WIP

docs: update "move all data" instructions in FAQ (#8976 )
* Update FAQ.mdx chore(docs): update "move all data" FAQ instructions. * Apply suggestions from code review fix: (apply suggestions) use sql-compliant comments Co-authored-by: Matthew Momjian <50788000+mmomjian@users.noreply.github.com> * fix: Update FAQ.mdx --------- Co-authored-by: Matthew Momjian <50788000+mmomjian@users.noreply.github.com>
2024-04-22 16:51:24 -04:00 · 2024-04-22 12:53:55 +00:00 · 2024-04-22 06:22:59 -05:00 · 2024-04-22 01:35:27 -04:00 · 2024-04-21 19:14:54 +00:00 · 2024-04-21 14:07:17 -05:00
146 changed files with 3081 additions and 1115 deletions
--- a/.github/workflows/build-mobile.yml
+++ b/.github/workflows/build-mobile.yml
@@ -37,15 +37,15 @@ jobs:

      - uses: actions/setup-java@v4
        with:
-          distribution: "zulu"
-          java-version: "11.0.21+9"
-          cache: "gradle"
+          distribution: 'zulu'
+          java-version: '17'
+          cache: 'gradle'

      - name: Setup Flutter SDK
        uses: subosito/flutter-action@v2
        with:
-          channel: "stable"
-          flutter-version: "3.19.3"
+          channel: 'stable'
+          flutter-version: '3.19.3'
          cache: true

      - name: Create the Keystore
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -208,7 +208,7 @@ jobs:
        uses: subosito/flutter-action@v2
        with:
          channel: 'stable'
-          flutter-version: '3.16.9'
+          flutter-version: '3.19.3'
      - name: Run tests
        working-directory: ./mobile
        run: flutter test -j 1
--- a/cli/package-lock.json
+++ b/cli/package-lock.json
@@ -47,7 +47,7 @@
    },
    "../open-api/typescript-sdk": {
      "name": "@immich/sdk",
-      "version": "1.102.0",
+      "version": "1.102.3",
      "dev": true,
      "license": "GNU Affero General Public License version 3",
      "dependencies": {
--- a/docs/docs/FAQ.mdx
+++ b/docs/docs/FAQ.mdx
@@ -117,7 +117,7 @@ For example, say you have existing transcodes with the policy "Videos higher tha

 No. Our design principle is that the original assets should always be untouched.

-### How can I move all data (photos, persons, albums) from one user to another?
+### How can I move all data (photos, persons, albums, libraries) from one user to another?

 This is not officially supported but can be accomplished with some database updates. You can do this on the command line (in the PostgreSQL container using the `psql` command), or you can add, for example, an [Adminer](https://www.adminer.org/) container to the `docker-compose.yml` file so that you can use a web interface.

@@ -128,18 +128,21 @@ This is not officially supported but can be accomplished with some database upda

 2. Find the ID of both the 'source' and the 'destination' user (it's the id column in the `users` table)

-3. Three tables need to be updated:
+3. Four tables need to be updated:

 ```sql
-// Reassign albums
+-- reassign albums
 UPDATE albums SET "ownerId" = '<destinationId>' WHERE "ownerId" = '<sourceId>';

-// Reassign people
+-- reassign people
 UPDATE person SET "ownerId" = '<destinationId>' WHERE "ownerId" = '<sourceId>';

-// reassign assets
+-- reassign assets
 UPDATE assets SET "ownerId" = '<destinationId>' WHERE "ownerId" = '<sourceId>'
 AND CHECKSUM NOT IN (SELECT CHECKSUM FROM assets WHERE "ownerId" = '<destinationId>');
+
+-- reassign external libraries
+UPDATE libraries SET "ownerId" = '<destinationId>' WHERE "ownerId" = '<sourceId>';
 ```

 4. There might be left-over assets in the 'source' user's library if they are skipped by the last query because of duplicate checksums. These are probably duplicates anyway, and can probably be removed.
--- a/e2e/package-lock.json
+++ b/e2e/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "immich-e2e",
-  "version": "1.102.0",
+  "version": "1.102.3",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "immich-e2e",
-      "version": "1.102.0",
+      "version": "1.102.3",
      "license": "GNU Affero General Public License version 3",
      "devDependencies": {
        "@immich/cli": "file:../cli",
@@ -81,7 +81,7 @@
    },
    "../open-api/typescript-sdk": {
      "name": "@immich/sdk",
-      "version": "1.102.0",
+      "version": "1.102.3",
      "dev": true,
      "license": "GNU Affero General Public License version 3",
      "dependencies": {
--- a/e2e/package.json
+++ b/e2e/package.json
@@ -1,6 +1,6 @@
 {
  "name": "immich-e2e",
-  "version": "1.102.0",
+  "version": "1.102.3",
  "description": "",
  "main": "index.js",
  "type": "module",
--- a/e2e/src/api/specs/asset.e2e-spec.ts
+++ b/e2e/src/api/specs/asset.e2e-spec.ts
@@ -572,6 +572,22 @@ describe('/asset', () => {
    }

    const tests = [
+      {
+        input: 'formats/avif/8bit-sRGB.avif',
+        expected: {
+          type: AssetTypeEnum.Image,
+          originalFileName: '8bit-sRGB.avif',
+          resized: true,
+          exifInfo: {
+            description: '',
+            exifImageHeight: 1080,
+            exifImageWidth: 1617,
+            fileSizeInByte: 862_424,
+            latitude: null,
+            longitude: null,
+          },
+        },
+      },
      {
        input: 'formats/jpg/el_torcal_rocks.jpg',
        expected: {
@@ -596,6 +612,22 @@ describe('/asset', () => {
          },
        },
      },
+      {
+        input: 'formats/jxl/8bit-sRGB.jxl',
+        expected: {
+          type: AssetTypeEnum.Image,
+          originalFileName: '8bit-sRGB.jxl',
+          resized: true,
+          exifInfo: {
+            description: '',
+            exifImageHeight: 1080,
+            exifImageWidth: 1440,
+            fileSizeInByte: 1_780_777,
+            latitude: null,
+            longitude: null,
+          },
+        },
+      },
      {
        input: 'formats/heic/IMG_2682.heic',
        expected: {
@@ -681,6 +713,80 @@ describe('/asset', () => {
          },
        },
      },
+      {
+        input: 'formats/raw/Panasonic/DMC-GH4/4_3.rw2',
+        expected: {
+          type: AssetTypeEnum.Image,
+          originalFileName: '4_3.rw2',
+          resized: true,
+          fileCreatedAt: '2018-05-10T08:42:37.842Z',
+          exifInfo: {
+            make: 'Panasonic',
+            model: 'DMC-GH4',
+            exifImageHeight: 3456,
+            exifImageWidth: 4608,
+            exposureTime: '1/100',
+            fNumber: 3.2,
+            focalLength: 35,
+            iso: 400,
+            fileSizeInByte: 19_587_072,
+            dateTimeOriginal: '2018-05-10T08:42:37.842Z',
+            latitude: null,
+            longitude: null,
+            orientation: '1',
+          },
+        },
+      },
+      {
+        input: 'formats/raw/Sony/ILCE-6300/12bit-compressed-(3_2).arw',
+        expected: {
+          type: AssetTypeEnum.Image,
+          originalFileName: '12bit-compressed-(3_2).arw',
+          resized: true,
+          fileCreatedAt: '2016-09-27T10:51:44.000Z',
+          exifInfo: {
+            make: 'SONY',
+            model: 'ILCE-6300',
+            exifImageHeight: 4024,
+            exifImageWidth: 6048,
+            exposureTime: '1/320',
+            fNumber: 8,
+            focalLength: 97,
+            iso: 100,
+            lensModel: 'E PZ 18-105mm F4 G OSS',
+            fileSizeInByte: 25_001_984,
+            dateTimeOriginal: '2016-09-27T10:51:44.000Z',
+            latitude: null,
+            longitude: null,
+            orientation: '1',
+          },
+        },
+      },
+      {
+        input: 'formats/raw/Sony/ILCE-7M2/14bit-uncompressed-(3_2).arw',
+        expected: {
+          type: AssetTypeEnum.Image,
+          originalFileName: '14bit-uncompressed-(3_2).arw',
+          resized: true,
+          fileCreatedAt: '2016-01-08T15:08:01.000Z',
+          exifInfo: {
+            make: 'SONY',
+            model: 'ILCE-7M2',
+            exifImageHeight: 4024,
+            exifImageWidth: 6048,
+            exposureTime: '1.3',
+            fNumber: 22,
+            focalLength: 25,
+            iso: 100,
+            lensModel: 'E 25mm F2',
+            fileSizeInByte: 49_512_448,
+            dateTimeOriginal: '2016-01-08T15:08:01.000Z',
+            latitude: null,
+            longitude: null,
+            orientation: '1',
+          },
+        },
+      },
    ];

    for (const { input, expected } of tests) {
--- a/e2e/src/api/specs/library.e2e-spec.ts
+++ b/e2e/src/api/specs/library.e2e-spec.ts
@@ -8,7 +8,7 @@ import {
 } from '@immich/sdk';
 import { cpSync, existsSync } from 'node:fs';
 import { Socket } from 'socket.io-client';
-import { userDto, uuidDto } from 'src/fixtures';
+import { createUserDto, uuidDto } from 'src/fixtures';
 import { errorDto } from 'src/responses';
 import { app, asBearerAuth, testAssetDir, testAssetDirInternal, utils } from 'src/utils';
 import request from 'supertest';
@@ -18,7 +18,7 @@ import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
 const scan = async (accessToken: string, id: string, dto: ScanLibraryDto = {}) =>
  scanLibrary({ id, scanLibraryDto: dto }, { headers: asBearerAuth(accessToken) });

-describe('/library', () => {
+describe.skip('/library', () => {
  let admin: LoginResponseDto;
  let user: LoginResponseDto;
  let library: LibraryResponseDto;
@@ -28,7 +28,7 @@ describe('/library', () => {
    await utils.resetDatabase();
    admin = await utils.adminSetup();
    await utils.resetAdminConfig(admin.accessToken);
-    user = await utils.userSetup(admin.accessToken, userDto.user1);
+    user = await utils.userSetup(admin.accessToken, createUserDto.user1);
    library = await utils.createLibrary(admin.accessToken, { ownerId: admin.userId, type: LibraryType.External });
    websocket = await utils.connectWebsocket(admin.accessToken);
    utils.createImageFile(`${testAssetDir}/temp/directoryA/assetA.png`);
--- a/e2e/src/api/specs/server-info.e2e-spec.ts
+++ b/e2e/src/api/specs/server-info.e2e-spec.ts
@@ -1,4 +1,4 @@
-import { LoginResponseDto, getServerConfig } from '@immich/sdk';
+import { LoginResponseDto } from '@immich/sdk';
 import { createUserDto } from 'src/fixtures';
 import { errorDto } from 'src/responses';
 import { app, utils } from 'src/utils';
@@ -162,19 +162,4 @@ describe('/server-info', () => {
      });
    });
  });
-
-  describe('POST /server-info/admin-onboarding', () => {
-    it('should set admin onboarding', async () => {
-      const config = await getServerConfig({});
-      expect(config.isOnboarded).toBe(false);
-
-      const { status } = await request(app)
-        .post('/server-info/admin-onboarding')
-        .set('Authorization', `Bearer ${admin.accessToken}`);
-      expect(status).toBe(204);
-
-      const newConfig = await getServerConfig({});
-      expect(newConfig.isOnboarded).toBe(true);
-    });
-  });
 });
--- a/e2e/src/api/specs/system-metadata.e2e-spec.ts
+++ b/e2e/src/api/specs/system-metadata.e2e-spec.ts
@@ -0,0 +1,76 @@
+import { LoginResponseDto, getServerConfig } from '@immich/sdk';
+import { createUserDto } from 'src/fixtures';
+import { errorDto } from 'src/responses';
+import { app, utils } from 'src/utils';
+import request from 'supertest';
+import { beforeAll, describe, expect, it } from 'vitest';
+
+describe('/server-info', () => {
+  let admin: LoginResponseDto;
+  let nonAdmin: LoginResponseDto;
+
+  beforeAll(async () => {
+    await utils.resetDatabase();
+    admin = await utils.adminSetup({ onboarding: false });
+    nonAdmin = await utils.userSetup(admin.accessToken, createUserDto.user1);
+  });
+
+  describe('POST /system-metadata/admin-onboarding', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).post('/system-metadata/admin-onboarding').send({ isOnboarded: true });
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should only work for admins', async () => {
+      const { status, body } = await request(app)
+        .post('/system-metadata/admin-onboarding')
+        .set('Authorization', `Bearer ${nonAdmin.accessToken}`)
+        .send({ isOnboarded: true });
+      expect(status).toBe(403);
+      expect(body).toEqual(errorDto.forbidden);
+    });
+
+    it('should set admin onboarding', async () => {
+      const config = await getServerConfig({});
+      expect(config.isOnboarded).toBe(false);
+
+      const { status } = await request(app)
+        .post('/system-metadata/admin-onboarding')
+        .set('Authorization', `Bearer ${admin.accessToken}`)
+        .send({ isOnboarded: true });
+      expect(status).toBe(204);
+
+      const newConfig = await getServerConfig({});
+      expect(newConfig.isOnboarded).toBe(true);
+    });
+  });
+
+  describe('GET /system-metadata/reverse-geocoding-state', () => {
+    it('should require authentication', async () => {
+      const { status, body } = await request(app).get('/system-metadata/reverse-geocoding-state');
+      expect(status).toBe(401);
+      expect(body).toEqual(errorDto.unauthorized);
+    });
+
+    it('should only work for admins', async () => {
+      const { status, body } = await request(app)
+        .get('/system-metadata/reverse-geocoding-state')
+        .set('Authorization', `Bearer ${nonAdmin.accessToken}`);
+      expect(status).toBe(403);
+      expect(body).toEqual(errorDto.forbidden);
+    });
+
+    it('should get the reverse geocoding state', async () => {
+      const { status, body } = await request(app)
+        .get('/system-metadata/reverse-geocoding-state')
+        .set('Authorization', `Bearer ${admin.accessToken}`);
+
+      expect(status).toBe(200);
+      expect(body).toEqual({
+        lastUpdate: expect.any(String),
+        lastImportFileName: 'cities500.txt',
+      });
+    });
+  });
+});
--- a/e2e/src/api/specs/user.e2e-spec.ts
+++ b/e2e/src/api/specs/user.e2e-spec.ts
@@ -135,7 +135,7 @@ describe('/user', () => {
      expect(body).toEqual(errorDto.unauthorized);
    });

-    for (const key of Object.keys(createUserDto.user1)) {
+    for (const key of ['email', 'password', 'name', 'permissionPreset']) {
      it(`should not allow null ${key}`, async () => {
        const { status, body } = await request(app)
          .post(`/user`)
@@ -146,6 +146,17 @@ describe('/user', () => {
      });
    }

+    it(`should require permissions when using the custom preset `, async () => {
+      const { status, body } = await request(app)
+        .post(`/user`)
+        .set('Authorization', `Bearer ${admin.accessToken}`)
+        .send({ ...createUserDto.user1, permissionPreset: 'custom' });
+      expect(status).toBe(400);
+      expect(body).toEqual(
+        errorDto.badRequest([expect.stringContaining('each value in permissions must be one of the following')]),
+      );
+    });
+
    it('should ignore `isAdmin`', async () => {
      const { status, body } = await request(app)
        .post(`/user`)
@@ -154,6 +165,7 @@ describe('/user', () => {
          email: 'user5@immich.cloud',
          password: 'password123',
          name: 'Immich',
+          permissionPreset: 'user',
        })
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(body).toMatchObject({
@@ -172,6 +184,7 @@ describe('/user', () => {
          password: 'Password123',
          name: 'No Memories',
          memoriesEnabled: false,
+          permissionPreset: 'user',
        })
        .set('Authorization', `Bearer ${admin.accessToken}`);
      expect(body).toMatchObject({
--- a/e2e/src/fixtures.ts
+++ b/e2e/src/fixtures.ts
@@ -1,4 +1,4 @@
-import { UserAvatarColor } from '@immich/sdk';
+import { PermissionPreset, UserAvatarColor } from '@immich/sdk';

 export const uuidDto = {
  invalid: 'invalid-uuid',
@@ -26,33 +26,39 @@ export const createUserDto = {
      email: `${key}@immich.cloud`,
      name: `Generated User ${key}`,
      password: `password-${key}`,
+      permissionPreset: PermissionPreset.User,
    };
  },
  user1: {
    email: 'user1@immich.cloud',
    name: 'User 1',
    password: 'password1',
+    permissionPreset: PermissionPreset.User,
  },
  user2: {
    email: 'user2@immich.cloud',
    name: 'User 2',
    password: 'password12',
+    permissionPreset: PermissionPreset.User,
  },
  user3: {
    email: 'user3@immich.cloud',
    name: 'User 3',
+    permissionPreset: PermissionPreset.User,
    password: 'password123',
  },
  user4: {
    email: 'user4@immich.cloud',
    name: 'User 4',
    password: 'password123',
+    permissionPreset: PermissionPreset.User,
  },
  userQuota: {
    email: 'user-quota@immich.cloud',
    name: 'User Quota',
    password: 'password-quota',
    quotaSizeInBytes: 512,
+    permissionPreset: PermissionPreset.User,
  },
 };

--- a/e2e/src/responses.ts
+++ b/e2e/src/responses.ts
@@ -77,6 +77,91 @@ export const signupResponseDto = {
    quotaUsageInBytes: 0,
    quotaSizeInBytes: null,
    status: 'active',
+    permissions: [
+      'activity.create',
+      'activity.read',
+      'activity.update',
+      'activity.delete',
+      'album.create',
+      'album.read',
+      'album.update',
+      'album.delete',
+      'asset.create',
+      'asset.read',
+      'asset.update',
+      'asset.delete',
+      'apiKey.create',
+      'apiKey.read',
+      'apiKey.update',
+      'apiKey.delete',
+      'authDevice.create',
+      'authDevice.read',
+      'authDevice.update',
+      'authDevice.delete',
+      'face.create',
+      'face.read',
+      'face.update',
+      'face.delete',
+      'library.create',
+      'library.read',
+      'library.update',
+      'library.delete',
+      'memory.create',
+      'memory.read',
+      'memory.update',
+      'memory.delete',
+      'memory.addAsset',
+      'memory.removeAsset',
+      'partner.create',
+      'partner.read',
+      'partner.update',
+      'partner.delete',
+      'person.create',
+      'person.read',
+      'person.update',
+      'person.delete',
+      'report.create',
+      'report.read',
+      'report.update',
+      'report.delete',
+      'sharedLink.create',
+      'sharedLink.read',
+      'sharedLink.update',
+      'sharedLink.delete',
+      'systemConfig.read',
+      'systemConfig.update',
+      'systemConfig.delete',
+      'stack.create',
+      'stack.read',
+      'stack.update',
+      'stack.delete',
+      'tag.create',
+      'tag.read',
+      'tag.update',
+      'tag.delete',
+      'user.create',
+      'user.read',
+      'user.update',
+      'user.delete',
+      'auth.changePassword',
+      'auth.oauth',
+      'album.addAsset',
+      'album.removeAsset',
+      'album.addUser',
+      'album.removeUser',
+      'asset.viewThumb',
+      'asset.viewPreview',
+      'asset.viewOriginal',
+      'asset.upload',
+      'asset.download',
+      'job.read',
+      'job.run',
+      'map.read',
+      'user.readSimple',
+      'user.changePassword',
+      'server.read',
+      'server.setup',
+    ],
  },
 };

--- a/e2e/src/utils.ts
+++ b/e2e/src/utils.ts
@@ -24,8 +24,8 @@ import {
  getConfigDefaults,
  login,
  searchMetadata,
-  setAdminOnboarding,
  signUpAdmin,
+  updateAdminOnboarding,
  updateConfig,
  validate,
 } from '@immich/sdk';
@@ -264,7 +264,10 @@ export const utils = {
    await signUpAdmin({ signUpDto: signupDto.admin });
    const response = await login({ loginCredentialDto: loginDto.admin });
    if (options.onboarding) {
-      await setAdminOnboarding({ headers: asBearerAuth(response.accessToken) });
+      await updateAdminOnboarding(
+        { adminOnboardingUpdateDto: { isOnboarded: true } },
+        { headers: asBearerAuth(response.accessToken) },
+      );
    }
    return response;
  },
--- a/machine-learning/pyproject.toml
+++ b/machine-learning/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "machine-learning"
-version = "1.102.0"
+version = "1.102.3"
 description = ""
 authors = ["Hau Tran <alex.tran1502@gmail.com>"]
 readme = "README.md"
--- a/mobile/android/app/build.gradle
+++ b/mobile/android/app/build.gradle
@@ -1,14 +1,14 @@
+plugins {
+    id "com.android.application"
+    id "kotlin-android"
+    id "dev.flutter.flutter-gradle-plugin"
+    id "kotlin-kapt"
+}
+
 def localProperties = new Properties()
 def localPropertiesFile = rootProject.file('local.properties')
 if (localPropertiesFile.exists()) {
-    localPropertiesFile.withReader('UTF-8') { reader ->
-        localProperties.load(reader)
-    }
-}
-
-def flutterRoot = localProperties.getProperty('flutter.sdk')
-if (flutterRoot == null) {
-    throw new GradleException("Flutter SDK not found. Define location with flutter.sdk in the local.properties file.")
+    localPropertiesFile.withInputStream { localProperties.load(it) }
 }

 def flutterVersionCode = localProperties.getProperty('flutter.versionCode')
@@ -21,18 +21,12 @@ if (flutterVersionName == null) {
    flutterVersionName = '1.0'
 }

-apply plugin: 'com.android.application'
-apply plugin: 'kotlin-android'
-apply plugin: 'kotlin-kapt'
-apply from: "$flutterRoot/packages/flutter_tools/gradle/flutter.gradle"
-
 def keystoreProperties = new Properties()
 def keystorePropertiesFile = rootProject.file('key.properties')
 if (keystorePropertiesFile.exists()) {
-    keystoreProperties.load(new FileInputStream(keystorePropertiesFile))
+    keystorePropertiesFile.withInputStream { keystoreProperties.load(it) }
 }

-
 android {
    compileSdkVersion 34

@@ -50,7 +44,6 @@ android {
    }

    defaultConfig {
-        // TODO: Specify your own unique Application ID (https://developer.android.com/studio/build/application-id.html).
        applicationId "app.alextran.immich"
        minSdkVersion 26
        targetSdkVersion 33
@@ -88,6 +81,13 @@ flutter {
 }

 dependencies {
+    def kotlin_version = '1.9.23'
+    def kotlin_coroutines_version = '1.8.0'
+    def work_version = '2.9.0'
+    def concurrent_version = '1.1.0'
+    def guava_version = '33.1.0-android'
+    def glide_version = '4.16.0'
+
    implementation "org.jetbrains.kotlin:kotlin-stdlib-jdk8:$kotlin_version"
    implementation "org.jetbrains.kotlinx:kotlinx-coroutines-android:$kotlin_coroutines_version"
    implementation "androidx.work:work-runtime-ktx:$work_version"
--- a/mobile/android/app/src/main/kotlin/com/example/mobile/BackupWorker.kt
+++ b/mobile/android/app/src/main/kotlin/com/example/mobile/BackupWorker.kt
@@ -276,7 +276,7 @@ class BackupWorker(ctx: Context, params: WorkerParameters) : ListenableWorker(ct
        private const val NOTIFICATION_CHANNEL_ERROR_ID = "immich/backgroundServiceError"
        private const val NOTIFICATION_DEFAULT_TITLE = "Immich"
        private const val NOTIFICATION_ID = 1
-        private const val NOTIFICATION_ERROR_ID = 2 
+        private const val NOTIFICATION_ERROR_ID = 2
        private const val NOTIFICATION_DETAIL_ID = 3
        private const val ONE_MINUTE = 60000L

@@ -304,7 +304,7 @@ class BackupWorker(ctx: Context, params: WorkerParameters) : ListenableWorker(ct
                val workInfoList = workInfoFuture.get(1000, TimeUnit.MILLISECONDS)
                if (workInfoList != null) {
                    for (workInfo in workInfoList) {
-                        if (workInfo.getState() == WorkInfo.State.ENQUEUED) {
+                        if (workInfo.state == WorkInfo.State.ENQUEUED) {
                            val workRequest = buildWorkRequest(requireWifi, requireCharging)
                            wm.enqueueUniqueWork(TASK_NAME_BACKUP, ExistingWorkPolicy.REPLACE, workRequest)
                            Log.d(TAG, "updateBackupWorker updated BackupWorker constraints")
@@ -346,7 +346,7 @@ class BackupWorker(ctx: Context, params: WorkerParameters) : ListenableWorker(ct
                .setRequiresBatteryNotLow(true)
                .setRequiresCharging(requireCharging)
                .build();
-            
+
            val work = OneTimeWorkRequest.Builder(BackupWorker::class.java)
                .setConstraints(constraints)
                .setBackoffCriteria(BackoffPolicy.EXPONENTIAL, ONE_MINUTE, TimeUnit.MILLISECONDS)
@@ -359,4 +359,4 @@ class BackupWorker(ctx: Context, params: WorkerParameters) : ListenableWorker(ct
    }
 }

-private const val TAG = "BackupWorker"
+private const val TAG = "BackupWorker"
--- a/mobile/android/build.gradle
+++ b/mobile/android/build.gradle
@@ -1,21 +1,3 @@
-buildscript {
-    ext.kotlin_version = '1.8.20'
-    ext.kotlin_coroutines_version = '1.7.1'
-    ext.work_version = '2.7.1'
-    ext.concurrent_version = '1.1.0'
-    ext.guava_version = '33.0.0-android'
-    ext.glide_version = '4.14.2'
-    repositories {
-        google()
-        mavenCentral()
-    }
-
-    dependencies {
-        classpath 'com.android.tools.build:gradle:7.4.2'
-        classpath "org.jetbrains.kotlin:kotlin-gradle-plugin:$kotlin_version"
-    }
-}
-
 allprojects {
    repositories {
        google()
@@ -34,3 +16,7 @@ subprojects {
 tasks.register("clean", Delete) {
    delete rootProject.buildDir
 }
+
+tasks.named('wrapper') {
+    distributionType = Wrapper.DistributionType.ALL
+}
--- a/mobile/android/fastlane/Fastfile
+++ b/mobile/android/fastlane/Fastfile
@@ -35,8 +35,8 @@ platform :android do
      task: 'bundle', 
      build_type: 'Release',
      properties: {
-        "android.injected.version.code" => 132,
-        "android.injected.version.name" => "1.102.0",
+        "android.injected.version.code" => 136,
+        "android.injected.version.name" => "1.102.3",
      }
    )
    upload_to_play_store(skip_upload_apk: true, skip_upload_images: true, skip_upload_screenshots: true, aab: '../build/app/outputs/bundle/release/app-release.aab')
--- a/mobile/android/fastlane/report.xml
+++ b/mobile/android/fastlane/report.xml
@@ -5,17 +5,17 @@
    
    
      
-      <testcase classname="fastlane.lanes" name="0: default_platform" time="0.000219">
+      <testcase classname="fastlane.lanes" name="0: default_platform" time="0.000261">
        
      </testcase>
    
      
-      <testcase classname="fastlane.lanes" name="1: bundleRelease" time="67.515419">
+      <testcase classname="fastlane.lanes" name="1: bundleRelease" time="32.48099">
        
      </testcase>
    
      
-      <testcase classname="fastlane.lanes" name="2: upload_to_play_store" time="35.431743">
+      <testcase classname="fastlane.lanes" name="2: upload_to_play_store" time="30.236974">
        
