Restructure the projec and start adding projects

Signed-off-by: Nikolai Rodionov <iam@allanger.xyz>

internal/services/accounts.go

@@ -0,0 +1,107 @@
+package services
+
+import (
+	"context"
+	"database/sql"
+	"errors"
+	"time"
+
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/hash"
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/logger"
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/repository"
+	"github.com/google/uuid"
+
+	"github.com/redis/go-redis/v9"
+)
+
+var (
+	ErrEmailUsed     = errors.New("email is already used")
+	ErrUserNotFound  = errors.New("user not found")
+	ErrWrongPassword = errors.New("wrong password")
+)
+
+type AccountController struct {
+	DB              *sql.DB
+	Redis           *redis.Client
+	DevMode         bool
+	HashCost        int16
+	AccessTokenTTL  time.Duration
+	RefreshTokenTTL time.Duration
+	JWTSecret       []byte
+}
+
+type JWT struct {
+	RefreshToken string
+	AccessToken  string
+}
+
+type AccountParams struct{}
+
+type AccountData struct {
+	Password string
+	Email    string
+	UUID     string
+	Name     string
+	Surname  string
+}
+
+// Create a new account
+func (c *AccountController) Create(ctx context.Context, data *AccountData) (string, error) {
+	log := logger.FromContext(ctx).WithValues("email", data.Email)
+	log.V(2).Info("Creating a user")
+	data.UUID = uuid.New().String()
+
+	passwordHash, err := hash.HashPassword(data.Password, int(c.HashCost))
+	if err != nil {
+		log.Error(err, "Couldn't crate the password hash")
+		return "", ErrServerError
+	}
+
+	queryData := &repository.AccountData{
+		UUID:         data.UUID,
+		Email:        data.Email,
+		PasswordHash: passwordHash,
+		Name:         data.Name,
+		Surname:      data.Surname,
+	}
+
+	if err := repository.CreateAccount(ctx, c.DB, queryData); err != nil {
+		if errors.Is(err, repository.ErrAlreadyExists) {
+			return "", ErrEmailUsed
+		}
+		log.Error(err, "Couldn't create a user")
+		return "", ErrServerError
+	}
+
+	return data.UUID, nil
+}
+
+// Login into an existing account (check password and email)
+func (c *AccountController) Login(ctx context.Context, email, password string) (string, error) {
+	log := logger.FromContext(ctx).WithValues("email", email)
+	log.V(2).Info("Trying to verify user login")
+
+	passwordHash, err := repository.GetPasswordHashForEmail(ctx, c.DB, email)
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			return "", ErrUserNotFound
+		}
+		log.Error(err, "Couldn't get the password hash")
+		return "", ErrServerError
+	}
+
+	if err := hash.CheckPasswordHash(password, passwordHash); err != nil {
+		return "", ErrWrongPassword
+	}
+
+	uuid, err := repository.GetUUIDForEmail(ctx, c.DB, email)
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			return "", ErrUserNotFound
+		}
+		log.Error(err, "Couldn't get tha password hash")
+		return "", ErrServerError
+	}
+
+	return uuid, nil
+}

internal/services/accounts_test.go

@@ -0,0 +1,151 @@
+package services_test
+
+import (
+	"context"
+	"database/sql"
+	"fmt"
+	"os"
+	"testing"
+	"time"
+
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/postgres"
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/services"
+	"github.com/google/uuid"
+	_ "github.com/jackc/pgx/v5/stdlib"
+	"github.com/redis/go-redis/v9"
+	"github.com/stretchr/testify/assert"
+)
+
+func newTestDBConnection(ctx context.Context) *sql.DB {
+	connStr, ok := os.LookupEnv("SOFTPLAYER_DB_CONNECTION_STRING")
+	if !ok {
+		// Default connection string
+		connStr = "postgres://softplayer:qwertyu9@localhost:30432/softplayer?sslmode=disable"
+	}
+	db, err := postgres.Open(ctx, connStr)
+	if err != nil {
+		panic(err)
+	}
+	return db
+}
+
+func newTestRedisConnection() *redis.Client {
+	connStr, ok := os.LookupEnv("SOFTPLAYER_REDIS_HOST")
+	if !ok {
+		// Default redis host
+		connStr = "localhost:30379"
+	}
+	return redis.NewClient(&redis.Options{
+		Addr: connStr,
+	})
+}
+
+func newTestAccountController(ctx context.Context) *services.AccountController {
+	return &services.AccountController{
+		DB:              newTestDBConnection(ctx),
+		Redis:           newTestRedisConnection(),
+		DevMode:         true,
+		HashCost:        3,
+		AccessTokenTTL:  time.Second * 10,
+		RefreshTokenTTL: time.Second * 15,
+		JWTSecret:       []byte("test-secret"),
+	}
+}
+
+func newTestUniqueEmail(prefix string) string {
+	if prefix == "" {
+		prefix = "test"
+	}
+
+	return fmt.Sprintf(
+		"%s-%d-%s@example.com",
+		prefix,
+		time.Now().UnixMilli(),
+		uuid.NewString(),
+	)
+}
+
+func TestIntegrationAccountCreate_Success(t *testing.T) {
+	ctrl := newTestAccountController(t.Context())
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    newTestUniqueEmail("accounts"),
+		Surname:  "Doe",
+		Name:     "John",
+	}
+	id, err := ctrl.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, id)
+}
+
+func TestIntegrationAccountCreate_ExistingAccountErr(t *testing.T) {
+	ctrl := newTestAccountController(t.Context())
+	email := newTestUniqueEmail("accounts")
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    email,
+		Surname:  "Doe",
+		Name:     "John",
+	}
+	id, err := ctrl.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, id)
+
+	id, err = ctrl.Create(t.Context(), accountData)
+	assert.Empty(t, id)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, services.ErrEmailUsed)
+}
+
+func TestIntegrationAccountLogin_Success(t *testing.T) {
+	ctrl := newTestAccountController(t.Context())
+	email := newTestUniqueEmail("accounts")
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    email,
+	}
+	id, err := ctrl.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, id)
+	accountData.UUID = id
+
+	id, err = ctrl.Login(t.Context(), accountData.Email, accountData.Password)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, id)
+}
+
+func TestIntegrationAccountLogin_WrongPassword(t *testing.T) {
+	ctrl := newTestAccountController(t.Context())
+	email := newTestUniqueEmail("accounts")
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    email,
+	}
+	id, err := ctrl.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, id)
+	accountData.UUID = id
+
+	id, err = ctrl.Login(t.Context(), accountData.Email, "Wrong Password")
+	assert.Empty(t, id)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, services.ErrWrongPassword)
+}
+
+func TestIntegrationAccountLogin_WrongEmail(t *testing.T) {
+	ctrl := newTestAccountController(t.Context())
+	email := newTestUniqueEmail("accounts")
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    email,
+	}
+	id, err := ctrl.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, id)
+	accountData.UUID = id
+
+	id, err = ctrl.Login(t.Context(), "some@email.com", "Wrong Password")
+	assert.Empty(t, id)
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, services.ErrUserNotFound)
+}

