
+        let old_license_key = Settings::get_settings(db_pool)
+            .await
+            .unwrap()
+            .license
+            .unwrap();
+
+        let client = reqwest::Client::new();
+
+        let request_body = RefreshRequestResponse {
+            key: old_license_key,
+        };
+
+        let new_license_key = match client
+            .post("http://localhost:8002/api/license/refresh")
+            .json(&request_body)
+            .send()
+            .await
+        {
+            Ok(response) => {
+                let response: RefreshRequestResponse = response.json().await.unwrap();
+                response.key
+            }
+            Err(_) => return Err(LicenseError::InvalidLicense),
+        };
+
+        Ok(new_license_key)
+    }
+
+    fn decode(bytes: &[u8]) -> Result<Vec<u8>> {
+        let bytes = BASE64_STANDARD.decode(bytes).unwrap();
+        Ok(bytes)
+    }
+
+    fn from_base64(key: &str) -> Result<License, LicenseError> {
+        let bytes = key.as_bytes();
+        let decoded = Self::decode(bytes).unwrap();
+        let slice: &[u8] = &decoded;
+
+        let license_key = LicenseKey::decode(slice).unwrap();
+        let metadata = license_key.metadata.unwrap();
+        let signature = license_key.signature.unwrap();
+
+        let (public_key, _headers_public) = SignedPublicKey::from_string(PUBLIC_KEY).unwrap();
+
+        let metadata_bytes = metadata.encode_to_vec();
+
+        let sig = StandaloneSignature::from_bytes(signature.signature.as_slice()).unwrap();
+
+        match sig.verify(&public_key, metadata_bytes.as_slice()) {
+            Ok(_) => {
+                println!("Signature is valid");
+
+                Ok(License::new(
+                    metadata.customer_id,
+                    metadata.subscription,
+                    DateTime::from_timestamp(metadata.valid_until, 0)
+                        // check if we should really use unwrap or default
+                        .unwrap_or_default(),
+                ))
+            }
+            Err(_) => {
+                println!("Signature is invalid");
+                Err(LicenseError::InvalidLicense)
+            }
+        }
+    }
+
+    /// Load a license from the database
+    async fn get_key_from_database(pool: &DbPool) -> Result<Option<String>, LicenseError> {
+        let settings = Settings::get_settings(pool).await.unwrap();
+        Ok(settings.license)
+    }
+
+    pub async fn load(pool: &DbPool) -> Result<Option<License>, LicenseError> {
+        match Self::get_key_from_database(pool).await.unwrap() {
+            Some(key) => Ok(Some(Self::from_base64(&key).unwrap())),
+            None => {
+                info!("No license key found in the database");
+                Ok(None)
+            }
+        }
+    }
+
+    pub fn is_expired(&self) -> bool {
+        self.valid_until > Utc::now()
+    }
+
+    // pub async fn load(pool: &DbPool) -> Result<String, LicenseError> {
+    //     let key = match Self::get_from_database(pool).await.unwrap() {
+    //         Some(key) => key,
+    //         None => return Err(LicenseError::InvalidLicense),
+    //     };
+
+    //     Self::from_base64(&key).unwrap();
+
+    //     println!("{:?}", key);
+
+    //     // let new_key = Self::exchange(pool).await.unwrap();
+
+    //     // println!("{:?}", new_key);
+
+    //     // let bytes = Self::fetch().await.unwrap();
+
+    //     // let decoded = Self::decode(&bytes).unwrap();
+
+    //     // let slice: &[u8] = &decoded;
+
+    //     // let msg = PGPMessage::from_bytes(slice).unwrap();
+
+    //     // let (public_key, _headers_public) = SignedPublicKey::from_string(PUBLIC_KEY).unwrap();
+
+    //     // match msg.verify(&public_key) {
+    //     //     Ok(_) => println!("Signature verified"),
+    //     //     Err(e) => {
+    //     //         println!("Signature not verified: {:?}", e);
+    //     //         return Err(LicenseError::InvalidLicense);
+    //     //     }
+    //     // };
+
+    //     // let content = msg.get_content().unwrap().unwrap();
+
+    //     // let content = content.as_slice();
+
+    //     // let license_metadata: LicenseMetadata = LicenseMetadata::decode(content).unwrap();
+
+    //     // println!("{:?}", license_metadata);
+
+    //     Ok("".to_string())
+    // }
+
+    // fn check(&self) -> Result<(), Error> {
+    //     let (public_key, _headers_public) = SignedPublicKey::from_string(PUBLIC_KEY).unwrap();
+    //     let (signature, _) = StandaloneSignature::from_string(SIGNATURE).unwrap();
+
+    //     signature.verify(&public_key, &self.fields_concatenated()).unwrap();
+
+    //     Ok(())
+    // }
+}
diff --git a/web/src/components/App/App.tsx b/web/src/components/App/App.tsx
index 56fa6e5eef..6e94143410 100644
--- a/web/src/components/App/App.tsx
+++ b/web/src/components/App/App.tsx
@@ -1,7 +1,7 @@
 import 'react-loading-skeleton/dist/skeleton.css';
 import './App.scss';
 
-import { Navigate, Route, BrowserRouter as Router, Routes } from 'react-router-dom';
+import { BrowserRouter as Router, Navigate, Route, Routes } from 'react-router-dom';
 
 import { AddDevicePage } from '../../pages/addDevice/AddDevicePage';
 import { OpenidAllowPage } from '../../pages/allow/OpenidAllowPage';
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index a5ed451099..0b7e4221d5 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -926,20 +926,24 @@ const en: BaseTranslation = {
         title: 'External OpenID Settings',
         helper: 'Here you can change general OpenID behavior in your Defguard instance.',
         createAccount: {
-          label: 'Automatically create user account when logging in for the first time through external OpenID.',
-          helper: 'If this option is enabled, Defguard automatically creates new accounts for users who log in for the first time using an external OpenID provider. Otherwise, the user account must first be created by an administrator.',
+          label:
+            'Automatically create user account when logging in for the first time through external OpenID.',
+          helper:
+            'If this option is enabled, Defguard automatically creates new accounts for users who log in for the first time using an external OpenID provider. Otherwise, the user account must first be created by an administrator.',
         },
       },
       form: {
         title: 'External OpenID Client Settings',
-        helper: 'Here you can configure the OpenID client settings with values provided by your external OpenID provider.',
-        custom: "Custom",
+        helper:
+          'Here you can configure the OpenID client settings with values provided by your external OpenID provider.',
+        custom: 'Custom',
         documentation: 'Documentation',
         delete: 'Delete provider',
         labels: {
           provider: {
             label: 'Provider',
-            helper: 'Select your OpenID provider. You can use custom provider and fill in the base URL by yourself.',
+            helper:
+              'Select your OpenID provider. You can use custom provider and fill in the base URL by yourself.',
           },
           client_id: {
             label: 'Client ID',
@@ -951,7 +955,8 @@ const en: BaseTranslation = {
           },
           base_url: {
             label: 'Base URL',
-            helper: 'Base URL of your OpenID provider, e.g. https://accounts.google.com. Make sure to check our documentation for more information and examples.',
+            helper:
+              'Base URL of your OpenID provider, e.g. https://accounts.google.com. Make sure to check our documentation for more information and examples.',
           },
         },
       },
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index e557a292c7..53484b6311 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -910,22 +910,27 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
     openIdSettings: {
       general: {
         title: 'Ustawienia zewnętrznego OpenID',
-        helper: 'Możesz tu zmienić ogólną mechanikę działania zewnętrznego OpenID w twojej instancji Defguarda.',
+        helper:
+          'Możesz tu zmienić ogólną mechanikę działania zewnętrznego OpenID w twojej instancji Defguarda.',
         createAccount: {
-          label: 'Automatycznie twórz konta w momencie logowania przez zewnętrznego dostawcę OpenID',
-          helper: 'Jeśli ta opcja jest włączona, Defguard automatycznie tworzy nowe konta dla użytkowników, którzy logują się po raz pierwszy za pomocą zewnętrznego dostawcy OpenID. W innym przypadku konto użytkownika musi zostać najpierw utworzone przez administratora.',
+          label:
+            'Automatycznie twórz konta w momencie logowania przez zewnętrznego dostawcę OpenID',
+          helper:
+            'Jeśli ta opcja jest włączona, Defguard automatycznie tworzy nowe konta dla użytkowników, którzy logują się po raz pierwszy za pomocą zewnętrznego dostawcy OpenID. W innym przypadku konto użytkownika musi zostać najpierw utworzone przez administratora.',
         },
       },
       form: {
         title: 'Ustawienia klienta zewnętrznego OpenID',
-        helper: 'Tutaj możesz skonfigurować ustawienia klienta OpenID z wartościami dostarczonymi przez zewnętrznego dostawcę OpenID.',
-        custom: "Niestandardowy",
+        helper:
+          'Tutaj możesz skonfigurować ustawienia klienta OpenID z wartościami dostarczonymi przez zewnętrznego dostawcę OpenID.',
+        custom: 'Niestandardowy',
         documentation: 'Dokumentacja',
         delete: 'Usuń dostawcę',
         labels: {
           provider: {
             label: 'Dostawca',
-            helper: 'Wybierz swojego dostawcę OpenID. Możesz użyć dostawcy niestandardowego i samodzielnie wypełnić pole URL bazowego.',
+            helper:
+              'Wybierz swojego dostawcę OpenID. Możesz użyć dostawcy niestandardowego i samodzielnie wypełnić pole URL bazowego.',
           },
           client_id: {
             label: 'ID klienta',
@@ -937,7 +942,8 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
           },
           base_url: {
             label: 'URL bazowy',
-            helper: 'Podstawowy adres URL twojego dostawcy OpenID, np. https://accounts.google.com. Sprawdź naszą dokumentację, aby uzyskać więcej informacji i zobaczyć przykłady.',
+            helper:
+              'Podstawowy adres URL twojego dostawcy OpenID, np. https://accounts.google.com. Sprawdź naszą dokumentację, aby uzyskać więcej informacji i zobaczyć przykłady.',
           },
         },
       },
diff --git a/web/src/pages/auth/AuthPage.tsx b/web/src/pages/auth/AuthPage.tsx
index ff734aed3a..950934b20e 100644
--- a/web/src/pages/auth/AuthPage.tsx
+++ b/web/src/pages/auth/AuthPage.tsx
@@ -13,10 +13,10 @@ import useApi from '../../shared/hooks/useApi';
 import { useToaster } from '../../shared/hooks/useToaster';
 import { UserMFAMethod } from '../../shared/types';
 import { RedirectPage } from '../redirect/RedirectPage';
+import { OpenIDCallback } from './Callback/Callback';
 import { Login } from './Login/Login';
 import { MFARoute } from './MFARoute/MFARoute';
 import { useMFAStore } from './shared/hooks/useMFAStore';
-import { OpenIDCallback } from './Callback/Callback';
 
 export const AuthPage = () => {
   const {
diff --git a/web/src/pages/auth/Callback/Callback.tsx b/web/src/pages/auth/Callback/Callback.tsx
index 92256abc29..c2b322d4f0 100644
--- a/web/src/pages/auth/Callback/Callback.tsx
+++ b/web/src/pages/auth/Callback/Callback.tsx
@@ -2,17 +2,17 @@ import './style.scss';
 
 import { useMutation } from '@tanstack/react-query';
 import { AxiosError } from 'axios';
-
 import { useEffect, useState } from 'react';
+import { useNavigate } from 'react-router';
+
+import { useI18nContext } from '../../../i18n/i18n-react';
+import { Button } from '../../../shared/defguard-ui/components/Layout/Button/Button';
+import { LoaderSpinner } from '../../../shared/defguard-ui/components/Layout/LoaderSpinner/LoaderSpinner';
+import { useAuthStore } from '../../../shared/hooks/store/useAuthStore';
 import useApi from '../../../shared/hooks/useApi';
+import { useToaster } from '../../../shared/hooks/useToaster';
 import { MutationKeys } from '../../../shared/mutations';
 import { CallbackData } from '../../../shared/types';
-import { useAuthStore } from '../../../shared/hooks/store/useAuthStore';
-import { LoaderSpinner } from '../../../shared/defguard-ui/components/Layout/LoaderSpinner/LoaderSpinner';
-import { useToaster } from '../../../shared/hooks/useToaster';
-import { useI18nContext } from '../../../i18n/i18n-react';
-import { Button } from '../../../shared/defguard-ui/components/Layout/Button/Button';
-import { useNavigate } from 'react-router';
 
 export const OpenIDCallback = () => {
   const {
diff --git a/web/src/pages/auth/Login/components/OidcButtons.tsx b/web/src/pages/auth/Login/components/OidcButtons.tsx
index a073a238ec..3a40d9dd08 100644
--- a/web/src/pages/auth/Login/components/OidcButtons.tsx
+++ b/web/src/pages/auth/Login/components/OidcButtons.tsx
@@ -1,4 +1,5 @@
 import './style.scss';
+
 import { Button } from '../../../../shared/defguard-ui/components/Layout/Button/Button';
 import {
   ButtonSize,
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
index e768e9f80c..f3d0a600c9 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
@@ -1,8 +1,8 @@
 import './style.scss';
 
 import { useMutation, useQueryClient } from '@tanstack/react-query';
-
 import parse from 'html-react-parser';
+
 import { useI18nContext } from '../../../../../i18n/i18n-react';
 import { Helper } from '../../../../../shared/defguard-ui/components/Layout/Helper/Helper';
 import { LabeledCheckbox } from '../../../../../shared/defguard-ui/components/Layout/LabeledCheckbox/LabeledCheckbox';
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
index 336d9c0fad..13a2ab05f7 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -2,11 +2,11 @@ import './style.scss';
 
 import { zodResolver } from '@hookform/resolvers/zod';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import parse from 'html-react-parser';
 import { useCallback, useEffect, useMemo, useState } from 'react';
 import { SubmitHandler, useForm } from 'react-hook-form';
 import { z } from 'zod';
 
-import parse from 'html-react-parser';
 import { useI18nContext } from '../../../../../i18n/i18n-react';
 import IconCheckmarkWhite from '../../../../../shared/components/svg/IconCheckmarkWhite';
 import { FormInput } from '../../../../../shared/defguard-ui/components/Form/FormInput/FormInput';
@@ -242,6 +242,7 @@ export const OpenIdSettingsForm = () => {
       <a
         href="https://defguard.gitbook.io/defguard/admin-and-features/external-openid-providers"
         target="_blank"
+        rel="noreferrer"
       >
         {localLL.form.documentation()}
       </a>

From fb8d950c62e507e07001997a49bc3c3d0396d69d Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Thu, 8 Aug 2024 00:28:33 +0200
Subject: [PATCH 39/73] further improvements, renewal service

---
 e2e/pnpm-lock.yaml                            | 2418 +++++++++--------
 src/appstate.rs                               |    2 +-
 src/bin/defguard.rs                           |   25 +-
 src/config.rs                                 |    8 +
 src/enterprise/handlers/mod.rs                |   21 +-
 src/enterprise/handlers/openid_login.rs       |    5 +-
 src/enterprise/handlers/openid_providers.rs   |    7 +
 src/enterprise/license.rs                     |  449 +++
 src/enterprise/mod.rs                         |    1 +
 src/error.rs                                  |    3 +
 src/handlers/app_info.rs                      |   12 +
 src/handlers/mod.rs                           |    8 +
 src/handlers/settings.rs                      |   11 +
 src/lib.rs                                    |    6 +-
 src/license.rs                                |  232 --
 web/src/components/AppLoader.tsx              |    1 +
 web/src/i18n/en/index.ts                      |   12 +
 web/src/i18n/i18n-types.ts                    |   48 +
 web/src/i18n/pl/index.ts                      |   12 +
 web/src/pages/auth/AuthPage.tsx               |    3 +-
 web/src/pages/auth/Login/Login.tsx            |    7 +-
 web/src/pages/settings/SettingsPage.tsx       |   19 +-
 .../GlobalSettings/GlobalSettings.tsx         |    2 +
 .../LicenseSettings/LicenseSettings.tsx       |  118 +
 .../components/LicenseSettings/styles.scss    |   12 +
 web/src/shared/types.ts                       |    8 +-
 26 files changed, 2102 insertions(+), 1348 deletions(-)
 create mode 100644 src/enterprise/license.rs
 delete mode 100644 src/license.rs
 create mode 100644 web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
 create mode 100644 web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/styles.scss

diff --git a/e2e/pnpm-lock.yaml b/e2e/pnpm-lock.yaml
index 40171809c8..b4f041267b 100644
--- a/e2e/pnpm-lock.yaml
+++ b/e2e/pnpm-lock.yaml
@@ -1,96 +1,1107 @@
-lockfileVersion: '6.0'
+lockfileVersion: '9.0'
 
 settings:
   autoInstallPeers: true
   excludeLinksFromLockfile: false
 
-dependencies:
-  '@faker-js/faker':
-    specifier: ^8.0.2
-    version: 8.0.2
-  '@playwright/test':
-    specifier: ^1.32.3
-    version: 1.32.3
-  '@scure/base':
-    specifier: ^1.1.3
-    version: 1.1.3
-  '@types/lodash':
-    specifier: ^4.14.195
-    version: 4.14.195
-  '@types/pg':
-    specifier: ^8.10.9
-    version: 8.10.9
-  axios:
-    specifier: ^1.4.0
-    version: 1.4.0
-  dotenv:
-    specifier: ^16.0.3
-    version: 16.0.3
-  lodash:
-    specifier: ^4.17.21
-    version: 4.17.21
-  pg:
-    specifier: ^8.11.3
-    version: 8.11.3
-  playwright:
-    specifier: ^1.32.3
-    version: 1.32.3
-  totp-generator:
-    specifier: ^0.0.14
-    version: 0.0.14
-
-devDependencies:
-  '@types/node':
-    specifier: ^18.16.0
-    version: 18.16.0
-  '@types/totp-generator':
-    specifier: ^0.0.5
-    version: 0.0.5
-  '@typescript-eslint/eslint-plugin':
-    specifier: ^5.59.0
-    version: 5.59.0(@typescript-eslint/parser@5.59.0)(eslint@8.39.0)(typescript@5.0.4)
-  '@typescript-eslint/parser':
-    specifier: ^5.59.0
-    version: 5.59.0(eslint@8.39.0)(typescript@5.0.4)
-  eslint:
-    specifier: ^8.39.0
-    version: 8.39.0
-  eslint-config-prettier:
-    specifier: ^8.8.0
-    version: 8.8.0(eslint@8.39.0)
-  eslint-plugin-import:
-    specifier: ^2.27.5
-    version: 2.27.5(@typescript-eslint/parser@5.59.0)(eslint@8.39.0)
-  eslint-plugin-prettier:
-    specifier: ^4.2.1
-    version: 4.2.1(eslint-config-prettier@8.8.0)(eslint@8.39.0)(prettier@2.8.8)
-  eslint-plugin-simple-import-sort:
-    specifier: ^10.0.0
-    version: 10.0.0(eslint@8.39.0)
-  prettier:
-    specifier: ^2.8.8
-    version: 2.8.8
+importers:
+
+  .:
+    dependencies:
+      '@faker-js/faker':
+        specifier: ^8.0.2
+        version: 8.0.2
+      '@playwright/test':
+        specifier: ^1.32.3
+        version: 1.32.3
+      '@scure/base':
+        specifier: ^1.1.3
+        version: 1.1.3
+      '@types/lodash':
+        specifier: ^4.14.195
+        version: 4.14.195
+      '@types/pg':
+        specifier: ^8.10.9
+        version: 8.10.9
+      axios:
+        specifier: ^1.4.0
+        version: 1.4.0
+      dotenv:
+        specifier: ^16.0.3
+        version: 16.0.3
+      lodash:
+        specifier: ^4.17.21
+        version: 4.17.21
+      pg:
+        specifier: ^8.11.3
+        version: 8.11.3
+      playwright:
+        specifier: ^1.32.3
+        version: 1.32.3
+      totp-generator:
+        specifier: ^0.0.14
+        version: 0.0.14
+    devDependencies:
+      '@types/node':
+        specifier: ^18.16.0
+        version: 18.16.0
+      '@types/totp-generator':
+        specifier: ^0.0.5
+        version: 0.0.5
+      '@typescript-eslint/eslint-plugin':
+        specifier: ^5.59.0
+        version: 5.59.0(@typescript-eslint/parser@5.59.0)(eslint@8.39.0)(typescript@5.0.4)
+      '@typescript-eslint/parser':
+        specifier: ^5.59.0
+        version: 5.59.0(eslint@8.39.0)(typescript@5.0.4)
+      eslint:
+        specifier: ^8.39.0
+        version: 8.39.0
+      eslint-config-prettier:
+        specifier: ^8.8.0
+        version: 8.8.0(eslint@8.39.0)
+      eslint-plugin-import:
+        specifier: ^2.27.5
+        version: 2.27.5(@typescript-eslint/parser@5.59.0)(eslint@8.39.0)
+      eslint-plugin-prettier:
+        specifier: ^4.2.1
+        version: 4.2.1(eslint-config-prettier@8.8.0)(eslint@8.39.0)(prettier@2.8.8)
+      eslint-plugin-simple-import-sort:
+        specifier: ^10.0.0
+        version: 10.0.0(eslint@8.39.0)
+      prettier:
+        specifier: ^2.8.8
+        version: 2.8.8
 
 packages:
 
-  /@eslint-community/eslint-utils@4.4.0(eslint@8.39.0):
+  '@eslint-community/eslint-utils@4.4.0':
     resolution: {integrity: sha512-1/sA4dwrzBAyeUoQ6oxahHKmrZvsnLCg4RfxW3ZFGGmQkSNQPFNLV9CUEFQP1x9EYXHTo5p6xdhZM1Ne9p/AfA==}
     engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
     peerDependencies:
       eslint: ^6.0.0 || ^7.0.0 || >=8.0.0
+
+  '@eslint-community/regexpp@4.5.0':
+    resolution: {integrity: sha512-vITaYzIcNmjn5tF5uxcZ/ft7/RXGrMUIS9HalWckEOF6ESiwXKoMzAQf2UW0aVd6rnOeExTJVd5hmWXucBKGXQ==}
+    engines: {node: ^12.0.0 || ^14.0.0 || >=16.0.0}
+
+  '@eslint/eslintrc@2.0.2':
+    resolution: {integrity: sha512-3W4f5tDUra+pA+FzgugqL2pRimUTDJWKr7BINqOpkZrC0uYI0NIc0/JFgBROCU07HR6GieA5m3/rsPIhDmCXTQ==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+
+  '@eslint/js@8.39.0':
+    resolution: {integrity: sha512-kf9RB0Fg7NZfap83B3QOqOGg9QmD9yBudqQXzzOtn3i4y7ZUXe5ONeW34Gwi+TxhH4mvj72R1Zc300KUMa9Bng==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+
+  '@faker-js/faker@8.0.2':
+    resolution: {integrity: sha512-Uo3pGspElQW91PCvKSIAXoEgAUlRnH29sX2/p89kg7sP1m2PzCufHINd0FhTXQf6DYGiUlVncdSPa2F9wxed2A==}
+    engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0, npm: '>=6.14.13'}
+
+  '@humanwhocodes/config-array@0.11.8':
+    resolution: {integrity: sha512-UybHIJzJnR5Qc/MsD9Kr+RpO2h+/P1GhOwdiLPXK5TWk5sgTdu88bTD9UP+CKbPPh5Rni1u0GjAdYQLemG8g+g==}
+    engines: {node: '>=10.10.0'}
+
+  '@humanwhocodes/module-importer@1.0.1':
+    resolution: {integrity: sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==}
+    engines: {node: '>=12.22'}
+
+  '@humanwhocodes/object-schema@1.2.1':
+    resolution: {integrity: sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==}
+
+  '@nodelib/fs.scandir@2.1.5':
+    resolution: {integrity: sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==}
+    engines: {node: '>= 8'}
+
+  '@nodelib/fs.stat@2.0.5':
+    resolution: {integrity: sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==}
+    engines: {node: '>= 8'}
+
+  '@nodelib/fs.walk@1.2.8':
+    resolution: {integrity: sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==}
+    engines: {node: '>= 8'}
+
+  '@playwright/test@1.32.3':
+    resolution: {integrity: sha512-BvWNvK0RfBriindxhLVabi8BRe3X0J9EVjKlcmhxjg4giWBD/xleLcg2dz7Tx0agu28rczjNIPQWznwzDwVsZQ==}
+    engines: {node: '>=14'}
+    hasBin: true
+
+  '@scure/base@1.1.3':
+    resolution: {integrity: sha512-/+SgoRjLq7Xlf0CWuLHq2LUZeL/w65kfzAPG5NH9pcmBhs+nunQTn4gvdwgMTIXnt9b2C/1SeL2XiysZEyIC9Q==}
+
+  '@types/json-schema@7.0.11':
+    resolution: {integrity: sha512-wOuvG1SN4Us4rez+tylwwwCV1psiNVOkJeM3AUWUNWg/jDQY2+HE/444y5gc+jBmRqASOm2Oeh5c1axHobwRKQ==}
+
+  '@types/json5@0.0.29':
+    resolution: {integrity: sha512-dRLjCWHYg4oaA77cxO64oO+7JwCwnIzkZPdrrC71jQmQtlhM556pwKo5bUzqvZndkVbeFLIIi+9TC40JNF5hNQ==}
+
+  '@types/lodash@4.14.195':
+    resolution: {integrity: sha512-Hwx9EUgdwf2GLarOjQp5ZH8ZmblzcbTBC2wtQWNKARBSxM9ezRIAUpeDTgoQRAFB0+8CNWXVA9+MaSOzOF3nPg==}
+
+  '@types/node@18.16.0':
+    resolution: {integrity: sha512-BsAaKhB+7X+H4GnSjGhJG9Qi8Tw+inU9nJDwmD5CgOmBLEI6ArdhikpLX7DjbjDRDTbqZzU2LSQNZg8WGPiSZQ==}
+
+  '@types/pg@8.10.9':
+    resolution: {integrity: sha512-UksbANNE/f8w0wOMxVKKIrLCbEMV+oM1uKejmwXr39olg4xqcfBDbXxObJAt6XxHbDa4XTKOlUEcEltXDX+XLQ==}
+
+  '@types/semver@7.3.13':
+    resolution: {integrity: sha512-21cFJr9z3g5dW8B0CVI9g2O9beqaThGQ6ZFBqHfwhzLDKUxaqTIy3vnfah/UPkfOiF2pLq+tGz+W8RyCskuslw==}
+
+  '@types/totp-generator@0.0.5':
+    resolution: {integrity: sha512-ryo6U5lfQg2/7pNQnpEXG49EPX7/cmRi/FX7sPBYO7QVJf0z6turM3km3w+98mpqlM4E+vkoOrN+gcjqCBmX0g==}
+
+  '@typescript-eslint/eslint-plugin@5.59.0':
+    resolution: {integrity: sha512-p0QgrEyrxAWBecR56gyn3wkG15TJdI//eetInP3zYRewDh0XS+DhB3VUAd3QqvziFsfaQIoIuZMxZRB7vXYaYw==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+    peerDependencies:
+      '@typescript-eslint/parser': ^5.0.0
+      eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
+      typescript: '*'
+    peerDependenciesMeta:
+      typescript:
+        optional: true
+
+  '@typescript-eslint/parser@5.59.0':
+    resolution: {integrity: sha512-qK9TZ70eJtjojSUMrrEwA9ZDQ4N0e/AuoOIgXuNBorXYcBDk397D2r5MIe1B3cok/oCtdNC5j+lUUpVB+Dpb+w==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+    peerDependencies:
+      eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
+      typescript: '*'
+    peerDependenciesMeta:
+      typescript:
+        optional: true
+
+  '@typescript-eslint/scope-manager@5.59.0':
+    resolution: {integrity: sha512-tsoldKaMh7izN6BvkK6zRMINj4Z2d6gGhO2UsI8zGZY3XhLq1DndP3Ycjhi1JwdwPRwtLMW4EFPgpuKhbCGOvQ==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+
+  '@typescript-eslint/type-utils@5.59.0':
+    resolution: {integrity: sha512-d/B6VSWnZwu70kcKQSCqjcXpVH+7ABKH8P1KNn4K7j5PXXuycZTPXF44Nui0TEm6rbWGi8kc78xRgOC4n7xFgA==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+    peerDependencies:
+      eslint: '*'
+      typescript: '*'
+    peerDependenciesMeta:
+      typescript:
+        optional: true
+
+  '@typescript-eslint/types@5.59.0':
+    resolution: {integrity: sha512-yR2h1NotF23xFFYKHZs17QJnB51J/s+ud4PYU4MqdZbzeNxpgUr05+dNeCN/bb6raslHvGdd6BFCkVhpPk/ZeA==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+
+  '@typescript-eslint/typescript-estree@5.59.0':
+    resolution: {integrity: sha512-sUNnktjmI8DyGzPdZ8dRwW741zopGxltGs/SAPgGL/AAgDpiLsCFLcMNSpbfXfmnNeHmK9h3wGmCkGRGAoUZAg==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+    peerDependencies:
+      typescript: '*'
+    peerDependenciesMeta:
+      typescript:
+        optional: true
+
+  '@typescript-eslint/utils@5.59.0':
+    resolution: {integrity: sha512-GGLFd+86drlHSvPgN/el6dRQNYYGOvRSDVydsUaQluwIW3HvbXuxyuD5JETvBt/9qGYe+lOrDk6gRrWOHb/FvA==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+    peerDependencies:
+      eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
+
+  '@typescript-eslint/visitor-keys@5.59.0':
+    resolution: {integrity: sha512-qZ3iXxQhanchCeaExlKPV3gDQFxMUmU35xfd5eCXB6+kUw1TUAbIy2n7QIrwz9s98DQLzNWyHp61fY0da4ZcbA==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+
+  acorn-jsx@5.3.2:
+    resolution: {integrity: sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==}
+    peerDependencies:
+      acorn: ^6.0.0 || ^7.0.0 || ^8.0.0
+
+  acorn@8.8.2:
+    resolution: {integrity: sha512-xjIYgE8HBrkpd/sJqOGNspf8uHG+NOHGOw6a/Urj8taM2EXfdNAH2oFcPeIFfsv3+kz/mJrS5VuMqbNLjCa2vw==}
+    engines: {node: '>=0.4.0'}
+    hasBin: true
+
+  ajv@6.12.6:
+    resolution: {integrity: sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==}
+
+  ansi-regex@5.0.1:
+    resolution: {integrity: sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==}
+    engines: {node: '>=8'}
+
+  ansi-styles@4.3.0:
+    resolution: {integrity: sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==}
+    engines: {node: '>=8'}
+
+  argparse@2.0.1:
+    resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==}
+
+  array-buffer-byte-length@1.0.0:
+    resolution: {integrity: sha512-LPuwb2P+NrQw3XhxGc36+XSvuBPopovXYTR9Ew++Du9Yb/bx5AzBfrIsBoj0EZUifjQU+sHL21sseZ3jerWO/A==}
+
+  array-includes@3.1.6:
+    resolution: {integrity: sha512-sgTbLvL6cNnw24FnbaDyjmvddQ2ML8arZsgaJhoABMoplz/4QRhtrYS+alr1BUM1Bwp6dhx8vVCBSLG+StwOFw==}
+    engines: {node: '>= 0.4'}
+
+  array-union@2.1.0:
+    resolution: {integrity: sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw==}
+    engines: {node: '>=8'}
+
+  array.prototype.flat@1.3.1:
+    resolution: {integrity: sha512-roTU0KWIOmJ4DRLmwKd19Otg0/mT3qPNt0Qb3GWW8iObuZXxrjB/pzn0R3hqpRSWg4HCwqx+0vwOnWnvlOyeIA==}
+    engines: {node: '>= 0.4'}
+
+  array.prototype.flatmap@1.3.1:
+    resolution: {integrity: sha512-8UGn9O1FDVvMNB0UlLv4voxRMze7+FpHyF5mSMRjWHUMlpoDViniy05870VlxhfgTnLbpuwTzvD76MTtWxB/mQ==}
+    engines: {node: '>= 0.4'}
+
+  asynckit@0.4.0:
+    resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
+
+  available-typed-arrays@1.0.5:
+    resolution: {integrity: sha512-DMD0KiN46eipeziST1LPP/STfDU0sufISXmjSgvVsoU2tqxctQeASejWcfNtxYKqETM1UxQ8sp2OrSBWpHY6sw==}
+    engines: {node: '>= 0.4'}
+
+  axios@1.4.0:
+    resolution: {integrity: sha512-S4XCWMEmzvo64T9GfvQDOXgYRDJ/wsSZc7Jvdgx5u1sd0JwsuPLqb3SYmusag+edF6ziyMensPVqLTSc1PiSEA==}
+
+  balanced-match@1.0.2:
+    resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
+
+  brace-expansion@1.1.11:
+    resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==}
+
+  braces@3.0.2:
+    resolution: {integrity: sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==}
+    engines: {node: '>=8'}
+
+  buffer-writer@2.0.0:
+    resolution: {integrity: sha512-a7ZpuTZU1TRtnwyCNW3I5dc0wWNC3VR9S++Ewyk2HHZdrO3CQJqSpd+95Us590V6AL7JqUAH2IwZ/398PmNFgw==}
+    engines: {node: '>=4'}
+
+  call-bind@1.0.2:
+    resolution: {integrity: sha512-7O+FbCihrB5WGbFYesctwmTKae6rOiIzmz1icreWJ+0aA7LJfuqhEso2T9ncpcFtzMQtzXf2QGGueWJGTYsqrA==}
+
+  callsites@3.1.0:
+    resolution: {integrity: sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==}
+    engines: {node: '>=6'}
+
+  chalk@4.1.2:
+    resolution: {integrity: sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==}
+    engines: {node: '>=10'}
+
+  color-convert@2.0.1:
+    resolution: {integrity: sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==}
+    engines: {node: '>=7.0.0'}
+
+  color-name@1.1.4:
+    resolution: {integrity: sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==}
+
+  combined-stream@1.0.8:
+    resolution: {integrity: sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==}
+    engines: {node: '>= 0.8'}
+
+  concat-map@0.0.1:
+    resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==}
+
+  cross-spawn@7.0.3:
+    resolution: {integrity: sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==}
+    engines: {node: '>= 8'}
+
+  debug@3.2.7:
+    resolution: {integrity: sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==}
+    peerDependencies:
+      supports-color: '*'
+    peerDependenciesMeta:
+      supports-color:
+        optional: true
+
+  debug@4.3.4:
+    resolution: {integrity: sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==}
+    engines: {node: '>=6.0'}
+    peerDependencies:
+      supports-color: '*'
+    peerDependenciesMeta:
+      supports-color:
+        optional: true
+
+  deep-is@0.1.4:
+    resolution: {integrity: sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==}
+
+  define-properties@1.2.0:
+    resolution: {integrity: sha512-xvqAVKGfT1+UAvPwKTVw/njhdQ8ZhXK4lI0bCIuCMrp2up9nPnaDftrLtmpTazqd1o+UY4zgzU+avtMbDP+ldA==}
+    engines: {node: '>= 0.4'}
+
+  delayed-stream@1.0.0:
+    resolution: {integrity: sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==}
+    engines: {node: '>=0.4.0'}
+
+  dir-glob@3.0.1:
+    resolution: {integrity: sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==}
+    engines: {node: '>=8'}
+
+  doctrine@2.1.0:
+    resolution: {integrity: sha512-35mSku4ZXK0vfCuHEDAwt55dg2jNajHZ1odvF+8SSr82EsZY4QmXfuWso8oEd8zRhVObSN18aM0CjSdoBX7zIw==}
+    engines: {node: '>=0.10.0'}
+
+  doctrine@3.0.0:
+    resolution: {integrity: sha512-yS+Q5i3hBf7GBkd4KG8a7eBNNWNGLTaEwwYWUijIYM7zrlYDM0BFXHjjPWlWZ1Rg7UaddZeIDmi9jF3HmqiQ2w==}
+    engines: {node: '>=6.0.0'}
+
+  dotenv@16.0.3:
+    resolution: {integrity: sha512-7GO6HghkA5fYG9TYnNxi14/7K9f5occMlp3zXAuSxn7CKCxt9xbNWG7yF8hTCSUchlfWSe3uLmlPfigevRItzQ==}
+    engines: {node: '>=12'}
+
+  es-abstract@1.21.2:
+    resolution: {integrity: sha512-y/B5POM2iBnIxCiernH1G7rC9qQoM77lLIMQLuob0zhp8C56Po81+2Nj0WFKnd0pNReDTnkYryc+zhOzpEIROg==}
+    engines: {node: '>= 0.4'}
+
+  es-set-tostringtag@2.0.1:
+    resolution: {integrity: sha512-g3OMbtlwY3QewlqAiMLI47KywjWZoEytKr8pf6iTC8uJq5bIAH52Z9pnQ8pVL6whrCto53JZDuUIsifGeLorTg==}
+    engines: {node: '>= 0.4'}
+
+  es-shim-unscopables@1.0.0:
+    resolution: {integrity: sha512-Jm6GPcCdC30eMLbZ2x8z2WuRwAws3zTBBKuusffYVUrNj/GVSUAZ+xKMaUpfNDR5IbyNA5LJbaecoUVbmUcB1w==}
+
+  es-to-primitive@1.2.1:
+    resolution: {integrity: sha512-QCOllgZJtaUo9miYBcLChTUaHNjJF3PYs1VidD7AwiEj1kYxKeQTctLAezAOH5ZKRH0g2IgPn6KwB4IT8iRpvA==}
+    engines: {node: '>= 0.4'}
+
+  escape-string-regexp@4.0.0:
+    resolution: {integrity: sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==}
+    engines: {node: '>=10'}
+
+  eslint-config-prettier@8.8.0:
+    resolution: {integrity: sha512-wLbQiFre3tdGgpDv67NQKnJuTlcUVYHas3k+DZCc2U2BadthoEY4B7hLPvAxaqdyOGCzuLfii2fqGph10va7oA==}
+    hasBin: true
+    peerDependencies:
+      eslint: '>=7.0.0'
+
+  eslint-import-resolver-node@0.3.7:
+    resolution: {integrity: sha512-gozW2blMLJCeFpBwugLTGyvVjNoeo1knonXAcatC6bjPBZitotxdWf7Gimr25N4c0AAOo4eOUfaG82IJPDpqCA==}
+
+  eslint-module-utils@2.8.0:
+    resolution: {integrity: sha512-aWajIYfsqCKRDgUfjEXNN/JlrzauMuSEy5sbd7WXbtW3EH6A6MpwEh42c7qD+MqQo9QMJ6fWLAeIJynx0g6OAw==}
+    engines: {node: '>=4'}
+    peerDependencies:
+      '@typescript-eslint/parser': '*'
+      eslint: '*'
+      eslint-import-resolver-node: '*'
+      eslint-import-resolver-typescript: '*'
+      eslint-import-resolver-webpack: '*'
+    peerDependenciesMeta:
+      '@typescript-eslint/parser':
+        optional: true
+      eslint:
+        optional: true
+      eslint-import-resolver-node:
+        optional: true
+      eslint-import-resolver-typescript:
+        optional: true
+      eslint-import-resolver-webpack:
+        optional: true
+
+  eslint-plugin-import@2.27.5:
+    resolution: {integrity: sha512-LmEt3GVofgiGuiE+ORpnvP+kAm3h6MLZJ4Q5HCyHADofsb4VzXFsRiWj3c0OFiV+3DWFh0qg3v9gcPlfc3zRow==}
+    engines: {node: '>=4'}
+    peerDependencies:
+      '@typescript-eslint/parser': '*'
+      eslint: ^2 || ^3 || ^4 || ^5 || ^6 || ^7.2.0 || ^8
+    peerDependenciesMeta:
+      '@typescript-eslint/parser':
+        optional: true
+
+  eslint-plugin-prettier@4.2.1:
+    resolution: {integrity: sha512-f/0rXLXUt0oFYs8ra4w49wYZBG5GKZpAYsJSm6rnYL5uVDjd+zowwMwVZHnAjf4edNrKpCDYfXDgmRE/Ak7QyQ==}
+    engines: {node: '>=12.0.0'}
+    peerDependencies:
+      eslint: '>=7.28.0'
+      eslint-config-prettier: '*'
+      prettier: '>=2.0.0'
+    peerDependenciesMeta:
+      eslint-config-prettier:
+        optional: true
+
+  eslint-plugin-simple-import-sort@10.0.0:
+    resolution: {integrity: sha512-AeTvO9UCMSNzIHRkg8S6c3RPy5YEwKWSQPx3DYghLedo2ZQxowPFLGDN1AZ2evfg6r6mjBSZSLxLFsWSu3acsw==}
+    peerDependencies:
+      eslint: '>=5.0.0'
+
+  eslint-scope@5.1.1:
+    resolution: {integrity: sha512-2NxwbF/hZ0KpepYN0cNbo+FN6XoK7GaHlQhgx/hIZl6Va0bF45RQOOwhLIy8lQDbuCiadSLCBnH2CFYquit5bw==}
+    engines: {node: '>=8.0.0'}
+
+  eslint-scope@7.2.0:
+    resolution: {integrity: sha512-DYj5deGlHBfMt15J7rdtyKNq/Nqlv5KfU4iodrQ019XESsRnwXH9KAE0y3cwtUHDo2ob7CypAnCqefh6vioWRw==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+
+  eslint-visitor-keys@3.4.0:
+    resolution: {integrity: sha512-HPpKPUBQcAsZOsHAFwTtIKcYlCje62XB7SEAcxjtmW6TD1WVpkS6i6/hOVtTZIl4zGj/mBqpFVGvaDneik+VoQ==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+
+  eslint@8.39.0:
+    resolution: {integrity: sha512-mwiok6cy7KTW7rBpo05k6+p4YVZByLNjAZ/ACB9DRCu4YDRwjXI01tWHp6KAUWelsBetTxKK/2sHB0vdS8Z2Og==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+    hasBin: true
+
+  espree@9.5.1:
+    resolution: {integrity: sha512-5yxtHSZXRSW5pvv3hAlXM5+/Oswi1AUFqBmbibKb5s6bp3rGIDkyXU6xCoyuuLhijr4SFwPrXRoZjz0AZDN9tg==}
+    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+
+  esquery@1.5.0:
+    resolution: {integrity: sha512-YQLXUplAwJgCydQ78IMJywZCceoqk1oH01OERdSAJc/7U2AylwjhSCLDEtqwg811idIS/9fIU5GjG73IgjKMVg==}
+    engines: {node: '>=0.10'}
+
+  esrecurse@4.3.0:
+    resolution: {integrity: sha512-KmfKL3b6G+RXvP8N1vr3Tq1kL/oCFgn2NYXEtqP8/L3pKapUA4G8cFVaoF3SU323CD4XypR/ffioHmkti6/Tag==}
+    engines: {node: '>=4.0'}
+
+  estraverse@4.3.0:
+    resolution: {integrity: sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw==}
+    engines: {node: '>=4.0'}
+
+  estraverse@5.3.0:
+    resolution: {integrity: sha512-MMdARuVEQziNTeJD8DgMqmhwR11BRQ/cBP+pLtYdSTnf3MIO8fFeiINEbX36ZdNlfU/7A9f3gUw49B3oQsvwBA==}
+    engines: {node: '>=4.0'}
+
+  esutils@2.0.3:
+    resolution: {integrity: sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==}
+    engines: {node: '>=0.10.0'}
+
+  fast-deep-equal@3.1.3:
+    resolution: {integrity: sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==}
+
+  fast-diff@1.2.0:
+    resolution: {integrity: sha512-xJuoT5+L99XlZ8twedaRf6Ax2TgQVxvgZOYoPKqZufmJib0tL2tegPBOZb1pVNgIhlqDlA0eO0c3wBvQcmzx4w==}
+
+  fast-glob@3.2.12:
+    resolution: {integrity: sha512-DVj4CQIYYow0BlaelwK1pHl5n5cRSJfM60UA0zK891sVInoPri2Ekj7+e1CT3/3qxXenpI+nBBmQAcJPJgaj4w==}
+    engines: {node: '>=8.6.0'}
+
+  fast-json-stable-stringify@2.1.0:
+    resolution: {integrity: sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==}
+
+  fast-levenshtein@2.0.6:
+    resolution: {integrity: sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==}
+
+  fastq@1.15.0:
+    resolution: {integrity: sha512-wBrocU2LCXXa+lWBt8RoIRD89Fi8OdABODa/kEnyeyjS5aZO5/GNvI5sEINADqP/h8M29UHTHUb53sUu5Ihqdw==}
+
+  file-entry-cache@6.0.1:
+    resolution: {integrity: sha512-7Gps/XWymbLk2QLYK4NzpMOrYjMhdIxXuIvy2QBsLE6ljuodKvdkWs/cpyJJ3CVIVpH0Oi1Hvg1ovbMzLdFBBg==}
+    engines: {node: ^10.12.0 || >=12.0.0}
+
+  fill-range@7.0.1:
+    resolution: {integrity: sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==}
+    engines: {node: '>=8'}
+
+  find-up@5.0.0:
+    resolution: {integrity: sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng==}
+    engines: {node: '>=10'}
+
+  flat-cache@3.0.4:
+    resolution: {integrity: sha512-dm9s5Pw7Jc0GvMYbshN6zchCA9RgQlzzEZX3vylR9IqFfS8XciblUXOKfW6SiuJ0e13eDYZoZV5wdrev7P3Nwg==}
+    engines: {node: ^10.12.0 || >=12.0.0}
+
+  flatted@3.2.7:
+    resolution: {integrity: sha512-5nqDSxl8nn5BSNxyR3n4I6eDmbolI6WT+QqR547RwxQapgjQBmtktdP+HTBb/a/zLsbzERTONyUB5pefh5TtjQ==}
+
+  follow-redirects@1.15.2:
+    resolution: {integrity: sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==}
+    engines: {node: '>=4.0'}
+    peerDependencies:
+      debug: '*'
+    peerDependenciesMeta:
+      debug:
+        optional: true
+
+  for-each@0.3.3:
+    resolution: {integrity: sha512-jqYfLp7mo9vIyQf8ykW2v7A+2N4QjeCeI5+Dz9XraiO1ign81wjiH7Fb9vSOWvQfNtmSa4H2RoQTrrXivdUZmw==}
+
+  form-data@4.0.0:
+    resolution: {integrity: sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==}
+    engines: {node: '>= 6'}
+
+  fs.realpath@1.0.0:
+    resolution: {integrity: sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==}
+
+  fsevents@2.3.2:
+    resolution: {integrity: sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==}
+    engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
+    os: [darwin]
+
+  function-bind@1.1.1:
+    resolution: {integrity: sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==}
+
+  function.prototype.name@1.1.5:
+    resolution: {integrity: sha512-uN7m/BzVKQnCUF/iW8jYea67v++2u7m5UgENbHRtdDVclOUP+FMPlCNdmk0h/ysGyo2tavMJEDqJAkJdRa1vMA==}
+    engines: {node: '>= 0.4'}
+
+  functions-have-names@1.2.3:
+    resolution: {integrity: sha512-xckBUXyTIqT97tq2x2AMb+g163b5JFysYk0x4qxNFwbfQkmNZoiRHb6sPzI9/QV33WeuvVYBUIiD4NzNIyqaRQ==}
+
+  get-intrinsic@1.2.0:
+    resolution: {integrity: sha512-L049y6nFOuom5wGyRc3/gdTLO94dySVKRACj1RmJZBQXlbTMhtNIgkWkUHq+jYmZvKf14EW1EoJnnjbmoHij0Q==}
+
+  get-symbol-description@1.0.0:
+    resolution: {integrity: sha512-2EmdH1YvIQiZpltCNgkuiUnyukzxM/R6NDJX31Ke3BG1Nq5b0S2PhX59UKi9vZpPDQVdqn+1IcaAwnzTT5vCjw==}
+    engines: {node: '>= 0.4'}
+
+  glob-parent@5.1.2:
+    resolution: {integrity: sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==}
+    engines: {node: '>= 6'}
+
+  glob-parent@6.0.2:
+    resolution: {integrity: sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==}
+    engines: {node: '>=10.13.0'}
+
+  glob@7.2.3:
+    resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==}
+
+  globals@13.20.0:
+    resolution: {integrity: sha512-Qg5QtVkCy/kv3FUSlu4ukeZDVf9ee0iXLAUYX13gbR17bnejFTzr4iS9bY7kwCf1NztRNm1t91fjOiyx4CSwPQ==}
+    engines: {node: '>=8'}
+
+  globalthis@1.0.3:
+    resolution: {integrity: sha512-sFdI5LyBiNTHjRd7cGPWapiHWMOXKyuBNX/cWJ3NfzrZQVa8GI/8cofCl74AOVqq9W5kNmguTIzJ/1s2gyI9wA==}
+    engines: {node: '>= 0.4'}
+
+  globby@11.1.0:
+    resolution: {integrity: sha512-jhIXaOzy1sb8IyocaruWSn1TjmnBVs8Ayhcy83rmxNJ8q2uWKCAj3CnJY+KpGSXCueAPc0i05kVvVKtP1t9S3g==}
+    engines: {node: '>=10'}
+
+  gopd@1.0.1:
+    resolution: {integrity: sha512-d65bNlIadxvpb/A2abVdlqKqV563juRnZ1Wtk6s1sIR8uNsXR70xqIzVqxVf1eTqDunwT2MkczEeaezCKTZhwA==}
+
+  grapheme-splitter@1.0.4:
+    resolution: {integrity: sha512-bzh50DW9kTPM00T8y4o8vQg89Di9oLJVLW/KaOGIXJWP/iqCN6WKYkbNOF04vFLJhwcpYUh9ydh/+5vpOqV4YQ==}
+
+  has-bigints@1.0.2:
+    resolution: {integrity: sha512-tSvCKtBr9lkF0Ex0aQiP9N+OpV4zi2r/Nee5VkRDbaqv35RLYMzbwQfFSZZH0kR+Rd6302UJZ2p/bJCEoR3VoQ==}
+
+  has-flag@4.0.0:
+    resolution: {integrity: sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==}
+    engines: {node: '>=8'}
+
+  has-property-descriptors@1.0.0:
+    resolution: {integrity: sha512-62DVLZGoiEBDHQyqG4w9xCuZ7eJEwNmJRWw2VY84Oedb7WFcA27fiEVe8oUQx9hAUJ4ekurquucTGwsyO1XGdQ==}
+
+  has-proto@1.0.1:
+    resolution: {integrity: sha512-7qE+iP+O+bgF9clE5+UoBFzE65mlBiVj3tKCrlNQ0Ogwm0BjpT/gK4SlLYDMybDh5I3TCTKnPPa0oMG7JDYrhg==}
+    engines: {node: '>= 0.4'}
+
+  has-symbols@1.0.3:
+    resolution: {integrity: sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A==}
+    engines: {node: '>= 0.4'}
+
+  has-tostringtag@1.0.0:
+    resolution: {integrity: sha512-kFjcSNhnlGV1kyoGk7OXKSawH5JOb/LzUc5w9B02hOTO0dfFRjbHQKvg1d6cf3HbeUmtU9VbbV3qzZ2Teh97WQ==}
+    engines: {node: '>= 0.4'}
+
+  has@1.0.3:
+    resolution: {integrity: sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==}
+    engines: {node: '>= 0.4.0'}
+
+  ignore@5.2.4:
+    resolution: {integrity: sha512-MAb38BcSbH0eHNBxn7ql2NH/kX33OkB3lZ1BNdh7ENeRChHTYsTvWrMubiIAMNS2llXEEgZ1MUOBtXChP3kaFQ==}
+    engines: {node: '>= 4'}
+
+  import-fresh@3.3.0:
+    resolution: {integrity: sha512-veYYhQa+D1QBKznvhUHxb8faxlrwUnxseDAbAp457E0wLNio2bOSKnjYDhMj+YiAq61xrMGhQk9iXVk5FzgQMw==}
+    engines: {node: '>=6'}
+
+  imurmurhash@0.1.4:
+    resolution: {integrity: sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==}
+    engines: {node: '>=0.8.19'}
+
+  inflight@1.0.6:
+    resolution: {integrity: sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==}
+
+  inherits@2.0.4:
+    resolution: {integrity: sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==}
+
+  internal-slot@1.0.5:
+    resolution: {integrity: sha512-Y+R5hJrzs52QCG2laLn4udYVnxsfny9CpOhNhUvk/SSSVyF6T27FzRbF0sroPidSu3X8oEAkOn2K804mjpt6UQ==}
+    engines: {node: '>= 0.4'}
+
+  is-array-buffer@3.0.2:
+    resolution: {integrity: sha512-y+FyyR/w8vfIRq4eQcM1EYgSTnmHXPqaF+IgzgraytCFq5Xh8lllDVmAZolPJiZttZLeFSINPYMaEJ7/vWUa1w==}
+
+  is-bigint@1.0.4:
+    resolution: {integrity: sha512-zB9CruMamjym81i2JZ3UMn54PKGsQzsJeo6xvN3HJJ4CAsQNB6iRutp2To77OfCNuoxspsIhzaPoO1zyCEhFOg==}
+
+  is-boolean-object@1.1.2:
+    resolution: {integrity: sha512-gDYaKHJmnj4aWxyj6YHyXVpdQawtVLHU5cb+eztPGczf6cjuTdwve5ZIEfgXqH4e57An1D1AKf8CZ3kYrQRqYA==}
+    engines: {node: '>= 0.4'}
+
+  is-callable@1.2.7:
+    resolution: {integrity: sha512-1BC0BVFhS/p0qtw6enp8e+8OD0UrK0oFLztSjNzhcKA3WDuJxxAPXzPuPtKkjEY9UUoEWlX/8fgKeu2S8i9JTA==}
+    engines: {node: '>= 0.4'}
+
+  is-core-module@2.12.0:
+    resolution: {integrity: sha512-RECHCBCd/viahWmwj6enj19sKbHfJrddi/6cBDsNTKbNq0f7VeaUkBo60BqzvPqo/W54ChS62Z5qyun7cfOMqQ==}
+
+  is-date-object@1.0.5:
+    resolution: {integrity: sha512-9YQaSxsAiSwcvS33MBk3wTCVnWK+HhF8VZR2jRxehM16QcVOdHqPn4VPHmRK4lSr38n9JriurInLcP90xsYNfQ==}
+    engines: {node: '>= 0.4'}
+
+  is-extglob@2.1.1:
+    resolution: {integrity: sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==}
+    engines: {node: '>=0.10.0'}
+
+  is-glob@4.0.3:
+    resolution: {integrity: sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==}
+    engines: {node: '>=0.10.0'}
+
+  is-negative-zero@2.0.2:
+    resolution: {integrity: sha512-dqJvarLawXsFbNDeJW7zAz8ItJ9cd28YufuuFzh0G8pNHjJMnY08Dv7sYX2uF5UpQOwieAeOExEYAWWfu7ZZUA==}
+    engines: {node: '>= 0.4'}
+
+  is-number-object@1.0.7:
+    resolution: {integrity: sha512-k1U0IRzLMo7ZlYIfzRu23Oh6MiIFasgpb9X76eqfFZAqwH44UI4KTBvBYIZ1dSL9ZzChTB9ShHfLkR4pdW5krQ==}
+    engines: {node: '>= 0.4'}
+
+  is-number@7.0.0:
+    resolution: {integrity: sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==}
+    engines: {node: '>=0.12.0'}
+
+  is-path-inside@3.0.3:
+    resolution: {integrity: sha512-Fd4gABb+ycGAmKou8eMftCupSir5lRxqf4aD/vd0cD2qc4HL07OjCeuHMr8Ro4CoMaeCKDB0/ECBOVWjTwUvPQ==}
+    engines: {node: '>=8'}
+
+  is-regex@1.1.4:
+    resolution: {integrity: sha512-kvRdxDsxZjhzUX07ZnLydzS1TU/TJlTUHHY4YLL87e37oUA49DfkLqgy+VjFocowy29cKvcSiu+kIv728jTTVg==}
+    engines: {node: '>= 0.4'}
+
+  is-shared-array-buffer@1.0.2:
+    resolution: {integrity: sha512-sqN2UDu1/0y6uvXyStCOzyhAjCSlHceFoMKJW8W9EU9cvic/QdsZ0kEU93HEy3IUEFZIiH/3w+AH/UQbPHNdhA==}
+
+  is-string@1.0.7:
+    resolution: {integrity: sha512-tE2UXzivje6ofPW7l23cjDOMa09gb7xlAqG6jG5ej6uPV32TlWP3NKPigtaGeHNu9fohccRYvIiZMfOOnOYUtg==}
+    engines: {node: '>= 0.4'}
+
+  is-symbol@1.0.4:
+    resolution: {integrity: sha512-C/CPBqKWnvdcxqIARxyOh4v1UUEOCHpgDa0WYgpKDFMszcrPcffg5uhwSgPCLD2WWxmq6isisz87tzT01tuGhg==}
+    engines: {node: '>= 0.4'}
+
+  is-typed-array@1.1.10:
+    resolution: {integrity: sha512-PJqgEHiWZvMpaFZ3uTc8kHPM4+4ADTlDniuQL7cU/UDA0Ql7F70yGfHph3cLNe+c9toaigv+DFzTJKhc2CtO6A==}
+    engines: {node: '>= 0.4'}
+
+  is-weakref@1.0.2:
+    resolution: {integrity: sha512-qctsuLZmIQ0+vSSMfoVvyFe2+GSEvnmZ2ezTup1SBse9+twCCeial6EEi3Nc2KFcf6+qz2FBPnjXsk8xhKSaPQ==}
+
+  isexe@2.0.0:
+    resolution: {integrity: sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==}
+
+  js-sdsl@4.4.0:
+    resolution: {integrity: sha512-FfVSdx6pJ41Oa+CF7RDaFmTnCaFhua+SNYQX74riGOpl96x+2jQCqEfQ2bnXu/5DPCqlRuiqyvTJM0Qjz26IVg==}
+
+  js-yaml@4.1.0:
+    resolution: {integrity: sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==}
+    hasBin: true
+
+  json-schema-traverse@0.4.1:
+    resolution: {integrity: sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==}
+
+  json-stable-stringify-without-jsonify@1.0.1:
+    resolution: {integrity: sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==}
+
+  json5@1.0.2:
+    resolution: {integrity: sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==}
+    hasBin: true
+
+  jssha@3.3.0:
+    resolution: {integrity: sha512-w9OtT4ALL+fbbwG3gw7erAO0jvS5nfvrukGPMWIAoea359B26ALXGpzy4YJSp9yGnpUvuvOw1nSjSoHDfWSr1w==}
+
+  levn@0.4.1:
+    resolution: {integrity: sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==}
+    engines: {node: '>= 0.8.0'}
+
+  locate-path@6.0.0:
+    resolution: {integrity: sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==}
+    engines: {node: '>=10'}
+
+  lodash.merge@4.6.2:
+    resolution: {integrity: sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==}
+
+  lodash@4.17.21:
+    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}
+
+  lru-cache@6.0.0:
+    resolution: {integrity: sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==}
+    engines: {node: '>=10'}
+
+  merge2@1.4.1:
+    resolution: {integrity: sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==}
+    engines: {node: '>= 8'}
+
+  micromatch@4.0.5:
+    resolution: {integrity: sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==}
+    engines: {node: '>=8.6'}
+
+  mime-db@1.52.0:
+    resolution: {integrity: sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==}
+    engines: {node: '>= 0.6'}
+
+  mime-types@2.1.35:
+    resolution: {integrity: sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==}
+    engines: {node: '>= 0.6'}
+
+  minimatch@3.1.2:
+    resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==}
+
+  minimist@1.2.8:
+    resolution: {integrity: sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==}
+
+  ms@2.1.2:
+    resolution: {integrity: sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==}
+
+  ms@2.1.3:
+    resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
+
+  natural-compare-lite@1.4.0:
+    resolution: {integrity: sha512-Tj+HTDSJJKaZnfiuw+iaF9skdPpTo2GtEly5JHnWV/hfv2Qj/9RKsGISQtLh2ox3l5EAGw487hnBee0sIJ6v2g==}
+
+  natural-compare@1.4.0:
+    resolution: {integrity: sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==}
+
+  object-inspect@1.12.3:
+    resolution: {integrity: sha512-geUvdk7c+eizMNUDkRpW1wJwgfOiOeHbxBR/hLXK1aT6zmVSO0jsQcs7fj6MGw89jC/cjGfLcNOrtMYtGqm81g==}
+
+  object-keys@1.1.1:
+    resolution: {integrity: sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA==}
+    engines: {node: '>= 0.4'}
+
+  object.assign@4.1.4:
+    resolution: {integrity: sha512-1mxKf0e58bvyjSCtKYY4sRe9itRk3PJpquJOjeIkz885CczcI4IvJJDLPS72oowuSh+pBxUFROpX+TU++hxhZQ==}
+    engines: {node: '>= 0.4'}
+
+  object.values@1.1.6:
+    resolution: {integrity: sha512-FVVTkD1vENCsAcwNs9k6jea2uHC/X0+JcjG8YA60FN5CMaJmG95wT9jek/xX9nornqGRrBkKtzuAu2wuHpKqvw==}
+    engines: {node: '>= 0.4'}
+
+  obuf@1.1.2:
+    resolution: {integrity: sha512-PX1wu0AmAdPqOL1mWhqmlOd8kOIZQwGZw6rh7uby9fTc5lhaOWFLX3I6R1hrF9k3zUY40e6igsLGkDXK92LJNg==}
+
+  once@1.4.0:
+    resolution: {integrity: sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==}
+
+  optionator@0.9.1:
+    resolution: {integrity: sha512-74RlY5FCnhq4jRxVUPKDaRwrVNXMqsGsiW6AJw4XK8hmtm10wC0ypZBLw5IIp85NZMr91+qd1RvvENwg7jjRFw==}
+    engines: {node: '>= 0.8.0'}
+
+  p-limit@3.1.0:
+    resolution: {integrity: sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==}
+    engines: {node: '>=10'}
+
+  p-locate@5.0.0:
+    resolution: {integrity: sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==}
+    engines: {node: '>=10'}
+
+  packet-reader@1.0.0:
+    resolution: {integrity: sha512-HAKu/fG3HpHFO0AA8WE8q2g+gBJaZ9MG7fcKk+IJPLTGAD6Psw4443l+9DGRbOIh3/aXr7Phy0TjilYivJo5XQ==}
+
+  parent-module@1.0.1:
+    resolution: {integrity: sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==}
+    engines: {node: '>=6'}
+
+  path-exists@4.0.0:
+    resolution: {integrity: sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==}
+    engines: {node: '>=8'}
+
+  path-is-absolute@1.0.1:
+    resolution: {integrity: sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==}
+    engines: {node: '>=0.10.0'}
+
+  path-key@3.1.1:
+    resolution: {integrity: sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==}
+    engines: {node: '>=8'}
+
+  path-parse@1.0.7:
+    resolution: {integrity: sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==}
+
+  path-type@4.0.0:
+    resolution: {integrity: sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==}
+    engines: {node: '>=8'}
+
+  pg-cloudflare@1.1.1:
+    resolution: {integrity: sha512-xWPagP/4B6BgFO+EKz3JONXv3YDgvkbVrGw2mTo3D6tVDQRh1e7cqVGvyR3BE+eQgAvx1XhW/iEASj4/jCWl3Q==}
+
+  pg-connection-string@2.6.2:
+    resolution: {integrity: sha512-ch6OwaeaPYcova4kKZ15sbJ2hKb/VP48ZD2gE7i1J+L4MspCtBMAx8nMgz7bksc7IojCIIWuEhHibSMFH8m8oA==}
+
+  pg-int8@1.0.1:
+    resolution: {integrity: sha512-WCtabS6t3c8SkpDBUlb1kjOs7l66xsGdKpIPZsg4wR+B3+u9UAum2odSsF9tnvxg80h4ZxLWMy4pRjOsFIqQpw==}
+    engines: {node: '>=4.0.0'}
+
+  pg-numeric@1.0.2:
+    resolution: {integrity: sha512-BM/Thnrw5jm2kKLE5uJkXqqExRUY/toLHda65XgFTBTFYZyopbKjBe29Ii3RbkvlsMoFwD+tHeGaCjjv0gHlyw==}
+    engines: {node: '>=4'}
+
+  pg-pool@3.6.1:
+    resolution: {integrity: sha512-jizsIzhkIitxCGfPRzJn1ZdcosIt3pz9Sh3V01fm1vZnbnCMgmGl5wvGGdNN2EL9Rmb0EcFoCkixH4Pu+sP9Og==}
+    peerDependencies:
+      pg: '>=8.0'
+
+  pg-protocol@1.6.0:
+    resolution: {integrity: sha512-M+PDm637OY5WM307051+bsDia5Xej6d9IR4GwJse1qA1DIhiKlksvrneZOYQq42OM+spubpcNYEo2FcKQrDk+Q==}
+
+  pg-types@2.2.0:
+    resolution: {integrity: sha512-qTAAlrEsl8s4OiEQY69wDvcMIdQN6wdz5ojQiOy6YRMuynxenON0O5oCpJI6lshc6scgAY8qvJ2On/p+CXY0GA==}
+    engines: {node: '>=4'}
+
+  pg-types@4.0.1:
+    resolution: {integrity: sha512-hRCSDuLII9/LE3smys1hRHcu5QGcLs9ggT7I/TCs0IE+2Eesxi9+9RWAAwZ0yaGjxoWICF/YHLOEjydGujoJ+g==}
+    engines: {node: '>=10'}
+
+  pg@8.11.3:
+    resolution: {integrity: sha512-+9iuvG8QfaaUrrph+kpF24cXkH1YOOUeArRNYIxq1viYHZagBxrTno7cecY1Fa44tJeZvaoG+Djpkc3JwehN5g==}
+    engines: {node: '>= 8.0.0'}
+    peerDependencies:
+      pg-native: '>=3.0.1'
+    peerDependenciesMeta:
+      pg-native:
+        optional: true
+
+  pgpass@1.0.5:
+    resolution: {integrity: sha512-FdW9r/jQZhSeohs1Z3sI1yxFQNFvMcnmfuj4WBMUTxOrAyLMaTcE1aAMBiTlbMNaXvBCQuVi0R7hd8udDSP7ug==}
+
+  picomatch@2.3.1:
+    resolution: {integrity: sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==}
+    engines: {node: '>=8.6'}
+
+  playwright-core@1.32.3:
+    resolution: {integrity: sha512-SB+cdrnu74ZIn5Ogh/8278ngEh9NEEV0vR4sJFmK04h2iZpybfbqBY0bX6+BLYWVdV12JLLI+JEFtSnYgR+mWg==}
+    engines: {node: '>=14'}
+    hasBin: true
+
+  playwright@1.32.3:
+    resolution: {integrity: sha512-h/ylpgoj6l/EjkfUDyx8cdOlfzC96itPpPe8BXacFkqpw/YsuxkpPyVbzEq4jw+bAJh5FLgh31Ljg2cR6HV3uw==}
+    engines: {node: '>=14'}
+    hasBin: true
+
+  postgres-array@2.0.0:
+    resolution: {integrity: sha512-VpZrUqU5A69eQyW2c5CA1jtLecCsN2U/bD6VilrFDWq5+5UIEVO7nazS3TEcHf1zuPYO/sqGvUvW62g86RXZuA==}
+    engines: {node: '>=4'}
+
+  postgres-array@3.0.2:
+    resolution: {integrity: sha512-6faShkdFugNQCLwucjPcY5ARoW1SlbnrZjmGl0IrrqewpvxvhSLHimCVzqeuULCbG0fQv7Dtk1yDbG3xv7Veog==}
+    engines: {node: '>=12'}
+
+  postgres-bytea@1.0.0:
+    resolution: {integrity: sha512-xy3pmLuQqRBZBXDULy7KbaitYqLcmxigw14Q5sj8QBVLqEwXfeybIKVWiqAXTlcvdvb0+xkOtDbfQMOf4lST1w==}
+    engines: {node: '>=0.10.0'}
+
+  postgres-bytea@3.0.0:
+    resolution: {integrity: sha512-CNd4jim9RFPkObHSjVHlVrxoVQXz7quwNFpz7RY1okNNme49+sVyiTvTRobiLV548Hx/hb1BG+iE7h9493WzFw==}
+    engines: {node: '>= 6'}
+
+  postgres-date@1.0.7:
+    resolution: {integrity: sha512-suDmjLVQg78nMK2UZ454hAG+OAW+HQPZ6n++TNDUX+L0+uUlLywnoxJKDou51Zm+zTCjrCl0Nq6J9C5hP9vK/Q==}
+    engines: {node: '>=0.10.0'}
+
+  postgres-date@2.0.1:
+    resolution: {integrity: sha512-YtMKdsDt5Ojv1wQRvUhnyDJNSr2dGIC96mQVKz7xufp07nfuFONzdaowrMHjlAzY6GDLd4f+LUHHAAM1h4MdUw==}
+    engines: {node: '>=12'}
+
+  postgres-interval@1.2.0:
+    resolution: {integrity: sha512-9ZhXKM/rw350N1ovuWHbGxnGh/SNJ4cnxHiM0rxE4VN41wsg8P8zWn9hv/buK00RP4WvlOyr/RBDiptyxVbkZQ==}
+    engines: {node: '>=0.10.0'}
+
+  postgres-interval@3.0.0:
+    resolution: {integrity: sha512-BSNDnbyZCXSxgA+1f5UU2GmwhoI0aU5yMxRGO8CdFEcY2BQF9xm/7MqKnYoM1nJDk8nONNWDk9WeSmePFhQdlw==}
+    engines: {node: '>=12'}
+
+  postgres-range@1.1.3:
+    resolution: {integrity: sha512-VdlZoocy5lCP0c/t66xAfclglEapXPCIVhqqJRncYpvbCgImF0w67aPKfbqUMr72tO2k5q0TdTZwCLjPTI6C9g==}
+
+  prelude-ls@1.2.1:
+    resolution: {integrity: sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==}
+    engines: {node: '>= 0.8.0'}
+
+  prettier-linter-helpers@1.0.0:
+    resolution: {integrity: sha512-GbK2cP9nraSSUF9N2XwUwqfzlAFlMNYYl+ShE/V+H8a9uNl/oUqB1w2EL54Jh0OlyRSd8RfWYJ3coVS4TROP2w==}
+    engines: {node: '>=6.0.0'}
+
+  prettier@2.8.8:
+    resolution: {integrity: sha512-tdN8qQGvNjw4CHbY+XXk0JgCXn9QiF21a55rBe5LJAU+kDyC4WQn4+awm2Xfk2lQMk5fKup9XgzTZtGkjBdP9Q==}
+    engines: {node: '>=10.13.0'}
+    hasBin: true
+
+  proxy-from-env@1.1.0:
+    resolution: {integrity: sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==}
+
+  punycode@2.3.0:
+    resolution: {integrity: sha512-rRV+zQD8tVFys26lAGR9WUuS4iUAngJScM+ZRSKtvl5tKeZ2t5bvdNFdNHBW9FWR4guGHlgmsZ1G7BSm2wTbuA==}
+    engines: {node: '>=6'}
+
+  queue-microtask@1.2.3:
+    resolution: {integrity: sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==}
+
+  regexp.prototype.flags@1.5.0:
+    resolution: {integrity: sha512-0SutC3pNudRKgquxGoRGIz946MZVHqbNfPjBdxeOhBrdgDKlRoXmYLQN9xRbrR09ZXWeGAdPuif7egofn6v5LA==}
+    engines: {node: '>= 0.4'}
+
+  resolve-from@4.0.0:
+    resolution: {integrity: sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==}
+    engines: {node: '>=4'}
+
+  resolve@1.22.2:
+    resolution: {integrity: sha512-Sb+mjNHOULsBv818T40qSPeRiuWLyaGMa5ewydRLFimneixmVy2zdivRl+AF6jaYPC8ERxGDmFSiqui6SfPd+g==}
+    hasBin: true
+
+  reusify@1.0.4:
+    resolution: {integrity: sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==}
+    engines: {iojs: '>=1.0.0', node: '>=0.10.0'}
+
+  rimraf@3.0.2:
+    resolution: {integrity: sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==}
+    hasBin: true
+
+  run-parallel@1.2.0:
+    resolution: {integrity: sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==}
+
+  safe-regex-test@1.0.0:
+    resolution: {integrity: sha512-JBUUzyOgEwXQY1NuPtvcj/qcBDbDmEvWufhlnXZIm75DEHp+afM1r1ujJpJsV/gSM4t59tpDyPi1sd6ZaPFfsA==}
+
+  semver@6.3.0:
+    resolution: {integrity: sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==}
+    hasBin: true
+
+  semver@7.5.0:
+    resolution: {integrity: sha512-+XC0AD/R7Q2mPSRuy2Id0+CGTZ98+8f+KvwirxOKIEyid+XSx6HbC63p+O4IndTHuX5Z+JxQ0TghCkO5Cg/2HA==}
+    engines: {node: '>=10'}
+    hasBin: true
+
+  shebang-command@2.0.0:
+    resolution: {integrity: sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==}
+    engines: {node: '>=8'}
+
+  shebang-regex@3.0.0:
+    resolution: {integrity: sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==}
+    engines: {node: '>=8'}
+
+  side-channel@1.0.4:
+    resolution: {integrity: sha512-q5XPytqFEIKHkGdiMIrY10mvLRvnQh42/+GoBlFW3b2LXLE2xxJpZFdm94we0BaoV3RwJyGqg5wS7epxTv0Zvw==}
+
+  slash@3.0.0:
+    resolution: {integrity: sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q==}
+    engines: {node: '>=8'}
+
+  split2@4.2.0:
+    resolution: {integrity: sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==}
+    engines: {node: '>= 10.x'}
+
+  string.prototype.trim@1.2.7:
+    resolution: {integrity: sha512-p6TmeT1T3411M8Cgg9wBTMRtY2q9+PNy9EV1i2lIXUN/btt763oIfxwN3RR8VU6wHX8j/1CFy0L+YuThm6bgOg==}
+    engines: {node: '>= 0.4'}
+
+  string.prototype.trimend@1.0.6:
+    resolution: {integrity: sha512-JySq+4mrPf9EsDBEDYMOb/lM7XQLulwg5R/m1r0PXEFqrV0qHvl58sdTilSXtKOflCsK2E8jxf+GKC0T07RWwQ==}
+
+  string.prototype.trimstart@1.0.6:
+    resolution: {integrity: sha512-omqjMDaY92pbn5HOX7f9IccLA+U1tA9GvtU4JrodiXFfYB7jPzzHpRzpglLAjtUV6bB557zwClJezTqnAiYnQA==}
+
+  strip-ansi@6.0.1:
+    resolution: {integrity: sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==}
+    engines: {node: '>=8'}
+
+  strip-bom@3.0.0:
+    resolution: {integrity: sha512-vavAMRXOgBVNF6nyEEmL3DBK19iRpDcoIwW+swQ+CbGiu7lju6t+JklA1MHweoWtadgt4ISVUsXLyDq34ddcwA==}
+    engines: {node: '>=4'}
+
+  strip-json-comments@3.1.1:
+    resolution: {integrity: sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==}
+    engines: {node: '>=8'}
+
+  supports-color@7.2.0:
+    resolution: {integrity: sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==}
+    engines: {node: '>=8'}
+
+  supports-preserve-symlinks-flag@1.0.0:
+    resolution: {integrity: sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==}
+    engines: {node: '>= 0.4'}
+
+  text-table@0.2.0:
+    resolution: {integrity: sha512-N+8UisAXDGk8PFXP4HAzVR9nbfmVJ3zYLAWiTIoqC5v5isinhr+r5uaO8+7r3BMfuNIufIsA7RdpVgacC2cSpw==}
+
+  to-regex-range@5.0.1:
+    resolution: {integrity: sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==}
+    engines: {node: '>=8.0'}
+
+  totp-generator@0.0.14:
+    resolution: {integrity: sha512-vFZ8N2TdF4mCj8bUW460jI73LqS+JKccsZ8cttQSuXa3dkTmZo8q81Pq2yAuiPxCI5fPfUrfaKuU+7adjx5s4w==}
+
+  tsconfig-paths@3.14.2:
+    resolution: {integrity: sha512-o/9iXgCYc5L/JxCHPe3Hvh8Q/2xm5Z+p18PESBU6Ff33695QnCHBEjcytY2q19ua7Mbl/DavtBOLq+oG0RCL+g==}
+
+  tslib@1.14.1:
+    resolution: {integrity: sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==}
+
+  tsutils@3.21.0:
+    resolution: {integrity: sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==}
+    engines: {node: '>= 6'}
+    peerDependencies:
+      typescript: '>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta'
+
+  type-check@0.4.0:
+    resolution: {integrity: sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==}
+    engines: {node: '>= 0.8.0'}
+
+  type-fest@0.20.2:
+    resolution: {integrity: sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==}
+    engines: {node: '>=10'}
+
+  typed-array-length@1.0.4:
+    resolution: {integrity: sha512-KjZypGq+I/H7HI5HlOoGHkWUUGq+Q0TPhQurLbyrVrvnKTBgzLhIJ7j6J/XTQOi0d1RjyZ0wdas8bKs2p0x3Ng==}
+
+  typescript@5.0.4:
+    resolution: {integrity: sha512-cW9T5W9xY37cc+jfEnaUvX91foxtHkza3Nw3wkoF4sSlKn0MONdkdEndig/qPBWXNkmplh3NzayQzCiHM4/hqw==}
+    engines: {node: '>=12.20'}
+    hasBin: true
+
+  unbox-primitive@1.0.2:
+    resolution: {integrity: sha512-61pPlCD9h51VoreyJ0BReideM3MDKMKnh6+V9L08331ipq6Q8OFXZYiqP6n/tbHx4s5I9uRhcye6BrbkizkBDw==}
+
+  uri-js@4.4.1:
+    resolution: {integrity: sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==}
+
+  which-boxed-primitive@1.0.2:
+    resolution: {integrity: sha512-bwZdv0AKLpplFY2KZRX6TvyuN7ojjr7lwkg6ml0roIy9YeuSr7JS372qlNW18UQYzgYK9ziGcerWqZOmEn9VNg==}
+
+  which-typed-array@1.1.9:
+    resolution: {integrity: sha512-w9c4xkx6mPidwp7180ckYWfMmvxpjlZuIudNtDf4N/tTAUB8VJbX25qZoAsrtGuYNnGw3pa0AXgbGKRB8/EceA==}
+    engines: {node: '>= 0.4'}
+
+  which@2.0.2:
+    resolution: {integrity: sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==}
+    engines: {node: '>= 8'}
+    hasBin: true
+
+  word-wrap@1.2.3:
+    resolution: {integrity: sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==}
+    engines: {node: '>=0.10.0'}
+
+  wrappy@1.0.2:
+    resolution: {integrity: sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==}
+
+  xtend@4.0.2:
+    resolution: {integrity: sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==}
+    engines: {node: '>=0.4'}
+
+  yallist@4.0.0:
+    resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==}
+
+  yocto-queue@0.1.0:
+    resolution: {integrity: sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==}
+    engines: {node: '>=10'}
+
+snapshots:
+
+  '@eslint-community/eslint-utils@4.4.0(eslint@8.39.0)':
     dependencies:
       eslint: 8.39.0
       eslint-visitor-keys: 3.4.0
-    dev: true
 
