add docs to gitignore

front
add internal gorm erros
2026-01-03 15:47:04 +02:00 · 2026-01-03 15:46:06 +02:00 · 2026-01-03 15:45:47 +02:00 · 2026-01-03 15:45:34 +02:00 · 2026-01-03 15:45:23 +02:00 · 2026-01-03 15:44:48 +02:00
59 changed files with 4076 additions and 363 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,7 @@ bin/
 config.yaml
 *.sqlite3
 panic.log
+testdata/
+secret/
+data/
+docs/
--- a/8
+++ b/8
@@ -20,7 +20,7 @@ imports-tools:
 		go install golang.org/x/tools/cmd/goimports@latest; \
 	fi

-.PHONY: all build run test lint fmt imports
+.PHONY: all swag build run test lint fmt imports

 all: build

@@ -30,6 +30,12 @@ run: build

 BUILD_PARAMS = -trimpath -ldflags "-X git.oblat.lv/alex/triggerssmith/internal/vars.Version=$(VERSION)"

+build-with-swag: swag build
+
+swag:
+	@echo "-- generating swagger docs"
+	@swag init -g cmd/serve.go
+
 build:
 	@echo "-- building $(NAME)"
 	@go build $(BUILD_PARAMS) -o $(BINARY) $(ENTRY)  
--- a/api/acl_admin/common_models.go
+++ b/api/acl_admin/common_models.go
@@ -0,0 +1,11 @@
+package api_acladmin
+
+type errorInvalidRequestBody struct {
+	Error   string `json:"error" example:"INVALID_REQUEST_BODY"`
+	Details string `json:"details" example:"Request body is not valid JSON"`
+}
+
+type errorInternalServerError struct {
+	Error   string `json:"error"`
+	Details string `json:"details"`
+}
--- a/api/acl_admin/errors.go
+++ b/api/acl_admin/errors.go
@@ -0,0 +1,28 @@
+package api_acladmin
+
+const (
+	ErrorInvalidRequestBody  = "INVALID_REQUEST_BODY"
+	ErrorInternalServerError = "INTERNAL_SERVER_ERROR"
+
+	// Roles
+	ErrorFailedToCreateRole = "FAILED_TO_CREATE_ROLE"
+	ErrorFailedToGetRole    = "FAILED_TO_GET_ROLE"
+	ErrorFailedToUpdateRole = "FAILED_TO_UPDATE_ROLE"
+	ErrorFailedToDeleteRole = "FAILED_TO_DELETE_ROLE"
+
+	ErrorInvalidRoleID = "INVALID_ROLE_ID"
+	ErrorRoleNotFound  = "ROLE_NOT_FOUND"
+
+	// Resources
+	ErrorFailedToCreateResource = "FAILED_TO_CREATE_RESOURCE"
+	ErrorFailedToGetResource    = "FAILED_TO_GET_RESOURCE"
+	ErrorFailedToUpdateResource = "FAILED_TO_UPDATE_RESOURCE"
+	ErrorFailedToDeleteResource = "FAILED_TO_DELETE_RESOURCE"
+
+	ErrorInvalidResourceID = "INVALID_RESOURCE_ID"
+	ErrorResourceNotFound  = "RESOURCE_NOT_FOUND"
+)
+
+const (
+	ErrorACLServiceNotInitialized = "ACL service is not initialized"
+)
--- a/api/acl_admin/handle.go
+++ b/api/acl_admin/handle.go
@@ -0,0 +1,259 @@
+package api_acladmin
+
+import (
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+
+	//"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/go-chi/chi/v5"
+)
+
+type aclAdminHandler struct {
+	cfg  *config.Config
+	a    *acl.Service
+	auth *auth.Service
+}
+
+func MustRoute(config *config.Config, aclService *acl.Service, authService *auth.Service) func(chi.Router) {
+	if config == nil {
+		panic("config is nil")
+	}
+	if aclService == nil {
+		panic("aclService is nil")
+	}
+	if authService == nil {
+		panic("authService is nil")
+	}
+	h := &aclAdminHandler{
+		cfg:  config,
+		a:    aclService,
+		auth: authService,
+	}
+	// GET    /roles            — список ролей
+	// POST   /roles            — создать роль
+	// GET    /roles/{roleId}   — получить роль
+	// PATCH  /roles/{roleId}   — обновить роль (если нужно)
+	// DELETE /roles/{roleId}   — удалить роль
+
+	// GET    /resources              — список ресурсов
+	// POST   /resources              — создать ресурс
+	// GET    /resources/{resId}      — получить ресурс
+	// PATCH  /resources/{resId}      — обновить ресурс
+	// DELETE /resources/{resId}      — удалить ресурс
+
+	// GET    /users/{userId}/roles           — роли пользователя
+	// POST   /users/{userId}/roles           — назначить роль пользователю
+	// DELETE /users/{userId}/roles/{roleId}  — снять роль
+
+	// GET    /roles/{roleId}/resources           — ресурсы роли
+	// POST   /roles/{roleId}/resources           — назначить ресурс роли
+	// DELETE /roles/{roleId}/resources/{resId}   — убрать ресурс
+	return func(r chi.Router) {
+		// Roles
+		r.Get("/roles", h.getRoles)                                             // list all roles
+		r.Post("/roles", h.createRole)                                          // create a new role
+		r.Get("/roles/{roleId}", h.getRole)                                     // get a role by ID
+		r.Get("/roles/{roleId}/users", h.getRoleUsers)                          // get all assigned users to a role
+		r.Get("/roles/{roleId}/resources", h.getRoleResources)                  // get all resources assigned to a role
+		r.Patch("/roles/{roleId}", h.updateRole)                                // update a role by ID
+		r.Delete("/roles/{roleId}", h.deleteRole)                               // delete a role by ID
+		r.Post("/roles/{roleId}/resources", h.assignResourceToRole)             // assign a resource to a role
+		r.Delete("/roles/{roleId}/resources/{resId}", h.removeResourceFromRole) // remove a resource from a role
+
+		// Resources
+		r.Get("/resources", h.getResources)                   // list all resources
+		r.Post("/resources", h.createResource)                // create a new resource
+		r.Get("/resources/{resourceId}", h.getResource)       // get a resource by ID
+		r.Patch("/resources/{resourceId}", h.updateResource)  // update a resource by ID
+		r.Delete("/resources/{resourceId}", h.deleteResource) // delete a resource by ID
+
+		// Users
+		r.Get("/users/{userId}/roles", h.getUserRoles)                   // get all roles for a user
+		r.Post("/users/{userId}/roles", h.assignRoleToUser)              // assign a role to a user
+		r.Delete("/users/{userId}/roles/{roleId}", h.removeRoleFromUser) // remove a role from a user
+
+		// Users
+		// r.Get("/users/{userId}/roles", h.getUserRoles) // get all roles for a user
+		// r.Post("/users/{userId}/roles", h.assignRoleToUser) // assign a role to a user
+		// r.Delete("/users/{userId}/roles/{roleId}", h.removeRoleFromUser) // remove a role from a user
+
+		// r.Get("/roles", h.getRoles)
+		// r.Post("/create-role", h.createRole)
+		// r.Post("/assign-role", h.assignRoleToUser)
+		// r.Get("/user-roles", h.getUserRoles)
+		// r.Post("/remove-role", h.removeRoleFromUser)
+
+		// r.Get("/resources", h.getResources)
+		// r.Post("/create-resource", h.createResource)
+		// r.Post("/assign-resource", h.assignResourceToRole)
+		// r.Get("/role-resources", h.getRoleResources)
+		// r.Post("/remove-resource", h.removeResourceFromRole)
+
+		// r.Get("/permissions", h.getResources)                   // legacy support
+		// r.Post("/create-permissions", h.createResource)         // legacy support
+		// r.Post("/assign-permissions", h.assignResourceToRole)   // legacy support
+		// r.Get("/role-permissions", h.getRoleResources)          // legacy support
+		// r.Post("/remove-permissions", h.removeResourceFromRole) // legacy support
+	}
+}
+
+// type assignRoleRequest struct {
+// 	UserID int `json:"userId"`
+// 	RoleID int `json:"roleId"`
+// }
+
+// func (h *aclAdminHandler) assignRoleToUser(w http.ResponseWriter, r *http.Request) {
+// 	var req assignRoleRequest
+// 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+// 		http.Error(w, "Invalid request body", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if req.UserID < 0 || req.RoleID < 0 {
+// 		http.Error(w, "Invalid user or role ID", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if err := h.a.AssignRoleToUser(uint(req.RoleID), uint(req.UserID)); err != nil {
+// 		http.Error(w, "Failed to assign role to user", http.StatusConflict)
+// 		return
+// 	}
+// 	w.WriteHeader(http.StatusCreated)
+// }
+
+// type getUserRolesResponse getRolesResponse
+
+// func (h *aclAdminHandler) getUserRoles(w http.ResponseWriter, r *http.Request) {
+// 	uidStr := r.URL.Query().Get("userId")
+// 	if uidStr == "" {
+// 		http.Error(w, "Missing userId parameter", http.StatusBadRequest)
+// 		return
+// 	}
+// 	userID, err := strconv.Atoi(uidStr)
+// 	if err != nil || userID < 0 {
+// 		http.Error(w, "Invalid userId parameter", http.StatusBadRequest)
+// 		return
+// 	}
+// 	roles, err := h.a.GetUserRoles(uint(userID))
+// 	if err != nil {
+// 		http.Error(w, "Internal server error", http.StatusInternalServerError)
+// 		return
+// 	}
+// 	w.Header().Set("Content-Type", "application/json")
+// 	err = json.NewEncoder(w).Encode(func() getUserRolesResponse {
+// 		// Transform acl.Role to getUserRolesResponse
+// 		resp := make(getUserRolesResponse, 0, len(roles))
+// 		for _, role := range roles {
+// 			resp = append(resp, struct {
+// 				ID   uint   `json:"id"`
+// 				Name string `json:"name"`
+// 			}{
+// 				ID:   role.ID,
+// 				Name: role.Name,
+// 			})
+// 		}
+// 		return resp
+// 	}())
+// 	if err != nil {
+// 		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+// 		return
+// 	}
+// }
+
+// type removeRoleRequest struct {
+// 	UserID int `json:"userId"`
+// 	RoleID int `json:"roleId"`
+// }
+
+// func (h *aclAdminHandler) removeRoleFromUser(w http.ResponseWriter, r *http.Request) {
+// 	var req removeRoleRequest
+// 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+// 		http.Error(w, "Invalid request body", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if req.UserID < 0 || req.RoleID < 0 {
+// 		http.Error(w, "Invalid user or role ID", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if err := h.a.RemoveRoleFromUser(uint(req.RoleID), uint(req.UserID)); err != nil {
+// 		http.Error(w, "Failed to remove role from user", http.StatusConflict)
+// 		return
+// 	}
+// 	w.WriteHeader(http.StatusNoContent)
+// }
+
+// type getResourcesResponse getRolesResponse
+
+// func (h *aclAdminHandler) getResources(w http.ResponseWriter, r *http.Request) {
+// 	resources, err := h.a.GetResources()
+// 	if err != nil {
+// 		http.Error(w, "Internal server error", http.StatusInternalServerError)
+// 		return
+// 	}
+// 	w.Header().Set("Content-Type", "application/json")
+// 	err = json.NewEncoder(w).Encode(func() getResourcesResponse {
+// 		// Transform acl.Resource to getResourcesResponse
+// 		resp := make(getResourcesResponse, 0, len(resources))
+// 		for _, res := range resources {
+// 			resp = append(resp, struct {
+// 				ID   uint   `json:"id"`
+// 				Name string `json:"name"`
+// 			}{
+// 				ID:   res.ID,
+// 				Name: res.Key,
+// 			})
+// 		}
+// 		return resp
+// 	}())
+// 	if err != nil {
+// 		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+// 		return
+// 	}
+// }
+
+// type createResourceRequest struct {
+// 	Name string `json:"name"`
+// }
+
+// type createResourceResponse struct {
+// 	ID   uint   `json:"id"`
+// 	Name string `json:"name"`
+// }
+
+// func (h *aclAdminHandler) createResource(w http.ResponseWriter, r *http.Request) {
+// 	var req createResourceRequest
+// 	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+// 		http.Error(w, "Invalid request body", http.StatusBadRequest)
+// 		return
+// 	}
+// 	if req.Name == "" {
+// 		http.Error(w, "Name is required", http.StatusBadRequest)
+// 		return
+// 	}
+// 	id, err := h.a.CreateResource(req.Name)
+// 	if err != nil {
+// 		http.Error(w, "Failed to create resource", http.StatusConflict)
+// 		return
+// 	}
+// 	w.WriteHeader(http.StatusCreated)
+// 	w.Header().Set("Content-Type", "application/json")
+// 	err = json.NewEncoder(w).Encode(createResourceResponse{
+// 		ID:   id,
+// 		Name: req.Name,
+// 	})
+// 	if err != nil {
+// 		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+// 		return
+// 	}
+// }
+
+// func (h *aclAdminHandler) assignResourceToRole(w http.ResponseWriter, r *http.Request) {
+// 	server.NotImplemented(w)
+// }
+
+// func (h *aclAdminHandler) getRoleResources(w http.ResponseWriter, r *http.Request) {
+// 	server.NotImplemented(w)
+// }
+
+// func (h *aclAdminHandler) removeResourceFromRole(w http.ResponseWriter, r *http.Request) {
+// 	server.NotImplemented(w)
+// }
--- a/api/acl_admin/resources.go
+++ b/api/acl_admin/resources.go
@@ -0,0 +1,224 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/go-chi/chi/v5"
+)
+
+// @Summary	Get all resources
+// @Tags		acl/resources
+// @Produce	json
+// @Success	200	{object}	getResourcesResponse
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/resources [get]
+func (h *aclAdminHandler) getResources(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	resources, err := h.a.GetResources()
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	type R struct {
+		ID  uint   `json:"id" example:"1"`
+		Key string `json:"key" example:"html.view"`
+	}
+
+	resp := make([]R, 0, len(resources))
+	for _, res := range resources {
+		resp = append(resp, R{ID: res.ID, Key: res.Key})
+	}
+
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// @Summary	Get resource by ID
+// @Tags		acl/resources
+// @Produce	json
+// @Param		resourceId	path		int	true	"Resource ID"	example(1)
+// @Success	200			{object}	getResourceResponse
+// @Failure	400			{object}	server.ProblemDetails
+// @Failure	404			{object}	server.ProblemDetails
+// @Failure	500			{object}	server.ProblemDetails
+// @Router		/api/acl/resources/{resourceId} [get]
+func (h *aclAdminHandler) getResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	resourceIDStr := chi.URLParam(r, "resourceId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+
+	resource, err := h.a.GetResourceByID(uint(resourceID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrResourceNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+resourceIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(getResourceResponse{
+		ID:  resource.ID,
+		Key: resource.Key,
+	})
+}
+
+// @Summary	Create resource
+// @Tags		acl/resources
+// @Accept		json
+// @Produce	json
+// @Param		request	body		createResourceRequest	true	"Resource"
+// @Success	201		{object}	createResourceResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	409		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/resources [post]
+func (h *aclAdminHandler) createResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req createResourceRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	resourceID, err := h.a.CreateResource(req.Key)
+	if err != nil {
+		slog.Error("Failed to create resource", "error", err)
+
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrInvalidResourceKey:
+			server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-key", "Invalid resource key", "Resource key must be non-empty", r)
+		case acl.ErrResourceAlreadyExists:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/resource-already-exists", "Resource already exists", "Resource '"+req.Key+"' already exists", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	_ = json.NewEncoder(w).Encode(createResourceResponse{
+		ID:  resourceID,
+		Key: req.Key,
+	})
+}
+
+// @Summary	Update resource
+// @Tags		acl/resources
+// @Accept		json
+// @Produce	json
+// @Param		resourceId	path		int						true	"Resource ID"	example(1)
+// @Param		request		body		updateResourceRequest	true	"Resource"
+// @Success	200			{object}	updateResourceResponse
+// @Failure	400			{object}	server.ProblemDetails
+// @Failure	404			{object}	server.ProblemDetails
+// @Failure	409			{object}	server.ProblemDetails
+// @Failure	500			{object}	server.ProblemDetails
+// @Router		/api/acl/resources/{resourceId} [patch]
+func (h *aclAdminHandler) updateResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req updateResourceRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	resourceIDStr := chi.URLParam(r, "resourceId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.UpdateResource(uint(resourceID), req.Key)
+	if err != nil {
+		slog.Error("Failed to update resource", "error", err)
+
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrInvalidResourceKey:
+			server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-key", "Invalid resource key", "Resource key must be non-empty", r)
+		case acl.ErrResourceNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+resourceIDStr, r)
+		case acl.ErrSameResourceKey:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/resource-key-already-exists", "Resource key already exists", "Resource key '"+req.Key+"' already exists", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(updateResourceResponse{
+		ID:  uint(resourceID),
+		Key: req.Key,
+	})
+}
+
+// @Summary	Delete resource
+// @Tags		acl/resources
+// @Produce	json
+// @Param		resourceId	path	int	true	"Resource ID"	example(1)
+// @Success	200
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	404	{object}	server.ProblemDetails
+// @Failure	409	{object}	server.ProblemDetails
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/resources/{resourceId} [delete]
+func (h *aclAdminHandler) deleteResource(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	resourceIDStr := chi.URLParam(r, "resourceId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.DeleteResource(uint(resourceID))
+	if err != nil {
+		slog.Error("Failed to delete resource", "error", err)
+
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "acl service is not initialized", r)
+		case acl.ErrResourceNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+resourceIDStr, r)
+		case acl.ErrResourceInUse:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/resource-in-use", "Resource in use", "Resource "+resourceIDStr+" is in use", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+}
--- a/api/acl_admin/resources_models.go
+++ b/api/acl_admin/resources_models.go
@@ -0,0 +1,39 @@
+package api_acladmin
+
+/*******************************************************************/
+// used in getResources()
+type getResourcesResponse []struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
+
+var _ getResourcesResponse // for documentation
+
+/*******************************************************************/
+// used in getResource()
+type getResourceResponse struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
+
+/*******************************************************************/
+// used in createResource()
+type createResourceRequest struct {
+	Key string `json:"key" example:"html.view"`
+}
+
+type createResourceResponse struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
+
+/*******************************************************************/
+// used in updateResource()
+type updateResourceRequest struct {
+	Key string `json:"key" example:"html.view"`
+}
+
+type updateResourceResponse struct {
+	ID  uint   `json:"id" example:"1"`
+	Key string `json:"key" example:"html.view"`
+}
--- a/api/acl_admin/roles.go
+++ b/api/acl_admin/roles.go
@@ -0,0 +1,391 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/go-chi/chi/v5"
+)
+
+// @Summary	Get all roles
+// @Tags		acl/roles
+// @Produce	json
+// @Success	200	{array}		getRolesResponse
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/roles [get]
+func (h *aclAdminHandler) getRoles(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roles, err := h.a.GetRoles()
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	type R struct {
+		ID   uint   `json:"id" example:"1"`
+		Name string `json:"name" example:"admin"`
+	}
+
+	resp := make([]R, 0, len(roles))
+	for _, role := range roles {
+		resp = append(resp, R{ID: role.ID, Name: role.Name})
+	}
+
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// @Summary	Get role by ID
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path		int	true	"Role ID"	example(1)
+// @Success	200		{object}	getRoleResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	404		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId} [get]
+func (h *aclAdminHandler) getRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	role, err := h.a.GetRoleByID(uint(roleID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(getRoleResponse{
+		ID:   role.ID,
+		Name: role.Name,
+	})
+}
+
+// @Summary	Get role users
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path		int	true	"Role ID"	example(1)
+// @Success	200		{array}		getRoleUsersResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	404		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId}/users [get]
+func (h *aclAdminHandler) getRoleUsers(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	role, err := h.a.GetRoleByID(uint(roleID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	if len(role.Users) == 0 {
+		server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-has-no-users", "Role has no users", "Role has no users", r)
+		return
+	}
+	var respUsers getRoleUsersResponse
+	for _, user := range role.Users {
+		respUsers = append(respUsers, getRoleUser{
+			ID:    user.ID,
+			Name:  user.Username,
+			Email: user.Email,
+		})
+	}
+	_ = json.NewEncoder(w).Encode(respUsers)
+}
+
+// @Summary	Get role resources
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path		int	true	"Role ID"	example(1)
+// @Success	200		{array}		getRoleResourcesResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	404		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId}/resources [get]
+func (h *aclAdminHandler) getRoleResources(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	role, err := h.a.GetRoleByID(uint(roleID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	if len(role.Resources) == 0 {
+		server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-has-no-users", "Role has no users", "Role has no users", r)
+		return
+	}
+	var respResources getRoleResourcesResponse
+	for _, user := range role.Resources {
+		respResources = append(respResources, getRoleResource{
+			ID:   user.ID,
+			Name: user.Key,
+		})
+	}
+	_ = json.NewEncoder(w).Encode(respResources)
+}
+
+// @Summary	Create role
+// @Tags		acl/roles
+// @Accept		json
+// @Produce	json
+// @Param		request	body		createRoleRequest	true	"Role"
+// @Success	201		{object}	createRoleResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	409		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/roles [post]
+func (h *aclAdminHandler) createRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req createRoleRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	roleID, err := h.a.CreateRole(req.Name)
+	if err != nil {
+		slog.Error("Failed to create role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrInvalidRoleName:
+			server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-name", "Invalid role name", "Role name must be non-empty", r)
+		case acl.ErrRoleAlreadyExists:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/role-already-exists", "Role already exists", "Role '"+req.Name+"' already exists", r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	_ = json.NewEncoder(w).Encode(createRoleResponse{
+		ID:   roleID,
+		Name: req.Name,
+	})
+}
+
+// @Summary	Update role
+// @Tags		acl/roles
+// @Accept		json
+// @Produce	json
+// @Param		roleId	path		int					true	"Role ID"	example(1)
+// @Param		request	body		updateRoleRequest	true	"Role"
+// @Success	200		{object}	updateRoleResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	404		{object}	server.ProblemDetails
+// @Failure	409		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId} [patch]
+func (h *aclAdminHandler) updateRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+
+	var req updateRoleRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.UpdateRole(uint(roleID), req.Name)
+	if err != nil {
+		slog.Error("Failed to update role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrInvalidRoleName:
+			server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-name", "Invalid role name", "Role name must be non-empty", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrSameRoleName:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/role-name-already-exists", "Role name already exists", "Role '"+req.Name+"' already exists", r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	_ = json.NewEncoder(w).Encode(updateRoleResponse{
+		ID:   uint(roleID),
+		Name: req.Name,
+	})
+}
+
+// @Summary	Delete role
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path	int	true	"Role ID"	example(1)
+// @Success	204
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	404	{object}	server.ProblemDetails
+// @Failure	409	{object}	server.ProblemDetails
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId} [delete]
+func (h *aclAdminHandler) deleteRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+
+	err = h.a.DeleteRole(uint(roleID))
+	if err != nil {
+		slog.Error("Failed to delete role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrRoleInUse:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/role-in-use", "Role in use", "Role "+roleIDStr+" is assigned to at least one user and cannot be deleted", r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	w.WriteHeader(http.StatusNoContent)
+}
+
+// @Summary	Assign resource to role
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path	int							true	"Role ID"	example(1)
+// @Param		request	body	assignResourceToRoleRequest	true	"Resource"
+// @Success	201
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	404	{object}	server.ProblemDetails
+// @Failure	409	{object}	server.ProblemDetails
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId}/resources [post]
+func (h *aclAdminHandler) assignResourceToRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	var req assignResourceToRoleRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-request-body", "Invalid request body", "Invalid JSON body", r)
+		return
+	}
+	if err := h.a.AssignResourceToRole(uint(roleID), req.ResourceID); err != nil {
+		slog.Error("Failed to assign resource to role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrResourceNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+strconv.Itoa(int(req.ResourceID)), r)
+		case acl.ErrResourceAlreadyAssigned:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/resource-already-assigned", "Resource already assigned", "Resource with ID "+strconv.Itoa(int(req.ResourceID))+" is already assigned to role with ID "+roleIDStr, r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
+
+// @Summary	Remove resource from role
+// @Tags		acl/roles
+// @Produce	json
+// @Param		roleId	path	int	true	"Role ID"		example(1)
+// @Param		resId	path	int	true	"Resource ID"	example(1)
+// @Success	204
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	404	{object}	server.ProblemDetails
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/roles/{roleId}/resources/{resId} [delete]
+func (h *aclAdminHandler) removeResourceFromRole(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	resourceIDStr := chi.URLParam(r, "resId")
+	resourceID, err := strconv.Atoi(resourceIDStr)
+	if err != nil || resourceID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-resource-id", "Invalid resource ID", "Resource ID must be positive integer", r)
+		return
+	}
+	if err := h.a.RemoveResourceFromRole(uint(roleID), uint(resourceID)); err != nil {
+		slog.Error("Failed to remove resource from role", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-not-found", "Role not found", "No role with ID "+roleIDStr, r)
+		case acl.ErrResourceNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/resource-not-found", "Resource not found", "No resource with ID "+strconv.Itoa(int(resourceID)), r)
+		case acl.ErrRoleResourceNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/role-resource-not-found", "Role resource not found", "No role-resource pair with role ID "+roleIDStr+" and resource ID "+strconv.Itoa(int(resourceID)), r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
--- a/api/acl_admin/roles_models.go
+++ b/api/acl_admin/roles_models.go
@@ -0,0 +1,62 @@
+package api_acladmin
+
+/*******************************************************************/
+// used in getRoles()
+type getRolesResponse []struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+var _ getRolesResponse
+
+/*******************************************************************/
+// used in getRole()
+type getRoleResponse struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+/*******************************************************************/
+// used in getRoleUsers()
+type getRoleUser struct {
+	ID    uint   `json:"id" example:"1"`
+	Name  string `json:"username" example:"admin"`
+	Email string `json:"email" example:"admin@triggerssmith.com"`
+}
+type getRoleUsersResponse []getRoleUser
+
+/*******************************************************************/
+// used in getRoleResources()
+type getRoleResource struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"*"`
+}
+type getRoleResourcesResponse []getRoleResource
+
+/*******************************************************************/
+// used in createRole()
+type createRoleRequest struct {
+	Name string `json:"name" example:"admin"`
+}
+
+type createRoleResponse struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+/*******************************************************************/
+// used in updateRole()
+type updateRoleRequest struct {
+	Name string `json:"name" example:"admin"`
+}
+
+type updateRoleResponse struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"admin"`
+}
+
+/*******************************************************************/
+// used in assignResourceToRole()
+type assignResourceToRoleRequest struct {
+	ResourceID uint `json:"resourceId" example:"1"`
+}
--- a/api/acl_admin/users.go
+++ b/api/acl_admin/users.go
@@ -0,0 +1,137 @@
+package api_acladmin
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+	"strconv"
+
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/go-chi/chi/v5"
+)
+
+// @Summary	Get user roles by user ID
+// @Tags		acl/users
+// @Produce	json
+// @Param		userId	path		int	true	"User ID"	example(1)
+// @Success	200		{object}	getUserRolesResponse
+// @Failure	400		{object}	server.ProblemDetails
+// @Failure	404		{object}	server.ProblemDetails
+// @Failure	500		{object}	server.ProblemDetails
+// @Router		/api/acl/users/{userId}/roles [get]
+func (h *aclAdminHandler) getUserRoles(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	userIDStr := chi.URLParam(r, "userId")
+	userID, err := strconv.Atoi(userIDStr)
+	if err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-user-id", "Invalid user ID", "User ID must be positive integer", r)
+		return
+	}
+	roles, err := h.a.GetUserRoles(uint(userID))
+	if err != nil {
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrUserNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/user-not-found", "User not found", "User not found", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/no-role-found", "No role found", "No role found for user "+strconv.Itoa(userID), r)
+		default:
+			slog.Error("unexpected server error", "error", err.Error())
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	resp := make(getUserRolesResponse, 0, len(roles))
+	for _, role := range roles {
+		resp = append(resp, getUserRole{ID: role.ID, Name: role.Name})
+	}
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
+// @Summary	Assign role to user
+// @Tags		acl/users
+// @Produce	json
+// @Param		userId	path	int						true	"User ID"	example(1)
+// @Param		body	body	assignRoleToUserRequest	true	"Role ID"
+// @Success	201
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	404	{object}	server.ProblemDetails
+// @Failure	409	{object}	server.ProblemDetails
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/users/{userId}/roles [post]
+func (h *aclAdminHandler) assignRoleToUser(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	userIDStr := chi.URLParam(r, "userId")
+	userID, err := strconv.Atoi(userIDStr)
+	if err != nil || userID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-user-id", "Invalid user ID", "User ID must be positive integer", r)
+		return
+	}
+	var req assignRoleToUserRequest
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-request-body", "Invalid request body", "Invalid JSON body", r)
+		return
+	}
+	if err := h.a.AssignRoleToUser(req.RoleID, uint(userID)); err != nil {
+		slog.Error("Failed to assign role to user", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrUserNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/user-not-found", "User not found", "User not found", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/no-role-found", "No role found", "No role found for user "+strconv.Itoa(userID), r)
+		case acl.ErrRoleAlreadyAssigned:
+			server.WriteProblem(w, http.StatusConflict, "/errors/acl/role-already-assigned", "Role already assigned", "Role with ID "+strconv.Itoa(int(req.RoleID))+" is already assigned to user "+strconv.Itoa(userID), r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
+
+// @Summary	Remove role from user
+// @Tags		acl/users
+// @Produce	json
+// @Param		userId	path	int	true	"User ID"	example(1)
+// @Param		roleId	path	int	true	"Role ID"	example(1)
+// @Success	204
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	404	{object}	server.ProblemDetails
+// @Failure	500	{object}	server.ProblemDetails
+// @Router		/api/acl/users/{userId}/roles/{roleId} [delete]
+func (h *aclAdminHandler) removeRoleFromUser(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	userIDStr := chi.URLParam(r, "userId")
+	userID, err := strconv.Atoi(userIDStr)
+	if err != nil || userID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-user-id", "Invalid user ID", "User ID must be positive integer", r)
+		return
+	}
+	roleIDStr := chi.URLParam(r, "roleId")
+	roleID, err := strconv.Atoi(roleIDStr)
+	if err != nil || roleID < 0 {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/acl/invalid-role-id", "Invalid role ID", "Role ID must be positive integer", r)
+		return
+	}
+	err = h.a.RemoveRoleFromUser(uint(roleID), uint(userID))
+	if err != nil {
+		slog.Error("Failed to remove role from user", "error", err.Error())
+		switch err {
+		case acl.ErrNotInitialized:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "ACL service is not initialized", r)
+		case acl.ErrUserNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/user-not-found", "User not found", "User not found", r)
+		case acl.ErrRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/no-role-found", "No role found", "No role found for user "+strconv.Itoa(userID), r)
+		case acl.ErrUserRoleNotFound:
+			server.WriteProblem(w, http.StatusNotFound, "/errors/acl/user-role-not-found", "User role not found", "User "+strconv.Itoa(userID)+" does not have role "+strconv.Itoa(roleID), r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+	}
+	w.WriteHeader(http.StatusNoContent)
+}
--- a/api/acl_admin/users_models.go
+++ b/api/acl_admin/users_models.go
@@ -0,0 +1,16 @@
+package api_acladmin
+
+/*******************************************************************/
+// used in getUserRoles()
+type getUserRole struct {
+	ID   uint   `json:"id" example:"1"`
+	Name string `json:"name" example:"*"`
+}
+
+type getUserRolesResponse []getUserRole
+
+/*******************************************************************/
+// used in assignRoleToUser()
+type assignRoleToUserRequest struct {
+	RoleID uint `json:"roleId" example:"1"`
+}
--- a/api/auth/errors.go
+++ b/api/auth/errors.go
@@ -0,0 +1,7 @@
+package api_auth
+
+const (
+	ErrorInvalidCredentials = "INVALID_CREDENTIALS"
+	ErrorInvalidToken       = "INVALID_TOKEN"
+	ErrorExpiredToken       = "EXPIRED_TOKEN"
+)
--- a/api/auth/get_user_data.go
+++ b/api/auth/get_user_data.go
@@ -0,0 +1,35 @@
+package api_auth
+
+import (
+	"encoding/json"
+	"net/http"
+)
+
+type GetUserDataResponse struct {
+	UserID   uint   `json:"id"`
+	Username string `json:"username"`
+	Email    string `json:"email"`
+}
+
+func (h *authHandler) handleGetUserData(w http.ResponseWriter, r *http.Request) {
+	by := r.URL.Query().Get("by")
+	value := r.URL.Query().Get("value")
+	if value == "" {
+		value = r.URL.Query().Get(by)
+	}
+	user, err := h.a.Get(by, value)
+	if err != nil {
+		http.Error(w, "Failed to get user", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(meResponse{
+		UserID:   user.ID,
+		Username: user.Username,
+		Email:    user.Email,
+	})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+}
--- a/api/auth/handle.go
+++ b/api/auth/handle.go
@@ -4,34 +4,52 @@ package api_auth

