Merge branch 'master' into 166_add_scopes_analysis

2025-09-06 00:42:59 +02:00 · 2023-08-22 15:26:20 +02:00
parent f7571211fd 2ddc24b7ee
commit 2f35482aff
63 changed files with 3864 additions and 2601 deletions
--- a/internal/api/api_test.go
+++ b/internal/api/api_test.go
@@ -39,6 +39,9 @@ func setup(t *testing.T) *api.RestApi {
 		"kind": "file",
 		"path": "./var/job-archive"
 	},
+    "jwts": {
+        "max-age": "2m"
+    },
 	"clusters": [
 	{
 	   "name": "testcluster",
--- a/internal/api/rest.go
+++ b/internal/api/rest.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) 2023 NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -20,11 +20,13 @@ import (
 	"time"

 	"github.com/ClusterCockpit/cc-backend/internal/auth"
+	"github.com/ClusterCockpit/cc-backend/internal/config"
 	"github.com/ClusterCockpit/cc-backend/internal/graph"
 	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
 	"github.com/ClusterCockpit/cc-backend/internal/importer"
 	"github.com/ClusterCockpit/cc-backend/internal/metricdata"
 	"github.com/ClusterCockpit/cc-backend/internal/repository"
+	"github.com/ClusterCockpit/cc-backend/internal/util"
 	"github.com/ClusterCockpit/cc-backend/pkg/archive"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
@@ -75,6 +77,13 @@ func (api *RestApi) MountRoutes(r *mux.Router) {
 	r.HandleFunc("/jobs/delete_job/", api.deleteJobByRequest).Methods(http.MethodDelete)
 	r.HandleFunc("/jobs/delete_job/{id}", api.deleteJobById).Methods(http.MethodDelete)
 	r.HandleFunc("/jobs/delete_job_before/{ts}", api.deleteJobBefore).Methods(http.MethodDelete)
+	// r.HandleFunc("/secured/addProject/{id}/{project}", api.secureUpdateUser).Methods(http.MethodPost)
+	// r.HandleFunc("/secured/addRole/{id}/{role}", api.secureUpdateUser).Methods(http.MethodPost)
+
+	if api.MachineStateDir != "" {
+		r.HandleFunc("/machine_state/{cluster}/{host}", api.getMachineState).Methods(http.MethodGet)
+		r.HandleFunc("/machine_state/{cluster}/{host}", api.putMachineState).Methods(http.MethodPut, http.MethodPost)
+	}

 	if api.Authentication != nil {
 		r.HandleFunc("/jwt/", api.getJWT).Methods(http.MethodGet)
@@ -85,11 +94,6 @@ func (api *RestApi) MountRoutes(r *mux.Router) {
 		r.HandleFunc("/user/{id}", api.updateUser).Methods(http.MethodPost)
 		r.HandleFunc("/configuration/", api.updateConfiguration).Methods(http.MethodPost)
 	}
-
-	if api.MachineStateDir != "" {
-		r.HandleFunc("/machine_state/{cluster}/{host}", api.getMachineState).Methods(http.MethodGet)
-		r.HandleFunc("/machine_state/{cluster}/{host}", api.putMachineState).Methods(http.MethodPut, http.MethodPost)
-	}
 }

 // StartJobApiResponse model
@@ -103,6 +107,11 @@ type DeleteJobApiResponse struct {
 	Message string `json:"msg"`
 }

+// UpdateUserApiResponse model
+type UpdateUserApiResponse struct {
+	Message string `json:"msg"`
+}
+
 // StopJobApiRequest model
 type StopJobApiRequest struct {
 	// Stop Time of job as epoch
@@ -172,6 +181,36 @@ func decode(r io.Reader, val interface{}) error {
 	return dec.Decode(val)
 }

+func securedCheck(r *http.Request) error {
+	user := repository.GetUserFromContext(r.Context())
+	if user == nil {
+		return fmt.Errorf("no user in context")
+	}
+
+	if user.AuthType == schema.AuthToken {
+		// If nothing declared in config: deny all request to this endpoint
+		if config.Keys.ApiAllowedIPs == nil || len(config.Keys.ApiAllowedIPs) == 0 {
+			return fmt.Errorf("missing configuration key ApiAllowedIPs")
+		}
+
+		// extract IP address
+		IPAddress := r.Header.Get("X-Real-Ip")
+		if IPAddress == "" {
+			IPAddress = r.Header.Get("X-Forwarded-For")
+		}
+		if IPAddress == "" {
+			IPAddress = r.RemoteAddr
+		}
+
+		// check if IP is allowed
+		if !util.Contains(config.Keys.ApiAllowedIPs, IPAddress) {
+			return fmt.Errorf("unknown ip: %v", IPAddress)
+		}
+	}
+
+	return nil
+}
+
 // getJobs godoc
 // @summary     Lists all jobs
 // @tags query
@@ -193,8 +232,10 @@ func decode(r io.Reader, val interface{}) error {
 // @router      /jobs/ [get]
 func (api *RestApi) getJobs(rw http.ResponseWriter, r *http.Request) {

