swag fmt

.gitignore

@@ -1,3 +1,7 @@
 bin/
 config.yaml
 *.sqlite3
+panic.log
+testdata/
+secret/
+data/

Makefile

@@ -20,7 +20,7 @@ imports-tools:
 		go install golang.org/x/tools/cmd/goimports@latest; \
 	fi
 
-.PHONY: all build run test lint fmt imports
+.PHONY: all swag build run test lint fmt imports
 
 all: build
 
@@ -30,6 +30,12 @@ run: build
 
 BUILD_PARAMS = -trimpath -ldflags "-X git.oblat.lv/alex/triggerssmith/internal/vars.Version=$(VERSION)"
 
+build-with-swag: swag build
+
+swag:
+	@echo "-- generating swagger docs"
+	@swag init -g cmd/serve.go
+
 build:
 	@echo "-- building $(NAME)"
 	@go build $(BUILD_PARAMS) -o $(BINARY) $(ENTRY)  

api/acl_admin/common_models.go

@@ -0,0 +1,11 @@
+package api_acladmin
+
+type errorInvalidRequestBody struct {
+	Error   string `json:"error" example:"INVALID_REQUEST_BODY"`
+	Details string `json:"details" example:"Request body is not valid JSON"`
+}
+
+type errorInternalServerError struct {
+	Error   string `json:"error"`
+	Details string `json:"details"`
+}

api/acl_admin/errors.go

@@ -0,0 +1,59 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+)
+
+const (
+	ErrorInvalidRequestBody  = "INVALID_REQUEST_BODY"
+	ErrorInternalServerError = "INTERNAL_SERVER_ERROR"
+
+	// Roles
+	ErrorFailedToCreateRole = "FAILED_TO_CREATE_ROLE"
+	ErrorFailedToGetRole    = "FAILED_TO_GET_ROLE"
+	ErrorFailedToUpdateRole = "FAILED_TO_UPDATE_ROLE"
+	ErrorFailedToDeleteRole = "FAILED_TO_DELETE_ROLE"
+
+	ErrorInvalidRoleID = "INVALID_ROLE_ID"
+	ErrorRoleNotFound  = "ROLE_NOT_FOUND"
+
+	// Resources
+	ErrorFailedToCreateResource = "FAILED_TO_CREATE_RESOURCE"
+	ErrorFailedToGetResource    = "FAILED_TO_GET_RESOURCE"
+	ErrorFailedToUpdateResource = "FAILED_TO_UPDATE_RESOURCE"
+	ErrorFailedToDeleteResource = "FAILED_TO_DELETE_RESOURCE"
+
+	ErrorInvalidResourceID = "INVALID_RESOURCE_ID"
+	ErrorResourceNotFound  = "RESOURCE_NOT_FOUND"
+)
+
+const (
+	ErrorACLServiceNotInitialized = "ACL service is not initialized"
+)
+
+// RFC-7807 (Problem Details)
+type ProblemDetails struct {
+	Type     string `json:"type" example:"https://api.triggerssmith.com/errors/role-not-found"`
+	Title    string `json:"title" example:"Role not found"`
+	Status   int    `json:"status" example:"404"`
+	Detail   string `json:"detail" example:"No role with ID 42"`
+	Instance string `json:"instance" example:"/api/acl/roles/42"`
+}
+
+var typeDomain = "https://api.triggerssmith.com"
+
+func writeProblem(w http.ResponseWriter, status int, typ, title, detail string, r *http.Request) {
+	w.Header().Set("Content-Type", "application/problem+json")
+	w.WriteHeader(status)
+	prob := ProblemDetails{
+		Type:     typeDomain + typ,
+		Title:    title,
+		Status:   status,
+		Detail:   detail,
+		Instance: r.URL.Path,
+	}
+	slog.Warn("new problem", "type", typ, "title", title, "detail", detail, "instance", r.URL.Path, "status", status)
+	_ = json.NewEncoder(w).Encode(prob)
+}

api/acl_admin/handle.go

@@ -0,0 +1,259 @@
+package api_acladmin
+
+import (
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+
+	//"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/go-chi/chi/v5"
+)
+
+type aclAdminHandler struct {
+	cfg  *config.Config
+	a    *acl.Service
+	auth *auth.Service
+}
+
+func MustRoute(config *config.Config, aclService *acl.Service, authService *auth.Service) func(chi.Router) {
+	if config == nil {
+		panic("config is nil")
+	}
+	if aclService == nil {
+		panic("aclService is nil")
+	}
+	if authService == nil {
+		panic("authService is nil")
+	}
+	h := &aclAdminHandler{
+		cfg:  config,
+		a:    aclService,
+		auth: authService,
+	}
+	// GET    /roles            — список ролей
+	// POST   /roles            — создать роль
+	// GET    /roles/{roleId}   — получить роль
+	// PATCH  /roles/{roleId}   — обновить роль (если нужно)
+	// DELETE /roles/{roleId}   — удалить роль
+
+	// GET    /resources              — список ресурсов
+	// POST   /resources              — создать ресурс
+	// GET    /resources/{resId}      — получить ресурс
+	// PATCH  /resources/{resId}      — обновить ресурс
+	// DELETE /resources/{resId}      — удалить ресурс
+
+	// GET    /users/{userId}/roles           — роли пользователя
+	// POST   /users/{userId}/roles           — назначить роль пользователю
+	// DELETE /users/{userId}/roles/{roleId}  — снять роль
+
+	// GET    /roles/{roleId}/resources           — ресурсы роли
+	// POST   /roles/{roleId}/resources           — назначить ресурс роли
+	// DELETE /roles/{roleId}/resources/{resId}   — убрать ресурс
+	return func(r chi.Router) {
+		// Roles
+		r.Get("/roles", h.getRoles)                                             // list all roles
+		r.Post("/roles", h.createRole)                                          // create a new role
+		r.Get("/roles/{roleId}", h.getRole)                                     // get a role by ID
+		r.Get("/roles/{roleId}/users", h.getRoleUsers)                          // get all assigned users to a role
+		r.Get("/roles/{roleId}/resources", h.getRoleResources)                  // get all resources assigned to a role
+		r.Patch("/roles/{roleId}", h.updateRole)                                // update a role by ID
+		r.Delete("/roles/{roleId}", h.deleteRole)                               // delete a role by ID
+		r.Post("/roles/{roleId}/resources", h.assignResourceToRole)             // assign a resource to a role
+		r.Delete("/roles/{roleId}/resources/{resId}", h.removeResourceFromRole) // remove a resource from a role
+
+		// Resources
+		r.Get("/resources", h.getResources)                   // list all resources
+		r.Post("/resources", h.createResource)                // create a new resource
+		r.Get("/resources/{resourceId}", h.getResource)       // get a resource by ID
+		r.Patch("/resources/{resourceId}", h.updateResource)  // update a resource by ID
+		r.Delete("/resources/{resourceId}", h.deleteResource) // delete a resource by ID
+
+		// Users
+		r.Get("/users/{userId}/roles", h.getUserRoles)                   // get all roles for a user
+		r.Post("/users/{userId}/roles", h.assignRoleToUser)              // assign a role to a user
+		r.Delete("/users/{userId}/roles/{roleId}", h.removeRoleFromUser) // remove a role from a user
+
+		// Users
+		// r.Get("/users/{userId}/roles", h.getUserRoles) // get all roles for a user
+		// r.Post("/users/{userId}/roles", h.assignRoleToUser) // assign a role to a user
+		// r.Delete("/users/{userId}/roles/{roleId}", h.removeRoleFromUser) // remove a role from a user
+
+		// r.Get("/roles", h.getRoles)
+		// r.Post("/create-role", h.createRole)
+		// r.Post("/assign-role", h.assignRoleToUser)
+		// r.Get("/user-roles", h.getUserRoles)
+		// r.Post("/remove-role", h.removeRoleFromUser)
+
+		// r.Get("/resources", h.getResources)
+		// r.Post("/create-resource", h.createResource)
+		// r.Post("/assign-resource", h.assignResourceToRole)
+		// r.Get("/role-resources", h.getRoleResources)
+		// r.Post("/remove-resource", h.removeResourceFromRole)
+
+		// r.Get("/permissions", h.getResources)                   // legacy support
+		// r.Post("/create-permissions", h.createResource)         // legacy support
+		// r.Post("/assign-permissions", h.assignResourceToRole)   // legacy support
+		// r.Get("/role-permissions", h.getRoleResources)          // legacy support
+		// r.Post("/remove-permissions", h.removeResourceFromRole) // legacy support
+	}
+}
+
+// type assignRoleRequest struct {
+// 	UserID int `json:"userId"`
+// 	RoleID int `json:"roleId"`
+// }
+
+// func (h *aclAdminHandler) assignRoleToUser(w http.ResponseWriter, r *http.Request) {
+// 	var req assignRoleRequest
+// 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+// 		http.Error(w, "Invalid request body", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if req.UserID < 0 || req.RoleID < 0 {
+// 		http.Error(w, "Invalid user or role ID", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if err := h.a.AssignRoleToUser(uint(req.RoleID), uint(req.UserID)); err != nil {
+// 		http.Error(w, "Failed to assign role to user", http.StatusConflict)
+// 		return
+// 	}
+// 	w.WriteHeader(http.StatusCreated)
+// }
+
+// type getUserRolesResponse getRolesResponse
+
+// func (h *aclAdminHandler) getUserRoles(w http.ResponseWriter, r *http.Request) {
+// 	uidStr := r.URL.Query().Get("userId")
+// 	if uidStr == "" {
+// 		http.Error(w, "Missing userId parameter", http.StatusBadRequest)
+// 		return
+// 	}
+// 	userID, err := strconv.Atoi(uidStr)
+// 	if err != nil || userID < 0 {
+// 		http.Error(w, "Invalid userId parameter", http.StatusBadRequest)
+// 		return
+// 	}
+// 	roles, err := h.a.GetUserRoles(uint(userID))
+// 	if err != nil {
+// 		http.Error(w, "Internal server error", http.StatusInternalServerError)
+// 		return
+// 	}
+// 	w.Header().Set("Content-Type", "application/json")
+// 	err = json.NewEncoder(w).Encode(func() getUserRolesResponse {
+// 		// Transform acl.Role to getUserRolesResponse
+// 		resp := make(getUserRolesResponse, 0, len(roles))
+// 		for _, role := range roles {
+// 			resp = append(resp, struct {
+// 				ID   uint   `json:"id"`
+// 				Name string `json:"name"`
+// 			}{
+// 				ID:   role.ID,
+// 				Name: role.Name,
+// 			})
+// 		}
+// 		return resp
+// 	}())
+// 	if err != nil {
+// 		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+// 		return
+// 	}
+// }
+
+// type removeRoleRequest struct {
+// 	UserID int `json:"userId"`
+// 	RoleID int `json:"roleId"`
+// }
+
+// func (h *aclAdminHandler) removeRoleFromUser(w http.ResponseWriter, r *http.Request) {
+// 	var req removeRoleRequest
+// 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+// 		http.Error(w, "Invalid request body", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if req.UserID < 0 || req.RoleID < 0 {
+// 		http.Error(w, "Invalid user or role ID", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if err := h.a.RemoveRoleFromUser(uint(req.RoleID), uint(req.UserID)); err != nil {
+// 		http.Error(w, "Failed to remove role from user", http.StatusConflict)
+// 		return
+// 	}
+// 	w.WriteHeader(http.StatusNoContent)
+// }
+
+// type getResourcesResponse getRolesResponse
+
+// func (h *aclAdminHandler) getResources(w http.ResponseWriter, r *http.Request) {
+// 	resources, err := h.a.GetResources()
+// 	if err != nil {
+// 		http.Error(w, "Internal server error", http.StatusInternalServerError)
+// 		return
+// 	}
+// 	w.Header().Set("Content-Type", "application/json")
+// 	err = json.NewEncoder(w).Encode(func() getResourcesResponse {
+// 		// Transform acl.Resource to getResourcesResponse
+// 		resp := make(getResourcesResponse, 0, len(resources))
+// 		for _, res := range resources {
+// 			resp = append(resp, struct {
+// 				ID   uint   `json:"id"`
+// 				Name string `json:"name"`
+// 			}{
+// 				ID:   res.ID,
+// 				Name: res.Key,
+// 			})
+// 		}
+// 		return resp
+// 	}())
+// 	if err != nil {
+// 		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+// 		return
+// 	}
+// }
+
+// type createResourceRequest struct {
+// 	Name string `json:"name"`
+// }
+
+// type createResourceResponse struct {
+// 	ID   uint   `json:"id"`
+// 	Name string `json:"name"`
+// }
+
+// func (h *aclAdminHandler) createResource(w http.ResponseWriter, r *http.Request) {
+// 	var req createResourceRequest
+// 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+// 		http.Error(w, "Invalid request body", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if req.Name == "" {
+// 		http.Error(w, "Name is required", http.StatusBadRequest)
+// 		return
+// 	}
+// 	id, err := h.a.CreateResource(req.Name)
+// 	if err != nil {
+// 		http.Error(w, "Failed to create resource", http.StatusConflict)
+// 		return
+// 	}
+// 	w.WriteHeader(http.StatusCreated)
+// 	w.Header().Set("Content-Type", "application/json")
+// 	err = json.NewEncoder(w).Encode(createResourceResponse{
+// 		ID:   id,
+// 		Name: req.Name,
+// 	})
+// 	if err != nil {
+// 		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+// 		return
+// 	}
+// }
+
+// func (h *aclAdminHandler) assignResourceToRole(w http.ResponseWriter, r *http.Request) {
+// 	server.NotImplemented(w)
+// }
+
+// func (h *aclAdminHandler) getRoleResources(w http.ResponseWriter, r *http.Request) {
+// 	server.NotImplemented(w)
+// }
+
+// func (h *aclAdminHandler) removeResourceFromRole(w http.ResponseWriter, r *http.Request) {
+// 	server.NotImplemented(w)
+// }

