swag fmt

.gitignore

@@ -1,3 +1,7 @@
 bin/
 config.yaml
-*.sqlite3
+*.sqlite3
+panic.log
+testdata/
+secret/
+data/

Makefile

@@ -20,7 +20,7 @@ imports-tools:
 		go install golang.org/x/tools/cmd/goimports@latest; \
 	fi
 
-.PHONY: all build run test lint fmt imports
+.PHONY: all swag build run test lint fmt imports
 
 all: build
 
@@ -30,6 +30,12 @@ run: build
 
 BUILD_PARAMS = -trimpath -ldflags "-X git.oblat.lv/alex/triggerssmith/internal/vars.Version=$(VERSION)"
 
+build-with-swag: swag build
+
+swag:
+	@echo "-- generating swagger docs"
+	@swag init -g cmd/serve.go
+
 build:
 	@echo "-- building $(NAME)"
 	@go build $(BUILD_PARAMS) -o $(BINARY) $(ENTRY)  

api/acl_admin/common_models.go

@@ -0,0 +1,11 @@
+package api_acladmin
+
+type errorInvalidRequestBody struct {
+	Error   string `json:"error" example:"INVALID_REQUEST_BODY"`
+	Details string `json:"details" example:"Request body is not valid JSON"`
+}
+
+type errorInternalServerError struct {
+	Error   string `json:"error"`
+	Details string `json:"details"`
+}

api/acl_admin/errors.go

@@ -0,0 +1,59 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+)
+
+const (
+	ErrorInvalidRequestBody  = "INVALID_REQUEST_BODY"
+	ErrorInternalServerError = "INTERNAL_SERVER_ERROR"
+
+	// Roles
+	ErrorFailedToCreateRole = "FAILED_TO_CREATE_ROLE"
+	ErrorFailedToGetRole    = "FAILED_TO_GET_ROLE"
+	ErrorFailedToUpdateRole = "FAILED_TO_UPDATE_ROLE"
+	ErrorFailedToDeleteRole = "FAILED_TO_DELETE_ROLE"
+
+	ErrorInvalidRoleID = "INVALID_ROLE_ID"
+	ErrorRoleNotFound  = "ROLE_NOT_FOUND"
+
+	// Resources
+	ErrorFailedToCreateResource = "FAILED_TO_CREATE_RESOURCE"
+	ErrorFailedToGetResource    = "FAILED_TO_GET_RESOURCE"
+	ErrorFailedToUpdateResource = "FAILED_TO_UPDATE_RESOURCE"
+	ErrorFailedToDeleteResource = "FAILED_TO_DELETE_RESOURCE"
+
+	ErrorInvalidResourceID = "INVALID_RESOURCE_ID"
+	ErrorResourceNotFound  = "RESOURCE_NOT_FOUND"
+)
+
+const (
+	ErrorACLServiceNotInitialized = "ACL service is not initialized"
+)
+
+// RFC-7807 (Problem Details)
+type ProblemDetails struct {
+	Type     string `json:"type" example:"https://api.triggerssmith.com/errors/role-not-found"`
+	Title    string `json:"title" example:"Role not found"`
+	Status   int    `json:"status" example:"404"`
+	Detail   string `json:"detail" example:"No role with ID 42"`
+	Instance string `json:"instance" example:"/api/acl/roles/42"`
+}
+
+var typeDomain = "https://api.triggerssmith.com"
+
+func writeProblem(w http.ResponseWriter, status int, typ, title, detail string, r *http.Request) {
+	w.Header().Set("Content-Type", "application/problem+json")
+	w.WriteHeader(status)
+	prob := ProblemDetails{
+		Type:     typeDomain + typ,
+		Title:    title,
+		Status:   status,
+		Detail:   detail,
+		Instance: r.URL.Path,
+	}
+	slog.Warn("new problem", "type", typ, "title", title, "detail", detail, "instance", r.URL.Path, "status", status)
+	_ = json.NewEncoder(w).Encode(prob)
+}

api/acl_admin/handle.go

@@ -0,0 +1,259 @@
+package api_acladmin
+
+import (
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+
+	//"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/go-chi/chi/v5"
+)
+
+type aclAdminHandler struct {
+	cfg  *config.Config
+	a    *acl.Service
+	auth *auth.Service
+}
+
+func MustRoute(config *config.Config, aclService *acl.Service, authService *auth.Service) func(chi.Router) {
+	if config == nil {
+		panic("config is nil")
+	}
+	if aclService == nil {
+		panic("aclService is nil")
+	}
+	if authService == nil {
+		panic("authService is nil")
+	}
+	h := &aclAdminHandler{
+		cfg:  config,
+		a:    aclService,
+		auth: authService,
+	}
+	// GET    /roles            — список ролей
+	// POST   /roles            — создать роль
+	// GET    /roles/{roleId}   — получить роль
+	// PATCH  /roles/{roleId}   — обновить роль (если нужно)
+	// DELETE /roles/{roleId}   — удалить роль
+
+	// GET    /resources              — список ресурсов
+	// POST   /resources              — создать ресурс
+	// GET    /resources/{resId}      — получить ресурс
+	// PATCH  /resources/{resId}      — обновить ресурс
+	// DELETE /resources/{resId}      — удалить ресурс
+
+	// GET    /users/{userId}/roles           — роли пользователя
+	// POST   /users/{userId}/roles           — назначить роль пользователю
+	// DELETE /users/{userId}/roles/{roleId}  — снять роль
+
+	// GET    /roles/{roleId}/resources           — ресурсы роли
+	// POST   /roles/{roleId}/resources           — назначить ресурс роли
+	// DELETE /roles/{roleId}/resources/{resId}   — убрать ресурс
+	return func(r chi.Router) {
+		// Roles
+		r.Get("/roles", h.getRoles)                                             // list all roles
+		r.Post("/roles", h.createRole)                                          // create a new role
+		r.Get("/roles/{roleId}", h.getRole)                                     // get a role by ID
+		r.Get("/roles/{roleId}/users", h.getRoleUsers)                          // get all assigned users to a role
+		r.Get("/roles/{roleId}/resources", h.getRoleResources)                  // get all resources assigned to a role
+		r.Patch("/roles/{roleId}", h.updateRole)                                // update a role by ID
+		r.Delete("/roles/{roleId}", h.deleteRole)                               // delete a role by ID
+		r.Post("/roles/{roleId}/resources", h.assignResourceToRole)             // assign a resource to a role
+		r.Delete("/roles/{roleId}/resources/{resId}", h.removeResourceFromRole) // remove a resource from a role
+
+		// Resources
+		r.Get("/resources", h.getResources)                   // list all resources
+		r.Post("/resources", h.createResource)                // create a new resource
+		r.Get("/resources/{resourceId}", h.getResource)       // get a resource by ID
+		r.Patch("/resources/{resourceId}", h.updateResource)  // update a resource by ID
+		r.Delete("/resources/{resourceId}", h.deleteResource) // delete a resource by ID
+
+		// Users
+		r.Get("/users/{userId}/roles", h.getUserRoles)                   // get all roles for a user
+		r.Post("/users/{userId}/roles", h.assignRoleToUser)              // assign a role to a user
+		r.Delete("/users/{userId}/roles/{roleId}", h.removeRoleFromUser) // remove a role from a user
+
+		// Users
+		// r.Get("/users/{userId}/roles", h.getUserRoles) // get all roles for a user
+		// r.Post("/users/{userId}/roles", h.assignRoleToUser) // assign a role to a user
+		// r.Delete("/users/{userId}/roles/{roleId}", h.removeRoleFromUser) // remove a role from a user
+
+		// r.Get("/roles", h.getRoles)
+		// r.Post("/create-role", h.createRole)
+		// r.Post("/assign-role", h.assignRoleToUser)
+		// r.Get("/user-roles", h.getUserRoles)
+		// r.Post("/remove-role", h.removeRoleFromUser)
+
+		// r.Get("/resources", h.getResources)
+		// r.Post("/create-resource", h.createResource)
+		// r.Post("/assign-resource", h.assignResourceToRole)
+		// r.Get("/role-resources", h.getRoleResources)
+		// r.Post("/remove-resource", h.removeResourceFromRole)
+
+		// r.Get("/permissions", h.getResources)                   // legacy support
+		// r.Post("/create-permissions", h.createResource)         // legacy support
+		// r.Post("/assign-permissions", h.assignResourceToRole)   // legacy support
+		// r.Get("/role-permissions", h.getRoleResources)          // legacy support
+		// r.Post("/remove-permissions", h.removeResourceFromRole) // legacy support
+	}
+}
+
+// type assignRoleRequest struct {
+// 	UserID int `json:"userId"`
+// 	RoleID int `json:"roleId"`
+// }
+
+// func (h *aclAdminHandler) assignRoleToUser(w http.ResponseWriter, r *http.Request) {
+// 	var req assignRoleRequest
+// 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+// 		http.Error(w, "Invalid request body", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if req.UserID < 0 || req.RoleID < 0 {
+// 		http.Error(w, "Invalid user or role ID", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if err := h.a.AssignRoleToUser(uint(req.RoleID), uint(req.UserID)); err != nil {
+// 		http.Error(w, "Failed to assign role to user", http.StatusConflict)
+// 		return
+// 	}
+// 	w.WriteHeader(http.StatusCreated)
+// }
+
+// type getUserRolesResponse getRolesResponse
+
+// func (h *aclAdminHandler) getUserRoles(w http.ResponseWriter, r *http.Request) {
+// 	uidStr := r.URL.Query().Get("userId")
+// 	if uidStr == "" {
+// 		http.Error(w, "Missing userId parameter", http.StatusBadRequest)
+// 		return
+// 	}
+// 	userID, err := strconv.Atoi(uidStr)
+// 	if err != nil || userID < 0 {
+// 		http.Error(w, "Invalid userId parameter", http.StatusBadRequest)
+// 		return
+// 	}
+// 	roles, err := h.a.GetUserRoles(uint(userID))
+// 	if err != nil {
+// 		http.Error(w, "Internal server error", http.StatusInternalServerError)
+// 		return
+// 	}
+// 	w.Header().Set("Content-Type", "application/json")
+// 	err = json.NewEncoder(w).Encode(func() getUserRolesResponse {
+// 		// Transform acl.Role to getUserRolesResponse
+// 		resp := make(getUserRolesResponse, 0, len(roles))
+// 		for _, role := range roles {
+// 			resp = append(resp, struct {
+// 				ID   uint   `json:"id"`
+// 				Name string `json:"name"`
+// 			}{
+// 				ID:   role.ID,
+// 				Name: role.Name,
+// 			})
+// 		}
+// 		return resp
+// 	}())
+// 	if err != nil {
+// 		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+// 		return
+// 	}
+// }
+
+// type removeRoleRequest struct {
+// 	UserID int `json:"userId"`
+// 	RoleID int `json:"roleId"`
+// }
+
+// func (h *aclAdminHandler) removeRoleFromUser(w http.ResponseWriter, r *http.Request) {
+// 	var req removeRoleRequest
+// 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+// 		http.Error(w, "Invalid request body", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if req.UserID < 0 || req.RoleID < 0 {
+// 		http.Error(w, "Invalid user or role ID", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if err := h.a.RemoveRoleFromUser(uint(req.RoleID), uint(req.UserID)); err != nil {
+// 		http.Error(w, "Failed to remove role from user", http.StatusConflict)
+// 		return
+// 	}
+// 	w.WriteHeader(http.StatusNoContent)
+// }
+
+// type getResourcesResponse getRolesResponse
+
+// func (h *aclAdminHandler) getResources(w http.ResponseWriter, r *http.Request) {
+// 	resources, err := h.a.GetResources()
+// 	if err != nil {
+// 		http.Error(w, "Internal server error", http.StatusInternalServerError)
+// 		return
+// 	}
+// 	w.Header().Set("Content-Type", "application/json")
+// 	err = json.NewEncoder(w).Encode(func() getResourcesResponse {
+// 		// Transform acl.Resource to getResourcesResponse
+// 		resp := make(getResourcesResponse, 0, len(resources))
+// 		for _, res := range resources {
+// 			resp = append(resp, struct {
+// 				ID   uint   `json:"id"`
+// 				Name string `json:"name"`
+// 			}{
+// 				ID:   res.ID,
+// 				Name: res.Key,
+// 			})
+// 		}
+// 		return resp
+// 	}())
+// 	if err != nil {
+// 		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+// 		return
+// 	}
+// }
+
+// type createResourceRequest struct {
+// 	Name string `json:"name"`
+// }
+
+// type createResourceResponse struct {
+// 	ID   uint   `json:"id"`
+// 	Name string `json:"name"`
+// }
+
+// func (h *aclAdminHandler) createResource(w http.ResponseWriter, r *http.Request) {
+// 	var req createResourceRequest
+// 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+// 		http.Error(w, "Invalid request body", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if req.Name == "" {
+// 		http.Error(w, "Name is required", http.StatusBadRequest)
+// 		return
+// 	}
+// 	id, err := h.a.CreateResource(req.Name)
+// 	if err != nil {
+// 		http.Error(w, "Failed to create resource", http.StatusConflict)
+// 		return
+// 	}
+// 	w.WriteHeader(http.StatusCreated)
+// 	w.Header().Set("Content-Type", "application/json")
+// 	err = json.NewEncoder(w).Encode(createResourceResponse{
+// 		ID:   id,
+// 		Name: req.Name,
+// 	})
+// 	if err != nil {
+// 		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+// 		return
+// 	}
+// }
+
+// func (h *aclAdminHandler) assignResourceToRole(w http.ResponseWriter, r *http.Request) {
+// 	server.NotImplemented(w)
+// }
+
+// func (h *aclAdminHandler) getRoleResources(w http.ResponseWriter, r *http.Request) {
+// 	server.NotImplemented(w)
+// }
+
+// func (h *aclAdminHandler) removeResourceFromRole(w http.ResponseWriter, r *http.Request) {
+// 	server.NotImplemented(w)
+// }

api/acl_admin/resources.go

@@ -0,0 +1,223 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"github.com/go-chi/chi/v5"
+)
+
+// @Summary	Get all resources
+// @Tags		acl/resources
+// @Produce	json
+// @Success	200	{object}	getResourcesResponse
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/resources [get]
+func (h *aclAdminHandler) getResources(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	resources, err := h.a.GetResources()
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	type R struct {
+		ID  uint   `json:"id" example:"1"`
+		Key string `json:"key" example:"html.view"`
+	}
+
+	resp := make([]R, 0, len(resources))
+	for _, res := range resources {
+		resp = append(resp, R{ID: res.ID, Key: res.Key})
+	}
+
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// @Summary	Get resource by ID
+// @Tags		acl/resources
+// @Produce	json
+// @Param		resourceId	path		int	true	"Resource ID"	example(1)
+// @Success	200			{object}	getResourceResponse
+// @Failure	400			{object}	ProblemDetails
+// @Failure	404			{object}	ProblemDetails
+// @Failure	500			{object}	ProblemDetails
+// @Router		/api/acl/resources/{resourceId} [get]
+func (h *aclAdminHandler) getResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	resourceIDStr := chi.URLParam(r, "resourceId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+
+	resource, err := h.a.GetResourceByID(uint(resourceID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrResourceNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+resourceIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(getResourceResponse{
+		ID:  resource.ID,
+		Key: resource.Key,
+	})
+}
+
+// @Summary	Create resource
+// @Tags		acl/resources
+// @Accept		json
+// @Produce	json
+// @Param		request	body		createResourceRequest	true	"Resource"
+// @Success	201		{object}	createResourceResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	409		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/resources [post]
+func (h *aclAdminHandler) createResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req createResourceRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	resourceID, err := h.a.CreateResource(req.Key)
+	if err != nil {
+		slog.Error("Failed to create resource", "error", err)
+
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrInvalidResourceKey:
+			writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-key", "Invalid resource key", "Resource key must be non-empty", r)
+		case acl.ErrResourceAlreadyExists:
+			writeProblem(w, http.StatusConflict, "/errors/acl/resource-already-exists", "Resource already exists", "Resource '"+req.Key+"' already exists", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	_ = json.NewEncoder(w).Encode(createResourceResponse{
+		ID:  resourceID,
+		Key: req.Key,
+	})
+}
+
+// @Summary	Update resource
+// @Tags		acl/resources
+// @Accept		json
+// @Produce	json
+// @Param		resourceId	path		int						true	"Resource ID"	example(1)
+// @Param		request		body		updateResourceRequest	true	"Resource"
+// @Success	200			{object}	updateResourceResponse
+// @Failure	400			{object}	ProblemDetails
+// @Failure	404			{object}	ProblemDetails
+// @Failure	409			{object}	ProblemDetails
+// @Failure	500			{object}	ProblemDetails
+// @Router		/api/acl/resources/{resourceId} [patch]
+func (h *aclAdminHandler) updateResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req updateResourceRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	resourceIDStr := chi.URLParam(r, "resourceId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.UpdateResource(uint(resourceID), req.Key)
+	if err != nil {
+		slog.Error("Failed to update resource", "error", err)
+
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrInvalidResourceKey:
+			writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-key", "Invalid resource key", "Resource key must be non-empty", r)
+		case acl.ErrResourceNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+resourceIDStr, r)
+		case acl.ErrSameResourceKey:
+			writeProblem(w, http.StatusConflict, "/errors/acl/resource-key-already-exists", "Resource key already exists", "Resource key '"+req.Key+"' already exists", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(updateResourceResponse{
+		ID:  uint(resourceID),
+		Key: req.Key,
+	})
+}
+
+// @Summary	Delete resource
+// @Tags		acl/resources
+// @Produce	json
+// @Param		resourceId	path	int	true	"Resource ID"	example(1)
+// @Success	200
+// @Failure	400	{object}	ProblemDetails
+// @Failure	404	{object}	ProblemDetails
+// @Failure	409	{object}	ProblemDetails
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/resources/{resourceId} [delete]
+func (h *aclAdminHandler) deleteResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	resourceIDStr := chi.URLParam(r, "resourceId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.DeleteResource(uint(resourceID))
+	if err != nil {
+		slog.Error("Failed to delete resource", "error", err)
+
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrResourceNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+resourceIDStr, r)
+		case acl.ErrResourceInUse:
+			writeProblem(w, http.StatusConflict, "/errors/acl/resource-in-use", "Resource in use", "Resource "+resourceIDStr+" is in use", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+}

api/acl_admin/resources_models.go

@@ -0,0 +1,39 @@
+package api_acladmin
+
+/*******************************************************************/
+// used in getResources()
+type getResourcesResponse []struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
+
+var _ getResourcesResponse // for documentation
+
+/*******************************************************************/
+// used in getResource()
+type getResourceResponse struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
+
+/*******************************************************************/
+// used in createResource()
+type createResourceRequest struct {
+	Key string `json:"key" example:"html.view"`
+}
+
+type createResourceResponse struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
+
+/*******************************************************************/
+// used in updateResource()
+type updateResourceRequest struct {
+	Key string `json:"key" example:"html.view"`
+}
+
+type updateResourceResponse struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}

api/acl_admin/roles.go

@@ -0,0 +1,390 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"github.com/go-chi/chi/v5"
+)
+
+// @Summary	Get all roles
+// @Tags		acl/roles
+// @Produce	json
+// @Success	200	{array}		getRolesResponse
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/roles [get]
+func (h *aclAdminHandler) getRoles(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roles, err := h.a.GetRoles()
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	type R struct {
+		ID   uint   `json:"id" example:"1"`
+		Name string `json:"name" example:"admin"`
+	}
+
+	resp := make([]R, 0, len(roles))
+	for _, role := range roles {
+		resp = append(resp, R{ID: role.ID, Name: role.Name})
+	}
+
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// @Summary	Get role by ID
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path		int	true	"Role ID"	example(1)
+// @Success	200		{object}	getRoleResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	404		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId} [get]
+func (h *aclAdminHandler) getRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	role, err := h.a.GetRoleByID(uint(roleID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(getRoleResponse{
+		ID:   role.ID,
+		Name: role.Name,
+	})
+}
+
+// @Summary	Get role users
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path		int	true	"Role ID"	example(1)
+// @Success	200		{array}		getRoleUsersResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	404		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId}/users [get]
+func (h *aclAdminHandler) getRoleUsers(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	role, err := h.a.GetRoleByID(uint(roleID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	if len(role.Users) == 0 {
+		writeProblem(w, http.StatusNotFound, "/errors/acl/role-has-no-users", "Role has no users", "Role has no users", r)
+		return
+	}
+	var respUsers getRoleUsersResponse
+	for _, user := range role.Users {
+		respUsers = append(respUsers, getRoleUser{
+			ID:    user.ID,
+			Name:  user.Username,
+			Email: user.Email,
+		})
+	}
+	_ = json.NewEncoder(w).Encode(respUsers)
+}
+
+// @Summary	Get role resources
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path		int	true	"Role ID"	example(1)
+// @Success	200		{array}		getRoleResourcesResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	404		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId}/resources [get]
+func (h *aclAdminHandler) getRoleResources(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	role, err := h.a.GetRoleByID(uint(roleID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	if len(role.Resources) == 0 {
+		writeProblem(w, http.StatusNotFound, "/errors/acl/role-has-no-users", "Role has no users", "Role has no users", r)
+		return
+	}
+	var respResources getRoleResourcesResponse
+	for _, user := range role.Resources {
+		respResources = append(respResources, getRoleResource{
+			ID:   user.ID,
+			Name: user.Key,
+		})
+	}
+	_ = json.NewEncoder(w).Encode(respResources)
+}
+
+// @Summary	Create role
+// @Tags		acl/roles
+// @Accept		json
+// @Produce	json
+// @Param		request	body		createRoleRequest	true	"Role"
+// @Success	201		{object}	createRoleResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	409		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/roles [post]
+func (h *aclAdminHandler) createRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req createRoleRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	roleID, err := h.a.CreateRole(req.Name)
+	if err != nil {
+		slog.Error("Failed to create role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrInvalidRoleName:
+			writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-name", "Invalid role name", "Role name must be non-empty", r)
+		case acl.ErrRoleAlreadyExists:
+			writeProblem(w, http.StatusConflict, "/errors/acl/role-already-exists", "Role already exists", "Role '"+req.Name+"' already exists", r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	_ = json.NewEncoder(w).Encode(createRoleResponse{
+		ID:   roleID,
+		Name: req.Name,
+	})
+}
+
+// @Summary	Update role
+// @Tags		acl/roles
+// @Accept		json
+// @Produce	json
+// @Param		roleId	path		int					true	"Role ID"	example(1)
+// @Param		request	body		updateRoleRequest	true	"Role"
+// @Success	200		{object}	updateRoleResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	404		{object}	ProblemDetails
+// @Failure	409		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId} [patch]
+func (h *aclAdminHandler) updateRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req updateRoleRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.UpdateRole(uint(roleID), req.Name)
+	if err != nil {
+		slog.Error("Failed to update role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrInvalidRoleName:
+			writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-name", "Invalid role name", "Role name must be non-empty", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrSameRoleName:
+			writeProblem(w, http.StatusConflict, "/errors/acl/role-name-already-exists", "Role name already exists", "Role '"+req.Name+"' already exists", r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(updateRoleResponse{
+		ID:   uint(roleID),
+		Name: req.Name,
+	})
+}
+
+// @Summary	Delete role
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path	int	true	"Role ID"	example(1)
+// @Success	204
+// @Failure	400	{object}	ProblemDetails
+// @Failure	404	{object}	ProblemDetails
+// @Failure	409	{object}	ProblemDetails
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId} [delete]
+func (h *aclAdminHandler) deleteRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.DeleteRole(uint(roleID))
+	if err != nil {
+		slog.Error("Failed to delete role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrRoleInUse:
+			writeProblem(w, http.StatusConflict, "/errors/acl/role-in-use", "Role in use", "Role "+roleIDStr+" is assigned to at least one user and cannot be deleted", r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// @Summary	Assign resource to role
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path	int							true	"Role ID"	example(1)
+// @Param		request	body	assignResourceToRoleRequest	true	"Resource"
+// @Success	201
+// @Failure	400	{object}	ProblemDetails
+// @Failure	404	{object}	ProblemDetails
+// @Failure	409	{object}	ProblemDetails
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId}/resources [post]
+func (h *aclAdminHandler) assignResourceToRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	var req assignResourceToRoleRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-request-body", "Invalid request body", "Invalid JSON body", r)
+		return
+	}
+	if err := h.a.AssignResourceToRole(uint(roleID), req.ResourceID); err != nil {
+		slog.Error("Failed to assign resource to role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrResourceNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+strconv.Itoa(int(req.ResourceID)), r)
+		case acl.ErrResourceAlreadyAssigned:
+			writeProblem(w, http.StatusConflict, "/errors/acl/resource-already-assigned", "Resource already assigned", "Resource with ID "+strconv.Itoa(int(req.ResourceID))+" is already assigned to role with ID "+roleIDStr, r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
+
+// @Summary	Remove resource from role
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path	int	true	"Role ID"		example(1)
+// @Param		resId	path	int	true	"Resource ID"	example(1)
+// @Success	204
+// @Failure	400	{object}	ProblemDetails
+// @Failure	404	{object}	ProblemDetails
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/roles/{roleId}/resources/{resId} [delete]
+func (h *aclAdminHandler) removeResourceFromRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	resourceIDStr := chi.URLParam(r, "resId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+	if err := h.a.RemoveResourceFromRole(uint(roleID), uint(resourceID)); err != nil {
+		slog.Error("Failed to remove resource from role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrResourceNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+strconv.Itoa(int(resourceID)), r)
+		case acl.ErrRoleResourceNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/role-resource-not-found", "Role resource not found", "No role-resource pair with role ID "+roleIDStr+" and resource ID "+strconv.Itoa(int(resourceID)), r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}

