use debug instead of console.error

VolumesFrom is part of HostConfig
containerId does not mean it is running
2015-10-20 19:03:34 -07:00 · 2015-10-20 17:34:47 -07:00 · 2015-10-20 16:56:57 -07:00 · 2015-10-20 15:07:35 -07:00 · 2015-10-20 14:40:27 -07:00 · 2015-10-20 14:30:50 -07:00
80 changed files with 4222 additions and 2238 deletions
@@ -14,6 +14,7 @@ var appHealthMonitor = require('./src/apphealthmonitor.js'),
    async = require('async'),
    config = require('./src/config.js'),
    ldap = require('./src/ldap.js'),
+    simpleauth = require('./src/simpleauth.js'),
    oauthproxy = require('./src/oauthproxy.js'),
    server = require('./src/server.js');

@@ -35,6 +36,7 @@ console.log();
 async.series([
    server.start,
    ldap.start,
+    simpleauth.start,
    appHealthMonitor.start,
    oauthproxy.start
 ], function (error) {
@@ -49,6 +51,7 @@ var NOOP_CALLBACK = function () { };
 process.on('SIGINT', function () {
    server.stop(NOOP_CALLBACK);
    ldap.stop(NOOP_CALLBACK);
+    simpleauth.stop(NOOP_CALLBACK);
    oauthproxy.stop(NOOP_CALLBACK);
    setTimeout(process.exit.bind(process), 3000);
 });
@@ -56,6 +59,7 @@ process.on('SIGINT', function () {
 process.on('SIGTERM', function () {
    server.stop(NOOP_CALLBACK);
    ldap.stop(NOOP_CALLBACK);
+    simpleauth.stop(NOOP_CALLBACK);
    oauthproxy.stop(NOOP_CALLBACK);
    setTimeout(process.exit.bind(process), 3000);
 });
@@ -1,74 +0,0 @@
-#!/usr/bin/env node
-
-'use strict';
-
-require('supererror')({ splatchError: true });
-
-// remove timestamp from debug() based output
-require('debug').formatArgs = function formatArgs() {
-    arguments[0] = this.namespace + ' ' + arguments[0];
-    return arguments;
-};
-
-var assert = require('assert'),
-    debug = require('debug')('box:janitor'),
-    async = require('async'),
-    tokendb = require('./src/tokendb.js'),
-    authcodedb = require('./src/authcodedb.js'),
-    database = require('./src/database.js');
-
-function initialize(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    async.series([
-        database.initialize
-    ], callback);
-}
-
-function cleanupExpiredTokens(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    tokendb.delExpired(function (error, result) {
-        if (error) return callback(error);
-
-        debug('Cleaned up %s expired tokens.', result);
-
-        callback(null);
-    });
-}
-
-function cleanupExpiredAuthCodes(callback) {
-    assert.strictEqual(typeof callback, 'function');
-
-    authcodedb.delExpired(function (error, result) {
-        if (error) return callback(error);
-
-        debug('Cleaned up %s expired authcodes.', result);
-
-        callback(null);
-    });
-}
-
-function run() {
-    cleanupExpiredTokens(function (error) {
-        if (error) console.error(error);
-
-        cleanupExpiredAuthCodes(function (error) {
-            if (error) console.error(error);
-
-            process.exit(0);
-        });
-    });
-}
-
-if (require.main === module) {
-    initialize(function (error) {
-        if (error) {
-            console.error('janitor task exiting with error', error);
-            process.exit(1);
-        }
-
-        run();
-    });
-}
-
@@ -0,0 +1,17 @@
+dbm = dbm || require('db-migrate');
+var type = dbm.dataType;
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps ADD COLUMN oauthProxy BOOLEAN DEFAULT 0', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps DROP COLUMN oauthProxy', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
@@ -0,0 +1,17 @@
+dbm = dbm || require('db-migrate');
+var type = dbm.dataType;
+var async = require('async');
+
+exports.up = function(db, callback) {
+    async.series([
+        db.runSql.bind(db, 'DELETE FROM clients'),
+        db.runSql.bind(db, 'ALTER TABLE clients ADD COLUMN type VARCHAR(16) NOT NULL'),
+    ], callback);
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE clients DROP COLUMN type', function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
@@ -0,0 +1,17 @@
+var dbm = global.dbm || require('db-migrate');
+var type = dbm.dataType;
+
+exports.up = function(db, callback) {
+    db.runSql('ALTER TABLE apps CHANGE accessRestriction accessRestrictionJson VARCHAR(2048)', [], function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
+exports.down = function(db, callback) {
+    db.runSql('ALTER TABLE apps CHANGE accessRestrictionJson accessRestriction VARCHAR(2048)', [], function (error) {
+        if (error) console.error(error);
+        callback(error);
+    });
+};
+
@@ -29,8 +29,9 @@ CREATE TABLE IF NOT EXISTS tokens(
    PRIMARY KEY(accessToken));

 CREATE TABLE IF NOT EXISTS clients(
-    id VARCHAR(128) NOT NULL UNIQUE,
+    id VARCHAR(128) NOT NULL UNIQUE, // prefixed with cid- to identify token easily in auth routes
    appId VARCHAR(128) NOT NULL,
+    type VARCHAR(16) NOT NULL,
    clientSecret VARCHAR(512) NOT NULL,
    redirectURI VARCHAR(512) NOT NULL,
    scope VARCHAR(512) NOT NULL,
@@ -48,11 +49,15 @@ CREATE TABLE IF NOT EXISTS apps(
    httpPort INTEGER,                        // this is the nginx proxy port and not manifest.httpPort
    location VARCHAR(128) NOT NULL UNIQUE,
    dnsRecordId VARCHAR(512),
-    accessRestriction VARCHAR(512),
+    accessRestrictionJson VARCHAR(2048),
+    oauthProxy BOOLEAN DEFAULT 0,
    createdAt TIMESTAMP(2) NOT NULL DEFAULT CURRENT_TIMESTAMP,

    lastBackupId VARCHAR(128),
    lastBackupConfigJson VARCHAR(2048), // used for appstore and non-appstore installs. it's here so it's easy to do REST validation
+
+    oldConfigJson VARCHAR(2048), // used to pass old config for apptask
+
    PRIMARY KEY(id));

 CREATE TABLE IF NOT EXISTS appPortBindings(
@@ -16,7 +16,7 @@
    "async": "^1.2.1",
    "aws-sdk": "^2.1.46",
    "body-parser": "^1.13.1",
-    "cloudron-manifestformat": "^1.7.0",
+    "cloudron-manifestformat": "^2.0.0",
    "connect-ensure-login": "^0.1.1",
    "connect-lastmile": "0.0.13",
    "connect-timeout": "^1.5.0",
@@ -84,6 +84,7 @@
    "nock": "^2.6.0",
    "node-sass": "^3.0.0-alpha.0",
    "redis": "^0.12.1",
+    "request": "^2.65.0",
    "sinon": "^1.12.2",
    "yargs": "^3.15.0"
  },
@@ -3,15 +3,21 @@
 # If you change the infra version, be sure to put a warning
 # in the change log

-INFRA_VERSION=11
+INFRA_VERSION=18

 # WARNING WARNING WARNING WARNING WARNING WARNING WARNING WARNING
 # These constants are used in the installer script as well
-BASE_IMAGE=cloudron/base:0.4.0
-MYSQL_IMAGE=cloudron/mysql:0.4.0
-POSTGRESQL_IMAGE=cloudron/postgresql:0.4.0
-MONGODB_IMAGE=cloudron/mongodb:0.4.0
-REDIS_IMAGE=cloudron/redis:0.4.0 # if you change this, fix src/addons.js as well
-MAIL_IMAGE=cloudron/mail:0.4.0
-GRAPHITE_IMAGE=cloudron/graphite:0.4.0
+BASE_IMAGE=cloudron/base:0.7.0
+MYSQL_IMAGE=cloudron/mysql:0.7.0
+POSTGRESQL_IMAGE=cloudron/postgresql:0.7.0
+MONGODB_IMAGE=cloudron/mongodb:0.7.0
+REDIS_IMAGE=cloudron/redis:0.7.0 # if you change this, fix src/addons.js as well
+MAIL_IMAGE=cloudron/mail:0.7.0
+GRAPHITE_IMAGE=cloudron/graphite:0.7.0

+MYSQL_REPO=cloudron/mysql
+POSTGRESQL_REPO=cloudron/postgresql
+MONGODB_REPO=cloudron/mongodb
+REDIS_REPO=cloudron/redis # if you change this, fix src/addons.js as well
+MAIL_REPO=cloudron/mail
+GRAPHITE_REPO=cloudron/graphite
@@ -14,12 +14,13 @@ rm -rf "${CONFIG_DIR}"
 sudo -u yellowtent mkdir "${CONFIG_DIR}"

 ########## systemd
+rm -f /etc/systemd/system/janitor.*
 cp -r "${container_files}/systemd/." /etc/systemd/system/
 systemctl daemon-reload
 systemctl enable cloudron.target

 ########## sudoers
-rm /etc/sudoers.d/*
+rm -f /etc/sudoers.d/*
 cp "${container_files}/sudoers" /etc/sudoers.d/yellowtent

 ########## collectd
@@ -2,8 +2,8 @@
 Description=Cloudron Smart Cloud
 Documentation=https://cloudron.io/documentation.html
 StopWhenUnneeded=true
-Requires=box.service janitor.timer
-After=box.service janitor.timer
+Requires=box.service
+After=box.service
 # AllowIsolate=yes

 [Install]
@@ -1,15 +0,0 @@
-[Unit]
-Description=Cloudron Janitor
-OnFailure=crashnotifier@%n.service
-
-[Service]
-Type=simple
-WorkingDirectory=/home/yellowtent/box
-Restart=no
-ExecStart=/usr/bin/node /home/yellowtent/box/janitor.js
-Environment="HOME=/home/yellowtent" "USER=yellowtent" "DEBUG=box*,connect-lastmile" "BOX_ENV=cloudron" "NODE_ENV=production"
-KillMode=process
-User=yellowtent
-Group=yellowtent
-MemoryLimit=50M
-WatchdogSec=30
@@ -1,10 +0,0 @@
-[Unit]
-Description=Cloudron Janitor
-StopWhenUnneeded=true
-
-[Timer]
-# this activates it immediately
-OnBootSec=0
-OnUnitActiveSec=30min
-Unit=janitor.service
-
@@ -157,14 +157,14 @@ EOF
 # The domain might have changed, therefor we have to update the record
 # !!! This needs to be in sync with the webadmin, specifically login_callback.js
 echo "Add webadmin oauth cient"
-ADMIN_SCOPES="root,developer,profile,users,apps,settings,roleUser"
+ADMIN_SCOPES="root,developer,profile,users,apps,settings"
 mysql -u root -p${mysql_root_password} \
-    -e "REPLACE INTO clients (id, appId, clientSecret, redirectURI, scope) VALUES (\"cid-webadmin\", \"webadmin\", \"secret-webadmin\", \"${admin_origin}\", \"${ADMIN_SCOPES}\")" box
+    -e "REPLACE INTO clients (id, appId, type, clientSecret, redirectURI, scope) VALUES (\"cid-webadmin\", \"webadmin\", \"admin\", \"secret-webadmin\", \"${admin_origin}\", \"${ADMIN_SCOPES}\")" box

-echo "Add localhost test oauth cient"
-ADMIN_SCOPES="root,developer,profile,users,apps,settings,roleUser"
+echo "Add localhost test oauth client"
+ADMIN_SCOPES="root,developer,profile,users,apps,settings"
 mysql -u root -p${mysql_root_password} \
-    -e "REPLACE INTO clients (id, appId, clientSecret, redirectURI, scope) VALUES (\"cid-test\", \"test\", \"secret-test\", \"http://127.0.0.1:5000\", \"${ADMIN_SCOPES}\")" box
+    -e "REPLACE INTO clients (id, appId, type, clientSecret, redirectURI, scope) VALUES (\"cid-test\", \"test\", \"test\", \"secret-test\", \"http://127.0.0.1:5000\", \"${ADMIN_SCOPES}\")" box

 set_progress "80" "Starting Cloudron"
 systemctl start cloudron.target
@@ -34,19 +34,26 @@ graphite_container_id=$(docker run --restart=always -d --name="graphite" \
    -p 127.0.0.1:2004:2004 \
    -p 127.0.0.1:8000:8000 \
    -v "${DATA_DIR}/graphite:/app/data" \
+    --read-only -v /tmp -v /run \
    "${GRAPHITE_IMAGE}")
 echo "Graphite container id: ${graphite_container_id}"
+if docker images "${GRAPHITE_REPO}" | tail -n +2 | awk '{ print $1 ":" $2 }' | grep -v "${GRAPHITE_IMAGE}" | xargs --no-run-if-empty docker rmi; then
+    echo "Removed old graphite images"
+fi

-# mail
+# mail (MAIL_SMTP_PORT is 2500 in addons.js. used in mailer.js as well)
 mail_container_id=$(docker run --restart=always -d --name="mail" \
    -m 75m \
    --memory-swap 150m \
-    -p 127.0.0.1:25:25 \
    -h "${arg_fqdn}" \
    -e "DOMAIN_NAME=${arg_fqdn}" \
    -v "${DATA_DIR}/box/mail:/app/data" \
+    --read-only -v /tmp -v /run \
    "${MAIL_IMAGE}")
 echo "Mail container id: ${mail_container_id}"
+if docker images "${MAIL_REPO}" | tail -n +2 | awk '{ print $1 ":" $2 }' | grep -v "${MAIL_IMAGE}" | xargs --no-run-if-empty docker rmi; then
+    echo "Removed old mail images"
+fi

 # mysql
 mysql_addon_root_password=$(pwgen -1 -s)
@@ -61,8 +68,12 @@ mysql_container_id=$(docker run --restart=always -d --name="mysql" \
    -h "${arg_fqdn}" \
    -v "${DATA_DIR}/mysql:/var/lib/mysql" \
    -v "${DATA_DIR}/addons/mysql_vars.sh:/etc/mysql/mysql_vars.sh:ro" \
+    --read-only -v /tmp -v /run \
    "${MYSQL_IMAGE}")
 echo "MySQL container id: ${mysql_container_id}"
+if docker images "${MYSQL_REPO}" | tail -n +2 | awk '{ print $1 ":" $2 }' | grep -v "${MYSQL_IMAGE}" | xargs --no-run-if-empty docker rmi; then
+    echo "Removed old mysql images"
+fi

 # postgresql
 postgresql_addon_root_password=$(pwgen -1 -s)
@@ -75,8 +86,12 @@ postgresql_container_id=$(docker run --restart=always -d --name="postgresql" \
    -h "${arg_fqdn}" \
    -v "${DATA_DIR}/postgresql:/var/lib/postgresql" \
    -v "${DATA_DIR}/addons/postgresql_vars.sh:/etc/postgresql/postgresql_vars.sh:ro" \
+    --read-only -v /tmp -v /run \
    "${POSTGRESQL_IMAGE}")
 echo "PostgreSQL container id: ${postgresql_container_id}"
+if docker images "${POSTGRESQL_REPO}" | tail -n +2 | awk '{ print $1 ":" $2 }' | grep -v "${POSTGRESQL_IMAGE}" | xargs --no-run-if-empty docker rmi; then
+    echo "Removed old postgresql images"
+fi

 # mongodb
 mongodb_addon_root_password=$(pwgen -1 -s)
@@ -89,17 +104,26 @@ mongodb_container_id=$(docker run --restart=always -d --name="mongodb" \
    -h "${arg_fqdn}" \
    -v "${DATA_DIR}/mongodb:/var/lib/mongodb" \
    -v "${DATA_DIR}/addons/mongodb_vars.sh:/etc/mongodb_vars.sh:ro" \
+    --read-only -v /tmp -v /run \
    "${MONGODB_IMAGE}")
 echo "Mongodb container id: ${mongodb_container_id}"
+if docker images "${MONGODB_REPO}" | tail -n +2 | awk '{ print $1 ":" $2 }' | grep -v "${MONGODB_IMAGE}" | xargs --no-run-if-empty docker rmi; then
+    echo "Removed old mongodb images"
+fi

+# redis
+if docker images "${REDIS_REPO}" | tail -n +2 | awk '{ print $1 ":" $2 }' | grep -v "${REDIS_IMAGE}" | xargs --no-run-if-empty docker rmi; then
+    echo "Removed old redis images"
+fi
+
+# only touch apps in installed state. any other state is just resumed by the taskmanager
 if [[ "${infra_version}" == "none" ]]; then
-    # if no existing infra was found (for new and restoring cloudons), download app backups
+    # if no existing infra was found (for new, upgraded and restored cloudons), download app backups
    echo "Marking installed apps for restore"
-    mysql -u root -ppassword -e 'UPDATE apps SET installationState = "pending_restore" WHERE installationState = "installed"' box
+    mysql -u root -ppassword -e 'UPDATE apps SET installationState = "pending_restore", oldConfigJson = NULL WHERE installationState = "installed"' box
 else
    # if existing infra was found, just mark apps for reconfiguration
-    mysql -u root -ppassword -e 'UPDATE apps SET installationState = "pending_configure" WHERE installationState = "installed"' box
+    mysql -u root -ppassword -e 'UPDATE apps SET installationState = "pending_configure", oldConfigJson = NULL  WHERE installationState = "installed"' box
 fi

 echo -n "${INFRA_VERSION}" > "${DATA_DIR}/INFRA_VERSION"
-
@@ -23,56 +23,36 @@ var appdb = require('./appdb.js'),
    config = require('./config.js'),
    DatabaseError = require('./databaseerror.js'),
    debug = require('debug')('box:addons'),
-    docker = require('./docker.js'),
+    docker = require('./docker.js').connection,
    fs = require('fs'),
    generatePassword = require('password-generator'),
    hat = require('hat'),
    MemoryStream = require('memorystream'),
    once = require('once'),
-    os = require('os'),
    path = require('path'),
    paths = require('./paths.js'),
    safe = require('safetydance'),
    shell = require('./shell.js'),
    spawn = child_process.spawn,
    util = require('util'),
-    uuid = require('node-uuid'),
-    vbox = require('./vbox.js');
+    uuid = require('node-uuid');

 var NOOP = function (app, options, callback) { return callback(); };

 // setup can be called multiple times for the same app (configure crash restart) and existing data must not be lost
 // teardown is destructive. app data stored with the addon is lost
 var KNOWN_ADDONS = {
-    oauth: {
-        setup: setupOauth,
-        teardown: teardownOauth,
-        backup: NOOP,
-        restore: setupOauth
-    },
    ldap: {
        setup: setupLdap,
        teardown: teardownLdap,
        backup: NOOP,
        restore: setupLdap
    },
-    sendmail: {
-        setup: setupSendMail,
-        teardown: teardownSendMail,
-        backup: NOOP,
-        restore: setupSendMail
-    },
-    mysql: {
-        setup: setupMySql,
-        teardown: teardownMySql,
-        backup: backupMySql,
-        restore: restoreMySql,
-    },
-    postgresql: {
-        setup: setupPostgreSql,
-        teardown: teardownPostgreSql,
-        backup: backupPostgreSql,
-        restore: restorePostgreSql
+    localstorage: {
+        setup: NOOP, // docker creates the directory for us
+        teardown: NOOP,
+        backup: NOOP, // no backup because it's already inside app data
+        restore: NOOP
    },
    mongodb: {
        setup: setupMongoDb,
@@ -80,18 +60,48 @@ var KNOWN_ADDONS = {
        backup: backupMongoDb,
        restore: restoreMongoDb
    },
+    mysql: {
+        setup: setupMySql,
+        teardown: teardownMySql,
+        backup: backupMySql,
+        restore: restoreMySql,
+    },
+    oauth: {
+        setup: setupOauth,
+        teardown: teardownOauth,
+        backup: NOOP,
+        restore: setupOauth
+    },
+    postgresql: {
+        setup: setupPostgreSql,
+        teardown: teardownPostgreSql,
+        backup: backupPostgreSql,
+        restore: restorePostgreSql
+    },
    redis: {
        setup: setupRedis,
        teardown: teardownRedis,
-        backup: NOOP, // no backup because we store redis as part of app's volume
+        backup: backupRedis,
        restore: setupRedis // same thing
    },
-    localstorage: {
-        setup: NOOP, // docker creates the directory for us
+    sendmail: {
+        setup: setupSendMail,
+        teardown: teardownSendMail,
+        backup: NOOP,
+        restore: setupSendMail
+    },
+    scheduler: {
+        setup: NOOP,
        teardown: NOOP,
-        backup: NOOP, // no backup because it's already inside app data
+        backup: NOOP,
        restore: NOOP
    },
+    simpleauth: {
+        setup: setupSimpleAuth,
+        teardown: teardownSimpleAuth,
+        backup: NOOP,
+        restore: setupSimpleAuth
+    },
    _docker: {
        setup: NOOP,
        teardown: NOOP,
@@ -235,17 +245,17 @@ function setupOauth(app, options, callback) {
    assert.strictEqual(typeof callback, 'function');

    var appId = app.id;
-    var id = 'cid-addon-' + uuid.v4();
+    var id = 'cid-' + uuid.v4();
    var clientSecret = hat(256);
    var redirectURI = 'https://' + config.appFqdn(app.location);
-    var scope = 'profile,roleUser';
+    var scope = 'profile';

    debugApp(app, 'setupOauth: id:%s clientSecret:%s', id, clientSecret);

-    clientdb.delByAppId('addon-' + appId, function (error) { // remove existing creds
+    clientdb.delByAppIdAndType(appId, clientdb.TYPE_OAUTH, function (error) { // remove existing creds
        if (error && error.reason !== DatabaseError.NOT_FOUND) return callback(error);

-        clientdb.add(id, 'addon-' + appId, clientSecret, redirectURI, scope, function (error) {
+        clientdb.add(id, appId, clientdb.TYPE_OAUTH, clientSecret, redirectURI, scope, function (error) {
            if (error) return callback(error);

            var env = [
@@ -268,13 +278,59 @@ function teardownOauth(app, options, callback) {

    debugApp(app, 'teardownOauth');

-    clientdb.delByAppId('addon-' + app.id, function (error) {
+    clientdb.delByAppIdAndType(app.id, clientdb.TYPE_OAUTH, function (error) {
        if (error && error.reason !== DatabaseError.NOT_FOUND) console.error(error);

        appdb.unsetAddonConfig(app.id, 'oauth', callback);
    });
 }

+function setupSimpleAuth(app, options, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    var appId = app.id;
+    var id = 'cid-' + uuid.v4();
+    var scope = 'profile';
+
+    debugApp(app, 'setupSimpleAuth: id:%s', id);
+
+    clientdb.delByAppIdAndType(app.id, clientdb.TYPE_SIMPLE_AUTH, function (error) { // remove existing creds
+        if (error && error.reason !== DatabaseError.NOT_FOUND) return callback(error);
+
+        clientdb.add(id, appId, clientdb.TYPE_SIMPLE_AUTH, '', '', scope, function (error) {
+            if (error) return callback(error);
+
+            var env = [
+                'SIMPLE_AUTH_SERVER=172.17.42.1',
+                'SIMPLE_AUTH_PORT=' + config.get('simpleAuthPort'),
+                'SIMPLE_AUTH_URL=http://172.17.42.1:' + config.get('simpleAuthPort'), // obsolete, remove
+                'SIMPLE_AUTH_ORIGIN=http://172.17.42.1:' + config.get('simpleAuthPort'),
+                'SIMPLE_AUTH_CLIENT_ID=' + id
+            ];
+
+            debugApp(app, 'Setting simple auth addon config to %j', env);
+
+            appdb.setAddonConfig(appId, 'simpleauth', env, callback);
+        });
+    });
+}
+
+function teardownSimpleAuth(app, options, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof options, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debugApp(app, 'teardownSimpleAuth');
+
+    clientdb.delByAppIdAndType(app.id, clientdb.TYPE_SIMPLE_AUTH, function (error) {
+        if (error && error.reason !== DatabaseError.NOT_FOUND) console.error(error);
+
+        appdb.unsetAddonConfig(app.id, 'simpleauth', callback);
+    });
+}
+
 function setupLdap(app, options, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof options, 'object');
@@ -282,8 +338,8 @@ function setupLdap(app, options, callback) {

    var env = [
        'LDAP_SERVER=172.17.42.1',
-        'LDAP_PORT=3002',
-        'LDAP_URL=ldap://172.17.42.1:3002',
+        'LDAP_PORT=' + config.get('ldapPort'),
+        'LDAP_URL=ldap://172.17.42.1:' + config.get('ldapPort'),
        'LDAP_USERS_BASE_DN=ou=users,dc=cloudron',
        'LDAP_GROUPS_BASE_DN=ou=groups,dc=cloudron',
        'LDAP_BIND_DN=cn='+ app.id + ',ou=apps,dc=cloudron',
@@ -312,7 +368,7 @@ function setupSendMail(app, options, callback) {

    var env = [
        'MAIL_SMTP_SERVER=mail',
-        'MAIL_SMTP_PORT=25',
+        'MAIL_SMTP_PORT=2500', // if you change this, change the mail container
        'MAIL_SMTP_USERNAME=' + (app.location || app.id), // use app.id for bare domains
        'MAIL_DOMAIN=' + config.fqdn()
    ];
@@ -658,12 +714,28 @@ function forwardRedisPort(appId, callback) {
        var redisPort = parseInt(safe.query(data, 'NetworkSettings.Ports.6379/tcp[0].HostPort'), 10);
        if (!Number.isInteger(redisPort)) return callback(new Error('Unable to get container port mapping'));

-        vbox.forwardFromHostToVirtualBox('redis-' + appId, redisPort);
-
        return callback(null);
    });
 }

+function stopAndRemoveRedis(container, callback) {
+    function ignoreError(func) {
+        return function (callback) {
+            func(function (error) {
+                if (error) debug('stopAndRemoveRedis: Ignored error:', error);
+                callback();
+            });
+        };
+    }
+
+    // stopping redis with SIGTERM makes it commit the database to disk
+    async.series([
+        ignoreError(container.stop.bind(container, { t: 10 })),
+        ignoreError(container.wait.bind(container)),
+        ignoreError(container.remove.bind(container, { force: true, v: true }))
+    ], callback);
+}
+
 // Ensures that app's addon redis container is running. Can be called when named container already exists/running
 function setupRedis(app, options, callback) {
    assert.strictEqual(typeof app, 'object');
@@ -684,29 +756,28 @@ function setupRedis(app, options, callback) {
        name: 'redis-' + app.id,
        Hostname: config.appFqdn(app.location),
        Tty: true,
-        Image: 'cloudron/redis:0.4.0', // if you change this, fix setup/INFRA_VERSION as well
+        Image: 'cloudron/redis:0.7.0', // if you change this, fix setup/INFRA_VERSION as well
        Cmd: null,
-        Volumes: {},
-        VolumesFrom: []
-    };
-
-    var isMac = os.platform() === 'darwin';
-
-    var startOptions = {
-        Binds: [
-            redisVarsFile + ':/etc/redis/redis_vars.sh:ro',
-            redisDataDir + ':/var/lib/redis:rw'
-        ],
-        Memory: 1024 * 1024 * 75, // 100mb
-        MemorySwap: 1024 * 1024 * 75 * 2, // 150mb
-        // On Mac (boot2docker), we have to export the port to external world for port forwarding from Mac to work
-        // On linux, export to localhost only for testing purposes and not for the app itself
-        PortBindings: {
-            '6379/tcp': [{ HostPort: '0', HostIp: isMac ? '0.0.0.0' : '127.0.0.1' }]
+        Volumes: {
+            '/tmp': {},
+            '/run': {}
        },
-        RestartPolicy: {
-            'Name': 'always',
-            'MaximumRetryCount': 0
+        VolumesFrom: [],
+        HostConfig: {
+            Binds: [
+                redisVarsFile + ':/etc/redis/redis_vars.sh:ro',
+                redisDataDir + ':/var/lib/redis:rw'
+            ],
+            Memory: 1024 * 1024 * 75, // 100mb
+            MemorySwap: 1024 * 1024 * 75 * 2, // 150mb
+            PortBindings: {
+                '6379/tcp': [{ HostPort: '0', HostIp: '127.0.0.1' }]
+            },
+            ReadonlyRootfs: true,
+            RestartPolicy: {
+                'Name': 'always',
+                'MaximumRetryCount': 0
+            }
        }
    };

@@ -718,11 +789,11 @@ function setupRedis(app, options, callback) {
    ];

    var redisContainer = docker.getContainer(createOptions.name);
-    redisContainer.remove({ force: true, v: false }, function (ignoredError) {
+    stopAndRemoveRedis(redisContainer, function () {
        docker.createContainer(createOptions, function (error) {
            if (error && error.statusCode !== 409) return callback(error); // if not already created

-            redisContainer.start(startOptions, function (error) {
+            redisContainer.start(function (error) {
                if (error && error.statusCode !== 304) return callback(error); // if not already running

                appdb.setAddonConfig(app.id, 'redis', env, function (error) {
@@ -744,14 +815,12 @@ function teardownRedis(app, options, callback) {

   var removeOptions = {
       force: true, // kill container if it's running
-       v: false // removes volumes associated with the container
+       v: true // removes volumes associated with the container
   };

   container.remove(removeOptions, function (error) {
       if (error && error.statusCode !== 404) return callback(new Error('Error removing container:' + error));