api/acl_admin/resources.go

@@ -0,0 +1,223 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"github.com/go-chi/chi/v5"
+)
+
+// @Summary	Get all resources
+// @Tags		acl/resources
+// @Produce	json
+// @Success	200	{object}	getResourcesResponse
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/resources [get]
+func (h *aclAdminHandler) getResources(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	resources, err := h.a.GetResources()
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	type R struct {
+		ID  uint   `json:"id" example:"1"`
+		Key string `json:"key" example:"html.view"`
+	}
+
+	resp := make([]R, 0, len(resources))
+	for _, res := range resources {
+		resp = append(resp, R{ID: res.ID, Key: res.Key})
+	}
+
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// @Summary	Get resource by ID
+// @Tags		acl/resources
+// @Produce	json
+// @Param		resourceId	path		int	true	"Resource ID"	example(1)
+// @Success	200			{object}	getResourceResponse
+// @Failure	400			{object}	ProblemDetails
+// @Failure	404			{object}	ProblemDetails
+// @Failure	500			{object}	ProblemDetails
+// @Router		/api/acl/resources/{resourceId} [get]
+func (h *aclAdminHandler) getResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	resourceIDStr := chi.URLParam(r, "resourceId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+
+	resource, err := h.a.GetResourceByID(uint(resourceID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrResourceNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+resourceIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(getResourceResponse{
+		ID:  resource.ID,
+		Key: resource.Key,
+	})
+}
+
+// @Summary	Create resource
+// @Tags		acl/resources
+// @Accept		json
+// @Produce	json
+// @Param		request	body		createResourceRequest	true	"Resource"
+// @Success	201		{object}	createResourceResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	409		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/resources [post]
+func (h *aclAdminHandler) createResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req createResourceRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	resourceID, err := h.a.CreateResource(req.Key)
+	if err != nil {
+		slog.Error("Failed to create resource", "error", err)
+
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrInvalidResourceKey:
+			writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-key", "Invalid resource key", "Resource key must be non-empty", r)
+		case acl.ErrResourceAlreadyExists:
+			writeProblem(w, http.StatusConflict, "/errors/acl/resource-already-exists", "Resource already exists", "Resource '"+req.Key+"' already exists", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	_ = json.NewEncoder(w).Encode(createResourceResponse{
+		ID:  resourceID,
+		Key: req.Key,
+	})
+}
+
+// @Summary	Update resource
+// @Tags		acl/resources
+// @Accept		json
+// @Produce	json
+// @Param		resourceId	path		int						true	"Resource ID"	example(1)
+// @Param		request		body		updateResourceRequest	true	"Resource"
+// @Success	200			{object}	updateResourceResponse
+// @Failure	400			{object}	ProblemDetails
+// @Failure	404			{object}	ProblemDetails
+// @Failure	409			{object}	ProblemDetails
+// @Failure	500			{object}	ProblemDetails
+// @Router		/api/acl/resources/{resourceId} [patch]
+func (h *aclAdminHandler) updateResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req updateResourceRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	resourceIDStr := chi.URLParam(r, "resourceId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.UpdateResource(uint(resourceID), req.Key)
+	if err != nil {
+		slog.Error("Failed to update resource", "error", err)
+
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrInvalidResourceKey:
+			writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-key", "Invalid resource key", "Resource key must be non-empty", r)
+		case acl.ErrResourceNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+resourceIDStr, r)
+		case acl.ErrSameResourceKey:
+			writeProblem(w, http.StatusConflict, "/errors/acl/resource-key-already-exists", "Resource key already exists", "Resource key '"+req.Key+"' already exists", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(updateResourceResponse{
+		ID:  uint(resourceID),
+		Key: req.Key,
+	})
+}
+
+// @Summary	Delete resource
+// @Tags		acl/resources
+// @Produce	json
+// @Param		resourceId	path	int	true	"Resource ID"	example(1)
+// @Success	200
+// @Failure	400	{object}	ProblemDetails
+// @Failure	404	{object}	ProblemDetails
+// @Failure	409	{object}	ProblemDetails
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/resources/{resourceId} [delete]
+func (h *aclAdminHandler) deleteResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	resourceIDStr := chi.URLParam(r, "resourceId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.DeleteResource(uint(resourceID))
+	if err != nil {
+		slog.Error("Failed to delete resource", "error", err)
+
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrResourceNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+resourceIDStr, r)
+		case acl.ErrResourceInUse:
+			writeProblem(w, http.StatusConflict, "/errors/acl/resource-in-use", "Resource in use", "Resource "+resourceIDStr+" is in use", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+}

api/acl_admin/resources_models.go

@@ -0,0 +1,39 @@
+package api_acladmin
+
+/*******************************************************************/
+// used in getResources()
+type getResourcesResponse []struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
+
+var _ getResourcesResponse // for documentation
+
+/*******************************************************************/
+// used in getResource()
+type getResourceResponse struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
+
+/*******************************************************************/
+// used in createResource()
+type createResourceRequest struct {
+	Key string `json:"key" example:"html.view"`
+}
+
+type createResourceResponse struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
+
+/*******************************************************************/
+// used in updateResource()
+type updateResourceRequest struct {
+	Key string `json:"key" example:"html.view"`
+}
+
+type updateResourceResponse struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}

api/acl_admin/roles.go

@@ -0,0 +1,390 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"github.com/go-chi/chi/v5"
+)
+
+// @Summary	Get all roles
+// @Tags		acl/roles
+// @Produce	json
+// @Success	200	{array}		getRolesResponse
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/roles [get]
+func (h *aclAdminHandler) getRoles(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roles, err := h.a.GetRoles()
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	type R struct {
+		ID   uint   `json:"id" example:"1"`
+		Name string `json:"name" example:"admin"`
+	}
+
+	resp := make([]R, 0, len(roles))
+	for _, role := range roles {
+		resp = append(resp, R{ID: role.ID, Name: role.Name})
+	}
+
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// @Summary	Get role by ID
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path		int	true	"Role ID"	example(1)
+// @Success	200		{object}	getRoleResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	404		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId} [get]
+func (h *aclAdminHandler) getRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	role, err := h.a.GetRoleByID(uint(roleID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(getRoleResponse{
+		ID:   role.ID,
+		Name: role.Name,
+	})
+}
+
+// @Summary	Get role users
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path		int	true	"Role ID"	example(1)
+// @Success	200		{array}		getRoleUsersResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	404		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId}/users [get]
+func (h *aclAdminHandler) getRoleUsers(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	role, err := h.a.GetRoleByID(uint(roleID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	if len(role.Users) == 0 {
+		writeProblem(w, http.StatusNotFound, "/errors/acl/role-has-no-users", "Role has no users", "Role has no users", r)
+		return
+	}
+	var respUsers getRoleUsersResponse
+	for _, user := range role.Users {
+		respUsers = append(respUsers, getRoleUser{
+			ID:    user.ID,
+			Name:  user.Username,
+			Email: user.Email,
+		})
+	}
+	_ = json.NewEncoder(w).Encode(respUsers)
+}
+
+// @Summary	Get role resources
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path		int	true	"Role ID"	example(1)
+// @Success	200		{array}		getRoleResourcesResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	404		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId}/resources [get]
+func (h *aclAdminHandler) getRoleResources(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	role, err := h.a.GetRoleByID(uint(roleID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	if len(role.Resources) == 0 {
+		writeProblem(w, http.StatusNotFound, "/errors/acl/role-has-no-users", "Role has no users", "Role has no users", r)
+		return
+	}
+	var respResources getRoleResourcesResponse
+	for _, user := range role.Resources {
+		respResources = append(respResources, getRoleResource{
+			ID:   user.ID,
+			Name: user.Key,
+		})
+	}
+	_ = json.NewEncoder(w).Encode(respResources)
+}
+
+// @Summary	Create role
+// @Tags		acl/roles
+// @Accept		json
+// @Produce	json
+// @Param		request	body		createRoleRequest	true	"Role"
+// @Success	201		{object}	createRoleResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	409		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/roles [post]
+func (h *aclAdminHandler) createRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req createRoleRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	roleID, err := h.a.CreateRole(req.Name)
+	if err != nil {
+		slog.Error("Failed to create role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrInvalidRoleName:
+			writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-name", "Invalid role name", "Role name must be non-empty", r)
+		case acl.ErrRoleAlreadyExists:
+			writeProblem(w, http.StatusConflict, "/errors/acl/role-already-exists", "Role already exists", "Role '"+req.Name+"' already exists", r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	_ = json.NewEncoder(w).Encode(createRoleResponse{
+		ID:   roleID,
+		Name: req.Name,
+	})
+}
+
+// @Summary	Update role
+// @Tags		acl/roles
+// @Accept		json
+// @Produce	json
+// @Param		roleId	path		int					true	"Role ID"	example(1)
+// @Param		request	body		updateRoleRequest	true	"Role"
+// @Success	200		{object}	updateRoleResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	404		{object}	ProblemDetails
+// @Failure	409		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId} [patch]
+func (h *aclAdminHandler) updateRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req updateRoleRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.UpdateRole(uint(roleID), req.Name)
+	if err != nil {
+		slog.Error("Failed to update role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrInvalidRoleName:
+			writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-name", "Invalid role name", "Role name must be non-empty", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrSameRoleName:
+			writeProblem(w, http.StatusConflict, "/errors/acl/role-name-already-exists", "Role name already exists", "Role '"+req.Name+"' already exists", r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(updateRoleResponse{
+		ID:   uint(roleID),
+		Name: req.Name,
+	})
+}
+
+// @Summary	Delete role
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path	int	true	"Role ID"	example(1)
+// @Success	204
+// @Failure	400	{object}	ProblemDetails
+// @Failure	404	{object}	ProblemDetails
+// @Failure	409	{object}	ProblemDetails
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId} [delete]
+func (h *aclAdminHandler) deleteRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.DeleteRole(uint(roleID))
+	if err != nil {
+		slog.Error("Failed to delete role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrRoleInUse:
+			writeProblem(w, http.StatusConflict, "/errors/acl/role-in-use", "Role in use", "Role "+roleIDStr+" is assigned to at least one user and cannot be deleted", r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// @Summary	Assign resource to role
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path	int							true	"Role ID"	example(1)
+// @Param		request	body	assignResourceToRoleRequest	true	"Resource"
+// @Success	201
+// @Failure	400	{object}	ProblemDetails
+// @Failure	404	{object}	ProblemDetails
+// @Failure	409	{object}	ProblemDetails
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId}/resources [post]
+func (h *aclAdminHandler) assignResourceToRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	var req assignResourceToRoleRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-request-body", "Invalid request body", "Invalid JSON body", r)
+		return
+	}
+	if err := h.a.AssignResourceToRole(uint(roleID), req.ResourceID); err != nil {
+		slog.Error("Failed to assign resource to role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrResourceNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+strconv.Itoa(int(req.ResourceID)), r)
+		case acl.ErrResourceAlreadyAssigned:
+			writeProblem(w, http.StatusConflict, "/errors/acl/resource-already-assigned", "Resource already assigned", "Resource with ID "+strconv.Itoa(int(req.ResourceID))+" is already assigned to role with ID "+roleIDStr, r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
+
+// @Summary	Remove resource from role
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path	int	true	"Role ID"		example(1)
+// @Param		resId	path	int	true	"Resource ID"	example(1)
+// @Success	204
+// @Failure	400	{object}	ProblemDetails
+// @Failure	404	{object}	ProblemDetails
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId}/resources/{resId} [delete]
+func (h *aclAdminHandler) removeResourceFromRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	resourceIDStr := chi.URLParam(r, "resId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+	if err := h.a.RemoveResourceFromRole(uint(roleID), uint(resourceID)); err != nil {
+		slog.Error("Failed to remove resource from role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrResourceNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+strconv.Itoa(int(resourceID)), r)
+		case acl.ErrRoleResourceNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-resource-not-found", "Role resource not found", "No role-resource pair with role ID "+roleIDStr+" and resource ID "+strconv.Itoa(int(resourceID)), r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}

