Added endpoint for shares

- Roles are not hardcoded anymore (closes #4)

.gitignore

@@ -1,3 +1,5 @@
-database.db
+appdata
 .idea
 *.exe
+*.cmd
+.run

Dockerfile

@@ -0,0 +1,19 @@
+FROM --platform=$BUILDPLATFORM golang:1.26-alpine AS builder
+
+RUN apk add --no-cache git
+WORKDIR /app
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+ARG TARGETOS
+ARG TARGETARCH
+
+RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
+    go build -ldflags "-s -w" -o shap-planner-backend .
+
+FROM scratch
+COPY --from=builder /app/shap-planner-backend /shap-planner-backend
+ENTRYPOINT ["/shap-planner-backend"]

LICENSE

@@ -0,0 +1,121 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+   protected by copyright and related or neighboring rights ("Copyright and
+   Related Rights"). Copyright and Related Rights include, but are not
+   limited to, the following:
+
+i. the right to reproduce, adapt, distribute, perform, display,
+communicate, and translate a Work;
+ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+likeness depicted in a Work;
+iv. rights protecting against unfair competition in regards to a Work,
+subject to the limitations in paragraph 4(a), below;
+v. rights protecting the extraction, dissemination, use and reuse of data
+in a Work;
+vi. database rights (such as those arising under Directive 96/9/EC of the
+European Parliament and of the Council of 11 March 1996 on the legal
+protection of databases, and under any national implementation
+thereof, including any amended or successor version of such
+directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+world based on applicable law or treaty, and any national
+implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+   of, applicable law, Affirmer hereby overtly, fully, permanently,
+   irrevocably and unconditionally waives, abandons, and surrenders all of
+   Affirmer's Copyright and Related Rights and associated claims and causes
+   of action, whether now known or unknown (including existing as well as
+   future claims and causes of action), in the Work (i) in all territories
+   worldwide, (ii) for the maximum duration provided by applicable law or
+   treaty (including future time extensions), (iii) in any current or future
+   medium and for any number of copies, and (iv) for any purpose whatsoever,
+   including without limitation commercial, advertising or promotional
+   purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+   member of the public at large and to the detriment of Affirmer's heirs and
+   successors, fully intending that such Waiver shall not be subject to
+   revocation, rescission, cancellation, termination, or any other legal or
+   equitable action to disrupt the quiet enjoyment of the Work by the public
+   as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+   be judged legally invalid or ineffective under applicable law, then the
+   Waiver shall be preserved to the maximum extent permitted taking into
+   account Affirmer's express Statement of Purpose. In addition, to the
+   extent the Waiver is so judged Affirmer hereby grants to each affected
+   person a royalty-free, non transferable, non sublicensable, non exclusive,
+   irrevocable and unconditional license to exercise Affirmer's Copyright and
+   Related Rights in the Work (i) in all territories worldwide, (ii) for the
+   maximum duration provided by applicable law or treaty (including future
+   time extensions), (iii) in any current or future medium and for any number
+   of copies, and (iv) for any purpose whatsoever, including without
+   limitation commercial, advertising or promotional purposes (the
+   "License"). The License shall be deemed effective as of the date CC0 was
+   applied by Affirmer to the Work. Should any part of the License for any
+   reason be judged legally invalid or ineffective under applicable law, such
+   partial invalidity or ineffectiveness shall not invalidate the remainder
+   of the License, and in such case Affirmer hereby affirms that he or she
+   will not (i) exercise any of his or her remaining Copyright and Related
+   Rights in the Work or (ii) assert any associated claims and causes of
+   action with respect to the Work, in either case contrary to Affirmer's
+   express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+a. No trademark or patent rights held by Affirmer are waived, abandoned,
+surrendered, licensed or otherwise affected by this document.
+b. Affirmer offers the Work as-is and makes no representations or
+warranties of any kind concerning the Work, express, implied,
+statutory or otherwise, including without limitation warranties of
+title, merchantability, fitness for a particular purpose, non
+infringement, or the absence of latent or other defects, accuracy, or
+the present or absence of errors, whether or not discoverable, all to
+the greatest extent permissible under applicable law.
+c. Affirmer disclaims responsibility for clearing rights of other persons
+that may apply to the Work or any use thereof, including without
+limitation any person's Copyright and Related Rights in the Work.
+Further, Affirmer disclaims responsibility for obtaining any necessary
+consents, permissions or other rights required for any use of the
+Work.
+d. Affirmer understands and acknowledges that Creative Commons is not a
+party to this document and has no duty or obligation with respect to
+this CC0 or use of the Work.

README.md

@@ -0,0 +1,72 @@
+# ShAp-Planner
+
+ShAp-Planner is a **self-hosted app** for managing finances, tasks, and data within shared households.  
+The app is fully open source, lightweight, and can run on small devices like Raspberry Pi or older computers.
+
+**[Backend](https://git.miaurizius.de/MiauRizius/shap-planner-backend):** Go  
+**[Frontend](https://git.miaurizius.de/MiauRizius/shap-planner-android):** Android (Kotlin)  
+**[License](https://git.miaurizius.de/MiauRizius/shap-planner-backend/src/branch/main/LICENSE):** [CC0 1.0](https://creativecommons.org/publicdomain/zero/1.0/)
+
+---
+
+## Installation
+
+### Docker  Compose (recommended)
+1. Download docker-compose.yaml
+````shell
+$ curl -L https://git.miaurizius.de/MiauRizius/shap-planner-backend/raw/branch/main/docker-compose.yaml -o docker-compose.yaml
+````
+or create it yourself and enter the following content
+````yaml
+services:
+  shap-planner:
+    image: git.miaurizius.de/miaurizius/shap-planner-backend:latest
+    container_name: shap-planner
+    restart: unless-stopped
+    ports:
+      - "8080:8080"
+    environment:
+      - SHAP_JWT_SECRET=SECURE_RANDOM_STRING # Must be at least 32 characters long
+    volumes:
+      - ./appdata:/appdata # To edit your configuration files
+````
+
+2. Start the container
+````shell
+$ docker compose up -d
+````
+
+3. Edit configuration as you like
+
+### Build from source
+
+1. Clone the repository:
+```bash
+git clone https://git.miaurizius.de/MiauRizius/shap-planner-backend.git
+cd shap-planner-backend
+````
+
+2. Set environment variables:
+
+```bash
+export SHAP_JWT_SECRET="your_super_random_secret"
+```
+
+3. Run the server:
+
+```bash
+go run main.go
+```
+
+## Configuration
+### Environment Variables
+
+| Variable          | Description                                           | Example          |
+|-------------------|-------------------------------------------------------|----------------|
+| `SHAP_JWT_SECRET` | Secret used to sign JWT tokens                        | `superrandomsecret123` |
+
+---
+
+## License
+
+This work is marked <a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0 1.0</a>

