Fix upgrade problem with otplib existing secrets

Use better-sqlite3 package for sqlite databases
Fix #5274 2fa backup codes not validating properly
2026-02-05 10:22:53 +00:00 · 2026-02-05 13:12:54 +10:00 · 2026-02-05 13:11:57 +10:00 · 2026-02-05 10:51:15 +10:00 · 2026-02-05 08:27:41 +10:00 · 2026-02-05 08:26:49 +10:00
451 changed files with 22018 additions and 4382 deletions
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,104 @@
 version: 2
 updates:
  - package-ecosystem: "npm"
    directory: "/backend"
    schedule:
      interval: "weekly"
    groups:
      dev-patch-updates:
        dependency-type: "development"
        update-types:
          - "patch"
      dev-minor-updates:
        dependency-type: "development"
        update-types:
          - "minor"
      prod-patch-updates:
        dependency-type: "production"
        update-types:
          - "patch"
      prod-minor-updates:
        dependency-type: "production"
        update-types:
          - "minor"
  - package-ecosystem: "npm"
    directory: "/frontend"
    schedule:
      interval: "weekly"
    groups:
      dev-patch-updates:
        dependency-type: "development"
        update-types:
          - "patch"
      dev-minor-updates:
        dependency-type: "development"
        update-types:
          - "minor"
      prod-patch-updates:
        dependency-type: "production"
        update-types:
          - "patch"
      prod-minor-updates:
        dependency-type: "production"
        update-types:
          - "minor"
  - package-ecosystem: "npm"
    directory: "/docs"
    schedule:
      interval: "weekly"
    groups:
      dev-patch-updates:
        dependency-type: "development"
        update-types:
          - "patch"
      dev-minor-updates:
        dependency-type: "development"
        update-types:
          - "minor"
      prod-patch-updates:
        dependency-type: "production"
        update-types:
          - "patch"
      prod-minor-updates:
        dependency-type: "production"
        update-types:
          - "minor"
  - package-ecosystem: "npm"
    directory: "/test"
    schedule:
      interval: "weekly"
    groups:
      dev-patch-updates:
        dependency-type: "development"
        update-types:
          - "patch"
      dev-minor-updates:
        dependency-type: "development"
        update-types:
          - "minor"
      prod-patch-updates:
        dependency-type: "production"
        update-types:
          - "patch"
      prod-minor-updates:
        dependency-type: "production"
        update-types:
          - "minor"
  - package-ecosystem: "docker"
    directory: "/docker"
    schedule:
      interval: "weekly"
    groups:
      updates:
        update-types:
          - "patch"
          - "minor"
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -8,7 +8,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
        with:
          stale-issue-label: 'stale'
          stale-pr-label: 'stale'
--- a/.version
+++ b/.version
@@ -1 +1 @@
-2.13.0
+2.13.7
--- a/285
+++ b/285
@@ -1,285 +0,0 @@
 import groovy.transform.Field
@Field
 def shOutput = ""
 def buildxPushTags = ""
 pipeline {
 	agent {
 		label 'docker-multiarch'
 	}
 	options {
 		buildDiscarder(logRotator(numToKeepStr: '5'))
 		disableConcurrentBuilds()
 		ansiColor('xterm')
 	}
 	environment {
 		IMAGE                      = 'nginx-proxy-manager'
 		BUILD_VERSION              = getVersion()
 		MAJOR_VERSION              = '2'
 		BRANCH_LOWER               = "${BRANCH_NAME.toLowerCase().replaceAll('\\\\', '-').replaceAll('/', '-').replaceAll('\\.', '-')}"
 		BUILDX_NAME                = "npm_${BRANCH_LOWER}_${BUILD_NUMBER}"
 		COMPOSE_INTERACTIVE_NO_CLI = 1
 	}
 	stages {
 		stage('Environment') {
 			parallel {
 				stage('Master') {
 					when {
 						branch 'master'
 					}
 					steps {
 						script {
 							buildxPushTags = "-t docker.io/jc21/${IMAGE}:${BUILD_VERSION} -t docker.io/jc21/${IMAGE}:${MAJOR_VERSION} -t docker.io/jc21/${IMAGE}:latest"
 						}
 					}
 				}
 				stage('Other') {
 					when {
 						not {
 							branch 'master'
 						}
 					}
 					steps {
 						script {
 							// Defaults to the Branch name, which is applies to all branches AND pr's
 							buildxPushTags = "-t docker.io/nginxproxymanager/${IMAGE}-dev:${BRANCH_LOWER}"
 						}
 					}
 				}
 				stage('Versions') {
 					steps {
 						sh 'cat frontend/package.json | jq --arg BUILD_VERSION "${BUILD_VERSION}" \'.version = $BUILD_VERSION\' | sponge frontend/package.json'
 						sh 'echo -e "\\E[1;36mFrontend Version is:\\E[1;33m $(cat frontend/package.json | jq -r .version)\\E[0m"'
 						sh 'cat backend/package.json | jq --arg BUILD_VERSION "${BUILD_VERSION}" \'.version = $BUILD_VERSION\' | sponge backend/package.json'
 						sh 'echo -e "\\E[1;36mBackend Version is:\\E[1;33m  $(cat backend/package.json | jq -r .version)\\E[0m"'
 						sh 'sed -i -E "s/(version-)[0-9]+\\.[0-9]+\\.[0-9]+(-green)/\\1${BUILD_VERSION}\\2/" README.md'
 					}
 				}
 				stage('Docker Login') {
 					steps {
 						withCredentials([usernamePassword(credentialsId: 'jc21-dockerhub', passwordVariable: 'dpass', usernameVariable: 'duser')]) {
 							sh 'docker login -u "${duser}" -p "${dpass}"'
 						}
 					}
 				}
 			}
 		}
 		stage('Builds') {
 			parallel {
 				stage('Project') {
 					steps {
 						script {
 							// Frontend and Backend
 							def shStatusCode = sh(label: 'Checking and Building', returnStatus: true, script: '''
 								set -e
 								./scripts/ci/frontend-build > ${WORKSPACE}/tmp-sh-build 2>&1
 								./scripts/ci/test-and-build > ${WORKSPACE}/tmp-sh-build 2>&1
 							''')
 							shOutput = readFile "${env.WORKSPACE}/tmp-sh-build"
 							if (shStatusCode != 0) {
 								error "${shOutput}"
 							}
 						}
 					}
 					post {
 						always {
 							sh 'rm -f ${WORKSPACE}/tmp-sh-build'
 						}
 						failure {
 							npmGithubPrComment("CI Error:\n\n```\n${shOutput}\n```", true)
 						}
 					}
 				}
 				stage('Docs') {
 					steps {
 						dir(path: 'docs') {
 							sh 'yarn install'
 							sh 'yarn build'
 						}
 					}
 				}
 			}
 		}
 		stage('Test Sqlite') {
 			environment {
 				COMPOSE_PROJECT_NAME = "npm_${BRANCH_LOWER}_${BUILD_NUMBER}_sqlite"
 				COMPOSE_FILE         = 'docker/docker-compose.ci.yml:docker/docker-compose.ci.sqlite.yml'
 			}
 			when {
 				not {
 					equals expected: 'UNSTABLE', actual: currentBuild.result
 				}
 			}
 			steps {
 				sh 'rm -rf ./test/results/junit/*'
 				sh './scripts/ci/fulltest-cypress'
 			}
 			post {
 				always {
 					// Dumps to analyze later
 					sh 'mkdir -p debug/sqlite'
 					sh 'docker logs $(docker compose ps --all -q fullstack) > debug/sqlite/docker_fullstack.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q stepca) > debug/sqlite/docker_stepca.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q pdns) > debug/sqlite/docker_pdns.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q pdns-db) > debug/sqlite/docker_pdns-db.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q dnsrouter) > debug/sqlite/docker_dnsrouter.log 2>&1'
 					junit 'test/results/junit/*'
 					sh 'docker compose down --remove-orphans --volumes -t 30 || true'
 				}
 				unstable {
 					dir(path: 'test/results') {
 						archiveArtifacts(allowEmptyArchive: true, artifacts: '**/*', excludes: '**/*.xml')
 					}
 				}
 			}
 		}
 		stage('Test Mysql') {
 			environment {
 				COMPOSE_PROJECT_NAME = "npm_${BRANCH_LOWER}_${BUILD_NUMBER}_mysql"
 				COMPOSE_FILE         = 'docker/docker-compose.ci.yml:docker/docker-compose.ci.mysql.yml'
 			}
 			when {
 				not {
 					equals expected: 'UNSTABLE', actual: currentBuild.result
 				}
 			}
 			steps {
 				sh 'rm -rf ./test/results/junit/*'
 				sh './scripts/ci/fulltest-cypress'
 			}
 			post {
 				always {
 					// Dumps to analyze later
 					sh 'mkdir -p debug/mysql'
 					sh 'docker logs $(docker compose ps --all -q fullstack) > debug/mysql/docker_fullstack.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q stepca) > debug/mysql/docker_stepca.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q pdns) > debug/mysql/docker_pdns.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q pdns-db) > debug/mysql/docker_pdns-db.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q dnsrouter) > debug/mysql/docker_dnsrouter.log 2>&1'
 					junit 'test/results/junit/*'
 					sh 'docker compose down --remove-orphans --volumes -t 30 || true'
 				}
 				unstable {
 					dir(path: 'test/results') {
 						archiveArtifacts(allowEmptyArchive: true, artifacts: '**/*', excludes: '**/*.xml')
 					}
 				}
 			}
 		}
 		stage('Test Postgres') {
 			environment {
 				COMPOSE_PROJECT_NAME = "npm_${BRANCH_LOWER}_${BUILD_NUMBER}_postgres"
 				COMPOSE_FILE         = 'docker/docker-compose.ci.yml:docker/docker-compose.ci.postgres.yml'
 			}
 			when {
 				not {
 					equals expected: 'UNSTABLE', actual: currentBuild.result
 				}
 			}
 			steps {
 				sh 'rm -rf ./test/results/junit/*'
 				sh './scripts/ci/fulltest-cypress'
 			}
 			post {
 				always {
 					// Dumps to analyze later
 					sh 'mkdir -p debug/postgres'
 					sh 'docker logs $(docker compose ps --all -q fullstack) > debug/postgres/docker_fullstack.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q stepca) > debug/postgres/docker_stepca.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q pdns) > debug/postgres/docker_pdns.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q pdns-db) > debug/postgres/docker_pdns-db.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q dnsrouter) > debug/postgres/docker_dnsrouter.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q db-postgres) > debug/postgres/docker_db-postgres.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q authentik) > debug/postgres/docker_authentik.log 2>&1'
 					sh 'docker logs $(docker compose ps --all -q authentik-redis) > debug/postgres/docker_authentik-redis.log 2>&1'
 					sh 'docker logs $(docke rcompose ps --all -q authentik-ldap) > debug/postgres/docker_authentik-ldap.log 2>&1'
 					junit 'test/results/junit/*'
 					sh 'docker compose down --remove-orphans --volumes -t 30 || true'
 				}
 				unstable {
 					dir(path: 'test/results') {
 						archiveArtifacts(allowEmptyArchive: true, artifacts: '**/*', excludes: '**/*.xml')
 					}
 				}
 			}
 		}
 		stage('MultiArch Build') {
 			when {
 				not {
 					equals expected: 'UNSTABLE', actual: currentBuild.result
 				}
 			}
 			steps {
 				sh "./scripts/buildx --push ${buildxPushTags}"
 			}
 		}
 		stage('Docs / Comment') {
 			parallel {
 				stage('Docs Job') {
 					when {
 						allOf {
 							branch pattern: "^(develop|master)\$", comparator: "REGEXP"
 							not {
 								equals expected: 'UNSTABLE', actual: currentBuild.result
 							}
 						}
 					}
 					steps {
 						build wait: false, job: 'nginx-proxy-manager-docs', parameters: [string(name: 'docs_branch', value: "$BRANCH_NAME")]
 					}
 				}
 				stage('PR Comment') {
 					when {
 						allOf {
 							changeRequest()
 							not {
 								equals expected: 'UNSTABLE', actual: currentBuild.result
 							}
 						}
 					}
 					steps {
 						script {
 							npmGithubPrComment("""Docker Image for build ${BUILD_NUMBER} is available on [DockerHub](https://cloud.docker.com/repository/docker/nginxproxymanager/${IMAGE}-dev):
 ```
 nginxproxymanager/${IMAGE}-dev:${BRANCH_LOWER}
 ```
 > [!NOTE]
 > Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
 > This is a different docker image namespace than the official image.
 > [!WARNING]
 > Changes and additions to DNS Providers require verification by at least 2 members of the community!
 """, true)
 						}
 					}
 				}
 			}
 		}
 	}
 	post {
 		always {
 			sh 'echo Reverting ownership'
 			sh 'docker run --rm -v "$(pwd):/data" jc21/ci-tools chown -R "$(id -u):$(id -g)" /data'
 			printResult(true)
 		}
 		failure {
 			archiveArtifacts(artifacts: 'debug/**/*.*', allowEmptyArchive: true)
 		}
 		unstable {
 			archiveArtifacts(artifacts: 'debug/**/*.*', allowEmptyArchive: true)
 		}
 	}
 }
 def getVersion() {
 	ver = sh(script: 'cat .version', returnStdout: true)
 	return ver.trim()
 }
 def getCommit() {
 	ver = sh(script: 'git log -n 1 --format=%h', returnStdout: true)
 	return ver.trim()
 }
--- a/README.md
+++ b/README.md
@@ -1,7 +1,7 @@
 <p align="center">
 	<img src="https://nginxproxymanager.com/github.png">
 	<br><br>
-	<img src="https://img.shields.io/badge/version-2.13.0-green.svg?style=for-the-badge">
+	<img src="https://img.shields.io/badge/version-2.13.7-green.svg?style=for-the-badge">
 	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
 		<img src="https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge">
 	</a>
--- a/backend/app.js
+++ b/backend/app.js
@@ -5,7 +5,7 @@ import fileUpload from "express-fileupload";
 import { isDebugMode } from "./lib/config.js";
 import cors from "./lib/express/cors.js";
 import jwt from "./lib/express/jwt.js";
-import { express as logger } from "./logger.js";
+import { debug, express as logger } from "./logger.js";
 import mainRoutes from "./routes/main.js";
 /**
@@ -80,7 +80,7 @@ app.use((err, req, res, _) => {
 	// Not every error is worth logging - but this is good for now until it gets annoying.