api/acl_admin/roles_models.go

@@ -0,0 +1,62 @@
+package api_acladmin
+
+/*******************************************************************/
+// used in getRoles()
+type getRolesResponse []struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+var _ getRolesResponse
+
+/*******************************************************************/
+// used in getRole()
+type getRoleResponse struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+/*******************************************************************/
+// used in getRoleUsers()
+type getRoleUser struct {
+	ID    uint   `json:"id" example:"1"`
+	Name  string `json:"username" example:"admin"`
+	Email string `json:"email" example:"admin@triggerssmith.com"`
+}
+type getRoleUsersResponse []getRoleUser
+
+/*******************************************************************/
+// used in getRoleResources()
+type getRoleResource struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"*"`
+}
+type getRoleResourcesResponse []getRoleResource
+
+/*******************************************************************/
+// used in createRole()
+type createRoleRequest struct {
+	Name string `json:"name" example:"admin"`
+}
+
+type createRoleResponse struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+/*******************************************************************/
+// used in updateRole()
+type updateRoleRequest struct {
+	Name string `json:"name" example:"admin"`
+}
+
+type updateRoleResponse struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+/*******************************************************************/
+// used in assignResourceToRole()
+type assignResourceToRoleRequest struct {
+	ResourceID uint `json:"resourceId" example:"1"`
+}

api/acl_admin/users.go

@@ -0,0 +1,136 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"github.com/go-chi/chi/v5"
+)
+
+// @Summary	Get user roles by user ID
+// @Tags		acl/users
+// @Produce	json
+// @Param		userId	path		int	true	"User ID"	example(1)
+// @Success	200		{object}	getUserRolesResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	404		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/users/{userId}/roles [get]
+func (h *aclAdminHandler) getUserRoles(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	userIDStr := chi.URLParam(r, "userId")
+	userID, err := strconv.Atoi(userIDStr)
+	if err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-user-id", "Invalid user ID", "User ID must be positive integer", r)
+		return
+	}
+	roles, err := h.a.GetUserRoles(uint(userID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrUserNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/user-not-found", "User not found", "User not found", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/no-role-found", "No role found", "No role found for user "+strconv.Itoa(userID), r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	resp := make(getUserRolesResponse, 0, len(roles))
+	for _, role := range roles {
+		resp = append(resp, getUserRole{ID: role.ID, Name: role.Name})
+	}
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// @Summary	Assign role to user
+// @Tags		acl/users
+// @Produce	json
+// @Param		userId	path	int						true	"User ID"	example(1)
+// @Param		body	body	assignRoleToUserRequest	true	"Role ID"
+// @Success	201
+// @Failure	400	{object}	ProblemDetails
+// @Failure	404	{object}	ProblemDetails
+// @Failure	409	{object}	ProblemDetails
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/users/{userId}/roles [post]
+func (h *aclAdminHandler) assignRoleToUser(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	userIDStr := chi.URLParam(r, "userId")
+	userID, err := strconv.Atoi(userIDStr)
+	if err != nil || userID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-user-id", "Invalid user ID", "User ID must be positive integer", r)
+		return
+	}
+	var req assignRoleToUserRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-request-body", "Invalid request body", "Invalid JSON body", r)
+		return
+	}
+	if err := h.a.AssignRoleToUser(req.RoleID, uint(userID)); err != nil {
+		slog.Error("Failed to assign role to user", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrUserNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/user-not-found", "User not found", "User not found", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/no-role-found", "No role found", "No role found for user "+strconv.Itoa(userID), r)
+		case acl.ErrRoleAlreadyAssigned:
+			writeProblem(w, http.StatusConflict, "/errors/acl/role-already-assigned", "Role already assigned", "Role with ID "+strconv.Itoa(int(req.RoleID))+" is already assigned to user "+strconv.Itoa(userID), r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
+
+// @Summary	Remove role from user
+// @Tags		acl/users
+// @Produce	json
+// @Param		userId	path	int	true	"User ID"	example(1)
+// @Param		roleId	path	int	true	"Role ID"	example(1)
+// @Success	204
+// @Failure	400	{object}	ProblemDetails
+// @Failure	404	{object}	ProblemDetails
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/users/{userId}/roles/{roleId} [delete]
+func (h *aclAdminHandler) removeRoleFromUser(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	userIDStr := chi.URLParam(r, "userId")
+	userID, err := strconv.Atoi(userIDStr)
+	if err != nil || userID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-user-id", "Invalid user ID", "User ID must be positive integer", r)
+		return
+	}
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	err = h.a.RemoveRoleFromUser(uint(roleID), uint(userID))
+	if err != nil {
+		slog.Error("Failed to remove role from user", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrUserNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/user-not-found", "User not found", "User not found", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/no-role-found", "No role found", "No role found for user "+strconv.Itoa(userID), r)
+		case acl.ErrUserRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/user-role-not-found", "User role not found", "User "+strconv.Itoa(userID)+" does not have role "+strconv.Itoa(roleID), r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+	}
+	w.WriteHeader(http.StatusNoContent)
+}

api/acl_admin/users_models.go

@@ -0,0 +1,16 @@
+package api_acladmin
+
+/*******************************************************************/
+// used in getUserRoles()
+type getUserRole struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"*"`
+}
+
+type getUserRolesResponse []getUserRole
+
+/*******************************************************************/
+// used in assignRoleToUser()
+type assignRoleToUserRequest struct {
+	RoleID uint `json:"roleId" example:"1"`
+}

api/auth/handle.go

@@ -1,37 +1,222 @@
 // Package auth provides authentication-related API endpoints for the Triggersmith application.
 // It handles login, logout, and user management operations.
-package auth
+package api_auth
 
 import (
+	"encoding/json"
+	"fmt"
+	"log/slog"
 	"net/http"
+	"time"
 
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
 	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
 	"github.com/go-chi/chi/v5"
+	"github.com/golang-jwt/jwt/v5"
 )
 
+func setRefreshCookie(w http.ResponseWriter, token string, ttl time.Duration, secure bool) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    token,
+		Path:     "/api/auth/refresh",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		MaxAge:   int(ttl.Seconds()),
+		Secure:   secure,
+	})
+}
+
 type authHandler struct {
 	cfg *config.Config
+	a   *auth.Service
 }
 
-func MustRoute(config *config.Config) func(chi.Router) {
+func MustRoute(config *config.Config, authService *auth.Service) func(chi.Router) {
 	if config == nil {
 		panic("config is nil")
 	}
+	if authService == nil {
+		panic("authService is nil")
+	}
 	h := &authHandler{
 		cfg: config,
+		a:   authService,
 	}
 	return func(r chi.Router) {
-		r.Get("/login", h.handleLogin)
-		r.Get("/logout", h.handleLogout)
-		r.Get("/me", h.handleMe)
-		r.Get("/revoke", h.handleRevoke)
+		r.Get("/getUserData", h.handleGetUserData) // legacy support
+
+		r.Post("/register", h.handleRegister)
+		r.Post("/login", h.handleLogin)
+		r.Post("/logout", h.handleLogout)   // !requires authentication
+		r.Post("/refresh", h.handleRefresh) // !requires authentication
+
+		r.Get("/me", h.handleMe) // !requires authentication
+		r.Get("/get-user-data", h.handleGetUserData)
+
+		r.Post("/revoke", h.handleRevoke) // not implemented
 	}
 }
 
-func (h *authHandler) handleLogin(w http.ResponseWriter, r *http.Request) {}
+type registerRequest struct {
+	Username string `json:"username"`
+	Email    string `json:"email"`
+	Password string `json:"password"`
+}
 
-func (h *authHandler) handleLogout(w http.ResponseWriter, r *http.Request) {}
+type registerResponse struct {
+	UserID   uint   `json:"id"`
+	Username string `json:"username"`
+}
 
-func (h *authHandler) handleMe(w http.ResponseWriter, r *http.Request) {}
+func (h *authHandler) handleRegister(w http.ResponseWriter, r *http.Request) {
+	var req registerRequest
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		http.Error(w, "Invalid request payload", http.StatusBadRequest)
+		return
+	}
 
-func (h *authHandler) handleRevoke(w http.ResponseWriter, r *http.Request) {}
+	user, err := h.a.Register(req.Username, req.Email, req.Password)
+	if err != nil {
+		slog.Error("Failed to register user", "error", err)
+		http.Error(w, "Registration failed", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(registerResponse{
+		UserID:   user.ID,
+		Username: user.Username,
+	})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
+
+type loginRequest struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+type loginResponse struct {
+	Token string `json:"accessToken"`
+}
+
+func (h *authHandler) handleLogin(w http.ResponseWriter, r *http.Request) {
+	var req loginRequest
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		http.Error(w, "Invalid request payload", http.StatusBadRequest)
+		return
+	}
+
+	tokens, err := h.a.Login(req.Username, req.Password)
+	if err != nil {
+		http.Error(w, "Authentication failed", http.StatusUnauthorized)
+		return
+	}
+
+	setRefreshCookie(w, tokens.Refresh, h.cfg.Auth.RefreshTokenTTL, false)
+
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(loginResponse{Token: tokens.Access})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+}
+
+func (h *authHandler) handleLogout(w http.ResponseWriter, r *http.Request) {
+	claims, err := h.a.AuthenticateRequest(r)
+	if err != nil {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+	rjti := claims.(jwt.MapClaims)["rjti"].(string)
+	err = h.a.Logout(rjti)
+	if err != nil {
+		http.Error(w, "Failed to logout, taking cookie anyways", http.StatusInternalServerError)
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    "",
+		MaxAge:   -1,
+		Path:     "/api/users/refresh",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+	if err == nil {
+		w.WriteHeader(http.StatusOK)
+	}
+}
+
+type meResponse struct {
+	UserID   uint   `json:"id"`
+	Username string `json:"username"`
+	Email    string `json:"email"`
+}
+
+func (h *authHandler) handleMe(w http.ResponseWriter, r *http.Request) {
+	refresh_token_cookie, err := r.Cookie("refresh_token")
+	if err != nil {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+	userID, err := h.a.ValidateRefreshToken(refresh_token_cookie.Value)
+	if err != nil {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+	user, err := h.a.Get("id", fmt.Sprint(userID))
+	if err != nil {
+		http.Error(w, "Failed to get user", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(meResponse{
+		UserID:   user.ID,
+		Username: user.Username,
+		Email:    user.Email,
+	})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+}
+
+type GetUserDataResponse meResponse
+
+func (h *authHandler) handleGetUserData(w http.ResponseWriter, r *http.Request) {
+	by := r.URL.Query().Get("by")
+	value := r.URL.Query().Get("value")
+	if value == "" {
+		value = r.URL.Query().Get(by)
+	}
+	user, err := h.a.Get(by, value)
+	if err != nil {
+		http.Error(w, "Failed to get user", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(meResponse{
+		UserID:   user.ID,
+		Username: user.Username,
+		Email:    user.Email,
+	})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+}
+
+func (h *authHandler) handleRevoke(w http.ResponseWriter, r *http.Request) {
+	server.NotImplemented(w)
+}
+
+func (h *authHandler) handleRefresh(w http.ResponseWriter, r *http.Request) {
+	server.NotImplemented(w)
+}

api/block/handle.go

@@ -6,7 +6,7 @@
 // Example:
 //
 //	/api/block/header would load the block located at {BlockDir}/header/
-package block
+package api_block
 
 import (
 	"encoding/json"

api/router.go

@@ -8,25 +8,51 @@ import (
 	"path/filepath"
 	"time"
 
-	"git.oblat.lv/alex/triggerssmith/api/auth"
-	"git.oblat.lv/alex/triggerssmith/api/block"
+	api_acladmin "git.oblat.lv/alex/triggerssmith/api/acl_admin"
+	api_auth "git.oblat.lv/alex/triggerssmith/api/auth"
+	api_block "git.oblat.lv/alex/triggerssmith/api/block"
+	_ "git.oblat.lv/alex/triggerssmith/docs"
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
 	"git.oblat.lv/alex/triggerssmith/internal/config"
 	"git.oblat.lv/alex/triggerssmith/internal/vars"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
+	httpSwagger "github.com/swaggo/http-swagger"
 )
 
 type Router struct {
 	r chi.Router
 
 	cfg *config.Config
+
+	authService *auth.Service
+
+	aclService *acl.Service
 }
 
-func NewRouter(cfg *config.Config) *Router {
+type RouterDependencies struct {
+	AuthService   *auth.Service
+	Configuration *config.Config
+	ACLService    *acl.Service
+}
+
+func NewRouter(deps RouterDependencies) *Router {
+	if deps.AuthService == nil {
+		panic("AuthService is required")
+	}
+	if deps.Configuration == nil {
+		panic("Configuration is required")
+	}
+	if deps.ACLService == nil {
+		panic("ACLService is required")
+	}
 	r := chi.NewRouter()
 	return &Router{
-		r:   r,
-		cfg: cfg,
+		r:           r,
+		cfg:         deps.Configuration,
+		authService: deps.AuthService,
+		aclService:  deps.ACLService,
 	}
 }
 