 import (
 	"net/http"
+	"time"

+	"git.oblat.lv/alex/triggerssmith/internal/auth"
 	"git.oblat.lv/alex/triggerssmith/internal/config"
 	"github.com/go-chi/chi/v5"
 )

-type authHandler struct {
-	cfg *config.Config
+func setRefreshCookie(w http.ResponseWriter, token string, ttl time.Duration, secure bool) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    token,
+		Path:     "/api/auth/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		MaxAge:   int(ttl.Seconds()),
+		Secure:   secure,
+	})
 }

-func MustRoute(config *config.Config) func(chi.Router) {
+type authHandler struct {
+	cfg *config.Config
+	a   *auth.Service
+}
+
+func MustRoute(config *config.Config, authService *auth.Service) func(chi.Router) {
 	if config == nil {
 		panic("config is nil")
 	}
+	if authService == nil {
+		panic("authService is nil")
+	}
 	h := &authHandler{
 		cfg: config,
+		a:   authService,
 	}
 	return func(r chi.Router) {
-		r.Get("/login", h.handleLogin)
-		r.Get("/logout", h.handleLogout)
-		r.Get("/me", h.handleMe)
-		r.Get("/revoke", h.handleRevoke)
+		r.Get("/getUserData", h.handleGetUserData) // legacy support
+
+		r.Post("/register", h.handleRegister)
+		r.Post("/login", h.handleLogin)
+		r.Post("/logout", h.handleLogout)   // !requires authentication
+		r.Post("/refresh", h.handleRefresh) // !requires authentication
+
+		r.Get("/me", h.handleMe) // !requires authentication
+		r.Get("/get-user-data", h.handleGetUserData)
+
+		r.Post("/revoke", h.handleRevoke) // not implemented
 	}
 }
-
-func (h *authHandler) handleLogin(w http.ResponseWriter, r *http.Request) {}
-
-func (h *authHandler) handleLogout(w http.ResponseWriter, r *http.Request) {}
-
-func (h *authHandler) handleMe(w http.ResponseWriter, r *http.Request) {}
-
-func (h *authHandler) handleRevoke(w http.ResponseWriter, r *http.Request) {}
--- a/api/auth/login.go
+++ b/api/auth/login.go
@@ -0,0 +1,55 @@
+package api_auth
+
+import (
+	"encoding/json"
+	"fmt"
+	"log/slog"
+	"net/http"
+
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+)
+
+type loginRequest struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+type loginResponse struct {
+	Token string `json:"accessToken"`
+}
+
+// @Summary	Login
+// @Tags		auth
+// @Produce	json
+// @Param		request	body	loginRequest	true	"Login request"
+// @Success	200		{object}	loginResponse
+// @Failure	400	{object}	server.ProblemDetails
+// @Failure	401	{object}	server.ProblemDetails
+// @Router 	/api/auth/login [post]
+func (h *authHandler) handleLogin(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/json")
+	var req loginRequest
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		server.WriteProblem(w, http.StatusBadRequest, "/errors/invalid-request-body", "Invalid request body", "Body is not valid JSON", r)
+		return
+	}
+
+	tokens, err := h.a.Login(req.Username, req.Password)
+	if err != nil {
+		slog.Error("Login failed", "error", err.Error())
+		switch err {
+		case auth.ErrInvalidUsername:
+			server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/invalid-credentials", "Invalid credentials", fmt.Sprintf("User with username %s not found", req.Username), r)
+		case auth.ErrInvalidPassword:
+			server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/invalid-credentials", "Invalid credentials", fmt.Sprintf("Invalid password for user %s", req.Username), r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error", r)
+		}
+		return
+	}
+
+	setRefreshCookie(w, tokens.Refresh, h.cfg.Auth.RefreshTokenTTL, false)
+	_ = json.NewEncoder(w).Encode(loginResponse{Token: tokens.Access})
+}
--- a/api/auth/logout.go
+++ b/api/auth/logout.go
@@ -0,0 +1,82 @@
+package api_auth
+
+import (
+	"errors"
+	"fmt"
+	"log/slog"
+	"net/http"
+
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"github.com/golang-jwt/jwt/v5"
+)
+
+// @Summary Logout
+// @Description Requires valid refresh token
+// @Tags auth
+// @Success 204
+// @Failure 401 {object} server.ProblemDetails
+// @Failure 500 {object} server.ProblemDetails
+// @Router /api/auth/logout [post]
+func (h *authHandler) handleLogout(w http.ResponseWriter, r *http.Request) {
+	// claims, err := h.a.AuthenticateRequest(r)
+	// if err != nil {
+	// 	slog.Error("failed to AuthenticateRequest", "error", err.Error())
+	// 	switch err {
+	// 	case auth.ErrInvalidToken:
+	// 		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/invalid-token", "Invalid token", "Invalid token: taking cookies anyways", r)
+	// 	case auth.ErrTokenIsMissing:
+	// 		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/invalid-token", "Invalid token", "Token is missing: taking cookies anyway", r)
+	// 	default:
+	// 		server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error: taking cookies anyway", r)
+	// 	}
+	// 	http.SetCookie(w, &http.Cookie{
+	// 		Name:     "refresh_token",
+	// 		Value:    "",
+	// 		MaxAge:   -1,
+	// 		Path:     "/api/auth/",
+	// 		HttpOnly: true,
+	// 		SameSite: http.SameSiteLaxMode,
+	// 	})
+	// 	return
+	// }
+	// rjti := claims.(jwt.MapClaims)["rjti"].(string)
+	refreshCookie, err := r.Cookie("refresh_token")
+	if err != nil && errors.Is(err, http.ErrNoCookie) {
+		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-not-found", "Refresh token is missing", "Refresh token is missing", r)
+		return
+	}
+	refreshStr := refreshCookie.Value
+	if refreshStr == "" {
+		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-not-found", "Refresh token is missing", "Refresh token is missing", r)
+		return
+	}
+	claims, err := h.a.ValidateRefreshToken(refreshStr)
+	if err != nil {
+		slog.Error("failed to ValidateRefreshToken", "error", err.Error())
+		server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error while validating refresh token: maybe invalid", r)
+		return
+	}
+	rjti := claims.(jwt.MapClaims)["jti"].(string)
+	err = h.a.Logout(rjti)
+	if err != nil {
+		slog.Error("failed to Logout", "error", err.Error())
+		switch err {
+		case auth.ErrInvalidToken:
+			server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/already-revoked", "Token already revoked", fmt.Sprintf("Token with rjti '%s' is already revoked", rjti), r)
+		default:
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error: taking cookies anyway", r)
+		}
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    "",
+		MaxAge:   -1,
+		Path:     "/api/auth/",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+	if err == nil {
+		w.WriteHeader(http.StatusNoContent)
+	}
+}
--- a/api/auth/me.go
+++ b/api/auth/me.go
@@ -0,0 +1,42 @@
+package api_auth
+
+import (
+	"net/http"
+
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+)
+
+type meResponse struct {
+	UserID   uint   `json:"id"`
+	Username string `json:"username"`
+	Email    string `json:"email"`
+}
+
+func (h *authHandler) handleMe(w http.ResponseWriter, r *http.Request) {
+	server.NotImplemented(w)
+	// refresh_token_cookie, err := r.Cookie("refresh_token")
+	// if err != nil {
+	// 	w.WriteHeader(http.StatusUnauthorized)
+	// 	return
+	// }
+	// userID, err := h.a.ValidateRefreshToken(refresh_token_cookie.Value)
+	// if err != nil {
+	// 	w.WriteHeader(http.StatusUnauthorized)
+	// 	return
+	// }
+	// user, err := h.a.Get("id", fmt.Sprint(userID))
+	// if err != nil {
+	// 	http.Error(w, "Failed to get user", http.StatusInternalServerError)
+	// 	return
+	// }
+	// w.Header().Set("Content-Type", "application/json")
+	// err = json.NewEncoder(w).Encode(meResponse{
+	// 	UserID:   user.ID,
+	// 	Username: user.Username,
+	// 	Email:    user.Email,
+	// })
+	// if err != nil {
+	// 	http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+	// 	return
+	// }
+}
--- a/api/auth/refresh.go
+++ b/api/auth/refresh.go
@@ -0,0 +1,56 @@
+package api_auth
+
+import (
+	"encoding/json"
+	"errors"
+	"net/http"
+
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+)
+
+type refreshResponse struct {
+	Access string `json:"accessToken"`
+}
+
+// @Summary Refresh tokens
+// @Description Requires valid HttpOnly refresh_token cookie
+// @Tags auth
+// @Produce json
+// @Security RefreshCookieAuth
+// @Success 200 {object} refreshResponse
+// @Failure 401 {object} server.ProblemDetails
+// @Failure 500 {object} server.ProblemDetails
+// @Router /api/auth/refresh [post]
+func (h *authHandler) handleRefresh(w http.ResponseWriter, r *http.Request) {
+	refreshCookie, err := r.Cookie("refresh_token")
+	if err != nil && errors.Is(err, http.ErrNoCookie) {
+		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-not-found", "Refresh token is missing", "Refresh token is missing", r)
+		return
+	}
+	refreshStr := refreshCookie.Value
+	if refreshStr == "" {
+		server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-not-found", "Refresh token is missing", "Refresh token is missing", r)
+		return
+	}
+	tokens, err := h.a.RefreshTokens(refreshStr)
+	if err != nil {
+		if errors.Is(err, auth.ErrInvalidToken) {
+			server.WriteProblem(w, http.StatusUnauthorized, "/errors/auth/refresh-token-invalid", "Refresh token is invalid", "Refresh token is invalid", r)
+		} else {
+			server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "unexpected error: taking cookies anyway", r)
+		}
+		return
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refresh_token",
+		Value:    tokens.Refresh,
+		MaxAge:   3600,
+		Path:     "/api/auth/refresh",
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+	var resp refreshResponse
+	resp.Access = tokens.Access
+	_ = json.NewEncoder(w).Encode(resp)
+}
--- a/api/auth/register.go
+++ b/api/auth/register.go
@@ -0,0 +1,45 @@
+package api_auth
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+)
+
+type registerRequest struct {
+	Username string `json:"username"`
+	Email    string `json:"email"`
+	Password string `json:"password"`
+}
+
+type registerResponse struct {
+	UserID   uint   `json:"id"`
+	Username string `json:"username"`
+}
+
+func (h *authHandler) handleRegister(w http.ResponseWriter, r *http.Request) {
+	var req registerRequest
+	err := json.NewDecoder(r.Body).Decode(&req)
+	if err != nil {
+		http.Error(w, "Invalid request payload", http.StatusBadRequest)
+		return
+	}
+
+	user, err := h.a.Register(req.Username, req.Email, req.Password)
+	if err != nil {
+		slog.Error("Failed to register user", "error", err)
+		http.Error(w, "Registration failed", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(registerResponse{
+		UserID:   user.ID,
+		Username: user.Username,
+	})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
--- a/api/auth/revoke.go
+++ b/api/auth/revoke.go
@@ -0,0 +1,11 @@
+package api_auth
+
+import (
+	"net/http"
+
+	"git.oblat.lv/alex/triggerssmith/internal/server"
+)
+
+func (h *authHandler) handleRevoke(w http.ResponseWriter, r *http.Request) {
+	server.NotImplemented(w)
+}
--- a/api/block/handle.go
+++ b/api/block/handle.go
@@ -16,6 +16,7 @@ import (
 	"path/filepath"

