🎨 Update project structure

pkg/internal/database/migrator.go

@@ -0,0 +1,32 @@
+package database
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"gorm.io/gorm"
+)
+
+var AutoMaintainRange = []any{
+	&models.Account{},
+	&models.AuthFactor{},
+	&models.AccountProfile{},
+	&models.AccountPage{},
+	&models.AccountContact{},
+	&models.AccountFriendship{},
+	&models.Badge{},
+	&models.Realm{},
+	&models.RealmMember{},
+	&models.AuthTicket{},
+	&models.MagicToken{},
+	&models.ThirdClient{},
+	&models.ActionEvent{},
+	&models.Notification{},
+	&models.NotificationSubscriber{},
+}
+
+func RunMigration(source *gorm.DB) error {
+	if err := source.AutoMigrate(AutoMaintainRange...); err != nil {
+		return err
+	}
+
+	return nil
+}

pkg/internal/database/source.go

@@ -0,0 +1,28 @@
+package database
+
+import (
+	"github.com/rs/zerolog/log"
+	"github.com/samber/lo"
+	"github.com/spf13/viper"
+	"gorm.io/driver/postgres"
+	"gorm.io/gorm"
+	"gorm.io/gorm/logger"
+	"gorm.io/gorm/schema"
+)
+
+var C *gorm.DB
+
+func NewGorm() error {
+	var err error
+
+	dialector := postgres.Open(viper.GetString("database.dsn"))
+	C, err = gorm.Open(dialector, &gorm.Config{NamingStrategy: schema.NamingStrategy{
+		TablePrefix: viper.GetString("database.prefix"),
+	}, Logger: logger.New(&log.Logger, logger.Config{
+		Colorful:                  true,
+		IgnoreRecordNotFoundError: true,
+		LogLevel:                  lo.Ternary(viper.GetBool("debug.database"), logger.Info, logger.Silent),
+	})})
+
+	return err
+}

pkg/internal/embed.go

@@ -0,0 +1,6 @@
+package pkg
+
+import "embed"
+
+//go:embed views/*
+var FS embed.FS

pkg/internal/gap/server.go

@@ -0,0 +1,38 @@
+package gap
+
+import (
+	"fmt"
+	"github.com/hashicorp/consul/api"
+	"github.com/spf13/viper"
+	"strconv"
+	"strings"
+)
+
+func Register() error {
+	cfg := api.DefaultConfig()
+	cfg.Address = viper.GetString("consul.addr")
+
+	client, err := api.NewClient(cfg)
+	if err != nil {
+		return err
+	}
+
+	bind := strings.SplitN(viper.GetString("consul.srv_serve"), ":", 2)
+	baseAddr := viper.GetString("consul.srv_http")
+
+	port, _ := strconv.Atoi(bind[1])
+
+	registration := new(api.AgentServiceRegistration)
+	registration.ID = viper.GetString("id")
+	registration.Name = "Hydrogen.Passport"
+	registration.Address = bind[0]
+	registration.Port = port
+	registration.Check = &api.AgentServiceCheck{
+		HTTP:                           fmt.Sprintf("%s/.well-known", baseAddr),
+		Timeout:                        "5s",
+		Interval:                       "5s",
+		DeregisterCriticalServiceAfter: "10s",
+	}
+
+	return client.Agent().ServiceRegister(registration)
+}

pkg/internal/grpc/auth.go

@@ -0,0 +1,70 @@
+package grpc
+
+import (
+	"context"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/grpc/proto"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/samber/lo"
+)
+
+func (v *Server) Authenticate(_ context.Context, in *proto.AuthRequest) (*proto.AuthReply, error) {
+	ctx, perms, atk, rtk, err := services.Authenticate(in.GetAccessToken(), in.GetRefreshToken(), 0)
+	if err != nil {
+		return &proto.AuthReply{
+			IsValid: false,
+		}, nil
+	} else {
+		user := ctx.Account
+		rawPerms, _ := jsoniter.Marshal(perms)
+
+		userinfo := &proto.Userinfo{
+			Id:          uint64(user.ID),
+			Name:        user.Name,
+			Nick:        user.Nick,
+			Email:       user.GetPrimaryEmail().Content,
+			Description: &user.Description,
+		}
+
+		if user.Avatar != nil {
+			userinfo.Avatar = *user.GetAvatar()
+		}
+		if user.Banner != nil {
+			userinfo.Banner = *user.GetBanner()
+		}
+
+		return &proto.AuthReply{
+			IsValid:      true,
+			AccessToken:  &atk,
+			RefreshToken: &rtk,
+			Permissions:  rawPerms,
+			TicketId:     lo.ToPtr(uint64(ctx.Ticket.ID)),
+			Userinfo:     userinfo,
+		}, nil
+	}
+}
+
+func (v *Server) CheckPerm(_ context.Context, in *proto.CheckPermRequest) (*proto.CheckPermReply, error) {
+	claims, err := services.DecodeJwt(in.GetToken())
+	if err != nil {
+		return nil, err
+	}
+	ctx, err := services.GetAuthContext(claims.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	var heldPerms map[string]any
+	rawHeldPerms, _ := jsoniter.Marshal(ctx.Account.PermNodes)
+	_ = jsoniter.Unmarshal(rawHeldPerms, &heldPerms)
+
+	var value any
+	_ = jsoniter.Unmarshal(in.GetValue(), &value)
+	perms := services.FilterPermNodes(heldPerms, ctx.Ticket.Claims)
+	valid := services.HasPermNode(perms, in.GetKey(), value)
+
+	return &proto.CheckPermReply{
+		IsValid: valid,
+	}, nil
+}

pkg/internal/grpc/client.go

@@ -0,0 +1,21 @@
+package grpc
+
+import (
+	pcpb "git.solsynth.dev/hydrogen/paperclip/pkg/grpc/proto"
+	"github.com/spf13/viper"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+)
+
+var Attachments pcpb.AttachmentsClient
+
+func ConnectPaperclip() error {
+	addr := viper.GetString("paperclip.grpc_endpoint")
+	if conn, err := grpc.Dial(addr, grpc.WithTransportCredentials(insecure.NewCredentials())); err != nil {
+		return err
+	} else {
+		Attachments = pcpb.NewAttachmentsClient(conn)
+	}
+
+	return nil
+}

pkg/internal/grpc/friendships.go

@@ -0,0 +1,46 @@
+package grpc
+
+import (
+	"context"
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/grpc/proto"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"github.com/samber/lo"
+)
+
+func (v *Server) ListFriendship(_ context.Context, request *proto.FriendshipLookupRequest) (*proto.ListFriendshipResponse, error) {
+	account, err := services.GetAccount(uint(request.GetAccountId()))
+	if err != nil {
+		return nil, err
+	}
+	friends, err := services.ListFriend(account, models.FriendshipStatus(request.GetStatus()))
+	if err != nil {
+		return nil, err
+	}
+
+	return &proto.ListFriendshipResponse{
+		Data: lo.Map(friends, func(item models.AccountFriendship, index int) *proto.FriendshipResponse {
+			return &proto.FriendshipResponse{
+				AccountId: uint64(item.AccountID),
+				RelatedId: uint64(item.RelatedID),
+				Status:    uint32(item.Status),
+			}
+		}),
+	}, nil
+}
+
+func (v *Server) GetFriendship(ctx context.Context, request *proto.FriendshipTwoSideLookupRequest) (*proto.FriendshipResponse, error) {
+	friend, err := services.GetFriendWithTwoSides(uint(request.GetAccountId()), uint(request.GetRelatedId()))
+	if err != nil {
+		return nil, err
+	} else if friend.Status != models.FriendshipStatus(request.GetStatus()) {
+		return nil, fmt.Errorf("status mismatch")
+	}
+
+	return &proto.FriendshipResponse{
+		AccountId: uint64(friend.AccountID),
+		RelatedId: uint64(friend.RelatedID),
+		Status:    uint32(friend.Status),
+	}, nil
+}

pkg/internal/grpc/notify.go

@@ -0,0 +1,57 @@
+package grpc
+
+import (
+	"context"
+	jsoniter "github.com/json-iterator/go"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/grpc/proto"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"github.com/samber/lo"
+)
+
+func (v *Server) NotifyUser(_ context.Context, in *proto.NotifyRequest) (*proto.NotifyReply, error) {
+	client, err := services.GetThirdClientWithSecret(in.GetClientId(), in.GetClientSecret())
+	if err != nil {
+		return nil, err
+	}
+
+	var user models.Account
+	if user, err = services.GetAccount(uint(in.GetRecipientId())); err != nil {
+		return nil, err
+	}
+
+	var metadata map[string]any
+	_ = jsoniter.Unmarshal(in.GetMetadata(), &metadata)
+
+	links := lo.Map(in.GetLinks(), func(item *proto.NotifyLink, index int) models.NotificationLink {
+		return models.NotificationLink{
+			Label: item.Label,
+			Url:   item.Url,
+		}
+	})
+
+	notification := models.Notification{
+		Type:        lo.Ternary(len(in.GetType()) > 0, in.GetType(), "common"),
+		Subject:     in.GetSubject(),
+		Content:     in.GetContent(),
+		Metadata:    metadata,
+		Links:       links,
+		IsRealtime:  in.GetIsRealtime(),
+		IsForcePush: in.GetIsForcePush(),
+		RecipientID: user.ID,
+		SenderID:    &client.ID,
+	}
+
+	if in.GetIsRealtime() {
+		if err := services.PushNotification(notification); err != nil {
+			return nil, err
+		}
+	} else {
+		if err := services.NewNotification(notification); err != nil {
+			return nil, err
+		}
+	}
+
+	return &proto.NotifyReply{IsSent: true}, nil
+}

pkg/internal/grpc/realms.go

@@ -0,0 +1,151 @@
+package grpc
+
+import (
+	"context"
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/proto"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"github.com/samber/lo"
+	"google.golang.org/protobuf/types/known/emptypb"
+)
+
+func (v *Server) ListCommunityRealm(ctx context.Context, empty *emptypb.Empty) (*proto.ListRealmResponse, error) {
+	realms, err := services.ListCommunityRealm()
+	if err != nil {
+		return nil, err
+	}
+
+	return &proto.ListRealmResponse{
+		Data: lo.Map(realms, func(item models.Realm, index int) *proto.RealmResponse {
+			return &proto.RealmResponse{
+				Id:          uint64(item.ID),
+				Alias:       item.Alias,
+				Name:        item.Name,
+				Description: item.Description,
+				IsPublic:    item.IsPublic,
+				IsCommunity: item.IsCommunity,
+			}
+		}),
+	}, nil
+}
+
+func (v *Server) ListAvailableRealm(ctx context.Context, request *proto.RealmLookupWithUserRequest) (*proto.ListRealmResponse, error) {
+	account, err := services.GetAccount(uint(request.GetUserId()))
+	if err != nil {
+		return nil, fmt.Errorf("unable to find target account: %v", err)
+	}
+	realms, err := services.ListAvailableRealm(account)
+	if err != nil {
+		return nil, err
+	}
+
+	return &proto.ListRealmResponse{
+		Data: lo.Map(realms, func(item models.Realm, index int) *proto.RealmResponse {
+			return &proto.RealmResponse{
+				Id:          uint64(item.ID),
+				Alias:       item.Alias,
+				Name:        item.Name,
+				Description: item.Description,
+				IsPublic:    item.IsPublic,
+				IsCommunity: item.IsCommunity,
+			}
+		}),
+	}, nil
+}
+
+func (v *Server) ListOwnedRealm(ctx context.Context, request *proto.RealmLookupWithUserRequest) (*proto.ListRealmResponse, error) {
+	account, err := services.GetAccount(uint(request.GetUserId()))
+	if err != nil {
+		return nil, fmt.Errorf("unable to find target account: %v", err)
+	}
+	realms, err := services.ListOwnedRealm(account)
+	if err != nil {
+		return nil, err
+	}
+
+	return &proto.ListRealmResponse{
+		Data: lo.Map(realms, func(item models.Realm, index int) *proto.RealmResponse {
+			return &proto.RealmResponse{
+				Id:          uint64(item.ID),
+				Alias:       item.Alias,
+				Name:        item.Name,
+				Description: item.Description,
+				IsPublic:    item.IsPublic,
+				IsCommunity: item.IsCommunity,
+			}
+		}),
+	}, nil
+}
+
+func (v *Server) GetRealm(ctx context.Context, request *proto.RealmLookupRequest) (*proto.RealmResponse, error) {
+	var realm models.Realm
+
+	tx := database.C.Model(&models.Realm{})
+	if request.Id != nil {
+		tx = tx.Where("id = ?", request.GetId())
+	}
+	if request.Alias != nil {
+		tx = tx.Where("alias = ?", request.GetAlias())
+	}
+	if request.IsPublic != nil {
+		tx = tx.Where("is_public = ?", request.GetIsPublic())
+	}
+	if request.IsCommunity != nil {
+		tx = tx.Where("is_community = ?", request.GetIsCommunity())
+	}
+
+	if err := tx.First(&realm).Error; err != nil {
+		return nil, err
+	}
+
+	return &proto.RealmResponse{
+		Id:          uint64(realm.ID),
+		Alias:       realm.Alias,
+		Name:        realm.Name,
+		Description: realm.Description,
+		IsPublic:    realm.IsPublic,
+		IsCommunity: realm.IsCommunity,
+	}, nil
+}
+
+func (v *Server) ListRealmMember(ctx context.Context, request *proto.RealmMemberLookupRequest) (*proto.ListRealmMemberResponse, error) {
+	var members []models.RealmMember
+	tx := database.C.Where("realm_id = ?", request.GetRealmId())
+	if request.UserId != nil {
+		tx = tx.Where("account_id = ?", request.GetUserId())
+	}
+
+	if err := tx.Find(&members).Error; err != nil {
+		return nil, err
+	}
+
+	return &proto.ListRealmMemberResponse{
+		Data: lo.Map(members, func(item models.RealmMember, index int) *proto.RealmMemberResponse {
+			return &proto.RealmMemberResponse{
+				RealmId:    uint64(item.RealmID),
+				UserId:     uint64(item.AccountID),
+				PowerLevel: int32(item.PowerLevel),
+			}
+		}),
+	}, nil
+}
+
+func (v *Server) GetRealmMember(ctx context.Context, request *proto.RealmMemberLookupRequest) (*proto.RealmMemberResponse, error) {
+	var member models.RealmMember
+	tx := database.C.Where("realm_id = ?", request.GetRealmId())
+	if request.UserId != nil {
+		tx = tx.Where("account_id = ?", request.GetUserId())
+	}
+
+	if err := tx.First(&member).Error; err != nil {
+		return nil, err
+	}
+
+	return &proto.RealmMemberResponse{
+		RealmId:    uint64(member.RealmID),
+		UserId:     uint64(member.AccountID),
+		PowerLevel: int32(member.PowerLevel),
+	}, nil
+}

pkg/internal/grpc/server.go

@@ -0,0 +1,35 @@
+package grpc
+
+import (
+	"net"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/grpc/proto"
+	"github.com/spf13/viper"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/reflection"
+)
+
+type Server struct {
+	proto.UnimplementedAuthServer
+	proto.UnimplementedNotifyServer
+	proto.UnimplementedFriendshipsServer
+	proto.UnimplementedRealmsServer
+}
+
+func StartGrpc() error {
+	listen, err := net.Listen("tcp", viper.GetString("grpc_bind"))
+	if err != nil {
+		return err
+	}
+
+	server := grpc.NewServer()
+
+	proto.RegisterAuthServer(server, &Server{})
+	proto.RegisterNotifyServer(server, &Server{})
+	proto.RegisterFriendshipsServer(server, &Server{})
+	proto.RegisterRealmsServer(server, &Server{})
+
+	reflection.Register(server)
+
+	return server.Serve(listen)
+}

pkg/internal/i18n/bundle.go

@@ -0,0 +1,16 @@
+package i18n
+
+import (
+	jsoniter "github.com/json-iterator/go"
+	"github.com/nicksnyder/go-i18n/v2/i18n"
+	"golang.org/x/text/language"
+)
+
+var Bundle *i18n.Bundle
+
+func InitInternationalization() {
+	Bundle = i18n.NewBundle(language.English)
+	Bundle.RegisterUnmarshalFunc("json", jsoniter.ConfigCompatibleWithStandardLibrary.Unmarshal)
+	Bundle.LoadMessageFileFS(FS, "locale.en.json")
+	Bundle.LoadMessageFileFS(FS, "locale.zh.json")
+}

pkg/internal/i18n/embed.go

@@ -0,0 +1,6 @@
+package i18n
+
+import "embed"
+
+//go:embed locale.*.json
+var FS embed.FS

pkg/internal/i18n/locale.en.json

@@ -0,0 +1,23 @@
+{
+  "next": "Next",
+  "email": "Email",
+  "username": "Username",
+  "nickname": "Nickname",
+  "password": "Password",
+  "unknown": "Unknown",
+  "apply": "Apply",
+  "back": "Back",
+  "approve": "Approve",
+  "decline": "Decline",
+  "magicToken": "Magic Token",
+  "signinTitle": "Sign In",
+  "signinCaption": "Sign in to Solarpass to explore entire Solar Network. Explore posts, discover communities, talk with your best friends. All these things in the Solar Network!",
+  "signinRequired": "You need to sign in before do that.",
+  "signupTitle": "Sign Up",
+  "signupCaption": "Sign up to create an account on Solarpass, then you can explore the entire Solar Network! Enjoy the next-generation Internet Ecosystem!",
+  "authorizeTitle": "Authorize",
+  "authorizeCaption": "One Solarpass, get entire network.",
+  "mfaTitle": "Multi Factor Authenticate",
+  "mfaCaption": "We need use one more way to verify it is you.",
+  "mfaFactorEmail": "OTP through your email"
+}

pkg/internal/i18n/locale.zh.json

@@ -0,0 +1,23 @@
+{
+  "next": "下一步",
+  "email": "邮件地址",
+  "username": "用户名",
+  "nickname": "昵称",
+  "password": "密码",
+  "unknown": "未知",
+  "apply": "应用",
+  "back": "返回",
+  "approve": "接受",
+  "decline": "拒绝",
+  "magicToken": "魔法令牌",
+  "signinTitle": "登陆",
+  "signinCaption": "登陆 Solarpass 以探索整个 Solar Network，浏览帖子、探索社区、和你的好朋友聊八卦，一切尽在 Solar Network!",
+  "signinRequired": "你需要在那之前登陆",
+  "signupTitle": "注册",
+  "signupCaption": "注册以在 Solarpass 创建一个账号，之后你就可以探索整个 Solar Network，享受下一代互联网生态系统！",
+  "authorizeTitle": "授权",
+  "authorizeCaption": "一个 Solarpass，整个网络。",
+  "mfaTitle": "多因素验证",
+  "mfaCaption": "我们需要另一个方法来确认你是你。",
+  "mfaFactorEmail": "电子邮寄一次性验证码"
+}

pkg/internal/i18n/middleware.go

@@ -0,0 +1,15 @@
+package i18n
+
+import (
+	"github.com/gofiber/fiber/v2"
+	"github.com/nicksnyder/go-i18n/v2/i18n"
+)
+
+func I18nMiddleware(c *fiber.Ctx) error {
+	accept := c.Get(fiber.HeaderAcceptLanguage)
+	localizer := i18n.NewLocalizer(Bundle, accept)
+
+	c.Locals("localizer", localizer)
+
+	return c.Next()
+}

pkg/internal/meta.go

@@ -0,0 +1,5 @@
+package pkg
+
+const (
+	AppVersion = "1.0.0"
+)