      </testcase>
    
--- a/mobile/android/gradle/wrapper/gradle-wrapper.properties
+++ b/mobile/android/gradle/wrapper/gradle-wrapper.properties
@@ -1,6 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.3-all.zip
-distributionSha256Sum=6001aba9b2204d26fa25a5800bb9382cf3ee01ccb78fe77317b2872336eb2f80
+distributionUrl=https\://services.gradle.org/distributions/gradle-7.6.4-all.zip
+distributionSha256Sum=fe696c020f241a5f69c30f763c5a7f38eec54b490db19cd2b0962dda420d7d12
--- a/mobile/android/settings.gradle
+++ b/mobile/android/settings.gradle
@@ -1,11 +1,26 @@
-include ':app'
+pluginManagement {
+    def flutterSdkPath = {
+        def properties = new Properties()
+        file("local.properties").withInputStream { properties.load(it) }
+        def flutterSdkPath = properties.getProperty("flutter.sdk")
+        assert flutterSdkPath != null, "flutter.sdk not set in local.properties"
+        return flutterSdkPath
+    }()

-def localPropertiesFile = new File(rootProject.projectDir, "local.properties")
-def properties = new Properties()
+    includeBuild("$flutterSdkPath/packages/flutter_tools/gradle")

-assert localPropertiesFile.exists()
-localPropertiesFile.withReader("UTF-8") { reader -> properties.load(reader) }
+    repositories {
+        google()
+        mavenCentral()
+        gradlePluginPortal()
+    }
+}

-def flutterSdkPath = properties.getProperty("flutter.sdk")
-assert flutterSdkPath != null, "flutter.sdk not set in local.properties"
-apply from: "$flutterSdkPath/packages/flutter_tools/gradle/app_plugin_loader.gradle"
+plugins {
+    id "dev.flutter.flutter-plugin-loader" version "1.0.0"
+    id "com.android.application" version "7.4.2" apply false
+    id "org.jetbrains.kotlin.android" version "1.9.23" apply false
+    id "org.jetbrains.kotlin.kapt" version "1.9.23" apply false
+}
+
+include ":app"
--- a/mobile/assets/i18n/en-US.json
+++ b/mobile/assets/i18n/en-US.json
@@ -296,6 +296,7 @@
  "motion_photos_page_title": "Motion Photos",
  "multiselect_grid_edit_date_time_err_read_only": "Cannot edit date of read only asset(s), skipping",
  "multiselect_grid_edit_gps_err_read_only": "Cannot edit location of read only asset(s), skipping",
+  "no_assets_to_show" : "No assets to show",
  "notification_permission_dialog_cancel": "Cancel",
  "notification_permission_dialog_content": "To enable notifications, go to Settings and select allow.",
  "notification_permission_dialog_settings": "Settings",
--- a/mobile/assets/i18n/fr-FR.json
+++ b/mobile/assets/i18n/fr-FR.json
@@ -296,6 +296,7 @@
  "motion_photos_page_title": "Photos avec mouvement",
  "multiselect_grid_edit_date_time_err_read_only": "Impossible de modifier la date d'un élément d'actif en lecture seule.",
  "multiselect_grid_edit_gps_err_read_only": "Impossible de modifier l'emplacement d'un élément en lecture seule.",
+  "no_assets_to_show" : "Aucun élément à afficher",
  "notification_permission_dialog_cancel": "Annuler",
  "notification_permission_dialog_content": "Pour activer les notifications, allez dans Paramètres et sélectionnez Autoriser.",
  "notification_permission_dialog_settings": "Paramètres",
@@ -509,5 +510,7 @@
  "version_announcement_overlay_title": "Nouvelle version serveur disponible \uD83C\uDF89",
  "viewer_remove_from_stack": "Retirer de la pile",
  "viewer_stack_use_as_main_asset": "Utiliser comme élément principal",
-  "viewer_unstack": "Désempiler"
+  "viewer_unstack": "Désempiler",
+  "haptic_feedback_title": "Retour haptique",
+  "haptic_feedback_switch": "Activer le retour haptique"
 }
--- a/mobile/ios/Runner.xcodeproj/project.pbxproj
+++ b/mobile/ios/Runner.xcodeproj/project.pbxproj
@@ -383,7 +383,7 @@
 				CODE_SIGN_ENTITLEMENTS = Runner/RunnerProfile.entitlements;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 147;
+				CURRENT_PROJECT_VERSION = 150;
 				DEVELOPMENT_TEAM = 2F67MQ8R79;
 				ENABLE_BITCODE = NO;
 				INFOPLIST_FILE = Runner/Info.plist;
@@ -525,7 +525,7 @@
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 147;
+				CURRENT_PROJECT_VERSION = 150;
 				DEVELOPMENT_TEAM = 2F67MQ8R79;
 				ENABLE_BITCODE = NO;
 				INFOPLIST_FILE = Runner/Info.plist;
@@ -553,7 +553,7 @@
 				CLANG_ENABLE_MODULES = YES;
 				CODE_SIGN_IDENTITY = "Apple Development";
 				CODE_SIGN_STYLE = Automatic;
-				CURRENT_PROJECT_VERSION = 147;
+				CURRENT_PROJECT_VERSION = 150;
 				DEVELOPMENT_TEAM = 2F67MQ8R79;
 				ENABLE_BITCODE = NO;
 				INFOPLIST_FILE = Runner/Info.plist;
--- a/mobile/ios/Runner/Info.plist
+++ b/mobile/ios/Runner/Info.plist
@@ -58,11 +58,11 @@
    <key>CFBundlePackageType</key>
    <string>APPL</string>
    <key>CFBundleShortVersionString</key>
-    <string>1.101.0</string>
+    <string>1.102.2</string>
    <key>CFBundleSignature</key>
    <string>????</string>
    <key>CFBundleVersion</key>
-    <string>147</string>
+    <string>150</string>
    <key>FLTEnableImpeller</key>
    <true />
    <key>ITSAppUsesNonExemptEncryption</key>
--- a/mobile/ios/fastlane/Fastfile
+++ b/mobile/ios/fastlane/Fastfile
@@ -19,7 +19,7 @@ platform :ios do
  desc "iOS Beta"
  lane :beta do
    increment_version_number(
-      version_number: "1.102.0"
+      version_number: "1.102.3"
    )
    increment_build_number(
      build_number: latest_testflight_build_number + 1,
--- a/mobile/ios/fastlane/report.xml
+++ b/mobile/ios/fastlane/report.xml
@@ -5,32 +5,32 @@
    
    
      
-      <testcase classname="fastlane.lanes" name="0: default_platform" time="0.000242">
+      <testcase classname="fastlane.lanes" name="0: default_platform" time="0.000231">
        
      </testcase>
    
      
-      <testcase classname="fastlane.lanes" name="1: increment_version_number" time="0.761829">
+      <testcase classname="fastlane.lanes" name="1: increment_version_number" time="0.155919">
        
      </testcase>
    
      
-      <testcase classname="fastlane.lanes" name="2: latest_testflight_build_number" time="4.47461">
+      <testcase classname="fastlane.lanes" name="2: latest_testflight_build_number" time="4.252784">
        
      </testcase>
    
      
-      <testcase classname="fastlane.lanes" name="3: increment_build_number" time="0.179512">
+      <testcase classname="fastlane.lanes" name="3: increment_build_number" time="0.210502">
        
      </testcase>
    
      
-      <testcase classname="fastlane.lanes" name="4: build_app" time="165.636347">
+      <testcase classname="fastlane.lanes" name="4: build_app" time="175.813647">
        
      </testcase>
    
      
-      <testcase classname="fastlane.lanes" name="5: upload_to_testflight" time="77.651963">
+      <testcase classname="fastlane.lanes" name="5: upload_to_testflight" time="73.512517">
        
      </testcase>
    
--- a/mobile/lib/shared/ui/asset_grid/multiselect_grid.dart
+++ b/mobile/lib/shared/ui/asset_grid/multiselect_grid.dart
@@ -63,7 +63,7 @@ class MultiselectGrid extends HookConsumerWidget {
      const Center(child: ImmichLoadingIndicator());

  Widget buildEmptyIndicator() =>
-      emptyIndicator ?? const Center(child: Text("No assets to show"));
+      emptyIndicator ?? Center(child: const Text("no_assets_to_show").tr());

  @override
  Widget build(BuildContext context, WidgetRef ref) {
--- a/mobile/lib/shared/views/splash_screen.dart
+++ b/mobile/lib/shared/views/splash_screen.dart
@@ -25,7 +25,6 @@ class SplashScreenPage extends HookConsumerWidget {
    void performLoggingIn() async {
      bool isSuccess = false;
      bool deviceIsOffline = false;
-
      if (accessToken != null && serverUrl != null) {
        try {
          // Resolve API server endpoint from user provided serverUrl
@@ -51,11 +50,15 @@ class SplashScreenPage extends HookConsumerWidget {
                offlineLogin: deviceIsOffline,
              );
        } catch (error, stackTrace) {
+          ref.read(authenticationProvider.notifier).logout();
+
          log.severe(
            'Cannot set success login info',
            error,
            stackTrace,
          );
+
+          context.pushRoute(const LoginRoute());
        }
      }

@@ -73,11 +76,6 @@ class SplashScreenPage extends HookConsumerWidget {
        }
        context.replaceRoute(const TabControllerRoute());
      } else {
-        log.severe(
-          'Unable to login through offline or online methods - logging out completely',
-        );
-
-        ref.read(authenticationProvider.notifier).logout();
        // User was unable to login through either offline or online methods
        context.replaceRoute(const LoginRoute());
      }
--- a/mobile/openapi/.openapi-generator/FILES
+++ b/mobile/openapi/.openapi-generator/FILES
@@ -13,6 +13,7 @@ doc/ActivityCreateDto.md
 doc/ActivityResponseDto.md
 doc/ActivityStatisticsResponseDto.md
 doc/AddUsersDto.md
+doc/AdminOnboardingUpdateDto.md
 doc/AlbumApi.md
 doc/AlbumCountResponseDto.md
 doc/AlbumResponseDto.md
@@ -69,6 +70,7 @@ doc/FaceApi.md
 doc/FaceDto.md
 doc/FileChecksumDto.md
 doc/FileChecksumResponseDto.md
+doc/FileReportApi.md
 doc/FileReportDto.md
 doc/FileReportFixDto.md
 doc/FileReportItemDto.md
@@ -122,6 +124,7 @@ doc/QueueStatusDto.md
 doc/ReactionLevel.md
 doc/ReactionType.md
 doc/RecognitionConfig.md
+doc/ReverseGeocodingStateResponseDto.md
 doc/ScanLibraryDto.md
 doc/SearchAlbumResponseDto.md
 doc/SearchApi.md
@@ -173,6 +176,7 @@ doc/SystemConfigTemplateStorageOptionDto.md
 doc/SystemConfigThemeDto.md
 doc/SystemConfigTrashDto.md
 doc/SystemConfigUserDto.md
+doc/SystemMetadataApi.md
 doc/TagApi.md
 doc/TagResponseDto.md
 doc/TagTypeEnum.md
@@ -212,6 +216,7 @@ lib/api/audit_api.dart
 lib/api/authentication_api.dart
 lib/api/download_api.dart
 lib/api/face_api.dart
+lib/api/file_report_api.dart
 lib/api/job_api.dart
 lib/api/library_api.dart
 lib/api/memory_api.dart
@@ -224,6 +229,7 @@ lib/api/sessions_api.dart
 lib/api/shared_link_api.dart
 lib/api/sync_api.dart
 lib/api/system_config_api.dart
+lib/api/system_metadata_api.dart
 lib/api/tag_api.dart
 lib/api/timeline_api.dart
 lib/api/trash_api.dart
@@ -240,6 +246,7 @@ lib/model/activity_create_dto.dart
 lib/model/activity_response_dto.dart
 lib/model/activity_statistics_response_dto.dart
 lib/model/add_users_dto.dart
+lib/model/admin_onboarding_update_dto.dart
 lib/model/album_count_response_dto.dart
 lib/model/album_response_dto.dart
 lib/model/all_job_status_response_dto.dart
@@ -341,6 +348,7 @@ lib/model/queue_status_dto.dart
 lib/model/reaction_level.dart
 lib/model/reaction_type.dart
 lib/model/recognition_config.dart
+lib/model/reverse_geocoding_state_response_dto.dart
 lib/model/scan_library_dto.dart
 lib/model/search_album_response_dto.dart
 lib/model/search_asset_response_dto.dart
@@ -417,6 +425,7 @@ test/activity_create_dto_test.dart
 test/activity_response_dto_test.dart
 test/activity_statistics_response_dto_test.dart
 test/add_users_dto_test.dart
+test/admin_onboarding_update_dto_test.dart
 test/album_api_test.dart
 test/album_count_response_dto_test.dart
 test/album_response_dto_test.dart
@@ -478,6 +487,7 @@ test/face_api_test.dart
 test/face_dto_test.dart
 test/file_checksum_dto_test.dart
 test/file_checksum_response_dto_test.dart
+test/file_report_api_test.dart
 test/file_report_dto_test.dart
 test/file_report_fix_dto_test.dart
 test/file_report_item_dto_test.dart
@@ -531,6 +541,7 @@ test/queue_status_dto_test.dart
 test/reaction_level_test.dart
 test/reaction_type_test.dart
 test/recognition_config_test.dart
+test/reverse_geocoding_state_response_dto_test.dart
 test/scan_library_dto_test.dart
 test/search_album_response_dto_test.dart
 test/search_api_test.dart
@@ -582,6 +593,7 @@ test/system_config_template_storage_option_dto_test.dart
 test/system_config_theme_dto_test.dart
 test/system_config_trash_dto_test.dart
 test/system_config_user_dto_test.dart
+test/system_metadata_api_test.dart
 test/tag_api_test.dart
 test/tag_response_dto_test.dart
 test/tag_type_enum_test.dart
--- a/mobile/openapi/README.md
+++ b/mobile/openapi/README.md
@@ -3,7 +3,7 @@ Immich API

 This Dart package is automatically generated by the [OpenAPI Generator](https://openapi-generator.tech) project:

- API version: 1.102.0
+- API version: 1.102.3
 - Build package: org.openapitools.codegen.languages.DartClientCodegen

 ## Requirements
@@ -112,10 +112,7 @@ Class | Method | HTTP request | Description
 *AssetApi* | [**updateAssets**](doc//AssetApi.md#updateassets) | **PUT** /asset | 
 *AssetApi* | [**updateStackParent**](doc//AssetApi.md#updatestackparent) | **PUT** /asset/stack/parent | 
 *AssetApi* | [**uploadFile**](doc//AssetApi.md#uploadfile) | **POST** /asset/upload | 
-*AuditApi* | [**fixAuditFiles**](doc//AuditApi.md#fixauditfiles) | **POST** /audit/file-report/fix | 
 *AuditApi* | [**getAuditDeletes**](doc//AuditApi.md#getauditdeletes) | **GET** /audit/deletes | 
-*AuditApi* | [**getAuditFiles**](doc//AuditApi.md#getauditfiles) | **GET** /audit/file-report | 
-*AuditApi* | [**getFileChecksums**](doc//AuditApi.md#getfilechecksums) | **POST** /audit/file-report/checksum | 
 *AuthenticationApi* | [**changePassword**](doc//AuthenticationApi.md#changepassword) | **POST** /auth/change-password | 
 *AuthenticationApi* | [**login**](doc//AuthenticationApi.md#login) | **POST** /auth/login | 
 *AuthenticationApi* | [**logout**](doc//AuthenticationApi.md#logout) | **POST** /auth/logout | 
@@ -126,6 +123,9 @@ Class | Method | HTTP request | Description
 *DownloadApi* | [**getDownloadInfo**](doc//DownloadApi.md#getdownloadinfo) | **POST** /download/info | 
 *FaceApi* | [**getFaces**](doc//FaceApi.md#getfaces) | **GET** /face | 
 *FaceApi* | [**reassignFacesById**](doc//FaceApi.md#reassignfacesbyid) | **PUT** /face/{id} | 
+*FileReportApi* | [**fixAuditFiles**](doc//FileReportApi.md#fixauditfiles) | **POST** /report/fix | 
+*FileReportApi* | [**getAuditFiles**](doc//FileReportApi.md#getauditfiles) | **GET** /report | 
+*FileReportApi* | [**getFileChecksums**](doc//FileReportApi.md#getfilechecksums) | **POST** /report/checksum | 
 *JobApi* | [**getAllJobsStatus**](doc//JobApi.md#getalljobsstatus) | **GET** /jobs | 
 *JobApi* | [**sendJobCommand**](doc//JobApi.md#sendjobcommand) | **PUT** /jobs/{id} | 
 *LibraryApi* | [**createLibrary**](doc//LibraryApi.md#createlibrary) | **POST** /library | 
@@ -179,7 +179,6 @@ Class | Method | HTTP request | Description
 *ServerInfoApi* | [**getSupportedMediaTypes**](doc//ServerInfoApi.md#getsupportedmediatypes) | **GET** /server-info/media-types | 
 *ServerInfoApi* | [**getTheme**](doc//ServerInfoApi.md#gettheme) | **GET** /server-info/theme | 
 *ServerInfoApi* | [**pingServer**](doc//ServerInfoApi.md#pingserver) | **GET** /server-info/ping | 
-*ServerInfoApi* | [**setAdminOnboarding**](doc//ServerInfoApi.md#setadminonboarding) | **POST** /server-info/admin-onboarding | 
 *SessionsApi* | [**deleteAllSessions**](doc//SessionsApi.md#deleteallsessions) | **DELETE** /sessions | 
 *SessionsApi* | [**deleteSession**](doc//SessionsApi.md#deletesession) | **DELETE** /sessions/{id} | 
 *SessionsApi* | [**getSessions**](doc//SessionsApi.md#getsessions) | **GET** /sessions | 
@@ -198,6 +197,9 @@ Class | Method | HTTP request | Description
 *SystemConfigApi* | [**getMapStyle**](doc//SystemConfigApi.md#getmapstyle) | **GET** /system-config/map/style.json | 
 *SystemConfigApi* | [**getStorageTemplateOptions**](doc//SystemConfigApi.md#getstoragetemplateoptions) | **GET** /system-config/storage-template-options | 
 *SystemConfigApi* | [**updateConfig**](doc//SystemConfigApi.md#updateconfig) | **PUT** /system-config | 
+*SystemMetadataApi* | [**getAdminOnboarding**](doc//SystemMetadataApi.md#getadminonboarding) | **GET** /system-metadata/admin-onboarding | 
+*SystemMetadataApi* | [**getReverseGeocodingState**](doc//SystemMetadataApi.md#getreversegeocodingstate) | **GET** /system-metadata/reverse-geocoding-state | 
+*SystemMetadataApi* | [**updateAdminOnboarding**](doc//SystemMetadataApi.md#updateadminonboarding) | **POST** /system-metadata/admin-onboarding | 
 *TagApi* | [**createTag**](doc//TagApi.md#createtag) | **POST** /tag | 
 *TagApi* | [**deleteTag**](doc//TagApi.md#deletetag) | **DELETE** /tag/{id} | 
 *TagApi* | [**getAllTags**](doc//TagApi.md#getalltags) | **GET** /tag | 
@@ -233,6 +235,7 @@ Class | Method | HTTP request | Description
 - [ActivityResponseDto](doc//ActivityResponseDto.md)
 - [ActivityStatisticsResponseDto](doc//ActivityStatisticsResponseDto.md)
 - [AddUsersDto](doc//AddUsersDto.md)
+ - [AdminOnboardingUpdateDto](doc//AdminOnboardingUpdateDto.md)
 - [AlbumCountResponseDto](doc//AlbumCountResponseDto.md)
 - [AlbumResponseDto](doc//AlbumResponseDto.md)
 - [AllJobStatusResponseDto](doc//AllJobStatusResponseDto.md)
@@ -330,6 +333,7 @@ Class | Method | HTTP request | Description
 - [ReactionLevel](doc//ReactionLevel.md)
 - [ReactionType](doc//ReactionType.md)
 - [RecognitionConfig](doc//RecognitionConfig.md)
+ - [ReverseGeocodingStateResponseDto](doc//ReverseGeocodingStateResponseDto.md)
 - [ScanLibraryDto](doc//ScanLibraryDto.md)
 - [SearchAlbumResponseDto](doc//SearchAlbumResponseDto.md)
 - [SearchAssetResponseDto](doc//SearchAssetResponseDto.md)
--- a/mobile/openapi/doc/AdminOnboardingUpdateDto.md
+++ b/mobile/openapi/doc/AdminOnboardingUpdateDto.md
@@ -0,0 +1,15 @@
+# openapi.model.AdminOnboardingUpdateDto
+
+## Load the model package
+```dart
+import 'package:openapi/api.dart';
+```
+
+## Properties
+Name | Type | Description | Notes
+------------ | ------------- | ------------- | -------------
+**isOnboarded** | **bool** |  | 
+
+[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+
+
--- a/mobile/openapi/doc/AuditApi.md
+++ b/mobile/openapi/doc/AuditApi.md
@@ -9,66 +9,9 @@ All URIs are relative to */api*

 Method | HTTP request | Description
 ------------- | ------------- | -------------
-[**fixAuditFiles**](AuditApi.md#fixauditfiles) | **POST** /audit/file-report/fix | 
 [**getAuditDeletes**](AuditApi.md#getauditdeletes) | **GET** /audit/deletes | 
-[**getAuditFiles**](AuditApi.md#getauditfiles) | **GET** /audit/file-report | 
-[**getFileChecksums**](AuditApi.md#getfilechecksums) | **POST** /audit/file-report/checksum | 


-# **fixAuditFiles**
-> fixAuditFiles(fileReportFixDto)
-
-
-
-### Example
-```dart
-import 'package:openapi/api.dart';
-// TODO Configure API key authorization: cookie
-//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKey = 'YOUR_API_KEY';
-// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
-//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKeyPrefix = 'Bearer';
-// TODO Configure API key authorization: api_key
-//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKey = 'YOUR_API_KEY';
-// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
-//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKeyPrefix = 'Bearer';
-// TODO Configure HTTP Bearer authorization: bearer
-// Case 1. Use String Token
-//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken('YOUR_ACCESS_TOKEN');
-// Case 2. Use Function which generate token.
-// String yourTokenGeneratorFunction() { ... }
-//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken(yourTokenGeneratorFunction);
-
-final api_instance = AuditApi();
-final fileReportFixDto = FileReportFixDto(); // FileReportFixDto | 
-
-try {
-    api_instance.fixAuditFiles(fileReportFixDto);
-} catch (e) {
-    print('Exception when calling AuditApi->fixAuditFiles: $e\n');
-}
-```
-
-### Parameters
-
-Name | Type | Description  | Notes
------------- | ------------- | ------------- | -------------
- **fileReportFixDto** | [**FileReportFixDto**](FileReportFixDto.md)|  | 
-
-### Return type
-
-void (empty response body)
-
-### Authorization
-
-[cookie](../README.md#cookie), [api_key](../README.md#api_key), [bearer](../README.md#bearer)
-
-### HTTP request headers
-
- - **Content-Type**: application/json
- - **Accept**: Not defined
-
-[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
-
 # **getAuditDeletes**
 > AuditDeletesResponseDto getAuditDeletes(after, entityType, userId)

@@ -128,109 +71,3 @@ Name | Type | Description  | Notes

 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)

-# **getAuditFiles**
-> FileReportDto getAuditFiles()
-
-
-
-### Example
-```dart
-import 'package:openapi/api.dart';
-// TODO Configure API key authorization: cookie
-//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKey = 'YOUR_API_KEY';
-// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
-//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKeyPrefix = 'Bearer';
-// TODO Configure API key authorization: api_key
-//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKey = 'YOUR_API_KEY';
-// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
-//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKeyPrefix = 'Bearer';
-// TODO Configure HTTP Bearer authorization: bearer
-// Case 1. Use String Token
-//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken('YOUR_ACCESS_TOKEN');
-// Case 2. Use Function which generate token.
-// String yourTokenGeneratorFunction() { ... }
-//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken(yourTokenGeneratorFunction);
-
-final api_instance = AuditApi();
-
-try {
-    final result = api_instance.getAuditFiles();
-    print(result);
-} catch (e) {
-    print('Exception when calling AuditApi->getAuditFiles: $e\n');
-}
-```
-
-### Parameters
-This endpoint does not need any parameter.
-
-### Return type
-
-[**FileReportDto**](FileReportDto.md)
-
-### Authorization
-
-[cookie](../README.md#cookie), [api_key](../README.md#api_key), [bearer](../README.md#bearer)
-
-### HTTP request headers
-
- - **Content-Type**: Not defined
- - **Accept**: application/json
-
-[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
-
-# **getFileChecksums**
-> List<FileChecksumResponseDto> getFileChecksums(fileChecksumDto)
-
-
-
-### Example
-```dart
-import 'package:openapi/api.dart';
-// TODO Configure API key authorization: cookie
-//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKey = 'YOUR_API_KEY';
-// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
-//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKeyPrefix = 'Bearer';
-// TODO Configure API key authorization: api_key
-//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKey = 'YOUR_API_KEY';
-// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
-//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKeyPrefix = 'Bearer';
-// TODO Configure HTTP Bearer authorization: bearer
-// Case 1. Use String Token
-//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken('YOUR_ACCESS_TOKEN');
-// Case 2. Use Function which generate token.
-// String yourTokenGeneratorFunction() { ... }
-//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken(yourTokenGeneratorFunction);
-
-final api_instance = AuditApi();
-final fileChecksumDto = FileChecksumDto(); // FileChecksumDto | 
-
-try {
-    final result = api_instance.getFileChecksums(fileChecksumDto);
-    print(result);
-} catch (e) {
-    print('Exception when calling AuditApi->getFileChecksums: $e\n');
-}
-```
-
-### Parameters
-
-Name | Type | Description  | Notes
------------- | ------------- | ------------- | -------------
- **fileChecksumDto** | [**FileChecksumDto**](FileChecksumDto.md)|  | 
-
-### Return type
-
-[**List<FileChecksumResponseDto>**](FileChecksumResponseDto.md)
-
-### Authorization
-
-[cookie](../README.md#cookie), [api_key](../README.md#api_key), [bearer](../README.md#bearer)
-
-### HTTP request headers
-
- - **Content-Type**: application/json
- - **Accept**: application/json
-
-[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
-
--- a/mobile/openapi/doc/FileReportApi.md
+++ b/mobile/openapi/doc/FileReportApi.md
@@ -0,0 +1,176 @@
+# openapi.api.FileReportApi
+
+## Load the API package
+```dart
+import 'package:openapi/api.dart';
+```
+
+All URIs are relative to */api*
+
+Method | HTTP request | Description
+------------- | ------------- | -------------
+[**fixAuditFiles**](FileReportApi.md#fixauditfiles) | **POST** /report/fix | 
+[**getAuditFiles**](FileReportApi.md#getauditfiles) | **GET** /report | 
+[**getFileChecksums**](FileReportApi.md#getfilechecksums) | **POST** /report/checksum | 
+
+
+# **fixAuditFiles**
+> fixAuditFiles(fileReportFixDto)
+
+
+
+### Example
+```dart
+import 'package:openapi/api.dart';
+// TODO Configure API key authorization: cookie
+//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKey = 'YOUR_API_KEY';
+// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKeyPrefix = 'Bearer';
+// TODO Configure API key authorization: api_key
+//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKey = 'YOUR_API_KEY';
+// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKeyPrefix = 'Bearer';
+// TODO Configure HTTP Bearer authorization: bearer
+// Case 1. Use String Token
+//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken('YOUR_ACCESS_TOKEN');
+// Case 2. Use Function which generate token.
+// String yourTokenGeneratorFunction() { ... }
+//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken(yourTokenGeneratorFunction);
+
+final api_instance = FileReportApi();
+final fileReportFixDto = FileReportFixDto(); // FileReportFixDto | 
+
+try {
+    api_instance.fixAuditFiles(fileReportFixDto);
+} catch (e) {
+    print('Exception when calling FileReportApi->fixAuditFiles: $e\n');
+}
+```
+
+### Parameters
+
+Name | Type | Description  | Notes
+------------- | ------------- | ------------- | -------------
+ **fileReportFixDto** | [**FileReportFixDto**](FileReportFixDto.md)|  | 
+
+### Return type
+
+void (empty response body)
+
+### Authorization
+
+[cookie](../README.md#cookie), [api_key](../README.md#api_key), [bearer](../README.md#bearer)
+
+### HTTP request headers
+
+ - **Content-Type**: application/json
+ - **Accept**: Not defined
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
+# **getAuditFiles**
+> FileReportDto getAuditFiles()
+
+
+
+### Example
+```dart
+import 'package:openapi/api.dart';
+// TODO Configure API key authorization: cookie
+//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKey = 'YOUR_API_KEY';
+// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKeyPrefix = 'Bearer';
+// TODO Configure API key authorization: api_key
+//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKey = 'YOUR_API_KEY';
+// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKeyPrefix = 'Bearer';
+// TODO Configure HTTP Bearer authorization: bearer
+// Case 1. Use String Token
+//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken('YOUR_ACCESS_TOKEN');
+// Case 2. Use Function which generate token.
+// String yourTokenGeneratorFunction() { ... }
+//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken(yourTokenGeneratorFunction);
+
+final api_instance = FileReportApi();
+
+try {
+    final result = api_instance.getAuditFiles();
+    print(result);
+} catch (e) {
+    print('Exception when calling FileReportApi->getAuditFiles: $e\n');
+}
+```
+
+### Parameters
+This endpoint does not need any parameter.
+
+### Return type
+
+[**FileReportDto**](FileReportDto.md)
+
+### Authorization
+
+[cookie](../README.md#cookie), [api_key](../README.md#api_key), [bearer](../README.md#bearer)
+
+### HTTP request headers
+
+ - **Content-Type**: Not defined
+ - **Accept**: application/json
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
+# **getFileChecksums**
+> List<FileChecksumResponseDto> getFileChecksums(fileChecksumDto)
+
+
+
+### Example
+```dart
+import 'package:openapi/api.dart';
+// TODO Configure API key authorization: cookie
+//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKey = 'YOUR_API_KEY';
+// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKeyPrefix = 'Bearer';
+// TODO Configure API key authorization: api_key
+//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKey = 'YOUR_API_KEY';
+// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKeyPrefix = 'Bearer';
+// TODO Configure HTTP Bearer authorization: bearer
+// Case 1. Use String Token
+//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken('YOUR_ACCESS_TOKEN');
+// Case 2. Use Function which generate token.
+// String yourTokenGeneratorFunction() { ... }
+//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken(yourTokenGeneratorFunction);
+
+final api_instance = FileReportApi();
+final fileChecksumDto = FileChecksumDto(); // FileChecksumDto | 
+
+try {
+    final result = api_instance.getFileChecksums(fileChecksumDto);
+    print(result);
+} catch (e) {
+    print('Exception when calling FileReportApi->getFileChecksums: $e\n');
+}
+```
+
+### Parameters
+
+Name | Type | Description  | Notes
+------------- | ------------- | ------------- | -------------
+ **fileChecksumDto** | [**FileChecksumDto**](FileChecksumDto.md)|  | 
+
+### Return type
+
+[**List<FileChecksumResponseDto>**](FileChecksumResponseDto.md)
+
+### Authorization
+
+[cookie](../README.md#cookie), [api_key](../README.md#api_key), [bearer](../README.md#bearer)
+
+### HTTP request headers
+
+ - **Content-Type**: application/json
+ - **Accept**: application/json
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
--- a/mobile/openapi/doc/ReverseGeocodingStateResponseDto.md
+++ b/mobile/openapi/doc/ReverseGeocodingStateResponseDto.md
@@ -0,0 +1,16 @@
+# openapi.model.ReverseGeocodingStateResponseDto
+
+## Load the model package
+```dart
+import 'package:openapi/api.dart';
+```
+
+## Properties
+Name | Type | Description | Notes
+------------ | ------------- | ------------- | -------------
+**lastImportFileName** | **String** |  | 
+**lastUpdate** | **String** |  | 
+
+[[Back to Model list]](../README.md#documentation-for-models) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to README]](../README.md)
+
+
--- a/mobile/openapi/doc/ServerInfoApi.md
+++ b/mobile/openapi/doc/ServerInfoApi.md
@@ -17,7 +17,6 @@ Method | HTTP request | Description
 [**getSupportedMediaTypes**](ServerInfoApi.md#getsupportedmediatypes) | **GET** /server-info/media-types | 
 [**getTheme**](ServerInfoApi.md#gettheme) | **GET** /server-info/theme | 
 [**pingServer**](ServerInfoApi.md#pingserver) | **GET** /server-info/ping | 
-[**setAdminOnboarding**](ServerInfoApi.md#setadminonboarding) | **POST** /server-info/admin-onboarding | 