 	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
 	"github.com/go-chi/chi/v5"
 )

@@ -41,16 +42,26 @@ func MustRoute(config *config.Config) func(chi.Router) {
 	}
 }

+// @Summary	Get block
+// @Tags		block
+// @Produce	json
+// @Param blockPath	path		string	true	"Block Path"	example(menu)
+// @Success	200			{object}	Block
+// @Failure	403			{object}	server.ProblemDetails
+// @Failure	404			{object}	server.ProblemDetails
+// @Failure	500			{object}	server.ProblemDetails
+// @Router		/api/block/{blockPath} [get]
 func (h *blockHandler) handleBlock(w http.ResponseWriter, r *http.Request) {
 	if !h.cfg.Server.BlockConfig.Enabled {
-		http.Error(w, "Block serving is disabled", http.StatusForbidden)
+		server.WriteProblem(w, http.StatusForbidden, "/errors/block/block-serving-disabled", "Block serving is disabled", "Block serving is disabled", r)
 		return
 	}

 	blockPath := r.URL.Path[len("/api/block/"):]
 	block, err := LoadBlock(blockPath, h.cfg)
 	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
+		slog.Error("failed to load block", slog.String("path", blockPath), slog.String("err", err.Error()))
+		server.WriteProblem(w, http.StatusInternalServerError, "/errors/internal-server-error", "Internal Server Error", "failed to load block", r)
 		return
 	}
 	w.Header().Set("Content-Type", "application/json")
--- a/api/router.go
+++ b/api/router.go
@@ -8,31 +8,59 @@ import (
 	"path/filepath"
 	"time"

-	"git.oblat.lv/alex/triggerssmith/api/auth"
-	"git.oblat.lv/alex/triggerssmith/api/block"
+	api_acladmin "git.oblat.lv/alex/triggerssmith/api/acl_admin"
+	api_auth "git.oblat.lv/alex/triggerssmith/api/auth"
+	api_block "git.oblat.lv/alex/triggerssmith/api/block"
+	_ "git.oblat.lv/alex/triggerssmith/docs"
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
 	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/server"
 	"git.oblat.lv/alex/triggerssmith/internal/vars"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
+	httpSwagger "github.com/swaggo/http-swagger"
 )

 type Router struct {
 	r chi.Router

 	cfg *config.Config
+
+	authService *auth.Service
+
+	aclService *acl.Service
 }

-func NewRouter(cfg *config.Config) *Router {
+type RouterDependencies struct {
+	AuthService   *auth.Service
+	Configuration *config.Config
+	ACLService    *acl.Service
+}
+
+func NewRouter(deps RouterDependencies) *Router {
+	if deps.AuthService == nil {
+		panic("AuthService is required")
+	}
+	if deps.Configuration == nil {
+		panic("Configuration is required")
+	}
+	if deps.ACLService == nil {
+		panic("ACLService is required")
+	}
 	r := chi.NewRouter()
 	return &Router{
 		r:           r,
-		cfg: cfg,
+		cfg:         deps.Configuration,
+		authService: deps.AuthService,
+		aclService:  deps.ACLService,
 	}
 }

 // RouteHandler sets up the routes and middleware for the router.
 // TODO: implement hot reload for static files enabled/disabled
 func (r *Router) MustRoute() chi.Router {
+	r.r.Use(middleware.RealIP)
 	r.r.Use(middleware.Logger)
 	r.r.Use(middleware.Recoverer)
 	r.r.Use(middleware.Timeout(r.cfg.Server.TimeoutSeconds))
@@ -42,7 +70,7 @@ func (r *Router) MustRoute() chi.Router {
 			slog.String("dir", r.cfg.Server.StaticConfig.Dir),
 			slog.String("index_file", r.cfg.Server.StaticConfig.IndexFile),
 		)
-		r.r.Get("/", func(w http.ResponseWriter, req *http.Request) {
+		r.r.Get("/*", func(w http.ResponseWriter, req *http.Request) {
 			http.ServeFile(w, req, filepath.Join(r.cfg.Server.StaticConfig.Dir, r.cfg.Server.StaticConfig.IndexFile))
 		})
 		fs := http.FileServer(http.Dir(r.cfg.Server.StaticConfig.Dir))
@@ -58,8 +86,16 @@ func (r *Router) MustRoute() chi.Router {
 	}

 	r.r.Route("/api", func(api chi.Router) {
+		api.Get("/swagger/*", httpSwagger.Handler(
+			httpSwagger.URL("/api/swagger/doc.json"),
+		))
 		api.Route("/block", api_block.MustRoute(r.cfg))
-		api.Route("/auth", api_auth.MustRoute(r.cfg))
+		authRoute := api_auth.MustRoute(r.cfg, r.authService)
+		api.Route("/auth", authRoute)
+		//api.Route("/users", authRoute) // legacy support
+		aclAdminRoute := api_acladmin.MustRoute(r.cfg, r.aclService, r.authService)
+		api.Route("/acl", aclAdminRoute)
+		api.Route("/acl-admin", aclAdminRoute) // legacy support
 	})

 	r.r.Get("/health", func(w http.ResponseWriter, r *http.Request) {
@@ -72,6 +108,14 @@ func (r *Router) MustRoute() chi.Router {
 		})
 		w.Write([]byte(b))
 	})
+	r.r.NotFound(func(w http.ResponseWriter, req *http.Request) {
+		w.Header().Set("Content-Type", "application/problem+json")
+		server.WriteProblem(w, http.StatusNotFound, "/errors/not-found", "Not found", "Requested page not found", req)
+	})
+	r.r.MethodNotAllowed(func(w http.ResponseWriter, req *http.Request) {
+		w.Header().Set("Content-Type", "application/problem+json")
+		server.WriteProblem(w, http.StatusMethodNotAllowed, "/errors/method-not-allowed", "Method not allowed", "Requested method not allowed", req)
+	})
 	//r.r.Handle("/invoke/function/{function_id}/{function_version}", invoke.InvokeHandler(r.cfg))
 	return r.r
 }
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -12,17 +12,25 @@ import (
 	"time"

 	"git.oblat.lv/alex/triggerssmith/api"
+	"git.oblat.lv/alex/triggerssmith/internal/acl"
 	application "git.oblat.lv/alex/triggerssmith/internal/app"
+	"git.oblat.lv/alex/triggerssmith/internal/auth"
 	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/jwt"
 	"git.oblat.lv/alex/triggerssmith/internal/server"
+	"git.oblat.lv/alex/triggerssmith/internal/token"
+	"git.oblat.lv/alex/triggerssmith/internal/user"
 	"git.oblat.lv/alex/triggerssmith/internal/vars"
 	"github.com/spf13/cobra"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
 )

 var optsServeCmd = struct {
 	ConfigPath    *string
 	Debug         *bool
 	HideGreetings *bool
+	NoPIDFile     *bool
 }{}

 // // simple middleware for request logging
@@ -92,17 +100,15 @@ var serveCmd = &cobra.Command{
 				} else {
 					defer f.Close()
 					slog.Debug("flushing stack in to panic.log")
-					fmt.Fprintln(f, "\n--------------------------------------------------------\n")
+					fmt.Fprintf(f, "\n--------------------------------------------------------\n")
 					fmt.Fprintf(f, "Time: %s\n", time.Now().Format(time.RFC3339))
 					fmt.Fprintln(f, "If this is unexpected, please report: https://git.oblat.lv/alex/triggerssmith/issues")
-					fmt.Fprintln(f, "\n--------------------------------------------------------\n")
+					fmt.Fprintf(f, "\n--------------------------------------------------------\n")
 					fmt.Fprintf(f, "Panic: %v\n", r)
 					f.Write(stack)
 					f.WriteString("\n\n")
-				}
-
 					slog.Error("Application panicked: the stack is flushed to disk", slog.Any("error", r))
-
+				}
 				os.Exit(-1)
 			}
 		}()
@@ -114,6 +120,7 @@ var serveCmd = &cobra.Command{
 			slog.SetDefault(slog.New(slog.NewTextHandler(cmd.OutOrStdout(), &slog.HandlerOptions{Level: slog.LevelInfo})))
 		}

+		if !*optsServeCmd.NoPIDFile {
 			pid := os.Getpid()
 			slog.Debug("Starting server", slog.Int("pid", pid))
 			if err := writePID(vars.PID_PATH); err != nil {
@@ -121,6 +128,9 @@ var serveCmd = &cobra.Command{
 			}
 			slog.Debug("created pid file", slog.String("path", vars.PID_PATH))
 			defer os.Remove(vars.PID_PATH)
+		} else {
+			slog.Warn("Starting server without PID file as requested by --no-pidfile flag: this may complicate process management")
+		}

 		// load config
 		slog.Debug("Reading configuration", slog.String("path", *optsServeCmd.ConfigPath))
@@ -140,16 +150,111 @@ var serveCmd = &cobra.Command{
 		app.LoadConfiguration(cfg)

 		srv := app.Server()
-		//mux := http.NewServeMux()

-		// static files
-		// staticPath := cfg.Server.StaticFilesPath
-		// slog.Debug("Setting up static file server", slog.String("path", staticPath))
-		// fs := http.FileServer(http.Dir(staticPath))
-		// mux.Handle("/static/", http.StripPrefix("/static/", fs))
-		// handler := loggingMiddleware(mux)
+		// Services initialization
+		var jwtSigner jwt.Signer
+		// TODO: support more signing algorithms
+		//     : support hot config reload for signing alg and secret
+		switch cfg.Auth.SignAlg {
+		case "HS256":
+			secretBytes, err := os.ReadFile(cfg.Auth.HMACSecretPath)
+			if err != nil {
+				slog.Error("Failed to read HMAC secret file", slog.String("path", cfg.Auth.HMACSecretPath), slog.String("error", err.Error()))
+				return
+			}
+			jwtSigner = jwt.NewHMACSigner(secretBytes)
+		default:
+			slog.Error("Unsupported JWT signing algorithm", slog.String("alg", cfg.Auth.SignAlg))
+			return
+		}
+		jwtService := jwt.NewService(jwtSigner)

-		router := api.NewRouter(cfg)
+		err = os.MkdirAll(cfg.Data.DataPath, 0755)
+		if err != nil {
+			slog.Error("Failed to create data directory", slog.String("path", cfg.Data.DataPath), slog.String("error", err.Error()))
+			return
+		}
+
+		tokenDb, err := gorm.Open(sqlite.Open(filepath.Join(cfg.Data.DataPath, "tokens.sqlite3")), &gorm.Config{})
+		if err != nil {
+			slog.Error("Failed to open token database", slog.String("error", err.Error()))
+			return
+		}
+		// err = tokenDb.AutoMigrate(&token.Token{})
+		// if err != nil {
+		// 	slog.Error("Failed to migrate token database", slog.String("error", err.Error()))
+		// 	return
+		// }
+		tokenStore, err := token.NewSQLiteTokenStore(tokenDb)
+		if err != nil {
+			slog.Error("Failed to create token store", slog.String("error", err.Error()))
+			return
+		}
+		tokenService, err := token.NewTokenService(&cfg.Auth, tokenStore)
+		if err != nil {
+			slog.Error("Failed to create token service", slog.String("error", err.Error()))
+			return
+		}
+		err = tokenService.Init()
+		if err != nil {
+			slog.Error("Failed to initialize token service", slog.String("error", err.Error()))
+			return
+		}
+
+		// also acl !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+		userData, err := gorm.Open(sqlite.Open(filepath.Join(cfg.Data.DataPath, "user_data.sqlite3")+"?_foreign_keys=on"), &gorm.Config{})
+		if err != nil {
+			slog.Error("Failed to open user database", slog.String("error", err.Error()))
+			return
+		}
+		// err =
+		// if err != nil {
+		// 	slog.Error("Failed to migrate user database", slog.String("error", err.Error()))
+		// 	return
+		// }
+		userStore, err := user.NewGormUserStore(userData)
+		if err != nil {
+			slog.Error("Failed to create user store", slog.String("error", err.Error()))
+			return
+		}
+		userService, err := user.NewService(userStore)
+		if err != nil {
+			slog.Error("Failed to create user service", slog.String("error", err.Error()))
+			return
+		}
+		err = userService.Init()
+		if err != nil {
+			slog.Error("Failed to initialize user service", slog.String("error", err.Error()))
+			return
+		}
+		aclService, err := acl.NewService(userData)
+		if err != nil {
+			slog.Error("Failed to create acl service", slog.String("error", err.Error()))
+			return
+		}
+		err = aclService.Init()
+		if err != nil {
+			slog.Error("Failed to initialize acl service", slog.String("error", err.Error()))
+			return
+		}
+
+		authService, err := auth.NewAuthService(auth.AuthServiceDependencies{
+			Configuration: cfg,
+
+			JWTService:   jwtService,
+			UserService:  userService,
+			TokenService: tokenService,
+		})
+		if err != nil {
+			slog.Error("Failed to create auth service", slog.String("error", err.Error()))
+			return
+		}
+
+		router := api.NewRouter(api.RouterDependencies{
+			AuthService:   authService,
+			Configuration: cfg,
+			ACLService:    aclService,
+		})

 		srv.SetHandler(router.MustRoute())
 		srv.Init()
@@ -211,5 +316,6 @@ func init() {
 	optsServeCmd.Debug = serveCmd.Flags().BoolP("debug", "d", false, "Enable debug logs")
 	optsServeCmd.ConfigPath = serveCmd.Flags().StringP("config", "c", "config.yaml", "Path to configuration file")
 	optsServeCmd.HideGreetings = serveCmd.Flags().BoolP("hide-greetings", "g", false, "Hide the welcome message and version when starting the server")
+	optsServeCmd.NoPIDFile = serveCmd.Flags().BoolP("no-pidfile", "p", false, "Do not write a PID file")
 	rootCmd.AddCommand(serveCmd)
 }
--- a/go.mod
+++ b/go.mod
@@ -5,12 +5,33 @@ go 1.24.9
 require (
 	github.com/akyaiy/GSfass/core v0.0.0-20251115194535-2b7489bfc204
 	github.com/spf13/cobra v1.10.1
+	github.com/swaggo/http-swagger v1.3.4
+	github.com/swaggo/swag v1.16.6
+	golang.org/x/crypto v0.46.0
+)
+
+require (
+	github.com/KyleBanks/depth v1.2.1 // indirect
+	github.com/go-openapi/jsonpointer v0.19.5 // indirect
+	github.com/go-openapi/jsonreference v0.20.0 // indirect
+	github.com/go-openapi/spec v0.20.6 // indirect
+	github.com/go-openapi/swag v0.19.15 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/mailru/easyjson v0.7.6 // indirect
+	github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe // indirect
+	golang.org/x/mod v0.30.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/tools v0.39.0 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 )

