android-sms-gateway
diff --git a/‎cmd/sms-gateway/main.go‎
Lines changed: 5 additions & 0 deletions b/‎cmd/sms-gateway/main.go‎
Lines changed: 5 additions & 0 deletions
diff --git a/‎configs/config.example.yml‎
Lines changed: 9 additions & 5 deletions b/‎configs/config.example.yml‎
Lines changed: 9 additions & 5 deletions
diff --git a/‎internal/config/config.go‎
Lines changed: 13 additions & 0 deletions b/‎internal/config/config.go‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎internal/config/module.go‎
Lines changed: 8 additions & 0 deletions b/‎internal/config/module.go‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎internal/config/types.go‎
Lines changed: 48 additions & 0 deletions b/‎internal/config/types.go‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎internal/sms-gateway/app.go‎
Lines changed: 4 additions & 0 deletions b/‎internal/sms-gateway/app.go‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎internal/sms-gateway/handlers/3rdparty.go‎
Lines changed: 45 additions & 33 deletions b/‎internal/sms-gateway/handlers/3rdparty.go‎
Lines changed: 45 additions & 33 deletions
diff --git a/‎internal/sms-gateway/handlers/devices/3rdparty.go‎
Lines changed: 8 additions & 5 deletions b/‎internal/sms-gateway/handlers/devices/3rdparty.go‎
Lines changed: 8 additions & 5 deletions
diff --git a/‎internal/sms-gateway/handlers/devices/permissions.go‎
Lines changed: 6 additions & 0 deletions b/‎internal/sms-gateway/handlers/devices/permissions.go‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎internal/sms-gateway/handlers/logs/3rdparty.go‎
Lines changed: 5 additions & 3 deletions b/‎internal/sms-gateway/handlers/logs/3rdparty.go‎
Lines changed: 5 additions & 3 deletions
@@ -10,6 +10,11 @@ import (
 //	@securitydefinitions.basic	ApiAuth
 //	@description				User authentication
 
+//  @securitydefinitions.apikey	JWTAuth
+//	@in							header
+//	@name						Authorization
+//	@description				JWT authentication
+
 //	@securitydefinitions.apikey	UserCode
 //	@in							header
 //	@name						Authorization
 
@@ -38,15 +38,19 @@ cache: # cache config
   url: memory:// # cache url (memory:// or redis://) [CACHE__URL]
 pubsub: # pubsub config
   url: memory:// # pubsub url (memory:// or redis://) [PUBSUB__URL]
+jwt:
+  secret: # jwt secret (leave empty to disable JWT functionality) [JWT__SECRET]
+  ttl: 24h # jwt ttl [JWT__TTL]
+  issuer: # jwt issuer [JWT__ISSUER]
 
 ## Worker Config ##
 
 tasks: # tasks config
   messages_hashing:
-    interval: 168h # task execution interval in hours [TASKS__MESSAGES_HASHING__INTERVAL]
+    interval: 168h # task execution interval [TASKS__MESSAGES_HASHING__INTERVAL]
   messages_cleanup:
-    interval: 24h # task execution interval in hours [TASKS__MESSAGES_CLEANUP__INTERVAL]
-    max_age: 720h # messages max age in hours [TASKS__MESSAGES_CLEANUP__MAX_AGE]
+    interval: 24h # task execution interval [TASKS__MESSAGES_CLEANUP__INTERVAL]
+    max_age: 720h # messages max age [TASKS__MESSAGES_CLEANUP__MAX_AGE]
   devices_cleanup:
-    interval: 24h # task execution interval in hours [TASKS__DEVICES_CLEANUP__INTERVAL]
-    max_age: 8760h # inactive devices max age in hours [TASKS__DEVICES_CLEANUP__MAX_AGE]
+    interval: 24h # task execution interval [TASKS__DEVICES_CLEANUP__INTERVAL]
+    max_age: 8760h # inactive devices max age [TASKS__DEVICES_CLEANUP__MAX_AGE]
@@ -1,5 +1,7 @@
 package config
 