auth/jwt.go

@@ -0,0 +1,42 @@
+package auth
+
+import (
+	"time"
+
+	"github.com/golang-jwt/jwt/v5"
+)
+
+type Claims struct {
+	UserID string `json:"user_id"`
+	Role   string `json:"role"`
+	jwt.RegisteredClaims
+}
+
+func GenerateJWT(userID, role string, secret []byte) (string, error) {
+	claims := Claims{
+		UserID: userID,
+		Role:   role,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(time.Now().Add(15 * time.Minute)),
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+		},
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return token.SignedString(secret)
+}
+func ValidateJWT(tokenStr string, secret []byte) (*Claims, error) {
+	token, err := jwt.ParseWithClaims(tokenStr, &Claims{}, func(token *jwt.Token) (interface{}, error) {
+		return secret, nil
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	claims, ok := token.Claims.(*Claims)
+	if !ok || !token.Valid {
+		return nil, err
+	}
+
+	return claims, nil
+}

auth/middleware.go

@@ -0,0 +1,48 @@
+package auth
+
+import (
+	"context"
+	"net/http"
+	"strings"
+)
+
+type contextKey string
+
+const UserContextKey contextKey = contextKey("user")
+
+func AuthMiddleware(secret []byte) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+			authHeader := r.Header.Get("Authorization")
+			if authHeader == "" {
+				http.Error(w, "Missing token", http.StatusUnauthorized)
+				return
+			}
+
+			tokenStr := strings.TrimPrefix(authHeader, "Bearer ")
+
+			claims, err := ValidateJWT(tokenStr, secret)
+			if err != nil {
+				http.Error(w, "Invalid token", http.StatusUnauthorized)
+				return
+			}
+
+			ctx := context.WithValue(r.Context(), UserContextKey, claims)
+			next.ServeHTTP(w, r.WithContext(ctx))
+
+		})
+	}
+}
+func RequireRole(role string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			claims := r.Context().Value(UserContextKey).(*Claims)
+			if claims.Role != role {
+				http.Error(w, "Forbidden", http.StatusForbidden)
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}

auth/password.go

@@ -0,0 +1,12 @@
+package auth
+
+import "golang.org/x/crypto/bcrypt"
+
+func HashPassword(password string) (string, error) {
+	bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
+	return string(bytes), err
+}
+func CheckPasswordHash(password, hash string) bool {
+	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+	return err == nil
+}

config/config.go

@@ -0,0 +1,62 @@
+package config
+
+import (
+	"log"
+	"os"
+	"path/filepath"
+
+	"gopkg.in/yaml.v3"
+)
+
+type Config struct {
+	HouseholdName   string `yaml:"household_name"`
+	Port            string `yaml:"port"`
+	DatabasePath    string `yaml:"database_path"`
+	CertificatePath string `yaml:"certificate_path"`
+	PrivateKeyPath  string `yaml:"private_key_path"`
+}
+
+const configPath = "./appdata/config.yaml"
+
+func CheckIfExists() error {
+	_, err := os.Stat(configPath)
+	if err == nil {
+		return nil
+	}
+
+	if !os.IsNotExist(err) {
+		return err
+	}
+
+	log.Printf("Config file %s doesn't exist, creating...", configPath)
+	err = os.MkdirAll(filepath.Dir(configPath), 0755)
+	if err != nil {
+		return err
+	}
+
+	defaultConfig := Config{
+		Port:            "8080",
+		DatabasePath:    "./appdata/database.db",
+		HouseholdName:   "Example-Household",
+		CertificatePath: "./appdata/cert.pem",
+		PrivateKeyPath:  "./appdata/key.pem",
+	}
+
+	data, err := yaml.Marshal(defaultConfig)
+	if err != nil {
+		return err
+	}
+
+	return os.WriteFile(configPath, data, 0644)
+}
+func LoadConfig() (Config, error) {
+	var cfg Config
+
+	file, err := os.ReadFile(configPath)
+	if err != nil {
+		return cfg, err
+	}
+
+	err = yaml.Unmarshal(file, &cfg)
+	return cfg, err
+}

docker-compose.yaml

@@ -0,0 +1,11 @@
+services:
+    shap-planner:
+        image: git.miaurizius.de/miaurizius/shap-planner-backend:latest
+        container_name: shap-planner
+        restart: unless-stopped
+        ports:
+          - "8080:8080"
+        environment:
+          - SHAP_JWT_SECRET=SECURE_RANDOM_STRING # Must be at least 32 characters long
+        volumes:
+          - ./appdata:/appdata # To edit your configuration files

go.mod

@@ -4,8 +4,10 @@ go 1.26.0
 
 require (
 	github.com/glebarez/go-sqlite v1.22.0
+	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/uuid v1.6.0
 	golang.org/x/crypto v0.48.0
+	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (

go.sum

@@ -2,6 +2,8 @@ github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkp
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
 github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
 github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -15,6 +17,10 @@ golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVo
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
 golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 modernc.org/libc v1.37.6 h1:orZH3c5wmhIQFTXF+Nt+eeauyd+ZIt2BX6ARe+kD+aw=
 modernc.org/libc v1.37.6/go.mod h1:YAXkAZ8ktnkCKaN9sw/UDeUVkGYJ/YquGO4FTi5nmHE=
 modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=

handlers/account.go

@@ -2,49 +2,245 @@ package handlers
 
 import (
 	"encoding/json"
+	"log"
 	"net/http"
+	"os"
+	"shap-planner-backend/auth"
+	"shap-planner-backend/config"
 	"shap-planner-backend/models"
 	"shap-planner-backend/storage"
 	"shap-planner-backend/utils"
+	"time"
 )
 