 require (
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
-	github.com/go-chi/chi/v5 v5.2.3 // indirect
+	github.com/go-chi/chi/v5 v5.2.3
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/golang-jwt/jwt/v5 v5.3.0
+	github.com/google/uuid v1.6.0
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
@@ -24,8 +45,8 @@ require (
 	github.com/spf13/viper v1.21.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	go.yaml.in/yaml/v3 v3.0.4 // indirect
-	golang.org/x/sys v0.29.0 // indirect
-	golang.org/x/text v0.28.0 // indirect
-	gorm.io/driver/sqlite v1.6.0 // indirect
-	gorm.io/gorm v1.31.1 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
+	gorm.io/driver/sqlite v1.6.0
+	gorm.io/gorm v1.31.1
 )
--- a/go.sum
+++ b/go.sum
@@ -1,6 +1,10 @@
+github.com/KyleBanks/depth v1.2.1 h1:5h8fQADFrWtarTdtDudMmGsC7GPbOAu6RVB3ffsVFHc=
+github.com/KyleBanks/depth v1.2.1/go.mod h1:jzSb9d0L43HxTQfT+oSA1EEp2q+ne2uh6XgeJcm8brE=
 github.com/akyaiy/GSfass/core v0.0.0-20251115194535-2b7489bfc204 h1:tvG9DIB1e58sWfDbYLdgOcXRdyZxSYy/wk2VHJHgzec=
 github.com/akyaiy/GSfass/core v0.0.0-20251115194535-2b7489bfc204/go.mod h1:Sk61563skjfIIYbmTUTJSWqGwBp9ODiBMjza8F5+UFY=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
@@ -9,22 +13,47 @@ github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S
 github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/go-chi/chi/v5 v5.2.3 h1:WQIt9uxdsAbgIYgid+BpYc+liqQZGMHRaUwp0JUcvdE=
 github.com/go-chi/chi/v5 v5.2.3/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonpointer v0.19.5 h1:gZr+CIYByUqjcgeLXnQu2gHYQC9o73G2XUeOFYEICuY=
+github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg=
+github.com/go-openapi/jsonreference v0.20.0 h1:MYlu0sBgChmCfJxxUKZ8g1cPWFOB37YSZqewK7OKeyA=
+github.com/go-openapi/jsonreference v0.20.0/go.mod h1:Ag74Ico3lPc+zR+qjn4XBUmXymS4zJbYVCZmcgkasdo=
+github.com/go-openapi/spec v0.20.6 h1:ich1RQ3WDbfoeTqTAb+5EIxNmpKVJZWBNah9RAT0jIQ=
+github.com/go-openapi/spec v0.20.6/go.mod h1:2OpW+JddWPrpXSCIX8eOx7lZ5iyuWj3RYR6VaaBKcWA=
+github.com/go-openapi/swag v0.19.5/go.mod h1:POnQmlKehdgb5mhVOsnJFsivZCEZ/vjK9gh66Z9tfKk=
+github.com/go-openapi/swag v0.19.15 h1:D2NRCBzS9/pEY3gP9Nl8aDqGUcPFrwG2p+CNFrLyrCM=
+github.com/go-openapi/swag v0.19.15/go.mod h1:QYRuS/SOXUCsnplDa677K7+DxSOj6IPNl/eQntq43wQ=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/golang-jwt/jwt/v5 v5.3.0 h1:pv4AsKCKKZuqlgs5sUmn4x8UlGa0kEVt/puTpKx9vvo=
+github.com/golang-jwt/jwt/v5 v5.3.0/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
+github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/mailru/easyjson v0.0.0-20190614124828-94de47d64c63/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
+github.com/mailru/easyjson v0.7.6 h1:8yTIVnZgCoiM1TgqoeTl+LfU5Jg6/xL3QhGQnimLYnA=
+github.com/mailru/easyjson v0.7.6/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
 github.com/mattn/go-sqlite3 v1.14.22 h1:2gZY6PC6kBnID23Tichd1K+Z0oS6nE/XwU+Vz/5o4kU=
 github.com/mattn/go-sqlite3 v1.14.22/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e h1:fD57ERR4JtEqsWbfPhv4DMiApHyliiK5xCTNVSPiaAs=
+github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
 github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
@@ -47,19 +76,50 @@ github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
 github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.21.0 h1:x5S+0EU27Lbphp4UKm1C+1oQO+rKx36vfCoaVebLFSU=
 github.com/spf13/viper v1.21.0/go.mod h1:P0lhsswPGWD/1lZJ9ny3fYnVqxiegrlNrEmgLjbTCAY=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
 github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
 github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
+github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe h1:K8pHPVoTgxFJt1lXuIzzOX7zZhZFldJQK/CgKx9BFIc=
+github.com/swaggo/files v0.0.0-20220610200504-28940afbdbfe/go.mod h1:lKJPbtWzJ9JhsTN1k1gZgleJWY/cqq0psdoMmaThG3w=
+github.com/swaggo/http-swagger v1.3.4 h1:q7t/XLx0n15H1Q9/tk3Y9L4n210XzJF5WtnDX64a5ww=
+github.com/swaggo/http-swagger v1.3.4/go.mod h1:9dAh0unqMBAlbp1uE2Uc2mQTxNMU/ha4UbucIg1MFkQ=
+github.com/swaggo/swag v1.16.6 h1:qBNcx53ZaX+M5dxVyTrgQ0PJ/ACK+NzhwcbieTt+9yI=
+github.com/swaggo/swag v1.16.6/go.mod h1:ngP2etMK5a0P3QBizic5MEwpRmluJZPHjXcMoj4Xesg=
 go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
 go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
-golang.org/x/sys v0.29.0 h1:TPYlXGxvx1MGTn2GiZDhnjPA9wZzZeGKHHmKhHYvgaU=
-golang.org/x/sys v0.29.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/text v0.28.0 h1:rhazDwis8INMIwQ4tpjLDzUhx6RlXqZNPEM0huQojng=
-golang.org/x/text v0.28.0/go.mod h1:U8nCwOR8jO/marOQ0QbDiOngZVEBB7MAiitBuMjXiNU=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/mod v0.30.0 h1:fDEXFVZ/fmCKProc/yAXXUijritrDzahmwwefnjoPFk=
+golang.org/x/mod v0.30.0/go.mod h1:lAsf5O2EvJeSFMiBxXDki7sCgAxEUcZHXoXMKT4GJKc=
+golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.39.0 h1:ik4ho21kwuQln40uelmciQPp9SipgNDdrafrYA4TmQQ=
+golang.org/x/tools v0.39.0/go.mod h1:JnefbkDPyD8UU2kI5fuf8ZX4/yUeh9W877ZeBONxUqQ=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
-gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f h1:BLraFXnmrev5lT+xlilqcH8XK9/i0At2xKjWk4p6zsU=
+gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/sqlite v1.6.0 h1:WHRRrIiulaPiPFmDcod6prc4l2VGVWHz80KspNsxSfQ=
--- a/internal/acl/errors.go
+++ b/internal/acl/errors.go
@@ -0,0 +1,27 @@
+package acl
+
+// TODO: add more specific errors
+
+import "fmt"
+
+var (
+	ErrNotInitialized = fmt.Errorf("acl service is not initialized")
+
+	ErrRoleNotFound        = fmt.Errorf("role not found")
+	ErrRoleAlreadyExists   = fmt.Errorf("role already exists")
+	ErrInvalidRoleName     = fmt.Errorf("role name is invalid")
+	ErrSameRoleName        = fmt.Errorf("role name is the same as another role")
+	ErrRoleInUse           = fmt.Errorf("role is in use")
+	ErrRoleAlreadyAssigned = fmt.Errorf("role is already assigned to user")
+
+	ErrResourceNotFound        = fmt.Errorf("resource not found")
+	ErrResourceAlreadyExists   = fmt.Errorf("resource already exists")
+	ErrInvalidResourceKey      = fmt.Errorf("invalid resource key")
+	ErrResourceInUse           = fmt.Errorf("resource is in use")
+	ErrSameResourceKey         = fmt.Errorf("resource key is the same as another resource")
+	ErrResourceAlreadyAssigned = fmt.Errorf("resource is already assigned to role")
+	ErrRoleResourceNotFound    = fmt.Errorf("assigned resource to role is not found")
+
+	ErrUserNotFound     = fmt.Errorf("user not found")
+	ErrUserRoleNotFound = fmt.Errorf("user role not found")
+)
--- a/internal/acl/models.go
+++ b/internal/acl/models.go
@@ -0,0 +1,32 @@
+package acl
+
+import "git.oblat.lv/alex/triggerssmith/internal/user"
+
+type UserRole struct {
+	UserID uint `gorm:"index;not null;uniqueIndex:ux_user_role"`
+	RoleID uint `gorm:"index;not null;uniqueIndex:ux_user_role"`
+
+	Role Role      `gorm:"constraint:OnDelete:CASCADE;foreignKey:RoleID;references:ID" json:"role"`
+	User user.User `gorm:"constraint:OnDelete:CASCADE;foreignKey:UserID;references:ID"`
+}
+
+type Resource struct {
+	ID  uint   `gorm:"primaryKey;autoIncrement" json:"id"`
+	Key string `gorm:"unique;not null" json:"key"`
+}
+
+type Role struct {
+	ID   uint   `gorm:"primaryKey;autoIncrement" json:"id"`
+	Name string `gorm:"unique;not null" json:"name"`
+
+	Resources []Resource  `gorm:"many2many:role_resources" json:"resources"`
+	Users     []user.User `gorm:"many2many:user_roles"`
+}
+
+type RoleResource struct {
+	RoleID     uint `gorm:"primaryKey" json:"roleId"`
+	ResourceID uint `gorm:"primaryKey" json:"resourceId"`
+
+	Role     Role     `gorm:"constraint:OnDelete:CASCADE;foreignKey:RoleID;references:ID" json:"role"`
+	Resource Resource `gorm:"constraint:OnDelete:CASCADE;foreignKey:ResourceID;references:ID" json:"resource"`
+}
--- a/internal/acl/resources.go
+++ b/internal/acl/resources.go
@@ -0,0 +1,220 @@
+package acl
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+// GetResources returns all resources.
+// May return [ErrNotInitialized] or db error.
+func (s *Service) GetResources() ([]Resource, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var resources []Resource
+	if err := s.db.Order("id").Find(&resources).Error; err != nil {
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return resources, nil
+}
+
+// CreateResource creates a new resource with the given key or returns existing one.
+// Returns ID of created resource.
+// May return [ErrNotInitialized], [ErrInvalidResourceKey], [ErrResourceAlreadyExists] or db error.
+func (s *Service) CreateResource(key string) (uint, error) {
+	if !s.isInitialized() {
+		return 0, ErrNotInitialized
+	}
+
+	key = strings.TrimSpace(key)
+	if key == "" {
+		return 0, ErrInvalidResourceKey
+	}
+
+	var res Resource
+	if err := s.db.Where("key = ?", key).First(&res).Error; err == nil {
+		// already exists
+		return res.ID, ErrResourceAlreadyExists
+	} else if !errors.Is(err, gorm.ErrRecordNotFound) {
+		// other db error
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	res = Resource{Key: key}
+	if err := s.db.Create(&res).Error; err != nil {
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	return res.ID, nil
+}
+
+// GetResourceByID returns the resource with the given ID.
+// May return [ErrNotInitialized], [ErrResourceNotFound] or db error.
+func (s *Service) GetResourceByID(resourceID uint) (*Resource, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrResourceNotFound
+		}
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return &res, nil
+}
+
+// UpdateResource updates the key of a resource.
+// May return [ErrNotInitialized], [ErrInvalidResourceKey], [ErrResourceNotFound], [ErrSameResourceKey] or db error.
+func (s *Service) UpdateResource(resourceID uint, newKey string) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	newKey = strings.TrimSpace(newKey)
+	if newKey == "" {
+		return ErrInvalidResourceKey
+	}
+
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	// same key?
+	if res.Key == newKey {
+		return ErrSameResourceKey
+	}
+
+	// check if key used by another resource
+	var count int64
+	if err := s.db.Model(&Resource{}).
+		Where("key = ? AND id != ?", newKey, resourceID).
+		Count(&count).Error; err != nil {
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if count > 0 {
+		return ErrSameResourceKey
+	}
+
+	res.Key = newKey
+	if err := s.db.Save(&res).Error; err != nil {
+		return fmt.Errorf("failed to update resource: %w", err)
+	}
+
+	return nil
+}
+
+// DeleteResource deletes a resource.
+// May return [ErrNotInitialized], [ErrResourceNotFound], [ErrResourceInUse] or db error.
+func (s *Service) DeleteResource(resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	result := s.db.Delete(&Resource{}, resourceID)
+
+	if err := result.Error; err != nil {
+		if strings.Contains(err.Error(), "FOREIGN KEY constraint failed") {
+			return ErrResourceInUse
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if result.RowsAffected == 0 {
+		return ErrResourceNotFound
+	}
+
+	return nil
+}
+
+// AssignResourceToRole assigns a resource to a role
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrResourceNotFound], [ErrAlreadyAssigned] or db error.
+func (s *Service) AssignResourceToRole(roleID, resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	// check role exists
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	// check resource exists
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("failed to fetch resource: %w", err)
+	}
+
+	rr := RoleResource{
+		RoleID:     roleID,
+		ResourceID: resourceID,
+	}
+
+	tx := s.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&rr)
+	if tx.Error != nil {
+		return fmt.Errorf("failed to assign resource to role: %w", tx.Error)
+	}
+
+	// if nothing inserted — already assigned
+	if tx.RowsAffected == 0 {
+		return ErrResourceAlreadyAssigned
+	}
+
+	return nil
+}
+
+// RemoveResourceFromRole removes a resource from a role
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrResourceNotFound], [ErrRoleResourceNotFound] or db error.
+func (s *Service) RemoveResourceFromRole(roleID, resourceID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+	// check role exists
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	// check resource exists
+	var res Resource
+	if err := s.db.First(&res, resourceID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrResourceNotFound
+		}
+		return fmt.Errorf("failed to fetch resource: %w", err)
+	}
+
+	tx := s.db.Where("role_id = ? AND resource_id = ?", roleID, resourceID).Delete(&RoleResource{})
+	if tx.Error != nil {
+		return fmt.Errorf("failed to remove resource from role: %w", tx.Error)
+	}
+
+	if tx.RowsAffected == 0 {
+		return ErrRoleResourceNotFound
+	}
+
+	return nil
+}
--- a/internal/acl/roles.go
+++ b/internal/acl/roles.go
@@ -0,0 +1,240 @@
+package acl
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"git.oblat.lv/alex/triggerssmith/internal/user"
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+)
+
+// GetRoles returns all roles.
+// May return [ErrNotInitialized] or db error.
+func (s *Service) GetRoles() ([]Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+
+	var roles []Role
+	if err := s.db.Preload("Resources").Preload("Users").Order("id").Find(&roles).Error; err != nil {
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return roles, nil
+}
+
+// CreateRole creates a new role with the given name or returns existing one.
+// Returns the ID of the created role.
+// May return [ErrNotInitialized], [ErrInvalidRoleName], [ErrRoleAlreadyExists] or db error.
+func (s *Service) CreateRole(name string) (uint, error) {
+	if !s.isInitialized() {
+		return 0, ErrNotInitialized
+	}
+
+	name = strings.TrimSpace(name)
+	if name == "" {
+		return 0, ErrInvalidRoleName
+	}
+
+	var role Role
+	if err := s.db.Where("name = ?", name).First(&role).Error; err == nil {
+		// already exists
+		return role.ID, ErrRoleAlreadyExists
+	} else if !errors.Is(err, gorm.ErrRecordNotFound) {
+		// other database error
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	role = Role{Name: name}
+	if err := s.db.Create(&role).Error; err != nil {
+		return 0, fmt.Errorf("db error: %w", err)
+	}
+
+	return role.ID, nil
+}
+
+// GetRoleByID returns the role with the given ID or an error.
+// May return [ErrNotInitialized], [ErrRoleNotFound] or db error.
+func (s *Service) GetRoleByID(roleID uint) (*Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+	var role Role
+	err := s.db.Preload("Resources").Preload("Users").First(&role, roleID).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrRoleNotFound
+		}
+		return nil, fmt.Errorf("db error: %w", err)
+	}
+
+	return &role, nil
+}
+
+// UpdateRole updates the name of a role.
+// May return [ErrNotInitialized], [ErrInvalidRoleName], [ErrRoleNotFound], [ErrSameRoleName], or db error.
+func (s *Service) UpdateRole(roleID uint, newName string) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	newName = strings.TrimSpace(newName)
+	if newName == "" {
+		return ErrInvalidRoleName
+	}
+
+	var role Role
+	err := s.db.First(&role, roleID).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	// check for name conflicts
+	if role.Name == newName {
+		return ErrSameRoleName
+	}
+	var count int64
+	err = s.db.Model(&Role{}).Where("name = ? AND id != ?", newName, roleID).Count(&count).Error
+	if err != nil {
+		return fmt.Errorf("db error: %w", err)
+	}
+	if count > 0 {
+		return ErrSameRoleName
+	}
+
+	role.Name = newName
+	if err := s.db.Save(&role).Error; err != nil {
+		return fmt.Errorf("failed to update role: %w", err)
+	}
+
+	return nil
+}
+
+// DeleteRole deletes a role.
+// May return [ErrNotInitialized], [ErrRoleNotFound], [ErrRoleInUse] or db error.
+func (s *Service) DeleteRole(roleID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	result := s.db.Delete(&Role{}, roleID)
