From e7837af0e71a071a9f2ba81d176bb8dce764fa80 Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:05:13 +1030
Subject: [PATCH 01/22] feat(news): added ability to delete news articles

---
 components/DeleteNewsModal.vue | 72 ++++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 components/DeleteNewsModal.vue

diff --git a/components/DeleteNewsModal.vue b/components/DeleteNewsModal.vue
new file mode 100644
index 00000000..475c8bd5
--- /dev/null
+++ b/components/DeleteNewsModal.vue
@@ -0,0 +1,72 @@
+<template>
+  <ModalTemplate :modelValue="!!article">
+    <template #default>
+      <div>
+        <DialogTitle
+          as="h3"
+          class="text-lg font-bold font-display text-zinc-100"
+        >
+          Delete Article
+        </DialogTitle>
+        <p class="mt-1 text-sm text-zinc-400">
+          Are you sure you want to delete "{{ article?.title }}"?
+        </p>
+        <p class="mt-2 text-sm font-bold text-red-500">
+          This action cannot be undone.
+        </p>
+      </div>
+    </template>
+    <template #buttons>
+      <LoadingButton
+        :loading="deleteLoading"
+        @click="() => deleteArticle()"
+        class="bg-red-600 text-white hover:bg-red-500"
+      >
+        Delete
+      </LoadingButton>
+      <button
+        @click="() => (article = undefined)"
+        class="inline-flex items-center rounded-md bg-zinc-800 px-3 py-2 text-sm font-semibold font-display text-white hover:bg-zinc-700"
+      >
+        Cancel
+      </button>
+    </template>
+  </ModalTemplate>
+</template>
+
+<script setup lang="ts">
+import { DialogTitle } from "@headlessui/vue";
+
+interface Article {
+  id: string;
+  title: string;
+}
+
+const article = defineModel<Article | undefined>();
+const deleteLoading = ref(false);
+const router = useRouter();
+const news = useNews();
+
+async function deleteArticle() {
+  try {
+    if (!article.value) return;
+
+    deleteLoading.value = true;
+    await news.remove(article.value.id);
+
+    article.value = undefined;
+    await router.push('/news');
+  } catch (e: any) {
+    createModal(
+      ModalType.Notification,
+      {
+        title: "Failed to delete article",
+        description: `Drop couldn't delete this article: ${e?.statusMessage}`,
+      },
+      (_, c) => c()
+    );
+  } finally {
+    deleteLoading.value = false;
+  }
+}
+</script> 

From 866c4d354e461a93185b9e300ae4537e2fa007ac Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:05:55 +1030
Subject: [PATCH 02/22] feat(news): Created ability to create news articles

---
 components/NewsArticleCreate.vue | 346 +++++++++++++++++++++++++++++++
 1 file changed, 346 insertions(+)
 create mode 100644 components/NewsArticleCreate.vue

diff --git a/components/NewsArticleCreate.vue b/components/NewsArticleCreate.vue
new file mode 100644
index 00000000..77590623
--- /dev/null
+++ b/components/NewsArticleCreate.vue
@@ -0,0 +1,346 @@
+<template>
+  <div class="w-full">
+    <!-- Create article button - only show for admin users -->
+    <button
+      v-if="user?.admin"
+      @click="isCreateExpanded = !isCreateExpanded"
+      class="inline-flex items-center gap-x-2 px-4 py-2 rounded-lg bg-blue-600 text-white font-semibold font-display shadow-sm transition-all duration-200 hover:bg-blue-500 hover:scale-105 hover:shadow-blue-500/25 hover:shadow-lg active:scale-95"
+    >
+      <PlusIcon 
+        class="h-5 w-5 transition-transform duration-200" 
+        :class="{ 'rotate-90': isCreateExpanded }" 
+      />
+      <span>New Article</span>
+    </button>
+
+    <Transition
+      enter-active-class="transition duration-200 ease-out"
+      enter-from-class="transform -translate-y-4 opacity-0"
+      enter-to-class="transform translate-y-0 opacity-100"
+      leave-active-class="transition duration-200 ease-in"
+      leave-from-class="transform translate-y-0 opacity-100"
+      leave-to-class="transform -translate-y-4 opacity-0"
+    >
+      <div v-if="isCreateExpanded" class="mt-6 p-6 rounded-lg bg-zinc-900/50 border border-zinc-800 w-full">
+        <h3 class="text-lg font-semibold text-zinc-100 mb-4">Create New Article</h3>
+        <form @submit.prevent="createArticle" class="space-y-4">
+          <div>
+            <label for="title" class="block text-sm font-medium text-zinc-400">Title</label>
+            <input
+              id="title"
+              v-model="newArticle.title"
+              type="text"
+              autocomplete="off"
+              class="mt-1 block w-full rounded-md bg-zinc-900 border-zinc-700 text-zinc-100 shadow-sm focus:border-primary-500 focus:ring-primary-500"
+              required
+            />
+          </div>
+
+          <div>
+            <label for="excerpt" class="block text-sm font-medium text-zinc-400">Excerpt</label>
+            <input
+              id="excerpt"
+              v-model="newArticle.excerpt"
+              type="text"
+              class="mt-1 block w-full rounded-md bg-zinc-900 border-zinc-700 text-zinc-100 shadow-sm focus:border-primary-500 focus:ring-primary-500"
+              required
+            />
+          </div>
+
+          <div>
+            <label for="content" class="block text-sm font-medium text-zinc-400">Content (Markdown)</label>
+            <div class="mt-1 flex flex-col gap-4">
+              <!-- Markdown shortcuts -->
+              <div class="flex flex-wrap gap-2">
+                <button
+                  v-for="shortcut in markdownShortcuts"
+                  :key="shortcut.label"
+                  type="button"
+                  @click="applyMarkdown(shortcut)"
+                  class="px-2 py-1 text-sm rounded bg-zinc-800 text-zinc-300 hover:bg-zinc-700 transition-colors"
+                >
+                  {{ shortcut.label }}
+                </button>
+              </div>
+
+              <div class="grid grid-cols-2 gap-4 h-[400px]">
+                <!-- Editor -->
+                <div class="flex flex-col">
+                  <span class="text-sm text-zinc-500 mb-2">Editor</span>
+                  <textarea
+                    id="content"
+                    v-model="newArticle.content"
+                    ref="contentEditor"
+                    @keydown="handleContentKeydown"
+                    class="flex-1 rounded-md bg-zinc-900 border-zinc-700 text-zinc-100 shadow-sm focus:border-primary-500 focus:ring-primary-500 font-mono resize-none"
+                    required
+                  ></textarea>
+                </div>
+                
+                <!-- Preview -->
+                <div class="flex flex-col">
+                  <span class="text-sm text-zinc-500 mb-2">Preview</span>
+                  <div class="flex-1 p-4 rounded-md bg-zinc-900 border border-zinc-700 overflow-y-auto">
+                    <div 
+                      class="prose prose-invert prose-sm h-full overflow-y-auto"
+                      v-html="markdownPreview"
+                    />
+                  </div>
+                </div>
+              </div>
+            </div>
+            <p class="mt-2 text-sm text-zinc-500">
+              Use the shortcuts above or write Markdown directly. Supports **bold**, *italic*, [links](url), and more.
+            </p>
+          </div>
+
+          <div>
+            <label for="image" class="block text-sm font-medium text-zinc-400">Image URL (optional)</label>
+            <input
+              id="image"
+              v-model="newArticle.image"
+              type="url"
+              class="mt-1 block w-full rounded-md bg-zinc-900 border-zinc-700 text-zinc-100 shadow-sm focus:border-primary-500 focus:ring-primary-500"
+            />
+          </div>
+
+          <div>
+            <label class="block text-sm font-medium text-zinc-400 mb-2">Tags</label>
+            <div class="flex flex-wrap gap-2 mb-2">
+              <span
+                v-for="tag in newArticle.tags"
+                :key="tag"
+                class="inline-flex items-center gap-x-1 px-2 py-1 rounded-full text-xs font-medium bg-blue-600/80 text-white"
+              >
+                {{ tag }}
+                <button
+                  type="button"
+                  @click="removeTag(tag)"
+                  class="text-white hover:text-white/80"
+                >
+                  <XMarkIcon class="h-3 w-3" />
+                </button>
+              </span>
+            </div>
+            <div class="flex gap-x-2">
+              <input
+                type="text"
+                v-model="newTagInput"
+                @keydown.enter.prevent="addTag"
+                placeholder="Add a tag..."
+                class="mt-1 block w-full rounded-md bg-zinc-900 border-zinc-700 text-zinc-100 shadow-sm focus:border-primary-500 focus:ring-primary-500"
+              />
+              <button
+                type="button"
+                @click="addTag"
+                class="mt-1 px-3 py-2 rounded-md bg-zinc-800 text-zinc-100 hover:bg-zinc-700"
+              >
+                Add
+              </button>
+            </div>
+          </div>
+
+          <div class="flex justify-end">
+            <button
+              type="submit"
+              class="px-4 py-2 rounded-md bg-blue-600 text-white font-semibold font-display shadow-sm transition-all duration-200 hover:bg-blue-500 hover:scale-105 hover:shadow-blue-500/25 hover:shadow-lg active:scale-95 focus:outline-none focus:ring-2 focus:ring-offset-2 focus:ring-blue-500"
+              :disabled="isSubmitting"
+            >
+              {{ isSubmitting ? 'Creating...' : 'Create Article' }}
+            </button>
+          </div>
+        </form>
+      </div>
+    </Transition>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { PlusIcon, XMarkIcon } from "@heroicons/vue/24/solid";
+import { micromark } from 'micromark';
+
+const emit = defineEmits<{
+  'refresh': []
+}>();
+
+const user = useUser();
+const news = useNews();
+const isCreateExpanded = ref(false);
+const isSubmitting = ref(false);
+const newTagInput = ref('');
+
+const newArticle = ref({
+  title: '',
+  excerpt: '',
+  content: '',
+  image: '',
+  tags: [] as string[]
+});
+
+const contentEditor = ref<HTMLTextAreaElement>();
+
+const markdownShortcuts = [
+  { label: 'Bold', prefix: '**', suffix: '**', placeholder: 'bold text' },
+  { label: 'Italic', prefix: '_', suffix: '_', placeholder: 'italic text' },
+  { label: 'Link', prefix: '[', suffix: '](url)', placeholder: 'link text' },
+  { label: 'Code', prefix: '`', suffix: '`', placeholder: 'code' },
+  { label: 'List Item', prefix: '- ', suffix: '', placeholder: 'list item' },
+  { label: 'Heading', prefix: '## ', suffix: '', placeholder: 'heading' },
+];
+
+const handleContentKeydown = (e: KeyboardEvent) => {
+  if (e.key === 'Enter') {
+    e.preventDefault();
+    
+    const textarea = contentEditor.value;
+    if (!textarea) return;
+    
+    const start = textarea.selectionStart;
+    const text = textarea.value;
+    const lineStart = text.lastIndexOf('\n', start - 1) + 1;
+    const currentLine = text.slice(lineStart, start);
+    
+    // Check if the current line starts with a list marker
+    const listMatch = currentLine.match(/^(\s*)([-*+]|\d+\.)\s/);
+    let insertion = '\n';
+    
+    if (listMatch) {
+      // If the line is empty except for the list marker, end the list
+      if (currentLine.trim() === listMatch[0].trim()) {
+        const removeLength = currentLine.length;
+        newArticle.value.content = 
+          text.slice(0, lineStart) + 
+          text.slice(lineStart + removeLength);
+        
+        // Move cursor to new position after removing the list marker
+        nextTick(() => {
+          textarea.selectionStart = textarea.selectionEnd = lineStart;
+        });
+        return;
+      }
+      // Otherwise, continue the list
+      insertion = '\n' + listMatch[1] + listMatch[2] + ' ';
+    }
+    
+    newArticle.value.content = 
+      text.slice(0, start) + 
+      insertion + 
+      text.slice(start);
+    
+    nextTick(() => {
+      textarea.selectionStart = textarea.selectionEnd = 
+        start + insertion.length;
+    });
+  }
+};
+
+const addTag = () => {
+  const tag = newTagInput.value.trim();
+  if (tag && !newArticle.value.tags.includes(tag)) {
+    newArticle.value.tags.push(tag);
+    newTagInput.value = ''; // Clear the input
+  }
+};
+
+const removeTag = (tagToRemove: string) => {
+  newArticle.value.tags = newArticle.value.tags.filter(tag => tag !== tagToRemove);
+};
+
+const applyMarkdown = (shortcut: typeof markdownShortcuts[0]) => {
+  const textarea = contentEditor.value;
+  if (!textarea) return;
+
+  const start = textarea.selectionStart;
+  const end = textarea.selectionEnd;
+  const text = textarea.value;
+  
+  const selectedText = text.substring(start, end);
+  const replacement = selectedText || shortcut.placeholder;
+  
+  const newText = 
+    text.substring(0, start) + 
+    shortcut.prefix + 
+    replacement + 
+    shortcut.suffix + 
+    text.substring(end);
+  
+  newArticle.value.content = newText;
+  
+  nextTick(() => {
+    textarea.focus();
+    const newStart = start + shortcut.prefix.length;
+    const newEnd = newStart + replacement.length;
+    textarea.setSelectionRange(newStart, newEnd);
+  });
+};
+
+const createArticle = async () => {
+  if (!user.value?.id) {
+    console.error('User not authenticated');
+    return;
+  }
+
+  isSubmitting.value = true;
+  try {
+    await news.create({
+      ...newArticle.value,
+      authorId: user.value.id,
+    });
+    
+    // Reset form
+    newArticle.value = {
+      title: '',
+      excerpt: '',
+      content: '',
+      image: '',
+      tags: []
+    };
+    
+    emit('refresh');
+    
+    isCreateExpanded.value = false;
+    
+  } catch (error) {
+    console.error('Failed to create article:', error);
+  } finally {
+    isSubmitting.value = false;
+  }
+};
+
+const markdownPreview = computed(() => {
+  return micromark(newArticle.value.content);
+});
+</script>
+
+<style scoped>
+
+.prose {
+  max-width: none;
+}
+
+.prose a {
+  color: #60a5fa;
+  text-decoration: none;
+}
+
+.prose a:hover {
+  text-decoration: underline;
+}
+
+.prose img {
+  border-radius: 0.5rem;
+}
+
+.prose code {
+  background: #27272a;
+  padding: 0.2em 0.4em;
+  border-radius: 0.25rem;
+  font-size: 0.875em;
+}
+
+.prose pre {
+  background: #18181b;
+  padding: 1em;
+  border-radius: 0.5rem;
+}
+</style> 

From 28bf070ce233816e67e69e0501608f122b73eb81 Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:06:38 +1030
Subject: [PATCH 03/22] feat(news): Added ability to search and filter news
 articles

---
 components/NewsDirectory.vue | 193 +++++++++++++++++++++++++++++++++++
 1 file changed, 193 insertions(+)
 create mode 100644 components/NewsDirectory.vue

diff --git a/components/NewsDirectory.vue b/components/NewsDirectory.vue
new file mode 100644
index 00000000..2bff2ad3
--- /dev/null
+++ b/components/NewsDirectory.vue
@@ -0,0 +1,193 @@
+<template>
+  <div class="flex grow flex-col gap-y-5 overflow-y-auto bg-zinc-900 px-6 py-6 ring-1 ring-white/10">
+    <!-- Search and filters -->
+    <div class="space-y-6">
+      <div>
+        <label for="search" class="sr-only">Search articles</label>
+        <div class="relative">
+          <div class="pointer-events-none absolute inset-y-0 left-0 flex items-center pl-3">
+            <MagnifyingGlassIcon class="h-5 w-5 text-zinc-400" aria-hidden="true" />
+          </div>
+          <input
+            id="search"
+            type="text"
+            v-model="searchQuery"
+            class="block w-full rounded-md border-0 bg-zinc-800 py-2.5 pl-10 pr-3 text-zinc-100 placeholder:text-zinc-400 focus:ring-2 focus:ring-inset focus:ring-blue-500 sm:text-sm sm:leading-6"
+            placeholder="Search articles..."
+          />
+        </div>
+      </div>
+
+      <div class="pt-2">
+        <label for="date" class="block text-sm font-medium text-zinc-400 mb-2">Date</label>
+        <select
+          id="date"
+          v-model="dateFilter"
+          class="mt-1 block w-full rounded-md border-0 bg-zinc-800 py-2 pl-3 pr-10 text-zinc-100 focus:ring-2 focus:ring-inset focus:ring-blue-500 sm:text-sm sm:leading-6"
+        >
+          <option value="all">All time</option>
+          <option value="today">Today</option>
+          <option value="week">This week</option>
+          <option value="month">This month</option>
+          <option value="year">This year</option>
+        </select>
+      </div>
+
+      <!-- Tags -->
+      <div>
+        <label class="block text-sm font-medium text-zinc-400 mb-2">Tags</label>
+        <div class="flex flex-wrap gap-2">
+          <button
+            v-for="tag in availableTags"
+            :key="tag"
+            @click="toggleTag(tag)"
+            class="inline-flex items-center rounded-full px-2.5 py-0.5 text-xs font-medium transition-colors duration-200"
+            :class="[
+              selectedTags.includes(tag)
+                ? 'bg-blue-600 text-white'
+                : 'bg-zinc-800 text-zinc-300 hover:bg-zinc-700'
+            ]"
+          >
+            {{ tag }}
+          </button>
+        </div>
+      </div>
+    </div>
+
+    <nav class="flex-1 space-y-2">
+      <NuxtLink
+        v-for="article in filteredArticles"
+        :key="article.id"
+        :to="`/news/article/${article.id}`"
+        class="group block rounded-lg hover-lift"
+      >
+        <div 
+          class="relative flex flex-col gap-y-2 rounded-lg p-3 transition-all duration-200"
+          :class="[
+            route.params.id === article.id 
+              ? 'bg-zinc-800' 
+              : 'hover:bg-zinc-800/50'
+          ]"
+        >
+          <div 
+            v-if="article.image"
+            class="absolute inset-0 rounded-lg transition-all duration-200 overflow-hidden"
+          >
+            <img 
+              :src="article.image"
+              class="absolute inset-0 w-full h-full object-cover transition-all duration-200"
+              :class="[
+                'blur-sm group-hover:blur-none scale-105 group-hover:scale-100 duration-500'
+              ]"
+              alt=""
+            />
+            <div 
+              class="absolute inset-0 bg-gradient-to-b from-zinc-900/80 to-zinc-900/90 group-hover:from-zinc-900/40 group-hover:to-zinc-900/60 transition-all duration-200"
+            />
+          </div>
+
+          <h3 class="relative text-sm font-medium text-zinc-100">{{ article.title }}</h3>
+          <p class="relative mt-1 text-xs text-zinc-400 line-clamp-2" v-html="formatExcerpt(article.excerpt)"></p>
+          <div class="relative mt-2 flex items-center gap-x-2 text-xs text-zinc-500">
+            <time :datetime="article.publishedAt">{{ formatDate(article.publishedAt) }}</time>
+          </div>
+        </div>
+      </NuxtLink>
+    </nav>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { ref, computed } from 'vue';
+import { MagnifyingGlassIcon } from '@heroicons/vue/24/solid';
+import { micromark } from 'micromark';
+
+const route = useRoute();
+const searchQuery = ref("");
+const dateFilter = ref("all");
+const selectedTags = ref<string[]>([]);
+const { data: articles, refresh: refreshArticles } = await useNews().getAll();
+
+defineExpose({ refresh: refreshArticles });
+
+// Get unique tags from all articles
+const availableTags = computed(() => {
+  if (!articles.value) return [];
+  const tags = new Set<string>();
+  articles.value.forEach(article => {
+    article.tags.forEach(tag => tags.add(tag));
+  });
+  return Array.from(tags);
+});
+
+const toggleTag = (tag: string) => {
+  const index = selectedTags.value.indexOf(tag);
+  if (index === -1) {
+    selectedTags.value.push(tag);
+  } else {
+    selectedTags.value.splice(index, 1);
+  }
+};
+
+const formatDate = (date: string) => {
+  return new Date(date).toLocaleDateString("en-US", {
+    year: "numeric",
+    month: "long",
+    day: "numeric",
+  });
+};
+
+const formatExcerpt = (excerpt: string) => {
+  // Convert markdown to HTML
+  const html = micromark(excerpt);
+  // Strip HTML tags using regex
+  return html.replace(/<[^>]*>/g, '');
+};
+
+const filteredArticles = computed(() => {
+  if (!articles.value) return [];
+  
+  // filter articles based on search, date, and tags
+  return articles.value.filter((article) => {
+    const matchesSearch = 
+      article.title.toLowerCase().includes(searchQuery.value.toLowerCase()) ||
+      article.excerpt.toLowerCase().includes(searchQuery.value.toLowerCase());
+    
+    const articleDate = new Date(article.publishedAt);
+    const now = new Date();
+    let matchesDate = true;
+    
+    switch (dateFilter.value) {
+      case 'today':
+        matchesDate = articleDate.toDateString() === now.toDateString();
+        break;
+      case 'week':
+        const weekAgo = new Date(now.setDate(now.getDate() - 7));
+        matchesDate = articleDate >= weekAgo;
+        break;
+      case 'month':
+        matchesDate = articleDate.getMonth() === now.getMonth() && 
+                     articleDate.getFullYear() === now.getFullYear();
+        break;
+      case 'year':
+        matchesDate = articleDate.getFullYear() === now.getFullYear();
+        break;
+    }
+    
+    const matchesTags = selectedTags.value.length === 0 || 
+                       selectedTags.value.every(tag => article.tags.includes(tag));
+    
+    return matchesSearch && matchesDate && matchesTags;
+  });
+});
+</script>
+
+<style scoped>
+.hover-lift {
+  transition: all 0.5s cubic-bezier(0.34, 1.56, 0.64, 1);
+}
+
+.hover-lift:hover {
+  transform: translateY(-2px) scale(1.02);
+}
+</style>

From 5d8f9d38133e136a04ba3bb6b1b26ae04067fe99 Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:07:24 +1030
Subject: [PATCH 04/22] Create useNews.ts

---
 composables/useNews.ts | 50 ++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100644 composables/useNews.ts

diff --git a/composables/useNews.ts b/composables/useNews.ts
new file mode 100644
index 00000000..f5f20936
--- /dev/null
+++ b/composables/useNews.ts
@@ -0,0 +1,50 @@
+export const useNews = () => {
+  const getAll = async (options?: {
+    limit?: number;
+    skip?: number;
+    orderBy?: 'asc' | 'desc';
+    tags?: string[];
+    search?: string;
+  }) => {
+    const query = new URLSearchParams();
+    
+    if (options?.limit) query.set('limit', options.limit.toString());
+    if (options?.skip) query.set('skip', options.skip.toString());
+    if (options?.orderBy) query.set('order', options.orderBy);
+    if (options?.tags?.length) query.set('tags', options.tags.join(','));
+    if (options?.search) query.set('search', options.search);
+
+    return await useFetch(`/api/v1/news?${query.toString()}`);
+  };
+
+  const getById = async (id: string) => {
+    return await useFetch(`/api/v1/news/${id}`);
+  };
+
+  const create = async (article: {
+    title: string;
+    excerpt: string;
+    content: string;
+    image?: string;
+    tags: string[];
+    authorId: string;
+  }) => {
+    return await $fetch('/api/v1/news', {
+      method: 'POST',
+      body: article
+    });
+  };
+
+  const remove = async (id: string) => {
+    return await $fetch(`/api/v1/news/${id}`, {
+      method: 'DELETE'
+    });
+  };
+
+  return {
+    getAll,
+    getById,
+    create,
+    remove
+  };
+}; 

From d8e964e06b232e710416dffc343aa0759878442b Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:08:34 +1030
Subject: [PATCH 05/22] feat(news): Added backend for news


From f78b29b7fd381f28377382caf16c1316f6347ecb Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:09:25 +1030
Subject: [PATCH 06/22] feat(news) Added news page/sidebar