+var cfg, _ = config.LoadConfig()
+
 func Register(w http.ResponseWriter, r *http.Request) {
 	var user models.User
-	_ = json.NewDecoder(r.Body).Decode(&user)
+	if err := json.NewDecoder(r.Body).Decode(&user); err != nil {
-	hashed, _ := utils.HashPassword(user.Password)
+		log.Println("POST [api/register] " + r.RemoteAddr + ": " + err.Error())
-	user.Password = hashed
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
-	user.ID = utils.GenerateUUID()
-
-	err := storage.AddUser(user)
-	if err != nil {
-		http.Error(w, "User exists", http.StatusBadRequest)
 		return
 	}
-	w.WriteHeader(http.StatusCreated)
+
+	if user.Username == "" || user.Password == "" {
+		log.Println("POST [api/register] " + r.RemoteAddr + ": Username or Password is empty")
+		http.Error(w, "username and password required", http.StatusBadRequest)
+		return
 	}
 
+	hashed, err := auth.HashPassword(user.Password)
+	if err != nil {
+		log.Println("POST [api/register] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "internal error", http.StatusInternalServerError)
+		return
+	}
+	user.Password = hashed
+	user.ID = utils.GenerateUUID()
+	user.Role = models.RoleUser
+
+	if err := storage.AddUser(&user); err != nil {
+		log.Println("POST [api/register] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "user already exists", http.StatusBadRequest)
+		return
+	}
+
+	w.WriteHeader(http.StatusCreated)
+	log.Println("POST [api/register] " + r.RemoteAddr + ": Successfully created user")
+}
 func Login(w http.ResponseWriter, r *http.Request) {
 	var creds struct {
 		Username string `json:"username"`
 		Password string `json:"password"`
 	}
-	_ = json.NewDecoder(r.Body).Decode(&creds)
+	if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
+		log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "Invalid request", http.StatusBadRequest)
+		return
+	}
 
 	user, err := storage.GetUserByUsername(creds.Username)
 	if err != nil {
-		http.Error(w, "User not found", http.StatusUnauthorized)
+		log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "Invalid credentials", http.StatusUnauthorized)
 		return
 	}
 
-	if !utils.CheckPasswordHash(creds.Password, user.Password) {
+	if !auth.CheckPasswordHash(creds.Password, user.Password) {
-		http.Error(w, "Wrong password", http.StatusUnauthorized)
+		log.Println("POST [api/login] " + r.RemoteAddr + ": Invalid credentials")
+		http.Error(w, "Invalid credentials", http.StatusUnauthorized)
 		return
 	}
 