 	if (typeof err.stack !== "undefined" && err.stack) {
-		logger.debug(err.stack);
+		debug(logger, err.stack);
 		if (typeof err.public === "undefined" || !err.public) {
 			logger.warn(err.message);
 		}
--- a/backend/biome.json
+++ b/backend/biome.json
@@ -1,5 +1,5 @@
 {
-    "$schema": "https://biomejs.dev/schemas/2.3.1/schema.json",
+    "$schema": "https://biomejs.dev/schemas/2.3.14/schema.json",
    "vcs": {
        "enabled": true,
        "clientKind": "git",
--- a/backend/certbot/dns-plugins.json
+++ b/backend/certbot/dns-plugins.json
@@ -26,8 +26,8 @@
 	"azure": {
 		"name": "Azure",
 		"package_name": "certbot-dns-azure",
-		"version": "~=1.2.0",
+		"version": "~=2.6.1",
-		"dependencies": "",
+		"dependencies": "azure-mgmt-dns==8.2.0",
 		"credentials": "# This plugin supported API authentication using either Service Principals or utilizing a Managed Identity assigned to the virtual machine.\n# Regardless which authentication method used, the identity will need the “DNS Zone Contributor” role assigned to it.\n# As multiple Azure DNS Zones in multiple resource groups can exist, the config file needs a mapping of zone to resource group ID. Multiple zones -> ID mappings can be listed by using the key dns_azure_zoneX where X is a unique number. At least 1 zone mapping is required.\n\n# Using a service principal (option 1)\ndns_azure_sp_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5\ndns_azure_sp_client_secret = E-xqXU83Y-jzTI6xe9fs2YC~mck3ZzUih9\ndns_azure_tenant_id = ed1090f3-ab18-4b12-816c-599af8a88cf7\n\n# Using used assigned MSI (option 2)\n# dns_azure_msi_client_id = 912ce44a-0156-4669-ae22-c16a17d34ca5\n\n# Using system assigned MSI (option 3)\n# dns_azure_msi_system_assigned = true\n\n# Zones (at least one always required)\ndns_azure_zone1 = example.com:/subscriptions/c135abce-d87d-48df-936c-15596c6968a5/resourceGroups/dns1\ndns_azure_zone2 = example.org:/subscriptions/99800903-fb14-4992-9aff-12eaf2744622/resourceGroups/dns2",
 		"full_plugin_name": "dns-azure"
 	},
@@ -74,7 +74,7 @@
 	"cloudns": {
 		"name": "ClouDNS",
 		"package_name": "certbot-dns-cloudns",
-		"version": "~=0.6.0",
+		"version": "~=0.7.0",
 		"dependencies": "",
 		"credentials": "# Target user ID (see https://www.cloudns.net/api-settings/)\n\tdns_cloudns_auth_id=1234\n\t# Alternatively, one of the following two options can be set:\n\t# dns_cloudns_sub_auth_id=1234\n\t# dns_cloudns_sub_auth_user=foobar\n\n\t# API password\n\tdns_cloudns_auth_password=password1",
 		"full_plugin_name": "dns-cloudns"
@@ -255,6 +255,14 @@
 		"credentials": "dns_gcore_apitoken = 0123456789abcdef0123456789abcdef01234567",
 		"full_plugin_name": "dns-gcore"
 	},
 	"glesys": {
 		"name": "Glesys",
 		"package_name": "certbot-dns-glesys",
 		"version": "~=2.1.0",
 		"dependencies": "",
 		"credentials": "dns_glesys_user = CL00000\ndns_glesys_password = apikeyvalue",
 		"full_plugin_name": "dns-glesys"
 	},
 	"godaddy": {
 		"name": "GoDaddy",
 		"package_name": "certbot-dns-godaddy",
@@ -287,6 +295,14 @@
 		"credentials": "dns_he_user = Me\ndns_he_pass = my HE password",
 		"full_plugin_name": "dns-he"
 	},
 	"he-ddns": {
 		"name": "Hurricane Electric - DDNS",
 		"package_name": "certbot-dns-he-ddns",
 		"version": "~=0.1.0",
 		"dependencies": "",
 		"credentials": "dns_he_ddns_password = verysecurepassword",
 		"full_plugin_name": "dns-he-ddns"
 	},
 	"hetzner": {
 		"name": "Hetzner",
 		"package_name": "certbot-dns-hetzner",
@@ -295,6 +311,14 @@
 		"credentials": "dns_hetzner_api_token = 0123456789abcdef0123456789abcdef",
 		"full_plugin_name": "dns-hetzner"
 	},
 	"hetzner-cloud": {
 		"name": "Hetzner Cloud",
 		"package_name": "certbot-dns-hetzner-cloud",
 		"version": "~=1.0.4",
 		"dependencies": "",
 		"credentials": "dns_hetzner_cloud_api_token = your_api_token_here",
 		"full_plugin_name": "dns-hetzner-cloud"
    },
 	"hostingnl": {
 		"name": "Hosting.nl",
 		"package_name": "certbot-dns-hostingnl",
@@ -359,10 +383,18 @@
 		"credentials": "dns_joker_username = <Dynamic DNS Authentication Username>\ndns_joker_password = <Dynamic DNS Authentication Password>\ndns_joker_domain = <Dynamic DNS Domain>",
 		"full_plugin_name": "dns-joker"
 	},
 	"kas": {
        "name": "All-Inkl",
        "package_name": "certbot-dns-kas",
        "version": "~=0.1.1",
        "dependencies": "kasserver",
        "credentials": "dns_kas_user = your_kas_user\ndns_kas_password = your_kas_password",
        "full_plugin_name": "dns-kas"
    },
 	"leaseweb": {
 		"name": "LeaseWeb",
 		"package_name": "certbot-dns-leaseweb",
-		"version": "~=1.0.1",
+		"version": "~=1.0.3",
 		"dependencies": "",
 		"credentials": "dns_leaseweb_api_token = 01234556789",
 		"full_plugin_name": "dns-leaseweb"
@@ -391,6 +423,14 @@
 		"credentials": "dns_luadns_email = user@example.com\ndns_luadns_token = 0123456789abcdef0123456789abcdef",
 		"full_plugin_name": "dns-luadns"
 	},
 	"mchost24": {
 		"name": "MC-HOST24",
 		"package_name": "certbot-dns-mchost24",
 		"version": "",
 		"dependencies": "",
 		"credentials": "# Obtain API token using https://github.com/JoeJoeTV/mchost24-api-python\ndns_mchost24_api_token=<insert obtained API token here>",
 		"full_plugin_name": "dns-mchost24"
 	},
 	"mijnhost": {
 		"name": "mijn.host",
 		"package_name": "certbot-dns-mijn-host",
@@ -466,7 +506,7 @@
 	"porkbun": {
 		"name": "Porkbun",
 		"package_name": "certbot-dns-porkbun",
-		"version": "~=0.9",
+		"version": "~=0.11.0",
 		"dependencies": "",
 		"credentials": "dns_porkbun_key=your-porkbun-api-key\ndns_porkbun_secret=your-porkbun-api-secret",
 		"full_plugin_name": "dns-porkbun"
@@ -511,6 +551,14 @@
 		"credentials": "[default]\naws_access_key_id=AKIAIOSFODNN7EXAMPLE\naws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
 		"full_plugin_name": "dns-route53"
 	},
 	"simply": {
 		"name": "Simply",
 		"package_name": "certbot-dns-simply",
 		"version": "~=0.1.2",
 		"dependencies": "",
 		"credentials": "dns_simply_account_name = UExxxxxx\ndns_simply_api_key = DsHJdsjh2812872sahj",
 		"full_plugin_name": "dns-simply"
 	},
 	"spaceship": {
 		"name": "Spaceship",
 		"package_name": "certbot-dns-spaceship",
--- a/backend/db.js
+++ b/backend/db.js
@@ -1,6 +1,8 @@
 import knex from "knex";
 import {configGet, configHas} from "./lib/config.js";
 let instance = null;
 const generateDbConfig = () => {
 	if (!configHas("database")) {
 		throw new Error(
@@ -21,7 +23,8 @@ const generateDbConfig = () => {
 			user: cfg.user,
 			password: cfg.password,
 			database: cfg.name,
-			port: cfg.port,
+			port:     cfg.port,
 			...(cfg.ssl ? { ssl: cfg.ssl } : {})
 		},
 		migrations: {
 			tableName: "migrations",
@@ -29,4 +32,11 @@ const generateDbConfig = () => {
 	};
 };
-export default knex(generateDbConfig());
+const getInstance = () => {
 	if (!instance) {
 		instance = knex(generateDbConfig());
 	}
 	return instance;
 }
 export default getInstance;
--- a/backend/internal/2fa.js
+++ b/backend/internal/2fa.js
@@ -0,0 +1,302 @@
 import crypto from "node:crypto";
 import bcrypt from "bcrypt";
 import { createGuardrails, generateSecret, generateURI, verify } from "otplib";
 import errs from "../lib/error.js";
 import authModel from "../models/auth.js";
 import internalUser from "./user.js";
 const APP_NAME = "Nginx Proxy Manager";
 const BACKUP_CODE_COUNT = 8;
 /**
 * Generate backup codes
 * @returns {Promise<{plain: string[], hashed: string[]}>}
 */
 const generateBackupCodes = async () => {
 	const plain = [];
 	const hashed = [];
 	for (let i = 0; i < BACKUP_CODE_COUNT; i++) {
 		const code = crypto.randomBytes(4).toString("hex").toUpperCase();
 		plain.push(code);
 		const hash = await bcrypt.hash(code, 10);
 		hashed.push(hash);
 	}
 	return { plain, hashed };
 };
 const internal2fa = {
 	/**
 	 * Check if user has 2FA enabled
 	 * @param {number} userId
 	 * @returns {Promise<boolean>}
 	 */
 	isEnabled: async (userId) => {
 		const auth = await internal2fa.getUserPasswordAuth(userId);
 		return auth?.meta?.totp_enabled === true;
 	},
 	/**
 	 * Get 2FA status for user
 	 * @param   {Access}  access
 	 * @param   {number}  userId
 	 * @returns {Promise<{enabled: boolean, backup_codes_remaining: number}>}
 	 */
 	getStatus: async (access, userId) => {
 		await access.can("users:password", userId);
 		await internalUser.get(access, { id: userId });
 		const auth = await internal2fa.getUserPasswordAuth(userId);
 		const enabled = auth?.meta?.totp_enabled === true;
 		let backup_codes_remaining = 0;
 		if (enabled) {
 			const backupCodes = auth.meta.backup_codes || [];
 			backup_codes_remaining = backupCodes.length;
 		}
 		return {
 			enabled,
 			backup_codes_remaining,
 		};
 	},
 	/**
 	 * Start 2FA setup - store pending secret
 	 *
 	 * @param   {Access}  access
 	 * @param   {number} userId
 	 * @returns {Promise<{secret: string, otpauth_url: string}>}
 	 */
 	startSetup: async (access, userId) => {
 		await access.can("users:password", userId);
 		const user = await internalUser.get(access, { id: userId });
 		const secret = generateSecret();
 		const otpauth_url = generateURI({
 			issuer: APP_NAME,
 			label: user.email,
 			secret: secret,
 		});
 		const auth = await internal2fa.getUserPasswordAuth(userId);
 		// ensure user isn't already setup for 2fa
 		const enabled = auth?.meta?.totp_enabled === true;
 		if (enabled) {
 			throw new errs.ValidationError("2FA is already enabled");
 		}
 		const meta = auth.meta || {};
 		meta.totp_pending_secret = secret;
 		await authModel
 			.query()
 			.where("id", auth.id)
 			.andWhere("user_id", userId)
 			.andWhere("type", "password")
 			.patch({ meta });
 		return { secret, otpauth_url };
 	},
 	/**
 	 * Enable 2FA after verifying code
 	 *
 	 * @param   {Access}  access
 	 * @param   {number}  userId
 	 * @param   {string}  code
 	 * @returns {Promise<{backup_codes: string[]}>}
 	 */
 	enable: async (access, userId, code) => {
 		await access.can("users:password", userId);
 		await internalUser.get(access, { id: userId });
 		const auth = await internal2fa.getUserPasswordAuth(userId);
 		const secret = auth?.meta?.totp_pending_secret || false;
 		if (!secret) {
 			throw new errs.ValidationError("No pending 2FA setup found");
 		}
 		const result = await verify({ token: code, secret });
 		if (!result.valid) {
 			throw new errs.ValidationError("Invalid verification code");
 		}
 		const { plain, hashed } = await generateBackupCodes();
 		const meta = {
 			...auth.meta,
 			totp_secret: secret,
 			totp_enabled: true,
 			totp_enabled_at: new Date().toISOString(),
 			backup_codes: hashed,
 		};
 		delete meta.totp_pending_secret;
 		await authModel
 			.query()
 			.where("id", auth.id)
 			.andWhere("user_id", userId)
 			.andWhere("type", "password")
 			.patch({ meta });
 		return { backup_codes: plain };
 	},
 	/**
 	 * Disable 2FA
 	 *
 	 * @param   {Access}  access
 	 * @param   {number} userId
 	 * @param   {string} code
 	 * @returns {Promise<void>}
 	 */
 	disable: async (access, userId, code) => {
 		await access.can("users:password", userId);
 		await internalUser.get(access, { id: userId });
 		const auth = await internal2fa.getUserPasswordAuth(userId);
 		const enabled = auth?.meta?.totp_enabled === true;
 		if (!enabled) {
 			throw new errs.ValidationError("2FA is not enabled");
 		}
 		const result = await verify({
 			token: code,
 			secret: auth.meta.totp_secret,
 		});
 		if (!result.valid) {
 			throw new errs.AuthError("Invalid verification code");
 		}
 		const meta = { ...auth.meta };
 		delete meta.totp_secret;
 		delete meta.totp_enabled;
 		delete meta.totp_enabled_at;
 		delete meta.backup_codes;
 		await authModel
 			.query()
 			.where("id", auth.id)
 			.andWhere("user_id", userId)
 			.andWhere("type", "password")
 			.patch({ meta });
 	},
 	/**
 	 * Verify 2FA code for login
 	 *
 	 * @param   {number} userId
 	 * @param   {string} token
 	 * @returns {Promise<boolean>}
 	 */
 	verifyForLogin: async (userId, token) => {
 		const auth = await internal2fa.getUserPasswordAuth(userId);
 		const secret = auth?.meta?.totp_secret || false;
 		if (!secret) {
 			return false;
 		}
 		// Try TOTP code first, if it's 6 chars. it will throw errors if it's not 6 chars
 		// and the backup codes are 8 chars.
 		if (token.length === 6) {
 			const result = await verify({
 				token,
 				secret,
 				// These guardrails lower the minimum length requirement for secrets.
 				// In v12 of otplib the default minimum length is 10 and in v13 it is 16.
 				// Since there are 2fa secrets in the wild generated with v12 we need to allow shorter secrets
 				// so people won't be locked out when upgrading.
 				guardrails: createGuardrails({
 					MIN_SECRET_BYTES: 10,
 				}),
 			});
 			if (result.valid) {
 				return true;
 			}
 		}
 		// Try backup codes
 		const backupCodes = auth?.meta?.backup_codes || [];
 		for (let i = 0; i < backupCodes.length; i++) {
 			const match = await bcrypt.compare(token.toUpperCase(), backupCodes[i]);
 			if (match) {
 				// Remove used backup code
 				const updatedCodes = [...backupCodes];
 				updatedCodes.splice(i, 1);
 				const meta = { ...auth.meta, backup_codes: updatedCodes };
 				await authModel
 					.query()
 					.where("id", auth.id)
 					.andWhere("user_id", userId)
 					.andWhere("type", "password")
 					.patch({ meta });
 				return true;
 			}
 		}
 		return false;
 	},
 	/**
 	 * Regenerate backup codes
 	 *
 	 * @param   {Access}  access
 	 * @param   {number}  userId
 	 * @param   {string}  token
 	 * @returns {Promise<{backup_codes: string[]}>}
 	 */
 	regenerateBackupCodes: async (access, userId, token) => {
 		await access.can("users:password", userId);
 		await internalUser.get(access, { id: userId });
 		const auth = await internal2fa.getUserPasswordAuth(userId);
 		const enabled = auth?.meta?.totp_enabled === true;
 		const secret = auth?.meta?.totp_secret || false;
 		if (!enabled) {
 			throw new errs.ValidationError("2FA is not enabled");
 		}
 		if (!secret) {
 			throw new errs.ValidationError("No 2FA secret found");
 		}
 		const result = await verify({
 			token,
 			secret,
 		});
 		if (!result.valid) {
 			throw new errs.ValidationError("Invalid verification code");
 		}
 		const { plain, hashed } = await generateBackupCodes();
 		const meta = { ...auth.meta, backup_codes: hashed };
 		await authModel
 			.query()
 			.where("id", auth.id)
 			.andWhere("user_id", userId)
 			.andWhere("type", "password")
 			.patch({ meta });
 		return { backup_codes: plain };
 	},
 	getUserPasswordAuth: async (userId) => {
 		const auth = await authModel
 			.query()
 			.where("user_id", userId)
 			.andWhere("type", "password")
 			.first();
 		if (!auth) {
 			throw new errs.ItemNotFoundError("Auth not found");
 		}
 		return auth;
 	},
 };
 export default internal2fa;
--- a/backend/internal/certificate.js
+++ b/backend/internal/certificate.js
@@ -4,13 +4,14 @@ import path from "path";
 import archiver from "archiver";
 import _ from "lodash";
 import moment from "moment";
 import { ProxyAgent } from "proxy-agent";
 import tempWrite from "temp-write";
 import dnsPlugins from "../certbot/dns-plugins.json" with { type: "json" };
 import { installPlugin } from "../lib/certbot.js";
 import { useLetsencryptServer, useLetsencryptStaging } from "../lib/config.js";
 import error from "../lib/error.js";
 import utils from "../lib/utils.js";
-import { ssl as logger } from "../logger.js";
+import { debug, ssl as logger } from "../logger.js";
 import certificateModel from "../models/certificate.js";
 import tokenModel from "../models/token.js";
 import userModel from "../models/user.js";
@@ -355,7 +356,7 @@ const internalCertificate = {
 			const opName = `/tmp/${downloadName}`;
 			await internalCertificate.zipFiles(certFiles, opName);
-			logger.debug("zip completed : ", opName);
+			debug(logger, "zip completed : ", opName);
 			return {
 				fileName: opName,
 			};
@@ -375,7 +376,7 @@ const internalCertificate = {
 		return new Promise((resolve, reject) => {
 			source.map((fl) => {
 				const fileName = path.basename(fl);
-				logger.debug(fl, "added to certificate zip");
+				debug(logger, fl, "added to certificate zip");
 				archive.file(fl, { name: fileName });
 				return true;
 			});
@@ -797,6 +798,11 @@ const internalCertificate = {
 			certificate.domain_names.join(","),
 		];
 		// Add key-type parameter if specified
 		if (certificate.meta?.key_type) {
 			args.push("--key-type", certificate.meta.key_type);
 		}
 		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id);
 		args.push(...adds.args);
@@ -857,6 +863,11 @@ const internalCertificate = {
 			);
 		}
 		// Add key-type parameter if specified
 		if (certificate.meta?.key_type) {
 			args.push("--key-type", certificate.meta.key_type);
 		}
 		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id, certificate.meta.dns_provider);
 		args.push(...adds.args);
