Add application file

Dockerfile

@@ -0,0 +1,38 @@
+FROM golang:1.21-alpine AS builder
+
+WORKDIR /app
+
+RUN apk add --no-cache git
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+COPY . .
+
+RUN go build -o server ./cmd/main.go
+
+FROM alpine:3.18
+
+WORKDIR /app
+
+COPY --from=builder /app/server .
+
+ENV PORT=7860
+ENV MONGO_URI=mongodb+srv://learnifymedhub_db_user:learnifymedhub_db_user@cluster0.ubsovhe.mongodb.net/?appName=Cluster0
+ENV MONGO_DB=bff_secure
+ENV KEYCLOAK_URL=https://learnifymedhub-kc.hf.space
+ENV KEYCLOAK_REALM=master
+ENV KEYCLOAK_CLIENT_ID=prepnic-web
+ENV KEYCLOAK_CLIENT_SECRET=AgZOzRF6xejhjbSVB0QzuZt6Mpo31H95
+ENV KEYCLOAK_REDIRECT_URL=https://8080-firebase-q-1771049796673.cluster-ancjwrkgr5dvux4qug5rbzyc2y.cloudworkstations.dev/auth/callback
+ENV SESSION_SECRET=12345678901234567890123456789012
+ENV CSRF_SECRET=ANOTHER_32BYTE_RANDOM_SECRET_123
+ENV COOKIE_DOMAIN=.cloudworkstations.dev
+ENV FRONTEND_ORIGIN=https://4200-firebase-q-1771049796673.cluster-ancjwrkgr5dvux4qug5rbzyc2y.cloudworkstations.dev
+ENV SESSION_TTL_HOURS=24
+ENV KEYCLOAK_BACKCHANNEL_SECRET=AgZOzRF6xejhjbSVB0QzuZt6Mpo31H95
+
+
+EXPOSE 7860
+
+CMD ["./server"]

cmd/main.go

@@ -0,0 +1,48 @@
+// cmd/main.go
+package main
+
+import (
+	"log"
+	"net/http"
+	"os"
+
+	"server/internal/auth/handler"
+	authMiddleware "server/internal/auth/middleware"
+	"server/internal/config"
+	"server/internal/database"
+	sharedMiddleware "server/internal/shared/middleware"
+
+	"github.com/go-chi/chi/v5"
+)
+
+func main() {
+	config.Load()
+	database.Connect()
+
+	r := chi.NewRouter()
+
+	// Global middlewares
+	r.Use(sharedMiddleware.CORS())
+	r.Use(sharedMiddleware.SecurityHeaders)
+	r.Use(sharedMiddleware.RateLimiter)
+
+	// Public auth routes
+	r.Route("/auth", func(r chi.Router) {
+		r.Get("/login", handler.Login)
+		r.Get("/callback", handler.Callback)
+		r.Post("/logout", handler.Logout)
+		r.Post("/backchannel-logout", handler.BackchannelLogout)
+	})
+
+	// Protected routes
+	r.Group(func(r chi.Router) {
+		r.Use(authMiddleware.RequireAuthWithRefresh)
+		r.Use(authMiddleware.RequireCSRF)
+		r.Get("/auth/me", handler.Me)
+		r.Post("/auth/logout", handler.Logout)
+	})
+
+	port := os.Getenv("PORT")
+	log.Println("Server running on :", port)
+	log.Fatal(http.ListenAndServe(":"+port, r))
+}

go.mod

@@ -0,0 +1,26 @@
+module server
+
+go 1.24.0
+
+require (
+	github.com/MicahParks/keyfunc v1.9.0
+	github.com/go-chi/chi/v5 v5.2.5
+	github.com/go-chi/cors v1.2.2
+	github.com/golang-jwt/jwt/v4 v4.4.2
+	github.com/joho/godotenv v1.5.1
+	go.mongodb.org/mongo-driver v1.17.9
+	golang.org/x/time v0.14.0
+)
+
+require (
+	github.com/golang/snappy v0.0.4 // indirect
+	github.com/klauspost/compress v1.16.7 // indirect
+	github.com/montanaflynn/stats v0.7.1 // indirect
+	github.com/xdg-go/pbkdf2 v1.0.0 // indirect
+	github.com/xdg-go/scram v1.1.2 // indirect
+	github.com/xdg-go/stringprep v1.0.4 // indirect
+	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
+	golang.org/x/crypto v0.26.0 // indirect
+	golang.org/x/sync v0.8.0 // indirect
+	golang.org/x/text v0.17.0 // indirect
+)