-       vbox.unforwardFromHostToVirtualBox('redis-' + app.id);
-
       safe.fs.unlinkSync(paths.ADDON_CONFIG_DIR, 'redis-' + app.id + '_vars.sh');

        shell.sudo('teardownRedis', [ RMAPPDIR_CMD, app.id + '/redis' ], function (error, stdout, stderr) {
@@ -761,3 +830,19 @@ function teardownRedis(app, options, callback) {
        });
   });
 }
+
+function backupRedis(app, options, callback) {
+    debugApp(app, 'Backing up redis');
+
+    callback = once(callback); // ChildProcess exit may or may not be called after error
+
+    var cp = spawn('/usr/bin/docker', [ 'exec', 'redis-' + app.id, '/addons/redis/service.sh', 'backup' ]);
+    cp.on('error', callback);
+    cp.on('exit', function (code, signal) {
+        debugApp(app, 'backupRedis: done. code:%s signal:%s', code, signal);
+        if (!callback.called) callback(code ? 'backupRedis failed with status ' + code : null);
+    });
+
+    cp.stdout.pipe(process.stdout);
+    cp.stderr.pipe(process.stderr);
+}
@@ -40,7 +40,6 @@ exports = module.exports = {
    RSTATE_PENDING_START: 'pending_start',
    RSTATE_PENDING_STOP: 'pending_stop',
    RSTATE_STOPPED: 'stopped', // app stopped by use
-    RSTATE_ERROR: 'error',

    // run codes (keep in sync in UI)
    HEALTH_HEALTHY: 'healthy',
@@ -58,13 +57,9 @@ var assert = require('assert'),
    safe = require('safetydance'),
    util = require('util');

-var APPS_FIELDS = [ 'id', 'appStoreId', 'installationState', 'installationProgress', 'runState',
-    'health', 'containerId', 'manifestJson', 'httpPort', 'location', 'dnsRecordId',
-    'accessRestriction', 'lastBackupId', 'lastBackupConfigJson', 'oldConfigJson' ].join(',');
-
 var APPS_FIELDS_PREFIXED = [ 'apps.id', 'apps.appStoreId', 'apps.installationState', 'apps.installationProgress', 'apps.runState',
    'apps.health', 'apps.containerId', 'apps.manifestJson', 'apps.httpPort', 'apps.location', 'apps.dnsRecordId',
-    'apps.accessRestriction', 'apps.lastBackupId', 'apps.lastBackupConfigJson', 'apps.oldConfigJson' ].join(',');
+    'apps.accessRestrictionJson', 'apps.lastBackupId', 'apps.lastBackupConfigJson', 'apps.oldConfigJson', 'apps.oauthProxy' ].join(',');

 var PORT_BINDINGS_FIELDS = [ 'hostPort', 'environmentVariable', 'appId' ].join(',');

@@ -96,6 +91,13 @@ function postProcess(result) {
    for (var i = 0; i < environmentVariables.length; i++) {
        result.portBindings[environmentVariables[i]] = parseInt(hostPorts[i], 10);
    }
+
+    result.oauthProxy = !!result.oauthProxy;
+
+    assert(result.accessRestrictionJson === null || typeof result.accessRestrictionJson === 'string');
+    result.accessRestriction = safe.JSON.parse(result.accessRestrictionJson);
+    if (result.accessRestriction && !result.accessRestriction.users) result.accessRestriction.users = [];
+    delete result.accessRestrictionJson;
 }

 function get(id, callback) {
@@ -177,24 +179,26 @@ function getAll(callback) {
    });
 }

-function add(id, appStoreId, manifest, location, portBindings, accessRestriction, callback) {
+function add(id, appStoreId, manifest, location, portBindings, accessRestriction, oauthProxy, callback) {
    assert.strictEqual(typeof id, 'string');
    assert.strictEqual(typeof appStoreId, 'string');
    assert(manifest && typeof manifest === 'object');
    assert.strictEqual(typeof manifest.version, 'string');
    assert.strictEqual(typeof location, 'string');
    assert.strictEqual(typeof portBindings, 'object');
-    assert.strictEqual(typeof accessRestriction, 'string');
+    assert.strictEqual(typeof accessRestriction, 'object');
+    assert.strictEqual(typeof oauthProxy, 'boolean');
    assert.strictEqual(typeof callback, 'function');

    portBindings = portBindings || { };

    var manifestJson = JSON.stringify(manifest);
+    var accessRestrictionJson = JSON.stringify(accessRestriction);

    var queries = [ ];
    queries.push({
-        query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, location, accessRestriction) VALUES (?, ?, ?, ?, ?, ?)',
-        args: [ id, appStoreId, manifestJson, exports.ISTATE_PENDING_INSTALL, location, accessRestriction ]
+        query: 'INSERT INTO apps (id, appStoreId, manifestJson, installationState, location, accessRestrictionJson, oauthProxy) VALUES (?, ?, ?, ?, ?, ?, ?)',
+        args: [ id, appStoreId, manifestJson, exports.ISTATE_PENDING_INSTALL, location, accessRestrictionJson, oauthProxy ]
    });

    Object.keys(portBindings).forEach(function (env) {
@@ -303,6 +307,9 @@ function updateWithConstraints(id, app, constraints, callback) {
        } else if (p === 'oldConfig') {
            fields.push('oldConfigJson = ?');
            values.push(JSON.stringify(app[p]));
+        } else if (p === 'accessRestriction') {
+            fields.push('accessRestrictionJson = ?');
+            values.push(JSON.stringify(app[p]));
        } else if (p !== 'portBindings') {
            fields.push(p + ' = ?');
            values.push(app[p]);
@@ -5,7 +5,7 @@ var appdb = require('./appdb.js'),
    async = require('async'),
    DatabaseError = require('./databaseerror.js'),
    debug = require('debug')('box:apphealthmonitor'),
-    docker = require('./docker.js'),
+    docker = require('./docker.js').connection,
    mailer = require('./mailer.js'),
    superagent = require('superagent'),
    util = require('util');
@@ -5,6 +5,8 @@
 exports = module.exports = {
    AppsError: AppsError,

+    hasAccessTo: hasAccessTo,
+
    get: get,
    getBySubdomain: getBySubdomain,
    getAll: getAll,
@@ -37,7 +39,8 @@ exports = module.exports = {

    // exported for testing
    _validateHostname: validateHostname,
-    _validatePortBindings: validatePortBindings
+    _validatePortBindings: validatePortBindings,
+    _validateAccessRestriction: validateAccessRestriction
 };

 var addons = require('./addons.js'),
@@ -50,7 +53,7 @@ var addons = require('./addons.js'),
    constants = require('./constants.js'),
    DatabaseError = require('./databaseerror.js'),
    debug = require('debug')('box:apps'),
-    docker = require('./docker.js'),
+    docker = require('./docker.js').connection,
    fs = require('fs'),
    manifestFormat = require('cloudron-manifestformat'),
    path = require('path'),
@@ -114,6 +117,8 @@ AppsError.BAD_STATE = 'Bad State';
 AppsError.PORT_RESERVED = 'Port Reserved';
 AppsError.PORT_CONFLICT = 'Port Conflict';
 AppsError.BILLING_REQUIRED = 'Billing Required';
+AppsError.ACCESS_DENIED = 'Access denied';
+AppsError.USER_REQUIRED = 'User required';

 // Hostname validation comes from RFC 1123 (section 2.1)
 // Domain name validation comes from RFC 2181 (Name syntax)
@@ -152,6 +157,7 @@ function validatePortBindings(portBindings, tcpPorts) {
        config.get('internalPort'), /* internal app server (lo) */
        config.get('ldapPort'), /* ldap server (lo) */
        config.get('oauthProxyPort'), /* oauth proxy server (lo) */
+        config.get('simpleAuthPort'), /* simple auth server (lo) */
        3306, /* mysql (lo) */
        8000 /* graphite (lo) */
    ];
@@ -178,6 +184,18 @@ function validatePortBindings(portBindings, tcpPorts) {
    return null;
 }

+function validateAccessRestriction(accessRestriction) {
+    assert.strictEqual(typeof accessRestriction, 'object');
+
+    if (accessRestriction === null) return null;
+
+    if (!accessRestriction.users || !Array.isArray(accessRestriction.users)) return new Error('users array property required');
+    if (accessRestriction.users.length === 0) return new Error('users array cannot be empty');
+    if (!accessRestriction.users.every(function (e) { return typeof e === 'string'; })) return new Error('All users have to be strings');
+
+    return null;
+}
+
 function getDuplicateErrorDetails(location, portBindings, error) {
    assert.strictEqual(typeof location, 'string');
    assert.strictEqual(typeof portBindings, 'object');
@@ -205,6 +223,14 @@ function getIconUrlSync(app) {
    return fs.existsSync(iconPath) ? '/api/v1/apps/' + app.id + '/icon' : null;
 }

+function hasAccessTo(app, user) {
+    assert.strictEqual(typeof app, 'object');
+    assert.strictEqual(typeof user, 'object');
+
+    if (app.accessRestriction === null) return true;
+    return app.accessRestriction.users.some(function (e) { return e === user.id; });
+}
+
 function get(appId, callback) {
    assert.strictEqual(typeof appId, 'string');
    assert.strictEqual(typeof callback, 'function');
@@ -250,18 +276,6 @@ function getAll(callback) {
    });
 }

-function validateAccessRestriction(accessRestriction) {
-    // TODO: make the values below enumerations in the oauth code
-    switch (accessRestriction) {
-    case '':
-    case 'roleUser':
-    case 'roleAdmin':
-        return null;
-    default:
-        return new Error('Invalid accessRestriction');
-    }
-}
-
 function purchase(appStoreId, callback) {
    assert.strictEqual(typeof appStoreId, 'string');
    assert.strictEqual(typeof callback, 'function');
@@ -280,13 +294,14 @@ function purchase(appStoreId, callback) {
    });
 }

-function install(appId, appStoreId, manifest, location, portBindings, accessRestriction, icon, callback) {
+function install(appId, appStoreId, manifest, location, portBindings, accessRestriction, oauthProxy, icon, callback) {
    assert.strictEqual(typeof appId, 'string');
    assert.strictEqual(typeof appStoreId, 'string');
    assert(manifest && typeof manifest === 'object');
    assert.strictEqual(typeof location, 'string');
    assert.strictEqual(typeof portBindings, 'object');
-    assert.strictEqual(typeof accessRestriction, 'string');
+    assert.strictEqual(typeof accessRestriction, 'object');
+    assert.strictEqual(typeof oauthProxy, 'boolean');
    assert(!icon || typeof icon === 'string');
    assert.strictEqual(typeof callback, 'function');

@@ -305,6 +320,10 @@ function install(appId, appStoreId, manifest, location, portBindings, accessRest
    error = validateAccessRestriction(accessRestriction);
    if (error) return callback(new AppsError(AppsError.BAD_FIELD, error.message));

+    // singleUser mode requires accessRestriction to contain exactly one user
+    if (manifest.singleUser && accessRestriction === null) return callback(new AppsError(AppsError.USER_REQUIRED));
+    if (manifest.singleUser && accessRestriction.users.length !== 1) return callback(new AppsError(AppsError.USER_REQUIRED));
+
    if (icon) {
        if (!validator.isBase64(icon)) return callback(new AppsError(AppsError.BAD_FIELD, 'icon is not base64'));

@@ -318,7 +337,7 @@ function install(appId, appStoreId, manifest, location, portBindings, accessRest
    purchase(appStoreId, function (error) {
        if (error) return callback(error);

-        appdb.add(appId, appStoreId, manifest, location.toLowerCase(), portBindings, accessRestriction, function (error) {
+        appdb.add(appId, appStoreId, manifest, location.toLowerCase(), portBindings, accessRestriction, oauthProxy, function (error) {
            if (error && error.reason === DatabaseError.ALREADY_EXISTS) return callback(getDuplicateErrorDetails(location.toLowerCase(), portBindings, error));
            if (error) return callback(new AppsError(AppsError.INTERNAL_ERROR, error));

@@ -329,11 +348,12 @@ function install(appId, appStoreId, manifest, location, portBindings, accessRest
    });
 }

-function configure(appId, location, portBindings, accessRestriction, callback) {
+function configure(appId, location, portBindings, accessRestriction, oauthProxy, callback) {
    assert.strictEqual(typeof appId, 'string');
    assert.strictEqual(typeof location, 'string');
    assert.strictEqual(typeof portBindings, 'object');
-    assert.strictEqual(typeof accessRestriction, 'string');
+    assert.strictEqual(typeof accessRestriction, 'object');
+    assert.strictEqual(typeof oauthProxy, 'boolean');
    assert.strictEqual(typeof callback, 'function');

    var error = validateHostname(location, config.fqdn());
@@ -352,12 +372,14 @@ function configure(appId, location, portBindings, accessRestriction, callback) {
        var values = {
            location: location.toLowerCase(),
            accessRestriction: accessRestriction,
+            oauthProxy: oauthProxy,
            portBindings: portBindings,

            oldConfig: {
                location: app.location,
                accessRestriction: app.accessRestriction,
-                portBindings: app.portBindings
+                portBindings: app.portBindings,
+                oauthProxy: app.oauthProxy
            }
        };

@@ -411,7 +433,9 @@ function update(appId, force, manifest, portBindings, icon, callback) {
            portBindings: portBindings,
            oldConfig: {
                manifest: app.manifest,
-                portBindings: app.portBindings
+                portBindings: app.portBindings,
+                accessRestriction: app.accessRestriction,
+                oauthProxy: app.oauthProxy
            }
        };

@@ -511,6 +535,7 @@ function restore(appId, callback) {
                oldConfig: {
                    location: app.location,
                    accessRestriction: app.accessRestriction,
+                    oauthProxy: app.oauthProxy,
                    portBindings: app.portBindings,
                    manifest: app.manifest
                }
@@ -691,11 +716,11 @@ function autoupdateApps(updateInfo, callback) { // updateInfo is { appId -> { ma
 }

 function canBackupApp(app) {
-    // only backup apps that are installed or pending configure. Rest of them are in some
+    // only backup apps that are installed or pending configure or called from apptask. Rest of them are in some
    // state not good for consistent backup (i.e addons may not have been setup completely)
    return (app.installationState === appdb.ISTATE_INSTALLED && app.health === appdb.HEALTH_HEALTHY) ||
            app.installationState === appdb.ISTATE_PENDING_CONFIGURE ||
-            app.installationState === appdb.ISTATE_PENDING_BACKUP ||
+            app.installationState === appdb.ISTATE_PENDING_BACKUP ||  // called from apptask
            app.installationState === appdb.ISTATE_PENDING_UPDATE; // called from apptask
 }

@@ -758,7 +783,8 @@ function backupApp(app, addonsToBackup, callback) {
            manifest: app.manifest,
            location: app.location,
            portBindings: app.portBindings,
-            accessRestriction: app.accessRestriction
+            accessRestriction: app.accessRestriction,
+            oauthProxy: app.oauthProxy
        };
        backupFunction = createNewBackup.bind(null, app, addonsToBackup);

@@ -818,4 +844,3 @@ function restoreApp(app, addonsToRestore, callback) {
        });
    });
 }
-
@@ -47,10 +47,10 @@ var addons = require('./addons.js'),
    hat = require('hat'),
    manifestFormat = require('cloudron-manifestformat'),
    net = require('net'),
-    os = require('os'),
    path = require('path'),
    paths = require('./paths.js'),
    safe = require('safetydance'),
+    semver = require('semver'),
    shell = require('./shell.js'),
    SubdomainError = require('./subdomainerror.js'),
    subdomains = require('./subdomains.js'),
@@ -58,7 +58,6 @@ var addons = require('./addons.js'),
    sysinfo = require('./sysinfo.js'),
    util = require('util'),
    uuid = require('node-uuid'),
-    vbox = require('./vbox.js'),
    _ = require('underscore');

 var NGINX_APPCONFIG_EJS = fs.readFileSync(__dirname + '/../setup/start/nginx/appconfig.ejs', { encoding: 'utf8' }),
@@ -79,6 +78,14 @@ function debugApp(app, args) {
    debug(prefix + ' ' + util.format.apply(util, Array.prototype.slice.call(arguments, 1)));
 }

+function targetBoxVersion(manifest) {
+    if ('targetBoxVersion' in manifest) return manifest.targetBoxVersion;
+
+    if ('minBoxVersion' in manifest) return manifest.minBoxVersion;
+
+    return '0.0.1';
+}
+
 // We expect conflicts to not happen despite closing the port (parallel app installs, app update does not reconfigure nginx etc)
 // https://tools.ietf.org/html/rfc6056#section-3.5 says linux uses random ephemeral port allocation
 function getFreePort(callback) {
@@ -100,7 +107,7 @@ function configureNginx(app, callback) {
        if (error) return callback(error);

        var sourceDir = path.resolve(__dirname, '..');
-        var endpoint = app.accessRestriction ? 'oauthproxy' : 'app';
+        var endpoint = app.oauthProxy ? 'oauthproxy' : 'app';
        var nginxConf = ejs.render(NGINX_APPCONFIG_EJS, { sourceDir: sourceDir, adminOrigin: config.adminOrigin(), vhost: config.appFqdn(app.location), port: freePort, endpoint: endpoint });

        var nginxConfigFilename = path.join(paths.NGINX_APPCONFIG_DIR, app.id + '.conf');
@@ -115,8 +122,6 @@ function configureNginx(app, callback) {
            exports._reloadNginx,
            updateApp.bind(null, app, { httpPort: freePort })
        ], callback);
-
-        vbox.forwardFromHostToVirtualBox(app.id + '-http', freePort);
    });
 }

@@ -128,146 +133,27 @@ function unconfigureNginx(app, callback) {
    }

    exports._reloadNginx(callback);
-
-    vbox.unforwardFromHostToVirtualBox(app.id + '-http');
-}
-
-function pullImage(app, callback) {
-    docker.pull(app.manifest.dockerImage, function (err, stream) {
-        if (err) return callback(new Error('Error connecting to docker. statusCode: %s' + err.statusCode));
-
-        // https://github.com/dotcloud/docker/issues/1074 says each status message
-        // is emitted as a chunk
-        stream.on('data', function (chunk) {
-            var data = safe.JSON.parse(chunk) || { };
-            debugApp(app, 'downloadImage data: %j', data);
-
-            // The information here is useless because this is per layer as opposed to per image
-            if (data.status) {
-                debugApp(app, 'progress: %s', data.status); // progressDetail { current, total }
-            } else if (data.error) {
-                debugApp(app, 'error detail: %s', data.errorDetail.message);
-            }
-        });
-
-        stream.on('end', function () {
-            debugApp(app, 'download image successfully');
-
-            var image = docker.getImage(app.manifest.dockerImage);
-
-            image.inspect(function (err, data) {
-                if (err) return callback(new Error('Error inspecting image:' + err.message));
-                if (!data || !data.Config) return callback(new Error('Missing Config in image:' + JSON.stringify(data, null, 4)));
-                if (!data.Config.Entrypoint && !data.Config.Cmd) return callback(new Error('Only images with entry point are allowed'));
-
-                debugApp(app, 'This image exposes ports: %j', data.Config.ExposedPorts);
-
-                callback(null);
-            });
-        });
-    });
-}
-
-function downloadImage(app, callback) {
-    debugApp(app, 'downloadImage %s', app.manifest.dockerImage);
-
-    var attempt = 1;
-
-    async.retry({ times: 5, interval: 15000 }, function (retryCallback) {
-        debugApp(app, 'Downloading image. attempt: %s', attempt++);
-
-        pullImage(app, retryCallback);
-    }, callback);
 }

 function createContainer(app, callback) {
-    appdb.getPortBindings(app.id, function (error, portBindings) {
-        if (error) return callback(error);
+    assert(!app.containerId); // otherwise, it will trigger volumeFrom

-        var manifest = app.manifest;
-        var exposedPorts = {};
-        var env = [];
+    debugApp(app, 'creating container');

-        // docker portBindings requires ports to be exposed
-        exposedPorts[manifest.httpPort + '/tcp'] = {};
+    docker.createContainer(app, function (error, container) {
+        if (error) return callback(new Error('Error creating container: ' + error));

-        for (var e in portBindings) {
-            var hostPort = portBindings[e];
-            var containerPort = manifest.tcpPorts[e].containerPort || hostPort;
-            exposedPorts[containerPort + '/tcp'] = {};
-
-            env.push(e + '=' + hostPort);
-        }
-
-        env.push('CLOUDRON=1');
-        env.push('WEBADMIN_ORIGIN' + '=' + config.adminOrigin());
-        env.push('API_ORIGIN' + '=' + config.adminOrigin());
-
-        addons.getEnvironment(app, function (error, addonEnv) {
-            if (error) return callback(new Error('Error getting addon env: ' + error));
-
-            var containerOptions = {
-                name: app.id,
-                Hostname: config.appFqdn(app.location),
-                Tty: true,
-                Image: app.manifest.dockerImage,
-                Cmd: null,
-                Env: env.concat(addonEnv),
-                ExposedPorts: exposedPorts
-            };
-
-            debugApp(app, 'Creating container for %s', app.manifest.dockerImage);
-
-            docker.createContainer(containerOptions, function (error, container) {
-                if (error) return callback(new Error('Error creating container: ' + error));
-
-                updateApp(app, { containerId: container.id }, callback);
-            });
-        });
+        updateApp(app, { containerId: container.id }, callback);
    });
 }

-function deleteContainer(app, callback) {
-    if (app.containerId === null) return callback(null);
+function deleteContainers(app, callback) {
+    debugApp(app, 'deleting containers');

-    var container = docker.getContainer(app.containerId);
+    docker.deleteContainers(app.id, function (error) {
+        if (error) return callback(new Error('Error deleting container: ' + error));

-    var removeOptions = {
-        force: true, // kill container if it's running
-        v: false // removes volumes associated with the container
-    };
-
-    container.remove(removeOptions, function (error) {
-        if (error && error.statusCode === 404) return updateApp(app, { containerId: null }, callback);
-
-        if (error) debugApp(app, 'Error removing container', error);
-        callback(error);
-    });
-}
-
-function deleteImage(app, manifest, callback) {
-    var dockerImage = manifest ? manifest.dockerImage : null;
-    if (!dockerImage) return callback(null);
-
-    docker.getImage(dockerImage).inspect(function (error, result) {
-        if (error && error.statusCode === 404) return callback(null);
-
-        if (error) return callback(error);
-
-        var removeOptions = {
-            force: true,
-            noprune: false
-        };
-
-         // delete image by id because 'docker pull' pulls down all the tags and this is the only way to delete all tags
-        docker.getImage(result.Id).remove(removeOptions, function (error) {
-            if (error && error.statusCode === 404) return callback(null);
-            if (error && error.statusCode === 409) return callback(null); // another container using the image
-
-            if (error) debugApp(app, 'Error removing image', error);
-
-            callback(error);
-        });
+        updateApp(app, { containerId: null }, callback);
    });
 }

@@ -283,22 +169,21 @@ function allocateOAuthProxyCredentials(app, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof callback, 'function');

-    if (!app.accessRestriction) return callback(null);
+    if (!app.oauthProxy) return callback(null);

-    var appId = 'proxy-' + app.id;
-    var id = 'cid-proxy-' + uuid.v4();
+    var id = 'cid-' + uuid.v4();
    var clientSecret = hat(256);
    var redirectURI = 'https://' + config.appFqdn(app.location);
-    var scope = 'profile,' + app.accessRestriction;
+    var scope = 'profile';

-    clientdb.add(id, appId, clientSecret, redirectURI, scope, callback);
+    clientdb.add(id, app.id, clientdb.TYPE_PROXY, clientSecret, redirectURI, scope, callback);
 }

 function removeOAuthProxyCredentials(app, callback) {
    assert.strictEqual(typeof app, 'object');
    assert.strictEqual(typeof callback, 'function');

-    clientdb.delByAppId('proxy-' + app.id, function (error) {
+    clientdb.delByAppIdAndType(app.id, clientdb.TYPE_PROXY, function (error) {
        if (error && error.reason !== DatabaseError.NOT_FOUND) {
            debugApp(app, 'Error removing OAuth client id', error);
            return callback(error);
@@ -323,86 +208,6 @@ function removeCollectdProfile(app, callback) {
    });
 }

-function startContainer(app, callback) {
-    appdb.getPortBindings(app.id, function (error, portBindings) {
-        if (error) return callback(error);
-
-        var manifest = app.manifest;
-
-        var dockerPortBindings = { };
-        var isMac = os.platform() === 'darwin';
-
-        // On Mac (boot2docker), we have to export the port to external world for port forwarding from Mac to work
-        dockerPortBindings[manifest.httpPort + '/tcp'] = [ { HostIp: isMac ? '0.0.0.0' : '127.0.0.1', HostPort: app.httpPort + '' } ];
-
-        for (var env in portBindings) {
-            var hostPort = portBindings[env];
-            var containerPort = manifest.tcpPorts[env].containerPort || hostPort;
-            dockerPortBindings[containerPort + '/tcp'] = [ { HostIp: '0.0.0.0', HostPort: hostPort + '' } ];
-            vbox.forwardFromHostToVirtualBox(app.id + '-tcp' + containerPort, hostPort);
-        }
-
-        var memoryLimit = manifest.memoryLimit || 1024 * 1024 * 200; // 200mb by default
-
-        var startOptions = {
-            Binds: addons.getBindsSync(app, app.manifest.addons),
-            Memory: memoryLimit / 2,
-            MemorySwap: memoryLimit, // Memory + Swap
-            PortBindings: dockerPortBindings,
-            PublishAllPorts: false,
-            Links: addons.getLinksSync(app, app.manifest.addons),
-            RestartPolicy: {
-                "Name": "always",
-                "MaximumRetryCount": 0
-            },
-            CpuShares: 512, // relative to 1024 for system processes
-            SecurityOpt: config.CLOUDRON ? [ "apparmor:docker-cloudron-app" ] : null // profile available only on cloudron
-        };
-
-        var container = docker.getContainer(app.containerId);
-        debugApp(app, 'Starting container %s with options: %j', container.id, JSON.stringify(startOptions));
-
-        container.start(startOptions, function (error, data) {
-            if (error && error.statusCode !== 304) return callback(new Error('Error starting container:' + error));
-
-            return callback(null);
-        });
-    });
-}
-
-function stopContainer(app, callback) {
-    if (!app.containerId) {
-        debugApp(app, 'No previous container to stop');
-        return callback();
-    }
-
-    var container = docker.getContainer(app.containerId);
-    debugApp(app, 'Stopping container %s', container.id);
-
-    var options = {
-        t: 10 // wait for 10 seconds before killing it
-    };
-
-    container.stop(options, function (error) {
-        if (error && (error.statusCode !== 304 && error.statusCode !== 404)) return callback(new Error('Error stopping container:' + error));
-
-        var tcpPorts = safe.query(app, 'manifest.tcpPorts', { });
-        for (var containerPort in tcpPorts) {
-            vbox.unforwardFromHostToVirtualBox(app.id + '-tcp' + containerPort);
-        }
-
-        debugApp(app, 'Waiting for container ' + container.id);
-
-        container.wait(function (error, data) {
-            if (error && (error.statusCode !== 304 && error.statusCode !== 404)) return callback(new Error('Error waiting on container:' + error));
-
-            debugApp(app, 'Container stopped with status code [%s]', data ? String(data.StatusCode) : '');
-
-            return callback(null);
-        });
-    });
-}
-
 function verifyManifest(app, callback) {
    debugApp(app, 'Verifying manifest');

@@ -509,7 +314,7 @@ function waitForDnsPropagation(app, callback) {

 // updates the app object and the database
 function updateApp(app, values, callback) {
-    debugApp(app, 'installationState: %s progress: %s', app.installationState, app.installationProgress);
+    debugApp(app, 'updating app with values: %j', values);

    appdb.update(app.id, values, function (error) {
        if (error) return callback(error);
@@ -540,7 +345,7 @@ function install(app, callback) {
        updateApp.bind(null, app, { installationProgress: '10, Cleaning up old install' }),
        removeCollectdProfile.bind(null, app),
        stopApp.bind(null, app),
-        deleteContainer.bind(null, app),
+        deleteContainers.bind(null, app),
        addons.teardownAddons.bind(null, app, app.manifest.addons),
        deleteVolume.bind(null, app),
        unregisterSubdomain.bind(null, app, app.location),
@@ -561,7 +366,7 @@ function install(app, callback) {
        registerSubdomain.bind(null, app),

        updateApp.bind(null, app, { installationProgress: '40, Downloading image' }),
-        downloadImage.bind(null, app),
+        docker.downloadImage.bind(null, app.manifest),

        updateApp.bind(null, app, { installationProgress: '50, Creating volume' }),
        createVolume.bind(null, app),
@@ -626,14 +431,14 @@ function restore(app, callback) {
        updateApp.bind(null, app, { installationProgress: '10, Cleaning up old install' }),
        removeCollectdProfile.bind(null, app),
        stopApp.bind(null, app),
-        deleteContainer.bind(null, app),
+        deleteContainers.bind(null, app),
         // oldConfig can be null during upgrades
        addons.teardownAddons.bind(null, app, app.oldConfig ? app.oldConfig.manifest.addons : null),
        deleteVolume.bind(null, app),
        function deleteImageIfChanged(done) {
             if (!app.oldConfig || (app.oldConfig.manifest.dockerImage === app.manifest.dockerImage)) return done();

-             deleteImage(app, app.oldConfig.manifest, done);
+             docker.deleteImage(app.oldConfig.manifest, done);
        },
        removeOAuthProxyCredentials.bind(null, app),
        removeIcon.bind(null, app),
@@ -652,7 +457,7 @@ function restore(app, callback) {
        registerSubdomain.bind(null, app),

        updateApp.bind(null, app, { installationProgress: '60, Downloading image' }),
-        downloadImage.bind(null, app),
+        docker.downloadImage.bind(null, app.manifest),

        updateApp.bind(null, app, { installationProgress: '65, Creating volume' }),
        createVolume.bind(null, app),
@@ -692,10 +497,10 @@ function configure(app, callback) {
        updateApp.bind(null, app, { installationProgress: '10, Cleaning up old install' }),
        removeCollectdProfile.bind(null, app),
        stopApp.bind(null, app),
-        deleteContainer.bind(null, app),
+        deleteContainers.bind(null, app),
        function (next) {
-            // oldConfig can be null during an infra update. location can be null when infra updated for an updated app
-            if (!app.oldConfig || !app.oldConfig.location || app.oldConfig.location === app.location) return next();
+            // oldConfig can be null during an infra update
+            if (!app.oldConfig || app.oldConfig.location === app.location) return next();
            unregisterSubdomain(app, app.oldConfig.location, next);
        },
        removeOAuthProxyCredentials.bind(null, app),
@@ -755,12 +560,12 @@ function update(app, callback) {
        updateApp.bind(null, app, { installationProgress: '10, Cleaning up old install' }),
        removeCollectdProfile.bind(null, app),
        stopApp.bind(null, app),
-        deleteContainer.bind(null, app),
+        deleteContainers.bind(null, app),
        addons.teardownAddons.bind(null, app, unusedAddons),
        function deleteImageIfChanged(done) {
             if (app.oldConfig.manifest.dockerImage === app.manifest.dockerImage) return done();

-             deleteImage(app, app.oldConfig.manifest, done);
+             docker.deleteImage(app.oldConfig.manifest, done);
        },
        // removeIcon.bind(null, app), // do not remove icon, otherwise the UI breaks for a short time...

