Fix trailing whitespace

Reviewed-on: #9

.github/workflows/test.yml

@@ -67,6 +67,34 @@ jobs:
       - name: Check code formatting
         run: cargo fmt --all -- --check
 
+  lint-frontend:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 10
+          run_install: false
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: 'pnpm'
+          cache-dependency-path: apps/frontend/pnpm-lock.yaml
+
+      - name: Install frontend dependencies
+        run: |
+          cd apps/frontend
+          pnpm install
+      
+      - name: Run frontend linter
+        run: |
+          cd apps/frontend
+          pnpm lint
+
   test-frontend:
     runs-on: ubuntu-latest
     steps:

.vscode/settings.json

@@ -1,3 +1,12 @@
 {
-  "cSpell.words": ["YANPM"]
+  "cSpell.words": ["chrono", "jsonwebtoken", "oneshot", "utoipa", "YANPM"],
+  "sqltools.useNodeRuntime": true,
+  "sqltools.connections": [
+    {
+      "previewLimit": 50,
+      "driver": "SQLite",
+      "database": "${workspaceFolder:yet-another-nginx-proxy-manager}/apps/container/generated/sqlite/sqlite.db",
+      "name": "YANPM"
+    }
+  ]
 }

Cargo.lock

@@ -224,6 +224,28 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "axum-extra"
+version = "0.12.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dbfe9f610fe4e99cf0cfcd03ccf8c63c28c616fe714d80475ef731f3b13dd21b"
+dependencies = [
+ "axum",
+ "axum-core",
+ "bytes",
+ "cookie",
+ "futures-core",
+ "futures-util",
+ "http",
+ "http-body",
+ "http-body-util",
+ "mime",
+ "pin-project-lite",
+ "tower-layer",
+ "tower-service",
+ "tracing",
+]
+
 [[package]]
 name = "axum-macros"
 version = "0.5.0"
@@ -607,6 +629,17 @@ dependencies = [
  "unicode-segmentation",
 ]
 
+[[package]]
+name = "cookie"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747"
+dependencies = [
+ "percent-encoding",
+ "time",
+ "version_check",
+]
+
 [[package]]
 name = "core-foundation"
 version = "0.9.4"
@@ -3942,6 +3975,20 @@ dependencies = [
  "tracing",
 ]
 
+[[package]]
+name = "tower-http"
+version = "0.6.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
+dependencies = [
+ "bitflags 2.10.0",
+ "bytes",
+ "http",
+ "pin-project-lite",
+ "tower-layer",
+ "tower-service",
+]
+
 [[package]]
 name = "tower-layer"
 version = "0.3.3"
@@ -4665,6 +4712,7 @@ dependencies = [
  "argon2",
  "async-trait",
  "axum",
+ "axum-extra",
  "chrono",
  "clap",
  "config",
@@ -4679,6 +4727,7 @@ dependencies = [
  "serde_json",
  "tokio",
  "tower",
+ "tower-http",
  "tracing",
  "tracing-subscriber",
  "utoipa",

apps/api/Cargo.toml

@@ -7,7 +7,8 @@ edition = "2024"
 database = { path = "../../public/database" }
 migration = { path = "../../public/migration" }
 
-axum = { version = "0.8.7", features = ["form", "http1", "http2", "json", "matched-path", "original-uri", "query", "tokio", "tower-log", "tracing", "macros"]}
+axum = { version = "0.8.7", features = ["form", "http1", "http2", "json", "matched-path", "original-uri", "query", "tokio", "tower-log", "tracing", "macros"] }
+axum-extra = { version = "0.12.2", features = ["cookie"] }
 async-trait = { version = "0.1.89" }
 chrono = { version = "0.4.42", features = ["clock", "std", "oldtime", "wasmbind", "serde"] }
 config = { version = "0.15.19", features = ["toml", "json", "yaml", "ini", "ron", "json5", "convert-case", "async"] }
@@ -26,3 +27,5 @@ once_cell = { version = "1.21.3" }
 argon2 = { version = "0.5.3", features = ["std"] }
 jsonwebtoken = { version = "10.2.0", features = ["rust_crypto"] }
 uuid = { version = "1.19.0", features = ["v4", "serde", "fast-rng"] }
+tower-http = { version = "0.6.8", features = ["cors"] }
+

apps/api/src/cmd/start_server.rs

@@ -13,7 +13,11 @@ use crate::{
     log,
     routes::{self, AppService, AppState},
     services::{
-        auth::{authentication::AuthenticationServiceImpl, user::UserServiceImpl},
+        auth::{
+            authentication::{AuthenticationServiceImpl, strategies::password::PasswordStrategy},
+            user::UserServiceImpl,
+        },
+        server_state::ServerStateService,
         settings::SettingsService,
     },
     tasks,
@@ -84,7 +88,23 @@ pub async fn start_server() {
 
     // build the axum app and run the server...
     info!("Starting application...");
-    let app: Router = routes::get_root_router(Arc::new(get_app_state(&db_connection, &settings)));
+    let mut app: Router = routes::get_root_router(
+        Arc::new(get_app_state(&db_connection, &settings)),
+        Arc::new(settings.server.cors.clone()),
+    );
+
+    if settings.server.serve_openapi {
+        info!("Enabling OpenAPI documentation endpoint at /openapi.json");
+        app = app.route(
+            "/openapi.json",
+            axum::routing::get(|| async {
+                use utoipa::OpenApi;
+                let doc = routes::ApiDoc::openapi();
+                doc.to_pretty_json()
+                    .expect("Failed to serialize OpenAPI doc to JSON")
+            }),
+        );
+    }
 
     let address = format!("{}:{}", settings.server.address, settings.server.port);
     info!("Starting server at http://{}", address);
@@ -127,11 +147,18 @@ fn get_app_state(
 ) -> AppState {
     AppState {
         database_connection: db_connection.clone(),
+        config: Arc::new(settings.clone()),
         service: Arc::new(AppService {
+            server_state: Arc::new(ServerStateService::new(db_connection.clone())),
             settings: Arc::new(SettingsService::new(db_connection.clone())),
-            authentication: Arc::new(AuthenticationServiceImpl::new(
+            auth_state: routes::AuthState {
-                settings.auth.jwt_secret.clone(),
+                strategy: routes::AuthStrategy {
-            )),
+                    password: Arc::new(PasswordStrategy::new(db_connection.clone())),
+                },
+                authentication: Arc::new(AuthenticationServiceImpl::new(
+                    settings.auth.jwt_secret.clone(),
+                )),
+            },
             user: Arc::new(UserServiceImpl::new(db_connection.clone())),
         }),
     }

apps/api/src/configs.rs

@@ -11,6 +11,8 @@ use tracing::{debug, error};
 pub trait FromConfig: Sized {
     fn from_config(config: &Config) -> Result<Self, String>;
     fn validate(&self) -> Result<(), String>;
+    #[cfg(test)]
+    fn mock() -> Self;
 }
 
 #[derive(Debug, Clone)]
@@ -40,6 +42,16 @@ impl FromConfig for ProgramSettings {
         self.auth.validate()?;
         Ok(())
     }
+
+    #[cfg(test)]
+    fn mock() -> Self {
+        ProgramSettings {
+            logging: logging::LoggingSettings::mock(),
+            database: database::DatabaseSettings::mock(),
+            server: server::ServerSettings::mock(),
+            auth: auth::AuthSettings::mock(),
+        }
+    }
 }
 
 pub fn get_program_settings() -> ProgramSettings {

apps/api/src/configs/auth.rs

@@ -48,4 +48,13 @@ impl FromConfig for AuthSettings {
     fn validate(&self) -> Result<(), String> {
         Ok(())
     }
+
+    #[cfg(test)]
+    fn mock() -> Self {
+        AuthSettings {
+            jwt_secret: Some("mock_jwt_secret".to_string()),
+            default_admin_username: Some("admin".to_string()),
+            default_admin_password: Some("password".to_string()),
+        }
+    }
 }

apps/api/src/configs/database.rs

@@ -50,4 +50,13 @@ impl FromConfig for DatabaseSettings {
     fn validate(&self) -> Result<(), String> {
         Ok(())
     }
+
+    #[cfg(test)]
+    fn mock() -> Self {
+        DatabaseSettings {
+            url: "sqlite::memory:".to_string(),
+            max_connections: 5,
+            migrate_on_startup: true,
+        }
+    }
 }

apps/api/src/configs/key.rs

@@ -3,6 +3,9 @@ pub(crate) const LOGGING_UTC_KEY: &str = "LOGGING.UTC";
 //
 pub(crate) const SERVER_ADDRESS_KEY: &str = "SERVER.ADDRESS";
 pub(crate) const SERVER_PORT_KEY: &str = "SERVER.PORT";
+pub(crate) const SERVER_SERVE_OPENAPI_KEY: &str = "SERVER.SERVE_OPENAPI";
+pub(crate) const SERVER_CORS_ALLOWED_ORIGINS_KEY: &str = "SERVER.CORS.ALLOWED_ORIGINS";
+pub(crate) const SERVER_COOKIES_SECURE_KEY: &str = "SERVER.COOKIES.SECURE";
 //
 pub(crate) const DATABASE_URL_KEY: &str = "DATABASE.URL";
 pub(crate) const DATABASE_MAX_CONNECTIONS_KEY: &str = "DATABASE.MAX_CONNECTIONS";

apps/api/src/configs/logging.rs

@@ -49,4 +49,12 @@ impl FromConfig for LoggingSettings {
     fn validate(&self) -> Result<(), String> {
         Ok(())
     }
+
+    #[cfg(test)]
+    fn mock() -> Self {
+        LoggingSettings {
+            level: Level::INFO,
+            utc: false,
+        }
+    }
 }

apps/api/src/configs/server.rs

@@ -3,6 +3,10 @@ use std::net::IpAddr;
 use config::{Config, ConfigError};
 use tracing::warn;
 
+use crate::configs::key::{
+    SERVER_COOKIES_SECURE_KEY, SERVER_CORS_ALLOWED_ORIGINS_KEY, SERVER_SERVE_OPENAPI_KEY,
+};
+
 use super::{
     FromConfig,
     key::{SERVER_ADDRESS_KEY, SERVER_PORT_KEY},
@@ -12,6 +16,19 @@ use super::{
 pub struct ServerSettings {
     pub address: IpAddr,
     pub port: u16,
+    pub serve_openapi: bool,
+    pub cors: CORSSettings,
+    pub cookies: CookiesSettings,
+}
+
+#[derive(Debug, Clone)]
+pub struct CORSSettings {
+    pub allowed_origins: Vec<String>,
+}
+
+#[derive(Debug, Clone)]
+pub struct CookiesSettings {
+    pub secure: bool,
 }
 
 impl FromConfig for ServerSettings {
@@ -43,6 +60,53 @@ impl FromConfig for ServerSettings {
                 );
                 DEFAULT_PORT
             }) as u16,
+
+            serve_openapi: _config
+                .get_bool(SERVER_SERVE_OPENAPI_KEY)
+                .unwrap_or_else(|err| {
+                    const DEFAULT_SERVE_OPENAPI: bool = false;
+                    warn!(
+                        "{} not set or invalid in configuration, defaulting to {}. Error: {}",
+                        SERVER_SERVE_OPENAPI_KEY, DEFAULT_SERVE_OPENAPI, err
+                    );
+                    DEFAULT_SERVE_OPENAPI
+                }),
+
+            cors: CORSSettings {
+                allowed_origins: _config
+                    .get_array(SERVER_CORS_ALLOWED_ORIGINS_KEY)
+                    .unwrap_or_else(|_| vec![])
+                    .into_iter()
+                    .filter_map(|val| match val.into_string() {
+                        Ok(s) => Some(s),
+                        Err(e) => {
+                            warn!(
+                                "Invalid origin in {} configuration: {}",
+                                SERVER_CORS_ALLOWED_ORIGINS_KEY, e
+                            );
+                            None
+                        }
+                    })
+                    .collect(),
+            },
+
+            cookies: CookiesSettings {
+                secure: _config
+                    .get_bool(SERVER_COOKIES_SECURE_KEY)
+                    .inspect(|is_secure| {
+                        if !*is_secure {
+                            warn!("Cookie 'secure' flag is disabled; this is not recommended in production environments.");
+                        }
+                    })
+                    .unwrap_or_else(|err| {
+                        const DEFAULT_COOKIES_SECURE: bool = true;
+                        warn!(
+                            "{} not set or invalid in configuration, defaulting to {}. Error: {}",
+                            SERVER_COOKIES_SECURE_KEY, DEFAULT_COOKIES_SECURE, err
+                        );
+                        DEFAULT_COOKIES_SECURE
+                    }),
+            },
         })
     }
 
@@ -53,4 +117,17 @@ impl FromConfig for ServerSettings {
         }
         Ok(())
     }
+
+    #[cfg(test)]
+    fn mock() -> Self {
+        ServerSettings {
+            address: "0.0.0.0".parse().unwrap(),
+            port: 8080,
+            serve_openapi: false,
+            cors: CORSSettings {
+                allowed_origins: vec![],
+            },
+            cookies: CookiesSettings { secure: true },
+        }
+    }
 }

apps/api/src/helpers/constants.rs

@@ -1 +1,3 @@
 pub const ADMIN_INIT_SECRET_KEY: &str = "admin_init_secret";
+//
+pub const JWT_COOKIE_NAME: &str = "session_jwt";

apps/api/src/main.rs

@@ -1,3 +1,5 @@
+#![forbid(unsafe_code)]
+
 mod cmd;
 mod configs;
 mod errors;

apps/api/src/middlewares.rs

@@ -1,25 +1,60 @@
+pub mod request_info;
+pub mod require_auth;
+
+use std::{sync::Arc, time::Duration};
+
 use axum::{
     BoxError, Router,
     error_handling::HandleErrorLayer,
-    http::{Method, StatusCode, Uri},
+    http::{HeaderValue, Method, StatusCode, Uri},
 };
-use std::time::Duration;
 use tower::{ServiceBuilder, timeout::TimeoutLayer};
-
+use tower_http::cors::{AllowHeaders, AllowOrigin, CorsLayer};
 use tracing::warn;
 
+use crate::{configs::server::CORSSettings, routes::AppState};
+
 pub const TIMEOUT_DURATION_SECS: u64 = 30;
 
