From 9234826238ff301bcb20c42ebd0cc5527914f7af Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Fri, 12 Sep 2025 10:00:02 +0200
Subject: [PATCH 01/63] feat(model): update subscription.go

---
 api/internal/model/subscription.go      | 18 ++++++++++--------
 api/internal/model/subscription_test.go |  2 +-
 api/internal/service/alias.go           |  2 +-
 api/internal/service/processor.go       |  2 +-
 api/internal/service/recipient.go       |  4 ++--
 api/internal/service/subscription.go    |  2 --
 api/internal/service/user.go            |  2 +-
 7 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/api/internal/model/subscription.go b/api/internal/model/subscription.go
index 3a006e1..ff5e12e 100644
--- a/api/internal/model/subscription.go
+++ b/api/internal/model/subscription.go
@@ -17,16 +17,18 @@ var (
 )
 
 type Subscription struct {
-	ID          string           `gorm:"unique" json:"id"`
-	CreatedAt   time.Time        `json:"created_at"`
-	UpdatedAt   time.Time        `json:"-"`
-	UserID      string           `json:"-"`
-	Type        SubscriptionType `json:"type"`
-	ActiveUntil time.Time        `json:"active_until"`
+	ID          string    `gorm:"unique" json:"id"`
+	CreatedAt   time.Time `json:"created_at"`
+	UpdatedAt   time.Time `json:"-"`
+	UserID      string    `json:"-"`
+	ActiveUntil time.Time `json:"active_until"`
+	IsActive    bool      `json:"is_active"`
+	Tier        string    `json:"tier"`
+	TokenHash   string    `json:"-"`
 }
 
-func (s *Subscription) IsActive() bool {
-	return s.ActiveUntil.After(time.Now())
+func (s *Subscription) IsActiveCheck() bool {
+	return s.ActiveUntil.After(time.Now()) || s.IsActive
 }
 
 func (s *Subscription) IsActiveWithGracePeriod(days int) bool {
diff --git a/api/internal/model/subscription_test.go b/api/internal/model/subscription_test.go
index db337cd..52cedaf 100644
--- a/api/internal/model/subscription_test.go
+++ b/api/internal/model/subscription_test.go
@@ -33,7 +33,7 @@ func TestSubscription_IsActive(t *testing.T) {
 			s := &Subscription{
 				ActiveUntil: tt.activeUntil,
 			}
-			if got := s.IsActive(); got != tt.want {
+			if got := s.IsActiveCheck(); got != tt.want {
 				t.Errorf("Subscription.IsActive() = %v, want %v", got, tt.want)
 			}
 		})
diff --git a/api/internal/service/alias.go b/api/internal/service/alias.go
index 8073c0b..b9b089e 100644
--- a/api/internal/service/alias.go
+++ b/api/internal/service/alias.go
@@ -84,7 +84,7 @@ func (s *Service) PostAlias(ctx context.Context, alias model.Alias, format strin
 		return model.Alias{}, ErrPostAlias
 	}
 
-	if !sub.IsActive() {
+	if !sub.IsActiveCheck() {
 		log.Println("error creating alias: subscription is not active")
 		return model.Alias{}, ErrPostAlias
 	}
diff --git a/api/internal/service/processor.go b/api/internal/service/processor.go
index 572bab7..0059747 100644
--- a/api/internal/service/processor.go
+++ b/api/internal/service/processor.go
@@ -45,7 +45,7 @@ func (s *Service) ProcessMessage(data []byte) error {
 		}
 
 		// Reply | Send
-		if relayType != model.Forward && !sub.IsActive() {
+		if relayType != model.Forward && !sub.IsActiveCheck() {
 			log.Println("inactive subscription for reply/send")
 			continue
 		}
diff --git a/api/internal/service/recipient.go b/api/internal/service/recipient.go
index 7c1d6ab..1730b24 100644
--- a/api/internal/service/recipient.go
+++ b/api/internal/service/recipient.go
@@ -84,7 +84,7 @@ func (s *Service) PostRecipient(ctx context.Context, recipient model.Recipient)
 		return ErrPostRecipient
 	}
 
-	if !sub.IsActive() {
+	if !sub.IsActiveCheck() {
 		log.Println("error creating recipient: subscription is not active")
 		return ErrPostRecipient
 	}
@@ -182,7 +182,7 @@ func (s *Service) UpdateRecipient(ctx context.Context, recipient model.Recipient
 		return ErrUpdateRecipient
 	}
 
-	if !sub.IsActive() {
+	if !sub.IsActiveCheck() {
 		log.Println("error updating recipient: subscription is not active")
 		return ErrUpdateRecipient
 	}
diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index 1e07d2d..3c01897 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -42,7 +42,6 @@ func (s *Service) PostSubscription(ctx context.Context, userID string, subID str
 	}
 
 	sub := model.Subscription{
-		Type:        model.Managed,
 		UserID:      userID,
 		ActiveUntil: activeUntilTime,
 	}
@@ -79,7 +78,6 @@ func (s *Service) AddSubscription(ctx context.Context, subscription model.Subscr
 }
 
 func (s *Service) UpdateSubscription(ctx context.Context, subscription model.Subscription) error {
-	subscription.Type = model.Managed
 	err := s.Store.UpdateSubscription(ctx, subscription)
 	if err != nil {
 		log.Printf("error updating subscription: %s", err.Error())
diff --git a/api/internal/service/user.go b/api/internal/service/user.go
index 9bba0f7..43940dc 100644
--- a/api/internal/service/user.go
+++ b/api/internal/service/user.go
@@ -256,7 +256,7 @@ func (s *Service) ActivateUser(ctx context.Context, ID string, otp string) error
 		return nil
 	}
 
-	if !sub.IsActive() {
+	if !sub.IsActiveCheck() {
 		log.Println("error creating recipient: subscription is not active")
 		return nil
 	}

From 4b6ccfce9592e14d075015aa00d1672d32f0ac3c Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Fri, 12 Sep 2025 10:10:49 +0200
Subject: [PATCH 02/63] feat(api): update config.go

---
 api/.env.sample                    | 98 +++++++++++++++---------------
 api/config/config.go               |  4 ++
 api/internal/model/preauth.go      | 11 ++++
 api/internal/model/subscription.go |  9 +--
 4 files changed, 66 insertions(+), 56 deletions(-)
 create mode 100644 api/internal/model/preauth.go

diff --git a/api/.env.sample b/api/.env.sample
index 86a1c96..d1a3637 100644
--- a/api/.env.sample
+++ b/api/.env.sample
@@ -1,52 +1,54 @@
-FQDN="localhost"
-API_NAME="Service Name"
-API_PORT="3000"
-API_ALLOW_ORIGIN="http://localhost:3001"
-TOKEN_SECRET="secret"
+FQDN=localhost
+API_NAME=Service Name
+API_PORT=3000
+API_ALLOW_ORIGIN=http://localhost:3001
+TOKEN_SECRET=secret
 TOKEN_EXPIRATION=60m
-PSK=""
-PSK_ALLOW_ORIGIN="http://localhost:3001"
-DOMAINS="example1.net,example2.com"
-LOG_FILE="/var/log/api.log"
-BASIC_AUTH_USER=""
-BASIC_AUTH_PASSWORD=""
-NET_SUBNET=""
-NET_GATEWAY=""
-SIGNUP_WEBHOOK_URL=""
-SIGNUP_WEBHOOK_PSK=""
+PSK=
+PSK_ALLOW_ORIGIN=http://localhost:3001
+DOMAINS=example1.net,example2.com
+LOG_FILE=/var/log/api.log
+BASIC_AUTH_USER=
+BASIC_AUTH_PASSWORD=
+NET_SUBNET=
+NET_GATEWAY=
+SIGNUP_WEBHOOK_URL=
+SIGNUP_WEBHOOK_PSK=
+PREAUTH_URL=
+PREAUTH_PSK=
 
-APP_PORT="3001"
+APP_PORT=3001
 
-DB_HOSTS="db"
-DB_PORT="3306"
-DB_NAME="email"
-DB_USER="email"
-DB_PASSWORD="email"
-DB_ROOT_USER="root"
-DB_ROOT_PASSWORD="root"
+DB_HOSTS=db
+DB_PORT=3306
+DB_NAME=email
+DB_USER=email
+DB_PASSWORD=email
+DB_ROOT_USER=root
+DB_ROOT_PASSWORD=root
 
-REDIS_ADDR="redis:6379"
-REDIS_ADDRS=""
-REDIS_MASTER_NAME=""
-REDIS_USERNAME=""
-REDIS_PASSWORD=""
-REDIS_FAILOVER_USERNAME=""
-REDIS_FAILOVER_PASSWORD=""
-REDIS_TLS_ENABLED="false"
-REDIS_CERT_FILE=""
-REDIS_KEY_FILE=""
-REDIS_CA_CERT_FILE=""
-REDIS_TLS_INSECURE_SKIP_VERIFY="false"
+REDIS_ADDR=redis:6379
+REDIS_ADDRS=
+REDIS_MASTER_NAME=
+REDIS_USERNAME=
+REDIS_PASSWORD=
+REDIS_FAILOVER_USERNAME=
+REDIS_FAILOVER_PASSWORD=
+REDIS_TLS_ENABLED=false
+REDIS_CERT_FILE=
+REDIS_KEY_FILE=
+REDIS_CA_CERT_FILE=
+REDIS_TLS_INSECURE_SKIP_VERIFY=false
 
-SMTP_CLIENT_HOST="smtp.example.net"
-SMTP_CLIENT_PORT="2525"
-SMTP_CLIENT_USER=""
-SMTP_CLIENT_PASSWORD=""
-SMTP_CLIENT_SENDER="from@example.net"
-SMTP_CLIENT_SENDER_NAME="From Name"
+SMTP_CLIENT_HOST=smtp.example.net
+SMTP_CLIENT_PORT=2525
+SMTP_CLIENT_USER=
+SMTP_CLIENT_PASSWORD=
+SMTP_CLIENT_SENDER=from@example.net
+SMTP_CLIENT_SENDER_NAME=From Name
 
 OTP_EXPIRATION=15m
-SUBSCRIPTION_TYPE=""
+SUBSCRIPTION_TYPE=
 MAX_CREDENTIALS=10
 MAX_RECIPIENTS=10
 MAX_DAILY_ALIASES=100
@@ -57,10 +59,10 @@ ACCOUNT_GRACE_PERIOD_DAYS=194
 ID_LIMITER_MAX=5
 ID_LIMITER_EXPIRATION=60m
 
-BACKUP_FILENAME="backup"
-BACKUP_CRON_EXPRESSION="0 0 29 2 1"
+BACKUP_FILENAME=backup
+BACKUP_CRON_EXPRESSION=0 0 29 2 1
 BACKUP_RETENTION_DAYS=7
-GPG_PASSPHRASE=""
-AWS_S3_BUCKET_NAME=""
-AWS_ACCESS_KEY_ID=""
-AWS_SECRET_ACCESS_KEY=""
+GPG_PASSPHRASE=
+AWS_S3_BUCKET_NAME=
+AWS_ACCESS_KEY_ID=
+AWS_SECRET_ACCESS_KEY=
diff --git a/api/config/config.go b/api/config/config.go
index 3d9be5b..263ab5d 100644
--- a/api/config/config.go
+++ b/api/config/config.go
@@ -22,6 +22,8 @@ type APIConfig struct {
 	BasicAuthPassword string
 	SignupWebhookURL  string
 	SignupWebhookPSK  string
+	PreauthURL        string
+	PreauthPSK        string
 }
 
 type DBConfig struct {
@@ -155,6 +157,8 @@ func New() (Config, error) {
 			BasicAuthPassword: os.Getenv("BASIC_AUTH_PASSWORD"),
 			SignupWebhookURL:  os.Getenv("SIGNUP_WEBHOOK_URL"),
 			SignupWebhookPSK:  os.Getenv("SIGNUP_WEBHOOK_PSK"),
+			PreauthURL:        os.Getenv("PREAUTH_URL"),
+			PreauthPSK:        os.Getenv("PREAUTH_PSK"),
 		},
 		DB: DBConfig{
 			Hosts:    dbHosts,
diff --git a/api/internal/model/preauth.go b/api/internal/model/preauth.go
new file mode 100644
index 0000000..9d33b88
--- /dev/null
+++ b/api/internal/model/preauth.go
@@ -0,0 +1,11 @@
+package model
+
+import "time"
+
+type Preauth struct {
+	ID          string    `json:"id"`
+	TokenHash   string    `json:"token_hash"`
+	IsActive    bool      `json:"is_active"`
+	ActiveUntil time.Time `json:"active_until"`
+	Tier        string    `json:"tier"`
+}
diff --git a/api/internal/model/subscription.go b/api/internal/model/subscription.go
index ff5e12e..626b023 100644
--- a/api/internal/model/subscription.go
+++ b/api/internal/model/subscription.go
@@ -5,13 +5,6 @@ import (
 	"time"
 )
 
-type SubscriptionType string
-
-const (
-	Free    SubscriptionType = "Free"
-	Managed SubscriptionType = "Managed"
-)
-
 var (
 	ErrDuplicateSubscription = errors.New("subscription already exists")
 )
@@ -24,7 +17,7 @@ type Subscription struct {
 	ActiveUntil time.Time `json:"active_until"`
 	IsActive    bool      `json:"is_active"`
 	Tier        string    `json:"tier"`
-	TokenHash   string    `json:"-"`
+	TokenHash   string    `gorm:"unique" json:"-"`
 }
 
 func (s *Subscription) IsActiveCheck() bool {

From 66b1e69467286d8df096448ae26f2c73923984c3 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Fri, 12 Sep 2025 10:17:41 +0200
Subject: [PATCH 03/63] feat(client): update http.go

---
 api/internal/client/http/http.go | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/api/internal/client/http/http.go b/api/internal/client/http/http.go
index bcef7fd..3e8a9ae 100644
--- a/api/internal/client/http/http.go
+++ b/api/internal/client/http/http.go
@@ -1,12 +1,14 @@
 package http
 
 import (
+	"encoding/json"
 	"errors"
 	"log"
 	"net/http"
 
 	"github.com/gofiber/fiber/v2"
 	"ivpn.net/email/api/config"
+	"ivpn.net/email/api/internal/model"
 )
 
 type Http struct {
@@ -39,3 +41,29 @@ func (h Http) SignupWebhook(subID string) error {
 
 	return nil
 }
+
+func (h Http) GetPreauth(ID string) (model.Preauth, error) {
+	req := fiber.Get(h.Cfg.PreauthURL + "/" + ID)
+	req.Set("Content-Type", "application/json")
+	req.Set("Accept", "application/json")
+	req.Set("Authorization", "Bearer "+h.Cfg.PreauthPSK)
+
+	var preauth model.Preauth
+	status, body, err := req.Bytes()
+	if err != nil {
+		log.Printf("Error calling preauth service: %v", err)
+		return model.Preauth{}, errors.New("error calling preauth service")
+	}
+
+	if status != http.StatusOK {
+		log.Printf("Error calling preauth service, status: %d", status)
+		return model.Preauth{}, errors.New("error response from preauth service")
+	}
+
+	if err := json.Unmarshal(body, &preauth); err != nil {
+		log.Printf("Error parsing preauth response: %v", err)
+		return model.Preauth{}, errors.New("error parsing preauth response")
+	}
+
+	return preauth, nil
+}

From a35970f7c4357c67435504870827da28431b27c0 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Fri, 12 Sep 2025 11:26:33 +0200
Subject: [PATCH 04/63] feat(service): update user.go

---
 api/internal/service/subscription.go   | 25 ++++++++-----------------
 api/internal/service/user.go           | 17 ++++++++++++-----
 api/internal/transport/api/req.go      | 14 +++++++++-----
 api/internal/transport/api/user.go     |  5 ++---
 api/internal/transport/api/webauthn.go |  2 +-
 5 files changed, 32 insertions(+), 31 deletions(-)

diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index 3c01897..d313ea6 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -5,8 +5,8 @@ import (
 	"errors"
 	"log"
 
-	"github.com/araddon/dateparse"
 	"github.com/go-sql-driver/mysql"
+	"github.com/google/uuid"
 	"ivpn.net/email/api/internal/model"
 )
 
@@ -34,20 +34,17 @@ func (s *Service) GetSubscription(ctx context.Context, userID string) (model.Sub
 	return subscription, nil
 }
 
-func (s *Service) PostSubscription(ctx context.Context, userID string, subID string, activeUntil string) error {
-	activeUntilTime, err := dateparse.ParseAny(activeUntil)
-	if err != nil {
-		log.Printf("error posting subscription: %s", err.Error())
-		return ErrPostSubscription
-	}
-
+func (s *Service) PostSubscription(ctx context.Context, userID string, preauth model.Preauth) error {
 	sub := model.Subscription{
 		UserID:      userID,
-		ActiveUntil: activeUntilTime,
+		ActiveUntil: preauth.ActiveUntil,
+		IsActive:    preauth.IsActive,
+		Tier:        preauth.Tier,
+		TokenHash:   preauth.TokenHash,
 	}
-	sub.ID = subID
+	sub.ID = uuid.New().String()
 
-	err = s.Store.PostSubscription(ctx, sub)
+	err := s.Store.PostSubscription(ctx, sub)
 	if err != nil {
 		log.Printf("error posting subscription: %s", err.Error())
 		var mysqlErr *mysql.MySQLError
@@ -58,12 +55,6 @@ func (s *Service) PostSubscription(ctx context.Context, userID string, subID str
 		}
 	}
 
-	err = s.Cache.Del(ctx, "sub_"+subID)
-	if err != nil {
-		log.Printf("error deleting subscription: %s", err.Error())
-		return ErrPostSubscription
-	}
-
 	return nil
 }
 
diff --git a/api/internal/service/user.go b/api/internal/service/user.go
index 43940dc..b2b1c21 100644
--- a/api/internal/service/user.go
+++ b/api/internal/service/user.go
@@ -41,6 +41,7 @@ var (
 	ErrTotpDisable         = errors.New("Unable to disable 2FA.")
 	ErrInvalidTOTPCode     = errors.New("The 2FA code you entered is invalid.")
 	ErrInvalidSubscription = errors.New("Invalid subscription or signup URL.")
+	ErrTokenHashMismatch   = errors.New("Subscription token hash does not match.")
 )
 
 type UserStore interface {
@@ -90,7 +91,7 @@ func (s *Service) GetUserByEmail(ctx context.Context, email string) (model.User,
 	return user, nil
 }
 
-func (s *Service) GetUnfinishedSignupOrPostUser(ctx context.Context, user model.User, subID string) (model.User, error) {
+func (s *Service) GetUnfinishedSignupOrPostUser(ctx context.Context, user model.User, subID string, preauthID string, preauthTokenHash string) (model.User, error) {
 	email := user.Email
 	pass := user.PasswordPlain
 	user, err := s.Store.GetUserByEmailUnfinishedSignup(ctx, email)
@@ -100,7 +101,7 @@ func (s *Service) GetUnfinishedSignupOrPostUser(ctx context.Context, user model.
 			PasswordPlain: pass,
 			IsActive:      false,
 		}
-		err = s.PostUser(ctx, user, subID)
+		err = s.PostUser(ctx, user, subID, preauthID, preauthTokenHash)
 		if err != nil {
 			log.Printf("error creating user: %s", err.Error())
 			return model.User{}, ErrPostUser
@@ -134,12 +135,18 @@ func (s *Service) SaveUser(ctx context.Context, user model.User) error {
 	return nil
 }
 
-func (s *Service) PostUser(ctx context.Context, user model.User, subID string) error {
-	activeUntil, err := s.Cache.Get(ctx, "sub_"+subID)
+func (s *Service) PostUser(ctx context.Context, user model.User, subID string, preauthID string, preauthTokenHash string) error {
+	preauth, err := s.Http.GetPreauth(preauthID)
 	if err != nil {
+		log.Printf("error creating user: %s", err.Error())
 		return ErrInvalidSubscription
 	}
 
+	if preauth.TokenHash != preauthTokenHash {
+		log.Printf("error creating user: Token hash does not match")
+		return ErrTokenHashMismatch
+	}
+
 	exists, err := s.Store.CheckDuplicateRecipient(ctx, user.Email)
 	if exists || err != nil {
 		log.Printf("error creating user: ErrDuplicateEmail")
@@ -165,7 +172,7 @@ func (s *Service) PostUser(ctx context.Context, user model.User, subID string) e
 		}
 	}
 
-	err = s.PostSubscription(ctx, user.ID, subID, activeUntil)
+	err = s.PostSubscription(ctx, user.ID, preauth)
 	if err != nil {
 		log.Printf("error creating user: %s", err.Error())
 		return ErrPostUser
diff --git a/api/internal/transport/api/req.go b/api/internal/transport/api/req.go
index 356d3cd..e59f6e8 100644
--- a/api/internal/transport/api/req.go
+++ b/api/internal/transport/api/req.go
@@ -11,14 +11,18 @@ type EmailReq struct {
 }
 
 type SignupUserReq struct {
-	Email    string `json:"email" validate:"required,emailx"`
-	Password string `json:"password" validate:"password"`
-	SubID    string `json:"subid" validate:"required,uuid"`
+	Email            string `json:"email" validate:"required,emailx"`
+	Password         string `json:"password" validate:"password"`
+	SubID            string `json:"subid" validate:"required,uuid"`
+	PreauthID        string `json:"preauthid" validate:"required,uuid"`
+	PreauthTokenHash string `json:"preauthtokenhash" validate:"required,sha256"`
 }
 
 type SignupEmailReq struct {
-	Email string `json:"email" validate:"required,emailx"`
-	SubID string `json:"subid" validate:"required,uuid"`
+	Email            string `json:"email" validate:"required,emailx"`
+	SubID            string `json:"subid" validate:"required,uuid"`
+	PreauthID        string `json:"preauthid" validate:"required,uuid"`
+	PreauthTokenHash string `json:"preauthtokenhash" validate:"required,sha256"`
 }
 
 type SubscriptionReq struct {
diff --git a/api/internal/transport/api/user.go b/api/internal/transport/api/user.go
index d179dfd..fcb19ab 100644
--- a/api/internal/transport/api/user.go
+++ b/api/internal/transport/api/user.go
@@ -32,13 +32,12 @@ var (
 )
 
 type UserService interface {
-	PostUser(context.Context, model.User, string) error
 	SendUserOTP(context.Context, string) error
 	ActivateUser(context.Context, string, string) error
 	GetUserByCredentials(context.Context, string, string) (model.User, error)
 	GetUserByPassword(context.Context, string, string) (model.User, error)
 	GetUserByEmail(context.Context, string) (model.User, error)
-	GetUnfinishedSignupOrPostUser(context.Context, model.User, string) (model.User, error)
+	GetUnfinishedSignupOrPostUser(context.Context, model.User, string, string, string) (model.User, error)
 	SaveUser(context.Context, model.User) error
 	DeleteUserRequest(context.Context, string) (string, error)
 	DeleteUser(context.Context, string, string) error
@@ -91,7 +90,7 @@ func (h *Handler) Register(c *fiber.Ctx) error {
 	}
 
 	// Get unfinished signup user or create new user
-	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID)
+	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, req.PreauthID, req.PreauthTokenHash)
 	if err != nil {
 		return c.Status(400).JSON(fiber.Map{
 			"error": err.Error(),
diff --git a/api/internal/transport/api/webauthn.go b/api/internal/transport/api/webauthn.go
index 731ef76..f5d2da2 100644
--- a/api/internal/transport/api/webauthn.go
+++ b/api/internal/transport/api/webauthn.go
@@ -75,7 +75,7 @@ func (h *Handler) BeginRegistration(c *fiber.Ctx) error {
 	}
 
 	// Get unfinished signup user or create new user
-	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID)
+	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, req.PreauthID, req.PreauthTokenHash)
 	if err != nil {
 		return c.Status(400).JSON(fiber.Map{
 			"error": err.Error(),

From c5334aca0b906149d57fcb1e2b0cf637b47e2756 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Fri, 12 Sep 2025 11:36:14 +0200
Subject: [PATCH 05/63] feat(app): update Signup.vue

---
 app/src/components/Signup.vue | 30 ++++++++++++++++++++++++++----
 app/src/router.ts             |  2 +-
 2 files changed, 27 insertions(+), 5 deletions(-)

diff --git a/app/src/components/Signup.vue b/app/src/components/Signup.vue
index c86cd6a..da8a8cd 100644
--- a/app/src/components/Signup.vue
+++ b/app/src/components/Signup.vue
@@ -119,6 +119,9 @@ const apiError = ref('')
 const isLoading = ref(false)
 const passkeySupported = ref(false)
 const subid = ref('')
+const preauthid = ref('')
+const preauthtokenhash = ref('')
+const service = ref('')
 
 const validateEmail = () => {
     emailError.value = !email.value
@@ -148,7 +151,9 @@ const register = async () => {
     const data = {
         email: email.value,
         password: password.value,
-        subid: subid.value
+        subid: subid.value,
+        preauthid: preauthid.value,
+        preauthtokenhash: preauthtokenhash.value
     }
 
     try {
@@ -176,7 +181,9 @@ const registerWithPasskey = async () => {
 
     const data = {
         email: emailAuthn.value,
-        subid: subid.value
+        subid: subid.value,
+        preauthid: preauthid.value,
+        preauthtokenhash: preauthtokenhash.value
     }
 
     try {
@@ -199,12 +206,27 @@ const registerWithPasskey = async () => {
     }
 }
 
-const parseSubid = () => {
+const parseParams = () => {
     const route = useRoute()
     subid.value = route.params.subid as string
+    preauthid.value = route.params.preauthid as string
+    preauthtokenhash.value = route.params.preauthtokenhash as string
+    service.value = route.params.service as string
     if (!subid.value || !subid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
         window.location.href = '/login'
     }
+
+    if (!preauthid.value || !preauthid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
+        window.location.href = '/login'
+    }
+
+    if (!preauthtokenhash.value) {
+        window.location.href = '/login'
+    }
+
+    if (!service.value) {
+        window.location.href = '/login'
+    }
 }
 
 const isLoggedIn = (): boolean => {
@@ -217,7 +239,7 @@ onMounted(() => {
         window.location.href = '/'
     }
     
-    parseSubid()
+    parseParams()
     passkeySupported.value = browserSupportsWebAuthn()
     tabs.autoInit()
 })
diff --git a/app/src/router.ts b/app/src/router.ts
index aa0d9eb..a313e14 100644
--- a/app/src/router.ts
+++ b/app/src/router.ts
@@ -70,7 +70,7 @@ const routes: RouteRecordRaw[] = [
         children: dashboardChildren
     },
     {
-        path: '/signup/:subid',
+        path: '/signup',
         name: `${AppName} - Sign Up`,
         component: Signup
     },

From 4800af702e5ac1f8891eecd936ed0edf16bc5b34 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Fri, 12 Sep 2025 11:40:28 +0200
Subject: [PATCH 06/63] feat(service): update user.go

---
 api/internal/client/http/http.go       | 4 ++--
 api/internal/service/user.go           | 8 ++++----
 api/internal/transport/api/req.go      | 2 ++
 api/internal/transport/api/user.go     | 4 ++--
 api/internal/transport/api/webauthn.go | 2 +-
 5 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/api/internal/client/http/http.go b/api/internal/client/http/http.go
index 3e8a9ae..75044fe 100644
--- a/api/internal/client/http/http.go
+++ b/api/internal/client/http/http.go
@@ -21,12 +21,12 @@ func New(cfg config.APIConfig) *Http {
 	}
 }
 
-func (h Http) SignupWebhook(subID string) error {
+func (h Http) SignupWebhook(subID string, serviceName string) error {
 	req := fiber.Post(h.Cfg.SignupWebhookURL)
 	req.Set("Content-Type", "application/json")
 	req.Set("Accept", "application/json")
 	req.Set("Authorization", "Bearer "+h.Cfg.SignupWebhookPSK)
-	req.Body([]byte(`{"uuid": "` + subID + `"}`))
+	req.Body([]byte(`{"uuid": "` + subID + `", "service": "` + serviceName + `"}`))
 
 	status, _, err := req.Bytes()
 	if err != nil {
diff --git a/api/internal/service/user.go b/api/internal/service/user.go
index b2b1c21..1e305d8 100644
--- a/api/internal/service/user.go
+++ b/api/internal/service/user.go
@@ -91,7 +91,7 @@ func (s *Service) GetUserByEmail(ctx context.Context, email string) (model.User,
 	return user, nil
 }
 
