refactor: use dependency injection in backend

2025-12-14 15:22:18 +00:00 · 2024-08-17 21:57:14 +02:00
parent 0595d73ea5
commit 601f6c488a
44 changed files with 2220 additions and 1751 deletions
--- a/backend/internal/controller/app_config_controller.go
+++ b/backend/internal/controller/app_config_controller.go
@@ -0,0 +1,140 @@
+package controller
+
+import (
+	"errors"
+	"fmt"
+	"github.com/gin-gonic/gin"
+	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/middleware"
+	"github.com/stonith404/pocket-id/backend/internal/model"
+	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"net/http"
+)
+
+func NewApplicationConfigurationController(
+	group *gin.RouterGroup,
+	jwtAuthMiddleware *middleware.JwtAuthMiddleware,
+	appConfigService *service.AppConfigService) {
+
+	acc := &ApplicationConfigurationController{
+		appConfigService: appConfigService,
+	}
+	group.GET("/application-configuration", acc.listApplicationConfigurationHandler)
+	group.GET("/application-configuration/all", jwtAuthMiddleware.Add(true), acc.listAllApplicationConfigurationHandler)
+	group.PUT("/application-configuration", acc.updateApplicationConfigurationHandler)
+
+	group.GET("/application-configuration/logo", acc.getLogoHandler)
+	group.GET("/application-configuration/background-image", acc.getBackgroundImageHandler)
+	group.GET("/application-configuration/favicon", acc.getFaviconHandler)
+	group.PUT("/application-configuration/logo", jwtAuthMiddleware.Add(true), acc.updateLogoHandler)
+	group.PUT("/application-configuration/favicon", jwtAuthMiddleware.Add(true), acc.updateFaviconHandler)
+	group.PUT("/application-configuration/background-image", jwtAuthMiddleware.Add(true), acc.updateBackgroundImageHandler)
+}
+
+type ApplicationConfigurationController struct {
+	appConfigService *service.AppConfigService
+}
+
+func (acc *ApplicationConfigurationController) listApplicationConfigurationHandler(c *gin.Context) {
+	configuration, err := acc.appConfigService.ListApplicationConfiguration(false)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(200, configuration)
+}
+
+func (acc *ApplicationConfigurationController) listAllApplicationConfigurationHandler(c *gin.Context) {
+	configuration, err := acc.appConfigService.ListApplicationConfiguration(true)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(200, configuration)
+}
+
+func (acc *ApplicationConfigurationController) updateApplicationConfigurationHandler(c *gin.Context) {
+	var input model.AppConfigUpdateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	savedConfigVariables, err := acc.appConfigService.UpdateApplicationConfiguration(input)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, savedConfigVariables)
+}
+
+func (acc *ApplicationConfigurationController) getLogoHandler(c *gin.Context) {
+	imageType := acc.appConfigService.DbConfig.LogoImageType.Value
+	acc.getImage(c, "logo", imageType)
+}
+
+func (acc *ApplicationConfigurationController) getFaviconHandler(c *gin.Context) {
+	acc.getImage(c, "favicon", "ico")
+}
+
+func (acc *ApplicationConfigurationController) getBackgroundImageHandler(c *gin.Context) {
+	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
+	acc.getImage(c, "background", imageType)
+}
+
+func (acc *ApplicationConfigurationController) updateLogoHandler(c *gin.Context) {
+	imageType := acc.appConfigService.DbConfig.LogoImageType.Value
+	acc.updateImage(c, "logo", imageType)
+}
+
+func (acc *ApplicationConfigurationController) updateFaviconHandler(c *gin.Context) {
+	file, err := c.FormFile("file")
+	if err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	fileType := utils.GetFileExtension(file.Filename)
+	if fileType != "ico" {
+		utils.HandlerError(c, http.StatusBadRequest, "File must be of type .ico")
+		return
+	}
+	acc.updateImage(c, "favicon", "ico")
+}
+
+func (acc *ApplicationConfigurationController) updateBackgroundImageHandler(c *gin.Context) {