-	if user := auth.GetUser(r.Context()); user != nil && !user.HasRole(auth.RoleApi) {
-		handleError(fmt.Errorf("missing role: %v", auth.GetRoleString(auth.RoleApi)), http.StatusForbidden, rw)
+	if user := repository.GetUserFromContext(r.Context()); user != nil &&
+		!user.HasRole(schema.RoleApi) {
+
+		handleError(fmt.Errorf("missing role: %v", schema.GetRoleString(schema.RoleApi)), http.StatusForbidden, rw)
 		return
 	}

@@ -335,9 +376,11 @@ func (api *RestApi) getJobs(rw http.ResponseWriter, r *http.Request) {
 // @security    ApiKeyAuth
 // @router      /jobs/{id} [post]
 func (api *RestApi) getJobById(rw http.ResponseWriter, r *http.Request) {
-	if user := auth.GetUser(r.Context()); user != nil && !user.HasRole(auth.RoleApi) {
+	if user := repository.GetUserFromContext(r.Context()); user != nil &&
+		!user.HasRole(schema.RoleApi) {
+
 		handleError(fmt.Errorf("missing role: %v",
-			auth.GetRoleString(auth.RoleApi)), http.StatusForbidden, rw)
+			schema.GetRoleString(schema.RoleApi)), http.StatusForbidden, rw)
 		return
 	}

@@ -426,8 +469,10 @@ func (api *RestApi) getJobById(rw http.ResponseWriter, r *http.Request) {
 // @security    ApiKeyAuth
 // @router      /jobs/tag_job/{id} [post]
 func (api *RestApi) tagJob(rw http.ResponseWriter, r *http.Request) {
-	if user := auth.GetUser(r.Context()); user != nil && !user.HasRole(auth.RoleApi) {
-		handleError(fmt.Errorf("missing role: %v", auth.GetRoleString(auth.RoleApi)), http.StatusForbidden, rw)
+	if user := repository.GetUserFromContext(r.Context()); user != nil &&
+		!user.HasRole(schema.RoleApi) {
+
+		handleError(fmt.Errorf("missing role: %v", schema.GetRoleString(schema.RoleApi)), http.StatusForbidden, rw)
 		return
 	}

@@ -491,8 +536,10 @@ func (api *RestApi) tagJob(rw http.ResponseWriter, r *http.Request) {
 // @security    ApiKeyAuth
 // @router      /jobs/start_job/ [post]
 func (api *RestApi) startJob(rw http.ResponseWriter, r *http.Request) {
-	if user := auth.GetUser(r.Context()); user != nil && !user.HasRole(auth.RoleApi) {
-		handleError(fmt.Errorf("missing role: %v", auth.GetRoleString(auth.RoleApi)), http.StatusForbidden, rw)
+	if user := repository.GetUserFromContext(r.Context()); user != nil &&
+		!user.HasRole(schema.RoleApi) {
+
+		handleError(fmt.Errorf("missing role: %v", schema.GetRoleString(schema.RoleApi)), http.StatusForbidden, rw)
 		return
 	}

@@ -572,8 +619,10 @@ func (api *RestApi) startJob(rw http.ResponseWriter, r *http.Request) {
 // @security    ApiKeyAuth
 // @router      /jobs/stop_job/{id} [post]
 func (api *RestApi) stopJobById(rw http.ResponseWriter, r *http.Request) {
-	if user := auth.GetUser(r.Context()); user != nil && !user.HasRole(auth.RoleApi) {
-		handleError(fmt.Errorf("missing role: %v", auth.GetRoleString(auth.RoleApi)), http.StatusForbidden, rw)
+	if user := repository.GetUserFromContext(r.Context()); user != nil &&
+		!user.HasRole(schema.RoleApi) {
+
+		handleError(fmt.Errorf("missing role: %v", schema.GetRoleString(schema.RoleApi)), http.StatusForbidden, rw)
 		return
 	}

@@ -625,8 +674,10 @@ func (api *RestApi) stopJobById(rw http.ResponseWriter, r *http.Request) {
 // @security    ApiKeyAuth
 // @router      /jobs/stop_job/ [post]
 func (api *RestApi) stopJobByRequest(rw http.ResponseWriter, r *http.Request) {
-	if user := auth.GetUser(r.Context()); user != nil && !user.HasRole(auth.RoleApi) {
-		handleError(fmt.Errorf("missing role: %v", auth.GetRoleString(auth.RoleApi)), http.StatusForbidden, rw)
+	if user := repository.GetUserFromContext(r.Context()); user != nil &&
+		!user.HasRole(schema.RoleApi) {
+
+		handleError(fmt.Errorf("missing role: %v", schema.GetRoleString(schema.RoleApi)), http.StatusForbidden, rw)
 		return
 	}