@@ -42,7 +68,7 @@ func (r *Router) MustRoute() chi.Router {
 			slog.String("dir", r.cfg.Server.StaticConfig.Dir),
 			slog.String("index_file", r.cfg.Server.StaticConfig.IndexFile),
 		)
-		r.r.Get("/", func(w http.ResponseWriter, req *http.Request) {
+		r.r.Get("/*", func(w http.ResponseWriter, req *http.Request) {
 			http.ServeFile(w, req, filepath.Join(r.cfg.Server.StaticConfig.Dir, r.cfg.Server.StaticConfig.IndexFile))
 		})
 		fs := http.FileServer(http.Dir(r.cfg.Server.StaticConfig.Dir))
@@ -58,8 +84,16 @@ func (r *Router) MustRoute() chi.Router {
 	}
 
 	r.r.Route("/api", func(api chi.Router) {
-		api.Route("/block", block.MustRoute(r.cfg))
-		api.Route("/auth", auth.MustRoute(r.cfg))
+		api.Get("/swagger/*", httpSwagger.Handler(
+			httpSwagger.URL("/api/swagger/doc.json"),
+		))
+		api.Route("/block", api_block.MustRoute(r.cfg))
+		authRoute := api_auth.MustRoute(r.cfg, r.authService)
+		api.Route("/auth", authRoute)
+		//api.Route("/users", authRoute) // legacy support
+		aclAdminRoute := api_acladmin.MustRoute(r.cfg, r.aclService, r.authService)
+		api.Route("/acl", aclAdminRoute)
+		api.Route("/acl-admin", aclAdminRoute) // legacy support
 	})
 
 	r.r.Get("/health", func(w http.ResponseWriter, r *http.Request) {

cmd/serve.go

@@ -9,19 +9,28 @@ import (
 	"path/filepath"
 	"runtime/debug"
 	"syscall"
+	"time"
 
 	"git.oblat.lv/alex/triggerssmith/api"
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
 	application "git.oblat.lv/alex/triggerssmith/internal/app"
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
 	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/jwt"
 	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"git.oblat.lv/alex/triggerssmith/internal/token"
+	"git.oblat.lv/alex/triggerssmith/internal/user"
 	"git.oblat.lv/alex/triggerssmith/internal/vars"
 	"github.com/spf13/cobra"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
 )
 
 var optsServeCmd = struct {
 	ConfigPath    *string
 	Debug         *bool
 	HideGreetings *bool
+	NoPIDFile     *bool
 }{}
 
 // // simple middleware for request logging
@@ -82,6 +91,7 @@ var serveCmd = &cobra.Command{
 		}
 		defer func() {
 			if r := recover(); r != nil {
+				slog.Debug("panic recovered: preparing panic.log", slog.Any("error", r))
 				stack := debug.Stack()
 
 				f, err := os.OpenFile("panic.log", os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0644)
@@ -89,13 +99,16 @@ var serveCmd = &cobra.Command{
 					slog.Error("Failed to open panic.log", slog.Any("error", err))
 				} else {
 					defer f.Close()
-					f.WriteString(fmt.Sprintf("Panic: %v\n", r))
+					slog.Debug("flushing stack in to panic.log")
+					fmt.Fprintf(f, "\n--------------------------------------------------------\n")
+					fmt.Fprintf(f, "Time: %s\n", time.Now().Format(time.RFC3339))
+					fmt.Fprintln(f, "If this is unexpected, please report: https://git.oblat.lv/alex/triggerssmith/issues")
+					fmt.Fprintf(f, "\n--------------------------------------------------------\n")
+					fmt.Fprintf(f, "Panic: %v\n", r)
 					f.Write(stack)
 					f.WriteString("\n\n")
+					slog.Error("Application panicked: the stack is flushed to disk", slog.Any("error", r))
 				}
-
-				slog.Error("Application panicked: the stack is flushed to disk", slog.Any("error", r))
-
 				os.Exit(-1)
 			}
 		}()
@@ -107,13 +120,17 @@ var serveCmd = &cobra.Command{
 			slog.SetDefault(slog.New(slog.NewTextHandler(cmd.OutOrStdout(), &slog.HandlerOptions{Level: slog.LevelInfo})))
 		}
 
-		pid := os.Getpid()
-		slog.Debug("Starting server", slog.Int("pid", pid))
-		if err := writePID(vars.PID_PATH); err != nil {
-			panic(err)
+		if !*optsServeCmd.NoPIDFile {
+			pid := os.Getpid()
+			slog.Debug("Starting server", slog.Int("pid", pid))
+			if err := writePID(vars.PID_PATH); err != nil {
+				panic(err)
+			}
+			slog.Debug("created pid file", slog.String("path", vars.PID_PATH))
+			defer os.Remove(vars.PID_PATH)
+		} else {
+			slog.Warn("Starting server without PID file as requested by --no-pidfile flag: this may complicate process management")
 		}
-		slog.Debug("created pid file", slog.String("path", vars.PID_PATH))
-		defer os.Remove(vars.PID_PATH)
 
 		// load config
 		slog.Debug("Reading configuration", slog.String("path", *optsServeCmd.ConfigPath))
@@ -133,16 +150,111 @@ var serveCmd = &cobra.Command{
 		app.LoadConfiguration(cfg)
 
 		srv := app.Server()
-		//mux := http.NewServeMux()
 
-		// static files
-		// staticPath := cfg.Server.StaticFilesPath
-		// slog.Debug("Setting up static file server", slog.String("path", staticPath))
-		// fs := http.FileServer(http.Dir(staticPath))
-		// mux.Handle("/static/", http.StripPrefix("/static/", fs))
-		// handler := loggingMiddleware(mux)
+		// Services initialization
+		var jwtSigner jwt.Signer
+		// TODO: support more signing algorithms
+		//     : support hot config reload for signing alg and secret
+		switch cfg.Auth.SignAlg {
+		case "HS256":
+			secretBytes, err := os.ReadFile(cfg.Auth.HMACSecretPath)
+			if err != nil {
+				slog.Error("Failed to read HMAC secret file", slog.String("path", cfg.Auth.HMACSecretPath), slog.String("error", err.Error()))
+				return
+			}
+			jwtSigner = jwt.NewHMACSigner(secretBytes)
+		default:
+			slog.Error("Unsupported JWT signing algorithm", slog.String("alg", cfg.Auth.SignAlg))
+			return
+		}
+		jwtService := jwt.NewService(jwtSigner)
 
-		router := api.NewRouter(cfg)
+		err = os.MkdirAll(cfg.Data.DataPath, 0755)
+		if err != nil {
+			slog.Error("Failed to create data directory", slog.String("path", cfg.Data.DataPath), slog.String("error", err.Error()))
+			return
+		}
+
+		tokenDb, err := gorm.Open(sqlite.Open(filepath.Join(cfg.Data.DataPath, "tokens.sqlite3")), &gorm.Config{})
+		if err != nil {
+			slog.Error("Failed to open token database", slog.String("error", err.Error()))
+			return
+		}
+		// err = tokenDb.AutoMigrate(&token.Token{})
+		// if err != nil {
+		// 	slog.Error("Failed to migrate token database", slog.String("error", err.Error()))
+		// 	return
+		// }
+		tokenStore, err := token.NewSQLiteTokenStore(tokenDb)
+		if err != nil {
+			slog.Error("Failed to create token store", slog.String("error", err.Error()))
+			return
+		}
+		tokenService, err := token.NewTokenService(&cfg.Auth, tokenStore)
+		if err != nil {
+			slog.Error("Failed to create token service", slog.String("error", err.Error()))
+			return
+		}
+		err = tokenService.Init()
+		if err != nil {
+			slog.Error("Failed to initialize token service", slog.String("error", err.Error()))
+			return
+		}
+
+		// also acl !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+		userData, err := gorm.Open(sqlite.Open(filepath.Join(cfg.Data.DataPath, "user_data.sqlite3")+"?_foreign_keys=on"), &gorm.Config{})
+		if err != nil {
+			slog.Error("Failed to open user database", slog.String("error", err.Error()))
+			return
+		}
+		// err =
+		// if err != nil {
+		// 	slog.Error("Failed to migrate user database", slog.String("error", err.Error()))
+		// 	return
+		// }
+		userStore, err := user.NewGormUserStore(userData)
+		if err != nil {
+			slog.Error("Failed to create user store", slog.String("error", err.Error()))
+			return
+		}
+		userService, err := user.NewService(userStore)
+		if err != nil {
+			slog.Error("Failed to create user service", slog.String("error", err.Error()))
+			return
+		}
+		err = userService.Init()
+		if err != nil {
+			slog.Error("Failed to initialize user service", slog.String("error", err.Error()))
+			return
+		}
+		aclService, err := acl.NewService(userData)
+		if err != nil {
+			slog.Error("Failed to create acl service", slog.String("error", err.Error()))
+			return
+		}
+		err = aclService.Init()
+		if err != nil {
+			slog.Error("Failed to initialize acl service", slog.String("error", err.Error()))
+			return
+		}
+
+		authService, err := auth.NewAuthService(auth.AuthServiceDependencies{
+			Configuration: cfg,
+
+			JWTService:   jwtService,
+			UserService:  userService,
+			TokenService: tokenService,
+		})
+		if err != nil {
+			slog.Error("Failed to create auth service", slog.String("error", err.Error()))
+			return
+		}
+
+		router := api.NewRouter(api.RouterDependencies{
+			AuthService:   authService,
+			Configuration: cfg,
+			ACLService:    aclService,
+		})
 
 		srv.SetHandler(router.MustRoute())
 		srv.Init()
@@ -204,5 +316,6 @@ func init() {
 	optsServeCmd.Debug = serveCmd.Flags().BoolP("debug", "d", false, "Enable debug logs")
 	optsServeCmd.ConfigPath = serveCmd.Flags().StringP("config", "c", "config.yaml", "Path to configuration file")
 	optsServeCmd.HideGreetings = serveCmd.Flags().BoolP("hide-greetings", "g", false, "Hide the welcome message and version when starting the server")
+	optsServeCmd.NoPIDFile = serveCmd.Flags().BoolP("no-pidfile", "p", false, "Do not write a PID file")
 	rootCmd.AddCommand(serveCmd)
 }