-	// TODO: JWT oder Session-Token erzeugen
+	secret := []byte(os.Getenv("SHAP_JWT_SECRET"))
-	w.WriteHeader(http.StatusOK)
+	if len(secret) == 0 {
-	err = json.NewEncoder(w).Encode(user)
+		log.Println("POST [api/login] " + r.RemoteAddr + ": Server misconfiguration")
+		http.Error(w, "Server misconfiguration", http.StatusInternalServerError)
+		return
+	}
+
+	accessToken, err := auth.GenerateJWT(user.ID, user.Role, secret)
 	if err != nil {
+		log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "Could not generate token", http.StatusInternalServerError)
 		return
 	}
+
+	refreshTokenPlain, err := utils.GenerateRefreshToken()
+	if err != nil {
+		log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "could not generate refresh token", http.StatusInternalServerError)
+		return
+	}
+	refreshHash := utils.HashToken(refreshTokenPlain)
+	refreshID := utils.GenerateUUID()
+	refreshExpires := time.Now().Add(7 * 24 * time.Hour).Unix() // expiry: 7 days
+
+	deviceInfo := r.Header.Get("User-Agent")
+
+	if err := storage.AddRefreshToken(&models.RefreshToken{
+		ID:         refreshID,
+		UserID:     user.ID,
+		Token:      refreshHash,
+		ExpiresAt:  refreshExpires,
+		DeviceInfo: deviceInfo,
+		CreatedAt:  time.Now().Unix(),
+		Revoked:    false,
+	}); err != nil {
+		log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "could not save refresh token", http.StatusInternalServerError)
+		return
+	}
+
+	// Return access + refresh token (refresh in plain for client to store securely)
+	resp := map[string]interface{}{
+		"access_token":  accessToken,
+		"refresh_token": refreshTokenPlain,
+		"user": map[string]interface{}{
+			"id":       user.ID,
+			"username": user.Username,
+			"role":     user.Role,
+		},
+		"wgName": cfg.HouseholdName,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(resp)
+	if err != nil {
+		log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "Something went wrong", http.StatusInternalServerError)
+		return
+	}
+	log.Println("POST [api/login] " + r.RemoteAddr + ": Successfully logged in")
+}
+func Logout(w http.ResponseWriter, r *http.Request) {
+	claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
+	err := storage.RevokeAllRefreshTokensForUser(claims.UserID)
+	if err != nil {
+		log.Println("GET [api/logout] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+	w.WriteHeader(204)
+}
+func TestHandler(w http.ResponseWriter, r *http.Request) {
+	claims, _ := utils.IsLoggedIn(w, r)
+
+	w.Header().Set("Content-Type", "application/json")
+	err := json.NewEncoder(w).Encode(map[string]interface{}{
+		"user_id": claims.UserID,
+		"role":    claims.Role,
+		"msg":     "Authentication successful",
+	})
+	if err != nil {
+		log.Println("GET [api/ping] " + r.RemoteAddr + ": " + err.Error())
+		return
+	}
+	log.Println("GET [api/login] " + r.RemoteAddr + ": Successfully tested connection")
+}
+func RefreshToken(w http.ResponseWriter, r *http.Request) {
+	var req struct {
+		RefreshToken string `json:"refresh_token"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		log.Println("POST [api/refresh] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "Invalid request", http.StatusBadRequest)
+		return
+	}
+
+	hashed := utils.HashToken(req.RefreshToken)
+
+	tokenRow, err := storage.GetRefreshToken(hashed)
+	if err != nil || tokenRow.Revoked || tokenRow.ExpiresAt < time.Now().Unix() {
+		log.Println("POST [api/refresh] " + r.RemoteAddr + ": Invalid refresh token")
+		http.Error(w, "Invalid refresh token", http.StatusUnauthorized)
+		return
+	}
+
+	if err := storage.RevokeRefreshToken(tokenRow.ID); err != nil {
+		log.Println(err)
+	}
+
+	newToken, _ := utils.GenerateRefreshToken()
+	newHash := utils.HashToken(newToken)
+	newExpires := time.Now().Add(7 * 24 * time.Hour).Unix() //7 days
+	newID := utils.GenerateUUID()
+	deviceInfo := r.Header.Get("User-Agent")
+	if err = storage.AddRefreshToken(&models.RefreshToken{
+		ID:         newID,
+		UserID:     tokenRow.UserID,
+		Token:      newHash,
+		ExpiresAt:  newExpires,
+		CreatedAt:  time.Now().Unix(),
+		Revoked:    false,
+		DeviceInfo: deviceInfo,
+	}); err != nil {
+		log.Println("POST [api/refresh] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "Could not generate new refresh token", http.StatusInternalServerError)
+		return
+	}
+
+	user, err := storage.GetUserById(tokenRow.UserID)
+	if err != nil {
+		log.Println("POST [api/refresh] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+	accessToken, _ := auth.GenerateJWT(tokenRow.UserID, user.Role, []byte(os.Getenv("SHAP_JWT_SECRET")))
+
+	if err = json.NewEncoder(w).Encode(map[string]string{
+		"access_token":  accessToken,
+		"refresh_token": newToken,
+	}); err != nil {
+		log.Println("POST [api/refresh] " + r.RemoteAddr + ": " + err.Error())
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
+		return
+	}
+	log.Println("POST [api/refresh] " + r.RemoteAddr + ": Successfully refreshed token")
+}
+func UserInfo(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		log.Println("GET [api/userinfo] " + r.RemoteAddr + ": Method " + r.Method + " not allowed")
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+	query := r.URL.Query()
+	idParam := query.Get("id")
+	user, err := storage.GetUserById(idParam)
+	if err != nil {
+		log.Println("GET [api/userinfo] " + r.RemoteAddr + ": User " + idParam + " not found")
+		http.Error(w, "User not found", http.StatusNotFound)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	err = json.NewEncoder(w).Encode(map[string]interface{}{
+		"id":         user.ID,
+		"name":       user.Username,
+		"avatar_url": "",
+	})
+	if err != nil {
+		log.Println("GET [api/userinfo] " + r.RemoteAddr + ": " + err.Error())
+		return
+	}
+	log.Println("GET [api/userinfo] " + r.RemoteAddr + ": Successfully retrieved user info")
 }

handlers/balance.go

@@ -0,0 +1,32 @@
+package handlers
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"shap-planner-backend/storage"
+)
+
+func GetBalance(w http.ResponseWriter, r *http.Request) {
+	query := r.URL.Query()
+	userParam := query.Get("user")
+
+	if userParam == "all" {
+		// TODO: add later
+	} else {
+		balance, err := storage.ComputeBalance(userParam)
+		if err != nil {
+			log.Println("GET [api/balance] " + r.RemoteAddr + ": " + err.Error())
+			http.Error(w, "Invalid request query", http.StatusBadRequest)
+			return
+		}
+		err = json.NewEncoder(w).Encode(map[string]interface{}{
+			"balance": balance,
+		})
+		if err != nil {
+			log.Println("GET [api/balance] " + r.RemoteAddr + ": " + err.Error())
+			return
+		}
+		log.Println("GET [api/balance] " + r.RemoteAddr + ": Successfully retrieved balance")
+	}
+}

