Revert "merged"

2025-08-10 07:55:27 +02:00 · 2023-11-22 13:08:53 +02:00 · 2023-11-22 13:08:53 +02:00 · f8882b521e
commit f8882b521e
parent ea73135ab4
93 changed files with 35496 additions and 1165 deletions
--- a/.github/workflows/build-and-push-docker-image-dev.yml
+++ b/.github/workflows/build-and-push-docker-image-dev.yml
@ -1,39 +0,0 @@
 name: Build and push Docker DEV image
 on:
  push:
    paths-ignore:
      - '.github/**'
      - 'charts/**'
      - 'docker-*.sh'
      - '*.md'
    branches: [master]
 jobs:
  build-and-push-docker-image-dev:
    runs-on: self-hosted
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: .
          platforms: linux/amd64,linux/arm64,linux/arm/v7
          push: true
          tags: |
            ghcr.io/plankanban/planka:dev
--- a/.github/workflows/helm-chart-release.yml
+++ b/.github/workflows/helm-chart-release.yml
@ -38,6 +38,5 @@ jobs:
        uses: helm/chart-releaser-action@v1.5.0
        with:
          charts_dir: charts
          mark_as_latest: false
        env:
          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
--- a/Dockerfile.base
+++ b/Dockerfile.base
@ -1,22 +1,27 @@
-FROM node:18-alpine
+FROM node:lts-alpine
-ARG VIPS_VERSION=8.14.5
+ARG ALPINE_VERSION=3.16
 ARG VIPS_VERSION=8.13.3
 RUN apk -U upgrade \
  && apk add \
-  bash pkgconf \
+  bash giflib glib lcms2 libexif \
-  libjpeg-turbo libexif librsvg cgif tiff libspng libimagequant \
+  libgsf libjpeg-turbo libpng librsvg libwebp \
  orc pango tiff \
  --repository https://alpine.global.ssl.fastly.net/alpine/v${ALPINE_VERSION}/community/ \
  --repository https://alpine.global.ssl.fastly.net/alpine/v${ALPINE_VERSION}/main/ \
  --no-cache \
  && apk add \
-  build-base gobject-introspection-dev meson \
+  build-base giflib-dev glib-dev lcms2-dev libexif-dev \
-  libjpeg-turbo-dev libexif-dev librsvg-dev cgif-dev tiff-dev libspng-dev libimagequant-dev \
+  libgsf-dev libjpeg-turbo-dev libpng-dev librsvg-dev libwebp-dev \
  orc-dev pango-dev tiff-dev \
  --virtual vips-dependencies \
  --repository https://alpine.global.ssl.fastly.net/alpine/v${ALPINE_VERSION}/community/ \
  --repository https://alpine.global.ssl.fastly.net/alpine/v${ALPINE_VERSION}/main/ \
  --no-cache \
-  && wget -O- https://github.com/libvips/libvips/releases/download/v${VIPS_VERSION}/vips-${VIPS_VERSION}.tar.xz | tar xJC /tmp \
+  && wget -O- https://github.com/libvips/libvips/releases/download/v${VIPS_VERSION}/vips-${VIPS_VERSION}.tar.gz | tar xzC /tmp \
  && cd /tmp/vips-${VIPS_VERSION} \
-  && meson setup build-dir \
+  && ./configure \
-  && cd build-dir \
+  && make \
-  && ninja \
+  && make install-strip \
  && ninja test \
  && ninja install \
  && rm -rf /tmp/vips-${VIPS_VERSION}
--- a/README.md
+++ b/README.md
@ -20,9 +20,10 @@
 ## How to deploy Planka
-There are many ways to install Planka
+There are 2 types of installation:
-
+- [Without Docker](https://docs.planka.cloud/docs/installl-planka/Debian%20&%20Ubuntu) ([for Windows](https://docs.planka.cloud/docs/installl-planka/Windows))
-[Check them out](https://docs.planka.cloud/docs/intro)
+- [Dockerized](https://docs.planka.cloud/docs/installl-planka/Docker%20Compose)
 - [Automated installation](https://github.com/plankanban/planka-installer)
 For configuration, please see the [configuration section](https://docs.planka.cloud/docs/category/configuration).
--- a/charts/planka/Chart.yaml
+++ b/charts/planka/Chart.yaml
@ -15,17 +15,17 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.11
+version: 0.1.2
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "1.15.0"
+appVersion: "1.12.0"
 dependencies:
-  - alias: postgresql
+- alias: postgresql
-    condition: postgresql.enabled
+  condition: postgresql.enabled
-    name: postgresql
+  name: postgresql
-    repository: &bitnami-repo https://charts.bitnami.com/bitnami
+  repository: &bitnami-repo https://charts.bitnami.com/bitnami
-    version: 12.5.1
+  version: 12.5.1
--- a/charts/planka/README.md
+++ b/charts/planka/README.md
@ -21,11 +21,7 @@ git clone https://github.com/Chris-Greaves/planka-helm-chart.git
 cd planka-helm-chart
 helm dependency build
 export SECRETKEY=$(openssl rand -hex 64)
-helm install planka . --set secretkey=$SECRETKEY  \
+helm install planka . --set secretkey=$SECRETKEY
 --set admin_email="demo@demo.demo"  \
 --set admin_password="demo"  \
 --set admin_name="Demo Demo" \
 --set admin_username="demo"
 ```
 > **NOTE:** The command `openssl rand -hex 64` is needed to create a random hexadecimal key for planka. On Windows you can use Git Bash to run that command.
@ -43,19 +39,11 @@ To access Planka externally you can use the following configuration
 ```bash
 # HTTP only
 helm install planka . --set secretkey=$SECRETKEY \
 --set admin_email="demo@demo.demo"  \
 --set admin_password="demo"  \
 --set admin_name="Demo Demo" \
 --set admin_username="demo"
 --set ingress.enabled=true \
 --set ingress.hosts[0].host=planka.example.dev \
 # HTTPS
 helm install planka . --set secretkey=$SECRETKEY \
 --set admin_email="demo@demo.demo"  \
 --set admin_password="demo"  \
 --set admin_name="Demo Demo" \
 --set admin_username="demo"
 --set ingress.enabled=true \
 --set ingress.hosts[0].host=planka.example.dev \
 --set ingress.tls[0].secretName=planka-tls \
@ -66,16 +54,6 @@ or create a values.yaml file like:
 ```yaml
 secretkey: "<InsertSecretKey>"
 # The admin section needs to be present for new instances of Planka, after the first start you can remove the lines starting with admin_. If you want the admin user to be unchangeable admin_email: has to stay
 # After changing the config you have to run ```helm upgrade  planka . -f values.yaml```
 # Admin user
 admin_email: "demo@demo.demo" # Do not remove if you want to prevent this user from being edited/deleted
 admin_password: "demo"
 admin_name: "Demo Demo"
 admin_username: "demo"
 # Admin user
 ingress:
  enabled: true
  hosts:
--- a/charts/planka/templates/deployment.yaml
+++ b/charts/planka/templates/deployment.yaml
@ -35,7 +35,7 @@ spec:
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          ports:
            - name: http
-              containerPort: {{ .Values.service.containerPort | default 1337 }}
+              containerPort: {{ .Values.service.port }}
              protocol: TCP
          livenessProbe:
            httpGet:
@ -75,45 +75,6 @@ spec:
              value: {{ required "A secret key needs to be generated using 'openssl rand -hex 64' and assigned to secretkey." .Values.secretkey }}
            - name: TRUST_PROXY
              value: "0"
            - name: DEFAULT_ADMIN_EMAIL
              value: {{ .Values.admin_email }}
            - name: DEFAULT_ADMIN_PASSWORD
              value: {{ .Values.admin_password }}
            - name: DEFAULT_ADMIN_NAME
              value: {{ .Values.admin_name }}
            - name: DEFAULT_ADMIN_USERNAME
              value: {{ .Values.admin_username }}
          {{ range $k, $v := .Values.env }}
            - name: {{ $k | quote }}
              value: {{ $v | quote }}
          {{- end }}
          {{- if .Values.oidc.enabled }}
          {{- $secretName := default (printf "%s-oidc" (include "planka.fullname" .)) .Values.oidc.existingSecret }}
            - name: OIDC_CLIENT_ID
              valueFrom:
                secretKeyRef:
                  key:  clientId
                  name: {{ $secretName }}
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  key:  clientSecret
                  name: {{ $secretName }}
            - name: OIDC_ISSUER
              value: {{ required "issuerUrl is required when configuring OIDC" .Values.oidc.issuerUrl | quote }}
            - name: OIDC_SCOPES
              value: {{ join " " .Values.oidc.scopes | default "openid profile email" | quote }}
          {{- if .Values.oidc.admin.roles }}
            - name: OIDC_ADMIN_ROLES
              value: {{ join "," .Values.oidc.admin.roles | quote }}
          {{- end }}
            - name: OIDC_ROLES_ATTRIBUTE
              value: {{ .Values.oidc.admin.rolesAttribute | default "groups" | quote }}
          {{- if .Values.oidc.admin.ignoreRoles }}
            - name: OIDC_IGNORE_ROLES
              value: {{ .Values.oidc.admin.ignoreRoles | quote }}
          {{- end }}
          {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
--- a/charts/planka/templates/secret-oidc.yaml
+++ b/charts/planka/templates/secret-oidc.yaml
@ -1,17 +0,0 @@
 {{- if .Values.oidc.enabled }}
 {{- if eq (and (not (empty .Values.oidc.clientId)) (not (empty .Values.oidc.clientSecret))) (not (empty .Values.oidc.existingSecret)) -}}
  {{- fail "Either specify inline `clientId` and `clientSecret` or refer to them via `existingSecret`" -}}
 {{- end }}
 {{- if (and (and (not (empty .Values.oidc.clientId)) (not (empty .Values.oidc.clientSecret))) (empty .Values.oidc.existingSecret)) -}}
 apiVersion: v1
 kind: Secret
 metadata:
  name: {{ include "planka.fullname" . }}-oidc
  labels:
    {{- include "planka.labels" . | nindent 4 }}
 type: Opaque
 data:
  clientId: {{ .Values.oidc.clientId | b64enc | quote }}
  clientSecret: {{ .Values.oidc.clientSecret | b64enc | quote }}
 {{- end }}
 {{- end }}
--- a/charts/planka/values.yaml
+++ b/charts/planka/values.yaml
@ -46,10 +46,6 @@ securityContext: {}
 service:
  type: ClusterIP
  port: 1337
  ## @param service.containerPort Planka HTTP container port
  ## If empty will default to 1337
  ##
  containerPort: 1337
 ingress:
  enabled: false
@ -113,68 +109,3 @@ persistence:
  accessMode: ReadWriteOnce
  size: 10Gi
 ## OpenID Identity Management configuration
 ##
 ## Example:
 ## ---------------
 ## oidc:
 ##   enabled: true
 ##   clientId: sxxaAIAxVXlCxTmc1YLHBbQr8NL8MqLI2DUbt42d
 ##   clientSecret: om4RTMRVHRszU7bqxB7RZNkHIzA8e4sGYWxeCwIMYQXPwEBWe4SY5a0wwCe9ltB3zrq5f0dnFnp34cEHD7QSMHsKvV9AiV5Z7eqDraMnv0I8IFivmuV5wovAECAYreSI
 ##   issuerUrl: https://auth.local/application/o/planka/
 ##   admin:
 ##     roles:
 ##       - planka-admin
 ##
 ## ---------------
 ## NOTE: A minimal configuration requires setting `clientId`, `clientSecret` and `issuerUrl`. (plus `admin.roles` for administrators)
 ## ref: https://docs.planka.cloud/docs/Configuration/OIDC
 ##
 oidc:
  ## @param oidc.enabled Enable single sign-on (SSO) with OpenID Connect (OIDC)
  ##
  enabled: false
  ## OIDC credentials
  ## @param oidc.clientId A string unique to the provider that identifies your app.
  ## @param oidc.clientSecret A secret string that the provider uses to confirm ownership of a client ID.
  ##
  ## NOTE: Either specify inline `clientId` and `clientSecret` or refer to them via `existingSecret`
  ##
  clientId: ""
  clientSecret: ""
  ## @param oidc.existingSecret Name of an existing secret containing OIDC credentials
  ## NOTE: Must contain key `clientId` and `clientSecret`
  ## NOTE: When it's set, the `clientId` and `clientSecret` parameters are ignored
  ##
  existingSecret: ""
  ## @param oidc.issuerUrl The OpenID connect metadata document endpoint
  ##
  issuerUrl: ""
  ## @param oidc.scopes A list of scopes required for OIDC client.
  ## If empty will default to `openid`, `profile` and `email`
  ## NOTE: Planka needs the email and name claims
  ##
  scopes: []
  ## Admin permissions configuration
  admin:
    ## @param oidc.admin.ignoreRoles If set to true, the admin roles will be ignored.
    ## It is useful if you want to use OIDC for authentication but not for authorization.
    ## If empty will default to `false`
    ##
    ignoreRoles: false
    ## @param oidc.admin.rolesAttribute The name of a custom group claim that you have configured in your OIDC provider
    ## If empty will default to `groups`
    ##
    rolesAttribute: groups
    ## @param oidc.admin.roles The names of the admin groups
    ##
    roles: []
      # - planka-admin
--- a/client/.env
+++ b/client/.env
@ -1 +1 @@
-REACT_APP_VERSION=1.15.0
+REACT_APP_VERSION=1.12.0
--- a/client/package-lock.json
+++ b/client/package-lock.json
--- a/client/package.json
+++ b/client/package.json
@ -60,15 +60,14 @@
    "dequal": "^2.0.3",
    "easymde": "^2.18.0",
    "history": "^5.3.0",
-    "oidc-client-ts": "^2.4.0",
+    "i18next": "^22.5.1",
    "i18next": "^23.7.6",
    "i18next-browser-languagedetector": "^7.2.0",
    "initials": "^3.1.2",
    "js-cookie": "^3.0.5",
-    "jwt-decode": "^4.0.0",
+    "jwt-decode": "^3.1.2",
    "lodash": "^4.17.21",
-    "nanoid": "^5.0.3",
+    "node-sass": "^8.0.0",
-    "node-sass": "^9.0.0",
+    "oidc-client-ts": "^2.4.0",
    "photoswipe": "^5.4.2",
    "prop-types": "^15.8.1",
    "react": "^18.2.0",
@ -77,13 +76,13 @@
    "react-datepicker": "^4.21.0",
    "react-dom": "^18.2.0",
    "react-dropzone": "^14.2.3",
-    "react-oidc-context": "^2.3.1",
+    "react-i18next": "^12.3.1",
    "react-i18next": "^13.5.0",
    "react-input-mask": "^2.0.4",
    "react-markdown": "^8.0.7",
    "react-oidc-context": "^2.3.1",
    "react-photoswipe-gallery": "^2.2.7",
    "react-redux": "^8.1.3",
-    "react-router-dom": "^6.19.0",
+    "react-router-dom": "^6.18.0",
    "react-scripts": "5.0.1",
    "react-simplemde-editor": "^5.2.0",
    "react-textarea-autosize": "^8.5.3",
@ -91,11 +90,11 @@
    "redux-logger": "^3.0.6",
    "redux-orm": "^0.16.2",
    "redux-saga": "^1.2.3",
-    "semantic-ui-css": "^2.5.0",
+    "remark-breaks": "^3.0.3",
-    "remark-breaks": "^4.0.0",
+    "remark-gfm": "^3.0.1",
    "remark-gfm": "^4.0.0",
    "reselect": "^4.1.8",
    "sails.io.js": "^1.2.1",
    "semantic-ui-css": "^2.5.0",
    "semantic-ui-react": "^2.1.4",
    "socket.io-client": "^2.5.0",
    "validator": "^13.11.0",
@ -103,9 +102,9 @@
    "zxcvbn": "^4.4.2"
  },
  "devDependencies": {
-    "@testing-library/jest-dom": "^6.1.4",
+    "@testing-library/jest-dom": "^5.17.0",
-    "@testing-library/react": "^14.1.0",
+    "@testing-library/react": "^13.4.0",
-    "@testing-library/user-event": "^14.5.1",
+    "@testing-library/user-event": "^13.5.0",
    "babel-preset-airbnb": "^5.0.0",
    "chai": "^4.3.10",
    "eslint": "^8.53.0",
--- a/client/src/actions/core.js
+++ b/client/src/actions/core.js
@ -39,14 +39,6 @@ const initializeCore = (
  },
 });
 // TODO: with success?
 initializeCore.fetchConfig = (config) => ({
  type: ActionTypes.CORE_INITIALIZE__CONFIG_FETCH,
  payload: {
    config,
  },
 });
 const logout = () => ({
  type: ActionTypes.LOGOUT,
  payload: {},
--- a/client/src/actions/login.js
+++ b/client/src/actions/login.js
@ -1,12 +1,5 @@
 import ActionTypes from '../constants/ActionTypes';
 const initializeLogin = (config) => ({
  type: ActionTypes.LOGIN_INITIALIZE,
  payload: {
    config,
  },
 });
 const authenticate = (data) => ({
  type: ActionTypes.AUTHENTICATE,
  payload: {
@ -28,33 +21,12 @@ authenticate.failure = (error) => ({
  },
 });
 const authenticateUsingOidc = () => ({
  type: ActionTypes.USING_OIDC_AUTHENTICATE,
  payload: {},
 });
 authenticateUsingOidc.success = (accessToken) => ({
  type: ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS,
  payload: {
    accessToken,
  },
 });
 authenticateUsingOidc.failure = (error) => ({
  type: ActionTypes.USING_OIDC_AUTHENTICATE__FAILURE,
  payload: {
    error,
  },
 });
 const clearAuthenticateError = () => ({
  type: ActionTypes.AUTHENTICATE_ERROR_CLEAR,
  payload: {},
 });
 export default {
  initializeLogin,
  authenticate,
  authenticateUsingOidc,
  clearAuthenticateError,
 };
--- a/client/src/api/access-tokens.js
+++ b/client/src/api/access-tokens.js
@ -4,15 +4,14 @@ import socket from './socket';
 /* Actions */
 const createAccessToken = (data, headers) => http.post('/access-tokens', data, headers);
-
+const exchangeOidcToken = (accessToken, headers) =>
-const exchangeForAccessTokenUsingOidc = (data, headers) =>
+  http.post('/access-tokens/exchange', { token: accessToken }, headers);
  http.post('/access-tokens/exchange-using-oidc', data, headers);
 const deleteCurrentAccessToken = (headers) =>
  socket.delete('/access-tokens/me', undefined, headers);
 export default {
  createAccessToken,
  exchangeForAccessTokenUsingOidc,
  deleteCurrentAccessToken,
  exchangeOidcToken,
 };
--- a/client/src/api/http.js
+++ b/client/src/api/http.js
@ -5,15 +5,13 @@ import Config from '../constants/Config';
 const http = {};
 // TODO: add all methods
-['GET', 'POST'].forEach((method) => {
+['POST'].forEach((method) => {
  http[method.toLowerCase()] = (url, data, headers) => {
-    const formData =
+    const formData = Object.keys(data).reduce((result, key) => {
-      data &&
+      result.append(key, data[key]);
      Object.keys(data).reduce((result, key) => {
        result.append(key, data[key]);
-        return result;
+      return result;
-      }, new FormData());
+    }, new FormData());
    return fetch(`${Config.SERVER_BASE_URL}/api${url}`, {
      method,
--- a/client/src/api/index.js
+++ b/client/src/api/index.js
@ -1,6 +1,5 @@
 import http from './http';
 import socket from './socket';
 import root from './root';
 import accessTokens from './access-tokens';
 import users from './users';
 import projects from './projects';
@ -21,7 +20,6 @@ import notifications from './notifications';
 export { http, socket };
 export default {
  ...root,
  ...accessTokens,
  ...users,
  ...projects,
--- a/client/src/api/root.js
+++ b/client/src/api/root.js
@ -1,9 +0,0 @@
 import http from './http';
 /* Actions */
 const getConfig = (headers) => http.get('/config', undefined, headers);
 export default {
  getConfig,
 };
--- a/client/src/components/CardModal/CardModal.jsx
+++ b/client/src/components/CardModal/CardModal.jsx
@ -217,7 +217,6 @@ const CardModal = React.memo(
                        onUserSelect={onUserAdd}
                        onUserDeselect={onUserRemove}
                      >
                        {/* eslint-disable-next-line jsx-a11y/control-has-associated-label */}
                        <button
                          type="button"
                          aria-label="add user to card"
@ -268,7 +267,6 @@ const CardModal = React.memo(
                        onMove={onLabelMove}
                        onDelete={onLabelDelete}
                      >
                        {/* eslint-disable-next-line jsx-a11y/control-has-associated-label */}
                        <button
                          type="button"
                          aria-label="add label to card"
@ -318,12 +316,11 @@ const CardModal = React.memo(
                      )}
                    </span>
                    {canEdit && (
                      // eslint-disable-next-line jsx-a11y/control-has-associated-label
                      <button
                        onClick={handleToggleStopwatchClick}
                        type="button"
                        aria-label="toggle stopwatch"
                        className={classNames(styles.attachment, styles.dueDate)}
                        onClick={handleToggleStopwatchClick}
                      >
                        <Icon
                          name={stopwatch.startedAt ? 'pause' : 'play'}
--- a/client/src/components/CardModal/Tasks/Tasks.jsx
+++ b/client/src/components/CardModal/Tasks/Tasks.jsx
@ -48,21 +48,14 @@ const Tasks = React.memo(({ items, canEdit, onCreate, onUpdate, onMove, onDelete
  return (
    <>
      {items.length > 0 && (
-        <>
+        <Progress
-          <span className={styles.progressWrapper}>
+          autoSuccess
-            <Progress
+          value={completedItems.length}
-              autoSuccess
+          total={items.length}
-              value={completedItems.length}
+          color="blue"
-              total={items.length}
+          size="tiny"
-              color="blue"
+          className={styles.progress}
-              size="tiny"
+        />
              className={styles.progress}
            />
          </span>
          <span className={styles.count}>
            {completedItems.length}/{items.length}
          </span>
        </>
      )}
      <DragDropContext onDragStart={handleDragStart} onDragEnd={handleDragEnd}>
        <Droppable droppableId="tasks" type={DroppableTypes.TASK}>
--- a/client/src/components/CardModal/Tasks/Tasks.module.scss
+++ b/client/src/components/CardModal/Tasks/Tasks.module.scss
@ -3,23 +3,6 @@
    margin: 0 0 16px;
  }
  .progressWrapper {
    display: inline-block;
    padding: 3px 0;
    vertical-align: top;
    width: calc(100% - 50px);
  }
  .count {
    color: #8c8c8c;
    display: inline-block;
    font-size: 14px;
    line-height: 14px;
    text-align: right;
    vertical-align: top;
    width: 50px;
  }
  .taskButton {
    background: transparent;
    border: none;
--- a/client/src/components/Header/Header.jsx
+++ b/client/src/components/Header/Header.jsx
@ -3,6 +3,7 @@ import PropTypes from 'prop-types';
 import classNames from 'classnames';
 import { Link } from 'react-router-dom';
 import { Button, Icon, Menu } from 'semantic-ui-react';
 import { useAuth } from 'react-oidc-context';
 import { usePopup } from '../../lib/popup';
 import Paths from '../../constants/Paths';
@ -29,6 +30,7 @@ const Header = React.memo(
    onUserSettingsClick,
    onLogout,
  }) => {
    const auth = useAuth();
    const handleProjectSettingsClick = useCallback(() => {
      if (canEditProject) {
        onProjectSettingsClick();
@ -38,6 +40,11 @@ const Header = React.memo(
    const NotificationsPopup = usePopup(NotificationsStep, POPUP_PROPS);
    const UserPopup = usePopup(UserStep, POPUP_PROPS);
    const onFullLogout = () => {
      auth.signoutSilent();
      onLogout();
    };
    return (
      <div className={styles.wrapper}>
        {!project && (
@ -88,7 +95,7 @@ const Header = React.memo(
            <UserPopup
              isLogouting={isLogouting}
              onSettingsClick={onUserSettingsClick}
-              onLogout={onLogout}
+              onLogout={onFullLogout}
            >
              <Menu.Item className={classNames(styles.item, styles.itemHoverable)}>
                {user.name}
--- a/client/src/components/Login/Login.jsx
+++ b/client/src/components/Login/Login.jsx
@ -1,9 +1,10 @@
 import isEmail from 'validator/lib/isEmail';