@@ -937,6 +948,11 @@ const internalCertificate = {
 			"--disable-hook-validation",
 		];
 		// Add key-type parameter if specified
 		if (certificate.meta?.key_type) {
 			args.push("--key-type", certificate.meta.key_type);
 		}
 		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id, certificate.meta.dns_provider);
 		args.push(...adds.args);
@@ -978,6 +994,11 @@ const internalCertificate = {
 			"--no-random-sleep-on-renew",
 		];
 		// Add key-type parameter if specified
 		if (certificate.meta?.key_type) {
 			args.push("--key-type", certificate.meta.key_type);
 		}
 		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id, certificate.meta.dns_provider);
 		args.push(...adds.args);
@@ -1114,6 +1135,7 @@ const internalCertificate = {
 	performTestForDomain: async (domain) => {
 		logger.info(`Testing http challenge for ${domain}`);
 		const agent = new ProxyAgent();
 		const url = `http://${domain}/.well-known/acme-challenge/test-challenge`;
 		const formBody = `method=G&url=${encodeURI(url)}&bodytype=T&requestbody=&headername=User-Agent&headervalue=None&locationid=1&ch=false&cc=false`;
 		const options = {
@@ -1123,6 +1145,7 @@ const internalCertificate = {
 				"Content-Type": "application/x-www-form-urlencoded",
 				"Content-Length": Buffer.byteLength(formBody),
 			},
 			agent,
 		};
 		const result = await new Promise((resolve) => {
--- a/backend/internal/ip_ranges.js
+++ b/backend/internal/ip_ranges.js
@@ -2,6 +2,7 @@ import fs from "node:fs";
 import https from "node:https";
 import { dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 import { ProxyAgent } from "proxy-agent";
 import errs from "../lib/error.js";
 import utils from "../lib/utils.js";
 import { ipRanges as logger } from "../logger.js";
@@ -29,10 +30,11 @@ const internalIpRanges = {
 	},
 	fetchUrl: (url) => {
 		const agent = new ProxyAgent();
 		return new Promise((resolve, reject) => {
 			logger.info(`Fetching ${url}`);
 			return https
-				.get(url, (res) => {
+				.get(url, { agent }, (res) => {
 					res.setEncoding("utf8");
 					let raw_data = "";
 					res.on("data", (chunk) => {
--- a/backend/internal/nginx.js
+++ b/backend/internal/nginx.js
@@ -4,7 +4,7 @@ import { fileURLToPath } from "node:url";
 import _ from "lodash";
 import errs from "../lib/error.js";
 import utils from "../lib/utils.js";
-import { nginx as logger } from "../logger.js";
+import { debug, nginx as logger } from "../logger.js";
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
@@ -68,7 +68,7 @@ const internalNginx = {
 							return true;
 						});
-						logger.debug("Nginx test failed:", valid_lines.join("\n"));
+						debug(logger, "Nginx test failed:", valid_lines.join("\n"));
 						// config is bad, update meta and delete config
 						combined_meta = _.assign({}, host.meta, {
@@ -102,7 +102,7 @@ const internalNginx = {
 	 * @returns {Promise}
 	 */
 	test: () => {
-		logger.debug("Testing Nginx configuration");
+		debug(logger, "Testing Nginx configuration");
 		return utils.execFile("/usr/sbin/nginx", ["-t", "-g", "error_log off;"]);
 	},
@@ -190,7 +190,7 @@ const internalNginx = {
 		const host = JSON.parse(JSON.stringify(host_row));
 		const nice_host_type = internalNginx.getFileFriendlyHostType(host_type);
-		logger.debug(`Generating ${nice_host_type} Config:`, JSON.stringify(host, null, 2));
+		debug(logger, `Generating ${nice_host_type} Config:`, JSON.stringify(host, null, 2));
 		const renderEngine = utils.getRenderEngine();
@@ -216,6 +216,11 @@ const internalNginx = {
 				}
 			}
 			// For redirection hosts, if the scheme is not http or https, set it to $scheme
 			if (nice_host_type === "redirection_host" && ['http', 'https'].indexOf(host.forward_scheme.toLowerCase()) === -1) {
 				host.forward_scheme = "$scheme";
 			}
 			if (host.locations) {
 				//logger.info ('host.locations = ' + JSON.stringify(host.locations, null, 2));
 				origLocations = [].concat(host.locations);
@@ -241,7 +246,7 @@ const internalNginx = {
 					.parseAndRender(template, host)
 					.then((config_text) => {
 						fs.writeFileSync(filename, config_text, { encoding: "utf8" });
-						logger.debug("Wrote config:", filename, config_text);
+						debug(logger, "Wrote config:", filename, config_text);
 						// Restore locations array
 						host.locations = origLocations;
@@ -249,7 +254,7 @@ const internalNginx = {
 						resolve(true);
 					})
 					.catch((err) => {
-						logger.debug(`Could not write ${filename}:`, err.message);
+						debug(logger, `Could not write ${filename}:`, err.message);
 						reject(new errs.ConfigurationError(err.message));
 					});
 			});
@@ -265,7 +270,7 @@ const internalNginx = {
 	 * @returns {Promise}
 	 */
 	generateLetsEncryptRequestConfig: (certificate) => {
-		logger.debug("Generating LetsEncrypt Request Config:", certificate);
+		debug(logger, "Generating LetsEncrypt Request Config:", certificate);
 		const renderEngine = utils.getRenderEngine();
 		return new Promise((resolve, reject) => {
@@ -285,11 +290,11 @@ const internalNginx = {
 				.parseAndRender(template, certificate)
 				.then((config_text) => {
 					fs.writeFileSync(filename, config_text, { encoding: "utf8" });
-					logger.debug("Wrote config:", filename, config_text);
+					debug(logger, "Wrote config:", filename, config_text);
 					resolve(true);
 				})
 				.catch((err) => {
-					logger.debug(`Could not write ${filename}:`, err.message);
+					debug(logger, `Could not write ${filename}:`, err.message);
 					reject(new errs.ConfigurationError(err.message));
 				});
 		});
@@ -305,10 +310,10 @@ const internalNginx = {
 			return;
 		}
 		try {
-			logger.debug(`Deleting file: ${filename}`);
+			debug(logger, `Deleting file: ${filename}`);
 			fs.unlinkSync(filename);
 		} catch (err) {
-			logger.debug("Could not delete file:", JSON.stringify(err, null, 2));
+			debug(logger, "Could not delete file:", JSON.stringify(err, null, 2));
 		}
 	},
--- a/backend/internal/remote-version.js
+++ b/backend/internal/remote-version.js
@@ -0,0 +1,84 @@
 import https from "node:https";
 import { ProxyAgent } from "proxy-agent";
 import { debug, remoteVersion as logger } from "../logger.js";
 import pjson from "../package.json" with { type: "json" };
 const VERSION_URL = "https://api.github.com/repos/NginxProxyManager/nginx-proxy-manager/releases/latest";
 const internalRemoteVersion = {
 	cache_timeout: 1000 * 60 * 15, // 15 minutes
 	last_result: null,
 	last_fetch_time: null,
 	/**
 	 * Fetch the latest version info, using a cached result if within the cache timeout period.
 	 * @return {Promise<{current: string, latest: string, update_available: boolean}>} Version info
 	 */
 	get: async () => {
 		if (
 			!internalRemoteVersion.last_result ||
 			!internalRemoteVersion.last_fetch_time ||
 			Date.now() - internalRemoteVersion.last_fetch_time > internalRemoteVersion.cache_timeout
 		) {
 			const raw = await internalRemoteVersion.fetchUrl(VERSION_URL);
 			const data = JSON.parse(raw);
 			internalRemoteVersion.last_result = data;
 			internalRemoteVersion.last_fetch_time = Date.now();
 		} else {
 			debug(logger, "Using cached remote version result");
 		}
 		const latestVersion = internalRemoteVersion.last_result.tag_name;
 		const version = pjson.version.split("-").shift().split(".");
 		const currentVersion = `v${version[0]}.${version[1]}.${version[2]}`;
 		return {
 			current: currentVersion,
 			latest: latestVersion,
 			update_available: internalRemoteVersion.compareVersions(currentVersion, latestVersion),
 		};
 	},
 	fetchUrl: (url) => {
 		const agent = new ProxyAgent();
 		const headers = {
 			"User-Agent": `NginxProxyManager v${pjson.version}`,
 		};
 		return new Promise((resolve, reject) => {
 			logger.info(`Fetching ${url}`);
 			return https
 				.get(url, { agent, headers }, (res) => {
 					res.setEncoding("utf8");
 					let raw_data = "";
 					res.on("data", (chunk) => {
 						raw_data += chunk;
 					});
 					res.on("end", () => {
 						resolve(raw_data);
 					});
 				})
 				.on("error", (err) => {
 					reject(err);
 				});
 		});
 	},
 	compareVersions: (current, latest) => {
 		const cleanCurrent = current.replace(/^v/, "");
 		const cleanLatest = latest.replace(/^v/, "");
 		const currentParts = cleanCurrent.split(".").map(Number);
 		const latestParts = cleanLatest.split(".").map(Number);
 		for (let i = 0; i < Math.max(currentParts.length, latestParts.length); i++) {
 			const curr = currentParts[i] || 0;
 			const lat = latestParts[i] || 0;
 			if (lat > curr) return true;
 			if (lat < curr) return false;
 		}
 		return false;
 	},
 };
 export default internalRemoteVersion;
--- a/backend/internal/report.js
+++ b/backend/internal/report.js
@@ -15,10 +15,10 @@ const internalReport = {
 				const userId = access.token.getUserId(1);
 				const promises = [
-					internalProxyHost.getCount(userId, access_data.visibility),
+					internalProxyHost.getCount(userId, access_data.permission_visibility),
-					internalRedirectionHost.getCount(userId, access_data.visibility),
+					internalRedirectionHost.getCount(userId, access_data.permission_visibility),
-					internalStream.getCount(userId, access_data.visibility),
+					internalStream.getCount(userId, access_data.permission_visibility),
-					internalDeadHost.getCount(userId, access_data.visibility),
+					internalDeadHost.getCount(userId, access_data.permission_visibility),
 				];
 				return Promise.all(promises);
--- a/backend/internal/token.js
+++ b/backend/internal/token.js
@@ -4,9 +4,12 @@ import { parseDatePeriod } from "../lib/helpers.js";
 import authModel from "../models/auth.js";
 import TokenModel from "../models/token.js";
 import userModel from "../models/user.js";
 import twoFactor from "./2fa.js";
 const ERROR_MESSAGE_INVALID_AUTH = "Invalid email or password";
 const ERROR_MESSAGE_INVALID_AUTH_I18N = "error.invalid-auth";
 const ERROR_MESSAGE_INVALID_2FA = "Invalid verification code";
 const ERROR_MESSAGE_INVALID_2FA_I18N = "error.invalid-2fa";
 export default {
 	/**
@@ -59,6 +62,25 @@ export default {
 			throw new errs.AuthError(`Invalid scope: ${data.scope}`);
 		}
 		// Check if 2FA is enabled
 		const has2FA = await twoFactor.isEnabled(user.id);
 		if (has2FA) {
 			// Return challenge token instead of full token
 			const challengeToken = await Token.create({
 				iss: issuer || "api",
 				attrs: {
 					id: user.id,
 				},
 				scope: ["2fa-challenge"],
 				expiresIn: "5m",
 			});
 			return {
 				requires_2fa: true,
 				challenge_token: challengeToken.token,
 			};
 		}
 		// Create a moment of the expiry expression
 		const expiry = parseDatePeriod(data.expiry);
 		if (expiry === null) {
@@ -129,6 +151,65 @@ export default {
 		throw new error.AssertionFailedError("Existing token contained invalid user data");
 	},
 	/**
 	 * Verify 2FA code and return full token
 	 * @param {string} challengeToken
 	 * @param {string} code
 	 * @param {string} [expiry]
 	 * @returns {Promise}
 	 */
 	verify2FA: async (challengeToken, code, expiry) => {
 		const Token = TokenModel();
 		const tokenExpiry = expiry || "1d";
 		// Verify challenge token
 		let tokenData;
 		try {
 			tokenData = await Token.load(challengeToken);
 		} catch {
 			throw new errs.AuthError("Invalid or expired challenge token");
 		}
 		// Check scope
 		if (!tokenData.scope || tokenData.scope[0] !== "2fa-challenge") {
 			throw new errs.AuthError("Invalid challenge token");
 		}
 		const userId = tokenData.attrs?.id;
 		if (!userId) {
 			throw new errs.AuthError("Invalid challenge token");
 		}
 		// Verify 2FA code
 		const valid = await twoFactor.verifyForLogin(userId, code);
 		if (!valid) {
 			throw new errs.AuthError(
 				ERROR_MESSAGE_INVALID_2FA,
 				ERROR_MESSAGE_INVALID_2FA_I18N,
 			);
 		}
 		// Create full token
 		const expiryDate = parseDatePeriod(tokenExpiry);
 		if (expiryDate === null) {
 			throw new errs.AuthError(`Invalid expiry time: ${tokenExpiry}`);
 		}
 		const signed = await Token.create({
 			iss: "api",
 			attrs: {
 				id: userId,
 			},
 			scope: ["user"],
 			expiresIn: tokenExpiry,
 		});
 		return {
 			token: signed.token,
 			expires: expiryDate.toISOString(),
 		};
 	},
 	/**
 	 * @param   {Object} user
 	 * @returns {Promise}
--- a/backend/lib/access.js
+++ b/backend/lib/access.js
@@ -265,7 +265,7 @@ export default function (tokenString) {
 					schemas: [roleSchema, permsSchema, objectSchema, permissionSchema],
 				});
-				const valid = ajv.validate("permissions", dataSchema);
+				const valid = await ajv.validate("permissions", dataSchema);
 				return valid && dataSchema[permission];
 			} catch (err) {
 				err.permission = permission;
--- a/backend/lib/config.js
+++ b/backend/lib/config.js
@@ -5,7 +5,7 @@ import { global as logger } from "../logger.js";
 const keysFile         = '/data/keys.json';
 const mysqlEngine      = 'mysql2';
 const postgresEngine   = 'pg';
-const sqliteClientName = 'sqlite3';
+const sqliteClientName = 'better-sqlite3';
 let instance = null;
@@ -25,15 +25,26 @@ const configure = () => {
 		if (configData?.database) {
 			logger.info(`Using configuration from file: ${filename}`);
 			// Migrate those who have "mysql" engine to "mysql2"
 			if (configData.database.engine === "mysql") {
 				configData.database.engine = mysqlEngine;
 			}
 			instance = configData;
 			instance.keys = getKeys();
 			return;
 		}
 	}
-	const envMysqlHost = process.env.DB_MYSQL_HOST || null;
+	const toBool = (v) => /^(1|true|yes|on)$/i.test((v || '').trim());
-	const envMysqlUser = process.env.DB_MYSQL_USER || null;
+
-	const envMysqlName = process.env.DB_MYSQL_NAME || null;
+	const envMysqlHost                  = process.env.DB_MYSQL_HOST || null;
 	const envMysqlUser                  = process.env.DB_MYSQL_USER || null;
 	const envMysqlName                  = process.env.DB_MYSQL_NAME || null;
 	const envMysqlSSL                   = toBool(process.env.DB_MYSQL_SSL);
 	const envMysqlSSLRejectUnauthorized	= process.env.DB_MYSQL_SSL_REJECT_UNAUTHORIZED === undefined ? true : toBool(process.env.DB_MYSQL_SSL_REJECT_UNAUTHORIZED);
 	const envMysqlSSLVerifyIdentity		= process.env.DB_MYSQL_SSL_VERIFY_IDENTITY === undefined ? true : toBool(process.env.DB_MYSQL_SSL_VERIFY_IDENTITY);
 	if (envMysqlHost && envMysqlUser && envMysqlName) {
 		// we have enough mysql creds to go with mysql
 		logger.info("Using MySQL configuration");
@@ -44,7 +55,8 @@ const configure = () => {
 				port: process.env.DB_MYSQL_PORT || 3306,
 				user: envMysqlUser,
 				password: process.env.DB_MYSQL_PASSWORD,
-				name: envMysqlName,
+				name:     envMysqlName,
 				ssl:      envMysqlSSL ? { rejectUnauthorized: envMysqlSSLRejectUnauthorized, verifyIdentity: envMysqlSSLVerifyIdentity } : false,
 			},
 			keys: getKeys(),
 		};
@@ -72,6 +84,7 @@ const configure = () => {
 	}
 	const envSqliteFile = process.env.DB_SQLITE_FILE || "/data/database.sqlite";
 	logger.info(`Using Sqlite: ${envSqliteFile}`);
 	instance = {
 		database: {
@@ -90,7 +103,9 @@ const configure = () => {
 const getKeys = () => {
 	// Get keys from file
-	logger.debug("Cheecking for keys file:", keysFile);
+	if (isDebugMode()) {
 		logger.debug("Checking for keys file:", keysFile);
 	}
 	if (!fs.existsSync(keysFile)) {
 		generateKeys();
 	} else if (process.env.DEBUG) {
--- a/backend/lib/utils.js
+++ b/backend/lib/utils.js
@@ -3,14 +3,14 @@ import { dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 import { Liquid } from "liquidjs";
 import _ from "lodash";
-import { global as logger } from "../logger.js";
+import { debug, global as logger } from "../logger.js";
 import errs from "./error.js";
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 const exec = async (cmd, options = {}) => {
-	logger.debug("CMD:", cmd);
+	debug(logger, "CMD:", cmd);
 	const { stdout, stderr } = await new Promise((resolve, reject) => {
 		const child = nodeExec(cmd, options, (isError, stdout, stderr) => {
 			if (isError) {
@@ -34,7 +34,7 @@ const exec = async (cmd, options = {}) => {
 * @returns {Promise}
 */
 const execFile = (cmd, args, options) => {
-	logger.debug(`CMD: ${cmd} ${args ? args.join(" ") : ""}`);
+	debug(logger, `CMD: ${cmd} ${args ? args.join(" ") : ""}`);
 	const opts = options || {};
 	return new Promise((resolve, reject) => {
--- a/backend/logger.js
+++ b/backend/logger.js
@@ -1,4 +1,5 @@
 import signale from "signale";
 import { isDebugMode } from "./lib/config.js";
 const opts = {
 	logLevel: "info",
@@ -14,5 +15,12 @@ const certbot = new signale.Signale({ scope: "Certbot  ", ...opts });
 const importer = new signale.Signale({ scope: "Importer ", ...opts });
 const setup = new signale.Signale({ scope: "Setup    ", ...opts });
 const ipRanges = new signale.Signale({ scope: "IP Ranges", ...opts });
 const remoteVersion = new signale.Signale({ scope: "Remote Version", ...opts });
-export { global, migrate, express, access, nginx, ssl, certbot, importer, setup, ipRanges };