handlers/expenses.go

@@ -0,0 +1,160 @@
+package handlers
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"shap-planner-backend/models"
+	"shap-planner-backend/storage"
+	"shap-planner-backend/utils"
+	"strings"
+	"time"
+)
+
+func Expenses(w http.ResponseWriter, r *http.Request) {
+	claims, _ := utils.IsLoggedIn(w, r)
+
+	switch r.Method {
+	case http.MethodGet: // -> Get Expenses
+		expenses, err := storage.GetAllExpenses()
+		if err != nil {
+			log.Println("GET [api/expense] " + r.RemoteAddr + ": " + err.Error())
+			http.Error(w, "Something went wrong", http.StatusInternalServerError)
+			return
+		}
+		err = json.NewEncoder(w).Encode(map[string]interface{}{
+			"expenses": expenses,
+		})
+		if err != nil {
+			log.Println("GET [api/expense] " + r.RemoteAddr + ": " + err.Error())
+			return
+		}
+		log.Println("GET [api/expense] " + r.RemoteAddr + ": Successfully retrieved expenses")
+		break
+	case http.MethodPost: // -> Create Expense
+		var body struct {
+			Expense models.Expense        `json:"expense"`
+			Shares  []models.ExpenseShare `json:"shares"`
+		}
+		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+			log.Println("POST [api/expense] " + r.RemoteAddr + ": " + err.Error())
+			http.Error(w, "Invalid request body", http.StatusBadRequest)
+			return
+		}
+		if claims.UserID != body.Expense.PayerID { // You cannot create an expense in the name of another user
+			log.Println("POST [api/expense] " + r.RemoteAddr + ": claims.UserID and expense.PayerID does not match")
+			http.Error(w, "Invalid request", http.StatusBadRequest)
+			return
+		}
+		// Set ExpenseID
+		if body.Expense.ID != "" {
+			log.Println("POST [api/expense] " + r.RemoteAddr + ": Expense ID must be empty")
+			http.Error(w, "Invalid request", http.StatusBadRequest)
+			return
+		}
+		body.Expense.ID = utils.GenerateUUID()
+		if body.Expense.CreatedAt == 0 {
+			body.Expense.CreatedAt = time.Now().Unix()
+		}
+		if body.Expense.Amount <= 0 {
+			log.Println("POST [api/expense] " + r.RemoteAddr + ": Amount must be greater than zero")
+			http.Error(w, "Invalid request", http.StatusBadRequest)
+			return
+		}
+		// Set ShareIDs and save them
+		for _, share := range body.Shares {
+			if share.ID != "" {
+				log.Println("POST [api/expense] " + r.RemoteAddr + ": Share ID must be empty")
+				http.Error(w, "Invalid request", http.StatusBadRequest)
+				return
+			}
+			if share.ExpenseID != "" {
+				log.Println("POST [api/expense] " + r.RemoteAddr + ": Expense ID of Share must be empty")
+				http.Error(w, "Invalid request", http.StatusBadRequest)
+				return
+			}
+			share.ExpenseID = body.Expense.ID
+			share.ID = utils.GenerateUUID()
+			err := storage.AddShare(&share)
+			if err != nil {
+				log.Println("POST [api/expense] " + r.RemoteAddr + ": " + err.Error())
+				http.Error(w, "Error adding expense", http.StatusBadRequest) // Should never happen
+				return
+			}
+		}
+		err := storage.AddExpense(&body.Expense)
+		if err != nil {
+			log.Println("POST [api/expense] " + r.RemoteAddr + ": " + err.Error())
+			http.Error(w, "Error adding expense", http.StatusBadRequest)
+			return
+		}
+		err = json.NewEncoder(w).Encode(map[string]interface{}{
+			"expense": body.Expense,
+			"shares":  body.Shares,
+		})
+		if err != nil {
+			log.Println("POST [api/expense] " + r.RemoteAddr + ": " + err.Error())
+			return
+		}
+		log.Println("POST [api/expense] " + r.RemoteAddr + ": Successfully added expense and its shares")
+		break
+	case http.MethodPut: // -> Update Expense
+		break
+	case http.MethodDelete: // -> Delete Expense
+	default:
+		http.Error(w, "Invalid request method", http.StatusMethodNotAllowed)
+	}
+}
+func ExpenseShares(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case http.MethodGet:
+		query := r.URL.Query()
+		idParam := query.Get("id")
+		idTypeParam := strings.ToLower(query.Get("idType"))
+		if idTypeParam == models.IDTypeEXPENSE {
+			println(idParam)
+			shares, err := storage.GetSharesByExpenseId(idParam)
+			if err != nil {
+				log.Println("GET [api/shares] " + r.RemoteAddr + ": " + err.Error())
+				http.Error(w, "Something went wrong", http.StatusInternalServerError)
+				return
+			}
+			w.Header().Set("Content-Type", "application/json")
+			err = json.NewEncoder(w).Encode(map[string]interface{}{
+				"shares": shares,
+			})
+			if err != nil {
+				log.Println("GET [api/shares] " + r.RemoteAddr + ": " + err.Error())
+				return
+			}
+			log.Println("GET [api/shares] " + r.RemoteAddr + ": Successfully retrieved shares")
+		} else if idTypeParam == models.IDTypeSHARE || idTypeParam == "" {
+			share, err := storage.GetShareById(idParam)
+			if err != nil {
+				log.Println("GET [api/shares] " + r.RemoteAddr + ": " + err.Error())
+				http.Error(w, "Something went wrong", http.StatusInternalServerError)
+				return
+			}
+			w.Header().Set("Content-Type", "application/json")
+			err = json.NewEncoder(w).Encode(map[string]interface{}{
+				"id":          share.ID,
+				"expense_id":  share.ExpenseID,
+				"user_id":     share.UserID,
+				"share_cents": share.ShareCents,
+			})
+			if err != nil {
+				log.Println("GET [api/shares] " + r.RemoteAddr + ": " + err.Error())
+				return
+			}
+			log.Println("GET [api/shares] " + r.RemoteAddr + ": Successfully retrieved shares")
+		}
+		break
+	case http.MethodPut:
+		break
+	case http.MethodDelete:
+		break
+	default:
+		http.Error(w, "Invalid request method", http.StatusMethodNotAllowed)
+	}
+}
+func AdminPanel(w http.ResponseWriter, r *http.Request) {}

main.go

@@ -2,20 +2,18 @@ package main
 
 import (
 	"log"
-	"net/http"
+	"shap-planner-backend/server"
-	"shap-planner-backend/handlers"
 	"shap-planner-backend/storage"
 )
 
 func main() {
-	err := storage.InitDB("database.db")
+	var _server = server.InitServer()
+
+	err := storage.InitDB(_server.DatabasePath)
 	if err != nil {
 		log.Fatal(err)
+		return
 	}
 