 # **getServerConfig**
@@ -344,53 +343,3 @@ No authorization required

 [[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)

-# **setAdminOnboarding**
-> setAdminOnboarding()
-
-
-
-### Example
-```dart
-import 'package:openapi/api.dart';
-// TODO Configure API key authorization: cookie
-//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKey = 'YOUR_API_KEY';
-// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
-//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKeyPrefix = 'Bearer';
-// TODO Configure API key authorization: api_key
-//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKey = 'YOUR_API_KEY';
-// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
-//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKeyPrefix = 'Bearer';
-// TODO Configure HTTP Bearer authorization: bearer
-// Case 1. Use String Token
-//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken('YOUR_ACCESS_TOKEN');
-// Case 2. Use Function which generate token.
-// String yourTokenGeneratorFunction() { ... }
-//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken(yourTokenGeneratorFunction);
-
-final api_instance = ServerInfoApi();
-
-try {
-    api_instance.setAdminOnboarding();
-} catch (e) {
-    print('Exception when calling ServerInfoApi->setAdminOnboarding: $e\n');
-}
-```
-
-### Parameters
-This endpoint does not need any parameter.
-
-### Return type
-
-void (empty response body)
-
-### Authorization
-
-[cookie](../README.md#cookie), [api_key](../README.md#api_key), [bearer](../README.md#bearer)
-
-### HTTP request headers
-
- - **Content-Type**: Not defined
- - **Accept**: Not defined
-
-[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
-
--- a/mobile/openapi/doc/SystemMetadataApi.md
+++ b/mobile/openapi/doc/SystemMetadataApi.md
@@ -0,0 +1,172 @@
+# openapi.api.SystemMetadataApi
+
+## Load the API package
+```dart
+import 'package:openapi/api.dart';
+```
+
+All URIs are relative to */api*
+
+Method | HTTP request | Description
+------------- | ------------- | -------------
+[**getAdminOnboarding**](SystemMetadataApi.md#getadminonboarding) | **GET** /system-metadata/admin-onboarding | 
+[**getReverseGeocodingState**](SystemMetadataApi.md#getreversegeocodingstate) | **GET** /system-metadata/reverse-geocoding-state | 
+[**updateAdminOnboarding**](SystemMetadataApi.md#updateadminonboarding) | **POST** /system-metadata/admin-onboarding | 
+
+
+# **getAdminOnboarding**
+> AdminOnboardingUpdateDto getAdminOnboarding()
+
+
+
+### Example
+```dart
+import 'package:openapi/api.dart';
+// TODO Configure API key authorization: cookie
+//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKey = 'YOUR_API_KEY';
+// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKeyPrefix = 'Bearer';
+// TODO Configure API key authorization: api_key
+//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKey = 'YOUR_API_KEY';
+// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKeyPrefix = 'Bearer';
+// TODO Configure HTTP Bearer authorization: bearer
+// Case 1. Use String Token
+//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken('YOUR_ACCESS_TOKEN');
+// Case 2. Use Function which generate token.
+// String yourTokenGeneratorFunction() { ... }
+//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken(yourTokenGeneratorFunction);
+
+final api_instance = SystemMetadataApi();
+
+try {
+    final result = api_instance.getAdminOnboarding();
+    print(result);
+} catch (e) {
+    print('Exception when calling SystemMetadataApi->getAdminOnboarding: $e\n');
+}
+```
+
+### Parameters
+This endpoint does not need any parameter.
+
+### Return type
+
+[**AdminOnboardingUpdateDto**](AdminOnboardingUpdateDto.md)
+
+### Authorization
+
+[cookie](../README.md#cookie), [api_key](../README.md#api_key), [bearer](../README.md#bearer)
+
+### HTTP request headers
+
+ - **Content-Type**: Not defined
+ - **Accept**: application/json
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
+# **getReverseGeocodingState**
+> ReverseGeocodingStateResponseDto getReverseGeocodingState()
+
+
+
+### Example
+```dart
+import 'package:openapi/api.dart';
+// TODO Configure API key authorization: cookie
+//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKey = 'YOUR_API_KEY';
+// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKeyPrefix = 'Bearer';
+// TODO Configure API key authorization: api_key
+//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKey = 'YOUR_API_KEY';
+// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKeyPrefix = 'Bearer';
+// TODO Configure HTTP Bearer authorization: bearer
+// Case 1. Use String Token
+//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken('YOUR_ACCESS_TOKEN');
+// Case 2. Use Function which generate token.
+// String yourTokenGeneratorFunction() { ... }
+//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken(yourTokenGeneratorFunction);
+
+final api_instance = SystemMetadataApi();
+
+try {
+    final result = api_instance.getReverseGeocodingState();
+    print(result);
+} catch (e) {
+    print('Exception when calling SystemMetadataApi->getReverseGeocodingState: $e\n');
+}
+```
+
+### Parameters
+This endpoint does not need any parameter.
+
+### Return type
+
+[**ReverseGeocodingStateResponseDto**](ReverseGeocodingStateResponseDto.md)
+
+### Authorization
+
+[cookie](../README.md#cookie), [api_key](../README.md#api_key), [bearer](../README.md#bearer)
+
+### HTTP request headers
+
+ - **Content-Type**: Not defined
+ - **Accept**: application/json
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
+# **updateAdminOnboarding**
+> updateAdminOnboarding(adminOnboardingUpdateDto)
+
+
+
+### Example
+```dart
+import 'package:openapi/api.dart';
+// TODO Configure API key authorization: cookie
+//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKey = 'YOUR_API_KEY';
+// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+//defaultApiClient.getAuthentication<ApiKeyAuth>('cookie').apiKeyPrefix = 'Bearer';
+// TODO Configure API key authorization: api_key
+//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKey = 'YOUR_API_KEY';
+// uncomment below to setup prefix (e.g. Bearer) for API key, if needed
+//defaultApiClient.getAuthentication<ApiKeyAuth>('api_key').apiKeyPrefix = 'Bearer';
+// TODO Configure HTTP Bearer authorization: bearer
+// Case 1. Use String Token
+//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken('YOUR_ACCESS_TOKEN');
+// Case 2. Use Function which generate token.
+// String yourTokenGeneratorFunction() { ... }
+//defaultApiClient.getAuthentication<HttpBearerAuth>('bearer').setAccessToken(yourTokenGeneratorFunction);
+
+final api_instance = SystemMetadataApi();
+final adminOnboardingUpdateDto = AdminOnboardingUpdateDto(); // AdminOnboardingUpdateDto | 
+
+try {
+    api_instance.updateAdminOnboarding(adminOnboardingUpdateDto);
+} catch (e) {
+    print('Exception when calling SystemMetadataApi->updateAdminOnboarding: $e\n');
+}
+```
+
+### Parameters
+
+Name | Type | Description  | Notes
+------------- | ------------- | ------------- | -------------
+ **adminOnboardingUpdateDto** | [**AdminOnboardingUpdateDto**](AdminOnboardingUpdateDto.md)|  | 
+
+### Return type
+
+void (empty response body)
+
+### Authorization
+
+[cookie](../README.md#cookie), [api_key](../README.md#api_key), [bearer](../README.md#bearer)
+
+### HTTP request headers
+
+ - **Content-Type**: application/json
+ - **Accept**: Not defined
+
+[[Back to top]](#) [[Back to API list]](../README.md#documentation-for-api-endpoints) [[Back to Model list]](../README.md#documentation-for-models) [[Back to README]](../README.md)
+
--- a/mobile/openapi/lib/api.dart
+++ b/mobile/openapi/lib/api.dart
@@ -37,6 +37,7 @@ part 'api/audit_api.dart';
 part 'api/authentication_api.dart';
 part 'api/download_api.dart';
 part 'api/face_api.dart';
+part 'api/file_report_api.dart';
 part 'api/job_api.dart';
 part 'api/library_api.dart';
 part 'api/memory_api.dart';
@@ -49,6 +50,7 @@ part 'api/sessions_api.dart';
 part 'api/shared_link_api.dart';
 part 'api/sync_api.dart';
 part 'api/system_config_api.dart';
+part 'api/system_metadata_api.dart';
 part 'api/tag_api.dart';
 part 'api/timeline_api.dart';
 part 'api/trash_api.dart';
@@ -62,6 +64,7 @@ part 'model/activity_create_dto.dart';
 part 'model/activity_response_dto.dart';
 part 'model/activity_statistics_response_dto.dart';
 part 'model/add_users_dto.dart';
+part 'model/admin_onboarding_update_dto.dart';
 part 'model/album_count_response_dto.dart';
 part 'model/album_response_dto.dart';
 part 'model/all_job_status_response_dto.dart';
@@ -159,6 +162,7 @@ part 'model/queue_status_dto.dart';
 part 'model/reaction_level.dart';
 part 'model/reaction_type.dart';
 part 'model/recognition_config.dart';
+part 'model/reverse_geocoding_state_response_dto.dart';
 part 'model/scan_library_dto.dart';
 part 'model/search_album_response_dto.dart';
 part 'model/search_asset_response_dto.dart';
--- a/mobile/openapi/lib/api/audit_api.dart
+++ b/mobile/openapi/lib/api/audit_api.dart
@@ -16,45 +16,6 @@ class AuditApi {

  final ApiClient apiClient;

-  /// Performs an HTTP 'POST /audit/file-report/fix' operation and returns the [Response].
-  /// Parameters:
-  ///
-  /// * [FileReportFixDto] fileReportFixDto (required):
-  Future<Response> fixAuditFilesWithHttpInfo(FileReportFixDto fileReportFixDto,) async {
-    // ignore: prefer_const_declarations
-    final path = r'/audit/file-report/fix';
-
-    // ignore: prefer_final_locals
-    Object? postBody = fileReportFixDto;
-
-    final queryParams = <QueryParam>[];
-    final headerParams = <String, String>{};
-    final formParams = <String, String>{};
-
-    const contentTypes = <String>['application/json'];
-
-
-    return apiClient.invokeAPI(
-      path,
-      'POST',
-      queryParams,
-      postBody,
-      headerParams,
-      formParams,
-      contentTypes.isEmpty ? null : contentTypes.first,
-    );
-  }
-
-  /// Parameters:
-  ///
-  /// * [FileReportFixDto] fileReportFixDto (required):
-  Future<void> fixAuditFiles(FileReportFixDto fileReportFixDto,) async {
-    final response = await fixAuditFilesWithHttpInfo(fileReportFixDto,);
-    if (response.statusCode >= HttpStatus.badRequest) {
-      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
-    }
-  }
-
  /// Performs an HTTP 'GET /audit/deletes' operation and returns the [Response].
  /// Parameters:
  ///
@@ -115,95 +76,4 @@ class AuditApi {
    }
    return null;
  }
-
-  /// Performs an HTTP 'GET /audit/file-report' operation and returns the [Response].
-  Future<Response> getAuditFilesWithHttpInfo() async {
-    // ignore: prefer_const_declarations
-    final path = r'/audit/file-report';
-
-    // ignore: prefer_final_locals
-    Object? postBody;
-
-    final queryParams = <QueryParam>[];
-    final headerParams = <String, String>{};
-    final formParams = <String, String>{};
-
-    const contentTypes = <String>[];
-
-
-    return apiClient.invokeAPI(
-      path,
-      'GET',
-      queryParams,
-      postBody,
-      headerParams,
-      formParams,
-      contentTypes.isEmpty ? null : contentTypes.first,
-    );
-  }
-
-  Future<FileReportDto?> getAuditFiles() async {
-    final response = await getAuditFilesWithHttpInfo();
-    if (response.statusCode >= HttpStatus.badRequest) {
-      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
-    }
-    // When a remote server returns no body with a status of 204, we shall not decode it.
-    // At the time of writing this, `dart:convert` will throw an "Unexpected end of input"
-    // FormatException when trying to decode an empty string.
-    if (response.body.isNotEmpty && response.statusCode != HttpStatus.noContent) {
-      return await apiClient.deserializeAsync(await _decodeBodyBytes(response), 'FileReportDto',) as FileReportDto;
-    
-    }
-    return null;
-  }
-
-  /// Performs an HTTP 'POST /audit/file-report/checksum' operation and returns the [Response].
-  /// Parameters:
-  ///
-  /// * [FileChecksumDto] fileChecksumDto (required):
-  Future<Response> getFileChecksumsWithHttpInfo(FileChecksumDto fileChecksumDto,) async {
-    // ignore: prefer_const_declarations
-    final path = r'/audit/file-report/checksum';
-
-    // ignore: prefer_final_locals
-    Object? postBody = fileChecksumDto;
-
-    final queryParams = <QueryParam>[];
-    final headerParams = <String, String>{};
-    final formParams = <String, String>{};
-
-    const contentTypes = <String>['application/json'];
-
-
-    return apiClient.invokeAPI(
-      path,
-      'POST',
-      queryParams,
-      postBody,
-      headerParams,
-      formParams,
-      contentTypes.isEmpty ? null : contentTypes.first,
-    );
-  }
-
-  /// Parameters:
-  ///
-  /// * [FileChecksumDto] fileChecksumDto (required):
-  Future<List<FileChecksumResponseDto>?> getFileChecksums(FileChecksumDto fileChecksumDto,) async {
-    final response = await getFileChecksumsWithHttpInfo(fileChecksumDto,);
-    if (response.statusCode >= HttpStatus.badRequest) {
-      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
-    }
-    // When a remote server returns no body with a status of 204, we shall not decode it.
-    // At the time of writing this, `dart:convert` will throw an "Unexpected end of input"
-    // FormatException when trying to decode an empty string.
-    if (response.body.isNotEmpty && response.statusCode != HttpStatus.noContent) {
-      final responseBody = await _decodeBodyBytes(response);
-      return (await apiClient.deserializeAsync(responseBody, 'List<FileChecksumResponseDto>') as List)
-        .cast<FileChecksumResponseDto>()
-        .toList(growable: false);
-
-    }
-    return null;
-  }
 }
--- a/mobile/openapi/lib/api/file_report_api.dart
+++ b/mobile/openapi/lib/api/file_report_api.dart
@@ -0,0 +1,148 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.12
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+part of openapi.api;
+
+
+class FileReportApi {
+  FileReportApi([ApiClient? apiClient]) : apiClient = apiClient ?? defaultApiClient;
+
+  final ApiClient apiClient;
+
+  /// Performs an HTTP 'POST /report/fix' operation and returns the [Response].
+  /// Parameters:
+  ///
+  /// * [FileReportFixDto] fileReportFixDto (required):
+  Future<Response> fixAuditFilesWithHttpInfo(FileReportFixDto fileReportFixDto,) async {
+    // ignore: prefer_const_declarations
+    final path = r'/report/fix';
+
+    // ignore: prefer_final_locals
+    Object? postBody = fileReportFixDto;
+
+    final queryParams = <QueryParam>[];
+    final headerParams = <String, String>{};
+    final formParams = <String, String>{};
+
+    const contentTypes = <String>['application/json'];
+
+
+    return apiClient.invokeAPI(
+      path,
+      'POST',
+      queryParams,
+      postBody,
+      headerParams,
+      formParams,
+      contentTypes.isEmpty ? null : contentTypes.first,
+    );
+  }
+
+  /// Parameters:
+  ///
+  /// * [FileReportFixDto] fileReportFixDto (required):
+  Future<void> fixAuditFiles(FileReportFixDto fileReportFixDto,) async {
+    final response = await fixAuditFilesWithHttpInfo(fileReportFixDto,);
+    if (response.statusCode >= HttpStatus.badRequest) {
+      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
+    }
+  }
+
+  /// Performs an HTTP 'GET /report' operation and returns the [Response].
+  Future<Response> getAuditFilesWithHttpInfo() async {
+    // ignore: prefer_const_declarations
+    final path = r'/report';
+
+    // ignore: prefer_final_locals
+    Object? postBody;
+
+    final queryParams = <QueryParam>[];
+    final headerParams = <String, String>{};
+    final formParams = <String, String>{};
+
+    const contentTypes = <String>[];
+
+
+    return apiClient.invokeAPI(
+      path,
+      'GET',
+      queryParams,
+      postBody,
+      headerParams,
+      formParams,
+      contentTypes.isEmpty ? null : contentTypes.first,
+    );
+  }
+
+  Future<FileReportDto?> getAuditFiles() async {
+    final response = await getAuditFilesWithHttpInfo();
+    if (response.statusCode >= HttpStatus.badRequest) {
+      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
+    }
+    // When a remote server returns no body with a status of 204, we shall not decode it.
+    // At the time of writing this, `dart:convert` will throw an "Unexpected end of input"
+    // FormatException when trying to decode an empty string.
+    if (response.body.isNotEmpty && response.statusCode != HttpStatus.noContent) {
+      return await apiClient.deserializeAsync(await _decodeBodyBytes(response), 'FileReportDto',) as FileReportDto;
+    
+    }
+    return null;
+  }
+
+  /// Performs an HTTP 'POST /report/checksum' operation and returns the [Response].
+  /// Parameters:
+  ///
+  /// * [FileChecksumDto] fileChecksumDto (required):
+  Future<Response> getFileChecksumsWithHttpInfo(FileChecksumDto fileChecksumDto,) async {
+    // ignore: prefer_const_declarations
+    final path = r'/report/checksum';
+
+    // ignore: prefer_final_locals
+    Object? postBody = fileChecksumDto;
+
+    final queryParams = <QueryParam>[];
+    final headerParams = <String, String>{};
+    final formParams = <String, String>{};
+
+    const contentTypes = <String>['application/json'];
+
+
+    return apiClient.invokeAPI(
+      path,
+      'POST',
+      queryParams,
+      postBody,
+      headerParams,
+      formParams,
+      contentTypes.isEmpty ? null : contentTypes.first,
+    );
+  }
+
+  /// Parameters:
+  ///
+  /// * [FileChecksumDto] fileChecksumDto (required):
+  Future<List<FileChecksumResponseDto>?> getFileChecksums(FileChecksumDto fileChecksumDto,) async {
+    final response = await getFileChecksumsWithHttpInfo(fileChecksumDto,);
+    if (response.statusCode >= HttpStatus.badRequest) {
+      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
+    }
+    // When a remote server returns no body with a status of 204, we shall not decode it.
+    // At the time of writing this, `dart:convert` will throw an "Unexpected end of input"
+    // FormatException when trying to decode an empty string.
+    if (response.body.isNotEmpty && response.statusCode != HttpStatus.noContent) {
+      final responseBody = await _decodeBodyBytes(response);
+      return (await apiClient.deserializeAsync(responseBody, 'List<FileChecksumResponseDto>') as List)
+        .cast<FileChecksumResponseDto>()
+        .toList(growable: false);
+
+    }
+    return null;
+  }
+}
--- a/mobile/openapi/lib/api/server_info_api.dart
+++ b/mobile/openapi/lib/api/server_info_api.dart
@@ -343,37 +343,4 @@ class ServerInfoApi {
    }
    return null;
  }
-
-  /// Performs an HTTP 'POST /server-info/admin-onboarding' operation and returns the [Response].
-  Future<Response> setAdminOnboardingWithHttpInfo() async {
-    // ignore: prefer_const_declarations
-    final path = r'/server-info/admin-onboarding';
-
-    // ignore: prefer_final_locals
-    Object? postBody;
-
-    final queryParams = <QueryParam>[];
-    final headerParams = <String, String>{};
-    final formParams = <String, String>{};
-
-    const contentTypes = <String>[];
-
-
-    return apiClient.invokeAPI(
-      path,
-      'POST',
-      queryParams,
-      postBody,
-      headerParams,
-      formParams,
-      contentTypes.isEmpty ? null : contentTypes.first,
-    );
-  }
-
-  Future<void> setAdminOnboarding() async {
-    final response = await setAdminOnboardingWithHttpInfo();
-    if (response.statusCode >= HttpStatus.badRequest) {
-      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
-    }
-  }
 }
--- a/mobile/openapi/lib/api/system_metadata_api.dart
+++ b/mobile/openapi/lib/api/system_metadata_api.dart
@@ -0,0 +1,139 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.12
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+part of openapi.api;
+
+
+class SystemMetadataApi {
+  SystemMetadataApi([ApiClient? apiClient]) : apiClient = apiClient ?? defaultApiClient;
+
+  final ApiClient apiClient;
+
+  /// Performs an HTTP 'GET /system-metadata/admin-onboarding' operation and returns the [Response].
+  Future<Response> getAdminOnboardingWithHttpInfo() async {
+    // ignore: prefer_const_declarations
+    final path = r'/system-metadata/admin-onboarding';
+
+    // ignore: prefer_final_locals
+    Object? postBody;
+
+    final queryParams = <QueryParam>[];
+    final headerParams = <String, String>{};
+    final formParams = <String, String>{};
+
+    const contentTypes = <String>[];
+
+
+    return apiClient.invokeAPI(
+      path,
+      'GET',
+      queryParams,
+      postBody,
+      headerParams,
+      formParams,
+      contentTypes.isEmpty ? null : contentTypes.first,
+    );
+  }
+
+  Future<AdminOnboardingUpdateDto?> getAdminOnboarding() async {
+    final response = await getAdminOnboardingWithHttpInfo();
+    if (response.statusCode >= HttpStatus.badRequest) {
+      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
+    }
+    // When a remote server returns no body with a status of 204, we shall not decode it.
+    // At the time of writing this, `dart:convert` will throw an "Unexpected end of input"
+    // FormatException when trying to decode an empty string.
+    if (response.body.isNotEmpty && response.statusCode != HttpStatus.noContent) {
+      return await apiClient.deserializeAsync(await _decodeBodyBytes(response), 'AdminOnboardingUpdateDto',) as AdminOnboardingUpdateDto;
+    
+    }
+    return null;
+  }
+
+  /// Performs an HTTP 'GET /system-metadata/reverse-geocoding-state' operation and returns the [Response].
+  Future<Response> getReverseGeocodingStateWithHttpInfo() async {
+    // ignore: prefer_const_declarations
+    final path = r'/system-metadata/reverse-geocoding-state';
+
+    // ignore: prefer_final_locals
+    Object? postBody;
+
+    final queryParams = <QueryParam>[];
+    final headerParams = <String, String>{};
+    final formParams = <String, String>{};
+
+    const contentTypes = <String>[];
+
+
+    return apiClient.invokeAPI(
+      path,
+      'GET',
+      queryParams,
+      postBody,
+      headerParams,
+      formParams,
+      contentTypes.isEmpty ? null : contentTypes.first,
+    );
+  }
+
+  Future<ReverseGeocodingStateResponseDto?> getReverseGeocodingState() async {
+    final response = await getReverseGeocodingStateWithHttpInfo();
+    if (response.statusCode >= HttpStatus.badRequest) {
+      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
+    }
+    // When a remote server returns no body with a status of 204, we shall not decode it.
+    // At the time of writing this, `dart:convert` will throw an "Unexpected end of input"
+    // FormatException when trying to decode an empty string.
+    if (response.body.isNotEmpty && response.statusCode != HttpStatus.noContent) {
+      return await apiClient.deserializeAsync(await _decodeBodyBytes(response), 'ReverseGeocodingStateResponseDto',) as ReverseGeocodingStateResponseDto;
+    
+    }
+    return null;
+  }
+
+  /// Performs an HTTP 'POST /system-metadata/admin-onboarding' operation and returns the [Response].
+  /// Parameters:
+  ///
+  /// * [AdminOnboardingUpdateDto] adminOnboardingUpdateDto (required):
+  Future<Response> updateAdminOnboardingWithHttpInfo(AdminOnboardingUpdateDto adminOnboardingUpdateDto,) async {
+    // ignore: prefer_const_declarations
+    final path = r'/system-metadata/admin-onboarding';
+
+    // ignore: prefer_final_locals
+    Object? postBody = adminOnboardingUpdateDto;
+
+    final queryParams = <QueryParam>[];
+    final headerParams = <String, String>{};
+    final formParams = <String, String>{};
+
+    const contentTypes = <String>['application/json'];
+
+
+    return apiClient.invokeAPI(
+      path,
+      'POST',
+      queryParams,
+      postBody,
+      headerParams,
+      formParams,
+      contentTypes.isEmpty ? null : contentTypes.first,
+    );
+  }
+
+  /// Parameters:
+  ///
+  /// * [AdminOnboardingUpdateDto] adminOnboardingUpdateDto (required):
+  Future<void> updateAdminOnboarding(AdminOnboardingUpdateDto adminOnboardingUpdateDto,) async {
+    final response = await updateAdminOnboardingWithHttpInfo(adminOnboardingUpdateDto,);
+    if (response.statusCode >= HttpStatus.badRequest) {
+      throw ApiException(response.statusCode, await _decodeBodyBytes(response));
+    }
+  }
+}
--- a/mobile/openapi/lib/api_client.dart
+++ b/mobile/openapi/lib/api_client.dart
@@ -198,6 +198,8 @@ class ApiClient {
          return ActivityStatisticsResponseDto.fromJson(value);
        case 'AddUsersDto':
          return AddUsersDto.fromJson(value);
+        case 'AdminOnboardingUpdateDto':
+          return AdminOnboardingUpdateDto.fromJson(value);
        case 'AlbumCountResponseDto':
          return AlbumCountResponseDto.fromJson(value);
        case 'AlbumResponseDto':
@@ -392,6 +394,8 @@ class ApiClient {
          return ReactionTypeTypeTransformer().decode(value);
        case 'RecognitionConfig':
          return RecognitionConfig.fromJson(value);
+        case 'ReverseGeocodingStateResponseDto':
+          return ReverseGeocodingStateResponseDto.fromJson(value);
        case 'ScanLibraryDto':
          return ScanLibraryDto.fromJson(value);
        case 'SearchAlbumResponseDto':
--- a/mobile/openapi/lib/model/admin_onboarding_update_dto.dart
+++ b/mobile/openapi/lib/model/admin_onboarding_update_dto.dart
@@ -0,0 +1,98 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.12
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+part of openapi.api;
+
+class AdminOnboardingUpdateDto {
+  /// Returns a new [AdminOnboardingUpdateDto] instance.
+  AdminOnboardingUpdateDto({
+    required this.isOnboarded,
+  });
+
+  bool isOnboarded;
+
+  @override
+  bool operator ==(Object other) => identical(this, other) || other is AdminOnboardingUpdateDto &&
+    other.isOnboarded == isOnboarded;
+
+  @override
+  int get hashCode =>
+    // ignore: unnecessary_parenthesis
+    (isOnboarded.hashCode);
+
+  @override
+  String toString() => 'AdminOnboardingUpdateDto[isOnboarded=$isOnboarded]';
+
+  Map<String, dynamic> toJson() {
+    final json = <String, dynamic>{};
+      json[r'isOnboarded'] = this.isOnboarded;
+    return json;
+  }
+
+  /// Returns a new [AdminOnboardingUpdateDto] instance and imports its values from
+  /// [value] if it's a [Map], null otherwise.
+  // ignore: prefer_constructors_over_static_methods
+  static AdminOnboardingUpdateDto? fromJson(dynamic value) {
+    if (value is Map) {
+      final json = value.cast<String, dynamic>();
+
+      return AdminOnboardingUpdateDto(
+        isOnboarded: mapValueOfType<bool>(json, r'isOnboarded')!,
+      );
+    }
+    return null;
+  }
+
+  static List<AdminOnboardingUpdateDto> listFromJson(dynamic json, {bool growable = false,}) {
+    final result = <AdminOnboardingUpdateDto>[];
+    if (json is List && json.isNotEmpty) {
+      for (final row in json) {
+        final value = AdminOnboardingUpdateDto.fromJson(row);
+        if (value != null) {
+          result.add(value);
+        }
+      }
+    }
+    return result.toList(growable: growable);
+  }
+
+  static Map<String, AdminOnboardingUpdateDto> mapFromJson(dynamic json) {
+    final map = <String, AdminOnboardingUpdateDto>{};
+    if (json is Map && json.isNotEmpty) {
+      json = json.cast<String, dynamic>(); // ignore: parameter_assignments
+      for (final entry in json.entries) {
+        final value = AdminOnboardingUpdateDto.fromJson(entry.value);
+        if (value != null) {
+          map[entry.key] = value;
+        }
+      }
+    }
+    return map;
+  }
+
+  // maps a json object with a list of AdminOnboardingUpdateDto-objects as value to a dart map
+  static Map<String, List<AdminOnboardingUpdateDto>> mapListFromJson(dynamic json, {bool growable = false,}) {
+    final map = <String, List<AdminOnboardingUpdateDto>>{};
+    if (json is Map && json.isNotEmpty) {
+      // ignore: parameter_assignments
+      json = json.cast<String, dynamic>();
+      for (final entry in json.entries) {
+        map[entry.key] = AdminOnboardingUpdateDto.listFromJson(entry.value, growable: growable,);
+      }
+    }
+    return map;
+  }
+
+  /// The list of required keys that must be present in a JSON.
+  static const requiredKeys = <String>{
+    'isOnboarded',
+  };
+}
+
--- a/mobile/openapi/lib/model/reverse_geocoding_state_response_dto.dart
+++ b/mobile/openapi/lib/model/reverse_geocoding_state_response_dto.dart
@@ -0,0 +1,114 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.12
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+part of openapi.api;
+
+class ReverseGeocodingStateResponseDto {
+  /// Returns a new [ReverseGeocodingStateResponseDto] instance.
+  ReverseGeocodingStateResponseDto({
+    required this.lastImportFileName,
+    required this.lastUpdate,
+  });
+
+  String? lastImportFileName;
+
+  String? lastUpdate;
+
+  @override
+  bool operator ==(Object other) => identical(this, other) || other is ReverseGeocodingStateResponseDto &&
+    other.lastImportFileName == lastImportFileName &&
+    other.lastUpdate == lastUpdate;
+
+  @override
+  int get hashCode =>
+    // ignore: unnecessary_parenthesis
+    (lastImportFileName == null ? 0 : lastImportFileName!.hashCode) +
+    (lastUpdate == null ? 0 : lastUpdate!.hashCode);
+
+  @override
+  String toString() => 'ReverseGeocodingStateResponseDto[lastImportFileName=$lastImportFileName, lastUpdate=$lastUpdate]';
+
+  Map<String, dynamic> toJson() {
+    final json = <String, dynamic>{};
+    if (this.lastImportFileName != null) {
+      json[r'lastImportFileName'] = this.lastImportFileName;
+    } else {
+    //  json[r'lastImportFileName'] = null;
+    }
+    if (this.lastUpdate != null) {
+      json[r'lastUpdate'] = this.lastUpdate;
+    } else {
+    //  json[r'lastUpdate'] = null;
+    }
+    return json;
+  }
+
+  /// Returns a new [ReverseGeocodingStateResponseDto] instance and imports its values from
+  /// [value] if it's a [Map], null otherwise.
+  // ignore: prefer_constructors_over_static_methods
+  static ReverseGeocodingStateResponseDto? fromJson(dynamic value) {
+    if (value is Map) {
+      final json = value.cast<String, dynamic>();
+
+      return ReverseGeocodingStateResponseDto(
+        lastImportFileName: mapValueOfType<String>(json, r'lastImportFileName'),
+        lastUpdate: mapValueOfType<String>(json, r'lastUpdate'),
+      );
+    }
+    return null;
+  }
+
+  static List<ReverseGeocodingStateResponseDto> listFromJson(dynamic json, {bool growable = false,}) {
+    final result = <ReverseGeocodingStateResponseDto>[];
+    if (json is List && json.isNotEmpty) {
+      for (final row in json) {
+        final value = ReverseGeocodingStateResponseDto.fromJson(row);
+        if (value != null) {
+          result.add(value);
+        }
+      }
+    }
+    return result.toList(growable: growable);
+  }
+
+  static Map<String, ReverseGeocodingStateResponseDto> mapFromJson(dynamic json) {
+    final map = <String, ReverseGeocodingStateResponseDto>{};
+    if (json is Map && json.isNotEmpty) {
+      json = json.cast<String, dynamic>(); // ignore: parameter_assignments
+      for (final entry in json.entries) {
+        final value = ReverseGeocodingStateResponseDto.fromJson(entry.value);
+        if (value != null) {
+          map[entry.key] = value;
+        }
+      }
+    }
+    return map;
+  }
+
+  // maps a json object with a list of ReverseGeocodingStateResponseDto-objects as value to a dart map
+  static Map<String, List<ReverseGeocodingStateResponseDto>> mapListFromJson(dynamic json, {bool growable = false,}) {
+    final map = <String, List<ReverseGeocodingStateResponseDto>>{};
+    if (json is Map && json.isNotEmpty) {
+      // ignore: parameter_assignments
+      json = json.cast<String, dynamic>();
+      for (final entry in json.entries) {
+        map[entry.key] = ReverseGeocodingStateResponseDto.listFromJson(entry.value, growable: growable,);
+      }
+    }
+    return map;
+  }
+
+  /// The list of required keys that must be present in a JSON.
+  static const requiredKeys = <String>{
+    'lastImportFileName',
+    'lastUpdate',
+  };
+}
+
--- a/mobile/openapi/test/admin_onboarding_update_dto_test.dart
+++ b/mobile/openapi/test/admin_onboarding_update_dto_test.dart
@@ -0,0 +1,27 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.12
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+import 'package:openapi/api.dart';
+import 'package:test/test.dart';
+
+// tests for AdminOnboardingUpdateDto
+void main() {
+  // final instance = AdminOnboardingUpdateDto();
+
+  group('test AdminOnboardingUpdateDto', () {
+    // bool isOnboarded
+    test('to test the property `isOnboarded`', () async {
+      // TODO
+    });
+
+
+  });
+
+}
--- a/mobile/openapi/test/audit_api_test.dart
+++ b/mobile/openapi/test/audit_api_test.dart
@@ -17,25 +17,10 @@ void main() {
  // final instance = AuditApi();