@@ -671,8 +722,8 @@ func (api *RestApi) stopJobByRequest(rw http.ResponseWriter, r *http.Request) {
 // @security    ApiKeyAuth
 // @router      /jobs/delete_job/{id} [delete]
 func (api *RestApi) deleteJobById(rw http.ResponseWriter, r *http.Request) {
-	if user := auth.GetUser(r.Context()); user != nil && !user.HasRole(auth.RoleApi) {
-		handleError(fmt.Errorf("missing role: %v", auth.GetRoleString(auth.RoleApi)), http.StatusForbidden, rw)
+	if user := repository.GetUserFromContext(r.Context()); user != nil && !user.HasRole(schema.RoleApi) {
+		handleError(fmt.Errorf("missing role: %v", schema.GetRoleString(schema.RoleApi)), http.StatusForbidden, rw)
 		return
 	}

@@ -719,8 +770,9 @@ func (api *RestApi) deleteJobById(rw http.ResponseWriter, r *http.Request) {
 // @security    ApiKeyAuth
 // @router      /jobs/delete_job/ [delete]
 func (api *RestApi) deleteJobByRequest(rw http.ResponseWriter, r *http.Request) {
-	if user := auth.GetUser(r.Context()); user != nil && !user.HasRole(auth.RoleApi) {
-		handleError(fmt.Errorf("missing role: %v", auth.GetRoleString(auth.RoleApi)), http.StatusForbidden, rw)
+	if user := repository.GetUserFromContext(r.Context()); user != nil &&
+		!user.HasRole(schema.RoleApi) {
+		handleError(fmt.Errorf("missing role: %v", schema.GetRoleString(schema.RoleApi)), http.StatusForbidden, rw)
 		return
 	}

@@ -775,8 +827,8 @@ func (api *RestApi) deleteJobByRequest(rw http.ResponseWriter, r *http.Request)
 // @security    ApiKeyAuth
 // @router      /jobs/delete_job_before/{ts} [delete]
 func (api *RestApi) deleteJobBefore(rw http.ResponseWriter, r *http.Request) {
-	if user := auth.GetUser(r.Context()); user != nil && !user.HasRole(auth.RoleApi) {
-		handleError(fmt.Errorf("missing role: %v", auth.GetRoleString(auth.RoleApi)), http.StatusForbidden, rw)
+	if user := repository.GetUserFromContext(r.Context()); user != nil && !user.HasRole(schema.RoleApi) {
+		handleError(fmt.Errorf("missing role: %v", schema.GetRoleString(schema.RoleApi)), http.StatusForbidden, rw)
 		return
 	}

@@ -892,10 +944,15 @@ func (api *RestApi) getJobMetrics(rw http.ResponseWriter, r *http.Request) {
 }

 func (api *RestApi) getJWT(rw http.ResponseWriter, r *http.Request) {
+	err := securedCheck(r)
+	if err != nil {
+		http.Error(rw, err.Error(), http.StatusForbidden)
+	}
+
 	rw.Header().Set("Content-Type", "text/plain")
 	username := r.FormValue("username")
-	me := auth.GetUser(r.Context())
-	if !me.HasRole(auth.RoleAdmin) {
+	me := repository.GetUserFromContext(r.Context())
+	if !me.HasRole(schema.RoleAdmin) {
 		if username != me.Username {
 			http.Error(rw, "Only admins are allowed to sign JWTs not for themselves",
 				http.StatusForbidden)
@@ -903,7 +960,7 @@ func (api *RestApi) getJWT(rw http.ResponseWriter, r *http.Request) {
 		}
 	}

-	user, err := api.Authentication.GetUser(username)
+	user, err := repository.GetUserRepository().GetUser(username)
 	if err != nil {
 		http.Error(rw, err.Error(), http.StatusUnprocessableEntity)
 		return
@@ -920,28 +977,38 @@ func (api *RestApi) getJWT(rw http.ResponseWriter, r *http.Request) {
 }

 func (api *RestApi) createUser(rw http.ResponseWriter, r *http.Request) {
+	err := securedCheck(r)
+	if err != nil {
+		http.Error(rw, err.Error(), http.StatusForbidden)
+	}
+
 	rw.Header().Set("Content-Type", "text/plain")
-	me := auth.GetUser(r.Context())
-	if !me.HasRole(auth.RoleAdmin) {
+	me := repository.GetUserFromContext(r.Context())
+	if !me.HasRole(schema.RoleAdmin) {
 		http.Error(rw, "Only admins are allowed to create new users", http.StatusForbidden)
 		return
 	}

-	username, password, role, name, email, project := r.FormValue("username"), r.FormValue("password"), r.FormValue("role"), r.FormValue("name"), r.FormValue("email"), r.FormValue("project")
-	if len(password) == 0 && role != auth.GetRoleString(auth.RoleApi) {
+	username, password, role, name, email, project := r.FormValue("username"),
+		r.FormValue("password"), r.FormValue("role"), r.FormValue("name"),
+		r.FormValue("email"), r.FormValue("project")
+
+	if len(password) == 0 && role != schema.GetRoleString(schema.RoleApi) {
 		http.Error(rw, "Only API users are allowed to have a blank password (login will be impossible)", http.StatusBadRequest)
 		return
 	}