-func (s *Service) GetUnfinishedSignupOrPostUser(ctx context.Context, user model.User, subID string, preauthID string, preauthTokenHash string) (model.User, error) {
+func (s *Service) GetUnfinishedSignupOrPostUser(ctx context.Context, user model.User, subID string, preauthID string, preauthTokenHash string, serviceName string) (model.User, error) {
 	email := user.Email
 	pass := user.PasswordPlain
 	user, err := s.Store.GetUserByEmailUnfinishedSignup(ctx, email)
@@ -101,7 +101,7 @@ func (s *Service) GetUnfinishedSignupOrPostUser(ctx context.Context, user model.
 			PasswordPlain: pass,
 			IsActive:      false,
 		}
-		err = s.PostUser(ctx, user, subID, preauthID, preauthTokenHash)
+		err = s.PostUser(ctx, user, subID, preauthID, preauthTokenHash, serviceName)
 		if err != nil {
 			log.Printf("error creating user: %s", err.Error())
 			return model.User{}, ErrPostUser
@@ -135,7 +135,7 @@ func (s *Service) SaveUser(ctx context.Context, user model.User) error {
 	return nil
 }
 
-func (s *Service) PostUser(ctx context.Context, user model.User, subID string, preauthID string, preauthTokenHash string) error {
+func (s *Service) PostUser(ctx context.Context, user model.User, subID string, preauthID string, preauthTokenHash string, serviceName string) error {
 	preauth, err := s.Http.GetPreauth(preauthID)
 	if err != nil {
 		log.Printf("error creating user: %s", err.Error())
@@ -184,7 +184,7 @@ func (s *Service) PostUser(ctx context.Context, user model.User, subID string, p
 		return ErrPostUser
 	}
 
-	err = s.Http.SignupWebhook(subID)
+	err = s.Http.SignupWebhook(subID, serviceName)
 	if err != nil {
 		log.Printf("error creating user: %s", err.Error())
 		return ErrSignupWebhook
diff --git a/api/internal/transport/api/req.go b/api/internal/transport/api/req.go
index e59f6e8..85e1b2c 100644
--- a/api/internal/transport/api/req.go
+++ b/api/internal/transport/api/req.go
@@ -16,6 +16,7 @@ type SignupUserReq struct {
 	SubID            string `json:"subid" validate:"required,uuid"`
 	PreauthID        string `json:"preauthid" validate:"required,uuid"`
 	PreauthTokenHash string `json:"preauthtokenhash" validate:"required,sha256"`
+	ServiceName      string `json:"service" validate:"required"`
 }
 
 type SignupEmailReq struct {
@@ -23,6 +24,7 @@ type SignupEmailReq struct {
 	SubID            string `json:"subid" validate:"required,uuid"`
 	PreauthID        string `json:"preauthid" validate:"required,uuid"`
 	PreauthTokenHash string `json:"preauthtokenhash" validate:"required,sha256"`
+	ServiceName      string `json:"service" validate:"required"`
 }
 
 type SubscriptionReq struct {
diff --git a/api/internal/transport/api/user.go b/api/internal/transport/api/user.go
index fcb19ab..5a60fe6 100644
--- a/api/internal/transport/api/user.go
+++ b/api/internal/transport/api/user.go
@@ -37,7 +37,7 @@ type UserService interface {
 	GetUserByCredentials(context.Context, string, string) (model.User, error)
 	GetUserByPassword(context.Context, string, string) (model.User, error)
 	GetUserByEmail(context.Context, string) (model.User, error)
-	GetUnfinishedSignupOrPostUser(context.Context, model.User, string, string, string) (model.User, error)
+	GetUnfinishedSignupOrPostUser(context.Context, model.User, string, string, string, string) (model.User, error)
 	SaveUser(context.Context, model.User) error
 	DeleteUserRequest(context.Context, string) (string, error)
 	DeleteUser(context.Context, string, string) error
@@ -90,7 +90,7 @@ func (h *Handler) Register(c *fiber.Ctx) error {
 	}
 
 	// Get unfinished signup user or create new user
-	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, req.PreauthID, req.PreauthTokenHash)
+	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, req.PreauthID, req.PreauthTokenHash, req.ServiceName)
 	if err != nil {
 		return c.Status(400).JSON(fiber.Map{
 			"error": err.Error(),
diff --git a/api/internal/transport/api/webauthn.go b/api/internal/transport/api/webauthn.go
index f5d2da2..6e8fb44 100644
--- a/api/internal/transport/api/webauthn.go
+++ b/api/internal/transport/api/webauthn.go
@@ -75,7 +75,7 @@ func (h *Handler) BeginRegistration(c *fiber.Ctx) error {
 	}
 
 	// Get unfinished signup user or create new user
-	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, req.PreauthID, req.PreauthTokenHash)
+	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, req.PreauthID, req.PreauthTokenHash, req.ServiceName)
 	if err != nil {
 		return c.Status(400).JSON(fiber.Map{
 			"error": err.Error(),

From b6fd6a51e8e0fd3748d29b54abd4b5e315f4afd4 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Sat, 20 Sep 2025 08:57:55 +0200
Subject: [PATCH 07/63] feat(app): update Signup.vue

---
 app/src/components/Signup.vue | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/app/src/components/Signup.vue b/app/src/components/Signup.vue
index da8a8cd..142a474 100644
--- a/app/src/components/Signup.vue
+++ b/app/src/components/Signup.vue
@@ -208,24 +208,28 @@ const registerWithPasskey = async () => {
 
 const parseParams = () => {
     const route = useRoute()
-    subid.value = route.params.subid as string
-    preauthid.value = route.params.preauthid as string
-    preauthtokenhash.value = route.params.preauthtokenhash as string
-    service.value = route.params.service as string
+    const q = route.query
+    const first = (v: unknown) => typeof v === 'string' ? v : Array.isArray(v) ? v[0] : ''
+    subid.value = first(q.subid) || (route.params.subid as string) || ''
+    preauthid.value = first(q.preauthid) || (route.params.preauthid as string) || ''
+    preauthtokenhash.value = first(q.preauthtokenhash) || (route.params.preauthtokenhash as string) || ''
+    service.value = first(q.service) || (route.params.service as string) || ''
+    preauthtokenhash.value = preauthtokenhash.value.replace(/ /g, '+')
+
     if (!subid.value || !subid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
-        window.location.href = '/login'
+        console.error('Invalid or missing subid')
     }
 
     if (!preauthid.value || !preauthid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
-        window.location.href = '/login'
+        console.error('Invalid or missing preauthid')
     }
 
     if (!preauthtokenhash.value) {
-        window.location.href = '/login'
+        console.error('Invalid or missing preauthtokenhash')
     }
 
     if (!service.value) {
-        window.location.href = '/login'
+        console.error('Invalid or missing service')
     }
 }
 

From 4f9c7d8ecfb5bd3a6f728fbbef3b96accfe2e17f Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Sun, 21 Sep 2025 10:40:48 +0200
Subject: [PATCH 08/63] feat(api): update req.go

---
 api/internal/transport/api/req.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/internal/transport/api/req.go b/api/internal/transport/api/req.go
index 85e1b2c..b6fb435 100644
--- a/api/internal/transport/api/req.go
+++ b/api/internal/transport/api/req.go
@@ -15,7 +15,7 @@ type SignupUserReq struct {
 	Password         string `json:"password" validate:"password"`
 	SubID            string `json:"subid" validate:"required,uuid"`
 	PreauthID        string `json:"preauthid" validate:"required,uuid"`
-	PreauthTokenHash string `json:"preauthtokenhash" validate:"required,sha256"`
+	PreauthTokenHash string `json:"preauthtokenhash" validate:"required"`
 	ServiceName      string `json:"service" validate:"required"`
 }
 
@@ -23,7 +23,7 @@ type SignupEmailReq struct {
 	Email            string `json:"email" validate:"required,emailx"`
 	SubID            string `json:"subid" validate:"required,uuid"`
 	PreauthID        string `json:"preauthid" validate:"required,uuid"`
-	PreauthTokenHash string `json:"preauthtokenhash" validate:"required,sha256"`
+	PreauthTokenHash string `json:"preauthtokenhash" validate:"required"`
 	ServiceName      string `json:"service" validate:"required"`
 }
 

From 0b41f1ca99ec90d0c27df38574d4886f3d2c14ff Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Sun, 21 Sep 2025 10:48:02 +0200
Subject: [PATCH 09/63] feat(app): update Signup.vue

---
 app/src/components/Signup.vue | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/app/src/components/Signup.vue b/app/src/components/Signup.vue
index 142a474..386a955 100644
--- a/app/src/components/Signup.vue
+++ b/app/src/components/Signup.vue
@@ -153,7 +153,8 @@ const register = async () => {
         password: password.value,
         subid: subid.value,
         preauthid: preauthid.value,
-        preauthtokenhash: preauthtokenhash.value
+        preauthtokenhash: preauthtokenhash.value,
+        service: service.value
     }
 
     try {
@@ -183,7 +184,8 @@ const registerWithPasskey = async () => {
         email: emailAuthn.value,
         subid: subid.value,
         preauthid: preauthid.value,
-        preauthtokenhash: preauthtokenhash.value
+        preauthtokenhash: preauthtokenhash.value,
+        service: service.value
     }
 
     try {

From 971482d05ce389d5ae366e0616fb44c537c726a1 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Sun, 21 Sep 2025 10:58:04 +0200
Subject: [PATCH 10/63] feat(api): update http.go

---
 api/internal/client/http/http.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/api/internal/client/http/http.go b/api/internal/client/http/http.go
index 75044fe..81841ec 100644
--- a/api/internal/client/http/http.go
+++ b/api/internal/client/http/http.go
@@ -28,14 +28,19 @@ func (h Http) SignupWebhook(subID string, serviceName string) error {
 	req.Set("Authorization", "Bearer "+h.Cfg.SignupWebhookPSK)
 	req.Body([]byte(`{"uuid": "` + subID + `", "service": "` + serviceName + `"}`))
 
-	status, _, err := req.Bytes()
+	// Log request for debugging
+	log.Printf("Signup webhook request: %+v", req)
+
+	status, res, err := req.Bytes()
 	if err != nil {
 		log.Printf("Error calling signup webhook: %v", err)
 		return errors.New("error calling signup webhook")
 	}
 
 	if status != http.StatusOK {
+		// Log response for debugging
 		log.Printf("Error calling signup webhook, status: %d", status)
+		log.Printf("Signup webhook response: %s", string(res))
 		return errors.New("error response from signup webhook")
 	}
 

From df001990f056b4a956ff9cbae934f385dfb723b4 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Thu, 25 Sep 2025 18:08:49 +0200
Subject: [PATCH 11/63] feat(api): update http.go

---
 api/internal/client/http/http.go       | 4 ++--
 api/internal/service/user.go           | 8 ++++----
 api/internal/transport/api/req.go      | 2 --
 api/internal/transport/api/user.go     | 4 ++--
 api/internal/transport/api/webauthn.go | 2 +-
 5 files changed, 9 insertions(+), 11 deletions(-)

diff --git a/api/internal/client/http/http.go b/api/internal/client/http/http.go
index 81841ec..cbf0017 100644
--- a/api/internal/client/http/http.go
+++ b/api/internal/client/http/http.go
@@ -21,12 +21,12 @@ func New(cfg config.APIConfig) *Http {
 	}
 }
 
-func (h Http) SignupWebhook(subID string, serviceName string) error {
+func (h Http) SignupWebhook(subID string) error {
 	req := fiber.Post(h.Cfg.SignupWebhookURL)
 	req.Set("Content-Type", "application/json")
 	req.Set("Accept", "application/json")
 	req.Set("Authorization", "Bearer "+h.Cfg.SignupWebhookPSK)
-	req.Body([]byte(`{"uuid": "` + subID + `", "service": "` + serviceName + `"}`))
+	req.Body([]byte(`{"uuid": "` + subID + `", "service": "mail"}`))
 
 	// Log request for debugging
 	log.Printf("Signup webhook request: %+v", req)
diff --git a/api/internal/service/user.go b/api/internal/service/user.go
index 1e305d8..b2b1c21 100644
--- a/api/internal/service/user.go
+++ b/api/internal/service/user.go
@@ -91,7 +91,7 @@ func (s *Service) GetUserByEmail(ctx context.Context, email string) (model.User,
 	return user, nil
 }
 
-func (s *Service) GetUnfinishedSignupOrPostUser(ctx context.Context, user model.User, subID string, preauthID string, preauthTokenHash string, serviceName string) (model.User, error) {
+func (s *Service) GetUnfinishedSignupOrPostUser(ctx context.Context, user model.User, subID string, preauthID string, preauthTokenHash string) (model.User, error) {
 	email := user.Email
 	pass := user.PasswordPlain
 	user, err := s.Store.GetUserByEmailUnfinishedSignup(ctx, email)
@@ -101,7 +101,7 @@ func (s *Service) GetUnfinishedSignupOrPostUser(ctx context.Context, user model.
 			PasswordPlain: pass,
 			IsActive:      false,
 		}
-		err = s.PostUser(ctx, user, subID, preauthID, preauthTokenHash, serviceName)
+		err = s.PostUser(ctx, user, subID, preauthID, preauthTokenHash)
 		if err != nil {
 			log.Printf("error creating user: %s", err.Error())
 			return model.User{}, ErrPostUser
@@ -135,7 +135,7 @@ func (s *Service) SaveUser(ctx context.Context, user model.User) error {
 	return nil
 }
 
-func (s *Service) PostUser(ctx context.Context, user model.User, subID string, preauthID string, preauthTokenHash string, serviceName string) error {
+func (s *Service) PostUser(ctx context.Context, user model.User, subID string, preauthID string, preauthTokenHash string) error {
 	preauth, err := s.Http.GetPreauth(preauthID)
 	if err != nil {
 		log.Printf("error creating user: %s", err.Error())
@@ -184,7 +184,7 @@ func (s *Service) PostUser(ctx context.Context, user model.User, subID string, p
 		return ErrPostUser
 	}
 
-	err = s.Http.SignupWebhook(subID, serviceName)
+	err = s.Http.SignupWebhook(subID)
 	if err != nil {
 		log.Printf("error creating user: %s", err.Error())
 		return ErrSignupWebhook
diff --git a/api/internal/transport/api/req.go b/api/internal/transport/api/req.go
index b6fb435..2275dff 100644
--- a/api/internal/transport/api/req.go
+++ b/api/internal/transport/api/req.go
@@ -16,7 +16,6 @@ type SignupUserReq struct {
 	SubID            string `json:"subid" validate:"required,uuid"`
 	PreauthID        string `json:"preauthid" validate:"required,uuid"`
 	PreauthTokenHash string `json:"preauthtokenhash" validate:"required"`
-	ServiceName      string `json:"service" validate:"required"`
 }
 
 type SignupEmailReq struct {
@@ -24,7 +23,6 @@ type SignupEmailReq struct {
 	SubID            string `json:"subid" validate:"required,uuid"`
 	PreauthID        string `json:"preauthid" validate:"required,uuid"`
 	PreauthTokenHash string `json:"preauthtokenhash" validate:"required"`
-	ServiceName      string `json:"service" validate:"required"`
 }
 
 type SubscriptionReq struct {
diff --git a/api/internal/transport/api/user.go b/api/internal/transport/api/user.go
index 5a60fe6..fcb19ab 100644
--- a/api/internal/transport/api/user.go
+++ b/api/internal/transport/api/user.go
@@ -37,7 +37,7 @@ type UserService interface {
 	GetUserByCredentials(context.Context, string, string) (model.User, error)
 	GetUserByPassword(context.Context, string, string) (model.User, error)
 	GetUserByEmail(context.Context, string) (model.User, error)
-	GetUnfinishedSignupOrPostUser(context.Context, model.User, string, string, string, string) (model.User, error)
+	GetUnfinishedSignupOrPostUser(context.Context, model.User, string, string, string) (model.User, error)
 	SaveUser(context.Context, model.User) error
 	DeleteUserRequest(context.Context, string) (string, error)
 	DeleteUser(context.Context, string, string) error
@@ -90,7 +90,7 @@ func (h *Handler) Register(c *fiber.Ctx) error {
 	}
 
 	// Get unfinished signup user or create new user
-	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, req.PreauthID, req.PreauthTokenHash, req.ServiceName)
+	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, req.PreauthID, req.PreauthTokenHash)
 	if err != nil {
 		return c.Status(400).JSON(fiber.Map{
 			"error": err.Error(),
diff --git a/api/internal/transport/api/webauthn.go b/api/internal/transport/api/webauthn.go
index 6e8fb44..f5d2da2 100644
--- a/api/internal/transport/api/webauthn.go
+++ b/api/internal/transport/api/webauthn.go
@@ -75,7 +75,7 @@ func (h *Handler) BeginRegistration(c *fiber.Ctx) error {
 	}
 
 	// Get unfinished signup user or create new user
-	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, req.PreauthID, req.PreauthTokenHash, req.ServiceName)
+	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, req.PreauthID, req.PreauthTokenHash)
 	if err != nil {
 		return c.Status(400).JSON(fiber.Map{
 			"error": err.Error(),

From b56df437dab9496d8fc406b2ad67335ad4d3873f Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Thu, 25 Sep 2025 18:09:56 +0200
Subject: [PATCH 12/63] feat(app): update Signup.vue

---
 app/src/components/Signup.vue | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/app/src/components/Signup.vue b/app/src/components/Signup.vue
index 386a955..33c7890 100644
--- a/app/src/components/Signup.vue
+++ b/app/src/components/Signup.vue
@@ -121,7 +121,6 @@ const passkeySupported = ref(false)
 const subid = ref('')
 const preauthid = ref('')
 const preauthtokenhash = ref('')
-const service = ref('')
 
 const validateEmail = () => {
     emailError.value = !email.value
@@ -153,8 +152,7 @@ const register = async () => {
         password: password.value,
         subid: subid.value,
         preauthid: preauthid.value,
-        preauthtokenhash: preauthtokenhash.value,
-        service: service.value
+        preauthtokenhash: preauthtokenhash.value
     }
 
     try {
@@ -184,8 +182,7 @@ const registerWithPasskey = async () => {
         email: emailAuthn.value,
         subid: subid.value,
         preauthid: preauthid.value,
-        preauthtokenhash: preauthtokenhash.value,
-        service: service.value
+        preauthtokenhash: preauthtokenhash.value
     }
 
     try {
@@ -215,7 +212,6 @@ const parseParams = () => {
     subid.value = first(q.subid) || (route.params.subid as string) || ''
     preauthid.value = first(q.preauthid) || (route.params.preauthid as string) || ''
     preauthtokenhash.value = first(q.preauthtokenhash) || (route.params.preauthtokenhash as string) || ''
-    service.value = first(q.service) || (route.params.service as string) || ''
     preauthtokenhash.value = preauthtokenhash.value.replace(/ /g, '+')
 
     if (!subid.value || !subid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
@@ -229,10 +225,6 @@ const parseParams = () => {
     if (!preauthtokenhash.value) {
         console.error('Invalid or missing preauthtokenhash')
     }
-
-    if (!service.value) {
-        console.error('Invalid or missing service')
-    }
 }
 
 const isLoggedIn = (): boolean => {

From 579de144a8f62cb325b596164e3945ae87f95cb4 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Thu, 2 Oct 2025 12:44:29 +0200
Subject: [PATCH 13/63] feat(model): update subscription.go

---
 api/internal/model/subscription.go   | 21 +++++++++++++--------
 api/internal/service/subscription.go |  6 ++++--
 2 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/api/internal/model/subscription.go b/api/internal/model/subscription.go
index 626b023..599670d 100644
--- a/api/internal/model/subscription.go
+++ b/api/internal/model/subscription.go
@@ -10,14 +10,15 @@ var (
 )
 
 type Subscription struct {
-	ID          string    `gorm:"unique" json:"id"`
-	CreatedAt   time.Time `json:"created_at"`
-	UpdatedAt   time.Time `json:"-"`
-	UserID      string    `json:"-"`
-	ActiveUntil time.Time `json:"active_until"`
-	IsActive    bool      `json:"is_active"`
-	Tier        string    `json:"tier"`
-	TokenHash   string    `gorm:"unique" json:"-"`
+	ID            string    `gorm:"unique" json:"id"`
+	CreatedAt     time.Time `json:"created_at"`
+	UpdatedAt     time.Time `json:"-"`
+	UserID        string    `json:"-"`
+	ActiveUntil   time.Time `json:"active_until"`
+	IsActive      bool      `json:"is_active"`
+	Tier          string    `json:"tier"`
+	TokenHash     string    `gorm:"unique" json:"-"`
+	IsGracePeriod bool      `gorm:"-" json:"is_grace_period"`
 }
 
 func (s *Subscription) IsActiveCheck() bool {
@@ -27,3 +28,7 @@ func (s *Subscription) IsActiveCheck() bool {
 func (s *Subscription) IsActiveWithGracePeriod(days int) bool {
 	return s.ActiveUntil.AddDate(0, 0, days).After(time.Now())
 }
+
+func (s *Subscription) IsGracePeriodCheck(days int) bool {
+	return !s.IsActiveCheck() && s.IsActiveWithGracePeriod(days)
+}
diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index d313ea6..cc36fd0 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -26,12 +26,14 @@ type SubscriptionStore interface {
 }
 
 func (s *Service) GetSubscription(ctx context.Context, userID string) (model.Subscription, error) {
-	subscription, err := s.Store.GetSubscription(ctx, userID)
+	sub, err := s.Store.GetSubscription(ctx, userID)
 	if err != nil {
 		return model.Subscription{}, ErrGetSubscription
 	}
 
-	return subscription, nil
+	sub.IsGracePeriod = sub.IsGracePeriodCheck(s.Cfg.Service.ForwardGracePeriodDays)
+
+	return sub, nil
 }
 
 func (s *Service) PostSubscription(ctx context.Context, userID string, preauth model.Preauth) error {

From 60c568826300ac4cf524ffcbe4b6d6484541790c Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Tue, 7 Oct 2025 14:00:00 +0200
Subject: [PATCH 14/63] feat(app): update AccountSubscription.vue

---
 app/src/components/AccountSubscription.vue    | 68 +++++++++++--------
 .../components/AccountSubscriptionStatus.vue  | 53 ++++++++++++---
 2 files changed, 84 insertions(+), 37 deletions(-)

diff --git a/app/src/components/AccountSubscription.vue b/app/src/components/AccountSubscription.vue
index 02e011e..5e81262 100644
--- a/app/src/components/AccountSubscription.vue
+++ b/app/src/components/AccountSubscription.vue
@@ -1,7 +1,7 @@
 <template>
     <div class="mb-5">
         <h2>Account</h2>
-        <p v-if="res.id" class="text-sm">
+        <p v-if="sub.id" class="text-sm">
             <span v-if="isActive()" class="badge success">Active</span>
             <span v-if="!isActive()" class="badge">Inactive</span>
         </p>
@@ -17,18 +17,31 @@
                 {{ activeUntilDate() }}
             </p>
         </div>
-        <div class="mb-3">
-            <h4>Subscription ID:</h4>
-            <div class="hs-tooltip mb-3">
-                <span class="hs-tooltip-toggle">
-                    <button @click="copyAlias(res.id)" class="plain">
-                        {{ res.id }}
-                    </button>
-                    <span class="hs-tooltip-content hs-tooltip-shown:opacity-100 hs-tooltip-shown:visible" role="tooltip">
-                        {{ copyText }}
-                    </span>
-                </span>
-            </div>
+        <div v-if="isLimited()" class="card-tertiary">
+            <footer>
+                <div>
+                    <i class="icon info icon-primary"></i>
+                </div>
+                <div>
+                    <h4>Limited Access Mode</h4>
+                    <p>
+                        Your MailX account is in limited access mode. To regain full access add time to your <a href="https://www.ivpn.net/account/">IVPN account</a>.
+                    </p>
+                </div>
+            </footer>
+        </div>
+        <div v-if="isPendingDelete()" class="card-tertiary">
+            <footer>
+                <div>
+                    <i class="icon info icon-primary"></i>
+                </div>
+                <div>
+                    <h4>Pending Deletion</h4>
+                    <p>
+                        Your account is pending deletion. To reinstate access add time to your <a href="https://www.ivpn.net/account/">IVPN account</a>.
+                    </p>
+                </div>
+            </footer>
         </div>
         <p v-if="error" class="error">Error: {{ error }}</p>
     </div>
@@ -41,18 +54,19 @@ import axios from 'axios'
 import { subscriptionApi } from '../api/subscription.ts'
 import events from '../events.ts'
 
-const res = ref({
+const sub = ref({
     id: '',
-    active_until: ''
+    active_until: '',
+    is_active: false,
+    is_grace_period: false,
 })
 const error = ref('')
-const copyText = ref('Click to copy')
 const email = ref(localStorage.getItem('email'))
 
 const getSubscription = async () => {
     try {
-        const response = await subscriptionApi.get()
-        res.value = response.data
+        const res = await subscriptionApi.get()
+        sub.value = res.data
     } catch (err) {
         if (axios.isAxiosError(err)) {
             error.value = err.message
@@ -61,19 +75,19 @@ const getSubscription = async () => {
 }
 
 const isActive = () => {
-    return res.value.active_until > new Date().toISOString()
+    return sub.value.active_until > new Date().toISOString()
 }
 
-const activeUntilDate = () => {
-    return new Date(res.value.active_until).toDateString()
+const isLimited = () => {
+    return sub.value.is_grace_period && !isActive()
 }
 
-const copyAlias = (alias: string) => {
-    navigator.clipboard.writeText(alias)
-    copyText.value = 'Copied!'
-    setTimeout(() => {
-        copyText.value = 'Click to copy'
-    }, 2000)
+const isPendingDelete = () => {
+    return !sub.value.is_grace_period && !isActive()
+}
+
+const activeUntilDate = () => {
+    return new Date(sub.value.active_until).toDateString()
 }
 
 const onUpdateEmail = (event: any) => {
diff --git a/app/src/components/AccountSubscriptionStatus.vue b/app/src/components/AccountSubscriptionStatus.vue
index 6be4e96..d54e9f1 100644
--- a/app/src/components/AccountSubscriptionStatus.vue
+++ b/app/src/components/AccountSubscriptionStatus.vue
@@ -1,8 +1,29 @@
 <template>
-    <div v-if="!isActive && isDashboard" class="card-secondary m-8 mb-0">
-        <p class="m-0">
-            Your <router-link to="/account">subscription</router-link> is inactive
-        </p>
+    <div v-if="isLimited() && isDashboard" class="card-tertiary m-8 mb-0">
+        <footer>
+            <div>
+                <i class="icon info icon-primary"></i>
+            </div>
+            <div>
+                <h4>Limited Access Mode</h4>
+                <p>
+                    Your MailX account is in limited access mode. To regain full access add time to your <a href="https://www.ivpn.net/account/">IVPN account</a>.
+                </p>
+            </div>
+        </footer>
+    </div>
+    <div v-if="isPendingDelete() && isDashboard" class="card-tertiary m-8 mb-0">
+        <footer>
+            <div>
+                <i class="icon info icon-primary"></i>
+            </div>
+            <div>
+                <h4>Pending Deletion</h4>
+                <p>
+                    Your account is pending deletion. To reinstate access add time to your <a href="https://www.ivpn.net/account/">IVPN account</a>.
+                </p>
+            </div>
+        </footer>
     </div>
 </template>
 
@@ -11,26 +32,38 @@ import { onMounted, ref, watch } from 'vue'
 import { useRoute } from 'vue-router'
 import { subscriptionApi } from '../api/subscription.ts'
 
-const res = ref({
+const sub = ref({
     id: '',
-    active_until: ''
+    active_until: '',
+    is_active: false,
+    is_grace_period: false,
 })
 
 const route = ref('/')
 const currentRoute = useRoute()
-const isActive = ref(true)
 const props = defineProps(['dashboard'])
 const isDashboard = props.dashboard
 
 const getSubscription = async () => {
     try {
-        const response = await subscriptionApi.get()
-        res.value = response.data
-        isActive.value = res.value.active_until > new Date().toISOString()
+        const res = await subscriptionApi.get()
+        sub.value = res.data
     } catch (err) {
     }
 }
 
+const isActive = () => {
+    return sub.value.active_until > new Date().toISOString()
+}
+
+const isLimited = () => {
+    return sub.value.is_grace_period && !isActive()
+}
+
+const isPendingDelete = () => {
+    return !sub.value.is_grace_period && !isActive()
+}
+
 onMounted(() => {
     getSubscription()
 })