-pub fn apply_root_middleware(router: Router) -> Router {
+pub fn apply_root_middleware(
+    router: Router,
+    _state: Arc<AppState>,
+    cors_settings: Arc<CORSSettings>,
+) -> Router {
     let timeout_layer = TimeoutLayer::new(Duration::from_secs(TIMEOUT_DURATION_SECS));
 
     let service_builder = ServiceBuilder::new()
         .layer(HandleErrorLayer::new(handle_timeout_error))
-        .layer(timeout_layer);
+        .layer(timeout_layer)
+        .layer(get_cors_layer(cors_settings));
 
     router.layer(service_builder)
 }
 
+pub fn get_cors_layer(cors_settings: Arc<CORSSettings>) -> CorsLayer {
+    let mut cors_layer = CorsLayer::new()
+        .allow_credentials(true)
+        .allow_headers(AllowHeaders::mirror_request());
+
+    let allowed_origins = &cors_settings.allowed_origins;
+    if allowed_origins.contains(&"*".to_string()) {
+        cors_layer = cors_layer.allow_origin(AllowOrigin::mirror_request());
+        warn!(
+            "Wildcard origin is found in allowed origins. CORS is configured to allow requests from any origin. Only use this setting in development or if you understand the security implications."
+        );
+    } else {
+        for origin in allowed_origins {
+            if let Ok(header_value) = HeaderValue::from_str(origin) {
+                cors_layer = cors_layer.allow_origin(AllowOrigin::exact(header_value));
+            } else {
+                warn!("Invalid CORS origin: {}", origin);
+            }
+        }
+    }
+
+    cors_layer
+}
+
 pub async fn handle_timeout_error(
     method: Method,
     uri: Uri,

apps/api/src/middlewares/request_info.rs

@@ -0,0 +1,6 @@
+use uuid::Uuid;
+
+#[derive(Clone, Debug)]
+pub struct RequestInfo {
+    pub user_id: Option<Uuid>,
+}

apps/api/src/middlewares/require_auth.rs

@@ -0,0 +1,70 @@
+use std::sync::Arc;
+
+use axum::{
+    extract::State,
+    http::{Request, StatusCode},
+    middleware::Next,
+    response::Response,
+};
+use axum_extra::extract::cookie::CookieJar;
+use tracing::debug;
+use uuid::Uuid;
+
+use crate::{
+    errors::service_error::ServiceError, helpers::constants::JWT_COOKIE_NAME,
+    middlewares::request_info::RequestInfo, routes::AppState,
+};
+
+pub async fn require_auth(
+    cookies: CookieJar,
+    State(state): State<Arc<AppState>>,
+    req: Request<axum::body::Body>,
+    next: Next,
+) -> Result<Response, StatusCode> {
+    // get jwt from cookies
+    let auth_service = &state.service.auth_state.authentication;
+    let token = if let Some(cookie) = cookies.get(JWT_COOKIE_NAME) {
+        cookie.value().to_string()
+    } else {
+        debug!("No JWT cookie found. cookies: {:?}", cookies);
+        return handle_unauthenticated().await;
+    };
+
+    // validate jwt
+    let is_valid = auth_service.is_valid_jwt(&token, None).await;
+    let user_id = match is_valid {
+        Ok(Some(claims)) => claims
+            .sub
+            .parse::<Uuid>()
+            .map_err(|_| StatusCode::UNAUTHORIZED)?,
+        Ok(None) => return handle_unauthenticated().await,
+        Err(err) => {
+            tracing::error!("Error validating JWT: {}", err);
+            return Err(StatusCode::INTERNAL_SERVER_ERROR);
+        }
+    };
+
+    // ensure user exists
+    if let Err(err) = state.service.user.get_user_by_id(user_id, None).await {
+        match err {
+            ServiceError::NotFound(_) => return handle_unauthenticated().await,
+            _ => {
+                tracing::error!("Error fetching user by ID: {}", err);
+                return Err(StatusCode::INTERNAL_SERVER_ERROR);
+            }
+        }
+    }
+
+    let mut req = req;
+    let user = req
+        .extensions_mut()
+        .get_or_insert_with(|| RequestInfo { user_id: None });
+    user.user_id = Some(user_id);
+
+    Ok(next.run(req).await)
+}
+
+async fn handle_unauthenticated() -> Result<Response, StatusCode> {
+    // TODO: log unauthenticated access attempts
+    Err(StatusCode::UNAUTHORIZED)
+}

apps/api/src/routes.rs

@@ -9,44 +9,57 @@ use axum::{Extension, Router};
 use migration::sea_orm::DatabaseConnection;
 
 use crate::{
+    configs::{ProgramSettings, server::CORSSettings},
     middlewares,
     services::{
-        auth::{authentication::AuthenticationService, user::UserService},
+        auth::{
+            authentication::{AuthenticationService, strategies::password::PasswordStrategy},
+            user::UserService,
+        },
+        server_state::ServerStateStore,
         settings::SettingsStore,
     },
 };
 
 #[derive(Clone)]
 pub struct AppState {
-    // TODO: remove dead_code allowances when fields are used
-    #[allow(dead_code)]
     pub database_connection: Arc<DatabaseConnection>,
-    // TODO: remove dead_code allowances when fields are used
-    #[allow(dead_code)]
     pub service: Arc<AppService>,
+    pub config: Arc<ProgramSettings>,
 }
 
 pub type ServiceState<T> = Arc<T>;
 
-pub struct AppService {
+pub struct AuthStrategy {
-    #[allow(dead_code)] // TODO: remove when used
+    pub password: ServiceState<PasswordStrategy>,
-    pub settings: ServiceState<dyn SettingsStore>,
-    #[allow(dead_code)] // TODO: remove when used
-    pub authentication: ServiceState<dyn AuthenticationService>,
-    #[allow(dead_code)] // TODO: remove when used
-    pub user: ServiceState<dyn UserService>,
 }
 
-pub fn get_root_router(state: impl Into<Arc<AppState>>) -> Router {
+pub struct AuthState {
+    pub strategy: AuthStrategy,
+    pub authentication: ServiceState<dyn AuthenticationService>,
+}
+
+pub struct AppService {
+    pub settings: ServiceState<dyn SettingsStore>,
+    pub auth_state: AuthState,
+    pub user: ServiceState<dyn UserService>,
+    pub server_state: ServiceState<dyn ServerStateStore>,
+}
+
+pub fn get_root_router(
+    state: impl Into<Arc<AppState>>,
+    cors_settings: Arc<CORSSettings>,
+) -> Router {
     let mut router = Router::new();
+    let state = state.into();
 
     router = router
-        .nest("/api", api::get_api_router())
+        .nest("/api", api::get_api_router(state.clone()))
         .merge(view::get_view_router());
 
-    router = middlewares::apply_root_middleware(router);
+    router = middlewares::apply_root_middleware(router, state.clone(), cors_settings);
 
-    router = router.layer(Extension(state.into()));
+    router = router.layer(Extension(state.clone()));
 
     router
 }

apps/api/src/routes/api.rs

@@ -1,13 +1,21 @@
+mod auth;
 mod health;
 mod openapi;
+mod restricted;
+
+use std::sync::Arc;
+
+use crate::routes::AppState;
 
 pub use self::openapi::ApiDoc;
 
 use axum::{Router, response::IntoResponse, routing::any};
 
-pub fn get_api_router() -> Router {
+pub fn get_api_router(state: Arc<AppState>) -> Router {
     Router::new()
-        .nest("/health", health::get_health_router())
+        .nest("/health", health::get_health_router(state.clone()))
+        .merge(auth::get_basic_auth_router(state.clone()))
+        .merge(restricted::get_restricted_router(state.clone()))
         // explicit fallback for unmatched API routes
         .route("/{*wildcard}", any(api_fallback_handler))
 }

apps/api/src/routes/api/auth.rs

@@ -0,0 +1,15 @@
+pub mod init_admin;
+pub mod login;
+
+use std::sync::Arc;
+
+use axum::{Router, routing::post};
+
+use crate::routes::AppState;
+
+pub fn get_basic_auth_router(state: Arc<AppState>) -> Router {
+    Router::new()
+        .route("/auth/login", post(login::login))
+        .route("/auth/init_admin", post(init_admin::init_admin))
+        .with_state(state)
+}

apps/api/src/routes/api/auth/init_admin.rs

@@ -0,0 +1,143 @@
+use std::sync::Arc;
+
+use axum::{
+    Json,
+    extract::State,
+    http::StatusCode,
+    response::{IntoResponse, Response},
+};
+use database::generated::entities::user;
+use sea_orm::{ColumnTrait, EntityTrait, QueryFilter, TransactionTrait};
+use serde::{Deserialize, Serialize};
+use serde_json::{Value, from_value};
+use tracing::{debug, error, info, warn};
+
+use crate::{
+    helpers::constants::ADMIN_INIT_SECRET_KEY,
+    routes::{AppState, api::openapi::tag::AUTH_TAG},
+    services::auth::user::NewUser,
+};
+
+/// Login request payload
+#[derive(Serialize, Deserialize, utoipa::ToSchema)]
+pub struct AdminInitRequest {
+    username: String,
+    password: String,
+    // The secret key required to initialize the admin user
+    setup_secret: String,
+}
+
+/// Initializes the admin user
+///
+/// Initializes the admin user if no admin user exists and the correct setup secret is provided.
+#[utoipa::path(
+        post,
+        path = "/api/auth/init_admin",
+        request_body = AdminInitRequest,
+        responses(
+            (status = 200, description = "Admin user initialized successfully"),
+            (status = 400, description = "Invalid request payload"),
+            (status = 401, description = "Unauthorized: Admin user already exists or invalid setup secret"),
+            (status = 500, description = "Internal server error"),
+        ),
+        tag = AUTH_TAG,
+    )]
+pub async fn init_admin(
+    State(state): State<Arc<AppState>>,
+    Json(payload): Json<Value>,
+) -> Response {
+    if user::Entity::find()
+        .filter(user::Column::IsAdmin.eq(true))
+        .filter(user::Column::IsActive.eq(true))
+        .one(state.database_connection.as_ref())
+        .await
+        .map_err(|err| {
+            error!("Failed to query for existing admin user: {}", err);
+            StatusCode::INTERNAL_SERVER_ERROR
+        })
+        .unwrap_or(None)
+        .is_some()
+    {
+        warn!("Admin user already exists. Skipping admin initialization.");
+        return (StatusCode::UNAUTHORIZED).into_response();
+    }
+
+    let init_request: AdminInitRequest = match from_value(payload) {
+        Ok(req) => req,
+        Err(e) => {
+            warn!("Invalid login request: {}", e);
+            return (StatusCode::BAD_REQUEST).into_response();
+        }
+    };
+
+    let admin_secret = match state
+        .service
+        .settings
+        .get_setting(ADMIN_INIT_SECRET_KEY)
+        .await
+    {
+        Ok(secret) => secret,
+        Err(e) => {
+            error!(
+                "Failed to retrieve admin initialization secret. Invalid internal state?: {}",
+                e
+            );
+            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
+        }
+    };
+
+    if init_request.setup_secret != admin_secret {
+        info!("{},{}", init_request.setup_secret, admin_secret);
+        warn!("Invalid admin initialization secret provided.");
+        return (StatusCode::UNAUTHORIZED).into_response();
+    }
+
+    let mut tx = match state.database_connection.begin().await {
+        Ok(tx) => tx,
+        Err(e) => {
+            error!("Failed to start transaction: {}", e);
+            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
+        }
+    };
+
+    let user = match state
+        .service
+        .user
+        .create_user(
+            NewUser {
+                username: init_request.username,
+                is_admin: true,
+            },
+            Some(&mut tx),
+        )
+        .await
+    {
+        Ok(user) => user,
+        Err(e) => {
+            error!("Failed to initialize admin user: {}", e);
+            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
+        }
+    };
+
+    debug!("Created admin user with ID: {}", user.id);
+    match state
+        .service
+        .auth_state
+        .strategy
+        .password
+        .create_identity(user.id, &init_request.password, Some(&mut tx))
+        .await
+    {
+        Ok(_) => {}
+        Err(e) => {
+            error!("Failed to create admin user identity: {}", e);
+            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
+        }
+    };
+
+    tx.commit().await.unwrap_or_else(|e| {
+        error!("Failed to commit transaction: {}", e);
+    });
+
+    (StatusCode::OK).into_response()
+}

apps/api/src/routes/api/auth/login.rs

@@ -0,0 +1,107 @@
+use std::sync::Arc;
+
+use axum::{
+    Json,
+    body::Body,
+    extract::State,
+    http::{StatusCode, header::SET_COOKIE},
+    response::{IntoResponse, Response},
+};
+use serde::{Deserialize, Serialize};
+use serde_json::{Value, from_value};
+use tracing::{error, warn};
+
+use crate::{
+    helpers::constants::JWT_COOKIE_NAME,
+    routes::{AppState, api::openapi::tag::AUTH_TAG},
+};
+
+/// Login request payload
+#[derive(Serialize, Deserialize, utoipa::ToSchema)]
+pub struct LoginRequest {
+    username: String,
+    password: String,
+}
+
+/// Login endpoint
+///
+/// Authenticates a user and returns a JWT in an HttpOnly cookie.
+#[utoipa::path(
+        post,
+        path = "/api/auth/login",
+        request_body = LoginRequest,
+        responses(
+            (status = 200, description = "User authenticated successfully", body = ()),
+            (status = 401, description = "Authentication failed"),
+            (status = 500, description = "Internal server error"),
+        ),
+        tag = AUTH_TAG,
+    )]
+pub async fn login(State(state): State<Arc<AppState>>, Json(payload): Json<Value>) -> Response {
+    let login_request: LoginRequest = match from_value(payload) {
+        Ok(req) => req,
+        Err(e) => {
+            warn!("Invalid login request: {}", e);
+            return (StatusCode::BAD_REQUEST).into_response();
+        }
+    };
+
+    let user_id = match state
+        .service
+        .auth_state
+        .strategy
+        .password
+        .authenticate(&login_request.username, &login_request.password, None)
+        .await
+    {
+        Ok(user_id) => user_id,
+        Err(e) => {
+            warn!(
+                "Authentication failed for user {}: {}",
+                login_request.username, e
+            );
+            return (StatusCode::UNAUTHORIZED).into_response();
+        }
+    };
+
+    let (jwt, claims) = match state
+        .service
+        .auth_state
+        .authentication
+        .generate_jwt(user_id, 3600)
+        .await
+    {
+        Ok(token) => token,
+        Err(e) => {
+            error!("Error generating JWT for user {}: {}", user_id, e);
+            return (StatusCode::INTERNAL_SERVER_ERROR).into_response();
+        }
+    };
+
+    let response_builder = Response::builder()
+        .status(StatusCode::OK)
+        // add jwt as cookie
+        .header(
+            SET_COOKIE,
+            format!(
+                "{}={}; HttpOnly; Path=/; Max-Age={}; SameSite=Strict;{}",
+                JWT_COOKIE_NAME,
+                jwt,
+                claims.exp - claims.iat,
+                if state.config.server.cookies.secure {
+                    " Secure;"
+                } else {
+                    ""
+                }
+            ),
+        )
+        .body(Body::from(()));
+
+    match response_builder {
+        Ok(resp) => resp,
+        Err(e) => {
+            error!("Error building response: {}", e);
+            (StatusCode::INTERNAL_SERVER_ERROR).into_response()
+        }
+    }
+}

apps/api/src/routes/api/health.rs

@@ -5,8 +5,13 @@ use std::sync::Arc;
 
 use axum::{Router, routing::get};
 
