From 3d42591ee571f9c8f6ab32dd361b5c56b12dd2c3 Mon Sep 17 00:00:00 2001
From: Andy Burke <andy.burke@mailbox.earth>
Date: Wed, 25 Jun 2025 20:51:29 -0700
Subject: [PATCH] feature: signup and login work

---
 README.md                           |   1 +
 deno.json                           |   7 +-
 deno.lock                           | 101 ++++++++++++++++--
 models/session.ts                   |   1 +
 public/api/auth/index.ts            |  38 +++----
 public/api/users/:id/index.ts       |  46 ++++----
 public/api/users/index.ts           |  23 ++--
 public/api/users/me/README.md       |   7 ++
 public/api/users/me/index.ts        |  25 +++++
 public/index.html                   |  99 ++++++++++++++++++
 tests/api/users/create_user.test.ts |  77 ++++++++++++++
 tests/api/users/delete_user.test.ts |  84 +++++++++++++++
 tests/api/users/login.test.ts       | 157 ++++++++++++++++++++++++++++
 tests/api/users/update_user.test.ts |  82 +++++++++++++++
 tests/helpers.ts                    |  96 +++++++++++++++++
 utils/api.ts                        | 121 +++++++++++++++++++++
 utils/canned_responses.ts           |  13 +++
 utils/prechecks.ts                  |  43 ++++++++
 18 files changed, 956 insertions(+), 65 deletions(-)
 create mode 100644 public/api/users/me/README.md
 create mode 100644 public/api/users/me/index.ts
 create mode 100644 tests/api/users/create_user.test.ts
 create mode 100644 tests/api/users/delete_user.test.ts
 create mode 100644 tests/api/users/login.test.ts
 create mode 100644 tests/api/users/update_user.test.ts
 create mode 100644 tests/helpers.ts
 create mode 100644 utils/api.ts
 create mode 100644 utils/canned_responses.ts
 create mode 100644 utils/prechecks.ts

diff --git a/README.md b/README.md
index b583423..2c93bc7 100644
--- a/README.md
+++ b/README.md
@@ -27,6 +27,7 @@
 ## TODO
 