  group('tests for AuditApi', () {
-    //Future fixAuditFiles(FileReportFixDto fileReportFixDto) async
-    test('test fixAuditFiles', () async {
-      // TODO
-    });
-
    //Future<AuditDeletesResponseDto> getAuditDeletes(DateTime after, EntityType entityType, { String userId }) async
    test('test getAuditDeletes', () async {
      // TODO
    });

-    //Future<FileReportDto> getAuditFiles() async
-    test('test getAuditFiles', () async {
-      // TODO
-    });
-
-    //Future<List<FileChecksumResponseDto>> getFileChecksums(FileChecksumDto fileChecksumDto) async
-    test('test getFileChecksums', () async {
-      // TODO
-    });
-
  });
 }
--- a/mobile/openapi/test/file_report_api_test.dart
+++ b/mobile/openapi/test/file_report_api_test.dart
@@ -0,0 +1,36 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.12
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+import 'package:openapi/api.dart';
+import 'package:test/test.dart';
+
+
+/// tests for FileReportApi
+void main() {
+  // final instance = FileReportApi();
+
+  group('tests for FileReportApi', () {
+    //Future fixAuditFiles(FileReportFixDto fileReportFixDto) async
+    test('test fixAuditFiles', () async {
+      // TODO
+    });
+
+    //Future<FileReportDto> getAuditFiles() async
+    test('test getAuditFiles', () async {
+      // TODO
+    });
+
+    //Future<List<FileChecksumResponseDto>> getFileChecksums(FileChecksumDto fileChecksumDto) async
+    test('test getFileChecksums', () async {
+      // TODO
+    });
+
+  });
+}
--- a/mobile/openapi/test/reverse_geocoding_state_response_dto_test.dart
+++ b/mobile/openapi/test/reverse_geocoding_state_response_dto_test.dart
@@ -0,0 +1,32 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.12
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+import 'package:openapi/api.dart';
+import 'package:test/test.dart';
+
+// tests for ReverseGeocodingStateResponseDto
+void main() {
+  // final instance = ReverseGeocodingStateResponseDto();
+
+  group('test ReverseGeocodingStateResponseDto', () {
+    // String lastImportFileName
+    test('to test the property `lastImportFileName`', () async {
+      // TODO
+    });
+
+    // String lastUpdate
+    test('to test the property `lastUpdate`', () async {
+      // TODO
+    });
+
+
+  });
+
+}
--- a/mobile/openapi/test/server_info_api_test.dart
+++ b/mobile/openapi/test/server_info_api_test.dart
@@ -57,10 +57,5 @@ void main() {
      // TODO
    });

-    //Future setAdminOnboarding() async
-    test('test setAdminOnboarding', () async {
-      // TODO
-    });
-
  });
 }
--- a/mobile/openapi/test/system_metadata_api_test.dart
+++ b/mobile/openapi/test/system_metadata_api_test.dart
@@ -0,0 +1,36 @@
+//
+// AUTO-GENERATED FILE, DO NOT MODIFY!
+//
+// @dart=2.12
+
+// ignore_for_file: unused_element, unused_import
+// ignore_for_file: always_put_required_named_parameters_first
+// ignore_for_file: constant_identifier_names
+// ignore_for_file: lines_longer_than_80_chars
+
+import 'package:openapi/api.dart';
+import 'package:test/test.dart';
+
+
+/// tests for SystemMetadataApi
+void main() {
+  // final instance = SystemMetadataApi();
+
+  group('tests for SystemMetadataApi', () {
+    //Future<AdminOnboardingUpdateDto> getAdminOnboarding() async
+    test('test getAdminOnboarding', () async {
+      // TODO
+    });
+
+    //Future<ReverseGeocodingStateResponseDto> getReverseGeocodingState() async
+    test('test getReverseGeocodingState', () async {
+      // TODO
+    });
+
+    //Future updateAdminOnboarding(AdminOnboardingUpdateDto adminOnboardingUpdateDto) async
+    test('test updateAdminOnboarding', () async {
+      // TODO
+    });
+
+  });
+}
--- a/mobile/pubspec.lock
+++ b/mobile/pubspec.lock
@@ -1804,5 +1804,5 @@ packages:
    source: hosted
    version: "3.1.2"
 sdks:
-  dart: ">=3.2.0 <4.0.0"
+  dart: ">=3.3.0 <4.0.0"
  flutter: ">=3.16.0"
--- a/mobile/pubspec.yaml
+++ b/mobile/pubspec.yaml
@@ -2,10 +2,10 @@ name: immich_mobile
 description: Immich - selfhosted backup media file on mobile phone

 publish_to: 'none'
-version: 1.102.0+132
+version: 1.102.3+136

 environment:
-  sdk: '>=3.0.0 <4.0.0'
+  sdk: '>=3.3.0 <4.0.0'