-  /@eslint-community/regexpp@4.5.0:
-    resolution: {integrity: sha512-vITaYzIcNmjn5tF5uxcZ/ft7/RXGrMUIS9HalWckEOF6ESiwXKoMzAQf2UW0aVd6rnOeExTJVd5hmWXucBKGXQ==}
-    engines: {node: ^12.0.0 || ^14.0.0 || >=16.0.0}
-    dev: true
+  '@eslint-community/regexpp@4.5.0': {}
 
-  /@eslint/eslintrc@2.0.2:
-    resolution: {integrity: sha512-3W4f5tDUra+pA+FzgugqL2pRimUTDJWKr7BINqOpkZrC0uYI0NIc0/JFgBROCU07HR6GieA5m3/rsPIhDmCXTQ==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+  '@eslint/eslintrc@2.0.2':
     dependencies:
       ajv: 6.12.6
       debug: 4.3.4
@@ -103,115 +1114,63 @@ packages:
       strip-json-comments: 3.1.1
     transitivePeerDependencies:
       - supports-color
-    dev: true
 
-  /@eslint/js@8.39.0:
-    resolution: {integrity: sha512-kf9RB0Fg7NZfap83B3QOqOGg9QmD9yBudqQXzzOtn3i4y7ZUXe5ONeW34Gwi+TxhH4mvj72R1Zc300KUMa9Bng==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
-    dev: true
+  '@eslint/js@8.39.0': {}
 
-  /@faker-js/faker@8.0.2:
-    resolution: {integrity: sha512-Uo3pGspElQW91PCvKSIAXoEgAUlRnH29sX2/p89kg7sP1m2PzCufHINd0FhTXQf6DYGiUlVncdSPa2F9wxed2A==}
-    engines: {node: ^14.17.0 || ^16.13.0 || >=18.0.0, npm: '>=6.14.13'}
-    dev: false
+  '@faker-js/faker@8.0.2': {}
 
-  /@humanwhocodes/config-array@0.11.8:
-    resolution: {integrity: sha512-UybHIJzJnR5Qc/MsD9Kr+RpO2h+/P1GhOwdiLPXK5TWk5sgTdu88bTD9UP+CKbPPh5Rni1u0GjAdYQLemG8g+g==}
-    engines: {node: '>=10.10.0'}
+  '@humanwhocodes/config-array@0.11.8':
     dependencies:
       '@humanwhocodes/object-schema': 1.2.1
       debug: 4.3.4
       minimatch: 3.1.2
     transitivePeerDependencies:
       - supports-color
-    dev: true
 
-  /@humanwhocodes/module-importer@1.0.1:
-    resolution: {integrity: sha512-bxveV4V8v5Yb4ncFTT3rPSgZBOpCkjfK0y4oVVVJwIuDVBRMDXrPyXRL988i5ap9m9bnyEEjWfm5WkBmtffLfA==}
-    engines: {node: '>=12.22'}
-    dev: true
+  '@humanwhocodes/module-importer@1.0.1': {}
 
-  /@humanwhocodes/object-schema@1.2.1:
-    resolution: {integrity: sha512-ZnQMnLV4e7hDlUvw8H+U8ASL02SS2Gn6+9Ac3wGGLIe7+je2AeAOxPY+izIPJDfFDb7eDjev0Us8MO1iFRN8hA==}
-    dev: true
+  '@humanwhocodes/object-schema@1.2.1': {}
 
-  /@nodelib/fs.scandir@2.1.5:
-    resolution: {integrity: sha512-vq24Bq3ym5HEQm2NKCr3yXDwjc7vTsEThRDnkp2DK9p1uqLR+DHurm/NOTo0KG7HYHU7eppKZj3MyqYuMBf62g==}
-    engines: {node: '>= 8'}
+  '@nodelib/fs.scandir@2.1.5':
     dependencies:
       '@nodelib/fs.stat': 2.0.5
       run-parallel: 1.2.0
-    dev: true
 
-  /@nodelib/fs.stat@2.0.5:
-    resolution: {integrity: sha512-RkhPPp2zrqDAQA/2jNhnztcPAlv64XdhIp7a7454A5ovI7Bukxgt7MX7udwAu3zg1DcpPU0rz3VV1SeaqvY4+A==}
-    engines: {node: '>= 8'}
-    dev: true
+  '@nodelib/fs.stat@2.0.5': {}
 
-  /@nodelib/fs.walk@1.2.8:
-    resolution: {integrity: sha512-oGB+UxlgWcgQkgwo8GcEGwemoTFt3FIO9ababBmaGwXIoBKZ+GTy0pP185beGg7Llih/NSHSV2XAs1lnznocSg==}
-    engines: {node: '>= 8'}
+  '@nodelib/fs.walk@1.2.8':
     dependencies:
       '@nodelib/fs.scandir': 2.1.5
       fastq: 1.15.0
-    dev: true
 
-  /@playwright/test@1.32.3:
-    resolution: {integrity: sha512-BvWNvK0RfBriindxhLVabi8BRe3X0J9EVjKlcmhxjg4giWBD/xleLcg2dz7Tx0agu28rczjNIPQWznwzDwVsZQ==}
-    engines: {node: '>=14'}
-    hasBin: true
+  '@playwright/test@1.32.3':
     dependencies:
       '@types/node': 18.16.0
       playwright-core: 1.32.3
     optionalDependencies:
       fsevents: 2.3.2
-    dev: false
 
-  /@scure/base@1.1.3:
-    resolution: {integrity: sha512-/+SgoRjLq7Xlf0CWuLHq2LUZeL/w65kfzAPG5NH9pcmBhs+nunQTn4gvdwgMTIXnt9b2C/1SeL2XiysZEyIC9Q==}
-    dev: false
+  '@scure/base@1.1.3': {}
 
-  /@types/json-schema@7.0.11:
-    resolution: {integrity: sha512-wOuvG1SN4Us4rez+tylwwwCV1psiNVOkJeM3AUWUNWg/jDQY2+HE/444y5gc+jBmRqASOm2Oeh5c1axHobwRKQ==}
-    dev: true
+  '@types/json-schema@7.0.11': {}
 
-  /@types/json5@0.0.29:
-    resolution: {integrity: sha512-dRLjCWHYg4oaA77cxO64oO+7JwCwnIzkZPdrrC71jQmQtlhM556pwKo5bUzqvZndkVbeFLIIi+9TC40JNF5hNQ==}
-    dev: true
+  '@types/json5@0.0.29': {}
 
-  /@types/lodash@4.14.195:
-    resolution: {integrity: sha512-Hwx9EUgdwf2GLarOjQp5ZH8ZmblzcbTBC2wtQWNKARBSxM9ezRIAUpeDTgoQRAFB0+8CNWXVA9+MaSOzOF3nPg==}
-    dev: false
+  '@types/lodash@4.14.195': {}
 
-  /@types/node@18.16.0:
-    resolution: {integrity: sha512-BsAaKhB+7X+H4GnSjGhJG9Qi8Tw+inU9nJDwmD5CgOmBLEI6ArdhikpLX7DjbjDRDTbqZzU2LSQNZg8WGPiSZQ==}
+  '@types/node@18.16.0': {}
 
-  /@types/pg@8.10.9:
-    resolution: {integrity: sha512-UksbANNE/f8w0wOMxVKKIrLCbEMV+oM1uKejmwXr39olg4xqcfBDbXxObJAt6XxHbDa4XTKOlUEcEltXDX+XLQ==}
+  '@types/pg@8.10.9':
     dependencies:
       '@types/node': 18.16.0
       pg-protocol: 1.6.0
       pg-types: 4.0.1
-    dev: false
 
-  /@types/semver@7.3.13:
-    resolution: {integrity: sha512-21cFJr9z3g5dW8B0CVI9g2O9beqaThGQ6ZFBqHfwhzLDKUxaqTIy3vnfah/UPkfOiF2pLq+tGz+W8RyCskuslw==}
-    dev: true
+  '@types/semver@7.3.13': {}
 
-  /@types/totp-generator@0.0.5:
-    resolution: {integrity: sha512-ryo6U5lfQg2/7pNQnpEXG49EPX7/cmRi/FX7sPBYO7QVJf0z6turM3km3w+98mpqlM4E+vkoOrN+gcjqCBmX0g==}
-    dev: true
+  '@types/totp-generator@0.0.5': {}
 
-  /@typescript-eslint/eslint-plugin@5.59.0(@typescript-eslint/parser@5.59.0)(eslint@8.39.0)(typescript@5.0.4):
-    resolution: {integrity: sha512-p0QgrEyrxAWBecR56gyn3wkG15TJdI//eetInP3zYRewDh0XS+DhB3VUAd3QqvziFsfaQIoIuZMxZRB7vXYaYw==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
-    peerDependencies:
-      '@typescript-eslint/parser': ^5.0.0
-      eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
-      typescript: '*'
-    peerDependenciesMeta:
-      typescript:
-        optional: true
+  '@typescript-eslint/eslint-plugin@5.59.0(@typescript-eslint/parser@5.59.0)(eslint@8.39.0)(typescript@5.0.4)':
     dependencies:
       '@eslint-community/regexpp': 4.5.0
       '@typescript-eslint/parser': 5.59.0(eslint@8.39.0)(typescript@5.0.4)
@@ -228,17 +1187,8 @@ packages:
       typescript: 5.0.4
     transitivePeerDependencies:
       - supports-color
-    dev: true
 
-  /@typescript-eslint/parser@5.59.0(eslint@8.39.0)(typescript@5.0.4):
-    resolution: {integrity: sha512-qK9TZ70eJtjojSUMrrEwA9ZDQ4N0e/AuoOIgXuNBorXYcBDk397D2r5MIe1B3cok/oCtdNC5j+lUUpVB+Dpb+w==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
-    peerDependencies:
-      eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
-      typescript: '*'
-    peerDependenciesMeta:
-      typescript:
-        optional: true
+  '@typescript-eslint/parser@5.59.0(eslint@8.39.0)(typescript@5.0.4)':
     dependencies:
       '@typescript-eslint/scope-manager': 5.59.0
       '@typescript-eslint/types': 5.59.0
@@ -248,25 +1198,13 @@ packages:
       typescript: 5.0.4
     transitivePeerDependencies:
       - supports-color
-    dev: true
 
-  /@typescript-eslint/scope-manager@5.59.0:
-    resolution: {integrity: sha512-tsoldKaMh7izN6BvkK6zRMINj4Z2d6gGhO2UsI8zGZY3XhLq1DndP3Ycjhi1JwdwPRwtLMW4EFPgpuKhbCGOvQ==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+  '@typescript-eslint/scope-manager@5.59.0':
     dependencies:
       '@typescript-eslint/types': 5.59.0
       '@typescript-eslint/visitor-keys': 5.59.0
-    dev: true
 
-  /@typescript-eslint/type-utils@5.59.0(eslint@8.39.0)(typescript@5.0.4):
-    resolution: {integrity: sha512-d/B6VSWnZwu70kcKQSCqjcXpVH+7ABKH8P1KNn4K7j5PXXuycZTPXF44Nui0TEm6rbWGi8kc78xRgOC4n7xFgA==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
-    peerDependencies:
-      eslint: '*'
-      typescript: '*'
-    peerDependenciesMeta:
-      typescript:
-        optional: true
+  '@typescript-eslint/type-utils@5.59.0(eslint@8.39.0)(typescript@5.0.4)':
     dependencies:
       '@typescript-eslint/typescript-estree': 5.59.0(typescript@5.0.4)
       '@typescript-eslint/utils': 5.59.0(eslint@8.39.0)(typescript@5.0.4)
@@ -276,21 +1214,10 @@ packages:
       typescript: 5.0.4
     transitivePeerDependencies:
       - supports-color
-    dev: true
 
-  /@typescript-eslint/types@5.59.0:
-    resolution: {integrity: sha512-yR2h1NotF23xFFYKHZs17QJnB51J/s+ud4PYU4MqdZbzeNxpgUr05+dNeCN/bb6raslHvGdd6BFCkVhpPk/ZeA==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
-    dev: true
+  '@typescript-eslint/types@5.59.0': {}
 
-  /@typescript-eslint/typescript-estree@5.59.0(typescript@5.0.4):
-    resolution: {integrity: sha512-sUNnktjmI8DyGzPdZ8dRwW741zopGxltGs/SAPgGL/AAgDpiLsCFLcMNSpbfXfmnNeHmK9h3wGmCkGRGAoUZAg==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
-    peerDependencies:
-      typescript: '*'
-    peerDependenciesMeta:
-      typescript:
-        optional: true
+  '@typescript-eslint/typescript-estree@5.59.0(typescript@5.0.4)':
     dependencies:
       '@typescript-eslint/types': 5.59.0
       '@typescript-eslint/visitor-keys': 5.59.0
@@ -302,13 +1229,8 @@ packages:
       typescript: 5.0.4
     transitivePeerDependencies:
       - supports-color
-    dev: true
 
-  /@typescript-eslint/utils@5.59.0(eslint@8.39.0)(typescript@5.0.4):
-    resolution: {integrity: sha512-GGLFd+86drlHSvPgN/el6dRQNYYGOvRSDVydsUaQluwIW3HvbXuxyuD5JETvBt/9qGYe+lOrDk6gRrWOHb/FvA==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
-    peerDependencies:
-      eslint: ^6.0.0 || ^7.0.0 || ^8.0.0
+  '@typescript-eslint/utils@5.59.0(eslint@8.39.0)(typescript@5.0.4)':
     dependencies:
       '@eslint-community/eslint-utils': 4.4.0(eslint@8.39.0)
       '@types/json-schema': 7.0.11
@@ -322,260 +1244,149 @@ packages:
     transitivePeerDependencies:
       - supports-color
       - typescript
-    dev: true
 
-  /@typescript-eslint/visitor-keys@5.59.0:
-    resolution: {integrity: sha512-qZ3iXxQhanchCeaExlKPV3gDQFxMUmU35xfd5eCXB6+kUw1TUAbIy2n7QIrwz9s98DQLzNWyHp61fY0da4ZcbA==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+  '@typescript-eslint/visitor-keys@5.59.0':
     dependencies:
       '@typescript-eslint/types': 5.59.0
       eslint-visitor-keys: 3.4.0
-    dev: true
 
-  /acorn-jsx@5.3.2(acorn@8.8.2):
-    resolution: {integrity: sha512-rq9s+JNhf0IChjtDXxllJ7g41oZk5SlXtp0LHwyA5cejwn7vKmKp4pPri6YEePv2PU65sAsegbXtIinmDFDXgQ==}
-    peerDependencies:
-      acorn: ^6.0.0 || ^7.0.0 || ^8.0.0
+  acorn-jsx@5.3.2(acorn@8.8.2):
     dependencies:
       acorn: 8.8.2
-    dev: true
 
-  /acorn@8.8.2:
-    resolution: {integrity: sha512-xjIYgE8HBrkpd/sJqOGNspf8uHG+NOHGOw6a/Urj8taM2EXfdNAH2oFcPeIFfsv3+kz/mJrS5VuMqbNLjCa2vw==}
-    engines: {node: '>=0.4.0'}
-    hasBin: true
-    dev: true
+  acorn@8.8.2: {}
 
-  /ajv@6.12.6:
-    resolution: {integrity: sha512-j3fVLgvTo527anyYyJOGTYJbG+vnnQYvE0m5mmkc1TK+nxAppkCLMIL0aZ4dblVCNoGShhm+kzE4ZUykBoMg4g==}
+  ajv@6.12.6:
     dependencies:
       fast-deep-equal: 3.1.3
       fast-json-stable-stringify: 2.1.0
       json-schema-traverse: 0.4.1
       uri-js: 4.4.1
-    dev: true
 
-  /ansi-regex@5.0.1:
-    resolution: {integrity: sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==}
-    engines: {node: '>=8'}
-    dev: true
+  ansi-regex@5.0.1: {}
 
-  /ansi-styles@4.3.0:
-    resolution: {integrity: sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==}
-    engines: {node: '>=8'}
+  ansi-styles@4.3.0:
     dependencies:
       color-convert: 2.0.1
-    dev: true
 
-  /argparse@2.0.1:
-    resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==}
-    dev: true
+  argparse@2.0.1: {}
 
-  /array-buffer-byte-length@1.0.0:
-    resolution: {integrity: sha512-LPuwb2P+NrQw3XhxGc36+XSvuBPopovXYTR9Ew++Du9Yb/bx5AzBfrIsBoj0EZUifjQU+sHL21sseZ3jerWO/A==}
+  array-buffer-byte-length@1.0.0:
     dependencies:
       call-bind: 1.0.2
       is-array-buffer: 3.0.2
-    dev: true
 
-  /array-includes@3.1.6:
-    resolution: {integrity: sha512-sgTbLvL6cNnw24FnbaDyjmvddQ2ML8arZsgaJhoABMoplz/4QRhtrYS+alr1BUM1Bwp6dhx8vVCBSLG+StwOFw==}
-    engines: {node: '>= 0.4'}
+  array-includes@3.1.6:
     dependencies:
       call-bind: 1.0.2
       define-properties: 1.2.0
       es-abstract: 1.21.2
       get-intrinsic: 1.2.0
       is-string: 1.0.7
-    dev: true
 
-  /array-union@2.1.0:
-    resolution: {integrity: sha512-HGyxoOTYUyCM6stUe6EJgnd4EoewAI7zMdfqO+kGjnlZmBDz/cR5pf8r/cR4Wq60sL/p0IkcjUEEPwS3GFrIyw==}
-    engines: {node: '>=8'}
-    dev: true
+  array-union@2.1.0: {}
 
-  /array.prototype.flat@1.3.1:
-    resolution: {integrity: sha512-roTU0KWIOmJ4DRLmwKd19Otg0/mT3qPNt0Qb3GWW8iObuZXxrjB/pzn0R3hqpRSWg4HCwqx+0vwOnWnvlOyeIA==}
-    engines: {node: '>= 0.4'}
+  array.prototype.flat@1.3.1:
     dependencies:
       call-bind: 1.0.2
       define-properties: 1.2.0
       es-abstract: 1.21.2
       es-shim-unscopables: 1.0.0
-    dev: true
 
-  /array.prototype.flatmap@1.3.1:
-    resolution: {integrity: sha512-8UGn9O1FDVvMNB0UlLv4voxRMze7+FpHyF5mSMRjWHUMlpoDViniy05870VlxhfgTnLbpuwTzvD76MTtWxB/mQ==}
-    engines: {node: '>= 0.4'}
+  array.prototype.flatmap@1.3.1:
     dependencies:
       call-bind: 1.0.2
       define-properties: 1.2.0
       es-abstract: 1.21.2
       es-shim-unscopables: 1.0.0
-    dev: true
 
-  /asynckit@0.4.0:
-    resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
-    dev: false
+  asynckit@0.4.0: {}
 
-  /available-typed-arrays@1.0.5:
-    resolution: {integrity: sha512-DMD0KiN46eipeziST1LPP/STfDU0sufISXmjSgvVsoU2tqxctQeASejWcfNtxYKqETM1UxQ8sp2OrSBWpHY6sw==}
-    engines: {node: '>= 0.4'}
-    dev: true
+  available-typed-arrays@1.0.5: {}
 
-  /axios@1.4.0:
-    resolution: {integrity: sha512-S4XCWMEmzvo64T9GfvQDOXgYRDJ/wsSZc7Jvdgx5u1sd0JwsuPLqb3SYmusag+edF6ziyMensPVqLTSc1PiSEA==}
+  axios@1.4.0:
     dependencies:
       follow-redirects: 1.15.2
       form-data: 4.0.0
       proxy-from-env: 1.1.0
     transitivePeerDependencies:
       - debug
-    dev: false
 
-  /balanced-match@1.0.2:
-    resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
-    dev: true
+  balanced-match@1.0.2: {}
 
-  /brace-expansion@1.1.11:
-    resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==}
+  brace-expansion@1.1.11:
     dependencies:
       balanced-match: 1.0.2
       concat-map: 0.0.1
-    dev: true
 
-  /braces@3.0.2:
-    resolution: {integrity: sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==}
-    engines: {node: '>=8'}
+  braces@3.0.2:
     dependencies:
       fill-range: 7.0.1
-    dev: true
 
-  /buffer-writer@2.0.0:
-    resolution: {integrity: sha512-a7ZpuTZU1TRtnwyCNW3I5dc0wWNC3VR9S++Ewyk2HHZdrO3CQJqSpd+95Us590V6AL7JqUAH2IwZ/398PmNFgw==}
-    engines: {node: '>=4'}
-    dev: false
+  buffer-writer@2.0.0: {}
 
-  /call-bind@1.0.2:
-    resolution: {integrity: sha512-7O+FbCihrB5WGbFYesctwmTKae6rOiIzmz1icreWJ+0aA7LJfuqhEso2T9ncpcFtzMQtzXf2QGGueWJGTYsqrA==}
+  call-bind@1.0.2:
     dependencies:
       function-bind: 1.1.1
       get-intrinsic: 1.2.0
-    dev: true
 
-  /callsites@3.1.0:
-    resolution: {integrity: sha512-P8BjAsXvZS+VIDUI11hHCQEv74YT67YUi5JJFNWIqL235sBmjX4+qx9Muvls5ivyNENctx46xQLQ3aTuE7ssaQ==}
-    engines: {node: '>=6'}
-    dev: true
+  callsites@3.1.0: {}
 
-  /chalk@4.1.2:
-    resolution: {integrity: sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==}
-    engines: {node: '>=10'}
+  chalk@4.1.2:
     dependencies:
       ansi-styles: 4.3.0
       supports-color: 7.2.0
-    dev: true
 
-  /color-convert@2.0.1:
-    resolution: {integrity: sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==}
-    engines: {node: '>=7.0.0'}
+  color-convert@2.0.1:
     dependencies:
       color-name: 1.1.4
-    dev: true
 
-  /color-name@1.1.4:
-    resolution: {integrity: sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==}
-    dev: true
+  color-name@1.1.4: {}
 
-  /combined-stream@1.0.8:
-    resolution: {integrity: sha512-FQN4MRfuJeHf7cBbBMJFXhKSDq+2kAArBlmRBvcvFE5BB1HZKXtSFASDhdlz9zOYwxh8lDdnvmMOe/+5cdoEdg==}
-    engines: {node: '>= 0.8'}
+  combined-stream@1.0.8:
     dependencies:
       delayed-stream: 1.0.0
-    dev: false
 
-  /concat-map@0.0.1:
-    resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==}
-    dev: true
+  concat-map@0.0.1: {}
 
-  /cross-spawn@7.0.3:
-    resolution: {integrity: sha512-iRDPJKUPVEND7dHPO8rkbOnPpyDygcDFtWjpeWNCgy8WP2rXcxXL8TskReQl6OrB2G7+UJrags1q15Fudc7G6w==}
-    engines: {node: '>= 8'}
+  cross-spawn@7.0.3:
     dependencies:
       path-key: 3.1.1
       shebang-command: 2.0.0
       which: 2.0.2
-    dev: true
 
-  /debug@3.2.7:
-    resolution: {integrity: sha512-CFjzYYAi4ThfiQvizrFQevTTXHtnCqWfe7x1AhgEscTz6ZbLbfoLRLPugTQyBth6f8ZERVUSyWHFD/7Wu4t1XQ==}
-    peerDependencies:
-      supports-color: '*'
-    peerDependenciesMeta:
-      supports-color:
-        optional: true
+  debug@3.2.7:
     dependencies:
       ms: 2.1.3
-    dev: true
 
-  /debug@4.3.4:
-    resolution: {integrity: sha512-PRWFHuSU3eDtQJPvnNY7Jcket1j0t5OuOsFzPPzsekD52Zl8qUfFIPEiswXqIvHWGVHOgX+7G/vCNNhehwxfkQ==}
-    engines: {node: '>=6.0'}
-    peerDependencies:
-      supports-color: '*'
-    peerDependenciesMeta:
-      supports-color:
-        optional: true
+  debug@4.3.4:
     dependencies:
       ms: 2.1.2
-    dev: true
 
-  /deep-is@0.1.4:
-    resolution: {integrity: sha512-oIPzksmTg4/MriiaYGO+okXDT7ztn/w3Eptv/+gSIdMdKsJo0u4CfYNFJPy+4SKMuCqGw2wxnA+URMg3t8a/bQ==}
-    dev: true
+  deep-is@0.1.4: {}
 
-  /define-properties@1.2.0:
-    resolution: {integrity: sha512-xvqAVKGfT1+UAvPwKTVw/njhdQ8ZhXK4lI0bCIuCMrp2up9nPnaDftrLtmpTazqd1o+UY4zgzU+avtMbDP+ldA==}
-    engines: {node: '>= 0.4'}
+  define-properties@1.2.0:
     dependencies:
       has-property-descriptors: 1.0.0
       object-keys: 1.1.1
-    dev: true
 
-  /delayed-stream@1.0.0:
-    resolution: {integrity: sha512-ZySD7Nf91aLB0RxL4KGrKHBXl7Eds1DAmEdcoVawXnLD7SDhpNgtuII2aAkg7a7QS41jxPSZ17p4VdGnMHk3MQ==}
-    engines: {node: '>=0.4.0'}
-    dev: false
+  delayed-stream@1.0.0: {}
 
-  /dir-glob@3.0.1:
-    resolution: {integrity: sha512-WkrWp9GR4KXfKGYzOLmTuGVi1UWFfws377n9cc55/tb6DuqyF6pcQ5AbiHEshaDpY9v6oaSr2XCDidGmMwdzIA==}
-    engines: {node: '>=8'}
+  dir-glob@3.0.1:
     dependencies:
       path-type: 4.0.0
-    dev: true
 
-  /doctrine@2.1.0:
-    resolution: {integrity: sha512-35mSku4ZXK0vfCuHEDAwt55dg2jNajHZ1odvF+8SSr82EsZY4QmXfuWso8oEd8zRhVObSN18aM0CjSdoBX7zIw==}
-    engines: {node: '>=0.10.0'}
+  doctrine@2.1.0:
     dependencies:
       esutils: 2.0.3
-    dev: true
 
-  /doctrine@3.0.0:
-    resolution: {integrity: sha512-yS+Q5i3hBf7GBkd4KG8a7eBNNWNGLTaEwwYWUijIYM7zrlYDM0BFXHjjPWlWZ1Rg7UaddZeIDmi9jF3HmqiQ2w==}
-    engines: {node: '>=6.0.0'}
+  doctrine@3.0.0:
     dependencies:
       esutils: 2.0.3
-    dev: true
 