+	imageType := acc.appConfigService.DbConfig.BackgroundImageType.Value
+	acc.updateImage(c, "background", imageType)
+}
+
+func (acc *ApplicationConfigurationController) getImage(c *gin.Context, name string, imageType string) {
+	imagePath := fmt.Sprintf("%s/application-images/%s.%s", common.EnvConfig.UploadPath, name, imageType)
+	mimeType := utils.GetImageMimeType(imageType)
+
+	c.Header("Content-Type", mimeType)
+	c.File(imagePath)
+}
+
+func (acc *ApplicationConfigurationController) updateImage(c *gin.Context, imageName string, oldImageType string) {
+	file, err := c.FormFile("file")
+	if err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	err = acc.appConfigService.UpdateImage(file, imageName, oldImageType)
+	if err != nil {
+		if errors.Is(err, common.ErrFileTypeNotSupported) {
+			utils.HandlerError(c, http.StatusBadRequest, err.Error())
+		} else {
+			utils.UnknownHandlerError(c, err)
+		}
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
--- a/backend/internal/controller/oidc_controller.go
+++ b/backend/internal/controller/oidc_controller.go
@@ -0,0 +1,218 @@
+package controller
+
+import (
+	"errors"
+	"github.com/gin-gonic/gin"
+	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/middleware"
+	"github.com/stonith404/pocket-id/backend/internal/model"
+	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"net/http"
+	"strconv"
+)
+
+func NewOidcController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, fileSizeLimitMiddleware *middleware.FileSizeLimitMiddleware, oidcService *service.OidcService) {
+	oc := &OidcController{OidcService: oidcService}
+
+	group.POST("/oidc/authorize", jwtAuthMiddleware.Add(false), oc.authorizeHandler)
+	group.POST("/oidc/authorize/new-client", jwtAuthMiddleware.Add(false), oc.authorizeNewClientHandler)
+	group.POST("/oidc/token", oc.createIDTokenHandler)
+
+	group.GET("/oidc/clients", jwtAuthMiddleware.Add(true), oc.listClientsHandler)
+	group.POST("/oidc/clients", jwtAuthMiddleware.Add(true), oc.createClientHandler)
+	group.GET("/oidc/clients/:id", oc.getClientHandler)
+	group.PUT("/oidc/clients/:id", jwtAuthMiddleware.Add(true), oc.updateClientHandler)
+	group.DELETE("/oidc/clients/:id", jwtAuthMiddleware.Add(true), oc.deleteClientHandler)
+
+	group.POST("/oidc/clients/:id/secret", jwtAuthMiddleware.Add(true), oc.createClientSecretHandler)
+
+	group.GET("/oidc/clients/:id/logo", oc.getClientLogoHandler)
+	group.DELETE("/oidc/clients/:id/logo", oc.deleteClientLogoHandler)
+	group.POST("/oidc/clients/:id/logo", jwtAuthMiddleware.Add(true), fileSizeLimitMiddleware.Add(2<<20), oc.updateClientLogoHandler)
+}
+
+type OidcController struct {
+	OidcService *service.OidcService
+}
+
+func (oc *OidcController) authorizeHandler(c *gin.Context) {
+	var parsedBody model.AuthorizeRequest
+	if err := c.ShouldBindJSON(&parsedBody); err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	code, err := oc.OidcService.Authorize(parsedBody, c.GetString("userID"))
+	if err != nil {
+		if errors.Is(err, common.ErrOidcMissingAuthorization) {
+			utils.HandlerError(c, http.StatusForbidden, err.Error())
+		} else {
+			utils.UnknownHandlerError(c, err)
+		}
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"code": code})
+}
+
+func (oc *OidcController) authorizeNewClientHandler(c *gin.Context) {
+	var parsedBody model.AuthorizeNewClientDto
+	if err := c.ShouldBindJSON(&parsedBody); err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	code, err := oc.OidcService.AuthorizeNewClient(parsedBody, c.GetString("userID"))
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"code": code})
+}
+
+func (oc *OidcController) createIDTokenHandler(c *gin.Context) {
+	var body model.OidcIdTokenDto
+
+	if err := c.ShouldBind(&body); err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	idToken, err := oc.OidcService.CreateIDToken(body)
+	if err != nil {
+		if errors.Is(err, common.ErrOidcGrantTypeNotSupported) ||