api/acl_admin/roles_models.go

@@ -0,0 +1,62 @@
+package api_acladmin
+
+/*******************************************************************/
+// used in getRoles()
+type getRolesResponse []struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+var _ getRolesResponse
+
+/*******************************************************************/
+// used in getRole()
+type getRoleResponse struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+/*******************************************************************/
+// used in getRoleUsers()
+type getRoleUser struct {
+	ID    uint   `json:"id" example:"1"`
+	Name  string `json:"username" example:"admin"`
+	Email string `json:"email" example:"admin@triggerssmith.com"`
+}
+type getRoleUsersResponse []getRoleUser
+
+/*******************************************************************/
+// used in getRoleResources()
+type getRoleResource struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"*"`
+}
+type getRoleResourcesResponse []getRoleResource
+
+/*******************************************************************/
+// used in createRole()
+type createRoleRequest struct {
+	Name string `json:"name" example:"admin"`
+}
+
+type createRoleResponse struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+/*******************************************************************/
+// used in updateRole()
+type updateRoleRequest struct {
+	Name string `json:"name" example:"admin"`
+}
+
+type updateRoleResponse struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+/*******************************************************************/
+// used in assignResourceToRole()
+type assignResourceToRoleRequest struct {
+	ResourceID uint `json:"resourceId" example:"1"`
+}

api/acl_admin/users.go

@@ -0,0 +1,136 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"github.com/go-chi/chi/v5"
+)
+
+// @Summary	Get user roles by user ID
+// @Tags		acl/users
+// @Produce	json
+// @Param		userId	path		int	true	"User ID"	example(1)
+// @Success	200		{object}	getUserRolesResponse
+// @Failure	400		{object}	ProblemDetails
+// @Failure	404		{object}	ProblemDetails
+// @Failure	500		{object}	ProblemDetails
+// @Router		/api/acl/users/{userId}/roles [get]
+func (h *aclAdminHandler) getUserRoles(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	userIDStr := chi.URLParam(r, "userId")
+	userID, err := strconv.Atoi(userIDStr)
+	if err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-user-id", "Invalid user ID", "User ID must be positive integer", r)
+		return
+	}
+	roles, err := h.a.GetUserRoles(uint(userID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrUserNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/user-not-found", "User not found", "User not found", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/no-role-found", "No role found", "No role found for user "+strconv.Itoa(userID), r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	resp := make(getUserRolesResponse, 0, len(roles))
+	for _, role := range roles {
+		resp = append(resp, getUserRole{ID: role.ID, Name: role.Name})
+	}
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// @Summary	Assign role to user
+// @Tags		acl/users
+// @Produce	json
+// @Param		userId	path	int						true	"User ID"	example(1)
+// @Param		body	body	assignRoleToUserRequest	true	"Role ID"
+// @Success	201
+// @Failure	400	{object}	ProblemDetails
+// @Failure	404	{object}	ProblemDetails
+// @Failure	409	{object}	ProblemDetails
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/users/{userId}/roles [post]
+func (h *aclAdminHandler) assignRoleToUser(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	userIDStr := chi.URLParam(r, "userId")
+	userID, err := strconv.Atoi(userIDStr)
+	if err != nil || userID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-user-id", "Invalid user ID", "User ID must be positive integer", r)
+		return
+	}
+	var req assignRoleToUserRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-request-body", "Invalid request body", "Invalid JSON body", r)
+		return
+	}
+	if err := h.a.AssignRoleToUser(req.RoleID, uint(userID)); err != nil {
+		slog.Error("Failed to assign role to user", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrUserNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/user-not-found", "User not found", "User not found", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/no-role-found", "No role found", "No role found for user "+strconv.Itoa(userID), r)
+		case acl.ErrRoleAlreadyAssigned:
+			writeProblem(w, http.StatusConflict, "/errors/acl/role-already-assigned", "Role already assigned", "Role with ID "+strconv.Itoa(int(req.RoleID))+" is already assigned to user "+strconv.Itoa(userID), r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
+
+// @Summary	Remove role from user
+// @Tags		acl/users
+// @Produce	json
+// @Param		userId	path	int	true	"User ID"	example(1)
+// @Param		roleId	path	int	true	"Role ID"	example(1)
+// @Success	204
+// @Failure	400	{object}	ProblemDetails
+// @Failure	404	{object}	ProblemDetails
+// @Failure	500	{object}	ProblemDetails
+// @Router		/api/acl/users/{userId}/roles/{roleId} [delete]
+func (h *aclAdminHandler) removeRoleFromUser(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	userIDStr := chi.URLParam(r, "userId")
+	userID, err := strconv.Atoi(userIDStr)
+	if err != nil || userID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-user-id", "Invalid user ID", "User ID must be positive integer", r)
+		return
+	}
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		writeProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	err = h.a.RemoveRoleFromUser(uint(roleID), uint(userID))
+	if err != nil {
+		slog.Error("Failed to remove role from user", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrUserNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/user-not-found", "User not found", "User not found", r)
+		case acl.ErrRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/no-role-found", "No role found", "No role found for user "+strconv.Itoa(userID), r)
+		case acl.ErrUserRoleNotFound:
+			writeProblem(w, http.StatusNotFound, "/errors/acl/user-role-not-found", "User role not found", "User "+strconv.Itoa(userID)+" does not have role "+strconv.Itoa(roleID), r)
+		default:
+			writeProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+	}
+	w.WriteHeader(http.StatusNoContent)
+}

api/acl_admin/users_models.go

@@ -0,0 +1,16 @@
+package api_acladmin
+
+/*******************************************************************/
+// used in getUserRoles()
+type getUserRole struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"*"`
+}
+
+type getUserRolesResponse []getUserRole
+
+/*******************************************************************/
+// used in assignRoleToUser()
+type assignRoleToUserRequest struct {
+	RoleID uint `json:"roleId" example:"1"`
+}

api/auth/handle.go

@@ -0,0 +1,222 @@
+// Package auth provides authentication-related API endpoints for the Triggersmith application.
+// It handles login, logout, and user management operations.
+package api_auth
+
+import (
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"net/http"
+	"time"
+
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/go-chi/chi/v5"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func setRefreshCookie(w http.ResponseWriter, token string, ttl time.Duration, secure bool) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    token,
+		Path:     "/api/auth/refresh",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		MaxAge:   int(ttl.Seconds()),
+		Secure:   secure,
+	})
+}
+
+type authHandler struct {
+	cfg *config.Config
+	a   *auth.Service
+}
+
+func MustRoute(config *config.Config, authService *auth.Service) func(chi.Router) {
+	if config == nil {
+		panic("config is nil")
+	}
+	if authService == nil {
+		panic("authService is nil")
+	}
+	h := &authHandler{
+		cfg: config,
+		a:   authService,
+	}
+	return func(r chi.Router) {
+		r.Get("/getUserData", h.handleGetUserData) // legacy support
+
+		r.Post("/register", h.handleRegister)
+		r.Post("/login", h.handleLogin)
+		r.Post("/logout", h.handleLogout)   // !requires authentication
+		r.Post("/refresh", h.handleRefresh) // !requires authentication
+
+		r.Get("/me", h.handleMe) // !requires authentication
+		r.Get("/get-user-data", h.handleGetUserData)
+
+		r.Post("/revoke", h.handleRevoke) // not implemented
+	}
+}
+
+type registerRequest struct {
+	Username string `json:"username"`
+	Email    string `json:"email"`
+	Password string `json:"password"`
+}
+
+type registerResponse struct {
+	UserID   uint   `json:"id"`
+	Username string `json:"username"`
+}
+
+func (h *authHandler) handleRegister(w http.ResponseWriter, r *http.Request) {
+	var req registerRequest
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		http.Error(w, "Invalid request payload", http.StatusBadRequest)
+		return
+	}
+
+	user, err := h.a.Register(req.Username, req.Email, req.Password)
+	if err != nil {
+		slog.Error("Failed to register user", "error", err)
+		http.Error(w, "Registration failed", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(registerResponse{
+		UserID:   user.ID,
+		Username: user.Username,
+	})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
+
+type loginRequest struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+type loginResponse struct {
+	Token string `json:"accessToken"`
+}
+
+func (h *authHandler) handleLogin(w http.ResponseWriter, r *http.Request) {
+	var req loginRequest
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		http.Error(w, "Invalid request payload", http.StatusBadRequest)
+		return
+	}
+
+	tokens, err := h.a.Login(req.Username, req.Password)
+	if err != nil {
+		http.Error(w, "Authentication failed", http.StatusUnauthorized)
+		return
+	}
+
+	setRefreshCookie(w, tokens.Refresh, h.cfg.Auth.RefreshTokenTTL, false)
+
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(loginResponse{Token: tokens.Access})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+}
+
+func (h *authHandler) handleLogout(w http.ResponseWriter, r *http.Request) {
+	claims, err := h.a.AuthenticateRequest(r)
+	if err != nil {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+	rjti := claims.(jwt.MapClaims)["rjti"].(string)
+	err = h.a.Logout(rjti)
+	if err != nil {
+		http.Error(w, "Failed to logout, taking cookie anyways", http.StatusInternalServerError)
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    "",
+		MaxAge:   -1,
+		Path:     "/api/users/refresh",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+	if err == nil {
+		w.WriteHeader(http.StatusOK)
+	}
+}
+
+type meResponse struct {
+	UserID   uint   `json:"id"`
+	Username string `json:"username"`
+	Email    string `json:"email"`
+}
+
+func (h *authHandler) handleMe(w http.ResponseWriter, r *http.Request) {
+	refresh_token_cookie, err := r.Cookie("refresh_token")
+	if err != nil {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+	userID, err := h.a.ValidateRefreshToken(refresh_token_cookie.Value)
+	if err != nil {
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+	user, err := h.a.Get("id", fmt.Sprint(userID))
+	if err != nil {
+		http.Error(w, "Failed to get user", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(meResponse{
+		UserID:   user.ID,
+		Username: user.Username,
+		Email:    user.Email,
+	})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+}
+
+type GetUserDataResponse meResponse
+
+func (h *authHandler) handleGetUserData(w http.ResponseWriter, r *http.Request) {
+	by := r.URL.Query().Get("by")
+	value := r.URL.Query().Get("value")
+	if value == "" {
+		value = r.URL.Query().Get(by)
+	}
+	user, err := h.a.Get(by, value)
+	if err != nil {
+		http.Error(w, "Failed to get user", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(meResponse{
+		UserID:   user.ID,
+		Username: user.Username,
+		Email:    user.Email,
+	})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+}
+
+func (h *authHandler) handleRevoke(w http.ResponseWriter, r *http.Request) {
+	server.NotImplemented(w)
+}
+
+func (h *authHandler) handleRefresh(w http.ResponseWriter, r *http.Request) {
+	server.NotImplemented(w)
+}

api/block/handle.go

@@ -0,0 +1,100 @@
+// Package block provides functionality to load HTML blocks with associated content, JavaScript, and CSS from the filesystem.
+// API Endpoint:
+//
+//	/api/block/{blockPath}
+//
+// Example:
+//
+//	/api/block/header would load the block located at {BlockDir}/header/
+package api_block
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"os"
+	"path/filepath"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"github.com/go-chi/chi/v5"
+)
+
+type Block struct {
+	Content string `json:"content"`
+	JS      string `json:"js"`
+	CSS     string `json:"css"`
+}
+
+type blockHandler struct {
+	cfg *config.Config
+}
+
+func MustRoute(config *config.Config) func(chi.Router) {
+	if config == nil {
+		panic("config is nil")
+	}
+	h := &blockHandler{
+		cfg: config,
+	}
+	return func(r chi.Router) {
+		r.Get("/*", h.handleBlock)
+	}
+}
+
+func (h *blockHandler) handleBlock(w http.ResponseWriter, r *http.Request) {
+	if !h.cfg.Server.BlockConfig.Enabled {
+		http.Error(w, "Block serving is disabled", http.StatusForbidden)
+		return
+	}
+
+	blockPath := r.URL.Path[len("/api/block/"):]
+	block, err := LoadBlock(blockPath, h.cfg)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	w.Write([]byte(block.ToJSON()))
+}
+
+// LoadBlock loads a block from the filesystem given its path and configuration.
+// It reads the content, JavaScript, and CSS files associated with the block.
+// If err is not nil, it indicates a failure in reading the block files.
+func LoadBlock(path string, cfg *config.Config) (*Block, error) {
+	slog.Debug("loading block", slog.String("path", path))
+	path = filepath.Join(cfg.Server.BlockConfig.BlockDir, path)
+	var block Block
+	var err error
+	contentPath := filepath.Join(path, "content.md")
+	jsPath := filepath.Join(path, "script.js")
+	cssPath := filepath.Join(path, "style.css")
+	if b, err := os.ReadFile(contentPath); err == nil {
+		block.Content = string(b)
+	} else {
+		slog.Warn("failed to read block content", slog.String("path", contentPath), slog.String("err", err.Error()))
+	}
+
+	if b, err := os.ReadFile(jsPath); err == nil {
+		block.JS = string(b)
+	} else {
+		slog.Warn("failed to read block JS", slog.String("path", contentPath), slog.String("err", err.Error()))
+	}
+
+	if b, err := os.ReadFile(cssPath); err == nil {
+		block.CSS = string(b)
+	} else {
+		slog.Warn("failed to read block CSS", slog.String("path", contentPath), slog.String("err", err.Error()))
+	}
+
+	return &block, err
+}
+
+func (b *Block) ToJSON() string {
+	jsonData, err := json.Marshal(b)
+	if err != nil {
+		slog.Error("failed to marshal block to JSON", slog.String("err", err.Error()))
+		return "{}"
+	}
+	return string(jsonData)
+}

api/router.go

@@ -1,37 +1,101 @@
+// Package api provides the main API router and route handlers for the Triggersmith application.
 package api
 
 import (
 	"encoding/json"
+	"log/slog"
 	"net/http"
 	"path/filepath"
 	"time"
 
-	"git.oblat.lv/alex/triggerssmith/api/invoke"
+	api_acladmin "git.oblat.lv/alex/triggerssmith/api/acl_admin"
+	api_auth "git.oblat.lv/alex/triggerssmith/api/auth"
+	api_block "git.oblat.lv/alex/triggerssmith/api/block"
+	_ "git.oblat.lv/alex/triggerssmith/docs"
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
 	"git.oblat.lv/alex/triggerssmith/internal/config"
 	"git.oblat.lv/alex/triggerssmith/internal/vars"
 	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5/middleware"
+	httpSwagger "github.com/swaggo/http-swagger"
 )
 
 type Router struct {
 	r chi.Router
 
 	cfg *config.Config
+
+	authService *auth.Service
+
+	aclService *acl.Service
 }
 
-func NewRouter(cfg *config.Config) *Router {
+type RouterDependencies struct {
+	AuthService   *auth.Service
+	Configuration *config.Config
+	ACLService    *acl.Service
+}
+
+func NewRouter(deps RouterDependencies) *Router {
+	if deps.AuthService == nil {
+		panic("AuthService is required")
+	}
+	if deps.Configuration == nil {
+		panic("Configuration is required")
+	}
+	if deps.ACLService == nil {
+		panic("ACLService is required")
+	}
 	r := chi.NewRouter()
 	return &Router{
-		r:   r,
-		cfg: cfg,
+		r:           r,
+		cfg:         deps.Configuration,
+		authService: deps.AuthService,
+		aclService:  deps.ACLService,
 	}
 }
 
-func (r *Router) RouteHandler() chi.Router {
-	r.r.Get("/", func(w http.ResponseWriter, req *http.Request) {
-		http.ServeFile(w, req, filepath.Join(r.cfg.Server.StaticFilesPath, "index.html"))
+// RouteHandler sets up the routes and middleware for the router.
+// TODO: implement hot reload for static files enabled/disabled
+func (r *Router) MustRoute() chi.Router {
+	r.r.Use(middleware.Logger)
+	r.r.Use(middleware.Recoverer)
+	r.r.Use(middleware.Timeout(r.cfg.Server.TimeoutSeconds))
+
+	if r.cfg.Server.StaticConfig.Enabled {
+		slog.Debug("Static file serving is enabled",
+			slog.String("dir", r.cfg.Server.StaticConfig.Dir),
+			slog.String("index_file", r.cfg.Server.StaticConfig.IndexFile),
+		)
+		r.r.Get("/*", func(w http.ResponseWriter, req *http.Request) {
+			http.ServeFile(w, req, filepath.Join(r.cfg.Server.StaticConfig.Dir, r.cfg.Server.StaticConfig.IndexFile))
+		})
+		fs := http.FileServer(http.Dir(r.cfg.Server.StaticConfig.Dir))
+		r.r.Handle("/static/*", http.StripPrefix("/static/", fs))
+	} else {
+		slog.Info("Static file serving is disabled")
+		r.r.Get("/", func(w http.ResponseWriter, req *http.Request) {
+			http.Error(w, "Static serving is disabled", http.StatusForbidden)
+		})
+		r.r.HandleFunc("/static/*", func(w http.ResponseWriter, req *http.Request) {
+			http.Error(w, "Static serving is disabled", http.StatusForbidden)
+		})
+	}
+
+	r.r.Route("/api", func(api chi.Router) {
+		api.Get("/swagger/*", httpSwagger.Handler(
+			httpSwagger.URL("/api/swagger/doc.json"),
+		))
+		api.Route("/block", api_block.MustRoute(r.cfg))
+		authRoute := api_auth.MustRoute(r.cfg, r.authService)
+		api.Route("/auth", authRoute)
+		//api.Route("/users", authRoute) // legacy support
+		aclAdminRoute := api_acladmin.MustRoute(r.cfg, r.aclService, r.authService)
+		api.Route("/acl", aclAdminRoute)
+		api.Route("/acl-admin", aclAdminRoute) // legacy support
 	})
-	fs := http.FileServer(http.Dir("static"))
-	r.r.Handle("/static/*", http.StripPrefix("/static/", fs))
+
 	r.r.Get("/health", func(w http.ResponseWriter, r *http.Request) {
 		b, _ := json.Marshal(struct {
 			Status string `json:"status"`
@@ -42,6 +106,6 @@ func (r *Router) RouteHandler() chi.Router {
 		})
 		w.Write([]byte(b))
 	})
-	r.r.Handle("/invoke/function/{function_id}/{function_version}", invoke.InvokeHandler(r.cfg))
+	//r.r.Handle("/invoke/function/{function_id}/{function_version}", invoke.InvokeHandler(r.cfg))
 	return r.r
 }

cmd/serve.go

@@ -7,20 +7,30 @@ import (
 	"os"
 	"os/signal"
 	"path/filepath"
+	"runtime/debug"
 	"syscall"
+	"time"
 
 	"git.oblat.lv/alex/triggerssmith/api"
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
 	application "git.oblat.lv/alex/triggerssmith/internal/app"
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
 	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/jwt"
 	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"git.oblat.lv/alex/triggerssmith/internal/token"
+	"git.oblat.lv/alex/triggerssmith/internal/user"
 	"git.oblat.lv/alex/triggerssmith/internal/vars"
 	"github.com/spf13/cobra"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
 )
 
 var optsServeCmd = struct {
-	ConfigPath *string
-	Debug      *bool
+	ConfigPath    *string
+	Debug         *bool
 	HideGreetings *bool
+	NoPIDFile     *bool
 }{}
 
 // // simple middleware for request logging
@@ -81,7 +91,24 @@ var serveCmd = &cobra.Command{
 		}
 		defer func() {
 			if r := recover(); r != nil {
-				slog.Error("Application panicked", slog.Any("error", r))
+				slog.Debug("panic recovered: preparing panic.log", slog.Any("error", r))
+				stack := debug.Stack()
+
+				f, err := os.OpenFile("panic.log", os.O_CREATE|os.O_APPEND|os.O_WRONLY, 0644)
+				if err != nil {
+					slog.Error("Failed to open panic.log", slog.Any("error", err))
+				} else {
+					defer f.Close()
+					slog.Debug("flushing stack in to panic.log")
+					fmt.Fprintf(f, "\n--------------------------------------------------------\n")
+					fmt.Fprintf(f, "Time: %s\n", time.Now().Format(time.RFC3339))
+					fmt.Fprintln(f, "If this is unexpected, please report: https://git.oblat.lv/alex/triggerssmith/issues")
+					fmt.Fprintf(f, "\n--------------------------------------------------------\n")
+					fmt.Fprintf(f, "Panic: %v\n", r)
+					f.Write(stack)
+					f.WriteString("\n\n")
+					slog.Error("Application panicked: the stack is flushed to disk", slog.Any("error", r))
+				}
 				os.Exit(-1)
 			}
 		}()
@@ -93,13 +120,17 @@ var serveCmd = &cobra.Command{
 			slog.SetDefault(slog.New(slog.NewTextHandler(cmd.OutOrStdout(), &slog.HandlerOptions{Level: slog.LevelInfo})))
 		}
 
-		pid := os.Getpid()
-		slog.Debug("Starting server", slog.Int("pid", pid))
-		if err := writePID(vars.PID_PATH); err != nil {
-			panic(err)
+		if !*optsServeCmd.NoPIDFile {
+			pid := os.Getpid()
+			slog.Debug("Starting server", slog.Int("pid", pid))
+			if err := writePID(vars.PID_PATH); err != nil {
+				panic(err)
+			}
+			slog.Debug("created pid file", slog.String("path", vars.PID_PATH))
+			defer os.Remove(vars.PID_PATH)
+		} else {
+			slog.Warn("Starting server without PID file as requested by --no-pidfile flag: this may complicate process management")
 		}
-		slog.Debug("created pid file", slog.String("path", vars.PID_PATH))
-		defer os.Remove(vars.PID_PATH)
 
 		// load config
 		slog.Debug("Reading configuration", slog.String("path", *optsServeCmd.ConfigPath))
@@ -119,18 +150,113 @@ var serveCmd = &cobra.Command{
 		app.LoadConfiguration(cfg)
 
 		srv := app.Server()
-		//mux := http.NewServeMux()
 
-		// static files
-		// staticPath := cfg.Server.StaticFilesPath
-		// slog.Debug("Setting up static file server", slog.String("path", staticPath))
-		// fs := http.FileServer(http.Dir(staticPath))
-		// mux.Handle("/static/", http.StripPrefix("/static/", fs))
-		// handler := loggingMiddleware(mux)
+		// Services initialization
+		var jwtSigner jwt.Signer
+		// TODO: support more signing algorithms
+		//     : support hot config reload for signing alg and secret
+		switch cfg.Auth.SignAlg {
+		case "HS256":
+			secretBytes, err := os.ReadFile(cfg.Auth.HMACSecretPath)
+			if err != nil {
+				slog.Error("Failed to read HMAC secret file", slog.String("path", cfg.Auth.HMACSecretPath), slog.String("error", err.Error()))
+				return
+			}
+			jwtSigner = jwt.NewHMACSigner(secretBytes)
+		default:
+			slog.Error("Unsupported JWT signing algorithm", slog.String("alg", cfg.Auth.SignAlg))
+			return
+		}
+		jwtService := jwt.NewService(jwtSigner)
 