-  /dotenv@16.0.3:
-    resolution: {integrity: sha512-7GO6HghkA5fYG9TYnNxi14/7K9f5occMlp3zXAuSxn7CKCxt9xbNWG7yF8hTCSUchlfWSe3uLmlPfigevRItzQ==}
-    engines: {node: '>=12'}
-    dev: false
+  dotenv@16.0.3: {}
 
-  /es-abstract@1.21.2:
-    resolution: {integrity: sha512-y/B5POM2iBnIxCiernH1G7rC9qQoM77lLIMQLuob0zhp8C56Po81+2Nj0WFKnd0pNReDTnkYryc+zhOzpEIROg==}
-    engines: {node: '>= 0.4'}
+  es-abstract@1.21.2:
     dependencies:
       array-buffer-byte-length: 1.0.0
       available-typed-arrays: 1.0.5
@@ -611,76 +1422,38 @@ packages:
       typed-array-length: 1.0.4
       unbox-primitive: 1.0.2
       which-typed-array: 1.1.9
-    dev: true
 
-  /es-set-tostringtag@2.0.1:
-    resolution: {integrity: sha512-g3OMbtlwY3QewlqAiMLI47KywjWZoEytKr8pf6iTC8uJq5bIAH52Z9pnQ8pVL6whrCto53JZDuUIsifGeLorTg==}
-    engines: {node: '>= 0.4'}
+  es-set-tostringtag@2.0.1:
     dependencies:
       get-intrinsic: 1.2.0
       has: 1.0.3
       has-tostringtag: 1.0.0
-    dev: true
 
-  /es-shim-unscopables@1.0.0:
-    resolution: {integrity: sha512-Jm6GPcCdC30eMLbZ2x8z2WuRwAws3zTBBKuusffYVUrNj/GVSUAZ+xKMaUpfNDR5IbyNA5LJbaecoUVbmUcB1w==}
+  es-shim-unscopables@1.0.0:
     dependencies:
       has: 1.0.3
-    dev: true
 
-  /es-to-primitive@1.2.1:
-    resolution: {integrity: sha512-QCOllgZJtaUo9miYBcLChTUaHNjJF3PYs1VidD7AwiEj1kYxKeQTctLAezAOH5ZKRH0g2IgPn6KwB4IT8iRpvA==}
-    engines: {node: '>= 0.4'}
+  es-to-primitive@1.2.1:
     dependencies:
       is-callable: 1.2.7
       is-date-object: 1.0.5
       is-symbol: 1.0.4
-    dev: true
 
-  /escape-string-regexp@4.0.0:
-    resolution: {integrity: sha512-TtpcNJ3XAzx3Gq8sWRzJaVajRs0uVxA2YAkdb1jm2YkPz4G6egUFAyA3n5vtEIZefPk5Wa4UXbKuS5fKkJWdgA==}
-    engines: {node: '>=10'}
-    dev: true
+  escape-string-regexp@4.0.0: {}
 
-  /eslint-config-prettier@8.8.0(eslint@8.39.0):
-    resolution: {integrity: sha512-wLbQiFre3tdGgpDv67NQKnJuTlcUVYHas3k+DZCc2U2BadthoEY4B7hLPvAxaqdyOGCzuLfii2fqGph10va7oA==}
-    hasBin: true
-    peerDependencies:
-      eslint: '>=7.0.0'
+  eslint-config-prettier@8.8.0(eslint@8.39.0):
     dependencies:
       eslint: 8.39.0
-    dev: true
 
-  /eslint-import-resolver-node@0.3.7:
-    resolution: {integrity: sha512-gozW2blMLJCeFpBwugLTGyvVjNoeo1knonXAcatC6bjPBZitotxdWf7Gimr25N4c0AAOo4eOUfaG82IJPDpqCA==}
+  eslint-import-resolver-node@0.3.7:
     dependencies:
       debug: 3.2.7
       is-core-module: 2.12.0
       resolve: 1.22.2
     transitivePeerDependencies:
       - supports-color
-    dev: true
 
-  /eslint-module-utils@2.8.0(@typescript-eslint/parser@5.59.0)(eslint-import-resolver-node@0.3.7)(eslint@8.39.0):
-    resolution: {integrity: sha512-aWajIYfsqCKRDgUfjEXNN/JlrzauMuSEy5sbd7WXbtW3EH6A6MpwEh42c7qD+MqQo9QMJ6fWLAeIJynx0g6OAw==}
-    engines: {node: '>=4'}
-    peerDependencies:
-      '@typescript-eslint/parser': '*'
-      eslint: '*'
-      eslint-import-resolver-node: '*'
-      eslint-import-resolver-typescript: '*'
-      eslint-import-resolver-webpack: '*'
-    peerDependenciesMeta:
-      '@typescript-eslint/parser':
-        optional: true
-      eslint:
-        optional: true
-      eslint-import-resolver-node:
-        optional: true
-      eslint-import-resolver-typescript:
-        optional: true
-      eslint-import-resolver-webpack:
-        optional: true
+  eslint-module-utils@2.8.0(@typescript-eslint/parser@5.59.0)(eslint-import-resolver-node@0.3.7)(eslint@8.39.0):
     dependencies:
       '@typescript-eslint/parser': 5.59.0(eslint@8.39.0)(typescript@5.0.4)
       debug: 3.2.7
@@ -688,17 +1461,8 @@ packages:
       eslint-import-resolver-node: 0.3.7
     transitivePeerDependencies:
       - supports-color
-    dev: true
 
-  /eslint-plugin-import@2.27.5(@typescript-eslint/parser@5.59.0)(eslint@8.39.0):
-    resolution: {integrity: sha512-LmEt3GVofgiGuiE+ORpnvP+kAm3h6MLZJ4Q5HCyHADofsb4VzXFsRiWj3c0OFiV+3DWFh0qg3v9gcPlfc3zRow==}
-    engines: {node: '>=4'}
-    peerDependencies:
-      '@typescript-eslint/parser': '*'
-      eslint: ^2 || ^3 || ^4 || ^5 || ^6 || ^7.2.0 || ^8
-    peerDependenciesMeta:
-      '@typescript-eslint/parser':
-        optional: true
+  eslint-plugin-import@2.27.5(@typescript-eslint/parser@5.59.0)(eslint@8.39.0):
     dependencies:
       '@typescript-eslint/parser': 5.59.0(eslint@8.39.0)(typescript@5.0.4)
       array-includes: 3.1.6
@@ -721,58 +1485,31 @@ packages:
       - eslint-import-resolver-typescript
       - eslint-import-resolver-webpack
       - supports-color
-    dev: true
 
-  /eslint-plugin-prettier@4.2.1(eslint-config-prettier@8.8.0)(eslint@8.39.0)(prettier@2.8.8):
-    resolution: {integrity: sha512-f/0rXLXUt0oFYs8ra4w49wYZBG5GKZpAYsJSm6rnYL5uVDjd+zowwMwVZHnAjf4edNrKpCDYfXDgmRE/Ak7QyQ==}
-    engines: {node: '>=12.0.0'}
-    peerDependencies:
-      eslint: '>=7.28.0'
-      eslint-config-prettier: '*'
-      prettier: '>=2.0.0'
-    peerDependenciesMeta:
-      eslint-config-prettier:
-        optional: true
+  eslint-plugin-prettier@4.2.1(eslint-config-prettier@8.8.0)(eslint@8.39.0)(prettier@2.8.8):
     dependencies:
       eslint: 8.39.0
       eslint-config-prettier: 8.8.0(eslint@8.39.0)
       prettier: 2.8.8
       prettier-linter-helpers: 1.0.0
-    dev: true
 
-  /eslint-plugin-simple-import-sort@10.0.0(eslint@8.39.0):
-    resolution: {integrity: sha512-AeTvO9UCMSNzIHRkg8S6c3RPy5YEwKWSQPx3DYghLedo2ZQxowPFLGDN1AZ2evfg6r6mjBSZSLxLFsWSu3acsw==}
-    peerDependencies:
-      eslint: '>=5.0.0'
+  eslint-plugin-simple-import-sort@10.0.0(eslint@8.39.0):
     dependencies:
       eslint: 8.39.0
-    dev: true
 
-  /eslint-scope@5.1.1:
-    resolution: {integrity: sha512-2NxwbF/hZ0KpepYN0cNbo+FN6XoK7GaHlQhgx/hIZl6Va0bF45RQOOwhLIy8lQDbuCiadSLCBnH2CFYquit5bw==}
-    engines: {node: '>=8.0.0'}
+  eslint-scope@5.1.1:
     dependencies:
       esrecurse: 4.3.0
       estraverse: 4.3.0
-    dev: true
 
-  /eslint-scope@7.2.0:
-    resolution: {integrity: sha512-DYj5deGlHBfMt15J7rdtyKNq/Nqlv5KfU4iodrQ019XESsRnwXH9KAE0y3cwtUHDo2ob7CypAnCqefh6vioWRw==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+  eslint-scope@7.2.0:
     dependencies:
       esrecurse: 4.3.0
       estraverse: 5.3.0
-    dev: true
 
-  /eslint-visitor-keys@3.4.0:
-    resolution: {integrity: sha512-HPpKPUBQcAsZOsHAFwTtIKcYlCje62XB7SEAcxjtmW6TD1WVpkS6i6/hOVtTZIl4zGj/mBqpFVGvaDneik+VoQ==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
-    dev: true
+  eslint-visitor-keys@3.4.0: {}
 
-  /eslint@8.39.0:
-    resolution: {integrity: sha512-mwiok6cy7KTW7rBpo05k6+p4YVZByLNjAZ/ACB9DRCu4YDRwjXI01tWHp6KAUWelsBetTxKK/2sHB0vdS8Z2Og==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
-    hasBin: true
+  eslint@8.39.0:
     dependencies:
       '@eslint-community/eslint-utils': 4.4.0(eslint@8.39.0)
       '@eslint-community/regexpp': 4.5.0
@@ -816,200 +1553,115 @@ packages:
       text-table: 0.2.0
     transitivePeerDependencies:
       - supports-color
-    dev: true
 
-  /espree@9.5.1:
-    resolution: {integrity: sha512-5yxtHSZXRSW5pvv3hAlXM5+/Oswi1AUFqBmbibKb5s6bp3rGIDkyXU6xCoyuuLhijr4SFwPrXRoZjz0AZDN9tg==}
-    engines: {node: ^12.22.0 || ^14.17.0 || >=16.0.0}
+  espree@9.5.1:
     dependencies:
       acorn: 8.8.2
       acorn-jsx: 5.3.2(acorn@8.8.2)
       eslint-visitor-keys: 3.4.0
-    dev: true
 
-  /esquery@1.5.0:
-    resolution: {integrity: sha512-YQLXUplAwJgCydQ78IMJywZCceoqk1oH01OERdSAJc/7U2AylwjhSCLDEtqwg811idIS/9fIU5GjG73IgjKMVg==}
-    engines: {node: '>=0.10'}
+  esquery@1.5.0:
     dependencies:
       estraverse: 5.3.0
-    dev: true
 
-  /esrecurse@4.3.0:
-    resolution: {integrity: sha512-KmfKL3b6G+RXvP8N1vr3Tq1kL/oCFgn2NYXEtqP8/L3pKapUA4G8cFVaoF3SU323CD4XypR/ffioHmkti6/Tag==}
-    engines: {node: '>=4.0'}
+  esrecurse@4.3.0:
     dependencies:
       estraverse: 5.3.0
-    dev: true
 
-  /estraverse@4.3.0:
-    resolution: {integrity: sha512-39nnKffWz8xN1BU/2c79n9nB9HDzo0niYUqx6xyqUnyoAnQyyWpOTdZEeiCch8BBu515t4wp9ZmgVfVhn9EBpw==}
-    engines: {node: '>=4.0'}
-    dev: true
+  estraverse@4.3.0: {}
 
-  /estraverse@5.3.0:
-    resolution: {integrity: sha512-MMdARuVEQziNTeJD8DgMqmhwR11BRQ/cBP+pLtYdSTnf3MIO8fFeiINEbX36ZdNlfU/7A9f3gUw49B3oQsvwBA==}
-    engines: {node: '>=4.0'}
-    dev: true
+  estraverse@5.3.0: {}
 
-  /esutils@2.0.3:
-    resolution: {integrity: sha512-kVscqXk4OCp68SZ0dkgEKVi6/8ij300KBWTJq32P/dYeWTSwK41WyTxalN1eRmA5Z9UU/LX9D7FWSmV9SAYx6g==}
-    engines: {node: '>=0.10.0'}
-    dev: true
+  esutils@2.0.3: {}
 
-  /fast-deep-equal@3.1.3:
-    resolution: {integrity: sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==}
-    dev: true
+  fast-deep-equal@3.1.3: {}
 
-  /fast-diff@1.2.0:
-    resolution: {integrity: sha512-xJuoT5+L99XlZ8twedaRf6Ax2TgQVxvgZOYoPKqZufmJib0tL2tegPBOZb1pVNgIhlqDlA0eO0c3wBvQcmzx4w==}
-    dev: true
+  fast-diff@1.2.0: {}
 
-  /fast-glob@3.2.12:
-    resolution: {integrity: sha512-DVj4CQIYYow0BlaelwK1pHl5n5cRSJfM60UA0zK891sVInoPri2Ekj7+e1CT3/3qxXenpI+nBBmQAcJPJgaj4w==}
-    engines: {node: '>=8.6.0'}
+  fast-glob@3.2.12:
     dependencies:
       '@nodelib/fs.stat': 2.0.5
       '@nodelib/fs.walk': 1.2.8
       glob-parent: 5.1.2
       merge2: 1.4.1
       micromatch: 4.0.5
-    dev: true
 
-  /fast-json-stable-stringify@2.1.0:
-    resolution: {integrity: sha512-lhd/wF+Lk98HZoTCtlVraHtfh5XYijIjalXck7saUtuanSDyLMxnHhSXEDJqHxD7msR8D0uCmqlkwjCV8xvwHw==}
-    dev: true
+  fast-json-stable-stringify@2.1.0: {}
 
-  /fast-levenshtein@2.0.6:
-    resolution: {integrity: sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==}
-    dev: true
+  fast-levenshtein@2.0.6: {}
 
-  /fastq@1.15.0:
-    resolution: {integrity: sha512-wBrocU2LCXXa+lWBt8RoIRD89Fi8OdABODa/kEnyeyjS5aZO5/GNvI5sEINADqP/h8M29UHTHUb53sUu5Ihqdw==}
+  fastq@1.15.0:
     dependencies:
       reusify: 1.0.4
-    dev: true
 
-  /file-entry-cache@6.0.1:
-    resolution: {integrity: sha512-7Gps/XWymbLk2QLYK4NzpMOrYjMhdIxXuIvy2QBsLE6ljuodKvdkWs/cpyJJ3CVIVpH0Oi1Hvg1ovbMzLdFBBg==}
-    engines: {node: ^10.12.0 || >=12.0.0}
+  file-entry-cache@6.0.1:
     dependencies:
       flat-cache: 3.0.4
-    dev: true
 
-  /fill-range@7.0.1:
-    resolution: {integrity: sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==}
-    engines: {node: '>=8'}
+  fill-range@7.0.1:
     dependencies:
       to-regex-range: 5.0.1
-    dev: true
 
-  /find-up@5.0.0:
-    resolution: {integrity: sha512-78/PXT1wlLLDgTzDs7sjq9hzz0vXD+zn+7wypEe4fXQxCmdmqfGsEPQxmiCSQI3ajFV91bVSsvNtrJRiW6nGng==}
-    engines: {node: '>=10'}
+  find-up@5.0.0:
     dependencies:
       locate-path: 6.0.0
       path-exists: 4.0.0
-    dev: true
 
-  /flat-cache@3.0.4:
-    resolution: {integrity: sha512-dm9s5Pw7Jc0GvMYbshN6zchCA9RgQlzzEZX3vylR9IqFfS8XciblUXOKfW6SiuJ0e13eDYZoZV5wdrev7P3Nwg==}
-    engines: {node: ^10.12.0 || >=12.0.0}
+  flat-cache@3.0.4:
     dependencies:
       flatted: 3.2.7
       rimraf: 3.0.2
-    dev: true
 
-  /flatted@3.2.7:
-    resolution: {integrity: sha512-5nqDSxl8nn5BSNxyR3n4I6eDmbolI6WT+QqR547RwxQapgjQBmtktdP+HTBb/a/zLsbzERTONyUB5pefh5TtjQ==}
-    dev: true
+  flatted@3.2.7: {}
 
-  /follow-redirects@1.15.2:
-    resolution: {integrity: sha512-VQLG33o04KaQ8uYi2tVNbdrWp1QWxNNea+nmIB4EVM28v0hmP17z7aG1+wAkNzVq4KeXTq3221ye5qTJP91JwA==}
-    engines: {node: '>=4.0'}
-    peerDependencies:
-      debug: '*'
-    peerDependenciesMeta:
-      debug:
-        optional: true
-    dev: false
+  follow-redirects@1.15.2: {}
 
-  /for-each@0.3.3:
-    resolution: {integrity: sha512-jqYfLp7mo9vIyQf8ykW2v7A+2N4QjeCeI5+Dz9XraiO1ign81wjiH7Fb9vSOWvQfNtmSa4H2RoQTrrXivdUZmw==}
+  for-each@0.3.3:
     dependencies:
       is-callable: 1.2.7
-    dev: true
 
-  /form-data@4.0.0:
-    resolution: {integrity: sha512-ETEklSGi5t0QMZuiXoA/Q6vcnxcLQP5vdugSpuAyi6SVGi2clPPp+xgEhuMaHC+zGgn31Kd235W35f7Hykkaww==}
-    engines: {node: '>= 6'}
+  form-data@4.0.0:
     dependencies:
       asynckit: 0.4.0
       combined-stream: 1.0.8
       mime-types: 2.1.35
-    dev: false
 
-  /fs.realpath@1.0.0:
-    resolution: {integrity: sha512-OO0pH2lK6a0hZnAdau5ItzHPI6pUlvI7jMVnxUQRtw4owF2wk8lOSabtGDCTP4Ggrg2MbGnWO9X8K1t4+fGMDw==}
-    dev: true
+  fs.realpath@1.0.0: {}
 
-  /fsevents@2.3.2:
-    resolution: {integrity: sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==}
-    engines: {node: ^8.16.0 || ^10.6.0 || >=11.0.0}
-    os: [darwin]
-    requiresBuild: true
-    dev: false
+  fsevents@2.3.2:
     optional: true
 
-  /function-bind@1.1.1:
-    resolution: {integrity: sha512-yIovAzMX49sF8Yl58fSCWJ5svSLuaibPxXQJFLmBObTuCr0Mf1KiPopGM9NiFjiYBCbfaa2Fh6breQ6ANVTI0A==}
-    dev: true
+  function-bind@1.1.1: {}
 
-  /function.prototype.name@1.1.5:
-    resolution: {integrity: sha512-uN7m/BzVKQnCUF/iW8jYea67v++2u7m5UgENbHRtdDVclOUP+FMPlCNdmk0h/ysGyo2tavMJEDqJAkJdRa1vMA==}
-    engines: {node: '>= 0.4'}
+  function.prototype.name@1.1.5:
     dependencies:
       call-bind: 1.0.2
       define-properties: 1.2.0
       es-abstract: 1.21.2
       functions-have-names: 1.2.3
-    dev: true
 
-  /functions-have-names@1.2.3:
-    resolution: {integrity: sha512-xckBUXyTIqT97tq2x2AMb+g163b5JFysYk0x4qxNFwbfQkmNZoiRHb6sPzI9/QV33WeuvVYBUIiD4NzNIyqaRQ==}
-    dev: true
+  functions-have-names@1.2.3: {}
 
-  /get-intrinsic@1.2.0:
-    resolution: {integrity: sha512-L049y6nFOuom5wGyRc3/gdTLO94dySVKRACj1RmJZBQXlbTMhtNIgkWkUHq+jYmZvKf14EW1EoJnnjbmoHij0Q==}
+  get-intrinsic@1.2.0:
     dependencies:
       function-bind: 1.1.1
       has: 1.0.3
       has-symbols: 1.0.3
-    dev: true
 
-  /get-symbol-description@1.0.0:
-    resolution: {integrity: sha512-2EmdH1YvIQiZpltCNgkuiUnyukzxM/R6NDJX31Ke3BG1Nq5b0S2PhX59UKi9vZpPDQVdqn+1IcaAwnzTT5vCjw==}
-    engines: {node: '>= 0.4'}
+  get-symbol-description@1.0.0:
     dependencies:
       call-bind: 1.0.2
       get-intrinsic: 1.2.0
-    dev: true
 
-  /glob-parent@5.1.2:
-    resolution: {integrity: sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==}
-    engines: {node: '>= 6'}
+  glob-parent@5.1.2:
     dependencies:
       is-glob: 4.0.3
-    dev: true
 
-  /glob-parent@6.0.2:
-    resolution: {integrity: sha512-XxwI8EOhVQgWp6iDL+3b0r86f4d6AX6zSU55HfB4ydCEuXLXc5FcYeOu+nnGftS4TEju/11rt4KJPTMgbfmv4A==}
-    engines: {node: '>=10.13.0'}
+  glob-parent@6.0.2:
     dependencies:
       is-glob: 4.0.3
-    dev: true
 
-  /glob@7.2.3:
-    resolution: {integrity: sha512-nFR0zLpU2YCaRxwoCJvL6UvCH2JFyFVIvwTLsIf21AuHlMskA1hhTdk+LlYJtOlYt9v6dvszD2BGRqBL+iQK9Q==}
+  glob@7.2.3:
     dependencies:
       fs.realpath: 1.0.0
       inflight: 1.0.6
@@ -1017,25 +1669,16 @@ packages:
       minimatch: 3.1.2
       once: 1.4.0
       path-is-absolute: 1.0.1
-    dev: true
 
-  /globals@13.20.0:
-    resolution: {integrity: sha512-Qg5QtVkCy/kv3FUSlu4ukeZDVf9ee0iXLAUYX13gbR17bnejFTzr4iS9bY7kwCf1NztRNm1t91fjOiyx4CSwPQ==}
-    engines: {node: '>=8'}
+  globals@13.20.0:
     dependencies:
       type-fest: 0.20.2
-    dev: true
 
-  /globalthis@1.0.3:
-    resolution: {integrity: sha512-sFdI5LyBiNTHjRd7cGPWapiHWMOXKyuBNX/cWJ3NfzrZQVa8GI/8cofCl74AOVqq9W5kNmguTIzJ/1s2gyI9wA==}
-    engines: {node: '>= 0.4'}
+  globalthis@1.0.3:
     dependencies:
       define-properties: 1.2.0
-    dev: true
 
-  /globby@11.1.0:
-    resolution: {integrity: sha512-jhIXaOzy1sb8IyocaruWSn1TjmnBVs8Ayhcy83rmxNJ8q2uWKCAj3CnJY+KpGSXCueAPc0i05kVvVKtP1t9S3g==}
-    engines: {node: '>=10'}
+  globby@11.1.0:
     dependencies:
       array-union: 2.1.0
       dir-glob: 3.0.1
@@ -1043,370 +1686,211 @@ packages:
       ignore: 5.2.4
       merge2: 1.4.1
       slash: 3.0.0
-    dev: true
 
-  /gopd@1.0.1:
-    resolution: {integrity: sha512-d65bNlIadxvpb/A2abVdlqKqV563juRnZ1Wtk6s1sIR8uNsXR70xqIzVqxVf1eTqDunwT2MkczEeaezCKTZhwA==}
+  gopd@1.0.1:
     dependencies:
       get-intrinsic: 1.2.0
-    dev: true
 
-  /grapheme-splitter@1.0.4:
-    resolution: {integrity: sha512-bzh50DW9kTPM00T8y4o8vQg89Di9oLJVLW/KaOGIXJWP/iqCN6WKYkbNOF04vFLJhwcpYUh9ydh/+5vpOqV4YQ==}
-    dev: true
+  grapheme-splitter@1.0.4: {}
 
-  /has-bigints@1.0.2:
-    resolution: {integrity: sha512-tSvCKtBr9lkF0Ex0aQiP9N+OpV4zi2r/Nee5VkRDbaqv35RLYMzbwQfFSZZH0kR+Rd6302UJZ2p/bJCEoR3VoQ==}
-    dev: true
+  has-bigints@1.0.2: {}
 
-  /has-flag@4.0.0:
-    resolution: {integrity: sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==}
-    engines: {node: '>=8'}
-    dev: true
+  has-flag@4.0.0: {}
 
-  /has-property-descriptors@1.0.0:
-    resolution: {integrity: sha512-62DVLZGoiEBDHQyqG4w9xCuZ7eJEwNmJRWw2VY84Oedb7WFcA27fiEVe8oUQx9hAUJ4ekurquucTGwsyO1XGdQ==}
+  has-property-descriptors@1.0.0:
     dependencies:
       get-intrinsic: 1.2.0
-    dev: true
 
-  /has-proto@1.0.1:
-    resolution: {integrity: sha512-7qE+iP+O+bgF9clE5+UoBFzE65mlBiVj3tKCrlNQ0Ogwm0BjpT/gK4SlLYDMybDh5I3TCTKnPPa0oMG7JDYrhg==}
-    engines: {node: '>= 0.4'}
-    dev: true
+  has-proto@1.0.1: {}
 
-  /has-symbols@1.0.3:
-    resolution: {integrity: sha512-l3LCuF6MgDNwTDKkdYGEihYjt5pRPbEg46rtlmnSPlUbgmB8LOIrKJbYYFBSbnPaJexMKtiPO8hmeRjRz2Td+A==}
-    engines: {node: '>= 0.4'}
-    dev: true
+  has-symbols@1.0.3: {}
 
-  /has-tostringtag@1.0.0:
-    resolution: {integrity: sha512-kFjcSNhnlGV1kyoGk7OXKSawH5JOb/LzUc5w9B02hOTO0dfFRjbHQKvg1d6cf3HbeUmtU9VbbV3qzZ2Teh97WQ==}
-    engines: {node: '>= 0.4'}
+  has-tostringtag@1.0.0:
     dependencies:
       has-symbols: 1.0.3
-    dev: true
 
-  /has@1.0.3:
-    resolution: {integrity: sha512-f2dvO0VU6Oej7RkWJGrehjbzMAjFp5/VKPp5tTpWIV4JHHZK1/BxbFRtf/siA2SWTe09caDmVtYYzWEIbBS4zw==}
-    engines: {node: '>= 0.4.0'}
+  has@1.0.3:
     dependencies:
       function-bind: 1.1.1
-    dev: true
 
-  /ignore@5.2.4:
-    resolution: {integrity: sha512-MAb38BcSbH0eHNBxn7ql2NH/kX33OkB3lZ1BNdh7ENeRChHTYsTvWrMubiIAMNS2llXEEgZ1MUOBtXChP3kaFQ==}
-    engines: {node: '>= 4'}
-    dev: true
+  ignore@5.2.4: {}
 
-  /import-fresh@3.3.0:
-    resolution: {integrity: sha512-veYYhQa+D1QBKznvhUHxb8faxlrwUnxseDAbAp457E0wLNio2bOSKnjYDhMj+YiAq61xrMGhQk9iXVk5FzgQMw==}
-    engines: {node: '>=6'}
+  import-fresh@3.3.0:
     dependencies:
       parent-module: 1.0.1
       resolve-from: 4.0.0
-    dev: true
 
-  /imurmurhash@0.1.4:
-    resolution: {integrity: sha512-JmXMZ6wuvDmLiHEml9ykzqO6lwFbof0GG4IkcGaENdCRDDmMVnny7s5HsIgHCbaq0w2MyPhDqkhTUgS2LU2PHA==}
-    engines: {node: '>=0.8.19'}
-    dev: true
+  imurmurhash@0.1.4: {}
 
-  /inflight@1.0.6:
-    resolution: {integrity: sha512-k92I/b08q4wvFscXCLvqfsHCrjrF7yiXsQuIVvVE7N82W3+aqpzuUdBbfhWcy/FZR3/4IgflMgKLOsvPDrGCJA==}
+  inflight@1.0.6:
     dependencies:
       once: 1.4.0
       wrappy: 1.0.2
-    dev: true
 
-  /inherits@2.0.4:
-    resolution: {integrity: sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==}
-    dev: true
+  inherits@2.0.4: {}
 
-  /internal-slot@1.0.5:
-    resolution: {integrity: sha512-Y+R5hJrzs52QCG2laLn4udYVnxsfny9CpOhNhUvk/SSSVyF6T27FzRbF0sroPidSu3X8oEAkOn2K804mjpt6UQ==}
-    engines: {node: '>= 0.4'}
+  internal-slot@1.0.5:
     dependencies:
       get-intrinsic: 1.2.0
       has: 1.0.3
       side-channel: 1.0.4
-    dev: true
 
-  /is-array-buffer@3.0.2:
-    resolution: {integrity: sha512-y+FyyR/w8vfIRq4eQcM1EYgSTnmHXPqaF+IgzgraytCFq5Xh8lllDVmAZolPJiZttZLeFSINPYMaEJ7/vWUa1w==}
+  is-array-buffer@3.0.2:
     dependencies:
       call-bind: 1.0.2
       get-intrinsic: 1.2.0
       is-typed-array: 1.1.10
-    dev: true
 
-  /is-bigint@1.0.4:
-    resolution: {integrity: sha512-zB9CruMamjym81i2JZ3UMn54PKGsQzsJeo6xvN3HJJ4CAsQNB6iRutp2To77OfCNuoxspsIhzaPoO1zyCEhFOg==}
+  is-bigint@1.0.4:
     dependencies:
       has-bigints: 1.0.2
-    dev: true
 
-  /is-boolean-object@1.1.2:
-    resolution: {integrity: sha512-gDYaKHJmnj4aWxyj6YHyXVpdQawtVLHU5cb+eztPGczf6cjuTdwve5ZIEfgXqH4e57An1D1AKf8CZ3kYrQRqYA==}
-    engines: {node: '>= 0.4'}
+  is-boolean-object@1.1.2:
     dependencies:
       call-bind: 1.0.2
       has-tostringtag: 1.0.0
-    dev: true
 
-  /is-callable@1.2.7:
-    resolution: {integrity: sha512-1BC0BVFhS/p0qtw6enp8e+8OD0UrK0oFLztSjNzhcKA3WDuJxxAPXzPuPtKkjEY9UUoEWlX/8fgKeu2S8i9JTA==}
-    engines: {node: '>= 0.4'}
-    dev: true
+  is-callable@1.2.7: {}
 
-  /is-core-module@2.12.0:
-    resolution: {integrity: sha512-RECHCBCd/viahWmwj6enj19sKbHfJrddi/6cBDsNTKbNq0f7VeaUkBo60BqzvPqo/W54ChS62Z5qyun7cfOMqQ==}
+  is-core-module@2.12.0:
     dependencies:
       has: 1.0.3
-    dev: true
 
-  /is-date-object@1.0.5:
-    resolution: {integrity: sha512-9YQaSxsAiSwcvS33MBk3wTCVnWK+HhF8VZR2jRxehM16QcVOdHqPn4VPHmRK4lSr38n9JriurInLcP90xsYNfQ==}
-    engines: {node: '>= 0.4'}
+  is-date-object@1.0.5:
     dependencies:
       has-tostringtag: 1.0.0
-    dev: true
 
-  /is-extglob@2.1.1:
-    resolution: {integrity: sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==}
-    engines: {node: '>=0.10.0'}
-    dev: true
+  is-extglob@2.1.1: {}
 
-  /is-glob@4.0.3:
-    resolution: {integrity: sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==}
-    engines: {node: '>=0.10.0'}
+  is-glob@4.0.3:
     dependencies:
       is-extglob: 2.1.1
-    dev: true
 
-  /is-negative-zero@2.0.2:
-    resolution: {integrity: sha512-dqJvarLawXsFbNDeJW7zAz8ItJ9cd28YufuuFzh0G8pNHjJMnY08Dv7sYX2uF5UpQOwieAeOExEYAWWfu7ZZUA==}
-    engines: {node: '>= 0.4'}
-    dev: true
+  is-negative-zero@2.0.2: {}
 
-  /is-number-object@1.0.7:
-    resolution: {integrity: sha512-k1U0IRzLMo7ZlYIfzRu23Oh6MiIFasgpb9X76eqfFZAqwH44UI4KTBvBYIZ1dSL9ZzChTB9ShHfLkR4pdW5krQ==}
-    engines: {node: '>= 0.4'}
+  is-number-object@1.0.7:
     dependencies:
       has-tostringtag: 1.0.0
-    dev: true
 
-  /is-number@7.0.0:
-    resolution: {integrity: sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==}
-    engines: {node: '>=0.12.0'}
-    dev: true
+  is-number@7.0.0: {}
 
-  /is-path-inside@3.0.3:
-    resolution: {integrity: sha512-Fd4gABb+ycGAmKou8eMftCupSir5lRxqf4aD/vd0cD2qc4HL07OjCeuHMr8Ro4CoMaeCKDB0/ECBOVWjTwUvPQ==}
-    engines: {node: '>=8'}
-    dev: true
+  is-path-inside@3.0.3: {}
 
-  /is-regex@1.1.4:
-    resolution: {integrity: sha512-kvRdxDsxZjhzUX07ZnLydzS1TU/TJlTUHHY4YLL87e37oUA49DfkLqgy+VjFocowy29cKvcSiu+kIv728jTTVg==}
-    engines: {node: '>= 0.4'}
+  is-regex@1.1.4:
     dependencies:
       call-bind: 1.0.2
       has-tostringtag: 1.0.0
-    dev: true
 
-  /is-shared-array-buffer@1.0.2:
-    resolution: {integrity: sha512-sqN2UDu1/0y6uvXyStCOzyhAjCSlHceFoMKJW8W9EU9cvic/QdsZ0kEU93HEy3IUEFZIiH/3w+AH/UQbPHNdhA==}
+  is-shared-array-buffer@1.0.2:
     dependencies:
       call-bind: 1.0.2
-    dev: true
 
-  /is-string@1.0.7:
-    resolution: {integrity: sha512-tE2UXzivje6ofPW7l23cjDOMa09gb7xlAqG6jG5ej6uPV32TlWP3NKPigtaGeHNu9fohccRYvIiZMfOOnOYUtg==}
-    engines: {node: '>= 0.4'}
+  is-string@1.0.7:
     dependencies:
       has-tostringtag: 1.0.0
-    dev: true
 
-  /is-symbol@1.0.4:
-    resolution: {integrity: sha512-C/CPBqKWnvdcxqIARxyOh4v1UUEOCHpgDa0WYgpKDFMszcrPcffg5uhwSgPCLD2WWxmq6isisz87tzT01tuGhg==}
-    engines: {node: '>= 0.4'}
+  is-symbol@1.0.4:
     dependencies:
       has-symbols: 1.0.3
-    dev: true
 
-  /is-typed-array@1.1.10:
-    resolution: {integrity: sha512-PJqgEHiWZvMpaFZ3uTc8kHPM4+4ADTlDniuQL7cU/UDA0Ql7F70yGfHph3cLNe+c9toaigv+DFzTJKhc2CtO6A==}
-    engines: {node: '>= 0.4'}
+  is-typed-array@1.1.10:
     dependencies:
       available-typed-arrays: 1.0.5
       call-bind: 1.0.2
       for-each: 0.3.3
       gopd: 1.0.1
       has-tostringtag: 1.0.0
-    dev: true
 
-  /is-weakref@1.0.2:
-    resolution: {integrity: sha512-qctsuLZmIQ0+vSSMfoVvyFe2+GSEvnmZ2ezTup1SBse9+twCCeial6EEi3Nc2KFcf6+qz2FBPnjXsk8xhKSaPQ==}
+  is-weakref@1.0.2:
     dependencies:
       call-bind: 1.0.2
-    dev: true
 
-  /isexe@2.0.0:
-    resolution: {integrity: sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==}
-    dev: true
+  isexe@2.0.0: {}
 
-  /js-sdsl@4.4.0:
-    resolution: {integrity: sha512-FfVSdx6pJ41Oa+CF7RDaFmTnCaFhua+SNYQX74riGOpl96x+2jQCqEfQ2bnXu/5DPCqlRuiqyvTJM0Qjz26IVg==}
-    dev: true
+  js-sdsl@4.4.0: {}
 
-  /js-yaml@4.1.0:
-    resolution: {integrity: sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA==}
-    hasBin: true
+  js-yaml@4.1.0:
     dependencies:
       argparse: 2.0.1
-    dev: true
 
-  /json-schema-traverse@0.4.1:
-    resolution: {integrity: sha512-xbbCH5dCYU5T8LcEhhuh7HJ88HXuW3qsI3Y0zOZFKfZEHcpWiHU/Jxzk629Brsab/mMiHQti9wMP+845RPe3Vg==}
-    dev: true
+  json-schema-traverse@0.4.1: {}
 
-  /json-stable-stringify-without-jsonify@1.0.1:
-    resolution: {integrity: sha512-Bdboy+l7tA3OGW6FjyFHWkP5LuByj1Tk33Ljyq0axyzdk9//JSi2u3fP1QSmd1KNwq6VOKYGlAu87CisVir6Pw==}
-    dev: true
+  json-stable-stringify-without-jsonify@1.0.1: {}
 
-  /json5@1.0.2:
-    resolution: {integrity: sha512-g1MWMLBiz8FKi1e4w0UyVL3w+iJceWAFBAaBnnGKOpNa5f8TLktkbre1+s6oICydWAm+HRUGTmI+//xv2hvXYA==}
-    hasBin: true
+  json5@1.0.2:
     dependencies:
       minimist: 1.2.8
-    dev: true
 
-  /jssha@3.3.0:
-    resolution: {integrity: sha512-w9OtT4ALL+fbbwG3gw7erAO0jvS5nfvrukGPMWIAoea359B26ALXGpzy4YJSp9yGnpUvuvOw1nSjSoHDfWSr1w==}
-    dev: false
+  jssha@3.3.0: {}
 
-  /levn@0.4.1:
-    resolution: {integrity: sha512-+bT2uH4E5LGE7h/n3evcS/sQlJXCpIp6ym8OWJ5eV6+67Dsql/LaaT7qJBAt2rzfoa/5QBGBhxDix1dMt2kQKQ==}
-    engines: {node: '>= 0.8.0'}
+  levn@0.4.1:
     dependencies:
       prelude-ls: 1.2.1
       type-check: 0.4.0
-    dev: true
 
-  /locate-path@6.0.0:
-    resolution: {integrity: sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==}
-    engines: {node: '>=10'}
+  locate-path@6.0.0:
     dependencies:
       p-locate: 5.0.0
-    dev: true
 
-  /lodash.merge@4.6.2:
-    resolution: {integrity: sha512-0KpjqXRVvrYyCsX1swR/XTK0va6VQkQM6MNo7PqW77ByjAhoARA8EfrP1N4+KlKj8YS0ZUCtRT/YUuhyYDujIQ==}
-    dev: true
+  lodash.merge@4.6.2: {}
 
-  /lodash@4.17.21:
-    resolution: {integrity: sha512-v2kDEe57lecTulaDIuNTPy3Ry4gLGJ6Z1O3vE1krgXZNrsQ+LFTGHVxVjcXPs17LhbZVGedAJv8XZ1tvj5FvSg==}
-    dev: false
+  lodash@4.17.21: {}
 
-  /lru-cache@6.0.0:
-    resolution: {integrity: sha512-Jo6dJ04CmSjuznwJSS3pUeWmd/H0ffTlkXXgwZi+eq1UCmqQwCh+eLsYOYCwY991i2Fah4h1BEMCx4qThGbsiA==}
-    engines: {node: '>=10'}
+  lru-cache@6.0.0:
     dependencies:
       yallist: 4.0.0
-    dev: true
 
-  /merge2@1.4.1:
-    resolution: {integrity: sha512-8q7VEgMJW4J8tcfVPy8g09NcQwZdbwFEqhe/WZkoIzjn/3TGDwtOCYtXGxA3O8tPzpczCCDgv+P2P5y00ZJOOg==}
-    engines: {node: '>= 8'}
-    dev: true
+  merge2@1.4.1: {}
 
-  /micromatch@4.0.5:
-    resolution: {integrity: sha512-DMy+ERcEW2q8Z2Po+WNXuw3c5YaUSFjAO5GsJqfEl7UjvtIuFKO6ZrKvcItdy98dwFI2N1tg3zNIdKaQT+aNdA==}
-    engines: {node: '>=8.6'}
+  micromatch@4.0.5:
     dependencies:
       braces: 3.0.2
       picomatch: 2.3.1
-    dev: true
 
-  /mime-db@1.52.0:
-    resolution: {integrity: sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==}
-    engines: {node: '>= 0.6'}
-    dev: false
+  mime-db@1.52.0: {}
 
-  /mime-types@2.1.35:
-    resolution: {integrity: sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==}
-    engines: {node: '>= 0.6'}
+  mime-types@2.1.35:
     dependencies:
       mime-db: 1.52.0
-    dev: false
 
-  /minimatch@3.1.2:
-    resolution: {integrity: sha512-J7p63hRiAjw1NDEww1W7i37+ByIrOWO5XQQAzZ3VOcL0PNybwpfmV/N05zFAzwQ9USyEcX6t3UO+K5aqBQOIHw==}
+  minimatch@3.1.2:
     dependencies:
       brace-expansion: 1.1.11
-    dev: true
 
-  /minimist@1.2.8:
-    resolution: {integrity: sha512-2yyAR8qBkN3YuheJanUpWC5U3bb5osDywNB8RzDVlDwDHbocAJveqqj1u8+SVD7jkWT4yvsHCpWqqWqAxb0zCA==}
-    dev: true
+  minimist@1.2.8: {}
 
-  /ms@2.1.2:
-    resolution: {integrity: sha512-sGkPx+VjMtmA6MX27oA4FBFELFCZZ4S4XqeGOXCv68tT+jb3vk/RyaKWP0PTKyWtmLSM0b+adUTEvbs1PEaH2w==}
-    dev: true
+  ms@2.1.2: {}
 
-  /ms@2.1.3:
-    resolution: {integrity: sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==}
-    dev: true
+  ms@2.1.3: {}
 
-  /natural-compare-lite@1.4.0:
-    resolution: {integrity: sha512-Tj+HTDSJJKaZnfiuw+iaF9skdPpTo2GtEly5JHnWV/hfv2Qj/9RKsGISQtLh2ox3l5EAGw487hnBee0sIJ6v2g==}
-    dev: true
+  natural-compare-lite@1.4.0: {}
 
-  /natural-compare@1.4.0:
-    resolution: {integrity: sha512-OWND8ei3VtNC9h7V60qff3SVobHr996CTwgxubgyQYEpg290h9J0buyECNNJexkFm5sOajh5G116RYA1c8ZMSw==}
-    dev: true
+  natural-compare@1.4.0: {}
 
-  /object-inspect@1.12.3:
-    resolution: {integrity: sha512-geUvdk7c+eizMNUDkRpW1wJwgfOiOeHbxBR/hLXK1aT6zmVSO0jsQcs7fj6MGw89jC/cjGfLcNOrtMYtGqm81g==}
-    dev: true
+  object-inspect@1.12.3: {}
 
-  /object-keys@1.1.1:
-    resolution: {integrity: sha512-NuAESUOUMrlIXOfHKzD6bpPu3tYt3xvjNdRIQ+FeT0lNb4K8WR70CaDxhuNguS2XG+GjkyMwOzsN5ZktImfhLA==}
-    engines: {node: '>= 0.4'}
-    dev: true
+  object-keys@1.1.1: {}
 
-  /object.assign@4.1.4:
-    resolution: {integrity: sha512-1mxKf0e58bvyjSCtKYY4sRe9itRk3PJpquJOjeIkz885CczcI4IvJJDLPS72oowuSh+pBxUFROpX+TU++hxhZQ==}
-    engines: {node: '>= 0.4'}
+  object.assign@4.1.4:
     dependencies:
       call-bind: 1.0.2
       define-properties: 1.2.0
       has-symbols: 1.0.3
       object-keys: 1.1.1
-    dev: true
 
-  /object.values@1.1.6:
-    resolution: {integrity: sha512-FVVTkD1vENCsAcwNs9k6jea2uHC/X0+JcjG8YA60FN5CMaJmG95wT9jek/xX9nornqGRrBkKtzuAu2wuHpKqvw==}
-    engines: {node: '>= 0.4'}
+  object.values@1.1.6:
     dependencies:
       call-bind: 1.0.2
       define-properties: 1.2.0
       es-abstract: 1.21.2
-    dev: true
 
-  /obuf@1.1.2:
-    resolution: {integrity: sha512-PX1wu0AmAdPqOL1mWhqmlOd8kOIZQwGZw6rh7uby9fTc5lhaOWFLX3I6R1hrF9k3zUY40e6igsLGkDXK92LJNg==}
-    dev: false
+  obuf@1.1.2: {}
 
-  /once@1.4.0:
-    resolution: {integrity: sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==}
+  once@1.4.0:
     dependencies:
       wrappy: 1.0.2
-    dev: true
 
-  /optionator@0.9.1:
-    resolution: {integrity: sha512-74RlY5FCnhq4jRxVUPKDaRwrVNXMqsGsiW6AJw4XK8hmtm10wC0ypZBLw5IIp85NZMr91+qd1RvvENwg7jjRFw==}
-    engines: {node: '>= 0.8.0'}
+  optionator@0.9.1:
     dependencies:
       deep-is: 0.1.4
       fast-levenshtein: 2.0.6
@@ -1414,103 +1898,55 @@ packages:
       prelude-ls: 1.2.1
       type-check: 0.4.0
       word-wrap: 1.2.3
-    dev: true
 
-  /p-limit@3.1.0:
-    resolution: {integrity: sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==}
-    engines: {node: '>=10'}
+  p-limit@3.1.0:
     dependencies:
       yocto-queue: 0.1.0
-    dev: true
 
-  /p-locate@5.0.0:
-    resolution: {integrity: sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==}
-    engines: {node: '>=10'}
+  p-locate@5.0.0:
     dependencies:
       p-limit: 3.1.0
-    dev: true
 
-  /packet-reader@1.0.0:
-    resolution: {integrity: sha512-HAKu/fG3HpHFO0AA8WE8q2g+gBJaZ9MG7fcKk+IJPLTGAD6Psw4443l+9DGRbOIh3/aXr7Phy0TjilYivJo5XQ==}
-    dev: false
+  packet-reader@1.0.0: {}
 
-  /parent-module@1.0.1:
-    resolution: {integrity: sha512-GQ2EWRpQV8/o+Aw8YqtfZZPfNRWZYkbidE9k5rpl/hC3vtHHBfGm2Ifi6qWV+coDGkrUKZAxE3Lot5kcsRlh+g==}
-    engines: {node: '>=6'}
+  parent-module@1.0.1:
     dependencies:
       callsites: 3.1.0
-    dev: true
 
-  /path-exists@4.0.0:
-    resolution: {integrity: sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==}
-    engines: {node: '>=8'}
-    dev: true
+  path-exists@4.0.0: {}
 
-  /path-is-absolute@1.0.1:
-    resolution: {integrity: sha512-AVbw3UJ2e9bq64vSaS9Am0fje1Pa8pbGqTTsmXfaIiMpnr5DlDhfJOuLj9Sf95ZPVDAUerDfEk88MPmPe7UCQg==}
-    engines: {node: '>=0.10.0'}
-    dev: true
+  path-is-absolute@1.0.1: {}
 
-  /path-key@3.1.1:
-    resolution: {integrity: sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==}
-    engines: {node: '>=8'}
-    dev: true
+  path-key@3.1.1: {}
 
-  /path-parse@1.0.7:
-    resolution: {integrity: sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==}
-    dev: true
+  path-parse@1.0.7: {}
 
-  /path-type@4.0.0:
-    resolution: {integrity: sha512-gDKb8aZMDeD/tZWs9P6+q0J9Mwkdl6xMV8TjnGP3qJVJ06bdMgkbBlLU8IdfOsIsFz2BW1rNVT3XuNEl8zPAvw==}
-    engines: {node: '>=8'}
-    dev: true
+  path-type@4.0.0: {}
 
-  /pg-cloudflare@1.1.1:
-    resolution: {integrity: sha512-xWPagP/4B6BgFO+EKz3JONXv3YDgvkbVrGw2mTo3D6tVDQRh1e7cqVGvyR3BE+eQgAvx1XhW/iEASj4/jCWl3Q==}
-    requiresBuild: true
-    dev: false
+  pg-cloudflare@1.1.1:
     optional: true
 
-  /pg-connection-string@2.6.2:
-    resolution: {integrity: sha512-ch6OwaeaPYcova4kKZ15sbJ2hKb/VP48ZD2gE7i1J+L4MspCtBMAx8nMgz7bksc7IojCIIWuEhHibSMFH8m8oA==}
-    dev: false
+  pg-connection-string@2.6.2: {}
 
-  /pg-int8@1.0.1:
-    resolution: {integrity: sha512-WCtabS6t3c8SkpDBUlb1kjOs7l66xsGdKpIPZsg4wR+B3+u9UAum2odSsF9tnvxg80h4ZxLWMy4pRjOsFIqQpw==}
-    engines: {node: '>=4.0.0'}
-    dev: false
+  pg-int8@1.0.1: {}
 
-  /pg-numeric@1.0.2:
-    resolution: {integrity: sha512-BM/Thnrw5jm2kKLE5uJkXqqExRUY/toLHda65XgFTBTFYZyopbKjBe29Ii3RbkvlsMoFwD+tHeGaCjjv0gHlyw==}
-    engines: {node: '>=4'}
-    dev: false
+  pg-numeric@1.0.2: {}
 
-  /pg-pool@3.6.1(pg@8.11.3):
-    resolution: {integrity: sha512-jizsIzhkIitxCGfPRzJn1ZdcosIt3pz9Sh3V01fm1vZnbnCMgmGl5wvGGdNN2EL9Rmb0EcFoCkixH4Pu+sP9Og==}
-    peerDependencies:
-      pg: '>=8.0'
+  pg-pool@3.6.1(pg@8.11.3):
     dependencies:
       pg: 8.11.3
-    dev: false
 
-  /pg-protocol@1.6.0:
-    resolution: {integrity: sha512-M+PDm637OY5WM307051+bsDia5Xej6d9IR4GwJse1qA1DIhiKlksvrneZOYQq42OM+spubpcNYEo2FcKQrDk+Q==}
-    dev: false
+  pg-protocol@1.6.0: {}
 
-  /pg-types@2.2.0:
-    resolution: {integrity: sha512-qTAAlrEsl8s4OiEQY69wDvcMIdQN6wdz5ojQiOy6YRMuynxenON0O5oCpJI6lshc6scgAY8qvJ2On/p+CXY0GA==}
-    engines: {node: '>=4'}
+  pg-types@2.2.0:
     dependencies:
       pg-int8: 1.0.1
       postgres-array: 2.0.0
       postgres-bytea: 1.0.0
       postgres-date: 1.0.7
       postgres-interval: 1.2.0
-    dev: false
 
-  /pg-types@4.0.1:
-    resolution: {integrity: sha512-hRCSDuLII9/LE3smys1hRHcu5QGcLs9ggT7I/TCs0IE+2Eesxi9+9RWAAwZ0yaGjxoWICF/YHLOEjydGujoJ+g==}
-    engines: {node: '>=10'}
+  pg-types@4.0.1:
     dependencies:
       pg-int8: 1.0.1
       pg-numeric: 1.0.2
@@ -1519,16 +1955,8 @@ packages:
       postgres-date: 2.0.1
       postgres-interval: 3.0.0
       postgres-range: 1.1.3
-    dev: false
 
-  /pg@8.11.3:
-    resolution: {integrity: sha512-+9iuvG8QfaaUrrph+kpF24cXkH1YOOUeArRNYIxq1viYHZagBxrTno7cecY1Fa44tJeZvaoG+Djpkc3JwehN5g==}
-    engines: {node: '>= 8.0.0'}
-    peerDependencies:
-      pg-native: '>=3.0.1'
-    peerDependenciesMeta:
-      pg-native:
-        optional: true
+  pg@8.11.3:
     dependencies:
       buffer-writer: 2.0.0
       packet-reader: 1.0.0
@@ -1539,353 +1967,197 @@ packages:
       pgpass: 1.0.5
     optionalDependencies:
       pg-cloudflare: 1.1.1
-    dev: false
 
-  /pgpass@1.0.5:
-    resolution: {integrity: sha512-FdW9r/jQZhSeohs1Z3sI1yxFQNFvMcnmfuj4WBMUTxOrAyLMaTcE1aAMBiTlbMNaXvBCQuVi0R7hd8udDSP7ug==}
+  pgpass@1.0.5:
     dependencies:
       split2: 4.2.0
-    dev: false
 
