Merge remote-tracking branch 'origin/master' into feat-settings-ui

2022-12-23 16:08:47 +11:00 · 2022-12-23 16:08:47 +11:00 · 4a2fd3dea7
parent a186dca3bf 0bb657e11c
commit 4a2fd3dea7
174 changed files with 5917 additions and 3361 deletions
--- a/.all-contributorsrc
+++ b/.all-contributorsrc
@ -825,6 +825,15 @@
        "code",
        "design"
      ]
    },
    {
      "login": "Ohelig",
      "name": "Ohelig",
      "avatar_url": "https://avatars.githubusercontent.com/u/5841980?v=4",
      "profile": "https://github.com/Ohelig",
      "contributions": [
        "doc"
      ]
    }
  ],
  "contributorsPerLine": 7
--- a/.github/ISSUE_TEMPLATE/bug-report.yml
+++ b/.github/ISSUE_TEMPLATE/bug-report.yml
@ -26,6 +26,8 @@ body:
      description: What version(s) of Authelia can you reproduce this bug on?
      multiple: true
      options:
        - v4.37.5
        - v4.37.4
        - v4.37.3
        - v4.37.2
        - v4.37.1
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -10,7 +10,9 @@ Don't hesitate to come help us improve Authelia! See you soon!
 ## Bug Reports and Feature Requests
-If you've found a **bug** or have a **feature request** then please create an issue in this repository (but search first in case a similar issue already exists).
+If you've found a **bug** or have a **feature request** then please create a
 [bug report](https://www.authelia.com/l/bug) or [feature request](https://www.authelia.com/l/fr) respectively in this
 repository (but search first in case a similar issue already exists).
 ## Code
@ -23,13 +25,14 @@ about requirement or implementation. That way you can be sure that the maintaine
 and you can hopefully get a quick merge afterwards. Also, let the maintainers know that you plan to work on a particular
 issue so that no one else starts any duplicate work.
-Pull Requests can only be merged once all status checks are green, which means `authelia-scripts --log-level debug ci` passes, and coverage does not regress.
+Pull Requests can only be merged once all status checks are green, which means `authelia-scripts --log-level debug ci`
 passes, and coverage does not regress.
 ## Do not force push to your pull request branch
-Please do not force push to your PR's branch after you have created your PR, as doing so makes it harder for us to review your work.
+Please do not force push to your PR's branch after you have created your PR, as doing so makes it harder for us to
-PRs will always be squashed by us when we merge your work.
+review your work. PRs will always be squashed by us when we merge your work. Commit as many times as you need in your
-Commit as many times as you need in your pull request branch.
+pull request branch.
 ## Re-requesting a review
--- a/8
+++ b/8
@ -11,15 +11,16 @@ WORKDIR /app
 # Set environment variables
 ENV PATH="/app:${PATH}" \
    PUID=0 \
-    PGID=0
+    PGID=0 \
    X_AUTHELIA_CONFIG="/config/configuration.yml"
 RUN \
-apk --no-cache add ca-certificates su-exec tzdata
+	apk --no-cache add ca-certificates su-exec tzdata
 COPY LICENSE .healthcheck.env entrypoint.sh healthcheck.sh ./
 RUN \
-chmod 0666 /app/.healthcheck.env
+	chmod 0666 /app/.healthcheck.env
 COPY authelia-${TARGETOS}-${TARGETARCH}-musl ./authelia
@ -28,5 +29,4 @@ EXPOSE 9091
 VOLUME /config
 ENTRYPOINT ["/app/entrypoint.sh"]
 CMD ["--config", "/config/configuration.yml"]
 HEALTHCHECK --interval=30s --timeout=3s --start-period=1m CMD /app/healthcheck.sh
--- a/Dockerfile.coverage
+++ b/Dockerfile.coverage
@ -20,14 +20,14 @@ FROM golang:1.19.4-alpine AS builder-backend
 WORKDIR /go/src/app
 RUN \
-echo ">> Downloading required apk's..." && \
+	echo ">> Downloading required apk's..." && \
-apk --no-cache add gcc musl-dev
+	apk --no-cache add gcc musl-dev
 COPY go.mod go.sum ./
 RUN \
-echo ">> Downloading go modules..." && \
+	echo ">> Downloading go modules..." && \
-go mod download
+	go mod download
 COPY / ./
@ -36,12 +36,12 @@ COPY --from=builder-frontend /node/src/internal/server/public_html internal/serv
 ARG LDFLAGS_EXTRA
 RUN \
-mv api internal/server/public_html/api && \
+	mv api internal/server/public_html/api && \
-cd cmd/authelia && \
+	cd cmd/authelia && \
-chmod 0666 /go/src/app/.healthcheck.env && \
+	chmod 0666 /go/src/app/.healthcheck.env && \
-echo ">> Starting go build (coverage via go test)..." && \
+	echo ">> Starting go build (coverage via go test)..." && \
-CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" go test -c --tags coverage -covermode=atomic \
+	CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" go test -c --tags coverage -covermode=atomic \
-ldflags "${LDFLAGS_EXTRA}" -o authelia -coverpkg github.com/authelia/authelia/...
+	-ldflags "${LDFLAGS_EXTRA}" -o authelia -coverpkg github.com/authelia/authelia/...
 # ===================================
 # ===== Authelia official image =====
@ -58,7 +58,8 @@ EXPOSE 9091
 VOLUME /config
-ENV PATH="/app:${PATH}"
+ENV PATH="/app:${PATH}" \
    X_AUTHELIA_CONFIG="/config/configuration.yml"
-CMD ["authelia", "-test.coverprofile=/authelia/coverage.txt", "COVERAGE", "--config", "/config/configuration.yml"]
+CMD ["authelia", "-test.coverprofile=/authelia/coverage.txt", "COVERAGE"]
 HEALTHCHECK --interval=30s --timeout=3s CMD /app/healthcheck.sh
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@ -18,14 +18,14 @@ FROM golang:1.19.4-alpine AS builder-backend
 WORKDIR /go/src/app
 RUN \
-echo ">> Downloading required apk's..." && \
+	echo ">> Downloading required apk's..." && \
-apk --no-cache add gcc musl-dev
+	apk --no-cache add gcc musl-dev
 COPY go.mod go.sum ./
 RUN \
-echo ">> Downloading go modules..." && \
+	echo ">> Downloading go modules..." && \
-go mod download
+	go mod download
 COPY / ./
@ -34,11 +34,11 @@ COPY --from=builder-frontend /node/src/internal/server/public_html internal/serv
 ARG LDFLAGS_EXTRA
 RUN \
-mv api internal/server/public_html/api && \
+	mv api internal/server/public_html/api && \
-chmod 0666 /go/src/app/.healthcheck.env && \
+	chmod 0666 /go/src/app/.healthcheck.env && \
-echo ">> Starting go build..." && \
+	echo ">> Starting go build..." && \
-CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" go build \
+	CGO_ENABLED=1 CGO_CPPFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" CGO_LDFLAGS="-Wl,-z,relro,-z,now" go build \
-ldflags "-linkmode=external -s -w ${LDFLAGS_EXTRA}" -trimpath -buildmode=pie -o authelia ./cmd/authelia
+	-ldflags "-linkmode=external -s -w ${LDFLAGS_EXTRA}" -trimpath -buildmode=pie -o authelia ./cmd/authelia
 # ===================================
 # ===== Authelia official image =====
@ -50,20 +50,20 @@ WORKDIR /app
 # Set environment variables
 ENV PATH="/app:${PATH}" \
    PUID=0 \
-    PGID=0
+    PGID=0 \
    X_AUTHELIA_CONFIG="/config/configuration.yml"
 RUN \
-apk --no-cache add ca-certificates su-exec tzdata
+	apk --no-cache add ca-certificates su-exec tzdata
 COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./
 RUN \
-chmod 0666 /app/.healthcheck.env
+	chmod 0666 /app/.healthcheck.env
 EXPOSE 9091
 VOLUME /config
 ENTRYPOINT ["/app/entrypoint.sh"]
 CMD ["--config", "/config/configuration.yml"]
 HEALTHCHECK --interval=30s --timeout=3s --start-period=1m CMD /app/healthcheck.sh
--- a/README.md
+++ b/README.md
@ -307,6 +307,7 @@ Thanks goes to these wonderful people ([emoji key](https://allcontributors.org/d
    <tr>
      <td align="center"><a href="https://github.com/paul-ohl"><img src="https://avatars.githubusercontent.com/u/37795294?v=4?s=100" width="100px;" alt="Paul Ohl"/><br /><sub><b>Paul Ohl</b></sub></a><br /><a href="https://github.com/authelia/authelia/commits?author=paul-ohl" title="Documentation">📖</a></td>
      <td align="center"><a href="https://github.com/smkent"><img src="https://avatars.githubusercontent.com/u/2831985?v=4?s=100" width="100px;" alt="Stephen Kent"/><br /><sub><b>Stephen Kent</b></sub></a><br /><a href="#ideas-smkent" title="Ideas, Planning, & Feedback">🤔</a> <a href="https://github.com/authelia/authelia/commits?author=smkent" title="Code">💻</a> <a href="#design-smkent" title="Design">🎨</a></td>
      <td align="center"><a href="https://github.com/Ohelig"><img src="https://avatars.githubusercontent.com/u/5841980?v=4?s=100" width="100px;" alt="Ohelig"/><br /><sub><b>Ohelig</b></sub></a><br /><a href="https://github.com/authelia/authelia/commits?author=Ohelig" title="Documentation">📖</a></td>
    </tr>
  </tbody>
 </table>
--- a/api/openapi.yml
+++ b/api/openapi.yml
@ -175,6 +175,240 @@ paths:
          description: Unauthorized
      security:
        - authelia_auth: []
    options:
      tags:
        - Authentication
      summary: Verification
      description: >
        The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
        domain.
      parameters:
        - $ref: '#/components/parameters/originalURLParam'
        - $ref: '#/components/parameters/forwardedMethodParam'
        - $ref: '#/components/parameters/authParam'
      responses:
        "200":
          description: Successful Operation
          headers:
            remote-user:
              description: Username
              schema:
                type: string
                example: john
            remote-name:
              description: Name
              schema:
                type: string
                example: John Doe
            remote-email:
              description: Email
              schema:
                type: string
                example: john.doe@authelia.com
            remote-groups:
              description: Comma separated list of Groups
              schema:
                type: string
                example: admin,devs
        "401":
          description: Unauthorized
      security:
        - authelia_auth: []
    post:
      tags:
        - Authentication
      summary: Verification
      description: >
        The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
        domain.
      parameters:
        - $ref: '#/components/parameters/originalURLParam'
        - $ref: '#/components/parameters/forwardedMethodParam'
        - $ref: '#/components/parameters/authParam'
      responses:
        "200":
          description: Successful Operation
          headers:
            remote-user:
              description: Username
              schema:
                type: string
                example: john
            remote-name:
              description: Name
              schema:
                type: string
                example: John Doe
            remote-email:
              description: Email
              schema:
                type: string
                example: john.doe@authelia.com
            remote-groups:
              description: Comma separated list of Groups
              schema:
                type: string
                example: admin,devs
        "401":
          description: Unauthorized
      security:
        - authelia_auth: []
    put:
      tags:
        - Authentication
      summary: Verification
      description: >
        The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
        domain.
      parameters:
        - $ref: '#/components/parameters/originalURLParam'
        - $ref: '#/components/parameters/forwardedMethodParam'
        - $ref: '#/components/parameters/authParam'
      responses:
        "200":
          description: Successful Operation
          headers:
            remote-user:
              description: Username
              schema:
                type: string
                example: john
            remote-name:
              description: Name
              schema:
                type: string
                example: John Doe
            remote-email:
              description: Email
              schema:
                type: string
                example: john.doe@authelia.com
            remote-groups:
              description: Comma separated list of Groups
              schema:
                type: string
                example: admin,devs
        "401":
          description: Unauthorized
      security:
        - authelia_auth: []
    patch:
      tags:
        - Authentication
      summary: Verification
      description: >
        The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
        domain.
      parameters:
        - $ref: '#/components/parameters/originalURLParam'
        - $ref: '#/components/parameters/forwardedMethodParam'
        - $ref: '#/components/parameters/authParam'
      responses:
        "200":
          description: Successful Operation
          headers:
            remote-user:
              description: Username
              schema:
                type: string
                example: john
            remote-name:
              description: Name
              schema:
                type: string
                example: John Doe
            remote-email:
              description: Email
              schema:
                type: string
                example: john.doe@authelia.com
            remote-groups:
              description: Comma separated list of Groups
              schema:
                type: string
                example: admin,devs
        "401":
          description: Unauthorized
      security:
        - authelia_auth: []
    delete:
      tags:
        - Authentication
      summary: Verification
      description: >
        The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
        domain.