-pub fn get_health_router() -> Router {
+use crate::routes::{AppState, api::health::state::AppStateWithHealth};
+
+pub fn get_health_router(app_state: Arc<AppState>) -> Router {
     Router::new()
         .route("/info", get(info::get_health_info))
-        .with_state(Arc::new(state::HealthState::default()))
+        .with_state(Arc::new(AppStateWithHealth {
+            app_state: app_state.clone(),
+            health_state: Arc::new(state::HealthState::default()),
+        }))
 }

apps/api/src/routes/api/health/info.rs

@@ -3,8 +3,9 @@ use std::sync::Arc;
 use axum::{Json, extract::State, http::StatusCode};
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
+use tracing::error;
 
-use crate::routes::api::{health::state::HealthState, openapi::tag::HEALTH_TAG};
+use crate::routes::api::{health::state::AppStateWithHealth, openapi::tag::HEALTH_TAG};
 
 const STATUS_HEALTHY: &str = "healthy";
 const STATUS_UNHEALTHY: &str = "unhealthy";
@@ -20,6 +21,8 @@ pub struct HealthInfo {
     pub up_since: DateTime<Utc>,
     /// List of error messages if unhealthy
     pub errors: Option<Vec<String>>,
+    /// Is initialized
+    pub is_initialized: bool,
 }
 
 /// Health check endpoint
@@ -35,12 +38,23 @@ pub struct HealthInfo {
         tag = HEALTH_TAG,
     )]
 pub async fn get_health_info(
-    State(state): State<Arc<HealthState>>,
+    State(app_state_with_health): State<Arc<AppStateWithHealth>>,
 ) -> (StatusCode, Json<HealthInfo>) {
     #[allow(unused_mut)]
     let mut errors = vec![];
 
     let is_healthy = errors.is_empty();
+    let health_state = &app_state_with_health.health_state;
+    let app_state = &app_state_with_health.app_state;
+
+    let is_initialized = match app_state.service.server_state.is_server_initialized().await {
+        Ok(initialized) => initialized,
+        Err(err) => {
+            errors.push("Failed to determine if server is initialized".to_string());
+            error!("Error checking server initialization status: {}", err);
+            false
+        }
+    };
 
     (
         if is_healthy {
@@ -55,14 +69,30 @@ pub async fn get_health_info(
                 STATUS_UNHEALTHY.into()
             },
             version: env!("CARGO_PKG_VERSION").into(),
-            up_since: *state.get_start_at(),
+            up_since: *health_state.get_start_at(),
             errors: if is_healthy { None } else { Some(errors) },
+            is_initialized,
         }),
     )
 }
 
 #[cfg(test)]
 mod test {
+    use crate::configs::FromConfig;
+    use crate::{
+        routes::{AppState, api::health::state::HealthState},
+        services::{
+            auth::{
+                authentication::{
+                    AuthenticationServiceImpl, strategies::password::PasswordStrategy,
+                },
+                user::UserServiceImpl,
+            },
+            server_state::ServerStateService,
+            settings::SettingsService,
+        },
+    };
+
     use super::*;
     use axum::body::to_bytes;
     use axum::{
@@ -70,14 +100,39 @@ mod test {
         body::Body,
         http::{Request, StatusCode},
     };
+    use sea_orm::MockDatabase;
     use tower::ServiceExt;
 
     #[tokio::test]
     async fn test_get_health_info() {
         let health_state = Arc::new(HealthState::default());
+        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
+            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
+            .into_connection();
+        let db = Arc::new(db);
+
+        let app_state = Arc::new(AppState {
+            database_connection: db.clone(),
+            config: Arc::new(crate::configs::ProgramSettings::mock()),
+            service: Arc::new(crate::routes::AppService {
+                settings: Arc::new(SettingsService::new(db.clone())),
+                auth_state: crate::routes::AuthState {
+                    strategy: crate::routes::AuthStrategy {
+                        password: Arc::new(PasswordStrategy::new(db.clone())),
+                    },
+                    authentication: Arc::new(AuthenticationServiceImpl::new(None)),
+                },
+                user: Arc::new(UserServiceImpl::new(db.clone())),
+                server_state: Arc::new(ServerStateService::new(db.clone())),
+            }),
+        });
+
         let app = Router::new()
             .route("/info", axum::routing::get(get_health_info))
-            .with_state(health_state);
+            .with_state(Arc::new(AppStateWithHealth {
+                app_state: app_state.clone(),
+                health_state: health_state.clone(),
+            }));
 
         let response = app
             .oneshot(Request::builder().uri("/info").body(Body::empty()).unwrap())

apps/api/src/routes/api/health/state.rs

@@ -1,5 +1,14 @@
+use std::sync::Arc;
+
 use chrono::{DateTime, Utc};
 
+use crate::routes::AppState;
+
+pub struct AppStateWithHealth {
+    pub app_state: Arc<AppState>,
+    pub health_state: Arc<HealthState>,
+}
+
 pub struct HealthState {
     start_at: DateTime<Utc>,
 }

apps/api/src/routes/api/openapi.rs

@@ -1,18 +1,32 @@
 pub mod tag {
     /// Health tag constant
     pub const HEALTH_TAG: &str = "Health";
+    pub const AUTH_TAG: &str = "Authentication";
+    pub const USER_TAG: &str = "User";
 }
 
 #[derive(utoipa::OpenApi)]
 #[openapi(
   paths(
-    crate::routes::api::health::info::get_health_info
+    crate::routes::api::health::info::get_health_info,
+    // Authentication paths
+    crate::routes::api::auth::login::login,
+    crate::routes::api::auth::init_admin::init_admin,
+    // User management paths
+    crate::routes::api::restricted::user::me::get_user_info,
   ),
   components(
-      schemas(crate::routes::api::health::info::HealthInfo) // Register any schemas used in your paths
+      schemas(crate::routes::api::health::info::HealthInfo),
+      // Authentication schemas
+      schemas(crate::routes::api::auth::login::LoginRequest),
+      schemas(crate::routes::api::auth::init_admin::AdminInitRequest),
+      // User management schemas
+      schemas(crate::routes::api::restricted::user::me::UserInfo),
   ),
   tags(
-      (name = tag::HEALTH_TAG, description = "Health information API")
+      (name = tag::HEALTH_TAG, description = "Health information API"),
+      (name = tag::AUTH_TAG, description = "Authentication API"),
+      (name = tag::USER_TAG, description = "User management API")
   )
 )]
 pub struct ApiDoc;

apps/api/src/routes/api/restricted.rs

@@ -0,0 +1,16 @@
+pub mod user;
+
+use std::sync::Arc;
+
+use axum::Router;
+
+use crate::{middlewares::require_auth::require_auth, routes::AppState};
+
+pub fn get_restricted_router(state: Arc<AppState>) -> Router {
+    Router::new()
+        .nest("/user", user::get_user_router(state.clone()))
+        .layer(axum::middleware::from_fn_with_state(
+            state.clone(),
+            require_auth,
+        ))
+}

apps/api/src/routes/api/restricted/user.rs

@@ -0,0 +1,13 @@
+pub mod me;
+
+use std::sync::Arc;
+
+use axum::Router;
+
+use crate::routes::AppState;
+
+pub fn get_user_router(state: Arc<AppState>) -> Router {
+    Router::new()
+        .route("/me", axum::routing::get(me::get_user_info))
+        .with_state(state)
+}

apps/api/src/routes/api/restricted/user/me.rs

@@ -0,0 +1,64 @@
+use std::sync::Arc;
+
+use axum::{
+    Extension, Json,
+    extract::State,
+    http::StatusCode,
+    response::{IntoResponse, Response},
+};
+use serde::{Deserialize, Serialize};
+use tracing::error;
+
+use crate::{
+    middlewares::request_info::RequestInfo,
+    routes::{AppState, api::openapi::tag::USER_TAG},
+};
+
+/// System health information
+#[derive(Serialize, Deserialize, utoipa::ToSchema)]
+pub struct UserInfo {
+    /// User ID
+    pub id: uuid::Uuid,
+    /// Username
+    pub username: String,
+}
+
+/// Get current user information
+///
+/// Returns the information of the currently authenticated user.
+#[utoipa::path(
+        get,
+        path = "/api/user/me",
+        responses(
+            (status = 200, description = "User information retrieved successfully", body = UserInfo),
+            (status = 401, description = "Unauthorized"),
+            (status = 500, description = "Internal server error"),
+        ),
+        tag = USER_TAG,
+    )]
+pub async fn get_user_info(
+    State(app_state): State<Arc<AppState>>,
+    request_info: Extension<Arc<RequestInfo>>,
+) -> Response {
+    let user_id = match request_info.user_id {
+        Some(id) => id,
+        None => {
+            error!("User ID not found in request info");
+            return (StatusCode::UNAUTHORIZED).into_response();
+        }
+    };
+
+    match app_state.service.user.get_user_by_id(user_id, None).await {
+        Ok(user) => {
+            let user_info = UserInfo {
+                id: user.id,
+                username: user.username,
+            };
+            (StatusCode::OK, Json(user_info)).into_response()
+        }
+        Err(err) => {
+            error!("Error fetching user info: {}", err);
+            (StatusCode::INTERNAL_SERVER_ERROR).into_response()
+        }
+    }
+}

apps/api/src/services.rs

@@ -1,2 +1,3 @@
 pub mod auth;
+pub mod server_state;
 pub mod settings;

apps/api/src/services/auth/authentication.rs

@@ -5,7 +5,7 @@ use std::{collections::HashSet, sync::Arc};
 use argon2::password_hash::{SaltString, rand_core::OsRng};
 use jsonwebtoken::{
     DecodingKey, EncodingKey, Header, Validation, decode, encode,
-    errors::ErrorKind::{ExpiredSignature, InvalidSubject, InvalidToken},
+    errors::ErrorKind::{ExpiredSignature, InvalidSignature, InvalidSubject, InvalidToken},
 };
 use sea_orm::prelude::Uuid;
 use serde::{Deserialize, Serialize};
@@ -14,6 +14,7 @@ use tokio::sync::RwLock;
 use crate::errors::service_error::ServiceError;
 
 // Number of requests between invalidation cache cleanups
+#[allow(dead_code)] // TODO: remove when used
 const INVALIDATE_CACHE_CLEANUP_INTERVAL_REQUESTS: usize = 100; // Cleanup every 100 for invalidation checks
 
 #[derive(Serialize, Deserialize, Clone)]
@@ -28,17 +29,25 @@ pub struct Claims {
 
 #[async_trait::async_trait]
 pub trait AuthenticationService: Send + Sync {
-    async fn generate_jwt(&self, user_id: Uuid, duration_secs: u64)
+    async fn generate_jwt(
-    -> Result<String, ServiceError>;
+        &self,
+        user_id: Uuid,
+        duration_secs: u64,
+    ) -> Result<(String, Claims), ServiceError>;
     async fn is_valid_jwt(
         &self,
         token: &str,
         target_sub: Option<String>,
-    ) -> Result<bool, ServiceError>;
+    ) -> Result<Option<Claims>, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn parse_jwt(&self, token: &str) -> Result<Claims, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn invalidate_jwt(&self, token: &str) -> Result<(), ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn refresh_jwt(&self, token: &str, duration_secs: u64) -> Result<String, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn logout(&self, token: &str) -> Result<(), ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn cleanup_invalidation_cache(&self);
 }
 
@@ -51,7 +60,9 @@ struct InvalidationEntry {
 
 pub struct AuthenticationServiceImpl {
     secret: String,
+    #[allow(dead_code)] // TODO: remove when used
     invalidation_cache: Arc<RwLock<HashSet<InvalidationEntry>>>,
+    #[allow(dead_code)] // TODO: remove when used
     cache_cleanup_counter: Arc<RwLock<usize>>,
 }
 
@@ -76,7 +87,7 @@ impl AuthenticationService for AuthenticationServiceImpl {
         &self,
         user_id: Uuid,
         duration_secs: u64,
-    ) -> Result<String, ServiceError> {
+    ) -> Result<(String, Claims), ServiceError> {
         let header = Header::default();
         let expiration = chrono::Utc::now()
             .checked_add_signed(chrono::Duration::seconds(duration_secs as i64))
@@ -95,23 +106,25 @@ impl AuthenticationService for AuthenticationServiceImpl {
             &EncodingKey::from_secret(self.secret.as_ref()),
         )
         .map_err(|e| ServiceError::InternalError(format!("JWT generation error: {}", e)))?;
-        Ok(token)
+        Ok((token, claims))
     }
 
     async fn is_valid_jwt(
         &self,
         token: &str,
         target_sub: Option<String>,
-    ) -> Result<bool, ServiceError> {
+    ) -> Result<Option<Claims>, ServiceError> {
         let mut validation = Validation::default();
+        // disable leeway for strict expiration checking
+        validation.leeway = 0;
         if let Some(expected_sub) = target_sub {
             validation.sub = Some(expected_sub);
         }
         let decoding_key = DecodingKey::from_secret(self.secret.as_ref());
         match decode::<Claims>(token, &decoding_key, &validation) {
-            Ok(_) => Ok(true),
+            Ok(data) => Ok(Some(data.claims)),
             Err(err) => match *err.kind() {
-                InvalidToken | InvalidSubject | ExpiredSignature => Ok(false),
+                InvalidToken | InvalidSubject | ExpiredSignature | InvalidSignature => Ok(None),
                 _ => Err(ServiceError::InternalError(format!(
                     "JWT validation error: {}",
                     err
@@ -156,7 +169,7 @@ impl AuthenticationService for AuthenticationServiceImpl {
         let user_id = Uuid::parse_str(&claims.sub).map_err(|e| {
             ServiceError::InternalError(format!("Invalid user ID in JWT claims: {}", e))
         })?;
-        let new_token = self.generate_jwt(user_id, duration_secs).await?;
+        let (new_token, _) = self.generate_jwt(user_id, duration_secs).await?;
         Ok(new_token)
     }
 
@@ -181,7 +194,7 @@ mod tests {
         let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
 
         let user_id = Uuid::new_v4();
-        let token = service
+        let (token, _) = service
             .generate_jwt(user_id, 60)
             .await
             .expect("generate jwt");
@@ -190,8 +203,7 @@ mod tests {
             .is_valid_jwt(&token, None)
             .await
             .expect("validate jwt");
-        assert!(valid, "Generated token should be valid");
+        assert!(valid.is_some(), "Generated token should be valid");
-
         let claims = service.parse_jwt(&token).await.expect("parse jwt");
         assert_eq!(claims.sub, user_id.to_string());
     }
@@ -201,11 +213,14 @@ mod tests {
         let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
 
         let user_id = Uuid::new_v4();
-        let token = service.generate_jwt(user_id, 60).await.unwrap();
+        let (token, _) = service.generate_jwt(user_id, 60).await.unwrap();
 
         let other_sub = Uuid::new_v4().to_string();
         let valid = service.is_valid_jwt(&token, Some(other_sub)).await.unwrap();
-        assert!(!valid, "Token should be invalid for a different subject");
+        assert!(
+            valid.is_none(),
+            "Token should be invalid for a different subject"
+        );
     }
 