 import React, { useCallback, useEffect, useMemo, useRef } from 'react';
 import { useAuth } from 'react-oidc-context';
 import PropTypes from 'prop-types';
 import classNames from 'classnames';
 import { useTranslation } from 'react-i18next';
-import { Button, Form, Grid, Header, Message } from 'semantic-ui-react';
+import { Form, Grid, Header, Message } from 'semantic-ui-react';
 import { useDidUpdate, usePrevious, useToggle } from '../../lib/hooks';
 import { Input } from '../../lib/custom-ui';
@ -28,21 +29,6 @@ const createMessage = (error) => {
        type: 'error',
        content: 'common.invalidPassword',
      };
    case 'Use single sign-on':
      return {
        type: 'error',
        content: 'common.useSingleSignOn',
      };
    case 'Email already in use':
      return {
        type: 'error',
        content: 'common.emailAlreadyInUse',
      };
    case 'Username already in use':
      return {
        type: 'error',
        content: 'common.usernameAlreadyInUse',
      };
    case 'Failed to fetch':
      return {
        type: 'warning',
@ -62,16 +48,8 @@ const createMessage = (error) => {
 };
 const Login = React.memo(
-  ({
+  ({ defaultData, isSubmitting, error, onAuthenticate, onMessageDismiss }) => {
-    defaultData,
+    const auth = useAuth();
    isSubmitting,
    isSubmittingUsingOidc,
    error,
    withOidc,
    onAuthenticate,
    onAuthenticateUsingOidc,
    onMessageDismiss,
  }) => {
    const [t] = useTranslation();
    const wasSubmitting = usePrevious(isSubmitting);
@ -192,19 +170,12 @@ const Login = React.memo(
                        content={t('action.logIn')}
                        floated="right"
                        loading={isSubmitting}
-                        disabled={isSubmitting || isSubmittingUsingOidc}
+                        disabled={isSubmitting}
                      />
                    </Form>
-                    {withOidc && (
+                    <Form.Button type="button" onClick={() => auth.signinRedirect()}>
-                      <Button
+                      Log in with SSO
-                        type="button"
+                    </Form.Button>
                        loading={isSubmittingUsingOidc}
                        disabled={isSubmitting || isSubmittingUsingOidc}
                        onClick={onAuthenticateUsingOidc}
                      >
                        {t('action.logInWithSSO')}
                      </Button>
                    )}
                  </div>
                </div>
              </Grid.Column>
@ -235,15 +206,10 @@ const Login = React.memo(
 );
 Login.propTypes = {
-  /* eslint-disable react/forbid-prop-types */
+  defaultData: PropTypes.object.isRequired, // eslint-disable-line react/forbid-prop-types
  defaultData: PropTypes.object.isRequired,
  /* eslint-enable react/forbid-prop-types */
  isSubmitting: PropTypes.bool.isRequired,
  isSubmittingUsingOidc: PropTypes.bool.isRequired,
  error: PropTypes.object, // eslint-disable-line react/forbid-prop-types
  withOidc: PropTypes.bool.isRequired,
  onAuthenticate: PropTypes.func.isRequired,
  onAuthenticateUsingOidc: PropTypes.func.isRequired,
  onMessageDismiss: PropTypes.func.isRequired,
 };
--- a/client/src/components/LoginWrapper.jsx
+++ b/client/src/components/LoginWrapper.jsx
@ -1,19 +0,0 @@
 import React from 'react';
 import PropTypes from 'prop-types';
 import { Loader } from 'semantic-ui-react';
 import LoginContainer from '../containers/LoginContainer';
 const LoginWrapper = React.memo(({ isInitializing }) => {
  if (isInitializing) {
    return <Loader active size="massive" />;
  }
  return <LoginContainer />;
 });
 LoginWrapper.propTypes = {
  isInitializing: PropTypes.bool.isRequired,
 };
 export default LoginWrapper;
--- a/client/src/components/OIDC/OidcLogin.jsx
+++ b/client/src/components/OIDC/OidcLogin.jsx
@ -0,0 +1,19 @@
 import { useAuth } from 'react-oidc-context';
 import PropTypes from 'prop-types';
 import React from 'react';
 let isLoggingIn = true;
 const OidcLogin = React.memo(({ onAuthenticate }) => {
  const auth = useAuth();
  if (isLoggingIn && auth.user) {
    isLoggingIn = false;
    const { user } = auth;
    onAuthenticate(user);
  }
 });
 OidcLogin.propTypes = {
  onAuthenticate: PropTypes.func.isRequired,
 };
 export default OidcLogin;
--- a/client/src/components/OIDC/index.js
+++ b/client/src/components/OIDC/index.js
@ -0,0 +1,3 @@
 import OidcLogin from './OidcLogin';
 export default OidcLogin;
--- a/client/src/components/Root.jsx
+++ b/client/src/components/Root.jsx
@ -1,11 +1,12 @@
 import React from 'react';
 import PropTypes from 'prop-types';
 import { AuthProvider } from 'react-oidc-context';
 import { Provider } from 'react-redux';
 import { Route, Routes } from 'react-router-dom';
 import { ReduxRouter } from '../lib/redux-router';
 import Paths from '../constants/Paths';
-import LoginWrapperContainer from '../containers/LoginWrapperContainer';
+import LoginContainer from '../containers/LoginContainer';
 import CoreContainer from '../containers/CoreContainer';
 import NotFound from './NotFound';
@ -14,29 +15,40 @@ import 'photoswipe/dist/photoswipe.css';
 import 'easymde/dist/easymde.min.css';
 import '../lib/custom-ui/styles.css';
 import '../styles.module.scss';
 import OidcLoginContainer from '../containers/OidcLoginContainer';
-function Root({ store, history }) {
+function Root({ store, history, config }) {
  return (
-    <Provider store={store}>
+    <AuthProvider
-      <ReduxRouter history={history}>
+      authority={config.authority}
-        <Routes>
+      client_id={config.clientId}
-          <Route path={Paths.LOGIN} element={<LoginWrapperContainer />} />
+      redirect_uri={config.redirectUri}
-          <Route path={Paths.OIDC_CALLBACK} element={<LoginWrapperContainer />} />
+      scope={config.scopes}
-          <Route path={Paths.ROOT} element={<CoreContainer />} />
+      onSigninCallback={() => {
-          <Route path={Paths.PROJECTS} element={<CoreContainer />} />
+        window.history.replaceState({}, document.title, window.location.pathname);
-          <Route path={Paths.BOARDS} element={<CoreContainer />} />
+      }}
-          <Route path={Paths.CARDS} element={<CoreContainer />} />
+    >
-          <Route path="*" element={<NotFound />} />
+      <Provider store={store}>
-        </Routes>
+        <ReduxRouter history={history}>
-      </ReduxRouter>
+          <Routes>
-    </Provider>
+            <Route path={Paths.LOGIN} element={<LoginContainer />} />
            <Route path={Paths.OIDC_LOGIN} element={<OidcLoginContainer />} />
            <Route path={Paths.ROOT} element={<CoreContainer />} />
            <Route path={Paths.PROJECTS} element={<CoreContainer />} />
            <Route path={Paths.BOARDS} element={<CoreContainer />} />
            <Route path={Paths.CARDS} element={<CoreContainer />} />
            <Route path="*" element={<NotFound />} />
          </Routes>
        </ReduxRouter>
      </Provider>
    </AuthProvider>
  );
 }
 Root.propTypes = {
  /* eslint-disable react/forbid-prop-types */
  store: PropTypes.object.isRequired,
  history: PropTypes.object.isRequired,
  config: PropTypes.object.isRequired,
  /* eslint-enable react/forbid-prop-types */
 };
--- a/client/src/components/UserSettingsModal/UserSettingsModal.jsx
+++ b/client/src/components/UserSettingsModal/UserSettingsModal.jsx
@ -16,8 +16,8 @@ const UserSettingsModal = React.memo(
    phone,
    organization,
    language,
    subscribeToOwnCards,
    isLocked,
    subscribeToOwnCards,
    isAvatarUpdating,
    usernameUpdateForm,
    emailUpdateForm,
@ -106,8 +106,8 @@ UserSettingsModal.propTypes = {
  phone: PropTypes.string,
  organization: PropTypes.string,
  language: PropTypes.string,
  subscribeToOwnCards: PropTypes.bool.isRequired,
  isLocked: PropTypes.bool.isRequired,
  subscribeToOwnCards: PropTypes.bool.isRequired,
  isAvatarUpdating: PropTypes.bool.isRequired,
  /* eslint-disable react/forbid-prop-types */
  usernameUpdateForm: PropTypes.object.isRequired,
--- a/client/src/components/UsersModal/Item/ActionsStep.jsx
+++ b/client/src/components/UsersModal/Item/ActionsStep.jsx
@ -153,15 +153,13 @@ const ActionsStep = React.memo(
                    context: 'title',
                  })}
                </Menu.Item>
                <Menu.Item className={styles.menuItem} onClick={handleDeleteClick}>
                  {t('action.deleteUser', {
                    context: 'title',
                  })}
                </Menu.Item>
              </>
            )}
            {!user.isDeletionLocked && (
              <Menu.Item className={styles.menuItem} onClick={handleDeleteClick}>
                {t('action.deleteUser', {
                  context: 'title',
                })}
              </Menu.Item>
            )}
          </Menu>
        </Popup.Content>
      </>
--- a/client/src/components/UsersModal/Item/Item.jsx
+++ b/client/src/components/UsersModal/Item/Item.jsx
@ -18,8 +18,6 @@ const Item = React.memo(
    phone,
    isAdmin,
    isLocked,
    isRoleLocked,
    isDeletionLocked,
    emailUpdateForm,
    passwordUpdateForm,
    usernameUpdateForm,
@ -49,7 +47,7 @@ const Item = React.memo(
        <Table.Cell>{username || '-'}</Table.Cell>
        <Table.Cell>{email}</Table.Cell>
        <Table.Cell>
-          <Radio toggle checked={isAdmin} disabled={isRoleLocked} onChange={handleIsAdminChange} />
+          <Radio toggle checked={isAdmin} disabled={isLocked} onChange={handleIsAdminChange} />
        </Table.Cell>
        <Table.Cell textAlign="right">
          <ActionsPopup
@ -61,7 +59,6 @@ const Item = React.memo(
              phone,
              isAdmin,
              isLocked,
              isDeletionLocked,
              emailUpdateForm,
              passwordUpdateForm,
              usernameUpdateForm,
@ -94,8 +91,6 @@ Item.propTypes = {
  phone: PropTypes.string,
  isAdmin: PropTypes.bool.isRequired,
  isLocked: PropTypes.bool.isRequired,
  isRoleLocked: PropTypes.bool.isRequired,
  isDeletionLocked: PropTypes.bool.isRequired,
  /* eslint-disable react/forbid-prop-types */
  emailUpdateForm: PropTypes.object.isRequired,
  passwordUpdateForm: PropTypes.object.isRequired,
--- a/client/src/components/UsersModal/UsersModal.jsx
+++ b/client/src/components/UsersModal/UsersModal.jsx
@ -111,8 +111,6 @@ const UsersModal = React.memo(
                  phone={item.phone}
                  isAdmin={item.isAdmin}
                  isLocked={item.isLocked}
                  isRoleLocked={item.isRoleLocked}
                  isDeletionLocked={item.isDeletionLocked}
                  emailUpdateForm={item.emailUpdateForm}
                  passwordUpdateForm={item.passwordUpdateForm}
                  usernameUpdateForm={item.usernameUpdateForm}
--- a/client/src/constants/ActionTypes.js
+++ b/client/src/constants/ActionTypes.js
@ -12,19 +12,14 @@ export default {
  /* Login */
  LOGIN_INITIALIZE: 'LOGIN_INITIALIZE',
  AUTHENTICATE: 'AUTHENTICATE',
  AUTHENTICATE__SUCCESS: 'AUTHENTICATE__SUCCESS',
  AUTHENTICATE__FAILURE: 'AUTHENTICATE__FAILURE',
  USING_OIDC_AUTHENTICATE: 'USING_OIDC_AUTHENTICATE',
  USING_OIDC_AUTHENTICATE__SUCCESS: 'USING_OIDC_AUTHENTICATE__SUCCESS',
  USING_OIDC_AUTHENTICATE__FAILURE: 'USING_OIDC_AUTHENTICATE__FAILURE',
  AUTHENTICATE_ERROR_CLEAR: 'AUTHENTICATE_ERROR_CLEAR',
  /* Core */
  CORE_INITIALIZE: 'CORE_INITIALIZE',
  CORE_INITIALIZE__CONFIG_FETCH: 'CORE_INITIALIZE__CONFIG_FETCH',
  LOGOUT: 'LOGOUT',
  LOGOUT__ACCESS_TOKEN_INVALIDATE: 'LOGOUT__ACCESS_TOKEN_INVALIDATE',
--- a/client/src/constants/EntryActionTypes.js
+++ b/client/src/constants/EntryActionTypes.js
@ -11,11 +11,11 @@ export default {
  /* Login */
  AUTHENTICATE: `${PREFIX}/AUTHENTICATE`,
  USING_OIDC_AUTHENTICATE: `${PREFIX}/USING_OIDC_AUTHENTICATE`,
  AUTHENTICATE_ERROR_CLEAR: `${PREFIX}/AUTHENTICATE_ERROR_CLEAR`,
  /* Core */
  CORE_INITIALIZE: `${PREFIX}/CORE_INITIALIZE`,
