add a link to the upgrading docs in the error message

Fixes #1854 Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
UI: fix some glitches
2024-12-31 10:04:43 +01:00 · 2024-12-29 17:16:28 +01:00 · 2024-12-28 18:47:04 +01:00 · 2024-12-26 09:36:58 +01:00 · 2024-12-25 22:53:26 +01:00 · 2024-12-25 11:34:14 +01:00
201 changed files with 10750 additions and 4023 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -2,17 +2,17 @@ freebsd_task:
  name: FreeBSD

  matrix:
-    - name: FreeBSD 14.0
+    - name: FreeBSD 14.1
      freebsd_instance:
-        image_family: freebsd-14-0
+        image_family: freebsd-14-1

  pkginstall_script:
    - pkg update -f
-    - pkg install -y go122
+    - pkg install -y go123
    - pkg install -y git

  setup_script:
-    - ln -s /usr/local/bin/go122 /usr/local/bin/go
+    - ln -s /usr/local/bin/go123 /usr/local/bin/go
    - pw groupadd sftpgo
    - pw useradd sftpgo -g sftpgo -w none -m
    - mkdir /home/sftpgo/sftpgo
@ -20,7 +20,7 @@ freebsd_task:
    - chown -R sftpgo:sftpgo /home/sftpgo/sftpgo

  compile_script:
-    - su sftpgo -c 'cd ~/sftpgo && go build -trimpath -tags nopgxregisterdefaulttypes -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo'
+    - su sftpgo -c 'cd ~/sftpgo && go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo'
    - su sftpgo -c 'cd ~/sftpgo/tests/eventsearcher && go build -trimpath -ldflags "-s -w" -o eventsearcher'
    - su sftpgo -c 'cd ~/sftpgo/tests/ipfilter && go build -trimpath -ldflags "-s -w" -o ipfilter'

@ -28,4 +28,4 @@ freebsd_task:
    - su sftpgo -c 'cd ~/sftpgo && ./sftpgo initprovider && ./sftpgo resetprovider --force'

  test_script:
-    - su sftpgo -c 'cd ~/sftpgo && go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 20m ./... -coverprofile=coverage.txt -covermode=atomic'
+    - su sftpgo -c 'cd ~/sftpgo && go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 20m ./... -coverprofile=coverage.txt -covermode=atomic'
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@ -8,7 +8,7 @@ body:
      value: |
        ### 👍 Thank you for contributing to our project!
        Before asking for help please check the [support policy](https://github.com/drakkan/sftpgo#support-policy).
-        If you are a commercial user or a project sponsor please contact us using the dedicated [email address](mailto:support@sftpgo.com).
+        If you are a [commercial user](https://sftpgo.com/) or a project sponsor please contact us using the dedicated [email address](mailto:support@sftpgo.com).
  - type: checkboxes
    id: before-posting
    attributes:
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -1,11 +1,11 @@
 version: 2

 updates:
-  - package-ecosystem: "gomod"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    open-pull-requests-limit: 2
+  #- package-ecosystem: "gomod"
+  #  directory: "/"
+  #  schedule:
+  #    interval: "weekly"
+  #  open-pull-requests-limit: 2

  - package-ecosystem: "docker"
    directory: "/"
--- a/.github/workflows/development.yml
+++ b/.github/workflows/development.yml
@ -5,19 +5,18 @@ on:
    branches: [main]
  pull_request:

+permissions:
+  id-token: write
+  contents: read
+
 jobs:
  test-deploy:
    name: Test and deploy
    runs-on: ${{ matrix.os }}
    strategy:
      matrix:
-        go: ['1.22']
+        go: ['1.23']
        os: [ubuntu-latest, macos-latest]
-        upload-coverage: [true]
-        include:
-          - go: '1.22'
-            os: windows-latest
-            upload-coverage: false

    steps:
      - uses: actions/checkout@v4
@ -30,9 +29,8 @@ jobs:
          go-version: ${{ matrix.go }}

      - name: Build for Linux/macOS x86_64
-        if: startsWith(matrix.os, 'windows-') != true
        run: |
-          go build -trimpath -tags nopgxregisterdefaulttypes -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
+          go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
          cd tests/eventsearcher
          go build -trimpath -ldflags "-s -w" -o eventsearcher
          cd -
@ -44,68 +42,35 @@ jobs:

      - name: Build for macOS arm64
        if: startsWith(matrix.os, 'macos-') == true
-        run: CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 SDKROOT=$(xcrun --sdk macosx --show-sdk-path) go build -trimpath -tags nopgxregisterdefaulttypes -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo_arm64
-
-      - name: Build for Windows
-        if: startsWith(matrix.os, 'windows-')
-        run: |
-          $GIT_COMMIT = (git describe --always --abbrev=8 --dirty) | Out-String
-          $DATE_TIME = ([datetime]::Now.ToUniversalTime().toString("yyyy-MM-ddTHH:mm:ssZ")) | Out-String
-          $LATEST_TAG = ((git describe --tags $(git rev-list --tags --max-count=1)) | Out-String).Trim()
-          $REV_LIST=$LATEST_TAG+"..HEAD"
-          $COMMITS_FROM_TAG= ((git rev-list $REV_LIST --count) | Out-String).Trim()
-          $FILE_VERSION = $LATEST_TAG.substring(1)  + "." + $COMMITS_FROM_TAG
-          go install github.com/tc-hib/go-winres@latest
-          go-winres simply --arch amd64 --product-version $LATEST_TAG-dev-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo server" --product-name SFTPGo --copyright "AGPL-3.0" --original-filename sftpgo.exe --icon  .\windows-installer\icon.ico
-          go build -trimpath -tags nopgxregisterdefaulttypes -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME" -o sftpgo.exe
-          cd tests/eventsearcher
-          go build -trimpath -ldflags "-s -w" -o eventsearcher.exe
-          cd ../..
-          cd tests/ipfilter
-          go build -trimpath -ldflags "-s -w" -o ipfilter.exe
-          cd ../..
-          mkdir arm64
-          $Env:CGO_ENABLED='0'
-          $Env:GOOS='windows'
-          $Env:GOARCH='arm64'
-          go-winres simply --arch arm64 --product-version $LATEST_TAG-dev-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo server" --product-name SFTPGo --copyright "AGPL-3.0" --original-filename sftpgo.exe --icon  .\windows-installer\icon.ico
-          go build -trimpath -tags nopgxregisterdefaulttypes,nosqlite -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME" -o .\arm64\sftpgo.exe
-          mkdir x86
-          $Env:GOARCH='386'
-          go-winres simply --arch 386 --product-version $LATEST_TAG-dev-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo server" --product-name SFTPGo --copyright "AGPL-3.0" --original-filename sftpgo.exe --icon  .\windows-installer\icon.ico
-          go build -trimpath -tags nopgxregisterdefaulttypes,nosqlite -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME" -o .\x86\sftpgo.exe
-          Remove-Item Env:\CGO_ENABLED
-          Remove-Item Env:\GOOS
-          Remove-Item Env:\GOARCH
+        run: CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 SDKROOT=$(xcrun --sdk macosx --show-sdk-path) go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo_arm64

      - name: Run test cases using SQLite provider
-        run: go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 15m ./... -coverprofile=coverage.txt -covermode=atomic
+        run: go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -coverprofile=coverage.txt -covermode=atomic

      - name: Upload coverage to Codecov
-        if: ${{ matrix.upload-coverage }}
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
        with:
-          file: ./coverage.txt
+          files: ./coverage.txt
          fail_ci_if_error: false
          token: ${{ secrets.CODECOV_TOKEN }}

      - name: Run test cases using bolt provider
        run: |
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 2m ./internal/config -covermode=atomic
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 5m ./internal/common -covermode=atomic
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 5m ./internal/httpd -covermode=atomic
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 8m ./internal/sftpd -covermode=atomic
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 5m ./internal/ftpd -covermode=atomic
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 5m ./internal/webdavd -covermode=atomic
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 2m ./internal/telemetry -covermode=atomic
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 2m ./internal/mfa -covermode=atomic
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 2m ./internal/command -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/config -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/common -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/httpd -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 8m ./internal/sftpd -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/ftpd -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/webdavd -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/telemetry -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/mfa -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/command -covermode=atomic
        env:
          SFTPGO_DATA_PROVIDER__DRIVER: bolt
          SFTPGO_DATA_PROVIDER__NAME: 'sftpgo_bolt.db'

      - name: Run test cases using memory provider
-        run: go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 15m ./... -covermode=atomic
+        run: go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic
        env:
          SFTPGO_DATA_PROVIDER__DRIVER: memory
          SFTPGO_DATA_PROVIDER__NAME: ''
@ -126,8 +91,124 @@ jobs:
          ./sftpgo gen man -d output/man/man1
          gzip output/man/man1/*

-      - name: Prepare Windows installer
-        if: ${{ startsWith(matrix.os, 'windows-') && github.event_name != 'pull_request' }}
+      - name: Upload build artifact
+        if: startsWith(matrix.os, 'ubuntu-') != true
+        uses: actions/upload-artifact@v4
+        with:
+          name: sftpgo-${{ matrix.os }}-go-${{ matrix.go }}
+          path: output
+
+  test-deploy-windows:
+    name: Test and deploy Windows
+    environment: signing
+    runs-on: windows-latest
+
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Azure login
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: '1.23'
+
+      - name: Build
+        run: |
+          $GIT_COMMIT = (git describe --always --abbrev=8 --dirty) | Out-String
+          $DATE_TIME = ([datetime]::Now.ToUniversalTime().toString("yyyy-MM-ddTHH:mm:ssZ")) | Out-String
+          $LATEST_TAG = ((git describe --tags $(git rev-list --tags --max-count=1)) | Out-String).Trim()
+          $REV_LIST=$LATEST_TAG+"..HEAD"
+          $COMMITS_FROM_TAG= ((git rev-list $REV_LIST --count) | Out-String).Trim()
+          $FILE_VERSION = $LATEST_TAG.substring(1)  + "." + $COMMITS_FROM_TAG
+          go install github.com/tc-hib/go-winres@latest
+          go-winres simply --arch amd64 --product-version $LATEST_TAG-dev-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo server" --product-name SFTPGo --copyright "AGPL-3.0 with additional terms" --original-filename sftpgo.exe --icon  .\windows-installer\icon.ico
+          go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME" -o sftpgo.exe
+          cd tests/eventsearcher
+          go build -trimpath -ldflags "-s -w" -o eventsearcher.exe
+          cd ../..
+          cd tests/ipfilter
+          go build -trimpath -ldflags "-s -w" -o ipfilter.exe
+          cd ../..
+          mkdir arm64
+          $Env:CGO_ENABLED='0'
+          $Env:GOOS='windows'
+          $Env:GOARCH='arm64'
+          go-winres simply --arch arm64 --product-version $LATEST_TAG-dev-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo server" --product-name SFTPGo --copyright "AGPL-3.0 with additional terms" --original-filename sftpgo.exe --icon  .\windows-installer\icon.ico
+          go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules,nosqlite -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME" -o .\arm64\sftpgo.exe
+          mkdir x86
+          $Env:GOARCH='386'
+          go-winres simply --arch 386 --product-version $LATEST_TAG-dev-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo server" --product-name SFTPGo --copyright "AGPL-3.0 with additional terms" --original-filename sftpgo.exe --icon  .\windows-installer\icon.ico
+          go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules,nosqlite -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME" -o .\x86\sftpgo.exe
+          Remove-Item Env:\CGO_ENABLED
+          Remove-Item Env:\GOOS
+          Remove-Item Env:\GOARCH
+
+      - name: Sign binaries
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: azure/trusted-signing-action@v0.5.0
+        with:
+          endpoint: https://eus.codesigning.azure.net/
+          trusted-signing-account-name: nicola
+          certificate-profile-name: SFTPGo
+          files: |
+            ${{ github.workspace }}\sftpgo.exe
+            ${{ github.workspace }}\arm64\sftpgo.exe
+            ${{ github.workspace }}\x86\sftpgo.exe
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+          exclude-environment-credential: true
+          exclude-workload-identity-credential: true
+          exclude-managed-identity-credential: true
+          exclude-shared-token-cache-credential: true
+          exclude-visual-studio-credential: true
+          exclude-visual-studio-code-credential: true
+          exclude-azure-cli-credential: false
+          exclude-azure-powershell-credential: true
+          exclude-azure-developer-cli-credential: true
+          exclude-interactive-browser-credential: true
+
+      - name: Run test cases using SQLite provider
+        run: go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -coverprofile=coverage.txt -covermode=atomic
+
+      - name: Run test cases using bolt provider
+        run: |
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/config -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/common -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/httpd -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 8m ./internal/sftpd -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/ftpd -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 5m ./internal/webdavd -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/telemetry -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/mfa -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 2m ./internal/command -covermode=atomic
+        env:
+          SFTPGO_DATA_PROVIDER__DRIVER: bolt
+          SFTPGO_DATA_PROVIDER__NAME: 'sftpgo_bolt.db'
+
+      - name: Run test cases using memory provider
+        run: go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic
+        env:
+          SFTPGO_DATA_PROVIDER__DRIVER: memory
+          SFTPGO_DATA_PROVIDER__NAME: ''
+
+      - name: Initialize data provider
+        run: |
+          rm sftpgo.db
+          ./sftpgo initprovider
+        shell: bash
+
+      - name: Prepare Windows installers
+        if: ${{ github.event_name != 'pull_request' }}
        run: |
          Remove-Item -LiteralPath "output" -Force -Recurse -ErrorAction Ignore
          mkdir output
@ -135,6 +216,7 @@ jobs:
          copy .\sftpgo.json .\output
          copy .\sftpgo.db .\output
          copy .\LICENSE .\output\LICENSE.txt
+          copy .\NOTICE .\output\NOTICE.txt
          mkdir output\templates
          xcopy .\templates .\output\templates\ /E
          mkdir output\static
@ -145,15 +227,7 @@ jobs:
          $REV_LIST=$LATEST_TAG+"..HEAD"
          $COMMITS_FROM_TAG= ((git rev-list $REV_LIST --count) | Out-String).Trim()
          $Env:SFTPGO_ISS_DEV_VERSION = $LATEST_TAG  + "." + $COMMITS_FROM_TAG
-          $CERT_PATH=(Get-Location -PSProvider FileSystem).ProviderPath + "\cert.pfx"
-          [IO.File]::WriteAllBytes($CERT_PATH,[System.Convert]::FromBase64String($Env:CERT_DATA))
-          certutil -f -p "$Env:CERT_PASS" -importpfx MY "$CERT_PATH"
-          rm "$CERT_PATH"
-          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\sftpgo.exe
-          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\arm64\sftpgo.exe
-          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\x86\sftpgo.exe
-          $INNO_S='/Ssigntool=$qC:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe$q sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n $qNicola Murino$q /d $qSFTPGo$q $f'
-          iscc "$INNO_S" .\windows-installer\sftpgo.iss
+          iscc .\windows-installer\sftpgo.iss

          rm .\output\sftpgo.exe
          rm .\output\sftpgo.db
@ -165,40 +239,60 @@ jobs:
          Remove-Item Env:\SFTPGO_DATA_PROVIDER__DRIVER
          Remove-Item Env:\SFTPGO_DATA_PROVIDER__NAME
          $Env:SFTPGO_ISS_ARCH='arm64'
-          iscc "$INNO_S" .\windows-installer\sftpgo.iss
+          iscc .\windows-installer\sftpgo.iss

          rm .\output\sftpgo.exe
          copy .\x86\sftpgo.exe .\output
          $Env:SFTPGO_ISS_ARCH='x86'
-          iscc "$INNO_S" .\windows-installer\sftpgo.iss
-          certutil -delstore MY "Nicola Murino"
-        env:
-          CERT_DATA: ${{ secrets.CERT_DATA }}
-          CERT_PASS: ${{ secrets.CERT_PASS }}
+          iscc .\windows-installer\sftpgo.iss
+
+      - name: Sign installers
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: azure/trusted-signing-action@v0.5.0
+        with:
+          endpoint: https://eus.codesigning.azure.net/
+          trusted-signing-account-name: nicola
+          certificate-profile-name: SFTPGo
+          files: |
+            ${{ github.workspace }}\sftpgo_windows_x86_64.exe
+            ${{ github.workspace }}\sftpgo_windows_arm64.exe
+            ${{ github.workspace }}\sftpgo_windows_x86.exe
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+          exclude-environment-credential: true
+          exclude-workload-identity-credential: true
+          exclude-managed-identity-credential: true
+          exclude-shared-token-cache-credential: true
+          exclude-visual-studio-credential: true
+          exclude-visual-studio-code-credential: true
+          exclude-azure-cli-credential: false
+          exclude-azure-powershell-credential: true
+          exclude-azure-developer-cli-credential: true
+          exclude-interactive-browser-credential: true

      - name: Upload Windows installer x86_64 artifact
-        if: ${{ startsWith(matrix.os, 'windows-') && github.event_name != 'pull_request' }}
+        if: ${{ github.event_name != 'pull_request' }}
        uses: actions/upload-artifact@v4
        with:
          name: sftpgo_windows_installer_x86_64
          path: ./sftpgo_windows_x86_64.exe

      - name: Upload Windows installer arm64 artifact
-        if: ${{ startsWith(matrix.os, 'windows-') && github.event_name != 'pull_request' }}
+        if: ${{ github.event_name != 'pull_request' }}
        uses: actions/upload-artifact@v4
        with:
          name: sftpgo_windows_installer_arm64
          path: ./sftpgo_windows_arm64.exe

      - name: Upload Windows installer x86 artifact
-        if: ${{ startsWith(matrix.os, 'windows-') && github.event_name != 'pull_request' }}
+        if: ${{ github.event_name != 'pull_request' }}
        uses: actions/upload-artifact@v4
        with:
          name: sftpgo_windows_installer_x86
          path: ./sftpgo_windows_x86.exe

      - name: Prepare build artifact for Windows
-        if: startsWith(matrix.os, 'windows-')
        run: |
          Remove-Item -LiteralPath "output" -Force -Recurse -ErrorAction Ignore
          mkdir output
@ -217,10 +311,9 @@ jobs:
          xcopy .\openapi .\output\openapi\ /E

      - name: Upload build artifact
-        if: startsWith(matrix.os, 'ubuntu-') != true
        uses: actions/upload-artifact@v4
        with:
-          name: sftpgo-${{ matrix.os }}-go-${{ matrix.go }}
+          name: sftpgo-windows-portable
          path: output

  test-build-flags:
@ -233,14 +326,14 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: '1.22'
+          go-version: '1.23'

      - name: Build
        run: |
-          go build -trimpath -tags nopgxregisterdefaulttypes,nogcs,nos3,noportable,nobolt,nomysql,nopgsql,nosqlite,nometrics,noazblob,unixcrypt -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
+          go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules,nogcs,nos3,noportable,nobolt,nomysql,nopgsql,nosqlite,nometrics,noazblob,unixcrypt -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
          ./sftpgo -v
          cp -r openapi static templates internal/bundle/
-          go build -trimpath -tags nopgxregisterdefaulttypes,bundle -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
+          go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules,bundle -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
          ./sftpgo -v

  test-postgresql-mysql-crdb:
@ -297,11 +390,11 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: '1.22'
+          go-version: '1.23'

      - name: Build
        run: |
-          go build -trimpath -tags nopgxregisterdefaulttypes -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
+          go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
          cd tests/eventsearcher
          go build -trimpath -ldflags "-s -w" -o eventsearcher
          cd -
@ -313,7 +406,7 @@ jobs:
        run: |
          ./sftpgo initprovider
          ./sftpgo resetprovider --force
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 15m ./... -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic
        env:
          SFTPGO_DATA_PROVIDER__DRIVER: mysql
          SFTPGO_DATA_PROVIDER__NAME: sftpgo
@ -326,7 +419,7 @@ jobs:
        run: |
          ./sftpgo initprovider
          ./sftpgo resetprovider --force
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 15m ./... -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic
        env:
          SFTPGO_DATA_PROVIDER__DRIVER: postgresql
          SFTPGO_DATA_PROVIDER__NAME: sftpgo
@ -339,7 +432,7 @@ jobs:
        run: |
          ./sftpgo initprovider
          ./sftpgo resetprovider --force
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 15m ./... -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic
        env:
          SFTPGO_DATA_PROVIDER__DRIVER: mysql
          SFTPGO_DATA_PROVIDER__NAME: sftpgo
@ -356,7 +449,7 @@ jobs:
          docker exec crdb cockroach sql --insecure -e 'create database "sftpgo"'
          ./sftpgo initprovider
          ./sftpgo resetprovider --force
-          go test -v -tags nopgxregisterdefaulttypes -p 1 -timeout 15m ./... -covermode=atomic
+          go test -v -tags nopgxregisterdefaulttypes,disable_grpc_modules -p 1 -timeout 15m ./... -covermode=atomic
          docker stop crdb
        env:
          SFTPGO_DATA_PROVIDER__DRIVER: cockroachdb
@ -420,7 +513,7 @@ jobs:
          echo 'export PATH=$PATH:/usr/local/go/bin' >> build.sh
          echo 'go version' >> build.sh
          echo 'cd /usr/local/src' >> build.sh
-          echo 'go build -buildvcs=false -trimpath -tags nopgxregisterdefaulttypes -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${{ steps.get_commit.outputs.COMMIT }} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo' >> build.sh
+          echo 'go build -buildvcs=false -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${{ steps.get_commit.outputs.COMMIT }} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo' >> build.sh

          chmod 755 build.sh
          docker run --rm --name ubuntu-build --mount type=bind,source=`pwd`,target=/usr/local/src ${{ matrix.distro }} /usr/local/src/build.sh
@ -471,7 +564,7 @@ jobs:
            then
              export GOARM=7
            fi
-            go build -buildvcs=false -trimpath -tags nopgxregisterdefaulttypes -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${{ steps.get_commit.outputs.COMMIT }} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
+            go build -buildvcs=false -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${{ steps.get_commit.outputs.COMMIT }} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
            mkdir -p output/{init,bash_completion,zsh_completion}
            cp sftpgo.json output/
            cp -r templates output/
@ -518,9 +611,10 @@ jobs:
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
-          go-version: '1.22'
+          go-version: '1.23'
      - uses: actions/checkout@v4
      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@v6
        with:
+          args: --timeout=10m
          version: latest
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@ -42,7 +42,7 @@ jobs:
          DOCKERFILE=Dockerfile
          MINOR=""
          MAJOR=""
-          FEATURES="nopgxregisterdefaulttypes"
+          FEATURES="nopgxregisterdefaulttypes,disable_grpc_modules"
          if [ "${{ github.event_name }}" = "schedule" ]; then
            VERSION=nightly
          elif [[ $GITHUB_REF == refs/tags/* ]]; then
@ -163,7 +163,7 @@ jobs:
        if: ${{ github.event_name != 'pull_request' }}

      - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
        with:
          context: .
          builder: ${{ steps.builder.outputs.name }}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -4,8 +4,12 @@ on:
  push:
    tags: 'v*'

+permissions:
+  id-token: write
+  contents: write
+
 env:
-  GO_VERSION: 1.22.3
+  GO_VERSION: 1.23.3

 jobs:
  prepare-sources-with-deps:
@ -38,12 +42,192 @@ jobs:
          path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_src_with_deps.tar.xz
          retention-days: 1

-  prepare-window-mac:
-    name: Prepare binaries
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os: [macos-12, windows-2022]
+  prepare-windows:
+    name: Prepare Windows binaries
+    environment: signing
+    runs-on: windows-2022
+
+    steps:
+      - uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
+        with:
+          go-version: ${{ env.GO_VERSION }}
+
+      - name: Azure login
+        uses: azure/login@v2
+        with:
+          client-id: ${{ secrets.AZURE_CLIENT_ID }}
+          tenant-id: ${{ secrets.AZURE_TENANT_ID }}
+          subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
+
+      - name: Get SFTPGo version
+        id: get_version
+        run: echo "VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
+        shell: bash
+
+      - name: Build
+        run: |
+          $GIT_COMMIT = (git describe --always --abbrev=8 --dirty) | Out-String
+          $DATE_TIME = ([datetime]::Now.ToUniversalTime().toString("yyyy-MM-ddTHH:mm:ssZ")) | Out-String
+          $FILE_VERSION = $Env:SFTPGO_VERSION.substring(1)  + ".0"
+          go install github.com/tc-hib/go-winres@latest
+          go-winres simply --arch amd64 --product-version $Env:SFTPGO_VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo server" --product-name SFTPGo --copyright "AGPL-3.0 with additional terms" --original-filename sftpgo.exe --icon  .\windows-installer\icon.ico
+          go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME" -o sftpgo.exe
+          mkdir arm64
+          $Env:CGO_ENABLED='0'
+          $Env:GOOS='windows'
+          $Env:GOARCH='arm64'
+          go-winres simply --arch arm64 --product-version $Env:SFTPGO_VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo server" --product-name SFTPGo --copyright "AGPL-3.0 with additional terms" --original-filename sftpgo.exe --icon  .\windows-installer\icon.ico
+          go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules,nosqlite -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME" -o .\arm64\sftpgo.exe
+          mkdir x86
+          $Env:GOARCH='386'
+          go-winres simply --arch 386 --product-version $Env:SFTPGO_VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo server" --product-name SFTPGo --copyright "AGPL-3.0 with additional terms" --original-filename sftpgo.exe --icon  .\windows-installer\icon.ico
+          go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules,nosqlite -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME" -o .\x86\sftpgo.exe
+          Remove-Item Env:\CGO_ENABLED
+          Remove-Item Env:\GOOS
+          Remove-Item Env:\GOARCH
+        env:
+          SFTPGO_VERSION: ${{ steps.get_version.outputs.VERSION }}
+
+      - name: Sign binaries
+        uses: azure/trusted-signing-action@v0.5.0
+        with:
+          endpoint: https://eus.codesigning.azure.net/
+          trusted-signing-account-name: nicola
+          certificate-profile-name: SFTPGo
+          files: |
+            ${{ github.workspace }}\sftpgo.exe
+            ${{ github.workspace }}\arm64\sftpgo.exe
+            ${{ github.workspace }}\x86\sftpgo.exe
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+          exclude-environment-credential: true
+          exclude-workload-identity-credential: true
+          exclude-managed-identity-credential: true
+          exclude-shared-token-cache-credential: true
+          exclude-visual-studio-credential: true
+          exclude-visual-studio-code-credential: true
+          exclude-azure-cli-credential: false
+          exclude-azure-powershell-credential: true
+          exclude-azure-developer-cli-credential: true
+          exclude-interactive-browser-credential: true
+
+      - name: Initialize data provider
+        run: ./sftpgo initprovider
+        shell: bash
+
+      - name: Prepare Release
+        run: |
+          mkdir output
+          copy .\sftpgo.exe .\output
+          copy .\sftpgo.json .\output
+          copy .\sftpgo.db .\output
+          copy .\LICENSE .\output\LICENSE.txt
+          copy .\NOTICE .\output\NOTICE.txt
+          mkdir output\templates
+          xcopy .\templates .\output\templates\ /E
+          mkdir output\static
+          xcopy .\static .\output\static\ /E
+          mkdir output\openapi
+          xcopy .\openapi .\output\openapi\ /E
+          iscc .\windows-installer\sftpgo.iss
+          rm .\output\sftpgo.exe
+          rm .\output\sftpgo.db
+          copy .\arm64\sftpgo.exe .\output
+          (Get-Content .\output\sftpgo.json).replace('"sqlite"', '"bolt"') | Set-Content .\output\sftpgo.json
+          $Env:SFTPGO_DATA_PROVIDER__DRIVER='bolt'
+          $Env:SFTPGO_DATA_PROVIDER__NAME='.\output\sftpgo.db'
+          .\sftpgo.exe initprovider
+          Remove-Item Env:\SFTPGO_DATA_PROVIDER__DRIVER
+          Remove-Item Env:\SFTPGO_DATA_PROVIDER__NAME
+          $Env:SFTPGO_ISS_ARCH='arm64'
+          iscc .\windows-installer\sftpgo.iss
+
+          rm .\output\sftpgo.exe
+          copy .\x86\sftpgo.exe .\output
+          $Env:SFTPGO_ISS_ARCH='x86'
+          iscc .\windows-installer\sftpgo.iss
+        env:
+          SFTPGO_ISS_VERSION: ${{ steps.get_version.outputs.VERSION }}
+
+      - name: Sign installers
+        uses: azure/trusted-signing-action@v0.5.0
+        with:
+          endpoint: https://eus.codesigning.azure.net/
+          trusted-signing-account-name: nicola
+          certificate-profile-name: SFTPGo
+          files: |
+            ${{ github.workspace }}\sftpgo_windows_x86_64.exe
+            ${{ github.workspace }}\sftpgo_windows_arm64.exe
+            ${{ github.workspace }}\sftpgo_windows_x86.exe
+          file-digest: SHA256
+          timestamp-rfc3161: http://timestamp.acs.microsoft.com
+          timestamp-digest: SHA256
+          exclude-environment-credential: true
+          exclude-workload-identity-credential: true
+          exclude-managed-identity-credential: true
+          exclude-shared-token-cache-credential: true
+          exclude-visual-studio-credential: true
+          exclude-visual-studio-code-credential: true
+          exclude-azure-cli-credential: false
+          exclude-azure-powershell-credential: true
+          exclude-azure-developer-cli-credential: true
+          exclude-interactive-browser-credential: true
+
+      - name: Prepare Portable Release
+        run: |
+          mkdir win-portable
+          copy .\sftpgo.exe .\win-portable
+          mkdir win-portable\arm64
+          copy .\arm64\sftpgo.exe .\win-portable\arm64
+          mkdir win-portable\x86
+          copy .\x86\sftpgo.exe .\win-portable\x86
+          copy .\sftpgo.json .\win-portable
+          (Get-Content .\win-portable\sftpgo.json).replace('"sqlite"', '"bolt"') | Set-Content .\win-portable\sftpgo.json
+          copy .\output\sftpgo.db .\win-portable
+          copy .\LICENSE .\win-portable\LICENSE.txt
+          copy .\NOTICE .\win-portable\NOTICE.txt
+          mkdir win-portable\templates
+          xcopy .\templates .\win-portable\templates\ /E
+          mkdir win-portable\static
+          xcopy .\static .\win-portable\static\ /E
+          mkdir win-portable\openapi
+          xcopy .\openapi .\win-portable\openapi\ /E
+          Compress-Archive .\win-portable\* sftpgo_portable.zip
+
+      - name: Upload Windows installer x86_64 artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_windows_x86_64.exe
+          path: ./sftpgo_windows_x86_64.exe
+          retention-days: 1
+
+      - name: Upload Windows installer arm64 artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_windows_arm64.exe
+          path: ./sftpgo_windows_arm64.exe
+          retention-days: 1
+
+      - name: Upload Windows installer x86 artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_windows_x86.exe
+          path: ./sftpgo_windows_x86.exe
+          retention-days: 1
+
+      - name: Upload Windows portable artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_windows_portable.zip
+          path: ./sftpgo_portable.zip
+          retention-days: 1
+
+  prepare-mac:
+    name: Prepare macOS binaries
+    runs-on: macos-12

    steps:
      - uses: actions/checkout@v4
@ -57,64 +241,24 @@ jobs:
        run: echo "VERSION=${GITHUB_REF/refs\/tags\//}" >> $GITHUB_OUTPUT
        shell: bash

-      - name: Get OS name
-        id: get_os_name
-        run: |
-          if [[ $MATRIX_OS =~ ^macos.* ]]
-          then
-            echo "OS=macOS" >> $GITHUB_OUTPUT
-          else
-            echo "OS=windows" >> $GITHUB_OUTPUT
-          fi
-        shell: bash
-        env:
-          MATRIX_OS: ${{ matrix.os }}
-
      - name: Build for macOS x86_64
-        if: startsWith(matrix.os, 'windows-') != true
-        run: go build -trimpath -tags nopgxregisterdefaulttypes -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
+        run: go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo

      - name: Build for macOS arm64
-        if: startsWith(matrix.os, 'macos-') == true
-        run: CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 SDKROOT=$(xcrun --sdk macosx --show-sdk-path) go build -trimpath -tags nopgxregisterdefaulttypes -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo_arm64
-
-      - name: Build for Windows
-        if: startsWith(matrix.os, 'windows-')
-        run: |
-          $GIT_COMMIT = (git describe --always --abbrev=8 --dirty) | Out-String
-          $DATE_TIME = ([datetime]::Now.ToUniversalTime().toString("yyyy-MM-ddTHH:mm:ssZ")) | Out-String
-          $FILE_VERSION = $Env:SFTPGO_VERSION.substring(1)  + ".0"
-          go install github.com/tc-hib/go-winres@latest
-          go-winres simply --arch amd64 --product-version $Env:SFTPGO_VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo server" --product-name SFTPGo --copyright "AGPL-3.0" --original-filename sftpgo.exe --icon  .\windows-installer\icon.ico
-          go build -trimpath -tags nopgxregisterdefaulttypes -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME" -o sftpgo.exe
-          mkdir arm64
-          $Env:CGO_ENABLED='0'
-          $Env:GOOS='windows'
-          $Env:GOARCH='arm64'
-          go-winres simply --arch arm64 --product-version $Env:SFTPGO_VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo server" --product-name SFTPGo --copyright "AGPL-3.0" --original-filename sftpgo.exe --icon  .\windows-installer\icon.ico
-          go build -trimpath -tags nopgxregisterdefaulttypes,nosqlite -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME" -o .\arm64\sftpgo.exe
-          mkdir x86
-          $Env:GOARCH='386'
-          go-winres simply --arch 386 --product-version $Env:SFTPGO_VERSION-$GIT_COMMIT --file-version $FILE_VERSION --file-description "SFTPGo server" --product-name SFTPGo --copyright "AGPL-3.0" --original-filename sftpgo.exe --icon  .\windows-installer\icon.ico
-          go build -trimpath -tags nopgxregisterdefaulttypes,nosqlite -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=$GIT_COMMIT -X github.com/drakkan/sftpgo/v2/internal/version.date=$DATE_TIME" -o .\x86\sftpgo.exe
-          Remove-Item Env:\CGO_ENABLED
-          Remove-Item Env:\GOOS
-          Remove-Item Env:\GOARCH
-        env:
-          SFTPGO_VERSION: ${{ steps.get_version.outputs.VERSION }}
+        run: CGO_ENABLED=1 GOOS=darwin GOARCH=arm64 SDKROOT=$(xcrun --sdk macosx --show-sdk-path) go build -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=`git describe --always --abbrev=8 --dirty` -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo_arm64

      - name: Initialize data provider
        run: ./sftpgo initprovider
        shell: bash

-      - name: Prepare Release for macOS
-        if: startsWith(matrix.os, 'macos-')
+      - name: Prepare Release
        run: |
          mkdir -p output/{init,sqlite,bash_completion,zsh_completion}
          echo "For documentation please take a look here:" > output/README.txt
          echo "" >> output/README.txt
-          echo "https://github.com/drakkan/sftpgo/blob/${SFTPGO_VERSION}/README.md" >> output/README.txt
+          echo "https://docs.sftpgo.com" >> output/README.txt
          cp LICENSE output/
+          cp NOTICE output/
          cp sftpgo output/
          cp sftpgo.json output/
          cp sftpgo.db output/sqlite/
@ -127,130 +271,27 @@ jobs:
          ./sftpgo gen man -d output/man/man1
          gzip output/man/man1/*
          cd output
-          tar cJvf ../sftpgo_${SFTPGO_VERSION}_${OS}_x86_64.tar.xz *
+          tar cJvf ../sftpgo_${SFTPGO_VERSION}_macOS_x86_64.tar.xz *
          cd ..
          cp sftpgo_arm64 output/sftpgo
          cd output
-          tar cJvf ../sftpgo_${SFTPGO_VERSION}_${OS}_arm64.tar.xz *
+          tar cJvf ../sftpgo_${SFTPGO_VERSION}_macOS_arm64.tar.xz *
          cd ..
        env:
          SFTPGO_VERSION: ${{ steps.get_version.outputs.VERSION }}
-          OS: ${{ steps.get_os_name.outputs.OS }}
-
-      - name: Prepare Release for Windows
-        if: startsWith(matrix.os, 'windows-')
-        run: |
-          mkdir output
-          copy .\sftpgo.exe .\output
-          copy .\sftpgo.json .\output
-          copy .\sftpgo.db .\output
-          copy .\LICENSE .\output\LICENSE.txt
-          mkdir output\templates
-          xcopy .\templates .\output\templates\ /E
-          mkdir output\static
-          xcopy .\static .\output\static\ /E
-          mkdir output\openapi
-          xcopy .\openapi .\output\openapi\ /E
-          $CERT_PATH=(Get-Location -PSProvider FileSystem).ProviderPath + "\cert.pfx"
-          [IO.File]::WriteAllBytes($CERT_PATH,[System.Convert]::FromBase64String($Env:CERT_DATA))
-          certutil -f -p "$Env:CERT_PASS" -importpfx MY "$CERT_PATH"
-          rm "$CERT_PATH"
-          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\sftpgo.exe
-          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\arm64\sftpgo.exe
-          & 'C:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe' sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n "Nicola Murino" /d "SFTPGo" .\x86\sftpgo.exe
-          $INNO_S='/Ssigntool=$qC:/Program Files (x86)/Windows Kits/10/bin/10.0.20348.0/x86/signtool.exe$q sign /sm /tr http://timestamp.sectigo.com /td sha256 /fd sha256 /n $qNicola Murino$q /d $qSFTPGo$q $f'
-          iscc "$INNO_S" .\windows-installer\sftpgo.iss
-
-          rm .\output\sftpgo.exe
-          rm .\output\sftpgo.db
-          copy .\arm64\sftpgo.exe .\output
-          (Get-Content .\output\sftpgo.json).replace('"sqlite"', '"bolt"') | Set-Content .\output\sftpgo.json
-          $Env:SFTPGO_DATA_PROVIDER__DRIVER='bolt'
-          $Env:SFTPGO_DATA_PROVIDER__NAME='.\output\sftpgo.db'
-          .\sftpgo.exe initprovider
-          Remove-Item Env:\SFTPGO_DATA_PROVIDER__DRIVER
-          Remove-Item Env:\SFTPGO_DATA_PROVIDER__NAME
-          $Env:SFTPGO_ISS_ARCH='arm64'
-          iscc "$INNO_S" .\windows-installer\sftpgo.iss
-
-          rm .\output\sftpgo.exe
-          copy .\x86\sftpgo.exe .\output
-          $Env:SFTPGO_ISS_ARCH='x86'
-          iscc "$INNO_S" .\windows-installer\sftpgo.iss
-          certutil -delstore MY "Nicola Murino"
-        env:
-          SFTPGO_ISS_VERSION: ${{ steps.get_version.outputs.VERSION }}
-          SFTPGO_ISS_DOC_URL: https://github.com/drakkan/sftpgo/blob/${{ steps.get_version.outputs.VERSION }}/README.md
-          CERT_DATA: ${{ secrets.CERT_DATA }}
-          CERT_PASS: ${{ secrets.CERT_PASS }}
-
-      - name: Prepare Portable Release for Windows
-        if: startsWith(matrix.os, 'windows-')
-        run: |
-          mkdir win-portable
-          copy .\sftpgo.exe .\win-portable
-          mkdir win-portable\arm64
-          copy .\arm64\sftpgo.exe .\win-portable\arm64
-          mkdir win-portable\x86
-          copy .\x86\sftpgo.exe .\win-portable\x86
-          copy .\sftpgo.json .\win-portable
-          (Get-Content .\win-portable\sftpgo.json).replace('"sqlite"', '"bolt"') | Set-Content .\win-portable\sftpgo.json
-          copy .\output\sftpgo.db .\win-portable
-          copy .\LICENSE .\win-portable\LICENSE.txt
-          mkdir win-portable\templates
-          xcopy .\templates .\win-portable\templates\ /E
-          mkdir win-portable\static
-          xcopy .\static .\win-portable\static\ /E
-          mkdir win-portable\openapi
-          xcopy .\openapi .\win-portable\openapi\ /E
-          Compress-Archive .\win-portable\* sftpgo_portable.zip

      - name: Upload macOS x86_64 artifact
-        if: startsWith(matrix.os, 'macos-')
        uses: actions/upload-artifact@v4
        with:
-          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_x86_64.tar.xz
-          path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_x86_64.tar.xz
+          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_macOS_x86_64.tar.xz
+          path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_macOS_x86_64.tar.xz
          retention-days: 1

      - name: Upload macOS arm64 artifact
-        if: startsWith(matrix.os, 'macos-')
        uses: actions/upload-artifact@v4
        with:
-          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_arm64.tar.xz
-          path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_arm64.tar.xz
-          retention-days: 1
-
-      - name: Upload Windows installer x86_64 artifact
-        if: startsWith(matrix.os, 'windows-')
-        uses: actions/upload-artifact@v4
-        with:
-          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_x86_64.exe
-          path: ./sftpgo_windows_x86_64.exe
-          retention-days: 1
-
-      - name: Upload Windows installer arm64 artifact
-        if: startsWith(matrix.os, 'windows-')
-        uses: actions/upload-artifact@v4
-        with:
-          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_arm64.exe
-          path: ./sftpgo_windows_arm64.exe
-          retention-days: 1
-
-      - name: Upload Windows installer x86 artifact
-        if: startsWith(matrix.os, 'windows-')
-        uses: actions/upload-artifact@v4
-        with:
-          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_x86.exe
-          path: ./sftpgo_windows_x86.exe
-          retention-days: 1
-
-      - name: Upload Windows portable artifact
-        if: startsWith(matrix.os, 'windows-')
-        uses: actions/upload-artifact@v4
-        with:
-          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_${{ steps.get_os_name.outputs.OS }}_portable.zip
-          path: ./sftpgo_portable.zip
+          name: sftpgo_${{ steps.get_version.outputs.VERSION }}_macOS_arm64.tar.xz
+          path: ./sftpgo_${{ steps.get_version.outputs.VERSION }}_macOS_arm64.tar.xz
          retention-days: 1

  prepare-linux:
@ -310,7 +351,7 @@ jobs:
          echo 'export PATH=$PATH:/usr/local/go/bin' >> build.sh
          echo 'go version' >> build.sh
          echo 'cd /usr/local/src' >> build.sh
-          echo 'go build -buildvcs=false -trimpath -tags nopgxregisterdefaulttypes -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${{ steps.get_version.outputs.COMMIT }} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo' >> build.sh
+          echo 'go build -buildvcs=false -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${{ steps.get_version.outputs.COMMIT }} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo' >> build.sh

          chmod 755 build.sh
          docker run --rm --name ubuntu-build --mount type=bind,source=`pwd`,target=/usr/local/src ${{ matrix.distro }} /usr/local/src/build.sh
@ -319,6 +360,7 @@ jobs:
          echo "" >> output/README.txt
          echo "https://github.com/drakkan/sftpgo/blob/${SFTPGO_VERSION}/README.md" >> output/README.txt
          cp LICENSE output/
+          cp NOTICE output/
          cp sftpgo.json output/
          cp -r templates output/
          cp -r static output/
@ -362,12 +404,13 @@ jobs:
          run: |
            export PATH=$PATH:/usr/local/go/bin
            go version
-            go build -buildvcs=false -trimpath -tags nopgxregisterdefaulttypes -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${{ steps.get_version.outputs.COMMIT }} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
+            go build -buildvcs=false -trimpath -tags nopgxregisterdefaulttypes,disable_grpc_modules -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${{ steps.get_version.outputs.COMMIT }} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -o sftpgo
            mkdir -p output/{init,sqlite,bash_completion,zsh_completion}
            echo "For documentation please take a look here:" > output/README.txt
            echo "" >> output/README.txt
            echo "https://github.com/drakkan/sftpgo/blob/${{ steps.get_version.outputs.SFTPGO_VERSION }}/README.md" >> output/README.txt
            cp LICENSE output/
+            cp NOTICE output/
            cp sftpgo.json output/
            cp -r templates output/
            cp -r static output/
@ -475,7 +518,7 @@ jobs:

  create-release:
    name: Release
-    needs: [prepare-linux-bundle, prepare-sources-with-deps, prepare-window-mac]
+    needs: [prepare-linux-bundle, prepare-sources-with-deps, prepare-mac, prepare-windows]
    runs-on: ubuntu-latest

    steps:
--- a/4
+++ b/4
@ -1,4 +1,4 @@
-FROM golang:1.22-bookworm as builder
+FROM golang:1.23-bookworm AS builder

 ENV GOFLAGS="-mod=readonly"

@ -10,7 +10,7 @@ WORKDIR /workspace
 ARG GOPROXY

 COPY go.mod go.sum ./
-RUN go mod download
+RUN go mod download && go mod verify

 ARG COMMIT_SHA

--- a/Dockerfile.alpine
+++ b/Dockerfile.alpine
@ -1,4 +1,4 @@
-FROM golang:1.22-alpine3.19 AS builder
+FROM golang:1.23-alpine3.21 AS builder

 ENV GOFLAGS="-mod=readonly"

@ -10,7 +10,7 @@ WORKDIR /workspace
 ARG GOPROXY

 COPY go.mod go.sum ./
-RUN go mod download
+RUN go mod download && go mod verify

 ARG COMMIT_SHA

@ -25,7 +25,7 @@ RUN set -xe && \
    export COMMIT_SHA=${COMMIT_SHA:-$(git describe --always --abbrev=8 --dirty)} && \
    go build $(if [ -n "${FEATURES}" ]; then echo "-tags ${FEATURES}"; fi) -trimpath -ldflags "-s -w -X github.com/drakkan/sftpgo/v2/internal/version.commit=${COMMIT_SHA} -X github.com/drakkan/sftpgo/v2/internal/version.date=`date -u +%FT%TZ`" -v -o sftpgo

-FROM alpine:3.19
+FROM alpine:3.21

 # Set to "true" to install jq and the optional git and rsync dependencies
 ARG INSTALL_OPTIONAL_PACKAGES=false
--- a/Dockerfile.distroless
+++ b/Dockerfile.distroless
@ -1,4 +1,4 @@
-FROM golang:1.22-bookworm as builder
+FROM golang:1.23-bookworm AS builder

 ENV CGO_ENABLED=0 GOFLAGS="-mod=readonly"

@ -10,7 +10,7 @@ WORKDIR /workspace
 ARG GOPROXY

 COPY go.mod go.sum ./
-RUN go mod download
+RUN go mod download && go mod verify

 ARG COMMIT_SHA

--- a/12
+++ b/12
@ -0,0 +1,12 @@
+Additional terms under GNU AGPL version 3 section 7.3(b) and 13.1:
+
+If you have included SFTPGo so that it is offered through any network
+interactions, including by means of an external user interface, or
+any other integration, even without modifying its source code and then
+SFTPGo is partially, fully or optionally configured via your frontend,
+you must provide reasonable but clear attribution to the SFTPGo project
+and its author(s), not imply any endorsement by or affiliation with the
+SFTPGo project, and you must prominently offer all users interacting
+with it remotely through a computer network an opportunity to receive
+the Corresponding Source of the SFTPGo version you include by providing
+a link to the Corresponding Source in the SFTPGo source code repository.
--- a/README.md
+++ b/README.md
@ -19,13 +19,9 @@ The WebClient UI allows end users to change their credentials, browse and manage

 We strongly believe in Open Source software model, so we decided to make SFTPGo available to everyone, but maintaining and evolving SFTPGo takes a lot of time and work. To make development and maintenance sustainable you should consider to support the project with a [sponsorship](https://github.com/sponsors/drakkan).

-We also provide [professional services](https://sftpgo.com/#pricing) to support you in using SFTPGo to the fullest.
+We love doing the work and we'd like to keep doing it - your support helps make SFTPGo possible.

-The open source license grant you freedom but not assurance of help. So why would you rely on free software without support or any guarantee it will stay healthy and maintained for the upcoming years?
-
-Supporting the project benefit businesses and the community because if the project is financially sustainable, using this business model, we don't have to restrict features and/or switch to an [Open-core](https://en.wikipedia.org/wiki/Open-core_model) model. The technology stays truly open source. Everyone wins.
-
-You should support the project for its ongoing maintenance, even if you don't have any questions or need new features. If SFTPGo is no longer maintained you will have troubles and your company will lose money: bugs and security vulnerabilities will no longer be fixed, new algorithms will not be added to support newer clients, and so on. You will be forced to switch to a similar proprietary product and pay for its license and the migration cost.
+It is important to understand that you should support SFTPGo and any other Open Source project you rely on for ongoing maintenance, even if you don't have any questions or need new features, to mitigate the business risk of a project you depend on going unmaintained, with its security and development velocity implications.

 ### Thank you to our sponsors

@ -47,21 +43,30 @@ You should support the project for its ongoing maintenance, even if you don't ha
 </br></br>
 [<img src="./img/vps2day.png" alt="VPS2day logo" width="234" height="56">](https://www.vps2day.com/)

-## Support policy
+## Support

-You can use SFTPGo for free, respecting the obligations of the Open Source license, but please do not ask or expect free support as well.
+You can use SFTPGo for free, respecting the obligations of the Open Source [license](#license), but please do not ask or expect free support as well.

 Use [discussions](https://github.com/drakkan/sftpgo/discussions) to ask questions and get support from the community.

-If you report an invalid issue and/or ask for step-by-step support, your issue will be closed as invalid without further explanation. Invalid bug reports left open may confuse other users. Thanks for understanding.
+We offer commercial support, guarantees, and advice for SFTPGo:
+
+- With our [plans](https://sftpgo.com/plans) you can safely install and use SFTPGo on-premise in professional environments.
+- With our [SaaS offerings](https://sftpgo.com/saas) you can use SFTPGo hosted in the cloud, fully managed and supported.

 ## Documentation

-You can read more about supported features and documentation at [sftpgo.github.io](https://sftpgo.github.io/).
+You can read more about supported features and documentation at [docs.sftpgo.com](https://docs.sftpgo.com/).
+
+## Internationalization
+
+The translations are available via [Crowdin](https://crowdin.com/project/sftpgo), who have granted us an open source license.
+
+Before start translating please take a look at our contribution [guidelines](https://sftpgo.github.io/latest/web-interfaces/#internationalization).

 ## Release Cadence

-SFTPGo releases are feature-driven, we don't have a fixed time based schedule. As a rough estimate, you can expect 1 or 2 new releases per year.
+SFTPGo releases are feature-driven, we don't have a fixed time based schedule. As a rough estimate, you can expect 1 or 2 new major releases per year and several bug fix releases.

 ## Acknowledgements

@ -79,7 +84,7 @@ Thank you to [Incode](https://www.incode.it/) for helping us to improve the UI/U

 ## License

-SFTPGo source code is licensed under the GNU AGPL-3.0-only.
+SFTPGo source code is licensed under the GNU AGPL-3.0-only with [additional terms](./NOTICE).

 The [theme](https://keenthemes.com/products/templates-mega-bundle) used in WebAdmin and WebClient user interfaces is proprietary, this means:

--- a/examples/backup/README.md
+++ b/examples/backup/README.md
@ -1,6 +1,6 @@
 # Data Backup

-:warning: Since v2.4.0 you can use the [EventManager](https://sftpgo.github.io/latest/eventmanager/) to schedule backups.
+:warning: Since v2.4.0 you can use the [EventManager](https://docs.sftpgo.com/latest/eventmanager/) to schedule backups.

 The `backup` example script shows how to use the SFTPGo REST API to backup your data.

--- a/examples/data-retention/README.md
+++ b/examples/data-retention/README.md
@ -1,6 +1,6 @@
 # File retention policies

-:warning: Since v2.4.0 you can use the [EventManager](https://sftpgo.github.io/latest/eventmanager/) to schedule data retention checks.
+:warning: Since v2.4.0 you can use the [EventManager](https://docs.sftpgo.com/latest/eventmanager/) to schedule data retention checks.

 The `checkretention` example script shows how to use the SFTPGo REST API to manage data retention.

--- a/examples/ldapauth/go.mod
+++ b/examples/ldapauth/go.mod
@ -4,12 +4,12 @@ go 1.22.2

 require (
 	github.com/go-ldap/ldap/v3 v3.4.8
-	golang.org/x/crypto v0.23.0
+	golang.org/x/crypto v0.31.0
 )

 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	golang.org/x/sys v0.20.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 )
--- a/examples/ldapauth/go.sum
+++ b/examples/ldapauth/go.sum
@ -45,8 +45,8 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@ -71,16 +71,16 @@ golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
-golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
--- a/examples/ldapauthserver/go.mod
+++ b/examples/ldapauthserver/go.mod
@ -3,41 +3,41 @@ module github.com/drakkan/sftpgo/ldapauthserver
 go 1.22.2

 require (
-	github.com/go-chi/chi/v5 v5.0.12
+	github.com/go-chi/chi/v5 v5.1.0
 	github.com/go-chi/render v1.0.3
 	github.com/go-ldap/ldap/v3 v3.4.8
 	github.com/nathanaelle/password/v2 v2.0.1
-	github.com/rs/zerolog v1.32.0
-	github.com/spf13/cobra v1.8.0
-	github.com/spf13/viper v1.18.2
-	golang.org/x/crypto v0.23.0
+	github.com/rs/zerolog v1.33.0
+	github.com/spf13/cobra v1.8.1
+	github.com/spf13/viper v1.19.0
+	golang.org/x/crypto v0.31.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 )

 require (
 	github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
 	github.com/ajg/form v1.5.1 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
 	github.com/go-asn1-ber/asn1-ber v1.5.7 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/magiconair/properties v1.8.9 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
-	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/sagikazarmark/locafero v0.6.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
 	github.com/spf13/afero v1.11.0 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/cast v1.7.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
-	golang.org/x/sys v0.20.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
+	golang.org/x/exp v0.0.0-20241210194714-1829a127f884 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/examples/ldapauthserver/go.sum
+++ b/examples/ldapauthserver/go.sum
@ -5,20 +5,20 @@ github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa h1:LHTHcTQiSGT7VVbI0o4wBRNQIgn917usHWOd6VAffYI=
 github.com/alexbrainman/sspi v0.0.0-20231016080023-1a75b4708caa/go.mod h1:cEWa1LVoE5KvSD9ONXsZrj0z6KqySlCCNKHlLzbqAt4=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/go-asn1-ber/asn1-ber v1.5.5/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
 github.com/go-asn1-ber/asn1-ber v1.5.7 h1:DTX+lbVTWaTw1hQ+PbZPlnDZPEIs0SS/GCZAl535dDk=
 github.com/go-asn1-ber/asn1-ber v1.5.7/go.mod h1:hEBeB/ic+5LoWskz+yKT7vGhhPYkProFKoKdwZRWMe0=
-github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s=
-github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
+github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
 github.com/go-ldap/ldap/v3 v3.4.8 h1:loKJyspcRezt2Q3ZRMq2p/0v8iOurlmeXDPw6fikSvQ=
@ -53,8 +53,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
-github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
+github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM=
+github.com/magiconair/properties v1.8.9/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
 github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
@ -65,8 +65,8 @@ github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyua
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/nathanaelle/password/v2 v2.0.1 h1:ItoCTdsuIWzilYmllQPa3DR3YoCXcpfxScWLqr8Ii2s=
 github.com/nathanaelle/password/v2 v2.0.1/go.mod h1:eaoT+ICQEPNtikBRIAatN8ThWwMhVG+r1jTw60BvPJk=
-github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
-github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
@ -74,34 +74,32 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
 github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
-github.com/rs/zerolog v1.32.0 h1:keLypqrlIjaFsbmJOBdB/qvyF8KEtCWHwobLp5l/mQ0=
-github.com/rs/zerolog v1.32.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
+github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ=
-github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
+github.com/sagikazarmark/locafero v0.6.0 h1:ON7AQg37yzcRPU69mt7gwhFEBwxI6P9T4Qu3N51bwOk=
+github.com/sagikazarmark/locafero v0.6.0/go.mod h1:77OmuIc6VTraTXKXIs/uvUxKGUXjE1GbemJYHqdNjX0=
 github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
 github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
 github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
-github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
-github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
+github.com/spf13/cast v1.7.0 h1:ntdiHjuueXFgm5nzDRdOS4yfT43P5Fnud6DH50rz/7w=
+github.com/spf13/cast v1.7.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=
-github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk=
+github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI=
+github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
@ -115,10 +113,10 @@ golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5y
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.21.0/go.mod h1:0BP7YvVV9gBbVKyeTG0Gyn+gZm94bibOW5BjDEYAOMs=
-golang.org/x/crypto v0.23.0 h1:dIJU/v2J8Mdglj/8rJ6UUOM3Zc9zLZxVZwwxMooUSAI=
-golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
+golang.org/x/crypto v0.31.0 h1:ihbySMvVjLAeSH1IbfcRTkD/iNscyz8rGzjF/E5hV6U=
+golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/exp v0.0.0-20241210194714-1829a127f884 h1:Y/Mj/94zIQQGHVSv1tTtQBDaQaJe62U9bkDZKKyhPCU=
+golang.org/x/exp v0.0.0-20241210194714-1829a127f884/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
@ -130,8 +128,9 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.22.0 h1:9sGLhx7iRIHEiX0oAJ3MRZMUCElJgy7Br1nO+AMN3Tc=
 golang.org/x/net v0.22.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
+golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
+golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@ -148,24 +147,24 @@ golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
-golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
 golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
-golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
-golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
-golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
--- a/examples/quotascan/README.md
+++ b/examples/quotascan/README.md
@ -1,6 +1,6 @@
 # Update user quota

-:warning: Since v2.4.0 you can use the [EventManager](https://sftpgo.github.io/latest/eventmanager/) to schedule quota scans.
+:warning: Since v2.4.0 you can use the [EventManager](https://docs.sftpgo.com/latest/eventmanager/) to schedule quota scans.

 The `scanuserquota` example script shows how to use the SFTPGo REST API to update the users' quota.

--- a/go.mod
+++ b/go.mod
@ -1,190 +1,203 @@
 module github.com/drakkan/sftpgo/v2

-go 1.22.2
+go 1.22.7

 require (
-	cloud.google.com/go/storage v1.41.0
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1
-	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.2
+	cloud.google.com/go/storage v1.49.0
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0
 	github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5
 	github.com/alexedwards/argon2id v1.0.0
 	github.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964
-	github.com/aws/aws-sdk-go-v2 v1.26.1
-	github.com/aws/aws-sdk-go-v2/config v1.27.13
-	github.com/aws/aws-sdk-go-v2/credentials v1.17.13
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.18
-	github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.21.5
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.54.0
-	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.7
-	github.com/aws/aws-sdk-go-v2/service/sts v1.28.7
-	github.com/bmatcuk/doublestar/v4 v4.6.1
+	github.com/aws/aws-sdk-go-v2 v1.32.7
+	github.com/aws/aws-sdk-go-v2/config v1.28.7
+	github.com/aws/aws-sdk-go-v2/credentials v1.17.48
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.22
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.44
+	github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.25.8
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.71.1
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.8
+	github.com/aws/aws-sdk-go-v2/service/sts v1.33.3
+	github.com/bmatcuk/doublestar/v4 v4.7.1
 	github.com/cockroachdb/cockroach-go/v2 v2.3.8
-	github.com/coreos/go-oidc/v3 v3.10.0
-	github.com/drakkan/webdav v0.0.0-20240503091431-218ec83910bb
+	github.com/coreos/go-oidc/v3 v3.11.0
+	github.com/drakkan/webdav v0.0.0-20241026165615-b8b8f74ae71b
 	github.com/eikenb/pipeat v0.0.0-20210730190139-06b3e6902001
-	github.com/fclairamb/ftpserverlib v0.24.0
+	github.com/fclairamb/ftpserverlib v0.25.0
 	github.com/fclairamb/go-log v0.5.0
-	github.com/go-acme/lego/v4 v4.16.1
-	github.com/go-chi/chi/v5 v5.0.12
-	github.com/go-chi/jwtauth/v5 v5.3.1
+	github.com/go-acme/lego/v4 v4.21.0
+	github.com/go-chi/chi/v5 v5.2.0
+	github.com/go-chi/jwtauth/v5 v5.3.2
 	github.com/go-chi/render v1.0.3
 	github.com/go-sql-driver/mysql v1.8.1
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-hclog v1.6.3
-	github.com/hashicorp/go-plugin v1.6.1
-	github.com/hashicorp/go-retryablehttp v0.7.6
-	github.com/jackc/pgx/v5 v5.5.5
+	github.com/hashicorp/go-plugin v1.6.2
+	github.com/hashicorp/go-retryablehttp v0.7.7
+	github.com/jackc/pgx/v5 v5.7.2
 	github.com/jlaffaye/ftp v0.2.0
-	github.com/klauspost/compress v1.17.8
-	github.com/lestrrat-go/jwx/v2 v2.0.21
-	github.com/lithammer/shortuuid/v3 v3.0.7
-	github.com/mattn/go-sqlite3 v1.14.22
+	github.com/klauspost/compress v1.17.11
+	github.com/lestrrat-go/jwx/v2 v2.1.3
+	github.com/lithammer/shortuuid/v4 v4.2.0
+	github.com/mattn/go-sqlite3 v1.14.24
 	github.com/mhale/smtpd v0.8.3
-	github.com/minio/sio v0.3.1
+	github.com/minio/sio v0.4.1
 	github.com/otiai10/copy v1.14.0
-	github.com/pires/go-proxyproto v0.7.0
-	github.com/pkg/sftp v1.13.7-0.20240410063531-637088883317
+	github.com/pires/go-proxyproto v0.8.0
+	github.com/pkg/sftp v1.13.7
 	github.com/pquerna/otp v1.4.0
-	github.com/prometheus/client_golang v1.19.1
+	github.com/prometheus/client_golang v1.20.5
 	github.com/robfig/cron/v3 v3.0.1
-	github.com/rs/cors v1.11.0
-	github.com/rs/xid v1.5.0
-	github.com/rs/zerolog v1.32.0
-	github.com/sftpgo/sdk v0.1.7
-	github.com/shirou/gopsutil/v3 v3.24.4
+	github.com/rs/cors v1.11.1
+	github.com/rs/xid v1.6.0
+	github.com/rs/zerolog v1.33.0
+	github.com/sftpgo/sdk v0.1.9-0.20241011171103-64fc18a344f9
+	github.com/shirou/gopsutil/v3 v3.24.5
 	github.com/spf13/afero v1.11.0
-	github.com/spf13/cobra v1.8.0
-	github.com/spf13/viper v1.18.2
-	github.com/stretchr/testify v1.9.0
-	github.com/studio-b12/gowebdav v0.9.0
+	github.com/spf13/cobra v1.8.1
+	github.com/spf13/viper v1.19.0
+	github.com/stretchr/testify v1.10.0
+	github.com/studio-b12/gowebdav v0.10.0
 	github.com/subosito/gotenv v1.6.0
-	github.com/unrolled/secure v1.14.0
+	github.com/unrolled/secure v1.17.0
 	github.com/wagslane/go-password-validator v0.3.0
-	github.com/wneessen/go-mail v0.4.1
+	github.com/wneessen/go-mail v0.5.2
 	github.com/yl2chen/cidranger v1.0.3-0.20210928021809-d1cb2c52f37a
-	go.etcd.io/bbolt v1.3.10
-	go.uber.org/automaxprocs v1.5.3
-	gocloud.dev v0.37.0
-	golang.org/x/crypto v0.23.0
-	golang.org/x/net v0.25.0
-	golang.org/x/oauth2 v0.20.0
-	golang.org/x/sys v0.20.0
-	golang.org/x/term v0.20.0
-	golang.org/x/time v0.5.0
-	google.golang.org/api v0.180.0
+	go.etcd.io/bbolt v1.3.11
+	go.uber.org/automaxprocs v1.6.0
+	gocloud.dev v0.40.0
+	golang.org/x/crypto v0.31.0
+	golang.org/x/net v0.33.0
+	golang.org/x/oauth2 v0.24.0
+	golang.org/x/sys v0.28.0
+	golang.org/x/term v0.27.0
+	golang.org/x/time v0.8.0
+	google.golang.org/api v0.214.0
 	gopkg.in/natefinch/lumberjack.v2 v2.2.1
 )

 require (
-	cloud.google.com/go v0.113.0 // indirect
-	cloud.google.com/go/auth v0.4.1 // indirect
-	cloud.google.com/go/auth/oauth2adapt v0.2.2 // indirect
-	cloud.google.com/go/compute/metadata v0.3.0 // indirect
-	cloud.google.com/go/iam v1.1.8 // indirect
+	cel.dev/expr v0.19.1 // indirect
+	cloud.google.com/go v0.117.0 // indirect
+	cloud.google.com/go/auth v0.13.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.6 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
+	cloud.google.com/go/iam v1.3.0 // indirect
+	cloud.google.com/go/monitoring v1.22.0 // indirect
 	filippo.io/edwards25519 v1.1.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 // indirect
+	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0 // indirect
 	github.com/ajg/form v1.5.1 // indirect
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.20.6 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.0 // indirect
-	github.com/aws/smithy-go v1.20.2 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.26 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.26 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.7 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.24.8 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.7 // indirect
+	github.com/aws/smithy-go v1.22.1 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
-	github.com/boombuler/barcode v1.0.1 // indirect
+	github.com/boombuler/barcode v1.0.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/census-instrumentation/opencensus-proto v0.4.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/cncf/xds/go v0.0.0-20241213214725-57cfbe6fad57 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.4 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 // indirect
-	github.com/fatih/color v1.17.0 // indirect
+	github.com/envoyproxy/go-control-plane v0.13.1 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.1.0 // indirect
+	github.com/fatih/color v1.18.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/fsnotify/fsnotify v1.7.0 // indirect
-	github.com/go-jose/go-jose/v4 v4.0.2 // indirect
-	github.com/go-logr/logr v1.4.1 // indirect
+	github.com/fsnotify/fsnotify v1.8.0 // indirect
+	github.com/go-jose/go-jose/v4 v4.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.3.0 // indirect
-	github.com/goccy/go-json v0.10.2 // indirect
-	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
+	github.com/goccy/go-json v0.10.4 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
-	github.com/google/s2a-go v0.1.7 // indirect
-	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
-	github.com/googleapis/gax-go/v2 v2.12.4 // indirect
+	github.com/google/s2a-go v0.1.8 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/yamux v0.1.1 // indirect
+	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
-	github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9 // indirect
-	github.com/jackc/puddle/v2 v2.2.1 // indirect
-	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
+	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/kr/fs v0.1.0 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
-	github.com/lestrrat-go/httprc v1.0.5 // indirect
+	github.com/lestrrat-go/httprc v1.0.6 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
 	github.com/lestrrat-go/option v1.0.1 // indirect
-	github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae // indirect
-	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 // indirect
+	github.com/magiconair/properties v1.8.9 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/miekg/dns v1.1.59 // indirect
-	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
+	github.com/miekg/dns v1.1.62 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
+	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/oklog/run v1.1.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.53.0 // indirect
-	github.com/prometheus/procfs v0.15.0 // indirect
+	github.com/prometheus/common v0.61.0 // indirect
+	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/locafero v0.6.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/shoenig/go-m1cpu v0.1.6 // indirect
 	github.com/sourcegraph/conc v0.3.0 // indirect
-	github.com/spf13/cast v1.6.0 // indirect
+	github.com/spf13/cast v1.7.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/tklauser/go-sysconf v0.3.14 // indirect
-	github.com/tklauser/numcpus v0.8.0 // indirect
+	github.com/tklauser/numcpus v0.9.0 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0 // indirect
-	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 // indirect
-	go.opentelemetry.io/otel v1.26.0 // indirect
-	go.opentelemetry.io/otel/metric v1.26.0 // indirect
-	go.opentelemetry.io/otel/trace v1.26.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/detectors/gcp v1.33.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 // indirect
+	go.opentelemetry.io/otel v1.33.0 // indirect
+	go.opentelemetry.io/otel/metric v1.33.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.33.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.33.0 // indirect
+	go.opentelemetry.io/otel/trace v1.33.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 // indirect
-	golang.org/x/mod v0.17.0 // indirect
-	golang.org/x/sync v0.7.0 // indirect
-	golang.org/x/text v0.15.0 // indirect
-	golang.org/x/tools v0.21.0 // indirect
-	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
-	google.golang.org/genproto v0.0.0-20240513163218-0867130af1f8 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 // indirect
-	google.golang.org/grpc v1.64.0 // indirect
-	google.golang.org/protobuf v1.34.1 // indirect
+	golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 // indirect
+	golang.org/x/mod v0.22.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
+	golang.org/x/tools v0.28.0 // indirect
+	golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da // indirect
+	google.golang.org/genproto v0.0.0-20241219192143-6b3ec007d9bb // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20241219192143-6b3ec007d9bb // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241219192143-6b3ec007d9bb // indirect
+	google.golang.org/grpc v1.69.2 // indirect
+	google.golang.org/protobuf v1.36.0 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

