Seperated iam logic into multiple services

2025-09-08 17:40:26 +00:00 · 2024-06-26 12:15:38 -05:00 · 2024-06-26 12:15:38 -05:00 · ff51d75c1e
commit ff51d75c1e
parent 7827b479f0
36 changed files with 1250 additions and 273 deletions
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@ -31,6 +31,7 @@ services:
      - MINIO_ROOT_USER=user
      - MINIO_ROOT_PASSWORD=password
      - MINIO_DEFAULT_BUCKETS=dev
+  
 volumes:
  postgres_data:
  redis_data:
--- a/package.json
+++ b/package.json
@ -74,6 +74,7 @@
 	"type": "module",
 	"dependencies": {
 		"@internationalized/date": "^3.5.4",
+		"@node-rs/argon2": "^1.8.3",
 		"bits-ui": "^0.21.10",
 		"clsx": "^2.1.1",
 		"cmdk-sv": "^0.0.17",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -11,6 +11,9 @@ importers:
      '@internationalized/date':
        specifier: ^3.5.4
        version: 3.5.4
+      '@node-rs/argon2':
+        specifier: ^1.8.3
+        version: 1.8.3
      bits-ui:
        specifier: ^0.21.10
        version: 0.21.10(svelte@5.0.0-next.164)
@ -231,9 +234,18 @@ packages:
  '@emnapi/core@0.45.0':
    resolution: {integrity: sha512-DPWjcUDQkCeEM4VnljEOEcXdAD7pp8zSZsgOujk/LGIwCXWbXJngin+MO4zbH429lzeC3WbYLGjE2MaUOwzpyw==}

+  '@emnapi/core@1.2.0':
+    resolution: {integrity: sha512-E7Vgw78I93we4ZWdYCb4DGAwRROGkMIXk7/y87UmANR+J6qsWusmC3gLt0H+O0KOt5e6O38U8oJamgbudrES/w==}
+
  '@emnapi/runtime@0.45.0':
    resolution: {integrity: sha512-Txumi3td7J4A/xTTwlssKieHKTGl3j4A1tglBx72auZ49YK7ePY6XZricgIg9mnZT4xPfA+UPCUdnhRuEFDL+w==}

+  '@emnapi/runtime@1.2.0':
+    resolution: {integrity: sha512-bV21/9LQmcQeCPEg3BDFtvwL6cwiTMksYNWQQ4KOxCZikEGalWtenoZ0wCiukJINlGCIi2KXx01g4FoH/LxpzQ==}
+
+  '@emnapi/wasi-threads@1.0.1':
+    resolution: {integrity: sha512-iIBu7mwkq4UQGeMEM8bLwNK962nXdhodeScX4slfQnRhEMMzvYivHhutCIk8uojvmASXXPC2WNEjwxFWk72Oqw==}
+
  '@esbuild-kit/core-utils@3.3.2':
    resolution: {integrity: sha512-sPRAnw9CdSsRmEtnsl2WXWdyquogVpB3yZ3dgwJfe8zrOzTsV7cJvmwrKVa+0ma5BoiGJ+BoqkMvawbayKUsqQ==}

@ -752,6 +764,9 @@ packages:
    peerDependencies:
      svelte: '>=3 <5'

+  '@napi-rs/wasm-runtime@0.2.4':
+    resolution: {integrity: sha512-9zESzOO5aDByvhIAsOy9TbpZ0Ur2AJbUI7UT73kcUTS2mxAMHOBaa1st/jAymNoCtvrit99kkzT1FZuXVcgfIQ==}
+
  '@noble/hashes@1.4.0':
    resolution: {integrity: sha512-V1JJ1WTRUqHHrOSh597hURcMqVKVGL/ea3kv0gSnEdsEZ0/+VyPghM1lMNGc00z7CIQorSvbKpuJkxvuHbvdbg==}
    engines: {node: '>= 16'}
@ -762,87 +777,174 @@ packages:
    cpu: [arm]
    os: [android]

+  '@node-rs/argon2-android-arm-eabi@1.8.3':
+    resolution: {integrity: sha512-JFZPlNM0A8Og+Tncb8UZsQrhEMlbHBXPsT3hRoKImzVmTmq28Os0ucFWow0AACp2coLHBSydXH3Dh0lZup3rWw==}
+    engines: {node: '>= 10'}
+    cpu: [arm]
+    os: [android]
+
  '@node-rs/argon2-android-arm64@1.7.0':
    resolution: {integrity: sha512-s9j/G30xKUx8WU50WIhF0fIl1EdhBGq0RQ06lEhZ0Gi0ap8lhqbE2Bn5h3/G2D1k0Dx+yjeVVNmt/xOQIRG38A==}
    engines: {node: '>= 10'}
    cpu: [arm64]
    os: [android]

+  '@node-rs/argon2-android-arm64@1.8.3':
+    resolution: {integrity: sha512-zaf8P3T92caeW2xnMA7P1QvRA4pIt/04oilYP44XlTCtMye//vwXDMeK53sl7dvYiJKnzAWDRx41k8vZvpZazg==}
+    engines: {node: '>= 10'}
+    cpu: [arm64]
+    os: [android]
+
  '@node-rs/argon2-darwin-arm64@1.7.0':
    resolution: {integrity: sha512-ZIz4L6HGOB9U1kW23g+m7anGNuTZ0RuTw0vNp3o+2DWpb8u8rODq6A8tH4JRL79S+Co/Nq608m9uackN2pe0Rw==}
    engines: {node: '>= 10'}
    cpu: [arm64]
    os: [darwin]

+  '@node-rs/argon2-darwin-arm64@1.8.3':
+    resolution: {integrity: sha512-DV/IbmLGdNXBtXb5o2UI5ba6kvqXqPAJgmMOTUCuHeBSp992GlLHdfU4rzGu0dNrxudBnunNZv+crd0YdEQSUA==}
+    engines: {node: '>= 10'}
+    cpu: [arm64]
+    os: [darwin]
+
  '@node-rs/argon2-darwin-x64@1.7.0':
    resolution: {integrity: sha512-5oi/pxqVhODW/pj1+3zElMTn/YukQeywPHHYDbcAW3KsojFjKySfhcJMd1DjKTc+CHQI+4lOxZzSUzK7mI14Hw==}
    engines: {node: '>= 10'}
    cpu: [x64]
    os: [darwin]

+  '@node-rs/argon2-darwin-x64@1.8.3':
+    resolution: {integrity: sha512-YMjmBGFZhLfYjfQ2gll9A+BZu/zAMV7lWZIbKxb7ZgEofILQwuGmExjDtY3Jplido/6leCEdpmlk2oIsME00LA==}
+    engines: {node: '>= 10'}
+    cpu: [x64]
+    os: [darwin]
+
  '@node-rs/argon2-freebsd-x64@1.7.0':
    resolution: {integrity: sha512-Ify08683hA4QVXYoIm5SUWOY5DPIT/CMB0CQT+IdxQAg/F+qp342+lUkeAtD5bvStQuCx/dFO3bnnzoe2clMhA==}
    engines: {node: '>= 10'}
    cpu: [x64]
    os: [freebsd]

+  '@node-rs/argon2-freebsd-x64@1.8.3':
+    resolution: {integrity: sha512-Hq3Rj5Yb2RolTG/luRPnv+XiGCbi5nAK25Pc8ou/tVapwX+iktEm/NXbxc5zsMxraYVkCvfdwBjweC5O+KqCGw==}
+    engines: {node: '>= 10'}
+    cpu: [x64]
+    os: [freebsd]
+
  '@node-rs/argon2-linux-arm-gnueabihf@1.7.0':
    resolution: {integrity: sha512-7DjDZ1h5AUHAtRNjD19RnQatbhL+uuxBASuuXIBu4/w6Dx8n7YPxwTP4MXfsvuRgKuMWiOb/Ub/HJ3kXVCXRkg==}
    engines: {node: '>= 10'}
    cpu: [arm]
    os: [linux]

+  '@node-rs/argon2-linux-arm-gnueabihf@1.8.3':
+    resolution: {integrity: sha512-x49l8RgzKoG0/V0IXa5rrEl1TcJEc936ctlYFvqcunSOyowZ6kiWtrp1qrbOR8gbaNILl11KTF52vF6+h8UlEQ==}
+    engines: {node: '>= 10'}
+    cpu: [arm]
+    os: [linux]
+
  '@node-rs/argon2-linux-arm64-gnu@1.7.0':
    resolution: {integrity: sha512-nJDoMP4Y3YcqGswE4DvP080w6O24RmnFEDnL0emdI8Nou17kNYBzP2546Nasx9GCyLzRcYQwZOUjrtUuQ+od2g==}
    engines: {node: '>= 10'}
    cpu: [arm64]
    os: [linux]

+  '@node-rs/argon2-linux-arm64-gnu@1.8.3':
+    resolution: {integrity: sha512-gJesam/qA63reGkb9qJ2TjFSLBtY41zQh2oei7nfnYsmVQPuHHWItJxEa1Bm21SPW53gZex4jFJbDIgj0+PxIw==}
+    engines: {node: '>= 10'}
+    cpu: [arm64]
+    os: [linux]
+
  '@node-rs/argon2-linux-arm64-musl@1.7.0':
    resolution: {integrity: sha512-BKWS8iVconhE3jrb9mj6t1J9vwUqQPpzCbUKxfTGJfc+kNL58F1SXHBoe2cDYGnHrFEHTY0YochzXoAfm4Dm/A==}
    engines: {node: '>= 10'}
    cpu: [arm64]
    os: [linux]

+  '@node-rs/argon2-linux-arm64-musl@1.8.3':
+    resolution: {integrity: sha512-7O6kQdSKzB4Tjx/EBa8zKIxnmLkQE8VdJgPm6Ksrpn+ueo0mx2xf76fIDnbbTCtm3UbB+y+FkTo2wLA7tOqIKg==}
+    engines: {node: '>= 10'}
+    cpu: [arm64]
+    os: [linux]
+
  '@node-rs/argon2-linux-x64-gnu@1.7.0':
    resolution: {integrity: sha512-EmgqZOlf4Jurk/szW1iTsVISx25bKksVC5uttJDUloTgsAgIGReCpUUO1R24pBhu9ESJa47iv8NSf3yAfGv6jQ==}
    engines: {node: '>= 10'}
    cpu: [x64]
    os: [linux]

+  '@node-rs/argon2-linux-x64-gnu@1.8.3':
+    resolution: {integrity: sha512-OBH+EFG7BGjFyldaao2H2gSCLmjtrrwf420B1L+lFn7JLW9UAjsIPFKAcWsYwPa/PwYzIge9Y7SGcpqlsSEX0w==}
+    engines: {node: '>= 10'}
+    cpu: [x64]
+    os: [linux]
+
  '@node-rs/argon2-linux-x64-musl@1.7.0':
    resolution: {integrity: sha512-/o1efYCYIxjfuoRYyBTi2Iy+1iFfhqHCvvVsnjNSgO1xWiWrX0Rrt/xXW5Zsl7vS2Y+yu8PL8KFWRzZhaVxfKA==}
    engines: {node: '>= 10'}
    cpu: [x64]
    os: [linux]

+  '@node-rs/argon2-linux-x64-musl@1.8.3':
+    resolution: {integrity: sha512-bDbMuyekIxZaN7NaX+gHVkOyABB8bcMEJYeRPW1vCXKHj3brJns1wiUFSxqeUXreupifNVJlQfPt1Y5B/vFXgQ==}
+    engines: {node: '>= 10'}
+    cpu: [x64]
+    os: [linux]
+
  '@node-rs/argon2-wasm32-wasi@1.7.0':
    resolution: {integrity: sha512-Evmk9VcxqnuwQftfAfYEr6YZYSPLzmKUsbFIMep5nTt9PT4XYRFAERj7wNYp+rOcBenF3X4xoB+LhwcOMTNE5w==}
    engines: {node: '>=14.0.0'}
    cpu: [wasm32]

+  '@node-rs/argon2-wasm32-wasi@1.8.3':
+    resolution: {integrity: sha512-NBf2cMCDbNKMzp13Pog8ZPmI0M9U4Ak5b95EUjkp17kdKZFds12dwW67EMnj7Zy+pRqby2QLECaWebDYfNENTg==}
+    engines: {node: '>=14.0.0'}
+    cpu: [wasm32]
+
  '@node-rs/argon2-win32-arm64-msvc@1.7.0':
    resolution: {integrity: sha512-qgsU7T004COWWpSA0tppDqDxbPLgg8FaU09krIJ7FBl71Sz8SFO40h7fDIjfbTT5w7u6mcaINMQ5bSHu75PCaA==}
    engines: {node: '>= 10'}
    cpu: [arm64]
    os: [win32]