pkg/internal/models/accounts.go

@@ -0,0 +1,80 @@
+package models
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/samber/lo"
+	"github.com/spf13/viper"
+	"gorm.io/datatypes"
+)
+
+type Account struct {
+	BaseModel
+
+	Name        string            `json:"name" gorm:"uniqueIndex"`
+	Nick        string            `json:"nick"`
+	Description string            `json:"description"`
+	Avatar      *uint             `json:"avatar"`
+	Banner      *uint             `json:"banner"`
+	ConfirmedAt *time.Time        `json:"confirmed_at"`
+	PermNodes   datatypes.JSONMap `json:"perm_nodes"`
+
+	Profile         AccountProfile   `json:"profile"`
+	PersonalPage    AccountPage      `json:"personal_page"`
+	Badges          []Badge          `json:"badges"`
+	Contacts        []AccountContact `json:"contacts"`
+	RealmIdentities []RealmMember    `json:"realm_identities"`
+
+	Tickets []AuthTicket `json:"tickets"`
+	Factors []AuthFactor `json:"factors"`
+
+	Events      []ActionEvent `json:"events"`
+	MagicTokens []MagicToken  `json:"-" gorm:"foreignKey:AssignTo"`
+
+	ThirdClients []ThirdClient `json:"clients"`
+
+	Notifications     []Notification           `json:"notifications" gorm:"foreignKey:RecipientID"`
+	NotifySubscribers []NotificationSubscriber `json:"notify_subscribers"`
+
+	Friendships        []AccountFriendship `json:"friendships" gorm:"foreignKey:AccountID"`
+	RelatedFriendships []AccountFriendship `json:"related_friendships" gorm:"foreignKey:RelatedID"`
+}
+
+func (v Account) GetAvatar() *string {
+	if v.Avatar != nil {
+		return lo.ToPtr(fmt.Sprintf("%s/api/attachments/%d", viper.GetString("paperclip.endpoint"), *v.Avatar))
+	}
+	return nil
+}
+
+func (v Account) GetBanner() *string {
+	if v.Banner != nil {
+		return lo.ToPtr(fmt.Sprintf("%s/api/attachments/%d", viper.GetString("paperclip.endpoint"), *v.Banner))
+	}
+	return nil
+}
+
+func (v Account) GetPrimaryEmail() AccountContact {
+	val, _ := lo.Find(v.Contacts, func(item AccountContact) bool {
+		return item.Type == EmailAccountContact && item.IsPrimary
+	})
+	return val
+}
+
+type AccountContactType = int8
+
+const (
+	EmailAccountContact = AccountContactType(iota)
+)
+
+type AccountContact struct {
+	BaseModel
+
+	Type       int8       `json:"type"`
+	Content    string     `json:"content" gorm:"uniqueIndex"`
+	IsPublic   bool       `json:"is_public"`
+	IsPrimary  bool       `json:"is_primary"`
+	VerifiedAt *time.Time `json:"verified_at"`
+	AccountID  uint       `json:"account_id"`
+}

pkg/internal/models/auth.go

@@ -0,0 +1,64 @@
+package models
+
+import (
+	"fmt"
+	"time"
+
+	"gorm.io/datatypes"
+)
+
+type AuthFactorType = int8
+
+const (
+	PasswordAuthFactor = AuthFactorType(iota)
+	EmailPasswordFactor
+)
+
+type AuthFactor struct {
+	BaseModel
+
+	Type      int8    `json:"type"`
+	Secret    string  `json:"-"`
+	Config    JSONMap `json:"config"`
+	AccountID uint    `json:"account_id"`
+}
+
+type AuthTicket struct {
+	BaseModel
+
+	Location            string                      `json:"location"`
+	IpAddress           string                      `json:"ip_address"`
+	UserAgent           string                      `json:"user_agent"`
+	RequireMFA          bool                        `json:"require_mfa"`
+	RequireAuthenticate bool                        `json:"require_authenticate"`
+	Claims              datatypes.JSONSlice[string] `json:"claims"`
+	Audiences           datatypes.JSONSlice[string] `json:"audiences"`
+	GrantToken          *string                     `json:"grant_token"`
+	AccessToken         *string                     `json:"access_token"`
+	RefreshToken        *string                     `json:"refresh_token"`
+	ExpiredAt           *time.Time                  `json:"expired_at"`
+	AvailableAt         *time.Time                  `json:"available_at"`
+	LastGrantAt         *time.Time                  `json:"last_grant_at"`
+	ClientID            *uint                       `json:"client_id"`
+	AccountID           uint                        `json:"account_id"`
+}
+
+func (v AuthTicket) IsAvailable() error {
+	if v.RequireMFA || v.RequireAuthenticate {
+		return fmt.Errorf("ticket isn't authenticated yet")
+	}
+	if v.AvailableAt != nil && time.Now().Unix() < v.AvailableAt.Unix() {
+		return fmt.Errorf("ticket isn't available yet")
+	}
+	if v.ExpiredAt != nil && time.Now().Unix() > v.ExpiredAt.Unix() {
+		return fmt.Errorf("ticket expired")
+	}
+
+	return nil
+}
+
+type AuthContext struct {
+	Ticket     AuthTicket `json:"ticket"`
+	Account    Account    `json:"account"`
+	LastUsedAt time.Time  `json:"last_used_at"`
+}

pkg/internal/models/badges.go

@@ -0,0 +1,11 @@
+package models
+
+import "gorm.io/datatypes"
+
+type Badge struct {
+	BaseModel
+
+	Type      string            `json:"type"`
+	Metadata  datatypes.JSONMap `json:"metadata"`
+	AccountID uint              `json:"account_id"`
+}

pkg/internal/models/base.go

@@ -0,0 +1,17 @@
+package models
+
+import (
+	"time"
+
+	"gorm.io/datatypes"
+	"gorm.io/gorm"
+)
+
+type JSONMap = datatypes.JSONType[map[string]any]
+
+type BaseModel struct {
+	ID        uint           `json:"id" gorm:"primaryKey"`
+	CreatedAt time.Time      `json:"created_at"`
+	UpdatedAt time.Time      `json:"updated_at"`
+	DeletedAt gorm.DeletedAt `json:"deleted_at" gorm:"index"`
+}

pkg/internal/models/clients.go

@@ -0,0 +1,18 @@
+package models
+
+import "gorm.io/datatypes"
+
+type ThirdClient struct {
+	BaseModel
+
+	Alias         string                      `json:"alias" gorm:"uniqueIndex"`
+	Name          string                      `json:"name"`
+	Description   string                      `json:"description"`
+	Secret        string                      `json:"secret"`
+	Urls          datatypes.JSONSlice[string] `json:"urls"`
+	Callbacks     datatypes.JSONSlice[string] `json:"callbacks"`
+	Sessions      []AuthTicket                `json:"tickets" gorm:"foreignKey:ClientID"`
+	Notifications []Notification              `json:"notifications" gorm:"foreignKey:SenderID"`
+	IsDraft       bool                        `json:"is_draft"`
+	AccountID     *uint                       `json:"account_id"`
+}

pkg/internal/models/events.go

@@ -0,0 +1,12 @@
+package models
+
+type ActionEvent struct {
+	BaseModel
+
+	Type      string `json:"type"`
+	Target    string `json:"target"`
+	Location  string `json:"location"`
+	IpAddress string `json:"ip_address"`
+	UserAgent string `json:"user_agent"`
+	AccountID uint   `json:"account_id"`
+}

pkg/internal/models/friendships.go

@@ -0,0 +1,20 @@
+package models
+
+type FriendshipStatus = int8
+
+const (
+	FriendshipPending = FriendshipStatus(iota)
+	FriendshipActive
+	FriendshipBlocked
+)
+
+type AccountFriendship struct {
+	BaseModel
+
+	AccountID uint             `json:"account_id"`
+	RelatedID uint             `json:"related_id"`
+	BlockedBy *uint            `json:"blocked_by"`
+	Account   Account          `json:"account"`
+	Related   Account          `json:"related"`
+	Status    FriendshipStatus `json:"status"`
+}

pkg/internal/models/notifications.go

@@ -0,0 +1,40 @@
+package models
+
+import (
+	"gorm.io/datatypes"
+)
+
+type Notification struct {
+	BaseModel
+
+	Type        string                                `json:"type"`
+	Subject     string                                `json:"subject"`
+	Content     string                                `json:"content"`
+	Metadata    datatypes.JSONMap                     `json:"metadata"`
+	Links       datatypes.JSONSlice[NotificationLink] `json:"links"`
+	IsRealtime  bool                                  `json:"is_realtime" gorm:"-"`
+	IsForcePush bool                                  `json:"is_force_push" gorm:"-"`
+	SenderID    *uint                                 `json:"sender_id"`
+	RecipientID uint                                  `json:"recipient_id"`
+}
+
+// NotificationLink Used to embed into notify and render actions
+type NotificationLink struct {
+	Label string `json:"label"`
+	Url   string `json:"url"`
+}
+
+const (
+	NotifySubscriberFirebase = "firebase"
+	NotifySubscriberAPNs     = "apple"
+)
+
+type NotificationSubscriber struct {
+	BaseModel
+
+	UserAgent   string `json:"user_agent"`
+	Provider    string `json:"provider"`
+	DeviceID    string `json:"device_id" gorm:"uniqueIndex"`
+	DeviceToken string `json:"device_token"`
+	AccountID   uint   `json:"account_id"`
+}

pkg/internal/models/profiles.go

@@ -0,0 +1,31 @@
+package models
+
+import (
+	"gorm.io/datatypes"
+	"time"
+)
+
+type AccountProfile struct {
+	BaseModel
+
+	FirstName  string     `json:"first_name"`
+	LastName   string     `json:"last_name"`
+	Experience uint64     `json:"experience"`
+	Birthday   *time.Time `json:"birthday"`
+	AccountID  uint       `json:"account_id"`
+}
+
+type AccountPage struct {
+	BaseModel
+
+	Content   string                                `json:"content"`
+	Script    string                                `json:"script"`
+	Style     string                                `json:"style"`
+	Links     datatypes.JSONSlice[AccountPageLinks] `json:"links"`
+	AccountID uint                                  `json:"account_id"`
+}
+
+type AccountPageLinks struct {
+	Label string `json:"label"`
+	Url   string `json:"url"`
+}

pkg/internal/models/realms.go

@@ -0,0 +1,23 @@
+package models
+
+type Realm struct {
+	BaseModel
+
+	Alias       string        `json:"alias" gorm:"uniqueIndex"`
+	Name        string        `json:"name"`
+	Description string        `json:"description"`
+	Members     []RealmMember `json:"members"`
+	IsPublic    bool          `json:"is_public"`
+	IsCommunity bool          `json:"is_community"`
+	AccountID   uint          `json:"account_id"`
+}
+
+type RealmMember struct {
+	BaseModel
+
+	RealmID    uint    `json:"realm_id"`
+	AccountID  uint    `json:"account_id"`
+	Realm      Realm   `json:"realm"`
+	Account    Account `json:"account"`
+	PowerLevel int     `json:"power_level"`
+}

pkg/internal/models/tokens.go

@@ -0,0 +1,19 @@
+package models
+
+import "time"
+
+type MagicTokenType = int8
+
+const (
+	ConfirmMagicToken = MagicTokenType(iota)
+	RegistrationMagicToken
+)
+
+type MagicToken struct {
+	BaseModel
+
+	Code      string     `json:"code"`
+	Type      int8       `json:"type"`
+	AssignTo  *uint      `json:"assign_to"`
+	ExpiredAt *time.Time `json:"expired_at"`
+}

pkg/internal/models/unified.go

@@ -0,0 +1,21 @@
+package models
+
+import jsoniter "github.com/json-iterator/go"
+
+type UnifiedCommand struct {
+	Action  string `json:"w"`
+	Message string `json:"m"`
+	Payload any    `json:"p"`
+}
+
+func UnifiedCommandFromError(err error) UnifiedCommand {
+	return UnifiedCommand{
+		Action:  "error",
+		Message: err.Error(),
+	}
+}
+
+func (v UnifiedCommand) Marshal() []byte {
+	data, _ := jsoniter.Marshal(v)
+	return data
+}

pkg/internal/server/accounts_api.go

@@ -0,0 +1,179 @@
+package server
+
+import (
+	"fmt"
+	"strconv"
+	"time"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"github.com/gofiber/fiber/v2"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/spf13/viper"
+)
+
+func getUserinfo(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+
+	var data models.Account
+	if err := database.C.
+		Where(&models.Account{BaseModel: models.BaseModel{ID: user.ID}}).
+		Preload("Profile").
+		Preload("Contacts").
+		Preload("Badges").
+		First(&data).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	var resp fiber.Map
+	raw, _ := jsoniter.Marshal(data)
+	jsoniter.Unmarshal(raw, &resp)
+
+	resp["sub"] = strconv.Itoa(int(data.ID))
+	resp["family_name"] = data.Profile.FirstName
+	resp["given_name"] = data.Profile.LastName
+	resp["name"] = data.Name
+	resp["email"] = data.GetPrimaryEmail().Content
+	resp["preferred_username"] = data.Nick
+
+	if data.Avatar != nil {
+		resp["picture"] = *data.GetAvatar()
+	}
+
+	return c.JSON(resp)
+}
+
+func getEvents(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	take := c.QueryInt("take", 0)
+	offset := c.QueryInt("offset", 0)
+
+	var count int64
+	var events []models.ActionEvent
+	if err := database.C.
+		Where(&models.ActionEvent{AccountID: user.ID}).
+		Model(&models.ActionEvent{}).
+		Count(&count).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	if err := database.C.
+		Order("created_at desc").
+		Where(&models.ActionEvent{AccountID: user.ID}).
+		Limit(take).
+		Offset(offset).
+		Find(&events).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	return c.JSON(fiber.Map{
+		"count": count,
+		"data":  events,
+	})
+}
+
+func editUserinfo(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+
+	var data struct {
+		Nick        string    `json:"nick" validate:"required,min=4,max=24"`
+		Description string    `json:"description"`
+		FirstName   string    `json:"first_name"`
+		LastName    string    `json:"last_name"`
+		Birthday    time.Time `json:"birthday"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	var account models.Account
+	if err := database.C.
+		Where(&models.Account{BaseModel: models.BaseModel{ID: user.ID}}).
+		Preload("Profile").
+		First(&account).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	account.Nick = data.Nick
+	account.Description = data.Description
+	account.Profile.FirstName = data.FirstName
+	account.Profile.LastName = data.LastName
+	account.Profile.Birthday = &data.Birthday
+
+	if err := database.C.Save(&account).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	} else if err := database.C.Save(&account.Profile).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	services.InvalidAuthCacheWithUser(account.ID)
+
+	return c.SendStatus(fiber.StatusOK)
+}
+
+func killSession(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	id, _ := c.ParamsInt("ticketId", 0)
+
+	if err := database.C.Delete(&models.AuthTicket{}, &models.AuthTicket{
+		BaseModel: models.BaseModel{ID: uint(id)},
+		AccountID: user.ID,
+	}).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}
+
+func doRegister(c *fiber.Ctx) error {
+	var data struct {
+		Name       string `json:"name" validate:"required,lowercase,alphanum,min=4,max=16"`
+		Nick       string `json:"nick" validate:"required,min=4,max=24"`
+		Email      string `json:"email" validate:"required,email"`
+		Password   string `json:"password" validate:"required,min=4,max=32"`
+		MagicToken string `json:"magic_token"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	} else if viper.GetBool("use_registration_magic_token") && len(data.MagicToken) <= 0 {
+		return fmt.Errorf("missing magic token in request")
+	} else if viper.GetBool("use_registration_magic_token") {
+		if tk, err := services.ValidateMagicToken(data.MagicToken, models.RegistrationMagicToken); err != nil {
+			return err
+		} else {
+			database.C.Delete(&tk)
+		}
+	}
+
+	if user, err := services.CreateAccount(
+		data.Name,
+		data.Nick,
+		data.Email,
+		data.Password,
+	); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.JSON(user)
+	}
+}
+
+func doRegisterConfirm(c *fiber.Ctx) error {
+	var data struct {
+		Code string `json:"code" validate:"required"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	if err := services.ConfirmAccount(data.Code); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}

pkg/internal/server/admin/badges_api.go

@@ -0,0 +1,63 @@
+package admin
+
+import (
+	"fmt"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"github.com/gofiber/fiber/v2"
+)
+
+func grantBadge(c *fiber.Ctx) error {
+	if err := utils.CheckPermissions(c, "AdminGrantBadges", true); err != nil {
+		return err
+	}
+
+	var data struct {
+		Type      string         `json:"type" validate:"required"`
+		Metadata  map[string]any `json:"metadata"`
+		AccountID uint           `json:"account_id"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	var err error
+	var account models.Account
+	if account, err = services.GetAccount(data.AccountID); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("target account was not found: %v", err))
+	}
+
+	badge := models.Badge{
+		Type:     data.Type,
+		Metadata: data.Metadata,
+	}
+
+	if err := services.GrantBadge(account, badge); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.JSON(badge)
+	}
+}
+
+func revokeBadge(c *fiber.Ctx) error {
+	if err := utils.CheckPermissions(c, "AdminRevokeBadges", true); err != nil {
+		return err
+	}
+
+	id, _ := c.ParamsInt("badgeId", 0)
+
+	var badge models.Badge
+	if err := database.C.Where("id = ?", id).First(&badge).Error; err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("target badge was not found: %v", err))
+	}
+
+	if err := services.RevokeBadge(badge); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.JSON(badge)
+	}
+}

pkg/internal/server/admin/index.go

@@ -0,0 +1,13 @@
+package admin
+
+import (
+	"github.com/gofiber/fiber/v2"
+)
+
+func MapAdminEndpoints(A *fiber.App, authMiddleware fiber.Handler) {
+	admin := A.Group("/api/admin").Use(authMiddleware)
+	{
+		admin.Post("/badges", grantBadge)
+		admin.Delete("/badges/:badgeId", revokeBadge)
+	}
+}

pkg/internal/server/auth_api.go

@@ -0,0 +1,146 @@
+package server
+
+import (
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+)
+
+func doAuthenticate(c *fiber.Ctx) error {
+	var data struct {
+		Username string `json:"username"`
+		Password string `json:"password" validate:"required"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	user, err := services.LookupAccount(data.Username)
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("account was not found: %v", err.Error()))
+	}
+
+	ticket, err := services.NewTicket(user, c.IP(), c.Get(fiber.HeaderUserAgent))
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("unable setup ticket: %v", err.Error()))
+	}
+
+	ticket, err = services.ActiveTicketWithPassword(ticket, data.Password)
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("invalid password: %v", err.Error()))
+	}
+
+	return c.JSON(fiber.Map{
+		"is_finished": ticket.IsAvailable(),
+		"ticket":      ticket,
+	})
+}
+
+func doMultiFactorAuthenticate(c *fiber.Ctx) error {
+	var data struct {
+		TicketID uint   `json:"ticket_id" validate:"required"`
+		FactorID uint   `json:"factor_id" validate:"required"`
+		Code     string `json:"code" validate:"required"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	ticket, err := services.GetTicket(data.TicketID)
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("ticket was not found: %v", err.Error()))
+	}
+
+	factor, err := services.GetFactor(data.FactorID)
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("factor was not found: %v", err.Error()))
+	}
+
+	ticket, err = services.ActiveTicketWithMFA(ticket, factor, data.Code)
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("invalid code: %v", err.Error()))
+	}
+
+	return c.JSON(fiber.Map{
+		"is_finished": ticket.IsAvailable(),
+		"ticket":      ticket,
+	})
+}
+
+func getToken(c *fiber.Ctx) error {
+	var data struct {
+		Code         string `json:"code" form:"code"`
+		RefreshToken string `json:"refresh_token" form:"refresh_token"`
+		ClientID     string `json:"client_id" form:"client_id"`
+		ClientSecret string `json:"client_secret" form:"client_secret"`
+		Username     string `json:"username" form:"username"`
+		Password     string `json:"password" form:"password"`
+		RedirectUri  string `json:"redirect_uri" form:"redirect_uri"`
+		GrantType    string `json:"grant_type" form:"grant_type"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	var err error
+	var access, refresh string
+	switch data.GrantType {
+	case "refresh_token":
+		// Refresh Token
+		access, refresh, err = services.RefreshToken(data.RefreshToken)
+		if err != nil {
+			return fiber.NewError(fiber.StatusBadRequest, err.Error())
+		}
+	case "authorization_code":
+		// Authorization Code Mode
+		access, refresh, err = services.ExchangeOauthToken(data.ClientID, data.ClientSecret, data.RedirectUri, data.Code)
+		if err != nil {
+			return fiber.NewError(fiber.StatusBadRequest, err.Error())
+		}
+	case "password":
+		// Password Mode
+		user, err := services.LookupAccount(data.Username)
+		if err != nil {
+			return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("account was not found: %v", err.Error()))
+		}
+		ticket, err := services.NewTicket(user, c.IP(), c.Get(fiber.HeaderUserAgent))
+		if err != nil {
+			return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("unable setup ticket: %v", err.Error()))
+		}
+		ticket, err = services.ActiveTicketWithPassword(ticket, data.Password)
+		if err != nil {
+			return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("invalid password: %v", err.Error()))
+		} else if err := ticket.IsAvailable(); err != nil {
+			return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("risk detected: %v (ticketId=%d)", err, ticket.ID))
+		}
+		access, refresh, err = services.ExchangeOauthToken(data.ClientID, data.ClientSecret, data.RedirectUri, *ticket.GrantToken)
+		if err != nil {
+			return fiber.NewError(fiber.StatusBadRequest, err.Error())
+		}
+	case "grant_token":
+		// Internal Usage
+		access, refresh, err = services.ExchangeToken(data.Code)
+		if err != nil {
+			return fiber.NewError(fiber.StatusBadRequest, err.Error())
+		}
+	default:
+		return fiber.NewError(fiber.StatusBadRequest, "unsupported exchange token type")
+	}
+
+	services.SetJwtCookieSet(c, access, refresh)
+
+	return c.JSON(fiber.Map{
+		"id_token":      access,
+		"access_token":  access,
+		"refresh_token": refresh,
+		"token_type":    "Bearer",
+		"expires_in":    (30 * time.Minute).Seconds(),
+	})
+}