+import "time"
+
 type GatewayMode string
 
 const (
@@ -17,6 +19,7 @@ type Config struct {
 	Messages Messages  `yaml:"messages"` // messages config
 	Cache    Cache     `yaml:"cache"`    // cache (memory or redis) config
 	PubSub   PubSub    `yaml:"pubsub"`   // pubsub (memory or redis) config
+	JWT      JWT       `yaml:"jwt"`      // jwt config
 }
 
 type Gateway struct {
@@ -85,6 +88,12 @@ type PubSub struct {
 	URL string `yaml:"url" envconfig:"PUBSUB__URL"`
 }
 
+type JWT struct {
+	Secret string   `yaml:"secret" envconfig:"JWT__SECRET"`
+	TTL    Duration `yaml:"ttl" envconfig:"JWT__TTL"`
+	Issuer string   `yaml:"issuer" envconfig:"JWT__ISSUER"`
+}
+
 var defaultConfig = Config{
 	Gateway: Gateway{Mode: GatewayModePublic},
 	HTTP: HTTP{
@@ -119,4 +128,8 @@ var defaultConfig = Config{
 	PubSub: PubSub{
 		URL: "memory://",
 	},
+	JWT: JWT{
+		TTL:    Duration(time.Hour * 24),
+		Issuer: "sms-gate.app",
+	},
 }
@@ -6,6 +6,7 @@ import (
 
 	"github.com/android-sms-gateway/server/internal/sms-gateway/cache"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/jwt"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/modules/auth"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/modules/devices"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/modules/messages"
@@ -124,4 +125,11 @@ var Module = fx.Module(
 			BufferSize: 128,
 		}
 	}),
+	fx.Provide(func(cfg Config) jwt.Config {
+		return jwt.Config{
+			Secret: cfg.JWT.Secret,
+			TTL:    time.Duration(cfg.JWT.TTL),
+			Issuer: cfg.JWT.Issuer,
+		}
+	}),
 )
@@ -0,0 +1,48 @@
+package config
+
+import (
+	"encoding"
+	"fmt"
+	"time"
+
+	"gopkg.in/yaml.v3"
+)
+
+type Duration time.Duration
+
+// Duration returns the underlying time.Duration value.
+func (d *Duration) Duration() time.Duration {
+	if d == nil {
+		return 0
+	}
+	return time.Duration(*d)
+}
+
+// String returns the string representation of the duration.
+func (d *Duration) String() string {
+	if d == nil {
+		return ""
+	}
+	return time.Duration(*d).String()
+}
+
+func (d *Duration) UnmarshalText(text []byte) error {
+	t, err := time.ParseDuration(string(text))
+	if err != nil {
+		return fmt.Errorf("can't parse duration: %w", err)
+	}
+	*d = Duration(t)
+	return nil
+}
+
+func (d *Duration) UnmarshalYAML(value *yaml.Node) error {
+	var s string
+	if err := value.Decode(&s); err != nil {
+		return fmt.Errorf("can't unmarshal duration: %w", err)
+	}
+
+	return d.UnmarshalText([]byte(s))
+}
+
+var _ yaml.Unmarshaler = (*Duration)(nil)
+var _ encoding.TextUnmarshaler = (*Duration)(nil)
@@ -7,6 +7,7 @@ import (
 	appconfig "github.com/android-sms-gateway/server/internal/config"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/cache"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/jwt"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/modules/auth"
 	appdb "github.com/android-sms-gateway/server/internal/sms-gateway/modules/db"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/modules/devices"
@@ -20,6 +21,7 @@ import (
 	"github.com/android-sms-gateway/server/internal/sms-gateway/online"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/openapi"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/pubsub"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/users"
 	"github.com/android-sms-gateway/server/pkg/health"
 	"github.com/capcom6/go-infra-fx/cli"
 	"github.com/capcom6/go-infra-fx/db"
@@ -39,6 +41,7 @@ var Module = fx.Module(
 	validator.Module,
 	openapi.Module(),
 	handlers.Module,
+	users.Module(),
 	auth.Module,
 	push.Module(),
 	db.Module,
@@ -53,6 +56,7 @@ var Module = fx.Module(
 	metrics.Module,
 	sse.Module,
 	online.Module(),
+	jwt.Module(),
 )
 
 func Run() {
 
@@ -5,43 +5,65 @@ import (
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/devices"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/logs"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/messages"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/middlewares/jwtauth"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/middlewares/userauth"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/settings"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/thirdparty"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/webhooks"
-	"github.com/android-sms-gateway/server/internal/sms-gateway/modules/auth"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/jwt"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/users"
 	"github.com/go-playground/validator/v10"
 	"github.com/gofiber/fiber/v2"
-	"go.uber.org/fx"
 	"go.uber.org/zap"
 )
 