-	if len(project) != 0 && role != auth.GetRoleString(auth.RoleManager) {
-		http.Error(rw, "only managers require a project (can be changed later)", http.StatusBadRequest)
+	if len(project) != 0 && role != schema.GetRoleString(schema.RoleManager) {
+		http.Error(rw, "only managers require a project (can be changed later)",
+			http.StatusBadRequest)
 		return
-	} else if len(project) == 0 && role == auth.GetRoleString(auth.RoleManager) {
-		http.Error(rw, "managers require a project to manage (can be changed later)", http.StatusBadRequest)
+	} else if len(project) == 0 && role == schema.GetRoleString(schema.RoleManager) {
+		http.Error(rw, "managers require a project to manage (can be changed later)",
+			http.StatusBadRequest)
 		return
 	}

-	if err := api.Authentication.AddUser(&auth.User{
+	if err := repository.GetUserRepository().AddUser(&schema.User{
 		Username: username,
 		Name:     name,
 		Password: password,
@@ -956,13 +1023,18 @@ func (api *RestApi) createUser(rw http.ResponseWriter, r *http.Request) {
 }

 func (api *RestApi) deleteUser(rw http.ResponseWriter, r *http.Request) {
-	if user := auth.GetUser(r.Context()); !user.HasRole(auth.RoleAdmin) {
+	err := securedCheck(r)
+	if err != nil {
+		http.Error(rw, err.Error(), http.StatusForbidden)
+	}
+
+	if user := repository.GetUserFromContext(r.Context()); !user.HasRole(schema.RoleAdmin) {
 		http.Error(rw, "Only admins are allowed to delete a user", http.StatusForbidden)
 		return
 	}

 	username := r.FormValue("username")
-	if err := api.Authentication.DelUser(username); err != nil {
+	if err := repository.GetUserRepository().DelUser(username); err != nil {
 		http.Error(rw, err.Error(), http.StatusUnprocessableEntity)
 		return
 	}
@@ -971,12 +1043,17 @@ func (api *RestApi) deleteUser(rw http.ResponseWriter, r *http.Request) {
 }

 func (api *RestApi) getUsers(rw http.ResponseWriter, r *http.Request) {
-	if user := auth.GetUser(r.Context()); !user.HasRole(auth.RoleAdmin) {
+	err := securedCheck(r)
+	if err != nil {
+		http.Error(rw, err.Error(), http.StatusForbidden)
+	}
+
+	if user := repository.GetUserFromContext(r.Context()); !user.HasRole(schema.RoleAdmin) {
 		http.Error(rw, "Only admins are allowed to fetch a list of users", http.StatusForbidden)
 		return
 	}

-	users, err := api.Authentication.ListUsers(r.URL.Query().Get("not-just-user") == "true")
+	users, err := repository.GetUserRepository().ListUsers(r.URL.Query().Get("not-just-user") == "true")
 	if err != nil {
 		http.Error(rw, err.Error(), http.StatusInternalServerError)
 		return
@@ -986,13 +1063,18 @@ func (api *RestApi) getUsers(rw http.ResponseWriter, r *http.Request) {
 }

 func (api *RestApi) getRoles(rw http.ResponseWriter, r *http.Request) {
-	user := auth.GetUser(r.Context())
-	if !user.HasRole(auth.RoleAdmin) {
+	err := securedCheck(r)
+	if err != nil {
+		http.Error(rw, err.Error(), http.StatusForbidden)
+	}
+
+	user := repository.GetUserFromContext(r.Context())
+	if !user.HasRole(schema.RoleAdmin) {
 		http.Error(rw, "only admins are allowed to fetch a list of roles", http.StatusForbidden)
 		return
 	}

-	roles, err := auth.GetValidRoles(user)
+	roles, err := schema.GetValidRoles(user)
 	if err != nil {
 		http.Error(rw, err.Error(), http.StatusInternalServerError)
 		return
@@ -1002,7 +1084,12 @@ func (api *RestApi) getRoles(rw http.ResponseWriter, r *http.Request) {
 }

 func (api *RestApi) updateUser(rw http.ResponseWriter, r *http.Request) {
-	if user := auth.GetUser(r.Context()); !user.HasRole(auth.RoleAdmin) {
+	err := securedCheck(r)
+	if err != nil {
+		http.Error(rw, err.Error(), http.StatusForbidden)
+	}
+
+	if user := repository.GetUserFromContext(r.Context()); !user.HasRole(schema.RoleAdmin) {
 		http.Error(rw, "Only admins are allowed to update a user", http.StatusForbidden)
 		return
 	}
@@ -1015,25 +1102,25 @@ func (api *RestApi) updateUser(rw http.ResponseWriter, r *http.Request) {