 - [x] sign up
+- [ ] check for logged in user session
 - [ ] log in
 - [ ] chat rooms
 - [ ] chat messages
diff --git a/deno.json b/deno.json
index 89e4bcd..0c12e83 100644
--- a/deno.json
+++ b/deno.json
@@ -7,7 +7,8 @@
 	"tasks": {
 		"lint": "deno lint",
 		"fmt": "deno fmt",
-		"serve": "FSDB_ROOT=$PWD/.fsdb deno --allow-env --allow-read --allow-write --allow-net jsr:@andyburke/serverus --root ./public"
+		"serve": "FSDB_ROOT=$PWD/.fsdb SERVERUS_TYPESCRIPT_IMPORT_LOGGING=1 deno --allow-env --allow-read --allow-write --allow-net jsr:@andyburke/serverus --root ./public",
+		"test": "DENO_ENV=test FSDB_ROOT=$PWD/tests/data/$(date --iso-8601=seconds) SERVERUS_TYPESCRIPT_IMPORT_LOGGING=1 SERVERUS_ROOT=$PWD/public deno test --allow-env --allow-read --allow-write --allow-net --trace-leaks --fail-fast tests/"
 	},
 	"test": {
 		"exclude": ["tests/data/"]
@@ -33,8 +34,10 @@
 	"imports": {
 		"@andyburke/fsdb": "jsr:@andyburke/fsdb@^0.4.0",
 		"@andyburke/lurid": "jsr:@andyburke/lurid@^0.2.0",
-		"@andyburke/serverus": "jsr:@andyburke/serverus@^0.0.12",
+		"@andyburke/serverus": "jsr:@andyburke/serverus@^0.6.0",
+		"@std/assert": "jsr:@std/assert@^1.0.13",
 		"@std/encoding": "jsr:@std/encoding@^1.0.10",
+		"@std/http": "jsr:@std/http@^1.0.18",
 		"@std/path": "jsr:@std/path@^1.1.0",
 		"@stdext/crypto": "jsr:@stdext/crypto@^0.1.0"
 	}
diff --git a/deno.lock b/deno.lock
index 4246f0c..f3037bd 100644
--- a/deno.lock
+++ b/deno.lock
@@ -1,21 +1,34 @@
 {
   "version": "5",
   "specifiers": {
+    "jsr:@andyburke/fsdb@*": "0.4.0",
     "jsr:@andyburke/fsdb@0.4": "0.4.0",
+    "jsr:@andyburke/lurid@*": "0.2.0",
     "jsr:@andyburke/lurid@0.2": "0.2.0",
-    "jsr:@andyburke/serverus@^0.0.12": "0.0.12",
+    "jsr:@andyburke/serverus@0.6": "0.6.0",
+    "jsr:@std/assert@*": "1.0.13",
+    "jsr:@std/assert@^1.0.13": "1.0.13",
     "jsr:@std/async@^1.0.13": "1.0.13",
     "jsr:@std/cli@^1.0.19": "1.0.20",
     "jsr:@std/cli@^1.0.20": "1.0.20",
+    "jsr:@std/encoding@*": "1.0.10",
     "jsr:@std/encoding@1": "1.0.10",
     "jsr:@std/encoding@^1.0.10": "1.0.10",
     "jsr:@std/fmt@^1.0.6": "1.0.8",
+    "jsr:@std/fmt@^1.0.8": "1.0.8",
     "jsr:@std/fs@^1.0.14": "1.0.18",
     "jsr:@std/fs@^1.0.18": "1.0.18",
-    "jsr:@std/http@^1.0.13": "1.0.17",
+    "jsr:@std/html@^1.0.4": "1.0.4",
+    "jsr:@std/http@*": "1.0.18",
+    "jsr:@std/http@^1.0.13": "1.0.18",
+    "jsr:@std/http@^1.0.18": "1.0.18",
+    "jsr:@std/internal@^1.0.6": "1.0.8",
     "jsr:@std/media-types@^1.1.0": "1.1.0",
+    "jsr:@std/net@^1.0.4": "1.0.4",
     "jsr:@std/path@^1.0.8": "1.1.0",
     "jsr:@std/path@^1.1.0": "1.1.0",
+    "jsr:@std/streams@^1.0.10": "1.0.10",
+    "jsr:@stdext/crypto@*": "0.1.0",
     "jsr:@stdext/crypto@0.1": "0.1.0"
   },
   "jsr": {
@@ -33,18 +46,24 @@
         "jsr:@std/cli@^1.0.19"
       ]
     },
-    "@andyburke/serverus@0.0.12": {
-      "integrity": "051cbffd30577e39ca604e009c3870c4b32b7e4118f2da58fc18ec05afa5b5bb",
+    "@andyburke/serverus@0.6.0": {
+      "integrity": "89f013c1d77e3d5d2c4e0908b29cc4a1acd19ebf22fa2890a6c5aa777e7b0de3",
       "dependencies": [
         "jsr:@std/async",
         "jsr:@std/cli@^1.0.19",
-        "jsr:@std/fmt",
+        "jsr:@std/fmt@^1.0.6",
         "jsr:@std/fs@^1.0.14",
-        "jsr:@std/http",
+        "jsr:@std/http@^1.0.13",
         "jsr:@std/media-types",
         "jsr:@std/path@^1.0.8"
       ]
     },
+    "@std/assert@1.0.13": {
+      "integrity": "ae0d31e41919b12c656c742b22522c32fb26ed0cba32975cb0de2a273cb68b29",
+      "dependencies": [
+        "jsr:@std/internal"
+      ]
+    },
     "@std/async@1.0.13": {
       "integrity": "1d76ca5d324aef249908f7f7fe0d39aaf53198e5420604a59ab5c035adc97c96"
     },
@@ -63,15 +82,41 @@
         "jsr:@std/path@^1.1.0"
       ]
     },
+    "@std/html@1.0.4": {
+      "integrity": "eff3497c08164e6ada49b7f81a28b5108087033823153d065e3f89467dd3d50e"
+    },
     "@std/http@1.0.17": {
       "integrity": "98aec8ab4080d95c21f731e3008f69c29c5012d12f1b4e553f85935db601569f"
     },
+    "@std/http@1.0.18": {
+      "integrity": "8d9546aa532c52a0cf318c74616db0638b4c1073405355d1b14f9e1591dccf20",
+      "dependencies": [
+        "jsr:@std/cli@^1.0.20",
+        "jsr:@std/encoding@^1.0.10",
+        "jsr:@std/fmt@^1.0.8",
+        "jsr:@std/fs@^1.0.18",
+        "jsr:@std/html",
+        "jsr:@std/media-types",
+        "jsr:@std/net",
+        "jsr:@std/path@^1.1.0",
+        "jsr:@std/streams"
+      ]
+    },
+    "@std/internal@1.0.8": {
+      "integrity": "fc66e846d8d38a47cffd274d80d2ca3f0de71040f855783724bb6b87f60891f5"
+    },
     "@std/media-types@1.1.0": {
       "integrity": "c9d093f0c05c3512932b330e3cc1fe1d627b301db33a4c2c2185c02471d6eaa4"
     },
+    "@std/net@1.0.4": {
+      "integrity": "2f403b455ebbccf83d8a027d29c5a9e3a2452fea39bb2da7f2c04af09c8bc852"
+    },
     "@std/path@1.1.0": {
       "integrity": "ddc94f8e3c275627281cbc23341df6b8bcc874d70374f75fec2533521e3d6886"
     },
+    "@std/streams@1.0.10": {
+      "integrity": "75c0b1431873cd0d8b3d679015220204d36d3c7420d93b60acfc379eb0dc30af"
+    },
     "@stdext/crypto@0.1.0": {
       "integrity": "05dc9e754c2529574d8bf98bd40c7dc468a02dcb2fa5e8644fff6813ceab66a4",
       "dependencies": [
@@ -79,12 +124,54 @@
       ]
     }
   },
+  "remote": {
+    "https://deno.land/std@0.167.0/_util/asserts.ts": "d0844e9b62510f89ce1f9878b046f6a57bf88f208a10304aab50efcb48365272",
+    "https://deno.land/std@0.167.0/_util/os.ts": "8a33345f74990e627b9dfe2de9b040004b08ea5146c7c9e8fe9a29070d193934",