docs/swagger.yaml

@@ -0,0 +1,718 @@
+definitions:
+  api_acladmin.ProblemDetails:
+    properties:
+      detail:
+        example: No role with ID 42
+        type: string
+      instance:
+        example: /api/acl/roles/42
+        type: string
+      status:
+        example: 404
+        type: integer
+      title:
+        example: Role not found
+        type: string
+      type:
+        example: https://api.triggerssmith.com/errors/role-not-found
+        type: string
+    type: object
+  api_acladmin.assignResourceToRoleRequest:
+    properties:
+      resourceId:
+        example: 1
+        type: integer
+    type: object
+  api_acladmin.assignRoleToUserRequest:
+    properties:
+      roleId:
+        example: 1
+        type: integer
+    type: object
+  api_acladmin.createResourceRequest:
+    properties:
+      key:
+        example: html.view
+        type: string
+    type: object
+  api_acladmin.createResourceResponse:
+    properties:
+      id:
+        example: 1
+        type: integer
+      key:
+        example: html.view
+        type: string
+    type: object
+  api_acladmin.createRoleRequest:
+    properties:
+      name:
+        example: admin
+        type: string
+    type: object
+  api_acladmin.createRoleResponse:
+    properties:
+      id:
+        example: 1
+        type: integer
+      name:
+        example: admin
+        type: string
+    type: object
+  api_acladmin.getResourceResponse:
+    properties:
+      id:
+        example: 1
+        type: integer
+      key:
+        example: html.view
+        type: string
+    type: object
+  api_acladmin.getRoleResource:
+    properties:
+      id:
+        example: 1
+        type: integer
+      name:
+        example: '*'
+        type: string
+    type: object
+  api_acladmin.getRoleResponse:
+    properties:
+      id:
+        example: 1
+        type: integer
+      name:
+        example: admin
+        type: string
+    type: object
+  api_acladmin.getRoleUser:
+    properties:
+      email:
+        example: admin@triggerssmith.com
+        type: string
+      id:
+        example: 1
+        type: integer
+      username:
+        example: admin
+        type: string
+    type: object
+  api_acladmin.getUserRole:
+    properties:
+      id:
+        example: 1
+        type: integer
+      name:
+        example: '*'
+        type: string
+    type: object
+  api_acladmin.updateResourceRequest:
+    properties:
+      key:
+        example: html.view
+        type: string
+    type: object
+  api_acladmin.updateResourceResponse:
+    properties:
+      id:
+        example: 1
+        type: integer
+      key:
+        example: html.view
+        type: string
+    type: object
+  api_acladmin.updateRoleRequest:
+    properties:
+      name:
+        example: admin
+        type: string
+    type: object
+  api_acladmin.updateRoleResponse:
+    properties:
+      id:
+        example: 1
+        type: integer
+      name:
+        example: admin
+        type: string
+    type: object
+info:
+  contact: {}
+paths:
+  /api/acl/resources:
+    get:
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            items:
+              properties:
+                id:
+                  example: 1
+                  type: integer
+                key:
+                  example: html.view
+                  type: string
+              type: object
+            type: array
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get all resources
+      tags:
+      - acl/resources
+    post:
+      consumes:
+      - application/json
+      parameters:
+      - description: Resource
+        in: body
+        name: request
+        required: true
+        schema:
+          $ref: '#/definitions/api_acladmin.createResourceRequest'
+      produces:
+      - application/json
+      responses:
+        "201":
+          description: Created
+          schema:
+            $ref: '#/definitions/api_acladmin.createResourceResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Create resource
+      tags:
+      - acl/resources
+  /api/acl/resources/{resourceId}:
+    delete:
+      parameters:
+      - description: Resource ID
+        example: 1
+        in: path
+        name: resourceId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Delete resource
+      tags:
+      - acl/resources
+    get:
+      parameters:
+      - description: Resource ID
+        example: 1
+        in: path
+        name: resourceId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/api_acladmin.getResourceResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get resource by ID
+      tags:
+      - acl/resources
+    patch:
+      consumes:
+      - application/json
+      parameters:
+      - description: Resource ID
+        example: 1
+        in: path
+        name: resourceId
+        required: true
+        type: integer
+      - description: Resource
+        in: body
+        name: request
+        required: true
+        schema:
+          $ref: '#/definitions/api_acladmin.updateResourceRequest'
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/api_acladmin.updateResourceResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Update resource
+      tags:
+      - acl/resources
+  /api/acl/roles:
+    get:
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            items:
+              items:
+                properties:
+                  id:
+                    example: 1
+                    type: integer
+                  name:
+                    example: admin
+                    type: string
+                type: object
+              type: array
+            type: array
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get all roles
+      tags:
+      - acl/roles
+    post:
+      consumes:
+      - application/json
+      parameters:
+      - description: Role
+        in: body
+        name: request
+        required: true
+        schema:
+          $ref: '#/definitions/api_acladmin.createRoleRequest'
+      produces:
+      - application/json
+      responses:
+        "201":
+          description: Created
+          schema:
+            $ref: '#/definitions/api_acladmin.createRoleResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Create role
+      tags:
+      - acl/roles
+  /api/acl/roles/{roleId}:
+    delete:
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Delete role
+      tags:
+      - acl/roles
+    get:
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/api_acladmin.getRoleResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get role by ID
+      tags:
+      - acl/roles
+    patch:
+      consumes:
+      - application/json
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      - description: Role
+        in: body
+        name: request
+        required: true
+        schema:
+          $ref: '#/definitions/api_acladmin.updateRoleRequest'
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/api_acladmin.updateRoleResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Update role
+      tags:
+      - acl/roles
+  /api/acl/roles/{roleId}/resources:
+    get:
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            items:
+              items:
+                $ref: '#/definitions/api_acladmin.getRoleResource'
+              type: array
+            type: array
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get role resources
+      tags:
+      - acl/roles
+    post:
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      - description: Resource
+        in: body
+        name: request
+        required: true
+        schema:
+          $ref: '#/definitions/api_acladmin.assignResourceToRoleRequest'
+      produces:
+      - application/json
+      responses:
+        "201":
+          description: Created
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Assign resource to role
+      tags:
+      - acl/roles
+  /api/acl/roles/{roleId}/resources/{resId}:
+    delete:
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      - description: Resource ID
+        example: 1
+        in: path
+        name: resId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Remove resource from role
+      tags:
+      - acl/roles
+  /api/acl/roles/{roleId}/users:
+    get:
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            items:
+              items:
+                $ref: '#/definitions/api_acladmin.getRoleUser'
+              type: array
+            type: array
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get role users
+      tags:
+      - acl/roles
+  /api/acl/users/{userId}/roles:
+    get:
+      parameters:
+      - description: User ID
+        example: 1
+        in: path
+        name: userId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            items:
+              $ref: '#/definitions/api_acladmin.getUserRole'
+            type: array
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get user roles by user ID
+      tags:
+      - acl/users
+    post:
+      parameters:
+      - description: User ID
+        example: 1
+        in: path
+        name: userId
+        required: true
+        type: integer
+      - description: Role ID
+        in: body
+        name: body
+        required: true
+        schema:
+          $ref: '#/definitions/api_acladmin.assignRoleToUserRequest'
+      produces:
+      - application/json
+      responses:
+        "201":
+          description: Created
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Assign role to user
+      tags:
+      - acl/users
+  /api/acl/users/{userId}/roles/{roleId}:
+    delete:
+      parameters:
+      - description: User ID
+        example: 1
+        in: path
+        name: userId
+        required: true
+        type: integer
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Remove role from user
+      tags:
+      - acl/users
+swagger: "2.0"

go.mod

@@ -5,12 +5,33 @@ go 1.24.9
 require (
 	github.com/akyaiy/GSfass/core v0.0.0-20251115194535-2b7489bfc204
 	github.com/spf13/cobra v1.10.1
+	github.com/swaggo/http-swagger v1.3.4
+	github.com/swaggo/swag v1.16.6
+	golang.org/x/crypto v0.46.0
+)
+
+require (
+	github.com/KyleBanks/depth v1.2.1 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/spec v0.20.6 // indirect
+	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe // indirect
+	golang.org/x/mod v0.30.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
 
 require (
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
-	github.com/go-chi/chi/v5 v5.2.3 // indirect
+	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0
+	github.com/google/uuid v1.6.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
@@ -24,8 +45,8 @@ require (
 	github.com/spf13/viper v1.21.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
-	gorm.io/driver/sqlite v1.6.0 // indirect
-	gorm.io/gorm v1.31.1 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	gorm.io/driver/sqlite v1.6.0
+	gorm.io/gorm v1.31.1
 )

go.sum

@@ -1,6 +1,10 @@
+github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc=
+github.com/KyleBanks/depth v1.2.1/go.mod h1:jzSb9d0L43HxTQfT+oSA1EEp2q+ne2uh6XgeJcm8brE=
 github.com/akyaiy/GSfass/core v0.0.0-20251115194535-2b7489bfc204 h1:tvG9DIB1e58sWfDbYLdgOcXRdyZxSYy/wk2VHJHgzec=
 github.com/akyaiy/GSfass/core v0.0.0-20251115194535-2b7489bfc204/go.mod h1:Sk61563skjfIIYbmTUTJSWqGwBp9ODiBMjza8F5+UFY=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
@@ -9,22 +13,47 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
 github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA=
+github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo=
+github.com/go-openapi/spec v0.20.6 h1:ich1RQ3WDbfoeTqTAb+5EIxNmpKVJZWBNah9RAT0jIQ=
+github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM=
+github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
+github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -47,19 +76,50 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
+github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe h1:K8pHPVoTgxFJt1lXuIzzOX7zZhZFldJQK/CgKx9BFIc=
+github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe/go.mod h1:lKJPbtWzJ9JhsTN1k1gZgleJWY/cqq0psdoMmaThG3w=
+github.com/swaggo/http-swagger v1.3.4 h1:q7t/XLx0n15H1Q9/tk3Y9L4n210XzJF5WtnDX64a5ww=
+github.com/swaggo/http-swagger v1.3.4/go.mod h1:9dAh0unqMBAlbp1uE2Uc2mQTxNMU/ha4UbucIg1MFkQ=
+github.com/swaggo/swag v1.16.6 h1:qBNcx53ZaX+M5dxVyTrgQ0PJ/ACK+NzhwcbieTt+9yI=
+github.com/swaggo/swag v1.16.6/go.mod h1:ngP2etMK5a0P3QBizic5MEwpRmluJZPHjXcMoj4Xesg=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
+golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
+golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/sqlite v1.6.0 h1:WHRRrIiulaPiPFmDcod6prc4l2VGVWHz80KspNsxSfQ=

internal/acl/errors.go

@@ -0,0 +1,27 @@
+package acl
+
+// TODO: add more specific errors
+
+import "fmt"
+
+var (
+	ErrNotInitialized = fmt.Errorf("acl service is not initialized")
+
+	ErrRoleNotFound        = fmt.Errorf("role not found")
+	ErrRoleAlreadyExists   = fmt.Errorf("role already exists")
+	ErrInvalidRoleName     = fmt.Errorf("role name is invalid")
+	ErrSameRoleName        = fmt.Errorf("role name is the same as another role")
+	ErrRoleInUse           = fmt.Errorf("role is in use")
+	ErrRoleAlreadyAssigned = fmt.Errorf("role is already assigned to user")
+
+	ErrResourceNotFound        = fmt.Errorf("resource not found")
+	ErrResourceAlreadyExists   = fmt.Errorf("resource already exists")
+	ErrInvalidResourceKey      = fmt.Errorf("invalid resource key")
+	ErrResourceInUse           = fmt.Errorf("resource is in use")
+	ErrSameResourceKey         = fmt.Errorf("resource key is the same as another resource")
+	ErrResourceAlreadyAssigned = fmt.Errorf("resource is already assigned to role")
+	ErrRoleResourceNotFound    = fmt.Errorf("assigned resource to role is not found")
+
+	ErrUserNotFound     = fmt.Errorf("user not found")
+	ErrUserRoleNotFound = fmt.Errorf("user role not found")
+)

internal/acl/models.go

@@ -0,0 +1,32 @@
+package acl
+
+import "git.oblat.lv/alex/triggerssmith/internal/user"
+
+type UserRole struct {
+	UserID uint `gorm:"index;not null;uniqueIndex:ux_user_role"`
+	RoleID uint `gorm:"index;not null;uniqueIndex:ux_user_role"`
+
+	Role Role      `gorm:"constraint:OnDelete:CASCADE;foreignKey:RoleID;references:ID" json:"role"`
+	User user.User `gorm:"constraint:OnDelete:CASCADE;foreignKey:UserID;references:ID"`
+}
+
+type Resource struct {
+	ID  uint   `gorm:"primaryKey;autoIncrement" json:"id"`
+	Key string `gorm:"unique;not null" json:"key"`
+}
+
+type Role struct {
+	ID   uint   `gorm:"primaryKey;autoIncrement" json:"id"`
+	Name string `gorm:"unique;not null" json:"name"`
+
+	Resources []Resource  `gorm:"many2many:role_resources" json:"resources"`
+	Users     []user.User `gorm:"many2many:user_roles"`
+}
+
+type RoleResource struct {
+	RoleID     uint `gorm:"primaryKey" json:"roleId"`
+	ResourceID uint `gorm:"primaryKey" json:"resourceId"`
+
+	Role     Role     `gorm:"constraint:OnDelete:CASCADE;foreignKey:RoleID;references:ID" json:"role"`
+	Resource Resource `gorm:"constraint:OnDelete:CASCADE;foreignKey:ResourceID;references:ID" json:"resource"`
+}