      parameters:
        - $ref: '#/components/parameters/originalURLParam'
        - $ref: '#/components/parameters/forwardedMethodParam'
        - $ref: '#/components/parameters/authParam'
      responses:
        "200":
          description: Successful Operation
          headers:
            remote-user:
              description: Username
              schema:
                type: string
                example: john
            remote-name:
              description: Name
              schema:
                type: string
                example: John Doe
            remote-email:
              description: Email
              schema:
                type: string
                example: john.doe@authelia.com
            remote-groups:
              description: Comma separated list of Groups
              schema:
                type: string
                example: admin,devs
        "401":
          description: Unauthorized
      security:
        - authelia_auth: []
    trace:
      tags:
        - Authentication
      summary: Verification
      description: >
        The verify endpoint provides the ability to verify if a user has the necessary permissions to access a specified
        domain.
      parameters:
        - $ref: '#/components/parameters/originalURLParam'
        - $ref: '#/components/parameters/forwardedMethodParam'
        - $ref: '#/components/parameters/authParam'
      responses:
        "200":
          description: Successful Operation
          headers:
            remote-user:
              description: Username
              schema:
                type: string
                example: john
            remote-name:
              description: Name
              schema:
                type: string
                example: John Doe
            remote-email:
              description: Email
              schema:
                type: string
                example: john.doe@authelia.com
            remote-groups:
              description: Comma separated list of Groups
              schema:
                type: string
                example: admin,devs
        "401":
          description: Unauthorized
      security:
        - authelia_auth: []
  /api/firstfactor:
    post:
      tags:
--- a/cmd/authelia-gen/templates.go
+++ b/cmd/authelia-gen/templates.go
@ -5,18 +5,14 @@ import (
 	"fmt"
 	"strings"
 	"text/template"
 	"github.com/authelia/authelia/v4/internal/templates"
 )
 //go:embed templates/*
 var templatesFS embed.FS
 var (
 	funcMap = template.FuncMap{
 		"stringsContains": strings.Contains,
 		"join":            strings.Join,
 		"joinX":           fmJoinX,
 	}
 	tmplCodeConfigurationSchemaKeys = template.Must(newTMPL("internal_configuration_schema_keys.go"))
 	tmplGitHubIssueTemplateBug      = template.Must(newTMPL("github_issue_template_bug_report.yml"))
 	tmplIssueTemplateFeature        = template.Must(newTMPL("github_issue_template_feature.yml"))
@ -27,33 +23,14 @@ var (
 	tmplServer                      = template.Must(newTMPL("server_gen.go"))
 )
 func fmJoinX(elems []string, sep string, n int, p string) string {
 	buf := strings.Builder{}
 	c := 0
 	e := len(elems) - 1
 	for i := 0; i <= e; i++ {
 		if c+len(elems[i])+1 > n {
 			c = 0
 			buf.WriteString(p)
 		}
 		c += len(elems[i]) + 1
 		buf.WriteString(elems[i])
 		if i < e {
 			buf.WriteString(sep)
 		}
 	}
 	return buf.String()
 }
 func newTMPL(name string) (tmpl *template.Template, err error) {
-	return template.New(name).Funcs(funcMap).Parse(mustLoadTmplFS(name))
+	return template.New(name).
 		Funcs(template.FuncMap{
 			"stringsContains": strings.Contains,
 			"join":            strings.Join,
 			"joinX":           templates.StringJoinXFunc,
 		}).
 		Parse(mustLoadTmplFS(name))
 }
 func mustLoadTmplFS(tmpl string) string {
--- a/config.template.yml
+++ b/config.template.yml
@ -284,8 +284,10 @@ authentication_backend:
  # ldap:
    ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
    ## Acceptable options are as follows:
-    ## - 'activedirectory' - For Microsoft Active Directory.
+    ## - 'activedirectory' - for Microsoft Active Directory.
-    ## - 'custom' - For custom specifications of attributes and filters.
+    ## - 'freeipa' - for FreeIPA.
    ## - 'lldap' - for lldap.
    ## - 'custom' - for custom specifications of attributes and filters.
    ## This currently defaults to 'custom' to maintain existing behaviour.
    ##
    ## Depending on the option here certain other values in this section have a default value, notably all of the
--- a/docs/content/en/configuration/methods/files.md
+++ b/docs/content/en/configuration/methods/files.md
@ -12,6 +12,23 @@ weight: 101200
 toc: true
 ---
 ## Loading Behaviour and Discovery
 There are several options which affect the loading of files:
 |       Name        |            Argument             |    Environment Variable     |                                    Description                                     |
 |:-----------------:|:-------------------------------:|:---------------------------:|:----------------------------------------------------------------------------------:|
 | Files/Directories |        `--config`, `-c`         |     `X_AUTHELIA_CONFIG`     | A list of file or directory (non-recursive) paths to load configuration files from |
 |      Filters      | `--config.experimental.filters` | `X_AUTHELIA_CONFIG_FILTERS` |   A list of filters applied to every file from the Files or Directories options    |
 __*Note:* when specifying directories and files, the individual files specified must not be within any of the
 directories specified.__
 Configuration options can be discovered via either the Argument or Environment Variable, but not both at the same time.
 If both are specified the Argument takes precedence and the Environment Variable is ignored. It is generally recommended
 that if you're using a container that you use the Environment Variable as this will allow you to execute other commands
 from the context of the container more easily.
 ## Formats
 The only supported configuration file format is [YAML](#yaml).
@ -124,3 +141,167 @@ spec:
 See the Kubernetes [workloads documentation](https://kubernetes.io/docs/concepts/workloads/pods/#pod-templates) or the
 [Container API docs](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.23/#container-v1-core) for more
 information.
 ## File Filters
 Experimental file filters exist which allow modification of all configuration files after reading them from the
 filesystem but before parsing their content. These filters are _**NOT**_ covered by our
 [Standard Versioning Policy](../../policies/versioning.md). There __*WILL*__ be a point where the name of the CLI
 argument or environment variable will change and usage of these will either break or just not work.
 The filters are configured as a list of filter names by the `--config.experimental.filters` CLI argument and
 `X_AUTHELIA_CONFIG_EXPERIMENTAL_FILTERS` environment variable. We recommend using the environment variable as it ensures
 commands executed from the container use the same filters. If both the CLI argument and environment variable are used
 the environment variable is completely ignored.
 Filters can either be used on their own, in combination, or not at all. The filters are processed in order as they are
 defined.
 Examples:
 ```bash
 authelia --config config.yml --config.experimental.filters expand-env,template
 ```
 ```text
 X_AUTHELIA_CONFIG_EXPERIMENTAL_FILTERS=expand-env,template
 ```
 ### Expand Environment Variable Filter
 The name used to enable this filter is `expand-env`.
 This filter is the most common filter type used by many other applications. It is similar to using `envsubst` where it
 replaces a string like `$EXAMPLE` or `${EXAMPLE}` with the value of the `EXAMPLE` environment variable.
 ### Go Template Filter
 The name used to enable this filter is `template`.
 This filter uses the [Go template engine](https://pkg.go.dev/text/template) to render the configuration files. It uses
 similar syntax to Jinja2 templates with different function names.
 Comprehensive examples are beyond what we support and people wishing to use this should consult the official
 [Go template engine](https://pkg.go.dev/text/template) documentation for syntax instructions. We also log the generated
 output at each filter stage as a base64 string when trace logging is enabled.
 #### Functions
 In addition to the standard builtin functions we support several other functions.
 ##### iterate
 The `iterate` function generates a list of numbers from 0 to the input provided. Useful for ranging over a list of
 numbers.
 Example:
 ```yaml
 numbers:
 {{- range $i := iterate 5 }}
  -  {{ $i }}
 {{- end }}
 ```
 ##### env
 The `env` function returns the value of an environment variable or a blank string.
 Example:
 ```yaml
 default_redirection_url: 'https://{{ env "DOMAIN" }}'
 ```
 ##### split
 The `split` function splits a string by the separator.
 Example:
 ```yaml
 access_control:
  rules:
    - domain: 'app.{{ env "DOMAIN" }}'
      policy: bypass
      methods:
      {{ range _, $method := split "GET,POST" "," }}
        - {{ $method }}
      {{ end }}
 ```
 ##### join
 The `join` function is similar to [split](#split) but does the complete oppiste, joining an array of strings with a
 separator.
 Example:
 ```yaml
 access_control:
  rules:
    - domain: ['app.{{ join (split (env "DOMAINS") ",") "', 'app." }}']
      policy: bypass
 ```
 ##### contains
 The `contains` function is a test function which checks if one string contains another string.
 Example:
 ```yaml
 {{ if contains (env "DOMAIN") "https://" }}
 default_redirection_url: '{{ env "DOMAIN" }}'
 {{ else }}
 default_redirection_url: 'https://{{ env "DOMAIN" }}'
 {{ end }}
 ```
 ##### hasPrefix
 The `hasPrefix` function is a test function which checks if one string is prefixed with another string.
 Example:
 ```yaml
 {{ if hasPrefix (env "DOMAIN") "https://" }}
 default_redirection_url: '{{ env "DOMAIN" }}'
 {{ else }}
 default_redirection_url: 'https://{{ env "DOMAIN" }}'
 {{ end }}
 ```
 ##### hasSuffix
 The `hasSuffix` function is a test function which checks if one string is suffixed with another string.
 Example:
 ```yaml
 {{ if hasSuffix (env "DOMAIN") "/" }}
 default_redirection_url: 'https://{{ env "DOMAIN" }}'
 {{ else }}
 default_redirection_url: 'https://{{ env "DOMAIN" }}/'
 {{ end }}
 ```
 ##### lower
 The `lower` function is a conversion function which converts a string to all lowercase.
 Example:
 ```yaml
 default_redirection_url: 'https://{{ env "DOMAIN" | lower }}'
 ```
 ##### upper
 The `upper` function is a conversion function which converts a string to all uppercase.
 Example:
 ```yaml
 default_redirection_url: 'https://{{ env "DOMAIN" | upper }}'
 ```
--- a/docs/content/en/configuration/notifications/smtp.md
+++ b/docs/content/en/configuration/notifications/smtp.md
@ -209,8 +209,9 @@ Some SMTP servers ignore SMTP specifications and claim to support STARTTLS when
 For security reasons Authelia refuses to send messages to these servers.
 This option disables this measure and is enabled  *__AT YOUR OWN RISK__*. It's *__strongly recommended__*
 that instead of enabling this option you either fix the issue with the SMTP server's configuration or
-have the administrators of the server fix it. If the issue can't be fixed by configuration we recommend
+have the administrators of the server fix it. If the issue can't be fixed via the SMTP server configuration we recommend
 lodging an issue with the authors of the SMTP server.
 See [security] for more information.
 ### disable_html_emails
--- a/docs/content/en/configuration/second-factor/time-based-one-time-password.md
+++ b/docs/content/en/configuration/second-factor/time-based-one-time-password.md
@ -169,23 +169,8 @@ This may be inconvenient for some users who wish to export TOTP keys from Authel
 a command specifically for exporting TOTP configurations from the database. These commands require the configuration or
 at least a minimal configuration that has the storage backend connection details and the encryption key.
-Export in [Key URI Format](https://github.com/google/google-authenticator/wiki/Key-Uri-Format):
+See the [CLI Documentation](../../reference/cli/authelia/authelia_storage_user_totp_export.md) for methods to perform
-
+exports.
 ```bash
 authelia storage user totp export --format uri
 ```
 Export as CSV:
 ```bash
 authelia storage user totp export --format csv
 ```
 Help:
 ```bash
 authelia storage user totp export --help
 ```
 [RFC4226]: https://www.rfc-editor.org/rfc/rfc4226.html
 [RFC6238]: https://www.rfc-editor.org/rfc/rfc6238.html
--- a/docs/content/en/integration/openid-connect/introduction.md
+++ b/docs/content/en/integration/openid-connect/introduction.md
@ -93,7 +93,7 @@ Reference values.
 The values this [Claim] has are not strictly defined by the [OpenID Connect] specification. As such, some backends may
 expect a specification other than [RFC8176] for this purpose. If you have such an application and wish for us to support
-it then you're encouraged to create an issue.
+it then you're encouraged to create a [feature request](https://www.authelia.com/l/fr).
 Below is a list of the potential values we place in the [Claim] and their meaning:
--- a/docs/content/en/overview/security/measures.md
+++ b/docs/content/en/overview/security/measures.md
@ -346,14 +346,17 @@ typically located at `/etc/fail2ban/filter.d`.
 # the failregex rule counts every failed 1FA attempt (first line, wrong username or password) and failed 2FA attempt
 # second line) as a failure.
-# the ignoreregex rule ignores debug, info and warning messages as all authentication failures are flagged as errors
+# the ignoreregex rule ignores info and warning messages as all authentication failures are flagged as errors
 # the third line catches incorrect usernames entered at the password reset form
 # the fourth line catches attempts to spam via the password reset form or 2fa device reset form. This requires debug logging to be enabled
 [Definition]
 failregex = ^.*Unsuccessful 1FA authentication attempt by user .*remote_ip="?<HOST>"? stack.*
            ^.*Unsuccessful (TOTP|Duo|U2F) authentication attempt by user .*remote_ip="?<HOST>"? stack.*
            ^.*user not found.*path=/api/reset-password/identity/start remote_ip="?<HOST>"? stack.*
            ^.*Sending an email to user.*path=/api/.*/start remote_ip="?<HOST>"?