---
 pages/news.vue | 156 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 156 insertions(+)
 create mode 100644 pages/news.vue

diff --git a/pages/news.vue b/pages/news.vue
new file mode 100644
index 00000000..8f00aa73
--- /dev/null
+++ b/pages/news.vue
@@ -0,0 +1,156 @@
+<template>
+    <div class="flex flex-col lg:flex-row grow">
+      <TransitionRoot as="template" :show="sidebarOpen">
+        <Dialog class="relative z-50 lg:hidden" @close="sidebarOpen = false">
+          <TransitionChild
+            as="template"
+            enter="transition-opacity ease-linear duration-300"
+            enter-from="opacity-0"
+            enter-to="opacity-100"
+            leave="transition-opacity ease-linear duration-300"
+            leave-from="opacity-100"
+            leave-to="opacity-0"
+          >
+            <div class="fixed inset-0 bg-zinc-900/80" />
+          </TransitionChild>
+  
+          <div class="fixed inset-0 flex">
+            <TransitionChild
+              as="template"
+              enter="transition ease-in-out duration-300 transform"
+              enter-from="-translate-x-full"
+              enter-to="translate-x-0"
+              leave="transition ease-in-out duration-300 transform"
+              leave-from="translate-x-0"
+              leave-to="-translate-x-full"
+            >
+              <DialogPanel class="relative mr-16 flex w-full max-w-xs flex-1">
+                <TransitionChild
+                  as="template"
+                  enter="ease-in-out duration-300"
+                  enter-from="opacity-0"
+                  enter-to="opacity-100"
+                  leave="ease-in-out duration-300"
+                  leave-from="opacity-100"
+                  leave-to="opacity-0"
+                >
+                  <div
+                    class="absolute top-0 left-full flex w-16 justify-center pt-5"
+                  >
+                    <button
+                      type="button"
+                      class="-m-2.5 p-2.5"
+                      @click="sidebarOpen = false"
+                    >
+                      <span class="sr-only">Close sidebar</span>
+                      <XMarkIcon class="size-6 text-white" aria-hidden="true" />
+                    </button>
+                  </div>
+                </TransitionChild>
+                <div class="bg-zinc-900">
+                  <NewsDirectory ref="newsDirectory" />
+                </div>
+              </DialogPanel>
+            </TransitionChild>
+          </div>
+        </Dialog>
+      </TransitionRoot>
+  
+      <!-- Static sidebar for desktop -->
+      <div
+        class="hidden lg:block lg:inset-y-0 lg:z-50 lg:flex lg:w-72 lg:flex-col lg:border-r-2 lg:border-zinc-800"
+      >
+        <NewsDirectory ref="newsDirectory" />
+      </div>
+  
+      <div
+        class="block flex items-center gap-x-2 bg-zinc-950 px-2 py-1 shadow-xs sm:px-4 lg:hidden border-b border-zinc-700"
+      >
+        <button
+          type="button"
+          class="-m-2.5 p-2.5 text-zinc-400 lg:hidden"
+          @click="sidebarOpen = true"
+        >
+          <span class="sr-only">Open sidebar</span>
+          <Bars3Icon class="size-6" aria-hidden="true" />
+        </button>
+        <div
+          class="flex-1 text-sm/6 font-semibold uppercase font-display text-zinc-400"
+        >
+          News
+        </div>
+      </div>
+  
+      <div class="px-4 py-10 sm:px-6 lg:px-8 lg:py-6 grow">
+        <NuxtPage />
+      </div>
+    </div>
+  </template>
+  
+  <script setup lang="ts">
+  import { ref } from "vue";
+  import {
+    Dialog,
+    DialogPanel,
+    TransitionChild,
+    TransitionRoot,
+  } from "@headlessui/vue";
+  import {
+    Bars3Icon,
+    CalendarIcon,
+    ChartPieIcon,
+    DocumentDuplicateIcon,
+    FolderIcon,
+    HomeIcon,
+    UsersIcon,
+    XMarkIcon,
+  } from "@heroicons/vue/24/outline";
+  
+  const router = useRouter();
+  const sidebarOpen = ref(false);
+  
+  router.afterEach(() => {
+    sidebarOpen.value = false;
+  });
+  
+  useHead({
+    title: "News",
+  });
+  </script>
+  
+  <style scoped>
+  
+  /* Hide scrollbar for Chrome, Safari and Opera */
+  .no-scrollbar::-webkit-scrollbar {
+    display: none;
+  }
+  
+  /* Hide scrollbar for IE, Edge and Firefox */
+  .no-scrollbar {
+    -ms-overflow-style: none; /* IE and Edge */
+    scrollbar-width: none; /* Firefox */
+  }
+  
+  .hover-lift {
+    transition: all 0.5s cubic-bezier(0.34, 1.56, 0.64, 1);
+  }
+  
+  .hover-lift:hover {
+    transform: translateY(-2px) scale(1.02);
+    box-shadow: 0 8px 20px -6px rgba(0, 0, 0, 0.2);
+  }
+  
+  /* Springy list animations */
+  .list-enter-active {
+    transition: all 0.4s cubic-bezier(0.34, 1.56, 0.64, 1);
+  }
+  
+  .list-leave-active {
+    transition: all 0.3s ease;
+  }
+  
+  .list-move {
+    transition: transform 0.4s cubic-bezier(0.34, 1.56, 0.64, 1);
+  }
+  </style>
+  

From 6c7866ad143d9d07597b9a93c0c3d59da9635b49 Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:10:16 +1030
Subject: [PATCH 07/22] feat(news): Created article overview page

---
 pages/news/index.vue | 137 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 137 insertions(+)
 create mode 100644 pages/news/index.vue

diff --git a/pages/news/index.vue b/pages/news/index.vue
new file mode 100644
index 00000000..9ae7fc9f
--- /dev/null
+++ b/pages/news/index.vue
@@ -0,0 +1,137 @@
+<template>
+  <div class="flex flex-col max-w-4xl mx-auto">
+    <div class="mb-8">
+      <div class="flex flex-col gap-y-4">
+        <div>
+          <h2 class="text-2xl font-bold font-display text-zinc-100">
+            Latest News
+          </h2>
+          <p class="mt-2 text-zinc-400">
+            Stay up to date with the latest updates and announcements.
+          </p>
+        </div>
+        
+        <NewsArticleCreate @refresh="refreshAll" />
+      </div>
+    </div>
+
+    <!-- Articles list -->
+    <TransitionGroup
+      name="article-list"
+      tag="div"
+      class="space-y-6"
+    >
+      <NuxtLink
+        v-for="article in articles"
+        :key="article.id"
+        :to="`/news/article/${article.id}`"
+        class="block"
+      >
+        <article
+          class="group relative flex flex-col overflow-hidden rounded-lg bg-zinc-800/50 hover:bg-zinc-800 transition-all duration-200"
+        >
+          <div class="relative h-48 w-full overflow-hidden">
+            <img
+              :src="article.image || '/images/default-news-image.jpg'"
+              alt=""
+              class="h-full w-full object-cover object-center transition-all duration-500 group-hover:scale-110 scale-105"
+            />
+            <div class="absolute top-4 left-4 flex gap-2">
+              <span
+                v-for="tag in article.tags"
+                :key="tag"
+                class="inline-flex items-center rounded-full bg-zinc-900/75 px-3 py-1 text-sm font-semibold text-zinc-100 backdrop-blur"
+              >
+                {{ tag }}
+              </span>
+            </div>
+          </div>
+
+          <div class="flex flex-1 flex-col justify-between p-6">
+            <div class="flex-1">
+              <div class="flex items-center gap-x-2">
+                <time :datetime="article.publishedAt" class="text-sm text-zinc-400">
+                  {{ formatDate(article.publishedAt) }}
+                </time>
+                <span class="text-sm text-blue-400">{{ article.author.displayName }}</span>
+              </div>
+              <div class="mt-2">
+                <h3 class="text-xl font-semibold text-zinc-100 group-hover:text-primary-400">
+                  {{ article.title }}
+                </h3>
+                <p class="mt-3 text-base text-zinc-400">
+                  {{ article.excerpt }}
+                </p>
+              </div>
+            </div>
+          </div>
+        </article>
+      </NuxtLink>
+    </TransitionGroup>
+
+    <div
+      v-if="articles.length === 0"
+      class="text-center py-12"
+    >
+      <DocumentIcon class="mx-auto h-12 w-12 text-zinc-400" />
+      <h3 class="mt-2 text-sm font-semibold text-zinc-100">No articles</h3>
+      <p class="mt-1 text-sm text-zinc-500">Check back later for updates.</p>
+    </div>
+  </div>
+</template>
+
+<script setup lang="ts">
+import { DocumentIcon } from "@heroicons/vue/24/outline";
+
+interface Article {
+  id: string;
+  title: string;
+  excerpt: string;
+  content: string;
+  tags: string[];
+  image: string | null;
+  publishedAt: string;
+  author: {
+    id: string;
+    displayName: string;
+  };
+}
+
+const newsDirectory = ref();
+const { data: articles, refresh: refreshArticles } = await useNews().getAll();
+
+const formatDate = (date: string) => {
+  return new Date(date).toLocaleDateString("en-US", {
+    year: "numeric",
+    month: "long",
+    day: "numeric",
+  });
+};
+
+useHead({
+  title: "News",
+});
+
+const refreshAll = async () => {
+  await refreshArticles();
+  await newsDirectory.value?.refresh();
+};
+</script>
+
+<style scoped>
+/* Article list transitions */
+.article-list-enter-active,
+.article-list-leave-active {
+  transition: all 0.5s ease;
+}
+
+.article-list-enter-from,
+.article-list-leave-to {
+  opacity: 0;
+  transform: translateY(30px);
+}
+
+.article-list-move {
+  transition: transform 0.5s ease;
+}
+</style>

From 3a5507553279b3add7bcd3aff91443679fe9eac4 Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:15:09 +1030
Subject: [PATCH 08/22] feat(news): Created article full screen view

---
 pages/news/article/[id]/index.vue | 150 ++++++++++++++++++++++++++++++
 1 file changed, 150 insertions(+)
 create mode 100644 pages/news/article/[id]/index.vue

diff --git a/pages/news/article/[id]/index.vue b/pages/news/article/[id]/index.vue
new file mode 100644
index 00000000..112beb1c
--- /dev/null
+++ b/pages/news/article/[id]/index.vue
@@ -0,0 +1,150 @@
+<template>
+  <div class="max-w-7xl mx-auto px-4 sm:px-6 lg:px-8">
+    <!-- Banner header with blurred background -->
+    <div class="relative w-full h-[300px] mb-8 rounded-lg overflow-hidden">
+      <div class="absolute inset-0">
+        <template v-if="article.image">
+          <img
+            :src="article.image"
+            alt=""
+            class="w-full h-full object-cover blur-sm scale-110"
+          />
+          <div class="absolute inset-0 bg-gradient-to-b from-zinc-950/70 via-zinc-950/60 to-zinc-950/90"></div>
+        </template>
+        <template v-else>
+          <!-- Fallback gradient background when no image -->
+          <div class="absolute inset-0 bg-gradient-to-b from-zinc-800 to-zinc-900"></div>
+        </template>
+      </div>
+
+      <div class="relative h-full flex flex-col justify-end p-8">
+        <div class="flex items-center gap-x-3 mb-6">
+          <NuxtLink
+            to="/news"
+            class="px-2 py-1 rounded bg-zinc-900/80 backdrop-blur-sm transition text-sm/6 font-semibold text-zinc-400 hover:text-zinc-100 inline-flex gap-x-2 items-center duration-200 hover:scale-105"
+          >
+            <ArrowLeftIcon class="h-4 w-4" aria-hidden="true" />
+            Back to News
+          </NuxtLink>
+          
+          <button
+            v-if="user?.admin"
+            @click="() => currentlyDeleting = article"
+            class="px-2 py-1 rounded bg-red-900/50 backdrop-blur-sm transition text-sm/6 font-semibold text-red-400 hover:text-red-100 inline-flex gap-x-2 items-center duration-200 hover:scale-105"
+          >
+            <TrashIcon class="h-4 w-4" aria-hidden="true" />
+            Delete Article
+          </button>
+        </div>
+
+        <div class="max-w-[calc(100%-2rem)]">
+          <h1 class="text-4xl font-bold text-white mb-3">{{ article.title }}</h1>
+          <div class="flex flex-col gap-y-3 sm:flex-row sm:items-center sm:gap-x-4 text-zinc-300">
+            <div class="flex items-center gap-x-4">
+              <time :datetime="article.publishedAt">{{ formatDate(article.publishedAt) }}</time>
+              <span class="text-blue-400">{{ article.author.displayName }}</span>
+            </div>
+            <div class="flex flex-wrap gap-2">
+              <span
+                v-for="tag in article.tags"
+                :key="tag"
+                class="inline-flex items-center rounded-full bg-zinc-800/80 backdrop-blur-sm px-3 py-1 text-sm font-semibold text-zinc-100"
+              >
+                {{ tag }}
+              </span>
+            </div>
+          </div>
+          <p class="mt-4 text-lg text-zinc-300">{{ article.excerpt }}</p>
+        </div>
+      </div>
+    </div>
+
+    <!-- Article content - markdown -->
+    <div 
+      class="max-w-[calc(100%-2rem)] mx-auto prose prose-invert prose-lg"
+      v-html="renderedContent"
+    />
+  </div>
+
+  <DeleteNewsModal v-model="currentlyDeleting" />
+</template>
+
+<script setup lang="ts">
+import { ArrowLeftIcon } from "@heroicons/vue/20/solid";
+import { TrashIcon } from "@heroicons/vue/24/outline";
+import { micromark } from 'micromark';
+
+const route = useRoute();
+const { data: article } = await useNews().getById(route.params.id as string);
+const currentlyDeleting = ref();
+const user = useUser();
+
+if (!article.value) {
+  throw createError({
+    statusCode: 404,
+    message: 'Article not found'
+  });
+}
+
+// Render markdown content
+const renderedContent = computed(() => {
+  return micromark(article.value.content);
+});
+
+const formatDate = (date: string) => {
+  return new Date(date).toLocaleDateString("en-US", {
+    year: "numeric",
+    month: "long",
+    day: "numeric",
+  });
+};
+
+useHead({
+  title: article.value.title,
+});
+</script>
+
+<style>
+.prose {
+  max-width: none;
+}
+
+.prose a {
+  color: #60a5fa;
+  text-decoration: none;
+}
+
+.prose a:hover {
+  text-decoration: underline;
+}
+
+.prose img {
+  border-radius: 0.5rem;
+}
+
+.prose code {
+  background: #27272a;
+  padding: 0.2em 0.4em;
+  border-radius: 0.25rem;
+  font-size: 0.875em;
+}
+
+.prose pre {
+  background: #18181b;
+  padding: 1em;
+  border-radius: 0.5rem;
+}
+</style>
+
+<style scoped>
+.fade-enter-active,
+.fade-leave-active {
+  transition: all 0.2s ease;
+}
+
+.fade-enter-from,
+.fade-leave-to {
+  opacity: 0;
+  transform: translateX(30px);
+}
+</style>

From 1ed15902a37777f8471bd8ece7c14cde09abe736 Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:16:28 +1030
Subject: [PATCH 09/22] feat(news): Updated user for authoring articles

---
 prisma/schema/user.prisma | 1 +
 1 file changed, 1 insertion(+)

diff --git a/prisma/schema/user.prisma b/prisma/schema/user.prisma
index 0e46c0d4..539af45a 100644
--- a/prisma/schema/user.prisma
+++ b/prisma/schema/user.prisma
@@ -11,6 +11,7 @@ model User {
     clients       Client[]
     notifications Notification[]
     collections   Collection[]
+    news          News[]
 }
 
 model Notification {

From 623ab7d786ebd7dd1538910b422c574a1f96b613 Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:17:21 +1030
Subject: [PATCH 10/22] feat(DB): Updated DB for news articles to be stored in
 the DB

---
 prisma/schema/news.prisma | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 prisma/schema/news.prisma

diff --git a/prisma/schema/news.prisma b/prisma/schema/news.prisma
new file mode 100644
index 00000000..dd2bde6b
--- /dev/null
+++ b/prisma/schema/news.prisma
@@ -0,0 +1,13 @@
+model News {
+  id          String   @id @default(uuid())
+  title       String
+  content     String   @db.Text
+  excerpt     String
+  tags        String[]
+  image       String?
+  publishedAt DateTime @default(now())
+  author      User     @relation(fields: [authorId], references: [id])
+  authorId    String
+
+  @@map("news")
+} 

From 88453f1ec44b62316f4086735d1df08ce0e9b6bf Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:18:27 +1030
Subject: [PATCH 11/22] feat(backend): Added backend communction between API &
 Frontend

---
 server/internal/news/index.ts | 114 ++++++++++++++++++++++++++++++++++
 1 file changed, 114 insertions(+)
 create mode 100644 server/internal/news/index.ts

diff --git a/server/internal/news/index.ts b/server/internal/news/index.ts
new file mode 100644
index 00000000..e1f91191
--- /dev/null
+++ b/server/internal/news/index.ts
@@ -0,0 +1,114 @@
+import prisma from "../db/database";
+
+class NewsManager {
+  async create(data: {
+    title: string;
+    content: string;
+    excerpt: string;
+    tags: string[];
+    authorId: string;
+    image?: string;
+  }) {
+    return await prisma.news.create({
+      data: {
+        title: data.title,
+        content: data.content,
+        excerpt: data.excerpt,
+        tags: data.tags,
+        image: data.image,
+        author: {
+          connect: {
+            id: data.authorId,
+          },
+        },
+        publishedAt: new Date(),
+      },
+    });
+  }
+
+  async getAll(options?: {
+    take?: number;
+    skip?: number;
+    orderBy?: 'asc' | 'desc';
+    tags?: string[];
+    search?: string;
+  }) {
+    const where = {
+      AND: [
+        options?.tags?.length ? {
+          tags: {
+            hasSome: options.tags,
+          },
+        } : {},
+        options?.search ? {
+          OR: [
+            {
+              title: {
+                contains: options.search,
+                mode: 'insensitive' as const,
+              },
+            },
+            {
+              content: {
+                contains: options.search,
+                mode: 'insensitive' as const,
+              },
+            },
+          ],
+        } : {},
+      ],
+    };
+
+    return await prisma.news.findMany({
+      where,
+      take: options?.take,
+      skip: options?.skip,
+      orderBy: {
+        publishedAt: options?.orderBy || 'desc',
+      },
+      include: {
+        author: {
+          select: {
+            id: true,
+            displayName: true,
+          },
+        },
+      },
+    });
+  }
+
+  async getById(id: string) {
+    return await prisma.news.findUnique({
+      where: { id },
+      include: {
+        author: {
+          select: {
+            id: true,
+            displayName: true,
+          },
+        },
+      },
+    });
+  }
+
+  async update(id: string, data: {
+    title?: string;
+    content?: string;
+    excerpt?: string;
+    tags?: string[];
+    image?: string;
+  }) {
+    return await prisma.news.update({
+      where: { id },
+      data,
+    });
+  }
+
+  async delete(id: string) {
+    return await prisma.news.delete({
+      where: { id },
+    });
+  }
+}
+
+export default new NewsManager(); 

From 86053815f059f5e76e6bd7d7d46337fe7c5cd0b4 Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:19:31 +1030
Subject: [PATCH 12/22] feat(api): Added API for creating articles

---
 server/api/v1/news/index.post.ts | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 server/api/v1/news/index.post.ts

diff --git a/server/api/v1/news/index.post.ts b/server/api/v1/news/index.post.ts
new file mode 100644
index 00000000..61c4d926
--- /dev/null
+++ b/server/api/v1/news/index.post.ts
@@ -0,0 +1,24 @@
+import { defineEventHandler, createError, readBody } from "h3";
+import newsManager from "~/server/internal/news";
+
+export default defineEventHandler(async (event) => {
+  const body = await readBody(event);
+  
+  if (!body.authorId) {
+    throw createError({
+      statusCode: 400,
+      message: 'Author ID is required'
+    });
+  }
+
+  const article = await newsManager.create({
+    title: body.title,
+    content: body.content,
+    excerpt: body.excerpt,
+    tags: body.tags,
+    image: body.image,
+    authorId: body.authorId,
+  });
+
+  return article;
+});

From 2ef8f2f93c51c2174bd77589fdab6b3a1d36c3e5 Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:20:26 +1030
Subject: [PATCH 13/22] feat(api): Added API for fetching news articles

---
 server/api/v1/news/index.get.ts | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 server/api/v1/news/index.get.ts

diff --git a/server/api/v1/news/index.get.ts b/server/api/v1/news/index.get.ts
new file mode 100644
index 00000000..3bc4108e
--- /dev/null
+++ b/server/api/v1/news/index.get.ts
@@ -0,0 +1,17 @@
+import { defineEventHandler, getQuery } from "h3";
+import newsManager from "~/server/internal/news";
+
+export default defineEventHandler(async (event) => {
+  const query = getQuery(event);
+  
+  const options = {
+    take: query.limit ? parseInt(query.limit as string) : undefined,
+    skip: query.skip ? parseInt(query.skip as string) : undefined,
+    orderBy: query.order as 'asc' | 'desc',
+    tags: query.tags ? (query.tags as string).split(',') : undefined,
+    search: query.search as string,
+  };
+
+  const news = await newsManager.getAll(options);
+  return news;
+});

From 1286248207b65f39b5fe1200f6631c3d1f459619 Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:21:10 +1030
Subject: [PATCH 14/22] feat(api): Added API for retriving information about a
 spesific news article

---
 server/api/v1/news/[id].get.ts | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
 create mode 100644 server/api/v1/news/[id].get.ts

diff --git a/server/api/v1/news/[id].get.ts b/server/api/v1/news/[id].get.ts
new file mode 100644
index 00000000..07c62dfe
--- /dev/null
+++ b/server/api/v1/news/[id].get.ts
@@ -0,0 +1,22 @@
+import { defineEventHandler, createError } from "h3";
+import newsManager from "~/server/internal/news";
+
+export default defineEventHandler(async (event) => {
+  const id = event.context.params?.id;
+  if (!id) {
+    throw createError({
+      statusCode: 400,
+      message: "Missing news ID",
+    });
+  }
+
+  const news = await newsManager.getById(id);
+  if (!news) {
+    throw createError({
+      statusCode: 404,
+      message: "News article not found",
+    });
+  }
+
+  return news;
+}); 

From 9344d94e4ccd21d2e1015346d1aed3fa112b588d Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Sun, 2 Feb 2025 10:21:43 +1030
Subject: [PATCH 15/22] feat(api): Added API for deleting news articles

---
 server/api/v1/news/[id].delete.ts | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 server/api/v1/news/[id].delete.ts

diff --git a/server/api/v1/news/[id].delete.ts b/server/api/v1/news/[id].delete.ts
new file mode 100644
index 00000000..09949df9
--- /dev/null
+++ b/server/api/v1/news/[id].delete.ts
@@ -0,0 +1,23 @@
+import { defineEventHandler, createError } from "h3";
+import newsManager from "~/server/internal/news";
+
+export default defineEventHandler(async (event) => {
+  const userId = await event.context.session.getUserId(event);
+  if (!userId) {
+    throw createError({
+      statusCode: 401,
+      message: "Unauthorized",
+    });
+  }
+
+  const id = event.context.params?.id;
+  if (!id) {
+    throw createError({
+      statusCode: 400,
+      message: "Missing news ID",
+    });
+  }
+
+  await newsManager.delete(id);
+  return { success: true };
+}); 

From 256fbd6afa5446c7841989c95ad2e444c8191abf Mon Sep 17 00:00:00 2001
From: Aden Lindsay <140392385+AdenMGB@users.noreply.github.com>
Date: Mon, 3 Feb 2025 16:50:10 +1030
Subject: [PATCH 16/22] fix(backend): Add forgotton migration for news storage

---
 .../20250128102738_add_news/migration.sql        | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100644 prisma/migrations/20250128102738_add_news/migration.sql

diff --git a/prisma/migrations/20250128102738_add_news/migration.sql b/prisma/migrations/20250128102738_add_news/migration.sql
new file mode 100644
index 00000000..68b2aca1
--- /dev/null
+++ b/prisma/migrations/20250128102738_add_news/migration.sql
@@ -0,0 +1,16 @@
+-- CreateTable
+CREATE TABLE "news" (
+    "id" TEXT NOT NULL,
+    "title" TEXT NOT NULL,
+    "content" TEXT NOT NULL,
+    "excerpt" TEXT NOT NULL,
+    "tags" TEXT[],
+    "image" TEXT,
+    "publishedAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "authorId" TEXT NOT NULL,
+
+    CONSTRAINT "news_pkey" PRIMARY KEY ("id")
+);
+
+-- AddForeignKey
+ALTER TABLE "news" ADD CONSTRAINT "news_authorId_fkey" FOREIGN KEY ("authorId") REFERENCES "User"("id") ON DELETE RESTRICT ON UPDATE CASCADE; 

From 090d2e6586affbff9e1080bfb599dcb120edd3e2 Mon Sep 17 00:00:00 2001
From: DecDuck <declanahofmeyr@gmail.com>
Date: Tue, 4 Feb 2025 13:15:34 +1100
Subject: [PATCH 17/22] feat(acls): added backend acls