+			errors.Is(err, common.ErrOidcMissingClientCredentials) ||
+			errors.Is(err, common.ErrOidcClientSecretInvalid) ||
+			errors.Is(err, common.ErrOidcInvalidAuthorizationCode) {
+			utils.HandlerError(c, http.StatusBadRequest, err.Error())
+		} else {
+			utils.UnknownHandlerError(c, err)
+		}
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"id_token": idToken})
+}
+
+func (oc *OidcController) getClientHandler(c *gin.Context) {
+	clientId := c.Param("id")
+	client, err := oc.OidcService.GetClient(clientId)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, client)
+}
+
+func (oc *OidcController) listClientsHandler(c *gin.Context) {
+	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
+	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
+	searchTerm := c.Query("search")
+
+	clients, pagination, err := oc.OidcService.ListClients(searchTerm, page, pageSize)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"data":       clients,
+		"pagination": pagination,
+	})
+}
+
+func (oc *OidcController) createClientHandler(c *gin.Context) {
+	var input model.OidcClientCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	client, err := oc.OidcService.CreateClient(input, c.GetString("userID"))
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, client)
+}
+
+func (oc *OidcController) deleteClientHandler(c *gin.Context) {
+	err := oc.OidcService.DeleteClient(c.Param("id"))
+	if err != nil {
+		utils.HandlerError(c, http.StatusNotFound, "OIDC client not found")
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (oc *OidcController) updateClientHandler(c *gin.Context) {
+	var input model.OidcClientCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	client, err := oc.OidcService.UpdateClient(c.Param("id"), input)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusNoContent, client)
+}
+
+func (oc *OidcController) createClientSecretHandler(c *gin.Context) {
+	secret, err := oc.OidcService.CreateClientSecret(c.Param("id"))
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"secret": secret})
+}
+
+func (oc *OidcController) getClientLogoHandler(c *gin.Context) {
+	imagePath, mimeType, err := oc.OidcService.GetClientLogo(c.Param("id"))
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.Header("Content-Type", mimeType)
+	c.File(imagePath)
+}
+
+func (oc *OidcController) updateClientLogoHandler(c *gin.Context) {
+	file, err := c.FormFile("file")
+	if err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	err = oc.OidcService.UpdateClientLogo(c.Param("id"), file)
+	if err != nil {
+		if errors.Is(err, common.ErrFileTypeNotSupported) {
+			utils.HandlerError(c, http.StatusBadRequest, err.Error())
+		} else {
+			utils.UnknownHandlerError(c, err)
+		}
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (oc *OidcController) deleteClientLogoHandler(c *gin.Context) {
+	err := oc.OidcService.DeleteClientLogo(c.Param("id"))
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
--- a/backend/internal/controller/test_controller.go
+++ b/backend/internal/controller/test_controller.go
@@ -0,0 +1,36 @@
+package controller
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
+)
+
+func NewTestController(group *gin.RouterGroup, testService *service.TestService) {
+	testController := &TestController{TestService: testService}
+
+	group.POST("/test/reset", testController.resetAndSeedHandler)
+}
+
+type TestController struct {
+	TestService *service.TestService
+}
+
+func (tc *TestController) resetAndSeedHandler(c *gin.Context) {
+	if err := tc.TestService.ResetDatabase(); err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	if err := tc.TestService.ResetApplicationImages(); err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	if err := tc.TestService.SeedDatabase(); err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(200, gin.H{"message": "Database reset and seeded"})
+}
--- a/backend/internal/controller/user_controller.go
+++ b/backend/internal/controller/user_controller.go