+  '@node-rs/argon2-win32-arm64-msvc@1.8.3':
+    resolution: {integrity: sha512-AHpPo7UbdW5WWjwreVpgFSY0o1RY4A7cUFaqDXZB2OqEuyrhMxBdZct9PX7PQKI18D85pLsODnR+gvVuTwJ6rQ==}
+    engines: {node: '>= 10'}
+    cpu: [arm64]
+    os: [win32]
+
  '@node-rs/argon2-win32-ia32-msvc@1.7.0':
    resolution: {integrity: sha512-JGafwWYQ/HpZ3XSwP4adQ6W41pRvhcdXvpzIWtKvX+17+xEXAe2nmGWM6s27pVkg1iV2ZtoYLRDkOUoGqZkCcg==}
    engines: {node: '>= 10'}
    cpu: [ia32]
    os: [win32]

+  '@node-rs/argon2-win32-ia32-msvc@1.8.3':
+    resolution: {integrity: sha512-bqzn2rcQkEwCINefhm69ttBVVkgHJb/V03DdBKsPFtiX6H47axXKz62d1imi26zFXhOEYxhKbu3js03GobJOLw==}
+    engines: {node: '>= 10'}
+    cpu: [ia32]
+    os: [win32]
+
  '@node-rs/argon2-win32-x64-msvc@1.7.0':
    resolution: {integrity: sha512-9oq4ShyFakw8AG3mRls0AoCpxBFcimYx7+jvXeAf2OqKNO+mSA6eZ9z7KQeVCi0+SOEUYxMGf5UiGiDb9R6+9Q==}
    engines: {node: '>= 10'}
    cpu: [x64]
    os: [win32]

+  '@node-rs/argon2-win32-x64-msvc@1.8.3':
+    resolution: {integrity: sha512-ILlrRThdbp5xNR5gwYM2ic1n/vG5rJ8dQZ+YMRqksl+lnTJ/6FDe5BOyIhiPtiDwlCiCtUA+1NxpDB9KlUCAIA==}
+    engines: {node: '>= 10'}
+    cpu: [x64]
+    os: [win32]
+
  '@node-rs/argon2@1.7.0':
    resolution: {integrity: sha512-zfULc+/tmcWcxn+nHkbyY8vP3+MpEqKORbszt4UkpqZgBgDAAIYvuDN/zukfTgdmo6tmJKKVfzigZOPk4LlIog==}
    engines: {node: '>= 10'}

+  '@node-rs/argon2@1.8.3':
+    resolution: {integrity: sha512-sf/QAEI59hsMEEE2J8vO4hKrXrv4Oplte3KI2N4MhMDYpytH0drkVfErmHBfWFZxxIEK03fX1WsBNswS2nIZKg==}
+    engines: {node: '>= 10'}
+
  '@node-rs/bcrypt-android-arm-eabi@1.9.0':
    resolution: {integrity: sha512-nOCFISGtnodGHNiLrG0WYLWr81qQzZKYfmwHc7muUeq+KY0sQXyHOwZk9OuNQAWv/lnntmtbwkwT0QNEmOyLvA==}
    engines: {node: '>= 10'}
@ -1150,6 +1252,9 @@ packages:
  '@tybys/wasm-util@0.8.3':
    resolution: {integrity: sha512-Z96T/L6dUFFxgFJ+pQtkPpne9q7i6kIPYCFnQBHSgSPV9idTsKfIhCss0h5iM9irweZCatkrdeP8yi5uM1eX6Q==}

+  '@tybys/wasm-util@0.9.0':
+    resolution: {integrity: sha512-6+7nlbMVX/PVDCwaIQ8nTOPveOcFLSt8GcXdx8hD0bt39uWxYT88uXzqTd4fTvqta7oeUJqudepapKNt2DYJFw==}
+
  '@types/cookie@0.6.0':
    resolution: {integrity: sha512-4Kh9a6B2bQciAhf7FSuMRRkUWecJgJu9nPnx3yzpsfXX/c50REIqpHY4C82bXP90qrLtXtkDxTZosYO3UpOwlA==}

@ -3535,11 +3640,27 @@ snapshots:
      tslib: 2.6.3
    optional: true

+  '@emnapi/core@1.2.0':
+    dependencies:
+      '@emnapi/wasi-threads': 1.0.1
+      tslib: 2.6.3
+    optional: true
+
  '@emnapi/runtime@0.45.0':
    dependencies:
      tslib: 2.6.3
    optional: true

+  '@emnapi/runtime@1.2.0':
+    dependencies:
+      tslib: 2.6.3
+    optional: true
+
+  '@emnapi/wasi-threads@1.0.1':
+    dependencies:
+      tslib: 2.6.3
+    optional: true
+
  '@esbuild-kit/core-utils@3.3.2':
    dependencies:
      esbuild: 0.18.20
@ -3885,38 +4006,75 @@ snapshots:
      nanoid: 5.0.7
      svelte: 5.0.0-next.164

+  '@napi-rs/wasm-runtime@0.2.4':
+    dependencies:
+      '@emnapi/core': 1.2.0
+      '@emnapi/runtime': 1.2.0
+      '@tybys/wasm-util': 0.9.0
+    optional: true
+
  '@noble/hashes@1.4.0': {}

  '@node-rs/argon2-android-arm-eabi@1.7.0':
    optional: true

+  '@node-rs/argon2-android-arm-eabi@1.8.3':
+    optional: true
+
  '@node-rs/argon2-android-arm64@1.7.0':
    optional: true

+  '@node-rs/argon2-android-arm64@1.8.3':
+    optional: true
+
  '@node-rs/argon2-darwin-arm64@1.7.0':
    optional: true

+  '@node-rs/argon2-darwin-arm64@1.8.3':
+    optional: true
+
  '@node-rs/argon2-darwin-x64@1.7.0':
    optional: true

+  '@node-rs/argon2-darwin-x64@1.8.3':
+    optional: true
+
  '@node-rs/argon2-freebsd-x64@1.7.0':
    optional: true

+  '@node-rs/argon2-freebsd-x64@1.8.3':
+    optional: true
+
  '@node-rs/argon2-linux-arm-gnueabihf@1.7.0':
    optional: true

+  '@node-rs/argon2-linux-arm-gnueabihf@1.8.3':
+    optional: true
+
  '@node-rs/argon2-linux-arm64-gnu@1.7.0':
    optional: true

+  '@node-rs/argon2-linux-arm64-gnu@1.8.3':
+    optional: true
+
  '@node-rs/argon2-linux-arm64-musl@1.7.0':
    optional: true

+  '@node-rs/argon2-linux-arm64-musl@1.8.3':
+    optional: true
+
  '@node-rs/argon2-linux-x64-gnu@1.7.0':
    optional: true

+  '@node-rs/argon2-linux-x64-gnu@1.8.3':
+    optional: true
+
  '@node-rs/argon2-linux-x64-musl@1.7.0':
    optional: true

+  '@node-rs/argon2-linux-x64-musl@1.8.3':
+    optional: true
+
  '@node-rs/argon2-wasm32-wasi@1.7.0':
    dependencies:
      '@emnapi/core': 0.45.0
@ -3925,15 +4083,29 @@ snapshots:
      memfs-browser: 3.5.10302
    optional: true

+  '@node-rs/argon2-wasm32-wasi@1.8.3':
+    dependencies:
+      '@napi-rs/wasm-runtime': 0.2.4
+    optional: true
+
  '@node-rs/argon2-win32-arm64-msvc@1.7.0':
    optional: true

+  '@node-rs/argon2-win32-arm64-msvc@1.8.3':
+    optional: true
+
  '@node-rs/argon2-win32-ia32-msvc@1.7.0':
    optional: true

+  '@node-rs/argon2-win32-ia32-msvc@1.8.3':
+    optional: true
+
  '@node-rs/argon2-win32-x64-msvc@1.7.0':
    optional: true

+  '@node-rs/argon2-win32-x64-msvc@1.8.3':
+    optional: true
+
  '@node-rs/argon2@1.7.0':
    optionalDependencies:
      '@node-rs/argon2-android-arm-eabi': 1.7.0
@ -3951,6 +4123,23 @@ snapshots:
      '@node-rs/argon2-win32-ia32-msvc': 1.7.0
      '@node-rs/argon2-win32-x64-msvc': 1.7.0

+  '@node-rs/argon2@1.8.3':
+    optionalDependencies:
+      '@node-rs/argon2-android-arm-eabi': 1.8.3
+      '@node-rs/argon2-android-arm64': 1.8.3
+      '@node-rs/argon2-darwin-arm64': 1.8.3
+      '@node-rs/argon2-darwin-x64': 1.8.3
+      '@node-rs/argon2-freebsd-x64': 1.8.3
+      '@node-rs/argon2-linux-arm-gnueabihf': 1.8.3
+      '@node-rs/argon2-linux-arm64-gnu': 1.8.3
+      '@node-rs/argon2-linux-arm64-musl': 1.8.3
+      '@node-rs/argon2-linux-x64-gnu': 1.8.3
+      '@node-rs/argon2-linux-x64-musl': 1.8.3
+      '@node-rs/argon2-wasm32-wasi': 1.8.3
+      '@node-rs/argon2-win32-arm64-msvc': 1.8.3
+      '@node-rs/argon2-win32-ia32-msvc': 1.8.3
+      '@node-rs/argon2-win32-x64-msvc': 1.8.3
+
  '@node-rs/bcrypt-android-arm-eabi@1.9.0':
    optional: true

@ -4232,6 +4421,11 @@ snapshots:
      tslib: 2.6.3
    optional: true

+  '@tybys/wasm-util@0.9.0':
+    dependencies:
+      tslib: 2.6.3
+    optional: true
+
  '@types/cookie@0.6.0': {}

  '@types/eslint@8.56.10':
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@ -4,6 +4,7 @@ import { redirect, type Handle } from '@sveltejs/kit';
 import { sequence } from '@sveltejs/kit/hooks';
 import type { ApiRoutes } from '$lib/server/api';
 import { parseApiResponse } from '$lib/utils/api';
+import { StatusCodes } from '$lib/constants/status-codes';

 const apiClient: Handle = async ({ event, resolve }) => {
 	/* ------------------------------ Register api ------------------------------ */
@ -23,7 +24,7 @@ const apiClient: Handle = async ({ event, resolve }) => {

 	async function getAuthedUserOrThrow() {
 		const { data } = await api.iam.user.$get().then(parseApiResponse);
-		if (!data || !data.user) throw redirect(307, '/');
+		if (!data || !data.user) throw redirect(StatusCodes.TEMPORARY_REDIRECT, '/');
 		return data?.user;
 	}

--- a/src/lib/components/pin-input.svelte
+++ b/src/lib/components/pin-input.svelte
@ -1,26 +1,25 @@
 <script lang="ts">
-	import { cn } from "$lib/utils/ui";
-  import { PinInput, type PinInputProps } from "bits-ui";
+	import { cn } from '$lib/utils/ui';
+	import { PinInput, type PinInputProps } from 'bits-ui';

 	interface Props extends Omit<PinInputProps, 'value'> {
-    value: string
-    inputCount?: number 
+		value: string;
+		inputCount?: number;
 	}

-  let {value = $bindable(), inputCount = 6, ...rest}: Props = $props();
-  let pin = $state<string[] | undefined>(value?.split("") ?? [])
-  let inputs = $derived(Array(inputCount).fill(null))
-
+	let { value = $bindable(), inputCount = 6, ...rest }: Props = $props();
+	let pin = $state<string[] | undefined>(value?.split('') ?? []);
+	let inputs = $derived(Array(inputCount).fill(null));

 	$effect(() => {
-    value = pin?.join("") ?? ""
-  })
+		value = pin?.join('') ?? '';
+	});
 </script>

 <PinInput.Root
 	{...rest}
 	bind:value={pin}
-	class={cn("flex items-center gap-2", rest.class)}
+	class={cn('flex items-center gap-2', rest.class)}
 	type="text"
 	placeholder=""
 >
--- a/src/lib/components/ui/pagination/pagination-ellipsis.svelte
+++ b/src/lib/components/ui/pagination/pagination-ellipsis.svelte
@ -10,7 +10,7 @@
 </script>