 replace (
-	github.com/fclairamb/ftpserverlib => github.com/drakkan/ftpserverlib v0.0.0-20240510125431-4617586dfa1c
+	github.com/fclairamb/ftpserverlib => github.com/drakkan/ftpserverlib v0.0.0-20240603150004-6a8f643fbf2e
 	github.com/jlaffaye/ftp => github.com/drakkan/ftp v0.0.0-20240430173938-7ba8270c8e7f
 	github.com/robfig/cron/v3 => github.com/drakkan/cron/v3 v3.0.0-20230222140221-217a1e4d96c0
-	golang.org/x/crypto => github.com/drakkan/crypto v0.0.0-20240509175024-33071fb6437f
+	golang.org/x/crypto => github.com/drakkan/crypto v0.0.0-20241215104834-a9cd4736223d
 )
--- a/go.sum
+++ b/go.sum
@ -1,116 +1,131 @@
+cel.dev/expr v0.19.1 h1:NciYrtDRIR0lNCnH1LFJegdjspNx9fI59O7TWcua/W4=
+cel.dev/expr v0.19.1/go.mod h1:MrpN08Q+lEBs+bGYdLxxHkZoUSsCp0nSKTs0nTymJgw=
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-cloud.google.com/go v0.113.0 h1:g3C70mn3lWfckKBiCVsAshabrDg01pQ0pnX1MNtnMkA=
-cloud.google.com/go v0.113.0/go.mod h1:glEqlogERKYeePz6ZdkcLJ28Q2I6aERgDDErBg9GzO8=
-cloud.google.com/go/auth v0.4.1 h1:Z7YNIhlWRtrnKlZke7z3GMqzvuYzdc2z98F9D1NV5Hg=
-cloud.google.com/go/auth v0.4.1/go.mod h1:QVBuVEKpCn4Zp58hzRGvL0tjRGU0YqdRTdCHM1IHnro=
-cloud.google.com/go/auth/oauth2adapt v0.2.2 h1:+TTV8aXpjeChS9M+aTtN/TjdQnzJvmzKFt//oWu7HX4=
-cloud.google.com/go/auth/oauth2adapt v0.2.2/go.mod h1:wcYjgpZI9+Yu7LyYBg4pqSiaRkfEK3GQcpb7C/uyF1Q=
-cloud.google.com/go/compute v1.26.0 h1:uHf0NN2nvxl1Gh4QO83yRCOdMK4zivtMS5gv0dEX0hg=
-cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
-cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
-cloud.google.com/go/iam v1.1.8 h1:r7umDwhj+BQyz0ScZMp4QrGXjSTI3ZINnpgU2nlB/K0=
-cloud.google.com/go/iam v1.1.8/go.mod h1:GvE6lyMmfxXauzNq8NbgJbeVQNspG+tcdL/W8QO1+zE=
-cloud.google.com/go/kms v1.16.0 h1:1yZsRPhmargZOmY+fVAh8IKiR9HzCb0U1zsxb5g2nRY=
-cloud.google.com/go/kms v1.16.0/go.mod h1:olQUXy2Xud+1GzYfiBO9N0RhjsJk5IJLU6n/ethLXVc=
-cloud.google.com/go/longrunning v0.5.7 h1:WLbHekDbjK1fVFD3ibpFFVoyizlLRl73I7YKuAKilhU=
-cloud.google.com/go/longrunning v0.5.7/go.mod h1:8GClkudohy1Fxm3owmBGid8W0pSgodEMwEAztp38Xng=
-cloud.google.com/go/storage v1.41.0 h1:RusiwatSu6lHeEXe3kglxakAmAbfV+rhtPqA6i8RBx0=
-cloud.google.com/go/storage v1.41.0/go.mod h1:J1WCa/Z2FcgdEDuPUY8DxT5I+d9mFKsCepp5vR6Sq80=
+cloud.google.com/go v0.117.0 h1:Z5TNFfQxj7WG2FgOGX1ekC5RiXrYgms6QscOm32M/4s=
+cloud.google.com/go v0.117.0/go.mod h1:ZbwhVTb1DBGt2Iwb3tNO6SEK4q+cplHZmLWH+DelYYc=
+cloud.google.com/go/auth v0.13.0 h1:8Fu8TZy167JkW8Tj3q7dIkr2v4cndv41ouecJx0PAHs=
+cloud.google.com/go/auth v0.13.0/go.mod h1:COOjD9gwfKNKz+IIduatIhYJQIc0mG3H102r/EMxX6Q=
+cloud.google.com/go/auth/oauth2adapt v0.2.6 h1:V6a6XDu2lTwPZWOawrAa9HUK+DB2zfJyTuciBG5hFkU=
+cloud.google.com/go/auth/oauth2adapt v0.2.6/go.mod h1:AlmsELtlEBnaNTL7jCj8VQFLy6mbZv0s4Q7NGBeQ5E8=
+cloud.google.com/go/compute/metadata v0.6.0 h1:A6hENjEsCDtC1k8byVsgwvVcioamEHvZ4j01OwKxG9I=
+cloud.google.com/go/compute/metadata v0.6.0/go.mod h1:FjyFAW1MW0C203CEOMDTu3Dk1FlqW3Rga40jzHL4hfg=
+cloud.google.com/go/iam v1.3.0 h1:4Wo2qTaGKFtajbLpF6I4mywg900u3TLlHDb6mriLDPU=
+cloud.google.com/go/iam v1.3.0/go.mod h1:0Ys8ccaZHdI1dEUilwzqng/6ps2YB6vRsjIe00/+6JY=
+cloud.google.com/go/kms v1.20.2 h1:NGTHOxAyhDVUGVU5KngeyGScrg2D39X76Aphe6NC7S0=
+cloud.google.com/go/kms v1.20.2/go.mod h1:LywpNiVCvzYNJWS9JUcGJSVTNSwPwi0vBAotzDqn2nc=
+cloud.google.com/go/logging v1.12.0 h1:ex1igYcGFd4S/RZWOCU51StlIEuey5bjqwH9ZYjHibk=
+cloud.google.com/go/logging v1.12.0/go.mod h1:wwYBt5HlYP1InnrtYI0wtwttpVU1rifnMT7RejksUAM=
+cloud.google.com/go/longrunning v0.6.3 h1:A2q2vuyXysRcwzqDpMMLSI6mb6o39miS52UEG/Rd2ng=
+cloud.google.com/go/longrunning v0.6.3/go.mod h1:k/vIs83RN4bE3YCswdXC5PFfWVILjm3hpEUlSko4PiI=
+cloud.google.com/go/monitoring v1.22.0 h1:mQ0040B7dpuRq1+4YiQD43M2vW9HgoVxY98xhqGT+YI=
+cloud.google.com/go/monitoring v1.22.0/go.mod h1:hS3pXvaG8KgWTSz+dAdyzPrGUYmi2Q+WFX8g2hqVEZU=
+cloud.google.com/go/storage v1.49.0 h1:zenOPBOWHCnojRd9aJZAyQXBYqkJkdQS42dxL55CIMw=
+cloud.google.com/go/storage v1.49.0/go.mod h1:k1eHhhpLvrPjVGfo0mOUPEJ4Y2+a/Hv5PiwehZI9qGU=
+cloud.google.com/go/trace v1.11.2 h1:4ZmaBdL8Ng/ajrgKqY5jfvzqMXbrDcBsUGXOT9aqTtI=
+cloud.google.com/go/trace v1.11.2/go.mod h1:bn7OwXd4pd5rFuAnTrzBuoZ4ax2XQeG3qNgYmfCy0Io=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/Azure/azure-sdk-for-go v68.0.0+incompatible h1:fcYLmCpyNYRnvJbPerq7U0hS+6+I79yEDJBqVNcqUzU=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 h1:sO0/P7g68FrryJzljemN+6GTssUXdANk6aJ7T1ZxnsQ=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1/go.mod h1:h8hyGFDsU5HMivxiS2iYFZsgDbU9OnnJ163x5UGVKYo=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0 h1:AifHbc4mg0x9zW52WOpKbsHaDKuRhlI7TVl47thgQ70=
-github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0/go.mod h1:T5RfihdXtBDxt1Ch2wobif3TvzTdumDy29kahv6AV9A=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.2 h1:YUUxeiOWgdAQE3pXt2H7QXzZs0q8UBjgRbl56qo8GYM=
-github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.2/go.mod h1:dmXQgZuiSubAecswZE+Sm8jkvEa7kQgTPVRvwL/nd0E=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 h1:JZg6HRh6W6U4OLl6lk7BZ7BLisIzM9dG1R50zUk9C/M=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0/go.mod h1:YL1xnZ6QejvQHWJrX/AvhFl4WW4rqHVoKspWNVwFk0M=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 h1:B/dfvscEQtew9dVuoxqxrUKKv8Ih2f55PydknDamU+g=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0/go.mod h1:fiPSssYvltE08HJchL04dOy+RD4hgrjph0cwGGMntdI=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 h1:ywEEhmNahHBihViHepv3xPBn1663uRv2t2q/ESv9seY=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0/go.mod h1:iZDifYGJTIgIIkYRNWPENUnqx6bJ2xnSDFI2tjwZNuY=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.6.0 h1:PiSrjRPpkQNjrM8H0WwKMnZUdu1RGMtd/LdGKUrOo+c=
+github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.6.0/go.mod h1:oDrbWx4ewMylP7xHivfgixbfGBT6APAwsSoHRKotnIc=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0 h1:mlmW46Q0B79I+Aj4azKC6xDMFN9a9SyZWESlGWYXbFs=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0/go.mod h1:PXe2h+LKcWTX9afWdZoHyODqR4fBa5boUM/8uJfZ0Jo=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 h1:XHOnouVk1mxXfQidrMEnLlPk9UMeRtyBTnEFtxkV0kU=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5 h1:IEjq88XO4PuBDcvmjQJcQGg+w+UaafSy8G5Kcb5tBhI=
 github.com/GehirnInc/crypt v0.0.0-20230320061759-8cc1b52080c5/go.mod h1:exZ0C/1emQJAw5tHOaUDyY1ycttqBAPcxuzf7QbY6ec=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0 h1:3c8yed4lgqTt+oTQ+JNMDo+F4xprBf+O/il4ZC0nRLw=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp v1.25.0/go.mod h1:obipzmGjfSjam60XLwGfqUkJsfiheAl+TUjG+4yzyPM=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0 h1:o90wcURuxekmXrtxmYWTyNla0+ZEHhud6DI1ZTxd1vI=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.49.0/go.mod h1:6fTWu4m3jocfUZLYF5KsZC1TUfRvEjs7lM4crme/irw=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.49.0 h1:jJKWl98inONJAr/IZrdFQUWcwUO95DLY1XMD1ZIut+g=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/cloudmock v0.49.0/go.mod h1:l2fIqmwB+FKSfvn3bAD/0i+AXAxhIZjTK2svT/mgUXs=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0 h1:GYUJLfvd++4DMuMhCFLgLXvFwofIxh/qOwoGuS/LTew=
+github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.49.0/go.mod h1:wRbFgBQUVm1YXrvWKofAEmq9HNJTDphbAaJSSX01KUI=
 github.com/ajg/form v1.5.1 h1:t9c7v8JUKu/XxOGBU0yjNpaMloxGEJhUkqFRq0ibGeU=
 github.com/ajg/form v1.5.1/go.mod h1:uL1WgH+h2mgNtvBq0339dVnzXdBETtL2LeUXaIv25UY=
 github.com/alexedwards/argon2id v1.0.0 h1:wJzDx66hqWX7siL/SRUmgz3F8YMrd/nfX/xHHcQQP0w=
 github.com/alexedwards/argon2id v1.0.0/go.mod h1:tYKkqIjzXvZdzPvADMWOEZ+l6+BD6CtBXMj5fnJppiw=
 github.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964 h1:I9YN9WMo3SUh7p/4wKeNvD/IQla3U3SUa61U7ul+xM4=
 github.com/amoghe/go-crypt v0.0.0-20220222110647-20eada5f5964/go.mod h1:eFiR01PwTcpbzXtdMces7zxg6utvFM5puiWHpWB8D/k=
-github.com/aws/aws-sdk-go-v2 v1.26.1 h1:5554eUqIYVWpU0YmeeYZ0wU64H2VLBs8TlhRB2L+EkA=
-github.com/aws/aws-sdk-go-v2 v1.26.1/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2 h1:x6xsQXGSmW6frevwDA+vi/wqhp1ct18mVXYN08/93to=
-github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.2/go.mod h1:lPprDr1e6cJdyYeGXnRaJoP4Md+cDBvi2eOj00BlGmg=
-github.com/aws/aws-sdk-go-v2/config v1.27.13 h1:WbKW8hOzrWoOA/+35S5okqO/2Ap8hkkFUzoW8Hzq24A=
-github.com/aws/aws-sdk-go-v2/config v1.27.13/go.mod h1:XLiyiTMnguytjRER7u5RIkhIqS8Nyz41SwAWb4xEjxs=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.13 h1:XDCJDzk/u5cN7Aple7D/MiAhx1Rjo/0nueJ0La8mRuE=
-github.com/aws/aws-sdk-go-v2/credentials v1.17.13/go.mod h1:FMNcjQrmuBYvOTZDtOLCIu0esmxjF7RuA/89iSXWzQI=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1 h1:FVJ0r5XTHSmIHJV6KuDmdYhEpvlHpiSd38RQWhut5J4=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.1/go.mod h1:zusuAeqezXzAB24LGuzuekqMAEgWkVYukBec3kr3jUg=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.17 h1:9b1Os1s11mF5qTIKLgSsyPG810di2+ySSLIIt9bwe9I=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.17/go.mod h1:9Wp7tDOMhv0+sb/FTRAkbHNQ7abYDnoJRzm5AAtCnTc=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.18 h1:fUHit8Pe+2dWEHtxpOVDTOSQR257iH24HjT17DAz6qs=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.16.18/go.mod h1:IX1n1o870YYxzqN56w26s7FrO5Zaw/hdatxhJDiEf2U=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5 h1:aw39xVGeRWlWx9EzGVnhOR4yOjQDHPQ6o6NmBlscyQg=
-github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.5/go.mod h1:FSaRudD0dXiMPK2UjknVwwTYyZMRsHv3TtkabsZih5I=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5 h1:PG1F3OD1szkuQPzDw3CIQsRIrtTlUC3lP84taWzHlq0=
-github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.5/go.mod h1:jU1li6RFryMz+so64PpKtudI+QzbKoIEivqdf6LNpOc=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 h1:hT8rVHwugYE2lEfdFE0QWVo81lF7jMrYJVDWI+f+VxU=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0/go.mod h1:8tu/lYfQfFe6IGnaOdrpVgEL2IrrDOf6/m9RQum4NkY=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5 h1:81KE7vaZzrl7yHBYHVEzYB8sypz11NMOZ40YlWvPxsU=
-github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.5/go.mod h1:LIt2rg7Mcgn09Ygbdh/RdIm0rQ+3BNkbP1gyVMFtRK0=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
-github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7 h1:ZMeFZ5yk+Ek+jNr1+uwCd2tG89t6oTS5yVWpa6yy2es=
-github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.7/go.mod h1:mxV05U+4JiHqIpGqqYXOHLPKUC6bDXC44bsUhNjOEwY=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7 h1:ogRAwT1/gxJBcSWDMZlgyFUM962F51A5CRhDLbxLdmo=
-github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.7/go.mod h1:YCsIZhXfRPLFFCl5xxY+1T9RKzOKjCut+28JSX2DnAk=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5 h1:f9RyWNtS8oH7cZlbn+/JNPpjUk5+5fLd5lM9M0i49Ys=
-github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.5/go.mod h1:h5CoMZV2VF297/VLhRhO1WF+XYWOzXo+4HsObA4HjBQ=
-github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.21.5 h1:p2PxN+OO28p2bCCXE79sJfFBaSohwxa24bQdjuyPZCs=
-github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.21.5/go.mod h1:Q01yJLephuOzv6IYzcknrpVAriOqB66+qtGnpqgw9UE=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.53.2 h1:rq2hglTQM3yHZvOPVMtNvLS5x6hijx7JvRDgKiTNDGQ=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.53.2/go.mod h1:qmdkIIAC+GCLASF7R2whgNrJADz0QZPX+Seiw/i4S3o=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.54.0 h1:Ls94RY3P6HtB88JkzXo1lHrXzonHPpNR//OSAV63mSE=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.54.0/go.mod h1:qmdkIIAC+GCLASF7R2whgNrJADz0QZPX+Seiw/i4S3o=
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.7 h1:4cziOtpDwtgcb+wTYRzz8C+GoH1XySy0p7j4oBbqPQE=
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.28.7/go.mod h1:3Ba++UwWd154xtP4FRX5pUK3Gt4up5sDHCve6kVfE+g=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.6 h1:o5cTaeunSpfXiLTIBx5xo2enQmiChtu1IBbzXnfU9Hs=
-github.com/aws/aws-sdk-go-v2/service/sso v1.20.6/go.mod h1:qGzynb/msuZIE8I75DVRCUXw3o3ZyBmUvMwQ2t/BrGM=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.0 h1:Qe0r0lVURDDeBQJ4yP+BOrJkvkiCo/3FH/t+wY11dmw=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.24.0/go.mod h1:mUYPBhaF2lGiukDEjJX2BLRRKTmoUSitGDUgM4tRxak=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.7 h1:et3Ta53gotFR4ERLXXHIHl/Uuk1qYpP5uU7cvNql8ns=
-github.com/aws/aws-sdk-go-v2/service/sts v1.28.7/go.mod h1:FZf1/nKNEkHdGGJP/cI2MoIMquumuRK6ol3QQJNDxmw=
-github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
-github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
+github.com/aws/aws-sdk-go-v2 v1.32.7 h1:ky5o35oENWi0JYWUZkB7WYvVPP+bcRF5/Iq7JWSb5Rw=
+github.com/aws/aws-sdk-go-v2 v1.32.7/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7 h1:lL7IfaFzngfx0ZwUGOZdsFFnQ5uLvR0hWqqhyE7Q9M8=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.7/go.mod h1:QraP0UcVlQJsmHfioCrveWOC1nbiWUl3ej08h4mXWoc=
+github.com/aws/aws-sdk-go-v2/config v1.28.7 h1:GduUnoTXlhkgnxTD93g1nv4tVPILbdNQOzav+Wpg7AE=
+github.com/aws/aws-sdk-go-v2/config v1.28.7/go.mod h1:vZGX6GVkIE8uECSUHB6MWAUsd4ZcG2Yq/dMa4refR3M=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.48 h1:IYdLD1qTJ0zanRavulofmqut4afs45mOWEI+MzZtTfQ=
+github.com/aws/aws-sdk-go-v2/credentials v1.17.48/go.mod h1:tOscxHN3CGmuX9idQ3+qbkzrjVIx32lqDSU1/0d/qXs=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.22 h1:kqOrpojG71DxJm/KDPO+Z/y1phm1JlC8/iT+5XRmAn8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.22/go.mod h1:NtSFajXVVL8TA2QNngagVZmUtXciyrHOt7xgz4faS/M=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.44 h1:2zxMLXLedpB4K1ilbJFxtMKsVKaexOqDttOhc0QGm3Q=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.44/go.mod h1:VuLHdqwjSvgftNC7yqPWyGVhEwPmJpeRi07gOgOfHF8=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.26 h1:I/5wmGMffY4happ8NOCuIUEWGUvvFp5NSeQcXl9RHcI=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.26/go.mod h1:FR8f4turZtNy6baO0KJ5FJUmXH/cSkI9fOngs0yl6mA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26 h1:zXFLuEuMMUOvEARXFUVJdfqZ4bvvSgdGRq/ATcrQxzM=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.26/go.mod h1:3o2Wpy0bogG1kyOPrgkXA8pgIfEEv0+m19O9D5+W8y8=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1 h1:VaRN3TlFdd6KxX1x3ILT5ynH6HvKgqdiXoTxAF4HQcQ=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.1/go.mod h1:FbtygfRFze9usAadmnGJNc8KsP346kEe+y2/oyhGAGc=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.26 h1:GeNJsIFHB+WW5ap2Tec4K6dzcVTsRbsT1Lra46Hv9ME=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.26/go.mod h1:zfgMpwHDXX2WGoG84xG2H+ZlPTkJUU4YUvx2svLQYWo=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1 h1:iXtILhvDxB6kPvEXgsDhGaZCSC6LQET5ZHSdJozeI0Y=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.12.1/go.mod h1:9nu0fVANtYiAePIBh2/pFUSwtJ402hLnp854CNoDOeE=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.7 h1:tB4tNw83KcajNAzaIMhkhVI2Nt8fAZd5A5ro113FEMY=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.4.7/go.mod h1:lvpyBGkZ3tZ9iSsUIcC2EWp+0ywa7aK3BLT+FwZi+mQ=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.7 h1:8eUsivBQzZHqe/3FE+cqwfH+0p5Jo8PFM/QYQSmeZ+M=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.12.7/go.mod h1:kLPQvGUmxn/fqiCrDeohwG33bq2pQpGeY62yRO6Nrh0=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.7 h1:Hi0KGbrnr57bEHWM0bJ1QcBzxLrL/k2DHvGYhb8+W1w=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.18.7/go.mod h1:wKNgWgExdjjrm4qvfbTorkvocEstaoDl4WCvGfeCy9c=
+github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.25.8 h1:A9pJ60b8AKwlXiSbznKBcDaBTA7jIaI6gHSDqQeAZOg=
+github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.25.8/go.mod h1:/aDbp2jKTGdpJwFHuwQeypaIPlCjkxMqDVUB+7GizdU=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.71.1 h1:aOVVZJgWbaH+EJYPvEgkNhCEbXXvH7+oML36oaPK3zE=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.71.1/go.mod h1:r+xl5yzMk9083rMR+sJ5TYj9Tihvf/l1oxzZXDgGj2Q=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.8 h1:WT3EPriVEpHE2jeNqHqj7l43JCIWPoZjNNRluZ7agII=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.34.8/go.mod h1:By/yiMzR0yfhPaqRWE3GrT9B/Z6871z1GfWGc+vf4Y8=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.8 h1:CvuUmnXI7ebaUAhbJcDy9YQx8wHR69eZ9I7q5hszt/g=
+github.com/aws/aws-sdk-go-v2/service/sso v1.24.8/go.mod h1:XDeGv1opzwm8ubxddF0cgqkZWsyOtw4lr6dxwmb6YQg=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.7 h1:F2rBfNAL5UyswqoeWv9zs74N/NanhK16ydHW1pahX6E=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.28.7/go.mod h1:JfyQ0g2JG8+Krq0EuZNnRwX0mU0HrwY/tG6JNfcqh4k=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.3 h1:Xgv/hyNgvLda/M9l9qxXc4UFSgppnRczLxlMs5Ae/QY=
+github.com/aws/aws-sdk-go-v2/service/sts v1.33.3/go.mod h1:5Gn+d+VaaRgsjewpMvGazt0WfcFO+Md4wLOuBfGR9Bc=
+github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=
+github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
-github.com/bmatcuk/doublestar/v4 v4.6.1 h1:FH9SifrbvJhnlQpztAx++wlkk70QBf0iBWDwNy7PA4I=
-github.com/bmatcuk/doublestar/v4 v4.6.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
+github.com/bmatcuk/doublestar/v4 v4.7.1 h1:fdDeAqgT47acgwd9bd9HxJRDmc9UAmPpc+2m0CXv75Q=
+github.com/bmatcuk/doublestar/v4 v4.7.1/go.mod h1:xBQ8jztBU6kakFMg+8WGxn0c6z1fTSPVIjEY1Wr7jzc=
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
-github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=
-github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
+github.com/boombuler/barcode v1.0.2 h1:79yrbttoZrLGkL/oOI8hBrUKucwOL0oOjUgEguGMcJ4=
+github.com/boombuler/barcode v1.0.2/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bufbuild/protocompile v0.4.0 h1:LbFKd2XowZvQ/kajzguUp2DC9UEIQhIq77fZZlaQsNA=
 github.com/bufbuild/protocompile v0.4.0/go.mod h1:3v93+mbWn/v3xzN+31nwkJfrEpAUwp+BagBSZWx+TP8=
 github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
 github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/census-instrumentation/opencensus-proto v0.4.1 h1:iKLQ0xPNFxR/2hzXZMrBo8f1j86j5WHzznCCQxV/b8g=
+github.com/census-instrumentation/opencensus-proto v0.4.1/go.mod h1:4T9NM4+4Vw91VeyqjLS6ao50K5bOcLKN6Q42XnYaRYw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/cncf/xds/go v0.0.0-20241213214725-57cfbe6fad57 h1:put7Je9ZyxbHtwr7IqGrW4LLVUupJQ2gbsDshKISSgU=
+github.com/cncf/xds/go v0.0.0-20241213214725-57cfbe6fad57/go.mod h1:W+zGtBO5Y1IgJhy4+A9GOqVhqLpfZi+vwmdNXUehLA8=
 github.com/cockroachdb/cockroach-go/v2 v2.3.8 h1:53yoUo4+EtrC1NrAEgnnad4AS3ntNvGup1PAXZ7UmpE=
 github.com/cockroachdb/cockroach-go/v2 v2.3.8/go.mod h1:9uH5jK4yQ3ZQUT9IXe4I2fHzMIF5+JC/oOdzTRgJYJk=
-github.com/coreos/go-oidc/v3 v3.10.0 h1:tDnXHnLyiTVyT/2zLDGj09pFPkhND8Gl8lnTRhoEaJU=
-github.com/coreos/go-oidc/v3 v3.10.0/go.mod h1:5j11xcw0D3+SGxn6Z/WFADsgcWVMyNAlSQupk0KK3ac=
+github.com/coreos/go-oidc/v3 v3.11.0 h1:Ia3MxdwpSw702YW0xgfmP1GVCMA9aEFWu12XUZ3/OtI=
+github.com/coreos/go-oidc/v3 v3.11.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0=
 github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/cpuguy83/go-md2man/v2 v2.0.4 h1:wfIWP927BUkWJb2NmU/kNDYIBTh/ziUX91+lVfRxZq4=
 github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@ -119,48 +134,52 @@ github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0 h1:rpfIENRNNilwHwZeG5+P150SMrnN
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.3.0/go.mod h1:v57UDF4pDQJcEfFUCRop3lJL149eHGSe9Jvczhzjo/0=
 github.com/drakkan/cron/v3 v3.0.0-20230222140221-217a1e4d96c0 h1:EW9gIJRmt9lzk66Fhh4S8VEtURA6QHZqGeSRE9Nb2/U=
 github.com/drakkan/cron/v3 v3.0.0-20230222140221-217a1e4d96c0/go.mod h1:eQICP3HwyT7UooqI/z+Ov+PtYAWygg1TEWWzGIFLtro=
-github.com/drakkan/crypto v0.0.0-20240509175024-33071fb6437f h1:4+0I7deWH0/8dTS1xVgFrNSq7aaNvKrfaqLlfFBNV64=
-github.com/drakkan/crypto v0.0.0-20240509175024-33071fb6437f/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
+github.com/drakkan/crypto v0.0.0-20241215104834-a9cd4736223d h1:xpQVtm9fMX+Moy260dDuYlKyER0L8jj7WJF6bcLXtL4=
+github.com/drakkan/crypto v0.0.0-20241215104834-a9cd4736223d/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
 github.com/drakkan/ftp v0.0.0-20240430173938-7ba8270c8e7f h1:S9JUlrOzjK58UKoLqqb40YLyVlt0bcIFtYrvnanV3zc=
 github.com/drakkan/ftp v0.0.0-20240430173938-7ba8270c8e7f/go.mod h1:4p8lUl4vQ80L598CygL+3IFtm+3nggvvW/palOlViwE=
-github.com/drakkan/ftpserverlib v0.0.0-20240510125431-4617586dfa1c h1:cO3eqB2Bjv8WM8HUDfajAt3bFFGj6FUQ2eIxsxVvyC8=
-github.com/drakkan/ftpserverlib v0.0.0-20240510125431-4617586dfa1c/go.mod h1:+9afJRWESpCq4/O8Vr00Q2jfinRxP6PiCpXph6CgGuc=
-github.com/drakkan/webdav v0.0.0-20240503091431-218ec83910bb h1:067/Uo8cfeY7QC0yzWCr/RImuNcM0rLWAsBUyMks59o=
-github.com/drakkan/webdav v0.0.0-20240503091431-218ec83910bb/go.mod h1:zOVb1QDhwwqWn2L2qZ0U3swMSO4GTSNyIwXCGO/UGWE=
+github.com/drakkan/ftpserverlib v0.0.0-20240603150004-6a8f643fbf2e h1:VBpqQeChkGXSV1FXCtvd3BJTyB+DcMgiu7SfkpsGuKw=
+github.com/drakkan/ftpserverlib v0.0.0-20240603150004-6a8f643fbf2e/go.mod h1:aAwyOAC6IIe+IZeeGD1QjuE3GGDzqW/c5Xtn+Dp0JUM=
+github.com/drakkan/webdav v0.0.0-20241026165615-b8b8f74ae71b h1:Y1tLiQ8fnxM5f3wiBjAXsHzHNwiY9BR+mXZA75nZwrs=
+github.com/drakkan/webdav v0.0.0-20241026165615-b8b8f74ae71b/go.mod h1:zOVb1QDhwwqWn2L2qZ0U3swMSO4GTSNyIwXCGO/UGWE=
 github.com/eikenb/pipeat v0.0.0-20210730190139-06b3e6902001 h1:/ZshrfQzayqRSBDodmp3rhNCHJCff+utvgBuWRbiqu4=
 github.com/eikenb/pipeat v0.0.0-20210730190139-06b3e6902001/go.mod h1:kltMsfRMTHSFdMbK66XdS8mfMW77+FZA1fGY1xYMF84=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/go-control-plane v0.13.1 h1:vPfJZCkob6yTMEgS+0TwfTUfbHjfy/6vOJ8hUWX/uXE=
+github.com/envoyproxy/go-control-plane v0.13.1/go.mod h1:X45hY0mufo6Fd0KW3rqsGvQMw58jvjymeCzBU3mWyHw=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/envoyproxy/protoc-gen-validate v1.1.0 h1:tntQDh69XqOCOZsDz0lVJQez/2L6Uu2PdjCQwWCJ3bM=
+github.com/envoyproxy/protoc-gen-validate v1.1.0/go.mod h1:sXRDRVmzEbkM7CVcM06s9shE/m23dg3wzjl0UWqJ2q4=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
-github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
-github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
 github.com/fclairamb/go-log v0.5.0 h1:Gz9wSamEaA6lta4IU2cjJc2xSq5sV5VYSB5w/SUHhVc=
 github.com/fclairamb/go-log v0.5.0/go.mod h1:XoRO1dYezpsGmLLkZE9I+sHqpqY65p8JA+Vqblb7k40=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
 github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
-github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=
-github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM=
-github.com/go-acme/lego/v4 v4.16.1 h1:JxZ93s4KG0jL27rZ30UsIgxap6VGzKuREsSkkyzeoCQ=
-github.com/go-acme/lego/v4 v4.16.1/go.mod h1:AVvwdPned/IWpD/ihHhMsKnveF7HHYAz/CmtXi7OZoE=
-github.com/go-chi/chi/v5 v5.0.12 h1:9euLV5sTrTNTRUU9POmDUvfxyj6LAABLUcEWO+JJb4s=
-github.com/go-chi/chi/v5 v5.0.12/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
-github.com/go-chi/jwtauth/v5 v5.3.1 h1:1ePWrjVctvp1tyBq5b/2ER8Th/+RbYc7x4qNsc5rh5A=
-github.com/go-chi/jwtauth/v5 v5.3.1/go.mod h1:6Fl2RRmWXs3tJYE1IQGX81FsPoGqDwq9c15j52R5q80=
+github.com/fsnotify/fsnotify v1.8.0 h1:dAwr6QBTBZIkG8roQaJjGof0pp0EeF+tNV7YBP3F/8M=
+github.com/fsnotify/fsnotify v1.8.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
+github.com/go-acme/lego/v4 v4.21.0 h1:arEW+8o5p7VI8Bk1kr/PDlgD1DrxtTH1gJ4b7mehL8o=
+github.com/go-acme/lego/v4 v4.21.0/go.mod h1:HrSWzm3Ckj45Ie3i+p1zKVobbQoMOaGu9m4up0dUeDI=
+github.com/go-chi/chi/v5 v5.2.0 h1:Aj1EtB0qR2Rdo2dG4O94RIU35w2lvQSj6BRA4+qwFL0=
+github.com/go-chi/chi/v5 v5.2.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/jwtauth/v5 v5.3.2 h1:s+ON3ATyyMs3Me0kqyuua6Rwu+2zqIIkL0GCaMarwvs=
+github.com/go-chi/jwtauth/v5 v5.3.2/go.mod h1:O4QvPRuZLZghl9WvfVaON+ARfGzpD2PBX/QY5vUz7aQ=
 github.com/go-chi/render v1.0.3 h1:AsXqd2a1/INaIfUSKq3G5uA8weYx20FOsM7uSoCyyt4=
 github.com/go-chi/render v1.0.3/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
-github.com/go-jose/go-jose/v4 v4.0.2 h1:R3l3kkBds16bO7ZFAEEcofK0MkrAJt3jlJznWZG0nvk=
-github.com/go-jose/go-jose/v4 v4.0.2/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
+github.com/go-jose/go-jose/v4 v4.0.4 h1:VsjPI33J0SB9vQM6PLmNjoHqMQNGPiZ0rHL7Ni7Q6/E=
+github.com/go-jose/go-jose/v4 v4.0.4/go.mod h1:NKb5HO1EZccyMpiZNbdUw/14tiXNyUJh188dfnMCAfc=
 github.com/go-kit/log v0.2.1 h1:MRVx0/zhvdseW+Gza6N9rVzU/IVzaeE1SFI4raAhmBU=
 github.com/go-kit/log v0.2.1/go.mod h1:NwTd00d/i8cPZ3xOwwiv2PO5MOcx78fFErGNcVmBjv0=
 github.com/go-logfmt/logfmt v0.5.1 h1:otpy5pqBCBZ1ng9RQ0dPu4PN7ba75Y/aA+UpowDyNVA=
 github.com/go-logfmt/logfmt v0.5.1/go.mod h1:WYhtIu8zTZfxdn5+rREduYbwxfcBr/Vr6KEVveWlfTs=
 github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
-github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
@ -168,17 +187,17 @@ github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
 github.com/go-sql-driver/mysql v1.8.1 h1:LedoTUt/eveggdHS9qUFC1EFSa8bU2+1pZjSRpvNJ1Y=
 github.com/go-sql-driver/mysql v1.8.1/go.mod h1:wEBSXgmK//2ZFJyE+qWnIsVGmvmEKlqwuVSjsCm7DZg=
-github.com/goccy/go-json v0.10.2 h1:CrxCmQqYDkv1z7lO7Wbh2HN93uovUHgrECaO5ZrCXAU=
-github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
+github.com/goccy/go-json v0.10.4 h1:JSwxQzIqKfmFX1swYPpUThQZp/Ka4wzJdK0LWVytLPM=
+github.com/goccy/go-json v0.10.4/go.mod h1:oq7eo15ShAhp70Anwd5lgX2pLfOS3QCiwU/PULtXL6M=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/gofrs/flock v0.8.1 h1:+gYjHKf32LDeiEEFhQaotPbLuUXjY5ZqxKgXy7n59aw=
-github.com/gofrs/flock v0.8.1/go.mod h1:F1TvTiK9OcQqauNUHlbJvyl9Qa1QvF/gOUDKA14jxHU=
+github.com/gofrs/flock v0.12.1 h1:MTLVXXHf8ekldpJk3AKicLij9MdwOWkZ+a/jHHZby9E=
+github.com/gofrs/flock v0.12.1/go.mod h1:9zxTsyu5xtJ9DK+1tFZyibEV7y3uwDxPPfbxeeHCoD0=
 github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
 github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@ -197,26 +216,23 @@ github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.3/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/martian/v3 v3.3.3 h1:DIhPTQrbPkgs2yJYdXU/eNACCG5DVQjySNRNlflZ9Fc=
 github.com/google/martian/v3 v3.3.3/go.mod h1:iEPrYcgCF7jA9OtScMFQyAlZZ4YXTKEtJ1E6RWzmBA0=
-github.com/google/s2a-go v0.1.7 h1:60BLSyTrOV4/haCDW4zb1guZItoSq8foHCXrAnjBo/o=
-github.com/google/s2a-go v0.1.7/go.mod h1:50CgR4k1jNlWBu4UfS4AcfhVe1r6pdZPygJ3R8F0Qdw=
+github.com/google/s2a-go v0.1.8 h1:zZDs9gcbt9ZPLV0ndSyQk6Kacx2g/X+SKYovpnz3SMM=
+github.com/google/s2a-go v0.1.8/go.mod h1:6iNWHTpQ+nfNRN5E00MSdfDwVesa8hhS32PhPO8deJA=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4=
 github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/google/uuid v1.2.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/wire v0.6.0 h1:HBkoIh4BdSxoyo9PveV8giw7ZsaBOvzWKfcg/6MrVwI=
 github.com/google/wire v0.6.0/go.mod h1:F4QhpQ9EDIdJ1Mbop/NZBRB+5yrR6qg3BnctaoUk6NA=
-github.com/googleapis/enterprise-certificate-proxy v0.3.2 h1:Vie5ybvEvT75RniqhfFxPRy3Bf7vr3h0cechB90XaQs=
-github.com/googleapis/enterprise-certificate-proxy v0.3.2/go.mod h1:VLSiSSBs/ksPL8kq3OBOQ6WRI2QnaFynd1DCjZ62+V0=
-github.com/googleapis/gax-go/v2 v2.12.4 h1:9gWcmF85Wvq4ryPFvGFaOgPIs1AQX0d0bcbGw4Z96qg=
-github.com/googleapis/gax-go/v2 v2.12.4/go.mod h1:KYEYLorsnIGDi/rPC8b5TdlB9kbKoFubselGIoBMCwI=
+github.com/googleapis/enterprise-certificate-proxy v0.3.4 h1:XYIDZApgAnrN1c855gTgghdIA6Stxb52D5RnLI1SLyw=
+github.com/googleapis/enterprise-certificate-proxy v0.3.4/go.mod h1:YKe7cfqYXjKGpGvmSg28/fFvhNzinZQm8DGnaburhGA=
+github.com/googleapis/gax-go/v2 v2.14.1 h1:hb0FFeiPaQskmvakKu5EbCbpntQn48jyHuvrkurSS/Q=
+github.com/googleapis/gax-go/v2 v2.14.1/go.mod h1:Hb/NubMaVM88SrNkvl8X/o8XWwDJEPqouaLeN2IUxoA=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@ -226,33 +242,28 @@ github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB1
 github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-plugin v1.6.1 h1:P7MR2UP6gNKGPp+y7EZw2kOiq4IR9WiqLvp0XOsVdwI=
-github.com/hashicorp/go-plugin v1.6.1/go.mod h1:XPHFku2tFo3o3QKFgSYo+cghcUhw1NA1hZyMK0PWAw0=
-github.com/hashicorp/go-retryablehttp v0.7.6 h1:TwRYfx2z2C4cLbXmT8I5PgP/xmuqASDyiVuGYfs9GZM=
-github.com/hashicorp/go-retryablehttp v0.7.6/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
+github.com/hashicorp/go-plugin v1.6.2 h1:zdGAEd0V1lCaU0u+MxWQhtSDQmahpkwOun8U8EiRVog=
+github.com/hashicorp/go-plugin v1.6.2/go.mod h1:CkgLQ5CZqNmdL9U9JzM532t8ZiYQ35+pj3b1FD37R0Q=
+github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU=
+github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk=
 github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4=
 github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ=
-github.com/hashicorp/yamux v0.1.1 h1:yrQxtgseBDrq9Y652vSRDvsKCJKOUD+GzTS4Y0Y8pvE=
-github.com/hashicorp/yamux v0.1.1/go.mod h1:CtWFDAQgb7dxtzFs4tWbplKIe2jSi3+5vKbgIO0SLnQ=
+github.com/hashicorp/yamux v0.1.2 h1:XtB8kyFOyHXYVFnwT5C3+Bdo8gArse7j2AQ0DA0Uey8=
+github.com/hashicorp/yamux v0.1.2/go.mod h1:C+zze2n6e/7wshOZep2A70/aQU6QBRWJO/G6FT1wIns=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
-github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9 h1:L0QtFUgDarD7Fpv9jeVMgy/+Ec0mtnmYuImjTz6dtDA=
-github.com/jackc/pgservicefile v0.0.0-20231201235250-de7065d80cb9/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.5.5 h1:amBjrZVmksIdNjxGW/IiIMzxMKZFelXbUoPNb+8sjQw=
-github.com/jackc/pgx/v5 v5.5.5/go.mod h1:ez9gk+OAat140fv9ErkZDYFWmXLfV+++K0uAOiwgm1A=
-github.com/jackc/puddle v1.3.0 h1:eHK/5clGOatcjX3oWGBO/MpxpbHzSwud5EWTSCI+MX0=
-github.com/jackc/puddle/v2 v2.2.1 h1:RhxXJtFG022u4ibrCSMSiu5aOq1i77R3OHKNJj77OAk=
-github.com/jackc/puddle/v2 v2.2.1/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
+github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
+github.com/jackc/pgx/v5 v5.7.2 h1:mLoDLV6sonKlvjIEsV56SkWNCnuNv531l94GaIzO+XI=
+github.com/jackc/pgx/v5 v5.7.2/go.mod h1:ncY89UGWxg82EykZUwSpUKEfccBGGYq1xjrOpsbsfGQ=
+github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
+github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jhump/protoreflect v1.15.1 h1:HUMERORf3I3ZdX05WaQ6MIpd/NJ434hTp5YiKgfCL6c=
 github.com/jhump/protoreflect v1.15.1/go.mod h1:jD/2GMKKE6OqX8qTjhADU1e6DShO+gavG9e0Q693nKo=
-github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
-github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
-github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
-github.com/klauspost/compress v1.17.8 h1:YcnTYrq7MikUT7k0Yb5eceMmALQPYBW/Xltxn0NAMnU=
-github.com/klauspost/compress v1.17.8/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
+github.com/klauspost/compress v1.17.11 h1:In6xLpyWOi1+C7tXUUWv2ot1QvBjxevKAaI6IXrJmUc=
+github.com/klauspost/compress v1.17.11/go.mod h1:pMDklpSncoRMuLFrf1W9Ss9KT+0rH90U12bZKk7uwG0=
 github.com/kr/fs v0.1.0 h1:Jskdu9ieNAYnjxsi0LbQp1ulIKZV1LAFgK1tWhpZgl8=
 github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
@ -265,23 +276,22 @@ github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N
 github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/httprc v1.0.5 h1:bsTfiH8xaKOJPrg1R+E3iE/AWZr/x0Phj9PBTG/OLUk=
-github.com/lestrrat-go/httprc v1.0.5/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
+github.com/lestrrat-go/httprc v1.0.6 h1:qgmgIRhpvBqexMJjA/PmwSvhNk679oqD1RbovdCGW8k=
+github.com/lestrrat-go/httprc v1.0.6/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx/v2 v2.0.21 h1:jAPKupy4uHgrHFEdjVjNkUgoBKtVDgrQPB/h55FHrR0=
-github.com/lestrrat-go/jwx/v2 v2.0.21/go.mod h1:09mLW8zto6bWL9GbwnqAli+ArLf+5M33QLQPDggkUWM=
+github.com/lestrrat-go/jwx/v2 v2.1.3 h1:Ud4lb2QuxRClYAmRleF50KrbKIoM1TddXgBrneT5/Jo=
+github.com/lestrrat-go/jwx/v2 v2.1.3/go.mod h1:q6uFgbgZfEmQrfJfrCo90QcQOcXFMfbI/fO0NqRtvZo=
 github.com/lestrrat-go/option v1.0.1 h1:oAzP2fvZGQKWkvHa1/SAcFolBEca1oN+mQ7eooNBEYU=
 github.com/lestrrat-go/option v1.0.1/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-github.com/lithammer/shortuuid/v3 v3.0.7 h1:trX0KTHy4Pbwo/6ia8fscyHoGA+mf1jWbPJVuvyJQQ8=
-github.com/lithammer/shortuuid/v3 v3.0.7/go.mod h1:vMk8ke37EmiewwolSO1NLW8vP4ZaKlRuDIi8tWWmAts=
-github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0/go.mod h1:zJYVVT2jmtg6P3p1VtQj7WsuWi/y4VnjVBn7F8KPB3I=
-github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae h1:dIZY4ULFcto4tAFlj1FYZl8ztUZ13bdq+PLY+NOfbyI=
-github.com/lufia/plan9stats v0.0.0-20240513124658-fba389f38bae/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
-github.com/magiconair/properties v1.8.7 h1:IeQXZAiQcpL9mgcAe1Nu6cX9LLw6ExEHKjN0VQdvPDY=
-github.com/magiconair/properties v1.8.7/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
+github.com/lithammer/shortuuid/v4 v4.2.0 h1:LMFOzVB3996a7b8aBuEXxqOBflbfPQAiVzkIcHO0h8c=
+github.com/lithammer/shortuuid/v4 v4.2.0/go.mod h1:D5noHZ2oFw/YaKCfGy0YxyE7M0wMbezmMjPdhyEFe6Y=
+github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683 h1:7UMa6KCCMjZEMDtTVdcGu0B1GmmC7QJKiCCjyTAWQy0=
+github.com/lufia/plan9stats v0.0.0-20240909124753-873cd0166683/go.mod h1:ilwx/Dta8jXAgpFYFvSWEMwxmbWXyiUHkd5FwyKhb5k=
+github.com/magiconair/properties v1.8.9 h1:nWcCbLq1N2v/cpNsy5WvQ37Fb+YElfq20WJ/a8RkpQM=
+github.com/magiconair/properties v1.8.9/go.mod h1:Dhd985XPs7jluiymwWYZ0G4Z61jb3vdS329zhj2hYo0=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=
 github.com/mattn/go-colorable v0.1.12/go.mod h1:u5H1YNBxpqRaxsYJYSkiCWKzEfiAb1Gb520KVy5xxl4=
 github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
@ -292,74 +302,76 @@ github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
-github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
+github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/mhale/smtpd v0.8.3 h1:8j8YNXajksoSLZja3HdwvYVZPuJSqAxFsib3adzRRt8=
 github.com/mhale/smtpd v0.8.3/go.mod h1:MQl+y2hwIEQCXtNhe5+55n0GZOjSmeqORDIXbqUL3x4=
-github.com/miekg/dns v1.1.59 h1:C9EXc/UToRwKLhK5wKU/I4QVsBUc8kE6MkHBkeypWZs=
-github.com/miekg/dns v1.1.59/go.mod h1:nZpewl5p6IvctfgrckopVx2OlSEHPRO/U4SYkRklrEk=
-github.com/minio/sio v0.3.1 h1:d59r5RTHb1OsQaSl1EaTWurzMMDRLA5fgNmjzD4eVu4=
-github.com/minio/sio v0.3.1/go.mod h1:S0ovgVgc+sTlQyhiXA1ppBLv7REM7TYi5yyq2qL/Y6o=
-github.com/mitchellh/go-testing-interface v1.14.1 h1:jrgshOhYAUVNMAJiKbEu7EqAwgJJ2JqpQmpLJOu07cU=
-github.com/mitchellh/go-testing-interface v1.14.1/go.mod h1:gfgS7OtZj6MA4U1UrDRp04twqAjfvlZyCfX3sDjEym8=
+github.com/miekg/dns v1.1.62 h1:cN8OuEF1/x5Rq6Np+h1epln8OiyPWV+lROx9LxcGgIQ=
+github.com/miekg/dns v1.1.62/go.mod h1:mvDlcItzm+br7MToIKqkglaGhlFMHJ9DTNNWONWXbNQ=
+github.com/minio/sio v0.4.1 h1:EMe3YBC1nf+sRQia65Rutxi+Z554XPV0dt8BIBA+a/0=
+github.com/minio/sio v0.4.1/go.mod h1:oBSjJeGbBdRMZZwna07sX9EFzZy+ywu5aofRiV1g79I=
 github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
 github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
+github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/oklog/run v1.1.0 h1:GEenZ1cK0+q0+wsJew9qUg/DyD8k3JzYsZAi5gYi2mA=
 github.com/oklog/run v1.1.0/go.mod h1:sVPdnTZT1zYwAJeCMu2Th4T21pA3FPOQRfWjQlk7DVU=
 github.com/otiai10/copy v1.14.0 h1:dCI/t1iTdYGtkvCuBG2BgR6KZa83PTclw4U5n2wAllU=
 github.com/otiai10/copy v1.14.0/go.mod h1:ECfuL02W+/FkTWZWgQqXPWZgW9oeKCSQ5qVfSc4qc4w=
 github.com/otiai10/mint v1.5.1 h1:XaPLeE+9vGbuyEHem1JNk3bYc7KKqyI/na0/mLd/Kks=
 github.com/otiai10/mint v1.5.1/go.mod h1:MJm72SBthJjz8qhefc4z1PYEieWmy8Bku7CjcAqyUSM=
-github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=
-github.com/pelletier/go-toml/v2 v2.2.2/go.mod h1:1t835xjRzz80PqgE6HHgN2JOsmgYu/h4qDAS4n929Rs=
-github.com/pires/go-proxyproto v0.7.0 h1:IukmRewDQFWC7kfnb66CSomk2q/seBuilHBYFwyq0Hs=
-github.com/pires/go-proxyproto v0.7.0/go.mod h1:Vz/1JPY/OACxWGQNIRY2BeyDmpoaWmEP40O9LbuiFR4=
+github.com/pelletier/go-toml/v2 v2.2.3 h1:YmeHyLY8mFWbdkNWwpr+qIL2bEqT0o95WSdkNHvL12M=
+github.com/pelletier/go-toml/v2 v2.2.3/go.mod h1:MfCQTFTvCcUyyvvwm1+G6H/jORL20Xlb6rzQu9GuUkc=
+github.com/pires/go-proxyproto v0.8.0 h1:5unRmEAPbHXHuLjDg01CxJWf91cw3lKHc/0xzKpXEe0=
+github.com/pires/go-proxyproto v0.8.0/go.mod h1:iknsfgnH8EkjrMeMyvfKByp9TiBZCKZM0jx2xmKqnVY=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
 github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pkg/sftp v1.13.7-0.20240410063531-637088883317 h1:kupFhKi4R3XqKmUmqGSHWn/WZbC9CnwSoW421tL1gGw=
-github.com/pkg/sftp v1.13.7-0.20240410063531-637088883317/go.mod h1:KMKI0t3T6hfA+lTR/ssZdunHo+uwq7ghoN09/FSu3DY=
+github.com/pkg/sftp v1.13.7 h1:uv+I3nNJvlKZIQGSr8JVQLNHFU9YhhNpvC14Y6KgmSM=
+github.com/pkg/sftp v1.13.7/go.mod h1:KMKI0t3T6hfA+lTR/ssZdunHo+uwq7ghoN09/FSu3DY=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 h1:GFCKgmp0tecUJ0sJuv4pzYCqS9+RGSn52M3FUwPs+uo=
+github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1:t/avpk3KcrXxUnYOhZhMXJlSEyie6gQbtLq5NM3loB8=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55 h1:o4JXh1EVt9k/+g42oCprj/FisM4qX9L3sZB3upGN2ZU=
 github.com/power-devops/perfstat v0.0.0-20240221224432-82ca36839d55/go.mod h1:OmDBASR4679mdNQnz2pUhc2G8CO2JrUAVFDRBDP/hJE=
 github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
 github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
 github.com/prashantv/gostub v1.1.0 h1:BTyx3RfQjRHnUWaGF9oQos79AlQ5k8WNktv7VGvVH4g=
 github.com/prashantv/gostub v1.1.0/go.mod h1:A5zLQHz7ieHGG7is6LLXLz7I8+3LZzsrV0P1IAHhP5U=
-github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
-github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
+github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
+github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
 github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.53.0 h1:U2pL9w9nmJwJDa4qqLQ3ZaePJ6ZTwt7cMD3AG3+aLCE=
-github.com/prometheus/common v0.53.0/go.mod h1:BrxBKv3FWBIGXw89Mg1AeBq7FSyRzXWI3l3e7W3RN5U=
-github.com/prometheus/procfs v0.15.0 h1:A82kmvXJq2jTu5YUhSGNlYoxh85zLnKgPz4bMZgI5Ek=
-github.com/prometheus/procfs v0.15.0/go.mod h1:Y0RJ/Y5g5wJpkTisOtqwDSo4HwhGmLB4VQSw2sQJLHk=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
-github.com/rs/cors v1.11.0 h1:0B9GE/r9Bc2UxRMMtymBkHTenPkHDv0CW4Y98GBY+po=
-github.com/rs/cors v1.11.0/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
-github.com/rs/xid v1.5.0 h1:mKX4bl4iPYJtEIxp6CYiUuLQ/8DYMoz0PUdtGgMFRVc=
+github.com/prometheus/common v0.61.0 h1:3gv/GThfX0cV2lpO7gkTUwZru38mxevy90Bj8YFSRQQ=
+github.com/prometheus/common v0.61.0/go.mod h1:zr29OCN/2BsJRaFwG8QOBr41D6kkchKbpeNH7pAjb/s=
+github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
+github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
+github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
+github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
+github.com/rs/cors v1.11.1 h1:eU3gRzXLRK57F5rKMGMZURNdIG4EoAmX8k94r9wXWHA=
+github.com/rs/cors v1.11.1/go.mod h1:XyqrcTp5zjWr1wsJ8PIRZssZ8b/WMcMf71DJnit4EMU=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
-github.com/rs/zerolog v1.32.0 h1:keLypqrlIjaFsbmJOBdB/qvyF8KEtCWHwobLp5l/mQ0=
-github.com/rs/zerolog v1.32.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
+github.com/rs/xid v1.6.0 h1:fV591PaemRlL6JfRxGDEPl69wICngIQ3shQtzfy2gxU=
+github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0=
+github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
+github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sagikazarmark/locafero v0.4.0 h1:HApY1R9zGo4DBgr7dqsTH/JJxLTTsOt7u6keLGt6kNQ=
-github.com/sagikazarmark/locafero v0.4.0/go.mod h1:Pe1W6UlPYUk/+wc/6KFhbORCfqzgYEpgQ3O5fPuL3H4=
+github.com/sagikazarmark/locafero v0.6.0 h1:ON7AQg37yzcRPU69mt7gwhFEBwxI6P9T4Qu3N51bwOk=
+github.com/sagikazarmark/locafero v0.6.0/go.mod h1:77OmuIc6VTraTXKXIs/uvUxKGUXjE1GbemJYHqdNjX0=
 github.com/sagikazarmark/slog-shim v0.1.0 h1:diDBnUNK9N/354PgrxMywXnAwEr1QZcOr6gto+ugjYE=
 github.com/sagikazarmark/slog-shim v0.1.0/go.mod h1:SrcSrq8aKtyuqEI1uvTDTK1arOWRIczQRv+GVI1AkeQ=
 github.com/secsy/goftp v0.0.0-20200609142545-aa2de14babf4 h1:PT+ElG/UUFMfqy5HrxJxNzj3QBOf7dZwupeVC+mG1Lo=
 github.com/secsy/goftp v0.0.0-20200609142545-aa2de14babf4/go.mod h1:MnkX001NG75g3p8bhFycnyIjeQoOjGL6CEIsdE/nKSY=
 github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
 github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
-github.com/sftpgo/sdk v0.1.7 h1:lzOKBDnKb1PpSMlskqCPxBYKxVWz34uMBhT78r/13iA=
-github.com/sftpgo/sdk v0.1.7/go.mod h1:ler/KG6kMLlsOs/8s6dVN3oom+z+NkbXBVWO//Cv/WA=
-github.com/shirou/gopsutil/v3 v3.24.4 h1:dEHgzZXt4LMNm+oYELpzl9YCqV65Yr/6SfrvgRBtXeU=
-github.com/shirou/gopsutil/v3 v3.24.4/go.mod h1:lTd2mdiOspcqLgAnr9/nGi71NkeMpWKdmhuxm9GusH8=
+github.com/sftpgo/sdk v0.1.9-0.20241011171103-64fc18a344f9 h1:wlXBnaNfJJJRZjHO2AerSS5gp0ckkYUgBzSXivUo0Wo=
+github.com/sftpgo/sdk v0.1.9-0.20241011171103-64fc18a344f9/go.mod h1:ehimvlTP+XTEiE3t1CPwWx9n7+6A6OGvMGlZ7ouvKFk=
+github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
+github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
 github.com/shoenig/go-m1cpu v0.1.6/go.mod h1:1JJMcUBvfNwpq05QDQVAnx3gUHr9IYF7GNg9SUEw2VQ=
 github.com/shoenig/test v0.6.4 h1:kVTaSd7WLz5WZ2IaoM0RSzRsUD+m8wRR+5qvntpn4LU=
@ -368,18 +380,17 @@ github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9yS
 github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
 github.com/spf13/afero v1.11.0 h1:WJQKhtpdm3v2IzqG8VMqrr6Rf3UYpEF239Jy9wNepM8=
 github.com/spf13/afero v1.11.0/go.mod h1:GH9Y3pIexgf1MTIWtNGyogA5MwRIDXGUr+hbWNoBjkY=
-github.com/spf13/cast v1.6.0 h1:GEiTHELF+vaR5dhz3VqZfFSzZjYbgeKDpBxQVS4GYJ0=
-github.com/spf13/cast v1.6.0/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
-github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0=
-github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho=
+github.com/spf13/cast v1.7.1 h1:cuNEagBQEHWN1FnbGEjCXL2szYEXqfJPbP2HNUaca9Y=
+github.com/spf13/cast v1.7.1/go.mod h1:ancEpBxwJDODSW/UG4rDrAqiKolqNNh2DX3mk86cAdo=
+github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
+github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
 github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/viper v1.18.2 h1:LUXCnvUvSM6FXAsj6nnfc8Q2tp1dIgUfY9Kc8GsSOiQ=
-github.com/spf13/viper v1.18.2/go.mod h1:EKmWIqdnk5lOcmR72yw6hS+8OPYcwD0jteitLMVB+yk=
+github.com/spf13/viper v1.19.0 h1:RWq5SEjt8o25SROyN3z2OrDB9l7RPd3lwTWU8EcEdcI=
+github.com/spf13/viper v1.19.0/go.mod h1:GQUN9bilAbhU/jgc1bKs99f/suXKeUMct8Adx5+Ntkg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
-github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
@ -387,62 +398,70 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.2/go.mod h1:R6va5+xMeoiuVRoj+gSkQ7d3FALtqAAGI1FQKckRals=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
-github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
-github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
-github.com/studio-b12/gowebdav v0.9.0 h1:1j1sc9gQnNxbXXM4M/CebPOX4aXYtr7MojAVcN4dHjU=
-github.com/studio-b12/gowebdav v0.9.0/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/studio-b12/gowebdav v0.10.0 h1:Yewz8FFiadcGEu4hxS/AAJQlHelndqln1bns3hcJIYc=
+github.com/studio-b12/gowebdav v0.10.0/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
-github.com/tklauser/go-sysconf v0.3.12/go.mod h1:Ho14jnntGE1fpdOqQEEaiKRpvIavV0hSfmBq8nJbHYI=
 github.com/tklauser/go-sysconf v0.3.14 h1:g5vzr9iPFFz24v2KZXs/pvpvh8/V9Fw6vQK5ZZb78yU=
 github.com/tklauser/go-sysconf v0.3.14/go.mod h1:1ym4lWMLUOhuBOPGtRcJm7tEGX4SCYNEEEtghGG/8uY=
-github.com/tklauser/numcpus v0.6.1/go.mod h1:1XfjsgE2zo8GVw7POkMbHENHzVg3GzmoZ9fESEdAacY=
-github.com/tklauser/numcpus v0.8.0 h1:Mx4Wwe/FjZLeQsK/6kt2EOepwwSl7SmJrK5bV/dXYgY=
-github.com/tklauser/numcpus v0.8.0/go.mod h1:ZJZlAY+dmR4eut8epnzf0u/VwodKmryxR8txiloSqBE=
-github.com/unrolled/secure v1.14.0 h1:u9vJTU/pR4Bny0ntLUMxdfLtmIRGvQf2sEFuA0TG9AE=
-github.com/unrolled/secure v1.14.0/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
+github.com/tklauser/numcpus v0.9.0 h1:lmyCHtANi8aRUgkckBgoDk1nHCux3n2cgkJLXdQGPDo=
+github.com/tklauser/numcpus v0.9.0/go.mod h1:SN6Nq1O3VychhC1npsWostA+oW+VOQTxZrS604NSRyI=
+github.com/unrolled/secure v1.17.0 h1:Io7ifFgo99Bnh0J7+Q+qcMzWM6kaDPCA5FroFZEdbWU=
+github.com/unrolled/secure v1.17.0/go.mod h1:BmF5hyM6tXczk3MpQkFf1hpKSRqCyhqcbiQtiAF7+40=
 github.com/wagslane/go-password-validator v0.3.0 h1:vfxOPzGHkz5S146HDpavl0cw1DSVP061Ry2PX0/ON6I=
 github.com/wagslane/go-password-validator v0.3.0/go.mod h1:TI1XJ6T5fRdRnHqHt14pvy1tNVnrwe7m3/f1f2fDphQ=
-github.com/wneessen/go-mail v0.4.1 h1:m2rSg/sc8FZQCdtrV5M8ymHYOFrC6KJAQAIcgrXvqoo=
-github.com/wneessen/go-mail v0.4.1/go.mod h1:zxOlafWCP/r6FEhAaRgH4IC1vg2YXxO0Nar9u0IScZ8=
+github.com/wneessen/go-mail v0.5.2 h1:MZKwgHJoRboLJ+EHMLuHpZc95wo+u1xViL/4XSswDT8=
+github.com/wneessen/go-mail v0.5.2/go.mod h1:kRroJvEq2hOSEPFRiKjN7Csrz0G1w+RpiGR3b6yo+Ck=
 github.com/yl2chen/cidranger v1.0.3-0.20210928021809-d1cb2c52f37a h1:XfF01GyP+0eWCaVp0y6rNN+kFp7pt9Da4UUYrJ5XPWA=
 github.com/yl2chen/cidranger v1.0.3-0.20210928021809-d1cb2c52f37a/go.mod h1:aXb8yZQEWo1XHGMf1qQfnb83GR/EJ2EBlwtUgAaNBoE=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
 github.com/yusufpapurcu/wmi v1.2.4/go.mod h1:SBZ9tNy3G9/m5Oi98Zks0QjeHVDvuK0qfxQmPyzfmi0=
-go.etcd.io/bbolt v1.3.10 h1:+BqfJTcCzTItrop8mq/lbzL8wSGtj94UO/3U31shqG0=
-go.etcd.io/bbolt v1.3.10/go.mod h1:bK3UQLPJZly7IlNmV7uVHJDxfe5aK9Ll93e/74Y9oEQ=
+go.etcd.io/bbolt v1.3.11 h1:yGEzV1wPz2yVCLsD8ZAiGHhHVlczyC9d1rP43/VCRJ0=
+go.etcd.io/bbolt v1.3.11/go.mod h1:dksAq7YMXoljX0xu6VF5DMZGbhYYoLUalEiSySYAS4I=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0 h1:A3SayB3rNyt+1S6qpI9mHPkeHTZbD7XILEqWnYZb2l0=
-go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.51.0/go.mod h1:27iA5uvhuRNmalO+iEUdVn5ZMj2qy10Mm+XRIpRmyuU=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0 h1:Xs2Ncz0gNihqu9iosIZ5SkBbWo5T8JhhLJFMQL1qmLI=
-go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.51.0/go.mod h1:vy+2G/6NvVMpwGX/NyLqcC41fxepnuKHk16E6IZUcJc=
-go.opentelemetry.io/otel v1.26.0 h1:LQwgL5s/1W7YiiRwxf03QGnWLb2HW4pLiAhaA5cZXBs=
-go.opentelemetry.io/otel v1.26.0/go.mod h1:UmLkJHUAidDval2EICqBMbnAd0/m2vmpf/dAM+fvFs4=
-go.opentelemetry.io/otel/metric v1.26.0 h1:7S39CLuY5Jgg9CrnA9HHiEjGMF/X2VHvoXGgSllRz30=
-go.opentelemetry.io/otel/metric v1.26.0/go.mod h1:SY+rHOI4cEawI9a7N1A4nIg/nTQXe1ccCNWYOJUrpX4=
-go.opentelemetry.io/otel/sdk v1.24.0 h1:YMPPDNymmQN3ZgczicBY3B6sf9n62Dlj9pWD3ucgoDw=
-go.opentelemetry.io/otel/sdk v1.24.0/go.mod h1:KVrIYw6tEubO9E96HQpcmpTKDVn9gdv35HoYiQWGDFg=
-go.opentelemetry.io/otel/trace v1.26.0 h1:1ieeAUb4y0TE26jUFrCIXKpTuVK7uJGN9/Z/2LP5sQA=
-go.opentelemetry.io/otel/trace v1.26.0/go.mod h1:4iDxvGDQuUkHve82hJJ8UqrwswHYsZuWCBllGV2U2y0=
-go.uber.org/automaxprocs v1.5.3 h1:kWazyxZUrS3Gs4qUpbwo5kEIMGe/DAvi5Z4tl2NW4j8=
-go.uber.org/automaxprocs v1.5.3/go.mod h1:eRbA25aqJrxAbsLO0xy5jVwPt7FQnRgjW+efnwa1WM0=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/contrib/detectors/gcp v1.33.0 h1:FVPoXEoILwgbZUu4X7YSgsESsAmGRgoYcnXkzgQPhP4=
+go.opentelemetry.io/contrib/detectors/gcp v1.33.0/go.mod h1:ZHrLmr4ikK2AwRj9QL+c9s2SOlgoSRyMpNVzUj2fZqI=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 h1:PS8wXpbyaDJQ2VDHHncMe9Vct0Zn1fEjpsjrLxGJoSc=
+go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0/go.mod h1:HDBUsEjOuRC0EzKZ1bSaRGZWUBAzo+MhAcUUORSr4D0=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0 h1:yd02MEjBdJkG3uabWP9apV+OuWRIXGDuJEUJbOHmCFU=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.58.0/go.mod h1:umTcuxiv1n/s/S6/c2AT/g2CQ7u5C59sHDNmfSwgz7Q=
+go.opentelemetry.io/otel v1.33.0 h1:/FerN9bax5LoK51X/sI0SVYrjSE0/yUL7DpxW4K3FWw=
+go.opentelemetry.io/otel v1.33.0/go.mod h1:SUUkR6csvUQl+yjReHu5uM3EtVV7MBm5FHKRlNx4I8I=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0 h1:WDdP9acbMYjbKIyJUhTvtzj601sVJOqgWdUxSdR/Ysc=
+go.opentelemetry.io/otel/exporters/stdout/stdoutmetric v1.29.0/go.mod h1:BLbf7zbNIONBLPwvFnwNHGj4zge8uTCM/UPIVW1Mq2I=
+go.opentelemetry.io/otel/metric v1.33.0 h1:r+JOocAyeRVXD8lZpjdQjzMadVZp2M4WmQ+5WtEnklQ=
+go.opentelemetry.io/otel/metric v1.33.0/go.mod h1:L9+Fyctbp6HFTddIxClbQkjtubW6O9QS3Ann/M82u6M=
+go.opentelemetry.io/otel/sdk v1.33.0 h1:iax7M131HuAm9QkZotNHEfstof92xM+N8sr3uHXc2IM=
+go.opentelemetry.io/otel/sdk v1.33.0/go.mod h1:A1Q5oi7/9XaMlIWzPSxLRWOI8nG3FnzHJNbiENQuihM=
+go.opentelemetry.io/otel/sdk/metric v1.33.0 h1:Gs5VK9/WUJhNXZgn8MR6ITatvAmKeIuCtNbsP3JkNqU=
+go.opentelemetry.io/otel/sdk/metric v1.33.0/go.mod h1:dL5ykHZmm1B1nVRk9dDjChwDmt81MjVp3gLkQRwKf/Q=
+go.opentelemetry.io/otel/trace v1.33.0 h1:cCJuF7LRjUFso9LPnEAHJDB2pqzp+hbO8eu1qqW2d/s=
+go.opentelemetry.io/otel/trace v1.33.0/go.mod h1:uIcdVUZMpTAmz0tI1z04GoVSezK37CbGV4fr1f2nBck=
+go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
+go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-gocloud.dev v0.37.0 h1:XF1rN6R0qZI/9DYjN16Uy0durAmSlf58DHOcb28GPro=
-gocloud.dev v0.37.0/go.mod h1:7/O4kqdInCNsc6LqgmuFnS0GRew4XNNYWpA44yQnwco=
+gocloud.dev v0.40.0 h1:f8LgP+4WDqOG/RXoUcyLpeIAGOcAbZrZbDQCUee10ng=
+gocloud.dev v0.40.0/go.mod h1:drz+VyYNBvrMTW0KZiBAYEdl8lbNZx+OQ7oQvdrFmSQ=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842 h1:vr/HnozRka3pE4EsMEg1lgkXJkTFJCVUX+S/ZT6wYzM=
-golang.org/x/exp v0.0.0-20240506185415-9bf2ced13842/go.mod h1:XtvwrStGgqGPLc4cjQfWqZHG1YFdYs6swckp8vpsjnc=
+golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67 h1:1UoZQm6f0P/ZO0w1Ri+f+ifG/gXhegadRdwBIXEFWDo=
+golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67/go.mod h1:qj5a5QZpwLU2NLQudwIN5koi3beDhSAlJwa67PuM98c=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
 golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
-golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
+golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
+golang.org/x/mod v0.15.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
 golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
+golang.org/x/mod v0.22.0 h1:D4nJWe9zXqHOmWqj4VMOJhvzj7bEZg4wEYa759z1pH4=
+golang.org/x/mod v0.22.0/go.mod h1:6SkKJ3Xj0I0BrPOZoBy3bdMptDDU9oJrpohJ3eWZ1fY=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@ -451,19 +470,25 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.21.0/go.mod h1:bIjVDfnllIU7BJ2DNgfnXvpSvtn8VRwhlsaeUTyUS44=
-golang.org/x/net v0.25.0 h1:d/OCCoBEUq33pjydKrGQhw7IlUPI2Oylr+8qLx49kac=
 golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM=
+golang.org/x/net v0.33.0 h1:74SYHlV8BIgHIFC/LrYkOGIwL19eTYXQ5wc6TBuO36I=
+golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.20.0 h1:4mQdhULixXKP1rwYBW0vAijoXnkTG0BLCDRzfe1idMo=
-golang.org/x/oauth2 v0.20.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
+golang.org/x/oauth2 v0.24.0 h1:KTBBxWqUa0ykRPLtV69rRto9TLXcqYkeswu48x/gvNE=
+golang.org/x/oauth2 v0.24.0/go.mod h1:XYTD2NtWslqkgxebSiOHnXEap4TF09sJSc7H1sXbhtI=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
+golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
+golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.10.0 h1:3NQrjDixjgGwUOCaF8w2+VYHv0Ve/vGYSbdkTa98gmQ=
+golang.org/x/sync v0.10.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@ -482,27 +507,31 @@ golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.19.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.20.0 h1:Od9JTbYCk261bKm4M/mw7AklTlFYIa0bIp9BgSm1S8Y=
 golang.org/x/sys v0.20.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.20.0 h1:VnkxpohqXaOBYJtBmEppKUG6mXpi+4O6purfc2+sMhw=
 golang.org/x/term v0.20.0/go.mod h1:8UkIAJTvZgivsXaD6/pH6U9ecQzZ45awqEOzuCvwpFY=
+golang.org/x/term v0.27.0 h1:WP60Sv1nlK1T6SupCHbXzSaN0b9wUmsPoRS9b61A23Q=
+golang.org/x/term v0.27.0/go.mod h1:iMsnZpn0cago0GOrHO2+Y7u7JPn5AylBrcoWkElMTSM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.15.0 h1:h1V/4gjBv8v9cjcR6+AR5+/cIYK5N/WAgiv4xlsEtAk=
 golang.org/x/text v0.15.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/text v0.21.0 h1:zyQAAkrwaneQ066sspRyJaG9VNi/YJ1NfzcGB3hZ/qo=
+golang.org/x/text v0.21.0/go.mod h1:4IBbMaMmOPCJ8SecivzSH54+73PCFmPWxNTLm+vZkEQ=
+golang.org/x/time v0.8.0 h1:9i3RxcPv3PZnitoVGMPDKZSq1xW1gK1Xy3ArNOGZfEg=
+golang.org/x/time v0.8.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
@ -511,34 +540,34 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.21.0 h1:qc0xYgIbsSDt9EyWz05J5wfa7LOVW0YTLOXrqdLAWIw=
-golang.org/x/tools v0.21.0/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
+golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
+golang.org/x/tools v0.28.0 h1:WuB6qZ4RPCQo5aP3WdKZS7i595EdWqWR8vqJTlwTVK8=
+golang.org/x/tools v0.28.0/go.mod h1:dcIOrVd3mfQKTgrDVQHqCPMWy6lnhfhtX3hLXYVLfRw=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 h1:+cNy6SZtPcJQH3LJVLOSmiC7MMxXNOb3PU/VUEz+EhU=
-golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
-google.golang.org/api v0.180.0 h1:M2D87Yo0rGBPWpo1orwfCLehUUL6E7/TYe5gvMQWDh4=
-google.golang.org/api v0.180.0/go.mod h1:51AiyoEg1MJPSZ9zvklA8VnRILPXxn1iVen9v25XHAE=
+golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da h1:noIWHXmPHxILtqtCOPIhSt0ABwskkZKjD3bXGnZGpNY=
+golang.org/x/xerrors v0.0.0-20240903120638-7835f813f4da/go.mod h1:NDW/Ps6MPRej6fsCIbMTohpP40sJ/P/vI1MoTEGwX90=
+google.golang.org/api v0.214.0 h1:h2Gkq07OYi6kusGOaT/9rnNljuXmqPnaig7WGPmKbwA=
+google.golang.org/api v0.214.0/go.mod h1:bYPpLG8AyeMWwDU6NXoB00xC0DFkikVvd5MfwoxjLqE=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20240513163218-0867130af1f8 h1:XpH03M6PDRKTo1oGfZBXu2SzwcbfxUokgobVinuUZoU=
-google.golang.org/genproto v0.0.0-20240513163218-0867130af1f8/go.mod h1:OLh2Ylz+WlYAJaSBRpJIJLP8iQP+8da+fpxbwNEAV/o=
-google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8 h1:W5Xj/70xIA4x60O/IFyXivR5MGqblAb8R3w26pnD6No=
-google.golang.org/genproto/googleapis/api v0.0.0-20240513163218-0867130af1f8/go.mod h1:vPrPUTsDCYxXWjP7clS81mZ6/803D8K4iM9Ma27VKas=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8 h1:mxSlqyb8ZAHsYDCfiXN1EDdNTdvjUJSLY+OnAUtYNYA=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20240513163218-0867130af1f8/go.mod h1:I7Y+G38R2bu5j1aLzfFmQfTcU/WnFuqDwLZAbvKTKpM=
+google.golang.org/genproto v0.0.0-20241219192143-6b3ec007d9bb h1:JGs+s1Q6osip3cDY197L1HmkuPn8wPp9Hfy9jl+Uz+U=
+google.golang.org/genproto v0.0.0-20241219192143-6b3ec007d9bb/go.mod h1:o8GgNarfULyZPNaIY8RDfXM7AZcmcKC/tbMWp/ZOFDw=
+google.golang.org/genproto/googleapis/api v0.0.0-20241219192143-6b3ec007d9bb h1:B7GIB7sr443wZ/EAEl7VZjmh1V6qzkt5V+RYcUYtS1U=
+google.golang.org/genproto/googleapis/api v0.0.0-20241219192143-6b3ec007d9bb/go.mod h1:E5//3O5ZIG2l71Xnt+P/CYUY8Bxs8E7WMoZ9tlcMbAY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241219192143-6b3ec007d9bb h1:3oy2tynMOP1QbTC0MsNNAV+Se8M2Bd0A5+x1QHyw+pI=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20241219192143-6b3ec007d9bb/go.mod h1:lcTa1sDdWEIHMWlITnIczmw5w60CF9ffkb8Z+DVmmjA=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
 google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
 google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc=
-google.golang.org/grpc v1.63.2 h1:MUeiw1B2maTVZthpU5xvASfTh3LDbxHd6IJ6QQVU+xM=
-google.golang.org/grpc v1.63.2/go.mod h1:WAX/8DgncnokcFUldAxq7GeB5DXHDbMF+lLvDomNkRA=
-google.golang.org/grpc v1.64.0 h1:KH3VH9y/MgNQg1dE7b3XfVK0GsPSIzJwdF617gUSbvY=
-google.golang.org/grpc v1.64.0/go.mod h1:oxjF8E3FBnjp+/gVFYdWacaLDx9na1aqy9oovLpxQYg=
+google.golang.org/grpc v1.69.2 h1:U3S9QEtbXC0bYNvRtcoklF3xGtLViumSYxWykJS+7AU=
+google.golang.org/grpc v1.69.2/go.mod h1:vyjdE6jLBI76dgpDojsFGNaHlxdjXN9ghpnd2o7JGZ4=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@ -548,8 +577,8 @@ google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
-google.golang.org/protobuf v1.34.1 h1:9ddQBjfCyZPOHPUiPxpYESBLc+T8P3E+Vo4IbKZgFWg=
-google.golang.org/protobuf v1.34.1/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
+google.golang.org/protobuf v1.36.0 h1:mjIs9gYtt56AzC4ZaffQuh88TZurBGhIJMBZGSxNerQ=
+google.golang.org/protobuf v1.36.0/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@ -558,9 +587,6 @@ gopkg.in/ini.v1 v1.67.0/go.mod h1:pNLf8WUiyNEtQjuu5G5vTm06TEv9tsIgeAvK8hOrP4k=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
-gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/internal/acme/acme.go
+++ b/internal/acme/acme.go
@ -30,6 +30,7 @@ import (
 	"net/url"
 	"os"
 	"path/filepath"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@ -43,6 +44,7 @@ import (
 	"github.com/go-acme/lego/v4/log"
 	"github.com/go-acme/lego/v4/providers/http/webroot"
 	"github.com/go-acme/lego/v4/registration"
+	"github.com/hashicorp/go-retryablehttp"
 	"github.com/robfig/cron/v3"

