Update api for auth

backend/go.mod

@@ -6,6 +6,8 @@ require (
 	github.com/go-chi/chi/v5 v5.1.0
 	github.com/go-git/go-git/v5 v5.12.0
 	github.com/go-playground/validator/v10 v10.22.1
+	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/google/uuid v1.6.0
 	github.com/mattn/go-sqlite3 v1.14.23
 	golang.org/x/crypto v0.21.0
 )

backend/go.sum

@@ -44,10 +44,14 @@ github.com/go-playground/universal-translator v0.18.1 h1:Bcnm0ZwsGyWbCzImXv+pAJn
 github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91TpwSH2VMlDf28Uj24BCp08ZFTUY=
 github.com/go-playground/validator/v10 v10.22.1 h1:40JcKH+bBNGFczGuoBYgX4I6m/i27HYW8P9FDk5PbgA=
 github.com/go-playground/validator/v10 v10.22.1/go.mod h1:dbuPbCMFw/DrkbEynArYaCwl3amGuJotoKCe95atGMM=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=

backend/internal/api/auth_handlers.go

@@ -0,0 +1,148 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"novamd/internal/auth"
+	"novamd/internal/db"
+	"novamd/internal/models"
+
+	"golang.org/x/crypto/bcrypt"
+)
+
+type LoginRequest struct {
+	Email    string `json:"email"`
+	Password string `json:"password"`
+}
+
+type LoginResponse struct {
+	AccessToken  string        `json:"accessToken"`
+	RefreshToken string        `json:"refreshToken"`
+	User         *models.User  `json:"user"`
+	Session      *auth.Session `json:"session"`
+}
+
+type RefreshRequest struct {
+	RefreshToken string `json:"refreshToken"`
+}
+
+type RefreshResponse struct {
+	AccessToken string `json:"accessToken"`
+}
+
+// Login handles user authentication and returns JWT tokens
+func Login(authService *auth.SessionService, db *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req LoginRequest
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			http.Error(w, "Invalid request body", http.StatusBadRequest)
+			return
+		}
+
+		// Validate request
+		if req.Email == "" || req.Password == "" {
+			http.Error(w, "Email and password are required", http.StatusBadRequest)
+			return
+		}
+
+		// Get user from database
+		user, err := db.GetUserByEmail(req.Email)
+		if err != nil {
+			http.Error(w, "Invalid credentials", http.StatusUnauthorized)
+			return
+		}
+
+		// Verify password
+		err = bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(req.Password))
+		if err != nil {
+			http.Error(w, "Invalid credentials", http.StatusUnauthorized)
+			return
+		}
+
+		// Create session and generate tokens
+		session, accessToken, err := authService.CreateSession(user.ID, string(user.Role))
+		if err != nil {
+			http.Error(w, "Failed to create session", http.StatusInternalServerError)
+			return
+		}
+
+		// Prepare response
+		response := LoginResponse{
+			AccessToken:  accessToken,
+			RefreshToken: session.RefreshToken,
+			User:         user,
+			Session:      session,
+		}
+
+		respondJSON(w, response)
+	}
+}
+
+// Logout invalidates the user's session
+func Logout(authService *auth.SessionService) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		sessionID := r.Header.Get("X-Session-ID")
+		if sessionID == "" {
+			http.Error(w, "Session ID required", http.StatusBadRequest)
+			return
+		}
+
+		err := authService.InvalidateSession(sessionID)
+		if err != nil {
+			http.Error(w, "Failed to logout", http.StatusInternalServerError)
+			return
+		}
+
+		w.WriteHeader(http.StatusOK)
+	}
+}
+
+// RefreshToken generates a new access token using a refresh token
+func RefreshToken(authService *auth.SessionService) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var req RefreshRequest
+		if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+			http.Error(w, "Invalid request body", http.StatusBadRequest)
+			return
+		}
+
+		if req.RefreshToken == "" {
+			http.Error(w, "Refresh token required", http.StatusBadRequest)
+			return
+		}
+
+		// Generate new access token
+		accessToken, err := authService.RefreshSession(req.RefreshToken)
+		if err != nil {
+			http.Error(w, "Invalid refresh token", http.StatusUnauthorized)
+			return
+		}
+
+		response := RefreshResponse{
+			AccessToken: accessToken,
+		}
+
+		respondJSON(w, response)
+	}
+}
+
+// GetCurrentUser returns the currently authenticated user
+func GetCurrentUser(db *db.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		// Get user claims from context (set by auth middleware)
+		claims, err := auth.GetUserFromContext(r.Context())
+		if err != nil {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		// Get user from database
+		user, err := db.GetUserByID(claims.UserID)
+		if err != nil {
+			http.Error(w, "User not found", http.StatusNotFound)
+			return
+		}
+
+		respondJSON(w, user)
+	}
+}

backend/internal/api/routes.go

@@ -1,14 +1,30 @@
 package api
 
 import (
+	"novamd/internal/auth"
 	"novamd/internal/db"
 	"novamd/internal/filesystem"
+	"novamd/internal/models"
 
 	"github.com/go-chi/chi/v5"
 )
 
-func SetupRoutes(r chi.Router, db *db.DB, fs *filesystem.FileSystem) {
+func SetupRoutes(r chi.Router, db *db.DB, fs *filesystem.FileSystem, authMiddleware *auth.Middleware, sessionService *auth.SessionService) {
-	r.Route("/", func(r chi.Router) {
+	// Public routes (no authentication required)
+	r.Group(func(r chi.Router) {
+		r.Post("/auth/login", Login(sessionService, db))
+		r.Post("/auth/refresh", RefreshToken(sessionService))
+	})
+
+	// Protected routes (authentication required)
+	r.Group(func(r chi.Router) {
+		// Apply authentication middleware to all routes in this group
+		r.Use(authMiddleware.Authenticate)
+
+		// Auth routes
+		r.Post("/auth/logout", Logout(sessionService))
+		r.Get("/auth/me", GetCurrentUser(db))
+
 		// User routes
 		r.Route("/users/{userId}", func(r chi.Router) {
 			r.Get("/", GetUser(db))
@@ -30,12 +46,11 @@ func SetupRoutes(r chi.Router, db *db.DB, fs *filesystem.FileSystem) {
 						r.Get("/", ListFiles(fs))
 						r.Get("/last", GetLastOpenedFile(db))
 						r.Put("/last", UpdateLastOpenedFile(db, fs))
-						r.Get("/lookup", LookupFileByName(fs)) // Moved here
+						r.Get("/lookup", LookupFileByName(fs))
 
 						r.Post("/*", SaveFile(fs))
 						r.Get("/*", GetFileContent(fs))
 						r.Delete("/*", DeleteFile(fs))
-
 					})
 
 					// Git routes
@@ -46,5 +61,11 @@ func SetupRoutes(r chi.Router, db *db.DB, fs *filesystem.FileSystem) {
 				})
 			})
 		})
+
+		// Admin-only routes
+		r.Group(func(r chi.Router) {
+			r.Use(authMiddleware.RequireRole(string(models.RoleAdmin)))
+			// Admin-only endpoints
+		})
 	})
 }