itsLeonB · itsLeonB · Jun 15, 2026 · Jun 15, 2026
@@ -14,9 +14,8 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/itsLeonB/ezutil/v2 v2.4.0
 	github.com/itsLeonB/ginkgo v0.6.1
-	github.com/itsLeonB/go-authkit v0.0.3
+	github.com/itsLeonB/go-authkit v0.0.5
 	github.com/itsLeonB/go-crud v1.4.0
-	github.com/itsLeonB/sekure v0.1.1
 	github.com/itsLeonB/ungerr v0.4.0
 	github.com/joho/godotenv v1.5.1
 	github.com/kelseyhightower/envconfig v1.4.0

@@ -318,12 +318,10 @@ github.com/itsLeonB/ezutil/v2 v2.4.0 h1:ylhQWF0yoBGltfuU4zi0wPj+JCoVv9jPoNvZsNON
 github.com/itsLeonB/ezutil/v2 v2.4.0/go.mod h1:h30JTcbfmdbMXfgc9ARGlqoudR2UMG2EV49dpIZ60Os=
 github.com/itsLeonB/ginkgo v0.6.1 h1:M6oNaA+V+t2zEiq7Oao53zz1Pn3ucAzl5ESL3JFduTo=
 github.com/itsLeonB/ginkgo v0.6.1/go.mod h1:BeT3tcIuen91lNjMyUTmP0N+ckCzlZsv+wMoxj4kqEo=
-github.com/itsLeonB/go-authkit v0.0.3 h1:ICGLle0hWu5FoV+71Cs01/VqPDagqOZ9WXT+n4DjGfI=
-github.com/itsLeonB/go-authkit v0.0.3/go.mod h1:ojg5B2Ld99dnyzKgJZuaVnGeabah9IE+/dnTAaDygCM=
+github.com/itsLeonB/go-authkit v0.0.5 h1:1SctZlCh6/X92AZ6zrBD5jNn67BRw1S460NoKmvuNCo=
+github.com/itsLeonB/go-authkit v0.0.5/go.mod h1:LaTtHS4Wkn3lqrd5rf5RLYgeJ5UEAQ+KFK1x6Fr6Tx8=
 github.com/itsLeonB/go-crud v1.4.0 h1:A8gRbxFJ9VrrqkoBUKvhf1I3EmXz2evFM660gk5wexI=
 github.com/itsLeonB/go-crud v1.4.0/go.mod h1:cndhkAF9Z0m2cMsKfD8Z2R07lPAJqHpazCF0UlfW89U=
-github.com/itsLeonB/sekure v0.1.1 h1:4xoL/rZs0ouvR86edkEkjOsxJM+d04R8i0NU4JiPJu8=
-github.com/itsLeonB/sekure v0.1.1/go.mod h1:YWC1y5HnG02hy/WltPUqCem3+RtV8Q9BRp2+esDKjX8=
 github.com/itsLeonB/ungerr v0.4.0 h1:unXts8ahcD7mTnlzJgem5twGcQLMPzo3Vn35PbORito=
 github.com/itsLeonB/ungerr v0.4.0/go.mod h1:6zc0blpoIkdqkq90Q9rqCYFjyxR1uOn5n+5z7KSgWxM=
 github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsIM=