 dependencies:
  flutter:
--- a/open-api/immich-openapi-specs.json
+++ b/open-api/immich-openapi-specs.json
@@ -2345,118 +2345,6 @@
        ]
      }
    },
-    "/audit/file-report": {
-      "get": {
-        "operationId": "getAuditFiles",
-        "parameters": [],
-        "responses": {
-          "200": {
-            "content": {
-              "application/json": {
-                "schema": {
-                  "$ref": "#/components/schemas/FileReportDto"
-                }
-              }
-            },
-            "description": ""
-          }
-        },
-        "security": [
-          {
-            "bearer": []
-          },
-          {
-            "cookie": []
-          },
-          {
-            "api_key": []
-          }
-        ],
-        "tags": [
-          "Audit"
-        ]
-      }
-    },
-    "/audit/file-report/checksum": {
-      "post": {
-        "operationId": "getFileChecksums",
-        "parameters": [],
-        "requestBody": {
-          "content": {
-            "application/json": {
-              "schema": {
-                "$ref": "#/components/schemas/FileChecksumDto"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "201": {
-            "content": {
-              "application/json": {
-                "schema": {
-                  "items": {
-                    "$ref": "#/components/schemas/FileChecksumResponseDto"
-                  },
-                  "type": "array"
-                }
-              }
-            },
-            "description": ""
-          }
-        },
-        "security": [
-          {
-            "bearer": []
-          },
-          {
-            "cookie": []
-          },
-          {
-            "api_key": []
-          }
-        ],
-        "tags": [
-          "Audit"
-        ]
-      }
-    },
-    "/audit/file-report/fix": {
-      "post": {
-        "operationId": "fixAuditFiles",
-        "parameters": [],
-        "requestBody": {
-          "content": {
-            "application/json": {
-              "schema": {
-                "$ref": "#/components/schemas/FileReportFixDto"
-              }
-            }
-          },
-          "required": true
-        },
-        "responses": {
-          "201": {
-            "description": ""
-          }
-        },
-        "security": [
-          {
-            "bearer": []
-          },
-          {
-            "cookie": []
-          },
-          {
-            "api_key": []
-          }
-        ],
-        "tags": [
-          "Audit"
-        ]
-      }
-    },
    "/auth/admin-sign-up": {
      "post": {
        "operationId": "signUpAdmin",
@@ -4429,6 +4317,118 @@
        ]
      }
    },
+    "/report": {
+      "get": {
+        "operationId": "getAuditFiles",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/FileReportDto"
+                }
+              }
+            },
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          },
+          {
+            "cookie": []
+          },
+          {
+            "api_key": []
+          }
+        ],
+        "tags": [
+          "File Report"
+        ]
+      }
+    },
+    "/report/checksum": {
+      "post": {
+        "operationId": "getFileChecksums",
+        "parameters": [],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/FileChecksumDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "201": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "items": {
+                    "$ref": "#/components/schemas/FileChecksumResponseDto"
+                  },
+                  "type": "array"
+                }
+              }
+            },
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          },
+          {
+            "cookie": []
+          },
+          {
+            "api_key": []
+          }
+        ],
+        "tags": [
+          "File Report"
+        ]
+      }
+    },
+    "/report/fix": {
+      "post": {
+        "operationId": "fixAuditFiles",
+        "parameters": [],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/FileReportFixDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "201": {
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          },
+          {
+            "cookie": []
+          },
+          {
+            "api_key": []
+          }
+        ],
+        "tags": [
+          "File Report"
+        ]
+      }
+    },
    "/search": {
      "get": {
        "deprecated": true,
@@ -4908,31 +4908,6 @@
        ]
      }
    },
-    "/server-info/admin-onboarding": {
-      "post": {
-        "operationId": "setAdminOnboarding",
-        "parameters": [],
-        "responses": {
-          "204": {
-            "description": ""
-          }
-        },
-        "security": [
-          {
-            "bearer": []
-          },
-          {
-            "cookie": []
-          },
-          {
-            "api_key": []
-          }
-        ],
-        "tags": [
-          "Server Info"
-        ]
-      }
-    },
    "/server-info/config": {
      "get": {
        "operationId": "getServerConfig",
@@ -5885,6 +5860,103 @@
        ]
      }
    },
+    "/system-metadata/admin-onboarding": {
+      "get": {
+        "operationId": "getAdminOnboarding",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/AdminOnboardingUpdateDto"
+                }
+              }
+            },
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          },
+          {
+            "cookie": []
+          },
+          {
+            "api_key": []
+          }
+        ],
+        "tags": [
+          "System Metadata"
+        ]
+      },
+      "post": {
+        "operationId": "updateAdminOnboarding",
+        "parameters": [],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/AdminOnboardingUpdateDto"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "204": {
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          },
+          {
+            "cookie": []
+          },
+          {
+            "api_key": []
+          }
+        ],
+        "tags": [
+          "System Metadata"
+        ]
+      }
+    },
+    "/system-metadata/reverse-geocoding-state": {
+      "get": {
+        "operationId": "getReverseGeocodingState",
+        "parameters": [],
+        "responses": {
+          "200": {
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ReverseGeocodingStateResponseDto"
+                }
+              }
+            },
+            "description": ""
+          }
+        },
+        "security": [
+          {
+            "bearer": []
+          },
+          {
+            "cookie": []
+          },
+          {
+            "api_key": []
+          }
+        ],
+        "tags": [
+          "System Metadata"
+        ]
+      }
+    },
    "/tag": {
      "get": {
        "operationId": "getAllTags",
@@ -6356,15 +6428,6 @@
          }
        },
        "security": [
-          {
-            "bearer": []
-          },
-          {
-            "cookie": []
-          },
-          {
-            "api_key": []
-          },
          {
            "bearer": []
          },
@@ -6492,15 +6555,6 @@
          }
        },
        "security": [
-          {
-            "bearer": []
-          },
-          {
-            "cookie": []
-          },
-          {
-            "api_key": []
-          },
          {
            "bearer": []
          },
@@ -7006,7 +7060,7 @@
  "info": {
    "title": "Immich",
    "description": "Immich API",
-    "version": "1.102.0",
+    "version": "1.102.3",
    "contact": {}
  },
  "tags": [],
@@ -7180,6 +7234,17 @@
        ],
        "type": "object"
      },
+      "AdminOnboardingUpdateDto": {
+        "properties": {
+          "isOnboarded": {
+            "type": "boolean"
+          }
+        },
+        "required": [
+          "isOnboarded"
+        ],
+        "type": "object"
+      },
      "AlbumCountResponseDto": {
        "properties": {
          "notShared": {
@@ -7892,6 +7957,103 @@
        ],
        "type": "object"
      },
+      "AuthorizationPermission": {
+        "enum": [
+          "activity.create",
+          "activity.read",
+          "activity.update",
+          "activity.delete",
+          "album.create",
+          "album.read",
+          "album.update",
+          "album.delete",
+          "asset.create",
+          "asset.read",
+          "asset.update",
+          "asset.delete",
+          "apiKey.create",
+          "apiKey.read",
+          "apiKey.update",
+          "apiKey.delete",
+          "authDevice.create",
+          "authDevice.read",
+          "authDevice.update",
+          "authDevice.delete",
+          "face.create",
+          "face.read",
+          "face.update",
+          "face.delete",
+          "library.create",
+          "library.read",
+          "library.update",
+          "library.delete",
+          "memory.create",
+          "memory.read",
+          "memory.update",
+          "memory.delete",
+          "memory.addAsset",
+          "memory.removeAsset",
+          "partner.create",
+          "partner.read",
+          "partner.update",
+          "partner.delete",
+          "person.create",
+          "person.read",
+          "person.update",
+          "person.delete",
+          "report.create",
+          "report.read",
+          "report.update",
+          "report.delete",
+          "session.create",
+          "session.read",
+          "session.update",
+          "session.delete",
+          "sharedLink.create",
+          "sharedLink.read",
+          "sharedLink.update",
+          "sharedLink.delete",
+          "systemConfig.create",
+          "systemConfig.read",
+          "systemConfig.update",
+          "systemConfig.delete",
+          "systemMetadata.create",
+          "systemMetadata.read",
+          "systemMetadata.update",
+          "systemMetadata.delete",
+          "stack.create",
+          "stack.read",
+          "stack.update",
+          "stack.delete",
+          "tag.create",
+          "tag.read",
+          "tag.update",
+          "tag.delete",
+          "user.create",
+          "user.read",
+          "user.update",
+          "user.delete",
+          "auth.changePassword",
+          "auth.oauth",
+          "album.addAsset",
+          "album.removeAsset",
+          "album.addUser",
+          "album.removeUser",
+          "asset.viewThumb",
+          "asset.viewPreview",
+          "asset.viewOriginal",
+          "asset.upload",
+          "asset.download",
+          "job.read",
+          "job.run",
+          "map.read",
+          "user.readSimple",
+          "user.changePassword",
+          "server.read",
+          "server.setup"
+        ],
+        "type": "string"
+      },
      "BulkIdResponseDto": {
        "properties": {
          "error": {
@@ -8201,6 +8363,15 @@
          "password": {
            "type": "string"
          },
+          "permissionPreset": {
+            "$ref": "#/components/schemas/PermissionPreset"
+          },
+          "permissions": {
+            "items": {
+              "$ref": "#/components/schemas/AuthorizationPermission"
+            },
+            "type": "array"
+          },
          "quotaSizeInBytes": {
            "format": "int64",
            "nullable": true,
@@ -8217,7 +8388,8 @@
        "required": [
          "email",
          "name",
-          "password"
+          "password",
+          "permissionPreset"
        ],
        "type": "object"
      },
@@ -9281,6 +9453,106 @@
          "oauthId": {
            "type": "string"
          },
+          "permissions": {
+            "items": {
+              "enum": [
+                "activity.create",
+                "activity.read",
+                "activity.update",
+                "activity.delete",
+                "album.create",
+                "album.read",
+                "album.update",
+                "album.delete",
+                "asset.create",
+                "asset.read",
+                "asset.update",
+                "asset.delete",
+                "apiKey.create",
+                "apiKey.read",
+                "apiKey.update",
+                "apiKey.delete",
+                "authDevice.create",
+                "authDevice.read",
+                "authDevice.update",
+                "authDevice.delete",
+                "face.create",
+                "face.read",
+                "face.update",
+                "face.delete",
+                "library.create",
+                "library.read",
+                "library.update",
+                "library.delete",
+                "memory.create",
+                "memory.read",
+                "memory.update",
+                "memory.delete",
+                "memory.addAsset",
+                "memory.removeAsset",
+                "partner.create",
+                "partner.read",
+                "partner.update",
+                "partner.delete",
+                "person.create",
+                "person.read",
+                "person.update",
+                "person.delete",
+                "report.create",
+                "report.read",
+                "report.update",
+                "report.delete",
+                "session.create",
+                "session.read",
+                "session.update",
+                "session.delete",
+                "sharedLink.create",
+                "sharedLink.read",
+                "sharedLink.update",
+                "sharedLink.delete",
+                "systemConfig.create",
+                "systemConfig.read",
+                "systemConfig.update",
+                "systemConfig.delete",
+                "systemMetadata.create",
+                "systemMetadata.read",
+                "systemMetadata.update",
+                "systemMetadata.delete",
+                "stack.create",
+                "stack.read",
+                "stack.update",
+                "stack.delete",
+                "tag.create",
+                "tag.read",
+                "tag.update",
+                "tag.delete",
+                "user.create",
+                "user.read",
+                "user.update",
+                "user.delete",
+                "auth.changePassword",
+                "auth.oauth",
+                "album.addAsset",
+                "album.removeAsset",
+                "album.addUser",
+                "album.removeUser",
+                "asset.viewThumb",
+                "asset.viewPreview",
+                "asset.viewOriginal",
+                "asset.upload",
+                "asset.download",
+                "job.read",
+                "job.run",
+                "map.read",
+                "user.readSimple",
+                "user.changePassword",
+                "server.read",
+                "server.setup"
+              ],
+              "type": "string"
+            },
+            "type": "array"
+          },
          "profileImagePath": {
            "type": "string"
          },
@@ -9414,6 +9686,14 @@
        ],
        "type": "object"
      },
+      "PermissionPreset": {
+        "enum": [
+          "user",
+          "admin",
+          "custom"
+        ],
+        "type": "string"
+      },
      "PersonCreateDto": {
        "properties": {
          "birthDate": {
@@ -9618,6 +9898,23 @@
        ],
        "type": "object"
      },
+      "ReverseGeocodingStateResponseDto": {
+        "properties": {
+          "lastImportFileName": {
+            "nullable": true,
+            "type": "string"
+          },
+          "lastUpdate": {
+            "nullable": true,
+            "type": "string"
+          }
+        },
+        "required": [
+          "lastImportFileName",
+          "lastUpdate"
+        ],
+        "type": "object"
+      },
      "ScanLibraryDto": {
        "properties": {
          "refreshAllFiles": {
@@ -11152,6 +11449,15 @@
          "password": {
            "type": "string"
          },
+          "permissionPreset": {
+            "$ref": "#/components/schemas/PermissionPreset"
+          },
+          "permissions": {
+            "items": {
+              "$ref": "#/components/schemas/AuthorizationPermission"
+            },
+            "type": "array"
+          },
          "quotaSizeInBytes": {
            "format": "int64",
            "nullable": true,
@@ -11277,6 +11583,106 @@
          "oauthId": {
            "type": "string"
          },
+          "permissions": {
+            "items": {
+              "enum": [
+                "activity.create",
+                "activity.read",
+                "activity.update",
+                "activity.delete",
+                "album.create",
+                "album.read",
+                "album.update",
+                "album.delete",
+                "asset.create",
+                "asset.read",
+                "asset.update",
+                "asset.delete",
+                "apiKey.create",
+                "apiKey.read",
+                "apiKey.update",
+                "apiKey.delete",
+                "authDevice.create",
+                "authDevice.read",
+                "authDevice.update",
+                "authDevice.delete",
+                "face.create",
+                "face.read",
+                "face.update",
+                "face.delete",
+                "library.create",
+                "library.read",
+                "library.update",
+                "library.delete",
+                "memory.create",
+                "memory.read",
+                "memory.update",
+                "memory.delete",
+                "memory.addAsset",
+                "memory.removeAsset",
+                "partner.create",
+                "partner.read",
+                "partner.update",
+                "partner.delete",
+                "person.create",
+                "person.read",
+                "person.update",
+                "person.delete",
+                "report.create",
+                "report.read",
+                "report.update",
+                "report.delete",
+                "session.create",
+                "session.read",
+                "session.update",
+                "session.delete",
+                "sharedLink.create",
+                "sharedLink.read",
+                "sharedLink.update",
+                "sharedLink.delete",
+                "systemConfig.create",
+                "systemConfig.read",
+                "systemConfig.update",
+                "systemConfig.delete",
+                "systemMetadata.create",
+                "systemMetadata.read",
+                "systemMetadata.update",
+                "systemMetadata.delete",
+                "stack.create",
+                "stack.read",
+                "stack.update",
+                "stack.delete",
+                "tag.create",
+                "tag.read",
+                "tag.update",
+                "tag.delete",
+                "user.create",
+                "user.read",
+                "user.update",
+                "user.delete",
+                "auth.changePassword",
+                "auth.oauth",
+                "album.addAsset",
+                "album.removeAsset",
+                "album.addUser",
+                "album.removeUser",
+                "asset.viewThumb",
+                "asset.viewPreview",
+                "asset.viewOriginal",
+                "asset.upload",
+                "asset.download",
+                "job.read",
+                "job.run",
+                "map.read",
+                "user.readSimple",
+                "user.changePassword",
+                "server.read",
+                "server.setup"
+              ],
+              "type": "string"
+            },
+            "type": "array"
+          },
          "profileImagePath": {
            "type": "string"
          },
--- a/open-api/typescript-sdk/package-lock.json
+++ b/open-api/typescript-sdk/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "@immich/sdk",
-  "version": "1.102.0",
+  "version": "1.102.3",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@immich/sdk",
-      "version": "1.102.0",
+      "version": "1.102.3",
      "license": "GNU Affero General Public License version 3",
      "dependencies": {
        "@oazapfts/runtime": "^1.0.2"
--- a/open-api/typescript-sdk/package.json
+++ b/open-api/typescript-sdk/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@immich/sdk",
-  "version": "1.102.0",
+  "version": "1.102.3",
  "description": "Auto-generated TypeScript SDK for the Immich API",
  "type": "module",
  "main": "./build/index.js",
--- a/open-api/typescript-sdk/src/fetch-client.ts
+++ b/open-api/typescript-sdk/src/fetch-client.ts
@@ -1,6 +1,6 @@
 /**
 * Immich
- * 1.102.0
+ * 1.102.3
 * DO NOT MODIFY - This file has been generated using oazapfts.
 * See https://www.npmjs.com/package/oazapfts
 */
@@ -71,6 +71,7 @@ export type UserResponseDto = {
    memoriesEnabled?: boolean;
    name: string;
    oauthId: string;
+    permissions?: ("activity.create" | "activity.read" | "activity.update" | "activity.delete" | "album.create" | "album.read" | "album.update" | "album.delete" | "apiKey.create" | "apiKey.read" | "apiKey.update" | "apiKey.delete" | "asset.create" | "asset.read" | "asset.update" | "asset.delete" | "authDevice.create" | "authDevice.read" | "authDevice.update" | "authDevice.delete" | "face.create" | "face.read" | "face.update" | "face.delete" | "memory.create" | "memory.read" | "memory.update" | "memory.delete" | "partner.create" | "partner.read" | "partner.update" | "partner.delete" | "person.create" | "person.read" | "person.update" | "person.delete" | "sharedLink.create" | "sharedLink.read" | "sharedLink.update" | "sharedLink.delete" | "systemConfig.read" | "systemConfig.update" | "systemConfig.delete" | "stack.create" | "stack.read" | "stack.update" | "stack.delete" | "tag.create" | "tag.read" | "tag.update" | "tag.delete" | "user.create" | "user.readSimple" | "user.read" | "user.update" | "user.delete")[];
    profileImagePath: string;
    quotaSizeInBytes: number | null;
    quotaUsageInBytes: number | null;
@@ -316,27 +317,6 @@ export type AuditDeletesResponseDto = {
    ids: string[];
    needsFullSync: boolean;
 };
-export type FileReportItemDto = {
-    checksum?: string;
-    entityId: string;
-    entityType: PathEntityType;
-    pathType: PathType;
-    pathValue: string;
-};
-export type FileReportDto = {
-    extras: string[];
-    orphans: FileReportItemDto[];
-};
-export type FileChecksumDto = {
-    filenames: string[];
-};
-export type FileChecksumResponseDto = {
-    checksum: string;
-    filename: string;
-};
-export type FileReportFixDto = {
-    items: FileReportItemDto[];
-};
 export type SignUpDto = {
    email: string;
    name: string;
@@ -534,6 +514,7 @@ export type PartnerResponseDto = {
    memoriesEnabled?: boolean;
    name: string;
    oauthId: string;
+    permissions?: ("activity.create" | "activity.read" | "activity.update" | "activity.delete" | "album.create" | "album.read" | "album.update" | "album.delete" | "apiKey.create" | "apiKey.read" | "apiKey.update" | "apiKey.delete" | "asset.create" | "asset.read" | "asset.update" | "asset.delete" | "authDevice.create" | "authDevice.read" | "authDevice.update" | "authDevice.delete" | "face.create" | "face.read" | "face.update" | "face.delete" | "memory.create" | "memory.read" | "memory.update" | "memory.delete" | "partner.create" | "partner.read" | "partner.update" | "partner.delete" | "person.create" | "person.read" | "person.update" | "person.delete" | "sharedLink.create" | "sharedLink.read" | "sharedLink.update" | "sharedLink.delete" | "systemConfig.read" | "systemConfig.update" | "systemConfig.delete" | "stack.create" | "stack.read" | "stack.update" | "stack.delete" | "tag.create" | "tag.read" | "tag.update" | "tag.delete" | "user.create" | "user.readSimple" | "user.read" | "user.update" | "user.delete")[];
    profileImagePath: string;
    quotaSizeInBytes: number | null;
    quotaUsageInBytes: number | null;
@@ -599,6 +580,27 @@ export type AssetFaceUpdateDto = {
 export type PersonStatisticsResponseDto = {
    assets: number;
 };
+export type FileReportItemDto = {
+    checksum?: string;
+    entityId: string;
+    entityType: PathEntityType;
+    pathType: PathType;
+    pathValue: string;
+};
+export type FileReportDto = {
+    extras: string[];
+    orphans: FileReportItemDto[];
+};
+export type FileChecksumDto = {
+    filenames: string[];
+};
+export type FileChecksumResponseDto = {
+    checksum: string;
+    filename: string;
+};
+export type FileReportFixDto = {
+    items: FileReportItemDto[];
+};
 export type SearchFacetCountResponseDto = {
    count: number;
    value: string;
@@ -998,6 +1000,13 @@ export type SystemConfigTemplateStorageOptionDto = {
    weekOptions: string[];
    yearOptions: string[];
 };
+export type AdminOnboardingUpdateDto = {
+    isOnboarded: boolean;
+};
+export type ReverseGeocodingStateResponseDto = {
+    lastImportFileName: string | null;
+    lastUpdate: string | null;
+};
 export type CreateTagDto = {
    name: string;
    "type": TagTypeEnum;
@@ -1014,6 +1023,8 @@ export type CreateUserDto = {
    memoriesEnabled?: boolean;
    name: string;
    password: string;
+    permissionPreset: PermissionPreset;
+    permissions?: AuthorizationPermission[];
    quotaSizeInBytes?: number | null;
    shouldChangePassword?: boolean;
    storageLabel?: string | null;
@@ -1026,6 +1037,8 @@ export type UpdateUserDto = {
    memoriesEnabled?: boolean;
    name?: string;
    password?: string;
+    permissionPreset?: PermissionPreset;
+    permissions?: AuthorizationPermission[];
    quotaSizeInBytes?: number | null;
    shouldChangePassword?: boolean;
    storageLabel?: string;
@@ -1651,35 +1664,6 @@ export function getAuditDeletes({ after, entityType, userId }: {
        ...opts
    }));
 }
-export function getAuditFiles(opts?: Oazapfts.RequestOpts) {
-    return oazapfts.ok(oazapfts.fetchJson<{
-        status: 200;
-        data: FileReportDto;
-    }>("/audit/file-report", {
-        ...opts
-    }));
-}
-export function getFileChecksums({ fileChecksumDto }: {
-    fileChecksumDto: FileChecksumDto;
-}, opts?: Oazapfts.RequestOpts) {
-    return oazapfts.ok(oazapfts.fetchJson<{
-        status: 201;
-        data: FileChecksumResponseDto[];
-    }>("/audit/file-report/checksum", oazapfts.json({
-        ...opts,
-        method: "POST",
-        body: fileChecksumDto
-    })));
-}
-export function fixAuditFiles({ fileReportFixDto }: {
-    fileReportFixDto: FileReportFixDto;
-}, opts?: Oazapfts.RequestOpts) {
-    return oazapfts.ok(oazapfts.fetchText("/audit/file-report/fix", oazapfts.json({
-        ...opts,
-        method: "POST",
-        body: fileReportFixDto
-    })));
-}
 export function signUpAdmin({ signUpDto }: {
    signUpDto: SignUpDto;
 }, opts?: Oazapfts.RequestOpts) {
@@ -2206,6 +2190,35 @@ export function getPersonThumbnail({ id }: {
        ...opts
    }));
 }
+export function getAuditFiles(opts?: Oazapfts.RequestOpts) {
+    return oazapfts.ok(oazapfts.fetchJson<{
+        status: 200;
+        data: FileReportDto;
+    }>("/report", {
+        ...opts
+    }));
+}
+export function getFileChecksums({ fileChecksumDto }: {
+    fileChecksumDto: FileChecksumDto;
+}, opts?: Oazapfts.RequestOpts) {
+    return oazapfts.ok(oazapfts.fetchJson<{
+        status: 201;
+        data: FileChecksumResponseDto[];
+    }>("/report/checksum", oazapfts.json({
+        ...opts,
+        method: "POST",
+        body: fileChecksumDto
+    })));
+}
+export function fixAuditFiles({ fileReportFixDto }: {
+    fileReportFixDto: FileReportFixDto;
+}, opts?: Oazapfts.RequestOpts) {
+    return oazapfts.ok(oazapfts.fetchText("/report/fix", oazapfts.json({
+        ...opts,
+        method: "POST",
+        body: fileReportFixDto
+    })));
+}
 export function search({ clip, motion, page, q, query, recent, size, smart, $type, withArchived }: {
    clip?: boolean;
    motion?: boolean;
@@ -2330,12 +2343,6 @@ export function getServerInfo(opts?: Oazapfts.RequestOpts) {
        ...opts
    }));
 }
-export function setAdminOnboarding(opts?: Oazapfts.RequestOpts) {
-    return oazapfts.ok(oazapfts.fetchText("/server-info/admin-onboarding", {
-        ...opts,
-        method: "POST"
-    }));
-}
 export function getServerConfig(opts?: Oazapfts.RequestOpts) {
    return oazapfts.ok(oazapfts.fetchJson<{
        status: 200;
@@ -2597,6 +2604,31 @@ export function getStorageTemplateOptions(opts?: Oazapfts.RequestOpts) {
        ...opts
    }));
 }
+export function getAdminOnboarding(opts?: Oazapfts.RequestOpts) {
+    return oazapfts.ok(oazapfts.fetchJson<{
+        status: 200;
+        data: AdminOnboardingUpdateDto;
+    }>("/system-metadata/admin-onboarding", {
+        ...opts
+    }));
+}
+export function updateAdminOnboarding({ adminOnboardingUpdateDto }: {
+    adminOnboardingUpdateDto: AdminOnboardingUpdateDto;
+}, opts?: Oazapfts.RequestOpts) {
+    return oazapfts.ok(oazapfts.fetchText("/system-metadata/admin-onboarding", oazapfts.json({
+        ...opts,
+        method: "POST",
+        body: adminOnboardingUpdateDto
+    })));
+}
+export function getReverseGeocodingState(opts?: Oazapfts.RequestOpts) {
+    return oazapfts.ok(oazapfts.fetchJson<{
+        status: 200;
+        data: ReverseGeocodingStateResponseDto;
+    }>("/system-metadata/reverse-geocoding-state", {
+        ...opts
+    }));
+}
 export function getAllTags(opts?: Oazapfts.RequestOpts) {
    return oazapfts.ok(oazapfts.fetchJson<{
        status: 200;
@@ -2948,20 +2980,6 @@ export enum EntityType {
    Asset = "ASSET",
    Album = "ALBUM"
 }
-export enum PathEntityType {
-    Asset = "asset",
-    Person = "person",
-    User = "user"
-}
-export enum PathType {
-    Original = "original",
-    Preview = "preview",
-    Thumbnail = "thumbnail",
-    EncodedVideo = "encoded_video",
-    Sidecar = "sidecar",
-    Face = "face",
-    Profile = "profile"
-}
 export enum JobName {
    ThumbnailGeneration = "thumbnailGeneration",
    MetadataExtraction = "metadataExtraction",
@@ -2993,6 +3011,20 @@ export enum Type2 {
 export enum MemoryType {
    OnThisDay = "on_this_day"
 }
+export enum PathEntityType {
+    Asset = "asset",
+    Person = "person",
+    User = "user"
+}
+export enum PathType {
+    Original = "original",
+    Preview = "preview",
+    Thumbnail = "thumbnail",
+    EncodedVideo = "encoded_video",
+    Sidecar = "sidecar",
+    Face = "face",
+    Profile = "profile"
+}
 export enum SearchSuggestionType {
    Country = "country",
    State = "state",
@@ -3077,3 +3109,66 @@ export enum TimeBucketSize {
    Day = "DAY",
    Month = "MONTH"
 }
+export enum PermissionPreset {
+    User = "user",
+    Admin = "admin",
+    Custom = "custom"
+}
+export enum AuthorizationPermission {
+    ActivityCreate = "activity.create",
+    ActivityRead = "activity.read",
+    ActivityUpdate = "activity.update",
+    ActivityDelete = "activity.delete",
+    AlbumCreate = "album.create",
+    AlbumRead = "album.read",
+    AlbumUpdate = "album.update",
+    AlbumDelete = "album.delete",
+    ApiKeyCreate = "apiKey.create",
+    ApiKeyRead = "apiKey.read",
+    ApiKeyUpdate = "apiKey.update",
+    ApiKeyDelete = "apiKey.delete",
+    AssetCreate = "asset.create",
+    AssetRead = "asset.read",
+    AssetUpdate = "asset.update",
+    AssetDelete = "asset.delete",
+    AuthDeviceCreate = "authDevice.create",
+    AuthDeviceRead = "authDevice.read",
+    AuthDeviceUpdate = "authDevice.update",
+    AuthDeviceDelete = "authDevice.delete",
+    FaceCreate = "face.create",
+    FaceRead = "face.read",
+    FaceUpdate = "face.update",
+    FaceDelete = "face.delete",
+    MemoryCreate = "memory.create",
+    MemoryRead = "memory.read",
+    MemoryUpdate = "memory.update",
+    MemoryDelete = "memory.delete",
+    PartnerCreate = "partner.create",
+    PartnerRead = "partner.read",
+    PartnerUpdate = "partner.update",
+    PartnerDelete = "partner.delete",
+    PersonCreate = "person.create",
+    PersonRead = "person.read",
+    PersonUpdate = "person.update",
+    PersonDelete = "person.delete",
+    SharedLinkCreate = "sharedLink.create",
+    SharedLinkRead = "sharedLink.read",
+    SharedLinkUpdate = "sharedLink.update",
+    SharedLinkDelete = "sharedLink.delete",
+    SystemConfigRead = "systemConfig.read",
+    SystemConfigUpdate = "systemConfig.update",
+    SystemConfigDelete = "systemConfig.delete",
+    StackCreate = "stack.create",
+    StackRead = "stack.read",
+    StackUpdate = "stack.update",
+    StackDelete = "stack.delete",
+    TagCreate = "tag.create",
+    TagRead = "tag.read",
+    TagUpdate = "tag.update",
+    TagDelete = "tag.delete",
+    UserCreate = "user.create",
+    UserReadSimple = "user.readSimple",
+    UserRead = "user.read",
+    UserUpdate = "user.update",
+    UserDelete = "user.delete"
+}
--- a/renovate.json
+++ b/renovate.json
@@ -27,7 +27,8 @@
      "matchFileNames": ["mobile/**"],
      "groupName": "mobile",
      "matchUpdateTypes": ["minor", "patch"],
-      "schedule": "on tuesday"
+      "schedule": "on tuesday",
+      "addLabels": ["📱mobile"]
    },
    {
      "groupName": "exiftool",
--- a/server/package-lock.json
+++ b/server/package-lock.json
@@ -1,12 +1,12 @@
 {
  "name": "immich",
-  "version": "1.102.0",
+  "version": "1.102.3",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "immich",
-      "version": "1.102.0",
+      "version": "1.102.3",
      "license": "GNU Affero General Public License version 3",
      "dependencies": {
        "@nestjs/bullmq": "^10.0.1",
--- a/server/package.json
+++ b/server/package.json
@@ -1,6 +1,6 @@
 {
  "name": "immich",
-  "version": "1.102.0",
+  "version": "1.102.3",
  "description": "",
  "author": "",
  "private": true,
--- a/server/src/controllers/activity.controller.ts
+++ b/server/src/controllers/activity.controller.ts
@@ -8,28 +8,30 @@ import {
  ActivitySearchDto,
  ActivityStatisticsResponseDto,
 } from 'src/dtos/activity.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { ActivityService } from 'src/services/activity.service';
 import { UUIDParamDto } from 'src/validation';

@ApiTags('Activity')
@Controller('activity')
-@Authenticated()
 export class ActivityController {
  constructor(private service: ActivityService) {}

  @Get()
+  @Authenticated(Permission.ACTIVITY_READ)
  getActivities(@Auth() auth: AuthDto, @Query() dto: ActivitySearchDto): Promise<ActivityResponseDto[]> {
    return this.service.getAll(auth, dto);
  }

  @Get('statistics')
+  @Authenticated(Permission.ACTIVITY_READ)
  getActivityStatistics(@Auth() auth: AuthDto, @Query() dto: ActivityDto): Promise<ActivityStatisticsResponseDto> {
    return this.service.getStatistics(auth, dto);
  }

  @Post()
+  @Authenticated(Permission.ACTIVITY_CREATE)
  async createActivity(
    @Auth() auth: AuthDto,
    @Body() dto: ActivityCreateDto,
@@ -43,6 +45,7 @@ export class ActivityController {
  }

  @Delete(':id')
+  @Authenticated(Permission.ACTIVITY_DELETE)
  @HttpCode(HttpStatus.NO_CONTENT)
  deleteActivity(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.delete(auth, id);
--- a/server/src/controllers/album.controller.ts
+++ b/server/src/controllers/album.controller.ts
@@ -10,34 +10,36 @@ import {
  UpdateAlbumDto,
 } from 'src/dtos/album.dto';
 import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
-import { Auth, Authenticated, SharedLinkRoute } from 'src/middleware/auth.guard';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
+import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { AlbumService } from 'src/services/album.service';
 import { ParseMeUUIDPipe, UUIDParamDto } from 'src/validation';

@ApiTags('Album')
@Controller('album')
-@Authenticated()
 export class AlbumController {
  constructor(private service: AlbumService) {}

  @Get('count')
+  @Authenticated(Permission.ALBUM_READ)
  getAlbumCount(@Auth() auth: AuthDto): Promise<AlbumCountResponseDto> {
    return this.service.getCount(auth);
  }

  @Get()
+  @Authenticated(Permission.ALBUM_READ)
  getAllAlbums(@Auth() auth: AuthDto, @Query() query: GetAlbumsDto): Promise<AlbumResponseDto[]> {
    return this.service.getAll(auth, query);
  }

  @Post()
+  @Authenticated(Permission.ALBUM_CREATE)
  createAlbum(@Auth() auth: AuthDto, @Body() dto: CreateAlbumDto): Promise<AlbumResponseDto> {
    return this.service.create(auth, dto);
  }

-  @SharedLinkRoute()
  @Get(':id')
+  @Authenticated(Permission.ALBUM_READ, { sharedLink: true })
  getAlbumInfo(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -47,6 +49,7 @@ export class AlbumController {
  }

  @Patch(':id')
+  @Authenticated(Permission.ALBUM_UPDATE)
  updateAlbumInfo(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -56,12 +59,13 @@ export class AlbumController {
  }

  @Delete(':id')
+  @Authenticated(Permission.ALBUM_DELETE)
  deleteAlbum(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto) {
    return this.service.delete(auth, id);
  }

-  @SharedLinkRoute()
  @Put(':id/assets')
+  @Authenticated(Permission.ALBUM_ADD_ASSET, { sharedLink: true })
  addAssetsToAlbum(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -71,6 +75,7 @@ export class AlbumController {
  }

  @Delete(':id/assets')
+  @Authenticated(Permission.ALBUM_REMOVE_ASSET)
  removeAssetFromAlbum(
    @Auth() auth: AuthDto,
    @Body() dto: BulkIdsDto,
@@ -80,6 +85,7 @@ export class AlbumController {
  }

  @Put(':id/users')
+  @Authenticated(Permission.ALBUM_ADD_USER)
  addUsersToAlbum(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -89,6 +95,7 @@ export class AlbumController {
  }

  @Delete(':id/user/:userId')
+  @Authenticated(Permission.ALBUM_REMOVE_USER, { bypassParamId: 'userId' })
  removeUserFromAlbum(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
--- a/server/src/controllers/api-key.controller.ts
+++ b/server/src/controllers/api-key.controller.ts
@@ -1,33 +1,36 @@
 import { Body, Controller, Delete, Get, Param, Post, Put } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { APIKeyCreateDto, APIKeyCreateResponseDto, APIKeyResponseDto, APIKeyUpdateDto } from 'src/dtos/api-key.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { APIKeyService } from 'src/services/api-key.service';
 import { UUIDParamDto } from 'src/validation';

@ApiTags('API Key')
@Controller('api-key')
-@Authenticated()
 export class APIKeyController {
  constructor(private service: APIKeyService) {}

  @Post()
+  @Authenticated(Permission.API_KEY_CREATE)
  createApiKey(@Auth() auth: AuthDto, @Body() dto: APIKeyCreateDto): Promise<APIKeyCreateResponseDto> {
    return this.service.create(auth, dto);
  }

  @Get()
+  @Authenticated(Permission.API_KEY_READ)
  getApiKeys(@Auth() auth: AuthDto): Promise<APIKeyResponseDto[]> {
    return this.service.getAll(auth);
  }

  @Get(':id')
+  @Authenticated(Permission.API_KEY_READ)
  getApiKey(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<APIKeyResponseDto> {
    return this.service.getById(auth, id);
  }

  @Put(':id')
+  @Authenticated(Permission.API_KEY_UPDATE)
  updateApiKey(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -37,6 +40,7 @@ export class APIKeyController {
  }

  @Delete(':id')
+  @Authenticated(Permission.API_KEY_DELETE)
  deleteApiKey(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.delete(auth, id);
  }
--- a/server/src/controllers/app.controller.ts
+++ b/server/src/controllers/app.controller.ts
@@ -1,6 +1,5 @@
 import { Controller, Get, Header } from '@nestjs/common';
 import { ApiExcludeEndpoint } from '@nestjs/swagger';
-import { PublicRoute } from 'src/middleware/auth.guard';
 import { SystemConfigService } from 'src/services/system-config.service';

@Controller()
@@ -18,7 +17,6 @@ export class AppController {
  }

  @ApiExcludeEndpoint()
-  @PublicRoute()
  @Get('custom.css')
  @Header('Content-Type', 'text/css')
  getCustomCss() {
--- a/server/src/controllers/asset-v1.controller.ts
+++ b/server/src/controllers/asset-v1.controller.ts
@@ -31,8 +31,8 @@ import {
  GetAssetThumbnailDto,
  ServeFileDto,
 } from 'src/dtos/asset-v1.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
-import { Auth, Authenticated, FileResponse, SharedLinkRoute } from 'src/middleware/auth.guard';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
+import { Auth, Authenticated, FileResponse } from 'src/middleware/auth.guard';
 import { FileUploadInterceptor, ImmichFile, Route, mapToUploadFile } from 'src/middleware/file-upload.interceptor';
 import { AssetServiceV1 } from 'src/services/asset-v1.service';
 import { sendFile } from 'src/utils/file';
@@ -46,12 +46,11 @@ interface UploadFiles {

@ApiTags('Asset')
@Controller(Route.ASSET)
-@Authenticated()
 export class AssetControllerV1 {
  constructor(private service: AssetServiceV1) {}

-  @SharedLinkRoute()
  @Post('upload')
+  @Authenticated(Permission.ASSET_UPLOAD, { sharedLink: true })
  @UseInterceptors(FileUploadInterceptor)
  @ApiConsumes('multipart/form-data')
  @ApiBody({
@@ -85,8 +84,8 @@ export class AssetControllerV1 {
    return responseDto;
  }

-  @SharedLinkRoute()
  @Get('/file/:id')
+  @Authenticated(Permission.ASSET_VIEW_ORIGINAL, { sharedLink: true })
  @FileResponse()
  async serveFile(
    @Res() res: Response,
@@ -98,8 +97,8 @@ export class AssetControllerV1 {
    await sendFile(res, next, () => this.service.serveFile(auth, id, dto));
  }

-  @SharedLinkRoute()
  @Get('/thumbnail/:id')
+  @Authenticated(Permission.ASSET_VIEW_THUMB, { sharedLink: true })
  @FileResponse()
  async getAssetThumbnail(
    @Res() res: Response,
@@ -112,16 +111,19 @@ export class AssetControllerV1 {
  }

  @Get('/curated-objects')
+  @Authenticated(Permission.ASSET_READ)
  getCuratedObjects(@Auth() auth: AuthDto): Promise<CuratedObjectsResponseDto[]> {
    return this.service.getCuratedObject(auth);
  }

  @Get('/curated-locations')
+  @Authenticated(Permission.ASSET_READ)
  getCuratedLocations(@Auth() auth: AuthDto): Promise<CuratedLocationsResponseDto[]> {
    return this.service.getCuratedLocation(auth);
  }

  @Get('/search-terms')
+  @Authenticated(Permission.ASSET_READ)
  getAssetSearchTerms(@Auth() auth: AuthDto): Promise<string[]> {
    return this.service.getAssetSearchTerm(auth);
  }
@@ -130,6 +132,7 @@ export class AssetControllerV1 {
   * Get all AssetEntity belong to the user
   */
  @Get('/')
+  @Authenticated(Permission.ASSET_READ)
  @ApiHeader({
    name: 'if-none-match',
    description: 'ETag of data already cached on the client',
@@ -144,6 +147,7 @@ export class AssetControllerV1 {
   * Checks if multiple assets exist on the server and returns all existing - used by background backup
   */
  @Post('/exist')
+  @Authenticated(Permission.ASSET_READ)
  @HttpCode(HttpStatus.OK)
  checkExistingAssets(
    @Auth() auth: AuthDto,
@@ -156,6 +160,7 @@ export class AssetControllerV1 {
   * Checks if assets exist by checksums
   */
  @Post('/bulk-upload-check')
+  @Authenticated(Permission.ASSET_READ)
  @HttpCode(HttpStatus.OK)
  checkBulkUpload(
    @Auth() auth: AuthDto,
--- a/server/src/controllers/asset.controller.ts
+++ b/server/src/controllers/asset.controller.ts
@@ -11,10 +11,10 @@ import {
  RandomAssetsDto,
  UpdateAssetDto,
 } from 'src/dtos/asset.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { MapMarkerDto, MapMarkerResponseDto, MemoryLaneDto, MetadataSearchDto } from 'src/dtos/search.dto';
 import { UpdateStackParentDto } from 'src/dtos/stack.dto';
-import { Auth, Authenticated, SharedLinkRoute } from 'src/middleware/auth.guard';
+import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { Route } from 'src/middleware/file-upload.interceptor';
 import { AssetService } from 'src/services/asset.service';
 import { SearchService } from 'src/services/search.service';
@@ -22,11 +22,11 @@ import { UUIDParamDto } from 'src/validation';