+	if err := result.Error; err != nil {
+		if strings.Contains(err.Error(), "FOREIGN KEY constraint failed") {
+			return ErrRoleInUse
+		}
+		return fmt.Errorf("db error: %w", err)
+	}
+
+	if result.RowsAffected == 0 {
+		return ErrRoleNotFound
+	}
+
+	return nil
+}
+
+// GetUserRoles returns all roles for a given user.
+// May return [ErrNotInitialized], [ErrUserNotFound], [ErrRoleNotFound] or db error.
+func (s *Service) GetUserRoles(userID uint) ([]Role, error) {
+	if !s.isInitialized() {
+		return nil, ErrNotInitialized
+	}
+	var user user.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrUserNotFound
+		}
+		return nil, fmt.Errorf("failed to fetch user: %w", err)
+	}
+
+	var roles []Role
+	err := s.db.
+		Joins("JOIN user_roles ur ON ur.role_id = roles.id").
+		Where("ur.user_id = ?", userID).
+		Find(&roles).Error
+	if err != nil {
+		return nil, fmt.Errorf("failed to get user roles: %w", err)
+	}
+
+	if len(roles) == 0 {
+		return nil, ErrRoleNotFound
+	}
+	return roles, nil
+}
+
+// AssignRoleToUser assigns a role to a user.
+// May return [ErrNotInitialized], [ErrUserNotFound], [ErrRoleNotFound], [ErrRoleAlreadyAssigned] or db error.
+func (s *Service) AssignRoleToUser(roleID, userID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+	var user user.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrUserNotFound
+		}
+		return fmt.Errorf("failed to fetch user: %w", err)
+	}
+
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	ur := UserRole{
+		UserID: userID,
+		RoleID: roleID,
+	}
+
+	tx := s.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&ur)
+	if tx.Error != nil {
+		return fmt.Errorf("failed to assign resource to role: %w", tx.Error)
+	}
+	if tx.RowsAffected == 0 {
+		return ErrRoleAlreadyAssigned
+	}
+
+	return nil
+}
+
+// RemoveRoleFromUser removes a role from a user.
+// May return [ErrNotInitialized], [ErrUserNotFound], [ErrRoleNotFound], [ErrUserRoleNotFound] or db error.
+func (s *Service) RemoveRoleFromUser(roleID, userID uint) error {
+	if !s.isInitialized() {
+		return ErrNotInitialized
+	}
+
+	var user user.User
+	if err := s.db.First(&user, userID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrUserNotFound
+		}
+		return fmt.Errorf("failed to fetch user: %w", err)
+	}
+
+	var r Role
+	if err := s.db.First(&r, roleID).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return ErrRoleNotFound
+		}
+		return fmt.Errorf("failed to fetch role: %w", err)
+	}
+
+	tx := s.db.Where("role_id = ? AND user_id = ?", roleID, userID).Delete(&UserRole{})
+	if tx.Error != nil {
+		return fmt.Errorf("failed to remove role from user: %w", tx.Error)
+	}
+
+	if tx.RowsAffected == 0 {
+		return ErrUserRoleNotFound
+	}
+
+	return nil
+}
--- a/internal/acl/service.go
+++ b/internal/acl/service.go
@@ -0,0 +1,41 @@
+package acl
+
+import (
+	"fmt"
+
+	"gorm.io/gorm"
+)
+
+type Service struct {
+	initialized bool
+
+	db *gorm.DB
+}
+
+func NewService(db *gorm.DB) (*Service, error) {
+	if db == nil {
+		return nil, fmt.Errorf("db is required")
+	}
+	return &Service{
+		db: db,
+	}, nil
+}
+
+func (s *Service) isInitialized() bool {
+	return s.initialized
+}
+
+func (s *Service) Init() error {
+	if s.isInitialized() {
+		return nil
+	}
+
+	// AutoMigrate models
+	err := s.db.AutoMigrate(&UserRole{}, &Resource{}, &Role{}, &RoleResource{})
+	if err != nil {
+		return fmt.Errorf("failed to migrate ACL models: %w", err)
+	}
+
+	s.initialized = true
+	return nil
+}
--- a/internal/acl_test/crud_test.go
+++ b/internal/acl_test/crud_test.go
@@ -0,0 +1,158 @@
+package acl_test
+
+// DEPRECATED TEST FILE
+
+// import (
+// 	"os"
+// 	"path/filepath"
+// 	"testing"
+
+// 	"git.oblat.lv/alex/triggerssmith/internal/acl"
+// 	"git.oblat.lv/alex/triggerssmith/internal/user"
+// 	"gorm.io/driver/sqlite"
+// 	"gorm.io/gorm"
+// )
+
+// func openTestDB(t *testing.T) *gorm.DB {
+// 	t.Helper()
+
+// 	// Путь к файлу базы
+// 	dbPath := filepath.Join("testdata", "test.db")
+
+// 	// Удаляем старую базу, если есть
+// 	os.Remove(dbPath)
+
+// 	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+// 	if err != nil {
+// 		t.Fatalf("failed to open test db: %v", err)
+// 	}
+
+// 	// Миграция таблицы User для связи с ACL
+// 	if err := db.AutoMigrate(&user.User{}); err != nil {
+// 		t.Fatalf("failed to migrate User: %v", err)
+// 	}
+
+// 	return db
+// }
+
+// func TestACLService_CRUD(t *testing.T) {
+// 	db := openTestDB(t)
+
+// 	// Создаём сервис ACL
+// 	svc, err := acl.NewService(db)
+// 	if err != nil {
+// 		t.Fatalf("failed to create ACL service: %v", err)
+// 	}
+
+// 	if err := svc.Init(); err != nil {
+// 		t.Fatalf("failed to init ACL service: %v", err)
+// 	}
+
+// 	// Создаём роли
+// 	if err := svc.CreateRole("admin"); err != nil {
+// 		t.Fatalf("CreateRole failed: %v", err)
+// 	}
+// 	if err := svc.CreateRole("guest"); err != nil {
+// 		t.Fatalf("CreateRole failed: %v", err)
+// 	}
+
+// 	roles, err := svc.GetRoles()
+// 	if err != nil {
+// 		t.Fatalf("GetRoles failed: %v", err)
+// 	}
+// 	if len(roles) != 2 {
+// 		t.Fatalf("expected 2 roles, got %d", len(roles))
+// 	}
+
+// 	// Создаём ресурсы
+// 	if err := svc.CreateResource("*"); err != nil {
+// 		t.Fatalf("CreateResource failed: %v", err)
+// 	}
+// 	if err := svc.CreateResource("html.view.*"); err != nil {
+// 		t.Fatalf("CreateResource failed: %v", err)
+// 	}
+
+// 	resources, err := svc.GetPermissions()
+// 	if err != nil {
+// 		t.Fatalf("GetPermissions failed: %v", err)
+// 	}
+// 	if len(resources) != 2 {
+// 		t.Fatalf("expected 2 resources, got %d", len(resources))
+// 	}
+
+// 	// 1. Создаём сервис user
+// 	store, err := user.NewGormUserStore(db)
+// 	if err != nil {
+// 		t.Fatalf("failed to create user store: %v", err)
+// 	}
+// 	userSvc, err := user.NewService(store)
+// 	if err != nil {
+// 		t.Fatalf("failed to create user service: %v", err)
+// 	}
+
+// 	// 2. Инициализируем
+// 	if err := userSvc.Init(); err != nil {
+// 		t.Fatalf("failed to init user service: %v", err)
+// 	}
+
+// 	user := &user.User{
+// 		Username: "testuser",
+// 		Email:    "testuser@example.com",
+// 		Password: "secret",
+// 	}
+
+// 	u := user
+
+// 	// 3. Создаём пользователя через сервис
+// 	err = userSvc.Create(user)
+// 	if err != nil {
+// 		t.Fatalf("failed to create user: %v", err)
+// 	}
+
+// 	// Привязываем роль к пользователю
+// 	adminRoleID := roles[0].ID
+// 	if err := svc.AssignRoleToUser(adminRoleID, uint(u.ID)); err != nil {
+// 		t.Fatalf("AssignRoleToUser failed: %v", err)
+// 	}
+
+// 	userRoles, err := svc.GetUserRoles(uint(u.ID))
+// 	if err != nil {
+// 		t.Fatalf("GetUserRoles failed: %v", err)
+// 	}
+// 	if len(userRoles) != 1 || userRoles[0].ID != adminRoleID {
+// 		t.Fatalf("expected user to have admin role")
+// 	}
+
+// 	// Привязываем ресурсы к роли
+// 	for _, res := range resources {
+// 		if err := svc.AssignResourceToRole(adminRoleID, res.ID); err != nil {
+// 			t.Fatalf("AssignResourceToRole failed: %v", err)
+// 		}
+// 	}
+
+// 	roleResources, err := svc.GetRoleResources(adminRoleID)
+// 	if err != nil {
+// 		t.Fatalf("GetRoleResources failed: %v", err)
+// 	}
+// 	if len(roleResources) != 2 {
+// 		t.Fatalf("expected role to have 2 resources")
+// 	}
+
+// 	// Удаляем ресурс из роли
+// 	if err := svc.RemoveResourceFromRole(adminRoleID, resources[0].ID); err != nil {
+// 		t.Fatalf("RemoveResourceFromRole failed: %v", err)
+// 	}
+// 	roleResources, _ = svc.GetRoleResources(adminRoleID)
+// 	if len(roleResources) != 1 {
+// 		t.Fatalf("expected 1 resource after removal")
+// 	}
+
+// 	// Удаляем роль у пользователя
+// 	if err := svc.RemoveRoleFromUser(adminRoleID, uint(u.ID)); err != nil {
+// 		t.Fatalf("RemoveRoleFromUser failed: %v", err)
+// 	}
+// 	userRoles, _ = svc.GetUserRoles(uint(u.ID))
+// 	if len(userRoles) != 0 {
+// 		t.Fatalf("expected user to have 0 roles after removal")
+// 	}
+// }
--- a/internal/auth/errors.go
+++ b/internal/auth/errors.go
@@ -0,0 +1,13 @@
+package auth
+
+import "fmt"
+
+var (
+	ErrUserNotFound    = fmt.Errorf("user not found")
+	ErrInvalidPassword = fmt.Errorf("invalid password")
+	ErrInvalidEmail    = fmt.Errorf("invalid email")
+	ErrInvalidUsername = fmt.Errorf("invalid username")
+
+	ErrTokenIsMissing = fmt.Errorf("token is missing")
+	ErrInvalidToken   = fmt.Errorf("invalid token")
+)
--- a/internal/auth/service.go
+++ b/internal/auth/service.go
@@ -0,0 +1,256 @@
+package auth
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"strings"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"git.oblat.lv/alex/triggerssmith/internal/jwt"
+	"git.oblat.lv/alex/triggerssmith/internal/token"
+	user_p "git.oblat.lv/alex/triggerssmith/internal/user"
+	ejwt "github.com/golang-jwt/jwt/v5"
+	"golang.org/x/crypto/bcrypt"
+)
+
+type Tokens struct {
+	Access  string
+	Refresh string
+}
+
+type Service struct {
+	cfg *config.Config
+
+	services struct {
+		jwt   *jwt.Service
+		user  *user_p.Service
+		token *token.Service
+	}
+}
+
+type AuthServiceDependencies struct {
+	Configuration *config.Config
+
+	JWTService   *jwt.Service
+	UserService  *user_p.Service
+	TokenService *token.Service
+}
+
+func NewAuthService(deps AuthServiceDependencies) (*Service, error) {
+	if deps.Configuration == nil {
+		return nil, fmt.Errorf("config is nil")
+	}
+	if deps.JWTService == nil {
+		return nil, fmt.Errorf("jwt service is nil")
+	}
+	if deps.UserService == nil {
+		return nil, fmt.Errorf("user service is nil")
+	}
+	if deps.TokenService == nil {
+		return nil, fmt.Errorf("token service is nil")
+	}
+	return &Service{
+		cfg: deps.Configuration,
+		services: struct {
+			jwt   *jwt.Service
+			user  *user_p.Service
+			token *token.Service
+		}{
+			jwt:   deps.JWTService,
+			user:  deps.UserService,
+			token: deps.TokenService,
+		},
+	}, nil
+}
+
+// Users
+
+func (s *Service) Get(by, value string) (*user_p.User, error) {
+	return s.services.user.GetBy(by, value)
+}
+
+// Register creates a new user with the given username, email, and password.
+// Password is hashed before storing.
+// Returns the created user or an error.
+func (s *Service) Register(username, email, password string) (*user_p.User, error) {
+	hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, fmt.Errorf("failed to hash password: %w", err)
+	}
+
+	user := &user_p.User{
+		Username: username,
+		Email:    email,
+		Password: string(hashedPassword),
+	}
+
+	err = s.services.user.Create(user)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create user: %w", err)
+	}
+
+	return user, nil
+}
+
+// Login authenticates a user with the given username and password.
+// Returns access and refresh tokens if successful.
+func (s *Service) Login(username, password string) (*Tokens, error) {
+	user, err := s.services.user.GetBy("username", username)
+	if err != nil {
+		if err == user_p.ErrUserNotFound {
+			return nil, ErrInvalidUsername
+		}
+		return nil, fmt.Errorf("failed to get user by username: %w", err)
+	}
+
+	err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
+	if err != nil {
+		return nil, ErrInvalidPassword
+	}
+	refreshToken, rjti, err := s.services.jwt.Generate(s.cfg.Auth.RefreshTokenTTL, ejwt.MapClaims{
+		"sub": user.ID,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
+	}
+	accessToken, _, err := s.services.jwt.Generate(s.cfg.Auth.AccessTokenTTL, ejwt.MapClaims{
+		"sub":  user.ID,
+		"rjti": rjti,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate refresh token: %w", err)
+	}
+	return &Tokens{Access: accessToken, Refresh: refreshToken}, nil
+}
+
+// Logout revokes the refresh token identified by the given rjti.
+func (s *Service) Logout(rjti string) error {
+	err := s.services.token.RevokeByRefreshDefault(rjti)
+	if err != nil {
+		if errors.Is(err, token.ErrTokenIsRevoked) {
+			return ErrInvalidToken
+		}
+		return fmt.Errorf("failed to revoke token: %w", err)
+	}
+	return nil
+}
+
+// Access tokens
+
+// ValidateAccessToken validates the given access token string.
+// Returns claims if valid, or an error.
+func (s *Service) ValidateAccessToken(tokenStr string) (ejwt.Claims, error) {
+	claims, _, err := s.services.jwt.Validate(tokenStr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate access token: %w", err)
+	}
+
+	isRevoked, err := s.services.token.IsRevoked(claims["rjti"].(string))
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if token is revoked: %w", err)
+	}
+	if isRevoked {
+		return nil, fmt.Errorf("token is revoked")
+	}
+
+	return claims, nil
+}
+
+// Refresh tokens
+
+// RefreshTokens validates the given refresh token and issues new access and refresh tokens.
+// Returns the new access and refresh tokens or an error.
+// May return [ErrInvalidToken] if the refresh token is invalid or revoked.
+func (s *Service) RefreshTokens(refreshTokenStr string) (*Tokens, error) {
+	claims, rjti, err := s.services.jwt.Validate(refreshTokenStr)
+	if err != nil {
+		return nil, errors.Join(ErrInvalidToken, err)
+	}
+
+	isRevoked, err := s.services.token.IsRevoked(rjti)
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if token is revoked: %w", err)
+	}
+	if isRevoked {
+		return nil, ErrInvalidToken
+	}
+
+	sub := claims["sub"].(float64)
+
+	newRefreshToken, newRjti, err := s.services.jwt.Generate(s.cfg.Auth.RefreshTokenTTL, ejwt.MapClaims{
+		"sub": sub,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate new refresh token: %w", err)
+	}
+	newAccessToken, _, err := s.services.jwt.Generate(s.cfg.Auth.AccessTokenTTL, ejwt.MapClaims{
+		"sub":  sub,
+		"rjti": newRjti,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("failed to generate new access token: %w", err)
+	}
+
+	// Revoke the old refresh token
+	if err := s.services.token.RevokeByRefreshDefault(rjti); err != nil {
+		return nil, fmt.Errorf("failed to revoke old refresh token: %w", err)
+	}
+
+	return &Tokens{Access: newAccessToken, Refresh: newRefreshToken}, nil
+}
+
+// ValidateRefreshToken validates the given refresh token string.
+// Returns claims and error.
+func (s *Service) ValidateRefreshToken(tokenStr string) (ejwt.Claims, error) {
+	claims, _, err := s.services.jwt.Validate(tokenStr)
+	if err != nil {
+		return nil, fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	isRevoked, err := s.services.token.IsRevoked(claims["jti"].(string))
+	if err != nil {
+		return nil, fmt.Errorf("failed to check if token is revoked: %w", err)
+	}
+	if isRevoked {
+		return nil, fmt.Errorf("refresh token is revoked")
+	}
+
+	return claims, nil
+}
+
+// RevokeRefresh revokes the refresh token identified by the given token string.
+func (s *Service) RevokeRefresh(token string) error {
+	_, rjti, err := s.services.jwt.Validate(token)
+	if err != nil {
+		return fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	return s.services.token.RevokeByRefreshDefault(rjti)
+}
+
+// IsRefreshRevoked checks if the refresh token identified by the given token string is revoked.
+func (s *Service) IsRefreshRevoked(token string) (bool, error) {
+	_, rjti, err := s.services.jwt.Validate(token)
+	if err != nil {
+		return false, fmt.Errorf("failed to validate refresh token: %w", err)
+	}
+
+	return s.services.token.IsRevoked(rjti)
+}
+
+func (s *Service) AuthenticateRequest(r *http.Request) (ejwt.Claims, error) {
+	header := r.Header.Get("Authorization")
+	if header == "" {
+		return nil, ErrTokenIsMissing
+	}
+	if !strings.HasPrefix(header, "Bearer ") {
+		return nil, ErrTokenIsMissing
+	}
+	tokenString := strings.TrimPrefix(header, "Bearer ")
+	tokenClaims, _, err := s.services.jwt.Validate(tokenString)
+	if err != nil {
+		return nil, err
+	}
+	return tokenClaims, nil
+}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -31,9 +31,22 @@ type FuncConfig struct {
 	FunctionDir string `mapstructure:"func_dir"`
 }

