comment

Reviewed-on: #4

.env

@@ -2,3 +2,9 @@
 sike you thought I was like that
 
 hehehehee (urp so full)
+
+# TODO: should have basic public-safe environment variables here
+# then secret environment variables can be added via secrets in the ci script like so:
+# job: inject-seccrets $ echo API_KEY={{ secrets.API_KEY }} >> .env
+# then they dont have to be inserted by the docker container ( messy)
+

api/Migrations/20260423011426_InitialMigration.Designer.cs

@@ -11,8 +11,8 @@ using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
 namespace agologum_api.Migrations
 {
     [DbContext(typeof(AppDbContext))]
-    [Migration("20260321221316_InitialCreate")]
+    [Migration("20260423011426_InitialMigration")]
-    partial class InitialCreate
+    partial class InitialMigration
     {
         /// <inheritdoc />
         protected override void BuildTargetModel(ModelBuilder modelBuilder)
@@ -156,6 +156,63 @@ namespace agologum_api.Migrations
                     b.ToTable("AspNetUserTokens", (string)null);
                 });
 
+            modelBuilder.Entity("RefreshToken", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<DateTime>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("IsRevoked")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Token")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("UserId")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("RefreshTokens");
+                });
+
+            modelBuilder.Entity("agologumApi.Models.Item", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<DateTime>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Description")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("LastEditedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Items");
+                });
+
             modelBuilder.Entity("agologumApi.Models.User", b =>
                 {
                     b.Property<string>("Id")
@@ -195,6 +252,9 @@ namespace agologum_api.Migrations
                     b.Property<string>("PasswordHash")
                         .HasColumnType("text");
 
+                    b.PrimitiveCollection<string>("Permissions")
+                        .HasColumnType("jsonb");
+
                     b.Property<string>("PhoneNumber")
                         .HasColumnType("text");
 

api/Migrations/20260423011426_InitialMigration.cs

@@ -7,7 +7,7 @@ using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
 namespace agologum_api.Migrations
 {
     /// <inheritdoc />
-    public partial class InitialCreate : Migration
+    public partial class InitialMigration : Migration
     {
         /// <inheritdoc />
         protected override void Up(MigrationBuilder migrationBuilder)
@@ -32,6 +32,7 @@ namespace agologum_api.Migrations
                 {
                     Id = table.Column<string>(type: "text", nullable: false),
                     CreatedAt = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                    Permissions = table.Column<string>(type: "jsonb", nullable: true),
                     UserName = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
                     NormalizedUserName = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
                     Email = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
@@ -52,6 +53,39 @@ namespace agologum_api.Migrations
                     table.PrimaryKey("PK_AspNetUsers", x => x.Id);
                 });
 
+            migrationBuilder.CreateTable(
+                name: "Items",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    Name = table.Column<string>(type: "text", nullable: false),
+                    Description = table.Column<string>(type: "text", nullable: false),
+                    CreatedAt = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                    LastEditedAt = table.Column<DateTime>(type: "timestamp with time zone", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_Items", x => x.Id);
+                });
+
+            migrationBuilder.CreateTable(
+                name: "RefreshTokens",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    Token = table.Column<string>(type: "text", nullable: false),
+                    UserId = table.Column<string>(type: "text", nullable: false),
+                    CreatedAt = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                    ExpiresAt = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
+                    IsRevoked = table.Column<bool>(type: "boolean", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_RefreshTokens", x => x.Id);
+                });
+
             migrationBuilder.CreateTable(
                 name: "AspNetRoleClaims",
                 columns: table => new
@@ -214,6 +248,12 @@ namespace agologum_api.Migrations
             migrationBuilder.DropTable(
                 name: "AspNetUserTokens");
 
+            migrationBuilder.DropTable(
+                name: "Items");
+
+            migrationBuilder.DropTable(
+                name: "RefreshTokens");
+
             migrationBuilder.DropTable(
                 name: "AspNetRoles");
 

api/Migrations/AppDbContextModelSnapshot.cs

@@ -153,6 +153,63 @@ namespace agologum_api.Migrations
                     b.ToTable("AspNetUserTokens", (string)null);
                 });
 
+            modelBuilder.Entity("RefreshToken", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<DateTime>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<DateTime>("ExpiresAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<bool>("IsRevoked")
+                        .HasColumnType("boolean");
+
+                    b.Property<string>("Token")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<string>("UserId")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("RefreshTokens");
+                });
+
+            modelBuilder.Entity("agologumApi.Models.Item", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<DateTime>("CreatedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Description")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.Property<DateTime>("LastEditedAt")
+                        .HasColumnType("timestamp with time zone");
+
+                    b.Property<string>("Name")
+                        .IsRequired()
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("Items");
+                });
+
             modelBuilder.Entity("agologumApi.Models.User", b =>
                 {
                     b.Property<string>("Id")
@@ -192,6 +249,9 @@ namespace agologum_api.Migrations
                     b.Property<string>("PasswordHash")
                         .HasColumnType("text");
 
+                    b.PrimitiveCollection<string>("Permissions")
+                        .HasColumnType("jsonb");
+
                     b.Property<string>("PhoneNumber")
                         .HasColumnType("text");
 

api/Program.cs

@@ -1,4 +1,5 @@
 
+// system usings
 using Microsoft.AspNetCore.HttpOverrides;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.AspNetCore.Authentication.JwtBearer;
@@ -7,27 +8,33 @@ using Microsoft.AspNetCore.Identity;
 using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
 using System.Text;
 
+// homeburger usings
 using agologumApi.Models;
 using agologumApi.Services;
 
 var builder = WebApplication.CreateBuilder(args);
 
+// make sure the jwt key exists or else abort, security issue
 var key = builder.Configuration["Jwt:Key"];
 if(key == null) return;
 
+// connect to the sql database
 builder.Services.AddDbContext<AppDbContext>(options => 
     options.UseNpgsql(builder.Configuration.GetConnectionString("DefaultConnection")));
 
 builder.Services.AddControllers();
 
-// services
+// add our services
 builder.Services.AddScoped<UserService>();
+builder.Services.AddScoped<ItemService>();
 builder.Services.AddScoped<JwtService>();
+// if this grows sufficiently large we can put elsewhere
 
 // configuration for jwt authentication
 builder.Services.AddIdentity<User, IdentityRole>()
     .AddEntityFrameworkStores<AppDbContext>()
-    .AddDefaultTokenProviders();
+    .AddDefaultTokenProviders()
+    .AddRoles<IdentityRole>();
 builder.Services.AddAuthentication(options => {
     options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
     options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
@@ -39,11 +46,21 @@ builder.Services.AddAuthentication(options => {
         ValidateIssuerSigningKey = true,
         ValidIssuer = "agologum",
         ValidAudience = "agologum",
-        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key))
+        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(key)),
+        ClockSkew = TimeSpan.Zero
     };
 });
 
