feat: add basic website

Signed-off-by: kjuulh <contact@kjuulh.io>
2026-03-07 19:46:13 +01:00
commit b439762877
71 changed files with 16576 additions and 0 deletions
--- a/interface/proto/forest/v1/users.proto
+++ b/interface/proto/forest/v1/users.proto
@@ -0,0 +1,317 @@
+syntax = "proto3";
+
+package forest.v1;
+
+import "google/protobuf/timestamp.proto";
+
+// UsersService handles user management, authentication, and profile operations.
+service UsersService {
+  // Authentication
+  rpc Register(RegisterRequest) returns (RegisterResponse);
+  rpc Login(LoginRequest) returns (LoginResponse);
+  rpc RefreshToken(RefreshTokenRequest) returns (RefreshTokenResponse);
+  rpc Logout(LogoutRequest) returns (LogoutResponse);
+
+  // User CRUD
+  rpc GetUser(GetUserRequest) returns (GetUserResponse);
+  rpc UpdateUser(UpdateUserRequest) returns (UpdateUserResponse);
+  rpc DeleteUser(DeleteUserRequest) returns (DeleteUserResponse);
+  rpc ListUsers(ListUsersRequest) returns (ListUsersResponse);
+
+  // Password management
+  rpc ChangePassword(ChangePasswordRequest) returns (ChangePasswordResponse);
+
+  // Email management
+  rpc AddEmail(AddEmailRequest) returns (AddEmailResponse);
+  rpc VerifyEmail(VerifyEmailRequest) returns (VerifyEmailResponse);
+  rpc RemoveEmail(RemoveEmailRequest) returns (RemoveEmailResponse);
+
+  // Social / OAuth login
+  rpc OAuthLogin(OAuthLoginRequest) returns (OAuthLoginResponse);
+  rpc LinkOAuthProvider(LinkOAuthProviderRequest) returns (LinkOAuthProviderResponse);
+  rpc UnlinkOAuthProvider(UnlinkOAuthProviderRequest) returns (UnlinkOAuthProviderResponse);
+
+  // Personal access tokens
+  rpc CreatePersonalAccessToken(CreatePersonalAccessTokenRequest) returns (CreatePersonalAccessTokenResponse);
+  rpc ListPersonalAccessTokens(ListPersonalAccessTokensRequest) returns (ListPersonalAccessTokensResponse);
+  rpc DeletePersonalAccessToken(DeletePersonalAccessTokenRequest) returns (DeletePersonalAccessTokenResponse);
+
+  // Token introspection (requires valid access token)
+  rpc TokenInfo(TokenInfoRequest) returns (TokenInfoResponse);
+
+  // MFA
+  rpc SetupMfa(SetupMfaRequest) returns (SetupMfaResponse);
+  rpc VerifyMfa(VerifyMfaRequest) returns (VerifyMfaResponse);
+  rpc DisableMfa(DisableMfaRequest) returns (DisableMfaResponse);
+}
+
+// ─── Core types ──────────────────────────────────────────────────────
+
+message User {
+  string user_id = 1; // UUID
+  string username = 2;
+  repeated UserEmail emails = 3;
+  repeated OAuthConnection oauth_connections = 4;
+  bool mfa_enabled = 5;
+  google.protobuf.Timestamp created_at = 6;
+  google.protobuf.Timestamp updated_at = 7;
+}
+
+message UserEmail {
+  string email = 1;
+  bool verified = 2;
+}
+
+enum OAuthProvider {
+  OAUTH_PROVIDER_UNSPECIFIED = 0;
+  OAUTH_PROVIDER_GITHUB = 1;
+  OAUTH_PROVIDER_GOOGLE = 2;
+  OAUTH_PROVIDER_GITLAB = 3;
+  OAUTH_PROVIDER_MICROSOFT = 4;
+}
+
+message OAuthConnection {
+  OAuthProvider provider = 1;
+  string provider_user_id = 2;
+  string provider_email = 3;
+  google.protobuf.Timestamp linked_at = 4;
+}
+
+// ─── Authentication ──────────────────────────────────────────────────
+
+message RegisterRequest {
+  string username = 1;
+  string email = 2;
+  string password = 3;
+}
+
+message RegisterResponse {
+  User user = 1;
+  AuthTokens tokens = 2;
+}
+
+message LoginRequest {
+  // Login with either username or email
+  oneof identifier {
+    string username = 1;
+    string email = 2;
+  }
+  string password = 3;
+}
+
+message LoginResponse {
+  User user = 1;
+  AuthTokens tokens = 2;
+}
+
+message RefreshTokenRequest {
+  string refresh_token = 1;
+}
+
+message RefreshTokenResponse {
+  AuthTokens tokens = 1;
+}
+
+message LogoutRequest {
+  string refresh_token = 1;
+}
+
+message LogoutResponse {}
+
+message AuthTokens {
+  string access_token = 1;
+  string refresh_token = 2;
+  int64 expires_in_seconds = 3;
+}
+
+// ─── Token introspection ─────────────────────────────────────────────