-ignoreregex = ^.*level=debug.*
+ignoreregex = ^.*level=info.*
              ^.*level=info.*
              ^.*level=warning.*
 ```
--- a/docs/content/en/policies/privacy.md
+++ b/docs/content/en/policies/privacy.md
@ -16,9 +16,14 @@ aliases:
  - /privacy.html
 ---
 ## Website
 This section applies to the public website at https://www.authelia.com and does not apply to the _Authelia_ application
 itself.
 __TLDR__: We do not use cookies and we do not collect any personal data.
-## Website visitors
+### Website visitors
 * No personal information is collected.
 * No information is stored in the browser.
@ -27,6 +32,32 @@ __TLDR__: We do not use cookies and we do not collect any personal data.
 * No information is mined and harvested for personal and behavioral trends.
 * No information is monetized.
 ## Application
 This section applies to the _Authelia_ application itself and does not apply to the public website
 at https://www.authelia.com. It's important for users of _Authelia_ to note that this policy only applies to what the
 _Authelia_ application itself does automatically. Individual installations of _Authelia_ may differ from this policy
 depending on the administrator who deploys the application. It is beyond our ability to include this in our policy and
 you should refer to their privacy policy.
 __TLDR__: We collect only information necessary to operate the application and properly perform security audits. This
 information is only stored in the local SQL database and is NOT sent to any external service.
 ### Application visitors
 * Information collected is stored locally in the database and not sent to any external service.
 * No personal information is collected other than:
  * Username and IP address are recorded and logged for security related events for auditing purposes.
 * The information stored in the browser is:
  * Cookies:
    * A session cookie necessary for the application to operate.
  * Local Storage:
    * A language preference necessary for the application to operate.
 * No information is shared with, sent to or sold to third-parties.
 * No information is shared with advertising companies.
 * No information is mined and harvested for personal and behavioral trends.
 * No information is monetized.
 ## Contact us
 [Contact us](../information/contact.md) if you have any questions.
--- a/docs/content/en/policies/versioning.md
+++ b/docs/content/en/policies/versioning.md
@ -0,0 +1,52 @@
 ---
 title: "Versioning Policy"
 description: "The Authelia Versioning Policy which is important reading for administrators"
 date: 2022-12-21T20:48:14+11:00
 draft: false
 images: []
 aliases:
  - /versioning-policy
  - /versioning
 ---
 The __Authelia__ team aims to abide by the [Semantic Versioning 2.0.0](https://semver.org/spec/v2.0.0.html) policy. This
 means that we use the format `major.minor.patch` for our version numbers, where a change to `major` denotes a breaking
 change which will likely require user interaction to upgrade, `minor` which denotes a new feature, and `patch` denotes a
 fix.
 It is therefore recommended users do not automatically upgrade the `minor` version without reading the patch notes, and
 it's critically important users do not upgrade the `major` version without reading the patch notes. You should pin your
 version to `4.37` for example to prevent automatic upgrades from negatively affecting you.
 ## Exceptions
 There are exceptions to this versioning policy.
 ### Advanced Customizations
 Some advanced customizations are not guaranteed by the versioning policy. These features require the administrator to
 ensure they keep up to date with the changes relevant to their version. While the customizations exist as a feature we
 cannot allow these customizations to hinder the development process.
 Notable Advanced Customizations:
 - Templates:
  - Email
  - Content Security Policy header
 - Localization Assets
 ### Breaking Changes
 All features which are marked as:
 - beta
 - experimental
 Notable examples:
 - OpenID Connect 1.0
 - File Filters
 The reasoning is as we develop these features there may be mistakes and we may need to make a change that should be
 considered breaking. As these features graduate from their status to generally available they will move into our
 standard versioning policy from this exception.
--- a/docs/content/en/reference/cli/authelia/authelia.md
+++ b/docs/content/en/reference/cli/authelia/authelia.md
@ -24,7 +24,8 @@ An open-source authentication and authorization server providing
 two-factor authentication and single sign-on (SSO) for your
 applications via a web portal.
-Documentation is available at: https://www.authelia.com/
+General documentation is available at: https://www.authelia.com/
 CLI documentation is available at: https://www.authelia.com/reference/cli/authelia/authelia/
 ```
 authelia [flags]
@ -41,7 +42,8 @@ authelia --config /etc/authelia/config/
 ### Options
 ```
-  -c, --config strings   configuration files to load
+  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
  -h, --help                                  help for authelia
 ```
@ -50,7 +52,6 @@ authelia --config /etc/authelia/config/
 * [authelia access-control](authelia_access-control.md)	 - Helpers for the access control system
 * [authelia build-info](authelia_build-info.md)	 - Show the build information of Authelia
 * [authelia crypto](authelia_crypto.md)	 - Perform cryptographic operations
 * [authelia hash-password](authelia_hash-password.md)	 - Hash a password to be used in file-based users database
 * [authelia storage](authelia_storage.md)	 - Manage the Authelia storage
 * [authelia validate-config](authelia_validate-config.md)	 - Check a configuration against the internal configuration validation mechanisms
--- a/docs/content/en/reference/cli/authelia/authelia_access-control.md
+++ b/docs/content/en/reference/cli/authelia/authelia_access-control.md
@ -32,6 +32,13 @@ authelia access-control --help
  -h, --help   help for access-control
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia](authelia.md)	 - authelia untagged-unknown-dirty (master, unknown)
--- a/docs/content/en/reference/cli/authelia/authelia_access-control_check-policy.md
+++ b/docs/content/en/reference/cli/authelia/authelia_access-control_check-policy.md
@ -53,7 +53,6 @@ authelia access-control check-policy --config config.yml --url https://example.c
 ### Options
 ```
  -c, --config strings    configuration files to load (default [configuration.yml])
      --groups strings    the groups of the subject
  -h, --help              help for check-policy
      --ip string         the ip of the subject
@ -63,6 +62,13 @@ authelia access-control check-policy --config config.yml --url https://example.c
      --verbose           enables verbose output
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia access-control](authelia_access-control.md)	 - Helpers for the access control system
--- a/docs/content/en/reference/cli/authelia/authelia_build-info.md
+++ b/docs/content/en/reference/cli/authelia/authelia_build-info.md
@ -45,6 +45,13 @@ authelia build-info
  -h, --help   help for build-info
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia](authelia.md)	 - authelia untagged-unknown-dirty (master, unknown)
--- a/docs/content/en/reference/cli/authelia/authelia_crypto.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto.md
@ -34,6 +34,13 @@ authelia crypto --help
  -h, --help   help for crypto
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia](authelia.md)	 - authelia untagged-unknown-dirty (master, unknown)
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate.md
@ -34,6 +34,13 @@ authelia crypto certificate --help
  -h, --help   help for certificate
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto](authelia_crypto.md)	 - Perform cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa.md
@ -34,6 +34,13 @@ authelia crypto certificate ecdsa --help
  -h, --help   help for ecdsa
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto certificate](authelia_crypto_certificate.md)	 - Perform certificate cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_generate.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_generate.md
@ -36,7 +36,7 @@ authelia crypto certificate ecdsa generate --help
 ```
      --ca                            create the certificate as a certificate authority certificate
-  -c, --common-name string            certificate common name
+  -n, --common-name string            certificate common name
      --country strings               certificate country
  -b, --curve string                  Sets the elliptic curve which can be P224, P256, P384, or P521 (default "P256")
  -d, --directory string              directory where the generated keys, certificates, etc will be stored
@ -59,6 +59,13 @@ authelia crypto certificate ecdsa generate --help
  -s, --street-address strings        certificate street address
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto certificate ecdsa](authelia_crypto_certificate_ecdsa.md)	 - Perform ECDSA certificate cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_request.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ecdsa_request.md
@ -35,7 +35,7 @@ authelia crypto certificate ecdsa request --help
 ### Options
 ```
-  -c, --common-name string            certificate common name
+  -n, --common-name string            certificate common name
      --country strings               certificate country
  -b, --curve string                  Sets the elliptic curve which can be P224, P256, P384, or P521 (default "P256")
  -d, --directory string              directory where the generated keys, certificates, etc will be stored
@ -54,6 +54,13 @@ authelia crypto certificate ecdsa request --help
  -s, --street-address strings        certificate street address
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto certificate ecdsa](authelia_crypto_certificate_ecdsa.md)	 - Perform ECDSA certificate cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519.md
@ -34,6 +34,13 @@ authelia crypto certificate ed25519 --help
  -h, --help   help for ed25519
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto certificate](authelia_crypto_certificate.md)	 - Perform certificate cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_generate.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_generate.md
@ -36,7 +36,7 @@ authelia crypto certificate ed25519 request --help
 ```
      --ca                            create the certificate as a certificate authority certificate
-  -c, --common-name string            certificate common name
+  -n, --common-name string            certificate common name
      --country strings               certificate country
  -d, --directory string              directory where the generated keys, certificates, etc will be stored
      --duration duration             duration of time the certificate is valid for (default 8760h0m0s)
@ -58,6 +58,13 @@ authelia crypto certificate ed25519 request --help
  -s, --street-address strings        certificate street address
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto certificate ed25519](authelia_crypto_certificate_ed25519.md)	 - Perform Ed25519 certificate cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_request.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_ed25519_request.md
@ -35,7 +35,7 @@ authelia crypto certificate ed25519 request --help
 ### Options
 ```
-  -c, --common-name string            certificate common name
+  -n, --common-name string            certificate common name
      --country strings               certificate country
  -d, --directory string              directory where the generated keys, certificates, etc will be stored
      --duration duration             duration of time the certificate is valid for (default 8760h0m0s)
@ -53,6 +53,13 @@ authelia crypto certificate ed25519 request --help
  -s, --street-address strings        certificate street address
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto certificate ed25519](authelia_crypto_certificate_ed25519.md)	 - Perform Ed25519 certificate cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa.md
@ -34,6 +34,13 @@ authelia crypto certificate rsa --help
  -h, --help   help for rsa
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto certificate](authelia_crypto_certificate.md)	 - Perform certificate cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_generate.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_generate.md
@ -37,7 +37,7 @@ authelia crypto certificate rsa generate --help
 ```
  -b, --bits int                      number of RSA bits for the certificate (default 2048)
      --ca                            create the certificate as a certificate authority certificate
-  -c, --common-name string            certificate common name
+  -n, --common-name string            certificate common name
      --country strings               certificate country
  -d, --directory string              directory where the generated keys, certificates, etc will be stored
      --duration duration             duration of time the certificate is valid for (default 8760h0m0s)
@ -59,6 +59,13 @@ authelia crypto certificate rsa generate --help
  -s, --street-address strings        certificate street address
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto certificate rsa](authelia_crypto_certificate_rsa.md)	 - Perform RSA certificate cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_request.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_certificate_rsa_request.md
@ -36,7 +36,7 @@ authelia crypto certificate rsa request --help
 ```
  -b, --bits int                      number of RSA bits for the certificate (default 2048)
-  -c, --common-name string            certificate common name
+  -n, --common-name string            certificate common name
      --country strings               certificate country
  -d, --directory string              directory where the generated keys, certificates, etc will be stored
      --duration duration             duration of time the certificate is valid for (default 8760h0m0s)
@ -54,6 +54,13 @@ authelia crypto certificate rsa request --help
  -s, --street-address strings        certificate street address
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto certificate rsa](authelia_crypto_certificate_rsa.md)	 - Perform RSA certificate cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash.md
@ -34,6 +34,13 @@ authelia crypto hash --help
  -h, --help   help for hash
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto](authelia_crypto.md)	 - Perform cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate.md
@ -37,7 +37,6 @@ authelia crypto hash generate --help
 ### Options
 ```
  -c, --config strings             configuration files to load (default [configuration.yml])
  -h, --help                       help for generate
      --no-confirm                 skip the password confirmation prompt
      --password string            manually supply the password rather than using the terminal prompt
@ -47,6 +46,13 @@ authelia crypto hash generate --help
      --random.length int          sets the character length for the random string (default 72)
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto hash](authelia_crypto_hash.md)	 - Perform cryptographic hash operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_argon2.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_argon2.md
@ -48,7 +48,8 @@ authelia crypto hash generate argon2 --help
 ### Options inherited from parent commands
 ```
-  -c, --config strings             configuration files to load (default [configuration.yml])
+  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --no-confirm                            skip the password confirmation prompt
      --password string                       manually supply the password rather than using the terminal prompt
      --random                                uses a randomly generated password
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_bcrypt.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_bcrypt.md
@ -43,7 +43,8 @@ authelia crypto hash generate bcrypt --help
 ### Options inherited from parent commands
 ```
-  -c, --config strings             configuration files to load (default [configuration.yml])
+  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --no-confirm                            skip the password confirmation prompt