internal/acl/resources.go

@@ -0,0 +1,220 @@
+package acl
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+// GetResources returns all resources.
+// May return [ErrNotInitialized] or db error.
+func (s *Service) GetResources() ([]Resource, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var resources []Resource
+	if err := s.db.Order("id").Find(&resources).Error; err != nil {
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return resources, nil
+}
+
+// CreateResource creates a new resource with the given key or returns existing one.
+// Returns ID of created resource.
+// May return [ErrNotInitialized], [ErrInvalidResourceKey], [ErrResourceAlreadyExists] or db error.
+func (s *Service) CreateResource(key string) (uint, error) {
+	if !s.isInitialized() {
+		return 0, ErrNotInitialized
+	}
+
+	key = strings.TrimSpace(key)
+	if key == "" {
+		return 0, ErrInvalidResourceKey
+	}
+
+	var res Resource
+	if err := s.db.Where("key = ?", key).First(&res).Error; err == nil {
+		// already exists
+		return res.ID, ErrResourceAlreadyExists
+	} else if !errors.Is(err, gorm.ErrRecordNotFound) {
+		// other db error
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	res = Resource{Key: key}
+	if err := s.db.Create(&res).Error; err != nil {
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	return res.ID, nil
+}
+
+// GetResourceByID returns the resource with the given ID.
+// May return [ErrNotInitialized], [ErrResourceNotFound] or db error.
+func (s *Service) GetResourceByID(resourceID uint) (*Resource, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrResourceNotFound
+		}
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return &res, nil
+}
+
+// UpdateResource updates the key of a resource.
+// May return [ErrNotInitialized], [ErrInvalidResourceKey], [ErrResourceNotFound], [ErrSameResourceKey] or db error.
+func (s *Service) UpdateResource(resourceID uint, newKey string) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	newKey = strings.TrimSpace(newKey)
+	if newKey == "" {
+		return ErrInvalidResourceKey
+	}
+
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	// same key?
+	if res.Key == newKey {
+		return ErrSameResourceKey
+	}
+
+	// check if key used by another resource
+	var count int64
+	if err := s.db.Model(&Resource{}).
+		Where("key = ? AND id != ?", newKey, resourceID).
+		Count(&count).Error; err != nil {
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if count > 0 {
+		return ErrSameResourceKey
+	}
+
+	res.Key = newKey
+	if err := s.db.Save(&res).Error; err != nil {
+		return fmt.Errorf("failed to update resource: %w", err)
+	}
+
+	return nil
+}
+
+// DeleteResource deletes a resource.
+// May return [ErrNotInitialized], [ErrResourceNotFound], [ErrResourceInUse] or db error.
+func (s *Service) DeleteResource(resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	result := s.db.Delete(&Resource{}, resourceID)
+
+	if err := result.Error; err != nil {
+		if strings.Contains(err.Error(), "FOREIGN KEY constraint failed") {
+			return ErrResourceInUse
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if result.RowsAffected == 0 {
+		return ErrResourceNotFound
+	}
+
+	return nil
+}
+
+// AssignResourceToRole assigns a resource to a role
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrResourceNotFound], [ErrAlreadyAssigned] or db error.
+func (s *Service) AssignResourceToRole(roleID, resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	// check role exists
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	// check resource exists
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("failed to fetch resource: %w", err)
+	}
+
+	rr := RoleResource{
+		RoleID:     roleID,
+		ResourceID: resourceID,
+	}
+
+	tx := s.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&rr)
+	if tx.Error != nil {
+		return fmt.Errorf("failed to assign resource to role: %w", tx.Error)
+	}
+
+	// if nothing inserted — already assigned
+	if tx.RowsAffected == 0 {
+		return ErrResourceAlreadyAssigned
+	}
+
+	return nil
+}
+
+// RemoveResourceFromRole removes a resource from a role
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrResourceNotFound], [ErrRoleResourceNotFound] or db error.
+func (s *Service) RemoveResourceFromRole(roleID, resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+	// check role exists
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	// check resource exists
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("failed to fetch resource: %w", err)
+	}
+
+	tx := s.db.Where("role_id = ? AND resource_id = ?", roleID, resourceID).Delete(&RoleResource{})
+	if tx.Error != nil {
+		return fmt.Errorf("failed to remove resource from role: %w", tx.Error)
+	}
+
+	if tx.RowsAffected == 0 {
+		return ErrRoleResourceNotFound
+	}
+
+	return nil
+}

internal/acl/roles.go

@@ -0,0 +1,240 @@
+package acl
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"git.oblat.lv/alex/triggerssmith/internal/user"
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+// GetRoles returns all roles.
+// May return [ErrNotInitialized] or db error.
+func (s *Service) GetRoles() ([]Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var roles []Role
+	if err := s.db.Preload("Resources").Preload("Users").Order("id").Find(&roles).Error; err != nil {
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return roles, nil
+}
+
+// CreateRole creates a new role with the given name or returns existing one.
+// Returns the ID of the created role.
+// May return [ErrNotInitialized], [ErrInvalidRoleName], [ErrRoleAlreadyExists] or db error.
+func (s *Service) CreateRole(name string) (uint, error) {
+	if !s.isInitialized() {
+		return 0, ErrNotInitialized
+	}
+
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return 0, ErrInvalidRoleName
+	}
+
+	var role Role
+	if err := s.db.Where("name = ?", name).First(&role).Error; err == nil {
+		// already exists
+		return role.ID, ErrRoleAlreadyExists
+	} else if !errors.Is(err, gorm.ErrRecordNotFound) {
+		// other database error
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	role = Role{Name: name}
+	if err := s.db.Create(&role).Error; err != nil {
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	return role.ID, nil
+}
+
+// GetRoleByID returns the role with the given ID or an error.
+// May return [ErrNotInitialized], [ErrRoleNotFound] or db error.
+func (s *Service) GetRoleByID(roleID uint) (*Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+	var role Role
+	err := s.db.Preload("Resources").Preload("Users").First(&role, roleID).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrRoleNotFound
+		}
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return &role, nil
+}
+
+// UpdateRole updates the name of a role.
+// May return [ErrNotInitialized], [ErrInvalidRoleName], [ErrRoleNotFound], [ErrSameRoleName], or db error.
+func (s *Service) UpdateRole(roleID uint, newName string) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	newName = strings.TrimSpace(newName)
+	if newName == "" {
+		return ErrInvalidRoleName
+	}
+
+	var role Role
+	err := s.db.First(&role, roleID).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	// check for name conflicts
+	if role.Name == newName {
+		return ErrSameRoleName
+	}
+	var count int64
+	err = s.db.Model(&Role{}).Where("name = ? AND id != ?", newName, roleID).Count(&count).Error
+	if err != nil {
+		return fmt.Errorf("db error: %w", err)
+	}
+	if count > 0 {
+		return ErrSameRoleName
+	}
+
+	role.Name = newName
+	if err := s.db.Save(&role).Error; err != nil {
+		return fmt.Errorf("failed to update role: %w", err)
+	}
+
+	return nil
+}
+
+// DeleteRole deletes a role.
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrRoleInUse] or db error.
+func (s *Service) DeleteRole(roleID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	result := s.db.Delete(&Role{}, roleID)
+	if err := result.Error; err != nil {
+		if strings.Contains(err.Error(), "FOREIGN KEY constraint failed") {
+			return ErrRoleInUse
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if result.RowsAffected == 0 {
+		return ErrRoleNotFound
+	}
+
+	return nil
+}
+
+// GetUserRoles returns all roles for a given user.
+// May return [ErrNotInitialized], [ErrUserNotFound], [ErrRoleNotFound] or db error.
+func (s *Service) GetUserRoles(userID uint) ([]Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+	var user user.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrUserNotFound
+		}
+		return nil, fmt.Errorf("failed to fetch user: %w", err)
+	}
+
+	var roles []Role
+	err := s.db.
+		Joins("JOIN user_roles ur ON ur.role_id = roles.id").
+		Where("ur.user_id = ?", userID).
+		Find(&roles).Error
+	if err != nil {
+		return nil, fmt.Errorf("failed to get user roles: %w", err)
+	}
+
+	if len(roles) == 0 {
+		return nil, ErrRoleNotFound
+	}
+	return roles, nil
+}
+
+// AssignRoleToUser assigns a role to a user.
+// May return [ErrNotInitialized], [ErrUserNotFound], [ErrRoleNotFound], [ErrRoleAlreadyAssigned] or db error.
+func (s *Service) AssignRoleToUser(roleID, userID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+	var user user.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrUserNotFound
+		}
+		return fmt.Errorf("failed to fetch user: %w", err)
+	}
+
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	ur := UserRole{
+		UserID: userID,
+		RoleID: roleID,
+	}
+
+	tx := s.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&ur)
+	if tx.Error != nil {
+		return fmt.Errorf("failed to assign resource to role: %w", tx.Error)
+	}
+	if tx.RowsAffected == 0 {
+		return ErrRoleAlreadyAssigned
+	}
+
+	return nil
+}
+
+// RemoveRoleFromUser removes a role from a user.
+// May return [ErrNotInitialized], [ErrUserNotFound], [ErrRoleNotFound], [ErrUserRoleNotFound] or db error.
+func (s *Service) RemoveRoleFromUser(roleID, userID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	var user user.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrUserNotFound
+		}
+		return fmt.Errorf("failed to fetch user: %w", err)
+	}
+
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	tx := s.db.Where("role_id = ? AND user_id = ?", roleID, userID).Delete(&UserRole{})
+	if tx.Error != nil {
+		return fmt.Errorf("failed to remove role from user: %w", tx.Error)
+	}
+
+	if tx.RowsAffected == 0 {
+		return ErrUserRoleNotFound
+	}
+
+	return nil
+}

internal/acl/service.go

@@ -0,0 +1,41 @@
+package acl
+
+import (
+	"fmt"
+
+	"gorm.io/gorm"
+)
+
+type Service struct {
+	initialized bool
+
+	db *gorm.DB
+}
+
+func NewService(db *gorm.DB) (*Service, error) {
+	if db == nil {
+		return nil, fmt.Errorf("db is required")
+	}
+	return &Service{
+		db: db,
+	}, nil
+}
+
+func (s *Service) isInitialized() bool {
+	return s.initialized
+}
+
+func (s *Service) Init() error {
+	if s.isInitialized() {
+		return nil
+	}
+
+	// AutoMigrate models
+	err := s.db.AutoMigrate(&UserRole{}, &Resource{}, &Role{}, &RoleResource{})
+	if err != nil {
+		return fmt.Errorf("failed to migrate ACL models: %w", err)
+	}
+
+	s.initialized = true
+	return nil
+}

internal/acl_test/crud_test.go

@@ -0,0 +1,158 @@
+package acl_test
+
+// DEPRECATED TEST FILE
+
+// import (
+// 	"os"
+// 	"path/filepath"
+// 	"testing"
+
+// 	"git.oblat.lv/alex/triggerssmith/internal/acl"
+// 	"git.oblat.lv/alex/triggerssmith/internal/user"
+// 	"gorm.io/driver/sqlite"
+// 	"gorm.io/gorm"
+// )
+
+// func openTestDB(t *testing.T) *gorm.DB {
+// 	t.Helper()
+
+// 	// Путь к файлу базы
+// 	dbPath := filepath.Join("testdata", "test.db")
+
+// 	// Удаляем старую базу, если есть
+// 	os.Remove(dbPath)
+
+// 	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+// 	if err != nil {
+// 		t.Fatalf("failed to open test db: %v", err)
+// 	}
+
+// 	// Миграция таблицы User для связи с ACL
+// 	if err := db.AutoMigrate(&user.User{}); err != nil {
+// 		t.Fatalf("failed to migrate User: %v", err)
+// 	}
+
+// 	return db
+// }
+
+// func TestACLService_CRUD(t *testing.T) {
+// 	db := openTestDB(t)
+
+// 	// Создаём сервис ACL
+// 	svc, err := acl.NewService(db)
+// 	if err != nil {
+// 		t.Fatalf("failed to create ACL service: %v", err)
+// 	}
+
+// 	if err := svc.Init(); err != nil {
+// 		t.Fatalf("failed to init ACL service: %v", err)
+// 	}
+
+// 	// Создаём роли
+// 	if err := svc.CreateRole("admin"); err != nil {
+// 		t.Fatalf("CreateRole failed: %v", err)
+// 	}
+// 	if err := svc.CreateRole("guest"); err != nil {
+// 		t.Fatalf("CreateRole failed: %v", err)
+// 	}
+
+// 	roles, err := svc.GetRoles()
+// 	if err != nil {
+// 		t.Fatalf("GetRoles failed: %v", err)
+// 	}
+// 	if len(roles) != 2 {
+// 		t.Fatalf("expected 2 roles, got %d", len(roles))
+// 	}
+
+// 	// Создаём ресурсы
+// 	if err := svc.CreateResource("*"); err != nil {
+// 		t.Fatalf("CreateResource failed: %v", err)
+// 	}
+// 	if err := svc.CreateResource("html.view.*"); err != nil {
+// 		t.Fatalf("CreateResource failed: %v", err)
+// 	}
+
+// 	resources, err := svc.GetPermissions()
+// 	if err != nil {
+// 		t.Fatalf("GetPermissions failed: %v", err)
+// 	}
+// 	if len(resources) != 2 {
+// 		t.Fatalf("expected 2 resources, got %d", len(resources))
+// 	}
+
+// 	// 1. Создаём сервис user
+// 	store, err := user.NewGormUserStore(db)
+// 	if err != nil {
+// 		t.Fatalf("failed to create user store: %v", err)
+// 	}
+// 	userSvc, err := user.NewService(store)
+// 	if err != nil {
+// 		t.Fatalf("failed to create user service: %v", err)
+// 	}
+
+// 	// 2. Инициализируем
+// 	if err := userSvc.Init(); err != nil {
+// 		t.Fatalf("failed to init user service: %v", err)
+// 	}
+
+// 	user := &user.User{
+// 		Username: "testuser",
+// 		Email:    "testuser@example.com",
+// 		Password: "secret",
+// 	}
+
+// 	u := user
+
+// 	// 3. Создаём пользователя через сервис
+// 	err = userSvc.Create(user)
+// 	if err != nil {
+// 		t.Fatalf("failed to create user: %v", err)
+// 	}
+
+// 	// Привязываем роль к пользователю
+// 	adminRoleID := roles[0].ID
+// 	if err := svc.AssignRoleToUser(adminRoleID, uint(u.ID)); err != nil {
+// 		t.Fatalf("AssignRoleToUser failed: %v", err)
+// 	}
+
+// 	userRoles, err := svc.GetUserRoles(uint(u.ID))
+// 	if err != nil {
+// 		t.Fatalf("GetUserRoles failed: %v", err)
+// 	}
+// 	if len(userRoles) != 1 || userRoles[0].ID != adminRoleID {
+// 		t.Fatalf("expected user to have admin role")
+// 	}
+
+// 	// Привязываем ресурсы к роли
+// 	for _, res := range resources {
+// 		if err := svc.AssignResourceToRole(adminRoleID, res.ID); err != nil {
+// 			t.Fatalf("AssignResourceToRole failed: %v", err)
+// 		}
+// 	}
+
+// 	roleResources, err := svc.GetRoleResources(adminRoleID)
+// 	if err != nil {
+// 		t.Fatalf("GetRoleResources failed: %v", err)
+// 	}
+// 	if len(roleResources) != 2 {
+// 		t.Fatalf("expected role to have 2 resources")
+// 	}
+
+// 	// Удаляем ресурс из роли
+// 	if err := svc.RemoveResourceFromRole(adminRoleID, resources[0].ID); err != nil {
+// 		t.Fatalf("RemoveResourceFromRole failed: %v", err)
+// 	}
+// 	roleResources, _ = svc.GetRoleResources(adminRoleID)
+// 	if len(roleResources) != 1 {
+// 		t.Fatalf("expected 1 resource after removal")
+// 	}
+
+// 	// Удаляем роль у пользователя
+// 	if err := svc.RemoveRoleFromUser(adminRoleID, uint(u.ID)); err != nil {
+// 		t.Fatalf("RemoveRoleFromUser failed: %v", err)
+// 	}
+// 	userRoles, _ = svc.GetUserRoles(uint(u.ID))
+// 	if len(userRoles) != 0 {
+// 		t.Fatalf("expected user to have 0 roles after removal")
+// 	}
+// }