@@ -0,0 +1,182 @@
+package controller
+
+import (
+	"errors"
+	"github.com/gin-gonic/gin"
+	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/middleware"
+	"github.com/stonith404/pocket-id/backend/internal/model"
+	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"golang.org/x/time/rate"
+	"net/http"
+	"strconv"
+	"time"
+)
+
+func NewUserController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, userService *service.UserService) {
+	uc := UserController{
+		UserService: userService,
+	}
+
+	group.GET("/users", jwtAuthMiddleware.Add(true), uc.listUsersHandler)
+	group.GET("/users/me", jwtAuthMiddleware.Add(false), uc.getCurrentUserHandler)
+	group.GET("/users/:id", jwtAuthMiddleware.Add(true), uc.getUserHandler)
+	group.POST("/users", jwtAuthMiddleware.Add(true), uc.createUserHandler)
+	group.PUT("/users/:id", jwtAuthMiddleware.Add(true), uc.updateUserHandler)
+	group.PUT("/users/me", jwtAuthMiddleware.Add(false), uc.updateCurrentUserHandler)
+	group.DELETE("/users/:id", jwtAuthMiddleware.Add(true), uc.deleteUserHandler)
+
+	group.POST("/users/:id/one-time-access-token", jwtAuthMiddleware.Add(true), uc.createOneTimeAccessTokenHandler)
+	group.POST("/one-time-access-token/:token", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), uc.exchangeOneTimeAccessTokenHandler)
+	group.POST("/one-time-access-token/setup", uc.getSetupAccessTokenHandler)
+}
+
+type UserController struct {
+	UserService *service.UserService
+}
+
+func (uc *UserController) listUsersHandler(c *gin.Context) {
+	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
+	pageSize, _ := strconv.Atoi(c.DefaultQuery("limit", "10"))
+	searchTerm := c.Query("search")
+
+	users, pagination, err := uc.UserService.ListUsers(searchTerm, page, pageSize)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{
+		"data":       users,
+		"pagination": pagination,
+	})
+}
+
+func (uc *UserController) getUserHandler(c *gin.Context) {
+	user, err := uc.UserService.GetUser(c.Param("id"))
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, user)
+}
+
+func (uc *UserController) getCurrentUserHandler(c *gin.Context) {
+	user, err := uc.UserService.GetUser(c.GetString("userID"))
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+	c.JSON(http.StatusOK, user)
+}
+
+func (uc *UserController) deleteUserHandler(c *gin.Context) {
+	if err := uc.UserService.DeleteUser(c.Param("id")); err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (uc *UserController) createUserHandler(c *gin.Context) {
+	var user model.User
+	if err := c.ShouldBindJSON(&user); err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	if err := uc.UserService.CreateUser(&user); err != nil {
+		if errors.Is(err, common.ErrEmailTaken) || errors.Is(err, common.ErrUsernameTaken) {
+			utils.HandlerError(c, http.StatusConflict, err.Error())
+		} else {
+			utils.UnknownHandlerError(c, err)
+		}
+		return
+	}
+
+	c.JSON(http.StatusCreated, user)
+}
+
+func (uc *UserController) updateUserHandler(c *gin.Context) {
+	uc.updateUser(c, false)
+}
+
+func (uc *UserController) updateCurrentUserHandler(c *gin.Context) {
+	uc.updateUser(c, true)
+}
+
+func (uc *UserController) createOneTimeAccessTokenHandler(c *gin.Context) {
+	var input model.OneTimeAccessTokenCreateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	token, err := uc.UserService.CreateOneTimeAccessToken(input.UserID, input.ExpiresAt)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusCreated, gin.H{"token": token})
+}
+
+func (uc *UserController) exchangeOneTimeAccessTokenHandler(c *gin.Context) {
+	user, token, err := uc.UserService.ExchangeOneTimeAccessToken(c.Param("token"))
+	if err != nil {
+		if errors.Is(err, common.ErrTokenInvalidOrExpired) {
+			utils.HandlerError(c, http.StatusUnauthorized, err.Error())
+		} else {
+			utils.UnknownHandlerError(c, err)
+		}
+		return
+	}
+
+	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+	c.JSON(http.StatusOK, user)