-		router := api.NewRouter(cfg)
+		err = os.MkdirAll(cfg.Data.DataPath, 0755)
+		if err != nil {
+			slog.Error("Failed to create data directory", slog.String("path", cfg.Data.DataPath), slog.String("error", err.Error()))
+			return
+		}
 
-		srv.SetHandler(router.RouteHandler())
+		tokenDb, err := gorm.Open(sqlite.Open(filepath.Join(cfg.Data.DataPath, "tokens.sqlite3")), &gorm.Config{})
+		if err != nil {
+			slog.Error("Failed to open token database", slog.String("error", err.Error()))
+			return
+		}
+		// err = tokenDb.AutoMigrate(&token.Token{})
+		// if err != nil {
+		// 	slog.Error("Failed to migrate token database", slog.String("error", err.Error()))
+		// 	return
+		// }
+		tokenStore, err := token.NewSQLiteTokenStore(tokenDb)
+		if err != nil {
+			slog.Error("Failed to create token store", slog.String("error", err.Error()))
+			return
+		}
+		tokenService, err := token.NewTokenService(&cfg.Auth, tokenStore)
+		if err != nil {
+			slog.Error("Failed to create token service", slog.String("error", err.Error()))
+			return
+		}
+		err = tokenService.Init()
+		if err != nil {
+			slog.Error("Failed to initialize token service", slog.String("error", err.Error()))
+			return
+		}
+
+		// also acl !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+		userData, err := gorm.Open(sqlite.Open(filepath.Join(cfg.Data.DataPath, "user_data.sqlite3")+"?_foreign_keys=on"), &gorm.Config{})
+		if err != nil {
+			slog.Error("Failed to open user database", slog.String("error", err.Error()))
+			return
+		}
+		// err =
+		// if err != nil {
+		// 	slog.Error("Failed to migrate user database", slog.String("error", err.Error()))
+		// 	return
+		// }
+		userStore, err := user.NewGormUserStore(userData)
+		if err != nil {
+			slog.Error("Failed to create user store", slog.String("error", err.Error()))
+			return
+		}
+		userService, err := user.NewService(userStore)
+		if err != nil {
+			slog.Error("Failed to create user service", slog.String("error", err.Error()))
+			return
+		}
+		err = userService.Init()
+		if err != nil {
+			slog.Error("Failed to initialize user service", slog.String("error", err.Error()))
+			return
+		}
+		aclService, err := acl.NewService(userData)
+		if err != nil {
+			slog.Error("Failed to create acl service", slog.String("error", err.Error()))
+			return
+		}
+		err = aclService.Init()
+		if err != nil {
+			slog.Error("Failed to initialize acl service", slog.String("error", err.Error()))
+			return
+		}
+
+		authService, err := auth.NewAuthService(auth.AuthServiceDependencies{
+			Configuration: cfg,
+
+			JWTService:   jwtService,
+			UserService:  userService,
+			TokenService: tokenService,
+		})
+		if err != nil {
+			slog.Error("Failed to create auth service", slog.String("error", err.Error()))
+			return
+		}
+
+		router := api.NewRouter(api.RouterDependencies{
+			AuthService:   authService,
+			Configuration: cfg,
+			ACLService:    aclService,
+		})
+
+		srv.SetHandler(router.MustRoute())
 		srv.Init()
 
 		var addr = net.JoinHostPort(cfg.Server.Addr, fmt.Sprintf("%d", cfg.Server.Port))
@@ -190,5 +316,6 @@ func init() {
 	optsServeCmd.Debug = serveCmd.Flags().BoolP("debug", "d", false, "Enable debug logs")
 	optsServeCmd.ConfigPath = serveCmd.Flags().StringP("config", "c", "config.yaml", "Path to configuration file")
 	optsServeCmd.HideGreetings = serveCmd.Flags().BoolP("hide-greetings", "g", false, "Hide the welcome message and version when starting the server")
+	optsServeCmd.NoPIDFile = serveCmd.Flags().BoolP("no-pidfile", "p", false, "Do not write a PID file")
 	rootCmd.AddCommand(serveCmd)
 }

docs/swagger.yaml

@@ -0,0 +1,718 @@
+definitions:
+  api_acladmin.ProblemDetails:
+    properties:
+      detail:
+        example: No role with ID 42
+        type: string
+      instance:
+        example: /api/acl/roles/42
+        type: string
+      status:
+        example: 404
+        type: integer
+      title:
+        example: Role not found
+        type: string
+      type:
+        example: https://api.triggerssmith.com/errors/role-not-found
+        type: string
+    type: object
+  api_acladmin.assignResourceToRoleRequest:
+    properties:
+      resourceId:
+        example: 1
+        type: integer
+    type: object
+  api_acladmin.assignRoleToUserRequest:
+    properties:
+      roleId:
+        example: 1
+        type: integer
+    type: object
+  api_acladmin.createResourceRequest:
+    properties:
+      key:
+        example: html.view
+        type: string
+    type: object
+  api_acladmin.createResourceResponse:
+    properties:
+      id:
+        example: 1
+        type: integer
+      key:
+        example: html.view
+        type: string
+    type: object
+  api_acladmin.createRoleRequest:
+    properties:
+      name:
+        example: admin
+        type: string
+    type: object
+  api_acladmin.createRoleResponse:
+    properties:
+      id:
+        example: 1
+        type: integer
+      name:
+        example: admin
+        type: string
+    type: object
+  api_acladmin.getResourceResponse:
+    properties:
+      id:
+        example: 1
+        type: integer
+      key:
+        example: html.view
+        type: string
+    type: object
+  api_acladmin.getRoleResource:
+    properties:
+      id:
+        example: 1
+        type: integer
+      name:
+        example: '*'
+        type: string
+    type: object
+  api_acladmin.getRoleResponse:
+    properties:
+      id:
+        example: 1
+        type: integer
+      name:
+        example: admin
+        type: string
+    type: object
+  api_acladmin.getRoleUser:
+    properties:
+      email:
+        example: admin@triggerssmith.com
+        type: string
+      id:
+        example: 1
+        type: integer
+      username:
+        example: admin
+        type: string
+    type: object
+  api_acladmin.getUserRole:
+    properties:
+      id:
+        example: 1
+        type: integer
+      name:
+        example: '*'
+        type: string
+    type: object
+  api_acladmin.updateResourceRequest:
+    properties:
+      key:
+        example: html.view
+        type: string
+    type: object
+  api_acladmin.updateResourceResponse:
+    properties:
+      id:
+        example: 1
+        type: integer
+      key:
+        example: html.view
+        type: string
+    type: object
+  api_acladmin.updateRoleRequest:
+    properties:
+      name:
+        example: admin
+        type: string
+    type: object
+  api_acladmin.updateRoleResponse:
+    properties:
+      id:
+        example: 1
+        type: integer
+      name:
+        example: admin
+        type: string
+    type: object
+info:
+  contact: {}
+paths:
+  /api/acl/resources:
+    get:
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            items:
+              properties:
+                id:
+                  example: 1
+                  type: integer
+                key:
+                  example: html.view
+                  type: string
+              type: object
+            type: array
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get all resources
+      tags:
+      - acl/resources
+    post:
+      consumes:
+      - application/json
+      parameters:
+      - description: Resource
+        in: body
+        name: request
+        required: true
+        schema:
+          $ref: '#/definitions/api_acladmin.createResourceRequest'
+      produces:
+      - application/json
+      responses:
+        "201":
+          description: Created
+          schema:
+            $ref: '#/definitions/api_acladmin.createResourceResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Create resource
+      tags:
+      - acl/resources
+  /api/acl/resources/{resourceId}:
+    delete:
+      parameters:
+      - description: Resource ID
+        example: 1
+        in: path
+        name: resourceId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Delete resource
+      tags:
+      - acl/resources
+    get:
+      parameters:
+      - description: Resource ID
+        example: 1
+        in: path
+        name: resourceId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/api_acladmin.getResourceResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get resource by ID
+      tags:
+      - acl/resources
+    patch:
+      consumes:
+      - application/json
+      parameters:
+      - description: Resource ID
+        example: 1
+        in: path
+        name: resourceId
+        required: true
+        type: integer
+      - description: Resource
+        in: body
+        name: request
+        required: true
+        schema:
+          $ref: '#/definitions/api_acladmin.updateResourceRequest'
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/api_acladmin.updateResourceResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Update resource
+      tags:
+      - acl/resources
+  /api/acl/roles:
+    get:
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            items:
+              items:
+                properties:
+                  id:
+                    example: 1
+                    type: integer
+                  name:
+                    example: admin
+                    type: string
+                type: object
+              type: array
+            type: array
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get all roles
+      tags:
+      - acl/roles
+    post:
+      consumes:
+      - application/json
+      parameters:
+      - description: Role
+        in: body
+        name: request
+        required: true
+        schema:
+          $ref: '#/definitions/api_acladmin.createRoleRequest'
+      produces:
+      - application/json
+      responses:
+        "201":
+          description: Created
+          schema:
+            $ref: '#/definitions/api_acladmin.createRoleResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Create role
+      tags:
+      - acl/roles
+  /api/acl/roles/{roleId}:
+    delete:
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Delete role
+      tags:
+      - acl/roles
+    get:
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/api_acladmin.getRoleResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get role by ID
+      tags:
+      - acl/roles
+    patch:
+      consumes:
+      - application/json
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      - description: Role
+        in: body
+        name: request
+        required: true
+        schema:
+          $ref: '#/definitions/api_acladmin.updateRoleRequest'
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/api_acladmin.updateRoleResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Update role
+      tags:
+      - acl/roles
+  /api/acl/roles/{roleId}/resources:
+    get:
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            items:
+              items:
+                $ref: '#/definitions/api_acladmin.getRoleResource'
+              type: array
+            type: array
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get role resources
+      tags:
+      - acl/roles
+    post:
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      - description: Resource
+        in: body
+        name: request
+        required: true
+        schema:
+          $ref: '#/definitions/api_acladmin.assignResourceToRoleRequest'
+      produces:
+      - application/json
+      responses:
+        "201":
+          description: Created
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Assign resource to role
+      tags:
+      - acl/roles
+  /api/acl/roles/{roleId}/resources/{resId}:
+    delete:
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      - description: Resource ID
+        example: 1
+        in: path
+        name: resId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Remove resource from role
+      tags:
+      - acl/roles
+  /api/acl/roles/{roleId}/users:
+    get:
+      parameters:
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            items:
+              items:
+                $ref: '#/definitions/api_acladmin.getRoleUser'
+              type: array
+            type: array
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get role users
+      tags:
+      - acl/roles
+  /api/acl/users/{userId}/roles:
+    get:
+      parameters:
+      - description: User ID
+        example: 1
+        in: path
+        name: userId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            items:
+              $ref: '#/definitions/api_acladmin.getUserRole'
+            type: array
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Get user roles by user ID
+      tags:
+      - acl/users
+    post:
+      parameters:
+      - description: User ID
+        example: 1
+        in: path
+        name: userId
+        required: true
+        type: integer
+      - description: Role ID
+        in: body
+        name: body
+        required: true
+        schema:
+          $ref: '#/definitions/api_acladmin.assignRoleToUserRequest'
+      produces:
+      - application/json
+      responses:
+        "201":
+          description: Created
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "409":
+          description: Conflict
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Assign role to user
+      tags:
+      - acl/users
+  /api/acl/users/{userId}/roles/{roleId}:
+    delete:
+      parameters:
+      - description: User ID
+        example: 1
+        in: path
+        name: userId
+        required: true
+        type: integer
+      - description: Role ID
+        example: 1
+        in: path
+        name: roleId
+        required: true
+        type: integer
+      produces:
+      - application/json
+      responses:
+        "204":
+          description: No Content
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "404":
+          description: Not Found
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/api_acladmin.ProblemDetails'
+      summary: Remove role from user
+      tags:
+      - acl/users
+swagger: "2.0"

go.mod

@@ -5,12 +5,33 @@ go 1.24.9
 require (
 	github.com/akyaiy/GSfass/core v0.0.0-20251115194535-2b7489bfc204
 	github.com/spf13/cobra v1.10.1
+	github.com/swaggo/http-swagger v1.3.4
+	github.com/swaggo/swag v1.16.6
+	golang.org/x/crypto v0.46.0
+)
+
+require (
+	github.com/KyleBanks/depth v1.2.1 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/spec v0.20.6 // indirect
+	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe // indirect
+	golang.org/x/mod v0.30.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 )
 
 require (
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
-	github.com/go-chi/chi/v5 v5.2.3 // indirect
+	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0
+	github.com/google/uuid v1.6.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
@@ -24,8 +45,8 @@ require (
 	github.com/spf13/viper v1.21.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
-	gorm.io/driver/sqlite v1.6.0 // indirect
-	gorm.io/gorm v1.31.1 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	gorm.io/driver/sqlite v1.6.0
+	gorm.io/gorm v1.31.1
 )

go.sum

@@ -1,6 +1,10 @@
+github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc=
+github.com/KyleBanks/depth v1.2.1/go.mod h1:jzSb9d0L43HxTQfT+oSA1EEp2q+ne2uh6XgeJcm8brE=
 github.com/akyaiy/GSfass/core v0.0.0-20251115194535-2b7489bfc204 h1:tvG9DIB1e58sWfDbYLdgOcXRdyZxSYy/wk2VHJHgzec=
 github.com/akyaiy/GSfass/core v0.0.0-20251115194535-2b7489bfc204/go.mod h1:Sk61563skjfIIYbmTUTJSWqGwBp9ODiBMjza8F5+UFY=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
@@ -9,22 +13,47 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
 github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA=
+github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo=
+github.com/go-openapi/spec v0.20.6 h1:ich1RQ3WDbfoeTqTAb+5EIxNmpKVJZWBNah9RAT0jIQ=
+github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM=
+github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
+github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -47,19 +76,50 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
+github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe h1:K8pHPVoTgxFJt1lXuIzzOX7zZhZFldJQK/CgKx9BFIc=
+github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe/go.mod h1:lKJPbtWzJ9JhsTN1k1gZgleJWY/cqq0psdoMmaThG3w=
+github.com/swaggo/http-swagger v1.3.4 h1:q7t/XLx0n15H1Q9/tk3Y9L4n210XzJF5WtnDX64a5ww=
+github.com/swaggo/http-swagger v1.3.4/go.mod h1:9dAh0unqMBAlbp1uE2Uc2mQTxNMU/ha4UbucIg1MFkQ=
+github.com/swaggo/swag v1.16.6 h1:qBNcx53ZaX+M5dxVyTrgQ0PJ/ACK+NzhwcbieTt+9yI=
+github.com/swaggo/swag v1.16.6/go.mod h1:ngP2etMK5a0P3QBizic5MEwpRmluJZPHjXcMoj4Xesg=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
+golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
+golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/sqlite v1.6.0 h1:WHRRrIiulaPiPFmDcod6prc4l2VGVWHz80KspNsxSfQ=

internal/acl/errors.go

@@ -0,0 +1,27 @@
+package acl
+
+// TODO: add more specific errors
+
+import "fmt"
+
+var (
+	ErrNotInitialized = fmt.Errorf("acl service is not initialized")
+
+	ErrRoleNotFound        = fmt.Errorf("role not found")
+	ErrRoleAlreadyExists   = fmt.Errorf("role already exists")
+	ErrInvalidRoleName     = fmt.Errorf("role name is invalid")
+	ErrSameRoleName        = fmt.Errorf("role name is the same as another role")
+	ErrRoleInUse           = fmt.Errorf("role is in use")
+	ErrRoleAlreadyAssigned = fmt.Errorf("role is already assigned to user")
+
+	ErrResourceNotFound        = fmt.Errorf("resource not found")
+	ErrResourceAlreadyExists   = fmt.Errorf("resource already exists")
+	ErrInvalidResourceKey      = fmt.Errorf("invalid resource key")
+	ErrResourceInUse           = fmt.Errorf("resource is in use")
+	ErrSameResourceKey         = fmt.Errorf("resource key is the same as another resource")
+	ErrResourceAlreadyAssigned = fmt.Errorf("resource is already assigned to role")
+	ErrRoleResourceNotFound    = fmt.Errorf("assigned resource to role is not found")
+
+	ErrUserNotFound     = fmt.Errorf("user not found")
+	ErrUserRoleNotFound = fmt.Errorf("user role not found")
+)

internal/acl/models.go

@@ -0,0 +1,32 @@
+package acl
+
+import "git.oblat.lv/alex/triggerssmith/internal/user"
+
+type UserRole struct {
+	UserID uint `gorm:"index;not null;uniqueIndex:ux_user_role"`
+	RoleID uint `gorm:"index;not null;uniqueIndex:ux_user_role"`
+
+	Role Role      `gorm:"constraint:OnDelete:CASCADE;foreignKey:RoleID;references:ID" json:"role"`
+	User user.User `gorm:"constraint:OnDelete:CASCADE;foreignKey:UserID;references:ID"`
+}
+
+type Resource struct {
+	ID  uint   `gorm:"primaryKey;autoIncrement" json:"id"`
+	Key string `gorm:"unique;not null" json:"key"`
+}
+
+type Role struct {
+	ID   uint   `gorm:"primaryKey;autoIncrement" json:"id"`
+	Name string `gorm:"unique;not null" json:"name"`
+
+	Resources []Resource  `gorm:"many2many:role_resources" json:"resources"`
+	Users     []user.User `gorm:"many2many:user_roles"`
+}
+
+type RoleResource struct {
+	RoleID     uint `gorm:"primaryKey" json:"roleId"`
+	ResourceID uint `gorm:"primaryKey" json:"resourceId"`
+
+	Role     Role     `gorm:"constraint:OnDelete:CASCADE;foreignKey:RoleID;references:ID" json:"role"`
+	Resource Resource `gorm:"constraint:OnDelete:CASCADE;foreignKey:ResourceID;references:ID" json:"resource"`
+}

internal/acl/resources.go

@@ -0,0 +1,220 @@
+package acl
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+// GetResources returns all resources.
+// May return [ErrNotInitialized] or db error.
+func (s *Service) GetResources() ([]Resource, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var resources []Resource
+	if err := s.db.Order("id").Find(&resources).Error; err != nil {
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return resources, nil
+}
+
+// CreateResource creates a new resource with the given key or returns existing one.
+// Returns ID of created resource.
+// May return [ErrNotInitialized], [ErrInvalidResourceKey], [ErrResourceAlreadyExists] or db error.
+func (s *Service) CreateResource(key string) (uint, error) {
+	if !s.isInitialized() {
+		return 0, ErrNotInitialized
+	}
+
+	key = strings.TrimSpace(key)
+	if key == "" {
+		return 0, ErrInvalidResourceKey
+	}
+
+	var res Resource
+	if err := s.db.Where("key = ?", key).First(&res).Error; err == nil {
+		// already exists
+		return res.ID, ErrResourceAlreadyExists
+	} else if !errors.Is(err, gorm.ErrRecordNotFound) {
+		// other db error
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	res = Resource{Key: key}
+	if err := s.db.Create(&res).Error; err != nil {
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	return res.ID, nil
+}
+
+// GetResourceByID returns the resource with the given ID.
+// May return [ErrNotInitialized], [ErrResourceNotFound] or db error.
+func (s *Service) GetResourceByID(resourceID uint) (*Resource, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrResourceNotFound
+		}
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return &res, nil
+}
+
+// UpdateResource updates the key of a resource.
+// May return [ErrNotInitialized], [ErrInvalidResourceKey], [ErrResourceNotFound], [ErrSameResourceKey] or db error.
+func (s *Service) UpdateResource(resourceID uint, newKey string) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	newKey = strings.TrimSpace(newKey)
+	if newKey == "" {
+		return ErrInvalidResourceKey
+	}
+
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	// same key?
+	if res.Key == newKey {
+		return ErrSameResourceKey
+	}
+
+	// check if key used by another resource
+	var count int64
+	if err := s.db.Model(&Resource{}).
+		Where("key = ? AND id != ?", newKey, resourceID).
+		Count(&count).Error; err != nil {
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if count > 0 {
+		return ErrSameResourceKey
+	}
+
+	res.Key = newKey
+	if err := s.db.Save(&res).Error; err != nil {
+		return fmt.Errorf("failed to update resource: %w", err)
+	}
+
+	return nil
+}
+
+// DeleteResource deletes a resource.
+// May return [ErrNotInitialized], [ErrResourceNotFound], [ErrResourceInUse] or db error.
+func (s *Service) DeleteResource(resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	result := s.db.Delete(&Resource{}, resourceID)
+
+	if err := result.Error; err != nil {
+		if strings.Contains(err.Error(), "FOREIGN KEY constraint failed") {
+			return ErrResourceInUse
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if result.RowsAffected == 0 {
+		return ErrResourceNotFound
+	}
+
+	return nil
+}
+
+// AssignResourceToRole assigns a resource to a role
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrResourceNotFound], [ErrAlreadyAssigned] or db error.
+func (s *Service) AssignResourceToRole(roleID, resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	// check role exists
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	// check resource exists
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("failed to fetch resource: %w", err)
+	}
+
+	rr := RoleResource{
+		RoleID:     roleID,
+		ResourceID: resourceID,
+	}
+
+	tx := s.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&rr)
+	if tx.Error != nil {
+		return fmt.Errorf("failed to assign resource to role: %w", tx.Error)
+	}
+
+	// if nothing inserted — already assigned
+	if tx.RowsAffected == 0 {
+		return ErrResourceAlreadyAssigned
+	}
+
+	return nil
+}
+
+// RemoveResourceFromRole removes a resource from a role
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrResourceNotFound], [ErrRoleResourceNotFound] or db error.
+func (s *Service) RemoveResourceFromRole(roleID, resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+	// check role exists
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	// check resource exists
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("failed to fetch resource: %w", err)
+	}
+
+	tx := s.db.Where("role_id = ? AND resource_id = ?", roleID, resourceID).Delete(&RoleResource{})
+	if tx.Error != nil {
+		return fmt.Errorf("failed to remove resource from role: %w", tx.Error)
+	}
+
+	if tx.RowsAffected == 0 {
+		return ErrRoleResourceNotFound
+	}
+
+	return nil
+}