@@ -777,7 +582,7 @@ function update(app, callback) {
        downloadIcon.bind(null, app),

        updateApp.bind(null, app, { installationProgress: '45, Downloading image' }),
-        downloadImage.bind(null, app),
+        docker.downloadImage.bind(null, app.manifest),

        updateApp.bind(null, app, { installationProgress: '70, Updating addons' }),
        addons.setupAddons.bind(null, app, app.manifest.addons),
@@ -815,7 +620,7 @@ function uninstall(app, callback) {
        stopApp.bind(null, app),

        updateApp.bind(null, app, { installationProgress: '20, Deleting container' }),
-        deleteContainer.bind(null, app),
+        deleteContainers.bind(null, app),

        updateApp.bind(null, app, { installationProgress: '30, Teardown addons' }),
        addons.teardownAddons.bind(null, app, app.manifest.addons),
@@ -824,7 +629,7 @@ function uninstall(app, callback) {
        deleteVolume.bind(null, app),

        updateApp.bind(null, app, { installationProgress: '50, Deleting image' }),
-        deleteImage.bind(null, app, app.manifest),
+        docker.deleteImage.bind(null, app.manifest),

        updateApp.bind(null, app, { installationProgress: '60, Unregistering subdomain' }),
        unregisterSubdomain.bind(null, app, app.location),
@@ -844,18 +649,15 @@ function uninstall(app, callback) {
 }

 function runApp(app, callback) {
-    startContainer(app, function (error) {
-        if (error) {
-            debugApp(app, 'Error starting container : %s', error);
-            return updateApp(app, { runState: appdb.RSTATE_ERROR }, callback);
-        }
+    docker.startContainer(app.containerId, function (error) {
+        if (error) return callback(error);

        updateApp(app, { runState: appdb.RSTATE_RUNNING }, callback);
    });
 }

 function stopApp(app, callback) {
-    stopContainer(app, function (error) {
+    docker.stopContainers(app.id, function (error) {
        if (error) return callback(error);

        updateApp(app, { runState: appdb.RSTATE_STOPPED }, callback);
@@ -65,6 +65,7 @@ function delSubdomain(zoneName, subdomain, type, value, callback) {
        .end(function (error, result) {
            if (error) return callback(error);
            if (result.status === 420) return callback(new SubdomainError(SubdomainError.STILL_BUSY));
+            if (result.status === 404) return callback(new SubdomainError(SubdomainError.NOT_FOUND));
            if (result.status !== 204) return callback(new SubdomainError(SubdomainError.EXTERNAL_ERROR, util.format('%s %j', result.status, result.body)));

            return callback(null);
@@ -8,19 +8,27 @@ exports = module.exports = {
    getAllWithTokenCountByIdentifier: getAllWithTokenCountByIdentifier,
    add: add,
    del: del,
-    update: update,
    getByAppId: getByAppId,
-    delByAppId: delByAppId,
+    getByAppIdAndType: getByAppIdAndType,

-    _clear: clear
+    delByAppId: delByAppId,
+    delByAppIdAndType: delByAppIdAndType,
+
+    _clear: clear,
+
+    TYPE_EXTERNAL: 'external',
+    TYPE_OAUTH: 'addon-oauth',
+    TYPE_SIMPLE_AUTH: 'addon-simpleauth',
+    TYPE_PROXY: 'addon-proxy',
+    TYPE_ADMIN: 'admin'
 };

 var assert = require('assert'),
    database = require('./database.js'),
    DatabaseError = require('./databaseerror.js');

-var CLIENTS_FIELDS = [ 'id', 'appId', 'clientSecret', 'redirectURI', 'scope' ].join(',');
-var CLIENTS_FIELDS_PREFIXED = [ 'clients.id', 'clients.appId', 'clients.clientSecret', 'clients.redirectURI', 'clients.scope' ].join(',');
+var CLIENTS_FIELDS = [ 'id', 'appId', 'type', 'clientSecret', 'redirectURI', 'scope' ].join(',');
+var CLIENTS_FIELDS_PREFIXED = [ 'clients.id', 'clients.appId', 'clients.type', 'clients.clientSecret', 'clients.redirectURI', 'clients.scope' ].join(',');

 function get(id, callback) {
    assert.strictEqual(typeof id, 'string');
@@ -67,37 +75,33 @@ function getByAppId(appId, callback) {
    });
 }

-function add(id, appId, clientSecret, redirectURI, scope, callback) {
-    assert.strictEqual(typeof id, 'string');
+function getByAppIdAndType(appId, type, callback) {
    assert.strictEqual(typeof appId, 'string');
-    assert.strictEqual(typeof clientSecret, 'string');
-    assert.strictEqual(typeof redirectURI, 'string');
-    assert.strictEqual(typeof scope, 'string');
+    assert.strictEqual(typeof type, 'string');
    assert.strictEqual(typeof callback, 'function');

-    var data = [ id, appId, clientSecret, redirectURI, scope ];
+    database.query('SELECT ' + CLIENTS_FIELDS + ' FROM clients WHERE appId = ? AND type = ? LIMIT 1', [ appId, type ], function (error, result) {
+        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
+        if (result.length === 0) return callback(new DatabaseError(DatabaseError.NOT_FOUND));

-    database.query('INSERT INTO clients (id, appId, clientSecret, redirectURI, scope) VALUES (?, ?, ?, ?, ?)', data, function (error, result) {
-        if (error && error.code === 'ER_DUP_ENTRY') return callback(new DatabaseError(DatabaseError.ALREADY_EXISTS));
-        if (error || result.affectedRows === 0) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
-
-        callback(null);
+        return callback(null, result[0]);
    });
 }

-function update(id, appId, clientSecret, redirectURI, scope, callback) {
+function add(id, appId, type, clientSecret, redirectURI, scope, callback) {
    assert.strictEqual(typeof id, 'string');
    assert.strictEqual(typeof appId, 'string');
+    assert.strictEqual(typeof type, 'string');
    assert.strictEqual(typeof clientSecret, 'string');
    assert.strictEqual(typeof redirectURI, 'string');
    assert.strictEqual(typeof scope, 'string');
    assert.strictEqual(typeof callback, 'function');

-    var data = [ appId, clientSecret, redirectURI, scope, id ];
+    var data = [ id, appId, type, clientSecret, redirectURI, scope ];

-    database.query('UPDATE clients SET appId = ?, clientSecret = ?, redirectURI = ?, scope = ? WHERE id = ?', data, function (error, result) {
-        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
-        if (result.affectedRows !== 1) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
+    database.query('INSERT INTO clients (id, appId, type, clientSecret, redirectURI, scope) VALUES (?, ?, ?, ?, ?, ?)', data, function (error, result) {
+        if (error && error.code === 'ER_DUP_ENTRY') return callback(new DatabaseError(DatabaseError.ALREADY_EXISTS));
+        if (error || result.affectedRows === 0) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));

        callback(null);
    });
@@ -127,6 +131,19 @@ function delByAppId(appId, callback) {
    });
 }

+function delByAppIdAndType(appId, type, callback) {
+    assert.strictEqual(typeof appId, 'string');
+    assert.strictEqual(typeof type, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    database.query('DELETE FROM clients WHERE appId=? AND type=?', [ appId, type ], function (error, result) {
+        if (error) return callback(new DatabaseError(DatabaseError.INTERNAL_ERROR, error));
+        if (result.affectedRows !== 1) return callback(new DatabaseError(DatabaseError.NOT_FOUND));
+
+        return callback(null);
+    });
+}
+
 function clear(callback) {
    assert.strictEqual(typeof callback, 'function');

@@ -5,7 +5,6 @@ exports = module.exports = {

    add: add,
    get: get,
-    update: update,
    del: del,
    getAllWithDetailsByUserId: getAllWithDetailsByUserId,
    getClientTokensByUserId: getClientTokensByUserId,
@@ -43,6 +42,7 @@ function ClientsError(reason, errorOrMessage) {
 }
 util.inherits(ClientsError, Error);
 ClientsError.INVALID_SCOPE = 'Invalid scope';
+ClientsError.INVALID_CLIENT = 'Invalid client';

 function validateScope(scope) {
    assert.strictEqual(typeof scope, 'string');
@@ -55,8 +55,9 @@ function validateScope(scope) {
    return null;
 }

-function add(appIdentifier, redirectURI, scope, callback) {
-    assert.strictEqual(typeof appIdentifier, 'string');
+function add(appId, type, redirectURI, scope, callback) {
+    assert.strictEqual(typeof appId, 'string');
+    assert.strictEqual(typeof type, 'string');
    assert.strictEqual(typeof redirectURI, 'string');
    assert.strictEqual(typeof scope, 'string');
    assert.strictEqual(typeof callback, 'function');
@@ -67,12 +68,13 @@ function add(appIdentifier, redirectURI, scope, callback) {
    var id = 'cid-' + uuid.v4();
    var clientSecret = hat(256);

-    clientdb.add(id, appIdentifier, clientSecret, redirectURI, scope, function (error) {
+    clientdb.add(id, appId, type, clientSecret, redirectURI, scope, function (error) {
        if (error) return callback(error);

        var client = {
            id: id,
-            appId: appIdentifier,
+            appId: appId,
+            type: type,
            clientSecret: clientSecret,
            redirectURI: redirectURI,
            scope: scope
@@ -92,23 +94,6 @@ function get(id, callback) {
    });
 }

-// we only allow appIdentifier and redirectURI to be updated
-function update(id, appIdentifier, redirectURI, callback) {
-    assert.strictEqual(typeof id, 'string');
-    assert.strictEqual(typeof appIdentifier, 'string');
-    assert.strictEqual(typeof redirectURI, 'string');
-    assert.strictEqual(typeof callback, 'function');
-
-    clientdb.get(id, function (error, result) {
-        if (error) return callback(error);
-
-        clientdb.update(id, appIdentifier, result.clientSecret, redirectURI, result.scope, function (error, result) {
-            if (error) return callback(error);
-            callback(null, result);
-        });
-    });
-}
-
 function del(id, callback) {
    assert.strictEqual(typeof id, 'string');
    assert.strictEqual(typeof callback, 'function');
@@ -127,54 +112,29 @@ function getAllWithDetailsByUserId(userId, callback) {
        if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, []);
        if (error) return callback(error);

-        // We have several types of records here
-        //   1) webadmin has an app id of 'webadmin'
-        //   2) oauth proxy records are always the app id prefixed with 'proxy-'
-        //   3) addon oauth records for apps prefixed with 'addon-'
-        //   4) external app records prefixed with 'external-'
-        //   5) normal apps on the cloudron without a prefix
-
        var tmp = [];
        async.each(results, function (record, callback) {
-            if (record.appId === constants.ADMIN_CLIENT_ID) {
+            if (record.type === clientdb.TYPE_ADMIN) {
                record.name = constants.ADMIN_NAME;
                record.location = constants.ADMIN_LOCATION;
-                record.type = 'webadmin';
-
-                tmp.push(record);
-
-                return callback(null);
-            } else if (record.appId === constants.TEST_CLIENT_ID) {
-                record.name = constants.TEST_NAME;
-                record.location = constants.TEST_LOCATION;
-                record.type = 'test';

                tmp.push(record);

                return callback(null);
            }

-            var appId = record.appId;
-            var type = 'app';
-
-            // Handle our different types of oauth clients
-            if (record.appId.indexOf('addon-') === 0) {
-                appId = record.appId.slice('addon-'.length);
-                type = 'addon';
-            } else if (record.appId.indexOf('proxy-') === 0) {
-                appId = record.appId.slice('proxy-'.length);
-                type = 'proxy';
-            }
-
-            appdb.get(appId, function (error, result) {
+            appdb.get(record.appId, function (error, result) {
                if (error) {
                    console.error('Failed to get app details for oauth client', result, error);
                    return callback(null);  // ignore error so we continue listing clients
                }

-                record.name = result.manifest.title + (record.appId.indexOf('proxy-') === 0 ? 'OAuth Proxy' : '');
+                if (record.type === clientdb.TYPE_PROXY) record.name = result.manifest.title + ' Website Proxy';
+                if (record.type === clientdb.TYPE_OAUTH) record.name = result.manifest.title + ' OAuth';
+                if (record.type === clientdb.TYPE_SIMPLE_AUTH) record.name = result.manifest.title + ' Simple Auth';
+                if (record.type === clientdb.TYPE_EXTERNAL) record.name = result.manifest.title + ' external';
+
                record.location = result.location;
-                record.type = type;

                tmp.push(record);

@@ -38,7 +38,6 @@ var apps = require('./apps.js'),
    progress = require('./progress.js'),
    safe = require('safetydance'),
    settings = require('./settings.js'),
-    SettingsError = settings.SettingsError,
    shell = require('./shell.js'),
    subdomains = require('./subdomains.js'),
    superagent = require('superagent'),
@@ -149,43 +148,35 @@ function setTimeZone(ip, callback) {
    });
 }

-function activate(username, password, email, name, ip, callback) {
+function activate(username, password, email, ip, callback) {
    assert.strictEqual(typeof username, 'string');
    assert.strictEqual(typeof password, 'string');
    assert.strictEqual(typeof email, 'string');
    assert.strictEqual(typeof ip, 'string');
-    assert(!name || typeof name, 'string');
    assert.strictEqual(typeof callback, 'function');

    debug('activating user:%s email:%s', username, email);

    setTimeZone(ip, function () { }); // TODO: get this from user. note that timezone is detected based on the browser location and not the cloudron region

-    if (!name) name = settings.getDefaultSync(settings.CLOUDRON_NAME_KEY);
-
-    settings.setCloudronName(name, function (error) {
-        if (error && error.reason === SettingsError.BAD_FIELD) return callback(new CloudronError(CloudronError.BAD_NAME));
+    user.createOwner(username, password, email, function (error, userObject) {
+        if (error && error.reason === UserError.ALREADY_EXISTS) return callback(new CloudronError(CloudronError.ALREADY_PROVISIONED));
+        if (error && error.reason === UserError.BAD_USERNAME) return callback(new CloudronError(CloudronError.BAD_USERNAME));
+        if (error && error.reason === UserError.BAD_PASSWORD) return callback(new CloudronError(CloudronError.BAD_PASSWORD));
+        if (error && error.reason === UserError.BAD_EMAIL) return callback(new CloudronError(CloudronError.BAD_EMAIL));
        if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));

-        user.createOwner(username, password, email, function (error, userObject) {
-            if (error && error.reason === UserError.ALREADY_EXISTS) return callback(new CloudronError(CloudronError.ALREADY_PROVISIONED));
-            if (error && error.reason === UserError.BAD_USERNAME) return callback(new CloudronError(CloudronError.BAD_USERNAME));
-            if (error && error.reason === UserError.BAD_PASSWORD) return callback(new CloudronError(CloudronError.BAD_PASSWORD));
-            if (error && error.reason === UserError.BAD_EMAIL) return callback(new CloudronError(CloudronError.BAD_EMAIL));
+        clientdb.getByAppIdAndType('webadmin', clientdb.TYPE_ADMIN, function (error, result) {
            if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));

-            clientdb.getByAppId('webadmin', function (error, result) {
+            // Also generate a token so the admin creation can also act as a login
+            var token = tokendb.generateToken();
+            var expires = Date.now() + 24 * 60 * 60 * 1000; // 1 day
+
+            tokendb.add(token, tokendb.PREFIX_USER + userObject.id, result.id, expires, '*', function (error) {
                if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));

-                // Also generate a token so the admin creation can also act as a login
-                var token = tokendb.generateToken();
-                var expires = Date.now() + 24 * 60 * 60 * 1000; // 1 day
-
-                tokendb.add(token, tokendb.PREFIX_USER + userObject.id, result.id, expires, '*', function (error) {
-                    if (error) return callback(new CloudronError(CloudronError.INTERNAL_ERROR, error));
-
-                    callback(null, { token: token, expires: expires });
-                });
+                callback(null, { token: token, expires: expires });
            });
        });
    });
@@ -334,7 +325,7 @@ function addDnsRecords() {
                });
            }, function (error) {
                if (error) {
-                    console.error(error);
+                    debug(error.message);
                    gAddDnsRecordsTimerId = setTimeout(checkIfInSync, 5000);
                    return;
                }
@@ -75,6 +75,7 @@ function initConfig() {
    data.internalPort = 3001;
    data.ldapPort = 3002;
    data.oauthProxyPort = 3003;
+    data.simpleAuthPort = 3004;
    data.backupKey = 'backupKey';
    data.aws = {
        backupBucket: null,
@@ -7,10 +7,6 @@ exports = module.exports = {
    ADMIN_NAME: 'Settings',

    ADMIN_CLIENT_ID: 'webadmin', // oauth client id
-    ADMIN_APPID: 'admin', // admin appid (settingsdb)
-
-    TEST_NAME: 'Test',
-    TEST_LOCATION: '',
-    TEST_CLIENT_ID: 'test'
+    ADMIN_APPID: 'admin' // admin appid (settingsdb)
 };

@@ -8,8 +8,11 @@ exports = module.exports = {
 var apps = require('./apps.js'),
    assert = require('assert'),
    cloudron = require('./cloudron.js'),
+    config = require('./config.js'),
    CronJob = require('cron').CronJob,
    debug = require('debug')('box:cron'),
+    janitor = require('./janitor.js'),
+    scheduler = require('./scheduler.js'),
    settings = require('./settings.js'),
    updateChecker = require('./updatechecker.js');

@@ -17,7 +20,10 @@ var gAutoupdaterJob = null,
    gBoxUpdateCheckerJob = null,
    gAppUpdateCheckerJob = null,
    gHeartbeatJob = null,
-    gBackupJob = null;
+    gBackupJob = null,
+    gCleanupTokensJob = null,
+    gDockerVolumeCleanerJob = null,
+    gSchedulerSyncJob = null;

 var gInitialized = false;

@@ -82,6 +88,30 @@ function recreateJobs(unusedTimeZone, callback) {
            timeZone: allSettings[settings.TIME_ZONE_KEY]
        });

+        if (gCleanupTokensJob) gCleanupTokensJob.stop();
+        gCleanupTokensJob = new CronJob({
+            cronTime: '00 */30 * * * *', // every 30 minutes
+            onTick: janitor.cleanupTokens,
+            start: true,
+            timeZone: allSettings[settings.TIME_ZONE_KEY]
+        });
+
+        if (gDockerVolumeCleanerJob) gDockerVolumeCleanerJob.stop();
+        gDockerVolumeCleanerJob = new CronJob({
+            cronTime: '00 00 */12 * * *', // every 12 hours
+            onTick: janitor.cleanupDockerVolumes,
+            start: true,
+            timeZone: allSettings[settings.TIME_ZONE_KEY]
+        });
+
+        if (gSchedulerSyncJob) gSchedulerSyncJob.stop();
+        gSchedulerSyncJob = new CronJob({
+            cronTime: config.TEST ? '*/10 * * * * *' : '00 */1 * * * *', // every minute
+            onTick: scheduler.sync,
+            start: true,
+            timeZone: allSettings[settings.TIME_ZONE_KEY]
+        });
+
        autoupdatePatternChanged(allSettings[settings.AUTOUPDATE_PATTERN_KEY]);

        if (callback) callback();
@@ -136,8 +166,16 @@ function uninitialize(callback) {
    gBackupJob.stop();
    gBackupJob = null;

+    gCleanupTokensJob.stop();
+    gCleanupTokensJob = null;
+
+    gDockerVolumeCleanerJob.stop();
+    gDockerVolumeCleanerJob = null;
+
+    gSchedulerSyncJob.stop();
+    gSchedulerSyncJob = null;
+
    gInitialized = false;

    callback();
 }
-
@@ -65,7 +65,7 @@ function issueDeveloperToken(user, callback) {
    var token = tokendb.generateToken();
    var expiresAt = Date.now() + 24 * 60 * 60 * 1000; // 1 day

-    tokendb.add(token, tokendb.PREFIX_DEV + user.id, '', expiresAt, 'apps,settings,roleDeveloper', function (error) {
+    tokendb.add(token, tokendb.PREFIX_DEV + user.id, '', expiresAt, 'developer,apps,settings,users', function (error) {
        if (error) return callback(new DeveloperError(DeveloperError.INTERNAL_ERROR, error));

        callback(null, { token: token, expiresAt: expiresAt });
@@ -1,42 +1,340 @@
 'use strict';

-var Docker = require('dockerode'),
-    fs = require('fs'),
-    os = require('os'),
-    path = require('path'),
-    url = require('url');
+var addons = require('./addons.js'),
+    async = require('async'),
+    assert = require('assert'),
+    config = require('./config.js'),
+    debug = require('debug')('box:src/docker.js'),
+    Docker = require('dockerode'),
+    safe = require('safetydance'),
+    semver = require('semver'),
+    util = require('util');

-exports = module.exports = (function () {
+exports = module.exports = {
+    connection: connectionInstance(),
+    downloadImage: downloadImage,
+    createContainer: createContainer,
+    startContainer: startContainer,
+    stopContainer: stopContainer,
+    stopContainers: stopContainers,
+    deleteContainer: deleteContainer,
+    deleteImage: deleteImage,
+    deleteContainers: deleteContainers,
+    createSubcontainer: createSubcontainer
+};
+
+function connectionInstance() {
    var docker;
-    var options = connectOptions(); // the real docker

    if (process.env.BOX_ENV === 'test') {
        // test code runs a docker proxy on this port
        docker = new Docker({ host: 'http://localhost', port: 5687 });
+
+        // proxy code uses this to route to the real docker
+        docker.options = { socketPath: '/var/run/docker.sock' };
    } else {
-        docker = new Docker(options);
+        docker = new Docker({ socketPath: '/var/run/docker.sock' });
    }

-    // proxy code uses this to route to the real docker
-    docker.options = options;
-
    return docker;
-})();
-
-function connectOptions() {
-    if (os.platform() === 'linux') return { socketPath: '/var/run/docker.sock' };
-
-    // boot2docker configuration
-    var DOCKER_CERT_PATH = process.env.DOCKER_CERT_PATH || path.join(process.env.HOME, '.boot2docker/certs/boot2docker-vm');
-    var DOCKER_HOST = process.env.DOCKER_HOST || 'tcp://192.168.59.103:2376';
-
-    return {
-        protocol: 'https',
-        host: url.parse(DOCKER_HOST).hostname,
-        port: url.parse(DOCKER_HOST).port,
-        ca: fs.readFileSync(path.join(DOCKER_CERT_PATH, 'ca.pem')),
-        cert: fs.readFileSync(path.join(DOCKER_CERT_PATH, 'cert.pem')),
-        key: fs.readFileSync(path.join(DOCKER_CERT_PATH, 'key.pem'))
-    };
 }