pkg/internal/server/auth_middleware.go

@@ -0,0 +1,55 @@
+package server
+
+import (
+	"strings"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"github.com/gofiber/fiber/v2"
+)
+
+func authMiddleware(c *fiber.Ctx) error {
+	var token string
+	if cookie := c.Cookies(services.CookieAccessKey); len(cookie) > 0 {
+		token = cookie
+	}
+	if header := c.Get(fiber.HeaderAuthorization); len(header) > 0 {
+		tk := strings.Replace(header, "Bearer", "", 1)
+		token = strings.TrimSpace(tk)
+	}
+	if query := c.Query("tk"); len(query) > 0 {
+		token = strings.TrimSpace(query)
+	}
+
+	c.Locals("token", token)
+
+	if err := authFunc(c); err != nil {
+		return err
+	}
+
+	return c.Next()
+}
+
+func authFunc(c *fiber.Ctx, overrides ...string) error {
+	var token string
+	if len(overrides) > 0 {
+		token = overrides[0]
+	} else {
+		if tk, ok := c.Locals("token").(string); !ok {
+			return fiber.NewError(fiber.StatusUnauthorized)
+		} else {
+			token = tk
+		}
+	}
+
+	rtk := c.Cookies(services.CookieRefreshKey)
+	if ctx, perms, atk, rtk, err := services.Authenticate(token, rtk, 0); err == nil {
+		if atk != token {
+			services.SetJwtCookieSet(c, atk, rtk)
+		}
+		c.Locals("permissions", perms)
+		c.Locals("principal", ctx.Account)
+		return nil
+	} else {
+		return err
+	}
+}

pkg/internal/server/avatar_api.go

@@ -0,0 +1,73 @@
+package server
+
+import (
+	"context"
+	"fmt"
+
+	pcpb "git.solsynth.dev/hydrogen/paperclip/pkg/grpc/proto"
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/grpc"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"github.com/gofiber/fiber/v2"
+	"github.com/samber/lo"
+)
+
+func setAvatar(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+
+	var data struct {
+		AttachmentID uint `json:"attachment" validate:"required"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	if _, err := grpc.Attachments.CheckAttachmentExists(context.Background(), &pcpb.AttachmentLookupRequest{
+		Id:    lo.ToPtr(uint64(data.AttachmentID)),
+		Usage: lo.ToPtr("p.avatar"),
+	}); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("avatar was not found in repository: %v", err))
+	}
+
+	user.Avatar = &data.AttachmentID
+
+	if err := database.C.Save(&user).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	} else {
+		services.InvalidAuthCacheWithUser(user.ID)
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}
+
+func setBanner(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+
+	var data struct {
+		AttachmentID uint `json:"attachment" validate:"required"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	if _, err := grpc.Attachments.CheckAttachmentExists(context.Background(), &pcpb.AttachmentLookupRequest{
+		Id:    lo.ToPtr(uint64(data.AttachmentID)),
+		Usage: lo.ToPtr("p.banner"),
+	}); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, fmt.Sprintf("banner was not found in repository: %v", err))
+	}
+
+	user.Banner = &data.AttachmentID
+
+	if err := database.C.Save(&user).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	} else {
+		services.InvalidAuthCacheWithUser(user.ID)
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}

pkg/internal/server/factors_api.go

@@ -0,0 +1,23 @@
+package server
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"github.com/gofiber/fiber/v2"
+)
+
+func requestFactorToken(c *fiber.Ctx) error {
+	id, _ := c.ParamsInt("factorId", 0)
+
+	factor, err := services.GetFactor(uint(id))
+	if err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	if sent, err := services.GetFactorCode(factor); err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	} else if !sent {
+		return c.SendStatus(fiber.StatusNoContent)
+	} else {
+		return c.SendStatus(fiber.StatusOK)
+	}
+}

pkg/internal/server/friendships_api.go

@@ -0,0 +1,123 @@
+package server
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"github.com/gofiber/fiber/v2"
+)
+
+func listFriendship(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	status := c.QueryInt("status", -1)
+
+	var err error
+	var friends []models.AccountFriendship
+	if status < 0 {
+		if friends, err = services.ListAllFriend(user); err != nil {
+			return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+		}
+	} else {
+		if friends, err = services.ListFriend(user, models.FriendshipStatus(status)); err != nil {
+			return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+		}
+	}
+
+	return c.JSON(friends)
+}
+
+func getFriendship(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	relatedId, _ := c.ParamsInt("relatedId", 0)
+
+	related, err := services.GetAccount(uint(relatedId))
+	if err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	if friend, err := services.GetFriendWithTwoSides(user.ID, related.ID); err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	} else {
+		return c.JSON(friend)
+	}
+}
+
+func makeFriendship(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	relatedName := c.Query("related")
+	relatedId, _ := c.ParamsInt("relatedId", 0)
+
+	var err error
+	var related models.Account
+	if relatedId > 0 {
+		related, err = services.GetAccount(uint(relatedId))
+		if err != nil {
+			return fiber.NewError(fiber.StatusNotFound, err.Error())
+		}
+	} else if len(relatedName) > 0 {
+		related, err = services.LookupAccount(relatedName)
+		if err != nil {
+			return fiber.NewError(fiber.StatusNotFound, err.Error())
+		}
+	} else {
+		return fiber.NewError(fiber.StatusBadRequest, "must one of username or user id")
+	}
+
+	friend, err := services.NewFriend(user, related, models.FriendshipPending)
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.JSON(friend)
+	}
+}
+
+func editFriendship(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	relatedId, _ := c.ParamsInt("relatedId", 0)
+
+	var data struct {
+		Status uint8 `json:"status"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	related, err := services.GetAccount(uint(relatedId))
+	if err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+	friendship, err := services.GetFriendWithTwoSides(user.ID, related.ID)
+	if err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	originalStatus := friendship.Status
+	friendship.Status = models.FriendshipStatus(data.Status)
+
+	if friendship, err := services.EditFriendWithCheck(friendship, user, originalStatus); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.JSON(friendship)
+	}
+}
+
+func deleteFriendship(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	relatedId, _ := c.ParamsInt("relatedId", 0)
+
+	related, err := services.GetAccount(uint(relatedId))
+	if err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+	friendship, err := services.GetFriendWithTwoSides(user.ID, related.ID)
+	if err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	if err := services.DeleteFriend(friendship); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.JSON(friendship)
+	}
+}

pkg/internal/server/notifications_api.go

@@ -0,0 +1,111 @@
+package server
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"github.com/gofiber/fiber/v2"
+)
+
+func getNotifications(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	take := c.QueryInt("take", 0)
+	offset := c.QueryInt("offset", 0)
+
+	tx := database.C.Where(&models.Notification{RecipientID: user.ID}).Model(&models.Notification{})
+
+	var count int64
+	var notifications []models.Notification
+	if err := tx.
+		Count(&count).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	if err := tx.
+		Limit(take).
+		Offset(offset).
+		Find(&notifications).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	return c.JSON(fiber.Map{
+		"count": count,
+		"data":  notifications,
+	})
+}
+
+func markNotificationRead(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	id, _ := c.ParamsInt("notificationId", 0)
+
+	var notify models.Notification
+	if err := database.C.Where(&models.Notification{
+		BaseModel:   models.BaseModel{ID: uint(id)},
+		RecipientID: user.ID,
+	}).First(&notify).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	if err := database.C.Delete(&notify).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	} else {
+		return c.SendStatus(fiber.StatusOK)
+	}
+}
+
+func markNotificationReadBatch(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+
+	var data struct {
+		MessageIDs []uint `json:"messages"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	if err := database.C.Model(&models.Notification{}).
+		Where("recipient_id = ? AND id IN ?", user.ID, data.MessageIDs).
+		Delete(&models.Notification{}).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	} else {
+		return c.SendStatus(fiber.StatusOK)
+	}
+}
+
+func addNotifySubscriber(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+
+	var data struct {
+		Provider    string `json:"provider" validate:"required"`
+		DeviceToken string `json:"device_token" validate:"required"`
+		DeviceID    string `json:"device_id" validate:"required"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	var count int64
+	if err := database.C.Where(&models.NotificationSubscriber{
+		DeviceID:    data.DeviceID,
+		DeviceToken: data.DeviceToken,
+		AccountID:   user.ID,
+	}).Model(&models.NotificationSubscriber{}).Count(&count).Error; err != nil || count > 0 {
+		return c.SendStatus(fiber.StatusOK)
+	}
+
+	subscriber, err := services.AddNotifySubscriber(
+		user,
+		data.Provider,
+		data.DeviceID,
+		data.DeviceToken,
+		c.Get(fiber.HeaderUserAgent),
+	)
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return c.JSON(subscriber)
+}

pkg/internal/server/notify_api.go

@@ -0,0 +1,60 @@
+package server
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"github.com/gofiber/fiber/v2"
+)
+
+func notifyUser(c *fiber.Ctx) error {
+	var data struct {
+		ClientID     string                    `json:"client_id" validate:"required"`
+		ClientSecret string                    `json:"client_secret" validate:"required"`
+		Type         string                    `json:"type" validate:"required"`
+		Subject      string                    `json:"subject" validate:"required,max=1024"`
+		Content      string                    `json:"content" validate:"required,max=4096"`
+		Metadata     map[string]any            `json:"metadata"`
+		Links        []models.NotificationLink `json:"links"`
+		IsForcePush  bool                      `json:"is_force_push"`
+		IsRealtime   bool                      `json:"is_realtime"`
+		UserID       uint                      `json:"user_id" validate:"required"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	client, err := services.GetThirdClientWithSecret(data.ClientID, data.ClientSecret)
+	if err != nil {
+		return fiber.NewError(fiber.StatusForbidden, err.Error())
+	}
+
+	var user models.Account
+	if user, err = services.GetAccount(data.UserID); err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	notification := models.Notification{
+		Type:        data.Type,
+		Subject:     data.Subject,
+		Content:     data.Content,
+		Links:       data.Links,
+		IsRealtime:  data.IsRealtime,
+		IsForcePush: data.IsForcePush,
+		RecipientID: user.ID,
+		SenderID:    &client.ID,
+	}
+
+	if data.IsRealtime {
+		if err := services.PushNotification(notification); err != nil {
+			return fiber.NewError(fiber.StatusBadRequest, err.Error())
+		}
+	} else {
+		if err := services.NewNotification(notification); err != nil {
+			return fiber.NewError(fiber.StatusBadRequest, err.Error())
+		}
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}

pkg/internal/server/page_api.go

@@ -0,0 +1,70 @@
+package server
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"github.com/gofiber/fiber/v2"
+)
+
+func getPersonalPage(c *fiber.Ctx) error {
+	alias := c.Params("alias")
+
+	var account models.Account
+	if err := database.C.
+		Where(&models.Account{Name: alias}).
+		First(&account).Error; err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	var page models.AccountPage
+	if err := database.C.
+		Where(&models.AccountPage{AccountID: account.ID}).
+		First(&page).Error; err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return c.JSON(page)
+}
+
+func getOwnPersonalPage(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+
+	var page models.AccountPage
+	if err := database.C.
+		Where(&models.AccountPage{AccountID: user.ID}).
+		FirstOrCreate(&page, &models.AccountPage{AccountID: user.ID}).Error; err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return c.JSON(page)
+}
+
+func editPersonalPage(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+
+	var data struct {
+		Content string                    `json:"content"`
+		Links   []models.AccountPageLinks `json:"links"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	var page models.AccountPage
+	if err := database.C.
+		Where(&models.AccountPage{AccountID: user.ID}).
+		FirstOrInit(&page).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	page.Content = data.Content
+	page.Links = data.Links
+
+	if err := database.C.Save(&page).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}

pkg/internal/server/realm_members_api.go

@@ -0,0 +1,121 @@
+package server
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"github.com/gofiber/fiber/v2"
+)
+
+func listRealmMembers(c *fiber.Ctx) error {
+	alias := c.Params("realm")
+
+	if realm, err := services.GetRealmWithAlias(alias); err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	} else if members, err := services.ListRealmMember(realm.ID); err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	} else {
+		return c.JSON(members)
+	}
+}
+
+func getMyRealmMember(c *fiber.Ctx) error {
+	alias := c.Params("realm")
+	user := c.Locals("principal").(models.Account)
+
+	if realm, err := services.GetRealmWithAlias(alias); err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	} else if member, err := services.GetRealmMember(user.ID, realm.ID); err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	} else {
+		return c.JSON(member)
+	}
+}
+
+func addRealmMember(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	alias := c.Params("realm")
+
+	var data struct {
+		Target string `json:"target" validate:"required"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	realm, err := services.GetRealmWithAlias(alias)
+	if err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	var account models.Account
+	if err := database.C.Where(&models.Account{
+		Name: data.Target,
+	}).First(&account).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	if err := services.AddRealmMember(user, account, realm); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.SendStatus(fiber.StatusOK)
+	}
+}
+
+func removeRealmMember(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	alias := c.Params("realm")
+
+	var data struct {
+		Target string `json:"target" validate:"required"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	realm, err := services.GetRealmWithAlias(alias)
+	if err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	var account models.Account
+	if err := database.C.Where(&models.Account{
+		Name: data.Target,
+	}).First(&account).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	if err := services.RemoveRealmMember(user, account, realm); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.SendStatus(fiber.StatusOK)
+	}
+}
+
+func leaveRealm(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	alias := c.Params("realm")
+
+	realm, err := services.GetRealmWithAlias(alias)
+	if err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	} else if user.ID == realm.AccountID {
+		return fiber.NewError(fiber.StatusBadRequest, "you cannot leave your own realm")
+	}
+
+	var account models.Account
+	if err := database.C.Where(&models.Account{
+		BaseModel: models.BaseModel{ID: user.ID},
+	}).First(&account).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	if err := services.RemoveRealmMember(user, account, realm); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.SendStatus(fiber.StatusOK)
+	}
+}

pkg/internal/server/realms_api.go

@@ -0,0 +1,135 @@
+package server
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"github.com/gofiber/fiber/v2"
+)
+
+func getRealm(c *fiber.Ctx) error {
+	alias := c.Params("realm")
+	if realm, err := services.GetRealmWithAlias(alias); err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	} else {
+		return c.JSON(realm)
+	}
+}
+
+func listCommunityRealm(c *fiber.Ctx) error {
+	realms, err := services.ListCommunityRealm()
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return c.JSON(realms)
+}
+
+func listOwnedRealm(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	if realms, err := services.ListOwnedRealm(user); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.JSON(realms)
+	}
+}
+
+func listAvailableRealm(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	if realms, err := services.ListAvailableRealm(user); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else {
+		return c.JSON(realms)
+	}
+}
+
+func createRealm(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	if err := utils.CheckPermissions(c, "CreateRealms", true); err != nil {
+		return err
+	}
+
+	var data struct {
+		Alias       string `json:"alias" validate:"required,lowercase,min=4,max=32"`
+		Name        string `json:"name" validate:"required"`
+		Description string `json:"description"`
+		IsPublic    bool   `json:"is_public"`
+		IsCommunity bool   `json:"is_community"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	realm, err := services.NewRealm(models.Realm{
+		Alias:       data.Alias,
+		Name:        data.Name,
+		Description: data.Description,
+		IsPublic:    data.IsPublic,
+		IsCommunity: data.IsCommunity,
+		AccountID:   user.ID,
+	}, user)
+
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+	return c.JSON(realm)
+}
+
+func editRealm(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	id, _ := c.ParamsInt("realmId", 0)
+
+	var data struct {
+		Alias       string `json:"alias" validate:"required,lowercase,min=4,max=32"`
+		Name        string `json:"name" validate:"required"`
+		Description string `json:"description"`
+		IsPublic    bool   `json:"is_public"`
+		IsCommunity bool   `json:"is_community"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return err
+	}
+
+	var realm models.Realm
+	if err := database.C.Where(&models.Realm{
+		BaseModel: models.BaseModel{ID: uint(id)},
+		AccountID: user.ID,
+	}).First(&realm).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	realm.Alias = data.Alias
+	realm.Name = data.Name
+	realm.Description = data.Description
+	realm.IsPublic = data.IsPublic
+	realm.IsCommunity = data.IsCommunity
+
+	realm, err := services.EditRealm(realm)
+	if err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return c.JSON(realm)
+}
+
+func deleteRealm(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	id, _ := c.ParamsInt("realmId", 0)
+
+	var realm models.Realm
+	if err := database.C.Where(&models.Realm{
+		BaseModel: models.BaseModel{ID: uint(id)},
+		AccountID: user.ID,
+	}).First(&realm).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	if err := services.DeleteRealm(realm); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return c.SendStatus(fiber.StatusOK)
+}

pkg/internal/server/security_api.go

@@ -0,0 +1,36 @@
+package server
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/gofiber/fiber/v2"
+)
+
+func getTickets(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	take := c.QueryInt("take", 0)
+	offset := c.QueryInt("offset", 0)
+
+	var count int64
+	var tickets []models.AuthTicket
+	if err := database.C.
+		Where(&models.AuthTicket{AccountID: user.ID}).
+		Model(&models.AuthTicket{}).
+		Count(&count).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	if err := database.C.
+		Order("created_at desc").
+		Where(&models.AuthTicket{AccountID: user.ID}).
+		Limit(take).
+		Offset(offset).
+		Find(&tickets).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	return c.JSON(fiber.Map{
+		"count": count,
+		"data":  tickets,
+	})
+}