go.sum

@@ -0,0 +1,62 @@
+github.com/MicahParks/keyfunc v1.9.0 h1:lhKd5xrFHLNOWrDc4Tyb/Q1AJ4LCzQ48GVJyVIID3+o=
+github.com/MicahParks/keyfunc v1.9.0/go.mod h1:IdnCilugA0O/99dW+/MkvlyrsX8+L8+x95xuVNtM5jw=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-chi/chi/v5 v5.2.5 h1:Eg4myHZBjyvJmAFjFvWgrqDTXFyOzjj7YIm3L3mu6Ug=
+github.com/go-chi/chi/v5 v5.2.5/go.mod h1:X7Gx4mteadT3eDOMTsXzmI4/rwUpOwBHLpAfupzFJP0=
+github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE=
+github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
+github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
+github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
+github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
+github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
+github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
+github.com/klauspost/compress v1.16.7 h1:2mk3MPGNzKyxErAw8YaohYh69+pa4sIQSC0fPGCFR9I=
+github.com/klauspost/compress v1.16.7/go.mod h1:ntbaceVETuRiXiv4DpjP66DpAtAGkEQskQzEyD//IeE=
+github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
+github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
+github.com/xdg-go/pbkdf2 v1.0.0 h1:Su7DPu48wXMwC3bs7MCNG+z4FhcyEuz5dlvchbq0B0c=
+github.com/xdg-go/pbkdf2 v1.0.0/go.mod h1:jrpuAogTd400dnrH08LKmI/xc1MbPOebTwRqcT5RDeI=
+github.com/xdg-go/scram v1.1.2 h1:FHX5I5B4i4hKRVRBCFRxq1iQRej7WO3hhBuJf+UUySY=
+github.com/xdg-go/scram v1.1.2/go.mod h1:RT/sEzTbU5y00aCK8UOx6R7YryM0iF1N2MOmC3kKLN4=
+github.com/xdg-go/stringprep v1.0.4 h1:XLI/Ng3O1Atzq0oBs3TWm+5ZVgkq2aqdlvP9JtoZ6c8=
+github.com/xdg-go/stringprep v1.0.4/go.mod h1:mPGuuIYwz7CmR2bT9j4GbQqutWS1zV24gijq1dTyGkM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
+github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
+github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+go.mongodb.org/mongo-driver v1.17.9 h1:IexDdCuuNJ3BHrELgBlyaH9p60JXAvdzWR128q+U5tU=
+go.mongodb.org/mongo-driver v1.17.9/go.mod h1:LlOhpH5NUEfhxcAwG0UEkMqwYcc4JU18gtCdGudk/tQ=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.26.0 h1:RrRspgV4mU+YwB4FYnuBoKsUapNIL5cohGAmSH3azsw=
+golang.org/x/crypto v0.26.0/go.mod h1:GY7jblb9wI+FOo5y8/S2oY4zWP07AkOJ4+jxCqdqn54=
+golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
+golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
+golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
+golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
+golang.org/x/text v0.17.0 h1:XtiM5bkSOt+ewxlOE/aE/AKEHibwj/6gvWMl9Rsh0Qc=
+golang.org/x/text v0.17.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
+golang.org/x/time v0.14.0 h1:MRx4UaLrDotUKUdCIqzPC48t1Y9hANFKIRpNx+Te8PI=
+golang.org/x/time v0.14.0/go.mod h1:eL/Oa2bBBK0TkX57Fyni+NgnyQQN4LitPmob2Hjnqw4=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

internal/auth/dto/me_response.go

@@ -0,0 +1,8 @@
+// internal/auth/dto/me_response.go
+package dto
+
+type MeResponse struct {
+    ID       string `json:"id"`
+    Email    string `json:"email"`
+    Username string `json:"username"`
+}