+    "https://deno.land/std@0.167.0/path/_constants.ts": "df1db3ffa6dd6d1252cc9617e5d72165cd2483df90e93833e13580687b6083c3",
+    "https://deno.land/std@0.167.0/path/_interface.ts": "ee3b431a336b80cf445441109d089b70d87d5e248f4f90ff906820889ecf8d09",
+    "https://deno.land/std@0.167.0/path/_util.ts": "d16be2a16e1204b65f9d0dfc54a9bc472cafe5f4a190b3c8471ec2016ccd1677",
+    "https://deno.land/std@0.167.0/path/common.ts": "bee563630abd2d97f99d83c96c2fa0cca7cee103e8cb4e7699ec4d5db7bd2633",
+    "https://deno.land/std@0.167.0/path/glob.ts": "81cc6c72be002cd546c7a22d1f263f82f63f37fe0035d9726aa96fc8f6e4afa1",
+    "https://deno.land/std@0.167.0/path/mod.ts": "cf7cec7ac11b7048bb66af8ae03513e66595c279c65cfa12bfc07d9599608b78",
+    "https://deno.land/std@0.167.0/path/posix.ts": "b859684bc4d80edfd4cad0a82371b50c716330bed51143d6dcdbe59e6278b30c",
+    "https://deno.land/std@0.167.0/path/separator.ts": "fe1816cb765a8068afb3e8f13ad272351c85cbc739af56dacfc7d93d710fe0f9",
+    "https://deno.land/std@0.167.0/path/win32.ts": "7cebd2bda6657371adc00061a1d23fdd87bcdf64b4843bb148b0b24c11b40f69",
+    "https://deno.land/std@0.184.0/_util/asserts.ts": "178dfc49a464aee693a7e285567b3d0b555dc805ff490505a8aae34f9cfb1462",
+    "https://deno.land/std@0.184.0/_util/os.ts": "d932f56d41e4f6a6093d56044e29ce637f8dcc43c5a90af43504a889cf1775e3",
+    "https://deno.land/std@0.184.0/async/abortable.ts": "fd682fa46f3b7b16b4606a5ab52a7ce309434b76f820d3221bdfb862719a15d7",
+    "https://deno.land/std@0.184.0/async/deadline.ts": "c5facb0b404eede83e38bd2717ea8ab34faa2ffb20ef87fd261fcba32ba307aa",
+    "https://deno.land/std@0.184.0/async/debounce.ts": "adab11d04ca38d699444ac8a9d9856b4155e8dda2afd07ce78276c01ea5a4332",
+    "https://deno.land/std@0.184.0/async/deferred.ts": "42790112f36a75a57db4a96d33974a936deb7b04d25c6084a9fa8a49f135def8",
+    "https://deno.land/std@0.184.0/async/delay.ts": "73aa04cec034c84fc748c7be49bb15cac3dd43a57174bfdb7a4aec22c248f0dd",
+    "https://deno.land/std@0.184.0/async/mod.ts": "f04344fa21738e5ad6bea37a6bfffd57c617c2d372bb9f9dcfd118a1b622e576",
+    "https://deno.land/std@0.184.0/async/mux_async_iterator.ts": "70c7f2ee4e9466161350473ad61cac0b9f115cff4c552eaa7ef9d50c4cbb4cc9",
+    "https://deno.land/std@0.184.0/async/pool.ts": "fd082bd4aaf26445909889435a5c74334c017847842ec035739b4ae637ae8260",
+    "https://deno.land/std@0.184.0/async/retry.ts": "dd19d93033d8eaddbfcb7654c0366e9d3b0a21448bdb06eba4a7d8a8cf936a92",
+    "https://deno.land/std@0.184.0/async/tee.ts": "47e42d35f622650b02234d43803d0383a89eb4387e1b83b5a40106d18ae36757",
+    "https://deno.land/std@0.184.0/fmt/colors.ts": "d67e3cd9f472535241a8e410d33423980bec45047e343577554d3356e1f0ef4e",
+    "https://deno.land/std@0.184.0/fs/_util.ts": "579038bebc3bd35c43a6a7766f7d91fbacdf44bc03468e9d3134297bb99ed4f9",
+    "https://deno.land/std@0.184.0/fs/ensure_dir.ts": "dc64c4c75c64721d4e3fb681f1382f803ff3d2868f08563ff923fdd20d071c40",
+    "https://deno.land/std@0.184.0/fs/walk.ts": "920be35a7376db6c0b5b1caf1486fb962925e38c9825f90367f8f26b5e5d0897",
+    "https://deno.land/std@0.184.0/http/server.ts": "cbb17b594651215ba95c01a395700684e569c165a567e4e04bba327f41197433",
+    "https://deno.land/std@0.184.0/path/_constants.ts": "e49961f6f4f48039c0dfed3c3f93e963ca3d92791c9d478ac5b43183413136e0",
+    "https://deno.land/std@0.184.0/path/_interface.ts": "6471159dfbbc357e03882c2266d21ef9afdb1e4aa771b0545e90db58a0ba314b",
+    "https://deno.land/std@0.184.0/path/_util.ts": "d7abb1e0dea065f427b89156e28cdeb32b045870acdf865833ba808a73b576d0",
+    "https://deno.land/std@0.184.0/path/common.ts": "ee7505ab01fd22de3963b64e46cff31f40de34f9f8de1fff6a1bd2fe79380000",
+    "https://deno.land/std@0.184.0/path/glob.ts": "d479e0a695621c94d3fd7fe7abd4f9499caf32a8de13f25073451c6ef420a4e1",
+    "https://deno.land/std@0.184.0/path/mod.ts": "bf718f19a4fdd545aee1b06409ca0805bd1b68ecf876605ce632e932fe54510c",
+    "https://deno.land/std@0.184.0/path/posix.ts": "8b7c67ac338714b30c816079303d0285dd24af6b284f7ad63da5b27372a2c94d",
+    "https://deno.land/std@0.184.0/path/separator.ts": "0fb679739d0d1d7bf45b68dacfb4ec7563597a902edbaf3c59b50d5bcadd93b1",
+    "https://deno.land/std@0.184.0/path/win32.ts": "d186344e5583bcbf8b18af416d13d82b35a317116e6460a5a3953508c3de5bba",
+    "https://deno.land/x/ulid@v0.3.0/mod.ts": "f7ff065b66abd485051fc68af23becef6ccc7e81f7774d7fcfd894a4b2da1984"
+  },
   "workspace": {
     "dependencies": [
       "jsr:@andyburke/fsdb@0.4",
       "jsr:@andyburke/lurid@0.2",
-      "jsr:@andyburke/serverus@^0.0.12",
+      "jsr:@andyburke/serverus@0.6",
+      "jsr:@std/assert@^1.0.13",
       "jsr:@std/encoding@^1.0.10",
+      "jsr:@std/http@^1.0.18",
       "jsr:@std/path@^1.1.0",
       "jsr:@stdext/crypto@0.1"
     ]
diff --git a/models/session.ts b/models/session.ts
index b88241f..75903de 100644
--- a/models/session.ts
+++ b/models/session.ts
@@ -19,6 +19,7 @@ export const SESSIONS = new FSDB_COLLECTION<SESSION>({
 		user_id: new FSDB_INDEXER_SYMLINKS<SESSION>({
 			name: 'user_id',
 			field: 'user_id',
+			to_many: true,
 			organize: by_lurid
 		})
 	}
diff --git a/public/api/auth/index.ts b/public/api/auth/index.ts
index aa749dc..3a8743d 100644
--- a/public/api/auth/index.ts
+++ b/public/api/auth/index.ts
@@ -9,15 +9,15 @@ import { TOTP_ENTRIES } from '../../../models/totp_entry.ts';
 import { verifyTotp } from 'jsr:@stdext/crypto/totp';
 import { encodeBase64 } from 'jsr:@std/encoding/base64';
 import parse_body from '../../../utils/bodyparser.ts';
+import { SESSION_ID_TOKEN, SESSION_SECRET_TOKEN } from '../../../utils/prechecks.ts';
 