 <span
-	aria-hidden
+	aria-hidden='true'
 	class={cn("flex h-9 w-9 items-center justify-center", className)}
 	{...$$restProps}
 >
--- a/src/lib/constants/status-codes.ts
+++ b/src/lib/constants/status-codes.ts
@ -0,0 +1,357 @@
+// Taken from https://github.com/prettymuchbryce/http-status-codes/blob/master/src/status-codes.ts
+export enum StatusCodes {
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.2.1
+   *
+   * This interim response indicates that everything so far is OK and that the client should continue with the request or ignore it if it is already finished.
+   */
+  CONTINUE = 100,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.2.2
+   *
+   * This code is sent in response to an Upgrade request header by the client, and indicates the protocol the server is switching too.
+   */
+  SWITCHING_PROTOCOLS = 101,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc2518#section-10.1
+   *
+   * This code indicates that the server has received and is processing the request, but no response is available yet.
+   */
+  PROCESSING = 102,
+  /**
+   * Official Documentation @ https://www.rfc-editor.org/rfc/rfc8297#page-3
+   *
+   * This code indicates to the client that the server is likely to send a final response with the header fields included in the informational response.
+   */
+  EARLY_HINTS = 103,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.3.1
+   *
+   * The request has succeeded. The meaning of a success varies depending on the HTTP method:
+   * GET: The resource has been fetched and is transmitted in the message body.
+   * HEAD: The entity headers are in the message body.
+   * POST: The resource describing the result of the action is transmitted in the message body.
+   * TRACE: The message body contains the request message as received by the server
+   */
+  OK = 200,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.3.2
+   *
+   * The request has succeeded and a new resource has been created as a result of it. This is typically the response sent after a PUT request.
+   */
+  CREATED = 201,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.3.3
+   *
+   * The request has been received but not yet acted upon. It is non-committal, meaning that there is no way in HTTP to later send an asynchronous response indicating the outcome of processing the request. It is intended for cases where another process or server handles the request, or for batch processing.
+   */
+  ACCEPTED = 202,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.3.4
+   *
+   * This response code means returned meta-information set is not exact set as available from the origin server, but collected from a local or a third party copy. Except this condition, 200 OK response should be preferred instead of this response.
+   */
+  NON_AUTHORITATIVE_INFORMATION = 203,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.3.5
+   *
+   * There is no content to send for this request, but the headers may be useful. The user-agent may update its cached headers for this resource with the new ones.
+   */
+  NO_CONTENT = 204,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.3.6
+   *
+   * This response code is sent after accomplishing request to tell user agent reset document view which sent this request.
+   */
+  RESET_CONTENT = 205,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7233#section-4.1
+   *
+   * This response code is used because of range header sent by the client to separate download into multiple streams.
+   */
+  PARTIAL_CONTENT = 206,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc2518#section-10.2
+   *
+   * A Multi-Status response conveys information about multiple resources in situations where multiple status codes might be appropriate.
+   */
+  MULTI_STATUS = 207,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.4.1
+   *
+   * The request has more than one possible responses. User-agent or user should choose one of them. There is no standardized way to choose one of the responses.
+   */
+  MULTIPLE_CHOICES = 300,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.4.2
+   *
+   * This response code means that URI of requested resource has been changed. Probably, new URI would be given in the response.
+   */
+  MOVED_PERMANENTLY = 301,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.4.3
+   *
+   * This response code means that URI of requested resource has been changed temporarily. New changes in the URI might be made in the future. Therefore, this same URI should be used by the client in future requests.
+   */
+  MOVED_TEMPORARILY = 302,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.4.4
+   *
+   * Server sent this response to directing client to get requested resource to another URI with an GET request.
+   */
+  SEE_OTHER = 303,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7232#section-4.1
+   *
+   * This is used for caching purposes. It is telling to client that response has not been modified. So, client can continue to use same cached version of response.
+   */
+  NOT_MODIFIED = 304,
+  /**
+   * @deprecated
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.4.6
+   *
+   * Was defined in a previous version of the HTTP specification to indicate that a requested response must be accessed by a proxy. It has been deprecated due to security concerns regarding in-band configuration of a proxy.
+   */
+  USE_PROXY = 305,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.4.7
+   *
+   * Server sent this response to directing client to get requested resource to another URI with same method that used prior request. This has the same semantic than the 302 Found HTTP response code, with the exception that the user agent must not change the HTTP method used: if a POST was used in the first request, a POST must be used in the second request.
+   */
+  TEMPORARY_REDIRECT = 307,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7538#section-3
+   *
+   * This means that the resource is now permanently located at another URI, specified by the Location: HTTP Response header. This has the same semantics as the 301 Moved Permanently HTTP response code, with the exception that the user agent must not change the HTTP method used: if a POST was used in the first request, a POST must be used in the second request.
+   */
+  PERMANENT_REDIRECT = 308,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.1
+   *
+   * This response means that server could not understand the request due to invalid syntax.
+   */
+  BAD_REQUEST = 400,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7235#section-3.1
+   *
+   * Although the HTTP standard specifies "unauthorized", semantically this response means "unauthenticated". That is, the client must authenticate itself to get the requested response.
+   */
+  UNAUTHORIZED = 401,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.2
+   *
+   * This response code is reserved for future use. Initial aim for creating this code was using it for digital payment systems however this is not used currently.
+   */
+  PAYMENT_REQUIRED = 402,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.3
+   *
+   * The client does not have access rights to the content, i.e. they are unauthorized, so server is rejecting to give proper response. Unlike 401, the client's identity is known to the server.
+   */
+  FORBIDDEN = 403,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.4
+   *
+   * The server can not find requested resource. In the browser, this means the URL is not recognized. In an API, this can also mean that the endpoint is valid but the resource itself does not exist. Servers may also send this response instead of 403 to hide the existence of a resource from an unauthorized client. This response code is probably the most famous one due to its frequent occurence on the web.
+   */
+  NOT_FOUND = 404,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.5
+   *
+   * The request method is known by the server but has been disabled and cannot be used. For example, an API may forbid DELETE-ing a resource. The two mandatory methods, GET and HEAD, must never be disabled and should not return this error code.
+   */
+  METHOD_NOT_ALLOWED = 405,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.6
+   *
+   * This response is sent when the web server, after performing server-driven content negotiation, doesn't find any content following the criteria given by the user agent.
+   */
+  NOT_ACCEPTABLE = 406,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7235#section-3.2
+   *
+   * This is similar to 401 but authentication is needed to be done by a proxy.
+   */
+  PROXY_AUTHENTICATION_REQUIRED = 407,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.7
+   *
+   * This response is sent on an idle connection by some servers, even without any previous request by the client. It means that the server would like to shut down this unused connection. This response is used much more since some browsers, like Chrome, Firefox 27+, or IE9, use HTTP pre-connection mechanisms to speed up surfing. Also note that some servers merely shut down the connection without sending this message.
+   */
+  REQUEST_TIMEOUT = 408,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.8
+   *
+   * This response is sent when a request conflicts with the current state of the server.
+   */
+  CONFLICT = 409,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.9
+   *
+   * This response would be sent when the requested content has been permenantly deleted from server, with no forwarding address. Clients are expected to remove their caches and links to the resource. The HTTP specification intends this status code to be used for "limited-time, promotional services". APIs should not feel compelled to indicate resources that have been deleted with this status code.
+   */
+  GONE = 410,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.10
+   *
+   * The server rejected the request because the Content-Length header field is not defined and the server requires it.
+   */
+  LENGTH_REQUIRED = 411,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7232#section-4.2
+   *
+   * The client has indicated preconditions in its headers which the server does not meet.
+   */
+  PRECONDITION_FAILED = 412,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.11
+   *
+   * Request entity is larger than limits defined by server; the server might close the connection or return an Retry-After header field.
+   */
+  REQUEST_TOO_LONG = 413,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.12
+   *
+   * The URI requested by the client is longer than the server is willing to interpret.
+   */
+  REQUEST_URI_TOO_LONG = 414,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.13
+   *
+   * The media format of the requested data is not supported by the server, so the server is rejecting the request.
+   */
+  UNSUPPORTED_MEDIA_TYPE = 415,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7233#section-4.4
+   *
+   * The range specified by the Range header field in the request can't be fulfilled; it's possible that the range is outside the size of the target URI's data.
+   */
+  REQUESTED_RANGE_NOT_SATISFIABLE = 416,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.5.14
+   *
+   * This response code means the expectation indicated by the Expect request header field can't be met by the server.
+   */
+  EXPECTATION_FAILED = 417,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc2324#section-2.3.2
+   *
+   * Any attempt to brew coffee with a teapot should result in the error code "418 I'm a teapot". The resulting entity body MAY be short and stout.
+   */
+  IM_A_TEAPOT = 418,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc2518#section-10.6
+   *
+   * The 507 (Insufficient Storage) status code means the method could not be performed on the resource because the server is unable to store the representation needed to successfully complete the request. This condition is considered to be temporary. If the request which received this status code was the result of a user action, the request MUST NOT be repeated until it is requested by a separate user action.
+   */
+  INSUFFICIENT_SPACE_ON_RESOURCE = 419,
+  /**
+   * @deprecated
+   * Official Documentation @ https://tools.ietf.org/rfcdiff?difftype=--hwdiff&url2=draft-ietf-webdav-protocol-06.txt
+   *
+   * A deprecated response used by the Spring Framework when a method has failed.
+   */
+  METHOD_FAILURE = 420,
+  /**
+   * Official Documentation @ https://datatracker.ietf.org/doc/html/rfc7540#section-9.1.2
+   *
+   * Defined in the specification of HTTP/2 to indicate that a server is not able to produce a response for the combination of scheme and authority that are included in the request URI.
+   */
+  MISDIRECTED_REQUEST = 421,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc2518#section-10.3
+   *
+   * The request was well-formed but was unable to be followed due to semantic errors.
+   */
+  UNPROCESSABLE_ENTITY = 422,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc2518#section-10.4
+   *
+   * The resource that is being accessed is locked.
+   */
+  LOCKED = 423,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc2518#section-10.5
+   *
+   * The request failed due to failure of a previous request.
+   */
+  FAILED_DEPENDENCY = 424,
+  /**
+   * Official Documentation @ https://datatracker.ietf.org/doc/html/rfc7231#section-6.5.15
+   *
+   * The server refuses to perform the request using the current protocol but might be willing to do so after the client upgrades to a different protocol.
+   */
+  UPGRADE_REQUIRED = 426,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc6585#section-3
+   *
+   * The origin server requires the request to be conditional. Intended to prevent the 'lost update' problem, where a client GETs a resource's state, modifies it, and PUTs it back to the server, when meanwhile a third party has modified the state on the server, leading to a conflict.
+   */
+  PRECONDITION_REQUIRED = 428,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc6585#section-4
+   *
+   * The user has sent too many requests in a given amount of time ("rate limiting").
+   */
+  TOO_MANY_REQUESTS = 429,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc6585#section-5
+   *
+   * The server is unwilling to process the request because its header fields are too large. The request MAY be resubmitted after reducing the size of the request header fields.
+   */
+  REQUEST_HEADER_FIELDS_TOO_LARGE = 431,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7725
+   *
+   * The user-agent requested a resource that cannot legally be provided, such as a web page censored by a government.
+   */
+  UNAVAILABLE_FOR_LEGAL_REASONS = 451,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.6.1
+   *
+   * The server encountered an unexpected condition that prevented it from fulfilling the request.
+   */
+  INTERNAL_SERVER_ERROR = 500,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.6.2
+   *
+   * The request method is not supported by the server and cannot be handled. The only methods that servers are required to support (and therefore that must not return this code) are GET and HEAD.
+   */
+  NOT_IMPLEMENTED = 501,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.6.3
+   *
+   * This error response means that the server, while working as a gateway to get a response needed to handle the request, got an invalid response.
+   */
+  BAD_GATEWAY = 502,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.6.4
+   *
+   * The server is not ready to handle the request. Common causes are a server that is down for maintenance or that is overloaded. Note that together with this response, a user-friendly page explaining the problem should be sent. This responses should be used for temporary conditions and the Retry-After: HTTP header should, if possible, contain the estimated time before the recovery of the service. The webmaster must also take care about the caching-related headers that are sent along with this response, as these temporary condition responses should usually not be cached.
+   */
+  SERVICE_UNAVAILABLE = 503,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.6.5
+   *
+   * This error response is given when the server is acting as a gateway and cannot get a response in time.
+   */
+  GATEWAY_TIMEOUT = 504,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc7231#section-6.6.6
+   *
+   * The HTTP version used in the request is not supported by the server.
+   */
+  HTTP_VERSION_NOT_SUPPORTED = 505,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc2518#section-10.6
+   *
+   * The server has an internal configuration error: the chosen variant resource is configured to engage in transparent content negotiation itself, and is therefore not a proper end point in the negotiation process.
+   */
+  INSUFFICIENT_STORAGE = 507,
+  /**
+   * Official Documentation @ https://tools.ietf.org/html/rfc6585#section-6
+   *
+   * The 511 status code indicates that the client needs to authenticate to gain network access.
+   */
+  NETWORK_AUTHENTICATION_REQUIRED = 511
+}
--- a/src/lib/server/api/common/errors.ts
+++ b/src/lib/server/api/common/errors.ts
@ -1,25 +1,26 @@
+import { StatusCodes } from '$lib/constants/status-codes';
 import { HTTPException } from 'hono/http-exception';

 export function TooManyRequests(message: string = 'Too many requests') {
-	return new HTTPException(429, { message });
+	return new HTTPException(StatusCodes.TOO_MANY_REQUESTS, { message });
 }

 export function Forbidden(message: string = 'Forbidden') {
-	return new HTTPException(403, { message });
+	return new HTTPException(StatusCodes.FORBIDDEN, { message });
 }

 export function Unauthorized(message: string = 'Unauthorized') {
-	return new HTTPException(401, { message });
+	return new HTTPException(StatusCodes.UNAUTHORIZED, { message });
 }