From 3cd9156001974934447d1be9f03102473ebd8590 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Tue, 7 Oct 2025 15:37:04 +0200
Subject: [PATCH 15/63] feat(jobs): create subscription.go

---
 .../client/mailer/templates/expiring_sub.tmpl |  15 +++
 api/internal/cron/jobs/subscription.go        | 108 ++++++++++++++++++
 api/internal/model/subscription.go            |   1 +
 3 files changed, 124 insertions(+)
 create mode 100644 api/internal/client/mailer/templates/expiring_sub.tmpl
 create mode 100644 api/internal/cron/jobs/subscription.go

diff --git a/api/internal/client/mailer/templates/expiring_sub.tmpl b/api/internal/client/mailer/templates/expiring_sub.tmpl
new file mode 100644
index 0000000..0fb5d62
--- /dev/null
+++ b/api/internal/client/mailer/templates/expiring_sub.tmpl
@@ -0,0 +1,15 @@
+{{define "header"}}
+Hi,
+
+Your {{.from}} account is in limited access mode. To regain full access add time to your IVPN account.
+
+Sent by {{.from}}
+{{end}}
+
+{{define "headerHtml"}}
+<div style="font-family: Arial, Helvetica, sans-serif;font-size: 15px;">
+Hi,<br><br>
+Your {{.from}} account is in limited access mode. To regain full access add time to your IVPN account.<br><br>
+Sent by {{.from}}
+</div>
+{{end}}
diff --git a/api/internal/cron/jobs/subscription.go b/api/internal/cron/jobs/subscription.go
new file mode 100644
index 0000000..964752d
--- /dev/null
+++ b/api/internal/cron/jobs/subscription.go
@@ -0,0 +1,108 @@
+package jobs
+
+import (
+	"log"
+
+	"gorm.io/gorm"
+	"ivpn.net/email/api/config"
+	"ivpn.net/email/api/internal/client/mailer"
+	"ivpn.net/email/api/internal/model"
+	"ivpn.net/email/api/internal/utils"
+)
+
+func NotifyExpiringSubscriptionsJob(cfg *config.Config, db *gorm.DB) {
+	// Reset `notified` for active subscriptions
+	UpdateActiveSubscriptions(db)
+
+	// Get expiring subscriptions
+	subs, err := GetExpiringSubscriptions(db)
+	if err != nil {
+		log.Println("Error getting expiring subscriptions:", err)
+		return
+	}
+
+	if len(subs) == 0 {
+		log.Println("No expiring subscriptions found.")
+		return
+	}
+
+	// Send notifications
+	NotifyExpiringSubscriptions(cfg, db, subs)
+
+	// Mark as notified
+	MarkSubscriptionsNotified(db, subs)
+}
+
+// Set `notified` to false for all subscriptions that are active
+func UpdateActiveSubscriptions(db *gorm.DB) {
+	err := db.Model(&model.Subscription{}).
+		Where("notified = true AND active_until >= NOW()").
+		Update("notified", false).Error
+	if err != nil {
+		log.Println("Error resetting notified flag for active subscriptions:", err)
+	}
+}
+
+// Find subscriptions with `notified` false and `active_until` expired 1 day ago
+func GetExpiringSubscriptions(db *gorm.DB) ([]model.Subscription, error) {
+	subs := []model.Subscription{}
+	err := db.Where("notified = false AND active_until < NOW() - INTERVAL 1 DAY").Find(&subs).Error
+	if err != nil {
+		log.Println("Error fetching expiring subscriptions:", err)
+		return nil, err
+	}
+
+	return subs, nil
+}
+
+// Send email notifications for expiring subscriptions
+func NotifyExpiringSubscriptions(cfg *config.Config, db *gorm.DB, subs []model.Subscription) {
+	for _, sub := range subs {
+		// Send email notification
+		err := sendSubscriptionExpiryEmail(cfg, db, sub)
+		if err != nil {
+			log.Println("Error sending subscription expiry email:", err)
+			continue
+		}
+
+	}
+}
+
+// Mark expiring subscriptions as notified
+func MarkSubscriptionsNotified(db *gorm.DB, subs []model.Subscription) {
+	ids := make([]string, 0, len(subs))
+	for _, sub := range subs {
+		ids = append(ids, sub.ID)
+	}
+
+	err := db.Model(&model.Subscription{}).
+		Where("id IN ?", ids).
+		Update("notified", true).Error
+	if err != nil {
+		log.Println("Error marking subscriptions as notified:", err)
+	}
+}
+
+// Send subscription expiry email
+func sendSubscriptionExpiryEmail(cfg *config.Config, db *gorm.DB, sub model.Subscription) error {
+	user := model.User{}
+	err := db.Where("id = ?", sub.UserID).First(&user).Error
+	if err != nil {
+		return err
+	}
+
+	utils.Background(func() {
+		data := map[string]any{
+			"from": cfg.SMTPClient.SenderName,
+		}
+		mailer := mailer.New(cfg.SMTPClient)
+		mailer.Sender = cfg.SMTPClient.Sender
+		mailer.SenderName = cfg.SMTPClient.SenderName
+		err = mailer.SendTemplate(user.Email, "Limited Access Mode", "expiring_sub.tmpl", data)
+		if err != nil {
+			log.Printf("error sending expiring subscription email: %s", err.Error())
+		}
+	})
+
+	return nil
+}
diff --git a/api/internal/model/subscription.go b/api/internal/model/subscription.go
index 599670d..e1bca30 100644
--- a/api/internal/model/subscription.go
+++ b/api/internal/model/subscription.go
@@ -19,6 +19,7 @@ type Subscription struct {
 	Tier          string    `json:"tier"`
 	TokenHash     string    `gorm:"unique" json:"-"`
 	IsGracePeriod bool      `gorm:"-" json:"is_grace_period"`
+	Notified      bool      `json:"-"`
 }
 
 func (s *Subscription) IsActiveCheck() bool {

From c037329a7c9a02459abd218287bbf44e5ccea69a Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Tue, 7 Oct 2025 16:48:50 +0200
Subject: [PATCH 16/63] feat(cron): update subscription.go

---
 api/internal/client/mailer/templates/expiring_sub.tmpl |  4 ++--
 api/internal/cron/cron.go                              |  6 ++++++
 api/internal/cron/jobs/subscription.go                 | 10 +++++-----
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/api/internal/client/mailer/templates/expiring_sub.tmpl b/api/internal/client/mailer/templates/expiring_sub.tmpl
index 0fb5d62..0c4165d 100644
--- a/api/internal/client/mailer/templates/expiring_sub.tmpl
+++ b/api/internal/client/mailer/templates/expiring_sub.tmpl
@@ -1,4 +1,4 @@
-{{define "header"}}
+{{define "body"}}
 Hi,
 
 Your {{.from}} account is in limited access mode. To regain full access add time to your IVPN account.
@@ -6,7 +6,7 @@ Your {{.from}} account is in limited access mode. To regain full access add time
 Sent by {{.from}}
 {{end}}
 
-{{define "headerHtml"}}
+{{define "bodyHtml"}}
 <div style="font-family: Arial, Helvetica, sans-serif;font-size: 15px;">
 Hi,<br><br>
 Your {{.from}} account is in limited access mode. To regain full access add time to your IVPN account.<br><br>
diff --git a/api/internal/cron/cron.go b/api/internal/cron/cron.go
index 46e7b88..4479620 100644
--- a/api/internal/cron/cron.go
+++ b/api/internal/cron/cron.go
@@ -52,6 +52,12 @@ func New(db *gorm.DB) {
 		return
 	}
 
+	err = gocron.Every(1).Hour().Do(jobs.NotifyExpiringSubscriptionsJob, cfg, db)
+	if err != nil {
+		log.Println("Error scheduling job:", err)
+		return
+	}
+
 	gocron.Start()
 
 	log.Println("Cron jobs started")
diff --git a/api/internal/cron/jobs/subscription.go b/api/internal/cron/jobs/subscription.go
index 964752d..3fdc75a 100644
--- a/api/internal/cron/jobs/subscription.go
+++ b/api/internal/cron/jobs/subscription.go
@@ -10,7 +10,7 @@ import (
 	"ivpn.net/email/api/internal/utils"
 )
 
-func NotifyExpiringSubscriptionsJob(cfg *config.Config, db *gorm.DB) {
+func NotifyExpiringSubscriptionsJob(cfg config.Config, db *gorm.DB) {
 	// Reset `notified` for active subscriptions
 	UpdateActiveSubscriptions(db)
 
@@ -22,11 +22,11 @@ func NotifyExpiringSubscriptionsJob(cfg *config.Config, db *gorm.DB) {
 	}
 
 	if len(subs) == 0 {
-		log.Println("No expiring subscriptions found.")
 		return
 	}
 
 	// Send notifications
+	log.Printf("Notifying %d expiring subscriptions...", len(subs))
 	NotifyExpiringSubscriptions(cfg, db, subs)
 
 	// Mark as notified
@@ -36,7 +36,7 @@ func NotifyExpiringSubscriptionsJob(cfg *config.Config, db *gorm.DB) {
 // Set `notified` to false for all subscriptions that are active
 func UpdateActiveSubscriptions(db *gorm.DB) {
 	err := db.Model(&model.Subscription{}).
-		Where("notified = true AND active_until >= NOW()").
+		Where("active_until >= NOW()").
 		Update("notified", false).Error
 	if err != nil {
 		log.Println("Error resetting notified flag for active subscriptions:", err)
@@ -56,7 +56,7 @@ func GetExpiringSubscriptions(db *gorm.DB) ([]model.Subscription, error) {
 }
 
 // Send email notifications for expiring subscriptions
-func NotifyExpiringSubscriptions(cfg *config.Config, db *gorm.DB, subs []model.Subscription) {
+func NotifyExpiringSubscriptions(cfg config.Config, db *gorm.DB, subs []model.Subscription) {
 	for _, sub := range subs {
 		// Send email notification
 		err := sendSubscriptionExpiryEmail(cfg, db, sub)
@@ -84,7 +84,7 @@ func MarkSubscriptionsNotified(db *gorm.DB, subs []model.Subscription) {
 }
 
 // Send subscription expiry email
-func sendSubscriptionExpiryEmail(cfg *config.Config, db *gorm.DB, sub model.Subscription) error {
+func sendSubscriptionExpiryEmail(cfg config.Config, db *gorm.DB, sub model.Subscription) error {
 	user := model.User{}
 	err := db.Where("id = ?", sub.UserID).First(&user).Error
 	if err != nil {

From 94f816170885c0f927951a20610749b959f80570 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Tue, 7 Oct 2025 18:07:18 +0200
Subject: [PATCH 17/63] feat(model): update subscription.go

---
 api/internal/model/subscription.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/internal/model/subscription.go b/api/internal/model/subscription.go
index e1bca30..5e6eeee 100644
--- a/api/internal/model/subscription.go
+++ b/api/internal/model/subscription.go
@@ -12,7 +12,7 @@ var (
 type Subscription struct {
 	ID            string    `gorm:"unique" json:"id"`
 	CreatedAt     time.Time `json:"created_at"`
-	UpdatedAt     time.Time `json:"-"`
+	UpdatedAt     time.Time `json:"updated_at"`
 	UserID        string    `json:"-"`
 	ActiveUntil   time.Time `json:"active_until"`
 	IsActive      bool      `json:"is_active"`

From 047169e5893c50506cd35c0797454829881a66c0 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Tue, 7 Oct 2025 20:28:36 +0200
Subject: [PATCH 18/63] feat(cron): update subscription.go

---
 api/internal/cron/jobs/subscription.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/internal/cron/jobs/subscription.go b/api/internal/cron/jobs/subscription.go
index 3fdc75a..191dd7c 100644
--- a/api/internal/cron/jobs/subscription.go
+++ b/api/internal/cron/jobs/subscription.go
@@ -37,7 +37,7 @@ func NotifyExpiringSubscriptionsJob(cfg config.Config, db *gorm.DB) {
 func UpdateActiveSubscriptions(db *gorm.DB) {
 	err := db.Model(&model.Subscription{}).
 		Where("active_until >= NOW()").
-		Update("notified", false).Error
+		UpdateColumn("notified", false).Error
 	if err != nil {
 		log.Println("Error resetting notified flag for active subscriptions:", err)
 	}
@@ -77,7 +77,7 @@ func MarkSubscriptionsNotified(db *gorm.DB, subs []model.Subscription) {
 
 	err := db.Model(&model.Subscription{}).
 		Where("id IN ?", ids).
-		Update("notified", true).Error
+		UpdateColumn("notified", true).Error
 	if err != nil {
 		log.Println("Error marking subscriptions as notified:", err)
 	}

From 44ea10155ea4094cb355b305c2cba2a00e34dc8c Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Wed, 8 Oct 2025 11:56:44 +0200
Subject: [PATCH 19/63] feat(service): update subscription.go

---
 api/internal/repository/subscription.go    | 15 ++----
 api/internal/service/subscription.go       | 31 +++++++++++-
 api/internal/transport/api/req.go          |  6 ++-
 api/internal/transport/api/routes.go       |  6 +--
 api/internal/transport/api/subscription.go | 55 +---------------------
 5 files changed, 40 insertions(+), 73 deletions(-)

diff --git a/api/internal/repository/subscription.go b/api/internal/repository/subscription.go
index f0aea7d..bea472c 100644
--- a/api/internal/repository/subscription.go
+++ b/api/internal/repository/subscription.go
@@ -17,19 +17,12 @@ func (d *Database) GetSubscription(ctx context.Context, userID string) (model.Su
 	return subscription, q.Error
 }
 
-func (d *Database) PostSubscription(ctx context.Context, subscription model.Subscription) error {
-	return d.Client.Create(&subscription).Error
+func (d *Database) PostSubscription(ctx context.Context, sub model.Subscription) error {
+	return d.Client.Create(&sub).Error
 }
 
-func (d *Database) UpdateSubscription(ctx context.Context, subscription model.Subscription) error {
-	sub := model.Subscription{}
-	sub.ID = subscription.ID
-	err := d.Client.First(&sub).Error
-	if err != nil {
-		return err
-	}
-
-	return d.Client.Updates(subscription).Error
+func (d *Database) UpdateSubscription(ctx context.Context, sub model.Subscription) error {
+	return d.Client.Select("*").Updates(&sub).Error
 }
 
 func (d *Database) DeleteSubscription(ctx context.Context, userID string) error {
diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index cc36fd0..e70971b 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -70,13 +70,40 @@ func (s *Service) AddSubscription(ctx context.Context, subscription model.Subscr
 	return nil
 }
 
-func (s *Service) UpdateSubscription(ctx context.Context, subscription model.Subscription) error {
-	err := s.Store.UpdateSubscription(ctx, subscription)
+func (s *Service) UpdateSubscription(ctx context.Context, sub model.Subscription, subID string, preauthID string, preauthTokenHash string) error {
+	preauth, err := s.Http.GetPreauth(preauthID)
+	if err != nil {
+		log.Printf("error creating user: %s", err.Error())
+		return ErrInvalidSubscription
+	}
+
+	if preauth.TokenHash != preauthTokenHash {
+		log.Printf("error creating user: Token hash does not match")
+		return ErrTokenHashMismatch
+	}
+
+	sub.ActiveUntil = preauth.ActiveUntil
+	sub.IsActive = preauth.IsActive
+	sub.Tier = preauth.Tier
+	sub.TokenHash = preauth.TokenHash
+
+	if sub.ID == "" {
+		log.Printf("error updating subscription: Subscription ID is required")
+		return ErrInvalidSubscription
+	}
+
+	err = s.Store.UpdateSubscription(ctx, sub)
 	if err != nil {
 		log.Printf("error updating subscription: %s", err.Error())
 		return ErrUpdateSubscription
 	}
 
+	err = s.Http.SignupWebhook(subID)
+	if err != nil {
+		log.Printf("error creating user: %s", err.Error())
+		return ErrSignupWebhook
+	}
+
 	return nil
 }
 
diff --git a/api/internal/transport/api/req.go b/api/internal/transport/api/req.go
index 2275dff..fd5e779 100644
--- a/api/internal/transport/api/req.go
+++ b/api/internal/transport/api/req.go
@@ -26,8 +26,10 @@ type SignupEmailReq struct {
 }
 
 type SubscriptionReq struct {
-	ID          string `json:"id" validate:"required,uuid"`
-	ActiveUntil string `json:"active_until" validate:"required"`
+	ID               string `json:"id" validate:"required,uuid"`
+	SubID            string `json:"subid" validate:"required,uuid"`
+	PreauthID        string `json:"preauthid" validate:"required,uuid"`
+	PreauthTokenHash string `json:"preauthtokenhash" validate:"required"`
 }
 
 type AliasReq struct {
diff --git a/api/internal/transport/api/routes.go b/api/internal/transport/api/routes.go
index e47b68b..29cb8fe 100644
--- a/api/internal/transport/api/routes.go
+++ b/api/internal/transport/api/routes.go
@@ -33,11 +33,6 @@ func (h *Handler) SetupRoutes(cfg config.APIConfig) {
 	h.Server.Post("/v1/login/begin", limiter.New(), h.BeginLogin)
 	h.Server.Post("/v1/login/finish", limiter.New(), h.FinishLogin)
 
-	sub := h.Server.Group("/v1/subscription")
-	sub.Use(auth.NewPSKCORS(cfg))
-	sub.Use(auth.NewPSK(cfg))
-	sub.Post("/add", h.AddSubscription)
-
 	v1 := h.Server.Group("/v1")
 	v1.Use(auth.New(cfg, h.Cache, h.Service))
 
@@ -59,6 +54,7 @@ func (h *Handler) SetupRoutes(cfg config.APIConfig) {
 	v1.Put("/user/totp/disable", limit.New(5, 10*time.Minute), h.TotpDisable)
 
 	v1.Get("/sub", h.GetSubscription)
+	v1.Post("/sub/update", limiter.New(), h.UpdateSubscription)
 
 	v1.Get("/settings", h.GetSettings)
 	v1.Put("/settings", h.UpdateSettings)
diff --git a/api/internal/transport/api/subscription.go b/api/internal/transport/api/subscription.go
index b0e7169..f699beb 100644
--- a/api/internal/transport/api/subscription.go
+++ b/api/internal/transport/api/subscription.go
@@ -3,7 +3,6 @@ package api
 import (
 	"context"
 
-	"github.com/araddon/dateparse"
 	"github.com/gofiber/fiber/v2"
 	"ivpn.net/email/api/internal/middleware/auth"
 	"ivpn.net/email/api/internal/model"
@@ -16,8 +15,7 @@ var (
 
 type SubscriptionService interface {
 	GetSubscription(context.Context, string) (model.Subscription, error)
-	AddSubscription(context.Context, model.Subscription, string) error
-	UpdateSubscription(context.Context, model.Subscription) error
+	UpdateSubscription(context.Context, model.Subscription, string, string, string) error
 }
 
 // @Summary Get subscription
@@ -42,47 +40,6 @@ func (h *Handler) GetSubscription(c *fiber.Ctx) error {
 	return c.JSON(sub)
 }
 
-// @Summary Add subscription
-// @Description Add subscription
-// @Tags subscription
-// @Accept json
-// @Produce json
-// @Security ApiKeyAuth
-// @Param body body SubscriptionReq true "Subscription request"
-// @Success 200 {object} SuccessRes
-// @Failure 400 {object} ErrorRes
-// @Router /subscription/add [post]
-func (h *Handler) AddSubscription(c *fiber.Ctx) error {
-	req := SubscriptionReq{}
-	err := c.BodyParser(&req)
-	if err != nil {
-		return c.Status(400).JSON(fiber.Map{
-			"error": ErrInvalidRequest,
-		})
-	}
-
-	err = h.Validator.Struct(req)
-	if err != nil {
-		return c.Status(400).JSON(fiber.Map{
-			"error": ErrInvalidRequest,
-		})
-	}
-
-	sub := model.Subscription{}
-	sub.ID = req.ID
-
-	err = h.Service.AddSubscription(c.Context(), sub, req.ActiveUntil)
-	if err != nil {
-		return c.Status(400).JSON(fiber.Map{
-			"error": err.Error(),
-		})
-	}
-
-	return c.Status(200).JSON(fiber.Map{
-		"message": AddSubscriptionSuccess,
-	})
-}
-
 // @Summary Update subscription
 // @Description Update subscription
 // @Tags subscription
@@ -109,18 +66,10 @@ func (h *Handler) UpdateSubscription(c *fiber.Ctx) error {
 		})
 	}
 
-	activeUntil, err := dateparse.ParseAny(req.ActiveUntil)
-	if err != nil {
-		return c.Status(400).JSON(fiber.Map{
-			"error": ErrInvalidRequest,
-		})
-	}
-
 	sub := model.Subscription{}
 	sub.ID = req.ID
-	sub.ActiveUntil = activeUntil
 
-	err = h.Service.UpdateSubscription(c.Context(), sub)
+	err = h.Service.UpdateSubscription(c.Context(), sub, req.SubID, req.PreauthID, req.PreauthTokenHash)
 	if err != nil {
 		return c.Status(400).JSON(fiber.Map{
 			"error": err.Error(),

From 8920d9a1baf7e9dcf648e9bb83bf8e1b728ccc08 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Wed, 8 Oct 2025 14:21:09 +0200
Subject: [PATCH 20/63] feat(api): update routes.go

---
 api/internal/transport/api/routes.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/internal/transport/api/routes.go b/api/internal/transport/api/routes.go
index 29cb8fe..afba0e6 100644
--- a/api/internal/transport/api/routes.go
+++ b/api/internal/transport/api/routes.go
@@ -54,7 +54,7 @@ func (h *Handler) SetupRoutes(cfg config.APIConfig) {
 	v1.Put("/user/totp/disable", limit.New(5, 10*time.Minute), h.TotpDisable)
 
 	v1.Get("/sub", h.GetSubscription)
-	v1.Post("/sub/update", limiter.New(), h.UpdateSubscription)
+	v1.Put("/sub/update", limiter.New(), h.UpdateSubscription)
 
 	v1.Get("/settings", h.GetSettings)
 	v1.Put("/settings", h.UpdateSettings)

From a15c27a1808bb99d7b8f395e40bd4ebe2c0be256 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Wed, 8 Oct 2025 16:26:32 +0200
Subject: [PATCH 21/63] feat(app): update AccountSubscription.vue

---
 app/src/api/subscription.ts                |  1 +
 app/src/components/AccountSubscription.vue | 64 +++++++++++++++++++++-
 app/src/style/components/badge.css         |  4 ++
 3 files changed, 67 insertions(+), 2 deletions(-)

diff --git a/app/src/api/subscription.ts b/app/src/api/subscription.ts
index a816da2..a45f189 100644
--- a/app/src/api/subscription.ts
+++ b/app/src/api/subscription.ts
@@ -2,4 +2,5 @@ import { api } from './api'
 
 export const subscriptionApi = {
     get: () => api.get('/sub'),
+    update: (data: any) => api.put('/sub/update', data),
 }
\ No newline at end of file
diff --git a/app/src/components/AccountSubscription.vue b/app/src/components/AccountSubscription.vue
index 5e81262..c561fd9 100644
--- a/app/src/components/AccountSubscription.vue
+++ b/app/src/components/AccountSubscription.vue
@@ -1,10 +1,13 @@
 <template>
     <div class="mb-5">
         <h2>Account</h2>
-        <p v-if="sub.id" class="text-sm">
+        <p v-if="sub.id && !syncing" class="text-sm">
             <span v-if="isActive()" class="badge success">Active</span>
             <span v-if="!isActive()" class="badge">Inactive</span>
         </p>
+        <p v-if="syncing" class="text-sm">
+            <span v-if="isActive()" class="badge progress">Syncing...</span>
+        </p>
         <div class="mb-3">
             <h4>Account email:</h4>
             <p class="mb-3">
@@ -48,7 +51,8 @@
 </template>
 
 <script setup lang="ts">
-import { onMounted, ref } from 'vue'
+import { onMounted, ref, watch } from 'vue'
+import { useRoute } from 'vue-router'
 import tooltip from '@preline/tooltip'
 import axios from 'axios'
 import { subscriptionApi } from '../api/subscription.ts'
@@ -62,6 +66,11 @@ const sub = ref({
 })
 const error = ref('')
 const email = ref(localStorage.getItem('email'))
+const subid = ref('')
+const preauthid = ref('')
+const preauthtokenhash = ref('')
+const currentRoute = useRoute()
+const syncing = ref(false)
 
 const getSubscription = async () => {
     try {
@@ -74,6 +83,29 @@ const getSubscription = async () => {
     }
 }
 
+const updateSubscription = async () => {
+    if (!subid.value || !preauthid.value || !preauthtokenhash.value) {
+        return
+    }
+
+    syncing.value = true
+    try {
+        await subscriptionApi.update({
+            id: sub.value.id,
+            subid: subid.value,
+            preauthid: preauthid.value,
+            preauthtokenhash: preauthtokenhash.value,
+        })
+        await getSubscription()
+    } catch (err) {
+        if (axios.isAxiosError(err)) {
+            error.value = err.message
+        }
+    } finally {
+        syncing.value = false
+    }
+}
+
 const isActive = () => {
     return sub.value.active_until > new Date().toISOString()
 }
@@ -94,9 +126,37 @@ const onUpdateEmail = (event: any) => {
     email.value = event.email
 }
 
+const parseParams = () => {
+    const route = useRoute()
+    const q = route.query
+    const first = (v: unknown) => typeof v === 'string' ? v : Array.isArray(v) ? v[0] : ''
+    subid.value = first(q.subid) || (route.params.subid as string) || ''
+    preauthid.value = first(q.preauthid) || (route.params.preauthid as string) || ''
+    preauthtokenhash.value = first(q.preauthtokenhash) || (route.params.preauthtokenhash as string) || ''
+    preauthtokenhash.value = preauthtokenhash.value.replace(/ /g, '+')
+
+    if (!subid.value || !subid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
+        return
+    }
+
+    if (!preauthid.value || !preauthid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
+        return
+    }
+
+    if (!preauthtokenhash.value) {
+        return
+    }
+
+    updateSubscription()
+}
+
 onMounted(() => {
     getSubscription()
     tooltip.autoInit()
     events.on('user.update', onUpdateEmail)
 })
+
+watch(currentRoute, () => {
+    parseParams()
+}, { immediate: true })
 </script>
\ No newline at end of file
diff --git a/app/src/style/components/badge.css b/app/src/style/components/badge.css
index ebcc48d..d29023e 100644
--- a/app/src/style/components/badge.css
+++ b/app/src/style/components/badge.css
@@ -5,5 +5,9 @@
         &.success {
             @apply bg-success text-white font-semibold;
         }
+
+        &.progress {
+            @apply bg-accent text-white font-semibold;
+        }
     }
 }
\ No newline at end of file

From 1c8c94d2616827a3a97a2a58f008709dcda7d2a8 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Thu, 9 Oct 2025 11:40:32 +0200
Subject: [PATCH 22/63] docs(api): update docs.go