-builder.Services.AddAuthorization();
+// authorization configurations; here's where we register our permissions to policies
+// TODO: this suspiciously looks able to be automated through a for loop, only if we can have a static dictionary maybe though?
+builder.Services.AddAuthorization(options => {
+
+    options.AddPolicy(Permission.SensitiveData_Read, policy =>
+        policy.RequireClaim("permission", Permission.SensitiveData_Read));
+    options.AddPolicy(Permission.SensitiveData_Modify, policy =>
+        policy.RequireClaim("permission", Permission.SensitiveData_Modify));
+
+});
 
 // configuration for behind my nginx proxy
 builder.Services.Configure<ForwardedHeadersOptions>(options =>
@@ -60,6 +77,7 @@ builder.Services.Configure<ForwardedHeadersOptions>(options =>
 // Learn more about configuring OpenAPI at https://aka.ms/aspnet/openapi
 builder.Services.AddOpenApi();
 
+// cors; scary needs to be fixed
 builder.Services.AddCors(options =>
 {
     options.AddPolicy("dev",
@@ -68,17 +86,14 @@ builder.Services.AddCors(options =>
             policy.AllowAnyOrigin()
                   .AllowAnyHeader()
                   .AllowAnyMethod();
-        });
+        }); // TODO: scary please fix this
 });
 
+// more middleware; probably uncessary at this stage
 builder.Services.AddEndpointsApiExplorer();
 builder.Services.AddSwaggerGen();
 
-// https://www.reddit.com/r/dotnet/comments/1h7vzbs/how_do_you_guys_handle_authorization_on_a_web_api/
+// build app
-// add authorization here
-// controllers will have endpoints based on authorization
-// frontend is a different story
-
 var app = builder.Build();
 
 app.UseForwardedHeaders();
@@ -110,6 +125,7 @@ using (var scope = app.Services.CreateScope()) {
             Thread.Sleep(5000);
         }
     }
+
 }
 
 app.Run();

api/src/Controllers/AuthController.cs

@@ -13,62 +13,124 @@ public class AuthController : ControllerBase {
     // identity things
     private readonly UserManager<User> userManager_;
     private readonly SignInManager<User> signInManager_;
-
+    // services
-    private readonly UserService users_;
     private readonly JwtService jwt_;
+    private readonly UserService userService_;
 
-    public AuthController(UserManager<User> userManager, SignInManager<User> signInManager, UserService users, JwtService jwt) {
+    // class constructor (where are my initializer lists man)
+    public AuthController(UserManager<User> userManager, SignInManager<User> signInManager, JwtService jwt, UserService userService) {
 
         userManager_ = userManager;
         signInManager_ = signInManager;
-        users_ = users;
         jwt_ = jwt;
+        userService_ = userService;
     }
 
+    // register endpoint
     [HttpPost("register")]
     public async Task<ActionResult> Register(RegisterDto dto) {
-        var user = new User {
+        // create a new user out of the dto from the request
+        User user = new User {
             UserName = dto.UserName,
             Email = dto.Email,
             CreatedAt = DateTime.UtcNow // yeah why not utc
         };
 
+        // assigning roles to user. create a user starting with x to give it permissions to read sensitive data
+        if(dto.UserName.StartsWith("x")) {
+            user.Permissions = new List<string> { Permission.SensitiveData_Read };
+        }
+
+        // use Identity's user manager to add to db; error check if failed
         var result = await userManager_.CreateAsync(user, dto.Password);
         if(!result.Succeeded) return BadRequest(result.Errors);
 
+        // respond to post as necessary
         return CreatedAtAction(
             nameof(Register),
             new { id = user.Id }
         );
     }
 
+    // login endpoint
     [HttpPost("login")]
     public async Task<ActionResult> Login(LoginDto dto)
     {
+        // get the user from the database given the username
         var user = await userManager_.FindByNameAsync(dto.UserName);
+        // user not found with that name
+        if (user == null) return Unauthorized(); // unauthorized instead of not found to not give away info
 
-        if (user == null) return Unauthorized();
+        // use identity's password validation
-
         var result = await signInManager_.CheckPasswordSignInAsync(user, dto.Password, false);
-
+        // if failed then youre not real !
         if(!result.Succeeded) return Unauthorized();
 
-        var token = jwt_.GenerateJwt(user);
+        // login sucess, give you an authentication token
+        var accessToken = await jwt_.GenerateJwt(user);
+        var refreshToken = jwt_.GenerateRefreshToken(); // the refresh token is good enough to refresh your access token
+        RefreshToken newTokenObject = new RefreshToken {
+            Token = refreshToken,
+            UserId = user.Id,
+            CreatedAt = DateTime.UtcNow,
+            ExpiresAt = DateTime.UtcNow.AddDays(30),
+            IsRevoked = false
+        };
+        await jwt_.AddRefreshToken(newTokenObject);
+        // the jwt says we trust who you are and can substitute it for login
+        // contains permissions claims too
 
-        return Ok(new { token });
+        // return both access and refresh token
+        return Ok(new { accessToken, refreshToken });
     }
 
+    // logout endpoint
     [Authorize] // authorize is handled by middleware
     [HttpPost("logout")]
-    public ActionResult Logout() {
+    public async Task<ActionResult> Logout(string refreshTokenString) {
-        // dummy endpoint
+        // revoke refresh token
-        // logout happens upon client-side jwt removal
+        bool success = await jwt_.RevokeRefreshToken(refreshTokenString);
-        // TODO: expire all refresh tokens 
+        if(!success) return NotFound();
+        // frontend refreshes page and detects logout
         return Ok();
     }
 
+    // refresh token endpoint
+    [HttpPost("refresh")] // allow-anonymous by default
+    public async Task<ActionResult> Refresh(TokenDto request) {
+        // reached when the frontend gets an unauthorized response and autoattempts to refresh if available
+        
+        // get token from request and check if its valid
+        RefreshToken? storedToken = await jwt_.GetRefreshToken(request.RefreshToken);
+        if (storedToken == null) return Unauthorized();
+        bool valid = (storedToken.IsRevoked) ||
+                     (storedToken.ExpiresAt < DateTime.UtcNow);
+        if(!valid) return Unauthorized(); // TODO: delete the invalid token
+
+        // get user from the token and give them new tokens
+        User? user = await jwt_.GetUser(storedToken.UserId);
+        if(user == null) return NotFound();
+        string? newAccessToken = await jwt_.GenerateJwt(user);
+        if(newAccessToken == null) return NotFound();
+        string newRefreshToken = jwt_.GenerateRefreshToken();
+
+        // construct new token
+        storedToken.IsRevoked = true;
+        RefreshToken newTokenObject = new RefreshToken {
+            Token = newRefreshToken,
+            UserId = storedToken.UserId,
+            CreatedAt = DateTime.UtcNow,
+            ExpiresAt = DateTime.UtcNow.AddDays(30),
+            IsRevoked = false
+        };
+
+        await jwt_.AddRefreshToken(newTokenObject);
+        // return new tokens
+        return Ok(new { accessToken = newAccessToken, refreshToken = newRefreshToken });
+
+    }
+
     // TODO
-    // refresh tokens
     // email verification
     // password reset
     // oh hell naw 2FA I do not care enough