+
+message TokenInfoRequest {}
+
+message TokenInfoResponse {
+  string user_id = 1;
+  int64 expires_at = 2; // Unix timestamp (seconds)
+}
+
+// ─── User CRUD ───────────────────────────────────────────────────────
+
+message GetUserRequest {
+  oneof identifier {
+    string user_id = 1;
+    string username = 2;
+    string email = 3;
+  }
+}
+
+message GetUserResponse {
+  User user = 1;
+}
+
+message UpdateUserRequest {
+  string user_id = 1;
+  optional string username = 2;
+}
+
+message UpdateUserResponse {
+  User user = 1;
+}
+
+message DeleteUserRequest {
+  string user_id = 1;
+}
+
+message DeleteUserResponse {}
+
+message ListUsersRequest {
+  int32 page_size = 1;
+  string page_token = 2;
+  optional string search = 3; // search across username, email
+}
+
+message ListUsersResponse {
+  repeated User users = 1;
+  string next_page_token = 2;
+  int32 total_count = 3;
+}
+
+// ─── Password management ─────────────────────────────────────────────
+
+message ChangePasswordRequest {
+  string user_id = 1;
+  string current_password = 2;
+  string new_password = 3;
+}
+
+message ChangePasswordResponse {}
+
+// ─── Email management ────────────────────────────────────────────────
+
+message AddEmailRequest {
+  string user_id = 1;
+  string email = 2;
+}
+
+message AddEmailResponse {
+  UserEmail email = 1;
+}
+
+message VerifyEmailRequest {
+  string user_id = 1;
+  string email = 2;
+}
+
+message VerifyEmailResponse {}
+
+message RemoveEmailRequest {
+  string user_id = 1;
+  string email = 2;
+}
+
+message RemoveEmailResponse {}
+
+// ─── OAuth / Social login ────────────────────────────────────────────
+
+message OAuthLoginRequest {
+  OAuthProvider provider = 1;
+  string authorization_code = 2;
+  string redirect_uri = 3;
+}
+
+message OAuthLoginResponse {
+  User user = 1;
+  AuthTokens tokens = 2;
+  bool is_new_user = 3;
+}
+
+message LinkOAuthProviderRequest {
+  string user_id = 1;
+  OAuthProvider provider = 2;
+  string authorization_code = 3;
+  string redirect_uri = 4;
+}
+
+message LinkOAuthProviderResponse {
+  OAuthConnection connection = 1;
+}
+
+message UnlinkOAuthProviderRequest {
+  string user_id = 1;
+  OAuthProvider provider = 2;
+}
+
+message UnlinkOAuthProviderResponse {}
+
+// ─── Personal access tokens ──────────────────────────────────────────
+
+message PersonalAccessToken {
+  string token_id = 1; // UUID
+  string name = 2;
+  repeated string scopes = 3;
+  google.protobuf.Timestamp expires_at = 4;
+  google.protobuf.Timestamp last_used = 5;
+  google.protobuf.Timestamp created_at = 6;
+}
+
+message CreatePersonalAccessTokenRequest {
+  string user_id = 1;
+  string name = 2;
+  repeated string scopes = 3;
+  // Duration in seconds; 0 = no expiry
+  int64 expires_in_seconds = 4;
+}
+
+message CreatePersonalAccessTokenResponse {
+  PersonalAccessToken token = 1;
+  // The raw token value, only returned on creation
+  string raw_token = 2;
+}
+
+message ListPersonalAccessTokensRequest {
+  string user_id = 1;
+}
+
+message ListPersonalAccessTokensResponse {
+  repeated PersonalAccessToken tokens = 1;
+}
+
+message DeletePersonalAccessTokenRequest {
+  string token_id = 1;
+}
+
+message DeletePersonalAccessTokenResponse {}
+
+// ─── MFA ─────────────────────────────────────────────────────────────
+
+enum MfaType {
+  MFA_TYPE_UNSPECIFIED = 0;
+  MFA_TYPE_TOTP = 1;
+}
+
+message SetupMfaRequest {
+  string user_id = 1;
+  MfaType mfa_type = 2;
+}
+
+message SetupMfaResponse {
+  string mfa_id = 1; // UUID
+  // TOTP provisioning URI (otpauth://...)
+  string provisioning_uri = 2;
+  // Base32-encoded secret for manual entry
+  string secret = 3;
+}
+
+message VerifyMfaRequest {
+  string mfa_id = 1;
+  // The TOTP code to verify setup
+  string code = 2;
+}
+
+message VerifyMfaResponse {}
+
+message DisableMfaRequest {
+  string user_id = 1;
+  // Current TOTP code to confirm disable
+  string code = 2;
+}
+
+message DisableMfaResponse {}