---
 api/docs/docs.go      | 101 ++++++++++++++++--------------------------
 api/docs/swagger.json | 101 ++++++++++++++++--------------------------
 api/docs/swagger.yaml |  70 ++++++++++++-----------------
 3 files changed, 107 insertions(+), 165 deletions(-)

diff --git a/api/docs/docs.go b/api/docs/docs.go
index b6bd70e..83532fc 100644
--- a/api/docs/docs.go
+++ b/api/docs/docs.go
@@ -1033,51 +1033,6 @@ const docTemplate = `{
                 }
             }
         },
-        "/subscription/add": {
-            "post": {
-                "security": [
-                    {
-                        "ApiKeyAuth": []
-                    }
-                ],
-                "description": "Add subscription",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "subscription"
-                ],
-                "summary": "Add subscription",
-                "parameters": [
-                    {
-                        "description": "Subscription request",
-                        "name": "body",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/api.SubscriptionReq"
-                        }
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/api.SuccessRes"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/api.ErrorRes"
-                        }
-                    }
-                }
-            }
-        },
         "/subscription/update": {
             "put": {
                 "security": [
@@ -1821,12 +1776,20 @@ const docTemplate = `{
             "type": "object",
             "required": [
                 "email",
+                "preauthid",
+                "preauthtokenhash",
                 "subid"
             ],
             "properties": {
                 "email": {
                     "type": "string"
                 },
+                "preauthid": {
+                    "type": "string"
+                },
+                "preauthtokenhash": {
+                    "type": "string"
+                },
                 "subid": {
                     "type": "string"
                 }
@@ -1836,6 +1799,8 @@ const docTemplate = `{
             "type": "object",
             "required": [
                 "email",
+                "preauthid",
+                "preauthtokenhash",
                 "subid"
             ],
             "properties": {
@@ -1845,6 +1810,12 @@ const docTemplate = `{
                 "password": {
                     "type": "string"
                 },
+                "preauthid": {
+                    "type": "string"
+                },
+                "preauthtokenhash": {
+                    "type": "string"
+                },
                 "subid": {
                     "type": "string"
                 }
@@ -1853,14 +1824,22 @@ const docTemplate = `{
         "api.SubscriptionReq": {
             "type": "object",
             "required": [
-                "active_until",
-                "id"
+                "id",
+                "preauthid",
+                "preauthtokenhash",
+                "subid"
             ],
             "properties": {
-                "active_until": {
+                "id": {
                     "type": "string"
                 },
-                "id": {
+                "preauthid": {
+                    "type": "string"
+                },
+                "preauthtokenhash": {
+                    "type": "string"
+                },
+                "subid": {
                     "type": "string"
                 }
             }
@@ -2043,22 +2022,20 @@ const docTemplate = `{
                 "id": {
                     "type": "string"
                 },
-                "type": {
-                    "$ref": "#/definitions/model.SubscriptionType"
+                "is_active": {
+                    "type": "boolean"
+                },
+                "is_grace_period": {
+                    "type": "boolean"
+                },
+                "tier": {
+                    "type": "string"
+                },
+                "updated_at": {
+                    "type": "string"
                 }
             }
         },
-        "model.SubscriptionType": {
-            "type": "string",
-            "enum": [
-                "Free",
-                "Managed"
-            ],
-            "x-enum-varnames": [
-                "Free",
-                "Managed"
-            ]
-        },
         "model.TOTPBackup": {
             "type": "object",
             "properties": {
diff --git a/api/docs/swagger.json b/api/docs/swagger.json
index d614cf7..1b9921d 100644
--- a/api/docs/swagger.json
+++ b/api/docs/swagger.json
@@ -1022,51 +1022,6 @@
                 }
             }
         },
-        "/subscription/add": {
-            "post": {
-                "security": [
-                    {
-                        "ApiKeyAuth": []
-                    }
-                ],
-                "description": "Add subscription",
-                "consumes": [
-                    "application/json"
-                ],
-                "produces": [
-                    "application/json"
-                ],
-                "tags": [
-                    "subscription"
-                ],
-                "summary": "Add subscription",
-                "parameters": [
-                    {
-                        "description": "Subscription request",
-                        "name": "body",
-                        "in": "body",
-                        "required": true,
-                        "schema": {
-                            "$ref": "#/definitions/api.SubscriptionReq"
-                        }
-                    }
-                ],
-                "responses": {
-                    "200": {
-                        "description": "OK",
-                        "schema": {
-                            "$ref": "#/definitions/api.SuccessRes"
-                        }
-                    },
-                    "400": {
-                        "description": "Bad Request",
-                        "schema": {
-                            "$ref": "#/definitions/api.ErrorRes"
-                        }
-                    }
-                }
-            }
-        },
         "/subscription/update": {
             "put": {
                 "security": [
@@ -1810,12 +1765,20 @@
             "type": "object",
             "required": [
                 "email",
+                "preauthid",
+                "preauthtokenhash",
                 "subid"
             ],
             "properties": {
                 "email": {
                     "type": "string"
                 },
+                "preauthid": {
+                    "type": "string"
+                },
+                "preauthtokenhash": {
+                    "type": "string"
+                },
                 "subid": {
                     "type": "string"
                 }
@@ -1825,6 +1788,8 @@
             "type": "object",
             "required": [
                 "email",
+                "preauthid",
+                "preauthtokenhash",
                 "subid"
             ],
             "properties": {
@@ -1834,6 +1799,12 @@
                 "password": {
                     "type": "string"
                 },
+                "preauthid": {
+                    "type": "string"
+                },
+                "preauthtokenhash": {
+                    "type": "string"
+                },
                 "subid": {
                     "type": "string"
                 }
@@ -1842,14 +1813,22 @@
         "api.SubscriptionReq": {
             "type": "object",
             "required": [
-                "active_until",
-                "id"
+                "id",
+                "preauthid",
+                "preauthtokenhash",
+                "subid"
             ],
             "properties": {
-                "active_until": {
+                "id": {
                     "type": "string"
                 },
-                "id": {
+                "preauthid": {
+                    "type": "string"
+                },
+                "preauthtokenhash": {
+                    "type": "string"
+                },
+                "subid": {
                     "type": "string"
                 }
             }
@@ -2032,22 +2011,20 @@
                 "id": {
                     "type": "string"
                 },
-                "type": {
-                    "$ref": "#/definitions/model.SubscriptionType"
+                "is_active": {
+                    "type": "boolean"
+                },
+                "is_grace_period": {
+                    "type": "boolean"
+                },
+                "tier": {
+                    "type": "string"
+                },
+                "updated_at": {
+                    "type": "string"
                 }
             }
         },
-        "model.SubscriptionType": {
-            "type": "string",
-            "enum": [
-                "Free",
-                "Managed"
-            ],
-            "x-enum-varnames": [
-                "Free",
-                "Managed"
-            ]
-        },
         "model.TOTPBackup": {
             "type": "object",
             "properties": {
diff --git a/api/docs/swagger.yaml b/api/docs/swagger.yaml
index 073b425..a72fb92 100644
--- a/api/docs/swagger.yaml
+++ b/api/docs/swagger.yaml
@@ -93,10 +93,16 @@ definitions:
     properties:
       email:
         type: string
+      preauthid:
+        type: string
+      preauthtokenhash:
+        type: string
       subid:
         type: string
     required:
     - email
+    - preauthid
+    - preauthtokenhash
     - subid
     type: object
   api.SignupUserReq:
@@ -105,21 +111,33 @@ definitions:
         type: string
       password:
         type: string
+      preauthid:
+        type: string
+      preauthtokenhash:
+        type: string
       subid:
         type: string
     required:
     - email
+    - preauthid
+    - preauthtokenhash
     - subid
     type: object
   api.SubscriptionReq:
     properties:
-      active_until:
-        type: string
       id:
         type: string
+      preauthid:
+        type: string
+      preauthtokenhash:
+        type: string
+      subid:
+        type: string
     required:
-    - active_until
     - id
+    - preauthid
+    - preauthtokenhash
+    - subid
     type: object
   api.SuccessRes:
     properties:
@@ -238,17 +256,15 @@ definitions:
         type: string
       id:
         type: string
-      type:
-        $ref: '#/definitions/model.SubscriptionType'
+      is_active:
+        type: boolean
+      is_grace_period:
+        type: boolean
+      tier:
+        type: string
+      updated_at:
+        type: string
     type: object
-  model.SubscriptionType:
-    enum:
-    - Free
-    - Managed
-    type: string
-    x-enum-varnames:
-    - Free
-    - Managed
   model.TOTPBackup:
     properties:
       backup:
@@ -943,34 +959,6 @@ paths:
       summary: Get subscription
       tags:
       - subscription
-  /subscription/add:
-    post:
-      consumes:
-      - application/json
-      description: Add subscription
-      parameters:
-      - description: Subscription request
-        in: body
-        name: body
-        required: true
-        schema:
-          $ref: '#/definitions/api.SubscriptionReq'
-      produces:
-      - application/json
-      responses:
-        "200":
-          description: OK
-          schema:
-            $ref: '#/definitions/api.SuccessRes'
-        "400":
-          description: Bad Request
-          schema:
-            $ref: '#/definitions/api.ErrorRes'
-      security:
-      - ApiKeyAuth: []
-      summary: Add subscription
-      tags:
-      - subscription
   /subscription/update:
     put:
       consumes:

From f46c7b620d8785c1cc3913ef08570970c11f2242 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Thu, 9 Oct 2025 19:39:39 +0200
Subject: [PATCH 23/63] feat(api): update go.mod

---
 api/go.mod | 1 -
 api/go.sum | 6 ------
 2 files changed, 7 deletions(-)

diff --git a/api/go.mod b/api/go.mod
index 257f856..9393995 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -5,7 +5,6 @@ go 1.23.1
 require (
 	github.com/ProtonMail/gopenpgp/v3 v3.1.2
 	github.com/alexedwards/argon2id v1.0.0
-	github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
 	github.com/go-playground/validator/v10 v10.20.0
 	github.com/go-sql-driver/mysql v1.7.1
 	github.com/go-webauthn/webauthn v0.11.2
diff --git a/api/go.sum b/api/go.sum
index f3b07c7..b2185a3 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -12,8 +12,6 @@ github.com/alexedwards/argon2id v1.0.0 h1:wJzDx66hqWX7siL/SRUmgz3F8YMrd/nfX/xHHc
 github.com/alexedwards/argon2id v1.0.0/go.mod h1:tYKkqIjzXvZdzPvADMWOEZ+l6+BD6CtBXMj5fnJppiw=
 github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
 github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
-github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de h1:FxWPpzIjnTlhPwqqXc4/vE0f7GvRjuAsbW+HOIe8KnA=
-github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de/go.mod h1:DCaWoUhZrYW9p1lxo/cm8EmUOOzAPSEZNGF2DK1dJgw=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
@@ -97,7 +95,6 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-runewidth v0.0.10/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
@@ -119,15 +116,12 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/redis/go-redis/v9 v9.5.5 h1:51VEyMF8eOO+NUHFm8fpg+IOc1xFuFOhxs3R+kPu1FM=
 github.com/redis/go-redis/v9 v9.5.5/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
-github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
-github.com/scylladb/termtables v0.0.0-20191203121021-c4c0b6d42ff4/go.mod h1:C1a7PQSMz9NShzorzCiG2fk9+xuCgLkPeCvMHYR2OWg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/swaggo/files/v2 v2.0.0 h1:hmAt8Dkynw7Ssz46F6pn8ok6YmGZqHSVLZ+HQM7i0kw=

From 3b451e6fe547101647c11f91c5cd4aece34f786e Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Sun, 12 Oct 2025 13:27:31 +0200
Subject: [PATCH 24/63] feat(model): update subscription.go

---
 api/.env.sample                         |  1 -
 api/config/config.go                    |  7 --
 api/internal/model/subscription.go      | 69 ++++++++++++++-----
 api/internal/model/subscription_test.go | 90 -------------------------
 api/internal/service/alias.go           |  2 +-
 api/internal/service/processor.go       |  4 +-
 api/internal/service/recipient.go       |  4 +-
 api/internal/service/subscription.go    |  2 +-
 api/internal/service/user.go            |  2 +-
 9 files changed, 61 insertions(+), 120 deletions(-)

diff --git a/api/.env.sample b/api/.env.sample
index d1a3637..5c952fd 100644
--- a/api/.env.sample
+++ b/api/.env.sample
@@ -54,7 +54,6 @@ MAX_RECIPIENTS=10
 MAX_DAILY_ALIASES=100
 MAX_DAILY_SEND_REPLY=100
 MAX_SESSIONS=10
-FORWARD_GRACE_PERIOD_DAYS=14
 ACCOUNT_GRACE_PERIOD_DAYS=194
 ID_LIMITER_MAX=5
 ID_LIMITER_EXPIRATION=60m
diff --git a/api/config/config.go b/api/config/config.go
index 263ab5d..4a75de3 100644
--- a/api/config/config.go
+++ b/api/config/config.go
@@ -66,7 +66,6 @@ type ServiceConfig struct {
 	MaxDailyAliases        int
 	MaxDailySendReply      int
 	MaxSessions            int
-	ForwardGracePeriodDays int
 	AccountGracePeriodDays int
 	IdLimiterMax           int
 	IdLimiterExpiration    time.Duration
@@ -128,11 +127,6 @@ func New() (Config, error) {
 		return Config{}, err
 	}
 
-	forwardGracePeriodDays, err := strconv.Atoi(os.Getenv("FORWARD_GRACE_PERIOD_DAYS"))
-	if err != nil {
-		return Config{}, err
-	}
-
 	accountGracePeriodDays, err := strconv.Atoi(os.Getenv("ACCOUNT_GRACE_PERIOD_DAYS"))
 	if err != nil {
 		return Config{}, err
@@ -198,7 +192,6 @@ func New() (Config, error) {
 			MaxDailyAliases:        maxDailyAliases,
 			MaxDailySendReply:      maxDailySendReply,
 			MaxSessions:            maxSessions,
-			ForwardGracePeriodDays: forwardGracePeriodDays,
 			AccountGracePeriodDays: accountGracePeriodDays,
 			IdLimiterMax:           idLimiterMax,
 			IdLimiterExpiration:    idLimiterExpiration,
diff --git a/api/internal/model/subscription.go b/api/internal/model/subscription.go
index 5e6eeee..51fb0a5 100644
--- a/api/internal/model/subscription.go
+++ b/api/internal/model/subscription.go
@@ -9,27 +9,66 @@ var (
 	ErrDuplicateSubscription = errors.New("subscription already exists")
 )
 
+type SubscriptionStatus string
+
+const (
+	Active        SubscriptionStatus = "active"
+	GracePeriod   SubscriptionStatus = "grace_period"
+	LimitedAccess SubscriptionStatus = "limited_access"
+	PendingDelete SubscriptionStatus = "pending_delete"
+)
+
 type Subscription struct {
-	ID            string    `gorm:"unique" json:"id"`
-	CreatedAt     time.Time `json:"created_at"`
-	UpdatedAt     time.Time `json:"updated_at"`
-	UserID        string    `json:"-"`
-	ActiveUntil   time.Time `json:"active_until"`
-	IsActive      bool      `json:"is_active"`
-	Tier          string    `json:"tier"`
-	TokenHash     string    `gorm:"unique" json:"-"`
-	IsGracePeriod bool      `gorm:"-" json:"is_grace_period"`
-	Notified      bool      `json:"-"`
+	ID          string             `gorm:"unique" json:"id"`
+	CreatedAt   time.Time          `json:"created_at"`
+	UpdatedAt   time.Time          `json:"updated_at"`
+	UserID      string             `json:"-"`
+	ActiveUntil time.Time          `json:"active_until"`
+	IsActive    bool               `json:"-"`
+	Tier        string             `json:"tier"`
+	TokenHash   string             `gorm:"unique" json:"-"`
+	Notified    bool               `json:"-"`
+	Status      SubscriptionStatus `gorm:"-" json:"status"`
+	Outage      bool               `gorm:"-" json:"outage"`
+}
+
+func (s *Subscription) Active() bool {
+	return s.ActiveUntil.After(time.Now())
+}
+
+func (s *Subscription) GracePeriod() bool {
+	return s.IsOutage() && s.GracePeriodDays(3)
+}
+
+func (s *Subscription) LimitedAccess() bool {
+	return s.GracePeriodDays(14)
+}
+
+func (s *Subscription) PendingDelete() bool {
+	return !s.GracePeriodDays(14)
+}
+
+func (s *Subscription) ActiveStatus() bool {
+	return s.Active() || s.GracePeriod()
 }
 
-func (s *Subscription) IsActiveCheck() bool {
-	return s.ActiveUntil.After(time.Now()) || s.IsActive
+func (s *Subscription) IsOutage() bool {
+	return s.UpdatedAt.Add(time.Duration(24) * time.Hour).Before(time.Now())
 }
 
-func (s *Subscription) IsActiveWithGracePeriod(days int) bool {
+func (s *Subscription) GracePeriodDays(days int) bool {
 	return s.ActiveUntil.AddDate(0, 0, days).After(time.Now())
 }
 
-func (s *Subscription) IsGracePeriodCheck(days int) bool {
-	return !s.IsActiveCheck() && s.IsActiveWithGracePeriod(days)
+func (s *Subscription) GetStatus() SubscriptionStatus {
+	if s.Active() {
+		return Active
+	}
+	if s.GracePeriod() {
+		return GracePeriod
+	}
+	if s.LimitedAccess() {
+		return LimitedAccess
+	}
+	return PendingDelete
 }
diff --git a/api/internal/model/subscription_test.go b/api/internal/model/subscription_test.go
index 52cedaf..8b53790 100644
--- a/api/internal/model/subscription_test.go
+++ b/api/internal/model/subscription_test.go
@@ -1,91 +1 @@
 package model
-
-import (
-	"testing"
-	"time"
-)
-
-func TestSubscription_IsActive(t *testing.T) {
-	tests := []struct {
-		name        string
-		activeUntil time.Time
-		want        bool
-	}{
-		{
-			name:        "active subscription",
-			activeUntil: time.Now().Add(24 * time.Hour), // 1 day in the future
-			want:        true,
-		},
-		{
-			name:        "expired subscription",
-			activeUntil: time.Now().Add(-24 * time.Hour), // 1 day in the past
-			want:        false,
-		},
-		{
-			name:        "subscription expires now",
-			activeUntil: time.Now(),
-			want:        false, // time.Now() is not After time.Now()
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			s := &Subscription{
-				ActiveUntil: tt.activeUntil,
-			}
-			if got := s.IsActiveCheck(); got != tt.want {
-				t.Errorf("Subscription.IsActive() = %v, want %v", got, tt.want)
-			}
-		})
-	}
-}
-func TestSubscription_IsActiveWithGracePeriod(t *testing.T) {
-	tests := []struct {
-		name        string
-		activeUntil time.Time
-		graceDays   int
-		want        bool
-	}{
-		{
-			name:        "active subscription",
-			activeUntil: time.Now().Add(24 * time.Hour), // 1 day in the future
-			graceDays:   0,
-			want:        true,
-		},
-		{
-			name:        "expired subscription but within grace period",
-			activeUntil: time.Now().Add(-2 * 24 * time.Hour), // 2 days in the past
-			graceDays:   3,
-			want:        true,
-		},
-		{
-			name:        "expired subscription outside grace period",
-			activeUntil: time.Now().Add(-5 * 24 * time.Hour), // 5 days in the past
-			graceDays:   3,
-			want:        false,
-		},
-		{
-			name:        "subscription expires today with grace period",
-			activeUntil: time.Now(),
-			graceDays:   1,
-			want:        true,
-		},
-		{
-			name:        "subscription expires today without grace period",
-			activeUntil: time.Now(),
-			graceDays:   0,
-			want:        false, // time.Now() is not After time.Now()
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			s := &Subscription{
-				ActiveUntil: tt.activeUntil,
-			}
-			if got := s.IsActiveWithGracePeriod(tt.graceDays); got != tt.want {
-				t.Errorf("Subscription.IsActiveWithGracePeriod(%v) = %v, want %v", tt.graceDays, got, tt.want)
-			}
-		})
-	}
-}
diff --git a/api/internal/service/alias.go b/api/internal/service/alias.go
index b9b089e..e5ed5f9 100644
--- a/api/internal/service/alias.go
+++ b/api/internal/service/alias.go
@@ -84,7 +84,7 @@ func (s *Service) PostAlias(ctx context.Context, alias model.Alias, format strin
 		return model.Alias{}, ErrPostAlias
 	}
 
-	if !sub.IsActiveCheck() {
+	if !sub.ActiveStatus() {
 		log.Println("error creating alias: subscription is not active")
 		return model.Alias{}, ErrPostAlias
 	}
diff --git a/api/internal/service/processor.go b/api/internal/service/processor.go
index 0059747..79a2051 100644
--- a/api/internal/service/processor.go
+++ b/api/internal/service/processor.go
@@ -39,13 +39,13 @@ func (s *Service) ProcessMessage(data []byte) error {
 		}
 
 		// Forward
-		if relayType == model.Forward && !sub.IsActiveWithGracePeriod(s.Cfg.Service.ForwardGracePeriodDays) {
+		if relayType == model.Forward && sub.PendingDelete() {
 			log.Println("inactive subscription for forward")
 			continue
 		}
 
 		// Reply | Send
-		if relayType != model.Forward && !sub.IsActiveCheck() {
+		if relayType != model.Forward && !sub.ActiveStatus() {
 			log.Println("inactive subscription for reply/send")
 			continue
 		}
diff --git a/api/internal/service/recipient.go b/api/internal/service/recipient.go
index 1730b24..c9d5b00 100644
--- a/api/internal/service/recipient.go
+++ b/api/internal/service/recipient.go
@@ -84,7 +84,7 @@ func (s *Service) PostRecipient(ctx context.Context, recipient model.Recipient)
 		return ErrPostRecipient
 	}
 
-	if !sub.IsActiveCheck() {
+	if !sub.ActiveStatus() {
 		log.Println("error creating recipient: subscription is not active")
 		return ErrPostRecipient
 	}
@@ -182,7 +182,7 @@ func (s *Service) UpdateRecipient(ctx context.Context, recipient model.Recipient
 		return ErrUpdateRecipient
 	}
 
-	if !sub.IsActiveCheck() {
+	if !sub.ActiveStatus() {
 		log.Println("error updating recipient: subscription is not active")
 		return ErrUpdateRecipient
 	}
diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index e70971b..6c16bb0 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -31,7 +31,7 @@ func (s *Service) GetSubscription(ctx context.Context, userID string) (model.Sub
 		return model.Subscription{}, ErrGetSubscription
 	}
 
-	sub.IsGracePeriod = sub.IsGracePeriodCheck(s.Cfg.Service.ForwardGracePeriodDays)
+	sub.Status = sub.GetStatus()
 
 	return sub, nil
 }
diff --git a/api/internal/service/user.go b/api/internal/service/user.go
index b2b1c21..4a969f2 100644
--- a/api/internal/service/user.go
+++ b/api/internal/service/user.go
@@ -263,7 +263,7 @@ func (s *Service) ActivateUser(ctx context.Context, ID string, otp string) error
 		return nil
 	}
 
-	if !sub.IsActiveCheck() {
+	if !sub.ActiveStatus() {
 		log.Println("error creating recipient: subscription is not active")
 		return nil
 	}

From 6f7c123339ea9ebc7bb79dfd5147057f7c46c6af Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Sun, 12 Oct 2025 13:46:34 +0200
Subject: [PATCH 25/63] tests: update subscription_test.go

---
 api/internal/model/subscription_test.go | 338 ++++++++++++++++++++++++
 api/internal/service/subscription.go    |   1 +
 2 files changed, 339 insertions(+)

diff --git a/api/internal/model/subscription_test.go b/api/internal/model/subscription_test.go
index 8b53790..59ef6d8 100644
--- a/api/internal/model/subscription_test.go
+++ b/api/internal/model/subscription_test.go
@@ -1 +1,339 @@
 package model
+
+import (
+	"testing"
+	"time"
+)
+
+func TestSubscriptionActive(t *testing.T) {
+	now := time.Now()
+
+	tests := []struct {
+		name        string
+		activeUntil time.Time
+		want        bool
+	}{
+		{
+			name:        "future time returns true",
+			activeUntil: now.Add(2 * time.Second),
+			want:        true,
+		},
+		{
+			name:        "past time returns false",
+			activeUntil: now.Add(-2 * time.Second),
+			want:        false,
+		},
+		{
+			name:        "equal to now returns false",
+			activeUntil: now, // ActiveUntil.After(time.Now()) is strictly greater, so should be false
+			want:        false,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			s := &Subscription{ActiveUntil: tc.activeUntil}
+			got := s.Active()
+			if got != tc.want {
+				t.Fatalf("Active() = %v, want %v (activeUntil=%v, now=%v)", got, tc.want, tc.activeUntil, time.Now())
+			}
+		})
+	}
+}
+
+func TestSubscriptionGracePeriod(t *testing.T) {
+	now := time.Now()
+
+	tests := []struct {
+		name        string
+		updatedAt   time.Time
+		activeUntil time.Time
+		want        bool
+	}{
+		{
+			name:        "outage and within 3-day window => true",
+			updatedAt:   now.Add(-25 * time.Hour), // outage (older than 24h)
+			activeUntil: now.Add(-48 * time.Hour), // 2 days ago (+3d => +1d > now)
+			want:        true,
+		},
+		{
+			name:        "not outage and within 3-day window => false",
+			updatedAt:   now.Add(-23 * time.Hour), // not outage
+			activeUntil: now.Add(-24 * time.Hour), // 1 day ago (+3d => +2d > now)
+			want:        false,
+		},
+		{
+			name:        "outage but outside 3-day window => false",
+			updatedAt:   now.Add(-26 * time.Hour),     // outage
+			activeUntil: now.Add(-5 * 24 * time.Hour), // 5 days ago (+3d => 2 days before now)
+			want:        false,
+		},
+		{
+			name:        "near outage boundary but not outage => false",
+			updatedAt:   now.Add(-24 * time.Hour).Add(1 * time.Second), // UpdatedAt +24h ~ now +1s => not outage
+			activeUntil: now.Add(-2 * 24 * time.Hour),                  // 2 days ago (+3d => +1d > now)
+			want:        false,
+		},
+		{
+			name:        "outage and just inside 3-day window boundary => true",
+			updatedAt:   now.Add(-25 * time.Hour),                   // outage
+			activeUntil: now.AddDate(0, 0, -3).Add(2 * time.Second), // ActiveUntil +3d ~ now +2s > now
+			want:        true,
+		},
+		{
+			name:        "outage and exactly outside 3-day window => false",
+			updatedAt:   now.Add(-25 * time.Hour),                    // outage
+			activeUntil: now.AddDate(0, 0, -3).Add(-2 * time.Second), // ActiveUntil +3d ~ now -2s < now
+			want:        false,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			s := &Subscription{
+				UpdatedAt:   tc.updatedAt,
+				ActiveUntil: tc.activeUntil,
+			}
+			got := s.GracePeriod()
+			if got != tc.want {
+				t.Fatalf("GracePeriod() = %v, want %v (updatedAt=%v activeUntil=%v now=%v)", got, tc.want, tc.updatedAt, tc.activeUntil, time.Now())
+			}
+		})
+	}
+}
+
+func TestSubscriptionLimitedAccess(t *testing.T) {
+	now := time.Now()
+
+	tests := []struct {
+		name        string
+		activeUntil time.Time
+		want        bool
+	}{
+		{
+			name:        "active in future => true",
+			activeUntil: now.Add(1 * time.Hour),
+			want:        true,
+		},
+		{
+			name:        "just expired 1s ago (<14d) => true",
+			activeUntil: now.Add(-1 * time.Second),
+			want:        true,
+		},
+		{
+			name:        "13d 23h 59m 59s ago (<14d) => true",
+			activeUntil: now.Add(-14*24*time.Hour + 1*time.Second),
+			want:        true,
+		},
+		{
+			name:        "exactly 14d ago boundary => false",
+			activeUntil: now.Add(-14 * 24 * time.Hour),
+			want:        false,
+		},
+		{
+			name:        "14d and 1s ago => false",
+			activeUntil: now.Add(-14*24*time.Hour - 1*time.Second),
+			want:        false,
+		},
+		{
+			name:        "30d ago => false",
+			activeUntil: now.Add(-30 * 24 * time.Hour),
+			want:        false,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			s := &Subscription{ActiveUntil: tc.activeUntil}
+			got := s.LimitedAccess()
+			if got != tc.want {
+				t.Fatalf("LimitedAccess() = %v, want %v (activeUntil=%v now=%v)", got, tc.want, tc.activeUntil, time.Now())
+			}
+		})
+	}
+}
+
+func TestSubscriptionPendingDelete(t *testing.T) {
+	now := time.Now()
+
+	tests := []struct {
+		name        string
+		activeUntil time.Time
+		want        bool
+	}{
+		{
+			name:        "still active in future => false",
+			activeUntil: now.Add(1 * time.Hour),
+			want:        false,
+		},
+		{
+			name:        "expired 1s ago (<14d) => false",
+			activeUntil: now.Add(-1 * time.Second),
+			want:        false,
+		},
+		{
+			name:        "13d 23h 59m 59s ago (<14d) => false",
+			activeUntil: now.Add(-14*24*time.Hour + 1*time.Second),
+			want:        false,
+		},
+		{
+			name:        "exactly 14d ago boundary => true",
+			activeUntil: now.Add(-14 * 24 * time.Hour),
+			want:        true,
+		},
+		{
+			name:        "14d and 1s ago => true",
+			activeUntil: now.Add(-14*24*time.Hour - 1*time.Second),
+			want:        true,
+		},
+		{
+			name:        "30d ago => true",
+			activeUntil: now.Add(-30 * 24 * time.Hour),
+			want:        true,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			s := &Subscription{ActiveUntil: tc.activeUntil}
+			got := s.PendingDelete()
+			if got != tc.want {
+				t.Fatalf("PendingDelete() = %v, want %v (activeUntil=%v now=%v)", got, tc.want, tc.activeUntil, time.Now())
+			}
+		})
+	}
+}
+
+func TestSubscriptionIsOutage(t *testing.T) {
+	now := time.Now()
+
+	tests := []struct {
+		name      string
+		updatedAt time.Time
+		want      bool
+	}{
+		{
+			name:      "updated 25h ago => outage",
+			updatedAt: now.Add(-25 * time.Hour),
+			want:      true,
+		},
+		{
+			name:      "updated 24h + 1s ago => outage",
+			updatedAt: now.Add(-24*time.Hour - 1*time.Second),
+			want:      true,
+		},
+		{
+			name:      "updated 24h - 1s ago => not outage",
+			updatedAt: now.Add(-24*time.Hour + 1*time.Second),
+			want:      false,
+		},
+		{
+			name:      "updated 23h ago => not outage",
+			updatedAt: now.Add(-23 * time.Hour),
+			want:      false,
+		},
+		{
+			name:      "just updated (now) => not outage",
+			updatedAt: now,
+			want:      false,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			s := &Subscription{UpdatedAt: tc.updatedAt}
+			got := s.IsOutage()
+			if got != tc.want {
+				t.Fatalf("IsOutage() = %v, want %v (updatedAt=%v now=%v threshold=%v)", got, tc.want, tc.updatedAt, time.Now(), tc.updatedAt.Add(24*time.Hour))
+			}
+		})
+	}
+}
+
+func TestSubscriptionGracePeriodDays(t *testing.T) {
+	now := time.Now()
+
+	tests := []struct {
+		name        string
+		activeUntil time.Time
+		days        int
+		want        bool
+	}{
+		{
+			name:        "future activeUntil with 3 days window => true",
+			activeUntil: now.Add(2 * time.Hour),
+			days:        3,
+			want:        true,
+		},
+		{
+			name:        "exact boundary 3 days ago => false",
+			activeUntil: now.AddDate(0, 0, -3),
+			days:        3,
+			want:        false,
+		},
+		{
+			name:        "just inside boundary 3 days => true",
+			activeUntil: now.AddDate(0, 0, -3).Add(1 * time.Second),
+			days:        3,
+			want:        true,
+		},
+		{
+			name:        "just outside boundary 3 days => false",
+			activeUntil: now.AddDate(0, 0, -3).Add(-1 * time.Second),
+			days:        3,
+			want:        false,
+		},
+		{
+			name:        "exact boundary 14 days => false",
+			activeUntil: now.AddDate(0, 0, -14),
+			days:        14,
+			want:        false,
+		},
+		{
+			name:        "just inside boundary 14 days => true",
+			activeUntil: now.AddDate(0, 0, -14).Add(1 * time.Second),
+			days:        14,
+			want:        true,
+		},
+		{
+			name:        "past boundary 14 days => false",
+			activeUntil: now.AddDate(0, 0, -14).Add(-1 * time.Second),
+			days:        14,
+			want:        false,
+		},
+		{
+			name:        "exact boundary 1 day => false",
+			activeUntil: now.Add(-24 * time.Hour),
+			days:        1,
+			want:        false,
+		},
+		{
+			name:        "just inside boundary 1 day => true",
+			activeUntil: now.Add(-24*time.Hour + 1*time.Second),
+			days:        1,
+			want:        true,
+		},
+		{
+			name:        "far past even with large window => false",
+			activeUntil: now.AddDate(0, 0, -30),
+			days:        14,
+			want:        false,
+		},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			s := &Subscription{ActiveUntil: tc.activeUntil}
+			got := s.GracePeriodDays(tc.days)
+			if got != tc.want {
+				t.Fatalf("GracePeriodDays(%d) = %v, want %v (activeUntil=%v now=%v boundary=%v)", tc.days, got, tc.want, tc.activeUntil, time.Now(), tc.activeUntil.AddDate(0, 0, tc.days))
+			}
+		})
+	}
+}
diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index 6c16bb0..c1c6891 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -32,6 +32,7 @@ func (s *Service) GetSubscription(ctx context.Context, userID string) (model.Sub
 	}
 