+const debug = (logger, ...args) => {
 	if (isDebugMode()) {
 		logger.debug(...args);
 	}
 };
 export { debug, global, migrate, express, access, nginx, ssl, certbot, importer, setup, ipRanges, remoteVersion };
--- a/backend/migrate.js
+++ b/backend/migrate.js
@@ -2,9 +2,9 @@ import db from "./db.js";
 import { migrate as logger } from "./logger.js";
 const migrateUp = async () => {
-	const version = await db.migrate.currentVersion();
+	const version = await db().migrate.currentVersion();
 	logger.info("Current database version:", version);
-	return await db.migrate.latest({
+	return await db().migrate.latest({
 		tableName: "migrations",
 		directory: "migrations",
 	});
--- a/backend/migrations/20251111090000_redirect_auto_scheme.js
+++ b/backend/migrations/20251111090000_redirect_auto_scheme.js
@@ -0,0 +1,50 @@
 import { migrate as logger } from "../logger.js";
 const migrateName = "redirect_auto_scheme";
 /**
 * Migrate
 *
 * @see http://knexjs.org/#Schema
 *
 * @param   {Object} knex
 * @returns {Promise}
 */
 const up = (knex) => {
 	logger.info(`[${migrateName}] Migrating Up...`);
 	return knex.schema
 		.table("redirection_host", async (table) => {
 			// change the column default from $scheme to auto
 			await table.string("forward_scheme").notNull().defaultTo("auto").alter();
 			await knex('redirection_host')
 				.where('forward_scheme', '$scheme')
 				.update({ forward_scheme: 'auto' });
 		})
 		.then(() => {
 			logger.info(`[${migrateName}] redirection_host Table altered`);
 		});
 };
 /**
 * Undo Migrate
 *
 * @param   {Object} knex
 * @returns {Promise}
 */
 const down = (knex) => {
 	logger.info(`[${migrateName}] Migrating Down...`);
 	return knex.schema
 		.table("redirection_host", async (table) => {
 			await table.string("forward_scheme").notNull().defaultTo("$scheme").alter();
 			await knex('redirection_host')
 				.where('forward_scheme', 'auto')
 				.update({ forward_scheme: '$scheme' });
 		})
 		.then(() => {
 			logger.info(`[${migrateName}] redirection_host Table altered`);
 		});
 };
 export { up, down };
--- a/backend/models/access_list.js
+++ b/backend/models/access_list.js
@@ -10,7 +10,7 @@ import now from "./now_helper.js";
 import ProxyHostModel from "./proxy_host.js";
 import User from "./user.js";
-Model.knex(db);
+Model.knex(db());
 const boolFields = ["is_deleted", "satisfy_any", "pass_auth"];
--- a/backend/models/access_list_auth.js
+++ b/backend/models/access_list_auth.js
@@ -6,7 +6,7 @@ import db from "../db.js";
 import accessListModel from "./access_list.js";
 import now from "./now_helper.js";
-Model.knex(db);
+Model.knex(db());
 class AccessListAuth extends Model {
 	$beforeInsert() {
--- a/backend/models/access_list_client.js
+++ b/backend/models/access_list_client.js
@@ -6,7 +6,7 @@ import db from "../db.js";
 import accessListModel from "./access_list.js";
 import now from "./now_helper.js";
-Model.knex(db);
+Model.knex(db());
 class AccessListClient extends Model {
 	$beforeInsert() {
--- a/backend/models/audit-log.js
+++ b/backend/models/audit-log.js
@@ -6,7 +6,7 @@ import db from "../db.js";
 import now from "./now_helper.js";
 import User from "./user.js";
-Model.knex(db);
+Model.knex(db());
 class AuditLog extends Model {
 	$beforeInsert() {
--- a/backend/models/auth.js
+++ b/backend/models/auth.js
@@ -8,7 +8,7 @@ import { convertBoolFieldsToInt, convertIntFieldsToBool } from "../lib/helpers.j
 import now from "./now_helper.js";
 import User from "./user.js";
-Model.knex(db);
+Model.knex(db());
 const boolFields = ["is_deleted"];
--- a/backend/models/certificate.js
+++ b/backend/models/certificate.js
@@ -11,7 +11,7 @@ import redirectionHostModel from "./redirection_host.js";
 import streamModel from "./stream.js";
 import userModel from "./user.js";
-Model.knex(db);
+Model.knex(db());
 const boolFields = ["is_deleted"];
--- a/backend/models/dead_host.js
+++ b/backend/models/dead_host.js
@@ -8,7 +8,7 @@ import Certificate from "./certificate.js";
 import now from "./now_helper.js";
 import User from "./user.js";
-Model.knex(db);
+Model.knex(db());
 const boolFields = ["is_deleted", "ssl_forced", "http2_support", "enabled", "hsts_enabled", "hsts_subdomains"];
--- a/backend/models/now_helper.js
+++ b/backend/models/now_helper.js
@@ -2,7 +2,7 @@ import { Model } from "objection";
 import db from "../db.js";
 import { isSqlite } from "../lib/config.js";
-Model.knex(db);
+Model.knex(db());
 export default () => {
 	if (isSqlite()) {
--- a/backend/models/proxy_host.js
+++ b/backend/models/proxy_host.js
@@ -9,7 +9,7 @@ import Certificate from "./certificate.js";
 import now from "./now_helper.js";
 import User from "./user.js";
-Model.knex(db);
+Model.knex(db());
 const boolFields = [
 	"is_deleted",
--- a/backend/models/redirection_host.js
+++ b/backend/models/redirection_host.js
@@ -8,7 +8,7 @@ import Certificate from "./certificate.js";
 import now from "./now_helper.js";
 import User from "./user.js";
-Model.knex(db);
+Model.knex(db());
 const boolFields = [
 	"is_deleted",
--- a/backend/models/setting.js
+++ b/backend/models/setting.js
@@ -4,7 +4,7 @@
 import { Model } from "objection";
 import db from "../db.js";
-Model.knex(db);
+Model.knex(db());
 class Setting extends Model {
 	$beforeInsert () {
--- a/backend/models/stream.js
+++ b/backend/models/stream.js
@@ -5,7 +5,7 @@ import Certificate from "./certificate.js";
 import now from "./now_helper.js";
 import User from "./user.js";
-Model.knex(db);
+Model.knex(db());
 const boolFields = ["is_deleted", "enabled", "tcp_forwarding", "udp_forwarding"];
--- a/backend/models/user.js
+++ b/backend/models/user.js
@@ -7,7 +7,7 @@ import { convertBoolFieldsToInt, convertIntFieldsToBool } from "../lib/helpers.j
 import now from "./now_helper.js";
 import UserPermission from "./user_permission.js";
-Model.knex(db);
+Model.knex(db());
 const boolFields = ["is_deleted", "is_disabled"];
--- a/backend/models/user_permission.js
+++ b/backend/models/user_permission.js
@@ -5,7 +5,7 @@ import { Model } from "objection";
 import db from "../db.js";
 import now from "./now_helper.js";
-Model.knex(db);
+Model.knex(db());
 class UserPermission extends Model {
 	$beforeInsert () {
--- a/backend/package.json
+++ b/backend/package.json
@@ -12,35 +12,38 @@
 		"validate-schema": "node validate-schema.js"
 	},
 	"dependencies": {
-		"@apidevtools/json-schema-ref-parser": "^11.7.0",
+		"@apidevtools/json-schema-ref-parser": "^14.1.1",
 		"ajv": "^8.17.1",
-		"archiver": "^5.3.0",
+		"archiver": "^7.0.1",
 		"batchflow": "^0.4.0",
-		"bcrypt": "^5.0.0",
+		"bcrypt": "^6.0.0",
-		"body-parser": "^1.20.3",
+		"better-sqlite3": "^12.6.2",
 		"body-parser": "^2.2.2",
 		"compression": "^1.7.4",
-		"express": "^4.20.0",
+		"express": "^5.2.1",
-		"express-fileupload": "^1.1.9",
+		"express-fileupload": "^1.5.2",
-		"gravatar": "^1.8.0",
+		"gravatar": "^1.8.2",
-		"jsonwebtoken": "^9.0.0",
+		"jsonwebtoken": "^9.0.3",
-		"knex": "2.4.2",
+		"knex": "3.1.0",
-		"liquidjs": "10.6.1",
+		"liquidjs": "10.24.0",
-		"lodash": "^4.17.21",
+		"lodash": "^4.17.23",
 		"moment": "^2.30.1",
-		"mysql2": "^3.15.3",
+		"mysql2": "^3.16.3",
 		"node-rsa": "^1.1.1",
-		"objection": "3.0.1",
+		"objection": "3.1.5",
 		"otplib": "^13.2.1",
 		"path": "^0.12.7",
-		"pg": "^8.16.3",
+		"pg": "^8.18.0",
 		"proxy-agent": "^6.5.0",
 		"signale": "1.4.0",
 		"sqlite3": "^5.1.7",
 		"temp-write": "^4.0.0"
 	},
 	"devDependencies": {
-		"@apidevtools/swagger-parser": "^10.1.0",
+		"@apidevtools/swagger-parser": "^12.1.0",
-		"@biomejs/biome": "^2.3.1",
+		"@biomejs/biome": "^2.3.14",
-		"chalk": "4.1.2",
+		"chalk": "5.6.2",
-		"nodemon": "^2.0.2"
+		"nodemon": "^3.1.11"
 	},
 	"signale": {
 		"displayDate": true,
--- a/backend/routes/audit-log.js
+++ b/backend/routes/audit-log.js
@@ -2,7 +2,7 @@ import express from "express";
 import internalAuditLog from "../internal/audit-log.js";
 import jwtdecode from "../lib/express/jwt-decode.js";
 import validator from "../lib/validator/index.js";
-import { express as logger } from "../logger.js";
+import { debug, express as logger } from "../logger.js";
 const router = express.Router({
 	caseSensitive: true,
@@ -47,7 +47,7 @@ router
 			const rows = await internalAuditLog.getAll(res.locals.access, data.expand, data.query);
 			res.status(200).send(rows);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -99,7 +99,7 @@ router
 			});
 			res.status(200).send(item);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
--- a/backend/routes/main.js
+++ b/backend/routes/main.js
@@ -14,6 +14,7 @@ import schemaRoutes from "./schema.js";
 import settingsRoutes from "./settings.js";
 import tokensRoutes from "./tokens.js";
 import usersRoutes from "./users.js";
 import versionRoutes from "./version.js";
 const router = express.Router({
 	caseSensitive: true,
@@ -46,6 +47,7 @@ router.use("/users", usersRoutes);
 router.use("/audit-log", auditLogRoutes);
 router.use("/reports", reportsRoutes);
 router.use("/settings", settingsRoutes);
 router.use("/version", versionRoutes);
 router.use("/nginx/proxy-hosts", proxyHostsRoutes);
 router.use("/nginx/redirection-hosts", redirectionHostsRoutes);
 router.use("/nginx/dead-hosts", deadHostsRoutes);
--- a/backend/routes/nginx/access_lists.js
+++ b/backend/routes/nginx/access_lists.js
@@ -3,7 +3,7 @@ import internalAccessList from "../../internal/access-list.js";
 import jwtdecode from "../../lib/express/jwt-decode.js";
 import apiValidator from "../../lib/validator/api.js";
 import validator from "../../lib/validator/index.js";
-import { express as logger } from "../../logger.js";
+import { debug, express as logger } from "../../logger.js";
 import { getValidationSchema } from "../../schema/index.js";
 const router = express.Router({
@@ -49,7 +49,7 @@ router
 			const rows = await internalAccessList.getAll(res.locals.access, data.expand, data.query);
 			res.status(200).send(rows);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -65,7 +65,7 @@ router
 			const result = await internalAccessList.create(res.locals.access, payload);
 			res.status(201).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -113,7 +113,7 @@ router
 			});
 			res.status(200).send(row);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -130,7 +130,7 @@ router
 			const result = await internalAccessList.update(res.locals.access, payload);
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -147,7 +147,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
--- a/backend/routes/nginx/certificates.js
+++ b/backend/routes/nginx/certificates.js
@@ -5,7 +5,7 @@ import errs from "../../lib/error.js";
 import jwtdecode from "../../lib/express/jwt-decode.js";
 import apiValidator from "../../lib/validator/api.js";
 import validator from "../../lib/validator/index.js";
-import { express as logger } from "../../logger.js";
+import { debug, express as logger } from "../../logger.js";
 import { getValidationSchema } from "../../schema/index.js";
 const router = express.Router({
@@ -58,7 +58,7 @@ router
 			);
 			res.status(200).send(rows);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -81,7 +81,7 @@ router
 			);
 			res.status(201).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -115,7 +115,7 @@ router
 			clean.sort((a, b) => a.name.localeCompare(b.name));
 			res.status(200).send(clean);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -151,7 +151,7 @@ router
 			);
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -185,7 +185,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -236,7 +236,7 @@ router
 			});
 			res.status(200).send(row);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -253,7 +253,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -288,7 +288,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -318,7 +318,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -347,7 +347,7 @@ router
 			});
 			res.status(200).download(result.fileName);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
--- a/backend/routes/nginx/dead_hosts.js
+++ b/backend/routes/nginx/dead_hosts.js
@@ -3,7 +3,7 @@ import internalDeadHost from "../../internal/dead-host.js";
 import jwtdecode from "../../lib/express/jwt-decode.js";
 import apiValidator from "../../lib/validator/api.js";
 import validator from "../../lib/validator/index.js";
-import { express as logger } from "../../logger.js";
+import { debug, express as logger } from "../../logger.js";
 import { getValidationSchema } from "../../schema/index.js";
 const router = express.Router({
@@ -49,7 +49,7 @@ router
 			const rows = await internalDeadHost.getAll(res.locals.access, data.expand, data.query);
 			res.status(200).send(rows);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -65,7 +65,7 @@ router
 			const result = await internalDeadHost.create(res.locals.access, payload);
 			res.status(201).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -113,7 +113,7 @@ router
 			});
 			res.status(200).send(row);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -130,7 +130,7 @@ router
 			const result = await internalDeadHost.update(res.locals.access, payload);
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -147,7 +147,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -174,7 +174,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -199,7 +199,7 @@ router
 			const result = internalDeadHost.disable(res.locals.access, { id: Number.parseInt(req.params.host_id, 10) });
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
--- a/backend/routes/nginx/proxy_hosts.js
+++ b/backend/routes/nginx/proxy_hosts.js
@@ -3,7 +3,7 @@ import internalProxyHost from "../../internal/proxy-host.js";
 import jwtdecode from "../../lib/express/jwt-decode.js";
 import apiValidator from "../../lib/validator/api.js";
 import validator from "../../lib/validator/index.js";
-import { express as logger } from "../../logger.js";
+import { debug, express as logger } from "../../logger.js";
 import { getValidationSchema } from "../../schema/index.js";
 const router = express.Router({
@@ -49,7 +49,7 @@ router
 			const rows = await internalProxyHost.getAll(res.locals.access, data.expand, data.query);
 			res.status(200).send(rows);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -65,7 +65,7 @@ router
 			const result = await internalProxyHost.create(res.locals.access, payload);
 			res.status(201).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err} ${JSON.stringify(err.debug, null, 2)}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err} ${JSON.stringify(err.debug, null, 2)}`);
 			next(err);
 		}
 	});
@@ -113,7 +113,7 @@ router
 			});
 			res.status(200).send(row);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -130,7 +130,7 @@ router
 			const result = await internalProxyHost.update(res.locals.access, payload);
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -147,7 +147,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -174,7 +174,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -201,7 +201,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
--- a/backend/routes/nginx/redirection_hosts.js
+++ b/backend/routes/nginx/redirection_hosts.js
@@ -3,7 +3,7 @@ import internalRedirectionHost from "../../internal/redirection-host.js";
 import jwtdecode from "../../lib/express/jwt-decode.js";
 import apiValidator from "../../lib/validator/api.js";
 import validator from "../../lib/validator/index.js";
-import { express as logger } from "../../logger.js";
+import { debug, express as logger } from "../../logger.js";
 import { getValidationSchema } from "../../schema/index.js";
 const router = express.Router({
@@ -49,7 +49,7 @@ router
 			const rows = await internalRedirectionHost.getAll(res.locals.access, data.expand, data.query);
 			res.status(200).send(rows);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -65,7 +65,7 @@ router
 			const result = await internalRedirectionHost.create(res.locals.access, payload);
 			res.status(201).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -113,7 +113,7 @@ router
 			});
 			res.status(200).send(row);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -133,7 +133,7 @@ router
 			const result = await internalRedirectionHost.update(res.locals.access, payload);
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -150,7 +150,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -177,7 +177,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -204,7 +204,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
--- a/backend/routes/nginx/streams.js
+++ b/backend/routes/nginx/streams.js
@@ -3,7 +3,7 @@ import internalStream from "../../internal/stream.js";
 import jwtdecode from "../../lib/express/jwt-decode.js";
 import apiValidator from "../../lib/validator/api.js";
 import validator from "../../lib/validator/index.js";
-import { express as logger } from "../../logger.js";
+import { debug, express as logger } from "../../logger.js";