internal/auth/service.go

@@ -0,0 +1,246 @@
+package auth
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/jwt"
+	"git.oblat.lv/alex/triggerssmith/internal/token"
+	"git.oblat.lv/alex/triggerssmith/internal/user"
+	ejwt "github.com/golang-jwt/jwt/v5"
+	"golang.org/x/crypto/bcrypt"
+)
+
+type Tokens struct {
+	Access  string
+	Refresh string
+}
+
+type Service struct {
+	cfg *config.Config
+
+	services struct {
+		jwt   *jwt.Service
+		user  *user.Service
+		token *token.Service
+	}
+}
+
+type AuthServiceDependencies struct {
+	Configuration *config.Config
+
+	JWTService   *jwt.Service
+	UserService  *user.Service
+	TokenService *token.Service
+}
+
+func NewAuthService(deps AuthServiceDependencies) (*Service, error) {
+	if deps.Configuration == nil {
+		return nil, fmt.Errorf("config is nil")
+	}
+	if deps.JWTService == nil {
+		return nil, fmt.Errorf("jwt service is nil")
+	}
+	if deps.UserService == nil {
+		return nil, fmt.Errorf("user service is nil")
+	}
+	if deps.TokenService == nil {
+		return nil, fmt.Errorf("token service is nil")
+	}
+	return &Service{
+		cfg: deps.Configuration,
+		services: struct {
+			jwt   *jwt.Service
+			user  *user.Service
+			token *token.Service
+		}{
+			jwt:   deps.JWTService,
+			user:  deps.UserService,
+			token: deps.TokenService,
+		},
+	}, nil
+}
+
+// Users
+
+func (s *Service) Get(by, value string) (*user.User, error) {
+	return s.services.user.GetBy(by, value)
+}
+
+// Register creates a new user with the given username, email, and password.
+// Password is hashed before storing.
+// Returns the created user or an error.
+func (s *Service) Register(username, email, password string) (*user.User, error) {
+	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, fmt.Errorf("failed to hash password: %w", err)
+	}
+
+	user := &user.User{
+		Username: username,
+		Email:    email,
+		Password: string(hashedPassword),
+	}
+
+	err = s.services.user.Create(user)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create user: %w", err)
+	}
+
+	return user, nil
+}
+
+// Login authenticates a user with the given username and password.
+// Returns access and refresh tokens if successful.
+func (s *Service) Login(username, password string) (*Tokens, error) {
+	user, err := s.services.user.GetBy("username", username)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get user by username: %w", err)
+	}
+
+	err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
+	if err != nil {
+		return nil, fmt.Errorf("invalid password: %w", err)
+	}
+	refreshToken, rjti, err := s.services.jwt.Generate(s.cfg.Auth.RefreshTokenTTL, ejwt.MapClaims{
+		"sub": user.ID,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
+	}
+	accessToken, _, err := s.services.jwt.Generate(s.cfg.Auth.AccessTokenTTL, ejwt.MapClaims{
+		"sub":  user.ID,
+		"rjti": rjti,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
+	}
+	return &Tokens{Access: accessToken, Refresh: refreshToken}, nil
+}
+
+// Logout revokes the refresh token identified by the given rjti.
+func (s *Service) Logout(rjti string) error {
+	return s.services.token.RevokeByRefreshDefault(rjti)
+}
+
+// Access tokens
+
+// ValidateAccessToken validates the given access token string.
+// Returns the user ID (sub claim) if valid, or an error.
+func (s *Service) ValidateAccessToken(tokenStr string) (int64, error) {
+	claims, _, err := s.services.jwt.Validate(tokenStr)
+	if err != nil {
+		return 0, fmt.Errorf("failed to validate access token: %w", err)
+	}
+
+	isRevoked, err := s.services.token.IsRevoked(claims["rjti"].(string))
+	if err != nil {
+		return 0, fmt.Errorf("failed to check if token is revoked: %w", err)
+	}
+	if isRevoked {
+		return 0, fmt.Errorf("token is revoked")
+	}
+
+	sub := claims["sub"].(float64)
+	return int64(sub), nil
+}
+
+// Refresh tokens
+
+// RefreshTokens validates the given refresh token and issues new access and refresh tokens.
+// Returns the new access and refresh tokens or an error.
+func (s *Service) RefreshTokens(refreshTokenStr string) (*Tokens, error) {
+	claims, rjti, err := s.services.jwt.Validate(refreshTokenStr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	isRevoked, err := s.services.token.IsRevoked(rjti)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if token is revoked: %w", err)
+	}
+	if isRevoked {
+		return nil, fmt.Errorf("refresh token is revoked")
+	}
+
+	sub := claims["sub"].(float64)
+
+	newRefreshToken, newRjti, err := s.services.jwt.Generate(s.cfg.Auth.RefreshTokenTTL, ejwt.MapClaims{
+		"sub": sub,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate new refresh token: %w", err)
+	}
+	newAccessToken, _, err := s.services.jwt.Generate(s.cfg.Auth.AccessTokenTTL, ejwt.MapClaims{
+		"sub":  sub,
+		"rjti": newRjti,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate new access token: %w", err)
+	}
+
+	// Revoke the old refresh token
+	if err := s.services.token.RevokeByRefreshDefault(rjti); err != nil {
+		return nil, fmt.Errorf("failed to revoke old refresh token: %w", err)
+	}
+
+	return &Tokens{Access: newAccessToken, Refresh: newRefreshToken}, nil
+}
+
+// ValidateRefreshToken validates the given refresh token string.
+// Returns user id and error.
+func (s *Service) ValidateRefreshToken(tokenStr string) (int64, error) {
+	claims, _, err := s.services.jwt.Validate(tokenStr)
+	if err != nil {
+		return 0, fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	isRevoked, err := s.services.token.IsRevoked(claims["jti"].(string))
+	if err != nil {
+		return 0, fmt.Errorf("failed to check if token is revoked: %w", err)
+	}
+	if isRevoked {
+		return 0, fmt.Errorf("refresh token is revoked")
+	}
+
+	sub := claims["sub"].(float64)
+	return int64(sub), nil
+}
+
+// RevokeRefresh revokes the refresh token identified by the given token string.
+func (s *Service) RevokeRefresh(token string) error {
+	_, rjti, err := s.services.jwt.Validate(token)
+	if err != nil {
+		return fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	return s.services.token.RevokeByRefreshDefault(rjti)
+}
+
+// IsRefreshRevoked checks if the refresh token identified by the given token string is revoked.
+func (s *Service) IsRefreshRevoked(token string) (bool, error) {
+	_, rjti, err := s.services.jwt.Validate(token)
+	if err != nil {
+		return false, fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	return s.services.token.IsRevoked(rjti)
+}
+
+func (s *Service) AuthenticateRequest(r *http.Request) (ejwt.Claims, error) {
+	header := r.Header.Get("Authorization")
+	if header == "" {
+		return nil, fmt.Errorf("token is missing")
+	}
+	if !strings.HasPrefix(header, "Bearer ") {
+		return nil, fmt.Errorf("token is missing")
+	}
+	tokenString := strings.TrimPrefix(header, "Bearer ")
+	tokenClaims, _, err := s.services.jwt.Validate(tokenString)
+	if err != nil {
+		return nil, err
+	}
+	return tokenClaims, nil
+}

internal/config/config.go

@@ -31,9 +31,22 @@ type FuncConfig struct {
 	FunctionDir string `mapstructure:"func_dir"`
 }
 
+type Auth struct {
+	SignAlg         string        `mapstructure:"sign_alg"`
+	HMACSecretPath  string        `mapstructure:"hmac_secret_path"`
+	RefreshTokenTTL time.Duration `mapstructure:"refresh_token_ttl"`
+	AccessTokenTTL  time.Duration `mapstructure:"access_token_ttl"`
+}
+
+type Data struct {
+	DataPath string `mapstructure:"data_dir"`
+}
+
 type Config struct {
 	Server    ServerConfig `mapstructure:"server"`
 	Functions FuncConfig   `mapstructure:"functions"`
+	Auth      Auth         `mapstructure:"auth"`
+	Data      Data         `mapstructure:"data"`
 }
 
 var configPath atomic.Value // string
@@ -48,7 +61,14 @@ var defaults = map[string]any{
 	"server.block.enabled":     true,
 	"server.block.block_dir":   "./blocks",
 
+	"data.data_dir": "./data",
+
 	"functions.func_dir": "./functions",
+
+	"auth.refresh_token_ttl": 24 * time.Hour,
+	"auth.access_token_ttl":  15 * time.Minute,
+	"auth.sign_alg":          "HS256",
+	"auth.hmac_secret_path":  "./secret/hmac_secret",
 }
 
 func read(cfg *Config) error {

internal/jwt/parse.go

@@ -0,0 +1,28 @@
+package jwt
+
+import (
+	"fmt"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func Parse(
+	tokenStr string,
+	method jwt.SigningMethod,
+	key any,
+) (jwt.Claims, error) {
+	t, err := jwt.Parse(tokenStr, func(tok *jwt.Token) (any, error) {
+		if tok.Method.Alg() != method.Alg() {
+			return nil, fmt.Errorf("unexpected signing method")
+		}
+		return key, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	// check validity twice: invalid token may return nil error
+	if !t.Valid {
+		return nil, fmt.Errorf("invalid token")
+	}
+	return t.Claims, nil
+}

internal/jwt/service.go

@@ -0,0 +1,48 @@
+package jwt
+
+import (
+	"maps"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+)
+
+type Service struct {
+	signer Signer
+}
+
+func NewService(signer Signer) *Service {
+	return &Service{
+		signer: signer,
+	}
+}
+
+// Generate creates a new JWT token for a given user ID and
+// returns the token string along with its JTI(JWT IDentifier).
+func (s *Service) Generate(ttl time.Duration, extraClaims jwt.MapClaims) (string, string, error) {
+	jti := uuid.NewString()
+
+	claims := jwt.MapClaims{
+		"jti": jti,
+		"exp": time.Now().Add(ttl).Unix(),
+		"iat": time.Now().Unix(),
+	}
+	maps.Copy(claims, extraClaims)
+
+	token, err := s.signer.Sign(claims)
+	return token, jti, err
+}
+
+// Validate verifies the JWT token and extracts the claims and JTI(JWT IDentifier).
+// Returns claims, jti, and error if any.
+func (s *Service) Validate(token string) (jwt.MapClaims, string, error) {
+	claims, err := s.signer.Verify(token)
+	if err != nil {
+		return nil, "", err
+	}
+
+	jti := claims.(jwt.MapClaims)["jti"].(string)
+
+	return claims.(jwt.MapClaims), jti, nil
+}

internal/jwt/signer.go

@@ -0,0 +1,8 @@
+package jwt
+
+import "github.com/golang-jwt/jwt/v5"
+
+type Signer interface {
+	Sign(claims jwt.Claims) (string, error)
+	Verify(token string) (jwt.Claims, error)
+}

internal/jwt/signer_HS256.go

@@ -0,0 +1,20 @@
+package jwt
+
+import "github.com/golang-jwt/jwt/v5"
+
+type HMACSigner struct {
+	secret []byte
+}
+
+func NewHMACSigner(secret []byte) *HMACSigner {
+	return &HMACSigner{secret: secret}
+}
+
+func (s *HMACSigner) Sign(claims jwt.Claims) (string, error) {
+	t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return t.SignedString(s.secret)
+}
+
+func (s *HMACSigner) Verify(tokenStr string) (jwt.Claims, error) {
+	return Parse(tokenStr, jwt.SigningMethodHS256, s.secret)
+}