---
 drop-base                                     |   2 +-
 pages/admin/library/[id]/index.vue            |   2 +-
 .../20250204010021_add_tokens/migration.sql   |  15 +
 .../migration.sql                             |   5 +
 prisma/schema/auth.prisma                     |  15 +
 prisma/schema/collection.prisma               |   2 +-
 prisma/schema/user.prisma                     |   2 +
 .../v1/admin/auth/invitation/index.delete.ts  |   7 +-
 .../api/v1/admin/auth/invitation/index.get.ts |   7 +-
 .../v1/admin/auth/invitation/index.post.ts    |   9 +-
 .../api/v1/admin/game/image/index.delete.ts   |   7 +-
 server/api/v1/admin/game/image/index.post.ts  |   7 +-
 server/api/v1/admin/game/index.delete.ts      |   7 +-
 server/api/v1/admin/game/index.get.ts         |   7 +-
 server/api/v1/admin/game/index.patch.ts       |   7 +-
 server/api/v1/admin/game/metadata.post.ts     |   7 +-
 .../api/v1/admin/game/version/index.delete.ts |   7 +-
 .../version/{index.post.ts => index.patch.ts} |   7 +-
 server/api/v1/admin/import/game/index.get.ts  |   7 +-
 server/api/v1/admin/import/game/index.post.ts |   7 +-
 server/api/v1/admin/import/game/search.get.ts |   7 +-
 .../api/v1/admin/import/version/index.get.ts  |   7 +-
 .../api/v1/admin/import/version/index.post.ts |   7 +-
 .../v1/admin/import/version/preload.get.ts    |   7 +-
 server/api/v1/admin/index.get.ts              |   6 -
 server/api/v1/admin/library/index.get.ts      |   5 +-
 server/api/v1/{ => admin}/news/[id].delete.ts |   0
 server/api/v1/{ => admin}/news/index.post.ts  |   0
 server/api/v1/admin/user/index.get.ts         |   5 +-
 server/api/v1/auth/signin/simple.post.ts      |   3 +-
 .../api/v1/client/auth/callback/index.get.ts  |   3 +-
 .../api/v1/client/auth/callback/index.post.ts |   3 +-
 server/api/v1/collection/[id]/entry.delete.ts |   4 +-
 server/api/v1/collection/[id]/entry.post.ts   |   4 +-
 server/api/v1/collection/[id]/index.delete.ts |   3 +-
 server/api/v1/collection/[id]/index.get.ts    |   3 +-
 .../api/v1/collection/default/entry.delete.ts |   3 +-
 .../api/v1/collection/default/entry.post.ts   |   3 +-
 server/api/v1/collection/default/index.get.ts |   3 +-
 server/api/v1/collection/index.get.ts         |   4 +-
 server/api/v1/collection/index.post.ts        |   4 +-
 server/api/v1/games/[id]/index.get.ts         |   3 +-
 .../news/{[id].get.ts => [id]/index.get.ts}   |   0
 .../api/v1/notifications/[id]/index.delete.ts |   3 +-
 server/api/v1/notifications/[id]/index.get.ts |   3 +-
 server/api/v1/notifications/[id]/read.post.ts |   3 +-
 server/api/v1/notifications/index.get.ts      |   3 +-
 server/api/v1/notifications/readall.post.ts   |   3 +-
 server/api/v1/notifications/ws.get.ts         |  15 +-
 server/api/v1/object/[id]/index.delete.ts     |   4 +-
 server/api/v1/object/[id]/index.get.ts        |   4 +-
 server/api/v1/object/[id]/index.post.ts       |   4 +-
 server/api/v1/store/developers.ts             |   3 +-
 server/api/v1/store/publishers.ts             |   3 +-
 server/api/v1/store/recent.get.ts             |   3 +-
 server/api/v1/store/released.get.ts           |   3 +-
 server/api/v1/store/updated.get.ts            |   3 +-
 server/api/v1/task/index.get.ts               |  29 +-
 server/api/v1/user/index.get.ts               |   4 +-
 server/h3.d.ts                                |   6 +-
 server/internal/acls/index.ts                 | 152 +++++++++
 server/internal/applibrary/README.md          |  11 -
 server/internal/applibrary/index.ts           | 309 ------------------
 server/internal/library/index.ts              |   2 +-
 server/internal/objects/index.ts              |   2 +-
 server/internal/session/index.ts              |  41 +--
 server/internal/tasks/index.ts                |  20 +-
 server/plugins/redirect.ts                    |   4 +-
 server/plugins/session.ts                     |   7 -
 server/routes/signout.get.ts                  |   4 +-
 70 files changed, 397 insertions(+), 474 deletions(-)
 create mode 100644 prisma/migrations/20250204010021_add_tokens/migration.sql
 create mode 100644 prisma/migrations/20250204020918_add_collection_entry_casacade_delete/migration.sql
 rename server/api/v1/admin/game/version/{index.post.ts => index.patch.ts} (83%)
 delete mode 100644 server/api/v1/admin/index.get.ts
 rename server/api/v1/{ => admin}/news/[id].delete.ts (100%)
 rename server/api/v1/{ => admin}/news/index.post.ts (100%)
 rename server/api/v1/news/{[id].get.ts => [id]/index.get.ts} (100%)
 create mode 100644 server/internal/acls/index.ts
 delete mode 100644 server/internal/applibrary/README.md
 delete mode 100644 server/internal/applibrary/index.ts
 delete mode 100644 server/plugins/session.ts

diff --git a/drop-base b/drop-base
index 533eb483..637b4e1e 160000
--- a/drop-base
+++ b/drop-base
@@ -1 +1 @@
-Subproject commit 533eb483eac6cddcc18e1b2a0de3364353997535
+Subproject commit 637b4e1e9b943605e9f25234dd1f879d5a58b493
diff --git a/pages/admin/library/[id]/index.vue b/pages/admin/library/[id]/index.vue
index 328ae414..d62553b6 100644
--- a/pages/admin/library/[id]/index.vue
+++ b/pages/admin/library/[id]/index.vue
@@ -785,7 +785,7 @@ async function deleteVersion(versionName: string) {
 async function updateVersionOrder() {
   try {
     const newVersions = await $fetch("/api/v1/admin/game/version", {
-      method: "POST",
+      method: "PATCH",
       body: {
         id: gameId,
         versions: game.value.versions.map((e) => e.versionName),
diff --git a/prisma/migrations/20250204010021_add_tokens/migration.sql b/prisma/migrations/20250204010021_add_tokens/migration.sql
new file mode 100644
index 00000000..30237279
--- /dev/null
+++ b/prisma/migrations/20250204010021_add_tokens/migration.sql
@@ -0,0 +1,15 @@
+-- CreateEnum
+CREATE TYPE "APITokenMode" AS ENUM ('User', 'System');
+
+-- CreateTable
+CREATE TABLE "APIToken" (
+    "token" TEXT NOT NULL,
+    "mode" "APITokenMode" NOT NULL,
+    "userId" TEXT,
+    "acls" TEXT[],
+
+    CONSTRAINT "APIToken_pkey" PRIMARY KEY ("token")
+);
+
+-- AddForeignKey
+ALTER TABLE "APIToken" ADD CONSTRAINT "APIToken_userId_fkey" FOREIGN KEY ("userId") REFERENCES "User"("id") ON DELETE SET NULL ON UPDATE CASCADE;
diff --git a/prisma/migrations/20250204020918_add_collection_entry_casacade_delete/migration.sql b/prisma/migrations/20250204020918_add_collection_entry_casacade_delete/migration.sql
new file mode 100644
index 00000000..846ce199
--- /dev/null
+++ b/prisma/migrations/20250204020918_add_collection_entry_casacade_delete/migration.sql
@@ -0,0 +1,5 @@
+-- DropForeignKey
+ALTER TABLE "CollectionEntry" DROP CONSTRAINT "CollectionEntry_gameId_fkey";
+
+-- AddForeignKey
+ALTER TABLE "CollectionEntry" ADD CONSTRAINT "CollectionEntry_gameId_fkey" FOREIGN KEY ("gameId") REFERENCES "Game"("id") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/prisma/schema/auth.prisma b/prisma/schema/auth.prisma
index 436373c4..64677b8a 100644
--- a/prisma/schema/auth.prisma
+++ b/prisma/schema/auth.prisma
@@ -21,3 +21,18 @@ model Invitation {
     email    String?
     expires  DateTime
 }
+
+enum APITokenMode {
+    User
+    System
+}
+
+model APIToken {
+    token String       @id @default(uuid())
+    mode  APITokenMode
+
+    userId String?
+    user   User?   @relation(fields: [userId], references: [id])
+
+    acls String[]
+}
diff --git a/prisma/schema/collection.prisma b/prisma/schema/collection.prisma
index b18cf4aa..179ada52 100644
--- a/prisma/schema/collection.prisma
+++ b/prisma/schema/collection.prisma
@@ -14,7 +14,7 @@ model CollectionEntry {
     collection   Collection @relation(fields: [collectionId], references: [id], onDelete: Cascade)
 
     gameId String
-    game   Game   @relation(fields: [gameId], references: [id])
+    game   Game   @relation(fields: [gameId], references: [id], onDelete: Cascade)
 
     @@id([collectionId, gameId])
 }
diff --git a/prisma/schema/user.prisma b/prisma/schema/user.prisma
index 539af45a..30173fec 100644
--- a/prisma/schema/user.prisma
+++ b/prisma/schema/user.prisma
@@ -12,6 +12,8 @@ model User {
     notifications Notification[]
     collections   Collection[]
     news          News[]
+
+    tokens APIToken[]
 }
 
 model Notification {
diff --git a/server/api/v1/admin/auth/invitation/index.delete.ts b/server/api/v1/admin/auth/invitation/index.delete.ts
index 065c6a40..381dea30 100644
--- a/server/api/v1/admin/auth/invitation/index.delete.ts
+++ b/server/api/v1/admin/auth/invitation/index.delete.ts
@@ -1,8 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "auth:simple:invitation:delete",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const body = await readBody(h3);
   const id = body.id;
diff --git a/server/api/v1/admin/auth/invitation/index.get.ts b/server/api/v1/admin/auth/invitation/index.get.ts
index 0b7efb4c..e0b6881a 100644
--- a/server/api/v1/admin/auth/invitation/index.get.ts
+++ b/server/api/v1/admin/auth/invitation/index.get.ts
@@ -1,8 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "auth:simple:invitation:read",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   await runTask("cleanup:invitations");
 
diff --git a/server/api/v1/admin/auth/invitation/index.post.ts b/server/api/v1/admin/auth/invitation/index.post.ts
index 60a700c6..015557e3 100644
--- a/server/api/v1/admin/auth/invitation/index.post.ts
+++ b/server/api/v1/admin/auth/invitation/index.post.ts
@@ -1,8 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "auth:simple:invitation:new",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const body = await readBody(h3);
   const isAdmin = body.isAdmin;
@@ -30,7 +33,7 @@ export default defineEventHandler(async (h3) => {
       isAdmin: isAdmin,
       username: username,
       email: email,
-      expires: expiresDate
+      expires: expiresDate,
     },
   });
 
diff --git a/server/api/v1/admin/game/image/index.delete.ts b/server/api/v1/admin/game/image/index.delete.ts
index 6e84ec25..3b6252c1 100644
--- a/server/api/v1/admin/game/image/index.delete.ts
+++ b/server/api/v1/admin/game/image/index.delete.ts
@@ -1,8 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "game:image:delete",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const body = await readBody(h3);
   const gameId = body.gameId;
diff --git a/server/api/v1/admin/game/image/index.post.ts b/server/api/v1/admin/game/image/index.post.ts
index b94b304a..8453b6fc 100644
--- a/server/api/v1/admin/game/image/index.post.ts
+++ b/server/api/v1/admin/game/image/index.post.ts
@@ -1,9 +1,12 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 import { handleFileUpload } from "~/server/internal/utils/handlefileupload";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "game:image:new",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const form = await readMultipartFormData(h3);
   if (!form)
diff --git a/server/api/v1/admin/game/index.delete.ts b/server/api/v1/admin/game/index.delete.ts
index 4cab69c9..0f98b3ef 100644
--- a/server/api/v1/admin/game/index.delete.ts
+++ b/server/api/v1/admin/game/index.delete.ts
@@ -1,9 +1,12 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 import libraryManager from "~/server/internal/library";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "game:delete",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const query = getQuery(h3);
   const gameId = query.id?.toString();
diff --git a/server/api/v1/admin/game/index.get.ts b/server/api/v1/admin/game/index.get.ts
index 7ff78c14..8878c805 100644
--- a/server/api/v1/admin/game/index.get.ts
+++ b/server/api/v1/admin/game/index.get.ts
@@ -1,9 +1,12 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 import libraryManager from "~/server/internal/library";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "game:read",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const query = getQuery(h3);
   const gameId = query.id?.toString();
diff --git a/server/api/v1/admin/game/index.patch.ts b/server/api/v1/admin/game/index.patch.ts
index 83ec5df0..578bf96e 100644
--- a/server/api/v1/admin/game/index.patch.ts
+++ b/server/api/v1/admin/game/index.patch.ts
@@ -1,8 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "game:update",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const body = await readBody(h3);
   const id = body.id;
diff --git a/server/api/v1/admin/game/metadata.post.ts b/server/api/v1/admin/game/metadata.post.ts
index ded9eae1..4540dfd2 100644
--- a/server/api/v1/admin/game/metadata.post.ts
+++ b/server/api/v1/admin/game/metadata.post.ts
@@ -1,9 +1,12 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 import { handleFileUpload } from "~/server/internal/utils/handlefileupload";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "game:update",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const form = await readMultipartFormData(h3);
   if (!form)
diff --git a/server/api/v1/admin/game/version/index.delete.ts b/server/api/v1/admin/game/version/index.delete.ts
index a80da87c..cf85c465 100644
--- a/server/api/v1/admin/game/version/index.delete.ts
+++ b/server/api/v1/admin/game/version/index.delete.ts
@@ -1,8 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "game:version:delete",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const body = await readBody(h3);
   const gameId = body.id.toString();
diff --git a/server/api/v1/admin/game/version/index.post.ts b/server/api/v1/admin/game/version/index.patch.ts
similarity index 83%
rename from server/api/v1/admin/game/version/index.post.ts
rename to server/api/v1/admin/game/version/index.patch.ts
index bbb2fc31..3771179d 100644
--- a/server/api/v1/admin/game/version/index.post.ts
+++ b/server/api/v1/admin/game/version/index.patch.ts
@@ -1,8 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "game:version:update",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const body = await readBody(h3);
   const gameId = body.id?.toString();
diff --git a/server/api/v1/admin/import/game/index.get.ts b/server/api/v1/admin/import/game/index.get.ts
index 9137adaa..b1b3c3d0 100644
--- a/server/api/v1/admin/import/game/index.get.ts
+++ b/server/api/v1/admin/import/game/index.get.ts
@@ -1,8 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import libraryManager from "~/server/internal/library";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "import:game:read",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const unimportedGames = await libraryManager.fetchAllUnimportedGames();
   return { unimportedGames };
diff --git a/server/api/v1/admin/import/game/index.post.ts b/server/api/v1/admin/import/game/index.post.ts
index d7712036..15992334 100644
--- a/server/api/v1/admin/import/game/index.post.ts
+++ b/server/api/v1/admin/import/game/index.post.ts
@@ -1,3 +1,4 @@
+import aclManager from "~/server/internal/acls";
 import libraryManager from "~/server/internal/library";
 import {
   GameMetadataSearchResult,
@@ -5,8 +6,10 @@ import {
 } from "~/server/internal/metadata/types";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "import:game:new",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const body = await readBody(h3);
 
diff --git a/server/api/v1/admin/import/game/search.get.ts b/server/api/v1/admin/import/game/search.get.ts
index 90c93445..adf5109a 100644
--- a/server/api/v1/admin/import/game/search.get.ts
+++ b/server/api/v1/admin/import/game/search.get.ts
@@ -1,8 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import libraryManager from "~/server/internal/library";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "import:game:read",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const query = getQuery(h3);
   const search = query.q?.toString();
diff --git a/server/api/v1/admin/import/version/index.get.ts b/server/api/v1/admin/import/version/index.get.ts
index 98251a4f..8d60a05b 100644
--- a/server/api/v1/admin/import/version/index.get.ts
+++ b/server/api/v1/admin/import/version/index.get.ts
@@ -1,8 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import libraryManager from "~/server/internal/library";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "import:version:read",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const query = await getQuery(h3);
   const gameId = query.id?.toString();
diff --git a/server/api/v1/admin/import/version/index.post.ts b/server/api/v1/admin/import/version/index.post.ts
index 1dfe99a7..3460b20e 100644
--- a/server/api/v1/admin/import/version/index.post.ts
+++ b/server/api/v1/admin/import/version/index.post.ts
@@ -1,10 +1,13 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 import libraryManager from "~/server/internal/library";
 import { parsePlatform } from "~/server/internal/utils/parseplatform";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "import:version:new",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const body = await readBody(h3);
   const gameId = body.id;
diff --git a/server/api/v1/admin/import/version/preload.get.ts b/server/api/v1/admin/import/version/preload.get.ts
index d14e0f53..b8429b34 100644
--- a/server/api/v1/admin/import/version/preload.get.ts
+++ b/server/api/v1/admin/import/version/preload.get.ts
@@ -1,8 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import libraryManager from "~/server/internal/library";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, [
+    "import:version:read",
+  ]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const query = await getQuery(h3);
   const gameId = query.id?.toString();
diff --git a/server/api/v1/admin/index.get.ts b/server/api/v1/admin/index.get.ts
deleted file mode 100644
index 9cb0d05e..00000000
--- a/server/api/v1/admin/index.get.ts
+++ /dev/null
@@ -1,6 +0,0 @@
-export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getUser(h3);
-  if (!user)
-    throw createError({ statusCode: 403, statusMessage: "Not authenticated" });
-  return { admin: user.admin };
-});
diff --git a/server/api/v1/admin/library/index.get.ts b/server/api/v1/admin/library/index.get.ts
index d526c1f7..192a7c25 100644
--- a/server/api/v1/admin/library/index.get.ts
+++ b/server/api/v1/admin/library/index.get.ts
@@ -1,8 +1,9 @@
+import aclManager from "~/server/internal/acls";
 import libraryManager from "~/server/internal/library";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, ["library:read"]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const unimportedGames = await libraryManager.fetchAllUnimportedGames();
   const games = await libraryManager.fetchGamesWithStatus();
diff --git a/server/api/v1/news/[id].delete.ts b/server/api/v1/admin/news/[id].delete.ts
similarity index 100%
rename from server/api/v1/news/[id].delete.ts
rename to server/api/v1/admin/news/[id].delete.ts
diff --git a/server/api/v1/news/index.post.ts b/server/api/v1/admin/news/index.post.ts
similarity index 100%
rename from server/api/v1/news/index.post.ts
rename to server/api/v1/admin/news/index.post.ts
diff --git a/server/api/v1/admin/user/index.get.ts b/server/api/v1/admin/user/index.get.ts
index b241860d..8b1df155 100644
--- a/server/api/v1/admin/user/index.get.ts
+++ b/server/api/v1/admin/user/index.get.ts
@@ -1,8 +1,9 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getAdminUser(h3);
-  if (!user) throw createError({ statusCode: 403 });
+  const allowed = await aclManager.allowSystemACL(h3, ["user:read"]);
+  if (!allowed) throw createError({ statusCode: 403 });
 
   const users = await prisma.user.findMany({});
 
diff --git a/server/api/v1/auth/signin/simple.post.ts b/server/api/v1/auth/signin/simple.post.ts
index 54e9f14e..996bf2b3 100644
--- a/server/api/v1/auth/signin/simple.post.ts
+++ b/server/api/v1/auth/signin/simple.post.ts
@@ -2,6 +2,7 @@ import { AuthMec } from "@prisma/client";
 import { JsonArray } from "@prisma/client/runtime/library";
 import prisma from "~/server/internal/db/database";
 import { checkHash } from "~/server/internal/security/simple";
+import sessionHandler from "~/server/internal/session";
 
 export default defineEventHandler(async (h3) => {
     const body = await readBody(h3);
@@ -31,7 +32,7 @@ export default defineEventHandler(async (h3) => {
     if (!await checkHash(password, hash.toString()))
         throw createError({ statusCode: 401, statusMessage: "Invalid username or password." });
 
-    await h3.context.session.setUserId(h3, authMek.userId, rememberMe);
+    await sessionHandler.setUserId(h3, authMek.userId, rememberMe);
 
     return { result: true, userId: authMek.userId }
 });
\ No newline at end of file
diff --git a/server/api/v1/client/auth/callback/index.get.ts b/server/api/v1/client/auth/callback/index.get.ts
index fd3a6176..ea8e4b31 100644
--- a/server/api/v1/client/auth/callback/index.get.ts
+++ b/server/api/v1/client/auth/callback/index.get.ts
@@ -1,7 +1,8 @@
 import clientHandler from "~/server/internal/clients/handler";
+import sessionHandler from "~/server/internal/session";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await sessionHandler.getUserId(h3);
   if (!userId) throw createError({ statusCode: 403 });
 
   const query = getQuery(h3);
diff --git a/server/api/v1/client/auth/callback/index.post.ts b/server/api/v1/client/auth/callback/index.post.ts
index bcc151e4..46eb0b34 100644
--- a/server/api/v1/client/auth/callback/index.post.ts
+++ b/server/api/v1/client/auth/callback/index.post.ts
@@ -1,7 +1,8 @@
 import clientHandler from "~/server/internal/clients/handler";
+import sessionHandler from "~/server/internal/session";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await sessionHandler.getUserId(h3);
   if (!userId) throw createError({ statusCode: 403 });
 
   const body = await readBody(h3);
diff --git a/server/api/v1/collection/[id]/entry.delete.ts b/server/api/v1/collection/[id]/entry.delete.ts
index 17c34765..575ae3c0 100644
--- a/server/api/v1/collection/[id]/entry.delete.ts
+++ b/server/api/v1/collection/[id]/entry.delete.ts
@@ -1,11 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import userLibraryManager from "~/server/internal/userlibrary";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["collections:remove"]);
   if (!userId)
     throw createError({
       statusCode: 403,
-      statusMessage: "Requires authentication",
     });
 
   const id = getRouterParam(h3, "id");
diff --git a/server/api/v1/collection/[id]/entry.post.ts b/server/api/v1/collection/[id]/entry.post.ts
index 2356e432..d6a2394f 100644
--- a/server/api/v1/collection/[id]/entry.post.ts
+++ b/server/api/v1/collection/[id]/entry.post.ts
@@ -1,11 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import userLibraryManager from "~/server/internal/userlibrary";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["collections:add"]);
   if (!userId)
     throw createError({
       statusCode: 403,
-      statusMessage: "Requires authentication",
     });
 
   const id = getRouterParam(h3, "id");
diff --git a/server/api/v1/collection/[id]/index.delete.ts b/server/api/v1/collection/[id]/index.delete.ts
index d275036a..e00b3d63 100644
--- a/server/api/v1/collection/[id]/index.delete.ts
+++ b/server/api/v1/collection/[id]/index.delete.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import userLibraryManager from "~/server/internal/userlibrary";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["collections:delete"]);
   if (!userId)
     throw createError({
       statusCode: 403,
diff --git a/server/api/v1/collection/[id]/index.get.ts b/server/api/v1/collection/[id]/index.get.ts
index 04609e5c..9bb18540 100644
--- a/server/api/v1/collection/[id]/index.get.ts
+++ b/server/api/v1/collection/[id]/index.get.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import userLibraryManager from "~/server/internal/userlibrary";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["collections:read"]);
   if (!userId)
     throw createError({
       statusCode: 403,
diff --git a/server/api/v1/collection/default/entry.delete.ts b/server/api/v1/collection/default/entry.delete.ts
index d72dd74a..77f3c393 100644
--- a/server/api/v1/collection/default/entry.delete.ts
+++ b/server/api/v1/collection/default/entry.delete.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import userLibraryManager from "~/server/internal/userlibrary";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["library:remove"]);
   if (!userId)
     throw createError({
       statusCode: 403,
diff --git a/server/api/v1/collection/default/entry.post.ts b/server/api/v1/collection/default/entry.post.ts
index c4af2fc6..4c8b8fde 100644
--- a/server/api/v1/collection/default/entry.post.ts
+++ b/server/api/v1/collection/default/entry.post.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import userLibraryManager from "~/server/internal/userlibrary";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["library:add"]);
   if (!userId)
     throw createError({
       statusCode: 403,
diff --git a/server/api/v1/collection/default/index.get.ts b/server/api/v1/collection/default/index.get.ts
index 25057794..22a357d5 100644
--- a/server/api/v1/collection/default/index.get.ts
+++ b/server/api/v1/collection/default/index.get.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import userLibraryManager from "~/server/internal/userlibrary";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["collections:read"]);
   if (!userId)
     throw createError({
       statusCode: 403,
diff --git a/server/api/v1/collection/index.get.ts b/server/api/v1/collection/index.get.ts
index 76a3f51f..2d4c4202 100644
--- a/server/api/v1/collection/index.get.ts
+++ b/server/api/v1/collection/index.get.ts
@@ -1,11 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import userLibraryManager from "~/server/internal/userlibrary";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["collections:new"]);
   if (!userId)
     throw createError({
       statusCode: 403,
-      statusMessage: "Requires authentication",
     });
     
   const collections = await userLibraryManager.fetchCollections(userId);
diff --git a/server/api/v1/collection/index.post.ts b/server/api/v1/collection/index.post.ts
index 4841b133..1d3daadd 100644
--- a/server/api/v1/collection/index.post.ts
+++ b/server/api/v1/collection/index.post.ts
@@ -1,11 +1,11 @@
+import aclManager from "~/server/internal/acls";
 import userLibraryManager from "~/server/internal/userlibrary";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["collections:read"]);
   if (!userId)
     throw createError({
       statusCode: 403,
-      statusMessage: "Requires authentication",
     });
 
   const body = await readBody(h3);
diff --git a/server/api/v1/games/[id]/index.get.ts b/server/api/v1/games/[id]/index.get.ts
index 94d4b6f0..d7c1ed8c 100644
--- a/server/api/v1/games/[id]/index.get.ts
+++ b/server/api/v1/games/[id]/index.get.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["store:read"]);
   if (!userId) throw createError({ statusCode: 403 });
 
   const gameId = getRouterParam(h3, "id");
diff --git a/server/api/v1/news/[id].get.ts b/server/api/v1/news/[id]/index.get.ts
similarity index 100%
rename from server/api/v1/news/[id].get.ts
rename to server/api/v1/news/[id]/index.get.ts
diff --git a/server/api/v1/notifications/[id]/index.delete.ts b/server/api/v1/notifications/[id]/index.delete.ts
index c89a147d..a8f63ab3 100644
--- a/server/api/v1/notifications/[id]/index.delete.ts
+++ b/server/api/v1/notifications/[id]/index.delete.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["notifications:delete"]);
   if (!userId) throw createError({ statusCode: 403 });
 
   const notificationId = getRouterParam(h3, "id");
diff --git a/server/api/v1/notifications/[id]/index.get.ts b/server/api/v1/notifications/[id]/index.get.ts
index 0d9b2c21..75129aaf 100644
--- a/server/api/v1/notifications/[id]/index.get.ts
+++ b/server/api/v1/notifications/[id]/index.get.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["notifications:read"]);
   if (!userId) throw createError({ statusCode: 403 });
 
   const notificationId = getRouterParam(h3, "id");
diff --git a/server/api/v1/notifications/[id]/read.post.ts b/server/api/v1/notifications/[id]/read.post.ts
index ef180c40..8f938448 100644
--- a/server/api/v1/notifications/[id]/read.post.ts
+++ b/server/api/v1/notifications/[id]/read.post.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["notifications:mark"]);
   if (!userId) throw createError({ statusCode: 403 });
 
   const notificationId = getRouterParam(h3, "id");
diff --git a/server/api/v1/notifications/index.get.ts b/server/api/v1/notifications/index.get.ts
index 65a6cba1..9c3502f4 100644
--- a/server/api/v1/notifications/index.get.ts
+++ b/server/api/v1/notifications/index.get.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["notifications:read"]);
   if (!userId) throw createError({ statusCode: 403 });
 
   const notifications = await prisma.notification.findMany({
diff --git a/server/api/v1/notifications/readall.post.ts b/server/api/v1/notifications/readall.post.ts
index 9f29bbaf..7b119277 100644
--- a/server/api/v1/notifications/readall.post.ts
+++ b/server/api/v1/notifications/readall.post.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["notifications:mark"]);
   if (!userId) throw createError({ statusCode: 403 });
 
   await prisma.notification.updateMany({
diff --git a/server/api/v1/notifications/ws.get.ts b/server/api/v1/notifications/ws.get.ts
index 13091285..ebd65745 100644
--- a/server/api/v1/notifications/ws.get.ts
+++ b/server/api/v1/notifications/ws.get.ts
@@ -1,6 +1,7 @@
 import notificationSystem from "~/server/internal/notifications";
 import session from "~/server/internal/session";
 import { parse as parseCookies } from "cookie-es";
+import aclManager from "~/server/internal/acls";
 