 import { getValidationSchema } from "../../schema/index.js";
 const router = express.Router({
@@ -49,7 +49,7 @@ router
 			const rows = await internalStream.getAll(res.locals.access, data.expand, data.query);
 			res.status(200).send(rows);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -65,7 +65,7 @@ router
 			const result = await internalStream.create(res.locals.access, payload);
 			res.status(201).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -113,7 +113,7 @@ router
 			});
 			res.status(200).send(row);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -130,7 +130,7 @@ router
 			const result = await internalStream.update(res.locals.access, payload);
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -147,7 +147,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -174,7 +174,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -201,7 +201,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
--- a/backend/routes/reports.js
+++ b/backend/routes/reports.js
@@ -1,7 +1,7 @@
 import express from "express";
 import internalReport from "../internal/report.js";
 import jwtdecode from "../lib/express/jwt-decode.js";
-import { express as logger } from "../logger.js";
+import { debug, express as logger } from "../logger.js";
 const router = express.Router({
 	caseSensitive: true,
@@ -24,7 +24,7 @@ router
 			const data = await internalReport.getHostsReport(res.locals.access);
 			res.status(200).send(data);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
--- a/backend/routes/schema.js
+++ b/backend/routes/schema.js
@@ -1,5 +1,5 @@
 import express from "express";
-import { express as logger } from "../logger.js";
+import { debug, express as logger } from "../logger.js";
 import PACKAGE from "../package.json" with { type: "json" };
 import { getCompiledSchema } from "../schema/index.js";
@@ -36,7 +36,7 @@ router
 			swaggerJSON.servers[0].url = `${origin}/api`;
 			res.status(200).send(swaggerJSON);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
--- a/backend/routes/settings.js
+++ b/backend/routes/settings.js
@@ -3,7 +3,7 @@ import internalSetting from "../internal/setting.js";
 import jwtdecode from "../lib/express/jwt-decode.js";
 import apiValidator from "../lib/validator/api.js";
 import validator from "../lib/validator/index.js";
-import { express as logger } from "../logger.js";
+import { debug, express as logger } from "../logger.js";
 import { getValidationSchema } from "../schema/index.js";
 const router = express.Router({
@@ -32,7 +32,7 @@ router
 			const rows = await internalSetting.getAll(res.locals.access);
 			res.status(200).send(rows);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -76,7 +76,7 @@ router
 			});
 			res.status(200).send(row);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -93,7 +93,7 @@ router
 			const result = await internalSetting.update(res.locals.access, payload);
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
--- a/backend/routes/tokens.js
+++ b/backend/routes/tokens.js
@@ -2,7 +2,7 @@ import express from "express";
 import internalToken from "../internal/token.js";
 import jwtdecode from "../lib/express/jwt-decode.js";
 import apiValidator from "../lib/validator/api.js";
-import { express as logger } from "../logger.js";
+import { debug, express as logger } from "../logger.js";
 import { getValidationSchema } from "../schema/index.js";
 const router = express.Router({
@@ -32,7 +32,7 @@ router
 			});
 			res.status(200).send(data);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -48,7 +48,29 @@ router
 			const result = await internalToken.getTokenFromEmail(data);
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
 router
 	.route("/2fa")
 	.options((_, res) => {
 		res.sendStatus(204);
 	})
 	/**
 	 * POST /tokens/2fa
 	 *
 	 * Verify 2FA code and get full token
 	 */
 	.post(async (req, res, next) => {
 		try {
 			const { challenge_token, code } = await apiValidator(getValidationSchema("/tokens/2fa", "post"), req.body);
 			const result = await internalToken.verify2FA(challenge_token, code);
 			res.status(200).send(result);
 		} catch (err) {
 			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
--- a/backend/routes/users.js
+++ b/backend/routes/users.js
@@ -1,4 +1,5 @@
 import express from "express";
 import internal2FA from "../internal/2fa.js";
 import internalUser from "../internal/user.js";
 import Access from "../lib/access.js";
 import { isCI } from "../lib/config.js";
@@ -7,7 +8,7 @@ import jwtdecode from "../lib/express/jwt-decode.js";
 import userIdFromMe from "../lib/express/user-id-from-me.js";
 import apiValidator from "../lib/validator/api.js";
 import validator from "../lib/validator/index.js";
-import { express as logger } from "../logger.js";
+import { debug, express as logger } from "../logger.js";
 import { getValidationSchema } from "../schema/index.js";
 import { isSetup } from "../setup.js";
@@ -61,7 +62,7 @@ router
 			);
 			res.status(200).send(users);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -101,7 +102,7 @@ router
 			const user = await internalUser.create(res.locals.access, payload);
 			res.status(201).send(user);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -124,7 +125,7 @@ router
 				await internalUser.deleteAll();
 				res.status(200).send(true);
 			} catch (err) {
-				logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+				debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 				next(err);
 			}
 			return;
@@ -185,7 +186,7 @@ router
 			});
 			res.status(200).send(user);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -205,7 +206,7 @@ router
 			const result = await internalUser.update(res.locals.access, payload);
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
@@ -222,7 +223,7 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -255,7 +256,7 @@ router
 			const result = await internalUser.setPassword(res.locals.access, payload);
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -291,7 +292,7 @@ router
 			);
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
@@ -320,7 +321,133 @@ router
 			});
 			res.status(200).send(result);
 		} catch (err) {
-			logger.debug(`${req.method.toUpperCase()} ${req.path}: ${err}`);
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
 /**
 * User 2FA status
 *
 * /api/users/123/2fa
 */
 router
 	.route("/:user_id/2fa")
 	.options((_, res) => {
 		res.sendStatus(204);
 	})
 	.all(jwtdecode())
 	.all(userIdFromMe)
 	/**
 	 * POST /api/users/123/2fa
 	 *
 	 * Start 2FA setup, returns QR code URL
 	 */
 	.post(async (req, res, next) => {
 		try {
 			const result = await internal2FA.startSetup(res.locals.access, req.params.user_id);
 			res.status(200).send(result);
 		} catch (err) {
 			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
 	/**
 	 * GET /api/users/123/2fa
 	 *
 	 * Get 2FA status for a user
 	 */
 	.get(async (req, res, next) => {
 		try {
 			const status = await internal2FA.getStatus(res.locals.access, req.params.user_id);
 			res.status(200).send(status);
 		} catch (err) {
 			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	})
 	/**
 	 * DELETE /api/users/123/2fa?code=XXXXXX
 	 *
 	 * Disable 2FA for a user
 	 */
 	.delete(async (req, res, next) => {
 		try {
 			const code = typeof req.query.code === "string" ? req.query.code : null;
 			if (!code) {
 				throw new errs.ValidationError("Missing required parameter: code");
 			}
 			await internal2FA.disable(res.locals.access, req.params.user_id, code);
 			res.status(200).send(true);
 		} catch (err) {
 			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
 /**
 * User 2FA enable
 *
 * /api/users/123/2fa/enable
 */
 router
 	.route("/:user_id/2fa/enable")
 	.options((_, res) => {
 		res.sendStatus(204);
 	})
 	.all(jwtdecode())
 	.all(userIdFromMe)
 	/**
 	 * POST /api/users/123/2fa/enable
 	 *
 	 * Verify code and enable 2FA
 	 */
 	.post(async (req, res, next) => {
 		try {
 			const { code } = await apiValidator(
 				getValidationSchema("/users/{userID}/2fa/enable", "post"),
 				req.body,
 			);
 			const result = await internal2FA.enable(res.locals.access, req.params.user_id, code);
 			res.status(200).send(result);
 		} catch (err) {
 			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
 /**
 * User 2FA backup codes
 *
 * /api/users/123/2fa/backup-codes
 */
 router
 	.route("/:user_id/2fa/backup-codes")
 	.options((_, res) => {
 		res.sendStatus(204);
 	})
 	.all(jwtdecode())
 	.all(userIdFromMe)
 	/**
 	 * POST /api/users/123/2fa/backup-codes
 	 *
 	 * Regenerate backup codes
 	 */
 	.post(async (req, res, next) => {
 		try {
 			const { code } = await apiValidator(
 				getValidationSchema("/users/{userID}/2fa/backup-codes", "post"),
 				req.body,
 			);
 			const result = await internal2FA.regenerateBackupCodes(res.locals.access, req.params.user_id, code);
 			res.status(200).send(result);
 		} catch (err) {
 			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
 			next(err);
 		}
 	});
--- a/backend/routes/version.js
+++ b/backend/routes/version.js
@@ -0,0 +1,40 @@
 import express from "express";
 import internalRemoteVersion from "../internal/remote-version.js";
 import { debug, express as logger } from "../logger.js";
 const router = express.Router({
 	caseSensitive: true,
 	strict: true,
 	mergeParams: true,
 });
 /**
 * /api/version/check
 */
 router
 	.route("/check")
 	.options((_, res) => {
 		res.sendStatus(204);
 	})
 	/**
 	 * GET /api/version/check
 	 *
 	 * Check for available updates
 	 */
 	.get(async (req, res, _next) => {
 		try {
 			const data = await internalRemoteVersion.get();
 			res.status(200).send(data);
 		} catch (error) {
 			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${error}`);
 			// Send 200 even though there's an error to avoid triggering update checks repeatedly
 			res.status(200).send({
 				current: null,
 				latest: null,
 				update_available: false,
 			});
 		}
 	});
 export default router;
--- a/backend/schema/common.json
+++ b/backend/schema/common.json
@@ -7,7 +7,8 @@
 			"description": "Unique identifier",
 			"readOnly": true,
 			"type": "integer",
-			"minimum": 1
+			"minimum": 1,
 			"example": 11
 		},
 		"expand": {
 			"anyOf": [
@@ -38,35 +39,42 @@
 		"created_on": {
 			"description": "Date and time of creation",
 			"readOnly": true,
-			"type": "string"
+			"type": "string",
 			"example": "2025-10-28T04:17:54.000Z"
 		},
 		"modified_on": {
 			"description": "Date and time of last update",
 			"readOnly": true,
-			"type": "string"
+			"type": "string",
 			"example": "2025-10-28T04:17:54.000Z"
 		},
 		"user_id": {
 			"description": "User ID",
 			"type": "integer",
-			"minimum": 1
+			"minimum": 1,
 			"example": 2
 		},
 		"certificate_id": {
 			"description": "Certificate ID",
 			"anyOf": [
 				{
 					"type": "integer",
-					"minimum": 0
+					"minimum": 0,
 					"example": 5
 				},
 				{
 					"type": "string",
-					"pattern": "^new$"
+					"pattern": "^new$",
 					"example": "new"
 				}
-			]
+			],
 			"example": 5
 		},
 		"access_list_id": {
 			"description": "Access List ID",
 			"type": "integer",
-			"minimum": 0
+			"minimum": 0,
 			"example": 3
 		},
 		"domain_names": {
 			"description": "Domain Names separated by a comma",
@@ -77,44 +85,157 @@
 			"items": {
 				"type": "string",
 				"pattern": "^[^&| @!#%^();:/\\\\}{=+?<>,~`'\"]+$"
-			}
+			},
 			"example": ["example.com", "www.example.com"]
 		},
 		"enabled": {
 			"description": "Is Enabled",
-			"type": "boolean"
+			"type": "boolean",
 			"example": false
 		},
 		"ssl_forced": {
 			"description": "Is SSL Forced",
-			"type": "boolean"
+			"type": "boolean",
 			"example": true
 		},
 		"hsts_enabled": {
 			"description": "Is HSTS Enabled",
-			"type": "boolean"
+			"type": "boolean",
 			"example": true
 		},
 		"hsts_subdomains": {
 			"description": "Is HSTS applicable to all subdomains",
-			"type": "boolean"
+			"type": "boolean",
 			"example": true
 		},
 		"ssl_provider": {
 			"type": "string",
-			"pattern": "^(letsencrypt|other)$"
+			"pattern": "^(letsencrypt|other)$",
 			"example": "letsencrypt"
 		},
 		"http2_support": {
 			"description": "HTTP2 Protocol Support",
-			"type": "boolean"
+			"type": "boolean",
 			"example": true
 		},
 		"block_exploits": {
 			"description": "Should we block common exploits",
-			"type": "boolean"
+			"type": "boolean",
 			"example": false
 		},
 		"caching_enabled": {
 			"description": "Should we cache assets",
-			"type": "boolean"
+			"type": "boolean",
 			"example": true
 		},
 		"email": {
 			"description": "Email address",
 			"type": "string",
-			"pattern": "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$"
+			"pattern": "^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Za-z]{2,}$",
 			"example": "me@example.com"
 		},
 		"directive": {
 			"type": "string",
 			"enum": ["allow", "deny"],
 			"example": "allow"
 		},
 		"address": {
 			"oneOf": [
 				{
 					"type": "string",
 					"pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$"
 				},
 				{
 					"type": "string",
 					"pattern": "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$"
 				},
 				{
 					"type": "string",
 					"pattern": "^all$"
 				}
 			],
 			"example": "192.168.0.11"
 		},
 		"access_items": {
 			"type": "array",
 			"items": {
 				"type": "object",
 				"additionalProperties": false,
 				"properties": {
 					"username": {
 						"type": "string",
 						"minLength": 1
 					},
 					"password": {
 						"type": "string"
 					}
 				},
 				"example": {
 					"username": "admin",
 					"password": "pass"
 				}
 			},
 			"example": [
 				{
 					"username": "admin",
 					"password": "pass"
 				}
 			]
 		},
 		"access_clients": {
 			"type": "array",
 			"items": {
 				"type": "object",
 				"additionalProperties": false,
 				"properties": {
 					"address": {
 						"$ref": "#/properties/address"
 					},
 					"directive": {
 						"$ref": "#/properties/directive"
 					}
 				},
 				"example": {
 					"directive": "allow",
 					"address": "192.168.0.0/24"
 				}
 			},
 			"example": [
 				{
 					"directive": "allow",
 					"address": "192.168.0.0/24"
 				}
 			]
 		},
 		"certificate_files": {
 			"description": "Certificate Files",
 			"content": {
 				"multipart/form-data": {
 					"schema": {
 						"type": "object",
 						"additionalProperties": false,
 						"required": ["certificate", "certificate_key"],
 						"properties": {
 							"certificate": {
 								"type": "string",
 								"example": "-----BEGIN CERTIFICATE-----\nMIID...-----END CERTIFICATE-----"
 							},
 							"certificate_key": {
 								"type": "string",
 								"example": "-----BEGIN CERTIFICATE-----\nMIID...-----END CERTIFICATE-----"
 							},
 							"intermediate_certificate": {
 								"type": "string",
 								"example": "-----BEGIN CERTIFICATE-----\nMIID...-----END CERTIFICATE-----"
 							}
 						}
 					},
 					"example": {
 						"certificate": "-----BEGIN CERTIFICATE-----\nMIID...-----END CERTIFICATE-----",
 						"certificate_key": "-----BEGIN PRIVATE\nMIID...-----END CERTIFICATE-----"
 					}
 				}
 			}
 		}
 	}
 }
--- a/backend/schema/components/access-list-object.json
+++ b/backend/schema/components/access-list-object.json
@@ -1,8 +1,7 @@
 {
 	"type": "object",
 	"description": "Access List object",
-	"required": ["id", "created_on", "modified_on", "owner_user_id", "name", "directive", "address", "satisfy_any", "pass_auth", "meta"],
+	"required": ["id", "created_on", "modified_on", "owner_user_id", "name", "meta", "satisfy_any", "pass_auth", "proxy_host_count"],
 	"additionalProperties": false,
 	"properties": {
 		"id": {
 			"$ref": "../common.json#/properties/id"
@@ -18,36 +17,25 @@
 		},
 		"name": {
 			"type": "string",
-			"minLength": 1
+			"minLength": 1,
-		},
+			"example": "My Access List"
 		"directive": {
 			"type": "string",
 			"enum": ["allow", "deny"]
 		},
 		"address": {
 			"oneOf": [
 				{
 					"type": "string",
 					"pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$"
 				},
 				{
 					"type": "string",
 					"pattern": "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$"
 				},
 				{
 					"type": "string",
 					"pattern": "^all$"
 				}
 			]
 		},
 		"satisfy_any": {
 			"type": "boolean"
 		},
 		"pass_auth": {
 			"type": "boolean"
 		},
 		"meta": {
-			"type": "object"
+			"type": "object",
 			"example": {}
 		},
 		"satisfy_any": {
 			"type": "boolean",
 			"example": true
 		},
 		"pass_auth": {
 			"type": "boolean",
 			"example": false
 		},
 		"proxy_host_count": {
 			"type": "integer",
 			"minimum": 0,
 			"example": 3
 		}
 	}
 }
--- a/backend/schema/components/audit-log-object.json
+++ b/backend/schema/components/audit-log-object.json
@@ -26,16 +26,19 @@
 			"$ref": "../common.json#/properties/user_id"
 		},
 		"object_type": {
-			"type": "string"
+			"type": "string",
 			"example": "certificate"