internal/server/error.go

@@ -0,0 +1,20 @@
+package server
+
+import (
+	"encoding/json"
+	"net/http"
+)
+
+type ErrorResponse struct {
+	Error   string `json:"error"`
+	Details string `json:"details,omitempty"`
+}
+
+func WriteError(w http.ResponseWriter, error, details string, statusCode int) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(statusCode)
+	json.NewEncoder(w).Encode(ErrorResponse{
+		Error:   error,
+		Details: details,
+	})
+}

internal/server/notimpl.go

@@ -0,0 +1,7 @@
+package server
+
+import "net/http"
+
+func NotImplemented(w http.ResponseWriter) {
+	http.Error(w, "Not implemented", http.StatusNotImplemented)
+}

internal/token/service.go

@@ -0,0 +1,63 @@
+package token
+
+import (
+	"fmt"
+	"time"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+)
+
+type TokenStore interface {
+	revoke(tokenID string, expiresAt time.Time) error
+	isRevoked(tokenID string) (bool, error)
+
+	init() error
+}
+
+type Service struct {
+	initialized bool
+
+	cfg   *config.Auth
+	store TokenStore
+}
+
+func NewTokenService(cfg *config.Auth, store TokenStore) (*Service, error) {
+	if store == nil {
+		return nil, fmt.Errorf("store is nil")
+	}
+	if cfg == nil {
+		return nil, fmt.Errorf("config is nil")
+	}
+	return &Service{cfg: cfg, store: store}, nil
+}
+
+func (s *Service) isInitialized() bool {
+	return s.initialized
+}
+
+func (s *Service) Init() error {
+	if s.isInitialized() {
+		return nil
+	}
+
+	err := s.store.init()
+	if err != nil {
+		return fmt.Errorf("failed to initialize token store: %w", err)
+	}
+
+	s.initialized = true
+	return nil
+}
+
+func (s *Service) Revoke(jti string, exp time.Time) error {
+	return s.store.revoke(jti, exp)
+}
+
+func (s *Service) RevokeByRefreshDefault(jti string) error {
+	expiryTime := time.Now().Add(-time.Duration(s.cfg.RefreshTokenTTL))
+	return s.store.revoke(jti, expiryTime)
+}
+
+func (s *Service) IsRevoked(jti string) (bool, error) {
+	return s.store.isRevoked(jti)
+}

internal/token/store_sqlite.go

@@ -0,0 +1,55 @@
+package token
+
+import (
+	"fmt"
+	"time"
+
+	"gorm.io/gorm"
+)
+
+type SQLiteTokenStore struct {
+	db *gorm.DB
+}
+
+type Token struct {
+	TokenID    string    `gorm:"primaryKey"`
+	UserID     int64     `gorm:"index"`
+	Expiration time.Time `gorm:"index"`
+}
+
+// NewSQLiteTokenStore creates a new SQLiteTokenStore with the given GORM DB instance.
+// Actually can be used for any GORM-supported database.
+func NewSQLiteTokenStore(db *gorm.DB) (*SQLiteTokenStore, error) {
+	if db == nil {
+		return nil, fmt.Errorf("db is nil")
+	}
+	return &SQLiteTokenStore{
+		db: db,
+	}, nil
+}
+
+func (s *SQLiteTokenStore) revoke(tokenID string, expiresAt time.Time) error {
+	return s.db.Create(&Token{
+		TokenID:    tokenID,
+		Expiration: expiresAt,
+	}).Error
+}
+
+func (s *SQLiteTokenStore) isRevoked(tokenID string) (bool, error) {
+	var count int64
+	err := s.db.Model(&Token{}).Where("token_id = ?", tokenID).Count(&count).Error
+	if err != nil {
+		return false, err
+	}
+	return count > 0, nil
+}
+
+func (s *SQLiteTokenStore) init() error {
+	// AutoMigrate models
+	err := s.db.AutoMigrate(&Token{})
+	if err != nil {
+		return fmt.Errorf("failed to migrate Token model: %w", err)
+	}
+
+	return nil
+}

internal/token/store_sqlite_test.go

@@ -0,0 +1,71 @@
+package token
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+func setupTestDB(t *testing.T) *gorm.DB {
+	t.Helper()
+
+	dbPath := filepath.Join("testdata", "tokens.db")
+
+	_ = os.Remove(dbPath)
+
+	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+	if err != nil {
+		t.Fatalf("failed to open db: %v", err)
+	}
+
+	if err := db.AutoMigrate(&Token{}); err != nil {
+		t.Fatalf("failed to migrate: %v", err)
+	}
+
+	return db
+}
+
+func TestSQLiteTokenStore_RevokeAndCheck(t *testing.T) {
+	db := setupTestDB(t)
+
+	store, err := NewSQLiteTokenStore(db)
+	if err != nil {
+		t.Fatalf("failed to create store: %v", err)
+	}
+
+	cfg := &config.Auth{
+		RefreshTokenTTL: 24 * time.Hour,
+	}
+	service, err := NewTokenService(cfg, store)
+	if err != nil {
+		t.Fatalf("failed to create service: %v", err)
+	}
+
+	jti := "test-token-123"
+	exp := time.Now().Add(time.Hour)
+
+	revoked, err := service.IsRevoked(jti)
+	if err != nil {
+		t.Fatalf("isRevoked failed: %v", err)
+	}
+	if revoked {
+		t.Fatalf("token should NOT be revoked initially")
+	}
+
+	if err := service.Revoke(jti, exp); err != nil {
+		t.Fatalf("revoke failed: %v", err)
+	}
+
+	revoked, err = service.IsRevoked(jti)
+	if err != nil {
+		t.Fatalf("isRevoked failed: %v", err)
+	}
+	if !revoked {
+		t.Fatalf("token should be revoked")
+	}
+}

internal/user/errors.go

@@ -0,0 +1,7 @@
+package user
+
+import "fmt"
+
+var (
+	ErrUserNotFound = fmt.Errorf("user not found")
+)

internal/user/gorm_store.go

@@ -0,0 +1,55 @@
+package user
+
+import (
+	"fmt"
+
+	"gorm.io/gorm"
+)
+
+type GormUserStore struct {
+	db *gorm.DB
+}
+
+func NewGormUserStore(db *gorm.DB) (*GormUserStore, error) {
+	if db == nil {
+		return nil, fmt.Errorf("db is nil")
+	}
+	return &GormUserStore{
+		db: db,
+	}, nil
+}
+
+func (s *GormUserStore) Create(user *User) error {
+	return s.db.Create(user).Error
+}
+
+// Search returns a user by username or id or email
+func (s *GormUserStore) GetBy(by, value string) (*User, error) {
+	if by != "username" && by != "id" && by != "email" {
+		return nil, fmt.Errorf("unsuppored field %s", by)
+	}
+	var user User
+	err := s.db.Where(fmt.Sprintf("%s = ?", by), value).First(&user).Error
+	if err != nil {
+		return nil, err
+	}
+	return &user, nil
+}
+
+func (s *GormUserStore) Update(user *User) error {
+	return s.db.Save(user).Error
+}
+
+func (s *GormUserStore) Delete(id int64) error {
+	return s.db.Delete(&User{}, id).Error
+}
+
+func (s *GormUserStore) init() error {
+	// AutoMigrate models
+	err := s.db.AutoMigrate(&User{})
+	if err != nil {
+		return fmt.Errorf("failed to migrate User model: %w", err)
+	}
+
+	return nil
+}

internal/user/model.go

@@ -0,0 +1,13 @@
+package user
+
+import (
+	"gorm.io/gorm"
+)
+
+type User struct {
+	ID        uint           `gorm:"primaryKey"`
+	Username  string         `gorm:"uniqueIndex;not null"`
+	Email     string         `gorm:"uniqueIndex;not null"`
+	Password  string         `gorm:"not null"`
+	DeletedAt gorm.DeletedAt `gorm:"index"`
+}

internal/user/service.go

@@ -0,0 +1,64 @@
+package user
+
+import "fmt"
+
+type Service struct {
+	initialized bool
+
+	store UserCRUD
+}
+
+func NewService(store UserCRUD) (*Service, error) {
+	if store == nil {
+		return nil, fmt.Errorf("store is nil")
+	}
+	return &Service{
+		store: store,
+	}, nil
+}
+
+func (s *Service) isInitialized() bool {
+	return s.initialized
+}
+
+func (s *Service) Init() error {
+	if s.isInitialized() {
+		return nil
+	}
+
+	err := s.store.init()
+	if err != nil {
+		return fmt.Errorf("failed to initialize user store: %w", err)
+	}
+
+	s.initialized = true
+	return nil
+}
+
+func (s *Service) Create(user *User) error {
+	if !s.isInitialized() {
+		return fmt.Errorf("user service is not initialized")
+	}
+	return s.store.Create(user)
+}
+
+func (s *Service) GetBy(by, value string) (*User, error) {
+	if !s.isInitialized() {
+		return nil, fmt.Errorf("user service is not initialized")
+	}
+	return s.store.GetBy(by, value)
+}
+
+func (s *Service) Update(user *User) error {
+	if !s.isInitialized() {
+		return fmt.Errorf("user service is not initialized")
+	}
+	return s.store.Update(user)
+}
+
+func (s *Service) Delete(id int64) error {
+	if !s.isInitialized() {
+		return fmt.Errorf("user service is not initialized")
+	}
+	return s.store.Delete(id)
+}

internal/user/store.go

@@ -0,0 +1,10 @@
+package user
+
+type UserCRUD interface {
+	Create(user *User) error
+	GetBy(by, value string) (*User, error)
+	Update(user *User) error
+	Delete(id int64) error
+
+	init() error
+}

internal/user/user_test.go

@@ -0,0 +1,86 @@
+package user
+
+// DEPRECATED TEST FILE
+
+// import (
+// 	"os"
+// 	"path/filepath"
+// 	"testing"
+
+// 	"gorm.io/driver/sqlite"
+// 	"gorm.io/gorm"
+// )
+
+// func setupTestDB(t *testing.T) *gorm.DB {
+// 	t.Helper()
+
+// 	dbPath := filepath.Join("testdata", "users.db")
+
+// 	_ = os.Remove(dbPath)
+
+// 	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+// 	if err != nil {
+// 		t.Fatalf("failed to open db: %v", err)
+// 	}
+
+// 	if err := db.AutoMigrate(&User{}); err != nil {
+// 		t.Fatalf("failed to migrate: %v", err)
+// 	}
+
+// 	return db
+// }
+
+// func TestUsersCRUD(t *testing.T) {
+// 	db := setupTestDB(t)
+
+// 	store, err := NewGormUserStore(db)
+// 	if err != nil {
+// 		t.Fatalf("failed to create store: %v", err)
+// 	}
+
+// 	service, err := NewService(store)
+// 	if err != nil {
+// 		t.Fatalf("failed to create service: %v", err)
+// 	}
+
+// 	user := &User{
+// 		Username: "testuser",
+// 		Email:    "test@example.com",
+// 		Password: "password123",
+// 	}
+
+// 	if err := service.Create(user); err != nil {
+// 		t.Fatalf("failed to create user: %v", err)
+// 	}
+// 	// retrieved, err := service.GetByID(user.ID)
+// 	// if err != nil {
+// 	// 	t.Fatalf("failed to get user by ID: %v", err)
+// 	// }
+// 	// if retrieved.Username != user.Username {
+// 	// 	t.Fatalf("expected username %s, got %s", user.Username, retrieved.Username)
+// 	// }
+
+// 	// retrievedByUsername, err := service.GetByUsername(user.Username)
+// 	// if err != nil {
+// 	// 	t.Fatalf("failed to get user by username: %v", err)
+// 	// }
+// 	// if retrievedByUsername.Email != user.Email {
+// 	// 	t.Fatalf("expected email %s, got %s", user.Email, retrievedByUsername.Email)
+// 	// }
+
+// 	// user.Email = "newemail@example.com"
+// 	// if err := service.Update(user); err != nil {
+// 	// 	t.Fatalf("failed to update user: %v", err)
+// 	// }
+// 	// retrieved, err = service.GetByID(user.ID)
+// 	// if err != nil {
+// 	// 	t.Fatalf("failed to get user by ID: %v", err)
+// 	// }
+// 	// if retrieved.Email != user.Email {
+// 	// 	t.Fatalf("expected email %s, got %s", user.Email, retrieved.Email)
+// 	// }
+// 	err = service.Delete(user.ID)
+// 	if err != nil {
+// 		t.Fatalf("failed to delete user: %v", err)
+// 	}
+// }

main.go

@@ -1,3 +1,6 @@
+// The main file only starts cobra
+
+// Copyright 2025 TriggerSmith Labs. All rights reserved.
 package main
 
 import (