 	// TODO: Handle anything but roles...
 	if newrole != "" {
-		if err := api.Authentication.AddRole(r.Context(), mux.Vars(r)["id"], newrole); err != nil {
+		if err := repository.GetUserRepository().AddRole(r.Context(), mux.Vars(r)["id"], newrole); err != nil {
 			http.Error(rw, err.Error(), http.StatusUnprocessableEntity)
 			return
 		}
 		rw.Write([]byte("Add Role Success"))
 	} else if delrole != "" {
-		if err := api.Authentication.RemoveRole(r.Context(), mux.Vars(r)["id"], delrole); err != nil {
+		if err := repository.GetUserRepository().RemoveRole(r.Context(), mux.Vars(r)["id"], delrole); err != nil {
 			http.Error(rw, err.Error(), http.StatusUnprocessableEntity)
 			return
 		}
 		rw.Write([]byte("Remove Role Success"))
 	} else if newproj != "" {
-		if err := api.Authentication.AddProject(r.Context(), mux.Vars(r)["id"], newproj); err != nil {
+		if err := repository.GetUserRepository().AddProject(r.Context(), mux.Vars(r)["id"], newproj); err != nil {
 			http.Error(rw, err.Error(), http.StatusUnprocessableEntity)
 			return
 		}
 		rw.Write([]byte("Add Project Success"))
 	} else if delproj != "" {
-		if err := api.Authentication.RemoveProject(r.Context(), mux.Vars(r)["id"], delproj); err != nil {
+		if err := repository.GetUserRepository().RemoveProject(r.Context(), mux.Vars(r)["id"], delproj); err != nil {
 			http.Error(rw, err.Error(), http.StatusUnprocessableEntity)
 			return
 		}
@@ -1043,13 +1130,78 @@ func (api *RestApi) updateUser(rw http.ResponseWriter, r *http.Request) {
 	}
 }

+// func (api *RestApi) secureUpdateUser(rw http.ResponseWriter, r *http.Request) {
+// 	if user := auth.GetUser(r.Context()); user != nil && !user.HasRole(auth.RoleApi) {
+// 		handleError(fmt.Errorf("missing role: %v", auth.GetRoleString(auth.RoleApi)), http.StatusForbidden, rw)
+// 		return
+// 	}
+//
+// 	// IP CHECK HERE (WIP)
+// 	// Probably better as private routine
+// 	IPAddress := r.Header.Get("X-Real-Ip")
+// 	if IPAddress == "" {
+// 		IPAddress = r.Header.Get("X-Forwarded-For")
+// 	}
+// 	if IPAddress == "" {
+// 		IPAddress = r.RemoteAddr
+// 	}
+//
+// 	// Also This
+// 	ipOk := false
+// 	for _, a := range config.Keys.ApiAllowedAddrs {
+// 		if a == IPAddress {
+// 			ipOk = true
+// 		}
+// 	}
+//
+// 	if IPAddress == "" || ipOk == false {
+// 		handleError(fmt.Errorf("unknown ip: %v", IPAddress), http.StatusForbidden, rw)
+// 		return
+// 	}
+// 	// IP CHECK END
+//
+// 	// Get Values
+// 	id := mux.Vars(r)["id"]
+// 	newproj := mux.Vars(r)["project"]
+// 	newrole := mux.Vars(r)["role"]
+//
+// 	// TODO: Handle anything but roles...
+// 	if newrole != "" {
+// 		if err := api.Authentication.AddRole(r.Context(), id, newrole); err != nil {
+// 			handleError(errors.New(err.Error()), http.StatusUnprocessableEntity, rw)
+// 			return
+// 		}
+//
+// 		rw.Header().Add("Content-Type", "application/json")
+// 		rw.WriteHeader(http.StatusOK)
+// 		json.NewEncoder(rw).Encode(UpdateUserApiResponse{
+// 			Message: fmt.Sprintf("Successfully added role %s to %s", newrole, id),
+// 		})
+//
+// 	} else if newproj != "" {
+// 		if err := api.Authentication.AddProject(r.Context(), id, newproj); err != nil {
+// 			handleError(errors.New(err.Error()), http.StatusUnprocessableEntity, rw)
+// 			return
+// 		}
+//
+// 		rw.Header().Add("Content-Type", "application/json")
+// 		rw.WriteHeader(http.StatusOK)
+// 		json.NewEncoder(rw).Encode(UpdateUserApiResponse{
+// 			Message: fmt.Sprintf("Successfully added project %s to %s", newproj, id),
+// 		})
+//
+// 	} else {
+// 		handleError(errors.New("Not Add [role|project]?"), http.StatusBadRequest, rw)
+// 	}
+// }
+
 func (api *RestApi) updateConfiguration(rw http.ResponseWriter, r *http.Request) {
 	rw.Header().Set("Content-Type", "text/plain")
 	key, value := r.FormValue("key"), r.FormValue("value")

 	fmt.Printf("REST > KEY: %#v\nVALUE: %#v\n", key, value)