 	"github.com/drakkan/sftpgo/v2/internal/common"
@ -249,7 +251,7 @@ func (c *Configuration) Initialize(configDir string) error {
 	if c.RenewDays < 1 {
 		return fmt.Errorf("invalid number of days remaining before renewal: %d", c.RenewDays)
 	}
-	if !util.Contains(supportedKeyTypes, c.KeyType) {
+	if !slices.Contains(supportedKeyTypes, c.KeyType) {
 		return fmt.Errorf("invalid key type %q", c.KeyType)
 	}
 	caURL, err := url.Parse(c.CAEndpoint)
@ -489,7 +491,15 @@ func (c *Configuration) setup() (*account, *lego.Client, error) {
 	config := lego.NewConfig(&account)
 	config.CADirURL = c.CAEndpoint
 	config.Certificate.KeyType = certcrypto.KeyType(c.KeyType)
+	config.Certificate.OverallRequestLimit = 6
 	config.UserAgent = version.GetServerVersion("/", false)
+
+	retryClient := retryablehttp.NewClient()
+	retryClient.RetryMax = 5
+	retryClient.HTTPClient = config.HTTPClient
+
+	config.HTTPClient = retryClient.StandardClient()
+
 	client, err := lego.NewClient(config)
 	if err != nil {
 		acmeLog(logger.LevelError, "unable to get ACME client: %v", err)
@ -557,6 +567,12 @@ func (c *Configuration) tryRecoverRegistration(privateKey crypto.PrivateKey) (*r
 	config.CADirURL = c.CAEndpoint
 	config.UserAgent = version.GetServerVersion("/", false)

+	retryClient := retryablehttp.NewClient()
+	retryClient.RetryMax = 5
+	retryClient.HTTPClient = config.HTTPClient
+
+	config.HTTPClient = retryClient.StandardClient()
+
 	client, err := lego.NewClient(config)
 	if err != nil {
 		acmeLog(logger.LevelError, "unable to get the ACME client: %v", err)
@ -671,7 +687,7 @@ func (c *Configuration) notifyCertificateRenewal(domain string, err error) {
 	params := common.EventParams{
 		Name:      domain,
 		Event:     "Certificate renewal",
-		Timestamp: time.Now().UnixNano(),
+		Timestamp: time.Now(),
 	}
 	if err != nil {
 		params.Status = 2
--- a/internal/cmd/resetpwd.go
+++ b/internal/cmd/resetpwd.go
@ -37,6 +37,7 @@ var (
 		Short: "Reset the password for the specified administrator",
 		Long: `This command reads the data provider connection details from the specified
 configuration file and resets the password for the specified administrator.
+Two-factor authentication is also disabled.
 This command is not supported for the memory provider.
 For embedded providers like bolt and SQLite you should stop the running SFTPGo
 instance to avoid database corruption.
@ -98,6 +99,7 @@ Please take a look at the usage below to customize the options.`,
 				os.Exit(1)
 			}
 			admin.Password = string(pwd)
+			admin.Filters.TOTPConfig.Enabled = false
 			if err := dataprovider.UpdateAdmin(&admin, dataprovider.ActionExecutorSystem, "", ""); err != nil {
 				logger.ErrorToConsole("Unable to update password: %v", err)
 				os.Exit(1)
--- a/internal/cmd/revertprovider.go
+++ b/internal/cmd/revertprovider.go
@ -40,8 +40,8 @@ Please take a look at the usage below to customize the options.`,
 		Run: func(_ *cobra.Command, _ []string) {
 			logger.DisableLogger()
 			logger.EnableConsoleLogger(zerolog.DebugLevel)
-			if revertProviderTargetVersion != 28 {
-				logger.WarnToConsole("Unsupported target version, 28 is the only supported one")
+			if revertProviderTargetVersion != 29 {
+				logger.WarnToConsole("Unsupported target version, 29 is the only supported one")
 				os.Exit(1)
 			}
 			configDir = util.CleanDirInput(configDir)
@ -71,7 +71,7 @@ Please take a look at the usage below to customize the options.`,

 func init() {
 	addConfigFlags(revertProviderCmd)
-	revertProviderCmd.Flags().IntVar(&revertProviderTargetVersion, "to-version", 28, `28 means the version supported in v2.5.x`)
+	revertProviderCmd.Flags().IntVar(&revertProviderTargetVersion, "to-version", 29, `29 means the version supported in v2.6.x`)

 	rootCmd.AddCommand(revertProviderCmd)
 }
--- a/internal/cmd/serve.go
+++ b/internal/cmd/serve.go
@ -16,13 +16,21 @@ package cmd

 import (
 	"os"
+	"path/filepath"
+	"strconv"
+	"strings"

 	"github.com/spf13/cobra"
+	"github.com/subosito/gotenv"

 	"github.com/drakkan/sftpgo/v2/internal/service"
 	"github.com/drakkan/sftpgo/v2/internal/util"
 )

+const (
+	envFileMaxSize = 1048576
+)
+
 var (
 	serveCmd = &cobra.Command{
 		Use:   "serve",
@ -34,9 +42,11 @@ $ sftpgo serve

 Please take a look at the usage below to customize the startup options`,
 		Run: func(_ *cobra.Command, _ []string) {
+			configDir := util.CleanDirInput(configDir)
+			checkServeParamsFromEnvFiles(configDir)
 			service.SetGraceTime(graceTime)
 			service := service.Service{
-				ConfigDir:         util.CleanDirInput(configDir),
+				ConfigDir:         configDir,
 				ConfigFile:        configFile,
 				LogFilePath:       logFilePath,
 				LogMaxSize:        logMaxSize,
@ -62,6 +72,75 @@ Please take a look at the usage below to customize the startup options`,
 	}
 )

+func setIntFromEnv(receiver *int, val string) {
+	converted, err := strconv.Atoi(val)
+	if err == nil {
+		*receiver = converted
+	}
+}
+
+func setBoolFromEnv(receiver *bool, val string) {
+	converted, err := strconv.ParseBool(strings.TrimSpace(val))
+	if err == nil {
+		*receiver = converted
+	}
+}
+
+func checkServeParamsFromEnvFiles(configDir string) { //nolint:gocyclo
+	// The logger is not yet initialized here, we have no way to report errors.
+	envd := filepath.Join(configDir, "env.d")
+	entries, err := os.ReadDir(envd)
+	if err != nil {
+		return
+	}
+	for _, entry := range entries {
+		info, err := entry.Info()
+		if err == nil && info.Mode().IsRegular() {
+			envFile := filepath.Join(envd, entry.Name())
+			if info.Size() > envFileMaxSize {
+				continue
+			}
+			envVars, err := gotenv.Read(envFile)
+			if err != nil {
+				return
+			}
+			for k, v := range envVars {
+				if _, isSet := os.LookupEnv(k); isSet {
+					continue
+				}
+				switch k {
+				case "SFTPGO_LOG_FILE_PATH":
+					logFilePath = v
+				case "SFTPGO_LOG_MAX_SIZE":
+					setIntFromEnv(&logMaxSize, v)
+				case "SFTPGO_LOG_MAX_BACKUPS":
+					setIntFromEnv(&logMaxBackups, v)
+				case "SFTPGO_LOG_MAX_AGE":
+					setIntFromEnv(&logMaxAge, v)
+				case "SFTPGO_LOG_COMPRESS":
+					setBoolFromEnv(&logCompress, v)
+				case "SFTPGO_LOG_LEVEL":
+					logLevel = v
+				case "SFTPGO_LOG_UTC_TIME":
+					setBoolFromEnv(&logUTCTime, v)
+				case "SFTPGO_CONFIG_FILE":
+					configFile = v
+				case "SFTPGO_LOADDATA_FROM":
+					loadDataFrom = v
+				case "SFTPGO_LOADDATA_MODE":
+					setIntFromEnv(&loadDataMode, v)
+				case "SFTPGO_LOADDATA_CLEAN":
+					setBoolFromEnv(&loadDataClean, v)
+				case "SFTPGO_LOADDATA_QUOTA_SCAN":
+					setIntFromEnv(&loadDataQuotaScan, v)
+				case "SFTPGO_GRACE_TIME":
+					setIntFromEnv(&graceTime, v)
+				}
+			}
+		}
+	}
+}
+
 func init() {
 	rootCmd.AddCommand(serveCmd)
 	addServeFlags(serveCmd)
--- a/internal/cmd/start_windows.go
+++ b/internal/cmd/start_windows.go
@ -17,7 +17,6 @@ package cmd
 import (
 	"fmt"
 	"os"
-	"path/filepath"

 	"github.com/spf13/cobra"

@ -31,21 +30,23 @@ var (
 		Short: "Start the SFTPGo Windows Service",
 		Run: func(_ *cobra.Command, _ []string) {
 			configDir = util.CleanDirInput(configDir)
-			if !filepath.IsAbs(logFilePath) && util.IsFileInputValid(logFilePath) {
-				logFilePath = filepath.Join(configDir, logFilePath)
-			}
+			checkServeParamsFromEnvFiles(configDir)
 			service.SetGraceTime(graceTime)
 			s := service.Service{
-				ConfigDir:     configDir,
-				ConfigFile:    configFile,
-				LogFilePath:   logFilePath,
-				LogMaxSize:    logMaxSize,
-				LogMaxBackups: logMaxBackups,
-				LogMaxAge:     logMaxAge,
-				LogCompress:   logCompress,
-				LogLevel:      logLevel,
-				LogUTCTime:    logUTCTime,
-				Shutdown:      make(chan bool),
+				ConfigDir:         configDir,
+				ConfigFile:        configFile,
+				LogFilePath:       logFilePath,
+				LogMaxSize:        logMaxSize,
+				LogMaxBackups:     logMaxBackups,
+				LogMaxAge:         logMaxAge,
+				LogCompress:       logCompress,
+				LogLevel:          logLevel,
+				LogUTCTime:        logUTCTime,
+				LoadDataFrom:      loadDataFrom,
+				LoadDataMode:      loadDataMode,
+				LoadDataQuotaScan: loadDataQuotaScan,
+				LoadDataClean:     loadDataClean,
+				Shutdown:          make(chan bool),
 			}
 			winService := service.WindowsService{
 				Service: s,
--- a/internal/cmd/startsubsys.go
+++ b/internal/cmd/startsubsys.go
@ -90,6 +90,10 @@ Command-line flags should be specified in the Subsystem declaration.
 				logger.Error(logSender, connectionID, "unable to initialize KMS: %v", err)
 				os.Exit(1)
 			}
+			if err := plugin.Initialize(config.GetPluginsConfig(), logLevel); err != nil {
+				logger.Error(logSender, connectionID, "unable to initialize plugin system: %v", err)
+				os.Exit(1)
+			}
 			mfaConfig := config.GetMFAConfig()
 			err = mfaConfig.Initialize()
 			if err != nil {
@ -109,10 +113,6 @@ Command-line flags should be specified in the Subsystem declaration.
 				logger.Error(logSender, connectionID, "unable to initialize the data provider: %v", err)
 				os.Exit(1)
 			}
-			if err := plugin.Initialize(config.GetPluginsConfig(), logLevel); err != nil {
-				logger.Error(logSender, connectionID, "unable to initialize plugin system: %v", err)
-				os.Exit(1)
-			}
 			smtpConfig := config.GetSMTPConfig()
 			err = smtpConfig.Initialize(configDir, false)
 			if err != nil {
--- a/internal/command/command.go
+++ b/internal/command/command.go
@ -17,10 +17,9 @@ package command

 import (
 	"fmt"
+	"slices"
 	"strings"
 	"time"
-
-	"github.com/drakkan/sftpgo/v2/internal/util"
 )

 const (
@ -117,7 +116,7 @@ func (c Config) Initialize() error {
 		}
 		// don't validate args, we allow to pass empty arguments
 		if cmd.Hook != "" {
-			if !util.Contains(supportedHooks, cmd.Hook) {
+			if !slices.Contains(supportedHooks, cmd.Hook) {
 				return fmt.Errorf("invalid hook name %q, supported values: %+v", cmd.Hook, supportedHooks)
 			}
 		}
--- a/internal/common/actions.go
+++ b/internal/common/actions.go
@ -25,6 +25,7 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
+	"slices"
 	"strings"
 	"sync/atomic"
 	"time"
@ -86,13 +87,14 @@ func InitializeActionHandler(handler ActionHandler) {
 func ExecutePreAction(conn *BaseConnection, operation, filePath, virtualPath string, fileSize int64, openFlags int) (int, error) {
 	var event *notifier.FsEvent
 	hasNotifiersPlugin := plugin.Handler.HasNotifiers()
-	hasHook := util.Contains(Config.Actions.ExecuteOn, operation)
+	hasHook := slices.Contains(Config.Actions.ExecuteOn, operation)
 	hasRules := eventManager.hasFsRules()
 	if !hasHook && !hasNotifiersPlugin && !hasRules {
 		return 0, nil
 	}
+	dateTime := time.Now()
 	event = newActionNotification(&conn.User, operation, filePath, virtualPath, "", "", "",
-		conn.protocol, conn.GetRemoteIP(), conn.ID, fileSize, openFlags, conn.getNotificationStatus(nil), 0, nil)
+		conn.protocol, conn.GetRemoteIP(), conn.ID, fileSize, openFlags, conn.getNotificationStatus(nil), 0, dateTime, nil)
 	if hasNotifiersPlugin {
 		plugin.Handler.NotifyFsEvent(event)
 	}
@ -112,7 +114,7 @@ func ExecutePreAction(conn *BaseConnection, operation, filePath, virtualPath str
 			Protocol:          event.Protocol,
 			IP:                event.IP,
 			Role:              event.Role,
-			Timestamp:         event.Timestamp,
+			Timestamp:         dateTime,
 			Email:             conn.User.Email,
 			Object:            nil,
 		}
@ -132,13 +134,14 @@ func ExecuteActionNotification(conn *BaseConnection, operation, filePath, virtua
 	fileSize int64, err error, elapsed int64, metadata map[string]string,
 ) error {
 	hasNotifiersPlugin := plugin.Handler.HasNotifiers()
-	hasHook := util.Contains(Config.Actions.ExecuteOn, operation)
+	hasHook := slices.Contains(Config.Actions.ExecuteOn, operation)
 	hasRules := eventManager.hasFsRules()
 	if !hasHook && !hasNotifiersPlugin && !hasRules {
 		return nil
 	}
+	dateTime := time.Now()
 	notification := newActionNotification(&conn.User, operation, filePath, virtualPath, target, virtualTarget, sshCmd,
-		conn.protocol, conn.GetRemoteIP(), conn.ID, fileSize, 0, conn.getNotificationStatus(err), elapsed, metadata)
+		conn.protocol, conn.GetRemoteIP(), conn.ID, fileSize, 0, conn.getNotificationStatus(err), elapsed, dateTime, metadata)
 	if hasNotifiersPlugin {
 		plugin.Handler.NotifyFsEvent(notification)
 	}
@ -159,7 +162,7 @@ func ExecuteActionNotification(conn *BaseConnection, operation, filePath, virtua
 			Protocol:          notification.Protocol,
 			IP:                notification.IP,
 			Role:              notification.Role,
-			Timestamp:         notification.Timestamp,
+			Timestamp:         dateTime,
 			Email:             conn.User.Email,
 			Object:            nil,
 			Metadata:          metadata,
@ -173,7 +176,7 @@ func ExecuteActionNotification(conn *BaseConnection, operation, filePath, virtua
 		}
 	}
 	if hasHook {
-		if util.Contains(Config.Actions.ExecuteSync, operation) {
+		if slices.Contains(Config.Actions.ExecuteSync, operation) {
 			_, err := actionHandler.Handle(notification)
 			return err
 		}
@ -197,6 +200,7 @@ func newActionNotification(
 	operation, filePath, virtualPath, target, virtualTarget, sshCmd, protocol, ip, sessionID string,
 	fileSize int64,
 	openFlags, status int, elapsed int64,
+	datetime time.Time,
 	metadata map[string]string,
 ) *notifier.FsEvent {
 	var bucket, endpoint string
@ -238,7 +242,7 @@ func newActionNotification(
 		SessionID:         sessionID,
 		OpenFlags:         openFlags,
 		Role:              user.Role,
-		Timestamp:         time.Now().UnixNano(),
+		Timestamp:         datetime.UnixNano(),
 		Elapsed:           elapsed,
 		Metadata:          metadata,
 	}
@ -247,7 +251,7 @@ func newActionNotification(
 type defaultActionHandler struct{}

 func (h *defaultActionHandler) Handle(event *notifier.FsEvent) (int, error) {
-	if !util.Contains(Config.Actions.ExecuteOn, event.Action) {
+	if !slices.Contains(Config.Actions.ExecuteOn, event.Action) {
 		return 0, nil
 	}

--- a/internal/common/actions_test.go
+++ b/internal/common/actions_test.go
@ -22,8 +22,9 @@ import (
 	"path/filepath"
 	"runtime"
 	"testing"
+	"time"

-	"github.com/lithammer/shortuuid/v3"
+	"github.com/lithammer/shortuuid/v4"
 	"github.com/rs/xid"
 	"github.com/sftpgo/sdk"
 	"github.com/sftpgo/sdk/plugin/notifier"
@ -71,7 +72,7 @@ func TestNewActionNotification(t *testing.T) {
 	c := NewBaseConnection("id", ProtocolSSH, "", "", user)
 	sessionID := xid.New().String()
 	a := newActionNotification(&user, operationDownload, "path", "vpath", "target", "", "", ProtocolSFTP, "", sessionID,
-		123, 0, c.getNotificationStatus(errors.New("fake error")), 0, nil)
+		123, 0, c.getNotificationStatus(errors.New("fake error")), 0, time.Now(), nil)
 	assert.Equal(t, user.Username, a.Username)
 	assert.Equal(t, 0, len(a.Bucket))
 	assert.Equal(t, 0, len(a.Endpoint))
@ -79,38 +80,38 @@ func TestNewActionNotification(t *testing.T) {

 	user.FsConfig.Provider = sdk.S3FilesystemProvider
 	a = newActionNotification(&user, operationDownload, "path", "vpath", "target", "", "", ProtocolSSH, "", sessionID,
-		123, 0, c.getNotificationStatus(nil), 0, nil)
+		123, 0, c.getNotificationStatus(nil), 0, time.Now(), nil)
 	assert.Equal(t, "s3bucket", a.Bucket)
 	assert.Equal(t, "endpoint", a.Endpoint)
 	assert.Equal(t, 1, a.Status)

 	user.FsConfig.Provider = sdk.GCSFilesystemProvider
 	a = newActionNotification(&user, operationDownload, "path", "vpath", "target", "", "", ProtocolSCP, "", sessionID,
-		123, 0, c.getNotificationStatus(ErrQuotaExceeded), 0, nil)
+		123, 0, c.getNotificationStatus(ErrQuotaExceeded), 0, time.Now(), nil)
 	assert.Equal(t, "gcsbucket", a.Bucket)
 	assert.Equal(t, 0, len(a.Endpoint))
 	assert.Equal(t, 3, a.Status)
 	a = newActionNotification(&user, operationDownload, "path", "vpath", "target", "", "", ProtocolSCP, "", sessionID,
-		123, 0, c.getNotificationStatus(fmt.Errorf("wrapper quota error: %w", ErrQuotaExceeded)), 0, nil)
+		123, 0, c.getNotificationStatus(fmt.Errorf("wrapper quota error: %w", ErrQuotaExceeded)), 0, time.Now(), nil)
 	assert.Equal(t, "gcsbucket", a.Bucket)
 	assert.Equal(t, 0, len(a.Endpoint))
 	assert.Equal(t, 3, a.Status)

 	user.FsConfig.Provider = sdk.HTTPFilesystemProvider
 	a = newActionNotification(&user, operationDownload, "path", "vpath", "target", "", "", ProtocolSSH, "", sessionID,
-		123, 0, c.getNotificationStatus(nil), 0, nil)
+		123, 0, c.getNotificationStatus(nil), 0, time.Now(), nil)
 	assert.Equal(t, "httpendpoint", a.Endpoint)
 	assert.Equal(t, 1, a.Status)

 	user.FsConfig.Provider = sdk.AzureBlobFilesystemProvider
 	a = newActionNotification(&user, operationDownload, "path", "vpath", "target", "", "", ProtocolSCP, "", sessionID,
-		123, 0, c.getNotificationStatus(nil), 0, nil)
+		123, 0, c.getNotificationStatus(nil), 0, time.Now(), nil)
 	assert.Equal(t, "azcontainer", a.Bucket)
 	assert.Equal(t, "azendpoint", a.Endpoint)
 	assert.Equal(t, 1, a.Status)

 	a = newActionNotification(&user, operationDownload, "path", "vpath", "target", "", "", ProtocolSCP, "", sessionID,
-		123, os.O_APPEND, c.getNotificationStatus(nil), 0, nil)
+		123, os.O_APPEND, c.getNotificationStatus(nil), 0, time.Now(), nil)
 	assert.Equal(t, "azcontainer", a.Bucket)
 	assert.Equal(t, "azendpoint", a.Endpoint)
 	assert.Equal(t, 1, a.Status)
@ -118,7 +119,7 @@ func TestNewActionNotification(t *testing.T) {

 	user.FsConfig.Provider = sdk.SFTPFilesystemProvider
 	a = newActionNotification(&user, operationDownload, "path", "vpath", "target", "", "", ProtocolSFTP, "", sessionID,
-		123, 0, c.getNotificationStatus(nil), 0, nil)
+		123, 0, c.getNotificationStatus(nil), 0, time.Now(), nil)
 	assert.Equal(t, "sftpendpoint", a.Endpoint)
 }

@ -135,7 +136,7 @@ func TestActionHTTP(t *testing.T) {
 		},
 	}
 	a := newActionNotification(user, operationDownload, "path", "vpath", "target", "", "", ProtocolSFTP, "",
-		xid.New().String(), 123, 0, 1, 0, nil)
+		xid.New().String(), 123, 0, 1, 0, time.Now(), nil)
 	status, err := actionHandler.Handle(a)
 	assert.NoError(t, err)
 	assert.Equal(t, 1, status)
@ -175,7 +176,7 @@ func TestActionCMD(t *testing.T) {
 	}
 	sessionID := shortuuid.New()
 	a := newActionNotification(user, operationDownload, "path", "vpath", "target", "", "", ProtocolSFTP, "", sessionID,
-		123, 0, 1, 0, map[string]string{"key": "value"})
+		123, 0, 1, 0, time.Now(), map[string]string{"key": "value"})
 	status, err := actionHandler.Handle(a)
 	assert.NoError(t, err)
 	assert.Equal(t, 1, status)
@ -208,7 +209,7 @@ func TestWrongActions(t *testing.T) {
 	}

 	a := newActionNotification(user, operationUpload, "", "", "", "", "", ProtocolSFTP, "", xid.New().String(),
-		123, 0, 1, 0, nil)
+		123, 0, 1, 0, time.Now(), nil)
 	status, err := actionHandler.Handle(a)
 	assert.Error(t, err, "action with bad command must fail")
 	assert.Equal(t, 1, status)
--- a/internal/common/common.go
+++ b/internal/common/common.go
@ -25,6 +25,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@ -124,6 +125,9 @@ func init() {
 	Connections.clients = clientsMap{
 		clients: make(map[string]int),
 	}
+	Connections.transfers = clientsMap{
+		clients: make(map[string]int),
+	}
 	Connections.perUserConns = make(map[string]int)
 	Connections.mapping = make(map[string]int)
 	Connections.sshMapping = make(map[string]int)
@ -163,13 +167,20 @@ var (
 	rateLimiters     map[string][]*rateLimiter
 	isShuttingDown   atomic.Bool
 	ftpLoginCommands = []string{"PASS", "USER"}
+	fnUpdateBranding func(*dataprovider.BrandingConfigs)
 )

+// SetUpdateBrandingFn sets the function to call to update branding configs.
+func SetUpdateBrandingFn(fn func(*dataprovider.BrandingConfigs)) {
+	fnUpdateBranding = fn
+}
+
 // Initialize sets the common configuration
 func Initialize(c Configuration, isShared int) error {
 	isShuttingDown.Store(false)
 	util.SetUmask(c.Umask)
 	version.SetConfig(c.ServerVersion)
+	dataprovider.SetTZ(c.TZ)
 	Config = c
 	Config.Actions.ExecuteOn = util.RemoveDuplicates(Config.Actions.ExecuteOn, true)
 	Config.Actions.ExecuteSync = util.RemoveDuplicates(Config.Actions.ExecuteSync, true)
@ -200,7 +211,7 @@ func Initialize(c Configuration, isShared int) error {
 		Config.rateLimitersList = rateLimitersList
 	}
 	if c.DefenderConfig.Enabled {
-		if !util.Contains(supportedDefenderDrivers, c.DefenderConfig.Driver) {
+		if !slices.Contains(supportedDefenderDrivers, c.DefenderConfig.Driver) {
 			return fmt.Errorf("unsupported defender driver %q", c.DefenderConfig.Driver)
 		}
 		var defender Defender
@ -228,6 +239,9 @@ func Initialize(c Configuration, isShared int) error {
 	if err := c.initializeProxyProtocol(); err != nil {
 		return err
 	}
+	if err := c.EventManager.validate(); err != nil {
+		return err
+	}
 	vfs.SetTempPath(c.TempPath)
 	dataprovider.SetTempPath(c.TempPath)
 	vfs.SetAllowSelfConnections(c.AllowSelfConnections)
@ -236,6 +250,7 @@ func Initialize(c Configuration, isShared int) error {
 	vfs.SetResumeMaxSize(c.ResumeMaxSize)
 	vfs.SetUploadMode(c.UploadMode)
 	dataprovider.SetAllowSelfConnections(c.AllowSelfConnections)
+	dataprovider.EnabledActionCommands = c.EventManager.EnabledCommands
 	transfersChecker = getTransfersChecker(isShared)
 	return nil
 }
@ -327,6 +342,13 @@ func Reload() error {
 	return nil
 }

+// DelayLogin applies the configured login delay
+func DelayLogin(err error) {
+	if Config.defender != nil {
+		Config.defender.DelayLogin(err)
+	}
+}
+
 // IsBanned returns true if the specified IP address is banned
 func IsBanned(ip, protocol string) bool {
 	if plugin.Handler.IsIPBanned(ip, protocol) {
@ -395,6 +417,23 @@ func AddDefenderEvent(ip, protocol string, event HostEvent) bool {
 	return Config.defender.AddEvent(ip, protocol, event)
 }

+func reloadProviderConfigs() {
+	configs, err := dataprovider.GetConfigs()
+	if err != nil {
+		logger.Error(logSender, "", "unable to load config from provider: %v", err)
+		return
+	}
+	configs.SetNilsToEmpty()
+	if fnUpdateBranding != nil {
+		fnUpdateBranding(configs.Branding)
+	}
+	if err := configs.SMTP.TryDecrypt(); err != nil {
+		logger.Error(logSender, "", "unable to decrypt smtp config: %v", err)
+		return
+	}
+	smtp.Activate(configs.SMTP)
+}
+
 func startPeriodicChecks(duration time.Duration, isShared int) {
 	startEventScheduler()
 	spec := fmt.Sprintf("@every %s", duration)
@ -403,7 +442,7 @@ func startPeriodicChecks(duration time.Duration, isShared int) {
 	logger.Info(logSender, "", "scheduled overquota transfers check, schedule %q", spec)
 	if isShared == 1 {
 		logger.Info(logSender, "", "add reload configs task")
-		_, err := eventScheduler.AddFunc("@every 10m", smtp.ReloadProviderConf)
+		_, err := eventScheduler.AddFunc("@every 10m", reloadProviderConfigs)
 		util.PanicOnError(err)
 	}
 	if Config.IdleTimeout > 0 {
@ -477,6 +516,23 @@ type ConnectionTransfer struct {
 	DLSize        int64  `json:"-"`
 }

+// EventManagerConfig defines the configuration for the EventManager
+type EventManagerConfig struct {
+	// EnabledCommands defines the system commands that can be executed via EventManager,
+	// an empty list means that any command is allowed to be executed.
+	// Commands must be set as an absolute path
+	EnabledCommands []string `json:"enabled_commands" mapstructure:"enabled_commands"`
+}
+
+func (c *EventManagerConfig) validate() error {
+	for _, c := range c.EnabledCommands {
+		if !filepath.IsAbs(c) {
+			return fmt.Errorf("invalid command %q: it must be an absolute path", c)
+		}
+	}
+	return nil
+}
+
 // MetadataConfig defines how to handle metadata for cloud storage backends
 type MetadataConfig struct {
 	// If not zero the metadata will be read before downloads and will be
@ -581,8 +637,14 @@ type Configuration struct {
 	Umask string `json:"umask" mapstructure:"umask"`
 	// Defines the server version
 	ServerVersion string `json:"server_version" mapstructure:"server_version"`
+	// TZ defines the time zone to use for the EventManager scheduler and to
+	// control time-based access restrictions. Set to "local" to use the
+	// server's local time, otherwise UTC will be used.
+	TZ string `json:"tz" mapstructure:"tz"`
 	// Metadata configuration
-	Metadata              MetadataConfig `json:"metadata" mapstructure:"metadata"`
+	Metadata MetadataConfig `json:"metadata" mapstructure:"metadata"`
+	// EventManager configuration
+	EventManager          EventManagerConfig `json:"event_manager" mapstructure:"event_manager"`
 	idleTimeoutAsDuration time.Duration
 	idleLoginTimeout      time.Duration
 	defender              Defender
@ -615,7 +677,7 @@ func (c *Configuration) initializeProxyProtocol() error {

 // GetProxyListener returns a wrapper for the given listener that supports the
 // HAProxy Proxy Protocol
-func (c *Configuration) GetProxyListener(listener net.Listener) (*proxyproto.Listener, error) {
+func (c *Configuration) GetProxyListener(listener net.Listener) (net.Listener, error) {
 	if c.ProxyProtocol > 0 {
 		defaultPolicy := proxyproto.REQUIRE
 		if c.ProxyProtocol == 1 {
@ -624,7 +686,7 @@ func (c *Configuration) GetProxyListener(listener net.Listener) (*proxyproto.Lis

 		return &proxyproto.Listener{
 			Listener:          listener,
-			Policy:            getProxyPolicy(c.proxyAllowed, c.proxySkipped, defaultPolicy),
+			ConnPolicy:        getProxyPolicy(c.proxyAllowed, c.proxySkipped, defaultPolicy),
 			ReadHeaderTimeout: 10 * time.Second,
 		}, nil
 	}
@ -742,7 +804,7 @@ func (c *Configuration) checkPostDisconnectHook(remoteAddr, protocol, username,
 	if c.PostDisconnectHook == "" {
 		return
 	}
-	if !util.Contains(disconnHookProtocols, protocol) {
+	if !slices.Contains(disconnHookProtocols, protocol) {
 		return
 	}
 	go c.executePostDisconnectHook(remoteAddr, protocol, username, connID, connectionTime)
@ -799,12 +861,14 @@ func (c *Configuration) ExecutePostConnectHook(ipAddr, protocol string) error {
 	return nil
 }

-func getProxyPolicy(allowed, skipped []func(net.IP) bool, def proxyproto.Policy) proxyproto.PolicyFunc {
-	return func(upstream net.Addr) (proxyproto.Policy, error) {
-		upstreamIP, err := util.GetIPFromNetAddr(upstream)
+func getProxyPolicy(allowed, skipped []func(net.IP) bool, def proxyproto.Policy) proxyproto.ConnPolicyFunc {
+	return func(connPolicyOptions proxyproto.ConnPolicyOptions) (proxyproto.Policy, error) {
+		upstreamIP, err := util.GetIPFromNetAddr(connPolicyOptions.Upstream)
 		if err != nil {
-			// something is wrong with the source IP, better reject the connection
-			return proxyproto.REJECT, err
+			// Something is wrong with the source IP, better reject the
+			// connection.
+			logger.Error(logSender, "", "reject connection from ip %q, err: %v", connPolicyOptions.Upstream, err)
+			return proxyproto.REJECT, proxyproto.ErrInvalidUpstream
 		}

 		for _, skippedFrom := range skipped {
@ -822,6 +886,11 @@ func getProxyPolicy(allowed, skipped []func(net.IP) bool, def proxyproto.Policy)
 			}
 		}

+		if def == proxyproto.REQUIRE {
+			logger.Debug(logSender, "", "reject connection from ip %q: proxy protocol signature required and not set",
+				upstreamIP)
+			return proxyproto.REJECT, proxyproto.ErrInvalidUpstream
+		}
 		return def, nil
 	}
 }
@ -868,7 +937,9 @@ func (c *SSHConnection) Close() error {
 type ActiveConnections struct {
 	// clients contains both authenticated and estabilished connections and the ones waiting
 	// for authentication
-	clients              clientsMap
+	clients clientsMap
+	// transfers contains active transfers, total and per-user
+	transfers            clientsMap
 	transfersCheckStatus atomic.Bool
 	sync.RWMutex
 	connections    []ActiveConnection
@ -919,6 +990,9 @@ func (conns *ActiveConnections) Add(c ActiveConnection) error {
 			if val := conns.perUserConns[username]; val >= maxSessions {
 				return fmt.Errorf("too many open sessions: %d/%d", val, maxSessions)
 			}
+			if val := conns.transfers.getTotalFrom(username); val >= maxSessions {
+				return fmt.Errorf("too many open transfers: %d/%d", val, maxSessions)
+			}
 		}
 		conns.addUserConnection(username)
 	}
@ -980,7 +1054,7 @@ func (conns *ActiveConnections) Remove(connectionID string) {
 		metric.UpdateActiveConnectionsSize(lastIdx)
 		logger.Debug(conn.GetProtocol(), conn.GetID(), "connection removed, local address %q, remote address %q close fs error: %v, num open connections: %d",
 			conn.GetLocalAddress(), conn.GetRemoteAddress(), err, lastIdx)
-		if conn.GetProtocol() == ProtocolFTP && conn.GetUsername() == "" && !util.Contains(ftpLoginCommands, conn.GetCommand()) {
+		if conn.GetProtocol() == ProtocolFTP && conn.GetUsername() == "" && !slices.Contains(ftpLoginCommands, conn.GetCommand()) {
 			ip := util.GetIPFromRemoteAddress(conn.GetRemoteAddress())
 			logger.ConnectionFailedLog("", ip, dataprovider.LoginMethodNoAuthTried, ProtocolFTP,
 				dataprovider.ErrNoAuthTried.Error())
@ -1179,6 +1253,35 @@ func (conns *ActiveConnections) GetClientConnections() int32 {
 	return conns.clients.getTotal()
 }

+// GetTotalTransfers returns the total number of active transfers
+func (conns *ActiveConnections) GetTotalTransfers() int32 {
+	return conns.transfers.getTotal()
+}
+
+// IsNewTransferAllowed returns an error if the maximum number of concurrent allowed
+// transfers is exceeded
+func (conns *ActiveConnections) IsNewTransferAllowed(username string) error {
+	if isShuttingDown.Load() {
+		return ErrShuttingDown
+	}
+	if Config.MaxTotalConnections == 0 && Config.MaxPerHostConnections == 0 {
+		return nil
+	}
+	if Config.MaxPerHostConnections > 0 {
+		if transfers := conns.transfers.getTotalFrom(username); transfers >= Config.MaxPerHostConnections {
+			logger.Info(logSender, "", "active transfers from user %q: %d/%d", username, transfers, Config.MaxPerHostConnections)
+			return ErrConnectionDenied
+		}
+	}
+	if Config.MaxTotalConnections > 0 {
+		if transfers := conns.transfers.getTotal(); transfers >= int32(Config.MaxTotalConnections) {
+			logger.Info(logSender, "", "active transfers %d/%d", transfers, Config.MaxTotalConnections)
+			return ErrConnectionDenied
+		}
+	}
+	return nil
+}
+
 // IsNewConnectionAllowed returns an error if the maximum number of concurrent allowed
 // connections is exceeded or a whitelist is defined and the specified ipAddr is not listed
 // or the service is shutting down
@ -1219,7 +1322,11 @@ func (conns *ActiveConnections) IsNewConnectionAllowed(ipAddr, protocol string)
 		}

 		// on a single SFTP connection we could have multiple SFTP channels or commands
-		// so we check the estabilished connections too
+		// so we check the estabilished connections and active uploads too
+		if transfers := conns.transfers.getTotal(); transfers >= int32(Config.MaxTotalConnections) {
+			logger.Info(logSender, "", "active transfers %d/%d", transfers, Config.MaxTotalConnections)
+			return ErrConnectionDenied
+		}

 		conns.RLock()
 		defer conns.RUnlock()
--- a/internal/common/common_test.go
+++ b/internal/common/common_test.go
@ -23,6 +23,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"sync"
 	"testing"
 	"time"
@ -216,6 +217,33 @@ func TestConnections(t *testing.T) {
 	Connections.RUnlock()
 }

+func TestEventManagerCommandsInitialization(t *testing.T) {
+	configCopy := Config
+
+	c := Configuration{
+		EventManager: EventManagerConfig{
+			EnabledCommands: []string{"ls"}, // not an absolute path
+		},
+	}
+	err := Initialize(c, 0)
+	assert.ErrorContains(t, err, "invalid command")
+
+	var commands []string
+	if runtime.GOOS == osWindows {
+		commands = []string{"C:\\command"}
+	} else {
+		commands = []string{"/bin/ls"}
+	}
+
+	c.EventManager.EnabledCommands = commands
+	err = Initialize(c, 0)
+	assert.NoError(t, err)
+	assert.Equal(t, commands, dataprovider.EnabledActionCommands)
+
+	dataprovider.EnabledActionCommands = configCopy.EventManager.EnabledCommands
+	Config = configCopy
+}
+
 func TestInitializationProxyErrors(t *testing.T) {
 	configCopy := Config

@ -419,6 +447,9 @@ func TestDefenderIntegration(t *testing.T) {
 		ObservationTime:  15,
 		EntriesSoftLimit: 100,
 		EntriesHardLimit: 150,
+		LoginDelay: LoginDelay{
+			PasswordFailed: 200,
+		},
 	}
 	err = Initialize(Config, 0)
 	// ScoreInvalid cannot be greater than threshold
@ -477,6 +508,16 @@ func TestDefenderIntegration(t *testing.T) {
 	assert.Nil(t, banTime)
 	assert.False(t, DeleteDefenderHost(ip))

+	startTime := time.Now()
+	DelayLogin(nil)
+	elapsed := time.Since(startTime)
+	assert.Less(t, elapsed, time.Millisecond*50)
+
+	startTime = time.Now()
+	DelayLogin(ErrInternalFailure)
+	elapsed = time.Since(startTime)
+	assert.Greater(t, elapsed, time.Millisecond*150)
+
 	Config = configCopy
 }

@ -612,11 +653,17 @@ func TestMaxConnections(t *testing.T) {

 	ipAddr := "192.168.7.8"
 	assert.NoError(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolFTP))
+	assert.NoError(t, Connections.IsNewTransferAllowed(userTestUsername))

 	Config.MaxTotalConnections = 1
 	Config.MaxPerHostConnections = perHost

 	assert.NoError(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolHTTP))
+	assert.NoError(t, Connections.IsNewTransferAllowed(userTestUsername))
+	isShuttingDown.Store(true)
+	assert.ErrorIs(t, Connections.IsNewTransferAllowed(userTestUsername), ErrShuttingDown)
+	isShuttingDown.Store(false)
+
 	c := NewBaseConnection("id", ProtocolSFTP, "", "", dataprovider.User{})
 	fakeConn := &fakeConnection{
 		BaseConnection: c,
@ -625,6 +672,10 @@ func TestMaxConnections(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Len(t, Connections.GetStats(""), 1)
 	assert.Error(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolSSH))
+	Connections.transfers.add(userTestUsername)
+	assert.Error(t, Connections.IsNewTransferAllowed(userTestUsername))
+	Connections.transfers.remove(userTestUsername)
+	assert.Equal(t, int32(0), Connections.GetTotalTransfers())

 	res := Connections.Close(fakeConn.GetID(), "")
 	assert.True(t, res)
@ -636,6 +687,9 @@ func TestMaxConnections(t *testing.T) {
 	assert.Error(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolSSH))
 	Connections.RemoveClientConnection(ipAddr)
 	assert.NoError(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolWebDAV))
+	Connections.transfers.add(userTestUsername)
+	assert.Error(t, Connections.IsNewConnectionAllowed(ipAddr, ProtocolSSH))
+	Connections.transfers.remove(userTestUsername)
 	Connections.RemoveClientConnection(ipAddr)

 	Config.MaxTotalConnections = oldValue
@ -1028,9 +1082,13 @@ func TestQuotaScansRole(t *testing.T) {

 func TestProxyPolicy(t *testing.T) {
 	addr := net.TCPAddr{}
+	downstream := net.TCPAddr{IP: net.ParseIP("1.1.1.1")}
 	p := getProxyPolicy(nil, nil, proxyproto.IGNORE)
-	policy, err := p(&addr)
-	assert.Error(t, err)
+	policy, err := p(proxyproto.ConnPolicyOptions{
+		Upstream:   &addr,
+		Downstream: &downstream,
+	})
+	assert.ErrorIs(t, err, proxyproto.ErrInvalidUpstream)
 	assert.Equal(t, proxyproto.REJECT, policy)
 	ip1 := net.ParseIP("10.8.1.1")
 	ip2 := net.ParseIP("10.8.1.2")
@ -1040,31 +1098,55 @@ func TestProxyPolicy(t *testing.T) {
 	skipped, err := util.ParseAllowedIPAndRanges([]string{ip2.String(), ip3.String()})
 	assert.NoError(t, err)
 	p = getProxyPolicy(allowed, skipped, proxyproto.IGNORE)
-	policy, err = p(&net.TCPAddr{IP: ip1})
+	policy, err = p(proxyproto.ConnPolicyOptions{
+		Upstream:   &net.TCPAddr{IP: ip1},
+		Downstream: &downstream,
+	})
 	assert.NoError(t, err)
 	assert.Equal(t, proxyproto.USE, policy)
-	policy, err = p(&net.TCPAddr{IP: ip2})
+	policy, err = p(proxyproto.ConnPolicyOptions{
+		Upstream:   &net.TCPAddr{IP: ip2},
+		Downstream: &downstream,
+	})
 	assert.NoError(t, err)
 	assert.Equal(t, proxyproto.SKIP, policy)
-	policy, err = p(&net.TCPAddr{IP: ip3})
+	policy, err = p(proxyproto.ConnPolicyOptions{
+		Upstream:   &net.TCPAddr{IP: ip3},
+		Downstream: &downstream,
+	})
 	assert.NoError(t, err)
 	assert.Equal(t, proxyproto.SKIP, policy)
-	policy, err = p(&net.TCPAddr{IP: net.ParseIP("10.8.1.4")})
+	policy, err = p(proxyproto.ConnPolicyOptions{
+		Upstream:   &net.TCPAddr{IP: net.ParseIP("10.8.1.4")},
+		Downstream: &downstream,
+	})
 	assert.NoError(t, err)
 	assert.Equal(t, proxyproto.IGNORE, policy)
 	p = getProxyPolicy(allowed, skipped, proxyproto.REQUIRE)
-	policy, err = p(&net.TCPAddr{IP: ip1})
+	policy, err = p(proxyproto.ConnPolicyOptions{
+		Upstream:   &net.TCPAddr{IP: ip1},
+		Downstream: &downstream,
+	})
 	assert.NoError(t, err)
 	assert.Equal(t, proxyproto.REQUIRE, policy)
-	policy, err = p(&net.TCPAddr{IP: ip2})
+	policy, err = p(proxyproto.ConnPolicyOptions{
+		Upstream:   &net.TCPAddr{IP: ip2},
+		Downstream: &downstream,
+	})
 	assert.NoError(t, err)
 	assert.Equal(t, proxyproto.SKIP, policy)
-	policy, err = p(&net.TCPAddr{IP: ip3})
+	policy, err = p(proxyproto.ConnPolicyOptions{
+		Upstream:   &net.TCPAddr{IP: ip3},
+		Downstream: &downstream,
+	})
 	assert.NoError(t, err)
 	assert.Equal(t, proxyproto.SKIP, policy)
-	policy, err = p(&net.TCPAddr{IP: net.ParseIP("10.8.1.5")})
-	assert.NoError(t, err)
-	assert.Equal(t, proxyproto.REQUIRE, policy)
+	policy, err = p(proxyproto.ConnPolicyOptions{
+		Upstream:   &net.TCPAddr{IP: net.ParseIP("10.8.1.5")},
+		Downstream: &downstream,
+	})
+	assert.ErrorIs(t, err, proxyproto.ErrInvalidUpstream)
+	assert.Equal(t, proxyproto.REJECT, policy)
 }

 func TestProxyProtocolVersion(t *testing.T) {
@ -1076,14 +1158,18 @@ func TestProxyProtocolVersion(t *testing.T) {
 		assert.Contains(t, err.Error(), "proxy protocol not configured")
 	}
 	c.ProxyProtocol = 1
-	proxyListener, err := c.GetProxyListener(nil)
+	listener, err := c.GetProxyListener(nil)
 	assert.NoError(t, err)
-	assert.NotNil(t, proxyListener.Policy)
+	proxyListener, ok := listener.(*proxyproto.Listener)
+	require.True(t, ok)
+	assert.NotNil(t, proxyListener.ConnPolicy)

 	c.ProxyProtocol = 2
-	proxyListener, err = c.GetProxyListener(nil)
+	listener, err = c.GetProxyListener(nil)
 	assert.NoError(t, err)
-	assert.NotNil(t, proxyListener.Policy)
+	proxyListener, ok = listener.(*proxyproto.Listener)
+	require.True(t, ok)
+	assert.NotNil(t, proxyListener.ConnPolicy)
 }

 func TestStartupHook(t *testing.T) {
@ -1213,8 +1299,8 @@ func TestFolderCopy(t *testing.T) {
 	folder.ID = 2
 	folder.Users = []string{"user3"}
 	require.Len(t, folderCopy.Users, 2)
-	require.True(t, util.Contains(folderCopy.Users, "user1"))
-	require.True(t, util.Contains(folderCopy.Users, "user2"))
+	require.True(t, slices.Contains(folderCopy.Users, "user1"))
+	require.True(t, slices.Contains(folderCopy.Users, "user2"))
 	require.Equal(t, int64(1), folderCopy.ID)
 	require.Equal(t, folder.Name, folderCopy.Name)
 	require.Equal(t, folder.MappedPath, folderCopy.MappedPath)
@ -1230,7 +1316,7 @@ func TestFolderCopy(t *testing.T) {
 	folderCopy = folder.GetACopy()
 	folder.FsConfig.CryptConfig.Passphrase = kms.NewEmptySecret()
 	require.Len(t, folderCopy.Users, 1)
-	require.True(t, util.Contains(folderCopy.Users, "user3"))
+	require.True(t, slices.Contains(folderCopy.Users, "user3"))
 	require.Equal(t, int64(2), folderCopy.ID)
 	require.Equal(t, folder.Name, folderCopy.Name)
 	require.Equal(t, folder.MappedPath, folderCopy.MappedPath)
--- a/internal/common/connection.go
+++ b/internal/common/connection.go
@ -21,6 +21,7 @@ import (
 	"io/fs"
 	"os"
 	"path"
+	"slices"
 	"strings"
 	"sync"
 	"sync/atomic"
@ -62,7 +63,7 @@ type BaseConnection struct {
 // NewBaseConnection returns a new BaseConnection
 func NewBaseConnection(id, protocol, localAddr, remoteAddr string, user dataprovider.User) *BaseConnection {
 	connID := id
-	if util.Contains(supportedProtocols, protocol) {
+	if slices.Contains(supportedProtocols, protocol) {
 		connID = fmt.Sprintf("%s_%s", protocol, id)
 	}
 	user.UploadBandwidth, user.DownloadBandwidth = user.GetBandwidthForIP(util.GetIPFromRemoteAddress(remoteAddr), connID)
@ -131,7 +132,7 @@ func (c *BaseConnection) GetRemoteIP() string {
 // SetProtocol sets the protocol for this connection
 func (c *BaseConnection) SetProtocol(protocol string) {
 	c.protocol = protocol
-	if util.Contains(supportedProtocols, c.protocol) {
+	if slices.Contains(supportedProtocols, c.protocol) {
 		c.ID = fmt.Sprintf("%v_%v", c.protocol, c.ID)
 	}
 }
@ -158,6 +159,8 @@ func (c *BaseConnection) CloseFS() error {

 // AddTransfer associates a new transfer to this connection
 func (c *BaseConnection) AddTransfer(t ActiveTransfer) {
+	Connections.transfers.add(c.User.Username)
+
 	c.Lock()
 	defer c.Unlock()

@ -189,6 +192,8 @@ func (c *BaseConnection) AddTransfer(t ActiveTransfer) {

 // RemoveTransfer removes the specified transfer from the active ones
 func (c *BaseConnection) RemoveTransfer(t ActiveTransfer) {
+	Connections.transfers.remove(c.User.Username)
+
 	c.Lock()
 	defer c.Unlock()

@ -321,10 +326,9 @@ func (c *BaseConnection) ListDir(virtualPath string) (*DirListerAt, error) {
 	}
 	return &DirListerAt{
 		virtualPath: virtualPath,
-		user:        &c.User,
+		conn:        c,
+		fs:          fs,
 		info:        c.User.GetVirtualFoldersInfo(virtualPath),
-		id:          c.ID,
-		protocol:    c.protocol,
 		lister:      lister,
 	}, nil
 }
@ -449,10 +453,7 @@ func (c *BaseConnection) RemoveFile(fs vfs.Fs, fsPath, virtualPath string, info
 	if updateQuota && info.Mode()&os.ModeSymlink == 0 {
 		vfolder, err := c.User.GetVirtualFolderForPath(path.Dir(virtualPath))
 		if err == nil {
-			dataprovider.UpdateVirtualFolderQuota(&vfolder.BaseVirtualFolder, -1, -size, false) //nolint:errcheck
-			if vfolder.IsIncludedInUserQuota() {
-				dataprovider.UpdateUserQuota(&c.User, -1, -size, false) //nolint:errcheck
-			}
+			dataprovider.UpdateUserFolderQuota(&vfolder, &c.User, -1, -size, false)
 		} else {
 			dataprovider.UpdateUserQuota(&c.User, -1, -size, false) //nolint:errcheck
 		}
@ -622,7 +623,7 @@ func (c *BaseConnection) checkCopy(srcInfo, dstInfo os.FileInfo, virtualSource,
 	return nil
 }

-func (c *BaseConnection) copyFile(virtualSourcePath, virtualTargetPath string, srcSize int64) error {
+func (c *BaseConnection) copyFile(virtualSourcePath, virtualTargetPath string, srcInfo os.FileInfo) error {
 	if !c.User.HasPerm(dataprovider.PermCopy, virtualSourcePath) || !c.User.HasPerm(dataprovider.PermCopy, virtualTargetPath) {
 		return c.GetPermissionDeniedError()
 	}
@ -640,12 +641,12 @@ func (c *BaseConnection) copyFile(virtualSourcePath, virtualTargetPath string, s
 				return err
 			}
 			startTime := time.Now()
-			numFiles, sizeDiff, err := copier.CopyFile(fsSourcePath, fsTargetPath, srcSize)
+			numFiles, sizeDiff, err := copier.CopyFile(fsSourcePath, fsTargetPath, srcInfo)
 			elapsed := time.Since(startTime).Nanoseconds() / 1000000
 			updateUserQuotaAfterFileWrite(c, virtualTargetPath, numFiles, sizeDiff)
 			logger.CommandLog(copyLogSender, fsSourcePath, fsTargetPath, c.User.Username, "", c.ID, c.protocol, -1, -1,
-				"", "", "", srcSize, c.localAddr, c.remoteAddr, elapsed)
-			ExecuteActionNotification(c, operationCopy, fsSourcePath, virtualSourcePath, fsTargetPath, virtualTargetPath, "", srcSize, err, elapsed, nil) //nolint:errcheck
+				"", "", "", srcInfo.Size(), c.localAddr, c.remoteAddr, elapsed)
+			ExecuteActionNotification(c, operationCopy, fsSourcePath, virtualSourcePath, fsTargetPath, virtualTargetPath, "", srcInfo.Size(), err, elapsed, nil) //nolint:errcheck
 			return err
 		}
 	}
@ -657,7 +658,7 @@ func (c *BaseConnection) copyFile(virtualSourcePath, virtualTargetPath string, s
 	defer rCancelFn()
 	defer reader.Close()

-	writer, numFiles, truncatedSize, wCancelFn, err := getFileWriter(c, virtualTargetPath, srcSize)
+	writer, numFiles, truncatedSize, wCancelFn, err := getFileWriter(c, virtualTargetPath, srcInfo.Size())
 	if err != nil {
 		return fmt.Errorf("unable to get writer for path %q: %w", virtualTargetPath, err)
 	}
@ -708,7 +709,7 @@ func (c *BaseConnection) doRecursiveCopy(virtualSourcePath, virtualTargetPath st
 		return nil
 	}

-	return c.copyFile(virtualSourcePath, virtualTargetPath, srcInfo.Size())
+	return c.copyFile(virtualSourcePath, virtualTargetPath, srcInfo)
 }

 func (c *BaseConnection) recursiveCopyEntries(virtualSourcePath, virtualTargetPath string, entries []os.FileInfo, recursion int) error {
@ -789,10 +790,12 @@ func (c *BaseConnection) Copy(virtualSourcePath, virtualTargetPath string) error

 // Rename renames (moves) virtualSourcePath to virtualTargetPath
 func (c *BaseConnection) Rename(virtualSourcePath, virtualTargetPath string) error {
-	return c.renameInternal(virtualSourcePath, virtualTargetPath, false)
+	return c.renameInternal(virtualSourcePath, virtualTargetPath, false, vfs.CheckParentDir)
 }

-func (c *BaseConnection) renameInternal(virtualSourcePath, virtualTargetPath string, checkParentDestination bool) error {
+func (c *BaseConnection) renameInternal(virtualSourcePath, virtualTargetPath string, //nolint:gocyclo
+	checkParentDestination bool, checks int,
+) error {
 	if virtualSourcePath == virtualTargetPath {
 		return fmt.Errorf("the rename source and target cannot be the same: %w", c.GetOpUnsupportedError())
 	}
@ -813,7 +816,11 @@ func (c *BaseConnection) renameInternal(virtualSourcePath, virtualTargetPath str
 		return c.GetPermissionDeniedError()
 	}
 	initialSize := int64(-1)
-	if dstInfo, err := fsDst.Lstat(fsTargetPath); err == nil {
+	dstInfo, err := fsDst.Lstat(fsTargetPath)
+	if err != nil && !fsDst.IsNotExist(err) {
+		return err
+	}
+	if err == nil {
 		checkParentDestination = false
 		if dstInfo.IsDir() {
 			c.Log(logger.LevelWarn, "attempted to rename %q overwriting an existing directory %q",
@ -835,7 +842,7 @@ func (c *BaseConnection) renameInternal(virtualSourcePath, virtualTargetPath str
 			return err
 		}
 	}
-	if !c.hasSpaceForRename(fsSrc, virtualSourcePath, virtualTargetPath, initialSize, fsSourcePath) {
+	if !c.hasSpaceForRename(fsSrc, virtualSourcePath, virtualTargetPath, initialSize, fsSourcePath, srcInfo) {
 		c.Log(logger.LevelInfo, "denying cross rename due to space limit")
 		return c.GetGenericError(ErrQuotaExceeded)
 	}
@ -846,7 +853,7 @@ func (c *BaseConnection) renameInternal(virtualSourcePath, virtualTargetPath str
 	defer close(done)
 	go keepConnectionAlive(c, done, 2*time.Minute)

-	files, size, err := fsDst.Rename(fsSourcePath, fsTargetPath)
+	files, size, err := fsDst.Rename(fsSourcePath, fsTargetPath, checks)
 	if err != nil {
 		c.Log(logger.LevelError, "failed to rename %q -> %q: %+v", fsSourcePath, fsTargetPath, err)
 		return c.GetFsError(fsSrc, err)
@ -918,16 +925,6 @@ func (c *BaseConnection) CreateSymlink(virtualSourcePath, virtualTargetPath stri
 	return nil
 }

-func (c *BaseConnection) getPathForSetStatPerms(fs vfs.Fs, fsPath, virtualPath string) string {
-	pathForPerms := virtualPath
-	if fi, err := fs.Lstat(fsPath); err == nil {
-		if fi.IsDir() {
-			pathForPerms = path.Dir(virtualPath)
-		}
-	}
-	return pathForPerms
-}
-
 func (c *BaseConnection) doStatInternal(virtualPath string, mode int, checkFilePatterns,
 	convertResult bool,
 ) (os.FileInfo, error) {
@ -1064,7 +1061,7 @@ func (c *BaseConnection) SetStat(virtualPath string, attributes *StatAttributes)
 	if err != nil {
 		return err
 	}
-	pathForPerms := c.getPathForSetStatPerms(fs, fsPath, virtualPath)
+	pathForPerms := path.Dir(virtualPath)

 	if attributes.Flags&StatAttrTimes != 0 {
 		if err = c.handleChtimes(fs, fsPath, pathForPerms, attributes); err != nil {
@ -1121,10 +1118,7 @@ func (c *BaseConnection) truncateFile(fs vfs.Fs, fsPath, virtualPath string, siz
 		sizeDiff := initialSize - size
 		vfolder, err := c.User.GetVirtualFolderForPath(path.Dir(virtualPath))
 		if err == nil {
-			dataprovider.UpdateVirtualFolderQuota(&vfolder.BaseVirtualFolder, 0, -sizeDiff, false) //nolint:errcheck
-			if vfolder.IsIncludedInUserQuota() {
-				dataprovider.UpdateUserQuota(&c.User, 0, -sizeDiff, false) //nolint:errcheck
-			}
+			dataprovider.UpdateUserFolderQuota(&vfolder, &c.User, 0, -sizeDiff, false)
 		} else {
 			dataprovider.UpdateUserQuota(&c.User, 0, -sizeDiff, false) //nolint:errcheck
 		}
@ -1133,11 +1127,11 @@ func (c *BaseConnection) truncateFile(fs vfs.Fs, fsPath, virtualPath string, siz
 }

 func (c *BaseConnection) checkRecursiveRenameDirPermissions(fsSrc, fsDst vfs.Fs, sourcePath, targetPath,
-	virtualSourcePath, virtualTargetPath string, fi os.FileInfo,
+	virtualSourcePath, virtualTargetPath string, srcInfo os.FileInfo,
 ) error {
 	if !c.User.HasPermissionsInside(virtualSourcePath) &&
 		!c.User.HasPermissionsInside(virtualTargetPath) {
-		if !c.isRenamePermitted(fsSrc, fsDst, sourcePath, targetPath, virtualSourcePath, virtualTargetPath, fi) {
+		if !c.isRenamePermitted(fsSrc, fsDst, sourcePath, targetPath, virtualSourcePath, virtualTargetPath, srcInfo) {
 			c.Log(logger.LevelInfo, "rename %q -> %q is not allowed, virtual destination path: %q",
 				sourcePath, targetPath, virtualTargetPath)
 			return c.GetPermissionDeniedError()
@ -1197,7 +1191,7 @@ func (c *BaseConnection) hasRenamePerms(virtualSourcePath, virtualTargetPath str
 }

 func (c *BaseConnection) checkFolderRename(fsSrc, fsDst vfs.Fs, fsSourcePath, fsTargetPath, virtualSourcePath,
-	virtualTargetPath string, fi os.FileInfo) error {
+	virtualTargetPath string, srcInfo os.FileInfo) error {
 	if util.IsDirOverlapped(virtualSourcePath, virtualTargetPath, true, "/") {
 		c.Log(logger.LevelDebug, "renaming the folder %q->%q is not supported: nested folders",
 			virtualSourcePath, virtualTargetPath)
@ -1221,7 +1215,7 @@ func (c *BaseConnection) checkFolderRename(fsSrc, fsDst vfs.Fs, fsSourcePath, fs
 		return fmt.Errorf("folder %q has virtual folders inside it: %w", virtualTargetPath, c.GetOpUnsupportedError())
 	}
 	if err := c.checkRecursiveRenameDirPermissions(fsSrc, fsDst, fsSourcePath, fsTargetPath,
-		virtualSourcePath, virtualTargetPath, fi); err != nil {
+		virtualSourcePath, virtualTargetPath, srcInfo); err != nil {
 		c.Log(logger.LevelDebug, "error checking recursive permissions before renaming %q: %+v", fsSourcePath, err)
 		return err
 	}
@ -1229,7 +1223,7 @@ func (c *BaseConnection) checkFolderRename(fsSrc, fsDst vfs.Fs, fsSourcePath, fs
 }

 func (c *BaseConnection) isRenamePermitted(fsSrc, fsDst vfs.Fs, fsSourcePath, fsTargetPath, virtualSourcePath,
-	virtualTargetPath string, fi os.FileInfo,
+	virtualTargetPath string, srcInfo os.FileInfo,
 ) bool {
 	if !c.IsSameResource(virtualSourcePath, virtualTargetPath) {
 		c.Log(logger.LevelInfo, "rename %q->%q is not allowed: the paths must be on the same resource",
@ -1259,11 +1253,11 @@ func (c *BaseConnection) isRenamePermitted(fsSrc, fsDst vfs.Fs, fsSourcePath, fs
 			virtualTargetPath)
 		return false
 	}
-	return c.hasRenamePerms(virtualSourcePath, virtualTargetPath, fi)
+	return c.hasRenamePerms(virtualSourcePath, virtualTargetPath, srcInfo)
 }

 func (c *BaseConnection) hasSpaceForRename(fs vfs.Fs, virtualSourcePath, virtualTargetPath string, initialSize int64,
-	fsSourcePath string) bool {
+	sourcePath string, srcInfo os.FileInfo) bool {
 	if dataprovider.GetQuotaTracking() == 0 {
 		return true
 	}
@ -1293,30 +1287,28 @@ func (c *BaseConnection) hasSpaceForRename(fs vfs.Fs, virtualSourcePath, virtual
 		// no quota restrictions
 		return true
 	}
-	return c.hasSpaceForCrossRename(fs, quotaResult, initialSize, fsSourcePath)
+	return c.hasSpaceForCrossRename(fs, quotaResult, initialSize, sourcePath, srcInfo)
 }

 // hasSpaceForCrossRename checks the quota after a rename between different folders
-func (c *BaseConnection) hasSpaceForCrossRename(fs vfs.Fs, quotaResult vfs.QuotaCheckResult, initialSize int64, sourcePath string) bool {
+func (c *BaseConnection) hasSpaceForCrossRename(fs vfs.Fs, quotaResult vfs.QuotaCheckResult, initialSize int64,
+	sourcePath string, srcInfo os.FileInfo,
+) bool {
 	if !quotaResult.HasSpace && initialSize == -1 {
 		// we are over quota and this is not a file replace
 		return false
 	}
-	fi, err := fs.Lstat(sourcePath)
-	if err != nil {
-		c.Log(logger.LevelError, "cross rename denied, stat error for path %q: %v", sourcePath, err)
-		return false
-	}
 	var sizeDiff int64
 	var filesDiff int
-	if fi.Mode().IsRegular() {
-		sizeDiff = fi.Size()
+	var err error
+	if srcInfo.Mode().IsRegular() {
+		sizeDiff = srcInfo.Size()
 		filesDiff = 1
 		if initialSize != -1 {
 			sizeDiff -= initialSize
 			filesDiff = 0
 		}
-	} else if fi.IsDir() {
+	} else if srcInfo.IsDir() {
 		filesDiff, sizeDiff, err = fs.GetDirSize(sourcePath)
 		if err != nil {
 			c.Log(logger.LevelError, "cross rename denied, error getting size for directory %q: %v", sourcePath, err)
@ -1343,7 +1335,7 @@ func (c *BaseConnection) hasSpaceForCrossRename(fs vfs.Fs, quotaResult vfs.Quota
 	}
 	if quotaResult.QuotaSize > 0 {
 		remainingSize := quotaResult.GetRemainingSize()
-		c.Log(logger.LevelDebug, "cross rename, source %q remaining size %d to add %d", sourcePath,
+		c.Log(logger.LevelDebug, "cross rename, source %q remaining size %d to add %d", srcInfo.Name(),
 			remainingSize, sizeDiff)
 		if remainingSize < sizeDiff {
 			return false
@ -1518,61 +1510,40 @@ func (c *BaseConnection) updateQuotaMoveBetweenVFolders(sourceFolder, dstFolder
 	if sourceFolder.Name == dstFolder.Name {
 		// both files are inside the same virtual folder
 		if initialSize != -1 {
-			dataprovider.UpdateVirtualFolderQuota(&dstFolder.BaseVirtualFolder, -numFiles, -initialSize, false) //nolint:errcheck
-			if dstFolder.IsIncludedInUserQuota() {
-				dataprovider.UpdateUserQuota(&c.User, -numFiles, -initialSize, false) //nolint:errcheck
-			}
+			dataprovider.UpdateUserFolderQuota(dstFolder, &c.User, -numFiles, -initialSize, false)
 		}
 		return
 	}
 	// files are inside different virtual folders
-	dataprovider.UpdateVirtualFolderQuota(&sourceFolder.BaseVirtualFolder, -numFiles, -filesSize, false) //nolint:errcheck
-	if sourceFolder.IsIncludedInUserQuota() {
-		dataprovider.UpdateUserQuota(&c.User, -numFiles, -filesSize, false) //nolint:errcheck
-	}
+	dataprovider.UpdateUserFolderQuota(sourceFolder, &c.User, -numFiles, -filesSize, false)
 	if initialSize == -1 {
-		dataprovider.UpdateVirtualFolderQuota(&dstFolder.BaseVirtualFolder, numFiles, filesSize, false) //nolint:errcheck
-		if dstFolder.IsIncludedInUserQuota() {
-			dataprovider.UpdateUserQuota(&c.User, numFiles, filesSize, false) //nolint:errcheck
-		}
-	} else {
-		// we cannot have a directory here, initialSize != -1 only for files
-		dataprovider.UpdateVirtualFolderQuota(&dstFolder.BaseVirtualFolder, 0, filesSize-initialSize, false) //nolint:errcheck
-		if dstFolder.IsIncludedInUserQuota() {
-			dataprovider.UpdateUserQuota(&c.User, 0, filesSize-initialSize, false) //nolint:errcheck
-		}
+		dataprovider.UpdateUserFolderQuota(dstFolder, &c.User, numFiles, filesSize, false)
+		return
 	}
+	// we cannot have a directory here, initialSize != -1 only for files
+	dataprovider.UpdateUserFolderQuota(dstFolder, &c.User, 0, filesSize-initialSize, false)
 }

 func (c *BaseConnection) updateQuotaMoveFromVFolder(sourceFolder *vfs.VirtualFolder, initialSize, filesSize int64, numFiles int) {
 	// move between a virtual folder and the user home dir
-	dataprovider.UpdateVirtualFolderQuota(&sourceFolder.BaseVirtualFolder, -numFiles, -filesSize, false) //nolint:errcheck
-	if sourceFolder.IsIncludedInUserQuota() {
-		dataprovider.UpdateUserQuota(&c.User, -numFiles, -filesSize, false) //nolint:errcheck
-	}
+	dataprovider.UpdateUserFolderQuota(sourceFolder, &c.User, -numFiles, -filesSize, false)
 	if initialSize == -1 {
 		dataprovider.UpdateUserQuota(&c.User, numFiles, filesSize, false) //nolint:errcheck
-	} else {
-		// we cannot have a directory here, initialSize != -1 only for files
-		dataprovider.UpdateUserQuota(&c.User, 0, filesSize-initialSize, false) //nolint:errcheck
+		return
 	}
+	// we cannot have a directory here, initialSize != -1 only for files
+	dataprovider.UpdateUserQuota(&c.User, 0, filesSize-initialSize, false) //nolint:errcheck
 }

 func (c *BaseConnection) updateQuotaMoveToVFolder(dstFolder *vfs.VirtualFolder, initialSize, filesSize int64, numFiles int) {
 	// move between the user home dir and a virtual folder
 	dataprovider.UpdateUserQuota(&c.User, -numFiles, -filesSize, false) //nolint:errcheck
 	if initialSize == -1 {
-		dataprovider.UpdateVirtualFolderQuota(&dstFolder.BaseVirtualFolder, numFiles, filesSize, false) //nolint:errcheck
-		if dstFolder.IsIncludedInUserQuota() {
-			dataprovider.UpdateUserQuota(&c.User, numFiles, filesSize, false) //nolint:errcheck
-		}
-	} else {
-		// we cannot have a directory here, initialSize != -1 only for files
-		dataprovider.UpdateVirtualFolderQuota(&dstFolder.BaseVirtualFolder, 0, filesSize-initialSize, false) //nolint:errcheck
-		if dstFolder.IsIncludedInUserQuota() {
-			dataprovider.UpdateUserQuota(&c.User, 0, filesSize-initialSize, false) //nolint:errcheck
-		}
+		dataprovider.UpdateUserFolderQuota(dstFolder, &c.User, numFiles, filesSize, false)
+		return
 	}
+	// we cannot have a directory here, initialSize != -1 only for files
+	dataprovider.UpdateUserFolderQuota(dstFolder, &c.User, 0, filesSize-initialSize, false)
 }

 func (c *BaseConnection) updateQuotaAfterRename(fs vfs.Fs, virtualSourcePath, virtualTargetPath, targetPath string,
@ -1814,20 +1785,19 @@ func (c *BaseConnection) GetFsAndResolvedPath(virtualPath string) (vfs.Fs, strin
 // DirListerAt defines a directory lister implementing the ListAt method.
 type DirListerAt struct {
 	virtualPath string
-	user        *dataprovider.User
+	conn        *BaseConnection
+	fs          vfs.Fs
 	info        []os.FileInfo
-	id          string
-	protocol    string
 	mu          sync.Mutex
 	lister      vfs.DirLister
 }