-  /picomatch@2.3.1:
-    resolution: {integrity: sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==}
-    engines: {node: '>=8.6'}
-    dev: true
+  picomatch@2.3.1: {}
 
-  /playwright-core@1.32.3:
-    resolution: {integrity: sha512-SB+cdrnu74ZIn5Ogh/8278ngEh9NEEV0vR4sJFmK04h2iZpybfbqBY0bX6+BLYWVdV12JLLI+JEFtSnYgR+mWg==}
-    engines: {node: '>=14'}
-    hasBin: true
-    dev: false
+  playwright-core@1.32.3: {}
 
-  /playwright@1.32.3:
-    resolution: {integrity: sha512-h/ylpgoj6l/EjkfUDyx8cdOlfzC96itPpPe8BXacFkqpw/YsuxkpPyVbzEq4jw+bAJh5FLgh31Ljg2cR6HV3uw==}
-    engines: {node: '>=14'}
-    hasBin: true
-    requiresBuild: true
+  playwright@1.32.3:
     dependencies:
       playwright-core: 1.32.3
-    dev: false
 
-  /postgres-array@2.0.0:
-    resolution: {integrity: sha512-VpZrUqU5A69eQyW2c5CA1jtLecCsN2U/bD6VilrFDWq5+5UIEVO7nazS3TEcHf1zuPYO/sqGvUvW62g86RXZuA==}
-    engines: {node: '>=4'}
-    dev: false
+  postgres-array@2.0.0: {}
 
-  /postgres-array@3.0.2:
-    resolution: {integrity: sha512-6faShkdFugNQCLwucjPcY5ARoW1SlbnrZjmGl0IrrqewpvxvhSLHimCVzqeuULCbG0fQv7Dtk1yDbG3xv7Veog==}
-    engines: {node: '>=12'}
-    dev: false
+  postgres-array@3.0.2: {}
 
-  /postgres-bytea@1.0.0:
-    resolution: {integrity: sha512-xy3pmLuQqRBZBXDULy7KbaitYqLcmxigw14Q5sj8QBVLqEwXfeybIKVWiqAXTlcvdvb0+xkOtDbfQMOf4lST1w==}
-    engines: {node: '>=0.10.0'}
-    dev: false
+  postgres-bytea@1.0.0: {}
 
-  /postgres-bytea@3.0.0:
-    resolution: {integrity: sha512-CNd4jim9RFPkObHSjVHlVrxoVQXz7quwNFpz7RY1okNNme49+sVyiTvTRobiLV548Hx/hb1BG+iE7h9493WzFw==}
-    engines: {node: '>= 6'}
+  postgres-bytea@3.0.0:
     dependencies:
       obuf: 1.1.2
-    dev: false
 
-  /postgres-date@1.0.7:
-    resolution: {integrity: sha512-suDmjLVQg78nMK2UZ454hAG+OAW+HQPZ6n++TNDUX+L0+uUlLywnoxJKDou51Zm+zTCjrCl0Nq6J9C5hP9vK/Q==}
-    engines: {node: '>=0.10.0'}
-    dev: false
+  postgres-date@1.0.7: {}
 
-  /postgres-date@2.0.1:
-    resolution: {integrity: sha512-YtMKdsDt5Ojv1wQRvUhnyDJNSr2dGIC96mQVKz7xufp07nfuFONzdaowrMHjlAzY6GDLd4f+LUHHAAM1h4MdUw==}
-    engines: {node: '>=12'}
-    dev: false
+  postgres-date@2.0.1: {}
 
-  /postgres-interval@1.2.0:
-    resolution: {integrity: sha512-9ZhXKM/rw350N1ovuWHbGxnGh/SNJ4cnxHiM0rxE4VN41wsg8P8zWn9hv/buK00RP4WvlOyr/RBDiptyxVbkZQ==}
-    engines: {node: '>=0.10.0'}
+  postgres-interval@1.2.0:
     dependencies:
       xtend: 4.0.2
-    dev: false
 
-  /postgres-interval@3.0.0:
-    resolution: {integrity: sha512-BSNDnbyZCXSxgA+1f5UU2GmwhoI0aU5yMxRGO8CdFEcY2BQF9xm/7MqKnYoM1nJDk8nONNWDk9WeSmePFhQdlw==}
-    engines: {node: '>=12'}
-    dev: false
+  postgres-interval@3.0.0: {}
 
-  /postgres-range@1.1.3:
-    resolution: {integrity: sha512-VdlZoocy5lCP0c/t66xAfclglEapXPCIVhqqJRncYpvbCgImF0w67aPKfbqUMr72tO2k5q0TdTZwCLjPTI6C9g==}
-    dev: false
+  postgres-range@1.1.3: {}
 
-  /prelude-ls@1.2.1:
-    resolution: {integrity: sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==}
-    engines: {node: '>= 0.8.0'}
-    dev: true
+  prelude-ls@1.2.1: {}
 
-  /prettier-linter-helpers@1.0.0:
-    resolution: {integrity: sha512-GbK2cP9nraSSUF9N2XwUwqfzlAFlMNYYl+ShE/V+H8a9uNl/oUqB1w2EL54Jh0OlyRSd8RfWYJ3coVS4TROP2w==}
-    engines: {node: '>=6.0.0'}
+  prettier-linter-helpers@1.0.0:
     dependencies:
       fast-diff: 1.2.0
-    dev: true
 
-  /prettier@2.8.8:
-    resolution: {integrity: sha512-tdN8qQGvNjw4CHbY+XXk0JgCXn9QiF21a55rBe5LJAU+kDyC4WQn4+awm2Xfk2lQMk5fKup9XgzTZtGkjBdP9Q==}
-    engines: {node: '>=10.13.0'}
-    hasBin: true
-    dev: true
+  prettier@2.8.8: {}
 
-  /proxy-from-env@1.1.0:
-    resolution: {integrity: sha512-D+zkORCbA9f1tdWRK0RaCR3GPv50cMxcrz4X8k5LTSUD1Dkw47mKJEZQNunItRTkWwgtaUSo1RVFRIG9ZXiFYg==}
-    dev: false
+  proxy-from-env@1.1.0: {}
 
-  /punycode@2.3.0:
-    resolution: {integrity: sha512-rRV+zQD8tVFys26lAGR9WUuS4iUAngJScM+ZRSKtvl5tKeZ2t5bvdNFdNHBW9FWR4guGHlgmsZ1G7BSm2wTbuA==}
-    engines: {node: '>=6'}
-    dev: true
+  punycode@2.3.0: {}
 
-  /queue-microtask@1.2.3:
-    resolution: {integrity: sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==}
-    dev: true
+  queue-microtask@1.2.3: {}
 
-  /regexp.prototype.flags@1.5.0:
-    resolution: {integrity: sha512-0SutC3pNudRKgquxGoRGIz946MZVHqbNfPjBdxeOhBrdgDKlRoXmYLQN9xRbrR09ZXWeGAdPuif7egofn6v5LA==}
-    engines: {node: '>= 0.4'}
+  regexp.prototype.flags@1.5.0:
     dependencies:
       call-bind: 1.0.2
       define-properties: 1.2.0
       functions-have-names: 1.2.3
-    dev: true
 
-  /resolve-from@4.0.0:
-    resolution: {integrity: sha512-pb/MYmXstAkysRFx8piNI1tGFNQIFA3vkE3Gq4EuA1dF6gHp/+vgZqsCGJapvy8N3Q+4o7FwvquPJcnZ7RYy4g==}
-    engines: {node: '>=4'}
-    dev: true
+  resolve-from@4.0.0: {}
 
-  /resolve@1.22.2:
-    resolution: {integrity: sha512-Sb+mjNHOULsBv818T40qSPeRiuWLyaGMa5ewydRLFimneixmVy2zdivRl+AF6jaYPC8ERxGDmFSiqui6SfPd+g==}
-    hasBin: true
+  resolve@1.22.2:
     dependencies:
       is-core-module: 2.12.0
       path-parse: 1.0.7
       supports-preserve-symlinks-flag: 1.0.0
-    dev: true
 
-  /reusify@1.0.4:
-    resolution: {integrity: sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==}
-    engines: {iojs: '>=1.0.0', node: '>=0.10.0'}
-    dev: true
+  reusify@1.0.4: {}
 
-  /rimraf@3.0.2:
-    resolution: {integrity: sha512-JZkJMZkAGFFPP2YqXZXPbMlMBgsxzE8ILs4lMIX/2o0L9UBw9O/Y3o6wFw/i9YLapcUJWwqbi3kdxIPdC62TIA==}
-    hasBin: true
+  rimraf@3.0.2:
     dependencies:
       glob: 7.2.3
-    dev: true
 
-  /run-parallel@1.2.0:
-    resolution: {integrity: sha512-5l4VyZR86LZ/lDxZTR6jqL8AFE2S0IFLMP26AbjsLVADxHdhB/c0GUsH+y39UfCi3dzz8OlQuPmnaJOMoDHQBA==}
+  run-parallel@1.2.0:
     dependencies:
       queue-microtask: 1.2.3
-    dev: true
 
-  /safe-regex-test@1.0.0:
-    resolution: {integrity: sha512-JBUUzyOgEwXQY1NuPtvcj/qcBDbDmEvWufhlnXZIm75DEHp+afM1r1ujJpJsV/gSM4t59tpDyPi1sd6ZaPFfsA==}
+  safe-regex-test@1.0.0:
     dependencies:
       call-bind: 1.0.2
       get-intrinsic: 1.2.0
       is-regex: 1.1.4
-    dev: true
 
-  /semver@6.3.0:
-    resolution: {integrity: sha512-b39TBaTSfV6yBrapU89p5fKekE2m/NwnDocOVruQFS1/veMgdzuPcnOM34M6CwxW8jH/lxEa5rBoDeUwu5HHTw==}
-    hasBin: true
-    dev: true
+  semver@6.3.0: {}
 
-  /semver@7.5.0:
-    resolution: {integrity: sha512-+XC0AD/R7Q2mPSRuy2Id0+CGTZ98+8f+KvwirxOKIEyid+XSx6HbC63p+O4IndTHuX5Z+JxQ0TghCkO5Cg/2HA==}
-    engines: {node: '>=10'}
-    hasBin: true
+  semver@7.5.0:
     dependencies:
       lru-cache: 6.0.0
-    dev: true
 
-  /shebang-command@2.0.0:
-    resolution: {integrity: sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==}
-    engines: {node: '>=8'}
+  shebang-command@2.0.0:
     dependencies:
       shebang-regex: 3.0.0
-    dev: true
 
-  /shebang-regex@3.0.0:
-    resolution: {integrity: sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==}
-    engines: {node: '>=8'}
-    dev: true
+  shebang-regex@3.0.0: {}
 
-  /side-channel@1.0.4:
-    resolution: {integrity: sha512-q5XPytqFEIKHkGdiMIrY10mvLRvnQh42/+GoBlFW3b2LXLE2xxJpZFdm94we0BaoV3RwJyGqg5wS7epxTv0Zvw==}
+  side-channel@1.0.4:
     dependencies:
       call-bind: 1.0.2
       get-intrinsic: 1.2.0
       object-inspect: 1.12.3
-    dev: true
 
-  /slash@3.0.0:
-    resolution: {integrity: sha512-g9Q1haeby36OSStwb4ntCGGGaKsaVSjQ68fBxoQcutl5fS1vuY18H3wSt3jFyFtrkx+Kz0V1G85A4MyAdDMi2Q==}
-    engines: {node: '>=8'}
-    dev: true
+  slash@3.0.0: {}
 
-  /split2@4.2.0:
-    resolution: {integrity: sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==}
-    engines: {node: '>= 10.x'}
-    dev: false
+  split2@4.2.0: {}
 
-  /string.prototype.trim@1.2.7:
-    resolution: {integrity: sha512-p6TmeT1T3411M8Cgg9wBTMRtY2q9+PNy9EV1i2lIXUN/btt763oIfxwN3RR8VU6wHX8j/1CFy0L+YuThm6bgOg==}
-    engines: {node: '>= 0.4'}
+  string.prototype.trim@1.2.7:
     dependencies:
       call-bind: 1.0.2
       define-properties: 1.2.0
       es-abstract: 1.21.2
-    dev: true
 
-  /string.prototype.trimend@1.0.6:
-    resolution: {integrity: sha512-JySq+4mrPf9EsDBEDYMOb/lM7XQLulwg5R/m1r0PXEFqrV0qHvl58sdTilSXtKOflCsK2E8jxf+GKC0T07RWwQ==}
+  string.prototype.trimend@1.0.6:
     dependencies:
       call-bind: 1.0.2
       define-properties: 1.2.0
       es-abstract: 1.21.2
-    dev: true
 
-  /string.prototype.trimstart@1.0.6:
-    resolution: {integrity: sha512-omqjMDaY92pbn5HOX7f9IccLA+U1tA9GvtU4JrodiXFfYB7jPzzHpRzpglLAjtUV6bB557zwClJezTqnAiYnQA==}
+  string.prototype.trimstart@1.0.6:
     dependencies:
       call-bind: 1.0.2
       define-properties: 1.2.0
       es-abstract: 1.21.2
-    dev: true
 
-  /strip-ansi@6.0.1:
-    resolution: {integrity: sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==}
-    engines: {node: '>=8'}
+  strip-ansi@6.0.1:
     dependencies:
       ansi-regex: 5.0.1
-    dev: true
 
-  /strip-bom@3.0.0:
-    resolution: {integrity: sha512-vavAMRXOgBVNF6nyEEmL3DBK19iRpDcoIwW+swQ+CbGiu7lju6t+JklA1MHweoWtadgt4ISVUsXLyDq34ddcwA==}
-    engines: {node: '>=4'}
-    dev: true
+  strip-bom@3.0.0: {}
 
-  /strip-json-comments@3.1.1:
-    resolution: {integrity: sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==}
-    engines: {node: '>=8'}
-    dev: true
+  strip-json-comments@3.1.1: {}
 
-  /supports-color@7.2.0:
-    resolution: {integrity: sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==}
-    engines: {node: '>=8'}
+  supports-color@7.2.0:
     dependencies:
       has-flag: 4.0.0
-    dev: true
 
-  /supports-preserve-symlinks-flag@1.0.0:
-    resolution: {integrity: sha512-ot0WnXS9fgdkgIcePe6RHNk1WA8+muPa6cSjeR3V8K27q9BB1rTE3R1p7Hv0z1ZyAc8s6Vvv8DIyWf681MAt0w==}
-    engines: {node: '>= 0.4'}
-    dev: true
+  supports-preserve-symlinks-flag@1.0.0: {}
 
-  /text-table@0.2.0:
-    resolution: {integrity: sha512-N+8UisAXDGk8PFXP4HAzVR9nbfmVJ3zYLAWiTIoqC5v5isinhr+r5uaO8+7r3BMfuNIufIsA7RdpVgacC2cSpw==}
-    dev: true
+  text-table@0.2.0: {}
 
-  /to-regex-range@5.0.1:
-    resolution: {integrity: sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==}
-    engines: {node: '>=8.0'}
+  to-regex-range@5.0.1:
     dependencies:
       is-number: 7.0.0
-    dev: true
 
-  /totp-generator@0.0.14:
-    resolution: {integrity: sha512-vFZ8N2TdF4mCj8bUW460jI73LqS+JKccsZ8cttQSuXa3dkTmZo8q81Pq2yAuiPxCI5fPfUrfaKuU+7adjx5s4w==}
+  totp-generator@0.0.14:
     dependencies:
       jssha: 3.3.0
-    dev: false
 
-  /tsconfig-paths@3.14.2:
-    resolution: {integrity: sha512-o/9iXgCYc5L/JxCHPe3Hvh8Q/2xm5Z+p18PESBU6Ff33695QnCHBEjcytY2q19ua7Mbl/DavtBOLq+oG0RCL+g==}
+  tsconfig-paths@3.14.2:
     dependencies:
       '@types/json5': 0.0.29
       json5: 1.0.2
       minimist: 1.2.8
       strip-bom: 3.0.0
-    dev: true
 
-  /tslib@1.14.1:
-    resolution: {integrity: sha512-Xni35NKzjgMrwevysHTCArtLDpPvye8zV/0E4EyYn43P7/7qvQwPh9BGkHewbMulVntbigmcT7rdX3BNo9wRJg==}
-    dev: true
+  tslib@1.14.1: {}
 
-  /tsutils@3.21.0(typescript@5.0.4):
-    resolution: {integrity: sha512-mHKK3iUXL+3UF6xL5k0PEhKRUBKPBCv/+RkEOpjRWxxx27KKRBmmA60A9pgOUvMi8GKhRMPEmjBRPzs2W7O1OA==}
-    engines: {node: '>= 6'}
-    peerDependencies:
-      typescript: '>=2.8.0 || >= 3.2.0-dev || >= 3.3.0-dev || >= 3.4.0-dev || >= 3.5.0-dev || >= 3.6.0-dev || >= 3.6.0-beta || >= 3.7.0-dev || >= 3.7.0-beta'
+  tsutils@3.21.0(typescript@5.0.4):
     dependencies:
       tslib: 1.14.1
       typescript: 5.0.4
-    dev: true
 
-  /type-check@0.4.0:
-    resolution: {integrity: sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==}
-    engines: {node: '>= 0.8.0'}
+  type-check@0.4.0:
     dependencies:
       prelude-ls: 1.2.1
-    dev: true
 
-  /type-fest@0.20.2:
-    resolution: {integrity: sha512-Ne+eE4r0/iWnpAxD852z3A+N0Bt5RN//NjJwRd2VFHEmrywxf5vsZlh4R6lixl6B+wz/8d+maTSAkN1FIkI3LQ==}
-    engines: {node: '>=10'}
-    dev: true
+  type-fest@0.20.2: {}
 
-  /typed-array-length@1.0.4:
-    resolution: {integrity: sha512-KjZypGq+I/H7HI5HlOoGHkWUUGq+Q0TPhQurLbyrVrvnKTBgzLhIJ7j6J/XTQOi0d1RjyZ0wdas8bKs2p0x3Ng==}
+  typed-array-length@1.0.4:
     dependencies:
       call-bind: 1.0.2
       for-each: 0.3.3
       is-typed-array: 1.1.10
-    dev: true
 
-  /typescript@5.0.4:
-    resolution: {integrity: sha512-cW9T5W9xY37cc+jfEnaUvX91foxtHkza3Nw3wkoF4sSlKn0MONdkdEndig/qPBWXNkmplh3NzayQzCiHM4/hqw==}
-    engines: {node: '>=12.20'}
-    hasBin: true
-    dev: true
+  typescript@5.0.4: {}
 
-  /unbox-primitive@1.0.2:
-    resolution: {integrity: sha512-61pPlCD9h51VoreyJ0BReideM3MDKMKnh6+V9L08331ipq6Q8OFXZYiqP6n/tbHx4s5I9uRhcye6BrbkizkBDw==}
+  unbox-primitive@1.0.2:
     dependencies:
       call-bind: 1.0.2
       has-bigints: 1.0.2
       has-symbols: 1.0.3
       which-boxed-primitive: 1.0.2
-    dev: true
 
-  /uri-js@4.4.1:
-    resolution: {integrity: sha512-7rKUyy33Q1yc98pQ1DAmLtwX109F7TIfWlW1Ydo8Wl1ii1SeHieeh0HHfPeL2fMXK6z0s8ecKs9frCuLJvndBg==}
+  uri-js@4.4.1:
     dependencies:
       punycode: 2.3.0
-    dev: true
 
-  /which-boxed-primitive@1.0.2:
-    resolution: {integrity: sha512-bwZdv0AKLpplFY2KZRX6TvyuN7ojjr7lwkg6ml0roIy9YeuSr7JS372qlNW18UQYzgYK9ziGcerWqZOmEn9VNg==}
+  which-boxed-primitive@1.0.2:
     dependencies:
       is-bigint: 1.0.4
       is-boolean-object: 1.1.2
       is-number-object: 1.0.7
       is-string: 1.0.7
       is-symbol: 1.0.4
-    dev: true
 
-  /which-typed-array@1.1.9:
-    resolution: {integrity: sha512-w9c4xkx6mPidwp7180ckYWfMmvxpjlZuIudNtDf4N/tTAUB8VJbX25qZoAsrtGuYNnGw3pa0AXgbGKRB8/EceA==}
-    engines: {node: '>= 0.4'}
+  which-typed-array@1.1.9:
     dependencies:
       available-typed-arrays: 1.0.5
       call-bind: 1.0.2
@@ -1893,35 +2165,17 @@ packages:
       gopd: 1.0.1
       has-tostringtag: 1.0.0
       is-typed-array: 1.1.10
-    dev: true
 
-  /which@2.0.2:
-    resolution: {integrity: sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==}
-    engines: {node: '>= 8'}
-    hasBin: true
+  which@2.0.2:
     dependencies:
       isexe: 2.0.0
-    dev: true
 
-  /word-wrap@1.2.3:
-    resolution: {integrity: sha512-Hz/mrNwitNRh/HUAtM/VT/5VH+ygD6DV7mYKZAtHOrbs8U7lvPS6xf7EJKMF0uW1KJCl0H701g3ZGus+muE5vQ==}
-    engines: {node: '>=0.10.0'}
-    dev: true
+  word-wrap@1.2.3: {}
 
-  /wrappy@1.0.2:
-    resolution: {integrity: sha512-l4Sp/DRseor9wL6EvV2+TuQn63dMkPjZ/sp9XkghTEbV9KlPS1xUsZ3u7/IQO4wxtcFB4bgpQPRcR3QCvezPcQ==}
-    dev: true
+  wrappy@1.0.2: {}
 
-  /xtend@4.0.2:
-    resolution: {integrity: sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==}
-    engines: {node: '>=0.4'}
-    dev: false
+  xtend@4.0.2: {}
 
-  /yallist@4.0.0:
-    resolution: {integrity: sha512-3wdGidZyq5PB084XLES5TpOSRA3wjXAlIWMhum2kRcv/41Sn2emQ0dycQW4uZXLejwKvg6EsvbdlVL+FYEct7A==}
-    dev: true
+  yallist@4.0.0: {}
 
-  /yocto-queue@0.1.0:
-    resolution: {integrity: sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==}
-    engines: {node: '>=10'}
-    dev: true
+  yocto-queue@0.1.0: {}
diff --git a/src/appstate.rs b/src/appstate.rs
index 7d0e65e826..926bd251b3 100644
--- a/src/appstate.rs
+++ b/src/appstate.rs
@@ -18,7 +18,7 @@ use webauthn_rs::prelude::*;
 use crate::{
     auth::failed_login::FailedLoginMap,
     db::{AppEvent, DbPool, GatewayEvent, WebHook},
-    license::License,
+    enterprise::license::License,
     mail::Mail,
     server_config,
 };
diff --git a/src/bin/defguard.rs b/src/bin/defguard.rs
index 2695cd1327..c95bca07b1 100644
--- a/src/bin/defguard.rs
+++ b/src/bin/defguard.rs
@@ -11,10 +11,10 @@ use defguard::{
     auth::failed_login::FailedLoginMap,
     config::{Command, DefGuardConfig},
     db::{init_db, AppEvent, GatewayEvent, Settings, User},
+    enterprise::license::{run_periodic_license_check, License},
     grpc::{run_grpc_bidi_stream, run_grpc_server, GatewayMap, WorkerState},
     headers::create_user_agent_parser,
     init_dev_env, init_vpn_location,
-    license::License,
     mail::{run_mail_handler, Mail},
     run_web_server,
     wireguard_peer_disconnect::run_periodic_peer_disconnect,
@@ -107,20 +107,31 @@ async fn main() -> Result<(), anyhow::Error> {
     let failed_logins = FailedLoginMap::new();
     let failed_logins = Arc::new(Mutex::new(failed_logins));
 
-    // load the license from the database
-    let license = match License::load(&pool).await.unwrap() {
-        Some(license) => Arc::new(Mutex::new(Some(license))),
-        None => Arc::new(Mutex::new(None)),
+    let mut enterprise_enabled = false;
+
+    let license = match License::load_or_renew(&pool).await {
+        Ok(license) => {
+            enterprise_enabled = true;
+            Arc::new(Mutex::new(license))
+        }
+        Err(err) => {
+            warn!(
+                "There was an error while loading the license, error: {}",
+                err
+            );
+            Arc::new(Mutex::new(None))
+        }
     };
 
     // run services
     tokio::select! {
         res = run_grpc_bidi_stream(pool.clone(), wireguard_tx.clone(), mail_tx.clone(), user_agent_parser.clone()), if config.proxy_url.is_some() => error!("Proxy gRPC stream returned early: {res:#?}"),
         res = run_grpc_server(Arc::clone(&worker_state), pool.clone(), Arc::clone(&gateway_state), wireguard_tx.clone(), mail_tx.clone(), grpc_cert, grpc_key, failed_logins.clone()) => error!("gRPC server returned early: {res:#?}"),
-        res = run_web_server(worker_state, gateway_state, webhook_tx, webhook_rx, wireguard_tx.clone(), mail_tx, pool.clone(), user_agent_parser, failed_logins, license) => error!("Web server returned early: {res:#?}"),
+        res = run_web_server(worker_state, gateway_state, webhook_tx, webhook_rx, wireguard_tx.clone(), mail_tx, pool.clone(), user_agent_parser, failed_logins, license.clone(), enterprise_enabled) => error!("Web server returned early: {res:#?}"),
         res = run_mail_handler(mail_rx, pool.clone()) => error!("Mail handler returned early: {res:#?}"),
         res = run_periodic_peer_disconnect(pool.clone(), wireguard_tx) => error!("Periodic peer disconnect task returned early: {res:#?}"),
-        res = run_periodic_stats_purge(pool, config.stats_purge_frequency.into(), config.stats_purge_threshold.into()), if !config.disable_stats_purge => error!("Periodic stats purge task returned early: {res:#?}"),
+        res = run_periodic_stats_purge(pool.clone(), config.stats_purge_frequency.into(), config.stats_purge_threshold.into()), if !config.disable_stats_purge => error!("Periodic stats purge task returned early: {res:#?}"),
+        res = run_periodic_license_check(pool, license) => error!("Periodic license check task returned early: {res:#?}"),
     }
     Ok(())
 }
diff --git a/src/config.rs b/src/config.rs
index 3b66f28b22..2a9bf70afa 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -163,6 +163,14 @@ pub struct DefGuardConfig {
     #[serde(skip_serializing)]
     pub gateway_disconnection_notification_timeout: Duration,
 
+    #[arg(
+        long,
+        env = "DEFGUARD_LICENSE_SERVER_URL",
+        default_value = "http://localhost:8002/api/license/refresh"
+    )]
+    #[serde(skip_serializing)]
+    pub license_server_url: Option<String>,
+
     #[command(subcommand)]
     #[serde(skip_serializing)]
     pub cmd: Option<Command>,
diff --git a/src/enterprise/handlers/mod.rs b/src/enterprise/handlers/mod.rs
index ea78ccccc0..c861cf8944 100644
--- a/src/enterprise/handlers/mod.rs
+++ b/src/enterprise/handlers/mod.rs
@@ -1,4 +1,4 @@
-use crate::license::License;
+use crate::enterprise::license::{validate_license, License};
 
 pub mod openid_login;
 pub mod openid_providers;
@@ -39,7 +39,7 @@ where
 {
     type Rejection = WebError;
 
-    async fn from_request_parts(parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
+    async fn from_request_parts(_parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
         let appstate = AppState::from_ref(state);
 
         let license = appstate
@@ -47,17 +47,10 @@ where
             .lock()
             .expect("Failed to acquire lock on the license.");
 
-        let license = match &*license {
-            Some(license) => license,
-            None => {
-                return Err(WebError::ObjectNotFound("License not found.".to_string()));
-            }
-        };
-
-        info!("middleware run, license: {:?}", license);
-
-        Ok(LicenseInfo {
-            valid: !license.is_expired(),
-        })
+        match validate_license((*license).as_ref()) {
+            // Useless struct, but may come in handy later
+            Ok(_) => Ok(LicenseInfo { valid: true }),
+            Err(e) => Err(WebError::Forbidden(e.to_string())),
+        }
     }
 }
diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 80280c87a9..53e14f401b 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -25,11 +25,11 @@ use openidconnect::{AuthenticationFlow, CsrfToken, EmptyAdditionalClaims, IdToke
 use crate::appstate::AppState;
 use crate::db::{DbPool, MFAInfo, Session, SessionState, Settings, User, UserInfo};
 use crate::enterprise::db::models::openid_provider::OpenIdProvider;
+use crate::enterprise::license::License;
 use crate::error::WebError;
 use crate::handlers::user::check_username;
 use crate::handlers::{ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_COOKIE_NAME};
 use crate::headers::{check_new_device_login, get_user_agent_device, parse_user_agent};
-use crate::license::License;
 use crate::server_config;
 
 use super::LicenseInfo;
@@ -104,9 +104,9 @@ async fn make_oidc_client(pool: &DbPool) -> Result<CoreClient, WebError> {
 }
 
 pub async fn get_auth_info(
+    _license: LicenseInfo,
     private_cookies: PrivateCookieJar,
     State(appstate): State<AppState>,
-    license: LicenseInfo,
 ) -> Result<(PrivateCookieJar, ApiResponse), WebError> {
     let client = make_oidc_client(&appstate.pool).await?;
 
@@ -177,6 +177,7 @@ pub struct AuthenticationResponse {
 }
 
 pub async fn auth_callback(
+    _license: LicenseInfo,
     cookies: CookieJar,
     private_cookies: PrivateCookieJar,
     user_agent: Option<TypedHeader<UserAgent>>,
diff --git a/src/enterprise/handlers/openid_providers.rs b/src/enterprise/handlers/openid_providers.rs
index 6c94149d1c..ff88dd2848 100644
--- a/src/enterprise/handlers/openid_providers.rs
+++ b/src/enterprise/handlers/openid_providers.rs
@@ -13,6 +13,8 @@ use crate::{
 
 use serde_json::json;
 
+use super::LicenseInfo;
+
 #[derive(Debug, Deserialize, Serialize)]
 pub struct AddProviderData {
     name: String,
@@ -38,6 +40,7 @@ impl AddProviderData {
 }
 
 pub async fn add_openid_provider(
+    _license: LicenseInfo,
     _admin: AdminRole,
     session: SessionInfo,
     State(appstate): State<AppState>,
@@ -66,6 +69,7 @@ pub async fn add_openid_provider(
 }
 
 pub async fn get_current_openid_provider(
+    _license: LicenseInfo,
     _admin: AdminRole,
     State(appstate): State<AppState>,
 ) -> ApiResult {
@@ -82,6 +86,7 @@ pub async fn get_current_openid_provider(
 }
 
 pub async fn delete_openid_provider(
+    _license: LicenseInfo,
     _admin: AdminRole,
     session: SessionInfo,
     State(appstate): State<AppState>,
@@ -115,6 +120,7 @@ pub async fn delete_openid_provider(
 }
 
 pub async fn modify_openid_provider(
+    _license: LicenseInfo,
     _admin: AdminRole,
     session: SessionInfo,
     State(appstate): State<AppState>,
@@ -151,6 +157,7 @@ pub async fn modify_openid_provider(
 }
 
 pub async fn list_openid_providers(
+    _license: LicenseInfo,
     _admin: AdminRole,
     State(appstate): State<AppState>,
 ) -> ApiResult {
diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
new file mode 100644
index 0000000000..b3a0777031
--- /dev/null
+++ b/src/enterprise/license.rs
@@ -0,0 +1,449 @@
+use std::{
+    collections::HashMap,
+    sync::{Arc, Mutex},
+    time::Duration,
+};
+
+use anyhow::Result;
+use chrono::{DateTime, TimeDelta, Utc};
+use rsa::pkcs8::DecodePublicKey;
+use serde_cbor::Value;
+use tokio::time::sleep;
+// use rsa::{pkcs8::FromPublicKey, PaddingScheme, PublicKey, RsaPublicKey};
+
+use crate::{
+    db::{DbPool, Settings},
+    grpc::gateway::update,
+    license,
+};
+use base64::{prelude::*, DecodeError};
+use pgp::{Deserializable, Message as PGPMessage, SignedPublicKey, StandaloneSignature};
+use prost::Message;
+use sqlx::error::Error as SqlxError;
+use thiserror::Error;
+use tonic::codec::{Decoder, Encoder};
+// mod proto {
+//     tonic::include_proto!("license");
+// }
+tonic::include_proto!("license");
+
+#[allow(dead_code)]
+pub(crate) const PUBLIC_KEY: &str = "-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBGag50MBCACnwL6q6K4Hkq/HrKn3O/mfvOcqv39AyEuLbXYxsnQM0qYlNvsv
+1QkLuQU9mv0JJapUxayBDBn4YxskJXv8ooYjqjz6UkbpxCRlCgt4HaKKm+Al84J1
+PZydvFD54PJA+LdnwVL2m0ozVgfqUSL4WWBTiXdKXQF6aUYyaQ/Y32sqcqToNApk
+LIux5cN5OMYAsP5L2gvNrU6q43aoeC4JnnCRNLEFvgliQ/Oflwil4V+sgj1ojowq
+3YEz9jAtJL4Lo0oxoq/4zOKm+3lbQKos1CJ3D6a6rAuU3WO+WOSoV0xeoL4cEqk9
+Ki8RDfCt/CE1sO0SJp8dlwGP0UjXrtBlKSX3ABEBAAG0CmFsZWtzYW5kZXKJAVEE
+EwEKADsWIQRMKEFZKKzXbMAJKQTiMv6QHne+nAUCZqDnQwIbAwULCQgHAgIiAgYV
+CgkICwIEFgIDAQIeBwIXgAAKCRDiMv6QHne+nP46B/9OErI9eC1h5M/awsyO4HRy
+0QJ8CkBXi4NuRusw1Q1Pmku0ah+3aFagAjZQmHOiUOFHJ7GGU/Lg49riS2UWI/6V
+3ZcqVBoTf6ifw/8jUfP/5AXnLOMBK+iomwyRPC7adEOrJYfOECzTr9E3YA4OChCi
+OKWkgbaj/g8r9OiQeec90GKlB1gAZ7skpI1Xqfjpu0xbQardMP0rhI3TCYmoQuKA
+FisQ3QdUa9UxL8OJJByYagdDyW94C7Nr8wlwY7qu3vSlyGC2NMnHCjTnJcxe2Sof
+nCtfzhBu6w0A+AetdsgbfKNUyWcjj1d+wqDtK3cyYSxkz+4P3rb7vcfF9fvhSPiR
+uQENBGag50MBCAC3uF9DDoQn4nqFDSOcLQRteHTgkBRhq12DRQZFJc6i5n8rgkXf
+Q4lW0PQaBp5mUA/w+vB1u6Gsv/ywnxfG0D9owYmXzUxEd94DTXesOSuuqpSpv+4p
+pz8yrFAvd/HwHFvk0aNtMv3nI8x3WyXo4OG1L3im6oloNe/dmLR3qiEgyPXf+Z13
+WyyrgUdL2sKSEvT9WwbfsKrYuP+MtUYFosTGgDx6uRe3GjJPA6KPLDD7ulkimfM2
+tMV6VF9zcd+RTpcULYlsd0ikKqgpyGl99QETSjqHQWEm0IMVvTm9ogq56zfC5epv
+dIVcTwnq9GHM5oCHBvuUjGnsYmEAn4cqaNrVABEBAAGJATYEGAEKACAWIQRMKEFZ
+KKzXbMAJKQTiMv6QHne+nAUCZqDnQwIbIAAKCRDiMv6QHne+nHmpCACRxdE3V7ez
+wRjQja8fk/wOc/eCEJBo4IxEoA1Gdbr+d1k3Bg+vTKAs9ox3JOD3j8RXDmpDi0Cu
+1XiN55Sd28XKxtFEOsNhoM32Y3oha6x8/FlAt/UdGMQgsYWoYkH/2bFWKG+xuJ7o
++7qwm6fC9LSzQ94uV8CeeM5VUCKC33ppZNjeCCXtsznirARDacACip1ZlT8ydNYR
+U/otbVsYYul1UItWzRHIQlFrnxqpS1YUDE4a5HLeWyi/v5CQYBycZ292eV7k0z/B
+sSNe9GzKBvbx9g9hlpEZ9IQeRnuIwEHRmQ2BhrHuzXjgCc9J/JUWrBn+iuS2GZ7O
+AlDzRbsWdW2suQENBGag50MBCADEPLMX/q3BmZFTIOPn5/O7AYXfQC865DOmOp7t
+Xpens2IMKaL+RL77DIL+FUQzS95hwgAyawhZEAj2VY1k6BtKROSarLuARlI/ZLkr
+3OlPBKq0VRbWnn3Qk0rmtoYC7DUD3XWuR5+n0sdxniQo8F+Xwq0ZCZmex7bN8DXP
+r9ejoNZAmEOqqMIWQy/Blc9BkStqS6WHW0EimzSsHuJbaA1ZbMLr0fES/l8FVhjX
+YBOPY3TqXkbeM3FSjDzLGCTkT0sKPlTluFdqNWKZ+tDW6Pt7PtwEt2gRQdS69+pV
+POcU7uEQiE06TWWYxTS+i+xEq106xXs2tucTSV1R0KN3Ry/9ABEBAAGJATYEGAEK
+ACAWIQRMKEFZKKzXbMAJKQTiMv6QHne+nAUCZqDnQwIbDAAKCRDiMv6QHne+nAbo
+CACTVse/+QQD5jW0sGguDLJOwgSLTeqnHV+AuVGVIDzIUNFKa691gZi8N1OJfdVn
+lqOvsyAFjPrg/1SB8x2O3kMvdrOK9K9hvACn44BxTDfRfOS/XeJCGxja10ii9wE+
+Ykl/OuCehh1kz9zIQrFvVZDgpGIUFUSSqTIfvvPsyiOJ+ADooZ80IBtDnN6qyjdl
++ioitVO0bgywfL8ze+2C82xNdjYS/FbAVi3YNgaagQbzkm4BK9w3hQqMkYXizyH1
+OOJ7mYSVH5oXyiNhU0hq8JWmFHRCHaRivHsUj9WqS/szv0ixKjQEf4EMztolzfpg
++QmJLVFn5xVR6dGteYW7/05e
+=06W7
+-----END PGP PUBLIC KEY BLOCK-----
+";
+
+#[derive(Debug, Error)]
+pub enum LicenseError {
+    #[error("Provided license is invalid: {0}")]
+    InvalidLicense(String),
+    #[error("Provided signature is does not match the license")]
+    SignatureMismatch,
+    #[error("Provided signature is invalid")]
+    InvalidSignature,
+    #[error("Database error")]
+    DbError(#[from] SqlxError),
+    #[error("License decoding error: {0}")]
+    DecodeError(String),
+    #[error("License is expired and has reached its maximum overdue time, please contact sales")]
+    LicenseExpired,
+    #[error("License is not found")]
+    LicenseNotFound,
+    #[error("License server error: {0}")]
+    LicenseServerError(String),
+}
+
+#[derive(Debug, Serialize, Deserialize)]
+struct RefreshRequestResponse {
+    key: String,
+}
+
+#[derive(Debug, Serialize, Deserialize, Clone)]
+pub struct License {
+    pub customer_id: String,
+    pub subscription: bool,
+    pub valid_until: Option<DateTime<Utc>>,
+}
+
+impl License {
+    pub fn new(
+        customer_id: String,
+        subscription: bool,
+        valid_until: Option<DateTime<Utc>>,
+    ) -> Self {
+        Self {
+            customer_id,
+            subscription,
+            valid_until,
+        }
+    }
+
+    fn decode(bytes: &[u8]) -> Result<Vec<u8>, LicenseError> {
+        let bytes = BASE64_STANDARD.decode(bytes).map_err(|_| {
+            LicenseError::DecodeError("Failed to decode the Base64 license key".to_string())
+        })?;
+        Ok(bytes)
+    }
+
+    fn verify_signature(data: &[u8], signature: &[u8]) -> Result<(), LicenseError> {
+        // A hardcoded public key should be always valid, so we can unwrap here
+        let (public_key, _headers_public) = SignedPublicKey::from_string(PUBLIC_KEY).unwrap();
+        let sig = StandaloneSignature::from_bytes(signature)
+            .map_err(|_| LicenseError::InvalidSignature)?;
+        sig.verify(&public_key, data)
+            .map_err(|_| LicenseError::SignatureMismatch)
+    }
+
+    pub fn from_base64(key: &str) -> Result<License, LicenseError> {
+        let bytes = key.as_bytes();
+        let decoded = Self::decode(bytes)?;
+        let slice: &[u8] = &decoded;
+
+        let license_key = LicenseKey::decode(slice).map_err(|_| {
+            LicenseError::DecodeError("Failed to decode the binary license key".to_string())
+        })?;
+        let metadata = license_key.metadata.ok_or(LicenseError::InvalidLicense(
+            "License metadata is missing from the license key".to_string(),
+        ))?;
+        let signature = license_key.signature.ok_or(LicenseError::InvalidLicense(
+            "License signature is missing from the license key".to_string(),
+        ))?;
+        let metadata_bytes = metadata.encode_to_vec();
+
+        match Self::verify_signature(&metadata_bytes, &signature.signature) {
+            Ok(_) => {
+                info!("Successfully validated license signature");
+                let valid_until = match metadata.valid_until {
+                    Some(until) => DateTime::from_timestamp(until, 0),
+                    None => None,
+                };
+
+                Ok(License::new(
+                    metadata.customer_id,
+                    metadata.subscription,
+                    valid_until,
+                ))
+            }
+            Err(_) => Err(LicenseError::SignatureMismatch),
+        }
+    }
+
+    /// Get the key from the database
+    async fn get_key(pool: &DbPool) -> Result<Option<String>, LicenseError> {
+        let settings = Settings::get_settings(pool).await?;
+        match settings.license {
+            Some(key) => {
+                if key.is_empty() {
+                    Ok(None)
+                } else {
+                    Ok(Some(key))
+                }
+            }
+            None => Ok(None),
+        }
+    }
+
+    pub async fn load(pool: &DbPool) -> Result<Option<License>, LicenseError> {
+        match Self::get_key(pool).await? {
+            Some(key) => Ok(Some(Self::from_base64(&key)?)),
+            None => {
+                info!("No license key found in the database");
+                Ok(None)
+            }
+        }
+    }
+
+    /// Try to load the license from the database, if the license requires a renewal, try to renew it.
+    pub async fn load_or_renew(pool: &DbPool) -> Result<Option<License>, LicenseError> {
+        match Self::load(pool).await? {
+            Some(license) => {
+                if license.requires_renewal() {
+                    if !license.is_max_overdue() {
+                        match renew_license(pool).await {
+                            Ok(new_key) => {
+                                let new_license = License::from_base64(&new_key)?;
+                                save_license_key(pool, &new_key).await?;
+                                Ok(Some(new_license))
+                            }
+                            Err(err) => {
+                                error!("Failed to renew the license: {}", err);
+                                Ok(Some(license))
+                            }
+                        }
+                    } else {
+                        Err(LicenseError::LicenseExpired)
+                    }
+                } else {
+                    Ok(Some(license))
+                }
+            }
+            None => Ok(None),
+        }
+    }
+
+    /// Checks whether the license is past its expiry date (`valid_until` field)
+    ///
+    /// NOTE: license should be considered valid for an additional period of `MAX_OVERDUE_TIME`.
+    /// If you want to check if the license reached this point, use `is_max_overdue` instead.
+    pub fn is_expired(&self) -> bool {
+        match self.valid_until {
+            Some(time) => time < Utc::now(),
+            None => false,
+        }
+    }
+
+    /// Checks how much time has left until the `valid_until` time.
+    pub fn time_left(&self) -> Option<TimeDelta> {
+        self.valid_until.map(|time| time - Utc::now())
+    }
+
+    /// Gets the time the license is past its expiry date.
+    /// If the license doesn't have a `valid_until` field, it will return 0.
+    pub fn time_overdue(&self) -> TimeDelta {
+        match self.valid_until {
+            Some(time) => {
+                let delta = Utc::now() - time;
+                if delta <= TimeDelta::zero() {
+                    TimeDelta::zero()
+                } else {
+                    delta
+                }
+            }
+            None => TimeDelta::zero(),
+        }
+    }
+
+    /// Checks whether we should try to renew the license.
+    pub fn requires_renewal(&self) -> bool {
+        if self.subscription {
+            if let Some(remaining) = self.time_left() {
+                remaining <= RENEWAL_TIME
+            } else {
+                false
+            }
+        } else {
+            false
+        }
+    }
+
+    /// Checks if the license has reached its maximum overdue time.
+    pub fn is_max_overdue(&self) -> bool {
+        self.time_overdue() > MAX_OVERDUE_TIME
+    }
+}
+
+/// Exchange the currently stored key for a new one from the license server.
+///
+/// Doesn't update the cached license, nor does it save the new key in the database.
+async fn renew_license(db_pool: &DbPool) -> Result<String, LicenseError> {
+    info!("Exchanging license for a new one...");
+    let old_license_key = match Settings::get_settings(db_pool).await?.license {
+        Some(key) => key,
+        None => return Err(LicenseError::LicenseNotFound),
+    };
+
+    let client = reqwest::Client::new();
+
+    let request_body = RefreshRequestResponse {
+        key: old_license_key,
+    };
+
+    let new_license_key = match client
+        .post("http://localhost:8002/api/license/refresh")
+        .json(&request_body)
+        .send()
+        .await
+    {
+        Ok(response) => match response.status() {
+            reqwest::StatusCode::OK => {
+                let response: RefreshRequestResponse = response.json().await.map_err(|err| {
+                    error!("Failed to parse the response from the license server while trying to renew the license: {:?}", err);
+                    LicenseError::LicenseServerError(err.to_string())
+                })?;
+                response.key
+            }
+            status => {
+                let status_message = response.text().await.unwrap_or_else(|_| "".to_string());
+                let message = format!(
+                    "Failed to renew the license, the license server returned a status code {} with error: {}",
+                    status, status_message
+                );
+                return Err(LicenseError::LicenseServerError(message));
+            }
+        },
+        Err(err) => {
+            return Err(LicenseError::LicenseServerError(err.to_string()));
+        }
+    };
+
+    info!("Successfully exchanged the license for a new one");
+
+    Ok(new_license_key)
+}
+
+/// Helper function used to check if the cached license should be considered valid.
+/// As the license is often passed around in the form of `Option<License>`, this function takes care
+/// of the whole logic related to checking whether the license is even present in the first place.
+///
+/// This function checks the following two things:
+/// 1. Does the cached license exist
+/// 2. Does the cached license is past its maximum expiry date
+pub fn validate_license(license: Option<&License>) -> Result<(), LicenseError> {
+    match license {
+        Some(license) => {
+            if license.is_max_overdue() {
+                return Err(LicenseError::LicenseExpired);
+            }
+            Ok(())
+        }
+        None => Err(LicenseError::LicenseNotFound),
+    }
+}
+
+/// Helper function to save the license key string in the database
+async fn save_license_key(pool: &DbPool, key: &str) -> Result<(), LicenseError> {
+    let mut settings = Settings::get_settings(pool).await?;
+    settings.license = Some(key.to_string());
+    settings.save(pool).await?;
+    Ok(())
+}
+
+/// Helper function to update the cached license mutex. The mutex is used mainly in the appstate.
+pub fn update_cached_license(
+    key: Option<&str>,
+    license_mutex: Arc<Mutex<Option<License>>>,
+) -> Result<(), LicenseError> {
+    let license = if let Some(key) = key {
+        // Handle the Some("") case
+        if key.is_empty() {
+            None
+        } else {
+            Some(License::from_base64(key)?)
+        }
+    } else {
+        None
+    };
+    *license_mutex
+        .lock()
+        .expect("Failed to acquire lock on the license mutex.") = license;
+    Ok(())
+}
+
+/// Amount of time before the license expiry date we should start the renewal attempts.
+const RENEWAL_TIME: TimeDelta = TimeDelta::hours(24);
+
+/// Maximum amount of time a license can be over its expiry date.
+const MAX_OVERDUE_TIME: TimeDelta = TimeDelta::hours(24);
+
+pub async fn run_periodic_license_check(
+    pool: DbPool,
+    license_mutex: Arc<Mutex<Option<License>>>,
+) -> Result<(), LicenseError> {
+    let mut check_period = Duration::from_secs(10);
+    info!("Starting periodic license check every {:?}", check_period);
+    loop {
+        // Check if the license is present in the mutex, if not skip the check
+        if license_mutex
+            .lock()
+            .expect("Failed to acquire lock on the license mutex.")
+            .is_none()
+        {
+            info!("No license found, skipping license check");
+            sleep(Duration::from_secs(5)).await;
+            continue;
+        }
+
+        // Check if the license requires renewal, uses the cached value to be more efficient
+        // The block here is to avoid holding the lock through awaits
+        let requires_renewal = {
+            let license = license_mutex
+                .lock()
+                .expect("Failed to acquire lock on the license mutex.");
+            info!(
+                "Checking if the license {:?} requires a renewal...",
+                license
+            );
+
+            match &*license {
+                Some(license) => {
+                    if license.requires_renewal() {
+                        if !license.is_max_overdue() {
+                            true
+                        } else {
+                            check_period = Duration::from_secs(5);
+                            error!("Your license has expired and reached its maximum overdue date, please contant sales.");
+                            false
+                        }
+                    } else {
+                        false
+                    }
+                }
+                None => false,
+            }
+        };
+
+        if requires_renewal {
+            info!("License requires renewal, renewing license...");
+            info!("Changing check period to {} second", 1);
+            check_period = Duration::from_secs(1);
+            match renew_license(&pool).await {
+                Ok(new_license_key) => match save_license_key(&pool, &new_license_key).await {
+                    Ok(_) => {
+                        update_cached_license(Some(&new_license_key), license_mutex.clone())?;
+                        info!("Changing check period to {} seconds", 5);
+                        check_period = Duration::from_secs(5);
+                    }
+                    Err(err) => {
+                        error!("Couldn't save the newly fetched license key to the database, error: {}", err);
+                    }
+                },
+                Err(err) => {
+                    error!("Failed to renew the license: {}", err);
+                }
+            }
+        } else {
+            info!("License isn't eligible for renewal, skipping...");
+        }
+
+        sleep(check_period).await;
+    }
+}
diff --git a/src/enterprise/mod.rs b/src/enterprise/mod.rs
index 212ebefc90..6af234a386 100644
--- a/src/enterprise/mod.rs
+++ b/src/enterprise/mod.rs
@@ -1,2 +1,3 @@
 pub mod db;
 pub mod handlers;
+pub mod license;
diff --git a/src/error.rs b/src/error.rs
index cda17066fa..9a7e991877 100644
--- a/src/error.rs
+++ b/src/error.rs
@@ -9,6 +9,7 @@ use crate::{
         device::DeviceError, enrollment::TokenError, error::ModelError,
         wireguard::WireguardNetworkError,
     },
+    enterprise::license::LicenseError,
     grpc::GatewayMapError,
     ldap::error::LdapError,
     templates::TemplateError,
@@ -53,6 +54,8 @@ pub enum WebError {
     TemplateError(#[from] TemplateError),
     #[error("Server config missing")]
     ServerConfigMissing,
+    #[error("License error: {0}")]
+    LicenseError(#[from] LicenseError),
 }
 
 impl From<tonic::Status> for WebError {
diff --git a/src/handlers/app_info.rs b/src/handlers/app_info.rs
index fd3a66a091..1e378d4d39 100644
--- a/src/handlers/app_info.rs
+++ b/src/handlers/app_info.rs
@@ -1,4 +1,6 @@
 use super::{ApiResponse, ApiResult, VERSION};
+use crate::enterprise;
+use crate::enterprise::license::{validate_license, License};
 use crate::{appstate::AppState, auth::SessionInfo, db::WireguardNetwork};
 
 use crate::db::Settings;
@@ -11,6 +13,8 @@ pub struct AppInfo {
     version: String,
     network_present: bool,
     smtp_enabled: bool,
+    /// Whether the core has an enterprise license.
+    enterprise: bool,
 }
 
 pub(crate) async fn get_app_info(
@@ -19,10 +23,18 @@ pub(crate) async fn get_app_info(
 ) -> ApiResult {
     let networks = WireguardNetwork::all(&appstate.pool).await?;
     let settings = Settings::get_settings(&appstate.pool).await?;
+    let license = appstate
+        .license
+        .lock()
+        .expect("Failed to acquire lock on the license.");
+    info!("license: {:?}", license);
+    let enterprise = validate_license((*license).as_ref()).is_ok();
+    info!("enterprise: {}", enterprise);
     let res = AppInfo {
         network_present: !networks.is_empty(),
         smtp_enabled: settings.smtp_configured(),
         version: VERSION.into(),
+        enterprise,
     };
 