+function debugApp(app, args) {
+    assert(!app || typeof app === 'object');
+
+    var prefix = app ? (app.location || '(bare)') : '(no app)';
+    debug(prefix + ' ' + util.format.apply(util, Array.prototype.slice.call(arguments, 1)));
+}
+
+function targetBoxVersion(manifest) {
+    if ('targetBoxVersion' in manifest) return manifest.targetBoxVersion;
+
+    if ('minBoxVersion' in manifest) return manifest.minBoxVersion;
+
+    return '0.0.1';
+}
+
+function pullImage(manifest, callback) {
+    var docker = exports.connection;
+
+    docker.pull(manifest.dockerImage, function (err, stream) {
+        if (err) return callback(new Error('Error connecting to docker. statusCode: %s' + err.statusCode));
+
+        // https://github.com/dotcloud/docker/issues/1074 says each status message
+        // is emitted as a chunk
+        stream.on('data', function (chunk) {
+            var data = safe.JSON.parse(chunk) || { };
+            debug('pullImage data: %j', data);
+
+            // The information here is useless because this is per layer as opposed to per image
+            if (data.status) {
+                // debugApp(app, 'progress: %s', data.status); // progressDetail { current, total }
+            } else if (data.error) {
+                debug('pullImage error detail: %s', data.errorDetail.message);
+            }
+        });
+
+        stream.on('end', function () {
+            debug('downloaded image %s successfully', manifest.dockerImage);
+
+            var image = docker.getImage(manifest.dockerImage);
+
+            image.inspect(function (err, data) {
+                if (err) return callback(new Error('Error inspecting image:' + err.message));
+                if (!data || !data.Config) return callback(new Error('Missing Config in image:' + JSON.stringify(data, null, 4)));
+                if (!data.Config.Entrypoint && !data.Config.Cmd) return callback(new Error('Only images with entry point are allowed'));
+
+                debug('This image exposes ports: %j', data.Config.ExposedPorts);
+
+                callback(null);
+            });
+        });
+
+        stream.on('error', function (error) {
+            debug('error pulling image %s : %j', manifest.dockerImage, error);
+
+            callback(error);
+        });
+    });
+}
+
+function downloadImage(manifest, callback) {
+    assert.strictEqual(typeof manifest, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('downloadImage %s', manifest.dockerImage);
+
+    var attempt = 1;
+
+    async.retry({ times: 5, interval: 15000 }, function (retryCallback) {
+        debug('Downloading image. attempt: %s', attempt++);
+
+        pullImage(manifest, function (error) {
+            if (error) console.error(error);
+
+            retryCallback(error);
+        });
+    }, callback);
+}
+
+function createSubcontainer(app, cmd, callback) {
+    assert.strictEqual(typeof app, 'object');
+    assert(!cmd || util.isArray(cmd));
+    assert.strictEqual(typeof callback, 'function');
+
+    var docker = exports.connection,
+        isAppContainer = !cmd;
+
+    var manifest = app.manifest;
+    var exposedPorts = {}, dockerPortBindings = { };
+    var stdEnv = [
+        'CLOUDRON=1',
+        'WEBADMIN_ORIGIN' + '=' + config.adminOrigin(),
+        'API_ORIGIN' + '=' + config.adminOrigin()
+    ];
+
+    // docker portBindings requires ports to be exposed
+    exposedPorts[manifest.httpPort + '/tcp'] = {};
+
+    dockerPortBindings[manifest.httpPort + '/tcp'] = [ { HostIp: '127.0.0.1', HostPort: app.httpPort + '' } ];
+
+    var portEnv = [];
+    for (var e in app.portBindings) {
+        var hostPort = app.portBindings[e];
+        var containerPort = manifest.tcpPorts[e].containerPort || hostPort;
+
+        exposedPorts[containerPort + '/tcp'] = {};
+        portEnv.push(e + '=' + hostPort);
+
+        dockerPortBindings[containerPort + '/tcp'] = [ { HostIp: '0.0.0.0', HostPort: hostPort + '' } ];
+    }
+
+    var memoryLimit = manifest.memoryLimit || 1024 * 1024 * 200; // 200mb by default
+
+    addons.getEnvironment(app, function (error, addonEnv) {
+        if (error) return callback(new Error('Error getting addon environment : ' + error));
+
+        var containerOptions = {
+            Hostname: config.appFqdn(app.location),
+            Tty: isAppContainer,
+            Image: app.manifest.dockerImage,
+            Cmd: cmd,
+            Env: stdEnv.concat(addonEnv).concat(portEnv),
+            ExposedPorts: isAppContainer ? exposedPorts : { },
+            Volumes: { // see also ReadonlyRootfs
+                '/tmp': {},
+                '/run': {}
+            },
+            Labels: {
+                "location": app.location,
+                "appId": app.id,
+                "isSubcontainer": String(!isAppContainer)
+            },
+            HostConfig: {
+                Binds: addons.getBindsSync(app, app.manifest.addons),
+                Memory: memoryLimit / 2,
+                MemorySwap: memoryLimit, // Memory + Swap
+                PortBindings: isAppContainer ? dockerPortBindings : { },
+                PublishAllPorts: false,
+                ReadonlyRootfs: semver.gte(targetBoxVersion(app.manifest), '0.0.66'), // see also Volumes in startContainer
+                Links: addons.getLinksSync(app, app.manifest.addons),
+                RestartPolicy: {
+                    "Name": isAppContainer ? "always" : "no",
+                    "MaximumRetryCount": 0
+                },
+                CpuShares: 512, // relative to 1024 for system processes
+                VolumesFrom: isAppContainer ? null : [ app.containerId + ":rw" ],
+                SecurityOpt: config.CLOUDRON ? [ "apparmor:docker-cloudron-app" ] : null // profile available only on cloudron
+            }
+        };
+
+        // older versions wanted a writable /var/log
+        if (semver.lte(targetBoxVersion(app.manifest), '0.0.71')) containerOptions.Volumes['/var/log'] = {};
+
+        debugApp(app, 'Creating container for %s', app.manifest.dockerImage);
+
+        docker.createContainer(containerOptions, callback);
+    });
+}
+
+function createContainer(app, callback) {
+    createSubcontainer(app, null, callback);
+}
+
+function startContainer(containerId, callback) {
+    assert.strictEqual(typeof containerId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var docker = exports.connection;
+
+    var container = docker.getContainer(containerId);
+    debug('Starting container %s', containerId);
+
+    container.start(function (error) {
+        if (error && error.statusCode !== 304) return callback(new Error('Error starting container :' + error));
+
+        return callback(null);
+    });
+}
+
+function stopContainer(containerId, callback) {
+    assert(!containerId || typeof containerId === 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    if (!containerId) {
+        debug('No previous container to stop');
+        return callback();
+    }
+
+    var docker = exports.connection;
+    var container = docker.getContainer(containerId);
+    debug('Stopping container %s', containerId);
+
+    var options = {
+        t: 10 // wait for 10 seconds before killing it
+    };
+
+    container.stop(options, function (error) {
+        if (error && (error.statusCode !== 304 && error.statusCode !== 404)) return callback(new Error('Error stopping container:' + error));
+
+        debug('Waiting for container ' + containerId);
+
+        container.wait(function (error, data) {
+            if (error && (error.statusCode !== 304 && error.statusCode !== 404)) return callback(new Error('Error waiting on container:' + error));
+
+            debug('Container %s stopped with status code [%s]', containerId, data ? String(data.StatusCode) : '');
+
+            return callback(null);
+        });
+    });
+}
+
+function deleteContainer(containerId, callback) {
+    assert(!containerId || typeof containerId === 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('deleting container %s', containerId);
+
+    if (containerId === null) return callback(null);
+
+    var docker = exports.connection;
+    var container = docker.getContainer(containerId);
+
+    var removeOptions = {
+        force: true, // kill container if it's running
+        v: true // removes volumes associated with the container (but not host mounts)
+    };
+
+    container.remove(removeOptions, function (error) {
+        if (error && error.statusCode === 404) return callback(null);
+
+        if (error) debug('Error removing container %s : %j', containerId, error);
+
+        callback(error);
+    });
+}
+
+function deleteContainers(appId, callback) {
+    assert.strictEqual(typeof appId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var docker = exports.connection;
+
+    debug('deleting containers of %s', appId);
+
+    docker.listContainers({ all: 1, filters: JSON.stringify({ label: [ 'appId=' + appId ] }) }, function (error, containers) {
+        if (error) return callback(error);
+
+        async.eachSeries(containers, function (container, iteratorDone) {
+            deleteContainer(container.Id, iteratorDone);
+        }, callback);
+    });
+}
+
+function stopContainers(appId, callback) {
+    assert.strictEqual(typeof appId, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    var docker = exports.connection;
+
+    debug('stopping containers of %s', appId);
+
+    docker.listContainers({ all: 1, filters: JSON.stringify({ label: [ 'appId=' + appId ] }) }, function (error, containers) {
+        if (error) return callback(error);
+
+        async.eachSeries(containers, function (container, iteratorDone) {
+            stopContainer(container.Id, iteratorDone);
+        }, callback);
+    });
+}
+
+function deleteImage(manifest, callback) {
+    assert(!manifest || typeof manifest === 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    var dockerImage = manifest ? manifest.dockerImage : null;
+    if (!dockerImage) return callback(null);
+
+    var docker = exports.connection;
+
+    docker.getImage(dockerImage).inspect(function (error, result) {
+        if (error && error.statusCode === 404) return callback(null);
+
+        if (error) return callback(error);
+
+        var removeOptions = {
+            force: true,
+            noprune: false
+        };
+
+         // delete image by id because 'docker pull' pulls down all the tags and this is the only way to delete all tags
+        docker.getImage(result.Id).remove(removeOptions, function (error) {
+            if (error && error.statusCode === 404) return callback(null);
+            if (error && error.statusCode === 409) return callback(null); // another container using the image
+
+            if (error) debug('Error removing image %s : %j', dockerImage, error);
+
+            callback(error);
+        });
+    });
+}
@@ -0,0 +1,103 @@
+'use strict';
+
+var assert = require('assert'),
+    async = require('async'),
+    authcodedb = require('./authcodedb.js'),
+    debug = require('debug')('box:src/janitor'),
+    docker = require('./docker.js').connection,
+    tokendb = require('./tokendb.js');
+
+exports = module.exports = {
+    cleanupTokens: cleanupTokens,
+    cleanupDockerVolumes: cleanupDockerVolumes
+};
+
+var NOOP_CALLBACK = function () { };
+
+function ignoreError(func) {
+    return function (callback) {
+        func(function (error) {
+            if (error) console.error('Ignored error:', error);
+
+            callback();
+        });
+    };
+}
+
+function cleanupExpiredTokens(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    tokendb.delExpired(function (error, result) {
+        if (error) return callback(error);
+
+        debug('Cleaned up %s expired tokens.', result);
+
+        callback(null);
+    });
+}
+
+function cleanupExpiredAuthCodes(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    authcodedb.delExpired(function (error, result) {
+        if (error) return callback(error);
+
+        debug('Cleaned up %s expired authcodes.', result);
+
+        callback(null);
+    });
+}
+
+function cleanupTokens(callback) {
+    assert(!callback || typeof callback === 'function'); // callback is null when called from cronjob
+
+    debug('Cleaning up expired tokens');
+
+    async.series([
+        ignoreError(cleanupExpiredTokens),
+        ignoreError(cleanupExpiredAuthCodes)
+    ], callback);
+}
+
+function cleanupTmpVolume(containerInfo, callback) {
+    assert.strictEqual(typeof containerInfo, 'object');
+    assert.strictEqual(typeof callback, 'function');
+
+    var cmd = 'find /tmp -mtime +10 -exec rm -rf {} +'.split(' '); // 10 days old
+
+    debug('cleanupTmpVolume %j', containerInfo.Names);
+
+    docker.getContainer(containerInfo.Id).exec({ Cmd: cmd, AttachStdout: true, AttachStderr: true, Tty: false }, function (error, execContainer) {
+        if (error) return callback(new Error('Failed to exec container : ' + error.message));
+
+        execContainer.start(function(err, stream) {
+            if (error) return callback(new Error('Failed to start exec container : ' + error.message));
+
+            stream.on('error', callback);
+            stream.on('end', callback);
+
+            stream.setEncoding('utf8');
+            stream.pipe(process.stdout);
+        });
+    });
+}
+
+function cleanupDockerVolumes(callback) {
+    assert(!callback || typeof callback === 'function'); // callback is null when called from cronjob
+
+    callback = callback || NOOP_CALLBACK;
+
+    debug('Cleaning up docker volumes');
+
+    docker.listContainers({ all: 0 }, function (error, containers) {
+        if (error) return callback(error);
+
+        async.eachSeries(containers, function (container, iteratorDone) {
+            cleanupTmpVolume(container, function (error) {
+                if (error) debug('Error cleaning tmp: %s', error);
+
+                iteratorDone(); // intentionally ignore error
+            });
+        }, callback);
+    });
+}
@@ -28,7 +28,7 @@ var assert = require('assert'),
    config = require('./config.js'),
    debug = require('debug')('box:mailer'),
    digitalocean = require('./digitalocean.js'),
-    docker = require('./docker.js'),
+    docker = require('./docker.js').connection,
    ejs = require('ejs'),
    nodemailer = require('nodemailer'),
    path = require('path'),
@@ -87,13 +87,13 @@ function processQueue() {

        var transport = nodemailer.createTransport(smtpTransport({
            host: mailServerIp,
-            port: 25
+            port: 2500 // this value comes from mail container
        }));

        var mailQueueCopy = gMailQueue;
        gMailQueue = [ ];

-        debug('Processing mail queue of size %d', mailQueueCopy.length);
+        debug('Processing mail queue of size %d (through %s:2500)', mailQueueCopy.length, mailServerIp);

        async.mapSeries(mailQueueCopy, function iterator(mailOptions, callback) {
            transport.sendMail(mailOptions, function (error) {
@@ -1,8 +0,0 @@
-'use strict';
-
-module.exports = function contentType(type) {
-    return function (req, res, next) {
-        res.setHeader('Content-Type', type);
-        next();
-    };
-};
@@ -1,7 +1,6 @@
 'use strict';

 exports = module.exports = {
-    contentType: require('./contentType'),
    cookieParser: require('cookie-parser'),
    cors: require('./cors'),
    csrf: require('csurf'),
@@ -1,4 +1,4 @@
-<% include header %>
+<!-- callback tester -->

 <script>

@@ -43,5 +43,3 @@ if (code && redirectURI) {
 }

 </script>
-
-<% include footer %>;
@@ -1,38 +0,0 @@
-<% include header %>
-
-<form action="/api/v1/oauth/dialog/authorize/decision" method="post">
-  <input name="transaction_id" type="hidden" value="<%= transactionID %>">
-  <input type="hidden" name="_csrf" value="<%= csrf %>"/>
-
-  <div class="row">
-    <div class="col-md-3"></div>
-    <div class="col-md-6">
-      <div class="container-fluid">
-        <div class="row">
-          <div class="col-sm-12">
-            Hi <%= user.username %>!
-          </div>
-        </div>
-        <div class="row">
-          <div class="col-sm-12">
-            <b><%= client.name %></b> is requesting access to your account.
-          </div>
-        </div>
-        <div class="row">
-          <div class="col-sm-12">
-            Do you approve?
-          </div>
-        </div>
-        <div class="row">
-          <div class="col-sm-12">
-            <input class="btn btn-danger btn-outline" type="submit" value="Deny" name="cancel" id="deny"/>
-            <input class="btn btn-success btn-outline" type="submit" value="Allow"/>
-          </div>
-        </div>
-      </div>
-    </div>
-    <div class="col-md-3"></div>
-  </div>
-</form>
-
-<% include footer %>
@@ -1,5 +1,7 @@
 <% include header %>

+<!-- error tester -->
+
 <br/>

 <div class="container">
@@ -26,3 +26,12 @@
 </head>

 <body class="oauth">
+
+    <!-- Navigation -->
+    <nav class="navbar navbar-default navbar-static-top shadow" role="navigation" style="margin-bottom: 0">
+        <div class="container-fluid">
+            <div class="navbar-header">
+                <span class="navbar-brand navbar-brand-icon"><img src="/api/v1/cloudron/avatar" width="40" height="40"/></span>
+            </div>
+        </div>
+    </nav>
@@ -1,5 +1,7 @@
 <% include header %>

+<!-- login tester -->
+
 <div class="container">
    <div class="row">
        <div class="col-md-6 col-md-offset-3">
@@ -7,7 +9,7 @@
                <div class="row">
                    <div class="col-md-12" style="text-align: center;">
                        <img width="128" height="128" src="<%= applicationLogo %>"/>
-                        <h1>Login to <%= applicationName %> on <%= cloudronName %></h1>
+                        <h1><small>Login to</small> <%= applicationName %></h1>
                        <br/>
                    </div>
                </div>
@@ -121,7 +121,7 @@ function authenticate(req, res, next) {
                return res.send(500, 'Unknown app.');
            }

-            clientdb.getByAppId('proxy-' + result.id, function (error, result) {
+            clientdb.getByAppIdAndType(result.id, clientdb.TYPE_PROXY, function (error, result) {
                if (error) {
                    console.error('Unkonwn OAuth client.', error);
                    return res.send(500, 'Unknown OAuth client.');
@@ -133,7 +133,7 @@ function authenticate(req, res, next) {
                req.sessionData.clientSecret = result.clientSecret;

                var callbackUrl = result.redirectURI + CALLBACK_URI;
-                var scope = 'profile,roleUser';
+                var scope = 'profile';
                var oauthLogin = config.adminOrigin() + '/api/v1/oauth/dialog/authorize?response_type=code&client_id=' + result.id + '&redirect_uri=' + callbackUrl + '&scope=' + scope;

                debug('begin OAuth flow for client %s.', result.name);
@@ -12,6 +12,7 @@ exports = module.exports = {
    NGINX_CERT_DIR: path.join(config.baseDir(), 'data/nginx/cert'),

    ADDON_CONFIG_DIR: path.join(config.baseDir(), 'data/addons'),
+    SCHEDULER_FILE: path.join(config.baseDir(), 'data/addons/scheduler.json'),

    COLLECTD_APPCONFIG_DIR: path.join(config.baseDir(), 'data/collectd/collectd.conf.d'),

@@ -43,6 +43,7 @@ function removeInternalAppFields(app) {
        health: app.health,
        location: app.location,
        accessRestriction: app.accessRestriction,
+        oauthProxy: app.oauthProxy,
        lastBackupId: app.lastBackupId,
        manifest: app.manifest,
        portBindings: app.portBindings,
@@ -113,20 +114,22 @@ function installApp(req, res, next) {
    if (typeof data.appStoreId !== 'string') return next(new HttpError(400, 'appStoreId is required'));
    if (typeof data.location !== 'string') return next(new HttpError(400, 'location is required'));
    if (('portBindings' in data) && typeof data.portBindings !== 'object') return next(new HttpError(400, 'portBindings must be an object'));
-    if (typeof data.accessRestriction !== 'string') return next(new HttpError(400, 'accessRestriction is required'));
+    if (typeof data.accessRestriction !== 'object') return next(new HttpError(400, 'accessRestriction is required'));
+    if (typeof data.oauthProxy !== 'boolean') return next(new HttpError(400, 'oauthProxy must be a boolean'));
    if ('icon' in data && typeof data.icon !== 'string') return next(new HttpError(400, 'icon is not a string'));

    // allow tests to provide an appId for testing
    var appId = (process.env.BOX_ENV === 'test' && typeof data.appId === 'string') ? data.appId : uuid.v4();

-    debug('Installing app id:%s storeid:%s loc:%s port:%j restrict:%s manifest:%j', appId, data.appStoreId, data.location, data.portBindings, data.accessRestriction, data.manifest);
+    debug('Installing app id:%s storeid:%s loc:%s port:%j accessRestriction:%j oauthproxy:%s manifest:%j', appId, data.appStoreId, data.location, data.portBindings, data.accessRestriction, data.oauthProxy, data.manifest);

-    apps.install(appId, data.appStoreId, data.manifest, data.location, data.portBindings || null, data.accessRestriction, data.icon || null, function (error) {
+    apps.install(appId, data.appStoreId, data.manifest, data.location, data.portBindings || null, data.accessRestriction, data.oauthProxy, data.icon || null, function (error) {
        if (error && error.reason === AppsError.ALREADY_EXISTS) return next(new HttpError(409, error.message));
        if (error && error.reason === AppsError.PORT_RESERVED) return next(new HttpError(409, 'Port ' + error.message + ' is reserved.'));
        if (error && error.reason === AppsError.PORT_CONFLICT) return next(new HttpError(409, 'Port ' + error.message + ' is already in use.'));
        if (error && error.reason === AppsError.BAD_FIELD) return next(new HttpError(400, error.message));
        if (error && error.reason === AppsError.BILLING_REQUIRED) return next(new HttpError(402, 'Billing required'));
+        if (error && error.reason === AppsError.USER_REQUIRED) return next(new HttpError(400, 'accessRestriction must specify one user'));
        if (error) return next(new HttpError(500, error));

        next(new HttpSuccess(202, { id: appId } ));
@@ -149,11 +152,12 @@ function configureApp(req, res, next) {
    if (!data) return next(new HttpError(400, 'Cannot parse data field'));
    if (typeof data.location !== 'string') return next(new HttpError(400, 'location is required'));
    if (('portBindings' in data) && typeof data.portBindings !== 'object') return next(new HttpError(400, 'portBindings must be an object'));
-    if (typeof data.accessRestriction !== 'string') return next(new HttpError(400, 'accessRestriction is required'));
+    if (typeof data.accessRestriction !== 'object') return next(new HttpError(400, 'accessRestriction is required'));
+    if (typeof data.oauthProxy !== 'boolean') return next(new HttpError(400, 'oauthProxy must be a boolean'));

-    debug('Configuring app id:%s location:%s bindings:%j', req.params.id, data.location, data.portBindings);
+    debug('Configuring app id:%s location:%s bindings:%j accessRestriction:%j oauthProxy:%s', req.params.id, data.location, data.portBindings, data.accessRestriction, data.oauthProxy);

-    apps.configure(req.params.id, data.location, data.portBindings || null, data.accessRestriction, function (error) {
+    apps.configure(req.params.id, data.location, data.portBindings || null, data.accessRestriction, data.oauthProxy, function (error) {
        if (error && error.reason === AppsError.ALREADY_EXISTS) return next(new HttpError(409, error.message));
        if (error && error.reason === AppsError.PORT_RESERVED) return next(new HttpError(409, 'Port ' + error.message + ' is reserved.'));
        if (error && error.reason === AppsError.PORT_CONFLICT) return next(new HttpError(409, 'Port ' + error.message + ' is already in use.'));
@@ -253,7 +257,7 @@ function updateApp(req, res, next) {
    if ('icon' in data && typeof data.icon !== 'string') return next(new HttpError(400, 'icon is not a string'));
    if ('force' in data && typeof data.force !== 'boolean') return next(new HttpError(400, 'force must be a boolean'));

-    debug('Update app id:%s to manifest:%j', req.params.id, data.manifest);
+    debug('Update app id:%s to manifest:%j with portBindings:%j', req.params.id, data.manifest, data.portBindings);

    apps.update(req.params.id, data.force || false, data.manifest, data.portBindings, data.icon, function (error) {
        if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(404, 'No such app'));
@@ -5,7 +5,6 @@
 exports = module.exports = {
    add: add,
    get: get,
-    update: update,
    del: del,
    getAllByUserId: getAllByUserId,
    getClientTokens: getClientTokens,
@@ -13,12 +12,13 @@ exports = module.exports = {
 };

 var assert = require('assert'),
-    validUrl = require('valid-url'),
+    clientdb = require('../clientdb.js'),
    clients = require('../clients.js'),
    ClientsError = clients.ClientsError,
    DatabaseError = require('../databaseerror.js'),
    HttpError = require('connect-lastmile').HttpError,
-    HttpSuccess = require('connect-lastmile').HttpSuccess;
+    HttpSuccess = require('connect-lastmile').HttpSuccess,
+    validUrl = require('valid-url');

 function add(req, res, next) {
    var data = req.body;
@@ -29,10 +29,7 @@ function add(req, res, next) {
    if (typeof data.scope !== 'string' || !data.scope) return next(new HttpError(400, 'scope is required'));
    if (!validUrl.isWebUri(data.redirectURI)) return next(new HttpError(400, 'redirectURI must be a valid uri'));

-    // prefix as this route only allows external apps for developers
-    var appId = 'external-' + data.appId;
-
-    clients.add(appId, data.redirectURI, data.scope, function (error, result) {
+    clients.add(data.appId, clientdb.TYPE_EXTERNAL, data.redirectURI, data.scope, function (error, result) {
        if (error && error.reason === ClientsError.INVALID_SCOPE) return next(new HttpError(400, 'Invalid scope'));
        if (error) return next(new HttpError(500, error));
        next(new HttpSuccess(201, result));
@@ -49,22 +46,6 @@ function get(req, res, next) {
    });
 }

-function update(req, res, next) {
-    assert.strictEqual(typeof req.params.clientId, 'string');
-
-    var data = req.body;
-
-    if (!data) return next(new HttpError(400, 'Cannot parse data field'));
-    if (typeof data.appId !== 'string' || !data.appId) return next(new HttpError(400, 'appId is required'));
-    if (typeof data.redirectURI !== 'string' || !data.redirectURI) return next(new HttpError(400, 'redirectURI is required'));
-    if (!validUrl.isWebUri(data.redirectURI)) return next(new HttpError(400, 'redirectURI must be a valid uri'));
-
-    clients.update(req.params.clientId, data.appId, data.redirectURI, function (error, result) {
-        if (error) return next(new HttpError(500, error));
-        next(new HttpSuccess(202, result));
-    });
-}
-
 function del(req, res, next) {
    assert.strictEqual(typeof req.params.clientId, 'string');

@@ -44,22 +44,19 @@ function activate(req, res, next) {
    if (typeof req.body.username !== 'string') return next(new HttpError(400, 'username must be string'));
    if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password must be string'));
    if (typeof req.body.email !== 'string') return next(new HttpError(400, 'email must be string'));
-    if ('name' in req.body && typeof req.body.name !== 'string') return next(new HttpError(400, 'name must be a string'));

    var username = req.body.username;
    var password = req.body.password;
    var email = req.body.email;
-    var name = req.body.name || null;

    var ip = req.headers['x-forwarded-for'] || req.connection.remoteAddress;
    debug('activate: username:%s ip:%s', username, ip);

-    cloudron.activate(username, password, email, name, ip, function (error, info) {
+    cloudron.activate(username, password, email, ip, function (error, info) {
        if (error && error.reason === CloudronError.ALREADY_PROVISIONED) return next(new HttpError(409, 'Already setup'));
        if (error && error.reason === CloudronError.BAD_USERNAME) return next(new HttpError(400, 'Bad username'));
        if (error && error.reason === CloudronError.BAD_PASSWORD) return next(new HttpError(400, 'Bad password'));
        if (error && error.reason === CloudronError.BAD_EMAIL) return next(new HttpError(400, 'Bad email'));
-        if (error && error.reason === CloudronError.BAD_NAME) return next(new HttpError(400, 'Bad name'));
        if (error) return next(new HttpError(500, error));

        // Now let the api server know we got activated
@@ -3,6 +3,7 @@
 'use strict';

 var assert = require('assert'),
+    apps = require('../apps'),
    authcodedb = require('../authcodedb'),
    clientdb = require('../clientdb'),
    config = require('../config.js'),
@@ -27,34 +28,21 @@ var assert = require('assert'),
 // create OAuth 2.0 server
 var gServer = oauth2orize.createServer();

+
 // Register serialialization and deserialization functions.
 //
-// When a client redirects a user to user authorization endpoint, an
-// authorization transaction is initiated.  To complete the transaction, the
-// user must authenticate and approve the authorization request.  Because this
-// may involve multiple HTTP request/response exchanges, the transaction is
-// stored in the session.
-//
-// An application must supply serialization functions, which determine how the
-// client object is serialized into the session.  Typically this will be a
-// simple matter of serializing the client's ID, and deserializing by finding
-// the client by ID from the database.
+// The client id is stored in the session and can thus be retrieved for each
+// step in the oauth flow transaction, which involves multiple http requests.

 gServer.serializeClient(function (client, callback) {
-    debug('server serialize:', client);
-
    return callback(null, client.id);
 });

 gServer.deserializeClient(function (id, callback) {
-    debug('server deserialize:', id);
-
-    clientdb.get(id, function (error, client) {
-        if (error) { return callback(error); }
-        return callback(null, client);
-    });
+    clientdb.get(id, callback);
 });

+
 // Register supported grant types.

 // Grant authorization codes.  The callback takes the `client` requesting
@@ -64,21 +52,17 @@ gServer.deserializeClient(function (id, callback) {
 // the application.  The application issues a code, which is bound to these
 // values, and will be exchanged for an access token.