-	if err := repository.GetUserCfgRepo().UpdateConfig(key, value, auth.GetUser(r.Context())); err != nil {
+	if err := repository.GetUserCfgRepo().UpdateConfig(key, value, repository.GetUserFromContext(r.Context())); err != nil {
 		http.Error(rw, err.Error(), http.StatusUnprocessableEntity)
 		return
 	}
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) 2023 NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -7,224 +7,26 @@ package auth
 import (
 	"context"
 	"crypto/rand"
+	"database/sql"
 	"encoding/base64"
 	"errors"
-	"fmt"
 	"net/http"
 	"os"
-	"strings"
 	"time"

+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 	"github.com/gorilla/sessions"
-	"github.com/jmoiron/sqlx"
 )

-type AuthSource int
-
-const (
-	AuthViaLocalPassword AuthSource = iota
-	AuthViaLDAP
-	AuthViaToken
-)
-
-type User struct {
-	Username   string     `json:"username"`
-	Password   string     `json:"-"`
-	Name       string     `json:"name"`
-	Roles      []string   `json:"roles"`
-	AuthSource AuthSource `json:"via"`
-	Email      string     `json:"email"`
-	Projects   []string   `json:"projects"`
-	Expiration time.Time
-}
-
-type Role int
-
-const (
-	RoleAnonymous Role = iota
-	RoleApi
-	RoleUser
-	RoleManager
-	RoleSupport
-	RoleAdmin
-	RoleError
-)
-
-func GetRoleString(roleInt Role) string {
-	return [6]string{"anonymous", "api", "user", "manager", "support", "admin"}[roleInt]
-}
-
-func getRoleEnum(roleStr string) Role {
-	switch strings.ToLower(roleStr) {
-	case "admin":
-		return RoleAdmin
-	case "support":
-		return RoleSupport
-	case "manager":
-		return RoleManager
-	case "user":
-		return RoleUser
-	case "api":
-		return RoleApi
-	case "anonymous":
-		return RoleAnonymous
-	default:
-		return RoleError
-	}
-}
-
-func isValidRole(role string) bool {
-	return getRoleEnum(role) != RoleError
-}
-
-func (u *User) HasValidRole(role string) (hasRole bool, isValid bool) {
-	if isValidRole(role) {
-		for _, r := range u.Roles {
-			if r == role {
-				return true, true
-			}
-		}
-		return false, true
-	}
-	return false, false
-}
-
-func (u *User) HasRole(role Role) bool {
-	for _, r := range u.Roles {
-		if r == GetRoleString(role) {
-			return true
-		}
-	}
-	return false
-}
-
-// Role-Arrays are short: performance not impacted by nested loop
-func (u *User) HasAnyRole(queryroles []Role) bool {
-	for _, ur := range u.Roles {
-		for _, qr := range queryroles {
-			if ur == GetRoleString(qr) {
-				return true
-			}
-		}
-	}
-	return false
-}
-
-// Role-Arrays are short: performance not impacted by nested loop
-func (u *User) HasAllRoles(queryroles []Role) bool {
-	target := len(queryroles)
-	matches := 0
-	for _, ur := range u.Roles {
-		for _, qr := range queryroles {
-			if ur == GetRoleString(qr) {
-				matches += 1
-				break
-			}
-		}
-	}
-
-	if matches == target {
-		return true
-	} else {
-		return false
-	}
-}
-
-// Role-Arrays are short: performance not impacted by nested loop
-func (u *User) HasNotRoles(queryroles []Role) bool {
-	matches := 0
-	for _, ur := range u.Roles {
-		for _, qr := range queryroles {
-			if ur == GetRoleString(qr) {
-				matches += 1
-				break
-			}
-		}
-	}
-
-	if matches == 0 {
-		return true
-	} else {
-		return false
-	}
-}
-
-// Called by API endpoint '/roles/' from frontend: Only required for admin config -> Check Admin Role
-func GetValidRoles(user *User) ([]string, error) {
-	var vals []string
-	if user.HasRole(RoleAdmin) {
-		for i := RoleApi; i < RoleError; i++ {
-			vals = append(vals, GetRoleString(i))
-		}
-		return vals, nil
-	}
-
-	return vals, fmt.Errorf("%s: only admins are allowed to fetch a list of roles", user.Username)
-}
-
-// Called by routerConfig web.page setup in backend: Only requires known user and/or not API user
-func GetValidRolesMap(user *User) (map[string]Role, error) {
-	named := make(map[string]Role)
-	if user.HasNotRoles([]Role{RoleApi, RoleAnonymous}) {
-		for i := RoleApi; i < RoleError; i++ {
-			named[GetRoleString(i)] = i
-		}
-		return named, nil
-	}
-	return named, fmt.Errorf("only known users are allowed to fetch a list of roles")
-}
-
-// Find highest role
-func (u *User) GetAuthLevel() Role {
-	if u.HasRole(RoleAdmin) {
-		return RoleAdmin
-	} else if u.HasRole(RoleSupport) {
-		return RoleSupport
-	} else if u.HasRole(RoleManager) {
-		return RoleManager
-	} else if u.HasRole(RoleUser) {
-		return RoleUser
-	} else if u.HasRole(RoleApi) {
-		return RoleApi
-	} else if u.HasRole(RoleAnonymous) {
-		return RoleAnonymous
-	} else {
-		return RoleError
-	}
-}
-
-func (u *User) HasProject(project string) bool {
-	for _, p := range u.Projects {
-		if p == project {
-			return true
-		}
-	}
-	return false
-}
-
-func GetUser(ctx context.Context) *User {
-	x := ctx.Value(ContextUserKey)
-	if x == nil {
-		return nil
-	}
-
-	return x.(*User)
-}
-
 type Authenticator interface {
-	Init(auth *Authentication, config interface{}) error
-	CanLogin(user *User, rw http.ResponseWriter, r *http.Request) bool
-	Login(user *User, rw http.ResponseWriter, r *http.Request) (*User, error)
-	Auth(rw http.ResponseWriter, r *http.Request) (*User, error)
+	CanLogin(user *schema.User, username string, rw http.ResponseWriter, r *http.Request) (*schema.User, bool)
+	Login(user *schema.User, rw http.ResponseWriter, r *http.Request) (*schema.User, error)
 }