 		},
 		"object_id": {
 			"$ref": "../common.json#/properties/id"
 		},
 		"action": {
-			"type": "string"
+			"type": "string",
 			"example": "created"
 		},
 		"meta": {
-			"type": "object"
+			"type": "object",
 			"example": {}
 		},
 		"user": {
 			"$ref": "./user-object.json"
--- a/backend/schema/components/certificate-object.json
+++ b/backend/schema/components/certificate-object.json
@@ -21,7 +21,8 @@
 		},
 		"nice_name": {
 			"type": "string",
-			"description": "Nice Name for the custom certificate"
+			"description": "Nice Name for the custom certificate",
 			"example": "My Custom Cert"
 		},
 		"domain_names": {
 			"description": "Domain Names separated by a comma",
@@ -31,12 +32,14 @@
 			"items": {
 				"type": "string",
 				"pattern": "^[^&| @!#%^();:/\\\\}{=+?<>,~`'\"]+$"
-			}
+			},
 			"example": ["example.com", "www.example.com"]
 		},
 		"expires_on": {
 			"description": "Date and time of expiration",
 			"readOnly": true,
-			"type": "string"
+			"type": "string",
 			"example": "2025-10-28T04:17:54.000Z"
 		},
 		"owner": {
 			"$ref": "./user-object.json"
@@ -56,10 +59,10 @@
 				"dns_challenge": {
 					"type": "boolean"
 				},
-				"dns_provider": {
+				"dns_provider_credentials": {
 					"type": "string"
 				},
-				"dns_provider_credentials": {
+				"dns_provider": {
 					"type": "string"
 				},
 				"letsencrypt_certificate": {
@@ -68,7 +71,15 @@
 				"propagation_seconds": {
 					"type": "integer",
 					"minimum": 0
 				},
 				"key_type": {
 					"type": "string",
 					"enum": ["rsa", "ecdsa"],
 					"default": "rsa"
 				}
 			},
 			"example": {
 				"dns_challenge": false
 			}
 		}
 	}
--- a/backend/schema/components/check-version-object.json
+++ b/backend/schema/components/check-version-object.json
@@ -0,0 +1,23 @@
 {
 	"type": "object",
 	"description": "Check Version object",
 	"additionalProperties": false,
 	"required": ["current", "latest", "update_available"],
 	"properties": {
 		"current": {
 			"type": ["string", "null"],
 			"description": "Current version string",
 			"example": "v2.10.1"
 		},
 		"latest": {
 			"type": ["string", "null"],
 			"description": "Latest version string",
 			"example": "v2.13.4"
 		},
 		"update_available": {
 			"type": "boolean",
 			"description": "Whether there's an update available",
 			"example": true
 		}
 	}
 }
--- a/backend/schema/components/dead-host-object.json
+++ b/backend/schema/components/dead-host-object.json
@@ -35,13 +35,30 @@
 			"$ref": "../common.json#/properties/http2_support"
 		},
 		"advanced_config": {
-			"type": "string"
+			"type": "string",
 			"example": ""
 		},
 		"enabled": {
 			"$ref": "../common.json#/properties/enabled"
 		},
 		"meta": {
-			"type": "object"
+			"type": "object",
 			"example": {}
 		},
 		"certificate": {
 			"oneOf": [
 				{
 					"type": "null",
 					"example": null
 				},
 				{
 					"$ref": "./certificate-object.json"
 				}
 			],
 			"example": null
 		},
 		"owner": {
 			"$ref": "./user-object.json"
 		}
 	}
 }
--- a/backend/schema/components/error-object.json
+++ b/backend/schema/components/error-object.json
@@ -5,10 +5,12 @@
 	"required": ["code", "message"],
 	"properties": {
 		"code": {
-			"type": "integer"
+			"type": "integer",
 			"example": 400
 		},
 		"message": {
-			"type": "string"
+			"type": "string",
 			"example": "Bad Request"
 		}
 	}
 }
--- a/backend/schema/components/health-object.json
+++ b/backend/schema/components/health-object.json
@@ -27,15 +27,18 @@
 			"properties": {
 				"major": {
 					"type": "integer",
-					"minimum": 0
+					"minimum": 0,
 					"example": 2
 				},
 				"minor": {
 					"type": "integer",
-					"minimum": 0
+					"minimum": 0,
 					"example": 10
 				},
 				"revision": {
 					"type": "integer",
-					"minimum": 0
+					"minimum": 0,
 					"example": 1
 				}
 			}
 		}
--- a/backend/schema/components/permission-object.json
+++ b/backend/schema/components/permission-object.json
@@ -5,37 +5,44 @@
 		"visibility": {
 			"type": "string",
 			"description": "Visibility Type",
-			"enum": ["all", "user"]
+			"enum": ["all", "user"],
 			"example": "all"
 		},
 		"access_lists": {
 			"type": "string",
 			"description": "Access Lists Permissions",
-			"enum": ["hidden", "view", "manage"]
+			"enum": ["hidden", "view", "manage"],
 			"example": "view"
 		},
 		"dead_hosts": {
 			"type": "string",
 			"description": "404 Hosts Permissions",
-			"enum": ["hidden", "view", "manage"]
+			"enum": ["hidden", "view", "manage"],
 			"example": "manage"
 		},
 		"proxy_hosts": {
 			"type": "string",
 			"description": "Proxy Hosts Permissions",
-			"enum": ["hidden", "view", "manage"]
+			"enum": ["hidden", "view", "manage"],
 			"example": "hidden"
 		},
 		"redirection_hosts": {
 			"type": "string",
 			"description": "Redirection Permissions",
-			"enum": ["hidden", "view", "manage"]
+			"enum": ["hidden", "view", "manage"],
 			"example": "view"
 		},
 		"streams": {
 			"type": "string",
 			"description": "Streams Permissions",
-			"enum": ["hidden", "view", "manage"]
+			"enum": ["hidden", "view", "manage"],
 			"example": "manage"
 		},
 		"certificates": {
 			"type": "string",
 			"description": "Certificates Permissions",
-			"enum": ["hidden", "view", "manage"]
+			"enum": ["hidden", "view", "manage"],
 			"example": "hidden"
 		}
 	}
 }
--- a/backend/schema/components/proxy-host-object.json
+++ b/backend/schema/components/proxy-host-object.json
@@ -24,7 +24,6 @@
 		"hsts_enabled",
 		"hsts_subdomains"
 	],
 	"additionalProperties": false,
 	"properties": {
 		"id": {
 			"$ref": "../common.json#/properties/id"
@@ -44,12 +43,14 @@
 		"forward_host": {
 			"type": "string",
 			"minLength": 1,
-			"maxLength": 255
+			"maxLength": 255,
 			"example": "127.0.0.1"
 		},
 		"forward_port": {
 			"type": "integer",
 			"minimum": 1,
-			"maximum": 65535
+			"maximum": 65535,
 			"example": 8080
 		},
 		"access_list_id": {
 			"$ref": "../common.json#/properties/access_list_id"
@@ -67,22 +68,28 @@
 			"$ref": "../common.json#/properties/block_exploits"
 		},
 		"advanced_config": {
-			"type": "string"
+			"type": "string",
 			"example": ""
 		},
 		"meta": {
-			"type": "object"
+			"type": "object",
 			"example": {
 				"nginx_online": true,
 				"nginx_err": null
 			}
 		},
 		"allow_websocket_upgrade": {
 			"description": "Allow Websocket Upgrade for all paths",
-			"example": true,
+			"type": "boolean",
-			"type": "boolean"
+			"example": true
 		},
 		"http2_support": {
 			"$ref": "../common.json#/properties/http2_support"
 		},
 		"forward_scheme": {
 			"type": "string",
-			"enum": ["http", "https"]
+			"enum": ["http", "https"],
 			"example": "http"
 		},
 		"enabled": {
 			"$ref": "../common.json#/properties/enabled"
@@ -118,7 +125,15 @@
 						"type": "string"
 					}
 				}
-			}
+			},
 			"example": [
 				{
 					"path": "/app",
 					"forward_scheme": "http",
 					"forward_host": "example.com",
 					"forward_port": 80
 				}
 			]
 		},
 		"hsts_enabled": {
 			"$ref": "../common.json#/properties/hsts_enabled"
@@ -129,12 +144,14 @@
 		"certificate": {
 			"oneOf": [
 				{
-					"type": "null"
+					"type": "null",
 					"example": null
 				},
 				{
 					"$ref": "./certificate-object.json"
 				}
-			]
+			],
 			"example": null
 		},
 		"owner": {
 			"$ref": "./user-object.json"
@@ -142,12 +159,14 @@
 		"access_list": {
 			"oneOf": [
 				{
-					"type": "null"
+					"type": "null",
 					"example": null
 				},
 				{
 					"$ref": "./access-list-object.json"
 				}
-			]
+			],
 			"example": null
 		}
 	}
 }
--- a/backend/schema/components/redirection-host-object.json
+++ b/backend/schema/components/redirection-host-object.json
@@ -1,7 +1,26 @@
 {
 	"type": "object",
 	"description": "Redirection Host object",
-	"required": ["id", "created_on", "modified_on", "owner_user_id", "domain_names", "forward_http_code", "forward_scheme", "forward_domain_name", "preserve_path", "certificate_id", "ssl_forced", "hsts_enabled", "hsts_subdomains", "http2_support", "block_exploits", "advanced_config", "enabled", "meta"],
+	"required": [
 		"id",
 		"created_on",
 		"modified_on",
 		"owner_user_id",
 		"domain_names",
 		"forward_http_code",
 		"forward_scheme",
 		"forward_domain_name",
 		"preserve_path",
 		"certificate_id",
 		"ssl_forced",
 		"hsts_enabled",
 		"hsts_subdomains",
 		"http2_support",
 		"block_exploits",
 		"advanced_config",
 		"enabled",
 		"meta"
 	],
 	"additionalProperties": false,
 	"properties": {
 		"id": {
@@ -21,25 +40,30 @@
 		},
 		"forward_http_code": {
 			"description": "Redirect HTTP Status Code",
 			"example": 302,
 			"type": "integer",
 			"minimum": 300,
-			"maximum": 308
+			"maximum": 308,
 			"example": 302
 		},
 		"forward_scheme": {
 			"type": "string",
-			"enum": ["auto", "http", "https"]
+			"enum": [
 				"auto",
 				"http",
 				"https"
 			],
 			"example": "http"
 		},
 		"forward_domain_name": {
 			"description": "Domain Name",
 			"example": "jc21.com",
 			"type": "string",
-			"pattern": "^(?:[^.*]+\\.?)+[^.]$"
+			"pattern": "^(?:[^.*]+\\.?)+[^.]$",
 			"example": "jc21.com"
 		},
 		"preserve_path": {
 			"description": "Should the path be preserved",
-			"example": true,
+			"type": "boolean",
-			"type": "boolean"
+			"example": true
 		},
 		"certificate_id": {
 			"$ref": "../common.json#/properties/certificate_id"
@@ -60,13 +84,33 @@
 			"$ref": "../common.json#/properties/block_exploits"
 		},
 		"advanced_config": {
-			"type": "string"
+			"type": "string",
 			"example": ""
 		},
 		"enabled": {
 			"$ref": "../common.json#/properties/enabled"
 		},
 		"meta": {
-			"type": "object"
+			"type": "object",
 			"example": {
 				"nginx_online": true,
 				"nginx_err": null
 			}
 		},
 		"certificate": {
 			"oneOf": [
 				{
 					"type": "null",
 					"example": null
 				},
 				{
 					"$ref": "./certificate-object.json"
 				}
 			],
 			"example": null
 		},
 		"owner": {
 			"$ref": "./user-object.json"
 		}
 	}
 }
--- a/backend/schema/components/security-schemes.json
+++ b/backend/schema/components/security-schemes.json
@@ -1,6 +1,8 @@
 {
-	"BearerAuth": {
+	"bearerAuth": {
 		"type": "http",
-		"scheme": "bearer"
+		"scheme": "bearer",
 		"bearerFormat": "JWT",
 		"description": "JWT Bearer Token authentication"
 	}
 }
--- a/backend/schema/components/stream-object.json
+++ b/backend/schema/components/stream-object.json
@@ -1,7 +1,19 @@
 {
 	"type": "object",
 	"description": "Stream object",
-	"required": ["id", "created_on", "modified_on", "owner_user_id", "incoming_port", "forwarding_host", "forwarding_port", "tcp_forwarding", "udp_forwarding", "enabled", "meta"],
+	"required": [
 		"id",
 		"created_on",
 		"modified_on",
 		"owner_user_id",
 		"incoming_port",
 		"forwarding_host",
 		"forwarding_port",
 		"tcp_forwarding",
 		"udp_forwarding",
 		"enabled",
 		"meta"
 	],
 	"additionalProperties": false,
 	"properties": {
 		"id": {
@@ -19,15 +31,16 @@
 		"incoming_port": {
 			"type": "integer",
 			"minimum": 1,
-			"maximum": 65535
+			"maximum": 65535,
 			"example": 9090
 		},
 		"forwarding_host": {
 			"anyOf": [
 				{
 					"description": "Domain Name",
 					"example": "jc21.com",
 					"type": "string",
-					"pattern": "^(?:[^.*]+\\.?)+[^.]$"
+					"pattern": "^(?:[^.*]+\\.?)+[^.]$",
 					"example": "example.com"
 				},
 				{
 					"type": "string",
@@ -37,18 +50,22 @@
 					"type": "string",
 					"format": "ipv6"
 				}
-			]
+			],
 			"example": "example.com"
 		},
 		"forwarding_port": {
 			"type": "integer",
 			"minimum": 1,
-			"maximum": 65535
+			"maximum": 65535,
 			"example": 80
 		},
 		"tcp_forwarding": {
-			"type": "boolean"
+			"type": "boolean",
 			"example": true
 		},
 		"udp_forwarding": {
-			"type": "boolean"
+			"type": "boolean",
 			"example": false
 		},
 		"enabled": {
 			"$ref": "../common.json#/properties/enabled"
@@ -57,10 +74,8 @@
 			"$ref": "../common.json#/properties/certificate_id"
 		},
 		"meta": {
-			"type": "object"
+			"type": "object",
-		},
+			"example": {}
 		"owner": {
 			"$ref": "./user-object.json"
 		},
 		"certificate": {
 			"oneOf": [
@@ -70,7 +85,11 @@
 				{
 					"$ref": "./certificate-object.json"
 				}
-			]
+			],
 			"example": null
 		},
 		"owner": {
 			"$ref": "./user-object.json"
 		}
 	}
 }
--- a/backend/schema/components/token-challenge.json
+++ b/backend/schema/components/token-challenge.json
@@ -0,0 +1,18 @@
 {
 	"type": "object",
 	"description": "Token object",
 	"required": ["requires_2fa", "challenge_token"],
 	"additionalProperties": false,
 	"properties": {
 		"requires_2fa": {
 			"description": "Whether this token request requires two-factor authentication",
 			"example": true,
 			"type": "boolean"
 		},
 		"challenge_token": {
 			"description": "Challenge Token used in subsequent 2FA verification",
 			"example": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.ey...xaHKYr3Kk6MvkUjcC4",
 			"type": "string"
 		}
 	}
 }
--- a/backend/schema/components/user-object.json
+++ b/backend/schema/components/user-object.json
@@ -77,37 +77,37 @@
 				"proxy_hosts": {
 					"type": "string",
 					"description": "Proxy Hosts access level",
-					"example": "all",
+					"example": "manage",
 					"pattern": "^(manage|view|hidden)$"
 				},
 				"redirection_hosts": {
 					"type": "string",
 					"description": "Redirection Hosts access level",
-					"example": "all",
+					"example": "manage",
 					"pattern": "^(manage|view|hidden)$"
 				},
 				"dead_hosts": {
 					"type": "string",
 					"description": "Dead Hosts access level",
-					"example": "all",
+					"example": "manage",
 					"pattern": "^(manage|view|hidden)$"
 				},
 				"streams": {
 					"type": "string",
 					"description": "Streams access level",
-					"example": "all",
+					"example": "manage",
 					"pattern": "^(manage|view|hidden)$"
 				},
 				"access_lists": {
 					"type": "string",
 					"description": "Access Lists access level",
-					"example": "all",
+					"example": "hidden",
 					"pattern": "^(manage|view|hidden)$"
 				},
 				"certificates": {
 					"type": "string",
 					"description": "Certificates access level",
-					"example": "all",
+					"example": "view",
 					"pattern": "^(manage|view|hidden)$"
 				}
 			}
--- a/backend/schema/paths/audit-log/get.json
+++ b/backend/schema/paths/audit-log/get.json
@@ -1,10 +1,10 @@
 {
 	"operationId": "getAuditLogs",
 	"summary": "Get Audit Logs",
-	"tags": ["Audit Log"],
+	"tags": ["audit-log"],
 	"security": [
 		{
-			"BearerAuth": ["audit-log"]
+			"bearerAuth": ["admin"]
 		}
 	],
 	"responses": {
--- a/backend/schema/paths/audit-log/id/get.json
+++ b/backend/schema/paths/audit-log/id/get.json
@@ -1,13 +1,11 @@
 {
 	"operationId": "getAuditLog",
 	"summary": "Get Audit Log Event",
-	"tags": [
+	"tags": ["audit-log"],
 		"Audit Log"
 	],
 	"security": [
 		{
-			"BearerAuth": [
+			"bearerAuth": [
-				"audit-log"
+				"admin"
 			]
 		}
 	],
@@ -15,6 +13,7 @@
 		{
 			"in": "path",
 			"name": "id",
 			"description": "Audit Log Event ID",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/backend/schema/paths/get.json
+++ b/backend/schema/paths/get.json
@@ -1,7 +1,7 @@
 {
 	"operationId": "health",
 	"summary": "Returns the API health status",
-	"tags": ["Public"],
+	"tags": ["public"],
 	"responses": {
 		"200": {
 			"description": "200 response",
--- a/backend/schema/paths/nginx/access-lists/get.json
+++ b/backend/schema/paths/nginx/access-lists/get.json
@@ -1,10 +1,12 @@
 {
 	"operationId": "getAccessLists",
 	"summary": "Get all access lists",
-	"tags": ["Access Lists"],
+	"tags": ["access-lists"],
 	"security": [
 		{
-			"BearerAuth": ["access_lists"]
+			"bearerAuth": [
 				"access_lists.view"
 			]
 		}
 	],
 	"parameters": [
@@ -14,7 +16,12 @@
 			"description": "Expansions",
 			"schema": {
 				"type": "string",
-				"enum": ["owner", "items", "clients", "proxy_hosts"]
+				"enum": [
 					"owner",
 					"items",
 					"clients",
 					"proxy_hosts"
 				]
 			}
 		}
 	],
@@ -23,22 +30,16 @@
 			"description": "200 response",
 			"content": {
 				"application/json": {
-					"examples": {
+					"example": {
-						"default": {
+						"id": 1,
-							"value": [
+						"created_on": "2024-10-08T22:15:40.000Z",
-								{
+						"modified_on": "2024-10-08T22:15:40.000Z",
-									"id": 1,
+						"owner_user_id": 1,
-									"created_on": "2024-10-08T22:15:40.000Z",
+						"name": "test1234",
-									"modified_on": "2024-10-08T22:15:40.000Z",
+						"meta": {},
-									"owner_user_id": 1,
+						"satisfy_any": true,
-									"name": "test1234",
+						"pass_auth": false,
-									"meta": {},
+						"proxy_host_count": 0
 									"satisfy_any": true,
 									"pass_auth": false,
 									"proxy_host_count": 0
 								}
 							]
 						}
 					},
 					"schema": {
 						"$ref": "../../../components/access-list-object.json"