api/src/Controllers/ItemsController.cs

@@ -0,0 +1,76 @@
+
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Authorization;
+
+using agologumApi.Models;
+using agologumApi.Services;
+
+[ApiController]
+[Route("api/[controller]")]
+public class ItemsController : ControllerBase {
+
+    private readonly ItemService service_;
+
+    public ItemsController(ItemService service) {
+        service_ = service;
+    }
+
+    [Authorize]
+    [HttpGet]
+    public async Task<ActionResult<List<Item>>> getItems() {
+        return Ok(await service_.GetAll());
+    }
+
+    [Authorize]
+    [HttpGet("{id:int}")]
+    public async Task<ActionResult<Item>> getItem(int id) {
+
+        var item = await service_.Get(id);
+
+        if (item == null) return NotFound();
+
+        return Ok(item);
+    }
+
+    [Authorize] // testing the authorization
+    [HttpPost]
+    public async Task<ActionResult<Item>> createItem(ItemDto item) {
+
+        Item newItem = new Item {
+            Name = item.Name,
+            Description = item.Description,
+            CreatedAt = DateTime.UtcNow,
+            LastEditedAt = DateTime.UtcNow
+        };
+
+        var created = await service_.Create(newItem);
+
+        return CreatedAtAction(
+            nameof(getItem),
+            new { id = created.Id },
+            created
+        );
+    }
+
+    [Authorize]
+    [HttpPut("{id}")]
+    public async Task<ActionResult<Item>> updateItem(int id, ItemDto item) {
+
+        var updated = await service_.Update(id, item);
+
+        if (updated == null) return NotFound();
+
+        return Ok(updated);
+    }
+
+    [Authorize]
+    [HttpDelete("{id}")]
+    public async Task<ActionResult> deleteItem(int id) {
+
+        var success = await service_.Delete(id);
+
+        if (!success) return NotFound();
+
+        return NoContent();
+    }
+}

api/src/Controllers/UsersController.cs

@@ -1,6 +1,13 @@
 
+// this is basically a demo on roles
+// level 0 can't access the users endpoint at all
+// level 1 has read permissions
+// level 2 has modify permissions
+
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Authorization;
+using System.Security.Claims;
+using Microsoft.AspNetCore.Identity;
 
 using agologumApi.Models;
 using agologumApi.Services;
@@ -15,50 +22,40 @@ public class UsersController : ControllerBase {
         service_ = service;
     }
 
-    [AllowAnonymous] // accessible if not authorized
+    [Authorize(Policy = Permission.SensitiveData_Read)]
     [HttpGet]
     public async Task<ActionResult<List<User>>> getUsers() {
-        return Ok(await service_.GetAll());
+        List<User> rawArray = await service_.GetAll();
+
+        List<UserDto> dtoArray = new List<UserDto>();
+
+        foreach(User user in rawArray) {
+            UserDto newDto = new UserDto(user);
+            dtoArray.Add(newDto);
         }
 
-    [AllowAnonymous]
+        return Ok(dtoArray);
-    [HttpGet("{id:int}")]
+    }
-    public async Task<ActionResult<User>> getUser(int id) {
 
-        var user = await service_.Get(id);
+    [Authorize(Policy = Permission.SensitiveData_Read)]
+    [HttpGet("{id:int}")]
+    public async Task<ActionResult<User>> getUser(string id) {
+
+        var user = await service_.GetById(id);
 
         if (user == null) return NotFound();
 
-        return Ok(user);
+        UserDto newDto = new UserDto(user);
+
+        return Ok(newDto);
     }
 
-    [Authorize] // testing the authorization
+    [Authorize(Policy = Permission.SensitiveData_Modify)]
-    [HttpPost]
-    public async Task<ActionResult<User>> createUser(User user) {
-
-        var created = await service_.Create(user);
-
-        return CreatedAtAction(
-            nameof(getUser),
-            new { id = created.Id },
-            created
-        );
-    }
-
-    [Authorize]
-    [HttpPut("{id}")]
-    public async Task<ActionResult<User>> updateUser(int id, User user) {
-
-        var updated = await service_.Update(user);
-
-        if (updated == null) return NotFound();
-
-        return Ok(updated);
-    }
-
-    [Authorize]
     [HttpDelete("{id}")]
-    public async Task<ActionResult> deleteUser(int id) {
+    public async Task<ActionResult> deleteUser(string id) {
+
+        var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
+        if(userId == id) return BadRequest(); // dont allow deletion of yourself
 
         var success = await service_.Delete(id);
 
@@ -66,4 +63,56 @@ public class UsersController : ControllerBase {
 
         return NoContent();
     }
+
+    [Authorize(Policy = Permission.SensitiveData_Modify)]
+    [HttpDelete("{id}/{permission}")]
+    public async Task<ActionResult> removePermission(string id, string permission) {
+
+        // get the user this request comes from. since it passed identity auth we can trust it
+	    var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
+        if(permission == Permission.SensitiveData_Modify && userId == id) return BadRequest(); // dont allow permission removal of whats allowing us to re-add premissions
+
+        // get list of permissions of that user
+        var user = await service_.GetById(id);
+        if (user == null) return NotFound();
+        if(user.Permissions == null) return NotFound();
+
+        // verify that the requested permission exists on that user
+        if(!user.Permissions.Contains(permission)) return NotFound();
+
+        // remove the permission from the permission list
+        user.Permissions.Remove(permission);
+
+        // update the user
+        await service_.Update(id, user);
+
+        return NoContent();
+    }
+
+    [Authorize(Policy = Permission.SensitiveData_Modify)]
+    [HttpPost("{id}/{permission}")] // TODO: this was made with a single button per permission in mind, but may be better as sending an array 
+    public async Task<ActionResult> addPermission(string id, string permission) {
+
+        // we'll allow the superuser to elevate their own permissions because they're the superuser
+
+        // get list of permissions of the user
+        var user = await service_.GetById(id);
+        if (user == null) return NotFound();
+        if(user.Permissions == null) return NotFound();
+
+        // remove add the permission to the user's permission list (if it doesnt already exist)
+        if(user.Permissions.Contains(permission)) return NoContent();
+        user.Permissions.Add(permission);
+
+        // update the user
+        await service_.Update(id, user);
+
+        return NoContent();
+
+        // fyi the user will need to sign out and sign back in so the new permissions are reflected in their jwt claims
+        // TODO: or on the client i could issue a refresh token request after a permission api call
+    }
+
+    // TODO: add controls on editing roles 
+
 }