internal/services/authorization.go

@@ -0,0 +1,230 @@
+package services
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"slices"
+	"strings"
+	"time"
+
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/cache"
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/logger"
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/google/uuid"
+	"github.com/grpc-ecosystem/go-grpc-middleware/v2/interceptors/auth"
+	"github.com/redis/go-redis/v9"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+)
+
+type TokenType string
+
+const (
+	TokenTypeAccess  TokenType = "access"
+	TokenTypeRefresh TokenType = "refresh"
+	TokenAudToken    string    = "token"
+	TokenAudWeb      string    = "web"
+)
+
+var (
+	ErrUnknownTokenType = errors.New("token type unknown")
+	ErrInvalidToken     = errors.New("invalid token")
+	ErrSessionNotFound  = errors.New("session not found")
+)
+
+type Claims struct {
+	UserID    string    `json:"user_id"`
+	TokenID   string    `json:"token_id"`
+	TokenType TokenType `json:"token_type"`
+	Scope     string    `json:"scope,omitempty"`
+	jwt.RegisteredClaims
+}
+
+type AuthController struct {
+	jwtSecret  []byte
+	accessTTL  time.Duration
+	refreshTTL time.Duration
+	redis      *redis.Client
+}
+
+type contextKey string
+
+const claimsContextKey contextKey = "jwt_claims"
+
+func NewAuthController(jwtSecret []byte, accessTTL, refreshTTL time.Duration, redis *redis.Client) *AuthController {
+	return &AuthController{
+		jwtSecret:  jwtSecret,
+		accessTTL:  accessTTL,
+		refreshTTL: refreshTTL,
+		redis:      redis,
+	}
+}
+
+type JWTData struct {
+	UserID    string
+	TokenType TokenType
+	TokenAud  string
+	Scope     string
+}
+
+// Write claims into context
+func WithClaims(ctx context.Context, claims *Claims) context.Context {
+	return context.WithValue(ctx, claimsContextKey, claims)
+}
+
+// Extract claims from context
+func ClaimsFromContext(ctx context.Context) (*Claims, error) {
+	claims, ok := ctx.Value(claimsContextKey).(*Claims)
+	if !ok || claims == nil {
+		return nil, errors.New("claims not found in context")
+	}
+
+	return claims, nil
+}
+
+func (a *AuthController) AuthInterceptorFN(ctx context.Context) (context.Context, error) {
+	tokenString, err := auth.AuthFromMD(ctx, "bearer")
+	if err != nil {
+		return nil, err
+	}
+
+	claims, err := a.ParseToken(tokenString)
+	if err != nil {
+		return nil, status.Error(codes.Unauthenticated, "Invalid JWT token")
+	}
+	if method, ok := grpc.Method(ctx); ok {
+		if claims.TokenType == TokenTypeRefresh && !strings.Contains(method, "RefreshToken") {
+			return nil, status.Error(codes.Unauthenticated, "Refresh token is not allowed for this method")
+		}
+	}
+
+	// If it's a cli token, we need to check the scope
+	if slices.Contains(claims.Audience, TokenAudToken) {
+		currentMethod, ok := grpc.Method(ctx)
+		if !ok {
+			return nil, errors.New("unknown method")
+		}
+
+		scopeMap := map[string][]string{}
+		if err := json.Unmarshal([]byte(claims.Scope), &scopeMap); err != nil {
+			return nil, ErrServerError
+		}
+		allowed := isAllowed(scopeMap, currentMethod)
+		if !allowed {
+			return nil, errors.New("not authorized")
+		}
+	}
+
+	ctx = WithClaims(ctx, claims)
+	return ctx, nil
+}
+
+func isAllowed(scope map[string][]string, currentMethod string) bool {
+	for service, methods := range scope {
+		for _, method := range methods {
+			if fmt.Sprintf("/%s/%s", service, method) == currentMethod {
+				return true
+			}
+		}
+	}
+	return false
+}
+
+// Generate JWT token
+func (a *AuthController) GenerateToken(data *JWTData) (token, tokenID string, err error) {
+	var expiresAt time.Time
+	notBefore := time.Now()
+	switch data.TokenType {
+	case TokenTypeAccess:
+		expiresAt = time.Now().Add(a.accessTTL)
+	case TokenTypeRefresh:
+		expiresAt = time.Now().Add(a.refreshTTL)
+	default:
+		return "", "", ErrUnknownTokenType
+	}
+
+	tokenID = uuid.New().String()
+
+	claims := Claims{
+		UserID:    data.UserID,
+		TokenID:   tokenID,
+		TokenType: data.TokenType,
+		Scope:     data.Scope,
+		RegisteredClaims: jwt.RegisteredClaims{
+			Issuer:    "",
+			Subject:   data.UserID,
+			Audience:  jwt.ClaimStrings{data.TokenAud},
+			ExpiresAt: jwt.NewNumericDate(expiresAt),
+			NotBefore: jwt.NewNumericDate(notBefore),
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+			ID:        tokenID,
+		},
+	}
+
+	tokenJwt := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	token, err = tokenJwt.SignedString(a.jwtSecret)
+	if err != nil {
+		return "", "", err
+	}
+	return
+}
+
+func (a *AuthController) ParseToken(tokenStr string) (*Claims, error) {
+	token, err := jwt.ParseWithClaims(
+		tokenStr,
+		&Claims{},
+		func(token *jwt.Token) (interface{}, error) {
+			return a.jwtSecret, nil
+		},
+	)
+	if err != nil {
+		return nil, err
+	}
+
+	claims, ok := token.Claims.(*Claims)
+	if !ok || !token.Valid {
+		return nil, ErrInvalidToken
+	}
+
+	return claims, nil
+}
+
+type Session struct {
+	UserID string `json:"user_id"`
+}
+
+func (a *AuthController) SaveSession(ctx context.Context, tokenID string, session *Session) error {
+	log := logger.FromContext(ctx)
+	sessionJSON, err := json.Marshal(session)
+	if err != nil {
+		log.Error(err, "Couldn't marshal a session into json")
+		return ErrServerError
+	}
+	if err := cache.SaveToCache(ctx, a.redis, cache.CacheFolderSessions, tokenID, string(sessionJSON), a.refreshTTL); err != nil {
+		log.Error(err, "Couldn't save the session")
+		return ErrServerError
+	}
+	return nil
+}
+
+func (a *AuthController) GetSession(ctx context.Context, tokenID string) (*Session, error) {
+	log := logger.FromContext(ctx)
+	sessionRaw := cache.GetFromCache(ctx, a.redis, cache.CacheFolderSessions, tokenID)
+	if sessionRaw == "" {
+		return nil, ErrSessionNotFound
+	}
+	if err := cache.DeleteFromCache(ctx, a.redis, cache.CacheFolderSessions, tokenID); err != nil {
+		// Just log an error
+		log.Error(err, "Couldn't remove a session from the cache")
+	}
+
+	session := &Session{}
+	if err := json.Unmarshal([]byte(sessionRaw), session); err != nil {
+		return nil, ErrServerError
+	}
+
+	return session, nil
+}