-// Add adds the given os.FileInfo to the internal cache
-func (l *DirListerAt) Add(fi os.FileInfo) {
+// Prepend adds the given os.FileInfo as first element of the internal cache
+func (l *DirListerAt) Prepend(fi os.FileInfo) {
 	l.mu.Lock()
 	defer l.mu.Unlock()

-	l.info = append(l.info, fi)
+	l.info = slices.Insert(l.info, 0, fi)
 }

 // ListAt implements sftp.ListerAt
@ -1840,10 +1810,10 @@ func (l *DirListerAt) ListAt(f []os.FileInfo, _ int64) (int, error) {
 	}
 	if len(f) <= len(l.info) {
 		files := make([]os.FileInfo, 0, len(f))
-		for idx := len(l.info) - 1; idx >= 0; idx-- {
+		for idx := range l.info {
 			files = append(files, l.info[idx])
 			if len(files) == len(f) {
-				l.info = l.info[:idx]
+				l.info = l.info[idx+1:]
 				n := copy(f, files)
 				return n, nil
 			}
@ -1860,14 +1830,12 @@ func (l *DirListerAt) Next(limit int) ([]os.FileInfo, error) {
 	for {
 		files, err := l.lister.Next(limit)
 		if err != nil && !errors.Is(err, io.EOF) {
-			logger.Debug(l.protocol, l.id, "error retrieving directory entries: %+v", err)
-			return files, err
+			l.conn.Log(logger.LevelDebug, "error retrieving directory entries: %+v", err)
+			return files, l.conn.GetFsError(l.fs, err)
 		}
-		files = l.user.FilterListDir(files, l.virtualPath)
+		files = l.conn.User.FilterListDir(files, l.virtualPath)
 		if len(l.info) > 0 {
-			for _, fi := range l.info {
-				files = util.PrependFileInfo(files, fi)
-			}
+			files = slices.Concat(l.info, files)
 			l.info = nil
 		}
 		if err != nil || len(files) > 0 {
--- a/internal/common/connection_test.go
+++ b/internal/common/connection_test.go
@ -22,6 +22,7 @@ import (
 	"path"
 	"path/filepath"
 	"runtime"
+	"slices"
 	"strconv"
 	"testing"
 	"time"
@ -197,25 +198,24 @@ func TestRecursiveRenameWalkError(t *testing.T) {
 }

 func TestCrossRenameFsErrors(t *testing.T) {
+	if runtime.GOOS == osWindows {
+		t.Skip("this test is not available on Windows")
+	}
 	fs := vfs.NewOsFs("", os.TempDir(), "", nil)
 	conn := NewBaseConnection("", ProtocolWebDAV, "", "", dataprovider.User{})
-	res := conn.hasSpaceForCrossRename(fs, vfs.QuotaCheckResult{}, 1, "missingsource")
+	dirPath := filepath.Join(os.TempDir(), "d")
+	err := os.Mkdir(dirPath, os.ModePerm)
+	assert.NoError(t, err)
+	err = os.Chmod(dirPath, 0001)
+	assert.NoError(t, err)
+	srcInfo := vfs.NewFileInfo(filepath.Base(dirPath), true, 0, time.Now(), false)
+	res := conn.hasSpaceForCrossRename(fs, vfs.QuotaCheckResult{}, 1, dirPath, srcInfo)
 	assert.False(t, res)
-	if runtime.GOOS != osWindows {
-		dirPath := filepath.Join(os.TempDir(), "d")
-		err := os.Mkdir(dirPath, os.ModePerm)
-		assert.NoError(t, err)
-		err = os.Chmod(dirPath, 0001)
-		assert.NoError(t, err)

-		res = conn.hasSpaceForCrossRename(fs, vfs.QuotaCheckResult{}, 1, dirPath)
-		assert.False(t, res)
-
-		err = os.Chmod(dirPath, os.ModePerm)
-		assert.NoError(t, err)
-		err = os.Remove(dirPath)
-		assert.NoError(t, err)
-	}
+	err = os.Chmod(dirPath, os.ModePerm)
+	assert.NoError(t, err)
+	err = os.Remove(dirPath)
+	assert.NoError(t, err)
 }

 func TestRenameVirtualFolders(t *testing.T) {
@ -389,7 +389,7 @@ func TestErrorsMapping(t *testing.T) {
 		err := conn.GetFsError(fs, os.ErrNotExist)
 		if protocol == ProtocolSFTP {
 			assert.ErrorIs(t, err, sftp.ErrSSHFxNoSuchFile)
-		} else if util.Contains(osErrorsProtocols, protocol) {
+		} else if slices.Contains(osErrorsProtocols, protocol) {
 			assert.EqualError(t, err, os.ErrNotExist.Error())
 		} else {
 			assert.EqualError(t, err, ErrNotExist.Error())
@ -1090,7 +1090,7 @@ func TestListerAt(t *testing.T) {
 	require.ErrorIs(t, err, io.EOF)
 	require.Len(t, files, 0)
 	_, err = lister.Next(-1)
-	require.ErrorContains(t, err, "invalid limit")
+	require.ErrorContains(t, err, conn.GetGenericError(err).Error())
 	err = lister.Close()
 	require.NoError(t, err)

@ -1134,8 +1134,8 @@ func TestListerAt(t *testing.T) {
 	require.Equal(t, 0, n)
 	lister, err = conn.ListDir("/")
 	require.NoError(t, err)
-	lister.Add(vfs.NewFileInfo("..", true, 0, time.Unix(0, 0), false))
-	lister.Add(vfs.NewFileInfo(".", true, 0, time.Unix(0, 0), false))
+	lister.Prepend(vfs.NewFileInfo("..", true, 0, time.Unix(0, 0), false))
+	lister.Prepend(vfs.NewFileInfo(".", true, 0, time.Unix(0, 0), false))
 	files = make([]os.FileInfo, 1)
 	n, err = lister.ListAt(files, 0)
 	require.NoError(t, err)
--- a/internal/common/dataretention.go
+++ b/internal/common/dataretention.go
@ -269,7 +269,7 @@ func (c *RetentionCheck) cleanupFolder(folderPath string, recursion int) error {
 			return nil
 		}
 		result.Error = fmt.Sprintf("unable to get lister for directory %q", folderPath)
-		c.conn.Log(logger.LevelError, result.Error)
+		c.conn.Log(logger.LevelError, "%s", result.Error)
 		return err
 	}
 	defer lister.Close()
--- a/internal/common/defender.go
+++ b/internal/common/defender.go
@ -53,6 +53,7 @@ type Defender interface {
 	GetBanTime(ip string) (*time.Time, error)
 	GetScore(ip string) (int, error)
 	DeleteHost(ip string) bool
+	DelayLogin(err error)
 }

 // DefenderConfig defines the "defender" configuration
@ -90,6 +91,16 @@ type DefenderConfig struct {
 	// to return when you request for the entire host list from the defender
 	EntriesSoftLimit int `json:"entries_soft_limit" mapstructure:"entries_soft_limit"`
 	EntriesHardLimit int `json:"entries_hard_limit" mapstructure:"entries_hard_limit"`
+	// Configuration to impose a delay between login attempts
+	LoginDelay LoginDelay `json:"login_delay" mapstructure:"login_delay"`
+}
+
+// LoginDelay defines the delays to impose between login attempts.
+type LoginDelay struct {
+	// The number of milliseconds to pause prior to allowing a successful login
+	Success int `json:"success" mapstructure:"success"`
+	// The number of milliseconds to pause prior to reporting a failed login
+	PasswordFailed int `json:"password_failed" mapstructure:"password_failed"`
 }

 type baseDefender struct {
@ -163,6 +174,19 @@ func (d *baseDefender) logBan(ip, protocol string) {
 		Send()
 }

+// DelayLogin applies the configured login delay.
+func (d *baseDefender) DelayLogin(err error) {
+	if err == nil {
+		if d.config.LoginDelay.Success > 0 {
+			time.Sleep(time.Duration(d.config.LoginDelay.Success) * time.Millisecond)
+		}
+		return
+	}
+	if d.config.LoginDelay.PasswordFailed > 0 {
+		time.Sleep(time.Duration(d.config.LoginDelay.PasswordFailed) * time.Millisecond)
+	}
+}
+
 type hostEvent struct {
 	dateTime time.Time
 	score    int
--- a/internal/common/defender_test.go
+++ b/internal/common/defender_test.go
@ -435,6 +435,31 @@ func TestDefenderCleanup(t *testing.T) {
 	assert.Equal(t, 0, score)
 }

+func TestDefenderDelay(t *testing.T) {
+	d := memoryDefender{
+		baseDefender: baseDefender{
+			config: &DefenderConfig{
+				ObservationTime:  1,
+				EntriesSoftLimit: 2,
+				EntriesHardLimit: 3,
+				LoginDelay: LoginDelay{
+					Success:        50,
+					PasswordFailed: 200,
+				},
+			},
+		},
+	}
+	startTime := time.Now()
+	d.DelayLogin(nil)
+	elapsed := time.Since(startTime)
+	assert.Less(t, elapsed, time.Millisecond*100)
+
+	startTime = time.Now()
+	d.DelayLogin(ErrInternalFailure)
+	elapsed = time.Since(startTime)
+	assert.Greater(t, elapsed, time.Millisecond*150)
+}
+
 func TestDefenderConfig(t *testing.T) {
 	c := DefenderConfig{}
 	err := c.validate()
--- a/internal/common/defenderdb.go
+++ b/internal/common/defenderdb.go
@ -110,7 +110,7 @@ func (d *dbDefender) AddEvent(ip, protocol string, event HostEvent) bool {
 			eventManager.handleIPBlockedEvent(EventParams{
 				Event:     ipBlockedEventName,
 				IP:        ip,
-				Timestamp: time.Now().UnixNano(),
+				Timestamp: time.Now(),
 				Status:    1,
 			})
 		}
--- a/internal/common/defendermem.go
+++ b/internal/common/defendermem.go
@ -218,7 +218,7 @@ func (d *memoryDefender) AddEvent(ip, protocol string, event HostEvent) bool {
 			eventManager.handleIPBlockedEvent(EventParams{
 				Event:     ipBlockedEventName,
 				IP:        ip,
-				Timestamp: time.Now().UnixNano(),
+				Timestamp: time.Now(),
 				Status:    1,
 			})
 		} else {
--- a/internal/common/eventmanager.go
+++ b/internal/common/eventmanager.go
@ -31,6 +31,7 @@ import (
 	"os/exec"
 	"path"
 	"path/filepath"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@ -57,6 +58,7 @@ const (
 	maxAttachmentsSize       = int64(10 * 1024 * 1024)
 	objDataPlaceholder       = "{{ObjectData}}"
 	objDataPlaceholderString = "{{ObjectDataString}}"
+	dateTimeMillisFormat     = "2006-01-02T15:04:05.000"
 )

 // Supported IDP login events
@ -69,6 +71,9 @@ var (
 	// eventManager handle the supported event rules actions
 	eventManager          eventRulesContainer
 	multipartQuoteEscaper = strings.NewReplacer("\\", "\\\\", `"`, "\\\"")
+	fsEventsWithSize      = []string{operationPreDelete, OperationPreUpload, operationDelete,
+		operationCopy, operationDownload, operationFirstUpload, operationFirstDownload,
+		operationUpload}
 )

 func init() {
@ -88,11 +93,12 @@ func init() {
 				ObjectType: objectType,
 				IP:         ip,
 				Role:       role,
-				Timestamp:  time.Now().UnixNano(),
+				Timestamp:  time.Now(),
 				Object:     object,
 			}
 			if u, ok := object.(*dataprovider.User); ok {
 				p.Email = u.Email
+				p.Groups = u.Groups
 			} else if a, ok := object.(*dataprovider.Admin); ok {
 				p.Email = a.Email
 			}
@ -271,7 +277,8 @@ func (r *eventRulesContainer) addUpdateRuleInternal(rule dataprovider.EventRule)
 func (r *eventRulesContainer) loadRules() {
 	eventManagerLog(logger.LevelDebug, "loading updated rules")
 	modTime := util.GetTimeAsMsSinceEpoch(time.Now())
-	rules, err := dataprovider.GetRecentlyUpdatedRules(r.getLastLoadTime())
+	lastLoadTime := r.getLastLoadTime()
+	rules, err := dataprovider.GetRecentlyUpdatedRules(lastLoadTime)
 	if err != nil {
 		eventManagerLog(logger.LevelError, "unable to load event rules: %v", err)
 		return
@ -307,23 +314,26 @@ func (*eventRulesContainer) checkIPDLoginEventMatch(conditions *dataprovider.Eve
 }

 func (*eventRulesContainer) checkProviderEventMatch(conditions *dataprovider.EventConditions, params *EventParams) bool {
-	if !util.Contains(conditions.ProviderEvents, params.Event) {
+	if !slices.Contains(conditions.ProviderEvents, params.Event) {
 		return false
 	}
 	if !checkEventConditionPatterns(params.Name, conditions.Options.Names) {
 		return false
 	}
+	if !checkEventGroupConditionPatterns(params.Groups, conditions.Options.GroupNames) {
+		return false
+	}
 	if !checkEventConditionPatterns(params.Role, conditions.Options.RoleNames) {
 		return false
 	}
-	if len(conditions.Options.ProviderObjects) > 0 && !util.Contains(conditions.Options.ProviderObjects, params.ObjectType) {
+	if len(conditions.Options.ProviderObjects) > 0 && !slices.Contains(conditions.Options.ProviderObjects, params.ObjectType) {
 		return false
 	}
 	return true
 }

 func (*eventRulesContainer) checkFsEventMatch(conditions *dataprovider.EventConditions, params *EventParams) bool {
-	if !util.Contains(conditions.FsEvents, params.Event) {
+	if !slices.Contains(conditions.FsEvents, params.Event) {
 		return false
 	}
 	if !checkEventConditionPatterns(params.Name, conditions.Options.Names) {
@ -338,10 +348,10 @@ func (*eventRulesContainer) checkFsEventMatch(conditions *dataprovider.EventCond
 	if !checkEventConditionPatterns(params.VirtualPath, conditions.Options.FsPaths) {
 		return false
 	}
-	if len(conditions.Options.Protocols) > 0 && !util.Contains(conditions.Options.Protocols, params.Protocol) {
+	if len(conditions.Options.Protocols) > 0 && !slices.Contains(conditions.Options.Protocols, params.Protocol) {
 		return false
 	}
-	if params.Event == operationUpload || params.Event == operationDownload {
+	if slices.Contains(fsEventsWithSize, params.Event) {
 		if conditions.Options.MinFileSize > 0 {
 			if params.FileSize < conditions.Options.MinFileSize {
 				return false
@ -555,7 +565,7 @@ type EventParams struct {
 	IP                    string
 	Role                  string
 	Email                 string
-	Timestamp             int64
+	Timestamp             time.Time
 	UID                   string
 	IDPCustomFields       *map[string]string
 	Object                plugin.Renderer
@ -639,7 +649,7 @@ func (p *EventParams) setBackupParams(backupPath string) {
 	p.FsPath = backupPath
 	p.ObjectName = filepath.Base(backupPath)
 	p.VirtualPath = "/" + p.ObjectName
-	p.Timestamp = time.Now().UnixNano()
+	p.Timestamp = time.Now()
 	info, err := os.Stat(backupPath)
 	if err == nil {
 		p.FileSize = info.Size()
@ -773,15 +783,23 @@ func (*EventParams) getStringReplacement(val string, jsonEscaped bool) string {
 }

 func (p *EventParams) getStringReplacements(addObjectData, jsonEscaped bool) []string {
+	var dateTimeString string
+	if Config.TZ == "local" {
+		dateTimeString = p.Timestamp.Local().Format(dateTimeMillisFormat)
+	} else {
+		dateTimeString = p.Timestamp.UTC().Format(dateTimeMillisFormat)
+	}
 	replacements := []string{
 		"{{Name}}", p.getStringReplacement(p.Name, jsonEscaped),
 		"{{Event}}", p.Event,
 		"{{Status}}", fmt.Sprintf("%d", p.Status),
 		"{{VirtualPath}}", p.getStringReplacement(p.VirtualPath, jsonEscaped),
+		"{{EscapedVirtualPath}}", p.getStringReplacement(url.QueryEscape(p.VirtualPath), jsonEscaped),
 		"{{FsPath}}", p.getStringReplacement(p.FsPath, jsonEscaped),
 		"{{VirtualTargetPath}}", p.getStringReplacement(p.VirtualTargetPath, jsonEscaped),
 		"{{FsTargetPath}}", p.getStringReplacement(p.FsTargetPath, jsonEscaped),
 		"{{ObjectName}}", p.getStringReplacement(p.ObjectName, jsonEscaped),
+		"{{ObjectBaseName}}", p.getStringReplacement(strings.TrimSuffix(p.ObjectName, p.Extension), jsonEscaped),
 		"{{ObjectType}}", p.ObjectType,
 		"{{FileSize}}", strconv.FormatInt(p.FileSize, 10),
 		"{{Elapsed}}", strconv.FormatInt(p.Elapsed, 10),
@ -789,7 +807,8 @@ func (p *EventParams) getStringReplacements(addObjectData, jsonEscaped bool) []s
 		"{{IP}}", p.IP,
 		"{{Role}}", p.getStringReplacement(p.Role, jsonEscaped),
 		"{{Email}}", p.getStringReplacement(p.Email, jsonEscaped),
-		"{{Timestamp}}", strconv.FormatInt(p.Timestamp, 10),
+		"{{Timestamp}}", strconv.FormatInt(p.Timestamp.UnixNano(), 10),
+		"{{DateTime}}", dateTimeString,
 		"{{StatusString}}", p.getStatusString(),
 		"{{UID}}", p.getStringReplacement(p.UID, jsonEscaped),
 		"{{Ext}}", p.getStringReplacement(p.Extension, jsonEscaped),
@ -908,10 +927,7 @@ func updateUserQuotaAfterFileWrite(conn *BaseConnection, virtualPath string, num
 		dataprovider.UpdateUserQuota(&conn.User, numFiles, fileSize, false) //nolint:errcheck
 		return
 	}
-	dataprovider.UpdateVirtualFolderQuota(&vfolder.BaseVirtualFolder, numFiles, fileSize, false) //nolint:errcheck
-	if vfolder.IsIncludedInUserQuota() {
-		dataprovider.UpdateUserQuota(&conn.User, numFiles, fileSize, false) //nolint:errcheck
-	}
+	dataprovider.UpdateUserFolderQuota(&vfolder, &conn.User, numFiles, fileSize, false)
 }

 func checkWriterPermsAndQuota(conn *BaseConnection, virtualPath string, numFiles int, expectedSize, truncatedSize int64) error {
@ -1316,7 +1332,7 @@ func writeHTTPPart(m *multipart.Writer, part dataprovider.HTTPPart, h textproto.
 	return nil
 }

-func getHTTPRuleActionBody(c *dataprovider.EventActionHTTPConfig, replacer *strings.Replacer,
+func getHTTPRuleActionBody(c *dataprovider.EventActionHTTPConfig, replacer *strings.Replacer, //nolint:gocyclo
 	cancel context.CancelFunc, user dataprovider.User, params *EventParams, addObjectData bool,
 ) (io.Reader, string, error) {
 	var body io.Reader
@ -1362,6 +1378,9 @@ func getHTTPRuleActionBody(c *dataprovider.EventActionHTTPConfig, replacer *stri
 		go func() {
 			defer w.Close()
 			defer user.CloseFs() //nolint:errcheck
+			if conn != nil {
+				defer conn.CloseFS() //nolint:errcheck
+			}

 			for _, part := range c.Parts {
 				h := make(textproto.MIMEHeader)
@ -1476,6 +1495,9 @@ func executeHTTPRuleAction(c dataprovider.EventActionHTTPConfig, params *EventPa
 }

 func executeCommandRuleAction(c dataprovider.EventActionCommandConfig, params *EventParams) error {
+	if !dataprovider.IsActionCommandAllowed(c.Cmd) {
+		return fmt.Errorf("command %q is not allowed", c.Cmd)
+	}
 	addObjectData := false
 	if params.Object != nil {
 		for _, k := range c.EnvVars {
@ -1576,6 +1598,8 @@ func executeEmailRuleAction(c dataprovider.EventActionEmailConfig, params *Event
 			return fmt.Errorf("error getting email attachments, unable to check root fs for user %q: %w", user.Username, err)
 		}
 		conn := NewBaseConnection(connectionID, protocolEventAction, "", "", user)
+		defer conn.CloseFS() //nolint:errcheck
+
 		res, err := getMailAttachments(conn, fileAttachments, replacer)
 		if err != nil {
 			return err
@ -1637,6 +1661,8 @@ func executeDeleteFsActionForUser(deletes []string, replacer *strings.Replacer,
 		return fmt.Errorf("delete error, unable to check root fs for user %q: %w", user.Username, err)
 	}
 	conn := NewBaseConnection(connectionID, protocolEventAction, "", "", user)
+	defer conn.CloseFS() //nolint:errcheck
+
 	for _, item := range replacePathsPlaceholders(deletes, replacer) {
 		info, err := conn.DoStat(item, 0, false)
 		if err != nil {
@ -1705,6 +1731,8 @@ func executeMkDirsFsActionForUser(dirs []string, replacer *strings.Replacer, use
 		return fmt.Errorf("mkdir error, unable to check root fs for user %q: %w", user.Username, err)
 	}
 	conn := NewBaseConnection(connectionID, protocolEventAction, "", "", user)
+	defer conn.CloseFS() //nolint:errcheck
+
 	for _, item := range replacePathsPlaceholders(dirs, replacer) {
 		if err = conn.CheckParentDirs(path.Dir(item)); err != nil {
 			return fmt.Errorf("unable to check parent dirs for %q, user %q: %w", item, user.Username, err)
@ -1750,7 +1778,7 @@ func executeMkdirFsRuleAction(dirs []string, replacer *strings.Replacer,
 	return nil
 }

-func executeRenameFsActionForUser(renames []dataprovider.KeyValue, replacer *strings.Replacer,
+func executeRenameFsActionForUser(renames []dataprovider.RenameConfig, replacer *strings.Replacer,
 	user dataprovider.User,
 ) error {
 	user, err := getUserForEventAction(user)
@ -1764,10 +1792,16 @@ func executeRenameFsActionForUser(renames []dataprovider.KeyValue, replacer *str
 		return fmt.Errorf("rename error, unable to check root fs for user %q: %w", user.Username, err)
 	}
 	conn := NewBaseConnection(connectionID, protocolEventAction, "", "", user)
+	defer conn.CloseFS() //nolint:errcheck
+
 	for _, item := range renames {
 		source := util.CleanPath(replaceWithReplacer(item.Key, replacer))
 		target := util.CleanPath(replaceWithReplacer(item.Value, replacer))
-		if err = conn.renameInternal(source, target, true); err != nil {
+		checks := 0
+		if item.UpdateModTime {
+			checks += vfs.CheckUpdateModTime
+		}
+		if err = conn.renameInternal(source, target, true, checks); err != nil {
 			return fmt.Errorf("unable to rename %q->%q, user %q: %w", source, target, user.Username, err)
 		}
 		eventManagerLog(logger.LevelDebug, "rename %q->%q ok, user %q", source, target, user.Username)
@ -1775,7 +1809,7 @@ func executeRenameFsActionForUser(renames []dataprovider.KeyValue, replacer *str
 	return nil
 }

-func executeCopyFsActionForUser(copy []dataprovider.KeyValue, replacer *strings.Replacer,
+func executeCopyFsActionForUser(keyVals []dataprovider.KeyValue, replacer *strings.Replacer,
 	user dataprovider.User,
 ) error {
 	user, err := getUserForEventAction(user)
@ -1789,7 +1823,9 @@ func executeCopyFsActionForUser(copy []dataprovider.KeyValue, replacer *strings.
 		return fmt.Errorf("copy error, unable to check root fs for user %q: %w", user.Username, err)
 	}
 	conn := NewBaseConnection(connectionID, protocolEventAction, "", "", user)
-	for _, item := range copy {
+	defer conn.CloseFS() //nolint:errcheck
+
+	for _, item := range keyVals {
 		source := util.CleanPath(replaceWithReplacer(item.Key, replacer))
 		target := util.CleanPath(replaceWithReplacer(item.Value, replacer))
 		if strings.HasSuffix(item.Key, "/") {
@ -1820,6 +1856,8 @@ func executeExistFsActionForUser(exist []string, replacer *strings.Replacer,
 		return fmt.Errorf("existence check error, unable to check root fs for user %q: %w", user.Username, err)
 	}
 	conn := NewBaseConnection(connectionID, protocolEventAction, "", "", user)
+	defer conn.CloseFS() //nolint:errcheck
+
 	for _, item := range replacePathsPlaceholders(exist, replacer) {
 		if _, err = conn.DoStat(item, 0, false); err != nil {
 			return fmt.Errorf("error checking existence for path %q, user %q: %w", item, user.Username, err)
@ -1829,7 +1867,7 @@ func executeExistFsActionForUser(exist []string, replacer *strings.Replacer,
 	return nil
 }

-func executeRenameFsRuleAction(renames []dataprovider.KeyValue, replacer *strings.Replacer,
+func executeRenameFsRuleAction(renames []dataprovider.RenameConfig, replacer *strings.Replacer,
 	conditions dataprovider.ConditionOptions, params *EventParams,
 ) error {
 	users, err := params.getUsers()
@ -1863,7 +1901,7 @@ func executeRenameFsRuleAction(renames []dataprovider.KeyValue, replacer *string
 	return nil
 }

-func executeCopyFsRuleAction(copy []dataprovider.KeyValue, replacer *strings.Replacer,
+func executeCopyFsRuleAction(keyVals []dataprovider.KeyValue, replacer *strings.Replacer,
 	conditions dataprovider.ConditionOptions, params *EventParams,
 ) error {
 	users, err := params.getUsers()
@ -1882,7 +1920,7 @@ func executeCopyFsRuleAction(copy []dataprovider.KeyValue, replacer *strings.Rep
 			}
 		}
 		executed++
-		if err = executeCopyFsActionForUser(copy, replacer, user); err != nil {
+		if err = executeCopyFsActionForUser(keyVals, replacer, user); err != nil {
 			failures = append(failures, user.Username)
 			params.AddError(err)
 		}
@ -1978,6 +2016,8 @@ func executeCompressFsActionForUser(c dataprovider.EventActionFsCompress, replac
 		return fmt.Errorf("compress error, unable to check root fs for user %q: %w", user.Username, err)
 	}
 	conn := NewBaseConnection(connectionID, protocolEventAction, "", "", user)
+	defer conn.CloseFS() //nolint:errcheck
+
 	name := util.CleanPath(replaceWithReplacer(c.Name, replacer))
 	conn.CheckParentDirs(path.Dir(name)) //nolint:errcheck
 	paths := make([]string, 0, len(c.Paths))
@ -2448,7 +2488,7 @@ func executePwdExpirationCheckForUser(user *dataprovider.User, config dataprovid
 	}
 	subject := "SFTPGo password expiration notification"
 	startTime := time.Now()
-	if err := smtp.SendEmail([]string{user.Email}, nil, subject, body.String(), smtp.EmailContentTypeTextHTML); err != nil {
+	if err := smtp.SendEmail(user.GetEmailAddresses(), nil, subject, body.String(), smtp.EmailContentTypeTextHTML); err != nil {
 		eventManagerLog(logger.LevelError, "unable to notify password expiration for user %s: %v, elapsed: %s",
 			user.Username, err, time.Since(startTime))
 		return err
@ -2505,19 +2545,57 @@ func executeAdminCheckAction(c *dataprovider.EventActionIDPAccountCheck, params
 	if err != nil {
 		return nil, err
 	}
-	if newAdmin.Password == "" {
-		newAdmin.Password = util.GenerateUniqueID()
-	}
 	if exists {
 		eventManagerLog(logger.LevelDebug, "updating admin %q after IDP login", params.Name)
+		// Not sure if this makes sense, but it shouldn't hurt.
+		if newAdmin.Password == "" {
+			newAdmin.Password = admin.Password
+		}
+		newAdmin.Filters.TOTPConfig = admin.Filters.TOTPConfig
+		newAdmin.Filters.RecoveryCodes = admin.Filters.RecoveryCodes
 		err = dataprovider.UpdateAdmin(&newAdmin, dataprovider.ActionExecutorSystem, "", "")
 	} else {
 		eventManagerLog(logger.LevelDebug, "creating admin %q after IDP login", params.Name)
+		if newAdmin.Password == "" {
+			newAdmin.Password = util.GenerateUniqueID()
+		}
 		err = dataprovider.AddAdmin(&newAdmin, dataprovider.ActionExecutorSystem, "", "")
 	}
 	return &newAdmin, err
 }

+func preserveUserProfile(user, newUser *dataprovider.User) {
+	if newUser.CanChangePassword() && user.Password != "" {
+		newUser.Password = user.Password
+	}
+	if newUser.CanManagePublicKeys() && len(user.PublicKeys) > 0 {
+		newUser.PublicKeys = user.PublicKeys
+	}
+	if newUser.CanManageTLSCerts() {
+		if len(user.Filters.TLSCerts) > 0 {
+			newUser.Filters.TLSCerts = user.Filters.TLSCerts
+		}
+	}
+	if newUser.CanChangeInfo() {
+		if user.Description != "" {
+			newUser.Description = user.Description
+		}
+		if user.Email != "" {
+			newUser.Email = user.Email
+		}
+		if len(user.Filters.AdditionalEmails) > 0 {
+			newUser.Filters.AdditionalEmails = user.Filters.AdditionalEmails
+		}
+	}
+	if newUser.CanChangeAPIKeyAuth() {
+		newUser.Filters.AllowAPIKeyAuth = user.Filters.AllowAPIKeyAuth
+	}
+	newUser.Filters.RecoveryCodes = user.Filters.RecoveryCodes
+	newUser.Filters.TOTPConfig = user.Filters.TOTPConfig
+	newUser.LastPasswordChange = user.LastPasswordChange
+	newUser.SetEmptySecretsIfNil()
+}
+
 func executeUserCheckAction(c *dataprovider.EventActionIDPAccountCheck, params *EventParams) (*dataprovider.User, error) {
 	user, err := dataprovider.UserExists(params.Name, "")
 	exists := err == nil
@ -2539,6 +2617,7 @@ func executeUserCheckAction(c *dataprovider.EventActionIDPAccountCheck, params *
 	}
 	if exists {
 		eventManagerLog(logger.LevelDebug, "updating user %q after IDP login", params.Name)
+		preserveUserProfile(&user, &newUser)
 		err = dataprovider.UpdateUser(&newUser, dataprovider.ActionExecutorSystem, "", "")
 	} else {
 		eventManagerLog(logger.LevelDebug, "creating user %q after IDP login", params.Name)
@ -2551,9 +2630,14 @@ func executeUserCheckAction(c *dataprovider.EventActionIDPAccountCheck, params *
 	return &u, err
 }

-func executeRuleAction(action dataprovider.BaseEventAction, params *EventParams,
+func executeRuleAction(action dataprovider.BaseEventAction, params *EventParams, //nolint:gocyclo
 	conditions dataprovider.ConditionOptions,
 ) error {
+	if len(conditions.EventStatuses) > 0 && !slices.Contains(conditions.EventStatuses, params.Status) {
+		eventManagerLog(logger.LevelDebug, "skipping action %s, event status %d does not match: %v",
+			action.Name, params.Status, conditions.EventStatuses)
+		return nil
+	}
 	var err error

 	switch action.Type {
@ -2585,6 +2669,8 @@ func executeRuleAction(action dataprovider.BaseEventAction, params *EventParams,
 		err = executeUserExpirationCheckRuleAction(conditions, params)
 	case dataprovider.ActionTypeUserInactivityCheck:
 		err = executeUserInactivityCheckRuleAction(action.Options.UserInactivityConfig, conditions, params, time.Now())
+	case dataprovider.ActionTypeRotateLogs:
+		err = logger.RotateLogFile()
 	default:
 		err = fmt.Errorf("unsupported action type: %d", action.Type)
 	}
--- a/internal/common/eventmanager_test.go
+++ b/internal/common/eventmanager_test.go
@ -800,6 +800,28 @@ func TestEventManagerErrors(t *testing.T) {
 	stopEventScheduler()
 }

+func TestDateTimePlaceholder(t *testing.T) {
+	oldTZ := Config.TZ
+
+	Config.TZ = ""
+	dateTime := time.Now()
+	params := EventParams{
+		Timestamp: dateTime,
+	}
+	replacements := params.getStringReplacements(false, false)
+	r := strings.NewReplacer(replacements...)
+	res := r.Replace("{{DateTime}}")
+	assert.Equal(t, dateTime.UTC().Format(dateTimeMillisFormat), res)
+
+	Config.TZ = "local"
+	replacements = params.getStringReplacements(false, false)
+	r = strings.NewReplacer(replacements...)
+	res = r.Replace("{{DateTime}}")
+	assert.Equal(t, dateTime.Local().Format(dateTimeMillisFormat), res)
+
+	Config.TZ = oldTZ
+}
+
 func TestEventRuleActions(t *testing.T) {
 	actionName := "test rule action"
 	action := dataprovider.BaseEventAction{
@ -1166,10 +1188,12 @@ func TestEventRuleActions(t *testing.T) {
 	action.Options = dataprovider.BaseEventActionOptions{
 		FsConfig: dataprovider.EventActionFilesystemConfig{
 			Type: dataprovider.FilesystemActionRename,
-			Renames: []dataprovider.KeyValue{
+			Renames: []dataprovider.RenameConfig{
 				{
-					Key:   "/source",
-					Value: "/target",
+					KeyValue: dataprovider.KeyValue{
+						Key:   "/source",
+						Value: "/target",
+					},
 				},
 			},
 		},
@ -1386,6 +1410,31 @@ func TestIDPAccountCheckRule(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, username, user.Username)
 	assert.Equal(t, 1, user.Status)
+	assert.Empty(t, user.Password)
+	assert.Len(t, user.PublicKeys, 0)
+	assert.Len(t, user.Filters.TLSCerts, 0)
+	assert.Empty(t, user.Email)
+	assert.Empty(t, user.Description)
+	// Update the profile attribute and make sure they are preserved
+	user.Password = "secret"
+	user.Email = "example@example.com"
+	user.Filters.AdditionalEmails = []string{"alias@example.com"}
+	user.Description = "some desc"
+	user.Filters.TLSCerts = []string{serverCert}
+	user.PublicKeys = []string{"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC03jj0D+djk7pxIf/0OhrxrchJTRZklofJ1NoIu4752Sq02mdXmarMVsqJ1cAjV5LBVy3D1F5U6XW4rppkXeVtd04Pxb09ehtH0pRRPaoHHlALiJt8CoMpbKYMA8b3KXPPriGxgGomvtU2T2RMURSwOZbMtpsugfjYSWenyYX+VORYhylWnSXL961LTyC21ehd6d6QnW9G7E5hYMITMY9TuQZz3bROYzXiTsgN0+g6Hn7exFQp50p45StUMfV/SftCMdCxlxuyGny2CrN/vfjO7xxOo2uv7q1qm10Q46KPWJQv+pgZ/OfL+EDjy07n5QVSKHlbx+2nT4Q0EgOSQaCTYwn3YjtABfIxWwgAFdyj6YlPulCL22qU4MYhDcA6PSBwDdf8hvxBfvsiHdM+JcSHvv8/VeJhk6CmnZxGY0fxBupov27z3yEO8nAg8k+6PaUiW1MSUfuGMF/ktB8LOstXsEPXSszuyXiOv4DaryOXUiSn7bmRqKcEFlJusO6aZP0= nicola@p1"}
+	err = dataprovider.UpdateUser(user, "", "", "")
+	assert.NoError(t, err)
+
+	user, err = executeUserCheckAction(c, params)
+	assert.NoError(t, err)
+	assert.Equal(t, username, user.Username)
+	assert.Equal(t, 1, user.Status)
+	assert.NotEmpty(t, user.Password)
+	assert.Len(t, user.PublicKeys, 1)
+	assert.Len(t, user.Filters.TLSCerts, 1)
+	assert.NotEmpty(t, user.Email)
+	assert.Len(t, user.Filters.AdditionalEmails, 1)
+	assert.NotEmpty(t, user.Description)

 	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
@ -1686,10 +1735,12 @@ func TestFilesystemActionErrors(t *testing.T) {
 	assert.NoError(t, err)
 	err = dataprovider.AddUser(&user, "", "", "")
 	assert.NoError(t, err)
-	err = executeRenameFsActionForUser([]dataprovider.KeyValue{
+	err = executeRenameFsActionForUser([]dataprovider.RenameConfig{
 		{
-			Key:   "/p1",
-			Value: "/p1",
+			KeyValue: dataprovider.KeyValue{
+				Key:   "/p1",
+				Value: "/p1",
+			},
 		},
 	}, testReplacer, user)
 	if assert.Error(t, err) {
@ -1700,10 +1751,12 @@ func TestFilesystemActionErrors(t *testing.T) {
 		Options: dataprovider.BaseEventActionOptions{
 			FsConfig: dataprovider.EventActionFilesystemConfig{
 				Type: dataprovider.FilesystemActionRename,
-				Renames: []dataprovider.KeyValue{
+				Renames: []dataprovider.RenameConfig{
 					{
-						Key:   "/p2",
-						Value: "/p2",
+						KeyValue: dataprovider.KeyValue{
+							Key:   "/p2",
+							Value: "/p2",
+						},
 					},
 				},
 			},
--- a/internal/common/eventscheduler.go
+++ b/internal/common/eventscheduler.go
@ -19,6 +19,8 @@ import (

 	"github.com/robfig/cron/v3"

+	"github.com/drakkan/sftpgo/v2/internal/dataprovider"
+	"github.com/drakkan/sftpgo/v2/internal/logger"
 	"github.com/drakkan/sftpgo/v2/internal/util"
 )

@ -36,7 +38,15 @@ func stopEventScheduler() {
 func startEventScheduler() {
 	stopEventScheduler()

-	eventScheduler = cron.New(cron.WithLocation(time.UTC), cron.WithLogger(cron.DiscardLogger))
+	options := []cron.Option{
+		cron.WithLogger(cron.DiscardLogger),
+	}
+	if !dataprovider.UseLocalTime() {
+		eventManagerLog(logger.LevelDebug, "use UTC time for the scheduler")
+		options = append(options, cron.WithLocation(time.UTC))
+	}
+
+	eventScheduler = cron.New(options...)
 	eventManager.loadRules()
 	_, err := eventScheduler.AddFunc("@every 10m", eventManager.loadRules)
 	util.PanicOnError(err)
--- a/internal/common/protocol_test.go
+++ b/internal/common/protocol_test.go
--- a/internal/common/ratelimiter.go
+++ b/internal/common/ratelimiter.go
@ -17,6 +17,7 @@ package common
 import (
 	"errors"
 	"fmt"
+	"slices"
 	"sort"
 	"sync"
 	"sync/atomic"
@ -94,7 +95,7 @@ func (r *RateLimiterConfig) validate() error {
 	}
 	r.Protocols = util.RemoveDuplicates(r.Protocols, true)
 	for _, protocol := range r.Protocols {
-		if !util.Contains(rateLimiterProtocolValues, protocol) {
+		if !slices.Contains(rateLimiterProtocolValues, protocol) {
 			return fmt.Errorf("invalid protocol %q", protocol)
 		}
 	}
--- a/internal/common/tlsutils.go
+++ b/internal/common/tlsutils.go
@ -25,6 +25,7 @@ import (
 	"math/rand"
 	"os"
 	"path/filepath"
+	"slices"
 	"sync"

 	"github.com/drakkan/sftpgo/v2/internal/logger"
@ -96,7 +97,7 @@ func (m *CertManager) loadCertificates() error {
 		}
 		logger.Debug(m.logSender, "", "TLS certificate %q successfully loaded, id %v", keyPair.Cert, keyPair.ID)
 		certs[keyPair.ID] = &newCert
-		if !util.Contains(m.monitorList, keyPair.Cert) {
+		if !slices.Contains(m.monitorList, keyPair.Cert) {
 			m.monitorList = append(m.monitorList, keyPair.Cert)
 		}
 	}
@ -190,7 +191,7 @@ func (m *CertManager) LoadCRLs() error {

 		logger.Debug(m.logSender, "", "CRL %q successfully loaded", revocationList)
 		crls = append(crls, crl)
-		if !util.Contains(m.monitorList, revocationList) {
+		if !slices.Contains(m.monitorList, revocationList) {
 			m.monitorList = append(m.monitorList, revocationList)
 		}
 	}
--- a/internal/common/transfer.go
+++ b/internal/common/transfer.go
@ -329,6 +329,21 @@ func (t *BaseTransfer) getUploadFileSize() (int64, int, error) {
 	var fileSize int64
 	var deletedFiles int

+	switch dataprovider.GetQuotaTracking() {
+	case 0:
+		return fileSize, deletedFiles, errors.New("quota tracking disabled")
+	case 2:
+		if !t.Connection.User.HasQuotaRestrictions() {
+			vfolder, err := t.Connection.User.GetVirtualFolderForPath(path.Dir(t.requestPath))
+			if err != nil {
+				return fileSize, deletedFiles, errors.New("quota tracking disabled for this user")
+			}
+			if vfolder.IsIncludedInUserQuota() {
+				return fileSize, deletedFiles, errors.New("quota tracking disabled for this user and folder included in user quota")
+			}
+		}
+	}
+
 	info, err := t.Fs.Stat(t.fsPath)
 	if err == nil {
 		fileSize = info.Size()
@ -352,6 +367,9 @@ func (t *BaseTransfer) checkUploadOutsideHomeDir(err error) int {
 	if err == nil {
 		return 0
 	}
+	if t.ErrTransfer == nil {
+		t.ErrTransfer = err
+	}
 	if Config.TempPath == "" {
 		return 0
 	}
@ -391,7 +409,7 @@ func (t *BaseTransfer) Close() error {
 			t.effectiveFsPath, err)
 	} else if t.isAtomicUpload() {
 		if t.ErrTransfer == nil || Config.UploadMode&UploadModeAtomicWithResume != 0 {
-			_, _, err = t.Fs.Rename(t.effectiveFsPath, t.fsPath)
+			_, _, err = t.Fs.Rename(t.effectiveFsPath, t.fsPath, 0)
 			t.Connection.Log(logger.LevelDebug, "atomic upload completed, rename: %q -> %q, error: %v",
 				t.effectiveFsPath, t.fsPath, err)
 			// the file must be removed if it is uploaded to a path outside the home dir and cannot be renamed
@ -410,7 +428,8 @@ func (t *BaseTransfer) Close() error {
 	var uploadFileSize int64
 	if t.transferType == TransferDownload {
 		logger.TransferLog(downloadLogSender, t.fsPath, elapsed, t.BytesSent.Load(), t.Connection.User.Username,
-			t.Connection.ID, t.Connection.protocol, t.Connection.localAddr, t.Connection.remoteAddr, t.ftpMode)
+			t.Connection.ID, t.Connection.protocol, t.Connection.localAddr, t.Connection.remoteAddr, t.ftpMode,
+			t.ErrTransfer)
 		ExecuteActionNotification(t.Connection, operationDownload, t.fsPath, t.requestPath, "", "", "", //nolint:errcheck
 			t.BytesSent.Load(), t.ErrTransfer, elapsed, t.metadata)
 	} else {
@ -431,7 +450,8 @@ func (t *BaseTransfer) Close() error {
 		t.updateQuota(numFiles, uploadFileSize)
 		t.updateTimes()
 		logger.TransferLog(uploadLogSender, t.fsPath, elapsed, t.BytesReceived.Load(), t.Connection.User.Username,
-			t.Connection.ID, t.Connection.protocol, t.Connection.localAddr, t.Connection.remoteAddr, t.ftpMode)
+			t.Connection.ID, t.Connection.protocol, t.Connection.localAddr, t.Connection.remoteAddr, t.ftpMode,
+			t.ErrTransfer)
 	}
 	if t.ErrTransfer != nil {
 		t.Connection.Log(logger.LevelError, "transfer error: %v, path: %q", t.ErrTransfer, t.fsPath)
@ -516,11 +536,8 @@ func (t *BaseTransfer) updateQuota(numFiles int, fileSize int64) bool {
 	if t.transferType == TransferUpload && (numFiles != 0 || sizeDiff != 0) {
 		vfolder, err := t.Connection.User.GetVirtualFolderForPath(path.Dir(t.requestPath))
 		if err == nil {
-			dataprovider.UpdateVirtualFolderQuota(&vfolder.BaseVirtualFolder, numFiles, //nolint:errcheck
+			dataprovider.UpdateUserFolderQuota(&vfolder, &t.Connection.User, numFiles,
 				sizeDiff, false)
-			if vfolder.IsIncludedInUserQuota() {
-				dataprovider.UpdateUserQuota(&t.Connection.User, numFiles, sizeDiff, false) //nolint:errcheck
-			}
 		} else {
 			dataprovider.UpdateUserQuota(&t.Connection.User, numFiles, sizeDiff, false) //nolint:errcheck
 		}
--- a/internal/common/transfer_test.go
+++ b/internal/common/transfer_test.go
@ -306,8 +306,9 @@ func TestRemovePartialCryptoFile(t *testing.T) {
 	require.NoError(t, err)
 	u := dataprovider.User{
 		BaseUser: sdk.BaseUser{
-			Username: "test",
-			HomeDir:  os.TempDir(),
+			Username:   "test",
+			HomeDir:    os.TempDir(),
+			QuotaFiles: 1000000,
 		},
 	}
 	conn := NewBaseConnection(fs.ConnectionID(), ProtocolSFTP, "", "", u)
@ -323,6 +324,9 @@ func TestRemovePartialCryptoFile(t *testing.T) {
 	assert.Equal(t, int64(0), size)
 	assert.Equal(t, 1, deletedFiles)
 	assert.NoFileExists(t, testFile)
+	err = transfer.Close()
+	assert.Error(t, err)
+	assert.Len(t, conn.GetTransfers(), 0)
 }

 func TestFTPMode(t *testing.T) {
@ -434,6 +438,11 @@ func TestTransferQuota(t *testing.T) {
 	}
 	err = transfer.CheckWrite()
 	assert.True(t, conn.IsQuotaExceededError(err))
+
+	err = transfer.Close()
+	assert.NoError(t, err)
+	assert.Len(t, conn.GetTransfers(), 0)
+	assert.Equal(t, int32(0), Connections.GetTotalTransfers())
 }

 func TestUploadOutsideHomeRenameError(t *testing.T) {
--- a/internal/common/transferschecker_test.go
+++ b/internal/common/transferschecker_test.go
@ -250,6 +250,7 @@ func TestTransfersCheckerDiskQuota(t *testing.T) {
 	Connections.Remove(fakeConn5.GetID())
 	stats := Connections.GetStats("")
 	assert.Len(t, stats, 0)
+	assert.Equal(t, int32(0), Connections.GetTotalTransfers())

 	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
@ -368,11 +369,16 @@ func TestTransferCheckerTransferQuota(t *testing.T) {
 	if assert.Error(t, transfer4.errAbort) {
 		assert.Contains(t, transfer4.errAbort.Error(), ErrReadQuotaExceeded.Error())
 	}
+	err = transfer3.Close()
+	assert.NoError(t, err)
+	err = transfer4.Close()
+	assert.NoError(t, err)

 	Connections.Remove(fakeConn3.GetID())
 	Connections.Remove(fakeConn4.GetID())
 	stats := Connections.GetStats("")
 	assert.Len(t, stats, 0)
+	assert.Equal(t, int32(0), Connections.GetTotalTransfers())

 	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -20,6 +20,7 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"slices"
 	"strconv"
 	"strings"

@ -91,6 +92,7 @@ var (
 		TLSCipherSuites:      nil,
 		Protocols:            nil,
 		Prefix:               "",
+		ProxyMode:            0,
 		ProxyAllowed:         nil,
 		ClientIPProxyHeader:  "",
 		ClientIPHeaderDepth:  0,
@ -110,11 +112,13 @@ var (
 		ClientAuthType:      0,
 		TLSCipherSuites:     nil,
 		Protocols:           nil,
+		ProxyMode:           0,
 		ProxyAllowed:        nil,
 		ClientIPProxyHeader: "",
 		ClientIPHeaderDepth: 0,
 		HideLoginURL:        0,
 		RenderOpenAPI:       true,
+		Languages:           []string{"en"},
 		OIDC: httpd.OIDC{
 			ClientID:                   "",
 			ClientSecret:               "",
@ -144,6 +148,7 @@ var (
 			ContentSecurityPolicy:   "",
 			PermissionsPolicy:       "",
 			CrossOriginOpenerPolicy: "",
+			CacheControl:            "",
 		},
 		Branding: httpd.Branding{},
 	}
@ -226,13 +231,21 @@ func Init() {
 				ObservationTime:    30,
 				EntriesSoftLimit:   100,
 				EntriesHardLimit:   150,
+				LoginDelay: common.LoginDelay{
+					Success:        0,
+					PasswordFailed: 1000,
+				},
 			},
 			RateLimitersConfig: []common.RateLimiterConfig{defaultRateLimiter},
 			Umask:              "",
 			ServerVersion:      "",
+			TZ:                 "",
 			Metadata: common.MetadataConfig{
 				Read: 0,
 			},
+			EventManager: common.EventManagerConfig{
+				EnabledCommands: []string{},
+			},
 		},
 		ACME: acme.Configuration{
 			Email:      "",
@ -257,6 +270,7 @@ func Init() {
 			HostCertificates:                  []string{},
 			HostKeyAlgorithms:                 []string{},
 			KexAlgorithms:                     []string{},
+			MinDHGroupExchangeKeySize:         2048,
 			Ciphers:                           []string{},
 			MACs:                              []string{},
 			PublicKeyAlgorithms:               []string{},
@ -390,6 +404,9 @@ func Init() {
 			SigningPassphrase:     "",
 			SigningPassphraseFile: "",
 			TokenValidation:       0,
+			CookieLifetime:        20,
+			ShareCookieLifetime:   120,
+			JWTLifetime:           20,
 			MaxUploadFileSize:     0,
 			Cors: httpd.CorsConfig{
 				Enabled:              false,
@ -631,6 +648,15 @@ func getRedactedGlobalConf() globalConfig {
 		binding.OIDC.ClientSecret = getRedactedPassword(binding.OIDC.ClientSecret)
 		conf.HTTPDConfig.Bindings = append(conf.HTTPDConfig.Bindings, binding)
 	}
+	conf.PluginsConfig = nil
+	for _, plugin := range globalConf.PluginsConfig {
+		var args []string
+		for _, arg := range plugin.Args {
+			args = append(args, getRedactedPassword(arg))
+		}
+		plugin.Args = args
+		conf.PluginsConfig = append(conf.PluginsConfig, plugin)
+	}
 	return conf
 }

@ -701,7 +727,7 @@ func checkOverrideDefaultSettings() {
 		}
 	}

-	if util.Contains(viper.AllKeys(), "mfa.totp") {
+	if slices.Contains(viper.AllKeys(), "mfa.totp") {
 		globalConf.MFAConfig.TOTP = nil
 	}
 }
@ -787,6 +813,12 @@ func resetInvalidConfigs() {
 			logger.WarnToConsole("Non-fatal configuration error: %v", warn)
 		}
 	}
+	if globalConf.Common.RenameMode < 0 || globalConf.Common.RenameMode > 1 {
+		warn := fmt.Sprintf("invalid rename mode %d, reset to 0", globalConf.Common.RenameMode)
+		globalConf.Common.RenameMode = 0
+		logger.Warn(logSender, "", "Non-fatal configuration error: %v", warn)
+		logger.WarnToConsole("Non-fatal configuration error: %v", warn)
+	}
 }

 func loadBindingsFromEnv() {
@ -859,13 +891,13 @@ func getRateLimitersFromEnv(idx int) {
 		isSet = true
 	}

-	burst, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_COMMON__RATE_LIMITERS__%v__BURST", idx), 0)
+	burst, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_COMMON__RATE_LIMITERS__%v__BURST", idx), 32)
 	if ok {
 		rtlConfig.Burst = int(burst)
 		isSet = true
 	}

-	rtlType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_COMMON__RATE_LIMITERS__%v__TYPE", idx), 0)
+	rtlType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_COMMON__RATE_LIMITERS__%v__TYPE", idx), 32)
 	if ok {
 		rtlConfig.Type = int(rtlType)
 		isSet = true
@ -883,13 +915,13 @@ func getRateLimitersFromEnv(idx int) {
 		isSet = true
 	}

-	softLimit, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_COMMON__RATE_LIMITERS__%v__ENTRIES_SOFT_LIMIT", idx), 0)
+	softLimit, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_COMMON__RATE_LIMITERS__%v__ENTRIES_SOFT_LIMIT", idx), 32)
 	if ok {
 		rtlConfig.EntriesSoftLimit = int(softLimit)
 		isSet = true
 	}

-	hardLimit, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_COMMON__RATE_LIMITERS__%v__ENTRIES_HARD_LIMIT", idx), 0)
+	hardLimit, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_COMMON__RATE_LIMITERS__%v__ENTRIES_HARD_LIMIT", idx), 32)
 	if ok {
 		rtlConfig.EntriesHardLimit = int(hardLimit)
 		isSet = true
@ -925,7 +957,7 @@ func getKMSPluginFromEnv(idx int, pluginConfig *plugin.Config) bool {
 func getAuthPluginFromEnv(idx int, pluginConfig *plugin.Config) bool {
 	isSet := false

-	authScope, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_PLUGINS__%v__AUTH_OPTIONS__SCOPE", idx), 0)
+	authScope, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_PLUGINS__%v__AUTH_OPTIONS__SCOPE", idx), 32)
 	if ok {
 		pluginConfig.AuthOptions.Scope = int(authScope)
 		isSet = true
@ -970,13 +1002,13 @@ func getNotifierPluginFromEnv(idx int, pluginConfig *plugin.Config) bool {
 		}
 	}

-	notifierRetryMaxTime, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_PLUGINS__%v__NOTIFIER_OPTIONS__RETRY_MAX_TIME", idx), 0)
+	notifierRetryMaxTime, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_PLUGINS__%v__NOTIFIER_OPTIONS__RETRY_MAX_TIME", idx), 32)
 	if ok {
 		pluginConfig.NotifierOptions.RetryMaxTime = int(notifierRetryMaxTime)
 		isSet = true
 	}

-	notifierRetryQueueMaxSize, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_PLUGINS__%v__NOTIFIER_OPTIONS__RETRY_QUEUE_MAX_SIZE", idx), 0)
+	notifierRetryQueueMaxSize, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_PLUGINS__%v__NOTIFIER_OPTIONS__RETRY_QUEUE_MAX_SIZE", idx), 32)
 	if ok {
 		pluginConfig.NotifierOptions.RetryQueueMaxSize = int(notifierRetryQueueMaxSize)
 		isSet = true
@ -1064,7 +1096,7 @@ func getSFTPDBindindFromEnv(idx int) {

 	isSet := false

-	port, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_SFTPD__BINDINGS__%v__PORT", idx), 0)
+	port, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_SFTPD__BINDINGS__%v__PORT", idx), 32)
 	if ok {
 		binding.Port = int(port)
 		isSet = true
@ -1151,19 +1183,19 @@ func getFTPDBindingSecurityFromEnv(idx int, binding *ftpd.Binding) bool {
 		isSet = true
 	}

-	tlsMode, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__TLS_MODE", idx), 0)
+	tlsMode, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__TLS_MODE", idx), 32)
 	if ok {
 		binding.TLSMode = int(tlsMode)
 		isSet = true
 	}

-	tlsSessionReuse, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__TLS_SESSION_REUSE", idx), 0)
+	tlsSessionReuse, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__TLS_SESSION_REUSE", idx), 32)
 	if ok {
 		binding.TLSSessionReuse = int(tlsSessionReuse)
 		isSet = true
 	}

-	tlsVer, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__MIN_TLS_VERSION", idx), 0)
+	tlsVer, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__MIN_TLS_VERSION", idx), 32)
 	if ok {
 		binding.MinTLSVersion = int(tlsVer)
 		isSet = true
@ -1175,25 +1207,25 @@ func getFTPDBindingSecurityFromEnv(idx int, binding *ftpd.Binding) bool {
 		isSet = true
 	}

-	clientAuthType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__CLIENT_AUTH_TYPE", idx), 0)
+	clientAuthType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__CLIENT_AUTH_TYPE", idx), 32)
 	if ok {
 		binding.ClientAuthType = int(clientAuthType)
 		isSet = true
 	}

-	pasvSecurity, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__PASSIVE_CONNECTIONS_SECURITY", idx), 0)
+	pasvSecurity, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__PASSIVE_CONNECTIONS_SECURITY", idx), 32)
 	if ok {
 		binding.PassiveConnectionsSecurity = int(pasvSecurity)
 		isSet = true
 	}

-	activeSecurity, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__ACTIVE_CONNECTIONS_SECURITY", idx), 0)
+	activeSecurity, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__ACTIVE_CONNECTIONS_SECURITY", idx), 32)
 	if ok {
 		binding.ActiveConnectionsSecurity = int(activeSecurity)
 		isSet = true
 	}

-	ignoreASCIITransferType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%d__IGNORE_ASCII_TRANSFER_TYPE", idx), 0)
+	ignoreASCIITransferType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%d__IGNORE_ASCII_TRANSFER_TYPE", idx), 32)
 	if ok {
 		binding.IgnoreASCIITransferType = int(ignoreASCIITransferType)
 		isSet = true
@ -1206,7 +1238,7 @@ func getFTPDBindingFromEnv(idx int) {
 	binding := getDefaultFTPDBinding(idx)
 	isSet := false

-	port, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__PORT", idx), 0)
+	port, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_FTPD__BINDINGS__%v__PORT", idx), 32)
 	if ok {
 		binding.Port = int(port)
 		isSet = true
@ -1286,13 +1318,13 @@ func getWebDAVBindingHTTPSConfigsFromEnv(idx int, binding *webdavd.Binding) bool
 		isSet = true
 	}

-	tlsVer, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__MIN_TLS_VERSION", idx), 0)
+	tlsVer, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__MIN_TLS_VERSION", idx), 32)
 	if ok {
 		binding.MinTLSVersion = int(tlsVer)
 		isSet = true
 	}

-	clientAuthType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__CLIENT_AUTH_TYPE", idx), 0)
+	clientAuthType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__CLIENT_AUTH_TYPE", idx), 32)
 	if ok {
 		binding.ClientAuthType = int(clientAuthType)
 		isSet = true
@ -1316,6 +1348,12 @@ func getWebDAVBindingHTTPSConfigsFromEnv(idx int, binding *webdavd.Binding) bool
 func getWebDAVDBindingProxyConfigsFromEnv(idx int, binding *webdavd.Binding) bool {
 	isSet := false

+	proxyMode, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__PROXY_MODE", idx), 32)
+	if ok {
+		binding.ProxyMode = int(proxyMode)
+		isSet = true
+	}
+
 	proxyAllowed, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__PROXY_ALLOWED", idx))
 	if ok {
 		binding.ProxyAllowed = proxyAllowed
@ -1328,7 +1366,7 @@ func getWebDAVDBindingProxyConfigsFromEnv(idx int, binding *webdavd.Binding) boo
 		isSet = true
 	}

-	clientIPHeaderDepth, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__CLIENT_IP_HEADER_DEPTH", idx), 0)
+	clientIPHeaderDepth, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__CLIENT_IP_HEADER_DEPTH", idx), 32)
 	if ok {
 		binding.ClientIPHeaderDepth = int(clientIPHeaderDepth)
 		isSet = true
@ -1366,7 +1404,7 @@ func getWebDAVDBindingFromEnv(idx int) {

 	isSet := false

-	port, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__PORT", idx), 0)
+	port, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_WEBDAVD__BINDINGS__%v__PORT", idx), 32)
 	if ok {
 		binding.Port = int(port)
 		isSet = true
@ -1533,6 +1571,12 @@ func getHTTPDSecurityConfFromEnv(idx int) (httpd.SecurityConf, bool) { //nolint:
 		isSet = true
 	}

+	cacheControl, ok := os.LookupEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__SECURITY__CACHE_CONTROL", idx))
+	if ok {
+		result.CacheControl = cacheControl
+		isSet = true
+	}
+
 	return result, isSet
 }

@ -1645,12 +1689,6 @@ func getHTTPDUIBrandingFromEnv(prefix string, branding httpd.UIBranding) (httpd.
 		isSet = true
 	}

-	loginImagePath, ok := os.LookupEnv(fmt.Sprintf("%s__LOGIN_IMAGE_PATH", prefix))
-	if ok {
-		branding.LoginImagePath = loginImagePath
-		isSet = true
-	}
-
 	disclaimerName, ok := os.LookupEnv(fmt.Sprintf("%s__DISCLAIMER_NAME", prefix))
 	if ok {
 		branding.DisclaimerName = disclaimerName
@ -1737,6 +1775,12 @@ func getHTTPDNestedObjectsFromEnv(idx int, binding *httpd.Binding) bool {
 func getHTTPDBindingProxyConfigsFromEnv(idx int, binding *httpd.Binding) bool {
 	isSet := false

+	proxyMode, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__PROXY_MODE", idx), 32)
+	if ok {
+		binding.ProxyMode = int(proxyMode)
+		isSet = true
+	}
+
 	proxyAllowed, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__PROXY_ALLOWED", idx))
 	if ok {
 		binding.ProxyAllowed = proxyAllowed
@ -1749,7 +1793,7 @@ func getHTTPDBindingProxyConfigsFromEnv(idx int, binding *httpd.Binding) bool {
 		isSet = true
 	}

-	clientIPHeaderDepth, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__CLIENT_IP_HEADER_DEPTH", idx), 0)
+	clientIPHeaderDepth, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__CLIENT_IP_HEADER_DEPTH", idx), 32)
 	if ok {
 		binding.ClientIPHeaderDepth = int(clientIPHeaderDepth)
 		isSet = true
@ -1762,7 +1806,7 @@ func getHTTPDBindingFromEnv(idx int) { //nolint:gocyclo
 	binding := getDefaultHTTPBinding(idx)
 	isSet := false

-	port, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__PORT", idx), 0)
+	port, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__PORT", idx), 32)
 	if ok {
 		binding.Port = int(port)
 		isSet = true
@ -1804,7 +1848,7 @@ func getHTTPDBindingFromEnv(idx int) { //nolint:gocyclo
 		isSet = true
 	}

-	enabledLoginMethods, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__ENABLED_LOGIN_METHODS", idx), 0)
+	enabledLoginMethods, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__ENABLED_LOGIN_METHODS", idx), 32)
 	if ok {
 		binding.EnabledLoginMethods = int(enabledLoginMethods)
 		isSet = true
@ -1816,19 +1860,25 @@ func getHTTPDBindingFromEnv(idx int) { //nolint:gocyclo
 		isSet = true
 	}

+	languages, ok := lookupStringListFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%d__LANGUAGES", idx))
+	if ok {
+		binding.Languages = languages
+		isSet = true
+	}
+
 	enableHTTPS, ok := lookupBoolFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__ENABLE_HTTPS", idx))
 	if ok {
 		binding.EnableHTTPS = enableHTTPS
 		isSet = true
 	}

-	tlsVer, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__MIN_TLS_VERSION", idx), 0)
+	tlsVer, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__MIN_TLS_VERSION", idx), 32)
 	if ok {
 		binding.MinTLSVersion = int(tlsVer)
 		isSet = true
 	}

-	clientAuthType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__CLIENT_AUTH_TYPE", idx), 0)
+	clientAuthType, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__CLIENT_AUTH_TYPE", idx), 32)
 	if ok {
 		binding.ClientAuthType = int(clientAuthType)
 		isSet = true
@ -1850,7 +1900,7 @@ func getHTTPDBindingFromEnv(idx int) { //nolint:gocyclo
 		isSet = true
 	}

-	hideLoginURL, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__HIDE_LOGIN_URL", idx), 0)
+	hideLoginURL, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_HTTPD__BINDINGS__%v__HIDE_LOGIN_URL", idx), 32)
 	if ok {
 		binding.HideLoginURL = int(hideLoginURL)
 		isSet = true
@ -1939,7 +1989,7 @@ func getCommandConfigsFromEnv(idx int) {
 		cfg.Path = path
 	}

-	timeout, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_COMMAND__COMMANDS__%v__TIMEOUT", idx), 0)
+	timeout, ok := lookupIntFromEnv(fmt.Sprintf("SFTPGO_COMMAND__COMMANDS__%v__TIMEOUT", idx), 32)
 	if ok {
 		cfg.Timeout = int(timeout)
 	}
@ -1995,9 +2045,13 @@ func setViperDefaults() {
 	viper.SetDefault("common.defender.observation_time", globalConf.Common.DefenderConfig.ObservationTime)
 	viper.SetDefault("common.defender.entries_soft_limit", globalConf.Common.DefenderConfig.EntriesSoftLimit)
 	viper.SetDefault("common.defender.entries_hard_limit", globalConf.Common.DefenderConfig.EntriesHardLimit)
+	viper.SetDefault("common.defender.login_delay.success", globalConf.Common.DefenderConfig.LoginDelay.Success)
+	viper.SetDefault("common.defender.login_delay.password_failed", globalConf.Common.DefenderConfig.LoginDelay.PasswordFailed)
 	viper.SetDefault("common.umask", globalConf.Common.Umask)
 	viper.SetDefault("common.server_version", globalConf.Common.ServerVersion)
+	viper.SetDefault("common.tz", globalConf.Common.TZ)
 	viper.SetDefault("common.metadata.read", globalConf.Common.Metadata.Read)
+	viper.SetDefault("common.event_manager.enabled_commands", globalConf.Common.EventManager.EnabledCommands)
 	viper.SetDefault("acme.email", globalConf.ACME.Email)
 	viper.SetDefault("acme.key_type", globalConf.ACME.KeyType)
 	viper.SetDefault("acme.certs_path", globalConf.ACME.CertsPath)
@ -2013,6 +2067,7 @@ func setViperDefaults() {
 	viper.SetDefault("sftpd.host_certificates", globalConf.SFTPD.HostCertificates)
 	viper.SetDefault("sftpd.host_key_algorithms", globalConf.SFTPD.HostKeyAlgorithms)
 	viper.SetDefault("sftpd.kex_algorithms", globalConf.SFTPD.KexAlgorithms)
+	viper.SetDefault("sftpd.min_dh_group_exchange_key_size", globalConf.SFTPD.MinDHGroupExchangeKeySize)
 	viper.SetDefault("sftpd.ciphers", globalConf.SFTPD.Ciphers)
 	viper.SetDefault("sftpd.macs", globalConf.SFTPD.MACs)
 	viper.SetDefault("sftpd.public_key_algorithms", globalConf.SFTPD.PublicKeyAlgorithms)
@ -2109,6 +2164,9 @@ func setViperDefaults() {
 	viper.SetDefault("httpd.signing_passphrase", globalConf.HTTPDConfig.SigningPassphrase)
 	viper.SetDefault("httpd.signing_passphrase_file", globalConf.HTTPDConfig.SigningPassphraseFile)
 	viper.SetDefault("httpd.token_validation", globalConf.HTTPDConfig.TokenValidation)
+	viper.SetDefault("httpd.cookie_lifetime", globalConf.HTTPDConfig.CookieLifetime)
+	viper.SetDefault("httpd.share_cookie_lifetime", globalConf.HTTPDConfig.ShareCookieLifetime)
+	viper.SetDefault("httpd.jwt_lifetime", globalConf.HTTPDConfig.JWTLifetime)
 	viper.SetDefault("httpd.max_upload_file_size", globalConf.HTTPDConfig.MaxUploadFileSize)
 	viper.SetDefault("httpd.cors.enabled", globalConf.HTTPDConfig.Cors.Enabled)
 	viper.SetDefault("httpd.cors.allowed_origins", globalConf.HTTPDConfig.Cors.AllowedOrigins)
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@ -19,6 +19,7 @@ import (
 	"encoding/json"
 	"os"
 	"path/filepath"
+	"slices"
 	"testing"

 	"github.com/sftpgo/sdk/kms"
@ -36,7 +37,6 @@ import (
 	"github.com/drakkan/sftpgo/v2/internal/plugin"
 	"github.com/drakkan/sftpgo/v2/internal/sftpd"
 	"github.com/drakkan/sftpgo/v2/internal/smtp"
-	"github.com/drakkan/sftpgo/v2/internal/util"
 	"github.com/drakkan/sftpgo/v2/internal/webdavd"
 )

@ -243,6 +243,26 @@ func TestInvalidInstallationHint(t *testing.T) {
 	assert.NoError(t, err)
 }