api/src/Data/AppDbContext.cs

@@ -10,4 +10,16 @@ public class AppDbContext : IdentityDbContext<User> {
 
     }
 
+    // Db set for each model besides Users (DbSet<User> is already defined in IdentityDbContext<User>)
+    public DbSet<Item> Items { get; set; }
+    public DbSet<RefreshToken> RefreshTokens { get; set; }
+
+    protected override void OnModelCreating(ModelBuilder builder) {
+        
+        base.OnModelCreating(builder);
+
+        builder.Entity<User>().Property(u => u.Permissions).HasColumnType("jsonb");
+        
+    }
+
 }

api/src/Models/Dto.cs

@@ -1,15 +0,0 @@
-
-public class RegisterDto {
-
-    public string UserName { get; set; } = "";
-    public string Email { get; set; } = "";
-    public string Password { get; set; } = "";
-
-}
-
-public class LoginDto {
-
-    public string UserName { get; set; } = "";
-    public string Password { get; set; } = "";
-
-}

api/src/Models/Item.cs

@@ -0,0 +1,19 @@
+
+namespace agologumApi.Models;
+
+public class Item {
+
+    public int Id { get; set; }
+    public String Name { get; set; } = "";
+    public String Description { get; set; } = "";
+    public DateTime CreatedAt { get; set; }
+    public DateTime LastEditedAt { get; set; }
+
+};
+
+public class ItemDto {
+
+    public String Name { get; set; } = "";
+    public String Description { get; set; } = "";
+
+}

api/src/Models/Permissions.cs

@@ -0,0 +1,10 @@
+
+// this is a static data model; it doesnt exist in a database (yet)
+// lol no dynamic permissions would mean endpoint authorization gates need to be dynamic too
+
+public static class Permission {
+
+    public const string SensitiveData_Read = "SensitiveData.Read";
+    public const string SensitiveData_Modify = "SensitiveData.Modify";
+
+}

api/src/Models/RefreshToken.cs

@@ -0,0 +1,21 @@
+
+// a refresh token's purpose is to authenticate user's without logging in
+public class RefreshToken {
+
+    public int Id { get; set; }
+
+    public string Token { get; set; } = "";
+    
+    public string UserId { get; set; } = ""; // in EF Identity the IdentityUser's id is a GUID string (32 hex digits)
+
+    public DateTime CreatedAt { get; set; }
+    public DateTime ExpiresAt { get; set; }
+    public bool IsRevoked { get; set; }
+
+}
+
+public class TokenDto {
+
+    public string RefreshToken { get; set; } = "";
+
+}

api/src/Models/User.cs

@@ -7,6 +7,11 @@ public class User : IdentityUser {
 
     public DateTime CreatedAt { get; set; }
 
+    // TODO: make this a list of UserPermissions
+    // where a userpermission has an Id, Permission (string), and userId string
+    // then we can do something like: get all users with this permission
+    public List<string>? Permissions { get; set; } = new(); // because this isnt very relational database happy
+
     // properties inherited from IdentityUser:
     /*
     AccessFailedCount: Gets or sets the number of failed login attempts for the current user.
@@ -30,3 +35,39 @@ public class User : IdentityUser {
     https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.identity.entityframeworkcore.identityuser?view=aspnetcore-1.1
     */
 };
+
+// DTOs include only the minimum information for transit
+public class RegisterDto {
+
+    public string UserName { get; set; } = "";
+    public string Email { get; set; } = "";
+    public string Password { get; set; } = "";
+
+}
+
+public class LoginDto {
+
+    public string UserName { get; set; } = "";
+    public string Password { get; set; } = "";
+
+}
+
+public class UserDto {
+
+    public DateTime CreatedAt { get; set; } = DateTime.UtcNow; // datetimes get compressed to a string
+    public List<string>? Permissions { get; set; } = [];
+    public string? Email { get; set; } = "";
+    public string Id { get; set; } = "";
+    public string? UserName { get; set; } = "";
+
+    // constructor out of a full User object
+    // REMEMBER: when adding fields to UserDto they must also be set in this constructor or else stuff breaks
+    public UserDto(User user) {
+        CreatedAt = user.CreatedAt;
+        Email = user.Email;
+        Id = user.Id;
+        UserName = user.UserName;
+        Permissions = user.Permissions;
+    }
+
+};

api/src/Services/ItemService.cs

@@ -0,0 +1,59 @@
+
+using Microsoft.EntityFrameworkCore;
+
+using agologumApi.Models;
+
+namespace agologumApi.Services;
+
+// basic CRUD operations for items in the database
+public class ItemService {
+
+    private readonly AppDbContext db_;
+
+    public ItemService(AppDbContext db) {
+        db_ = db;
+    }
+
+    public async Task<List<Item>> GetAll() {
+        return await db_.Items.ToListAsync();
+    }
+
+    public async Task<Item?> Get(int id) {
+        return await db_.Items.FindAsync(id);
+    }
+
+    public async Task<Item?> Get(string name) {
+        return await db_.Items.FirstOrDefaultAsync(u => u.Name == name);
+    }
+
+    public async Task<Item> Create(Item item) {
+        db_.Items.Add(item);
+        await db_.SaveChangesAsync();
+        return item;
+    }
+
+    public async Task<Item?> Update(int id, ItemDto item) {
+
+        Item? oldItem = await db_.Items.FindAsync(id);
+        if(oldItem == null) return oldItem;
+
+        oldItem.Name = item.Name;
+        oldItem.Description = item.Description;
+        oldItem.LastEditedAt = DateTime.UtcNow;
+
+        await db_.SaveChangesAsync();
+        return oldItem;
+    }
+
+    public async Task<bool> Delete(int id) {
+        Item? item = await db_.Items.FindAsync(id);
+        if(item != null) {
+            db_.Items.Remove(item);
+            await db_.SaveChangesAsync();
+            return true;
+        } else {
+            return false;
+        }
+    }
+
+}

api/src/Services/JwtService.cs

@@ -1,40 +1,58 @@
 
 using Microsoft.IdentityModel.Tokens;
+using Microsoft.EntityFrameworkCore;
 using System.Text;
 using System.Security.Claims;
 using System.IdentityModel.Tokens.Jwt;
+using System.Security.Cryptography;
+using Microsoft.AspNetCore.Identity;
 
 using agologumApi.Models;
 
 public class JwtService {
 
     private readonly IConfiguration config_;
+    private readonly AppDbContext db_;
+    private readonly UserManager<User> userManager_;
 
-    public JwtService(IConfiguration config) { // why the heck does c# not have initializer lists ?
+    public JwtService(IConfiguration config, AppDbContext db, UserManager<User> userManager) { // why the heck does c# not have initializer lists ?
         config_ = config;
+        db_ = db;
+        userManager_ = userManager;
     }
 
-    public string? GenerateJwt(User user) {
+    // create a jwt string given a user (user contains permissions which go into claims)
+    public async Task<string?> GenerateJwt(User user) {
 