 	sub.Status = sub.GetStatus()
+	sub.Outage = sub.IsOutage()
 
 	return sub, nil
 }

From 06df0007d2abb1ea0e2f7d4c091e646436f777dc Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Sun, 12 Oct 2025 13:48:39 +0200
Subject: [PATCH 26/63] tests: update subscription_test.go

---
 api/internal/model/subscription_test.go | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/api/internal/model/subscription_test.go b/api/internal/model/subscription_test.go
index 59ef6d8..bf75f07 100644
--- a/api/internal/model/subscription_test.go
+++ b/api/internal/model/subscription_test.go
@@ -31,7 +31,6 @@ func TestSubscriptionActive(t *testing.T) {
 	}
 
 	for _, tc := range tests {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			s := &Subscription{ActiveUntil: tc.activeUntil}
 			got := s.Active()
@@ -90,7 +89,6 @@ func TestSubscriptionGracePeriod(t *testing.T) {
 	}
 
 	for _, tc := range tests {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			s := &Subscription{
 				UpdatedAt:   tc.updatedAt,
@@ -145,7 +143,6 @@ func TestSubscriptionLimitedAccess(t *testing.T) {
 	}
 
 	for _, tc := range tests {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			s := &Subscription{ActiveUntil: tc.activeUntil}
 			got := s.LimitedAccess()
@@ -197,7 +194,6 @@ func TestSubscriptionPendingDelete(t *testing.T) {
 	}
 
 	for _, tc := range tests {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			s := &Subscription{ActiveUntil: tc.activeUntil}
 			got := s.PendingDelete()
@@ -244,7 +240,6 @@ func TestSubscriptionIsOutage(t *testing.T) {
 	}
 
 	for _, tc := range tests {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			s := &Subscription{UpdatedAt: tc.updatedAt}
 			got := s.IsOutage()
@@ -327,7 +322,6 @@ func TestSubscriptionGracePeriodDays(t *testing.T) {
 	}
 
 	for _, tc := range tests {
-		tc := tc
 		t.Run(tc.name, func(t *testing.T) {
 			s := &Subscription{ActiveUntil: tc.activeUntil}
 			got := s.GracePeriodDays(tc.days)

From fd26de3e6d1fa5789f2f14f477580d3b926ea3bf Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Tue, 14 Oct 2025 13:43:58 +0200
Subject: [PATCH 27/63] docs(api): update docs.go

---
 api/docs/docs.go      | 21 ++++++++++++++++++---
 api/docs/swagger.json | 21 ++++++++++++++++++---
 api/docs/swagger.yaml | 18 +++++++++++++++---
 3 files changed, 51 insertions(+), 9 deletions(-)

diff --git a/api/docs/docs.go b/api/docs/docs.go
index 83532fc..cfb9b01 100644
--- a/api/docs/docs.go
+++ b/api/docs/docs.go
@@ -2022,11 +2022,11 @@ const docTemplate = `{
                 "id": {
                     "type": "string"
                 },
-                "is_active": {
+                "outage": {
                     "type": "boolean"
                 },
-                "is_grace_period": {
-                    "type": "boolean"
+                "status": {
+                    "$ref": "#/definitions/model.SubscriptionStatus"
                 },
                 "tier": {
                     "type": "string"
@@ -2036,6 +2036,21 @@ const docTemplate = `{
                 }
             }
         },
+        "model.SubscriptionStatus": {
+            "type": "string",
+            "enum": [
+                "active",
+                "grace_period",
+                "limited_access",
+                "pending_delete"
+            ],
+            "x-enum-varnames": [
+                "Active",
+                "GracePeriod",
+                "LimitedAccess",
+                "PendingDelete"
+            ]
+        },
         "model.TOTPBackup": {
             "type": "object",
             "properties": {
diff --git a/api/docs/swagger.json b/api/docs/swagger.json
index 1b9921d..62e6409 100644
--- a/api/docs/swagger.json
+++ b/api/docs/swagger.json
@@ -2011,11 +2011,11 @@
                 "id": {
                     "type": "string"
                 },
-                "is_active": {
+                "outage": {
                     "type": "boolean"
                 },
-                "is_grace_period": {
-                    "type": "boolean"
+                "status": {
+                    "$ref": "#/definitions/model.SubscriptionStatus"
                 },
                 "tier": {
                     "type": "string"
@@ -2025,6 +2025,21 @@
                 }
             }
         },
+        "model.SubscriptionStatus": {
+            "type": "string",
+            "enum": [
+                "active",
+                "grace_period",
+                "limited_access",
+                "pending_delete"
+            ],
+            "x-enum-varnames": [
+                "Active",
+                "GracePeriod",
+                "LimitedAccess",
+                "PendingDelete"
+            ]
+        },
         "model.TOTPBackup": {
             "type": "object",
             "properties": {
diff --git a/api/docs/swagger.yaml b/api/docs/swagger.yaml
index a72fb92..6c3af6a 100644
--- a/api/docs/swagger.yaml
+++ b/api/docs/swagger.yaml
@@ -256,15 +256,27 @@ definitions:
         type: string
       id:
         type: string
-      is_active:
-        type: boolean
-      is_grace_period:
+      outage:
         type: boolean
+      status:
+        $ref: '#/definitions/model.SubscriptionStatus'
       tier:
         type: string
       updated_at:
         type: string
     type: object
+  model.SubscriptionStatus:
+    enum:
+    - active
+    - grace_period
+    - limited_access
+    - pending_delete
+    type: string
+    x-enum-varnames:
+    - Active
+    - GracePeriod
+    - LimitedAccess
+    - PendingDelete
   model.TOTPBackup:
     properties:
       backup:

From cf81674bd8ca59e4f905df80102e3a65978c1ea2 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Thu, 16 Oct 2025 12:10:08 +0200
Subject: [PATCH 28/63] feat(app): update AccountSubscription.vue

---
 app/src/components/AccountSubscription.vue    | 27 +++++++++++++++++--
 .../components/AccountSubscriptionStatus.vue  |  4 +--
 2 files changed, 27 insertions(+), 4 deletions(-)

diff --git a/app/src/components/AccountSubscription.vue b/app/src/components/AccountSubscription.vue
index c561fd9..2799ba9 100644
--- a/app/src/components/AccountSubscription.vue
+++ b/app/src/components/AccountSubscription.vue
@@ -28,7 +28,7 @@
                 <div>
                     <h4>Limited Access Mode</h4>
                     <p>
-                        Your MailX account is in limited access mode. To regain full access add time to your <a href="https://www.ivpn.net/account/">IVPN account</a>.
+                        Your MailX account is in limited access mode. To regain full access add time to your <a target="_blank" href="https://www.ivpn.net/account/">IVPN account</a>.
                     </p>
                 </div>
             </footer>
@@ -41,7 +41,20 @@
                 <div>
                     <h4>Pending Deletion</h4>
                     <p>
-                        Your account is pending deletion. To reinstate access add time to your <a href="https://www.ivpn.net/account/">IVPN account</a>.
+                        Your account is pending deletion. To reinstate access add time to your <a target="_blank" href="https://www.ivpn.net/account/">IVPN account</a>.
+                    </p>
+                </div>
+            </footer>
+        </div>
+        <div v-if="isOutage()" class="card-tertiary">
+            <footer>
+                <div>
+                    <i class="icon info icon-primary"></i>
+                </div>
+                <div>
+                    <h4>Out of sync</h4>
+                    <p>
+                        Your account status last update was at {{ updatedAtDate() }}. <a target="_blank" href="https://www.ivpn.net/account/">Sync with IVPN</a>
                     </p>
                 </div>
             </footer>
@@ -62,7 +75,9 @@ const sub = ref({
     id: '',
     active_until: '',
     is_active: false,
+    updated_at: '',
     is_grace_period: false,
+    outage: false,
 })
 const error = ref('')
 const email = ref(localStorage.getItem('email'))
@@ -122,10 +137,18 @@ const activeUntilDate = () => {
     return new Date(sub.value.active_until).toDateString()
 }
 
+const updatedAtDate = () => {
+    return new Date(sub.value.updated_at).toLocaleString()
+}
+
 const onUpdateEmail = (event: any) => {
     email.value = event.email
 }
 
+const isOutage = () => {
+    return sub.value.outage
+}
+
 const parseParams = () => {
     const route = useRoute()
     const q = route.query
diff --git a/app/src/components/AccountSubscriptionStatus.vue b/app/src/components/AccountSubscriptionStatus.vue
index d54e9f1..31f4093 100644
--- a/app/src/components/AccountSubscriptionStatus.vue
+++ b/app/src/components/AccountSubscriptionStatus.vue
@@ -7,7 +7,7 @@
             <div>
                 <h4>Limited Access Mode</h4>
                 <p>
-                    Your MailX account is in limited access mode. To regain full access add time to your <a href="https://www.ivpn.net/account/">IVPN account</a>.
+                    Your MailX account is in limited access mode. To regain full access add time to your <a target="_blank" href="https://www.ivpn.net/account/">IVPN account</a>.
                 </p>
             </div>
         </footer>
@@ -20,7 +20,7 @@
             <div>
                 <h4>Pending Deletion</h4>
                 <p>
-                    Your account is pending deletion. To reinstate access add time to your <a href="https://www.ivpn.net/account/">IVPN account</a>.
+                    Your account is pending deletion. To reinstate access add time to your <a target="_blank" href="https://www.ivpn.net/account/">IVPN account</a>.
                 </p>
             </div>
         </footer>

From e06824c0c2f19fd4ea19b362d326e410108064de Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Thu, 16 Oct 2025 13:01:02 +0200
Subject: [PATCH 29/63] feat(app): update AccountSubscription.vue

---
 app/src/components/AccountSubscription.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/src/components/AccountSubscription.vue b/app/src/components/AccountSubscription.vue
index 2799ba9..ad82f6d 100644
--- a/app/src/components/AccountSubscription.vue
+++ b/app/src/components/AccountSubscription.vue
@@ -54,7 +54,7 @@
                 <div>
                     <h4>Out of sync</h4>
                     <p>
-                        Your account status last update was at {{ updatedAtDate() }}. <a target="_blank" href="https://www.ivpn.net/account/">Sync with IVPN</a>
+                        Your last account status update was {{ updatedAtDate() }}. <a target="_blank" href="https://www.ivpn.net/account/">Sync with IVPN</a>
                     </p>
                 </div>
             </footer>

From 845d339bf4dc36da0ce1be68353e2ef8ada11335 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Sun, 19 Oct 2025 17:27:04 +0200
Subject: [PATCH 30/63] feat(service): update subscription.go

---
 api/internal/model/pa_session.go           |  7 ++++
 api/internal/service/subscription.go       | 35 ++++++++++++++++++
 api/internal/transport/api/req.go          |  6 +++
 api/internal/transport/api/routes.go       |  4 ++
 api/internal/transport/api/subscription.go | 43 ++++++++++++++++++++++
 5 files changed, 95 insertions(+)
 create mode 100644 api/internal/model/pa_session.go

diff --git a/api/internal/model/pa_session.go b/api/internal/model/pa_session.go
new file mode 100644
index 0000000..43179e7
--- /dev/null
+++ b/api/internal/model/pa_session.go
@@ -0,0 +1,7 @@
+package model
+
+type PASession struct {
+	ID        string `json:"id"`
+	Token     string `json:"token"`
+	PreAuthID string `json:"preauth_id"`
+}
diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index c1c6891..13d1e11 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -2,8 +2,10 @@ package service
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"log"
+	"time"
 
 	"github.com/go-sql-driver/mysql"
 	"github.com/google/uuid"
@@ -117,3 +119,36 @@ func (s *Service) DeleteSubscription(ctx context.Context, userID string) error {
 
 	return nil
 }
+
+func (s *Service) AddPASession(ctx context.Context, paSession model.PASession) error {
+	data, err := json.Marshal(paSession)
+	if err != nil {
+		log.Println("failed to marshal pre-auth session to JSON:", err)
+		return err
+	}
+
+	err = s.Cache.Set(ctx, "pasession_"+paSession.ID, string(data), 15*time.Minute)
+	if err != nil {
+		log.Println("failed to set pre-auth session in Redis:", err)
+		return err
+	}
+
+	return nil
+}
+
+func (s *Service) GetPASession(ctx context.Context, id string) (model.PASession, error) {
+	data, err := s.Cache.Get(ctx, "pasession_"+id)
+	if err != nil {
+		log.Println("failed to get pre-auth session from Redis:", err)
+		return model.PASession{}, err
+	}
+
+	var paSession model.PASession
+	err = json.Unmarshal([]byte(data), &paSession)
+	if err != nil {
+		log.Println("failed to unmarshal pre-auth session JSON:", err)
+		return model.PASession{}, err
+	}
+
+	return paSession, nil
+}
diff --git a/api/internal/transport/api/req.go b/api/internal/transport/api/req.go
index fd5e779..416f293 100644
--- a/api/internal/transport/api/req.go
+++ b/api/internal/transport/api/req.go
@@ -77,3 +77,9 @@ type ActivateReq struct {
 type TotpReq struct {
 	OTP string `json:"otp" validate:"required,min=6,max=8"`
 }
+
+type PASessionReq struct {
+	ID        string `json:"id" validate:"required,uuid"`
+	PreAuthID string `json:"preauth_id" validate:"required,uuid"`
+	Token     string `json:"token" validate:"required"`
+}
diff --git a/api/internal/transport/api/routes.go b/api/internal/transport/api/routes.go
index afba0e6..f95c03b 100644
--- a/api/internal/transport/api/routes.go
+++ b/api/internal/transport/api/routes.go
@@ -33,6 +33,10 @@ func (h *Handler) SetupRoutes(cfg config.APIConfig) {
 	h.Server.Post("/v1/login/begin", limiter.New(), h.BeginLogin)
 	h.Server.Post("/v1/login/finish", limiter.New(), h.FinishLogin)
 
+	session := h.Server.Group("/v1/sub/session")
+	session.Use(auth.NewPSK(cfg))
+	session.Post("", h.AddPASession)
+
 	v1 := h.Server.Group("/v1")
 	v1.Use(auth.New(cfg, h.Cache, h.Service))
 
diff --git a/api/internal/transport/api/subscription.go b/api/internal/transport/api/subscription.go
index f699beb..7c8f325 100644
--- a/api/internal/transport/api/subscription.go
+++ b/api/internal/transport/api/subscription.go
@@ -16,6 +16,7 @@ var (
 type SubscriptionService interface {
 	GetSubscription(context.Context, string) (model.Subscription, error)
 	UpdateSubscription(context.Context, model.Subscription, string, string, string) error
+	AddPASession(context.Context, model.PASession) error
 }
 
 // @Summary Get subscription
@@ -80,3 +81,45 @@ func (h *Handler) UpdateSubscription(c *fiber.Ctx) error {
 		"message": UpdateSubscriptionSuccess,
 	})
 }
+
+// @Summary Add pre-auth session
+// @Description Add pre-auth session
+// @Tags subscription
+// @Accept json
+// @Produce json
+// @Security ApiKeyAuth
+// @Param body body PASessionReq true "Pre-auth session request"
+// @Success 200 {object} SuccessRes
+// @Failure 400 {object} ErrorRes
+// @Router /sub/session [post]
+func (h *Handler) AddPASession(c *fiber.Ctx) error {
+	req := PASessionReq{}
+	err := c.BodyParser(&req)
+	if err != nil {
+		return c.Status(400).JSON(fiber.Map{
+			"error": ErrInvalidRequest,
+		})
+	}
+
+	err = h.Validator.Struct(req)
+	if err != nil {
+		return c.Status(400).JSON(fiber.Map{
+			"error": ErrInvalidRequest,
+		})
+	}
+
+	paSession := model.PASession{
+		ID:        req.ID,
+		PreAuthID: req.PreAuthID,
+		Token:     req.Token,
+	}
+
+	err = h.Service.AddPASession(c.Context(), paSession)
+	if err != nil {
+		return c.Status(400).JSON(fiber.Map{
+			"error": err.Error(),
+		})
+	}
+
+	return nil
+}

From 2dacd84b7ce144540459b6d83a3cec3e3ba31425 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Sun, 19 Oct 2025 17:54:04 +0200
Subject: [PATCH 31/63] feat(api): update subscription.go

---
 api/internal/middleware/auth/auth.go       | 11 ++++++
 api/internal/service/subscription.go       | 31 +++++++++++++++++
 api/internal/transport/api/req.go          |  4 +++
 api/internal/transport/api/routes.go       |  1 +
 api/internal/transport/api/subscription.go | 39 ++++++++++++++++++++++
 5 files changed, 86 insertions(+)

diff --git a/api/internal/middleware/auth/auth.go b/api/internal/middleware/auth/auth.go
index 3ab9237..b2e4169 100644
--- a/api/internal/middleware/auth/auth.go
+++ b/api/internal/middleware/auth/auth.go
@@ -134,6 +134,17 @@ func NewCookieTempAuthn(token string, path string, cfg config.APIConfig) *fiber.
 	}
 }
 
+func NewCookiePASession(id string) *fiber.Cookie {
+	return &fiber.Cookie{
+		Name:     "pasession",
+		Value:    id,
+		HTTPOnly: true,
+		Secure:   true,
+		MaxAge:   900, // 15 minutes
+		Expires:  time.Now().Add(15 * time.Minute),
+	}
+}
+
 func NewWebAuthn(cfg config.APIConfig) *webauthn.WebAuthn {
 	var webAuthn *webauthn.WebAuthn
 	config := &webauthn.Config{
diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index 13d1e11..8260c8d 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -152,3 +152,34 @@ func (s *Service) GetPASession(ctx context.Context, id string) (model.PASession,
 
 	return paSession, nil
 }
+
+func (s *Service) RotatePASessionId(ctx context.Context, id string) (string, error) {
+	paSession, err := s.GetPASession(ctx, id)
+	if err != nil {
+		log.Println("failed to get pre-auth session for rotation:", err)
+		return "", err
+	}
+
+	newID := uuid.New().String()
+	paSession.ID = newID
+
+	data, err := json.Marshal(paSession)
+	if err != nil {
+		log.Println("failed to marshal rotated pre-auth session to JSON:", err)
+		return "", err
+	}
+
+	err = s.Cache.Set(ctx, "pasession_"+newID, string(data), 15*time.Minute)
+	if err != nil {
+		log.Println("failed to set rotated pre-auth session in Redis:", err)
+		return "", err
+	}
+
+	err = s.Cache.Del(ctx, "pasession_"+id)
+	if err != nil {
+		log.Println("failed to delete old pre-auth session from Redis:", err)
+		return "", err
+	}
+
+	return newID, nil
+}
diff --git a/api/internal/transport/api/req.go b/api/internal/transport/api/req.go
index 416f293..aa1277c 100644
--- a/api/internal/transport/api/req.go
+++ b/api/internal/transport/api/req.go
@@ -83,3 +83,7 @@ type PASessionReq struct {
 	PreAuthID string `json:"preauth_id" validate:"required,uuid"`
 	Token     string `json:"token" validate:"required"`
 }
+
+type RotatePASessionReq struct {
+	ID string `json:"id" validate:"required,uuid"`
+}
diff --git a/api/internal/transport/api/routes.go b/api/internal/transport/api/routes.go
index f95c03b..77a84c3 100644
--- a/api/internal/transport/api/routes.go
+++ b/api/internal/transport/api/routes.go
@@ -27,6 +27,7 @@ func (h *Handler) SetupRoutes(cfg config.APIConfig) {
 	h.Server.Post("/v1/login", limit.New(5, 10*time.Minute), h.Login)
 	h.Server.Post("/v1/initiatepasswordreset", limiter.New(), h.InitiatePasswordReset)
 	h.Server.Put("/v1/resetpassword", limiter.New(), h.ResetPassword)
+	h.Server.Put("/v1/rotatepasession", limiter.New(), h.RotatePASession)
 
 	h.Server.Post("/v1/register/begin", limiter.New(), h.BeginRegistration)
 	h.Server.Post("/v1/register/finish", limiter.New(), h.FinishRegistration)
diff --git a/api/internal/transport/api/subscription.go b/api/internal/transport/api/subscription.go
index 7c8f325..e30c18e 100644
--- a/api/internal/transport/api/subscription.go
+++ b/api/internal/transport/api/subscription.go
@@ -11,12 +11,14 @@ import (
 var (
 	UpdateSubscriptionSuccess = "Subscription updated successfully."
 	AddSubscriptionSuccess    = "Subscription added successfully."
+	InvalidPASessionId        = "Invalid pre-auth session ID."
 )
 
 type SubscriptionService interface {
 	GetSubscription(context.Context, string) (model.Subscription, error)
 	UpdateSubscription(context.Context, model.Subscription, string, string, string) error
 	AddPASession(context.Context, model.PASession) error
+	RotatePASessionId(context.Context, string) (string, error)
 }
 
 // @Summary Get subscription
@@ -123,3 +125,40 @@ func (h *Handler) AddPASession(c *fiber.Ctx) error {
 
 	return nil
 }
+
+// @Summary Rotate pre-auth session ID
+// @Description Rotate pre-auth session ID
+// @Tags subscription
+// @Accept json
+// @Produce json
+// @Param body body RotatePASessionReq true "Rotate pre-auth session request"
+// @Success 200 {object} SuccessRes
+// @Failure 400 {object} ErrorRes
+// @Router /rotatepasession [put]
+func (h *Handler) RotatePASession(c *fiber.Ctx) error {
+	req := RotatePASessionReq{}
+	err := c.BodyParser(&req)
+	if err != nil {
+		return c.Status(400).JSON(fiber.Map{
+			"error": InvalidPASessionId,
+		})
+	}
+
+	err = h.Validator.Struct(req)
+	if err != nil {
+		return c.Status(400).JSON(fiber.Map{
+			"error": InvalidPASessionId,
+		})
+	}
+
+	newID, err := h.Service.RotatePASessionId(c.Context(), req.ID)
+	if err != nil {
+		return c.Status(400).JSON(fiber.Map{
+			"error": InvalidPASessionId,
+		})
+	}
+
+	c.Cookie(auth.NewCookiePASession(newID))
+
+	return c.SendStatus(fiber.StatusOK)
+}

From 34030b9b2dc7a9f69e623f08804eea33bf64f62d Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Mon, 20 Oct 2025 12:53:43 +0200
Subject: [PATCH 32/63] feat(api): update req.go

---
 api/internal/transport/api/req.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/internal/transport/api/req.go b/api/internal/transport/api/req.go
index aa1277c..02a5b65 100644
--- a/api/internal/transport/api/req.go
+++ b/api/internal/transport/api/req.go
@@ -85,5 +85,5 @@ type PASessionReq struct {
 }
 
 type RotatePASessionReq struct {
-	ID string `json:"id" validate:"required,uuid"`
+	ID string `json:"sessionid" validate:"required,uuid"`
 }

From 0f8a940de22e2e825c01306e620a9f3933f1bc1f Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Mon, 20 Oct 2025 12:59:35 +0200
Subject: [PATCH 33/63] feat(app): update AccountSubscription.vue

---
 app/src/api/subscription.ts                |  1 +
 app/src/components/AccountSubscription.vue | 39 ++++++++++++++--------
 2 files changed, 26 insertions(+), 14 deletions(-)

diff --git a/app/src/api/subscription.ts b/app/src/api/subscription.ts
index a45f189..f1cc2db 100644
--- a/app/src/api/subscription.ts
+++ b/app/src/api/subscription.ts
@@ -3,4 +3,5 @@ import { api } from './api'
 export const subscriptionApi = {
     get: () => api.get('/sub'),
     update: (data: any) => api.put('/sub/update', data),
+    rotateSessionId: (data: any) => api.put('/rotateSession', data),
 }
\ No newline at end of file
diff --git a/app/src/components/AccountSubscription.vue b/app/src/components/AccountSubscription.vue
index ad82f6d..ba36431 100644
--- a/app/src/components/AccountSubscription.vue
+++ b/app/src/components/AccountSubscription.vue
@@ -82,8 +82,7 @@ const sub = ref({
 const error = ref('')
 const email = ref(localStorage.getItem('email'))
 const subid = ref('')
-const preauthid = ref('')
-const preauthtokenhash = ref('')
+const sessionid = ref('')
 const currentRoute = useRoute()
 const syncing = ref(false)
 