internal/auth/handler/auth_handler.go

@@ -0,0 +1,313 @@
+// internal/auth/handler/auth_handler.go
+package handler
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"time"
+	"log"
+
+	"server/internal/auth/models"
+	"server/internal/auth/repository"
+	"server/internal/auth/service"
+	"server/internal/shared/crypto"
+	"server/internal/shared/utils"
+	"go.mongodb.org/mongo-driver/mongo"
+
+)
+
+func Login(w http.ResponseWriter, r *http.Request) {
+	state, _ := utils.SecureRandom(32)
+	codeVerifier, _ := utils.SecureRandom(64)
+	codeChallenge := crypto.SHA256Base64URL(codeVerifier)
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     "oauth_state",
+		Value:    state,
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteNoneMode,
+		Path:     "/",
+		MaxAge:   300,
+	})
+	http.SetCookie(w, &http.Cookie{
+		Name:     "pkce_verifier",
+		Value:    codeVerifier,
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteNoneMode,
+		Path:     "/",
+		MaxAge:   300,
+	})
+
+	authURL := fmt.Sprintf("%s/realms/%s/protocol/openid-connect/auth?client_id=%s&response_type=code&scope=openid profile email&redirect_uri=%s&state=%s&code_challenge=%s&code_challenge_method=S256",
+		os.Getenv("KEYCLOAK_URL"),
+		os.Getenv("KEYCLOAK_REALM"),
+		os.Getenv("KEYCLOAK_CLIENT_ID"),
+		url.QueryEscape(os.Getenv("KEYCLOAK_REDIRECT_URL")),
+		state,
+		codeChallenge,
+	)
+
+	http.Redirect(w, r, authURL, http.StatusTemporaryRedirect)
+}
+
+func Callback(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
+	defer cancel()
+
+	code := r.URL.Query().Get("code")
+	state := r.URL.Query().Get("state")
+
+	stateCookie, err := r.Cookie("oauth_state")
+	if err != nil || state != stateCookie.Value {
+		http.Error(w, "Invalid state", http.StatusBadRequest)
+		return
+	}
+
+	pkceCookie, err := r.Cookie("pkce_verifier")
+	if err != nil {
+		http.Error(w, "Missing PKCE verifier", http.StatusBadRequest)
+		return
+	}
+
+	tokenResp, err := exchangeCodeForToken(code, pkceCookie.Value)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	claims, err := verifyIDToken(tokenResp.IDToken)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("Invalid ID token: %v", err), http.StatusUnauthorized)
+		return
+	}
+
+	userID := claims["sub"].(string)
+	email := claims["email"].(string)
+	username := claims["preferred_username"].(string)
+	sid, _ := claims["sid"].(string)
+
+	sessionID, _ := utils.SecureRandom(32)
+	csrfToken, _ := utils.SecureRandom(32)
+
+	encAccess, _ := crypto.Encrypt(tokenResp.AccessToken)
+	encRefresh, _ := crypto.Encrypt(tokenResp.RefreshToken)
+
+	expiresAt := time.Now().Add(time.Hour * 24)
+	accessExpires := time.Now().Add(time.Second * time.Duration(tokenResp.ExpiresIn))
+
+	session := models.Session{
+		SessionID:        sessionID,
+		UserID:           userID,
+		Email:            email,
+		Username:         username,
+		KeycloakSID:      sid,  
+		EncryptedAccess:  encAccess,
+		EncryptedRefresh: encRefresh,
+		AccessExpiresAt:  accessExpires,
+		ExpiresAt:        expiresAt,
+	}
+
+	if err := repository.Save(ctx, session); err != nil {
+		http.Error(w, fmt.Sprintf("Failed to save session: %v", err), http.StatusInternalServerError)
+		return
+	}
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     "session_id",
+		Value:    sessionID,
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteNoneMode,
+		Domain:   os.Getenv("COOKIE_DOMAIN"),
+	})
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     "XSRF-TOKEN",
+		Value:    csrfToken,
+		Path:     "/",
+		HttpOnly: false,
+		Secure:   true,
+		SameSite: http.SameSiteNoneMode,
+		Domain:   os.Getenv("COOKIE_DOMAIN"),
+	})
+
+	clearCookie(w, "oauth_state")
+	clearCookie(w, "pkce_verifier")
+
+	http.Redirect(w, r, os.Getenv("FRONTEND_ORIGIN"), http.StatusFound)
+}
+
+func Me(w http.ResponseWriter, r *http.Request) {
+	user, err := service.GetCurrentUser(r.Context())
+	if err != nil {
+		http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(user)
+}
+
+
+func Logout(w http.ResponseWriter, r *http.Request) {
+	// 1. Delete local session
+	cookie, err := r.Cookie("session_id")
+	if err == nil {