+        // security stuff
         string? jwtKey = config_["Jwt:Key"];
         if(jwtKey == null) return null;
         var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtKey));
 
         var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
-
+        // make sure the user is real
         if(user.UserName == null) return null;
 
         // not too sure
-        var claims = new[] {
+        var claims = new List<Claim> {
             new Claim(ClaimTypes.Name, user.UserName),
             new Claim(ClaimTypes.NameIdentifier, user.Id.ToString())
         };
 
+        // add each permission that the user has into the claims
+        List<string>? permissions = user.Permissions;
+        if(permissions != null) {
+            foreach(string perm in permissions) {
+                claims.Add(new Claim("permission", perm));
+            }
+        }
+
+        // construct that token
         var token = new JwtSecurityToken(
             issuer: "agologum",
             audience: "agologum",
             claims: claims,
-            expires: DateTime.UtcNow.AddHours(2), // will add a refresher later
+            expires: DateTime.UtcNow.AddHours(2),
             signingCredentials: creds
         );
 
@@ -42,5 +60,39 @@ public class JwtService {
 
     }
 
+    // generating a refresh token is just like a long random password
+    public string GenerateRefreshToken() {
+
+        byte[] randomBytes = new byte[64];
+        RandomNumberGenerator.Fill(randomBytes.AsSpan());
+        return Convert.ToBase64String(randomBytes);
+
+    }
+
+    // we store refresh tokens on our side to check against when a user requests a refresh
+    public async Task<RefreshToken?> GetRefreshToken(string refreshTokenString) {
+        return await db_.RefreshTokens.FirstOrDefaultAsync(u => u.Token == refreshTokenString);
+    }
+
+    // add a refresh token to the token db store
+    public async Task<RefreshToken> AddRefreshToken(RefreshToken refreshToken) {
+        db_.RefreshTokens.Add(refreshToken);
+        await db_.SaveChangesAsync();
+        return refreshToken;
+    }
+
+    // helper to get the User from the id that exists in a refresh token object
+    public async Task<User?> GetUser(string id) {
+        return await db_.Users.FindAsync(id);
+    } // since other places aren't good for having references to db contexts
+
+    // remove refresh token from our store; called when user logs out
+    public async Task<bool> RevokeRefreshToken(string refreshTokenString) {
+        var refreshToken = await db_.RefreshTokens.FirstOrDefaultAsync(u => u.Token == refreshTokenString);
+        if(refreshToken == null) return false;
+        refreshToken.IsRevoked = true;
+        await db_.SaveChangesAsync();
+        return true;
+    }
 
 }

api/src/Services/UserService.cs

@@ -13,34 +13,26 @@ public class UserService {
         db_ = db;
     }
 
+    // get all users
     public async Task<List<User>> GetAll() {
         return await db_.Users.ToListAsync();
     }
 
-    public async Task<User?> Get(int id) {
+    // get one user with id of id
+    public async Task<User?> GetById(string id) {
         return await db_.Users.FindAsync(id);
     }
 
-    public async Task<User?> Get(string username) {
+    // get one user with username of name
-        return await db_.Users.FirstOrDefaultAsync(u => u.UserName == username);
+    public async Task<User?> GetByName(string name) {
+        return await db_.Users.FirstOrDefaultAsync(u => u.UserName == name);
     }
 
-    public async Task<User> Create(User user) {
+    // delete one user with id of id
-        db_.Users.Add(user);
+    public async Task<bool> Delete(string id) {
-        await db_.SaveChangesAsync();
+        User? User = await db_.Users.FindAsync(id);
-        return user;
+        if(User != null) {
-    }
+            db_.Users.Remove(User);
-
-    public async Task<User> Update(User user) {
-        db_.Users.Update(user);
-        await db_.SaveChangesAsync();
-        return user;
-    }
-
-    public async Task<bool> Delete(int id) {
-        User? user = await db_.Users.FindAsync(id);
-        if(user != null) {
-            db_.Users.Remove(user);
             await db_.SaveChangesAsync();
             return true;
         } else {
@@ -48,4 +40,16 @@ public class UserService {
         }
     }
 
+    // update user of id with user
+    public async Task<User?> Update(string id, User user) {
+
+        User? oldUser = await db_.Users.FindAsync(id);
+        if(oldUser == null) return oldUser;
+
+        oldUser.Permissions = user.Permissions;
+
+        await db_.SaveChangesAsync();
+        return oldUser;
+    }
+
 }

client/src/api/AuthApi.ts

@@ -2,18 +2,16 @@
 // service to interact with the api/auth endpoints 
 // handles user registration, user logins, tokens, password reset, etc.
 
-import api from "./axios.ts"
+import { api, authStorage } from "./axios.ts"
-import type { User, RegisterDto, LoginDto } from "../models/User.ts";
+import type { UserDto, RegisterDto, LoginDto } from "../models/User.ts";
 
 const API_URL: string = "/auth";
 
 export const register = async (user: RegisterDto) => {
 
 	try {
-		console.log(user);
-		const response = await api.post(`${API_URL}/register`, user);
 
-		// TODO: if valid
+		const response = await api.post(`${API_URL}/register`, user);
 
 		return true;
 
@@ -29,9 +27,7 @@ export const login = async (user: LoginDto ) => {
 
 	try {
 		const response = await api.post(`${API_URL}/login`, user);
-		const token = response.data.token;
+		authStorage.setTokens(response.data);
-
-		localStorage.setItem("token", token);
 
 		return true;
 
@@ -42,9 +38,9 @@ export const login = async (user: LoginDto ) => {
 }
 
 export const logout = () => {
-	localStorage.removeItem("token");
+	authStorage.clear();
 }
 
 export const getToken = () => {
-	return localStorage.getItem("token");
+	authStorage.getAccessToken();
 }

client/src/api/ItemsApi.ts

@@ -0,0 +1,18 @@
+
+// services are kinda whatever, but in general its a good idea for all api calls to be within a service (at least thats how angular handles it)
+// this item service will handle all to <-> from the server when handling item objects
+
+import api from "./axios.ts"
+import type { Item, ItemDto } from "../models/Item.ts";
+
+const API_URL: string = "/items";
+
+export const getItems = () => api.get<Item[]>(`${API_URL}`);
+
+export const getItem = (id: number) => api.get<Item>(`${API_URL}/${id}`);
+
+export const createItem = (data: ItemDto) => api.post<Item>(`${API_URL}`, data);
+
+export const updateItem = (id: number, data: ItemDto) => api.put<Item>(`${API_URL}/${id}`, data);
+
+export const deleteItem = (id: number) => api.delete<Item>(`${API_URL}/${id}`);

client/src/api/UsersApi.ts

@@ -1,18 +1,15 @@
 
-// services are kinda whatever, but in general its a good idea for all api calls to be within a service (at least thats how angular handles it)
-// this user service will handle all to <-> from the server when handling user objects
-
 import api from "./axios.ts"
-import type { User } from "../models/User.ts";
+import type { UserDto } from "../models/User.ts";
 
 const API_URL: string = "/users";
 