+func TestInvalidRenameMode(t *testing.T) {
+	reset()
+
+	confName := tempConfigName + ".json"
+	configFilePath := filepath.Join(configDir, confName)
+	commonConfig := config.GetCommonConfig()
+	commonConfig.RenameMode = 10
+	c := make(map[string]any)
+	c["common"] = commonConfig
+	jsonConf, err := json.Marshal(c)
+	assert.NoError(t, err)
+	err = os.WriteFile(configFilePath, jsonConf, os.ModePerm)
+	assert.NoError(t, err)
+	err = config.LoadConfig(configDir, confName)
+	assert.NoError(t, err)
+	assert.Equal(t, 0, config.GetCommonConfig().RenameMode)
+	err = os.Remove(configFilePath)
+	assert.NoError(t, err)
+}
+
 func TestDefenderProviderDriver(t *testing.T) {
 	if config.GetProviderConf().Driver != dataprovider.SQLiteDataProviderName {
 		t.Skip("this test is not supported with the current database provider")
@ -679,8 +699,8 @@ func TestPluginsFromEnv(t *testing.T) {
 	pluginConf := pluginsConf[0]
 	require.Equal(t, "notifier", pluginConf.Type)
 	require.Len(t, pluginConf.NotifierOptions.FsEvents, 2)
-	require.True(t, util.Contains(pluginConf.NotifierOptions.FsEvents, "upload"))
-	require.True(t, util.Contains(pluginConf.NotifierOptions.FsEvents, "download"))
+	require.True(t, slices.Contains(pluginConf.NotifierOptions.FsEvents, "upload"))
+	require.True(t, slices.Contains(pluginConf.NotifierOptions.FsEvents, "download"))
 	require.Len(t, pluginConf.NotifierOptions.ProviderEvents, 2)
 	require.Equal(t, "add", pluginConf.NotifierOptions.ProviderEvents[0])
 	require.Equal(t, "update", pluginConf.NotifierOptions.ProviderEvents[1])
@ -729,8 +749,8 @@ func TestPluginsFromEnv(t *testing.T) {
 	pluginConf = pluginsConf[0]
 	require.Equal(t, "notifier", pluginConf.Type)
 	require.Len(t, pluginConf.NotifierOptions.FsEvents, 2)
-	require.True(t, util.Contains(pluginConf.NotifierOptions.FsEvents, "upload"))
-	require.True(t, util.Contains(pluginConf.NotifierOptions.FsEvents, "download"))
+	require.True(t, slices.Contains(pluginConf.NotifierOptions.FsEvents, "upload"))
+	require.True(t, slices.Contains(pluginConf.NotifierOptions.FsEvents, "download"))
 	require.Len(t, pluginConf.NotifierOptions.ProviderEvents, 2)
 	require.Equal(t, "add", pluginConf.NotifierOptions.ProviderEvents[0])
 	require.Equal(t, "update", pluginConf.NotifierOptions.ProviderEvents[1])
@ -787,8 +807,8 @@ func TestRateLimitersFromEnv(t *testing.T) {
 	require.Equal(t, 2, limiters[0].Type)
 	protocols := limiters[0].Protocols
 	require.Len(t, protocols, 2)
-	require.True(t, util.Contains(protocols, common.ProtocolFTP))
-	require.True(t, util.Contains(protocols, common.ProtocolSSH))
+	require.True(t, slices.Contains(protocols, common.ProtocolFTP))
+	require.True(t, slices.Contains(protocols, common.ProtocolSSH))
 	require.True(t, limiters[0].GenerateDefenderEvents)
 	require.Equal(t, 50, limiters[0].EntriesSoftLimit)
 	require.Equal(t, 100, limiters[0].EntriesHardLimit)
@ -799,10 +819,10 @@ func TestRateLimitersFromEnv(t *testing.T) {
 	require.Equal(t, 2, limiters[1].Type)
 	protocols = limiters[1].Protocols
 	require.Len(t, protocols, 4)
-	require.True(t, util.Contains(protocols, common.ProtocolFTP))
-	require.True(t, util.Contains(protocols, common.ProtocolSSH))
-	require.True(t, util.Contains(protocols, common.ProtocolWebDAV))
-	require.True(t, util.Contains(protocols, common.ProtocolHTTP))
+	require.True(t, slices.Contains(protocols, common.ProtocolFTP))
+	require.True(t, slices.Contains(protocols, common.ProtocolSSH))
+	require.True(t, slices.Contains(protocols, common.ProtocolWebDAV))
+	require.True(t, slices.Contains(protocols, common.ProtocolHTTP))
 	require.False(t, limiters[1].GenerateDefenderEvents)
 	require.Equal(t, 100, limiters[1].EntriesSoftLimit)
 	require.Equal(t, 150, limiters[1].EntriesHardLimit)
@ -1074,6 +1094,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
 	os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__ENABLE_HTTPS", "0")
 	os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__TLS_CIPHER_SUITES", "TLS_RSA_WITH_AES_128_CBC_SHA ")
 	os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__TLS_PROTOCOLS", "http/1.1 ")
+	os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__PROXY_MODE", "1")
 	os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__PROXY_ALLOWED", "192.168.10.1")
 	os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__CLIENT_IP_PROXY_HEADER", "X-Forwarded-For")
 	os.Setenv("SFTPGO_WEBDAVD__BINDINGS__1__CLIENT_IP_HEADER_DEPTH", "2")
@ -1093,6 +1114,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
 		os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__ENABLE_HTTPS")
 		os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__TLS_CIPHER_SUITES")
 		os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__TLS_PROTOCOLS")
+		os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__PROXY_MODE")
 		os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__PROXY_ALLOWED")
 		os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__CLIENT_IP_PROXY_HEADER")
 		os.Unsetenv("SFTPGO_WEBDAVD__BINDINGS__1__CLIENT_IP_HEADER_DEPTH")
@ -1117,6 +1139,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
 	require.Equal(t, 12, bindings[0].MinTLSVersion)
 	require.Len(t, bindings[0].TLSCipherSuites, 0)
 	require.Len(t, bindings[0].Protocols, 0)
+	require.Equal(t, 0, bindings[0].ProxyMode)
 	require.Empty(t, bindings[0].Prefix)
 	require.Equal(t, 0, bindings[0].ClientIPHeaderDepth)
 	require.False(t, bindings[0].DisableWWWAuthHeader)
@ -1129,6 +1152,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
 	require.Equal(t, "TLS_RSA_WITH_AES_128_CBC_SHA", bindings[1].TLSCipherSuites[0])
 	require.Len(t, bindings[1].Protocols, 1)
 	assert.Equal(t, "http/1.1", bindings[1].Protocols[0])
+	require.Equal(t, 1, bindings[1].ProxyMode)
 	require.Equal(t, "192.168.10.1", bindings[1].ProxyAllowed[0])
 	require.Equal(t, "X-Forwarded-For", bindings[1].ClientIPProxyHeader)
 	require.Equal(t, 2, bindings[1].ClientIPHeaderDepth)
@ -1139,6 +1163,7 @@ func TestWebDAVBindingsFromEnv(t *testing.T) {
 	require.True(t, bindings[2].EnableHTTPS)
 	require.Equal(t, 13, bindings[2].MinTLSVersion)
 	require.Equal(t, 1, bindings[2].ClientAuthType)
+	require.Equal(t, 0, bindings[2].ProxyMode)
 	require.Nil(t, bindings[2].TLSCipherSuites)
 	require.Equal(t, "/dav2", bindings[2].Prefix)
 	require.Equal(t, "webdav.crt", bindings[2].CertificateFile)
@ -1168,11 +1193,13 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_REST_API", "0")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLED_LOGIN_METHODS", "3")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__RENDER_OPENAPI", "0")
+	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__LANGUAGES", "en,es")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_HTTPS", "1 ")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__MIN_TLS_VERSION", "13")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE", "1")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES", " TLS_AES_256_GCM_SHA384 , TLS_CHACHA20_POLY1305_SHA256")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__TLS_PROTOCOLS", "h2, http/1.1")
+	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__PROXY_MODE", "1")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__PROXY_ALLOWED", " 192.168.9.1 , 172.16.25.0/24")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_IP_PROXY_HEADER", "X-Real-IP")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_IP_HEADER_DEPTH", "2")
@ -1203,11 +1230,11 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__CONTENT_SECURITY_POLICY", "script-src $NONCE")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__PERMISSIONS_POLICY", "fullscreen=(), geolocation=()")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__CROSS_ORIGIN_OPENER_POLICY", "same-origin")
+	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__CACHE_CONTROL", "private")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__EXTRA_CSS__0__PATH", "path1")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__EXTRA_CSS__1__PATH", "path2")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_ADMIN__FAVICON_PATH", "favicon.ico")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__LOGO_PATH", "logo.png")
-	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_ADMIN__LOGIN_IMAGE_PATH", "login_image.png")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__DISCLAIMER_NAME", "disclaimer")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_ADMIN__DISCLAIMER_PATH", "disclaimer.html")
 	os.Setenv("SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__DEFAULT_CSS", "default.css")
@ -1235,9 +1262,11 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLE_REST_API")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__ENABLED_LOGIN_METHODS")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__RENDER_OPENAPI")
+		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__LANGUAGES")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_AUTH_TYPE")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__TLS_CIPHER_SUITES")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__TLS_PROTOCOLS")
+		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__PROXY_MODE")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__PROXY_ALLOWED")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_IP_PROXY_HEADER")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__CLIENT_IP_HEADER_DEPTH")
@ -1268,11 +1297,11 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__CONTENT_SECURITY_POLICY")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__PERMISSIONS_POLICY")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__CROSS_ORIGIN_OPENER_POLICY")
+		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__SECURITY__CACHE_CONTROL")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__EXTRA_CSS__0__PATH")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__EXTRA_CSS__1__PATH")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_ADMIN__FAVICON_PATH")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__LOGO_PATH")
-		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_ADMIN__LOGIN_IMAGE_PATH")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__DISCLAIMER_NAME")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_ADMIN__DISCLAIMER_PATH")
 		os.Unsetenv("SFTPGO_HTTPD__BINDINGS__2__BRANDING__WEB_CLIENT__DEFAULT_CSS")
@ -1295,7 +1324,10 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 	require.True(t, bindings[0].EnableRESTAPI)
 	require.Equal(t, 0, bindings[0].EnabledLoginMethods)
 	require.True(t, bindings[0].RenderOpenAPI)
+	require.Len(t, bindings[0].Languages, 1)
+	assert.Contains(t, bindings[0].Languages, "en")
 	require.Len(t, bindings[0].TLSCipherSuites, 1)
+	require.Equal(t, 0, bindings[0].ProxyMode)
 	require.Empty(t, bindings[0].OIDC.ConfigURL)
 	require.Equal(t, "TLS_AES_128_GCM_SHA256", bindings[0].TLSCipherSuites[0])
 	require.Equal(t, 0, bindings[0].HideLoginURL)
@ -1313,6 +1345,8 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 	require.True(t, bindings[1].EnableRESTAPI)
 	require.Equal(t, 0, bindings[1].EnabledLoginMethods)
 	require.True(t, bindings[1].RenderOpenAPI)
+	require.Len(t, bindings[1].Languages, 1)
+	assert.Contains(t, bindings[1].Languages, "en")
 	require.Nil(t, bindings[1].TLSCipherSuites)
 	require.Equal(t, 1, bindings[1].HideLoginURL)
 	require.Empty(t, bindings[1].OIDC.ClientID)
@ -1322,6 +1356,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 	require.False(t, bindings[1].Security.Enabled)
 	require.Equal(t, "Web Admin", bindings[1].Branding.WebAdmin.Name)
 	require.Equal(t, "WebClient", bindings[1].Branding.WebClient.ShortName)
+	require.Equal(t, 0, bindings[1].ProxyMode)
 	require.Equal(t, 0, bindings[1].ClientIPHeaderDepth)
 	require.Equal(t, 9000, bindings[2].Port)
 	require.Equal(t, "127.0.1.1", bindings[2].Address)
@ -1332,6 +1367,9 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 	require.False(t, bindings[2].EnableRESTAPI)
 	require.Equal(t, 3, bindings[2].EnabledLoginMethods)
 	require.False(t, bindings[2].RenderOpenAPI)
+	require.Len(t, bindings[2].Languages, 2)
+	assert.Contains(t, bindings[2].Languages, "en")
+	assert.Contains(t, bindings[2].Languages, "es")
 	require.Equal(t, 1, bindings[2].ClientAuthType)
 	require.Len(t, bindings[2].TLSCipherSuites, 2)
 	require.Equal(t, "TLS_AES_256_GCM_SHA384", bindings[2].TLSCipherSuites[0])
@ -1339,6 +1377,7 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 	require.Len(t, bindings[2].Protocols, 2)
 	require.Equal(t, "h2", bindings[2].Protocols[0])
 	require.Equal(t, "http/1.1", bindings[2].Protocols[1])
+	require.Equal(t, 1, bindings[2].ProxyMode)
 	require.Len(t, bindings[2].ProxyAllowed, 2)
 	require.Equal(t, "192.168.9.1", bindings[2].ProxyAllowed[0])
 	require.Equal(t, "172.16.25.0/24", bindings[2].ProxyAllowed[1])
@ -1378,9 +1417,9 @@ func TestHTTPDBindingsFromEnv(t *testing.T) {
 	require.Equal(t, "script-src $NONCE", bindings[2].Security.ContentSecurityPolicy)
 	require.Equal(t, "fullscreen=(), geolocation=()", bindings[2].Security.PermissionsPolicy)
 	require.Equal(t, "same-origin", bindings[2].Security.CrossOriginOpenerPolicy)
+	require.Equal(t, "private", bindings[2].Security.CacheControl)
 	require.Equal(t, "favicon.ico", bindings[2].Branding.WebAdmin.FaviconPath)
 	require.Equal(t, "logo.png", bindings[2].Branding.WebClient.LogoPath)
-	require.Equal(t, "login_image.png", bindings[2].Branding.WebAdmin.LoginImagePath)
 	require.Equal(t, "disclaimer", bindings[2].Branding.WebClient.DisclaimerName)
 	require.Equal(t, "disclaimer.html", bindings[2].Branding.WebAdmin.DisclaimerPath)
 	require.Equal(t, []string{"default.css"}, bindings[2].Branding.WebClient.DefaultCSS)
--- a/internal/dataprovider/actions.go
+++ b/internal/dataprovider/actions.go
@ -21,6 +21,7 @@ import (
 	"net/url"
 	"os/exec"
 	"path/filepath"
+	"slices"
 	"strings"
 	"time"

@ -78,8 +79,8 @@ func executeAction(operation, executor, ip, objectType, objectName, role string,
 	if config.Actions.Hook == "" {
 		return
 	}
-	if !util.Contains(config.Actions.ExecuteOn, operation) ||
-		!util.Contains(config.Actions.ExecuteFor, objectType) {
+	if !slices.Contains(config.Actions.ExecuteOn, operation) ||
+		!slices.Contains(config.Actions.ExecuteFor, objectType) {
 		return
 	}

@ -141,7 +142,7 @@ func executeNotificationCommand(operation, executor, ip, objectType, objectName,

 	cmd := exec.CommandContext(ctx, config.Actions.Hook, args...)
 	cmd.Env = append(env,
-		fmt.Sprintf("SFTPGO_PROVIDER_ACTION=%vs", operation),
+		fmt.Sprintf("SFTPGO_PROVIDER_ACTION=%s", operation),
 		fmt.Sprintf("SFTPGO_PROVIDER_OBJECT_TYPE=%s", objectType),
 		fmt.Sprintf("SFTPGO_PROVIDER_OBJECT_NAME=%s", objectName),
 		fmt.Sprintf("SFTPGO_PROVIDER_USERNAME=%s", executor),
--- a/internal/dataprovider/admin.go
+++ b/internal/dataprovider/admin.go
@ -20,6 +20,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"slices"
 	"strconv"
 	"strings"

@ -44,19 +45,12 @@ const (
 	PermAdminViewConnections  = "view_conns"
 	PermAdminCloseConnections = "close_conns"
 	PermAdminViewServerStatus = "view_status"
-	PermAdminManageAdmins     = "manage_admins"
 	PermAdminManageGroups     = "manage_groups"
 	PermAdminManageFolders    = "manage_folders"
-	PermAdminManageAPIKeys    = "manage_apikeys"
 	PermAdminQuotaScans       = "quota_scans"
-	PermAdminManageSystem     = "manage_system"
 	PermAdminManageDefender   = "manage_defender"
 	PermAdminViewDefender     = "view_defender"
-	PermAdminRetentionChecks  = "retention_checks"
 	PermAdminViewEvents       = "view_events"
-	PermAdminManageEventRules = "manage_event_rules"
-	PermAdminManageRoles      = "manage_roles"
-	PermAdminManageIPLists    = "manage_ip_lists"
 	PermAdminDisableMFA       = "disable_mfa"
 )

@ -72,12 +66,9 @@ const (
 var (
 	validAdminPerms = []string{PermAdminAny, PermAdminAddUsers, PermAdminChangeUsers, PermAdminDeleteUsers,
 		PermAdminViewUsers, PermAdminManageFolders, PermAdminManageGroups, PermAdminViewConnections,
-		PermAdminCloseConnections, PermAdminViewServerStatus, PermAdminManageAdmins, PermAdminManageRoles,
-		PermAdminManageEventRules, PermAdminManageAPIKeys, PermAdminQuotaScans, PermAdminManageSystem,
-		PermAdminManageDefender, PermAdminViewDefender, PermAdminManageIPLists, PermAdminRetentionChecks,
-		PermAdminViewEvents, PermAdminDisableMFA}
-	forbiddenPermsForRoleAdmins = []string{PermAdminAny, PermAdminManageAdmins, PermAdminManageSystem,
-		PermAdminManageEventRules, PermAdminManageIPLists, PermAdminManageRoles}
+		PermAdminCloseConnections, PermAdminViewServerStatus, PermAdminQuotaScans,
+		PermAdminManageDefender, PermAdminViewDefender, PermAdminViewEvents, PermAdminDisableMFA}
+	forbiddenPermsForRoleAdmins = []string{PermAdminAny}
 )

 // AdminTOTPConfig defines the time-based one time password configuration
@ -96,7 +87,7 @@ func (c *AdminTOTPConfig) validate(username string) error {
 	if c.ConfigName == "" {
 		return util.NewValidationError("totp: config name is mandatory")
 	}
-	if !util.Contains(mfa.GetAvailableTOTPConfigNames(), c.ConfigName) {
+	if !slices.Contains(mfa.GetAvailableTOTPConfigNames(), c.ConfigName) {
 		return util.NewValidationError(fmt.Sprintf("totp: config name %q not found", c.ConfigName))
 	}
 	if c.Secret.IsEmpty() {
@ -265,12 +256,7 @@ type Admin struct {
 	// Last login as unix timestamp in milliseconds
 	LastLogin int64 `json:"last_login"`
 	// Role name. If set the admin can only administer users with the same role.
-	// Role admins cannot have the following permissions:
-	// - manage_admins
-	// - manage_apikeys
-	// - manage_system
-	// - manage_event_rules
-	// - manage_roles
+	// Role admins cannot be super administrators
 	Role string `json:"role,omitempty"`
 }

@ -337,22 +323,18 @@ func (a *Admin) validatePermissions() error {
 			util.I18nErrorPermissionsRequired,
 		)
 	}
-	if util.Contains(a.Permissions, PermAdminAny) {
+	if slices.Contains(a.Permissions, PermAdminAny) {
 		a.Permissions = []string{PermAdminAny}
 	}
 	for _, perm := range a.Permissions {
-		if !util.Contains(validAdminPerms, perm) {
+		if !slices.Contains(validAdminPerms, perm) {
 			return util.NewValidationError(fmt.Sprintf("invalid permission: %q", perm))
 		}
 		if a.Role != "" {
-			if util.Contains(forbiddenPermsForRoleAdmins, perm) {
-				deniedPerms := strings.Join(forbiddenPermsForRoleAdmins, ",")
+			if slices.Contains(forbiddenPermsForRoleAdmins, perm) {
 				return util.NewI18nError(
-					util.NewValidationError(fmt.Sprintf("a role admin cannot have the following permissions: %q", deniedPerms)),
+					util.NewValidationError("a role admin cannot be a super admin"),
 					util.I18nErrorRoleAdminPerms,
-					util.I18nErrorArgs(map[string]any{
-						"val": deniedPerms,
-					}),
 				)
 			}
 		}
@ -559,10 +541,20 @@ func (a *Admin) SetNilSecretsIfEmpty() {

 // HasPermission returns true if the admin has the specified permission
 func (a *Admin) HasPermission(perm string) bool {
-	if util.Contains(a.Permissions, PermAdminAny) {
+	if slices.Contains(a.Permissions, PermAdminAny) {
 		return true
 	}
-	return util.Contains(a.Permissions, perm)
+	return slices.Contains(a.Permissions, perm)
+}
+
+// HasPermissions returns true if the admin has all the specified permissions
+func (a *Admin) HasPermissions(perms ...string) bool {
+	for _, perm := range perms {
+		if !a.HasPermission(perm) {
+			return false
+		}
+	}
+	return len(perms) > 0
 }

 // GetAllowedIPAsString returns the allowed IP as comma separated string
--- a/internal/dataprovider/bolt.go
+++ b/internal/dataprovider/bolt.go
@ -25,7 +25,9 @@ import (
 	"fmt"
 	"net/netip"
 	"path/filepath"
+	"slices"
 	"sort"
+	"strconv"
 	"time"

 	bolt "go.etcd.io/bbolt"
@ -181,6 +183,50 @@ func (p *BoltProvider) updateAPIKeyLastUse(keyID string) error {
 	})
 }

+func (p *BoltProvider) getAdminSignature(username string) (string, error) {
+	var updatedAt int64
+	err := p.dbHandle.View(func(tx *bolt.Tx) error {
+		bucket, err := p.getAdminsBucket(tx)
+		if err != nil {
+			return err
+		}
+		u := bucket.Get([]byte(username))
+		var admin Admin
+		err = json.Unmarshal(u, &admin)
+		if err != nil {
+			return err
+		}
+		updatedAt = admin.UpdatedAt
+		return nil
+	})
+	if err != nil {
+		return "", err
+	}
+	return strconv.FormatInt(updatedAt, 10), nil
+}
+
+func (p *BoltProvider) getUserSignature(username string) (string, error) {
+	var updatedAt int64
+	err := p.dbHandle.View(func(tx *bolt.Tx) error {
+		bucket, err := p.getUsersBucket(tx)
+		if err != nil {
+			return err
+		}
+		u := bucket.Get([]byte(username))
+		var user User
+		err = json.Unmarshal(u, &user)
+		if err != nil {
+			return err
+		}
+		updatedAt = user.UpdatedAt
+		return nil
+	})
+	if err != nil {
+		return "", err
+	}
+	return strconv.FormatInt(updatedAt, 10), nil
+}
+
 func (p *BoltProvider) setUpdatedAt(username string) {
 	p.dbHandle.Update(func(tx *bolt.Tx) error { //nolint:errcheck
 		bucket, err := p.getUsersBucket(tx)
@ -3134,15 +3180,11 @@ func (p *BoltProvider) migrateDatabase() error {
 	case version == boltDatabaseVersion:
 		providerLog(logger.LevelDebug, "bolt database is up to date, current version: %d", version)
 		return ErrNoInitRequired
-	case version < 28:
-		err = fmt.Errorf("database schema version %d is too old, please see the upgrading docs", version)
+	case version < 29:
+		err = errSchemaVersionTooOld(version)
 		providerLog(logger.LevelError, "%v", err)
 		logger.ErrorToConsole("%v", err)
 		return err
-	case version == 28:
-		logger.InfoToConsole("updating database schema version: %d -> 29", version)
-		providerLog(logger.LevelInfo, "updating database schema version: %d -> 29", version)
-		return updateBoltDatabaseVersion(p.dbHandle, 29)
 	default:
 		if version > boltDatabaseVersion {
 			providerLog(logger.LevelError, "database schema version %d is newer than the supported one: %d", version,
@ -3164,10 +3206,6 @@ func (p *BoltProvider) revertDatabase(targetVersion int) error { //nolint:gocycl
 		return errors.New("current version match target version, nothing to do")
 	}
 	switch dbVersion.Version {
-	case 29:
-		logger.InfoToConsole("downgrading database schema version: %d -> 28", dbVersion.Version)
-		providerLog(logger.LevelInfo, "downgrading database schema version: %d -> 28", dbVersion.Version)
-		return updateBoltDatabaseVersion(p.dbHandle, 28)
 	default:
 		return fmt.Errorf("database schema version not handled: %v", dbVersion.Version)
 	}
@ -3328,7 +3366,7 @@ func (p *BoltProvider) addAdminToRole(username, roleName string, bucket *bolt.Bu
 	if err != nil {
 		return err
 	}
-	if !util.Contains(role.Admins, username) {
+	if !slices.Contains(role.Admins, username) {
 		role.Admins = append(role.Admins, username)
 		buf, err := json.Marshal(role)
 		if err != nil {
@ -3353,7 +3391,7 @@ func (p *BoltProvider) removeAdminFromRole(username, roleName string, bucket *bo
 	if err != nil {
 		return err
 	}
-	if util.Contains(role.Admins, username) {
+	if slices.Contains(role.Admins, username) {
 		var admins []string
 		for _, admin := range role.Admins {
 			if admin != username {
@ -3383,7 +3421,7 @@ func (p *BoltProvider) addUserToRole(username, roleName string, bucket *bolt.Buc
 	if err != nil {
 		return err
 	}
-	if !util.Contains(role.Users, username) {
+	if !slices.Contains(role.Users, username) {
 		role.Users = append(role.Users, username)
 		buf, err := json.Marshal(role)
 		if err != nil {
@ -3408,7 +3446,7 @@ func (p *BoltProvider) removeUserFromRole(username, roleName string, bucket *bol
 	if err != nil {
 		return err
 	}
-	if util.Contains(role.Users, username) {
+	if slices.Contains(role.Users, username) {
 		var users []string
 		for _, user := range role.Users {
 			if user != username {
@ -3436,7 +3474,7 @@ func (p *BoltProvider) addRuleToActionMapping(ruleName, actionName string, bucke
 	if err != nil {
 		return err
 	}
-	if !util.Contains(action.Rules, ruleName) {
+	if !slices.Contains(action.Rules, ruleName) {
 		action.Rules = append(action.Rules, ruleName)
 		buf, err := json.Marshal(action)
 		if err != nil {
@ -3458,7 +3496,7 @@ func (p *BoltProvider) removeRuleFromActionMapping(ruleName, actionName string,
 	if err != nil {
 		return err
 	}
-	if util.Contains(action.Rules, ruleName) {
+	if slices.Contains(action.Rules, ruleName) {
 		var rules []string
 		for _, r := range action.Rules {
 			if r != ruleName {
@ -3485,7 +3523,7 @@ func (p *BoltProvider) addUserToGroupMapping(username, groupname string, bucket
 	if err != nil {
 		return err
 	}
-	if !util.Contains(group.Users, username) {
+	if !slices.Contains(group.Users, username) {
 		group.Users = append(group.Users, username)
 		buf, err := json.Marshal(group)
 		if err != nil {
@ -3530,7 +3568,7 @@ func (p *BoltProvider) addAdminToGroupMapping(username, groupname string, bucket
 	if err != nil {
 		return err
 	}
-	if !util.Contains(group.Admins, username) {
+	if !slices.Contains(group.Admins, username) {
 		group.Admins = append(group.Admins, username)
 		buf, err := json.Marshal(group)
 		if err != nil {
@ -3601,11 +3639,11 @@ func (p *BoltProvider) addRelationToFolderMapping(folderName string, user *User,
 		return err
 	}
 	updated := false
-	if user != nil && !util.Contains(folder.Users, user.Username) {
+	if user != nil && !slices.Contains(folder.Users, user.Username) {
 		folder.Users = append(folder.Users, user.Username)
 		updated = true
 	}
-	if group != nil && !util.Contains(folder.Groups, group.Name) {
+	if group != nil && !slices.Contains(folder.Groups, group.Name) {
 		folder.Groups = append(folder.Groups, group.Name)
 		updated = true
 	}
@ -3899,7 +3937,7 @@ func getBoltDatabaseVersion(dbHandle *bolt.DB) (schemaVersion, error) {
 		v := bucket.Get(dbVersionKey)
 		if v == nil {
 			dbVersion = schemaVersion{
-				Version: 28,
+				Version: 29,
 			}
 			return nil
 		}
@ -3908,7 +3946,7 @@ func getBoltDatabaseVersion(dbHandle *bolt.DB) (schemaVersion, error) {
 	return dbVersion, err
 }

-func updateBoltDatabaseVersion(dbHandle *bolt.DB, version int) error {
+/*func updateBoltDatabaseVersion(dbHandle *bolt.DB, version int) error {
 	err := dbHandle.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket(dbVersionBucket)
 		if bucket == nil {
@ -3924,4 +3962,4 @@ func updateBoltDatabaseVersion(dbHandle *bolt.DB, version int) error {
 		return bucket.Put(dbVersionKey, buf)
 	})
 	return err
-}
+}*/
--- a/internal/dataprovider/configs.go
+++ b/internal/dataprovider/configs.go
@ -15,8 +15,12 @@
 package dataprovider

 import (
+	"bytes"
 	"encoding/json"
 	"fmt"
+	"image/png"
+	"net/url"
+	"slices"

 	"golang.org/x/crypto/ssh"

@ -102,7 +106,7 @@ func (c *SFTPDConfigs) validate() error {
 		if algo == ssh.CertAlgoRSAv01 {
 			continue
 		}
-		if !util.Contains(supportedHostKeyAlgos, algo) {
+		if !slices.Contains(supportedHostKeyAlgos, algo) {
 			return util.NewValidationError(fmt.Sprintf("unsupported host key algorithm %q", algo))
 		}
 		hostKeyAlgos = append(hostKeyAlgos, algo)
@ -113,24 +117,24 @@ func (c *SFTPDConfigs) validate() error {
 		if algo == "diffie-hellman-group18-sha512" || algo == ssh.KeyExchangeDHGEXSHA256 {
 			continue
 		}
-		if !util.Contains(supportedKexAlgos, algo) {
+		if !slices.Contains(supportedKexAlgos, algo) {
 			return util.NewValidationError(fmt.Sprintf("unsupported KEX algorithm %q", algo))
 		}
 		kexAlgos = append(kexAlgos, algo)
 	}
 	c.KexAlgorithms = kexAlgos
 	for _, cipher := range c.Ciphers {
-		if !util.Contains(supportedCiphers, cipher) {
+		if !slices.Contains(supportedCiphers, cipher) {
 			return util.NewValidationError(fmt.Sprintf("unsupported cipher %q", cipher))
 		}
 	}
 	for _, mac := range c.MACs {
-		if !util.Contains(supportedMACs, mac) {
+		if !slices.Contains(supportedMACs, mac) {
 			return util.NewValidationError(fmt.Sprintf("unsupported MAC algorithm %q", mac))
 		}
 	}
 	for _, algo := range c.PublicKeyAlgos {
-		if !util.Contains(supportedPublicKeyAlgos, algo) {
+		if !slices.Contains(supportedPublicKeyAlgos, algo) {
 			return util.NewValidationError(fmt.Sprintf("unsupported public key algorithm %q", algo))
 		}
 	}
@ -193,19 +197,19 @@ func (c *SMTPOAuth2) validate() error {
 	if c.ClientID == "" {
 		return util.NewI18nError(
 			util.NewValidationError("smtp oauth2: client id is required"),
-			util.I18nErrorSMTPClientIDRequired,
+			util.I18nErrorClientIDRequired,
 		)
 	}
-	if c.ClientSecret == nil {
+	if c.ClientSecret == nil || c.ClientSecret.IsEmpty() {
 		return util.NewI18nError(
 			util.NewValidationError("smtp oauth2: client secret is required"),
-			util.I18nErrorSMTPClientSecretRequired,
+			util.I18nErrorClientSecretRequired,
 		)
 	}
-	if c.RefreshToken == nil {
+	if c.RefreshToken == nil || c.RefreshToken.IsEmpty() {
 		return util.NewI18nError(
 			util.NewValidationError("smtp oauth2: refresh token is required"),
-			util.I18nErrorSMTPRefreshTokenRequired,
+			util.I18nErrorRefreshTokenRequired,
 		)
 	}
 	if err := validateSMTPSecret(c.ClientSecret, "oauth2 client secret"); err != nil {
@ -305,6 +309,27 @@ func (c *SMTPConfigs) TryDecrypt() error {
 	return nil
 }

+func (c *SMTPConfigs) prepareForRendering() {
+	if c.Password != nil {
+		c.Password.Hide()
+		if c.Password.IsEmpty() {
+			c.Password = nil
+		}
+	}
+	if c.OAuth2.ClientSecret != nil {
+		c.OAuth2.ClientSecret.Hide()
+		if c.OAuth2.ClientSecret.IsEmpty() {
+			c.OAuth2.ClientSecret = nil
+		}
+	}
+	if c.OAuth2.RefreshToken != nil {
+		c.OAuth2.RefreshToken.Hide()
+		if c.OAuth2.RefreshToken.IsEmpty() {
+			c.OAuth2.RefreshToken = nil
+		}
+	}
+}
+
 func (c *SMTPConfigs) getACopy() *SMTPConfigs {
 	var password *kms.Secret
 	if c.Password != nil {
@ -387,13 +412,137 @@ func (c *ACMEConfigs) getACopy() *ACMEConfigs {
 	}
 }

+// BrandingConfig defines the branding configuration
+type BrandingConfig struct {
+	Name           string `json:"name"`
+	ShortName      string `json:"short_name"`
+	Logo           []byte `json:"logo"`
+	Favicon        []byte `json:"favicon"`
+	DisclaimerName string `json:"disclaimer_name"`
+	DisclaimerURL  string `json:"disclaimer_url"`
+}
+
+func (c *BrandingConfig) isEmpty() bool {
+	if c.Name != "" {
+		return false
+	}
+	if c.ShortName != "" {
+		return false
+	}
+	if len(c.Logo) > 0 {
+		return false
+	}
+	if len(c.Favicon) > 0 {
+		return false
+	}
+	if c.DisclaimerName != "" && c.DisclaimerURL != "" {
+		return false
+	}
+	return true
+}
+
+func (*BrandingConfig) validatePNG(b []byte, maxWidth, maxHeight int) error {
+	if len(b) == 0 {
+		return nil
+	}
+	// DecodeConfig is more efficient, but I'm not sure if this would lead to
+	// accepting invalid images in some edge cases and performance does not
+	// matter here.
+	img, err := png.Decode(bytes.NewBuffer(b))
+	if err != nil {
+		return util.NewI18nError(
+			util.NewValidationError("invalid PNG image"),
+			util.I18nErrorInvalidPNG,
+		)
+	}
+	bounds := img.Bounds()
+	if bounds.Dx() > maxWidth || bounds.Dy() > maxHeight {
+		return util.NewI18nError(
+			util.NewValidationError("invalid PNG image size"),
+			util.I18nErrorInvalidPNGSize,
+		)
+	}
+	return nil
+}
+
+func (c *BrandingConfig) validateDisclaimerURL() error {
+	if c.DisclaimerURL == "" {
+		return nil
+	}
+	u, err := url.Parse(c.DisclaimerURL)
+	if err != nil {
+		return util.NewI18nError(
+			util.NewValidationError("invalid disclaimer URL"),
+			util.I18nErrorInvalidDisclaimerURL,
+		)
+	}
+	if u.Scheme != "http" && u.Scheme != "https" {
+		return util.NewI18nError(
+			util.NewValidationError("invalid disclaimer URL scheme"),
+			util.I18nErrorInvalidDisclaimerURL,
+		)
+	}
+	return nil
+}
+
+func (c *BrandingConfig) validate() error {
+	if err := c.validateDisclaimerURL(); err != nil {
+		return err
+	}
+	if err := c.validatePNG(c.Logo, 512, 512); err != nil {
+		return err
+	}
+	return c.validatePNG(c.Favicon, 256, 256)
+}
+
+func (c *BrandingConfig) getACopy() BrandingConfig {
+	logo := make([]byte, len(c.Logo))
+	copy(logo, c.Logo)
+	favicon := make([]byte, len(c.Favicon))
+	copy(favicon, c.Favicon)
+
+	return BrandingConfig{
+		Name:           c.Name,
+		ShortName:      c.ShortName,
+		Logo:           logo,
+		Favicon:        favicon,
+		DisclaimerName: c.DisclaimerName,
+		DisclaimerURL:  c.DisclaimerURL,
+	}
+}
+
+// BrandingConfigs defines the branding configuration for WebAdmin and WebClient UI
+type BrandingConfigs struct {
+	WebAdmin  BrandingConfig
+	WebClient BrandingConfig
+}
+
+func (c *BrandingConfigs) isEmpty() bool {
+	return c.WebAdmin.isEmpty() && c.WebClient.isEmpty()
+}
+
+func (c *BrandingConfigs) validate() error {
+	if err := c.WebAdmin.validate(); err != nil {
+		return err
+	}
+	return c.WebClient.validate()
+}
+
+func (c *BrandingConfigs) getACopy() *BrandingConfigs {
+	return &BrandingConfigs{
+		WebAdmin:  c.WebAdmin.getACopy(),
+		WebClient: c.WebClient.getACopy(),
+	}
+}
+
 // Configs allows to set configuration keys disabled by default without
 // modifying the config file or setting env vars
 type Configs struct {
-	SFTPD     *SFTPDConfigs `json:"sftpd,omitempty"`
-	SMTP      *SMTPConfigs  `json:"smtp,omitempty"`
-	ACME      *ACMEConfigs  `json:"acme,omitempty"`
-	UpdatedAt int64         `json:"updated_at,omitempty"`
+	SFTPD     *SFTPDConfigs    `json:"sftpd,omitempty"`
+	SMTP      *SMTPConfigs     `json:"smtp,omitempty"`
+	ACME      *ACMEConfigs     `json:"acme,omitempty"`
+	Branding  *BrandingConfigs `json:"branding,omitempty"`
+	UpdatedAt int64            `json:"updated_at,omitempty"`
 }

 func (c *Configs) validate() error {
@ -412,6 +561,11 @@ func (c *Configs) validate() error {
 			return err
 		}
 	}
+	if c.Branding != nil {
+		if err := c.Branding.validate(); err != nil {
+			return err
+		}
+	}
 	return nil
 }

@ -428,25 +582,11 @@ func (c *Configs) PrepareForRendering() {
 	if c.ACME != nil && c.ACME.isEmpty() {
 		c.ACME = nil
 	}
+	if c.Branding != nil && c.Branding.isEmpty() {
+		c.Branding = nil
+	}
 	if c.SMTP != nil {
-		if c.SMTP.Password != nil {
-			c.SMTP.Password.Hide()
-			if c.SMTP.Password.IsEmpty() {
-				c.SMTP.Password = nil
-			}
-		}
-		if c.SMTP.OAuth2.ClientSecret != nil {
-			c.SMTP.OAuth2.ClientSecret.Hide()
-			if c.SMTP.OAuth2.ClientSecret.IsEmpty() {
-				c.SMTP.OAuth2.ClientSecret = nil
-			}
-		}
-		if c.SMTP.OAuth2.RefreshToken != nil {
-			c.SMTP.OAuth2.RefreshToken.Hide()
-			if c.SMTP.OAuth2.RefreshToken.IsEmpty() {
-				c.SMTP.OAuth2.RefreshToken = nil
-			}
-		}
+		c.SMTP.prepareForRendering()
 	}
 }

@ -470,6 +610,9 @@ func (c *Configs) SetNilsToEmpty() {
 	if c.ACME == nil {
 		c.ACME = &ACMEConfigs{}
 	}
+	if c.Branding == nil {
+		c.Branding = &BrandingConfigs{}
+	}
 }

 // RenderAsJSON implements the renderer interface used within plugins
@ -498,6 +641,9 @@ func (c *Configs) getACopy() Configs {
 	if c.ACME != nil {
 		result.ACME = c.ACME.getACopy()
 	}
+	if c.Branding != nil {
+		result.Branding = c.Branding.getACopy()
+	}
 	result.UpdatedAt = c.UpdatedAt
 	return result
 }
--- a/internal/dataprovider/dataprovider.go
+++ b/internal/dataprovider/dataprovider.go
@ -44,6 +44,7 @@ import (
 	"path/filepath"
 	"regexp"
 	"runtime"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@ -187,6 +188,7 @@ var (
 	ErrDuplicatedKey = errors.New("duplicated key not allowed")
 	// ErrForeignKeyViolated occurs when there is a foreign key constraint violation
 	ErrForeignKeyViolated   = errors.New("violates foreign key constraint")
+	tz                      = ""
 	isAdminCreated          atomic.Bool
 	validTLSUsernames       = []string{string(sdk.TLSUsernameNone), string(sdk.TLSUsernameCN)}
 	config                  Config
@ -518,7 +520,7 @@ type Config struct {
 // GetShared returns the provider share mode.
 // This method is called before the provider is initialized
 func (c *Config) GetShared() int {
-	if !util.Contains(sharedProviders, c.Driver) {
+	if !slices.Contains(sharedProviders, c.Driver) {
 		return 0
 	}
 	return c.IsShared
@ -590,6 +592,16 @@ func (c *Config) doBackup() (string, error) {
 	return outputFile, nil
 }

+// SetTZ sets the configured timezone.
+func SetTZ(val string) {
+	tz = val
+}
+
+// UseLocalTime returns true if local time should be used instead of UTC.
+func UseLocalTime() bool {
+	return tz == "local"
+}
+
 // ExecuteBackup executes a backup
 func ExecuteBackup() (string, error) {
 	return config.doBackup()
@ -759,6 +771,8 @@ type Provider interface {
 	updateLastLogin(username string) error
 	updateAdminLastLogin(username string) error
 	setUpdatedAt(username string)
+	getAdminSignature(username string) (string, error)
+	getUserSignature(username string) (string, error)
 	getFolders(limit, offset int, order string, minimal bool) ([]vfs.BaseVirtualFolder, error)
 	getFolderByName(name string) (vfs.BaseVirtualFolder, error)
 	addFolder(folder *vfs.BaseVirtualFolder) error
@ -874,7 +888,7 @@ func SetTempPath(fsPath string) {
 }

 func checkSharedMode() {
-	if !util.Contains(sharedProviders, config.Driver) {
+	if !slices.Contains(sharedProviders, config.Driver) {
 		config.IsShared = 0
 	}
 }
@ -929,12 +943,13 @@ func checkDatabase(checkAdmins bool) error {
 	if config.UpdateMode == 0 {
 		err := provider.initializeDatabase()
 		if err != nil && err != ErrNoInitRequired {
-			logger.WarnToConsole("Unable to initialize data provider: %v", err)
-			providerLog(logger.LevelError, "Unable to initialize data provider: %v", err)
+			logger.WarnToConsole("unable to initialize data provider: %v", err)
+			providerLog(logger.LevelError, "unable to initialize data provider: %v", err)
 			return err
 		}
 		if err == nil {
-			logger.DebugToConsole("Data provider successfully initialized")
+			logger.DebugToConsole("data provider successfully initialized")
+			providerLog(logger.LevelInfo, "data provider successfully initialized")
 		}
 		err = provider.migrateDatabase()
 		if err != nil && err != ErrNoInitRequired {
@ -1503,6 +1518,15 @@ func UpdateUserQuota(user *User, filesAdd int, sizeAdd int64, reset bool) error
 	return nil
 }

+// UpdateUserFolderQuota updates the quota for the given user and virtual folder.
+func UpdateUserFolderQuota(folder *vfs.VirtualFolder, user *User, filesAdd int, sizeAdd int64, reset bool) {
+	if folder.IsIncludedInUserQuota() {
+		UpdateUserQuota(user, filesAdd, sizeAdd, reset) //nolint:errcheck
+		return
+	}
+	UpdateVirtualFolderQuota(&folder.BaseVirtualFolder, filesAdd, sizeAdd, reset) //nolint:errcheck
+}
+
 // UpdateVirtualFolderQuota updates the quota for the given virtual folder adding filesAdd and sizeAdd.
 // If reset is true filesAdd and sizeAdd indicates the total files and the total size instead of the difference.
 func UpdateVirtualFolderQuota(vfolder *vfs.BaseVirtualFolder, filesAdd int, sizeAdd int64, reset bool) error {
@ -1693,7 +1717,7 @@ func IPListEntryExists(ipOrNet string, listType IPListType) (IPListEntry, error)

 // GetIPListEntries returns the IP list entries applying the specified criteria and search limit
 func GetIPListEntries(listType IPListType, filter, from, order string, limit int) ([]IPListEntry, error) {
-	if !util.Contains(supportedIPListType, listType) {
+	if !slices.Contains(supportedIPListType, listType) {
 		return nil, util.NewValidationError(fmt.Sprintf("invalid list type %d", listType))
 	}
 	return provider.getIPListEntries(listType, filter, from, order, limit)
@ -2064,6 +2088,20 @@ func UserExists(username, role string) (User, error) {
 	return provider.userExists(username, role)
 }

+// GetAdminSignature returns the signature for the admin with the specified
+// username.
+func GetAdminSignature(username string) (string, error) {
+	username = config.convertName(username)
+	return provider.getAdminSignature(username)
+}
+
+// GetUserSignature returns the signature for the user with the specified
+// username.
+func GetUserSignature(username string) (string, error) {
+	username = config.convertName(username)
+	return provider.getUserSignature(username)
+}
+
 // GetUserWithGroupSettings tries to return the user with the specified username
 // loading also the group settings
 func GetUserWithGroupSettings(username, role string) (User, error) {
@ -2352,7 +2390,7 @@ func GetFolders(limit, offset int, order string, minimal bool) ([]vfs.BaseVirtua
 }

 func dumpUsers(data *BackupData, scopes []string) error {
-	if len(scopes) == 0 || util.Contains(scopes, DumpScopeUsers) {
+	if len(scopes) == 0 || slices.Contains(scopes, DumpScopeUsers) {
 		users, err := provider.dumpUsers()
 		if err != nil {
 			return err
@ -2363,7 +2401,7 @@ func dumpUsers(data *BackupData, scopes []string) error {
 }

 func dumpFolders(data *BackupData, scopes []string) error {
-	if len(scopes) == 0 || util.Contains(scopes, DumpScopeFolders) {
+	if len(scopes) == 0 || slices.Contains(scopes, DumpScopeFolders) {
 		folders, err := provider.dumpFolders()
 		if err != nil {
 			return err
@ -2374,7 +2412,7 @@ func dumpFolders(data *BackupData, scopes []string) error {
 }

 func dumpGroups(data *BackupData, scopes []string) error {
-	if len(scopes) == 0 || util.Contains(scopes, DumpScopeGroups) {
+	if len(scopes) == 0 || slices.Contains(scopes, DumpScopeGroups) {
 		groups, err := provider.dumpGroups()
 		if err != nil {
 			return err
@ -2385,7 +2423,7 @@ func dumpGroups(data *BackupData, scopes []string) error {
 }

 func dumpAdmins(data *BackupData, scopes []string) error {
-	if len(scopes) == 0 || util.Contains(scopes, DumpScopeAdmins) {
+	if len(scopes) == 0 || slices.Contains(scopes, DumpScopeAdmins) {
 		admins, err := provider.dumpAdmins()
 		if err != nil {
 			return err
@ -2396,7 +2434,7 @@ func dumpAdmins(data *BackupData, scopes []string) error {
 }

 func dumpAPIKeys(data *BackupData, scopes []string) error {
-	if len(scopes) == 0 || util.Contains(scopes, DumpScopeAPIKeys) {
+	if len(scopes) == 0 || slices.Contains(scopes, DumpScopeAPIKeys) {
 		apiKeys, err := provider.dumpAPIKeys()
 		if err != nil {
 			return err
@ -2407,7 +2445,7 @@ func dumpAPIKeys(data *BackupData, scopes []string) error {
 }

 func dumpShares(data *BackupData, scopes []string) error {
-	if len(scopes) == 0 || util.Contains(scopes, DumpScopeShares) {
+	if len(scopes) == 0 || slices.Contains(scopes, DumpScopeShares) {
 		shares, err := provider.dumpShares()
 		if err != nil {
 			return err
@ -2418,7 +2456,7 @@ func dumpShares(data *BackupData, scopes []string) error {
 }

 func dumpActions(data *BackupData, scopes []string) error {
-	if len(scopes) == 0 || util.Contains(scopes, DumpScopeActions) {
+	if len(scopes) == 0 || slices.Contains(scopes, DumpScopeActions) {
 		actions, err := provider.dumpEventActions()
 		if err != nil {
 			return err
@ -2429,7 +2467,7 @@ func dumpActions(data *BackupData, scopes []string) error {
 }

 func dumpRules(data *BackupData, scopes []string) error {
-	if len(scopes) == 0 || util.Contains(scopes, DumpScopeRules) {
+	if len(scopes) == 0 || slices.Contains(scopes, DumpScopeRules) {
 		rules, err := provider.dumpEventRules()
 		if err != nil {
 			return err
@ -2440,7 +2478,7 @@ func dumpRules(data *BackupData, scopes []string) error {
 }

 func dumpRoles(data *BackupData, scopes []string) error {
-	if len(scopes) == 0 || util.Contains(scopes, DumpScopeRoles) {
+	if len(scopes) == 0 || slices.Contains(scopes, DumpScopeRoles) {
 		roles, err := provider.dumpRoles()
 		if err != nil {
 			return err
@ -2451,7 +2489,7 @@ func dumpRoles(data *BackupData, scopes []string) error {
 }

 func dumpIPLists(data *BackupData, scopes []string) error {
-	if len(scopes) == 0 || util.Contains(scopes, DumpScopeIPLists) {
+	if len(scopes) == 0 || slices.Contains(scopes, DumpScopeIPLists) {
 		ipLists, err := provider.dumpIPListEntries()
 		if err != nil {
 			return err
@ -2462,7 +2500,7 @@ func dumpIPLists(data *BackupData, scopes []string) error {
 }

 func dumpConfigs(data *BackupData, scopes []string) error {
-	if len(scopes) == 0 || util.Contains(scopes, DumpScopeConfigs) {
+	if len(scopes) == 0 || slices.Contains(scopes, DumpScopeConfigs) {
 		configs, err := provider.getConfigs()
 		if err != nil {
 			return err
@ -2568,9 +2606,8 @@ func createProvider(basePath string) error {
 		return initializeBoltProvider(basePath)
 	case MemoryDataProviderName:
 		if err := initializeMemoryProvider(basePath); err != nil {
-			msg := fmt.Sprintf("provider initialized but data loading failed: %v", err)
-			logger.Warn(logSender, "", msg)
-			logger.WarnToConsole(msg)
+			logger.Warn(logSender, "", "provider initialized but data loading failed: %v", err)
+			logger.WarnToConsole("provider initialized but data loading failed: %v", err)
 		}
 		return nil
 	default:
@ -2766,7 +2803,7 @@ func validateUserTOTPConfig(c *UserTOTPConfig, username string) error {
 	if c.ConfigName == "" {
 		return util.NewValidationError("totp: config name is mandatory")
 	}
-	if !util.Contains(mfa.GetAvailableTOTPConfigNames(), c.ConfigName) {
+	if !slices.Contains(mfa.GetAvailableTOTPConfigNames(), c.ConfigName) {
 		return util.NewValidationError(fmt.Sprintf("totp: config name %q not found", c.ConfigName))
 	}
 	if c.Secret.IsEmpty() {
@ -2782,7 +2819,7 @@ func validateUserTOTPConfig(c *UserTOTPConfig, username string) error {
 		return util.NewValidationError("totp: specify at least one protocol")
 	}
 	for _, protocol := range c.Protocols {
-		if !util.Contains(MFAProtocols, protocol) {
+		if !slices.Contains(MFAProtocols, protocol) {
 			return util.NewValidationError(fmt.Sprintf("totp: invalid protocol %q", protocol))
 		}
 	}
@ -2815,7 +2852,7 @@ func validateUserPermissions(permsToCheck map[string][]string) (map[string][]str
 			return permissions, util.NewValidationError("invalid permissions")
 		}
 		for _, p := range perms {
-			if !util.Contains(ValidPerms, p) {
+			if !slices.Contains(ValidPerms, p) {
 				return permissions, util.NewValidationError(fmt.Sprintf("invalid permission: %q", p))
 			}
 		}
@ -2829,7 +2866,7 @@ func validateUserPermissions(permsToCheck map[string][]string) (map[string][]str
 		if dir != cleanedDir && cleanedDir == "/" {
 			return permissions, util.NewValidationError(fmt.Sprintf("cannot set permissions for invalid subdirectory: %q is an alias for \"/\"", dir))
 		}
-		if util.Contains(perms, PermAny) {
+		if slices.Contains(perms, PermAny) {
 			permissions[cleanedDir] = []string{PermAny}
 		} else {
 			permissions[cleanedDir] = util.RemoveDuplicates(perms, false)
@ -2870,11 +2907,18 @@ func validatePublicKeys(user *User) error {
 				util.I18nErrorPubKeyInvalid,
 			)
 		}
+		if out.Type() == ssh.InsecureKeyAlgoDSA {
+			providerLog(logger.LevelError, "dsa public key not accepted, position: %d", idx)
+			return util.NewI18nError(
+				util.NewValidationError(fmt.Sprintf("DSA key format is insecure and it is not allowed for key at position %d", idx)),
+				util.I18nErrorKeyInsecure,
+			)
+		}
 		if k, ok := out.(ssh.CryptoPublicKey); ok {
 			cryptoKey := k.CryptoPublicKey()
 			if rsaKey, ok := cryptoKey.(*rsa.PublicKey); ok {
 				if size := rsaKey.N.BitLen(); size < 2048 {
-					providerLog(logger.LevelError, "rsa key with size %d not accepted, minimum 2048", size)
+					providerLog(logger.LevelError, "rsa key with size %d at position %d not accepted, minimum 2048", size, idx)
 					return util.NewI18nError(
 						util.NewValidationError(fmt.Sprintf("invalid size %d for rsa key at position %d, minimum 2048",
 							size, idx)),
@ -2905,7 +2949,7 @@ func validateFiltersPatternExtensions(baseFilters *sdk.BaseUserFilters) error {
 				util.I18nErrorFilePatternPathInvalid,
 			)
 		}
-		if util.Contains(filteredPaths, cleanedPath) {
+		if slices.Contains(filteredPaths, cleanedPath) {
 			return util.NewI18nError(
 				util.NewValidationError(fmt.Sprintf("duplicate file patterns filter for path %q", f.Path)),
 				util.I18nErrorFilePatternDuplicated,
@ -3024,13 +3068,13 @@ func validateFilterProtocols(filters *sdk.BaseUserFilters) error {
 		return util.NewValidationError("invalid denied_protocols")
 	}
 	for _, p := range filters.DeniedProtocols {
-		if !util.Contains(ValidProtocols, p) {
+		if !slices.Contains(ValidProtocols, p) {
 			return util.NewValidationError(fmt.Sprintf("invalid denied protocol %q", p))
 		}
 	}

 	for _, p := range filters.TwoFactorAuthProtocols {
-		if !util.Contains(MFAProtocols, p) {
+		if !slices.Contains(MFAProtocols, p) {
 			return util.NewValidationError(fmt.Sprintf("invalid two factor protocol %q", p))
 		}
 	}
@ -3086,7 +3130,7 @@ func validateBaseFilters(filters *sdk.BaseUserFilters) error {
 		return util.NewValidationError("invalid denied_login_methods")
 	}
 	for _, loginMethod := range filters.DeniedLoginMethods {
-		if !util.Contains(ValidLoginMethods, loginMethod) {
+		if !slices.Contains(ValidLoginMethods, loginMethod) {
 			return util.NewValidationError(fmt.Sprintf("invalid login method: %q", loginMethod))
 		}
 	}
@ -3094,7 +3138,7 @@ func validateBaseFilters(filters *sdk.BaseUserFilters) error {
 		return err
 	}
 	if filters.TLSUsername != "" {
-		if !util.Contains(validTLSUsernames, string(filters.TLSUsername)) {
+		if !slices.Contains(validTLSUsernames, string(filters.TLSUsername)) {
 			return util.NewValidationError(fmt.Sprintf("invalid TLS username: %q", filters.TLSUsername))
 		}
 	}
@ -3104,7 +3148,7 @@ func validateBaseFilters(filters *sdk.BaseUserFilters) error {
 	}
 	filters.TLSCerts = certs
 	for _, opts := range filters.WebClient {
-		if !util.Contains(sdk.WebClientOptions, opts) {
+		if !slices.Contains(sdk.WebClientOptions, opts) {
 			return util.NewValidationError(fmt.Sprintf("invalid web client options %q", opts))
 		}
 	}
@ -3172,19 +3216,19 @@ func validateAccessTimeFilters(filters *sdk.BaseUserFilters) error {
 }

 func validateCombinedUserFilters(user *User) error {
-	if user.Filters.TOTPConfig.Enabled && util.Contains(user.Filters.WebClient, sdk.WebClientMFADisabled) {
+	if user.Filters.TOTPConfig.Enabled && slices.Contains(user.Filters.WebClient, sdk.WebClientMFADisabled) {
 		return util.NewI18nError(
 			util.NewValidationError("two-factor authentication cannot be disabled for a user with an active configuration"),
 			util.I18nErrorDisableActive2FA,
 		)
 	}
-	if user.Filters.RequirePasswordChange && util.Contains(user.Filters.WebClient, sdk.WebClientPasswordChangeDisabled) {
+	if user.Filters.RequirePasswordChange && slices.Contains(user.Filters.WebClient, sdk.WebClientPasswordChangeDisabled) {
 		return util.NewI18nError(
 			util.NewValidationError("you cannot require password change and at the same time disallow it"),
 			util.I18nErrorPwdChangeConflict,
 		)
 	}
-	if len(user.Filters.TwoFactorAuthProtocols) > 0 && util.Contains(user.Filters.WebClient, sdk.WebClientMFADisabled) {
+	if len(user.Filters.TwoFactorAuthProtocols) > 0 && slices.Contains(user.Filters.WebClient, sdk.WebClientMFADisabled) {
 		return util.NewI18nError(
 			util.NewValidationError("you cannot require two-factor authentication and at the same time disallow it"),
 			util.I18nError2FAConflict,
@ -3193,6 +3237,24 @@ func validateCombinedUserFilters(user *User) error {
 	return nil
 }

+func validateEmails(user *User) error {
+	if user.Email != "" && !util.IsEmailValid(user.Email) {
+		return util.NewI18nError(
+			util.NewValidationError(fmt.Sprintf("email %q is not valid", user.Email)),
+			util.I18nErrorInvalidEmail,
+		)
+	}
+	for _, email := range user.Filters.AdditionalEmails {
+		if !util.IsEmailValid(email) {
+			return util.NewI18nError(
+				util.NewValidationError(fmt.Sprintf("email %q is not valid", email)),
+				util.I18nErrorInvalidEmail,
+			)
+		}
+	}
+	return nil
+}
+
 func validateBaseParams(user *User) error {
 	if user.Username == "" {
 		return util.NewI18nError(util.NewValidationError("username is mandatory"), util.I18nErrorUsernameRequired)
@ -3200,11 +3262,8 @@ func validateBaseParams(user *User) error {
 	if err := checkReservedUsernames(user.Username); err != nil {
 		return util.NewI18nError(err, util.I18nErrorReservedUsername)
 	}
-	if user.Email != "" && !util.IsEmailValid(user.Email) {
-		return util.NewI18nError(
-			util.NewValidationError(fmt.Sprintf("email %q is not valid", user.Email)),
-			util.I18nErrorInvalidEmail,
-		)
+	if err := validateEmails(user); err != nil {
+		return err
 	}
 	if config.NamingRules&1 == 0 && !usernameRegex.MatchString(user.Username) {
 		return util.NewI18nError(
@ -3505,7 +3564,7 @@ func checkUserPasscode(user *User, password, protocol string) (string, error) {
 	if user.Filters.TOTPConfig.Enabled {
 		switch protocol {
 		case protocolFTP:
-			if util.Contains(user.Filters.TOTPConfig.Protocols, protocol) {
+			if slices.Contains(user.Filters.TOTPConfig.Protocols, protocol) {
 				// the TOTP passcode has six digits
 				pwdLen := len(password)
 				if pwdLen < 7 {
@ -3711,7 +3770,7 @@ func doBuiltinKeyboardInteractiveAuth(user *User, client ssh.KeyboardInteractive
 	if err := user.LoadAndApplyGroupSettings(); err != nil {
 		return 0, err
 	}
-	hasSecondFactor := user.Filters.TOTPConfig.Enabled && util.Contains(user.Filters.TOTPConfig.Protocols, protocolSSH)
+	hasSecondFactor := user.Filters.TOTPConfig.Enabled && slices.Contains(user.Filters.TOTPConfig.Protocols, protocolSSH)
 	if !isPartialAuth || !hasSecondFactor {
 		answers, err := client("", "", []string{"Password: "}, []bool{false})
 		if err != nil {
@ -3729,7 +3788,7 @@ func doBuiltinKeyboardInteractiveAuth(user *User, client ssh.KeyboardInteractive
 }

 func checkKeyboardInteractiveSecondFactor(user *User, client ssh.KeyboardInteractiveChallenge, protocol string) (int, error) {
-	if !user.Filters.TOTPConfig.Enabled || !util.Contains(user.Filters.TOTPConfig.Protocols, protocolSSH) {
+	if !user.Filters.TOTPConfig.Enabled || !slices.Contains(user.Filters.TOTPConfig.Protocols, protocolSSH) {
 		return 1, nil
 	}
 	err := user.Filters.TOTPConfig.Secret.TryDecrypt()
@ -3853,7 +3912,7 @@ func getKeyboardInteractiveAnswers(client ssh.KeyboardInteractiveChallenge, resp
 	}
 	if len(answers) == 1 && response.CheckPwd > 0 {
 		if response.CheckPwd == 2 {
-			if !user.Filters.TOTPConfig.Enabled || !util.Contains(user.Filters.TOTPConfig.Protocols, protocolSSH) {
+			if !user.Filters.TOTPConfig.Enabled || !slices.Contains(user.Filters.TOTPConfig.Protocols, protocolSSH) {
 				providerLog(logger.LevelInfo, "keyboard interactive auth error: unable to check TOTP passcode, TOTP is not enabled for user %q",
 					user.Username)
 				return answers, errors.New("TOTP not enabled for SSH protocol")
@ -4442,12 +4501,13 @@ func doExternalAuth(username, password string, pubKey []byte, keyboardInteractiv
 		// preserve TOTP config and recovery codes
 		user.Filters.TOTPConfig = u.Filters.TOTPConfig
 		user.Filters.RecoveryCodes = u.Filters.RecoveryCodes
-		err = provider.updateUser(&user)
+		user, err = updateUserAfterExternalAuth(&user)
 		if err == nil {
 			if protocol != protocolWebDAV {
 				webDAVUsersCache.swap(&user, password)
 			}
 			cachedUserPasswords.Add(user.Username, password, user.Password)
+			executeAction(operationUpdate, ActionExecutorSelf, "", actionObjectUser, user.Username, "", &user)
 		}
 		return user, err
 	}
@ -4455,6 +4515,7 @@ func doExternalAuth(username, password string, pubKey []byte, keyboardInteractiv
 	if err != nil {
 		return user, err
 	}
+	executeAction(operationAdd, ActionExecutorSelf, "", actionObjectUser, user.Username, "", &user)
 	return provider.userExists(user.Username, "")
 }

@ -4514,12 +4575,13 @@ func doPluginAuth(username, password string, pubKey []byte, ip, protocol string,
 		// preserve TOTP config and recovery codes
 		user.Filters.TOTPConfig = u.Filters.TOTPConfig
 		user.Filters.RecoveryCodes = u.Filters.RecoveryCodes
-		err = provider.updateUser(&user)
+		user, err = updateUserAfterExternalAuth(&user)
 		if err == nil {
 			if protocol != protocolWebDAV {
 				webDAVUsersCache.swap(&user, password)
 			}
 			cachedUserPasswords.Add(user.Username, password, user.Password)
+			executeAction(operationUpdate, ActionExecutorSelf, "", actionObjectUser, user.Username, "", &user)
 		}
 		return user, err
 	}
@ -4527,6 +4589,14 @@ func doPluginAuth(username, password string, pubKey []byte, ip, protocol string,
 	if err != nil {
 		return user, err
 	}
+	executeAction(operationAdd, ActionExecutorSelf, "", actionObjectUser, user.Username, "", &user)
+	return provider.userExists(user.Username, "")
+}
+
+func updateUserAfterExternalAuth(user *User) (User, error) {
+	if err := provider.updateUser(user); err != nil {
+		return *user, err
+	}
 	return provider.userExists(user.Username, "")
 }

@ -4612,12 +4682,16 @@ func getConfigPath(name, configDir string) string {
 }

 func checkReservedUsernames(username string) error {
-	if util.Contains(reservedUsers, username) {
+	if slices.Contains(reservedUsers, username) {
 		return util.NewValidationError("this username is reserved")
 	}
 	return nil
 }

+func errSchemaVersionTooOld(version int) error {
+	return fmt.Errorf("database schema version %d is too old, please see the upgrading docs: https://docs.sftpgo.com/latest/data-provider/#upgrading", version)
+}
+
 func providerLog(level logger.LogLevel, format string, v ...any) {
 	logger.Log(level, logSender, "", format, v...)
 }
--- a/internal/dataprovider/eventrule.go
+++ b/internal/dataprovider/eventrule.go
@ -23,6 +23,7 @@ import (
 	"net/http"
 	"path"
 	"path/filepath"
+	"slices"
 	"strings"
 	"time"

@ -49,17 +50,21 @@ const (
 	ActionTypeUserExpirationCheck
 	ActionTypeIDPAccountCheck
 	ActionTypeUserInactivityCheck
+	ActionTypeRotateLogs
 )

 var (
 	supportedEventActions = []int{ActionTypeHTTP, ActionTypeCommand, ActionTypeEmail, ActionTypeFilesystem,
 		ActionTypeBackup, ActionTypeUserQuotaReset, ActionTypeFolderQuotaReset, ActionTypeTransferQuotaReset,
-		ActionTypeDataRetentionCheck, ActionTypePasswordExpirationCheck,
-		ActionTypeUserExpirationCheck, ActionTypeUserInactivityCheck, ActionTypeIDPAccountCheck}
+		ActionTypeDataRetentionCheck, ActionTypePasswordExpirationCheck, ActionTypeUserExpirationCheck,
+		ActionTypeUserInactivityCheck, ActionTypeIDPAccountCheck, ActionTypeRotateLogs}
+	// EnabledActionCommands defines the system commands that can be executed via EventManager,
+	// an empty list means that no command is allowed to be executed.
+	EnabledActionCommands []string
 )

 func isActionTypeValid(action int) bool {
-	return util.Contains(supportedEventActions, action)
+	return slices.Contains(supportedEventActions, action)
 }

 func getActionTypeAsString(action int) string {
@ -88,6 +93,8 @@ func getActionTypeAsString(action int) string {
 		return util.I18nActionTypeUserInactivityCheck
 	case ActionTypeIDPAccountCheck:
 		return util.I18nActionTypeIDPCheck
+	case ActionTypeRotateLogs:
+		return util.I18nActionTypeRotateLogs
 	default:
 		return util.I18nActionTypeCommand
 	}
@ -112,7 +119,7 @@ var (
 )

 func isEventTriggerValid(trigger int) bool {
-	return util.Contains(supportedEventTriggers, trigger)
+	return slices.Contains(supportedEventTriggers, trigger)
 }

 func getTriggerTypeAsString(trigger int) string {
@ -166,7 +173,7 @@ var (
 )

 func isFilesystemActionValid(value int) bool {
-	return util.Contains(supportedFsActions, value)
+	return slices.Contains(supportedFsActions, value)
 }

 func getFsActionTypeAsString(value int) string {
@ -335,7 +342,7 @@ func (c *EventActionHTTPConfig) validateMultiparts() error {
 			)
 		}
 		for _, k := range c.Headers {
-			if strings.ToLower(k.Key) == "content-type" {
+			if strings.EqualFold(k.Key, "content-type") {
 				return util.NewI18nError(
 					util.NewValidationError("content type is automatically set for multipart requests"),
 					util.I18nErrorMultipartCType,
@ -377,7 +384,7 @@ func (c *EventActionHTTPConfig) validate(additionalData string) error {
 			return util.NewValidationError(fmt.Sprintf("could not encrypt HTTP password: %v", err))
 		}
 	}
-	if !util.Contains(SupportedHTTPActionMethods, c.Method) {
+	if !slices.Contains(SupportedHTTPActionMethods, c.Method) {
 		return util.NewValidationError(fmt.Sprintf("unsupported HTTP method: %s", c.Method))
 	}
 	for _, kv := range c.QueryParameters {
@ -398,11 +405,11 @@ func (c *EventActionHTTPConfig) GetContext() (context.Context, context.CancelFun

 // HasObjectData returns true if the {{ObjectData}} placeholder is defined
 func (c *EventActionHTTPConfig) HasObjectData() bool {
-	if strings.Contains(c.Body, "{{ObjectData}}") {
+	if strings.Contains(c.Body, "{{ObjectData}}") || strings.Contains(c.Body, "{{ObjectDataString}}") {
 		return true
 	}
 	for _, part := range c.Parts {
-		if strings.Contains(part.Body, "{{ObjectData}}") {
+		if strings.Contains(part.Body, "{{ObjectData}}") || strings.Contains(part.Body, "{{ObjectDataString}}") {
 			return true
 		}
 	}
@ -446,6 +453,11 @@ func (c *EventActionHTTPConfig) GetHTTPClient() *http.Client {
 	return client
 }

+// IsActionCommandAllowed returns true if the specified command is allowed
+func IsActionCommandAllowed(cmd string) bool {
+	return slices.Contains(EnabledActionCommands, cmd)
+}
+
 // EventActionCommandConfig defines the configuration for a command event target
 type EventActionCommandConfig struct {
 	Cmd     string     `json:"cmd,omitempty"`
@ -458,6 +470,9 @@ func (c *EventActionCommandConfig) validate() error {
 	if c.Cmd == "" {
 		return util.NewI18nError(util.NewValidationError("command is required"), util.I18nErrorCommandRequired)
 	}
+	if !IsActionCommandAllowed(c.Cmd) {
+		return util.NewValidationError(fmt.Sprintf("command %q is not allowed", c.Cmd))
+	}
 	if !filepath.IsAbs(c.Cmd) {
 		return util.NewI18nError(
 			util.NewValidationError("invalid command, it must be an absolute path"),
@ -656,12 +671,21 @@ func (c *EventActionFsCompress) validate() error {
 	return nil
 }