+type Auth struct {
+	SignAlg         string        `mapstructure:"sign_alg"`
+	HMACSecretPath  string        `mapstructure:"hmac_secret_path"`
+	RefreshTokenTTL time.Duration `mapstructure:"refresh_token_ttl"`
+	AccessTokenTTL  time.Duration `mapstructure:"access_token_ttl"`
+}
+
+type Data struct {
+	DataPath string `mapstructure:"data_dir"`
+}
+
 type Config struct {
 	Server    ServerConfig `mapstructure:"server"`
 	Functions FuncConfig   `mapstructure:"functions"`
+	Auth      Auth         `mapstructure:"auth"`
+	Data      Data         `mapstructure:"data"`
 }

 var configPath atomic.Value // string
@@ -48,7 +61,14 @@ var defaults = map[string]any{
 	"server.block.enabled":     true,
 	"server.block.block_dir":   "./blocks",

+	"data.data_dir": "./data",
+
 	"functions.func_dir": "./functions",
+
+	"auth.refresh_token_ttl": 24 * time.Hour,
+	"auth.access_token_ttl":  15 * time.Minute,
+	"auth.sign_alg":          "HS256",
+	"auth.hmac_secret_path":  "./secret/hmac_secret",
 }

 func read(cfg *Config) error {
--- a/internal/jwt/parse.go
+++ b/internal/jwt/parse.go
@@ -0,0 +1,28 @@
+package jwt
+
+import (
+	"fmt"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+func Parse(
+	tokenStr string,
+	method jwt.SigningMethod,
+	key any,
+) (jwt.Claims, error) {
+	t, err := jwt.Parse(tokenStr, func(tok *jwt.Token) (any, error) {
+		if tok.Method.Alg() != method.Alg() {
+			return nil, fmt.Errorf("unexpected signing method")
+		}
+		return key, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+	// check validity twice: invalid token may return nil error
+	if !t.Valid {
+		return nil, fmt.Errorf("invalid token")
+	}
+	return t.Claims, nil
+}
--- a/internal/jwt/service.go
+++ b/internal/jwt/service.go
@@ -0,0 +1,48 @@
+package jwt
+
+import (
+	"maps"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+)
+
+type Service struct {
+	signer Signer
+}
+
+func NewService(signer Signer) *Service {
+	return &Service{
+		signer: signer,
+	}
+}
+
+// Generate creates a new JWT token for a given user ID and
+// returns the token string along with its JTI(JWT IDentifier).
+func (s *Service) Generate(ttl time.Duration, extraClaims jwt.MapClaims) (string, string, error) {
+	jti := uuid.NewString()
+
+	claims := jwt.MapClaims{
+		"jti": jti,
+		"exp": time.Now().Add(ttl).Unix(),
+		"iat": time.Now().Unix(),
+	}
+	maps.Copy(claims, extraClaims)
+
+	token, err := s.signer.Sign(claims)
+	return token, jti, err
+}
+
+// Validate verifies the JWT token and extracts the claims and JTI(JWT IDentifier).
+// Returns claims, jti, and error if any.
+func (s *Service) Validate(token string) (jwt.MapClaims, string, error) {
+	claims, err := s.signer.Verify(token)
+	if err != nil {
+		return nil, "", err
+	}
+
+	jti := claims.(jwt.MapClaims)["jti"].(string)
+
+	return claims.(jwt.MapClaims), jti, nil
+}
--- a/internal/jwt/signer.go
+++ b/internal/jwt/signer.go
@@ -0,0 +1,8 @@
+package jwt
+
+import "github.com/golang-jwt/jwt/v5"
+
+type Signer interface {
+	Sign(claims jwt.Claims) (string, error)
+	Verify(token string) (jwt.Claims, error)
+}
--- a/internal/jwt/signer_HS256.go
+++ b/internal/jwt/signer_HS256.go
@@ -0,0 +1,20 @@
+package jwt
+
+import "github.com/golang-jwt/jwt/v5"
+
+type HMACSigner struct {
+	secret []byte
+}
+
+func NewHMACSigner(secret []byte) *HMACSigner {
+	return &HMACSigner{secret: secret}
+}
+
+func (s *HMACSigner) Sign(claims jwt.Claims) (string, error) {
+	t := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return t.SignedString(s.secret)
+}
+
+func (s *HMACSigner) Verify(tokenStr string) (jwt.Claims, error) {
+	return Parse(tokenStr, jwt.SigningMethodHS256, s.secret)
+}
--- a/internal/server/error.go
+++ b/internal/server/error.go
@@ -0,0 +1,46 @@
+package server
+
+import (
+	"encoding/json"
+	"log/slog"
+	"net/http"
+)
+
+type ErrorResponse struct {
+	Error   string `json:"error"`
+	Details string `json:"details,omitempty"`
+}
+
+func WriteError(w http.ResponseWriter, error, details string, statusCode int) {
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(statusCode)
+	json.NewEncoder(w).Encode(ErrorResponse{
+		Error:   error,
+		Details: details,
+	})
+}
+
+// RFC-7807 (Problem Details)
+type ProblemDetails struct {
+	Type     string `json:"type" example:"https://api.triggerssmith.com/errors/role-not-found"`
+	Title    string `json:"title" example:"Role not found"`
+	Status   int    `json:"status" example:"404"`
+	Detail   string `json:"detail" example:"No role with ID 42"`
+	Instance string `json:"instance" example:"/api/acl/roles/42"`
+}
+
+var typeDomain = "https://api.triggerssmith.com"
+
+func WriteProblem(w http.ResponseWriter, status int, typ, title, detail string, r *http.Request) {
+	w.Header().Set("Content-Type", "application/problem+json")
+	w.WriteHeader(status)
+	prob := ProblemDetails{
+		Type:     typeDomain + typ,
+		Title:    title,
+		Status:   status,
+		Detail:   detail,
+		Instance: r.URL.Path,
+	}
+	slog.Warn("new problem", "type", typ, "title", title, "detail", detail, "instance", r.URL.Path, "status", status)
+	_ = json.NewEncoder(w).Encode(prob)
+}
--- a/internal/server/notimpl.go
+++ b/internal/server/notimpl.go
@@ -0,0 +1,7 @@
+package server
+
+import "net/http"
+
+func NotImplemented(w http.ResponseWriter) {
+	http.Error(w, "Not implemented", http.StatusNotImplemented)
+}
--- a/internal/token/errors.go
+++ b/internal/token/errors.go
@@ -0,0 +1,7 @@
+package token
+
+import "fmt"
+
+var (
+	ErrTokenIsRevoked = fmt.Errorf("token is revoked")
+)
--- a/internal/token/service.go
+++ b/internal/token/service.go
@@ -0,0 +1,63 @@
+package token
+
+import (
+	"fmt"
+	"time"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+)
+
+type TokenStore interface {
+	revoke(tokenID string, expiresAt time.Time) error
+	isRevoked(tokenID string) (bool, error)
+
+	init() error
+}
+
+type Service struct {
+	initialized bool
+
+	cfg   *config.Auth
+	store TokenStore
+}
+
+func NewTokenService(cfg *config.Auth, store TokenStore) (*Service, error) {
+	if store == nil {
+		return nil, fmt.Errorf("store is nil")
+	}
+	if cfg == nil {
+		return nil, fmt.Errorf("config is nil")
+	}
+	return &Service{cfg: cfg, store: store}, nil
+}
+
+func (s *Service) isInitialized() bool {
+	return s.initialized
+}
+
+func (s *Service) Init() error {
+	if s.isInitialized() {
+		return nil
+	}
+
+	err := s.store.init()
+	if err != nil {
+		return fmt.Errorf("failed to initialize token store: %w", err)
+	}
+
+	s.initialized = true
+	return nil
+}
+
+func (s *Service) Revoke(jti string, exp time.Time) error {
+	return s.store.revoke(jti, exp)
+}
+
+func (s *Service) RevokeByRefreshDefault(jti string) error {
+	expiryTime := time.Now().Add(-time.Duration(s.cfg.RefreshTokenTTL))
+	return s.store.revoke(jti, expiryTime)
+}
+
+func (s *Service) IsRevoked(jti string) (bool, error) {
+	return s.store.isRevoked(jti)
+}
--- a/internal/token/store_sqlite.go
+++ b/internal/token/store_sqlite.go
@@ -0,0 +1,62 @@
+package token
+
+import (
+	"fmt"
+	"time"
+
+	"gorm.io/gorm"
+)
+
+type SQLiteTokenStore struct {
+	db *gorm.DB
+}
+
+type Token struct {
+	TokenID    string    `gorm:"primaryKey"`
+	UserID     int64     `gorm:"index"`
+	Expiration time.Time `gorm:"index"`
+}
+
+// NewSQLiteTokenStore creates a new SQLiteTokenStore with the given GORM DB instance.
+// Actually can be used for any GORM-supported database.
+func NewSQLiteTokenStore(db *gorm.DB) (*SQLiteTokenStore, error) {
+	if db == nil {
+		return nil, fmt.Errorf("db is nil")
+	}
+	return &SQLiteTokenStore{
+		db: db,
+	}, nil
+}
+
+func (s *SQLiteTokenStore) revoke(tokenID string, expiresAt time.Time) error {
+	if revoked, err := s.isRevoked(tokenID); err == nil {
+		if revoked {
+			return ErrTokenIsRevoked
+		}
+	} else {
+		return err
+	}
+	return s.db.Create(&Token{
+		TokenID:    tokenID,
+		Expiration: expiresAt,
+	}).Error
+}
+
+func (s *SQLiteTokenStore) isRevoked(tokenID string) (bool, error) {
+	var count int64
+	err := s.db.Model(&Token{}).Where("token_id = ?", tokenID).Count(&count).Error
+	if err != nil {
+		return false, err
+	}
+	return count > 0, nil
+}
+
+func (s *SQLiteTokenStore) init() error {
+	// AutoMigrate models
+	err := s.db.AutoMigrate(&Token{})
+	if err != nil {
+		return fmt.Errorf("failed to migrate Token model: %w", err)
+	}
+
+	return nil
+}
--- a/internal/token/store_sqlite_test.go
+++ b/internal/token/store_sqlite_test.go
@@ -0,0 +1,71 @@
+package token
+
+import (
+	"os"
+	"path/filepath"
+	"testing"
+	"time"
+
+	"git.oblat.lv/alex/triggerssmith/internal/config"
+	"gorm.io/driver/sqlite"
+	"gorm.io/gorm"
+)
+
+func setupTestDB(t *testing.T) *gorm.DB {
+	t.Helper()
+
+	dbPath := filepath.Join("testdata", "tokens.db")
+
+	_ = os.Remove(dbPath)
+
+	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+	if err != nil {
+		t.Fatalf("failed to open db: %v", err)
+	}
+
+	if err := db.AutoMigrate(&Token{}); err != nil {
+		t.Fatalf("failed to migrate: %v", err)
+	}
+
+	return db
+}
+
+func TestSQLiteTokenStore_RevokeAndCheck(t *testing.T) {
+	db := setupTestDB(t)
+
+	store, err := NewSQLiteTokenStore(db)
+	if err != nil {
+		t.Fatalf("failed to create store: %v", err)
+	}
+
+	cfg := &config.Auth{
+		RefreshTokenTTL: 24 * time.Hour,
+	}
+	service, err := NewTokenService(cfg, store)
+	if err != nil {
+		t.Fatalf("failed to create service: %v", err)
+	}
+
+	jti := "test-token-123"
+	exp := time.Now().Add(time.Hour)
+
+	revoked, err := service.IsRevoked(jti)
+	if err != nil {
+		t.Fatalf("isRevoked failed: %v", err)
+	}
+	if revoked {
+		t.Fatalf("token should NOT be revoked initially")
+	}
+
+	if err := service.Revoke(jti, exp); err != nil {
+		t.Fatalf("revoke failed: %v", err)
+	}
+
+	revoked, err = service.IsRevoked(jti)
+	if err != nil {
+		t.Fatalf("isRevoked failed: %v", err)
+	}
+	if !revoked {
+		t.Fatalf("token should be revoked")
+	}
+}
--- a/internal/user/errors.go
+++ b/internal/user/errors.go
@@ -0,0 +1,7 @@
+package user
+
+import "fmt"
+
+var (
+	ErrUserNotFound = fmt.Errorf("user not found")
+)
--- a/internal/user/gorm_store.go
+++ b/internal/user/gorm_store.go
@@ -0,0 +1,60 @@
+package user
+
+import (
+	"errors"
+	"fmt"
+
+	"gorm.io/gorm"
+)
+
+type GormUserStore struct {
+	db *gorm.DB
+}
+
+func NewGormUserStore(db *gorm.DB) (*GormUserStore, error) {
+	if db == nil {
+		return nil, fmt.Errorf("db is nil")
+	}
+	return &GormUserStore{
+		db: db,
+	}, nil
+}
+
+func (s *GormUserStore) Create(user *User) error {
+	return s.db.Create(user).Error
+}
+
+// Search returns a user by username or id or email
+// May return [ErrUserNotFound] if user not found
+func (s *GormUserStore) GetBy(by, value string) (*User, error) {
+	if by != "username" && by != "id" && by != "email" {
+		return nil, fmt.Errorf("unsuppored field %s", by)
+	}
+	var user User
+	err := s.db.Where(fmt.Sprintf("%s = ?", by), value).First(&user).Error
+	if err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, ErrUserNotFound
+		}
+		return nil, fmt.Errorf("failed to get user: %w", err)
+	}
+	return &user, nil
+}
+
+func (s *GormUserStore) Update(user *User) error {
+	return s.db.Save(user).Error
+}
+
+func (s *GormUserStore) Delete(id int64) error {
+	return s.db.Delete(&User{}, id).Error
+}
+
+func (s *GormUserStore) init() error {
+	// AutoMigrate models
+	err := s.db.AutoMigrate(&User{})
+	if err != nil {
+		return fmt.Errorf("failed to migrate User model: %w", err)
+	}
+
+	return nil
+}
--- a/internal/user/model.go
+++ b/internal/user/model.go
@@ -0,0 +1,13 @@
+package user
+
+import (
+	"gorm.io/gorm"
+)
+
+type User struct {
+	ID        uint           `gorm:"primaryKey"`
+	Username  string         `gorm:"uniqueIndex;not null"`
+	Email     string         `gorm:"uniqueIndex;not null"`
+	Password  string         `gorm:"not null"`
+	DeletedAt gorm.DeletedAt `gorm:"index"`
+}
--- a/internal/user/service.go
+++ b/internal/user/service.go
@@ -0,0 +1,64 @@
+package user
+
+import "fmt"
+
+type Service struct {
+	initialized bool
+
+	store UserCRUD
+}
+
+func NewService(store UserCRUD) (*Service, error) {
+	if store == nil {
+		return nil, fmt.Errorf("store is nil")
+	}
+	return &Service{
+		store: store,
+	}, nil
+}
+
+func (s *Service) isInitialized() bool {
+	return s.initialized
+}
+
+func (s *Service) Init() error {
+	if s.isInitialized() {
+		return nil
+	}
+
+	err := s.store.init()
+	if err != nil {
+		return fmt.Errorf("failed to initialize user store: %w", err)
+	}
+
+	s.initialized = true
+	return nil
+}
+
+func (s *Service) Create(user *User) error {
+	if !s.isInitialized() {
+		return fmt.Errorf("user service is not initialized")
+	}
+	return s.store.Create(user)
+}
+
+func (s *Service) GetBy(by, value string) (*User, error) {
+	if !s.isInitialized() {
+		return nil, fmt.Errorf("user service is not initialized")
+	}
+	return s.store.GetBy(by, value)
+}
+
+func (s *Service) Update(user *User) error {
+	if !s.isInitialized() {
+		return fmt.Errorf("user service is not initialized")
+	}
+	return s.store.Update(user)
+}
+
+func (s *Service) Delete(id int64) error {
+	if !s.isInitialized() {
+		return fmt.Errorf("user service is not initialized")
+	}
+	return s.store.Delete(id)
+}
--- a/internal/user/store.go
+++ b/internal/user/store.go
@@ -0,0 +1,10 @@
+package user
+
+type UserCRUD interface {
+	Create(user *User) error
+	GetBy(by, value string) (*User, error)
+	Update(user *User) error
+	Delete(id int64) error
+
+	init() error
+}
--- a/internal/user/user_test.go
+++ b/internal/user/user_test.go
@@ -0,0 +1,86 @@
+package user
+
+// DEPRECATED TEST FILE
+
+// import (
+// 	"os"
+// 	"path/filepath"
+// 	"testing"
+
+// 	"gorm.io/driver/sqlite"
+// 	"gorm.io/gorm"
+// )
+
+// func setupTestDB(t *testing.T) *gorm.DB {
+// 	t.Helper()
+
+// 	dbPath := filepath.Join("testdata", "users.db")
+
+// 	_ = os.Remove(dbPath)
+
+// 	db, err := gorm.Open(sqlite.Open(dbPath), &gorm.Config{})
+// 	if err != nil {
+// 		t.Fatalf("failed to open db: %v", err)
+// 	}
+
+// 	if err := db.AutoMigrate(&User{}); err != nil {
+// 		t.Fatalf("failed to migrate: %v", err)
+// 	}
+
+// 	return db
+// }
+
+// func TestUsersCRUD(t *testing.T) {
+// 	db := setupTestDB(t)
+
+// 	store, err := NewGormUserStore(db)
+// 	if err != nil {
+// 		t.Fatalf("failed to create store: %v", err)
+// 	}
+
+// 	service, err := NewService(store)
+// 	if err != nil {
+// 		t.Fatalf("failed to create service: %v", err)
+// 	}
+
+// 	user := &User{
+// 		Username: "testuser",
+// 		Email:    "test@example.com",
+// 		Password: "password123",
+// 	}
+
+// 	if err := service.Create(user); err != nil {
+// 		t.Fatalf("failed to create user: %v", err)
+// 	}
+// 	// retrieved, err := service.GetByID(user.ID)
+// 	// if err != nil {
+// 	// 	t.Fatalf("failed to get user by ID: %v", err)
+// 	// }
+// 	// if retrieved.Username != user.Username {
+// 	// 	t.Fatalf("expected username %s, got %s", user.Username, retrieved.Username)
+// 	// }
+
+// 	// retrievedByUsername, err := service.GetByUsername(user.Username)
+// 	// if err != nil {
+// 	// 	t.Fatalf("failed to get user by username: %v", err)
+// 	// }
+// 	// if retrievedByUsername.Email != user.Email {
+// 	// 	t.Fatalf("expected email %s, got %s", user.Email, retrievedByUsername.Email)
+// 	// }
+
+// 	// user.Email = "newemail@example.com"
+// 	// if err := service.Update(user); err != nil {
+// 	// 	t.Fatalf("failed to update user: %v", err)
+// 	// }
+// 	// retrieved, err = service.GetByID(user.ID)
+// 	// if err != nil {
+// 	// 	t.Fatalf("failed to get user by ID: %v", err)
+// 	// }
+// 	// if retrieved.Email != user.Email {
+// 	// 	t.Fatalf("expected email %s, got %s", user.Email, retrieved.Email)
+// 	// }
+// 	err = service.Delete(user.ID)
+// 	if err != nil {
+// 		t.Fatalf("failed to delete user: %v", err)
+// 	}
+// }
--- a/static/base/css/style.css
+++ b/static/base/css/style.css
@@ -1,120 +1,33 @@
-body {
-  font-family: system-ui, sans-serif;
-  margin: 0;
-  display: flex;
-  flex-direction: column;
-  min-height: 100vh;
-}
-
-header {
-  display: flex;
-  align-items: center;
-  justify-content: space-between;
-  background: #333;
-  color: white;
-  padding: 10px 15px;
-  position: relative;
-}
-
-footer {
-  background: #333;
-  color: white;
-  text-align: center;
-  padding: 10px;
-}
-
-main {
-  flex: 1;
-  padding: 20px;
-  max-width: 1000px;
-  margin: 0 auto;
-}
-
+body {font-family: system-ui, sans-serif; margin: 0; display: flex; flex-direction: column; min-height: 100vh;}
+header {display: flex; align-items: center; justify-content: space-between; background: #333; color: white; padding: 10px 15px; position: relative;}
+footer {background: #333; color: white; text-align: center; padding: 10px;}
+main {flex: 1; padding: 20px; max-width: 1000px; margin: 0 auto;}
+button {cursor:pointer; border-radius: 8px; border: 1px solid #ccc; background:#e4e4e4; padding: 10px 12px; font-size: 16px;}
+button:hover {background: #aa92f8;}
+input {background: #ffffff; padding: 10px 12px; font-size: 15px; border-radius: 8px; border: 1px solid #ccc; transition: border 0.2s, box-shadow 0.2s; width:200px;}
+input:focus {border-color: #7f57ff; box-shadow: 0 0 0 2px rgba(127, 87, 255, 0.2); outline: none;}
+select{background: #ffffff; padding: 10px 12px; font-size: 15px; border-radius: 8px; border: 1px solid #ccc; transition: border 0.2s, box-shadow 0.2s; width:225px;}
+select:focus {border-color: #7f57ff; box-shadow: 0 0 0 2px rgba(127, 87, 255, 0.2); outline: none;}
 /* навигация */
-nav ul {
-  list-style: none;
-  display: flex;
-  gap: 20px;
-  margin: 0;
-  padding: 0;
-}
-
-nav a {
-  color: white;
-  text-decoration: none;
-  font-weight: 500;
-}
-
-nav a:hover {
-  text-decoration: underline;
-}
-
+nav ul {list-style: none; display: flex; gap: 20px; margin: 0; padding: 0;}
+nav a {color: white; text-decoration: none; font-weight: 500;}
+nav a:hover {text-decoration: underline;}
 /* бургер */
-.burger {
-  display: none;
-  flex-direction: column;
-  justify-content: center;
-  gap: 5px;
-  width: 30px;
-  height: 25px;
-  background: none;
-  border: none;
-  cursor: pointer;
-}
-
-.burger span {
-  display: block;
-  height: 3px;
-  width: 100%;
-  background: white;
-  border-radius: 2px;
-  transition: 0.3s;
-}
-
-.burger.active span:nth-child(1) {
-  transform: translateY(8px) rotate(45deg);
-}
-
-.burger.active span:nth-child(2) {
-  opacity: 0;
-}
-
-.burger.active span:nth-child(3) {
-  transform: translateY(-8px) rotate(-45deg);
-}
-
+.burger {display: none; flex-direction: column; justify-content: center; gap: 5px; width: 30px; height: 25px; background: none; border: none; cursor: pointer;}
+.burger span {display: block; height: 3px; width: 100%; background: white; border-radius: 2px; transition: 0.3s;}
+.burger.active span:nth-child(1) {transform: translateY(8px) rotate(45deg);}
+.burger.active span:nth-child(2) {opacity: 0;}
+.burger.active span:nth-child(3) {transform: translateY(-8px) rotate(-45deg);}
 /* сетка */
-.grid-3 {
-  display: grid;
-  grid-template-columns: 15% 70% 15%;
-  gap: 20px;
-  margin-top: 20px;
-}
-
-.grid-block {
-  background: #f5f5f5;
-  padding: 15px;
-  border-radius: 10px;
-  box-shadow: 0 2px 5px rgba(0,0,0,0.1);
-}
+.grid-3 {display: grid; grid-template-columns: 15% 70% 15%; gap: 20px; margin-top: 20px;}
+.grid-block {background: #f5f5f5; padding: 15px; border-radius: 10px; box-shadow: 0 2px 5px rgba(0,0,0,0.1);}
 /* Полупрозрачный фон */
-  .overlay {
-    position: fixed;
-    top: 0;
-    left: 0;
-    width: 100%;
-    height: 100%;
-    background: rgba(0,0,0,0.5);
-    display: flex;
-    justify-content: center;
-    align-items: center;
-    z-index: 1000;
-  }
+.overlay {position: fixed; top: 0; left: 0; width: 100%; height: 100%; background: rgba(0,0,0,0.5); display: flex; justify-content: center; align-items: center; z-index: 1000;}