 // TODO add web socket sessions for horizontal scaling
 // Peer ID to user ID
@@ -8,16 +9,10 @@ const socketSessions: { [key: string]: string } = {};
 
 export default defineWebSocketHandler({
   async open(peer) {
-    const cookies = peer.request?.headers?.get("Cookie");
-    if (!cookies) {
-      peer.send("unauthenticated");
-      return;
-    }
-
-    const parsedCookies = parseCookies(cookies);
-    const token = parsedCookies[session.getDropTokenCookie()];
-
-    const userId = await session.getUserIdRaw(token);
+    const userId = await aclManager.getUserIdACL(
+      { headers: peer.request?.headers ?? new Headers() },
+      ["notifications:listen"]
+    );
     if (!userId) {
       peer.send("unauthenticated");
       return;
diff --git a/server/api/v1/object/[id]/index.delete.ts b/server/api/v1/object/[id]/index.delete.ts
index 2bd2e352..60802f1b 100644
--- a/server/api/v1/object/[id]/index.delete.ts
+++ b/server/api/v1/object/[id]/index.delete.ts
@@ -1,8 +1,10 @@
+import aclManager from "~/server/internal/acls";
+
 export default defineEventHandler(async (h3) => {
   const id = getRouterParam(h3, "id");
   if (!id) throw createError({ statusCode: 400, statusMessage: "Invalid ID" });
 
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["object:delete"]);
 
   const result = await h3.context.objects.deleteWithPermission(id, userId);
   return { success: result };
diff --git a/server/api/v1/object/[id]/index.get.ts b/server/api/v1/object/[id]/index.get.ts
index afdf6927..3e48981b 100644
--- a/server/api/v1/object/[id]/index.get.ts
+++ b/server/api/v1/object/[id]/index.get.ts
@@ -1,8 +1,10 @@
+import aclManager from "~/server/internal/acls";
+
 export default defineEventHandler(async (h3) => {
   const id = getRouterParam(h3, "id");
   if (!id) throw createError({ statusCode: 400, statusMessage: "Invalid ID" });
 
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["object:read"]);
 
   const object = await h3.context.objects.fetchWithPermissions(id, userId);
   if (!object)
diff --git a/server/api/v1/object/[id]/index.post.ts b/server/api/v1/object/[id]/index.post.ts
index 6fcbb1cd..a27e18dc 100644
--- a/server/api/v1/object/[id]/index.post.ts
+++ b/server/api/v1/object/[id]/index.post.ts
@@ -1,3 +1,5 @@
+import aclManager from "~/server/internal/acls";
+
 export default defineEventHandler(async (h3) => {
   const id = getRouterParam(h3, "id");
   if (!id) throw createError({ statusCode: 400, statusMessage: "Invalid ID" });
@@ -9,7 +11,7 @@ export default defineEventHandler(async (h3) => {
       statusMessage: "Invalid upload",
     });
 
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserIdACL(h3, ["object:update"]);
   const buffer = Buffer.from(body);
 
   const result = await h3.context.objects.writeWithPermissions(
diff --git a/server/api/v1/store/developers.ts b/server/api/v1/store/developers.ts
index a47f846a..79e3124c 100644
--- a/server/api/v1/store/developers.ts
+++ b/server/api/v1/store/developers.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserACL(h3, ["store:read"]);
   if (!userId) throw createError({ statusCode: 403 });
 
   const developers = await prisma.developer.findMany({
diff --git a/server/api/v1/store/publishers.ts b/server/api/v1/store/publishers.ts
index 85873366..9fef6ff6 100644
--- a/server/api/v1/store/publishers.ts
+++ b/server/api/v1/store/publishers.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserACL(h3, ["store:read"]);
   if (!userId) throw createError({ statusCode: 403 });
 
   const publishers = await prisma.publisher.findMany({
diff --git a/server/api/v1/store/recent.get.ts b/server/api/v1/store/recent.get.ts
index 16d3fac8..be137f0b 100644
--- a/server/api/v1/store/recent.get.ts
+++ b/server/api/v1/store/recent.get.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserACL(h3, ["store:read"]);
   if (!userId) throw createError({ statusCode: 403 });
 
   const games = await prisma.game.findMany({
diff --git a/server/api/v1/store/released.get.ts b/server/api/v1/store/released.get.ts
index 494d5fe2..37c729c2 100644
--- a/server/api/v1/store/released.get.ts
+++ b/server/api/v1/store/released.get.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserACL(h3, ["store:read"]);
   if (!userId) throw createError({ statusCode: 403 });
 
   const games = await prisma.game.findMany({
diff --git a/server/api/v1/store/updated.get.ts b/server/api/v1/store/updated.get.ts
index a1862163..520033e3 100644
--- a/server/api/v1/store/updated.get.ts
+++ b/server/api/v1/store/updated.get.ts
@@ -1,7 +1,8 @@
+import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
 
 export default defineEventHandler(async (h3) => {
-  const userId = await h3.context.session.getUserId(h3);
+  const userId = await aclManager.getUserACL(h3, ["store:read"]);
   if (!userId) throw createError({ statusCode: 403 });
 
   const versions = await prisma.gameVersion.findMany({
diff --git a/server/api/v1/task/index.get.ts b/server/api/v1/task/index.get.ts
index dc856346..ccb2b3ad 100644
--- a/server/api/v1/task/index.get.ts
+++ b/server/api/v1/task/index.get.ts
@@ -1,46 +1,39 @@
 import session from "~/server/internal/session";
 import taskHandler, { TaskMessage } from "~/server/internal/tasks";
 import { parse as parseCookies } from "cookie-es";
+import { MinimumRequestObject } from "~/server/h3";
 
 // TODO add web socket sessions for horizontal scaling
 // ID to admin
-const adminSocketSessions: { [key: string]: boolean } = {};
+const socketHeaders: { [key: string]: MinimumRequestObject } = {};
 
 export default defineWebSocketHandler({
   async open(peer) {
-    const cookies = peer.request?.headers?.get("Cookie");
-    if (!cookies) {
+    const request = peer.request;
+    if (!request) {
       peer.send("unauthenticated");
       return;
     }
 
-    const parsedCookies = parseCookies(cookies);
-    const token = parsedCookies[session.getDropTokenCookie()];
-
-    const userId = await session.getUserIdRaw(token);
-    if (!userId) {
-      peer.send("unauthenticated");
-      return;
-    }
-
-    const admin = session.getAdminUser(token);
-    adminSocketSessions[peer.id] = admin !== undefined;
+    socketHeaders[peer.id] = {
+      headers: request.headers ?? new Headers(),
+    };
     peer.send(`connect`);
   },
   message(peer, message) {
     if (!peer.id) return;
-    if (adminSocketSessions[peer.id] === undefined) return;
+    if (socketHeaders[peer.id] === undefined) return;
     const text = message.text();
     if (text.startsWith("connect/")) {
       const id = text.substring("connect/".length);
-      taskHandler.connect(peer.id, id, peer, adminSocketSessions[peer.id]);
+      taskHandler.connect(peer.id, id, peer, socketHeaders[peer.id]);
       return;
     }
   },
   close(peer, details) {
     if (!peer.id) return;
-    if (adminSocketSessions[peer.id] === undefined) return;
-    delete adminSocketSessions[peer.id];
+    if (socketHeaders[peer.id] === undefined) return;
+    delete socketHeaders[peer.id];
 
     taskHandler.disconnectAll(peer.id);
   },
diff --git a/server/api/v1/user/index.get.ts b/server/api/v1/user/index.get.ts
index b611c1c0..fb8a2544 100644
--- a/server/api/v1/user/index.get.ts
+++ b/server/api/v1/user/index.get.ts
@@ -1,4 +1,6 @@
+import aclManager from "~/server/internal/acls";
+
 export default defineEventHandler(async (h3) => {
-  const user = await h3.context.session.getUser(h3);
+  const user = await aclManager.getUserACL(h3, ["read"]);
   return user ?? null; // Need to specifically return null
 });
diff --git a/server/h3.d.ts b/server/h3.d.ts
index 7b7c1baf..e2fddb45 100644
--- a/server/h3.d.ts
+++ b/server/h3.d.ts
@@ -6,9 +6,9 @@ import { SessionHandler } from "./internal/session";
 export * from "h3";
 declare module "h3" {
   interface H3EventContext {
-    session: SessionHandler;
-    metadataHandler: MetadataHandler;
     ca: CertificateAuthority;
-    objects: ObjectBackend
+    objects: ObjectBackend;
   }
 }
+
+export type MinimumRequestObject = { headers: Headers };
diff --git a/server/internal/acls/index.ts b/server/internal/acls/index.ts
new file mode 100644
index 00000000..874fa542
--- /dev/null
+++ b/server/internal/acls/index.ts
@@ -0,0 +1,152 @@
+import { APITokenMode, User } from "@prisma/client";
+import { H3Context, H3Event } from "h3";
+import prisma from "../db/database";
+import sessionHandler from "../session";
+import { MinimumRequestObject } from "~/server/h3";
+
+const userACLs = [
+  "read",
+
+  "store:read",
+
+  "object:read",
+  "object:update",
+  "object:delete",
+
+  "notifications:read",
+  "notifications:mark",
+  "notifications:listen",
+  "notifications:delete",
+
+  "collections:new",
+  "collections:read",
+  "collections:delete",
+  "collections:add",
+  "collections:remove",
+  "library:add",
+  "library:remove",
+
+  "news:read",
+] as const;
+const userACLPrefix = "user:";
+
+type UserACL = Array<(typeof userACLs)[number]>;
+
+const systemACLs = [
+  "auth:simple:invitation:read",
+  "auth:simple:invitation:new",
+  "auth:simple:invitation:delete",
+
+  "library:read",
+  "game:read",
+  "game:update",
+  "game:delete",
+  "game:version:update",
+  "game:version:delete",
+  "game:image:new",
+  "game:image:delete",
+
+  "import:version:read",
+  "import:version:new",
+
+  "import:game:read",
+  "import:game:new",
+
+  "user:read",
+] as const;
+const systemACLPrefix = "system:";
+
+type SystemACL = Array<(typeof systemACLs)[number]>;
+
+class ACLManager {
+  private getAuthorizationToken(request: MinimumRequestObject) {
+    const [type, token] =
+      request.headers.get("Authorization")?.split(" ") ?? [];
+    if (!type || !token) return undefined;
+    if (type != "Bearer") return undefined;
+    return token;
+  }
+
+  async getUserIdACL(request: MinimumRequestObject | undefined, acls: UserACL) {
+    if (!request)
+      throw new Error("Native web requests not available - weird deployment?");
+    // Sessions automatically have all ACLs
+    const userId = await sessionHandler.getUserId(request);
+    if (userId) return userId;
+
+    const authorizationToken = this.getAuthorizationToken(request);
+    if (!authorizationToken) return undefined;
+    const token = await prisma.aPIToken.findUnique({
+      where: { token: authorizationToken },
+    });
+    if (!token) return undefined;
+    if (token.mode != APITokenMode.User || !token.userId) return undefined; // If it's a system token
+
+    for (const acl of acls) {
+      const tokenACLIndex = token.acls.findIndex((e) => e == acl);
+      if (tokenACLIndex != -1) return token.userId;
+    }
+
+    return undefined;
+  }
+
+  async getUserACL(request: MinimumRequestObject | undefined, acls: UserACL) {
+    if (!request)
+      throw new Error("Native web requests not available - weird deployment?");
+    const userId = await this.getUserIdACL(request, acls);
+    if (!userId) return undefined;
+    const user = await prisma.user.findUnique({ where: { id: userId } });
+    if (user) return user;
+    return undefined;
+  }
+
+  async allowSystemACL(
+    request: MinimumRequestObject | undefined,
+    acls: SystemACL
+  ) {
+    if (!request)
+      throw new Error("Native web requests not available - weird deployment?");
+    const userId = await sessionHandler.getUserId(request);
+    if (userId) {
+      const user = await prisma.user.findUnique({ where: { id: userId } });
+      if (!user) return false;
+      if (user.admin) return true;
+      return false;
+    }
+
+    const authorizationToken = this.getAuthorizationToken(request);
+    if (!authorizationToken) return false;
+    const token = await prisma.aPIToken.findUnique({
+      where: { token: authorizationToken },
+    });
+    if (!token) return false;
+    if (token.mode != APITokenMode.System) return false;
+    for (const acl of acls) {
+      const tokenACLIndex = token.acls.findIndex((e) => e == acl);
+      if (tokenACLIndex != -1) return true;
+    }
+
+    return false;
+  }
+
+  async hasACL(request: MinimumRequestObject | undefined, acls: string[]) {
+    for (const acl of acls) {
+      if (acl.startsWith(userACLPrefix)) {
+        const rawACL = acl.substring(userACLPrefix.length);
+        const userId = await this.getUserIdACL(request, [rawACL as any]);
+        if (!userId) return false;
+      }
+
+      if (acl.startsWith(systemACLPrefix)) {
+        const rawACL = acl.substring(systemACLPrefix.length);
+        const allowed = await this.allowSystemACL(request, [rawACL as any]);
+        if (!allowed) return false;
+      }
+    }
+
+    return true;
+  }
+}
+
+export const aclManager = new ACLManager();
+export default aclManager;
diff --git a/server/internal/applibrary/README.md b/server/internal/applibrary/README.md
deleted file mode 100644
index e33b8add..00000000
--- a/server/internal/applibrary/README.md
+++ /dev/null
@@ -1,11 +0,0 @@
-# Library Format
-
-Drop uses a filesystem-based library format, as it targets homelabs and not enterprise-grade solutions. The format works as follows:
-
-## /{game name}
-
-The game name is only used for initial matching, and doesn't affect actual metadata. Metadata is linked to the game's database entry, which is linked to it's filesystem name (they, however, can be completely different).
-
-## /{game name}/{version name}
-
-The version name can be anything. Versions have to manually imported within the web UI. There, you can change the order of the updates and mark them as deltas. Delta updates apply files over the previous versions. 
\ No newline at end of file
diff --git a/server/internal/applibrary/index.ts b/server/internal/applibrary/index.ts
deleted file mode 100644
index 308c90d6..00000000
--- a/server/internal/applibrary/index.ts
+++ /dev/null
@@ -1,309 +0,0 @@
-/**
- * The Library Manager keeps track of games in Drop's library and their various states.
- * It uses path relative to the library, so it can moved without issue
- *
- * It also provides the endpoints with information about unmatched games
- */
-
-import fs from "fs";
-import path from "path";
-import prisma from "../db/database";
-import { GameVersion, Platform } from "@prisma/client";
-import { fuzzy } from "fast-fuzzy";
-import { recursivelyReaddir } from "../utils/recursivedirs";
-import taskHandler from "../tasks";
-import { parsePlatform } from "../utils/parseplatform";
-import droplet from "@drop/droplet";
-
-class AppLibraryManager {
-  private basePath: string;
-
-  constructor() {
-    this.basePath = process.env.LIBRARY ?? "./.data/library";
-    fs.mkdirSync(this.basePath, { recursive: true });
-  }
-
-  fetchLibraryPath() {
-    return this.basePath;
-  }
-
-  async fetchAllUnimportedGames() {
-    const dirs = fs.readdirSync(this.basePath).filter((e) => {
-      const fullDir = path.join(this.basePath, e);
-      return fs.lstatSync(fullDir).isDirectory();
-    });
-
-    const validGames = await prisma.game.findMany({
-      where: {
-        libraryBasePath: { in: dirs },
-      },
-      select: {
-        libraryBasePath: true,
-      },
-    });
-    const validGameDirs = validGames.map((e) => e.libraryBasePath);
-
-    const unregisteredGames = dirs.filter((e) => !validGameDirs.includes(e));
-
-    return unregisteredGames;
-  }
-
-  async fetchUnimportedGameVersions(
-    libraryBasePath: string,
-    versions: Array<GameVersion>
-  ) {
-    const gameDir = path.join(this.basePath, libraryBasePath);
-    const versionsDirs = fs.readdirSync(gameDir);
-    const importedVersionDirs = versions.map((e) => e.versionName);
-    const unimportedVersions = versionsDirs.filter(
-      (e) => !importedVersionDirs.includes(e)
-    );
-
-    return unimportedVersions;
-  }
-
-  async fetchGamesWithStatus() {
-    const games = await prisma.game.findMany({
-      select: {
-        id: true,
-        versions: true,
-        mName: true,
-        mShortDescription: true,
-        metadataSource: true,
-        mDevelopers: true,
-        mPublishers: true,
-        mIconId: true,
-        libraryBasePath: true,
-      },
-      orderBy: {
-        mName: "asc",
-      },
-    });
-
-    return await Promise.all(
-      games.map(async (e) => ({
-        game: e,
-        status: {
-          noVersions: e.versions.length == 0,
-          unimportedVersions: await this.fetchUnimportedGameVersions(
-            e.libraryBasePath,
-            e.versions
-          ),
-        },
-      }))
-    );
-  }
-
-  async fetchUnimportedVersions(gameId: string) {
-    const game = await prisma.game.findUnique({
-      where: { id: gameId },
-      select: {
-        versions: {
-          select: {
-            versionName: true,
-          },
-        },
-        libraryBasePath: true,
-      },
-    });
-
-    if (!game) return undefined;
-    const targetDir = path.join(this.basePath, game.libraryBasePath);
-    if (!fs.existsSync(targetDir))
-      throw new Error(
-        "Game in database, but no physical directory? Something is very very wrong..."
-      );
-    const versions = fs.readdirSync(targetDir);
-    const validVersions = versions.filter((versionDir) => {
-      const versionPath = path.join(targetDir, versionDir);
-      const stat = fs.statSync(versionPath);
-      return stat.isDirectory();
-    });
-    const currentVersions = game.versions.map((e) => e.versionName);
-
-    const unimportedVersions = validVersions.filter(
-      (e) => !currentVersions.includes(e)
-    );
-    return unimportedVersions;
-  }
-
-  async fetchUnimportedVersionInformation(gameId: string, versionName: string) {
-    const game = await prisma.game.findUnique({
-      where: { id: gameId },
-      select: { libraryBasePath: true, mName: true },
-    });
-    if (!game) return undefined;
-    const targetDir = path.join(
-      this.basePath,
-      game.libraryBasePath,
-      versionName
-    );
-    if (!fs.existsSync(targetDir)) return undefined;
-
-    const fileExts: { [key: string]: string[] } = {
-      Linux: [
-        // Ext for Unity games
-        ".x86_64",
-        // Shell scripts
-        ".sh",
-        // No extension is common for Linux binaries
-        "",
-      ],
-      Windows: [
-        // Pretty much the only one
-        ".exe",
-      ],
-    };
-
-    const options: Array<{
-      filename: string;
-      platform: string;
-      match: number;
-    }> = [];
-
-    const files = recursivelyReaddir(targetDir, 2);
-    for (const file of files) {
-      const filename = path.basename(file);
-      const dotLocation = file.lastIndexOf(".");
-      const ext = dotLocation == -1 ? "" : file.slice(dotLocation);
-      for (const [platform, checkExts] of Object.entries(fileExts)) {
-        for (const checkExt of checkExts) {
-          if (checkExt != ext) continue;
-          const fuzzyValue = fuzzy(filename, game.mName);
-          const relative = path.relative(targetDir, file);
-          options.push({
-            filename: relative,
-            platform: platform,
-            match: fuzzyValue,
-          });
-        }
-      }
-    }
-
-    const sortedOptions = options.sort((a, b) => b.match - a.match);
-
-    return sortedOptions;
-  }
-
-  // Checks are done in least to most expensive order
-  async checkUnimportedGamePath(targetPath: string) {
-    const targetDir = path.join(this.basePath, targetPath);
-    if (!fs.existsSync(targetDir)) return false;
-
-    const hasGame =
-      (await prisma.game.count({ where: { libraryBasePath: targetPath } })) > 0;
-    if (hasGame) return false;
-
-    return true;
-  }
-
-  async importVersion(
-    gameId: string,
-    versionName: string,
-    metadata: {
-      platform: string;
-      onlySetup: boolean;
-
-      setup: string;
-      setupArgs: string;
-      launch: string;
-      launchArgs: string;
-      delta: boolean;
-
-      umuId: string;
-    }
-  ) {
-    const taskId = `import:${gameId}:${versionName}`;
-
-    const platform = parsePlatform(metadata.platform);
-    if (!platform) return undefined;
-
-    const game = await prisma.game.findUnique({
-      where: { id: gameId },
-      select: { mName: true, libraryBasePath: true },
-    });
-    if (!game) return undefined;
-
-    const baseDir = path.join(this.basePath, game.libraryBasePath, versionName);
-    if (!fs.existsSync(baseDir)) return undefined;
-
-    taskHandler.create({
-      id: taskId,
-      name: `Importing version ${versionName} for ${game.mName}`,
-      requireAdmin: true,
-      async run({ progress, log }) {
-        // First, create the manifest via droplet.
-        // This takes up 90% of our progress, so we wrap it in a *0.9
-        const manifest = await new Promise<string>((resolve, reject) => {
-          droplet.generateManifest(
-            baseDir,
-            (err, value) => {
-              if (err) return reject(err);
-              progress(value * 0.9);
-            },
-            (err, line) => {
-              if (err) return reject(err);
-              log(line);
-            },
-            (err, manifest) => {
-              if (err) return reject(err);
-              resolve(manifest);
-            }
-          );
-        });
-
-        log("Created manifest successfully!");
-
-        const currentIndex = await prisma.gameVersion.count({
-          where: { gameId: gameId },
-        });
-
-        // Then, create the database object
-        if (metadata.onlySetup) {
-          await prisma.gameVersion.create({
-            data: {
-              gameId: gameId,
-              versionName: versionName,
-              dropletManifest: manifest,
-              versionIndex: currentIndex,
-              delta: metadata.delta,
-              umuIdOverride: metadata.umuId,
-              platform: platform,
-
-              onlySetup: true,
-              setupCommand: metadata.setup,
-              setupArgs: metadata.setupArgs.split(" "),
-            },
-          });
-        } else {
-          await prisma.gameVersion.create({
-            data: {
-              gameId: gameId,
-              versionName: versionName,
-              dropletManifest: manifest,
-              versionIndex: currentIndex,
-              delta: metadata.delta,
-              umuIdOverride: metadata.umuId,
-              platform: platform,
-
-              onlySetup: false,
-              setupCommand: metadata.setup,
-              setupArgs: metadata.setupArgs.split(" "),
-              launchCommand: metadata.launch,
-              launchArgs: metadata.launchArgs.split(" "),
-            },
-          });
-        }
-
-        log("Successfully created version!");
-
-        progress(100);
-      },
-    });
-
-    return taskId;
-  }
-}
-
-export const appLibraryManager = new AppLibraryManager();
-export default appLibraryManager;
diff --git a/server/internal/library/index.ts b/server/internal/library/index.ts
index 2ed0a4e9..b33f9980 100644
--- a/server/internal/library/index.ts
+++ b/server/internal/library/index.ts
@@ -230,7 +230,7 @@ class LibraryManager {
     taskHandler.create({
       id: taskId,
       name: `Importing version ${versionName} for ${game.mName}`,
-      requireAdmin: true,
+      acls: ["system:import:version:read"],
       async run({ progress, log }) {
         // First, create the manifest via droplet.
         // This takes up 90% of our progress, so we wrap it in a *0.9
diff --git a/server/internal/objects/index.ts b/server/internal/objects/index.ts
index 1a6b4508..5d97c451 100644
--- a/server/internal/objects/index.ts
+++ b/server/internal/objects/index.ts
@@ -76,7 +76,7 @@ export abstract class ObjectBackend {
       }
       if (source instanceof Buffer) {
         const mime =
-          getMimeTypeBuffer(source)?.mime ?? "application/octet-stream";
+          getMimeTypeBuffer(new Uint8Array(source).buffer)?.mime ?? "application/octet-stream";
         return { source: source, mime };
       }
 
diff --git a/server/internal/session/index.ts b/server/internal/session/index.ts
index ec9cf96c..3049b221 100644
--- a/server/internal/session/index.ts
+++ b/server/internal/session/index.ts
@@ -4,6 +4,8 @@ import { SessionProvider } from "./types";
 import prisma from "../db/database";
 import { v4 as uuidv4 } from "uuid";
 import moment from "moment";
+import { parse as parseCookies } from "cookie-es";
+import { MinimumRequestObject } from "~/server/h3";
 