+		_ = repository.DeleteSession(r.Context(), cookie.Value)
+	}
+
+	clearCookie := func(name string, httpOnly bool) {
+		http.SetCookie(w, &http.Cookie{
+			Name:     name,
+			Value:    "",
+			Path:     "/",
+			HttpOnly: httpOnly,
+			Secure:   true, // only HTTPS
+			MaxAge:   -1,
+			SameSite: http.SameSiteNoneMode,
+			Domain:   os.Getenv("COOKIE_DOMAIN"),
+		})
+	}
+	clearCookie("session_id", true)
+	clearCookie("XSRF-TOKEN", false)
+
+	logoutURL := fmt.Sprintf("%s/realms/%s/protocol/openid-connect/logout?redirect_uri=%s",
+		os.Getenv("KEYCLOAK_URL"),
+		os.Getenv("KEYCLOAK_REALM"),
+		url.QueryEscape(os.Getenv("FRONTEND_ORIGIN")),
+	)
+	http.Redirect(w, r, logoutURL, http.StatusFound)
+}
+
+
+func clearCookie(w http.ResponseWriter, name string) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
+		Value:    "",
+		MaxAge:   -1,
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteNoneMode,
+		Domain:   os.Getenv("COOKIE_DOMAIN"),
+	})
+}
+
+type tokenResponse struct {
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
+	ExpiresIn    int    `json:"expires_in"`
+	IDToken      string `json:"id_token"`
+}
+
+func exchangeCodeForToken(code, verifier string) (*tokenResponse, error) {
+	tokenURL := fmt.Sprintf("%s/realms/%s/protocol/openid-connect/token",
+		os.Getenv("KEYCLOAK_URL"),
+		os.Getenv("KEYCLOAK_REALM"),
+	)
+
+	data := url.Values{}
+	data.Set("grant_type", "authorization_code")
+	data.Set("client_id", os.Getenv("KEYCLOAK_CLIENT_ID"))
+	data.Set("client_secret", os.Getenv("KEYCLOAK_CLIENT_SECRET"))
+	data.Set("code", code)
+	data.Set("redirect_uri", os.Getenv("KEYCLOAK_REDIRECT_URL"))
+	data.Set("code_verifier", verifier)
+
+	resp, err := http.PostForm(tokenURL, data)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	body, _ := io.ReadAll(resp.Body)
+	if resp.StatusCode != http.StatusOK {
+		return nil, errors.New("token exchange failed: " + string(body))
+	}
+
+	var tr tokenResponse
+	if err := json.Unmarshal(body, &tr); err != nil {
+		return nil, err
+	}
+	return &tr, nil
+}
+
+func verifyIDToken(idToken string) (map[string]interface{}, error) {
+	claims, err := service.VerifyIDTokenJWKS(idToken)
+	if err != nil {
+		return nil, err
+	}
+	return claims, nil
+}
+
+func BackchannelLogout(w http.ResponseWriter, r *http.Request) {
+    ctx := r.Context()
+
+    if err := r.ParseForm(); err != nil {
+        http.Error(w, "Invalid form", http.StatusBadRequest)
+        return
+    }
+
+    logoutToken := r.FormValue("logout_token")
+    if logoutToken == "" {
+        http.Error(w, "Missing logout_token", http.StatusBadRequest)
+        return
+    }
+
+    claims, err := service.VerifyIDTokenJWKS(logoutToken)
+    if err != nil {
+        log.Println("Invalid logout token:", err)
+        http.Error(w, "Invalid token", http.StatusUnauthorized)
+        return
+    }
+
+    expectedIssuer := fmt.Sprintf("%s/realms/%s",
+        os.Getenv("KEYCLOAK_URL"),
+        os.Getenv("KEYCLOAK_REALM"),
+    )
+    if claims["iss"] != expectedIssuer {
+        http.Error(w, "Invalid issuer", http.StatusUnauthorized)
+        return
+    }
+
+    if claims["aud"] != os.Getenv("KEYCLOAK_CLIENT_ID") {
+        http.Error(w, "Invalid audience", http.StatusUnauthorized)
+        return
+    }
+
+    events, ok := claims["events"].(map[string]interface{})
+    if !ok {
+        http.Error(w, "Invalid logout token structure", http.StatusUnauthorized)
+        return
+    }
+
+    if _, ok := events["http://schemas.openid.net/event/backchannel-logout"]; !ok {
+        http.Error(w, "Not a backchannel logout event", http.StatusUnauthorized)
+        return
+    }
+
+    sid, ok := claims["sid"].(string)
+    if !ok || sid == "" {
+        http.Error(w, "Missing sid", http.StatusBadRequest)
+        return
+    }
+
+    if err := repository.DeleteByKeycloakSID(ctx, sid); err != nil {
+        if !errors.Is(err, mongo.ErrNoDocuments) {
+            log.Println("DB delete error:", err)
+            http.Error(w, "Internal error", http.StatusInternalServerError)
+            return
+        }
+    }
+
+    w.WriteHeader(http.StatusOK)
+}