internal/acl/roles.go

@@ -0,0 +1,240 @@
+package acl
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"git.oblat.lv/alex/triggerssmith/internal/user"
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+// GetRoles returns all roles.
+// May return [ErrNotInitialized] or db error.
+func (s *Service) GetRoles() ([]Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var roles []Role
+	if err := s.db.Preload("Resources").Preload("Users").Order("id").Find(&roles).Error; err != nil {
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return roles, nil
+}
+
+// CreateRole creates a new role with the given name or returns existing one.
+// Returns the ID of the created role.
+// May return [ErrNotInitialized], [ErrInvalidRoleName], [ErrRoleAlreadyExists] or db error.
+func (s *Service) CreateRole(name string) (uint, error) {
+	if !s.isInitialized() {
+		return 0, ErrNotInitialized
+	}
+
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return 0, ErrInvalidRoleName
+	}
+
+	var role Role
+	if err := s.db.Where("name = ?", name).First(&role).Error; err == nil {
+		// already exists
+		return role.ID, ErrRoleAlreadyExists
+	} else if !errors.Is(err, gorm.ErrRecordNotFound) {
+		// other database error
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	role = Role{Name: name}
+	if err := s.db.Create(&role).Error; err != nil {
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	return role.ID, nil
+}
+
+// GetRoleByID returns the role with the given ID or an error.
+// May return [ErrNotInitialized], [ErrRoleNotFound] or db error.
+func (s *Service) GetRoleByID(roleID uint) (*Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+	var role Role
+	err := s.db.Preload("Resources").Preload("Users").First(&role, roleID).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrRoleNotFound
+		}
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return &role, nil
+}
+
+// UpdateRole updates the name of a role.
+// May return [ErrNotInitialized], [ErrInvalidRoleName], [ErrRoleNotFound], [ErrSameRoleName], or db error.
+func (s *Service) UpdateRole(roleID uint, newName string) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	newName = strings.TrimSpace(newName)
+	if newName == "" {
+		return ErrInvalidRoleName
+	}
+
+	var role Role
+	err := s.db.First(&role, roleID).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	// check for name conflicts
+	if role.Name == newName {
+		return ErrSameRoleName
+	}
+	var count int64
+	err = s.db.Model(&Role{}).Where("name = ? AND id != ?", newName, roleID).Count(&count).Error
+	if err != nil {
+		return fmt.Errorf("db error: %w", err)
+	}
+	if count > 0 {
+		return ErrSameRoleName
+	}
+
+	role.Name = newName
+	if err := s.db.Save(&role).Error; err != nil {
+		return fmt.Errorf("failed to update role: %w", err)
+	}
+
+	return nil
+}
+
+// DeleteRole deletes a role.
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrRoleInUse] or db error.
+func (s *Service) DeleteRole(roleID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	result := s.db.Delete(&Role{}, roleID)
+	if err := result.Error; err != nil {
+		if strings.Contains(err.Error(), "FOREIGN KEY constraint failed") {
+			return ErrRoleInUse
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if result.RowsAffected == 0 {
+		return ErrRoleNotFound
+	}
+
+	return nil
+}
+
+// GetUserRoles returns all roles for a given user.
+// May return [ErrNotInitialized], [ErrUserNotFound], [ErrRoleNotFound] or db error.
+func (s *Service) GetUserRoles(userID uint) ([]Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+	var user user.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrUserNotFound
+		}
+		return nil, fmt.Errorf("failed to fetch user: %w", err)
+	}
+
+	var roles []Role
+	err := s.db.
+		Joins("JOIN user_roles ur ON ur.role_id = roles.id").
+		Where("ur.user_id = ?", userID).
+		Find(&roles).Error
+	if err != nil {
+		return nil, fmt.Errorf("failed to get user roles: %w", err)
+	}
+
+	if len(roles) == 0 {
+		return nil, ErrRoleNotFound
+	}
+	return roles, nil
+}
+
+// AssignRoleToUser assigns a role to a user.
+// May return [ErrNotInitialized], [ErrUserNotFound], [ErrRoleNotFound], [ErrRoleAlreadyAssigned] or db error.
+func (s *Service) AssignRoleToUser(roleID, userID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+	var user user.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrUserNotFound
+		}
+		return fmt.Errorf("failed to fetch user: %w", err)
+	}
+
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	ur := UserRole{
+		UserID: userID,
+		RoleID: roleID,
+	}
+
+	tx := s.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&ur)
+	if tx.Error != nil {
+		return fmt.Errorf("failed to assign resource to role: %w", tx.Error)
+	}
+	if tx.RowsAffected == 0 {
+		return ErrRoleAlreadyAssigned
+	}
+
+	return nil
+}
+
+// RemoveRoleFromUser removes a role from a user.
+// May return [ErrNotInitialized], [ErrUserNotFound], [ErrRoleNotFound], [ErrUserRoleNotFound] or db error.
+func (s *Service) RemoveRoleFromUser(roleID, userID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	var user user.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrUserNotFound
+		}
+		return fmt.Errorf("failed to fetch user: %w", err)
+	}
+
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	tx := s.db.Where("role_id = ? AND user_id = ?", roleID, userID).Delete(&UserRole{})
+	if tx.Error != nil {
+		return fmt.Errorf("failed to remove role from user: %w", tx.Error)
+	}
+
+	if tx.RowsAffected == 0 {
+		return ErrUserRoleNotFound
+	}
+
+	return nil
+}

internal/acl/service.go

@@ -0,0 +1,41 @@
+package acl
+
+import (
+	"fmt"
+
+	"gorm.io/gorm"
+)
+
+type Service struct {
+	initialized bool
+
+	db *gorm.DB
+}
+
+func NewService(db *gorm.DB) (*Service, error) {
+	if db == nil {
+		return nil, fmt.Errorf("db is required")
+	}
+	return &Service{
+		db: db,
+	}, nil
+}
+
+func (s *Service) isInitialized() bool {
+	return s.initialized
+}
+
+func (s *Service) Init() error {
+	if s.isInitialized() {
+		return nil
+	}
+
+	// AutoMigrate models
+	err := s.db.AutoMigrate(&UserRole{}, &Resource{}, &Role{}, &RoleResource{})
+	if err != nil {
+		return fmt.Errorf("failed to migrate ACL models: %w", err)
+	}
+
+	s.initialized = true
+	return nil
+}

internal/acl_test/crud_test.go

@@ -0,0 +1,158 @@
+package acl_test
+
+// DEPRECATED TEST FILE
+
+// import (
+// 	"os"
+// 	"path/filepath"
+// 	"testing"
+
+// 	"git.oblat.lv/alex/triggerssmith/internal/acl"
+// 	"git.oblat.lv/alex/triggerssmith/internal/user"
+// 	"gorm.io/driver/sqlite"
+// 	"gorm.io/gorm"
+// )
+
+// func openTestDB(t *testing.T) *gorm.DB {
+// 	t.Helper()
+
+// 	// Путь к файлу базы
+// 	dbPath := filepath.Join("testdata", "test.db")
+
+// 	// Удаляем старую базу, если есть
+// 	os.Remove(dbPath)
+
+// 	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+// 	if err != nil {
+// 		t.Fatalf("failed to open test db: %v", err)
+// 	}
+
+// 	// Миграция таблицы User для связи с ACL
+// 	if err := db.AutoMigrate(&user.User{}); err != nil {
+// 		t.Fatalf("failed to migrate User: %v", err)
+// 	}
+
+// 	return db
+// }
+
+// func TestACLService_CRUD(t *testing.T) {
+// 	db := openTestDB(t)
+
+// 	// Создаём сервис ACL
+// 	svc, err := acl.NewService(db)
+// 	if err != nil {
+// 		t.Fatalf("failed to create ACL service: %v", err)
+// 	}
+
+// 	if err := svc.Init(); err != nil {
+// 		t.Fatalf("failed to init ACL service: %v", err)
+// 	}
+
+// 	// Создаём роли
+// 	if err := svc.CreateRole("admin"); err != nil {
+// 		t.Fatalf("CreateRole failed: %v", err)
+// 	}
+// 	if err := svc.CreateRole("guest"); err != nil {
+// 		t.Fatalf("CreateRole failed: %v", err)
+// 	}
+
+// 	roles, err := svc.GetRoles()
+// 	if err != nil {
+// 		t.Fatalf("GetRoles failed: %v", err)
+// 	}
+// 	if len(roles) != 2 {
+// 		t.Fatalf("expected 2 roles, got %d", len(roles))
+// 	}
+
+// 	// Создаём ресурсы
+// 	if err := svc.CreateResource("*"); err != nil {
+// 		t.Fatalf("CreateResource failed: %v", err)
+// 	}
+// 	if err := svc.CreateResource("html.view.*"); err != nil {
+// 		t.Fatalf("CreateResource failed: %v", err)
+// 	}
+
+// 	resources, err := svc.GetPermissions()
+// 	if err != nil {
+// 		t.Fatalf("GetPermissions failed: %v", err)
+// 	}
+// 	if len(resources) != 2 {
+// 		t.Fatalf("expected 2 resources, got %d", len(resources))
+// 	}
+
+// 	// 1. Создаём сервис user
+// 	store, err := user.NewGormUserStore(db)
+// 	if err != nil {
+// 		t.Fatalf("failed to create user store: %v", err)
+// 	}
+// 	userSvc, err := user.NewService(store)
+// 	if err != nil {
+// 		t.Fatalf("failed to create user service: %v", err)
+// 	}
+
+// 	// 2. Инициализируем
+// 	if err := userSvc.Init(); err != nil {
+// 		t.Fatalf("failed to init user service: %v", err)
+// 	}
+
+// 	user := &user.User{
+// 		Username: "testuser",
+// 		Email:    "testuser@example.com",
+// 		Password: "secret",
+// 	}
+
+// 	u := user
+
+// 	// 3. Создаём пользователя через сервис
+// 	err = userSvc.Create(user)
+// 	if err != nil {
+// 		t.Fatalf("failed to create user: %v", err)
+// 	}
+
+// 	// Привязываем роль к пользователю
+// 	adminRoleID := roles[0].ID
+// 	if err := svc.AssignRoleToUser(adminRoleID, uint(u.ID)); err != nil {
+// 		t.Fatalf("AssignRoleToUser failed: %v", err)
+// 	}
+
+// 	userRoles, err := svc.GetUserRoles(uint(u.ID))
+// 	if err != nil {
+// 		t.Fatalf("GetUserRoles failed: %v", err)
+// 	}
+// 	if len(userRoles) != 1 || userRoles[0].ID != adminRoleID {
+// 		t.Fatalf("expected user to have admin role")
+// 	}
+
+// 	// Привязываем ресурсы к роли
+// 	for _, res := range resources {
+// 		if err := svc.AssignResourceToRole(adminRoleID, res.ID); err != nil {
+// 			t.Fatalf("AssignResourceToRole failed: %v", err)
+// 		}
+// 	}
+
+// 	roleResources, err := svc.GetRoleResources(adminRoleID)
+// 	if err != nil {
+// 		t.Fatalf("GetRoleResources failed: %v", err)
+// 	}
+// 	if len(roleResources) != 2 {
+// 		t.Fatalf("expected role to have 2 resources")
+// 	}
+
+// 	// Удаляем ресурс из роли
+// 	if err := svc.RemoveResourceFromRole(adminRoleID, resources[0].ID); err != nil {
+// 		t.Fatalf("RemoveResourceFromRole failed: %v", err)
+// 	}
+// 	roleResources, _ = svc.GetRoleResources(adminRoleID)
+// 	if len(roleResources) != 1 {
+// 		t.Fatalf("expected 1 resource after removal")
+// 	}
+
+// 	// Удаляем роль у пользователя
+// 	if err := svc.RemoveRoleFromUser(adminRoleID, uint(u.ID)); err != nil {
+// 		t.Fatalf("RemoveRoleFromUser failed: %v", err)
+// 	}
+// 	userRoles, _ = svc.GetUserRoles(uint(u.ID))
+// 	if len(userRoles) != 0 {
+// 		t.Fatalf("expected user to have 0 roles after removal")
+// 	}
+// }

internal/auth/service.go

@@ -0,0 +1,246 @@
+package auth
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/jwt"
+	"git.oblat.lv/alex/triggerssmith/internal/token"
+	"git.oblat.lv/alex/triggerssmith/internal/user"
+	ejwt "github.com/golang-jwt/jwt/v5"
+	"golang.org/x/crypto/bcrypt"
+)
+
+type Tokens struct {
+	Access  string
+	Refresh string
+}
+
+type Service struct {
+	cfg *config.Config
+
+	services struct {
+		jwt   *jwt.Service
+		user  *user.Service
+		token *token.Service
+	}
+}
+
+type AuthServiceDependencies struct {
+	Configuration *config.Config
+
+	JWTService   *jwt.Service
+	UserService  *user.Service
+	TokenService *token.Service
+}
+
+func NewAuthService(deps AuthServiceDependencies) (*Service, error) {
+	if deps.Configuration == nil {
+		return nil, fmt.Errorf("config is nil")
+	}
+	if deps.JWTService == nil {
+		return nil, fmt.Errorf("jwt service is nil")
+	}
+	if deps.UserService == nil {
+		return nil, fmt.Errorf("user service is nil")
+	}
+	if deps.TokenService == nil {
+		return nil, fmt.Errorf("token service is nil")
+	}
+	return &Service{
+		cfg: deps.Configuration,
+		services: struct {
+			jwt   *jwt.Service
+			user  *user.Service
+			token *token.Service
+		}{
+			jwt:   deps.JWTService,
+			user:  deps.UserService,
+			token: deps.TokenService,
+		},
+	}, nil
+}
+
+// Users
+
+func (s *Service) Get(by, value string) (*user.User, error) {
+	return s.services.user.GetBy(by, value)
+}
+
+// Register creates a new user with the given username, email, and password.
+// Password is hashed before storing.
+// Returns the created user or an error.
+func (s *Service) Register(username, email, password string) (*user.User, error) {
+	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, fmt.Errorf("failed to hash password: %w", err)
+	}
+
+	user := &user.User{
+		Username: username,
+		Email:    email,
+		Password: string(hashedPassword),
+	}
+
+	err = s.services.user.Create(user)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create user: %w", err)
+	}
+
+	return user, nil
+}
+
+// Login authenticates a user with the given username and password.
+// Returns access and refresh tokens if successful.
+func (s *Service) Login(username, password string) (*Tokens, error) {
+	user, err := s.services.user.GetBy("username", username)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get user by username: %w", err)
+	}
+
+	err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
+	if err != nil {
+		return nil, fmt.Errorf("invalid password: %w", err)
+	}
+	refreshToken, rjti, err := s.services.jwt.Generate(s.cfg.Auth.RefreshTokenTTL, ejwt.MapClaims{
+		"sub": user.ID,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
+	}
+	accessToken, _, err := s.services.jwt.Generate(s.cfg.Auth.AccessTokenTTL, ejwt.MapClaims{
+		"sub":  user.ID,
+		"rjti": rjti,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
+	}
+	return &Tokens{Access: accessToken, Refresh: refreshToken}, nil
+}
+
+// Logout revokes the refresh token identified by the given rjti.
+func (s *Service) Logout(rjti string) error {
+	return s.services.token.RevokeByRefreshDefault(rjti)
+}
+
+// Access tokens
+
+// ValidateAccessToken validates the given access token string.
+// Returns the user ID (sub claim) if valid, or an error.
+func (s *Service) ValidateAccessToken(tokenStr string) (int64, error) {
+	claims, _, err := s.services.jwt.Validate(tokenStr)
+	if err != nil {
+		return 0, fmt.Errorf("failed to validate access token: %w", err)
+	}
+
+	isRevoked, err := s.services.token.IsRevoked(claims["rjti"].(string))
+	if err != nil {
+		return 0, fmt.Errorf("failed to check if token is revoked: %w", err)
+	}
+	if isRevoked {
+		return 0, fmt.Errorf("token is revoked")
+	}
+
+	sub := claims["sub"].(float64)
+	return int64(sub), nil
+}
+
+// Refresh tokens
+
+// RefreshTokens validates the given refresh token and issues new access and refresh tokens.
+// Returns the new access and refresh tokens or an error.
+func (s *Service) RefreshTokens(refreshTokenStr string) (*Tokens, error) {
+	claims, rjti, err := s.services.jwt.Validate(refreshTokenStr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	isRevoked, err := s.services.token.IsRevoked(rjti)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if token is revoked: %w", err)
+	}
+	if isRevoked {
+		return nil, fmt.Errorf("refresh token is revoked")
+	}
+
+	sub := claims["sub"].(float64)
+
+	newRefreshToken, newRjti, err := s.services.jwt.Generate(s.cfg.Auth.RefreshTokenTTL, ejwt.MapClaims{
+		"sub": sub,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate new refresh token: %w", err)
+	}
+	newAccessToken, _, err := s.services.jwt.Generate(s.cfg.Auth.AccessTokenTTL, ejwt.MapClaims{
+		"sub":  sub,
+		"rjti": newRjti,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate new access token: %w", err)
+	}
+
+	// Revoke the old refresh token
+	if err := s.services.token.RevokeByRefreshDefault(rjti); err != nil {
+		return nil, fmt.Errorf("failed to revoke old refresh token: %w", err)
+	}
+
+	return &Tokens{Access: newAccessToken, Refresh: newRefreshToken}, nil
+}
+
+// ValidateRefreshToken validates the given refresh token string.
+// Returns user id and error.
+func (s *Service) ValidateRefreshToken(tokenStr string) (int64, error) {
+	claims, _, err := s.services.jwt.Validate(tokenStr)
+	if err != nil {
+		return 0, fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	isRevoked, err := s.services.token.IsRevoked(claims["jti"].(string))
+	if err != nil {
+		return 0, fmt.Errorf("failed to check if token is revoked: %w", err)
+	}
+	if isRevoked {
+		return 0, fmt.Errorf("refresh token is revoked")
+	}
+
+	sub := claims["sub"].(float64)
+	return int64(sub), nil
+}
+
+// RevokeRefresh revokes the refresh token identified by the given token string.
+func (s *Service) RevokeRefresh(token string) error {
+	_, rjti, err := s.services.jwt.Validate(token)
+	if err != nil {
+		return fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	return s.services.token.RevokeByRefreshDefault(rjti)
+}
+
+// IsRefreshRevoked checks if the refresh token identified by the given token string is revoked.
+func (s *Service) IsRefreshRevoked(token string) (bool, error) {
+	_, rjti, err := s.services.jwt.Validate(token)
+	if err != nil {
+		return false, fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	return s.services.token.IsRevoked(rjti)
+}
+
+func (s *Service) AuthenticateRequest(r *http.Request) (ejwt.Claims, error) {
+	header := r.Header.Get("Authorization")
+	if header == "" {
+		return nil, fmt.Errorf("token is missing")
+	}
+	if !strings.HasPrefix(header, "Bearer ") {
+		return nil, fmt.Errorf("token is missing")
+	}
+	tokenString := strings.TrimPrefix(header, "Bearer ")
+	tokenClaims, _, err := s.services.jwt.Validate(tokenString)
+	if err != nil {
+		return nil, err
+	}
+	return tokenClaims, nil
+}

internal/config/config.go

@@ -2,33 +2,73 @@ package config
 
 import (
 	"sync/atomic"
+	"time"
 
 	"github.com/akyaiy/GSfass/core/config"
 )
 
+type StaticConfig struct {
+	Enabled   bool   `mapstructure:"enabled"`
+	Dir       string `mapstructure:"static_dir"`
+	IndexFile string `mapstructure:"index_file"`
+}
+
+type BlockConfig struct {
+	Enabled  bool   `mapstructure:"enabled"`
+	BlockDir string `mapstructure:"block_dir"`
+}
+
 type ServerConfig struct {
-	Port            int    `mapstructure:"port"`
-	Addr            string `mapstructure:"address"`
-	StaticFilesPath string `mapstructure:"static_dir"`
-	LogPath         string `mapstructure:"log_path"`
+	StaticConfig   StaticConfig  `mapstructure:"static"`
+	BlockConfig    BlockConfig   `mapstructure:"block"`
+	Port           int           `mapstructure:"port"`
+	Addr           string        `mapstructure:"address"`
+	LogPath        string        `mapstructure:"log_path"`
+	TimeoutSeconds time.Duration `mapstructure:"timeout_seconds"`
 }
 
 type FuncConfig struct {
 	FunctionDir string `mapstructure:"func_dir"`
 }
 
+type Auth struct {
+	SignAlg         string        `mapstructure:"sign_alg"`
+	HMACSecretPath  string        `mapstructure:"hmac_secret_path"`
+	RefreshTokenTTL time.Duration `mapstructure:"refresh_token_ttl"`
+	AccessTokenTTL  time.Duration `mapstructure:"access_token_ttl"`
+}
+
+type Data struct {
+	DataPath string `mapstructure:"data_dir"`
+}
+
 type Config struct {
 	Server    ServerConfig `mapstructure:"server"`
 	Functions FuncConfig   `mapstructure:"functions"`
+	Auth      Auth         `mapstructure:"auth"`
+	Data      Data         `mapstructure:"data"`
 }
 
 var configPath atomic.Value // string
 var defaults = map[string]any{
-	"server.port":       8080,
-	"server.address":    "127.0.0.0",
-	"server.static_dir": "./static",
+	"server.port":              8080,
+	"server.address":           "127.0.0.0",
+	"server.timeout_seconds":   5,
+	"server.log_path":          "./logs/server.log",
+	"server.static.enabled":    true,
+	"server.static.static_dir": "./static",
+	"server.static.index_file": "index.html",
+	"server.block.enabled":     true,
+	"server.block.block_dir":   "./blocks",
+
+	"data.data_dir": "./data",
 
 	"functions.func_dir": "./functions",
+
+	"auth.refresh_token_ttl": 24 * time.Hour,
+	"auth.access_token_ttl":  15 * time.Minute,
+	"auth.sign_alg":          "HS256",
+	"auth.hmac_secret_path":  "./secret/hmac_secret",
 }
 
 func read(cfg *Config) error {

internal/jwt/parse.go

@@ -0,0 +1,28 @@
+package jwt
+
+import (
+	"fmt"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func Parse(
+	tokenStr string,
+	method jwt.SigningMethod,
+	key any,
+) (jwt.Claims, error) {
+	t, err := jwt.Parse(tokenStr, func(tok *jwt.Token) (any, error) {
+		if tok.Method.Alg() != method.Alg() {
+			return nil, fmt.Errorf("unexpected signing method")
+		}
+		return key, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	// check validity twice: invalid token may return nil error
+	if !t.Valid {
+		return nil, fmt.Errorf("invalid token")
+	}
+	return t.Claims, nil
+}

internal/jwt/service.go

@@ -0,0 +1,48 @@
+package jwt
+
+import (
+	"maps"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+)
+
+type Service struct {
+	signer Signer
+}
+
+func NewService(signer Signer) *Service {
+	return &Service{
+		signer: signer,
+	}
+}
+
+// Generate creates a new JWT token for a given user ID and
+// returns the token string along with its JTI(JWT IDentifier).
+func (s *Service) Generate(ttl time.Duration, extraClaims jwt.MapClaims) (string, string, error) {
+	jti := uuid.NewString()
+
+	claims := jwt.MapClaims{
+		"jti": jti,
+		"exp": time.Now().Add(ttl).Unix(),
+		"iat": time.Now().Unix(),
+	}
+	maps.Copy(claims, extraClaims)
+
+	token, err := s.signer.Sign(claims)
+	return token, jti, err
+}
+
+// Validate verifies the JWT token and extracts the claims and JTI(JWT IDentifier).
+// Returns claims, jti, and error if any.
+func (s *Service) Validate(token string) (jwt.MapClaims, string, error) {
+	claims, err := s.signer.Verify(token)
+	if err != nil {
+		return nil, "", err
+	}
+
+	jti := claims.(jwt.MapClaims)["jti"].(string)
+
+	return claims.(jwt.MapClaims), jti, nil
+}

internal/jwt/signer.go

@@ -0,0 +1,8 @@
+package jwt
+
+import "github.com/golang-jwt/jwt/v5"
+
+type Signer interface {
+	Sign(claims jwt.Claims) (string, error)
+	Verify(token string) (jwt.Claims, error)
+}

internal/jwt/signer_HS256.go

@@ -0,0 +1,20 @@
+package jwt
+
+import "github.com/golang-jwt/jwt/v5"
+
+type HMACSigner struct {
+	secret []byte
+}
+
+func NewHMACSigner(secret []byte) *HMACSigner {
+	return &HMACSigner{secret: secret}
+}
+
+func (s *HMACSigner) Sign(claims jwt.Claims) (string, error) {
+	t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return t.SignedString(s.secret)
+}
+
+func (s *HMACSigner) Verify(tokenStr string) (jwt.Claims, error) {
+	return Parse(tokenStr, jwt.SigningMethodHS256, s.secret)
+}

internal/server/error.go

@@ -0,0 +1,20 @@
+package server
+
+import (
+	"encoding/json"
+	"net/http"
+)
+
+type ErrorResponse struct {
+	Error   string `json:"error"`
+	Details string `json:"details,omitempty"`
+}
+
+func WriteError(w http.ResponseWriter, error, details string, statusCode int) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(statusCode)
+	json.NewEncoder(w).Encode(ErrorResponse{
+		Error:   error,
+		Details: details,
+	})
+}

internal/server/notimpl.go

@@ -0,0 +1,7 @@
+package server
+
+import "net/http"
+
+func NotImplemented(w http.ResponseWriter) {
+	http.Error(w, "Not implemented", http.StatusNotImplemented)
+}