     Ok(ApiResponse::new(json!(res), StatusCode::OK))
diff --git a/src/handlers/mod.rs b/src/handlers/mod.rs
index 0612666d9a..a61aafdece 100644
--- a/src/handlers/mod.rs
+++ b/src/handlers/mod.rs
@@ -105,6 +105,14 @@ impl From<WebError> for ApiResponse {
                     StatusCode::INTERNAL_SERVER_ERROR,
                 )
             }
+            WebError::LicenseError(err) => {
+                error!("License error: {err}");
+                ApiResponse::new(
+                    // FIXME: Come up with a better error code
+                    json!({"msg": "Internal server error"}),
+                    StatusCode::INTERNAL_SERVER_ERROR,
+                )
+            }
         }
     }
 }
diff --git a/src/handlers/settings.rs b/src/handlers/settings.rs
index 1185317849..3ec27b6d40 100644
--- a/src/handlers/settings.rs
+++ b/src/handlers/settings.rs
@@ -1,3 +1,5 @@
+use std::ops::Not;
+
 use axum::{
     extract::{Json, Path, State},
     http::StatusCode,
@@ -12,6 +14,7 @@ use crate::{
         models::settings::{SettingsEssentials, SettingsPatch},
         Settings,
     },
+    enterprise::license::{self, update_cached_license, License},
     error::WebError,
     ldap::LDAPConnection,
     AppState,
@@ -48,6 +51,7 @@ pub async fn update_settings(
     Json(mut data): Json<Settings>,
 ) -> ApiResult {
     debug!("User {} updating settings", session.user.username);
+    update_cached_license(data.license.as_deref(), appstate.license)?;
     data.id = Some(1);
     data.save(&appstate.pool).await?;
     info!("User {} updated settings", session.user.username);
@@ -108,6 +112,13 @@ pub async fn patch_settings(
 ) -> ApiResult {
     debug!("Admin {} patching settings.", &session.user.username);
     let mut settings = Settings::get_settings(&appstate.pool).await?;
+
+    // Handle updating the cached license
+    if let Some(license_key) = &data.license {
+        info!("Patching license: {:?}", license_key);
+        update_cached_license(license_key.as_deref(), appstate.license)?;
+    };
+
     settings.apply(data);
     settings.save(&appstate.pool).await?;
     info!("Admin {} patched settings.", &session.user.username);
diff --git a/src/lib.rs b/src/lib.rs
index 470016563d..ddd14d19c3 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -17,6 +17,7 @@ use enterprise::handlers::{
     openid_login::{auth_callback, get_auth_info},
     openid_providers::{add_openid_provider, delete_openid_provider, get_current_openid_provider},
 };
+use enterprise::license;
 use handlers::ssh_authorized_keys::{
     add_authentication_key, delete_authentication_key, fetch_authentication_keys,
 };
@@ -26,7 +27,6 @@ use handlers::{
     yubikey::{delete_yubikey, rename_yubikey},
 };
 use ipnetwork::IpNetwork;
-use license::License;
 use secrecy::ExposeSecret;
 use tokio::{
     net::TcpListener,
@@ -290,6 +290,7 @@ pub fn build_webapp(
     user_agent_parser: Arc<UserAgentParser>,
     failed_logins: Arc<Mutex<FailedLoginMap>>,
     license: Arc<Mutex<Option<License>>>,
+    enterprise_enabled: bool,
 ) -> Router {
     let webapp: Router<AppState> = Router::new()
         .route("/", get(index))
@@ -408,7 +409,6 @@ pub fn build_webapp(
             // ldap
             .route("/ldap/test", get(test_ldap_settings)),
     );
-    let enterprise_enabled = true;
 
     let webapp = if enterprise_enabled {
         webapp.nest(
@@ -532,6 +532,7 @@ pub async fn run_web_server(
     user_agent_parser: Arc<UserAgentParser>,
     failed_logins: Arc<Mutex<FailedLoginMap>>,
     license: Arc<Mutex<Option<License>>>,
+    enterprise_enabled: bool,
 ) -> Result<(), anyhow::Error> {
     let webapp = build_webapp(
         webhook_tx,
@@ -544,6 +545,7 @@ pub async fn run_web_server(
         user_agent_parser,
         failed_logins,
         license,
+        enterprise_enabled,
     );
     info!("Started web services");
     let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::UNSPECIFIED), server_config().http_port);
diff --git a/src/license.rs b/src/license.rs
deleted file mode 100644
index fd1a9cf2d6..0000000000
--- a/src/license.rs
+++ /dev/null
@@ -1,232 +0,0 @@
-use std::collections::HashMap;
-
-use anyhow::Result;
-use chrono::{DateTime, Utc};
-use rsa::pkcs8::DecodePublicKey;
-use serde_cbor::Value;
-// use rsa::{pkcs8::FromPublicKey, PaddingScheme, PublicKey, RsaPublicKey};
-
-use crate::db::{DbPool, Settings};
-use base64::prelude::*;
-use pgp::{Deserializable, Message as PGPMessage, SignedPublicKey, StandaloneSignature};
-use prost::Message;
-use tonic::codec::{Decoder, Encoder};
-
-// mod proto {
-//     tonic::include_proto!("license");
-// }
-tonic::include_proto!("license");
-
-#[allow(dead_code)]
-pub(crate) const PUBLIC_KEY: &str = "-----BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQENBGag50MBCACnwL6q6K4Hkq/HrKn3O/mfvOcqv39AyEuLbXYxsnQM0qYlNvsv
-1QkLuQU9mv0JJapUxayBDBn4YxskJXv8ooYjqjz6UkbpxCRlCgt4HaKKm+Al84J1
-PZydvFD54PJA+LdnwVL2m0ozVgfqUSL4WWBTiXdKXQF6aUYyaQ/Y32sqcqToNApk
-LIux5cN5OMYAsP5L2gvNrU6q43aoeC4JnnCRNLEFvgliQ/Oflwil4V+sgj1ojowq
-3YEz9jAtJL4Lo0oxoq/4zOKm+3lbQKos1CJ3D6a6rAuU3WO+WOSoV0xeoL4cEqk9
-Ki8RDfCt/CE1sO0SJp8dlwGP0UjXrtBlKSX3ABEBAAG0CmFsZWtzYW5kZXKJAVEE
-EwEKADsWIQRMKEFZKKzXbMAJKQTiMv6QHne+nAUCZqDnQwIbAwULCQgHAgIiAgYV
-CgkICwIEFgIDAQIeBwIXgAAKCRDiMv6QHne+nP46B/9OErI9eC1h5M/awsyO4HRy
-0QJ8CkBXi4NuRusw1Q1Pmku0ah+3aFagAjZQmHOiUOFHJ7GGU/Lg49riS2UWI/6V
-3ZcqVBoTf6ifw/8jUfP/5AXnLOMBK+iomwyRPC7adEOrJYfOECzTr9E3YA4OChCi
-OKWkgbaj/g8r9OiQeec90GKlB1gAZ7skpI1Xqfjpu0xbQardMP0rhI3TCYmoQuKA
-FisQ3QdUa9UxL8OJJByYagdDyW94C7Nr8wlwY7qu3vSlyGC2NMnHCjTnJcxe2Sof
-nCtfzhBu6w0A+AetdsgbfKNUyWcjj1d+wqDtK3cyYSxkz+4P3rb7vcfF9fvhSPiR
-uQENBGag50MBCAC3uF9DDoQn4nqFDSOcLQRteHTgkBRhq12DRQZFJc6i5n8rgkXf
-Q4lW0PQaBp5mUA/w+vB1u6Gsv/ywnxfG0D9owYmXzUxEd94DTXesOSuuqpSpv+4p
-pz8yrFAvd/HwHFvk0aNtMv3nI8x3WyXo4OG1L3im6oloNe/dmLR3qiEgyPXf+Z13
-WyyrgUdL2sKSEvT9WwbfsKrYuP+MtUYFosTGgDx6uRe3GjJPA6KPLDD7ulkimfM2
-tMV6VF9zcd+RTpcULYlsd0ikKqgpyGl99QETSjqHQWEm0IMVvTm9ogq56zfC5epv
-dIVcTwnq9GHM5oCHBvuUjGnsYmEAn4cqaNrVABEBAAGJATYEGAEKACAWIQRMKEFZ
-KKzXbMAJKQTiMv6QHne+nAUCZqDnQwIbIAAKCRDiMv6QHne+nHmpCACRxdE3V7ez
-wRjQja8fk/wOc/eCEJBo4IxEoA1Gdbr+d1k3Bg+vTKAs9ox3JOD3j8RXDmpDi0Cu
-1XiN55Sd28XKxtFEOsNhoM32Y3oha6x8/FlAt/UdGMQgsYWoYkH/2bFWKG+xuJ7o
-+7qwm6fC9LSzQ94uV8CeeM5VUCKC33ppZNjeCCXtsznirARDacACip1ZlT8ydNYR
-U/otbVsYYul1UItWzRHIQlFrnxqpS1YUDE4a5HLeWyi/v5CQYBycZ292eV7k0z/B
-sSNe9GzKBvbx9g9hlpEZ9IQeRnuIwEHRmQ2BhrHuzXjgCc9J/JUWrBn+iuS2GZ7O
-AlDzRbsWdW2suQENBGag50MBCADEPLMX/q3BmZFTIOPn5/O7AYXfQC865DOmOp7t
-Xpens2IMKaL+RL77DIL+FUQzS95hwgAyawhZEAj2VY1k6BtKROSarLuARlI/ZLkr
-3OlPBKq0VRbWnn3Qk0rmtoYC7DUD3XWuR5+n0sdxniQo8F+Xwq0ZCZmex7bN8DXP
-r9ejoNZAmEOqqMIWQy/Blc9BkStqS6WHW0EimzSsHuJbaA1ZbMLr0fES/l8FVhjX
-YBOPY3TqXkbeM3FSjDzLGCTkT0sKPlTluFdqNWKZ+tDW6Pt7PtwEt2gRQdS69+pV
-POcU7uEQiE06TWWYxTS+i+xEq106xXs2tucTSV1R0KN3Ry/9ABEBAAGJATYEGAEK
-ACAWIQRMKEFZKKzXbMAJKQTiMv6QHne+nAUCZqDnQwIbDAAKCRDiMv6QHne+nAbo
-CACTVse/+QQD5jW0sGguDLJOwgSLTeqnHV+AuVGVIDzIUNFKa691gZi8N1OJfdVn
-lqOvsyAFjPrg/1SB8x2O3kMvdrOK9K9hvACn44BxTDfRfOS/XeJCGxja10ii9wE+
-Ykl/OuCehh1kz9zIQrFvVZDgpGIUFUSSqTIfvvPsyiOJ+ADooZ80IBtDnN6qyjdl
-+ioitVO0bgywfL8ze+2C82xNdjYS/FbAVi3YNgaagQbzkm4BK9w3hQqMkYXizyH1
-OOJ7mYSVH5oXyiNhU0hq8JWmFHRCHaRivHsUj9WqS/szv0ixKjQEf4EMztolzfpg
-+QmJLVFn5xVR6dGteYW7/05e
-=06W7
------END PGP PUBLIC KEY BLOCK-----
-";
-
-#[derive(Debug, Serialize, Deserialize)]
-pub enum LicenseError {
-    InvalidLicense,
-}
-
-#[derive(Debug, Serialize, Deserialize)]
-struct RefreshRequestResponse {
-    key: String,
-}
-
-#[derive(Debug, Serialize, Deserialize, Clone)]
-pub struct License {
-    pub customer_id: String,
-    pub subscription: bool,
-    // TODO(aleksander): valid until should be optional?
-    pub valid_until: DateTime<Utc>,
-}
-
-impl License {
-    pub fn new(customer_id: String, subscription: bool, valid_until: DateTime<Utc>) -> Self {
-        Self {
-            customer_id,
-            subscription,
-            valid_until,
-        }
-    }
-
-    /// Fetch a license from the license server
-    async fn exchange(db_pool: &DbPool) -> Result<String, LicenseError> {
-        let old_license_key = Settings::get_settings(db_pool)
-            .await
-            .unwrap()
-            .license
-            .unwrap();
-
-        let client = reqwest::Client::new();
-
-        let request_body = RefreshRequestResponse {
-            key: old_license_key,
-        };
-
-        let new_license_key = match client
-            .post("http://localhost:8002/api/license/refresh")
-            .json(&request_body)
-            .send()
-            .await
-        {
-            Ok(response) => {
-                let response: RefreshRequestResponse = response.json().await.unwrap();
-                response.key
-            }
-            Err(_) => return Err(LicenseError::InvalidLicense),
-        };
-
-        Ok(new_license_key)
-    }
-
-    fn decode(bytes: &[u8]) -> Result<Vec<u8>> {
-        let bytes = BASE64_STANDARD.decode(bytes).unwrap();
-        Ok(bytes)
-    }
-
-    fn from_base64(key: &str) -> Result<License, LicenseError> {
-        let bytes = key.as_bytes();
-        let decoded = Self::decode(bytes).unwrap();
-        let slice: &[u8] = &decoded;
-
-        let license_key = LicenseKey::decode(slice).unwrap();
-        let metadata = license_key.metadata.unwrap();
-        let signature = license_key.signature.unwrap();
-
-        let (public_key, _headers_public) = SignedPublicKey::from_string(PUBLIC_KEY).unwrap();
-
-        let metadata_bytes = metadata.encode_to_vec();
-
-        let sig = StandaloneSignature::from_bytes(signature.signature.as_slice()).unwrap();
-
-        match sig.verify(&public_key, metadata_bytes.as_slice()) {
-            Ok(_) => {
-                println!("Signature is valid");
-
-                Ok(License::new(
-                    metadata.customer_id,
-                    metadata.subscription,
-                    DateTime::from_timestamp(metadata.valid_until, 0)
-                        // check if we should really use unwrap or default
-                        .unwrap_or_default(),
-                ))
-            }
-            Err(_) => {
-                println!("Signature is invalid");
-                Err(LicenseError::InvalidLicense)
-            }
-        }
-    }
-
-    /// Load a license from the database
-    async fn get_key_from_database(pool: &DbPool) -> Result<Option<String>, LicenseError> {
-        let settings = Settings::get_settings(pool).await.unwrap();
-        Ok(settings.license)
-    }
-
-    pub async fn load(pool: &DbPool) -> Result<Option<License>, LicenseError> {
-        match Self::get_key_from_database(pool).await.unwrap() {
-            Some(key) => Ok(Some(Self::from_base64(&key).unwrap())),
-            None => {
-                info!("No license key found in the database");
-                Ok(None)
-            }
-        }
-    }
-
-    pub fn is_expired(&self) -> bool {
-        self.valid_until > Utc::now()
-    }
-
-    // pub async fn load(pool: &DbPool) -> Result<String, LicenseError> {
-    //     let key = match Self::get_from_database(pool).await.unwrap() {
-    //         Some(key) => key,
-    //         None => return Err(LicenseError::InvalidLicense),
-    //     };
-
-    //     Self::from_base64(&key).unwrap();
-
-    //     println!("{:?}", key);
-
-    //     // let new_key = Self::exchange(pool).await.unwrap();
-
-    //     // println!("{:?}", new_key);
-
-    //     // let bytes = Self::fetch().await.unwrap();
-
-    //     // let decoded = Self::decode(&bytes).unwrap();
-
-    //     // let slice: &[u8] = &decoded;
-
-    //     // let msg = PGPMessage::from_bytes(slice).unwrap();
-
-    //     // let (public_key, _headers_public) = SignedPublicKey::from_string(PUBLIC_KEY).unwrap();
-
-    //     // match msg.verify(&public_key) {
-    //     //     Ok(_) => println!("Signature verified"),
-    //     //     Err(e) => {
-    //     //         println!("Signature not verified: {:?}", e);
-    //     //         return Err(LicenseError::InvalidLicense);
-    //     //     }
-    //     // };
-
-    //     // let content = msg.get_content().unwrap().unwrap();
-
-    //     // let content = content.as_slice();
-
-    //     // let license_metadata: LicenseMetadata = LicenseMetadata::decode(content).unwrap();
-
-    //     // println!("{:?}", license_metadata);
-
-    //     Ok("".to_string())
-    // }
-
-    // fn check(&self) -> Result<(), Error> {
-    //     let (public_key, _headers_public) = SignedPublicKey::from_string(PUBLIC_KEY).unwrap();
-    //     let (signature, _) = StandaloneSignature::from_string(SIGNATURE).unwrap();
-
-    //     signature.verify(&public_key, &self.fields_concatenated()).unwrap();
-
-    //     Ok(())
-    // }
-}
diff --git a/web/src/components/AppLoader.tsx b/web/src/components/AppLoader.tsx
index 0e87e4a4d8..37f377934e 100644
--- a/web/src/components/AppLoader.tsx
+++ b/web/src/components/AppLoader.tsx
@@ -56,6 +56,7 @@ export const AppLoader = () => {
 
   useQuery([QueryKeys.FETCH_APP_INFO], getAppInfo, {
     onSuccess: (data) => {
+      console.log('App Info:', data);
       setAppStore({ appInfo: data });
     },
     onError: (err) => {
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index 0b7e4221d5..d7334fe0e4 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -1041,6 +1041,18 @@ const en: BaseTranslation = {
           </a>
 			`,
     },
+    license: {
+      header: 'Enterprise',
+      form: {
+        title: 'License',
+        fields: {
+          key: {
+            label: 'License key',
+            placeholder: 'Your Defguard license key',
+          },
+        },
+      },
+    },
     smtp: {
       form: {
         title: 'SMTP configuration',
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index 27fd686ad4..851afa7dba 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -2522,6 +2522,30 @@ type RootTranslation = {
 			 */
 			helper: RequiredParams<'documentationLink'>
 		}
+		license: {
+			/**
+			 * E​n​t​e​r​p​r​i​s​e
+			 */
+			header: string
+			form: {
+				/**
+				 * L​i​c​e​n​s​e
+				 */
+				title: string
+				fields: {
+					key: {
+						/**
+						 * L​i​c​e​n​s​e​ ​k​e​y
+						 */
+						label: string
+						/**
+						 * Y​o​u​r​ ​D​e​f​g​u​a​r​d​ ​l​i​c​e​n​s​e​ ​k​e​y
+						 */
+						placeholder: string
+					}
+				}
+			}
+		}
 		smtp: {
 			form: {
 				/**
@@ -6507,6 +6531,30 @@ export type TranslationFunctions = {
 			 */
 			helper: (arg: { documentationLink: string }) => LocalizedString
 		}
+		license: {
+			/**
+			 * Enterprise
+			 */
+			header: () => LocalizedString
+			form: {
+				/**
+				 * License
+				 */
+				title: () => LocalizedString
+				fields: {
+					key: {
+						/**
+						 * License key
+						 */
+						label: () => LocalizedString
+						/**
+						 * Your Defguard license key
+						 */
+						placeholder: () => LocalizedString
+					}
+				}
+			}
+		}
 		smtp: {
 			form: {
 				/**
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 53484b6311..9b097782f1 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -1028,6 +1028,18 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
           </a>
 			`,
     },
+    license: {
+      header: 'Funkcje enterprise',
+      form: {
+        title: 'Licencja',
+        fields: {
+          key: {
+            label: 'Klucz licencji',
+            placeholder: 'Klucz licencji dla twojej instancji Defguard',
+          },
+        },
+      },
+    },
     smtp: {
       form: {
         title: 'Ustawienia',
diff --git a/web/src/pages/auth/AuthPage.tsx b/web/src/pages/auth/AuthPage.tsx
index 950934b20e..c2c015fcfa 100644
--- a/web/src/pages/auth/AuthPage.tsx
+++ b/web/src/pages/auth/AuthPage.tsx
@@ -48,6 +48,7 @@ export const AuthPage = () => {
   const toaster = useToaster();
 
   const setAppStore = useAppStore((state) => state.setState);
+  const appInfo = useAppStore((state) => state.appInfo);
 
   const [params] = useSearchParams();
   const redirectUrl = params.get('r');
@@ -153,7 +154,7 @@ export const AuthPage = () => {
         <Route path="/" element={<Navigate to="login" />} />
         <Route path="login" element={<Login />} />
         <Route path="mfa/*" element={<MFARoute />} />
-        <Route path="callback" element={<OpenIDCallback />} />
+        {appInfo?.enterprise && <Route path="callback" element={<OpenIDCallback />} />}
         <Route path="*" element={<Navigate to="login" />} />
       </Routes>
     </div>
diff --git a/web/src/pages/auth/Login/Login.tsx b/web/src/pages/auth/Login/Login.tsx
index 6d6a46a152..6187e2ce20 100644
--- a/web/src/pages/auth/Login/Login.tsx
+++ b/web/src/pages/auth/Login/Login.tsx
@@ -23,6 +23,7 @@ import { QueryKeys } from '../../../shared/queries';
 import { LoginData } from '../../../shared/types';
 import { trimObjectStrings } from '../../../shared/utils/trimObjectStrings';
 import { OpenIdLoginButton } from './components/OidcButtons';
+import { useAppStore } from '../../../shared/hooks/store/useAppStore';
 
 type Inputs = {
   username: string;
@@ -38,7 +39,9 @@ export const Login = () => {
     },
   } = useApi();
 
+  const appInfo = useAppStore((state) => state.appInfo);
   const { data: openIdInfo, isLoading: openIdLoading } = useQuery({
+    enabled: appInfo?.enterprise,
     queryKey: [QueryKeys.FETCH_OPENID_INFO],
     queryFn: getOpenidInfo,
     refetchOnMount: true,
@@ -127,7 +130,9 @@ export const Login = () => {
               text={LL.form.login()}
               data-testid="login-form-submit"
             />
-            {openIdInfo && <OpenIdLoginButton url={openIdInfo.url} />}
+            {appInfo?.enterprise && openIdInfo && (
+              <OpenIdLoginButton url={openIdInfo.url} />
+            )}
           </form>
         </>
       ) : (
diff --git a/web/src/pages/settings/SettingsPage.tsx b/web/src/pages/settings/SettingsPage.tsx
index 8c2b8e1afb..17d9b62c15 100644
--- a/web/src/pages/settings/SettingsPage.tsx
+++ b/web/src/pages/settings/SettingsPage.tsx
@@ -17,6 +17,7 @@ import { LdapSettings } from './components/LdapSettings/LdapSettings';
 import { OpenIdSettings } from './components/OpenIdSettings/OpenIdSettings';
 import { SmtpSettings } from './components/SmtpSettings/SmtpSettings';
 import { useSettingsPage } from './hooks/useSettingsPage';
+import { useAppStore } from '../../shared/hooks/store/useAppStore';
 
 const tabsContent: ReactNode[] = [
   <GlobalSettings key={0} />,
@@ -40,6 +41,8 @@ export const SettingsPage = () => {
 
   const settings = useSettingsPage((state) => state.settings);
 
+  const appInfo = useAppStore((state) => state.appInfo);
+
   const { data: settingsData, isLoading } = useQuery({
     queryFn: getSettings,
     queryKey: [QueryKeys.FETCH_SETTINGS],
@@ -47,8 +50,8 @@ export const SettingsPage = () => {
     refetchOnWindowFocus: false,
   });
 
-  const tabs = useMemo(
-    (): CardTabsData[] => [
+  const tabs = useMemo((): CardTabsData[] => {
+    let tabs = [
       {
         key: 0,
         content: LL.settingsPage.tabs.global(),
@@ -73,9 +76,15 @@ export const SettingsPage = () => {
         active: activeCard === 3,
         onClick: () => setActiveCard(3),
       },
-    ],
-    [LL.settingsPage.tabs, activeCard],
-  );
+    ];
+
+    // Fitler out enterprise tabs if not enterprise
+    if (!appInfo?.enterprise) {
+      tabs = tabs.filter((tab) => tab.key !== 3);
+    }
+
+    return tabs;
+  }, [LL.settingsPage.tabs, activeCard, appInfo?.enterprise]);
 
   // set store
   useEffect(() => {
diff --git a/web/src/pages/settings/components/GlobalSettings/GlobalSettings.tsx b/web/src/pages/settings/components/GlobalSettings/GlobalSettings.tsx
index d641199739..8c0680d5c4 100644
--- a/web/src/pages/settings/components/GlobalSettings/GlobalSettings.tsx
+++ b/web/src/pages/settings/components/GlobalSettings/GlobalSettings.tsx
@@ -1,4 +1,5 @@
 import { BrandingSettings } from './components/BrandingSettings/BrandingSettings';
+import { LicenseSettings } from './components/LicenseSettings/LicenseSettings';
 import { ModulesSettings } from './components/ModulesSettings/ModulesSettings';
 import { Web3Settings } from './components/Web3Settings/Web3Settings';
 
@@ -10,6 +11,7 @@ export const GlobalSettings = () => (
     </div>
     <div className="right">
       <Web3Settings />
+      <LicenseSettings />
     </div>
   </>
 );
diff --git a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
new file mode 100644
index 0000000000..81a92a736d
--- /dev/null
+++ b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
@@ -0,0 +1,118 @@
+import './styles.scss';
+
+import { zodResolver } from '@hookform/resolvers/zod';
+import { useMutation, useQueryClient } from '@tanstack/react-query';
+import parse from 'html-react-parser';
+import { useEffect, useMemo } from 'react';
+import { SubmitHandler, useForm } from 'react-hook-form';
+import { useBreakpoint } from 'use-breakpoint';
+import { z } from 'zod';
+
+import { useI18nContext } from '../../../../../../i18n/i18n-react';
+import IconCheckmarkWhite from '../../../../../../shared/components/svg/IconCheckmarkWhite';
+import { deviceBreakpoints } from '../../../../../../shared/constants';
+import { FormInput } from '../../../../../../shared/defguard-ui/components/Form/FormInput/FormInput';
+import { Button } from '../../../../../../shared/defguard-ui/components/Layout/Button/Button';
+import {
+  ButtonSize,
+  ButtonStyleVariant,
+} from '../../../../../../shared/defguard-ui/components/Layout/Button/types';
+import { Card } from '../../../../../../shared/defguard-ui/components/Layout/Card/Card';
+import { Helper } from '../../../../../../shared/defguard-ui/components/Layout/Helper/Helper';
+import useApi from '../../../../../../shared/hooks/useApi';
+import { useToaster } from '../../../../../../shared/hooks/useToaster';
+import { externalLink } from '../../../../../../shared/links';
+import { MutationKeys } from '../../../../../../shared/mutations';
+import { QueryKeys } from '../../../../../../shared/queries';
+import { Settings } from '../../../../../../shared/types';
+import { useSettingsPage } from '../../../../hooks/useSettingsPage';
+
+type FormFields = {
+  license: string;
+};
+
+export const LicenseSettings = () => {
+  const { LL } = useI18nContext();
+  const toaster = useToaster();
+  const {
+    settings: { patchSettings },
+  } = useApi();
+
+  const settings = useSettingsPage((state) => state.settings);
+
+  const queryClient = useQueryClient();
+  const { breakpoint } = useBreakpoint(deviceBreakpoints);
+
+  const { mutate, isLoading } = useMutation(patchSettings, {
+    onSuccess: () => {
+      toaster.success(LL.settingsPage.messages.editSuccess());
+      queryClient.invalidateQueries([QueryKeys.FETCH_SETTINGS]);
+      queryClient.invalidateQueries([QueryKeys.FETCH_APP_INFO]);
+    },
+    onError: (err) => {
+      toaster.error(LL.messages.error());
+      console.error(err);
+    },
+  });
+
+  const zodSchema = useMemo(
+    () =>
+      z.object({
+        license: z.string(),
+      }),
+    [],
+  );
+
+  const defaultValues = useMemo((): FormFields => {
+    return {
+      license: settings?.license || '',
+    };
+  }, [settings?.license]);
+
+  const { control, handleSubmit, reset } = useForm<Settings>({
+    defaultValues,
+    mode: 'all',
+    resolver: zodResolver(zodSchema),
+  });
+
+  useEffect(() => {
+    reset();
+  }, [reset, defaultValues]);
+
+  const onSubmit: SubmitHandler<FormFields> = (submitted) => {
+    mutate(submitted);
+  };
+
+  return (
+    <section id="license-settings">
+      <header>
+        <h2>{LL.settingsPage.license.header()}</h2>
+      </header>
+      <Card shaded bordered>
+        <div className="controls">
+          <h3>{LL.settingsPage.license.form.title()}:</h3>
+          <Button
+            form="license-form"
+            text={
+              breakpoint !== 'mobile'
+                ? LL.settingsPage.instanceBranding.form.controls.submit()
+                : undefined
+            }
+            icon={<IconCheckmarkWhite />}
+            size={ButtonSize.SMALL}
+            styleVariant={ButtonStyleVariant.SAVE}
+            loading={isLoading}
+            type="submit"
+          />
+        </div>
+        <form id="license-form" onSubmit={handleSubmit(onSubmit)}>
+          <FormInput
+            label={LL.settingsPage.license.form.fields.key.label()}
+            controller={{ control, name: 'license' }}
+            placeholder={LL.settingsPage.license.form.fields.key.placeholder()}
+          />
+        </form>
+      </Card>
+    </section>
+  );
+};
diff --git a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/styles.scss b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/styles.scss
new file mode 100644
index 0000000000..7a1fc6bb76
--- /dev/null
+++ b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/styles.scss
@@ -0,0 +1,12 @@
+@use '@scssutils' as *;
+
+#license-settings {
+  & > .card {
+    display: flex;
+    flex-flow: column;
+    row-gap: 16px;
+    @include media-breakpoint-up(lg) {
+      padding: 16px 15px;
+    }
+  }
+}
diff --git a/web/src/shared/types.ts b/web/src/shared/types.ts
index 2a641e8223..6e27323330 100644
--- a/web/src/shared/types.ts
+++ b/web/src/shared/types.ts
@@ -360,6 +360,7 @@ export interface AppInfo {
   version: string;
   network_present: boolean;
   smtp_enabled: boolean;
+  enterprise: boolean;
 }
 
 export type GetDeviceConfigRequest = {
@@ -804,7 +805,8 @@ export type Settings = SettingsModules &
   SettingsEnrollment &
   SettingsBranding &
   SettingsLDAP &
-  SettingsOpenID;
+  SettingsOpenID &
+  SettingsLicense;
 
 // essentials for core frontend, includes only those that are required for frontend operations
 export type SettingsEssentials = SettingsModules & SettingsBranding;
@@ -861,6 +863,10 @@ export type SettingsOpenID = {
   openid_create_account: boolean;
 };
 
+export type SettingsLicense = {
+  license: string;
+};
+
 export interface Webhook {
   id: string;
   url: string;

From 98cc1a7a4e839142be5f367591f707c6b54b2e58 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Thu, 8 Aug 2024 14:10:29 +0200
Subject: [PATCH 40/73] cleanup

---
 src/enterprise/handlers/mod.rs          | 14 +----
 src/enterprise/handlers/openid_login.rs |  1 -
 src/enterprise/license.rs               | 72 +++++++------------------
 src/handlers/app_info.rs                |  3 +-
 src/handlers/settings.rs                |  3 +-
 src/lib.rs                              | 16 +++---
 tests/common/mod.rs                     | 11 ++++
 7 files changed, 42 insertions(+), 78 deletions(-)

diff --git a/src/enterprise/handlers/mod.rs b/src/enterprise/handlers/mod.rs
index c861cf8944..fabb4ecf9f 100644
--- a/src/enterprise/handlers/mod.rs
+++ b/src/enterprise/handlers/mod.rs
@@ -1,30 +1,18 @@
-use crate::enterprise::license::{validate_license, License};
+use crate::enterprise::license::validate_license;
 
 pub mod openid_login;
 pub mod openid_providers;
 
-use std::{
-    env,
-    time::{Duration, SystemTime},
-};
 
 use axum::{
     async_trait,
     extract::{FromRef, FromRequestParts},
     http::request::Parts,
 };
-use axum_extra::extract::cookie::CookieJar;
-use jsonwebtoken::{
-    decode, encode, errors::Error as JWTError, DecodingKey, EncodingKey, Header, Validation,
-};
-use serde::{Deserialize, Serialize};
 
 use crate::{
     appstate::AppState,
-    db::{Group, OAuth2AuthorizedApp, OAuth2Token, Session, SessionState, User},
     error::WebError,
-    handlers::SESSION_COOKIE_NAME,
-    server_config,
 };
 
 pub struct LicenseInfo {
diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 53e14f401b..a77456fe00 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -25,7 +25,6 @@ use openidconnect::{AuthenticationFlow, CsrfToken, EmptyAdditionalClaims, IdToke
 use crate::appstate::AppState;
 use crate::db::{DbPool, MFAInfo, Session, SessionState, Settings, User, UserInfo};
 use crate::enterprise::db::models::openid_provider::OpenIdProvider;
-use crate::enterprise::license::License;
 use crate::error::WebError;
 use crate::handlers::user::check_username;
 use crate::handlers::{ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_COOKIE_NAME};
diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index b3a0777031..00dbe76ec9 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -1,74 +1,40 @@
 use std::{
-    collections::HashMap,
     sync::{Arc, Mutex},
     time::Duration,
 };
 
 use anyhow::Result;
 use chrono::{DateTime, TimeDelta, Utc};
-use rsa::pkcs8::DecodePublicKey;
-use serde_cbor::Value;
 use tokio::time::sleep;
 // use rsa::{pkcs8::FromPublicKey, PaddingScheme, PublicKey, RsaPublicKey};
 
-use crate::{
-    db::{DbPool, Settings},
-    grpc::gateway::update,
-    license,
-};
-use base64::{prelude::*, DecodeError};
-use pgp::{Deserializable, Message as PGPMessage, SignedPublicKey, StandaloneSignature};
+use crate::db::{DbPool, Settings};
+use base64::prelude::*;
+use pgp::{Deserializable, SignedPublicKey, StandaloneSignature};
 use prost::Message;
 use sqlx::error::Error as SqlxError;
 use thiserror::Error;
-use tonic::codec::{Decoder, Encoder};
-// mod proto {
-//     tonic::include_proto!("license");
-// }
+
 tonic::include_proto!("license");
 
 #[allow(dead_code)]
 pub(crate) const PUBLIC_KEY: &str = "-----BEGIN PGP PUBLIC KEY BLOCK-----
 
-mQENBGag50MBCACnwL6q6K4Hkq/HrKn3O/mfvOcqv39AyEuLbXYxsnQM0qYlNvsv
-1QkLuQU9mv0JJapUxayBDBn4YxskJXv8ooYjqjz6UkbpxCRlCgt4HaKKm+Al84J1
-PZydvFD54PJA+LdnwVL2m0ozVgfqUSL4WWBTiXdKXQF6aUYyaQ/Y32sqcqToNApk
-LIux5cN5OMYAsP5L2gvNrU6q43aoeC4JnnCRNLEFvgliQ/Oflwil4V+sgj1ojowq
-3YEz9jAtJL4Lo0oxoq/4zOKm+3lbQKos1CJ3D6a6rAuU3WO+WOSoV0xeoL4cEqk9
-Ki8RDfCt/CE1sO0SJp8dlwGP0UjXrtBlKSX3ABEBAAG0CmFsZWtzYW5kZXKJAVEE
-EwEKADsWIQRMKEFZKKzXbMAJKQTiMv6QHne+nAUCZqDnQwIbAwULCQgHAgIiAgYV
-CgkICwIEFgIDAQIeBwIXgAAKCRDiMv6QHne+nP46B/9OErI9eC1h5M/awsyO4HRy
-0QJ8CkBXi4NuRusw1Q1Pmku0ah+3aFagAjZQmHOiUOFHJ7GGU/Lg49riS2UWI/6V
-3ZcqVBoTf6ifw/8jUfP/5AXnLOMBK+iomwyRPC7adEOrJYfOECzTr9E3YA4OChCi
-OKWkgbaj/g8r9OiQeec90GKlB1gAZ7skpI1Xqfjpu0xbQardMP0rhI3TCYmoQuKA
-FisQ3QdUa9UxL8OJJByYagdDyW94C7Nr8wlwY7qu3vSlyGC2NMnHCjTnJcxe2Sof
-nCtfzhBu6w0A+AetdsgbfKNUyWcjj1d+wqDtK3cyYSxkz+4P3rb7vcfF9fvhSPiR
-uQENBGag50MBCAC3uF9DDoQn4nqFDSOcLQRteHTgkBRhq12DRQZFJc6i5n8rgkXf
-Q4lW0PQaBp5mUA/w+vB1u6Gsv/ywnxfG0D9owYmXzUxEd94DTXesOSuuqpSpv+4p
-pz8yrFAvd/HwHFvk0aNtMv3nI8x3WyXo4OG1L3im6oloNe/dmLR3qiEgyPXf+Z13
-WyyrgUdL2sKSEvT9WwbfsKrYuP+MtUYFosTGgDx6uRe3GjJPA6KPLDD7ulkimfM2
-tMV6VF9zcd+RTpcULYlsd0ikKqgpyGl99QETSjqHQWEm0IMVvTm9ogq56zfC5epv
-dIVcTwnq9GHM5oCHBvuUjGnsYmEAn4cqaNrVABEBAAGJATYEGAEKACAWIQRMKEFZ
-KKzXbMAJKQTiMv6QHne+nAUCZqDnQwIbIAAKCRDiMv6QHne+nHmpCACRxdE3V7ez
-wRjQja8fk/wOc/eCEJBo4IxEoA1Gdbr+d1k3Bg+vTKAs9ox3JOD3j8RXDmpDi0Cu
-1XiN55Sd28XKxtFEOsNhoM32Y3oha6x8/FlAt/UdGMQgsYWoYkH/2bFWKG+xuJ7o
-+7qwm6fC9LSzQ94uV8CeeM5VUCKC33ppZNjeCCXtsznirARDacACip1ZlT8ydNYR
-U/otbVsYYul1UItWzRHIQlFrnxqpS1YUDE4a5HLeWyi/v5CQYBycZ292eV7k0z/B
-sSNe9GzKBvbx9g9hlpEZ9IQeRnuIwEHRmQ2BhrHuzXjgCc9J/JUWrBn+iuS2GZ7O
-AlDzRbsWdW2suQENBGag50MBCADEPLMX/q3BmZFTIOPn5/O7AYXfQC865DOmOp7t
-Xpens2IMKaL+RL77DIL+FUQzS95hwgAyawhZEAj2VY1k6BtKROSarLuARlI/ZLkr
-3OlPBKq0VRbWnn3Qk0rmtoYC7DUD3XWuR5+n0sdxniQo8F+Xwq0ZCZmex7bN8DXP
-r9ejoNZAmEOqqMIWQy/Blc9BkStqS6WHW0EimzSsHuJbaA1ZbMLr0fES/l8FVhjX
-YBOPY3TqXkbeM3FSjDzLGCTkT0sKPlTluFdqNWKZ+tDW6Pt7PtwEt2gRQdS69+pV
-POcU7uEQiE06TWWYxTS+i+xEq106xXs2tucTSV1R0KN3Ry/9ABEBAAGJATYEGAEK
-ACAWIQRMKEFZKKzXbMAJKQTiMv6QHne+nAUCZqDnQwIbDAAKCRDiMv6QHne+nAbo
-CACTVse/+QQD5jW0sGguDLJOwgSLTeqnHV+AuVGVIDzIUNFKa691gZi8N1OJfdVn
-lqOvsyAFjPrg/1SB8x2O3kMvdrOK9K9hvACn44BxTDfRfOS/XeJCGxja10ii9wE+
-Ykl/OuCehh1kz9zIQrFvVZDgpGIUFUSSqTIfvvPsyiOJ+ADooZ80IBtDnN6qyjdl
-+ioitVO0bgywfL8ze+2C82xNdjYS/FbAVi3YNgaagQbzkm4BK9w3hQqMkYXizyH1
-OOJ7mYSVH5oXyiNhU0hq8JWmFHRCHaRivHsUj9WqS/szv0ixKjQEf4EMztolzfpg
-+QmJLVFn5xVR6dGteYW7/05e
-=06W7
+mQENBGa0jtoBCAC63WkY0btyVzHI8JGVfIkFClNggcDgK+X/if5ndJtHKRXcW6DB
+bRTBNCdUr7sDzCMEYWu8t400Yn/mrLKuubA3G6rp3Eo2nHnOicoZ6mfAdUQL862l
+m9M8zpJtFodWR5G0nznyvabQi9kI1JT87DEIAdfLhN4eoMpgEm+jASSgFeT63oJ9
+fLHofMZLwYZW/mqsnGxElmUsfnVWeseUSgmKBP4IgdtX4LsCx8XiOyQJww6bEUTj
+ZBSqwwuRa1ybtsV3ihEKjDBmXQo5+J3fsadm/6m5PRJVk5rq9/LGVKIBG9m/x6Pn
+xeYaLsjNyAwOSHH2KpeBLPVEfjsqWRt8fyAzABEBAAG0HEF1dG9nZW5lcmF0ZWQg
+S2V5IDxkZWZndWFyZD6JAU4EEwEKADgWIQTyH9Rb8S5I78bRYzghGgZ+AdnRKwUC
+ZrSO2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAhGgZ+AdnRKyzzCACW
+oGBnAPHkCuvlnZjcYUAJVrjI/S02x4t3wFjaFOu+GQSjeB+AjDawF/S4D5ReQ8iq
+D3dTvno3lk/F5HvqV/ZDU9WMmkDFzJoEwKbNIlWwQvvrTnoyy7lpKskNxwwsErEL
+2+rW+lW/N5KNHFaUh2d5JhK08VRPfyl0WA8gqQ99Wnhq4rHF7ijKFm3im0RlzkMI
+NTXxxee/9J0/Pzh+7zFZlMxnnjwiHlxJXpQFwh7+TS9C3IpChW3ipyPgp1DkzsNv
+Xry1crUOhOyEozdKYh2H6tZEi3bjtGwpYkXJs/g3f6HPKjS8rDOMXw4Japb7LYtC
+Aao60J8cOm8J96u1MsUK
+=6cHp
 -----END PGP PUBLIC KEY BLOCK-----
 ";
 
diff --git a/src/handlers/app_info.rs b/src/handlers/app_info.rs
index 1e378d4d39..7cc5f9f795 100644
--- a/src/handlers/app_info.rs
+++ b/src/handlers/app_info.rs
@@ -1,6 +1,5 @@
 use super::{ApiResponse, ApiResult, VERSION};
-use crate::enterprise;
-use crate::enterprise::license::{validate_license, License};
+use crate::enterprise::license::validate_license;
 use crate::{appstate::AppState, auth::SessionInfo, db::WireguardNetwork};
 
 use crate::db::Settings;
diff --git a/src/handlers/settings.rs b/src/handlers/settings.rs
index 3ec27b6d40..849e21de1b 100644
--- a/src/handlers/settings.rs
+++ b/src/handlers/settings.rs
@@ -1,4 +1,3 @@
-use std::ops::Not;
 
 use axum::{
     extract::{Json, Path, State},
@@ -14,7 +13,7 @@ use crate::{
         models::settings::{SettingsEssentials, SettingsPatch},
         Settings,
     },
-    enterprise::license::{self, update_cached_license, License},
+    enterprise::license::{update_cached_license},
     error::WebError,
     ldap::LDAPConnection,
     AppState,
diff --git a/src/lib.rs b/src/lib.rs
index ddd14d19c3..26c80755a4 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -6,18 +6,21 @@ use std::{
 
 use anyhow::anyhow;
 use axum::{
-    http::{Request, Response, StatusCode},
-    middleware::{self, Next},
+    http::{Request, StatusCode},
     routing::{delete, get, patch, post, put},
     serve, Extension, Json, Router,
 };
 
 use assets::{index, svg, web_asset};
-use enterprise::handlers::{
-    openid_login::{auth_callback, get_auth_info},
-    openid_providers::{add_openid_provider, delete_openid_provider, get_current_openid_provider},
+use enterprise::{
+    handlers::{
+        openid_login::{auth_callback, get_auth_info},
+        openid_providers::{
+            add_openid_provider, delete_openid_provider, get_current_openid_provider,
+        },
+    },
+    license::License,
 };
-use enterprise::license;
 use handlers::ssh_authorized_keys::{
     add_authentication_key, delete_authentication_key, fetch_authentication_keys,
 };
@@ -128,7 +131,6 @@ pub mod handlers;
 pub mod headers;
 pub mod hex;
 pub mod ldap;
-pub mod license;
 pub mod mail;
 pub(crate) mod random;
 pub mod secret;
diff --git a/tests/common/mod.rs b/tests/common/mod.rs
index df003efbe8..311b7620eb 100644
--- a/tests/common/mod.rs
+++ b/tests/common/mod.rs
@@ -7,6 +7,7 @@ use defguard::{
     build_webapp,
     config::DefGuardConfig,
     db::{init_db, AppEvent, DbPool, GatewayEvent, User, UserDetails},
+    enterprise::license::License,
     grpc::{GatewayMap, WorkerState},
     headers::create_user_agent_parser,
     mail::Mail,
@@ -133,6 +134,14 @@ pub async fn make_base_client(pool: DbPool, config: DefGuardConfig) -> (TestClie
         config.clone(),
     );
 
+    let enterprise_enabled = true;
+
+    let license = Arc::new(Mutex::new(Some(License {
+        customer_id: "test".to_string(),
+        subscription: false,
+        valid_until: None,
+    })));
+
     // Uncomment this to enable tracing in tests.
     // It only works for running a single test, so leave it commented out for running all tests.
     // use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
@@ -154,6 +163,8 @@ pub async fn make_base_client(pool: DbPool, config: DefGuardConfig) -> (TestClie
         pool,
         user_agent_parser,
         failed_logins,
+        license,
+        enterprise_enabled,
     );
     (TestClient::new(webapp).await, client_state)
 }

From b6dea3f5be63ccb0acd901086f1f546f776b39f9 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Thu, 8 Aug 2024 14:25:15 +0200
Subject: [PATCH 41/73] move license protobuf

---
 build.rs                           |  9 +++++++--
 src/enterprise/proto/license.proto | 17 +++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
 create mode 100644 src/enterprise/proto/license.proto

diff --git a/build.rs b/build.rs
index ccf6b16f0d..334ce9cb46 100644
--- a/build.rs
+++ b/build.rs
@@ -7,11 +7,16 @@ fn main() -> Result<(), Box<dyn std::error::Error>> {
             "proto/core/auth.proto",
             "proto/core/proxy.proto",
             "proto/core/vpn.proto",
-            "proto/core/license.proto",
+            "src/enterprise/proto/license.proto",
             "proto/worker/worker.proto",
             "proto/wireguard/gateway.proto",
         ],
-        &["proto/core", "proto/worker", "proto/wireguard"],
+        &[
+            "proto/core",
+            "proto/worker",
+            "proto/wireguard",
+            "src/enterprise/proto",
+        ],
     )?;
     println!("cargo:rerun-if-changed=proto");
     println!("cargo:rerun-if-changed=migrations");
diff --git a/src/enterprise/proto/license.proto b/src/enterprise/proto/license.proto
new file mode 100644
index 0000000000..54a3f949ab
--- /dev/null
+++ b/src/enterprise/proto/license.proto
@@ -0,0 +1,17 @@
+syntax = "proto3";
+package license;
+
+message LicenseMetadata {
+    string customer_id = 1;
+    bool subscription = 2;
+    optional int64 valid_until = 3;
+}
+
+message LicenseSignature {
+    bytes signature = 1;
+}
+
+message LicenseKey {
+    LicenseMetadata metadata = 1;
+    LicenseSignature signature = 2;
+}

From 20aa7bd32909f4f29e03de997f8f21d030528d46 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Thu, 8 Aug 2024 14:43:37 +0200
Subject: [PATCH 42/73] cleanup

---
 .github/workflows/current.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml
index fced3dc76c..c926a9ef74 100644
--- a/.github/workflows/current.yml
+++ b/.github/workflows/current.yml
@@ -4,7 +4,6 @@ on:
     branches:
       - main
       - dev
-      - openid-login
     paths-ignore:
       - "*.md"
       - "LICENSE"
@@ -49,7 +48,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-  # trigger-e2e:
-  #   needs: build-docker
-  #   uses: ./.github/workflows/e2e.yml
-  #   secrets: inherit
+  trigger-e2e:
+    needs: build-docker
+    uses: ./.github/workflows/e2e.yml
+    secrets: inherit

From 31b7f802220f9789b162fd5e074ae6149a960f7c Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 9 Aug 2024 10:32:13 +0200
Subject: [PATCH 43/73] tweaks, env variables

---
 src/config.rs             | 24 +++++++++++++++++++++--
 src/enterprise/license.rs | 40 ++++++++++++++++++++++++++-------------
 src/lib.rs                |  9 ++-------
 3 files changed, 51 insertions(+), 22 deletions(-)

diff --git a/src/config.rs b/src/config.rs
index 2a9bf70afa..859ee0e0b3 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -166,10 +166,30 @@ pub struct DefGuardConfig {
     #[arg(
         long,
         env = "DEFGUARD_LICENSE_SERVER_URL",
-        default_value = "http://localhost:8002/api/license/refresh"
+        default_value = "https://update-service-dev.teonite.net/api/license/refresh"
     )]
     #[serde(skip_serializing)]
-    pub license_server_url: Option<String>,
+    pub license_server_url: String,
+
+    #[arg(long, env = "DEFGUARD_LICENSE_CHECK_PERIOD", default_value = "10s")]
+    #[serde(skip_serializing)]
+    pub license_check_period: Duration,
+
+    #[arg(
+        long,
+        env = "DEFGUARD_LICENSE_CHECK_PERIOD_RENEWAL_WINDOW",
+        default_value = "5s"
+    )]
+    #[serde(skip_serializing)]
+    pub license_check_period_renewal_window: Duration,
+
+    #[arg(
+        long,
+        env = "DEFGUARD_LICENSE_CHECK_PERIOD_NO_LICENSE",
+        default_value = "15s"
+    )]
+    #[serde(skip_serializing)]
+    pub license_check_period_no_license: Duration,
 
     #[command(subcommand)]
     #[serde(skip_serializing)]
diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index 00dbe76ec9..3bdd776214 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -8,7 +8,10 @@ use chrono::{DateTime, TimeDelta, Utc};
 use tokio::time::sleep;
 // use rsa::{pkcs8::FromPublicKey, PaddingScheme, PublicKey, RsaPublicKey};
 
-use crate::db::{DbPool, Settings};
+use crate::{
+    db::{DbPool, Settings},
+    server_config,
+};
 use base64::prelude::*;
 use pgp::{Deserializable, SignedPublicKey, StandaloneSignature};
 use prost::Message;
@@ -85,7 +88,10 @@ impl License {
 
     fn decode(bytes: &[u8]) -> Result<Vec<u8>, LicenseError> {
         let bytes = BASE64_STANDARD.decode(bytes).map_err(|_| {
-            LicenseError::DecodeError("Failed to decode the Base64 license key".to_string())
+            LicenseError::DecodeError(
+                "Failed to decode the Base64 license key, check if the provided key is correct."
+                    .to_string(),
+            )
         })?;
         Ok(bytes)
     }
@@ -99,13 +105,18 @@ impl License {
             .map_err(|_| LicenseError::SignatureMismatch)
     }
 
+    /// Deserialize the license object from a base64 encoded string
+    /// Also verifies the signature of the license
     pub fn from_base64(key: &str) -> Result<License, LicenseError> {
         let bytes = key.as_bytes();
         let decoded = Self::decode(bytes)?;
         let slice: &[u8] = &decoded;
 
         let license_key = LicenseKey::decode(slice).map_err(|_| {
-            LicenseError::DecodeError("Failed to decode the binary license key".to_string())
+            LicenseError::DecodeError(
+                "Failed to decode the binary license key, check if the provided key is correct."
+                    .to_string(),
+            )
         })?;
         let metadata = license_key.metadata.ok_or(LicenseError::InvalidLicense(
             "License metadata is missing from the license key".to_string(),
@@ -253,8 +264,10 @@ async fn renew_license(db_pool: &DbPool) -> Result<String, LicenseError> {
         key: old_license_key,
     };
 
+    let license_server_url = &server_config().license_server_url;
+
     let new_license_key = match client
-        .post("http://localhost:8002/api/license/refresh")
+        .post(license_server_url)
         .json(&request_body)
         .send()
         .await
@@ -344,7 +357,7 @@ pub async fn run_periodic_license_check(
     pool: DbPool,
     license_mutex: Arc<Mutex<Option<License>>>,
 ) -> Result<(), LicenseError> {
-    let mut check_period = Duration::from_secs(10);
+    let mut check_period = server_config().license_check_period;
     info!("Starting periodic license check every {:?}", check_period);
     loop {
         // Check if the license is present in the mutex, if not skip the check
@@ -354,7 +367,7 @@ pub async fn run_periodic_license_check(
             .is_none()
         {
             info!("No license found, skipping license check");
-            sleep(Duration::from_secs(5)).await;
+            sleep(*server_config().license_check_period_no_license).await;
             continue;
         }
 