pkg/internal/server/startup.go

@@ -0,0 +1,156 @@
+package server
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/gofiber/contrib/websocket"
+
+	"git.solsynth.dev/hydrogen/passport/pkg"
+	"git.solsynth.dev/hydrogen/passport/pkg/i18n"
+	"git.solsynth.dev/hydrogen/passport/pkg/server/admin"
+	"git.solsynth.dev/hydrogen/passport/pkg/server/ui"
+	"github.com/gofiber/fiber/v2"
+	"github.com/gofiber/fiber/v2/middleware/cors"
+	"github.com/gofiber/fiber/v2/middleware/favicon"
+	"github.com/gofiber/fiber/v2/middleware/idempotency"
+	"github.com/gofiber/fiber/v2/middleware/logger"
+	"github.com/gofiber/template/html/v2"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/viper"
+)
+
+var A *fiber.App
+
+func NewServer() {
+	templates := html.NewFileSystem(http.FS(pkg.FS), ".gohtml")
+
+	A = fiber.New(fiber.Config{
+		DisableStartupMessage: true,
+		EnableIPValidation:    true,
+		ServerHeader:          "Hydrogen.Passport",
+		AppName:               "Hydrogen.Passport",
+		ProxyHeader:           fiber.HeaderXForwardedFor,
+		JSONEncoder:           jsoniter.ConfigCompatibleWithStandardLibrary.Marshal,
+		JSONDecoder:           jsoniter.ConfigCompatibleWithStandardLibrary.Unmarshal,
+		EnablePrintRoutes:     viper.GetBool("debug.print_routes"),
+		Views:                 templates,
+		ViewsLayout:           "views/index",
+	})
+
+	A.Use(idempotency.New())
+	A.Use(cors.New(cors.Config{
+		AllowCredentials: true,
+		AllowMethods: strings.Join([]string{
+			fiber.MethodGet,
+			fiber.MethodPost,
+			fiber.MethodHead,
+			fiber.MethodOptions,
+			fiber.MethodPut,
+			fiber.MethodDelete,
+			fiber.MethodPatch,
+		}, ","),
+		AllowOriginsFunc: func(origin string) bool {
+			return true
+		},
+	}))
+
+	A.Use(logger.New(logger.Config{
+		Format: "${status} | ${latency} | ${method} ${path}\n",
+		Output: log.Logger,
+	}))
+
+	A.Use(i18n.I18nMiddleware)
+
+	A.Get("/.well-known", getMetadata)
+	A.Get("/.well-known/openid-configuration", getOidcConfiguration)
+
+	api := A.Group("/api").Name("API")
+	{
+		notify := api.Group("/notifications").Name("Notifications API")
+		{
+			notify.Get("/", authMiddleware, getNotifications)
+			notify.Post("/subscribe", authMiddleware, addNotifySubscriber)
+			notify.Put("/batch/read", authMiddleware, markNotificationReadBatch)
+			notify.Put("/:notificationId/read", authMiddleware, markNotificationRead)
+		}
+
+		me := api.Group("/users/me").Name("Myself Operations")
+		{
+
+			me.Put("/avatar", authMiddleware, setAvatar)
+			me.Put("/banner", authMiddleware, setBanner)
+
+			me.Get("/", authMiddleware, getUserinfo)
+			me.Get("/page", authMiddleware, getOwnPersonalPage)
+			me.Put("/", authMiddleware, editUserinfo)
+			me.Put("/page", authMiddleware, editPersonalPage)
+			me.Get("/events", authMiddleware, getEvents)
+			me.Get("/tickets", authMiddleware, getTickets)
+			me.Delete("/tickets/:ticketId", authMiddleware, killSession)
+
+			me.Post("/confirm", doRegisterConfirm)
+
+			friends := me.Group("/friends").Name("Friends")
+			{
+				friends.Get("/", authMiddleware, listFriendship)
+				friends.Get("/:relatedId", authMiddleware, getFriendship)
+				friends.Post("/", authMiddleware, makeFriendship)
+				friends.Post("/:relatedId", authMiddleware, makeFriendship)
+				friends.Put("/:relatedId", authMiddleware, editFriendship)
+				friends.Delete("/:relatedId", authMiddleware, deleteFriendship)
+			}
+		}
+
+		directory := api.Group("/users/:alias").Name("User Directory")
+		{
+			directory.Get("/", getOtherUserinfo)
+			directory.Get("/page", getPersonalPage)
+		}
+
+		api.Post("/users", doRegister)
+
+		api.Post("/auth", doAuthenticate)
+		api.Post("/auth/token", getToken)
+		api.Post("/auth/factors/:factorId", requestFactorToken)
+
+		realms := api.Group("/realms").Name("Realms API")
+		{
+			realms.Get("/", listCommunityRealm)
+			realms.Get("/me", authMiddleware, listOwnedRealm)
+			realms.Get("/me/available", authMiddleware, listAvailableRealm)
+			realms.Get("/:realm", getRealm)
+			realms.Get("/:realm/members", listRealmMembers)
+			realms.Get("/:realm/members/me", authMiddleware, getMyRealmMember)
+			realms.Post("/", authMiddleware, createRealm)
+			realms.Put("/:realmId", authMiddleware, editRealm)
+			realms.Delete("/:realmId", authMiddleware, deleteRealm)
+			realms.Post("/:realm/members", authMiddleware, addRealmMember)
+			realms.Delete("/:realm/members", authMiddleware, removeRealmMember)
+			realms.Delete("/:realm/members/me", authMiddleware, leaveRealm)
+		}
+
+		developers := api.Group("/dev").Name("Developers API")
+		{
+			developers.Post("/notify", notifyUser)
+		}
+
+		api.Get("/ws", authMiddleware, websocket.New(listenWebsocket))
+	}
+
+	A.Use(favicon.New(favicon.Config{
+		FileSystem: http.FS(pkg.FS),
+		File:       "views/favicon.png",
+		URL:        "/favicon.png",
+	}))
+
+	admin.MapAdminEndpoints(A, authMiddleware)
+	ui.MapUserInterface(A, authFunc)
+}
+
+func Listen() {
+	if err := A.Listen(viper.GetString("bind")); err != nil {
+		log.Fatal().Err(err).Msg("An error occurred when starting server...")
+	}
+}

pkg/internal/server/ui/accounts.go

@@ -0,0 +1,51 @@
+package ui
+
+import (
+	"fmt"
+	"html/template"
+	"time"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/gofiber/fiber/v2"
+	"github.com/gomarkdown/markdown"
+	"github.com/gomarkdown/markdown/html"
+	"github.com/gomarkdown/markdown/parser"
+	"github.com/sujit-baniya/flash"
+)
+
+func selfUserinfoPage(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+
+	var data models.Account
+	if err := database.C.
+		Where(&models.Account{BaseModel: models.BaseModel{ID: user.ID}}).
+		Preload("Profile").
+		Preload("PersonalPage").
+		Preload("Contacts").
+		First(&data).Error; err != nil {
+		return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+	}
+
+	birthday := "Unknown"
+	if data.Profile.Birthday != nil {
+		birthday = data.Profile.Birthday.Format(time.RFC822)
+	}
+
+	doc := parser.
+		NewWithExtensions(parser.CommonExtensions | parser.AutoHeadingIDs | parser.NoEmptyLineBeforeBlock).
+		Parse([]byte(data.PersonalPage.Content))
+
+	renderer := html.NewRenderer(html.RendererOptions{Flags: html.CommonFlags | html.HrefTargetBlank})
+
+	return c.Render("views/users/me", fiber.Map{
+		"info":          flash.Get(c)["message"],
+		"uid":           fmt.Sprintf("%08d", data.ID),
+		"joined_at":     data.CreatedAt.Format(time.RFC822),
+		"birthday_at":   birthday,
+		"personal_page": template.HTML(markdown.Render(doc, renderer)),
+		"userinfo":      data,
+		"avatar":        data.GetAvatar(),
+		"banner":        data.GetBanner(),
+	}, "views/layouts/user-center")
+}

pkg/internal/server/ui/index.go

@@ -0,0 +1,47 @@
+package ui
+
+import (
+	"fmt"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"github.com/gofiber/fiber/v2"
+)
+
+func MapUserInterface(A *fiber.App, authFunc utils.AuthFunc) {
+	authCheckWare := func(c *fiber.Ctx) error {
+		var token string
+		if cookie := c.Cookies(services.CookieAccessKey); len(cookie) > 0 {
+			token = cookie
+		}
+
+		c.Locals("token", token)
+
+		if err := authFunc(c); err != nil {
+			uri := c.Request().URI().FullURI()
+			return c.Redirect(fmt.Sprintf("/sign-in?redirect_uri=%s", string(uri)))
+		} else {
+			return c.Next()
+		}
+	}
+
+	pages := A.Group("/").Name("Pages")
+
+	pages.Get("/", func(c *fiber.Ctx) error {
+		return c.Redirect("/users/me")
+	})
+
+	pages.Get("/sign-up", signupPage)
+	pages.Get("/sign-in", signinPage)
+	pages.Get("/mfa", mfaRequestPage)
+	pages.Get("/mfa/apply", mfaApplyPage)
+	pages.Get("/authorize", authCheckWare, authorizePage)
+
+	pages.Post("/sign-up", signupAction)
+	pages.Post("/sign-in", signinAction)
+	pages.Post("/mfa", mfaRequestAction)
+	pages.Post("/mfa/apply", mfaApplyAction)
+	pages.Post("/authorize", authCheckWare, authorizeAction)
+
+	pages.Get("/users/me", authCheckWare, selfUserinfoPage)
+}

pkg/internal/server/ui/mfa.go

@@ -0,0 +1,194 @@
+package ui
+
+import (
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"github.com/gofiber/fiber/v2"
+	"github.com/nicksnyder/go-i18n/v2/i18n"
+	"github.com/samber/lo"
+	"github.com/sujit-baniya/flash"
+)
+
+func mfaRequestPage(c *fiber.Ctx) error {
+	ticketId := c.QueryInt("ticket", 0)
+
+	ticket, err := services.GetTicket(uint(ticketId))
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": "you must provide ticket id to perform multi-factor authenticate",
+		}).Redirect("/sign-in")
+	}
+	user, err := services.GetAccount(ticket.AccountID)
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": "ticket related user just weirdly disappear",
+		}).Redirect("/sign-in")
+	}
+	factors, err := services.ListUserFactor(user.ID)
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("unable to get your factors: %v", err.Error()),
+		}).Redirect("/sign-in")
+	}
+
+	factors = lo.Filter(factors, func(item models.AuthFactor, index int) bool {
+		return item.Type != models.PasswordAuthFactor
+	})
+
+	localizer := c.Locals("localizer").(*i18n.Localizer)
+
+	next, _ := localizer.LocalizeMessage(&i18n.Message{ID: "next"})
+	title, _ := localizer.LocalizeMessage(&i18n.Message{ID: "mfaTitle"})
+	caption, _ := localizer.LocalizeMessage(&i18n.Message{ID: "mfaCaption"})
+
+	return c.Render("views/mfa", fiber.Map{
+		"info":         flash.Get(c)["message"],
+		"redirect_uri": flash.Get(c)["redirect_uri"],
+		"ticket_id":    ticket.ID,
+		"factors": lo.Map(factors, func(item models.AuthFactor, index int) fiber.Map {
+			return fiber.Map{
+				"name": services.GetFactorName(item.Type, localizer),
+				"id":   item.ID,
+			}
+		}),
+		"i18n": fiber.Map{
+			"next":    next,
+			"title":   title,
+			"caption": caption,
+		},
+	}, "views/layouts/auth")
+}
+
+func mfaRequestAction(c *fiber.Ctx) error {
+	var data struct {
+		TicketID uint `form:"ticket_id" validate:"required"`
+		FactorID uint `form:"factor_id" validate:"required"`
+	}
+
+	redirectBackUri := "/sign-in"
+	err := utils.BindAndValidate(c, &data)
+
+	if data.TicketID > 0 {
+		redirectBackUri = fmt.Sprintf("/mfa?ticket=%d", data.TicketID)
+	}
+
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": err.Error(),
+		}).Redirect(redirectBackUri)
+	}
+
+	factor, err := services.GetFactor(data.FactorID)
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("factor was not found: %v", err.Error()),
+		}).Redirect(redirectBackUri)
+	}
+
+	_, err = services.GetFactorCode(factor)
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("unable to get factor code: %v", err.Error()),
+		}).Redirect(redirectBackUri)
+	}
+
+	return flash.WithData(c, fiber.Map{
+		"redirect_uri": utils.GetRedirectUri(c),
+	}).Redirect(fmt.Sprintf("/mfa/apply?ticket=%d&factor=%d", data.TicketID, factor.ID))
+}
+
+func mfaApplyPage(c *fiber.Ctx) error {
+	ticketId := c.QueryInt("ticket", 0)
+	factorId := c.QueryInt("factor", 0)
+
+	ticket, err := services.GetTicket(uint(ticketId))
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("unable to find your ticket: %v", err.Error()),
+		}).Redirect("/sign-in")
+	}
+	factor, err := services.GetFactor(uint(factorId))
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("unable to find your factors: %v", err.Error()),
+		}).Redirect("/sign-in")
+	}
+
+	localizer := c.Locals("localizer").(*i18n.Localizer)
+
+	next, _ := localizer.LocalizeMessage(&i18n.Message{ID: "next"})
+	password, _ := localizer.LocalizeMessage(&i18n.Message{ID: "password"})
+	title, _ := localizer.LocalizeMessage(&i18n.Message{ID: "mfaTitle"})
+	caption, _ := localizer.LocalizeMessage(&i18n.Message{ID: "mfaCaption"})
+
+	return c.Render("views/mfa-apply", fiber.Map{
+		"info":      flash.Get(c)["message"],
+		"label":     services.GetFactorName(factor.Type, localizer),
+		"ticket_id": ticket.ID,
+		"factor_id": factor.ID,
+		"i18n": fiber.Map{
+			"next":     next,
+			"password": password,
+			"title":    title,
+			"caption":  caption,
+		},
+	}, "views/layouts/auth")
+}
+
+func mfaApplyAction(c *fiber.Ctx) error {
+	var data struct {
+		TicketID uint   `form:"ticket_id" validate:"required"`
+		FactorID uint   `form:"factor_id" validate:"required"`
+		Code     string `form:"code" validate:"required"`
+	}
+
+	redirectBackUri := "/sign-in"
+	err := utils.BindAndValidate(c, &data)
+
+	if data.TicketID > 0 {
+		redirectBackUri = fmt.Sprintf("/mfa/apply?ticket=%d&factor=%d", data.TicketID, data.FactorID)
+	}
+
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": err.Error(),
+		}).Redirect(redirectBackUri)
+	}
+
+	ticket, err := services.GetTicket(data.TicketID)
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("unable to find your ticket: %v", err.Error()),
+		}).Redirect("/sign-in")
+	}
+	factor, err := services.GetFactor(data.FactorID)
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("factor was not found: %v", err.Error()),
+		}).Redirect(redirectBackUri)
+	}
+
+	ticket, err = services.ActiveTicketWithMFA(ticket, factor, data.Code)
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("invalid multi-factor authenticate code: %v", err.Error()),
+		}).Redirect(redirectBackUri)
+	} else if ticket.IsAvailable() != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": "ticket weirdly still unavailable after multi-factor authenticate",
+		}).Redirect("/sign-in")
+	}
+
+	access, refresh, err := services.ExchangeToken(*ticket.GrantToken)
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("failed to exchange token: %v", err.Error()),
+		}).Redirect("/sign-in")
+	} else {
+		services.SetJwtCookieSet(c, access, refresh)
+	}
+
+	return c.Redirect(lo.FromPtr(utils.GetRedirectUri(c, "/users/me")))
+}

pkg/internal/server/ui/oauth.go

@@ -0,0 +1,154 @@
+package ui
+
+import (
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"github.com/gofiber/fiber/v2"
+	"github.com/nicksnyder/go-i18n/v2/i18n"
+	"github.com/samber/lo"
+	"github.com/sujit-baniya/flash"
+	"html/template"
+	"strings"
+	"time"
+)
+
+func authorizePage(c *fiber.Ctx) error {
+	localizer := c.Locals("localizer").(*i18n.Localizer)
+	user := c.Locals("principal").(models.Account)
+
+	id := c.Query("client_id")
+	redirect := c.Query("redirect_uri")
+
+	var message string
+	if len(id) <= 0 || len(redirect) <= 0 {
+		message = "invalid request, missing query parameters"
+	}
+
+	var client models.ThirdClient
+	if err := database.C.Where(&models.ThirdClient{Alias: id}).First(&client).Error; err != nil {
+		message = fmt.Sprintf("unable to find client: %v", err)
+	} else if !client.IsDraft && !lo.Contains(client.Callbacks, strings.Split(redirect, "?")[0]) {
+		message = "invalid callback url"
+	}
+
+	var ticket models.AuthTicket
+	if err := database.C.Where(&models.AuthTicket{
+		AccountID: user.ID,
+		ClientID:  &client.ID,
+	}).Where("last_grant_at IS NULL").First(&ticket).Error; err == nil {
+		if !(ticket.ExpiredAt != nil && ticket.ExpiredAt.Unix() < time.Now().Unix()) {
+			ticket, err = services.RegenSession(ticket)
+			if c.Query("response_type") == "code" {
+				return c.Redirect(fmt.Sprintf(
+					"%s?code=%s&state=%s",
+					redirect,
+					*ticket.GrantToken,
+					c.Query("state"),
+				))
+			} else if c.Query("response_type") == "token" {
+				if access, refresh, err := services.GetToken(ticket); err == nil {
+					return c.Redirect(fmt.Sprintf("%s?access_token=%s&refresh_token=%s&state=%s",
+						redirect,
+						access,
+						refresh, c.Query("state"),
+					))
+				}
+			}
+		}
+	}
+
+	decline, _ := localizer.LocalizeMessage(&i18n.Message{ID: "decline"})
+	approve, _ := localizer.LocalizeMessage(&i18n.Message{ID: "approve"})
+	title, _ := localizer.LocalizeMessage(&i18n.Message{ID: "authorizeTitle"})
+	caption, _ := localizer.LocalizeMessage(&i18n.Message{ID: "authorizeCaption"})
+
+	qs := "/authorize?" + string(c.Request().URI().QueryString())
+
+	return c.Render("views/authorize", fiber.Map{
+		"info":       lo.Ternary[any](len(message) > 0, message, flash.Get(c)["message"]),
+		"client":     client,
+		"scopes":     strings.Split(c.Query("scope"), " "),
+		"action_url": template.URL(qs),
+		"i18n": fiber.Map{
+			"approve": approve,
+			"decline": decline,
+			"title":   title,
+			"caption": caption,
+		},
+	}, "views/layouts/auth")
+}
+
+func authorizeAction(c *fiber.Ctx) error {
+	user := c.Locals("principal").(models.Account)
+	id := c.Query("client_id")
+	response := c.Query("response_type")
+	redirect := c.Query("redirect_uri")
+	scope := c.Query("scope")
+
+	redirectBackUri := "/authorize?" + string(c.Request().URI().QueryString())
+
+	if len(scope) <= 0 {
+		return flash.WithInfo(c, fiber.Map{
+			"message": "invalid request parameters",
+		}).Redirect(redirectBackUri)
+	}
+
+	var client models.ThirdClient
+	if err := database.C.Where(&models.ThirdClient{Alias: id}).First(&client).Error; err != nil {
+		return fiber.NewError(fiber.StatusNotFound, err.Error())
+	}
+
+	switch response {
+	case "code":
+		// OAuth Authorization Mode
+		ticket, err := services.NewOauthTicket(
+			user,
+			client,
+			strings.Split(scope, " "),
+			[]string{"passport", client.Alias},
+			c.IP(),
+			c.Get(fiber.HeaderUserAgent),
+		)
+
+		if err != nil {
+			return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+		} else {
+			services.AddEvent(user, "oauth.connect", client.Alias, c.IP(), c.Get(fiber.HeaderUserAgent))
+			return c.Redirect(fmt.Sprintf(
+				"%s?code=%s&state=%s",
+				redirect,
+				*ticket.GrantToken,
+				c.Query("state"),
+			))
+		}
+	case "token":
+		// OAuth Implicit Mode
+		ticket, err := services.NewOauthTicket(
+			user,
+			client,
+			strings.Split(scope, " "),
+			[]string{"passport", client.Alias},
+			c.IP(),
+			c.Get(fiber.HeaderUserAgent),
+		)
+
+		if err != nil {
+			return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+		} else if access, refresh, err := services.GetToken(ticket); err != nil {
+			return fiber.NewError(fiber.StatusInternalServerError, err.Error())
+		} else {
+			services.AddEvent(user, "oauth.connect", client.Alias, c.IP(), c.Get(fiber.HeaderUserAgent))
+			return c.Redirect(fmt.Sprintf("%s?access_token=%s&refresh_token=%s&state=%s",
+				redirect,
+				access,
+				refresh, c.Query("state"),
+			))
+		}
+	default:
+		return flash.WithInfo(c, fiber.Map{
+			"message": "unsupported response type",
+		}).Redirect(redirectBackUri)
+	}
+}

pkg/internal/server/ui/signin.go

@@ -0,0 +1,93 @@
+package ui
+
+import (
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"github.com/gofiber/fiber/v2"
+	"github.com/nicksnyder/go-i18n/v2/i18n"
+	"github.com/samber/lo"
+	"github.com/sujit-baniya/flash"
+)
+
+func signinPage(c *fiber.Ctx) error {
+	localizer := c.Locals("localizer").(*i18n.Localizer)
+
+	next, _ := localizer.LocalizeMessage(&i18n.Message{ID: "next"})
+	username, _ := localizer.LocalizeMessage(&i18n.Message{ID: "username"})
+	password, _ := localizer.LocalizeMessage(&i18n.Message{ID: "password"})
+	signup, _ := localizer.LocalizeMessage(&i18n.Message{ID: "signupTitle"})
+	title, _ := localizer.LocalizeMessage(&i18n.Message{ID: "signinTitle"})
+	caption, _ := localizer.LocalizeMessage(&i18n.Message{ID: "signinCaption"})
+	requiredNotify, _ := localizer.LocalizeMessage(&i18n.Message{ID: "signinRequired"})
+
+	var info any
+	if flash.Get(c)["message"] != nil {
+		info = flash.Get(c)["message"]
+	} else {
+		info = requiredNotify
+	}
+
+	return c.Render("views/signin", fiber.Map{
+		"info": info,
+		"i18n": fiber.Map{
+			"next":     next,
+			"username": username,
+			"password": password,
+			"signup":   signup,
+			"title":    title,
+			"caption":  caption,
+		},
+	}, "views/layouts/auth")
+}
+
+func signinAction(c *fiber.Ctx) error {
+	var data struct {
+		Username string `form:"username" validate:"required"`
+		Password string `form:"password" validate:"required"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": err.Error(),
+		}).Redirect("/sign-in")
+	}
+
+	user, err := services.LookupAccount(data.Username)
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("account was not found: %v", err.Error()),
+		}).Redirect("/sign-in")
+	}
+
+	ticket, err := services.NewTicket(user, c.IP(), c.Get(fiber.HeaderUserAgent))
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("unable setup ticket: %v", err.Error()),
+		}).Redirect("/sign-in")
+	}
+
+	ticket, err = services.ActiveTicketWithPassword(ticket, data.Password)
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("invalid password: %v", err.Error()),
+		}).Redirect("/sign-in")
+	}
+
+	if ticket.IsAvailable() != nil {
+		return flash.WithData(c, fiber.Map{
+			"redirect_uri": utils.GetRedirectUri(c),
+		}).Redirect(fmt.Sprintf("/mfa?ticket=%d", ticket.ID))
+	}
+
+	access, refresh, err := services.ExchangeToken(*ticket.GrantToken)
+	if err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": fmt.Sprintf("failed to exchange token: %v", err.Error()),
+		}).Redirect("/sign-in")
+	} else {
+		services.SetJwtCookieSet(c, access, refresh)
+	}
+
+	return c.Redirect(lo.FromPtr(utils.GetRedirectUri(c, "/users/me")))
+}