 export function NotFound(message: string = 'Not Found') {
-	return new HTTPException(404, { message });
+	return new HTTPException(StatusCodes.NOT_FOUND, { message });
 }

 export function BadRequest(message: string = 'Bad Request') {
-	return new HTTPException(400, { message });
+	return new HTTPException(StatusCodes.BAD_REQUEST, { message });
 }

 export function InternalError(message: string = 'Internal Error') {
-	return new HTTPException(500, { message });
+	return new HTTPException(StatusCodes.INTERNAL_SERVER_ERROR, { message });
 }
--- a/src/lib/server/api/controllers/iam.controller.ts
+++ b/src/lib/server/api/controllers/iam.controller.ts
@ -1,17 +1,19 @@
+import { Hono } from 'hono';
+import { setCookie } from 'hono/cookie';
+import type { HonoTypes } from '../types';
 import { inject, injectable } from 'tsyringe';
 import { zValidator } from '@hono/zod-validator';
-import { registerEmailDto } from '../../../dtos/register-email.dto';
 import { IamService } from '../services/iam.service';
-import { signInEmailDto } from '../../../dtos/signin-email.dto';
-import { setCookie } from 'hono/cookie';
 import { LuciaProvider } from '../providers/lucia.provider';
+import { requireAuth } from '../middleware/auth.middleware';
+import { limiter } from '../middleware/rate-limiter.middlware';
+import { signInEmailDto } from '../../../dtos/signin-email.dto';
 import { updateEmailDto } from '../../../dtos/update-email.dto';
 import { verifyEmailDto } from '../../../dtos/verify-email.dto';
-import { Hono } from 'hono';
-import type { HonoTypes } from '../types';
+import { registerEmailDto } from '../../../dtos/register-email.dto';
 import type { Controller } from '../interfaces/controller.interface';
-import { limiter } from '../middleware/rate-limiter.middlware';
-import { requireAuth } from '../middleware/auth.middleware';
+import { EmailVerificationsService } from '../services/email-verifications.service';
+import { LoginRequestsService } from '../services/login-requests.service';

 /* -------------------------------------------------------------------------- */
 /*                                 Controller                                 */
@ -42,6 +44,8 @@ export class IamController implements Controller {

 	constructor(
 		@inject(IamService) private iamService: IamService,
+		@inject(LoginRequestsService) private loginRequestsService: LoginRequestsService,
+		@inject(EmailVerificationsService) private emailVerificationsService: EmailVerificationsService,
 		@inject(LuciaProvider) private lucia: LuciaProvider
 	) { }

@ -51,14 +55,14 @@ export class IamController implements Controller {
 				const user = c.var.user;
 				return c.json({ user: user });
 			})
-			.post('/email/register', zValidator('json', registerEmailDto), async (c) => {
+			.post('/login/request', zValidator('json', registerEmailDto), limiter({ limit: 10, minutes: 60 }), async (c) => {
 				const { email } = c.req.valid('json');
-				await this.iamService.registerEmail({ email });
+				await this.loginRequestsService.create({ email });
 				return c.json({ message: 'Verification email sent' });
 			})
-			.post('/email/signin', zValidator('json', signInEmailDto), limiter({ limit: 15, minutes: 15 }), async (c) => {
+			.post('/login/verify', zValidator('json', signInEmailDto), limiter({ limit: 10, minutes: 60 }), async (c) => {
 				const { email, token } = c.req.valid('json');
-				const session = await this.iamService.signinEmail({ email, token });
+				const session = await this.loginRequestsService.verify({ email, token });
 				const sessionCookie = this.lucia.createSessionCookie(session.id);
 				setCookie(c, sessionCookie.name, sessionCookie.value, {
 					path: sessionCookie.attributes.path,
@ -86,14 +90,14 @@ export class IamController implements Controller {
 				});
 				return c.json({ status: 'success' });
 			})
-			.post('/email/update', requireAuth, zValidator('json', updateEmailDto), limiter({ limit: 5, minutes: 15 }), async (c) => {
+			.post('/email/sendVerification', requireAuth, zValidator('json', updateEmailDto), limiter({ limit: 10, minutes: 60 }), async (c) => {
 				const json = c.req.valid('json');
-				await this.iamService.updateEmail(c.var.user.id, json);
+				await this.emailVerificationsService.dispatchEmailVerificationToken(c.var.user.id, json.email);
 				return c.json({ message: 'Verification email sent' });
 			})
-			.post('/email/verify', requireAuth, zValidator('json', verifyEmailDto), limiter({ limit: 5, minutes: 15 }), async (c) => {
+			.post('/email/verify', requireAuth, zValidator('json', verifyEmailDto), limiter({ limit: 10, minutes: 60 }), async (c) => {
 				const json = c.req.valid('json');
-				await this.iamService.verifyEmail(c.var.user.id, json.token);
+				await this.emailVerificationsService.processEmailVerificationToken(c.var.user.id, json.token);
 				return c.json({ message: 'Verified and updated' });
 			});
 	}
--- a/src/lib/server/api/infrastructure/database/tables/email-verifications.table.ts
+++ b/src/lib/server/api/infrastructure/database/tables/email-verifications.table.ts
@ -0,0 +1,28 @@
+import { createId } from '@paralleldrive/cuid2';
+import { pgTable, text, timestamp } from 'drizzle-orm/pg-core';
+import { timestamps } from '../utils';
+import { relations } from 'drizzle-orm';
+import { usersTable } from './users.table';
+
+export const emailVerificationsTable = pgTable('email_verifications', {
+  id: text('id')
+    .primaryKey()
+    .$defaultFn(() => createId()),
+  hashedToken: text('hashed_token').notNull(),
+  userId: text('user_id')
+    .notNull()
+    .references(() => usersTable.id).unique(),
+  requestedEmail: text('requested_email').notNull(),
+  expiresAt: timestamp('expires_at', {
+    mode: 'date',
+    withTimezone: true
+  }).notNull(),
+  ...timestamps
+});
+
+export const emailVerificationsRelations = relations(emailVerificationsTable, ({ one }) => ({
+  user: one(usersTable, {
+    fields: [emailVerificationsTable.userId],
+    references: [usersTable.id]
+  })
+}));
--- a/src/lib/server/api/infrastructure/database/tables/index.ts
+++ b/src/lib/server/api/infrastructure/database/tables/index.ts
@ -1,3 +1,4 @@
 export * from './sessions.table';
 export * from './users.table';
-export * from './tokens.table';
+export * from './login-requests.table';
+export * from './email-verifications.table';
--- a/src/lib/server/api/infrastructure/database/tables/login-requests.table.ts
+++ b/src/lib/server/api/infrastructure/database/tables/login-requests.table.ts
@ -0,0 +1,19 @@
+import { timestamps } from '../utils';
+import { relations } from 'drizzle-orm';
+import { createId } from '@paralleldrive/cuid2';
+import { pgTable, text, timestamp } from 'drizzle-orm/pg-core';
+
+export const loginRequestsTable = pgTable('login_requests', {
+  id: text('id')
+    .primaryKey()
+    .$defaultFn(() => createId()),
+  hashedToken: text('hashed_token').notNull(),
+  email: text('email').notNull().unique(),
+  expiresAt: timestamp('expires_at', {
+    mode: 'date',
+    withTimezone: true
+  }).notNull(),
+  ...timestamps
+});
+
+export const loginRequestsRelations = relations(loginRequestsTable, () => ({}));
--- a/src/lib/server/api/infrastructure/database/tables/sessions.table.ts
+++ b/src/lib/server/api/infrastructure/database/tables/sessions.table.ts
@ -1,6 +1,6 @@
-import { pgTable, text, timestamp } from 'drizzle-orm/pg-core';
-import { usersTable } from './users.table';
 import { cuid2 } from '../utils';
+import { usersTable } from './users.table';
+import { pgTable, text, timestamp } from 'drizzle-orm/pg-core';

 export const sessionsTable = pgTable('sessions', {
 	id: cuid2('id').primaryKey(),
--- a/src/lib/server/api/infrastructure/database/tables/tokens.table.ts
+++ b/src/lib/server/api/infrastructure/database/tables/tokens.table.ts
@ -1,25 +0,0 @@
-import { createId } from '@paralleldrive/cuid2';
-import { pgTable, text, timestamp } from 'drizzle-orm/pg-core';
-import { timestamps } from '../utils';
-import { relations } from 'drizzle-orm';
-import { usersTable } from './users.table';
-
-export const tokensTable = pgTable('tokens', {
-	id: text('id')
-		.primaryKey()
-		.$defaultFn(() => createId()),
-	token: text('token').notNull().unique(),
-	userId: text('user_id')
-		.notNull()
-		.references(() => usersTable.id),
-	email: text('email').notNull(),
-	expiresAt: timestamp('expires_at', {
-		mode: 'date',
-		withTimezone: true
-	}).notNull(),
-	...timestamps
-});
-
-export const tokensRealations = relations(tokensTable, ({ one }) => ({
-	user: one(usersTable)
-}));
--- a/src/lib/server/api/infrastructure/database/tables/users.table.ts
+++ b/src/lib/server/api/infrastructure/database/tables/users.table.ts
@ -1,9 +1,9 @@
-import { createId } from '@paralleldrive/cuid2';
-import { boolean, pgTable, text } from 'drizzle-orm/pg-core';
-import { citext, timestamps } from '../utils';
 import { relations } from 'drizzle-orm';
+import { citext, timestamps } from '../utils';
+import { createId } from '@paralleldrive/cuid2';
 import { sessionsTable } from './sessions.table';
-import { tokensTable } from './tokens.table';
+import { boolean, pgTable, text } from 'drizzle-orm/pg-core';
+import { emailVerificationsTable } from './email-verifications.table';

 export const usersTable = pgTable('users', {
 	id: text('id')
@ -15,7 +15,10 @@ export const usersTable = pgTable('users', {
 	...timestamps
 });