     #[tokio::test]
@@ -221,7 +236,7 @@ mod tests {
         let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
 
         let user_id = Uuid::new_v4();
-        let token = service.generate_jwt(user_id, 60).await.unwrap();
+        let (token, _) = service.generate_jwt(user_id, 60).await.unwrap();
         let new_token = service.refresh_jwt(&token, 120).await.unwrap();
 
         let claims = service.parse_jwt(&new_token).await.unwrap();
@@ -234,11 +249,16 @@ mod tests {
         let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
 
         let user_id = Uuid::new_v4();
-        let token = service.generate_jwt(user_id, 1).await.unwrap();
+        let (token, claims) = service.generate_jwt(user_id, 1).await.unwrap();
         sleep(Duration::from_secs(2)).await;
 
         let valid = service.is_valid_jwt(&token, None).await.unwrap();
-        assert!(!valid, "Token should be expired and thus invalid");
+        assert!(
+            valid.is_none(),
+            "Token should be expired and thus invalid. Current time: {:?}. Diff: {}",
+            chrono::Utc::now(),
+            chrono::Utc::now().timestamp() - claims.exp as i64
+        );
     }
 
     #[tokio::test]
@@ -246,7 +266,7 @@ mod tests {
         let service = AuthenticationServiceImpl::new(Some("secret".to_string()));
 
         let user_id = Uuid::new_v4();
-        let token = service.generate_jwt(user_id, 1).await.unwrap();
+        let (token, _) = service.generate_jwt(user_id, 1).await.unwrap();
 
         service.invalidate_jwt(&token).await.unwrap();
 

apps/api/src/services/auth/authentication/strategies/password.rs

@@ -68,7 +68,7 @@ impl PasswordStrategy {
 
         Ok(user.id)
     }
-
+    #[allow(dead_code)] // TODO: remove when used
     pub async fn revoke_identity(
         &self,
         user_id: Uuid,
@@ -102,12 +102,30 @@ impl PasswordStrategy {
     ) -> Result<(), ServiceError> {
         Self::is_valid_password(password).map_err(ServiceError::BadRequest)?;
 
+        // If an identity already exists for this user/provider, treat as success.
+        // This also allows tests using MockDatabase to provide a query result
+        // for an existing identity without requiring an insert exec result.
+        let existing = with_conn!(&*self.connection, tx, conn, {
+            user_identity::Entity::find()
+                .filter(user_identity::Column::UserId.eq(user_id))
+                .filter(user_identity::Column::Provider.eq(PASSWORD_PROVIDER.to_string()))
+                .one(*conn)
+                .await?
+        });
+
+        if existing.is_some() {
+            return Err(ServiceError::BadRequest(
+                "Identity already exists".to_string(),
+            ));
+        }
+
         let password_hash = Argon2::default()
             .hash_password(password.as_bytes(), &SaltString::generate(&mut OsRng))
             .map_err(|_| ServiceError::InternalError("Failed to hash password".to_string()))?
             .to_string();
 
         let new_identity = user_identity::ActiveModel {
+            id: sea_orm::ActiveValue::Set(Uuid::new_v4()),
             user_id: sea_orm::ActiveValue::Set(user_id),
             provider: sea_orm::ActiveValue::Set(PASSWORD_PROVIDER.to_string()),
             password_hash: sea_orm::ActiveValue::Set(Some(password_hash)),
@@ -125,7 +143,7 @@ impl PasswordStrategy {
 
         Ok(())
     }
-
+    #[allow(dead_code)] // TODO: remove when used
     pub async fn update_password(
         &self,
         user_id: Uuid,
@@ -362,19 +380,14 @@ mod test {
     #[tokio::test]
     async fn create_identity_success() {
         let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
-            .append_query_results(vec![vec![user_identity::Model {
+            // No existing identity
-                id: Uuid::new_v4(),
+            .append_query_results(vec![Vec::<sea_orm::MockRow>::new()])
-                user_id: Uuid::new_v4(),
+            // Insert exec result (mock exec result for insert)
-                email: None,
+            .append_exec_results(vec![sea_orm::MockExecResult {
-                provider: PASSWORD_PROVIDER.to_string(),
+                rows_affected: 1,
-                password_hash: Some("somehash".to_string()),
+                last_insert_id: 0,
-                metadata: None,
+            }])
-                is_revoked: false,
+            // Return inserted identity for any subsequent queries
-                revoked_at: None,
-                created_at: chrono::Utc::now(),
-                updated_at: chrono::Utc::now(),
-                password_changed_at: None,
-            }]])
             .into_connection();
 
         let strategy = PasswordStrategy::new(Arc::new(db));
@@ -390,6 +403,30 @@ mod test {
         );
     }
 
+    #[tokio::test]
+    async fn create_identity_existing() {
+        let user_id = Uuid::new_v4();
+        let identity = user_identity::Model {
+            id: Uuid::new_v4(),
+            user_id,
+            email: None,
+            provider: PASSWORD_PROVIDER.to_string(),
+            password_hash: Some("hash".to_string()),
+            metadata: None,
+            is_revoked: false,
+            revoked_at: None,
+            created_at: chrono::Utc::now(),
+            updated_at: chrono::Utc::now(),
+            password_changed_at: None,
+        };
+        let db = MockDatabase::new(sea_orm::DatabaseBackend::Sqlite)
+            .append_query_results(vec![vec![identity]])
+            .into_connection();
+        let strategy = PasswordStrategy::new(Arc::new(db));
+        let result = strategy.create_identity(user_id, "ValidPass1!", None).await;
+        assert!(matches!(result, Err(ServiceError::BadRequest(_))));
+    }
+
     #[tokio::test]
     async fn update_password_not_found() {
         let user_id = Uuid::new_v4();
@@ -412,7 +449,7 @@ mod test {
             user_id,
             email: None,
             provider: PASSWORD_PROVIDER.to_string(),
-            password_hash: Some("oldhash".to_string()),
+            password_hash: Some("old_hash".to_string()),
             metadata: None,
             is_revoked: false,
             revoked_at: None,
@@ -429,7 +466,7 @@ mod test {
                     user_id,
                     email: None,
                     provider: PASSWORD_PROVIDER.to_string(),
-                    password_hash: Some("newhash".to_string()),
+                    password_hash: Some("new_hash".to_string()),
                     metadata: None,
                     is_revoked: false,
                     revoked_at: None,

apps/api/src/services/auth/user.rs

@@ -17,11 +17,13 @@ pub trait UserService: Send + Sync {
         user_id: Uuid,
         tx: Option<&mut DatabaseTransaction>,
     ) -> Result<User, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn is_admin(
         &self,
         user_id: Uuid,
         tx: Option<&mut DatabaseTransaction>,
     ) -> Result<bool, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn user_exists(
         &self,
         username: &str,
@@ -32,12 +34,14 @@ pub trait UserService: Send + Sync {
         user: NewUser,
         tx: Option<&mut DatabaseTransaction>,
     ) -> Result<User, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn update_user(
         &self,
         user_id: Uuid,
         user: UpdateUser,
         tx: Option<&mut DatabaseTransaction>,
     ) -> Result<User, ServiceError>;
+    #[allow(dead_code)] // TODO: remove when used
     async fn delete_user(
         &self,
         user_id: Uuid,
@@ -48,6 +52,7 @@ pub trait UserService: Send + Sync {
 pub struct User {
     pub id: Uuid,
     pub username: String,
+    #[allow(dead_code)] // TODO: remove when used
     pub is_admin: bool,
 }
 
@@ -67,12 +72,16 @@ pub struct NewUser {
 }
 
 pub struct UpdateUser {
+    #[allow(dead_code)] // TODO: remove when used
     pub username: Option<String>,
+    #[allow(dead_code)] // TODO: remove when used
     pub is_admin: Option<bool>,
+    #[allow(dead_code)] // TODO: remove when used
     pub is_active: Option<bool>,
 }
 
 impl UpdateUser {
+    #[allow(dead_code)] // TODO: remove when used
     fn apply_to_active_model(&self, model: &mut UserActiveModel) {
         if let Some(username) = &self.username {
             model.name = ActiveValue::Set(username.clone());
@@ -163,7 +172,7 @@ impl UserService for UserServiceImpl {
         tx: Option<&mut DatabaseTransaction>,
     ) -> Result<User, ServiceError> {
         let user_active_model = UserActiveModel {
-            id: ActiveValue::NotSet,
+            id: ActiveValue::Set(Uuid::new_v4()),
             name: ActiveValue::Set(user.username),
             is_admin: ActiveValue::Set(user.is_admin),
             is_active: ActiveValue::Set(true),

apps/api/src/services/server_state.rs

@@ -0,0 +1,36 @@
+use std::sync::Arc;
+
+use sea_orm::{DatabaseConnection, prelude::*};
+
+use crate::errors::service_error::ServiceError;
+
+#[async_trait::async_trait]
+pub trait ServerStateStore: Send + Sync {
+    async fn is_server_initialized(&self) -> Result<bool, ServiceError>;
+}
+
+pub struct ServerStateService {
+    connection: Arc<DatabaseConnection>,
+}
+
+impl ServerStateService {
+    pub fn new(connection: Arc<DatabaseConnection>) -> Self {
+        Self { connection }
+    }
+}
+
+#[async_trait::async_trait]
+impl ServerStateStore for ServerStateService {
+    async fn is_server_initialized(&self) -> Result<bool, ServiceError> {
+        // For example, check if any admin user exists to determine if the server is initialized
+        let admin_exists = database::generated::entities::user::Entity::find()
+            .filter(database::generated::entities::user::Column::IsAdmin.eq(true))
+            .filter(database::generated::entities::user::Column::IsActive.eq(true))
+            .one(&*self.connection)
+            .await
+            .map_err(ServiceError::from)?
+            .is_some();
+
+        Ok(admin_exists)
+    }
+}

apps/api/src/services/settings.rs

@@ -11,14 +11,11 @@ use crate::errors::service_error::ServiceError;
 
 #[async_trait::async_trait]
 pub trait SettingsStore: Send + Sync {
-    #[allow(dead_code)] // TODO: remove when used
     async fn get_setting(&self, key: &str) -> Result<String, ServiceError>;
-    #[allow(dead_code)] // TODO: remove when used
     async fn set_setting(&self, key: &str, value: String) -> Result<(), ServiceError>;
 }
 
 pub struct SettingsService {
-    #[allow(dead_code)] // TODO: remove when used
     connection: Arc<DatabaseConnection>,
 }
 
@@ -77,10 +74,11 @@ impl SettingsStore for SettingsService {
             Ok(None) => {
                 handle_not_found(key.to_string(), value).await?;
             }
-            Ok(Some(mut record)) => {
+            Ok(Some(record)) => {
-                record.value = value;
+                let mut record_active_model = record.into_active_model();
-                record
+                record_active_model.value = ActiveValue::Set(value);
-                    .into_active_model()
+                record_active_model.updated_at = ActiveValue::Set(chrono::Utc::now());
+                record_active_model
                     .update(&*self.connection)
                     .await
                     .map_err(ServiceError::from)?;

apps/api/swagger.json

@@ -9,6 +9,78 @@
     "version": "0.1.0"
   },
   "paths": {
+    "/api/auth/init_admin": {
+      "post": {
+        "tags": [
+          "Authentication"
+        ],
+        "summary": "Initializes the admin user",
+        "description": "Initializes the admin user if no admin user exists and the correct setup secret is provided.",
+        "operationId": "init_admin",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/AdminInitRequest"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "Admin user initialized successfully"
+          },
+          "400": {
+            "description": "Invalid request payload"
+          },
+          "401": {
+            "description": "Unauthorized: Admin user already exists or invalid setup secret"
+          },
+          "500": {
+            "description": "Internal server error"
+          }
+        }
+      }
+    },
+    "/api/auth/login": {
+      "post": {
+        "tags": [
+          "Authentication"
+        ],
+        "summary": "Login endpoint",
+        "description": "Authenticates a user and returns a JWT in an HttpOnly cookie.",
+        "operationId": "login",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "$ref": "#/components/schemas/LoginRequest"
+              }
+            }
+          },
+          "required": true
+        },
+        "responses": {
+          "200": {
+            "description": "User authenticated successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "default": null
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Authentication failed"
+          },
+          "500": {
+            "description": "Internal server error"
+          }
+        }
+      }
+    },
     "/api/health/info": {
       "get": {
         "tags": [
@@ -33,17 +105,66 @@
           }
         }
       }
+    },
+    "/api/user/me": {
+      "get": {
+        "tags": [
+          "User"
+        ],
+        "summary": "Get current user information",
+        "description": "Returns the information of the currently authenticated user.",
+        "operationId": "get_user_info",
+        "responses": {
+          "200": {
+            "description": "User information retrieved successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/UserInfo"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized"
+          },
+          "500": {
+            "description": "Internal server error"
+          }
+        }
+      }
     }
   },
   "components": {
     "schemas": {
+      "AdminInitRequest": {
+        "type": "object",
+        "description": "Login request payload",
+        "required": [
+          "username",
+          "password",
+          "setup_secret"
+        ],
+        "properties": {
+          "password": {
+            "type": "string"
+          },
+          "setup_secret": {
+            "type": "string"
+          },
+          "username": {
+            "type": "string"
+          }
+        }
+      },
       "HealthInfo": {
         "type": "object",
         "description": "System health information",
         "required": [
           "status",
           "version",
-          "up_since"
+          "up_since",
+          "is_initialized"
         ],
         "properties": {
           "errors": {
@@ -56,6 +177,10 @@
             },
             "description": "List of error messages if unhealthy"
           },
+          "is_initialized": {
+            "type": "boolean",
+            "description": "Is initialized"
+          },
           "status": {
             "type": "string",
             "description": "Health status: \"healthy\" or \"unhealthy\""
@@ -70,6 +195,41 @@
             "description": "Application version"
           }
         }
+      },
+      "LoginRequest": {
+        "type": "object",
+        "description": "Login request payload",
+        "required": [
+          "username",
+          "password"
+        ],
+        "properties": {
+          "password": {
+            "type": "string"
+          },
+          "username": {
+            "type": "string"
+          }
+        }
+      },
+      "UserInfo": {
+        "type": "object",
+        "description": "System health information",
+        "required": [
+          "id",
+          "username"
+        ],
+        "properties": {
+          "id": {
+            "type": "string",
+            "format": "uuid",
+            "description": "User ID"
+          },
+          "username": {
+            "type": "string",
+            "description": "Username"
+          }
+        }
       }
     }
   },
@@ -77,6 +237,14 @@
     {
       "name": "Health",
       "description": "Health information API"
+    },
+    {
+      "name": "Authentication",
+      "description": "Authentication API"
+    },
+    {
+      "name": "User",
+      "description": "User management API"
     }
   ]
 }

apps/frontend/app/app.css

@@ -1,15 +1,9 @@
-@import "tailwindcss";
+@import 'tailwindcss';
 