 /*
 This implementation may need work.
@@ -25,8 +27,12 @@ export class SessionHandler {
     this.sessionProvider = createMemorySessionProvider();
   }
 
-  private getSessionToken(h3: H3Event) {
-    const cookie = getCookie(h3, dropTokenCookie);
+  private getSessionToken(request: MinimumRequestObject | undefined) {
+    if(!request) throw new Error("Native web request not available");
+    const cookieHeader = request.headers.get("Cookie");
+    if (!cookieHeader) return undefined;
+    const cookies = parseCookies(cookieHeader);
+    const cookie = cookies[dropTokenCookie];
     return cookie;
   }
 
@@ -47,8 +53,8 @@ export class SessionHandler {
     return dropTokenCookie;
   }
 
-  async getSession<T extends Session>(h3: H3Event) {
-    const token = this.getSessionToken(h3);
+  async getSession<T extends Session>(request: MinimumRequestObject) {
+    const token = this.getSessionToken(request);
     if (!token) return undefined;
     const data = await this.sessionProvider.getSession<{ [userSessionKey]: T }>(
       token
@@ -68,14 +74,14 @@ export class SessionHandler {
 
     return result;
   }
-  async clearSession(h3: H3Event) {
-    const token = this.getSessionToken(h3);
+  async clearSession(request: MinimumRequestObject) {
+    const token = this.getSessionToken(request);
     if (!token) return false;
     await this.sessionProvider.clearSession(token);
     return true;
   }
 
-  async getUserId(h3: H3Event) {
+  async getUserId(h3: MinimumRequestObject) {
     const token = this.getSessionToken(h3);
     if (!token) return undefined;
 
@@ -91,17 +97,6 @@ export class SessionHandler {
     return session[userIdKey];
   }
 
-  async getUser(obj: H3Event | string) {
-    const userId =
-      typeof obj === "string"
-        ? await this.getUserIdRaw(obj)
-        : await this.getUserId(obj);
-    if (!userId) return undefined;
-
-    const user = await prisma.user.findFirst({ where: { id: userId } });
-    return user;
-  }
-
   async setUserId(h3: H3Event, userId: string, extend = false) {
     const token =
       this.getSessionToken(h3) ?? (await this.createSession(h3, extend));
@@ -112,13 +107,7 @@ export class SessionHandler {
       userId
     );
   }
-
-  async getAdminUser(h3: H3Event | string) {
-    const user = await this.getUser(h3);
-    if (!user) return undefined;
-    if (!user.admin) return undefined;
-    return user;
-  }
 }
 
-export default new SessionHandler();
+export const sessionHandler = new SessionHandler();
+export default sessionHandler;
diff --git a/server/internal/tasks/index.ts b/server/internal/tasks/index.ts
index 8868b6ea..a70cf501 100644
--- a/server/internal/tasks/index.ts
+++ b/server/internal/tasks/index.ts
@@ -1,4 +1,6 @@
 import droplet from "@drop/droplet";
+import { MinimumRequestObject } from "~/server/h3";
+import aclManager from "../acls";
 
 /**
  * The TaskHandler setups up two-way connections to web clients and manages the state for them
@@ -13,7 +15,7 @@ type TaskRegistryEntry = {
   error: { title: string; description: string } | undefined;
   clients: { [key: string]: boolean };
   name: string;
-  requireAdmin: boolean;
+  acls: string[];
 };
 
 class TaskHandler {
@@ -84,7 +86,7 @@ class TaskHandler {
       error: undefined,
       log: [],
       clients: {},
-      requireAdmin: task.requireAdmin ?? false,
+      acls: task.acls,
     };
 
     updateAllClients(true);
@@ -113,7 +115,12 @@ class TaskHandler {
     });
   }
 
-  connect(id: string, taskId: string, peer: PeerImpl, isAdmin = false) {
+  async connect(
+    id: string,
+    taskId: string,
+    peer: PeerImpl,
+    request: MinimumRequestObject
+  ) {
     const task = this.taskRegistry[taskId];
     if (!task) {
       peer.send(
@@ -122,8 +129,9 @@ class TaskHandler {
       return;
     }
 
-    if (task.requireAdmin && !isAdmin) {
-      console.warn("user is not an admin, so cannot view this task");
+    const allowed = await aclManager.hasACL(request, task.acls);
+    if (!allowed) {
+      console.warn("user does not have necessary ACLs");
       peer.send(
         `error/${taskId}/Unknown task/Drop couldn't find the task you're looking for.`
       );
@@ -186,7 +194,7 @@ export interface Task {
   id: string;
   name: string;
   run: (context: TaskRunContext) => Promise<void>;
-  requireAdmin?: boolean;
+  acls: string[];
 }
 
 export type TaskMessage = {
diff --git a/server/plugins/redirect.ts b/server/plugins/redirect.ts
index fd1031c2..9ef78e30 100644
--- a/server/plugins/redirect.ts
+++ b/server/plugins/redirect.ts
@@ -1,4 +1,5 @@
 import { H3Error } from "h3";
+import sessionHandler from "../internal/session";
 
 export default defineNitroPlugin((nitro) => {
   nitro.hooks.hook("error", async (error, { event }) => {
@@ -13,9 +14,8 @@ export default defineNitroPlugin((nitro) => {
     switch (error.statusCode) {
       case 401:
       case 403:
-        const userId = await event.context.session.getUserId(event);
+        const userId = await sessionHandler.getUserId(event);
         if (userId) break;
-        console.log("user is signed out, redirecting");
         return sendRedirect(
           event,
           `/signin?redirect=${encodeURIComponent(event.path)}`
diff --git a/server/plugins/session.ts b/server/plugins/session.ts
deleted file mode 100644
index e8aea3cc..00000000
--- a/server/plugins/session.ts
+++ /dev/null
@@ -1,7 +0,0 @@
-import session from "../internal/session";
-
-export default defineNitroPlugin((nitro) => {
-    nitro.hooks.hook('request', (h3) => {
-        h3.context.session = session;
-    })
-});
\ No newline at end of file
diff --git a/server/routes/signout.get.ts b/server/routes/signout.get.ts
index 36b5a6f8..9706df9c 100644
--- a/server/routes/signout.get.ts
+++ b/server/routes/signout.get.ts
@@ -1,5 +1,7 @@
+import sessionHandler from "../internal/session";
+
 export default defineEventHandler(async (h3) => {
-  await h3.context.session.clearSession(h3);
+  await sessionHandler.clearSession(h3);
 
   return sendRedirect(h3, "/signin");
 });

From 0877638fc450b32d0a9b27c93dfe3a652306cbe2 Mon Sep 17 00:00:00 2001
From: DecDuck <declanahofmeyr@gmail.com>
Date: Fri, 7 Feb 2025 17:26:23 +1100
Subject: [PATCH 18/22] feat(acls): refactor & acl descriptions

---
 nuxt.config.ts                                |   2 +-
 .../api/v1/admin/game/image/index.delete.ts   |   3 +-
 server/api/v1/admin/import/game/index.post.ts |   5 +-
 server/api/v1/admin/import/game/search.get.ts |   4 +-
 server/api/v1/admin/user/token/token.get.ts   |   9 +
 server/api/v1/auth/signup/simple.post.ts      |   3 +-
 server/api/v1/client/auth/handshake.post.ts   |   7 +-
 server/api/v1/client/object/[id]/index.get.ts |   3 +-
 server/api/v1/object/[id]/index.delete.ts     |   3 +-
 server/api/v1/object/[id]/index.get.ts        |   3 +-
 server/api/v1/object/[id]/index.post.ts       |   3 +-
 server/internal/acls/descriptions.ts          |  58 ++++++
 server/internal/acls/index.ts                 |   4 +-
 server/internal/clients/ca.ts                 |   5 +-
 server/internal/clients/event-handler.ts      |   5 +-
 server/internal/metadata/index.ts             |   3 +-
 server/internal/objects/fsBackend.ts          |   2 +-
 server/internal/objects/index.ts              | 189 +-----------------
 server/internal/objects/objectHandler.ts      | 187 +++++++++++++++++
 server/internal/objects/transactional.ts      |   2 +-
 server/plugins/ca.ts                          |   9 -
 server/plugins/metadata.ts                    |  25 ---
 server/plugins/objects.ts                     |  10 -
 23 files changed, 291 insertions(+), 253 deletions(-)
 create mode 100644 server/api/v1/admin/user/token/token.get.ts
 create mode 100644 server/internal/acls/descriptions.ts
 create mode 100644 server/internal/objects/objectHandler.ts
 delete mode 100644 server/plugins/metadata.ts
 delete mode 100644 server/plugins/objects.ts

diff --git a/nuxt.config.ts b/nuxt.config.ts
index 2852dbbe..f241a58b 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -32,7 +32,7 @@ export default defineNuxtConfig({
     },
   },
 
-  extends: ['./drop-base'],
+  extends: ["./drop-base"],
 
   // Module config from here down
   modules: ["@nuxt/content", "vue3-carousel-nuxt"],
diff --git a/server/api/v1/admin/game/image/index.delete.ts b/server/api/v1/admin/game/image/index.delete.ts
index 3b6252c1..feb338e3 100644
--- a/server/api/v1/admin/game/image/index.delete.ts
+++ b/server/api/v1/admin/game/image/index.delete.ts
@@ -1,5 +1,6 @@
 import aclManager from "~/server/internal/acls";
 import prisma from "~/server/internal/db/database";
+import objectHandler from "~/server/internal/objects";
 
 export default defineEventHandler(async (h3) => {
   const allowed = await aclManager.allowSystemACL(h3, [
@@ -36,7 +37,7 @@ export default defineEventHandler(async (h3) => {
     throw createError({ statusCode: 400, statusMessage: "Image not found" });
 
   game.mImageLibrary.splice(imageIndex, 1);
-  await h3.context.objects.delete(imageId);
+  await objectHandler.delete(imageId);
   
   if (game.mBannerId === imageId) {
     game.mBannerId = game.mImageLibrary[0];
diff --git a/server/api/v1/admin/import/game/index.post.ts b/server/api/v1/admin/import/game/index.post.ts
index 15992334..504ea5f9 100644
--- a/server/api/v1/admin/import/game/index.post.ts
+++ b/server/api/v1/admin/import/game/index.post.ts
@@ -1,5 +1,6 @@
 import aclManager from "~/server/internal/acls";
 import libraryManager from "~/server/internal/library";
+import metadataHandler from "~/server/internal/metadata";
 import {
   GameMetadataSearchResult,
   GameMetadataSource,
@@ -30,8 +31,8 @@ export default defineEventHandler(async (h3) => {
     });
 
   if (!metadata || !metadata.id || !metadata.sourceId) {
-    return await h3.context.metadataHandler.createGameWithoutMetadata(path);
+    return await metadataHandler.createGameWithoutMetadata(path);
   } else {
-    return await h3.context.metadataHandler.createGame(metadata, path);
+    return await metadataHandler.createGame(metadata, path);
   }
 });
diff --git a/server/api/v1/admin/import/game/search.get.ts b/server/api/v1/admin/import/game/search.get.ts
index adf5109a..723de480 100644
--- a/server/api/v1/admin/import/game/search.get.ts
+++ b/server/api/v1/admin/import/game/search.get.ts
@@ -1,5 +1,5 @@
 import aclManager from "~/server/internal/acls";
-import libraryManager from "~/server/internal/library";
+import metadataHandler from "~/server/internal/metadata";
 
 export default defineEventHandler(async (h3) => {
   const allowed = await aclManager.allowSystemACL(h3, [
@@ -12,7 +12,7 @@ export default defineEventHandler(async (h3) => {
   if (!search)
     throw createError({ statusCode: 400, statusMessage: "Invalid search" });
 
-  const results = await h3.context.metadataHandler.search(search);
+  const results = await metadataHandler.search(search);
 
   if (results.length == 0)
     throw createError({
diff --git a/server/api/v1/admin/user/token/token.get.ts b/server/api/v1/admin/user/token/token.get.ts
new file mode 100644
index 00000000..d118809f
--- /dev/null
+++ b/server/api/v1/admin/user/token/token.get.ts
@@ -0,0 +1,9 @@
+import aclManager from "~/server/internal/acls";
+import { userACLDescriptions } from "~/server/internal/acls/descriptions";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.getUserIdACL(h3, []); // No ACLs only allows session authentication
+  if (!userId) throw createError({ statusCode: 403 });
+
+  return userACLDescriptions;
+});
diff --git a/server/api/v1/auth/signup/simple.post.ts b/server/api/v1/auth/signup/simple.post.ts
index e4e44181..f6e27faa 100644
--- a/server/api/v1/auth/signup/simple.post.ts
+++ b/server/api/v1/auth/signup/simple.post.ts
@@ -3,6 +3,7 @@ import prisma from "~/server/internal/db/database";
 import { createHash } from "~/server/internal/security/simple";
 import { v4 as uuidv4 } from "uuid";
 import * as jdenticon from "jdenticon";
+import objectHandler from "~/server/internal/objects";
 
 // Only really a simple test, in case people mistype their emails
 const mailRegex = /^\S+@\S+\.\S+$/;
@@ -88,7 +89,7 @@ export default defineEventHandler(async (h3) => {
   const userId = uuidv4();
 
   const profilePictureId = uuidv4();
-  await h3.context.objects.createFromSource(
+  await objectHandler.createFromSource(
     profilePictureId,
     async () => jdenticon.toPng(username, 256),
     {},
diff --git a/server/api/v1/client/auth/handshake.post.ts b/server/api/v1/client/auth/handshake.post.ts
index 9d69b51d..62785f50 100644
--- a/server/api/v1/client/auth/handshake.post.ts
+++ b/server/api/v1/client/auth/handshake.post.ts
@@ -1,4 +1,5 @@
 import clientHandler from "~/server/internal/clients/handler";
+import { useCertificateAuthority } from "~/server/plugins/ca";
 
 export default defineEventHandler(async (h3) => {
   const body = await readBody(h3);
@@ -27,14 +28,14 @@ export default defineEventHandler(async (h3) => {
       statusMessage: "Invalid token",
     });
 
-  const ca = h3.context.ca;
-  const bundle = await ca.generateClientCertificate(
+  const certificateAuthority = useCertificateAuthority();
+  const bundle = await certificateAuthority.generateClientCertificate(
     clientId,
     metadata.data.name
   );
 
   const client = await clientHandler.finialiseClient(clientId);
-  await ca.storeClientCertificate(clientId, bundle);
+  await certificateAuthority.storeClientCertificate(clientId, bundle);
 
   return {
     private: bundle.priv,
diff --git a/server/api/v1/client/object/[id]/index.get.ts b/server/api/v1/client/object/[id]/index.get.ts
index 5793b69c..962d30d3 100644
--- a/server/api/v1/client/object/[id]/index.get.ts
+++ b/server/api/v1/client/object/[id]/index.get.ts
@@ -1,4 +1,5 @@
 import { defineClientEventHandler } from "~/server/internal/clients/event-handler";
+import objectHandler from "~/server/internal/objects";
 
 export default defineClientEventHandler(async (h3, utils) => {
   const id = getRouterParam(h3, "id");
@@ -6,7 +7,7 @@ export default defineClientEventHandler(async (h3, utils) => {
 
   const user = await utils.fetchUser();
 
-  const object = await h3.context.objects.fetchWithPermissions(id, user.id);
+  const object = await objectHandler.fetchWithPermissions(id, user.id);
   if (!object)
     throw createError({ statusCode: 404, statusMessage: "Object not found" });
 
diff --git a/server/api/v1/object/[id]/index.delete.ts b/server/api/v1/object/[id]/index.delete.ts
index 60802f1b..ba8f568c 100644
--- a/server/api/v1/object/[id]/index.delete.ts
+++ b/server/api/v1/object/[id]/index.delete.ts
@@ -1,4 +1,5 @@
 import aclManager from "~/server/internal/acls";
+import objectHandler from "~/server/internal/objects";
 
 export default defineEventHandler(async (h3) => {
   const id = getRouterParam(h3, "id");
@@ -6,6 +7,6 @@ export default defineEventHandler(async (h3) => {
 
   const userId = await aclManager.getUserIdACL(h3, ["object:delete"]);
 
-  const result = await h3.context.objects.deleteWithPermission(id, userId);
+  const result = await objectHandler.deleteWithPermission(id, userId);
   return { success: result };
 });
diff --git a/server/api/v1/object/[id]/index.get.ts b/server/api/v1/object/[id]/index.get.ts
index 3e48981b..a67115c5 100644
--- a/server/api/v1/object/[id]/index.get.ts
+++ b/server/api/v1/object/[id]/index.get.ts
@@ -1,4 +1,5 @@
 import aclManager from "~/server/internal/acls";
+import objectHandler from "~/server/internal/objects";
 
 export default defineEventHandler(async (h3) => {
   const id = getRouterParam(h3, "id");
@@ -6,7 +7,7 @@ export default defineEventHandler(async (h3) => {
 
   const userId = await aclManager.getUserIdACL(h3, ["object:read"]);
 
-  const object = await h3.context.objects.fetchWithPermissions(id, userId);
+  const object = await objectHandler.fetchWithPermissions(id, userId);
   if (!object)
     throw createError({ statusCode: 404, statusMessage: "Object not found" });
 
diff --git a/server/api/v1/object/[id]/index.post.ts b/server/api/v1/object/[id]/index.post.ts
index a27e18dc..7b08d2fb 100644
--- a/server/api/v1/object/[id]/index.post.ts
+++ b/server/api/v1/object/[id]/index.post.ts
@@ -1,4 +1,5 @@
 import aclManager from "~/server/internal/acls";
+import objectHandler from "~/server/internal/objects";
 
 export default defineEventHandler(async (h3) => {
   const id = getRouterParam(h3, "id");
@@ -14,7 +15,7 @@ export default defineEventHandler(async (h3) => {
   const userId = await aclManager.getUserIdACL(h3, ["object:update"]);
   const buffer = Buffer.from(body);
 
-  const result = await h3.context.objects.writeWithPermissions(
+  const result = await objectHandler.writeWithPermissions(
     id,
     async () => buffer,
     userId
diff --git a/server/internal/acls/descriptions.ts b/server/internal/acls/descriptions.ts
new file mode 100644
index 00000000..7b3bad58
--- /dev/null
+++ b/server/internal/acls/descriptions.ts
@@ -0,0 +1,58 @@
+import { systemACLs, userACLs } from ".";
+
+type ObjectFromList<T extends ReadonlyArray<string>, V = string> = {
+  [K in T extends ReadonlyArray<infer U> ? U : never]: V;
+};
+
+export const userACLDescriptions: ObjectFromList<typeof userACLs> = {
+  read: "Fetch user information like username, display name, email, etc...",
+
+  "store:read":
+    "Fetch and search the store for games, developers and publishers.",
+
+  "object:read":
+    "Read object objects like game images, profile pictures, and downloads.",
+  "object:update":
+    "Update objects like game images, profile pictures, and downloads.",
+  "object:delete":
+    "Delete objects like game images, profile pictures, and downloads.",
+
+  "notifications:read": "Fetch this account's notifications.",
+  "notifications:mark": "Mark notifications as read for this account.",
+  "notifications:listen": "Connect to a websocket to recieve notifications.",
+  "notifications:delete": "Delete this account's notifications.",
+
+  "collections:new": "Create collections for this account.",
+  "collections:read": "Fetch all collections (including library).",
+  "collections:delete": "Delete a collection for this account.",
+  "collections:add": "Add a game to any collection (excluding library).",
+  "collections:remove":
+    "Remove a game from any collection (excluding library).",
+  "library:add": "Add a game to your library.",
+  "library:remove": "Remove a game from your library.",
+};
+
+export const systemACLDescriptions: ObjectFromList<typeof systemACLs> = {
+  "auth:simple:invitation:read": "Fetch simple auth invitations.",
+  "auth:simple:invitation:new": "Create new simple auth invitations.",
+  "auth:simple:invitation:delete": "Delete a simple auth invitation.",
+
+  "library:read": "Fetch a list of all games on this instance.",
+
+  "game:read": "Fetch a given game on this instance.",
+  "game:update": "Update a game on this instance.",
+  "game:delete": "Delete a game on this instance.",
+  "game:version:update": "Update the version order on a game.",
+  "game:version:delete": "Delete a version for a game.",
+  "game:image:new": "Upload an image for a game.",
+  "game:image:delete": "Delete an image for a game.",
+
+  "import:version:read":
+    "Fetch versions to be imported, and information about versions to be imported.",
+  "import:version:new": "Import a game version.",
+  "import:game:read":
+    "Fetch games to be imported, and search the metadata for games.",
+  "import:game:new": "Import a game.",
+
+  "user:read": "Fetch any user's information.",
+};
diff --git a/server/internal/acls/index.ts b/server/internal/acls/index.ts
index 874fa542..65b4664f 100644
--- a/server/internal/acls/index.ts
+++ b/server/internal/acls/index.ts
@@ -4,7 +4,7 @@ import prisma from "../db/database";
 import sessionHandler from "../session";
 import { MinimumRequestObject } from "~/server/h3";
 
-const userACLs = [
+export const userACLs = [
   "read",
 
   "store:read",
@@ -32,7 +32,7 @@ const userACLPrefix = "user:";
 
 type UserACL = Array<(typeof userACLs)[number]>;
 
-const systemACLs = [
+export const systemACLs = [
   "auth:simple:invitation:read",
   "auth:simple:invitation:new",
   "auth:simple:invitation:delete",
diff --git a/server/internal/clients/ca.ts b/server/internal/clients/ca.ts
index 7665ec40..065b1850 100644
--- a/server/internal/clients/ca.ts
+++ b/server/internal/clients/ca.ts
@@ -1,6 +1,7 @@
 import path from "path";
+import fs from "fs";
 import droplet from "@drop/droplet";
-import { CertificateStore } from "./ca-store";
+import { CertificateStore, fsCertificateStore } from "./ca-store";
 
 export type CertificateBundle = {
   priv: string;
@@ -72,4 +73,4 @@ export class CertificateAuthority {
   async blacklistClient(clientId: string) {
     await this.certificateStore.blacklistCertificate(clientId);
   }
-}
+}
\ No newline at end of file
diff --git a/server/internal/clients/event-handler.ts b/server/internal/clients/event-handler.ts
index 66249fbf..aea667d4 100644
--- a/server/internal/clients/event-handler.ts
+++ b/server/internal/clients/event-handler.ts
@@ -2,6 +2,7 @@ import { Client, User } from "@prisma/client";
 import { EventHandlerRequest, H3Event } from "h3";
 import droplet from "@drop/droplet";
 import prisma from "../db/database";
+import { useCertificateAuthority } from "~/server/plugins/ca";
 
 export type EventHandlerFunction<T> = (
   h3: H3Event<EventHandlerRequest>,
@@ -47,8 +48,8 @@ export function defineClientEventHandler<T>(handler: EventHandlerFunction<T>) {
           });
         }
 
-        const ca = h3.context.ca;
-        const certBundle = await ca.fetchClientCertificate(clientId);
+        const certificateAuthority = useCertificateAuthority();
+        const certBundle = await certificateAuthority.fetchClientCertificate(clientId);
         // This does the blacklist check already
         if (!certBundle)
           throw createError({
diff --git a/server/internal/metadata/index.ts b/server/internal/metadata/index.ts
index 5588f8c8..3746525c 100644
--- a/server/internal/metadata/index.ts
+++ b/server/internal/metadata/index.ts
@@ -232,4 +232,5 @@ export class MetadataHandler {
   }
 }
 