-const DEFAULT_SESSION_TIME: number = 60 * 60; // 1 Hour
+const DEFAULT_SESSION_TIME: number = 60 * 60 * 1_000; // 1 Hour
 
 // POST /api/auth - Authenticate
 export async function POST(req: Request, meta: Record<string, any>): Promise<Response> {
 	try {
 		const body = await parse_body(req);
 
-		const email: string = body.email?.toLowerCase().trim() ?? '';
 		const username: string = body.username?.toLowerCase() ?? '';
 		const password: string | undefined = body.password;
 		const password_hash: string | undefined = body.password_hash ?? (typeof password === 'string'
@@ -27,11 +27,11 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 			: undefined);
 		const totp: string | undefined = body.totp;
 
-		if ((!email.length && !username.length) || (email.length && username.length)) {
+		if (!username.length) {
 			return Response.json({
 				error: {
-					message: 'You must specify either an email or username to log in.',
-					cause: 'email_or_username_required'
+					message: 'You must specify a username to log in.',
+					cause: 'username_required'
 				}
 			}, {
 				status: 400
@@ -51,20 +51,14 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 		}
 
 		let user: USER | undefined = undefined;
-		if (email.length) {
-			user = (await USERS.find({
-				email
-			})).shift();
-		} else if (username.length) {
-			user = (await USERS.find({
-				username
-			})).shift();
-		}
+		user = (await USERS.find({
+			username
+		})).shift();
 
 		if (!user) {
 			return Response.json({
 				error: {
-					message: 'Could not locate an account with this email or username.',
+					message: `Could not locate an account with username: ${username}`,
 					cause: 'missing_account'
 				}
 			}, {
@@ -105,7 +99,7 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 				}, {
 					status: 202,
 					headers: {
-						'Set-Cookie': `checklist_observer_totp_user_id=${user.id}; Path=/; Max-Age=300`
+						'Set-Cookie': `totp_user_id=${user.id}; Path=/; Max-Age=300`
 					}
 				});
 			}
@@ -123,7 +117,7 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 			}
 		}
 
-		const session_result: SESSION_RESULT = await get_session({
+		const session_result: SESSION_RESULT = await create_new_session({
 			user,
 			expires: body.session?.expires
 		});
@@ -164,7 +158,7 @@ export type SESSION_INFO = {
 	expires: string | undefined;
 };
 
-export async function get_session(session_settings: SESSION_INFO): Promise<SESSION_RESULT> {
+export async function create_new_session(session_settings: SESSION_INFO): Promise<SESSION_RESULT> {
 	const now = new Date().toISOString();
 	const expires: string = session_settings.expires ??
 		new Date(new Date(now).valueOf() + DEFAULT_SESSION_TIME).toISOString();
@@ -183,7 +177,13 @@ export async function get_session(session_settings: SESSION_INFO): Promise<SESSI
 	await SESSIONS.create(session);
 
 	const headers = new Headers();
-	headers.append('Set-Cookie', `checklist_observer_session_id=${session.id}; Path=/; Expires=${expires}`);
+
+	headers.append('Set-Cookie', `${SESSION_ID_TOKEN}=${session.id}; Path=/; Expires=${expires}`);
+	headers.append(`x-${SESSION_ID_TOKEN}`, session.id);
+
+	// TODO: this wasn't really intended to be persisted in a cookie, but we are using it to
+	// generate the TOTP for the call to /api/users/me
+	headers.append('Set-Cookie', `${SESSION_SECRET_TOKEN}=${session.secret}; Path=/; Expires=${expires}`);
 
 	return {
 		session,
diff --git a/public/api/users/:id/index.ts b/public/api/users/:id/index.ts
index a7de0ba..0e45e93 100644
--- a/public/api/users/:id/index.ts
+++ b/public/api/users/:id/index.ts
@@ -1,19 +1,24 @@
+import { get_session, get_user, PRECHECK_TABLE, require_user } from '../../../../utils/prechecks.ts';
 import { PASSWORD_ENTRIES, PASSWORD_ENTRY } from '../../../../models/password_entry.ts';
 import { SESSIONS } from '../../../../models/session.ts';
 import { USER, USERS } from '../../../../models/user.ts';
 import { PERMISSIONS_STORE, USER_PERMISSIONS } from '../../../../models/user_permissions.ts';
 import parse_body from '../../../../utils/bodyparser.ts';
+import { CANNED_RESPONSES } from '../../../../utils/canned_responses.ts';
 