-	http.HandleFunc("/register", handlers.Register)
+	_server.Run()
-	http.HandleFunc("/login", handlers.Login)
-
-	log.Println("Server läuft auf :8080")
-	log.Fatal(http.ListenAndServe(":8080", nil))
 }

models/constants.go

@@ -0,0 +1,14 @@
+package models
+
+// Roles
+const (
+	RoleUser  = "user"
+	RoleAdmin = "admin"
+)
+
+// ID-Types
+const (
+	IDTypeSHARE   = "share"
+	IDTypeEXPENSE = "expense"
+	IDTypeUSER    = "user"
+)

models/dbmodels.go

@@ -0,0 +1,26 @@
+package models
+
+type User struct {
+	ID       string `json:"id"`
+	Username string `json:"username"`
+	Password string `json:"password"`
+	Role     string `json:"role"`
+}
+
+type Expense struct {
+	ID            string   `json:"id"`
+	PayerID       string   `json:"payer_id"`
+	Amount        int64    `json:"amount"`
+	Title         string   `json:"title"`
+	Description   string   `json:"description"`
+	Attachments   []string `json:"attachments"`
+	CreatedAt     int64    `json:"created_at"`
+	LastUpdatedAt int64    `json:"last_updated_at"`
+}
+
+type ExpenseShare struct {
+	ID         string `json:"id"`
+	ExpenseID  string `json:"expense_id"`
+	UserID     string `json:"user_id"`
+	ShareCents int64  `json:"share_cents"`
+}

models/loginmodels.go

@@ -0,0 +1,11 @@
+package models
+
+type RefreshToken struct {
+	ID         string `json:"id"`
+	UserID     string `json:"user_id"`
+	Token      string `json:"token"`
+	ExpiresAt  int64  `json:"expires_at"`
+	CreatedAt  int64  `json:"created_at"`
+	Revoked    bool   `json:"revoked"`
+	DeviceInfo string `json:"device_info"`
+}

models/models.go

@@ -1,16 +0,0 @@
-package models
-
-type User struct {
-	ID       string `json:"id"`
-	Username string `json:"username"`
-	Password string `json:"password"`
-}
-
-type Expense struct {
-	ID          string `json:"id"`
-	Amount      int    `json:"amt"`
-	Description string `json:"desc"`
-
-	Payer   User   `json:"payer"`
-	Debtors []User `json:"debtors"`
-}

server/server.go

@@ -0,0 +1,75 @@
+package server
+
+import (
+	"log"
+	"net/http"
+	"os"
+	"shap-planner-backend/auth"
+	"shap-planner-backend/config"
+	"shap-planner-backend/handlers"
+)
+
+type Server struct {
+	Port            string
+	JWTSecret       []byte
+	DatabasePath    string
+	CertificatePath string
+	PrivateKeyPath  string
+}
+
+func InitServer() *Server {
+
+	err := config.CheckIfExists()
+	if err != nil {
+		log.Fatal(err)
+		return nil
+	}
+
+	cfg, err := config.LoadConfig()
+	if err != nil {
+		log.Fatal(err)
+		return nil
+	}
+
+	jwtSecret := os.Getenv("SHAP_JWT_SECRET")
+	if jwtSecret == "" {
+		log.Fatal("SHAP_JWT_SECRET environment variable not set.")
+		return nil
+	}
+	if len(jwtSecret) < 32 {
+		log.Fatal("SHAP_JWT_SECRET must be at least 32 characters long.")
+		return nil
+	}
+
+	return &Server{
+		Port:            cfg.Port,
+		JWTSecret:       []byte(jwtSecret),
+		DatabasePath:    cfg.DatabasePath,
+		CertificatePath: cfg.CertificatePath,
+		PrivateKeyPath:  cfg.PrivateKeyPath,
+	}
+}
+
+func (server *Server) Run() {
+	log.Println("Starting server...")
+	mux := http.NewServeMux()
+
+	// Public
+	mux.HandleFunc("/api/login", handlers.Login)
+	mux.HandleFunc("/api/register", handlers.Register)
+	mux.HandleFunc("/api/refresh", handlers.RefreshToken)
+	mux.HandleFunc("/api/logout", handlers.Logout)
+
+	// Login required
+	mux.Handle("/api/expenses", auth.AuthMiddleware(server.JWTSecret)(http.HandlerFunc(handlers.Expenses)))
+	mux.Handle("/api/shares", auth.AuthMiddleware(server.JWTSecret)(http.HandlerFunc(handlers.ExpenseShares)))
+	mux.Handle("/api/balance", auth.AuthMiddleware(server.JWTSecret)(http.HandlerFunc(handlers.GetBalance)))
+	mux.Handle("/api/ping", auth.AuthMiddleware(server.JWTSecret)(http.HandlerFunc(handlers.TestHandler)))
+	mux.Handle("/api/userinfo", auth.AuthMiddleware(server.JWTSecret)(http.HandlerFunc(handlers.UserInfo)))
+
+	// Admin-only
+	mux.Handle("/api/admin", auth.AuthMiddleware(server.JWTSecret)(auth.RequireRole("admin")(http.HandlerFunc(handlers.AdminPanel))))
+
+	log.Printf("Listening on port %s", server.Port)
+	log.Fatal(http.ListenAndServeTLS(":"+server.Port, server.CertificatePath, server.PrivateKeyPath, mux))
+}

storage/storage.go

@@ -2,10 +2,15 @@ package storage
 
 import (
 	"database/sql"
-	_ "github.com/glebarez/go-sqlite"
+	"encoding/json"
+	"errors"
 	"shap-planner-backend/models"
+	"strings"
+
+	_ "github.com/glebarez/go-sqlite"
 )
 
+var ErrNotFound = sql.ErrNoRows
 var DB *sql.DB
 
 func InitDB(filepath string) error {
@@ -18,36 +23,283 @@ func InitDB(filepath string) error {
 	//Create Users-Table
 	_, err = DB.Exec(`CREATE TABLE IF NOT EXISTS users(
     	id TEXT PRIMARY KEY,
-    	username TEXT UNIQUE,
+    	username TEXT UNIQUE NOT NULL,
-    	password TEXT
+    	password TEXT NOT NULL,
+    	role TEXT NOT NULL
 	);`)
 	if err != nil {
 		return err
 	}
 