  LOGOUT: `${PREFIX}/LOGOUT`,
  /* Modals */
--- a/client/src/constants/Paths.js
+++ b/client/src/constants/Paths.js
@ -2,7 +2,7 @@ import Config from './Config';
 const ROOT = `${Config.BASE_PATH}/`;
 const LOGIN = `${Config.BASE_PATH}/login`;
-const OIDC_CALLBACK = `${Config.BASE_PATH}/oidc-callback`;
+const OIDC_LOGIN = `${Config.BASE_PATH}/oidclogin`;
 const PROJECTS = `${Config.BASE_PATH}/projects/:id`;
 const BOARDS = `${Config.BASE_PATH}/boards/:id`;
 const CARDS = `${Config.BASE_PATH}/cards/:id`;
@ -10,8 +10,8 @@ const CARDS = `${Config.BASE_PATH}/cards/:id`;
 export default {
  ROOT,
  LOGIN,
  OIDC_CALLBACK,
  PROJECTS,
  BOARDS,
  CARDS,
  OIDC_LOGIN,
 };
--- a/client/src/containers/CoreContainer.js
+++ b/client/src/containers/CoreContainer.js
@ -4,18 +4,18 @@ import selectors from '../selectors';
 import Core from '../components/Core';
 const mapStateToProps = (state) => {
-  const isInitializing = selectors.selectIsInitializing(state);
+  const isCoreInitializing = selectors.selectIsCoreInitializing(state);
  const isSocketDisconnected = selectors.selectIsSocketDisconnected(state);
  const currentModal = selectors.selectCurrentModal(state);
  const currentProject = selectors.selectCurrentProject(state);
  const currentBoard = selectors.selectCurrentBoard(state);
  return {
    isInitializing,
    isSocketDisconnected,
    currentModal,
    currentProject,
    currentBoard,
    isInitializing: isCoreInitializing,
  };
 };
--- a/client/src/containers/LoginContainer.js
+++ b/client/src/containers/LoginContainer.js
@ -1,33 +1,23 @@
 import { bindActionCreators } from 'redux';
 import { connect } from 'react-redux';
 import selectors from '../selectors';
 import entryActions from '../entry-actions';
 import Login from '../components/Login';
-const mapStateToProps = (state) => {
+const mapStateToProps = ({
-  const oidcConfig = selectors.selectOidcConfig(state);
+  ui: {
-
+    authenticateForm: { data: defaultData, isSubmitting, error },
-  const {
+  },
-    ui: {
+}) => ({
-      authenticateForm: { data: defaultData, isSubmitting, isSubmittingUsingOidc, error },
+  defaultData,
-    },
+  isSubmitting,
-  } = state;
+  error,
-
+});
  return {
    defaultData,
    isSubmitting,
    isSubmittingUsingOidc,
    error,
    withOidc: !!oidcConfig,
  };
 };
 const mapDispatchToProps = (dispatch) =>
  bindActionCreators(
    {
      onAuthenticate: entryActions.authenticate,
      onAuthenticateUsingOidc: entryActions.authenticateUsingOidc,
      onMessageDismiss: entryActions.clearAuthenticateError,
    },
    dispatch,
--- a/client/src/containers/LoginWrapperContainer.js
+++ b/client/src/containers/LoginWrapperContainer.js
@ -1,14 +0,0 @@
 import { connect } from 'react-redux';
 import selectors from '../selectors';
 import LoginWrapper from '../components/LoginWrapper';
 const mapStateToProps = (state) => {
  const isInitializing = selectors.selectIsInitializing(state);
  return {
    isInitializing,
  };
 };
 export default connect(mapStateToProps)(LoginWrapper);
--- a/client/src/containers/OidcLoginContainer.js
+++ b/client/src/containers/OidcLoginContainer.js
@ -0,0 +1,26 @@
 import { bindActionCreators } from 'redux';
 import { connect } from 'react-redux';
 import entryActions from '../entry-actions';
 import OidcLogin from '../components/OIDC';
 const mapStateToProps = ({
  ui: {
    authenticateForm: { data: defaultData, isSubmitting, error },
  },
 }) => ({
  defaultData,
  isSubmitting,
  error,
 });
 const mapDispatchToProps = (dispatch) =>
  bindActionCreators(
    {
      onAuthenticate: entryActions.authenticate,
      onMessageDismiss: entryActions.clearAuthenticateError,
    },
    dispatch,
  );
 export default connect(mapStateToProps, mapDispatchToProps)(OidcLogin);
--- a/client/src/containers/UserSettingsModalContainer.js
+++ b/client/src/containers/UserSettingsModalContainer.js
@ -14,8 +14,8 @@ const mapStateToProps = (state) => {
    phone,
    organization,
    language,
    subscribeToOwnCards,
    isLocked,
    subscribeToOwnCards,
    isAvatarUpdating,
    emailUpdateForm,
    passwordUpdateForm,
@ -30,8 +30,8 @@ const mapStateToProps = (state) => {
    phone,
    organization,
    language,
    subscribeToOwnCards,
    isLocked,
    subscribeToOwnCards,
    isAvatarUpdating,
    emailUpdateForm,
    passwordUpdateForm,
--- a/client/src/entry-actions/core.js
+++ b/client/src/entry-actions/core.js
@ -1,10 +1,16 @@
 import EntryActionTypes from '../constants/EntryActionTypes';
 const initializeCore = () => ({
  type: EntryActionTypes.CORE_INITIALIZE,
  payload: {},
 });
 const logout = () => ({
  type: EntryActionTypes.LOGOUT,
  payload: {},
 });
 export default {
  initializeCore,
  logout,
 };
--- a/client/src/entry-actions/login.js
+++ b/client/src/entry-actions/login.js
@ -7,11 +7,6 @@ const authenticate = (data) => ({
  },
 });
 const authenticateUsingOidc = () => ({
  type: EntryActionTypes.USING_OIDC_AUTHENTICATE,
  payload: {},
 });
 const clearAuthenticateError = () => ({
  type: EntryActionTypes.AUTHENTICATE_ERROR_CLEAR,
  payload: {},
@ -19,6 +14,5 @@ const clearAuthenticateError = () => ({
 export default {
  authenticate,
  authenticateUsingOidc,
  clearAuthenticateError,
 };
--- a/client/src/index.js
+++ b/client/src/index.js
@ -1,11 +1,15 @@
 import React from 'react';
 import ReactDOM from 'react-dom/client';
 import Config from './constants/Config';
 import store from './store';
 import history from './history';
 import Root from './components/Root';
 import './i18n';
-const root = ReactDOM.createRoot(document.getElementById('root'));
+fetch(`${Config.SERVER_BASE_URL}/api/appconfig`).then((response) => {
-root.render(React.createElement(Root, { store, history }));
+  response.json().then((config) => {
    const root = ReactDOM.createRoot(document.getElementById('root'));
    root.render(React.createElement(Root, { store, history, config }));
  });
 });
--- a/client/src/locales/en/login.js
+++ b/client/src/locales/en/login.js
@ -11,12 +11,10 @@ export default {
      projectManagement: 'Project management',
      serverConnectionFailed: 'Server connection failed',
      unknownError: 'Unknown error, try again later',
      useSingleSignOn: 'Use single sign-on',
    },
    action: {
      logIn: 'Log in',
      logInWithSSO: 'Log in with SSO',
    },
  },
 };
--- a/client/src/locales/ja/core.js
+++ b/client/src/locales/ja/core.js
@ -8,7 +8,7 @@ export default {
    time: 'HH:mm',
    dateTime: '$t(format:date) $t(format:time)',
    longDate: 'MMMMd日',
-    longDateTime: "MMMMd'日 ' HH:mm",
+    longDateTime: "MMMMd'日 ' HH:MM",
  },
  translation: {
--- a/client/src/models/User.js
+++ b/client/src/models/User.js
@ -43,14 +43,16 @@ export default class extends BaseModel {
    organization: attr(),
    language: attr(),
    subscribeToOwnCards: attr(),
    isAdmin: attr(),
    isLocked: attr(),
    isRoleLocked: attr(),
    isDeletionLocked: attr(),
    deletedAt: attr(),
    createdAt: attr({
      getDefault: () => new Date(),
    }),
    deletedAt: attr(),
    isAdmin: attr({
      getDefault: () => false,
    }),
    isLocked: attr({
      getDefault: () => false,
    }),
    isAvatarUpdating: attr({
      getDefault: () => false,
    }),
--- a/client/src/reducers/auth.js
+++ b/client/src/reducers/auth.js
@ -10,7 +10,6 @@ const initialState = {
 export default (state = initialState, { type, payload }) => {
  switch (type) {
    case ActionTypes.AUTHENTICATE__SUCCESS:
    case ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS:
      return {
        ...state,
        accessToken: payload.accessToken,
--- a/client/src/reducers/core.js
+++ b/client/src/reducers/core.js
@ -4,6 +4,7 @@ import ActionTypes from '../constants/ActionTypes';
 import ModalTypes from '../constants/ModalTypes';
 const initialState = {
  isInitializing: true,
  isLogouting: false,
  currentModal: null,
 };
@ -17,6 +18,11 @@ export default (state = initialState, { type, payload }) => {
        ...state,
        currentModal: null,
      };
    case ActionTypes.CORE_INITIALIZE:
      return {
        ...state,
        isInitializing: false,
      };
    case ActionTypes.LOGOUT__ACCESS_TOKEN_INVALIDATE:
      return {
        ...state,
--- a/client/src/reducers/index.js
+++ b/client/src/reducers/index.js
@ -3,7 +3,6 @@ import { combineReducers } from 'redux';
 import router from './router';
 import socket from './socket';
 import orm from './orm';
 import root from './root';
 import auth from './auth';
 import core from './core';
 import ui from './ui';
@ -12,7 +11,6 @@ export default combineReducers({
  router,
  socket,
  orm,
  root,
  auth,
  core,
  ui,
--- a/client/src/reducers/root.js
+++ b/client/src/reducers/root.js
@ -1,36 +0,0 @@
 import ActionTypes from '../constants/ActionTypes';
 const initialState = {
  isInitializing: true,
  config: null,
 };
 // eslint-disable-next-line default-param-last
 export default (state = initialState, { type, payload }) => {
  switch (type) {
    case ActionTypes.LOGIN_INITIALIZE:
      return {
        ...state,
        isInitializing: false,
        config: payload.config,
      };
    case ActionTypes.AUTHENTICATE__SUCCESS:
    case ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS:
      return {
        ...state,
        isInitializing: true,
      };
    case ActionTypes.CORE_INITIALIZE:
      return {
        ...state,
        isInitializing: false,
      };
    case ActionTypes.CORE_INITIALIZE__CONFIG_FETCH:
      return {
        ...state,
        config: payload.config,
      };
    default:
      return state;
  }
 };
--- a/client/src/reducers/ui/authenticate-form.js
+++ b/client/src/reducers/ui/authenticate-form.js
@ -1,7 +1,4 @@
 import { LOCATION_CHANGE_HANDLE } from '../../lib/redux-router';
 import ActionTypes from '../../constants/ActionTypes';
 import Paths from '../../constants/Paths';
 const initialState = {
  data: {
@ -9,22 +6,12 @@ const initialState = {
    password: '',
  },
  isSubmitting: false,
  isSubmittingUsingOidc: false,
  error: null,
 };
 // eslint-disable-next-line default-param-last
 export default (state = initialState, { type, payload }) => {
  switch (type) {
    case LOCATION_CHANGE_HANDLE:
      if (payload.location.pathname === Paths.OIDC_CALLBACK) {
        return {
          ...state,
          isSubmittingUsingOidc: true,
        };
      }
      return state;
    case ActionTypes.AUTHENTICATE:
      return {
        ...state,
@ -35,7 +22,6 @@ export default (state = initialState, { type, payload }) => {
        isSubmitting: true,
      };
    case ActionTypes.AUTHENTICATE__SUCCESS:
    case ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS:
      return initialState;
    case ActionTypes.AUTHENTICATE__FAILURE:
      return {
@ -43,12 +29,6 @@ export default (state = initialState, { type, payload }) => {
        isSubmitting: false,
        error: payload.error,
      };
    case ActionTypes.USING_OIDC_AUTHENTICATE__FAILURE:
      return {
        ...state,
        isSubmittingUsingOidc: false,
        error: payload.error,
      };
    case ActionTypes.AUTHENTICATE_ERROR_CLEAR:
      return {
        ...state,
--- a/client/src/sagas/core/index.js
+++ b/client/src/sagas/core/index.js
@ -1,8 +1,7 @@
-import { all, apply, fork, select, take } from 'redux-saga/effects';
+import { all, apply, fork, take } from 'redux-saga/effects';
 import watchers from './watchers';
 import services from './services';
 import selectors from '../../selectors';
 import { socket } from '../../api';
 import ActionTypes from '../../constants/ActionTypes';
 import Paths from '../../constants/Paths';
@ -15,12 +14,5 @@ export default function* coreSaga() {
  yield take(ActionTypes.LOGOUT);
-  const oidcConfig = yield select(selectors.selectOidcConfig);
+  window.location.href = Paths.LOGIN;
  if (oidcConfig && oidcConfig.endSessionUrl !== null) {
    // Redirect the user to the IDP to log out.