pkg/internal/server/ui/signup.go

@@ -0,0 +1,87 @@
+package ui
+
+import (
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"git.solsynth.dev/hydrogen/passport/pkg/utils"
+	"github.com/gofiber/fiber/v2"
+	"github.com/nicksnyder/go-i18n/v2/i18n"
+	"github.com/samber/lo"
+	"github.com/spf13/viper"
+	"github.com/sujit-baniya/flash"
+)
+
+func signupPage(c *fiber.Ctx) error {
+	localizer := c.Locals("localizer").(*i18n.Localizer)
+
+	next, _ := localizer.LocalizeMessage(&i18n.Message{ID: "next"})
+	email, _ := localizer.LocalizeMessage(&i18n.Message{ID: "email"})
+	nickname, _ := localizer.LocalizeMessage(&i18n.Message{ID: "nickname"})
+	username, _ := localizer.LocalizeMessage(&i18n.Message{ID: "username"})
+	password, _ := localizer.LocalizeMessage(&i18n.Message{ID: "password"})
+	magicToken, _ := localizer.LocalizeMessage(&i18n.Message{ID: "magicToken"})
+	signin, _ := localizer.LocalizeMessage(&i18n.Message{ID: "signinTitle"})
+	title, _ := localizer.LocalizeMessage(&i18n.Message{ID: "signupTitle"})
+	caption, _ := localizer.LocalizeMessage(&i18n.Message{ID: "signupCaption"})
+
+	return c.Render("views/signup", fiber.Map{
+		"info":            flash.Get(c)["message"],
+		"use_magic_token": viper.GetBool("use_registration_magic_token"),
+		"i18n": fiber.Map{
+			"next":        next,
+			"email":       email,
+			"username":    username,
+			"nickname":    nickname,
+			"password":    password,
+			"magic_token": magicToken,
+			"signin":      signin,
+			"title":       title,
+			"caption":     caption,
+		},
+	}, "views/layouts/auth")
+}
+
+func signupAction(c *fiber.Ctx) error {
+	var data struct {
+		Name       string `form:"name" validate:"required,lowercase,alphanum,min=4,max=16"`
+		Nick       string `form:"nick" validate:"required,min=4,max=24"`
+		Email      string `form:"email" validate:"required,email"`
+		Password   string `form:"password" validate:"required,min=4,max=32"`
+		MagicToken string `form:"magic_token"`
+	}
+
+	if err := utils.BindAndValidate(c, &data); err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": err.Error(),
+		}).Redirect("/sign-up")
+	} else if viper.GetBool("use_registration_magic_token") && len(data.MagicToken) <= 0 {
+		return flash.WithInfo(c, fiber.Map{
+			"message": "magic token was required",
+		}).Redirect("/sign-up")
+	} else if viper.GetBool("use_registration_magic_token") {
+		if tk, err := services.ValidateMagicToken(data.MagicToken, models.RegistrationMagicToken); err != nil {
+			return flash.WithInfo(c, fiber.Map{
+				"message": fmt.Sprintf("magic token was invalid: %v", err.Error()),
+			}).Redirect("/sign-up")
+		} else {
+			database.C.Delete(&tk)
+		}
+	}
+
+	if _, err := services.CreateAccount(
+		data.Name,
+		data.Nick,
+		data.Email,
+		data.Password,
+	); err != nil {
+		return flash.WithInfo(c, fiber.Map{
+			"message": err.Error(),
+		}).Redirect("/sign-up")
+	} else {
+		return flash.WithInfo(c, fiber.Map{
+			"message": "account has been created. now you can sign in!",
+		}).Redirect(lo.FromPtr(utils.GetRedirectUri(c, "/sign-in")))
+	}
+}

pkg/internal/server/userinfo_api.go

@@ -0,0 +1,23 @@
+package server
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/gofiber/fiber/v2"
+)
+
+func getOtherUserinfo(c *fiber.Ctx) error {
+	alias := c.Params("alias")
+
+	var account models.Account
+	if err := database.C.
+		Where(&models.Account{Name: alias}).
+		Omit("tickets", "challenges", "factors", "events", "clients", "notifications", "notify_subscribers").
+		Preload("Profile").
+		Preload("Badges").
+		First(&account).Error; err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return c.JSON(account)
+}

pkg/internal/server/well_known_api.go

@@ -0,0 +1,34 @@
+package server
+
+import (
+	"fmt"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/spf13/viper"
+)
+
+func getMetadata(c *fiber.Ctx) error {
+	return c.JSON(fiber.Map{
+		"name":              viper.GetString("name"),
+		"domain":            viper.GetString("domain"),
+		"open_registration": !viper.GetBool("use_registration_magic_token"),
+	})
+}
+
+func getOidcConfiguration(c *fiber.Ctx) error {
+	domain := viper.GetString("domain")
+	basepath := fmt.Sprintf("https://%s", domain)
+
+	return c.JSON(fiber.Map{
+		"issuer":                                           basepath,
+		"authorization_endpoint":                           fmt.Sprintf("%s/authorize", basepath),
+		"token_endpoint":                                   fmt.Sprintf("%s/api/auth/token", basepath),
+		"userinfo_endpoint":                                fmt.Sprintf("%s/api/users/me", basepath),
+		"response_types_supported":                         []string{"code", "token"},
+		"grant_types_supported":                            []string{"authorization_code", "implicit", "refresh_token"},
+		"subject_types_supported":                          []string{"public"},
+		"token_endpoint_auth_methods_supported":            []string{"client_secret_post"},
+		"id_token_signing_alg_values_supported":            []string{"HS512"},
+		"token_endpoint_auth_signing_alg_values_supported": []string{"HS512"},
+	})
+}

pkg/internal/server/ws.go

@@ -0,0 +1,83 @@
+package server
+
+import (
+	"fmt"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"github.com/gofiber/contrib/websocket"
+	jsoniter "github.com/json-iterator/go"
+	"github.com/rs/zerolog/log"
+	"github.com/samber/lo"
+)
+
+func listenWebsocket(c *websocket.Conn) {
+	user := c.Locals("principal").(models.Account)
+
+	// Push connection
+	services.ClientRegister(user, c)
+	log.Debug().Uint("user", user.ID).Msg("New websocket connection established...")
+
+	// Event loop
+	var task models.UnifiedCommand
+
+	var messageType int
+	var payload []byte
+	var packet []byte
+	var err error
+
+	for {
+		if messageType, packet, err = c.ReadMessage(); err != nil {
+			break
+		} else if err := jsoniter.Unmarshal(packet, &task); err != nil {
+			_ = c.WriteMessage(messageType, models.UnifiedCommand{
+				Action:  "error",
+				Message: "unable to unmarshal your command, requires json request",
+			}.Marshal())
+			continue
+		} else {
+			payload, _ = jsoniter.Marshal(task.Payload)
+		}
+
+		var message *models.UnifiedCommand
+		switch task.Action {
+		case "kex.request":
+			var req struct {
+				RequestID string `json:"request_id"`
+				KeypairID string `json:"keypair_id"`
+				Algorithm string `json:"algorithm"`
+				OwnerID   uint   `json:"owner_id"`
+				Deadline  int64  `json:"deadline"`
+			}
+			_ = jsoniter.Unmarshal(payload, &req)
+			if len(req.RequestID) <= 0 || len(req.KeypairID) <= 0 || req.OwnerID <= 0 {
+				message = lo.ToPtr(models.UnifiedCommandFromError(fmt.Errorf("invalid request")))
+			}
+			services.KexRequest(c, req.RequestID, req.KeypairID, req.Algorithm, req.OwnerID, req.Deadline)
+		case "kex.provide":
+			var req struct {
+				RequestID string `json:"request_id"`
+				KeypairID string `json:"keypair_id"`
+				Algorithm string `json:"algorithm"`
+				PublicKey []byte `json:"public_key"`
+			}
+			_ = jsoniter.Unmarshal(payload, &req)
+			if len(req.RequestID) <= 0 || len(req.KeypairID) <= 0 {
+				message = lo.ToPtr(models.UnifiedCommandFromError(fmt.Errorf("invalid request")))
+			}
+			services.KexProvide(user.ID, req.RequestID, req.KeypairID, packet)
+		default:
+			message = lo.ToPtr(models.UnifiedCommandFromError(fmt.Errorf("unknown action")))
+		}
+
+		if message != nil {
+			if err = c.WriteMessage(messageType, message.Marshal()); err != nil {
+				break
+			}
+		}
+	}
+
+	// Pop connection
+	services.ClientUnregister(user, c)
+	log.Debug().Uint("user", user.ID).Msg("A websocket connection disconnected...")
+}

pkg/internal/services/accounts.go

@@ -0,0 +1,123 @@
+package services
+
+import (
+	"fmt"
+	"github.com/spf13/viper"
+	"gorm.io/datatypes"
+	"time"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/google/uuid"
+	"github.com/samber/lo"
+	"gorm.io/gorm"
+)
+
+func GetAccount(id uint) (models.Account, error) {
+	var account models.Account
+	if err := database.C.Where(models.Account{
+		BaseModel: models.BaseModel{ID: id},
+	}).First(&account).Error; err != nil {
+		return account, err
+	}
+
+	return account, nil
+}
+
+func LookupAccount(probe string) (models.Account, error) {
+	var account models.Account
+	if err := database.C.Where(models.Account{Name: probe}).First(&account).Error; err == nil {
+		return account, nil
+	}
+
+	var contact models.AccountContact
+	if err := database.C.Where(models.AccountContact{Content: probe}).First(&contact).Error; err == nil {
+		if err := database.C.
+			Where(models.Account{
+				BaseModel: models.BaseModel{ID: contact.AccountID},
+			}).First(&account).Error; err == nil {
+			return account, err
+		}
+	}
+
+	return account, fmt.Errorf("account was not found")
+}
+
+func CreateAccount(name, nick, email, password string) (models.Account, error) {
+	user := models.Account{
+		Name: name,
+		Nick: nick,
+		Profile: models.AccountProfile{
+			Experience: 100,
+		},
+		Factors: []models.AuthFactor{
+			{
+				Type:   models.PasswordAuthFactor,
+				Secret: HashPassword(password),
+			},
+			{
+				Type:   models.EmailPasswordFactor,
+				Secret: uuid.NewString()[:8],
+			},
+		},
+		Contacts: []models.AccountContact{
+			{
+				Type:       models.EmailAccountContact,
+				Content:    email,
+				IsPrimary:  true,
+				VerifiedAt: nil,
+			},
+		},
+		PermNodes:   datatypes.JSONMap(viper.GetStringMap("permissions.default")),
+		ConfirmedAt: nil,
+	}
+
+	if err := database.C.Create(&user).Error; err != nil {
+		return user, err
+	}
+
+	if tk, err := NewMagicToken(models.ConfirmMagicToken, &user, nil); err != nil {
+		return user, err
+	} else if err := NotifyMagicToken(tk); err != nil {
+		return user, err
+	}
+
+	return user, nil
+}
+
+func ConfirmAccount(code string) error {
+	token, err := ValidateMagicToken(code, models.ConfirmMagicToken)
+	if err != nil {
+		return err
+	}
+
+	var user models.Account
+	if err := database.C.Where(&models.Account{
+		BaseModel: models.BaseModel{ID: *token.AssignTo},
+	}).First(&user).Error; err != nil {
+		return err
+	}
+
+	return database.C.Transaction(func(tx *gorm.DB) error {
+		user.ConfirmedAt = lo.ToPtr(time.Now())
+
+		for k, v := range viper.GetStringMap("permissions.verified") {
+			if val, ok := user.PermNodes[k]; !ok {
+				user.PermNodes[k] = v
+			} else if !ComparePermNode(val, v) {
+				user.PermNodes[k] = v
+			}
+		}
+
+		if err := database.C.Delete(&token).Error; err != nil {
+			return err
+		}
+		if err := database.C.Save(&user).Error; err != nil {
+			return err
+		}
+
+		InvalidAuthCacheWithUser(user.ID)
+
+		return nil
+	})
+}

pkg/internal/services/auth.go

@@ -0,0 +1,125 @@
+package services
+
+import (
+	"fmt"
+	"sync"
+	"time"
+
+	jsoniter "github.com/json-iterator/go"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/gofiber/fiber/v2"
+	"github.com/rs/zerolog/log"
+)
+
+var (
+	authContextMutex sync.Mutex
+	authContextCache = make(map[string]models.AuthContext)
+)
+
+func Authenticate(access, refresh string, depth int) (ctx models.AuthContext, perms map[string]any, newAccess, newRefresh string, err error) {
+	var claims PayloadClaims
+	claims, err = DecodeJwt(access)
+	if err != nil {
+		if len(refresh) > 0 && depth < 1 {
+			// Auto refresh and retry
+			newAccess, newRefresh, err = RefreshToken(refresh)
+			if err == nil {
+				return Authenticate(newAccess, newRefresh, depth+1)
+			}
+		}
+		err = fiber.NewError(fiber.StatusUnauthorized, fmt.Sprintf("invalid auth key: %v", err))
+		return
+	}
+
+	newAccess = access
+	newRefresh = refresh
+
+	if ctx, err = GetAuthContext(claims.ID); err == nil {
+		var heldPerms map[string]any
+		rawHeldPerms, _ := jsoniter.Marshal(ctx.Account.PermNodes)
+		_ = jsoniter.Unmarshal(rawHeldPerms, &heldPerms)
+
+		perms = FilterPermNodes(heldPerms, ctx.Ticket.Claims)
+		return
+	}
+
+	err = fiber.NewError(fiber.StatusUnauthorized, err.Error())
+	return
+}
+
+func GetAuthContext(jti string) (models.AuthContext, error) {
+	var err error
+	var ctx models.AuthContext
+
+	if val, ok := authContextCache[jti]; ok {
+		ctx = val
+		ctx.LastUsedAt = time.Now()
+		authContextMutex.Lock()
+		authContextCache[jti] = ctx
+		authContextMutex.Unlock()
+		log.Debug().Str("jti", jti).Msg("Used an auth context cache")
+	} else {
+		ctx, err = CacheAuthContext(jti)
+		log.Debug().Str("jti", jti).Msg("Created a new auth context cache")
+	}
+
+	return ctx, err
+}
+
+func CacheAuthContext(jti string) (models.AuthContext, error) {
+	var ctx models.AuthContext
+
+	// Query data from primary database
+	ticket, err := GetTicketWithToken(jti)
+	if err != nil {
+		return ctx, fmt.Errorf("invalid auth ticket: %v", err)
+	} else if err := ticket.IsAvailable(); err != nil {
+		return ctx, fmt.Errorf("unavailable auth ticket: %v", err)
+	}
+
+	user, err := GetAccount(ticket.AccountID)
+	if err != nil {
+		return ctx, fmt.Errorf("invalid account: %v", err)
+	}
+
+	ctx = models.AuthContext{
+		Ticket:     ticket,
+		Account:    user,
+		LastUsedAt: time.Now(),
+	}
+
+	// Put the data into memory for cache
+	authContextMutex.Lock()
+	authContextCache[jti] = ctx
+	authContextMutex.Unlock()
+
+	return ctx, nil
+}
+
+func RecycleAuthContext() {
+	if len(authContextCache) == 0 {
+		return
+	}
+
+	affected := 0
+	for key, val := range authContextCache {
+		if val.LastUsedAt.Add(60*time.Second).Unix() < time.Now().Unix() {
+			affected++
+			authContextMutex.Lock()
+			delete(authContextCache, key)
+			authContextMutex.Unlock()
+		}
+	}
+	log.Debug().Int("affected", affected).Msg("Recycled auth context...")
+}
+
+func InvalidAuthCacheWithUser(userId uint) {
+	for key, val := range authContextCache {
+		if val.Account.ID == userId {
+			authContextMutex.Lock()
+			delete(authContextCache, key)
+			authContextMutex.Unlock()
+		}
+	}
+}

pkg/internal/services/badges.go

@@ -0,0 +1,15 @@
+package services
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+)
+
+func GrantBadge(user models.Account, badge models.Badge) error {
+	badge.AccountID = user.ID
+	return database.C.Save(badge).Error
+}
+
+func RevokeBadge(badge models.Badge) error {
+	return database.C.Delete(&badge).Error
+}

pkg/internal/services/cleaner.go

@@ -0,0 +1,23 @@
+package services
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"github.com/rs/zerolog/log"
+	"time"
+)
+
+func DoAutoDatabaseCleanup() {
+	deadline := time.Now().Add(60 * time.Minute)
+	log.Debug().Time("deadline", deadline).Msg("Now cleaning up entire database...")
+
+	var count int64
+	for _, model := range database.AutoMaintainRange {
+		tx := database.C.Unscoped().Delete(model, "deleted_at >= ?", deadline)
+		if tx.Error != nil {
+			log.Error().Err(tx.Error).Msg("An error occurred when running auth context cleanup...")
+		}
+		count += tx.RowsAffected
+	}
+
+	log.Debug().Int64("affected", count).Msg("Clean up entire database accomplished.")
+}

pkg/internal/services/clients.go

@@ -0,0 +1,32 @@
+package services
+
+import (
+	"fmt"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+)
+
+func GetThirdClient(id string) (models.ThirdClient, error) {
+	var client models.ThirdClient
+	if err := database.C.Where(&models.ThirdClient{
+		Alias: id,
+	}).First(&client).Error; err != nil {
+		return client, err
+	}
+
+	return client, nil
+}
+
+func GetThirdClientWithSecret(id, secret string) (models.ThirdClient, error) {
+	client, err := GetThirdClient(id)
+	if err != nil {
+		return client, err
+	}
+
+	if client.Secret != secret {
+		return client, fmt.Errorf("invalid client secret")
+	}
+
+	return client, nil
+}

pkg/internal/services/connections.go

@@ -0,0 +1,31 @@
+package services
+
+import (
+	"sync"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/gofiber/contrib/websocket"
+)
+
+var (
+	wsMutex sync.Mutex
+	wsConn  = make(map[uint]map[*websocket.Conn]bool)
+)
+
+func ClientRegister(user models.Account, conn *websocket.Conn) {
+	wsMutex.Lock()
+	if wsConn[user.ID] == nil {
+		wsConn[user.ID] = make(map[*websocket.Conn]bool)
+	}
+	wsConn[user.ID][conn] = true
+	wsMutex.Unlock()
+}
+
+func ClientUnregister(user models.Account, conn *websocket.Conn) {
+	wsMutex.Lock()
+	if wsConn[user.ID] == nil {
+		wsConn[user.ID] = make(map[*websocket.Conn]bool)
+	}
+	delete(wsConn[user.ID], conn)
+	wsMutex.Unlock()
+}