internal/services/authorization_test.go

@@ -0,0 +1,71 @@
+package services_test
+
+import (
+	"testing"
+	"time"
+
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/services"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+var (
+	testAccessTTL  = time.Second * 5
+	testRefreshTTL = time.Second * 20
+	testUserID     = uuid.New().String()
+)
+
+func TestGenerateInvalidTokenType(t *testing.T) {
+	data := &services.JWTData{
+		UserID:    testUserID,
+		TokenType: "invalid_type",
+	}
+
+	authCtrl := services.NewAuthController([]byte("test"), testAccessTTL, testRefreshTTL, nil)
+
+	token, _, err := authCtrl.GenerateToken(data)
+	assert.Equal(t, "", token)
+	assert.ErrorIs(t, services.ErrUnknownTokenType, err)
+}
+
+func TestGenerateValidateAccessToken(t *testing.T) {
+	data := &services.JWTData{
+		UserID:    testUserID,
+		TokenType: services.TokenTypeAccess,
+	}
+	authCtrl := services.NewAuthController([]byte("test"), testAccessTTL, testRefreshTTL, nil)
+	now := time.Now()
+	token, _, err := authCtrl.GenerateToken(data)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, token)
+
+	claims, err := authCtrl.ParseToken(token)
+	assert.NoError(t, err)
+	assert.Equal(t, testUserID, claims.UserID)
+	assert.NotEmpty(t, claims.TokenID)
+	assert.Equal(t, services.TokenTypeAccess, claims.TokenType)
+	assert.Equal(t, now.Add(testAccessTTL).Unix(), claims.ExpiresAt.Unix())
+	assert.Equal(t, now.Unix(), claims.IssuedAt.Unix())
+	assert.Equal(t, now.Unix(), claims.NotBefore.Unix())
+}
+
+func TestGenerateValidateRefreshToken(t *testing.T) {
+	data := &services.JWTData{
+		UserID:    testUserID,
+		TokenType: services.TokenTypeRefresh,
+	}
+	authCtrl := services.NewAuthController([]byte("test"), testAccessTTL, testRefreshTTL, nil)
+	now := time.Now()
+	token, _, err := authCtrl.GenerateToken(data)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, token)
+
+	claims, err := authCtrl.ParseToken(token)
+	assert.NoError(t, err)
+	assert.Equal(t, testUserID, claims.UserID)
+	assert.NotEmpty(t, claims.TokenID)
+	assert.Equal(t, services.TokenTypeRefresh, claims.TokenType)
+	assert.Equal(t, now.Add(testRefreshTTL).Unix(), claims.ExpiresAt.Unix())
+	assert.Equal(t, now.Unix(), claims.IssuedAt.Unix())
+	assert.Equal(t, now.Unix(), claims.NotBefore.Unix())
+}