-// we use , (comma) as scope separator
 gServer.grant(oauth2orize.grant.code({ scopeSeparator: ',' }, function (client, redirectURI, user, ares, callback) {
-    debug('grant code:', client, redirectURI, user.id, ares);
+    debug('grant code:', client.id, redirectURI, user.id, ares);

    var code = hat(256);
    var expiresAt = Date.now() + 60 * 60000; // 1 hour
-    var scopes = client.scope ? client.scope.split(',') : ['profile','roleUser'];
-
-    if (scopes.indexOf('roleAdmin') !== -1 && !user.admin) {
-        debug('grant code: not allowed, you need to be admin');
-        return callback(new Error('Admin capabilities required'));
-    }

    authcodedb.add(code, client.id, user.username, expiresAt, function (error) {
        if (error) return callback(error);
+
+        debug('grant code: new auth code for client %s code %s', client.id, code);
+
        callback(null, code);
    });
 }));
@@ -93,7 +77,7 @@ gServer.grant(oauth2orize.grant.token({ scopeSeparator: ',' }, function (client,
    tokendb.add(token, tokendb.PREFIX_USER + user.id, client.id, expires, client.scope, function (error) {
        if (error) return callback(error);

-        debug('new access token for client ' + client.id + ' token ' + token);
+        debug('grant token: new access token for client %s token %s', client.id, token);

        callback(null, token);
    });
@@ -123,7 +107,7 @@ gServer.exchange(oauth2orize.exchange.code(function (client, code, redirectURI,
            tokendb.add(token, tokendb.PREFIX_USER + authCode.userId, authCode.clientId, expires, client.scope, function (error) {
                if (error) return callback(error);

-                debug('new access token for client ' + client.id + ' token ' + token);
+                debug('exchange: new access token for client %s token %s', client.id, token);

                callback(null, token);
            });
@@ -148,24 +132,34 @@ session.ensureLoggedIn = function (redirectTo) {
    };
 };

+function renderTemplate(res, template, data) {
+    assert.strictEqual(typeof res, 'object');
+    assert.strictEqual(typeof template, 'string');
+    assert.strictEqual(typeof data, 'object');
+
+    res.render(template, data);
+}
+
 function sendErrorPageOrRedirect(req, res, message) {
    assert.strictEqual(typeof req, 'object');
    assert.strictEqual(typeof res, 'object');
    assert.strictEqual(typeof message, 'string');

-    debug('sendErrorPageOrRedirect: returnTo "%s".', req.query.returnTo, message);
+    debug('sendErrorPageOrRedirect: returnTo %s.', req.query.returnTo, message);

    if (typeof req.query.returnTo !== 'string') {
-        res.render('error', {
+        renderTemplate(res, 'error', {
            adminOrigin: config.adminOrigin(),
            message: message
        });
    } else {
        var u = url.parse(req.query.returnTo);
-        if (!u.protocol || !u.host) return res.render('error', {
-            adminOrigin: config.adminOrigin(),
-            message: 'Invalid request. returnTo query is not a valid URI. ' + message
-        });
+        if (!u.protocol || !u.host) {
+            return renderTemplate(res, 'error', {
+                adminOrigin: config.adminOrigin(),
+                message: 'Invalid request. returnTo query is not a valid URI. ' + message
+            });
+        }

        res.redirect(util.format('%s//%s', u.protocol, u.host));
    }
@@ -178,65 +172,49 @@ function sendError(req, res, message) {
    assert.strictEqual(typeof res, 'object');
    assert.strictEqual(typeof message, 'string');

-    res.render('error', {
+    renderTemplate(res, 'error', {
        adminOrigin: config.adminOrigin(),
        message: message
    });
 }

-// Main login form username and password
+// -> GET /api/v1/session/login
 function loginForm(req, res) {
    if (typeof req.session.returnTo !== 'string') return sendErrorPageOrRedirect(req, res, 'Invalid login request. No returnTo provided.');

    var u = url.parse(req.session.returnTo, true);
    if (!u.query.client_id) return sendErrorPageOrRedirect(req, res, 'Invalid login request. No client_id provided.');

-    var cloudronName = '';
-
    function render(applicationName, applicationLogo) {
-        res.render('login', {
+        renderTemplate(res, 'login', {
            adminOrigin: config.adminOrigin(),
            csrf: req.csrfToken(),
-            cloudronName: cloudronName,
            applicationName: applicationName,
            applicationLogo: applicationLogo,
            error: req.query.error || null
        });
    }

-    settings.getCloudronName(function (error, name) {
-        if (error) return sendError(req, res, 'Internal Error');
+    clientdb.get(u.query.client_id, function (error, result) {
+        if (error) return sendError(req, res, 'Unknown OAuth client');

-        cloudronName = name;
+        switch (result.type) {
+            case clientdb.TYPE_ADMIN: return render(constants.ADMIN_NAME, '/api/v1/cloudron/avatar');
+            case clientdb.TYPE_EXTERNAL: return render('External Application', '/api/v1/cloudron/avatar');
+            case clientdb.TYPE_SIMPLE_AUTH: return sendError(req, res, 'Unknown OAuth client');
+            default: break;
+        }

-        clientdb.get(u.query.client_id, function (error, result) {
-            if (error) return sendError(req, res, 'Unknown OAuth client');
+        appdb.get(result.appId, function (error, result) {
+            if (error) return sendErrorPageOrRedirect(req, res, 'Unknown Application for those OAuth credentials');

-            // Handle our different types of oauth clients
-            var appId = result.appId;
-            if (appId === constants.ADMIN_CLIENT_ID) {
-                return render(constants.ADMIN_NAME, '/api/v1/cloudron/avatar');
-            } else if (appId === constants.TEST_CLIENT_ID) {
-                return render(constants.TEST_NAME, '/api/v1/cloudron/avatar');
-            } else if (appId.indexOf('external-') === 0) {
-                return render('External Application', '/api/v1/cloudron/avatar');
-            } else if (appId.indexOf('addon-') === 0) {
-                appId = appId.slice('addon-'.length);
-            } else if (appId.indexOf('proxy-') === 0) {
-                appId = appId.slice('proxy-'.length);
-            }
-
-            appdb.get(appId, function (error, result) {
-                if (error) return sendErrorPageOrRedirect(req, res, 'Unknown Application for those OAuth credentials');
-
-                var applicationName = result.location || config.fqdn();
-                render(applicationName, '/api/v1/cloudron/avatar');
-            });
+            var applicationName = result.location || config.fqdn();
+            render(applicationName, '/api/v1/apps/' + result.id + '/icon');
        });
    });
 }

-// performs the login POST from the login form
+// -> POST /api/v1/session/login
 function login(req, res) {
    var returnTo = req.session.returnTo || req.query.returnTo;

@@ -248,7 +226,7 @@ function login(req, res) {
    });
 }

-// ends the current session
+// -> GET /api/v1/session/logout
 function logout(req, res) {
    req.logout();

@@ -259,7 +237,7 @@ function logout(req, res) {
 // Form to enter email address to send a password reset request mail
 // -> GET /api/v1/session/password/resetRequest.html
 function passwordResetRequestSite(req, res) {
-    res.render('password_reset_request', { adminOrigin: config.adminOrigin(), csrf: req.csrfToken() });
+    renderTemplate(res, 'password_reset_request', { adminOrigin: config.adminOrigin(), csrf: req.csrfToken() });
 }

 // This route is used for above form submission
@@ -283,19 +261,22 @@ function passwordResetRequest(req, res, next) {

 // -> GET /api/v1/session/password/sent.html
 function passwordSentSite(req, res) {
-    res.render('password_reset_sent', { adminOrigin: config.adminOrigin() });
+    renderTemplate(res, 'password_reset_sent', { adminOrigin: config.adminOrigin() });
 }

 // -> GET /api/v1/session/password/setup.html
 function passwordSetupSite(req, res, next) {
    if (!req.query.reset_token) return next(new HttpError(400, 'Missing reset_token'));

-    debug('passwordSetupSite: with token %s.', req.query.reset_token);
-
    user.getByResetToken(req.query.reset_token, function (error, user) {
        if (error) return next(new HttpError(401, 'Invalid reset_token'));

-        res.render('password_setup', { adminOrigin: config.adminOrigin(), user: user, csrf: req.csrfToken(), resetToken: req.query.reset_token });
+        renderTemplate(res, 'password_setup', {
+            adminOrigin: config.adminOrigin(),
+            user: user,
+            csrf: req.csrfToken(),
+            resetToken: req.query.reset_token
+        });
    });
 }

@@ -303,12 +284,15 @@ function passwordSetupSite(req, res, next) {
 function passwordResetSite(req, res, next) {
    if (!req.query.reset_token) return next(new HttpError(400, 'Missing reset_token'));

-    debug('passwordResetSite: with token %s.', req.query.reset_token);
-
    user.getByResetToken(req.query.reset_token, function (error, user) {
        if (error) return next(new HttpError(401, 'Invalid reset_token'));

-        res.render('password_reset', { adminOrigin: config.adminOrigin(), user: user, csrf: req.csrfToken(), resetToken: req.query.reset_token });
+        renderTemplate(res, 'password_reset', {
+            adminOrigin: config.adminOrigin(),
+            user: user,
+            csrf: req.csrfToken(),
+            resetToken: req.query.reset_token
+        });
    });
 }

@@ -334,50 +318,28 @@ function passwordReset(req, res, next) {
 }


-/*
-
-  The callback page takes the redirectURI and the authCode and redirects the browser accordingly
-
-*/
+// The callback page takes the redirectURI and the authCode and redirects the browser accordingly
+//
+// -> GET /api/v1/session/callback
 var callback = [
    session.ensureLoggedIn('/api/v1/session/login'),
    function (req, res) {
-        debug('callback: with callback server ' + req.query.redirectURI);
-        res.render('callback', { adminOrigin: config.adminOrigin(), callbackServer: req.query.redirectURI });
+        renderTemplate(res, 'callback', { adminOrigin: config.adminOrigin(), callbackServer: req.query.redirectURI });
    }
 ];


-/*
-
-  This indicates a missing OAuth client session or invalid client ID
-
-*/
-var error = [
-    session.ensureLoggedIn('/api/v1/session/login'),
-    function (req, res) {
-        sendErrorPageOrRedirect(req, res, 'Invalid OAuth Client');
-    }
-];
-
-
-/*
-
-  The authorization endpoint is the entry point for an OAuth login.
-
-  Each app would start OAuth by redirecting the user to:
-
-    /api/v1/oauth/dialog/authorize?response_type=code&client_id=<clientId>&redirect_uri=<callbackURL>&scope=<ignored>
-
-  - First, this will ensure the user is logged in.
-  - Then in normal OAuth it would ask the user for permissions to the scopes, which we will do on app installation
-  - Then it will redirect the browser to the given <callbackURL> containing the authcode in the query
-
-  Scopes are set by the app during installation, the ones given on OAuth transaction start are simply ignored.
-
-*/
+// The authorization endpoint is the entry point for an OAuth login.
+//
+// Each app would start OAuth by redirecting the user to:
+//
+//    /api/v1/oauth/dialog/authorize?response_type=code&client_id=<clientId>&redirect_uri=<callbackURL>&scope=<ignored>
+//
+//  - First, this will ensure the user is logged in.
+//  - Then it will redirect the browser to the given <callbackURL> containing the authcode in the query
+//
+// -> GET /api/v1/oauth/dialog/authorize
 var authorization = [
-    // extract the returnTo origin and set as query param
    function (req, res, next) {
        if (!req.query.redirect_uri) return sendErrorPageOrRedirect(req, res, 'Invalid request. redirect_uri query param is not set.');
        if (!req.query.client_id) return sendErrorPageOrRedirect(req, res, 'Invalid request. client_id query param is not set.');
@@ -386,10 +348,10 @@ var authorization = [

        session.ensureLoggedIn('/api/v1/session/login?returnTo=' + req.query.redirect_uri)(req, res, next);
    },
-    gServer.authorization(function (clientID, redirectURI, callback) {
-        debug('authorization: client %s with callback to %s.', clientID, redirectURI);
+    gServer.authorization({}, function (clientId, redirectURI, callback) {
+        debug('authorization: client %s with callback to %s.', clientId, redirectURI);

-        clientdb.get(clientID, function (error, client) {
+        clientdb.get(clientId, function (error, client) {
            if (error && error.reason === DatabaseError.NOT_FOUND) return callback(null, false);
            if (error) return callback(error);

@@ -400,47 +362,33 @@ var authorization = [
            callback(null, client, '/api/v1/session/callback?redirectURI=' + url.resolve(redirectOrigin, redirectPath));
        });
    }),
-    // Until we have OAuth scopes, skip decision dialog
-    // OAuth sopes skip START
    function (req, res, next) {
-        assert.strictEqual(typeof req.body, 'object');
-        assert.strictEqual(typeof req.oauth2, 'object');
+        // Handle our different types of oauth clients
+        var type = req.oauth2.client.type;

-        var scopes = req.oauth2.client.scope ? req.oauth2.client.scope.split(',') : ['profile','roleUser'];
+        if (type === clientdb.TYPE_ADMIN) return next();
+        if (type === clientdb.TYPE_EXTERNAL) return next();
+        if (type === clientdb.TYPE_SIMPLE_AUTH) return sendError(req, res, 'Unkonwn OAuth client.');

-        if (scopes.indexOf('roleAdmin') !== -1 && !req.user.admin) {
-            return sendErrorPageOrRedirect(req, res, 'Admin capabilities required');
-        }
+        appdb.get(req.oauth2.client.appId, function (error, appObject) {
+            if (error) return sendErrorPageOrRedirect(req, res, 'Invalid request. Unknown app for this client_id.');

-        req.body.transaction_id = req.oauth2.transactionID;
-        next();
+            if (!apps.hasAccessTo(appObject, req.oauth2.user)) return sendErrorPageOrRedirect(req, res, 'No access to this app.');
+
+            next();
+        });
    },
-    gServer.decision(function(req, done) {
-        debug('decision: with scope', req.oauth2.req.scope);
-        return done(null, { scope: req.oauth2.req.scope });
-    })
-    // OAuth sopes skip END
-    // function (req, res) {
-    //     res.render('dialog', { transactionID: req.oauth2.transactionID, user: req.user, client: req.oauth2.client, csrf: req.csrfToken() });
-    // }
-];
-
-// this triggers the above grant middleware and handles the user's decision if he accepts the access
-var decision = [
-    session.ensureLoggedIn('/api/v1/session/login'),
-    gServer.decision()
+    gServer.decision({ loadTransaction: false })
 ];


-/*
-
-  The token endpoint allows an OAuth client to exchange an authcode with an accesstoken.
-
-  Authcodes are obtained using the authorization endpoint. The route is authenticated by
-  providing a Basic auth with clientID as username and clientSecret as password.
-  An authcode is only good for one such exchange to an accesstoken.
-
-*/
+//  The token endpoint allows an OAuth client to exchange an authcode with an accesstoken.
+//
+//  Authcodes are obtained using the authorization endpoint. The route is authenticated by
+//  providing a Basic auth with clientID as username and clientSecret as password.
+//  An authcode is only good for one such exchange to an accesstoken.
+//
+// -> POST /api/v1/oauth/token
 var token = [
    passport.authenticate(['basic', 'oauth2-client-password'], { session: false }),
    gServer.token(),
@@ -448,18 +396,15 @@ var token = [
 ];


-/*
-
-  The scope middleware provides an auth middleware for routes.
-
-  It is used for API routes, which are authenticated using accesstokens.
-  Those accesstokens carry OAuth scopes and the middleware takes the required
-  scope as an argument and will verify the accesstoken against it.
-
-  See server.js:
-    var profileScope = routes.oauth2.scope('profile');
-
-*/
+//  The scope middleware provides an auth middleware for routes.
+//
+//  It is used for API routes, which are authenticated using accesstokens.
+//  Those accesstokens carry OAuth scopes and the middleware takes the required
+//  scope as an argument and will verify the accesstoken against it.
+//
+//  See server.js:
+//    var profileScope = routes.oauth2.scope('profile');
+//
 function scope(requestedScope) {
    assert.strictEqual(typeof requestedScope, 'string');

@@ -501,7 +446,6 @@ exports = module.exports = {
    login: login,
    logout: logout,
    callback: callback,
-    error: error,
    passwordResetRequestSite: passwordResetRequestSite,
    passwordResetRequest: passwordResetRequest,
    passwordSentSite: passwordSentSite,
@@ -509,7 +453,6 @@ exports = module.exports = {
    passwordSetupSite: passwordSetupSite,
    passwordReset: passwordReset,
    authorization: authorization,
-    decision: decision,
    token: token,
    scope: scope,
    csrf: csrf
@@ -16,7 +16,7 @@ var appdb = require('../../appdb.js'),
    config = require('../../config.js'),
    constants = require('../../constants.js'),
    database = require('../../database.js'),
-    docker = require('../../docker.js'),
+    docker = require('../../docker.js').connection,
    expect = require('expect.js'),
    fs = require('fs'),
    hock = require('hock'),
@@ -25,7 +25,6 @@ var appdb = require('../../appdb.js'),
    js2xml = require('js2xmlparser'),
    net = require('net'),
    nock = require('nock'),
-    os = require('os'),
    paths = require('../../paths.js'),
    redis = require('redis'),
    request = require('superagent'),
@@ -42,15 +41,21 @@ var SERVER_URL = 'http://localhost:' + config.get('port');

 // Test image information
 var TEST_IMAGE_REPO = 'cloudron/test';
-var TEST_IMAGE_TAG = '2.0.1';
-var TEST_IMAGE_ID = 'f0c6f6fe356b1bb35408d2fafc5cca679ee66125d018082f6695a90a3e5f9ce0';
+var TEST_IMAGE_TAG = '9.0.0';
+var TEST_IMAGE_ID = child_process.execSync('docker inspect --format={{.Id}} ' + TEST_IMAGE_REPO + ':' + TEST_IMAGE_TAG).toString('utf8').trim();

 var APP_STORE_ID = 'test', APP_ID;
 var APP_LOCATION = 'appslocation';
 var APP_LOCATION_2 = 'appslocationtwo';
 var APP_LOCATION_NEW = 'appslocationnew';
+
 var APP_MANIFEST = JSON.parse(fs.readFileSync(__dirname + '/../../../../test-app/CloudronManifest.json', 'utf8'));
 APP_MANIFEST.dockerImage = TEST_IMAGE_REPO + ':' + TEST_IMAGE_TAG;
+
+var APP_MANIFEST_1 = JSON.parse(fs.readFileSync(__dirname + '/../../../../test-app/CloudronManifest.json', 'utf8'));
+APP_MANIFEST_1.dockerImage = TEST_IMAGE_REPO + ':' + TEST_IMAGE_TAG;
+APP_MANIFEST_1.singleUser = true;
+
 var USERNAME = 'admin', PASSWORD = 'password', EMAIL ='admin@me.com';
 var USERNAME_1 = 'user', PASSWORD_1 = 'password', EMAIL_1 ='user@me.com';
 var token = null; // authentication token
@@ -157,7 +162,7 @@ function cleanup(done) {

        function (callback) { setTimeout(callback, 2000); }, // give taskmanager tasks couple of seconds to finish

-        child_process.exec.bind(null, 'docker rm -f mysql; docker rm -f postgresql; docker rm -f mongodb')
+        child_process.exec.bind(null, 'docker rm -f mysql; docker rm -f postgresql; docker rm -f mongodb; docker rm -f mail')
    ], done);
 }

@@ -221,7 +226,7 @@ describe('App API', function () {
    it('app install fails - invalid location', function (done) {
        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: '!awesome', accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: '!awesome', accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('Hostname can only contain alphanumerics and hyphen');
@@ -232,7 +237,7 @@ describe('App API', function () {
    it('app install fails - invalid location type', function (done) {
        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: 42, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: 42, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('location is required');
@@ -243,7 +248,7 @@ describe('App API', function () {
    it('app install fails - reserved admin location', function (done) {
        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: constants.ADMIN_LOCATION, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: constants.ADMIN_LOCATION, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql(constants.ADMIN_LOCATION + ' is reserved');
@@ -254,7 +259,7 @@ describe('App API', function () {
    it('app install fails - reserved api location', function (done) {
        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: constants.API_LOCATION, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: constants.API_LOCATION, accessRestriction: null, oauthProxy: true })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql(constants.API_LOCATION + ' is reserved');
@@ -265,7 +270,7 @@ describe('App API', function () {
    it('app install fails - portBindings must be object', function (done) {
        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: 23, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: 23, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('portBindings must be an object');
@@ -276,7 +281,7 @@ describe('App API', function () {
    it('app install fails - accessRestriction is required', function (done) {
        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {} })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {}, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            expect(res.body.message).to.eql('accessRestriction is required');
@@ -284,10 +289,54 @@ describe('App API', function () {
        });
    });

+    it('app install fails - accessRestriction type is wrong', function (done) {
+        request.post(SERVER_URL + '/api/v1/apps/install')
+               .query({ access_token: token })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: '', oauthProxy: false })
+               .end(function (err, res) {
+            expect(res.statusCode).to.equal(400);
+            expect(res.body.message).to.eql('accessRestriction is required');
+            done(err);
+        });
+    });
+
+    it('app install fails - accessRestriction no users not allowed', function (done) {
+        request.post(SERVER_URL + '/api/v1/apps/install')
+               .query({ access_token: token })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST_1, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: null, oauthProxy: false })
+               .end(function (err, res) {
+            expect(res.statusCode).to.equal(400);
+            expect(res.body.message).to.eql('accessRestriction must specify one user');
+            done(err);
+        });
+    });
+
+    it('app install fails - accessRestriction too many users not allowed', function (done) {
+        request.post(SERVER_URL + '/api/v1/apps/install')
+               .query({ access_token: token })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST_1, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: { users: [ 'one', 'two' ] }, oauthProxy: false })
+               .end(function (err, res) {
+            expect(res.statusCode).to.equal(400);
+            expect(res.body.message).to.eql('accessRestriction must specify one user');
+            done(err);
+        });
+    });
+
+    it('app install fails - oauthProxy is required', function (done) {
+        request.post(SERVER_URL + '/api/v1/apps/install')
+               .query({ access_token: token })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: {}, accessRestriction: null })
+               .end(function (err, res) {
+            expect(res.statusCode).to.equal(400);
+            expect(res.body.message).to.eql('oauthProxy must be a boolean');
+            done(err);
+        });
+    });
+
    it('app install fails for non admin', function (done) {
        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token_1 })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
            done(err);
@@ -299,7 +348,7 @@ describe('App API', function () {

        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(402);
            expect(fake.isDone()).to.be.ok();
@@ -312,7 +361,7 @@ describe('App API', function () {

        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(202);
            expect(res.body.id).to.be.a('string');
@@ -327,7 +376,7 @@ describe('App API', function () {

        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(409);
            expect(fake.isDone()).to.be.ok();
@@ -451,7 +500,7 @@ describe('App API', function () {

        request.post(SERVER_URL + '/api/v1/apps/install')
               .query({ access_token: token })
-               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION_2, portBindings: null, accessRestriction: '' })
+               .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION_2, portBindings: null, accessRestriction: null, oauthProxy: false })
               .end(function (err, res) {
            expect(res.statusCode).to.equal(202);
            expect(res.body.id).to.be.a('string');
@@ -480,7 +529,7 @@ describe('App API', function () {

                request.post(SERVER_URL + '/api/v1/apps/install')
                       .query({ access_token: token })
-                       .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, location: APP_LOCATION+APP_LOCATION, portBindings: null, accessRestriction: '' })
+                       .send({ appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, location: APP_LOCATION+APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
                       .end(function (err, res) {
                    expect(res.statusCode).to.equal(202);
                    expect(res.body.id).to.be.a('string');
@@ -591,7 +640,7 @@ describe('App installation', function () {

        request.post(SERVER_URL + '/api/v1/apps/install')
              .query({ access_token: token })
-              .send({ appId: APP_ID, appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: '' })
+              .send({ appId: APP_ID, appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: null, accessRestriction: null, oauthProxy: false })
              .end(function (err, res) {
            expect(res.statusCode).to.equal(202);
            expect(fake.isDone()).to.be.ok();
@@ -623,9 +672,9 @@ describe('App installation', function () {
            expect(data.Config.Env).to.contain('WEBADMIN_ORIGIN=' + config.adminOrigin());
            expect(data.Config.Env).to.contain('API_ORIGIN=' + config.adminOrigin());
            expect(data.Config.Env).to.contain('CLOUDRON=1');
-            clientdb.getByAppId('addon-' + appResult.id, function (error, client) {
+            clientdb.getByAppIdAndType(appResult.id, clientdb.TYPE_OAUTH, function (error, client) {
                expect(error).to.not.be.ok();
-                expect(client.id.length).to.be(46); // cid-addon- + 32 hex chars (128 bits) + 4 hyphens
+                expect(client.id.length).to.be(40); // cid- + 32 hex chars (128 bits) + 4 hyphens
                expect(client.clientSecret.length).to.be(64); // 32 hex chars (256 bits)
                expect(data.Config.Env).to.contain('OAUTH_CLIENT_ID=' + client.id);
                expect(data.Config.Env).to.contain('OAUTH_CLIENT_SECRET=' + client.clientSecret);
@@ -664,7 +713,14 @@ describe('App installation', function () {
    it('installation - running container has volume mounted', function (done) {
        docker.getContainer(appEntry.containerId).inspect(function (error, data) {
            expect(error).to.not.be.ok();
-            expect(data.Volumes['/app/data']).to.eql(paths.DATA_DIR + '/' + APP_ID + '/data');
+
+            // support newer docker versions
+            if (data.Volumes) {
+                expect(data.Volumes['/app/data']).to.eql(paths.DATA_DIR + '/' + APP_ID + '/data');
+            } else {
+                expect(data.Mounts.filter(function (mount) { return mount.Destination === '/app/data'; })[0].Source).to.eql(paths.DATA_DIR + '/' + APP_ID + '/data');
+            }
+
            done();
        });
    });
@@ -701,10 +757,7 @@ describe('App installation', function () {

            expect(urlp.hostname).to.be('redis-' + APP_ID);

-            var isMac = os.platform() === 'darwin';
-            var client =
-                isMac ? redis.createClient(parseInt(exportedRedisPort, 10), '127.0.0.1', { auth_pass: password })
-                      : redis.createClient(parseInt(urlp.port, 10), redisIp, { auth_pass: password });
+            var client = redis.createClient(parseInt(urlp.port, 10), redisIp, { auth_pass: password });
            client.on('error', done);
            client.set('key', 'value');
            client.get('key', function (err, reply) {
@@ -776,6 +829,14 @@ describe('App installation', function () {
        });
    });

+    it('installation - scheduler', function (done) {
+        async.retry({ times: 100, interval: 1000 }, function (retryCallback) {
+            if (fs.existsSync(paths.DATA_DIR + '/' + APP_ID + '/data/every_minute.env')) return retryCallback();
+
+            retryCallback(new Error('not run yet'));
+        }, done);
+    });
+
    it('logs - stdout and stderr', function (done) {
        request.get(SERVER_URL + '/api/v1/apps/' + APP_ID + '/logs')
            .query({ access_token: token })
@@ -1039,7 +1100,7 @@ describe('App installation - port bindings', function () {

        request.post(SERVER_URL + '/api/v1/apps/install')
              .query({ access_token: token })
-              .send({ appId: APP_ID, appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: { ECHO_SERVER_PORT: 7171 }, accessRestriction: '' })
+              .send({ appId: APP_ID, appStoreId: APP_STORE_ID, manifest: APP_MANIFEST, password: PASSWORD, location: APP_LOCATION, portBindings: { ECHO_SERVER_PORT: 7171 }, accessRestriction: null, oauthProxy: false })
              .end(function (err, res) {
            expect(res.statusCode).to.equal(202);
            expect(fake.isDone()).to.be.ok();
@@ -1119,7 +1180,14 @@ describe('App installation - port bindings', function () {
    it('installation - running container has volume mounted', function (done) {
        docker.getContainer(appEntry.containerId).inspect(function (error, data) {
            expect(error).to.not.be.ok();
-            expect(data.Volumes['/app/data']).to.eql(paths.DATA_DIR + '/' + APP_ID + '/data');
+
+            // support newer docker versions
+            if (data.Volumes) {
+                expect(data.Volumes['/app/data']).to.eql(paths.DATA_DIR + '/' + APP_ID + '/data');
+            } else {
+                expect(data.Mounts.filter(function (mount) { return mount.Destination === '/app/data'; })[0].Source).to.eql(paths.DATA_DIR + '/' + APP_ID + '/data');
+            }
+
            done();
        });
    });
@@ -1157,10 +1225,7 @@ describe('App installation - port bindings', function () {
            expect(data.Config.Env).to.contain('REDIS_PASSWORD=' + password);

            function checkRedis() {
-                var isMac = os.platform() === 'darwin';
-                var client =
-                    isMac ? redis.createClient(parseInt(exportedRedisPort, 10), '127.0.0.1', { auth_pass: password })
-                          : redis.createClient(parseInt(urlp.port, 10), redisIp, { auth_pass: password });
+                var client = redis.createClient(parseInt(urlp.port, 10), redisIp, { auth_pass: password });
                client.on('error', done);
                client.set('key', 'value');
                client.get('key', function (err, reply) {
@@ -1193,7 +1258,7 @@ describe('App installation - port bindings', function () {
    it('cannot reconfigure app with missing location', function (done) {
        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token })
-              .send({ appId: APP_ID, password: PASSWORD, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: 'roleAdmin' })
+              .send({ appId: APP_ID, password: PASSWORD, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true })
              .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            done();
@@ -1203,7 +1268,17 @@ describe('App installation - port bindings', function () {
    it('cannot reconfigure app with missing accessRestriction', function (done) {
        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token })
-              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 } })
+              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, oauthProxy: false })
+              .end(function (err, res) {
+            expect(res.statusCode).to.equal(400);
+            done();
+        });
+    });
+
+    it('cannot reconfigure app with missing oauthProxy', function (done) {
+        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
+              .query({ access_token: token })
+              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null })
              .end(function (err, res) {
            expect(res.statusCode).to.equal(400);
            done();
@@ -1213,7 +1288,7 @@ describe('App installation - port bindings', function () {
    it('non admin cannot reconfigure app', function (done) {
        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token_1 })
-              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: 'roleAdmin' })
+              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true })
              .end(function (err, res) {
            expect(res.statusCode).to.equal(403);
            done();
@@ -1223,7 +1298,7 @@ describe('App installation - port bindings', function () {
    it('can reconfigure app', function (done) {
        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/configure')
              .query({ access_token: token })
-              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: 'roleAdmin' })
+              .send({ appId: APP_ID, password: PASSWORD, location: APP_LOCATION_NEW, portBindings: { ECHO_SERVER_PORT: 7172 }, accessRestriction: null, oauthProxy: true })
              .end(function (err, res) {
            expect(res.statusCode).to.equal(202);
            checkConfigureStatus(0, done);
@@ -1282,10 +1357,7 @@ describe('App installation - port bindings', function () {
            expect(data.Config.Env).to.contain('REDIS_HOST=redis-' + APP_ID);
            expect(data.Config.Env).to.contain('REDIS_PASSWORD=' + password);

-            var isMac = os.platform() === 'darwin';
-            var client =
-                isMac ? redis.createClient(parseInt(exportedRedisPort, 10), '127.0.0.1', { auth_pass: password })
-                      : redis.createClient(parseInt(urlp.port, 10), redisIp, { auth_pass: password });
+            var client = redis.createClient(parseInt(urlp.port, 10), redisIp, { auth_pass: password });
            client.on('error', done);
            client.set('key', 'value');
            client.get('key', function (err, reply) {
@@ -1297,6 +1369,16 @@ describe('App installation - port bindings', function () {
        });
    });