      --password string                       manually supply the password rather than using the terminal prompt
      --random                                uses a randomly generated password
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_pbkdf2.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_pbkdf2.md
@ -44,7 +44,8 @@ authelia crypto hash generate pbkdf2 --help
 ### Options inherited from parent commands
 ```
-  -c, --config strings             configuration files to load (default [configuration.yml])
+  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --no-confirm                            skip the password confirmation prompt
      --password string                       manually supply the password rather than using the terminal prompt
      --random                                uses a randomly generated password
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_scrypt.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_scrypt.md
@ -46,7 +46,8 @@ authelia crypto hash generate scrypt --help
 ### Options inherited from parent commands
 ```
-  -c, --config strings             configuration files to load (default [configuration.yml])
+  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --no-confirm                            skip the password confirmation prompt
      --password string                       manually supply the password rather than using the terminal prompt
      --random                                uses a randomly generated password
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_sha2crypt.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_generate_sha2crypt.md
@ -44,7 +44,8 @@ authelia crypto hash generate sha2crypt --help
 ### Options inherited from parent commands
 ```
-  -c, --config strings             configuration files to load (default [configuration.yml])
+  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --no-confirm                            skip the password confirmation prompt
      --password string                       manually supply the password rather than using the terminal prompt
      --random                                uses a randomly generated password
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_hash_validate.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_hash_validate.md
@ -40,6 +40,13 @@ authelia crypto hash validate '$5$rounds=500000$WFjMpdCQxIkbNl0k$M0qZaZoK8Gwdh8C
      --password string   manually supply the password rather than using the terminal prompt
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto hash](authelia_crypto_hash.md)	 - Perform cryptographic hash operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair.md
@ -34,6 +34,13 @@ authelia crypto pair --help
  -h, --help   help for pair
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto](authelia_crypto.md)	 - Perform cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ecdsa.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ecdsa.md
@ -38,6 +38,13 @@ authelia crypto pair ecdsa --help
  -h, --help   help for ecdsa
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto pair](authelia_crypto_pair.md)	 - Perform key pair cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ecdsa_generate.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ecdsa_generate.md
@ -43,6 +43,13 @@ authelia crypto pair ecdsa generate --help
      --pkcs8                     force PKCS #8 ASN.1 format
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto pair ecdsa](authelia_crypto_pair_ecdsa.md)	 - Perform ECDSA key pair cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ed25519.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ed25519.md
@ -38,6 +38,13 @@ authelia crypto pair ed25519 --help
  -h, --help   help for ed25519
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto pair](authelia_crypto_pair.md)	 - Perform key pair cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ed25519_generate.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_ed25519_generate.md
@ -42,6 +42,13 @@ authelia crypto pair ed25519 generate --help
      --pkcs8                     force PKCS #8 ASN.1 format
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto pair ed25519](authelia_crypto_pair_ed25519.md)	 - Perform Ed25519 key pair cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_rsa.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_rsa.md
@ -38,6 +38,13 @@ authelia crypto pair rsa --help
  -h, --help   help for rsa
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto pair](authelia_crypto_pair.md)	 - Perform key pair cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_pair_rsa_generate.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_pair_rsa_generate.md
@ -43,6 +43,13 @@ authelia crypto pair rsa generate --help
      --pkcs8                     force PKCS #8 ASN.1 format
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto pair rsa](authelia_crypto_pair_rsa.md)	 - Perform RSA key pair cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_crypto_rand.md
+++ b/docs/content/en/reference/cli/authelia/authelia_crypto_rand.md
@ -44,11 +44,18 @@ authelia crypto rand --characters 0123456789ABCDEF
 ```
      --characters string   sets the explicit characters for the random string
-  -c, --charset string      sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
+  -x, --charset string      sets the charset for the random password, options are 'ascii', 'alphanumeric', 'alphabetic', 'numeric', 'numeric-hex', and 'rfc3986' (default "alphanumeric")
  -h, --help                help for rand
  -n, --length int          sets the character length for the random string (default 72)
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia crypto](authelia_crypto.md)	 - Perform cryptographic operations
--- a/docs/content/en/reference/cli/authelia/authelia_hash-password.md
+++ b/docs/content/en/reference/cli/authelia/authelia_hash-password.md
@ -1,55 +0,0 @@
 ---
 title: "authelia hash-password"
 description: "Reference for the authelia hash-password command."
 lead: ""
 date: 2022-06-15T17:51:47+10:00
 draft: false
 images: []
 menu:
  reference:
    parent: "cli-authelia"
 weight: 905
 toc: true
 ---
 ## authelia hash-password
 Hash a password to be used in file-based users database
 ### Synopsis
 Hash a password to be used in file-based users database.
 ```
 authelia hash-password [flags] -- [password]
 ```
 ### Examples
 ```
 authelia hash-password -- 'mypass'
 authelia hash-password --sha512 -- 'mypass'
 authelia hash-password --iterations=4 -- 'mypass'
 authelia hash-password --memory=128 -- 'mypass'
 authelia hash-password --parallelism=1 -- 'mypass'
 authelia hash-password --key-length=64 -- 'mypass'
 ```
 ### Options
 ```
  -c, --config strings    configuration files to load (default [configuration.yml])
  -h, --help              help for hash-password
  -i, --iterations int    set the number of hashing iterations (default 3)
  -k, --key-length int    [argon2id] set the key length param (default 32)
  -m, --memory int        [argon2id] set the amount of memory param (in MB) (default 65536)
      --no-confirm        skip the password confirmation prompt
  -p, --parallelism int   [argon2id] set the parallelism param (default 4)
  -l, --salt-length int   set the auto-generated salt length (default 16)
  -z, --sha512            use sha512 as the algorithm (changes iterations to 50000, change with -i)
 ```
 ### SEE ALSO
 * [authelia](authelia.md)	 - authelia untagged-unknown-dirty (master, unknown)
--- a/docs/content/en/reference/cli/authelia/authelia_storage.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage.md
@ -33,7 +33,6 @@ authelia storage --help
 ### Options
 ```
  -c, --config strings                         configuration files to load (default [configuration.yml])
      --encryption-key string                  the storage encryption key to use
  -h, --help                                   help for storage
      --mysql.database string                  the MySQL database name (default "authelia")
@ -54,6 +53,13 @@ authelia storage --help
      --sqlite.path string                     the SQLite database path
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia](authelia.md)	 - authelia untagged-unknown-dirty (master, unknown)
--- a/docs/content/en/reference/cli/authelia/authelia_storage_encryption.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_encryption.md
@ -37,7 +37,8 @@ authelia storage encryption --help
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_encryption_change-key.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_encryption_change-key.md
@ -43,7 +43,8 @@ authelia storage encryption change-key --encryption-key b3453fde-ecc2-4a1f-9422-
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_encryption_check.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_encryption_check.md
@ -45,7 +45,8 @@ authelia storage encryption check --verbose --encryption-key b3453fde-ecc2-4a1f-
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate.md
@ -37,7 +37,8 @@ authelia storage migrate --help
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_down.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_down.md
@ -46,7 +46,8 @@ authelia storage migrate down --target 20 --encryption-key b3453fde-ecc2-4a1f-94
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_history.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_history.md
@ -43,7 +43,8 @@ authelia storage migrate history --encryption-key b3453fde-ecc2-4a1f-9422-2707dd
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_list-down.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_list-down.md
@ -44,7 +44,8 @@ authelia storage migrate list-down --encryption-key b3453fde-ecc2-4a1f-9422-2707
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_list-up.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_list-up.md
@ -44,7 +44,8 @@ authelia storage migrate list-up --encryption-key b3453fde-ecc2-4a1f-9422-2707dd
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_migrate_up.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_migrate_up.md
@ -46,7 +46,8 @@ authelia storage migrate up --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed49
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_schema-info.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_schema-info.md
@ -43,7 +43,8 @@ authelia storage schema-info --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed4
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user.md
@ -37,7 +37,8 @@ authelia storage user --help
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers.md
@ -37,7 +37,8 @@ authelia storage user identifiers --help
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_add.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_add.md
@ -46,7 +46,8 @@ authelia storage user identifiers add john --identifier f0919359-9d15-4e15-bcba-
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_export.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_export.md
@ -38,14 +38,15 @@ authelia storage user identifiers export --file export.yaml --encryption-key b34
 ### Options
 ```
-  -f, --file string   The file name for the YAML export (default "user-opaque-identifiers.yml")
+  -f, --file string   The file name for the YAML export (default "authelia.export.opaque-identifiers.yml")
  -h, --help          help for export
 ```
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_generate.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_generate.md
@ -48,7 +48,8 @@ authelia storage user identifiers generate --users john,mary --services openid -
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_import.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_identifiers_import.md
@ -26,29 +26,29 @@ The YAML file can either be automatically generated using the authelia storage u
 manually provided the file is in the same format.
 ```
-authelia storage user identifiers import [flags]
+authelia storage user identifiers import <filename> [flags]
 ```
 ### Examples
 ```
 authelia storage user identifiers import
-authelia storage user identifiers import --file export.yaml
+authelia storage user identifiers import authelia.export.opaque-identifiers.yaml
-authelia storage user identifiers import --file export.yaml --config config.yml
+authelia storage user identifiers import --config config.yml export.yaml
-authelia storage user identifiers import --file export.yaml --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
+authelia storage user identifiers import --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw export.yaml
 ```
 ### Options
 ```
  -f, --file string   The file name for the YAML import (default "user-opaque-identifiers.yml")
  -h, --help   help for import
 ```
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp.md
@ -37,7 +37,8 @@ authelia storage user totp --help
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
@ -63,4 +64,5 @@ authelia storage user totp --help
 * [authelia storage user totp delete](authelia_storage_user_totp_delete.md)	 - Delete a TOTP configuration for a user
 * [authelia storage user totp export](authelia_storage_user_totp_export.md)	 - Perform exports of the TOTP configurations
 * [authelia storage user totp generate](authelia_storage_user_totp_generate.md)	 - Generate a TOTP configuration for a user
 * [authelia storage user totp import](authelia_storage_user_totp_import.md)	 - Perform imports of the TOTP configurations
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_delete.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_delete.md
@ -43,7 +43,8 @@ authelia storage user totp delete john --encryption-key b3453fde-ecc2-4a1f-9422-
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_export.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_export.md
@ -20,7 +20,7 @@ Perform exports of the TOTP configurations
 Perform exports of the TOTP configurations.
-This subcommand allows exporting TOTP configurations to various formats.
+This subcommand allows exporting TOTP configurations to importable YAML files, or use the subcommands to export them to other non-importable formats.
 ```
 authelia storage user totp export [flags]
@ -29,24 +29,23 @@ authelia storage user totp export [flags]
 ### Examples
 ```
-authelia storage user totp export --format csv
+authelia storage user totp export --file example.yaml
-authelia storage user totp export --format png --dir ./totp-qr
+authelia storage user totp export --config config.yml
-authelia storage user totp export --format png --dir ./totp-qr --config config.yml
+authelia storage user totp export --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
 authelia storage user totp export --format png --dir ./totp-qr --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
 ```
 ### Options
 ```
-      --dir string      used with the png output format to specify which new directory to save the files in
+  -f, --file string   The file name for the YAML export (default "authelia.export.totp.yaml")
      --format string   sets the output format, valid values are: csv, uri, png (default "uri")
  -h, --help          help for export
 ```
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
@ -69,4 +68,7 @@ authelia storage user totp export --format png --dir ./totp-qr --encryption-key
 ### SEE ALSO
 * [authelia storage user totp](authelia_storage_user_totp.md)	 - Manage TOTP configurations
 * [authelia storage user totp export csv](authelia_storage_user_totp_export_csv.md)	 - Perform exports of the TOTP configurations to a CSV
 * [authelia storage user totp export png](authelia_storage_user_totp_export_png.md)	 - Perform exports of the TOTP configurations to QR code PNG images
 * [authelia storage user totp export uri](authelia_storage_user_totp_export_uri.md)	 - Perform exports of the TOTP configurations to URIs
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_export_csv.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_export_csv.md
@ -0,0 +1,71 @@
 ---
 title: "authelia storage user totp export csv"
 description: "Reference for the authelia storage user totp export csv command."
 lead: ""
 date: 2022-06-15T17:51:47+10:00
 draft: false
 images: []
 menu:
  reference:
    parent: "cli-authelia"
 weight: 905
 toc: true
 ---
 ## authelia storage user totp export csv
 Perform exports of the TOTP configurations to a CSV
 ### Synopsis
 Perform exports of the TOTP configurations to a CSV.
 This subcommand allows exporting TOTP configurations to a CSV.