+	//Create refresh token-table
+	_, err = DB.Exec(`CREATE TABLE IF NOT EXISTS refresh_tokens(
+    	id TEXT PRIMARY KEY,
+    	user_id TEXT NOT NULL,
+        token_hash TEXT NOT NULL,
+        expires_at INTEGER NOT NULL,
+        created_at INTEGER NOT NULL,
+        revoked INTEGER NOT NULL DEFAULT 0,
+        device_info TEXT,
+        FOREIGN KEY(user_id) REFERENCES users(id)
+	)`)
+	if err != nil {
+		return err
+	}
+	_, err = DB.Exec(`CREATE INDEX IF NOT EXISTS idx_refresh_token_hash ON refresh_tokens(token_hash)`)
+	if err != nil {
+		return err
+	}
+
 	//Create Expenses-Table
 	_, err = DB.Exec(`CREATE TABLE IF NOT EXISTS expenses(
-    	id TEXT PRIMARY KEY
+    	id TEXT PRIMARY KEY,
-        
+        payer_id TEXT NOT NULL,
+        amount_cents INTEGER NOT NULL,
+        title TEXT NOT NULL,
+        description TEXT,
+        attachments TEXT,
+        created_at INTEGER NOT NULL,
+        last_updated_at INTEGER NOT NULL,
+        FOREIGN KEY(payer_id) REFERENCES users(id)
 	)`)
+	if err != nil {
+		return err
+	}
+	_, err = DB.Exec(`CREATE TABLE IF NOT EXISTS expense_shares(
+    	id TEXT PRIMARY KEY,
+		expense_id TEXT NOT NULL,
+		user_id TEXT NOT NULL,
+		share_cents INTEGER NOT NULL,
+		FOREIGN KEY(user_id) REFERENCES users(id)
+	)`)
+	if err != nil {
+		return err
+	}
+	_, err = DB.Exec(`CREATE INDEX IF NOT EXISTS idx_shares_expense ON expense_shares(expense_id)`)
+	if err != nil {
+		return err
+	}
+	_, err = DB.Exec(`CREATE INDEX IF NOT EXISTS idx_shares_user ON expense_shares(user_id)`)
 	return err
 }
 
-func AddUser(user models.User) error {
+// Expenses
-	_, err := DB.Exec("INSERT INTO users(id, username, password) VALUES (?, ?, ?)", user.ID, user.Username, user.Password)
+func AddExpense(expense *models.Expense) error {
+	var attachmentsData interface{}
+	if len(expense.Attachments) > 0 {
+		jsonBytes, err := json.Marshal(expense.Attachments)
+		if err != nil {
 			return err
 		}
+		attachmentsData = string(jsonBytes)
+	} else {
+		attachmentsData = nil
+	}
+	_, err := DB.Exec(`INSERT INTO expenses(id, payer_id, amount_cents, title, description, attachments, created_at, last_updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+		expense.ID,
+		expense.PayerID,
+		expense.Amount,
+		expense.Title,
+		expense.Description,
+		attachmentsData,
+		expense.CreatedAt,
+		expense.LastUpdatedAt)
+	return err
+}
+func UpdateExpense(expense *models.Expense) error {
+	return nil
+}
+func DeleteExpense(expense *models.Expense) error {
+	return nil
+}
 