-export const PERMISSIONS: Record<string, (req: Request, meta: Record<string, any>) => Promise<boolean>> = {};
+export const PRECHECKS: PRECHECK_TABLE = {};
 
 // GET /api/users/:id - Get single user
-PERMISSIONS.GET = (_req: Request, meta: Record<string, any>): Promise<boolean> => {
+PRECHECKS.GET = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
 	const user_is_self = !!meta.user && !!meta.params && meta.user.id === meta.params.id;
 	const can_read_self = meta.user_permissions?.permissions.includes('self.read');
 	const can_read_others = meta.user_permissions?.permissions?.includes('users.read');
 
-	return can_read_others || (can_read_self && user_is_self);
-};
+	const has_permission = can_read_others || (can_read_self && user_is_self);
+	if (!has_permission) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
 export async function GET(_req: Request, meta: Record<string, any>): Promise<Response> {
 	const user_id: string = meta.params?.id?.toLowerCase().trim() ?? '';
 	const user: USER | null = user_id.length === 49 ? await USERS.get(user_id) : null; // lurid is 49 chars as we use them, eg: "also-play-flow-want-form-wide-thus-work-burn-same"
@@ -29,34 +34,22 @@ export async function GET(_req: Request, meta: Record<string, any>): Promise<Res
 		});
 	}
 
-	const user_is_self = meta.user?.id === user.id;
-	const has_permission_to_read = (user_is_self && meta.user_permissions?.permissions?.includes('self.read')) ||
-		(meta.user_permissions?.permissions?.includes('users.read'));
-
-	if (!has_permission_to_read) {
-		return Response.json({
-			error: {
-				message: 'Permission denied.',
-				cause: 'permission_denied'
-			}
-		}, {
-			status: 400
-		});
-	}
-
 	return Response.json(user, {
 		status: 200
 	});
 }
 
 // PUT /api/users/:id - Update user
-PERMISSIONS.PUT = (_req: Request, meta: Record<string, any>): Promise<boolean> => {
+PRECHECKS.PUT = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
 	const user_is_self = !!meta.user && !!meta.params && meta.user.id === meta.params.id;
 	const can_write_self = meta.user_permissions?.permissions.includes('self.write');
 	const can_write_others = meta.user_permissions?.permissions?.includes('users.write');
 
-	return can_write_others || (can_write_self && user_is_self);
-};
+	const has_permission = can_write_others || (can_write_self && user_is_self);
+	if (!has_permission) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
 export async function PUT(req: Request, meta: { params: Record<string, any> }): Promise<Response> {
 	const now = new Date().toISOString();
 	const id: string = meta.params.id ?? '';
@@ -101,13 +94,16 @@ export async function PUT(req: Request, meta: { params: Record<string, any> }):
 }
 
 // DELETE /api/users/:id - Delete user
-PERMISSIONS.DELETE = (_req: Request, meta: Record<string, any>): Promise<boolean> => {
+PRECHECKS.DELETE = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
 	const user_is_self = !!meta.user && !!meta.params && meta.user.id === meta.params.id;
 	const can_write_self = meta.user_permissions?.permissions.includes('self.write');
 	const can_write_others = meta.user_permissions?.permissions?.includes('users.write');
 
-	return can_write_others || (can_write_self && user_is_self);
-};
+	const has_permission = can_write_others || (can_write_self && user_is_self);
+	if (!has_permission) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
 export async function DELETE(_req: Request, meta: { params: Record<string, any> }): Promise<Response> {
 	const user_id: string = meta.params.id ?? '';
 
diff --git a/public/api/users/index.ts b/public/api/users/index.ts
index 68e4705..558dfe3 100644
--- a/public/api/users/index.ts
+++ b/public/api/users/index.ts
@@ -6,28 +6,27 @@ import { hash } from 'jsr:@stdext/crypto/hash';
 import lurid from 'jsr:@andyburke/lurid';
 import { encodeBase64 } from 'jsr:@std/encoding';
 import parse_body from '../../../utils/bodyparser.ts';
-import { get_session, SESSION_RESULT } from '../auth/index.ts';
+import { create_new_session, SESSION_RESULT } from '../auth/index.ts';
+import { PRECHECKS } from './me/index.ts';
+import { get_session, get_user, require_user } from '../../../utils/prechecks.ts';
+import { CANNED_RESPONSES } from '../../../utils/canned_responses.ts';
 
 // TODO: figure out a better solution for doling out permissions
 const DEFAULT_USER_PERMISSIONS: string[] = [
 	'self.read',
-	'self.write',
-	'checklists.read',
-	'checklists.write',
-	'checklists.events.read',
-	'checklists.events.write'
+	'self.write'
 ];
 
-export const PERMISSIONS: Record<string, (req: Request, meta: Record<string, any>) => Promise<boolean>> = {};
-
 // GET /api/users - get users
 // query parameters:
 //   partial_id: the partial id subset you would like to match (remember, lurids are lexigraphically sorted)
-PERMISSIONS.GET = (_req: Request, meta: Record<string, any>): Promise<boolean> => {
+PRECHECKS.GET = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
 	const can_read_others = meta.user_permissions?.permissions?.includes('users.read');
 
-	return can_read_others;
-};
+	if (!can_read_others) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
 export async function GET(_req: Request, meta: Record<string, any>): Promise<Response> {
 	const query: URLSearchParams = meta.query;
 	const partial_id: string | undefined = query.get('partial_id')?.toLowerCase().trim();
@@ -132,7 +131,7 @@ export async function POST(req: Request, meta: Record<string, any>): Promise<Res
 
 		await PERMISSIONS_STORE.create(user_permissions);
 