@ApiTags('Asset')
@Controller('assets')
-@Authenticated()
 export class AssetsController {
  constructor(private searchService: SearchService) {}

  @Get()
+  @Authenticated(Permission.ASSET_READ)
  @ApiOperation({ deprecated: true })
  async searchAssets(@Auth() auth: AuthDto, @Query() dto: MetadataSearchDto): Promise<AssetResponseDto[]> {
    const {
@@ -38,21 +38,23 @@ export class AssetsController {

@ApiTags('Asset')
@Controller(Route.ASSET)
-@Authenticated()
 export class AssetController {
  constructor(private service: AssetService) {}

  @Get('map-marker')
+  @Authenticated(Permission.ASSET_READ)
  getMapMarkers(@Auth() auth: AuthDto, @Query() options: MapMarkerDto): Promise<MapMarkerResponseDto[]> {
    return this.service.getMapMarkers(auth, options);
  }

  @Get('memory-lane')
+  @Authenticated(Permission.MEMORY_READ)
  getMemoryLane(@Auth() auth: AuthDto, @Query() dto: MemoryLaneDto): Promise<MemoryLaneResponseDto[]> {
    return this.service.getMemoryLane(auth, dto);
  }

  @Get('random')
+  @Authenticated(Permission.ASSET_READ)
  getRandom(@Auth() auth: AuthDto, @Query() dto: RandomAssetsDto): Promise<AssetResponseDto[]> {
    return this.service.getRandom(auth, dto.count ?? 1);
  }
@@ -61,46 +63,54 @@ export class AssetController {
   * Get all asset of a device that are in the database, ID only.
   */
  @Get('/device/:deviceId')
+  @Authenticated(Permission.ASSET_READ)
  getAllUserAssetsByDeviceId(@Auth() auth: AuthDto, @Param() { deviceId }: DeviceIdDto) {
    return this.service.getUserAssetsByDeviceId(auth, deviceId);
  }

  @Get('statistics')
+  @Authenticated(Permission.ASSET_READ)
  getAssetStatistics(@Auth() auth: AuthDto, @Query() dto: AssetStatsDto): Promise<AssetStatsResponseDto> {
    return this.service.getStatistics(auth, dto);
  }

  @Post('jobs')
+  // TODO
+  @Authenticated(Permission.ASSET_READ)
  @HttpCode(HttpStatus.NO_CONTENT)
  runAssetJobs(@Auth() auth: AuthDto, @Body() dto: AssetJobsDto): Promise<void> {
    return this.service.run(auth, dto);
  }

  @Put()
+  @Authenticated(Permission.ASSET_UPDATE)
  @HttpCode(HttpStatus.NO_CONTENT)
  updateAssets(@Auth() auth: AuthDto, @Body() dto: AssetBulkUpdateDto): Promise<void> {
    return this.service.updateAll(auth, dto);
  }

  @Delete()
+  @Authenticated(Permission.ASSET_DELETE)
  @HttpCode(HttpStatus.NO_CONTENT)
  deleteAssets(@Auth() auth: AuthDto, @Body() dto: AssetBulkDeleteDto): Promise<void> {
    return this.service.deleteAll(auth, dto);
  }

  @Put('stack/parent')
+  @Authenticated(Permission.STACK_UPDATE)
  @HttpCode(HttpStatus.OK)
  updateStackParent(@Auth() auth: AuthDto, @Body() dto: UpdateStackParentDto): Promise<void> {
    return this.service.updateStackParent(auth, dto);
  }

-  @SharedLinkRoute()
  @Get(':id')
+  @Authenticated(Permission.ASSET_READ, { sharedLink: true })
  getAssetInfo(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<AssetResponseDto> {
    return this.service.get(auth, id) as Promise<AssetResponseDto>;
  }

  @Put(':id')
+  @Authenticated(Permission.ASSET_UPDATE)
  updateAsset(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
--- a/server/src/controllers/audit.controller.ts
+++ b/server/src/controllers/audit.controller.ts
@@ -1,43 +1,18 @@
-import { Body, Controller, Get, Post, Query } from '@nestjs/common';
+import { Controller, Get, Query } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
-import {
-  AuditDeletesDto,
-  AuditDeletesResponseDto,
-  FileChecksumDto,
-  FileChecksumResponseDto,
-  FileReportDto,
-  FileReportFixDto,
-} from 'src/dtos/audit.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
-import { AdminRoute, Auth, Authenticated } from 'src/middleware/auth.guard';
+import { AuditDeletesDto, AuditDeletesResponseDto } from 'src/dtos/audit.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
+import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { AuditService } from 'src/services/audit.service';

@ApiTags('Audit')
@Controller('audit')
-@Authenticated()
 export class AuditController {
  constructor(private service: AuditService) {}

  @Get('deletes')
+  @Authenticated(Permission.ASSET_READ)
  getAuditDeletes(@Auth() auth: AuthDto, @Query() dto: AuditDeletesDto): Promise<AuditDeletesResponseDto> {
    return this.service.getDeletes(auth, dto);
  }
-
-  @AdminRoute()
-  @Get('file-report')
-  getAuditFiles(): Promise<FileReportDto> {
-    return this.service.getFileReport();
-  }
-
-  @AdminRoute()
-  @Post('file-report/checksum')
-  getFileChecksums(@Body() dto: FileChecksumDto): Promise<FileChecksumResponseDto[]> {
-    return this.service.getChecksums(dto);
-  }
-
-  @AdminRoute()
-  @Post('file-report/fix')
-  fixAuditFiles(@Body() dto: FileReportFixDto): Promise<void> {
-    return this.service.fixItems(dto.items);
-  }
 }
--- a/server/src/controllers/auth.controller.ts
+++ b/server/src/controllers/auth.controller.ts
@@ -9,21 +9,20 @@ import {
  LoginCredentialDto,
  LoginResponseDto,
  LogoutResponseDto,
+  Permission,
  SignUpDto,
  ValidateAccessTokenResponseDto,
 } from 'src/dtos/auth.dto';
 import { UserResponseDto, mapUser } from 'src/dtos/user.dto';
-import { Auth, Authenticated, GetLoginDetails, PublicRoute } from 'src/middleware/auth.guard';
+import { Auth, Authenticated, GetLoginDetails } from 'src/middleware/auth.guard';
 import { AuthService, LoginDetails } from 'src/services/auth.service';
 import { respondWithCookie, respondWithoutCookie } from 'src/utils/response';

@ApiTags('Authentication')
@Controller('auth')
-@Authenticated()
 export class AuthController {
  constructor(private service: AuthService) {}

-  @PublicRoute()
  @Post('login')
  async login(
    @Body() loginCredential: LoginCredentialDto,
@@ -41,25 +40,27 @@ export class AuthController {
    });
  }

-  @PublicRoute()
  @Post('admin-sign-up')
  signUpAdmin(@Body() dto: SignUpDto): Promise<UserResponseDto> {
    return this.service.adminSignUp(dto);
  }

  @Post('validateToken')
+  @Authenticated(Permission.AUTH_DEVICE_READ)
  @HttpCode(HttpStatus.OK)
  validateAccessToken(): ValidateAccessTokenResponseDto {
    return { authStatus: true };
  }

  @Post('change-password')
+  @Authenticated(Permission.AUTH_CHANGE_PASSWORD)
  @HttpCode(HttpStatus.OK)
  changePassword(@Auth() auth: AuthDto, @Body() dto: ChangePasswordDto): Promise<UserResponseDto> {
    return this.service.changePassword(auth, dto).then(mapUser);
  }

  @Post('logout')
+  @Authenticated(Permission.AUTH_DEVICE_DELETE)
  @HttpCode(HttpStatus.OK)
  async logout(
    @Req() request: Request,
--- a/server/src/controllers/download.controller.ts
+++ b/server/src/controllers/download.controller.ts
@@ -2,35 +2,34 @@ import { Body, Controller, HttpCode, HttpStatus, Next, Param, Post, Res, Streama
 import { ApiTags } from '@nestjs/swagger';
 import { NextFunction, Response } from 'express';
 import { AssetIdsDto } from 'src/dtos/asset.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { DownloadInfoDto, DownloadResponseDto } from 'src/dtos/download.dto';
-import { Auth, Authenticated, FileResponse, SharedLinkRoute } from 'src/middleware/auth.guard';
+import { Auth, Authenticated, FileResponse } from 'src/middleware/auth.guard';
 import { DownloadService } from 'src/services/download.service';
 import { asStreamableFile, sendFile } from 'src/utils/file';
 import { UUIDParamDto } from 'src/validation';

@ApiTags('Download')
@Controller('download')
-@Authenticated()
 export class DownloadController {
  constructor(private service: DownloadService) {}

-  @SharedLinkRoute()
  @Post('info')
+  @Authenticated(Permission.ASSET_READ, { sharedLink: true })
  getDownloadInfo(@Auth() auth: AuthDto, @Body() dto: DownloadInfoDto): Promise<DownloadResponseDto> {
    return this.service.getDownloadInfo(auth, dto);
  }

-  @SharedLinkRoute()
  @Post('archive')
+  @Authenticated(Permission.ASSET_DOWNLOAD, { sharedLink: true })
  @HttpCode(HttpStatus.OK)
  @FileResponse()
  downloadArchive(@Auth() auth: AuthDto, @Body() dto: AssetIdsDto): Promise<StreamableFile> {
    return this.service.downloadArchive(auth, dto).then(asStreamableFile);
  }

-  @SharedLinkRoute()
  @Post('asset/:id')
+  @Authenticated(Permission.ASSET_DOWNLOAD, { sharedLink: true })
  @HttpCode(HttpStatus.OK)
  @FileResponse()
  async downloadFile(
--- a/server/src/controllers/face.controller.ts
+++ b/server/src/controllers/face.controller.ts
@@ -1,6 +1,6 @@
 import { Body, Controller, Get, Param, Put, Query } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { AssetFaceResponseDto, FaceDto, PersonResponseDto } from 'src/dtos/person.dto';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { PersonService } from 'src/services/person.service';
@@ -8,16 +8,17 @@ import { UUIDParamDto } from 'src/validation';

@ApiTags('Face')
@Controller('face')
-@Authenticated()
 export class FaceController {
  constructor(private service: PersonService) {}

  @Get()
+  @Authenticated(Permission.FACE_READ)
  getFaces(@Auth() auth: AuthDto, @Query() dto: FaceDto): Promise<AssetFaceResponseDto[]> {
    return this.service.getFacesById(auth, dto);
  }

  @Put(':id')
+  @Authenticated(Permission.FACE_UPDATE)
  reassignFacesById(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
--- a/server/src/controllers/file-report.controller.ts
+++ b/server/src/controllers/file-report.controller.ts
@@ -0,0 +1,30 @@
+import { Body, Controller, Get, Post } from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+import { FileChecksumDto, FileChecksumResponseDto, FileReportDto, FileReportFixDto } from 'src/dtos/audit.dto';
+import { Permission } from 'src/dtos/auth.dto';
+import { Authenticated } from 'src/middleware/auth.guard';
+import { AuditService } from 'src/services/audit.service';
+
+@ApiTags('File Report')
+@Controller('report')
+export class ReportController {
+  constructor(private service: AuditService) {}
+
+  @Get()
+  @Authenticated(Permission.REPORT_READ)
+  getAuditFiles(): Promise<FileReportDto> {
+    return this.service.getFileReport();
+  }
+
+  @Post('/checksum')
+  @Authenticated(Permission.REPORT_READ)
+  getFileChecksums(@Body() dto: FileChecksumDto): Promise<FileChecksumResponseDto[]> {
+    return this.service.getChecksums(dto);
+  }
+
+  @Post('/fix')
+  @Authenticated(Permission.REPORT_UPDATE)
+  fixAuditFiles(@Body() dto: FileReportFixDto): Promise<void> {
+    return this.service.fixItems(dto.items);
+  }
+}
--- a/server/src/controllers/index.ts
+++ b/server/src/controllers/index.ts
@@ -8,6 +8,7 @@ import { AuditController } from 'src/controllers/audit.controller';
 import { AuthController } from 'src/controllers/auth.controller';
 import { DownloadController } from 'src/controllers/download.controller';
 import { FaceController } from 'src/controllers/face.controller';
+import { ReportController } from 'src/controllers/file-report.controller';
 import { JobController } from 'src/controllers/job.controller';
 import { LibraryController } from 'src/controllers/library.controller';
 import { MemoryController } from 'src/controllers/memory.controller';
@@ -20,19 +21,20 @@ import { SessionController } from 'src/controllers/session.controller';
 import { SharedLinkController } from 'src/controllers/shared-link.controller';
 import { SyncController } from 'src/controllers/sync.controller';
 import { SystemConfigController } from 'src/controllers/system-config.controller';
+import { SystemMetadataController } from 'src/controllers/system-metadata.controller';
 import { TagController } from 'src/controllers/tag.controller';
 import { TimelineController } from 'src/controllers/timeline.controller';
 import { TrashController } from 'src/controllers/trash.controller';
 import { UserController } from 'src/controllers/user.controller';

 export const controllers = [
-  ActivityController,
-  AssetsController,
-  AssetControllerV1,
-  AssetController,
-  AppController,
-  AlbumController,
  APIKeyController,
+  ActivityController,
+  AlbumController,
+  AppController,
+  AssetController,
+  AssetControllerV1,
+  AssetsController,
  AuditController,
  AuthController,
  DownloadController,
@@ -42,15 +44,17 @@ export const controllers = [
  MemoryController,
  OAuthController,
  PartnerController,
+  PersonController,
+  ReportController,
  SearchController,
  ServerInfoController,
  SessionController,
  SharedLinkController,
  SyncController,
  SystemConfigController,
+  SystemMetadataController,
  TagController,
  TimelineController,
  TrashController,
  UserController,
-  PersonController,
 ];
--- a/server/src/controllers/job.controller.ts
+++ b/server/src/controllers/job.controller.ts
@@ -1,21 +1,23 @@
 import { Body, Controller, Get, Param, Put } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
+import { Permission } from 'src/dtos/auth.dto';
 import { AllJobStatusResponseDto, JobCommandDto, JobIdParamDto, JobStatusDto } from 'src/dtos/job.dto';
 import { Authenticated } from 'src/middleware/auth.guard';
 import { JobService } from 'src/services/job.service';

@ApiTags('Job')
@Controller('jobs')
-@Authenticated({ admin: true })
 export class JobController {
  constructor(private service: JobService) {}

  @Get()
+  @Authenticated(Permission.JOB_READ)
  getAllJobsStatus(): Promise<AllJobStatusResponseDto> {
    return this.service.getAllJobsStatus();
  }

  @Put(':id')
+  @Authenticated(Permission.JOB_RUN)
  sendJobCommand(@Param() { id }: JobIdParamDto, @Body() dto: JobCommandDto): Promise<JobStatusDto> {
    return this.service.handleCommand(id, dto);
  }
--- a/server/src/controllers/library.controller.ts
+++ b/server/src/controllers/library.controller.ts
@@ -1,5 +1,6 @@
 import { Body, Controller, Delete, Get, HttpCode, HttpStatus, Param, Post, Put, Query } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
+import { Permission } from 'src/dtos/auth.dto';
 import {
  CreateLibraryDto,
  LibraryResponseDto,
@@ -10,38 +11,41 @@ import {
  ValidateLibraryDto,
  ValidateLibraryResponseDto,
 } from 'src/dtos/library.dto';
-import { AdminRoute, Authenticated } from 'src/middleware/auth.guard';
+import { Authenticated } from 'src/middleware/auth.guard';
 import { LibraryService } from 'src/services/library.service';
 import { UUIDParamDto } from 'src/validation';

@ApiTags('Library')
@Controller('library')
-@Authenticated()
-@AdminRoute()
 export class LibraryController {
  constructor(private service: LibraryService) {}

  @Get()
+  @Authenticated(Permission.LIBRARY_READ)
  getAllLibraries(@Query() dto: SearchLibraryDto): Promise<LibraryResponseDto[]> {
    return this.service.getAll(dto);
  }

  @Post()
+  @Authenticated(Permission.LIBRARY_CREATE)
  createLibrary(@Body() dto: CreateLibraryDto): Promise<LibraryResponseDto> {
    return this.service.create(dto);
  }

  @Put(':id')
+  @Authenticated(Permission.LIBRARY_UPDATE)
  updateLibrary(@Param() { id }: UUIDParamDto, @Body() dto: UpdateLibraryDto): Promise<LibraryResponseDto> {
    return this.service.update(id, dto);
  }

  @Get(':id')
+  @Authenticated(Permission.LIBRARY_READ)
  getLibrary(@Param() { id }: UUIDParamDto): Promise<LibraryResponseDto> {
    return this.service.get(id);
  }

  @Post(':id/validate')
+  @Authenticated(Permission.LIBRARY_READ)
  @HttpCode(200)
  // TODO: change endpoint to validate current settings instead
  validate(@Param() { id }: UUIDParamDto, @Body() dto: ValidateLibraryDto): Promise<ValidateLibraryResponseDto> {
@@ -49,23 +53,27 @@ export class LibraryController {
  }

  @Delete(':id')
+  @Authenticated(Permission.LIBRARY_DELETE)
  @HttpCode(HttpStatus.NO_CONTENT)
  deleteLibrary(@Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.delete(id);
  }

  @Get(':id/statistics')
+  @Authenticated(Permission.LIBRARY_READ)
  getLibraryStatistics(@Param() { id }: UUIDParamDto): Promise<LibraryStatsResponseDto> {
    return this.service.getStatistics(id);
  }

  @Post(':id/scan')
+  @Authenticated(Permission.LIBRARY_UPDATE)
  @HttpCode(HttpStatus.NO_CONTENT)
  scanLibrary(@Param() { id }: UUIDParamDto, @Body() dto: ScanLibraryDto) {
    return this.service.queueScan(id, dto);
  }

  @Post(':id/removeOffline')
+  @Authenticated(Permission.LIBRARY_UPDATE)
  @HttpCode(HttpStatus.NO_CONTENT)
  removeOfflineFiles(@Param() { id }: UUIDParamDto) {
    return this.service.queueRemoveOffline(id);
--- a/server/src/controllers/memory.controller.ts
+++ b/server/src/controllers/memory.controller.ts
@@ -1,7 +1,7 @@
 import { Body, Controller, Delete, Get, HttpCode, HttpStatus, Param, Post, Put } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { BulkIdResponseDto, BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { MemoryCreateDto, MemoryResponseDto, MemoryUpdateDto } from 'src/dtos/memory.dto';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { MemoryService } from 'src/services/memory.service';
@@ -9,26 +9,29 @@ import { UUIDParamDto } from 'src/validation';

@ApiTags('Memory')
@Controller('memories')
-@Authenticated()
 export class MemoryController {
  constructor(private service: MemoryService) {}

  @Get()
+  @Authenticated(Permission.MEMORY_READ)
  searchMemories(@Auth() auth: AuthDto): Promise<MemoryResponseDto[]> {
    return this.service.search(auth);
  }

  @Post()
+  @Authenticated(Permission.MEMORY_CREATE)
  createMemory(@Auth() auth: AuthDto, @Body() dto: MemoryCreateDto): Promise<MemoryResponseDto> {
    return this.service.create(auth, dto);
  }

  @Get(':id')
+  @Authenticated(Permission.MEMORY_READ)
  getMemory(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<MemoryResponseDto> {
    return this.service.get(auth, id);
  }

  @Put(':id')
+  @Authenticated(Permission.MEMORY_UPDATE)
  updateMemory(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -38,12 +41,14 @@ export class MemoryController {
  }

  @Delete(':id')
+  @Authenticated(Permission.MEMORY_DELETE)
  @HttpCode(HttpStatus.NO_CONTENT)
  deleteMemory(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.remove(auth, id);
  }

  @Put(':id/assets')
+  @Authenticated(Permission.MEMORY_ADD_ASSET)
  addMemoryAssets(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -53,6 +58,7 @@ export class MemoryController {
  }

  @Delete(':id/assets')
+  @Authenticated(Permission.MEMORY_REMOVE_ASSET)
  @HttpCode(HttpStatus.OK)
  removeMemoryAssets(
    @Auth() auth: AuthDto,
--- a/server/src/controllers/oauth.controller.ts
+++ b/server/src/controllers/oauth.controller.ts
@@ -9,19 +9,18 @@ import {
  OAuthAuthorizeResponseDto,
  OAuthCallbackDto,
  OAuthConfigDto,
+  Permission,
 } from 'src/dtos/auth.dto';
 import { UserResponseDto } from 'src/dtos/user.dto';
-import { Auth, Authenticated, GetLoginDetails, PublicRoute } from 'src/middleware/auth.guard';
+import { Auth, Authenticated, GetLoginDetails } from 'src/middleware/auth.guard';
 import { AuthService, LoginDetails } from 'src/services/auth.service';
 import { respondWithCookie } from 'src/utils/response';

@ApiTags('OAuth')
@Controller('oauth')
-@Authenticated()
 export class OAuthController {
  constructor(private service: AuthService) {}

-  @PublicRoute()
  @Get('mobile-redirect')
  @Redirect()
  redirectOAuthToMobile(@Req() request: Request) {
@@ -31,13 +30,11 @@ export class OAuthController {
    };
  }

-  @PublicRoute()
  @Post('authorize')
  startOAuth(@Body() dto: OAuthConfigDto): Promise<OAuthAuthorizeResponseDto> {
    return this.service.authorize(dto);
  }

-  @PublicRoute()
  @Post('callback')
  async finishOAuth(
    @Res({ passthrough: true }) res: Response,
@@ -56,11 +53,13 @@ export class OAuthController {
  }

  @Post('link')
+  @Authenticated(Permission.AUTH_OAUTH)
  linkOAuthAccount(@Auth() auth: AuthDto, @Body() dto: OAuthCallbackDto): Promise<UserResponseDto> {
    return this.service.link(auth, dto);
  }

  @Post('unlink')
+  @Authenticated(Permission.AUTH_OAUTH)
  unlinkOAuthAccount(@Auth() auth: AuthDto): Promise<UserResponseDto> {
    return this.service.unlink(auth);
  }
--- a/server/src/controllers/partner.controller.ts
+++ b/server/src/controllers/partner.controller.ts
@@ -1,6 +1,6 @@
 import { Body, Controller, Delete, Get, Param, Post, Put, Query } from '@nestjs/common';
 import { ApiQuery, ApiTags } from '@nestjs/swagger';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { PartnerResponseDto, UpdatePartnerDto } from 'src/dtos/partner.dto';
 import { PartnerDirection } from 'src/interfaces/partner.interface';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
@@ -9,11 +9,11 @@ import { UUIDParamDto } from 'src/validation';

@ApiTags('Partner')
@Controller('partner')
-@Authenticated()
 export class PartnerController {
  constructor(private service: PartnerService) {}

  @Get()
+  @Authenticated(Permission.PARTNER_READ)
  @ApiQuery({ name: 'direction', type: 'string', enum: PartnerDirection, required: true })
  // TODO: remove 'direction' and convert to full query dto
  getPartners(@Auth() auth: AuthDto, @Query('direction') direction: PartnerDirection): Promise<PartnerResponseDto[]> {
@@ -21,11 +21,13 @@ export class PartnerController {
  }

  @Post(':id')
+  @Authenticated(Permission.PARTNER_CREATE)
  createPartner(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PartnerResponseDto> {
    return this.service.create(auth, id);
  }

  @Put(':id')
+  @Authenticated(Permission.PARTNER_UPDATE)
  updatePartner(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -35,6 +37,7 @@ export class PartnerController {
  }

  @Delete(':id')
+  @Authenticated(Permission.PARTNER_DELETE)
  removePartner(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.remove(auth, id);
  }
--- a/server/src/controllers/person.controller.ts
+++ b/server/src/controllers/person.controller.ts
@@ -3,7 +3,7 @@ import { ApiTags } from '@nestjs/swagger';
 import { NextFunction, Response } from 'express';
 import { BulkIdResponseDto } from 'src/dtos/asset-ids.response.dto';
 import { AssetResponseDto } from 'src/dtos/asset-response.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import {
  AssetFaceUpdateDto,
  MergePersonDto,
@@ -22,31 +22,35 @@ import { UUIDParamDto } from 'src/validation';

@ApiTags('Person')
@Controller('person')
-@Authenticated()
 export class PersonController {
  constructor(private service: PersonService) {}

  @Get()
+  @Authenticated(Permission.PERSON_READ)
  getAllPeople(@Auth() auth: AuthDto, @Query() withHidden: PersonSearchDto): Promise<PeopleResponseDto> {
    return this.service.getAll(auth, withHidden);
  }

  @Post()
+  @Authenticated(Permission.PERSON_CREATE)
  createPerson(@Auth() auth: AuthDto, @Body() dto: PersonCreateDto): Promise<PersonResponseDto> {
    return this.service.create(auth, dto);
  }

  @Put()
+  @Authenticated(Permission.PERSON_UPDATE)
  updatePeople(@Auth() auth: AuthDto, @Body() dto: PeopleUpdateDto): Promise<BulkIdResponseDto[]> {
    return this.service.updateAll(auth, dto);
  }

  @Get(':id')
+  @Authenticated(Permission.PERSON_READ)
  getPerson(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PersonResponseDto> {
    return this.service.getById(auth, id);
  }

  @Put(':id')
+  @Authenticated(Permission.PERSON_UPDATE)
  updatePerson(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -56,11 +60,13 @@ export class PersonController {
  }

  @Get(':id/statistics')
+  @Authenticated(Permission.PERSON_READ)
  getPersonStatistics(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<PersonStatisticsResponseDto> {
    return this.service.getStatistics(auth, id);
  }

  @Get(':id/thumbnail')
+  @Authenticated(Permission.PERSON_READ)
  @FileResponse()
  async getPersonThumbnail(
    @Res() res: Response,
@@ -72,11 +78,13 @@ export class PersonController {
  }

  @Get(':id/assets')
+  @Authenticated(Permission.ASSET_READ)
  getPersonAssets(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<AssetResponseDto[]> {
    return this.service.getAssets(auth, id);
  }

  @Put(':id/reassign')
+  @Authenticated(Permission.PERSON_UPDATE)
  reassignFaces(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -86,6 +94,7 @@ export class PersonController {
  }

  @Post(':id/merge')
+  @Authenticated(Permission.PERSON_UPDATE)
  mergePerson(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
--- a/server/src/controllers/search.controller.ts
+++ b/server/src/controllers/search.controller.ts
@@ -1,7 +1,7 @@
 import { Body, Controller, Get, HttpCode, HttpStatus, Post, Query } from '@nestjs/common';
 import { ApiOperation, ApiTags } from '@nestjs/swagger';
 import { AssetResponseDto } from 'src/dtos/asset-response.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { PersonResponseDto } from 'src/dtos/person.dto';
 import {
  MetadataSearchDto,
@@ -19,49 +19,56 @@ import { SearchService } from 'src/services/search.service';

@ApiTags('Search')
@Controller('search')
-@Authenticated()
 export class SearchController {
  constructor(private service: SearchService) {}

  @Get()
+  @Authenticated(Permission.ASSET_READ)
  @ApiOperation({ deprecated: true })
  search(@Auth() auth: AuthDto, @Query() dto: SearchDto): Promise<SearchResponseDto> {
    return this.service.search(auth, dto);
  }

  @Post('metadata')
+  @Authenticated(Permission.ASSET_READ)
  @HttpCode(HttpStatus.OK)
  searchMetadata(@Auth() auth: AuthDto, @Body() dto: MetadataSearchDto): Promise<SearchResponseDto> {
    return this.service.searchMetadata(auth, dto);
  }