-type ContextKey string
-
-const ContextUserKey ContextKey = "user"
-
 type Authentication struct {
-	db            *sqlx.DB
 	sessionStore  *sessions.CookieStore
 	SessionMaxAge time.Duration

@@ -234,10 +36,34 @@ type Authentication struct {
 	LocalAuth      *LocalAuthenticator
 }

-func Init(db *sqlx.DB,
-	configs map[string]interface{}) (*Authentication, error) {
+func (auth *Authentication) AuthViaSession(
+	rw http.ResponseWriter,
+	r *http.Request) (*schema.User, error) {
+	session, err := auth.sessionStore.Get(r, "session")
+	if err != nil {
+		log.Error("Error while getting session store")
+		return nil, err
+	}
+
+	if session.IsNew {
+		return nil, nil
+	}
+
+	// TODO: Check if session keys exist
+	username, _ := session.Values["username"].(string)
+	projects, _ := session.Values["projects"].([]string)
+	roles, _ := session.Values["roles"].([]string)
+	return &schema.User{
+		Username:   username,
+		Projects:   projects,
+		Roles:      roles,
+		AuthType:   schema.AuthSession,
+		AuthSource: -1,
+	}, nil
+}
+
+func Init() (*Authentication, error) {
 	auth := &Authentication{}
-	auth.db = db

 	sessKey := os.Getenv("SESSION_KEY")
 	if sessKey == "" {
@@ -257,78 +83,78 @@ func Init(db *sqlx.DB,
 		auth.sessionStore = sessions.NewCookieStore(bytes)
 	}

+	if config.Keys.LdapConfig != nil {
+		ldapAuth := &LdapAuthenticator{}
+		if err := ldapAuth.Init(); err != nil {
+			log.Warn("Error while initializing authentication -> ldapAuth init failed")
+		} else {
+			auth.LdapAuth = ldapAuth
+			auth.authenticators = append(auth.authenticators, auth.LdapAuth)
+		}
+	} else {
+		log.Info("Missing LDAP configuration: No LDAP support!")
+	}
+
+	if config.Keys.JwtConfig != nil {
+		auth.JwtAuth = &JWTAuthenticator{}
+		if err := auth.JwtAuth.Init(); err != nil {
+			log.Error("Error while initializing authentication -> jwtAuth init failed")
+			return nil, err
+		}
+
+		jwtSessionAuth := &JWTSessionAuthenticator{}
+		if err := jwtSessionAuth.Init(); err != nil {
+			log.Info("jwtSessionAuth init failed: No JWT login support!")
+		} else {
+			auth.authenticators = append(auth.authenticators, jwtSessionAuth)
+		}
+
+		jwtCookieSessionAuth := &JWTCookieSessionAuthenticator{}
+		if err := jwtCookieSessionAuth.Init(); err != nil {
+			log.Info("jwtCookieSessionAuth init failed: No JWT cookie login support!")
+		} else {
+			auth.authenticators = append(auth.authenticators, jwtCookieSessionAuth)
+		}
+	} else {
+		log.Info("Missing JWT configuration: No JWT token support!")
+	}
+
 	auth.LocalAuth = &LocalAuthenticator{}
-	if err := auth.LocalAuth.Init(auth, nil); err != nil {
+	if err := auth.LocalAuth.Init(); err != nil {
 		log.Error("Error while initializing authentication -> localAuth init failed")
 		return nil, err
 	}
 	auth.authenticators = append(auth.authenticators, auth.LocalAuth)