internal/auth/middleware/auth_middleware.go

@@ -0,0 +1,59 @@
+// internal/auth/middleware/auth_middleware.go
+package middleware
+
+import (
+	"context"
+	"net/http"
+	"time"
+
+	"server/internal/auth/service"
+	"server/internal/auth/repository"
+)
+
+func RequireAuthWithRefresh(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		cookie, err := r.Cookie("session_id")
+		if err != nil {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		ctx := r.Context()
+		session, err := service.ValidateSession(ctx, cookie.Value)
+		if err != nil {
+			http.SetCookie(w, &http.Cookie{Name: "session_id", Value: "", Path: "/", MaxAge: -1})
+			http.SetCookie(w, &http.Cookie{Name: "XSRF-TOKEN", Value: "", Path: "/", MaxAge: -1})
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
+		if time.Now().After(session.AccessExpiresAt) {
+			refreshToken, err := service.DecryptToken(session.EncryptedRefresh)
+			if err != nil {
+				http.Error(w, "Invalid session tokens", http.StatusUnauthorized)
+				return
+			}
+
+			newAccess, newRefresh, newAccessExpiry, err := service.RefreshAccessToken(refreshToken)
+			if err != nil {
+				http.Error(w, "Failed to refresh access token", http.StatusUnauthorized)
+				return
+			}
+
+			encAccess, _ := service.EncryptToken(newAccess)
+			encRefresh, _ := service.EncryptToken(newRefresh)
+
+			session.EncryptedAccess = encAccess
+			session.EncryptedRefresh = encRefresh
+			session.AccessExpiresAt = newAccessExpiry
+
+			if err := repository.UpdateSession(ctx, session); err != nil {
+				http.Error(w, "Failed to update session", http.StatusInternalServerError)
+				return
+			}
+		}
+
+		ctx = context.WithValue(ctx, "current_session", session)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}

internal/auth/middleware/csrf_middleware.go

@@ -0,0 +1,32 @@
+// internal/auth/middleware/csrf_middleware.go
+package middleware
+
+import (
+	"log"
+	"net/http"
+)
+
+func RequireCSRF(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		if r.Method == http.MethodGet || r.Method == http.MethodHead || r.Method == http.MethodOptions {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		headerToken := r.Header.Get("X-XSRF-TOKEN")
+		cookie, err := r.Cookie("XSRF-TOKEN")
+		if err != nil || cookie.Value == "" {
+			http.Error(w, "CSRF cookie missing", http.StatusForbidden)
+			return
+		}
+
+		if headerToken == "" || headerToken != cookie.Value {
+            log.Println("header token: ", headerToken, "cookie value:", cookie.Value)
+			http.Error(w, "Invalid CSRF token", http.StatusForbidden)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}

internal/auth/models/session.go

@@ -0,0 +1,16 @@
+// internal/auth/models/session.go
+package models
+
+import "time"
+
+type Session struct {
+	SessionID        string    `bson:"session_id"`
+	KeycloakSID        string    `bson:"keycloak_sid"`
+	UserID           string    `bson:"user_id"`
+	Email            string    `bson:"email"`
+	Username         string    `bson:"username"`
+	EncryptedAccess  string    `bson:"encrypted_access"`
+	EncryptedRefresh string    `bson:"encrypted_refresh"`
+	AccessExpiresAt  time.Time `bson:"access_expires_at"`
+	ExpiresAt        time.Time `bson:"expires_at"`
+}

internal/auth/repository/session_repository.go

@@ -0,0 +1,70 @@
+// internal/auth/repository/session_repository.go
+package repository
+
+import (
+	"context"
+
+	"server/internal/auth/models"
+	"server/internal/database"
+	"go.mongodb.org/mongo-driver/bson"
+	"go.mongodb.org/mongo-driver/mongo"
+)
+
+func Save(ctx context.Context, session models.Session) error {
+	_, err := database.DB.Collection("sessions").InsertOne(ctx, session)
+	return err
+}
+
+func Update(ctx context.Context, session models.Session) error {
+	_, err := database.DB.Collection("sessions").ReplaceOne(ctx,
+		bson.M{"session_id": session.SessionID}, session)
+	return err
+}
+
+func FindByID(ctx context.Context, id string) (*models.Session, error) {
+	var session models.Session
+	err := database.DB.Collection("sessions").
+		FindOne(ctx, bson.M{"session_id": id}).
+		Decode(&session)
+	if err != nil {
+		return nil, err
+	}
+	return &session, nil
+}
+
+func DeleteByID(ctx context.Context, id string) error {
+	_, err := database.DB.Collection("sessions").DeleteOne(ctx, bson.M{"session_id": id})
+	return err
+}
+
+func UpdateSession(ctx context.Context, session *models.Session) error {
+	_, err := database.DB.Collection("sessions").UpdateOne(
+		ctx,
+		bson.M{"session_id": session.SessionID},
+		bson.M{"$set": session},
+	)
+	return err
+}
+
+func DeleteSession(ctx context.Context, sessionID string) error {
+    res, err := database.DB.Collection("sessions").DeleteOne(ctx, bson.M{"session_id": sessionID})
+    if err != nil {
+        return err
+    }
+    if res.DeletedCount == 0 {
+        return mongo.ErrNoDocuments
+    }
+    return nil
+}
+
+func DeleteByKeycloakSID(ctx context.Context, sid string) error {
+    res, err := database.DB.Collection("sessions").
+        DeleteOne(ctx, bson.M{"keycloak_sid": sid})
+    if err != nil {
+        return err
+    }
+    if res.DeletedCount == 0 {
+        return mongo.ErrNoDocuments
+    }
+    return nil
+}