@@ -0,0 +1,113 @@
+package adminauth
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+	"github.com/itsLeonB/cashback/internal/domain/entity/admin"
+	"github.com/itsLeonB/go-authkit"
+	"github.com/itsLeonB/go-crud"
+)
+
+type UserStore struct {
+	repo crud.Repository[admin.User]
+}
+
+func NewUserStore(repo crud.Repository[admin.User]) *UserStore {
+	return &UserStore{repo: repo}
+}
+
+func (s *UserStore) FindByID(ctx context.Context, userID string) (authkit.User, error) {
+	uid, err := uuid.Parse(userID)
+	if err != nil {
+		return authkit.User{}, authkit.ErrUserNotFound
+	}
+	spec := crud.Specification[admin.User]{}
+	spec.Model.ID = uid
+	user, err := s.repo.FindFirst(ctx, spec)
+	if err != nil {
+		return authkit.User{}, err
+	}
+	if user.IsZero() {
+		return authkit.User{}, authkit.ErrUserNotFound
+	}
+	return toAuthUser(user), nil
+}
+
+func (s *UserStore) FindByEmail(ctx context.Context, email string) (authkit.User, error) {
+	spec := crud.Specification[admin.User]{}
+	spec.Model.Email = email
+	user, err := s.repo.FindFirst(ctx, spec)
+	if err != nil {
+		return authkit.User{}, err
+	}
+	if user.IsZero() {
+		return authkit.User{}, authkit.ErrUserNotFound
+	}
+	return toAuthUser(user), nil
+}
+
+func (s *UserStore) Create(ctx context.Context, email, passwordHash string) (authkit.User, error) {
+	user, err := s.repo.Insert(ctx, admin.User{
+		Email:    email,
+		Password: passwordHash,
+	})
+	if err != nil {
+		return authkit.User{}, err
+	}
+	return toAuthUser(user), nil
+}
+
+func (s *UserStore) CreateOAuth(_ context.Context, _, _, _ string) (authkit.User, error) {
+	return authkit.User{}, authkit.ErrNotSupported
+}
+
+func (s *UserStore) SetVerified(_ context.Context, userID, _, _ string) (authkit.User, error) {
+	// Admin users are always considered verified.
+	return authkit.User{ID: userID, Verified: true}, nil
+}
+
+func (s *UserStore) UpdatePassword(ctx context.Context, userID, passwordHash string) error {
+	uid, err := uuid.Parse(userID)
+	if err != nil {
+		return authkit.ErrUserNotFound
+	}
+	spec := crud.Specification[admin.User]{}
+	spec.Model.ID = uid
+	user, err := s.repo.FindFirst(ctx, spec)
+	if err != nil {
+		return err
+	}
+	if user.IsZero() {
+		return authkit.ErrUserNotFound
+	}
+	user.Password = passwordHash
+	_, err = s.repo.Update(ctx, user)
+	return err
+}
+
+func (s *UserStore) Exists(ctx context.Context, userID string) error {
+	uid, err := uuid.Parse(userID)
+	if err != nil {
+		return authkit.ErrUserNotFound
+	}
+	spec := crud.Specification[admin.User]{}
+	spec.Model.ID = uid
+	user, err := s.repo.FindFirst(ctx, spec)
+	if err != nil {
+		return err
+	}
+	if user.IsZero() {
+		return authkit.ErrUserNotFound
+	}
+	return nil
+}
+
+func toAuthUser(u admin.User) authkit.User {
+	return authkit.User{
+		ID:           u.ID.String(),
+		Email:        u.Email,
+		PasswordHash: u.Password,
+		Verified:     true, // admin users are always verified
+	}
+}
@@ -4,35 +4,26 @@ import (
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	"github.com/itsLeonB/cashback/internal/core/util"
 	"github.com/itsLeonB/cashback/internal/domain/dto"
-	"github.com/itsLeonB/cashback/internal/domain/service/admin"
+	adminEntity "github.com/itsLeonB/cashback/internal/domain/entity/admin"
+	"github.com/itsLeonB/go-authkit/authgin"
+	"github.com/itsLeonB/go-crud"
 	"github.com/itsLeonB/ginkgo/pkg/server"
+	"github.com/itsLeonB/ungerr"
 )
 
 type AuthHandler struct {
-	authSvc admin.AuthService
+	stateless *authgin.StatelessHandler
+	userRepo  crud.Repository[adminEntity.User]
 }
 
 func (ah *AuthHandler) HandleRegister() gin.HandlerFunc {
-	return server.Handler("AuthHandler.HandleRegister", http.StatusCreated, func(ctx *gin.Context) (any, error) {
-		request, err := server.BindJSON[dto.RegisterRequest](ctx)
-		if err != nil {
-			return nil, err
-		}
-
-		return nil, ah.authSvc.Register(ctx.Request.Context(), request)
-	})
+	return ah.stateless.Register()
 }
 
 func (ah *AuthHandler) HandleLogin() gin.HandlerFunc {
-	return server.Handler("AuthHandler.HandleLogin", http.StatusOK, func(ctx *gin.Context) (any, error) {
-		request, err := server.BindJSON[dto.InternalLoginRequest](ctx)
-		if err != nil {
-			return nil, err
-		}
-
-		return ah.authSvc.Login(ctx.Request.Context(), request)
-	})
+	return ah.stateless.Login()
 }
 
 func (ah *AuthHandler) HandleMe() gin.HandlerFunc {
@@ -41,7 +32,15 @@ func (ah *AuthHandler) HandleMe() gin.HandlerFunc {
 		if err != nil {
 			return nil, err
 		}
-
-		return ah.authSvc.Me(ctx.Request.Context(), userID)
+		spec := crud.Specification[adminEntity.User]{}
+		spec.Model.ID = userID
+		user, err := ah.userRepo.FindFirst(ctx.Request.Context(), spec)
+		if err != nil {
+			return nil, err
+		}
+		if user.IsZero() {
+			return nil, ungerr.UnauthorizedError("user not found")
+		}
+		return dto.AdminMe{ID: user.ID, FullName: util.GetNameFromEmail(user.Email)}, nil
 	})
 }
@@ -2,7 +2,8 @@ package admin
 