-export const getUsers = () => api.get<User[]>(`${API_URL}`);
+export const getUsers = () => api.get<UserDto[]>(`${API_URL}`);
 
-export const getUser = (id: number) => api.get<User>(`${API_URL}/${id}`);
+export const getUser = (id: string) => api.get<UserDto>(`${API_URL}/${id}`);
 
-export const createUser = (data: User) => api.post<User>(`${API_URL}`, data);
+export const deleteUser = (id: string) => api.delete<UserDto>(`${API_URL}/${id}`);
 
-export const updateUser = (id: number, data: User) => api.put<User>(`${API_URL}/${id}`, data);
+export const removePermission = (id: string, permission: string) => api.delete(`${API_URL}/${id}/${permission}`)
 
-export const deleteUser = (id: number) => api.delete<User>(`${API_URL}/${id}`);
+export const addPermission = (id: string, permission: string) => api.post(`${API_URL}/${id}/${permission}`)

client/src/api/axios.ts

@@ -5,13 +5,41 @@
 import axios from "axios";
 
 const baseUrl: string = import.meta.env.DEV ? import.meta.env.VITE_DEV_API_URL : "https://app.vxbard.net/api"
-const api = axios.create({
+export const api = axios.create({
 	baseURL: baseUrl
 });
 
-api.interceptors.request.use(config => {
+type FailedRequest = { resolve: (token: string) => void, reject: (error: unknown) => void}
+let isRefreshing: boolean = false;
+let failedQueue: FailedRequest[] = [];
 
-    const token = localStorage.getItem("token");
+export const authStorage = {
+    getAccessToken: () => localStorage.getItem("accessToken"),
+    getRefreshToken: () => localStorage.getItem("refreshToken"),
+
+    setTokens: ({ accessToken, refreshToken } : { accessToken: string, refreshToken: string }) => {
+        localStorage.setItem("accessToken", accessToken)
+        localStorage.setItem("refreshToken", refreshToken)
+    },
+
+    clear: () => {
+        localStorage.removeItem("accessToken")
+        localStorage.removeItem("refreshToken")
+    }
+}
+
+const processQueue = (error: unknown, token: string | null = null): void => {
+    failedQueue.forEach(prom => {
+        if (error) prom.reject(error);
+        else prom.resolve(token as string);
+    })
+    failedQueue = [];
+}
+
+// intercept on each request
+api.interceptors.request.use(config => { // add access token to request headers
+
+    const token = authStorage.getAccessToken();
 
     if (token) {
         config.headers.Authorization = `Bearer ${token}`;
@@ -21,4 +49,45 @@ api.interceptors.request.use(config => {
 
 });
 
+// intercept on each response
+api.interceptors.response.use(response => response, async error => { // mainly for authentication refreshTokens
+    const originalRequest = error.config;
+
+    // if un authorized then refresh the token
+    if(error.response?.status === 401 && !originalRequest._retry) {
+        if(isRefreshing) {
+            return new Promise((resolve, reject) => {
+                failedQueue.push({ resolve, reject })
+            }).then(token => {
+                originalRequest.headers.Authorization = `Bearer ${token}`;
+                return api(originalRequest);
+            }).catch(err => Promise.reject(err));
+        }
+
+        originalRequest._retry = true;
+        isRefreshing = true;
+        const refreshToken = authStorage.getRefreshToken();
+        try {
+            // request refresh endpoint get back a new accessToken
+            const res = await axios.post(`${baseUrl}/auth/refresh`, { refreshToken });
+            const { accessToken, refreshToken: newRefresh } = res.data;
+            authStorage.setTokens({ accessToken, refreshToken: newRefresh });
+            processQueue(null, accessToken);
+            originalRequest.headers.Authorization = `Bearer ${accessToken}`;
+            return api(originalRequest);
+        } catch (err) {
+            processQueue(err, null);
+            authStorage.clear()
+            window.location.href = "/login";
+            return Promise.reject(err);
+        } finally {
+            isRefreshing = false;
+        }
+    }
+    return Promise.reject(error);
+})
+
+// TODO: if you get a 403 while navigating then redirect to the last authenticated page
+// if you gert a 403 on a form submissio nthen do like an unauthorized popup (message: stale session <login link>) (or redirect to login like i said elsewhere)
+
 export default api;

client/src/components/ItemsTable.vue

@@ -0,0 +1,33 @@
+
+<script setup lang="ts">
+
+import { onMounted } from "vue";
+import { useItemsStore} from "../stores/ItemsStore.ts";
+
+const store = useItemsStore();
+
+onMounted(() => { // register callback for when component is loaded on page
+    store.fetchItems();
+})
+
+</script>
+
+<template>
+
+    <div>
+        <h1>Items</h1>
+
+        <router-link to="/item/new">Create Item</router-link>
+
+        <table>
+            <tr v-for="item in store.items" :key="item.id">
+                <td>{{ item.name }}</td>
+                <td>
+                    <router-link :to="`/item/${item.id}`">Edit</router-link>
+                    <button @click="store.removeItem(item.id)">Delete</button>
+                </td>
+            </tr>
+        </table>
+    </div>
+
+</template>

client/src/components/UsersTable.vue

@@ -1,33 +0,0 @@
-
-<script setup lang="ts">
-
-import { onMounted } from "vue";
-import { useUsersStore} from "../stores/UsersStore.ts";
-
-const store = useUsersStore();
-
-onMounted(() => { // register callback for when component is loaded on page
-    store.fetchUsers();
-})
-
-</script>
-
-<template>
-
-    <div>
-        <h1>Users</h1>
-
-        <router-link to="/user/new">Create User</router-link>
-
-        <table>
-            <tr v-for="user in store.users" :key="user.id">
-                <td>{{ user.username }}</td>
-                <td>
-                    <router-link :to="`/user/${user.id}`">Edit</router-link>
-                    <button @click="store.removeUser(user.id)">Delete</button>
-                </td>
-            </tr>
-        </table>
-    </div>
-
-</template>

client/src/models/Item.ts

@@ -0,0 +1,13 @@
+
+export interface Item {
+    id: number;
+    name: string;
+    description: string;
+    createdAt: string;
+    lastEditedAt: string;
+}
+
+export interface ItemDto {
+    name: string;
+    description: string;
+}

client/src/models/User.ts

@@ -2,20 +2,21 @@
 // models are the data objects stored in the database. models defined here must match models defined in api/models 
 // dtos here must match the the dtos in api/src/Modelts/Dto.cs in name (case insensitive) (types are intermediately serialized to strings)
 