--- a/backend/schema/paths/nginx/access-lists/listID/delete.json
+++ b/backend/schema/paths/nginx/access-lists/listID/delete.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "deleteAccessList",
 	"summary": "Delete a Access List",
-	"tags": ["Access Lists"],
+	"tags": ["access-lists"],
 	"security": [
 		{
-			"BearerAuth": ["access_lists"]
+			"bearerAuth": ["access_lists.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "listID",
 			"description": "Access List ID",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/backend/schema/paths/nginx/access-lists/listID/get.json
+++ b/backend/schema/paths/nginx/access-lists/listID/get.json
@@ -1,49 +1,54 @@
 {
-	"operationId": "getAccessList",
+    "operationId": "getAccessList",
-	"summary": "Get a access List",
+    "summary": "Get a access List",
-	"tags": ["Access Lists"],
+    "tags": [
-	"security": [
+        "access-lists"
-		{
+    ],
-			"BearerAuth": ["access_lists"]
+    "security": [
-		}
+        {
-	],
+            "bearerAuth": [
-	"parameters": [
+                "access_lists.view"
-		{
+            ]
-			"in": "path",
+        }
-			"name": "listID",
+    ],
-			"schema": {
+    "parameters": [
-				"type": "integer",
+        {
-				"minimum": 1
+            "in": "path",
-			},
+            "name": "listID",
-			"required": true,
+            "description": "Access List ID",
-			"example": 1
+            "schema": {
-		}
+                "type": "integer",
-	],
+                "minimum": 1
-	"responses": {
+            },
-		"200": {
+            "required": true,
-			"description": "200 response",
+            "example": 1
-			"content": {
+        }
-				"application/json": {
+    ],
-					"examples": {
+    "responses": {
-						"default": {
+        "200": {
-							"value": {
+            "description": "200 response",
-								"id": 1,
+            "content": {
-								"created_on": "2020-01-30T09:36:08.000Z",
+                "application/json": {
-								"modified_on": "2020-01-30T09:41:04.000Z",
+                    "examples": {
-								"is_disabled": false,
+                        "default": {
-								"email": "jc@jc21.com",
+                            "value": {
-								"name": "Jamie Curnow",
+                                "id": 1,
-								"nickname": "James",
+                                "created_on": "2025-10-28T04:06:55.000Z",
-								"avatar": "//www.gravatar.com/avatar/6193176330f8d38747f038c170ddb193?default=mm",
+                                "modified_on": "2025-10-29T22:48:20.000Z",
-								"roles": ["admin"]
+                                "owner_user_id": 1,
-							}
+                                "name": "My Access List",
-						}
+                                "meta": {},
-					},
+                                "satisfy_any": false,
-					"schema": {
+                                "pass_auth": false,
-						"$ref": "../../../../components/access-list-object.json"
+                                "proxy_host_count": 1
-					}
+                            }
-				}
+                        }
-			}
+                    },
-		}
+                    "schema": {
-	}
+                        "$ref": "../../../../components/access-list-object.json"
                    }
                }
            }
        }
    }
 }
--- a/backend/schema/paths/nginx/access-lists/listID/put.json
+++ b/backend/schema/paths/nginx/access-lists/listID/put.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "updateAccessList",
 	"summary": "Update a Access List",
-	"tags": ["Access Lists"],
+	"tags": ["access-lists"],
 	"security": [
 		{
-			"BearerAuth": ["access_lists"]
+			"bearerAuth": ["access_lists.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "listID",
 			"description": "Access List ID",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
@@ -39,50 +40,29 @@
 							"$ref": "../../../../components/access-list-object.json#/properties/pass_auth"
 						},
 						"items": {
-							"type": "array",
+							"$ref": "../../../../common.json#/properties/access_items"
 							"items": {
 								"type": "object",
 								"additionalProperties": false,
 								"properties": {
 									"username": {
 										"type": "string",
 										"minLength": 1
 									},
 									"password": {
 										"type": "string"
 									}
 								}
 							}
 						},
 						"clients": {
-							"type": "array",
+							"$ref": "../../../../common.json#/properties/access_clients"
 							"items": {
 								"type": "object",
 								"additionalProperties": false,
 								"properties": {
 									"address": {
 										"oneOf": [
 											{
 												"type": "string",
 												"pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$"
 											},
 											{
 												"type": "string",
 												"pattern": "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$"
 											},
 											{
 												"type": "string",
 												"pattern": "^all$"
 											}
 										]
 									},
 									"directive": {
 										"$ref": "../../../../components/access-list-object.json#/properties/directive"
 									}
 								}
 							}
 						}
 					}
 				},
 				"example": {
 					"name": "My Access List",
 					"satisfy_any": true,
 					"pass_auth": false,
 					"items": [
 						{
 							"username": "admin2",
 							"password": "pass2"
 						}
 					],
 					"clients": [
 						{
 							"directive": "allow",
 							"address": "192.168.0.0/24"
 						}
 					]
 				}
 			}
 		}
@@ -108,7 +88,6 @@
 									"id": 1,
 									"created_on": "2024-10-07T22:43:55.000Z",
 									"modified_on": "2024-10-08T12:52:54.000Z",
 									"is_deleted": false,
 									"is_disabled": false,
 									"email": "admin@example.com",
 									"name": "Administrator",
--- a/backend/schema/paths/nginx/access-lists/post.json
+++ b/backend/schema/paths/nginx/access-lists/post.json
@@ -1,10 +1,12 @@
 {
 	"operationId": "createAccessList",
 	"summary": "Create a Access List",
-	"tags": ["Access Lists"],
+	"tags": ["access-lists"],
 	"security": [
 		{
-			"BearerAuth": ["access_lists"]
+			"bearerAuth": [
 				"access_lists.manage"
 			]
 		}
 	],
 	"requestBody": {
@@ -15,7 +17,9 @@
 				"schema": {
 					"type": "object",
 					"additionalProperties": false,
-					"required": ["name"],
+					"required": [
 						"name"
 					],
 					"properties": {
 						"name": {
 							"$ref": "../../../components/access-list-object.json#/properties/name"
@@ -27,54 +31,29 @@
 							"$ref": "../../../components/access-list-object.json#/properties/pass_auth"
 						},
 						"items": {
-							"type": "array",
+							"$ref": "../../../common.json#/properties/access_items"
 							"items": {
 								"type": "object",
 								"additionalProperties": false,
 								"properties": {
 									"username": {
 										"type": "string",
 										"minLength": 1
 									},
 									"password": {
 										"type": "string",
 										"minLength": 1
 									}
 								}
 							}
 						},
 						"clients": {
-							"type": "array",
+							"$ref": "../../../common.json#/properties/access_clients"
 							"items": {
 								"type": "object",
 								"additionalProperties": false,
 								"properties": {
 									"address": {
 										"oneOf": [
 											{
 												"type": "string",
 												"pattern": "^([0-9]{1,3}\\.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$"
 											},
 											{
 												"type": "string",
 												"pattern": "^s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]d|1dd|[1-9]?d)(.(25[0-5]|2[0-4]d|1dd|[1-9]?d)){3}))|:)))(%.+)?s*(/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8]))?$"
 											},
 											{
 												"type": "string",
 												"pattern": "^all$"
 											}
 										]
 									},
 									"directive": {
 										"$ref": "../../../components/access-list-object.json#/properties/directive"
 									}
 								}
 							}
 						},
 						"meta": {
 							"$ref": "../../../components/access-list-object.json#/properties/meta"
 						}
 					}
 				},
 				"example": {
 					"name": "My Access List",
 					"satisfy_any": true,
 					"pass_auth": false,
 					"items": [
 						{
 							"username": "admin",
 							"password": "pass"
 						}
 					],
 					"clients": [
 						{
 							"directive": "allow",
 							"address": "192.168.0.0/24"
 						}
 					]
 				}
 			}
 		}
@@ -100,13 +79,14 @@
 									"id": 1,
 									"created_on": "2024-10-07T22:43:55.000Z",
 									"modified_on": "2024-10-08T12:52:54.000Z",
 									"is_deleted": false,
 									"is_disabled": false,
 									"email": "admin@example.com",
 									"name": "Administrator",
 									"nickname": "some guy",
 									"avatar": "//www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?default=mm",
-									"roles": ["admin"]
+									"roles": [
 										"admin"
 									]
 								},
 								"items": [
 									{
--- a/backend/schema/paths/nginx/certificates/certID/delete.json
+++ b/backend/schema/paths/nginx/certificates/certID/delete.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "deleteCertificate",
 	"summary": "Delete a Certificate",
-	"tags": ["Certificates"],
+	"tags": ["certificates"],
 	"security": [
 		{
-			"BearerAuth": ["certificates"]
+			"bearerAuth": ["certificates.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "certID",
 			"description": "Certificate ID",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/backend/schema/paths/nginx/certificates/certID/download/get.json
+++ b/backend/schema/paths/nginx/certificates/certID/download/get.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "downloadCertificate",
 	"summary": "Downloads a Certificate",
-	"tags": ["Certificates"],
+	"tags": ["certificates"],
 	"security": [
 		{
-			"BearerAuth": ["certificates"]
+			"bearerAuth": ["certificates.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "certID",
 			"description": "Certificate ID",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/backend/schema/paths/nginx/certificates/certID/get.json
+++ b/backend/schema/paths/nginx/certificates/certID/get.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "getCertificate",
 	"summary": "Get a Certificate",
-	"tags": ["Certificates"],
+	"tags": ["certificates"],
 	"security": [
 		{
-			"BearerAuth": ["certificates"]
+			"bearerAuth": ["certificates.view"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "certID",
 			"description": "Certificate ID",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/backend/schema/paths/nginx/certificates/certID/renew/post.json
+++ b/backend/schema/paths/nginx/certificates/certID/renew/post.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "renewCertificate",
 	"summary": "Renews a Certificate",
-	"tags": ["Certificates"],
+	"tags": ["certificates"],
 	"security": [
 		{
-			"BearerAuth": ["certificates"]
+			"bearerAuth": ["certificates.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "certID",
 			"description": "Certificate ID",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
@@ -32,7 +33,6 @@
 								"id": 4,
 								"created_on": "2024-10-09T05:31:58.000Z",
 								"owner_user_id": 1,
 								"is_deleted": false,
 								"provider": "letsencrypt",
 								"nice_name": "My Test Cert",
 								"domain_names": ["test.jc21.supernerd.pro"],
--- a/backend/schema/paths/nginx/certificates/certID/upload/post.json
+++ b/backend/schema/paths/nginx/certificates/certID/upload/post.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "uploadCertificate",
 	"summary": "Uploads a custom Certificate",
-	"tags": ["Certificates"],
+	"tags": ["certificates"],
 	"security": [
 		{
-			"BearerAuth": ["certificates"]
+			"bearerAuth": ["certificates.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "certID",
 			"description": "Certificate ID",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
@@ -20,28 +21,7 @@
 		}
 	],
 	"requestBody": {
-		"description": "Certificate Files",
+		"$ref": "../../../../../common.json#/properties/certificate_files"
 		"required": true,
 		"content": {
 			"multipart/form-data": {
 				"schema": {
 					"type": "object",
 					"additionalProperties": false,
 					"required": ["certificate", "certificate_key"],
 					"properties": {
 						"certificate": {
 							"type": "string"
 						},
 						"certificate_key": {
 							"type": "string"
 						},
 						"intermediate_certificate": {
 							"type": "string"
 						}
 					}
 				}
 			}
 		}
 	},
 	"responses": {
 		"200": {
@@ -63,15 +43,18 @@
 						"properties": {
 							"certificate": {
 								"type": "string",
-								"minLength": 1
+								"minLength": 1,
 								"example": "-----BEGIN CERTIFICATE-----\nMIID...-----END CERTIFICATE-----"
 							},
 							"certificate_key": {
 								"type": "string",
-								"minLength": 1
+								"minLength": 1,
 								"example": "-----BEGIN CERTIFICATE-----\nMIID...-----END CERTIFICATE-----"
 							},
 							"intermediate_certificate": {
 								"type": "string",
-								"minLength": 1
+								"minLength": 1,
 								"example": "-----BEGIN CERTIFICATE-----\nMIID...-----END CERTIFICATE-----"
 							}
 						}
 					}
--- a/backend/schema/paths/nginx/certificates/dns-providers/get.json
+++ b/backend/schema/paths/nginx/certificates/dns-providers/get.json
@@ -1,14 +1,10 @@
 {
 	"operationId": "getDNSProviders",
 	"summary": "Get DNS Providers for Certificates",
-	"tags": [
+	"tags": ["certificates"],
 		"Certificates"
 	],
 	"security": [
 		{
-			"BearerAuth": [
+			"bearerAuth": ["certificates.view"]
 				"certificates"
 			]
 		}
 	],
 	"responses": {
--- a/backend/schema/paths/nginx/certificates/get.json
+++ b/backend/schema/paths/nginx/certificates/get.json
@@ -1,10 +1,10 @@
 {
 	"operationId": "getCertificates",
 	"summary": "Get all certificates",
-	"tags": ["Certificates"],
+	"tags": ["certificates"],
 	"security": [
 		{
-			"BearerAuth": ["certificates"]
+			"bearerAuth": ["certificates.view"]
 		}
 	],
 	"parameters": [
--- a/backend/schema/paths/nginx/certificates/post.json
+++ b/backend/schema/paths/nginx/certificates/post.json
@@ -1,10 +1,10 @@
 {
 	"operationId": "createCertificate",
 	"summary": "Create a Certificate",
-	"tags": ["Certificates"],
+	"tags": ["certificates"],
 	"security": [
 		{
-			"BearerAuth": ["certificates"]
+			"bearerAuth": ["certificates.manage"]
 		}
 	],
 	"requestBody": {
@@ -30,6 +30,13 @@
 							"$ref": "../../../components/certificate-object.json#/properties/meta"
 						}
 					}
 				},
 				"example": {
 					"provider": "letsencrypt",
 					"domain_names": ["test.example.com"],
 					"meta": {
 						"dns_challenge": false
 					}
 				}
 			}
 		}
@@ -47,7 +54,6 @@
 								"id": 5,
 								"created_on": "2024-10-09 05:28:35",
 								"owner_user_id": 1,
 								"is_deleted": false,
 								"provider": "letsencrypt",
 								"nice_name": "test.example.com",
 								"domain_names": ["test.example.com"],
--- a/backend/schema/paths/nginx/certificates/test-http/post.json
+++ b/backend/schema/paths/nginx/certificates/test-http/post.json
@@ -1,10 +1,10 @@
 {
 	"operationId": "testHttpReach",
 	"summary": "Test HTTP Reachability",
-	"tags": ["Certificates"],
+	"tags": ["certificates"],
 	"security": [
 		{
-			"BearerAuth": ["certificates"]
+			"bearerAuth": ["certificates.view"]
 		}
 	],
 	"requestBody": {
--- a/backend/schema/paths/nginx/certificates/validate/post.json
+++ b/backend/schema/paths/nginx/certificates/validate/post.json
@@ -1,35 +1,14 @@
 {
 	"operationId": "validateCertificates",
 	"summary": "Validates given Custom Certificates",
-	"tags": ["Certificates"],
+	"tags": ["certificates"],
 	"security": [
 		{
-			"BearerAuth": ["certificates"]
+			"bearerAuth": ["certificates.manage"]
 		}
 	],
 	"requestBody": {
-		"description": "Certificate Files",
+		"$ref": "../../../../common.json#/properties/certificate_files"
 		"required": true,
 		"content": {
 			"multipart/form-data": {
 				"schema": {
 					"type": "object",
 					"additionalProperties": false,
 					"required": ["certificate", "certificate_key"],
 					"properties": {
 						"certificate": {
 							"type": "string"
 						},
 						"certificate_key": {
 							"type": "string"
 						},
 						"intermediate_certificate": {
 							"type": "string"
 						}
 					}
 				}
 			}
 		}
 	},
 	"responses": {
 		"200": {
@@ -62,10 +41,12 @@
 								"required": ["cn", "issuer", "dates"],
 								"properties": {
 									"cn": {
-										"type": "string"
+										"type": "string",
 										"example": "example.com"
 									},
 									"issuer": {
-										"type": "string"
+										"type": "string",
 										"example": "C = US, O = Let's Encrypt, CN = E5"
 									},
 									"dates": {
 										"type": "object",
@@ -78,12 +59,17 @@
 											"to": {
 												"type": "integer"