 ```
 authelia storage user totp export csv [flags]
 ```
 ### Examples
 ```
 authelia storage user totp export csv --file users.csv
 authelia storage user totp export csv --config config.yml
 authelia storage user totp export csv --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
 ```
 ### Options
 ```
  -f, --file string   The file name for the CSV export (default "authelia.export.totp.csv")
  -h, --help          help for csv
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
      --mysql.password string                  the MySQL password
      --mysql.port int                         the MySQL port (default 3306)
      --mysql.username string                  the MySQL username (default "authelia")
      --postgres.database string               the PostgreSQL database name (default "authelia")
      --postgres.host string                   the PostgreSQL hostname
      --postgres.password string               the PostgreSQL password
      --postgres.port int                      the PostgreSQL port (default 5432)
      --postgres.schema string                 the PostgreSQL schema name (default "public")
      --postgres.ssl.certificate string        the PostgreSQL ssl certificate file location
      --postgres.ssl.key string                the PostgreSQL ssl key file location
      --postgres.ssl.mode string               the PostgreSQL ssl mode (default "disable")
      --postgres.ssl.root_certificate string   the PostgreSQL ssl root certificate file location
      --postgres.username string               the PostgreSQL username (default "authelia")
      --sqlite.path string                     the SQLite database path
 ```
 ### SEE ALSO
 * [authelia storage user totp export](authelia_storage_user_totp_export.md)	 - Perform exports of the TOTP configurations
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_export_png.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_export_png.md
@ -0,0 +1,72 @@
 ---
 title: "authelia storage user totp export png"
 description: "Reference for the authelia storage user totp export png command."
 lead: ""
 date: 2022-06-15T17:51:47+10:00
 draft: false
 images: []
 menu:
  reference:
    parent: "cli-authelia"
 weight: 905
 toc: true
 ---
 ## authelia storage user totp export png
 Perform exports of the TOTP configurations to QR code PNG images
 ### Synopsis
 Perform exports of the TOTP configurations to QR code PNG images.
 This subcommand allows exporting TOTP configurations to PNG images with QR codes which represent the appropriate URI so they can be scanned.
 ```
 authelia storage user totp export png [flags]
 ```
 ### Examples
 ```
 authelia storage user totp export png
 authelia storage user totp export png --directory example/dir
 authelia storage user totp export png --config config.yml
 authelia storage user totp export png --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
 ```
 ### Options
 ```
      --directory string   The directory where all exported png files will be saved to
  -h, --help               help for png
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
      --mysql.password string                  the MySQL password
      --mysql.port int                         the MySQL port (default 3306)
      --mysql.username string                  the MySQL username (default "authelia")
      --postgres.database string               the PostgreSQL database name (default "authelia")
      --postgres.host string                   the PostgreSQL hostname
      --postgres.password string               the PostgreSQL password
      --postgres.port int                      the PostgreSQL port (default 5432)
      --postgres.schema string                 the PostgreSQL schema name (default "public")
      --postgres.ssl.certificate string        the PostgreSQL ssl certificate file location
      --postgres.ssl.key string                the PostgreSQL ssl key file location
      --postgres.ssl.mode string               the PostgreSQL ssl mode (default "disable")
      --postgres.ssl.root_certificate string   the PostgreSQL ssl root certificate file location
      --postgres.username string               the PostgreSQL username (default "authelia")
      --sqlite.path string                     the SQLite database path
 ```
 ### SEE ALSO
 * [authelia storage user totp export](authelia_storage_user_totp_export.md)	 - Perform exports of the TOTP configurations
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_export_uri.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_export_uri.md
@ -0,0 +1,70 @@
 ---
 title: "authelia storage user totp export uri"
 description: "Reference for the authelia storage user totp export uri command."
 lead: ""
 date: 2022-06-15T17:51:47+10:00
 draft: false
 images: []
 menu:
  reference:
    parent: "cli-authelia"
 weight: 905
 toc: true
 ---
 ## authelia storage user totp export uri
 Perform exports of the TOTP configurations to URIs
 ### Synopsis
 Perform exports of the TOTP configurations to URIs.
 This subcommand allows exporting TOTP configurations to TOTP URIs.
 ```
 authelia storage user totp export uri [flags]
 ```
 ### Examples
 ```
 authelia storage user totp export uri
 authelia storage user totp export uri --config config.yml
 authelia storage user totp export uri --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
 ```
 ### Options
 ```
  -h, --help   help for uri
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
      --mysql.password string                  the MySQL password
      --mysql.port int                         the MySQL port (default 3306)
      --mysql.username string                  the MySQL username (default "authelia")
      --postgres.database string               the PostgreSQL database name (default "authelia")
      --postgres.host string                   the PostgreSQL hostname
      --postgres.password string               the PostgreSQL password
      --postgres.port int                      the PostgreSQL port (default 5432)
      --postgres.schema string                 the PostgreSQL schema name (default "public")
      --postgres.ssl.certificate string        the PostgreSQL ssl certificate file location
      --postgres.ssl.key string                the PostgreSQL ssl key file location
      --postgres.ssl.mode string               the PostgreSQL ssl mode (default "disable")
      --postgres.ssl.root_certificate string   the PostgreSQL ssl root certificate file location
      --postgres.username string               the PostgreSQL username (default "authelia")
      --sqlite.path string                     the SQLite database path
 ```
 ### SEE ALSO
 * [authelia storage user totp export](authelia_storage_user_totp_export.md)	 - Perform exports of the TOTP configurations
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_generate.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_generate.md
@ -55,7 +55,8 @@ authelia storage user totp generate john --algorithm SHA512 --config config.yml
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_import.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_totp_import.md
@ -0,0 +1,70 @@
 ---
 title: "authelia storage user totp import"
 description: "Reference for the authelia storage user totp import command."
 lead: ""
 date: 2022-06-15T17:51:47+10:00
 draft: false
 images: []
 menu:
  reference:
    parent: "cli-authelia"
 weight: 905
 toc: true
 ---
 ## authelia storage user totp import
 Perform imports of the TOTP configurations
 ### Synopsis
 Perform imports of the TOTP configurations.
 This subcommand allows importing TOTP configurations from various formats.
 ```
 authelia storage user totp import <filename> [flags]
 ```
 ### Examples
 ```
 authelia storage user totp import authelia.export.totp.yaml
 authelia storage user totp import --config config.yml authelia.export.totp.yaml
 authelia storage user totp import --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw authelia.export.totp.yaml
 ```
 ### Options
 ```
  -h, --help   help for import
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
      --mysql.password string                  the MySQL password
      --mysql.port int                         the MySQL port (default 3306)
      --mysql.username string                  the MySQL username (default "authelia")
      --postgres.database string               the PostgreSQL database name (default "authelia")
      --postgres.host string                   the PostgreSQL hostname
      --postgres.password string               the PostgreSQL password
      --postgres.port int                      the PostgreSQL port (default 5432)
      --postgres.schema string                 the PostgreSQL schema name (default "public")
      --postgres.ssl.certificate string        the PostgreSQL ssl certificate file location
      --postgres.ssl.key string                the PostgreSQL ssl key file location
      --postgres.ssl.mode string               the PostgreSQL ssl mode (default "disable")
      --postgres.ssl.root_certificate string   the PostgreSQL ssl root certificate file location
      --postgres.username string               the PostgreSQL username (default "authelia")
      --sqlite.path string                     the SQLite database path
 ```
 ### SEE ALSO
 * [authelia storage user totp](authelia_storage_user_totp.md)	 - Manage TOTP configurations
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn.md
@ -37,7 +37,8 @@ authelia storage user webauthn --help
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
@ -60,6 +61,8 @@ authelia storage user webauthn --help
 ### SEE ALSO
 * [authelia storage user](authelia_storage_user.md)	 - Manages user settings
-* [authelia storage user webauthn delete](authelia_storage_user_webauthn_delete.md)	 - Delete a WebAuthn device
+* [authelia storage user webauthn delete](authelia_storage_user_webauthn_delete.md)	 - Delete a Webauthn device
-* [authelia storage user webauthn list](authelia_storage_user_webauthn_list.md)	 - List WebAuthn devices
+* [authelia storage user webauthn export](authelia_storage_user_webauthn_export.md)	 - Perform exports of the Webauthn devices
 * [authelia storage user webauthn import](authelia_storage_user_webauthn_import.md)	 - Perform imports of the Webauthn devices
 * [authelia storage user webauthn list](authelia_storage_user_webauthn_list.md)	 - List Webauthn devices
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_delete.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_delete.md
@ -14,13 +14,13 @@ toc: true
 ## authelia storage user webauthn delete
-Delete a WebAuthn device
+Delete a Webauthn device
 ### Synopsis
-Delete a WebAuthn device.
+Delete a Webauthn device.
-This subcommand allows deleting a WebAuthn device directly from the database.
+This subcommand allows deleting a Webauthn device directly from the database.
 ```
 authelia storage user webauthn delete [username] [flags]
@ -52,7 +52,8 @@ authelia storage user webauthn delete --kid abc123 --encryption-key b3453fde-ecc
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_export.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_export.md
@ -0,0 +1,72 @@
 ---
 title: "authelia storage user webauthn export"
 description: "Reference for the authelia storage user webauthn export command."
 lead: ""
 date: 2022-06-15T17:51:47+10:00
 draft: false
 images: []
 menu:
  reference:
    parent: "cli-authelia"
 weight: 905
 toc: true
 ---
 ## authelia storage user webauthn export
 Perform exports of the Webauthn devices
 ### Synopsis
 Perform exports of the Webauthn devices.
 This subcommand allows exporting Webauthn devices to various formats.
 ```
 authelia storage user webauthn export [flags]
 ```
 ### Examples
 ```
 authelia storage user webauthn export
 authelia storage user webauthn export --file authelia.export.webauthn.yaml
 authelia storage user webauthn export --config config.yml
 authelia storage user webauthn export--encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
 ```
 ### Options
 ```
  -f, --file string   The file name for the YAML export (default "authelia.export.webauthn.yaml")
  -h, --help          help for export
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
      --mysql.password string                  the MySQL password
      --mysql.port int                         the MySQL port (default 3306)
      --mysql.username string                  the MySQL username (default "authelia")
      --postgres.database string               the PostgreSQL database name (default "authelia")
      --postgres.host string                   the PostgreSQL hostname
      --postgres.password string               the PostgreSQL password
      --postgres.port int                      the PostgreSQL port (default 5432)
      --postgres.schema string                 the PostgreSQL schema name (default "public")
      --postgres.ssl.certificate string        the PostgreSQL ssl certificate file location
      --postgres.ssl.key string                the PostgreSQL ssl key file location
      --postgres.ssl.mode string               the PostgreSQL ssl mode (default "disable")
      --postgres.ssl.root_certificate string   the PostgreSQL ssl root certificate file location
      --postgres.username string               the PostgreSQL username (default "authelia")
      --sqlite.path string                     the SQLite database path
 ```
 ### SEE ALSO
 * [authelia storage user webauthn](authelia_storage_user_webauthn.md)	 - Manage Webauthn devices
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_import.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_import.md
@ -0,0 +1,71 @@
 ---
 title: "authelia storage user webauthn import"
 description: "Reference for the authelia storage user webauthn import command."
 lead: ""
 date: 2022-06-15T17:51:47+10:00
 draft: false
 images: []
 menu:
  reference:
    parent: "cli-authelia"
 weight: 905
 toc: true
 ---
 ## authelia storage user webauthn import
 Perform imports of the Webauthn devices
 ### Synopsis
 Perform imports of the Webauthn devices.
 This subcommand allows importing Webauthn devices from various formats.
 ```
 authelia storage user webauthn import <filename> [flags]
 ```
 ### Examples
 ```
 authelia storage user webauthn export
 authelia storage user webauthn import --file authelia.export.webauthn.yaml
 authelia storage user webauthn import --file authelia.export.webauthn.yaml --config config.yml
 authelia storage user webauthn import --file authelia.export.webauthn.yaml --encryption-key b3453fde-ecc2-4a1f-9422-2707ddbed495 --postgres.host postgres --postgres.password autheliapw
 ```
 ### Options
 ```
  -h, --help   help for import
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
      --mysql.password string                  the MySQL password
      --mysql.port int                         the MySQL port (default 3306)
      --mysql.username string                  the MySQL username (default "authelia")
      --postgres.database string               the PostgreSQL database name (default "authelia")
      --postgres.host string                   the PostgreSQL hostname
      --postgres.password string               the PostgreSQL password
      --postgres.port int                      the PostgreSQL port (default 5432)
      --postgres.schema string                 the PostgreSQL schema name (default "public")
      --postgres.ssl.certificate string        the PostgreSQL ssl certificate file location
      --postgres.ssl.key string                the PostgreSQL ssl key file location
      --postgres.ssl.mode string               the PostgreSQL ssl mode (default "disable")
      --postgres.ssl.root_certificate string   the PostgreSQL ssl root certificate file location
      --postgres.username string               the PostgreSQL username (default "authelia")
      --sqlite.path string                     the SQLite database path
 ```
 ### SEE ALSO
 * [authelia storage user webauthn](authelia_storage_user_webauthn.md)	 - Manage Webauthn devices
--- a/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_list.md
+++ b/docs/content/en/reference/cli/authelia/authelia_storage_user_webauthn_list.md
@ -14,13 +14,13 @@ toc: true
 ## authelia storage user webauthn list
-List WebAuthn devices
+List Webauthn devices
 ### Synopsis
-List WebAuthn devices.