-export const usersRelations = relations(usersTable, ({ many }) => ({
+export const usersRelations = relations(usersTable, ({ many, one }) => ({
 	sessions: many(sessionsTable),
-	tokens: many(tokensTable)
+	emailVerifications: one(emailVerificationsTable, {
+		fields: [usersTable.id],
+		references: [emailVerificationsTable.userId]
+	})
 }));
--- a/src/lib/server/api/repositories/email-verifications.repository.ts
+++ b/src/lib/server/api/repositories/email-verifications.repository.ts
@ -0,0 +1,39 @@
+import { inject, injectable } from "tsyringe";
+import { DatabaseProvider } from "../providers";
+import { and, eq, lte, type InferInsertModel } from "drizzle-orm";
+import type { Repository } from "../interfaces/repository.interface";
+import { takeFirst, takeFirstOrThrow } from "../infrastructure/database/utils";
+import { emailVerificationsTable } from "../infrastructure/database/tables/email-verifications.table";
+
+export type CreateEmailVerification = Pick<InferInsertModel<typeof emailVerificationsTable>, 'requestedEmail' | 'hashedToken' | 'userId' | 'expiresAt'>;
+
+@injectable()
+export class EmailVerificationsRepository implements Repository {
+  constructor(@inject(DatabaseProvider) private readonly db: DatabaseProvider) { }
+
+  // creates a new email verification record or updates an existing one
+  async create(data: CreateEmailVerification) {
+    return this.db.insert(emailVerificationsTable).values(data).onConflictDoUpdate({
+      target: emailVerificationsTable.userId,
+      set: data
+    }).returning().then(takeFirstOrThrow)
+  }
+
+  // finds a valid record by token and userId
+  async findValidRecord(userId: string, hashedToken: string) {
+    return this.db.select().from(emailVerificationsTable).where(
+      and(
+        eq(emailVerificationsTable.userId, userId),
+        eq(emailVerificationsTable.hashedToken, hashedToken),
+        lte(emailVerificationsTable.expiresAt, new Date())
+      )).then(takeFirst)
+  }
+
+  async deleteById(id: string) {
+    return this.db.delete(emailVerificationsTable).where(eq(emailVerificationsTable.id, id))
+  }
+
+  trxHost(trx: DatabaseProvider) {
+    return new EmailVerificationsRepository(trx)
+  }
+}
--- a/src/lib/server/api/repositories/login-requests.repository.ts
+++ b/src/lib/server/api/repositories/login-requests.repository.ts
@ -0,0 +1,37 @@
+import { inject, injectable } from "tsyringe";
+import { DatabaseProvider } from "../providers";
+import type { Repository } from "../interfaces/repository.interface";
+import { and, eq, gte, type InferInsertModel } from "drizzle-orm";
+import { takeFirst } from "../infrastructure/database/utils";
+import { loginRequestsTable } from "../infrastructure/database/tables/login-requests.table";
+
+export type CreateLoginRequest = Pick<InferInsertModel<typeof loginRequestsTable>, 'email' | 'expiresAt' | 'hashedToken'>;
+
+@injectable()
+export class LoginRequestsRepository implements Repository {
+  constructor(@inject(DatabaseProvider) private readonly db: DatabaseProvider) { }
+
+  async create(data: CreateLoginRequest) {
+    return this.db.insert(loginRequestsTable).values(data).onConflictDoUpdate({
+      target: loginRequestsTable.email,
+      set: data
+    })
+  }
+
+  async findOneByEmail(email: string) {
+    return this.db.select().from(loginRequestsTable).where(
+      and(
+        eq(loginRequestsTable.email, email),
+        gte(loginRequestsTable.expiresAt, new Date())
+      )
+    ).then(takeFirst)
+  }
+
+  async deleteById(id: string) {
+    return this.db.delete(loginRequestsTable).where(eq(loginRequestsTable.id, id));
+  }
+
+  trxHost(trx: DatabaseProvider) {
+    return new LoginRequestsRepository(trx);
+  }
+}
--- a/src/lib/server/api/repositories/tokens.repository.ts
+++ b/src/lib/server/api/repositories/tokens.repository.ts
@ -1,49 +0,0 @@
-import { inject, injectable } from 'tsyringe';
-import { DatabaseProvider } from '../providers';
-import { eq, type InferInsertModel } from 'drizzle-orm';
-import { tokensTable } from '../infrastructure/database/tables';
-import { takeFirstOrThrow } from '../infrastructure/database/utils';
-import type { Repository } from '../interfaces/repository.interface';
-
-/* -------------------------------------------------------------------------- */
-/*                                 Repository                                 */
-/* -------------------------------------------------------------------------- */
-/* ---------------------------------- About --------------------------------- */
-/*
-Repositories are the layer that interacts with the database. They are responsible for retrieving and 
-storing data. They should not contain any business logic, only database queries.
-*/
-/* ---------------------------------- Notes --------------------------------- */
-/*
- Repositories should only contain methods for CRUD operations and any other database interactions. 
- Any complex logic should be delegated to a service. If a repository method requires a transaction,
- it should be passed in as an argument or the class should have a method to set the transaction.
- In our case the method 'trxHost' is used to set the transaction context.
-*/
-
-export type InsertToken = InferInsertModel<typeof tokensTable>;
-
-@injectable()
-export class TokensRepository implements Repository {
-	constructor(@inject(DatabaseProvider) private db: DatabaseProvider) {}
-
-	async findOneByToken(token: string) {
-		return this.db.query.tokensTable.findFirst({ where: eq(tokensTable.token, token) });
-	}
-
-	async delete(id: string) {
-		return this.db
-			.delete(tokensTable)
-			.where(eq(tokensTable.id, id))
-			.returning()
-			.then(takeFirstOrThrow);
-	}
-
-	async create(data: InsertToken) {
-		return this.db.insert(tokensTable).values(data).returning().then(takeFirstOrThrow);
-	}
-
-	trxHost(trx: DatabaseProvider) {
-		return new TokensRepository(trx);
-	}
-}
--- a/src/lib/server/api/services/email-verifications.service.ts
+++ b/src/lib/server/api/services/email-verifications.service.ts
@ -0,0 +1,78 @@
+import { inject, injectable } from 'tsyringe';
+import { BadRequest } from '../common/errors';
+import { DatabaseProvider } from '../providers';
+import { MailerService } from './mailer.service';
+import { TokensService } from './tokens.service';
+import { UsersRepository } from '../repositories/users.repository';
+import { EmailVerificationsRepository } from '../repositories/email-verifications.repository';
+
+/* -------------------------------------------------------------------------- */
+/*                                   Service                                  */
+/* -------------------------------------------------------------------------- */
+/* -------------------------------------------------------------------------- */
+/* ---------------------------------- About --------------------------------- */
+/*
+Services are responsible for handling business logic and data manipulation. 
+They genreally call on repositories or other services to complete a use-case.
+*/
+/* ---------------------------------- Notes --------------------------------- */
+/*
+Services should be kept as clean and simple as possible. 
+
+Create private functions to handle complex logic and keep the public methods as 
+simple as possible. This makes the service easier to read, test and understand.
+*/
+/* -------------------------------------------------------------------------- */
+
+@injectable()
+export class EmailVerificationsService {
+  constructor(
+    @inject(DatabaseProvider) private readonly db: DatabaseProvider,
+    @inject(TokensService) private readonly tokensService: TokensService,
+    @inject(MailerService) private readonly mailerService: MailerService,
+    @inject(UsersRepository) private readonly usersRepository: UsersRepository,
+    @inject(EmailVerificationsRepository) private readonly emailVerificationsRepository: EmailVerificationsRepository,
+  ) { }
+
+
+  async dispatchEmailVerificationToken(userId: string, requestedEmail: string) {
+    // generate a token and expiry
+    const { token, expiry, hashedToken } = await this.tokensService.generateTokenWithExpiryAndHash(15, 'm')
+
+    // create a new email verification record
+    await this.emailVerificationsRepository.create({ requestedEmail, userId, hashedToken, expiresAt: expiry })
+
+    // send the verification email - we don't need to await success and will opt for good-faith since we 
+    // will offer a way to resend the email if it fails
+    this.mailerService.sendEmailVerification({
+      to: requestedEmail,
+      props: {
+        token
+      }
+    })
+  }
+
+  async processEmailVerificationToken(userId: string, token: string) {
+    const validRecord = await this.findAndBurnEmailVerificationToken(userId, token)
+    if (!validRecord) throw BadRequest('Invalid token');
+
+    // burn the token and update the user
+    await this.usersRepository.update(userId, { email: validRecord.requestedEmail, verified: true });
+  }
+
+  private async findAndBurnEmailVerificationToken(userId: string, token: string) {
+    return this.db.transaction(async (trx) => {
+      // find a valid record
+      const emailVerificationRecord = await this.emailVerificationsRepository.trxHost(trx).findValidRecord(userId, token);
+      if (!emailVerificationRecord) return null;
+
+      // check if the token is valid
+      const isValidRecord = await this.tokensService.verifyHashedToken(emailVerificationRecord.hashedToken, token);
+      if (!isValidRecord) return null
+
+      // burn the token if it is valid
+      await this.emailVerificationsRepository.trxHost(trx).deleteById(emailVerificationRecord.id)
+      return emailVerificationRecord
+    })
+  }
+}
--- a/src/lib/server/api/services/hashing.service.ts
+++ b/src/lib/server/api/services/hashing.service.ts
@ -0,0 +1,36 @@
+import { injectable } from "tsyringe";
+import { Scrypt } from "oslo/password";
+
+/* ---------------------------------- Note ---------------------------------- */
+/*
+Reference: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#argon2id
+
+I use Scrpt as the hashing algorithm due to its higher compatability 
+with vite's build system and it uses less memory than Argon2id. 
+
+You can use Argon2id or any other hashing algorithm you prefer.
+*/
+/* -------------------------------------------------------------------------- */
+/*
+With Argon2id, you get the following error at times when vite optimizes its dependencies at times,
+
+Error: Build failed with 2 errors:
+node_modules/.pnpm/@node-rs+argon2@1.7.0/node_modules/@node-rs/argon2/index.js:159:36: ERROR: No loader is configured for ".node" files: node_module
+*/
+/* -------------------------------------------------------------------------- */
+// If you don't use a hasher from oslo, which are preconfigured with recommended parameters from OWASP,
+// ensure that you configure them properly.
+
+@injectable()
+export class HashingService {
+  private readonly hasher = new Scrypt();
+  // private readonly hasher = new Argon2id(); // argon2id hasher
+
+  async hash(data: string) {
+    return this.hasher.hash(data);
+  }
+
+  async verify(hash: string, data: string) {
+    return this.hasher.verify(hash, data)
+  }
+}
--- a/src/lib/server/api/services/iam.service.ts
+++ b/src/lib/server/api/services/iam.service.ts
@ -1,12 +1,5 @@
 import { inject, injectable } from 'tsyringe';
-import type { RegisterEmailDto } from '../../../dtos/register-email.dto';
-import { UsersRepository } from '../repositories/users.repository';
-import { MailerService } from './mailer.service';
-import { TokensService } from './tokens.service';
-import type { SignInEmailDto } from '../../../dtos/signin-email.dto';
-import { BadRequest } from '../common/errors';
 import { LuciaProvider } from '../providers/lucia.provider';
-import type { UpdateEmailDto } from '../../../dtos/update-email.dto';

 /* -------------------------------------------------------------------------- */
 /*                                   Service                                  */
@ -29,65 +22,10 @@ simple as possible. This makes the service easier to read, test and understand.
@injectable()
 export class IamService {
 	constructor(
-		@inject(UsersRepository) private usersRepository: UsersRepository,
-		@inject(TokensService) private tokensService: TokensService,
-		@inject(MailerService) private mailerService: MailerService,
-		@inject(LuciaProvider) private lucia: LuciaProvider
+		@inject(LuciaProvider) private readonly lucia: LuciaProvider,
 	) { }

-	async registerEmail(data: RegisterEmailDto) {
-		const existingUser = await this.usersRepository.findOneByEmail(data.email);
-
-		if (!existingUser) {
-			const newUser = await this.usersRepository.create({ email: data.email, verified: false });
-			return this.createValidationReuqest(newUser.id, newUser.email);
-		}
-
-		return this.createValidationReuqest(existingUser.id, existingUser.email);
-	}
-
-	async signinEmail(data: SignInEmailDto) {
-		const user = await this.usersRepository.findOneByEmail(data.email);
-		if (!user) throw BadRequest('Bad credentials');
-
-		const isValidToken = await this.tokensService.validateToken(user.id, data.token);
-		if (!isValidToken) throw BadRequest('Bad credentials');
-
-		// if this is a new unverified user, send a welcome email and update the user
-		if (!user.verified) {
-			await this.usersRepository.update(user.id, { verified: true });
-			this.mailerService.sendWelcomeEmail({
-				to: user.email,
-				props: null
-			});
-		}
-
-		return this.lucia.createSession(user.id, {});
-	}
-
-	async verifyEmail(userId: string, token: string) {
-		const user = await this.usersRepository.findOneById(userId);
-		if (!user) throw BadRequest('User not found');
-
-		const validToken = await this.tokensService.validateToken(user.id, token);
-		if (!validToken) throw BadRequest('Invalid token');
-		
-		await this.usersRepository.update(user.id, { email: validToken.email });
-	}
-
-	async updateEmail(userId: string, data: UpdateEmailDto) {
-		return this.createValidationReuqest(userId, data.email);
-	}
-
 	async logout(sessionId: string) {
 		return this.lucia.invalidateSession(sessionId);
 	}
-
-	private async createValidationReuqest(userId: string, email: string) {
-		const validationToken = await this.tokensService.create(userId, email);
-		this.mailerService.sendEmailVerification({
-			to: email,
-			props: { token: validationToken.token }
-		});
-	}
 }
--- a/src/lib/server/api/services/login-requests.service.ts
+++ b/src/lib/server/api/services/login-requests.service.ts
@ -0,0 +1,72 @@
+import { inject, injectable } from 'tsyringe';
+import { BadRequest } from '../common/errors';
+import { DatabaseProvider } from '../providers';
+import { MailerService } from './mailer.service';
+import { TokensService } from './tokens.service';
+import { LuciaProvider } from '../providers/lucia.provider';
+import { UsersRepository } from '../repositories/users.repository';
+import type { SignInEmailDto } from '../../../dtos/signin-email.dto';
+import type { RegisterEmailDto } from '../../../dtos/register-email.dto';
+import { LoginRequestsRepository } from '../repositories/login-requests.repository';
+
+@injectable()
+export class LoginRequestsService {
+  constructor(
+    @inject(LuciaProvider) private readonly lucia: LuciaProvider,
+    @inject(DatabaseProvider) private readonly db: DatabaseProvider,
+    @inject(TokensService) private readonly tokensService: TokensService,
+    @inject(MailerService) private readonly mailerService: MailerService,
+    @inject(UsersRepository) private readonly usersRepository: UsersRepository,
+    @inject(LoginRequestsRepository) private readonly loginRequetsRepository: LoginRequestsRepository,
+  ) { }
+
+  async create(data: RegisterEmailDto) {
+    // generate a token, expiry date, and hash
+    const { token, expiry, hashedToken } = await this.tokensService.generateTokenWithExpiryAndHash(15, 'm');
+    // save the login request to the database - ensuring we save the hashedToken
+    await this.loginRequetsRepository.create({ email: data.email, hashedToken, expiresAt: expiry });
+    // send the login request email
+    this.mailerService.sendLoginRequest({
+      to: data.email,
+      props: { token: token }
+    });
+  }
+
+  async verify(data: SignInEmailDto) {
+    const validLoginRequest = await this.fetchValidRequest(data.email, data.token);
+    if (!validLoginRequest) throw BadRequest('Invalid token');
+
+    let existingUser = await this.usersRepository.findOneByEmail(data.email);
+
+    if (!existingUser) {
+      const newUser = await this.handleNewUserRegistration(data.email);
+      return this.lucia.createSession(newUser.id, {});
+    }
+
+    return this.lucia.createSession(existingUser.id, {});
+  }
+
+  // Create a new user and send a welcome email - or other onboarding process
+  private async handleNewUserRegistration(email: string) {
+    const newUser = await this.usersRepository.create({ email, verified: true, avatar: null })
+    this.mailerService.sendWelcome({ to: email, props: null });
+    return newUser
+  }
+
+  // Fetch a valid request from the database, verify the token and burn the request if it is valid
+  private async fetchValidRequest(email: string, token: string) {
+    return await this.db.transaction(async (trx) => {
+      // fetch the login request
+      const loginRequest = await this.loginRequetsRepository.trxHost(trx).findOneByEmail(email)
+      if (!loginRequest) return null;
+
+      // check if the token is valid
+      const isValidRequest = await this.tokensService.verifyHashedToken(loginRequest.hashedToken, token);
+      if (!isValidRequest) return null
+
+      // if the token is valid, burn the request
+      await this.loginRequetsRepository.trxHost(trx).deleteById(loginRequest.id);
+      return loginRequest
+    })
+  }
+}
--- a/src/lib/server/api/services/mailer.service.ts
+++ b/src/lib/server/api/services/mailer.service.ts
@ -1,9 +1,9 @@
-import nodemailer from 'nodemailer';
-import { injectable } from 'tsyringe';
-import handlebars from 'handlebars';
-import path from 'path';
 import fs from 'fs';
+import path from 'path';
+import nodemailer from 'nodemailer';
+import handlebars from 'handlebars';
 import { fileURLToPath } from 'url';
+import { injectable } from 'tsyringe';