-		const session_result: SESSION_RESULT = await get_session({
+		const session_result: SESSION_RESULT = await create_new_session({
 			user,
 			expires: undefined
 		});
diff --git a/public/api/users/me/README.md b/public/api/users/me/README.md
new file mode 100644
index 0000000..f6352b9
--- /dev/null
+++ b/public/api/users/me/README.md
@@ -0,0 +1,7 @@
+# /api/users/me
+
+Get the current user.
+
+## GET /api/users/me
+
+Return the currently logged in user or an error.
diff --git a/public/api/users/me/index.ts b/public/api/users/me/index.ts
new file mode 100644
index 0000000..0d72973
--- /dev/null
+++ b/public/api/users/me/index.ts
@@ -0,0 +1,25 @@
+import { CANNED_RESPONSES } from '../../../../utils/canned_responses.ts';
+import { get_session, get_user, PRECHECK_TABLE, require_user } from '../../../../utils/prechecks.ts';
+
+export const PERMISSIONS: Record<string, (req: Request, meta: Record<string, any>) => Promise<boolean>> = {};
+export const PRECHECKS: PRECHECK_TABLE = {};
+
+// GET /api/users/me - Get the current user
+PRECHECKS.GET = [get_session, get_user, require_user, (_req: Request, meta: Record<string, any>): Response | undefined => {
+	const can_read_self = meta.user_permissions?.permissions.includes('self.read');
+
+	const has_permission = can_read_self;
+	console.dir({
+		meta,
+		can_read_self,
+		has_permission
+	});
+	if (!has_permission) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}];
+export function GET(_req: Request, meta: Record<string, any>): Response {
+	return Response.json(meta.user, {
+		status: 200
+	});
+}
diff --git a/public/index.html b/public/index.html
index 3342ab7..a6180cf 100644
--- a/public/index.html
+++ b/public/index.html
@@ -468,6 +468,54 @@
 				top: 8px;
 			}
 		</style>
+
+		<script>
+			/* https://github.com/turistu/totp-in-javascript/blob/main/totp.js */
+
+			async function otp_totp(key, secs = 30, digits = 6) {
+				return otp_hotp(otp_unbase32(key), otp_pack64bu(Date.now() / 1000 / secs), digits);
+			}
+			async function otp_hotp(key, counter, digits) {
+				let y = self.crypto.subtle;
+				if (!y) throw Error("no self.crypto.subtle object available");
+				let k = await y.importKey("raw", key, { name: "HMAC", hash: "SHA-1" }, false, [
+					"sign",
+				]);
+				return otp_hotp_truncate(await y.sign("HMAC", k, counter), digits);
+			}
+			function otp_hotp_truncate(buf, digits) {
+				let a = new Uint8Array(buf),
+					i = a[19] & 0xf;
+				return otp_fmt(
+					10,
+					digits,
+					(((a[i] & 0x7f) << 24) | (a[i + 1] << 16) | (a[i + 2] << 8) | a[i + 3]) %
+						10 ** digits,
+				);
+			}
+
+			function otp_fmt(base, width, num) {
+				return num.toString(base).padStart(width, "0");
+			}
+			function otp_unbase32(s) {
+				let t = (s.toLowerCase().match(/\S/g) || [])
+					.map((c) => {
+						let i = "abcdefghijklmnopqrstuvwxyz234567".indexOf(c);
+						if (i < 0) throw Error(`bad char '${c}' in key`);
+						return otp_fmt(2, 5, i);
+					})
+					.join("");
+				if (t.length < 8) throw Error("key too short");
+				return new Uint8Array(t.match(/.{8}/g).map((d) => parseInt(d, 2)));
+			}
+			function otp_pack64bu(v) {
+				let b = new ArrayBuffer(8),
+					d = new DataView(b);
+				d.setUint32(0, v / 2 ** 32);
+				d.setUint32(4, v);
+				return b;
+			}
+		</script>
 	</head>
 	<body>
 		<div id="signup-login-wall">
@@ -578,6 +626,13 @@
 								action="/api/auth"
 								onreply="(user)=>{ document.body.dataset.user = user; }"
 							>
+								<script>
+									const form = document.currentScript.closest("form");
+									form.on_response = (response) => {
+										// TODO: we should hold the session secret only in memory, not the cookie?
+										document.body.dataset.user = response.user;
+									};
+								</script>
 								<div>
 									<input
 										id="login-username"
@@ -763,6 +818,50 @@
 	</body>
 	<script>
 		document.addEventListener("DOMContentLoaded", () => {
+			/* check if we are logged in */
+			(async () => {
+				try {
+					const session_id = (document.cookie.match(
+						/^(?:.*;)?\s*session_id\s*=\s*([^;]+)(?:.*)?$/,
+					) || [, null])[1];
+
+					// TODO: this wasn't really intended to be persisted in a cookie
+					const session_secret = (document.cookie.match(
+						/^(?:.*;)?\s*session_secret\s*=\s*([^;]+)(?:.*)?$/,
+					) || [, null])[1];
+
+					if (session_id && session_secret) {
+						const session_response = await fetch("/api/users/me", {
+							method: "GET",
+							headers: {
+								Accept: "application/json",
+								"x-session_id": session_id,
+								"x-totp": await otp_totp(session_secret),
+							},
+						});
+
+						if (!session_response.ok) {
+							const error_body = await session_response.json();
+							const error = error_body?.error;
+
+							console.dir({
+								error_body,
+								error,
+							});
+							return;
+						}
+
+						const user = await session_response.json();
+						document.body.dataset.user = user;
+					}
+				} catch (error) {
+					console.dir({
+						error,
+					});
+				}
+			})();
+
+			/* make all forms semi-smart */
 			const forms = document.querySelectorAll("form");
 			for (const form of forms) {
 				const script = form.querySelector("script");
diff --git a/tests/api/users/create_user.test.ts b/tests/api/users/create_user.test.ts
new file mode 100644
index 0000000..a14f050
--- /dev/null
+++ b/tests/api/users/create_user.test.ts
@@ -0,0 +1,77 @@
+import { api, API_CLIENT } from '../../../utils/api.ts';
+import * as asserts from 'jsr:@std/assert';
+import { USER } from '../../../models/user.ts';
+import { EPHEMERAL_SERVER, get_ephemeral_listen_server, random_username } from '../../helpers.ts';
+import { Cookie, getSetCookies } from '@std/http/cookie';
+import { encodeBase64 } from '@std/encoding';
+import { generateTotp } from '@stdext/crypto/totp';
+
+Deno.test({
+	name: 'API - USERS - Create',
+	permissions: {
+		env: true,
+		read: true,
+		write: true,
+		net: true
+	},
+	fn: async () => {
+		let test_server_info: EPHEMERAL_SERVER | null = null;
+		try {
+			test_server_info = await get_ephemeral_listen_server();
+			const client: API_CLIENT = api({
+				prefix: '/api',
+				hostname: test_server_info.hostname,
+				port: test_server_info.port
+			});
+
+			const username = random_username();
+			const password = 'password';
+			const password_hash = encodeBase64(
+				await crypto.subtle.digest('SHA-256', new TextEncoder().encode(password))
+			);
+
+			let cookies: Cookie[] = [];
+
+			const user_creation_response: Record<string, any> = await client.fetch('/users', {
+				method: 'POST',
+				json: {
+					username,
+					password_hash
+				},
+				done: (response) => {
+					cookies = getSetCookies(response.headers);
+				}
+			});
+
+			asserts.assert(user_creation_response?.user);
+			asserts.assert(user_creation_response?.session);
+
+			const user: USER | undefined = user_creation_response.user;
+			const session: Record<string, any> | undefined = user_creation_response.session;
+
+			cookies.push({
+				name: 'totp',
+				value: await generateTotp(session?.secret),
+				maxAge: 30,
+				expires: Date.now() + 30_000,
+				path: '/'
+			});
+
+			const headers_for_get = new Headers();
+			for (const cookie of cookies) {
+				headers_for_get.append(`x-${cookie.name}`, cookie.value);
+			}
+			headers_for_get.append('cookie', cookies.map((cookie) => `${cookie.name}=${cookie.value}`).join('; '));
+
+			const retrieved_user: USER = await client.fetch(`/users/${user?.id}`, {
+				headers: headers_for_get
+			}) as USER;
+
+			asserts.assertObjectMatch(retrieved_user, user ?? {});
+		} finally {
+			if (test_server_info) {
+				await test_server_info?.server?.stop();
+			}
+		}
+	}
+});
diff --git a/tests/api/users/delete_user.test.ts b/tests/api/users/delete_user.test.ts
new file mode 100644
index 0000000..2066137
--- /dev/null
+++ b/tests/api/users/delete_user.test.ts
@@ -0,0 +1,84 @@
+import { api, API_CLIENT } from '../../../utils/api.ts';
+import * as asserts from '@std/assert';
+import { USER } from '../../../models/user.ts';
+import { EPHEMERAL_SERVER, get_ephemeral_listen_server, random_username } from '../../helpers.ts';
+import { Cookie, getSetCookies } from '@std/http/cookie';
+import { encodeBase64 } from '@std/encoding';
+import { generateTotp } from '@stdext/crypto/totp';
+
+Deno.test({
+	name: 'API - USERS - Delete',
+	permissions: {
+		env: true,
+		read: true,
+		write: true,
+		net: true
+	},
+	fn: async () => {
+		let test_server_info: EPHEMERAL_SERVER | null = null;
+		try {
+			test_server_info = await get_ephemeral_listen_server();
+			const client: API_CLIENT = api({
+				prefix: '/api',
+				hostname: test_server_info.hostname,
+				port: test_server_info.port
+			});
+
+			const username = random_username();
+			const password = 'password';
+			const password_hash = encodeBase64(