+List Webauthn devices.
-This subcommand allows listing WebAuthn devices.
+This subcommand allows listing Webauthn devices.
 ```
 authelia storage user webauthn list [username] [flags]
@ -46,7 +46,8 @@ authelia storage user webauthn list john --encryption-key b3453fde-ecc2-4a1f-942
 ### Options inherited from parent commands
 ```
-  -c, --config strings                         configuration files to load (default [configuration.yml])
+  -c, --config strings                         configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings    list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
      --encryption-key string                  the storage encryption key to use
      --mysql.database string                  the MySQL database name (default "authelia")
      --mysql.host string                      the MySQL hostname
--- a/docs/content/en/reference/cli/authelia/authelia_validate-config.md
+++ b/docs/content/en/reference/cli/authelia/authelia_validate-config.md
@ -37,10 +37,16 @@ authelia validate-config --config config.yml
 ### Options
 ```
  -c, --config strings   configuration files to load (default [configuration.yml])
  -h, --help   help for validate-config
 ```
 ### Options inherited from parent commands
 ```
  -c, --config strings                        configuration files or directories to load, for more information run 'authelia -h authelia config' (default [configuration.yml])
      --config.experimental.filters strings   list of filters to apply to all configuration files, for more information run 'authelia -h authelia filters'
 ```
 ### SEE ALSO
 * [authelia](authelia.md)	 - authelia untagged-unknown-dirty (master, unknown)
--- a/docs/content/en/reference/guides/ldap.md
+++ b/docs/content/en/reference/guides/ldap.md
@ -10,6 +10,8 @@ menu:
    parent: "guides"
 weight: 220
 toc: true
 aliases:
  - /r/ldap
 ---
 ## Binding
@ -46,10 +48,28 @@ Authelia primarily supports this method.
 ## Implementation Guide
-There are currently two implementations, `custom` and `activedirectory`. The `activedirectory` implementation
+The following implementations exist:
-must be used if you wish to allow users to change or reset their password as Active Directory
+
-uses a custom attribute for this, and an input format other implementations do not use. The long term
+- `custom`:
-intention of this is to have logical defaults for various RFC implementations of LDAP.
+  - Not specific to any particular LDAP provider
 - `activedirectory`:
  - Specific configuration defaults for [Active Directory]
  - Special implementation details:
    - Includes a special encoding format required for changing passwords with [Active Directory]
 - `freeipa`:
  - Specific configuration defaults for [FreeIPA]
  - No special implementation details
 - `lldap`:
  - Specific configuration defaults for [lldap]
  - No special implementation details
 - `glauth`:
  - Specific configuration defaults for [GLAuth]
  - No special implementation details
 [Active Directory]: https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-domain-services
 [FreeIPA]: https://www.freeipa.org/
 [lldap]: https://github.com/nitnelave/lldap
 [GLAuth]: https://glauth.github.io/
 ### Filter replacements
@ -59,11 +79,14 @@ search.
 #### Users filter replacements
 |       Placeholder        |  Phase  |                                                   Replacement                                                    |
-|:------------------------:|:-------:|:-------------------------------------:|
+|:------------------------:|:-------:|:----------------------------------------------------------------------------------------------------------------:|
 |   {username_attribute}   | startup |                                        The configured username attribute                                         |
 |     {mail_attribute}     | startup |                                          The configured mail attribute                                           |
 | {display_name_attribute} | startup |                                      The configured display name attribute                                       |
 |         {input}          | search  |                                        The input into the username field                                         |
 | {date-time:generalized}  | search  |          The current UTC time formatted as a LDAP generalized time in the format of `20060102150405.0Z`          |
 |     {date-time:unix}     | search  |                                    The current time formatted as a Unix epoch                                    |
 | {date-time:microsoft-nt} | search  | The current time formatted as a Microsoft NT epoch which is used by some Microsoft [Active Directory] attributes |
 #### Groups filter replacements
@ -77,6 +100,14 @@ search.
 The below tables describes the current attribute defaults for each implementation.
 #### Search Base defaults
 The following set defaults for the `additional_users_dn` and `additional_groups_dn` values.
 | Implementation |   Users   |  Groups   |
 |:--------------:|:---------:|:---------:|
 |     lldap      | OU=people | OU=groups |
 #### Attribute defaults
 This table describes the attribute defaults for each implementation. i.e. the username_attribute is described by the
@ -86,18 +117,33 @@ Username column.
 |:---------------:|:--------------:|:------------:|:----:|:----------:|
 |     custom      |      N/A       | displayName  | mail |     cn     |
 | activedirectory | sAMAccountName | displayName  | mail |     cn     |
 |     freeipa     |      uid       | displayName  | mail |     cn     |
 |      lldap      |      uid       |      cn      | mail |     cn     |
 |     glauth      |       cn       | description  | mail |     cn     |
 #### Filter defaults
-The filters are probably the most important part to get correct when setting up LDAP. You want to exclude disabled
+The filters are probably the most important part to get correct when setting up LDAP. You want to exclude accounts under
-accounts. The active directory example has two attribute filters that accomplish this as an example (more examples would
+the following conditions:
-be appreciated). The userAccountControl filter checks that the account is not disabled and the pwdLastSet makes sure that
+
-value is not 0 which means the password requires changing at the next login.
+- The account is disabled or locked:
  - The [Active Directory] implementation achieves this via the `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` filter.
  - The [FreeIPA] implementation achieves this via the `(!(nsAccountLock=TRUE))` filter.
  - The [GLAuth] implementation achieves this via the `(!(accountStatus=inactive))` filter.
 - Their password is expired:
  - The [Active Directory] implementation achieves this via the `(!(pwdLastSet=0))` filter.
  - The [FreeIPA] implementation achieves this via the `(krbPasswordExpiration>={date-time:generalized})` filter.
 - Their account is expired:
  - The [Active Directory] implementation achieves this via the `(|(!(accountExpires=*))(accountExpires=0)(accountExpires>={date-time:microsoft-nt}))` filter.
  - The [FreeIPA] implementation achieves this via the `(|(!(krbPrincipalExpiration=*))(krbPrincipalExpiration>={date-time:generalized}))` filter.
 | Implementation  |                                                                                                                       Users Filter                                                                                                                       |                                Groups Filter                                 |
-|:---------------:|:---------------------------------------------------------------------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------:|
+|:---------------:|:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:|:----------------------------------------------------------------------------:|
 |     custom      |                                                                                                                           N/A                                                                                                                            |                                     N/A                                      |
-| activedirectory | (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))) | (&(member={dn})(&#124;(sAMAccountType=268435456)(sAMAccountType=536870912))) |
+| activedirectory | (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(pwdLastSet=0))(&#124;(!(accountExpires=*))(accountExpires=0)(accountExpires>={date-time:microsoft-nt}))) | (&(member={dn})(&#124;(sAMAccountType=268435456)(sAMAccountType=536870912))) |
 |     freeipa     |   (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(!(nsAccountLock=TRUE))(krbPasswordExpiration>={date-time:generalized})(&#124;(!(krbPrincipalExpiration=*))(krbPrincipalExpiration>={date-time:generalized})))   |                  (&(member={dn})(objectClass=groupOfNames))                  |
 |      lldap      |                                                                                 (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))                                                                                  |                  (&(member={dn})(objectClass=groupOfNames))                  |
 |     glauth      |                                                                 (&(&#124;({username_attribute}={input})({mail_attribute}={input}))(objectClass=posixAccount)(!(accountStatus=inactive)))                                                                 |                (&(uniqueMember={dn})(objectClass=posixGroup))                |
 ##### Microsoft Active Directory sAMAccountType
--- a/docs/content/en/reference/guides/notification-templates.md
+++ b/docs/content/en/reference/guides/notification-templates.md
@ -23,8 +23,7 @@ This guide effectively documents the usage of the
 1. The templates are not covered by our stability guarantees. While we aim to avoid changes to the templates which
   would cause users to have to manually change them changes may be necessary in order to facilitate bug fixes or
   generally improve the templates.
-   1. This is especially important for the [Envelope Template](#envelope-template).
+   1. It is your responsibility to ensure your templates are up to date. We make no efforts in facilitating this.
   2. It is your responsibility to ensure your templates are up to date. We make no efforts in facilitating this.
 2. We may not be able to offer any direct support in debugging these templates. We only offer support and fixes to
   the official templates.
 3. All templates __*MUST*__ be encoded in UTF-8 with CRLF line endings. The line endings __*MUST NOT*__ be a simple LF.
@ -69,30 +68,6 @@ This is a basic example:
 Some Additional examples for specific purposes can be found in the
 [examples directory on GitHub](https://github.com/authelia/authelia/tree/master/examples/templates/notifications).
 ## Envelope Template
 *__Important Note:__ This template must end with a CRLF newline. Failure to include this newline will result in
 malformed emails.*
 There is also a special envelope template. This is the email envelope which contains the content of the other templates
 when sent via the SMTP notifier. It's *__strongly recommended__* that you do not modify this template unless you know
 what you're doing. If you really want to modify it the name of the file must be `Envelope.tmpl`.
 This template contains the following placeholders which are automatically injected into the template:
 |       Placeholder       |                                 Description                                 |
 |:-----------------------:|:---------------------------------------------------------------------------:|
 |   `{{ .ProcessID }}`    |                          The Authelia Process ID.                           |
 |      `{{ .UUID }}`      | A string representation of a UUID v4 generated specifically for this email. |
 |      `{{ .Host }}`      |                           The configured [host].                            |
 |   `{{ .ServerName }}`   |                      The configured TLS [server_name].                      |
 |  `{{ .SenderDomain }}`  |               The domain portion of the configured [sender].                |
 |   `{{ .Identifier }}`   |                        The configured [identifier].                         |
 |      `{{ .From }}`      |            The string representation of the configured [sender].            |
 |       `{{ .To }}`       |         The string representation of the recipients email address.          |
 |    `{{ .Subject }}`     |                             The email subject.                              |
 |      `{{ .Date }}`      |             The time.Time of the email envelope being rendered.             |
 ## Original Templates
 The original template content can be found on
--- a/docs/content/en/reference/integrations/cache-integrations.md
+++ b/docs/content/en/reference/integrations/cache-integrations.md
@ -2,7 +2,7 @@
 title: "Cache Integrations"
 description: "A cache integration reference guide"
 lead: "This section contains a cache integration reference guide for Authelia."
-date: 2022-11-19T16:47:09+11:00
+date: 2022-12-09T18:24:02+11:00
 draft: false
 images: []
 menu:
--- a/docs/layouts/partials/main/community.html
+++ b/docs/layouts/partials/main/community.html
@ -3,6 +3,6 @@
  <div class="w-100">
    This documentation is maintained by the community, it is not guaranteed to be complete or up-to-date.
    We always recommend users read the third-party documentation as part of the integration process to ensure the configuration matches their needs and as such we always link the documentation if available.
-    If you find an error in this documentation please either make a GitHub Pull Request or start a GitHub Discussion.
+    If you find an error in this documentation please either start a <a class="link-danger" href="https://github.com/authelia/authelia/discussions">Discussion</a>, make a <a class="link-danger" href="https://github.com/authelia/authelia/pulls">Pull Request</a>, or contact us on a <a class="link-danger" href="https://www.authelia.com/contact/#chat">Chat Room</a>.