    window.location.href = oidcConfig.endSessionUrl;
  } else {
    window.location.href = Paths.LOGIN;
  }
 }
--- a/client/src/sagas/core/services/core.js
+++ b/client/src/sagas/core/services/core.js
@ -1,23 +1,13 @@
-import { call, put, select, take } from 'redux-saga/effects';
+import { call, put, take } from 'redux-saga/effects';
 import request from '../request';
 import requests from '../requests';
 import selectors from '../../../selectors';
 import actions from '../../../actions';
 import api from '../../../api';
 import i18n from '../../../i18n';
 import { removeAccessToken } from '../../../utils/access-token-storage';
 export function* initializeCore() {
  const currentConfig = yield select(selectors.selectConfig); // TODO: add boolean selector?
  let config;
  if (!currentConfig) {
    ({ item: config } = yield call(api.getConfig)); // TODO: handle error
    yield put(actions.initializeCore.fetchConfig(config));
  }
  const {
    user,
    board,
--- a/client/src/sagas/core/services/router.js
+++ b/client/src/sagas/core/services/router.js
@ -33,16 +33,15 @@ export function* handleLocationChange() {
  switch (pathsMatch.pattern.path) {
    case Paths.LOGIN:
    case Paths.OIDC_CALLBACK:
      yield call(goToRoot);
-      return;
+      break;
    default:
  }
-  const isInitializing = yield select(selectors.selectIsInitializing);
+  const isCoreInitializing = yield select(selectors.selectIsCoreInitializing);
-  if (isInitializing) {
+  if (isCoreInitializing) {
    yield take(ActionTypes.CORE_INITIALIZE);
  }
--- a/client/src/sagas/core/watchers/core.js
+++ b/client/src/sagas/core/watchers/core.js
@ -4,5 +4,8 @@ import services from '../services';
 import EntryActionTypes from '../../../constants/EntryActionTypes';
 export default function* coreWatchers() {
-  yield all([takeEvery(EntryActionTypes.LOGOUT, () => services.logout())]);
+  yield all([
    takeEvery(EntryActionTypes.CORE_INITIALIZE, () => services.initializeCore()),
    takeEvery(EntryActionTypes.LOGOUT, () => services.logout()),
  ]);
 }
--- a/client/src/sagas/login/index.js
+++ b/client/src/sagas/login/index.js
@ -7,9 +7,7 @@ import ActionTypes from '../../constants/ActionTypes';
 export default function* loginSaga() {
  const watcherTasks = yield all(watchers.map((watcher) => fork(watcher)));
-  yield fork(services.initializeLogin);
+  yield take(ActionTypes.AUTHENTICATE__SUCCESS);
  yield take([ActionTypes.AUTHENTICATE__SUCCESS, ActionTypes.USING_OIDC_AUTHENTICATE__SUCCESS]);
  yield cancel(watcherTasks);
  yield call(services.goToRoot);
--- a/client/src/sagas/login/services/login.js
+++ b/client/src/sagas/login/services/login.js
@ -1,25 +1,19 @@
-import { nanoid } from 'nanoid';
+import { call, put } from 'redux-saga/effects';
 import { call, put, select } from 'redux-saga/effects';
 import { replace } from '../../../lib/redux-router';
 import selectors from '../../../selectors';
 import actions from '../../../actions';
 import api from '../../../api';
 import { setAccessToken } from '../../../utils/access-token-storage';
 import Paths from '../../../constants/Paths';
 export function* initializeLogin() {
  const { item: config } = yield call(api.getConfig); // TODO: handle error
  yield put(actions.initializeLogin(config));
 }
 export function* authenticate(data) {
  yield put(actions.authenticate(data));
-  let accessToken;
+  let accessToken = data.access_token;
  try {
-    ({ item: accessToken } = yield call(api.createAccessToken, data));
+    if (accessToken) {
      ({ item: accessToken } = yield call(api.exchangeOidcToken, accessToken));
    } else {
      ({ item: accessToken } = yield call(api.createAccessToken, data));
    }
  } catch (error) {
    yield put(actions.authenticate.failure(error));
    return;
@ -29,76 +23,11 @@ export function* authenticate(data) {
  yield put(actions.authenticate.success(accessToken));
 }
 export function* authenticateUsingOidc() {
  const oidcConfig = yield select(selectors.selectOidcConfig);
  const nonce = nanoid();
  window.sessionStorage.setItem('oidc-nonce', nonce);
  window.location.href = `${oidcConfig.authorizationUrl}&nonce=${encodeURIComponent(nonce)}`;
 }
 export function* authenticateUsingOidcCallback() {
  // https://github.com/plankanban/planka/issues/511#issuecomment-1771385639
  const params = new URLSearchParams(window.location.hash.substring(1) || window.location.search);
  yield put(replace(Paths.LOGIN));
  if (params.get('error') !== null) {
    yield put(
      actions.authenticateUsingOidc.failure(
        new Error(
          `OIDC Authorization error: ${params.get('error')}: ${params.get('error_description')}`,
        ),
      ),
    );
    return;
  }
  const nonce = window.sessionStorage.getItem('oidc-nonce');
  if (nonce === null) {
    yield put(
      actions.authenticateUsingOidc.failure(
        new Error('Unable to process OIDC response: no nonce issued'),
      ),
    );
    return;
  }
  const code = params.get('code');
  if (code === null) {
    yield put(
      actions.authenticateUsingOidc.failure(new Error('Invalid OIDC response: no code parameter')),
    );
    return;
  }
  window.sessionStorage.removeItem('oidc-nonce');
  if (code !== null) {
    let accessToken;
    try {
      ({ item: accessToken } = yield call(api.exchangeForAccessTokenUsingOidc, {
        code,
        nonce,
      }));
    } catch (error) {
      yield put(actions.authenticateUsingOidc.failure(error));
      return;
    }
    yield call(setAccessToken, accessToken);
    yield put(actions.authenticateUsingOidc.success(accessToken));
  }
 }
 export function* clearAuthenticateError() {
  yield put(actions.clearAuthenticateError());
 }
 export default {
  initializeLogin,
  authenticate,
  authenticateUsingOidc,
  authenticateUsingOidcCallback,
  clearAuthenticateError,
 };
--- a/client/src/sagas/login/services/router.js
+++ b/client/src/sagas/login/services/router.js
@ -1,9 +1,7 @@
-import { call, put, select, take } from 'redux-saga/effects';
+import { call, put, select } from 'redux-saga/effects';
 import { push } from '../../../lib/redux-router';
 import { authenticateUsingOidcCallback } from './login';
 import selectors from '../../../selectors';
 import ActionTypes from '../../../constants/ActionTypes';
 import Paths from '../../../constants/Paths';
 export function* goToLogin() {
@ -29,17 +27,6 @@ export function* handleLocationChange() {
      yield call(goToLogin);
      break;
    case Paths.OIDC_CALLBACK: {
      const isInitializing = yield select(selectors.selectIsInitializing);
      if (isInitializing) {
        yield take(ActionTypes.LOGIN_INITIALIZE);
      }
      yield call(authenticateUsingOidcCallback);
      break;
    }
    default:
  }
 }
--- a/client/src/sagas/login/watchers/login.js
+++ b/client/src/sagas/login/watchers/login.js
@ -8,7 +8,6 @@ export default function* loginWatchers() {
    takeEvery(EntryActionTypes.AUTHENTICATE, ({ payload: { data } }) =>
      services.authenticate(data),
    ),
    takeEvery(EntryActionTypes.USING_OIDC_AUTHENTICATE, () => services.authenticateUsingOidc()),
    takeEvery(EntryActionTypes.AUTHENTICATE_ERROR_CLEAR, () => services.clearAuthenticateError()),
  ]);
 }
--- a/client/src/selectors/core.js
+++ b/client/src/selectors/core.js
@ -6,6 +6,8 @@ import Config from '../constants/Config';
 export const selectAccessToken = ({ auth: { accessToken } }) => accessToken;
 export const selectIsCoreInitializing = ({ core: { isInitializing } }) => isInitializing;
 export const selectIsLogouting = ({ core: { isLogouting } }) => isLogouting;
 const nextPosition = (items, index, excludedId) => {
@ -113,6 +115,7 @@ export const selectNextTaskPosition = createSelector(
 export default {
  selectAccessToken,
  selectIsCoreInitializing,
  selectIsLogouting,
  selectNextBoardPosition,
  selectNextLabelPosition,
--- a/client/src/selectors/index.js
+++ b/client/src/selectors/index.js
@ -1,6 +1,5 @@
 import router from './router';
 import socket from './socket';
 import root from './root';
 import core from './core';
 import modals from './modals';
 import users from './users';
@ -17,7 +16,6 @@ import attachments from './attachments';
 export default {
  ...router,
  ...socket,
  ...root,
  ...core,
  ...modals,
  ...users,
--- a/client/src/selectors/root.js
+++ b/client/src/selectors/root.js
@ -1,11 +0,0 @@
 export const selectIsInitializing = ({ root: { isInitializing } }) => isInitializing;
 export const selectConfig = ({ root: { config } }) => config;
 export const selectOidcConfig = (state) => selectConfig(state).oidc;
 export default {
  selectIsInitializing,
  selectConfig,
  selectOidcConfig,
 };
--- a/client/src/utils/access-token-storage.js
+++ b/client/src/utils/access-token-storage.js
@ -1,5 +1,5 @@
 import Cookies from 'js-cookie';
-import { jwtDecode } from 'jwt-decode';
+import jwtDecode from 'jwt-decode';
 import Config from '../constants/Config';
--- a/docker-compose-db.yml
+++ b/docker-compose-db.yml
@ -1,16 +0,0 @@
 version: '3'
 services:
  postgres:
    image: postgres:alpine
    restart: unless-stopped
    volumes:
      - db-data:/var/lib/postgresql/data
    ports:
      - 5432:5432
    environment:
      - POSTGRES_DB=planka
      - POSTGRES_HOST_AUTH_METHOD=trust
 volumes:
  db-data:
--- a/docker-compose-dev.yml
+++ b/docker-compose-dev.yml
@ -1,65 +1,16 @@
 version: '3'
 services:
  planka:
    image: ghcr.io/plankanban/planka:dev
    command: >
      bash -c
        "for i in `seq 1 30`; do
          ./start.sh &&
          s=$$? && break || s=$$?;
          echo \"Tried $$i times. Waiting 5 seconds...\";
          sleep 5;
        done; (exit $$s)"
    restart: unless-stopped
    volumes:
      - user-avatars:/app/public/user-avatars
      - project-background-images:/app/public/project-background-images
      - attachments:/app/private/attachments
    ports:
      - 3000:1337
    environment:
      - BASE_URL=http://localhost:3000
      - DATABASE_URL=postgresql://postgres@postgres/planka
      - SECRET_KEY=notsecretkey
      # - TRUST_PROXY=0
      # - TOKEN_EXPIRES_IN=365 # In days
      # related: https://github.com/knex/knex/issues/2354
      # As knex does not pass query parameters from the connection string we
      # have to use environment variables in order to pass the desired values, e.g.
      # - PGSSLMODE=<value>
      # Configure knex to accept SSL certificates
      # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
      # - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
      # - DEFAULT_ADMIN_PASSWORD=demo
      # - DEFAULT_ADMIN_NAME=Demo Demo
      # - DEFAULT_ADMIN_USERNAME=demo
      # - OIDC_ISSUER=
      # - OIDC_CLIENT_ID=
      # - OIDC_CLIENT_SECRET=
      # - OIDC_SCOPES=openid email profile
      # - OIDC_ADMIN_ROLES=admin
      # - OIDC_ROLES_ATTRIBUTE=groups
      # - OIDC_IGNORE_ROLES=true
    depends_on:
      - postgres
  postgres:
-    image: postgres:14-alpine
+    image: postgres:alpine
    restart: unless-stopped
    volumes:
      - db-data:/var/lib/postgresql/data
    ports:
      - 5432:5432
    environment:
      - POSTGRES_DB=planka
      - POSTGRES_HOST_AUTH_METHOD=trust
 volumes:
  user-avatars:
  project-background-images:
  attachments:
  db-data:
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -20,11 +20,15 @@ services:
      - 3000:1337
    environment:
      - BASE_URL=http://localhost:3000
      - TRUST_PROXY=0
      - DATABASE_URL=postgresql://postgres@postgres/planka
      - SECRET_KEY=notsecretkey
-      # - TRUST_PROXY=0
+      # Can be removed after installation
-      # - TOKEN_EXPIRES_IN=365 # In days
+      - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
      - DEFAULT_ADMIN_PASSWORD=demo
      - DEFAULT_ADMIN_NAME=Demo Demo
      - DEFAULT_ADMIN_USERNAME=demo
      - MAIL_HOST=smtp.gmail.com
@ -36,19 +40,6 @@ services:
      # Configure knex to accept SSL certificates
      # - KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
      # - DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
      # - DEFAULT_ADMIN_PASSWORD=demo
      # - DEFAULT_ADMIN_NAME=Demo Demo
      # - DEFAULT_ADMIN_USERNAME=demo
      # - OIDC_ISSUER=
      # - OIDC_CLIENT_ID=
      # - OIDC_CLIENT_SECRET=
      # - OIDC_SCOPES=openid email profile
      # - OIDC_ADMIN_ROLES=admin
      # - OIDC_ROLES_ATTRIBUTE=groups
      # - OIDC_IGNORE_ROLES=true
    depends_on:
      - postgres
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@ -1,6 +1,6 @@
 {
  "name": "planka",
-  "version": "1.15.0",
+  "version": "1.12.0",
  "private": true,
  "homepage": "https://plankanban.github.io/planka",
  "repository": {
@ -56,17 +56,17 @@
    }
  },
  "dependencies": {
    "concurrently": "^7.6.0",
    "husky": "^8.0.2",
    "lint-staged": "^13.0.3",
    "nodemailer": "^6.9.7",
    "nodemailer-direct-transport": "^3.3.2",
-    "nodemailer-smtp-transport": "^2.7.4",
+    "nodemailer-smtp-transport": "^2.7.4"
    "concurrently": "^8.2.2",
    "husky": "^8.0.3",
    "lint-staged": "^15.1.0"
  },
  "devDependencies": {
-    "eslint": "^8.53.0",
+    "eslint": "^8.28.0",
-    "eslint-config-prettier": "^9.0.0",
+    "eslint-config-prettier": "^8.5.0",
-    "eslint-plugin-prettier": "^5.0.1",
+    "eslint-plugin-prettier": "^4.2.1",
-    "prettier": "^3.1.0"
+    "prettier": "^2.7.1"
  }
 }
--- a/server/.env.sample
+++ b/server/.env.sample
@ -4,6 +4,13 @@ BASE_URL=http://localhost:1337
 DATABASE_URL=postgresql://postgres@localhost/planka
 SECRET_KEY=notsecretkey
 ## Can be removed after installation
 DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
 DEFAULT_ADMIN_PASSWORD=demo
 DEFAULT_ADMIN_NAME=Demo Demo
 DEFAULT_ADMIN_USERNAME=demo
 ## Optional
 # TRUST_PROXY=0
@ -17,19 +24,6 @@ SECRET_KEY=notsecretkey
 # Configure knex to accept SSL certificates
 # KNEX_REJECT_UNAUTHORIZED_SSL_CERTIFICATE=false
 # DEFAULT_ADMIN_EMAIL=demo@demo.demo # Do not remove if you want to prevent this user from being edited/deleted
 # DEFAULT_ADMIN_PASSWORD=demo
 # DEFAULT_ADMIN_NAME=Demo Demo
 # DEFAULT_ADMIN_USERNAME=demo
 # OIDC_ISSUER=
 # OIDC_CLIENT_ID=
 # OIDC_CLIENT_SECRET=
 # OIDC_SCOPES=openid email profile
 # OIDC_ADMIN_ROLES=admin
 # OIDC_ROLES_ATTRIBUTE=groups
 # OIDC_IGNORE_ROLES=true
 ## Do not edit this
 TZ=UTC
--- a/server/api/controllers/access-tokens/create.js
+++ b/server/api/controllers/access-tokens/create.js
@ -10,9 +10,6 @@ const Errors = {
  INVALID_PASSWORD: {
    invalidPassword: 'Invalid password',
  },
  USE_SINGLE_SIGN_ON: {
    useSingleSignOn: 'Use single sign-on',
  },
 };
 const emailOrUsernameValidator = (value) =>
@ -40,9 +37,6 @@ module.exports = {
    invalidPassword: {
      responseType: 'unauthorized',
    },
    useSingleSignOn: {
      responseType: 'forbidden',
    },
  },
  async fn(inputs) {
@ -57,10 +51,6 @@ module.exports = {
      throw Errors.INVALID_EMAIL_OR_USERNAME;
    }
    if (user.isSso) {
      throw Errors.USE_SINGLE_SIGN_ON;
    }
    if (!bcrypt.compareSync(inputs.password, user.password)) {
      sails.log.warn(`Invalid password! (IP: ${remoteAddress})`);
      throw Errors.INVALID_PASSWORD;
--- a/server/api/controllers/access-tokens/exchange-using-oidc.js
+++ b/server/api/controllers/access-tokens/exchange-using-oidc.js
@ -1,71 +0,0 @@
 const { getRemoteAddress } = require('../../../utils/remoteAddress');
 const Errors = {
  INVALID_CODE_OR_NONCE: {
    invalidCodeOrNonce: 'Invalid code or nonce',
  },
  EMAIL_ALREADY_IN_USE: {
    emailAlreadyInUse: 'Email already in use',
  },
  USERNAME_ALREADY_IN_USE: {
    usernameAlreadyInUse: 'Username already in use',
  },
  MISSING_VALUES: {
    missingValues: 'Unable to retrieve required values (email, name)',
  },
 };
 module.exports = {
  inputs: {
    code: {
      type: 'string',
      required: true,
    },
    nonce: {
      type: 'string',
      required: true,
    },
  },
  exits: {
    invalidCodeOrNonce: {
      responseType: 'unauthorized',
    },
    emailAlreadyInUse: {
      responseType: 'conflict',
    },
    usernameAlreadyInUse: {
      responseType: 'conflict',
    },
    missingValues: {
      responseType: 'unprocessableEntity',
    },
  },
  async fn(inputs) {
    const remoteAddress = getRemoteAddress(this.req);
    const user = await sails.helpers.users
      .getOrCreateOneUsingOidc(inputs.code, inputs.nonce)
      .intercept('invalidCodeOrNonce', () => {
        sails.log.warn(`Invalid code or nonce! (IP: ${remoteAddress})`);
        return Errors.INVALID_CODE_OR_NONCE;
      })
      .intercept('emailAlreadyInUse', () => Errors.EMAIL_ALREADY_IN_USE)
      .intercept('usernameAlreadyInUse', () => Errors.USERNAME_ALREADY_IN_USE)
      .intercept('missingValues', () => Errors.MISSING_VALUES);
    const accessToken = sails.helpers.utils.createToken(user.id);
    await Session.create({
      accessToken,
      remoteAddress,
      userId: user.id,
      userAgent: this.req.headers['user-agent'],
    });
    return {
      item: accessToken,
    };
  },
 };
--- a/server/api/controllers/access-tokens/exchange.js
+++ b/server/api/controllers/access-tokens/exchange.js
@ -0,0 +1,177 @@
 const jwt = require('jsonwebtoken');
 const jwksClient = require('jwks-rsa');
 const openidClient = require('openid-client');
 const { getRemoteAddress } = require('../../../utils/remoteAddress');
 const Errors = {
  INVALID_TOKEN: {
    invalidToken: 'Access Token is invalid',
  },
  MISSING_VALUES: {
    missingValues:
      'Unable to retrieve required values. Verify the access token or UserInfo endpoint has email, username and name claims',
  },
 };
 const jwks = jwksClient({
  jwksUri: sails.config.custom.oidcJwksUri,
  requestHeaders: {}, // Optional
  timeout: 30000, // Defaults to 30s
 });
 const getJwtVerificationOptions = () => {
  const options = {};
  if (sails.config.custom.oidcIssuer) {
    options.issuer = sails.config.custom.oidcIssuer;
  }
  if (sails.config.custom.oidcAudience) {
    options.audience = sails.config.custom.oidcAudience;
  }
  return options;
 };
 const validateAndDecodeToken = async (accessToken, options) => {
  const keys = await jwks.getSigningKeys();
  let validToken = {};
  const isTokenValid = keys.some((signingKey) => {
    try {
      const key = signingKey.getPublicKey();
      validToken = jwt.verify(accessToken, key, options);
      return 'true';
    } catch (error) {
      sails.log.error(error);
    }
    return false;
  });
  if (!isTokenValid) {
    const tokenForLogging = jwt.decode(accessToken);
    const remoteAddress = getRemoteAddress(this.req);
    sails.log.warn(
      `invalid token: sub: "${tokenForLogging.sub}" issuer: "${tokenForLogging.iss}" audience: "${tokenForLogging.aud}" exp: ${tokenForLogging.exp} (IP: ${remoteAddress})`,
    );
    throw Errors.INVALID_TOKEN;
  }
  return validToken;
 };
 const getUserInfo = async (accessToken, options) => {
  if (sails.config.custom.oidcSkipUserInfo) {
    return {};
  }
  const issuer = await openidClient.Issuer.discover(options.issuer);
  const oidcClient = new issuer.Client({
    client_id: 'irrelevant',
  });
  const userInfo = await oidcClient.userinfo(accessToken);
  return userInfo;
 };
 const mergeUserData = (validToken, userInfo) => {
  const oidcUser = { ...validToken, ...userInfo };
  return oidcUser;
 };
 const getOrCreateUser = async (newUser) => {
  const user = await User.findOne({
    where: {
      username: newUser.username,
    },
  });
  if (user) {
    return user;
  }
  return User.create(newUser).fetch();
 };
 module.exports = {
  inputs: {
    token: {
      type: 'string',
      required: true,
    },
  },
  exits: {
    invalidToken: {
      responseType: 'unauthorized',
    },
    missingValues: {
      responseType: 'unauthorized',
    },
  },
  async fn(inputs) {
    const options = getJwtVerificationOptions();
    const validToken = await validateAndDecodeToken(inputs.token, options);
    const userInfo = await getUserInfo(inputs.token, options);
    const oidcUser = mergeUserData(validToken, userInfo);
    const now = new Date();
    let isAdmin = false;
    if (sails.config.custom.oidcAdminRoles.includes('*')) isAdmin = true;
    else if (Array.isArray(oidcUser[sails.config.custom.oidcRolesAttribute])) {
      const userRoles = new Set(oidcUser[sails.config.custom.oidcRolesAttribute]);
      isAdmin = sails.config.custom.oidcAdminRoles.findIndex((role) => userRoles.has(role)) > -1;
    }
    const newUser = {
      email: oidcUser.email,
      isAdmin,
      name: oidcUser.name,
      username: oidcUser.preferred_username,
      subscribeToOwnCards: false,
      createdAt: now,
      updatedAt: now,
      locked: true,
    };