 @theme {
-  --font-sans: "Inter", ui-sans-serif, system-ui, sans-serif,
+  --font-sans: 'Inter', ui-sans-serif, system-ui, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol', 'Noto Color Emoji';
-    "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol", "Noto Color Emoji";
 }
 
 html,
 body {
-  @apply bg-white dark:bg-gray-950;
-
-  @media (prefers-color-scheme: dark) {
-    color-scheme: dark;
-  }
 }

apps/frontend/app/components/Form/Button.tsx

@@ -0,0 +1,46 @@
+import { Button, type ButtonProps } from '@radix-ui/themes';
+import { LoaderCircle } from 'lucide-react';
+
+export type SubmitButtonProps = {
+  loading?: boolean;
+  label?:
+    | {
+        default?: string;
+        loading?: string;
+      }
+    | string;
+} & React.ButtonHTMLAttributes<HTMLButtonElement> &
+  ButtonProps;
+
+export function SubmitButton({ loading, label, ...props }: SubmitButtonProps) {
+  return (
+    <Button
+      type="submit"
+      disabled={loading}
+      style={{
+        padding: '10px 14px',
+        borderRadius: 6,
+        border: 'none',
+        backgroundColor: 'var(--iris-9)',
+      }}
+      size="3"
+      {...props}
+    >
+      {loading
+        ? typeof label === 'string'
+          ? label
+          : label?.loading ?? <LoaderCircle className="animate-spin" style={{ width: 24, height: 24, marginRight: 4, verticalAlign: 'middle', color: 'white' }} />
+        : typeof label === 'string'
+        ? label
+        : label?.default ?? 'Submit'}
+    </Button>
+  );
+}
+
+export function ResetButton(props: React.ButtonHTMLAttributes<HTMLButtonElement>) {
+  return (
+    <button type="reset" {...props} style={{ padding: '10px 14px', borderRadius: 6, border: '1px solid var(--gray-5)', background: 'white', ...props.style }}>
+      {props.children ?? 'Reset'}
+    </button>
+  );
+}

apps/frontend/app/components/Form/TextField.tsx

@@ -0,0 +1,103 @@
+import type { AnyFieldMeta } from '@tanstack/react-form';
+import { LucideEye, LucideEyeClosed } from 'lucide-react';
+import { useCallback, useId, useState } from 'react';
+import { InfoIcon, type InfoIconProps } from '../info';
+import { Text } from '@radix-ui/themes';
+
+export type TextFieldProps = {
+  label?: string;
+  value?: string;
+  onChange?: (e: React.ChangeEvent<HTMLInputElement>) => void;
+  labelProps?: React.LabelHTMLAttributes<HTMLLabelElement>;
+  labelDivProps?: React.HTMLAttributes<HTMLDivElement>;
+  infoIconProps?: InfoIconProps;
+} & React.InputHTMLAttributes<HTMLInputElement> & {
+    type?: 'password';
+    showPasswordToggle?: boolean;
+  };
+
+export function TextField({ label, value, onChange, labelProps, labelDivProps, showPasswordToggle, infoIconProps, ...rest }: TextFieldProps) {
+  const id = useId();
+  const [isPasswordVisible, setIsPasswordVisible] = useState(false);
+  const handlePasswordVisibilitySet = useCallback(
+    (e: React.MouseEvent | React.TouchEvent, visible: boolean) => {
+      if (rest.type !== 'password') return;
+      e.preventDefault();
+      setIsPasswordVisible(() => visible);
+    },
+    [rest.type]
+  );
+
+  return (
+    <label htmlFor={id} style={{ display: 'block', marginBottom: 8 }} {...labelProps}>
+      {label && (
+        <div style={{ fontSize: 12, color: 'var(--gray-9)', marginBottom: 6, display: 'flex', alignItems: 'center' }} {...labelDivProps}>
+          {label}
+          {rest?.required && (
+            <Text size="3" style={{ color: 'var(--red-9)', marginLeft: 2 }}>
+              *
+            </Text>
+          )}
+          {infoIconProps && <InfoIcon {...infoIconProps} style={{ marginLeft: 4, verticalAlign: 'middle' }} />}
+        </div>
+      )}
+      <div style={{ position: 'relative', display: 'flex', alignItems: 'center', gap: 8 }}>
+        <input
+          {...rest}
+          type={rest.type === 'password' ? (isPasswordVisible && showPasswordToggle ? 'text' : 'password') : rest.type}
+          id={id}
+          value={value}
+          onChange={onChange}
+          style={{
+            width: '100%',
+            padding: '10px 12px',
+            borderRadius: 6,
+            border: '1px solid var(--gray-5)',
+            ...rest?.style,
+          }}
+        />
+
+        <div
+          style={{ position: 'absolute', right: 12 }}
+          onMouseDown={(e) => {
+            handlePasswordVisibilitySet(e, true);
+          }}
+          onMouseUp={(e) => {
+            handlePasswordVisibilitySet(e, false);
+          }}
+          onMouseLeave={(e) => {
+            handlePasswordVisibilitySet(e, false);
+          }}
+          onTouchStart={(e) => {
+            handlePasswordVisibilitySet(e, true);
+          }}
+          onTouchEnd={(e) => {
+            handlePasswordVisibilitySet(e, false);
+          }}
+        >
+          {showPasswordToggle ? isPasswordVisible ? <LucideEye size={16} /> : <LucideEyeClosed size={16} /> : null}
+        </div>
+      </div>
+    </label>
+  );
+}
+
+export type TextFieldErrorMessageProps = AnyFieldMeta & {
+  errorMessage?: string;
+};
+
+export function TextFieldErrorMessage({ isValid, errors, errorMessage }: TextFieldErrorMessageProps) {
+  return (
+    !isValid && (
+      <div
+        style={{
+          marginTop: 4,
+          fontSize: 12,
+          color: 'var(--red-9)',
+        }}
+      >
+        {errorMessage ?? errors?.reduce((msg, err) => msg + err.message + ' ', '')}
+      </div>
+    )
+  );
+}

apps/frontend/app/components/home/TablePlaceholder.tsx

@@ -0,0 +1,27 @@
+import React from 'react';
+import { Flex, Text, Button, Separator, Box, Badge } from '@radix-ui/themes';
+
+export default function TablePlaceholder() {
+  return (
+    <Flex direction="column" gap="3" p="4">
+      <Flex justify="between" align="center">
+        <Text weight="bold">Proxy Hosts</Text>
+        <Button size="1">Add Host</Button>
+      </Flex>
+      <Separator size="4" />
+      {[1, 2, 3].map((i) => (
+        <Flex key={i} justify="between" align="center">
+          <Box>
+            <Text size="2" weight="bold" as="div">
+              {`host-${i}.example.com`}
+            </Text>
+            <Text size="1" color="gray">
+              {`http://10.0.0.${i}:8080`}
+            </Text>
+          </Box>
+          <Badge color="green">Online</Badge>
+        </Flex>
+      ))}
+    </Flex>
+  );
+}

apps/frontend/app/components/info.tsx

@@ -0,0 +1,59 @@
+import { Box } from '@radix-ui/themes';
+import { Info, type LucideProps } from 'lucide-react';
+import { Tooltip } from 'radix-ui';
+import type { PropsWithChildren } from 'react';
+
+export type InfoIconProps = PropsWithChildren<
+  {
+    tooltipContainerProps?: Omit<Tooltip.TooltipContentProps & React.RefAttributes<HTMLDivElement>, 'children'>;
+  } & Omit<LucideProps, 'ref'> &
+    React.RefAttributes<SVGSVGElement>
+>;
+
+export function InfoIcon({ tooltipContainerProps, children, ...iconProps }: InfoIconProps) {
+  return (
+    <Tooltip.Root>
+      <Tooltip.Trigger asChild>
+        <Info size={16} {...iconProps} />
+      </Tooltip.Trigger>
+      <Tooltip.Portal>
+        <Tooltip.Content
+          //
+          side="top"
+          align="center"
+          sideOffset={5}
+          alignOffset={0}
+          avoidCollisions={true}
+          style={{
+            color: 'black',
+            backgroundColor: 'white',
+            fontSize: 12,
+            boxShadow: '0 2px 10px rgba(0, 0, 0, 0.3)',
+            border: '1px solid var(--gray-5)',
+          }}
+          {...tooltipContainerProps}
+        >
+          {children}
+          <Tooltip.Arrow className="TooltipArrow" fill="white" />
+        </Tooltip.Content>
+      </Tooltip.Portal>
+    </Tooltip.Root>
+  );
+}
+
+export function TooltipContentContainer({ children, ...props }: React.HTMLAttributes<HTMLDivElement>) {
+  return (
+    <Box
+      style={{
+        padding: '8px 12px',
+        color: 'black',
+        backgroundColor: 'white',
+        borderRadius: 4,
+        fontSize: 12,
+      }}
+      {...props}
+    >
+      {children}
+    </Box>
+  );
+}

apps/frontend/app/components/layout/SidebarContent.tsx

@@ -0,0 +1,89 @@
+import type React from 'react';
+import { Box, Button, Flex, Heading, Separator, Text } from '@radix-ui/themes';
+import type { NavItem } from './types';
+import { Home, Globe, ArrowRight, Lock, Settings, User } from 'lucide-react';
+import { useLayout } from '../../providers/LayoutProvider';
+
+const navItems: { label: NavItem; icon: React.ReactNode }[] = [
+  { label: 'Dashboard', icon: <Home size={16} /> },
+  { label: 'Proxy Hosts', icon: <Globe size={16} /> },
+  { label: 'Redirection', icon: <ArrowRight size={16} /> },
+  { label: 'SSL', icon: <Lock size={16} /> },
+  { label: 'Settings', icon: <Settings size={16} /> },
+  { label: 'Profile', icon: <User size={16} /> },
+] as const;
+
+export function SidebarContent() {
+  const { activeTab, setActiveTab, setIsMobileMenuOpen } = useLayout();
+
+  return (
+    <Flex direction="column" gap="2" p="4" style={{ height: '100%' }}>
+      <Flex align="center" gap="2" mb="6" px="2">
+        <Box
+          style={{
+            width: 32,
+            height: 32,
+            backgroundColor: 'var(--iris-9)',
+            borderRadius: 'var(--radius-2)',
+            display: 'flex',
+            alignItems: 'center',
+            justifyContent: 'center',
+            color: 'white',
+            fontWeight: 'bold',
+          }}
+        >
+          Y
+        </Box>
+        <Heading size="4" weight="bold">
+          YANPM
+        </Heading>
+      </Flex>
+
+      <Flex direction="column" gap="1">
+        {navItems.map((item) => (
+          <Button
+            key={item.label}
+            variant={activeTab === item.label ? 'soft' : 'ghost'}
+            color={activeTab === item.label ? 'iris' : 'gray'}
+            onClick={() => {
+              setActiveTab(item.label);
+              setIsMobileMenuOpen(false);
+            }}
+            style={{ cursor: 'pointer', width: '100%', justifyContent: 'flex-start' }}
+          >
+            <Flex align="center" gap="3">
+              {item.icon}
+              <Text size="2" weight={activeTab === item.label ? 'bold' : 'medium'}>
+                {item.label}
+              </Text>
+            </Flex>
+          </Button>
+        ))}
+      </Flex>
+
+      <Box style={{ marginTop: 'auto' }} pt="4">
+        <Separator size="4" mb="4" />
+        <Flex align="center" gap="3" px="2">
+          <Box
+            style={{
+              width: 32,
+              height: 32,
+              backgroundColor: 'var(--gray-5)',
+              borderRadius: '50%',
+            }}
+          />
+          <Box>
+            <Text size="1" weight="bold" as="div">
+              Admin User
+            </Text>
+            <Text size="1" color="gray">
+              admin@example.com
+            </Text>
+          </Box>
+        </Flex>
+      </Box>
+    </Flex>
+  );
+}
+
+export default SidebarContent;

apps/frontend/app/components/layout/types.ts

@@ -0,0 +1 @@
+export type NavItem = 'Dashboard' | 'Proxy Hosts' | 'Redirection' | 'SSL' | 'Settings' | 'Profile';

apps/frontend/app/components/theme.tsx

@@ -0,0 +1,16 @@
+import type React from 'react';
+import { Theme } from '@radix-ui/themes';
+
+export type AppThemeProps = {
+  children: React.ReactNode;
+};
+
+export function AppTheme({ children }: AppThemeProps) {
+  return (
+    <Theme accentColor="iris" grayColor="slate" panelBackground="translucent" radius="large">
+      {children}
+    </Theme>
+  );
+}
+
+export default AppTheme;

apps/frontend/app/empty-toastify.css

@@ -0,0 +1 @@
+/* intentionally empty: used to stub react-toastify CSS in production builds */

apps/frontend/app/generated/api-client/api-client.ts

@@ -1,11 +1,15 @@
 export namespace Schemas {
   // <Schemas>
+  export type AdminInitRequest = { password: string; setup_secret: string; username: string };
   export type HealthInfo = {
     errors?: (Array<string> | null) | undefined;
+    is_initialized: boolean;
     status: string;
     up_since: string;
     version: string;
   };
+  export type LoginRequest = { password: string; username: string };
+  export type UserInfo = { id: string; username: string };
 
   // </Schemas>
 }
@@ -13,6 +17,24 @@ export namespace Schemas {
 export namespace Endpoints {
   // <Endpoints>
 
+  export type post_Init_admin = {
+    method: "POST";
+    path: "/api/auth/init_admin";
+    requestFormat: "json";
+    parameters: {
+      body: Schemas.AdminInitRequest;
+    };
+    responses: { 200: unknown; 400: unknown; 401: unknown; 500: unknown };
+  };
+  export type post_Login = {
+    method: "POST";
+    path: "/api/auth/login";
+    requestFormat: "json";
+    parameters: {
+      body: Schemas.LoginRequest;
+    };
+    responses: { 200: unknown; 401: unknown; 500: unknown };
+  };
   export type get_Get_health_info = {
     method: "GET";
     path: "/api/health/info";
@@ -20,20 +42,33 @@ export namespace Endpoints {
     parameters: never;
     responses: { 200: Schemas.HealthInfo; 404: unknown };
   };
+  export type get_Get_user_info = {
+    method: "GET";
+    path: "/api/user/me";
+    requestFormat: "json";
+    parameters: never;
+    responses: { 200: Schemas.UserInfo; 401: unknown; 500: unknown };
+  };
 
   // </Endpoints>
 }
 
 // <EndpointByMethod>
 export type EndpointByMethod = {
+  post: {
+    "/api/auth/init_admin": Endpoints.post_Init_admin;
+    "/api/auth/login": Endpoints.post_Login;
+  };
   get: {
     "/api/health/info": Endpoints.get_Get_health_info;
+    "/api/user/me": Endpoints.get_Get_user_info;
   };
 };
 
 // </EndpointByMethod>
 
 // <EndpointByMethod.Shorthands>
+export type PostEndpoints = EndpointByMethod["post"];
 export type GetEndpoints = EndpointByMethod["get"];
 // </EndpointByMethod.Shorthands>
 
@@ -267,6 +302,37 @@ export class ApiClient {
     return;
   };
 