+    it('scheduler works after reconfiguration', function (done) {
+        async.retry({ times: 100, interval: 1000 }, function (callback) {
+            var data = safe.fs.readFileSync(paths.DATA_DIR + '/' + APP_ID + '/data/every_minute.env', 'utf8');
+
+            if (data && data.indexOf('ECHO_SERVER_PORT=7172') !== -1) return callback();
+
+            callback(new Error('not run yet'));
+        }, done);
+    });
+
    it('can stop app', function (done) {
        request.post(SERVER_URL + '/api/v1/apps/' + APP_ID + '/stop')
            .query({ access_token: token })
@@ -51,7 +51,7 @@ function setup(done) {

        function addApp(callback) {
            var manifest = { version: '0.0.1', manifestVersion: 1, dockerImage: 'foo', healthCheckPath: '/', httpPort: 3, title: 'ok', addons: { } };
-            appdb.add('appid', 'appStoreId', manifest, 'location', [ ] /* portBindings */, '' /* accessRestriction */, callback);
+            appdb.add('appid', 'appStoreId', manifest, 'location', [ ] /* portBindings */, null /* accessRestriction */, false /* oauthProxy */, callback);
        }
    ], done);
 }
@@ -71,7 +71,7 @@ describe('OAuth Clients API', function () {
            it('fails', function (done) {
                superagent.post(SERVER_URL + '/api/v1/oauth/clients')
                       .query({ access_token: token })
-                       .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: 'profile,roleUser' })
+                       .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: 'profile' })
                       .end(function (error, result) {
                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(412);
@@ -87,7 +87,7 @@ describe('OAuth Clients API', function () {

            it('fails without token', function (done) {
                superagent.post(SERVER_URL + '/api/v1/oauth/clients')
-                       .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: 'profile,roleUser' })
+                       .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: 'profile' })
                       .end(function (error, result) {
                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(401);
@@ -98,7 +98,7 @@ describe('OAuth Clients API', function () {
            it('fails without appId', function (done) {
                superagent.post(SERVER_URL + '/api/v1/oauth/clients')
                       .query({ access_token: token })
-                       .send({ redirectURI: 'http://foobar.com', scope: 'profile,roleUser' })
+                       .send({ redirectURI: 'http://foobar.com', scope: 'profile' })
                       .end(function (error, result) {
                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(400);
@@ -109,7 +109,7 @@ describe('OAuth Clients API', function () {
            it('fails with empty appId', function (done) {
                superagent.post(SERVER_URL + '/api/v1/oauth/clients')
                       .query({ access_token: token })
-                       .send({ appId: '', redirectURI: 'http://foobar.com', scope: 'profile,roleUser' })
+                       .send({ appId: '', redirectURI: 'http://foobar.com', scope: 'profile' })
                       .end(function (error, result) {
                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(400);
@@ -142,7 +142,7 @@ describe('OAuth Clients API', function () {
            it('fails without redirectURI', function (done) {
                superagent.post(SERVER_URL + '/api/v1/oauth/clients')
                       .query({ access_token: token })
-                       .send({ appId: 'someApp', scope: 'profile,roleUser' })
+                       .send({ appId: 'someApp', scope: 'profile' })
                       .end(function (error, result) {
                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(400);
@@ -153,7 +153,7 @@ describe('OAuth Clients API', function () {
            it('fails with empty redirectURI', function (done) {
                superagent.post(SERVER_URL + '/api/v1/oauth/clients')
                       .query({ access_token: token })
-                       .send({ appId: 'someApp', redirectURI: '', scope: 'profile,roleUser' })
+                       .send({ appId: 'someApp', redirectURI: '', scope: 'profile' })
                       .end(function (error, result) {
                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(400);
@@ -164,7 +164,7 @@ describe('OAuth Clients API', function () {
            it('fails with malformed redirectURI', function (done) {
                superagent.post(SERVER_URL + '/api/v1/oauth/clients')
                       .query({ access_token: token })
-                       .send({ appId: 'someApp', redirectURI: 'foobar', scope: 'profile,roleUser' })
+                       .send({ appId: 'someApp', redirectURI: 'foobar', scope: 'profile' })
                       .end(function (error, result) {
                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(400);
@@ -175,7 +175,7 @@ describe('OAuth Clients API', function () {
            it('succeeds', function (done) {
                superagent.post(SERVER_URL + '/api/v1/oauth/clients')
                       .query({ access_token: token })
-                       .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: 'profile,roleUser' })
+                       .send({ appId: 'someApp', redirectURI: 'http://foobar.com', scope: 'profile' })
                       .end(function (error, result) {
                    expect(error).to.not.be.ok();
                    expect(result.statusCode).to.equal(201);
@@ -195,7 +195,7 @@ describe('OAuth Clients API', function () {
            id: '',
            appId: 'someAppId-0',
            redirectURI: 'http://some.callback0',
-            scope: 'profile,roleUser'
+            scope: 'profile'
        };

        before(function (done) {
@@ -297,183 +297,12 @@ describe('OAuth Clients API', function () {
        });
    });

-    describe('update', function () {
-        var CLIENT_0 = {
-            id: '',
-            appId: 'someAppId-0',
-            redirectURI: 'http://some.callback0',
-            scope: 'profile,roleUser'
-        };
-        var CLIENT_1 = {
-            id: '',
-            appId: 'someAppId-1',
-            redirectURI: 'http://some.callback1',
-            scope: 'profile,roleUser'
-        };
-
-        before(function (done) {
-            async.series([
-                server.start.bind(null),
-                database._clear.bind(null),
-
-                function (callback) {
-                    var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
-                    var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
-
-                    superagent.post(SERVER_URL + '/api/v1/cloudron/activate')
-                           .query({ setupToken: 'somesetuptoken' })
-                           .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
-                           .end(function (error, result) {
-                        expect(error).to.not.be.ok();
-                        expect(result).to.be.ok();
-                        expect(result.statusCode).to.equal(201);
-                        expect(scope1.isDone()).to.be.ok();
-                        expect(scope2.isDone()).to.be.ok();
-
-                        // stash token for further use
-                        token = result.body.token;
-
-                        callback();
-                    });
-                },
-
-                settings.setDeveloperMode.bind(null, true),
-
-                function (callback) {
-                    superagent.post(SERVER_URL + '/api/v1/oauth/clients')
-                           .query({ access_token: token })
-                           .send({ appId: CLIENT_0.appId, redirectURI: CLIENT_0.redirectURI, scope: CLIENT_0.scope })
-                           .end(function (error, result) {
-                        expect(error).to.not.be.ok();
-                        expect(result.statusCode).to.equal(201);
-
-                        CLIENT_0 = result.body;
-
-                        callback();
-                    });
-                }
-            ], done);
-        });
-
-        after(cleanup);
-
-        describe('without developer mode', function () {
-            before(function (done) {
-                settings.setDeveloperMode(false, done);
-            });
-
-            it('fails', function (done) {
-                superagent.put(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
-                       .query({ access_token: token })
-                       .send({ appId: CLIENT_1.appId, redirectURI: CLIENT_1.redirectURI })
-                       .end(function (error, result) {
-                    expect(error).to.not.be.ok();
-                    expect(result.statusCode).to.equal(412);
-                    done();
-                });
-            });
-        });
-
-        describe('with developer mode', function () {
-            before(function (done) {
-                settings.setDeveloperMode(true, done);
-            });
-
-            it('fails without token', function (done) {
-                superagent.put(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
-                       .send({ appId: 'someApp', redirectURI: 'http://foobar.com' })
-                       .end(function (error, result) {
-                    expect(error).to.not.be.ok();
-                    expect(result.statusCode).to.equal(401);
-                    done();
-                });
-            });
-
-
-            it('fails without appId', function (done) {
-                superagent.put(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
-                       .query({ access_token: token })
-                       .send({ redirectURI: CLIENT_1.redirectURI })
-                       .end(function (error, result) {
-                    expect(error).to.not.be.ok();
-                    expect(result.statusCode).to.equal(400);
-                    done();
-                });
-            });
-
-            it('fails with empty appId', function (done) {
-                superagent.put(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
-                       .query({ access_token: token })
-                       .send({ appId: '', redirectURI: CLIENT_1.redirectURI })
-                       .end(function (error, result) {
-                    expect(error).to.not.be.ok();
-                    expect(result.statusCode).to.equal(400);
-                    done();
-                });
-            });
-
-            it('fails without redirectURI', function (done) {
-                superagent.put(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
-                       .query({ access_token: token })
-                       .send({ appId: CLIENT_1.appId })
-                       .end(function (error, result) {
-                    expect(error).to.not.be.ok();
-                    expect(result.statusCode).to.equal(400);
-                    done();
-                });
-            });
-
-            it('fails with empty redirectURI', function (done) {
-                superagent.put(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
-                       .query({ access_token: token })
-                       .send({ appId: CLIENT_1.appId, redirectURI: '' })
-                       .end(function (error, result) {
-                    expect(error).to.not.be.ok();
-                    expect(result.statusCode).to.equal(400);
-                    done();
-                });
-            });
-
-            it('fails with malformed redirectURI', function (done) {
-                superagent.put(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
-                       .query({ access_token: token })
-                       .send({ appId: CLIENT_1.appId, redirectURI: 'foobar' })
-                       .end(function (error, result) {
-                    expect(error).to.not.be.ok();
-                    expect(result.statusCode).to.equal(400);
-                    done();
-                });
-            });
-
-            it('succeeds', function (done) {
-                superagent.put(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
-                       .query({ access_token: token })
-                       .send({ appId: CLIENT_1.appId, redirectURI: CLIENT_1.redirectURI })
-                       .end(function (error, result) {
-                    expect(error).to.not.be.ok();
-                    expect(result.statusCode).to.equal(202);
-
-                    superagent.get(SERVER_URL + '/api/v1/oauth/clients/' + CLIENT_0.id)
-                           .query({ access_token: token })
-                           .end(function (error, result) {
-                        expect(error).to.be(null);
-                        expect(result.statusCode).to.equal(200);
-                        expect(result.body.appId).to.equal(CLIENT_1.appId);
-                        expect(result.body.redirectURI).to.equal(CLIENT_1.redirectURI);
-
-                        done();
-                   });
-                });
-            });
-        });
-    });
-
    describe('del', function () {
        var CLIENT_0 = {
            id: '',
            appId: 'someAppId-0',
            redirectURI: 'http://some.callback0',
-            scope: 'profile,roleUser'
+            scope: 'profile'
        };

        before(function (done) {
@@ -54,7 +54,7 @@ function setup(done) {

        function addApp(callback) {
            var manifest = { version: '0.0.1', manifestVersion: 1, dockerImage: 'foo', healthCheckPath: '/', httpPort: 3, title: 'ok' };
-            appdb.add('appid', 'appStoreId', manifest, 'location', [ ] /* portBindings */, '' /* accessRestriction */, callback);
+            appdb.add('appid', 'appStoreId', manifest, 'location', [ ] /* portBindings */, null /* accessRestriction */, false /* oauthProxy */, callback);
        }
    ], done);
 }
@@ -0,0 +1,421 @@
+/* jslint node:true */
+/* global it:false */
+/* global describe:false */
+/* global before:false */
+/* global after:false */
+
+'use strict';
+
+var clientdb = require('../../clientdb.js'),
+    appdb = require('../../appdb.js'),
+    async = require('async'),
+    config = require('../../config.js'),
+    database = require('../../database.js'),
+    expect = require('expect.js'),
+    request = require('superagent'),
+    server = require('../../server.js'),
+    simpleauth = require('../../simpleauth.js'),
+    nock = require('nock');
+
+describe('SimpleAuth API', function () {
+    var SERVER_URL = 'http://localhost:' + config.get('port');
+    var SIMPLE_AUTH_ORIGIN = 'http://localhost:' + config.get('simpleAuthPort');
+
+    var USERNAME = 'admin', PASSWORD = 'password', EMAIL ='silly@me.com';
+
+    var APP_0 = {
+        id: 'app0',
+        appStoreId: '',
+        manifest: { version: '0.1.0', addons: { } },
+        location: 'test0',
+        portBindings: {},
+        accessRestriction: { users: [ 'foobar', 'someone'] },
+        oauthProxy: true
+    };
+
+    var APP_1 = {
+        id: 'app1',
+        appStoreId: '',
+        manifest: { version: '0.1.0', addons: { } },
+        location: 'test1',
+        portBindings: {},
+        accessRestriction: { users: [ 'foobar', USERNAME, 'someone' ] },
+        oauthProxy: true
+    };
+
+    var APP_2 = {
+        id: 'app2',
+        appStoreId: '',
+        manifest: { version: '0.1.0', addons: { } },
+        location: 'test2',
+        portBindings: {},
+        accessRestriction: null,
+        oauthProxy: true
+    };
+
+    var CLIENT_0 = {
+        id: 'someclientid',
+        appId: 'someappid',
+        type: clientdb.TYPE_SIMPLE_AUTH,
+        clientSecret: 'someclientsecret',
+        redirectURI: '',
+        scope: 'user,profile'
+    };
+
+    var CLIENT_1 = {
+        id: 'someclientid1',
+        appId: APP_0.id,
+        type: clientdb.TYPE_SIMPLE_AUTH,
+        clientSecret: 'someclientsecret1',
+        redirectURI: '',
+        scope: 'user,profile'
+    };
+
+    var CLIENT_2 = {
+        id: 'someclientid2',
+        appId: APP_1.id,
+        type: clientdb.TYPE_SIMPLE_AUTH,
+        clientSecret: 'someclientsecret2',
+        redirectURI: '',
+        scope: 'user,profile'
+    };
+
+    var CLIENT_3 = {
+        id: 'someclientid3',
+        appId: APP_2.id,
+        type: clientdb.TYPE_SIMPLE_AUTH,
+        clientSecret: 'someclientsecret3',
+        redirectURI: '',
+        scope: 'user,profile'
+    };
+
+    var CLIENT_4 = {
+        id: 'someclientid4',
+        appId: APP_2.id,
+        type: clientdb.TYPE_OAUTH,
+        clientSecret: 'someclientsecret4',
+        redirectURI: '',
+        scope: 'user,profile'
+    };
+
+    before(function (done) {
+        async.series([
+            server.start.bind(server),
+            simpleauth.start.bind(simpleauth),
+
+            database._clear,
+
+            function createAdmin(callback) {
+                var scope1 = nock(config.apiServerOrigin()).get('/api/v1/boxes/' + config.fqdn() + '/setup/verify?setupToken=somesetuptoken').reply(200, {});
+                var scope2 = nock(config.apiServerOrigin()).post('/api/v1/boxes/' + config.fqdn() + '/setup/done?setupToken=somesetuptoken').reply(201, {});
+
+                request.post(SERVER_URL + '/api/v1/cloudron/activate')
+                       .query({ setupToken: 'somesetuptoken' })
+                       .send({ username: USERNAME, password: PASSWORD, email: EMAIL })
+                       .end(function (error, result) {
+                    expect(error).to.not.be.ok();
+                    expect(result).to.be.ok();
+                    expect(result.statusCode).to.eql(201);
+                    expect(scope1.isDone()).to.be.ok();
+                    expect(scope2.isDone()).to.be.ok();
+
+                    callback();
+                });
+            },
+
+            clientdb.add.bind(null, CLIENT_0.id, CLIENT_0.appId, CLIENT_0.type, CLIENT_0.clientSecret, CLIENT_0.redirectURI, CLIENT_0.scope),
+            clientdb.add.bind(null, CLIENT_1.id, CLIENT_1.appId, CLIENT_1.type, CLIENT_1.clientSecret, CLIENT_1.redirectURI, CLIENT_1.scope),
+            clientdb.add.bind(null, CLIENT_2.id, CLIENT_2.appId, CLIENT_2.type, CLIENT_2.clientSecret, CLIENT_2.redirectURI, CLIENT_2.scope),
+            clientdb.add.bind(null, CLIENT_3.id, CLIENT_3.appId, CLIENT_3.type, CLIENT_3.clientSecret, CLIENT_3.redirectURI, CLIENT_3.scope),
+            clientdb.add.bind(null, CLIENT_4.id, CLIENT_4.appId, CLIENT_4.type, CLIENT_4.clientSecret, CLIENT_4.redirectURI, CLIENT_4.scope),
+            appdb.add.bind(null, APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.portBindings, APP_0.accessRestriction, APP_0.oauthProxy),
+            appdb.add.bind(null, APP_1.id, APP_1.appStoreId, APP_1.manifest, APP_1.location, APP_1.portBindings, APP_1.accessRestriction, APP_1.oauthProxy),
+            appdb.add.bind(null, APP_2.id, APP_2.appStoreId, APP_2.manifest, APP_2.location, APP_2.portBindings, APP_2.accessRestriction, APP_2.oauthProxy)
+        ], done);
+    });
+
+    after(function (done) {
+        async.series([
+            database._clear,
+            simpleauth.stop.bind(simpleauth),
+            server.stop.bind(server)
+        ], done);
+    });
+
+    describe('login', function () {
+        it('cannot login without clientId', function (done) {
+            var body = {};
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('cannot login without username', function (done) {
+            var body = {
+                clientId: 'someclientid'
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('cannot login without password', function (done) {
+            var body = {
+                clientId: 'someclientid',
+                username: USERNAME
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('cannot login with unkown clientId', function (done) {
+            var body = {
+                clientId: CLIENT_0.id+CLIENT_0.id,
+                username: USERNAME,
+                password: PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+
+        it('cannot login with unkown user', function (done) {
+            var body = {
+                clientId: CLIENT_0.id,
+                username: USERNAME+USERNAME,
+                password: PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+
+        it('cannot login with empty password', function (done) {
+            var body = {
+                clientId: CLIENT_0.id,
+                username: USERNAME,
+                password: ''
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+
+        it('cannot login with wrong password', function (done) {
+            var body = {
+                clientId: CLIENT_0.id,
+                username: USERNAME,
+                password: PASSWORD+PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+
+        it('fails for unkown app', function (done) {
+            var body = {
+                clientId: CLIENT_0.id,
+                username: USERNAME,
+                password: PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+
+        it('fails for disallowed app', function (done) {
+            var body = {
+                clientId: CLIENT_1.id,
+                username: USERNAME,
+                password: PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+
+        it('succeeds for allowed app', function (done) {
+            var body = {
+                clientId: CLIENT_2.id,
+                username: USERNAME,
+                password: PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(200);
+                expect(result.body.accessToken).to.be.a('string');
+                expect(result.body.user).to.be.an('object');
+                expect(result.body.user.id).to.be.a('string');
+                expect(result.body.user.username).to.be.a('string');
+                expect(result.body.user.email).to.be.a('string');
+                expect(result.body.user.admin).to.be.a('boolean');
+
+                request.get(SERVER_URL + '/api/v1/profile')
+                .query({ access_token: result.body.accessToken })
+                .end(function (error, result) {
+                    expect(error).to.be(null);
+                    expect(result.body).to.be.an('object');
+                    expect(result.body.username).to.eql(USERNAME);
+
+                    done();
+                });
+            });
+        });
+
+        it('succeeds for app without accessRestriction', function (done) {
+            var body = {
+                clientId: CLIENT_3.id,
+                username: USERNAME,
+                password: PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(200);
+                expect(result.body.accessToken).to.be.a('string');
+                expect(result.body.user).to.be.an('object');
+                expect(result.body.user.id).to.be.a('string');
+                expect(result.body.user.username).to.be.a('string');
+                expect(result.body.user.email).to.be.a('string');
+                expect(result.body.user.admin).to.be.a('boolean');
+
+                request.get(SERVER_URL + '/api/v1/profile')
+                .query({ access_token: result.body.accessToken })
+                .end(function (error, result) {
+                    expect(error).to.be(null);
+                    expect(result.body).to.be.an('object');
+                    expect(result.body.username).to.eql(USERNAME);
+
+                    done();
+                });
+            });
+        });
+
+        it('fails for wrong client credentials', function (done) {
+            var body = {
+                clientId: CLIENT_4.id,
+                username: USERNAME,
+                password: PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+    });
+
+    describe('logout', function () {
+        var accessToken;
+
+        before(function (done) {
+            var body = {
+                clientId: CLIENT_3.id,
+                username: USERNAME,
+                password: PASSWORD
+            };
+
+            request.post(SIMPLE_AUTH_ORIGIN + '/api/v1/login')
+            .send(body)
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(200);
+
+                accessToken = result.body.accessToken;
+
+                done();
+            });
+        });
+
+        it('fails without access_token', function (done) {
+            request.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(400);
+                done();
+            });
+        });
+
+        it('fails with unkonwn access_token', function (done) {
+            request.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
+            .query({ access_token: accessToken+accessToken })
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(401);
+                done();
+            });
+        });
+
+        it('succeeds', function (done) {
+            request.get(SIMPLE_AUTH_ORIGIN + '/api/v1/logout')
+            .query({ access_token: accessToken })
+            .end(function (error, result) {
+                expect(error).to.be(null);
+                expect(result.statusCode).to.equal(200);
+
+                request.get(SERVER_URL + '/api/v1/profile')
+                .query({ access_token: accessToken })
+                .end(function (error, result) {
+                    expect(error).to.be(null);
+                    expect(result.statusCode).to.equal(401);
+
+                    done();
+                });
+            });
+        });
+    });
+});
@@ -24,7 +24,9 @@ start_postgresql() {

    docker rm -f postgresql 2>/dev/null 1>&2 || true

-    docker run -dtP --name=postgresql -v "${postgresqldatadir}:/var/lib/postgresql" -v /tmp/postgresql_vars.sh:/etc/postgresql/postgresql_vars.sh "${POSTGRESQL_IMAGE}" >/dev/null
+    docker run -dtP --name=postgresql -v "${postgresqldatadir}:/var/lib/postgresql" \
+        --read-only -v /tmp -v /run \
+        -v /tmp/postgresql_vars.sh:/etc/postgresql/postgresql_vars.sh "${POSTGRESQL_IMAGE}" >/dev/null
 }

 start_mysql() {
@@ -40,7 +42,9 @@ start_mysql() {

    docker rm -f mysql 2>/dev/null 1>&2 || true

-    docker run -dP --name=mysql -v "${mysqldatadir}:/var/lib/mysql" -v /tmp/mysql_vars.sh:/etc/mysql/mysql_vars.sh "${MYSQL_IMAGE}" >/dev/null
+    docker run -dP --name=mysql -v "${mysqldatadir}:/var/lib/mysql" \
+        --read-only -v /tmp -v /run \
+        -v /tmp/mysql_vars.sh:/etc/mysql/mysql_vars.sh "${MYSQL_IMAGE}" >/dev/null
 }

 start_mongodb() {
@@ -56,16 +60,29 @@ start_mongodb() {

    docker rm -f mongodb 2>/dev/null 1>&2 || true

-    docker run -dP --name=mongodb -v "${mongodbdatadir}:/var/lib/mongodb" -v /tmp/mongodb_vars.sh:/etc/mongodb_vars.sh "${MONGODB_IMAGE}" >/dev/null
+    docker run -dP --name=mongodb -v "${mongodbdatadir}:/var/lib/mongodb" \
+        --read-only -v /tmp -v /run \
+        -v /tmp/mongodb_vars.sh:/etc/mongodb_vars.sh "${MONGODB_IMAGE}" >/dev/null
+}
+
+start_mail() {
+    local mongodb_vars="MONGODB_ROOT_PASSWORD=${root_password}"
+
+    docker rm -f mail 2>/dev/null 1>&2 || true
+
+    docker run -dP --name=mail -e DOMAIN_NAME="localhost" \
+        --read-only -v /tmp -v /run \
+        -v /tmp/maildata:/app/data "${MAIL_IMAGE}" >/dev/null
 }

 start_mysql
 start_postgresql
 start_mongodb
+start_mail

 echo -n "Waiting for addons to start"
-for i in {1..10}; do
-   echo -n "."
+for i in {1..20}; do
+    echo -n "."
    sleep 1
 done
 echo ""
@@ -0,0 +1,192 @@
+'use strict';
+
+exports = module.exports = {
+    sync: sync
+};
+
+var appdb = require('./appdb.js'),
+    apps = require('./apps.js'),
+    assert = require('assert'),
+    async = require('async'),
+    config = require('./config.js'),
+    CronJob = require('cron').CronJob,
+    debug = require('debug')('box:src/scheduler'),
+    docker = require('./docker.js'),
+    paths = require('./paths.js'),
+    safe = require('safetydance'),
+    _ = require('underscore');
+
+var NOOP_CALLBACK = function (error) { if (error) console.error(error); };
+
+// appId -> { schedulerConfig (manifest), cronjobs, containerIds }
+var gState = (function loadState() {
+    var state = safe.JSON.parse(safe.fs.readFileSync(paths.SCHEDULER_FILE, 'utf8'));
+    return state || { };
+})();
+
+function saveState(state) {
+    // do not save cronJobs
+    var safeState = { };
+    for (var appId in state) {
+        safeState[appId] = {
+            schedulerConfig: state[appId].schedulerConfig,
+            containerIds: state[appId].containerIds
+        };
+    }
+    safe.fs.writeFileSync(paths.SCHEDULER_FILE, JSON.stringify(safeState, null, 4), 'utf8');
+}
+
+function sync(callback) {
+    assert(!callback || typeof callback === 'function');
+
+    callback = callback || NOOP_CALLBACK;
+
+    debug('Syncing');
+
+    apps.getAll(function (error, allApps) {
+        if (error) return callback(error);
+
+        // stop tasks of apps that went away
+        var allAppIds = allApps.map(function (app) { return app.id; });
+        var removedAppIds = _.difference(Object.keys(gState), allAppIds);
+        async.eachSeries(removedAppIds, function (appId, iteratorDone) {
+            stopJobs(appId, gState[appId], true /* killContainers */, iteratorDone);
+        }, function (error) {
+            if (error) debug('Error stopping jobs : %j', error);
+
+            gState = _.omit(gState, removedAppIds);
+
+            // start tasks of new apps
+            async.eachSeries(allApps, function (app, iteratorDone) {
+                var appState = gState[app.id] || null;
+                var schedulerConfig = app.manifest.addons.scheduler || null;
+
+                if (!appState && !schedulerConfig) return iteratorDone(); // nothing changed
+
+                if (appState && _.isEqual(appState.schedulerConfig, schedulerConfig) && appState.cronJobs) {
+                    return iteratorDone(); // nothing changed
+                }
+
+                var killContainers = appState && !appState.cronJobs ? true : false; // keep the old containers on 'startup'
+                stopJobs(app.id, appState, killContainers, function (error) {
+                    if (error) debug('Error stopping jobs for %s : %s', app.id, error.message);
+
+                    if (!schedulerConfig) {
+                        delete gState[app.id];
+                        return iteratorDone();
+                    }
+
+                    gState[app.id] = {
+                        schedulerConfig: schedulerConfig,
+                        cronJobs: createCronJobs(app.id, schedulerConfig),
+                        containerIds: { }
+                    };
+
+                    saveState(gState);
+
+                    iteratorDone();
+                });
+            });
+
+            debug('Done syncing');
+        });
+    });
+}
+
+function killContainer(containerId, callback) {
+    if (!containerId) return callback();
+
+    async.series([
+        docker.stopContainer.bind(null, containerId),
+        docker.deleteContainer.bind(null, containerId)
+    ], function (error) {
+        if (error) debug('Failed to kill task with containerId %s : %s', containerId, error.message);
+
+        callback(error);
+    });
+}
+
+function stopJobs(appId, appState, killContainers, callback) {
+    assert.strictEqual(typeof appId, 'string');
+    assert.strictEqual(typeof appState, 'object');
+    assert.strictEqual(typeof killContainers, 'boolean');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('stopJobs for %s', appId);
+
+    if (!appState) return callback();
+
+    async.eachSeries(Object.keys(appState.schedulerConfig), function (taskName, iteratorDone) {
+        if (appState.cronJobs && appState.cronJobs[taskName]) {  // could be null across restarts
+            appState.cronJobs[taskName].stop();
+        }
+
+        if (!killContainers) return iteratorDone();
+
+        killContainer(appState.containerIds[taskName], iteratorDone);
+    }, callback);
+}
+
+function createCronJobs(appId, schedulerConfig) {
+    assert.strictEqual(typeof appId, 'string');
+    assert(schedulerConfig && typeof schedulerConfig === 'object');
+
+    debug('creating cron jobs for app %s', appId);
+
+    var jobs = { };
+
+    Object.keys(schedulerConfig).forEach(function (taskName) {
+        var task = schedulerConfig[taskName];
+
+        var cronTime = (config.TEST ? '*/5 ' : '00 ') + task.schedule; // time ticks faster in tests
+
+        debug('scheduling task for %s/%s @ %s : %s', appId, taskName, cronTime, task.command);
+
+        var cronJob = new CronJob({
+            cronTime: cronTime, // at this point, the pattern has been validated
+            onTick: doTask.bind(null, appId, taskName),
+            start: true
+        });
+
+        jobs[taskName] = cronJob;
+    });
+
+    return jobs;
+}
+
+function doTask(appId, taskName, callback) {
+    assert.strictEqual(typeof appId, 'string');
+    assert.strictEqual(typeof taskName, 'string');
+    assert(!callback || typeof callback === 'function');
+
+    callback = callback || NOOP_CALLBACK;
+
+    var appState = gState[appId];
+
+    debug('Executing task %s/%s', appId, taskName);
+
+    apps.get(appId, function (error, app) {
+        if (error) return callback(error);
+
+        if (app.installationState !== appdb.ISTATE_INSTALLED || app.runState !== appdb.RSTATE_RUNNING) {
+            debug('task %s skipped. app %s is not installed/running', taskName, app.id);
+            return callback();
+        }
+
+        if (appState.containerIds[taskName]) debug('task %s/%s has existing container %s. killing it', appId, taskName, appState.containerIds[taskName]);
+
+        killContainer(appState.containerIds[taskName], function (error) {
+            if (error) return callback(error);
+
+            debug('Creating createSubcontainer for %s/%s : %s', app.id, taskName, gState[appId].schedulerConfig[taskName].command);
+
+            docker.createSubcontainer(app, [ '/bin/sh', '-c', gState[appId].schedulerConfig[taskName].command ], function (error, container) {
+                appState.containerIds[taskName] = container.id;
+
+                saveState(gState);
+
+                docker.startContainer(container.id, callback);
+            });
+        });
+    });
+}
@@ -43,11 +43,7 @@ function initializeExpressSync() {
    app.set('view options', { layout: true, debug: true });
    app.set('view engine', 'ejs');