internal/services/projects.go

@@ -0,0 +1,35 @@
+package services
+
+import (
+	"context"
+
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/logger"
+)
+
+type ProjectsController struct{}
+
+type ProjectData struct{}
+
+// Create a new project
+// It should create a project and set an owner to it
+func (ctrl *ProjectsController) Create(ctx context.Context, data *ProjectData) (id string, err error) {
+	log := logger.FromContext(ctx)
+	log.V(2).Info("Creating a project")
+
+	return "", nil
+}
+
+// Update an existing project
+func (ctrl *ProjectsController) Update(ctx context.Context, data *ProjectData) error {
+	return nil
+}
+
+// Get an existing project by ID
+func (ctrl *ProjectsController) Get(ctx context.Context, projectID string) (data *ProjectData, err error) {
+	return nil, nil
+}
+
+// List projects available for a user
+func (ctrl *ProjectsController) List(ctx context.Context) (data []*ProjectData, err error) {
+	return nil, nil
+}

internal/services/tokens.go

@@ -0,0 +1,353 @@
+// Package controllers for token management
+// This a token controller, that implements the logic around tokens
+package services
+
+import (
+	"context"
+	"crypto/sha256"
+	"database/sql"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"regexp"
+	"testing"
+	"time"
+
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/cache"
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/logger"
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/helpers/token"
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/repository"
+	"github.com/google/uuid"
+	"github.com/redis/go-redis/v9"
+	"github.com/stretchr/testify/assert"
+	"google.golang.org/grpc"
+)
+
+type TokenController struct {
+	DB          *sql.DB
+	ServiceInfo map[string]grpc.ServiceInfo
+	rules       []rule
+	Redis       *redis.Client
+}
+
+// DisabledServicesRegex is a slice of regex to catch the services
+// that are not available for tokens
+var DisabledServicesRegex = []string{".*Accounts.*", ".*Tokens.*"}
+
+// Errors
+var (
+	ErrServerError       = errors.New("internal server error")
+	ErrUserTokenMismatch = errors.New("user doesn't match the token")
+	ErrBadToken          = errors.New("bad token")
+	ErrTokenNotFound     = errors.New("token not found")
+)
+
+type TokenData struct {
+	UUID        string
+	Name        string
+	UserID      string
+	CreatedAt   time.Time
+	LastUsedAt  time.Time
+	RevokedAt   time.Time
+	ExpiresAt   time.Time
+	GeneratedAt time.Time
+	Scopes      map[string][]string
+}
+
+// SetGRPCInfo must happen after all the service are initialized
+func (ctrl *TokenController) SetGRPCInfo(info map[string]grpc.ServiceInfo) {
+	ctrl.ServiceInfo = info
+}
+
+func (ctrl *TokenController) SetRules() {
+	rules := []rule{
+		{re: regexp.MustCompile(`.*Tokens.*`)},
+		{re: regexp.MustCompile(`.*Accounts.*`)},
+		{re: regexp.MustCompile(`.*Reflection.*`)},
+	}
+	ctrl.rules = rules
+}
+
+// VerifyTokenOwner is there to ensure that a user can't manipulate tokens of other users
+func (ctrl *TokenController) VerifyTokenOwner(ctx context.Context, userID, tokenID string) error {
+	log := logger.FromContext(ctx).WithValues("uuid", tokenID, "user_id", userID)
+	log.V(2).Info("Verifying the token owner")
+
+	realUserID := cache.GetFromCache(ctx, ctrl.Redis, cache.CacheFolderToken, tokenID)
+	// If not found in cache, get from postgres
+	if realUserID == "" {
+		query := "SELECT user_id FROM tokens WHERE uuid = $1;"
+		if err := ctrl.DB.QueryRowContext(ctx, query, tokenID).Scan(
+			&realUserID,
+		); err != nil {
+			log.Error(err, "Couldn't get user_id for a token")
+			return ErrServerError
+		}
+	}
+
+	if realUserID != userID {
+		return ErrUserTokenMismatch
+	}
+	if err := cache.SaveToCache(ctx, ctrl.Redis, cache.CacheFolderToken, realUserID, tokenID, time.Hour); err != nil {
+		log.Info("Couldn't write to cache", "error", err)
+	}
+	return nil
+}
+
+// Create a new token, store its hash in the database and return the token value
+func (ctrl *TokenController) Create(ctx context.Context, data *TokenData) (string, string, error) {
+	id := uuid.NewString()
+	log := logger.FromContext(ctx).WithValues("uuid", id)
+	log.V(2).Info("Creating a new token")
+
+	userExists, err := repository.IsAccountExist(ctx, ctrl.DB, data.UserID)
+	if err != nil {
+		log.Error(err, "Couldn't check whether a user exists")
+		return "", "", ErrServerError
+	}
+
+	// If user doesn't exist, do not generate a token
+	if !userExists {
+		return "", "", ErrUserNotFound
+	}
+
+	tokenValue, err := token.GenerateToken()
+	if err != nil {
+		log.Error(err, "Couldn't create a token")
+		return "", "", ErrServerError
+	}
+
+	tokenHash := hashSHA256(tokenValue)
+
+	scopesJSON, err := json.Marshal(data.Scopes)
+	if err != nil {
+		log.Error(err, "Couldn't marshal permissions into json")
+		return "", "", ErrServerError
+	}
+
+	queryData := &repository.TokenData{
+		UUID:        id,
+		Decsription: data.Name,
+		TokenHash:   tokenHash,
+		UserID:      data.UserID,
+		CreatedAt:   time.Now(),
+		GeneratedAt: time.Now(),
+		ExpiresAt:   data.ExpiresAt,
+		Scope:       string(scopesJSON),
+	}
+
+	if err := repository.CreateToken(ctx, ctrl.DB, queryData); err != nil {
+		log.Error(err, "Couldn't create a token")
+		return "", "", ErrServerError
+	}
+
+	return tokenValue, id, nil
+}
+
+// Update token name or permissions, other changes are ignored by this method
+func (ctrl *TokenController) Update(ctx context.Context, data *TokenData) error {