  @Post('smart')
+  @Authenticated(Permission.ASSET_READ)
  @HttpCode(HttpStatus.OK)
  searchSmart(@Auth() auth: AuthDto, @Body() dto: SmartSearchDto): Promise<SearchResponseDto> {
    return this.service.searchSmart(auth, dto);
  }

  @Get('explore')
+  @Authenticated(Permission.ASSET_READ)
  getExploreData(@Auth() auth: AuthDto): Promise<SearchExploreResponseDto[]> {
    return this.service.getExploreData(auth) as Promise<SearchExploreResponseDto[]>;
  }

  @Get('person')
+  @Authenticated(Permission.PERSON_READ)
  searchPerson(@Auth() auth: AuthDto, @Query() dto: SearchPeopleDto): Promise<PersonResponseDto[]> {
    return this.service.searchPerson(auth, dto);
  }

  @Get('places')
+  @Authenticated(Permission.ASSET_READ)
  searchPlaces(@Query() dto: SearchPlacesDto): Promise<PlacesResponseDto[]> {
    return this.service.searchPlaces(dto);
  }

  @Get('cities')
+  @Authenticated(Permission.ASSET_READ)
  getAssetsByCity(@Auth() auth: AuthDto): Promise<AssetResponseDto[]> {
    return this.service.getAssetsByCity(auth);
  }

  @Get('suggestions')
+  @Authenticated(Permission.ASSET_READ)
  getSearchSuggestions(@Auth() auth: AuthDto, @Query() dto: SearchSuggestionRequestDto): Promise<string[]> {
    return this.service.getSearchSuggestions(auth, dto);
  }
--- a/server/src/controllers/server-info.controller.ts
+++ b/server/src/controllers/server-info.controller.ts
@@ -1,5 +1,6 @@
-import { Controller, Get, HttpCode, HttpStatus, Post } from '@nestjs/common';
+import { Controller, Get } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
+import { Permission } from 'src/dtos/auth.dto';
 import {
  ServerConfigDto,
  ServerFeaturesDto,
@@ -10,66 +11,53 @@ import {
  ServerThemeDto,
  ServerVersionResponseDto,
 } from 'src/dtos/server-info.dto';
-import { AdminRoute, Authenticated, PublicRoute } from 'src/middleware/auth.guard';
+import { Authenticated } from 'src/middleware/auth.guard';
 import { ServerInfoService } from 'src/services/server-info.service';

@ApiTags('Server Info')
@Controller('server-info')
-@Authenticated()
 export class ServerInfoController {
  constructor(private service: ServerInfoService) {}

  @Get()
+  @Authenticated(Permission.SERVER_READ)
  getServerInfo(): Promise<ServerInfoResponseDto> {
    return this.service.getInfo();
  }

-  @PublicRoute()
  @Get('ping')
  pingServer(): ServerPingResponse {
    return this.service.ping();
  }

-  @PublicRoute()
  @Get('version')
  getServerVersion(): ServerVersionResponseDto {
    return this.service.getVersion();
  }

-  @PublicRoute()
  @Get('features')
  getServerFeatures(): Promise<ServerFeaturesDto> {
    return this.service.getFeatures();
  }

-  @PublicRoute()
  @Get('theme')
  getTheme(): Promise<ServerThemeDto> {
    return this.service.getTheme();
  }

-  @PublicRoute()
  @Get('config')
  getServerConfig(): Promise<ServerConfigDto> {
    return this.service.getConfig();
  }

-  @AdminRoute()
  @Get('statistics')
+  @Authenticated(Permission.SERVER_READ)
  getServerStatistics(): Promise<ServerStatsResponseDto> {
    return this.service.getStatistics();
  }

-  @PublicRoute()
  @Get('media-types')
  getSupportedMediaTypes(): ServerMediaTypesResponseDto {
    return this.service.getSupportedMediaTypes();
  }
-
-  @AdminRoute()
-  @Post('admin-onboarding')
-  @HttpCode(HttpStatus.NO_CONTENT)
-  setAdminOnboarding(): Promise<void> {
-    return this.service.setAdminOnboarding();
-  }
 }
--- a/server/src/controllers/session.controller.ts
+++ b/server/src/controllers/session.controller.ts
@@ -1,6 +1,6 @@
 import { Controller, Delete, Get, HttpCode, HttpStatus, Param } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { SessionResponseDto } from 'src/dtos/session.dto';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { SessionService } from 'src/services/session.service';
@@ -8,22 +8,24 @@ import { UUIDParamDto } from 'src/validation';

@ApiTags('Sessions')
@Controller('sessions')
-@Authenticated()
 export class SessionController {
  constructor(private service: SessionService) {}

  @Get()
+  @Authenticated(Permission.SESSION_READ)
  getSessions(@Auth() auth: AuthDto): Promise<SessionResponseDto[]> {
    return this.service.getAll(auth);
  }

  @Delete()
+  @Authenticated(Permission.SESSION_DELETE)
  @HttpCode(HttpStatus.NO_CONTENT)
  deleteAllSessions(@Auth() auth: AuthDto): Promise<void> {
    return this.service.deleteAll(auth);
  }

  @Delete(':id')
+  @Authenticated(Permission.SESSION_DELETE)
  @HttpCode(HttpStatus.NO_CONTENT)
  deleteSession(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.delete(auth, id);
--- a/server/src/controllers/shared-link.controller.ts
+++ b/server/src/controllers/shared-link.controller.ts
@@ -3,14 +3,14 @@ import { ApiTags } from '@nestjs/swagger';
 import { Request, Response } from 'express';
 import { AssetIdsResponseDto } from 'src/dtos/asset-ids.response.dto';
 import { AssetIdsDto } from 'src/dtos/asset.dto';
-import { AuthDto, ImmichCookie } from 'src/dtos/auth.dto';
+import { AuthDto, ImmichCookie, Permission } from 'src/dtos/auth.dto';
 import {
  SharedLinkCreateDto,
  SharedLinkEditDto,
  SharedLinkPasswordDto,
  SharedLinkResponseDto,
 } from 'src/dtos/shared-link.dto';
-import { Auth, Authenticated, GetLoginDetails, SharedLinkRoute } from 'src/middleware/auth.guard';
+import { Auth, Authenticated, GetLoginDetails } from 'src/middleware/auth.guard';
 import { LoginDetails } from 'src/services/auth.service';
 import { SharedLinkService } from 'src/services/shared-link.service';
 import { respondWithCookie } from 'src/utils/response';
@@ -18,17 +18,17 @@ import { UUIDParamDto } from 'src/validation';

@ApiTags('Shared Link')
@Controller('shared-link')
-@Authenticated()
 export class SharedLinkController {
  constructor(private service: SharedLinkService) {}

  @Get()
+  @Authenticated(Permission.SHARED_LINK_READ)
  getAllSharedLinks(@Auth() auth: AuthDto): Promise<SharedLinkResponseDto[]> {
    return this.service.getAll(auth);
  }

-  @SharedLinkRoute()
  @Get('me')
+  @Authenticated(Permission.SHARED_LINK_READ, { sharedLink: true })
  async getMySharedLink(
    @Auth() auth: AuthDto,
    @Query() dto: SharedLinkPasswordDto,
@@ -48,16 +48,19 @@ export class SharedLinkController {
  }

  @Get(':id')
+  @Authenticated(Permission.SHARED_LINK_READ)
  getSharedLinkById(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<SharedLinkResponseDto> {
    return this.service.get(auth, id);
  }

  @Post()
+  @Authenticated(Permission.SHARED_LINK_CREATE)
  createSharedLink(@Auth() auth: AuthDto, @Body() dto: SharedLinkCreateDto) {
    return this.service.create(auth, dto);
  }

  @Patch(':id')
+  @Authenticated(Permission.SHARED_LINK_UPDATE)
  updateSharedLink(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -67,12 +70,13 @@ export class SharedLinkController {
  }

  @Delete(':id')
+  @Authenticated(Permission.SHARED_LINK_DELETE)
  removeSharedLink(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.remove(auth, id);
  }

-  @SharedLinkRoute()
  @Put(':id/assets')
+  @Authenticated(Permission.SHARED_LINK_UPDATE, { sharedLink: true })
  addSharedLinkAssets(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -81,8 +85,8 @@ export class SharedLinkController {
    return this.service.addAssets(auth, id, dto);
  }

-  @SharedLinkRoute()
  @Delete(':id/assets')
+  @Authenticated(Permission.SHARED_LINK_DELETE, { sharedLink: true })
  removeSharedLinkAssets(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
--- a/server/src/controllers/sync.controller.ts
+++ b/server/src/controllers/sync.controller.ts
@@ -1,23 +1,24 @@
 import { Controller, Get, Query } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { AssetResponseDto } from 'src/dtos/asset-response.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { AssetDeltaSyncDto, AssetDeltaSyncResponseDto, AssetFullSyncDto } from 'src/dtos/sync.dto';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { SyncService } from 'src/services/sync.service';

@ApiTags('Sync')
@Controller('sync')
-@Authenticated()
 export class SyncController {
  constructor(private service: SyncService) {}

  @Get('full-sync')
+  @Authenticated(Permission.ASSET_READ)
  getAllForUserFullSync(@Auth() auth: AuthDto, @Query() dto: AssetFullSyncDto): Promise<AssetResponseDto[]> {
    return this.service.getAllAssetsForUserFullSync(auth, dto);
  }

  @Get('delta-sync')
+  @Authenticated(Permission.ASSET_READ)
  getDeltaSync(@Auth() auth: AuthDto, @Query() dto: AssetDeltaSyncDto): Promise<AssetDeltaSyncResponseDto> {
    return this.service.getChangesForDeltaSync(auth, dto);
  }
--- a/server/src/controllers/system-config.controller.ts
+++ b/server/src/controllers/system-config.controller.ts
@@ -1,38 +1,41 @@
 import { Body, Controller, Get, Put, Query } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
+import { Permission } from 'src/dtos/auth.dto';
 import { MapThemeDto, SystemConfigDto, SystemConfigTemplateStorageOptionDto } from 'src/dtos/system-config.dto';
-import { AdminRoute, Authenticated, SharedLinkRoute } from 'src/middleware/auth.guard';
+import { Authenticated } from 'src/middleware/auth.guard';
 import { SystemConfigService } from 'src/services/system-config.service';

@ApiTags('System Config')
@Controller('system-config')
-@Authenticated({ admin: true })
 export class SystemConfigController {
  constructor(private service: SystemConfigService) {}

  @Get()
+  @Authenticated(Permission.SYSTEM_CONFIG_READ)
  getConfig(): Promise<SystemConfigDto> {
    return this.service.getConfig();
  }

  @Get('defaults')
+  @Authenticated(Permission.SYSTEM_CONFIG_READ)
  getConfigDefaults(): SystemConfigDto {
    return this.service.getDefaults();
  }

  @Put()
+  @Authenticated(Permission.SYSTEM_CONFIG_UPDATE)
  updateConfig(@Body() dto: SystemConfigDto): Promise<SystemConfigDto> {
    return this.service.updateConfig(dto);
  }

  @Get('storage-template-options')
+  @Authenticated(Permission.SYSTEM_CONFIG_READ)
  getStorageTemplateOptions(): SystemConfigTemplateStorageOptionDto {
    return this.service.getStorageTemplateOptions();
  }

-  @AdminRoute(false)
-  @SharedLinkRoute()
  @Get('map/style.json')
+  @Authenticated(Permission.MAP_READ, { sharedLink: true })
  getMapStyle(@Query() dto: MapThemeDto) {
    return this.service.getMapStyle(dto.theme);
  }
--- a/server/src/controllers/system-metadata.controller.ts
+++ b/server/src/controllers/system-metadata.controller.ts
@@ -0,0 +1,31 @@
+import { Body, Controller, Get, HttpCode, HttpStatus, Post } from '@nestjs/common';
+import { ApiTags } from '@nestjs/swagger';
+import { Permission } from 'src/dtos/auth.dto';
+import { AdminOnboardingUpdateDto, ReverseGeocodingStateResponseDto } from 'src/dtos/system-metadata.dto';
+import { Authenticated } from 'src/middleware/auth.guard';
+import { SystemMetadataService } from 'src/services/system-metadata.service';
+
+@ApiTags('System Metadata')
+@Controller('system-metadata')
+export class SystemMetadataController {
+  constructor(private service: SystemMetadataService) {}
+
+  @Get('admin-onboarding')
+  @Authenticated(Permission.SYSTEM_METADATA_READ)
+  getAdminOnboarding(): Promise<AdminOnboardingUpdateDto> {
+    return this.service.getAdminOnboarding();
+  }
+
+  @Post('admin-onboarding')
+  @Authenticated(Permission.SYSTEM_METADATA_UPDATE)
+  @HttpCode(HttpStatus.NO_CONTENT)
+  updateAdminOnboarding(@Body() dto: AdminOnboardingUpdateDto): Promise<void> {
+    return this.service.updateAdminOnboarding(dto);
+  }
+
+  @Get('reverse-geocoding-state')
+  @Authenticated(Permission.SYSTEM_METADATA_READ)
+  getReverseGeocodingState(): Promise<ReverseGeocodingStateResponseDto> {
+    return this.service.getReverseGeocodingState();
+  }
+}
--- a/server/src/controllers/tag.controller.ts
+++ b/server/src/controllers/tag.controller.ts
@@ -3,7 +3,7 @@ import { ApiTags } from '@nestjs/swagger';
 import { AssetIdsResponseDto } from 'src/dtos/asset-ids.response.dto';
 import { AssetResponseDto } from 'src/dtos/asset-response.dto';
 import { AssetIdsDto } from 'src/dtos/asset.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { CreateTagDto, TagResponseDto, UpdateTagDto } from 'src/dtos/tag.dto';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { TagService } from 'src/services/tag.service';
@@ -11,41 +11,47 @@ import { UUIDParamDto } from 'src/validation';

@ApiTags('Tag')
@Controller('tag')
-@Authenticated()
 export class TagController {
  constructor(private service: TagService) {}

  @Post()
+  @Authenticated(Permission.TAG_CREATE)
  createTag(@Auth() auth: AuthDto, @Body() dto: CreateTagDto): Promise<TagResponseDto> {
    return this.service.create(auth, dto);
  }

  @Get()
+  @Authenticated(Permission.TAG_READ)
  getAllTags(@Auth() auth: AuthDto): Promise<TagResponseDto[]> {
    return this.service.getAll(auth);
  }

  @Get(':id')
+  @Authenticated(Permission.TAG_READ)
  getTagById(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<TagResponseDto> {
    return this.service.getById(auth, id);
  }

  @Patch(':id')
+  @Authenticated(Permission.TAG_UPDATE)
  updateTag(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto, @Body() dto: UpdateTagDto): Promise<TagResponseDto> {
    return this.service.update(auth, id, dto);
  }

  @Delete(':id')
+  @Authenticated(Permission.TAG_DELETE)
  deleteTag(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<void> {
    return this.service.remove(auth, id);
  }

  @Get(':id/assets')
+  @Authenticated(Permission.TAG_READ)
  getTagAssets(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<AssetResponseDto[]> {
    return this.service.getAssets(auth, id);
  }

  @Put(':id/assets')
+  @Authenticated(Permission.TAG_UPDATE)
  tagAssets(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -55,6 +61,7 @@ export class TagController {
  }

  @Delete(':id/assets')
+  @Authenticated(Permission.TAG_UPDATE)
  untagAssets(
    @Auth() auth: AuthDto,
    @Body() dto: AssetIdsDto,
--- a/server/src/controllers/timeline.controller.ts
+++ b/server/src/controllers/timeline.controller.ts
@@ -1,24 +1,23 @@
 import { Controller, Get, Query } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { AssetResponseDto } from 'src/dtos/asset-response.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { TimeBucketAssetDto, TimeBucketDto, TimeBucketResponseDto } from 'src/dtos/time-bucket.dto';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { TimelineService } from 'src/services/timeline.service';

@ApiTags('Timeline')
@Controller('timeline')
-@Authenticated()
 export class TimelineController {
  constructor(private service: TimelineService) {}

-  @Authenticated({ isShared: true })
+  @Authenticated(Permission.ASSET_READ, { sharedLink: true })
  @Get('buckets')
  getTimeBuckets(@Auth() auth: AuthDto, @Query() dto: TimeBucketDto): Promise<TimeBucketResponseDto[]> {
    return this.service.getTimeBuckets(auth, dto);
  }

-  @Authenticated({ isShared: true })
+  @Authenticated(Permission.ASSET_READ, { sharedLink: true })
  @Get('bucket')
  getTimeBucket(@Auth() auth: AuthDto, @Query() dto: TimeBucketAssetDto): Promise<AssetResponseDto[]> {
    return this.service.getTimeBucket(auth, dto) as Promise<AssetResponseDto[]>;
--- a/server/src/controllers/trash.controller.ts
+++ b/server/src/controllers/trash.controller.ts
@@ -1,29 +1,31 @@
 import { Body, Controller, HttpCode, HttpStatus, Post } from '@nestjs/common';
 import { ApiTags } from '@nestjs/swagger';
 import { BulkIdsDto } from 'src/dtos/asset-ids.response.dto';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { Auth, Authenticated } from 'src/middleware/auth.guard';
 import { TrashService } from 'src/services/trash.service';

@ApiTags('Trash')
@Controller('trash')
-@Authenticated()
 export class TrashController {
  constructor(private service: TrashService) {}

  @Post('empty')
+  @Authenticated(Permission.ASSET_DELETE)
  @HttpCode(HttpStatus.NO_CONTENT)
  emptyTrash(@Auth() auth: AuthDto): Promise<void> {
    return this.service.empty(auth);
  }

  @Post('restore')
+  @Authenticated(Permission.ASSET_DELETE)
  @HttpCode(HttpStatus.NO_CONTENT)
  restoreTrash(@Auth() auth: AuthDto): Promise<void> {
    return this.service.restore(auth);
  }

  @Post('restore/assets')
+  @Authenticated(Permission.ASSET_DELETE)
  @HttpCode(HttpStatus.NO_CONTENT)
  restoreAssets(@Auth() auth: AuthDto, @Body() dto: BulkIdsDto): Promise<void> {
    return this.service.restoreAssets(auth, dto);
--- a/server/src/controllers/user.controller.ts
+++ b/server/src/controllers/user.controller.ts
@@ -16,10 +16,10 @@ import {
 } from '@nestjs/common';
 import { ApiBody, ApiConsumes, ApiTags } from '@nestjs/swagger';
 import { NextFunction, Response } from 'express';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { CreateProfileImageDto, CreateProfileImageResponseDto } from 'src/dtos/user-profile.dto';
 import { CreateUserDto, DeleteUserDto, UpdateUserDto, UserResponseDto } from 'src/dtos/user.dto';
-import { AdminRoute, Auth, Authenticated, FileResponse } from 'src/middleware/auth.guard';
+import { Auth, Authenticated, FileResponse } from 'src/middleware/auth.guard';
 import { FileUploadInterceptor, Route } from 'src/middleware/file-upload.interceptor';
 import { UserService } from 'src/services/user.service';
 import { sendFile } from 'src/utils/file';
@@ -27,39 +27,42 @@ import { UUIDParamDto } from 'src/validation';

@ApiTags('User')
@Controller(Route.USER)
-@Authenticated()
 export class UserController {
  constructor(private service: UserService) {}

  @Get()
+  @Authenticated(Permission.USER_READ)
  getAllUsers(@Auth() auth: AuthDto, @Query('isAll') isAll: boolean): Promise<UserResponseDto[]> {
    return this.service.getAll(auth, isAll);
  }

  @Get('info/:id')
+  @Authenticated(Permission.USER_READ)
  getUserById(@Param() { id }: UUIDParamDto): Promise<UserResponseDto> {
    return this.service.get(id);
  }

  @Get('me')
+  @Authenticated(Permission.USER_READ)
  getMyUserInfo(@Auth() auth: AuthDto): Promise<UserResponseDto> {
    return this.service.getMe(auth);
  }

-  @AdminRoute()
  @Post()
+  @Authenticated(Permission.USER_CREATE)
  createUser(@Body() createUserDto: CreateUserDto): Promise<UserResponseDto> {
    return this.service.create(createUserDto);
  }

  @Delete('profile-image')
+  @Authenticated(Permission.USER_UPDATE)
  @HttpCode(HttpStatus.NO_CONTENT)
  deleteProfileImage(@Auth() auth: AuthDto): Promise<void> {
    return this.service.deleteProfileImage(auth);
  }

-  @AdminRoute()
  @Delete(':id')
+  @Authenticated(Permission.USER_DELETE)
  deleteUser(
    @Auth() auth: AuthDto,
    @Param() { id }: UUIDParamDto,
@@ -68,14 +71,15 @@ export class UserController {
    return this.service.delete(auth, id, dto);
  }

-  @AdminRoute()
  @Post(':id/restore')
+  @Authenticated(Permission.USER_DELETE)
  restoreUser(@Auth() auth: AuthDto, @Param() { id }: UUIDParamDto): Promise<UserResponseDto> {
    return this.service.restore(auth, id);
  }

  // TODO: replace with @Put(':id')
  @Put()
+  @Authenticated(Permission.USER_UPDATE)
  updateUser(@Auth() auth: AuthDto, @Body() updateUserDto: UpdateUserDto): Promise<UserResponseDto> {
    return this.service.update(auth, updateUserDto);
  }
@@ -84,6 +88,7 @@ export class UserController {
  @ApiConsumes('multipart/form-data')
  @ApiBody({ description: 'A new avatar for the user', type: CreateProfileImageDto })
  @Post('profile-image')
+  @Authenticated(Permission.USER_UPDATE)
  createProfileImage(
    @Auth() auth: AuthDto,
    @UploadedFile() fileInfo: Express.Multer.File,
@@ -92,6 +97,7 @@ export class UserController {
  }

  @Get('profile-image/:id')
+  @Authenticated(Permission.USER_READ)
  @FileResponse()
  async getProfileImage(@Res() res: Response, @Next() next: NextFunction, @Param() { id }: UUIDParamDto) {
    await sendFile(res, next, () => this.service.getProfileImage(id));
--- a/server/src/cores/access.core.ts
+++ b/server/src/cores/access.core.ts
@@ -4,7 +4,7 @@ import { SharedLinkEntity } from 'src/entities/shared-link.entity';
 import { IAccessRepository } from 'src/interfaces/access.interface';
 import { setDifference, setIsEqual, setUnion } from 'src/utils/set';

-export enum Permission {
+export enum AccessPermission {
  ACTIVITY_CREATE = 'activity.create',
  ACTIVITY_DELETE = 'activity.delete',

@@ -74,7 +74,7 @@ export class AccessCore {
   * Check if user has access to all ids, for the given permission.
   * Throws error if user does not have access to any of the ids.
   */
-  async requirePermission(auth: AuthDto, permission: Permission, ids: string[] | string) {
+  async requirePermission(auth: AuthDto, permission: AccessPermission, ids: string[] | string) {
    ids = Array.isArray(ids) ? ids : [ids];
    const allowedIds = await this.checkAccess(auth, permission, ids);
    if (!setIsEqual(new Set(ids), allowedIds)) {
@@ -88,7 +88,7 @@ export class AccessCore {
   *
   * @returns Set<string>
   */
-  async checkAccess(auth: AuthDto, permission: Permission, ids: Set<string> | string[]): Promise<Set<string>> {
+  async checkAccess(auth: AuthDto, permission: AccessPermission, ids: Set<string> | string[]): Promise<Set<string>> {
    const idSet = Array.isArray(ids) ? new Set(ids) : ids;
    if (idSet.size === 0) {
      return new Set();
@@ -103,40 +103,40 @@ export class AccessCore {

  private async checkAccessSharedLink(
    sharedLink: SharedLinkEntity,
-    permission: Permission,
+    permission: AccessPermission,
    ids: Set<string>,
  ): Promise<Set<string>> {
    const sharedLinkId = sharedLink.id;

    switch (permission) {
-      case Permission.ASSET_READ: {
+      case AccessPermission.ASSET_READ: {
        return await this.repository.asset.checkSharedLinkAccess(sharedLinkId, ids);
      }

-      case Permission.ASSET_VIEW: {
+      case AccessPermission.ASSET_VIEW: {
        return await this.repository.asset.checkSharedLinkAccess(sharedLinkId, ids);
      }

-      case Permission.ASSET_DOWNLOAD: {
+      case AccessPermission.ASSET_DOWNLOAD: {
        return sharedLink.allowDownload
          ? await this.repository.asset.checkSharedLinkAccess(sharedLinkId, ids)
          : new Set();
      }

-      case Permission.ASSET_UPLOAD: {
+      case AccessPermission.ASSET_UPLOAD: {
        return sharedLink.allowUpload ? ids : new Set();
      }

-      case Permission.ASSET_SHARE: {
+      case AccessPermission.ASSET_SHARE: {
        // TODO: fix this to not use sharedLink.userId for access control
        return await this.repository.asset.checkOwnerAccess(sharedLink.userId, ids);
      }

-      case Permission.ALBUM_READ: {
+      case AccessPermission.ALBUM_READ: {
        return await this.repository.album.checkSharedLinkAccess(sharedLinkId, ids);
      }

-      case Permission.ALBUM_DOWNLOAD: {
+      case AccessPermission.ALBUM_DOWNLOAD: {
        return sharedLink.allowDownload
          ? await this.repository.album.checkSharedLinkAccess(sharedLinkId, ids)
          : new Set();
@@ -148,15 +148,15 @@ export class AccessCore {
    }
  }

-  private async checkAccessOther(auth: AuthDto, permission: Permission, ids: Set<string>): Promise<Set<string>> {
+  private async checkAccessOther(auth: AuthDto, permission: AccessPermission, ids: Set<string>): Promise<Set<string>> {
    switch (permission) {
      // uses album id
-      case Permission.ACTIVITY_CREATE: {
+      case AccessPermission.ACTIVITY_CREATE: {
        return await this.repository.activity.checkCreateAccess(auth.user.id, ids);
      }

      // uses activity id
-      case Permission.ACTIVITY_DELETE: {
+      case AccessPermission.ACTIVITY_DELETE: {
        const isOwner = await this.repository.activity.checkOwnerAccess(auth.user.id, ids);
        const isAlbumOwner = await this.repository.activity.checkAlbumOwnerAccess(
          auth.user.id,
@@ -165,7 +165,7 @@ export class AccessCore {
        return setUnion(isOwner, isAlbumOwner);
      }

-      case Permission.ASSET_READ: {
+      case AccessPermission.ASSET_READ: {
        const isOwner = await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
        const isAlbum = await this.repository.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner));
        const isPartner = await this.repository.asset.checkPartnerAccess(
@@ -175,13 +175,13 @@ export class AccessCore {
        return setUnion(isOwner, isAlbum, isPartner);
      }

-      case Permission.ASSET_SHARE: {
+      case AccessPermission.ASSET_SHARE: {
        const isOwner = await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
        const isPartner = await this.repository.asset.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner));
        return setUnion(isOwner, isPartner);
      }

-      case Permission.ASSET_VIEW: {
+      case AccessPermission.ASSET_VIEW: {
        const isOwner = await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
        const isAlbum = await this.repository.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner));
        const isPartner = await this.repository.asset.checkPartnerAccess(
@@ -191,7 +191,7 @@ export class AccessCore {
        return setUnion(isOwner, isAlbum, isPartner);
      }

-      case Permission.ASSET_DOWNLOAD: {
+      case AccessPermission.ASSET_DOWNLOAD: {
        const isOwner = await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
        const isAlbum = await this.repository.asset.checkAlbumAccess(auth.user.id, setDifference(ids, isOwner));
        const isPartner = await this.repository.asset.checkPartnerAccess(
@@ -201,101 +201,101 @@ export class AccessCore {
        return setUnion(isOwner, isAlbum, isPartner);
      }