+// RenameConfig defines the configuration for a filesystem rename
+type RenameConfig struct {
+	// key is the source and target the value
+	KeyValue
+	// This setting only applies to storage providers that support
+	// changing modification times.
+	UpdateModTime bool `json:"update_modtime,omitempty"`
+}
+
 // EventActionFilesystemConfig defines the configuration for filesystem actions
 type EventActionFilesystemConfig struct {
 	// Filesystem actions, see the above enum
 	Type int `json:"type,omitempty"`
-	// files/dirs to rename, key is the source and target the value
-	Renames []KeyValue `json:"renames,omitempty"`
+	// files/dirs to rename
+	Renames []RenameConfig `json:"renames,omitempty"`
 	// directories to create
 	MkDirs []string `json:"mkdirs,omitempty"`
 	// files/dirs to delete
@ -702,9 +726,9 @@ func (c *EventActionFilesystemConfig) validateRenames() error {
 	if len(c.Renames) == 0 {
 		return util.NewI18nError(util.NewValidationError("no path to rename specified"), util.I18nErrorPathRequired)
 	}
-	for idx, kv := range c.Renames {
-		key := strings.TrimSpace(kv.Key)
-		value := strings.TrimSpace(kv.Value)
+	for idx, cfg := range c.Renames {
+		key := strings.TrimSpace(cfg.Key)
+		value := strings.TrimSpace(cfg.Value)
 		if key == "" || value == "" {
 			return util.NewValidationError("invalid paths to rename")
 		}
@ -722,9 +746,12 @@ func (c *EventActionFilesystemConfig) validateRenames() error {
 				util.I18nErrorRootNotAllowed,
 			)
 		}
-		c.Renames[idx] = KeyValue{
-			Key:   key,
-			Value: value,
+		c.Renames[idx] = RenameConfig{
+			KeyValue: KeyValue{
+				Key:   key,
+				Value: value,
+			},
+			UpdateModTime: cfg.UpdateModTime,
 		}
 	}
 	return nil
@ -888,7 +915,7 @@ func (c *EventActionFilesystemConfig) getACopy() EventActionFilesystemConfig {

 	return EventActionFilesystemConfig{
 		Type:    c.Type,
-		Renames: cloneKeyValues(c.Renames),
+		Renames: cloneRenameConfigs(c.Renames),
 		MkDirs:  mkdirs,
 		Deletes: deletes,
 		Exist:   exist,
@ -1277,7 +1304,7 @@ func (a *EventAction) validateAssociation(trigger int, fsEvents []string) error
 		}
 		if trigger == EventTriggerFsEvent {
 			for _, ev := range fsEvents {
-				if !util.Contains(allowedSyncFsEvents, ev) {
+				if !slices.Contains(allowedSyncFsEvents, ev) {
 					return util.NewI18nError(
 						util.NewValidationError("sync execution is only supported for upload and pre-* events"),
 						util.I18nErrorEvSyncUnsupportedFs,
@ -1320,6 +1347,7 @@ type ConditionOptions struct {
 	ProviderObjects []string           `json:"provider_objects,omitempty"`
 	MinFileSize     int64              `json:"min_size,omitempty"`
 	MaxFileSize     int64              `json:"max_size,omitempty"`
+	EventStatuses   []int              `json:"event_statuses,omitempty"`
 	// allow to execute scheduled tasks concurrently from multiple instances
 	ConcurrentExecution bool `json:"concurrent_execution,omitempty"`
 }
@ -1329,6 +1357,8 @@ func (f *ConditionOptions) getACopy() ConditionOptions {
 	copy(protocols, f.Protocols)
 	providerObjects := make([]string, len(f.ProviderObjects))
 	copy(providerObjects, f.ProviderObjects)
+	statuses := make([]int, len(f.EventStatuses))
+	copy(statuses, f.EventStatuses)

 	return ConditionOptions{
 		Names:               cloneConditionPatterns(f.Names),
@ -1339,10 +1369,20 @@ func (f *ConditionOptions) getACopy() ConditionOptions {
 		ProviderObjects:     providerObjects,
 		MinFileSize:         f.MinFileSize,
 		MaxFileSize:         f.MaxFileSize,
+		EventStatuses:       statuses,
 		ConcurrentExecution: f.ConcurrentExecution,
 	}
 }

+func (f *ConditionOptions) validateStatuses() error {
+	for _, status := range f.EventStatuses {
+		if status < 0 || status > 3 {
+			return util.NewValidationError(fmt.Sprintf("invalid event_status %d", status))
+		}
+	}
+	return nil
+}
+
 func (f *ConditionOptions) validate() error {
 	if err := validateConditionPatterns(f.Names); err != nil {
 		return err
@ -1358,12 +1398,12 @@ func (f *ConditionOptions) validate() error {
 	}

 	for _, p := range f.Protocols {
-		if !util.Contains(SupportedRuleConditionProtocols, p) {
+		if !slices.Contains(SupportedRuleConditionProtocols, p) {
 			return util.NewValidationError(fmt.Sprintf("unsupported rule condition protocol: %q", p))
 		}
 	}
 	for _, p := range f.ProviderObjects {
-		if !util.Contains(SupporteRuleConditionProviderObjects, p) {
+		if !slices.Contains(SupporteRuleConditionProviderObjects, p) {
 			return util.NewValidationError(fmt.Sprintf("unsupported provider object: %q", p))
 		}
 	}
@ -1373,6 +1413,9 @@ func (f *ConditionOptions) validate() error {
 				util.ByteCountSI(f.MaxFileSize), util.ByteCountSI(f.MinFileSize)))
 		}
 	}
+	if err := f.validateStatuses(); err != nil {
+		return err
+	}
 	if config.IsShared == 0 {
 		f.ConcurrentExecution = false
 	}
@ -1465,16 +1508,16 @@ func (c *EventConditions) validate(trigger int) error {
 			)
 		}
 		for _, ev := range c.FsEvents {
-			if !util.Contains(SupportedFsEvents, ev) {
+			if !slices.Contains(SupportedFsEvents, ev) {
 				return util.NewValidationError(fmt.Sprintf("unsupported fs event: %q", ev))
 			}
 		}
 	case EventTriggerProviderEvent:
 		c.FsEvents = nil
 		c.Schedules = nil
-		c.Options.GroupNames = nil
 		c.Options.FsPaths = nil
 		c.Options.Protocols = nil
+		c.Options.EventStatuses = nil
 		c.Options.MinFileSize = 0
 		c.Options.MaxFileSize = 0
 		c.IDPLoginEvent = 0
@ -1485,7 +1528,7 @@ func (c *EventConditions) validate(trigger int) error {
 			)
 		}
 		for _, ev := range c.ProviderEvents {
-			if !util.Contains(SupportedProviderEvents, ev) {
+			if !slices.Contains(SupportedProviderEvents, ev) {
 				return util.NewValidationError(fmt.Sprintf("unsupported provider event: %q", ev))
 			}
 		}
@ -1494,6 +1537,7 @@ func (c *EventConditions) validate(trigger int) error {
 		c.ProviderEvents = nil
 		c.Options.FsPaths = nil
 		c.Options.Protocols = nil
+		c.Options.EventStatuses = nil
 		c.Options.MinFileSize = 0
 		c.Options.MaxFileSize = 0
 		c.Options.ProviderObjects = nil
@ -1509,6 +1553,7 @@ func (c *EventConditions) validate(trigger int) error {
 		c.Options.RoleNames = nil
 		c.Options.FsPaths = nil
 		c.Options.Protocols = nil
+		c.Options.EventStatuses = nil
 		c.Options.MinFileSize = 0
 		c.Options.MaxFileSize = 0
 		c.Schedules = nil
@ -1518,6 +1563,7 @@ func (c *EventConditions) validate(trigger int) error {
 		c.ProviderEvents = nil
 		c.Options.FsPaths = nil
 		c.Options.Protocols = nil
+		c.Options.EventStatuses = nil
 		c.Options.MinFileSize = 0
 		c.Options.MaxFileSize = 0
 		c.Options.ProviderObjects = nil
@ -1531,10 +1577,11 @@ func (c *EventConditions) validate(trigger int) error {
 		c.Options.RoleNames = nil
 		c.Options.FsPaths = nil
 		c.Options.Protocols = nil
+		c.Options.EventStatuses = nil
 		c.Options.MinFileSize = 0
 		c.Options.MaxFileSize = 0
 		c.Schedules = nil
-		if !util.Contains(supportedIDPLoginEvents, c.IDPLoginEvent) {
+		if !slices.Contains(supportedIDPLoginEvents, c.IDPLoginEvent) {
 			return util.NewValidationError(fmt.Sprintf("invalid Identity Provider login event %d", c.IDPLoginEvent))
 		}
 	default:
@ -1544,6 +1591,7 @@ func (c *EventConditions) validate(trigger int) error {
 		c.Options.RoleNames = nil
 		c.Options.FsPaths = nil
 		c.Options.Protocols = nil
+		c.Options.EventStatuses = nil
 		c.Options.MinFileSize = 0
 		c.Options.MaxFileSize = 0
 		c.Schedules = nil
@ -1687,7 +1735,7 @@ func (r *EventRule) validateMandatorySyncActions() error {
 		return nil
 	}
 	for _, ev := range r.Conditions.FsEvents {
-		if util.Contains(mandatorySyncFsEvents, ev) {
+		if slices.Contains(mandatorySyncFsEvents, ev) {
 			return util.NewI18nError(
 				util.NewValidationError(fmt.Sprintf("event %q requires at least a sync action", ev)),
 				util.I18nErrorRuleSyncActionRequired,
@ -1705,7 +1753,7 @@ func (r *EventRule) checkIPBlockedAndCertificateActions() error {
 		ActionTypeDataRetentionCheck, ActionTypeFilesystem, ActionTypePasswordExpirationCheck,
 		ActionTypeUserExpirationCheck}
 	for _, action := range r.Actions {
-		if util.Contains(unavailableActions, action.Type) {
+		if slices.Contains(unavailableActions, action.Type) {
 			return fmt.Errorf("action %q, type %q is not supported for event trigger %q",
 				action.Name, getActionTypeAsString(action.Type), getTriggerTypeAsString(r.Trigger))
 		}
@ -1721,7 +1769,7 @@ func (r *EventRule) checkProviderEventActions(providerObjectType string) error {
 		ActionTypeDataRetentionCheck, ActionTypeFilesystem,
 		ActionTypePasswordExpirationCheck, ActionTypeUserExpirationCheck}
 	for _, action := range r.Actions {
-		if util.Contains(userSpecificActions, action.Type) && providerObjectType != actionObjectUser {
+		if slices.Contains(userSpecificActions, action.Type) && providerObjectType != actionObjectUser {
 			return fmt.Errorf("action %q, type %q is only supported for provider user events",
 				action.Name, getActionTypeAsString(action.Type))
 		}
@ -1829,6 +1877,20 @@ func (r *EventRule) RenderAsJSON(reload bool) ([]byte, error) {
 	return json.Marshal(r)
 }

+func cloneRenameConfigs(renames []RenameConfig) []RenameConfig {
+	res := make([]RenameConfig, 0, len(renames))
+	for _, c := range renames {
+		res = append(res, RenameConfig{
+			KeyValue: KeyValue{
+				Key:   c.Key,
+				Value: c.Value,
+			},
+			UpdateModTime: c.UpdateModTime,
+		})
+	}
+	return res
+}
+
 func cloneKeyValues(keyVals []KeyValue) []KeyValue {
 	res := make([]KeyValue, 0, len(keyVals))
 	for _, kv := range keyVals {
--- a/internal/dataprovider/iplist.go
+++ b/internal/dataprovider/iplist.go
@ -19,6 +19,7 @@ import (
 	"fmt"
 	"net"
 	"net/netip"
+	"slices"
 	"strings"
 	"sync"
 	"sync/atomic"
@ -85,7 +86,7 @@ var (

 // CheckIPListType returns an error if the provided IP list type is not valid
 func CheckIPListType(t IPListType) error {
-	if !util.Contains(supportedIPListType, t) {
+	if !slices.Contains(supportedIPListType, t) {
 		return util.NewValidationError(fmt.Sprintf("invalid list type %d", t))
 	}
 	return nil
--- a/internal/dataprovider/memory.go
+++ b/internal/dataprovider/memory.go
@ -22,7 +22,9 @@ import (
 	"net/netip"
 	"os"
 	"path/filepath"
+	"slices"
 	"sort"
+	"strconv"
 	"sync"
 	"time"

@ -206,6 +208,32 @@ func (p *MemoryProvider) updateAPIKeyLastUse(keyID string) error {
 	return nil
 }

+func (p *MemoryProvider) getAdminSignature(username string) (string, error) {
+	p.dbHandle.Lock()
+	defer p.dbHandle.Unlock()
+	if p.dbHandle.isClosed {
+		return "", errMemoryProviderClosed
+	}
+	admin, err := p.adminExistsInternal(username)
+	if err != nil {
+		return "", err
+	}
+	return strconv.FormatInt(admin.UpdatedAt, 10), nil
+}
+
+func (p *MemoryProvider) getUserSignature(username string) (string, error) {
+	p.dbHandle.Lock()
+	defer p.dbHandle.Unlock()
+	if p.dbHandle.isClosed {
+		return "", errMemoryProviderClosed
+	}
+	user, err := p.userExistsInternal(username)
+	if err != nil {
+		return "", err
+	}
+	return strconv.FormatInt(user.UpdatedAt, 10), nil
+}
+
 func (p *MemoryProvider) setUpdatedAt(username string) {
 	p.dbHandle.Lock()
 	defer p.dbHandle.Unlock()
@ -1210,7 +1238,7 @@ func (p *MemoryProvider) addRuleToActionMapping(ruleName, actionName string) err
 	if err != nil {
 		return util.NewGenericError(fmt.Sprintf("action %q does not exist", actionName))
 	}
-	if !util.Contains(a.Rules, ruleName) {
+	if !slices.Contains(a.Rules, ruleName) {
 		a.Rules = append(a.Rules, ruleName)
 		p.dbHandle.actions[actionName] = a
 	}
@ -1223,7 +1251,7 @@ func (p *MemoryProvider) removeRuleFromActionMapping(ruleName, actionName string
 		providerLog(logger.LevelWarn, "action %q does not exist, cannot remove from mapping", actionName)
 		return
 	}
-	if util.Contains(a.Rules, ruleName) {
+	if slices.Contains(a.Rules, ruleName) {
 		var rules []string
 		for _, r := range a.Rules {
 			if r != ruleName {
@ -1240,7 +1268,7 @@ func (p *MemoryProvider) addAdminToGroupMapping(username, groupname string) erro
 	if err != nil {
 		return err
 	}
-	if !util.Contains(g.Admins, username) {
+	if !slices.Contains(g.Admins, username) {
 		g.Admins = append(g.Admins, username)
 		p.dbHandle.groups[groupname] = g
 	}
@ -1283,7 +1311,7 @@ func (p *MemoryProvider) addUserToGroupMapping(username, groupname string) error
 	if err != nil {
 		return err
 	}
-	if !util.Contains(g.Users, username) {
+	if !slices.Contains(g.Users, username) {
 		g.Users = append(g.Users, username)
 		p.dbHandle.groups[groupname] = g
 	}
@ -1313,7 +1341,7 @@ func (p *MemoryProvider) addAdminToRole(username, role string) error {
 	if err != nil {
 		return fmt.Errorf("%w: role %q does not exist", ErrForeignKeyViolated, role)
 	}
-	if !util.Contains(r.Admins, username) {
+	if !slices.Contains(r.Admins, username) {
 		r.Admins = append(r.Admins, username)
 		p.dbHandle.roles[role] = r
 	}
@ -1347,7 +1375,7 @@ func (p *MemoryProvider) addUserToRole(username, role string) error {
 	if err != nil {
 		return fmt.Errorf("%w: role %q does not exist", ErrForeignKeyViolated, role)
 	}
-	if !util.Contains(r.Users, username) {
+	if !slices.Contains(r.Users, username) {
 		r.Users = append(r.Users, username)
 		p.dbHandle.roles[role] = r
 	}
@ -1378,7 +1406,7 @@ func (p *MemoryProvider) addUserToFolderMapping(username, foldername string) err
 	if err != nil {
 		return util.NewGenericError(fmt.Sprintf("unable to get folder %q: %v", foldername, err))
 	}
-	if !util.Contains(f.Users, username) {
+	if !slices.Contains(f.Users, username) {
 		f.Users = append(f.Users, username)
 		p.dbHandle.vfolders[foldername] = f
 	}
@ -1390,7 +1418,7 @@ func (p *MemoryProvider) addGroupToFolderMapping(name, foldername string) error
 	if err != nil {
 		return util.NewGenericError(fmt.Sprintf("unable to get folder %q: %v", foldername, err))
 	}
-	if !util.Contains(f.Groups, name) {
+	if !slices.Contains(f.Groups, name) {
 		f.Groups = append(f.Groups, name)
 		p.dbHandle.vfolders[foldername] = f
 	}
--- a/internal/dataprovider/mysql.go
+++ b/internal/dataprovider/mysql.go
@ -95,8 +95,8 @@ const (
 		"`last_login` bigint NOT NULL, `filters` longtext NULL, `filesystem` longtext NULL, `additional_info` longtext NULL, " +
 		"`created_at` bigint NOT NULL, `updated_at` bigint NOT NULL, `email` varchar(255) NULL, " +
 		"`upload_data_transfer` integer NOT NULL, `download_data_transfer` integer NOT NULL, " +
-		"`total_data_transfer` integer NOT NULL, `used_upload_data_transfer` integer NOT NULL, " +
-		"`used_download_data_transfer` integer NOT NULL, `deleted_at` bigint NOT NULL, `first_download` bigint NOT NULL, " +
+		"`total_data_transfer` integer NOT NULL, `used_upload_data_transfer` bigint NOT NULL, " +
+		"`used_download_data_transfer` bigint NOT NULL, `deleted_at` bigint NOT NULL, `first_download` bigint NOT NULL, " +
 		"`first_upload` bigint NOT NULL, `last_password_change` bigint NOT NULL, `role_id` integer NULL);" +
 		"CREATE TABLE `{{groups_folders_mapping}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, " +
 		"`group_id` integer NOT NULL, `folder_id` integer NOT NULL, " +
@ -193,11 +193,7 @@ const (
 		"CREATE INDEX `{{prefix}}ip_lists_updated_at_idx` ON `{{ip_lists}}` (`updated_at`);" +
 		"CREATE INDEX `{{prefix}}ip_lists_deleted_at_idx` ON `{{ip_lists}}` (`deleted_at`);" +
 		"CREATE INDEX `{{prefix}}ip_lists_first_last_idx` ON `{{ip_lists}}` (`first`, `last`);" +
-		"INSERT INTO {{schema_version}} (version) VALUES (28);"
-	mysqlV29SQL = "ALTER TABLE `{{users}}` MODIFY `used_download_data_transfer` bigint NOT NULL;" +
-		"ALTER TABLE `{{users}}` MODIFY `used_upload_data_transfer` bigint NOT NULL;"
-	mysqlV29DownSQL = "ALTER TABLE `{{users}}` MODIFY `used_upload_data_transfer` integer NOT NULL;" +
-		"ALTER TABLE `{{users}}` MODIFY `used_download_data_transfer` integer NOT NULL;"
+		"INSERT INTO {{schema_version}} (version) VALUES (29);"
 )

 // MySQLProvider defines the auth provider for MySQL/MariaDB database
@ -329,6 +325,14 @@ func (p *MySQLProvider) getUsedQuota(username string) (int, int64, int64, int64,
 	return sqlCommonGetUsedQuota(username, p.dbHandle)
 }

+func (p *MySQLProvider) getAdminSignature(username string) (string, error) {
+	return sqlCommonGetAdminSignature(username, p.dbHandle)
+}
+
+func (p *MySQLProvider) getUserSignature(username string) (string, error) {
+	return sqlCommonGetUserSignature(username, p.dbHandle)
+}
+
 func (p *MySQLProvider) setUpdatedAt(username string) {
 	sqlCommonSetUpdatedAt(username, p.dbHandle)
 }
@ -776,11 +780,11 @@ func (p *MySQLProvider) initializeDatabase() error {
 	if errors.Is(err, sql.ErrNoRows) {
 		return errSchemaVersionEmpty
 	}
-	logger.InfoToConsole("creating initial database schema, version 28")
-	providerLog(logger.LevelInfo, "creating initial database schema, version 28")
+	logger.InfoToConsole("creating initial database schema, version 29")
+	providerLog(logger.LevelInfo, "creating initial database schema, version 29")
 	initialSQL := sqlReplaceAll(mysqlInitialSQL)

-	return sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, strings.Split(initialSQL, ";"), 28, true)
+	return sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, strings.Split(initialSQL, ";"), 29, true)
 }

 func (p *MySQLProvider) migrateDatabase() error {
@ -793,13 +797,11 @@ func (p *MySQLProvider) migrateDatabase() error {
 	case version == sqlDatabaseVersion:
 		providerLog(logger.LevelDebug, "sql database is up to date, current version: %d", version)
 		return ErrNoInitRequired
-	case version < 28:
-		err = fmt.Errorf("database schema version %d is too old, please see the upgrading docs", version)
+	case version < 29:
+		err = errSchemaVersionTooOld(version)
 		providerLog(logger.LevelError, "%v", err)
 		logger.ErrorToConsole("%v", err)
 		return err
-	case version == 28:
-		return updateMySQLDatabaseFrom28To29(p.dbHandle)
 	default:
 		if version > sqlDatabaseVersion {
 			providerLog(logger.LevelError, "database schema version %d is newer than the supported one: %d", version,
@ -822,8 +824,6 @@ func (p *MySQLProvider) revertDatabase(targetVersion int) error {
 	}

 	switch dbVersion.Version {
-	case 29:
-		return downgradeMySQLDatabaseFrom29To28(p.dbHandle)
 	default:
 		return fmt.Errorf("database schema version not handled: %d", dbVersion.Version)
 	}
@ -861,19 +861,3 @@ func (p *MySQLProvider) normalizeError(err error, fieldType int) error {
 	}
 	return err
 }
-
-func updateMySQLDatabaseFrom28To29(dbHandle *sql.DB) error {
-	logger.InfoToConsole("updating database schema version: 28 -> 29")
-	providerLog(logger.LevelInfo, "updating database schema version: 28 -> 29")
-
-	sql := strings.ReplaceAll(mysqlV29SQL, "{{users}}", sqlTableUsers)
-	return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, strings.Split(sql, ";"), 29, true)
-}
-
-func downgradeMySQLDatabaseFrom29To28(dbHandle *sql.DB) error {
-	logger.InfoToConsole("downgrading database schema version: 29 -> 28")
-	providerLog(logger.LevelInfo, "downgrading database schema version: 29 -> 28")
-
-	sql := strings.ReplaceAll(mysqlV29DownSQL, "{{users}}", sqlTableUsers)
-	return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, strings.Split(sql, ";"), 28, false)
-}
--- a/internal/dataprovider/node.go
+++ b/internal/dataprovider/node.go
@ -17,10 +17,11 @@ package dataprovider
 import (
 	"bytes"
 	"context"
+	"crypto/sha256"
+	"encoding/hex"
 	"encoding/json"
 	"errors"
 	"fmt"
-	"hash/fnv"
 	"io"
 	"net/http"
 	"strconv"
@ -99,7 +100,7 @@ func (n *NodeData) validate() error {
 	if n.Proto != NodeProtoHTTP && n.Proto != NodeProtoHTTPS {
 		return util.NewValidationError(fmt.Sprintf("invalid node proto: %s", n.Proto))
 	}
-	n.Key = kms.NewPlainSecret(util.BytesToString(util.GenerateRandomBytes(32)))
+	n.Key = kms.NewPlainSecret(util.GenerateOpaqueString())
 	n.Key.SetAdditionalData(n.Host)
 	if err := n.Key.Encrypt(); err != nil {
 		return fmt.Errorf("unable to encrypt node key: %w", err)
@ -108,12 +109,12 @@ func (n *NodeData) validate() error {
 }

 func (n *NodeData) getNodeName() string {
-	h := fnv.New64a()
+	h := sha256.New()
 	var b bytes.Buffer

 	b.WriteString(fmt.Sprintf("%s:%d", n.Host, n.Port))
 	h.Write(b.Bytes())
-	return strconv.FormatUint(h.Sum64(), 10)
+	return hex.EncodeToString(h.Sum(nil))
 }

 // Node defines a cluster node
@ -183,6 +184,7 @@ func (n *Node) generateAuthToken(username, role string) (string, error) {
 	t := jwt.New()
 	t.Set("admin", username)                          //nolint:errcheck
 	t.Set("role", role)                               //nolint:errcheck
+	t.Set(jwt.IssuedAtKey, now)                       //nolint:errcheck
 	t.Set(jwt.JwtIDKey, xid.New().String())           //nolint:errcheck
 	t.Set(jwt.NotBeforeKey, now.Add(-30*time.Second)) //nolint:errcheck
 	t.Set(jwt.ExpirationKey, now.Add(1*time.Minute))  //nolint:errcheck
--- a/internal/dataprovider/pgsql.go
+++ b/internal/dataprovider/pgsql.go
@ -24,6 +24,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@ -95,7 +96,7 @@ CREATE TABLE "{{users}}" ("id" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS
 "download_bandwidth" integer NOT NULL, "last_login" bigint NOT NULL, "filters" text NULL, "filesystem" text NULL,
 "additional_info" text NULL, "created_at" bigint NOT NULL, "updated_at" bigint NOT NULL, "email" varchar(255) NULL,
 "upload_data_transfer" integer NOT NULL, "download_data_transfer" integer NOT NULL, "total_data_transfer" integer NOT NULL,
-"used_upload_data_transfer" integer NOT NULL, "used_download_data_transfer" integer NOT NULL, "deleted_at" bigint NOT NULL,
+"used_upload_data_transfer" bigint NOT NULL, "used_download_data_transfer" bigint NOT NULL, "deleted_at" bigint NOT NULL,
 "first_download" bigint NOT NULL, "first_upload" bigint NOT NULL, "last_password_change" bigint NOT NULL, "role_id" integer NULL);
 CREATE TABLE "{{groups_folders_mapping}}" ("id" integer NOT NULL PRIMARY KEY GENERATED ALWAYS AS IDENTITY, "group_id" integer NOT NULL,
 "folder_id" integer NOT NULL, "virtual_path" text NOT NULL, "quota_size" bigint NOT NULL, "quota_files" integer NOT NULL);
@ -205,16 +206,10 @@ CREATE INDEX "{{prefix}}ip_lists_ipornet_idx" ON "{{ip_lists}}" ("ipornet");
 CREATE INDEX "{{prefix}}ip_lists_updated_at_idx" ON "{{ip_lists}}" ("updated_at");
 CREATE INDEX "{{prefix}}ip_lists_deleted_at_idx" ON "{{ip_lists}}" ("deleted_at");
 CREATE INDEX "{{prefix}}ip_lists_first_last_idx" ON "{{ip_lists}}" ("first", "last");
-INSERT INTO {{schema_version}} (version) VALUES (28);
+INSERT INTO {{schema_version}} (version) VALUES (29);
 `
 	// not supported in CockroachDB
 	ipListsLikeIndex = `CREATE INDEX "{{prefix}}ip_lists_ipornet_like_idx" ON "{{ip_lists}}" ("ipornet" varchar_pattern_ops);`
-	pgsqlV29SQL      = `ALTER TABLE "{{users}}" ALTER COLUMN "used_download_data_transfer" TYPE bigint;
-ALTER TABLE "{{users}}" ALTER COLUMN "used_upload_data_transfer" TYPE bigint;
-`
-	pgsqlV29DownSQL = `ALTER TABLE "{{users}}" ALTER COLUMN "used_upload_data_transfer" TYPE integer;
-ALTER TABLE "{{users}}" ALTER COLUMN "used_download_data_transfer" TYPE integer;
-`
 )

 var (
@ -311,7 +306,7 @@ func getPGSQLConnectionString(redactedPwd bool) string {
 		if config.DisableSNI {
 			connectionString += " sslsni=0"
 		}
-		if util.Contains(pgSQLTargetSessionAttrs, config.TargetSessionAttrs) {
+		if slices.Contains(pgSQLTargetSessionAttrs, config.TargetSessionAttrs) {
 			connectionString += fmt.Sprintf(" target_session_attrs='%s'", config.TargetSessionAttrs)
 		}
 	} else {
@ -348,6 +343,14 @@ func (p *PGSQLProvider) getUsedQuota(username string) (int, int64, int64, int64,
 	return sqlCommonGetUsedQuota(username, p.dbHandle)
 }

+func (p *PGSQLProvider) getAdminSignature(username string) (string, error) {
+	return sqlCommonGetAdminSignature(username, p.dbHandle)
+}
+
+func (p *PGSQLProvider) getUserSignature(username string) (string, error) {
+	return sqlCommonGetUserSignature(username, p.dbHandle)
+}
+
 func (p *PGSQLProvider) setUpdatedAt(username string) {
 	sqlCommonSetUpdatedAt(username, p.dbHandle)
 }
@ -795,8 +798,8 @@ func (p *PGSQLProvider) initializeDatabase() error {
 	if errors.Is(err, sql.ErrNoRows) {
 		return errSchemaVersionEmpty
 	}
-	logger.InfoToConsole("creating initial database schema, version 28")
-	providerLog(logger.LevelInfo, "creating initial database schema, version 28")
+	logger.InfoToConsole("creating initial database schema, version 29")
+	providerLog(logger.LevelInfo, "creating initial database schema, version 29")
 	var initialSQL string
 	if config.Driver == CockroachDataProviderName {
 		initialSQL = sqlReplaceAll(pgsqlInitial)
@ -805,7 +808,7 @@ func (p *PGSQLProvider) initializeDatabase() error {
 		initialSQL = sqlReplaceAll(pgsqlInitial + ipListsLikeIndex)
 	}

-	return sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, []string{initialSQL}, 28, true)
+	return sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, []string{initialSQL}, 29, true)
 }

 func (p *PGSQLProvider) migrateDatabase() error { //nolint:dupl
@ -818,13 +821,11 @@ func (p *PGSQLProvider) migrateDatabase() error { //nolint:dupl
 	case version == sqlDatabaseVersion:
 		providerLog(logger.LevelDebug, "sql database is up to date, current version: %d", version)
 		return ErrNoInitRequired
-	case version < 28:
-		err = fmt.Errorf("database schema version %d is too old, please see the upgrading docs", version)
+	case version < 29:
+		err = errSchemaVersionTooOld(version)
 		providerLog(logger.LevelError, "%v", err)
 		logger.ErrorToConsole("%v", err)
 		return err
-	case version == 28:
-		return updatePGSQLDatabaseFrom28To29(p.dbHandle)
 	default:
 		if version > sqlDatabaseVersion {
 			providerLog(logger.LevelError, "database schema version %d is newer than the supported one: %d", version,
@ -847,8 +848,6 @@ func (p *PGSQLProvider) revertDatabase(targetVersion int) error {
 	}

 	switch dbVersion.Version {
-	case 29:
-		return downgradePGSQLDatabaseFrom29To28(p.dbHandle)
 	default:
 		return fmt.Errorf("database schema version not handled: %d", dbVersion.Version)
 	}
@ -886,19 +885,3 @@ func (p *PGSQLProvider) normalizeError(err error, fieldType int) error {
 	}
 	return err
 }
-
-func updatePGSQLDatabaseFrom28To29(dbHandle *sql.DB) error {
-	logger.InfoToConsole("updating database schema version: 28 -> 29")
-	providerLog(logger.LevelInfo, "updating database schema version: 28 -> 29")
-
-	sql := strings.ReplaceAll(pgsqlV29SQL, "{{users}}", sqlTableUsers)
-	return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 29, true)
-}
-
-func downgradePGSQLDatabaseFrom29To28(dbHandle *sql.DB) error {
-	logger.InfoToConsole("downgrading database schema version: 29 -> 28")
-	providerLog(logger.LevelInfo, "downgrading database schema version: 29 -> 28")
-
-	sql := strings.ReplaceAll(pgsqlV29DownSQL, "{{users}}", sqlTableUsers)
-	return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 28, false)
-}
--- a/internal/dataprovider/share.go
+++ b/internal/dataprovider/share.go
@ -89,6 +89,11 @@ func (s *Share) GetAllowedFromAsString() string {
 	return strings.Join(s.AllowFrom, ",")
 }

+// IsPasswordHashed returns true if the password is hashed
+func (s *Share) IsPasswordHashed() bool {
+	return util.IsStringPrefixInSlice(s.Password, hashPwdPrefixes)
+}
+
 func (s *Share) getACopy() Share {
 	allowFrom := make([]string, len(s.AllowFrom))
 	copy(allowFrom, s.AllowFrom)
--- a/internal/dataprovider/sqlcommon.go
+++ b/internal/dataprovider/sqlcommon.go
@ -23,6 +23,7 @@ import (
 	"fmt"
 	"net/netip"
 	"runtime/debug"
+	"strconv"
 	"strings"
 	"time"

@ -1248,6 +1249,32 @@ func sqlCommonUpdateQuota(username string, filesAdd int, sizeAdd int64, reset bo
 	return err
 }

+func sqlCommonGetAdminSignature(username string, dbHandle *sql.DB) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
+	defer cancel()
+
+	q := getAdminSignatureQuery()
+	var updatedAt int64
+	err := dbHandle.QueryRowContext(ctx, q, username).Scan(&updatedAt)
+	if err != nil {
+		return "", err
+	}
+	return strconv.FormatInt(updatedAt, 10), nil
+}
+
+func sqlCommonGetUserSignature(username string, dbHandle *sql.DB) (string, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
+	defer cancel()
+
+	q := getUserSignatureQuery()
+	var updatedAt int64
+	err := dbHandle.QueryRowContext(ctx, q, username).Scan(&updatedAt)
+	if err != nil {
+		return "", err
+	}
+	return strconv.FormatInt(updatedAt, 10), nil
+}
+
 func sqlCommonGetUsedQuota(username string, dbHandle *sql.DB) (int, int64, int64, int64, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
 	defer cancel()
--- a/internal/dataprovider/sqlite.go
+++ b/internal/dataprovider/sqlite.go
@ -12,8 +12,8 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program. If not, see <https://www.gnu.org/licenses/>.

-//go:build !nosqlite
-// +build !nosqlite
+//go:build !nosqlite && cgo
+// +build !nosqlite,cgo

 package dataprovider

@ -178,7 +178,7 @@ CREATE INDEX "{{prefix}}ip_lists_ip_type_idx" ON "{{ip_lists}}" ("ip_type");
 CREATE INDEX "{{prefix}}ip_lists_ip_updated_at_idx" ON "{{ip_lists}}" ("updated_at");
 CREATE INDEX "{{prefix}}ip_lists_ip_deleted_at_idx" ON "{{ip_lists}}" ("deleted_at");
 CREATE INDEX "{{prefix}}ip_lists_first_last_idx" ON "{{ip_lists}}" ("first", "last");
-INSERT INTO {{schema_version}} (version) VALUES (28);
+INSERT INTO {{schema_version}} (version) VALUES (29);
 `
 )

@ -215,7 +215,7 @@ func initializeSQLiteProvider(basePath string) error {
 	providerLog(logger.LevelDebug, "sqlite database handle created, connection string: %q", connectionString)
 	dbHandle.SetMaxOpenConns(1)
 	provider = &SQLiteProvider{dbHandle: dbHandle}
-	return nil
+	return executePragmaOptimize(dbHandle)
 }

 func (p *SQLiteProvider) checkAvailability() error {
@ -246,6 +246,14 @@ func (p *SQLiteProvider) getUsedQuota(username string) (int, int64, int64, int64
 	return sqlCommonGetUsedQuota(username, p.dbHandle)
 }

+func (p *SQLiteProvider) getAdminSignature(username string) (string, error) {
+	return sqlCommonGetAdminSignature(username, p.dbHandle)
+}
+
+func (p *SQLiteProvider) getUserSignature(username string) (string, error) {
+	return sqlCommonGetUserSignature(username, p.dbHandle)
+}
+
 func (p *SQLiteProvider) setUpdatedAt(username string) {
 	sqlCommonSetUpdatedAt(username, p.dbHandle)
 }
@ -693,10 +701,10 @@ func (p *SQLiteProvider) initializeDatabase() error {
 	if errors.Is(err, sql.ErrNoRows) {
 		return errSchemaVersionEmpty
 	}
-	logger.InfoToConsole("creating initial database schema, version 28")
-	providerLog(logger.LevelInfo, "creating initial database schema, version 28")
+	logger.InfoToConsole("creating initial database schema, version 29")
+	providerLog(logger.LevelInfo, "creating initial database schema, version 29")
 	sql := sqlReplaceAll(sqliteInitialSQL)
-	return sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, []string{sql}, 28, true)
+	return sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, []string{sql}, 29, true)
 }

 func (p *SQLiteProvider) migrateDatabase() error { //nolint:dupl
@ -709,13 +717,11 @@ func (p *SQLiteProvider) migrateDatabase() error { //nolint:dupl
 	case version == sqlDatabaseVersion:
 		providerLog(logger.LevelDebug, "sql database is up to date, current version: %d", version)
 		return ErrNoInitRequired
-	case version < 28:
-		err = fmt.Errorf("database schema version %d is too old, please see the upgrading docs", version)
+	case version < 29:
+		err = errSchemaVersionTooOld(version)
 		providerLog(logger.LevelError, "%v", err)
 		logger.ErrorToConsole("%v", err)
 		return err
-	case version == 28:
-		return updateSQLiteDatabaseFrom28To29(p.dbHandle)
 	default:
 		if version > sqlDatabaseVersion {
 			providerLog(logger.LevelError, "database schema version %d is newer than the supported one: %d", version,
@ -738,8 +744,6 @@ func (p *SQLiteProvider) revertDatabase(targetVersion int) error {
 	}

 	switch dbVersion.Version {
-	case 29:
-		return downgradeSQLiteDatabaseFrom29To28(p.dbHandle)
 	default:
 		return fmt.Errorf("database schema version not handled: %d", dbVersion.Version)
 	}
@ -777,24 +781,12 @@ func (p *SQLiteProvider) normalizeError(err error, fieldType int) error {
 	return err
 }

-func updateSQLiteDatabaseFrom28To29(dbHandle *sql.DB) error {
-	logger.InfoToConsole("updating database schema version: 28 -> 29")
-	providerLog(logger.LevelInfo, "updating database schema version: 28 -> 29")
-
+func executePragmaOptimize(dbHandle *sql.DB) error {
 	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
 	defer cancel()

-	return sqlCommonUpdateDatabaseVersion(ctx, dbHandle, 29)
-}
-
-func downgradeSQLiteDatabaseFrom29To28(dbHandle *sql.DB) error {
-	logger.InfoToConsole("downgrading database schema version: 29 -> 28")
-	providerLog(logger.LevelInfo, "downgrading database schema version: 29 -> 28")
-
-	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
-	defer cancel()
-
-	return sqlCommonUpdateDatabaseVersion(ctx, dbHandle, 28)
+	_, err := dbHandle.ExecContext(ctx, "PRAGMA optimize;")
+	return err
 }

 /*func setPragmaFK(dbHandle *sql.DB, value string) error {
--- a/internal/dataprovider/sqlite_disabled.go
+++ b/internal/dataprovider/sqlite_disabled.go
@ -12,8 +12,8 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program. If not, see <https://www.gnu.org/licenses/>.

-//go:build nosqlite
-// +build nosqlite
+//go:build nosqlite || !cgo
+// +build nosqlite !cgo

 package dataprovider

--- a/internal/dataprovider/sqlqueries.go
+++ b/internal/dataprovider/sqlqueries.go
@ -650,6 +650,14 @@ func getUpdateQuotaQuery(reset bool) string {
 		WHERE username = %s`, sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3])
 }

+func getAdminSignatureQuery() string {
+	return fmt.Sprintf(`SELECT updated_at FROM %s WHERE username = %s`, sqlTableAdmins, sqlPlaceholders[0])
+}
+
+func getUserSignatureQuery() string {
+	return fmt.Sprintf(`SELECT updated_at FROM %s WHERE username = %s`, sqlTableUsers, sqlPlaceholders[0])
+}
+
 func getSetUpdateAtQuery() string {
 	return fmt.Sprintf(`UPDATE %s SET updated_at = %s WHERE username = %s`, sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1])
 }
--- a/internal/dataprovider/unixcrypt.go
+++ b/internal/dataprovider/unixcrypt.go
@ -12,8 +12,8 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program. If not, see <https://www.gnu.org/licenses/>.

-//go:build unixcrypt
-// +build unixcrypt
+//go:build unixcrypt && cgo
+// +build unixcrypt,cgo

 package dataprovider

--- a/internal/dataprovider/unixcrypt_disabled.go
+++ b/internal/dataprovider/unixcrypt_disabled.go
@ -12,8 +12,8 @@
 // You should have received a copy of the GNU Affero General Public License
 // along with this program. If not, see <https://www.gnu.org/licenses/>.

-//go:build !unixcrypt
-// +build !unixcrypt
+//go:build !unixcrypt || !cgo
+// +build !unixcrypt !cgo

 package dataprovider

--- a/internal/dataprovider/user.go
+++ b/internal/dataprovider/user.go
@ -22,6 +22,7 @@ import (
 	"net"
 	"os"
 	"path"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@ -123,6 +124,8 @@ type UserFilters struct {
 	sdk.BaseUserFilters
 	// User must change password from WebClient/REST API at next login.
 	RequirePasswordChange bool `json:"require_password_change,omitempty"`
+	// AdditionalEmails defines additional email addresses
+	AdditionalEmails []string `json:"additional_emails,omitempty"`
 	// Time-based one time passwords configuration
 	TOTPConfig UserTOTPConfig `json:"totp_config,omitempty"`
 	// Recovery codes to use if the user loses access to their second factor auth device.
@ -342,7 +345,11 @@ func (u *User) isTimeBasedAccessAllowed(when time.Time) bool {
 	if when.IsZero() {
 		when = time.Now()
 	}
-	when = when.UTC()
+	if UseLocalTime() {
+		when = when.Local()
+	} else {
+		when = when.UTC()
+	}
 	weekDay := when.Weekday()
 	hhMM := when.Format("15:04")
 	for _, p := range u.Filters.AccessTime {
@ -399,6 +406,15 @@ func (u *User) CheckMaxShareExpiration(expiresAt time.Time) error {
 	return nil
 }

+// GetEmailAddresses returns all the email addresses.
+func (u *User) GetEmailAddresses() []string {
+	var res []string
+	if u.Email != "" {
+		res = append(res, u.Email)
+	}
+	return slices.Concat(res, u.Filters.AdditionalEmails)
+}
+
 // GetSubDirPermissions returns permissions for sub directories
 func (u *User) GetSubDirPermissions() []sdk.DirectoryPermissions {
 	var result []sdk.DirectoryPermissions
@ -840,20 +856,20 @@ func (u *User) HasPermissionsInside(virtualPath string) bool {
 // HasPerm returns true if the user has the given permission or any permission
 func (u *User) HasPerm(permission, path string) bool {
 	perms := u.GetPermissionsForPath(path)
-	if util.Contains(perms, PermAny) {
+	if slices.Contains(perms, PermAny) {
 		return true
 	}
-	return util.Contains(perms, permission)
+	return slices.Contains(perms, permission)
 }

 // HasAnyPerm returns true if the user has at least one of the given permissions
 func (u *User) HasAnyPerm(permissions []string, path string) bool {
 	perms := u.GetPermissionsForPath(path)
-	if util.Contains(perms, PermAny) {
+	if slices.Contains(perms, PermAny) {
 		return true
 	}
 	for _, permission := range permissions {
-		if util.Contains(perms, permission) {
+		if slices.Contains(perms, permission) {
 			return true
 		}
 	}
@ -863,11 +879,11 @@ func (u *User) HasAnyPerm(permissions []string, path string) bool {
 // HasPerms returns true if the user has all the given permissions
 func (u *User) HasPerms(permissions []string, path string) bool {
 	perms := u.GetPermissionsForPath(path)
-	if util.Contains(perms, PermAny) {
+	if slices.Contains(perms, PermAny) {
 		return true
 	}
 	for _, permission := range permissions {
-		if !util.Contains(perms, permission) {
+		if !slices.Contains(perms, permission) {
 			return false
 		}
 	}
@ -927,11 +943,11 @@ func (u *User) IsLoginMethodAllowed(loginMethod, protocol string) bool {
 	if len(u.Filters.DeniedLoginMethods) == 0 {
 		return true
 	}
-	if util.Contains(u.Filters.DeniedLoginMethods, loginMethod) {
+	if slices.Contains(u.Filters.DeniedLoginMethods, loginMethod) {
 		return false
 	}
 	if protocol == protocolSSH && loginMethod == LoginMethodPassword {
-		if util.Contains(u.Filters.DeniedLoginMethods, SSHLoginMethodPassword) {
+		if slices.Contains(u.Filters.DeniedLoginMethods, SSHLoginMethodPassword) {
 			return false
 		}
 	}
@ -965,10 +981,10 @@ func (u *User) IsPartialAuth() bool {
 			method == SSHLoginMethodPassword {
 			continue
 		}
-		if method == LoginMethodPassword && util.Contains(u.Filters.DeniedLoginMethods, SSHLoginMethodPassword) {
+		if method == LoginMethodPassword && slices.Contains(u.Filters.DeniedLoginMethods, SSHLoginMethodPassword) {
 			continue
 		}
-		if !util.Contains(SSHMultiStepsLoginMethods, method) {
+		if !slices.Contains(SSHMultiStepsLoginMethods, method) {
 			return false
 		}
 	}
@ -982,7 +998,7 @@ func (u *User) GetAllowedLoginMethods() []string {
 		if method == SSHLoginMethodPassword {
 			continue
 		}
-		if !util.Contains(u.Filters.DeniedLoginMethods, method) {
+		if !slices.Contains(u.Filters.DeniedLoginMethods, method) {
 			allowedMethods = append(allowedMethods, method)
 		}
 	}
@ -1052,7 +1068,7 @@ func (u *User) IsFileAllowed(virtualPath string) (bool, int) {

 // CanManageMFA returns true if the user can add a multi-factor authentication configuration
 func (u *User) CanManageMFA() bool {
-	if util.Contains(u.Filters.WebClient, sdk.WebClientMFADisabled) {
+	if slices.Contains(u.Filters.WebClient, sdk.WebClientMFADisabled) {
 		return false
 	}
 	return len(mfa.GetAvailableTOTPConfigs()) > 0
@ -1073,39 +1089,39 @@ func (u *User) skipExternalAuth() bool {

 // CanManageShares returns true if the user can add, update and list shares
 func (u *User) CanManageShares() bool {
-	return !util.Contains(u.Filters.WebClient, sdk.WebClientSharesDisabled)
+	return !slices.Contains(u.Filters.WebClient, sdk.WebClientSharesDisabled)
 }

 // CanResetPassword returns true if this user is allowed to reset its password
 func (u *User) CanResetPassword() bool {
-	return !util.Contains(u.Filters.WebClient, sdk.WebClientPasswordResetDisabled)
+	return !slices.Contains(u.Filters.WebClient, sdk.WebClientPasswordResetDisabled)
 }

 // CanChangePassword returns true if this user is allowed to change its password
 func (u *User) CanChangePassword() bool {
-	return !util.Contains(u.Filters.WebClient, sdk.WebClientPasswordChangeDisabled)
+	return !slices.Contains(u.Filters.WebClient, sdk.WebClientPasswordChangeDisabled)
 }

 // CanChangeAPIKeyAuth returns true if this user is allowed to enable/disable API key authentication
 func (u *User) CanChangeAPIKeyAuth() bool {
-	return !util.Contains(u.Filters.WebClient, sdk.WebClientAPIKeyAuthChangeDisabled)
+	return !slices.Contains(u.Filters.WebClient, sdk.WebClientAPIKeyAuthChangeDisabled)
 }

 // CanChangeInfo returns true if this user is allowed to change its info such as email and description
 func (u *User) CanChangeInfo() bool {
-	return !util.Contains(u.Filters.WebClient, sdk.WebClientInfoChangeDisabled)
+	return !slices.Contains(u.Filters.WebClient, sdk.WebClientInfoChangeDisabled)
 }

 // CanManagePublicKeys returns true if this user is allowed to manage public keys
 // from the WebClient. Used in WebClient UI
 func (u *User) CanManagePublicKeys() bool {
-	return !util.Contains(u.Filters.WebClient, sdk.WebClientPubKeyChangeDisabled)
+	return !slices.Contains(u.Filters.WebClient, sdk.WebClientPubKeyChangeDisabled)
 }

 // CanManageTLSCerts returns true if this user is allowed to manage TLS certificates
 // from the WebClient. Used in WebClient UI
 func (u *User) CanManageTLSCerts() bool {
-	return !util.Contains(u.Filters.WebClient, sdk.WebClientTLSCertChangeDisabled)
+	return !slices.Contains(u.Filters.WebClient, sdk.WebClientTLSCertChangeDisabled)
 }

 // CanUpdateProfile returns true if the user is allowed to update the profile.
@ -1117,7 +1133,7 @@ func (u *User) CanUpdateProfile() bool {
 // CanAddFilesFromWeb returns true if the client can add files from the web UI.
 // The specified target is the directory where the files must be uploaded
 func (u *User) CanAddFilesFromWeb(target string) bool {
-	if util.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {
+	if slices.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {
 		return false
 	}
 	return u.HasPerm(PermUpload, target) || u.HasPerm(PermOverwrite, target)
@ -1126,7 +1142,7 @@ func (u *User) CanAddFilesFromWeb(target string) bool {
 // CanAddDirsFromWeb returns true if the client can add directories from the web UI.
 // The specified target is the directory where the new directory must be created
 func (u *User) CanAddDirsFromWeb(target string) bool {
-	if util.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {
+	if slices.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {
 		return false
 	}
 	return u.HasPerm(PermCreateDirs, target)
@ -1135,7 +1151,7 @@ func (u *User) CanAddDirsFromWeb(target string) bool {
 // CanRenameFromWeb returns true if the client can rename objects from the web UI.
 // The specified src and dest are the source and target directories for the rename.
 func (u *User) CanRenameFromWeb(src, dest string) bool {
-	if util.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {
+	if slices.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {
 		return false
 	}
 	return u.HasAnyPerm(permsRenameAny, src) && u.HasAnyPerm(permsRenameAny, dest)
@ -1144,7 +1160,7 @@ func (u *User) CanRenameFromWeb(src, dest string) bool {
 // CanDeleteFromWeb returns true if the client can delete objects from the web UI.
 // The specified target is the parent directory for the object to delete
 func (u *User) CanDeleteFromWeb(target string) bool {
-	if util.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {
+	if slices.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {
 		return false
 	}
 	return u.HasAnyPerm(permsDeleteAny, target)
@ -1153,7 +1169,7 @@ func (u *User) CanDeleteFromWeb(target string) bool {
 // CanCopyFromWeb returns true if the client can copy objects from the web UI.
 // The specified src and dest are the source and target directories for the copy.
 func (u *User) CanCopyFromWeb(src, dest string) bool {
-	if util.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {
+	if slices.Contains(u.Filters.WebClient, sdk.WebClientWriteDisabled) {
 		return false
 	}
 	if !u.HasPerm(PermListItems, src) {
@ -1213,7 +1229,7 @@ func (u *User) MustSetSecondFactor() bool {
 			return true
 		}
 		for _, p := range u.Filters.TwoFactorAuthProtocols {
-			if !util.Contains(u.Filters.TOTPConfig.Protocols, p) {
+			if !slices.Contains(u.Filters.TOTPConfig.Protocols, p) {
 				return true
 			}
 		}
@ -1224,11 +1240,11 @@ func (u *User) MustSetSecondFactor() bool {
 // MustSetSecondFactorForProtocol returns true if the user must set a second factor authentication
 // for the specified protocol
 func (u *User) MustSetSecondFactorForProtocol(protocol string) bool {
-	if util.Contains(u.Filters.TwoFactorAuthProtocols, protocol) {
+	if slices.Contains(u.Filters.TwoFactorAuthProtocols, protocol) {
 		if !u.Filters.TOTPConfig.Enabled {
 			return true
 		}
-		if !util.Contains(u.Filters.TOTPConfig.Protocols, protocol) {
+		if !slices.Contains(u.Filters.TOTPConfig.Protocols, protocol) {
 			return true
 		}
 	}
@ -1779,6 +1795,8 @@ func (u *User) getACopy() User {
 	filters.TOTPConfig.Secret = u.Filters.TOTPConfig.Secret.Clone()
 	filters.TOTPConfig.Protocols = make([]string, len(u.Filters.TOTPConfig.Protocols))
 	copy(filters.TOTPConfig.Protocols, u.Filters.TOTPConfig.Protocols)
+	filters.AdditionalEmails = make([]string, len(u.Filters.AdditionalEmails))
+	copy(filters.AdditionalEmails, u.Filters.AdditionalEmails)
 	filters.RecoveryCodes = make([]RecoveryCode, 0, len(u.Filters.RecoveryCodes))
 	for _, code := range u.Filters.RecoveryCodes {
 		if code.Secret == nil {
--- a/internal/ftpd/cryptfs_test.go
+++ b/internal/ftpd/cryptfs_test.go
@ -134,6 +134,7 @@ func TestBasicFTPHandlingCryptFs(t *testing.T) {
 	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond)
 	assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,
 		50*time.Millisecond)
+	assert.Equal(t, int32(0), common.Connections.GetTotalTransfers())
 }

 func TestBufferedCryptFs(t *testing.T) {
@ -179,6 +180,7 @@ func TestBufferedCryptFs(t *testing.T) {
 	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond)
 	assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,
 		50*time.Millisecond)
+	assert.Equal(t, int32(0), common.Connections.GetTotalTransfers())
 }

 func TestZeroBytesTransfersCryptFs(t *testing.T) {
--- a/internal/ftpd/ftpd_test.go
+++ b/internal/ftpd/ftpd_test.go
@ -37,6 +37,7 @@ import (

 	ftpserver "github.com/fclairamb/ftpserverlib"
 	"github.com/jlaffaye/ftp"
+	"github.com/pkg/sftp"
 	"github.com/pquerna/otp"
 	"github.com/pquerna/otp/totp"
 	"github.com/rs/zerolog"
@ -44,6 +45,7 @@ import (
 	sdkkms "github.com/sftpgo/sdk/kms"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/crypto/ssh"

 	"github.com/drakkan/sftpgo/v2/internal/common"
 	"github.com/drakkan/sftpgo/v2/internal/config"
@ -671,6 +673,7 @@ func TestBasicFTPHandling(t *testing.T) {
 	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond)
 	assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,
 		50*time.Millisecond)
+	assert.Equal(t, int32(0), common.Connections.GetTotalTransfers())
 }

 func TestHTTPFs(t *testing.T) {
@ -715,6 +718,7 @@ func TestHTTPFs(t *testing.T) {
 	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond)
 	assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,
 		50*time.Millisecond)
+	assert.Equal(t, int32(0), common.Connections.GetTotalTransfers())
 }

 func TestListDirWithWildcards(t *testing.T) {
@ -1735,6 +1739,66 @@ func TestMaxPerHostConnections(t *testing.T) {
 	common.Config.MaxPerHostConnections = oldValue
 }

+func TestMaxTransfers(t *testing.T) {
+	oldValue := common.Config.MaxPerHostConnections
+	common.Config.MaxPerHostConnections = 2
+
+	assert.Eventually(t, func() bool {
+		return common.Connections.GetClientConnections() == 0
+	}, 1000*time.Millisecond, 50*time.Millisecond)
+
+	user := getTestUser()
+	err := dataprovider.AddUser(&user, "", "", "")
+	assert.NoError(t, err)
+	user.Password = ""
+
+	testFilePath := filepath.Join(homeBasePath, testFileName)
+	testFileSize := int64(65535)
+	err = createTestFile(testFilePath, testFileSize)
+	assert.NoError(t, err)
+
+	conn, sftpClient, err := getSftpClient(user)
+	assert.NoError(t, err)
+	defer conn.Close()
+	defer sftpClient.Close()
+
+	f1, err := sftpClient.Create("file1")
+	assert.NoError(t, err)
+	f2, err := sftpClient.Create("file2")
+	assert.NoError(t, err)
+	_, err = f1.Write([]byte(" "))
+	assert.NoError(t, err)
+	_, err = f2.Write([]byte(" "))
+	assert.NoError(t, err)
+
+	client, err := getFTPClient(user, true, nil)
+	if assert.NoError(t, err) {
+		err = checkBasicFTP(client)
+		assert.NoError(t, err)
+		err = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)
+		assert.Error(t, err)
+		localDownloadPath := filepath.Join(homeBasePath, testDLFileName)
+		err = ftpDownloadFile(testFileName, localDownloadPath, testFileSize, client, 0)
+		assert.Error(t, err)
+		err := client.Quit()
+		assert.NoError(t, err)
+		err = os.Remove(localDownloadPath)
+		assert.NoError(t, err)
+	}
+
+	err = f1.Close()
+	assert.NoError(t, err)
+	err = f2.Close()
+	assert.NoError(t, err)
+
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
+	assert.NoError(t, err)
+	err = os.RemoveAll(user.GetHomeDir())
+	assert.NoError(t, err)
+
+	common.Config.MaxPerHostConnections = oldValue
+}
+
 func TestRateLimiter(t *testing.T) {
 	oldConfig := config.GetCommonConfig()

@ -2544,14 +2608,14 @@ func TestRename(t *testing.T) {
 				assert.NoError(t, err)
 				err = client.MakeDir(path.Join(otherDir, testDir))
 				assert.NoError(t, err)
-				code, response, err := client.SendCommand(fmt.Sprintf("SITE CHMOD 0001 %v", otherDir))
+				code, response, err := client.SendCommand("SITE CHMOD 0001 %v", otherDir)
 				assert.NoError(t, err)
 				assert.Equal(t, ftp.StatusCommandOK, code)
 				assert.Equal(t, "SITE CHMOD command successful", response)
 				err = client.Rename(testDir, path.Join(otherDir, testDir))
 				assert.Error(t, err)

-				code, response, err = client.SendCommand(fmt.Sprintf("SITE CHMOD 755 %v", otherDir))
+				code, response, err = client.SendCommand("SITE CHMOD 755 %v", otherDir)
 				assert.NoError(t, err)
 				assert.Equal(t, ftp.StatusCommandOK, code)
 				assert.Equal(t, "SITE CHMOD command successful", response)
@ -2611,7 +2675,7 @@ func TestSymlink(t *testing.T) {
 			assert.NoError(t, err)
 			err = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)
 			assert.NoError(t, err)
-			code, _, err := client.SendCommand(fmt.Sprintf("SITE SYMLINK %v %v", testFileName, testFileName+".link"))
+			code, _, err := client.SendCommand("SITE SYMLINK %v %v", testFileName, testFileName+".link")
 			assert.NoError(t, err)
 			assert.Equal(t, ftp.StatusCommandOK, code)

@ -2622,15 +2686,15 @@ func TestSymlink(t *testing.T) {
 				assert.NoError(t, err)
 				err = client.MakeDir(path.Join(otherDir, testDir))
 				assert.NoError(t, err)
-				code, response, err := client.SendCommand(fmt.Sprintf("SITE CHMOD 0001 %v", otherDir))
+				code, response, err := client.SendCommand("SITE CHMOD 0001 %v", otherDir)
 				assert.NoError(t, err)
 				assert.Equal(t, ftp.StatusCommandOK, code)
 				assert.Equal(t, "SITE CHMOD command successful", response)
-				code, _, err = client.SendCommand(fmt.Sprintf("SITE SYMLINK %v %v", testDir, path.Join(otherDir, testDir)))
+				code, _, err = client.SendCommand("SITE SYMLINK %v %v", testDir, path.Join(otherDir, testDir))
 				assert.NoError(t, err)
 				assert.Equal(t, ftp.StatusFileUnavailable, code)

-				code, response, err = client.SendCommand(fmt.Sprintf("SITE CHMOD 755 %v", otherDir))
+				code, response, err = client.SendCommand("SITE CHMOD 755 %v", otherDir)
 				assert.NoError(t, err)
 				assert.Equal(t, ftp.StatusCommandOK, code)
 				assert.Equal(t, "SITE CHMOD command successful", response)
@ -2718,6 +2782,7 @@ func TestStat(t *testing.T) {

 func TestUploadOverwriteVfolder(t *testing.T) {
 	u := getTestUser()
+	u.QuotaFiles = 1000
 	vdir := "/vdir"
 	mappedPath := filepath.Join(os.TempDir(), "vdir")
 	folderName := filepath.Base(mappedPath)
@ -2749,14 +2814,24 @@ func TestUploadOverwriteVfolder(t *testing.T) {
 		assert.NoError(t, err)
 		folder, _, err := httpdtest.GetFolderByName(folderName, http.StatusOK)
 		assert.NoError(t, err)
-		assert.Equal(t, testFileSize, folder.UsedQuotaSize)
-		assert.Equal(t, 1, folder.UsedQuotaFiles)
+		assert.Equal(t, int64(0), folder.UsedQuotaSize)
+		assert.Equal(t, 0, folder.UsedQuotaFiles)
+		user, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)
+		assert.NoError(t, err)
+		assert.Equal(t, testFileSize, user.UsedQuotaSize)
+		assert.Equal(t, 1, user.UsedQuotaFiles)
+
 		err = ftpUploadFile(testFilePath, path.Join(vdir, testFileName), testFileSize, client, 0)
 		assert.NoError(t, err)
 		folder, _, err = httpdtest.GetFolderByName(folderName, http.StatusOK)
 		assert.NoError(t, err)
-		assert.Equal(t, testFileSize, folder.UsedQuotaSize)
-		assert.Equal(t, 1, folder.UsedQuotaFiles)
+		assert.Equal(t, int64(0), folder.UsedQuotaSize)
+		assert.Equal(t, 0, folder.UsedQuotaFiles)
+		user, _, err = httpdtest.GetUserByUsername(user.Username, http.StatusOK)
+		assert.NoError(t, err)
+		assert.Equal(t, testFileSize, user.UsedQuotaSize)
+		assert.Equal(t, 1, user.UsedQuotaFiles)
+
 		err = client.Quit()
 		assert.NoError(t, err)
 		err = os.Remove(testFilePath)
@ -3051,7 +3126,7 @@ func TestChtimes(t *testing.T) {
 			assert.NoError(t, err)

 			mtime := time.Now().Format("20060102150405")
-			code, response, err := client.SendCommand(fmt.Sprintf("MFMT %v %v", mtime, testFileName))
+			code, response, err := client.SendCommand("MFMT %v %v", mtime, testFileName)
 			assert.NoError(t, err)
 			assert.Equal(t, ftp.StatusFile, code)
 			assert.Equal(t, fmt.Sprintf("Modify=%v; %v", mtime, testFileName), response)
@ -3128,7 +3203,7 @@ func TestSTAT(t *testing.T) {
 		assert.NoError(t, err)
 		err = ftpUploadFile(testFilePath, path.Join(testDir, testFileName+"_1"), testFileSize, client, 0)
 		assert.NoError(t, err)
-		code, response, err := client.SendCommand(fmt.Sprintf("STAT %s", testDir))
+		code, response, err := client.SendCommand("STAT %s", testDir)
 		assert.NoError(t, err)
 		assert.Equal(t, ftp.StatusDirectory, code)
 		assert.Contains(t, response, fmt.Sprintf("STAT %s", testDir))
@ -3162,7 +3237,7 @@ func TestChown(t *testing.T) {
 		assert.NoError(t, err)
 		err = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)
 		assert.NoError(t, err)
-		code, response, err := client.SendCommand(fmt.Sprintf("SITE CHOWN 1000:1000 %v", testFileName))
+		code, response, err := client.SendCommand("SITE CHOWN 1000:1000 %v", testFileName)
 		assert.NoError(t, err)
 		assert.Equal(t, ftp.StatusFileUnavailable, code)
 		assert.Equal(t, "Couldn't chown: operation unsupported", response)
@ -3200,7 +3275,7 @@ func TestChmod(t *testing.T) {
 			err = ftpUploadFile(testFilePath, testFileName, testFileSize, client, 0)
 			assert.NoError(t, err)

-			code, response, err := client.SendCommand(fmt.Sprintf("SITE CHMOD 600 %v", testFileName))
+			code, response, err := client.SendCommand("SITE CHMOD 600 %v", testFileName)
 			assert.NoError(t, err)
 			assert.Equal(t, ftp.StatusCommandOK, code)
 			assert.Equal(t, "SITE CHMOD command successful", response)
@ -3363,12 +3438,12 @@ func TestHASH(t *testing.T) {
 			err = f.Close()
 			assert.NoError(t, err)

-			code, response, err := client.SendCommand(fmt.Sprintf("XSHA256 %v", testFileName))
+			code, response, err := client.SendCommand("XSHA256 %v", testFileName)
 			assert.NoError(t, err)
 			assert.Equal(t, ftp.StatusRequestedFileActionOK, code)
 			assert.Contains(t, response, hash)

-			code, response, err = client.SendCommand(fmt.Sprintf("HASH %v", testFileName))
+			code, response, err = client.SendCommand("HASH %v", testFileName)
 			assert.NoError(t, err)
 			assert.Equal(t, ftp.StatusFile, code)
 			assert.Contains(t, response, hash)
@ -3424,7 +3499,7 @@ func TestCombine(t *testing.T) {
 			err = ftpUploadFile(testFilePath, testFileName+".2", testFileSize, client, 0)
 			assert.NoError(t, err)

-			code, response, err := client.SendCommand(fmt.Sprintf("COMB %v %v %v", testFileName, testFileName+".1", testFileName+".2"))
+			code, response, err := client.SendCommand("COMB %v %v %v", testFileName, testFileName+".1", testFileName+".2")
 			assert.NoError(t, err)
 			if user.Username == defaultUsername {
 				assert.Equal(t, ftp.StatusRequestedFileActionOK, code)
@ -3951,6 +4026,7 @@ func TestNestedVirtualFolders(t *testing.T) {
 	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond)
 	assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,
 		50*time.Millisecond)
+	assert.Equal(t, int32(0), common.Connections.GetTotalTransfers())
 }

 func checkBasicFTP(client *ftp.ServerConn) error {
@ -4202,6 +4278,30 @@ func getPreLoginScriptContent(user dataprovider.User, nonJSONResponse bool) []by
 	return content
 }

+func getSftpClient(user dataprovider.User) (*ssh.Client, *sftp.Client, error) {
+	var sftpClient *sftp.Client
+	config := &ssh.ClientConfig{
+		User:            user.Username,
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
+		Timeout:         5 * time.Second,
+	}
+	if user.Password != "" {
+		config.Auth = []ssh.AuthMethod{ssh.Password(user.Password)}
+	} else {
+		config.Auth = []ssh.AuthMethod{ssh.Password(defaultPassword)}
+	}
+
+	conn, err := ssh.Dial("tcp", sftpServerAddr, config)
+	if err != nil {
+		return conn, sftpClient, err
+	}
+	sftpClient, err = sftp.NewClient(conn)
+	if err != nil {
+		conn.Close()
+	}
+	return conn, sftpClient, err
+}
+
 func getExitCodeScriptContent(exitCode int) []byte {
 	content := []byte("#!/bin/sh\n\n")
 	content = append(content, []byte(fmt.Sprintf("exit %v", exitCode))...)
--- a/internal/ftpd/handler.go
+++ b/internal/ftpd/handler.go
@ -331,6 +331,11 @@ func (c *Connection) GetHandle(name string, flags int, offset int64) (ftpserver.
 		return nil, errCOMBNotSupported
 	}

+	if err := common.Connections.IsNewTransferAllowed(c.User.Username); err != nil {
+		c.Log(logger.LevelInfo, "denying transfer due to count limits")
+		return nil, c.GetPermissionDeniedError()
+	}
+
 	if flags&os.O_WRONLY != 0 {
 		return c.uploadFile(fs, p, name, flags)
 	}
@ -465,7 +470,7 @@ func (c *Connection) handleFTPUploadToExistingFile(fs vfs.Fs, flags int, resolve
 	}

 	if common.Config.IsAtomicUploadEnabled() && fs.IsAtomicUploadSupported() {
-		_, _, err = fs.Rename(resolvedPath, filePath)
+		_, _, err = fs.Rename(resolvedPath, filePath, 0)
 		if err != nil {
 			c.Log(logger.LevelError, "error renaming existing file for atomic upload, source: %q, dest: %q, err: %+v",
 				resolvedPath, filePath, err)
@ -493,10 +498,7 @@ func (c *Connection) handleFTPUploadToExistingFile(fs vfs.Fs, flags int, resolve
 		if vfs.HasTruncateSupport(fs) {
 			vfolder, err := c.User.GetVirtualFolderForPath(path.Dir(requestPath))
 			if err == nil {
-				dataprovider.UpdateVirtualFolderQuota(&vfolder.BaseVirtualFolder, 0, -fileSize, false) //nolint:errcheck
-				if vfolder.IsIncludedInUserQuota() {
-					dataprovider.UpdateUserQuota(&c.User, 0, -fileSize, false) //nolint:errcheck
-				}
+				dataprovider.UpdateUserFolderQuota(&vfolder, &c.User, 0, -fileSize, false)
 			} else {
 				dataprovider.UpdateUserQuota(&c.User, 0, -fileSize, false) //nolint:errcheck
 			}
--- a/internal/ftpd/internal_test.go
+++ b/internal/ftpd/internal_test.go
@ -404,7 +404,7 @@ func (fs MockOsFs) Remove(name string, _ bool) error {
 }

 // Rename renames (moves) source to target
-func (fs MockOsFs) Rename(source, target string) (int, int64, error) {
+func (fs MockOsFs) Rename(source, target string, _ int) (int, int64, error) {
 	if fs.err != nil {
 		return -1, -1, fs.err
 	}
@ -664,6 +664,7 @@ func TestClientVersion(t *testing.T) {
 		common.Connections.Remove(connection.GetID())
 	}
 	assert.Len(t, common.Connections.GetStats(""), 0)
+	assert.Equal(t, int32(0), common.Connections.GetTotalTransfers())
 }

 func TestDriverMethodsNotImplemented(t *testing.T) {
@ -885,7 +886,6 @@ func TestTransferErrors(t *testing.T) {
 	fs := newMockOsFs(nil, nil, false, connID, user.GetHomeDir())
 	connection := &Connection{
 		BaseConnection: common.NewBaseConnection(connID, common.ProtocolFTP, "", "", user),
-		clientContext:  mockCC,
 	}
 	baseTransfer := common.NewBaseTransfer(file, connection.BaseConnection, nil, file.Name(), file.Name(), testfile,
 		common.TransferDownload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})
@ -919,6 +919,7 @@ func TestTransferErrors(t *testing.T) {
 	pipeWriter := vfs.NewPipeWriter(w)
 	baseTransfer = common.NewBaseTransfer(nil, connection.BaseConnection, nil, testfile, testfile, testfile,
 		common.TransferUpload, 0, 0, 0, 0, false, fs, dataprovider.TransferQuota{})
+	tr.Connection.RemoveTransfer(tr)
 	tr = newTransfer(baseTransfer, pipeWriter, nil, 0)

 	err = r.Close()
@ -934,6 +935,7 @@ func TestTransferErrors(t *testing.T) {
 	if assert.Error(t, err) {
 		assert.EqualError(t, err, common.ErrOpUnsupported.Error())
 	}
+	tr.Connection.RemoveTransfer(tr)
 	err = os.Remove(testfile)
 	assert.NoError(t, err)
 }
--- a/internal/ftpd/server.go
+++ b/internal/ftpd/server.go
@ -22,6 +22,7 @@ import (
 	"net"
 	"os"
 	"path/filepath"
+	"slices"

 	ftpserver "github.com/fclairamb/ftpserverlib"
 	"github.com/sftpgo/sdk/plugin/notifier"
@ -187,20 +188,18 @@ func (s *Server) AuthUser(cc ftpserver.ClientContext, username, password string)
 	user, err := dataprovider.CheckUserAndPass(username, password, ipAddr, common.ProtocolFTP)
 	if err != nil {
 		user.Username = username
-		updateLoginMetrics(&user, ipAddr, loginMethod, err)
+		updateLoginMetrics(&user, ipAddr, loginMethod, err, nil)
 		return nil, dataprovider.ErrInvalidCredentials
 	}

 	connection, err := s.validateUser(user, cc, loginMethod)