pkg/internal/services/e2ee.go

@@ -0,0 +1,82 @@
+package services
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/gofiber/contrib/websocket"
+	"github.com/gofiber/fiber/v2"
+	"time"
+)
+
+type kexRequest struct {
+	OwnerID  uint
+	Conn     *websocket.Conn
+	Deadline time.Time
+}
+
+var kexRequests = make(map[string]map[string]kexRequest)
+
+func KexRequest(conn *websocket.Conn, requestId, keypairId, algorithm string, ownerId uint, deadline int64) {
+	if kexRequests[keypairId] == nil {
+		kexRequests[keypairId] = make(map[string]kexRequest)
+	}
+
+	ddl := time.Now().Add(time.Second * time.Duration(deadline))
+	request := kexRequest{
+		OwnerID:  ownerId,
+		Conn:     conn,
+		Deadline: ddl,
+	}
+
+	flag := false
+	for c := range wsConn[ownerId] {
+		if c == conn {
+			continue
+		}
+
+		if c.WriteMessage(1, models.UnifiedCommand{
+			Action: "kex.request",
+			Payload: fiber.Map{
+				"request_id": requestId,
+				"keypair_id": keypairId,
+				"algorithm":  algorithm,
+				"owner_id":   ownerId,
+				"deadline":   deadline,
+			},
+		}.Marshal()) == nil {
+			flag = true
+		}
+	}
+
+	if flag {
+		kexRequests[keypairId][requestId] = request
+	}
+}
+
+func KexProvide(userId uint, requestId, keypairId string, pkt []byte) {
+	if kexRequests[keypairId] == nil {
+		return
+	}
+
+	val, ok := kexRequests[keypairId][requestId]
+	if !ok {
+		return
+	} else if val.OwnerID != userId {
+		return
+	} else {
+		_ = val.Conn.WriteMessage(1, pkt)
+	}
+}
+
+func KexCleanup() {
+	if len(kexRequests) <= 0 {
+		return
+	}
+
+	for kp, data := range kexRequests {
+		for idx, req := range data {
+			if req.Deadline.Unix() <= time.Now().Unix() {
+				delete(kexRequests[kp], idx)
+			}
+		}
+	}
+}

pkg/internal/services/encryptor.go

@@ -0,0 +1,12 @@
+package services
+
+import "golang.org/x/crypto/bcrypt"
+
+func HashPassword(raw string) string {
+	data, _ := bcrypt.GenerateFromPassword([]byte(raw), 12)
+	return string(data)
+}
+
+func VerifyPassword(text string, password string) bool {
+	return bcrypt.CompareHashAndPassword([]byte(password), []byte(text)) == nil
+}

pkg/internal/services/events.go

@@ -0,0 +1,20 @@
+package services
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+)
+
+func AddEvent(user models.Account, event, target, ip, ua string) models.ActionEvent {
+	evt := models.ActionEvent{
+		Type:      event,
+		Target:    target,
+		IpAddress: ip,
+		UserAgent: ua,
+		AccountID: user.ID,
+	}
+
+	database.C.Save(&evt)
+
+	return evt
+}

pkg/internal/services/external_apns.go

@@ -0,0 +1,25 @@
+package services
+
+import (
+	"github.com/sideshow/apns2"
+	"github.com/sideshow/apns2/token"
+	"github.com/spf13/viper"
+)
+
+// ExtAPNS is Apple Notification Services client
+var ExtAPNS *apns2.Client
+
+func SetupAPNS() error {
+	authKey, err := token.AuthKeyFromFile(viper.GetString("apns_credentials"))
+	if err != nil {
+		return err
+	}
+
+	ExtAPNS = apns2.NewTokenClient(&token.Token{
+		AuthKey: authKey,
+		KeyID:   viper.GetString("apns_credentials_key"),
+		TeamID:  viper.GetString("apns_credentials_team"),
+	}).Production()
+
+	return nil
+}

pkg/internal/services/external_firebase.go

@@ -0,0 +1,23 @@
+package services
+
+import (
+	"context"
+	firebase "firebase.google.com/go"
+	"github.com/spf13/viper"
+	"google.golang.org/api/option"
+)
+
+// ExtFire is the firebase app client
+var ExtFire *firebase.App
+
+func SetupFirebase() error {
+	opt := option.WithCredentialsFile(viper.GetString("firebase_credentials"))
+	app, err := firebase.NewApp(context.Background(), nil, opt)
+	if err != nil {
+		return err
+	} else {
+		ExtFire = app
+	}
+
+	return nil
+}

pkg/internal/services/factors.go

@@ -0,0 +1,109 @@
+package services
+
+import (
+	"fmt"
+	"github.com/samber/lo"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/google/uuid"
+	"github.com/spf13/viper"
+)
+
+const EmailPasswordTemplate = `Dear %s,
+
+We hope this message finds you well.
+As part of our ongoing commitment to ensuring the security of your account, we require you to complete the login process by entering the verification code below:
+
+Your Login Verification Code: %s
+
+Please use the provided code within the next 2 hours to complete your login. 
+If you did not request this code, please update your information, maybe your username or email has been leak.
+
+Thank you for your cooperation in helping us maintain the security of your account.
+
+Best regards,
+%s`
+
+func GetPasswordTypeFactor(userId uint) (models.AuthFactor, error) {
+	var factor models.AuthFactor
+	err := database.C.Where(models.AuthFactor{
+		Type:      models.PasswordAuthFactor,
+		AccountID: userId,
+	}).First(&factor).Error
+
+	return factor, err
+}
+
+func GetFactor(id uint) (models.AuthFactor, error) {
+	var factor models.AuthFactor
+	err := database.C.Where(models.AuthFactor{
+		BaseModel: models.BaseModel{ID: id},
+	}).First(&factor).Error
+
+	return factor, err
+}
+
+func ListUserFactor(userId uint) ([]models.AuthFactor, error) {
+	var factors []models.AuthFactor
+	err := database.C.Where(models.AuthFactor{
+		AccountID: userId,
+	}).Find(&factors).Error
+
+	return factors, err
+}
+
+func CountUserFactor(userId uint) int64 {
+	var count int64
+	database.C.Where(models.AuthFactor{
+		AccountID: userId,
+	}).Model(&models.AuthFactor{}).Count(&count)
+
+	return count
+}
+
+func GetFactorCode(factor models.AuthFactor) (bool, error) {
+	switch factor.Type {
+	case models.EmailPasswordFactor:
+		var user models.Account
+		if err := database.C.Where(&models.Account{
+			BaseModel: models.BaseModel{ID: factor.AccountID},
+		}).Preload("Contacts").First(&user).Error; err != nil {
+			return true, err
+		}
+
+		factor.Secret = uuid.NewString()[:6]
+		if err := database.C.Save(&factor).Error; err != nil {
+			return true, err
+		}
+
+		subject := fmt.Sprintf("[%s] Login verification code", viper.GetString("name"))
+		content := fmt.Sprintf(EmailPasswordTemplate, user.Name, factor.Secret, viper.GetString("maintainer"))
+		if err := SendMail(user.GetPrimaryEmail().Content, subject, content); err != nil {
+			return true, err
+		}
+		return true, nil
+
+	default:
+		return false, nil
+	}
+}
+
+func CheckFactor(factor models.AuthFactor, code string) error {
+	switch factor.Type {
+	case models.PasswordAuthFactor:
+		return lo.Ternary(
+			VerifyPassword(code, factor.Secret),
+			nil,
+			fmt.Errorf("invalid password"),
+		)
+	case models.EmailPasswordFactor:
+		return lo.Ternary(
+			code == factor.Secret,
+			nil,
+			fmt.Errorf("invalid verification code"),
+		)
+	}
+
+	return nil
+}

pkg/internal/services/friendships.go

@@ -0,0 +1,125 @@
+package services
+
+import (
+	"errors"
+	"fmt"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"gorm.io/gorm"
+)
+
+func ListAllFriend(anyside models.Account) ([]models.AccountFriendship, error) {
+	var relationships []models.AccountFriendship
+	if err := database.C.
+		Where("account_id = ? OR related_id = ?", anyside.ID, anyside.ID).
+		Preload("Account").
+		Preload("Related").
+		Find(&relationships).Error; err != nil {
+		return relationships, err
+	}
+
+	return relationships, nil
+}
+
+func ListFriend(anyside models.Account, status models.FriendshipStatus) ([]models.AccountFriendship, error) {
+	var relationships []models.AccountFriendship
+	if err := database.C.
+		Where("(account_id = ? OR related_id = ?) AND status = ?", anyside.ID, anyside.ID, status).
+		Preload("Account").
+		Preload("Related").
+		Find(&relationships).Error; err != nil {
+		return relationships, err
+	}
+
+	return relationships, nil
+}
+
+func GetFriend(anysideId uint) (models.AccountFriendship, error) {
+	var relationship models.AccountFriendship
+	if err := database.C.
+		Where(&models.AccountFriendship{AccountID: anysideId}).
+		Or(&models.AccountFriendship{RelatedID: anysideId}).
+		Preload("Account").
+		Preload("Related").
+		First(&relationship).Error; err != nil {
+		return relationship, err
+	}
+
+	return relationship, nil
+}
+
+func GetFriendWithTwoSides(userId, relatedId uint, noPreload ...bool) (models.AccountFriendship, error) {
+	var tx *gorm.DB
+	if len(noPreload) > 0 && noPreload[0] {
+		tx = database.C
+	} else {
+		tx = database.C.Preload("Account").Preload("Related")
+	}
+
+	var relationship models.AccountFriendship
+	if err := tx.
+		Where(&models.AccountFriendship{AccountID: userId, RelatedID: relatedId}).
+		Or(&models.AccountFriendship{RelatedID: userId, AccountID: relatedId}).
+		First(&relationship).Error; err != nil {
+		return relationship, err
+	}
+
+	return relationship, nil
+}
+
+func NewFriend(user models.Account, related models.Account, status models.FriendshipStatus) (models.AccountFriendship, error) {
+	relationship := models.AccountFriendship{
+		AccountID: user.ID,
+		RelatedID: related.ID,
+		Status:    status,
+	}
+
+	if user.ID == related.ID {
+		return relationship, fmt.Errorf("you cannot make friendship with yourself")
+	} else if _, err := GetFriendWithTwoSides(user.ID, related.ID, true); err == nil || !errors.Is(err, gorm.ErrRecordNotFound) {
+		return relationship, fmt.Errorf("you already have a friendship with him or her")
+	}
+
+	if err := database.C.Save(&relationship).Error; err != nil {
+		return relationship, err
+	} else {
+		_ = NewNotification(models.Notification{
+			Subject:     fmt.Sprintf("New friend request from %s", user.Name),
+			Content:     fmt.Sprintf("You got a new friend request from %s. Go to your settings and decide how to deal it.", user.Nick),
+			RecipientID: related.ID,
+		})
+	}
+
+	return relationship, nil
+}
+
+func EditFriendWithCheck(relationship models.AccountFriendship, user models.Account, originalStatus models.FriendshipStatus) (models.AccountFriendship, error) {
+	if relationship.Status != originalStatus {
+		if originalStatus == models.FriendshipBlocked && relationship.BlockedBy != nil && user.ID != *relationship.BlockedBy {
+			return relationship, fmt.Errorf("the friendship has been blocked by the otherside, you cannot modify it status")
+		}
+		if relationship.Status == models.FriendshipPending && relationship.RelatedID != user.ID {
+			return relationship, fmt.Errorf("only related person can accept friendship")
+		}
+	}
+	if originalStatus != models.FriendshipBlocked && relationship.Status == models.FriendshipBlocked {
+		relationship.BlockedBy = &user.ID
+	}
+
+	return EditFriend(relationship)
+}
+
+func EditFriend(relationship models.AccountFriendship) (models.AccountFriendship, error) {
+	if err := database.C.Save(&relationship).Error; err != nil {
+		return relationship, err
+	}
+	return relationship, nil
+}
+
+func DeleteFriend(relationship models.AccountFriendship) error {
+	if err := database.C.Delete(&relationship).Error; err != nil {
+		return err
+	}
+	return nil
+}

pkg/internal/services/jwt.go

@@ -0,0 +1,81 @@
+package services
+
+import (
+	"fmt"
+	"github.com/gofiber/fiber/v2"
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+	"github.com/spf13/viper"
+)
+
+var CookieAccessKey = "passport_auth_key"
+var CookieRefreshKey = "passport_refresh_key"
+
+type PayloadClaims struct {
+	jwt.RegisteredClaims
+
+	SessionID string `json:"sed"`
+	Type      string `json:"typ"`
+}
+
+const (
+	JwtAccessType  = "access"
+	JwtRefreshType = "refresh"
+)
+
+func EncodeJwt(id string, typ, sub, sed string, aud []string, exp time.Time) (string, error) {
+	tk := jwt.NewWithClaims(jwt.SigningMethodHS512, PayloadClaims{
+		jwt.RegisteredClaims{
+			Subject:   sub,
+			Audience:  aud,
+			Issuer:    fmt.Sprintf("https://%s", viper.GetString("domain")),
+			ExpiresAt: jwt.NewNumericDate(exp),
+			NotBefore: jwt.NewNumericDate(time.Now()),
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+			ID:        id,
+		},
+		sed,
+		typ,
+	})
+
+	return tk.SignedString([]byte(viper.GetString("secret")))
+}
+
+func DecodeJwt(str string) (PayloadClaims, error) {
+	var claims PayloadClaims
+	tk, err := jwt.ParseWithClaims(str, &claims, func(token *jwt.Token) (interface{}, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return []byte(viper.GetString("secret")), nil
+	})
+	if err != nil {
+		return claims, err
+	}
+
+	if data, ok := tk.Claims.(*PayloadClaims); ok {
+		return *data, nil
+	} else {
+		return claims, fmt.Errorf("unexpected token payload: not payload claims type")
+	}
+}
+
+func SetJwtCookieSet(c *fiber.Ctx, access, refresh string) {
+	c.Cookie(&fiber.Cookie{
+		Name:     CookieAccessKey,
+		Value:    access,
+		Domain:   viper.GetString("security.cookie_domain"),
+		SameSite: viper.GetString("security.cookie_samesite"),
+		Expires:  time.Now().Add(60 * time.Minute),
+		Path:     "/",
+	})
+	c.Cookie(&fiber.Cookie{
+		Name:     CookieRefreshKey,
+		Value:    refresh,
+		Domain:   viper.GetString("security.cookie_domain"),
+		SameSite: viper.GetString("security.cookie_samesite"),
+		Expires:  time.Now().Add(24 * 30 * time.Hour),
+		Path:     "/",
+	})
+}

pkg/internal/services/mailer.go

@@ -0,0 +1,51 @@
+package services
+
+import (
+	"crypto/tls"
+	"fmt"
+	"net/smtp"
+	"net/textproto"
+
+	"github.com/jordan-wright/email"
+	"github.com/spf13/viper"
+)
+
+func SendMail(target string, subject string, content string) error {
+	mail := &email.Email{
+		To:      []string{target},
+		From:    viper.GetString("mailer.name"),
+		Subject: subject,
+		Text:    []byte(content),
+		Headers: textproto.MIMEHeader{},
+	}
+	return mail.SendWithTLS(
+		fmt.Sprintf("%s:%d", viper.GetString("mailer.smtp_host"), viper.GetInt("mailer.smtp_port")),
+		smtp.PlainAuth(
+			"",
+			viper.GetString("mailer.username"),
+			viper.GetString("mailer.password"),
+			viper.GetString("mailer.smtp_host"),
+		),
+		&tls.Config{ServerName: viper.GetString("mailer.smtp_host")},
+	)
+}
+
+func SendMailHTML(target string, subject string, content string) error {
+	mail := &email.Email{
+		To:      []string{target},
+		From:    viper.GetString("mailer.name"),
+		Subject: subject,
+		HTML:    []byte(content),
+		Headers: textproto.MIMEHeader{},
+	}
+	return mail.SendWithTLS(
+		fmt.Sprintf("%s:%d", viper.GetString("mailer.smtp_host"), viper.GetInt("mailer.smtp_port")),
+		smtp.PlainAuth(
+			"",
+			viper.GetString("mailer.username"),
+			viper.GetString("mailer.password"),
+			viper.GetString("mailer.smtp_host"),
+		),
+		&tls.Config{ServerName: viper.GetString("mailer.smtp_host")},
+	)
+}

pkg/internal/services/mfa.go

@@ -0,0 +1,18 @@
+package services
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/nicksnyder/go-i18n/v2/i18n"
+)
+
+func GetFactorName(w models.AuthFactorType, localizer *i18n.Localizer) string {
+	unknown, _ := localizer.LocalizeMessage(&i18n.Message{ID: "unknown"})
+	mfaEmail, _ := localizer.LocalizeMessage(&i18n.Message{ID: "mfaFactorEmail"})
+
+	switch w {
+	case models.EmailPasswordFactor:
+		return mfaEmail
+	default:
+		return unknown
+	}
+}

pkg/internal/services/notifications.go

@@ -0,0 +1,138 @@
+package services
+
+import (
+	"context"
+	"firebase.google.com/go/messaging"
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/rs/zerolog/log"
+	"github.com/sideshow/apns2"
+	payload2 "github.com/sideshow/apns2/payload"
+	"github.com/spf13/viper"
+	"reflect"
+)
+
+func AddNotifySubscriber(user models.Account, provider, id, tk, ua string) (models.NotificationSubscriber, error) {
+	var prev models.NotificationSubscriber
+	var subscriber models.NotificationSubscriber
+	if err := database.C.Where(&models.NotificationSubscriber{
+		DeviceID:  id,
+		AccountID: user.ID,
+	}); err != nil {
+		subscriber = models.NotificationSubscriber{
+			UserAgent:   ua,
+			Provider:    provider,
+			DeviceID:    id,
+			DeviceToken: tk,
+			AccountID:   user.ID,
+		}
+	} else {
+		prev = subscriber
+	}
+
+	subscriber.UserAgent = ua
+	subscriber.Provider = provider
+	subscriber.DeviceToken = tk
+
+	var err error
+	if !reflect.DeepEqual(subscriber, prev) {
+		err = database.C.Save(&subscriber).Error
+	}
+
+	return subscriber, err
+}
+
+func NewNotification(notification models.Notification) error {
+	if err := database.C.Save(&notification).Error; err != nil {
+		return err
+	}
+
+	go func() {
+		err := PushNotification(notification)
+		if err != nil {
+			log.Error().Err(err).Msg("Unexpected error occurred during the notification.")
+		}
+	}()
+
+	return nil
+}
+
+func PushNotification(notification models.Notification) error {
+	for conn := range wsConn[notification.RecipientID] {
+		_ = conn.WriteMessage(1, models.UnifiedCommand{
+			Action:  "notifications.new",
+			Payload: notification,
+		}.Marshal())
+	}
+
+	// TODO Detect the push notification is turned off (still push when IsForcePush is on)
+
+	var subscribers []models.NotificationSubscriber
+	if err := database.C.Where(&models.NotificationSubscriber{
+		AccountID: notification.RecipientID,
+	}).Find(&subscribers).Error; err != nil {
+		return err
+	}
+
+	for _, subscriber := range subscribers {
+		switch subscriber.Provider {
+		case models.NotifySubscriberFirebase:
+			if ExtFire != nil {
+				ctx := context.Background()
+				client, err := ExtFire.Messaging(ctx)
+				if err != nil {
+					log.Warn().Err(err).Msg("An error occurred when creating FCM client...")
+					break
+				}
+
+				message := &messaging.Message{
+					Notification: &messaging.Notification{
+						Title: notification.Subject,
+						Body:  notification.Content,
+					},
+					Token: subscriber.DeviceToken,
+				}
+
+				if response, err := client.Send(ctx, message); err != nil {
+					log.Warn().Err(err).Msg("An error occurred when notify subscriber via FCM...")
+				} else {
+					log.Debug().
+						Str("response", response).
+						Int("subscriber", int(subscriber.ID)).
+						Msg("Notified subscriber via FCM.")
+				}
+			}
+		case models.NotifySubscriberAPNs:
+			if ExtAPNS != nil {
+				data, err := payload2.
+					NewPayload().
+					AlertTitle(notification.Subject).
+					AlertBody(notification.Content).
+					Sound("default").
+					Category(notification.Type).
+					MarshalJSON()
+				if err != nil {
+					log.Warn().Err(err).Msg("An error occurred when preparing to notify subscriber via APNs...")
+				}
+				payload := &apns2.Notification{
+					ApnsID:      subscriber.DeviceID,
+					DeviceToken: subscriber.DeviceToken,
+					Topic:       viper.GetString("apns_topic"),
+					Payload:     data,
+				}
+
+				if resp, err := ExtAPNS.Push(payload); err != nil {
+					log.Warn().Err(err).Msg("An error occurred when notify subscriber via APNs...")
+				} else {
+					log.Debug().
+						Str("reason", resp.Reason).
+						Int("status", resp.StatusCode).
+						Int("subscriber", int(subscriber.ID)).
+						Msg("Notified subscriber via APNs.")
+				}
+			}
+		}
+	}
+
+	return nil
+}