-      case Permission.ASSET_UPDATE: {
+      case AccessPermission.ASSET_UPDATE: {
        return await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.ASSET_DELETE: {
+      case AccessPermission.ASSET_DELETE: {
        return await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.ASSET_RESTORE: {
+      case AccessPermission.ASSET_RESTORE: {
        return await this.repository.asset.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.ALBUM_READ: {
+      case AccessPermission.ALBUM_READ: {
        const isOwner = await this.repository.album.checkOwnerAccess(auth.user.id, ids);
        const isShared = await this.repository.album.checkSharedAlbumAccess(auth.user.id, setDifference(ids, isOwner));
        return setUnion(isOwner, isShared);
      }

-      case Permission.ALBUM_UPDATE: {
+      case AccessPermission.ALBUM_UPDATE: {
        return await this.repository.album.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.ALBUM_DELETE: {
+      case AccessPermission.ALBUM_DELETE: {
        return await this.repository.album.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.ALBUM_SHARE: {
+      case AccessPermission.ALBUM_SHARE: {
        return await this.repository.album.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.ALBUM_DOWNLOAD: {
+      case AccessPermission.ALBUM_DOWNLOAD: {
        const isOwner = await this.repository.album.checkOwnerAccess(auth.user.id, ids);
        const isShared = await this.repository.album.checkSharedAlbumAccess(auth.user.id, setDifference(ids, isOwner));
        return setUnion(isOwner, isShared);
      }

-      case Permission.ALBUM_REMOVE_ASSET: {
+      case AccessPermission.ALBUM_REMOVE_ASSET: {
        return await this.repository.album.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.ASSET_UPLOAD: {
+      case AccessPermission.ASSET_UPLOAD: {
        return await this.repository.library.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.ARCHIVE_READ: {
+      case AccessPermission.ARCHIVE_READ: {
        return ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set();
      }

-      case Permission.AUTH_DEVICE_DELETE: {
+      case AccessPermission.AUTH_DEVICE_DELETE: {
        return await this.repository.authDevice.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.TIMELINE_READ: {
+      case AccessPermission.TIMELINE_READ: {
        const isOwner = ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set<string>();
        const isPartner = await this.repository.timeline.checkPartnerAccess(auth.user.id, setDifference(ids, isOwner));
        return setUnion(isOwner, isPartner);
      }

-      case Permission.TIMELINE_DOWNLOAD: {
+      case AccessPermission.TIMELINE_DOWNLOAD: {
        return ids.has(auth.user.id) ? new Set([auth.user.id]) : new Set();
      }

-      case Permission.MEMORY_READ: {
+      case AccessPermission.MEMORY_READ: {
        return this.repository.memory.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.MEMORY_WRITE: {
+      case AccessPermission.MEMORY_WRITE: {
        return this.repository.memory.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.MEMORY_DELETE: {
+      case AccessPermission.MEMORY_DELETE: {
        return this.repository.memory.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.PERSON_READ: {
+      case AccessPermission.PERSON_READ: {
        return await this.repository.person.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.PERSON_WRITE: {
+      case AccessPermission.PERSON_WRITE: {
        return await this.repository.person.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.PERSON_MERGE: {
+      case AccessPermission.PERSON_MERGE: {
        return await this.repository.person.checkOwnerAccess(auth.user.id, ids);
      }

-      case Permission.PERSON_CREATE: {
+      case AccessPermission.PERSON_CREATE: {
        return this.repository.person.checkFaceOwnerAccess(auth.user.id, ids);
      }

-      case Permission.PERSON_REASSIGN: {
+      case AccessPermission.PERSON_REASSIGN: {
        return this.repository.person.checkFaceOwnerAccess(auth.user.id, ids);
      }

-      case Permission.PARTNER_UPDATE: {
+      case AccessPermission.PARTNER_UPDATE: {
        return await this.repository.partner.checkUpdateAccess(auth.user.id, ids);
      }

--- a/server/src/cores/user.core.ts
+++ b/server/src/cores/user.core.ts
@@ -48,6 +48,10 @@ export class UserCore {
      throw new BadRequestException('The server already has an admin');
    }

+    if (dto.permissions) {
+      // TODO validate granted permissions
+    }
+
    if (dto.email) {
      const duplicate = await this.userRepository.getByEmail(dto.email);
      if (duplicate && duplicate.id !== id) {
@@ -93,6 +97,11 @@ export class UserCore {
    if (payload.storageLabel) {
      payload.storageLabel = sanitize(payload.storageLabel.replaceAll('.', ''));
    }
+
+    if (payload.permissions) {
+      // TODO validate permissions
+    }
+
    const userEntity = await this.userRepository.create(payload);
    await this.libraryRepository.create({
      owner: { id: userEntity.id } as UserEntity,
--- a/server/src/dtos/auth.dto.ts
+++ b/server/src/dtos/auth.dto.ts
@@ -25,6 +25,195 @@ export type CookieResponse = {
  values: Array<{ key: ImmichCookie; value: string }>;
 };

+export enum PermissionPreset {
+  USER = 'user',
+  ADMIN = 'admin',
+  CUSTOM = 'custom',
+}
+
+export enum Permission {
+  ACTIVITY_CREATE = 'activity.create',
+  ACTIVITY_READ = 'activity.read',
+  ACTIVITY_UPDATE = 'activity.update',
+  ACTIVITY_DELETE = 'activity.delete',
+
+  ALBUM_CREATE = 'album.create',
+  ALBUM_READ = 'album.read',
+  ALBUM_UPDATE = 'album.update',
+  ALBUM_DELETE = 'album.delete',
+
+  ASSET_CREATE = 'asset.create',
+  ASSET_READ = 'asset.read',
+  ASSET_UPDATE = 'asset.update',
+  ASSET_DELETE = 'asset.delete',
+
+  API_KEY_CREATE = 'apiKey.create',
+  API_KEY_READ = 'apiKey.read',
+  API_KEY_UPDATE = 'apiKey.update',
+  API_KEY_DELETE = 'apiKey.delete',
+
+  AUTH_DEVICE_CREATE = 'authDevice.create',
+  AUTH_DEVICE_READ = 'authDevice.read',
+  AUTH_DEVICE_UPDATE = 'authDevice.update',
+  AUTH_DEVICE_DELETE = 'authDevice.delete',
+
+  FACE_CREATE = 'face.create',
+  FACE_READ = 'face.read',
+  FACE_UPDATE = 'face.update',
+  FACE_DELETE = 'face.delete',
+
+  LIBRARY_CREATE = 'library.create',
+  LIBRARY_READ = 'library.read',
+  LIBRARY_UPDATE = 'library.update',
+  LIBRARY_DELETE = 'library.delete',
+
+  MEMORY_CREATE = 'memory.create',
+  MEMORY_READ = 'memory.read',
+  MEMORY_UPDATE = 'memory.update',
+  MEMORY_DELETE = 'memory.delete',
+  MEMORY_ADD_ASSET = 'memory.addAsset',
+  MEMORY_REMOVE_ASSET = 'memory.removeAsset',
+
+  PARTNER_CREATE = 'partner.create',
+  PARTNER_READ = 'partner.read',
+  PARTNER_UPDATE = 'partner.update',
+  PARTNER_DELETE = 'partner.delete',
+
+  PERSON_CREATE = 'person.create',
+  PERSON_READ = 'person.read',
+  PERSON_UPDATE = 'person.update',
+  PERSON_DELETE = 'person.delete',
+
+  REPORT_CREATE = 'report.create',
+  REPORT_READ = 'report.read',
+  REPORT_UPDATE = 'report.update',
+  REPORT_DELETE = 'report.delete',
+
+  SESSION_CREATE = 'session.create',
+  SESSION_READ = 'session.read',
+  SESSION_UPDATE = 'session.update',
+  SESSION_DELETE = 'session.delete',
+
+  SHARED_LINK_CREATE = 'sharedLink.create',
+  SHARED_LINK_READ = 'sharedLink.read',
+  SHARED_LINK_UPDATE = 'sharedLink.update',
+  SHARED_LINK_DELETE = 'sharedLink.delete',
+
+  SYSTEM_CONFIG_CREATE = 'systemConfig.create',
+  SYSTEM_CONFIG_READ = 'systemConfig.read',
+  SYSTEM_CONFIG_UPDATE = 'systemConfig.update',
+  SYSTEM_CONFIG_DELETE = 'systemConfig.delete',
+
+  SYSTEM_METADATA_CREATE = 'systemMetadata.create',
+  SYSTEM_METADATA_READ = 'systemMetadata.read',
+  SYSTEM_METADATA_UPDATE = 'systemMetadata.update',
+  SYSTEM_METADATA_DELETE = 'systemMetadata.delete',
+
+  STACK_CREATE = 'stack.create',
+  STACK_READ = 'stack.read',
+  STACK_UPDATE = 'stack.update',
+  STACK_DELETE = 'stack.delete',
+
+  TAG_CREATE = 'tag.create',
+  TAG_READ = 'tag.read',
+  TAG_UPDATE = 'tag.update',
+  TAG_DELETE = 'tag.delete',
+
+  USER_CREATE = 'user.create',
+  USER_READ = 'user.read',
+  USER_UPDATE = 'user.update',
+  USER_DELETE = 'user.delete',
+
+  // other
+  AUTH_CHANGE_PASSWORD = 'auth.changePassword',
+  AUTH_OAUTH = 'auth.oauth',
+
+  ALBUM_ADD_ASSET = 'album.addAsset',
+  ALBUM_REMOVE_ASSET = 'album.removeAsset',
+  ALBUM_ADD_USER = 'album.addUser',
+  ALBUM_REMOVE_USER = 'album.removeUser',
+
+  ASSET_VIEW_THUMB = 'asset.viewThumb',
+  ASSET_VIEW_PREVIEW = 'asset.viewPreview',
+  ASSET_VIEW_ORIGINAL = 'asset.viewOriginal',
+  ASSET_UPLOAD = 'asset.upload',
+  ASSET_DOWNLOAD = 'asset.download',
+
+  JOB_READ = 'job.read',
+  JOB_RUN = 'job.run',
+
+  MAP_READ = 'map.read',
+
+  USER_READ_SIMPLE = 'user.readSimple',
+  USER_CHANGE_PASSWORD = 'user.changePassword',
+
+  SERVER_READ = 'server.read',
+  SERVER_SETUP = 'server.setup',
+}
+
+export const presetToPermissions = ({
+  permissionPreset: preset,
+  permissions,
+}: {
+  permissionPreset?: PermissionPreset;
+  permissions?: Permission[];
+}) => {
+  switch (preset) {
+    case PermissionPreset.ADMIN: {
+      return ALL_PERMISSIONS;
+    }
+
+    case PermissionPreset.USER: {
+      return USER_PERMISSIONS;
+    }
+
+    case PermissionPreset.CUSTOM: {
+      return permissions ?? [];
+    }
+
+    default: {
+      return;
+    }
+  }
+};
+
+export const ALL_PERMISSIONS = Object.values(Permission);
+export const USER_PERMISSIONS = ALL_PERMISSIONS.filter((permission) => {
+  switch (permission) {
+    case Permission.JOB_READ:
+    case Permission.JOB_RUN:
+
+    case Permission.LIBRARY_READ:
+    case Permission.LIBRARY_CREATE:
+    case Permission.LIBRARY_UPDATE:
+    case Permission.LIBRARY_DELETE:
+
+    // TODO this can't be an admin permission yet because non-admins still use it
+    case Permission.USER_READ:
+    case Permission.USER_CREATE:
+    case Permission.USER_UPDATE:
+    case Permission.USER_DELETE:
+
+    case Permission.SYSTEM_CONFIG_CREATE:
+    case Permission.SYSTEM_CONFIG_READ:
+    case Permission.SYSTEM_CONFIG_UPDATE:
+    case Permission.SYSTEM_CONFIG_DELETE:
+
+    case Permission.SYSTEM_METADATA_CREATE:
+    case Permission.SYSTEM_METADATA_READ:
+    case Permission.SYSTEM_METADATA_UPDATE:
+    case Permission.SYSTEM_METADATA_DELETE: {
+      return false;
+    }
+
+    default: {
+      return true;
+    }
+  }
+});
+
+export type AuthorizationPermissions = Set<Permission>;
+
 export class AuthDto {
  user!: UserEntity;

--- a/server/src/dtos/system-metadata.dto.ts
+++ b/server/src/dtos/system-metadata.dto.ts
@@ -0,0 +1,15 @@
+import { IsBoolean } from 'class-validator';
+
+export class AdminOnboardingUpdateDto {
+  @IsBoolean()
+  isOnboarded!: boolean;
+}
+
+export class AdminOnboardingResponseDto {
+  isOnboarded!: boolean;
+}
+
+export class ReverseGeocodingStateResponseDto {
+  lastUpdate!: string | null;
+  lastImportFileName!: string | null;
+}
--- a/server/src/dtos/user.dto.spec.ts
+++ b/server/src/dtos/user.dto.spec.ts
@@ -1,5 +1,6 @@
 import { plainToInstance } from 'class-transformer';
 import { validate } from 'class-validator';
+import { PermissionPreset } from 'src/dtos/auth.dto';
 import { CreateAdminDto, CreateUserDto, CreateUserOAuthDto, UpdateUserDto } from 'src/dtos/user.dto';

 describe('update user DTO', () => {
@@ -22,6 +23,7 @@ describe('create user DTO', () => {
      email: undefined,
      password: 'password',
      name: 'name',
+      permissionPreset: PermissionPreset.USER,
    };
    let dto: CreateUserDto = plainToInstance(CreateUserDto, params);
    let errors = await validate(dto);
@@ -45,6 +47,7 @@ describe('create user DTO', () => {
      email: someEmail,
      password: 'some password',
      name: 'some name',
+      permissionPreset: 'user',
    });
    const errors = await validate(dto);
    expect(errors).toHaveLength(0);
--- a/server/src/dtos/user.dto.ts
+++ b/server/src/dtos/user.dto.ts
@@ -1,10 +1,14 @@
-import { ApiProperty } from '@nestjs/swagger';
+import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
 import { Transform } from 'class-transformer';
-import { IsEmail, IsEnum, IsNotEmpty, IsNumber, IsPositive, IsString, IsUUID } from 'class-validator';
+import { IsEmail, IsEnum, IsNotEmpty, IsNumber, IsPositive, IsString, IsUUID, ValidateIf } from 'class-validator';
+import { Permission, PermissionPreset } from 'src/dtos/auth.dto';
 import { getRandomAvatarColor } from 'src/dtos/user-profile.dto';
 import { UserAvatarColor, UserEntity, UserStatus } from 'src/entities/user.entity';
 import { Optional, ValidateBoolean, toEmail, toSanitized } from 'src/validation';

+const isCustomPreset = ({ permissionPreset }: CreateUserDto) =>
+  permissionPreset && permissionPreset === PermissionPreset.CUSTOM;
+
 export class CreateUserDto {
  @IsEmail({ require_tld: false })
  @Transform(toEmail)
@@ -34,6 +38,15 @@ export class CreateUserDto {

  @ValidateBoolean({ optional: true })
  shouldChangePassword?: boolean;
+
+  @IsEnum(PermissionPreset)
+  @ApiProperty({ enum: PermissionPreset, enumName: 'PermissionPreset' })
+  permissionPreset!: PermissionPreset;
+
+  @ValidateIf(isCustomPreset)
+  @IsEnum(Permission, { each: true })
+  @ApiPropertyOptional({ enum: Permission, enumName: 'AuthorizationPermission' })
+  permissions?: Permission[];
 }

 export class CreateAdminDto {
@@ -112,6 +125,16 @@ export class UpdateUserDto {
  @IsPositive()
  @ApiProperty({ type: 'integer', format: 'int64' })
  quotaSizeInBytes?: number | null;
+
+  @Optional()
+  @IsEnum(PermissionPreset)
+  @ApiProperty({ enum: PermissionPreset, enumName: 'PermissionPreset' })
+  permissionPreset?: PermissionPreset;
+
+  @ValidateIf(isCustomPreset)
+  @IsEnum(Permission, { each: true })
+  @ApiPropertyOptional({ enum: Permission, enumName: 'AuthorizationPermission' })
+  permissions?: Permission[];
 }

 export class UserDto {
@@ -139,6 +162,7 @@ export class UserResponseDto extends UserDto {
  quotaUsageInBytes!: number | null;
  @ApiProperty({ enumName: 'UserStatus', enum: UserStatus })
  status!: string;
+  permissions?: Permission[];
 }

 export const mapSimpleUser = (entity: UserEntity): UserDto => {
@@ -165,5 +189,6 @@ export function mapUser(entity: UserEntity): UserResponseDto {
    quotaSizeInBytes: entity.quotaSizeInBytes,
    quotaUsageInBytes: entity.quotaUsageInBytes,
    status: entity.status,
+    permissions: entity.permissions,
  };
 }
--- a/server/src/entities/user.entity.ts
+++ b/server/src/entities/user.entity.ts
@@ -1,3 +1,4 @@
+import { Permission } from 'src/dtos/auth.dto';
 import { AssetEntity } from 'src/entities/asset.entity';
 import { TagEntity } from 'src/entities/tag.entity';
 import {
@@ -87,4 +88,7 @@ export class UserEntity {

  @Column({ type: 'bigint', default: 0 })
  quotaUsageInBytes!: number;
+
+  @Column({ type: 'varchar', array: true })
+  permissions!: Permission[];
 }
--- a/server/src/interfaces/session.interface.ts
+++ b/server/src/interfaces/session.interface.ts
@@ -2,10 +2,12 @@ import { SessionEntity } from 'src/entities/session.entity';

 export const ISessionRepository = 'ISessionRepository';

+type E = SessionEntity;
+
 export interface ISessionRepository {
-  create(dto: Partial<SessionEntity>): Promise<SessionEntity>;
-  update(dto: Partial<SessionEntity>): Promise<SessionEntity>;
+  create<T extends Partial<E>>(dto: T): Promise<T>;
+  update<T extends Partial<E>>(dto: T): Promise<T>;
  delete(id: string): Promise<void>;
-  getByToken(token: string): Promise<SessionEntity | null>;
-  getByUserId(userId: string): Promise<SessionEntity[]>;
+  getByToken(token: string): Promise<E | null>;
+  getByUserId(userId: string): Promise<E[]>;
 }
--- a/server/src/middleware/auth.guard.ts
+++ b/server/src/middleware/auth.guard.ts
@@ -10,49 +10,40 @@ import {
 import { Reflector } from '@nestjs/core';
 import { ApiBearerAuth, ApiCookieAuth, ApiOkResponse, ApiQuery, ApiSecurity } from '@nestjs/swagger';
 import { Request } from 'express';
-import { AuthDto } from 'src/dtos/auth.dto';
+import { AuthDto, Permission } from 'src/dtos/auth.dto';
 import { ILoggerRepository } from 'src/interfaces/logger.interface';
 import { AuthService, LoginDetails } from 'src/services/auth.service';
 import { UAParser } from 'ua-parser-js';

 export enum Metadata {
-  AUTH_ROUTE = 'auth_route',
-  ADMIN_ROUTE = 'admin_route',
  SHARED_ROUTE = 'shared_route',
  PUBLIC_SECURITY = 'public_security',
  API_KEY_SECURITY = 'api_key',
+  PERMISSION = 'auth_permission',
 }

-export interface AuthenticatedOptions {
-  admin?: true;
-  isShared?: true;
-}
+type AuthenticatedOptions = {
+  sharedLink?: true;
+  /** skip permission check when param id matches calling user */
+  bypassParamId?: string;
+};

-export const Authenticated = (options: AuthenticatedOptions = {}) => {
-  const decorators: MethodDecorator[] = [
+export const Authenticated = (permission: Permission, options?: AuthenticatedOptions) => {
+  const { sharedLink } = { sharedLink: false, ...options };
+
+  const decorators = sharedLink
+    ? [SetMetadata(Metadata.SHARED_ROUTE, true), ApiQuery({ name: 'key', type: String, required: false })]
+    : [];
+
+  return applyDecorators(
    ApiBearerAuth(),
    ApiCookieAuth(),
    ApiSecurity(Metadata.API_KEY_SECURITY),
-    SetMetadata(Metadata.AUTH_ROUTE, true),
-  ];
-
-  if (options.admin) {
-    decorators.push(AdminRoute());
-  }
-
-  if (options.isShared) {
-    decorators.push(SharedLinkRoute());
-  }
-
-  return applyDecorators(...decorators);
+    SetMetadata(Metadata.PERMISSION, permission),
+    ...decorators,
+  );
 };

-export const PublicRoute = () =>
-  applyDecorators(SetMetadata(Metadata.AUTH_ROUTE, false), ApiSecurity(Metadata.PUBLIC_SECURITY));
-export const SharedLinkRoute = () =>
-  applyDecorators(SetMetadata(Metadata.SHARED_ROUTE, true), ApiQuery({ name: 'key', type: String, required: false }));
-export const AdminRoute = (value = true) => SetMetadata(Metadata.ADMIN_ROUTE, value);
-
 export const Auth = createParamDecorator((data, context: ExecutionContext): AuthDto => {
  return context.switchToHttp().getRequest<{ user: AuthDto }>().user;
 });
@@ -89,26 +80,29 @@ export class AuthGuard implements CanActivate {
  }

  async canActivate(context: ExecutionContext): Promise<boolean> {
-    const targets = [context.getHandler(), context.getClass()];
+    const method = context.getHandler();

-    const isAuthRoute = this.reflector.getAllAndOverride(Metadata.AUTH_ROUTE, targets);
-    const isAdminRoute = this.reflector.getAllAndOverride(Metadata.ADMIN_ROUTE, targets);
-    const isSharedRoute = this.reflector.getAllAndOverride(Metadata.SHARED_ROUTE, targets);
+    const permission = this.reflector.get<Permission>(Metadata.PERMISSION, method);
+    const isSharedRoute = this.reflector.get<boolean>(Metadata.SHARED_ROUTE, method);

-    if (!isAuthRoute) {
+    // public
+    if (!permission) {
      return true;
    }

    const request = context.switchToHttp().getRequest<AuthRequest>();

    const authDto = await this.authService.validate(request.headers, request.query as Record<string, string>);
+    const isApiKey = !!authDto.apiKey;
+    const isUserToken = !!authDto.session;
+
    if (authDto.sharedLink && !isSharedRoute) {
      this.logger.warn(`Denied access to non-shared route: ${request.path}`);
      return false;
    }

-    if (isAdminRoute && !authDto.user.isAdmin) {
-      this.logger.warn(`Denied access to admin only route: ${request.path}`);
+    if ((isApiKey || isUserToken) && !authDto.user.permissions.includes(permission)) {
+      this.logger.warn(`Denied access to route: no ${permission} permission: ${request.path}. `);
      return false;
    }

--- a/server/src/migrations/1713389653857-AddUserPermissions.ts
+++ b/server/src/migrations/1713389653857-AddUserPermissions.ts
@@ -0,0 +1,14 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class AddUserPermissions1713389653857 implements MigrationInterface {
+    name = 'AddUserPermissions1713389653857'
+
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`ALTER TABLE "users" ADD "permissions" character varying array NOT NULL`);
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`ALTER TABLE "users" DROP COLUMN "permissions"`);
+    }
+
+}
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Jason Rasmussen	f7285191bd	WIP	2024-04-22 16:51:24 -04:00
Aaron Berndsen	c9a079201a	docs: update "move all data" instructions in FAQ (#8976 ) * Update FAQ.mdx chore(docs): update "move all data" FAQ instructions. * Apply suggestions from code review fix: (apply suggestions) use sql-compliant comments Co-authored-by: Matthew Momjian <50788000+mmomjian@users.noreply.github.com> * fix: Update FAQ.mdx --------- Co-authored-by: Matthew Momjian <50788000+mmomjian@users.noreply.github.com>	2024-04-22 12:53:55 +00:00
Alex	be4a783845	fix(web): wrong month on timeline scrollbar cursor (#8996 ) * fix(web): wrong month on timeline scrollbar cursor * revert unnesessary change	2024-04-22 06:22:59 -05:00
Mert	c30cd3b378	chore: test more formats in e2e (#9001 )	2024-04-22 01:35:27 -04:00
TruongSinh Tran-Nguyen	0d3cc28f45	feat(web): support 360 video (equirectangular) (#8762 ) * [web]: support 360 video * lint * lint * fix typing --------- Co-authored-by: Alex <alex.tran1502@gmail.com>	2024-04-21 19:14:54 +00:00
Conner Hnatiuk	f004487be0	fix(web): trash page now auto refreshes (#8978 ) * fix(web): the trash page now auto refreshes when restore all or empty trash is clicked. Also shows number of assets affected. * formatting	2024-04-21 14:07:17 -05:00
clementdelestre	21231d53a5	feat(mobile): add i18n in multiselect-grid and update translation (en and fr) (#8993 ) * add i18n in multiselect grid (en-fr) * add FR translations from (haptic feedback) * revert settings	2024-04-21 13:26:19 -05:00
Daniel Dietzler	a99862120d	feat: mobile label for renovate pull requests (#8991 ) mobile lable for renovate pull requests	2024-04-21 13:11:03 -05:00
shenlong	776023b149	dep(mobile): upgrade gradle (#8409 ) * dep(mobile): upgrade gradle * chore(deps): update kotlin & guava * build: change java version and flutter test version --------- Co-authored-by: shenlong-tanwen <139912620+shalong-tanwen@users.noreply.github.com>	2024-04-20 23:07:32 -05:00
martin	7d4187962a	feat(web): new look option for slideshow (#8924 ) feat: new look option for slideshow	2024-04-20 23:06:49 -05:00
Jason Rasmussen	a93534fc3c	refactor(server): session interface types (#8977 )	2024-04-20 23:45:55 -04:00
Alex	cef84f6ced	chore(mobile): override appbundle on PlayStore before getting released (#8960 )	2024-04-20 19:56:03 -05:00
Alex The Bot	a2180a467d	Version v1.102.3	2024-04-20 20:17:39 +00:00
Jason Rasmussen	1e3dceea4d	fix(server): session refresh (#8974 )	2024-04-20 15:15:25 -05:00
Mert	fd4514711f	feat(server): enable AV1 encoding for NVENC (#8959 ) allow av1 for nvenc	2024-04-20 14:52:50 -04:00
Alex	2dd7c13b88	Revert "feat(android) Check server is reachable before starting background backup (#8594 )" (#8958 ) This reverts commit `71b6d8b569`.	2024-04-20 12:15:26 -05:00
Alex	40931b5668	chore: post release tasks	2024-04-20 11:15:41 -05:00
Alex The Bot	25549b87c9	Version v1.102.2	2024-04-20 15:55:32 +00:00
Alex	7ec62f12b5	Revert "fix(mobile): random logout (#8739 )" (#8954 ) This reverts commit `97c099e26d`.	2024-04-20 10:53:52 -05:00
Jaryl Chng	caf76f0713	feat(server): enable AV1 encoding for QSV (#8942 )	2024-04-20 10:36:00 -04:00
martin	6778653825	fix(web): keep focus when searching people (#8950 ) fix: keep focus when searching people Co-authored-by: Alex <alex.tran1502@gmail.com>	2024-04-20 14:18:31 +00:00
Alex	c858b43717	chore: post release tasks	2024-04-20 09:12:11 -05:00
Alex The Bot	6eb1b82541	Version v1.102.1	2024-04-20 13:43:46 +00:00
devjn	71b6d8b569	feat(android) Check server is reachable before starting background backup (#8594 ) * Bump androidx work version to 2.9.0 * Check that server is reachable before starting backup work * Dart format * Cleanup debug logs * Fix analysis	2024-04-20 08:39:04 -05:00
Conner	3abfe3c99e	fix(web): restore button in asset viewer (#8935 ) * fix(web): restore button added to trashed asset-view to restore single item * fixed the asset-viewer menu to update upon restoration * prettier formatting complete, testing passed * chore: clean up --------- Co-authored-by: Jason Rasmussen <jrasm91@gmail.com>	2024-04-20 01:19:50 +00:00
Jason Rasmussen	171b6bb0a6	refactor: system metadata (#8923 ) refactor(server): system metadata	2024-04-19 20:36:15 -04:00
Daniel Dietzler	78c7ff855d	refactor(server): move file file report endpoints to their own controller (#8925 ) * move file report to its own controller * chore: open api	2024-04-19 20:35:54 -04:00
Alex	57be9182d4	chore: post release tasks	2024-04-19 15:32:45 -05:00