  </div>
 </div>
--- a/docs/layouts/shortcodes/alert.html
+++ b/docs/layouts/shortcodes/alert.html
@ -8,5 +8,5 @@
    {{ else }}
      {{ errorf "No valid text variable or Inner content given"}}
    {{ end }}
-  {{ end}}
+  {{ end }}
 </div>
--- a/go.mod
+++ b/go.mod
@ -28,7 +28,7 @@ require (
 	github.com/mohae/deepcopy v0.0.0-20170929034955-c48cc78d4826
 	github.com/ory/fosite v0.44.0
 	github.com/ory/herodot v0.9.13
-	github.com/ory/x v0.0.520
+	github.com/ory/x v0.0.523
 	github.com/otiai10/copy v1.9.0
 	github.com/pkg/errors v0.9.1
 	github.com/pquerna/otp v1.4.0
@ -39,6 +39,8 @@ require (
 	github.com/stretchr/testify v1.8.1
 	github.com/trustelem/zxcvbn v1.0.1
 	github.com/valyala/fasthttp v1.43.0
 	github.com/wneessen/go-mail v0.3.5
 	golang.org/x/net v0.1.0
 	golang.org/x/sync v0.1.0
 	golang.org/x/term v0.3.0
 	golang.org/x/text v0.5.0
@ -108,7 +110,6 @@ require (
 	github.com/ysmood/leakless v0.8.0 // indirect
 	golang.org/x/crypto v0.1.0 // indirect
 	golang.org/x/mod v0.6.0 // indirect
 	golang.org/x/net v0.1.0 // indirect
 	golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b // indirect
 	golang.org/x/sys v0.3.0 // indirect
 	golang.org/x/tools v0.2.0 // indirect
--- a/go.sum
+++ b/go.sum
@ -461,8 +461,8 @@ github.com/ory/herodot v0.9.13 h1:cN/Z4eOkErl/9W7hDIDLb79IO/bfsH+8yscBjRpB4IU=
 github.com/ory/herodot v0.9.13/go.mod h1:IWDs9kSvFQqw/cQ8zi5ksyYvITiUU4dI7glUrhZcJYo=
 github.com/ory/viper v1.7.5 h1:+xVdq7SU3e1vNaCsk/ixsfxE4zylk1TJUiJrY647jUE=
 github.com/ory/viper v1.7.5/go.mod h1:ypOuyJmEUb3oENywQZRgeAMwqgOyDqwboO1tj3DjTaM=
-github.com/ory/x v0.0.520 h1:ryfKHQEViUBv/UdlZhePOG52RpPAooZtK/I7+x58lBI=
+github.com/ory/x v0.0.523 h1:vn8e+8tV3RqD8RlvoE6lLPUnjpjua1ExJDMFy3Z5TAQ=
-github.com/ory/x v0.0.520/go.mod h1:7f32P5XMBLCy6aVT+fUYq3WPcMVpzsjC0C+FovlMNqY=
+github.com/ory/x v0.0.523/go.mod h1:ayJio5x/fK4RwTgfgzs3JetOaaOSxso9hQjc3mFY8z0=
 github.com/otiai10/copy v1.9.0 h1:7KFNiCgZ91Ru4qW4CWPf/7jqtxLagGRmIxWldPP9VY4=
 github.com/otiai10/copy v1.9.0/go.mod h1:hsfX19wcn0UWIHUQ3/4fHuehhk2UyArQ9dVFAn3FczI=
 github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
@ -609,6 +609,8 @@ github.com/valyala/fasthttp v1.42.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seB
 github.com/valyala/fasthttp v1.43.0 h1:Gy4sb32C98fbzVWZlTM1oTMdLWGyvxR03VhM6cBIU4g=
 github.com/valyala/fasthttp v1.43.0/go.mod h1:f6VbjjoI3z1NDOZOv17o6RvtRSWxC77seBFc2uWtgiY=
 github.com/valyala/tcplisten v1.0.0/go.mod h1:T0xQ8SeCZGxckz9qRXTfG43PvQ/mcWh7FwZEA7Ioqkc=
 github.com/wneessen/go-mail v0.3.5 h1:5fl4O1SnBpA072WFD+q1KBX6L3ltiIsKQDYjs7sY7GM=
 github.com/wneessen/go-mail v0.3.5/go.mod h1:m25lkU2GYQnlVr6tdwK533/UXxo57V0kLOjaFYmub0E=
 github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
 github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
--- a/internal/authentication/const.go
+++ b/internal/authentication/const.go
@ -73,6 +73,13 @@ const (
 	ldapPlaceholderInput                        = "{input}"
 	ldapPlaceholderDistinguishedName            = "{dn}"
 	ldapPlaceholderUsername                     = "{username}"
 	ldapPlaceholderDateTimeGeneralized          = "{date-time:generalized}"
 	ldapPlaceholderDateTimeMicrosoftNTTimeEpoch = "{date-time:microsoft-nt}"
 	ldapPlaceholderDateTimeUnixEpoch            = "{date-time:unix}"
 )
 const (
 	ldapGeneralizedTimeDateTimeFormat = "20060102150405.0Z"
 )
 const (
--- a/internal/authentication/ldap_user_provider.go
+++ b/internal/authentication/ldap_user_provider.go
@ -5,6 +5,7 @@ import (
 	"crypto/x509"
 	"fmt"
 	"net"
 	"strconv"
 	"strings"
 	"github.com/go-ldap/ldap/v3"
@ -23,6 +24,8 @@ type LDAPUserProvider struct {
 	log       *logrus.Logger
 	factory   LDAPClientFactory
 	clock utils.Clock
 	disableResetPassword bool
 	// Automatically detected LDAP features.
@ -32,6 +35,9 @@ type LDAPUserProvider struct {
 	usersBaseDN                                        string
 	usersAttributes                                    []string
 	usersFilterReplacementInput                        bool
 	usersFilterReplacementDateTimeGeneralized          bool
 	usersFilterReplacementDateTimeUnixEpoch            bool
 	usersFilterReplacementDateTimeMicrosoftNTTimeEpoch bool
 	// Dynamically generated groups values.
 	groupsBaseDN                    string
@ -41,14 +47,15 @@ type LDAPUserProvider struct {
 	groupsFilterReplacementDN       bool
 }
-// NewLDAPUserProvider creates a new instance of LDAPUserProvider.
+// NewLDAPUserProvider creates a new instance of LDAPUserProvider with the ProductionLDAPClientFactory.
 func NewLDAPUserProvider(config schema.AuthenticationBackend, certPool *x509.CertPool) (provider *LDAPUserProvider) {
-	provider = newLDAPUserProvider(*config.LDAP, config.PasswordReset.Disable, certPool, nil)
+	provider = NewLDAPUserProviderWithFactory(*config.LDAP, config.PasswordReset.Disable, certPool, NewProductionLDAPClientFactory())
 	return provider
 }
-func newLDAPUserProvider(config schema.LDAPAuthenticationBackend, disableResetPassword bool, certPool *x509.CertPool, factory LDAPClientFactory) (provider *LDAPUserProvider) {
+// NewLDAPUserProviderWithFactory creates a new instance of LDAPUserProvider with the specified LDAPClientFactory.
 func NewLDAPUserProviderWithFactory(config schema.LDAPAuthenticationBackend, disableResetPassword bool, certPool *x509.CertPool, factory LDAPClientFactory) (provider *LDAPUserProvider) {
 	if config.TLS == nil {
 		config.TLS = schema.DefaultLDAPAuthenticationBackendConfigurationImplementationCustom.TLS
 	}
@ -74,6 +81,7 @@ func newLDAPUserProvider(config schema.LDAPAuthenticationBackend, disableResetPa
 		log:                  logging.Logger(),
 		factory:              factory,
 		disableResetPassword: disableResetPassword,
 		clock:                &utils.RealClock{},
 	}
 	provider.parseDynamicUsersConfiguration()
@ -394,12 +402,24 @@ func (p *LDAPUserProvider) getUserProfile(client LDAPClient, username string) (p
 	return &userProfile, nil
 }
-func (p *LDAPUserProvider) resolveUsersFilter(username string) (filter string) {
+func (p *LDAPUserProvider) resolveUsersFilter(input string) (filter string) {
 	filter = p.config.UsersFilter
 	if p.usersFilterReplacementInput {
 		// The {input} placeholder is replaced by the username input.
-		filter = strings.ReplaceAll(filter, ldapPlaceholderInput, ldapEscape(username))
+		filter = strings.ReplaceAll(filter, ldapPlaceholderInput, ldapEscape(input))
 	}
 	if p.usersFilterReplacementDateTimeGeneralized {
 		filter = strings.ReplaceAll(filter, ldapPlaceholderDateTimeGeneralized, p.clock.Now().UTC().Format(ldapGeneralizedTimeDateTimeFormat))
 	}
 	if p.usersFilterReplacementDateTimeUnixEpoch {
 		filter = strings.ReplaceAll(filter, ldapPlaceholderDateTimeUnixEpoch, strconv.Itoa(int(p.clock.Now().Unix())))
 	}
 	if p.usersFilterReplacementDateTimeMicrosoftNTTimeEpoch {
 		filter = strings.ReplaceAll(filter, ldapPlaceholderDateTimeMicrosoftNTTimeEpoch, strconv.Itoa(int(utils.UnixNanoTimeToMicrosoftNTEpoch(p.clock.Now().UnixNano()))))
 	}
 	p.log.Tracef("Detected user filter is %s", filter)
@ -407,12 +427,12 @@ func (p *LDAPUserProvider) resolveUsersFilter(username string) (filter string) {
 	return filter
 }
-func (p *LDAPUserProvider) resolveGroupsFilter(username string, profile *ldapUserProfile) (filter string) {
+func (p *LDAPUserProvider) resolveGroupsFilter(input string, profile *ldapUserProfile) (filter string) {
 	filter = p.config.GroupsFilter
 	if p.groupsFilterReplacementInput {
 		// The {input} placeholder is replaced by the users username input.
-		filter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderInput, ldapEscape(username))
+		filter = strings.ReplaceAll(p.config.GroupsFilter, ldapPlaceholderInput, ldapEscape(input))
 	}
 	if profile != nil {
--- a/internal/authentication/ldap_user_provider_startup.go
+++ b/internal/authentication/ldap_user_provider_startup.go
@ -120,6 +120,18 @@ func (p *LDAPUserProvider) parseDynamicUsersConfiguration() {
 		p.usersFilterReplacementInput = true
 	}
 	if strings.Contains(p.config.UsersFilter, ldapPlaceholderDateTimeGeneralized) {
 		p.usersFilterReplacementDateTimeGeneralized = true
 	}
 	if strings.Contains(p.config.UsersFilter, ldapPlaceholderDateTimeUnixEpoch) {
 		p.usersFilterReplacementDateTimeUnixEpoch = true
 	}
 	if strings.Contains(p.config.UsersFilter, ldapPlaceholderDateTimeMicrosoftNTTimeEpoch) {
 		p.usersFilterReplacementDateTimeMicrosoftNTTimeEpoch = true
 	}
 	p.log.Tracef("Detected user filter replacements that need to be resolved per lookup are: %s=%v",
 		ldapPlaceholderInput, p.usersFilterReplacementInput)
 }
--- a/internal/authentication/ldap_user_provider_test.go
+++ b/internal/authentication/ldap_user_provider_test.go
--- a/internal/authentication/util.go
+++ b/internal/authentication/util.go
@ -1,15 +1,15 @@
 package authentication
-// LevelToString returns a string representation of an authentication.Level.
+// String returns a string representation of an authentication.Level.
-func LevelToString(level Level) string {
+func (l Level) String() string {
-	switch level {
+	switch l {
 	case NotAuthenticated:
 		return "not_authenticated"
 	case OneFactor:
 		return "one_factor"
 	case TwoFactor:
 		return "two_factor"
-	}
+	default:
 		return "invalid"
 	}
 }
--- a/internal/authorization/access_control_rule.go
+++ b/internal/authorization/access_control_rule.go
@ -26,7 +26,7 @@ func NewAccessControlRule(pos int, rule schema.ACLRule, networksMap map[string][
 		Methods:  schemaMethodsToACL(rule.Methods),
 		Networks: schemaNetworksToACL(rule.Networks, networksMap, networksCacheMap),
 		Subjects: schemaSubjectsToACL(rule.Subjects),
-		Policy:   StringToLevel(rule.Policy),
+		Policy:   NewLevel(rule.Policy),
 	}
 	if len(r.Subjects) != 0 {
--- a/internal/authorization/authorizer.go
+++ b/internal/authorization/authorizer.go
@ -19,7 +19,7 @@ type Authorizer struct {
 // NewAuthorizer create an instance of authorizer with a given access control config.
 func NewAuthorizer(config *schema.Configuration) (authorizer *Authorizer) {
 	authorizer = &Authorizer{
-		defaultPolicy: StringToLevel(config.AccessControl.DefaultPolicy),
+		defaultPolicy: NewLevel(config.AccessControl.DefaultPolicy),
 		rules:         NewAccessControlRules(config.AccessControl),
 		config:        config,
 		log:           logging.Logger(),
--- a/internal/authorization/authorizer_test.go
+++ b/internal/authorization/authorizer_test.go
@ -988,12 +988,12 @@ func (s *AuthorizerSuite) TestShouldMatchResourceWithSubjectRules() {
 }
 func (s *AuthorizerSuite) TestPolicyToLevel() {
-	s.Assert().Equal(Bypass, StringToLevel(bypass))
+	s.Assert().Equal(Bypass, NewLevel(bypass))
-	s.Assert().Equal(OneFactor, StringToLevel(oneFactor))
+	s.Assert().Equal(OneFactor, NewLevel(oneFactor))
-	s.Assert().Equal(TwoFactor, StringToLevel(twoFactor))
+	s.Assert().Equal(TwoFactor, NewLevel(twoFactor))
-	s.Assert().Equal(Denied, StringToLevel(deny))
+	s.Assert().Equal(Denied, NewLevel(deny))
-	s.Assert().Equal(Denied, StringToLevel("whatever"))
+	s.Assert().Equal(Denied, NewLevel("whatever"))
 }
 func TestRunSuite(t *testing.T) {
--- a/internal/authorization/util.go
+++ b/internal/authorization/util.go
@ -9,8 +9,8 @@ import (
 	"github.com/authelia/authelia/v4/internal/configuration/schema"
 )
-// StringToLevel converts a string policy to int authorization level.