+//	func GetExpenseById(id string) (models.Expense, error) {
+//		return nil, nil
+//	}
+func GetExpensesByUserId(userId string) ([]models.Expense, error) {
+	return nil, nil
+}
+func GetAllExpenses() ([]models.Expense, error) {
+	query := "SELECT * FROM expenses"
+	rows, err := DB.Query(query)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var expenses []models.Expense
+
+	for rows.Next() {
+		var expense models.Expense
+		var attachmentsJSON []byte
+
+		err := rows.Scan(&expense.ID, &expense.PayerID, &expense.Amount, &expense.Title, &expense.Description, &attachmentsJSON, &expense.CreatedAt, &expense.LastUpdatedAt)
+		if err != nil {
+			return nil, err
+		}
+		if len(attachmentsJSON) > 0 {
+			err := json.Unmarshal(attachmentsJSON, &expense.Attachments)
+			if err != nil {
+				return nil, err
+			}
+		}
+		expenses = append(expenses, expense)
+	}
+	if err = rows.Err(); err != nil {
+		return nil, err
+	}
+	return expenses, nil
+}
+
+// Expense Shares
+func AddShare(share *models.ExpenseShare) error {
+	_, err := DB.Exec("INSERT INTO expense_shares(id, expense_id, user_id, share_cents) VALUES (?, ?, ?, ?)",
+		share.ID,
+		share.ExpenseID,
+		share.UserID,
+		share.ShareCents)
+	return err
+}
+func GetShareById(id string) (models.ExpenseShare, error) {
+	row := DB.QueryRow("SELECT * FROM expense_shares WHERE id = ?", id)
+	var share models.ExpenseShare
+	err := row.Scan(&share.ID, &share.ExpenseID, &share.UserID, &share.ShareCents)
+	return share, err
+}
+func GetSharesByExpenseId(id string) ([]models.ExpenseShare, error) {
+	query := "SELECT * FROM expense_shares WHERE expense_id = ?"
+	rows, err := DB.Query(query, id)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var shares []models.ExpenseShare
+
+	for rows.Next() {
+		var share models.ExpenseShare
+
+		err := rows.Scan(&share.ID, &share.ExpenseID, &share.UserID, &share.ShareCents)
+		if err != nil {
+			return nil, err
+		}
+		shares = append(shares, share)
+	}
+	if err = rows.Err(); err != nil {
+		return nil, err
+	}
+	return shares, nil
+}
+
+// Balances
+func ComputeBalance(userId string) (float64, error) {
+	var balance float64
+	query := `
+		SELECT 
+			COALESCE(p.paid, 0) - COALESCE(s.shared, 0) AS balance
+		FROM (SELECT ? AS id) u
+		LEFT JOIN (
+			SELECT payer_id, SUM(amount_cents) AS paid 
+			FROM expenses 
+			WHERE payer_id = ?
+			GROUP BY payer_id
+		) p ON u.id = p.payer_id
+		LEFT JOIN (
+			SELECT user_id, SUM(share_cents) AS shared 
+			FROM expense_shares 
+			WHERE user_id = ?
+			GROUP BY user_id
+		) s ON u.id = s.user_id`
+	err := DB.QueryRow(query, userId, userId, userId).Scan(&balance)
+	if err != nil {
+		return 0, err
+	}
+	return balance, nil
+}
+func ComputeWGBalance() (float64, error) {
+	var balance float64
+	query := `SELECT u.id AS user_id,
+       COALESCE(p.paid_cents,0) - COALESCE(s.share_cents,0) AS balance_cents
+FROM users u
+LEFT JOIN (
+    SELECT payer_id, SUM(amount_cents) AS paid_cents
+    FROM expenses
+    GROUP BY payer_id
+) p ON u.id = p.payer_id
+LEFT JOIN (
+    SELECT es.user_id, SUM(es.share_cents) AS share_cents
+    FROM expense_shares es
+    JOIN expenses e ON es.expense_id = e.id
+    GROUP BY es.user_id
+) s ON u.id = s.user_id)`
+	err := DB.QueryRow(query).Scan(&balance)
+	if err != nil {
+		return 0, err
+	}
+	return balance, nil
+}
+
+// Users
+func AddUser(user *models.User) error {
+	_, err := DB.Exec("INSERT INTO users(id, username, password, role) VALUES (?, ?, ?, ?)", user.ID, strings.ToLower(user.Username), user.Password, user.Role)
+	return err
+}
 func GetUserByUsername(username string) (models.User, error) {
-	row := DB.QueryRow("SELECT * FROM users WHERE username = ?", username)
+	row := DB.QueryRow("SELECT * FROM users WHERE username = ?", strings.ToLower(username))
 	var user models.User
-	err := row.Scan(&user.ID, &user.Username, &user.Password)
+	err := row.Scan(&user.ID, &user.Username, &user.Password, &user.Role)
 	return user, err
 }
-
 func GetUserById(id string) (models.User, error) {
 	row := DB.QueryRow("SELECT * FROM users WHERE id = ?", id)
 	var user models.User
-	err := row.Scan(&user.ID, &user.Username, &user.Password)
+	err := row.Scan(&user.ID, &user.Username, &user.Password, &user.Role)
 	return user, err
 }
+
+// Refresh Tokens
+func AddRefreshToken(token *models.RefreshToken) error {
+	_, err := DB.Exec("INSERT INTO refresh_tokens(id, user_id, token_hash, expires_at, created_at, revoked, device_info) VALUES (?, ?, ?, ?, ?, ?, ?)",
+		token.ID, token.UserID, token.Token, token.ExpiresAt, token.CreatedAt, token.Revoked, token.DeviceInfo)
+	return err
+}
+func GetRefreshToken(token string) (models.RefreshToken, error) {
+	row := DB.QueryRow("SELECT * FROM refresh_tokens WHERE token_hash = ?", token)
+	var refresh_token models.RefreshToken
+	err := row.Scan(&refresh_token.ID, &refresh_token.UserID, &refresh_token.Token, &refresh_token.ExpiresAt, &refresh_token.CreatedAt, &refresh_token.Revoked, &refresh_token.DeviceInfo)
+	return refresh_token, err
+}
+func RevokeRefreshToken(tokenID string) error {
+	if DB == nil {
+		return errors.New("db not initialized")
+	}
+
+	res, err := DB.Exec(`
+		UPDATE refresh_tokens
+		SET revoked = 1
+		WHERE id = ?
+	`, tokenID)
+	if err != nil {
+		return err
+	}
+	n, err := res.RowsAffected()
+	if err != nil {
+		return err
+	}
+	if n == 0 {
+		return ErrNotFound
+	}
+	return nil
+}
+func RevokeAllRefreshTokensForUser(userID string) error {
+	if DB == nil {
+		return errors.New("db not initialized")
+	}
+
+	_, err := DB.Exec(`
+		UPDATE refresh_tokens
+		SET revoked = 1
+		WHERE user_id = ?
+	`, userID)
+	return err
+}

utils/util.go

@@ -1,20 +1,49 @@
 package utils
 
 import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/hex"
+	"net/http"
+	"shap-planner-backend/auth"
+
 	"github.com/google/uuid"
-	"golang.org/x/crypto/bcrypt"
 )
 
-func HashPassword(password string) (string, error) {
-	bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
-	return string(bytes), err
-}
-
-func CheckPasswordHash(password, hash string) bool {
-	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
-	return err == nil
-}
-
 func GenerateUUID() string {
 	return uuid.New().String()
 }
+func GenerateSecret() string {
+	b := make([]byte, 64)
+	_, err := rand.Read(b)
+	if err != nil {
+		return err.Error()
+	}
+	return base64.StdEncoding.EncodeToString(b)
+}
+func GenerateRefreshToken() (string, error) {
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}
+func HashToken(token string) string {
+	hash := sha256.Sum256([]byte(token))
+	return hex.EncodeToString(hash[:])
+}
+func IsLoggedIn(w http.ResponseWriter, r *http.Request) (*auth.Claims, bool) {
+	claimsRaw := r.Context().Value(auth.UserContextKey)
+	if claimsRaw == nil {
+		http.Error(w, "No claims in context", http.StatusUnauthorized)
+		return nil, false
+	}
+
+	claims, ok := claimsRaw.(*auth.Claims)
+	if !ok {
+		http.Error(w, "Invalid claims", http.StatusUnauthorized)
+		return nil, false
+	}
+	return claims, true
+}