+				await crypto.subtle.digest('SHA-256', new TextEncoder().encode(password))
+			);
+
+			let cookies: Cookie[] = [];
+
+			const user_creation_response: Record<string, any> = await client.fetch('/users', {
+				method: 'POST',
+				json: {
+					username,
+					password_hash
+				},
+				done: (response) => {
+					cookies = getSetCookies(response.headers);
+				}
+			});
+
+			asserts.assert(user_creation_response?.user);
+			asserts.assert(user_creation_response?.session);
+
+			const user: USER | undefined = user_creation_response.user;
+			const session: Record<string, any> | undefined = user_creation_response.session;
+
+			cookies.push({
+				name: 'totp',
+				value: await generateTotp(session?.secret),
+				maxAge: 30,
+				expires: Date.now() + 30_000,
+				path: '/'
+			});
+
+			const headers_for_get = new Headers();
+			for (const cookie of cookies) {
+				headers_for_get.append(`x-${cookie.name}`, cookie.value);
+			}
+			headers_for_get.append('cookie', cookies.map((cookie) => `${cookie.name}=${cookie.value}`).join('; '));
+
+			const retrieved_user: USER = await client.fetch(`/users/${user?.id}`, {
+				headers: headers_for_get
+			}) as USER;
+
+			asserts.assertObjectMatch(retrieved_user, user ?? {});
+
+			const deleted_user_response: Record<string, any> = await client.fetch(`/users/${user?.id}`, {
+				method: 'DELETE',
+				headers: headers_for_get
+			}) as USER;
+
+			asserts.assert(deleted_user_response?.deleted);
+		} finally {
+			if (test_server_info) {
+				await test_server_info?.server?.stop();
+			}
+		}
+	}
+});
diff --git a/tests/api/users/login.test.ts b/tests/api/users/login.test.ts
new file mode 100644
index 0000000..72993a8
--- /dev/null
+++ b/tests/api/users/login.test.ts
@@ -0,0 +1,157 @@
+import { api, API_CLIENT } from '../../../utils/api.ts';
+import * as asserts from '@std/assert';
+import { USER } from '../../../models/user.ts';
+import { EPHEMERAL_SERVER, get_ephemeral_listen_server, random_username } from '../../helpers.ts';
+import { Cookie, getSetCookies } from '@std/http/cookie';
+import { encodeBase64 } from '@std/encoding';
+import { generateTotp } from '@stdext/crypto/totp';
+
+Deno.test({
+	name: 'API - USERS - Login (password)',
+	permissions: {
+		env: true,
+		read: true,
+		write: true,
+		net: true
+	},
+	fn: async () => {
+		let test_server_info: EPHEMERAL_SERVER | null = null;
+		try {
+			test_server_info = await get_ephemeral_listen_server();
+			const client: API_CLIENT = api({
+				prefix: '/api',
+				hostname: test_server_info.hostname,
+				port: test_server_info.port
+			});
+
+			const username = random_username();
+			const password = 'password';
+
+			const user_creation_response: Record<string, any> = await client.fetch('/users', {
+				method: 'POST',
+				json: {
+					username,
+					password
+				}
+			});
+
+			asserts.assert(user_creation_response?.user);
+			asserts.assert(user_creation_response?.session);
+
+			let cookies: Cookie[] = [];
+			const auth_response: any = await client.fetch('/auth', {
+				method: 'POST',
+				json: {
+					username,
+					password: 'password'
+				},
+				done: (response) => {
+					cookies = getSetCookies(response.headers);
+				}
+			});
+
+			const user: USER | undefined = auth_response.user;
+			const session: Record<string, any> | undefined = auth_response.session;
+
+			cookies.push({
+				name: 'totp',
+				value: await generateTotp(session?.secret ?? ''),
+				maxAge: 30,
+				expires: Date.now() + 30_000,
+				path: '/'
+			});
+
+			const headers_for_get = new Headers();
+			for (const cookie of cookies) {
+				headers_for_get.append(`x-${cookie.name}`, cookie.value);
+			}
+			headers_for_get.append(
+				'cookie',
+				cookies.map((cookie) => `${cookie.name}=${cookie.value}`).join('; ')
+			);
+
+			const retrieved_user: USER = await client.fetch(`/users/${user?.id}`, {
+				headers: headers_for_get
+			}) as USER;
+
+			asserts.assertObjectMatch(retrieved_user, user ?? {});
+		} finally {
+			if (test_server_info) {
+				await test_server_info?.server?.stop();
+			}
+		}
+	}
+});
+
+Deno.test({
+	name: 'API - USERS - Login (password_hash)',
+	permissions: {
+		env: true,
+		read: true,
+		write: true,
+		net: true
+	},
+	fn: async () => {
+		let test_server_info: EPHEMERAL_SERVER | null = null;
+		try {
+			test_server_info = await get_ephemeral_listen_server();
+			const client: API_CLIENT = api({
+				prefix: '/api',
+				hostname: test_server_info.hostname,
+				port: test_server_info.port
+			});
+
+			const username = random_username();
+			const password = 'hashed password!!!';
+			const password_hash = encodeBase64(
+				await crypto.subtle.digest('SHA-256', new TextEncoder().encode(password))
+			);
+
+			let cookies: Cookie[] = [];
+
+			const user_creation_response: Record<string, any> = await client.fetch('/users', {
+				method: 'POST',
+				json: {
+					username,
+					password_hash
+				},
+				done: (response) => {
+					cookies = getSetCookies(response.headers);
+				}
+			});
+
+			asserts.assert(user_creation_response?.user);
+			asserts.assert(user_creation_response?.session);
+
+			const user: USER | undefined = user_creation_response.user;
+			const session: Record<string, any> | undefined = user_creation_response.session;
+
+			cookies.push({
+				name: 'totp',
+				value: await generateTotp(session?.secret),
+				maxAge: 30,
+				expires: Date.now() + 30_000,
+				path: '/'
+			});
+
+			const headers_for_get = new Headers();
+			for (const cookie of cookies) {
+				headers_for_get.append(`x-${cookie.name}`, cookie.value);
+			}
+			headers_for_get.append(
+				'cookie',
+				cookies.map((cookie) => `${cookie.name}=${cookie.value}`).join('; ')
+			);
+
+			const retrieved_user: USER = await client.fetch(`/users/${user?.id}`, {
+				headers: headers_for_get
+			}) as USER;
+
+			asserts.assertObjectMatch(retrieved_user, user ?? {});
+		} finally {
+			if (test_server_info) {
+				await test_server_info?.server?.stop();
+			}
+		}
+	}
+});
diff --git a/tests/api/users/update_user.test.ts b/tests/api/users/update_user.test.ts
new file mode 100644
index 0000000..59dc3ba
--- /dev/null
+++ b/tests/api/users/update_user.test.ts
@@ -0,0 +1,82 @@
+import { api, API_CLIENT } from '../../../utils/api.ts';
+import * as asserts from '@std/assert';
+import { USER } from '../../../models/user.ts';
+import { EPHEMERAL_SERVER, get_ephemeral_listen_server, random_username } from '../../helpers.ts';
+import { Cookie, getSetCookies } from '@std/http/cookie';
+import { encodeBase64 } from '@std/encoding';
+import { generateTotp } from '@stdext/crypto/totp';
+
+Deno.test({
+	name: 'API - USERS - Update',
+	permissions: {
+		env: true,
+		read: true,
+		write: true,
+		net: true
+	},
+	fn: async () => {
+		let test_server_info: EPHEMERAL_SERVER | null = null;
+		try {
+			test_server_info = await get_ephemeral_listen_server();
+			const client: API_CLIENT = api({
+				prefix: '/api',
+				hostname: test_server_info.hostname,
+				port: test_server_info.port
+			});
+
+			const username = random_username();
+			const password = 'password';
+			const password_hash = encodeBase64(
+				await crypto.subtle.digest('SHA-256', new TextEncoder().encode(password))
+			);
+
+			let cookies: Cookie[] = [];
+
+			const user_creation_response: Record<string, any> = await client.fetch('/users', {
+				method: 'POST',
+				json: {
+					username,
+					password_hash
+				},
+				done: (response) => {
+					cookies = getSetCookies(response.headers);
+				}
+			});
+
+			asserts.assert(user_creation_response?.user);
+			asserts.assert(user_creation_response?.session);
+
+			const user: USER | undefined = user_creation_response.user;
+			const session: Record<string, any> | undefined = user_creation_response.session;
+
+			cookies.push({
+				name: 'totp',
+				value: await generateTotp(session?.secret),
+				maxAge: 30,
+				expires: Date.now() + 30_000,
+				path: '/'
+			});
+
+			const headers_for_put = new Headers();
+			for (const cookie of cookies) {
+				headers_for_put.append(`x-${cookie.name}`, cookie.value);
+			}
+			headers_for_put.append('cookie', cookies.map((cookie) => `${cookie.name}=${cookie.value}`).join('; '));
+
+			const updated_user: USER = await client.fetch(`/users/${user?.id}`, {
+				method: 'PUT',
+				json: {
+					username: random_username()
+				},
+				headers: headers_for_put
+			}) as USER;
+
+			asserts.assertNotEquals(user?.username ?? '', updated_user?.username ?? '');
+			asserts.assertNotEquals(user?.timestamps.updated ?? '', updated_user?.timestamps.updated ?? '');
+		} finally {
+			if (test_server_info) {
+				await test_server_info?.server?.stop();
+			}
+		}
+	}
+});
diff --git a/tests/helpers.ts b/tests/helpers.ts
new file mode 100644
index 0000000..9899760
--- /dev/null
+++ b/tests/helpers.ts
@@ -0,0 +1,96 @@
+import { SERVER, SERVER_OPTIONS } from 'jsr:@andyburke/serverus/server';