+	log := logger.FromContext(ctx).WithValues("uuid", data.UUID)
+	log.V(2).Info("Updating a token")
+
+	scopesJSON, err := json.Marshal(data.Scopes)
+	if err != nil {
+		log.Error(err, "Couldn't marshal permissions into json")
+		return ErrServerError
+	}
+
+	queryData := &repository.TokenData{
+		UUID:        data.UUID,
+		Scope:       string(scopesJSON),
+		Decsription: data.Name,
+	}
+
+	if err := repository.UpdateToken(ctx, ctrl.DB, queryData); err != nil {
+		log.Error(err, "Couldn't update a token")
+		return ErrServerError
+	}
+
+	return nil
+}
+
+// ForceExpiration of a token, so it can no longer be used
+func (ctrl *TokenController) ForceExpiration(ctx context.Context, tokenID string) error {
+	log := logger.FromContext(ctx).WithValues("uuid", tokenID)
+	log.V(2).Info("Forcing a token expiration")
+
+	if err := repository.RevokeToken(ctx, ctrl.DB, tokenID, time.Now()); err != nil {
+		log.Error(err, "Couldn't revoke a token")
+		return ErrServerError
+	}
+	return nil
+}
+
+// Regenerate a token and get a new value
+func (ctrl *TokenController) Regenerate(ctx context.Context, tokenID string) (string, error) {
+	log := logger.FromContext(ctx).WithValues("uuid", tokenID)
+	log.V(2).Info("Regenerating a token")
+
+	tokenValue, err := token.GenerateToken()
+	if err != nil {
+		log.Error(err, "Couldn't create a token")
+		return "", ErrServerError
+	}
+
+	tokenHash := hashSHA256(tokenValue)
+
+	if err := repository.RegenerateToken(ctx, ctrl.DB, tokenID, tokenHash, time.Now()); err != nil {
+		log.Error(err, "Couldn't regenerate a token")
+		return "", err
+	}
+
+	return tokenValue, nil
+}
+
+// Get an existing token data
+func (ctrl *TokenController) Get(ctx context.Context, id, userID string) (*TokenData, error) {
+	log := logger.FromContext(ctx).WithValues("uuid", id, "user_id", userID)
+	log.V(2).Info("Getting a token")
+
+	queryResult, err := repository.GetToken(ctx, ctrl.DB, id, userID)
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			return nil, ErrTokenNotFound
+		}
+		log.Error(err, "Couldn't get a token from DB")
+		return nil, ErrServerError
+	}
+
+	scope := map[string][]string{}
+	if err := json.Unmarshal([]byte(queryResult.Scope), &scope); err != nil {
+		log.Error(err, "Couldn't unmarshal scope into json")
+		return nil, ErrServerError
+
+	}
+
+	result := &TokenData{
+		UUID:        queryResult.UUID,
+		Name:        queryResult.Decsription,
+		CreatedAt:   queryResult.CreatedAt,
+		LastUsedAt:  queryResult.LastUsedAt,
+		RevokedAt:   queryResult.RevokedAt,
+		ExpiresAt:   queryResult.ExpiresAt,
+		GeneratedAt: queryResult.GeneratedAt,
+		Scopes:      scope,
+	}
+
+	return result, nil
+}
+
+// List all available token
+func (ctrl *TokenController) List(ctx context.Context, userID string) ([]TokenData, error) {
+	log := logger.FromContext(ctx).WithValues("user_id", userID)
+	log.V(2).Info("Regenerating a token")
+
+	result := []TokenData{}
+
+	queryResult, err := repository.ListTokensByUserID(ctx, ctrl.DB, userID)
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			return nil, ErrTokenNotFound
+		}
+		log.Error(err, "Couldn't list tokens")
+		return nil, ErrServerError
+	}
+
+	for _, tokenResult := range queryResult {
+		scope := map[string][]string{}
+		if err := json.Unmarshal([]byte(tokenResult.Scope), &scope); err != nil {
+			log.Error(err, "Couldn't unmarshal scope into json")
+			return nil, ErrServerError
+
+		}
+
+		t := TokenData{
+			UUID:        tokenResult.UUID,
+			Name:        tokenResult.Decsription,
+			CreatedAt:   tokenResult.CreatedAt,
+			LastUsedAt:  tokenResult.LastUsedAt,
+			RevokedAt:   tokenResult.RevokedAt,
+			ExpiresAt:   tokenResult.ExpiresAt,
+			GeneratedAt: tokenResult.GeneratedAt,
+			Scopes:      scope,
+		}
+		result = append(result, t)
+	}
+
+	return result, nil
+}
+
+// ListPermissions returnes all available permissions
+func (ctrl *TokenController) ListPermissions(ctx context.Context) (result map[string][]string) {
+	result = map[string][]string{}
+	for key, val := range ctrl.ServiceInfo {
+		if shouldSkip(key, ctrl.rules) {
+			continue
+		}
+		var services []string
+		for _, svc := range val.Methods {
+			services = append(services, svc.Name)
+		}
+		result[key] = services
+	}
+	return
+}
+
+type rule struct {
+	re *regexp.Regexp
+}
+
+func shouldSkip(s string, rules []rule) bool {
+	for _, r := range rules {
+		if r.re.MatchString(s) {
+			return true
+		}
+	}
+	return false
+}
+
+type TokenAuthResult struct {
+	UserID string
+	Scope  string
+}
+
+func (ctrl *TokenController) AuthenticateWithToken(ctx context.Context, token string) (*TokenAuthResult, error) {
+	log := logger.FromContext(ctx)
+	log.V(2).Info("Authenticating with a token")
+
+	queryResult, err := repository.GetTokenDataBySHA(ctx, ctrl.DB, hashSHA256(token))
+	if err != nil {
+		if errors.Is(err, repository.ErrNotFound) {
+			return nil, ErrTokenNotFound
+		}
+		log.Error(err, "Couldn't get token by sha")
+		return nil, err
+	}
+
+	if !queryResult.RevokedAt.IsZero() {
+		return nil, ErrBadToken
+	}
+
+	if queryResult.ExpiresAt.Before(time.Now()) {
+		return nil, ErrBadToken
+	}
+
+	result := &TokenAuthResult{
+		UserID: queryResult.UserID,
+		Scope:  queryResult.Scope,
+	}
+
+	return result, nil
+}
+
+func hashSHA256(s string) string {
+	hash := sha256.Sum256([]byte(s))
+	return hex.EncodeToString(hash[:])
+}
+
+func TestUnitHashPersistence(t *testing.T) {
+	password := "qwertyu9"
+	hash1 := hashSHA256(password)
+	hash2 := hashSHA256(password)
+	assert.Equal(t, hash1, hash2)
+}