@@ -99,7 +98,7 @@ const getSubscription = async () => {
 }
 
 const updateSubscription = async () => {
-    if (!subid.value || !preauthid.value || !preauthtokenhash.value) {
+    if (!subid.value) {
         return
     }
 
@@ -108,8 +107,6 @@ const updateSubscription = async () => {
         await subscriptionApi.update({
             id: sub.value.id,
             subid: subid.value,
-            preauthid: preauthid.value,
-            preauthtokenhash: preauthtokenhash.value,
         })
         await getSubscription()
     } catch (err) {
@@ -121,6 +118,26 @@ const updateSubscription = async () => {
     }
 }
 
+const rotateSessionId = async () => {
+    if (!sessionid.value) {
+        return
+    }
+
+    syncing.value = true
+    try {
+        await subscriptionApi.rotateSessionId({
+            sessionid: sessionid.value,
+        })
+        await updateSubscription()
+    } catch (err) {
+        if (axios.isAxiosError(err)) {
+            error.value = err.message
+        }
+    } finally {
+        syncing.value = false
+    }
+}
+
 const isActive = () => {
     return sub.value.active_until > new Date().toISOString()
 }
@@ -154,23 +171,17 @@ const parseParams = () => {
     const q = route.query
     const first = (v: unknown) => typeof v === 'string' ? v : Array.isArray(v) ? v[0] : ''
     subid.value = first(q.subid) || (route.params.subid as string) || ''
-    preauthid.value = first(q.preauthid) || (route.params.preauthid as string) || ''
-    preauthtokenhash.value = first(q.preauthtokenhash) || (route.params.preauthtokenhash as string) || ''
-    preauthtokenhash.value = preauthtokenhash.value.replace(/ /g, '+')
+    sessionid.value = first(q.sessionid) || (route.params.sessionid as string) || ''
 
     if (!subid.value || !subid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
         return
     }
 
-    if (!preauthid.value || !preauthid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
-        return
-    }
-
-    if (!preauthtokenhash.value) {
+    if (!sessionid.value || !sessionid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
         return
     }
 
-    updateSubscription()
+    rotateSessionId()
 }
 
 onMounted(() => {

From 9671238279b0de30463ed4993bc12a28eaf6a5e5 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Mon, 20 Oct 2025 13:04:33 +0200
Subject: [PATCH 34/63] feat(app): update Signup.vue

---
 app/src/components/Signup.vue | 46 +++++++++++++++++++++++------------
 1 file changed, 30 insertions(+), 16 deletions(-)

diff --git a/app/src/components/Signup.vue b/app/src/components/Signup.vue
index 33c7890..0e4b2f3 100644
--- a/app/src/components/Signup.vue
+++ b/app/src/components/Signup.vue
@@ -104,6 +104,7 @@ import { ref, onMounted, onUpdated } from 'vue'
 import { useRoute } from 'vue-router'
 import axios from 'axios'
 import { userApi } from '../api/user.ts'
+import { subscriptionApi } from '../api/subscription.ts'
 import { startRegistration, browserSupportsWebAuthn } from '@simplewebauthn/browser'
 import tabs from '@preline/tabs'
 import Footer from './Footer.vue'
@@ -119,8 +120,8 @@ const apiError = ref('')
 const isLoading = ref(false)
 const passkeySupported = ref(false)
 const subid = ref('')
-const preauthid = ref('')
-const preauthtokenhash = ref('')
+const sessionid = ref('')
+const syncing = ref(false)
 
 const validateEmail = () => {
     emailError.value = !email.value
@@ -129,7 +130,7 @@ const validateEmail = () => {
 
 const validateEmailAuthn = () => {
     emailAuthnError.value = !emailAuthn.value
-    return !emailAuthnError.value
+    return !emailAuthnError.value && syncing.value === false
 }
 
 const validatePassword = () => {
@@ -140,7 +141,7 @@ const validatePassword = () => {
 const validate = () => {
     const validEmail = validateEmail()
     const validPass = validatePassword()
-    return validEmail && validPass
+    return validEmail && validPass && syncing.value === false
 }
 
 const register = async () => {
@@ -151,8 +152,6 @@ const register = async () => {
         email: email.value,
         password: password.value,
         subid: subid.value,
-        preauthid: preauthid.value,
-        preauthtokenhash: preauthtokenhash.value
     }
 
     try {
@@ -181,8 +180,6 @@ const registerWithPasskey = async () => {
     const data = {
         email: emailAuthn.value,
         subid: subid.value,
-        preauthid: preauthid.value,
-        preauthtokenhash: preauthtokenhash.value
     }
 
     try {
@@ -205,26 +202,43 @@ const registerWithPasskey = async () => {
     }
 }
 
+const rotateSessionId = async () => {
+    if (!sessionid.value) {
+        return
+    }
+
+    syncing.value = true
+    try {
+        await subscriptionApi.rotateSessionId({
+            sessionid: sessionid.value,
+        })
+    } catch (err) {
+        if (axios.isAxiosError(err)) {
+            apiError.value = err.message
+        }
+    } finally {
+        syncing.value = false
+    }
+}
+
 const parseParams = () => {
     const route = useRoute()
     const q = route.query
     const first = (v: unknown) => typeof v === 'string' ? v : Array.isArray(v) ? v[0] : ''
     subid.value = first(q.subid) || (route.params.subid as string) || ''
-    preauthid.value = first(q.preauthid) || (route.params.preauthid as string) || ''
-    preauthtokenhash.value = first(q.preauthtokenhash) || (route.params.preauthtokenhash as string) || ''
-    preauthtokenhash.value = preauthtokenhash.value.replace(/ /g, '+')
+    sessionid.value = first(q.sessionid) || (route.params.sessionid as string) || ''
 
     if (!subid.value || !subid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
         console.error('Invalid or missing subid')
+        return
     }
 
-    if (!preauthid.value || !preauthid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
-        console.error('Invalid or missing preauthid')
+    if (!sessionid.value || !sessionid.value.match(/^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$/)) {
+        console.error('Invalid or missing sessionid')
+        return
     }
 
-    if (!preauthtokenhash.value) {
-        console.error('Invalid or missing preauthtokenhash')
-    }
+    rotateSessionId()
 }
 
 const isLoggedIn = (): boolean => {

From 579d87f2df3823e41fd5a3e8fa036fb3dd8a1c66 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Mon, 20 Oct 2025 16:01:30 +0200
Subject: [PATCH 35/63] feat(service): update subscription.go

---
 api/internal/middleware/auth/auth.go       |  3 ++-
 api/internal/model/pa_session.go           |  2 +-
 api/internal/service/subscription.go       | 21 ++++++++++++++++++---
 api/internal/transport/api/req.go          |  8 +++-----
 api/internal/transport/api/subscription.go |  8 +++++---
 5 files changed, 29 insertions(+), 13 deletions(-)

diff --git a/api/internal/middleware/auth/auth.go b/api/internal/middleware/auth/auth.go
index b2e4169..b0448ee 100644
--- a/api/internal/middleware/auth/auth.go
+++ b/api/internal/middleware/auth/auth.go
@@ -24,6 +24,7 @@ const (
 	AUTH_COOKIE       = "auth"
 	AUTHN_COOKIE      = "authn"
 	AUTHN_TEMP_COOKIE = "authntemp"
+	PA_SESSION_COOKIE = "pasession"
 	USER_ID           = "user_id"
 )
 
@@ -136,7 +137,7 @@ func NewCookieTempAuthn(token string, path string, cfg config.APIConfig) *fiber.
 
 func NewCookiePASession(id string) *fiber.Cookie {
 	return &fiber.Cookie{
-		Name:     "pasession",
+		Name:     PA_SESSION_COOKIE,
 		Value:    id,
 		HTTPOnly: true,
 		Secure:   true,
diff --git a/api/internal/model/pa_session.go b/api/internal/model/pa_session.go
index 43179e7..e71f25d 100644
--- a/api/internal/model/pa_session.go
+++ b/api/internal/model/pa_session.go
@@ -3,5 +3,5 @@ package model
 type PASession struct {
 	ID        string `json:"id"`
 	Token     string `json:"token"`
-	PreAuthID string `json:"preauth_id"`
+	PreauthId string `json:"preauth_id"`
 }
diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index 8260c8d..f167643 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -2,6 +2,8 @@ package service
 
 import (
 	"context"
+	"crypto/sha256"
+	"encoding/base64"
 	"encoding/json"
 	"errors"
 	"log"
@@ -18,6 +20,8 @@ var (
 	ErrPostSubscription   = errors.New("Unable to create subscription.")
 	ErrUpdateSubscription = errors.New("Unable to update subscription.")
 	ErrDeleteSubscription = errors.New("Unable to delete subscription.")
+	ErrPANotFound         = errors.New("Pre-auth entry not found.")
+	ErrPASessionNotFound  = errors.New("Pre-auth session not found.")
 )
 
 type SubscriptionStore interface {
@@ -73,14 +77,25 @@ func (s *Service) AddSubscription(ctx context.Context, subscription model.Subscr
 	return nil
 }
 
-func (s *Service) UpdateSubscription(ctx context.Context, sub model.Subscription, subID string, preauthID string, preauthTokenHash string) error {
+func (s *Service) UpdateSubscription(ctx context.Context, sub model.Subscription, subID string, sessionId string) error {
+	paSession, err := s.GetPASession(ctx, sessionId)
+	if err != nil {
+		log.Printf("error creating user: %s", err.Error())
+		return ErrPASessionNotFound
+	}
+
+	preauthID := paSession.PreauthId
+	token := paSession.Token
+	tokenHash := sha256.Sum256([]byte(token))
+	tokenHashStr := base64.StdEncoding.EncodeToString(tokenHash[:])
+
 	preauth, err := s.Http.GetPreauth(preauthID)
 	if err != nil {
 		log.Printf("error creating user: %s", err.Error())
-		return ErrInvalidSubscription
+		return ErrPANotFound
 	}
 
-	if preauth.TokenHash != preauthTokenHash {
+	if preauth.TokenHash != tokenHashStr {
 		log.Printf("error creating user: Token hash does not match")
 		return ErrTokenHashMismatch
 	}
diff --git a/api/internal/transport/api/req.go b/api/internal/transport/api/req.go
index 02a5b65..e8297a2 100644
--- a/api/internal/transport/api/req.go
+++ b/api/internal/transport/api/req.go
@@ -26,10 +26,8 @@ type SignupEmailReq struct {
 }
 
 type SubscriptionReq struct {
-	ID               string `json:"id" validate:"required,uuid"`
-	SubID            string `json:"subid" validate:"required,uuid"`
-	PreauthID        string `json:"preauthid" validate:"required,uuid"`
-	PreauthTokenHash string `json:"preauthtokenhash" validate:"required"`
+	ID    string `json:"id" validate:"required,uuid"`
+	SubID string `json:"subid" validate:"required,uuid"`
 }
 
 type AliasReq struct {
@@ -80,7 +78,7 @@ type TotpReq struct {
 
 type PASessionReq struct {
 	ID        string `json:"id" validate:"required,uuid"`
-	PreAuthID string `json:"preauth_id" validate:"required,uuid"`
+	PreauthId string `json:"preauth_id" validate:"required,uuid"`
 	Token     string `json:"token" validate:"required"`
 }
 
diff --git a/api/internal/transport/api/subscription.go b/api/internal/transport/api/subscription.go
index e30c18e..be32263 100644
--- a/api/internal/transport/api/subscription.go
+++ b/api/internal/transport/api/subscription.go
@@ -16,7 +16,7 @@ var (
 
 type SubscriptionService interface {
 	GetSubscription(context.Context, string) (model.Subscription, error)
-	UpdateSubscription(context.Context, model.Subscription, string, string, string) error
+	UpdateSubscription(context.Context, model.Subscription, string, string) error
 	AddPASession(context.Context, model.PASession) error
 	RotatePASessionId(context.Context, string) (string, error)
 }
@@ -54,6 +54,8 @@ func (h *Handler) GetSubscription(c *fiber.Ctx) error {
 // @Failure 400 {object} ErrorRes
 // @Router /subscription/update [put]
 func (h *Handler) UpdateSubscription(c *fiber.Ctx) error {
+	sessionId := c.Cookies(auth.PA_SESSION_COOKIE)
+
 	req := SubscriptionReq{}
 	err := c.BodyParser(&req)
 	if err != nil {
@@ -72,7 +74,7 @@ func (h *Handler) UpdateSubscription(c *fiber.Ctx) error {
 	sub := model.Subscription{}
 	sub.ID = req.ID
 
-	err = h.Service.UpdateSubscription(c.Context(), sub, req.SubID, req.PreauthID, req.PreauthTokenHash)
+	err = h.Service.UpdateSubscription(c.Context(), sub, req.SubID, sessionId)
 	if err != nil {
 		return c.Status(400).JSON(fiber.Map{
 			"error": err.Error(),
@@ -112,7 +114,7 @@ func (h *Handler) AddPASession(c *fiber.Ctx) error {
 
 	paSession := model.PASession{
 		ID:        req.ID,
-		PreAuthID: req.PreAuthID,
+		PreauthId: req.PreauthId,
 		Token:     req.Token,
 	}
 

From a2eac230869977b1d8c6ee19767844c1238c58a1 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Mon, 20 Oct 2025 16:09:16 +0200
Subject: [PATCH 36/63] feat(service): update user.go

---
 api/internal/service/subscription.go   |  4 ++--
 api/internal/service/user.go           | 23 ++++++++++++++++++-----
 api/internal/transport/api/req.go      | 14 +++++---------
 api/internal/transport/api/user.go     |  7 +++++--
 api/internal/transport/api/webauthn.go |  5 ++++-
 5 files changed, 34 insertions(+), 19 deletions(-)

diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index f167643..165a0eb 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -84,12 +84,12 @@ func (s *Service) UpdateSubscription(ctx context.Context, sub model.Subscription
 		return ErrPASessionNotFound
 	}
 
-	preauthID := paSession.PreauthId
+	preauthId := paSession.PreauthId
 	token := paSession.Token
 	tokenHash := sha256.Sum256([]byte(token))
 	tokenHashStr := base64.StdEncoding.EncodeToString(tokenHash[:])
 
-	preauth, err := s.Http.GetPreauth(preauthID)
+	preauth, err := s.Http.GetPreauth(preauthId)
 	if err != nil {
 		log.Printf("error creating user: %s", err.Error())
 		return ErrPANotFound
diff --git a/api/internal/service/user.go b/api/internal/service/user.go
index 4a969f2..0d361fe 100644
--- a/api/internal/service/user.go
+++ b/api/internal/service/user.go
@@ -2,7 +2,9 @@ package service
 
 import (
 	"context"
+	"crypto/sha256"
 	"encoding/base32"
+	"encoding/base64"
 	"errors"
 	"log"
 	"strings"
@@ -91,7 +93,7 @@ func (s *Service) GetUserByEmail(ctx context.Context, email string) (model.User,
 	return user, nil
 }
 
-func (s *Service) GetUnfinishedSignupOrPostUser(ctx context.Context, user model.User, subID string, preauthID string, preauthTokenHash string) (model.User, error) {
+func (s *Service) GetUnfinishedSignupOrPostUser(ctx context.Context, user model.User, subID string, sessionId string) (model.User, error) {
 	email := user.Email
 	pass := user.PasswordPlain
 	user, err := s.Store.GetUserByEmailUnfinishedSignup(ctx, email)
@@ -101,7 +103,7 @@ func (s *Service) GetUnfinishedSignupOrPostUser(ctx context.Context, user model.
 			PasswordPlain: pass,
 			IsActive:      false,
 		}
-		err = s.PostUser(ctx, user, subID, preauthID, preauthTokenHash)
+		err = s.PostUser(ctx, user, subID, sessionId)
 		if err != nil {
 			log.Printf("error creating user: %s", err.Error())
 			return model.User{}, ErrPostUser
@@ -135,14 +137,25 @@ func (s *Service) SaveUser(ctx context.Context, user model.User) error {
 	return nil
 }
 
-func (s *Service) PostUser(ctx context.Context, user model.User, subID string, preauthID string, preauthTokenHash string) error {
-	preauth, err := s.Http.GetPreauth(preauthID)
+func (s *Service) PostUser(ctx context.Context, user model.User, subID string, sessionId string) error {
+	paSession, err := s.GetPASession(ctx, sessionId)
+	if err != nil {
+		log.Printf("error creating user: %s", err.Error())
+		return ErrPASessionNotFound
+	}
+
+	preauthId := paSession.PreauthId
+	token := paSession.Token
+	tokenHash := sha256.Sum256([]byte(token))
+	tokenHashStr := base64.StdEncoding.EncodeToString(tokenHash[:])
+
+	preauth, err := s.Http.GetPreauth(preauthId)
 	if err != nil {
 		log.Printf("error creating user: %s", err.Error())
 		return ErrInvalidSubscription
 	}
 
-	if preauth.TokenHash != preauthTokenHash {
+	if preauth.TokenHash != tokenHashStr {
 		log.Printf("error creating user: Token hash does not match")
 		return ErrTokenHashMismatch
 	}
diff --git a/api/internal/transport/api/req.go b/api/internal/transport/api/req.go
index e8297a2..c4931c6 100644
--- a/api/internal/transport/api/req.go
+++ b/api/internal/transport/api/req.go
@@ -11,18 +11,14 @@ type EmailReq struct {
 }
 
 type SignupUserReq struct {
-	Email            string `json:"email" validate:"required,emailx"`
-	Password         string `json:"password" validate:"password"`
-	SubID            string `json:"subid" validate:"required,uuid"`
-	PreauthID        string `json:"preauthid" validate:"required,uuid"`
-	PreauthTokenHash string `json:"preauthtokenhash" validate:"required"`
+	Email    string `json:"email" validate:"required,emailx"`
+	Password string `json:"password" validate:"password"`
+	SubID    string `json:"subid" validate:"required,uuid"`
 }
 
 type SignupEmailReq struct {
-	Email            string `json:"email" validate:"required,emailx"`
-	SubID            string `json:"subid" validate:"required,uuid"`
-	PreauthID        string `json:"preauthid" validate:"required,uuid"`
-	PreauthTokenHash string `json:"preauthtokenhash" validate:"required"`
+	Email string `json:"email" validate:"required,emailx"`
+	SubID string `json:"subid" validate:"required,uuid"`
 }
 
 type SubscriptionReq struct {
diff --git a/api/internal/transport/api/user.go b/api/internal/transport/api/user.go
index fcb19ab..7f60c4f 100644
--- a/api/internal/transport/api/user.go
+++ b/api/internal/transport/api/user.go
@@ -37,7 +37,7 @@ type UserService interface {
 	GetUserByCredentials(context.Context, string, string) (model.User, error)
 	GetUserByPassword(context.Context, string, string) (model.User, error)
 	GetUserByEmail(context.Context, string) (model.User, error)
-	GetUnfinishedSignupOrPostUser(context.Context, model.User, string, string, string) (model.User, error)
+	GetUnfinishedSignupOrPostUser(context.Context, model.User, string, string) (model.User, error)
 	SaveUser(context.Context, model.User) error
 	DeleteUserRequest(context.Context, string) (string, error)
 	DeleteUser(context.Context, string, string) error
@@ -65,6 +65,9 @@ type UserService interface {
 // @Failure 400 {object} ErrorRes
 // @Router /register [post]
 func (h *Handler) Register(c *fiber.Ctx) error {
+	// Get session ID from cookie
+	sessionId := c.Cookies(auth.PA_SESSION_COOKIE)
+
 	// Parse the request
 	req := SignupUserReq{}
 	err := c.BodyParser(&req)
@@ -90,7 +93,7 @@ func (h *Handler) Register(c *fiber.Ctx) error {
 	}
 
 	// Get unfinished signup user or create new user
-	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, req.PreauthID, req.PreauthTokenHash)
+	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, sessionId)
 	if err != nil {
 		return c.Status(400).JSON(fiber.Map{
 			"error": err.Error(),
diff --git a/api/internal/transport/api/webauthn.go b/api/internal/transport/api/webauthn.go
index f5d2da2..4b230bb 100644
--- a/api/internal/transport/api/webauthn.go
+++ b/api/internal/transport/api/webauthn.go
@@ -51,6 +51,9 @@ type CredentialService interface {
 // @Failure 400 {object} ErrorRes
 // @Router /register/begin [post]
 func (h *Handler) BeginRegistration(c *fiber.Ctx) error {
+	// Get session ID from cookie
+	sessionId := c.Cookies(auth.PA_SESSION_COOKIE)
+
 	// Parse the request
 	req := SignupEmailReq{}
 	err := c.BodyParser(&req)
@@ -75,7 +78,7 @@ func (h *Handler) BeginRegistration(c *fiber.Ctx) error {
 	}
 
 	// Get unfinished signup user or create new user
-	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, req.PreauthID, req.PreauthTokenHash)
+	user, err = h.Service.GetUnfinishedSignupOrPostUser(c.Context(), user, req.SubID, sessionId)
 	if err != nil {
 		return c.Status(400).JSON(fiber.Map{
 			"error": err.Error(),

From e0facc5eae61c7be69d0850926a73d364c1fb733 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Mon, 20 Oct 2025 16:11:17 +0200
Subject: [PATCH 37/63] docs: update docs.go

---
 api/docs/docs.go      | 139 ++++++++++++++++++++++++++++++++++--------
 api/docs/swagger.json | 139 ++++++++++++++++++++++++++++++++++--------
 api/docs/swagger.yaml |  92 ++++++++++++++++++++++------
 3 files changed, 304 insertions(+), 66 deletions(-)

diff --git a/api/docs/docs.go b/api/docs/docs.go
index cfb9b01..47f083d 100644
--- a/api/docs/docs.go
+++ b/api/docs/docs.go
@@ -922,6 +922,46 @@ const docTemplate = `{
                 }
             }
         },
+        "/rotatepasession": {
+            "put": {
+                "description": "Rotate pre-auth session ID",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "subscription"
+                ],
+                "summary": "Rotate pre-auth session ID",
+                "parameters": [
+                    {
+                        "description": "Rotate pre-auth session request",
+                        "name": "body",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/api.RotatePASessionReq"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/api.SuccessRes"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/api.ErrorRes"
+                        }
+                    }
+                }
+            }
+        },
         "/settings": {
             "get": {
                 "security": [
@@ -1033,6 +1073,51 @@ const docTemplate = `{
                 }
             }
         },
+        "/sub/session": {
+            "post": {
+                "security": [
+                    {
+                        "ApiKeyAuth": []
+                    }
+                ],
+                "description": "Add pre-auth session",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "subscription"
+                ],
+                "summary": "Add pre-auth session",
+                "parameters": [
+                    {
+                        "description": "Pre-auth session request",
+                        "name": "body",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/api.PASessionReq"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/api.SuccessRes"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/api.ErrorRes"
+                        }
+                    }
+                }
+            }
+        },
         "/subscription/update": {
             "put": {
                 "security": [
@@ -1715,6 +1800,25 @@ const docTemplate = `{
                 }
             }
         },
+        "api.PASessionReq": {
+            "type": "object",
+            "required": [
+                "id",
+                "preauth_id",
+                "token"
+            ],
+            "properties": {
+                "id": {
+                    "type": "string"
+                },
+                "preauth_id": {
+                    "type": "string"
+                },
+                "token": {
+                    "type": "string"
+                }
+            }
+        },
         "api.RecipientReq": {
             "type": "object",
             "required": [
@@ -1749,6 +1853,17 @@ const docTemplate = `{
                 }
             }
         },
+        "api.RotatePASessionReq": {
+            "type": "object",
+            "required": [
+                "sessionid"
+            ],
+            "properties": {
+                "sessionid": {
+                    "type": "string"
+                }
+            }
+        },
         "api.SettingsReq": {
             "type": "object",
             "required": [
@@ -1776,20 +1891,12 @@ const docTemplate = `{
             "type": "object",
             "required": [
                 "email",
-                "preauthid",
-                "preauthtokenhash",
                 "subid"
             ],
             "properties": {
                 "email": {
                     "type": "string"
                 },
-                "preauthid": {
-                    "type": "string"
-                },
-                "preauthtokenhash": {
-                    "type": "string"
-                },
                 "subid": {
                     "type": "string"
                 }
@@ -1799,8 +1906,6 @@ const docTemplate = `{
             "type": "object",
             "required": [
                 "email",
-                "preauthid",
-                "preauthtokenhash",
                 "subid"
             ],
             "properties": {
@@ -1810,12 +1915,6 @@ const docTemplate = `{
                 "password": {
                     "type": "string"
                 },
-                "preauthid": {
-                    "type": "string"
-                },
-                "preauthtokenhash": {
-                    "type": "string"
-                },
                 "subid": {
                     "type": "string"
                 }
@@ -1825,20 +1924,12 @@ const docTemplate = `{
             "type": "object",
             "required": [
                 "id",
-                "preauthid",
-                "preauthtokenhash",
                 "subid"
             ],
             "properties": {
                 "id": {
                     "type": "string"
                 },
-                "preauthid": {
-                    "type": "string"
-                },
-                "preauthtokenhash": {
-                    "type": "string"
-                },
                 "subid": {
                     "type": "string"
                 }
diff --git a/api/docs/swagger.json b/api/docs/swagger.json
index 62e6409..6a54d6c 100644
--- a/api/docs/swagger.json
+++ b/api/docs/swagger.json
@@ -911,6 +911,46 @@
                 }
             }
         },
+        "/rotatepasession": {
+            "put": {
+                "description": "Rotate pre-auth session ID",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "subscription"
+                ],
+                "summary": "Rotate pre-auth session ID",
+                "parameters": [
+                    {
+                        "description": "Rotate pre-auth session request",
+                        "name": "body",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/api.RotatePASessionReq"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/api.SuccessRes"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/api.ErrorRes"
+                        }
+                    }
+                }
+            }
+        },
         "/settings": {
             "get": {
                 "security": [
@@ -1022,6 +1062,51 @@
                 }
             }
         },
+        "/sub/session": {
+            "post": {
+                "security": [
+                    {
+                        "ApiKeyAuth": []
+                    }
+                ],
+                "description": "Add pre-auth session",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "subscription"
+                ],
+                "summary": "Add pre-auth session",
+                "parameters": [
+                    {
+                        "description": "Pre-auth session request",
+                        "name": "body",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/api.PASessionReq"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/api.SuccessRes"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/api.ErrorRes"
+                        }
+                    }
+                }
+            }
+        },
         "/subscription/update": {
             "put": {
                 "security": [
@@ -1704,6 +1789,25 @@
                 }
             }
         },
+        "api.PASessionReq": {
+            "type": "object",
+            "required": [
+                "id",
+                "preauth_id",
+                "token"
+            ],
+            "properties": {
+                "id": {
+                    "type": "string"
+                },
+                "preauth_id": {
+                    "type": "string"
+                },
+                "token": {
+                    "type": "string"
+                }
+            }
+        },
         "api.RecipientReq": {
             "type": "object",
             "required": [
@@ -1738,6 +1842,17 @@
                 }
             }
         },
+        "api.RotatePASessionReq": {
+            "type": "object",
+            "required": [
+                "sessionid"
+            ],
+            "properties": {
+                "sessionid": {
+                    "type": "string"
+                }
+            }
+        },
         "api.SettingsReq": {
             "type": "object",
             "required": [
@@ -1765,20 +1880,12 @@
             "type": "object",
             "required": [
                 "email",
-                "preauthid",
-                "preauthtokenhash",
                 "subid"
             ],
             "properties": {
                 "email": {
                     "type": "string"
                 },
-                "preauthid": {
-                    "type": "string"
-                },
-                "preauthtokenhash": {
-                    "type": "string"
-                },
                 "subid": {
                     "type": "string"
                 }
@@ -1788,8 +1895,6 @@
             "type": "object",
             "required": [
                 "email",
-                "preauthid",
-                "preauthtokenhash",
                 "subid"
             ],
             "properties": {
@@ -1799,12 +1904,6 @@
                 "password": {
                     "type": "string"
                 },
-                "preauthid": {
-                    "type": "string"
-                },
-                "preauthtokenhash": {
-                    "type": "string"
-                },
                 "subid": {
                     "type": "string"
                 }
@@ -1814,20 +1913,12 @@
             "type": "object",
             "required": [
                 "id",
-                "preauthid",
-                "preauthtokenhash",
                 "subid"
             ],
             "properties": {
                 "id": {
                     "type": "string"
                 },
-                "preauthid": {
-                    "type": "string"
-                },
-                "preauthtokenhash": {
-                    "type": "string"
-                },
                 "subid": {
                     "type": "string"
                 }
diff --git a/api/docs/swagger.yaml b/api/docs/swagger.yaml
index 6c3af6a..e3417e5 100644
--- a/api/docs/swagger.yaml
+++ b/api/docs/swagger.yaml
@@ -52,6 +52,19 @@ definitions:
       error:
         type: string
     type: object
+  api.PASessionReq:
+    properties:
+      id:
+        type: string
+      preauth_id:
+        type: string
+      token:
+        type: string
+    required:
+    - id
+    - preauth_id
+    - token
+    type: object
   api.RecipientReq:
     properties:
       id:
@@ -74,6 +87,13 @@ definitions:
     required:
     - otp
     type: object
+  api.RotatePASessionReq:
+    properties:
+      sessionid:
+        type: string
+    required:
+    - sessionid
+    type: object
   api.SettingsReq:
     properties:
       alias_format:
@@ -93,16 +113,10 @@ definitions:
     properties:
       email:
         type: string
-      preauthid:
-        type: string
-      preauthtokenhash:
-        type: string
       subid:
         type: string
     required:
     - email
-    - preauthid
-    - preauthtokenhash
     - subid
     type: object
   api.SignupUserReq:
@@ -111,32 +125,20 @@ definitions:
         type: string
       password:
         type: string
-      preauthid:
-        type: string
-      preauthtokenhash:
-        type: string
       subid:
         type: string
     required:
     - email
-    - preauthid
-    - preauthtokenhash
     - subid
     type: object
   api.SubscriptionReq:
     properties:
       id:
         type: string
-      preauthid:
-        type: string
-      preauthtokenhash:
-        type: string
       subid:
         type: string
     required:
     - id
-    - preauthid
-    - preauthtokenhash
     - subid
     type: object
   api.SuccessRes:
@@ -902,6 +904,32 @@ paths:
       summary: Reset password
       tags:
       - user
+  /rotatepasession:
+    put:
+      consumes:
+      - application/json
+      description: Rotate pre-auth session ID
+      parameters:
+      - description: Rotate pre-auth session request
+        in: body
+        name: body
+        required: true
+        schema:
+          $ref: '#/definitions/api.RotatePASessionReq'
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/api.SuccessRes'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api.ErrorRes'
+      summary: Rotate pre-auth session ID
+      tags:
+      - subscription
   /settings:
     get:
       consumes:
@@ -971,6 +999,34 @@ paths:
       summary: Get subscription
       tags:
       - subscription
+  /sub/session:
+    post:
+      consumes:
+      - application/json
+      description: Add pre-auth session
+      parameters:
+      - description: Pre-auth session request
+        in: body
+        name: body
+        required: true
+        schema:
+          $ref: '#/definitions/api.PASessionReq'
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/api.SuccessRes'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api.ErrorRes'
+      security:
+      - ApiKeyAuth: []
+      summary: Add pre-auth session
+      tags:
+      - subscription
   /subscription/update:
     put:
       consumes:

From 6e40351970a885481410804c54c4af868903bd62 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Mon, 20 Oct 2025 17:48:21 +0200
Subject: [PATCH 38/63] feat(app): update api/subscription.ts

---
 app/src/api/subscription.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/src/api/subscription.ts b/app/src/api/subscription.ts
index f1cc2db..23c25c4 100644
--- a/app/src/api/subscription.ts
+++ b/app/src/api/subscription.ts
@@ -3,5 +3,5 @@ import { api } from './api'
 export const subscriptionApi = {
     get: () => api.get('/sub'),
     update: (data: any) => api.put('/sub/update', data),
-    rotateSessionId: (data: any) => api.put('/rotateSession', data),
+    rotateSessionId: (data: any) => api.put('/rotatepasession', data),
 }
\ No newline at end of file

From fe390ce263c2d5c7e96214735a40e244aa3ea92e Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Mon, 20 Oct 2025 17:50:29 +0200
Subject: [PATCH 39/63] feat(app): update AccountSubscription.vue

---
 app/src/components/AccountSubscription.vue | 1 +
 1 file changed, 1 insertion(+)

diff --git a/app/src/components/AccountSubscription.vue b/app/src/components/AccountSubscription.vue
index ba36431..13f41ea 100644
--- a/app/src/components/AccountSubscription.vue
+++ b/app/src/components/AccountSubscription.vue
@@ -128,6 +128,7 @@ const rotateSessionId = async () => {
         await subscriptionApi.rotateSessionId({
             sessionid: sessionid.value,
         })
+        await getSubscription()
         await updateSubscription()
     } catch (err) {
         if (axios.isAxiosError(err)) {

From d60253419de025e947049461a3fdda8bb10bd325 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Mon, 20 Oct 2025 19:44:14 +0200
Subject: [PATCH 40/63] feat(api): update routes.go

---
 api/internal/transport/api/routes.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/internal/transport/api/routes.go b/api/internal/transport/api/routes.go
index 77a84c3..abeab80 100644
--- a/api/internal/transport/api/routes.go
+++ b/api/internal/transport/api/routes.go
@@ -34,9 +34,9 @@ func (h *Handler) SetupRoutes(cfg config.APIConfig) {
 	h.Server.Post("/v1/login/begin", limiter.New(), h.BeginLogin)
 	h.Server.Post("/v1/login/finish", limiter.New(), h.FinishLogin)
 
-	session := h.Server.Group("/v1/sub/session")
+	session := h.Server.Group("/v1/pasession")
 	session.Use(auth.NewPSK(cfg))
-	session.Post("", h.AddPASession)
+	session.Post("/add", h.AddPASession)
 
 	v1 := h.Server.Group("/v1")
 	v1.Use(auth.New(cfg, h.Cache, h.Service))

From e0fdb4769b008c448f0c46408e6191419b7c6304 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Tue, 21 Oct 2025 10:49:13 +0200
Subject: [PATCH 41/63] feat(service): update subscription.go

---
 api/internal/service/subscription.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index 165a0eb..05df547 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -80,7 +80,7 @@ func (s *Service) AddSubscription(ctx context.Context, subscription model.Subscr
 func (s *Service) UpdateSubscription(ctx context.Context, sub model.Subscription, subID string, sessionId string) error {
 	paSession, err := s.GetPASession(ctx, sessionId)
 	if err != nil {
-		log.Printf("error creating user: %s", err.Error())
+		log.Printf("error updating subscription: %s", err.Error())
 		return ErrPASessionNotFound
 	}
 
@@ -91,12 +91,12 @@ func (s *Service) UpdateSubscription(ctx context.Context, sub model.Subscription
 
 	preauth, err := s.Http.GetPreauth(preauthId)
 	if err != nil {
-		log.Printf("error creating user: %s", err.Error())
+		log.Printf("error updating subscription: %s", err.Error())
 		return ErrPANotFound
 	}
 
 	if preauth.TokenHash != tokenHashStr {
-		log.Printf("error creating user: Token hash does not match")
+		log.Printf("error updating subscription: Token hash does not match")
 		return ErrTokenHashMismatch
 	}
 
@@ -118,7 +118,7 @@ func (s *Service) UpdateSubscription(ctx context.Context, sub model.Subscription
 
 	err = s.Http.SignupWebhook(subID)
 	if err != nil {
-		log.Printf("error creating user: %s", err.Error())
+		log.Printf("error updating subscription: %s", err.Error())
 		return ErrSignupWebhook
 	}
 

From e250f4bb8e7093e6f3b4ae465b27edc91de54c5e Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Tue, 21 Oct 2025 10:59:49 +0200
Subject: [PATCH 42/63] feat(api): update subscription.go

---
 api/internal/service/subscription.go       | 2 +-
 api/internal/transport/api/subscription.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index 05df547..415e586 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -105,7 +105,7 @@ func (s *Service) UpdateSubscription(ctx context.Context, sub model.Subscription
 	sub.Tier = preauth.Tier
 	sub.TokenHash = preauth.TokenHash
 
-	if sub.ID == "" {
+	if sub.ID == "" || sub.UserID == "" {
 		log.Printf("error updating subscription: Subscription ID is required")
 		return ErrInvalidSubscription
 	}
diff --git a/api/internal/transport/api/subscription.go b/api/internal/transport/api/subscription.go
index be32263..f043031 100644
--- a/api/internal/transport/api/subscription.go
+++ b/api/internal/transport/api/subscription.go
@@ -55,6 +55,7 @@ func (h *Handler) GetSubscription(c *fiber.Ctx) error {
 // @Router /subscription/update [put]
 func (h *Handler) UpdateSubscription(c *fiber.Ctx) error {
 	sessionId := c.Cookies(auth.PA_SESSION_COOKIE)
+	userID := auth.GetUserID(c)
 
 	req := SubscriptionReq{}
 	err := c.BodyParser(&req)
@@ -73,6 +74,12 @@ func (h *Handler) UpdateSubscription(c *fiber.Ctx) error {
 
 	sub := model.Subscription{}
 	sub.ID = req.ID
+	sub, err = h.Service.GetSubscription(c.Context(), userID)
+	if err != nil {
+		return c.Status(400).JSON(fiber.Map{
+			"error": err.Error(),
+		})
+	}
 
 	err = h.Service.UpdateSubscription(c.Context(), sub, req.SubID, sessionId)
 	if err != nil {

From a7fea4dfa1717dd176fa10ac8c42ce4c6efb4e8d Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Tue, 21 Oct 2025 11:01:07 +0200
Subject: [PATCH 43/63] feat(app): update AccountSubscription.vue

---
 app/src/components/AccountSubscription.vue | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/src/components/AccountSubscription.vue b/app/src/components/AccountSubscription.vue
index 13f41ea..28c9a81 100644
--- a/app/src/components/AccountSubscription.vue
+++ b/app/src/components/AccountSubscription.vue
@@ -92,7 +92,7 @@ const getSubscription = async () => {
         sub.value = res.data
     } catch (err) {
         if (axios.isAxiosError(err)) {
-            error.value = err.message
+            error.value = err.response?.data.error || err.message
         }
     }
 }
@@ -111,7 +111,7 @@ const updateSubscription = async () => {
         await getSubscription()
     } catch (err) {
         if (axios.isAxiosError(err)) {
-            error.value = err.message
+            error.value = err.response?.data.error || err.message
         }
     } finally {
         syncing.value = false
@@ -132,7 +132,7 @@ const rotateSessionId = async () => {
         await updateSubscription()
     } catch (err) {
         if (axios.isAxiosError(err)) {
-            error.value = err.message
+            error.value = err.response?.data.error || err.message
         }
     } finally {
         syncing.value = false

From c6bda9f4048d475b766d036798233e1148aba8af Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Tue, 21 Oct 2025 11:02:32 +0200
Subject: [PATCH 44/63] feat(api): update main.go

---
 api/cmd/main.go | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/api/cmd/main.go b/api/cmd/main.go
index b4258c2..3aa83de 100644
--- a/api/cmd/main.go
+++ b/api/cmd/main.go
@@ -8,7 +8,6 @@ import (
 	"ivpn.net/email/api/internal/repository"
 	"ivpn.net/email/api/internal/service"
 	"ivpn.net/email/api/internal/transport/api"
-	"ivpn.net/email/api/internal/utils"
 )
 
 func Run() error {
@@ -17,8 +16,6 @@ func Run() error {
 		return err
 	}
 
-	utils.NewLogger(cfg.API)
-
 	db, err := repository.NewDB(cfg.DB)
 	if err != nil {
 		return err

From db17d332a4020ce9e2a768e95d1d6c715e766f4e Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Tue, 21 Oct 2025 11:18:31 +0200
Subject: [PATCH 45/63] feat(app): update AccountSubscriptionStatus.vue

---
 app/src/components/AccountSubscriptionStatus.vue | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/src/components/AccountSubscriptionStatus.vue b/app/src/components/AccountSubscriptionStatus.vue
index 31f4093..000b5de 100644
--- a/app/src/components/AccountSubscriptionStatus.vue
+++ b/app/src/components/AccountSubscriptionStatus.vue
@@ -1,5 +1,5 @@
 <template>
-    <div v-if="isLimited() && isDashboard" class="card-tertiary m-8 mb-0">
+    <div v-if="isLimited() && isDashboard && sub.id" class="card-tertiary m-8 mb-0">
         <footer>
             <div>
                 <i class="icon info icon-primary"></i>
@@ -12,7 +12,7 @@
             </div>
         </footer>
     </div>
-    <div v-if="isPendingDelete() && isDashboard" class="card-tertiary m-8 mb-0">
+    <div v-if="isPendingDelete() && isDashboard && sub.id" class="card-tertiary m-8 mb-0">
         <footer>
             <div>
                 <i class="icon info icon-primary"></i>

From ab0ecaa1494ab13dd21e2e52d6bd0152b84fbb92 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Tue, 21 Oct 2025 11:41:49 +0200
Subject: [PATCH 46/63] feat(app): update AccountSubscription.vue

---
 app/src/components/AccountSubscription.vue       | 11 +++++------
 app/src/components/AccountSubscriptionStatus.vue | 13 +++++--------
 2 files changed, 10 insertions(+), 14 deletions(-)

diff --git a/app/src/components/AccountSubscription.vue b/app/src/components/AccountSubscription.vue
index 28c9a81..db43157 100644
--- a/app/src/components/AccountSubscription.vue
+++ b/app/src/components/AccountSubscription.vue
@@ -73,10 +73,9 @@ import events from '../events.ts'
 
 const sub = ref({
     id: '',
-    active_until: '',
-    is_active: false,
     updated_at: '',
-    is_grace_period: false,
+    active_until: '',
+    status: '',
     outage: false,
 })
 const error = ref('')
@@ -140,15 +139,15 @@ const rotateSessionId = async () => {
 }
 
 const isActive = () => {
-    return sub.value.active_until > new Date().toISOString()
+    return sub.value.status === 'active'
 }
 
 const isLimited = () => {
-    return sub.value.is_grace_period && !isActive()
+    return sub.value.status === 'limited_access'
 }
 
 const isPendingDelete = () => {
-    return !sub.value.is_grace_period && !isActive()
+    return sub.value.status === 'pending_delete'
 }
 
 const activeUntilDate = () => {
diff --git a/app/src/components/AccountSubscriptionStatus.vue b/app/src/components/AccountSubscriptionStatus.vue
index 000b5de..0687db7 100644
--- a/app/src/components/AccountSubscriptionStatus.vue
+++ b/app/src/components/AccountSubscriptionStatus.vue
@@ -34,9 +34,10 @@ import { subscriptionApi } from '../api/subscription.ts'
 
 const sub = ref({
     id: '',
+    updated_at: '',
     active_until: '',
-    is_active: false,
-    is_grace_period: false,
+    status: '',
+    outage: false,
 })
 
 const route = ref('/')
@@ -52,16 +53,12 @@ const getSubscription = async () => {
     }
 }
 
-const isActive = () => {
-    return sub.value.active_until > new Date().toISOString()
-}
-
 const isLimited = () => {
-    return sub.value.is_grace_period && !isActive()
+    return sub.value.status === 'limited_access'
 }
 
 const isPendingDelete = () => {
-    return !sub.value.is_grace_period && !isActive()
+    return sub.value.status === 'pending_delete'
 }
 
 onMounted(() => {

From 7ebb5d3dc0445471fba175cd8aa352ca34c14cb4 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Thu, 23 Oct 2025 16:06:25 +0200
Subject: [PATCH 47/63] feat(app): update AccountSubscription.vue

---
 app/src/components/AccountSubscription.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/src/components/AccountSubscription.vue b/app/src/components/AccountSubscription.vue
index db43157..c89af55 100644
--- a/app/src/components/AccountSubscription.vue
+++ b/app/src/components/AccountSubscription.vue
@@ -139,7 +139,7 @@ const rotateSessionId = async () => {
 }
 
 const isActive = () => {
-    return sub.value.status === 'active'
+    return sub.value.status === 'active' || sub.value.status === 'grace_period'
 }
 
 const isLimited = () => {

From c1eb4466dea929119f62f3d8ad86ce5b923050c8 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Wed, 26 Nov 2025 09:31:20 +0100
Subject: [PATCH 48/63] chore(api): update go.mod

---
 api/go.mod | 1 +
 api/go.sum | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/api/go.mod b/api/go.mod
index 9393995..257f856 100644
--- a/api/go.mod
+++ b/api/go.mod
@@ -5,6 +5,7 @@ go 1.23.1
 require (
 	github.com/ProtonMail/gopenpgp/v3 v3.1.2
 	github.com/alexedwards/argon2id v1.0.0
+	github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de
 	github.com/go-playground/validator/v10 v10.20.0
 	github.com/go-sql-driver/mysql v1.7.1
 	github.com/go-webauthn/webauthn v0.11.2
diff --git a/api/go.sum b/api/go.sum
index b2185a3..f3b07c7 100644
--- a/api/go.sum
+++ b/api/go.sum
@@ -12,6 +12,8 @@ github.com/alexedwards/argon2id v1.0.0 h1:wJzDx66hqWX7siL/SRUmgz3F8YMrd/nfX/xHHc
 github.com/alexedwards/argon2id v1.0.0/go.mod h1:tYKkqIjzXvZdzPvADMWOEZ+l6+BD6CtBXMj5fnJppiw=
 github.com/andybalholm/brotli v1.0.5 h1:8uQZIdzKmjc/iuPu7O2ioW48L81FgatrcpfFmiq/cCs=
 github.com/andybalholm/brotli v1.0.5/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
+github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de h1:FxWPpzIjnTlhPwqqXc4/vE0f7GvRjuAsbW+HOIe8KnA=
+github.com/araddon/dateparse v0.0.0-20210429162001-6b43995a97de/go.mod h1:DCaWoUhZrYW9p1lxo/cm8EmUOOzAPSEZNGF2DK1dJgw=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
 github.com/bsm/ginkgo/v2 v2.12.0/go.mod h1:SwYbGRRDovPVboqFv0tPTcG1sN61LM1Z4ARdbAV9g4c=
 github.com/bsm/gomega v1.27.10 h1:yeMWxP2pV2fG3FgAODIY8EiRE3dy0aeFYt4l7wh6yKA=
@@ -95,6 +97,7 @@ github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovk
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
 github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-runewidth v0.0.10/go.mod h1:RAqKPSqVFrSLVXbA8x7dzmKdmGzieGRCM46jaSJTDAk=
 github.com/mattn/go-runewidth v0.0.15 h1:UNAjwbU9l54TA3KzvqLGxwWjHmMgBUVhBiTjelZgg3U=
 github.com/mattn/go-runewidth v0.0.15/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
@@ -116,12 +119,15 @@ github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZb
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/redis/go-redis/v9 v9.5.5 h1:51VEyMF8eOO+NUHFm8fpg+IOc1xFuFOhxs3R+kPu1FM=
 github.com/redis/go-redis/v9 v9.5.5/go.mod h1:hdY0cQFCN4fnSYT6TkisLufl/4W5UIXyv0b/CLO2V2M=
+github.com/rivo/uniseg v0.1.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.2.0 h1:S1pD9weZBuJdFmowNwbpi7BJ8TNftyUImj/0WQi72jY=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
+github.com/scylladb/termtables v0.0.0-20191203121021-c4c0b6d42ff4/go.mod h1:C1a7PQSMz9NShzorzCiG2fk9+xuCgLkPeCvMHYR2OWg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/swaggo/files/v2 v2.0.0 h1:hmAt8Dkynw7Ssz46F6pn8ok6YmGZqHSVLZ+HQM7i0kw=

From 023a17bc9b2be91b585f2ae83dedc908a91c16d0 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Thu, 27 Nov 2025 09:14:40 +0100
Subject: [PATCH 49/63] feat(model): update subscription.go

---
 api/internal/model/subscription.go      |  2 +-
 api/internal/model/subscription_test.go | 18 +++++++++---------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/api/internal/model/subscription.go b/api/internal/model/subscription.go
index 51fb0a5..9d28482 100644
--- a/api/internal/model/subscription.go
+++ b/api/internal/model/subscription.go
@@ -53,7 +53,7 @@ func (s *Subscription) ActiveStatus() bool {
 }
 
 func (s *Subscription) IsOutage() bool {
-	return s.UpdatedAt.Add(time.Duration(24) * time.Hour).Before(time.Now())
+	return s.UpdatedAt.Add(time.Duration(48) * time.Hour).Before(time.Now())
 }
 
 func (s *Subscription) GracePeriodDays(days int) bool {
diff --git a/api/internal/model/subscription_test.go b/api/internal/model/subscription_test.go
index bf75f07..f89738c 100644
--- a/api/internal/model/subscription_test.go
+++ b/api/internal/model/subscription_test.go
@@ -213,23 +213,23 @@ func TestSubscriptionIsOutage(t *testing.T) {
 		want      bool
 	}{
 		{
-			name:      "updated 25h ago => outage",
-			updatedAt: now.Add(-25 * time.Hour),
+			name:      "updated 49h ago => outage",
+			updatedAt: now.Add(-49 * time.Hour),
 			want:      true,
 		},
 		{
-			name:      "updated 24h + 1s ago => outage",
-			updatedAt: now.Add(-24*time.Hour - 1*time.Second),
+			name:      "updated 48h + 1s ago => outage",
+			updatedAt: now.Add(-48*time.Hour - 1*time.Second),
 			want:      true,
 		},
 		{
-			name:      "updated 24h - 1s ago => not outage",
-			updatedAt: now.Add(-24*time.Hour + 1*time.Second),
+			name:      "updated 48h - 1s ago => not outage",
+			updatedAt: now.Add(-48*time.Hour + 1*time.Second),
 			want:      false,
 		},
 		{
-			name:      "updated 23h ago => not outage",
-			updatedAt: now.Add(-23 * time.Hour),
+			name:      "updated 47h ago => not outage",
+			updatedAt: now.Add(-47 * time.Hour),
 			want:      false,
 		},
 		{
@@ -244,7 +244,7 @@ func TestSubscriptionIsOutage(t *testing.T) {
 			s := &Subscription{UpdatedAt: tc.updatedAt}
 			got := s.IsOutage()
 			if got != tc.want {
-				t.Fatalf("IsOutage() = %v, want %v (updatedAt=%v now=%v threshold=%v)", got, tc.want, tc.updatedAt, time.Now(), tc.updatedAt.Add(24*time.Hour))
+				t.Fatalf("IsOutage() = %v, want %v (updatedAt=%v now=%v threshold=%v)", got, tc.want, tc.updatedAt, time.Now(), tc.updatedAt.Add(48*time.Hour))
 			}
 		})
 	}

From 3bc626da53b1f7b88e25cfec7ed444d1af767559 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Thu, 27 Nov 2025 09:18:30 +0100
Subject: [PATCH 50/63] tests: update subscription_test.go

---
 api/internal/model/subscription_test.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/api/internal/model/subscription_test.go b/api/internal/model/subscription_test.go
index f89738c..206134c 100644
--- a/api/internal/model/subscription_test.go
+++ b/api/internal/model/subscription_test.go
@@ -52,37 +52,37 @@ func TestSubscriptionGracePeriod(t *testing.T) {
 	}{
 		{
 			name:        "outage and within 3-day window => true",
-			updatedAt:   now.Add(-25 * time.Hour), // outage (older than 24h)
+			updatedAt:   now.Add(-49 * time.Hour), // outage (older than 48h)
 			activeUntil: now.Add(-48 * time.Hour), // 2 days ago (+3d => +1d > now)
 			want:        true,
 		},
 		{
 			name:        "not outage and within 3-day window => false",
-			updatedAt:   now.Add(-23 * time.Hour), // not outage
+			updatedAt:   now.Add(-47 * time.Hour), // not outage
 			activeUntil: now.Add(-24 * time.Hour), // 1 day ago (+3d => +2d > now)
 			want:        false,
 		},
 		{
 			name:        "outage but outside 3-day window => false",
-			updatedAt:   now.Add(-26 * time.Hour),     // outage
+			updatedAt:   now.Add(-50 * time.Hour),     // outage
 			activeUntil: now.Add(-5 * 24 * time.Hour), // 5 days ago (+3d => 2 days before now)
 			want:        false,
 		},
 		{
 			name:        "near outage boundary but not outage => false",
-			updatedAt:   now.Add(-24 * time.Hour).Add(1 * time.Second), // UpdatedAt +24h ~ now +1s => not outage
+			updatedAt:   now.Add(-48 * time.Hour).Add(1 * time.Second), // UpdatedAt +48h ~ now +1s => not outage
 			activeUntil: now.Add(-2 * 24 * time.Hour),                  // 2 days ago (+3d => +1d > now)
 			want:        false,
 		},
 		{
 			name:        "outage and just inside 3-day window boundary => true",
-			updatedAt:   now.Add(-25 * time.Hour),                   // outage
+			updatedAt:   now.Add(-49 * time.Hour),                   // outage
 			activeUntil: now.AddDate(0, 0, -3).Add(2 * time.Second), // ActiveUntil +3d ~ now +2s > now
 			want:        true,
 		},
 		{
 			name:        "outage and exactly outside 3-day window => false",
-			updatedAt:   now.Add(-25 * time.Hour),                    // outage
+			updatedAt:   now.Add(-49 * time.Hour),                    // outage
 			activeUntil: now.AddDate(0, 0, -3).Add(-2 * time.Second), // ActiveUntil +3d ~ now -2s < now
 			want:        false,
 		},

From c19909ac3438ff0dad653941b5217572214a2898 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Wed, 21 Jan 2026 14:32:25 +0100
Subject: [PATCH 51/63] feat(api): update config.go

---
 api/.env.sample                      | 1 +
 api/config/config.go                 | 8 ++++++++
 api/internal/service/subscription.go | 2 +-
 3 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/api/.env.sample b/api/.env.sample
index bb137f5..d499482 100644
--- a/api/.env.sample
+++ b/api/.env.sample
@@ -17,6 +17,7 @@ SIGNUP_WEBHOOK_URL=
 SIGNUP_WEBHOOK_PSK=
 PREAUTH_URL=
 PREAUTH_PSK=
+PREAUTH_TTL=60m
 
 APP_PORT=3001
 
diff --git a/api/config/config.go b/api/config/config.go
index 0a9fe86..f5241e3 100644
--- a/api/config/config.go
+++ b/api/config/config.go
@@ -25,6 +25,7 @@ type APIConfig struct {
 	SignupWebhookPSK   string
 	PreauthURL         string
 	PreauthPSK         string
+	PreauthTTL         time.Duration
 }
 
 type DBConfig struct {
@@ -142,6 +143,12 @@ func New() (Config, error) {
 	dbHosts := strings.Split(os.Getenv("DB_HOSTS"), ",")
 	redisAddrs := strings.Split(os.Getenv("REDIS_ADDRESSES"), ",")
 
+	preauthTTLStr := os.Getenv("PREAUTH_TTL")
+	preauthTTL, err := time.ParseDuration(preauthTTLStr)
+	if err != nil {
+		return Config{}, err
+	}
+
 	return Config{
 		API: APIConfig{
 			FQDN:               os.Getenv("FQDN"),
@@ -161,6 +168,7 @@ func New() (Config, error) {
 			SignupWebhookPSK:   os.Getenv("SIGNUP_WEBHOOK_PSK"),
 			PreauthURL:         os.Getenv("PREAUTH_URL"),
 			PreauthPSK:         os.Getenv("PREAUTH_PSK"),
+			PreauthTTL:         preauthTTL,
 		},
 		DB: DBConfig{
 			Hosts:    dbHosts,
diff --git a/api/internal/service/subscription.go b/api/internal/service/subscription.go
index 415e586..3504350 100644
--- a/api/internal/service/subscription.go
+++ b/api/internal/service/subscription.go
@@ -142,7 +142,7 @@ func (s *Service) AddPASession(ctx context.Context, paSession model.PASession) e
 		return err
 	}
 
-	err = s.Cache.Set(ctx, "pasession_"+paSession.ID, string(data), 15*time.Minute)
+	err = s.Cache.Set(ctx, "pasession_"+paSession.ID, string(data), s.Cfg.API.PreauthTTL)
 	if err != nil {
 		log.Println("failed to set pre-auth session in Redis:", err)
 		return err

From a0cfb9571e3b1b690db8c0615f1bb6135f531f3e Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Wed, 21 Jan 2026 14:43:25 +0100
Subject: [PATCH 52/63] feat(api): update subscription.go