@@ -375,8 +388,9 @@ pub async fn run_periodic_license_check(
                         if !license.is_max_overdue() {
                             true
                         } else {
-                            check_period = Duration::from_secs(5);
-                            error!("Your license has expired and reached its maximum overdue date, please contant sales.");
+                            check_period = server_config().license_check_period;
+                            warn!("Your license has expired and reached its maximum overdue date, please contact sales at sales<at>defguard.net");
+                            info!("Changing check period to {}", check_period);
                             false
                         }
                     } else {
@@ -389,14 +403,14 @@ pub async fn run_periodic_license_check(
 
         if requires_renewal {
             info!("License requires renewal, renewing license...");
-            info!("Changing check period to {} second", 1);
-            check_period = Duration::from_secs(1);
+            check_period = server_config().license_check_period_renewal_window;
+            info!("Changing check period to {}", check_period);
             match renew_license(&pool).await {
                 Ok(new_license_key) => match save_license_key(&pool, &new_license_key).await {
                     Ok(_) => {
                         update_cached_license(Some(&new_license_key), license_mutex.clone())?;
-                        info!("Changing check period to {} seconds", 5);
-                        check_period = Duration::from_secs(5);
+                        check_period = server_config().license_check_period;
+                        info!("Changing check period to {} seconds", check_period);
                     }
                     Err(err) => {
                         error!("Couldn't save the newly fetched license key to the database, error: {}", err);
@@ -410,6 +424,6 @@ pub async fn run_periodic_license_check(
             info!("License isn't eligible for renewal, skipping...");
         }
 
-        sleep(check_period).await;
+        sleep(*check_period).await;
     }
 }
diff --git a/src/lib.rs b/src/lib.rs
index 1c06943414..ea7eca39c6 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -409,15 +409,10 @@ pub fn build_webapp(
             .route("/webhook/:id", delete(delete_webhook))
             .route("/webhook/:id", post(change_enabled))
             // ldap
-            .route("/ldap/test", get(test_ldap_settings))
-            // OIDC login
-            .route("/openid/provider", get(get_current_openid_provider))
-            .route("/openid/provider", post(add_openid_provider))
-            .route("/openid/provider/:name", delete(delete_openid_provider))
-            .route("/openid/callback", post(auth_callback))
-            .route("/openid/auth_info", get(get_auth_info)),
+            .route("/ldap/test", get(test_ldap_settings)),
     );
 
+    // Enterprise features
     let webapp = if enterprise_enabled {
         webapp.nest(
             "/api/v1/openid",

From e2985667fcc8718638e3dcb031811bf5e339e2da Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 9 Aug 2024 13:10:28 +0200
Subject: [PATCH 44/73] add better comment

---
 src/enterprise/license.rs | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index 3bdd776214..baaba89563 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -170,6 +170,7 @@ impl License {
     }
 
     /// Try to load the license from the database, if the license requires a renewal, try to renew it.
+    /// If the renewal fails, it will return the old license for the renewal service to renew it later.
     pub async fn load_or_renew(pool: &DbPool) -> Result<Option<License>, LicenseError> {
         match Self::load(pool).await? {
             Some(license) => {

From 85176897766e349ade89f9ca42a10e4b79c0216a Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 9 Aug 2024 13:11:53 +0200
Subject: [PATCH 45/73] remove old migrations

---
 migrations/20240722125306_add-licenses.down.sql | 1 -
 migrations/20240722125306_add-licenses.up.sql   | 1 -
 2 files changed, 2 deletions(-)
 delete mode 100644 migrations/20240722125306_add-licenses.down.sql
 delete mode 100644 migrations/20240722125306_add-licenses.up.sql

diff --git a/migrations/20240722125306_add-licenses.down.sql b/migrations/20240722125306_add-licenses.down.sql
deleted file mode 100644
index 4da11f6953..0000000000
--- a/migrations/20240722125306_add-licenses.down.sql
+++ /dev/null
@@ -1 +0,0 @@
-ALTER TABLE settings DROP COLUMN license;
diff --git a/migrations/20240722125306_add-licenses.up.sql b/migrations/20240722125306_add-licenses.up.sql
deleted file mode 100644
index bf2fe97e7b..0000000000
--- a/migrations/20240722125306_add-licenses.up.sql
+++ /dev/null
@@ -1 +0,0 @@
-ALTER TABLE settings ADD COLUMN license TEXT DEFAULT NULL;

From 75e7eb7f9bf39ff804d5ed59ff57f921fffaedcc Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 9 Aug 2024 13:19:04 +0200
Subject: [PATCH 46/73] cleanup

---
 src/enterprise/license.rs | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index baaba89563..b222c43897 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -1,7 +1,4 @@
-use std::{
-    sync::{Arc, Mutex},
-    time::Duration,
-};
+use std::sync::{Arc, Mutex};
 
 use anyhow::Result;
 use chrono::{DateTime, TimeDelta, Utc};

From e903423e8aae265e0e2e1001296878e6bb7551c6 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 9 Aug 2024 13:45:05 +0200
Subject: [PATCH 47/73] add temporary build

---
 .github/workflows/current.yml                    | 16 +++++++++++-----
 .../LicenseSettings/LicenseSettings.tsx          |  4 ----
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml
index c926a9ef74..64b3d10d7a 100644
--- a/.github/workflows/current.yml
+++ b/.github/workflows/current.yml
@@ -4,6 +4,7 @@ on:
     branches:
       - main
       - dev
+      - enterprise-license
     paths-ignore:
       - "*.md"
       - "LICENSE"
@@ -22,8 +23,13 @@ jobs:
         with:
           images: |
             ghcr.io/defguard/defguard
+          # tags: |
+          #   type=raw,value=current
+          #   type=ref,event=branch
+          #   type=sha
+          flavor: |
+            latest=false
           tags: |
-            type=raw,value=current
             type=ref,event=branch
             type=sha
       - name: Login to GitHub container registry
@@ -48,7 +54,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-  trigger-e2e:
-    needs: build-docker
-    uses: ./.github/workflows/e2e.yml
-    secrets: inherit
+  # trigger-e2e:
+  #   needs: build-docker
+  #   uses: ./.github/workflows/e2e.yml
+  #   secrets: inherit
diff --git a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
index 81a92a736d..8a6d9da86a 100644
--- a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
+++ b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
@@ -2,7 +2,6 @@ import './styles.scss';
 
 import { zodResolver } from '@hookform/resolvers/zod';
 import { useMutation, useQueryClient } from '@tanstack/react-query';
-import parse from 'html-react-parser';
 import { useEffect, useMemo } from 'react';
 import { SubmitHandler, useForm } from 'react-hook-form';
 import { useBreakpoint } from 'use-breakpoint';
@@ -18,11 +17,8 @@ import {
   ButtonStyleVariant,
 } from '../../../../../../shared/defguard-ui/components/Layout/Button/types';
 import { Card } from '../../../../../../shared/defguard-ui/components/Layout/Card/Card';
-import { Helper } from '../../../../../../shared/defguard-ui/components/Layout/Helper/Helper';
 import useApi from '../../../../../../shared/hooks/useApi';
 import { useToaster } from '../../../../../../shared/hooks/useToaster';
-import { externalLink } from '../../../../../../shared/links';
-import { MutationKeys } from '../../../../../../shared/mutations';
 import { QueryKeys } from '../../../../../../shared/queries';
 import { Settings } from '../../../../../../shared/types';
 import { useSettingsPage } from '../../../../hooks/useSettingsPage';

From 23a9c4dd7e7924057a443e79e1a58f911cd8378b Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Fri, 9 Aug 2024 13:47:14 +0200
Subject: [PATCH 48/73] sqlx prepare

---
 ...87eea7ca6a5c5c81a0ebc294a31c49e68e3fdbb20f0.json} |  7 ++++---
 ...9d1a93839a587d727a9d036505203b4260603cf0ee6.json} |  7 ++++---
 ...d032e34f24ab82b04015634f99ddac9284e47b10f8d.json} | 12 +++++++++---
 ...1da0c81d452f3b0e9c64f20488bf7f5d6c2fdd38a16.json} | 12 +++++++++---
 4 files changed, 26 insertions(+), 12 deletions(-)
 rename .sqlx/{query-fdb364b8984eff1c2ca14153eaf44fa0ccc6a7e26874afecc62b00de993a12aa.json => query-367204ba11a051f52d4b287eea7ca6a5c5c81a0ebc294a31c49e68e3fdbb20f0.json} (83%)
 rename .sqlx/{query-e769bdd845a133b817d33627fd43862607a138b42416ccb2dabfb2ea953b482f.json => query-9c8efc3773f13460b73bd9d1a93839a587d727a9d036505203b4260603cf0ee6.json} (90%)
 rename .sqlx/{query-fb71770a725becd8d8f53554ded17e189c90b658aa343fc682b05be24f410b85.json => query-b90afee0fbb1a4590e0e9d032e34f24ab82b04015634f99ddac9284e47b10f8d.json} (95%)
 rename .sqlx/{query-a9d694c5efe301ef975e1b6fc0ca0acc741c16c3efdd7a92475a419e9e30db4c.json => query-e626ef3ad2f23b3981f911da0c81d452f3b0e9c64f20488bf7f5d6c2fdd38a16.json} (95%)

diff --git a/.sqlx/query-fdb364b8984eff1c2ca14153eaf44fa0ccc6a7e26874afecc62b00de993a12aa.json b/.sqlx/query-367204ba11a051f52d4b287eea7ca6a5c5c81a0ebc294a31c49e68e3fdbb20f0.json
similarity index 83%
rename from .sqlx/query-fdb364b8984eff1c2ca14153eaf44fa0ccc6a7e26874afecc62b00de993a12aa.json
rename to .sqlx/query-367204ba11a051f52d4b287eea7ca6a5c5c81a0ebc294a31c49e68e3fdbb20f0.json
index 9b24a3350d..8b98d1ab2a 100644
--- a/.sqlx/query-fdb364b8984eff1c2ca14153eaf44fa0ccc6a7e26874afecc62b00de993a12aa.json
+++ b/.sqlx/query-367204ba11a051f52d4b287eea7ca6a5c5c81a0ebc294a31c49e68e3fdbb20f0.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "INSERT INTO \"settings\" (\"openid_enabled\",\"wireguard_enabled\",\"webhooks_enabled\",\"worker_enabled\",\"challenge_template\",\"instance_name\",\"main_logo_url\",\"nav_logo_url\",\"smtp_server\",\"smtp_port\",\"smtp_encryption\",\"smtp_user\",\"smtp_password\",\"smtp_sender\",\"enrollment_vpn_step_optional\",\"enrollment_welcome_message\",\"enrollment_welcome_email\",\"enrollment_welcome_email_subject\",\"enrollment_use_welcome_message_as_email\",\"uuid\",\"ldap_url\",\"ldap_bind_username\",\"ldap_bind_password\",\"ldap_group_search_base\",\"ldap_user_search_base\",\"ldap_user_obj_class\",\"ldap_group_obj_class\",\"ldap_username_attr\",\"ldap_groupname_attr\",\"ldap_group_member_attr\",\"ldap_member_attr\",\"openid_create_account\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22,$23,$24,$25,$26,$27,$28,$29,$30,$31,$32) RETURNING id",
+  "query": "INSERT INTO \"settings\" (\"openid_enabled\",\"wireguard_enabled\",\"webhooks_enabled\",\"worker_enabled\",\"challenge_template\",\"instance_name\",\"main_logo_url\",\"nav_logo_url\",\"smtp_server\",\"smtp_port\",\"smtp_encryption\",\"smtp_user\",\"smtp_password\",\"smtp_sender\",\"enrollment_vpn_step_optional\",\"enrollment_welcome_message\",\"enrollment_welcome_email\",\"enrollment_welcome_email_subject\",\"enrollment_use_welcome_message_as_email\",\"uuid\",\"ldap_url\",\"ldap_bind_username\",\"ldap_bind_password\",\"ldap_group_search_base\",\"ldap_user_search_base\",\"ldap_user_obj_class\",\"ldap_group_obj_class\",\"ldap_username_attr\",\"ldap_groupname_attr\",\"ldap_group_member_attr\",\"ldap_member_attr\",\"openid_create_account\",\"license\") VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9,$10,$11,$12,$13,$14,$15,$16,$17,$18,$19,$20,$21,$22,$23,$24,$25,$26,$27,$28,$29,$30,$31,$32,$33) RETURNING id",
   "describe": {
     "columns": [
       {
@@ -53,12 +53,13 @@
         "Text",
         "Text",
         "Text",
-        "Bool"
+        "Bool",
+        "Text"
       ]
     },
     "nullable": [
       false
     ]
   },
-  "hash": "fdb364b8984eff1c2ca14153eaf44fa0ccc6a7e26874afecc62b00de993a12aa"
+  "hash": "367204ba11a051f52d4b287eea7ca6a5c5c81a0ebc294a31c49e68e3fdbb20f0"
 }
diff --git a/.sqlx/query-e769bdd845a133b817d33627fd43862607a138b42416ccb2dabfb2ea953b482f.json b/.sqlx/query-9c8efc3773f13460b73bd9d1a93839a587d727a9d036505203b4260603cf0ee6.json
similarity index 90%
rename from .sqlx/query-e769bdd845a133b817d33627fd43862607a138b42416ccb2dabfb2ea953b482f.json
rename to .sqlx/query-9c8efc3773f13460b73bd9d1a93839a587d727a9d036505203b4260603cf0ee6.json
index ff55394f7a..9c3826048a 100644
--- a/.sqlx/query-e769bdd845a133b817d33627fd43862607a138b42416ccb2dabfb2ea953b482f.json
+++ b/.sqlx/query-9c8efc3773f13460b73bd9d1a93839a587d727a9d036505203b4260603cf0ee6.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "UPDATE \"settings\" SET \"openid_enabled\" = $2,\"wireguard_enabled\" = $3,\"webhooks_enabled\" = $4,\"worker_enabled\" = $5,\"challenge_template\" = $6,\"instance_name\" = $7,\"main_logo_url\" = $8,\"nav_logo_url\" = $9,\"smtp_server\" = $10,\"smtp_port\" = $11,\"smtp_encryption\" = $12,\"smtp_user\" = $13,\"smtp_password\" = $14,\"smtp_sender\" = $15,\"enrollment_vpn_step_optional\" = $16,\"enrollment_welcome_message\" = $17,\"enrollment_welcome_email\" = $18,\"enrollment_welcome_email_subject\" = $19,\"enrollment_use_welcome_message_as_email\" = $20,\"uuid\" = $21,\"ldap_url\" = $22,\"ldap_bind_username\" = $23,\"ldap_bind_password\" = $24,\"ldap_group_search_base\" = $25,\"ldap_user_search_base\" = $26,\"ldap_user_obj_class\" = $27,\"ldap_group_obj_class\" = $28,\"ldap_username_attr\" = $29,\"ldap_groupname_attr\" = $30,\"ldap_group_member_attr\" = $31,\"ldap_member_attr\" = $32,\"openid_create_account\" = $33 WHERE id = $1",
+  "query": "UPDATE \"settings\" SET \"openid_enabled\" = $2,\"wireguard_enabled\" = $3,\"webhooks_enabled\" = $4,\"worker_enabled\" = $5,\"challenge_template\" = $6,\"instance_name\" = $7,\"main_logo_url\" = $8,\"nav_logo_url\" = $9,\"smtp_server\" = $10,\"smtp_port\" = $11,\"smtp_encryption\" = $12,\"smtp_user\" = $13,\"smtp_password\" = $14,\"smtp_sender\" = $15,\"enrollment_vpn_step_optional\" = $16,\"enrollment_welcome_message\" = $17,\"enrollment_welcome_email\" = $18,\"enrollment_welcome_email_subject\" = $19,\"enrollment_use_welcome_message_as_email\" = $20,\"uuid\" = $21,\"ldap_url\" = $22,\"ldap_bind_username\" = $23,\"ldap_bind_password\" = $24,\"ldap_group_search_base\" = $25,\"ldap_user_search_base\" = $26,\"ldap_user_obj_class\" = $27,\"ldap_group_obj_class\" = $28,\"ldap_username_attr\" = $29,\"ldap_groupname_attr\" = $30,\"ldap_group_member_attr\" = $31,\"ldap_member_attr\" = $32,\"openid_create_account\" = $33,\"license\" = $34 WHERE id = $1",
   "describe": {
     "columns": [],
     "parameters": {
@@ -48,10 +48,11 @@
         "Text",
         "Text",
         "Text",
-        "Bool"
+        "Bool",
+        "Text"
       ]
     },
     "nullable": []
   },
-  "hash": "e769bdd845a133b817d33627fd43862607a138b42416ccb2dabfb2ea953b482f"
+  "hash": "9c8efc3773f13460b73bd9d1a93839a587d727a9d036505203b4260603cf0ee6"
 }
diff --git a/.sqlx/query-fb71770a725becd8d8f53554ded17e189c90b658aa343fc682b05be24f410b85.json b/.sqlx/query-b90afee0fbb1a4590e0e9d032e34f24ab82b04015634f99ddac9284e47b10f8d.json
similarity index 95%
rename from .sqlx/query-fb71770a725becd8d8f53554ded17e189c90b658aa343fc682b05be24f410b85.json
rename to .sqlx/query-b90afee0fbb1a4590e0e9d032e34f24ab82b04015634f99ddac9284e47b10f8d.json
index 5441c96029..4949c3e336 100644
--- a/.sqlx/query-fb71770a725becd8d8f53554ded17e189c90b658aa343fc682b05be24f410b85.json
+++ b/.sqlx/query-b90afee0fbb1a4590e0e9d032e34f24ab82b04015634f99ddac9284e47b10f8d.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id \"id?\", \"openid_enabled\",\"wireguard_enabled\",\"webhooks_enabled\",\"worker_enabled\",\"challenge_template\",\"instance_name\",\"main_logo_url\",\"nav_logo_url\",\"smtp_server\",\"smtp_port\",\"smtp_encryption\" \"smtp_encryption: _\",\"smtp_user\",\"smtp_password\" \"smtp_password?: SecretString\",\"smtp_sender\",\"enrollment_vpn_step_optional\",\"enrollment_welcome_message\",\"enrollment_welcome_email\",\"enrollment_welcome_email_subject\",\"enrollment_use_welcome_message_as_email\",\"uuid\",\"ldap_url\",\"ldap_bind_username\",\"ldap_bind_password\" \"ldap_bind_password?: SecretString\",\"ldap_group_search_base\",\"ldap_user_search_base\",\"ldap_user_obj_class\",\"ldap_group_obj_class\",\"ldap_username_attr\",\"ldap_groupname_attr\",\"ldap_group_member_attr\",\"ldap_member_attr\",\"openid_create_account\" FROM \"settings\" WHERE id = $1",
+  "query": "SELECT id \"id?\", \"openid_enabled\",\"wireguard_enabled\",\"webhooks_enabled\",\"worker_enabled\",\"challenge_template\",\"instance_name\",\"main_logo_url\",\"nav_logo_url\",\"smtp_server\",\"smtp_port\",\"smtp_encryption\" \"smtp_encryption: _\",\"smtp_user\",\"smtp_password\" \"smtp_password?: SecretString\",\"smtp_sender\",\"enrollment_vpn_step_optional\",\"enrollment_welcome_message\",\"enrollment_welcome_email\",\"enrollment_welcome_email_subject\",\"enrollment_use_welcome_message_as_email\",\"uuid\",\"ldap_url\",\"ldap_bind_username\",\"ldap_bind_password\" \"ldap_bind_password?: SecretString\",\"ldap_group_search_base\",\"ldap_user_search_base\",\"ldap_user_obj_class\",\"ldap_group_obj_class\",\"ldap_username_attr\",\"ldap_groupname_attr\",\"ldap_group_member_attr\",\"ldap_member_attr\",\"openid_create_account\",\"license\" FROM \"settings\" WHERE id = $1",
   "describe": {
     "columns": [
       {
@@ -178,6 +178,11 @@
         "ordinal": 32,
         "name": "openid_create_account",
         "type_info": "Bool"
+      },
+      {
+        "ordinal": 33,
+        "name": "license",
+        "type_info": "Text"
       }
     ],
     "parameters": {
@@ -218,8 +223,9 @@
       true,
       true,
       true,
-      false
+      false,
+      true
     ]
   },
-  "hash": "fb71770a725becd8d8f53554ded17e189c90b658aa343fc682b05be24f410b85"
+  "hash": "b90afee0fbb1a4590e0e9d032e34f24ab82b04015634f99ddac9284e47b10f8d"
 }
diff --git a/.sqlx/query-a9d694c5efe301ef975e1b6fc0ca0acc741c16c3efdd7a92475a419e9e30db4c.json b/.sqlx/query-e626ef3ad2f23b3981f911da0c81d452f3b0e9c64f20488bf7f5d6c2fdd38a16.json
similarity index 95%
rename from .sqlx/query-a9d694c5efe301ef975e1b6fc0ca0acc741c16c3efdd7a92475a419e9e30db4c.json
rename to .sqlx/query-e626ef3ad2f23b3981f911da0c81d452f3b0e9c64f20488bf7f5d6c2fdd38a16.json
index 83250222b3..3d8c671501 100644
--- a/.sqlx/query-a9d694c5efe301ef975e1b6fc0ca0acc741c16c3efdd7a92475a419e9e30db4c.json
+++ b/.sqlx/query-e626ef3ad2f23b3981f911da0c81d452f3b0e9c64f20488bf7f5d6c2fdd38a16.json
@@ -1,6 +1,6 @@
 {
   "db_name": "PostgreSQL",
-  "query": "SELECT id \"id?\", \"openid_enabled\",\"wireguard_enabled\",\"webhooks_enabled\",\"worker_enabled\",\"challenge_template\",\"instance_name\",\"main_logo_url\",\"nav_logo_url\",\"smtp_server\",\"smtp_port\",\"smtp_encryption\" \"smtp_encryption: _\",\"smtp_user\",\"smtp_password\" \"smtp_password?: SecretString\",\"smtp_sender\",\"enrollment_vpn_step_optional\",\"enrollment_welcome_message\",\"enrollment_welcome_email\",\"enrollment_welcome_email_subject\",\"enrollment_use_welcome_message_as_email\",\"uuid\",\"ldap_url\",\"ldap_bind_username\",\"ldap_bind_password\" \"ldap_bind_password?: SecretString\",\"ldap_group_search_base\",\"ldap_user_search_base\",\"ldap_user_obj_class\",\"ldap_group_obj_class\",\"ldap_username_attr\",\"ldap_groupname_attr\",\"ldap_group_member_attr\",\"ldap_member_attr\",\"openid_create_account\" FROM \"settings\"",
+  "query": "SELECT id \"id?\", \"openid_enabled\",\"wireguard_enabled\",\"webhooks_enabled\",\"worker_enabled\",\"challenge_template\",\"instance_name\",\"main_logo_url\",\"nav_logo_url\",\"smtp_server\",\"smtp_port\",\"smtp_encryption\" \"smtp_encryption: _\",\"smtp_user\",\"smtp_password\" \"smtp_password?: SecretString\",\"smtp_sender\",\"enrollment_vpn_step_optional\",\"enrollment_welcome_message\",\"enrollment_welcome_email\",\"enrollment_welcome_email_subject\",\"enrollment_use_welcome_message_as_email\",\"uuid\",\"ldap_url\",\"ldap_bind_username\",\"ldap_bind_password\" \"ldap_bind_password?: SecretString\",\"ldap_group_search_base\",\"ldap_user_search_base\",\"ldap_user_obj_class\",\"ldap_group_obj_class\",\"ldap_username_attr\",\"ldap_groupname_attr\",\"ldap_group_member_attr\",\"ldap_member_attr\",\"openid_create_account\",\"license\" FROM \"settings\"",
   "describe": {
     "columns": [
       {
@@ -178,6 +178,11 @@
         "ordinal": 32,
         "name": "openid_create_account",
         "type_info": "Bool"
+      },
+      {
+        "ordinal": 33,
+        "name": "license",
+        "type_info": "Text"
       }
     ],
     "parameters": {
@@ -216,8 +221,9 @@
       true,
       true,
       true,
-      false
+      false,
+      true
     ]
   },
-  "hash": "a9d694c5efe301ef975e1b6fc0ca0acc741c16c3efdd7a92475a419e9e30db4c"
+  "hash": "e626ef3ad2f23b3981f911da0c81d452f3b0e9c64f20488bf7f5d6c2fdd38a16"
 }

From 2f692e1b66bf44b43d04f1fa41f95abdae7e27f4 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 12 Aug 2024 14:15:53 +0200
Subject: [PATCH 49/73] fixes, more logs

---
 src/enterprise/handlers/mod.rs                | 23 ++++++++++--
 src/enterprise/license.rs                     | 28 ++++++++++++--
 src/handlers/mod.rs                           | 37 +++++++++++++++----
 src/handlers/settings.rs                      |  5 +--
 src/lib.rs                                    |  3 ++
 web/src/components/AppLoader.tsx              | 16 +++++++-
 web/src/pages/auth/AuthPage.tsx               |  5 ++-
 web/src/pages/auth/Login/Login.tsx            |  8 ++--
 web/src/pages/settings/SettingsPage.tsx       |  6 +--
 .../LicenseSettings/LicenseSettings.tsx       |  2 +-
 web/src/shared/hooks/store/useAppStore.ts     |  2 +
 web/src/shared/hooks/useApi.tsx               |  3 ++
 web/src/shared/queries.ts                     |  1 +
 web/src/shared/types.ts                       |  6 ++-
 14 files changed, 115 insertions(+), 30 deletions(-)

diff --git a/src/enterprise/handlers/mod.rs b/src/enterprise/handlers/mod.rs
index 319f4ddcf9..2fecdab1ba 100644
--- a/src/enterprise/handlers/mod.rs
+++ b/src/enterprise/handlers/mod.rs
@@ -1,12 +1,15 @@
-use crate::enterprise::license::validate_license;
+use crate::{
+    enterprise::license::validate_license,
+    handlers::{ApiResponse, ApiResult},
+};
 
 pub mod openid_login;
 pub mod openid_providers;
 
 use axum::{
     async_trait,
-    extract::{FromRef, FromRequestParts},
-    http::request::Parts,
+    extract::{FromRef, FromRequestParts, State},
+    http::{request::Parts, StatusCode},
 };
 
 use crate::{appstate::AppState, error::WebError};
@@ -38,3 +41,17 @@ where
         }
     }
 }
+
+pub async fn check_enterprise_status(State(appstate): State<AppState>) -> ApiResult {
+    let license = appstate
+        .license
+        .lock()
+        .expect("Failed to acquire lock on the license.");
+
+    let valid = validate_license((*license).as_ref()).is_ok();
+
+    Ok(ApiResponse {
+        json: serde_json::json!({ "enabled": valid }),
+        status: StatusCode::OK,
+    })
+}
diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index b222c43897..77056d7d48 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -105,9 +105,11 @@ impl License {
     /// Deserialize the license object from a base64 encoded string
     /// Also verifies the signature of the license
     pub fn from_base64(key: &str) -> Result<License, LicenseError> {
+        debug!("Decoding the license key from a provided base64 string...");
         let bytes = key.as_bytes();
         let decoded = Self::decode(bytes)?;
         let slice: &[u8] = &decoded;
+        debug!("Decoded the license key, deserializing the license object...");
 
         let license_key = LicenseKey::decode(slice).map_err(|_| {
             LicenseError::DecodeError(
@@ -123,9 +125,11 @@ impl License {
         ))?;
         let metadata_bytes = metadata.encode_to_vec();
 
+        debug!("Deserialized the license object, verifying the license signature...");
+
         match Self::verify_signature(&metadata_bytes, &signature.signature) {
             Ok(_) => {
-                info!("Successfully validated license signature");
+                info!("Successfully validated the license signature");
                 let valid_until = match metadata.valid_until {
                     Some(until) => DateTime::from_timestamp(until, 0),
                     None => None,
@@ -305,6 +309,7 @@ async fn renew_license(db_pool: &DbPool) -> Result<String, LicenseError> {
 /// 1. Does the cached license exist
 /// 2. Does the cached license is past its maximum expiry date
 pub fn validate_license(license: Option<&License>) -> Result<(), LicenseError> {
+    debug!("Validating if the license is present and not expired...");
     match license {
         Some(license) => {
             if license.is_max_overdue() {
@@ -318,9 +323,11 @@ pub fn validate_license(license: Option<&License>) -> Result<(), LicenseError> {
 
 /// Helper function to save the license key string in the database
 async fn save_license_key(pool: &DbPool, key: &str) -> Result<(), LicenseError> {
+    debug!("Saving the license key to the database...");
     let mut settings = Settings::get_settings(pool).await?;
     settings.license = Some(key.to_string());
     settings.save(pool).await?;
+    info!("Successfully saved the license key to the database.");
     Ok(())
 }
 
@@ -329,11 +336,14 @@ pub fn update_cached_license(
     key: Option<&str>,
     license_mutex: Arc<Mutex<Option<License>>>,
 ) -> Result<(), LicenseError> {
+    debug!("Updating the cached license information with the provided key...");
     let license = if let Some(key) = key {
         // Handle the Some("") case
         if key.is_empty() {
+            debug!("The new license key is empty, clearing the cached license");
             None
         } else {
+            debug!("A new license key has been provided, decoding and validating it...");
             Some(License::from_base64(key)?)
         }
     } else {
@@ -342,6 +352,7 @@ pub fn update_cached_license(
     *license_mutex
         .lock()
         .expect("Failed to acquire lock on the license mutex.") = license;
+    info!("Successfully updated the cached license information.");
     Ok(())
 }
 
@@ -383,6 +394,8 @@ pub async fn run_periodic_license_check(
             match &*license {
                 Some(license) => {
                     if license.requires_renewal() {
+                        // check if we are pass the maximum expiration date, after which we don't
+                        // want to try to renew the license anymore
                         if !license.is_max_overdue() {
                             true
                         } else {
@@ -392,10 +405,19 @@ pub async fn run_periodic_license_check(
                             false
                         }
                     } else {
+                        // This if is only for logging purposes, to provide more detailed information
+                        if license.subscription {
+                            info!("License doesn't need to be renewed yet, skipping renewal check")
+                        } else {
+                            info!("License is not a subscription, skipping renewal check")
+                        }
                         false
                     }
                 }
-                None => false,
+                None => {
+                    info!("No license found, skipping license check");
+                    false
+                }
             }
         };
 
@@ -418,8 +440,6 @@ pub async fn run_periodic_license_check(
                     error!("Failed to renew the license: {}", err);
                 }
             }
-        } else {
-            info!("License isn't eligible for renewal, skipping...");
         }
 
         sleep(*check_period).await;
diff --git a/src/handlers/mod.rs b/src/handlers/mod.rs
index a61aafdece..1e012a3a09 100644
--- a/src/handlers/mod.rs
+++ b/src/handlers/mod.rs
@@ -12,6 +12,7 @@ use crate::db::Device;
 use crate::{
     auth::SessionInfo,
     db::{DbPool, User, UserInfo},
+    enterprise::license::LicenseError,
     error::WebError,
     VERSION,
 };
@@ -105,14 +106,34 @@ impl From<WebError> for ApiResponse {
                     StatusCode::INTERNAL_SERVER_ERROR,
                 )
             }
-            WebError::LicenseError(err) => {
-                error!("License error: {err}");
-                ApiResponse::new(
-                    // FIXME: Come up with a better error code
-                    json!({"msg": "Internal server error"}),
-                    StatusCode::INTERNAL_SERVER_ERROR,
-                )
-            }
+            WebError::LicenseError(err) => match err {
+                LicenseError::DecodeError(msg) | LicenseError::InvalidLicense(msg) => {
+                    warn!(msg);
+                    ApiResponse::new(json!({ "msg": msg }), StatusCode::BAD_REQUEST)
+                }
+                LicenseError::SignatureMismatch => {
+                    let msg = "License signature doesn't match its content";
+                    warn!(msg);
+                    ApiResponse::new(json!({ "msg": msg }), StatusCode::BAD_REQUEST)
+                }
+                LicenseError::InvalidSignature => {
+                    let msg = "License signature is malformed and couldn't be read";
+                    warn!(msg);
+                    ApiResponse::new(json!({ "msg": msg }), StatusCode::BAD_REQUEST)
+                }
+                LicenseError::LicenseNotFound => {
+                    let msg = "License not found";
+                    warn!(msg);
+                    ApiResponse::new(json!({ "msg": msg }), StatusCode::NOT_FOUND)
+                }
+                _ => {
+                    error!("License error: {err}");
+                    ApiResponse::new(
+                        json!({"msg": "Internal server error"}),
+                        StatusCode::FORBIDDEN,
+                    )
+                }
+            },
         }
     }
 }
diff --git a/src/handlers/settings.rs b/src/handlers/settings.rs
index 849e21de1b..7652b52df2 100644
--- a/src/handlers/settings.rs
+++ b/src/handlers/settings.rs
@@ -1,4 +1,3 @@
-
 use axum::{
     extract::{Json, Path, State},
     http::StatusCode,
@@ -13,7 +12,7 @@ use crate::{
         models::settings::{SettingsEssentials, SettingsPatch},
         Settings,
     },
-    enterprise::license::{update_cached_license},
+    enterprise::license::update_cached_license,
     error::WebError,
     ldap::LDAPConnection,
     AppState,
@@ -114,8 +113,8 @@ pub async fn patch_settings(
 
     // Handle updating the cached license
     if let Some(license_key) = &data.license {
-        info!("Patching license: {:?}", license_key);
         update_cached_license(license_key.as_deref(), appstate.license)?;
+        debug!("Saving the new license key to the database as part of the settings patch");
     };
 
     settings.apply(data);
diff --git a/src/lib.rs b/src/lib.rs
index ea7eca39c6..e3ea57945d 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -14,6 +14,7 @@ use axum::{
 use assets::{index, svg, web_asset};
 use enterprise::{
     handlers::{
+        check_enterprise_status,
         openid_login::{auth_callback, get_auth_info},
         openid_providers::{
             add_openid_provider, delete_openid_provider, get_current_openid_provider,
@@ -428,6 +429,8 @@ pub fn build_webapp(
         webapp.route("/api/v1/openid/*path", get(handle_404))
     };
 
+    let webapp = webapp.route("/api/v1/enterprise_status", get(check_enterprise_status));
+
     #[cfg(feature = "openid")]
     let webapp = webapp
         .nest(
diff --git a/web/src/components/AppLoader.tsx b/web/src/components/AppLoader.tsx
index 37f377934e..facf1ecd00 100644
--- a/web/src/components/AppLoader.tsx
+++ b/web/src/components/AppLoader.tsx
@@ -28,6 +28,7 @@ export const AppLoader = () => {
   const appSettings = useAppStore((state) => state.settings);
   const {
     getAppInfo,
+    getEnterpriseStatus,
     user: { getMe },
     settings: { getEssentialSettings },
   } = useApi();
@@ -56,7 +57,6 @@ export const AppLoader = () => {
 
   useQuery([QueryKeys.FETCH_APP_INFO], getAppInfo, {
     onSuccess: (data) => {
-      console.log('App Info:', data);
       setAppStore({ appInfo: data });
     },
     onError: (err) => {
@@ -68,6 +68,20 @@ export const AppLoader = () => {
     enabled: !isUndefined(currentUser),
   });
 
+  useQuery([QueryKeys.FETCH_ENTERPRISE_STATUS], getEnterpriseStatus, {
+    onSuccess: (status) => {
+      console.log(status)
+      setAppStore({ enterprise_enabled: status.enabled });
+    },
+    onError: (err) => {
+      // FIXME: Add a proper error message
+      toaster.error(LL.messages.errorVersion());
+      console.error(err);
+    },
+    refetchOnWindowFocus: false,
+    retry: false,
+  });
+
   const { isLoading: settingsLoading, data: essentialSettings } = useQuery(
     [QueryKeys.FETCH_ESSENTIAL_SETTINGS],
     getEssentialSettings,
diff --git a/web/src/pages/auth/AuthPage.tsx b/web/src/pages/auth/AuthPage.tsx
index ece94d9c38..3131bf2852 100644
--- a/web/src/pages/auth/AuthPage.tsx
+++ b/web/src/pages/auth/AuthPage.tsx
@@ -48,7 +48,8 @@ export const AuthPage = () => {
   const toaster = useToaster();
 
   const setAppStore = useAppStore((state) => state.setState);
-  const appInfo = useAppStore((state) => state.appInfo);
+
+  const enterpriseEnabled = useAppStore((state) => state.enterprise_enabled);
 
   const [params] = useSearchParams();
   const redirectUrl = params.get('r');
@@ -154,7 +155,7 @@ export const AuthPage = () => {
         <Route path="/" element={<Navigate to="login" />} />
         <Route path="login" element={<Login />} />
         <Route path="mfa/*" element={<MFARoute />} />
-        {appInfo?.enterprise && <Route path="callback" element={<OpenIDCallback />} />}
+        {enterpriseEnabled && <Route path="callback" element={<OpenIDCallback />} />}
         <Route path="*" element={<Navigate to="login" />} />
       </Routes>
     </div>
diff --git a/web/src/pages/auth/Login/Login.tsx b/web/src/pages/auth/Login/Login.tsx
index 9ea748158f..7cf283d3d6 100644
--- a/web/src/pages/auth/Login/Login.tsx
+++ b/web/src/pages/auth/Login/Login.tsx
@@ -39,9 +39,9 @@ export const Login = () => {
     },
   } = useApi();
 
-  const appInfo = useAppStore((state) => state.appInfo);
+  const enterpriseEnabled = useAppStore((state) => state.enterprise_enabled);
   const { data: openIdInfo, isLoading: openIdLoading } = useQuery({
-    enabled: appInfo?.enterprise,
+    enabled: enterpriseEnabled,
     queryKey: [QueryKeys.FETCH_OPENID_INFO],
     queryFn: getOpenidInfo,
     refetchOnMount: true,
@@ -103,7 +103,7 @@ export const Login = () => {
 
   return (
     <section id="login-container">
-      {!openIdLoading ? (
+      {(!enterpriseEnabled || !openIdLoading) ? (
         <>
           <h1>{LL.loginPage.pageTitle()}</h1>
           <form onSubmit={handleSubmit(onSubmit)}>
@@ -131,7 +131,7 @@ export const Login = () => {
               data-testid="login-form-submit"
             />
             {
-              appInfo?.enterprise && openIdInfo && (
+              enterpriseEnabled && openIdInfo && (
                 <OpenIdLoginButton url={openIdInfo.url} />
               )
             }
diff --git a/web/src/pages/settings/SettingsPage.tsx b/web/src/pages/settings/SettingsPage.tsx
index 17d9b62c15..94a9fa0b61 100644
--- a/web/src/pages/settings/SettingsPage.tsx
+++ b/web/src/pages/settings/SettingsPage.tsx
@@ -41,7 +41,7 @@ export const SettingsPage = () => {
 
   const settings = useSettingsPage((state) => state.settings);
 
-  const appInfo = useAppStore((state) => state.appInfo);
+  const enterpriseEnabled = useAppStore((state) => state.enterprise_enabled);
 
   const { data: settingsData, isLoading } = useQuery({
     queryFn: getSettings,
@@ -79,12 +79,12 @@ export const SettingsPage = () => {
     ];
 
     // Fitler out enterprise tabs if not enterprise
-    if (!appInfo?.enterprise) {
+    if (!enterpriseEnabled) {
       tabs = tabs.filter((tab) => tab.key !== 3);
     }
 
     return tabs;
-  }, [LL.settingsPage.tabs, activeCard, appInfo?.enterprise]);
+  }, [LL.settingsPage.tabs, activeCard, enterpriseEnabled]);
 
   // set store
   useEffect(() => {
diff --git a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
index 8a6d9da86a..0682a0e100 100644
--- a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
+++ b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
@@ -43,7 +43,7 @@ export const LicenseSettings = () => {
     onSuccess: () => {
       toaster.success(LL.settingsPage.messages.editSuccess());
       queryClient.invalidateQueries([QueryKeys.FETCH_SETTINGS]);
-      queryClient.invalidateQueries([QueryKeys.FETCH_APP_INFO]);
+      queryClient.invalidateQueries([QueryKeys.FETCH_ENTERPRISE_STATUS]);
     },
     onError: (err) => {
       toaster.error(LL.messages.error());
diff --git a/web/src/shared/hooks/store/useAppStore.ts b/web/src/shared/hooks/store/useAppStore.ts
index af24661b0c..c978975759 100644
--- a/web/src/shared/hooks/store/useAppStore.ts
+++ b/web/src/shared/hooks/store/useAppStore.ts
@@ -9,6 +9,7 @@ const defaultValues: StoreValues = {
   settings: undefined,
   language: undefined,
   appInfo: undefined,
+  enterprise_enabled: false,
 };
 
 const persistKeys: Array<keyof StoreValues> = ['language'];
@@ -35,6 +36,7 @@ type StoreValues = {
   settings?: SettingsEssentials;
   language?: Locales;
   appInfo?: AppInfo;
+  enterprise_enabled?: boolean;
 };
 
 type StoreMethods = {
diff --git a/web/src/shared/hooks/useApi.tsx b/web/src/shared/hooks/useApi.tsx
index 2202f1cab5..7b66824ce1 100644
--- a/web/src/shared/hooks/useApi.tsx
+++ b/web/src/shared/hooks/useApi.tsx
@@ -360,6 +360,8 @@ const useApi = (props?: HookProps): ApiHook => {
   const editSettings = async (settings: Settings) =>
     client.put('/settings', settings).then(unpackRequest);
 
+  const getEnterpriseStatus = () => client.get('/enterprise_status').then(unpackRequest);
+
   const mfaEnable = () => client.put('/auth/mfa').then(unpackRequest);
 
   const recovery: ApiHook['auth']['mfa']['recovery'] = (data) =>
@@ -494,6 +496,7 @@ const useApi = (props?: HookProps): ApiHook => {
   return {
     getAppInfo,
     changePasswordSelf,
+    getEnterpriseStatus,
     oAuth: {
       consent: oAuthConsent,
     },
diff --git a/web/src/shared/queries.ts b/web/src/shared/queries.ts
index 1087fcbb58..7834db9ad0 100644
--- a/web/src/shared/queries.ts
+++ b/web/src/shared/queries.ts
@@ -28,4 +28,5 @@ export const QueryKeys = {
   FETCH_AUTHENTICATION_KEYS_INFO: 'FETCH_AUTHENTICATION_KEYS_INFO',
   FETCH_OPENID_PROVIDERS: 'FETCH_OPENID_PROVIDERS',
   FETCH_OPENID_INFO: 'FETCH_OPENID_INFO',
+  FETCH_ENTERPRISE_STATUS: 'FETCH_ENTERPRISE_STATUS',
 };
diff --git a/web/src/shared/types.ts b/web/src/shared/types.ts
index 6e27323330..57d02628f9 100644
--- a/web/src/shared/types.ts
+++ b/web/src/shared/types.ts
@@ -360,7 +360,6 @@ export interface AppInfo {
   version: string;
   network_present: boolean;
   smtp_enabled: boolean;
-  enterprise: boolean;
 }
 
 export type GetDeviceConfigRequest = {
@@ -434,9 +433,14 @@ export type AuthenticationKey = {
   key: string;
 };
 
+export type EnterpriseStatusResponse = {
+  enabled: boolean;
+};
+
 export interface ApiHook {
   getAppInfo: () => Promise<AppInfo>;
   changePasswordSelf: (data: ChangePasswordSelfRequest) => Promise<EmptyApiResponse>;
+  getEnterpriseStatus: () => Promise<EnterpriseStatusResponse>;
   oAuth: {
     consent: (params: unknown) => Promise<EmptyApiResponse>;
   };

From b74fad2443f6431b581e301abaaddeae8f8900f0 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 12 Aug 2024 15:43:48 +0200
Subject: [PATCH 50/73] fix log levels

---
 src/enterprise/license.rs | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)

diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index 77056d7d48..db133ad5fe 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -3,7 +3,6 @@ use std::sync::{Arc, Mutex};
 use anyhow::Result;
 use chrono::{DateTime, TimeDelta, Utc};
 use tokio::time::sleep;
-// use rsa::{pkcs8::FromPublicKey, PaddingScheme, PublicKey, RsaPublicKey};
 
 use crate::{
     db::{DbPool, Settings},
@@ -160,6 +159,8 @@ impl License {
         }
     }
 
+    /// Create the license object based on the license key stored in the database.
+    /// Automatically decodes and deserializes the keys and verifies the signature.
     pub async fn load(pool: &DbPool) -> Result<Option<License>, LicenseError> {
         match Self::get_key(pool).await? {
             Some(key) => Ok(Some(Self::from_base64(&key)?)),
@@ -369,13 +370,14 @@ pub async fn run_periodic_license_check(
     let mut check_period = server_config().license_check_period;
     info!("Starting periodic license check every {:?}", check_period);
     loop {
+        debug!("Checking the license status...");
         // Check if the license is present in the mutex, if not skip the check
         if license_mutex
             .lock()
             .expect("Failed to acquire lock on the license mutex.")
             .is_none()
         {
-            info!("No license found, skipping license check");
+            debug!("No license found, skipping license check");
             sleep(*server_config().license_check_period_no_license).await;
             continue;
         }
@@ -386,7 +388,7 @@ pub async fn run_periodic_license_check(
             let license = license_mutex
                 .lock()
                 .expect("Failed to acquire lock on the license mutex.");
-            info!(
+            debug!(
                 "Checking if the license {:?} requires a renewal...",
                 license
             );
@@ -397,25 +399,26 @@ pub async fn run_periodic_license_check(
                         // check if we are pass the maximum expiration date, after which we don't
                         // want to try to renew the license anymore
                         if !license.is_max_overdue() {
+                            debug!("License requires renewal, as it is about to expire and is not past the maximum overdue time");
                             true
                         } else {
                             check_period = server_config().license_check_period;
                             warn!("Your license has expired and reached its maximum overdue date, please contact sales at sales<at>defguard.net");
-                            info!("Changing check period to {}", check_period);
+                            debug!("Changing check period to {}", check_period);
                             false
                         }
                     } else {
                         // This if is only for logging purposes, to provide more detailed information
                         if license.subscription {
-                            info!("License doesn't need to be renewed yet, skipping renewal check")
+                            debug!("License doesn't need to be renewed yet, skipping renewal check")
                         } else {
-                            info!("License is not a subscription, skipping renewal check")
+                            debug!("License is not a subscription, skipping renewal check")
                         }
                         false
                     }
                 }
                 None => {
-                    info!("No license found, skipping license check");
+                    debug!("No license found, skipping license check");
                     false
                 }
             }
@@ -424,13 +427,14 @@ pub async fn run_periodic_license_check(
         if requires_renewal {
             info!("License requires renewal, renewing license...");
             check_period = server_config().license_check_period_renewal_window;
-            info!("Changing check period to {}", check_period);
+            debug!("Changing check period to {}", check_period);
             match renew_license(&pool).await {
                 Ok(new_license_key) => match save_license_key(&pool, &new_license_key).await {
                     Ok(_) => {
                         update_cached_license(Some(&new_license_key), license_mutex.clone())?;
                         check_period = server_config().license_check_period;
-                        info!("Changing check period to {} seconds", check_period);
+                        debug!("Changing check period to {} seconds", check_period);
+                        info!("Successfully renewed the license, new license key saved to the database");
                     }
                     Err(err) => {
                         error!("Couldn't save the newly fetched license key to the database, error: {}", err);

From 360ea36f0e372da6138925a1d3374145deeaad06 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 12 Aug 2024 16:11:17 +0200
Subject: [PATCH 51/73] cleanup

---
 web/src/components/AppLoader.tsx                 |  1 -
 web/src/pages/auth/Login/Login.tsx               | 16 +++++++---------
 web/src/pages/settings/SettingsPage.tsx          |  2 +-
 .../components/OpenIdSettingsForm.tsx            |  1 -
 4 files changed, 8 insertions(+), 12 deletions(-)

diff --git a/web/src/components/AppLoader.tsx b/web/src/components/AppLoader.tsx
index facf1ecd00..c0a4726cf4 100644
--- a/web/src/components/AppLoader.tsx
+++ b/web/src/components/AppLoader.tsx
@@ -70,7 +70,6 @@ export const AppLoader = () => {
 
   useQuery([QueryKeys.FETCH_ENTERPRISE_STATUS], getEnterpriseStatus, {
     onSuccess: (status) => {
-      console.log(status)
       setAppStore({ enterprise_enabled: status.enabled });
     },
     onError: (err) => {
diff --git a/web/src/pages/auth/Login/Login.tsx b/web/src/pages/auth/Login/Login.tsx
index 7cf283d3d6..56f501b7bf 100644
--- a/web/src/pages/auth/Login/Login.tsx
+++ b/web/src/pages/auth/Login/Login.tsx
@@ -15,6 +15,7 @@ import {
   ButtonStyleVariant,
 } from '../../../shared/defguard-ui/components/Layout/Button/types';
 import { LoaderSpinner } from '../../../shared/defguard-ui/components/Layout/LoaderSpinner/LoaderSpinner';
+import { useAppStore } from '../../../shared/hooks/store/useAppStore';
 import { useAuthStore } from '../../../shared/hooks/store/useAuthStore';
 import useApi from '../../../shared/hooks/useApi';
 import { MutationKeys } from '../../../shared/mutations';
@@ -23,7 +24,6 @@ import { QueryKeys } from '../../../shared/queries';
 import { LoginData } from '../../../shared/types';
 import { trimObjectStrings } from '../../../shared/utils/trimObjectStrings';
 import { OpenIdLoginButton } from './components/OidcButtons';
-import { useAppStore } from '../../../shared/hooks/store/useAppStore';
 
 type Inputs = {
   username: string;
@@ -103,7 +103,7 @@ export const Login = () => {
 
   return (
     <section id="login-container">
-      {(!enterpriseEnabled || !openIdLoading) ? (
+      {!enterpriseEnabled || !openIdLoading ? (
         <>
           <h1>{LL.loginPage.pageTitle()}</h1>
           <form onSubmit={handleSubmit(onSubmit)}>
@@ -130,16 +130,14 @@ export const Login = () => {
               text={LL.form.login()}
               data-testid="login-form-submit"
             />
-            {
-              enterpriseEnabled && openIdInfo && (
-                <OpenIdLoginButton url={openIdInfo.url} />
-              )
-            }
-          </form >
+            {enterpriseEnabled && openIdInfo && (
+              <OpenIdLoginButton url={openIdInfo.url} />
+            )}
+          </form>
         </>
       ) : (
         <LoaderSpinner size={80} />
       )}
-    </section >
+    </section>
   );
 };
diff --git a/web/src/pages/settings/SettingsPage.tsx b/web/src/pages/settings/SettingsPage.tsx
index 94a9fa0b61..e9ee5a6b73 100644
--- a/web/src/pages/settings/SettingsPage.tsx
+++ b/web/src/pages/settings/SettingsPage.tsx
@@ -10,6 +10,7 @@ import { Card } from '../../shared/defguard-ui/components/Layout/Card/Card';
 import { CardTabs } from '../../shared/defguard-ui/components/Layout/CardTabs/CardTabs';
 import { CardTabsData } from '../../shared/defguard-ui/components/Layout/CardTabs/types';
 import { LoaderSpinner } from '../../shared/defguard-ui/components/Layout/LoaderSpinner/LoaderSpinner';
+import { useAppStore } from '../../shared/hooks/store/useAppStore';
 import useApi from '../../shared/hooks/useApi';
 import { QueryKeys } from '../../shared/queries';
 import { GlobalSettings } from './components/GlobalSettings/GlobalSettings';
@@ -17,7 +18,6 @@ import { LdapSettings } from './components/LdapSettings/LdapSettings';
 import { OpenIdSettings } from './components/OpenIdSettings/OpenIdSettings';
 import { SmtpSettings } from './components/SmtpSettings/SmtpSettings';
 import { useSettingsPage } from './hooks/useSettingsPage';
-import { useAppStore } from '../../shared/hooks/store/useAppStore';
 
 const tabsContent: ReactNode[] = [
   <GlobalSettings key={0} />,
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
index e027f861b0..f47663856c 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -205,7 +205,6 @@ export const OpenIdSettingsForm = () => {
             styleVariant={ButtonStyleVariant.CONFIRM}
             loading={isLoading}
             onClick={() => {
-              console.log('delete');
               handleDeleteProvider();
             }}
           />

From 1a395bce2bdf8bac502bc317a61be2a635088bcc Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 13 Aug 2024 11:02:33 +0200
Subject: [PATCH 52/73] Apply suggestions from code review