 /* Окна */
 /* Message */
 .window-popup {width:400px; height:150px; background:#fff; border-radius:10px; display:flex; flex-direction:column; justify-content:center; align-items:center; padding:20px; box-shadow:0 0 10px rgba(0,0,0,0.3); }
-.window-popup button { margin-top:20px; padding:5px 10px; cursor:pointer; }
+

 /* Menu */
 .window-menu { position:absolute; background:#fff; border-radius:10px; border:1px solid rgba(0,0,0,0.12); box-shadow:0 6px 18px rgba(0,0,0,0.12); min-width:160px; z-index:9999; overflow:hidden; }
@@ -135,39 +48,29 @@ nav a:hover {

 /* адаптив */
@media (max-width: 425px) {
-  .grid-3 {
-    grid-template-columns: 1fr;
-  }
-
-  .burger {
-    display: flex;
-  }
-
-  nav {
-    position: absolute;
-    top: 100%;
-    left: 0;
-    width: 100%;
-    background: #222;
-    display: none;
-    flex-direction: column;
-    text-align: center;
-    padding: 10px 0;
-    z-index: 10;
-  }
-
-  nav.open {
-    display: flex;
-    animation: slideDown 0.3s ease;
-  }
-
-  nav ul {
-    flex-direction: column;
-    gap: 10px;
-  }
-
+  .grid-3 {grid-template-columns: 1fr;}
+  .burger {display: flex;}
+  nav {position: absolute; top: 100%; left: 0; width: 100%; background: #222; display: none; flex-direction: column; text-align: center; padding: 10px 0; z-index: 10;}
+  nav.open {display: flex; animation: slideDown 0.3s ease;}
+  nav ul {flex-direction: column; gap: 10px;}
  @keyframes slideDown {
    from { opacity: 0; transform: translateY(-10px); }
    to { opacity: 1; transform: translateY(0); }
  }
 }
+.ui-overlay {position: fixed; inset: 0; background: rgba(0,0,0,.4); display: flex; align-items: center; justify-content: center;}
+.ui-alert {background: #fff; padding: 20px; border-radius: 16px; min-width: 300px; font-family: sans-serif; text-align: center;}
+/* .ui-alert button {margin-top: 20px; border: 1px solid #ccc; padding: 8px 16px; cursor: pointer; border-radius: 8px;} */
+.ui-popup-list {position: fixed; background: #fff; border: 1px solid #ccc; border-radius: 6px; box-shadow: 0 4px 10px rgba(0,0,0,.15); z-index: 1000;}
+.ui-popup-list .icon {width: 16px; text-align: center;}
+.ui-popup-list div {padding: 8px 12px; cursor: pointer; display: flex; align-items: center;}
+.ui-popup-list div:hover {background: #eee;}
+.ui-window {background: #fff; padding: 16px; border-radius: 8px; min-width: 300px; font-family: sans-serif; width: 360px;}
+.ui-window .header {display: flex; justify-content: space-between; font-weight: bold; margin-bottom: 10px; cursor: move; user-select: none;}
+.ui-window .row {display: flex; justify-content: space-between; padding: 4px 0;}
+/* Tabs */
+.tabs {display: flex; border-bottom: 1px solid #ccc; margin-bottom: 10px;}
+.tab {padding: 6px 12px; cursor: pointer;}
+.tab.active {border-bottom: 2px solid #0078d7; font-weight: bold;}
+.tab-content {display: none;}
+.tab-content.active {display: block;}
--- a/static/base/js/app.js
+++ b/static/base/js/app.js
@@ -1,117 +1,126 @@
 /***********************************************************************
- *  ГЛОБАЛЬНОЕ СОСТОЯНИЕ
+ *  access-token хранится только в памяти (без localStorage)
 **********************************************************************/
-let accessToken = null;   // access-token хранится только в памяти (без localStorage)
+let accessToken = null;   
+
 /***********************************************************************
- *  sendRequest УНИВЕРСАЛЬНАЯ ФУНКЦИЯ ДЛЯ ОТПРАВКИ HTTP-ЗАПРОСОВ
+ *  user объект в котором хранятся данные пользователя
+ **********************************************************************/
+const user = {
+  id: 0,
+  name: ""
+}
+
+/***********************************************************************
+ *  apiProtected — это удобная функция для защищённых API-запросов, 
+ * которая: 
 *  
- *  sendRequest(url, options)
- *  - автоматически добавляет Content-Type и credentials
- *  - автоматически превращает body в JSON
- *  - проверяет response.ok
- *  - пробрасывает текст ошибки
- *  - возвращает JSON-ответ
- **********************************************************************/
-//let accessToken = ""; // access только в памяти
-
+ *  - Подставляет стандартные и пользовательские настройки запроса.
+ *  - Добавляет Authorization с токеном.
+ *  - Автоматически сериализует JSON-тело.
+ *  - Парсит ответ.
+ *  - Обрабатывает устаревший токен (401) и повторяет запрос.
+ *  - Выбрасывает ошибки для внешнего try...catch.
+ ***********************************************************************/
 async function apiProtected(path, options = {}) {
-    const send = async () =>
-        fetch(path, {
-            ...options,
-            headers: {
-                ...(options.headers || {}),
-                Authorization: "Bearer " + accessToken,
-                "Content-Type": "application/json"
-            }
-        });
-
-    let r = await send();
-
-    if ((r.status === 401)) {
-        // обновляем access
-        const rr = await fetch("/api/users/refresh", {
-            method: "POST",
-            credentials: "include"
-        });
-
-        if (!rr.ok) throw "refresh failed";
-
-        const j = await rr.json();
-        accessToken = j.access_token;
-
-        r = await send();
-    }
-
-    if (!r.ok) throw await r.text();
-    return r.json();
-}
-
-
-async function sendRequest(url, options = {}) {
-    // Базовые параметры
+    // Базовые настройки
    const defaultOptions = {
+        //method: "GET",
        headers: { "Content-Type": "application/json" },
        credentials: "include"
    };
-
    // Объединяем настройки
    const finalOptions = {
        ...defaultOptions,
        ...options,
        headers: { ...defaultOptions.headers, ...(options.headers || {}) }
    };
-
-    // Если тело — объект, превращаем в JSON
+    // Если есть тело и это объект — сериализуем
    if (finalOptions.body && typeof finalOptions.body === "object") {
        finalOptions.body = JSON.stringify(finalOptions.body);
    }
-
-    let response;
+    // Вспомогательная функция отправки запроса
+    const send = async () => {
        try {
-        response = await fetch(url, finalOptions);
-    } catch (err) {
-        // Сетевые ошибки (сервер не доступен, нет интернета, CORS и т.д.)
-        return {
-            ok: false,
-            status: 0,
-            data: err.toString()
-        };
+            // Добавляем Authorization, если токен есть
+            if (accessToken) {
+                finalOptions.headers.Authorization = `Bearer ${accessToken}`;
            }
-
-    // Читаем тело ответа только один раз
-    let text = await response.text();
+            // Отправляем fetch запрос.
+            const res = await fetch(path, finalOptions);
+            const text = await res.text();
            let data;
+            // Пытаемся распарсить ответ как JSON, если не получается 
+            // — возвращаем текст.
            try {
                data = JSON.parse(text);
            } catch {
                data = text;
            }
-
-    return {
-        ok: response.ok,
-        status: response.status,
-        data
+            return { res, data };
+        } catch (err) {
+            return { res: null, data: err.toString() };
+        }
    };
+    // Первый запрос
+    let { res, data } = await send();
+    // Если 401 — обновляем токен и повторяем
+    if (res && res.status === 401) {
+        await refreshAccess();       // обновляем accessToken
+        ({ res, data } = await send()); // повторный запрос
+    }
+    // Если всё равно ошибка — кидаем
+    if (!res || !res.ok) {
+        throw { status: res ? res.status : 0, data };
+    }
+    return data; // возвращаем распарсенный JSON или текст
 }

+/***************************************************************************
+ * refreshAccess() Обнавление токенов:
+ * 
+ * - Отправляет POST на /api/users/refresh, используя refresh-токен в cookie.
+ * - Проверяет успешность ответа.
+ * - Сохраняет новый access-токен.
+ * - Декодирует токен, чтобы получить user_id.
+ * - Обновляет глобальные данные о пользователе (id и name).
+ ****************************************************************************/
+async function refreshAccess (){
+    //Отправка запроса на обновление токена
+    const rr = await fetch("/api/auth/refresh", {
+        method: "POST",
+        credentials: "include"
+    });
+    // Проверка ответа
+    if (!rr.ok) throw "refresh failed";
+    // Получение нового токена
+    const j = await rr.json();
+    accessToken = j.access_token;
+    // Декодирование payload JWT
+    const payload = JSON.parse(
+            atob(accessToken.split(".")[1].replace(/-/g, "+").replace(/_/g, "/"))
+    );
+    // Обновление данных пользователя
+    user.id = payload.user_id;
+    user.name = (await getUserDataByID(user.id)).name;
+}

-
-/********************************************************************
- * loadMenu функция загрузки блока меню страницы в формате Markdown *
- ********************************************************************/
+/********************************************************************************
+ * loadMenu функция загрузки блока меню страницы в формате Markdown            
+ ********************************************************************************/
 async function loadMenu() {
     await loadBlock("menu/top1", "header");
 }
-/********************************************************************
- * loadPage функция загрузки блока страницы в формате Markdown      *
- ********************************************************************/
+/********************************************************************************
+ * loadPage функция загрузки блока страницы в формате Markdown                 
+ ********************************************************************************/
 async function loadPage(path) {
     await loadBlock(path, "content");
 }

-/********************************************************************
- * loadMdScript функция загрузки Markdown библиотеки                *
- ********************************************************************/
+/*********************************************************************************
+ * loadMdScript функция загрузки Markdown библиотеки                
+ *********************************************************************************/
 function loadMdScript(src) {
    return new Promise((resolve, reject) => {
        const script = document.createElement('script');
@@ -123,24 +132,32 @@ async function loadMenu() {
    });
 }

-/********************************************************************
- * loadBlock функция загрузки блока в формате Markdown              *
- ********************************************************************/
+/**********************************************************************************
+ * loadBlock — это универсальная функция для динамического контента:
+ *
+ * - Находит контейнер по id.
+ * - Очищает старый контент и связанные скрипты/стили.
+ * - Запрашивает блок через apiProtected.
+ * - Преобразует Markdown в HTML.
+ * - Добавляет CSS и JS динамически.
+ * - Вызывает pageInit() блока, если есть.
+ * - Обрабатывает ошибки.
+ **********************************************************************************/
 async function loadBlock(path, block_Name) {
+    // Получаем контейнер блока
    const container = document.getElementById(block_Name);
    if (!container) {
-    //console.warn(`loadBlock: контейнер #${block_Name} не найден — игнорируем`);
        return;
    }
+    // Обработка пути
    path = path.replace(/\/$/, "");
-    //console.log(path);
    if (!container) {
        console.error(`loadBlock ERROR: element #${block_Name} not found`);
        return;
    }
    const blockName = path === "pages" ? "pages/home" : path;
-    //console.log(blockName);
    try {
+        // Очистка контейнера и старых динамических стилей/скриптов
        container.innerHTML = '';
        document.querySelectorAll('style[data-dynamic], script[data-dynamic]').forEach(el => {
            const name = el.getAttribute('data-dynamic');
@@ -148,28 +165,27 @@ if (!container) {
                el.remove();
            }
        });
-        const response = await sendRequest(`/api/block/${blockName}`);
-        if (!response.ok) {
-            throw new Error(`Failed to load block: ${response.status}`);
-        }
-
+        // Получение блока с сервера
+        const response = await apiProtected(`/api/block/${blockName}`, {method: "GET"});
        // Динамически подгружаем markdown-it, если он ещё не загружен
        if (!window.markdownit) {
            await loadMdScript('/static/js/markdown-it.min.js');
        }
-
-        const { content: mdContent, css, js } = response.data;
+        const { content: mdContent, css, js } = response;
       // Преобразуем markdown в HTML
        if (mdContent) {
            const md = window.markdownit({ html: true, linkify: true, typographer: true });
            container.innerHTML = md.render(mdContent);
+            container?.id?.match(/^loadedBlock_\d+_view$/) && (document.getElementById(container.id.replace('_view', '_html')).innerHTML = mdContent);
        }
+        // Добавление CSS блока
        if (css) {
            const style = document.createElement('style');
            style.dataset.dynamic = block_Name;
            style.textContent = css;
            document.head.appendChild(style);
        }
+        // Добавление JS блока
        if (js) {
            const script = document.createElement('script');
            script.dataset.dynamic = block_Name;
@@ -185,24 +201,35 @@ if (!container) {
            `;
            document.body.appendChild(script);
        }
+    // Обработка ошибок
    } catch (err) {
        console.error(err);
        container.innerHTML = "<h2>блок не найден</h2>";
    }
 }

-// SPA-навигация
+/*****************************************************************************
+ * SPA-навигация
+ *****************************************************************************/
 function navigateTo(url, target) {
    const clean = url.replace(/^\//, "");
    history.pushState({}, "", "/" + clean);
    loadBlock("pages/" + clean, target);
 }

-// Поддержка кнопки "назад/вперед"
+/*****************************************************************************
+ * Поддержка кнопки "назад/вперед"
+ *****************************************************************************/
 window.addEventListener("popstate", () => {loadBlock(location.pathname);});
-// Обработка истории браузера
+
+/*****************************************************************************
+ * Обработка истории браузера
+ *****************************************************************************/
 window.addEventListener("popstate", () => loadBlock(window.location.pathname));
-// Инициализация после загрузки DOM
+
+/*****************************************************************************
+ * Инициализация после загрузки DOM
+ *****************************************************************************/
 window.onload = async function ()  {
    let url = window.location.href;
   // Убираем слеш в конце, если он есть
@@ -215,13 +242,14 @@ window.onload = async function ()  {
    await loadMenu();
    await loadPage("pages"+window.location.pathname);
 };
-// Перехватчик ссылок
+
+/*****************************************************************************
+ * Перехватчик ссылок
+ *****************************************************************************/
 window.addEventListener("click", (event) => {
    const a = event.target.closest("a");
    if (!a) return;
-
    const href = a.getAttribute("href");
-
    // игнорируем внешние ссылки и mailto:
    if (!href || href.startsWith("http") || href.startsWith("mailto:")) return;
    const target = a.dataset.target || "content"; // default = content
@@ -229,64 +257,305 @@ window.addEventListener("click", (event) => {
    navigateTo(href, target);
 });

-//popup
-  function popup(message, afterClose){
-    // Создаём overlay
-    const overlay = document.createElement('div');
-    overlay.className = 'overlay';
-    // Создаём popup
-    const popup = document.createElement('div');
-    popup.className = 'popup';
-    // Добавляем текст
-    const text = document.createElement('div');
-    text.textContent = message;
-    // Добавляем кнопку закрытия
-    const closeBtn = document.createElement('button');
-    closeBtn.textContent = 'Закрыть';
-    closeBtn.addEventListener('click', () => {
-      overlay.remove();
-          if (typeof afterClose === 'function') {
-      afterClose();   // ← ВАША ФУНКЦИЯ ПОСЛЕ ЗАКРЫТИЯ
-    }
-    });
-  }
-//popupMenu
-  function popupMenu(message, afterClose){
-    // Создаём popupMenu
-    const popupMenu = document.createElement('div');
-    popup.className = 'popup_Menu';
-    // Добавляем текст
-    const text = document.createElement('div');
-    text.textContent = message;
-    // Добавляем кнопку закрытия
-    const closeBtn = document.createElement('button');
-    closeBtn.textContent = 'Закрыть';
-    closeBtn.addEventListener('click', () => {
-      overlay.remove();
-          if (typeof afterClose === 'function') {
-      afterClose();   // ← ВАША ФУНКЦИЯ ПОСЛЕ ЗАКРЫТИЯ
-    }
-    });
-
-    popup.appendChild(text);
-    popup.appendChild(closeBtn);
-    overlay.appendChild(popup);
-    document.body.appendChild(overlay);
-  };
-
-  /* ------------------- Переключение видимости пароля ------------------- */