-export default new MetadataHandler();
+export const metadataHandler = new MetadataHandler();
+export default metadataHandler;
diff --git a/server/internal/objects/fsBackend.ts b/server/internal/objects/fsBackend.ts
index 9ce0d31e..3d7f000e 100644
--- a/server/internal/objects/fsBackend.ts
+++ b/server/internal/objects/fsBackend.ts
@@ -1,4 +1,4 @@
-import { Object, ObjectBackend, ObjectMetadata, ObjectReference, Source } from ".";
+import { Object, ObjectBackend, ObjectMetadata, ObjectReference, Source } from "./objectHandler";
 
 import sanitize from "sanitize-filename";
 
diff --git a/server/internal/objects/index.ts b/server/internal/objects/index.ts
index 5d97c451..e18afa23 100644
--- a/server/internal/objects/index.ts
+++ b/server/internal/objects/index.ts
@@ -1,186 +1,3 @@
-/**
- * Objects are basically files, like images or downloads, that have a set of metadata and permissions attached
- * They're served by the API from the /api/v1/object/${objectId} endpoint.
- *
- * It supports streams and buffers, depending on the use case. Buffers will likely only be used internally if
- * the data needs to be manipulated somehow.
- *
- * Objects are designed to be created once, and link to a single ID. For example, each user gets a single object
- * that's tied to their profile picture. If they want to update their profile picture, they overwrite that object.
- *
- * Permissions are a list of strings. Each permission string is in the id:permission format. Eg
- * anonymous:read
- * myUserId:read
- * anotherUserId:write
- */
-
-import { parse as getMimeTypeBuffer } from "file-type-mime";
-import { Readable } from "stream";
-import { getMimeType as getMimeTypeStream } from "stream-mime-type";
-import { v4 as uuidv4 } from "uuid";
-
-export type ObjectReference = string;
-export type ObjectMetadata = {
-  mime: string;
-  permissions: string[];
-  userMetadata: { [key: string]: string };
-};
-
-export enum ObjectPermission {
-  Read = "read",
-  Write = "write",
-  Delete = "delete",
-}
-export const ObjectPermissionPriority: Array<ObjectPermission> = [
-  ObjectPermission.Read,
-  ObjectPermission.Write,
-  ObjectPermission.Delete,
-];
-
-export type Object = { mime: string; data: Source };
-
-export type Source = Readable | Buffer;
-
-export abstract class ObjectBackend {
-  // Interface functions, not designed to be called directly.
-  // They don't check permissions to provide any utilities
-  abstract fetch(id: ObjectReference): Promise<Source | undefined>;
-  abstract write(id: ObjectReference, source: Source): Promise<boolean>;
-  abstract create(
-    id: string,
-    source: Source,
-    metadata: ObjectMetadata
-  ): Promise<ObjectReference | undefined>;
-  abstract delete(id: ObjectReference): Promise<boolean>;
-  abstract fetchMetadata(
-    id: ObjectReference
-  ): Promise<ObjectMetadata | undefined>;
-  abstract writeMetadata(
-    id: ObjectReference,
-    metadata: ObjectMetadata
-  ): Promise<boolean>;
-
-  async createFromSource(
-    id: string,
-    sourceFetcher: () => Promise<Source>,
-    metadata: { [key: string]: string },
-    permissions: Array<string>
-  ) {
-    async function fetchMimeType(source: Source) {
-      if (source instanceof ReadableStream) {
-        source = Readable.from(source);
-      }
-      if (source instanceof Readable) {
-        const { stream, mime } = await getMimeTypeStream(source);
-        return { source: Readable.from(stream), mime: mime };
-      }
-      if (source instanceof Buffer) {
-        const mime =
-          getMimeTypeBuffer(new Uint8Array(source).buffer)?.mime ?? "application/octet-stream";
-        return { source: source, mime };
-      }
-
-      return { source: undefined, mime: undefined };
-    }
-    const { source, mime } = await fetchMimeType(await sourceFetcher());
-    if (!mime)
-      throw new Error("Unable to calculate MIME type - is the source empty?");
-
-    await this.create(id, source, {
-      permissions,
-      userMetadata: metadata,
-      mime,
-    });
-  }
-
-  async fetchWithPermissions(id: ObjectReference, userId?: string) {
-    const metadata = await this.fetchMetadata(id);
-    if (!metadata) return;
-
-    // We only need one permission, so find instead of filter is faster
-    const myPermissions = metadata.permissions.find((e) => {
-      if (userId !== undefined && e.startsWith(userId)) return true;
-      if (userId !== undefined && e.startsWith("internal")) return true;
-      if (e.startsWith("anonymous")) return true;
-      return false;
-    });
-
-    if (!myPermissions) {
-      // We do not have access to this object
-      return;
-    }
-
-    // Because any permission can be read or up, we automatically know we can read this object
-    // So just straight return the object
-    const source = await this.fetch(id);
-    if (!source) return undefined;
-    const object: Object = {
-      data: source,
-      mime: metadata.mime,
-    };
-    return object;
-  }
-
-  // If we need to fetch a remote resource, it doesn't make sense
-  // to immediately fetch the object, *then* check permissions.
-  // Instead the caller can pass a simple anonymous funciton, like
-  // () => $fetch('/my-image');
-  // And if we actually have permission to write, it fetches it then.
-  async writeWithPermissions(
-    id: ObjectReference,
-    sourceFetcher: () => Promise<Source>,
-    userId?: string
-  ) {
-    const metadata = await this.fetchMetadata(id);
-    if (!metadata) return false;
-
-    const myPermissions = metadata.permissions
-      .filter((e) => {
-        if (userId !== undefined && e.startsWith(userId)) return true;
-        if (userId !== undefined && e.startsWith("internal")) return true;
-        if (e.startsWith("anonymous")) return true;
-        return false;
-      })
-      // Strip IDs from permissions
-      .map((e) => e.split(":").at(1))
-      // Map to priority according to array
-      .map((e) => ObjectPermissionPriority.findIndex((c) => c === e));
-
-    const requiredPermissionIndex = 1;
-    const hasPermission =
-      myPermissions.find((e) => e >= requiredPermissionIndex) != undefined;
-
-    if (!hasPermission) return false;
-
-    const source = await sourceFetcher();
-    const result = await this.write(id, source);
-
-    return result;
-  }
-
-  async deleteWithPermission(id: ObjectReference, userId?: string) {
-    const metadata = await this.fetchMetadata(id);
-    if (!metadata) return false;
-
-    const myPermissions = metadata.permissions
-      .filter((e) => {
-        if (userId !== undefined && e.startsWith(userId)) return true;
-        if (userId !== undefined && e.startsWith("internal")) return true;
-        if (e.startsWith("anonymous")) return true;
-        return false;
-      })
-      // Strip IDs from permissions
-      .map((e) => e.split(":").at(1))
-      // Map to priority according to array
-      .map((e) => ObjectPermissionPriority.findIndex((c) => c === e));
-
-    const requiredPermissionIndex = 2;
-    const hasPermission =
-      myPermissions.find((e) => e >= requiredPermissionIndex) != undefined;
-
-    if (!hasPermission) return false;
-
-    const result = await this.delete(id);
-    return result;
-  }
-}
+import { FsObjectBackend } from "./fsBackend";
+export const objectHandler = new FsObjectBackend();
+export default objectHandler
\ No newline at end of file
diff --git a/server/internal/objects/objectHandler.ts b/server/internal/objects/objectHandler.ts
new file mode 100644
index 00000000..8ea48034
--- /dev/null
+++ b/server/internal/objects/objectHandler.ts
@@ -0,0 +1,187 @@
+/**
+ * Objects are basically files, like images or downloads, that have a set of metadata and permissions attached
+ * They're served by the API from the /api/v1/object/${objectId} endpoint.
+ *
+ * It supports streams and buffers, depending on the use case. Buffers will likely only be used internally if
+ * the data needs to be manipulated somehow.
+ *
+ * Objects are designed to be created once, and link to a single ID. For example, each user gets a single object
+ * that's tied to their profile picture. If they want to update their profile picture, they overwrite that object.
+ *
+ * Permissions are a list of strings. Each permission string is in the id:permission format. Eg
+ * anonymous:read
+ * myUserId:read
+ * anotherUserId:write
+ */
+
+import { parse as getMimeTypeBuffer } from "file-type-mime";
+import { Readable } from "stream";
+import { getMimeType as getMimeTypeStream } from "stream-mime-type";
+import { v4 as uuidv4 } from "uuid";
+
+export type ObjectReference = string;
+export type ObjectMetadata = {
+  mime: string;
+  permissions: string[];
+  userMetadata: { [key: string]: string };
+};
+
+export enum ObjectPermission {
+  Read = "read",
+  Write = "write",
+  Delete = "delete",
+}
+export const ObjectPermissionPriority: Array<ObjectPermission> = [
+  ObjectPermission.Read,
+  ObjectPermission.Write,
+  ObjectPermission.Delete,
+];
+
+export type Object = { mime: string; data: Source };
+
+export type Source = Readable | Buffer;
+
+export abstract class ObjectBackend {
+  // Interface functions, not designed to be called directly.
+  // They don't check permissions to provide any utilities
+  abstract fetch(id: ObjectReference): Promise<Source | undefined>;
+  abstract write(id: ObjectReference, source: Source): Promise<boolean>;
+  abstract create(
+    id: string,
+    source: Source,
+    metadata: ObjectMetadata
+  ): Promise<ObjectReference | undefined>;
+  abstract delete(id: ObjectReference): Promise<boolean>;
+  abstract fetchMetadata(
+    id: ObjectReference
+  ): Promise<ObjectMetadata | undefined>;
+  abstract writeMetadata(
+    id: ObjectReference,
+    metadata: ObjectMetadata
+  ): Promise<boolean>;
+
+  async createFromSource(
+    id: string,
+    sourceFetcher: () => Promise<Source>,
+    metadata: { [key: string]: string },
+    permissions: Array<string>
+  ) {
+    async function fetchMimeType(source: Source) {
+      if (source instanceof ReadableStream) {
+        source = Readable.from(source);
+      }
+      if (source instanceof Readable) {
+        const { stream, mime } = await getMimeTypeStream(source);
+        return { source: Readable.from(stream), mime: mime };
+      }
+      if (source instanceof Buffer) {
+        const mime =
+          getMimeTypeBuffer(new Uint8Array(source).buffer)?.mime ??
+          "application/octet-stream";
+        return { source: source, mime };
+      }
+
+      return { source: undefined, mime: undefined };
+    }
+    const { source, mime } = await fetchMimeType(await sourceFetcher());
+    if (!mime)
+      throw new Error("Unable to calculate MIME type - is the source empty?");
+
+    await this.create(id, source, {
+      permissions,
+      userMetadata: metadata,
+      mime,
+    });
+  }
+
+  async fetchWithPermissions(id: ObjectReference, userId?: string) {
+    const metadata = await this.fetchMetadata(id);
+    if (!metadata) return;
+
+    // We only need one permission, so find instead of filter is faster
+    const myPermissions = metadata.permissions.find((e) => {
+      if (userId !== undefined && e.startsWith(userId)) return true;
+      if (userId !== undefined && e.startsWith("internal")) return true;
+      if (e.startsWith("anonymous")) return true;
+      return false;
+    });
+
+    if (!myPermissions) {
+      // We do not have access to this object
+      return;
+    }
+
+    // Because any permission can be read or up, we automatically know we can read this object
+    // So just straight return the object
+    const source = await this.fetch(id);
+    if (!source) return undefined;
+    const object: Object = {
+      data: source,
+      mime: metadata.mime,
+    };
+    return object;
+  }
+
+  // If we need to fetch a remote resource, it doesn't make sense
+  // to immediately fetch the object, *then* check permissions.
+  // Instead the caller can pass a simple anonymous funciton, like
+  // () => $fetch('/my-image');
+  // And if we actually have permission to write, it fetches it then.
+  async writeWithPermissions(
+    id: ObjectReference,
+    sourceFetcher: () => Promise<Source>,
+    userId?: string
+  ) {
+    const metadata = await this.fetchMetadata(id);
+    if (!metadata) return false;
+
+    const myPermissions = metadata.permissions
+      .filter((e) => {
+        if (userId !== undefined && e.startsWith(userId)) return true;
+        if (userId !== undefined && e.startsWith("internal")) return true;
+        if (e.startsWith("anonymous")) return true;
+        return false;
+      })
+      // Strip IDs from permissions
+      .map((e) => e.split(":").at(1))
+      // Map to priority according to array
+      .map((e) => ObjectPermissionPriority.findIndex((c) => c === e));
+
+    const requiredPermissionIndex = 1;
+    const hasPermission =
+      myPermissions.find((e) => e >= requiredPermissionIndex) != undefined;
+
+    if (!hasPermission) return false;
+
+    const source = await sourceFetcher();
+    const result = await this.write(id, source);
+
+    return result;
+  }
+
+  async deleteWithPermission(id: ObjectReference, userId?: string) {
+    const metadata = await this.fetchMetadata(id);
+    if (!metadata) return false;
+
+    const myPermissions = metadata.permissions
+      .filter((e) => {
+        if (userId !== undefined && e.startsWith(userId)) return true;
+        if (userId !== undefined && e.startsWith("internal")) return true;
+        if (e.startsWith("anonymous")) return true;
+        return false;
+      })
+      // Strip IDs from permissions
+      .map((e) => e.split(":").at(1))
+      // Map to priority according to array
+      .map((e) => ObjectPermissionPriority.findIndex((c) => c === e));
+
+    const requiredPermissionIndex = 2;
+    const hasPermission =
+      myPermissions.find((e) => e >= requiredPermissionIndex) != undefined;
+
+    if (!hasPermission) return false;
+
+    const result = await this.delete(id);
+    return result;
+  }
+}
diff --git a/server/internal/objects/transactional.ts b/server/internal/objects/transactional.ts
index 15fb41b9..922ff6ae 100644
--- a/server/internal/objects/transactional.ts
+++ b/server/internal/objects/transactional.ts
@@ -4,7 +4,7 @@ This is used as a utility in metadata handling, so we only fetch the objects if
 */
 import { Readable } from "stream";
 import { v4 as uuidv4 } from "uuid";
-import { objectHandler } from "~/server/plugins/objects";
+import objectHandler from ".";
 
 export type TransactionDataType = string | Readable | Buffer;
 type TransactionTable = { [key: string]: TransactionDataType }; // ID to data
diff --git a/server/plugins/ca.ts b/server/plugins/ca.ts
index 1b99d792..000764ae 100644
--- a/server/plugins/ca.ts
+++ b/server/plugins/ca.ts
@@ -15,13 +15,4 @@ export default defineNitroPlugin(async (nitro) => {
   const store = fsCertificateStore(basePath);
 
   ca = await CertificateAuthority.new(store);
-
-  nitro.hooks.hook("request", (h3) => {
-    if (!ca)
-      throw createError({
-        statusCode: 500,
-        statusMessage: "Certificate authority not initialised",
-      });
-    h3.context.ca = ca;
-  });
 });
diff --git a/server/plugins/metadata.ts b/server/plugins/metadata.ts
deleted file mode 100644
index 8fbd8fa1..00000000
--- a/server/plugins/metadata.ts
+++ /dev/null
@@ -1,25 +0,0 @@
-import { MetadataHandler, MetadataProvider } from "../internal/metadata";
-import { GiantBombProvider } from "../internal/metadata/giantbomb";
-import { ManualMetadataProvider } from "../internal/metadata/manual";
-
-export const metadataHandler = new MetadataHandler();
-
-const providerCreators: Array<() => MetadataProvider> = [
-  () => new GiantBombProvider(),
-  () => new ManualMetadataProvider(),
-];
-
-export default defineNitroPlugin(async (nitro) => {
-  for (const creator of providerCreators) {
-    try {
-      const instance = creator();
-      metadataHandler.addProvider(instance);
-    } catch (e) {
-      console.warn(e);
-    }
-  }
-
-  nitro.hooks.hook("request", (h3) => {
-    h3.context.metadataHandler = metadataHandler;
-  });
-});
diff --git a/server/plugins/objects.ts b/server/plugins/objects.ts
deleted file mode 100644
index 8e9ee40c..00000000
--- a/server/plugins/objects.ts
+++ /dev/null
@@ -1,10 +0,0 @@
-import { FsObjectBackend } from "../internal/objects/fsBackend";
-
-// To-do insert logic surrounding deciding what object backend to use
-export const objectHandler = new FsObjectBackend();
-
-export default defineNitroPlugin((nitro) => {
-  nitro.hooks.hook("request", (h3) => {
-    h3.context.objects = objectHandler;
-  });
-});

From b6189d12e70cbb8c499b9df052c5d4e96f48ea5a Mon Sep 17 00:00:00 2001
From: DecDuck <declanahofmeyr@gmail.com>
Date: Sat, 8 Feb 2025 11:37:42 +1100
Subject: [PATCH 19/22] fix(droplet): add aarch64 optional packages

---
 package.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 03d1cadd..dcf408de 100644
--- a/package.json
+++ b/package.json
@@ -52,7 +52,9 @@
   },
   "optionalDependencies": {
     "@drop/droplet-linux-x64-gnu": "^0.7.0",
-    "@drop/droplet-win32-x64-msvc": "^0.7.0"
+    "@drop/droplet-win32-x64-msvc": "^0.7.0",
+    "@drop/droplet-darwin-arm64": "^0.7.0",
+    "@drop/droplet-linux-arm64-gnu": "^0.7.0"
   },
   "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
 }

From 97792f0707dcdfdad351a82ad444af1da47b570a Mon Sep 17 00:00:00 2001
From: DecDuck <declanahofmeyr@gmail.com>
Date: Sat, 8 Feb 2025 11:41:16 +1100
Subject: [PATCH 20/22] fix: home page now (temporarily) redirects to store

---
 pages/index.vue | 16 +++-------------
 yarn.lock       | 10 ++++++++++
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/pages/index.vue b/pages/index.vue
index 4388b2a8..458e24a6 100644
--- a/pages/index.vue
+++ b/pages/index.vue
@@ -1,15 +1,5 @@
 <template>
-    <div class="px-12 py-4">
-        <h1 class="text-zinc-100 text-2xl font-bold font-display">
-            Newly added
-        </h1>
-        <NuxtLink class="text-blue-600 font-semibold"
-            >Explore more &rarr;</NuxtLink
-        >
-        <div class="mt-4 grid grid-cols-8 gap-x-8 w-max">
-            <GamePanel v-for="i in 8" :game="games[i - 1]" />
-        </div>
-    </div>
+    
 </template>
 
 <script setup lang="ts">
@@ -17,6 +7,6 @@ useHead({
     title: "Home",
 });
 
-const headers = useRequestHeaders(["cookie"]);
-const games = await $fetch("/api/v1/store/recent", { headers });
+const router = useRouter();
+router.replace('/store')
 </script>
diff --git a/yarn.lock b/yarn.lock
index 365d4880..8569b10a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -288,6 +288,16 @@
   resolved "https://registry.yarnpkg.com/@csstools/selector-specificity/-/selector-specificity-5.0.0.tgz#037817b574262134cabd68fc4ec1a454f168407b"
   integrity sha512-PCqQV3c4CoVm3kdPhyeZ07VmBRdH2EpMFA/pd9OASpOEC3aXNGoqPDAZ80D0cLpMBxnmk0+yNhGsEx31hq7Gtw==
 
+"@drop/droplet-darwin-arm64@^0.7.0":
+  version "0.7.0"
+  resolved "https://lab.deepcore.dev/api/v4/projects/57/packages/npm/@drop/droplet-darwin-arm64/-/@drop/droplet-darwin-arm64-0.7.0.tgz#34f7c6d168d6738d471c5f7287772e9b42fa7e33"
+  integrity sha1-NPfG0WjWc41HHF9yh3cum0L6fjM=
+
+"@drop/droplet-linux-arm64-gnu@^0.7.0":
+  version "0.7.0"
+  resolved "https://lab.deepcore.dev/api/v4/projects/57/packages/npm/@drop/droplet-linux-arm64-gnu/-/@drop/droplet-linux-arm64-gnu-0.7.0.tgz#783b9d24879d9a4e3ae8c8693cc1de7868284a61"
+  integrity sha1-eDudJIedmk466MhpPMHeeGgoSmE=
+
 "@drop/droplet-linux-x64-gnu@0.7.0", "@drop/droplet-linux-x64-gnu@^0.7.0":
   version "0.7.0"
   resolved "https://lab.deepcore.dev/api/v4/projects/57/packages/npm/@drop/droplet-linux-x64-gnu/-/@drop/droplet-linux-x64-gnu-0.7.0.tgz#128e37707481cfcbbeb057142164f3e637f13f26"

From 31aaec74af642d35d5d3c22bd23b5231d150dbee Mon Sep 17 00:00:00 2001
From: DecDuck <declanahofmeyr@gmail.com>
Date: Fri, 14 Feb 2025 20:01:18 +1100
Subject: [PATCH 21/22] feat: migrate to tailwind v4 and fix user token API

---
 assets/core.scss                              |  13 +-
 assets/tailwindcss.css                        |   4 +
 components/AddLibraryButton.vue               |   4 +-
 components/UserHeader/UserWidget.vue          |  16 +-
 nuxt.config.ts                                |  12 +-
 package.json                                  |   9 +-
 .../migration.sql                             |   8 +
 .../migration.sql                             |  14 ++
 .../migration.sql                             |  20 ++
 prisma/schema/auth.prisma                     |   6 +-
 prisma/schema/content.prisma                  |   4 +-
 prisma/schema/schema.prisma                   |   2 +-
 server/api/v1/user/token/[id]/index.delete.ts |  23 ++
 .../token.get.ts => user/token/acls.get.ts}   |   0
 server/api/v1/user/token/index.get.ts         |  15 ++
 server/api/v1/user/token/index.post.ts        |  41 ++++
 server/internal/db/database.ts                |   2 +-
 tailwind.config.js                            |   1 -
 yarn.lock                                     | 211 +++++++++++++++---
 19 files changed, 348 insertions(+), 57 deletions(-)
 create mode 100644 assets/tailwindcss.css
 create mode 100644 prisma/migrations/20250208004345_add_api_token_name/migration.sql
 create mode 100644 prisma/migrations/20250208005625_add_id_to_token/migration.sql
 create mode 100644 prisma/migrations/20250211230021_ensure_non_null_launch_and_setup_commands/migration.sql
 create mode 100644 server/api/v1/user/token/[id]/index.delete.ts
 rename server/api/v1/{admin/user/token/token.get.ts => user/token/acls.get.ts} (100%)
 create mode 100644 server/api/v1/user/token/index.get.ts
 create mode 100644 server/api/v1/user/token/index.post.ts

diff --git a/assets/core.scss b/assets/core.scss
index c510b1db..eddfa750 100644
--- a/assets/core.scss
+++ b/assets/core.scss
@@ -1,7 +1,3 @@
-@tailwind base;
-@tailwind components;
-@tailwind utilities;
-
 $motiva: (
   ("MotivaSansThin.ttf", "ttf", 100, normal),
   ("MotivaSansLight.woff.ttf", "woff", 300, normal),
@@ -72,3 +68,12 @@ $helvetica: (
 .store-caoursel > .carousel__viewport {
   overflow: visible !important;
 }
+
+
+button {
+  cursor: pointer !important;
+}
+
+html {
+  background-color: oklch(.21 .006 285.885);
+}
\ No newline at end of file
diff --git a/assets/tailwindcss.css b/assets/tailwindcss.css
new file mode 100644
index 00000000..c64f75c3
--- /dev/null
+++ b/assets/tailwindcss.css
@@ -0,0 +1,4 @@
+@import "tailwindcss";
+@plugin "@tailwindcss/typography";
+@plugin "@tailwindcss/forms";
+@config "../tailwind.config.js";
\ No newline at end of file
diff --git a/components/AddLibraryButton.vue b/components/AddLibraryButton.vue
index 171720b9..19c7ceee 100644
--- a/components/AddLibraryButton.vue
+++ b/components/AddLibraryButton.vue
@@ -4,7 +4,7 @@
       :loading="isLibraryLoading"
       @click="() => toggleLibrary()"
       :style="'none'"
-      class="transition w-48 inline-flex items-center justify-center gap-x-2 rounded-l-md bg-white/10 group-hover:bg-white/15 text-zinc-100 backdrop-blur px-5 py-3 active:scale-95"
+      class="transition w-48 h-fit gap-x-2 rounded-none rounded-l-md bg-white/10 hover:bg-white/20 text-zinc-100 backdrop-blur px-5 py-3 active:scale-95"
     >
       {{ inLibrary ? "In Library" : "Add to Library" }}
       <CheckIcon v-if="inLibrary" class="-mr-0.5 h-5 w-5" aria-hidden="true" />
@@ -15,7 +15,7 @@
     <Menu as="div" class="relative">
       <MenuButton
         as="div"
-        class="transition cursor-pointer inline-flex items-center rounded-r-md h-full ml-[2px] bg-white/10 group-hover:bg-white/15 backdrop-blur py-3.5 px-2 justify-center focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-white/20"
+        class="transition cursor-pointer inline-flex items-center rounded-r-md h-full ml-[2px] bg-white/10 hover:bg-white/20 backdrop-blur py-3.5 px-2 justify-center focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-white/20"
       >
         <ChevronDownIcon class="h-5 w-5 text-white" aria-hidden="true" />
       </MenuButton>
diff --git a/components/UserHeader/UserWidget.vue b/components/UserHeader/UserWidget.vue
index de99c97e..92942187 100644
--- a/components/UserHeader/UserWidget.vue
+++ b/components/UserHeader/UserWidget.vue
@@ -39,15 +39,16 @@
           </NuxtLink>
           <div class="h-0.5 rounded-full w-full bg-zinc-800" />
           <div class="flex flex-col">
-            <MenuItem v-for="(nav, navIdx) in navigation" v-slot="{ active }">
-              <NuxtLink
+            <MenuItem v-for="(nav, navIdx) in navigation" v-slot="{ active, close }">
+              <button
                 :href="nav.route"
+                @click="() => navigateTo(nav.route, close)"
                 :class="[
                   active ? 'bg-zinc-800 text-zinc-100' : 'text-zinc-400',
-                  'transition block px-4 py-2 text-sm',
+                  'text-left transition block px-4 py-2 text-sm',
                 ]"
               >
-                {{ nav.label }}</NuxtLink
+                {{ nav.label }}</button
               >
             </MenuItem>
           </div>
@@ -84,4 +85,11 @@ const navigation: NavigationItem[] = [
     prefix: "",
   },
 ].filter((e) => e !== undefined);
+
+const router = useRouter();
+
+function navigateLink(href: string, closeFn: () => any) {
+  closeFn();
+  router.push(href);
+}
 </script>
diff --git a/nuxt.config.ts b/nuxt.config.ts
index f241a58b..26547a83 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -1,4 +1,5 @@
 import path from "path";
+import tailwindcss from "@tailwindcss/vite";
 