Co-authored-by: Adam <aciarcinski@teonite.com>
---
 Cargo.toml                |  2 +-
 src/bin/defguard.rs       |  2 +-
 src/enterprise/license.rs | 20 ++++++++++----------
 src/handlers/app_info.rs  |  2 +-
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index e4e1adcda5..e4e5e83f97 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -102,7 +102,7 @@ x25519-dalek = { version = "2.0", features = ["static_secrets"] }
 # openapi
 utoipa = { version = "4", features = ["axum_extras"] }
 utoipa-swagger-ui = { version = "7", features = ["axum"] }
-pgp = "0.13.1"
+pgp = "0.13"
 tonic-health = "0.11"
 
 [dev-dependencies]
diff --git a/src/bin/defguard.rs b/src/bin/defguard.rs
index c56ccdf5a5..c3c4971911 100644
--- a/src/bin/defguard.rs
+++ b/src/bin/defguard.rs
@@ -111,7 +111,7 @@ async fn main() -> Result<(), anyhow::Error> {
         }
         Err(err) => {
             warn!(
-                "There was an error while loading the license, error: {}",
+                "There was an error while loading the license, error: {err}",
                 err
             );
             Arc::new(Mutex::new(None))
diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index db133ad5fe..6b0c63de3d 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -51,7 +51,7 @@ pub enum LicenseError {
     DecodeError(String),
     #[error("License is expired and has reached its maximum overdue time, please contact sales")]
     LicenseExpired,
-    #[error("License is not found")]
+    #[error("License not found")]
     LicenseNotFound,
     #[error("License server error: {0}")]
     LicenseServerError(String),
@@ -185,7 +185,7 @@ impl License {
                                 Ok(Some(new_license))
                             }
                             Err(err) => {
-                                error!("Failed to renew the license: {}", err);
+                                error!("Failed to renew the license: {err}");
                                 Ok(Some(license))
                             }
                         }
@@ -278,15 +278,15 @@ async fn renew_license(db_pool: &DbPool) -> Result<String, LicenseError> {
         Ok(response) => match response.status() {
             reqwest::StatusCode::OK => {
                 let response: RefreshRequestResponse = response.json().await.map_err(|err| {
-                    error!("Failed to parse the response from the license server while trying to renew the license: {:?}", err);
+                    error!("Failed to parse the response from the license server while trying to renew the license: {err:?}");
                     LicenseError::LicenseServerError(err.to_string())
                 })?;
                 response.key
             }
             status => {
-                let status_message = response.text().await.unwrap_or_else(|_| "".to_string());
+                let status_message = response.text().await.unwrap_or_default();
                 let message = format!(
-                    "Failed to renew the license, the license server returned a status code {} with error: {}",
+                    "Failed to renew the license, the license server returned a status code {status} with error: {status_message}",
                     status, status_message
                 );
                 return Err(LicenseError::LicenseServerError(message));
@@ -368,7 +368,7 @@ pub async fn run_periodic_license_check(
     license_mutex: Arc<Mutex<Option<License>>>,
 ) -> Result<(), LicenseError> {
     let mut check_period = server_config().license_check_period;
-    info!("Starting periodic license check every {:?}", check_period);
+    info!("Starting periodic license check every {check_period:?});
     loop {
         debug!("Checking the license status...");
         // Check if the license is present in the mutex, if not skip the check
@@ -389,7 +389,7 @@ pub async fn run_periodic_license_check(
                 .lock()
                 .expect("Failed to acquire lock on the license mutex.");
             debug!(
-                "Checking if the license {:?} requires a renewal...",
+                "Checking if the license {license:?} requires a renewal...",
                 license
             );
 
@@ -404,7 +404,7 @@ pub async fn run_periodic_license_check(
                         } else {
                             check_period = server_config().license_check_period;
                             warn!("Your license has expired and reached its maximum overdue date, please contact sales at sales<at>defguard.net");
-                            debug!("Changing check period to {}", check_period);
+                            debug!("Changing check period to {check_period});
                             false
                         }
                     } else {
@@ -427,7 +427,7 @@ pub async fn run_periodic_license_check(
         if requires_renewal {
             info!("License requires renewal, renewing license...");
             check_period = server_config().license_check_period_renewal_window;
-            debug!("Changing check period to {}", check_period);
+            debug!("Changing check period to {check_period});
             match renew_license(&pool).await {
                 Ok(new_license_key) => match save_license_key(&pool, &new_license_key).await {
                     Ok(_) => {
@@ -441,7 +441,7 @@ pub async fn run_periodic_license_check(
                     }
                 },
                 Err(err) => {
-                    error!("Failed to renew the license: {}", err);
+                    error!("Failed to renew the license: {err}");
                 }
             }
         }
diff --git a/src/handlers/app_info.rs b/src/handlers/app_info.rs
index 7cc5f9f795..5c95c7f235 100644
--- a/src/handlers/app_info.rs
+++ b/src/handlers/app_info.rs
@@ -26,7 +26,7 @@ pub(crate) async fn get_app_info(
         .license
         .lock()
         .expect("Failed to acquire lock on the license.");
-    info!("license: {:?}", license);
+    info!("license: {license:?});
     let enterprise = validate_license((*license).as_ref()).is_ok();
     info!("enterprise: {}", enterprise);
     let res = AppInfo {

From d35975397b1d9717795a2098891458da6ed7dc32 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 13 Aug 2024 11:13:17 +0200
Subject: [PATCH 53/73] sort dependencies

---
 Cargo.toml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index e4e5e83f97..6c955912dc 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -40,6 +40,7 @@ model_derive = { path = "model-derive" }
 openidconnect = { version = "3.5", default-features = false, optional = true, features = [
     "reqwest",
 ] }
+pgp = "0.13"
 prost = "0.12"
 pulldown-cmark = "0.11"
 rand = "0.8"
@@ -87,11 +88,15 @@ tokio = { version = "1", features = [
 ] }
 tokio-stream = "0.1"
 tonic = { version = "0.11", features = ["gzip", "tls", "tls-roots"] }
+tonic-health = "0.11"
 totp-lite = { version = "2.0" }
 tower-http = { version = "0.5", features = ["fs", "trace"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 uaparser = "0.6"
+# openapi
+utoipa = { version = "4", features = ["axum_extras"] }
+utoipa-swagger-ui = { version = "7", features = ["axum"] }
 uuid = { version = "1.9", features = ["v4"] }
 webauthn-authenticator-rs = { version = "0.5" }
 webauthn-rs = { version = "0.5", features = [
@@ -99,11 +104,6 @@ webauthn-rs = { version = "0.5", features = [
 ] }
 webauthn-rs-proto = "0.5"
 x25519-dalek = { version = "2.0", features = ["static_secrets"] }
-# openapi
-utoipa = { version = "4", features = ["axum_extras"] }
-utoipa-swagger-ui = { version = "7", features = ["axum"] }
-pgp = "0.13"
-tonic-health = "0.11"
 
 [dev-dependencies]
 bytes = "1.6"

From a328ebef238ba82a5c03791b357d0ad1d433a6c8 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 13 Aug 2024 11:18:04 +0200
Subject: [PATCH 54/73] organize imports

---
 src/bin/defguard.rs                         |  7 ++-
 src/db/models/auth_code.rs                  |  5 +-
 src/db/models/device.rs                     |  3 +-
 src/db/models/oauth2authorizedapp.rs        |  3 +-
 src/db/models/oauth2client.rs               |  5 +-
 src/db/models/oauth2token.rs                |  5 +-
 src/db/models/webhook.rs                    |  5 +-
 src/db/models/wireguard.rs                  |  3 +-
 src/enterprise/handlers/openid_login.rs     | 15 ++----
 src/enterprise/handlers/openid_providers.rs |  6 +--
 src/enterprise/license.rs                   | 19 ++++----
 src/grpc/desktop_client_mfa.rs              | 10 ++--
 src/grpc/enrollment.rs                      | 24 ++++-----
 src/grpc/interceptor.rs                     |  3 +-
 src/grpc/password_reset.rs                  |  9 ++--
 src/grpc/worker.rs                          | 14 +++---
 src/handlers/app_info.rs                    | 14 +++---
 src/handlers/user.rs                        |  3 +-
 src/lib.rs                                  | 54 ++++++++++-----------
 src/templates.rs                            |  2 +-
 src/wireguard_peer_disconnect.rs            | 10 ++--
 src/wireguard_stats_purge.rs                |  6 ++-
 22 files changed, 115 insertions(+), 110 deletions(-)

diff --git a/src/bin/defguard.rs b/src/bin/defguard.rs
index c3c4971911..b154ba101f 100644
--- a/src/bin/defguard.rs
+++ b/src/bin/defguard.rs
@@ -3,10 +3,6 @@ use std::{
     sync::{Arc, Mutex},
 };
 
-use secrecy::ExposeSecret;
-use tokio::sync::{broadcast, mpsc::unbounded_channel};
-use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
-
 use defguard::{
     auth::failed_login::FailedLoginMap,
     config::{Command, DefGuardConfig},
@@ -21,6 +17,9 @@ use defguard::{
     wireguard_stats_purge::run_periodic_stats_purge,
     SERVER_CONFIG, VERSION,
 };
+use secrecy::ExposeSecret;
+use tokio::sync::{broadcast, mpsc::unbounded_channel};
+use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
 
 #[macro_use]
 extern crate tracing;
diff --git a/src/db/models/auth_code.rs b/src/db/models/auth_code.rs
index f25aa9066b..52ad8bf8d8 100644
--- a/src/db/models/auth_code.rs
+++ b/src/db/models/auth_code.rs
@@ -1,9 +1,10 @@
-use super::DbPool;
-use crate::random::gen_alphanumeric;
 use chrono::Utc;
 use model_derive::Model;
 use sqlx::{query_as, Error as SqlxError};
 
+use super::DbPool;
+use crate::random::gen_alphanumeric;
+
 #[derive(Model, Clone)]
 #[table(authorization_code)]
 pub struct AuthCode {
diff --git a/src/db/models/device.rs b/src/db/models/device.rs
index c137e779c0..47383b9c1c 100644
--- a/src/db/models/device.rs
+++ b/src/db/models/device.rs
@@ -621,9 +621,10 @@ impl Device {
 
 #[cfg(test)]
 mod test {
+    use claims::{assert_err, assert_ok};
+
     use super::*;
     use crate::db::User;
-    use claims::{assert_err, assert_ok};
 
     impl Device {
         /// Create new device and assign IP in a given network
diff --git a/src/db/models/oauth2authorizedapp.rs b/src/db/models/oauth2authorizedapp.rs
index 011221b93d..f4566ce26a 100644
--- a/src/db/models/oauth2authorizedapp.rs
+++ b/src/db/models/oauth2authorizedapp.rs
@@ -1,7 +1,8 @@
-use super::DbPool;
 use model_derive::Model;
 use sqlx::{query_as, Error as SqlxError};
 
+use super::DbPool;
+
 #[derive(Model)]
 pub struct OAuth2AuthorizedApp {
     pub id: Option<i64>,
diff --git a/src/db/models/oauth2client.rs b/src/db/models/oauth2client.rs
index db13edf321..113d92be60 100644
--- a/src/db/models/oauth2client.rs
+++ b/src/db/models/oauth2client.rs
@@ -1,8 +1,9 @@
-use super::{DbPool, NewOpenIDClient};
-use crate::random::gen_alphanumeric;
 use model_derive::Model;
 use sqlx::{query_as, Error as SqlxError};
 
+use super::{DbPool, NewOpenIDClient};
+use crate::random::gen_alphanumeric;
+
 #[derive(Deserialize, Model, Serialize)]
 pub struct OAuth2Client {
     pub id: Option<i64>,
diff --git a/src/db/models/oauth2token.rs b/src/db/models/oauth2token.rs
index a49a04ffa3..94c5e10a6f 100644
--- a/src/db/models/oauth2token.rs
+++ b/src/db/models/oauth2token.rs
@@ -1,8 +1,9 @@
-use super::DbPool;
-use crate::{random::gen_alphanumeric, server_config};
 use chrono::{Duration, Utc};
 use sqlx::{query, query_as, Error as SqlxError};
 
+use super::DbPool;
+use crate::{random::gen_alphanumeric, server_config};
+
 pub struct OAuth2Token {
     pub oauth2authorizedapp_id: i64,
     pub access_token: String,
diff --git a/src/db/models/webhook.rs b/src/db/models/webhook.rs
index 5ffd2e4a63..ed8f31d172 100644
--- a/src/db/models/webhook.rs
+++ b/src/db/models/webhook.rs
@@ -1,8 +1,9 @@
-use super::UserInfo;
-use crate::DbPool;
 use model_derive::Model;
 use sqlx::{query_as, Error as SqlxError, FromRow};
 
+use super::UserInfo;
+use crate::DbPool;
+
 /// App events which triggers webhook action
 #[derive(Debug)]
 pub enum AppEvent {
diff --git a/src/db/models/wireguard.rs b/src/db/models/wireguard.rs
index 15f61fc1ea..54cdad5a61 100644
--- a/src/db/models/wireguard.rs
+++ b/src/db/models/wireguard.rs
@@ -1020,9 +1020,8 @@ pub struct WireguardNetworkStats {
 mod test {
     use chrono::{Duration, SubsecRound};
 
-    use crate::db::models::device::WireguardNetworkDevice;
-
     use super::*;
+    use crate::db::models::device::WireguardNetworkDevice;
 
     async fn add_devices(pool: &DbPool, network: &WireguardNetwork, count: usize) {
         let mut user = User::new(
diff --git a/src/enterprise/handlers/openid_login.rs b/src/enterprise/handlers/openid_login.rs
index 6023cc7d5f..549f5f06ca 100644
--- a/src/enterprise/handlers/openid_login.rs
+++ b/src/enterprise/handlers/openid_login.rs
@@ -1,14 +1,8 @@
+use axum::extract::State;
 use axum::http::StatusCode;
-
 use axum::Json;
-use axum_extra::extract::cookie::{Cookie, SameSite};
-use serde_json::json;
-
-use time::Duration;
-
-use axum::extract::State;
-
 use axum_client_ip::{InsecureClientIp, LeftmostXForwardedFor};
+use axum_extra::extract::cookie::{Cookie, SameSite};
 use axum_extra::extract::{CookieJar, PrivateCookieJar};
 use axum_extra::headers::UserAgent;
 use axum_extra::TypedHeader;
@@ -21,7 +15,10 @@ use openidconnect::{
     ProviderMetadata, RedirectUrl,
 };
 use openidconnect::{AuthenticationFlow, CsrfToken, EmptyAdditionalClaims, IdToken, Nonce, Scope};
+use serde_json::json;
+use time::Duration;
 
+use super::LicenseInfo;
 use crate::appstate::AppState;
 use crate::db::{DbPool, MFAInfo, Session, SessionState, Settings, User, UserInfo};
 use crate::enterprise::db::models::openid_provider::OpenIdProvider;
@@ -31,8 +28,6 @@ use crate::handlers::{ApiResponse, AuthResponse, SESSION_COOKIE_NAME, SIGN_IN_CO
 use crate::headers::{check_new_device_login, get_user_agent_device, parse_user_agent};
 use crate::server_config;
 
-use super::LicenseInfo;
-
 type ProvMeta = ProviderMetadata<
     openidconnect::EmptyAdditionalProviderMetadata,
     openidconnect::core::CoreAuthDisplay,
diff --git a/src/enterprise/handlers/openid_providers.rs b/src/enterprise/handlers/openid_providers.rs
index ff88dd2848..928dcb235e 100644
--- a/src/enterprise/handlers/openid_providers.rs
+++ b/src/enterprise/handlers/openid_providers.rs
@@ -3,7 +3,9 @@ use axum::{
     http::StatusCode,
     Json,
 };
+use serde_json::json;
 
+use super::LicenseInfo;
 use crate::{
     appstate::AppState,
     auth::{AdminRole, SessionInfo},
@@ -11,10 +13,6 @@ use crate::{
     handlers::{ApiResponse, ApiResult},
 };
 
-use serde_json::json;
-
-use super::LicenseInfo;
-
 #[derive(Debug, Deserialize, Serialize)]
 pub struct AddProviderData {
     name: String,
diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index 6b0c63de3d..cbc2a2199d 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -1,18 +1,18 @@
 use std::sync::{Arc, Mutex};
 
 use anyhow::Result;
+use base64::prelude::*;
 use chrono::{DateTime, TimeDelta, Utc};
+use pgp::{Deserializable, SignedPublicKey, StandaloneSignature};
+use prost::Message;
+use sqlx::error::Error as SqlxError;
+use thiserror::Error;
 use tokio::time::sleep;
 
 use crate::{
     db::{DbPool, Settings},
     server_config,
 };
-use base64::prelude::*;
-use pgp::{Deserializable, SignedPublicKey, StandaloneSignature};
-use prost::Message;
-use sqlx::error::Error as SqlxError;
-use thiserror::Error;
 
 tonic::include_proto!("license");
 
@@ -70,6 +70,7 @@ pub struct License {
 }
 
 impl License {
+    #[must_use]
     pub fn new(
         customer_id: String,
         subscription: bool,
@@ -368,7 +369,7 @@ pub async fn run_periodic_license_check(
     license_mutex: Arc<Mutex<Option<License>>>,
 ) -> Result<(), LicenseError> {
     let mut check_period = server_config().license_check_period;
-    info!("Starting periodic license check every {check_period:?});
+    info!("Starting periodic license check every {check_period:?}");
     loop {
         debug!("Checking the license status...");
         // Check if the license is present in the mutex, if not skip the check
@@ -404,7 +405,7 @@ pub async fn run_periodic_license_check(
                         } else {
                             check_period = server_config().license_check_period;
                             warn!("Your license has expired and reached its maximum overdue date, please contact sales at sales<at>defguard.net");
-                            debug!("Changing check period to {check_period});
+                            debug!("Changing check period to {check_period}");
                             false
                         }
                     } else {
@@ -427,13 +428,13 @@ pub async fn run_periodic_license_check(
         if requires_renewal {
             info!("License requires renewal, renewing license...");
             check_period = server_config().license_check_period_renewal_window;
-            debug!("Changing check period to {check_period});
+            debug!("Changing check period to {check_period}");
             match renew_license(&pool).await {
                 Ok(new_license_key) => match save_license_key(&pool, &new_license_key).await {
                     Ok(_) => {
                         update_cached_license(Some(&new_license_key), license_mutex.clone())?;
                         check_period = server_config().license_check_period;
-                        debug!("Changing check period to {} seconds", check_period);
+                        debug!("Changing check period to {check_period} seconds");
                         info!("Successfully renewed the license, new license key saved to the database");
                     }
                     Err(err) => {
diff --git a/src/grpc/desktop_client_mfa.rs b/src/grpc/desktop_client_mfa.rs
index 3d7eb091d6..4fb5e5d32b 100644
--- a/src/grpc/desktop_client_mfa.rs
+++ b/src/grpc/desktop_client_mfa.rs
@@ -1,3 +1,9 @@
+use std::collections::HashMap;
+
+use chrono::Utc;
+use tokio::sync::{broadcast::Sender, mpsc::UnboundedSender};
+use tonic::Status;
+
 use super::proto::{
     ClientMfaFinishRequest, ClientMfaFinishResponse, ClientMfaStartRequest, ClientMfaStartResponse,
     MfaMethod,
@@ -11,10 +17,6 @@ use crate::{
     handlers::mail::send_email_mfa_code_email,
     mail::Mail,
 };
-use chrono::Utc;
-use std::collections::HashMap;
-use tokio::sync::{broadcast::Sender, mpsc::UnboundedSender};
-use tonic::Status;
 
 const CLIENT_SESSION_TIMEOUT: u64 = 60 * 5; // 10 minutes
 
diff --git a/src/grpc/enrollment.rs b/src/grpc/enrollment.rs
index 1e314f8f45..37f8888acd 100644
--- a/src/grpc/enrollment.rs
+++ b/src/grpc/enrollment.rs
@@ -1,5 +1,17 @@
 use std::sync::Arc;
 
+use ipnetwork::IpNetwork;
+use reqwest::Url;
+use sqlx::Transaction;
+use tokio::sync::{broadcast::Sender, mpsc::UnboundedSender};
+use tonic::Status;
+use uaparser::UserAgentParser;
+
+use super::proto::{
+    ActivateUserRequest, AdminInfo, Device as ProtoDevice, DeviceConfig as ProtoDeviceConfig,
+    DeviceConfigResponse, EnrollmentStartRequest, EnrollmentStartResponse, ExistingDevice,
+    InitialUserInfo, NewDevice,
+};
 use crate::{
     db::{
         models::{
@@ -16,18 +28,6 @@ use crate::{
     server_config,
     templates::{self, TemplateLocation},
 };
-use ipnetwork::IpNetwork;
-use reqwest::Url;
-use sqlx::Transaction;
-use tokio::sync::{broadcast::Sender, mpsc::UnboundedSender};
-use tonic::Status;
-use uaparser::UserAgentParser;
-
-use super::proto::{
-    ActivateUserRequest, AdminInfo, Device as ProtoDevice, DeviceConfig as ProtoDeviceConfig,
-    DeviceConfigResponse, EnrollmentStartRequest, EnrollmentStartResponse, ExistingDevice,
-    InitialUserInfo, NewDevice,
-};
 
 pub(super) struct EnrollmentServer {
     pool: DbPool,
diff --git a/src/grpc/interceptor.rs b/src/grpc/interceptor.rs
index 4872a327bb..75d254459b 100644
--- a/src/grpc/interceptor.rs
+++ b/src/grpc/interceptor.rs
@@ -1,6 +1,7 @@
-use crate::auth::{Claims, ClaimsType};
 use tonic::{service::Interceptor, Status};
 
+use crate::auth::{Claims, ClaimsType};
+
 /// Auth interceptor used by GRPC services. Verifies JWT token sent
 /// in GRPC metadata under "authorization" key.
 #[derive(Clone)]
diff --git a/src/grpc/password_reset.rs b/src/grpc/password_reset.rs
index d94c25c7c1..98e021bdda 100644
--- a/src/grpc/password_reset.rs
+++ b/src/grpc/password_reset.rs
@@ -1,6 +1,10 @@
 use tokio::sync::mpsc::UnboundedSender;
 use tonic::Status;
 
+use super::proto::{
+    PasswordResetInitializeRequest, PasswordResetRequest, PasswordResetStartRequest,
+    PasswordResetStartResponse,
+};
 use crate::{
     db::{
         models::enrollment::{Token, PASSWORD_RESET_TOKEN_TYPE},
@@ -15,11 +19,6 @@ use crate::{
     server_config,
 };
 
-use super::proto::{
-    PasswordResetInitializeRequest, PasswordResetRequest, PasswordResetStartRequest,
-    PasswordResetStartResponse,
-};
-
 pub(super) struct PasswordResetServer {
     pool: DbPool,
     mail_tx: UnboundedSender<Mail>,
diff --git a/src/grpc/worker.rs b/src/grpc/worker.rs
index cf08b0d7b2..4636cc85e6 100644
--- a/src/grpc/worker.rs
+++ b/src/grpc/worker.rs
@@ -1,9 +1,3 @@
-use super::{Job, JobResponse, WorkerDetail, WorkerInfo, WorkerState};
-use crate::db::{
-    models::authentication_key::{AuthenticationKey, AuthenticationKeyType},
-    AppEvent, DbPool, HWKeyUserData, User, YubiKey,
-};
-use sqlx::query;
 use std::{
     collections::hash_map::{Entry, HashMap},
     env,
@@ -11,9 +5,17 @@ use std::{
     sync::{Arc, Mutex},
     time::Instant,
 };
+
+use sqlx::query;
 use tokio::sync::mpsc::UnboundedSender;
 use tonic::{Request, Response, Status};
 
+use super::{Job, JobResponse, WorkerDetail, WorkerInfo, WorkerState};
+use crate::db::{
+    models::authentication_key::{AuthenticationKey, AuthenticationKeyType},
+    AppEvent, DbPool, HWKeyUserData, User, YubiKey,
+};
+
 tonic::include_proto!("worker");
 
 impl WorkerInfo {
diff --git a/src/handlers/app_info.rs b/src/handlers/app_info.rs
index 5c95c7f235..04ce038019 100644
--- a/src/handlers/app_info.rs
+++ b/src/handlers/app_info.rs
@@ -1,11 +1,13 @@
-use super::{ApiResponse, ApiResult, VERSION};
-use crate::enterprise::license::validate_license;
-use crate::{appstate::AppState, auth::SessionInfo, db::WireguardNetwork};
-
-use crate::db::Settings;
 use axum::{extract::State, http::StatusCode};
 use serde_json::json;
 
+use super::{ApiResponse, ApiResult, VERSION};
+use crate::db::Settings;
+use crate::{
+    appstate::AppState, auth::SessionInfo, db::WireguardNetwork,
+    enterprise::license::validate_license,
+};
+
 /// Additional information about core state.
 #[derive(Serialize)]
 pub struct AppInfo {
@@ -26,7 +28,7 @@ pub(crate) async fn get_app_info(
         .license
         .lock()
         .expect("Failed to acquire lock on the license.");
-    info!("license: {license:?});
+    info!("license: {license:?}");
     let enterprise = validate_license((*license).as_ref()).is_ok();
     info!("enterprise: {}", enterprise);
     let res = AppInfo {
diff --git a/src/handlers/user.rs b/src/handlers/user.rs
index e0d55f92bf..ef8c60f3dc 100644
--- a/src/handlers/user.rs
+++ b/src/handlers/user.rs
@@ -1368,9 +1368,10 @@ pub async fn delete_authorized_app(
 
 #[cfg(test)]
 mod test {
-    use super::*;
     use claims::{assert_err, assert_ok};
 
+    use super::*;
+
     #[test]
     fn test_username_validation() {
         // valid usernames
diff --git a/src/lib.rs b/src/lib.rs
index e3ea57945d..649874a514 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -5,13 +5,12 @@ use std::{
 };
 
 use anyhow::anyhow;
+use assets::{index, svg, web_asset};
 use axum::{
     http::{Request, StatusCode},
     routing::{delete, get, patch, post, put},
     serve, Extension, Json, Router,
 };
-
-use assets::{index, svg, web_asset};
 use enterprise::{
     handlers::{
         check_enterprise_status,
@@ -43,13 +42,33 @@ use tokio::{
 use tower_http::trace::{DefaultOnResponse, TraceLayer};
 use tracing::Level;
 use uaparser::UserAgentParser;
-
 use utoipa::{
     openapi::security::{ApiKey, ApiKeyValue, SecurityScheme},
     Modify, OpenApi,
 };
 use utoipa_swagger_ui::SwaggerUi;
 
+#[cfg(feature = "wireguard")]
+use self::handlers::wireguard::{
+    add_device, add_user_devices, create_network, create_network_token, delete_device,
+    delete_network, download_config, gateway_status, get_device, import_network, list_devices,
+    list_networks, list_user_devices, modify_device, modify_network, network_details,
+    network_stats, remove_gateway, user_stats,
+};
+#[cfg(feature = "worker")]
+use self::handlers::worker::{
+    create_job, create_worker_token, job_status, list_workers, remove_worker,
+};
+#[cfg(feature = "openid")]
+use self::handlers::{
+    openid_clients::{
+        add_openid_client, change_openid_client, change_openid_client_state, delete_openid_client,
+        get_openid_client, list_openid_clients,
+    },
+    openid_flow::{
+        authorization, discovery_keys, openid_configuration, secure_authorization, token, userinfo,
+    },
+};
 use self::{
     appstate::AppState,
     auth::{Claims, ClaimsType},
@@ -90,28 +109,6 @@ use self::{
     },
     mail::Mail,
 };
-
-#[cfg(feature = "wireguard")]
-use self::handlers::wireguard::{
-    add_device, add_user_devices, create_network, create_network_token, delete_device,
-    delete_network, download_config, gateway_status, get_device, import_network, list_devices,
-    list_networks, list_user_devices, modify_device, modify_network, network_details,
-    network_stats, remove_gateway, user_stats,
-};
-#[cfg(feature = "worker")]
-use self::handlers::worker::{
-    create_job, create_worker_token, job_status, list_workers, remove_worker,
-};
-#[cfg(feature = "openid")]
-use self::handlers::{
-    openid_clients::{
-        add_openid_client, change_openid_client, change_openid_client_state, delete_openid_client,
-        get_openid_client, list_openid_clients,
-    },
-    openid_flow::{
-        authorization, discovery_keys, openid_configuration, secure_authorization, token, userinfo,
-    },
-};
 #[cfg(any(feature = "openid", feature = "worker"))]
 use self::{
     auth::failed_login::FailedLoginMap,
@@ -160,14 +157,12 @@ pub(crate) fn server_config() -> &'static DefGuardConfig {
 pub(crate) const KEY_LENGTH: usize = 32;
 
 mod openapi {
-    use super::*;
     use db::{
         models::device::{ModifyDevice, UserDevice},
         AddDevice, UserDetails, UserInfo,
     };
     use error::WebError;
-    use utoipa::OpenApi;
-
+    use handlers::wireguard as device;
     use handlers::{
         group::{self, BulkAssignToGroupsRequest, Groups},
         user::{self, WalletInfoShort},
@@ -175,8 +170,9 @@ mod openapi {
         ApiResponse, EditGroupInfo, GroupInfo, PasswordChange, PasswordChangeSelf,
         StartEnrollmentRequest, Username, WalletChange, WalletSignature,
     };
+    use utoipa::OpenApi;
 
-    use handlers::wireguard as device;
+    use super::*;
 
     #[derive(OpenApi)]
     #[openapi(
diff --git a/src/templates.rs b/src/templates.rs
index 1702cb61c0..f0578b2498 100644
--- a/src/templates.rs
+++ b/src/templates.rs
@@ -306,10 +306,10 @@ pub fn email_password_reset_success_mail(
 
 #[cfg(test)]
 mod test {
-    use crate::{config::DefGuardConfig, SERVER_CONFIG};
     use claims::assert_ok;
 
     use super::*;
+    use crate::{config::DefGuardConfig, SERVER_CONFIG};
 
     fn get_welcome_context() -> Context {
         let mut context = Context::new();
diff --git a/src/wireguard_peer_disconnect.rs b/src/wireguard_peer_disconnect.rs
index 70b4926fb0..eab1aa2be1 100644
--- a/src/wireguard_peer_disconnect.rs
+++ b/src/wireguard_peer_disconnect.rs
@@ -4,6 +4,12 @@
 //! it should be removed from gateway configuration and marked as "not allowed",
 //! which enforces an authentication requirement to connect again.
 
+use std::time::Duration;
+
+use sqlx::{query_as, Error as SqlxError};
+use thiserror::Error;
+use tokio::{sync::broadcast::Sender, time::sleep};
+
 use crate::db::{
     models::{
         device::{DeviceInfo, DeviceNetworkInfo, WireguardNetworkDevice},
@@ -12,10 +18,6 @@ use crate::db::{
     },
     DbPool, Device, GatewayEvent, WireguardNetwork,
 };
-use sqlx::{query_as, Error as SqlxError};
-use std::time::Duration;
-use thiserror::Error;
-use tokio::{sync::broadcast::Sender, time::sleep};
 
 // How long to sleep between loop iterations
 const DISCONNECT_LOOP_SLEEP_SECONDS: u64 = 60; // 1 minute
diff --git a/src/wireguard_stats_purge.rs b/src/wireguard_stats_purge.rs
index 2280a075fb..b1949ee90e 100644
--- a/src/wireguard_stats_purge.rs
+++ b/src/wireguard_stats_purge.rs
@@ -1,10 +1,12 @@
-use crate::db::{DbPool, WireguardPeerStats};
+use std::time::Duration;
+
 use chrono::{DateTime, Duration as ChronoDuration, NaiveDateTime, Utc};
 use humantime::format_duration;
 use sqlx::{query, query_scalar, Error as SqlxError, PgExecutor};
-use std::time::Duration;
 use tokio::time::sleep;
 
+use crate::db::{DbPool, WireguardPeerStats};
+
 // How long to sleep between loop iterations
 const PURGE_LOOP_SLEEP_SECONDS: u64 = 300; // 5 minutes
 

From 22477ede078574624ba1c9294fa28444a8656160 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 13 Aug 2024 11:29:09 +0200
Subject: [PATCH 55/73] remove redundant arguments

---
 src/enterprise/license.rs | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index cbc2a2199d..67c372d753 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -287,8 +287,7 @@ async fn renew_license(db_pool: &DbPool) -> Result<String, LicenseError> {
             status => {
                 let status_message = response.text().await.unwrap_or_default();
                 let message = format!(
-                    "Failed to renew the license, the license server returned a status code {status} with error: {status_message}",
-                    status, status_message
+                    "Failed to renew the license, the license server returned a status code {status} with error: {status_message}"
                 );
                 return Err(LicenseError::LicenseServerError(message));
             }
@@ -389,10 +388,7 @@ pub async fn run_periodic_license_check(
             let license = license_mutex
                 .lock()
                 .expect("Failed to acquire lock on the license mutex.");
-            debug!(
-                "Checking if the license {license:?} requires a renewal...",
-                license
-            );
+            debug!("Checking if the license {license:?} requires a renewal...");
 
             match &*license {
                 Some(license) => {

From c6ac3a0a147b3bbe1bd1b07ff4fcb01c254cc661 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 13 Aug 2024 12:26:39 +0200
Subject: [PATCH 56/73] fix redundant argument

---
 src/bin/defguard.rs | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/src/bin/defguard.rs b/src/bin/defguard.rs
index b154ba101f..5026855286 100644
--- a/src/bin/defguard.rs
+++ b/src/bin/defguard.rs
@@ -109,10 +109,7 @@ async fn main() -> Result<(), anyhow::Error> {
             Arc::new(Mutex::new(license))
         }
         Err(err) => {
-            warn!(
-                "There was an error while loading the license, error: {err}",
-                err
-            );
+            warn!("There was an error while loading the license, error: {err}");
             Arc::new(Mutex::new(None))
         }
     };

From 764d92fdb813ad91ba975e9bf0f228ffaf5395cc Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Tue, 13 Aug 2024 19:36:53 +0200
Subject: [PATCH 57/73] missing enterprise version view

---
 src/enterprise/license.rs                     |  1 +
 web/src/i18n/en/index.ts                      |  5 ++++
 web/src/i18n/i18n-types.ts                    | 28 +++++++++++++++++++
 web/src/i18n/pl/index.ts                      |  5 ++++
 web/src/pages/settings/SettingsPage.tsx       | 13 ++-------
 .../OpenIdSettings/OpenIdSettings.tsx         | 22 +++++++++++++++
 .../components/OpenIdGeneralSettings.tsx      |  4 ++-
 .../components/OpenIdSettingsForm.tsx         | 10 ++++++-
 .../components/OpenIdSettings/style.scss      | 23 +++++++++++++++
 9 files changed, 98 insertions(+), 13 deletions(-)

diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index 67c372d753..76a6a7a671 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -268,6 +268,7 @@ async fn renew_license(db_pool: &DbPool) -> Result<String, LicenseError> {
         key: old_license_key,
     };
 
+    // FIXME: this should be a hardcoded IP, make sure to add appropriate host headers
     let license_server_url = &server_config().license_server_url;
 
     let new_license_key = match client
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index d7334fe0e4..6462d59c92 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -895,6 +895,11 @@ const en: BaseTranslation = {
       editSuccess: 'Settings updated',
       challengeSuccess: 'Challenge message changed',
     },
+    enterpriseOnly: {
+      title: "This feature is available only in Defguard Enterprise.",
+      subtitle: "To learn more, visit our ",
+      website: "website",
+    },
     ldapSettings: {
       title: 'LDAP Settings',
       form: {
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index 851afa7dba..91c6cb1925 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -2201,6 +2201,20 @@ type RootTranslation = {
 			 */
 			challengeSuccess: string
 		}
+		enterpriseOnly: {
+			/**
+			 * T​h​i​s​ ​f​e​a​t​u​r​e​ ​i​s​ ​a​v​a​i​l​a​b​l​e​ ​o​n​l​y​ ​i​n​ ​D​e​f​g​u​a​r​d​ ​E​n​t​e​r​p​r​i​s​e​.
+			 */
+			title: string
+			/**
+			 * T​o​ ​l​e​a​r​n​ ​m​o​r​e​,​ ​v​i​s​i​t​ ​o​u​r​ 
+			 */
+			subtitle: string
+			/**
+			 * w​e​b​s​i​t​e
+			 */
+			website: string
+		}
 		ldapSettings: {
 			/**
 			 * L​D​A​P​ ​S​e​t​t​i​n​g​s
@@ -6213,6 +6227,20 @@ export type TranslationFunctions = {
 			 */
 			challengeSuccess: () => LocalizedString
 		}
+		enterpriseOnly: {
+			/**
+			 * This feature is available only in Defguard Enterprise.
+			 */
+			title: () => LocalizedString
+			/**
+			 * To learn more, visit our 
+			 */
+			subtitle: () => LocalizedString
+			/**
+			 * website
+			 */
+			website: () => LocalizedString
+		}
 		ldapSettings: {
 			/**
 			 * LDAP Settings
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 9b097782f1..b86c820b89 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -881,6 +881,11 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
       editSuccess: 'Ustawienia zaktualizowane.',
       challengeSuccess: 'Zmieniono wiadomość do podpisu.',
     },
+    enterpriseOnly: {
+      title: "Ta funkcja jest dostępna tylko w wersji Defguard Enterprise",
+      subtitle: "Aby uzyskać więcej informacji, odwiedź naszą ",
+      website: "stronę internetową",
+    },
     ldapSettings: {
       title: 'Ustawienia LDAP',
       form: {
diff --git a/web/src/pages/settings/SettingsPage.tsx b/web/src/pages/settings/SettingsPage.tsx
index e9ee5a6b73..2459a71497 100644
--- a/web/src/pages/settings/SettingsPage.tsx
+++ b/web/src/pages/settings/SettingsPage.tsx
@@ -41,8 +41,6 @@ export const SettingsPage = () => {
 
   const settings = useSettingsPage((state) => state.settings);
 
-  const enterpriseEnabled = useAppStore((state) => state.enterprise_enabled);
-
   const { data: settingsData, isLoading } = useQuery({
     queryFn: getSettings,
     queryKey: [QueryKeys.FETCH_SETTINGS],
@@ -51,7 +49,7 @@ export const SettingsPage = () => {
   });
 
   const tabs = useMemo((): CardTabsData[] => {
-    let tabs = [
+    return [
       {
         key: 0,
         content: LL.settingsPage.tabs.global(),
@@ -77,14 +75,7 @@ export const SettingsPage = () => {
         onClick: () => setActiveCard(3),
       },
     ];
-
-    // Fitler out enterprise tabs if not enterprise
-    if (!enterpriseEnabled) {
-      tabs = tabs.filter((tab) => tab.key !== 3);
-    }
-
-    return tabs;
-  }, [LL.settingsPage.tabs, activeCard, enterpriseEnabled]);
+  }, [LL.settingsPage.tabs, activeCard]);
 
   // set store
   useEffect(() => {
diff --git a/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx b/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
index b4a1b4d0d1..a3fb77df9a 100644
--- a/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
@@ -2,10 +2,32 @@ import './style.scss';
 
 import { OpenIdGeneralSettings } from './components/OpenIdGeneralSettings';
 import { OpenIdSettingsForm } from './components/OpenIdSettingsForm';
+import { useAppStore } from '../../../../shared/hooks/store/useAppStore';
+import { useI18nContext } from '../../../../i18n/i18n-react';
 
 export const OpenIdSettings = () => {
+  const enterpriseEnabled = useAppStore((state) => state.enterprise_enabled);
+  const { LL } = useI18nContext();
+  const localLL = LL.settingsPage.enterpriseOnly;
+
   return (
     <>
+      {
+        !enterpriseEnabled &&
+        <div className='enterprise-info-backdrop'>
+          <div className='enterprise-info'>
+            <div>
+              <h2>
+                {localLL.title()}
+              </h2>
+              <p>
+                {localLL.subtitle()} <a href='https://defguard.net/pricing/'
+                  target='_blank' rel='noreferrer'
+                >{localLL.website()}</a>.
+              </p>
+            </div>
+          </div></div>
+      }
       <div className="left">
         <OpenIdSettingsForm />
       </div>
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
index f3d0a600c9..0580ea4fc3 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
@@ -11,6 +11,7 @@ import { useToaster } from '../../../../../shared/hooks/useToaster';
 import { MutationKeys } from '../../../../../shared/mutations';
 import { QueryKeys } from '../../../../../shared/queries';
 import { useSettingsPage } from '../../../hooks/useSettingsPage';
+import { useAppStore } from '../../../../../shared/hooks/store/useAppStore';
 
 export const OpenIdGeneralSettings = () => {
   const { LL } = useI18nContext();
@@ -21,6 +22,7 @@ export const OpenIdGeneralSettings = () => {
   } = useApi();
 
   const settings = useSettingsPage((state) => state.settings);
+  const enterpriseEnabled = useAppStore((state) => state.enterprise_enabled);
 
   const queryClient = useQueryClient();
 
@@ -47,7 +49,7 @@ export const OpenIdGeneralSettings = () => {
         <div>
           <div className="checkbox-row">
             <LabeledCheckbox
-              disabled={isLoading}
+              disabled={isLoading || !enterpriseEnabled}
               label={localLL.general.createAccount.label()}
               value={settings.openid_create_account}
               onChange={() =>
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
index f47663856c..71d3065434 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -26,6 +26,7 @@ import useApi from '../../../../../shared/hooks/useApi';
 import { useToaster } from '../../../../../shared/hooks/useToaster';
 import { QueryKeys } from '../../../../../shared/queries';
 import { OpenIdProvider } from '../../../../../shared/types';
+import { useAppStore } from '../../../../../shared/hooks/store/useAppStore';
 
 type FormFields = OpenIdProvider;
 
@@ -36,6 +37,7 @@ export const OpenIdSettingsForm = () => {
   const queryClient = useQueryClient();
   const docsLink =
     'https://defguard.gitbook.io/defguard/admin-and-features/external-openid-providers';
+  const enterpriseEnabled = useAppStore((state) => state.enterprise_enabled);
 
   const {
     settings: { fetchOpenIdProviders, addOpenIdProvider, deleteOpenIdProvider },
@@ -50,6 +52,7 @@ export const OpenIdSettingsForm = () => {
       setCurrentProvider(provider);
     },
     retry: false,
+    enabled: enterpriseEnabled,
   });
 
   const toaster = useToaster();
@@ -198,6 +201,7 @@ export const OpenIdSettingsForm = () => {
             loading={isLoading}
             form="openid-settings-form"
             icon={<IconCheckmarkWhite />}
+            disabled={!enterpriseEnabled}
           />
           <Button
             text={localLL.form.delete()}
@@ -207,6 +211,7 @@ export const OpenIdSettingsForm = () => {
             onClick={() => {
               handleDeleteProvider();
             }}
+            disabled={!enterpriseEnabled}
           />
         </div>
       </header>
@@ -219,17 +224,19 @@ export const OpenIdSettingsForm = () => {
           onChangeSingle={(res) => handleChange(res)}
           label={localLL.form.labels.provider.label()}
           labelExtras={<Helper>{parse(localLL.form.labels.provider.helper())}</Helper>}
+          disabled={!enterpriseEnabled}
         />
         <FormInput
           controller={{ control, name: 'base_url' }}
           label={localLL.form.labels.base_url.label()}
           labelExtras={<Helper>{parse(localLL.form.labels.base_url.helper())}</Helper>}
-          disabled={currentProvider?.name === 'Google'}
+          disabled={currentProvider?.name === 'Google' || !enterpriseEnabled}
         />
         <FormInput
           controller={{ control, name: 'client_id' }}
           label={localLL.form.labels.client_id.label()}
           labelExtras={<Helper>{parse(localLL.form.labels.client_id.helper())}</Helper>}
+          disabled={!enterpriseEnabled}
         />
         <FormInput
           controller={{ control, name: 'client_secret' }}
@@ -238,6 +245,7 @@ export const OpenIdSettingsForm = () => {
             <Helper>{parse(localLL.form.labels.client_secret.helper())}</Helper>
           }
           type="password"
+          disabled={!enterpriseEnabled}
         />
       </form>
       <a href={docsLink} target="_blank" rel="noreferrer">
diff --git a/web/src/pages/settings/components/OpenIdSettings/style.scss b/web/src/pages/settings/components/OpenIdSettings/style.scss
index e69de29bb2..da1ee2c134 100644
--- a/web/src/pages/settings/components/OpenIdSettings/style.scss
+++ b/web/src/pages/settings/components/OpenIdSettings/style.scss
@@ -0,0 +1,23 @@
+.settings-card {
+    position: relative;
+}
+
+.enterprise-info {
+    position: absolute;
+    inset: 0;
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    backdrop-filter: blur(1.5px);
+    z-index: 100;
+    border-radius: 15px;
+    border-top-left-radius: 0px;
+    background-color: rgba(#f9f9f9, 0.75);
+}
+
+.enterprise-info>div {
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    gap: 0.5rem;
+}
\ No newline at end of file

From 9fca81553ed7cafa05223c9ba89772b34a917957 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 09:16:50 +0200
Subject: [PATCH 58/73] global state rework

---
 src/appstate.rs                |  4 ----
 src/bin/defguard.rs            | 12 +++++-----
 src/enterprise/handlers/mod.rs | 20 ++++++----------
 src/enterprise/license.rs      | 42 +++++++++++++++++-----------------
 src/handlers/app_info.rs       |  6 ++---
 src/handlers/settings.rs       |  4 ++--
 src/lib.rs                     | 17 ++++----------
 7 files changed, 42 insertions(+), 63 deletions(-)

diff --git a/src/appstate.rs b/src/appstate.rs
index 926bd251b3..6a772c47ce 100644
--- a/src/appstate.rs
+++ b/src/appstate.rs
@@ -18,7 +18,6 @@ use webauthn_rs::prelude::*;
 use crate::{
     auth::failed_login::FailedLoginMap,
     db::{AppEvent, DbPool, GatewayEvent, WebHook},
-    enterprise::license::License,
     mail::Mail,
     server_config,
 };
@@ -33,7 +32,6 @@ pub struct AppState {
     pub user_agent_parser: Arc<UserAgentParser>,
     pub failed_logins: Arc<Mutex<FailedLoginMap>>,
     key: Key,
-    pub license: Arc<Mutex<Option<License>>>,
 }
 
 impl AppState {
@@ -106,7 +104,6 @@ impl AppState {
         mail_tx: UnboundedSender<Mail>,
         user_agent_parser: Arc<UserAgentParser>,
         failed_logins: Arc<Mutex<FailedLoginMap>>,
-        license: Arc<Mutex<Option<License>>>,
     ) -> Self {
         spawn(Self::handle_triggers(pool.clone(), rx));
 
@@ -136,7 +133,6 @@ impl AppState {
             user_agent_parser,
             failed_logins,
             key,
-            license,
         }
     }
 }
diff --git a/src/bin/defguard.rs b/src/bin/defguard.rs
index 5026855286..ed0dde8761 100644
--- a/src/bin/defguard.rs
+++ b/src/bin/defguard.rs
@@ -7,7 +7,7 @@ use defguard::{
     auth::failed_login::FailedLoginMap,
     config::{Command, DefGuardConfig},
     db::{init_db, AppEvent, GatewayEvent, Settings, User},
-    enterprise::license::{run_periodic_license_check, License},
+    enterprise::license::{run_periodic_license_check, set_cached_license, License},
     grpc::{run_grpc_bidi_stream, run_grpc_server, GatewayMap, WorkerState},
     headers::create_user_agent_parser,
     init_dev_env, init_vpn_location,
@@ -103,14 +103,14 @@ async fn main() -> Result<(), anyhow::Error> {
 
     let mut enterprise_enabled = false;
 
-    let license = match License::load_or_renew(&pool).await {
+    match License::load_or_renew(&pool).await {
         Ok(license) => {
             enterprise_enabled = true;
-            Arc::new(Mutex::new(license))
+            set_cached_license(license);
         }
         Err(err) => {
             warn!("There was an error while loading the license, error: {err}");
-            Arc::new(Mutex::new(None))
+            set_cached_license(None);
         }
     };
 
@@ -118,11 +118,11 @@ async fn main() -> Result<(), anyhow::Error> {
     tokio::select! {
         res = run_grpc_bidi_stream(pool.clone(), wireguard_tx.clone(), mail_tx.clone(), user_agent_parser.clone()), if config.proxy_url.is_some() => error!("Proxy gRPC stream returned early: {res:#?}"),
         res = run_grpc_server(Arc::clone(&worker_state), pool.clone(), Arc::clone(&gateway_state), wireguard_tx.clone(), mail_tx.clone(), grpc_cert, grpc_key, failed_logins.clone()) => error!("gRPC server returned early: {res:#?}"),
-        res = run_web_server(worker_state, gateway_state, webhook_tx, webhook_rx, wireguard_tx.clone(), mail_tx, pool.clone(), user_agent_parser, failed_logins, license.clone(), enterprise_enabled) => error!("Web server returned early: {res:#?}"),
+        res = run_web_server(worker_state, gateway_state, webhook_tx, webhook_rx, wireguard_tx.clone(), mail_tx, pool.clone(), user_agent_parser, failed_logins, enterprise_enabled) => error!("Web server returned early: {res:#?}"),
         res = run_mail_handler(mail_rx, pool.clone()) => error!("Mail handler returned early: {res:#?}"),
         res = run_periodic_peer_disconnect(pool.clone(), wireguard_tx) => error!("Periodic peer disconnect task returned early: {res:#?}"),
         res = run_periodic_stats_purge(pool.clone(), config.stats_purge_frequency.into(), config.stats_purge_threshold.into()), if !config.disable_stats_purge => error!("Periodic stats purge task returned early: {res:#?}"),
-        res = run_periodic_license_check(pool, license) => error!("Periodic license check task returned early: {res:#?}"),
+        res = run_periodic_license_check(pool) => error!("Periodic license check task returned early: {res:#?}"),
     }
     Ok(())
 }
diff --git a/src/enterprise/handlers/mod.rs b/src/enterprise/handlers/mod.rs
index 2fecdab1ba..da63435565 100644
--- a/src/enterprise/handlers/mod.rs
+++ b/src/enterprise/handlers/mod.rs
@@ -8,12 +8,14 @@ pub mod openid_providers;
 
 use axum::{
     async_trait,
-    extract::{FromRef, FromRequestParts, State},
+    extract::{FromRef, FromRequestParts},
     http::{request::Parts, StatusCode},
 };
 
 use crate::{appstate::AppState, error::WebError};
 
+use super::license::get_cached_license;
+
 pub struct LicenseInfo {
     pub valid: bool,
 }
@@ -26,13 +28,8 @@ where
 {
     type Rejection = WebError;
 
-    async fn from_request_parts(_parts: &mut Parts, state: &S) -> Result<Self, Self::Rejection> {
-        let appstate = AppState::from_ref(state);
-
-        let license = appstate
-            .license
-            .lock()
-            .expect("Failed to acquire lock on the license.");
+    async fn from_request_parts(_parts: &mut Parts, _state: &S) -> Result<Self, Self::Rejection> {
+        let license = get_cached_license();
 
         match validate_license((*license).as_ref()) {
             // Useless struct, but may come in handy later
@@ -42,11 +39,8 @@ where
     }
 }
 
-pub async fn check_enterprise_status(State(appstate): State<AppState>) -> ApiResult {
-    let license = appstate
-        .license
-        .lock()
-        .expect("Failed to acquire lock on the license.");
+pub async fn check_enterprise_status() -> ApiResult {
+    let license = get_cached_license();
 
     let valid = validate_license((*license).as_ref()).is_ok();
 
diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index 76a6a7a671..f4c6851a03 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -1,4 +1,4 @@
-use std::sync::{Arc, Mutex};
+use std::sync::{Mutex, MutexGuard};
 
 use anyhow::Result;
 use base64::prelude::*;
@@ -14,6 +14,20 @@ use crate::{
     server_config,
 };
 
+pub static LICENSE: Mutex<Option<License>> = Mutex::new(None);
+
+pub fn set_cached_license(license: Option<License>) {
+    *LICENSE
+        .lock()
+        .expect("Failed to acquire lock on the license mutex.") = license;
+}
+
+pub fn get_cached_license() -> MutexGuard<'static, Option<License>> {
+    LICENSE
+        .lock()
+        .expect("Failed to acquire lock on the license mutex.")
+}
+
 tonic::include_proto!("license");
 
 #[allow(dead_code)]
@@ -334,10 +348,7 @@ async fn save_license_key(pool: &DbPool, key: &str) -> Result<(), LicenseError>
 }
 