    if (!newUser.email || !newUser.username || !newUser.name) {
      sails.log.error(Errors.MISSING_VALUES.missingValues);
      throw Errors.MISSING_VALUES;
    }
    const identityProviderUser = await IdentityProviderUser.findOne({
      where: {
        issuer: oidcUser.iss,
        sub: oidcUser.sub,
      },
    }).populate('userId');
    let user = identityProviderUser ? identityProviderUser.userId : {};
    if (!identityProviderUser) {
      user = await getOrCreateUser(newUser);
      await IdentityProviderUser.create({
        issuer: oidcUser.iss,
        sub: oidcUser.sub,
        userId: user.id,
      });
    }
    const controlledFields = ['email', 'password', 'isAdmin', 'name', 'username'];
    const updateFields = {};
    controlledFields.forEach((field) => {
      if (user[field] !== newUser[field]) {
        updateFields[field] = newUser[field];
      }
    });
    if (Object.keys(updateFields).length > 0) {
      updateFields.updatedAt = now;
      await User.updateOne({ id: user.id }).set(updateFields);
    }
    const plankaToken = sails.helpers.utils.createToken(user.id);
    const remoteAddress = getRemoteAddress(this.req);
    await Session.create({
      accessToken: plankaToken,
      remoteAddress,
      userId: user.id,
      userAgent: this.req.headers['user-agent'],
    });
    return {
      item: plankaToken,
    };
  },
 };
--- a/server/api/controllers/appconfig/index.js
+++ b/server/api/controllers/appconfig/index.js
@ -0,0 +1,11 @@
 module.exports = {
  async fn() {
    const config = {
      authority: sails.config.custom.oidcIssuer,
      clientId: sails.config.custom.oidcClientId,
      redirectUri: sails.config.custom.oidcredirectUri,
      scopes: sails.config.custom.oidcScopes,
    };
    return config;
  },
 };
--- a/server/api/controllers/show-config.js
+++ b/server/api/controllers/show-config.js
@ -1,22 +0,0 @@
 module.exports = {
  fn() {
    let oidc = null;
    if (sails.hooks.oidc.isActive()) {
      const oidcClient = sails.hooks.oidc.getClient();
      oidc = {
        authorizationUrl: oidcClient.authorizationUrl({
          scope: sails.config.custom.oidcScopes,
          response_mode: 'fragment',
        }),
        endSessionUrl: oidcClient.issuer.end_session_endpoint ? oidcClient.endSessionUrl({}) : null,
      };
    }
    return {
      item: {
        oidc,
      },
    };
  },
 };
--- a/server/api/controllers/users/delete.js
+++ b/server/api/controllers/users/delete.js
@ -1,7 +1,4 @@
 const Errors = {
  NOT_ENOUGH_RIGHTS: {
    notEnoughRights: 'Not enough rights',
  },
  USER_NOT_FOUND: {
    userNotFound: 'User not found',
  },
@ -17,9 +14,6 @@ module.exports = {
  },
  exits: {
    notEnoughRights: {
      responseType: 'forbidden',
    },
    userNotFound: {
      responseType: 'notFound',
    },
@ -33,7 +27,7 @@ module.exports = {
    }
    if (user.email === sails.config.custom.defaultAdminEmail) {
-      throw Errors.NOT_ENOUGH_RIGHTS;
+      throw Errors.USER_NOT_FOUND; // Forbidden
    }
    user = await sails.helpers.users.deleteOne.with({
--- a/server/api/controllers/users/update-email.js
+++ b/server/api/controllers/users/update-email.js
@ -1,9 +1,6 @@
 const bcrypt = require('bcrypt');
 const Errors = {
  NOT_ENOUGH_RIGHTS: {
    notEnoughRights: 'Not enough rights',
  },
  USER_NOT_FOUND: {
    userNotFound: 'User not found',
  },
@ -34,9 +31,6 @@ module.exports = {
  },
  exits: {
    notEnoughRights: {
      responseType: 'forbidden',
    },
    userNotFound: {
      responseType: 'notFound',
    },
@ -65,8 +59,8 @@ module.exports = {
      throw Errors.USER_NOT_FOUND;
    }
-    if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
+    if (user.email === sails.config.custom.defaultAdminEmail) {
-      throw Errors.NOT_ENOUGH_RIGHTS;
+      throw Errors.USER_NOT_FOUND; // Forbidden
    }
    if (
--- a/server/api/controllers/users/update-password.js
+++ b/server/api/controllers/users/update-password.js
@ -4,9 +4,6 @@ const zxcvbn = require('zxcvbn');
 const { getRemoteAddress } = require('../../../utils/remoteAddress');
 const Errors = {
  NOT_ENOUGH_RIGHTS: {
    notEnoughRights: 'Not enough rights',
  },
  USER_NOT_FOUND: {
    userNotFound: 'User not found',
  },
@ -36,9 +33,6 @@ module.exports = {
  },
  exits: {
    notEnoughRights: {
      responseType: 'forbidden',
    },
    userNotFound: {
      responseType: 'notFound',
    },
@ -64,8 +58,8 @@ module.exports = {
      throw Errors.USER_NOT_FOUND;
    }
-    if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
+    if (user.email === sails.config.custom.defaultAdminEmail) {
-      throw Errors.NOT_ENOUGH_RIGHTS;
+      throw Errors.USER_NOT_FOUND; // Forbidden
    }
    if (
--- a/server/api/controllers/users/update-username.js
+++ b/server/api/controllers/users/update-username.js
@ -1,9 +1,6 @@
 const bcrypt = require('bcrypt');
 const Errors = {
  NOT_ENOUGH_RIGHTS: {
    notEnoughRights: 'Not enough rights',
  },
  USER_NOT_FOUND: {
    userNotFound: 'User not found',
  },
@ -36,9 +33,6 @@ module.exports = {
  },
  exits: {
    notEnoughRights: {
      responseType: 'forbidden',
    },
    userNotFound: {
      responseType: 'notFound',
    },
@ -67,8 +61,8 @@ module.exports = {
      throw Errors.USER_NOT_FOUND;
    }
-    if (user.email === sails.config.custom.defaultAdminEmail || user.isSso) {
+    if (user.email === sails.config.custom.defaultAdminEmail) {
-      throw Errors.NOT_ENOUGH_RIGHTS;
+      throw Errors.USER_NOT_FOUND; // Forbidden
    }
    if (
--- a/server/api/controllers/users/update.js
+++ b/server/api/controllers/users/update.js
@ -72,12 +72,6 @@ module.exports = {
      delete inputs.isAdmin;
      delete inputs.name;
      /* eslint-enable no-param-reassign */
    } else if (user.isSso) {
      if (!sails.config.custom.oidcIgnoreRoles) {
        delete inputs.isAdmin; // eslint-disable-line no-param-reassign
      }
      delete inputs.name; // eslint-disable-line no-param-reassign
    }
    const values = {
--- a/server/api/helpers/users/create-one.js
+++ b/server/api/helpers/users/create-one.js
@ -9,7 +9,7 @@ const valuesValidator = (value) => {
    return false;
  }
-  if (!_.isNil(value.password) && !_.isString(value.password)) {
+  if (!_.isString(value.password)) {
    return false;
  }
@ -40,10 +40,6 @@ module.exports = {
  async fn(inputs) {
    const { values } = inputs;
    if (values.password) {
      values.password = bcrypt.hashSync(values.password, 10);
    }
    if (values.username) {
      values.username = values.username.toLowerCase();
    }
@ -51,6 +47,7 @@ module.exports = {
    const user = await User.create({
      ...values,
      email: values.email.toLowerCase(),
      password: bcrypt.hashSync(values.password, 10),
    })
      .intercept(
        {
--- a/server/api/helpers/users/delete-one.js
+++ b/server/api/helpers/users/delete-one.js
@ -10,10 +10,6 @@ module.exports = {
  },
  async fn(inputs) {
    await IdentityProviderUser.destroy({
      userId: inputs.record.id,
    });
    await ProjectManager.destroy({
      userId: inputs.record.id,
    });
--- a/server/api/helpers/users/get-or-create-one-using-oidc.js
+++ b/server/api/helpers/users/get-or-create-one-using-oidc.js
@ -1,113 +0,0 @@
 module.exports = {
  inputs: {
    code: {
      type: 'string',
      required: true,
    },
    nonce: {
      type: 'string',
      required: true,
    },
  },
  exits: {
    invalidCodeOrNonce: {},
    missingValues: {},
    emailAlreadyInUse: {},
    usernameAlreadyInUse: {},
  },
  async fn(inputs) {
    const client = sails.hooks.oidc.getClient();
    let userInfo;
    try {
      const tokenSet = await client.callback(
        sails.config.custom.oidcRedirectUri,
        { code: inputs.code },
        { nonce: inputs.nonce },
      );
      userInfo = await client.userinfo(tokenSet);
    } catch (e) {
      sails.log.warn(`Error while exchanging OIDC code: ${e}`);
      throw 'invalidCodeOrNonce';
    }
    if (!userInfo.email || !userInfo.name) {
      throw 'missingValues';
    }
    let isAdmin = false;
    if (sails.config.custom.oidcAdminRoles.includes('*')) {
      isAdmin = true;
    } else {
      const roles = userInfo[sails.config.custom.oidcRolesAttribute];
      if (Array.isArray(roles)) {
        // Use a Set here to avoid quadratic time complexity
        const userRoles = new Set(userInfo[sails.config.custom.oidcRolesAttribute]);
        isAdmin = sails.config.custom.oidcAdminRoles.findIndex((role) => userRoles.has(role)) > -1;
      }
    }
    const values = {
      isAdmin,
      email: userInfo.email,
      isSso: true,
      name: userInfo.name,
      username: userInfo.preferred_username,
      subscribeToOwnCards: false,
    };
    let user;
    // This whole block technically needs to be executed in a transaction
    // with SERIALIZABLE isolation level (but Waterline does not support
    // that), so this will result in errors if for example users are deleted
    // concurrently with logging in via OIDC.
    let identityProviderUser = await IdentityProviderUser.findOne({
      issuer: sails.config.custom.oidcIssuer,
      sub: userInfo.sub,
    });
    if (identityProviderUser) {
      user = await sails.helpers.users.getOne(identityProviderUser.userId);
    } else {
      // If no IDP/User mapping exists, search for the user by email.
      user = await sails.helpers.users.getOne({
        email: values.email.toLowerCase(),
      });
      // Otherwise, create a new user.
      if (!user) {
        user = await sails.helpers.users
          .createOne(values)
          .intercept('usernameAlreadyInUse', 'usernameAlreadyInUse');
      }
      identityProviderUser = await IdentityProviderUser.create({
        userId: user.id,
        issuer: sails.config.custom.oidcIssuer,
        sub: userInfo.sub,
      });
    }
    const updateFieldKeys = ['email', 'isSso', 'name', 'username'];
    if (!sails.config.custom.oidcIgnoreRoles) {
      updateFieldKeys.push('isAdmin');
    }
    const updateValues = {};
    // eslint-disable-next-line no-restricted-syntax
    for (const k of updateFieldKeys) {
      if (values[k] !== user[k]) updateValues[k] = values[k];
    }
    if (Object.keys(updateValues).length > 0) {
      user = await sails.helpers.users
        .updateOne(user, updateValues, {}) // FIXME: hack for last parameter
        .intercept('emailAlreadyInUse', 'emailAlreadyInUse')
        .intercept('usernameAlreadyInUse', 'usernameAlreadyInUse');
    }
    return user;
  },
 };
--- a/server/api/hooks/oidc/index.js
+++ b/server/api/hooks/oidc/index.js
@ -1,33 +0,0 @@
 const openidClient = require('openid-client');
 module.exports = function oidcServiceHook(sails) {
  let client = null;
  return {
    /**
     * Runs when this Sails app loads/lifts.