 import (
 	"github.com/itsLeonB/cashback/internal/provider"
-	"github.com/itsLeonB/cashback/internal/provider/admin"
+	adminProvider "github.com/itsLeonB/cashback/internal/provider/admin"
+	"github.com/itsLeonB/go-authkit/authgin"
 )
 
 type Handlers struct {
@@ -14,9 +15,9 @@ type Handlers struct {
 	Payment      PaymentHandler
 }
 
-func ProvideHandlers(services *admin.Services, domainServices *provider.Services) *Handlers {
+func ProvideHandlers(adminServices *adminProvider.Services, adminRepos *adminProvider.Repositories, domainServices *provider.Services) *Handlers {
 	return &Handlers{
-		AuthHandler{services.Auth},
+		AuthHandler{stateless: authgin.NewStatelessHandler(adminServices.Kit), userRepo: adminRepos.User},
 		PlanHandler{domainServices.Plan},
 		PlanVersionHandler{domainServices.PlanVersion},
 		SubscriptionHandler{domainServices.Subscription},

@@ -4,7 +4,7 @@ import (
 	"github.com/gin-gonic/gin"
 	"github.com/itsLeonB/cashback/internal/core/config"
 	"github.com/itsLeonB/cashback/internal/core/logger"
-	"github.com/itsLeonB/cashback/internal/domain/service/admin"
+	"github.com/itsLeonB/go-authkit"
 	"github.com/itsLeonB/ginkgo/pkg/middleware"
 )
 
@@ -13,9 +13,13 @@ type Middlewares struct {
 	AdminAuth gin.HandlerFunc
 }
 
-func Provide(configs config.App, adminAuthSvc admin.AuthService) *Middlewares {
+func Provide(configs config.App, adminKit *authkit.AuthKit) *Middlewares {
 	adminTokenCheckFunc := func(ctx *gin.Context, token string) (bool, map[string]any, error) {
-		return adminAuthSvc.VerifyToken(ctx.Request.Context(), token)
+		claims, err := adminKit.VerifyToken(ctx.Request.Context(), token, "")
+		if err != nil {
+			return false, nil, err
+		}
+		return true, claims, nil
 	}
 
 	middlewareProvider := middleware.NewMiddlewareProvider(logger.Global)

@@ -20,7 +20,7 @@ import (
 	ginSwagger "github.com/swaggo/gin-swagger"
 )
 
-func RegisterRoutes(router *gin.Engine, configs config.Config, services *provider.Services, adminServices *admin.Services) (func(), error) {
+func RegisterRoutes(router *gin.Engine, configs config.Config, services *provider.Services, adminServices *admin.Services, adminRepos *admin.Repositories) (func(), error) {
 	authCfg := configs.Auth
 
 	transport, err := authgin.NewCookieTransport(authgin.CookieConfig{
@@ -37,8 +37,8 @@ func RegisterRoutes(router *gin.Engine, configs config.Config, services *provide
 	authMW := authgin.AuthMiddleware(services.AuthKit, transport, authkit.RequireAuth)
 
 	handlers := handler.ProvideHandlers(services, transport)
-	adminHandlers := adminHandler.ProvideHandlers(adminServices, services)
-	mw := middlewares.Provide(configs.App, adminServices.Auth)
+	adminHandlers := adminHandler.ProvideHandlers(adminServices, adminRepos, services)
+	mw := middlewares.Provide(configs.App, adminServices.Kit)
 
 	router.Use(mw.Err)
 

@@ -28,7 +28,7 @@ func Setup(configs config.Config) (*httpserver.Server, func(), error) {
 		return nil, nil, err
 	}
 
-	routesShutdown, err := RegisterRoutes(r, configs, providers.Services, providers.AdminServices)
+	routesShutdown, err := RegisterRoutes(r, configs, providers.Services, providers.AdminServices, providers.AdminRepos)
 	if err != nil {
 		return nil, nil, err
 	}

@@ -6,7 +6,6 @@ type Auth struct {
 	SecretKey     string        `split_words:"true" default:"thisissecret"`
 	TokenDuration time.Duration `split_words:"true" default:"1h"`
 	Issuer        string        `default:"cashdash"`
-	HashCost      int           `split_words:"true" default:"10"`
 }
 
 func (Auth) Prefix() string {