 // https://nuxt.com/docs/api/configuration/nuxt-config
 export default defineNuxtConfig({
@@ -6,13 +7,12 @@ export default defineNuxtConfig({
   telemetry: false,
   compatibilityDate: "2024-04-03",
   devtools: { enabled: false },
-  css: ["~/assets/core.scss"],
+  css: ["~/assets/tailwindcss.css", "~/assets/core.scss"],
 
-  postcss: {
-    plugins: {
-      tailwindcss: {},
-      autoprefixer: {},
-    },
+  vite: {
+    plugins: [
+      tailwindcss()
+    ]
   },
 
   app: {
diff --git a/package.json b/package.json
index dcf408de..958cbcc8 100644
--- a/package.json
+++ b/package.json
@@ -17,6 +17,7 @@
     "@nuxt/content": "^2.13.4",
     "@nuxtjs/tailwindcss": "^6.12.2",
     "@prisma/client": "^6.1.0",
+    "@tailwindcss/vite": "^4.0.6",
     "axios": "^1.7.7",
     "bcryptjs": "^2.4.3",
     "cookie-es": "^1.2.2",
@@ -48,13 +49,13 @@
     "nitropack": "^2.9.7",
     "postcss": "^8.4.47",
     "sass": "^1.79.4",
-    "tailwindcss": "^3.4.15"
+    "tailwindcss": "^4.0.0"
   },
   "optionalDependencies": {
-    "@drop/droplet-linux-x64-gnu": "^0.7.0",
-    "@drop/droplet-win32-x64-msvc": "^0.7.0",
     "@drop/droplet-darwin-arm64": "^0.7.0",
-    "@drop/droplet-linux-arm64-gnu": "^0.7.0"
+    "@drop/droplet-linux-arm64-gnu": "^0.7.0",
+    "@drop/droplet-linux-x64-gnu": "^0.7.0",
+    "@drop/droplet-win32-x64-msvc": "^0.7.0"
   },
   "packageManager": "yarn@1.22.22+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e"
 }
diff --git a/prisma/migrations/20250208004345_add_api_token_name/migration.sql b/prisma/migrations/20250208004345_add_api_token_name/migration.sql
new file mode 100644
index 00000000..26cfe969
--- /dev/null
+++ b/prisma/migrations/20250208004345_add_api_token_name/migration.sql
@@ -0,0 +1,8 @@
+/*
+  Warnings:
+
+  - Added the required column `name` to the `APIToken` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- AlterTable
+ALTER TABLE "APIToken" ADD COLUMN     "name" TEXT NOT NULL;
diff --git a/prisma/migrations/20250208005625_add_id_to_token/migration.sql b/prisma/migrations/20250208005625_add_id_to_token/migration.sql
new file mode 100644
index 00000000..2a9e0b07
--- /dev/null
+++ b/prisma/migrations/20250208005625_add_id_to_token/migration.sql
@@ -0,0 +1,14 @@
+/*
+  Warnings:
+
+  - The primary key for the `APIToken` table will be changed. If it partially fails, the table could be left without primary key constraint.
+  - The required column `id` was added to the `APIToken` table with a prisma-level default value. This is not possible if the table is not empty. Please add this column as optional, then populate it before making it required.
+
+*/
+-- AlterTable
+ALTER TABLE "APIToken" DROP CONSTRAINT "APIToken_pkey",
+ADD COLUMN     "id" TEXT NOT NULL,
+ADD CONSTRAINT "APIToken_pkey" PRIMARY KEY ("id");
+
+-- CreateIndex
+CREATE INDEX "APIToken_token_idx" ON "APIToken"("token");
diff --git a/prisma/migrations/20250211230021_ensure_non_null_launch_and_setup_commands/migration.sql b/prisma/migrations/20250211230021_ensure_non_null_launch_and_setup_commands/migration.sql
new file mode 100644
index 00000000..79a655db
--- /dev/null
+++ b/prisma/migrations/20250211230021_ensure_non_null_launch_and_setup_commands/migration.sql
@@ -0,0 +1,20 @@
+/*
+  Warnings:
+
+  - Made the column `launchCommand` on table `GameVersion` required. This step will fail if there are existing NULL values in that column.
+  - Made the column `setupCommand` on table `GameVersion` required. This step will fail if there are existing NULL values in that column.
+
+*/
+UPDATE "GameVersion"
+SET "launchCommand" = ''
+WHERE "launchCommand" is NULL;
+
+UPDATE "GameVersion"
+SET "setupCommand" = ''
+WHERE "launchCommand" is NULL;
+
+-- AlterTable
+ALTER TABLE "GameVersion" ALTER COLUMN "launchCommand" SET NOT NULL,
+ALTER COLUMN "launchCommand" SET DEFAULT '',
+ALTER COLUMN "setupCommand" SET NOT NULL,
+ALTER COLUMN "setupCommand" SET DEFAULT '';
diff --git a/prisma/schema/auth.prisma b/prisma/schema/auth.prisma
index 64677b8a..b321ac54 100644
--- a/prisma/schema/auth.prisma
+++ b/prisma/schema/auth.prisma
@@ -28,11 +28,15 @@ enum APITokenMode {
 }
 
 model APIToken {
-    token String       @id @default(uuid())
+    id    String       @id @default(uuid())
+    token String       @default(uuid())
     mode  APITokenMode
+    name  String
 
     userId String?
     user   User?   @relation(fields: [userId], references: [id])
 
     acls String[]
+
+    @@index([token])
 }
diff --git a/prisma/schema/content.prisma b/prisma/schema/content.prisma
index dc278a1d..f64fdac5 100644
--- a/prisma/schema/content.prisma
+++ b/prisma/schema/content.prisma
@@ -46,9 +46,9 @@ model GameVersion {
 
     platform Platform
 
-    launchCommand String? // Command to run to start. Platform-specific. Windows games on Linux will wrap this command in Proton/Wine
+    launchCommand String @default("") // Command to run to start. Platform-specific. Windows games on Linux will wrap this command in Proton/Wine
     launchArgs    String[]
-    setupCommand  String? // Command to setup game (dependencies and such)
+    setupCommand  String @default("") // Command to setup game (dependencies and such)
     setupArgs     String[]
     onlySetup     Boolean  @default(false)
 
diff --git a/prisma/schema/schema.prisma b/prisma/schema/schema.prisma
index 7df96a9e..37dc089c 100644
--- a/prisma/schema/schema.prisma
+++ b/prisma/schema/schema.prisma
@@ -6,7 +6,7 @@
 
 generator client {
   provider        = "prisma-client-js"
-  previewFeatures = ["prismaSchemaFolder"]
+  previewFeatures = ["prismaSchemaFolder", "omitApi"]
 }
 
 datasource db {
diff --git a/server/api/v1/user/token/[id]/index.delete.ts b/server/api/v1/user/token/[id]/index.delete.ts
new file mode 100644
index 00000000..be199013
--- /dev/null
+++ b/server/api/v1/user/token/[id]/index.delete.ts
@@ -0,0 +1,23 @@
+import { APITokenMode } from "@prisma/client";
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.getUserIdACL(h3, []); // No ACLs only allows session authentication
+  if (!userId) throw createError({ statusCode: 403 });
+
+  const id = h3.context.params?.id;
+  if (!id)
+    throw createError({
+      statusCode: 400,
+      statusMessage: "No id in router params",
+    });
+
+  const deleted = await prisma.aPIToken.delete({
+    where: { id: id, userId: userId, mode: APITokenMode.User },
+  })!!;
+  if (!deleted)
+    throw createError({ statusCode: 404, statusMessage: "Token not found" });
+
+  return;
+});
diff --git a/server/api/v1/admin/user/token/token.get.ts b/server/api/v1/user/token/acls.get.ts
similarity index 100%
rename from server/api/v1/admin/user/token/token.get.ts
rename to server/api/v1/user/token/acls.get.ts
diff --git a/server/api/v1/user/token/index.get.ts b/server/api/v1/user/token/index.get.ts
new file mode 100644
index 00000000..b8953c52
--- /dev/null
+++ b/server/api/v1/user/token/index.get.ts
@@ -0,0 +1,15 @@
+import { APITokenMode } from "@prisma/client";
+import aclManager from "~/server/internal/acls";
+import prisma from "~/server/internal/db/database";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.getUserIdACL(h3, []); // No ACLs only allows session authentication
+  if (!userId) throw createError({ statusCode: 403 });
+
+  const tokens = await prisma.aPIToken.findMany({
+    where: { userId: userId, mode: APITokenMode.User },
+    omit: { token: true },
+  });
+
+  return tokens;
+});
diff --git a/server/api/v1/user/token/index.post.ts b/server/api/v1/user/token/index.post.ts
new file mode 100644
index 00000000..be458004
--- /dev/null
+++ b/server/api/v1/user/token/index.post.ts
@@ -0,0 +1,41 @@
+import { APITokenMode } from "@prisma/client";
+import aclManager, { userACLs } from "~/server/internal/acls";
+import { userACLDescriptions } from "~/server/internal/acls/descriptions";
+import prisma from "~/server/internal/db/database";
+
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.getUserIdACL(h3, []); // No ACLs only allows session authentication
+  if (!userId) throw createError({ statusCode: 403 });
+
+  const body = await readBody(h3);
+  const name: string = body.name;
+  const acls: string[] = body.acls;
+
+  if (!name || typeof name !== "string")
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Token name required",
+    });
+  if (!acls || !Array.isArray(acls))
+    throw createError({ statusCode: 400, statusMessage: "ACLs required" });
+
+  if (acls.length == 0)
+    throw createError({
+      statusCode: 400,
+      statusMessage: "Token requires more than zero ACLs",
+    });
+
+    const invalidACLs = acls.filter((e) => userACLs.findIndex((v) => e == v) == -1);
+    if(invalidACLs.length > 0) throw createError({statusCode: 400, statusMessage: `Invalid ACLs: ${invalidACLs.join(", ")}`});
+
+    const token = await prisma.aPIToken.create({
+      data: {
+        mode: APITokenMode.User,
+        name: name,
+        userId: userId,
+        acls: acls,
+      }
+    })
+    
+    return token;
+});
diff --git a/server/internal/db/database.ts b/server/internal/db/database.ts
index 595f4495..34cbd220 100644
--- a/server/internal/db/database.ts
+++ b/server/internal/db/database.ts
@@ -1,7 +1,7 @@
 import { PrismaClient } from '@prisma/client'
 
 const prismaClientSingleton = () => {
-    return new PrismaClient()
+    return new PrismaClient({});
 }
 
 declare const globalThis: {
diff --git a/tailwind.config.js b/tailwind.config.js
index afc5408f..56bcc590 100644
--- a/tailwind.config.js
+++ b/tailwind.config.js
@@ -21,5 +21,4 @@ export default {
       },
     },
   },
-  plugins: [require("@tailwindcss/forms"), require("@tailwindcss/typography")],
 };
diff --git a/yarn.lock b/yarn.lock
index 8569b10a..c5ac8085 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1400,6 +1400,87 @@
   dependencies:
     mini-svg-data-uri "^1.2.3"
 
+"@tailwindcss/node@^4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/node/-/node-4.0.6.tgz#d07152f447b37c8ce68244b0ec1ce427f5ed856e"
+  integrity sha512-jb6E0WeSq7OQbVYcIJ6LxnZTeC4HjMvbzFBMCrQff4R50HBlo/obmYNk6V2GCUXDeqiXtvtrQgcIbT+/boB03Q==
+  dependencies:
+    enhanced-resolve "^5.18.0"
+    jiti "^2.4.2"
+    tailwindcss "4.0.6"
+
+"@tailwindcss/oxide-android-arm64@4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/oxide-android-arm64/-/oxide-android-arm64-4.0.6.tgz#0dbee5042870ceaf756829c48c1e6ddacbb4b35b"
+  integrity sha512-xDbym6bDPW3D2XqQqX3PjqW3CKGe1KXH7Fdkc60sX5ZLVUbzPkFeunQaoP+BuYlLc2cC1FoClrIRYnRzof9Sow==
+
+"@tailwindcss/oxide-darwin-arm64@4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/oxide-darwin-arm64/-/oxide-darwin-arm64-4.0.6.tgz#9b5574626464b2ba658a7ecf689a4a835dc97369"
+  integrity sha512-1f71/ju/tvyGl5c2bDkchZHy8p8EK/tDHCxlpYJ1hGNvsYihZNurxVpZ0DefpN7cNc9RTT8DjrRoV8xXZKKRjg==
+
+"@tailwindcss/oxide-darwin-x64@4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/oxide-darwin-x64/-/oxide-darwin-x64-4.0.6.tgz#576b9fcd422790371efdb9e3733862759e76639c"
+  integrity sha512-s/hg/ZPgxFIrGMb0kqyeaqZt505P891buUkSezmrDY6lxv2ixIELAlOcUVTkVh245SeaeEiUVUPiUN37cwoL2g==
+
+"@tailwindcss/oxide-freebsd-x64@4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/oxide-freebsd-x64/-/oxide-freebsd-x64-4.0.6.tgz#787421ebad9460a7ff4a17ca7d1c495579db00ae"
+  integrity sha512-Z3Wo8FWZnmio8+xlcbb7JUo/hqRMSmhQw8IGIRoRJ7GmLR0C+25Wq+bEX/135xe/yEle2lFkhu9JBHd4wZYiig==
+
+"@tailwindcss/oxide-linux-arm-gnueabihf@4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/oxide-linux-arm-gnueabihf/-/oxide-linux-arm-gnueabihf-4.0.6.tgz#07872b2a1d4404a9819788ca5e8384d42a4004fd"
+  integrity sha512-SNSwkkim1myAgmnbHs4EjXsPL7rQbVGtjcok5EaIzkHkCAVK9QBQsWeP2Jm2/JJhq4wdx8tZB9Y7psMzHYWCkA==
+
+"@tailwindcss/oxide-linux-arm64-gnu@4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/oxide-linux-arm64-gnu/-/oxide-linux-arm64-gnu-4.0.6.tgz#fd314d294aec5f40c19c5fd09d448b23628dc384"
+  integrity sha512-tJ+mevtSDMQhKlwCCuhsFEFg058kBiSy4TkoeBG921EfrHKmexOaCyFKYhVXy4JtkaeeOcjJnCLasEeqml4i+Q==
+
+"@tailwindcss/oxide-linux-arm64-musl@4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/oxide-linux-arm64-musl/-/oxide-linux-arm64-musl-4.0.6.tgz#67b74205d72d3a83e6893adf5b35ac55118e0ebc"
+  integrity sha512-IoArz1vfuTR4rALXMUXI/GWWfx2EaO4gFNtBNkDNOYhlTD4NVEwE45nbBoojYiTulajI4c2XH8UmVEVJTOJKxA==
+
+"@tailwindcss/oxide-linux-x64-gnu@4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/oxide-linux-x64-gnu/-/oxide-linux-x64-gnu-4.0.6.tgz#2268beea15f18adcaa83c0e6540d3ee464130082"
+  integrity sha512-QtsUfLkEAeWAC3Owx9Kg+7JdzE+k9drPhwTAXbXugYB9RZUnEWWx5x3q/au6TvUYcL+n0RBqDEO2gucZRvRFgQ==
+
+"@tailwindcss/oxide-linux-x64-musl@4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/oxide-linux-x64-musl/-/oxide-linux-x64-musl-4.0.6.tgz#869b49cc783eabe7c33283abe23aafd35b4dd645"
+  integrity sha512-QthvJqIji2KlGNwLcK/PPYo7w1Wsi/8NK0wAtRGbv4eOPdZHkQ9KUk+oCoP20oPO7i2a6X1aBAFQEL7i08nNMA==
+
+"@tailwindcss/oxide-win32-arm64-msvc@4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/oxide-win32-arm64-msvc/-/oxide-win32-arm64-msvc-4.0.6.tgz#c7e3650b19a24bbebc9d513f188e1d75e1fccf2a"
+  integrity sha512-+oka+dYX8jy9iP00DJ9Y100XsqvbqR5s0yfMZJuPR1H/lDVtDfsZiSix1UFBQ3X1HWxoEEl6iXNJHWd56TocVw==
+
+"@tailwindcss/oxide-win32-x64-msvc@4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/oxide-win32-x64-msvc/-/oxide-win32-x64-msvc-4.0.6.tgz#ba736748c72273f277e7afb4eaf401108e10ccfd"
+  integrity sha512-+o+juAkik4p8Ue/0LiflQXPmVatl6Av3LEZXpBTfg4qkMIbZdhCGWFzHdt2NjoMiLOJCFDddoV6GYaimvK1Olw==
+
+"@tailwindcss/oxide@^4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/oxide/-/oxide-4.0.6.tgz#57035c941065195db4e5b26eebb3e63b56885a83"
+  integrity sha512-lVyKV2y58UE9CeKVcYykULe9QaE1dtKdxDEdrTPIdbzRgBk6bdxHNAoDqvcqXbIGXubn3VOl1O/CFF77v/EqSA==
+  optionalDependencies:
+    "@tailwindcss/oxide-android-arm64" "4.0.6"
+    "@tailwindcss/oxide-darwin-arm64" "4.0.6"
+    "@tailwindcss/oxide-darwin-x64" "4.0.6"
+    "@tailwindcss/oxide-freebsd-x64" "4.0.6"
+    "@tailwindcss/oxide-linux-arm-gnueabihf" "4.0.6"
+    "@tailwindcss/oxide-linux-arm64-gnu" "4.0.6"
+    "@tailwindcss/oxide-linux-arm64-musl" "4.0.6"
+    "@tailwindcss/oxide-linux-x64-gnu" "4.0.6"
+    "@tailwindcss/oxide-linux-x64-musl" "4.0.6"
+    "@tailwindcss/oxide-win32-arm64-msvc" "4.0.6"
+    "@tailwindcss/oxide-win32-x64-msvc" "4.0.6"
+
 "@tailwindcss/typography@^0.5.15":
   version "0.5.15"
   resolved "https://registry.yarnpkg.com/@tailwindcss/typography/-/typography-0.5.15.tgz#007ab9870c86082a1c76e5b3feda9392c7c8d648"
@@ -1410,6 +1491,16 @@
     lodash.merge "^4.6.2"
     postcss-selector-parser "6.0.10"
 
+"@tailwindcss/vite@^4.0.6":
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/@tailwindcss/vite/-/vite-4.0.6.tgz#e43be7bfaabaf3f157d08273e21edb74faf24f47"
+  integrity sha512-O25vZ/URWbZ2JHdk2o8wH7jOKqEGCsYmX3GwGmYS5DjE4X3mpf93a72Rn7VRnefldNauBzr5z2hfZptmBNtTUQ==
+  dependencies:
+    "@tailwindcss/node" "^4.0.6"
+    "@tailwindcss/oxide" "^4.0.6"
+    lightningcss "^1.29.1"
+    tailwindcss "4.0.6"
+
 "@tanstack/virtual-core@3.10.8":
   version "3.10.8"
   resolved "https://registry.yarnpkg.com/@tanstack/virtual-core/-/virtual-core-3.10.8.tgz#975446a667755222f62884c19e5c3c66d959b8b4"
@@ -2869,6 +2960,14 @@ enhanced-resolve@^5.14.1:
     graceful-fs "^4.2.4"
     tapable "^2.2.0"
 
+enhanced-resolve@^5.18.0:
+  version "5.18.1"
+  resolved "https://registry.yarnpkg.com/enhanced-resolve/-/enhanced-resolve-5.18.1.tgz#728ab082f8b7b6836de51f1637aab5d3b9568faf"
+  integrity sha512-ZSW3ma5GkcQBIpwZTSRAI8N71Uuwgs93IezB7mf7R60tC8ZbJideoDNKjHn2O9KIlx6rkGTTEk1xUCK2E1Y2Yg==
+  dependencies:
+    graceful-fs "^4.2.4"
+    tapable "^2.2.0"
+
 entities@^4.2.0, entities@^4.5.0:
   version "4.5.0"
   resolved "https://registry.yarnpkg.com/entities/-/entities-4.5.0.tgz#5d268ea5e7113ec74c4d033b79ea5a35a488fb48"
@@ -3881,6 +3980,11 @@ jiti@^2.1.2, jiti@^2.3.0, jiti@^2.3.1, jiti@^2.4.0:
   resolved "https://registry.yarnpkg.com/jiti/-/jiti-2.4.0.tgz#393d595fb6031a11d11171b5e4fc0b989ba3e053"
   integrity sha512-H5UpaUI+aHOqZXlYOaFP/8AzKsg+guWu+Pr3Y8i7+Y3zr1aXAvCvTAQ1RxSc6oVD8R8c7brgNtTVP91E7upH/g==
 
+jiti@^2.4.2:
+  version "2.4.2"
+  resolved "https://registry.yarnpkg.com/jiti/-/jiti-2.4.2.tgz#d19b7732ebb6116b06e2038da74a55366faef560"
+  integrity sha512-rg9zJN+G4n2nfJl5MW3BMygZX56zKPNVEYYqq7adpmMh4Jn2QNEwhvQlFy6jPVdcod7txZtKHWnyZiA3a0zP7A==
+
 js-base64@^3.6.0:
   version "3.7.7"
   resolved "https://registry.yarnpkg.com/js-base64/-/js-base64-3.7.7.tgz#e51b84bf78fbf5702b9541e2cb7bfcb893b43e79"
@@ -4033,10 +4137,73 @@ lazystream@^1.0.0:
   dependencies:
     readable-stream "^2.0.5"
 