internal/auth/service/auth_service.go

@@ -0,0 +1,95 @@
+// internal/auth/service/auth_service.go
+package service
+
+import (
+	"context"
+	"errors"
+	"time"
+	"encoding/json"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+
+	"server/internal/auth/dto"
+	"server/internal/auth/models"
+	"server/internal/auth/repository"
+	"server/internal/shared/crypto"
+)
+
+func RefreshAccessToken(refreshToken string) (string, string, time.Time, error) {
+	tokenURL := os.Getenv("KEYCLOAK_URL") + "/realms/" + os.Getenv("KEYCLOAK_REALM") + "/protocol/openid-connect/token"
+
+	data := url.Values{}
+	data.Set("grant_type", "refresh_token")
+	data.Set("client_id", os.Getenv("KEYCLOAK_CLIENT_ID"))
+	data.Set("client_secret", os.Getenv("KEYCLOAK_CLIENT_SECRET"))
+	data.Set("refresh_token", refreshToken)
+
+	resp, err := http.PostForm(tokenURL, data)
+	if err != nil {
+		return "", "", time.Time{}, err
+	}
+	defer resp.Body.Close()
+
+	body, _ := io.ReadAll(resp.Body)
+	if resp.StatusCode != http.StatusOK {
+		return "", "", time.Time{}, errors.New("failed to refresh token: " + string(body))
+	}
+
+	var tr struct {
+		AccessToken  string `json:"access_token"`
+		RefreshToken string `json:"refresh_token"`
+		ExpiresIn    int    `json:"expires_in"`
+	}
+
+	if err := json.Unmarshal(body, &tr); err != nil {
+		return "", "", time.Time{}, err
+	}
+
+	newAccess := tr.AccessToken
+	newRefresh := tr.RefreshToken
+	expiry := time.Now().Add(time.Second * time.Duration(tr.ExpiresIn))
+
+	return newAccess, newRefresh, expiry, nil
+}
+
+func ValidateSession(ctx context.Context, sessionID string) (*models.Session, error) {
+	session, err := repository.FindByID(ctx, sessionID)
+	if err != nil {
+		return nil, errors.New("session not found")
+	}
+	if session.ExpiresAt.Before(time.Now()) {
+		return nil, errors.New("session expired")
+	}
+	return session, nil
+}
+
+func GetCurrentUser(ctx context.Context) (*dto.MeResponse, error) {
+	session, err := SessionFromContext(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	return &dto.MeResponse{
+		ID:       session.UserID,
+		Email:    session.Email,
+		Username: session.Username,
+	}, nil
+}
+
+func EncryptToken(token string) (string, error) {
+	return crypto.Encrypt(token)
+}
+
+func DecryptToken(enc string) (string, error) {
+	return crypto.Decrypt(enc)
+}
+
+func SessionFromContext(ctx context.Context) (*models.Session, error) {
+	session, ok := ctx.Value("current_session").(*models.Session)
+	if !ok || session == nil {
+		return nil, errors.New("session not found in context")
+	}
+	return session, nil
+}