 /* -------------------------------------------------------------------------- */
 /*                                   Service                                  */
@ -55,7 +55,16 @@ export class MailerService {
 		});
 	}

-	sendWelcomeEmail(data: SendTemplate<null>) {
+	sendLoginRequest(data: SendTemplate<{ token: string }>) {
+		const template = handlebars.compile(this.getTemplate('email-verification'));
+		return this.send({
+			to: data.to,
+			subject: 'Login Request',
+			html: template({ token: data.props.token })
+		});
+	}
+
+	sendWelcome(data: SendTemplate<null>) {
 		const template = handlebars.compile(this.getTemplate('welcome'));
 		return this.send({
 			to: data.to,
--- a/src/lib/server/api/services/tokens.service.ts
+++ b/src/lib/server/api/services/tokens.service.ts
@ -1,8 +1,7 @@
 import { inject, injectable } from 'tsyringe';
-import { TokensRepository } from '../repositories/tokens.repository';
-import dayjs from 'dayjs';
-import { DatabaseProvider } from '../providers';
-import { generateRandomString, alphabet } from "oslo/crypto";
+import { generateRandomString } from "oslo/crypto";
+import { TimeSpan, createDate, type TimeSpanUnit } from 'oslo';
+import { HashingService } from './hashing.service';

 /* -------------------------------------------------------------------------- */
 /*                                   Service                                  */
@ -24,44 +23,31 @@ simple as possible. This makes the service easier to read, test and understand.

@injectable()
 export class TokensService {
-	constructor(
-		@inject(TokensRepository) private tokensRepository: TokensRepository,
-		@inject(DatabaseProvider) private db: DatabaseProvider
-	) { }
-
-	async create(userId: string, email: string) {
-		return this.tokensRepository.create({
-			userId,
-			email,
-			token: this.generateToken(),
-			expiresAt: dayjs().add(15, 'minutes').toDate()
-		});
-	}
-
-	async validateToken(userId: string, token: string) {
-		const foundToken = await this.db.transaction(async (trx) => {
-			const foundToken = await this.tokensRepository.trxHost(trx).findOneByToken(token);
-			foundToken && (await this.tokensRepository.trxHost(trx).delete(foundToken.id));
-			return foundToken;
-		});
-
-		if (!foundToken) {
-			return false;
-		}
-
-		if (foundToken.userId !== userId) {
-			return false;
-		}
-
-		if (foundToken.expiresAt < new Date()) {
-			return false;
-		}
-
-		return foundToken;
-	}
+	constructor(@inject(HashingService) private readonly hashingService: HashingService) { }

 	generateToken() {
 		const alphabet = '23456789ACDEFGHJKLMNPQRSTUVWXYZ'; // alphabet with removed look-alike characters (0, 1, O, I)
 		return generateRandomString(6, alphabet);
 	}
+
+	generateTokenWithExpiry(number: number, lifespan: TimeSpanUnit) {
+		return {
+			token: this.generateToken(),
+			expiry: createDate(new TimeSpan(number, lifespan))
+		}
+	}
+
+	async generateTokenWithExpiryAndHash(number: number, lifespan: TimeSpanUnit) {
+		const token = this.generateToken()
+		const hashedToken = await this.hashingService.hash(token)
+		return {
+			token,
+			hashedToken,
+			expiry: createDate(new TimeSpan(number, lifespan))
+		}
+	}
+
+	async verifyHashedToken(hashedToken: string, token: string) {
+		return this.hashingService.verify(hashedToken, token)
+	}
 }
--- a/src/lib/utils/helpers.ts
+++ b/src/lib/utils/helpers.ts
@ -1,5 +1,3 @@
-import { createAvatar } from '@dicebear/core';
-import { funEmoji } from '@dicebear/collection'; // you can choose any type
 import { PUBLIC_IMAGE_URI } from '$env/static/public';

 export function ciEquals(a: string, b: string) {
@ -21,11 +19,3 @@ export function getFileByKey(key: string) {
 	if (key.startsWith('http')) return key;
 	return `${PUBLIC_IMAGE_URI}/${key}`;
 }
-
-export function getUserAvatar({ id, avatar }: { id: string; avatar: string | null }) {
-	return avatar
-		? getFileByKey(avatar)
-		: createAvatar(funEmoji, {
-			seed: id
-		}).toDataUri();
-}
--- a/src/routes/(app)/+layout.svelte
+++ b/src/routes/(app)/+layout.svelte
@ -12,7 +12,7 @@
 	import { page } from '$app/stores';
 	import { enhance } from '$app/forms';

-	let { children } = $props();
+	let { children, data } = $props();

 	const routes = [
 		{
@ -86,6 +86,21 @@
 					/>
 				</div>
 			</form>
+			{#if data.authedUser}
+				{@render userDropdown()}
+			{:else}
+				<Button href="/register">Login</Button>
+			{/if}
+		</div>
+	</header>
+	<main
+		class="flex min-h-[calc(100vh_-_theme(spacing.16))] flex-1 flex-col gap-4 bg-muted/40 p-4 md:gap-8 md:p-10"
+	>
+		{@render children()}
+	</main>
+</div>
+
+{#snippet userDropdown()}
 	<DropdownMenu.Root>
 		<DropdownMenu.Trigger asChild let:builder>
 			<Button builders={[builder]} variant="secondary" size="icon" class="rounded-full">
@ -98,16 +113,9 @@
 			<DropdownMenu.Separator />
 			<DropdownMenu.Item>
 				<form action="/?/logout" method="POST" use:enhance class="w-full">
-							<button class="w-full text-start cursor-default" type="submit">Logout</button>
+					<button class="w-full cursor-default text-start" type="submit">Logout</button>
 				</form></DropdownMenu.Item
 			>
 		</DropdownMenu.Content>
 	</DropdownMenu.Root>
-		</div>
-	</header>
-	<main
-		class="flex min-h-[calc(100vh_-_theme(spacing.16))] flex-1 flex-col gap-4 bg-muted/40 p-4 md:gap-8 md:p-10"
-	>
-		{@render children()}
-	</main>
-</div>
+{/snippet}
--- a/src/routes/(app)/+page.server.ts
+++ b/src/routes/(app)/+page.server.ts
@ -1,12 +1,15 @@
+import { StatusCodes } from "$lib/constants/status-codes";
+import { redirect } from "@sveltejs/kit";
+
 export const load = async ({ locals }) => {
 	const user = await locals.getAuthedUser();
 	return { user: user };
 };

-
 export const actions = {
 	logout: async ({ locals }) => {
-		console.log("Logging out")
 		await locals.api.iam.logout.$post()
+		redirect(StatusCodes.SEE_OTHER, '/register')
 	}
 }
+
--- a/src/routes/(app)/settings/account/+page.server.ts
+++ b/src/routes/(app)/settings/account/+page.server.ts
@ -1,7 +1,8 @@
+import { zod } from "sveltekit-superforms/adapters";
 import { updateEmailDto } from "$lib/dtos/update-email.dto.js";
 import { verifyEmailDto } from "$lib/dtos/verify-email.dto.js";
 import { fail, setError, superValidate } from "sveltekit-superforms";
-import { zod } from "sveltekit-superforms/adapters";
+import { StatusCodes } from "$lib/constants/status-codes.js";

 export let load = async (event) => {
 	const authedUser = await event.locals.getAuthedUserOrThrow()
@ -16,15 +17,15 @@ export let load = async (event) => {
 export const actions = {
 	updateEmail: async ({ request, locals }) => {
 		const updateEmailForm = await superValidate(request, zod(updateEmailDto));
-		if (!updateEmailForm.valid) return fail(400, { updateEmailForm })
-		const { data, error } = await locals.api.iam.email.update.$post({ json: updateEmailForm.data }).then(locals.parseApiResponse);
+		if (!updateEmailForm.valid) return fail(StatusCodes.BAD_REQUEST, { updateEmailForm })
+		const { data, error } = await locals.api.iam.email.sendVerification.$post({ json: updateEmailForm.data }).then(locals.parseApiResponse);
 		if (error) return setError(updateEmailForm, 'email', error);
 		return { updateEmailForm }
 	},
 	verifyEmail: async ({ request, locals }) => {
 		const verifyEmailForm = await superValidate(request, zod(verifyEmailDto));
 		console.log(verifyEmailForm)
-		if (!verifyEmailForm.valid) return fail(400, { verifyEmailForm })
+		if (!verifyEmailForm.valid) return fail(StatusCodes.BAD_REQUEST, { verifyEmailForm })
 		const { error } = await locals.api.iam.email.verify.$post({ json: verifyEmailForm.data }).then(locals.parseApiResponse);
 		if (error) return setError(verifyEmailForm, 'token', error);
 		return { verifyEmailForm }
--- a/src/routes/(app)/settings/account/update-email-card.svelte
+++ b/src/routes/(app)/settings/account/update-email-card.svelte
@ -1,12 +1,12 @@
-<script context="module">
+<script context="module" lang="ts">
 	import type { SuperValidated, Infer } from 'sveltekit-superforms';
 	import type { updateEmailDto } from '$lib/dtos/update-email.dto';
 	import type { verifyEmailDto } from '$lib/dtos/verify-email.dto';

-	export type UpdateEmailCardProps = {
+	interface UpdateEmailCardProps {
 		updateEmailForm: SuperValidated<Infer<typeof updateEmailDto>>;
 		verifyEmailForm: SuperValidated<Infer<typeof verifyEmailDto>>;
-	};
+	}
 </script>

 <script lang="ts">
@ -16,7 +16,6 @@
 	import { superForm } from 'sveltekit-superforms';
 	import * as Dialog from '$lib/components/ui/dialog';
 	import PinInput from '$lib/components/pin-input.svelte';
-	import { toastMessage } from '$lib/utils/superforms';