-type ThirdPartyHandlerParams struct {
-	fx.In
-
-	HealthHandler   *HealthHandler
-	MessagesHandler *messages.ThirdPartyController
-	WebhooksHandler *webhooks.ThirdPartyController
-	DevicesHandler  *devices.ThirdPartyController
-	SettingsHandler *settings.ThirdPartyController
-	LogsHandler     *logs.ThirdPartyController
-
-	AuthSvc *auth.Service
-
-	Logger    *zap.Logger
-	Validator *validator.Validate
-}
-
 type thirdPartyHandler struct {
 	base.Handler
 
+	usersSvc *users.Service
+	jwtSvc   jwt.Service
+
 	healthHandler   *HealthHandler
 	messagesHandler *messages.ThirdPartyController
 	webhooksHandler *webhooks.ThirdPartyController
 	devicesHandler  *devices.ThirdPartyController
 	settingsHandler *settings.ThirdPartyController
 	logsHandler     *logs.ThirdPartyController
+	authHandler     *thirdparty.AuthHandler
+}
 
-	authSvc *auth.Service
+func newThirdPartyHandler(
+	usersSvc *users.Service,
+	jwtService jwt.Service,
+
+	healthHandler *HealthHandler,
+	messagesHandler *messages.ThirdPartyController,
+	webhooksHandler *webhooks.ThirdPartyController,
+	devicesHandler *devices.ThirdPartyController,
+	settingsHandler *settings.ThirdPartyController,
+	logsHandler *logs.ThirdPartyController,
+	authHandler *thirdparty.AuthHandler,
+
+	logger *zap.Logger,
+	validator *validator.Validate,
+) *thirdPartyHandler {
+	return &thirdPartyHandler{
+		Handler: base.Handler{
+			Logger:    logger,
+			Validator: validator,
+		},
+
+		usersSvc: usersSvc,
+		jwtSvc:   jwtService,
+
+		healthHandler:   healthHandler,
+		messagesHandler: messagesHandler,
+		webhooksHandler: webhooksHandler,
+		devicesHandler:  devicesHandler,
+		settingsHandler: settingsHandler,
+		logsHandler:     logsHandler,
+		authHandler:     authHandler,
+	}
 }
 
 func (h *thirdPartyHandler) Register(router fiber.Router) {
@@ -50,10 +72,13 @@ func (h *thirdPartyHandler) Register(router fiber.Router) {
 	h.healthHandler.Register(router)
 
 	router.Use(
-		userauth.NewBasic(h.authSvc),
+		userauth.NewBasic(h.usersSvc),
+		jwtauth.NewJWT(h.jwtSvc, h.usersSvc),
 		userauth.UserRequired(),
 	)
 
+	h.authHandler.Register(router.Group("/auth"))
+
 	h.messagesHandler.Register(router.Group("/message")) // TODO: remove after 2025-12-31
 	h.messagesHandler.Register(router.Group("/messages"))
 
@@ -66,16 +91,3 @@ func (h *thirdPartyHandler) Register(router fiber.Router) {
 
 	h.logsHandler.Register(router.Group("/logs"))
 }
-
-func newThirdPartyHandler(params ThirdPartyHandlerParams) *thirdPartyHandler {
-	return &thirdPartyHandler{
-		Handler:         base.Handler{Logger: params.Logger.Named("ThirdPartyHandler"), Validator: params.Validator},
-		healthHandler:   params.HealthHandler,
-		messagesHandler: params.MessagesHandler,
-		webhooksHandler: params.WebhooksHandler,
-		devicesHandler:  params.DevicesHandler,
-		settingsHandler: params.SettingsHandler,
-		logsHandler:     params.LogsHandler,
-		authSvc:         params.AuthSvc,
-	}
-}
 