-    if (process.env.BOX_ENV === 'test') {
-       app.use(express.static(path.join(__dirname, '/../webadmin')));
-    } else {
-        app.use(middleware.morgan('dev', { immediate: false }));
-    }
+    if (process.env.BOX_ENV !== 'test') app.use(middleware.morgan('Box :method :url :status :response-time ms - :res[content-length]', { immediate: false }));

    var router = new express.Router();
    router.del = router.delete; // amend router.del for readability further on
@@ -120,7 +116,6 @@ function initializeExpressSync() {
    router.post('/api/v1/session/login', csrf, routes.oauth2.login);
    router.get ('/api/v1/session/logout', routes.oauth2.logout);
    router.get ('/api/v1/session/callback', routes.oauth2.callback);
-    router.get ('/api/v1/session/error', routes.oauth2.error);
    router.get ('/api/v1/session/password/resetRequest.html', csrf, routes.oauth2.passwordResetRequestSite);
    router.post('/api/v1/session/password/resetRequest', csrf, routes.oauth2.passwordResetRequest);
    router.get ('/api/v1/session/password/sent.html', routes.oauth2.passwordSentSite);
@@ -130,13 +125,11 @@ function initializeExpressSync() {

    // oauth2 routes
    router.get ('/api/v1/oauth/dialog/authorize', routes.oauth2.authorization);
-    router.post('/api/v1/oauth/dialog/authorize/decision', csrf, routes.oauth2.decision);
    router.post('/api/v1/oauth/token', routes.oauth2.token);
    router.get ('/api/v1/oauth/clients', settingsScope, routes.clients.getAllByUserId);
    router.post('/api/v1/oauth/clients', routes.developer.enabled, settingsScope, routes.clients.add);
    router.get ('/api/v1/oauth/clients/:clientId', routes.developer.enabled, settingsScope, routes.clients.get);
    router.post('/api/v1/oauth/clients/:clientId', routes.developer.enabled, settingsScope, routes.clients.add);
-    router.put ('/api/v1/oauth/clients/:clientId', routes.developer.enabled, settingsScope, routes.clients.update);
    router.del ('/api/v1/oauth/clients/:clientId', routes.developer.enabled, settingsScope, routes.clients.del);
    router.get ('/api/v1/oauth/clients/:clientId/tokens', settingsScope, routes.clients.getClientTokens);
    router.del ('/api/v1/oauth/clients/:clientId/tokens', settingsScope, routes.clients.delClientTokens);
@@ -144,7 +137,7 @@ function initializeExpressSync() {
    // app routes
    router.get ('/api/v1/apps',          appsScope, routes.apps.getApps);
    router.get ('/api/v1/apps/:id',      appsScope, routes.apps.getApp);
-    router.get ('/api/v1/apps/:id/icon', appsScope, routes.apps.getAppIcon);
+    router.get ('/api/v1/apps/:id/icon', routes.apps.getAppIcon);

    router.post('/api/v1/apps/install',       appsScope, routes.user.requireAdmin, routes.apps.installApp);
    router.post('/api/v1/apps/:id/uninstall', appsScope, routes.user.requireAdmin, routes.user.verifyPassword, routes.apps.uninstallApp);
@@ -210,7 +203,7 @@ function initializeInternalExpressSync() {
    var json = middleware.json({ strict: true, limit: QUERY_LIMIT }), // application/json
        urlencoded = middleware.urlencoded({ extended: false, limit: QUERY_LIMIT }); // application/x-www-form-urlencoded

-    app.use(middleware.morgan('dev', { immediate: false }));
+    if (process.env.BOX_ENV !== 'test') app.use(middleware.morgan('Box Internal :method :url :status :response-time ms - :res[content-length]', { immediate: false }));

    var router = new express.Router();
    router.del = router.delete; // amend router.del for readability further on
@@ -0,0 +1,155 @@
+'use strict';
+
+exports = module.exports = {
+    start: start,
+    stop: stop
+};
+
+var apps = require('./apps.js'),
+    AppsError = apps.AppsError,
+    assert = require('assert'),
+    clientdb = require('./clientdb.js'),
+    clients = require('./clients.js'),
+    ClientsError = clients.ClientsError,
+    config = require('./config.js'),
+    DatabaseError = require('./databaseerror.js'),
+    debug = require('debug')('box:src/simpleauth'),
+    express = require('express'),
+    http = require('http'),
+    HttpError = require('connect-lastmile').HttpError,
+    HttpSuccess = require('connect-lastmile').HttpSuccess,
+    middleware = require('./middleware'),
+    tokendb = require('./tokendb.js'),
+    user = require('./user.js'),
+    UserError = require('./user.js').UserError;
+
+var gHttpServer = null;
+
+function loginLogic(clientId, username, password, callback) {
+    assert.strictEqual(typeof clientId, 'string');
+    assert.strictEqual(typeof username, 'string');
+    assert.strictEqual(typeof password, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('login: client %s and user %s', clientId, username);
+
+    clients.get(clientId, function (error, clientObject) {
+        if (error) return callback(error);
+
+        // only allow simple auth clients
+        if (clientObject.type !== clientdb.TYPE_SIMPLE_AUTH) return callback(new ClientsError(ClientsError.INVALID_CLIENT));
+
+        user.verify(username, password, function (error, userObject) {
+            if (error) return callback(error);
+
+            apps.get(clientObject.appId, function (error, appObject) {
+                if (error) return callback(error);
+
+                if (!apps.hasAccessTo(appObject, userObject)) return callback(new AppsError(AppsError.ACCESS_DENIED));
+
+                var accessToken = tokendb.generateToken();
+                var expires = Date.now() + 24 * 60 * 60 * 1000; // 1 day
+
+                tokendb.add(accessToken, tokendb.PREFIX_USER + userObject.id, clientId, expires, clientObject.scope, function (error) {
+                    if (error) return callback(error);
+
+                    debug('login: new access token for client %s and user %s: %s', clientId, username, accessToken);
+
+                    callback(null, { accessToken: accessToken, user: userObject });
+                });
+            });
+        });
+    });
+}
+
+function logoutLogic(accessToken, callback) {
+    assert.strictEqual(typeof accessToken, 'string');
+    assert.strictEqual(typeof callback, 'function');
+
+    debug('logout: %s', accessToken);
+
+    tokendb.del(accessToken, function (error) {
+        if (error) return callback(error);
+        callback(null);
+    });
+}
+
+function login(req, res, next) {
+    assert.strictEqual(typeof req.body, 'object');
+
+    if (typeof req.body.clientId !== 'string') return next(new HttpError(400, 'clientId is required'));
+    if (typeof req.body.username !== 'string') return next(new HttpError(400, 'username is required'));
+    if (typeof req.body.password !== 'string') return next(new HttpError(400, 'password is required'));
+
+    loginLogic(req.body.clientId, req.body.username, req.body.password, function (error, result) {
+        if (error && error.reason === DatabaseError.NOT_FOUND) return next(new HttpError(401, 'Unknown client'));
+        if (error && error.reason === ClientsError.INVALID_CLIENT) return next(new HttpError(401, 'Unkown client'));
+        if (error && error.reason === UserError.NOT_FOUND) return next(new HttpError(401, 'Forbidden'));
+        if (error && error.reason === AppsError.NOT_FOUND) return next(new HttpError(401, 'Unkown app'));
+        if (error && error.reason === UserError.WRONG_PASSWORD) return next(new HttpError(401, 'Forbidden'));
+        if (error && error.reason === AppsError.ACCESS_DENIED) return next(new HttpError(401, 'Forbidden'));
+        if (error) return next(new HttpError(500, error));
+
+        var tmp = {
+            accessToken: result.accessToken,
+            user: {
+                id: result.user.id,
+                username: result.user.username,
+                email: result.user.email,
+                admin: !!result.user.admin
+            }
+        };
+
+        next(new HttpSuccess(200, tmp));
+    });
+}
+
+function logout(req, res, next) {
+    assert.strictEqual(typeof req.query, 'object');
+
+    if (typeof req.query.access_token !== 'string') return next(new HttpError(400, 'access_token in query required'));
+
+    logoutLogic(req.query.access_token, function (error) {
+        if (error && error.reason === DatabaseError.NOT_FOUND) return next(new HttpError(401, 'Forbidden'));
+        if (error) return next(new HttpError(500, error));
+
+        next(new HttpSuccess(200, {}));
+    });
+}
+
+function initializeExpressSync() {
+    var app = express();
+    var httpServer = http.createServer(app);
+
+    httpServer.on('error', console.error);
+
+    var json = middleware.json({ strict: true, limit: '100kb' });
+    var router = new express.Router();
+
+    // basic auth
+    router.post('/api/v1/login', login);
+    router.get ('/api/v1/logout', logout);
+
+    if (process.env.BOX_ENV !== 'test') app.use(middleware.morgan('SimpleAuth :method :url :status :response-time ms - :res[content-length]', { immediate: false }));
+
+    app
+        .use(middleware.timeout(10000))
+        .use(json)
+        .use(router)
+        .use(middleware.lastMile());
+
+    return httpServer;
+}
+
+function start(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    gHttpServer = initializeExpressSync();
+    gHttpServer.listen(config.get('simpleAuthPort'), '0.0.0.0', callback);
+}
+
+function stop(callback) {
+    assert.strictEqual(typeof callback, 'function');
+
+    gHttpServer.close(callback);
+}
@@ -36,14 +36,15 @@ describe('Apps', function () {
        containerId: null,
        portBindings: { PORT: 5678 },
        healthy: null,
-        accessRestriction: ''
+        accessRestriction: null,
+        oauthProxy: false
    };

    before(function (done) {
        async.series([
            database.initialize,
            database._clear,
-            appdb.add.bind(null, APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.portBindings, APP_0.accessRestriction)
+            appdb.add.bind(null, APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.portBindings, APP_0.accessRestriction, APP_0.oauthProxy)
        ], done);
    });

@@ -157,5 +158,48 @@ describe('Apps', function () {
            });
        });
    });
-});

+    describe('validateAccessRestriction', function () {
+        it('allows null input', function () {
+            expect(apps._validateAccessRestriction(null)).to.eql(null);
+        });
+
+        it('does not allow wrong user type', function () {
+            expect(apps._validateAccessRestriction({ users: {} })).to.be.an(Error);
+        });
+
+        it('does not allow no user input', function () {
+            expect(apps._validateAccessRestriction({ users: [] })).to.be.an(Error);
+        });
+
+        it('allows single user input', function () {
+            expect(apps._validateAccessRestriction({ users: [ 'someuserid' ] })).to.eql(null);
+        });
+
+        it('allows multi user input', function () {
+            expect(apps._validateAccessRestriction({ users: [ 'someuserid', 'someuserid1', 'someuserid2', 'someuserid3' ] })).to.eql(null);
+        });
+    });
+
+    describe('hasAccessTo', function () {
+        it('returns true for unrestricted access', function () {
+            expect(apps.hasAccessTo({ accessRestriction: null }, { id: 'someuser' })).to.equal(true);
+        });
+
+        it('returns true for allowed user', function () {
+            expect(apps.hasAccessTo({ accessRestriction: { users: [ 'someuser' ] } }, { id: 'someuser' })).to.equal(true);
+        });
+
+        it('returns true for allowed user with multiple allowed', function () {
+            expect(apps.hasAccessTo({ accessRestriction: { users: [ 'foo', 'someuser', 'anotheruser' ] } }, { id: 'someuser' })).to.equal(true);
+        });
+
+        it('returns false for not allowed user', function () {
+            expect(apps.hasAccessTo({ accessRestriction: { users: [ 'foo' ] } }, { id: 'someuser' })).to.equal(false);
+        });
+
+        it('returns false for not allowed user with multiple allowed', function () {
+            expect(apps.hasAccessTo({ accessRestriction: { users: [ 'foo', 'anotheruser' ] } }, { id: 'someuser' })).to.equal(false);
+        });
+    });
+});
@@ -29,7 +29,7 @@ var MANIFEST = {
  "contactEmail": "support@cloudron.io",
  "version": "0.1.0",
  "manifestVersion": 1,
-  "dockerImage": "cloudron/test:2.0.0",
+  "dockerImage": "cloudron/test:8.0.0",
  "healthCheckPath": "/",
  "httpPort": 7777,
  "tcpPorts": {
@@ -57,7 +57,8 @@ var APP = {
    containerId: null,
    httpPort: 4567,
    portBindings: null,
-    accessRestriction: '',
+    accessRestriction: null,
+    oauthProxy: false,
    dnsRecordId: 'someDnsRecordId'
 };

@@ -81,7 +82,7 @@ describe('apptask', function () {
        config.set('version', '0.5.0');
        database.initialize(function (error) {
            expect(error).to.be(null);
-            appdb.add(APP.id, APP.appStoreId, APP.manifest, APP.location, APP.portBindings, APP.accessRestriction, done);
+            appdb.add(APP.id, APP.appStoreId, APP.manifest, APP.location, APP.portBindings, APP.accessRestriction, APP.oauthProxy, done);
        });
    });

@@ -34,8 +34,8 @@ for script in "${scripts[@]}"; do
    fi
 done

-if ! docker inspect cloudron/test:2.0.1 >/dev/null 2>/dev/null; then
-    echo "docker pull cloudron/test:2.0.1 for tests to run"
+if ! docker inspect cloudron/test:8.0.0 >/dev/null 2>/dev/null; then
+    echo "docker pull cloudron/test:8.0.0 for tests to run"
    exit 1
 fi

@@ -478,7 +478,8 @@ describe('database', function () {
            containerId: null,
            portBindings: { port: 5678 },
            health: null,
-            accessRestriction: '',
+            accessRestriction: null,
+            oauthProxy: false,
            lastBackupId: null,
            lastBackupConfig: null,
            oldConfig: null
@@ -496,7 +497,8 @@ describe('database', function () {
            containerId: null,
            portBindings: { },
            health: null,
-            accessRestriction: 'roleAdmin',
+            accessRestriction: { users: [ 'foobar' ] },
+            oauthProxy: true,
            lastBackupId: null,
            lastBackupConfig: null,
            oldConfig: null
@@ -516,7 +518,7 @@ describe('database', function () {
        });

        it('add succeeds', function (done) {
-            appdb.add(APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.portBindings, APP_0.accessRestriction, function (error) {
+            appdb.add(APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, APP_0.portBindings, APP_0.accessRestriction, APP_0.oauthProxy, function (error) {
                expect(error).to.be(null);
                done();
            });
@@ -540,7 +542,7 @@ describe('database', function () {
        });

        it('add of same app fails', function (done) {
-            appdb.add(APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, [ ], APP_0.accessRestriction, function (error) {
+            appdb.add(APP_0.id, APP_0.appStoreId, APP_0.manifest, APP_0.location, [ ], APP_0.accessRestriction, APP_0.oauthProxy, function (error) {
                expect(error).to.be.a(DatabaseError);
                expect(error.reason).to.be(DatabaseError.ALREADY_EXISTS);
                done();
@@ -569,10 +571,20 @@ describe('database', function () {
            APP_0.installationState = 'some-other-status';
            APP_0.location = 'some-other-location';
            APP_0.manifest.version = '0.2';
-            APP_0.accessRestriction = true;
+            APP_0.accessRestriction = '';
+            APP_0.oauthProxy = true;
            APP_0.httpPort = 1337;

-            appdb.update(APP_0.id, { installationState: APP_0.installationState, location: APP_0.location, manifest: APP_0.manifest, accessRestriction: APP_0.accessRestriction, httpPort: APP_0.httpPort }, function (error) {
+            var data = {
+                installationState: APP_0.installationState,
+                location: APP_0.location,
+                manifest: APP_0.manifest,
+                accessRestriction: APP_0.accessRestriction,
+                oauthProxy: APP_0.oauthProxy,
+                httpPort: APP_0.httpPort
+            };
+
+            appdb.update(APP_0.id, data, function (error) {
                expect(error).to.be(null);

                appdb.get(APP_0.id, function (error, result) {
@@ -602,7 +614,7 @@ describe('database', function () {
        });

        it('add second app succeeds', function (done) {
-            appdb.add(APP_1.id, APP_1.appStoreId, APP_1.manifest, APP_1.location, [ ], APP_1.accessRestriction, function (error) {
+            appdb.add(APP_1.id, APP_1.appStoreId, APP_1.manifest, APP_1.location, [ ], APP_1.accessRestriction, APP_0.oauthProxy, function (error) {
                expect(error).to.be(null);
                done();
            });
@@ -778,6 +790,7 @@ describe('database', function () {
        var CLIENT_0 = {
            id: 'cid-0',
            appId: 'someappid_0',
+            type: clientdb.TYPE_OAUTH,
            clientSecret: 'secret-0',
            redirectURI: 'http://foo.bar',
            scope: '*'
@@ -786,23 +799,17 @@ describe('database', function () {
        var CLIENT_1 = {
            id: 'cid-1',
            appId: 'someappid_1',
+            type: clientdb.TYPE_OAUTH,
            clientSecret: 'secret-',
            redirectURI: 'http://foo.bar',
            scope: '*'
        };
-        var CLIENT_2 = {
-            id: 'cid-2',
-            appId: 'someappid_2',
-            clientSecret: 'secret-2',
-            redirectURI: 'http://foo.bar.baz',
-            scope: 'profile,roleUser'
-        };

        it('add succeeds', function (done) {
-            clientdb.add(CLIENT_0.id, CLIENT_0.appId, CLIENT_0.clientSecret, CLIENT_0.redirectURI, CLIENT_0.scope, function (error) {
+            clientdb.add(CLIENT_0.id, CLIENT_0.appId, CLIENT_0.type, CLIENT_0.clientSecret, CLIENT_0.redirectURI, CLIENT_0.scope, function (error) {
                expect(error).to.be(null);

-                clientdb.add(CLIENT_1.id, CLIENT_1.appId, CLIENT_1.clientSecret, CLIENT_1.redirectURI, CLIENT_1.scope, function (error) {
+                clientdb.add(CLIENT_1.id, CLIENT_1.appId, CLIENT_0.type, CLIENT_1.clientSecret, CLIENT_1.redirectURI, CLIENT_1.scope, function (error) {
                    expect(error).to.be(null);
                    done();
                });
@@ -810,7 +817,7 @@ describe('database', function () {
        });

        it('add same client id fails', function (done) {
-            clientdb.add(CLIENT_0.id, CLIENT_0.appId, CLIENT_0.clientSecret, CLIENT_0.redirectURI, CLIENT_0.scope, function (error) {
+            clientdb.add(CLIENT_0.id, CLIENT_0.appId, CLIENT_0.type, CLIENT_0.clientSecret, CLIENT_0.redirectURI, CLIENT_0.scope, function (error) {
                expect(error).to.be.a(DatabaseError);
                expect(error.reason).to.equal(DatabaseError.ALREADY_EXISTS);
                done();
@@ -833,6 +840,14 @@ describe('database', function () {
            });
        });

+        it('getByAppIdAndType succeeds', function (done) {
+            clientdb.getByAppIdAndType(CLIENT_0.appId, CLIENT_0.type, function (error, result) {
+                expect(error).to.be(null);
+                expect(result).to.eql(CLIENT_0);
+                done();
+            });
+        });
+
        it('getByAppId fails for unknown client id', function (done) {
            clientdb.getByAppId(CLIENT_0.appId + CLIENT_0.appId, function (error, result) {
                expect(error).to.be.a(DatabaseError);
@@ -853,24 +868,14 @@ describe('database', function () {
            });
        });

-        it('update client fails due to unknown client id', function (done) {
-            clientdb.update(CLIENT_2.id, CLIENT_2.appId, CLIENT_2.clientSecret, CLIENT_2.redirectURI, CLIENT_2.scope, function (error) {
-                expect(error).to.be.a(DatabaseError);
-                expect(error.reason).to.equal(DatabaseError.NOT_FOUND);
-                done();
-            });
-        });
-
-        it('update client succeeds', function (done) {
-            clientdb.update(CLIENT_1.id, CLIENT_2.appId, CLIENT_2.clientSecret, CLIENT_2.redirectURI, CLIENT_2.scope, function (error) {
+        it('delByAppIdAndType succeeds', function (done) {
+            clientdb.delByAppIdAndType(CLIENT_1.appId, CLIENT_1.type, function (error) {
                expect(error).to.be(null);

-                clientdb.get(CLIENT_1.id, function (error, result) {
-                    expect(error).to.be(null);
-                    expect(result.appId).to.eql(CLIENT_2.appId);
-                    expect(result.clientSecret).to.eql(CLIENT_2.clientSecret);
-                    expect(result.redirectURI).to.eql(CLIENT_2.redirectURI);
-                    expect(result.scope).to.eql(CLIENT_2.scope);
+                clientdb.getByAppIdAndType(CLIENT_1.appId, CLIENT_1.type, function (error, result) {
+                    expect(error).to.be.a(DatabaseError);
+                    expect(error.reason).to.equal(DatabaseError.NOT_FOUND);
+                    expect(result).to.not.be.ok();
                    done();
                });
            });
@@ -0,0 +1,99 @@
+/* jslint node:true */
+/* global it:false */
+/* global describe:false */
+/* global before:false */
+/* global after:false */
+
+'use strict';
+
+var async = require('async'),
+    authcodedb = require('../authcodedb.js'),
+    database = require('../database'),
+    DatabaseError = require('../databaseerror.js'),
+    expect = require('expect.js'),
+    janitor = require('../janitor.js'),
+    tokendb = require('../tokendb.js');
+
+describe('janitor', function () {
+    var AUTHCODE_0 = {
+        authCode: 'authcode-0',
+        clientId: 'clientid-0',
+        userId: 'userid-0',
+        expiresAt: Date.now() + 5000
+    };
+    var AUTHCODE_1 = {
+        authCode: 'authcode-1',
+        clientId: 'clientid-1',
+        userId: 'userid-1',
+        expiresAt: Date.now() - 5000
+    };
+
+    var TOKEN_0 = {
+        accessToken: tokendb.generateToken(),
+        identifier: tokendb.PREFIX_USER + '0',
+        clientId: 'clientid-0',
+        expires: Date.now() + 60 * 60000,
+        scope: '*'
+    };
+    var TOKEN_1 = {
+        accessToken: tokendb.generateToken(),
+        identifier: tokendb.PREFIX_USER + '1',
+        clientId: 'clientid-1',
+        expires: Date.now() - 1000,
+        scope: '*',
+    };
+
+    before(function (done) {
+        async.series([
+            database.initialize,
+            database._clear,
+            authcodedb.add.bind(null, AUTHCODE_0.authCode, AUTHCODE_0.clientId, AUTHCODE_0.userId, AUTHCODE_0.expiresAt),
+            authcodedb.add.bind(null, AUTHCODE_1.authCode, AUTHCODE_1.clientId, AUTHCODE_1.userId, AUTHCODE_1.expiresAt),
+            tokendb.add.bind(null, TOKEN_0.accessToken, TOKEN_0.identifier, TOKEN_0.clientId, TOKEN_0.expires, TOKEN_0.scope),
+            tokendb.add.bind(null, TOKEN_1.accessToken, TOKEN_1.identifier, TOKEN_1.clientId, TOKEN_1.expires, TOKEN_1.scope)
+        ], done);
+    });
+
+    after(function (done) {
+        database._clear(done);
+    });
+
+    it('can cleanupTokens', function (done) {
+        janitor.cleanupTokens(done);
+    });
+
+    it('did not remove the non-expired authcode', function (done) {
+        authcodedb.get(AUTHCODE_0.authCode, function (error, result) {
+            expect(error).to.be(null);
+            expect(result).to.be.eql(AUTHCODE_0);
+            done();
+        });
+    });
+
+    it('did remove expired authcode', function (done) {
+        authcodedb.get(AUTHCODE_1.authCode, function (error, result) {
+            expect(error).to.be.a(DatabaseError);
+            expect(error.reason).to.be(DatabaseError.NOT_FOUND);
+            expect(result).to.not.be.ok();
+            done();
+        });
+    });
+
+    it('did not remove the non-expired token', function (done) {
+        tokendb.get(TOKEN_0.accessToken, function (error, result) {
+            expect(error).to.be(null);
+            expect(result).to.be.eql(TOKEN_0);
+            done();
+        });
+    });
+
+    it('did remove the non-expired token', function (done) {
+        tokendb.get(TOKEN_1.accessToken, function (error, result) {
+            expect(error).to.be.a(DatabaseError);
+            expect(error.reason).to.be(DatabaseError.NOT_FOUND);
+            expect(result).to.not.be.ok();
+            done();
+        });
+    });
+});
+
@@ -13,8 +13,8 @@ mkdir -p $HOME/.cloudron_test
 cd $HOME/.cloudron_test
 mkdir -p data/appdata data/box/appicons data/mail data/nginx/cert data/nginx/applications data/collectd/collectd.conf.d data/addons configs

-webadmin_scopes="root,profile,users,apps,settings,roleAdmin"
+webadmin_scopes="root,profile,users,apps,settings"
 webadmin_origin="https://${ADMIN_LOCATION}-localhost"
 mysql --user=root --password="" \
-    -e "REPLACE INTO clients (id, appId, clientSecret, redirectURI, scope) VALUES (\"cid-webadmin\", \"webadmin\", \"secret-webadmin\", \"${webadmin_origin}\", \"${webadmin_scopes}\")" boxtest
+    -e "REPLACE INTO clients (id, appId, type, clientSecret, redirectURI, scope) VALUES (\"cid-webadmin\", \"webadmin\", \"admin\", \"secret-webadmin\", \"${webadmin_origin}\", \"${webadmin_scopes}\")" boxtest

@@ -81,6 +81,9 @@ function getAppUpdates(callback) {
 function getBoxUpdates(callback) {
    var currentVersion = config.version();

+    // do not crash if boxVersionsUrl is not set
+    if (!config.get('boxVersionsUrl')) return callback(null, null);
+
    superagent
        .get(config.get('boxVersionsUrl'))
        .timeout(10 * 1000)
@@ -340,7 +340,7 @@ function setPassword(userId, newPassword, callback) {
                if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));

                // Also generate a token so the new user can get logged in immediately
-                clientdb.getByAppId('webadmin', function (error, result) {
+                clientdb.getByAppIdAndType('webadmin', clientdb.TYPE_ADMIN, function (error, result) {
                    if (error) return callback(new UserError(UserError.INTERNAL_ERROR, error));

                    var token = tokendb.generateToken();
@@ -1,40 +0,0 @@
-'use strict';
-
-// we can possibly remove this entire file and make our tests
-// smarter to just use the host interface provided by boot2docker
-// https://github.com/boot2docker/boot2docker#container-port-redirection
-// https://github.com/boot2docker/boot2docker/pull/93
-// https://github.com/docker/docker/issues/4007
-
-exports = module.exports = {
-    forwardFromHostToVirtualBox: forwardFromHostToVirtualBox,
-    unforwardFromHostToVirtualBox: unforwardFromHostToVirtualBox
-};
-
-var assert = require('assert'),
-    child_process = require('child_process'),
-    debug = require('debug')('box:vbox'),
-    os = require('os');
-
-
-function forwardFromHostToVirtualBox(rulename, port) {
-    assert.strictEqual(typeof rulename, 'string');
-    assert.strictEqual(typeof port, 'number');
-
-    if (os.platform() === 'darwin') {
-        debug('Setting up VirtualBox port forwarding for '+ rulename + ' at ' + port);
-        child_process.exec(
-            'VBoxManage controlvm boot2docker-vm natpf1 delete ' + rulename + ';' +
-            'VBoxManage controlvm boot2docker-vm natpf1 ' + rulename + ',tcp,127.0.0.1,' + port + ',,' + port);
-    }
-}
-
-function unforwardFromHostToVirtualBox(rulename) {
-    assert.strictEqual(typeof rulename, 'string');
-
-    if (os.platform() === 'darwin') {
-        debug('Removing VirtualBox port forwarding for '+ rulename);
-        child_process.exec('VBoxManage controlvm boot2docker-vm natpf1 delete ' + rulename);
-    }
-}
-
@@ -1,5 +1,5 @@
 <!DOCTYPE html>
-<html ng-app="Application" ng-controller="Controller">
+<html>
 <head>
    <meta charset="utf-8" />
    <meta name="viewport" content="user-scalable=no, initial-scale=1, maximum-scale=1, minimum-scale=1, width=device-width, height=device-height" />
@@ -13,41 +13,6 @@
    <link href="//maxcdn.bootstrapcdn.com/font-awesome/4.3.0/css/font-awesome.min.css" rel="stylesheet" type="text/css">
    <link href="//fonts.googleapis.com/css?family=Roboto:300" rel="stylesheet" type="text/css">

-    <!-- jQuery-->
-    <script src="3rdparty/js/jquery.min.js"></script>
-
-    <!-- Bootstrap Core JavaScript -->
-    <script src="3rdparty/js/bootstrap.min.js"></script>
-
-    <!-- Angularjs scripts -->
-    <script src="3rdparty/js/angular.min.js"></script>
-    <script src="3rdparty/js/angular-loader.min.js"></script>
-
-    <script>
-
-        'use strict';
-
-        // create main application module
-        var app = angular.module('Application', []);
-
-        app.controller('Controller', ['$scope', '$http', function ($scope, $http) {
-            var search = decodeURIComponent(window.location.search).slice(1).split('&').map(function (item) { return item.split('='); }).reduce(function (o, k) { o[k[0]] = k[1]; return o; }, {});
-
-            $scope.cloudronName = 'Cloudron';
-            $scope.referrer = search.referrer || null;
-
-            // try to fetch cloudron status
-            $http.get('/api/v1/cloudron/status').success(function(data, status) {
-                if (status !== 200 || typeof data !== 'object') return console.error(status, data);
-                $scope.cloudronName = data.cloudronName;
-                document.title = $scope.cloudronName + ' App Error';
-            }).error(function (data, status) {
-                console.error(status, data);
-            });
-        }]);
-
-    </script>
-
 </head>

 <body class="status-page">
@@ -55,10 +20,9 @@
 <div class="wrapper">
    <div class="content">
        <img src="/img/logo_inverted_192.png"/>
-        <h1> {{cloudronName}} </h1>

        <h3> <i class="fa fa-frown-o fa-fw text-danger"></i> Something has gone wrong </h3>
-        This app is currently not running. <a href="{{ referrer }}">Please retry later</a>.
+        This app is currently not running. <a id="appLink" href="">Please retry later</a>.