 	/* ---------------------------------- props --------------------------------- */
 	let { updateEmailForm, verifyEmailForm }: UpdateEmailCardProps = $props();
--- a/src/routes/(auth)/register/+page.server.ts
+++ b/src/routes/(auth)/register/+page.server.ts
@ -1,8 +1,9 @@
-import { registerEmailDto } from '$lib/dtos/register-email.dto.js';
-import { signInEmailDto } from '$lib/dtos/signin-email.dto.js';
 import { fail, redirect } from '@sveltejs/kit';
-import { setError, superValidate } from 'sveltekit-superforms';
 import { zod } from 'sveltekit-superforms/adapters';
+import { signInEmailDto } from '$lib/dtos/signin-email.dto.js';
+import { setError, superValidate } from 'sveltekit-superforms';
+import { registerEmailDto } from '$lib/dtos/register-email.dto.js';
+import { StatusCodes } from '$lib/constants/status-codes';

 export const load = async () => {
 	return {
@ -14,15 +15,15 @@ export const load = async () => {
 export const actions = {
 	register: async ({ locals, request }) => {
 		const emailRegisterForm = await superValidate(request, zod(registerEmailDto));
-		if (!emailRegisterForm.valid) return fail(400, { emailRegisterForm });
-		const { error } = await locals.api.iam.email.register.$post({ json: emailRegisterForm.data }).then(locals.parseApiResponse);
+		if (!emailRegisterForm.valid) return fail(StatusCodes.BAD_REQUEST, { emailRegisterForm });
+		const { error } = await locals.api.iam.login.request.$post({ json: emailRegisterForm.data }).then(locals.parseApiResponse);
 		if (error) return setError(emailRegisterForm, 'email', error);
 		return { emailRegisterForm };
 	},
 	signin: async ({ locals, request }) => {
 		const emailSignInForm = await superValidate(request, zod(signInEmailDto));
-		if (!emailSignInForm.valid) return fail(400, { emailSignInForm });
-		const { error } = await locals.api.iam.email.signin.$post({ json: emailSignInForm.data }).then(locals.parseApiResponse)
+		if (!emailSignInForm.valid) return fail(StatusCodes.BAD_REQUEST, { emailSignInForm });
+		const { error } = await locals.api.iam.login.verify.$post({ json: emailSignInForm.data }).then(locals.parseApiResponse)
 		if (error) return setError(emailSignInForm, 'token', error);
 		redirect(301, '/');
 	}
--- a/src/routes/+layout.server.ts
+++ b/src/routes/+layout.server.ts
@ -0,0 +1,6 @@
+export const load = async ({ locals }) => {
+  const authedUser = await locals.getAuthedUser();
+  return {
+    authedUser
+  }
+}
--- a/volume/cache/machine.json
+++ b/volume/cache/machine.json
@ -0,0 +1 @@
+{"machine_id": "dkr_4e8cc7cb0ecc"}
--- a/volume/cache/server.test.pem
+++ b/volume/cache/server.test.pem
@ -0,0 +1,119 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmuU6GRc/KMXzc
+qVGR0hrMaFze3C9nG24mEeRdGOdpOqDnFoC1OANAY5nOCPLJzPB3lS+bYZj+6RU
+oPoDSL1Kd5TS8bZEIBgvbkAHexEwQwbtOnPS6j2lL9o0BrLh5OKEv07DinpaPx1H
+EQatZ59+qZnbIEo81fAA0jJUcfVNamb7LBj5sMnpvMS/JnLWmSyOD1/aKUqvixNe
+lNMHZvHWPymN1I/qJa85hNPMVO/4fioyC79DhtUuPl5eLC6RxDU7dv4SBLhNPMYV
+wdM0k1ymUzGDihJ5lpISavX6b/4+inpHzVstGBAXE9xM2hh+hzvlpdULs+KZo8em
+gIIAOiDtAgMBAAECggEASC1pBVAryMjr2W7ZJjet7loqHyiNgki6Z3PlZ98PUSwY
+KqoBfcBSzs6hq6XuOQDbs05hOZ+I0rgaSFj4Y3uWFyr1zuy9j3ilf8MnDRYGNvKN
+iR4JDoJB9cVlnahYwNqqBfYcTyMgHPm93wpL7b4ymk8qQGcWPIgRwwk8qLo9DCoV
+SKEcLPUByv/oRB3VuzTXq9qKK7Qznn6AU5U2ulF+gerG00eYreDkYrAC2xpLYrGY
+d3nORW8jA0jfr8m1rvX8p5dKnLmkM1ZMWSUJQg76Vz6iY7S8A0Z1TRFiYDifqdEb
+CK0eo6FuVKf5D1tgwFZP31gX06kI8E0bjhsCg2GDsQKBgQDS2cuHo6AxgBPDmxyy
+pjpnpvE0y6KNzReg++ZSL0ra6OZYCxHoPXF7zLxYqQt4P1TCTJE+6OxGZhw0lLEN
+U3FEe2X0gUK6/YF/iaCQNiWB97U3CV1OW4VOTawh1xKZYjuin4HbdO7irRkSAym4
+6tsOTYJbB2i8ahyjSvm53hbutwKBgQDKbJt2ZJllIEUbz/9EdNl0qgfF3u+ODI0V
+LWVldGLABen5MX7f7bo1Mn24gInC0lhVOipvCWJbzFI1+uoQKnn1koTfX7ThOR2O
+hQsdnF2AQHSsrZPiHBifTUsDw9ap9F/VgwvyfCOseYzybZiyMZ6IkSxTngBTQJ30
+Etmt6LcJewKBgE7nXAf1ToRXpo3DpRihpieVzJvyPHGON3Jx8b39nqiPEWwPMHNV
+Uvt+IVmYYQdtw702RABjz8+EdLekkSEogbGb8ApwuNUa+vQMP77X1G9vkCv5YCZr
+j1Y/MNQ1FOu7XA++Wy0R9Dd1iXU5I8rkcHdIwChqfGJN30uoSg2pM7G/AoGBAKDJ
+3j8Pr4zVMi/iaticnHJ/8Maqy8wgihxNP+JzrVDsIarQNwB2W9ePsK9SYpr+7C1e
+k4A5iwhx5sd79Fo88z0uUh8AbbQM4z5mzaqKnvaVvFfBVNthB+nZwoFOGQBM3abC
+fkXxd4Cz2FJk3cqFgXDnJ7ePpKB8jjrmkkQCuwlrAoGBAKOB3CY7DyMzzWdUY/pk
+Zh8/JquFmm3F6MeRhsdifc2IeigwU+FTQTmQSTWtfInAsZ0jOgkihYgqRi8+W2y
+r7nYQTlW2zfoMKkqZQ6xiRiBy2PaYwmdkSCSZAQIQ41rBjBlsL95MHcib/xjGBim
+736norwdHWD3IrjS1fJWJglu
+-----END PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+MIILCzCCCfOgAwIBAgISAx0saYDSPGV3sv//Ssy38WrAMA0GCSqGSIb3DQEBCwUA
+MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+EwJSMzAeFw0yNDA2MDEwNTA4NTNaFw0yNDA4MzAwNTA4NTJaMCUxIzAhBgNVBAMT
+GmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3VkMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAprlOhkXPyjF83PqlRkdIazGhc3twvZxtuJhHkXRjnaTqg5xa
+AtTgDQGOZzgjyyczwd5Uvm2GY/ukVKD6A0i9SneU0vG2RCAYL25AB3sRMEMG7Tpz
+0uo9pS/aNAay4eTihL9Ow4p6Wj8dRxEGrWeffqmZ2yBKPNXwANIyVHH1TWpm+ywY
+bDJ6bzEvyZy1pksjg9f2ilKr4sTXpTTB2bx1j8pjdSP6iWvOYTTzFTv+H4qMgu/
+Q4bVLj5eXiwukcQ1O3b+EgS4TTzGFcHTNJNcplMxg4oSeZaSEmr1+m/+Pop6R81b
+LRgQFxPcTNoYfoc75aXVC7PimaPHpoCCADog7QIDAQABo4IIJjCCCCIwDgYDVR0P
+AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
+Af8EAjAAMB0GA1UdDgQWBBQn7Yd00V9tcEmukJkQCDK8+QA6UjAfBgNVHSMEGDAW
+gBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUH
+MAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3Iz
+LmkubGVuY3Iub3JnLzCCBi4GA1UdEQSCBiUwggYhgicqLmFtcGxpZnlhcHAubG9j
+YWxob3N0LmxvY2Fsc3RhY2suY2xvdWSCJyouY2xvdWRmcm9udC5sb2NhbGhvc3Qu
+bG9jYWxzdGFjay5jbG91ZIIxKi5ka3IuZWNyLmV1LWNlbnRyYWwtMS5sb2NhbGhv
+c3QubG9jYWxzdGFjay5jbG91ZIIuKi5ka3IuZWNyLmV1LXdlc3QtMS5sb2NhbGhv
+c3QubG9jYWxzdGFjay5jbG91ZIIuKi5ka3IuZWNyLnVzLWVhc3QtMS5sb2NhbGhv
+c3QubG9jYWxzdGFjay5jbG91ZIIuKi5ka3IuZWNyLnVzLWVhc3QtMi5sb2NhbGhv
+c3QubG9jYWxzdGFjay5jbG91ZIIuKi5ka3IuZWNyLnVzLXdlc3QtMS5sb2NhbGhv
+c3QubG9jYWxzdGFjay5jbG91ZIIuKi5ka3IuZWNyLnVzLXdlc3QtMi5sb2NhbGhv
+c3QubG9jYWxzdGFjay5jbG91ZIIgKi5lbGIubG9jYWxob3N0LmxvY2Fsc3RhY2su
+Y2xvdWSCNCouZXUtY2VudHJhbC0xLm9wZW5zZWFyY2gubG9jYWxob3N0LmxvY2Fs
+c3RhY2suY2xvdWSCMSouZXUtd2VzdC0xLm9wZW5zZWFyY2gubG9jYWxob3N0Lmxv
+Y2Fsc3RhY2suY2xvdWSCKCouZXhlY3V0ZS1hcGkubG9jYWxob3N0LmxvY2Fsc3Rh
+Y2suY2xvdWSCNCoubGFtYmRhLXVybC5ldS1jZW50cmFsLTEubG9jYWxob3N0Lmxv
+Y2Fsc3RhY2suY2xvdWSCMSoubGFtYmRhLXVybC5ldS13ZXN0LTEubG9jYWxob3N0
+LmxvY2Fsc3RhY2suY2xvdWSCMSoubGFtYmRhLXVybC51cy1lYXN0LTEubG9jYWxo
+b3N0LmxvY2Fsc3RhY2suY2xvdWSCMSoubGFtYmRhLXVybC51cy1lYXN0LTIubG9j
+YWxob3N0LmxvY2Fsc3RhY2suY2xvdWSCMSoubGFtYmRhLXVybC51cy13ZXN0LTEu
+bG9jYWxob3N0LmxvY2Fsc3RhY2suY2xvdWSCMSoubGFtYmRhLXVybC51cy13ZXN0
+LTIubG9jYWxob3N0LmxvY2Fsc3RhY2suY2xvdWSCHCoubG9jYWxob3N0LmxvY2Fs
+c3RhY2suY2xvdWSCJyoub3BlbnNlYXJjaC5sb2NhbGhvc3QubG9jYWxzdGFjay5j
+bG91ZIInKi5zMy13ZWJzaXRlLmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3Vkgh8q
+LnMzLmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3VkgiAqLnNjbS5sb2NhbGhvc3Qu
+bG9jYWxzdGFjay5jbG91ZIImKi5zbm93Zmxha2UubG9jYWxob3N0LmxvY2Fsc3Rh
+Y2suY2xvdWSCMSoudXMtZWFzdC0xLm9wZW5zZWFyY2gubG9jYWxob3N0LmxvY2Fs
+c3RhY2suY2xvdWSCMSoudXMtZWFzdC0yLm9wZW5zZWFyY2gubG9jYWxob3N0Lmxv
+Y2Fsc3RhY2suY2xvdWSCMSoudXMtd2VzdC0xLm9wZW5zZWFyY2gubG9jYWxob3N0
+LmxvY2Fsc3RhY2suY2xvdWSCMSoudXMtd2VzdC0yLm9wZW5zZWFyY2gubG9jYWxo
+b3N0LmxvY2Fsc3RhY2suY2xvdWSCGmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3Vk
+gitzcXMuZXUtY2VudHJhbC0xLmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3Vkgihz
+cXMuZXUtd2VzdC0xLmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3VkgihzcXMudXMt
+ZWFzdC0xLmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3VkgihzcXMudXMtZWFzdC0y
+LmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3VkgihzcXMudXMtd2VzdC0xLmxvY2Fs
+aG9zdC5sb2NhbHN0YWNrLmNsb3VkgihzcXMudXMtd2VzdC0yLmxvY2FsaG9zdC5s
+b2NhbHN0YWNrLmNsb3VkMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBAwYKKwYBBAHW
+eQIEAgSB9ASB8QDvAHUAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4A
+AAGP0mpOGwAABAMARjBEAiB5sV2rP0U9GU19xHb2u0rKJ1tg/39OB42jaruRQmEX
+MgIgAoudClE+rY4Jx38b2kVBjYDKmyy+3rnJgo0p+Qq/cMIAdgAZmBBxCfDWUi4w
+gNKeP2S7g24ozPkPUo7u385KPxa0ygAAAY/Sak4qAAAEAwBHMEUCIQDtY4+c4S42
+J6LXeDWMLSOyctL4c/CrBylwwkj34y9x3AIgbeSmmtYRFa0X2aGRnuiFWW26bp8t