     */
    async initialize() {
      if (sails.config.custom.oidcIssuer) {
        const issuer = await openidClient.Issuer.discover(sails.config.custom.oidcIssuer);
        client = new issuer.Client({
          client_id: sails.config.custom.oidcClientId,
          client_secret: sails.config.custom.oidcClientSecret,
          redirect_uris: [sails.config.custom.oidcRedirectUri],
          response_types: ['code'],
        });
        sails.log.info('OIDC hook has been loaded successfully');
      }
    },
    getClient() {
      return client;
    },
    isActive() {
      return client !== null;
    },
  };
 };
--- a/server/api/models/User.js
+++ b/server/api/models/User.js
@ -24,11 +24,6 @@ module.exports = {
      defaultsTo: false,
      columnName: 'is_admin',
    },
    isSso: {
      type: 'boolean',
      defaultsTo: false,
      columnName: 'is_sso',
    },
    name: {
      type: 'string',
      required: true,
@ -72,6 +67,10 @@ module.exports = {
      type: 'ref',
      columnName: 'password_changed_at',
    },
    locked: {
      type: 'boolean',
      columnName: 'locked',
    },
    //  ╔═╗╔╦╗╔╗ ╔═╗╔╦╗╔═╗
    //  ║╣ ║║║╠╩╗║╣  ║║╚═╗
@ -110,16 +109,12 @@ module.exports = {
  tableName: 'user_account',
  customToJSON() {
    const isDefaultAdmin = this.email === sails.config.custom.defaultAdminEmail;
    return {
-      ..._.omit(this, ['password', 'isSso', 'avatar', 'passwordChangedAt']),
+      ..._.omit(this, ['password', 'avatar', 'passwordChangedAt']),
      isLocked: this.isSso || isDefaultAdmin,
      isRoleLocked: (this.isSso && !sails.config.custom.oidcIgnoreRoles) || isDefaultAdmin,
      isDeletionLocked: isDefaultAdmin,
      avatarUrl:
        this.avatar &&
        `${sails.config.custom.userAvatarsUrl}/${this.avatar.dirname}/square-100.${this.avatar.extension}`,
      isLocked: this.email === sails.config.custom.defaultAdminEmail,
    };
  },
 };
--- a/server/config/custom.js
+++ b/server/config/custom.js
@ -31,20 +31,18 @@ module.exports.custom = {
  attachmentsPath: path.join(sails.config.appPath, 'private', 'attachments'),
  attachmentsUrl: `${process.env.BASE_URL}/attachments`,
  oidcIssuer: process.env.OIDC_ISSUER,
  oidcAudience: process.env.OIDC_AUDIENCE,
  oidcClientId: process.env.OIDC_CLIENT_ID,
  oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
  oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
  oidcredirectUri: process.env.OIDC_REDIRECT_URI,
  oidcJwksUri: process.env.OIDC_JWKS_URI,
  oidcScopes: process.env.OIDC_SCOPES || 'openid profile email',
  oidcSkipUserInfo: process.env.OIDC_SKIP_USER_INFO === 'true',
  defaultAdminEmail: process.env.DEFAULT_ADMIN_EMAIL,
  oidcIssuer: process.env.OIDC_ISSUER,
  oidcClientId: process.env.OIDC_CLIENT_ID,
  oidcClientSecret: process.env.OIDC_CLIENT_SECRET,
  oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
  oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
  oidcRolesAttribute: process.env.OIDC_ROLES_ATTRIBUTE || 'groups',
  oidcIgnoreRoles: process.env.OIDC_IGNORE_ROLES === 'true',
  // TODO: move client base url to environment variable?
  oidcRedirectUri: `${
    sails.config.environment === 'production' ? process.env.BASE_URL : 'http://localhost:3000'
  }/oidc-callback`,
  mailConnectorHost: process.env.MAIL_HOST,
  mailConnectorPort: process.env.MAIL_PORT || 25,
  mailConnectorEmail: 'Planka <planka-noreplay@test.com>',
--- a/server/config/policies.js
+++ b/server/config/policies.js
@ -23,8 +23,8 @@ module.exports.policies = {
  'projects/create': ['is-authenticated', 'is-admin'],
  'show-config': true,
  'access-tokens/create': true,
-  'access-tokens/exchange-using-oidc': true,
+  'access-tokens/exchange': true,
  'appconfig/index': true,
  'mail/index': true,
 };
--- a/server/config/routes.js
+++ b/server/config/routes.js
@ -9,12 +9,12 @@
 */
 module.exports.routes = {
-  'GET /api/config': 'show-config',
+  'GET /api/appconfig': 'appconfig/index',
  'POST /api/mail': 'mail/index',
  'POST /api/access-tokens': 'access-tokens/create',
-  'POST /api/access-tokens/exchange-using-oidc': 'access-tokens/exchange-using-oidc',
+  'POST /api/access-tokens/exchange': 'access-tokens/exchange',
  'DELETE /api/access-tokens/me': 'access-tokens/delete',
  'GET /api/users': 'users/index',
--- a/server/db/migrations/20230809022050_create_identity_provider_user.js
+++ b/server/db/migrations/20230809022050_create_identity_provider_user.js
@ -0,0 +1,24 @@
 module.exports.up = (knex) =>
  knex.schema.createTable('identity_provider_user', (table) => {
    /* Columns */
    table.bigInteger('id').primary().defaultTo(knex.raw('next_id()'));
    table.timestamp('created_at', true);
    table.timestamp('updated_at', true);
    table
      .bigInteger('user_id')
      .notNullable()
      .references('id')
      .inTable('user_account')
      .onDelete('CASCADE');
    table.text('issuer').notNullable();
    table.text('sub').notNullable();
    /* Indexes */
    table.index('user_id');
  });
 module.exports.down = (knex) => knex.schema.dropTable('identity_provider_user');
--- a/server/db/migrations/20230809022050_oidc_with_pkce_flow.js
+++ b/server/db/migrations/20230809022050_oidc_with_pkce_flow.js
@ -1,44 +0,0 @@
 module.exports.up = async (knex) => {
  await knex.schema.createTable('identity_provider_user', (table) => {
    /* Columns */
    table.bigInteger('id').primary().defaultTo(knex.raw('next_id()'));
    table.bigInteger('user_id').notNullable();
    table.text('issuer').notNullable();
    table.text('sub').notNullable();
    table.timestamp('created_at', true);
    table.timestamp('updated_at', true);
    /* Indexes */
    table.unique(['issuer', 'sub']);
    table.index('user_id');
  });
  await knex.schema.table('user_account', (table) => {
    /* Columns */
    table.boolean('is_sso').notNullable().default(false);
    /* Modifications */
    table.setNullable('password');
  });
  return knex.schema.alterTable('user_account', (table) => {
    table.boolean('is_sso').notNullable().alter();
  });
 };
 module.exports.down = async (knex) => {
  await knex.schema.dropTable('identity_provider_user');
  return knex.schema.table('user_account', (table) => {
    table.dropColumn('is_sso');
    table.dropNullable('password');
  });
 };
--- a/server/db/migrations/20230809024146_all_null_password_field.js
+++ b/server/db/migrations/20230809024146_all_null_password_field.js
@ -0,0 +1,11 @@
 module.exports.up = async (knex) => {
  return knex.schema.table('user_account', (table) => {
    table.setNullable('password');
  });
 };
 module.exports.down = async (knex) => {
  return knex.schema.table('user_account', (table) => {
    table.dropNullable('password');
  });
 };
--- a/server/db/migrations/20230809025904_add_lock_to_user_account.js
+++ b/server/db/migrations/20230809025904_add_lock_to_user_account.js
@ -0,0 +1,11 @@
 module.exports.up = async (knex) => {
  return knex.schema.table('user_account', (table) => {
    table.boolean('locked').default(false);
  });
 };
 module.exports.down = async (knex) => {
  return knex.schema.table('user_account', (table) => {
    table.dropColumn('locked');
  });
 };
--- a/server/db/seeds/default.js
+++ b/server/db/seeds/default.js
@ -3,7 +3,6 @@ const bcrypt = require('bcrypt');
 const buildData = () => {
  const data = {
    isAdmin: true,
    isSso: false,
  };
  if (process.env.DEFAULT_ADMIN_PASSWORD) {
@ -34,6 +33,10 @@ exports.seed = async (knex) => {
      createdAt: new Date().toISOString(),
    });
  } catch (error) {
    if (Object.keys(data).length === 0) {
      return;
    }
    await knex('user_account').update(data).where('email', process.env.DEFAULT_ADMIN_EMAIL);
  }
 };
--- a/server/package-lock.json
+++ b/server/package-lock.json
--- a/server/package.json
+++ b/server/package.json
@ -27,39 +27,40 @@
    }
  },
  "dependencies": {
-    "bcrypt": "^5.1.1",
+    "bcrypt": "^5.1.0",
-    "dotenv": "^16.3.1",
+    "dotenv": "^16.0.3",
-    "dotenv-cli": "^7.3.0",
+    "dotenv-cli": "^6.0.0",
    "filenamify": "^4.3.0",
-    "jsonwebtoken": "^9.0.2",
+    "jsonwebtoken": "^9.0.0",
-    "knex": "^3.0.1",
+    "jwks-rsa": "^3.0.1",
    "knex": "^2.3.0",
    "lodash": "^4.17.21",
    "moment": "^2.29.4",
    "move-file": "^2.1.0",
    "nodemailer": "^6.9.7",
-    "openid-client": "^5.6.1",
+    "openid-client": "^5.4.3",
-    "rimraf": "^5.0.5",
+    "rimraf": "^3.0.2",
-    "sails": "^1.5.7",
+    "sails": "^1.5.3",
    "sails-hook-orm": "^4.0.2",
-    "sails-hook-sockets": "^2.0.4",
+    "sails-hook-sockets": "^2.0.3",
    "sails-postgresql-redacted": "^1.0.2-9",
-    "sharp": "^0.32.6",
+    "sharp": "^0.31.2",
    "stream-to-array": "^2.3.0",
-    "uuid": "^9.0.1",
+    "uuid": "^9.0.0",
-    "validator": "^13.11.0",
+    "validator": "^13.7.0",
-    "winston": "^3.11.0",
+    "winston": "^3.8.2",
    "zxcvbn": "^4.4.2"
  },
  "devDependencies": {
-    "chai": "^4.3.10",
+    "chai": "^4.3.7",
-    "eslint": "^8.53.0",
+    "eslint": "^8.28.0",
    "eslint-config-airbnb-base": "^15.0.0",
-    "eslint-plugin-import": "^2.29.0",
+    "eslint-plugin-import": "^2.26.0",
-    "mocha": "^10.2.0",
+    "mocha": "^10.1.0",
-    "nodemon": "^3.0.1",
+    "nodemon": "^2.0.20",
-    "supertest": "^6.3.3"
+    "supertest": "^6.3.1"
  },
  "engines": {
-    "node": ">=18"
+    "node": "^12.10"
  }
 }
`@ -1 +1 @@`
	`REACT_APP_VERSION=1.15.0`	`REACT_APP_VERSION=1.12.0`
		`@ -0,0 +1,3 @@`
							`import OidcLogin from './OidcLogin';`

							`export default OidcLogin;`