-	defer updateLoginMetrics(&user, ipAddr, loginMethod, err)
+	defer updateLoginMetrics(&user, ipAddr, loginMethod, err, connection)

 	if err != nil {
 		return nil, err
 	}
 	setStartDirectory(user.Filters.StartDirectory, cc)
-	connection.Log(logger.LevelInfo, "User %q logged in with %q from ip %q, TLS enabled? %t",
-		user.Username, loginMethod, ipAddr, cc.HasTLSForControl())
 	dataprovider.UpdateLastLogin(&user)
 	return connection, nil
 }
@ -245,7 +244,7 @@ func (s *Server) VerifyConnection(cc ftpserver.ClientContext, user string, tlsCo
 			dbUser, err := dataprovider.CheckUserBeforeTLSAuth(user, ipAddr, common.ProtocolFTP, state.PeerCertificates[0])
 			if err != nil {
 				dbUser.Username = user
-				updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err)
+				updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err, nil)
 				return nil, dataprovider.ErrInvalidCredentials
 			}
 			if dbUser.IsTLSVerificationEnabled() {
@ -259,14 +258,12 @@ func (s *Server) VerifyConnection(cc ftpserver.ClientContext, user string, tlsCo
 				if dbUser.IsLoginMethodAllowed(dataprovider.LoginMethodTLSCertificate, common.ProtocolFTP) {
 					connection, err := s.validateUser(dbUser, cc, dataprovider.LoginMethodTLSCertificate)

-					defer updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err)
+					defer updateLoginMetrics(&dbUser, ipAddr, dataprovider.LoginMethodTLSCertificate, err, connection)

 					if err != nil {
 						return nil, err
 					}
 					setStartDirectory(dbUser.Filters.StartDirectory, cc)
-					connection.Log(logger.LevelInfo, "User id: %d, logged in with FTP using a TLS certificate, username: %q, home_dir: %q remote addr: %q",
-						dbUser.ID, dbUser.Username, dbUser.HomeDir, ipAddr)
 					dataprovider.UpdateLastLogin(&dbUser)
 					return connection, nil
 				}
@ -361,7 +358,7 @@ func (s *Server) validateUser(user dataprovider.User, cc ftpserver.ClientContext
 			user.Username, user.HomeDir)
 		return nil, fmt.Errorf("cannot login user with invalid home dir: %q", user.HomeDir)
 	}
-	if util.Contains(user.Filters.DeniedProtocols, common.ProtocolFTP) {
+	if slices.Contains(user.Filters.DeniedProtocols, common.ProtocolFTP) {
 		logger.Info(logSender, connectionID, "cannot login user %q, protocol FTP is not allowed", user.Username)
 		return nil, fmt.Errorf("protocol FTP is not allowed for user %q", user.Username)
 	}
@ -416,13 +413,15 @@ func setStartDirectory(startDirectory string, cc ftpserver.ClientContext) {
 	cc.SetPath(startDirectory)
 }

-func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error) {
+func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err error, c *Connection) {
 	metric.AddLoginAttempt(loginMethod)
 	if err == nil {
+		logger.LoginLog(user.Username, ip, loginMethod, common.ProtocolFTP, c.ID, c.GetClientVersion(),
+			c.clientContext.HasTLSForControl(), "")
 		plugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, common.ProtocolFTP, user.Username, ip, "", nil)
+		common.DelayLogin(nil)
 	} else if err != common.ErrInternalFailure {
-		logger.ConnectionFailedLog(user.Username, ip, loginMethod,
-			common.ProtocolFTP, err.Error())
+		logger.ConnectionFailedLog(user.Username, ip, loginMethod, common.ProtocolFTP, err.Error())
 		event := common.HostEventLoginFailed
 		logEv := notifier.LogEventTypeLoginFailed
 		if errors.Is(err, util.ErrNotFound) {
@ -431,6 +430,9 @@ func updateLoginMetrics(user *dataprovider.User, ip, loginMethod string, err err
 		}
 		common.AddDefenderEvent(ip, common.ProtocolFTP, event)
 		plugin.Handler.NotifyLogEvent(logEv, common.ProtocolFTP, user.Username, ip, "", err)
+		if loginMethod != dataprovider.LoginMethodTLSCertificate {
+			common.DelayLogin(err)
+		}
 	}
 	metric.AddLoginResult(loginMethod, err)
 	dataprovider.ExecutePostLoginHook(user, loginMethod, ip, common.ProtocolFTP, err)
--- a/internal/httpd/api_admin.go
+++ b/internal/httpd/api_admin.go
@ -149,8 +149,8 @@ func updateAdmin(w http.ResponseWriter, r *http.Request) {
 				http.StatusBadRequest)
 			return
 		}
-		if claims.isCriticalPermRemoved(updatedAdmin.Permissions) {
-			sendAPIResponse(w, r, errors.New("you cannot remove these permissions to yourself"), "", http.StatusBadRequest)
+		if !util.SlicesEqual(admin.Permissions, updatedAdmin.Permissions) {
+			sendAPIResponse(w, r, errors.New("you cannot change your permissions"), "", http.StatusBadRequest)
 			return
 		}
 		if updatedAdmin.Status == 0 {
@ -297,6 +297,7 @@ func changeAdminPassword(w http.ResponseWriter, r *http.Request) {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
 	}
+	invalidateToken(r)
 	sendAPIResponse(w, r, err, "Password updated", http.StatusOK)
 }

--- a/internal/httpd/api_configs.go
+++ b/internal/httpd/api_configs.go
@ -85,7 +85,7 @@ type oauth2TokenRequest struct {
 	BaseRedirectURL string `json:"base_redirect_url"`
 }

-func handleSMTPOAuth2TokenRequestPost(w http.ResponseWriter, r *http.Request) {
+func (s *httpdServer) handleSMTPOAuth2TokenRequestPost(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)

 	var req oauth2TokenRequest
@ -115,7 +115,7 @@ func handleSMTPOAuth2TokenRequestPost(w http.ResponseWriter, r *http.Request) {
 	clientSecret.SetAdditionalData(xid.New().String())
 	pendingAuth := newOAuth2PendingAuth(req.Provider, cfg.RedirectURL, cfg.ClientID, clientSecret)
 	oauth2Mgr.addPendingAuth(pendingAuth)
-	stateToken := createOAuth2Token(pendingAuth.State, util.GetIPFromRemoteAddress(r.RemoteAddr))
+	stateToken := createOAuth2Token(s.csrfTokenAuth, pendingAuth.State, util.GetIPFromRemoteAddress(r.RemoteAddr))
 	if stateToken == "" {
 		sendAPIResponse(w, r, nil, "unable to create state token", http.StatusInternalServerError)
 		return
--- a/internal/httpd/api_http_user.go
+++ b/internal/httpd/api_http_user.go
@ -317,6 +317,13 @@ func uploadUserFiles(w http.ResponseWriter, r *http.Request) {
 	}
 	defer common.Connections.Remove(connection.GetID())

+	if err := common.Connections.IsNewTransferAllowed(connection.User.Username); err != nil {
+		connection.Log(logger.LevelInfo, "denying file write due to number of transfer limits")
+		sendAPIResponse(w, r, err, "Denying file write due to transfer count limits",
+			http.StatusConflict)
+		return
+	}
+
 	transferQuota := connection.GetTransferQuota()
 	if !transferQuota.HasUploadSpace() {
 		connection.Log(logger.LevelInfo, "denying file write due to transfer quota limits")
@ -469,8 +476,9 @@ func getUserProfile(w http.ResponseWriter, r *http.Request) {
 			Description:     user.Description,
 			AllowAPIKeyAuth: user.Filters.AllowAPIKeyAuth,
 		},
-		PublicKeys: user.PublicKeys,
-		TLSCerts:   user.Filters.TLSCerts,
+		AdditionalEmails: user.Filters.AdditionalEmails,
+		PublicKeys:       user.PublicKeys,
+		TLSCerts:         user.Filters.TLSCerts,
 	}
 	render.JSON(w, r, resp)
 }
@ -508,6 +516,7 @@ func updateUserProfile(w http.ResponseWriter, r *http.Request) {
 	}
 	if userMerged.CanChangeInfo() {
 		user.Email = req.Email
+		user.Filters.AdditionalEmails = req.AdditionalEmails
 		user.Description = req.Description
 	}
 	if err := dataprovider.UpdateUser(&user, dataprovider.ActionExecutorSelf, util.GetIPFromRemoteAddress(r.RemoteAddr), user.Role); err != nil {
@ -531,6 +540,7 @@ func changeUserPassword(w http.ResponseWriter, r *http.Request) {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
 	}
+	invalidateToken(r)
 	sendAPIResponse(w, r, err, "Password updated", http.StatusOK)
 }

--- a/internal/httpd/api_maintenance.go
+++ b/internal/httpd/api_maintenance.go
@ -551,9 +551,10 @@ func RestoreUsers(users []dataprovider.User, inputFile string, mode, scanQuota i
 			return fmt.Errorf("unable to restore user %q: %w", user.Username, err)
 		}
 		if scanQuota == 1 || (scanQuota == 2 && user.HasQuotaRestrictions()) {
-			if common.QuotaScans.AddUserQuotaScan(user.Username, user.Role) {
+			user, err = dataprovider.GetUserWithGroupSettings(user.Username, "")
+			if err == nil && common.QuotaScans.AddUserQuotaScan(user.Username, user.Role) {
 				logger.Debug(logSender, "", "starting quota scan for restored user: %q", user.Username)
-				go doUserQuotaScan(user) //nolint:errcheck
+				go doUserQuotaScan(&user) //nolint:errcheck
 			}
 		}
 	}
--- a/internal/httpd/api_mfa.go
+++ b/internal/httpd/api_mfa.go
@ -20,6 +20,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"slices"
 	"strconv"
 	"strings"

@ -138,8 +139,7 @@ func saveTOTPConfig(w http.ResponseWriter, r *http.Request) {
 	if claims.MustSetTwoFactorAuth {
 		// force logout
 		defer func() {
-			c := jwtTokenClaims{}
-			c.removeCookie(w, r, baseURL)
+			removeCookie(w, r, baseURL)
 		}()
 	}

@ -276,7 +276,7 @@ func saveUserTOTPConfig(username string, r *http.Request, recoveryCodes []datapr
 		return util.NewValidationError("two-factor authentication must be enabled")
 	}
 	for _, p := range userMerged.Filters.TwoFactorAuthProtocols {
-		if !util.Contains(user.Filters.TOTPConfig.Protocols, p) {
+		if !slices.Contains(user.Filters.TOTPConfig.Protocols, p) {
 			return util.NewValidationError(fmt.Sprintf("totp: the following protocols are required: %q",
 				strings.Join(userMerged.Filters.TwoFactorAuthProtocols, ", ")))
 		}
--- a/internal/httpd/api_quota.go
+++ b/internal/httpd/api_quota.go
@ -219,7 +219,7 @@ func doStartUserQuotaScan(w http.ResponseWriter, r *http.Request, username strin
 			http.StatusConflict)
 		return
 	}
-	go doUserQuotaScan(user) //nolint:errcheck
+	go doUserQuotaScan(&user) //nolint:errcheck
 	sendAPIResponse(w, r, err, "Scan started", http.StatusAccepted)
 }

@ -242,14 +242,14 @@ func doStartFolderQuotaScan(w http.ResponseWriter, r *http.Request, name string)
 	sendAPIResponse(w, r, err, "Scan started", http.StatusAccepted)
 }

-func doUserQuotaScan(user dataprovider.User) error {
+func doUserQuotaScan(user *dataprovider.User) error {
 	defer common.QuotaScans.RemoveUserQuotaScan(user.Username)
 	numFiles, size, err := user.ScanQuota()
 	if err != nil {
 		logger.Warn(logSender, "", "error scanning user quota %q: %v", user.Username, err)
 		return err
 	}
-	err = dataprovider.UpdateUserQuota(&user, numFiles, size, true)
+	err = dataprovider.UpdateUserQuota(user, numFiles, size, true)
 	logger.Debug(logSender, "", "user quota scanned, user: %q, error: %v", user.Username, err)
 	return err
 }
--- a/internal/httpd/api_shares.go
+++ b/internal/httpd/api_shares.go
@ -22,6 +22,7 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"slices"
 	"strings"
 	"time"

@ -107,7 +108,7 @@ func addShare(w http.ResponseWriter, r *http.Request) {
 		share.Name = share.ShareID
 	}
 	if share.Password == "" {
-		if util.Contains(claims.Permissions, sdk.WebClientShareNoPasswordDisabled) {
+		if slices.Contains(claims.Permissions, sdk.WebClientShareNoPasswordDisabled) {
 			sendAPIResponse(w, r, nil, "You are not authorized to share files/folders without a password",
 				http.StatusForbidden)
 			return
@ -155,7 +156,7 @@ func updateShare(w http.ResponseWriter, r *http.Request) {
 		updatedShare.Password = share.Password
 	}
 	if updatedShare.Password == "" {
-		if util.Contains(claims.Permissions, sdk.WebClientShareNoPasswordDisabled) {
+		if slices.Contains(claims.Permissions, sdk.WebClientShareNoPasswordDisabled) {
 			sendAPIResponse(w, r, nil, "You are not authorized to share files/folders without a password",
 				http.StatusForbidden)
 			return
@ -379,6 +380,12 @@ func (s *httpdServer) uploadFilesToShare(w http.ResponseWriter, r *http.Request)
 	if err != nil {
 		return
 	}
+	if err := common.Connections.IsNewTransferAllowed(connection.User.Username); err != nil {
+		connection.Log(logger.LevelInfo, "denying file write due to number of transfer limits")
+		sendAPIResponse(w, r, err, "Denying file write due to transfer count limits",
+			http.StatusConflict)
+		return
+	}

 	transferQuota := connection.GetTransferQuota()
 	if !transferQuota.HasUploadSpace() {
@ -425,36 +432,42 @@ func (s *httpdServer) uploadFilesToShare(w http.ResponseWriter, r *http.Request)
 	}
 }

+func (s *httpdServer) getShareClaims(r *http.Request, shareID string) (context.Context, *jwtTokenClaims, error) {
+	token, err := jwtauth.VerifyRequest(s.tokenAuth, r, jwtauth.TokenFromCookie)
+	if err != nil || token == nil {
+		return nil, nil, errInvalidToken
+	}
+	tokenString := jwtauth.TokenFromCookie(r)
+	if tokenString == "" || invalidatedJWTTokens.Get(tokenString) {
+		return nil, nil, errInvalidToken
+	}
+	if !slices.Contains(token.Audience(), tokenAudienceWebShare) {
+		logger.Debug(logSender, "", "invalid token audience for share %q", shareID)
+		return nil, nil, errInvalidToken
+	}
+	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
+	if err := validateIPForToken(token, ipAddr); err != nil {
+		logger.Debug(logSender, "", "token for share %q is not valid for the ip address %q", shareID, ipAddr)
+		return nil, nil, err
+	}
+	ctx := jwtauth.NewContext(r.Context(), token, nil)
+	claims, err := getTokenClaims(r.WithContext(ctx))
+	if err != nil || claims.Username != shareID {
+		logger.Debug(logSender, "", "token not valid for share %q", shareID)
+		return nil, nil, errInvalidToken
+	}
+	return ctx, &claims, nil
+}
+
 func (s *httpdServer) checkWebClientShareCredentials(w http.ResponseWriter, r *http.Request, share *dataprovider.Share) error {
 	doRedirect := func() {
 		redirectURL := path.Join(webClientPubSharesPath, share.ShareID, fmt.Sprintf("login?next=%s", url.QueryEscape(r.RequestURI)))
 		http.Redirect(w, r, redirectURL, http.StatusFound)
 	}

-	token, err := jwtauth.VerifyRequest(s.tokenAuth, r, jwtauth.TokenFromCookie)
-	if err != nil || token == nil {
+	if _, _, err := s.getShareClaims(r, share.ShareID); err != nil {
 		doRedirect()
-		return errInvalidToken
-	}
-	if !util.Contains(token.Audience(), tokenAudienceWebShare) {
-		logger.Debug(logSender, "", "invalid token audience for share %q", share.ShareID)
-		doRedirect()
-		return errInvalidToken
-	}
-	if tokenValidationMode != tokenValidationNoIPMatch {
-		ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
-		if !util.Contains(token.Audience(), ipAddr) {
-			logger.Debug(logSender, "", "token for share %q is not valid for the ip address %q", share.ShareID, ipAddr)
-			doRedirect()
-			return errInvalidToken
-		}
-	}
-	ctx := jwtauth.NewContext(r.Context(), token, nil)
-	claims, err := getTokenClaims(r.WithContext(ctx))
-	if err != nil || claims.Username != share.ShareID {
-		logger.Debug(logSender, "", "token not valid for share %q", share.ShareID)
-		doRedirect()
-		return errInvalidToken
+		return err
 	}
 	return nil
 }
@ -480,7 +493,7 @@ func (s *httpdServer) checkPublicShare(w http.ResponseWriter, r *http.Request, v
 		renderError(err, "", statusCode)
 		return share, nil, err
 	}
-	if !util.Contains(validScopes, share.Scope) {
+	if !slices.Contains(validScopes, share.Scope) {
 		err := errors.New("invalid share scope")
 		renderError(util.NewI18nError(err, util.I18nErrorShareScope), "", http.StatusForbidden)
 		return share, nil, err
@ -512,6 +525,7 @@ func (s *httpdServer) checkPublicShare(w http.ResponseWriter, r *http.Request, v
 				return share, nil, dataprovider.ErrInvalidCredentials
 			}
 		}
+		common.DelayLogin(nil)
 	}
 	user, err := getUserForShare(share)
 	if err != nil {
@ -536,7 +550,7 @@ func getUserForShare(share dataprovider.Share) (dataprovider.User, error) {
 	if !user.CanManageShares() {
 		return user, util.NewI18nError(util.NewRecordNotFoundError("this share does not exist"), util.I18nError404Message)
 	}
-	if share.Password == "" && util.Contains(user.Filters.WebClient, sdk.WebClientShareNoPasswordDisabled) {
+	if share.Password == "" && slices.Contains(user.Filters.WebClient, sdk.WebClientShareNoPasswordDisabled) {
 		return user, util.NewI18nError(
 			fmt.Errorf("sharing without a password was disabled: %w", os.ErrPermission),
 			util.I18nError403Message,
@ -561,6 +575,7 @@ func validateBrowsableShare(share dataprovider.Share, connection *Connection) er
 	basePath := share.Paths[0]
 	info, err := connection.Stat(basePath, 0)
 	if err != nil {
+		connection.CloseFS() //nolint:errcheck
 		return util.NewI18nError(
 			fmt.Errorf("unable to check the share directory: %w", err),
 			util.I18nErrorShareInvalidPath,
--- a/internal/httpd/api_user.go
+++ b/internal/httpd/api_user.go
@ -278,6 +278,9 @@ func updateEncryptedSecrets(fsConfig *vfs.Filesystem, currentFsConfig *vfs.Files
 		if fsConfig.S3Config.AccessSecret.IsNotPlainAndNotEmpty() {
 			fsConfig.S3Config.AccessSecret = currentFsConfig.S3Config.AccessSecret
 		}
+		if fsConfig.S3Config.SSECustomerKey.IsNotPlainAndNotEmpty() {
+			fsConfig.S3Config.SSECustomerKey = currentFsConfig.S3Config.SSECustomerKey
+		}
 	case sdk.AzureBlobFilesystemProvider:
 		if fsConfig.AzBlobConfig.AccountKey.IsNotPlainAndNotEmpty() {
 			fsConfig.AzBlobConfig.AccountKey = currentFsConfig.AzBlobConfig.AccountKey
--- a/internal/httpd/api_utils.go
+++ b/internal/httpd/api_utils.go
@ -27,6 +27,7 @@ import (
 	"net/url"
 	"os"
 	"path"
+	"slices"
 	"strconv"
 	"strings"
 	"sync"
@ -36,6 +37,7 @@ import (
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/render"
 	"github.com/klauspost/compress/zip"
+	"github.com/rs/xid"
 	"github.com/sftpgo/sdk/plugin/notifier"

 	"github.com/drakkan/sftpgo/v2/internal/common"
@ -70,8 +72,9 @@ type adminProfile struct {

 type userProfile struct {
 	baseProfile
-	PublicKeys []string `json:"public_keys,omitempty"`
-	TLSCerts   []string `json:"tls_certs,omitempty"`
+	AdditionalEmails []string `json:"additional_emails,omitempty"`
+	PublicKeys       []string `json:"public_keys,omitempty"`
+	TLSCerts         []string `json:"tls_certs,omitempty"`
 }

 func sendAPIResponse(w http.ResponseWriter, r *http.Request, err error, message string, code int) {
@ -362,6 +365,16 @@ func streamJSONArray(w http.ResponseWriter, chunkSize int, dataGetter func(limit
 	streamData(w, []byte("]"))
 }

+func renderPNGImage(w http.ResponseWriter, r *http.Request, b []byte) {
+	if len(b) == 0 {
+		ctx := context.WithValue(r.Context(), render.StatusCtxKey, http.StatusNotFound)
+		render.PlainText(w, r.WithContext(ctx), http.StatusText(http.StatusNotFound))
+		return
+	}
+	w.Header().Set("Content-Type", "image/png")
+	streamData(w, b)
+}
+
 func getCompressedFileName(username string, files []string) string {
 	if len(files) == 1 {
 		name := path.Base(files[0])
@ -686,10 +699,11 @@ func handleDefenderEventLoginFailed(ipAddr string, err error) error {
 		err = dataprovider.ErrInvalidCredentials
 	}
 	common.AddDefenderEvent(ipAddr, common.ProtocolHTTP, event)
+	common.DelayLogin(err)
 	return err
 }

-func updateLoginMetrics(user *dataprovider.User, loginMethod, ip string, err error) {
+func updateLoginMetrics(user *dataprovider.User, loginMethod, ip string, err error, r *http.Request) {
 	metric.AddLoginAttempt(loginMethod)
 	var protocol string
 	switch loginMethod {
@ -699,7 +713,9 @@ func updateLoginMetrics(user *dataprovider.User, loginMethod, ip string, err err
 		protocol = common.ProtocolHTTP
 	}
 	if err == nil {
+		logger.LoginLog(user.Username, ip, loginMethod, protocol, "", r.UserAgent(), r.TLS != nil, "")
 		plugin.Handler.NotifyLogEvent(notifier.LogEventTypeLoginOK, protocol, user.Username, ip, "", nil)
+		common.DelayLogin(nil)
 	} else if err != common.ErrInternalFailure && err != common.ErrNoCredentials {
 		logger.ConnectionFailedLog(user.Username, ip, loginMethod, protocol, err.Error())
 		err = handleDefenderEventLoginFailed(ip, err)
@ -714,7 +730,7 @@ func updateLoginMetrics(user *dataprovider.User, loginMethod, ip string, err err
 }

 func checkHTTPClientUser(user *dataprovider.User, r *http.Request, connectionID string, checkSessions bool) error {
-	if util.Contains(user.Filters.DeniedProtocols, common.ProtocolHTTP) {
+	if slices.Contains(user.Filters.DeniedProtocols, common.ProtocolHTTP) {
 		logger.Info(logSender, connectionID, "cannot login user %q, protocol HTTP is not allowed", user.Username)
 		return util.NewI18nError(
 			fmt.Errorf("protocol HTTP is not allowed for user %q", user.Username),
@ -746,8 +762,34 @@ func checkHTTPClientUser(user *dataprovider.User, r *http.Request, connectionID
 	return nil
 }

+func getActiveAdmin(username, ipAddr string) (dataprovider.Admin, error) {
+	admin, err := dataprovider.AdminExists(username)
+	if err != nil {
+		return admin, err
+	}
+	if err := admin.CanLogin(ipAddr); err != nil {
+		return admin, util.NewRecordNotFoundError(fmt.Sprintf("admin %q cannot login: %v", username, err))
+	}
+	return admin, nil
+}
+
+func getActiveUser(username string, r *http.Request) (dataprovider.User, error) {
+	user, err := dataprovider.GetUserWithGroupSettings(username, "")
+	if err != nil {
+		return user, err
+	}
+	if err := user.CheckLoginConditions(); err != nil {
+		return user, util.NewRecordNotFoundError(fmt.Sprintf("user %q cannot login: %v", username, err))
+	}
+	if err := checkHTTPClientUser(&user, r, xid.New().String(), false); err != nil {
+		return user, util.NewRecordNotFoundError(fmt.Sprintf("user %q cannot login: %v", username, err))
+	}
+	return user, nil
+}
+
 func handleForgotPassword(r *http.Request, username string, isAdmin bool) error {
-	var email, subject string
+	var emails []string
+	var subject string
 	var err error
 	var admin dataprovider.Admin
 	var user dataprovider.User
@ -756,12 +798,14 @@ func handleForgotPassword(r *http.Request, username string, isAdmin bool) error
 		return util.NewI18nError(util.NewValidationError("username is mandatory"), util.I18nErrorUsernameRequired)
 	}
 	if isAdmin {
-		admin, err = dataprovider.AdminExists(username)
-		email = admin.Email
+		admin, err = getActiveAdmin(username, util.GetIPFromRemoteAddress(r.RemoteAddr))
+		if admin.Email != "" {
+			emails = []string{admin.Email}
+		}
 		subject = fmt.Sprintf("Email Verification Code for admin %q", username)
 	} else {
-		user, err = dataprovider.GetUserWithGroupSettings(username, "")
-		email = user.Email
+		user, err = getActiveUser(username, r)
+		emails = user.GetEmailAddresses()
 		subject = fmt.Sprintf("Email Verification Code for user %q", username)
 		if err == nil {
 			if !isUserAllowedToResetPassword(r, &user) {
@ -775,13 +819,14 @@ func handleForgotPassword(r *http.Request, username string, isAdmin bool) error
 	if err != nil {
 		if errors.Is(err, util.ErrNotFound) {
 			handleDefenderEventLoginFailed(util.GetIPFromRemoteAddress(r.RemoteAddr), err) //nolint:errcheck
-			logger.Debug(logSender, middleware.GetReqID(r.Context()), "username %q does not exists, reset password request silently ignored, is admin? %v",
-				username, isAdmin)
+			logger.Debug(logSender, middleware.GetReqID(r.Context()),
+				"username %q does not exists or cannot login, reset password request silently ignored, is admin? %t, err: %v",
+				username, isAdmin, err)
 			return nil
 		}
 		return util.NewI18nError(util.NewGenericError("Error retrieving your account, please try again later"), util.I18nErrorGetUser)
 	}
-	if email == "" {
+	if len(emails) == 0 {
 		return util.NewI18nError(
 			util.NewValidationError("Your account does not have an email address, it is not possible to reset your password by sending an email verification code"),
 			util.I18nErrorPwdResetNoEmail,
@ -796,7 +841,7 @@ func handleForgotPassword(r *http.Request, username string, isAdmin bool) error
 		return util.NewGenericError("Unable to render password reset template")
 	}
 	startTime := time.Now()
-	if err := smtp.SendEmail([]string{email}, nil, subject, body.String(), smtp.EmailContentTypeTextHTML); err != nil {
+	if err := smtp.SendEmail(emails, nil, subject, body.String(), smtp.EmailContentTypeTextHTML); err != nil {
 		logger.Warn(logSender, middleware.GetReqID(r.Context()), "unable to send password reset code via email: %v, elapsed: %v",
 			err, time.Since(startTime))
 		return util.NewI18nError(
@ -804,8 +849,8 @@ func handleForgotPassword(r *http.Request, username string, isAdmin bool) error
 			util.I18nErrorPwdResetSendEmail,
 		)
 	}
-	logger.Debug(logSender, middleware.GetReqID(r.Context()), "reset code sent via email to %q, email: %q, is admin? %v, elapsed: %v",
-		username, email, isAdmin, time.Since(startTime))
+	logger.Debug(logSender, middleware.GetReqID(r.Context()), "reset code sent via email to %q, emails: %+v, is admin? %v, elapsed: %v",
+		username, emails, isAdmin, time.Since(startTime))
 	return resetCodesMgr.Add(c)
 }

@ -836,7 +881,7 @@ func handleResetPassword(r *http.Request, code, newPassword, confirmPassword str
 		return &admin, &user, util.NewValidationError("invalid confirmation code")
 	}
 	if isAdmin {
-		admin, err = dataprovider.AdminExists(resetCode.Username)
+		admin, err = getActiveAdmin(resetCode.Username, ipAddr)
 		if err != nil {
 			return &admin, &user, util.NewValidationError("unable to associate the confirmation code with an existing admin")
 		}
@ -849,7 +894,7 @@ func handleResetPassword(r *http.Request, code, newPassword, confirmPassword str
 		err = resetCodesMgr.Delete(code)
 		return &admin, &user, err
 	}
-	user, err = dataprovider.GetUserWithGroupSettings(resetCode.Username, "")
+	user, err = getActiveUser(resetCode.Username, r)
 	if err != nil {
 		return &admin, &user, util.NewValidationError("Unable to associate the confirmation code with an existing user")
 	}
@ -873,7 +918,7 @@ func isUserAllowedToResetPassword(r *http.Request, user *dataprovider.User) bool
 	if !user.CanResetPassword() {
 		return false
 	}
-	if util.Contains(user.Filters.DeniedProtocols, common.ProtocolHTTP) {
+	if slices.Contains(user.Filters.DeniedProtocols, common.ProtocolHTTP) {
 		return false
 	}
 	if !user.IsLoginMethodAllowed(dataprovider.LoginMethodPassword, common.ProtocolHTTP) {
@ -893,7 +938,7 @@ func getProtocolFromRequest(r *http.Request) string {
 }

 func hideConfidentialData(claims *jwtTokenClaims, r *http.Request) bool {
-	if !claims.hasPerm(dataprovider.PermAdminManageSystem) {
+	if !claims.hasPerm(dataprovider.PermAdminAny) {
 		return true
 	}
 	return r.URL.Query().Get("confidential_data") != "1"
--- a/internal/httpd/auth_utils.go
+++ b/internal/httpd/auth_utils.go
@ -18,6 +18,7 @@ import (
 	"errors"
 	"fmt"
 	"net/http"
+	"slices"
 	"time"

 	"github.com/go-chi/jwtauth/v5"
@ -41,13 +42,13 @@ const (
 	tokenAudienceAPIUser          tokenAudience = "APIUser"
 	tokenAudienceCSRF             tokenAudience = "CSRF"
 	tokenAudienceOAuth2           tokenAudience = "OAuth2"
+	tokenAudienceWebLogin         tokenAudience = "WebLogin"
 )

-type tokenValidation = int
-
 const (
-	tokenValidationFull                      = iota
-	tokenValidationNoIPMatch tokenValidation = iota
+	tokenValidationModeDefault       = 0
+	tokenValidationModeNoIPMatch     = 1
+	tokenValidationModeUserSignature = 2
 )

 const (
@ -60,20 +61,74 @@ const (
 	claimMustSetSecondFactorKey     = "2fa_required"
 	claimRequiredTwoFactorProtocols = "2fa_protos"
 	claimHideUserPageSection        = "hus"
+	claimRef                        = "ref"
 	basicRealm                      = "Basic realm=\"SFTPGo\""
 	jwtCookieKey                    = "jwt"
 )

 var (
-	tokenDuration      = 20 * time.Minute
-	shareTokenDuration = 12 * time.Hour
+	apiTokenDuration    = 20 * time.Minute
+	cookieTokenDuration = 20 * time.Minute
+	shareTokenDuration  = 2 * time.Hour
 	// csrf token duration is greater than normal token duration to reduce issues
 	// with the login form
-	csrfTokenDuration     = 6 * time.Hour
-	tokenRefreshThreshold = 10 * time.Minute
-	tokenValidationMode   = tokenValidationFull
+	csrfTokenDuration      = 4 * time.Hour
+	cookieRefreshThreshold = 10 * time.Minute
+	maxTokenDuration       = 12 * time.Hour
+	tokenValidationMode    = tokenValidationModeDefault
 )

+func isTokenDurationValid(minutes int) bool {
+	return minutes >= 1 && minutes <= 720
+}
+
+func updateTokensDuration(api, cookie, share int) {
+	if isTokenDurationValid(api) {
+		apiTokenDuration = time.Duration(api) * time.Minute
+	}
+	if isTokenDurationValid(cookie) {
+		cookieTokenDuration = time.Duration(cookie) * time.Minute
+		cookieRefreshThreshold = cookieTokenDuration / 2
+		if cookieTokenDuration > csrfTokenDuration {
+			csrfTokenDuration = cookieTokenDuration
+		}
+	}
+	if isTokenDurationValid(share) {
+		shareTokenDuration = time.Duration(share) * time.Minute
+	}
+	logger.Debug(logSender, "", "API token duration %s, cookie token duration %s, cookie refresh threshold %s, share token duration %s",
+		apiTokenDuration, cookieTokenDuration, cookieRefreshThreshold, shareTokenDuration)
+}
+
+func getTokenDuration(audience tokenAudience) time.Duration {
+	switch audience {
+	case tokenAudienceWebShare:
+		return shareTokenDuration
+	case tokenAudienceWebLogin, tokenAudienceCSRF:
+		return csrfTokenDuration
+	case tokenAudienceAPI, tokenAudienceAPIUser:
+		return apiTokenDuration
+	case tokenAudienceWebAdmin, tokenAudienceWebClient:
+		return cookieTokenDuration
+	case tokenAudienceWebAdminPartial, tokenAudienceWebClientPartial, tokenAudienceOAuth2:
+		return 5 * time.Minute
+	default:
+		logger.Error(logSender, "", "token duration not handled for audience: %q", audience)
+		return 20 * time.Minute
+	}
+}
+
+func getMaxCookieDuration() time.Duration {
+	result := csrfTokenDuration
+	if shareTokenDuration > result {
+		result = shareTokenDuration
+	}
+	if cookieTokenDuration > result {
+		result = cookieTokenDuration
+	}
+	return result
+}
+
 type jwtTokenClaims struct {
 	Username                   string
 	Permissions                []string
@ -86,6 +141,9 @@ type jwtTokenClaims struct {
 	MustChangePassword         bool
 	RequiredTwoFactorProtocols []string
 	HideUserPageSections       int
+	JwtID                      string
+	JwtIssuedAt                time.Time
+	Ref                        string
 }

 func (c *jwtTokenClaims) hasUserAudience() bool {
@ -103,6 +161,15 @@ func (c *jwtTokenClaims) asMap() map[string]any {

 	claims[claimUsernameKey] = c.Username
 	claims[claimPermissionsKey] = c.Permissions
+	if c.JwtID != "" {
+		claims[jwt.JwtIDKey] = c.JwtID
+	}
+	if !c.JwtIssuedAt.IsZero() {
+		claims[jwt.IssuedAtKey] = c.JwtIssuedAt
+	}
+	if c.Ref != "" {
+		claims[claimRef] = c.Ref
+	}
 	if c.Role != "" {
 		claims[claimRole] = c.Role
 	}
@ -169,6 +236,7 @@ func (c *jwtTokenClaims) Decode(token map[string]any) {
 	c.Permissions = nil
 	c.Username = c.decodeString(token[claimUsernameKey])
 	c.Signature = c.decodeString(token[jwt.SubjectKey])
+	c.JwtID = c.decodeString(token[jwt.JwtIDKey])

 	audience := token[jwt.AudienceKey]
 	switch v := audience.(type) {
@ -176,6 +244,10 @@ func (c *jwtTokenClaims) Decode(token map[string]any) {
 		c.Audience = v
 	}

+	if val, ok := token[claimRef]; ok {
+		c.Ref = c.decodeString(val)
+	}
+
 	if val, ok := token[claimAPIKey]; ok {
 		c.APIKeyID = c.decodeString(val)
 	}
@ -211,34 +283,26 @@ func (c *jwtTokenClaims) Decode(token map[string]any) {
 	}
 }

-func (c *jwtTokenClaims) isCriticalPermRemoved(permissions []string) bool {
-	if util.Contains(permissions, dataprovider.PermAdminAny) {
-		return false
-	}
-	if (util.Contains(c.Permissions, dataprovider.PermAdminManageAdmins) ||
-		util.Contains(c.Permissions, dataprovider.PermAdminAny)) &&
-		!util.Contains(permissions, dataprovider.PermAdminManageAdmins) &&
-		!util.Contains(permissions, dataprovider.PermAdminAny) {
-		return true
-	}
-	return false
-}
-
 func (c *jwtTokenClaims) hasPerm(perm string) bool {
-	if util.Contains(c.Permissions, dataprovider.PermAdminAny) {
+	if slices.Contains(c.Permissions, dataprovider.PermAdminAny) {
 		return true
 	}

-	return util.Contains(c.Permissions, perm)
+	return slices.Contains(c.Permissions, perm)
 }

 func (c *jwtTokenClaims) createToken(tokenAuth *jwtauth.JWTAuth, audience tokenAudience, ip string) (jwt.Token, string, error) {
 	claims := c.asMap()
 	now := time.Now().UTC()

-	claims[jwt.JwtIDKey] = xid.New().String()
+	if _, ok := claims[jwt.JwtIDKey]; !ok {
+		claims[jwt.JwtIDKey] = xid.New().String()
+	}
+	if _, ok := claims[jwt.IssuedAtKey]; !ok {
+		claims[jwt.IssuedAtKey] = now
+	}
 	claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
-	claims[jwt.ExpirationKey] = now.Add(tokenDuration)
+	claims[jwt.ExpirationKey] = now.Add(getTokenDuration(audience))
 	claims[jwt.AudienceKey] = []string{audience, ip}

 	return tokenAuth.Encode(claims)
@ -270,25 +334,26 @@ func (c *jwtTokenClaims) createAndSetCookie(w http.ResponseWriter, r *http.Reque
 	} else {
 		basePath = webBaseClientPath
 	}
-	duration := tokenDuration
-	if audience == tokenAudienceWebShare {
-		duration = shareTokenDuration
-	}
+	setCookie(w, r, basePath, resp["access_token"].(string), getTokenDuration(audience))
+
+	return nil
+}
+
+func setCookie(w http.ResponseWriter, r *http.Request, cookiePath, cookieValue string, duration time.Duration) {
 	http.SetCookie(w, &http.Cookie{
 		Name:     jwtCookieKey,
-		Value:    resp["access_token"].(string),
-		Path:     basePath,
+		Value:    cookieValue,
+		Path:     cookiePath,
 		Expires:  time.Now().Add(duration),
 		MaxAge:   int(duration / time.Second),
 		HttpOnly: true,
 		Secure:   isTLS(r),
 		SameSite: http.SameSiteStrictMode,
 	})
-
-	return nil
 }

-func (c *jwtTokenClaims) removeCookie(w http.ResponseWriter, r *http.Request, cookiePath string) {
+func removeCookie(w http.ResponseWriter, r *http.Request, cookiePath string) {
+	invalidateToken(r)
 	http.SetCookie(w, &http.Cookie{
 		Name:     jwtCookieKey,
 		Value:    "",
@ -300,10 +365,9 @@ func (c *jwtTokenClaims) removeCookie(w http.ResponseWriter, r *http.Request, co
 		SameSite: http.SameSiteStrictMode,
 	})
 	w.Header().Add("Cache-Control", `no-cache="Set-Cookie"`)
-	invalidateToken(r)
 }

-func tokenFromContext(r *http.Request) string {
+func oidcTokenFromContext(r *http.Request) string {
 	if token, ok := r.Context().Value(oidcGeneratedToken).(string); ok {
 		return token
 	}
@ -324,7 +388,7 @@ func isTokenInvalidated(r *http.Request) bool {
 	var findTokenFns []func(r *http.Request) string
 	findTokenFns = append(findTokenFns, jwtauth.TokenFromHeader)
 	findTokenFns = append(findTokenFns, jwtauth.TokenFromCookie)
-	findTokenFns = append(findTokenFns, tokenFromContext)
+	findTokenFns = append(findTokenFns, oidcTokenFromContext)

 	isTokenFound := false
 	for _, fn := range findTokenFns {
@ -343,14 +407,23 @@ func isTokenInvalidated(r *http.Request) bool {
 func invalidateToken(r *http.Request) {
 	tokenString := jwtauth.TokenFromHeader(r)
 	if tokenString != "" {
-		invalidatedJWTTokens.Add(tokenString, time.Now().Add(tokenDuration).UTC())
+		invalidateTokenString(r, tokenString, apiTokenDuration)
 	}
 	tokenString = jwtauth.TokenFromCookie(r)
 	if tokenString != "" {
-		invalidatedJWTTokens.Add(tokenString, time.Now().Add(tokenDuration).UTC())
+		invalidateTokenString(r, tokenString, getMaxCookieDuration())
 	}
 }

+func invalidateTokenString(r *http.Request, tokenString string, fallbackDuration time.Duration) {
+	token, _, err := jwtauth.FromContext(r.Context())
+	if err != nil || token == nil {
+		invalidatedJWTTokens.Add(tokenString, time.Now().Add(fallbackDuration).UTC())
+		return
+	}
+	invalidatedJWTTokens.Add(tokenString, token.Expiration().Add(1*time.Minute).UTC())
+}
+
 func getUserFromToken(r *http.Request) *dataprovider.User {
 	user := &dataprovider.User{}
 	_, claims, err := jwtauth.FromContext(r.Context())
@ -380,15 +453,40 @@ func getAdminFromToken(r *http.Request) *dataprovider.Admin {
 	return admin
 }

-func createCSRFToken(ip string) string {
+func createLoginCookie(w http.ResponseWriter, r *http.Request, csrfTokenAuth *jwtauth.JWTAuth, tokenID, basePath, ip string,
+) {
+	c := jwtTokenClaims{
+		JwtID: tokenID,
+	}
+	resp, err := c.createTokenResponse(csrfTokenAuth, tokenAudienceWebLogin, ip)
+	if err != nil {
+		return
+	}
+	setCookie(w, r, basePath, resp["access_token"].(string), csrfTokenDuration)
+}
+
+func createCSRFToken(w http.ResponseWriter, r *http.Request, csrfTokenAuth *jwtauth.JWTAuth, tokenID,
+	basePath string,
+) string {
+	ip := util.GetIPFromRemoteAddress(r.RemoteAddr)
 	claims := make(map[string]any)
 	now := time.Now().UTC()

 	claims[jwt.JwtIDKey] = xid.New().String()
+	claims[jwt.IssuedAtKey] = now
 	claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
 	claims[jwt.ExpirationKey] = now.Add(csrfTokenDuration)
 	claims[jwt.AudienceKey] = []string{tokenAudienceCSRF, ip}
-
+	if tokenID != "" {
+		createLoginCookie(w, r, csrfTokenAuth, tokenID, basePath, ip)
+		claims[claimRef] = tokenID
+	} else {
+		if c, err := getTokenClaims(r); err == nil {
+			claims[claimRef] = c.JwtID
+		} else {
+			logger.Error(logSender, "", "unable to add reference to CSRF token: %v", err)
+		}
+	}
 	_, tokenString, err := csrfTokenAuth.Encode(claims)
 	if err != nil {
 		logger.Debug(logSender, "", "unable to create CSRF token: %v", err)
@ -397,35 +495,84 @@ func createCSRFToken(ip string) string {
 	return tokenString
 }

-func verifyCSRFToken(tokenString, ip string) error {
+func verifyCSRFToken(r *http.Request, csrfTokenAuth *jwtauth.JWTAuth) error {
+	tokenString := r.Form.Get(csrfFormToken)
 	token, err := jwtauth.VerifyToken(csrfTokenAuth, tokenString)
 	if err != nil || token == nil {
 		logger.Debug(logSender, "", "error validating CSRF token %q: %v", tokenString, err)
 		return fmt.Errorf("unable to verify form token: %v", err)
 	}

-	if !util.Contains(token.Audience(), tokenAudienceCSRF) {
+	if !slices.Contains(token.Audience(), tokenAudienceCSRF) {
 		logger.Debug(logSender, "", "error validating CSRF token audience")
 		return errors.New("the form token is not valid")
 	}

-	if tokenValidationMode != tokenValidationNoIPMatch {
-		if !util.Contains(token.Audience(), ip) {
-			logger.Debug(logSender, "", "error validating CSRF token IP audience")
-			return errors.New("the form token is not valid")
-		}
+	if err := validateIPForToken(token, util.GetIPFromRemoteAddress(r.RemoteAddr)); err != nil {
+		logger.Debug(logSender, "", "error validating CSRF token IP audience")
+		return errors.New("the form token is not valid")
+	}
+	return checkCSRFTokenRef(r, token)
+}
+
+func checkCSRFTokenRef(r *http.Request, token jwt.Token) error {
+	claims, err := getTokenClaims(r)
+	if err != nil {
+		logger.Debug(logSender, "", "error getting token claims for CSRF validation: %v", err)
+		return err
+	}
+	ref, ok := token.Get(claimRef)
+	if !ok {
+		logger.Debug(logSender, "", "error validating CSRF token, missing reference")
+		return errors.New("the form token is not valid")
+	}
+	if claims.JwtID == "" || claims.JwtID != ref.(string) {
+		logger.Debug(logSender, "", "error validating CSRF reference, id %q, reference %q", claims.JwtID, ref)
+		return errors.New("unexpected form token")
 	}

 	return nil
 }

-func createOAuth2Token(state, ip string) string {
+func verifyLoginCookie(r *http.Request) error {
+	token, _, err := jwtauth.FromContext(r.Context())
+	if err != nil || token == nil {
+		logger.Debug(logSender, "", "error getting login token: %v", err)
+		return errInvalidToken
+	}
+	if isTokenInvalidated(r) {
+		logger.Debug(logSender, "", "the login token has been invalidated")
+		return errInvalidToken
+	}
+	if !slices.Contains(token.Audience(), tokenAudienceWebLogin) {
+		logger.Debug(logSender, "", "the token with id %q is not valid for audience %q", token.JwtID(), tokenAudienceWebLogin)
+		return errInvalidToken
+	}
+	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
+	if err := validateIPForToken(token, ipAddr); err != nil {
+		return err
+	}
+	return nil
+}
+
+func verifyLoginCookieAndCSRFToken(r *http.Request, csrfTokenAuth *jwtauth.JWTAuth) error {
+	if err := verifyLoginCookie(r); err != nil {
+		return err
+	}
+	if err := verifyCSRFToken(r, csrfTokenAuth); err != nil {
+		return err
+	}
+	return nil
+}
+
+func createOAuth2Token(csrfTokenAuth *jwtauth.JWTAuth, state, ip string) string {
 	claims := make(map[string]any)
 	now := time.Now().UTC()

 	claims[jwt.JwtIDKey] = state
+	claims[jwt.IssuedAtKey] = now
 	claims[jwt.NotBeforeKey] = now.Add(-30 * time.Second)
-	claims[jwt.ExpirationKey] = now.Add(3 * time.Minute)
+	claims[jwt.ExpirationKey] = now.Add(getTokenDuration(tokenAudienceOAuth2))
 	claims[jwt.AudienceKey] = []string{tokenAudienceOAuth2, ip}

 	_, tokenString, err := csrfTokenAuth.Encode(claims)
@ -436,7 +583,7 @@ func createOAuth2Token(state, ip string) string {
 	return tokenString
 }

-func verifyOAuth2Token(tokenString, ip string) (string, error) {
+func verifyOAuth2Token(csrfTokenAuth *jwtauth.JWTAuth, tokenString, ip string) (string, error) {
 	token, err := jwtauth.VerifyToken(csrfTokenAuth, tokenString)
 	if err != nil || token == nil {
 		logger.Debug(logSender, "", "error validating OAuth2 token %q: %v", tokenString, err)
@ -446,16 +593,14 @@ func verifyOAuth2Token(tokenString, ip string) (string, error) {
 		)
 	}

-	if !util.Contains(token.Audience(), tokenAudienceOAuth2) {
+	if !slices.Contains(token.Audience(), tokenAudienceOAuth2) {
 		logger.Debug(logSender, "", "error validating OAuth2 token audience")
 		return "", util.NewI18nError(errors.New("invalid OAuth2 state"), util.I18nOAuth2InvalidState)
 	}

-	if tokenValidationMode != tokenValidationNoIPMatch {
-		if !util.Contains(token.Audience(), ip) {
-			logger.Debug(logSender, "", "error validating OAuth2 token IP audience")
-			return "", util.NewI18nError(errors.New("invalid OAuth2 state"), util.I18nOAuth2InvalidState)
-		}
+	if err := validateIPForToken(token, ip); err != nil {
+		logger.Debug(logSender, "", "error validating OAuth2 token IP audience")
+		return "", util.NewI18nError(errors.New("invalid OAuth2 state"), util.I18nOAuth2InvalidState)
 	}
 	if val, ok := token.Get(jwt.JwtIDKey); ok {
 		if state, ok := val.(string); ok {
@ -465,3 +610,53 @@ func verifyOAuth2Token(tokenString, ip string) (string, error) {
 	logger.Debug(logSender, "", "jti not found in OAuth2 token")
 	return "", util.NewI18nError(errors.New("invalid OAuth2 state"), util.I18nOAuth2InvalidState)
 }
+
+func validateIPForToken(token jwt.Token, ip string) error {
+	if tokenValidationMode&tokenValidationModeNoIPMatch == 0 {
+		if !slices.Contains(token.Audience(), ip) {
+			return errInvalidToken
+		}
+	}
+	return nil
+}
+
+func checkTokenSignature(r *http.Request, token jwt.Token) error {
+	if _, ok := r.Context().Value(oidcTokenKey).(string); ok {
+		return nil
+	}
+	var err error
+	if tokenValidationMode&tokenValidationModeUserSignature != 0 {
+		for _, audience := range token.Audience() {
+			switch audience {
+			case tokenAudienceAPI, tokenAudienceWebAdmin:
+				err = validateSignatureForToken(token, dataprovider.GetAdminSignature)
+			case tokenAudienceAPIUser, tokenAudienceWebClient:
+				err = validateSignatureForToken(token, dataprovider.GetUserSignature)
+			}
+		}
+	}
+	if err != nil {
+		invalidateToken(r)
+	}
+	return err
+}
+
+func validateSignatureForToken(token jwt.Token, getter func(string) (string, error)) error {
+	username := ""
+	if u, ok := token.Get(claimUsernameKey); ok {
+		c := jwtTokenClaims{}
+		username = c.decodeString(u)
+	}
+
+	signature, err := getter(username)
+	if err != nil {
+		logger.Debug(logSender, "", "unable to get signature for username %q: %v", username, err)
+		return errInvalidToken
+	}
+	if signature != "" && signature == token.Subject() {
+		return nil
+	}
+	logger.Debug(logSender, "", "signature mismatch for username %q, signature %q, token signature %q",
+		username, signature, token.Subject())
+	return errInvalidToken
+}
--- a/internal/httpd/handler.go
+++ b/internal/httpd/handler.go
@ -97,6 +97,11 @@ func (c *Connection) ReadDir(name string) (vfs.DirLister, error) {
 func (c *Connection) getFileReader(name string, offset int64, method string) (io.ReadCloser, error) {
 	c.UpdateLastActivity()

+	if err := common.Connections.IsNewTransferAllowed(c.User.Username); err != nil {
+		c.Log(logger.LevelInfo, "denying file read due to transfer count limits")
+		return nil, util.NewI18nError(c.GetPermissionDeniedError(), util.I18nError403Message)
+	}
+
 	transferQuota := c.GetTransferQuota()
 	if !transferQuota.HasDownloadSpace() {
 		c.Log(logger.LevelInfo, "denying file read due to quota limits")
@ -176,7 +181,7 @@ func (c *Connection) getFileWriter(name string) (io.WriteCloser, error) {
 	}

 	if common.Config.IsAtomicUploadEnabled() && fs.IsAtomicUploadSupported() {
-		_, _, err = fs.Rename(p, filePath)
+		_, _, err = fs.Rename(p, filePath, 0)
 		if err != nil {
 			c.Log(logger.LevelError, "error renaming existing file for atomic upload, source: %q, dest: %q, err: %+v",
 				p, filePath, err)
@ -188,6 +193,10 @@ func (c *Connection) getFileWriter(name string) (io.WriteCloser, error) {
 }

 func (c *Connection) handleUploadFile(fs vfs.Fs, resolvedPath, filePath, requestPath string, isNewFile bool, fileSize int64) (io.WriteCloser, error) {
+	if err := common.Connections.IsNewTransferAllowed(c.User.Username); err != nil {
+		c.Log(logger.LevelInfo, "denying file write due to transfer count limits")
+		return nil, util.NewI18nError(c.GetPermissionDeniedError(), util.I18nError403Message)
+	}
 	diskQuota, transferQuota := c.HasSpace(isNewFile, false, requestPath)
 	if !diskQuota.HasSpace || !transferQuota.HasUploadSpace() {
 		c.Log(logger.LevelInfo, "denying file write due to quota limits")
@ -213,10 +222,7 @@ func (c *Connection) handleUploadFile(fs vfs.Fs, resolvedPath, filePath, request
 		if vfs.HasTruncateSupport(fs) {
 			vfolder, err := c.User.GetVirtualFolderForPath(path.Dir(requestPath))
 			if err == nil {
-				dataprovider.UpdateVirtualFolderQuota(&vfolder.BaseVirtualFolder, 0, -fileSize, false) //nolint:errcheck
-				if vfolder.IsIncludedInUserQuota() {
-					dataprovider.UpdateUserQuota(&c.User, 0, -fileSize, false) //nolint:errcheck
-				}
+				dataprovider.UpdateUserFolderQuota(&vfolder, &c.User, 0, -fileSize, false)
 			} else {
 				dataprovider.UpdateUserQuota(&c.User, 0, -fileSize, false) //nolint:errcheck
 			}
--- a/internal/httpd/httpd.go
+++ b/internal/httpd/httpd.go
@ -28,11 +28,10 @@ import (
 	"path/filepath"
 	"runtime"
 	"strings"
+	"sync"
 	"time"

 	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/jwtauth/v5"
-	"github.com/lestrrat-go/jwx/v2/jwa"

 	"github.com/drakkan/sftpgo/v2/internal/acme"
 	"github.com/drakkan/sftpgo/v2/internal/common"
@ -196,7 +195,6 @@ var (
 	cleanupTicker                  *time.Ticker
 	cleanupDone                    chan bool
 	invalidatedJWTTokens           tokenManager
-	csrfTokenAuth                  *jwtauth.JWTAuth
 	webRootPath                    string
 	webBasePath                    string
 	webBaseAdminPath               string
@ -288,12 +286,88 @@ var (
 	installationCodeHint       string
 	fnInstallationCodeResolver FnInstallationCodeResolver
 	configurationDir           string
+	dbBrandingConfig           brandingCache
 )

 func init() {
 	updateWebAdminURLs("")
 	updateWebClientURLs("")
 	acme.SetReloadHTTPDCertsFn(ReloadCertificateMgr)
+	common.SetUpdateBrandingFn(dbBrandingConfig.Set)
+}
+
+type brandingCache struct {
+	mu      sync.RWMutex
+	configs *dataprovider.BrandingConfigs
+}
+
+func (b *brandingCache) Set(configs *dataprovider.BrandingConfigs) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+
+	b.configs = configs
+}
+
+func (b *brandingCache) getWebAdminLogo() []byte {
+	b.mu.RLock()
+	defer b.mu.RUnlock()
+
+	return b.configs.WebAdmin.Logo
+}
+
+func (b *brandingCache) getWebAdminFavicon() []byte {
+	b.mu.RLock()
+	defer b.mu.RUnlock()
+
+	return b.configs.WebAdmin.Favicon
+}
+
+func (b *brandingCache) getWebClientLogo() []byte {
+	b.mu.RLock()
+	defer b.mu.RUnlock()
+
+	return b.configs.WebClient.Logo
+}
+
+func (b *brandingCache) getWebClientFavicon() []byte {
+	b.mu.RLock()
+	defer b.mu.RUnlock()
+
+	return b.configs.WebClient.Favicon
+}
+
+func (b *brandingCache) mergeBrandingConfig(branding UIBranding, isWebClient bool) UIBranding {
+	b.mu.RLock()
+	defer b.mu.RUnlock()
+
+	var urlPrefix string
+	var cfg dataprovider.BrandingConfig
+	if isWebClient {
+		cfg = b.configs.WebClient
+		urlPrefix = "webclient"
+	} else {
+		cfg = b.configs.WebAdmin
+		urlPrefix = "webadmin"
+	}
+	if cfg.Name != "" {
+		branding.Name = cfg.Name
+	}
+	if cfg.ShortName != "" {
+		branding.ShortName = cfg.ShortName
+	}
+	if cfg.DisclaimerName != "" {
+		branding.DisclaimerName = cfg.DisclaimerName
+	}
+	if cfg.DisclaimerURL != "" {
+		branding.DisclaimerPath = cfg.DisclaimerURL
+	}
+	if len(cfg.Logo) > 0 {
+		branding.LogoPath = path.Join("/", "branding", urlPrefix, "logo.png")
+	}
+	if len(cfg.Favicon) > 0 {
+		branding.FaviconPath = path.Join("/", "branding", urlPrefix, "favicon.png")
+	}
+	return branding
 }

 // FnInstallationCodeResolver defines a method to get the installation code.
@ -342,7 +416,9 @@ type SecurityConf struct {
 	PermissionsPolicy string `json:"permissions_policy" mapstructure:"permissions_policy"`
 	// CrossOriginOpenerPolicy allows to set the `Cross-Origin-Opener-Policy` header value. Default is "".
 	CrossOriginOpenerPolicy string `json:"cross_origin_opener_policy" mapstructure:"cross_origin_opener_policy"`
-	proxyHeaders            []string
+	// CacheControl allow to set the Cache-Control header value.
+	CacheControl string `json:"cache_control" mapstructure:"cache_control"`
+	proxyHeaders []string
 }

 func (s *SecurityConf) updateProxyHeaders() {
@ -398,8 +474,6 @@ type UIBranding struct {
 	// For example, if you create a directory named "branding" inside the static dir and
 	// put the "mylogo.png" file in it, you must set "/branding/mylogo.png" as logo path.
 	LogoPath string `json:"logo_path" mapstructure:"logo_path"`
-	// Path to the image to show on the login screen relative to "static_files_path"
-	LoginImagePath string `json:"login_image_path" mapstructure:"login_image_path"`
 	// Path to your favicon relative to "static_files_path"
 	FaviconPath string `json:"favicon_path" mapstructure:"favicon_path"`
 	// DisclaimerName defines the name for the link to your optional disclaimer
@ -411,24 +485,23 @@ type UIBranding struct {
 	// the default CSS files
 	DefaultCSS []string `json:"default_css" mapstructure:"default_css"`
 	// Additional CSS file paths, relative to "static_files_path", to include
-	ExtraCSS []string `json:"extra_css" mapstructure:"extra_css"`
+	ExtraCSS           []string `json:"extra_css" mapstructure:"extra_css"`
+	DefaultLogoPath    string   `json:"-" mapstructure:"-"`
+	DefaultFaviconPath string   `json:"-" mapstructure:"-"`
 }

 func (b *UIBranding) check() {
+	b.DefaultLogoPath = "/img/logo.png"
+	b.DefaultFaviconPath = "/favicon.png"
 	if b.LogoPath != "" {
 		b.LogoPath = util.CleanPath(b.LogoPath)
 	} else {
-		b.LogoPath = "/img/logo.png"
-	}
-	if b.LoginImagePath != "" {
-		b.LoginImagePath = util.CleanPath(b.LoginImagePath)
-	} else {
-		b.LoginImagePath = "/img/login_image.png"
+		b.LogoPath = b.DefaultLogoPath
 	}
 	if b.FaviconPath != "" {
 		b.FaviconPath = util.CleanPath(b.FaviconPath)
 	} else {
-		b.FaviconPath = "/favicon.ico"
+		b.FaviconPath = b.DefaultFaviconPath
 	}
 	if b.DisclaimerPath != "" {
 		if !strings.HasPrefix(b.DisclaimerPath, "https://") && !strings.HasPrefix(b.DisclaimerPath, "http://") {
@ -513,6 +586,9 @@ type Binding struct {
 	TLSCipherSuites []string `json:"tls_cipher_suites" mapstructure:"tls_cipher_suites"`
 	// HTTP protocols in preference order. Supported values: http/1.1, h2
 	Protocols []string `json:"tls_protocols" mapstructure:"tls_protocols"`
+	// Defines whether to use the common proxy protocol configuration or the
+	// binding-specific proxy header configuration.
+	ProxyMode int `json:"proxy_mode" mapstructure:"proxy_mode"`
 	// List of IP addresses and IP ranges allowed to set client IP proxy headers and
 	// X-Forwarded-Proto header.
 	ProxyAllowed []string `json:"proxy_allowed" mapstructure:"proxy_allowed"`
@ -532,6 +608,8 @@ type Binding struct {
 	HideLoginURL int `json:"hide_login_url" mapstructure:"hide_login_url"`
 	// Enable the built-in OpenAPI renderer
 	RenderOpenAPI bool `json:"render_openapi" mapstructure:"render_openapi"`
+	// Languages defines the list of enabled translations for the WebAdmin and WebClient UI.
+	Languages []string `json:"languages" mapstructure:"languages"`
 	// Defining an OIDC configuration the web admin and web client UI will use OpenID to authenticate users.
 	OIDC OIDC `json:"oidc" mapstructure:"oidc"`
 	// Security defines security headers to add to HTTP responses and allows to restrict allowed hosts
@ -558,6 +636,18 @@ func (b *Binding) checkBranding() {
 	}
 }

+func (b *Binding) webAdminBranding() UIBranding {
+	return dbBrandingConfig.mergeBrandingConfig(b.Branding.WebAdmin, false)
+}
+
+func (b *Binding) webClientBranding() UIBranding {
+	return dbBrandingConfig.mergeBrandingConfig(b.Branding.WebClient, true)
+}
+
+func (b *Binding) languages() []string {
+	return b.Languages
+}
+
 func (b *Binding) parseAllowedProxy() error {
 	if filepath.IsAbs(b.Address) && len(b.ProxyAllowed) > 0 {
 		// unix domain socket
@ -671,6 +761,17 @@ func (b *Binding) showClientLoginURL() bool {
 	return true
 }

+func (b *Binding) isMutualTLSEnabled() bool {
+	return b.ClientAuthType == 1
+}
+
+func (b *Binding) listenerWrapper() func(net.Listener) (net.Listener, error) {
+	if b.ProxyMode == 1 {
+		return common.Config.GetProxyListener
+	}
+	return nil
+}
+
 type defenderStatus struct {
 	IsActive bool `json:"is_active"`
 }
@ -764,6 +865,12 @@ type Conf struct {
 	// By default all the available security checks are enabled. Set to 1 to disable the requirement
 	// that a token must be used by the same IP for which it was issued.
 	TokenValidation int `json:"token_validation" mapstructure:"token_validation"`
+	// CookieLifetime defines the duration of cookies for WebAdmin and WebClient
+	CookieLifetime int `json:"cookie_lifetime" mapstructure:"cookie_lifetime"`
+	// ShareCookieLifetime defines the duration of cookies for public shares
+	ShareCookieLifetime int `json:"share_cookie_lifetime" mapstructure:"share_cookie_lifetime"`
+	// JWTLifetime defines the duration of JWT tokens used in REST API
+	JWTLifetime int `json:"jwt_lifetime" mapstructure:"jwt_lifetime"`
 	// MaxUploadFileSize Defines the maximum request body size, in bytes, for Web Client/API HTTP upload requests.
 	// 0 means no limit
 	MaxUploadFileSize int64 `json:"max_upload_file_size" mapstructure:"max_upload_file_size"`
@ -872,11 +979,7 @@ func (c *Conf) getKeyPairs(configDir string) []common.TLSKeyPair {
 }

 func (c *Conf) setTokenValidationMode() {
-	if c.TokenValidation == 1 {
-		tokenValidationMode = tokenValidationNoIPMatch
-	} else {
-		tokenValidationMode = tokenValidationFull
-	}
+	tokenValidationMode = c.TokenValidation
 }

 func (c *Conf) loadFromProvider() error {
@ -885,6 +988,7 @@ func (c *Conf) loadFromProvider() error {
 		return fmt.Errorf("unable to load config from provider: %w", err)
 	}
 	configs.SetNilsToEmpty()
+	dbBrandingConfig.Set(configs.Branding)
 	if configs.ACME.Domain == "" || !configs.ACME.HasProtocol(common.ProtocolHTTP) {
 		return nil
 	}
@ -970,7 +1074,6 @@ func (c *Conf) Initialize(configDir string, isShared int) error {
 		c.SigningPassphrase = passphrase
 	}

-	csrfTokenAuth = jwtauth.New(jwa.HS256.String(), getSigningKey(c.SigningPassphrase), nil)
 	hideSupportLink = c.HideSupportLink

 	exitChannel := make(chan error, 1)
@ -1004,7 +1107,8 @@ func (c *Conf) Initialize(configDir string, isShared int) error {
 	maxUploadFileSize = c.MaxUploadFileSize
 	installationCode = c.Setup.InstallationCode
 	installationCodeHint = c.Setup.InstallationCodeHint
-	startCleanupTicker(tokenDuration / 2)
+	updateTokensDuration(c.JWTLifetime, c.CookieLifetime, c.ShareCookieLifetime)
+	startCleanupTicker(10 * time.Minute)
 	c.setTokenValidationMode()
 	return <-exitChannel
 }
@ -1218,11 +1322,14 @@ func stopCleanupTicker() {
 }

 func getSigningKey(signingPassphrase string) []byte {
+	var key []byte
 	if signingPassphrase != "" {
-		sk := sha256.Sum256([]byte(signingPassphrase))
-		return sk[:]
+		key = []byte(signingPassphrase)
+	} else {
+		key = util.GenerateRandomBytes(32)
 	}
-	return util.GenerateRandomBytes(32)
+	sk := sha256.Sum256(key)
+	return sk[:]
 }

 // SetInstallationCodeResolver sets a function to call to resolve the installation code
--- a/internal/httpd/httpd_test.go
+++ b/internal/httpd/httpd_test.go
--- a/internal/httpd/internal_test.go
+++ b/internal/httpd/internal_test.go
--- a/internal/httpd/middleware.go
+++ b/internal/httpd/middleware.go
@ -20,10 +20,10 @@ import (
 	"io/fs"
 	"net/http"
 	"net/url"
+	"slices"
 	"strings"

 	"github.com/go-chi/jwtauth/v5"
-	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/rs/xid"
 	"github.com/sftpgo/sdk"

@ -75,12 +75,6 @@ func validateJWTToken(w http.ResponseWriter, r *http.Request, audience tokenAudi
 		return errInvalidToken
 	}

-	err = jwt.Validate(token)
-	if err != nil {
-		logger.Debug(logSender, "", "error validating jwt token: %v", err)
-		doRedirect(http.StatusText(http.StatusUnauthorized), err)
-		return errInvalidToken
-	}
 	if isTokenInvalidated(r) {
 		logger.Debug(logSender, "", "the token has been invalidated")
 		doRedirect("Your token is no longer valid", nil)
@ -90,18 +84,20 @@ func validateJWTToken(w http.ResponseWriter, r *http.Request, audience tokenAudi
 	if err := checkPartialAuth(w, r, audience, token.Audience()); err != nil {
 		return err
 	}
-	if !util.Contains(token.Audience(), audience) {
+	if !slices.Contains(token.Audience(), audience) {
 		logger.Debug(logSender, "", "the token is not valid for audience %q", audience)
 		doRedirect("Your token audience is not valid", nil)
 		return errInvalidToken
 	}
-	if tokenValidationMode != tokenValidationNoIPMatch {
-		ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
-		if !util.Contains(token.Audience(), ipAddr) {
-			logger.Debug(logSender, "", "the token with id %q is not valid for the ip address %q", token.JwtID(), ipAddr)
-			doRedirect("Your token is not valid", nil)
-			return errInvalidToken
-		}
+	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
+	if err := validateIPForToken(token, ipAddr); err != nil {
+		logger.Debug(logSender, "", "the token with id %q is not valid for the ip address %q", token.JwtID(), ipAddr)
+		doRedirect("Your token is not valid", nil)
+		return err
+	}
+	if err := checkTokenSignature(r, token); err != nil {
+		doRedirect("Your token is no longer valid", nil)
+		return err
 	}
 	return nil
 }
@ -114,7 +110,7 @@ func (s *httpdServer) validateJWTPartialToken(w http.ResponseWriter, r *http.Req
 	} else {
 		notFoundFunc = s.renderClientNotFoundPage
 	}
-	if err != nil || token == nil || jwt.Validate(token) != nil {
+	if err != nil || token == nil {
 		notFoundFunc(w, r, nil)
 		return errInvalidToken
 	}
@ -122,11 +118,17 @@ func (s *httpdServer) validateJWTPartialToken(w http.ResponseWriter, r *http.Req
 		notFoundFunc(w, r, nil)
 		return errInvalidToken
 	}
-	if !util.Contains(token.Audience(), audience) {
-		logger.Debug(logSender, "", "the token is not valid for audience %q", audience)
+	if !slices.Contains(token.Audience(), audience) {
+		logger.Debug(logSender, "", "the partial token with id %q is not valid for audience %q", token.JwtID(), audience)
 		notFoundFunc(w, r, nil)
 		return errInvalidToken
 	}
+	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
+	if err := validateIPForToken(token, ipAddr); err != nil {
+		logger.Debug(logSender, "", "the partial token with id %q is not valid for the ip address %q", token.JwtID(), ipAddr)
+		notFoundFunc(w, r, nil)
+		return err
+	}

 	return nil
 }
@ -295,7 +297,7 @@ func (s *httpdServer) requireBuiltinLogin(next http.Handler) http.Handler {
 	})
 }

-func (s *httpdServer) checkPerm(perm string) func(next http.Handler) http.Handler {
+func (s *httpdServer) checkPerms(perms ...string) func(next http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			_, claims, err := jwtauth.FromContext(r.Context())
@ -310,13 +312,15 @@ func (s *httpdServer) checkPerm(perm string) func(next http.Handler) http.Handle
 			tokenClaims := jwtTokenClaims{}
 			tokenClaims.Decode(claims)

-			if !tokenClaims.hasPerm(perm) {
-				if isWebRequest(r) {
-					s.renderForbiddenPage(w, r, util.NewI18nError(fs.ErrPermission, util.I18nError403Message))
-				} else {
-					sendAPIResponse(w, r, nil, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+			for _, perm := range perms {
+				if !tokenClaims.hasPerm(perm) {
+					if isWebRequest(r) {
+						s.renderForbiddenPage(w, r, util.NewI18nError(fs.ErrPermission, util.I18nError403Message))
+					} else {
+						sendAPIResponse(w, r, nil, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+					}
+					return
 				}
-				return
 			}

 			next.ServeHTTP(w, r)
@ -324,28 +328,30 @@ func (s *httpdServer) checkPerm(perm string) func(next http.Handler) http.Handle
 	}
 }

-func verifyCSRFHeader(next http.Handler) http.Handler {
+func (s *httpdServer) verifyCSRFHeader(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		tokenString := r.Header.Get(csrfHeaderToken)
-		token, err := jwtauth.VerifyToken(csrfTokenAuth, tokenString)
+		token, err := jwtauth.VerifyToken(s.csrfTokenAuth, tokenString)
 		if err != nil || token == nil {
 			logger.Debug(logSender, "", "error validating CSRF header: %v", err)
 			sendAPIResponse(w, r, err, "Invalid token", http.StatusForbidden)
 			return
 		}