 /// Helper function to update the cached license mutex. The mutex is used mainly in the appstate.
-pub fn update_cached_license(
-    key: Option<&str>,
-    license_mutex: Arc<Mutex<Option<License>>>,
-) -> Result<(), LicenseError> {
+pub fn update_cached_license(key: Option<&str>) -> Result<(), LicenseError> {
     debug!("Updating the cached license information with the provided key...");
     let license = if let Some(key) = key {
         // Handle the Some("") case
@@ -351,9 +362,7 @@ pub fn update_cached_license(
     } else {
         None
     };
-    *license_mutex
-        .lock()
-        .expect("Failed to acquire lock on the license mutex.") = license;
+    set_cached_license(license);
     info!("Successfully updated the cached license information.");
     Ok(())
 }
@@ -364,20 +373,13 @@ const RENEWAL_TIME: TimeDelta = TimeDelta::hours(24);
 /// Maximum amount of time a license can be over its expiry date.
 const MAX_OVERDUE_TIME: TimeDelta = TimeDelta::hours(24);
 
-pub async fn run_periodic_license_check(
-    pool: DbPool,
-    license_mutex: Arc<Mutex<Option<License>>>,
-) -> Result<(), LicenseError> {
+pub async fn run_periodic_license_check(pool: DbPool) -> Result<(), LicenseError> {
     let mut check_period = server_config().license_check_period;
     info!("Starting periodic license check every {check_period:?}");
     loop {
         debug!("Checking the license status...");
         // Check if the license is present in the mutex, if not skip the check
-        if license_mutex
-            .lock()
-            .expect("Failed to acquire lock on the license mutex.")
-            .is_none()
-        {
+        if get_cached_license().is_none() {
             debug!("No license found, skipping license check");
             sleep(*server_config().license_check_period_no_license).await;
             continue;
@@ -386,9 +388,7 @@ pub async fn run_periodic_license_check(
         // Check if the license requires renewal, uses the cached value to be more efficient
         // The block here is to avoid holding the lock through awaits
         let requires_renewal = {
-            let license = license_mutex
-                .lock()
-                .expect("Failed to acquire lock on the license mutex.");
+            let license = get_cached_license();
             debug!("Checking if the license {license:?} requires a renewal...");
 
             match &*license {
@@ -429,7 +429,7 @@ pub async fn run_periodic_license_check(
             match renew_license(&pool).await {
                 Ok(new_license_key) => match save_license_key(&pool, &new_license_key).await {
                     Ok(_) => {
-                        update_cached_license(Some(&new_license_key), license_mutex.clone())?;
+                        update_cached_license(Some(&new_license_key))?;
                         check_period = server_config().license_check_period;
                         debug!("Changing check period to {check_period} seconds");
                         info!("Successfully renewed the license, new license key saved to the database");
diff --git a/src/handlers/app_info.rs b/src/handlers/app_info.rs
index 04ce038019..d8aa1bec85 100644
--- a/src/handlers/app_info.rs
+++ b/src/handlers/app_info.rs
@@ -3,6 +3,7 @@ use serde_json::json;
 
 use super::{ApiResponse, ApiResult, VERSION};
 use crate::db::Settings;
+use crate::enterprise::license::get_cached_license;
 use crate::{
     appstate::AppState, auth::SessionInfo, db::WireguardNetwork,
     enterprise::license::validate_license,
@@ -24,10 +25,7 @@ pub(crate) async fn get_app_info(
 ) -> ApiResult {
     let networks = WireguardNetwork::all(&appstate.pool).await?;
     let settings = Settings::get_settings(&appstate.pool).await?;
-    let license = appstate
-        .license
-        .lock()
-        .expect("Failed to acquire lock on the license.");
+    let license = get_cached_license();
     info!("license: {license:?}");
     let enterprise = validate_license((*license).as_ref()).is_ok();
     info!("enterprise: {}", enterprise);
diff --git a/src/handlers/settings.rs b/src/handlers/settings.rs
index 7652b52df2..16c167d686 100644
--- a/src/handlers/settings.rs
+++ b/src/handlers/settings.rs
@@ -49,7 +49,7 @@ pub async fn update_settings(
     Json(mut data): Json<Settings>,
 ) -> ApiResult {
     debug!("User {} updating settings", session.user.username);
-    update_cached_license(data.license.as_deref(), appstate.license)?;
+    update_cached_license(data.license.as_deref())?;
     data.id = Some(1);
     data.save(&appstate.pool).await?;
     info!("User {} updated settings", session.user.username);
@@ -113,7 +113,7 @@ pub async fn patch_settings(
 
     // Handle updating the cached license
     if let Some(license_key) = &data.license {
-        update_cached_license(license_key.as_deref(), appstate.license)?;
+        update_cached_license(license_key.as_deref())?;
         debug!("Saving the new license key to the database as part of the settings patch");
     };
 
diff --git a/src/lib.rs b/src/lib.rs
index 649874a514..d74fdefbee 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -11,15 +11,10 @@ use axum::{
     routing::{delete, get, patch, post, put},
     serve, Extension, Json, Router,
 };
-use enterprise::{
-    handlers::{
-        check_enterprise_status,
-        openid_login::{auth_callback, get_auth_info},
-        openid_providers::{
-            add_openid_provider, delete_openid_provider, get_current_openid_provider,
-        },
-    },
-    license::License,
+use enterprise::handlers::{
+    check_enterprise_status,
+    openid_login::{auth_callback, get_auth_info},
+    openid_providers::{add_openid_provider, delete_openid_provider, get_current_openid_provider},
 };
 use handlers::ssh_authorized_keys::{
     add_authentication_key, delete_authentication_key, fetch_authentication_keys,
@@ -288,7 +283,6 @@ pub fn build_webapp(
     pool: DbPool,
     user_agent_parser: Arc<UserAgentParser>,
     failed_logins: Arc<Mutex<FailedLoginMap>>,
-    license: Arc<Mutex<Option<License>>>,
     enterprise_enabled: bool,
 ) -> Router {
     let webapp: Router<AppState> = Router::new()
@@ -506,7 +500,6 @@ pub fn build_webapp(
             mail_tx,
             user_agent_parser,
             failed_logins,
-            license,
         ))
         .layer(
             TraceLayer::new_for_http()
@@ -533,7 +526,6 @@ pub async fn run_web_server(
     pool: DbPool,
     user_agent_parser: Arc<UserAgentParser>,
     failed_logins: Arc<Mutex<FailedLoginMap>>,
-    license: Arc<Mutex<Option<License>>>,
     enterprise_enabled: bool,
 ) -> Result<(), anyhow::Error> {
     let webapp = build_webapp(
@@ -546,7 +538,6 @@ pub async fn run_web_server(
         pool,
         user_agent_parser,
         failed_logins,
-        license,
         enterprise_enabled,
     );
     info!("Started web services");

From 1cb5e20d9ca3c87eb34246873609bdfea82872a6 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 09:17:16 +0200
Subject: [PATCH 59/73] cargo fmt

---
 src/enterprise/handlers/mod.rs | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/src/enterprise/handlers/mod.rs b/src/enterprise/handlers/mod.rs
index da63435565..d926bf0bbf 100644
--- a/src/enterprise/handlers/mod.rs
+++ b/src/enterprise/handlers/mod.rs
@@ -12,9 +12,8 @@ use axum::{
     http::{request::Parts, StatusCode},
 };
 
-use crate::{appstate::AppState, error::WebError};
-
 use super::license::get_cached_license;
+use crate::{appstate::AppState, error::WebError};
 
 pub struct LicenseInfo {
     pub valid: bool,

From c95d9a16961c5b9a0090d9cda608d0aabf71d5e5 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 09:23:29 +0200
Subject: [PATCH 60/73] cleanup

---
 src/enterprise/license.rs                     |  2 +-
 web/src/i18n/en/index.ts                      |  6 ++--
 web/src/i18n/pl/index.ts                      |  6 ++--
 .../OpenIdSettings/OpenIdSettings.tsx         | 28 +++++++++----------
 .../components/OpenIdGeneralSettings.tsx      |  2 +-
 .../components/OpenIdSettingsForm.tsx         |  2 +-
 6 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index f4c6851a03..d994c7e979 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -14,7 +14,7 @@ use crate::{
     server_config,
 };
 
-pub static LICENSE: Mutex<Option<License>> = Mutex::new(None);
+static LICENSE: Mutex<Option<License>> = Mutex::new(None);
 
 pub fn set_cached_license(license: Option<License>) {
     *LICENSE
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index 71829a2e01..264536d6d5 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -897,9 +897,9 @@ const en: BaseTranslation = {
       challengeSuccess: 'Challenge message changed',
     },
     enterpriseOnly: {
-      title: "This feature is available only in Defguard Enterprise.",
-      subtitle: "To learn more, visit our ",
-      website: "website",
+      title: 'This feature is available only in Defguard Enterprise.',
+      subtitle: 'To learn more, visit our ',
+      website: 'website',
     },
     ldapSettings: {
       title: 'LDAP Settings',
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index ddc28e3bda..2cc1c3b43a 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -884,9 +884,9 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
       challengeSuccess: 'Zmieniono wiadomość do podpisu.',
     },
     enterpriseOnly: {
-      title: "Ta funkcja jest dostępna tylko w wersji Defguard Enterprise",
-      subtitle: "Aby uzyskać więcej informacji, odwiedź naszą ",
-      website: "stronę internetową",
+      title: 'Ta funkcja jest dostępna tylko w wersji Defguard Enterprise',
+      subtitle: 'Aby uzyskać więcej informacji, odwiedź naszą ',
+      website: 'stronę internetową',
     },
     ldapSettings: {
       title: 'Ustawienia LDAP',
diff --git a/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx b/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
index a3fb77df9a..014327dfc1 100644
--- a/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/OpenIdSettings.tsx
@@ -1,9 +1,9 @@
 import './style.scss';
 
+import { useI18nContext } from '../../../../i18n/i18n-react';
+import { useAppStore } from '../../../../shared/hooks/store/useAppStore';
 import { OpenIdGeneralSettings } from './components/OpenIdGeneralSettings';
 import { OpenIdSettingsForm } from './components/OpenIdSettingsForm';
-import { useAppStore } from '../../../../shared/hooks/store/useAppStore';
-import { useI18nContext } from '../../../../i18n/i18n-react';
 
 export const OpenIdSettings = () => {
   const enterpriseEnabled = useAppStore((state) => state.enterprise_enabled);
@@ -12,22 +12,22 @@ export const OpenIdSettings = () => {
 
   return (
     <>
-      {
-        !enterpriseEnabled &&
-        <div className='enterprise-info-backdrop'>
-          <div className='enterprise-info'>
+      {!enterpriseEnabled && (
+        <div className="enterprise-info-backdrop">
+          <div className="enterprise-info">
             <div>
-              <h2>
-                {localLL.title()}
-              </h2>
+              <h2>{localLL.title()}</h2>
               <p>
-                {localLL.subtitle()} <a href='https://defguard.net/pricing/'
-                  target='_blank' rel='noreferrer'
-                >{localLL.website()}</a>.
+                {localLL.subtitle()}{' '}
+                <a href="https://defguard.net/pricing/" target="_blank" rel="noreferrer">
+                  {localLL.website()}
+                </a>
+                .
               </p>
             </div>
-          </div></div>
-      }
+          </div>
+        </div>
+      )}
       <div className="left">
         <OpenIdSettingsForm />
       </div>
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
index 0580ea4fc3..94a9b5fe14 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdGeneralSettings.tsx
@@ -6,12 +6,12 @@ import parse from 'html-react-parser';
 import { useI18nContext } from '../../../../../i18n/i18n-react';
 import { Helper } from '../../../../../shared/defguard-ui/components/Layout/Helper/Helper';
 import { LabeledCheckbox } from '../../../../../shared/defguard-ui/components/Layout/LabeledCheckbox/LabeledCheckbox';
+import { useAppStore } from '../../../../../shared/hooks/store/useAppStore';
 import useApi from '../../../../../shared/hooks/useApi';
 import { useToaster } from '../../../../../shared/hooks/useToaster';
 import { MutationKeys } from '../../../../../shared/mutations';
 import { QueryKeys } from '../../../../../shared/queries';
 import { useSettingsPage } from '../../../hooks/useSettingsPage';
-import { useAppStore } from '../../../../../shared/hooks/store/useAppStore';
 
 export const OpenIdGeneralSettings = () => {
   const { LL } = useI18nContext();
diff --git a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
index 71d3065434..9567860217 100644
--- a/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
+++ b/web/src/pages/settings/components/OpenIdSettings/components/OpenIdSettingsForm.tsx
@@ -22,11 +22,11 @@ import {
   SelectSelectedValue,
   SelectSizeVariant,
 } from '../../../../../shared/defguard-ui/components/Layout/Select/types';
+import { useAppStore } from '../../../../../shared/hooks/store/useAppStore';
 import useApi from '../../../../../shared/hooks/useApi';
 import { useToaster } from '../../../../../shared/hooks/useToaster';
 import { QueryKeys } from '../../../../../shared/queries';
 import { OpenIdProvider } from '../../../../../shared/types';
-import { useAppStore } from '../../../../../shared/hooks/store/useAppStore';
 
 type FormFields = OpenIdProvider;
 

From 17f6e79bfa837171e03ce5f7451ddbadf326c70f Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 09:48:34 +0200
Subject: [PATCH 61/73] fix tests

---
 src/bin/defguard.rs       | 3 ++-
 src/enterprise/license.rs | 3 +++
 tests/common/mod.rs       | 1 -
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/bin/defguard.rs b/src/bin/defguard.rs
index ed0dde8761..2517e14327 100644
--- a/src/bin/defguard.rs
+++ b/src/bin/defguard.rs
@@ -103,13 +103,14 @@ async fn main() -> Result<(), anyhow::Error> {
 
     let mut enterprise_enabled = false;
 
+    debug!("Checking for enterprise license");
     match License::load_or_renew(&pool).await {
         Ok(license) => {
             enterprise_enabled = true;
             set_cached_license(license);
         }
         Err(err) => {
-            warn!("There was an error while loading the license, error: {err}");
+            warn!("There was an error while loading the license, error: {err}. The enterprise features will be disabled.");
             set_cached_license(None);
         }
     };
diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index d994c7e979..a95025aa46 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -193,10 +193,12 @@ impl License {
             Some(license) => {
                 if license.requires_renewal() {
                     if !license.is_max_overdue() {
+                        info!("License requires renewal, trying to renew it...");
                         match renew_license(pool).await {
                             Ok(new_key) => {
                                 let new_license = License::from_base64(&new_key)?;
                                 save_license_key(pool, &new_key).await?;
+                                info!("Successfully renewed the license, new license key saved to the database");
                                 Ok(Some(new_license))
                             }
                             Err(err) => {
@@ -208,6 +210,7 @@ impl License {
                         Err(LicenseError::LicenseExpired)
                     }
                 } else {
+                    info!("Successfully loaded the license from the database");
                     Ok(Some(license))
                 }
             }
diff --git a/tests/common/mod.rs b/tests/common/mod.rs
index 311b7620eb..67db8862f3 100644
--- a/tests/common/mod.rs
+++ b/tests/common/mod.rs
@@ -163,7 +163,6 @@ pub async fn make_base_client(pool: DbPool, config: DefGuardConfig) -> (TestClie
         pool,
         user_agent_parser,
         failed_logins,
-        license,
         enterprise_enabled,
     );
     (TestClient::new(webapp).await, client_state)

From cb871403e9708d2a42d126fbd78a20b84dd8be82 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 09:51:23 +0200
Subject: [PATCH 62/73] delete unused import

---
 web/src/pages/settings/SettingsPage.tsx | 1 -
 1 file changed, 1 deletion(-)

diff --git a/web/src/pages/settings/SettingsPage.tsx b/web/src/pages/settings/SettingsPage.tsx
index 2459a71497..c66e05973c 100644
--- a/web/src/pages/settings/SettingsPage.tsx
+++ b/web/src/pages/settings/SettingsPage.tsx
@@ -10,7 +10,6 @@ import { Card } from '../../shared/defguard-ui/components/Layout/Card/Card';
 import { CardTabs } from '../../shared/defguard-ui/components/Layout/CardTabs/CardTabs';
 import { CardTabsData } from '../../shared/defguard-ui/components/Layout/CardTabs/types';
 import { LoaderSpinner } from '../../shared/defguard-ui/components/Layout/LoaderSpinner/LoaderSpinner';
-import { useAppStore } from '../../shared/hooks/store/useAppStore';
 import useApi from '../../shared/hooks/useApi';
 import { QueryKeys } from '../../shared/queries';
 import { GlobalSettings } from './components/GlobalSettings/GlobalSettings';

From 9df2320a2b2fd711a0d180029262f7252f97497d Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 10:51:17 +0200
Subject: [PATCH 63/73] fixes

---
 src/bin/defguard.rs                           |  7 ++---
 src/enterprise/license.rs                     |  4 +--
 src/lib.rs                                    | 27 +++++++------------
 web/src/i18n/en/index.ts                      |  1 +
 web/src/i18n/i18n-types.ts                    |  8 ++++++
 web/src/i18n/pl/index.ts                      |  1 +
 .../LicenseSettings/LicenseSettings.tsx       | 10 +++++--
 7 files changed, 31 insertions(+), 27 deletions(-)

diff --git a/src/bin/defguard.rs b/src/bin/defguard.rs
index 2517e14327..a25f50a836 100644
--- a/src/bin/defguard.rs
+++ b/src/bin/defguard.rs
@@ -101,12 +101,9 @@ async fn main() -> Result<(), anyhow::Error> {
     let failed_logins = FailedLoginMap::new();
     let failed_logins = Arc::new(Mutex::new(failed_logins));
 
-    let mut enterprise_enabled = false;
-
-    debug!("Checking for enterprise license");
+    debug!("Checking enterprise license status");
     match License::load_or_renew(&pool).await {
         Ok(license) => {
-            enterprise_enabled = true;
             set_cached_license(license);
         }
         Err(err) => {
@@ -119,7 +116,7 @@ async fn main() -> Result<(), anyhow::Error> {
     tokio::select! {
         res = run_grpc_bidi_stream(pool.clone(), wireguard_tx.clone(), mail_tx.clone(), user_agent_parser.clone()), if config.proxy_url.is_some() => error!("Proxy gRPC stream returned early: {res:#?}"),
         res = run_grpc_server(Arc::clone(&worker_state), pool.clone(), Arc::clone(&gateway_state), wireguard_tx.clone(), mail_tx.clone(), grpc_cert, grpc_key, failed_logins.clone()) => error!("gRPC server returned early: {res:#?}"),
-        res = run_web_server(worker_state, gateway_state, webhook_tx, webhook_rx, wireguard_tx.clone(), mail_tx, pool.clone(), user_agent_parser, failed_logins, enterprise_enabled) => error!("Web server returned early: {res:#?}"),
+        res = run_web_server(worker_state, gateway_state, webhook_tx, webhook_rx, wireguard_tx.clone(), mail_tx, pool.clone(), user_agent_parser, failed_logins) => error!("Web server returned early: {res:#?}"),
         res = run_mail_handler(mail_rx, pool.clone()) => error!("Mail handler returned early: {res:#?}"),
         res = run_periodic_peer_disconnect(pool.clone(), wireguard_tx) => error!("Periodic peer disconnect task returned early: {res:#?}"),
         res = run_periodic_stats_purge(pool.clone(), config.stats_purge_frequency.into(), config.stats_purge_threshold.into()), if !config.disable_stats_purge => error!("Periodic stats purge task returned early: {res:#?}"),
diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index a95025aa46..f077b1898c 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -198,7 +198,7 @@ impl License {
                             Ok(new_key) => {
                                 let new_license = License::from_base64(&new_key)?;
                                 save_license_key(pool, &new_key).await?;
-                                info!("Successfully renewed the license, new license key saved to the database");
+                                info!("Successfully renewed and loaded the license, new license key saved to the database");
                                 Ok(Some(new_license))
                             }
                             Err(err) => {
@@ -210,7 +210,7 @@ impl License {
                         Err(LicenseError::LicenseExpired)
                     }
                 } else {
-                    info!("Successfully loaded the license from the database");
+                    info!("Successfully loaded the license from the database.");
                     Ok(Some(license))
                 }
             }
diff --git a/src/lib.rs b/src/lib.rs
index d74fdefbee..3dc4549046 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -283,7 +283,6 @@ pub fn build_webapp(
     pool: DbPool,
     user_agent_parser: Arc<UserAgentParser>,
     failed_logins: Arc<Mutex<FailedLoginMap>>,
-    enterprise_enabled: bool,
 ) -> Router {
     let webapp: Router<AppState> = Router::new()
         .route("/", get(index))
@@ -404,21 +403,15 @@ pub fn build_webapp(
     );
 
     // Enterprise features
-    let webapp = if enterprise_enabled {
-        webapp.nest(
-            "/api/v1/openid",
-            Router::new()
-                .route("/provider", get(get_current_openid_provider))
-                .route("/provider", post(add_openid_provider))
-                .route("/provider/:name", delete(delete_openid_provider))
-                .route("/callback", post(auth_callback))
-                .route("/auth_info", get(get_auth_info)),
-        )
-    } else {
-        // return 404
-        webapp.route("/api/v1/openid/*path", get(handle_404))
-    };
-
+    let webapp = webapp.nest(
+        "/api/v1/openid",
+        Router::new()
+            .route("/provider", get(get_current_openid_provider))
+            .route("/provider", post(add_openid_provider))
+            .route("/provider/:name", delete(delete_openid_provider))
+            .route("/callback", post(auth_callback))
+            .route("/auth_info", get(get_auth_info)),
+    );
     let webapp = webapp.route("/api/v1/enterprise_status", get(check_enterprise_status));
 
     #[cfg(feature = "openid")]
@@ -526,7 +519,6 @@ pub async fn run_web_server(
     pool: DbPool,
     user_agent_parser: Arc<UserAgentParser>,
     failed_logins: Arc<Mutex<FailedLoginMap>>,
-    enterprise_enabled: bool,
 ) -> Result<(), anyhow::Error> {
     let webapp = build_webapp(
         webhook_tx,
@@ -538,7 +530,6 @@ pub async fn run_web_server(
         pool,
         user_agent_parser,
         failed_logins,
-        enterprise_enabled,
     );
     info!("Started web services");
     let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::UNSPECIFIED), server_config().http_port);
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index 264536d6d5..5522989380 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -33,6 +33,7 @@ const en: BaseTranslation = {
     success: 'Operation succeeded',
     errorVersion: 'Failed to get application version.',
     insecureContext: 'Context is not secure.',
+    details: 'Details:',
     clipboard: {
       error: 'Clipboard is not accessible.',
       success: 'Content copied to clipboard.',
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index ea8b70ee8d..2d2e83521b 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -117,6 +117,10 @@ type RootTranslation = {
 		 * C​o​n​t​e​x​t​ ​i​s​ ​n​o​t​ ​s​e​c​u​r​e​.
 		 */
 		insecureContext: string
+		/**
+		 * D​e​t​a​i​l​s​:
+		 */
+		details: string
 		clipboard: {
 			/**
 			 * C​l​i​p​b​o​a​r​d​ ​i​s​ ​n​o​t​ ​a​c​c​e​s​s​i​b​l​e​.
@@ -4167,6 +4171,10 @@ export type TranslationFunctions = {
 		 * Context is not secure.
 		 */
 		insecureContext: () => LocalizedString
+		/**
+		 * Details:
+		 */
+		details: () => LocalizedString
 		clipboard: {
 			/**
 			 * Clipboard is not accessible.
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 2cc1c3b43a..0003b20667 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -32,6 +32,7 @@ const pl: Translation = {
     error: 'Wystąpił błąd.',
     success: 'Operacja zakończyła się sukcesem',
     errorVersion: 'Nie udało się uzyskać wersji aplikacji.',
+    details: 'Szczegóły:',
     clipboard: {
       success: 'Skopiowano do schowka',
       error: 'Schowek nie jest dostępny',
diff --git a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
index 0682a0e100..c05f9b14a6 100644
--- a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
+++ b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
@@ -22,11 +22,16 @@ import { useToaster } from '../../../../../../shared/hooks/useToaster';
 import { QueryKeys } from '../../../../../../shared/queries';
 import { Settings } from '../../../../../../shared/types';
 import { useSettingsPage } from '../../../../hooks/useSettingsPage';
+import { AxiosError } from 'axios';
 
 type FormFields = {
   license: string;
 };
 
+type LicenseErrorResponse = {
+  msg: string;
+};
+
 export const LicenseSettings = () => {
   const { LL } = useI18nContext();
   const toaster = useToaster();
@@ -45,8 +50,9 @@ export const LicenseSettings = () => {
       queryClient.invalidateQueries([QueryKeys.FETCH_SETTINGS]);
       queryClient.invalidateQueries([QueryKeys.FETCH_ENTERPRISE_STATUS]);
     },
-    onError: (err) => {
-      toaster.error(LL.messages.error());
+    onError: (err: AxiosError) => {
+      const errorResponse = err.response?.data as LicenseErrorResponse;
+      toaster.error(`${LL.messages.error()} ${LL.messages.details()} ${errorResponse.msg}`);
       console.error(err);
     },
   });

From 8d5cb36120a43390bc72458130dbdbb6d0527585 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 10:54:55 +0200
Subject: [PATCH 64/73] cleanup

---
 tests/common/mod.rs | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/tests/common/mod.rs b/tests/common/mod.rs
index 67db8862f3..df003efbe8 100644
--- a/tests/common/mod.rs
+++ b/tests/common/mod.rs
@@ -7,7 +7,6 @@ use defguard::{
     build_webapp,
     config::DefGuardConfig,
     db::{init_db, AppEvent, DbPool, GatewayEvent, User, UserDetails},
-    enterprise::license::License,
     grpc::{GatewayMap, WorkerState},
     headers::create_user_agent_parser,
     mail::Mail,
@@ -134,14 +133,6 @@ pub async fn make_base_client(pool: DbPool, config: DefGuardConfig) -> (TestClie
         config.clone(),
     );
 
-    let enterprise_enabled = true;
-
-    let license = Arc::new(Mutex::new(Some(License {
-        customer_id: "test".to_string(),
-        subscription: false,
-        valid_until: None,
-    })));
-
     // Uncomment this to enable tracing in tests.
     // It only works for running a single test, so leave it commented out for running all tests.
     // use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
@@ -163,7 +154,6 @@ pub async fn make_base_client(pool: DbPool, config: DefGuardConfig) -> (TestClie
         pool,
         user_agent_parser,
         failed_logins,
-        enterprise_enabled,
     );
     (TestClient::new(webapp).await, client_state)
 }

From 44447fe94cc143c00ff8ed02c06262298245e3f3 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 11:17:48 +0200
Subject: [PATCH 65/73] fix tests

---
 tests/common/mod.rs | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tests/common/mod.rs b/tests/common/mod.rs
index df003efbe8..7eed5c45ef 100644
--- a/tests/common/mod.rs
+++ b/tests/common/mod.rs
@@ -2,11 +2,13 @@ pub(crate) mod client;
 
 use std::sync::{Arc, Mutex};
 
+use chrono::{DateTime, TimeZone, Utc};
 use defguard::{
     auth::failed_login::FailedLoginMap,
     build_webapp,
     config::DefGuardConfig,
     db::{init_db, AppEvent, DbPool, GatewayEvent, User, UserDetails},
+    enterprise::license::{set_cached_license, License},
     grpc::{GatewayMap, WorkerState},
     headers::create_user_agent_parser,
     mail::Mail,
@@ -120,6 +122,16 @@ pub async fn make_base_client(pool: DbPool, config: DefGuardConfig) -> (TestClie
 
     let user_agent_parser = create_user_agent_parser();
 
+    let license = License::new(
+        "test_customer".to_string(),
+        true,
+        // Some(Utc.with_ymd_and_hms(2030, 1, 1, 0, 0, 0).unwrap()),
+        // Permanent license
+        None,
+    );
+
+    set_cached_license(Some(license));
+
     let client_state = ClientState::new(
         pool.clone(),
         worker_state.clone(),

From 31e6a3f94a21138c3736ce66f7e1eb524a741b21 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 11:41:24 +0200
Subject: [PATCH 66/73] eslint fix

---
 .../components/LicenseSettings/LicenseSettings.tsx          | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
index c05f9b14a6..5e068b8f85 100644
--- a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
+++ b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
@@ -2,6 +2,7 @@ import './styles.scss';
 
 import { zodResolver } from '@hookform/resolvers/zod';
 import { useMutation, useQueryClient } from '@tanstack/react-query';
+import { AxiosError } from 'axios';
 import { useEffect, useMemo } from 'react';
 import { SubmitHandler, useForm } from 'react-hook-form';
 import { useBreakpoint } from 'use-breakpoint';
@@ -22,7 +23,6 @@ import { useToaster } from '../../../../../../shared/hooks/useToaster';
 import { QueryKeys } from '../../../../../../shared/queries';
 import { Settings } from '../../../../../../shared/types';
 import { useSettingsPage } from '../../../../hooks/useSettingsPage';
-import { AxiosError } from 'axios';
 
 type FormFields = {
   license: string;
@@ -52,7 +52,9 @@ export const LicenseSettings = () => {
     },
     onError: (err: AxiosError) => {
       const errorResponse = err.response?.data as LicenseErrorResponse;
-      toaster.error(`${LL.messages.error()} ${LL.messages.details()} ${errorResponse.msg}`);
+      toaster.error(
+        `${LL.messages.error()} ${LL.messages.details()} ${errorResponse.msg}`,
+      );
       console.error(err);
     },
   });

From ddb5906d49a334d45367553632b516aa61a641f9 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 11:58:28 +0200
Subject: [PATCH 67/73] add a test

---
 src/enterprise/license.rs | 45 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index f077b1898c..78e2c185e8 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -30,7 +30,29 @@ pub fn get_cached_license() -> MutexGuard<'static, Option<License>> {
 
 tonic::include_proto!("license");
 
-#[allow(dead_code)]
+// Mock license key
+#[cfg(test)]
+pub(crate) const PUBLIC_KEY: &str = "-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQENBGa0jtoBCAC63WkY0btyVzHI8JGVfIkFClNggcDgK+X/if5ndJtHKRXcW6DB
+bRTBNCdUr7sDzCMEYWu8t400Yn/mrLKuubA3G6rp3Eo2nHnOicoZ6mfAdUQL862l
+m9M8zpJtFodWR5G0nznyvabQi9kI1JT87DEIAdfLhN4eoMpgEm+jASSgFeT63oJ9
+fLHofMZLwYZW/mqsnGxElmUsfnVWeseUSgmKBP4IgdtX4LsCx8XiOyQJww6bEUTj
+ZBSqwwuRa1ybtsV3ihEKjDBmXQo5+J3fsadm/6m5PRJVk5rq9/LGVKIBG9m/x6Pn
+xeYaLsjNyAwOSHH2KpeBLPVEfjsqWRt8fyAzABEBAAG0HEF1dG9nZW5lcmF0ZWQg
+S2V5IDxkZWZndWFyZD6JAU4EEwEKADgWIQTyH9Rb8S5I78bRYzghGgZ+AdnRKwUC
+ZrSO2gIbLwULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRAhGgZ+AdnRKyzzCACW
+oGBnAPHkCuvlnZjcYUAJVrjI/S02x4t3wFjaFOu+GQSjeB+AjDawF/S4D5ReQ8iq
+D3dTvno3lk/F5HvqV/ZDU9WMmkDFzJoEwKbNIlWwQvvrTnoyy7lpKskNxwwsErEL
+2+rW+lW/N5KNHFaUh2d5JhK08VRPfyl0WA8gqQ99Wnhq4rHF7ijKFm3im0RlzkMI
+NTXxxee/9J0/Pzh+7zFZlMxnnjwiHlxJXpQFwh7+TS9C3IpChW3ipyPgp1DkzsNv
+Xry1crUOhOyEozdKYh2H6tZEi3bjtGwpYkXJs/g3f6HPKjS8rDOMXw4Japb7LYtC
+Aao60J8cOm8J96u1MsUK
+=6cHp
+-----END PGP PUBLIC KEY BLOCK-----
+";
+
+#[cfg(not(test))]
 pub(crate) const PUBLIC_KEY: &str = "-----BEGIN PGP PUBLIC KEY BLOCK-----
 
 mQENBGa0jtoBCAC63WkY0btyVzHI8JGVfIkFClNggcDgK+X/if5ndJtHKRXcW6DB
@@ -450,3 +472,24 @@ pub async fn run_periodic_license_check(pool: DbPool) -> Result<(), LicenseError
         sleep(*check_period).await;
     }
 }
+
+#[cfg(test)]
+mod test {
+    use chrono::TimeZone;
+
+    use super::*;
+
+    #[test]
+    fn test_license() {
+        let license = "ChMKCTEyMzEyMzEyMxABGMju8bUGErkCCrYCiQEzBAABCgAdFiEE8h/UW/EuSO/G0WM4IRoGfgHZ0SsFAma8d0sACgkQIRoGfgHZ0SvTlwf/TGAsexg4lwBREpb2LaaVGhPIZQE6Jm9IvQXiAkpgqdFruu7A5+wnw90RwKtS8tPlLsCEj6vHHeZUVEAgMZ6HKF56Vkk3fTBvVsLIFoGxLj9GEqBdaxjTZumsHCGUxy7aun/kwprvREsiw/V/tibuXakHUX0SgJZKU/a2bNEg/xdyyqrovYCQVUDFZunLP1Pk8EJbRRLzvlupTq6e726cu3axhDNqKysG3M40WUzMqTicjh/bA7ZXCLiZm0q3vmvwCdPRs51m/Kijo7xTaPzusTjXcicsqiEBinH8i3w/ZwA+pqEo2U92t4oSosJVg/5RKRnGmZSGanEQj6NEp/7Yew==";
+        let license = License::from_base64(license).unwrap();
+        assert_eq!(license.customer_id, "123123123");
+        assert!(license.subscription);
+        assert_eq!(
+            license.valid_until.unwrap(),
+            Utc.with_ymd_and_hms(2024, 8, 14, 9, 22, 16).unwrap()
+        );
+
+        assert!(license.is_expired());
+    }
+}

From 1ea0cf2606814d6b569cbe2e40f3ec93aab402b4 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 12:06:15 +0200
Subject: [PATCH 68/73] add comment

---
 src/enterprise/license.rs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index 78e2c185e8..581b7b60c8 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -412,6 +412,9 @@ pub async fn run_periodic_license_check(pool: DbPool) -> Result<(), LicenseError
 
         // Check if the license requires renewal, uses the cached value to be more efficient
         // The block here is to avoid holding the lock through awaits
+        //
+        // Multiple locks here may cause a race condition if the user decides to update the license key
+        // while the renewal is in progress. However this seems like a rare case and shouldn't be very problematic.
         let requires_renewal = {
             let license = get_cached_license();
             debug!("Checking if the license {license:?} requires a renewal...");

From b2875771c4948c6ecd181ad85ca4f772938cca33 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 13:24:25 +0200
Subject: [PATCH 69/73] fix css

---
 .../components/OpenIdSettings/style.scss      | 34 +++++++++----------
 1 file changed, 17 insertions(+), 17 deletions(-)

diff --git a/web/src/pages/settings/components/OpenIdSettings/style.scss b/web/src/pages/settings/components/OpenIdSettings/style.scss
index da1ee2c134..475fc4d206 100644
--- a/web/src/pages/settings/components/OpenIdSettings/style.scss
+++ b/web/src/pages/settings/components/OpenIdSettings/style.scss
@@ -1,23 +1,23 @@
 .settings-card {
-    position: relative;
+  position: relative;
 }
 
 .enterprise-info {
-    position: absolute;
-    inset: 0;
-    display: flex;
-    justify-content: center;
-    align-items: center;
-    backdrop-filter: blur(1.5px);
-    z-index: 100;
-    border-radius: 15px;
-    border-top-left-radius: 0px;
-    background-color: rgba(#f9f9f9, 0.75);
+  position: absolute;
+  inset: 0;
+  display: flex;
+  justify-content: center;
+  align-items: center;
+  backdrop-filter: blur(1.5px);
+  z-index: 100;
+  border-radius: 15px;
+  border-top-left-radius: 0px;
+  background-color: rgba(#f9f9f9, 0.75);
 }
 
-.enterprise-info>div {
-    display: flex;
-    flex-direction: column;
-    align-items: center;
-    gap: 0.5rem;
-}
\ No newline at end of file
+.enterprise-info > div {
+  display: flex;
+  flex-direction: column;
+  align-items: center;
+  gap: 0.5rem;
+}

From f36f6ab7ff4f6e7fccc72b9985dafc788d6c8a84 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 14:11:28 +0200
Subject: [PATCH 70/73] cleanup

---
 .github/workflows/current.yml | 16 +++++-----------
 src/enterprise/license.rs     |  2 +-
 2 files changed, 6 insertions(+), 12 deletions(-)

diff --git a/.github/workflows/current.yml b/.github/workflows/current.yml
index 64b3d10d7a..c926a9ef74 100644
--- a/.github/workflows/current.yml
+++ b/.github/workflows/current.yml
@@ -4,7 +4,6 @@ on:
     branches:
       - main
       - dev
-      - enterprise-license
     paths-ignore:
       - "*.md"
       - "LICENSE"
@@ -23,13 +22,8 @@ jobs:
         with:
           images: |
             ghcr.io/defguard/defguard
-          # tags: |
-          #   type=raw,value=current
-          #   type=ref,event=branch
-          #   type=sha
-          flavor: |
-            latest=false
           tags: |
+            type=raw,value=current
             type=ref,event=branch
             type=sha
       - name: Login to GitHub container registry
@@ -54,7 +48,7 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
-  # trigger-e2e:
-  #   needs: build-docker
-  #   uses: ./.github/workflows/e2e.yml
-  #   secrets: inherit
+  trigger-e2e:
+    needs: build-docker
+    uses: ./.github/workflows/e2e.yml
+    secrets: inherit
diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index 581b7b60c8..598b466a5c 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -467,7 +467,7 @@ pub async fn run_periodic_license_check(pool: DbPool) -> Result<(), LicenseError
                     }
                 },
                 Err(err) => {
-                    error!("Failed to renew the license: {err}");
+                    warn!("Failed to renew the license: {err}. Retrying in {check_period} seconds");
                 }
             }
         }

From 0cd0f5df376f2abd10db8dbad67281032ec627e6 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 14:32:59 +0200
Subject: [PATCH 71/73] change logs

---
 src/enterprise/license.rs | 27 +++++++++++++++++++--------
 src/handlers/app_info.rs  |  2 --
 2 files changed, 19 insertions(+), 10 deletions(-)

diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index 598b466a5c..687fdb59e8 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -165,17 +165,28 @@ impl License {
 
         match Self::verify_signature(&metadata_bytes, &signature.signature) {
             Ok(_) => {
-                info!("Successfully validated the license signature");
+                info!("Successfully decoded the license validated the license signature");
                 let valid_until = match metadata.valid_until {
                     Some(until) => DateTime::from_timestamp(until, 0),
                     None => None,
                 };
 
-                Ok(License::new(
-                    metadata.customer_id,
-                    metadata.subscription,
-                    valid_until,
-                ))
+                let license =
+                    License::new(metadata.customer_id, metadata.subscription, valid_until);
+
+                if license.requires_renewal() {
+                    if license.is_max_overdue() {
+                        warn!("The provided license has expired and reached its maximum overdue time, please contact sales<at>defguard.net");
+                    } else {
+                        warn!("The provided license is about to expire and requires a renewal. An automatic renewal process will attempt to renew the license soon. Alternatively, automatic renewal attempt will be also performed at the next defguard start.");
+                    }
+                }
+
+                if !license.subscription && license.is_expired() {
+                    warn!("The provided license is not a subscription and has expired, please contact sales<at>defguard.net");
+                }
+
+                Ok(license)
             }
             Err(_) => Err(LicenseError::SignatureMismatch),
         }
@@ -202,7 +213,7 @@ impl License {
         match Self::get_key(pool).await? {
             Some(key) => Ok(Some(Self::from_base64(&key)?)),
             None => {
-                info!("No license key found in the database");
+                debug!("No license key found in the database");
                 Ok(None)
             }
         }
@@ -295,7 +306,7 @@ impl License {
 ///
 /// Doesn't update the cached license, nor does it save the new key in the database.
 async fn renew_license(db_pool: &DbPool) -> Result<String, LicenseError> {
-    info!("Exchanging license for a new one...");
+    debug!("Exchanging license for a new one...");
     let old_license_key = match Settings::get_settings(db_pool).await?.license {
         Some(key) => key,
         None => return Err(LicenseError::LicenseNotFound),
diff --git a/src/handlers/app_info.rs b/src/handlers/app_info.rs
index d8aa1bec85..dc7f387e42 100644
--- a/src/handlers/app_info.rs
+++ b/src/handlers/app_info.rs
@@ -26,9 +26,7 @@ pub(crate) async fn get_app_info(
     let networks = WireguardNetwork::all(&appstate.pool).await?;
     let settings = Settings::get_settings(&appstate.pool).await?;
     let license = get_cached_license();
-    info!("license: {license:?}");
     let enterprise = validate_license((*license).as_ref()).is_ok();
-    info!("enterprise: {}", enterprise);
     let res = AppInfo {
         network_present: !networks.is_empty(),
         smtp_enabled: settings.smtp_configured(),

From e5a8546536328ce5595ff57b18643ca5eaa11c4e Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 22:59:54 +0200
Subject: [PATCH 72/73] ux changes

---
 src/enterprise/license.rs                     |  9 ++--
 web/src/i18n/en/index.ts                      | 10 +++++
 web/src/i18n/i18n-types.ts                    | 44 +++++++++++++++++++
 web/src/i18n/pl/index.ts                      | 10 +++++
 .../GlobalSettings/GlobalSettings.tsx         |  2 +-
 .../LicenseSettings/LicenseSettings.tsx       | 18 +++++++-
 .../components/LicenseSettings/styles.scss    | 10 ++++-
 7 files changed, 94 insertions(+), 9 deletions(-)

diff --git a/src/enterprise/license.rs b/src/enterprise/license.rs
index 687fdb59e8..4cffd1ea3e 100644
--- a/src/enterprise/license.rs
+++ b/src/enterprise/license.rs
@@ -122,7 +122,7 @@ impl License {
     fn decode(bytes: &[u8]) -> Result<Vec<u8>, LicenseError> {
         let bytes = BASE64_STANDARD.decode(bytes).map_err(|_| {
             LicenseError::DecodeError(
-                "Failed to decode the Base64 license key, check if the provided key is correct."
+                "Failed to decode the license key, check if the provided key is correct."
                     .to_string(),
             )
         })?;
@@ -149,15 +149,14 @@ impl License {
 
         let license_key = LicenseKey::decode(slice).map_err(|_| {
             LicenseError::DecodeError(
-                "Failed to decode the binary license key, check if the provided key is correct."
-                    .to_string(),
+                "The license key is malformed, check if the provided key is correct.".to_string(),
             )
         })?;
         let metadata = license_key.metadata.ok_or(LicenseError::InvalidLicense(
-            "License metadata is missing from the license key".to_string(),
+            "License metadata is missing from the license key, the provided license key is incorrect.".to_string(),
         ))?;
         let signature = license_key.signature.ok_or(LicenseError::InvalidLicense(
-            "License signature is missing from the license key".to_string(),
+            "License signature is missing from the license key, the provided license key is incorrect.".to_string(),
         ))?;
         let metadata_bytes = metadata.encode_to_vec();
 
diff --git a/web/src/i18n/en/index.ts b/web/src/i18n/en/index.ts
index 5522989380..cc514323b0 100644
--- a/web/src/i18n/en/index.ts
+++ b/web/src/i18n/en/index.ts
@@ -1050,6 +1050,16 @@ const en: BaseTranslation = {
     },
     license: {
       header: 'Enterprise',
+      helpers: {
+        enterpriseHeader: {
+          text: 'Here you can manage your Defguard Enterprise version license.',
+          link: 'To learn more about Defguard Enterprise, visit our webiste.',
+        },
+        licenseKey: {
+          text: 'Enter your Defguard Enterprise license key below. You should receive it via email after purchasing the license.',
+          link: 'You can purchase the license here.',
+        },
+      },
       form: {
         title: 'License',
         fields: {
diff --git a/web/src/i18n/i18n-types.ts b/web/src/i18n/i18n-types.ts
index 2d2e83521b..3f502de045 100644
--- a/web/src/i18n/i18n-types.ts
+++ b/web/src/i18n/i18n-types.ts
@@ -2549,6 +2549,28 @@ type RootTranslation = {
 			 * E​n​t​e​r​p​r​i​s​e
 			 */
 			header: string
+			helpers: {
+				enterpriseHeader: {
+					/**
+					 * H​e​r​e​ ​y​o​u​ ​c​a​n​ ​m​a​n​a​g​e​ ​y​o​u​r​ ​D​e​f​g​u​a​r​d​ ​E​n​t​e​r​p​r​i​s​e​ ​v​e​r​s​i​o​n​ ​l​i​c​e​n​s​e​.
+					 */
+					text: string
+					/**
+					 * T​o​ ​l​e​a​r​n​ ​m​o​r​e​ ​a​b​o​u​t​ ​D​e​f​g​u​a​r​d​ ​E​n​t​e​r​p​r​i​s​e​,​ ​v​i​s​i​t​ ​o​u​r​ ​w​e​b​i​s​t​e​.
+					 */
+					link: string
+				}
+				licenseKey: {
+					/**
+					 * E​n​t​e​r​ ​y​o​u​r​ ​D​e​f​g​u​a​r​d​ ​E​n​t​e​r​p​r​i​s​e​ ​l​i​c​e​n​s​e​ ​k​e​y​ ​b​e​l​o​w​.​ ​Y​o​u​ ​s​h​o​u​l​d​ ​r​e​c​e​i​v​e​ ​i​t​ ​v​i​a​ ​e​m​a​i​l​ ​a​f​t​e​r​ ​p​u​r​c​h​a​s​i​n​g​ ​t​h​e​ ​l​i​c​e​n​s​e​.
+					 */
+					text: string
+					/**
+					 * Y​o​u​ ​c​a​n​ ​p​u​r​c​h​a​s​e​ ​t​h​e​ ​l​i​c​e​n​s​e​ ​h​e​r​e​.
+					 */
+					link: string
+				}
+			}
 			form: {
 				/**
 				 * L​i​c​e​n​s​e
@@ -6580,6 +6602,28 @@ export type TranslationFunctions = {
 			 * Enterprise
 			 */
 			header: () => LocalizedString
+			helpers: {
+				enterpriseHeader: {
+					/**
+					 * Here you can manage your Defguard Enterprise version license.
+					 */
+					text: () => LocalizedString
+					/**
+					 * To learn more about Defguard Enterprise, visit our webiste.
+					 */
+					link: () => LocalizedString
+				}
+				licenseKey: {
+					/**
+					 * Enter your Defguard Enterprise license key below. You should receive it via email after purchasing the license.
+					 */
+					text: () => LocalizedString
+					/**
+					 * You can purchase the license here.
+					 */
+					link: () => LocalizedString
+				}
+			}
 			form: {
 				/**
 				 * License
diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 0003b20667..28dc325079 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -1038,6 +1038,16 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
     },
     license: {
       header: 'Funkcje enterprise',
+      helpers: {
+        enterpriseHeader: {
+          text: 'Tutaj możesz zarządzać swoją licencją Defguard Enterprise.',
+          link: 'By dowiedzieć się więcej, odwiedź naszą stronę.',
+        },
+        licenseKey: {
+          text: "Wprowadź poniżej klucz licencyjny Defguard Enterprise. Powinieneś otrzymać go na swoją skrzynkę e-mailową po zakupie licencji.",
+          link: 'Licencję możesz zakupić tutaj.',
+        },
+      },
       form: {
         title: 'Licencja',
         fields: {
diff --git a/web/src/pages/settings/components/GlobalSettings/GlobalSettings.tsx b/web/src/pages/settings/components/GlobalSettings/GlobalSettings.tsx
index 8c0680d5c4..6025d59c0b 100644
--- a/web/src/pages/settings/components/GlobalSettings/GlobalSettings.tsx
+++ b/web/src/pages/settings/components/GlobalSettings/GlobalSettings.tsx
@@ -10,8 +10,8 @@ export const GlobalSettings = () => (
       <ModulesSettings />
     </div>
     <div className="right">
-      <Web3Settings />
       <LicenseSettings />
+      <Web3Settings />
     </div>
   </>
 );
diff --git a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
index 5e068b8f85..336f16be35 100644
--- a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
+++ b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
@@ -3,6 +3,7 @@ import './styles.scss';
 import { zodResolver } from '@hookform/resolvers/zod';
 import { useMutation, useQueryClient } from '@tanstack/react-query';
 import { AxiosError } from 'axios';
+import parse from 'html-react-parser';
 import { useEffect, useMemo } from 'react';
 import { SubmitHandler, useForm } from 'react-hook-form';
 import { useBreakpoint } from 'use-breakpoint';
@@ -18,6 +19,7 @@ import {
   ButtonStyleVariant,
 } from '../../../../../../shared/defguard-ui/components/Layout/Button/types';
 import { Card } from '../../../../../../shared/defguard-ui/components/Layout/Card/Card';
+import { Helper } from '../../../../../../shared/defguard-ui/components/Layout/Helper/Helper';
 import useApi from '../../../../../../shared/hooks/useApi';
 import { useToaster } from '../../../../../../shared/hooks/useToaster';
 import { QueryKeys } from '../../../../../../shared/queries';
@@ -91,10 +93,24 @@ export const LicenseSettings = () => {
     <section id="license-settings">
       <header>
         <h2>{LL.settingsPage.license.header()}</h2>
+        <Helper>
+          <p>{LL.settingsPage.license.helpers.enterpriseHeader.text()}</p>
+          <a href="https://defguard.net/pricing/" target="_blank" rel="noreferrer">
+            {LL.settingsPage.license.helpers.enterpriseHeader.link()}
+          </a>
+        </Helper>
       </header>
       <Card shaded bordered>
         <div className="controls">
-          <h3>{LL.settingsPage.license.form.title()}:</h3>
+          <div className="header">
+            <h3>{LL.settingsPage.license.form.title()}:</h3>
+            <Helper>
+              <p>{LL.settingsPage.license.helpers.licenseKey.text()}</p>
+              <a href="https://defguard.net/pricing/" target="_blank" rel="noreferrer">
+                {LL.settingsPage.license.helpers.licenseKey.link()}
+              </a>
+            </Helper>
+          </div>
           <Button
             form="license-form"
             text={
diff --git a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/styles.scss b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/styles.scss
index 7a1fc6bb76..772a403508 100644
--- a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/styles.scss
+++ b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/styles.scss
@@ -1,12 +1,18 @@
-@use '@scssutils' as *;
-
 #license-settings {
   & > .card {
     display: flex;
     flex-flow: column;
     row-gap: 16px;
+
     @include media-breakpoint-up(lg) {
       padding: 16px 15px;
     }
   }
 }
+
+.controls > .header {
+  display: flex;
+  justify-content: space-between;
+  align-items: center;
+  gap: 10px;
+}

From eb9efc8eebbb3ec24e5dd8254db838013a10651b Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Wed, 14 Aug 2024 23:06:08 +0200
Subject: [PATCH 73/73] linter fixes

---
 web/src/i18n/pl/index.ts                                        | 2 +-
 .../components/LicenseSettings/LicenseSettings.tsx              | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/web/src/i18n/pl/index.ts b/web/src/i18n/pl/index.ts
index 28dc325079..1ca5148c84 100644
--- a/web/src/i18n/pl/index.ts
+++ b/web/src/i18n/pl/index.ts
@@ -1044,7 +1044,7 @@ Uwaga, podane tutaj konfiguracje nie posiadają klucza prywatnego. Musisz uzupe
           link: 'By dowiedzieć się więcej, odwiedź naszą stronę.',
         },
         licenseKey: {
-          text: "Wprowadź poniżej klucz licencyjny Defguard Enterprise. Powinieneś otrzymać go na swoją skrzynkę e-mailową po zakupie licencji.",
+          text: 'Wprowadź poniżej klucz licencyjny Defguard Enterprise. Powinieneś otrzymać go na swoją skrzynkę e-mailową po zakupie licencji.',
           link: 'Licencję możesz zakupić tutaj.',
         },
       },
diff --git a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
index 336f16be35..bfe0af118a 100644
--- a/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
+++ b/web/src/pages/settings/components/GlobalSettings/components/LicenseSettings/LicenseSettings.tsx
@@ -3,7 +3,6 @@ import './styles.scss';
 import { zodResolver } from '@hookform/resolvers/zod';
 import { useMutation, useQueryClient } from '@tanstack/react-query';
 import { AxiosError } from 'axios';
-import parse from 'html-react-parser';
 import { useEffect, useMemo } from 'react';
 import { SubmitHandler, useForm } from 'react-hook-form';
 import { useBreakpoint } from 'use-breakpoint';