internal/services/tokens_test.go

@@ -0,0 +1,403 @@
+package services_test
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+	"time"
+
+	"gitea.badhouseplants.net/softplayer/softplayer-backend/internal/services"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+)
+
+func newTestTokensController(ctx context.Context) *services.TokenController {
+	return &services.TokenController{
+		DB:    newTestDBConnection(ctx),
+		Redis: newTestRedisConnection(),
+	}
+}
+
+func TestIntegrationCreateToken_Success(t *testing.T) {
+	// Create a user for the token
+	ctrlAccount := newTestAccountController(t.Context())
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    newTestUniqueEmail("accounts"),
+	}
+	id, err := ctrlAccount.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+
+	tokenData := &services.TokenData{
+		Name:      "Test Token",
+		UserID:    id,
+		ExpiresAt: time.Now().Add(time.Second * 5),
+		Scopes: map[string][]string{
+			"Test": {"test", "test2"},
+		},
+	}
+
+	ctrl := newTestTokensController(t.Context())
+	tokenVal, tokenID, err := ctrl.Create(t.Context(), tokenData)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, tokenID)
+	assert.NotEmpty(t, tokenVal)
+}
+
+func TestIntegrationCreateToken_UserNotExist(t *testing.T) {
+	tokenData := &services.TokenData{
+		Name:      "Test Token",
+		UserID:    uuid.NewString(),
+		ExpiresAt: time.Now().Add(time.Second * 5),
+		Scopes: map[string][]string{
+			"Test": {"test", "test2"},
+		},
+	}
+
+	ctrl := newTestTokensController(t.Context())
+	tokenVal, tokenID, err := ctrl.Create(t.Context(), tokenData)
+
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, services.ErrUserNotFound)
+	assert.Empty(t, tokenID)
+	assert.Empty(t, tokenVal)
+}
+
+func TestIntegrationGetToken_Success(t *testing.T) {
+	// Create a user for the token
+	ctrlAccount := newTestAccountController(t.Context())
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    newTestUniqueEmail("accounts"),
+	}
+
+	now := time.Now()
+	userID, err := ctrlAccount.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+
+	tokenData := &services.TokenData{
+		Name:      "Test Token",
+		UserID:    userID,
+		ExpiresAt: time.Now().Add(time.Second * 5),
+		Scopes: map[string][]string{
+			"Test": {"test", "test2"},
+		},
+	}
+
+	ctrl := newTestTokensController(t.Context())
+	_, tokenID, err := ctrl.Create(t.Context(), tokenData)
+	assert.NoError(t, err)
+
+	token, err := ctrl.Get(t.Context(), tokenID, userID)
+	assert.NoError(t, err)
+	assert.Equal(t, now.Truncate(time.Second), token.GeneratedAt.Truncate(time.Second))
+	assert.Equal(t, now.Truncate(time.Second), token.CreatedAt.Truncate(time.Second))
+	assert.Equal(t, tokenData.Scopes, token.Scopes)
+	assert.Equal(t, tokenData.Name, token.Name)
+	assert.Equal(t, tokenData.ExpiresAt.Truncate(time.Second), token.ExpiresAt.Truncate(time.Second))
+}
+
+func TestIntegrationGetToken_NotExists(t *testing.T) {
+	ctrl := newTestTokensController(t.Context())
+	token, err := ctrl.Get(t.Context(), uuid.NewString(), uuid.NewString())
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, services.ErrTokenNotFound)
+	assert.Empty(t, token)
+}
+
+func TestIntegrationGetToken_WrongRequest(t *testing.T) {
+	ctrl := newTestTokensController(t.Context())
+	token, err := ctrl.Get(t.Context(), "test", "test")
+	assert.Error(t, err)
+	assert.ErrorIs(t, err, services.ErrServerError)
+	assert.Empty(t, token)
+}
+
+func TestIntegrationVerifyTokenOwner_Success(t *testing.T) {
+	// Create a user for the token
+	ctrlAccount := newTestAccountController(t.Context())
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    newTestUniqueEmail("accounts"),
+	}
+
+	userID, err := ctrlAccount.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+
+	tokenData := &services.TokenData{
+		Name:      "Test Token",
+		UserID:    userID,
+		ExpiresAt: time.Now().Add(time.Second * 5),
+		Scopes: map[string][]string{
+			"Test": {"test", "test2"},
+		},
+	}
+
+	ctrl := newTestTokensController(t.Context())
+	_, tokenID, err := ctrl.Create(t.Context(), tokenData)
+	assert.NoError(t, err)
+	assert.NoError(t, ctrl.VerifyTokenOwner(t.Context(), userID, tokenID))