internal/auth/service/jwks.go

@@ -0,0 +1,97 @@
+// internal/auth/service/jwks.go
+package service
+
+import (
+	"errors"
+	"net/http"
+	"os"
+	"time"
+
+	"github.com/MicahParks/keyfunc"
+	"github.com/golang-jwt/jwt/v4"
+)
+
+var JWKSClient *keyfunc.JWKS
+
+func InitializeJWKS() error {
+	issuer := os.Getenv("KEYCLOAK_URL") + "/realms/" + os.Getenv("KEYCLOAK_REALM")
+	jwksURL := issuer + "/protocol/openid-connect/certs"
+
+	var err error
+	JWKSClient, err = keyfunc.Get(jwksURL, keyfunc.Options{
+		RefreshInterval:     time.Hour, // refresh every hour
+		RefreshErrorHandler: func(err error) {},
+		RefreshTimeout:      10 * time.Second,
+		Client:              &http.Client{Timeout: 10 * time.Second},
+	})
+	if err != nil {
+		return errors.New("failed to get JWKS: " + err.Error())
+	}
+	return nil
+}
+
+func VerifyIDTokenJWKS(idToken string) (jwt.MapClaims, error) {
+	if JWKSClient == nil {
+		if err := InitializeJWKS(); err != nil {
+			return nil, err
+		}
+	}
+
+	token, err := jwt.Parse(idToken, JWKSClient.Keyfunc)
+	if err != nil {
+		return nil, err
+	}
+
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if !ok || !token.Valid {
+		return nil, errors.New("invalid token")
+	}
+
+	now := time.Now().Unix()
+	skew := int64(60) // allow 60 seconds drift
+
+	if !claims.VerifyExpiresAt(now-skew, true) {
+		return nil, errors.New("token expired")
+	}
+
+	nbf, ok := claims["nbf"].(float64)
+	if ok && int64(nbf) > now+skew {
+		return nil, errors.New("token not valid yet (nbf)")
+	}
+
+	iat, ok := claims["iat"].(float64)
+	if !ok {
+		return nil, errors.New("iat claim missing or invalid")
+	}
+	if int64(iat) > now+skew {
+		return nil, errors.New("token issued in the future (iat)")
+	}
+
+	issuer := os.Getenv("KEYCLOAK_URL") + "/realms/" + os.Getenv("KEYCLOAK_REALM")
+	clientID := os.Getenv("KEYCLOAK_CLIENT_ID")
+
+	if claims["iss"] != issuer {
+		return nil, errors.New("invalid issuer")
+	}
+
+	if aud, ok := claims["aud"].(string); ok {
+		if aud != clientID {
+			return nil, errors.New("invalid audience")
+		}
+	} else if audArray, ok := claims["aud"].([]interface{}); ok {
+		valid := false
+		for _, a := range audArray {
+			if a.(string) == clientID {
+				valid = true
+				break
+			}
+		}
+		if !valid {
+			return nil, errors.New("invalid audience")
+		}
+	} else {
+		return nil, errors.New("invalid audience format")
+	}
+
+	return claims, nil
+}

internal/config/config.go

@@ -0,0 +1,28 @@
+// internal/config/config.go
+package config
+
+import (
+	"log"
+	"os"
+
+	"github.com/joho/godotenv"
+)
+
+func Load() {
+	if err := godotenv.Load(); err != nil {
+		log.Println("No .env file found, using environment variables")
+	}
+
+	required := []string{
+		"PORT", "MONGO_URI", "MONGO_DB", "KEYCLOAK_URL",
+		"KEYCLOAK_REALM", "KEYCLOAK_CLIENT_ID", "KEYCLOAK_CLIENT_SECRET",
+		"KEYCLOAK_REDIRECT_URL", "SESSION_SECRET", "CSRF_SECRET",
+		"COOKIE_DOMAIN", "FRONTEND_ORIGIN", "SESSION_TTL_HOURS",
+	}
+
+	for _, k := range required {
+		if os.Getenv(k) == "" {
+			log.Fatalf("Environment variable %s is required", k)
+		}
+	}
+}

internal/database/mongodb.go

@@ -0,0 +1,51 @@
+// internal/database/mongodb.go
+package database
+
+import (
+	"context"
+	"crypto/tls"
+	"log"
+	"os"
+	"time"
+
+	"go.mongodb.org/mongo-driver/mongo"
+	"go.mongodb.org/mongo-driver/mongo/options"
+)
+
+var DB *mongo.Database
+
+func Connect() {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	clientOpts := options.Client().
+		ApplyURI(os.Getenv("MONGO_URI")).
+		SetTLSConfig(&tls.Config{MinVersion: tls.VersionTLS12})
+
+	client, err := mongo.Connect(ctx, clientOpts)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	DB = client.Database(os.Getenv("MONGO_DB"))
+
+	coll := DB.Collection("sessions")
+	indexOpts := options.Index().SetExpireAfterSeconds(0)
+	_, err = coll.Indexes().CreateOne(ctx, mongo.IndexModel{
+		Keys:    map[string]interface{}{"expires_at": 1},
+		Options: indexOpts,
+	})
+	if err != nil {
+		log.Fatal("Failed to create TTL index: ", err)
+	}
+
+	_, err = coll.Indexes().CreateOne(ctx, mongo.IndexModel{
+		Keys:    map[string]interface{}{"session_id": 1},
+		Options: options.Index().SetUnique(true),
+	})
+	if err != nil {
+		log.Fatal("Failed to create session_id index: ", err)
+	}
+
+	log.Println("Connected to MongoDB")
+}