 											}
 										},
 										"example": {
 											"from": 1728448218,
 											"to": 1736224217
 										}
 									}
 								}
 							},
 							"certificate_key": {
-								"type": "boolean"
+								"type": "boolean",
 								"example": true
 							}
 						}
 					}
--- a/backend/schema/paths/nginx/dead-hosts/get.json
+++ b/backend/schema/paths/nginx/dead-hosts/get.json
@@ -1,10 +1,10 @@
 {
 	"operationId": "getDeadHosts",
 	"summary": "Get all 404 hosts",
-	"tags": ["404 Hosts"],
+	"tags": ["404-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["dead_hosts"]
+			"bearerAuth": ["dead_hosts.view"]
 		}
 	],
 	"parameters": [
--- a/backend/schema/paths/nginx/dead-hosts/hostID/delete.json
+++ b/backend/schema/paths/nginx/dead-hosts/hostID/delete.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "deleteDeadHost",
 	"summary": "Delete a 404 Host",
-	"tags": ["404 Hosts"],
+	"tags": ["404-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["dead_hosts"]
+			"bearerAuth": ["dead_hosts.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "hostID",
 			"description": "The ID of the 404 Host",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/backend/schema/paths/nginx/dead-hosts/hostID/disable/post.json
+++ b/backend/schema/paths/nginx/dead-hosts/hostID/disable/post.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "disableDeadHost",
 	"summary": "Disable a 404 Host",
-	"tags": ["404 Hosts"],
+	"tags": ["404-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["dead_hosts"]
+			"bearerAuth": ["dead_hosts.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "hostID",
 			"description": "The ID of the 404 Host",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/backend/schema/paths/nginx/dead-hosts/hostID/enable/post.json
+++ b/backend/schema/paths/nginx/dead-hosts/hostID/enable/post.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "enableDeadHost",
 	"summary": "Enable a 404 Host",
-	"tags": ["404 Hosts"],
+	"tags": ["404-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["dead_hosts"]
+			"bearerAuth": ["dead_hosts.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "hostID",
 			"description": "The ID of the 404 Host",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/backend/schema/paths/nginx/dead-hosts/hostID/get.json
+++ b/backend/schema/paths/nginx/dead-hosts/hostID/get.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "getDeadHost",
 	"summary": "Get a 404 Host",
-	"tags": ["404 Hosts"],
+	"tags": ["404-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["dead_hosts"]
+			"bearerAuth": ["dead_hosts.view"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "hostID",
 			"description": "The ID of the 404 Host",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/backend/schema/paths/nginx/dead-hosts/hostID/put.json
+++ b/backend/schema/paths/nginx/dead-hosts/hostID/put.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "updateDeadHost",
 	"summary": "Update a 404 Host",
-	"tags": ["404 Hosts"],
+	"tags": ["404-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["dead_hosts"]
+			"bearerAuth": ["dead_hosts.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "hostID",
 			"description": "The ID of the 404 Host",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
@@ -86,7 +87,6 @@
 									"id": 1,
 									"created_on": "2024-10-09T00:59:56.000Z",
 									"modified_on": "2024-10-09T00:59:56.000Z",
 									"is_deleted": false,
 									"is_disabled": false,
 									"email": "admin@example.com",
 									"name": "Administrator",
--- a/backend/schema/paths/nginx/dead-hosts/post.json
+++ b/backend/schema/paths/nginx/dead-hosts/post.json
@@ -1,10 +1,12 @@
 {
 	"operationId": "create404Host",
 	"summary": "Create a 404 Host",
-	"tags": ["404 Hosts"],
+	"tags": ["404-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["dead_hosts"]
+			"bearerAuth": [
 				"dead_hosts.manage"
 			]
 		}
 	],
 	"requestBody": {
@@ -15,7 +17,9 @@
 				"schema": {
 					"type": "object",
 					"additionalProperties": false,
-					"required": ["domain_names"],
+					"required": [
 						"domain_names"
 					],
 					"properties": {
 						"domain_names": {
 							"$ref": "../../../components/dead-host-object.json#/properties/domain_names"
@@ -42,6 +46,18 @@
 							"$ref": "../../../components/dead-host-object.json#/properties/meta"
 						}
 					}
 				},
 				"example": {
 					"domain_names": [
 						"test.example.com"
 					],
 					"certificate_id": 0,
 					"ssl_forced": false,
 					"advanced_config": "",
 					"http2_support": false,
 					"hsts_enabled": false,
 					"hsts_subdomains": false,
 					"meta": {}
 				}
 			}
 		}
@@ -58,7 +74,9 @@
 								"created_on": "2024-10-09T01:38:52.000Z",
 								"modified_on": "2024-10-09T01:38:52.000Z",
 								"owner_user_id": 1,
-								"domain_names": ["test.example.com"],
+								"domain_names": [
 									"test.example.com"
 								],
 								"certificate_id": 0,
 								"ssl_forced": false,
 								"advanced_config": "",
@@ -72,13 +90,14 @@
 									"id": 1,
 									"created_on": "2024-10-09T00:59:56.000Z",
 									"modified_on": "2024-10-09T00:59:56.000Z",
 									"is_deleted": false,
 									"is_disabled": false,
 									"email": "admin@example.com",
 									"name": "Administrator",
 									"nickname": "Admin",
 									"avatar": "",
-									"roles": ["admin"]
+									"roles": [
 										"admin"
 									]
 								}
 							}
 						}
--- a/backend/schema/paths/nginx/proxy-hosts/get.json
+++ b/backend/schema/paths/nginx/proxy-hosts/get.json
@@ -1,10 +1,12 @@
 {
 	"operationId": "getProxyHosts",
 	"summary": "Get all proxy hosts",
-	"tags": ["Proxy Hosts"],
+	"tags": ["proxy-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["proxy_hosts"]
+			"bearerAuth": [
 				"proxy_hosts.view"
 			]
 		}
 	],
 	"parameters": [
@@ -14,7 +16,11 @@
 			"description": "Expansions",
 			"schema": {
 				"type": "string",
-				"enum": ["access_list", "owner", "certificate"]
+				"enum": [
 					"access_list",
 					"owner",
 					"certificate"
 				]
 			}
 		}
 	],
@@ -28,14 +34,16 @@
 							"value": [
 								{
 									"id": 1,
-									"created_on": "2024-10-08T23:23:03.000Z",
+									"created_on": "2025-10-28T01:10:26.000Z",
-									"modified_on": "2024-10-08T23:23:04.000Z",
+									"modified_on": "2025-10-28T04:07:16.000Z",
 									"owner_user_id": 1,
-									"domain_names": ["test.example.com"],
+									"domain_names": [
 										"test.jc21com"
 									],
 									"forward_host": "127.0.0.1",
-									"forward_port": 8989,
+									"forward_port": 8081,
-									"access_list_id": 0,
+									"access_list_id": 1,
-									"certificate_id": 0,
+									"certificate_id": 1,
 									"ssl_forced": false,
 									"caching_enabled": false,
 									"block_exploits": false,
@@ -48,7 +56,7 @@
 									"http2_support": false,
 									"forward_scheme": "http",
 									"enabled": true,
-									"locations": null,
+									"locations": [],
 									"hsts_enabled": false,
 									"hsts_subdomains": false
 								}
--- a/backend/schema/paths/nginx/proxy-hosts/hostID/delete.json
+++ b/backend/schema/paths/nginx/proxy-hosts/hostID/delete.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "deleteProxyHost",
 	"summary": "Delete a Proxy Host",
-	"tags": ["Proxy Hosts"],
+	"tags": ["proxy-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["proxy_hosts"]
+			"bearerAuth": ["proxy_hosts.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "hostID",
 			"description": "The ID of the Proxy Host",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/backend/schema/paths/nginx/proxy-hosts/hostID/disable/post.json
+++ b/backend/schema/paths/nginx/proxy-hosts/hostID/disable/post.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "disableProxyHost",
 	"summary": "Disable a Proxy Host",
-	"tags": ["Proxy Hosts"],
+	"tags": ["proxy-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["proxy_hosts"]
+			"bearerAuth": ["proxy_hosts.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "hostID",
 			"description": "The ID of the Proxy Host",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/backend/schema/paths/nginx/proxy-hosts/hostID/enable/post.json
+++ b/backend/schema/paths/nginx/proxy-hosts/hostID/enable/post.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "enableProxyHost",
 	"summary": "Enable a Proxy Host",
-	"tags": ["Proxy Hosts"],
+	"tags": ["proxy-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["proxy_hosts"]
+			"bearerAuth": ["proxy_hosts.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "hostID",
 			"description": "The ID of the Proxy Host",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/backend/schema/paths/nginx/proxy-hosts/hostID/get.json
+++ b/backend/schema/paths/nginx/proxy-hosts/hostID/get.json
@@ -1,16 +1,19 @@
 {
 	"operationId": "getProxyHost",
 	"summary": "Get a Proxy Host",
-	"tags": ["Proxy Hosts"],
+	"tags": ["proxy-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["proxy_hosts"]
+			"bearerAuth": [
 				"proxy_hosts.view"
 			]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "hostID",
 			"description": "The ID of the Proxy Host",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
@@ -27,13 +30,15 @@
 					"examples": {
 						"default": {
 							"value": {
-								"id": 1,
+								"id": 3,
-								"created_on": "2024-10-08T23:23:03.000Z",
+								"created_on": "2025-10-30T01:12:05.000Z",
-								"modified_on": "2024-10-08T23:26:38.000Z",
+								"modified_on": "2025-10-30T01:12:05.000Z",
 								"owner_user_id": 1,
-								"domain_names": ["test.example.com"],
+								"domain_names": [
-								"forward_host": "192.168.0.10",
+									"test.example.com"
-								"forward_port": 8989,
+								],
 								"forward_host": "127.0.0.1",
 								"forward_port": 8080,
 								"access_list_id": 0,
 								"certificate_id": 0,
 								"ssl_forced": false,
@@ -48,9 +53,22 @@
 								"http2_support": false,
 								"forward_scheme": "http",
 								"enabled": true,
-								"locations": null,
+								"locations": [],
 								"hsts_enabled": false,
-								"hsts_subdomains": false
+								"hsts_subdomains": false,
 								"owner": {
 									"id": 1,
 									"created_on": "2025-10-28T00:50:24.000Z",
 									"modified_on": "2025-10-28T00:50:24.000Z",
 									"is_disabled": false,
 									"email": "jc@jc21.com",
 									"name": "jamiec",
 									"nickname": "jamiec",
 									"avatar": "//www.gravatar.com/avatar/6193176330f8d38747f038c170ddb193?default=mm",
 									"roles": [
 										"admin"
 									]
 								}
 							}
 						}
 					},
--- a/backend/schema/paths/nginx/proxy-hosts/hostID/put.json
+++ b/backend/schema/paths/nginx/proxy-hosts/hostID/put.json
@@ -1,16 +1,19 @@
 {
 	"operationId": "updateProxyHost",
 	"summary": "Update a Proxy Host",
-	"tags": ["Proxy Hosts"],
+	"tags": ["proxy-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["proxy_hosts"]
+			"bearerAuth": [
 				"proxy_hosts.manage"
 			]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "hostID",
 			"description": "The ID of the Proxy Host",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
@@ -93,13 +96,15 @@
 					"examples": {
 						"default": {
 							"value": {
-								"id": 1,
+								"id": 3,
-								"created_on": "2024-10-08T23:23:03.000Z",
+								"created_on": "2025-10-30T01:12:05.000Z",
-								"modified_on": "2024-10-08T23:26:37.000Z",
+								"modified_on": "2025-10-30T01:17:06.000Z",
 								"owner_user_id": 1,
-								"domain_names": ["test.example.com"],
+								"domain_names": [
-								"forward_host": "192.168.0.10",
+									"test.example.com"
-								"forward_port": 8989,
+								],
 								"forward_host": "127.0.0.1",
 								"forward_port": 8080,
 								"access_list_id": 0,
 								"certificate_id": 0,
 								"ssl_forced": false,
@@ -114,19 +119,21 @@
 								"http2_support": false,
 								"forward_scheme": "http",
 								"enabled": true,
 								"locations": [],
 								"hsts_enabled": false,
 								"hsts_subdomains": false,
 								"owner": {
 									"id": 1,
-									"created_on": "2024-10-07T22:43:55.000Z",
+									"created_on": "2025-10-28T00:50:24.000Z",
-									"modified_on": "2024-10-08T12:52:54.000Z",
+									"modified_on": "2025-10-28T00:50:24.000Z",
 									"is_deleted": false,
 									"is_disabled": false,
-									"email": "admin@example.com",
+									"email": "jc@jc21.com",
-									"name": "Administrator",
+									"name": "jamiec",
-									"nickname": "some guy",
+									"nickname": "jamiec",
-									"avatar": "//www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?default=mm",
+									"avatar": "//www.gravatar.com/avatar/6193176330f8d38747f038c170ddb193?default=mm",
-									"roles": ["admin"]
+									"roles": [
 										"admin"
 									]
 								},
 								"certificate": null,
 								"access_list": null
--- a/backend/schema/paths/nginx/proxy-hosts/post.json
+++ b/backend/schema/paths/nginx/proxy-hosts/post.json
@@ -1,10 +1,12 @@
 {
 	"operationId": "createProxyHost",
 	"summary": "Create a Proxy Host",
-	"tags": ["Proxy Hosts"],
+	"tags": ["proxy-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["proxy_hosts"]
+			"bearerAuth": [
 				"proxy_hosts.manage"
 			]
 		}
 	],
 	"requestBody": {
@@ -15,7 +17,12 @@
 				"schema": {
 					"type": "object",
 					"additionalProperties": false,
-					"required": ["domain_names", "forward_scheme", "forward_host", "forward_port"],
+					"required": [
 						"domain_names",
 						"forward_scheme",
 						"forward_host",
 						"forward_port"
 					],
 					"properties": {
 						"domain_names": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/domain_names"
@@ -69,6 +76,14 @@
 							"$ref": "../../../components/proxy-host-object.json#/properties/locations"
 						}
 					}
 				},
 				"example": {
 					"domain_names": [
 						"test.example.com"
 					],
 					"forward_scheme": "http",
 					"forward_host": "127.0.0.1",
 					"forward_port": 8080
 				}
 			}
 		}
@@ -81,13 +96,15 @@
 					"examples": {
 						"default": {
 							"value": {
-								"id": 1,
+								"id": 3,
-								"created_on": "2024-10-08T23:23:03.000Z",
+								"created_on": "2025-10-30T01:12:05.000Z",
-								"modified_on": "2024-10-08T23:23:03.000Z",
+								"modified_on": "2025-10-30T01:12:05.000Z",
 								"owner_user_id": 1,
-								"domain_names": ["test.example.com"],
+								"domain_names": [
 									"test.example.com"
 								],
 								"forward_host": "127.0.0.1",
-								"forward_port": 8989,
+								"forward_port": 8080,
 								"access_list_id": 0,
 								"certificate_id": 0,
 								"ssl_forced": false,
@@ -99,20 +116,22 @@
 								"http2_support": false,
 								"forward_scheme": "http",
 								"enabled": true,
 								"locations": [],
 								"hsts_enabled": false,
 								"hsts_subdomains": false,
 								"certificate": null,
 								"owner": {
 									"id": 1,
-									"created_on": "2024-10-07T22:43:55.000Z",
+									"created_on": "2025-10-28T00:50:24.000Z",
-									"modified_on": "2024-10-08T12:52:54.000Z",
+									"modified_on": "2025-10-28T00:50:24.000Z",
 									"is_deleted": false,
 									"is_disabled": false,
-									"email": "admin@example.com",
+									"email": "jc@jc21.com",
-									"name": "Administrator",
+									"name": "jamiec",
-									"nickname": "some guy",
+									"nickname": "jamiec",
-									"avatar": "//www.gravatar.com/avatar/e64c7d89f26bd1972efa854d13d7dd61?default=mm",
+									"avatar": "//www.gravatar.com/avatar/6193176330f8d38747f038c170ddb193?default=mm",
-									"roles": ["admin"]
+									"roles": [
 										"admin"
 									]
 								},
 								"access_list": null
 							}
--- a/backend/schema/paths/nginx/redirection-hosts/get.json
+++ b/backend/schema/paths/nginx/redirection-hosts/get.json
@@ -1,10 +1,10 @@
 {
 	"operationId": "getRedirectionHosts",
 	"summary": "Get all Redirection hosts",
-	"tags": ["Redirection Hosts"],
+	"tags": ["redirection-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["redirection_hosts"]
+			"bearerAuth": ["redirection_hosts.view"]
 		}
 	],
 	"parameters": [
--- a/backend/schema/paths/nginx/redirection-hosts/hostID/delete.json
+++ b/backend/schema/paths/nginx/redirection-hosts/hostID/delete.json
@@ -1,16 +1,17 @@
 {
 	"operationId": "deleteRedirectionHost",
 	"summary": "Delete a Redirection Host",
-	"tags": ["Redirection Hosts"],
+	"tags": ["redirection-hosts"],
 	"security": [
 		{
-			"BearerAuth": ["redirection_hosts"]
+			"bearerAuth": ["redirection_hosts.manage"]
 		}
 	],
 	"parameters": [
 		{
 			"in": "path",
 			"name": "hostID",
 			"description": "The ID of the Redirection Host",
 			"schema": {
 				"type": "integer",
 				"minimum": 1
--- a/Show More
+++ b/Show More