pkg/internal/services/perms.go

@@ -0,0 +1,63 @@
+package services
+
+import (
+	"fmt"
+	"reflect"
+	"regexp"
+	"strings"
+)
+
+func HasPermNode(perms map[string]any, requiredKey string, requiredValue any) bool {
+	if heldValue, ok := perms[requiredKey]; ok {
+		return ComparePermNode(heldValue, requiredValue)
+	}
+	return false
+}
+
+func ComparePermNode(held any, required any) bool {
+	heldValue := reflect.ValueOf(held)
+	requiredValue := reflect.ValueOf(required)
+
+	switch heldValue.Kind() {
+	case reflect.Int, reflect.Float64:
+		if heldValue.Float() >= requiredValue.Float() {
+			return true
+		}
+	case reflect.String:
+		if heldValue.String() == requiredValue.String() {
+			return true
+		}
+	case reflect.Slice, reflect.Array:
+		for i := 0; i < heldValue.Len(); i++ {
+			if reflect.DeepEqual(heldValue.Index(i).Interface(), required) {
+				return true
+			}
+		}
+	default:
+		if reflect.DeepEqual(held, required) {
+			return true
+		}
+	}
+
+	return false
+}
+
+func FilterPermNodes(tree map[string]any, claims []string) map[string]any {
+	filteredTree := make(map[string]any)
+
+	match := func(claim, permission string) bool {
+		regex := strings.ReplaceAll(claim, "*", ".*")
+		match, _ := regexp.MatchString(fmt.Sprintf("^%s$", regex), permission)
+		return match
+	}
+
+	for _, claim := range claims {
+		for key, value := range tree {
+			if match(claim, key) {
+				filteredTree[key] = value
+			}
+		}
+	}
+
+	return filteredTree
+}

pkg/internal/services/realms.go

@@ -0,0 +1,141 @@
+package services
+
+import (
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/samber/lo"
+)
+
+func ListCommunityRealm() ([]models.Realm, error) {
+	var realms []models.Realm
+	if err := database.C.Where(&models.Realm{
+		IsCommunity: true,
+	}).Find(&realms).Error; err != nil {
+		return realms, err
+	}
+
+	return realms, nil
+}
+
+func ListOwnedRealm(user models.Account) ([]models.Realm, error) {
+	var realms []models.Realm
+	if err := database.C.Where(&models.Realm{AccountID: user.ID}).Find(&realms).Error; err != nil {
+		return realms, err
+	}
+
+	return realms, nil
+}
+
+func ListAvailableRealm(user models.Account) ([]models.Realm, error) {
+	var realms []models.Realm
+	var members []models.RealmMember
+	if err := database.C.Where(&models.RealmMember{
+		AccountID: user.ID,
+	}).Find(&members).Error; err != nil {
+		return realms, err
+	}
+
+	idx := lo.Map(members, func(item models.RealmMember, index int) uint {
+		return item.RealmID
+	})
+
+	if err := database.C.Where("id IN ?", idx).Find(&realms).Error; err != nil {
+		return realms, err
+	}
+
+	return realms, nil
+}
+
+func GetRealmWithAlias(alias string) (models.Realm, error) {
+	var realm models.Realm
+	if err := database.C.Where(&models.Realm{
+		Alias: alias,
+	}).First(&realm).Error; err != nil {
+		return realm, err
+	}
+	return realm, nil
+}
+
+func NewRealm(realm models.Realm, user models.Account) (models.Realm, error) {
+	realm.Members = []models.RealmMember{
+		{AccountID: user.ID, PowerLevel: 100},
+	}
+
+	err := database.C.Save(&realm).Error
+	return realm, err
+}
+
+func ListRealmMember(realmId uint) ([]models.RealmMember, error) {
+	var members []models.RealmMember
+
+	if err := database.C.
+		Where(&models.RealmMember{RealmID: realmId}).
+		Preload("Account").
+		Find(&members).Error; err != nil {
+		return members, err
+	}
+
+	return members, nil
+}
+
+func GetRealmMember(userId uint, realmId uint) (models.RealmMember, error) {
+	var member models.RealmMember
+	if err := database.C.Where(&models.RealmMember{
+		AccountID: userId,
+		RealmID:   realmId,
+	}).Find(&member).Error; err != nil {
+		return member, err
+	}
+	return member, nil
+}
+
+func AddRealmMember(user models.Account, affected models.Account, target models.Realm) error {
+	if !target.IsPublic && !target.IsCommunity {
+		if member, err := GetRealmMember(user.ID, target.ID); err != nil {
+			return fmt.Errorf("only realm member can add people: %v", err)
+		} else if member.PowerLevel < 50 {
+			return fmt.Errorf("only realm moderator can add people")
+		}
+		friendship, err := GetFriendWithTwoSides(affected.ID, user.ID)
+		if err != nil || friendship.Status != models.FriendshipActive {
+			return fmt.Errorf("you only can add your friends to your realm")
+		}
+	}
+
+	member := models.RealmMember{
+		RealmID:   target.ID,
+		AccountID: affected.ID,
+	}
+	err := database.C.Save(&member).Error
+	return err
+}
+
+func RemoveRealmMember(user models.Account, affected models.Account, target models.Realm) error {
+	if user.ID != affected.ID {
+		if member, err := GetRealmMember(user.ID, target.ID); err != nil {
+			return fmt.Errorf("only realm member can remove other member: %v", err)
+		} else if member.PowerLevel < 50 {
+			return fmt.Errorf("only realm moderator can invite people")
+		}
+	}
+
+	var member models.RealmMember
+	if err := database.C.Where(&models.RealmMember{
+		RealmID:   target.ID,
+		AccountID: affected.ID,
+	}).First(&member).Error; err != nil {
+		return err
+	}
+
+	return database.C.Delete(&member).Error
+}
+
+func EditRealm(realm models.Realm) (models.Realm, error) {
+	err := database.C.Save(&realm).Error
+	return realm, err
+}
+
+func DeleteRealm(realm models.Realm) error {
+	return database.C.Delete(&realm).Error
+}

pkg/internal/services/ticker_maintainer.go

@@ -0,0 +1,24 @@
+package services
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/rs/zerolog/log"
+	"github.com/spf13/viper"
+	"time"
+)
+
+func DoAutoSignoff() {
+	duration := time.Duration(viper.GetInt64("security.auto_signoff_duration")) * time.Second
+	divider := time.Now().Add(-duration)
+
+	log.Debug().Time("before", divider).Msg("Now signing off tickets...")
+
+	if tx := database.C.
+		Where("last_grant_at < ?", divider).
+		Delete(&models.AuthTicket{}); tx.Error != nil {
+		log.Error().Err(tx.Error).Msg("An error occurred when running auto sign off...")
+	} else {
+		log.Debug().Int64("affected", tx.RowsAffected).Msg("Auto sign off accomplished.")
+	}
+}

pkg/internal/services/ticket.go

@@ -0,0 +1,158 @@
+package services
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/google/uuid"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/samber/lo"
+)
+
+func DetectRisk(user models.Account, ip, ua string) bool {
+	var availableFactor int64
+	if err := database.C.
+		Where(models.AuthFactor{AccountID: user.ID}).
+		Where("type != ?", models.PasswordAuthFactor).
+		Model(models.AuthFactor{}).
+		Where(&availableFactor); err != nil || availableFactor <= 0 {
+		return false
+	}
+
+	var secureFactor int64
+	if err := database.C.
+		Where(models.AuthTicket{AccountID: user.ID, IpAddress: ip}).
+		Where("available_at IS NOT NULL").
+		Model(models.AuthTicket{}).
+		Count(&secureFactor).Error; err == nil {
+		if secureFactor >= 1 {
+			return false
+		}
+	}
+
+	return true
+}
+
+func NewTicket(user models.Account, ip, ua string) (models.AuthTicket, error) {
+	var ticket models.AuthTicket
+	if err := database.C.
+		Where("account_id = ? AND expired_at < ? AND available_at IS NULL", time.Now(), user.ID).
+		First(&ticket).Error; err == nil {
+		return ticket, nil
+	}
+
+	requireMFA := DetectRisk(user, ip, ua)
+	if count := CountUserFactor(user.ID); count <= 1 {
+		requireMFA = false
+	}
+
+	ticket = models.AuthTicket{
+		Claims:              []string{"*"},
+		Audiences:           []string{"passport"},
+		IpAddress:           ip,
+		UserAgent:           ua,
+		RequireMFA:          requireMFA,
+		RequireAuthenticate: true,
+		ExpiredAt:           nil,
+		AvailableAt:         nil,
+		AccountID:           user.ID,
+	}
+
+	err := database.C.Save(&ticket).Error
+
+	return ticket, err
+}
+
+func NewOauthTicket(
+	user models.Account,
+	client models.ThirdClient,
+	claims, audiences []string,
+	ip, ua string,
+) (models.AuthTicket, error) {
+	ticket := models.AuthTicket{
+		Claims:       claims,
+		Audiences:    audiences,
+		IpAddress:    ip,
+		UserAgent:    ua,
+		RequireMFA:   DetectRisk(user, ip, ua),
+		GrantToken:   lo.ToPtr(uuid.NewString()),
+		AccessToken:  lo.ToPtr(uuid.NewString()),
+		RefreshToken: lo.ToPtr(uuid.NewString()),
+		AvailableAt:  lo.ToPtr(time.Now()),
+		ExpiredAt:    lo.ToPtr(time.Now()),
+		ClientID:     &client.ID,
+		AccountID:    user.ID,
+	}
+
+	if err := database.C.Save(&ticket).Error; err != nil {
+		return ticket, err
+	}
+
+	return ticket, nil
+}
+
+func ActiveTicketWithPassword(ticket models.AuthTicket, password string) (models.AuthTicket, error) {
+	if ticket.AvailableAt != nil {
+		return ticket, nil
+	} else if !ticket.RequireAuthenticate {
+		return ticket, nil
+	}
+
+	if factor, err := GetPasswordTypeFactor(ticket.AccountID); err != nil {
+		return ticket, fmt.Errorf("unable to active ticket: %v", err)
+	} else if err = CheckFactor(factor, password); err != nil {
+		return ticket, err
+	}
+
+	ticket.RequireAuthenticate = false
+
+	if !ticket.RequireAuthenticate && !ticket.RequireMFA {
+		ticket.AvailableAt = lo.ToPtr(time.Now())
+		ticket.GrantToken = lo.ToPtr(uuid.NewString())
+		ticket.AccessToken = lo.ToPtr(uuid.NewString())
+		ticket.RefreshToken = lo.ToPtr(uuid.NewString())
+	}
+
+	if err := database.C.Save(&ticket).Error; err != nil {
+		return ticket, err
+	}
+
+	return ticket, nil
+}
+
+func ActiveTicketWithMFA(ticket models.AuthTicket, factor models.AuthFactor, code string) (models.AuthTicket, error) {
+	if ticket.AvailableAt != nil {
+		return ticket, nil
+	} else if !ticket.RequireMFA {
+		return ticket, nil
+	}
+
+	if err := CheckFactor(factor, code); err != nil {
+		return ticket, fmt.Errorf("invalid code: %v", err)
+	}
+
+	ticket.RequireMFA = false
+
+	if !ticket.RequireAuthenticate && !ticket.RequireMFA {
+		ticket.AvailableAt = lo.ToPtr(time.Now())
+		ticket.GrantToken = lo.ToPtr(uuid.NewString())
+		ticket.AccessToken = lo.ToPtr(uuid.NewString())
+		ticket.RefreshToken = lo.ToPtr(uuid.NewString())
+	}
+
+	if err := database.C.Save(&ticket).Error; err != nil {
+		return ticket, err
+	}
+
+	return ticket, nil
+}
+
+func RegenSession(ticket models.AuthTicket) (models.AuthTicket, error) {
+	ticket.GrantToken = lo.ToPtr(uuid.NewString())
+	ticket.AccessToken = lo.ToPtr(uuid.NewString())
+	ticket.RefreshToken = lo.ToPtr(uuid.NewString())
+	err := database.C.Save(&ticket).Error
+	return ticket, err
+}

pkg/internal/services/ticket_queries.go

@@ -0,0 +1,29 @@
+package services
+
+import (
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+)
+
+func GetTicket(id uint) (models.AuthTicket, error) {
+	var ticket models.AuthTicket
+	if err := database.C.
+		Where(&models.AuthTicket{BaseModel: models.BaseModel{ID: id}}).
+		First(&ticket).Error; err != nil {
+		return ticket, err
+	}
+
+	return ticket, nil
+}
+
+func GetTicketWithToken(tokenId string) (models.AuthTicket, error) {
+	var ticket models.AuthTicket
+	if err := database.C.
+		Where(models.AuthTicket{AccessToken: &tokenId}).
+		Or(models.AuthTicket{RefreshToken: &tokenId}).
+		First(&ticket).Error; err != nil {
+		return ticket, err
+	}
+
+	return ticket, nil
+}

pkg/internal/services/ticket_token.go

@@ -0,0 +1,98 @@
+package services
+
+import (
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/samber/lo"
+	"github.com/spf13/viper"
+	"strconv"
+	"time"
+)
+
+func GetToken(ticket models.AuthTicket) (string, string, error) {
+	var refresh, access string
+	if err := ticket.IsAvailable(); err != nil {
+		return refresh, access, err
+	}
+	if ticket.AccessToken == nil || ticket.RefreshToken == nil {
+		return refresh, access, fmt.Errorf("unable to encode token, access or refresh token id missing")
+	}
+
+	accessDuration := time.Duration(viper.GetInt64("security.access_token_duration")) * time.Second
+	refreshDuration := time.Duration(viper.GetInt64("security.refresh_token_duration")) * time.Second
+
+	var err error
+	sub := strconv.Itoa(int(ticket.AccountID))
+	sed := strconv.Itoa(int(ticket.ID))
+	access, err = EncodeJwt(*ticket.AccessToken, JwtAccessType, sub, sed, ticket.Audiences, time.Now().Add(accessDuration))
+	if err != nil {
+		return refresh, access, err
+	}
+	refresh, err = EncodeJwt(*ticket.RefreshToken, JwtRefreshType, sub, sed, ticket.Audiences, time.Now().Add(refreshDuration))
+	if err != nil {
+		return refresh, access, err
+	}
+
+	ticket.LastGrantAt = lo.ToPtr(time.Now())
+	database.C.Save(&ticket)
+
+	return access, refresh, nil
+}
+
+func ExchangeToken(token string) (string, string, error) {
+	var ticket models.AuthTicket
+	if err := database.C.Where(models.AuthTicket{GrantToken: &token}).First(&ticket).Error; err != nil {
+		return "", "", err
+	} else if ticket.LastGrantAt != nil {
+		return "", "", fmt.Errorf("ticket was granted the first token, use refresh token instead")
+	} else if len(ticket.Audiences) > 1 {
+		return "", "", fmt.Errorf("should use authorization code grant type")
+	}
+
+	return GetToken(ticket)
+}
+
+func ExchangeOauthToken(clientId, clientSecret, redirectUri, token string) (string, string, error) {
+	var client models.ThirdClient
+	if err := database.C.Where(models.ThirdClient{Alias: clientId}).First(&client).Error; err != nil {
+		return "", "", err
+	} else if client.Secret != clientSecret {
+		return "", "", fmt.Errorf("invalid client secret")
+	} else if !client.IsDraft && !lo.Contains(client.Callbacks, redirectUri) {
+		return "", "", fmt.Errorf("invalid redirect uri")
+	}
+
+	var ticket models.AuthTicket
+	if err := database.C.Where(models.AuthTicket{GrantToken: &token}).First(&ticket).Error; err != nil {
+		return "", "", err
+	} else if ticket.LastGrantAt != nil {
+		return "", "", fmt.Errorf("ticket was granted the first token, use refresh token instead")
+	}
+
+	return GetToken(ticket)
+}
+
+func RefreshToken(token string) (string, string, error) {
+	parseInt := func(str string) int {
+		val, _ := strconv.Atoi(str)
+		return val
+	}
+
+	var ticket models.AuthTicket
+	if claims, err := DecodeJwt(token); err != nil {
+		return "404", "403", err
+	} else if claims.Type != JwtRefreshType {
+		return "404", "403", fmt.Errorf("invalid token type, expected refresh token")
+	} else if err := database.C.Where(models.AuthTicket{
+		BaseModel: models.BaseModel{ID: uint(parseInt(claims.SessionID))},
+	}).First(&ticket).Error; err != nil {
+		return "404", "403", err
+	}
+
+	if ticket, err := RegenSession(ticket); err != nil {
+		return "404", "403", err
+	} else {
+		return GetToken(ticket)
+	}
+}

pkg/internal/services/tokens.go

@@ -0,0 +1,92 @@
+package services
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"git.solsynth.dev/hydrogen/passport/pkg/database"
+	"git.solsynth.dev/hydrogen/passport/pkg/models"
+	"github.com/google/uuid"
+	"github.com/spf13/viper"
+)
+
+const ConfirmRegistrationTemplate = `Dear %s,
+
+Thank you for choosing to register with %s. We are excited to welcome you to our community and appreciate your trust in us.
+
+Your registration details have been successfully received, and you are now a valued member of %s. Here are the confirm link of your registration:
+
+	%s
+
+As a confirmed registered member, you will have access to all our services.
+We encourage you to explore our services and take full advantage of the resources available to you.
+
+Once again, thank you for choosing us. We look forward to serving you and hope you have a positive experience with us.
+
+Best regards,
+%s`
+
+func ValidateMagicToken(code string, mode models.MagicTokenType) (models.MagicToken, error) {
+	var tk models.MagicToken
+	if err := database.C.Where(models.MagicToken{Code: code, Type: mode}).First(&tk).Error; err != nil {
+		return tk, err
+	} else if tk.ExpiredAt != nil && time.Now().Unix() >= tk.ExpiredAt.Unix() {
+		return tk, fmt.Errorf("token has been expired")
+	}
+
+	return tk, nil
+}
+
+func NewMagicToken(mode models.MagicTokenType, assignTo *models.Account, expiredAt *time.Time) (models.MagicToken, error) {
+	var uid uint
+	if assignTo != nil {
+		uid = assignTo.ID
+	}
+
+	token := models.MagicToken{
+		Code:      strings.Replace(uuid.NewString(), "-", "", -1),
+		Type:      mode,
+		AssignTo:  &uid,
+		ExpiredAt: expiredAt,
+	}
+
+	if err := database.C.Save(&token).Error; err != nil {
+		return token, err
+	} else {
+		return token, nil
+	}
+}
+
+func NotifyMagicToken(token models.MagicToken) error {
+	if token.AssignTo == nil {
+		return fmt.Errorf("could notify a non-assign magic token")
+	}
+
+	var user models.Account
+	if err := database.C.Where(&models.Account{
+		BaseModel: models.BaseModel{ID: *token.AssignTo},
+	}).Preload("Contacts").First(&user).Error; err != nil {
+		return err
+	}
+
+	var subject string
+	var content string
+	switch token.Type {
+	case models.ConfirmMagicToken:
+		link := fmt.Sprintf("https://%s/me/confirm?tk=%s", viper.GetString("domain"), token.Code)
+		subject = fmt.Sprintf("[%s] Confirm your registration", viper.GetString("name"))
+		content = fmt.Sprintf(
+			ConfirmRegistrationTemplate,
+			user.Name,
+			viper.GetString("name"),
+			viper.GetString("maintainer"),
+			link,
+			viper.GetString("maintainer"),
+		)
+	default:
+		return fmt.Errorf("unsupported magic token type to notify")
+	}
+
+	return SendMail(user.GetPrimaryEmail().Content, subject, content)
+}

pkg/internal/utils/auth.go

@@ -0,0 +1,5 @@
+package utils
+
+import "github.com/gofiber/fiber/v2"
+
+type AuthFunc func(c *fiber.Ctx, overrides ...string) error