internal/token/service.go

@@ -0,0 +1,63 @@
+package token
+
+import (
+	"fmt"
+	"time"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+)
+
+type TokenStore interface {
+	revoke(tokenID string, expiresAt time.Time) error
+	isRevoked(tokenID string) (bool, error)
+
+	init() error
+}
+
+type Service struct {
+	initialized bool
+
+	cfg   *config.Auth
+	store TokenStore
+}
+
+func NewTokenService(cfg *config.Auth, store TokenStore) (*Service, error) {
+	if store == nil {
+		return nil, fmt.Errorf("store is nil")
+	}
+	if cfg == nil {
+		return nil, fmt.Errorf("config is nil")
+	}
+	return &Service{cfg: cfg, store: store}, nil
+}
+
+func (s *Service) isInitialized() bool {
+	return s.initialized
+}
+
+func (s *Service) Init() error {
+	if s.isInitialized() {
+		return nil
+	}
+
+	err := s.store.init()
+	if err != nil {
+		return fmt.Errorf("failed to initialize token store: %w", err)
+	}
+
+	s.initialized = true
+	return nil
+}
+
+func (s *Service) Revoke(jti string, exp time.Time) error {
+	return s.store.revoke(jti, exp)
+}
+
+func (s *Service) RevokeByRefreshDefault(jti string) error {
+	expiryTime := time.Now().Add(-time.Duration(s.cfg.RefreshTokenTTL))
+	return s.store.revoke(jti, expiryTime)
+}
+
+func (s *Service) IsRevoked(jti string) (bool, error) {
+	return s.store.isRevoked(jti)
+}

internal/token/store_sqlite.go

@@ -0,0 +1,55 @@
+package token
+
+import (
+	"fmt"
+	"time"
+
+	"gorm.io/gorm"
+)
+
+type SQLiteTokenStore struct {
+	db *gorm.DB
+}
+
+type Token struct {
+	TokenID    string    `gorm:"primaryKey"`
+	UserID     int64     `gorm:"index"`
+	Expiration time.Time `gorm:"index"`
+}
+
+// NewSQLiteTokenStore creates a new SQLiteTokenStore with the given GORM DB instance.
+// Actually can be used for any GORM-supported database.
+func NewSQLiteTokenStore(db *gorm.DB) (*SQLiteTokenStore, error) {
+	if db == nil {
+		return nil, fmt.Errorf("db is nil")
+	}
+	return &SQLiteTokenStore{
+		db: db,
+	}, nil
+}
+
+func (s *SQLiteTokenStore) revoke(tokenID string, expiresAt time.Time) error {
+	return s.db.Create(&Token{
+		TokenID:    tokenID,
+		Expiration: expiresAt,
+	}).Error
+}
+
+func (s *SQLiteTokenStore) isRevoked(tokenID string) (bool, error) {
+	var count int64
+	err := s.db.Model(&Token{}).Where("token_id = ?", tokenID).Count(&count).Error
+	if err != nil {
+		return false, err
+	}
+	return count > 0, nil
+}
+
+func (s *SQLiteTokenStore) init() error {
+	// AutoMigrate models
+	err := s.db.AutoMigrate(&Token{})
+	if err != nil {
+		return fmt.Errorf("failed to migrate Token model: %w", err)
+	}
+
+	return nil
+}

internal/token/store_sqlite_test.go

@@ -0,0 +1,71 @@
+package token
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+func setupTestDB(t *testing.T) *gorm.DB {
+	t.Helper()
+
+	dbPath := filepath.Join("testdata", "tokens.db")
+
+	_ = os.Remove(dbPath)
+
+	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+	if err != nil {
+		t.Fatalf("failed to open db: %v", err)
+	}
+
+	if err := db.AutoMigrate(&Token{}); err != nil {
+		t.Fatalf("failed to migrate: %v", err)
+	}
+
+	return db
+}
+
+func TestSQLiteTokenStore_RevokeAndCheck(t *testing.T) {
+	db := setupTestDB(t)
+
+	store, err := NewSQLiteTokenStore(db)
+	if err != nil {
+		t.Fatalf("failed to create store: %v", err)
+	}
+
+	cfg := &config.Auth{
+		RefreshTokenTTL: 24 * time.Hour,
+	}
+	service, err := NewTokenService(cfg, store)
+	if err != nil {
+		t.Fatalf("failed to create service: %v", err)
+	}
+
+	jti := "test-token-123"
+	exp := time.Now().Add(time.Hour)
+
+	revoked, err := service.IsRevoked(jti)
+	if err != nil {
+		t.Fatalf("isRevoked failed: %v", err)
+	}
+	if revoked {
+		t.Fatalf("token should NOT be revoked initially")
+	}
+
+	if err := service.Revoke(jti, exp); err != nil {
+		t.Fatalf("revoke failed: %v", err)
+	}
+
+	revoked, err = service.IsRevoked(jti)
+	if err != nil {
+		t.Fatalf("isRevoked failed: %v", err)
+	}
+	if !revoked {
+		t.Fatalf("token should be revoked")
+	}
+}

internal/user/errors.go

@@ -0,0 +1,7 @@
+package user
+
+import "fmt"
+
+var (
+	ErrUserNotFound = fmt.Errorf("user not found")
+)

internal/user/gorm_store.go

@@ -0,0 +1,55 @@
+package user
+
+import (
+	"fmt"
+
+	"gorm.io/gorm"
+)
+
+type GormUserStore struct {
+	db *gorm.DB
+}
+
+func NewGormUserStore(db *gorm.DB) (*GormUserStore, error) {
+	if db == nil {
+		return nil, fmt.Errorf("db is nil")
+	}
+	return &GormUserStore{
+		db: db,
+	}, nil
+}
+
+func (s *GormUserStore) Create(user *User) error {
+	return s.db.Create(user).Error
+}
+
+// Search returns a user by username or id or email
+func (s *GormUserStore) GetBy(by, value string) (*User, error) {
+	if by != "username" && by != "id" && by != "email" {
+		return nil, fmt.Errorf("unsuppored field %s", by)
+	}
+	var user User
+	err := s.db.Where(fmt.Sprintf("%s = ?", by), value).First(&user).Error
+	if err != nil {
+		return nil, err
+	}
+	return &user, nil
+}
+
+func (s *GormUserStore) Update(user *User) error {
+	return s.db.Save(user).Error
+}
+
+func (s *GormUserStore) Delete(id int64) error {
+	return s.db.Delete(&User{}, id).Error
+}
+
+func (s *GormUserStore) init() error {
+	// AutoMigrate models
+	err := s.db.AutoMigrate(&User{})
+	if err != nil {
+		return fmt.Errorf("failed to migrate User model: %w", err)
+	}
+
+	return nil
+}

internal/user/model.go

@@ -0,0 +1,13 @@
+package user
+
+import (
+	"gorm.io/gorm"
+)
+
+type User struct {
+	ID        uint           `gorm:"primaryKey"`
+	Username  string         `gorm:"uniqueIndex;not null"`
+	Email     string         `gorm:"uniqueIndex;not null"`
+	Password  string         `gorm:"not null"`
+	DeletedAt gorm.DeletedAt `gorm:"index"`
+}

internal/user/service.go

@@ -0,0 +1,64 @@
+package user
+
+import "fmt"
+
+type Service struct {
+	initialized bool
+
+	store UserCRUD
+}
+
+func NewService(store UserCRUD) (*Service, error) {
+	if store == nil {
+		return nil, fmt.Errorf("store is nil")
+	}
+	return &Service{
+		store: store,
+	}, nil
+}
+
+func (s *Service) isInitialized() bool {
+	return s.initialized
+}
+
+func (s *Service) Init() error {
+	if s.isInitialized() {
+		return nil
+	}
+
+	err := s.store.init()
+	if err != nil {
+		return fmt.Errorf("failed to initialize user store: %w", err)
+	}
+
+	s.initialized = true
+	return nil
+}
+
+func (s *Service) Create(user *User) error {
+	if !s.isInitialized() {
+		return fmt.Errorf("user service is not initialized")
+	}
+	return s.store.Create(user)
+}
+
+func (s *Service) GetBy(by, value string) (*User, error) {
+	if !s.isInitialized() {
+		return nil, fmt.Errorf("user service is not initialized")
+	}
+	return s.store.GetBy(by, value)
+}
+
+func (s *Service) Update(user *User) error {
+	if !s.isInitialized() {
+		return fmt.Errorf("user service is not initialized")
+	}
+	return s.store.Update(user)
+}
+
+func (s *Service) Delete(id int64) error {
+	if !s.isInitialized() {
+		return fmt.Errorf("user service is not initialized")
+	}
+	return s.store.Delete(id)
+}

internal/user/store.go

@@ -0,0 +1,10 @@
+package user
+
+type UserCRUD interface {
+	Create(user *User) error
+	GetBy(by, value string) (*User, error)
+	Update(user *User) error
+	Delete(id int64) error
+
+	init() error
+}

internal/user/user_test.go

@@ -0,0 +1,86 @@
+package user
+
+// DEPRECATED TEST FILE
+
+// import (
+// 	"os"
+// 	"path/filepath"
+// 	"testing"
+
+// 	"gorm.io/driver/sqlite"
+// 	"gorm.io/gorm"
+// )
+
+// func setupTestDB(t *testing.T) *gorm.DB {
+// 	t.Helper()
+
+// 	dbPath := filepath.Join("testdata", "users.db")
+
+// 	_ = os.Remove(dbPath)
+
+// 	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+// 	if err != nil {
+// 		t.Fatalf("failed to open db: %v", err)
+// 	}
+
+// 	if err := db.AutoMigrate(&User{}); err != nil {
+// 		t.Fatalf("failed to migrate: %v", err)
+// 	}
+
+// 	return db
+// }
+
+// func TestUsersCRUD(t *testing.T) {
+// 	db := setupTestDB(t)
+
+// 	store, err := NewGormUserStore(db)
+// 	if err != nil {
+// 		t.Fatalf("failed to create store: %v", err)
+// 	}
+
+// 	service, err := NewService(store)
+// 	if err != nil {
+// 		t.Fatalf("failed to create service: %v", err)
+// 	}
+
+// 	user := &User{
+// 		Username: "testuser",
+// 		Email:    "test@example.com",
+// 		Password: "password123",
+// 	}
+
+// 	if err := service.Create(user); err != nil {
+// 		t.Fatalf("failed to create user: %v", err)
+// 	}
+// 	// retrieved, err := service.GetByID(user.ID)
+// 	// if err != nil {
+// 	// 	t.Fatalf("failed to get user by ID: %v", err)
+// 	// }
+// 	// if retrieved.Username != user.Username {
+// 	// 	t.Fatalf("expected username %s, got %s", user.Username, retrieved.Username)
+// 	// }
+
+// 	// retrievedByUsername, err := service.GetByUsername(user.Username)
+// 	// if err != nil {
+// 	// 	t.Fatalf("failed to get user by username: %v", err)
+// 	// }
+// 	// if retrievedByUsername.Email != user.Email {
+// 	// 	t.Fatalf("expected email %s, got %s", user.Email, retrievedByUsername.Email)
+// 	// }
+
+// 	// user.Email = "newemail@example.com"
+// 	// if err := service.Update(user); err != nil {
+// 	// 	t.Fatalf("failed to update user: %v", err)
+// 	// }
+// 	// retrieved, err = service.GetByID(user.ID)
+// 	// if err != nil {
+// 	// 	t.Fatalf("failed to get user by ID: %v", err)
+// 	// }
+// 	// if retrieved.Email != user.Email {
+// 	// 	t.Fatalf("expected email %s, got %s", user.Email, retrieved.Email)
+// 	// }
+// 	err = service.Delete(user.ID)
+// 	if err != nil {
+// 		t.Fatalf("failed to delete user: %v", err)
+// 	}
+// }

main.go

@@ -1,3 +1,6 @@
+// The main file only starts cobra
+
+// Copyright 2025 TriggerSmith Labs. All rights reserved.
 package main
 
 import (

static/base/css/style.css

@@ -0,0 +1,173 @@
+body {
+  font-family: system-ui, sans-serif;
+  margin: 0;
+  display: flex;
+  flex-direction: column;
+  min-height: 100vh;
+}
+
+header {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  background: #333;
+  color: white;
+  padding: 10px 15px;
+  position: relative;
+}
+
+footer {
+  background: #333;
+  color: white;
+  text-align: center;
+  padding: 10px;
+}
+
+main {
+  flex: 1;
+  padding: 20px;
+  max-width: 1000px;
+  margin: 0 auto;
+}
+
+/* навигация */
+nav ul {
+  list-style: none;
+  display: flex;
+  gap: 20px;
+  margin: 0;
+  padding: 0;
+}
+
+nav a {
+  color: white;
+  text-decoration: none;
+  font-weight: 500;
+}
+
+nav a:hover {
+  text-decoration: underline;
+}
+
+/* бургер */
+.burger {
+  display: none;
+  flex-direction: column;
+  justify-content: center;
+  gap: 5px;
+  width: 30px;
+  height: 25px;
+  background: none;
+  border: none;
+  cursor: pointer;
+}
+
+.burger span {
+  display: block;
+  height: 3px;
+  width: 100%;
+  background: white;
+  border-radius: 2px;
+  transition: 0.3s;
+}
+
+.burger.active span:nth-child(1) {
+  transform: translateY(8px) rotate(45deg);
+}
+
+.burger.active span:nth-child(2) {
+  opacity: 0;
+}
+
+.burger.active span:nth-child(3) {
+  transform: translateY(-8px) rotate(-45deg);
+}
+
+/* сетка */
+.grid-3 {
+  display: grid;
+  grid-template-columns: 15% 70% 15%;
+  gap: 20px;
+  margin-top: 20px;
+}
+
+.grid-block {
+  background: #f5f5f5;
+  padding: 15px;
+  border-radius: 10px;
+  box-shadow: 0 2px 5px rgba(0,0,0,0.1);
+}
+  /* Полупрозрачный фон */
+  .overlay {
+    position: fixed;
+    top: 0;
+    left: 0;
+    width: 100%;
+    height: 100%;
+    background: rgba(0,0,0,0.5);
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    z-index: 1000;
+  }
+
+  /* Окна */
+/* Message */
+.window-popup { width:400px; height:150px; background:#fff; border-radius:10px; display:flex; flex-direction:column; justify-content:center; align-items:center; padding:20px; box-shadow:0 0 10px rgba(0,0,0,0.3); }
+.window-popup button { margin-top:20px; padding:5px 10px; cursor:pointer; }
+
+/* Menu */
+.window-menu { position:absolute; background:#fff; border-radius:10px; border:1px solid rgba(0,0,0,0.12); box-shadow:0 6px 18px rgba(0,0,0,0.12); min-width:160px; z-index:9999; overflow:hidden; }
+.window-item { padding:8px 12px; cursor:pointer; white-space:nowrap; font-size:14px; }
+.window-item:hover { background:rgba(0,0,0,0.04); }
+
+/* File */
+.window-panel { width:420px; background:#f0f0f0; border:1px solid #888; border-radius:10px; box-shadow:0 0 12px rgba(0,0,0,0.4); position:fixed; top:50%; left:50%; transform:translate(-50%,-50%); user-select:none; display:flex; flex-direction:column; }
+.window-header { background:#f0f0f0; padding:10px; font-size:16px; font-weight:600; border-bottom:1px solid #aaa; cursor:move; }
+.window-tabs { display:flex; border-bottom:1px solid #aaa; background:#f0f0f0; }
+.window-tab { padding:8px 14px; cursor:pointer; border-right:1px solid #aaa; user-select:none; }
+.window-tab.active { background:#fff; font-weight:600; border-bottom:2px solid #fff; }
+.window-content { display:none; padding:15px; background:#fff; }
+.window-content.active { display:block; }
+.window-row { display:flex; justify-content:space-between; margin-bottom:8px; font-size:14px; }
+.window-buttons { display:flex; justify-content:flex-end; padding:10px; gap:8px; border-top:1px solid #aaa; background:#f0f0f0; }
+.window-buttons button { padding:6px 16px; cursor:pointer; }
+
+/* адаптив */
+@media (max-width: 425px) {
+  .grid-3 {
+    grid-template-columns: 1fr;
+  }
+
+  .burger {
+    display: flex;
+  }
+
+  nav {
+    position: absolute;
+    top: 100%;
+    left: 0;
+    width: 100%;
+    background: #222;
+    display: none;
+    flex-direction: column;
+    text-align: center;
+    padding: 10px 0;
+    z-index: 10;
+  }
+
+  nav.open {
+    display: flex;
+    animation: slideDown 0.3s ease;
+  }
+
+  nav ul {
+    flex-direction: column;
+    gap: 10px;
+  }
+
+  @keyframes slideDown {
+    from { opacity: 0; transform: translateY(-10px); }
+    to { opacity: 1; transform: translateY(0); }
+  }
+}

static/base/js/app.js

@@ -0,0 +1,292 @@
+/***********************************************************************
+ *  ГЛОБАЛЬНОЕ СОСТОЯНИЕ
+ **********************************************************************/
+let accessToken = null;   // access-token хранится только в памяти (без localStorage)
+/***********************************************************************
+ *  sendRequest УНИВЕРСАЛЬНАЯ ФУНКЦИЯ ДЛЯ ОТПРАВКИ HTTP-ЗАПРОСОВ
+ *
+ *  sendRequest(url, options)
+ *  - автоматически добавляет Content-Type и credentials
+ *  - автоматически превращает body в JSON
+ *  - проверяет response.ok
+ *  - пробрасывает текст ошибки
+ *  - возвращает JSON-ответ
+ **********************************************************************/
+//let accessToken = ""; // access только в памяти
+
+async function apiProtected(path, options = {}) {
+    const send = async () =>
+        fetch(path, {
+            ...options,
+            headers: {
+                ...(options.headers || {}),
+                Authorization: "Bearer " + accessToken,
+                "Content-Type": "application/json"
+            }
+        });
+
+    let r = await send();
+
+    if ((r.status === 401)) {
+        // обновляем access
+        const rr = await fetch("/api/users/refresh", {
+            method: "POST",
+            credentials: "include"
+        });
+
+        if (!rr.ok) throw "refresh failed";
+
+        const j = await rr.json();
+        accessToken = j.access_token;
+
+        r = await send();
+    }
+
+    if (!r.ok) throw await r.text();
+    return r.json();
+}
+
+
+async function sendRequest(url, options = {}) {
+    // Базовые параметры
+    const defaultOptions = {
+        headers: { "Content-Type": "application/json" },
+        credentials: "include"
+    };
+
+    // Объединяем настройки
+    const finalOptions = {
+        ...defaultOptions,
+        ...options,
+        headers: { ...defaultOptions.headers, ...(options.headers || {}) }
+    };
+
+    // Если тело — объект, превращаем в JSON
+    if (finalOptions.body && typeof finalOptions.body === "object") {
+        finalOptions.body = JSON.stringify(finalOptions.body);
+    }
+
+    let response;
+    try {
+        response = await fetch(url, finalOptions);
+    } catch (err) {
+        // Сетевые ошибки (сервер не доступен, нет интернета, CORS и т.д.)
+        return {
+            ok: false,
+            status: 0,
+            data: err.toString()
+        };
+    }
+
+    // Читаем тело ответа только один раз
+    let text = await response.text();
+    let data;
+    try {
+        data = JSON.parse(text);
+    } catch {
+        data = text;
+    }
+
+    return {
+        ok: response.ok,
+        status: response.status,
+        data
+    };
+}
+
+
+
+/********************************************************************
+ * loadMenu функция загрузки блока меню страницы в формате Markdown *
+ ********************************************************************/
+async function loadMenu() {
+     await loadBlock("menu/top1", "header");
+}
+/********************************************************************
+ * loadPage функция загрузки блока страницы в формате Markdown      *
+ ********************************************************************/
+ async function loadPage(path) {
+     await loadBlock(path, "content");
+ }
+
+/********************************************************************
+ * loadMdScript функция загрузки Markdown библиотеки                *
+ ********************************************************************/
+ function loadMdScript(src) {
+    return new Promise((resolve, reject) => {
+        const script = document.createElement('script');
+        script.src = src;
+        script.defer = true;
+        script.onload = () => resolve();
+        script.onerror = () => reject(new Error(`Failed to load script: ${src}`));
+        document.head.appendChild(script);
+    });
+}
+
+/********************************************************************
+ * loadBlock функция загрузки блока в формате Markdown              *
+ ********************************************************************/
+async function loadBlock(path, block_Name) {
+    const container = document.getElementById(block_Name);
+if (!container) {
+    //console.warn(`loadBlock: контейнер #${block_Name} не найден — игнорируем`);
+    return;
+}
+    path = path.replace(/\/$/, "");
+    //console.log(path);
+    if (!container) {
+        console.error(`loadBlock ERROR: element #${block_Name} not found`);
+        return;
+    }
+    const blockName = path === "pages" ? "pages/home" : path;
+    //console.log(blockName);
+    try {
+        container.innerHTML = '';
+        document.querySelectorAll('style[data-dynamic], script[data-dynamic]').forEach(el => {
+            const name = el.getAttribute('data-dynamic');
+            if (name === block_Name || !document.getElementById(name)) {
+                el.remove();
+            }
+        });
+        const response = await sendRequest(`/api/block/${blockName}`);
+        if (!response.ok) {
+            throw new Error(`Failed to load block: ${response.status}`);
+        }
+
+        // Динамически подгружаем markdown-it, если он ещё не загружен
+        if (!window.markdownit) {
+            await loadMdScript('/static/js/markdown-it.min.js');
+        }
+
+        const { content: mdContent, css, js } = response.data;
+       // Преобразуем markdown в HTML
+        if (mdContent) {
+            const md = window.markdownit({ html: true, linkify: true, typographer: true });
+            container.innerHTML = md.render(mdContent);
+        }
+        if (css) {
+            const style = document.createElement('style');
+            style.dataset.dynamic = block_Name;
+            style.textContent = css;
+            document.head.appendChild(style);
+        }
+        if (js) {
+            const script = document.createElement('script');
+            script.dataset.dynamic = block_Name;
+            script.textContent = `
+                (() => {
+                    try {
+                        ${js}
+                        if (typeof pageInit === "function") pageInit();
+                    } catch (e) {
+                        console.error("Block script error:", e);
+                    }
+                })();
+            `;
+            document.body.appendChild(script);
+        }
+    } catch (err) {
+        console.error(err);
+        container.innerHTML = "<h2>блок не найден</h2>";
+    }
+}
+
+// SPA-навигация
+function navigateTo(url, target) {
+    const clean = url.replace(/^\//, "");
+    history.pushState({}, "", "/" + clean);
+    loadBlock("pages/" + clean, target);
+}
+
+// Поддержка кнопки "назад/вперед"
+window.addEventListener("popstate", () => {loadBlock(location.pathname);});
+// Обработка истории браузера
+window.addEventListener("popstate", () => loadBlock(window.location.pathname));
+// Инициализация после загрузки DOM
+window.onload = async function ()  {
+    let url = window.location.href;
+   // Убираем слеш в конце, если он есть
+    if (url.endsWith("/")) {
+        url = url.slice(0, -1);
+        // Меняем URL в адресной строке без перезагрузки страницы
+        window.history.replaceState(null, "", url);
+    }
+    //console.assert("читаем меню")
+    await loadMenu();
+    await loadPage("pages"+window.location.pathname);
+};
+// Перехватчик ссылок
+window.addEventListener("click", (event) => {
+    const a = event.target.closest("a");
+    if (!a) return;
+
+    const href = a.getAttribute("href");
+
+    // игнорируем внешние ссылки и mailto:
+    if (!href || href.startsWith("http") || href.startsWith("mailto:")) return;
+    const target = a.dataset.target || "content"; // default = content
+    event.preventDefault();
+    navigateTo(href, target);
+});
+
+//popup
+  function popup(message, afterClose){
+    // Создаём overlay
+    const overlay = document.createElement('div');
+    overlay.className = 'overlay';
+    // Создаём popup
+    const popup = document.createElement('div');
+    popup.className = 'popup';
+    // Добавляем текст
+    const text = document.createElement('div');
+    text.textContent = message;
+    // Добавляем кнопку закрытия
+    const closeBtn = document.createElement('button');
+    closeBtn.textContent = 'Закрыть';
+    closeBtn.addEventListener('click', () => {
+      overlay.remove();
+          if (typeof afterClose === 'function') {
+      afterClose();   // ← ВАША ФУНКЦИЯ ПОСЛЕ ЗАКРЫТИЯ
+    }
+    });
+  }
+//popupMenu
+  function popupMenu(message, afterClose){
+    // Создаём popupMenu
+    const popupMenu = document.createElement('div');
+    popup.className = 'popup_Menu';
+    // Добавляем текст
+    const text = document.createElement('div');
+    text.textContent = message;
+    // Добавляем кнопку закрытия
+    const closeBtn = document.createElement('button');
+    closeBtn.textContent = 'Закрыть';
+    closeBtn.addEventListener('click', () => {
+      overlay.remove();
+          if (typeof afterClose === 'function') {
+      afterClose();   // ← ВАША ФУНКЦИЯ ПОСЛЕ ЗАКРЫТИЯ
+    }
+    });
+
+    popup.appendChild(text);
+    popup.appendChild(closeBtn);
+    overlay.appendChild(popup);
+    document.body.appendChild(overlay);
+  };
+
+  /* ------------------- Переключение видимости пароля ------------------- */
+
+document.addEventListener("click", (e) => {
+    if (!e.target.classList.contains("toggle-pass")) return;
+//console.log("toggle");
+    const input = e.target.previousElementSibling;
+    if (!input) return;
+
+    if (input.type === "password") {
+        input.type = "text";
+        e.target.textContent = "🙈";
+    } else {
+        input.type = "password";
+        e.target.textContent = "👁";
+    }
+});