-export interface User {
+export interface UserDto {
-    id: number;
+    createdAt: string;
-    username: string;
     email: string;
-    password: string;
+    id: string;
+    userName: string;
+    permissions: string;
 }
 
 export interface RegisterDto {
-    username: string;
+    userName: string;
     email: string;
     password: string;
 }
 
 export interface LoginDto {
-    username: string;
+    userName: string;
     password: string;
 }

client/src/pages/ItemForm.vue

@@ -0,0 +1,56 @@
+<!-- pages/views in vue are basically root-level full-page components -->
+
+<script setup lang="ts">
+
+import { ref, onMounted } from "vue";
+import { useRoute, useRouter } from "vue-router";
+
+import { useItemsStore } from "../stores/ItemsStore.ts";
+import type { Item } from "../models/Item.ts";
+
+const store = useItemsStore();
+const route = useRoute();
+const router = useRouter();
+
+const item = ref<Item>({
+    id: 0,
+    name: "",
+    description: "",
+    createdAt: "",
+    lastEditedAt: ""
+});
+
+const id: string | undefined = route.params.id as string | undefined
+
+onMounted(() => {
+    if(id) {
+        const existing = store.items.find(i => i.id == Number(id));
+        if (existing) item.value = { ...existing };
+    }
+});
+
+async function save(): Promise<void> {
+    if(id) {
+        await store.updateItem(Number(id), item.value);
+    } else {
+        await store.addItem(item.value);
+    }
+
+    router.push("/items"); // redirect
+}
+
+</script>
+
+<template>
+
+    <div>
+        <h2>{{ id ? "Edit Item" : "Create Item" }}</h2> <!-- omg I love ternary operator :D -->
+
+        <form @submit.prevent="save">
+            <input v-model="item.name" placeholder="Name" />
+            <input v-model="item.description" placeholder="Name" />
+            <button type="submit">Save</button>
+        </form>
+    </div>
+
+</template>

client/src/pages/ItemsList.vue

@@ -0,0 +1,44 @@
+
+<script setup lang="ts">
+
+import { onMounted } from "vue"
+import { useRoute, useRouter } from "vue-router";
+import { useItemsStore } from "../stores/ItemsStore.ts"
+import * as authApi from "../api/AuthApi";
+
+const store = useItemsStore()
+const router = useRouter();
+
+onMounted(() => {
+  store.fetchItems()
+})
+
+function logout() {
+    authApi.logout();
+    router.push("/login");
+}
+
+</script>
+
+<template>
+    <div>
+        <h1>Items</h1>
+
+        <router-link to="/item/new">Create Item</router-link>
+
+        <table>
+            <tr v-for="item in store.items" :key="item.id">
+                <td>{{ item.name }}</td>
+                <td>
+
+                    <router-link :to="`/item/${item.id}`" custom v-slot="{ navigate }">
+                        <button @click="navigate" role="link">Edit</button>
+                    </router-link>
+
+                    <button @click="store.removeItem(item.id)">Delete</button>
+                </td>
+            </tr>
+        </table>
+        <button @click="logout()">Logout</button>
+    </div>
+</template>

client/src/pages/LoginForm.vue

@@ -10,7 +10,7 @@ import * as authApi from "../api/AuthApi";
 const router = useRouter();
 
 const user = reactive<LoginDto>({ // the template ensures type consistency
-    username: "",
+    userName: "",
     password: "",
 });
 
@@ -23,10 +23,12 @@ async function login(): Promise<void> {
     const success: boolean = await authApi.login(user);
 
     if(success) {
-        router.push("/users"); // redirect
+        router.push("/"); // redirect
     } else {
         // prompt try again
     }
+    // TODO: interceptor for when a request returns unauthorized to redirect to login
+    // TODO: when redirected to login, save previous url as a query parameter then redirect back to that url after login 
 
 }
 
@@ -38,7 +40,7 @@ async function login(): Promise<void> {
         <h2>Login</h2>
 
         <form @submit.prevent="login">
-            <input v-model="user.username" placeholder="username" />
+            <input v-model="user.userName" placeholder="username" />
             <input v-model="user.password" type="password" placeholder="password" />
             
             <button type="submit">Submit</button>

client/src/pages/RegisterForm.vue

@@ -10,7 +10,7 @@ import * as authApi from "../api/AuthApi";
 const router = useRouter();
 
 const user = reactive<RegisterDto>({ // the template ensures type consistency
-    username: "",
+    userName: "",
     email: "",
     password: "",
 });
@@ -40,7 +40,7 @@ async function register(): Promise<void> {
         <h2>Register</h2>
 
         <form @submit.prevent="register">
-            <input v-model="user.username" placeholder="username" />
+            <input v-model="user.userName" placeholder="username" />
             <input v-model="user.email" placeholder="email" />
             <input v-model="user.password" placeholder="password" />
             

client/src/pages/UserForm.vue

@@ -1,55 +0,0 @@
-<!-- pages/views in vue are basically root-level full-page components -->
-
-<script setup lang="ts">
-
-import { ref, onMounted } from "vue";
-import { useRoute, useRouter } from "vue-router";
-
-import { useUsersStore } from "../stores/UsersStore.ts";
-import type { User } from "../models/User.ts";
-
-const store = useUsersStore();
-const route = useRoute();
-const router = useRouter();
-
-const user = ref<User>({
-    id: 0,
-    username: "",
-    email: "",
-    password: ""
-});
-
-const id: string | undefined = route.params.id as string | undefined
-
-onMounted(() => {
-    if(id) {
-        const existing = store.users.find(i => i.id == Number(id));
-        if (existing) user.value = { ...existing };
-    }
-});
-
-async function save(): Promise<void> {
-    if(id) {
-        await store.updateUser(Number(id), user.value);
-    } else {
-        await store.addUser(user.value);
-    }
-
-    router.push("/users"); // redirect
-}
-
-</script>
-
-<template>
-
-    <div>
-        <h2>{{ id ? "Edit User" : "Create User" }}</h2> <!-- omg I love ternary operator :D -->
-
-        <form @submit.prevent="save">
-            <input v-model="user.username" placeholder="Name" />
-            
-            <button type="submit">Save</button>
-        </form>
-    </div>
-
-</template>

client/src/pages/UsersList.vue

@@ -1,7 +1,7 @@
 
 <script setup lang="ts">
 
-import { onMounted } from "vue"
+import { onMounted, reactive } from "vue"
 import { useRoute, useRouter } from "vue-router";
 import { useUsersStore } from "../stores/UsersStore.ts"
 import * as authApi from "../api/AuthApi";
@@ -18,25 +18,36 @@ function logout() {
     router.push("/login");
 }
 
+const inputs = reactive<Record<number, string>>({});
+store.users.forEach((_, i) => {
+    inputs[i] = ""
+});
+
+const addPermission = (userId: string, index: number) => {
+    if(inputs[index] != null) store.addPermission(userId, inputs[index]);
+}
+
 </script>
 