+  // <ApiClient.post>
+  post<Path extends keyof PostEndpoints, TEndpoint extends PostEndpoints[Path]>(
+    path: Path,
+    ...params: MaybeOptionalArg<
+      TEndpoint extends { parameters: infer UParams }
+        ? NotNever<UParams> extends true
+          ? UParams & { overrides?: RequestInit; withResponse?: false; throwOnStatusError?: boolean }
+          : { overrides?: RequestInit; withResponse?: false; throwOnStatusError?: boolean }
+        : { overrides?: RequestInit; withResponse?: false; throwOnStatusError?: boolean }
+    >
+  ): Promise<Extract<InferResponseByStatus<TEndpoint, SuccessStatusCode>, { data: {} }>["data"]>;
+
+  post<Path extends keyof PostEndpoints, TEndpoint extends PostEndpoints[Path]>(
+    path: Path,
+    ...params: MaybeOptionalArg<
+      TEndpoint extends { parameters: infer UParams }
+        ? NotNever<UParams> extends true
+          ? UParams & { overrides?: RequestInit; withResponse?: true; throwOnStatusError?: boolean }
+          : { overrides?: RequestInit; withResponse?: true; throwOnStatusError?: boolean }
+        : { overrides?: RequestInit; withResponse?: true; throwOnStatusError?: boolean }
+    >
+  ): Promise<SafeApiResponse<TEndpoint>>;
+
+  post<Path extends keyof PostEndpoints, _TEndpoint extends PostEndpoints[Path]>(
+    path: Path,
+    ...params: MaybeOptionalArg<any>
+  ): Promise<any> {
+    return this.request("post", path, ...params);
+  }
+  // </ApiClient.post>
+
   // <ApiClient.get>
   get<Path extends keyof GetEndpoints, TEndpoint extends GetEndpoints[Path]>(
     path: Path,

apps/frontend/app/generated/api-client/tanstack-client.ts

@@ -41,6 +41,7 @@ const createQueryKey = <TOptions extends EndpointParameters>(
 };
 
 // <EndpointByMethod.Shorthands>
+export type PostEndpoints = EndpointByMethod["post"];
 export type GetEndpoints = EndpointByMethod["get"];
 // </EndpointByMethod.Shorthands>
 
@@ -69,6 +70,36 @@ type InferResponseData<TEndpoint, TStatusCode> =
 export class TanstackQueryApiClient {
   constructor(public client: ApiClient) {}
 
+  // <ApiClient.post>
+  post<Path extends keyof PostEndpoints, TEndpoint extends PostEndpoints[Path]>(
+    path: Path,
+    ...params: MaybeOptionalArg<TEndpoint["parameters"]>
+  ) {
+    const queryKey = createQueryKey(path as string, params[0]);
+    const query = {
+      /** type-only property if you need easy access to the endpoint params */
+      "~endpoint": {} as TEndpoint,
+      queryKey,
+      queryFn: {} as "You need to pass .queryOptions to the useQuery hook",
+      queryOptions: queryOptions({
+        queryFn: async ({ queryKey, signal }) => {
+          const requestParams = {
+            ...(params[0] || {}),
+            ...(queryKey[0] || {}),
+            overrides: { signal },
+            withResponse: false as const,
+          };
+          const res = await this.client.post(path, requestParams as never);
+          return res as InferResponseData<TEndpoint, SuccessStatusCode>;
+        },
+        queryKey: queryKey,
+      }),
+    };
+
+    return query;
+  }
+  // </ApiClient.post>
+
   // <ApiClient.get>
   get<Path extends keyof GetEndpoints, TEndpoint extends GetEndpoints[Path]>(
     path: Path,

apps/frontend/app/hooks/ResponseHelper.tsx

@@ -0,0 +1,73 @@
+import { AxiosError } from 'axios';
+import { useLocation, useNavigate } from 'react-router';
+import { SearchParamKeys } from '../lib/constants';
+import { useQueryMessage } from './useQueryMessage';
+import { QueryMessageCode, QueryMessageType } from '../lib/QueryMessages';
+import { useCallback } from 'react';
+import { displayForbiddenErrorToast, displayNetworkErrorToast, displayUnexpectedErrorToast } from '../lib/toasts';
+
+export enum ResponseErrorToastId {
+  NetworkError = 'network-error',
+}
+
+export type DefaultResponseErrorHandlerOptions = {
+  disableUnauthorizedHandling?: boolean;
+  disableHandleUnexpectedErrors?: boolean;
+  disableIgnoreCanceledRequests?: boolean;
+};
+
+/**
+ *
+ * @param err error value
+ * @returns {boolean} true if the error was handled, false otherwise
+ */
+
+export function useResponseErrorHandler(): {
+  defaultResponseErrorHandler: typeof defaultResponseErrorHandler;
+} {
+  const navigate = useNavigate();
+  const location = useLocation();
+  const { toSearchParamQueryMessage } = useQueryMessage();
+
+  const defaultResponseErrorHandler = useCallback(
+    (err: unknown, options?: DefaultResponseErrorHandlerOptions): boolean => {
+      if (!(err instanceof AxiosError) && !options?.disableHandleUnexpectedErrors) {
+        displayUnexpectedErrorToast();
+        return true;
+      }
+
+      if (!(err instanceof AxiosError)) return false;
+
+      if (err.message === 'canceled') {
+        // request was aborted, ignore but return true to indicate it was handled
+        return !options?.disableIgnoreCanceledRequests;
+      }
+
+      if (err.message === 'Network Error') {
+        displayNetworkErrorToast();
+        return true;
+      }
+
+      // handle 401 Unauthorized globally
+      if (err.status === 401 && !options?.disableUnauthorizedHandling) {
+        // store current path for redirect after login
+        const currentPath = location.pathname + location.search;
+        const searchParam = new URLSearchParams();
+        searchParam.set(SearchParamKeys.Redirect, currentPath);
+        searchParam.set(SearchParamKeys.Message, toSearchParamQueryMessage(QueryMessageCode.SessionExpired, QueryMessageType.Info));
+        navigate(`/login?${searchParam.toString()}`);
+        return true;
+      }
+
+      if (err.status === 403) {
+        displayForbiddenErrorToast();
+        return true;
+      }
+
+      return false;
+    },
+    [location, navigate, toSearchParamQueryMessage]
+  );
+
+  return { defaultResponseErrorHandler };
+}

apps/frontend/app/hooks/ensureLoggedIn.tsx

@@ -0,0 +1,48 @@
+import { useEffect } from 'react';
+import { useNavigate } from 'react-router';
+import { useAuth } from '../providers/AuthProvider';
+import { useApi } from '../providers/ApiProvider';
+import { useQuery } from '@tanstack/react-query';
+import { useResponseErrorHandler } from './ResponseHelper';
+
+export type EnsureLoggedInResult = {
+  checking: boolean;
+  loggedIn: boolean;
+};
+
+export function useEnsureLoggedIn(): EnsureLoggedInResult {
+  const { user, setUser } = useAuth();
+  const navigate = useNavigate();
+  const { tanstackApiClient } = useApi();
+  const { defaultResponseErrorHandler } = useResponseErrorHandler();
+
+  const { queryOptions: currentUserQuery } = tanstackApiClient.get('/api/user/me');
+  const { isFetched, isPending } = useQuery({
+    ...currentUserQuery,
+    queryFn: async (...args) => {
+      try {
+        const data = await currentUserQuery.queryFn!(...args);
+        setUser({
+          id: data.id,
+          name: data.username,
+        });
+        return data;
+      } catch (error) {
+        if (defaultResponseErrorHandler(error)) return {} as never;
+        throw error;
+      }
+    },
+  });
+
+  useEffect(() => {
+    if (user) {
+      navigate('/', { replace: true });
+      return;
+    }
+  }, [user, setUser, navigate]);
+
+  return {
+    checking: isPending,
+    loggedIn: isFetched && !!user,
+  };
+}

apps/frontend/app/hooks/useQueryMessage.tsx

@@ -0,0 +1,111 @@
+import { useCallback, useEffect, useRef, type ReactNode } from 'react';
+import { useLocation, useSearchParams } from 'react-router';
+import { toast } from 'react-toastify/unstyled';
+import { SearchParamKeys } from '../lib/constants';
+import { CODE_TO_MESSAGE_MAP, QueryMessageCode, QueryMessageType } from '../lib/QueryMessages';
+
+type QueryMessageString = `${QueryMessageCode}__${QueryMessageType}`;
+
+export type QueryMessage = {
+  type: QueryMessageType;
+  code: QueryMessageCode;
+  message: ReactNode;
+};
+
+export type UseQueryMessageOptions = {
+  displayMessages?: boolean;
+};
+
+export type UseQueryMessageReturn = {
+  setQueryMessage: (messageCode: QueryMessageCode, messageType: QueryMessageType) => void;
+  clearQueryMessage: () => void;
+  toSearchParamQueryMessage: (message: QueryMessageCode, type: QueryMessageType) => QueryMessageString;
+};
+
+export function useQueryMessage(
+  { displayMessages }: UseQueryMessageOptions = {
+    displayMessages: true,
+  }
+): UseQueryMessageReturn {
+  const location = useLocation();
+  const [searchParams, setSearchParams] = useSearchParams();
+  const messageStr = useRef<QueryMessageString | null>(null);
+
+  useEffect(() => {
+    // Reset messageStr when location changes to allow re-displaying the same message on navigation
+    messageStr.current = null;
+  }, [location.pathname]);
+
+  useEffect(() => {
+    const queryMessageStr = searchParams.get(SearchParamKeys.Message);
+    if (!(queryMessageStr && queryMessageStr !== messageStr.current)) return;
+    const [queryMessage, queryMessageString] = toQueryMessage(queryMessageStr) ?? [null, null];
+    if (!queryMessage) return;
+
+    messageStr.current = queryMessageString;
+    if (displayMessages) {
+      toast[queryMessage.type](queryMessage.message, {
+        position: 'top-center',
+        autoClose: 5000,
+        hideProgressBar: false,
+        closeOnClick: true,
+        pauseOnHover: true,
+        draggable: false,
+        progress: undefined,
+        theme: 'colored',
+        toastId: 'login-route-info-message',
+      });
+    }
+  }, [displayMessages, searchParams]);
+
+  const setQueryMessage = useCallback(
+    (messageCode: QueryMessageCode, messageType: QueryMessageType) => {
+      const queryMessageString: QueryMessageString = `${messageCode}__${messageType}`;
+      messageStr.current = queryMessageString;
+      setSearchParams((prev) => {
+        prev.set(SearchParamKeys.Message, queryMessageString);
+        return prev;
+      });
+    },
+    [setSearchParams]
+  );
+
+  const clearQueryMessage = useCallback(() => {
+    messageStr.current = null;
+    setSearchParams((prev) => {
+      prev.delete(SearchParamKeys.Message);
+      return prev;
+    });
+  }, [setSearchParams]);
+
+  const toSearchParamQueryMessage = useCallback((message: QueryMessageCode, type: QueryMessageType): QueryMessageString => {
+    return `${message}__${type}`;
+  }, []);
+
+  return {
+    setQueryMessage,
+    clearQueryMessage,
+    toSearchParamQueryMessage,
+  };
+}
+
+function isValidQueryMessageCode(code: string): code is QueryMessageCode {
+  return Object.values(QueryMessageCode).includes(code as QueryMessageCode);
+}
+
+function isValidQueryMessageType(type: string): type is QueryMessageType {
+  return Object.values(QueryMessageType).includes(type as QueryMessageType);
+}
+
+function toQueryMessage(value: string): [QueryMessage, QueryMessageString] | null {
+  const [code, type] = value.split('__');
+  if (!isValidQueryMessageCode(code) || !isValidQueryMessageType(type)) return null;
+  return [
+    {
+      code: code,
+      type: type,
+      message: CODE_TO_MESSAGE_MAP[code],
+    },
+    `${code}__${type}`,
+  ];
+}

apps/frontend/app/lib/QueryMessages.tsx

@@ -0,0 +1,20 @@
+import type { ReactNode } from 'react';
+
+export enum QueryMessageType {
+  Info = 'info',
+  Success = 'success',
+  Warning = 'warning',
+  Error = 'error',
+}
+
+export enum QueryMessageCode {
+  SessionExpired = 'SESSION_EXPIRED',
+  InitializationRequired = 'INITIALIZATION_REQUIRED',
+  InitializationSuccessful = 'INITIALIZATION_SUCCESSFUL',
+}
+
+export const CODE_TO_MESSAGE_MAP: Record<QueryMessageCode, ReactNode> = {
+  [QueryMessageCode.SessionExpired]: 'Your session has expired. Please log in again.',
+  [QueryMessageCode.InitializationRequired]: 'The application requires initialization. Please follow the setup instructions.',
+  [QueryMessageCode.InitializationSuccessful]: 'Initialization successful. Please log in.',
+} as const;

apps/frontend/app/lib/api.ts

@@ -65,7 +65,34 @@ function axiosResponseToFetchResponse(response: AxiosResponse): Response {
     }
   });
 
-  return new Response(response.data, {
+  // Normalize Axios response.data to a Fetch-compatible BodyInit
+  let body: BodyInit | null = null;
+  const data = response.data;
+
+  if (data == null) {
+    body = null;
+  } else if (
+    typeof data === 'string' ||
+    data instanceof Blob ||
+    data instanceof ArrayBuffer ||
+    ArrayBuffer.isView(data) ||
+    data instanceof FormData ||
+    data instanceof URLSearchParams
+  ) {
+    body = data as BodyInit;
+  } else {
+    try {
+      body = JSON.stringify(data);
+      if (!headers.has('content-type')) {
+        headers.set('content-type', 'application/json;charset=utf-8');
+      }
+    } catch {
+      console.warn('Failed to stringify response data as JSON, falling back to string conversion.');
+      body = String(data);
+    }
+  }
+
+  return new Response(body, {
     status: response.status,
     statusText: response.statusText,
     headers: headers,

apps/frontend/app/lib/constants.ts

@@ -0,0 +1,4 @@
+export enum SearchParamKeys {
+  Redirect = 'redirect',
+  Message = 'message',
+}

apps/frontend/app/lib/toasts.tsx

@@ -0,0 +1,64 @@
+import { toast, type ToastOptions } from 'react-toastify/unstyled';
+import { Text } from '@radix-ui/themes';
+import { ResponseErrorToastId } from '../hooks/ResponseHelper';
+
+export const displayUnexpectedErrorToast = (options: ToastOptions = {}) => {
+  toast.error(
+    <div>
+      <Text weight="bold">Unexpected Error:</Text>
+      <br /> An unexpected error occurred. Please try again later.
+    </div>,
+    {
+      position: 'top-center',
+      autoClose: false,
+      hideProgressBar: false,
+      closeOnClick: true,
+      pauseOnHover: true,
+      draggable: false,
+      progress: undefined,
+      theme: 'colored',
+      ...options,
+    }
+  );
+};
+
+export const displayNetworkErrorToast = (options: ToastOptions = {}) => {
+  toast.error(
+    <div>
+      <Text weight="bold">Network Error:</Text>
+      <br /> Unable to reach the server. Please check your internet connection and try again.
+    </div>,
+    {
+      toastId: ResponseErrorToastId.NetworkError,
+      position: 'top-center',
+      autoClose: false,
+      hideProgressBar: false,
+      closeOnClick: true,
+      pauseOnHover: true,
+      draggable: false,
+      progress: undefined,
+      theme: 'colored',
+      ...options,
+    }
+  );
+};
+
+export const displayForbiddenErrorToast = (options: ToastOptions = {}) => {
+  toast.error(
+    <div>
+      <Text weight="bold">Forbidden:</Text>
+      <br /> You do not have permission to perform this action.
+    </div>,
+    {
+      position: 'top-center',
+      autoClose: 5000,
+      hideProgressBar: false,
+      closeOnClick: true,
+      pauseOnHover: true,
+      draggable: false,
+      progress: undefined,
+      theme: 'colored',
+      ...options,
+    }
+  );
+};