-		if !util.Contains(token.Audience(), tokenAudienceCSRF) {
+		if !slices.Contains(token.Audience(), tokenAudienceCSRF) {
 			logger.Debug(logSender, "", "error validating CSRF header token audience")
 			sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
 			return
 		}

-		if tokenValidationMode != tokenValidationNoIPMatch {
-			if !util.Contains(token.Audience(), util.GetIPFromRemoteAddress(r.RemoteAddr)) {
-				logger.Debug(logSender, "", "error validating CSRF header IP audience")
-				sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
-				return
-			}
+		if err := validateIPForToken(token, util.GetIPFromRemoteAddress(r.RemoteAddr)); err != nil {
+			logger.Debug(logSender, "", "error validating CSRF header IP audience")
+			sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
+			return
+		}
+		if err := checkCSRFTokenRef(r, token); err != nil {
+			sendAPIResponse(w, r, errors.New("the token is not valid"), "", http.StatusForbidden)
+			return
 		}

 		next.ServeHTTP(w, r)
@ -440,6 +446,7 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope)
 						"", http.StatusUnauthorized)
 					return
 				}
+				common.DelayLogin(nil)
 			} else {
 				if k.User != "" {
 					apiUser = k.User
@ -448,7 +455,7 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope)
 					logger.Debug(logSender, "", "unable to authenticate user %q associated with api key %q: %v",
 						apiUser, apiKey, err)
 					updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: apiUser}},
-						dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), err)
+						dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), err, r)
 					code := http.StatusUnauthorized
 					if errors.Is(err, common.ErrInternalFailure) {
 						code = http.StatusInternalServerError
@ -458,7 +465,7 @@ func checkAPIKeyAuth(tokenAuth *jwtauth.JWTAuth, scope dataprovider.APIKeyScope)
 					return
 				}
 				updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: apiUser}},
-					dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), nil)
+					dataprovider.LoginMethodPassword, util.GetIPFromRemoteAddress(r.RemoteAddr), nil, r)
 			}
 			dataprovider.UpdateAPIKeyLastUse(&k) //nolint:errcheck

@ -512,6 +519,7 @@ func authenticateAdminWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTA
 	}
 	r.Header.Set("Authorization", fmt.Sprintf("Bearer %v", resp["access_token"]))
 	dataprovider.UpdateAdminLastLogin(&admin)
+	common.DelayLogin(nil)
 	return nil
 }

@ -521,7 +529,7 @@ func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAu
 	if username == "" {
 		err := errors.New("the provided key is not associated with any user and no username was provided")
 		updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
-			dataprovider.LoginMethodPassword, ipAddr, err)
+			dataprovider.LoginMethodPassword, ipAddr, err, r)
 		return err
 	}
 	if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil {
@ -530,27 +538,27 @@ func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAu
 	user, err := dataprovider.GetUserWithGroupSettings(username, "")
 	if err != nil {
 		updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
-			dataprovider.LoginMethodPassword, ipAddr, err)
+			dataprovider.LoginMethodPassword, ipAddr, err, r)
 		return err
 	}
 	if !user.Filters.AllowAPIKeyAuth {
 		err := fmt.Errorf("API key authentication disabled for user %q", user.Username)
-		updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err)
+		updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)
 		return err
 	}
 	if err := user.CheckLoginConditions(); err != nil {
-		updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err)
+		updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)
 		return err
 	}
 	connectionID := fmt.Sprintf("%v_%v", protocol, xid.New().String())
 	if err := checkHTTPClientUser(&user, r, connectionID, true); err != nil {
-		updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err)
+		updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, err, r)
 		return err
 	}
 	defer user.CloseFs() //nolint:errcheck
 	err = user.CheckFsRoot(connectionID)
 	if err != nil {
-		updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure)
+		updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)
 		return common.ErrInternalFailure
 	}
 	c := jwtTokenClaims{
@ -563,24 +571,38 @@ func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAu

 	resp, err := c.createTokenResponse(tokenAuth, tokenAudienceAPIUser, ipAddr)
 	if err != nil {
-		updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure)
+		updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, common.ErrInternalFailure, r)
 		return err
 	}
 	r.Header.Set("Authorization", fmt.Sprintf("Bearer %v", resp["access_token"]))
 	dataprovider.UpdateLastLogin(&user)
-	updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, nil)
+	updateLoginMetrics(&user, dataprovider.LoginMethodPassword, ipAddr, nil, r)

 	return nil
 }

 func checkPartialAuth(w http.ResponseWriter, r *http.Request, audience string, tokenAudience []string) error {
-	if audience == tokenAudienceWebAdmin && util.Contains(tokenAudience, tokenAudienceWebAdminPartial) {
+	if audience == tokenAudienceWebAdmin && slices.Contains(tokenAudience, tokenAudienceWebAdminPartial) {
 		http.Redirect(w, r, webAdminTwoFactorPath, http.StatusFound)
 		return errInvalidToken
 	}
-	if audience == tokenAudienceWebClient && util.Contains(tokenAudience, tokenAudienceWebClientPartial) {
+	if audience == tokenAudienceWebClient && slices.Contains(tokenAudience, tokenAudienceWebClientPartial) {
 		http.Redirect(w, r, webClientTwoFactorPath, http.StatusFound)
 		return errInvalidToken
 	}
 	return nil
 }
+
+func cacheControlMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate, private")
+		next.ServeHTTP(w, r)
+	})
+}
+
+func cleanCacheControlMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Del("Cache-Control")
+		next.ServeHTTP(w, r)
+	})
+}
--- a/internal/httpd/oauth2.go
+++ b/internal/httpd/oauth2.go
@ -20,8 +20,6 @@ import (
 	"sync"
 	"time"

-	"github.com/rs/xid"
-
 	"github.com/drakkan/sftpgo/v2/internal/dataprovider"
 	"github.com/drakkan/sftpgo/v2/internal/kms"
 	"github.com/drakkan/sftpgo/v2/internal/logger"
@ -54,7 +52,7 @@ type oauth2PendingAuth struct {

 func newOAuth2PendingAuth(provider int, redirectURL, clientID string, clientSecret *kms.Secret) oauth2PendingAuth {
 	return oauth2PendingAuth{
-		State:        xid.New().String(),
+		State:        util.GenerateOpaqueString(),
 		Provider:     provider,
 		ClientID:     clientID,
 		ClientSecret: clientSecret,
--- a/internal/httpd/oidc.go
+++ b/internal/httpd/oidc.go
@ -20,6 +20,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"slices"
 	"strings"
 	"time"

@ -142,7 +143,7 @@ func (o *OIDC) initialize() error {
 	if o.RedirectBaseURL == "" {
 		return errors.New("oidc: redirect base URL cannot be empty")
 	}
-	if !util.Contains(o.Scopes, oidc.ScopeOpenID) {
+	if !slices.Contains(o.Scopes, oidc.ScopeOpenID) {
 		return fmt.Errorf("oidc: required scope %q is not set", oidc.ScopeOpenID)
 	}
 	if o.ClientSecretFile != "" {
@ -202,29 +203,32 @@ type oidcPendingAuth struct {

 func newOIDCPendingAuth(audience tokenAudience) oidcPendingAuth {
 	return oidcPendingAuth{
-		State:    xid.New().String(),
-		Nonce:    xid.New().String(),
+		State:    util.GenerateOpaqueString(),
+		Nonce:    util.GenerateOpaqueString(),
 		Audience: audience,
 		IssuedAt: util.GetTimeAsMsSinceEpoch(time.Now()),
 	}
 }

 type oidcToken struct {
-	AccessToken          string          `json:"access_token"`
-	TokenType            string          `json:"token_type,omitempty"`
-	RefreshToken         string          `json:"refresh_token,omitempty"`
-	ExpiresAt            int64           `json:"expires_at,omitempty"`
-	SessionID            string          `json:"session_id"`
-	IDToken              string          `json:"id_token"`
-	Nonce                string          `json:"nonce"`
-	Username             string          `json:"username"`
-	Permissions          []string        `json:"permissions"`
-	HideUserPageSections int             `json:"hide_user_page_sections,omitempty"`
-	TokenRole            string          `json:"token_role,omitempty"` // SFTPGo role name
-	Role                 any             `json:"role"`                 // oidc user role: SFTPGo user or admin
-	CustomFields         *map[string]any `json:"custom_fields,omitempty"`
-	Cookie               string          `json:"cookie"`
-	UsedAt               int64           `json:"used_at"`
+	AccessToken                string          `json:"access_token"`
+	TokenType                  string          `json:"token_type,omitempty"`
+	RefreshToken               string          `json:"refresh_token,omitempty"`
+	ExpiresAt                  int64           `json:"expires_at,omitempty"`
+	SessionID                  string          `json:"session_id"`
+	IDToken                    string          `json:"id_token"`
+	Nonce                      string          `json:"nonce"`
+	Username                   string          `json:"username"`
+	Permissions                []string        `json:"permissions"`
+	HideUserPageSections       int             `json:"hide_user_page_sections,omitempty"`
+	MustSetTwoFactorAuth       bool            `json:"must_set_2fa,omitempty"`
+	MustChangePassword         bool            `json:"must_change_password,omitempty"`
+	RequiredTwoFactorProtocols []string        `json:"required_two_factor_protocols,omitempty"`
+	TokenRole                  string          `json:"token_role,omitempty"` // SFTPGo role name
+	Role                       any             `json:"role"`                 // oidc user role: SFTPGo user or admin
+	CustomFields               *map[string]any `json:"custom_fields,omitempty"`
+	Cookie                     string          `json:"cookie"`
+	UsedAt                     int64           `json:"used_at"`
 }

 func (t *oidcToken) parseClaims(claims map[string]any, usernameField, roleField string, customFields []string,
@ -345,14 +349,15 @@ func (t *oidcToken) refresh(ctx context.Context, config OAuth2Config, verifier O
 		logger.Debug(logSender, "", "unable to verify refreshed id token for cookie %q: %v", t.Cookie, err)
 		return err
 	}
-	if idToken.Nonce != t.Nonce {
-		logger.Debug(logSender, "", "unable to verify refreshed id token for cookie %q: nonce mismatch", t.Cookie)
+	if idToken.Nonce != "" && idToken.Nonce != t.Nonce {
+		logger.Warn(logSender, "", "unable to verify refreshed id token for cookie %q: nonce mismatch, expected: %q, actual: %q",
+			t.Cookie, t.Nonce, idToken.Nonce)
 		return errors.New("the refreshed token nonce mismatch")
 	}
 	claims := make(map[string]any)
 	err = idToken.Claims(&claims)
 	if err != nil {
-		logger.Debug(logSender, "", "unable to get refreshed id token claims for cookie %q: %v", t.Cookie, err)
+		logger.Warn(logSender, "", "unable to get refreshed id token claims for cookie %q: %v", t.Cookie, err)
 		return err
 	}
 	sid, ok := claims["sid"].(string)
@ -396,6 +401,9 @@ func (t *oidcToken) refreshUser(r *http.Request) error {
 	}
 	t.Permissions = user.Filters.WebClient
 	t.TokenRole = user.Role
+	t.MustSetTwoFactorAuth = user.MustSetSecondFactor()
+	t.MustChangePassword = user.MustChangePassword()
+	t.RequiredTwoFactorProtocols = user.Filters.TwoFactorAuthProtocols
 	return nil
 }

@ -405,7 +413,7 @@ func (t *oidcToken) getUser(r *http.Request) error {
 		Name:      t.Username,
 		IP:        ipAddr,
 		Protocol:  common.ProtocolOIDC,
-		Timestamp: time.Now().UnixNano(),
+		Timestamp: time.Now(),
 		Status:    1,
 	}
 	if t.isAdmin() {
@ -428,6 +436,7 @@ func (t *oidcToken) getUser(r *http.Request) error {
 		t.TokenRole = admin.Role
 		t.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections
 		dataprovider.UpdateAdminLastLogin(admin)
+		common.DelayLogin(nil)
 		return nil
 	}
 	params.Event = common.IDPLoginUser
@ -443,29 +452,32 @@ func (t *oidcToken) getUser(r *http.Request) error {
 		user = &u
 	}
 	if err := common.Config.ExecutePostConnectHook(ipAddr, common.ProtocolOIDC); err != nil {
-		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err)
+		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err, r)
 		return fmt.Errorf("access denied: %w", err)
 	}
 	if err := user.CheckLoginConditions(); err != nil {
-		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err)
+		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err, r)
 		return err
 	}
 	connectionID := fmt.Sprintf("%s_%s", common.ProtocolOIDC, xid.New().String())
 	if err := checkHTTPClientUser(user, r, connectionID, true); err != nil {
-		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err)
+		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, err, r)
 		return err
 	}
 	defer user.CloseFs() //nolint:errcheck
 	err = user.CheckFsRoot(connectionID)
 	if err != nil {
 		logger.Warn(logSender, connectionID, "unable to check fs root: %v", err)
-		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, common.ErrInternalFailure)
+		updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, common.ErrInternalFailure, r)
 		return err
 	}
-	updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, nil)
+	updateLoginMetrics(user, dataprovider.LoginMethodIDP, ipAddr, nil, r)
 	dataprovider.UpdateLastLogin(user)
 	t.Permissions = user.Filters.WebClient
 	t.TokenRole = user.Role
+	t.MustSetTwoFactorAuth = user.MustSetSecondFactor()
+	t.MustChangePassword = user.MustChangePassword()
+	t.RequiredTwoFactorProtocols = user.Filters.TwoFactorAuthProtocols
 	return nil
 }

@ -540,11 +552,17 @@ func (s *httpdServer) oidcTokenAuthenticator(audience tokenAudience) func(next h
 				return
 			}
 			jwtTokenClaims := jwtTokenClaims{
+				JwtID:                token.Cookie,
 				Username:             token.Username,
 				Permissions:          token.Permissions,
 				Role:                 token.TokenRole,
 				HideUserPageSections: token.HideUserPageSections,
 			}
+			if audience == tokenAudienceWebClient {
+				jwtTokenClaims.MustSetTwoFactorAuth = token.MustSetTwoFactorAuth
+				jwtTokenClaims.MustChangePassword = token.MustChangePassword
+				jwtTokenClaims.RequiredTwoFactorProtocols = token.RequiredTwoFactorProtocols
+			}
 			_, tokenString, err := jwtTokenClaims.createToken(s.tokenAuth, audience, util.GetIPFromRemoteAddress(r.RemoteAddr))
 			if err != nil {
 				setFlashMessage(w, r, newFlashMessage("Unable to create cookie", util.I18nError500Message))
@ -593,6 +611,7 @@ func (s *httpdServer) handleOIDCRedirect(w http.ResponseWriter, r *http.Request)
 	authReq, err := oidcMgr.getPendingAuth(state)
 	if err != nil {
 		logger.Debug(logSender, "", "oidc authentication state did not match")
+		oidcMgr.removePendingAuth(state)
 		s.renderClientMessagePage(w, r, util.I18nInvalidAuthReqTitle, http.StatusBadRequest,
 			util.NewI18nError(err, util.I18nInvalidAuth), "")
 		return
@ -660,7 +679,7 @@ func (s *httpdServer) handleOIDCRedirect(w http.ResponseWriter, r *http.Request)
 		RefreshToken: oauth2Token.RefreshToken,
 		IDToken:      rawIDToken,
 		Nonce:        idToken.Nonce,
-		Cookie:       xid.New().String(),
+		Cookie:       util.GenerateOpaqueString(),
 	}
 	if !oauth2Token.Expiry.IsZero() {
 		token.ExpiresAt = util.GetTimeAsMsSinceEpoch(oauth2Token.Expiry)
--- a/internal/httpd/oidc_test.go
+++ b/internal/httpd/oidc_test.go
@ -33,7 +33,6 @@ import (

 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/go-chi/jwtauth/v5"
-	"github.com/lestrrat-go/jwx/v2/jwa"
 	"github.com/rs/xid"
 	"github.com/sftpgo/sdk"
 	"github.com/stretchr/testify/assert"
@ -136,6 +135,8 @@ func TestOIDCInitialization(t *testing.T) {
 }

 func TestOIDCLoginLogout(t *testing.T) {
+	tokenValidationMode = 2
+
 	oidcMgr, ok := oidcMgr.(*memoryOIDCManager)
 	require.True(t, ok)
 	server := getTestOIDCServer()
@ -151,8 +152,8 @@ func TestOIDCLoginLogout(t *testing.T) {
 	assert.Contains(t, rr.Body.String(), util.I18nInvalidAuth)

 	expiredAuthReq := oidcPendingAuth{
-		State:    xid.New().String(),
-		Nonce:    xid.New().String(),
+		State:    util.GenerateOpaqueString(),
+		Nonce:    util.GenerateOpaqueString(),
 		Audience: tokenAudienceWebClient,
 		IssuedAt: util.GetTimeAsMsSinceEpoch(time.Now().Add(-10 * time.Minute)),
 	}
@ -553,6 +554,8 @@ func TestOIDCLoginLogout(t *testing.T) {
 	assert.NoError(t, err)
 	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
+
+	tokenValidationMode = 0
 }

 func TestOIDCRefreshToken(t *testing.T) {
@ -561,7 +564,7 @@ func TestOIDCRefreshToken(t *testing.T) {
 	r, err := http.NewRequest(http.MethodGet, webUsersPath, nil)
 	assert.NoError(t, err)
 	token := oidcToken{
-		Cookie:      xid.New().String(),
+		Cookie:      util.GenerateOpaqueString(),
 		AccessToken: xid.New().String(),
 		TokenType:   "Bearer",
 		ExpiresAt:   util.GetTimeAsMsSinceEpoch(time.Now().Add(-1 * time.Minute)),
@ -627,7 +630,9 @@ func TestOIDCRefreshToken(t *testing.T) {
 		},
 	}
 	verifier = mockOIDCVerifier{
-		token: &oidc.IDToken{},
+		token: &oidc.IDToken{
+			Nonce: xid.New().String(), // nonce is different from the expected one
+		},
 	}
 	err = token.refresh(context.Background(), &config, &verifier, r)
 	if assert.Error(t, err) {
@ -635,7 +640,7 @@ func TestOIDCRefreshToken(t *testing.T) {
 	}
 	verifier = mockOIDCVerifier{
 		token: &oidc.IDToken{
-			Nonce: token.Nonce,
+			Nonce: "", // empty token is fine on refresh but claims are not set
 		},
 	}
 	err = token.refresh(context.Background(), &config, &verifier, r)
@ -663,7 +668,7 @@ func TestOIDCRefreshToken(t *testing.T) {

 func TestOIDCRefreshUser(t *testing.T) {
 	token := oidcToken{
-		Cookie:      xid.New().String(),
+		Cookie:      util.GenerateOpaqueString(),
 		AccessToken: xid.New().String(),
 		TokenType:   "Bearer",
 		ExpiresAt:   util.GetTimeAsMsSinceEpoch(time.Now().Add(1 * time.Minute)),
@ -777,7 +782,7 @@ func TestValidateOIDCToken(t *testing.T) {
 		},
 	}
 	token := oidcToken{
-		Cookie:      xid.New().String(),
+		Cookie:      util.GenerateOpaqueString(),
 		AccessToken: xid.New().String(),
 		ExpiresAt:   util.GetTimeAsMsSinceEpoch(time.Now().Add(-2 * time.Minute)),
 	}
@ -793,8 +798,8 @@ func TestValidateOIDCToken(t *testing.T) {

 	server.tokenAuth = jwtauth.New("PS256", util.GenerateRandomBytes(32), nil)
 	token = oidcToken{
-		Cookie:      xid.New().String(),
-		AccessToken: xid.New().String(),
+		Cookie:      util.GenerateOpaqueString(),
+		AccessToken: util.GenerateUniqueID(),
 	}
 	oidcMgr.addToken(token)
 	rr = httptest.NewRecorder()
@ -808,7 +813,7 @@ func TestValidateOIDCToken(t *testing.T) {
 	assert.Len(t, oidcMgr.tokens, 0)

 	token = oidcToken{
-		Cookie:      xid.New().String(),
+		Cookie:      util.GenerateOpaqueString(),
 		AccessToken: xid.New().String(),
 		Role:        "admin",
 	}
@ -1102,7 +1107,7 @@ func TestMemoryOIDCManager(t *testing.T) {
 		AccessToken: xid.New().String(),
 		Nonce:       xid.New().String(),
 		SessionID:   xid.New().String(),
-		Cookie:      xid.New().String(),
+		Cookie:      util.GenerateOpaqueString(),
 		Username:    xid.New().String(),
 		Role:        "admin",
 		Permissions: []string{dataprovider.PermAdminAny},
@ -1152,7 +1157,7 @@ func TestMemoryOIDCManager(t *testing.T) {
 	token.UsedAt = usedAt
 	oidcMgr.tokens[token.Cookie] = token
 	newToken := oidcToken{
-		Cookie: xid.New().String(),
+		Cookie: util.GenerateOpaqueString(),
 	}
 	oidcMgr.addToken(newToken)
 	oidcMgr.cleanup()
@ -1584,12 +1589,9 @@ func TestOIDCWithLoginFormsDisabled(t *testing.T) {
 		tokenCookie = k
 	}
 	// we should be able to create admins without setting a password
-	if csrfTokenAuth == nil {
-		csrfTokenAuth = jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
-	}
 	adminUsername := "testAdmin"
 	form := make(url.Values)
-	form.Set(csrfFormToken, createCSRFToken(""))
+	form.Set(csrfFormToken, createCSRFToken(rr, r, server.csrfTokenAuth, tokenCookie, webBaseAdminPath))
 	form.Set("username", adminUsername)
 	form.Set("password", "")
 	form.Set("status", "1")
@ -1661,7 +1663,7 @@ func TestDbOIDCManager(t *testing.T) {
 	}

 	token := oidcToken{
-		Cookie:       xid.New().String(),
+		Cookie:       util.GenerateOpaqueString(),
 		AccessToken:  xid.New().String(),
 		TokenType:    "Bearer",
 		RefreshToken: xid.New().String(),
--- a/internal/httpd/server.go
+++ b/internal/httpd/server.go
--- a/internal/httpd/web.go
+++ b/internal/httpd/web.go
@ -67,38 +67,45 @@ type loginPage struct {
 	OpenIDLoginURL string
 	Title          string
 	Branding       UIBranding
+	Languages      []string
 	FormDisabled   bool
 	CheckRedirect  bool
 }

 type twoFactorPage struct {
 	commonBasePage
-	CurrentURL  string
-	Error       *util.I18nError
-	CSRFToken   string
-	RecoveryURL string
-	Title       string
-	Branding    UIBranding
+	CurrentURL    string
+	Error         *util.I18nError
+	CSRFToken     string
+	RecoveryURL   string
+	Title         string
+	Branding      UIBranding
+	Languages     []string
+	CheckRedirect bool
 }

 type forgotPwdPage struct {
 	commonBasePage
-	CurrentURL string
-	Error      *util.I18nError
-	CSRFToken  string
-	LoginURL   string
-	Title      string
-	Branding   UIBranding
+	CurrentURL    string
+	Error         *util.I18nError
+	CSRFToken     string
+	LoginURL      string
+	Title         string
+	Branding      UIBranding
+	Languages     []string
+	CheckRedirect bool
 }

 type resetPwdPage struct {
 	commonBasePage
-	CurrentURL string
-	Error      *util.I18nError
-	CSRFToken  string
-	LoginURL   string
-	Title      string
-	Branding   UIBranding
+	CurrentURL    string
+	Error         *util.I18nError
+	CSRFToken     string
+	LoginURL      string
+	Title         string
+	Branding      UIBranding
+	Languages     []string
+	CheckRedirect bool
 }

 func getSliceFromDelimitedValues(values, delimiter string) []string {
--- a/internal/httpd/webadmin.go
+++ b/internal/httpd/webadmin.go
--- a/internal/httpd/webclient.go
+++ b/internal/httpd/webclient.go
@ -27,6 +27,7 @@ import (
 	"os"
 	"path"
 	"path/filepath"
+	"slices"
 	"strconv"
 	"strings"
 	"time"
@ -81,21 +82,23 @@ func isZeroTime(t time.Time) bool {

 type baseClientPage struct {
 	commonBasePage
-	Title        string
-	CurrentURL   string
-	FilesURL     string
-	SharesURL    string
-	ShareURL     string
-	ProfileURL   string
-	PingURL      string
-	ChangePwdURL string
-	LogoutURL    string
-	LoginURL     string
-	EditURL      string
-	MFAURL       string
-	CSRFToken    string
-	LoggedUser   *dataprovider.User
-	Branding     UIBranding
+	Title           string
+	CurrentURL      string
+	FilesURL        string
+	SharesURL       string
+	ShareURL        string
+	ProfileURL      string
+	PingURL         string
+	ChangePwdURL    string
+	LogoutURL       string
+	LoginURL        string
+	EditURL         string
+	MFAURL          string
+	CSRFToken       string
+	LoggedUser      *dataprovider.User
+	IsLoggedToShare bool
+	Branding        UIBranding
+	Languages       []string
 }

 type dirMapping struct {
@ -105,9 +108,10 @@ type dirMapping struct {

 type viewPDFPage struct {
 	commonBasePage
-	Title    string
-	URL      string
-	Branding UIBranding
+	Title     string
+	URL       string
+	Branding  UIBranding
+	Languages []string
 }

 type editFilePage struct {
@ -150,6 +154,7 @@ type shareLoginPage struct {
 	CSRFToken  string
 	Title      string
 	Branding   UIBranding
+	Languages  []string
 }

 type shareDownloadPage struct {
@ -172,13 +177,15 @@ type clientMessagePage struct {

 type clientProfilePage struct {
 	baseClientPage
-	PublicKeys      []string
-	TLSCerts        []string
-	CanSubmit       bool
-	AllowAPIKeyAuth bool
-	Email           string
-	Description     string
-	Error           *util.I18nError
+	PublicKeys             []string
+	TLSCerts               []string
+	CanSubmit              bool
+	AllowAPIKeyAuth        bool
+	Email                  string
+	AdditionalEmails       []string
+	AdditionalEmailsString string
+	Description            string
+	Error                  *util.I18nError
 }

 type changeClientPasswordPage struct {
@ -523,28 +530,30 @@ func loadClientTemplates(templatesPath string) {
 	clientTemplates[templateShareDownload] = shareDownloadTmpl
 }

-func (s *httpdServer) getBaseClientPageData(title, currentURL string, r *http.Request) baseClientPage {
+func (s *httpdServer) getBaseClientPageData(title, currentURL string, w http.ResponseWriter, r *http.Request) baseClientPage {
 	var csrfToken string
 	if currentURL != "" {
-		csrfToken = createCSRFToken(util.GetIPFromRemoteAddress(r.RemoteAddr))
+		csrfToken = createCSRFToken(w, r, s.csrfTokenAuth, "", webBaseClientPath)
 	}

 	data := baseClientPage{
-		commonBasePage: getCommonBasePage(r),
-		Title:          title,
-		CurrentURL:     currentURL,
-		FilesURL:       webClientFilesPath,
-		SharesURL:      webClientSharesPath,
-		ShareURL:       webClientSharePath,
-		ProfileURL:     webClientProfilePath,
-		PingURL:        webClientPingPath,
-		ChangePwdURL:   webChangeClientPwdPath,
-		LogoutURL:      webClientLogoutPath,
-		EditURL:        webClientEditFilePath,
-		MFAURL:         webClientMFAPath,
-		CSRFToken:      csrfToken,
-		LoggedUser:     getUserFromToken(r),
-		Branding:       s.binding.Branding.WebClient,
+		commonBasePage:  getCommonBasePage(r),
+		Title:           title,
+		CurrentURL:      currentURL,
+		FilesURL:        webClientFilesPath,
+		SharesURL:       webClientSharesPath,
+		ShareURL:        webClientSharePath,
+		ProfileURL:      webClientProfilePath,
+		PingURL:         webClientPingPath,
+		ChangePwdURL:    webChangeClientPwdPath,
+		LogoutURL:       webClientLogoutPath,
+		EditURL:         webClientEditFilePath,
+		MFAURL:          webClientMFAPath,
+		CSRFToken:       csrfToken,
+		LoggedUser:      getUserFromToken(r),
+		IsLoggedToShare: false,
+		Branding:        s.binding.webClientBranding(),
+		Languages:       s.binding.languages(),
 	}
 	if !strings.HasPrefix(r.RequestURI, webClientPubSharesPath) {
 		data.LoginURL = webClientLoginPath
@ -552,40 +561,43 @@ func (s *httpdServer) getBaseClientPageData(title, currentURL string, r *http.Re
 	return data
 }

-func (s *httpdServer) renderClientForgotPwdPage(w http.ResponseWriter, r *http.Request, err *util.I18nError, ip string) {
+func (s *httpdServer) renderClientForgotPwdPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {
 	data := forgotPwdPage{
 		commonBasePage: getCommonBasePage(r),
 		CurrentURL:     webClientForgotPwdPath,
 		Error:          err,
-		CSRFToken:      createCSRFToken(ip),
+		CSRFToken:      createCSRFToken(w, r, s.csrfTokenAuth, xid.New().String(), webBaseClientPath),
 		LoginURL:       webClientLoginPath,
 		Title:          util.I18nForgotPwdTitle,
-		Branding:       s.binding.Branding.WebClient,
+		Branding:       s.binding.webClientBranding(),
+		Languages:      s.binding.languages(),
 	}
 	renderClientTemplate(w, templateForgotPassword, data)
 }

-func (s *httpdServer) renderClientResetPwdPage(w http.ResponseWriter, r *http.Request, err *util.I18nError, ip string) {
+func (s *httpdServer) renderClientResetPwdPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {
 	data := resetPwdPage{
 		commonBasePage: getCommonBasePage(r),
 		CurrentURL:     webClientResetPwdPath,
 		Error:          err,
-		CSRFToken:      createCSRFToken(ip),
+		CSRFToken:      createCSRFToken(w, r, s.csrfTokenAuth, "", webBaseClientPath),
 		LoginURL:       webClientLoginPath,
 		Title:          util.I18nResetPwdTitle,
-		Branding:       s.binding.Branding.WebClient,
+		Branding:       s.binding.webClientBranding(),
+		Languages:      s.binding.languages(),
 	}
 	renderClientTemplate(w, templateResetPassword, data)
 }

-func (s *httpdServer) renderShareLoginPage(w http.ResponseWriter, r *http.Request, err *util.I18nError, ip string) {
+func (s *httpdServer) renderShareLoginPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {
 	data := shareLoginPage{
 		commonBasePage: getCommonBasePage(r),
 		Title:          util.I18nShareLoginTitle,
 		CurrentURL:     r.RequestURI,
 		Error:          err,
-		CSRFToken:      createCSRFToken(ip),
-		Branding:       s.binding.Branding.WebClient,
+		CSRFToken:      createCSRFToken(w, r, s.csrfTokenAuth, xid.New().String(), webBaseClientPath),
+		Branding:       s.binding.webClientBranding(),
+		Languages:      s.binding.languages(),
 	}
 	renderClientTemplate(w, templateShareLogin, data)
 }
@ -599,7 +611,7 @@ func renderClientTemplate(w http.ResponseWriter, tmplName string, data any) {

 func (s *httpdServer) renderClientMessagePage(w http.ResponseWriter, r *http.Request, title string, statusCode int, err error, message string) {
 	data := clientMessagePage{
-		baseClientPage: s.getBaseClientPageData(title, "", r),
+		baseClientPage: s.getBaseClientPageData(title, "", w, r),
 		Error:          getI18nError(err),
 		Success:        message,
 	}
@ -627,15 +639,16 @@ func (s *httpdServer) renderClientNotFoundPage(w http.ResponseWriter, r *http.Re
 		util.NewI18nError(err, util.I18nError404Message), "")
 }

-func (s *httpdServer) renderClientTwoFactorPage(w http.ResponseWriter, r *http.Request, err *util.I18nError, ip string) {
+func (s *httpdServer) renderClientTwoFactorPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {
 	data := twoFactorPage{
 		commonBasePage: getCommonBasePage(r),
 		Title:          pageTwoFactorTitle,
 		CurrentURL:     webClientTwoFactorPath,
 		Error:          err,
-		CSRFToken:      createCSRFToken(ip),
+		CSRFToken:      createCSRFToken(w, r, s.csrfTokenAuth, "", webBaseClientPath),
 		RecoveryURL:    webClientTwoFactorRecoveryPath,
-		Branding:       s.binding.Branding.WebClient,
+		Branding:       s.binding.webClientBranding(),
+		Languages:      s.binding.languages(),
 	}
 	if next := r.URL.Query().Get("next"); strings.HasPrefix(next, webClientFilesPath) {
 		data.CurrentURL += "?next=" + url.QueryEscape(next)
@ -643,21 +656,22 @@ func (s *httpdServer) renderClientTwoFactorPage(w http.ResponseWriter, r *http.R
 	renderClientTemplate(w, templateTwoFactor, data)
 }

-func (s *httpdServer) renderClientTwoFactorRecoveryPage(w http.ResponseWriter, r *http.Request, err *util.I18nError, ip string) {
+func (s *httpdServer) renderClientTwoFactorRecoveryPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {
 	data := twoFactorPage{
 		commonBasePage: getCommonBasePage(r),
 		Title:          pageTwoFactorRecoveryTitle,
 		CurrentURL:     webClientTwoFactorRecoveryPath,
 		Error:          err,
-		CSRFToken:      createCSRFToken(ip),
-		Branding:       s.binding.Branding.WebClient,
+		CSRFToken:      createCSRFToken(w, r, s.csrfTokenAuth, "", webBaseClientPath),
+		Branding:       s.binding.webClientBranding(),
+		Languages:      s.binding.languages(),
 	}
 	renderClientTemplate(w, templateTwoFactorRecovery, data)
 }

 func (s *httpdServer) renderClientMFAPage(w http.ResponseWriter, r *http.Request) {
 	data := clientMFAPage{
-		baseClientPage:  s.getBaseClientPageData(util.I18n2FATitle, webClientMFAPath, r),
+		baseClientPage:  s.getBaseClientPageData(util.I18n2FATitle, webClientMFAPath, w, r),
 		TOTPConfigs:     mfa.GetAvailableTOTPConfigNames(),
 		GenerateTOTPURL: webClientTOTPGeneratePath,
 		ValidateTOTPURL: webClientTOTPValidatePath,
@ -681,7 +695,7 @@ func (s *httpdServer) renderEditFilePage(w http.ResponseWriter, r *http.Request,
 		title = util.I18nEditFileTitle
 	}
 	data := editFilePage{
-		baseClientPage: s.getBaseClientPageData(title, webClientEditFilePath, r),
+		baseClientPage: s.getBaseClientPageData(title, webClientEditFilePath, w, r),
 		Path:           fileName,
 		Name:           path.Base(fileName),
 		CurrentDir:     path.Dir(fileName),
@ -701,8 +715,11 @@ func (s *httpdServer) renderAddUpdateSharePage(w http.ResponseWriter, r *http.Re
 		currentURL = fmt.Sprintf("%v/%v", webClientSharePath, url.PathEscape(share.ShareID))
 		title = util.I18nShareUpdateTitle
 	}
+	if share.IsPasswordHashed() {
+		share.Password = redactedSecret
+	}
 	data := clientSharePage{
-		baseClientPage: s.getBaseClientPageData(title, currentURL, r),
+		baseClientPage: s.getBaseClientPageData(title, currentURL, w, r),
 		Share:          share,
 		Error:          err,
 		IsAdd:          isAdd,
@ -736,9 +753,11 @@ func (s *httpdServer) renderSharedFilesPage(w http.ResponseWriter, r *http.Reque
 	err *util.I18nError, share dataprovider.Share,
 ) {
 	currentURL := path.Join(webClientPubSharesPath, share.ShareID, "browse")
-	baseData := s.getBaseClientPageData(util.I18nSharedFilesTitle, currentURL, r)
+	baseData := s.getBaseClientPageData(util.I18nSharedFilesTitle, currentURL, w, r)
 	baseData.FilesURL = currentURL
 	baseSharePath := path.Join(webClientPubSharesPath, share.ShareID)
+	baseData.LogoutURL = path.Join(webClientPubSharesPath, share.ShareID, "logout")
+	baseData.IsLoggedToShare = share.Password != ""

 	data := filesPage{
 		baseClientPage: baseData,
@ -766,28 +785,39 @@ func (s *httpdServer) renderSharedFilesPage(w http.ResponseWriter, r *http.Reque
 	renderClientTemplate(w, templateClientFiles, data)
 }

-func (s *httpdServer) renderShareDownloadPage(w http.ResponseWriter, r *http.Request, downloadLink string) {
+func (s *httpdServer) renderShareDownloadPage(w http.ResponseWriter, r *http.Request, share *dataprovider.Share,
+	downloadLink string,
+) {
 	data := shareDownloadPage{
-		baseClientPage: s.getBaseClientPageData(util.I18nShareDownloadTitle, "", r),
+		baseClientPage: s.getBaseClientPageData(util.I18nShareDownloadTitle, "", w, r),
 		DownloadLink:   downloadLink,
 	}
+	data.LogoutURL = ""
+	if share.Password != "" {
+		data.LogoutURL = path.Join(webClientPubSharesPath, share.ShareID, "logout")
+	}
+
 	renderClientTemplate(w, templateShareDownload, data)
 }

-func (s *httpdServer) renderUploadToSharePage(w http.ResponseWriter, r *http.Request, share dataprovider.Share) {
+func (s *httpdServer) renderUploadToSharePage(w http.ResponseWriter, r *http.Request, share *dataprovider.Share) {
 	currentURL := path.Join(webClientPubSharesPath, share.ShareID, "upload")
 	data := shareUploadPage{
-		baseClientPage: s.getBaseClientPageData(util.I18nShareUploadTitle, currentURL, r),
-		Share:          &share,
+		baseClientPage: s.getBaseClientPageData(util.I18nShareUploadTitle, currentURL, w, r),
+		Share:          share,
 		UploadBasePath: path.Join(webClientPubSharesPath, share.ShareID),
 	}
+	data.LogoutURL = ""
+	if share.Password != "" {
+		data.LogoutURL = path.Join(webClientPubSharesPath, share.ShareID, "logout")
+	}
 	renderClientTemplate(w, templateUploadToShare, data)
 }

 func (s *httpdServer) renderFilesPage(w http.ResponseWriter, r *http.Request, dirName string,
 	err *util.I18nError, user *dataprovider.User) {
 	data := filesPage{
-		baseClientPage:     s.getBaseClientPageData(util.I18nFilesTitle, webClientFilesPath, r),
+		baseClientPage:     s.getBaseClientPageData(util.I18nFilesTitle, webClientFilesPath, w, r),
 		Error:              err,
 		CurrentDir:         url.QueryEscape(dirName),
 		DownloadURL:        webClientDownloadZipPath,
@ -813,7 +843,7 @@ func (s *httpdServer) renderFilesPage(w http.ResponseWriter, r *http.Request, di

 func (s *httpdServer) renderClientProfilePage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {
 	data := clientProfilePage{
-		baseClientPage: s.getBaseClientPageData(util.I18nProfileTitle, webClientProfilePath, r),
+		baseClientPage: s.getBaseClientPageData(util.I18nProfileTitle, webClientProfilePath, w, r),
 		Error:          err,
 	}
 	user, userMerged, errUser := dataprovider.GetUserVariants(data.LoggedUser.Username, "")
@ -825,6 +855,8 @@ func (s *httpdServer) renderClientProfilePage(w http.ResponseWriter, r *http.Req
 	data.TLSCerts = user.Filters.TLSCerts
 	data.AllowAPIKeyAuth = user.Filters.AllowAPIKeyAuth
 	data.Email = user.Email
+	data.AdditionalEmails = user.Filters.AdditionalEmails
+	data.AdditionalEmailsString = strings.Join(data.AdditionalEmails, ", ")
 	data.Description = user.Description
 	data.CanSubmit = userMerged.CanUpdateProfile()
 	renderClientTemplate(w, templateClientProfile, data)
@ -832,7 +864,7 @@ func (s *httpdServer) renderClientProfilePage(w http.ResponseWriter, r *http.Req

 func (s *httpdServer) renderClientChangePasswordPage(w http.ResponseWriter, r *http.Request, err *util.I18nError) {
 	data := changeClientPasswordPage{
-		baseClientPage: s.getBaseClientPageData(util.I18nChangePwdTitle, webChangeClientPwdPath, r),
+		baseClientPage: s.getBaseClientPageData(util.I18nChangePwdTitle, webChangeClientPwdPath, w, r),
 		Error:          err,
 	}

@ -850,8 +882,7 @@ func (s *httpdServer) handleWebClientDownloadZip(w http.ResponseWriter, r *http.
 		s.renderClientBadRequestPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))
 		return
 	}
-	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken), ipAddr); err != nil {
+	if err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {
 		s.renderClientForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))
 		return
 	}
@ -1023,7 +1054,7 @@ func (s *httpdServer) handleClientUploadToShare(w http.ResponseWriter, r *http.R
 		http.Redirect(w, r, path.Join(webClientPubSharesPath, share.ShareID, "browse"), http.StatusFound)
 		return
 	}
-	s.renderUploadToSharePage(w, r, share)
+	s.renderUploadToSharePage(w, r, &share)
 }

 func (s *httpdServer) handleShareGetFiles(w http.ResponseWriter, r *http.Request) {
@ -1088,7 +1119,8 @@ func (s *httpdServer) handleShareViewPDF(w http.ResponseWriter, r *http.Request)
 		Title:          path.Base(name),
 		URL: fmt.Sprintf("%s?path=%s&_=%d", path.Join(webClientPubSharesPath, share.ShareID, "getpdf"),
 			url.QueryEscape(name), time.Now().UTC().Unix()),
-		Branding: s.binding.Branding.WebClient,
+		Branding:  s.binding.webClientBranding(),
+		Languages: s.binding.languages(),
 	}
 	renderClientTemplate(w, templateClientViewPDF, data)
 }
@ -1418,7 +1450,6 @@ func (s *httpdServer) handleClientUpdateShareGet(w http.ResponseWriter, r *http.
 	shareID := getURLParam(r, "id")
 	share, err := dataprovider.ShareExists(shareID, claims.Username)
 	if err == nil {
-		share.HideConfidentialData()
 		s.renderAddUpdateSharePage(w, r, &share, nil, false)
 	} else if errors.Is(err, util.ErrNotFound) {
 		s.renderClientNotFoundPage(w, r, err)
@ -1440,7 +1471,7 @@ func (s *httpdServer) handleClientAddSharePost(w http.ResponseWriter, r *http.Re
 		return
 	}
 	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken), ipAddr); err != nil {
+	if err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {
 		s.renderClientForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))
 		return
 	}
@ -1449,7 +1480,7 @@ func (s *httpdServer) handleClientAddSharePost(w http.ResponseWriter, r *http.Re
 	share.LastUseAt = 0
 	share.Username = claims.Username
 	if share.Password == "" {
-		if util.Contains(claims.Permissions, sdk.WebClientShareNoPasswordDisabled) {
+		if slices.Contains(claims.Permissions, sdk.WebClientShareNoPasswordDisabled) {
 			s.renderAddUpdateSharePage(w, r, share,
 				util.NewI18nError(util.NewValidationError("You are not allowed to share files/folders without password"), util.I18nErrorShareNoPwd),
 				true)
@ -1508,7 +1539,7 @@ func (s *httpdServer) handleClientUpdateSharePost(w http.ResponseWriter, r *http
 		return
 	}
 	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken), ipAddr); err != nil {
+	if err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {
 		s.renderClientForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))
 		return
 	}
@ -1518,7 +1549,7 @@ func (s *httpdServer) handleClientUpdateSharePost(w http.ResponseWriter, r *http
 		updatedShare.Password = share.Password
 	}
 	if updatedShare.Password == "" {
-		if util.Contains(claims.Permissions, sdk.WebClientShareNoPasswordDisabled) {
+		if slices.Contains(claims.Permissions, sdk.WebClientShareNoPasswordDisabled) {
 			s.renderAddUpdateSharePage(w, r, updatedShare,
 				util.NewI18nError(util.NewValidationError("You are not allowed to share files/folders without password"), util.I18nErrorShareNoPwd),
 				false)
@ -1579,7 +1610,7 @@ func (s *httpdServer) handleClientGetShares(w http.ResponseWriter, r *http.Reque
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)

 	data := clientSharesPage{
-		baseClientPage:      s.getBaseClientPageData(util.I18nSharesTitle, webClientSharesPath, r),
+		baseClientPage:      s.getBaseClientPageData(util.I18nSharesTitle, webClientSharesPath, w, r),
 		BasePublicSharesURL: webClientPubSharesPath,
 	}
 	renderClientTemplate(w, templateClientShares, data)
@ -1603,7 +1634,7 @@ func (s *httpdServer) handleWebClientProfilePost(w http.ResponseWriter, r *http.
 		return
 	}
 	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken), ipAddr); err != nil {
+	if err := verifyCSRFToken(r, s.csrfTokenAuth); err != nil {
 		s.renderClientForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))
 		return
 	}
@ -1646,6 +1677,15 @@ func (s *httpdServer) handleWebClientProfilePost(w http.ResponseWriter, r *http.
 	if userMerged.CanChangeInfo() {
 		user.Email = strings.TrimSpace(r.Form.Get("email"))
 		user.Description = r.Form.Get("description")
+		for k := range r.Form {
+			if hasPrefixAndSuffix(k, "additional_emails[", "][additional_email]") {
+				email := strings.TrimSpace(r.Form.Get(k))
+				if email != "" {
+					r.Form.Add("additional_emails", email)
+				}
+			}
+		}
+		user.Filters.AdditionalEmails = r.Form["additional_emails"]
 	}
 	err = dataprovider.UpdateUser(&user, dataprovider.ActionExecutorSelf, ipAddr, user.Role)
 	if err != nil {
@ -1662,12 +1702,12 @@ func (s *httpdServer) handleWebClientMFA(w http.ResponseWriter, r *http.Request)

 func (s *httpdServer) handleWebClientTwoFactor(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	s.renderClientTwoFactorPage(w, r, nil, util.GetIPFromRemoteAddress(r.RemoteAddr))
+	s.renderClientTwoFactorPage(w, r, nil)
 }

 func (s *httpdServer) handleWebClientTwoFactorRecovery(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	s.renderClientTwoFactorRecoveryPage(w, r, nil, util.GetIPFromRemoteAddress(r.RemoteAddr))
+	s.renderClientTwoFactorRecoveryPage(w, r, nil)
 }

 func getShareFromPostFields(r *http.Request) (*dataprovider.Share, error) {
@ -1719,26 +1759,25 @@ func (s *httpdServer) handleWebClientForgotPwd(w http.ResponseWriter, r *http.Re
 		s.renderClientNotFoundPage(w, r, errors.New("this page does not exist"))
 		return
 	}
-	s.renderClientForgotPwdPage(w, r, nil, util.GetIPFromRemoteAddress(r.RemoteAddr))
+	s.renderClientForgotPwdPage(w, r, nil)
 }

 func (s *httpdServer) handleWebClientForgotPwdPost(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)

-	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
 	err := r.ParseForm()
 	if err != nil {
-		s.renderClientForgotPwdPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm), ipAddr)
+		s.renderClientForgotPwdPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))
 		return
 	}
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken), ipAddr); err != nil {
+	if err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil {
 		s.renderClientForbiddenPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))
 		return
 	}
 	username := strings.TrimSpace(r.Form.Get("username"))
 	err = handleForgotPassword(r, username, false)
 	if err != nil {
-		s.renderClientForgotPwdPage(w, r, util.NewI18nError(err, util.I18nErrorPwdResetGeneric), ipAddr)
+		s.renderClientForgotPwdPage(w, r, util.NewI18nError(err, util.I18nErrorPwdResetGeneric))
 		return
 	}
 	http.Redirect(w, r, webClientResetPwdPath, http.StatusFound)
@ -1750,7 +1789,7 @@ func (s *httpdServer) handleWebClientPasswordReset(w http.ResponseWriter, r *htt
 		s.renderClientNotFoundPage(w, r, errors.New("this page does not exist"))
 		return
 	}
-	s.renderClientResetPwdPage(w, r, nil, util.GetIPFromRemoteAddress(r.RemoteAddr))
+	s.renderClientResetPwdPage(w, r, nil)
 }

 func (s *httpdServer) handleClientViewPDF(w http.ResponseWriter, r *http.Request) {
@ -1765,7 +1804,8 @@ func (s *httpdServer) handleClientViewPDF(w http.ResponseWriter, r *http.Request
 		commonBasePage: getCommonBasePage(r),
 		Title:          path.Base(name),
 		URL:            fmt.Sprintf("%s?path=%s&_=%d", webClientGetPDFPath, url.QueryEscape(name), time.Now().UTC().Unix()),
-		Branding:       s.binding.Branding.WebClient,
+		Branding:       s.binding.webClientBranding(),
+		Languages:      s.binding.languages(),
 	}
 	renderClientTemplate(w, templateClientViewPDF, data)
 }
@ -1853,43 +1893,46 @@ func (s *httpdServer) ensurePDF(w http.ResponseWriter, r *http.Request, name str

 func (s *httpdServer) handleClientShareLoginGet(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)
-	s.renderShareLoginPage(w, r, nil, util.GetIPFromRemoteAddress(r.RemoteAddr))
+	s.renderShareLoginPage(w, r, nil)
 }

 func (s *httpdServer) handleClientShareLoginPost(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)
 	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
 	if err := r.ParseForm(); err != nil {
-		s.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm), ipAddr)
+		s.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidForm))
 		return
 	}
-	if err := verifyCSRFToken(r.Form.Get(csrfFormToken), ipAddr); err != nil {
-		s.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF), ipAddr)
+	if err := verifyLoginCookieAndCSRFToken(r, s.csrfTokenAuth); err != nil {
+		s.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCSRF))
 		return
 	}
+	invalidateToken(r)
 	shareID := getURLParam(r, "id")
 	share, err := dataprovider.ShareExists(shareID, "")
 	if err != nil {
-		s.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCredentials), ipAddr)
+		s.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nErrorInvalidCredentials))
 		return
 	}
 	match, err := share.CheckCredentials(strings.TrimSpace(r.Form.Get("share_password")))
 	if !match || err != nil {
-		s.renderShareLoginPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials),
-			ipAddr)
-		return
-	}
-	c := jwtTokenClaims{
-		Username: shareID,
-	}
-	err = c.createAndSetCookie(w, r, s.tokenAuth, tokenAudienceWebShare, ipAddr)
-	if err != nil {
-		s.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nError500Message), ipAddr)
+		s.renderShareLoginPage(w, r, util.NewI18nError(dataprovider.ErrInvalidCredentials, util.I18nErrorInvalidCredentials))
 		return
 	}
 	next := path.Clean(r.URL.Query().Get("next"))
 	baseShareURL := path.Join(webClientPubSharesPath, share.ShareID)
 	isRedirect, redirectTo := checkShareRedirectURL(next, baseShareURL)
+	c := jwtTokenClaims{
+		Username: shareID,
+	}
+	if isRedirect {
+		c.Ref = next
+	}
+	err = c.createAndSetCookie(w, r, s.tokenAuth, tokenAudienceWebShare, ipAddr)
+	if err != nil {
+		s.renderShareLoginPage(w, r, util.NewI18nError(err, util.I18nError500Message))
+		return
+	}
 	if isRedirect {
 		http.Redirect(w, r, redirectTo, http.StatusFound)
 		return
@ -1897,6 +1940,22 @@ func (s *httpdServer) handleClientShareLoginPost(w http.ResponseWriter, r *http.
 	s.renderClientMessagePage(w, r, util.I18nSharedFilesTitle, http.StatusOK, nil, util.I18nShareLoginOK)
 }

+func (s *httpdServer) handleClientShareLogout(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxLoginBodySize)
+
+	shareID := getURLParam(r, "id")
+	ctx, claims, err := s.getShareClaims(r, shareID)
+	if err != nil {
+		s.renderClientMessagePage(w, r, util.I18nShareAccessErrorTitle, http.StatusForbidden,
+			util.NewI18nError(err, util.I18nErrorInvalidToken), "")
+		return
+	}
+	removeCookie(w, r.WithContext(ctx), webBaseClientPath)
+
+	redirectURL := path.Join(webClientPubSharesPath, shareID, fmt.Sprintf("login?next=%s", url.QueryEscape(claims.Ref)))
+	http.Redirect(w, r, redirectURL, http.StatusFound)
+}
+
 func (s *httpdServer) handleClientSharedFile(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
 	validScopes := []dataprovider.ShareScope{dataprovider.ShareScopeRead}
@ -1908,7 +1967,7 @@ func (s *httpdServer) handleClientSharedFile(w http.ResponseWriter, r *http.Requ
 	if r.URL.RawQuery != "" {
 		query = "?" + r.URL.RawQuery
 	}
-	s.renderShareDownloadPage(w, r, path.Join(webClientPubSharesPath, share.ShareID)+query)
+	s.renderShareDownloadPage(w, r, &share, path.Join(webClientPubSharesPath, share.ShareID)+query)
 }

 func (s *httpdServer) handleClientCheckExist(w http.ResponseWriter, r *http.Request) {
@ -1983,7 +2042,7 @@ func doCheckExist(w http.ResponseWriter, r *http.Request, connection *Connection
 		}
 		existing := make([]map[string]any, 0)
 		for _, info := range contents {
-			if util.Contains(filesList.Files, info.Name()) {
+			if slices.Contains(filesList.Files, info.Name()) {
 				res := make(map[string]any)
 				res["name"] = info.Name()
 				if info.IsDir() {
--- a/internal/httpdtest/httpdtest.go
+++ b/internal/httpdtest/httpdtest.go
@ -25,6 +25,7 @@ import (
 	"net/http"
 	"net/url"
 	"path"
+	"slices"
 	"strconv"
 	"strings"

@ -36,7 +37,6 @@ import (
 	"github.com/drakkan/sftpgo/v2/internal/httpclient"
 	"github.com/drakkan/sftpgo/v2/internal/httpd"
 	"github.com/drakkan/sftpgo/v2/internal/kms"
-	"github.com/drakkan/sftpgo/v2/internal/util"
 	"github.com/drakkan/sftpgo/v2/internal/version"
 	"github.com/drakkan/sftpgo/v2/internal/vfs"
 )
@ -1662,7 +1662,7 @@ func compareConditionPatternOptions(expected, actual []dataprovider.ConditionPat
 	return nil
 }

-func checkEventConditionOptions(expected, actual dataprovider.ConditionOptions) error {
+func checkEventConditionOptions(expected, actual dataprovider.ConditionOptions) error { //nolint:gocyclo
 	if err := compareConditionPatternOptions(expected.Names, actual.Names); err != nil {
 		return errors.New("condition names mismatch")
 	}
@ -1679,15 +1679,23 @@ func checkEventConditionOptions(expected, actual dataprovider.ConditionOptions)
 		return errors.New("condition protocols mismatch")
 	}
 	for _, v := range expected.Protocols {
-		if !util.Contains(actual.Protocols, v) {
+		if !slices.Contains(actual.Protocols, v) {
 			return errors.New("condition protocols content mismatch")
 		}
 	}
+	if len(expected.EventStatuses) != len(actual.EventStatuses) {
+		return errors.New("condition statuses mismatch")
+	}
+	for _, v := range expected.EventStatuses {
+		if !slices.Contains(actual.EventStatuses, v) {
+			return errors.New("condition statuses content mismatch")
+		}
+	}
 	if len(expected.ProviderObjects) != len(actual.ProviderObjects) {
 		return errors.New("condition provider objects mismatch")
 	}
 	for _, v := range expected.ProviderObjects {
-		if !util.Contains(actual.ProviderObjects, v) {
+		if !slices.Contains(actual.ProviderObjects, v) {
 			return errors.New("condition provider objects content mismatch")
 		}
 	}
@ -1705,7 +1713,7 @@ func checkEventConditions(expected, actual dataprovider.EventConditions) error {
 		return errors.New("fs events mismatch")
 	}
 	for _, v := range expected.FsEvents {
-		if !util.Contains(actual.FsEvents, v) {
+		if !slices.Contains(actual.FsEvents, v) {
 			return errors.New("fs events content mismatch")
 		}
 	}
@ -1713,7 +1721,7 @@ func checkEventConditions(expected, actual dataprovider.EventConditions) error {
 		return errors.New("provider events mismatch")
 	}
 	for _, v := range expected.ProviderEvents {
-		if !util.Contains(actual.ProviderEvents, v) {
+		if !slices.Contains(actual.ProviderEvents, v) {
 			return errors.New("provider events content mismatch")
 		}
 	}
@ -1948,7 +1956,7 @@ func checkAdmin(expected, actual *dataprovider.Admin) error {
 		return errors.New("permissions mismatch")
 	}
 	for _, p := range expected.Permissions {
-		if !util.Contains(actual.Permissions, p) {
+		if !slices.Contains(actual.Permissions, p) {
 			return errors.New("permissions content mismatch")
 		}
 	}
@ -1966,7 +1974,7 @@ func compareAdminFilters(expected, actual dataprovider.AdminFilters) error {
 		return errors.New("allow list mismatch")
 	}
 	for _, v := range expected.AllowList {
-		if !util.Contains(actual.AllowList, v) {
+		if !slices.Contains(actual.AllowList, v) {
 			return errors.New("allow list content mismatch")
 		}
 	}
@ -2029,6 +2037,9 @@ func checkUser(expected *dataprovider.User, actual *dataprovider.User) error {
 	if expected.Email != actual.Email {
 		return errors.New("email mismatch")
 	}
+	if !slices.Equal(expected.Filters.AdditionalEmails, actual.Filters.AdditionalEmails) {
+		return errors.New("additional emails mismatch")
+	}
 	if expected.Filters.RequirePasswordChange != actual.Filters.RequirePasswordChange {
 		return errors.New("require_password_change mismatch")
 	}
@ -2057,7 +2068,7 @@ func compareUserPermissions(expected map[string][]string, actual map[string][]st
 	for dir, perms := range expected {
 		if actualPerms, ok := actual[dir]; ok {
 			for _, v := range actualPerms {
-				if !util.Contains(perms, v) {
+				if !slices.Contains(perms, v) {
 					return errors.New("permissions contents mismatch")
 				}
 			}
@ -2188,6 +2199,9 @@ func compareS3Config(expected *vfs.Filesystem, actual *vfs.Filesystem) error { /
 	if err := checkEncryptedSecret(expected.S3Config.AccessSecret, actual.S3Config.AccessSecret); err != nil {
 		return fmt.Errorf("fs S3 access secret mismatch: %v", err)
 	}
+	if err := checkEncryptedSecret(expected.S3Config.SSECustomerKey, actual.S3Config.SSECustomerKey); err != nil {
+		return fmt.Errorf("fs S3 SSE customer key mismatch: %v", err)
+	}
 	if expected.S3Config.Endpoint != actual.S3Config.Endpoint {
 		return errors.New("fs S3 endpoint mismatch")
 	}
@ -2310,7 +2324,7 @@ func compareSFTPFsConfig(expected *vfs.Filesystem, actual *vfs.Filesystem) error
 		return errors.New("SFTPFs fingerprints mismatch")
 	}
 	for _, value := range actual.SFTPConfig.Fingerprints {
-		if !util.Contains(expected.SFTPConfig.Fingerprints, value) {
+		if !slices.Contains(expected.SFTPConfig.Fingerprints, value) {
 			return errors.New("SFTPFs fingerprints mismatch")
 		}
 	}
@ -2401,27 +2415,27 @@ func checkEncryptedSecret(expected, actual *kms.Secret) error {

 func compareUserFilterSubStructs(expected sdk.BaseUserFilters, actual sdk.BaseUserFilters) error {
 	for _, IPMask := range expected.AllowedIP {
-		if !util.Contains(actual.AllowedIP, IPMask) {
+		if !slices.Contains(actual.AllowedIP, IPMask) {
 			return errors.New("allowed IP contents mismatch")
 		}
 	}
 	for _, IPMask := range expected.DeniedIP {
-		if !util.Contains(actual.DeniedIP, IPMask) {
+		if !slices.Contains(actual.DeniedIP, IPMask) {
 			return errors.New("denied IP contents mismatch")
 		}
 	}
 	for _, method := range expected.DeniedLoginMethods {
-		if !util.Contains(actual.DeniedLoginMethods, method) {
+		if !slices.Contains(actual.DeniedLoginMethods, method) {
 			return errors.New("denied login methods contents mismatch")
 		}
 	}
 	for _, protocol := range expected.DeniedProtocols {
-		if !util.Contains(actual.DeniedProtocols, protocol) {
+		if !slices.Contains(actual.DeniedProtocols, protocol) {
 			return errors.New("denied protocols contents mismatch")
 		}
 	}
 	for _, options := range expected.WebClient {
-		if !util.Contains(actual.WebClient, options) {
+		if !slices.Contains(actual.WebClient, options) {
 			return errors.New("web client options contents mismatch")
 		}
 	}
@ -2430,7 +2444,7 @@ func compareUserFilterSubStructs(expected sdk.BaseUserFilters, actual sdk.BaseUs
 		return errors.New("TLS certs mismatch")
 	}
 	for _, cert := range expected.TLSCerts {
-		if !util.Contains(actual.TLSCerts, cert) {
+		if !slices.Contains(actual.TLSCerts, cert) {
 			return errors.New("TLS certs content mismatch")
 		}
 	}
@ -2527,7 +2541,7 @@ func checkFilterMatch(expected []string, actual []string) bool {
 		return false
 	}
 	for _, e := range expected {
-		if !util.Contains(actual, strings.ToLower(e)) {
+		if !slices.Contains(actual, strings.ToLower(e)) {
 			return false
 		}
 	}
@ -2570,7 +2584,7 @@ func compareUserBandwidthLimitFilters(expected sdk.BaseUserFilters, actual sdk.B
 			return errors.New("bandwidth filters sources mismatch")
 		}
 		for _, source := range actual.BandwidthLimits[idx].Sources {
-			if !util.Contains(l.Sources, source) {
+			if !slices.Contains(l.Sources, source) {
 				return errors.New("bandwidth filters source mismatch")
 			}
 		}
@ -2601,9 +2615,28 @@ func compareUserFilePatternsFilters(expected sdk.BaseUserFilters, actual sdk.Bas
 	return nil
 }

+func compareRenameConfigs(expected, actual []dataprovider.RenameConfig) error {
+	if len(expected) != len(actual) {
+		return errors.New("rename configs mismatch")
+	}
+	for _, ex := range expected {
+		found := false
+		for _, ac := range actual {
+			if ac.Key == ex.Key && ac.Value == ex.Value && ac.UpdateModTime == ex.UpdateModTime {
+				found = true
+				break
+			}
+		}
+		if !found {
+			return errors.New("rename configs mismatch")
+		}
+	}
+	return nil
+}
+
 func compareKeyValues(expected, actual []dataprovider.KeyValue) error {
 	if len(expected) != len(actual) {
-		return errors.New("kay values mismatch")
+		return errors.New("key values mismatch")
 	}
 	for _, ex := range expected {
 		found := false
@ -2614,7 +2647,7 @@ func compareKeyValues(expected, actual []dataprovider.KeyValue) error {
 			}
 		}
 		if !found {
-			return errors.New("kay values mismatch")
+			return errors.New("key values mismatch")
 		}
 	}
 	return nil
@ -2680,7 +2713,7 @@ func compareEventActionEmailConfigFields(expected, actual dataprovider.EventActi
 		return errors.New("email recipients mismatch")
 	}
 	for _, v := range expected.Recipients {
-		if !util.Contains(actual.Recipients, v) {
+		if !slices.Contains(actual.Recipients, v) {
 			return errors.New("email recipients content mismatch")
 		}
 	}
@ -2688,7 +2721,7 @@ func compareEventActionEmailConfigFields(expected, actual dataprovider.EventActi
 		return errors.New("email bcc mismatch")
 	}
 	for _, v := range expected.Bcc {
-		if !util.Contains(actual.Bcc, v) {
+		if !slices.Contains(actual.Bcc, v) {
 			return errors.New("email bcc content mismatch")
 		}
 	}
@ -2705,7 +2738,7 @@ func compareEventActionEmailConfigFields(expected, actual dataprovider.EventActi
 		return errors.New("email attachments mismatch")
 	}
 	for _, v := range expected.Attachments {
-		if !util.Contains(actual.Attachments, v) {
+		if !slices.Contains(actual.Attachments, v) {
 			return errors.New("email attachments content mismatch")
 		}
 	}
@ -2720,7 +2753,7 @@ func compareEventActionFsCompressFields(expected, actual dataprovider.EventActio
 		return errors.New("fs compress paths mismatch")
 	}
 	for _, v := range expected.Paths {
-		if !util.Contains(actual.Paths, v) {
+		if !slices.Contains(actual.Paths, v) {
 			return errors.New("fs compress paths content mismatch")
 		}
 	}
@ -2731,7 +2764,7 @@ func compareEventActionFsConfigFields(expected, actual dataprovider.EventActionF
 	if expected.Type != actual.Type {
 		return errors.New("fs type mismatch")
 	}
-	if err := compareKeyValues(expected.Renames, actual.Renames); err != nil {
+	if err := compareRenameConfigs(expected.Renames, actual.Renames); err != nil {
 		return errors.New("fs renames mismatch")
 	}
 	if err := compareKeyValues(expected.Copy, actual.Copy); err != nil {
@ -2741,7 +2774,7 @@ func compareEventActionFsConfigFields(expected, actual dataprovider.EventActionF
 		return errors.New("fs deletes mismatch")
 	}
 	for _, v := range expected.Deletes {
-		if !util.Contains(actual.Deletes, v) {
+		if !slices.Contains(actual.Deletes, v) {
 			return errors.New("fs deletes content mismatch")
 		}
 	}
@ -2749,7 +2782,7 @@ func compareEventActionFsConfigFields(expected, actual dataprovider.EventActionF
 		return errors.New("fs mkdirs mismatch")
 	}
 	for _, v := range expected.MkDirs {
-		if !util.Contains(actual.MkDirs, v) {
+		if !slices.Contains(actual.MkDirs, v) {
 			return errors.New("fs mkdir content mismatch")
 		}
 	}
@ -2757,7 +2790,7 @@ func compareEventActionFsConfigFields(expected, actual dataprovider.EventActionF
 		return errors.New("fs exist mismatch")
 	}
 	for _, v := range expected.Exist {
-		if !util.Contains(actual.Exist, v) {
+		if !slices.Contains(actual.Exist, v) {
 			return errors.New("fs exist content mismatch")
 		}
 	}
@ -2788,7 +2821,7 @@ func compareEventActionCmdConfigFields(expected, actual dataprovider.EventAction
 		return errors.New("cmd args mismatch")
 	}
 	for _, v := range expected.Args {
-		if !util.Contains(actual.Args, v) {
+		if !slices.Contains(actual.Args, v) {
 			return errors.New("cmd args content mismatch")
 		}
 	}
--- a/internal/kms/kms.go
+++ b/internal/kms/kms.go
@ -73,7 +73,8 @@ var (
 	// ErrInvalidSecret defines the error to return if a secret is not valid
 	ErrInvalidSecret    = errors.New("invalid secret")
 	validSecretStatuses = []string{sdkkms.SecretStatusPlain, sdkkms.SecretStatusAES256GCM, sdkkms.SecretStatusSecretBox,
-		sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP, sdkkms.SecretStatusRedacted}
+		sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP, sdkkms.SecretStatusAzureKeyVault,
+		sdkkms.SecretStatusOracleKeyVault, sdkkms.SecretStatusRedacted}
 	config          Configuration
 	secretProviders = make(map[string]registeredSecretProvider)
 )
--- a/internal/logger/hclog.go
+++ b/internal/logger/hclog.go
@ -29,6 +29,11 @@ type HCLogAdapter struct {

 // Log emits a message and key/value pairs at a provided log level
 func (l *HCLogAdapter) Log(level hclog.Level, msg string, args ...any) {
+	// Workaround to avoid logging plugin arguments that may contain sensitive data.
+	// Check everytime we update go-plugin library.
+	if msg == "starting plugin" {
+		return
+	}
 	var ev *zerolog.Event
 	switch level {
 	case hclog.Info:
--- a/internal/logger/lego.go
+++ b/internal/logger/lego.go
@ -28,10 +28,10 @@ type LegoAdapter struct {
 // Fatal emits a log at Error level
 func (l *LegoAdapter) Fatal(args ...any) {
 	if l.LogToConsole {
-		ErrorToConsole(fmt.Sprint(args...))
+		ErrorToConsole("%s", fmt.Sprint(args...))
 		return
 	}
-	Log(LevelError, legoLogSender, "", fmt.Sprint(args...))
+	Log(LevelError, legoLogSender, "", "%s", fmt.Sprint(args...))
 }

 // Fatalln is the same as Fatal
@ -51,10 +51,10 @@ func (l *LegoAdapter) Fatalf(format string, args ...any) {
 // Print emits a log at Info level
 func (l *LegoAdapter) Print(args ...any) {
 	if l.LogToConsole {
-		InfoToConsole(fmt.Sprint(args...))
+		InfoToConsole("%s", fmt.Sprint(args...))
 		return
 	}
-	Log(LevelInfo, legoLogSender, "", fmt.Sprint(args...))
+	Log(LevelInfo, legoLogSender, "", "%s", fmt.Sprint(args...))
 }

 // Println is the same as Print
--- a/internal/logger/logger.go
+++ b/internal/logger/logger.go
@ -203,9 +203,15 @@ func ErrorToConsole(format string, v ...any) {

 // TransferLog logs uploads or downloads
 func TransferLog(operation, path string, elapsed int64, size int64, user, connectionID, protocol, localAddr,
-	remoteAddr, ftpMode string,
+	remoteAddr, ftpMode string, err error,
 ) {
-	ev := logger.Info().
+	var ev *zerolog.Event
+	if err != nil {
+		ev = logger.Error()
+	} else {
+		ev = logger.Info()
+	}
+	ev.
 		Timestamp().
 		Str("sender", operation).
 		Str("local_addr", localAddr).
@ -219,7 +225,7 @@ func TransferLog(operation, path string, elapsed int64, size int64, user, connec
 	if ftpMode != "" {
 		ev.Str("ftp_mode", ftpMode)
 	}
-	ev.Send()
+	ev.AnErr("error", err).Send()
 }

 // CommandLog logs an SFTP/SCP/SSH command
@ -262,6 +268,26 @@ func ConnectionFailedLog(user, ip, loginType, protocol, errorString string) {
 		Send()
 }

+// LoginLog logs successful logins.
+func LoginLog(user, ip, loginMethod, protocol, connectionID, clientVersion string, encrypted bool, info string) {
+	ev := logger.Info()
+	ev.Timestamp().
+		Str("sender", "login").
+		Str("ip", ip).
+		Str("username", user).
+		Str("method", loginMethod).
+		Str("protocol", protocol)
+	if connectionID != "" {
+		ev.Str("connection_id", connectionID)
+	}
+	ev.Str("client", clientVersion).
+		Bool("encrypted", encrypted)
+	if info != "" {
+		ev.Str("info", info)
+	}
+	ev.Send()
+}
+
 func isLogFilePathValid(logFilePath string) bool {
 	cleanInput := filepath.Clean(logFilePath)
 	if cleanInput == "." || cleanInput == ".." {
@ -284,7 +310,7 @@ func (l *StdLoggerWrapper) Write(p []byte) (n int, err error) {
 		p = p[0 : n-1]
 	}

-	Log(LevelError, l.Sender, "", bytesToString(p))
+	Log(LevelError, l.Sender, "", "%s", bytesToString(p))
 	return
 }

--- a/Show more
+++ b/Show more