+8z+LUIal4LXRCK0wDQYJKoZIhvcNAQELBQADggEBAIROD+OEV8sV8IHCqPE97BhL
+dcreAdYbHfBHr/fuHxhBxL01I7ocfH4fWk9+mXmbTmqaO95R63bQY5I1E6riUXdQ
+kbDN1tM21d41GbgN/Y4ihHeeBTx3Xwch5j/3MEjHAHCo4rP8iizT/X/4kttuSEXC
+LM8zav2rbR1izWq35Z0m571axpU8gJcCzQHFU/Z8E2tSVZ+WelFogIpe7LHu7UIo
+o70j9UQ0AVEqrCos97x2O5mIeuYuJW0SlXFd4R20U52+L/P5XU/h2NGZPTx70VTT
+S36fAzFVc+vbpnRt6Klu0sxf42zq1uVIi7b6UQP0UiGZvdjhioxfoJh+yIJI0XI=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
--- a/volume/cache/server.test.pem.crt
+++ b/volume/cache/server.test.pem.crt
@ -0,0 +1,91 @@
+-----BEGIN CERTIFICATE-----
+MIILCzCCCfOgAwIBAgISAx0saYDSPGV3sv//Ssy38WrAMA0GCSqGSIb3DQEBCwUA
+MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
+EwJSMzAeFw0yNDA2MDEwNTA4NTNaFw0yNDA4MzAwNTA4NTJaMCUxIzAhBgNVBAMT
+GmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3VkMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAprlOhkXPyjF83PqlRkdIazGhc3twvZxtuJhHkXRjnaTqg5xa
+AtTgDQGOZzgjyyczwd5Uvm2GY/ukVKD6A0i9SneU0vG2RCAYL25AB3sRMEMG7Tpz
+0uo9pS/aNAay4eTihL9Ow4p6Wj8dRxEGrWeffqmZ2yBKPNXwANIyVHH1TWpm+ywY
+bDJ6bzEvyZy1pksjg9f2ilKr4sTXpTTB2bx1j8pjdSP6iWvOYTTzFTv+H4qMgu/
+Q4bVLj5eXiwukcQ1O3b+EgS4TTzGFcHTNJNcplMxg4oSeZaSEmr1+m/+Pop6R81b
+LRgQFxPcTNoYfoc75aXVC7PimaPHpoCCADog7QIDAQABo4IIJjCCCCIwDgYDVR0P
+AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
+Af8EAjAAMB0GA1UdDgQWBBQn7Yd00V9tcEmukJkQCDK8+QA6UjAfBgNVHSMEGDAW
+gBQULrMXt1hWy65QCUDmH6+dixTCxjBVBggrBgEFBQcBAQRJMEcwIQYIKwYBBQUH
+MAGGFWh0dHA6Ly9yMy5vLmxlbmNyLm9yZzAiBggrBgEFBQcwAoYWaHR0cDovL3Iz
+LmkubGVuY3Iub3JnLzCCBi4GA1UdEQSCBiUwggYhgicqLmFtcGxpZnlhcHAubG9j
+YWxob3N0LmxvY2Fsc3RhY2suY2xvdWSCJyouY2xvdWRmcm9udC5sb2NhbGhvc3Qu
+bG9jYWxzdGFjay5jbG91ZIIxKi5ka3IuZWNyLmV1LWNlbnRyYWwtMS5sb2NhbGhv
+c3QubG9jYWxzdGFjay5jbG91ZIIuKi5ka3IuZWNyLmV1LXdlc3QtMS5sb2NhbGhv
+c3QubG9jYWxzdGFjay5jbG91ZIIuKi5ka3IuZWNyLnVzLWVhc3QtMS5sb2NhbGhv
+c3QubG9jYWxzdGFjay5jbG91ZIIuKi5ka3IuZWNyLnVzLWVhc3QtMi5sb2NhbGhv
+c3QubG9jYWxzdGFjay5jbG91ZIIuKi5ka3IuZWNyLnVzLXdlc3QtMS5sb2NhbGhv
+c3QubG9jYWxzdGFjay5jbG91ZIIuKi5ka3IuZWNyLnVzLXdlc3QtMi5sb2NhbGhv
+c3QubG9jYWxzdGFjay5jbG91ZIIgKi5lbGIubG9jYWxob3N0LmxvY2Fsc3RhY2su
+Y2xvdWSCNCouZXUtY2VudHJhbC0xLm9wZW5zZWFyY2gubG9jYWxob3N0LmxvY2Fs
+c3RhY2suY2xvdWSCMSouZXUtd2VzdC0xLm9wZW5zZWFyY2gubG9jYWxob3N0Lmxv
+Y2Fsc3RhY2suY2xvdWSCKCouZXhlY3V0ZS1hcGkubG9jYWxob3N0LmxvY2Fsc3Rh
+Y2suY2xvdWSCNCoubGFtYmRhLXVybC5ldS1jZW50cmFsLTEubG9jYWxob3N0Lmxv
+Y2Fsc3RhY2suY2xvdWSCMSoubGFtYmRhLXVybC5ldS13ZXN0LTEubG9jYWxob3N0
+LmxvY2Fsc3RhY2suY2xvdWSCMSoubGFtYmRhLXVybC51cy1lYXN0LTEubG9jYWxo
+b3N0LmxvY2Fsc3RhY2suY2xvdWSCMSoubGFtYmRhLXVybC51cy1lYXN0LTIubG9j
+YWxob3N0LmxvY2Fsc3RhY2suY2xvdWSCMSoubGFtYmRhLXVybC51cy13ZXN0LTEu
+bG9jYWxob3N0LmxvY2Fsc3RhY2suY2xvdWSCMSoubGFtYmRhLXVybC51cy13ZXN0
+LTIubG9jYWxob3N0LmxvY2Fsc3RhY2suY2xvdWSCHCoubG9jYWxob3N0LmxvY2Fs
+c3RhY2suY2xvdWSCJyoub3BlbnNlYXJjaC5sb2NhbGhvc3QubG9jYWxzdGFjay5j
+bG91ZIInKi5zMy13ZWJzaXRlLmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3Vkgh8q
+LnMzLmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3VkgiAqLnNjbS5sb2NhbGhvc3Qu
+bG9jYWxzdGFjay5jbG91ZIImKi5zbm93Zmxha2UubG9jYWxob3N0LmxvY2Fsc3Rh
+Y2suY2xvdWSCMSoudXMtZWFzdC0xLm9wZW5zZWFyY2gubG9jYWxob3N0LmxvY2Fs
+c3RhY2suY2xvdWSCMSoudXMtZWFzdC0yLm9wZW5zZWFyY2gubG9jYWxob3N0Lmxv
+Y2Fsc3RhY2suY2xvdWSCMSoudXMtd2VzdC0xLm9wZW5zZWFyY2gubG9jYWxob3N0
+LmxvY2Fsc3RhY2suY2xvdWSCMSoudXMtd2VzdC0yLm9wZW5zZWFyY2gubG9jYWxo
+b3N0LmxvY2Fsc3RhY2suY2xvdWSCGmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3Vk
+gitzcXMuZXUtY2VudHJhbC0xLmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3Vkgihz
+cXMuZXUtd2VzdC0xLmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3VkgihzcXMudXMt
+ZWFzdC0xLmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3VkgihzcXMudXMtZWFzdC0y
+LmxvY2FsaG9zdC5sb2NhbHN0YWNrLmNsb3VkgihzcXMudXMtd2VzdC0xLmxvY2Fs
+aG9zdC5sb2NhbHN0YWNrLmNsb3VkgihzcXMudXMtd2VzdC0yLmxvY2FsaG9zdC5s
+b2NhbHN0YWNrLmNsb3VkMBMGA1UdIAQMMAowCAYGZ4EMAQIBMIIBAwYKKwYBBAHW
+eQIEAgSB9ASB8QDvAHUAPxdLT9ciR1iUHWUchL4NEu2QN38fhWrrwb8ohez4ZG4A
+AAGP0mpOGwAABAMARjBEAiB5sV2rP0U9GU19xHb2u0rKJ1tg/39OB42jaruRQmEX
+MgIgAoudClE+rY4Jx38b2kVBjYDKmyy+3rnJgo0p+Qq/cMIAdgAZmBBxCfDWUi4w
+gNKeP2S7g24ozPkPUo7u385KPxa0ygAAAY/Sak4qAAAEAwBHMEUCIQDtY4+c4S42
+J6LXeDWMLSOyctL4c/CrBylwwkj34y9x3AIgbeSmmtYRFa0X2aGRnuiFWW26bp8t
+8z+LUIal4LXRCK0wDQYJKoZIhvcNAQELBQADggEBAIROD+OEV8sV8IHCqPE97BhL
+dcreAdYbHfBHr/fuHxhBxL01I7ocfH4fWk9+mXmbTmqaO95R63bQY5I1E6riUXdQ
+kbDN1tM21d41GbgN/Y4ihHeeBTx3Xwch5j/3MEjHAHCo4rP8iizT/X/4kttuSEXC
+LM8zav2rbR1izWq35Z0m571axpU8gJcCzQHFU/Z8E2tSVZ+WelFogIpe7LHu7UIo
+o70j9UQ0AVEqrCos97x2O5mIeuYuJW0SlXFd4R20U52+L/P5XU/h2NGZPTx70VTT
+S36fAzFVc+vbpnRt6Klu0sxf42zq1uVIi7b6UQP0UiGZvdjhioxfoJh+yIJI0XI=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
+TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
+cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
+WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
+RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
+R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
+sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
+NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
+Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
+/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
+AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
+Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
+FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
+AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
+Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
+gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
+PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
+ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
+CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
+lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
+avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
+yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
+yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
+hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
+HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
+MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
+nLRbwHOoq7hHwg==
+-----END CERTIFICATE-----
--- a/volume/cache/server.test.pem.key
+++ b/volume/cache/server.test.pem.key
@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCmuU6GRc/KMXzc
+qVGR0hrMaFze3C9nG24mEeRdGOdpOqDnFoC1OANAY5nOCPLJzPB3lS+bYZj+6RU
+oPoDSL1Kd5TS8bZEIBgvbkAHexEwQwbtOnPS6j2lL9o0BrLh5OKEv07DinpaPx1H
+EQatZ59+qZnbIEo81fAA0jJUcfVNamb7LBj5sMnpvMS/JnLWmSyOD1/aKUqvixNe
+lNMHZvHWPymN1I/qJa85hNPMVO/4fioyC79DhtUuPl5eLC6RxDU7dv4SBLhNPMYV
+wdM0k1ymUzGDihJ5lpISavX6b/4+inpHzVstGBAXE9xM2hh+hzvlpdULs+KZo8em
+gIIAOiDtAgMBAAECggEASC1pBVAryMjr2W7ZJjet7loqHyiNgki6Z3PlZ98PUSwY
+KqoBfcBSzs6hq6XuOQDbs05hOZ+I0rgaSFj4Y3uWFyr1zuy9j3ilf8MnDRYGNvKN
+iR4JDoJB9cVlnahYwNqqBfYcTyMgHPm93wpL7b4ymk8qQGcWPIgRwwk8qLo9DCoV
+SKEcLPUByv/oRB3VuzTXq9qKK7Qznn6AU5U2ulF+gerG00eYreDkYrAC2xpLYrGY
+d3nORW8jA0jfr8m1rvX8p5dKnLmkM1ZMWSUJQg76Vz6iY7S8A0Z1TRFiYDifqdEb
+CK0eo6FuVKf5D1tgwFZP31gX06kI8E0bjhsCg2GDsQKBgQDS2cuHo6AxgBPDmxyy
+pjpnpvE0y6KNzReg++ZSL0ra6OZYCxHoPXF7zLxYqQt4P1TCTJE+6OxGZhw0lLEN
+U3FEe2X0gUK6/YF/iaCQNiWB97U3CV1OW4VOTawh1xKZYjuin4HbdO7irRkSAym4
+6tsOTYJbB2i8ahyjSvm53hbutwKBgQDKbJt2ZJllIEUbz/9EdNl0qgfF3u+ODI0V
+LWVldGLABen5MX7f7bo1Mn24gInC0lhVOipvCWJbzFI1+uoQKnn1koTfX7ThOR2O
+hQsdnF2AQHSsrZPiHBifTUsDw9ap9F/VgwvyfCOseYzybZiyMZ6IkSxTngBTQJ30
+Etmt6LcJewKBgE7nXAf1ToRXpo3DpRihpieVzJvyPHGON3Jx8b39nqiPEWwPMHNV
+Uvt+IVmYYQdtw702RABjz8+EdLekkSEogbGb8ApwuNUa+vQMP77X1G9vkCv5YCZr
+j1Y/MNQ1FOu7XA++Wy0R9Dd1iXU5I8rkcHdIwChqfGJN30uoSg2pM7G/AoGBAKDJ
+3j8Pr4zVMi/iaticnHJ/8Maqy8wgihxNP+JzrVDsIarQNwB2W9ePsK9SYpr+7C1e
+k4A5iwhx5sd79Fo88z0uUh8AbbQM4z5mzaqKnvaVvFfBVNthB+nZwoFOGQBM3abC
+fkXxd4Cz2FJk3cqFgXDnJ7ePpKB8jjrmkkQCuwlrAoGBAKOB3CY7DyMzzWdUY/pk
+Zh8/JquFmm3F6MeRhsdifc2IeigwU+FTQTmQSTWtfInAsZ0jOgkihYgqRi8+W2y
+r7nYQTlW2zfoMKkqZQ6xiRiBy2PaYwmdkSCSZAQIQ41rBjBlsL95MHcib/xjGBim
+736norwdHWD3IrjS1fJWJglu
+-----END PRIVATE KEY-----
--- a/volume/cache/service-catalog-3_4_1_dev-1_34_122.pickle
+++ b/volume/cache/service-catalog-3_4_1_dev-1_34_122.pickle