+}
+
+func TestIntegrationVerifyTokenOwner_WrongOwner(t *testing.T) {
+	// Create a user for the token
+	ctrlAccount := newTestAccountController(t.Context())
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    newTestUniqueEmail("accounts"),
+	}
+
+	secondAccountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    newTestUniqueEmail("accounts"),
+	}
+	userID, err := ctrlAccount.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+
+	secondUserID, err := ctrlAccount.Create(t.Context(), secondAccountData)
+	assert.NoError(t, err)
+
+	tokenData := &services.TokenData{
+		Name:      "Test Token",
+		UserID:    userID,
+		ExpiresAt: time.Now().Add(time.Second * 5),
+		Scopes: map[string][]string{
+			"Test": {"test", "test2"},
+		},
+	}
+
+	ctrl := newTestTokensController(t.Context())
+	_, tokenID, err := ctrl.Create(t.Context(), tokenData)
+	assert.NoError(t, err)
+	assert.ErrorIs(t, ctrl.VerifyTokenOwner(t.Context(), secondUserID, tokenID), services.ErrUserTokenMismatch)
+}
+
+func TestIntegrationForceExpiration_Success(t *testing.T) {
+	// Create a user for the token
+	ctrlAccount := newTestAccountController(t.Context())
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    newTestUniqueEmail("accounts"),
+	}
+
+	userID, err := ctrlAccount.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+
+	tokenData := &services.TokenData{
+		Name:      "Test Token",
+		UserID:    userID,
+		ExpiresAt: time.Now().Add(time.Second * 5),
+		Scopes: map[string][]string{
+			"Test": {"test", "test2"},
+		},
+	}
+
+	ctrl := newTestTokensController(t.Context())
+	_, tokenID, err := ctrl.Create(t.Context(), tokenData)
+	assert.NoError(t, err)
+	now := time.Now()
+	assert.NoError(t, ctrl.ForceExpiration(t.Context(), tokenID))
+	token, err := ctrl.Get(t.Context(), tokenID, userID)
+	assert.NoError(t, err)
+	assert.Equal(t, now.Truncate(time.Second), token.RevokedAt.Truncate(time.Second))
+}
+
+func TestIntegrationRegenerateToken_Success(t *testing.T) {
+	// Create a user for the token
+	ctrlAccount := newTestAccountController(t.Context())
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    newTestUniqueEmail("accounts"),
+	}
+
+	now := time.Now()
+	userID, err := ctrlAccount.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+
+	tokenData := &services.TokenData{
+		Name:      "Test Token",
+		UserID:    userID,
+		ExpiresAt: time.Now().Add(time.Second * 5),
+		Scopes: map[string][]string{
+			"Test": {"test", "test2"},
+		},
+	}
+
+	ctrl := newTestTokensController(t.Context())
+	_, tokenID, err := ctrl.Create(t.Context(), tokenData)
+	assert.NoError(t, err)
+
+	token, err := ctrl.Get(t.Context(), tokenID, userID)
+	assert.NoError(t, err)
+	assert.Equal(t, now.Truncate(time.Second), token.GeneratedAt.Truncate(time.Second))
+	assert.Equal(t, now.Truncate(time.Second), token.CreatedAt.Truncate(time.Second))
+	assert.Equal(t, tokenData.Scopes, token.Scopes)
+	assert.Equal(t, tokenData.Name, token.Name)
+	assert.Equal(t, tokenData.ExpiresAt.Truncate(time.Second), token.ExpiresAt.Truncate(time.Second))
+	time.Sleep(5 * time.Second)
+
+	newNow := time.Now()
+	newToken, err := ctrl.Regenerate(t.Context(), tokenID)
+	assert.NotEmpty(t, newToken)
+	assert.NoError(t, err)
+
+	newExpiresAt := tokenData.ExpiresAt.Add(5 * time.Second)
+
+	updatedToken, err := ctrl.Get(t.Context(), tokenID, userID)
+	assert.NoError(t, err)
+	assert.Equal(t, newNow.Truncate(time.Second), updatedToken.GeneratedAt.Truncate(time.Second))
+	assert.Equal(t, now.Truncate(time.Second), updatedToken.CreatedAt.Truncate(time.Second))
+	assert.Equal(t, tokenData.Scopes, updatedToken.Scopes)
+	assert.Equal(t, tokenData.Name, updatedToken.Name)
+	assert.Equal(t, newExpiresAt.Truncate(time.Second), updatedToken.ExpiresAt.Truncate(time.Second))
+}
+
+func TestIntegrationListTokens_Success(t *testing.T) {
+	// Create a user for the token
+	ctrlAccount := newTestAccountController(t.Context())
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    newTestUniqueEmail("accounts"),
+	}
+
+	userID, err := ctrlAccount.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+