static/base/main.html

@@ -0,0 +1,24 @@
+
+<!DOCTYPE html>
+<html lang="ru">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <base href="/">   
+  <link rel="icon" type="image/png" href="/static/img/favicon.png">
+  <title>JWT SPA project</title>
+  <link rel="stylesheet" href="/static/css/style.css">
+  <script defer src="/static/js/app.js"></script>
+</head>
+<body id="body">
+  <header>
+    <div id="header"></div>
+  </header>
+
+  <main id="content"></main>
+
+  <footer>
+    <p>© 2025 Go Markdown SPA</p>
+  </footer>
+</body>
+</html>

static/blocks/menu/top1/content.md

@@ -0,0 +1,21 @@
+<button id="burger" class="burger" aria-label="Меню">
+    <span></span>
+    <span></span>
+    <span></span>
+</button>
+<nav id="nav">
+    <ul>
+        <li><a href="/" data-link="true" data-target="content">Главная</a></li>
+        <li><a href="/about" data-link="true" data-target="content">О нас</a></li>
+        <li><a href="/about copy" data-link="true" data-target="content">О нас 2</a></li>
+        <li><a href="/functions" data-link="true" data-target="content">Функции</a></li>
+        <li><a href="/contact" data-link="true" data-target="content">Контакты</a></li>
+        <li><a href="/fManager" data-link="true" data-target="content">Файловый менеджер</a></li>
+        <li><a href="/users" data-link="true" data-target="content">Юзер</a></li>
+        <li><a href="/login" data-link="true" data-target="content">Вход</a></li>
+        <li><a href="/userSlava" data-link="true" data-target="content">Слава</a></li>
+        <li><a href="/gpt" data-link="true" data-target="content">GPT</a></li>
+        <li><a href="/ACL" data-link="true" data-target="content">ACL</a></li>
+        <li><a href="/userSlava/popup" data-link="true" data-target="content">Сообщения popup</a></li>
+    </ul>
+</nav>

static/blocks/menu/top1/script.js

@@ -0,0 +1,42 @@
+// /*************************************************
+//  * toggleMenu функция открытия/закрытия меню
+//  *************************************************/
+// function toggleMenu() {
+//   const burger = document.getElementById("burger");
+//   const nav = document.getElementById("nav");
+//   burger.classList.toggle("active");
+//   nav.classList.toggle("open");
+// }
+// /*************************************************
+//  * closeMenu функция закрытия меню
+//  *************************************************/
+// function closeMenu() {
+//   document.getElementById("burger").classList.remove("active");
+//   document.getElementById("nav").classList.remove("open");
+// }
+
+/*************************************************************************
+ * pageInit функция автозапуска скриптов, после подгрузки на страницу    *
+ *************************************************************************/
+function pageInit() {
+ const burger = document.getElementById("burger");
+ // Добавляем обработчик клика
+ burger.addEventListener("click", toggleMenu);
+}
+/*************************************************
+ * toggleMenu функция открытия/закрытия меню
+ *************************************************/
+function toggleMenu() {
+  const burger = document.getElementById("burger");
+  const nav = document.getElementById("nav");
+  burger.classList.toggle("active");
+  nav.classList.toggle("open");
+}
+/*************************************************
+ * closeMenu функция закрытия меню
+ *************************************************/
+function closeMenu() {
+  document.getElementById("burger").classList.remove("active");
+  document.getElementById("nav").classList.remove("open");
+}
+

static/blocks/menu/top1/style.css

@@ -0,0 +1,90 @@
+ /* навигация
+nav ul {
+  list-style: none;
+  display: flex;
+  gap: 20px;
+  margin: 0;
+  padding: 0;
+}
+
+nav a {
+  color: white;
+  text-decoration: none;
+  font-weight: 500;
+}
+
+nav a:hover {
+  text-decoration: underline;
+}
+
+/* бургер */
+/*
+.burger {
+  display: none;
+  flex-direction: column;
+  justify-content: center;
+  gap: 5px;
+  width: 30px;
+  height: 25px;
+  background: none;
+  border: none;
+  cursor: pointer;
+}
+
+.burger span {
+  display: block;
+  height: 3px;
+  width: 100%;
+  background: white;
+  border-radius: 2px;
+  transition: 0.3s;
+}
+
+.burger.active span:nth-child(1) {
+  transform: translateY(8px) rotate(45deg);
+}
+
+.burger.active span:nth-child(2) {
+  opacity: 0;
+}
+
+.burger.active span:nth-child(3) {
+  transform: translateY(-8px) rotate(-45deg);
+}
+*/
+ /* адаптив */
+ /*
+@media (max-width: 425px) {
+
+  .burger {
+    display: flex;
+  }
+
+  nav {
+    position: absolute;
+    top: 100%;
+    left: 0;
+    width: 100%;
+    background: #222;
+    display: none;
+    flex-direction: column;
+    text-align: center;
+    padding: 10px 0;
+    z-index: 10;
+  }
+
+  nav.open {
+    display: flex;
+    animation: slideDown 0.3s ease;
+  }
+
+  nav ul {
+    flex-direction: column;
+    gap: 10px;
+  }
+
+  @keyframes slideDown {
+    from { opacity: 0; transform: translateY(-10px); }
+    to { opacity: 1; transform: translateY(0); }
+  }
+} */

static/blocks/pages/ACL/content.md

@@ -0,0 +1,23 @@
+# Панель администратора ACL
+
+## Создать роль
+
+<input id="roleName" placeholder="имя роли" />
+<button onclick="createRole()">Создавать</button>
+
+## Создать разрешение
+
+<input id="permKey" placeholder="ключ разрешения" />
+<button onclick="createPerm()">Создавать</button>
+
+## Назначить разрешение роли
+
+<input id="roleIdPerm" placeholder="идентификатор роли" />
+<input id="permIdRole" placeholder="идентификатор разрешения" />
+<button onclick="assignPermission()">Назначать</button>
+
+## Назначить роль пользователю
+
+<input id="roleIdUser" placeholder="идентификатор роли" />
+<input id="userIdRole" placeholder="идентификатор пользователя" />
+<button onclick="assignRole()">Назначать</button>

static/blocks/pages/ACL/script.js

@@ -0,0 +1,27 @@
+const api = (url, data, m) => fetch(url, {
+method: m,
+headers: { "Content-Type": "application/json" },
+body: JSON.stringify(data)
+}).then(r => r.text());
+
+
+
+
+function createRole() {
+api('/api/acl-admin/create-role', { name: roleName.value }, "POST").then(alert);
+}
+function createPerm() {
+api('/api/acl-admin/create-permission', { name: permKey.value }, "POST").then(alert);
+}
+function assignPermission() {
+api('/api/acl-admin/assign-permission', {
+role_id: Number(roleIdPerm.value),
+perm_id: Number(permIdRole.value)
+}, "POST").then(alert);
+}
+function assignRole() {
+api('/api/acl-admin/assign-role', {
+role_id: Number(roleIdUser.value),
+user_id: Number(userIdRole.value)
+}, "POST").then(alert);
+}

static/blocks/pages/ACL/style.css

@@ -0,0 +1,2 @@
+#app { background: white; padding: 20px; border-radius: 8px; max-width: 700px; }
+input, select, button { padding: 8px; margin: 4px 0; }

static/blocks/pages/about copy/content.md

@@ -0,0 +1,28 @@
+# О нашей команде
+
+Мы стремимся к тому, чтобы наш проект был простым, гибким и быстрым.  
+Ниже вы видите три блока информации, выровненные по горизонтали.
+
+<div class="grid-3">
+
+<div class="grid-block">
+<h3>Левая колонка</h3>
+<p>Здесь может быть навигация, цитата, боковая информация или полезные ссылки.</p>
+</div>
+
+<div class="grid-block">
+<h3>Центральный блок</h3>
+<p>Основной контент страницы. Здесь вы можете рассказать о компании, истории или услугах.</p>
+<p>Используйте разметку Markdown и HTML, чтобы сделать текст выразительным.</p>
+</div>
+
+<div class="grid-block">
+<h3>Правая колонка</h3>
+<p>Здесь могут быть контактные данные, баннеры или дополнительные ссылки.</p>
+</div>
+
+</div>
+
+---
+
+Блоки выравниваются по сетке `15% 70% 15%` и адаптируются под ширину контейнера.

static/blocks/pages/about/content.md

@@ -0,0 +1,28 @@
+# О нашей команде
+
+Мы стремимся к тому, чтобы наш проект был простым, гибким и быстрым.  
+Ниже вы видите три блока информации, выровненные по горизонтали.
+
+<div class="grid-3">
+
+<div class="grid-block">
+<h3>Левая колонка</h3>
+<p>Здесь может быть навигация, цитата, боковая информация или полезные ссылки.</p>
+</div>
+
+<div class="grid-block">
+<h3>Центральный блок</h3>
+<p>Основной контент страницы. Здесь вы можете рассказать о компании, истории или услугах.</p>
+<p>Используйте разметку Markdown и HTML, чтобы сделать текст выразительным.</p>
+</div>
+
+<div class="grid-block">
+<h3>Правая колонка</h3>
+<p>Здесь могут быть контактные данные, баннеры или дополнительные ссылки.</p>
+</div>
+
+</div>
+
+---
+
+Блоки выравниваются по сетке `15% 70% 15%` и адаптируются под ширину контейнера.

static/blocks/pages/contact/content.md

@@ -0,0 +1,6 @@
+# Контакты
+
+Свяжитесь с нами:
+
+- 📧 **contact@example.com**
+- 🌐 [example.com](https://example.com)

static/blocks/pages/fManager/content.md

@@ -0,0 +1,3 @@
+<input type="text" id="messageInput" placeholder="Введите сообщение">
+<button id="showPopupBtn">Показать Popup</button></br>
+<button id="showfManagerBtn">Открыть файл-менеджер</button>

static/blocks/pages/fManager/script.js

@@ -0,0 +1,23 @@
+//loadBlock("plugin/fManager", "content");
+
+showPopupBtn.addEventListener('click', () => {
+    popup(messageInput.value || 'Пустое сообщение');});
+
+showfManagerBtn.addEventListener('click', () => {
+    const div = document.createElement("div");
+    div.id = "fManager";
+
+    document.body.appendChild(div);
+
+//     const testW = document.createElement('div');
+//     testW.id = 'test_W'
+//     testW.className = 'testWW';
+
+    loadBlock("plugin/fManager", "fManager");
+
+ });
+
+    /*
+const overlay = document.createElement('div');
+
+    */ 

static/blocks/pages/functions/content.md

@@ -0,0 +1,29 @@
+# Go Функции
+
+### Доступные Функции:
+
+<div id="container">
+    <button id="bt_newFunc" class="all_button">Создать</button>
+    <div id="alternative">
+        <select id="functionList">
+            <option value="">— Выбери —</option>
+        </select>
+        <input id="newfunction" placeholder="Название функции" class="hidden" >
+    </div>
+    <button id="bt_save" class="all_button">Сохранить</button>
+    <button id="bt_delete" class="all_button">Удалить</button><br>
+
+</div>
+<label>Go Код:</label><br>
+
+<div id="codeWrapper">
+    <div id="lineNumbers"></div>
+    <div id="Wrapper"></div>
+    <textarea id="code"></textarea>
+</div><br>
+<button id="bt_compile" class="all_button">Компилировать</button>
+<button id="bt_run" class="all_button">Запустить</button><br>
+<label>Входные аргументы:</label><br>
+<input id="input" /><br>
+<label>Ответ сервера:</label><br>
+<div id="output"></div>

static/blocks/pages/functions/script.js

@@ -0,0 +1,168 @@
+let nameStringMod;
+let fCodeMod;
+// универсальный обработчик (вставка, ввод, удаление, drag-drop)
+function triggerUpdate() {
+    // вставка иногда происходит позже — даём браузеру завершить операцию
+    requestAnimationFrame(updateLineNumbers);
+}
+
+// ВСЕ события, которые могут менять текст
+code.addEventListener("input", triggerUpdate);
+code.addEventListener("change", triggerUpdate);
+code.addEventListener("keyup", triggerUpdate);
+code.addEventListener("paste", triggerUpdate);
+code.addEventListener("cut", triggerUpdate);
+code.addEventListener("drop", triggerUpdate);
+
+code.addEventListener("scroll", () => {
+    lineNumbers.scrollTop = code.scrollTop;
+});
+lineNumbers.addEventListener("scroll", () => {
+    code.scrollTop = lineNumbers.scrollTop;
+});
+
+updateLineNumbers();
+
+// ==================== ORIGINAL FUNCTIONS ====================
+async function loadSource(name) {
+    if (name != ""){
+        const res = await fetch("/api/functions/source/" + name);
+        if (!res.ok) {
+            code.value = "// source not found or binary only";
+            return;
+        }
+
+        const text = await res.text();
+        code.value = text;
+        } else {
+            code.value = "";    
+        }
+    // ВАЖНО: обновляем нумерацию после программной вставки
+    requestAnimationFrame(updateLineNumbers);
+
+}
+
+async function loadFunctions() {
+    const res = await fetch('/api/functions/list');
+    const list = await res.json();
+
+    //const sel = document.getElementById('functionList');
+    functionList.innerHTML = '<option value="">— select —</option>';
+
+//    Object.keys(list).forEach(name => {
+    list.forEach(name => {
+        const opt = document.createElement('option');
+        opt.value = name;
+        opt.textContent = name;
+        functionList.appendChild(opt);
+    });
+}
+
+function newf() {
+    if (functionList.className == 'hidden'){
+        functionList.classList.remove('hidden');
+        newfunction.classList.add('hidden');
+        selectFunction();
+        bt_newFunc.innerText = 'Создать';
+    } else {
+        functionList.classList.add('hidden');
+        newfunction.classList.remove('hidden');
+        code.value = "";
+        newfunction.value = "";
+        bt_newFunc.innerText = 'Выбрать';
+    }
+    code.value = "";
+    updateLineNumbers();
+}
+
+function selectFunction() {
+    loadSource(functionList.value);
+    requestAnimationFrame(updateLineNumbers);
+}
+
+async function compile() {
+    if (functionList.value != ""){
+    const res = await fetch('/api/functions/compile', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            functionName: functionList.value,
+            goCode: code.value
+        })
+    });
+    output.textContent = await res.text();
+    }
+}
+
+async function savef() {
+    if (newfunction.className == "hidden"){
+//        console.log("open")
+        popup("old")
+    } else {
+//        console.log("new")
+//        await popup("new",() => {return;});
+        await popup("new");
+        return;
+        console.log("test")
+    }
+    if (newfunction.value != ""){
+    const res = await fetch('/api/functions/save', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+            functionName: newfunction.value,
+            goCode: code.value
+        })
+    });
+    output.textContent = await res.text();
+    }
+}
+
+async function run() {
+    const name = functionList.value;
+
+    const res = await fetch('/api/functions/run/' + name, {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ input: input.value })
+    });
+
+    output.textContent = await res.text();
+}
+
+function updateLineNumbers() {
+    const lines = code.value.split("\n").length;
+    let html = "";
+    for (let i = 1; i <= lines; i++) {
+        html += i + "<br>";
+    }
+    lineNumbers.innerHTML = html;
+}
+
+function btLoc(){
+    if (newfunction.value != ""){
+        //bt_newFunc.disabled = true;
+        nameStringMod = true;
+    } else {
+        //bt_newFunc.disabled = false
+        nameStringMod = false;
+    }
+}
+
+function codLoc(){
+        fCodeMod = true;
+        fCodeMod = false;
+}
+
+//bt_save.addEventListener("click", () => {const message = 'Пустое сообщение'; popup(message);});
+
+
+functionList.addEventListener("change", selectFunction);
+bt_newFunc.addEventListener("click", newf);
+bt_compile.addEventListener("click", compile);
+bt_run.addEventListener("click", run);
+bt_save.addEventListener("click", savef);
+newfunction.addEventListener("input", btLoc)
+code.addEventListener("input", codLoc)
+
+loadFunctions();

static/blocks/pages/functions/style.css

@@ -0,0 +1,30 @@
+textarea { width: 100%; height: 200px; }
+#codeWrapper {display: flex; width: 100%; position: relative; height: 300px; border: 1px solid #aaa; 
+    border-radius: 4px; overflow: hidden; margin-top: 10px;}
+#lineNumbers {width: 40px; background: #f0f0f0; padding-right: 5px; text-align: right; user-select: none; 
+    font-family: monospace; font-size: 12px; line-height: 1.2em; color: #555; border-right: 1px solid #ccc; 
+    overflow-y: hidden; overflow-x: hidden;}
+#code {width: 100%; margin-left: 5px; white-space: pre; overflow: auto; height: 100%; border: none; outline: none;              
+    resize: none; box-sizing: border-box; font-family: monospace; font-size: 12px; line-height: 1.2em; padding: 0;}
+#output {display: flex; width: 100%; position: relative; height: 100px; border: 1px solid #aaa; 
+    border-radius: 4px; overflow: hidden; margin-top: 10px;}
+#input { width: 100%; height: 20px; margin-bottom: 10px; margin-top: 10px; padding-top: 8px; padding-left: 0px;
+    padding-right: 0px; } 
+#container {display: flex; align-items: center; gap: 10px; height: 40px; margin-top: 10px; margin-bottom: 10px}
+#alternative {position: relative; width: 500px; height: 100%;}
+#functionList, #newfunction{box-sizing: border-box; font-size: 16px; padding: 5px;height: 100%;}
+#functionList, #newfunction {position: absolute; top: 0; left: 0; width: 100%; }
+/* #bt_newFunc{width: 90px;}  , #bt_newFunc, #bt_compile 
+#bt_run{height: 40px; width: 90px; margin-top: 10px; margin-bottom: 10px} */
+.hidden {display: none;}
+.all_button{height: 40px; width: 120px; margin-top: 10px; margin-bottom: 10px}
+  /* Полупрозрачный фон */
+.overlay {position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(0,0,0,0.5);
+    display: flex; justify-content: center; align-items: center; z-index: 1000;}
+  /* Центральный div */
+.popup {width: 400px; height: 150px; background: white; border-radius: 10px; display: flex;
+    flex-direction: column; justify-content: center; align-items: center; padding: 20px;
+    box-shadow: 0 0 10px rgba(0,0,0,0.3);}
+.popup button {margin-top: 20px; padding: 5px 10px;}
+
+