@@ -6,9 +6,10 @@ import (
 
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/base"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/converters"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/middlewares/permissions"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/middlewares/userauth"
-	"github.com/android-sms-gateway/server/internal/sms-gateway/models"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/modules/devices"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/users"
 	"github.com/capcom6/go-helpers/slices"
 	"github.com/gofiber/fiber/v2"
 	"go.uber.org/fx"
@@ -32,6 +33,7 @@ type ThirdPartyController struct {
 //	@Summary		List devices
 //	@Description	Returns list of registered devices
 //	@Security		ApiAuth
+//	@Security		JWTAuth
 //	@Tags			User, Devices
 //	@Produce		json
 //	@Success		200	{object}	[]smsgateway.Device			"Device list"
@@ -41,7 +43,7 @@ type ThirdPartyController struct {
 //	@Router			/3rdparty/v1/devices [get]
 //
 // List devices
-func (h *ThirdPartyController) get(user models.User, c *fiber.Ctx) error {
+func (h *ThirdPartyController) get(user users.User, c *fiber.Ctx) error {
 	devices, err := h.devicesSvc.Select(user.ID)
 	if err != nil {
 		return fmt.Errorf("can't select devices: %w", err)
@@ -55,6 +57,7 @@ func (h *ThirdPartyController) get(user models.User, c *fiber.Ctx) error {
 //	@Summary		Remove device
 //	@Description	Removes device
 //	@Security		ApiAuth
+//	@Security		JWTAuth
 //	@Tags			User, Devices
 //	@Produce		json
 //	@Param			id	path	string	true	"Device ID"
@@ -66,7 +69,7 @@ func (h *ThirdPartyController) get(user models.User, c *fiber.Ctx) error {
 //	@Router			/3rdparty/v1/devices/{id} [delete]
 //
 // Remove device
-func (h *ThirdPartyController) remove(user models.User, c *fiber.Ctx) error {
+func (h *ThirdPartyController) remove(user users.User, c *fiber.Ctx) error {
 	id := c.Params("id")
 
 	err := h.devicesSvc.Remove(user.ID, devices.WithID(id))
@@ -81,8 +84,8 @@ func (h *ThirdPartyController) remove(user models.User, c *fiber.Ctx) error {
 }
 
 func (h *ThirdPartyController) Register(router fiber.Router) {
-	router.Get("", userauth.WithUser(h.get))
-	router.Delete(":id", userauth.WithUser(h.remove))
+	router.Get("", permissions.RequireScope(ScopeList), userauth.WithUser(h.get))
+	router.Delete(":id", permissions.RequireScope(ScopeDelete), userauth.WithUser(h.remove))
 }
 
 func NewThirdPartyController(params thirdPartyControllerParams) *ThirdPartyController {
 
@@ -0,0 +1,6 @@
+package devices
+
+const (
+	ScopeList   = "devices:list"
+	ScopeDelete = "devices:delete"
+)
@@ -2,8 +2,9 @@ package logs
 
 import (
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/base"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/middlewares/permissions"
 	"github.com/android-sms-gateway/server/internal/sms-gateway/handlers/middlewares/userauth"
-	"github.com/android-sms-gateway/server/internal/sms-gateway/models"
+	"github.com/android-sms-gateway/server/internal/sms-gateway/users"
 	"github.com/go-playground/validator/v10"
 	"github.com/gofiber/fiber/v2"
 	"go.uber.org/fx"
@@ -24,6 +25,7 @@ type ThirdPartyController struct {
 //	@Summary		Get logs
 //	@Description	Retrieve a list of log entries within a specified time range.
 //	@Security		ApiAuth
+//	@Security		JWTAuth
 //	@Tags			System, Logs
 //	@Produce		json
 //	@Param			from	query		string						false	"The start of the time range for the logs to retrieve. Logs created after this timestamp will be included."	Format(date-time)
@@ -35,12 +37,12 @@ type ThirdPartyController struct {
 //	@Router			/3rdparty/v1/logs [get]
 //
 // List webhooks
-func (h *ThirdPartyController) get(user models.User, c *fiber.Ctx) error {
+func (h *ThirdPartyController) get(user users.User, c *fiber.Ctx) error {
 	return fiber.NewError(fiber.StatusNotImplemented, "For privacy reasons, device's logs are not accessible through Cloud server")
 }
 
 func (h *ThirdPartyController) Register(router fiber.Router) {
-	router.Get("", userauth.WithUser(h.get))
+	router.Get("", permissions.RequireScope(ScopeRead), userauth.WithUser(h.get))
 }
 
 func NewThirdPartyController(params thirdPartyControllerParams) *ThirdPartyController {