+	tokenDataOne := &services.TokenData{
+		Name:      "Test Token",
+		UserID:    userID,
+		ExpiresAt: time.Now().Add(time.Second * 5),
+		Scopes: map[string][]string{
+			"Test": {"test", "test2"},
+		},
+	}
+	tokenDataTwo := &services.TokenData{
+		Name:      "Test Token again",
+		UserID:    userID,
+		ExpiresAt: time.Now().Add(time.Second * 5),
+		Scopes: map[string][]string{
+			"Test": {"test", "test2"},
+		},
+	}
+
+	ctrl := newTestTokensController(t.Context())
+	_, _, err = ctrl.Create(t.Context(), tokenDataOne)
+	assert.NoError(t, err)
+	_, _, err = ctrl.Create(t.Context(), tokenDataTwo)
+	assert.NoError(t, err)
+
+	tokens, err := ctrl.List(t.Context(), userID)
+	assert.NoError(t, err)
+	assert.Len(t, tokens, 2)
+}
+
+func TestIntegrationAuthenticateWithToken_Success(t *testing.T) {
+	ctrlAccount := newTestAccountController(t.Context())
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    newTestUniqueEmail("accounts"),
+	}
+	id, err := ctrlAccount.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+
+	tokenData := &services.TokenData{
+		Name:      "Test Token",
+		UserID:    id,
+		ExpiresAt: time.Now().Add(time.Second * 5),
+		Scopes: map[string][]string{
+			"Test": {"test", "test2"},
+		},
+	}
+
+	ctrl := newTestTokensController(t.Context())
+	tokenVal, _, err := ctrl.Create(t.Context(), tokenData)
+	assert.NoError(t, err)
+
+	auth, err := ctrl.AuthenticateWithToken(t.Context(), tokenVal)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, auth.Scope)
+	assert.NotEmpty(t, auth.UserID)
+	assert.Equal(t, id, auth.UserID)
+
+	scope := map[string][]string{}
+	assert.NoError(t, json.Unmarshal([]byte(auth.Scope), &scope))
+	assert.NoError(t, err)
+	assert.Equal(t, tokenData.Scopes, scope)
+}
+
+func TestIntegrationAuthenticateWithToken_UnknownToken(t *testing.T) {
+	ctrl := newTestTokensController(t.Context())
+	auth, err := ctrl.AuthenticateWithToken(t.Context(), "dummy")
+	assert.Error(t, err)
+	assert.Nil(t, auth)
+	assert.ErrorIs(t, err, services.ErrTokenNotFound)
+}
+
+func TestIntegrationAuthenticateWithToken_Expired(t *testing.T) {
+	ctrlAccount := newTestAccountController(t.Context())
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    newTestUniqueEmail("accounts"),
+	}
+	id, err := ctrlAccount.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+
+	tokenData := &services.TokenData{
+		Name:      "Test Token",
+		UserID:    id,
+		ExpiresAt: time.Now().Add(time.Second * 5),
+		Scopes: map[string][]string{
+			"Test": {"test", "test2"},
+		},
+	}
+
+	ctrl := newTestTokensController(t.Context())
+	tokenVal, _, err := ctrl.Create(t.Context(), tokenData)
+	assert.NoError(t, err)
+
+	auth, err := ctrl.AuthenticateWithToken(t.Context(), tokenVal)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, auth.Scope)
+	assert.NotEmpty(t, auth.UserID)
+	assert.Equal(t, id, auth.UserID)
+
+	time.Sleep(time.Second * 6)
+	auth, err = ctrl.AuthenticateWithToken(t.Context(), tokenVal)
+	assert.Error(t, err)
+	assert.Nil(t, auth)
+	assert.ErrorIs(t, err, services.ErrBadToken)
+}
+
+func TestIntegrationAuthenticateWithToken_Revoked(t *testing.T) {
+	ctrlAccount := newTestAccountController(t.Context())
+	accountData := &services.AccountData{
+		Password: "qwertyu9",
+		Email:    newTestUniqueEmail("accounts"),
+	}
+	id, err := ctrlAccount.Create(t.Context(), accountData)
+	assert.NoError(t, err)
+
+	tokenData := &services.TokenData{
+		Name:      "Test Token",
+		UserID:    id,
+		ExpiresAt: time.Now().Add(time.Second * 5),
+		Scopes: map[string][]string{
+			"Test": {"test", "test2"},
+		},
+	}
+
+	ctrl := newTestTokensController(t.Context())
+	tokenVal, tokenID, err := ctrl.Create(t.Context(), tokenData)
+	assert.NoError(t, err)
+	auth, err := ctrl.AuthenticateWithToken(t.Context(), tokenVal)
+	assert.NoError(t, err)
+	assert.NotEmpty(t, auth.Scope)
+	assert.NotEmpty(t, auth.UserID)
+	assert.Equal(t, id, auth.UserID)
+
+	assert.NoError(t, ctrl.ForceExpiration(t.Context(), tokenID))
+	auth, err = ctrl.AuthenticateWithToken(t.Context(), tokenVal)
+	assert.Error(t, err)
+	assert.Nil(t, auth)
+	assert.ErrorIs(t, err, services.ErrBadToken)
+}