internal/shared/crypto/encryption.go

@@ -0,0 +1,74 @@
+// internal/shared/crypto/encryption.go
+package crypto
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"io"
+	"os"
+	"crypto/sha256"
+)
+
+func Encrypt(plain string) (string, error) {
+	key := []byte(os.Getenv("SESSION_SECRET"))
+	if len(key) != 32 {
+		return "", errors.New("SESSION_SECRET must be 32 bytes")
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
+		return "", err
+	}
+
+	ciphertext := gcm.Seal(nonce, nonce, []byte(plain), nil)
+	return base64.StdEncoding.EncodeToString(ciphertext), nil
+}
+
+func Decrypt(enc string) (string, error) {
+	key := []byte(os.Getenv("SESSION_SECRET"))
+	data, err := base64.StdEncoding.DecodeString(enc)
+	if err != nil {
+		return "", err
+	}
+
+	block, err := aes.NewCipher(key)
+	if err != nil {
+		return "", err
+	}
+
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return "", err
+	}
+
+	nonceSize := gcm.NonceSize()
+	if len(data) < nonceSize {
+		return "", errors.New("invalid ciphertext")
+	}
+
+	nonce, ciphertext := data[:nonceSize], data[nonceSize:]
+	plain, err := gcm.Open(nil, nonce, ciphertext, nil)
+	if err != nil {
+		return "", err
+	}
+
+	return string(plain), nil
+}
+
+func SHA256Base64URL(input string) string {
+	hash := sha256.Sum256([]byte(input))
+	return base64.RawURLEncoding.EncodeToString(hash[:])
+}

internal/shared/middleware/cors.go

@@ -0,0 +1,20 @@
+// internal/shared/middleware/cors.go
+package middleware
+
+import (
+	"net/http"
+	"os"
+
+	"github.com/go-chi/cors"
+)
+
+func CORS() func(http.Handler) http.Handler {
+	return cors.Handler(cors.Options{
+		AllowedOrigins: []string{os.Getenv("FRONTEND_ORIGIN")},
+		AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+		AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-XSRF-TOKEN"},
+		ExposedHeaders: []string{"X-XSRF-TOKEN"},
+		AllowCredentials: true,
+		MaxAge: 300,
+	})
+}

internal/shared/middleware/rate_limiter.go

@@ -0,0 +1,40 @@
+// internal/shared/middleware/rate_limiter.go
+package middleware
+
+import (
+	"net"
+	"net/http"
+	"sync"
+
+	"golang.org/x/time/rate"
+)
+
+var (
+	ips      = make(map[string]*rate.Limiter)
+	mu       sync.Mutex
+	rateLimit = rate.Limit(5) 
+	burst     = 10
+)
+
+func getLimiter(ip string) *rate.Limiter {
+	mu.Lock()
+	defer mu.Unlock()
+	if limiter, exists := ips[ip]; exists {
+		return limiter
+	}
+	limiter := rate.NewLimiter(rateLimit, burst)
+	ips[ip] = limiter
+	return limiter
+}
+
+func RateLimiter(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ip, _, _ := net.SplitHostPort(r.RemoteAddr)
+		limiter := getLimiter(ip)
+		if !limiter.Allow() {
+			http.Error(w, "Too Many Requests", http.StatusTooManyRequests)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}

internal/shared/middleware/security_headers.go

@@ -0,0 +1,17 @@
+// internal/shared/middleware/security_headers.go
+package middleware
+
+import "net/http"
+
+func SecurityHeaders(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+		w.Header().Set("X-Frame-Options", "DENY")
+		w.Header().Set("X-Content-Type-Options", "nosniff")
+		w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
+		w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+		w.Header().Set("Content-Security-Policy", "default-src 'self'")
+
+		next.ServeHTTP(w, r)
+	})
+}

internal/shared/utils/random.go

@@ -0,0 +1,16 @@
+// internal/shared/utils/random.go
+package utils
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+)
+
+func SecureRandom(n int) (string, error) {
+	b := make([]byte, n)
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", err
+	}
+	return base64.RawURLEncoding.EncodeToString(b), nil
+}