---
 api/internal/transport/api/subscription.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/api/internal/transport/api/subscription.go b/api/internal/transport/api/subscription.go
index f043031..512610d 100644
--- a/api/internal/transport/api/subscription.go
+++ b/api/internal/transport/api/subscription.go
@@ -11,7 +11,7 @@ import (
 var (
 	UpdateSubscriptionSuccess = "Subscription updated successfully."
 	AddSubscriptionSuccess    = "Subscription added successfully."
-	InvalidPASessionId        = "Invalid pre-auth session ID."
+	InvalidPASessionId        = "This signup link has expired."
 )
 
 type SubscriptionService interface {

From 10e492e0b58da23dba184fcd6645fa0d1274ea94 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Wed, 21 Jan 2026 15:00:41 +0100
Subject: [PATCH 53/63] feat(app): update Signup.vue

---
 app/src/components/Signup.vue | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/app/src/components/Signup.vue b/app/src/components/Signup.vue
index 0e4b2f3..069be8c 100644
--- a/app/src/components/Signup.vue
+++ b/app/src/components/Signup.vue
@@ -214,7 +214,11 @@ const rotateSessionId = async () => {
         })
     } catch (err) {
         if (axios.isAxiosError(err)) {
-            apiError.value = err.message
+            apiError.value = err.response?.data.error || err.message
+
+            if (err.response?.status === 429) {
+                apiError.value = 'Too many requests, please try again later.'
+            }
         }
     } finally {
         syncing.value = false

From ad656810597aeeeec6fd21bdd3a0dee9898640e3 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Wed, 21 Jan 2026 15:12:18 +0100
Subject: [PATCH 54/63] feat(app): update Signup.vue

---
 app/src/components/Signup.vue | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/app/src/components/Signup.vue b/app/src/components/Signup.vue
index 069be8c..de25e30 100644
--- a/app/src/components/Signup.vue
+++ b/app/src/components/Signup.vue
@@ -18,16 +18,18 @@
                                     id="email_authn"
                                     type="email"
                                     class="email"
+                                    :disabled="!!rotateSessionError"
                                     @keypress.enter.prevent
                                 >
                                 <p v-if="emailAuthnError" class="error">Required</p>
                             </div>
                             <div class="flex items-center w-full">
-                                <button @click="registerWithPasskey" :disabled="isLoading" class="cta full">
+                                <button @click="registerWithPasskey" :disabled="isLoading || !!rotateSessionError" class="cta full">
                                     Sign Up with Passkey
                                 </button>
                             </div>
                             <p v-if="apiError" class="error mt-6">Error: {{ apiError }}</p>
+                            <p v-if="rotateSessionError" class="error mt-5">Error: {{ rotateSessionError }}</p>
                         </div>
                     </div>
                     <div
@@ -48,6 +50,7 @@
                                     id="email"
                                     type="email"
                                     class="email"
+                                    :disabled="!!rotateSessionError"
                                     @keypress.enter.prevent
                                 >
                                 <p v-if="emailError" class="error">Required</p>
@@ -60,17 +63,19 @@
                                     id="password"
                                     type="password"
                                     class="password"
+                                    :disabled="!!rotateSessionError"
                                     @keypress.enter.prevent
                                 >
                                 <p v-if="passwordError" class="error">Required</p>
                             </div>
                             <p class="text-sm mb-5">Must be 12+ characters and contain uppercase, lowercase, number, and special character (e.g. -_+=~!@#$%^&*(),;.?":{}|<>)</p>
                             <div class="flex items-center w-full">
-                                <button @click="register" :disabled="isLoading" class="cta full">
+                                <button @click="register" :disabled="isLoading || !!rotateSessionError" class="cta full">
                                     Sign Up
                                 </button>
                             </div>
                             <p v-if="apiError" class="error mt-5">Error: {{ apiError }}</p>
+                            <p v-if="rotateSessionError" class="error mt-5">Error: {{ rotateSessionError }}</p>
                         </div>
                     </div>
                 </div>
@@ -117,6 +122,7 @@ const emailAuthnError = ref(false)
 const passwordError = ref(false)
 const apiSuccess = ref('')
 const apiError = ref('')
+const rotateSessionError = ref('')
 const isLoading = ref(false)
 const passkeySupported = ref(false)
 const subid = ref('')
@@ -212,12 +218,13 @@ const rotateSessionId = async () => {
         await subscriptionApi.rotateSessionId({
             sessionid: sessionid.value,
         })
+        rotateSessionError.value = ''
     } catch (err) {
         if (axios.isAxiosError(err)) {
-            apiError.value = err.response?.data.error || err.message
+            rotateSessionError.value = err.response?.data.error || err.message
 
             if (err.response?.status === 429) {
-                apiError.value = 'Too many requests, please try again later.'
+                rotateSessionError.value = 'Too many requests, please try again later.'
             }
         }
     } finally {

From 42f83437d46e4a94e03666468ffdf6b68302faa9 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Wed, 4 Feb 2026 15:26:29 +0100
Subject: [PATCH 55/63] feat(app): update .env.sample

---
 .github/workflows/ci_production.yml | 1 +
 .github/workflows/ci_staging.yml    | 1 +
 app/.env.sample                     | 3 ++-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci_production.yml b/.github/workflows/ci_production.yml
index 75be357..60d0f0a 100644
--- a/.github/workflows/ci_production.yml
+++ b/.github/workflows/ci_production.yml
@@ -29,6 +29,7 @@ jobs:
           echo "VITE_API_URL=${{ secrets.PROD_VITE_API_URL }}" >> app/.env
           echo "VITE_DOMAINS=${{ secrets.PROD_VITE_DOMAINS }}" >> app/.env
           echo "VITE_APP_NAME=${{ secrets.PROD_VITE_APP_NAME }}" >> app/.env
+          echo "VITE_RESYNC_URL=${{ secrets.PROD_VITE_RESYNC_URL }}" >> app/.env
 
       - name: Build api image
         run: docker build -t $REGISTRY/$API_IMAGE:$TAG api/.
diff --git a/.github/workflows/ci_staging.yml b/.github/workflows/ci_staging.yml
index 0ff4d17..9ca811d 100644
--- a/.github/workflows/ci_staging.yml
+++ b/.github/workflows/ci_staging.yml
@@ -29,6 +29,7 @@ jobs:
           echo "VITE_API_URL=${{ secrets.STAGING_VITE_API_URL }}" >> app/.env
           echo "VITE_DOMAINS=${{ secrets.STAGING_VITE_DOMAINS }}" >> app/.env
           echo "VITE_APP_NAME=${{ secrets.STAGING_VITE_APP_NAME }}" >> app/.env
+          echo "VITE_RESYNC_URL=${{ secrets.STAGING_VITE_RESYNC_URL }}" >> app/.env
 
       - name: Build api image
         run: docker build -t $REGISTRY/$API_IMAGE:$TAG api/.
diff --git a/app/.env.sample b/app/.env.sample
index 6227369..c5e8904 100644
--- a/app/.env.sample
+++ b/app/.env.sample
@@ -1,3 +1,4 @@
 VITE_API_URL=http://localhost:3000
 VITE_DOMAINS=example1.net,example2.net
-VITE_APP_NAME=App
\ No newline at end of file
+VITE_APP_NAME=App
+VITE_RESYNC_URL=http://localhost:8010/en/account/?action=resync
\ No newline at end of file

From 17c02f5b3fb90da0dc8c8359ff060e1db91b7b5e Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Wed, 4 Feb 2026 15:33:46 +0100
Subject: [PATCH 56/63] feat(app): update AccountSubscription.vue

---
 app/src/components/AccountSubscription.vue       | 8 +++++---
 app/src/components/AccountSubscriptionStatus.vue | 5 +++--
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/app/src/components/AccountSubscription.vue b/app/src/components/AccountSubscription.vue
index c89af55..00faff2 100644
--- a/app/src/components/AccountSubscription.vue
+++ b/app/src/components/AccountSubscription.vue
@@ -28,7 +28,7 @@
                 <div>
                     <h4>Limited Access Mode</h4>
                     <p>
-                        Your MailX account is in limited access mode. To regain full access add time to your <a target="_blank" href="https://www.ivpn.net/account/">IVPN account</a>.
+                        Your MailX account is in limited access mode. To regain full access add time to your <a target="_blank" :href="activateUrl">IVPN account</a>.
                     </p>
                 </div>
             </footer>
@@ -41,7 +41,7 @@
                 <div>
                     <h4>Pending Deletion</h4>
                     <p>
-                        Your account is pending deletion. To reinstate access add time to your <a target="_blank" href="https://www.ivpn.net/account/">IVPN account</a>.
+                        Your account is pending deletion. To reinstate access add time to your <a target="_blank" :href="activateUrl">IVPN account</a>.
                     </p>
                 </div>
             </footer>
@@ -54,7 +54,7 @@
                 <div>
                     <h4>Out of sync</h4>
                     <p>
-                        Your last account status update was {{ updatedAtDate() }}. <a target="_blank" href="https://www.ivpn.net/account/">Sync with IVPN</a>
+                        Your last account status update was {{ updatedAtDate() }}. <a target="_blank" :href="resyncUrl">Sync with IVPN</a>
                     </p>
                 </div>
             </footer>
@@ -84,6 +84,8 @@ const subid = ref('')
 const sessionid = ref('')
 const currentRoute = useRoute()
 const syncing = ref(false)
+const activateUrl = import.meta.env.VITE_RESYNC_URL
+const resyncUrl = import.meta.env.VITE_RESYNC_URL + '?action=resync'
 
 const getSubscription = async () => {
     try {
diff --git a/app/src/components/AccountSubscriptionStatus.vue b/app/src/components/AccountSubscriptionStatus.vue
index 0687db7..4353096 100644
--- a/app/src/components/AccountSubscriptionStatus.vue
+++ b/app/src/components/AccountSubscriptionStatus.vue
@@ -7,7 +7,7 @@
             <div>
                 <h4>Limited Access Mode</h4>
                 <p>
-                    Your MailX account is in limited access mode. To regain full access add time to your <a target="_blank" href="https://www.ivpn.net/account/">IVPN account</a>.
+                    Your MailX account is in limited access mode. To regain full access add time to your <a target="_blank" :href="activateUrl">IVPN account</a>.
                 </p>
             </div>
         </footer>
@@ -20,7 +20,7 @@
             <div>
                 <h4>Pending Deletion</h4>
                 <p>
-                    Your account is pending deletion. To reinstate access add time to your <a target="_blank" href="https://www.ivpn.net/account/">IVPN account</a>.
+                    Your account is pending deletion. To reinstate access add time to your <a target="_blank" :href="activateUrl">IVPN account</a>.
                 </p>
             </div>
         </footer>
@@ -44,6 +44,7 @@ const route = ref('/')
 const currentRoute = useRoute()
 const props = defineProps(['dashboard'])
 const isDashboard = props.dashboard
+const activateUrl = import.meta.env.VITE_RESYNC_URL
 
 const getSubscription = async () => {
     try {

From 9b1b7d31dd28f41021be3544858904dccc4f6f04 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Wed, 4 Feb 2026 16:03:02 +0100
Subject: [PATCH 57/63] feat(app): update AccountSubscription.vue

---
 app/src/components/AccountSubscription.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/src/components/AccountSubscription.vue b/app/src/components/AccountSubscription.vue
index 00faff2..46d70ba 100644
--- a/app/src/components/AccountSubscription.vue
+++ b/app/src/components/AccountSubscription.vue
@@ -85,7 +85,7 @@ const sessionid = ref('')
 const currentRoute = useRoute()
 const syncing = ref(false)
 const activateUrl = import.meta.env.VITE_RESYNC_URL
-const resyncUrl = import.meta.env.VITE_RESYNC_URL + '?action=resync'
+const resyncUrl = import.meta.env.VITE_RESYNC_URL + '?action=sync'
 
 const getSubscription = async () => {
     try {

From f4060c70afa516a43a815d50b2a50c2ee7e71a7d Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Wed, 4 Feb 2026 16:07:13 +0100
Subject: [PATCH 58/63] feat(app): update .env.sample

---
 app/.env.sample | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/.env.sample b/app/.env.sample
index c5e8904..b14d80a 100644
--- a/app/.env.sample
+++ b/app/.env.sample
@@ -1,4 +1,4 @@
 VITE_API_URL=http://localhost:3000
 VITE_DOMAINS=example1.net,example2.net
 VITE_APP_NAME=App
-VITE_RESYNC_URL=http://localhost:8010/en/account/?action=resync
\ No newline at end of file
+VITE_RESYNC_URL=http://localhost:8010/en/account/
\ No newline at end of file

From ecf00d975c6946220dfa367afd49fcf0cf822811 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Thu, 5 Feb 2026 12:50:16 +0100
Subject: [PATCH 59/63] feat(app): update AccountSubscription.vue

---
 app/src/components/AccountSubscription.vue | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/src/components/AccountSubscription.vue b/app/src/components/AccountSubscription.vue
index 46d70ba..d69d418 100644
--- a/app/src/components/AccountSubscription.vue
+++ b/app/src/components/AccountSubscription.vue
@@ -60,6 +60,7 @@
             </footer>
         </div>
         <p v-if="error" class="error">Error: {{ error }}</p>
+        <p v-if="success" class="success">{{ success }}</p>
     </div>
 </template>
 
@@ -79,6 +80,7 @@ const sub = ref({
     outage: false,
 })
 const error = ref('')
+const success = ref('')
 const email = ref(localStorage.getItem('email'))
 const subid = ref('')
 const sessionid = ref('')
@@ -105,13 +107,16 @@ const updateSubscription = async () => {
 
     syncing.value = true
     try {
-        await subscriptionApi.update({
+        const res = await subscriptionApi.update({
             id: sub.value.id,
             subid: subid.value,
         })
+        success.value = res.data.message
+        error.value = ''
         await getSubscription()
     } catch (err) {
         if (axios.isAxiosError(err)) {
+            success.value = ''
             error.value = err.response?.data.error || err.message
         }
     } finally {

From 3d4333f8c57ca9c4030e0eb55e0a85ce147cd480 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Thu, 5 Feb 2026 15:47:59 +0100
Subject: [PATCH 60/63] feat(model): update subscription.go

---
 api/internal/model/subscription.go      |   4 +-
 api/internal/model/subscription_test.go | 161 +++++++++++++++++++++++-
 2 files changed, 160 insertions(+), 5 deletions(-)

diff --git a/api/internal/model/subscription.go b/api/internal/model/subscription.go
index 9d28482..f94007f 100644
--- a/api/internal/model/subscription.go
+++ b/api/internal/model/subscription.go
@@ -2,6 +2,7 @@ package model
 
 import (
 	"errors"
+	"strings"
 	"time"
 )
 
@@ -16,6 +17,7 @@ const (
 	GracePeriod   SubscriptionStatus = "grace_period"
 	LimitedAccess SubscriptionStatus = "limited_access"
 	PendingDelete SubscriptionStatus = "pending_delete"
+	Tier1         string             = "Tier 1"
 )
 
 type Subscription struct {
@@ -33,7 +35,7 @@ type Subscription struct {
 }
 
 func (s *Subscription) Active() bool {
-	return s.ActiveUntil.After(time.Now())
+	return s.ActiveUntil.After(time.Now()) && !strings.Contains(s.Tier, Tier1)
 }
 
 func (s *Subscription) GracePeriod() bool {
diff --git a/api/internal/model/subscription_test.go b/api/internal/model/subscription_test.go
index 206134c..0f798ac 100644
--- a/api/internal/model/subscription_test.go
+++ b/api/internal/model/subscription_test.go
@@ -11,31 +11,53 @@ func TestSubscriptionActive(t *testing.T) {
 	tests := []struct {
 		name        string
 		activeUntil time.Time
+		tier        string
 		want        bool
 	}{
 		{
-			name:        "future time returns true",
+			name:        "future time with Tier 2 returns true",
 			activeUntil: now.Add(2 * time.Second),
+			tier:        "Tier 2",
 			want:        true,
 		},
 		{
 			name:        "past time returns false",
 			activeUntil: now.Add(-2 * time.Second),
+			tier:        "Tier 2",
 			want:        false,
 		},
 		{
 			name:        "equal to now returns false",
-			activeUntil: now, // ActiveUntil.After(time.Now()) is strictly greater, so should be false
+			activeUntil: now,
+			tier:        "Tier 2",
 			want:        false,
 		},
+		{
+			name:        "future time but Tier 1 returns false",
+			activeUntil: now.Add(2 * time.Second),
+			tier:        "Tier 1",
+			want:        false,
+		},
+		{
+			name:        "future time but tier contains Tier 1 returns false",
+			activeUntil: now.Add(2 * time.Second),
+			tier:        "Plan Tier 1 Special",
+			want:        false,
+		},
+		{
+			name:        "future time with empty tier returns true",
+			activeUntil: now.Add(2 * time.Second),
+			tier:        "",
+			want:        true,
+		},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			s := &Subscription{ActiveUntil: tc.activeUntil}
+			s := &Subscription{ActiveUntil: tc.activeUntil, Tier: tc.tier}
 			got := s.Active()
 			if got != tc.want {
-				t.Fatalf("Active() = %v, want %v (activeUntil=%v, now=%v)", got, tc.want, tc.activeUntil, time.Now())
+				t.Fatalf("Active() = %v, want %v (activeUntil=%v, tier=%q, now=%v)", got, tc.want, tc.activeUntil, tc.tier, time.Now())
 			}
 		})
 	}
@@ -331,3 +353,134 @@ func TestSubscriptionGracePeriodDays(t *testing.T) {
 		})
 	}
 }
+
+func TestSubscriptionActiveStatus(t *testing.T) {
+	now := time.Now()
+
+	tests := []struct {
+		name        string
+		updatedAt   time.Time
+		activeUntil time.Time
+		tier        string
+		want        bool
+	}{
+		{
+			name:        "active subscription => true",
+			updatedAt:   now.Add(-24 * time.Hour),
+			activeUntil: now.Add(24 * time.Hour),
+			tier:        "Tier 2",
+			want:        true,
+		},
+		{
+			name:        "in grace period => true",
+			updatedAt:   now.Add(-49 * time.Hour),
+			activeUntil: now.Add(-48 * time.Hour),
+			tier:        "Tier 2",
+			want:        true,
+		},
+		{
+			name:        "expired and no outage => false",
+			updatedAt:   now.Add(-24 * time.Hour),
+			activeUntil: now.Add(-1 * time.Second),
+			tier:        "Tier 2",
+			want:        false,
+		},
+		{
+			name:        "Tier 1 even if has future time => false (not Active, but may be GracePeriod)",
+			updatedAt:   now.Add(-49 * time.Hour),
+			activeUntil: now.Add(24 * time.Hour),
+			tier:        "Tier 1",
+			want:        true, // GracePeriod returns true if outage and within 3-day window
+		},
+		{
+			name:        "Tier 1 without outage => false",
+			updatedAt:   now.Add(-24 * time.Hour),
+			activeUntil: now.Add(24 * time.Hour),
+			tier:        "Tier 1",
+			want:        false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			s := &Subscription{
+				UpdatedAt:   tc.updatedAt,
+				ActiveUntil: tc.activeUntil,
+				Tier:        tc.tier,
+			}
+			got := s.ActiveStatus()
+			if got != tc.want {
+				t.Fatalf("ActiveStatus() = %v, want %v (updatedAt=%v activeUntil=%v tier=%q now=%v)", got, tc.want, tc.updatedAt, tc.activeUntil, tc.tier, time.Now())
+			}
+		})
+	}
+}
+
+func TestSubscriptionGetStatus(t *testing.T) {
+	now := time.Now()
+
+	tests := []struct {
+		name        string
+		updatedAt   time.Time
+		activeUntil time.Time
+		tier        string
+		want        SubscriptionStatus
+	}{
+		{
+			name:        "active tier 2 subscription => Active",
+			updatedAt:   now.Add(-24 * time.Hour),
+			activeUntil: now.Add(24 * time.Hour),
+			tier:        "Tier 2",
+			want:        Active,
+		},
+		{
+			name:        "in grace period => GracePeriod",
+			updatedAt:   now.Add(-49 * time.Hour),
+			activeUntil: now.Add(-48 * time.Hour),
+			tier:        "Tier 2",
+			want:        GracePeriod,
+		},
+		{
+			name:        "limited access (14d window) => LimitedAccess",
+			updatedAt:   now.Add(-24 * time.Hour),
+			activeUntil: now.Add(-5 * 24 * time.Hour),
+			tier:        "Tier 2",
+			want:        LimitedAccess,
+		},
+		{
+			name:        "pending delete (>14d) => PendingDelete",
+			updatedAt:   now.Add(-24 * time.Hour),
+			activeUntil: now.Add(-30 * 24 * time.Hour),
+			tier:        "Tier 2",
+			want:        PendingDelete,
+		},
+		{
+			name:        "Tier 1 with future time and outage => GracePeriod",
+			updatedAt:   now.Add(-49 * time.Hour),
+			activeUntil: now.Add(24 * time.Hour),
+			tier:        "Tier 1",
+			want:        GracePeriod,
+		},
+		{
+			name:        "Tier 1 without outage but within 14d => LimitedAccess",
+			updatedAt:   now.Add(-24 * time.Hour),
+			activeUntil: now.Add(-5 * 24 * time.Hour),
+			tier:        "Tier 1",
+			want:        LimitedAccess,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			s := &Subscription{
+				UpdatedAt:   tc.updatedAt,
+				ActiveUntil: tc.activeUntil,
+				Tier:        tc.tier,
+			}
+			got := s.GetStatus()
+			if got != tc.want {
+				t.Fatalf("GetStatus() = %v, want %v (updatedAt=%v activeUntil=%v tier=%q now=%v)", got, tc.want, tc.updatedAt, tc.activeUntil, tc.tier, time.Now())
+			}
+		})
+	}
+}

From c8a376ada3e37166aec3afd3982ef6848479bc24 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Mon, 9 Feb 2026 11:50:25 +0100
Subject: [PATCH 61/63] feat(client): update expiring_sub.tmpl

---
 .../client/mailer/templates/expiring_sub.tmpl   | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/api/internal/client/mailer/templates/expiring_sub.tmpl b/api/internal/client/mailer/templates/expiring_sub.tmpl
index 0c4165d..d8920d6 100644
--- a/api/internal/client/mailer/templates/expiring_sub.tmpl
+++ b/api/internal/client/mailer/templates/expiring_sub.tmpl
@@ -1,15 +1,24 @@
 {{define "body"}}
-Hi,
+Hello,
 
-Your {{.from}} account is in limited access mode. To regain full access add time to your IVPN account.
+Your {{.from}} account is in limited access mode. 
+
+You cannot create new aliases or recipients, reply to forwards or send emails via {{.from}}. 
+
+Incoming forwards are still processed for 14 days from the date of this message.
+
+To regain full access with no restrictions, add time to your IVPN account.
 
 Sent by {{.from}}
 {{end}}
 
 {{define "bodyHtml"}}
 <div style="font-family: Arial, Helvetica, sans-serif;font-size: 15px;">
-Hi,<br><br>
-Your {{.from}} account is in limited access mode. To regain full access add time to your IVPN account.<br><br>
+Hello,<br><br>
+Your {{.from}} account is in limited access mode.<br><br>
+You cannot create new aliases or recipients, reply to forwards or send emails via {{.from}}.<br><br>
+Incoming forwards are still processed for 14 days from the date of this message.<br><br>
+To regain full access with no restrictions, add time to your IVPN account.<br><br>
 Sent by {{.from}}
 </div>
 {{end}}

From 917bfaea6622a217a4c18fb70add1ad5562fa3c0 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Mon, 9 Feb 2026 12:35:18 +0100
Subject: [PATCH 62/63] feat(service): update processor.go

---
 api/internal/model/log.go          |  7 ++++---
 api/internal/service/processor.go  | 26 ++++++++++++++++++++++++++
 app/src/style/components/badge.css |  4 ++++
 3 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/api/internal/model/log.go b/api/internal/model/log.go
index 1f370d9..90a64ed 100644
--- a/api/internal/model/log.go
+++ b/api/internal/model/log.go
@@ -5,9 +5,10 @@ import "time"
 type LogType string
 
 const (
-	BounceMessage    LogType = "bounce"
-	DisabledAlias    LogType = "disabled_alias"
-	UnauthorisedSend LogType = "unauthorised_send"
+	BounceMessage        LogType = "bounce"
+	DisabledAlias        LogType = "disabled_alias"
+	UnauthorisedSend     LogType = "unauthorised_send"
+	InactiveSubscription LogType = "inactive_subscription"
 )
 
 type Log struct {
diff --git a/api/internal/service/processor.go b/api/internal/service/processor.go
index 65a1ec5..75f8e28 100644
--- a/api/internal/service/processor.go
+++ b/api/internal/service/processor.go
@@ -104,12 +104,38 @@ func (s *Service) ProcessMessage(data []byte) error {
 		// Forward
 		if relayType == model.Forward && sub.PendingDelete() {
 			log.Println("inactive subscription for forward")
+			settings, err := s.GetSettings(context.Background(), alias.UserID)
+			if err != nil {
+				log.Println("error getting settings", err)
+				continue
+			}
+
+			if settings.LogIssues {
+				err := s.ProcessDiscardLog(alias, msg.From, to, ErrInactiveSubscription.Error(), model.InactiveSubscription)
+				if err != nil {
+					log.Println("error processing discard log", err)
+				}
+			}
+
 			continue
 		}
 
 		// Reply | Send
 		if relayType != model.Forward && !sub.ActiveStatus() {
 			log.Println("inactive subscription for reply/send")
+			settings, err := s.GetSettings(context.Background(), alias.UserID)
+			if err != nil {
+				log.Println("error getting settings", err)
+				continue
+			}
+
+			if settings.LogIssues {
+				err := s.ProcessDiscardLog(alias, msg.From, to, ErrInactiveSubscription.Error(), model.InactiveSubscription)
+				if err != nil {
+					log.Println("error processing discard log", err)
+				}
+			}
+
 			continue
 		}
 
diff --git a/app/src/style/components/badge.css b/app/src/style/components/badge.css
index c8cc91e..952d361 100644
--- a/app/src/style/components/badge.css
+++ b/app/src/style/components/badge.css
@@ -22,6 +22,10 @@
             @apply bg-violet-500 dark:bg-violet-700 text-white font-semibold;
         }
 
+        &.inactive_subscription {
+            @apply bg-gray-500 text-white font-semibold;
+        }
+
         &.small {
             @apply py-0.5 px-1.5 text-xs;
         }

From d18c2e3bfdab1237f678c7fbf6b9acc02222f387 Mon Sep 17 00:00:00 2001
From: Juraj Hilje <juraj.hilje@gmail.com>
Date: Mon, 9 Feb 2026 14:52:53 +0100
Subject: [PATCH 63/63] feat(service): update processor.go

---
 api/internal/service/alias.go     | 1 -
 api/internal/service/processor.go | 2 --
 2 files changed, 3 deletions(-)

diff --git a/api/internal/service/alias.go b/api/internal/service/alias.go
index 7dab327..d5b5bf6 100644
--- a/api/internal/service/alias.go
+++ b/api/internal/service/alias.go
@@ -96,7 +96,6 @@ func (s *Service) PostAlias(ctx context.Context, alias model.Alias, format strin
 	}
 
 	if !sub.ActiveStatus() {
-		log.Println("error creating alias: subscription is not active")
 		return model.Alias{}, ErrPostAlias
 	}
 
diff --git a/api/internal/service/processor.go b/api/internal/service/processor.go
index 75f8e28..c65a148 100644
--- a/api/internal/service/processor.go
+++ b/api/internal/service/processor.go
@@ -103,7 +103,6 @@ func (s *Service) ProcessMessage(data []byte) error {
 
 		// Forward
 		if relayType == model.Forward && sub.PendingDelete() {
-			log.Println("inactive subscription for forward")
 			settings, err := s.GetSettings(context.Background(), alias.UserID)
 			if err != nil {
 				log.Println("error getting settings", err)
@@ -122,7 +121,6 @@ func (s *Service) ProcessMessage(data []byte) error {
 
 		// Reply | Send
 		if relayType != model.Forward && !sub.ActiveStatus() {
-			log.Println("inactive subscription for reply/send")
 			settings, err := s.GetSettings(context.Background(), alias.UserID)
 			if err != nil {
 				log.Println("error getting settings", err)