+}
+
+func (uc *UserController) getSetupAccessTokenHandler(c *gin.Context) {
+	user, token, err := uc.UserService.SetupInitialAdmin()
+	if err != nil {
+		if errors.Is(err, common.ErrSetupAlreadyCompleted) {
+			utils.HandlerError(c, http.StatusBadRequest, err.Error())
+		} else {
+			utils.UnknownHandlerError(c, err)
+		}
+		return
+	}
+
+	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+	c.JSON(http.StatusOK, user)
+}
+
+func (uc *UserController) updateUser(c *gin.Context, updateOwnUser bool) {
+	var updatedUser model.User
+	if err := c.ShouldBindJSON(&updatedUser); err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	var userID string
+	if updateOwnUser {
+		userID = c.GetString("userID")
+	} else {
+		userID = c.Param("id")
+	}
+
+	user, err := uc.UserService.UpdateUser(userID, updatedUser, updateOwnUser)
+	if err != nil {
+		if errors.Is(err, common.ErrEmailTaken) || errors.Is(err, common.ErrUsernameTaken) {
+			utils.HandlerError(c, http.StatusConflict, err.Error())
+		} else {
+			utils.UnknownHandlerError(c, err)
+		}
+		return
+	}
+
+	c.JSON(http.StatusOK, user)
+}
--- a/backend/internal/controller/webauthn_controller.go
+++ b/backend/internal/controller/webauthn_controller.go
@@ -0,0 +1,160 @@
+package controller
+
+import (
+	"errors"
+	"github.com/go-webauthn/webauthn/protocol"
+	"github.com/stonith404/pocket-id/backend/internal/middleware"
+	"github.com/stonith404/pocket-id/backend/internal/model"
+	"log"
+	"net/http"
+	"time"
+
+	"github.com/gin-gonic/gin"
+	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"golang.org/x/time/rate"
+)
+
+func NewWebauthnController(group *gin.RouterGroup, jwtAuthMiddleware *middleware.JwtAuthMiddleware, rateLimitMiddleware *middleware.RateLimitMiddleware, webauthnService *service.WebAuthnService, jwtService *service.JwtService) {
+	wc := &WebauthnController{webAuthnService: webauthnService, jwtService: jwtService}
+	group.GET("/webauthn/register/start", jwtAuthMiddleware.Add(false), wc.beginRegistrationHandler)
+	group.POST("/webauthn/register/finish", jwtAuthMiddleware.Add(false), wc.verifyRegistrationHandler)
+
+	group.GET("/webauthn/login/start", wc.beginLoginHandler)
+	group.POST("/webauthn/login/finish", rateLimitMiddleware.Add(rate.Every(10*time.Second), 5), wc.verifyLoginHandler)
+
+	group.POST("/webauthn/logout", jwtAuthMiddleware.Add(false), wc.logoutHandler)
+
+	group.GET("/webauthn/credentials", jwtAuthMiddleware.Add(false), wc.listCredentialsHandler)
+	group.PATCH("/webauthn/credentials/:id", jwtAuthMiddleware.Add(false), wc.updateCredentialHandler)
+	group.DELETE("/webauthn/credentials/:id", jwtAuthMiddleware.Add(false), wc.deleteCredentialHandler)
+}
+
+type WebauthnController struct {
+	webAuthnService *service.WebAuthnService
+	jwtService      *service.JwtService
+}
+
+func (wc *WebauthnController) beginRegistrationHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	options, err := wc.webAuthnService.BeginRegistration(userID)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		log.Println(err)
+		return
+	}
+
+	c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", false, true)
+	c.JSON(http.StatusOK, options.Response)
+}
+
+func (wc *WebauthnController) verifyRegistrationHandler(c *gin.Context) {
+	sessionID, err := c.Cookie("session_id")
+	if err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, "Session ID missing")
+		return
+	}
+
+	userID := c.GetString("userID")
+	credential, err := wc.webAuthnService.VerifyRegistration(sessionID, userID, c.Request)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, credential)
+}
+
+func (wc *WebauthnController) beginLoginHandler(c *gin.Context) {
+	options, err := wc.webAuthnService.BeginLogin()
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.SetCookie("session_id", options.SessionID, int(options.Timeout.Seconds()), "/", "", false, true)
+	c.JSON(http.StatusOK, options.Response)