-lilconfig@^2.1.0:
-  version "2.1.0"
-  resolved "https://registry.yarnpkg.com/lilconfig/-/lilconfig-2.1.0.tgz#78e23ac89ebb7e1bfbf25b18043de756548e7f52"
-  integrity sha512-utWOt/GHzuUxnLKxB6dk81RoOeoNeHgbrXiuGk4yyF5qlRz+iIVWu56E2fqGHFrXz0QNUhLB/8nKqvRH66JKGQ==
+lightningcss-darwin-arm64@1.29.1:
+  version "1.29.1"
+  resolved "https://registry.yarnpkg.com/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.29.1.tgz#dce17349c7b9f968f396ec240503de14e7b4870b"
+  integrity sha512-HtR5XJ5A0lvCqYAoSv2QdZZyoHNttBpa5EP9aNuzBQeKGfbyH5+UipLWvVzpP4Uml5ej4BYs5I9Lco9u1fECqw==
+
+lightningcss-darwin-x64@1.29.1:
+  version "1.29.1"
+  resolved "https://registry.yarnpkg.com/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.29.1.tgz#e79c984180c57d00ee114210ceced83473d72dfc"
+  integrity sha512-k33G9IzKUpHy/J/3+9MCO4e+PzaFblsgBjSGlpAaFikeBFm8B/CkO3cKU9oI4g+fjS2KlkLM/Bza9K/aw8wsNA==
+
+lightningcss-freebsd-x64@1.29.1:
+  version "1.29.1"
+  resolved "https://registry.yarnpkg.com/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.29.1.tgz#4b3aec9620684a60c45266d50fd843869320f42f"
+  integrity sha512-0SUW22fv/8kln2LnIdOCmSuXnxgxVC276W5KLTwoehiO0hxkacBxjHOL5EtHD8BAXg2BvuhsJPmVMasvby3LiQ==
+
+lightningcss-linux-arm-gnueabihf@1.29.1:
+  version "1.29.1"
+  resolved "https://registry.yarnpkg.com/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.29.1.tgz#b80e9c4dd75652bec451ffd4d5779492a01791ff"
+  integrity sha512-sD32pFvlR0kDlqsOZmYqH/68SqUMPNj+0pucGxToXZi4XZgZmqeX/NkxNKCPsswAXU3UeYgDSpGhu05eAufjDg==
+
+lightningcss-linux-arm64-gnu@1.29.1:
+  version "1.29.1"
+  resolved "https://registry.yarnpkg.com/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.29.1.tgz#7825eb119ddf580a4a4f011c6f384a3f9c992060"
+  integrity sha512-0+vClRIZ6mmJl/dxGuRsE197o1HDEeeRk6nzycSy2GofC2JsY4ifCRnvUWf/CUBQmlrvMzt6SMQNMSEu22csWQ==
+
+lightningcss-linux-arm64-musl@1.29.1:
+  version "1.29.1"
+  resolved "https://registry.yarnpkg.com/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.29.1.tgz#389efccf80088dce2bb00e28bd7d1cfe36a71669"
+  integrity sha512-UKMFrG4rL/uHNgelBsDwJcBqVpzNJbzsKkbI3Ja5fg00sgQnHw/VrzUTEc4jhZ+AN2BvQYz/tkHu4vt1kLuJyw==
+
+lightningcss-linux-x64-gnu@1.29.1:
+  version "1.29.1"
+  resolved "https://registry.yarnpkg.com/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.29.1.tgz#98fc5df5e39ac8ddc51e51f785849eb21131f789"
+  integrity sha512-u1S+xdODy/eEtjADqirA774y3jLcm8RPtYztwReEXoZKdzgsHYPl0s5V52Tst+GKzqjebkULT86XMSxejzfISw==
+
+lightningcss-linux-x64-musl@1.29.1:
+  version "1.29.1"
+  resolved "https://registry.yarnpkg.com/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.29.1.tgz#fb4f80895ba7dfa8048ee32e9716a1684fefd6b2"
+  integrity sha512-L0Tx0DtaNUTzXv0lbGCLB/c/qEADanHbu4QdcNOXLIe1i8i22rZRpbT3gpWYsCh9aSL9zFujY/WmEXIatWvXbw==
+
+lightningcss-win32-arm64-msvc@1.29.1:
+  version "1.29.1"
+  resolved "https://registry.yarnpkg.com/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.29.1.tgz#fd4409fd1505d89d0ff66511c36df5a1379eb7cd"
+  integrity sha512-QoOVnkIEFfbW4xPi+dpdft/zAKmgLgsRHfJalEPYuJDOWf7cLQzYg0DEh8/sn737FaeMJxHZRc1oBreiwZCjog==
+
+lightningcss-win32-x64-msvc@1.29.1:
+  version "1.29.1"
+  resolved "https://registry.yarnpkg.com/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.29.1.tgz#54dcd52884f6cbf205a53d49239559603f194927"
+  integrity sha512-NygcbThNBe4JElP+olyTI/doBNGJvLs3bFCRPdvuCcxZCcCZ71B858IHpdm7L1btZex0FvCmM17FK98Y9MRy1Q==
+
+lightningcss@^1.29.1:
+  version "1.29.1"
+  resolved "https://registry.yarnpkg.com/lightningcss/-/lightningcss-1.29.1.tgz#1d4d62332fc5ba4b6c28e04a8c5638c76019702b"
+  integrity sha512-FmGoeD4S05ewj+AkhTY+D+myDvXI6eL27FjHIjoyUkO/uw7WZD1fBVs0QxeYWa7E17CUHJaYX/RUGISCtcrG4Q==
+  dependencies:
+    detect-libc "^1.0.3"
+  optionalDependencies:
+    lightningcss-darwin-arm64 "1.29.1"
+    lightningcss-darwin-x64 "1.29.1"
+    lightningcss-freebsd-x64 "1.29.1"
+    lightningcss-linux-arm-gnueabihf "1.29.1"
+    lightningcss-linux-arm64-gnu "1.29.1"
+    lightningcss-linux-arm64-musl "1.29.1"
+    lightningcss-linux-x64-gnu "1.29.1"
+    lightningcss-linux-x64-musl "1.29.1"
+    lightningcss-win32-arm64-msvc "1.29.1"
+    lightningcss-win32-x64-msvc "1.29.1"
 
 lilconfig@^3.0.0, lilconfig@^3.1.2:
   version "3.1.2"
@@ -6500,33 +6667,15 @@ tailwind-config-viewer@^2.0.4:
     portfinder "^1.0.26"
     replace-in-file "^6.1.0"
 
-tailwindcss@^3.4.15:
-  version "3.4.15"
-  resolved "https://registry.yarnpkg.com/tailwindcss/-/tailwindcss-3.4.15.tgz#04808bf4bf1424b105047d19e7d4bfab368044a9"
-  integrity sha512-r4MeXnfBmSOuKUWmXe6h2CcyfzJCEk4F0pptO5jlnYSIViUkVmsawj80N5h2lO3gwcmSb4n3PuN+e+GC1Guylw==
-  dependencies:
-    "@alloc/quick-lru" "^5.2.0"
-    arg "^5.0.2"
-    chokidar "^3.6.0"
-    didyoumean "^1.2.2"
-    dlv "^1.1.3"
-    fast-glob "^3.3.2"
-    glob-parent "^6.0.2"
-    is-glob "^4.0.3"
-    jiti "^1.21.6"
-    lilconfig "^2.1.0"
-    micromatch "^4.0.8"
-    normalize-path "^3.0.0"
-    object-hash "^3.0.0"
-    picocolors "^1.1.1"
-    postcss "^8.4.47"
-    postcss-import "^15.1.0"
-    postcss-js "^4.0.1"
-    postcss-load-config "^4.0.2"
-    postcss-nested "^6.2.0"
-    postcss-selector-parser "^6.1.2"
-    resolve "^1.22.8"
-    sucrase "^3.35.0"
+tailwindcss@4.0.6:
+  version "4.0.6"
+  resolved "https://registry.yarnpkg.com/tailwindcss/-/tailwindcss-4.0.6.tgz#c033bfba94d6e3bf70650a2f9fe949f39d3bb191"
+  integrity sha512-mysewHYJKaXgNOW6pp5xon/emCsfAMnO8WMaGKZZ35fomnR/T5gYnRg2/yRTTrtXiEl1tiVkeRt0eMO6HxEZqw==
+
+tailwindcss@^4.0.0:
+  version "4.0.0"
+  resolved "https://registry.yarnpkg.com/tailwindcss/-/tailwindcss-4.0.0.tgz#1f275ed16eb4127cb70bf5e9f53fb8eb7b72be3c"
+  integrity sha512-ULRPI3A+e39T7pSaf1xoi58AqqJxVCLg8F/uM5A3FadUbnyDTgltVnXJvdkTjwCOGA6NazqHVcwPJC5h2vRYVQ==
 
 tailwindcss@~3.4.13:
   version "3.4.17"

From 1ce707788d0c8d1f077c568e1c1a574193559461 Mon Sep 17 00:00:00 2001
From: DecDuck <declanahofmeyr@gmail.com>
Date: Mon, 10 Mar 2025 11:39:45 +1100
Subject: [PATCH 22/22] fix: decduck's code review

---
 .../migration.sql                             |  52 +++++++++
 .../migration.sql                             |   8 ++
 .../migration.sql                             |   8 ++
 prisma/schema/auth.prisma                     |   2 +-
 prisma/schema/news.prisma                     |  32 ++++--
 prisma/schema/schema.prisma                   |   2 +-
 prisma/schema/user.prisma                     |   2 +-
 .../{[id].delete.ts => [id]/index.delete.ts}  |   0
 server/api/v1/admin/news/[id]/index.get.ts    |  27 +++++
 server/api/v1/admin/news/index.get.ts         |  36 ++++++
 server/api/v1/admin/news/index.post.ts        |  19 ++-
 server/api/v1/auth/signup/simple.post.ts      |   2 +-
 server/api/v1/news/[id]/index.get.ts          |  24 ++--
 server/api/v1/news/index.get.ts               |  36 ++++--
 server/internal/acls/descriptions.ts          |   6 +
 server/internal/acls/index.ts                 |   4 +
 server/internal/news/index.ts                 | 108 +++++++++---------
 17 files changed, 274 insertions(+), 94 deletions(-)
 create mode 100644 prisma/migrations/20250309234300_news_articles/migration.sql
 create mode 100644 prisma/migrations/20250309234801_make_tags_unique/migration.sql
 create mode 100644 prisma/migrations/20250309234846_make_tokens_unique/migration.sql
 rename server/api/v1/admin/news/{[id].delete.ts => [id]/index.delete.ts} (100%)
 create mode 100644 server/api/v1/admin/news/[id]/index.get.ts
 create mode 100644 server/api/v1/admin/news/index.get.ts

diff --git a/prisma/migrations/20250309234300_news_articles/migration.sql b/prisma/migrations/20250309234300_news_articles/migration.sql
new file mode 100644
index 00000000..23a25c05
--- /dev/null
+++ b/prisma/migrations/20250309234300_news_articles/migration.sql
@@ -0,0 +1,52 @@
+/*
+  Warnings:
+
+  - You are about to drop the `news` table. If the table is not empty, all the data it contains will be lost.
+
+*/
+-- DropForeignKey
+ALTER TABLE "news" DROP CONSTRAINT "news_authorId_fkey";
+
+-- DropTable
+DROP TABLE "news";
+
+-- CreateTable
+CREATE TABLE "Tag" (
+    "id" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+
+    CONSTRAINT "Tag_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "Article" (
+    "id" TEXT NOT NULL,
+    "title" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+    "content" TEXT NOT NULL,
+    "image" TEXT,
+    "publishedAt" TIMESTAMP(3) NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    "authorId" TEXT,
+
+    CONSTRAINT "Article_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "_ArticleToTag" (
+    "A" TEXT NOT NULL,
+    "B" TEXT NOT NULL,
+
+    CONSTRAINT "_ArticleToTag_AB_pkey" PRIMARY KEY ("A","B")
+);
+
+-- CreateIndex
+CREATE INDEX "_ArticleToTag_B_index" ON "_ArticleToTag"("B");
+
+-- AddForeignKey
+ALTER TABLE "Article" ADD CONSTRAINT "Article_authorId_fkey" FOREIGN KEY ("authorId") REFERENCES "User"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "_ArticleToTag" ADD CONSTRAINT "_ArticleToTag_A_fkey" FOREIGN KEY ("A") REFERENCES "Article"("id") ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "_ArticleToTag" ADD CONSTRAINT "_ArticleToTag_B_fkey" FOREIGN KEY ("B") REFERENCES "Tag"("id") ON DELETE CASCADE ON UPDATE CASCADE;
diff --git a/prisma/migrations/20250309234801_make_tags_unique/migration.sql b/prisma/migrations/20250309234801_make_tags_unique/migration.sql
new file mode 100644
index 00000000..918aee1c
--- /dev/null
+++ b/prisma/migrations/20250309234801_make_tags_unique/migration.sql
@@ -0,0 +1,8 @@
+/*
+  Warnings:
+
+  - A unique constraint covering the columns `[name]` on the table `Tag` will be added. If there are existing duplicate values, this will fail.
+
+*/
+-- CreateIndex
+CREATE UNIQUE INDEX "Tag_name_key" ON "Tag"("name");
diff --git a/prisma/migrations/20250309234846_make_tokens_unique/migration.sql b/prisma/migrations/20250309234846_make_tokens_unique/migration.sql
new file mode 100644
index 00000000..a09d63cc
--- /dev/null
+++ b/prisma/migrations/20250309234846_make_tokens_unique/migration.sql
@@ -0,0 +1,8 @@
+/*
+  Warnings:
+
+  - A unique constraint covering the columns `[token]` on the table `APIToken` will be added. If there are existing duplicate values, this will fail.
+
+*/
+-- CreateIndex
+CREATE UNIQUE INDEX "APIToken_token_key" ON "APIToken"("token");
diff --git a/prisma/schema/auth.prisma b/prisma/schema/auth.prisma
index b321ac54..ac3b5d05 100644
--- a/prisma/schema/auth.prisma
+++ b/prisma/schema/auth.prisma
@@ -29,7 +29,7 @@ enum APITokenMode {
 
 model APIToken {
     id    String       @id @default(uuid())
-    token String       @default(uuid())
+    token String       @default(uuid()) @unique
     mode  APITokenMode
     name  String
 
diff --git a/prisma/schema/news.prisma b/prisma/schema/news.prisma
index dd2bde6b..d9ef63c3 100644
--- a/prisma/schema/news.prisma
+++ b/prisma/schema/news.prisma
@@ -1,13 +1,21 @@
-model News {
-  id          String   @id @default(uuid())
-  title       String
-  content     String   @db.Text
-  excerpt     String
-  tags        String[]
-  image       String?
-  publishedAt DateTime @default(now())
-  author      User     @relation(fields: [authorId], references: [id])
-  authorId    String
+model Tag {
+  id   String @id @default(uuid())
+  name String @unique
 
-  @@map("news")
-} 
+  articles Article[]
+}
+
+model Article {
+  id          String @id @default(uuid())
+  title       String
+  description String
+  content     String @db.Text
+
+  tags Tag[]
+
+  image       String? // Object ID
+  publishedAt DateTime @default(now())
+
+  author   User?   @relation(fields: [authorId], references: [id]) // Optional, if no user, it's a system post
+  authorId String?
+}
diff --git a/prisma/schema/schema.prisma b/prisma/schema/schema.prisma
index 37dc089c..3d004c4e 100644
--- a/prisma/schema/schema.prisma
+++ b/prisma/schema/schema.prisma
@@ -6,7 +6,7 @@
 
 generator client {
   provider        = "prisma-client-js"
-  previewFeatures = ["prismaSchemaFolder", "omitApi"]
+  previewFeatures = ["prismaSchemaFolder", "omitApi", "fullTextSearchPostgres"]
 }
 
 datasource db {
diff --git a/prisma/schema/user.prisma b/prisma/schema/user.prisma
index 30173fec..a664f50a 100644
--- a/prisma/schema/user.prisma
+++ b/prisma/schema/user.prisma
@@ -11,7 +11,7 @@ model User {
     clients       Client[]
     notifications Notification[]
     collections   Collection[]
-    news          News[]
+    articles      Article[]
 
     tokens APIToken[]
 }
diff --git a/server/api/v1/admin/news/[id].delete.ts b/server/api/v1/admin/news/[id]/index.delete.ts
similarity index 100%
rename from server/api/v1/admin/news/[id].delete.ts
rename to server/api/v1/admin/news/[id]/index.delete.ts
diff --git a/server/api/v1/admin/news/[id]/index.get.ts b/server/api/v1/admin/news/[id]/index.get.ts
new file mode 100644
index 00000000..50161e35
--- /dev/null
+++ b/server/api/v1/admin/news/[id]/index.get.ts
@@ -0,0 +1,27 @@
+import { defineEventHandler, createError } from "h3";
+import aclManager from "~/server/internal/acls";
+import newsManager from "~/server/internal/news";
+
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, ["news:read"]);
+  if (!allowed)
+    throw createError({
+      statusCode: 403,
+    });
+
+  const id = h3.context.params?.id;
+  if (!id)
+    throw createError({
+      statusCode: 400,
+      message: "Missing news ID",
+    });
+
+  const news = await newsManager.fetchById(id);
+  if (!news)
+    throw createError({
+      statusCode: 404,
+      message: "News article not found",
+    });
+
+  return news;
+});
diff --git a/server/api/v1/admin/news/index.get.ts b/server/api/v1/admin/news/index.get.ts
new file mode 100644
index 00000000..f314917e
--- /dev/null
+++ b/server/api/v1/admin/news/index.get.ts
@@ -0,0 +1,36 @@
+import { defineEventHandler, getQuery } from "h3";
+import aclManager from "~/server/internal/acls";
+import newsManager from "~/server/internal/news";
+
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, ["news:read"]);
+  if (!allowed)
+    throw createError({
+      statusCode: 403,
+    });
+
+  const query = getQuery(h3);
+
+  const orderBy = query.order as "asc" | "desc";
+  if (orderBy) {
+    if (typeof orderBy !== "string" || !["asc", "desc"].includes(orderBy))
+      throw createError({ statusCode: 400, statusMessage: "Invalid order" });
+  }
+
+  const tags = query.tags as string[] | undefined;
+  if (tags) {
+    if (typeof tags !== "object" || !Array.isArray(tags))
+      throw createError({ statusCode: 400, statusMessage: "Invalid tags" });
+  }
+
+  const options = {
+    take: parseInt(query.limit as string),
+    skip: parseInt(query.skip as string),
+    orderBy: orderBy,
+    tags: tags?.map((e) => e.toString()),
+    search: query.search as string,
+  };
+
+  const news = await newsManager.fetch(options);
+  return news;
+});
diff --git a/server/api/v1/admin/news/index.post.ts b/server/api/v1/admin/news/index.post.ts
index 61c4d926..16afed14 100644
--- a/server/api/v1/admin/news/index.post.ts
+++ b/server/api/v1/admin/news/index.post.ts
@@ -1,21 +1,20 @@
 import { defineEventHandler, createError, readBody } from "h3";
+import aclManager from "~/server/internal/acls";
 import newsManager from "~/server/internal/news";
 
-export default defineEventHandler(async (event) => {
-  const body = await readBody(event);
-  
-  if (!body.authorId) {
-    throw createError({
-      statusCode: 400,
-      message: 'Author ID is required'
-    });
-  }
+export default defineEventHandler(async (h3) => {
+  const allowed = await aclManager.allowSystemACL(h3, ["news:create"]);
+  if (!allowed) throw createError({ statusCode: 403 });
+
+  const body = await readBody(h3);
 
   const article = await newsManager.create({
     title: body.title,
+    description: body.description,
     content: body.content,
-    excerpt: body.excerpt,
+
     tags: body.tags,
+
     image: body.image,
     authorId: body.authorId,
   });
diff --git a/server/api/v1/auth/signup/simple.post.ts b/server/api/v1/auth/signup/simple.post.ts
index f6e27faa..895ec514 100644
--- a/server/api/v1/auth/signup/simple.post.ts
+++ b/server/api/v1/auth/signup/simple.post.ts
@@ -93,7 +93,7 @@ export default defineEventHandler(async (h3) => {
     profilePictureId,
     async () => jdenticon.toPng(username, 256),
     {},
-    [`anonymous:read`, `${userId}:write`]
+    [`internal:read`, `${userId}:write`]
   );
   const user = await prisma.user.create({
     data: {
diff --git a/server/api/v1/news/[id]/index.get.ts b/server/api/v1/news/[id]/index.get.ts
index 07c62dfe..f83047fa 100644
--- a/server/api/v1/news/[id]/index.get.ts
+++ b/server/api/v1/news/[id]/index.get.ts
@@ -1,22 +1,30 @@
 import { defineEventHandler, createError } from "h3";
+import aclManager from "~/server/internal/acls";
 import newsManager from "~/server/internal/news";
 
-export default defineEventHandler(async (event) => {
-  const id = event.context.params?.id;
-  if (!id) {
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.getUserIdACL(h3, ["news:read"]);
+  if (!userId)
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Requires authentication",
+    });
+
+  const id = h3.context.params?.id;
+  if (!id)
     throw createError({
       statusCode: 400,
       message: "Missing news ID",
     });
-  }
+  
 
-  const news = await newsManager.getById(id);
-  if (!news) {
+  const news = await newsManager.fetchById(id);
+  if (!news)
     throw createError({
       statusCode: 404,
       message: "News article not found",
     });
-  }
+
 
   return news;
-}); 
+});
diff --git a/server/api/v1/news/index.get.ts b/server/api/v1/news/index.get.ts
index 3bc4108e..5f846f20 100644
--- a/server/api/v1/news/index.get.ts
+++ b/server/api/v1/news/index.get.ts
@@ -1,17 +1,37 @@
 import { defineEventHandler, getQuery } from "h3";
+import aclManager from "~/server/internal/acls";
 import newsManager from "~/server/internal/news";
 
-export default defineEventHandler(async (event) => {
-  const query = getQuery(event);
-  
+export default defineEventHandler(async (h3) => {
+  const userId = await aclManager.getUserIdACL(h3, ["news:read"]);
+  if (!userId)
+    throw createError({
+      statusCode: 403,
+      statusMessage: "Requires authentication",
+    });
+
+  const query = getQuery(h3);
+
+  const orderBy = query.order as "asc" | "desc";
+  if (orderBy) {
+    if (typeof orderBy !== "string" || !["asc", "desc"].includes(orderBy))
+      throw createError({ statusCode: 400, statusMessage: "Invalid order" });
+  }
+
+  const tags = query.tags as string[] | undefined;
+  if (tags) {
+    if (typeof tags !== "object" || !Array.isArray(tags))
+      throw createError({ statusCode: 400, statusMessage: "Invalid tags" });
+  }
+
   const options = {
-    take: query.limit ? parseInt(query.limit as string) : undefined,
-    skip: query.skip ? parseInt(query.skip as string) : undefined,
-    orderBy: query.order as 'asc' | 'desc',
-    tags: query.tags ? (query.tags as string).split(',') : undefined,
+    take: parseInt(query.limit as string),
+    skip: parseInt(query.skip as string),
+    orderBy: orderBy,
+    tags: tags?.map((e) => e.toString()),
     search: query.search as string,
   };
 
-  const news = await newsManager.getAll(options);
+  const news = await newsManager.fetch(options);
   return news;
 });
diff --git a/server/internal/acls/descriptions.ts b/server/internal/acls/descriptions.ts
index 7b3bad58..dde3aa1b 100644
--- a/server/internal/acls/descriptions.ts
+++ b/server/internal/acls/descriptions.ts
@@ -30,6 +30,8 @@ export const userACLDescriptions: ObjectFromList<typeof userACLs> = {
     "Remove a game from any collection (excluding library).",
   "library:add": "Add a game to your library.",
   "library:remove": "Remove a game from your library.",
+
+  "news:read": "Read the server's news articles.",
 };
 
 export const systemACLDescriptions: ObjectFromList<typeof systemACLs> = {
@@ -55,4 +57,8 @@ export const systemACLDescriptions: ObjectFromList<typeof systemACLs> = {
   "import:game:new": "Import a game.",
 
   "user:read": "Fetch any user's information.",
+  
+  "news:read": "Read news articles.",
+  "news:create": "Create a new news article.",
+  "news:delete": "Delete a news article."
 };
diff --git a/server/internal/acls/index.ts b/server/internal/acls/index.ts
index 65b4664f..d191d59f 100644
--- a/server/internal/acls/index.ts
+++ b/server/internal/acls/index.ts
@@ -53,6 +53,10 @@ export const systemACLs = [
   "import:game:new",
 
   "user:read",
+
+  "news:read",
+  "news:create",
+  "news:delete",
 ] as const;
 const systemACLPrefix = "system:";
 
diff --git a/server/internal/news/index.ts b/server/internal/news/index.ts
index e1f91191..94d3a88e 100644
--- a/server/internal/news/index.ts
+++ b/server/internal/news/index.ts
@@ -1,70 +1,72 @@
+import { triggerAsyncId } from "async_hooks";
 import prisma from "../db/database";
 
 class NewsManager {
   async create(data: {
     title: string;
     content: string;
-    excerpt: string;
+    description: string;
     tags: string[];
     authorId: string;
     image?: string;
   }) {
-    return await prisma.news.create({
+    return await prisma.article.create({
       data: {
         title: data.title,
+        description: data.description,
         content: data.content,
-        excerpt: data.excerpt,
-        tags: data.tags,
+
+        tags: {
+          connectOrCreate: data.tags.map((e) => ({
+            where: { name: e },
+            create: { name: e },
+          })),
+        },
+
         image: data.image,
         author: {
           connect: {
             id: data.authorId,
           },
         },
-        publishedAt: new Date(),
       },
     });
   }
 
-  async getAll(options?: {
-    take?: number;
-    skip?: number;
-    orderBy?: 'asc' | 'desc';
-    tags?: string[];
-    search?: string;
-  }) {
-    const where = {
-      AND: [
-        options?.tags?.length ? {
-          tags: {
-            hasSome: options.tags,
+  async fetch(
+    options: {
+      take?: number;
+      skip?: number;
+      orderBy?: "asc" | "desc";
+      tags?: string[];
+      search?: string;
+    } = {}
+  ) {
+    return await prisma.article.findMany({
+      where: {
+        AND: [
+          {
+            tags: {
+              some: { OR: options.tags?.map((e) => ({ name: e })) ?? [] },
+            },
           },
-        } : {},
-        options?.search ? {
-          OR: [
-            {
-              title: {
-                contains: options.search,
-                mode: 'insensitive' as const,
-              },
+          {
+            title: {
+              search: options.search
             },
-            {
-              content: {
-                contains: options.search,
-                mode: 'insensitive' as const,
-              },
+            description: {
+              search: options.search
             },
-          ],
-        } : {},
-      ],
-    };
-
-    return await prisma.news.findMany({
-      where,
-      take: options?.take,
-      skip: options?.skip,
+            content: {
+              search: options.search
+            }
+          }
+        ],
+      },
+      take: options?.take || 10,
+      skip: options?.skip || 0,
       orderBy: {
-        publishedAt: options?.orderBy || 'desc',
+        publishedAt: options?.orderBy || "desc",
       },
       include: {
         author: {
@@ -77,8 +79,8 @@ class NewsManager {
     });
   }
 
-  async getById(id: string) {
-    return await prisma.news.findUnique({
+  async fetchById(id: string) {
+    return await prisma.article.findUnique({
       where: { id },
       include: {
         author: {
@@ -91,24 +93,26 @@ class NewsManager {
     });
   }
 
-  async update(id: string, data: {
-    title?: string;
-    content?: string;
-    excerpt?: string;
-    tags?: string[];
-    image?: string;
-  }) {
-    return await prisma.news.update({
+  async update(
+    id: string,
+    data: {
+      title?: string;
+      content?: string;
+      excerpt?: string;
+      image?: string;
+    }
+  ) {
+    return await prisma.article.update({
       where: { id },
       data,
     });
   }
 
   async delete(id: string) {
-    return await prisma.news.delete({
+    return await prisma.article.delete({
       where: { id },
     });
   }
 }
 
-export default new NewsManager(); 
+export default new NewsManager();