pkg/internal/utils/request.go

@@ -0,0 +1,45 @@
+package utils
+
+import (
+	"fmt"
+	"git.solsynth.dev/hydrogen/passport/pkg/services"
+	"github.com/go-playground/validator/v10"
+	"github.com/gofiber/fiber/v2"
+	"github.com/samber/lo"
+	"github.com/sujit-baniya/flash"
+)
+
+var validation = validator.New(validator.WithRequiredStructEnabled())
+
+func BindAndValidate(c *fiber.Ctx, out any) error {
+	if err := c.BodyParser(out); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	} else if err := validation.Struct(out); err != nil {
+		return fiber.NewError(fiber.StatusBadRequest, err.Error())
+	}
+
+	return nil
+}
+
+func GetPermissions(c *fiber.Ctx) map[string]any {
+	return c.Locals("permissions").(map[string]any)
+}
+
+func CheckPermissions(c *fiber.Ctx, key string, val any) error {
+	if !services.HasPermNode(GetPermissions(c), key, val) {
+		return fiber.NewError(fiber.StatusForbidden, fmt.Sprintf("requires permission: %s = %v", key, val))
+	}
+	return nil
+}
+
+func GetRedirectUri(c *fiber.Ctx, fallback ...string) *string {
+	if len(c.Query("redirect_uri")) > 0 {
+		return lo.ToPtr(c.Query("redirect_uri"))
+	} else if val, ok := flash.Get(c)["redirect_uri"].(*string); ok {
+		return val
+	} else if len(fallback) > 0 {
+		return &fallback[0]
+	} else {
+		return nil
+	}
+}

pkg/internal/views/authorize.gohtml

@@ -0,0 +1,56 @@
+<div class="left-part">
+  <img class="logo" alt="Logo" src="/favicon.png" width="64" height="64" />
+
+  <h1 class="title">{{.i18n.title}} {{.client.Name}}</h1>
+  <p class="caption">{{.i18n.caption}}</p>
+</div>
+
+<div class="right-part">
+  <div class="responsive-title-gap "></div>
+
+  <form class="action-form" action="{{.action_url}}" method="POST">
+    <div>
+      <div class="section-title">Description</div>
+      <div class="section-body">{{.client.Description}}</div>
+    </div>
+
+    <div>
+      <div class="section-title">Requested scopes</div>
+      <ul class="section-scope list-group">
+        {{range $_, $element := .scopes}}
+        <li class="monospace list-group-item">
+          {{$element}}
+        </li>
+        {{end}}
+      </ul>
+    </div>
+
+    <div class="action-form-buttons">
+      <button class="btn btn-secondary" type="button" id="decline-button">{{.i18n.decline}}</button>
+      <button class="btn btn-primary" type="submit">{{.i18n.approve}}</button>
+    </div>
+  </form>
+</div>
+
+<style>
+  .section-title {
+    font-weight: bold;
+  }
+
+  .section-scope {
+    margin-top: 4px;
+    margin-left: -8px;
+    margin-right: -8px;
+  }
+
+  .monospace {
+    font-family: "Roboto Mono", monospace;
+  }
+</style>
+
+<script>
+  $("#decline-button").on("click", () => {
+    history.back()
+    window.close()
+  })
+</script>

pkg/internal/views/index.gohtml

@@ -0,0 +1,10 @@
+<!doctype html>
+<html lang="en">
+
+{{template "views/partials/header"}}
+
+<body>
+{{embed}}
+</body>
+
+</html>

pkg/internal/views/layouts/auth.gohtml

@@ -0,0 +1,115 @@
+<!doctype html>
+<html lang="en">
+
+{{template "views/partials/header"}}
+
+<body>
+  <div class="outer-container">
+    <div class="inner-container">
+      {{if ne .info nil}}
+      <div class="alert alert-primary" role="alert">
+        <svg class="bi me-2" role="img" aria-label="Info:">
+          <use xlink:href="#info-fill" />
+        </svg>
+        <div class="content">{{.info}}</div>
+      </div>
+      {{end}}
+
+      <div class="card card-container">
+        {{embed}}
+      </div>
+    </div>
+  </div>
+</body>
+
+<style>
+  .outer-container {
+    width: 100dvw;
+    height: 100dvh;
+    display: flex;
+    justify-content: center;
+    align-items: center;
+  }
+
+  .inner-container {
+    width: 100%;
+    min-width: 0;
+    max-width: min(800px, 100dvw);
+
+    margin: 1rem;
+
+    display: flex;
+    flex-direction: column;
+    gap: 1rem;
+  }
+
+  .card-container {
+    transition: all .3s;
+    height: auto;
+    overflow: auto;
+    display: grid;
+    grid-template-columns: 1fr;
+    justify-content: center;
+    padding: 48px;
+    gap: 0 2rem;
+  }
+
+  .logo {
+    margin-left: -8px;
+    margin-bottom: -8px;
+    display: block;
+  }
+
+  .title {
+    margin-block-start: 0.33em;
+    margin-block-end: 0.33em;
+    font-size: 2.5rem;
+  }
+
+  .caption {
+    font-size: 1rem;
+  }
+
+  .action-form {
+    display: flex;
+    flex-direction: column;
+    gap: 0.8rem 0;
+  }
+
+  .action-form-buttons {
+    display: flex;
+    gap: 4px;
+    margin-top: 10px;
+  }
+
+  .action-form-buttons * {
+    flex: 1;
+  }
+
+  .block-field {
+    width: 100%;
+  }
+
+  .responsive-hidden {
+    display: unset;
+  }
+
+  .columns-two {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 1rem;
+  }
+
+  @media (min-width: 768px) {
+    .card-container {
+      grid-template-columns: 1fr 1fr;
+    }
+
+    .responsive-title-gap {
+      height: calc(56px + 0.44rem);
+      display: block;
+    }
+  }
+</style>
+
+</html>

pkg/internal/views/layouts/user-center.gohtml

@@ -0,0 +1,128 @@
+<!doctype html>
+<html lang="en">
+
+{{template "views/partials/header"}}
+
+<body>
+  <div class="outer-container">
+    <div class="inner-container">
+      {{if ne .info nil}}
+      <div class="alert alert-primary" role="alert">
+        <svg class="bi me-2" role="img" aria-label="Info:">
+          <use xlink:href="#info-fill" />
+        </svg>
+        <div class="content">{{.info}}</div>
+      </div>
+      {{end}}
+
+      <div class="card card-container">
+        {{embed}}
+      </div>
+    </div>
+  </div>
+</body>
+
+<style>
+  body,
+  .outer-container {
+    scrollbar-width: none;
+    overflow-x: hidden;
+  }
+
+  .outer-container {
+    width: 100dvw;
+    min-height: 100dvh;
+    display: flex;
+    justify-content: center;
+    align-items: center;
+  }
+
+  .outer-container::-webkit-scrollbar,
+  body::-webkit-scrollbar {
+    display: none;
+    width: 0;
+  }
+
+  .inner-container {
+    width: 100%;
+    min-width: 0;
+    max-width: min(800px, 100dvw);
+
+    margin: 1rem;
+
+    display: flex;
+    flex-direction: column;
+    gap: 1rem;
+
+    padding-top: 1rem;
+    padding-bottom: 1rem;
+  }
+
+  .card-container {
+    transition: all .3s;
+    height: auto;
+    overflow: auto;
+    display: grid;
+    grid-template-columns: 1fr;
+    justify-content: center;
+    padding: 48px;
+    gap: 0 2rem;
+  }
+
+
+  .logo {
+    margin-left: -8px;
+    margin-bottom: -8px;
+    display: block;
+  }
+
+  .title {
+    margin-block-start: 0.33em;
+    margin-block-end: 0.33em;
+    font-size: 2.5rem;
+  }
+
+  .caption {
+    font-size: 1rem;
+  }
+
+  .action-form {
+    display: flex;
+    flex-direction: column;
+    gap: 0.8rem 0;
+  }
+
+  .action-form-buttons {
+    display: flex;
+    justify-content: end;
+    margin-top: 8px;
+    gap: 4px;
+  }
+
+  .block-field {
+    width: 100%;
+  }
+
+  .responsive-hidden {
+    display: unset;
+  }
+
+  .columns-two {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 1rem;
+  }
+
+  @media (min-width: 768px) {
+    .card-container {
+      grid-template-columns: 1fr 1fr;
+    }
+
+    .responsive-title-gap {
+      height: calc(56px + 0.44rem);
+      display: block;
+    }
+  }
+</style>
+
+</html>

pkg/internal/views/mfa-apply.gohtml

@@ -0,0 +1,43 @@
+<div class="left-part">
+  <img class="logo" alt="Logo" src="/favicon.png" width="64" height="64" />
+
+  <h1 class="title">{{.i18n.title}}</h1>
+  <p class="caption">{{.i18n.caption}}</p>
+</div>
+
+<div class="right-part">
+  <div class="responsive-title-gap"></div>
+
+  <form class="action-form" action="/mfa/apply" method="POST">
+    <label>
+      <input name="ticket_id" value="{{.ticket_id}}" hidden>
+    </label>
+    <label>
+      <input name="factor_id" value="{{.factor_id}}" hidden>
+    </label>
+
+    <div class="factor-label">{{.label}}</div>
+
+    <div class="mb-1 block-field">
+      <label for="code" class="form-label">{{.i18n.password}}</label>
+      <input type="password" class="form-control" id="code" name="password" autocomplete="off">
+    </div>
+
+    <div class="action-form-buttons">
+      <button class="btn btn-primary" type="submit">{{.i18n.next}}</button>
+    </div>
+  </form>
+</div>
+
+<style>
+  .factor-label {
+    font-size: 14px;
+    text-align: left;
+  }
+
+  @media (min-width: 768px) {
+    .factor-label {
+      text-align: center;
+    }
+  }
+</style>

pkg/internal/views/mfa.gohtml

@@ -0,0 +1,59 @@
+<div class="left-part">
+  <img class="logo" alt="Logo" src="/favicon.png" width="64" height="64" />
+
+  <h1 class="title">{{.i18n.title}}</h1>
+  <p class="caption">{{.i18n.caption}}</p>
+</div>
+
+<div class="right-part">
+  <div class="responsive-title-gap"></div>
+
+  <form class="action-form" action="/mfa" method="POST">
+    <label>
+      <input name="ticket_id" value="{{.ticket_id}}" hidden>
+    </label>
+    {{if ne .redirect_uri nil}}
+    <label>
+      <input name="redirect_uri" value="{{.redirect_uri}}" hidden>
+    </label>
+    {{end}}
+
+    <div class="block-field factor-list" role="radiogroup">
+      {{range $_, $element := .factors}}
+      <div class="factor-label">
+        <div class="form-check">
+          <input class="form-check-input" type="radio" name="factor_id" id="factor-{{$element.id}}"
+            value="{{$element.id}}">
+          <label class="form-check-label" for="factor-{{$element.id}}">
+            {{$element.name}}
+          </label>
+        </div>
+      </div>
+      {{end}}
+    </div>
+
+    <div class="action-form-buttons">
+      <button class="btn btn-primary" type="submit">{{.i18n.next}}</button>
+    </div>
+  </form>
+</div>
+
+<style>
+  .factor-list {
+    display: flex;
+    flex-direction: column;
+  }
+
+  .factor-label {
+    display: flex;
+    align-items: center;
+  }
+
+  .factor-label label {
+    display: inline-flex;
+    place-items: center;
+    gap: 8px;
+    font-family: Roboto, system-ui;
+    color: var(--md-sys-color-on-background);
+  }
+</style>

pkg/internal/views/partials/header.gohtml

@@ -0,0 +1,56 @@
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport"
+    content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
+  <meta http-equiv="X-UA-Compatible" content="ie=edge">
+
+  <link rel="icon" type="image/png" href="/favicon.png">
+
+  <link href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css" rel="stylesheet"
+    integrity="sha384-QWTKZyjpPEjISv5WaRU9OFeRpok6YctnYmDr5pNlyT2bRjXh0JMhjY6hW+ALEwIH" crossorigin="anonymous">
+
+  <script src="https://cdn.jsdelivr.net/npm/@popperjs/core@2.11.8/dist/umd/popper.min.js"
+    integrity="sha384-I7E8VVD/ismYTF4hNIPjVp/Zjvgyol6VFvRkX/vR+Vc4jQkC+hVqc2pM8ODewa9r"
+    crossorigin="anonymous"></script>
+  <script src="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/js/bootstrap.min.js"
+    integrity="sha384-0pUGZvbkm6XF6gxjEnlmuGrJXVbNuzT9qBBavbLwCsOGabYfZo0T0to5eqruptLy"
+    crossorigin="anonymous"></script>
+  <script src="https://cdn.jsdelivr.net/npm/jquery@3.7.1/dist/jquery.min.js"
+    integrity="sha256-/JqT3SQfawRcv/BIHPThkBvs0OEvtFFmqPF/lYI/Cxo=" crossorigin="anonymous"></script>
+
+
+  <svg xmlns="http://www.w3.org/2000/svg" class="d-none">
+    <symbol id="info-fill" viewBox="0 0 16 16">
+      <path
+        d="M8 16A8 8 0 1 0 8 0a8 8 0 0 0 0 16zm.93-9.412-1 4.705c-.07.34.029.533.304.533.194 0 .487-.07.686-.246l-.088.416c-.287.346-.92.598-1.465.598-.703 0-1.002-.422-.808-1.319l.738-3.468c.064-.293.006-.399-.287-.47l-.451-.081.082-.381 2.29-.287zM8 5.5a1 1 0 1 1 0-2 1 1 0 0 1 0 2z" />
+    </symbol>
+  </svg>
+
+  <title>Solarpass</title>
+
+  <style>
+    html,
+    body {
+      padding: 0;
+      margin: 0;
+    }
+
+    .alert {
+      padding: 16px 48px;
+      display: flex;
+      align-items: center;
+      gap: 8px;
+    }
+
+    .alert .bi {
+      aspect-ratio: 1;
+      width: 16px;
+      fill: var(--bs-alert-color);
+    }
+
+    .alert .content {
+      flex-grow: 1;
+      text-transform: capitalize;
+    }
+  </style>
+</head>

pkg/internal/views/signin.gohtml

@@ -0,0 +1,27 @@
+<div class="left-part">
+  <img class="logo" alt="Logo" src="/favicon.png" width="64" height="64" />
+
+  <h1 class="title">{{.i18n.title}}</h1>
+  <p class="caption">{{.i18n.caption}}</p>
+</div>
+
+<div class="right-part">
+  <div class="responsive-title-gap"></div>
+
+  <form class="action-form" action="/sign-in" method="POST">
+    <div class="mb-1 block-field">
+      <label for="username" class="form-label">{{.i18n.username}}</label>
+      <input type="text" class="form-control" id="username" name="username">
+    </div>
+
+    <div class="mb-1 block-field">
+      <label for="password" class="form-label">{{.i18n.password}}</label>
+      <input type="password" class="form-control" id="password" name="password">
+    </div>
+
+    <div class="action-form-buttons">
+      <a class="btn btn-secondary" href="/sign-up">{{.i18n.signup}}</a>
+      <button class="btn btn-primary" type="submit">{{.i18n.next}}</button>
+    </div>
+  </form>
+</div>

pkg/internal/views/signup.gohtml

@@ -0,0 +1,47 @@
+<div class="left-part">
+  <img class="logo" alt="Logo" src="/favicon.png" width="64" height="64" />
+
+  <h1 class="title">{{.i18n.title}}</h1>
+  <p class="caption">{{.i18n.caption}}</p>
+</div>
+
+<div class="right-part">
+  <div class="responsive-title-gap"></div>
+
+  <form class="action-form" action="/sign-up" method="POST">
+    <div class="columns-two">
+      <div class="mb-1">
+        <label for="name" class="form-label">{{.i18n.username}}</label>
+        <input type="text" class="form-control" id="name" name="name">
+      </div>
+
+      <div class="mb-1">
+        <label for="nick" class="form-label">{{.i18n.nickname}}</label>
+        <input type="text" class="form-control" id="nick" name="nick">
+      </div>
+    </div>
+
+
+    <div class="mb-1 block-field">
+      <label for="email" class="form-label">{{.i18n.email}}</label>
+      <input type="email" class="form-control" id="email" name="email">
+    </div>
+
+    <div class="mb-1">
+      <label for="password" class="form-label">{{.i18n.password}}</label>
+      <input type="password" class="form-control" id="password" name="password" autocomplete="new-password">
+    </div>
+
+    {{if eq .use_magic_token true}}
+    <div class="mb-1">
+      <label for="token" class="form-label">{{.i18n.password}}</label>
+      <input type="password" class="form-control" id="token" name="magic_token" autocomplete="new-password">
+    </div>
+    {{end}}
+
+    <div class="action-form-buttons">
+      <a class="btn btn-secondary" href="/sign-in">{{.i18n.signin}}</a>
+      <button class="btn btn-primary" type="submit">{{.i18n.next}}</button>
+    </div>
+  </form>
+</div>

pkg/internal/views/users/me.gohtml

@@ -0,0 +1,153 @@
+<link rel="stylesheet" href="https://unpkg.com/tailwindcss@1.4.6/dist/base.min.css">
+<link rel="stylesheet" href="https://unpkg.com/tailwindcss@1.4.6/dist/components.min.css">
+<link rel="stylesheet" href="https://unpkg.com/@tailwindcss/typography@0.1.2/dist/typography.min.css">
+<link rel="stylesheet" href="https://unpkg.com/tailwindcss@1.4.6/dist/utilities.min.css">
+
+<div class="banner-container">
+  {{if ne .userinfo.Banner nil}}
+  <img src="{{.banner}}" alt="Banner" class="banner">
+  {{end}}
+</div>
+
+<div class="left-part name-card">
+  {{if ne .userinfo.Avatar nil}}
+  <img src="{{.avatar}}" alt="Avatar" class="avatar">
+  {{else}}
+  <div class="avatar empty">
+    <span class="material-symbols-outlined">account_circle</span>
+  </div>
+  {{end}}
+
+  <div class="name">
+    <h2 class="username">{{.userinfo.Nick}}</h2>
+    <h6 class="nickname">@{{.userinfo.Name}}</h6>
+  </div>
+  {{if gt (len .userinfo.Description) 0}}
+  <div class="description">{{.userinfo.Description}}</div>
+  {{else}}
+  <div class="description empty">No description yet.</div>
+  {{end}}
+  <div class="uid">#{{.uid}}</div>
+</div>
+
+<div class="right-part">
+  <article class="personal-page prose">
+    {{.personal_page}}
+  </article>
+</div>
+
+<style>
+  .avatar {
+    display: block;
+    width: 64px;
+    height: 64px;
+    object-fit: cover;
+
+    clip-path: circle();
+  }
+
+  .avatar.empty {
+    display: flex;
+    justify-content: center;
+    align-items: center;
+    background-color: var(--md-sys-color-secondary);
+    color: var(--md-sys-color-on-secondary);
+  }
+
+  @media (min-width: 768px) {
+    .banner-container {
+      grid-column: span 2;
+    }
+  }
+
+  .banner {
+    display: block;
+    object-fit: cover;
+    border-radius: 28px;
+    aspect-ratio: 3 / 1;
+    width: 100%;
+  }
+
+  .name-card {
+    display: flex;
+    flex-direction: column;
+    gap: 1rem;
+  }
+
+  .name-card .name {
+    display: flex;
+    align-items: baseline;
+    gap: 0.3rem;
+  }
+
+  .name-card .username {
+    margin: 0;
+    font-size: 1.5rem;
+    font-weight: 600;
+  }
+
+  .name-card .nickname {
+    margin: 0;
+    font-size: 0.75rem;
+    font-weight: 500;
+  }
+
+  .name-card .uid {
+    margin-top: -0.8rem;
+    font-size: 0.7rem;
+    font-weight: 400;
+    font-family: Roboto Mono, monospace;
+  }
+
+  .name-card .description {
+    margin-top: -1.25rem;
+  }
+
+  .description.empty {
+    font-style: italic;
+  }
+
+  .name-card .metadata {
+    font-size: 0.85rem;
+    font-weight: 500;
+    display: flex;
+    flex-direction: column;
+  }
+
+  .metadata>div {
+    display: flex;
+    align-items: center;
+    gap: 0.25rem;
+  }
+
+  .metadata .material-symbols-outlined {
+    font-size: 1rem;
+    display: block;
+  }
+
+  .actions {
+    display: flex;
+    gap: 0.5rem;
+    margin: 0 -0.5rem;
+  }
+
+  @media (min-width: 768px) {
+    .actions {
+      flex-direction: column;
+    }
+  }
+
+  .actions .action {
+    width: fit-content;
+  }
+
+  .actions .material-symbols-outlined {
+    font-size: 20px;
+    margin-bottom: 4px;
+  }
+
+  .left-part .prose {
+    min-width: 0;
+    max-width: unset;
+  }
+</style>