+import { convert_to_words } from 'jsr:@andyburke/lurid/word_bytes';
+
+const TLDs: string[] = [
+	'com',
+	'org',
+	'net',
+	'edu',
+	'gov',
+	'nexus',
+	'shop',
+	'unreasonablylongtldname'
+];
+
+const random_byte_buffer: Uint8Array = new Uint8Array(3);
+export function random_email_address(): string {
+	crypto.getRandomValues(random_byte_buffer);
+	const name = convert_to_words(random_byte_buffer).join('-');
+
+	crypto.getRandomValues(random_byte_buffer);
+	const domain = convert_to_words(random_byte_buffer).join('-');
+
+	const tld = TLDs[Math.floor(Math.random() * TLDs.length)];
+	return `${name}@${domain}.${tld}`;
+}
+
+export function random_username(): string {
+	crypto.getRandomValues(random_byte_buffer);
+	return convert_to_words(random_byte_buffer).join('-');
+}
+
+const BASE_PORT: number = 50_000;
+const MAX_PORT_OFFSET: number = 10_000;
+let current_port_offset = 0;
+function get_next_free_port(): number {
+	let free_port: number | undefined = undefined;
+	let attempts = 0;
+	do {
+		const port_to_try: number = BASE_PORT + (current_port_offset++ % MAX_PORT_OFFSET);
+
+		try {
+			Deno.listen({ port: port_to_try }).close();
+			free_port = port_to_try;
+		} catch (error) {
+			if (!(error instanceof Deno.errors.AddrInUse)) {
+				throw error;
+			}
+		}
+
+		++attempts;
+
+		if (attempts % MAX_PORT_OFFSET === 0) {
+			console.warn(`Tried all ports at least once while trying to locate a free one, something wrong?`);
+		}
+	} while (!free_port);
+
+	return free_port;
+}
+
+/**
+ * Interface defining the configuration for an ephemeral server
+ * @property {string} hostname - hostname bound to, default: 'localhost'
+ * @property {number} port - port bound to, default: next free port
+ * @property {SERVER} server - server instance
+ */
+export interface EPHEMERAL_SERVER {
+	hostname: string;
+	port: number;
+	server: SERVER;
+}
+
+/**
+ * Gets an ephemeral Serverus SERVER on an unused port.
+ *
+ * @param options Optional SERVER_OPTIONS
+ * @returns A LISTEN_SERVER_SETUP object with information and a reference to the server
+ */
+export async function get_ephemeral_listen_server(options?: SERVER_OPTIONS): Promise<EPHEMERAL_SERVER> {
+	const server_options = {
+		...{
+			hostname: 'localhost',
+			port: get_next_free_port()
+		},
+		...(options ?? {})
+	};
+
+	const server = new SERVER(server_options);
+
+	const ephemeral_server: EPHEMERAL_SERVER = {
+		hostname: server_options.hostname,
+		port: server_options.port,
+		server: await server.start()
+	};
+
+	return ephemeral_server;
+}
diff --git a/utils/api.ts b/utils/api.ts
new file mode 100644
index 0000000..05261e3
--- /dev/null
+++ b/utils/api.ts
@@ -0,0 +1,121 @@
+import { getSetCookies } from '@std/http/cookie';
+import { generateTotp } from '@stdext/crypto/totp';
+
+export interface API_CLIENT {
+	fetch: (url: string, options?: FETCH_OPTIONS, transform?: (obj: any) => any) => Promise<object>;
+}
+
+export type API_CONFIG = {
+	protocol: string;
+	hostname: string;
+	port: number;
+	prefix: string;
+};
+
+const DEFAULT_API_CONFIG: API_CONFIG = {
+	protocol: 'http:',
+	hostname: 'localhost',
+	port: 80,
+	prefix: ''
+};
+
+export interface RETRY_OPTIONS {
+	limit: number;
+	methods: string[];
+	status_codes: number[];
+}
+
+export interface FETCH_OPTIONS extends RequestInit {
+	retry?: RETRY_OPTIONS;
+	json?: Record<string, any>;
+	done?: (response: Response) => void;
+	session?: Record<string, any>;
+	totp_token?: string;
+}
+
+const DEFAULT_TRANSFORM = (response_json: any) => {
+	return response_json;
+};
+
+export function api(api_config?: Record<string, any>): API_CLIENT {
+	const config: API_CONFIG = {
+		...DEFAULT_API_CONFIG,
+		...(api_config ?? {})
+	};
+
+	return {
+		fetch: async (url: string, options?: FETCH_OPTIONS, transform?: (obj: any) => any) => {
+			const prefix: string = `${config.protocol}//${config.hostname}:${config.port}${config.prefix}`;
+			const retry: RETRY_OPTIONS = options?.retry ?? {
+				limit: 0,
+				methods: ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS'],
+				status_codes: [500, 502, 503, 504, 521, 522, 524]
+			};
+
+			const content_type = options?.json ? 'application/json' : 'text/plain';
+			const headers = new Headers(options?.headers ?? {});
+			headers.append('accept', 'application/json');
+			if (options?.json || options?.body) {
+				headers.append('content-type', content_type);
+			}
+			if (options?.session) {
+				const cookies = getSetCookies(headers);
+
+				cookies.push({
+					name: options.totp_token ?? 'totp',
+					value: await generateTotp(options.session.secret),
+					maxAge: 30,
+					expires: Date.now() + 30_000,
+					path: '/'
+				});
+
+				for (const cookie of cookies) {
+					headers.append(`x-${cookie.name}`, cookie.value);
+				}
+				headers.append('cookie', cookies.map((cookie) => `${cookie.name}=${cookie.value}`).join('; '));
+			}
+
+			const request_options: RequestInit = {
+				body: options?.json ? JSON.stringify(options.json, null, 2) : options?.body,
+				method: options?.method ?? 'GET',
+				credentials: options?.credentials ?? 'include',
+				redirect: options?.redirect ?? 'follow',
+				headers
+			};
+
+			const response_transform = transform ?? DEFAULT_TRANSFORM;
+
+			let retries = 0;
+			let delay = 1000;
+			const resolved_url = `${prefix}${url}`;
+			do {
+				const response: Response = await fetch(resolved_url, request_options);
+				if (
+					retries < retry.limit && retry.status_codes.includes(response.status) &&
+					retry.methods.includes(request_options.method ?? 'GET')
+				) {
+					++retries;
+					await new Promise((resolve) => setTimeout(resolve, delay));
+					delay *= 2;
+					continue;
+				}
+
+				if (response.status > 400) {
+					const error_response = await response.json();
+					throw new Error('Bad Request', {
+						cause: error_response?.cause ?? JSON.stringify(error_response)
+					});
+				}
+
+				const data = await response.json();
+				const transformed = await response_transform(data);
+
+				if (options?.done) {
+					options.done(response);
+				}
+
+				return transformed;
+			} while (retries < retry.limit);
+		}
+	};
+}
diff --git a/utils/canned_responses.ts b/utils/canned_responses.ts
new file mode 100644
index 0000000..97b567d
--- /dev/null
+++ b/utils/canned_responses.ts
@@ -0,0 +1,13 @@
+export const CANNED_RESPONSES: Record<string, () => Response> = {
+	permission_denied: (): Response => {
+		console.trace('denied');
+		return Response.json({
+			error: {
+				message: 'Permission denied.',
+				cause: 'permission_denied'
+			}
+		}, {
+			status: 400
+		});
+	}
+};
diff --git a/utils/prechecks.ts b/utils/prechecks.ts
new file mode 100644
index 0000000..5cc58c8
--- /dev/null
+++ b/utils/prechecks.ts
@@ -0,0 +1,43 @@
+import { getCookies } from 'jsr:@std/http/cookie';
+import { SESSIONS } from '../models/session.ts';
+import { verifyTotp } from 'jsr:@stdext/crypto/totp';
+import { USERS } from '../models/user.ts';
+import { PERMISSIONS_STORE } from '../models/user_permissions.ts';
+import { CANNED_RESPONSES } from './canned_responses.ts';
+
+export type PRECHECK = (req: Request, meta: Record<string, any>) => Promise<Response | undefined> | Response | undefined;
+export type PRECHECK_TABLE = Record<string, PRECHECK[]>;
+
+export const SESSION_ID_TOKEN: string = Deno.env.get('SESSION_ID_TOKEN') ?? 'session_id';
+export const SESSION_SECRET_TOKEN: string = Deno.env.get('SESSION_SECRET_TOKEN') ?? 'session_secret';
+export const TOTP_TOKEN: string = Deno.env.get('TOTP_TOKEN') ?? 'totp';
+
+export async function get_session(request: Request, meta: Record<string, any>): Promise<undefined> {
+	meta.now = meta.now ?? Date.now();
+	meta.cookies = meta.cookies ?? getCookies(request.headers);
+	meta.session_id = request.headers.get(`x-${SESSION_ID_TOKEN}`) ?? meta.cookies[SESSION_ID_TOKEN] ?? '';
+	meta.session = meta.session_id?.length ? await SESSIONS.get(meta.session_id) : null;
+	meta.valid_session = !!meta.session && meta.now < new Date(meta.session.timestamps.expires).valueOf();
+
+	meta.request_totp = request.headers.get(`x-${TOTP_TOKEN}`) ?? meta.cookies[TOTP_TOKEN] ?? '';
+	meta.valid_totp = meta.valid_session && meta.session && meta.request_totp
+		? await verifyTotp(meta.request_totp, meta.session.secret)
+		: false;
+}
+
+export async function get_user(request: Request, meta: Record<string, any>): Promise<undefined> {
+	meta.now = meta.now ?? Date.now();
+	meta.cookies = meta.cookies ?? getCookies(request.headers);
+
+	meta.user = meta.valid_totp && meta.session ? await USERS.get(meta.session.user_id) : null;
+	meta.user_permissions = meta.valid_totp && meta.session ? await PERMISSIONS_STORE.get(meta.session.user_id) : null;
+}
+
+export function require_user(
+	_request: Request,
+	meta: Record<string, any>
+): undefined | Response {
+	if (!meta.user) {
+		return CANNED_RESPONSES.permission_denied();
+	}
+}