apps/frontend/app/providers/ApiHealthProvider.tsx

@@ -0,0 +1,56 @@
+import { useNavigate } from 'react-router';
+import { useQuery } from '@tanstack/react-query';
+import { createContext, use, type PropsWithChildren } from 'react';
+import { useApi } from './ApiProvider';
+import { useResponseErrorHandler } from '../hooks/ResponseHelper';
+import type { Schemas } from '../generated/api-client/api-client';
+
+export type HealthStatus = Schemas.HealthInfo;
+
+export type ApiHealthProviderProps = PropsWithChildren<object>;
+export type ApiHealthContextType = {
+  healthStatus: HealthStatus | undefined;
+};
+
+const ApiHealthContext = createContext<ApiHealthContextType | null>(null);
+
+export const ApiHealthProvider: React.FC<ApiHealthProviderProps> = ({ children }) => {
+  const navigate = useNavigate();
+  const { tanstackApiClient } = useApi();
+  const { defaultResponseErrorHandler } = useResponseErrorHandler();
+
+  const { queryOptions: healthInfoQuery } = tanstackApiClient.get('/api/health/info');
+  const { data } = useQuery({
+    ...healthInfoQuery,
+    queryFn: async (...args) => {
+      try {
+        const data = await healthInfoQuery.queryFn!(...args);
+        if (!data.is_initialized) {
+          navigate('/init');
+        }
+        return data;
+      } catch (error) {
+        if (defaultResponseErrorHandler(error)) return {} as never;
+        throw error;
+      }
+    },
+  });
+
+  return (
+    <ApiHealthContext
+      value={{
+        healthStatus: data,
+      }}
+    >
+      {children}
+    </ApiHealthContext>
+  );
+};
+
+export const useApiHealth = (): ApiHealthContextType => {
+  const context = use(ApiHealthContext);
+  if (!context) {
+    throw new Error('useApiHealth must be used within an ApiHealthProvider');
+  }
+  return context;
+};

apps/frontend/app/providers/ApiProvider.tsx

@@ -1,9 +1,9 @@
-import { createContext, use, useContext, type PropsWithChildren } from 'react';
+import { createContext, use, type PropsWithChildren } from 'react';
 import { createTanstackApi, createApi } from '../lib/api';
 import axios from 'axios';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
 
-type ApiProviderProps = PropsWithChildren<{}>;
+type ApiProviderProps = PropsWithChildren<object>;
 type ApiContextType = {
   apiClient: ReturnType<typeof createApi>;
   tanstackApiClient: ReturnType<typeof createTanstackApi>;
@@ -34,8 +34,14 @@ export const ApiProvider: React.FC<ApiProviderProps> = ({ children }) => {
   const axiosInstance = axios.create({
     withCredentials: true,
   });
+
+  const internalAxiosInstance = axios.create({
+    withCredentials: true,
+  });
+
   const apiClient = createApi(axiosInstance);
-  const tanstackApiClient = createTanstackApi(axiosInstance);
+  const tanstackApiClient = createTanstackApi(internalAxiosInstance);
+
   return (
     <QueryClientProvider client={queryClient}>
       <ApiContext

apps/frontend/app/providers/AuthProvider.tsx

@@ -0,0 +1,47 @@
+import { createContext, use, useCallback, useState, type PropsWithChildren } from 'react';
+
+export type User = {
+  id: string;
+  name: string;
+};
+
+export type AuthProviderProps = PropsWithChildren<object>;
+export type AuthContextType = {
+  setUser: (user: User) => void;
+  logOut: () => void;
+  user: User | null;
+};
+
+const AuthContext = createContext<AuthContextType | null>(null);
+
+export const AuthProvider: React.FC<AuthProviderProps> = ({ children }) => {
+  const [user, setUserState] = useState<User | null>(null);
+
+  const setUser = useCallback((user: User) => {
+    setUserState(user);
+  }, []);
+
+  const logout = useCallback(() => {
+    setUserState(null);
+  }, []);
+
+  return (
+    <AuthContext
+      value={{
+        user: user,
+        logOut: logout,
+        setUser: setUser,
+      }}
+    >
+      {children}
+    </AuthContext>
+  );
+};
+
+export function useAuth() {
+  const context = use(AuthContext);
+  if (!context) {
+    throw new Error('useAuth must be used within a AuthProvider');
+  }
+  return context;
+}

apps/frontend/app/providers/FormProvider.tsx

@@ -0,0 +1,18 @@
+import { createFormHook, createFormHookContexts } from '@tanstack/react-form';
+import { TextField, TextFieldErrorMessage } from '../components/Form/TextField';
+import { ResetButton, SubmitButton } from '../components/Form/Button';
+
+const { fieldContext, formContext } = createFormHookContexts();
+
+export const formHook = createFormHook({
+  fieldComponents: {
+    TextField,
+    TextFieldErrorMessage,
+  },
+  formComponents: {
+    SubmitButton,
+    ResetButton,
+  },
+  fieldContext,
+  formContext,
+});

apps/frontend/app/providers/LayoutProvider.tsx

@@ -0,0 +1,38 @@
+import { createContext, use, useState, type PropsWithChildren } from 'react';
+import type { NavItem } from '../components/layout/types';
+
+type LayoutProviderProps = PropsWithChildren<object>;
+type LayoutContextType = {
+  activeTab: NavItem;
+  setActiveTab: (tab: NavItem) => void;
+  isMobileMenuOpen: boolean;
+  setIsMobileMenuOpen: (open: boolean) => void;
+};
+
+const LayoutContext = createContext<LayoutContextType | null>(null);
+
+export const LayoutProvider: React.FC<LayoutProviderProps> = ({ children }) => {
+  const [activeTab, setActiveTab] = useState<NavItem>('Dashboard');
+  const [isMobileMenuOpen, setIsMobileMenuOpen] = useState(false);
+
+  return (
+    <LayoutContext
+      value={{
+        activeTab,
+        setActiveTab,
+        isMobileMenuOpen,
+        setIsMobileMenuOpen,
+      }}
+    >
+      {children}
+    </LayoutContext>
+  );
+};
+
+export function useLayout() {
+  const context = use(LayoutContext);
+  if (!context) {
+    throw new Error('useLayout must be used within a LayoutProvider');
+  }
+  return context;
+}

apps/frontend/app/root.tsx

@@ -1,8 +1,18 @@
 import { isRouteErrorResponse, Links, Meta, Outlet, Scripts, ScrollRestoration } from 'react-router';
 import type { Route } from './+types/root';
+import '@radix-ui/themes/styles.css';
 import './app.css';
-import { Theme } from '@radix-ui/themes';
+// start: react-toastify special import
+// ! MUST use unstyled version for dev server build, styled version for production build is handled in vite.config.ts
+import { ToastContainer } from 'react-toastify/unstyled';
+import 'react-toastify/ReactToastify.css';
+// end: react-toastify special import
+import AppTheme from './components/theme';
 import { ApiProvider } from './providers/ApiProvider';
+import { LayoutProvider } from './providers/LayoutProvider';
+import { Tooltip } from 'radix-ui';
+import { AuthProvider } from './providers/AuthProvider';
+import { ApiHealthProvider } from './providers/ApiHealthProvider';
 
 export const links: Route.LinksFunction = () => [];
 
@@ -26,11 +36,23 @@ export function Layout({ children }: { children: React.ReactNode }) {
 
 export default function App() {
   return (
-    <Theme>
+    <>
-      <ApiProvider>
+      <AppTheme>
-        <Outlet />
+        <ApiProvider>
-      </ApiProvider>
+          <Tooltip.Provider delayDuration={250}>
-    </Theme>
+            <LayoutProvider>
+              <ApiHealthProvider>
+                <AuthProvider>
+                  <Outlet />
+                </AuthProvider>
+              </ApiHealthProvider>
+            </LayoutProvider>
+          </Tooltip.Provider>
+        </ApiProvider>
+      </AppTheme>
+
+      <ToastContainer />
+    </>
   );
 }
 

apps/frontend/app/routes.ts

@@ -1,7 +1,9 @@
-import { type RouteConfig, index, route } from '@react-router/dev/routes';
+import { type RouteConfig, index, layout, route } from '@react-router/dev/routes';
 
 export default [
-  index('routes/home.tsx'),
+  route('login', 'routes/auth/login.tsx'),
+  route('init', 'routes/init.tsx'),
+  layout('routes/layout.tsx', [index('routes/home.tsx')]),
   // catch-all 404 route
   route('*', 'routes/404.tsx'),
 ] satisfies RouteConfig;

apps/frontend/app/routes/auth/login.tsx

@@ -0,0 +1,153 @@
+import { Box, Container, Flex, Heading } from '@radix-ui/themes';
+import { useMutation } from '@tanstack/react-query';
+import { useLocation, useNavigate } from 'react-router';
+import { toast } from 'react-toastify/unstyled';
+import * as v from 'valibot';
+import { useResponseErrorHandler } from '../../hooks/ResponseHelper';
+import { useApi } from '../../providers/ApiProvider';
+import { formHook } from '../../providers/FormProvider';
+import type { Route } from './+types/login';
+import { SearchParamKeys } from '../../lib/constants';
+import { AxiosError } from 'axios';
+import { useQueryMessage } from '../../hooks/useQueryMessage';
+
+const loginFormSchema = v.object({
+  username: v.pipe(v.string(), v.trim(), v.minLength(1, 'Username is required')),
+  password: v.pipe(v.string(), v.minLength(1, 'Password is required')),
+});
+
+// eslint-disable-next-line no-empty-pattern
+export function meta({}: Route.MetaArgs): Route.MetaDescriptors {
+  return [{ title: 'Login | YANPM' }];
+}
+
+// TODO: remember me
+export default function LoginRoute() {
+  const navigate = useNavigate();
+  const location = useLocation();
+  const { tanstackApiClient } = useApi();
+  const { defaultResponseErrorHandler } = useResponseErrorHandler();
+  useQueryMessage();
+
+  const { mutateAsync: login, isPending } = useMutation({
+    ...tanstackApiClient.mutation('post', '/api/auth/login').mutationOptions,
+    onSuccess: async () => {
+      const searchParams = new URLSearchParams(location.search);
+      const redirectTo = searchParams.get(SearchParamKeys.Redirect);
+      if (redirectTo) {
+        navigate(redirectTo);
+        return;
+      }
+      navigate('/');
+    },
+    onError: (error) => {
+      if (defaultResponseErrorHandler(error, { disableUnauthorizedHandling: true })) return;
+      if (error instanceof AxiosError && error.status === 401) {
+        toast.error('Invalid username or password.', {
+          position: 'top-center',
+          autoClose: 5000,
+          hideProgressBar: false,
+          closeOnClick: true,
+          pauseOnHover: true,
+          draggable: false,
+          progress: undefined,
+          theme: 'colored',
+        });
+        return;
+      }
+      console.error('Login failed:', error);
+    },
+  });
+
+  const form = formHook.useAppForm({
+    defaultValues: {
+      username: '',
+      password: '',
+    },
+    validators: {
+      onBlur: loginFormSchema,
+      onSubmit: loginFormSchema,
+    },
+
+    onSubmit: async ({ value }) => {
+      toast.dismiss();
+      return await login({ body: { password: value.password, username: value.username } }).catch(() => {});
+    },
+  });
+
+  return (
+    <>
+      <Flex align="center" justify="center" style={{ minHeight: 'calc(100vh - 64px)' }}>
+        <Container size="3" p="0">
+          <Box
+            style={{
+              display: 'flex',
+              flexDirection: 'column',
+              maxWidth: 420,
+              margin: '40px auto',
+              backgroundColor: 'white',
+              padding: 24,
+              borderRadius: 8,
+              boxShadow: '0 6px 18px rgba(15,23,42,0.2)',
+            }}
+          >
+            <Heading size="6" style={{ marginBottom: 16, alignSelf: 'center' }}>
+              Sign In
+            </Heading>
+            <form
+              onSubmit={(e) => {
+                e.preventDefault();
+                form.handleSubmit();
+              }}
+            >
+              <form.AppField
+                name="username"
+                children={(field) => (
+                  <>
+                    <field.TextField
+                      label={'Username'}
+                      value={field.state.value}
+                      autoComplete="username"
+                      spellCheck={false}
+                      required
+                      onChange={(e) => field.handleChange(e.target.value)}
+                    />
+                    <field.TextFieldErrorMessage {...field.state.meta} />
+                  </>
+                )}
+              />
+
+              <form.AppField
+                name="password"
+                children={(field) => (
+                  <>
+                    <field.TextField
+                      label={'Password'}
+                      value={field.state.value}
+                      type="password"
+                      required
+                      autoComplete="current-password"
+                      onChange={(e) => field.handleChange(e.target.value)}
+                      showPasswordToggle
+                    />
+                    <field.TextFieldErrorMessage {...field.state.meta} />
+                  </>
+                )}
+              />
+
+              <div style={{ marginTop: 18, display: 'flex', gap: 8, justifySelf: 'center' }}>
+                <form.SubmitButton
+                  loading={isPending}
+                  label={{
+                    default: 'Sign In',
+                    loading: 'Signing In…',
+                  }}
+                />
+              </div>
+            </form>
+          </Box>
+        </Container>
+      </Flex>
+    </>
+  );
+}

apps/frontend/app/routes/home.tsx

@@ -1,13 +1,75 @@
-import { Text } from '@radix-ui/themes';
+import { Box, Button, Card, Flex, Grid, Heading, Text } from '@radix-ui/themes';
 import type { Route } from './+types/home';
-import { useContext } from 'react';
+import TablePlaceholder from '../components/home/TablePlaceholder';
-import { useApi } from '../providers/ApiProvider';
+import { useLayout } from '../providers/LayoutProvider';
-import { useQuery } from '@tanstack/react-query';
+import { useEnsureLoggedIn } from '../hooks/ensureLoggedIn';
 
+// eslint-disable-next-line no-empty-pattern
 export function meta({}: Route.MetaArgs) {
-  return [{ title: 'YANPM' }, { name: 'description', content: 'Welcome to Yet Another Nginx Proxy Manager!' }];
+  return [{ title: 'Proxy Host Demo | YANPM' }, { name: 'description', content: 'Demo of the unified navigation paradigm.' }];
 }
 