static/blocks/pages/gpt/content.md

@@ -0,0 +1,885 @@
+Вставь полноценный acl. Напиши пример реализации CanUserAccess() на SQLite. Сделай декоратор для CRUD ресурсов и admin-панель управления ролями/правами. Создай новые файлы и перепиши существующие.
+
+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+
+# Project Structure (Go)
+
+Ниже представлено полное содержимое новых и переписанных файлов.
+Используйте каждый раздел как отдельный файл.
+
+---
+
+## internal/acl/models.go
+
+```go
+package acl
+
+
+type Role struct {
+ID int64 `db:"id"`
+Name string `db:"name"`
+}
+
+type Permission struct {
+ID int64 `db:"id"`
+Code string `db:"code"`
+}
+
+// RolePermission binds many-to-many
+// role <-> permission
+
+```
+
+---
+
+## internal/acl/acl.go
+
+```go
+package acl
+
+import (
+    "database/sql"
+    "errors"
+)
+
+type ACL struct {
+    db *sql.DB
+}
+
+func New(db *sql.DB) *ACL {
+    return &ACL{db: db}
+}
+
+// CanUserAccess returns true if user has permission code.
+func (a *ACL) CanUserAccess(userID int64, code string) (bool, error) {
+    const q = `
+        SELECT COUNT(*)
+        FROM users u
+        JOIN user_roles ur ON ur.user_id = u.id
+        JOIN role_permissions rp ON rp.role_id = ur.role_id
+        JOIN permissions p ON p.id = rp.permission_id
+        WHERE u.id = ? AND p.code = ?
+    `
+    var cnt int
+    if err := a.db.QueryRow(q, userID, code).Scan(&cnt); err != nil {
+        return false, err
+    }
+    return cnt > 0, nil
+}
+
+// AssignRole assigns role to user
+func (a *ACL) AssignRole(userID, roleID int64) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO user_roles(user_id, role_id) VALUES(?, ?)`, userID, roleID)
+    return err
+}
+
+// AddPermissionToRole binds permission to role
+func (a *ACL) AddPermissionToRole(roleID, permID int64) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO role_permissions(role_id, permission_id) VALUES(?, ?)`, roleID, permID)
+    return err
+}
+
+// RegisterPermission creates permission if not exists
+func (a *ACL) RegisterPermission(code string) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO permissions(code) VALUES(?)`, code)
+    return err
+}
+```
+
+---
+
+## internal/acl/middleware.go
+
+```go
+package acl
+
+import (
+    "net/http"
+    "strconv"
+)
+
+// ACLMiddleware protects route by permission code
+func (a *ACL) ACLMiddleware(code string) func(http.Handler) http.Handler {
+    return func(next http.Handler) http.Handler {
+        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+            userIDStr := r.Header.Get("X-User-ID")
+            if userIDStr == "" {
+                http.Error(w, "Unauthenticated", http.StatusUnauthorized)
+                return
+            }
+            userID, _ := strconv.ParseInt(userIDStr, 10, 64)
+
+            ok, err := a.CanUserAccess(userID, code)
+            if err != nil || !ok {
+                http.Error(w, "Forbidden", http.StatusForbidden)
+                return
+            }
+            next.ServeHTTP(w, r)
+        })
+    }
+}
+```
+
+---
+
+## internal/acl/decorator.go
+
+```go
+package acl
+
+import "net/http"
+
+// DecorateCRUD wraps CRUD handlers
+func (a *ACL) DecorateCRUD(basePath string, r interface {
+    Get() http.HandlerFunc
+    List() http.HandlerFunc
+    Create() http.HandlerFunc
+    Update() http.HandlerFunc
+    Delete() http.HandlerFunc
+}) map[string]http.HandlerFunc {
+
+    return map[string]http.HandlerFunc{
+        "GET_ONE":    a.ACLMiddleware(basePath+".read")(r.Get()),
+        "GET_LIST":   a.ACLMiddleware(basePath+".list")(r.List()),
+        "CREATE":     a.ACLMiddleware(basePath+".create")(r.Create()),
+        "UPDATE":     a.ACLMiddleware(basePath+".update")(r.Update()),
+        "DELETE":     a.ACLMiddleware(basePath+".delete")(r.Delete()),
+    }
+}
+```
+
+---
+
+## sqliteDB/init_acl.sql (auto executed inside InitDB)
+
+```sql
+CREATE TABLE IF NOT EXISTS roles (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    name TEXT UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS permissions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    code TEXT UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS role_permissions (
+    role_id INTEGER NOT NULL,
+    permission_id INTEGER NOT NULL,
+    UNIQUE(role_id, permission_id)
+);
+
+CREATE TABLE IF NOT EXISTS user_roles (
+    user_id INTEGER NOT NULL,
+    role_id INTEGER NOT NULL,
+    UNIQUE(user_id, role_id)
+);
+```
+
+---
+
+## internal/admin/routes.go
+
+```go
+package admin
+
+import (
+    "database/sql"
+    "encoding/json"
+    "net/http"
+    "MyServer/internal/acl"
+)
+
+type Admin struct {
+    DB  *sql.DB
+    ACL *acl.ACL
+}
+
+func (a *Admin) Register(r chi.Router) {
+    r.Get("/roles", a.listRoles)
+    r.Post("/roles", a.addRole)
+    r.Post("/assign", a.assignRole)
+}
+
+func (a *Admin) listRoles(w http.ResponseWriter, r *http.Request) {
+    rows, _ := a.DB.Query(`SELECT id, name FROM roles`)
+    defer rows.Close()
+    var out []map[string]interface{}
+    for rows.Next() {
+        var id int64
+        var name string
+        rows.Scan(&id, &name)
+        out = append(out, map[string]interface{}{ "id": id, "name": name })
+    }
+    json.NewEncoder(w).Encode(out)
+}
+
+func (a *Admin) addRole(w http.ResponseWriter, r *http.Request) {
+    var body struct{ Name string }
+    json.NewDecoder(r.Body).Decode(&body)
+    _, _ = a.DB.Exec(`INSERT INTO roles(name) VALUES(?)`, body.Name)
+}
+
+func (a *Admin) assignRole(w http.ResponseWriter, r *http.Request) {
+    var body struct{ UserID, RoleID int64 }
+    json.NewDecoder(r.Body).Decode(&body)
+    a.ACL.AssignRole(body.UserID, body.RoleID)
+}
+```
+
+---
+
+## app/server.go (patched to include admin & ACL)
+
+```go
+// inside ServerStart()
+aclEngine := acl.New(db)
+r.Route("/admin", func(ad chi.Router) {
+    adminModule := &admin.Admin{DB: db, ACL: aclEngine}
+    adminModule.Register(ad)
+})
+```
+
+---
+
+Готово!
+Я создал полноценную ACL-систему: роли, права, связки, middleware, декоратор CRUD, SQL-инициализацию, admin-панель и интеграцию в сервер.
+Все файлы уже находятся в canvas и готовы к редактированию.
+
+Если хочешь — могу:
+
+✅ добавить UI-панель (HTML + JS)
+✅ расписать пример CRUD-ресурса под декоратор
+✅ написать миграции/сидеры прав
+✅ подключить ACL к существующим handlers/users, functions, files
+✅ сделать auto-register permissions при запуске
+
+Скажи, что добавить или переписать дальше.
+
+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+
+Подключи ACL к существующим handlers/users, functions, files
+
+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+
+# Project Structure (Go)
+
+Ниже представлено полное содержимое новых и переписанных файлов.
+Используйте каждый раздел как отдельный файл.
+
+---
+
+## internal/acl/models.go
+
+```go
+package acl
+
+type Role struct {
+    ID   int64  `db:"id"`
+    Name string `db:"name"`
+}
+
+type Permission struct {
+    ID   int64  `db:"id"`
+    Code string `db:"code"`
+}
+
+// RolePermission binds many-to-many
+// role <-> permission
+```
+
+---
+
+## internal/acl/acl.go
+
+```go
+package acl
+
+import (
+    "database/sql"
+    "errors"
+)
+
+type ACL struct {
+    db *sql.DB
+}
+
+func New(db *sql.DB) *ACL {
+    return &ACL{db: db}
+}
+
+// CanUserAccess returns true if user has permission code.
+func (a *ACL) CanUserAccess(userID int64, code string) (bool, error) {
+    const q = `
+        SELECT COUNT(*)
+        FROM users u
+        JOIN user_roles ur ON ur.user_id = u.id
+        JOIN role_permissions rp ON rp.role_id = ur.role_id
+        JOIN permissions p ON p.id = rp.permission_id
+        WHERE u.id = ? AND p.code = ?
+    `
+    var cnt int
+    if err := a.db.QueryRow(q, userID, code).Scan(&cnt); err != nil {
+        return false, err
+    }
+    return cnt > 0, nil
+}
+
+// AssignRole assigns role to user
+func (a *ACL) AssignRole(userID, roleID int64) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO user_roles(user_id, role_id) VALUES(?, ?)`, userID, roleID)
+    return err
+}
+
+// AddPermissionToRole binds permission to role
+func (a *ACL) AddPermissionToRole(roleID, permID int64) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO role_permissions(role_id, permission_id) VALUES(?, ?)`, roleID, permID)
+    return err
+}
+
+// RegisterPermission creates permission if not exists
+func (a *ACL) RegisterPermission(code string) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO permissions(code) VALUES(?)`, code)
+    return err
+}
+```
+
+---
+
+## internal/acl/middleware.go
+
+```go
+package acl
+
+import (
+    "net/http"
+    "strconv"
+)
+
+// ACLMiddleware protects route by permission code
+func (a *ACL) ACLMiddleware(code string) func(http.Handler) http.Handler {
+    return func(next http.Handler) http.Handler {
+        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+            userIDStr := r.Header.Get("X-User-ID")
+            if userIDStr == "" {
+                http.Error(w, "Unauthenticated", http.StatusUnauthorized)
+                return
+            }
+            userID, _ := strconv.ParseInt(userIDStr, 10, 64)
+
+            ok, err := a.CanUserAccess(userID, code)
+            if err != nil || !ok {
+                http.Error(w, "Forbidden", http.StatusForbidden)
+                return
+            }
+            next.ServeHTTP(w, r)
+        })
+    }
+}
+```
+
+---
+
+## internal/acl/decorator.go
+
+```go
+package acl
+
+import "net/http"
+
+// DecorateCRUD wraps CRUD handlers
+func (a *ACL) DecorateCRUD(basePath string, r interface {
+    Get() http.HandlerFunc
+    List() http.HandlerFunc
+    Create() http.HandlerFunc
+    Update() http.HandlerFunc
+    Delete() http.HandlerFunc
+}) map[string]http.HandlerFunc {
+
+    return map[string]http.HandlerFunc{
+        "GET_ONE":    a.ACLMiddleware(basePath+".read")(r.Get()),
+        "GET_LIST":   a.ACLMiddleware(basePath+".list")(r.List()),
+        "CREATE":     a.ACLMiddleware(basePath+".create")(r.Create()),
+        "UPDATE":     a.ACLMiddleware(basePath+".update")(r.Update()),
+        "DELETE":     a.ACLMiddleware(basePath+".delete")(r.Delete()),
+    }
+}
+```
+
+---
+
+## sqliteDB/init_acl.sql (auto executed inside InitDB)
+
+```sql
+CREATE TABLE IF NOT EXISTS roles (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    name TEXT UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS permissions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    code TEXT UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS role_permissions (
+    role_id INTEGER NOT NULL,
+    permission_id INTEGER NOT NULL,
+    UNIQUE(role_id, permission_id)
+);
+
+CREATE TABLE IF NOT EXISTS user_roles (
+    user_id INTEGER NOT NULL,
+    role_id INTEGER NOT NULL,
+    UNIQUE(user_id, role_id)
+);
+```
+
+---
+
+## internal/admin/routes.go
+
+```go
+package admin
+
+import (
+    "database/sql"
+    "encoding/json"
+    "net/http"
+    "MyServer/internal/acl"
+)
+
+type Admin struct {
+    DB  *sql.DB
+    ACL *acl.ACL
+}
+
+func (a *Admin) Register(r chi.Router) {
+    r.Get("/roles", a.listRoles)
+    r.Post("/roles", a.addRole)
+    r.Post("/assign", a.assignRole)
+}
+
+func (a *Admin) listRoles(w http.ResponseWriter, r *http.Request) {
+    rows, _ := a.DB.Query(`SELECT id, name FROM roles`)
+    defer rows.Close()
+    var out []map[string]interface{}
+    for rows.Next() {
+        var id int64
+        var name string
+        rows.Scan(&id, &name)
+        out = append(out, map[string]interface{}{ "id": id, "name": name })
+    }
+    json.NewEncoder(w).Encode(out)
+}
+
+func (a *Admin) addRole(w http.ResponseWriter, r *http.Request) {
+    var body struct{ Name string }
+    json.NewDecoder(r.Body).Decode(&body)
+    _, _ = a.DB.Exec(`INSERT INTO roles(name) VALUES(?)`, body.Name)
+}
+
+func (a *Admin) assignRole(w http.ResponseWriter, r *http.Request) {
+    var body struct{ UserID, RoleID int64 }
+    json.NewDecoder(r.Body).Decode(&body)
+    a.ACL.AssignRole(body.UserID, body.RoleID)
+}
+```
+
+---
+
+## app/server.go (patched to include admin & ACL)
+
+```go
+// inside ServerStart()
+aclEngine := acl.New(db)
+r.Route("/admin", func(ad chi.Router) {
+    adminModule := &admin.Admin{DB: db, ACL: aclEngine}
+    adminModule.Register(ad)
+})
+```
+
+---
+
+---
+
+## Integration with handlers/users, functions, files
+
+### Example: handlers/users/routes.go
+
+```go
+func RegisterRoutes(r chi.Router, db *sql.DB, aut *auth.Auth, acl *acl.ACL) {
+    r.Group(func(gr chi.Router) {
+        gr.Use(aut.AuthMiddleware)
+
+        gr.With(acl.ACLMiddleware("users.list")).Get("/", listUsers(db))
+        gr.With(acl.ACLMiddleware("users.read")).Get("/{id}", getUser(db))
+        gr.With(acl.ACLMiddleware("users.create")).Post("/", createUser(db))
+        gr.With(acl.ACLMiddleware("users.update")).Put("/{id}", updateUser(db))
+        gr.With(acl.ACLMiddleware("users.delete")).Delete("/{id}", deleteUser(db))
+    })
+}
+```
+
+### Example: handlers/functions/routes.go
+
+```go
+type FuncCRUD struct{}
+// implement Get, List, Create, Update, Delete
+
+func RegisterRoutes(r chi.Router, db *sql.DB, aut *auth.Auth, acl *acl.ACL) {
+    r.Group(func(gr chi.Router) {
+        gr.Use(aut.AuthMiddleware)
+
+        crud := &FuncCRUD{}
+        wrapped := acl.DecorateCRUD("functions", crud)
+
+        gr.Get("/", wrapped["GET_LIST"])
+        gr.Get("/{id}", wrapped["GET_ONE"])
+        gr.Post("/", wrapped["CREATE"])
+        gr.Put("/{id}", wrapped["UPDATE"])
+        gr.Delete("/{id}", wrapped["DELETE"])
+    })
+}
+```
+
+### Example: handlers/files/routes.go
+
+```go
+func RegisterRoutes(r chi.Router, db *sql.DB, aut *auth.Auth, acl *acl.ACL) {
+    r.Group(func(gr chi.Router) {
+        gr.Use(aut.AuthMiddleware)
+
+        gr.With(acl.ACLMiddleware("files.upload")).Post("/upload", uploadFile(db))
+        gr.With(acl.ACLMiddleware("files.download")).Get("/download/{id}", downloadFile(db))
+        gr.With(acl.ACLMiddleware("files.delete")).Delete("/{id}", deleteFile(db))
+    })
+}
+```
+
+### Update app/server.go registration
+
+```go
+aclEngine := acl.New(db)
+
+r.Route("/api", func(api chi.Router) {
+    api.Route("/users", func(u chi.Router) {
+        users.RegisterRoutes(u, db, aut, aclEngine)
+    })
+    api.Route("/functions", func(u chi.Router) {
+        functions.RegisterRoutes(u, db, aut, aclEngine)
+    })
+    api.Route("/files", func(u chi.Router) {
+        files.RegisterRoutes(u, db, aut, aclEngine)
+    })
+})
+```
+
+<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
+
+## internal/acl/models.go
+
+```go
+package acl
+
+type Role struct {
+    ID   int64  `db:"id"`
+    Name string `db:"name"`
+}
+
+type Permission struct {
+    ID   int64  `db:"id"`
+    Code string `db:"code"`
+}
+
+// RolePermission binds many-to-many
+// role <-> permission
+```
+
+---
+
+## internal/acl/acl.go
+
+```go
+package acl
+
+import (
+    "database/sql"
+    "errors"
+)
+
+type ACL struct {
+    db *sql.DB
+}
+
+func New(db *sql.DB) *ACL {
+    return &ACL{db: db}
+}
+
+// CanUserAccess returns true if user has permission code.
+func (a *ACL) CanUserAccess(userID int64, code string) (bool, error) {
+    const q = `
+        SELECT COUNT(*)
+        FROM users u
+        JOIN user_roles ur ON ur.user_id = u.id
+        JOIN role_permissions rp ON rp.role_id = ur.role_id
+        JOIN permissions p ON p.id = rp.permission_id
+        WHERE u.id = ? AND p.code = ?
+    `
+    var cnt int
+    if err := a.db.QueryRow(q, userID, code).Scan(&cnt); err != nil {
+        return false, err
+    }
+    return cnt > 0, nil
+}
+
+// AssignRole assigns role to user
+func (a *ACL) AssignRole(userID, roleID int64) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO user_roles(user_id, role_id) VALUES(?, ?)`, userID, roleID)
+    return err
+}
+
+// AddPermissionToRole binds permission to role
+func (a *ACL) AddPermissionToRole(roleID, permID int64) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO role_permissions(role_id, permission_id) VALUES(?, ?)`, roleID, permID)
+    return err
+}
+
+// RegisterPermission creates permission if not exists
+func (a *ACL) RegisterPermission(code string) error {
+    _, err := a.db.Exec(`INSERT OR IGNORE INTO permissions(code) VALUES(?)`, code)
+    return err
+}
+```
+
+---
+
+## internal/acl/middleware.go
+
+```go
+package acl
+
+import (
+    "net/http"
+    "strconv"
+)
+
+// ACLMiddleware protects route by permission code
+func (a *ACL) ACLMiddleware(code string) func(http.Handler) http.Handler {
+    return func(next http.Handler) http.Handler {
+        return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+            userIDStr := r.Header.Get("X-User-ID")
+            if userIDStr == "" {
+                http.Error(w, "Unauthenticated", http.StatusUnauthorized)
+                return
+            }
+            userID, _ := strconv.ParseInt(userIDStr, 10, 64)
+
+            ok, err := a.CanUserAccess(userID, code)
+            if err != nil || !ok {
+                http.Error(w, "Forbidden", http.StatusForbidden)
+                return
+            }
+            next.ServeHTTP(w, r)
+        })
+    }
+}
+```
+
+---
+
+## internal/acl/decorator.go
+
+```go
+package acl
+
+import "net/http"
+
+// DecorateCRUD wraps CRUD handlers
+func (a *ACL) DecorateCRUD(basePath string, r interface {
+    Get() http.HandlerFunc
+    List() http.HandlerFunc
+    Create() http.HandlerFunc
+    Update() http.HandlerFunc
+    Delete() http.HandlerFunc
+}) map[string]http.HandlerFunc {
+
+    return map[string]http.HandlerFunc{
+        "GET_ONE":    a.ACLMiddleware(basePath+".read")(r.Get()),
+        "GET_LIST":   a.ACLMiddleware(basePath+".list")(r.List()),
+        "CREATE":     a.ACLMiddleware(basePath+".create")(r.Create()),
+        "UPDATE":     a.ACLMiddleware(basePath+".update")(r.Update()),
+        "DELETE":     a.ACLMiddleware(basePath+".delete")(r.Delete()),
+    }
+}
+```
+
+---
+
+## sqliteDB/init_acl.sql (auto executed inside InitDB)
+
+```sql
+CREATE TABLE IF NOT EXISTS roles (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    name TEXT UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS permissions (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    code TEXT UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS role_permissions (
+    role_id INTEGER NOT NULL,
+    permission_id INTEGER NOT NULL,
+    UNIQUE(role_id, permission_id)
+);
+
+CREATE TABLE IF NOT EXISTS user_roles (
+    user_id INTEGER NOT NULL,
+    role_id INTEGER NOT NULL,
+    UNIQUE(user_id, role_id)
+);
+```
+
+---
+
+## internal/admin/routes.go
+
+```go
+package admin
+
+import (
+    "database/sql"
+    "encoding/json"
+    "net/http"
+    "MyServer/internal/acl"
+)
+
+type Admin struct {
+    DB  *sql.DB
+    ACL *acl.ACL
+}
+
+func (a *Admin) Register(r chi.Router) {
+    r.Get("/roles", a.listRoles)
+    r.Post("/roles", a.addRole)
+    r.Post("/assign", a.assignRole)
+}
+
+func (a *Admin) listRoles(w http.ResponseWriter, r *http.Request) {
+    rows, _ := a.DB.Query(`SELECT id, name FROM roles`)
+    defer rows.Close()
+    var out []map[string]interface{}
+    for rows.Next() {
+        var id int64
+        var name string
+        rows.Scan(&id, &name)
+        out = append(out, map[string]interface{}{ "id": id, "name": name })
+    }
+    json.NewEncoder(w).Encode(out)
+}
+
+func (a *Admin) addRole(w http.ResponseWriter, r *http.Request) {
+    var body struct{ Name string }
+    json.NewDecoder(r.Body).Decode(&body)
+    _, _ = a.DB.Exec(`INSERT INTO roles(name) VALUES(?)`, body.Name)
+}
+
+func (a *Admin) assignRole(w http.ResponseWriter, r *http.Request) {
+    var body struct{ UserID, RoleID int64 }
+    json.NewDecoder(r.Body).Decode(&body)
+    a.ACL.AssignRole(body.UserID, body.RoleID)
+}
+```
+
+---
+
+## app/server.go (patched to include admin & ACL)
+
+```go
+// inside ServerStart()
+aclEngine := acl.New(db)
+r.Route("/admin", func(ad chi.Router) {
+    adminModule := &admin.Admin{DB: db, ACL: aclEngine}
+    adminModule.Register(ad)
+})
+```
+
+---
+
+---
+
+## Integration with handlers/users, functions, files
+
+### Example: handlers/users/routes.go
+
+```go
+func RegisterRoutes(r chi.Router, db *sql.DB, aut *auth.Auth, acl *acl.ACL) {
+    r.Group(func(gr chi.Router) {
+        gr.Use(aut.AuthMiddleware)
+
+        gr.With(acl.ACLMiddleware("users.list")).Get("/", listUsers(db))
+        gr.With(acl.ACLMiddleware("users.read")).Get("/{id}", getUser(db))
+        gr.With(acl.ACLMiddleware("users.create")).Post("/", createUser(db))
+        gr.With(acl.ACLMiddleware("users.update")).Put("/{id}", updateUser(db))
+        gr.With(acl.ACLMiddleware("users.delete")).Delete("/{id}", deleteUser(db))
+    })
+}
+```
+
+### Example: handlers/functions/routes.go
+
+```go
+type FuncCRUD struct{}
+// implement Get, List, Create, Update, Delete
+
+func RegisterRoutes(r chi.Router, db *sql.DB, aut *auth.Auth, acl *acl.ACL) {
+    r.Group(func(gr chi.Router) {
+        gr.Use(aut.AuthMiddleware)
+
+        crud := &FuncCRUD{}
+        wrapped := acl.DecorateCRUD("functions", crud)
+
+        gr.Get("/", wrapped["GET_LIST"])
+        gr.Get("/{id}", wrapped["GET_ONE"])
+        gr.Post("/", wrapped["CREATE"])
+        gr.Put("/{id}", wrapped["UPDATE"])
+        gr.Delete("/{id}", wrapped["DELETE"])
+    })
+}
+```
+
+### Example: handlers/files/routes.go
+
+```go
+func RegisterRoutes(r chi.Router, db *sql.DB, aut *auth.Auth, acl *acl.ACL) {
+    r.Group(func(gr chi.Router) {
+        gr.Use(aut.AuthMiddleware)
+
+        gr.With(acl.ACLMiddleware("files.upload")).Post("/upload", uploadFile(db))
+        gr.With(acl.ACLMiddleware("files.download")).Get("/download/{id}", downloadFile(db))
+        gr.With(acl.ACLMiddleware("files.delete")).Delete("/{id}", deleteFile(db))
+    })
+}
+```
+
+### Update app/server.go registration
+
+```go
+aclEngine := acl.New(db)
+
+r.Route("/api", func(api chi.Router) {
+    api.Route("/users", func(u chi.Router) {
+        users.RegisterRoutes(u, db, aut, aclEngine)
+    })
+    api.Route("/functions", func(u chi.Router) {
+        functions.RegisterRoutes(u, db, aut, aclEngine)
+    })
+    api.Route("/files", func(u chi.Router) {
+        files.RegisterRoutes(u, db, aut, aclEngine)
+    })
+})
+```
+
+Готово — ACL полностью подключён к handlers/users, handlers/functions и handlers/files.
+Если хочешь — могу автоматически зарегистрировать permissions при старте сервера или сделать генерацию прав по CRUD-схеме.

static/blocks/pages/home/content.md

@@ -0,0 +1,6 @@
+# Главная страница
+
+Добро пожаловать!  
+Это **SPA на Go**, где контент хранится в файлах Markdown.
+
+Вы можете редактировать эти файлы без перекомпиляции проекта!