        <footer>
            <span class="text-muted"><a href="mailto: support@cloudron.io">Contact Support</a> - Copyright &copy; Cloudron 2014-15</span>
@@ -66,5 +30,17 @@
    </div>
 </div>

+<script>
+
+    (function () {
+        'use strict';
+
+        var search = decodeURIComponent(window.location.search).slice(1).split('&').map(function (item) { return item.split('='); }).reduce(function (o, k) { o[k[0]] = k[1]; return o; }, {});
+
+        document.getElementById('appLink').href = search.referrer;
+    })();
+
+</script>
+
 </body>
 </html>
@@ -31,7 +31,6 @@
        var app = angular.module('Application', []);

        app.controller('Controller', ['$scope', '$http', function ($scope, $http) {
-            $scope.cloudronName = 'Cloudron';
            $scope.webServerOriginLink = '/';
            $scope.errorMessage = '';

@@ -44,15 +43,6 @@
                else console.error(status, data);
            });

-            // try to fetch cloudron status
-            $http.get('/api/v1/cloudron/status').success(function(data, status) {
-                if (status !== 200 || typeof data !== 'object') return console.error(status, data);
-                $scope.cloudronName  = data.cloudronName;
-                document.title = $scope.cloudronName + ' Error';
-            }).error(function (data, status) {
-                console.error(status, data);
-            });
-
            var search = window.location.search.slice(1).split('&').map(function (item) { return item.split('='); }).reduce(function (o, k) { o[k[0]] = k[1]; return o; }, {});

            $scope.errorCode = search.errorCode || 0;
@@ -68,7 +58,7 @@
 <div class="wrapper">
    <div class="content">
        <img src="/api/v1/cloudron/avatar" onerror="this.src = '/img/logo_inverted_192.png'"/>
-        <h1> {{cloudronName}} </h1>
+        <h1> Cloudron </h1>

        <div ng-show="errorCode == 0">
            <h3> <i class="fa fa-frown-o fa-fw text-danger"></i> Something has gone wrong </h3>
@@ -75,9 +75,7 @@
                    </div>
                    <div ng-show="installedApps | readyToUpdate">
                        <b ng-show="config.update.box.upgrade" class="text-danger">
-                            The update is a base system upgrade.<br/>
-                            This will cause some application downtime!<br/>
-                            <br/>
+                            This update upgrades the base system and will cause some application downtime.<br/>
                        </b>
                        <p>New version: <b>{{config.update.box.version}}</b></p>
                        <p>Recent Changes:</p>
@@ -123,7 +121,7 @@
                        <span class="icon-bar"></span>
                    </button>
                    <a class="navbar-brand navbar-brand-icon" href="index.html"><img src="/api/v1/cloudron/avatar" width="40" height="40"/></a>
-                    <a class="navbar-brand" href="index.html">{{config.cloudronName || 'Cloudron'}}</a>
+                    <a class="navbar-brand" href="index.html">Cloudron</a>
                </div>
                <!-- /.navbar-header -->

@@ -75,8 +75,7 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
            isCustomDomain: false,
            developerMode: false,
            region: null,
-            size: null,
-            cloudronName: null
+            size: null
        };
        this._installedApps = [];
        this._clientId = '<%= oauth.clientId %>';
@@ -186,20 +185,6 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
        }).error(defaultErrorHandler(callback));
    };

-    Client.prototype.changeCloudronName = function (name, callback) {
-        var that = this;
-
-        var data = { name: name };
-        $http.post(client.apiOrigin + '/api/v1/settings/cloudron_name', data).success(function (data, status) {
-            if (status !== 200) return callback(new ClientError(status, data));
-
-            // will get overriden after polling for config, but ensures quick UI update
-            that._config.cloudronName = name;
-
-            callback(null);
-        }).error(defaultErrorHandler(callback));
-    };
-
    Client.prototype.changeCloudronAvatar = function (avatarFile, callback) {
        var fd = new FormData();
        fd.append('avatar', avatarFile);
@@ -215,7 +200,7 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',

    Client.prototype.installApp = function (id, manifest, title, config, callback) {
        var that = this;
-        var data = { appStoreId: id, manifest: manifest, location: config.location, portBindings: config.portBindings, accessRestriction: config.accessRestriction };
+        var data = { appStoreId: id, manifest: manifest, location: config.location, portBindings: config.portBindings, accessRestriction: config.accessRestriction, oauthProxy: config.oauthProxy };
        $http.post(client.apiOrigin + '/api/v1/apps/install', data).success(function (data, status) {
            if (status !== 202 || typeof data !== 'object') return defaultErrorHandler(callback);

@@ -249,7 +234,7 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
    };

    Client.prototype.configureApp = function (id, password, config, callback) {
-        var data = { appId: id, password: password, location: config.location, portBindings: config.portBindings, accessRestriction: config.accessRestriction };
+        var data = { appId: id, password: password, location: config.location, portBindings: config.portBindings, accessRestriction: config.accessRestriction, oauthProxy: config.oauthProxy };
        $http.post(client.apiOrigin + '/api/v1/apps/' + id + '/configure', data).success(function (data, status) {
            if (status !== 202) return callback(new ClientError(status, data));
            callback(null);
@@ -324,6 +309,13 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
        }).error(defaultErrorHandler(callback));
    };

+    Client.prototype.getUsers = function (callback) {
+        $http.get(client.apiOrigin + '/api/v1/users').success(function (data, status) {
+            if (status !== 200 || typeof data !== 'object') return callback(new ClientError(status, data));
+            callback(null, data.users);
+        }).error(defaultErrorHandler(callback));
+    };
+
    Client.prototype.getNonApprovedApps = function (callback) {
        if (!this._config.developerMode) return callback(null, []);

@@ -376,12 +368,11 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
        }).error(defaultErrorHandler(callback));
    };

-    Client.prototype.createAdmin = function (username, password, email, name, setupToken, callback) {
+    Client.prototype.createAdmin = function (username, password, email, setupToken, callback) {
        var payload = {
            username: username,
            password: password,
-            email: email,
-            name: name
+            email: email
        };

        var that = this;
@@ -610,7 +601,7 @@ angular.module('Application').service('Client', ['$http', 'md5', 'Notification',
        this._userInfo = {};

        var callbackURL = window.location.protocol + '//' + window.location.host + '/login_callback.html';
-        var scope = 'root,profile,apps,roleAdmin';
+        var scope = 'root,profile,apps';

        // generate a state id to protect agains csrf
        var state = Math.floor((1 + Math.random()) * 0x1000000000000).toString(16).substring(1);
@@ -143,16 +143,6 @@ app.filter('applicationLink', function() {
    };
 });

-app.filter('accessRestrictionLabel', function() {
-    return function (input) {
-        if (input === '') return 'public';
-        if (input === 'roleUser') return 'private';
-        if (input === 'roleAdmin') return 'private (Admins only)';
-
-        return input;
-    };
-});
-
 app.filter('prettyHref', function () {
    return function (input) {
        if (!input) return input;
@@ -112,10 +112,6 @@ angular.module('Application').controller('MainController', ['$scope', '$route',
        if (config.progress.update && config.progress.update.percent !== -1) {
            window.location.href = '/update.html';
        }
-
-        if (config.cloudronName) {
-            document.title = config.cloudronName;
-        }
    });

    // setup all the dialog focus handling
@@ -40,7 +40,6 @@ app.service('Wizard', [ function () {
        this.username = '';
        this.email = '';
        this.password = '';
-        this.name = '';
        this.availableAvatars = [{
            file: null,
            data: null,
@@ -198,7 +197,7 @@ app.controller('StepController', ['$scope', '$route', '$location', 'Wizard', fun
 app.controller('FinishController', ['$scope', '$location', '$timeout', 'Wizard', 'Client', function ($scope, $location, $timeout, Wizard, Client) {
    $scope.wizard = Wizard;

-    Client.createAdmin($scope.wizard.username, $scope.wizard.password, $scope.wizard.email, $scope.wizard.name, $scope.setupToken, function (error) {
+    Client.createAdmin($scope.wizard.username, $scope.wizard.password, $scope.wizard.email, $scope.setupToken, function (error) {
        if (error) {
            console.error('Internal error', error);
            window.location.href = '/error.html';
@@ -38,18 +38,9 @@
            else return 'https://my' + tmp.slice(tmp.indexOf('-')) + host.slice(tmp.length);
        }

-        app.controller('Controller', ['$scope', '$http', function ($scope, $http) {
+        app.controller('Controller', ['$scope', function ($scope) {
            $scope.apiOrigin = detectApiOrigin();
            $scope.cloudronAvatar = $scope.apiOrigin + '/api/v1/cloudron/avatar';
-            $scope.cloudronName = 'Cloudron';
-
-            $http.get($scope.apiOrigin + '/api/v1/cloudron/status').success(function(data, status) {
-                if (status !== 200 || typeof data !== 'object') return console.error(status, data);
-                $scope.cloudronName  = data.cloudronName;
-                document.title = $scope.cloudronName;
-            }).error(function (data, status) {
-                console.error(status, data);
-            });
        }]);

    </script>
@@ -60,7 +51,7 @@
 <div class="wrapper">
    <div class="content">
        <img ng-src="{{ cloudronAvatar || '/img/logo_inverted_192.png' }}" onerror="this.src = '/img/logo_inverted_192.png'"/>
-        <h1> {{cloudronName}} </h1>
+        <h1> Cloudron </h1>
        <p>
            There is no app configured for this domain. If you want to put an app at this location,<br/>
            please reconfigure the app in the <a ng-href="{{apiOrigin}}">settings panel</a> and leave the location empty.
@@ -152,7 +152,7 @@
                                <h4 class="text-muted">Credentials</h4>
                                <p>Permissions: <b>{{ client.scope }}</b></p>
                                <p>Client ID: <b>{{ client.id }}</b></p>
-                                <p>Client Secret: <b>{{ client.clientSecret }}</b></p>
+                                <p ng-show="client.clientSecret">Client Secret: <b>{{ client.clientSecret }}</b></p>
                            </div>
                        </div>
                    </div>
@@ -36,12 +36,17 @@
                                </div>
                            </ng-form>
                        </div>
+                        <div class="form-group" ng-show="appConfigure.app.manifest.singleUser">
+                            <label class="control-label">User</label>
+                            <p>This is a single user application. Access is granted to <b>{{appConfigure.app.accessRestriction.users[0]}}</b>.</p>
+                        </div>
                        <div class="form-group">
-                            <label class="control-label" for="accessRestriction">Website Visibility</label>
-                            <select class="form-control" id="accessRestriction" ng-model="appConfigure.accessRestriction">
-                                <option value="">Visible to all</option>
-                                <option value="roleUser">Visible only to Cloudron users</option>
-                            </select>
+                            <label class="control-label" for="oauthProxy">Website Visibility</label>
+                            <div class="checkbox">
+                                <label>
+                                    <input type="checkbox" id="oauthProxy" ng-model="appConfigure.oauthProxy"> Cloudron users only
+                                </label>
+                            </div>
                        </div>
                        <a ng-show="!!appConfigure.app.manifest.configurePath" ng-href="https://{{ appConfigure.app.location }}{{ !appConfigure.app.location ? '' : (config.isCustomDomain ? '.' : '-') }}{{ config.fqdn }}/{{ appConfigure.app.manifest.configurePath }}" target="_blank">Application Specific Settings</a>
                        <br/>
@@ -205,8 +210,7 @@
                                <div class="text-muted" style="text-overflow: ellipsis; white-space: nowrap; overflow: hidden">
                                    {{ app | installationStateLabel }}
                                </div>
-                                <br ng-hide="app | installationActive"/>
-                                <div ng-show="app | installationActive">
+                                <div ng-style="{ 'visibility': (app | installationActive) ? 'visible' : 'hidden' }">
                                    <div class="progress progress-striped active">
                                        <div class="progress-bar progress-bar-success" role="progressbar" style="width: {{ app.progress }}%"></div>
                                    </div>
@@ -217,7 +221,7 @@
                    <div class="grid-item-bottom-mobile" ng-show="user.admin">
                        <div class="row">
                            <div class="col-xs-4 text-left">
-                                <a href="" ng-click="showRestore(app)" ng-show="(app | installError) === true">
+                                <a href="" ng-click="showRestore(app)" ng-show="app.lastBackupId != null || (app | installError) === true">
                                    <i class="fa fa-undo scale"></i>
                                </a>

@@ -246,7 +250,7 @@
                            <a href="" ng-click="showUninstall(app)" title="Uninstall App"><i class="fa fa-remove scale"></i></a>
                        </div>

-                        <div ng-show="(app | installError) === true">
+                        <div ng-show="app.lastBackupId !== null || (app | installError) === true">
                            <a href="" ng-click="showRestore(app)" title="Restore App"><i class="fa fa-undo scale"></i></a>
                        </div>

@@ -19,7 +19,7 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
        portBindings: {},
        portBindingsEnabled: {},
        portBindingsInfo: {},
-        accessRestriction: ''
+        oauthProxy: false
    };

    $scope.appUninstall = {
@@ -52,7 +52,7 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
        $scope.appConfigure.location = '';
        $scope.appConfigure.password = '';
        $scope.appConfigure.portBindings = {};
-        $scope.appConfigure.accessRestriction = '';
+        $scope.appConfigure.oauthProxy = false;

        $scope.appConfigureForm.$setPristine();
        $scope.appConfigureForm.$setUntouched();
@@ -89,7 +89,7 @@ angular.module('Application').controller('AppsController', ['$scope', '$location

        $scope.appConfigure.app = app;
        $scope.appConfigure.location = app.location;
-        $scope.appConfigure.accessRestriction = app.accessRestriction;
+        $scope.appConfigure.oauthProxy = app.oauthProxy;
        $scope.appConfigure.portBindingsInfo = app.manifest.tcpPorts || {}; // Portbinding map only for information
        $scope.appConfigure.portBindings = {};                              // This is the actual model holding the env:port pair
        $scope.appConfigure.portBindingsEnabled = {};                       // This is the actual model holding the enabled/disabled flag
@@ -122,7 +122,14 @@ angular.module('Application').controller('AppsController', ['$scope', '$location
            }
        }

-        Client.configureApp($scope.appConfigure.app.id, $scope.appConfigure.password, { location: $scope.appConfigure.location || '', portBindings: finalPortBindings, accessRestriction: $scope.appConfigure.accessRestriction }, function (error) {
+        var data = {
+            location: $scope.appConfigure.location || '',
+            portBindings: finalPortBindings,
+            oauthProxy: $scope.appConfigure.oauthProxy,
+            accessRestriction: $scope.appConfigure.app.accessRestriction
+        };
+
+        Client.configureApp($scope.appConfigure.app.id, $scope.appConfigure.password, data, function (error) {
            if (error) {
                if (error.statusCode === 409 && (error.message.indexOf('is reserved') !== -1 || error.message.indexOf('is already in use') !== -1)) {
                    $scope.appConfigure.error.port = error.message;
@@ -33,15 +33,13 @@
                                </div>
                            </ng-form>
                        </div>
-<!--
-                        <div class="form-group">
-                            <label class="control-label" for="accessRestriction">Access Restriction</label>
-                            <select class="form-control" id="accessRestriction" ng-model="appInstall.accessRestriction">
-                                <option value="">None</option>
-                                <option value="roleUser">Only for Cloudron Users</option>
+                        <div class="form-group" ng-show="appInstall.app.manifest.singleUser">
+                            <label class="control-label" for="accessRestriction">User</label>
+                            <p>This is a single user application.</p>
+                            <select class="form-control" id="accessRestriction" ng-model="appInstall.accessRestriction" ng-required="appInstall.app.manifest.singleUser">
+                                <option ng-repeat="user in users" value="{{user.id}}">{{user.username}} - {{user.email}}</option>
                            </select>
                        </div>
-->
                        <input class="ng-hide" type="submit" ng-disabled="appInstallForm.$invalid || busy"/>
                    </form>
                </div>
@@ -5,6 +5,7 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
    $scope.apps = [];
    $scope.config = Client.getConfig();
    $scope.user = Client.getUserInfo();
+    $scope.users = [];
    $scope.category = '';
    $scope.cachedCategory = ''; // used to cache the selected category while searching
    $scope.searchString = '';
@@ -16,7 +17,8 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
        app: {},
        location: '',
        portBindings: {},
-        accessRestriction: '',
+        accessRestriction: null,
+        oauthProxy: false,
        mediaLinks: []
    };

@@ -135,7 +137,8 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
        $scope.appInstall.error = {};
        $scope.appInstall.location = '';
        $scope.appInstall.portBindings = {};
-        $scope.appInstall.accessRestriction = '';
+        $scope.appInstall.accessRestriction = null;
+        $scope.appInstall.oauthProxy = false;
        $scope.appInstall.installFormVisible = false;
        $scope.appInstall.mediaLinks = [];
        $('#collapseInstallForm').collapse('hide');
@@ -159,12 +162,15 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
        angular.copy(app, $scope.appInstall.app);
        $('#appInstallModal').modal('show');

+        console.log(app)
+
        $scope.appInstall.mediaLinks = $scope.appInstall.app.manifest.mediaLinks || [];
        $scope.appInstall.location = app.location;
        $scope.appInstall.portBindingsInfo = $scope.appInstall.app.manifest.tcpPorts || {};   // Portbinding map only for information
        $scope.appInstall.portBindings = {};                            // This is the actual model holding the env:port pair
        $scope.appInstall.portBindingsEnabled = {};                     // This is the actual model holding the enabled/disabled flag
-        $scope.appInstall.accessRestriction = app.accessRestriction || '';
+        $scope.appInstall.accessRestriction = app.accessRestriction ? app.accessRestriction.users[0] : null;
+        $scope.appInstall.oauthProxy = false;

        // set default ports
        for (var env in $scope.appInstall.app.manifest.tcpPorts) {
@@ -194,7 +200,12 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
            }
        }

-        Client.installApp($scope.appInstall.app.id, $scope.appInstall.app.manifest, $scope.appInstall.app.title, { location: $scope.appInstall.location || '', portBindings: finalPortBindings, accessRestriction: $scope.appInstall.accessRestriction }, function (error) {
+        // translate to accessRestriction object
+        var accessRestriction = $scope.appInstall.app.manifest.singleUser ? {
+            users: [ $scope.appInstall.accessRestriction ]
+        } : null;
+
+        Client.installApp($scope.appInstall.app.id, $scope.appInstall.app.manifest, $scope.appInstall.app.title, { location: $scope.appInstall.location || '', portBindings: finalPortBindings, accessRestriction: accessRestriction, oauthProxy: $scope.appInstall.oauthProxy }, function (error) {
            if (error) {
                if (error.statusCode === 409 && (error.message.indexOf('is reserved') !== -1 || error.message.indexOf('is already in use') !== -1)) {
                    $scope.appInstall.error.port = error.message;
@@ -227,40 +238,49 @@ angular.module('Application').controller('AppStoreController', ['$scope', '$loca
    function refresh() {
        $scope.ready = false;

-        getAppList(function (error, apps) {
+        Client.getUsers(function (error, users) {
            if (error) {
                console.error(error);
                return $timeout(refresh, 1000);
            }

-            $scope.apps = apps;
+            $scope.users = users;

-            // show install app dialog immediately if an app id was passed in the query
-            if ($routeParams.appId) {
-                if ($routeParams.version) {
-                    AppStore.getAppByIdAndVersion($routeParams.appId, $routeParams.version, function (error, result) {
-                        if (error) {
-                            $scope.showAppNotFound($routeParams.appId, $routeParams.version);
-                            console.error(error);
-                            return;
-                        }
+            getAppList(function (error, apps) {
+                if (error) {
+                    console.error(error);
+                    return $timeout(refresh, 1000);
+                }

-                        $scope.showInstall(result);
-                    });
-                } else {
-                    var found = apps.filter(function (app) {
-                        return (app.id === $routeParams.appId) && ($routeParams.version ? $routeParams.version === app.manifest.version : true);
-                    });
+                $scope.apps = apps;

-                    if (found.length) {
-                        $scope.showInstall(found[0]);
+                // show install app dialog immediately if an app id was passed in the query
+                if ($routeParams.appId) {
+                    if ($routeParams.version) {
+                        AppStore.getAppByIdAndVersion($routeParams.appId, $routeParams.version, function (error, result) {
+                            if (error) {
+                                $scope.showAppNotFound($routeParams.appId, $routeParams.version);
+                                console.error(error);
+                                return;
+                            }
+
+                            $scope.showInstall(result);
+                        });
                    } else {
-                        $scope.showAppNotFound($routeParams.appId, null);
+                        var found = apps.filter(function (app) {
+                            return (app.id === $routeParams.appId) && ($routeParams.version ? $routeParams.version === app.manifest.version : true);
+                        });
+
+                        if (found.length) {
+                            $scope.showInstall(found[0]);
+                        } else {
+                            $scope.showAppNotFound($routeParams.appId, null);
+                        }
                    }
                }
-            }

-            $scope.ready = true;
+                $scope.ready = true;
+            });
        });
    }

@@ -32,36 +32,6 @@
    </div>
 </div>

-<!-- Modal change name -->
-<div class="modal fade" id="nameChangeModal" tabindex="-1" role="dialog">
-    <div class="modal-dialog">
-        <div class="modal-content">
-            <div class="modal-header">
-                <h4 class="modal-title">Change the Cloudron Name</h4>
-            </div>
-            <div class="modal-body">
-                <form name="nameChangeForm" class="form-signin" role="form" novalidate ng-submit="doChangeName()" autocomplete="off">
-                    <fieldset>
-                        <div class="form-group" ng-class="{ 'has-error': (nameChangeForm.name.$dirty && nameChangeForm.name.$invalid) }">
-                            <label class="control-label" for="inputNameChangeName">New Cloudron Name</label>
-                            <div class="control-label" ng-show="(!nameChangeForm.name.$dirty && nameChange.error.name) || (nameChangeForm.name.$dirty && nameChangeForm.name.$invalid)">
-                                <small ng-show="nameChangeForm.name.$error.required">A valid name is required</small>
-                                <small ng-show="(nameChangeForm.name.$dirty && nameChangeForm.name.$invalid) && !nameChangeForm.name.$error.required">The name is not valid</small>
-                            </div>
-                            <input type="text" class="form-control" ng-model="nameChange.name" id="inputNameChangeName" name="name" ng-maxlength="512" ng-minlength="1" required autofocus>
-                        </div>
-                        <input class="ng-hide" type="submit" ng-disabled="nameChangeForm.$invalid"/>
-                    </fieldset>
-                </form>
-            </div>
-            <div class="modal-footer">
-                <button type="button" class="btn btn-default" data-dismiss="modal">Cancel</button>
-                <button type="button" class="btn btn-success" ng-click="doChangeName()" ng-disabled="nameChangeForm.$invalid || nameChange.busy"><i class="fa fa-spinner fa-pulse" ng-show="nameChange.busy"></i> Change</button>
-            </div>
-        </div>
-    </div>
-</div>
-
 <!-- Modal change avatar -->
 <div class="modal fade" id="avatarChangeModal" tabindex="-1" role="dialog">
    <div class="modal-dialog">
@@ -160,10 +130,6 @@
        </div>
        <div class="col-xs-8">
            <table width="100%">
-                <tr>
-                    <td class="text-muted" style="vertical-align: top;">Name</td>
-                    <td class="text-right" style="vertical-align: top; white-space: nowrap;">{{ config.cloudronName }} <a href="" ng-click="showChangeName()"><i class="fa fa-pencil text-small"></i></a></td>
-                </tr>
                <tr>
                    <td class="text-muted" style="vertical-align: top;">Model</td>
                    <td class="text-right" style="vertical-align: top; white-space: nowrap;">{{ config.size }} - {{ config.region }}</td>
@@ -24,12 +24,6 @@ angular.module('Application').controller('SettingsController', ['$scope', '$loca
        percent: 100
    };

-    $scope.nameChange = {
-        busy: false,
-        error: {},
-        name: ''
-    };
-
    $scope.avatarChange = {
        busy: false,
        error: {},
@@ -97,14 +91,6 @@ angular.module('Application').controller('SettingsController', ['$scope', '$loca
        $('#avatarFileInput').click();
    };

-    function nameChangeReset() {
-        $scope.nameChange.error.name = null;
-        $scope.nameChange.name = '';
-
-        $scope.nameChangeForm.$setPristine();
-        $scope.nameChangeForm.$setUntouched();
-    }
-
    function avatarChangeReset() {
        $scope.avatarChange.error.avatar = null;
        $scope.avatarChange.avatar = null;
@@ -156,22 +142,6 @@ angular.module('Application').controller('SettingsController', ['$scope', '$loca
        });
    };

-    $scope.doChangeName = function () {
-        $scope.nameChange.error.name = null;
-        $scope.nameChange.busy = true;
-
-        Client.changeCloudronName($scope.nameChange.name, function (error) {
-            if (error) {
-                console.error('Unable to change name.', error);
-            } else {
-                nameChangeReset();
-                $('#nameChangeModal').modal('hide');
-            }
-
-            $scope.nameChange.busy = false;
-        });
-    };
-
    function getBlobFromImg(img, callback) {
        var size = 256;

@@ -263,11 +233,6 @@ angular.module('Application').controller('SettingsController', ['$scope', '$loca
        $('#developerModeChangeModal').modal('show');
    };

-    $scope.showChangeName = function () {
-        nameChangeReset();
-        $('#nameChangeModal').modal('show');
-    };
-
    $scope.showCreateBackup = function () {
        $('#createBackupModal').modal('show');
    };
@@ -301,7 +266,7 @@ angular.module('Application').controller('SettingsController', ['$scope', '$loca
    });

    // setup all the dialog focus handling
-    ['developerModeChangeModal', 'nameChangeModal'].forEach(function (id) {
+    ['developerModeChangeModal'].forEach(function (id) {
        $('#' + id).on('shown.bs.modal', function () {
            $(this).find("[autofocus]:first").focus();
        });
@@ -3,7 +3,7 @@
        <h1>Welcome to your Cloudron!</h1>
        <hr/>
        <h3 class="">
-                Choose a name and avatar for your Cloudron
+                Choose an avatar
        </h3>
    </div>
 </div>
@@ -19,16 +19,6 @@
 <br/>
 <br/>

-<div class="row">
-    <div class="col-md-4 col-md-offset-4 text-center">
-        <div class="form-group" ng-class="{ 'has-error': setup_form.name.$dirty && setup_form.name.$invalid }">
-            <!-- <label class="control-label" for="inputName">Name</label> -->
-            <input type="text" class="form-control" ng-model="wizard.name" id="inputName" name="name" placeholder="Name" ng-enter="next('/step2', setup_form.name.$invalid)" ng-maxlength="512" ng-minlength="1" autofocus required autocomplete="off">
-        </div>
-    </div>
-</div>
-
-
 <div class="row">
    <div class="col-md-12 settings-avatar-selector">
        <input type="file" id="avatarFileInput" style="display: none" accept="image/png"/>
@@ -48,6 +38,6 @@

 <div class="row">
    <div class="col-md-12 text-center">
-        <a class="btn btn-primary" href="#/step2" ng-disabled="setup_form.name.$invalid">Next</a>
+        <a class="btn btn-primary" href="#/step2">Next</a>
    </div>
 </div>
@@ -1,6 +1,6 @@
 <div class="row">
    <div class="col-md-12 text-center">
-        <h1>Create an Administrator for <b>{{ wizard.name }}</b></h1>
+        <h1>Create an Administrator for your Cloudron</h1>
        <h4 class="">
            This admin account is separate from your <a href="https://cloudron.io">cloudron.io</a> account.
        </h4>