-export default function Home() {
+export default function ProxyHostDemo() {
-  return <Text>Welcome to Yet Another Nginx Proxy Manager!</Text>;
+  useEnsureLoggedIn();
+  const { activeTab } = useLayout();
+  return (
+    <Box>
+      <Heading size="7" mb="1">
+        {activeTab}
+      </Heading>
+      <Text color="gray" mb="4" as="p">
+        This is the {activeTab.toLowerCase()} page demo.
+      </Text>
+
+      <Grid columns={{ initial: '1', sm: '2', lg: '3' }} gap="4">
+        <Card size="2">
+          <Flex direction="column" gap="2">
+            <Text size="2" weight="bold">
+              Status Overview
+            </Text>
+            <Text size="2" color="gray">
+              Everything is running smoothly in your {activeTab.toLowerCase()} section.
+            </Text>
+            <Button variant="surface" size="1" style={{ width: 'fit-content' }} mt="1">
+              View Details
+            </Button>
+          </Flex>
+        </Card>
+        <Card size="2">
+          <Flex direction="column" gap="2">
+            <Text size="2" weight="bold">
+              Recent Activity
+            </Text>
+            <Text size="2" color="gray">
+              No recent changes detected in the last 24 hours.
+            </Text>
+            <Button variant="surface" size="1" style={{ width: 'fit-content' }} mt="1">
+              Refresh
+            </Button>
+          </Flex>
+        </Card>
+        <Card size="2">
+          <Flex direction="column" gap="2">
+            <Text size="2" weight="bold">
+              Quick Actions
+            </Text>
+            <Text size="2" color="gray">
+              Common tasks related to {activeTab.toLowerCase()} are available here.
+            </Text>
+            <Button variant="solid" size="1" style={{ width: 'fit-content' }} mt="1">
+              Get Started
+            </Button>
+          </Flex>
+        </Card>
+      </Grid>
+
+      {activeTab === 'Proxy Hosts' && (
+        <Box mt="6">
+          <Card variant="surface">
+            <TablePlaceholder />
+          </Card>
+        </Box>
+      )}
+    </Box>
+  );
 }

apps/frontend/app/routes/init.tsx

@@ -0,0 +1,161 @@
+import { Box, Container, Flex, Heading, Text } from '@radix-ui/themes';
+import { useMutation, useQuery } from '@tanstack/react-query';
+import { useNavigate } from 'react-router';
+import { toast } from 'react-toastify/unstyled';
+import * as v from 'valibot';
+import { useResponseErrorHandler } from '../hooks/ResponseHelper';
+import { useApi } from '../providers/ApiProvider';
+import { formHook } from '../providers/FormProvider';
+import { TooltipContentContainer } from '../components/info';
+import { SearchParamKeys } from '../lib/constants';
+import { useQueryMessage } from '../hooks/useQueryMessage';
+import { QueryMessageCode, QueryMessageType } from '../lib/QueryMessages';
+
+const initFormSchema = v.object({
+  username: v.pipe(v.string(), v.trim(), v.minLength(1, 'Username is required')),
+  password: v.pipe(v.string(), v.minLength(1, 'Password is required')),
+  setup_secret: v.pipe(v.string(), v.minLength(1, 'Setup secret is required')),
+});
+
+export default function InitRoute() {
+  const navigate = useNavigate();
+  const { tanstackApiClient } = useApi();
+  const { defaultResponseErrorHandler } = useResponseErrorHandler();
+  const { toSearchParamQueryMessage } = useQueryMessage();
+
+  const { mutateAsync: initAdmin, isPending } = useMutation({
+    ...tanstackApiClient.mutation('post', '/api/auth/init_admin').mutationOptions,
+    onSuccess: async () => {
+      const searchParams = new URLSearchParams();
+      searchParams.set(SearchParamKeys.Message, toSearchParamQueryMessage(QueryMessageCode.InitializationSuccessful, QueryMessageType.Success));
+      navigate(`/login?${searchParams.toString()}`);
+    },
+    onError: (error) => {
+      if (defaultResponseErrorHandler(error)) return;
+      console.error('Init failed:', error);
+    },
+  });
+
+  const { queryOptions: healthInfoQuery } = tanstackApiClient.get('/api/health/info');
+  useQuery({
+    ...healthInfoQuery,
+    queryFn: async (...args) => {
+      try {
+        const data = await healthInfoQuery.queryFn!(...args);
+        if (data.is_initialized) {
+          navigate('/login', { replace: true });
+          return data;
+        }
+        return data;
+      } catch (error) {
+        if (defaultResponseErrorHandler(error)) return {} as never;
+        throw error;
+      }
+    },
+  });
+
+  const form = formHook.useAppForm({
+    defaultValues: { username: '', password: '', setup_secret: '' },
+    validators: { onBlur: initFormSchema, onSubmit: initFormSchema },
+    onSubmit: async ({ value }) => {
+      toast.dismiss();
+      return await initAdmin({ body: { username: value.username, password: value.password, setup_secret: value.setup_secret } });
+    },
+  });
+
+  return (
+    <>
+      <Flex align="center" justify="center" style={{ minHeight: 'calc(100vh - 64px)' }}>
+        <Container size="3" p="0">
+          <Box
+            style={{
+              display: 'flex',
+              flexDirection: 'column',
+              maxWidth: 480,
+              margin: '40px auto',
+              backgroundColor: 'white',
+              padding: 24,
+              borderRadius: 8,
+              boxShadow: '0 6px 18px rgba(15,23,42,0.06)',
+            }}
+          >
+            <Heading size="6" style={{ marginBottom: 12, alignSelf: 'center' }}>
+              Initialize YANPM
+            </Heading>
+
+            <Heading size="3" style={{ marginBottom: 24, color: 'var(--gray-11)', alignSelf: 'center' }}>
+              Create the initial admin user
+            </Heading>
+            <form
+              onSubmit={(e) => {
+                e.preventDefault();
+                form.handleSubmit();
+              }}
+            >
+              <form.AppField
+                name="username"
+                children={(field) => (
+                  <>
+                    <field.TextField
+                      label="Username"
+                      value={field.state.value}
+                      autoComplete="username"
+                      spellCheck={false}
+                      required
+                      onChange={(e) => field.handleChange(e.target.value)}
+                    />
+                    <field.TextFieldErrorMessage {...field.state.meta} />
+                  </>
+                )}
+              />
+
+              <form.AppField
+                name="password"
+                children={(field) => (
+                  <>
+                    <field.TextField
+                      label="Password"
+                      value={field.state.value}
+                      type="password"
+                      required
+                      autoComplete="new-password"
+                      onChange={(e) => field.handleChange(e.target.value)}
+                      showPasswordToggle
+                    />
+                    <field.TextFieldErrorMessage {...field.state.meta} />
+                  </>
+                )}
+              />
+
+              <form.AppField
+                name="setup_secret"
+                children={(field) => (
+                  <>
+                    <field.TextField
+                      label="Setup Secret"
+                      value={field.state.value}
+                      required
+                      onChange={(e) => field.handleChange(e.target.value)}
+                      infoIconProps={{
+                        children: (
+                          <TooltipContentContainer>
+                            <Text>This secret is provided when the API server is first started. Refer to your server logs to find it.</Text>
+                          </TooltipContentContainer>
+                        ),
+                      }}
+                    />
+                    <field.TextFieldErrorMessage {...field.state.meta} />
+                  </>
+                )}
+              />
+
+              <div style={{ marginTop: 18, display: 'flex', gap: 8, justifySelf: 'center' }}>
+                <form.SubmitButton loading={isPending} label={{ default: 'Initialize' }} />
+              </div>
+            </form>
+          </Box>
+        </Container>
+      </Flex>
+    </>
+  );
+}

apps/frontend/app/routes/layout.tsx

@@ -0,0 +1,88 @@
+import { Flex, Box, Container, Dialog, Heading, IconButton, TextField } from '@radix-ui/themes';
+import SidebarContent from '../components/layout/SidebarContent';
+import { useLayout } from '../providers/LayoutProvider';
+import { Menu, Search, Bell } from 'lucide-react';
+import { Outlet } from 'react-router';
+
+export default function LayoutContainer() {
+  const { activeTab, isMobileMenuOpen, setIsMobileMenuOpen } = useLayout();
+  return (
+    <Flex style={{ minHeight: '100vh', backgroundColor: 'var(--gray-2)' }}>
+      {/* Desktop Sidebar */}
+      <Box
+        display={{ initial: 'none', md: 'block' }}
+        style={{
+          width: '260px',
+          backgroundColor: 'white',
+          borderRight: '1px solid var(--gray-4)',
+          position: 'sticky',
+          top: 0,
+          minHeight: '100vh',
+          overflowY: 'auto',
+        }}
+      >
+        <SidebarContent />
+      </Box>
+
+      {/* Main Content Area */}
+      <Box style={{ flex: 1, minWidth: 0 }}>
+        {' '}
+        {/* Top Header (Mobile & Desktop) */}
+        <Flex
+          align="center"
+          justify="between"
+          px="4"
+          style={{
+            height: '64px',
+            backgroundColor: 'white',
+            borderBottom: '1px solid var(--gray-4)',
+            position: 'sticky',
+            top: 0,
+            zIndex: 10,
+          }}
+        >
+          <Flex align="center" gap="3">
+            <Box display={{ md: 'none' }}>
+              <Dialog.Root open={isMobileMenuOpen} onOpenChange={setIsMobileMenuOpen}>
+                <Dialog.Trigger>
+                  <IconButton variant="ghost" color="gray">
+                    <Menu />
+                  </IconButton>
+                </Dialog.Trigger>
+                <Dialog.Content
+                  style={{
+                    position: 'fixed',
+                    left: 0,
+                    top: 0,
+                    bottom: 0,
+                    margin: 0,
+                    width: '280px',
+                    borderRadius: 0,
+                    padding: 0,
+                  }}
+                >
+                  <SidebarContent />
+                </Dialog.Content>
+              </Dialog.Root>
+            </Box>
+            <Heading size="4">{activeTab}</Heading>
+          </Flex>
+
+          <Flex align="center" gap="3">
+            <TextField.Root placeholder="Search..." size="2">
+              <TextField.Slot>
+                <Search />
+              </TextField.Slot>
+            </TextField.Root>
+            <IconButton variant="ghost" color="gray">
+              <Bell />
+            </IconButton>
+          </Flex>
+        </Flex>
+        <Container size="4" p="5" style={{ paddingTop: 20 }}>
+          <Outlet />
+        </Container>
+      </Box>
+    </Flex>
+  );
+}

apps/frontend/app/vite-env.d.ts

@@ -1,7 +1,6 @@
 interface ViteTypeOptions {
-  // By adding this line, you can make the type of ImportMetaEnv strict
+  // disallow unknown keys.
-  // to disallow unknown keys.
+  strictImportMetaEnv: unknown;
-  // strictImportMetaEnv: unknown
 }
 
 interface ImportMetaEnv {

apps/frontend/eslint.config.ts

@@ -0,0 +1,42 @@
+import js from '@eslint/js';
+import globals from 'globals';
+import tseslint from 'typescript-eslint';
+import pluginReact from 'eslint-plugin-react';
+import pluginReactHooks from 'eslint-plugin-react-hooks';
+
+export default tseslint.config(
+  {
+    // Ignore files and directories
+    ignores: ['node_modules', 'app/generated', 'build', '.react-router'],
+  },
+  js.configs.recommended,
+  ...tseslint.configs.recommended,
+  {
+    languageOptions: {
+      ecmaVersion: 2020,
+      globals: {
+        ...globals.browser,
+        ...globals.node,
+      },
+      parserOptions: {
+        project: ['./tsconfig.json', './tsconfig.node.json'],
+        tsconfigRootDir: import.meta.dirname,
+      },
+    },
+    rules: {},
+  },
+  {
+    ...pluginReact.configs.flat.recommended, // Enables core React rules
+    ...pluginReactHooks.configs.flat.recommended, // Enables React Hooks rules
+    languageOptions: {
+      parserOptions: {
+        ecmaFeatures: {
+          jsx: true,
+        },
+      },
+      globals: {
+        ...globals.browser,
+      },
+    },
+  }
+);

apps/frontend/package.json

@@ -7,32 +7,45 @@
     "dev": "react-router dev",
     "start": "react-router-serve ./build/server/index.js",
     "typecheck": "react-router typegen && tsc",
+    "lint": "eslint .",
     "test": "echo \"No tests specified\" && exit 0",
     "generate:openapi": "typed-openapi ../api/swagger.json --tanstack tanstack-client.ts -o ./app/generated/api-client/api-client.ts"
   },
   "dependencies": {
+    "@radix-ui/react-tooltip": "^1.2.8",
     "@radix-ui/themes": "^3.2.1",
     "@react-router/node": "^7.9.2",
     "@react-router/serve": "^7.9.2",
+    "@tanstack/react-form": "^1.27.5",
     "@tanstack/react-query": "^5.90.12",
     "axios": "^1.13.2",
+    "globals": "^16.5.0",
     "isbot": "^5.1.31",
+    "lucide-react": "^0.562.0",
     "radix-ui": "^1.4.3",
     "react": "^19.1.1",
     "react-dom": "^19.1.1",
-    "react-router": "^7.9.2"
+    "react-router": "^7.9.2",
+    "react-toastify": "^11.0.5",
+    "valibot": "^1.2.0"
   },
   "devDependencies": {
+    "@eslint/js": "^9.39.2",
     "@react-router/dev": "^7.9.2",
     "@tailwindcss/vite": "^4.1.13",
     "@types/node": "^22",
     "@types/react": "^19.1.13",
     "@types/react-dom": "^19.1.9",
     "dotenv": "^17.2.3",
+    "eslint": "^9.39.2",
+    "eslint-plugin-react": "^7.37.5",
+    "eslint-plugin-react-hooks": "^7.0.1",
     "tailwindcss": "^4.1.13",
     "typed-openapi": "^2.2.3",
     "typescript": "^5.9.2",
+    "typescript-eslint": "^8.50.0",
     "vite": "^7.1.7",
+    "vite-plugin-eslint": "^1.8.1",
     "vite-tsconfig-paths": "^5.1.4"
   }
 }

apps/frontend/vite.config.ts

@@ -2,8 +2,37 @@ import { reactRouter } from '@react-router/dev/vite';
 import tailwindcss from '@tailwindcss/vite';
 import { defineConfig } from 'vite';
 import tsconfigPaths from 'vite-tsconfig-paths';
+// @ts-expect-error vite-plugin-eslint has no types
+import eslint from 'vite-plugin-eslint';
 
-export default defineConfig({
+export default defineConfig(({ command }) => {
-  plugins: [tailwindcss(), reactRouter(), tsconfigPaths()],
+  const isBuild = command === 'build';
-  appType: 'spa',
+
+  return {
+    plugins: [
+      tailwindcss(),
+      reactRouter(),
+      tsconfigPaths(),
+      eslint({
+        failOnError: false,
+      }),
+    ],
+    resolve: {
+      alias: isBuild
+        ? [
+            {
+              // replace unstyled import with styled for SPA build
+              find: 'react-toastify/unstyled',
+              replacement: 'react-toastify',
+            },
+            {
+              // point to the empty CSS file to stub out the import during build, SPA build does not require extra CSS imports
+              find: 'react-toastify/ReactToastify.css',
+              replacement: '~/empty-toastify.css',
+            },
+          ]
+        : [],
+    },
+    appType: 'spa',
+  };
 });