+/*****************************************************************************
+ * Переключение видимости пароля
+ *****************************************************************************/
 document.addEventListener("click", (e) => {
    if (!e.target.classList.contains("toggle-pass")) return;
-//console.log("toggle");
+console.log("toggle");
    const input = e.target.previousElementSibling;
    if (!input) return;

    if (input.type === "password") {
        input.type = "text";
-        e.target.textContent = "🙈";
+        e.target.textContent = "*";//🔓
    } else {
        input.type = "password";
-        e.target.textContent = "👁";
+        e.target.textContent = "A";//🔒
    }
 });
+
+/*****************************************************************************
+ * Получение данных пользователя. Пример использования:
+ * btn.onclick = async function () {
+ *      const user = await getUserDataByID(3);
+ *      alert(user.name);
+ *  };
+ *****************************************************************************/
+async function getUserDataByID(id) {
+    const data = await apiProtected(
+        `/api/users/getUserData?userid=${encodeURIComponent(id)}&by=id`
+    );
+    return {
+        id: data.ID,
+        name: data.Username
+    }
+}
+
+/******************************************************************************
+ * Функция userLogin:
+ *
+ * - пытается залогиниться через API,
+ * - возвращает accessToken при успехе,
+ * - бросает понятные ошибки (INVALID_CREDENTIALS, LOGIN_FAILED) при неудаче.
+ ******************************************************************************/
+async function userLogin(username, password) {
+    try {
+        // Запрос логина
+        const r = await apiProtected(`/api/auth/login`, {
+            method: "POST",
+            headers: {
+                "Content-Type": "application/json"
+            },
+            body: JSON.stringify({
+                username,
+                password
+            })
+        });
+        // Проверка access token
+        if (!r?.access_token) {
+            throw new Error("Token not received");
+        }
+        const payload = JSON.parse(
+            atob(r.access_token.split(".")[1].replace(/-/g, "+").replace(/_/g, "/"))
+    );
+        // Успешный результат
+        user.name = username;
+        user.id = payload.user_id;
+        return {
+            accessToken: r.access_token
+        };
+    // Обработка ошибок (catch)    
+    } catch (err) {
+        // err — объект { status, data } из apiProtected
+        if (err?.status === 401) {
+            throw new Error("INVALID_CREDENTIALS");
+        }
+        // Неверный логин / пароль
+        console.error("Login error:", err);
+        throw new Error("LOGIN_FAILED");
+    }
+}
+
+/******************************************************************************
+ * userLogout — это функция выхода пользователя из системы.
+ ******************************************************************************/
+async function userLogout() {
+    accessToken = "";
+    await fetch("/api/auth/logout", { method: "POST", credentials: "include" });
+};
+
+/******************************************************************************
+ * userRegister функция которая:
+ *
+ * - регистрирует нового пользователя,
+ * - возвращает ответ сервера при успехе,
+ * - преобразует HTTP-ошибки в бизнес-ошибки, понятные UI.
+ ******************************************************************************/
+async function userRegister(username, password) {
+    try {
+        // Запрос регистрации
+        const data = await apiProtected("/api/auth/register", {
+            method: "POST",
+            body: {
+                username,
+                password
+            }
+        });
+        // Успешный результат
+        return data;
+    // Перехват ошибок
+    } catch (err) {
+        // Сюда прилетают ошибки, брошенные apiProtected:
+        // Логирование
+        console.error("Register error:", err);
+        // Маппинг HTTP → бизнес-ошибки
+        // Некорректные данные
+        if (err?.status === 400) {
+            throw new Error("BAD_REQUEST");
+        }
+        // Пользователь уже существует
+        if (err?.status === 409) {
+            throw new Error("USER_EXISTS");
+        }
+        // Любая другая ошибка
+        throw new Error("REGISTER_FAILED");
+    }
+}
+
+/***************************************************************************
+ * Класса UIComponents это статический UI-helper, который:
+ *
+ * - не хранит состояние приложения
+ * - не зависит от фреймворков
+ * - создаёт всплывающие UI-элементы поверх страницы
+ * 
+ * Содержит методы:
+ * 
+ * - UIComponents.showAlert(...)
+ * - UIComponents.confirm(...)
+ * - UIComponents.showPopupList(...)
+ * - UIComponents.showFileProperties(...)
+ ***************************************************************************/
+class UIComponents {
+    /* ============== 1. АЛЕРТ С ОВЕРЛЕЕМ ============== */
+    /*  Показывает модальное окно с кнопкой OK.  
+        с затемняющим фоном, который перекрывает страницу*/
+    static showAlert(message) {//, title = 'Сообщение'
+        const overlay = document.createElement('div');
+        overlay.className = 'ui-overlay';
+
+        const alertBox = document.createElement('div');
+        alertBox.className = 'window-popup';//ui-alert
+
+        alertBox.innerHTML = 
+            //<h3>${title}</h3>
+            `<p>${message}</p>
+            <button>OK</button>
+        `;
+
+        alertBox.querySelector('button').onclick = () => {
+            overlay.remove();
+        };
+
+        overlay.appendChild(alertBox);
+        document.body.appendChild(overlay);
+    }
+
+    /*==================== 2. confirm ===================== */
+    /*                Аналог window.confirm                 */
+    static confirm(message, title = 'Подтверждение') {
+    return new Promise(resolve => {
+        const overlay = document.createElement('div');
+        overlay.className = 'ui-overlay';
+
+        const box = document.createElement('div');
+        box.className = 'ui-alert';
+
+        box.innerHTML = `
+            <h3>${title}</h3>
+            <p>${message}</p>
+            <div style="display:flex;justify-content:center;gap:12px;margin-top:16px">
+                <button data-yes>Да</button>
+                <button data-no>Нет</button>
+            </div>
+        `;
+
+        const close = (result) => {
+            overlay.remove();
+            resolve(result);
+        };
+
+        box.querySelector('[data-yes]').onclick = () => close(true);
+        box.querySelector('[data-no]').onclick = () => close(false);
+
+        overlay.appendChild(box);
+        document.body.appendChild(overlay);
+    });
+}
+
+
+    /* ========== 3. ПОПАП СПИСОК ========== */
+static showPopupList(items = {}, x = 0, y = 0) {
+    // Удаляем предыдущий popup
+    if (UIComponents.currentPopup) {
+        UIComponents.currentPopup.remove();
+        UIComponents.currentPopup = null;
+    }
+
+    const popup = document.createElement('div');
+    popup.className = 'ui-popup-list';
+    popup.style.left = x + 'px';
+    popup.style.top = y + 'px';
+
+    for (const [name, fn] of Object.entries(items)) {
+        const el = document.createElement('div');
+        el.textContent = name;
+        el.onclick = () => {
+            fn();                 // вызываем конкретную функцию
+            popup.remove();
+            UIComponents.currentPopup = null;
+        };
+        popup.appendChild(el);
+    }
+
+    document.body.appendChild(popup);
+    UIComponents.currentPopup = popup;
+
+    const removePopup = () => {
+        if (UIComponents.currentPopup) {
+            UIComponents.currentPopup.remove();
+            UIComponents.currentPopup = null;
+        }
+        document.removeEventListener('click', removePopup);
+    };
+    setTimeout(() => document.addEventListener('click', removePopup), 0);
+}
+
+    /* ========== 4. ОКНО "СВОЙСТВА ФАЙЛА" ========== */
+    static showFileProperties(general = {}, details = {}) {
+        const overlay = document.createElement('div');
+        overlay.className = 'ui-overlay';
+
+        const win = document.createElement('div');
+        win.className = 'ui-window';
+        win.style.position = 'absolute';
+
+        const rows = obj =>
+            Object.entries(obj)
+                .map(([k, v]) => `<div class="row"><span>${k}</span><span>${v}</span></div>`)
+                .join('');
+
+        win.innerHTML = `
+            <div class="header">
+                <span>Свойства</span>
+                <button>&times;</button>
+            </div>
+
+            <div class="tabs">
+                <div class="tab active" data-tab="general">Общие</div>
+                <div class="tab" data-tab="details">Подробно</div>
+            </div>
+
+            <div class="tab-content active" id="general">${rows(general)}</div>
+            <div class="tab-content" id="details">${rows(details)}</div>
+        `;
+
+        win.querySelector('button').onclick = () => overlay.remove();
+
+        /* tabs */
+        win.querySelectorAll('.tab').forEach(tab => {
+            tab.onclick = () => {
+                win.querySelectorAll('.tab, .tab-content')
+                    .forEach(e => e.classList.remove('active'));
+
+                tab.classList.add('active');
+                win.querySelector('#' + tab.dataset.tab).classList.add('active');
+            };
+        });
+
+        /* drag */
+        const header = win.querySelector('.header');
+        header.onmousedown = (e) => {
+            const r = win.getBoundingClientRect();
+            const dx = e.clientX - r.left;
+            const dy = e.clientY - r.top;
+
+            document.onmousemove = e =>
+                Object.assign(win.style, {
+                    left: e.clientX - dx + 'px',
+                    top: e.clientY - dy + 'px'
+                });
+
+            document.onmouseup = () => document.onmousemove = null;
+        };
+
+        overlay.appendChild(win);
+        document.body.appendChild(overlay);
+
+        win.style.left = 'calc(50% - 180px)';
+        win.style.top = '20%';
+    }
+}
+
--- a/static/base/main.html
+++ b/static/base/main.html
@@ -1,12 +1,11 @@
-
 <!DOCTYPE html>
 <html lang="ru">
 <head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <base href="/">   
-  <link rel="icon" type="image/png" href="/static/img/favicon.png">
-  <title>JWT SPA project</title>
+  <link rel="icon" type="image/png" href="/img/favicon.png">
+  <title>TS Web</title>
  <link rel="stylesheet" href="/static/css/style.css">
  <script defer src="/static/js/app.js"></script>
 </head>
@@ -18,7 +17,7 @@
  <main id="content"></main>

  <footer>
-    <p>© 2025 Go Markdown SPA</p>
+    <p>© 2025 TriggersSmith web</p>
  </footer>
 </body>
 </html>
--- a/static/blocks/menu/top1/content.md
+++ b/static/blocks/menu/top1/content.md
@@ -17,5 +17,6 @@
        <li><a href="/gpt" data-link="true" data-target="content">GPT</a></li>
        <li><a href="/ACL" data-link="true" data-target="content">ACL</a></li>
        <li><a href="/userSlava/popup" data-link="true" data-target="content">Сообщения popup</a></li>
+        <li><a href="/session" data-link="true" data-target="content">Сессия</a></li>
    </ul>
 </nav>
--- a/static/blocks/pages/login/script.js
+++ b/static/blocks/pages/login/script.js
@@ -12,7 +12,7 @@ async function UserLogin() {
    const p = document.getElementById("password").value;

    try {
-        const r = await fetch("/api/users/login", {
+        const r = await fetch("/api/auth/login", {
            method: "POST",
            credentials: "include",
            headers: { "Content-Type": "application/json" },
@@ -35,7 +35,7 @@ async function UserLogin() {

 async function UserLogout() {
    try {
-        await fetch("/api/users/logout", { method: "POST", credentials: "include" });
+        await fetch("/api/auth/logout", { method: "POST", credentials: "include" });
        accessToken = "";
        alert("logged out");
    } catch (err) {
--- a/static/blocks/pages/session/content.md
+++ b/static/blocks/pages/session/content.md
@@ -0,0 +1,19 @@
+<div class="form1" id="login_block">
+
+# Вход в систему
+
+Пожалуйста, введите ваши данные для входа.
+
+  <div class="grid-block">
+        <label for="username">Имя пользователя</label>
+        <input type="text" id="username" name="username" required>
+        <label for="password">Пароль</label>
+        <input type="password" id="password" name="password" required>
+        <button type="submit" id="login_btn">Войти</button>
+  </div>
+</div>
+
+<div class="form1" id="user_block">
+  <p id="user_info"></p>
+  <button id="logout_btn">Выйти</button>
+</div>
--- a/static/blocks/pages/session/script.js
+++ b/static/blocks/pages/session/script.js
@@ -0,0 +1,67 @@
+async function initUser() {
+    try {
+        // Если нет токена, делаем refresh
+        if (!accessToken) {
+            await refreshAccess ();
+        }
+        // Проверяем, получили ли токен
+        if (!accessToken) throw new Error("no token");
+        // выводим имя пользователя
+        user_info.innerHTML = `Вы зашли как: ${user.name}. </br> Ваш ID:${user.id}`;
+        // Показываем блок пользователя
+        showUser()
+    } catch (e) {
+        // Показываем блок логина
+        showLogin()
+        console.error(e);
+    }
+}
+
+
+function showLogin() {
+    login_block.classList.remove("hiden_block");
+    user_block.classList.add("hiden_block");
+}
+
+function showUser() {
+    login_block.classList.add("hiden_block");
+    user_block.classList.remove("hiden_block");
+}
+initUser();
+
+/* --------------------------- Логин ------------------------------- */
+
+async function onLoginClick() {
+    try {
+        const { accessToken: token } = await userLogin(
+            username.value.trim(),
+            password.value
+        );
+
+        accessToken = token;
+        // UIComponents.showAlert("Вы успешно вошли как "+user.name+".</br> Ваш ID:"+user.id);
+
+        username.value = "";
+        password.value = "";
+
+    } catch (e) {
+        switch (e.message) {
+            case "INVALID_CREDENTIALS":
+                UIComponents.showAlert("Неверный логин или пароль");
+                break;
+            case "BAD_REQUEST":
+                UIComponents.showAlert("Некорректный запрос");
+                break;
+            default:
+                UIComponents.showAlert("Ошибка при логине");
+        }
+    }
+    initUser();
+}
+
+/* ------------------- Кнопки ------------------- */
+logout_btn.onclick = async () => {
+    await userLogout();   // вызываем существующую функцию
+    initUser();           // делаем своё
+};
+login_btn.onclick = onLoginClick;
--- a/static/blocks/pages/session/style.css
+++ b/static/blocks/pages/session/style.css
@@ -0,0 +1,78 @@
+  .hiden_block{
+    display:none;
+  }
+
+  .form1 {
+    background: #fff;
+    padding: 10px;
+    border-radius: 16px;
+    box-shadow: 0 4px 20px rgba(0,0,0,0.1);
+    /*max-width: 250px;
+    width: 100%;*/
+    width: 250px;
+  }
+
+  .form1 h1 {
+    margin-top: 0;
+    text-align: center;
+    font-size: 26px;
+    color: #333;
+  }
+
+  .form1 p {
+    text-align: center;
+    color: #666;
+    margin-bottom: 25px;
+  }
+
+    .form1 .grid-block h3 {
+    margin-bottom: 15px;
+    color: #444;
+    text-align: center;
+  } 
+
+   .form1 form {
+    display: flex;
+    flex-direction: column;
+    gap: 14px;
+  }
+
+  .form1 label {
+    font-size: 15px;
+    color: #555;
+  }
+
+  .form1 input {
+    padding: 10px 12px;
+    font-size: 15px;
+    border-radius: 8px;
+    border: 1px solid #ccc;
+    transition: border 0.2s, box-shadow 0.2s;
+  }
+
+  .form1 input:focus {
+    border-color: #7f57ff;
+    box-shadow: 0 0 0 2px rgba(127, 87, 255, 0.2);
+    outline: none;
+  }
+
+  .form1 button {
+    width: 100%;
+    padding: 10px 12px;
+    font-size: 16px;
+    background:#e4e4e4;
+    /* color: white; */
+    border: 1px solid #ccc;
+    border-radius: 8px;
+    cursor: pointer;
+    margin-top: 10px;
+    transition: background 0.25s, transform 0.1s;
+  }
+
+  .form1 button:hover {
+    background: #aa92f8;
+  }
+
+  .form1 button:active {
+    transform: scale(0.98);
+  }
--- a/static/blocks/pages/userSlava/login/script.js
+++ b/static/blocks/pages/userSlava/login/script.js
@@ -12,14 +12,14 @@ btn_prot.onclick = async () => {

 async function UserLogout() {
    accessToken = "";
-    await fetch("/api/users/logout", { method: "POST", credentials: "include" });
+    await fetch("/api/auth/logout", { method: "POST", credentials: "include"});
 };

 async function UserLogin() {
    const u = log_user.value,
        p = log_pass.value;

-    const r = await fetch("/api/users/login", {
+    const r = await fetch("/api/auth/login", {
        method: "POST",
        credentials: "include",
        headers: { "Content-Type": "application/json" },
Author	SHA1	Message	Date
Alexey	68bce99e1d	add docs to gitignore	2026-01-03 15:47:04 +02:00
Alexey	d64645599d	front	2026-01-03 15:46:06 +02:00
Alexey	6ce7edd194	add internal gorm erros	2026-01-03 15:45:47 +02:00
Alexey	c718db565e	add internal token erorrs	2026-01-03 15:45:34 +02:00
Alexey	af7770eb06	add user struct returning	2026-01-03 15:45:23 +02:00
Alexey	8e67bae683	add error handling logic	2026-01-03 15:44:48 +02:00
Alexey	5468c831c4	add internal auth errors	2026-01-03 15:44:25 +02:00
Alexey	600cf84776	add revoke method	2026-01-03 15:43:43 +02:00
Alexey	0485fd3bee	add register method	2026-01-03 15:43:22 +02:00
Alexey	f2f7819f8c	add refresh method	2026-01-03 15:43:12 +02:00
Alexey	48d9c14944	add me method (not implemented)	2026-01-03 15:43:00 +02:00
Alexey	cadb42d17a	add logout method	2026-01-03 15:42:29 +02:00
Alexey	0510103125	add login method	2026-01-03 15:42:19 +02:00
Alexey	e75390f673	add get user data method	2026-01-03 15:42:09 +02:00
Alexey	bf96ca1263	errors file	2026-01-03 15:41:39 +02:00
Alexey	ca569d25bc	refactor and documentation	2026-01-03 15:41:21 +02:00
Alexey	1468937589	move ProblemDetails	2026-01-03 15:39:42 +02:00
Alexey	9070b4138e	add real ip logging	2026-01-03 15:39:00 +02:00
Alexey	ac26a981b2	swag fmt	2025-12-21 22:21:58 +02:00
Alexey	e9d8877fbf	fully implement acl backend and interface	2025-12-21 22:18:29 +02:00
Alexey	85f8ac60e7	some changes	2025-12-21 00:00:03 +02:00
Alexey	904f446447	basicly implement acl crud ops with roles and resources	2025-12-20 17:38:15 +02:00
Alexey	c188b46519	gitignore add data dir	2025-12-20 17:37:34 +02:00
Alexey	8e31a84b0e	get some modules	2025-12-20 17:36:52 +02:00
Alexey	bd06d071b2	add swagger	2025-12-20 17:36:36 +02:00
Alexey	f0d7d79e0f	add swagger	2025-12-20 17:36:24 +02:00
Alexey	78a8e46b3e	implement endpoint /roles	2025-12-19 14:27:17 +02:00
Alexey	69281f3337	fmt	2025-12-19 14:27:01 +02:00
Alexey	07ec64b1bb	add acl service	2025-12-19 14:26:37 +02:00
Alexey	cd465d42a3	add init functions	2025-12-19 14:26:28 +02:00
Alexey	c0a187d461	implement basic acl operations and tests	2025-12-19 14:26:05 +02:00
Alexey	5a34a445cf	add acl service	2025-12-19 14:25:43 +02:00
Alexey	e12b4dea12	add legacy route and new	2025-12-19 09:23:03 +02:00
Alexey	beba3cfb4b	comment incorrect test	2025-12-18 20:03:21 +02:00
Alexey	0f966fa17e	remove unused functions	2025-12-18 20:02:49 +02:00
Alexey	7546d1bece	fix issue with NewService and remove unused GetById/Username	2025-12-18 20:02:38 +02:00
Alexey	45f4c76ff5	mod GetBy function	2025-12-18 20:01:28 +02:00
Alexey	73343fd57b	format	2025-12-18 19:59:57 +02:00
Alexey	6c9f8bcec0	fix test	2025-12-18 19:59:49 +02:00
Alexey	f65150cec3	add config to deps	2025-12-18 19:59:22 +02:00
Alexey	99fd0f5776	add function what returns http.StatusNotImplemented	2025-12-18 19:59:06 +02:00
Alexey	524749b329	rename called function	2025-12-18 19:58:41 +02:00
Alexey	c80f7932b4	add doc	2025-12-18 19:58:29 +02:00
Alexey	e2b92f8ba1	make jwt.Parse public	2025-12-18 19:58:21 +02:00
Alexey	a1f6c1ffa9	add jwt config	2025-12-18 19:58:04 +02:00
Alexey	7e581d99f5	create auth package	2025-12-18 19:57:51 +02:00
Alexey	ad980ee600	implement work with services	2025-12-18 19:57:38 +02:00
Alexey	438bed8f13	implement some auth (user) endpoints	2025-12-18 19:57:20 +02:00
Alexey	e9b7f8ca17	rename	2025-12-18 19:56:56 +02:00
Alexey	ae1e5600ae	go mod bcrypt	2025-12-18 19:56:46 +02:00
Alexey	44d39db701	git ignore add secret	2025-12-18 19:56:31 +02:00
Alexey	adf61a4d1d	add token config	2025-12-18 11:25:07 +02:00
Alexey	97253ee9c7	add field UserID	2025-12-18 11:24:57 +02:00
Alexey	4ae85c73bb	remove prefix Token	2025-12-18 11:24:48 +02:00
Alexey	16b6b292c6	make functions more universal	2025-12-18 11:24:34 +02:00
Alexey	6f4657caff	add comments	2025-12-18 10:50:08 +02:00
Alexey	53761db1e0	add user crud interface in impl	2025-12-18 10:49:56 +02:00
Alexey	603f007c63	gitignore add testdata/ and remove cached tokens.db	2025-12-18 10:49:35 +02:00
Alexey	597000f222	add jwt creating and parsing	2025-12-18 10:48:27 +02:00
Alexey	3b74f5c43d	go get uuid	2025-12-18 10:47:58 +02:00
Alexey	8de6a9212a	add auth service to main router's deps	2025-12-18 09:48:14 +02:00
Alexey	64dad6619e	require jwt	2025-12-18 09:47:14 +02:00
Alexey	cdde811e72	add token service, sqlite driver and test	2025-12-18 09:46:57 +02:00
Alexey	8836ea2673	remove comment	2025-12-17 18:51:46 +02:00