 <template>
     <div>
         <h1>Users</h1>
 
-        <router-link to="/user/new">Create User</router-link>
-
         <table>
-            <tr v-for="user in store.users" :key="user.id">
+            <tr v-for="(user, index) in store.users" :key="user.id">
-                <td>{{ user.username }}</td>
+                <td>{{ user.userName }}</td>
                 <td>
-
-                    <router-link :to="`/user/${user.id}`" custom v-slot="{ navigate }">
-                        <button @click="navigate" role="link">Edit</button>
-                    </router-link>
-
                     <button @click="store.removeUser(user.id)">Delete</button>
                 </td>
+                <td v-for="perm in user.permissions" :key="user.id">
+                    <button @click="store.removePermission(user.id, perm)">Remove {{ perm }} permission</button>
+                </td>
+                <td>
+                    <form @submit.prevent="addPermission(user.id, index)">
+                        <input type="text" v-model="inputs[index]" placeholder="permission" />
+                        <button type="submit">Add Permission</button>
+                    </form>
+                </td>
             </tr>
         </table>
         <button @click="logout()">Logout</button>

client/src/pages/index.vue

@@ -10,6 +10,12 @@
     <h3>yeah im so cool rn</h3>
     <h1>imagining what I could do with themes :o</h1>
 
+    <h3>TODO: if(logged in) show this stuff; else dont.</h3>
+
+    <router-link to="/items" custom v-slot="{ navigate }">
+        <button @click="navigate" role="link">Items</button>
+    </router-link>
+
     <router-link to="/users" custom v-slot="{ navigate }">
         <button @click="navigate" role="link">Users</button>
     </router-link>

client/src/router/index.ts

@@ -4,18 +4,22 @@
 import { createRouter, createWebHistory } from "vue-router";
 import LoginForm from "../pages/LoginForm.vue";
 import RegisterForm from "../pages/RegisterForm.vue";
+import ItemsList from "../pages/ItemsList.vue";
+import ItemForm from "../pages/ItemForm.vue";
 import UsersList from "../pages/UsersList.vue";
-import UserForm from "../pages/UserForm.vue";
 import index from "../pages/index.vue";
 
+import { authStorage } from "../api/axios.ts"
+
 // link path to the page component
 const routes = [
 	{ path: "/", component: index },
 	{ path: "/login", component: LoginForm },
 	{ path: "/register", component: RegisterForm },
-	{ path: "/users", component: UsersList, meta: { requiresAuth: true } },
+	{ path: "/items", component: ItemsList, meta: { requiresAuth: true } },
-	{ path: "/user/new", component: UserForm, meta: { requiresAuth: true } },
+	{ path: "/item/new", component: ItemForm, meta: { requiresAuth: true } },
-	{ path: "/user/:id", component: UserForm, meta: { requiresAuth: true } }
+	{ path: "/item/:id", component: ItemForm, meta: { requiresAuth: true } },
+	{ path: "/users", component: UsersList, meta: { requiresAuth: true } }
 ]; // I really like this
 
 const router = createRouter({
@@ -26,24 +30,14 @@ const router = createRouter({
 // intercept before routing
 router.beforeEach((to, from, next) => {
 
-	const token = localStorage.getItem("token");
+	const token: string | null = authStorage.getAccessToken();
 	if(to.meta.requiresAuth && !token) { // if the page requires use to be signed in, they must have at least a token set
 		next("/login");
 	} else {
 		next();
 	}
-	// TODO: if they have a token, but invalid, it will still send them to the page (the api will catch non-authorized though)
+
-	// maybe have a "validate token" from the api and refresh it if valid
-	/*
-	} else {
-		bool authorizedUser = authApi.refreshToken(token);
-		if(authorizedUser) {
-			next();
-		} else {
-			next("/login");
-		}
-	}
-	*/
 });
+// if the api responds unauthorized (401) then it also will auto-redirect to the login page
 
 export default router;

client/src/stores/ItemsStore.ts

@@ -0,0 +1,48 @@
+
+// stores are for component state management
+// Pinia (?) i kinda dont get it because in angular you just hook a component to a service and that's it,
+// though I guess the service handled the state management
+// sighh
+
+import { defineStore } from "pinia";
+import type { Item, ItemDto } from "../models/Item.ts";
+import * as itemsApi from "../api/ItemsApi";
+
+interface ItemState {
+    items: Item[];
+    loading: boolean;
+}
+
+export const useItemsStore = defineStore("items", {
+    
+    state: (): ItemState => ({
+        items: [],
+        loading: false
+    }),
+
+    actions: {
+        async fetchItems() {
+            this.loading = true;
+            const response = await itemsApi.getItems();
+            this.items = response.data;
+            this.loading = false;
+        },
+
+        async addItem(item: ItemDto) {
+            const response = await itemsApi.createItem(item);
+            this.items.push(response.data);
+        },
+
+        async updateItem(id: number, item: ItemDto) {
+            const response = await itemsApi.updateItem(id, item);
+            const index = this.items.findIndex(i => i.id === id);
+            this.items[index] = response.data;
+        },
+
+        async removeItem(id: number) {
+            await itemsApi.deleteItem(id);
+            this.items = this.items.filter(i => i.id !== id);
+        }
+    }
+
+});

client/src/stores/UsersStore.ts

@@ -1,15 +1,10 @@
 
-// stores are for component state management
-// Pinia (?) i kinda dont get it because in angular you just hook a component to a service and that's it,
-// though I guess the service handled the state management
-// sighh
-
 import { defineStore } from "pinia";
-import type { User } from "../models/User.ts";
+import type { UserDto } from "../models/User.ts";
 import * as usersApi from "../api/UsersApi";
 
 interface UserState {
-    users: User[];
+    users: UserDto[];
     loading: boolean;
 }
 
@@ -28,20 +23,17 @@ export const useUsersStore = defineStore("users", {
             this.loading = false;
         },
 
-        async addUser(user: User) {
+        async removeUser(id: string) {
-            const response = await usersApi.createUser(user);
-            this.users.push(response.data);
-        },
-
-        async updateUser(id: number, user: User) {
-            await usersApi.updateUser(id, user);
-            const index = this.users.findIndex(i => i.id === id);
-            this.users[index] = user;
-        },
-
-        async removeUser(id: number) {
             await usersApi.deleteUser(id);
             this.users = this.users.filter(i => i.id !== id);
+        },
+
+        async removePermission(id: string, permission: string) {
+            await usersApi.removePermission(id, permission);
+        },
+
+        async addPermission(id: string, permission: string) {
+            await usersApi.addPermission(id, permission);
         }
     }
 

scripts/DEV_README.md

@@ -13,7 +13,8 @@ To see live logs:
 sudo docker logs -f -t agologum-api
 
 public user:
-> username=bard
+> username=bard (sensitive data modify permissions)
+> username=xvbard (sensitive data read permissions)
 > password=Public*890
 
 chrome dev tools troubleshooting