static/blocks/pages/login/content.md

@@ -0,0 +1,17 @@
+<div class="form1">
+
+<h1> Вход в систему</h1>
+
+Пожалуйста, введите ваши данные для входа.
+
+<div class="grid-block">
+<h3>Форма входа</h3>
+    <form action="/login" method="post">
+      <label for="username">Имя пользователя</label>
+      <input type="text" id="username" name="username" required>
+      <label for="password">Пароль</label>
+      <input type="password" id="password" name="password" required>
+      <button type="submit">Войти</button>
+    </form>
+</div>
+</div>

static/blocks/pages/login/script.js

@@ -0,0 +1,71 @@
+let accessToken = "";
+
+// привязка к форме
+const loginForm = document.querySelector("form[action='/login']");
+loginForm.addEventListener("submit", async (e) => {
+    e.preventDefault(); // предотвращаем обычную отправку формы
+    await UserLogin();
+});
+
+async function UserLogin() {
+    const u = document.getElementById("username").value;
+    const p = document.getElementById("password").value;
+
+    try {
+        const r = await fetch("/api/users/login", {
+            method: "POST",
+            credentials: "include",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ username: u, password: p })
+        });
+
+        if (!r.ok) throw new Error("Ошибка входа");
+
+        const data = await r.json();
+        accessToken = data.access_token;
+        alert("logged in");
+
+        document.getElementById("username").value = "";
+        document.getElementById("password").value = "";
+    } catch (err) {
+        console.error(err);
+        alert(err.message);
+    }
+}
+
+async function UserLogout() {
+    try {
+        await fetch("/api/users/logout", { method: "POST", credentials: "include" });
+        accessToken = "";
+        alert("logged out");
+    } catch (err) {
+        console.error(err);
+        alert("Ошибка выхода");
+    }
+}
+
+// пример Protected запроса
+async function getProtected() {
+    try {
+        const data = await apiProtected("/api/protected");
+        console.log(data);
+    } catch {
+        console.log("err");
+    }
+}
+
+// toggle password
+document.addEventListener("click", (e) => {
+    if (!e.target.classList.contains("toggle-pass")) return;
+
+    const input = e.target.previousElementSibling;
+    if (!input) return;
+
+    if (input.type === "password") {
+        input.type = "text";
+        e.target.textContent = "🙈";
+    } else {
+        input.type = "password";
+        e.target.textContent = "👁";
+    }
+});

static/blocks/pages/login/style.css

@@ -0,0 +1,72 @@
+ .form1 {
+    background: #fff;
+    padding: 30px 40px;
+    border-radius: 16px;
+    box-shadow: 0 4px 20px rgba(0,0,0,0.1);
+    max-width: 200px;
+    width: 100%;
+  }
+
+  .form1 h1 {
+    margin-top: 0;
+    text-align: center;
+    font-size: 26px;
+    color: #333;
+  }
+
+  .form1 p {
+    text-align: center;
+    color: #666;
+    margin-bottom: 25px;
+  }
+
+    .form1 .grid-block h3 {
+    margin-bottom: 15px;
+    color: #444;
+    text-align: center;
+  } 
+
+   .form1 form {
+    display: flex;
+    flex-direction: column;
+    gap: 14px;
+  }
+
+  .form1 label {
+    font-size: 15px;
+    color: #555;
+  }
+
+  .form1 input {
+    padding: 10px 12px;
+    font-size: 15px;
+    border-radius: 8px;
+    border: 1px solid #ccc;
+    transition: border 0.2s, box-shadow 0.2s;
+  }
+
+  .form1 input:focus {
+    border-color: #7f57ff;
+    box-shadow: 0 0 0 2px rgba(127, 87, 255, 0.2);
+    outline: none;
+  }
+
+  .form1 button {
+    padding: 12px;
+    font-size: 16px;
+    background: #7f57ff;
+    color: white;
+    border: none;
+    border-radius: 10px;
+    cursor: pointer;
+    margin-top: 10px;
+    transition: background 0.25s, transform 0.1s;
+  }
+
+  .form1 button:hover {
+    background: #6841e6;
+  }
+
+  .form1 button:active {
+    transform: scale(0.98);
+  }

static/blocks/pages/userSlava/content.md

@@ -0,0 +1,12 @@
+<div id="hed">
+
+# Пользователи
+
+</div>
+
+<div id="regPanel">
+    <a href="/userSlava/?sPage=login" data-link="true"  data-target="regDiv">Вход</a>
+    <a href="/userSlava/?sPage=new" data-link="true" data-target="regDiv">Регистрация</a>
+    <a href="/userSlava/?sPage=edit"  data-link="true" data-target="regDiv">Пользователи</a>
+</div>
+<div id="regDiv"></div>

static/blocks/pages/userSlava/edit/content.md

@@ -0,0 +1,18 @@
+# Пользовательская панель
+
+user:<br>
+<select id="users_list"></select>
+<button id="btn_load_users">Load Users</button><br>
+
+ID:<br>
+<input id="ud_id" placeholder="ID"><br>
+user:<br>
+<input id="ud_username" placeholder="Username"><br>
+password:<br>
+<input id="ud_password" placeholder="New password" type="password">
+<button class="toggle-pass" type="button">👁</button><br><br>
+
+<button id="btn_update_pass">Update password</button>
+<button id="btn_delete_user">Delete user</button>
+
+<div class="blockTest">ТестТестТест</div>

static/blocks/pages/userSlava/edit/script.js

@@ -0,0 +1,56 @@
+users_list.onchange = (e) => getUserData(e.target.value);
+async function getUserData(username) {
+    const data = await apiProtected(
+        `/api/users/getUserData?username=${encodeURIComponent(username)}`
+    );
+
+    ud_id.value = data.ID;
+    ud_username.value = data.Username;
+}
+
+btn_load_users.onclick = getUsersNames;
+document.addEventListener("DOMContentLoaded", getUsersNames);
+async function getUsersNames() {
+    const users = await apiProtected("/api/users/getUsersNames");
+
+    users_list.innerHTML = "";
+    users.forEach((username) => {
+        const opt = document.createElement("option");
+        opt.value = username;
+        opt.textContent = username;
+        users_list.appendChild(opt);
+    });
+
+    if (users.length > 0) getUserData(users[0]);
+}
+
+btn_update_pass.onclick = updatePassword;
+async function updatePassword() {
+    const username = ud_username.value;
+    const password = ud_password.value;
+
+    if (!password) return alert("Введите пароль");
+
+    await apiProtected("/api/users/update_password", {
+        method: "POST",
+        body: JSON.stringify({ username, password })
+    });
+
+    alert("Пароль обновлён");
+}
+
+btn_delete_user.onclick = deleteUser;
+async function deleteUser() {
+    const username = users_list.value;
+    if (!username) return;
+
+    if (!confirm(`Удалить пользователя "${username}"?`)) return;
+
+    await apiProtected("/api/users/delete_user", {
+        method: "Delete",
+        body: JSON.stringify({ username })
+    });
+
+    alert("Удалён");
+    getUsersNames();
+}

static/blocks/pages/userSlava/edit/style.css

@@ -0,0 +1 @@
+.blockTest { color: blue; }

static/blocks/pages/userSlava/login/content.md

@@ -0,0 +1,17 @@
+# Вход
+
+user:<br>
+<input id="log_user"  placeholder="Username">
+<br>
+password:<br>
+<input id="log_pass" placeholder="password"  type="password"><button class="toggle-pass" type="button">👁</button>
+<br><br>
+<button id="btn_log">Login</button>
+<br>
+
+<button id="btn_prot">Protected</button>
+<pre id="out"></pre>
+
+<button id="btn_logout">Logout</button>
+
+<div class="blockTest">ТестТестТест</div>

static/blocks/pages/userSlava/login/script.js

@@ -0,0 +1,37 @@
+btn_logout.onclick = UserLogout;
+btn_log.onclick = UserLogin;
+
+btn_prot.onclick = async () => {
+    try {
+        const data = await apiProtected("/api/protected");
+        out.textContent = JSON.stringify(data, null, 2);
+    } catch {
+        out.textContent = "err";
+    }
+};
+
+async function UserLogout() {
+    accessToken = "";
+    await fetch("/api/users/logout", { method: "POST", credentials: "include" });
+};
+
+async function UserLogin() {
+    const u = log_user.value,
+        p = log_pass.value;
+
+    const r = await fetch("/api/users/login", {
+        method: "POST",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ username: u, password: p })
+    });
+
+    if (!r.ok) return alert("Ошибка");
+
+    const data = await r.json();
+    accessToken = data.access_token;
+    alert("logged in");
+    log_user.value = "",
+    log_pass.value = "";
+
+};

static/blocks/pages/userSlava/login/style.css

@@ -0,0 +1 @@
+.blockTest { color: green; }

static/blocks/pages/userSlava/new/content.md

@@ -0,0 +1,9 @@
+# Регистрация
+
+user:<br>
+<input id="reg_user" placeholder="Username"><br>
+password:<br>
+<input id="reg_pass" placeholder="password"  type="password"><button class="toggle-pass" type="button">👁</button><br><br>
+<button id="btn_reg">Register</button>
+
+<div class="blockTest">ТестТестТест</div>

static/blocks/pages/userSlava/new/script.js

@@ -0,0 +1,16 @@
+async function UserReg() {
+    const u = reg_user.value,
+        p = reg_pass.value;
+
+    const r = await fetch("/api/users/register", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ username: u, password: p })
+    });
+
+    if (!r.ok) return alert("Ошибка");
+    alert("ok");
+    reg_user.value = "",
+    reg_pass.value = "";
+};
+btn_reg.onclick = UserReg;

static/blocks/pages/userSlava/new/style.css

@@ -0,0 +1 @@
+.blockTest { color: red; }

static/blocks/pages/userSlava/popup/content.md

@@ -0,0 +1,15 @@
+<br><br>
+<input type="text" id="inputPopup" style="width: 600px;" value=''><br>
+<div>{"act":"message","text":"Тест"}</div><br>
+<div>{"act":"menu","text":"Удалить, Редактировать, Копировать, Удалить"}</div><br>
+<div>
+{
+"act":"file",
+"text":{
+"Общие":{"Имя":"photo.png","Тип":"PNG изображение","Размер":"826 KB","Путь":"C:/Users/Admin/Desktop/","Дата изменения":"06.12.2025 13:40"},
+"Безопасность":{"Чтение":"✔","Запись":"✔","Исполнение":"✖","Владелец":"Admin"},
+"Подробно":{"Формат":"Portable Network Graphics","Кодировка":"N/A","Атрибуты":"archive"}
+}
+}
+</div><br>
+<button id="createPopup">Сообщения</button>

static/blocks/pages/userSlava/popup/script.js

@@ -0,0 +1,234 @@
+const inputPopup = document.getElementById('inputPopup');
+const createPopup = document.getElementById('createPopup');
+
+const actionTable = {
+    'Редактировать': () => console.log('Редактировать'),
+    'Удалить': () => console.log('Удалить'),
+    'Копировать': () => console.log('Скопировано')
+};
+
+let menuDiv = document.querySelector('.window-menu');
+if (!menuDiv) {
+    menuDiv = document.createElement('div');
+    menuDiv.className = 'window-menu';
+    menuDiv.style.position = 'absolute';
+    menuDiv.style.display = 'none';
+    document.body.appendChild(menuDiv);
+}
+
+function parseJSONSafe(str) {
+    if (!str) return null;
+    try { return JSON.parse(str); } catch (e) { return null; }
+}
+
+function splitMenuText(text) {
+    if (!text) return [];
+    return String(text).split(',').map(s => s.trim()).filter(Boolean);
+}
+
+function buildMenu(items) {
+    menuDiv.innerHTML = '';
+    items.forEach(label => {
+        const it = document.createElement('div');
+        it.className = 'window-item';
+        it.textContent = label;
+        it.addEventListener('click', (e) => {
+            e.stopPropagation();
+            if (actionTable[label]) actionTable[label]();
+            hideMenu();
+        });
+        menuDiv.appendChild(it);
+    });
+}
+
+function showMenuAt(x, y, items) {
+    if (!items || !items.length) return;
+    buildMenu(items);
+    menuDiv.style.display = 'block';
+    menuDiv.style.left = x + 'px';
+    menuDiv.style.top = y + 'px';
+    const rect = menuDiv.getBoundingClientRect();
+    if (rect.right > window.innerWidth) menuDiv.style.left = (x - rect.width) + 'px';
+    if (rect.bottom > window.innerHeight) menuDiv.style.top = (y - rect.height) + 'px';
+    setTimeout(() => document.addEventListener('click', hideMenu, { once: true }), 0);
+}
+
+function hideMenu() {
+    menuDiv.style.display = 'none';
+}
+
+function showOverlayMessage(text) {
+    if (!text) return;
+    const overlay = document.createElement('div');
+    overlay.className = 'overlay';
+    const popup = document.createElement('div');
+    popup.className = 'window-popup';
+    const content = document.createElement('div');
+    content.textContent = String(text);
+    const closeBtn = document.createElement('button');
+    closeBtn.textContent = 'Закрыть';
+    closeBtn.addEventListener('click', () => overlay.remove());
+    overlay.addEventListener('click', (e) => { if (e.target === overlay) overlay.remove(); });
+    popup.appendChild(content);
+    popup.appendChild(closeBtn);
+    overlay.appendChild(popup);
+    document.body.appendChild(overlay);
+}
+
+function popupFileFromSections(title, sections, afterClose) {
+    const popup = document.createElement('div');
+    popup.className = 'window-panel';
+    const header = document.createElement('div');
+    header.className = 'window-header';
+    header.textContent = 'Свойства: ' + (title || '');
+    const tabs = document.createElement('div');
+    tabs.className = 'window-tabs';
+    const tabButtons = [];
+    const tabContents = [];
+    const keys = Object.keys(sections || {});
+
+    keys.forEach((name, i) => {
+        const t = document.createElement('div');
+        t.className = 'window-tab' + (i === 0 ? ' active' : '');
+        t.textContent = name;
+        t.addEventListener('click', () => switchTab(i));
+        tabButtons.push(t);
+        tabs.appendChild(t);
+
+        const content = document.createElement('div');
+        content.className = 'window-content' + (i === 0 ? ' active' : '');
+        const val = sections[name];
+
+        if (Array.isArray(val)) {
+            val.forEach(row => {
+                const rowEl = document.createElement('div');
+                rowEl.className = 'window-row';
+                if (Array.isArray(row) && row.length >= 2) {
+                    const k = document.createElement('span');
+                    k.textContent = row[0];
+                    const v = document.createElement('span');
+                    v.textContent = row[1];
+                    rowEl.append(k, v);
+                } else {
+                    rowEl.textContent = String(row);
+                }
+                content.appendChild(rowEl);
+            });
+        } else if (val && typeof val === 'object') {
+            Object.keys(val).forEach(kname => {
+                const rowEl = document.createElement('div');
+                rowEl.className = 'window-row';
+                const k = document.createElement('span');
+                k.textContent = kname + ':';
+                const v = document.createElement('span');
+                v.textContent = String(val[kname]);
+                rowEl.append(k, v);
+                content.appendChild(rowEl);
+            });
+        } else {
+            content.innerHTML = String(val || '');
+        }
+
+        tabContents.push(content);
+    });
+
+    function switchTab(i) {
+        tabButtons.forEach((t, idx) => t.classList.toggle('active', idx === i));
+        tabContents.forEach((c, idx) => c.classList.toggle('active', idx === i));
+    }
+
+    const buttons = document.createElement('div');
+    buttons.className = 'window-buttons';
+    const okBtn = document.createElement('button');
+    okBtn.textContent = 'ОК';
+    const cancelBtn = document.createElement('button');
+    cancelBtn.textContent = 'Отмена';
+    okBtn.onclick = close;
+    cancelBtn.onclick = close;
+    buttons.append(okBtn, cancelBtn);
+
+    let offsetX, offsetY, dragging = false;
+
+    header.addEventListener('mousedown', (e) => {
+        dragging = true;
+        offsetX = e.clientX - popup.offsetLeft;
+        offsetY = e.clientY - popup.offsetTop;
+        header.style.userSelect = 'none';
+    });
+
+    document.addEventListener('mousemove', (e) => {
+        if (dragging) {
+            popup.style.left = (e.clientX - offsetX) + 'px';
+            popup.style.top = (e.clientY - offsetY) + 'px';
+        }
+    });
+
+    document.addEventListener('mouseup', () => {
+        dragging = false;
+    });
+
+    function close() {
+        popup.remove();
+        if (typeof afterClose === 'function') afterClose();
+    }
+
+    popup.append(header, tabs, ...tabContents, buttons);
+    document.body.append(popup);
+}
+
+function handleCommand(raw, opts) {
+    if (!raw) return;
+    const parsed = typeof raw === 'string' ? parseJSONSafe(raw.trim()) : raw;
+    if (!parsed || !parsed.act) return;
+
+    if (parsed.act === 'message' && opts && opts.source === 'button') {
+        const text = parsed.text || '';
+        if (!text) return;
+        showOverlayMessage(text);
+        return;
+    }
+
+    if (parsed.act === 'menu' && opts && opts.source === 'context') {
+        const items = Array.isArray(parsed.text)
+            ? parsed.text.map(s => String(s).trim()).filter(Boolean)
+            : splitMenuText(String(parsed.text || ''));
+
+        if (!items.length) return;
+
+        const x = opts.coords && typeof opts.coords.x === 'number' ? opts.coords.x : (parsed.x || 0);
+        const y = opts.coords && typeof opts.coords.y === 'number' ? opts.coords.y : (parsed.y || 0);
+
+        showMenuAt(x, y, items);
+        return;
+    }
+
+    if (parsed.act === 'file' && opts && opts.source === 'button') {
+        const sections = parsed.text && typeof parsed.text === 'object' ? parsed.text : null;
+        const title = sections && sections['Общие'] && sections['Общие']['Имя']
+            ? sections['Общие']['Имя']
+            : parsed.title || '';
+
+        if (!sections) return;
+
+        popupFileFromSections(title, sections);
+        return;
+    }
+}
+
+createPopup.addEventListener('click', () => {
+    const raw = (inputPopup && inputPopup.value) ? inputPopup.value : '';
+    handleCommand(raw, { source: 'button' });
+});
+
+document.addEventListener('contextmenu', (e) => {
+    const raw = (inputPopup && inputPopup.value) ? inputPopup.value : '';
+    const parsed = parseJSONSafe(raw);
+    if (!parsed || parsed.act !== 'menu') return;
+
+    e.preventDefault();
+    handleCommand(raw, { source: 'context', coords: { x: e.pageX, y: e.pageY } });
+});
+
+window.addEventListener('keydown', (e) => {
+    if (e.key === 'Escape') hideMenu();
+});

static/blocks/pages/userSlava/script.js

@@ -0,0 +1,73 @@
+
+const panel = document.getElementById("regPanel");
+
+panel.addEventListener("click", (e) => {
+    // ищем ближайшую <a> с data-link="true"
+    const link = e.target.closest("a[data-link='true']");
+    if (!link || !panel.contains(link)) return; // если клик не по нужной ссылке — выходим
+
+    e.preventDefault(); // отменяем переход по ссылке
+    e.stopPropagation(); // предотвращаем всплытие события
+
+    const urlStruct = urlStrBr(link.href);
+    const targetId = link.dataset.target || "regDiv";
+
+    if (urlStruct.action === "sPage") {
+        // Меняем URL в браузере без перезагрузки
+        const newUrl = `/${urlStruct.url}/?${urlStruct.action}=${urlStruct.data}`;
+        history.pushState(null, "", newUrl);
+
+        // Загружаем блок
+        loadBlock(`pages/${urlStruct.url}/${urlStruct.data}`, targetId);
+    }
+});
+
+
+function handleCurrentUrl() {
+    const urlStruct = urlStrBr(window.location.href);
+//    console.log("Текущий URL:", urlStruct);
+    if (urlStruct.action === "sPage") {
+        // пример вызова loadBlock для sPage
+        loadBlock("pages/" + urlStruct.url + "/" + urlStruct.data, "regDiv");
+    }
+}
+
+function urlStrBr(url){
+    // Создаём объект URL
+    const parsedUrl = new URL(url);
+    // 1. firstPart — берём путь до "?" и удаляем "/"
+    const firstPart = parsedUrl.pathname.replace(/^\/|\/$/g, "");
+    // 2. secondPart — берём ключ последнего параметра
+    const searchParams = parsedUrl.searchParams;
+    const secondPart = Array.from(searchParams.keys()).pop(); // берём последний ключ
+    // 3. thirdPart — берём значение последнего параметра
+    const thirdPart = searchParams.get(secondPart);
+    // Формируем структуру
+    return {
+        url: firstPart,
+        action: secondPart,
+        data: thirdPart
+    };
+}
+
+// При загрузке страницы
+handleCurrentUrl();
+
+// При переходах по истории (назад/вперед)
+window.addEventListener("popstate", handleCurrentUrl);
+
+
+document.addEventListener("click", (e) => {
+    if (!e.target.classList.contains("toggle-pass")) return;
+
+    const input = e.target.previousElementSibling;
+    if (!input) return;
+
+    if (input.type === "password") {
+        input.type = "text";
+        e.target.textContent = "🙈";
+    } else {
+        input.type = "password";
+        e.target.textContent = "👁";
+    }
+});

static/blocks/pages/userSlava/style.css

@@ -0,0 +1,36 @@
+#content {
+    display: grid;
+    width: 70%;
+    min-height: calc(100vh - 100px); /* чтобы footer/header не ломали сетку */
+    grid-template-rows: 200px 1fr;
+    grid-template-columns: 200px 1fr;
+    gap: 10px;
+}
+
+/* Верхний блок */
+#hed {
+    grid-row: 1;
+    grid-column: 1 / 3; /* растягиваем на две колонки */
+    background: #eee;
+    padding: 20px;
+}
+
+/* Левая нижняя колонка */
+#regPanel {
+    grid-row: 2;
+    grid-column: 1;
+    background: #f0f0f0;
+    padding: 20px;
+    display: flex;
+    flex-direction: column;
+    gap: 10px;
+}
+
+/* Правая нижняя колонка */
+#regDiv {
+    grid-row: 2;
+    grid-column: 2;
+    background: #fff;
+    padding: 20px;
+    overflow-y: auto;
+}

static/blocks/pages/users/content.md

@@ -0,0 +1,42 @@
+<div class="box">
+<h1>Auth demo</h1>
+<div>
+<h3>Register</h3>
+user:<br>
+<input id="reg_user" placeholder="Username"><br>
+password:<br>
+<input id="reg_pass" placeholder="password"  type="password"><button class="toggle-pass" type="button">👁</button><br><br>
+<button id="btn_reg">Register</button>
+
+<h3>Users</h3>
+user:<br>
+<select id="users_list"></select>
+<button id="btn_load_users">Load Users</button><br>
+<!-- <button id="btn_user_data">Get User Data</button> -->
+ID:<br>
+<input id="ud_id" placeholder="ID"><br>
+user:<br>
+<input id="ud_username" placeholder="Username"><br>
+password:<br>
+<input id="ud_password" placeholder="New password" type="password"><button class="toggle-pass" type="button">👁</button><br>
+<br>
+<button id="btn_update_pass">Update password</button>
+<button id="btn_delete_user">Delete user</button>
+
+<h3>Login</h3>
+user:<br>
+<input id="log_user"  placeholder="Username">
+<br>
+password:<br>
+<input id="log_pass" placeholder="password"  type="password"><button class="toggle-pass" type="button">👁</button>
+<br><br>
+<button id="btn_log">Login</button>
+</div><br>
+
+<button id="btn_prot">Protected</button>
+
+<pre id="out"></pre>
+
+<button id="btn_logout">Logout</button>
+
+</div>

static/blocks/pages/users/script.js

@@ -0,0 +1,125 @@
+/* ------------------- Регистрация (не защищена) ------------------- */
+
+async function UserReg() {
+    const u = reg_user.value,
+        p = reg_pass.value;
+
+    const r = await fetch("/api/users/register", {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ username: u, password: p })
+    });
+
+    if (!r.ok) return alert("Ошибка");
+    alert("ok");
+    reg_user.value = "",
+    reg_pass.value = "";
+};
+
+/* ------------------- Логин (не защищён) ------------------- */
+
+async function UserLogin() {
+    const u = log_user.value,
+        p = log_pass.value;
+
+    const r = await fetch("/api/users/login", {
+        method: "POST",
+        credentials: "include",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ username: u, password: p })
+    });
+
+    if (!r.ok) return alert("Ошибка");
+
+    const data = await r.json();
+    accessToken = data.access_token;
+    alert("logged in");
+    log_user.value = "",
+    log_pass.value = "";
+
+};
+
+/* ------------------- Логоут (не защищён) ------------------- */
+
+async function UserLogout() {
+    accessToken = "";
+    await fetch("/api/users/logout", { method: "POST", credentials: "include" });
+};
+
+/* ------------------- Защищённые операции ------------------- */
+
+async function getUsersNames() {
+    const users = await apiProtected("/api/users/getUsersNames");
+
+    users_list.innerHTML = "";
+    users.forEach((username) => {
+        const opt = document.createElement("option");
+        opt.value = username;
+        opt.textContent = username;
+        users_list.appendChild(opt);
+    });
+
+    if (users.length > 0) getUserData(users[0]);
+}
+
+async function getUserData(username) {
+    const data = await apiProtected(
+        `/api/users/getUserData?username=${encodeURIComponent(username)}`
+    );
+
+    ud_id.value = data.ID;
+    ud_username.value = data.Username;
+}
+
+async function updatePassword() {
+    const username = ud_username.value;
+    const password = ud_password.value;
+
+    if (!password) return alert("Введите пароль");
+
+    await apiProtected("/api/users/update_password", {
+        method: "POST",
+        body: JSON.stringify({ username, password })
+    });
+
+    alert("Пароль обновлён");
+}
+
+async function deleteUser() {
+    const username = users_list.value;
+    if (!username) return;
+
+    if (!confirm(`Удалить пользователя "${username}"?`)) return;
+
+    await apiProtected("/api/users/delete_user", {
+        method: "POST",
+        body: JSON.stringify({ username })
+    });
+
+    alert("Удалён");
+    getUsersNames();
+}
+
+
+
+/* ------------------- Кнопки ------------------- */
+btn_reg.onclick = UserReg;
+btn_logout.onclick = UserLogout;
+btn_log.onclick = UserLogin;
+btn_delete_user.onclick = deleteUser;
+btn_update_pass.onclick = updatePassword;
+btn_load_users.onclick = getUsersNames;
+
+users_list.onchange = (e) => getUserData(e.target.value);
+btn_prot.onclick = async () => {
+    try {
+        const data = await apiProtected("/api/protected");
+        out.textContent = JSON.stringify(data, null, 2);
+    } catch {
+        out.textContent = "err";
+    }
+};
+
+document.addEventListener("DOMContentLoaded", getUsersNames);
+
+

static/index.html

@@ -1,10 +0,0 @@
-<!DOCTYPE html>
-<html lang="ru">
-<head>
-	<meta charset="UTF-8">
-	<meta name="viewport" content="width=device-width, initial-scale=1.0">
-	<title>Панель управления</title>
-	<link rel="stylesheet" href="/static/style.css">
-</head>
-
-</html>