+}
+
+func (wc *WebauthnController) verifyLoginHandler(c *gin.Context) {
+	sessionID, err := c.Cookie("session_id")
+	if err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, "Session ID missing")
+		return
+	}
+
+	credentialAssertionData, err := protocol.ParseCredentialRequestResponseBody(c.Request.Body)
+	if err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	userID := c.GetString("userID")
+	user, err := wc.webAuthnService.VerifyLogin(sessionID, userID, credentialAssertionData)
+	if err != nil {
+		if errors.Is(err, common.ErrInvalidCredentials) {
+			utils.HandlerError(c, http.StatusUnauthorized, err.Error())
+		} else {
+			utils.UnknownHandlerError(c, err)
+		}
+		return
+	}
+
+	token, err := wc.jwtService.GenerateAccessToken(*user)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.SetCookie("access_token", token, int(time.Hour.Seconds()), "/", "", false, true)
+	c.JSON(http.StatusOK, user)
+}
+
+func (wc *WebauthnController) listCredentialsHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	credentials, err := wc.webAuthnService.ListCredentials(userID)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, credentials)
+}
+
+func (wc *WebauthnController) deleteCredentialHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	credentialID := c.Param("id")
+
+	err := wc.webAuthnService.DeleteCredential(userID, credentialID)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (wc *WebauthnController) updateCredentialHandler(c *gin.Context) {
+	userID := c.GetString("userID")
+	credentialID := c.Param("id")
+
+	var input model.WebauthnCredentialUpdateDto
+	if err := c.ShouldBindJSON(&input); err != nil {
+		utils.HandlerError(c, http.StatusBadRequest, common.ErrInvalidBody.Error())
+		return
+	}
+
+	err := wc.webAuthnService.UpdateCredential(userID, credentialID, input.Name)
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.Status(http.StatusNoContent)
+}
+
+func (wc *WebauthnController) logoutHandler(c *gin.Context) {
+	c.SetCookie("access_token", "", 0, "/", "", false, true)
+	c.Status(http.StatusNoContent)
+}
--- a/backend/internal/controller/well_known_controller.go
+++ b/backend/internal/controller/well_known_controller.go
@@ -0,0 +1,45 @@
+package controller
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/stonith404/pocket-id/backend/internal/common"
+	"github.com/stonith404/pocket-id/backend/internal/service"
+	"github.com/stonith404/pocket-id/backend/internal/utils"
+	"net/http"
+)
+
+func NewWellKnownController(group *gin.RouterGroup, jwtService *service.JwtService) {
+	wkc := &WellKnownController{jwtService: jwtService}
+	group.GET("/.well-known/jwks.json", wkc.jwksHandler)
+	group.GET("/.well-known/openid-configuration", wkc.openIDConfigurationHandler)
+}
+
+type WellKnownController struct {
+	jwtService *service.JwtService
+}
+
+func (wkc *WellKnownController) jwksHandler(c *gin.Context) {
+	jwk, err := wkc.jwtService.GetJWK()
+	if err != nil {
+		utils.UnknownHandlerError(c, err)
+		return
+	}
+
+	c.JSON(http.StatusOK, gin.H{"keys": []interface{}{jwk}})
+}
+
+func (wkc *WellKnownController) openIDConfigurationHandler(c *gin.Context) {
+	appUrl := common.EnvConfig.AppURL
+	config := map[string]interface{}{
+		"issuer":                                appUrl,
+		"authorization_endpoint":                appUrl + "/authorize",
+		"token_endpoint":                        appUrl + "/api/oidc/token",
+		"jwks_uri":                              appUrl + "/.well-known/jwks.json",
+		"scopes_supported":                      []string{"openid", "profile", "email"},
+		"claims_supported":                      []string{"sub", "given_name", "family_name", "email", "preferred_username"},
+		"response_types_supported":              []string{"code", "id_token"},
+		"subject_types_supported":               []string{"public"},
+		"id_token_signing_alg_values_supported": []string{"RS256"},
+	}
+	c.JSON(http.StatusOK, config)
+}