+// NewLevel converts a string policy to int authorization level.
-func StringToLevel(policy string) Level {
+func NewLevel(policy string) Level {
 	switch policy {
 	case bypass:
 		return Bypass
@ -25,9 +25,9 @@ func StringToLevel(policy string) Level {
 	return Denied
 }
-// LevelToString converts a int authorization level to string policy.
+// String returns a policy string representation of an authorization.Level.
-func LevelToString(level Level) (policy string) {
+func (l Level) String() string {
-	switch level {
+	switch l {
 	case Bypass:
 		return bypass
 	case OneFactor:
@ -36,9 +36,9 @@ func LevelToString(level Level) (policy string) {
 		return twoFactor
 	case Denied:
 		return deny
-	}
+	default:
 		return deny
 	}
 }
 func stringSliceToRegexpSlice(strings []string) (regexps []regexp.Regexp, err error) {
--- a/internal/authorization/util_test.go
+++ b/internal/authorization/util_test.go
@ -25,7 +25,7 @@ func TestLevelToString(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run("Expected_"+tc.expected, func(t *testing.T) {
-			assert.Equal(t, tc.expected, LevelToString(tc.have))
+			assert.Equal(t, tc.expected, tc.have.String())
 		})
 	}
 }
--- a/internal/commands/acl.go
+++ b/internal/commands/acl.go
@ -10,12 +10,10 @@ import (
 	"github.com/spf13/cobra"
 	"github.com/authelia/authelia/v4/internal/authorization"
 	"github.com/authelia/authelia/v4/internal/configuration"
 	"github.com/authelia/authelia/v4/internal/configuration/schema"
 	"github.com/authelia/authelia/v4/internal/configuration/validator"
 )
-func newAccessControlCommand() (cmd *cobra.Command) {
+func newAccessControlCommand(ctx *CmdCtx) (cmd *cobra.Command) {
 	cmd = &cobra.Command{
 		Use:     "access-control",
 		Short:   cmdAutheliaAccessControlShort,
@ -26,25 +24,26 @@ func newAccessControlCommand() (cmd *cobra.Command) {
 	}
 	cmd.AddCommand(
-		newAccessControlCheckCommand(),
+		newAccessControlCheckCommand(ctx),
 	)
 	return cmd
 }
-func newAccessControlCheckCommand() (cmd *cobra.Command) {
+func newAccessControlCheckCommand(ctx *CmdCtx) (cmd *cobra.Command) {
 	cmd = &cobra.Command{
 		Use:     "check-policy",
 		Short:   cmdAutheliaAccessControlCheckPolicyShort,
 		Long:    cmdAutheliaAccessControlCheckPolicyLong,
 		Example: cmdAutheliaAccessControlCheckPolicyExample,
-		RunE:    accessControlCheckRunE,
+		PreRunE: ctx.ChainRunE(
 			ctx.ConfigLoadRunE,
 		),
 		RunE: ctx.AccessControlCheckRunE,
 		DisableAutoGenTag: true,
 	}
 	cmdWithConfigFlags(cmd, false, []string{"configuration.yml"})
 	cmd.Flags().String("url", "", "the url of the object")
 	cmd.Flags().String("method", "GET", "the HTTP method of the object")
 	cmd.Flags().String("username", "", "the username of the subject")
@ -55,36 +54,14 @@ func newAccessControlCheckCommand() (cmd *cobra.Command) {
 	return cmd
 }
-func accessControlCheckRunE(cmd *cobra.Command, _ []string) (err error) {
+func (ctx *CmdCtx) AccessControlCheckRunE(cmd *cobra.Command, _ []string) (err error) {
-	configs, err := cmd.Flags().GetStringSlice(cmdFlagNameConfig)
+	validator.ValidateAccessControl(ctx.config, ctx.cconfig.validator)
 	if err != nil {
 		return err
 	}
-	sources := make([]configuration.Source, len(configs)+2)
+	if ctx.cconfig.validator.HasErrors() || ctx.cconfig.validator.HasWarnings() {
 	for i, path := range configs {
 		sources[i] = configuration.NewYAMLFileSource(path)
 	}
 	sources[0+len(configs)] = configuration.NewEnvironmentSource(configuration.DefaultEnvPrefix, configuration.DefaultEnvDelimiter)
 	sources[1+len(configs)] = configuration.NewSecretsSource(configuration.DefaultEnvPrefix, configuration.DefaultEnvDelimiter)
 	val := schema.NewStructValidator()
 	accessControlConfig := &schema.Configuration{}
 	if _, err = configuration.LoadAdvanced(val, "access_control", &accessControlConfig.AccessControl, sources...); err != nil {
 		return err
 	}
 	validator.ValidateAccessControl(accessControlConfig, val)
 	if val.HasErrors() || val.HasWarnings() {
 		return errors.New("your configuration has errors")
 	}
-	authorizer := authorization.NewAuthorizer(accessControlConfig)
+	authorizer := authorization.NewAuthorizer(ctx.config)
 	subject, object, err := getSubjectAndObjectFromFlags(cmd)
 	if err != nil {
@ -94,7 +71,7 @@ func accessControlCheckRunE(cmd *cobra.Command, _ []string) (err error) {
 	results := authorizer.GetRuleMatchResults(subject, object)
 	if len(results) == 0 {
-		fmt.Printf("\nThe default policy '%s' will be applied to ALL requests as no rules are configured.\n\n", accessControlConfig.AccessControl.DefaultPolicy)
+		fmt.Printf("\nThe default policy '%s' will be applied to ALL requests as no rules are configured.\n\n", ctx.config.AccessControl.DefaultPolicy)
 		return nil
 	}
@ -104,7 +81,7 @@ func accessControlCheckRunE(cmd *cobra.Command, _ []string) (err error) {
 		return err
 	}
-	accessControlCheckWriteOutput(object, subject, results, accessControlConfig.AccessControl.DefaultPolicy, verbose)
+	accessControlCheckWriteOutput(object, subject, results, ctx.config.AccessControl.DefaultPolicy, verbose)
 	return nil
 }
@ -171,11 +148,11 @@ func accessControlCheckWriteOutput(object authorization.Object, subject authoriz
 	switch {
 	case appliedPos != 0 && (potentialPos == 0 || (potentialPos > appliedPos)):
-		fmt.Printf("\nThe policy '%s' from rule #%d will be applied to this request.\n\n", authorization.LevelToString(applied.Rule.Policy), appliedPos)
+		fmt.Printf("\nThe policy '%s' from rule #%d will be applied to this request.\n\n", applied.Rule.Policy, appliedPos)
 	case potentialPos != 0 && appliedPos != 0:
-		fmt.Printf("\nThe policy '%s' from rule #%d will potentially be applied to this request. If not policy '%s' from rule #%d will be.\n\n", authorization.LevelToString(potential.Rule.Policy), potentialPos, authorization.LevelToString(applied.Rule.Policy), appliedPos)
+		fmt.Printf("\nThe policy '%s' from rule #%d will potentially be applied to this request. If not policy '%s' from rule #%d will be.\n\n", potential.Rule.Policy, potentialPos, applied.Rule.Policy, appliedPos)
 	case potentialPos != 0:
-		fmt.Printf("\nThe policy '%s' from rule #%d will potentially be applied to this request. Otherwise the policy '%s' from the default policy will be.\n\n", authorization.LevelToString(potential.Rule.Policy), potentialPos, defaultPolicy)
+		fmt.Printf("\nThe policy '%s' from rule #%d will potentially be applied to this request. Otherwise the policy '%s' from the default policy will be.\n\n", potential.Rule.Policy, potentialPos, defaultPolicy)
 	default:
 		fmt.Printf("\nThe policy '%s' from the default policy will be applied to this request as no rules matched the request.\n\n", defaultPolicy)
 	}
--- a/internal/commands/build-info.go
+++ b/internal/commands/build-info.go
@ -9,13 +9,13 @@ import (
 	"github.com/authelia/authelia/v4/internal/utils"
 )
-func newBuildInfoCmd() (cmd *cobra.Command) {
+func newBuildInfoCmd(ctx *CmdCtx) (cmd *cobra.Command) {
 	cmd = &cobra.Command{
 		Use:     "build-info",
 		Short:   cmdAutheliaBuildInfoShort,
 		Long:    cmdAutheliaBuildInfoLong,
 		Example: cmdAutheliaBuildInfoExample,
-		RunE:    cmdBuildInfoRunE,
+		RunE:    ctx.BuildInfoRunE,
 		Args:    cobra.NoArgs,
 		DisableAutoGenTag: true,
@ -24,7 +24,8 @@ func newBuildInfoCmd() (cmd *cobra.Command) {
 	return cmd
 }
-func cmdBuildInfoRunE(_ *cobra.Command, _ []string) (err error) {
+// BuildInfoRunE is the RunE for the authelia build-info command.
 func (ctx *CmdCtx) BuildInfoRunE(_ *cobra.Command, _ []string) (err error) {
 	_, err = fmt.Printf(fmtAutheliaBuild, utils.BuildTag, utils.BuildState, utils.BuildBranch, utils.BuildCommit,
 		utils.BuildNumber, runtime.GOOS, runtime.GOARCH, utils.BuildDate, utils.BuildExtra)
--- a/internal/commands/configuration.go
+++ b/internal/commands/configuration.go
@ -1,101 +0,0 @@
 package commands
 import (
 	"os"
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/authelia/authelia/v4/internal/configuration"
 	"github.com/authelia/authelia/v4/internal/configuration/schema"
 	"github.com/authelia/authelia/v4/internal/configuration/validator"
 	"github.com/authelia/authelia/v4/internal/logging"
 )
 // cmdWithConfigFlags is used for commands which require access to the configuration to add the flag to the command.
 func cmdWithConfigFlags(cmd *cobra.Command, persistent bool, configs []string) {
 	if persistent {
 		cmd.PersistentFlags().StringSliceP(cmdFlagNameConfig, "c", configs, "configuration files to load")
 	} else {
 		cmd.Flags().StringSliceP(cmdFlagNameConfig, "c", configs, "configuration files to load")
 	}
 }
 var config *schema.Configuration
 func newCmdWithConfigPreRun(ensureConfigExists, validateKeys, validateConfiguration bool) func(cmd *cobra.Command, args []string) {
 	return func(cmd *cobra.Command, _ []string) {
 		var (
 			logger  *logrus.Logger
 			configs []string
 			err     error
 		)
 		logger = logging.Logger()
 		if configs, err = cmd.Flags().GetStringSlice(cmdFlagNameConfig); err != nil {
 			logger.Fatalf("Error reading flags: %v", err)
 		}
 		if ensureConfigExists && len(configs) == 1 {
 			created, err := configuration.EnsureConfigurationExists(configs[0])
 			if err != nil {
 				logger.Fatal(err)
 			}
 			if created {
 				logger.Warnf("Configuration did not exist so a default one has been generated at %s, you will need to configure this", configs[0])
 				os.Exit(0)
 			}
 		}
 		var (
 			val *schema.StructValidator
 		)
 		config, val, err = loadConfig(configs, validateKeys, validateConfiguration)
 		if err != nil {
 			logger.Fatalf("Error occurred loading configuration: %v", err)
 		}
 		warnings := val.Warnings()
 		if len(warnings) != 0 {
 			for _, warning := range warnings {
 				logger.Warnf("Configuration: %+v", warning)
 			}
 		}
 		errs := val.Errors()
 		if len(errs) != 0 {
 			for _, err := range errs {
 				logger.Errorf("Configuration: %+v", err)
 			}
 			logger.Fatalf("Can't continue due to the errors loading the configuration")
 		}
 	}
 }
 func loadConfig(configs []string, validateKeys, validateConfiguration bool) (c *schema.Configuration, val *schema.StructValidator, err error) {
 	var keys []string
 	val = schema.NewStructValidator()
 	if keys, c, err = configuration.Load(val,
 		configuration.NewDefaultSources(
 			configs,
 			configuration.DefaultEnvPrefix,
 			configuration.DefaultEnvDelimiter)...); err != nil {
 		return nil, nil, err
 	}
 	if validateKeys {
 		validator.ValidateKeys(keys, configuration.DefaultEnvPrefix, val)
 	}
 	if validateConfiguration {
 		validator.ValidateConfiguration(c, val)
 	}
 	return c, val, nil
 }
--- a/Show More
+++ b/Show More