-	auth.JwtAuth = &JWTAuthenticator{}
-	if err := auth.JwtAuth.Init(auth, configs["jwt"]); err != nil {
-		log.Error("Error while initializing authentication -> jwtAuth init failed")
-		return nil, err
-	}
-	auth.authenticators = append(auth.authenticators, auth.JwtAuth)
-
-	if config, ok := configs["ldap"]; ok {
-		auth.LdapAuth = &LdapAuthenticator{}
-		if err := auth.LdapAuth.Init(auth, config); err != nil {
-			log.Error("Error while initializing authentication -> ldapAuth init failed")
-			return nil, err
-		}
-		auth.authenticators = append(auth.authenticators, auth.LdapAuth)
-	}
-
 	return auth, nil
 }

-func (auth *Authentication) AuthViaSession(
-	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
-
-	session, err := auth.sessionStore.Get(r, "session")
-	if err != nil {
-		log.Error("Error while getting session store")
-		return nil, err
-	}
-
-	if session.IsNew {
-		return nil, nil
-	}
-
-	// TODO Check if keys are present in session?
-	username, _ := session.Values["username"].(string)
-	projects, _ := session.Values["projects"].([]string)
-	roles, _ := session.Values["roles"].([]string)
-	return &User{
-		Username:   username,
-		Projects:   projects,
-		Roles:      roles,
-		AuthSource: -1,
-	}, nil
-}
-
-// Handle a POST request that should log the user in, starting a new session.
 func (auth *Authentication) Login(
 	onsuccess http.Handler,
 	onfailure func(rw http.ResponseWriter, r *http.Request, loginErr error)) http.Handler {

 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		err := errors.New("no authenticator applied")
 		username := r.FormValue("username")
-		user := (*User)(nil)
+		var dbUser *schema.User

 		if username != "" {
-			user, _ = auth.GetUser(username)
+			var err error
+			dbUser, err = repository.GetUserRepository().GetUser(username)
+			if err != nil && err != sql.ErrNoRows {
+				log.Errorf("Error while loading user '%v'", username)
+			}
 		}

 		for _, authenticator := range auth.authenticators {
-			if !authenticator.CanLogin(user, rw, r) {
+			var ok bool
+			var user *schema.User
+			if user, ok = authenticator.CanLogin(dbUser, username, rw, r); !ok {
 				continue
+			} else {
+				log.Debugf("Can login with user %v", user)
 			}

-			user, err = authenticator.Login(user, rw, r)
+			user, err := authenticator.Login(user, rw, r)
 			if err != nil {
 				log.Warnf("user login failed: %s", err.Error())
 				onfailure(rw, r, err)
@@ -355,49 +181,50 @@ func (auth *Authentication) Login(
 			}

 			log.Infof("login successfull: user: %#v (roles: %v, projects: %v)", user.Username, user.Roles, user.Projects)
-			ctx := context.WithValue(r.Context(), ContextUserKey, user)
+			ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)
 			onsuccess.ServeHTTP(rw, r.WithContext(ctx))
 			return
 		}

 		log.Debugf("login failed: no authenticator applied")
-		onfailure(rw, r, err)
+		onfailure(rw, r, errors.New("no authenticator applied"))
 	})
 }

-// Authenticate the user and put a User object in the
-// context of the request. If authentication fails,
-// do not continue but send client to the login screen.
 func (auth *Authentication) Auth(
 	onsuccess http.Handler,
 	onfailure func(rw http.ResponseWriter, r *http.Request, authErr error)) http.Handler {

 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
-		for _, authenticator := range auth.authenticators {
-			user, err := authenticator.Auth(rw, r)
+
+		user, err := auth.JwtAuth.AuthViaJWT(rw, r)
+		if err != nil {
+			log.Infof("authentication failed: %s", err.Error())
+			http.Error(rw, err.Error(), http.StatusUnauthorized)
+			return
+		}
+
+		if user == nil {
+			user, err = auth.AuthViaSession(rw, r)
 			if err != nil {
 				log.Infof("authentication failed: %s", err.Error())
 				http.Error(rw, err.Error(), http.StatusUnauthorized)
 				return
 			}
-			if user == nil {
-				continue
-			}
+		}

-			ctx := context.WithValue(r.Context(), ContextUserKey, user)
+		if user != nil {
+			ctx := context.WithValue(r.Context(), repository.ContextUserKey, user)
 			onsuccess.ServeHTTP(rw, r.WithContext(ctx))
 			return
 		}

-		log.Debugf("authentication failed: %s", "no authenticator applied")
-		// http.Error(rw, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
-		onfailure(rw, r, errors.New("unauthorized (login first or use a token)"))
+		log.Debug("authentication failed")
+		onfailure(rw, r, errors.New("unauthorized (please login first)"))
 	})
 }

-// Clears the session cookie
 func (auth *Authentication) Logout(onsuccess http.Handler) http.Handler {
-
 	return http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
 		session, err := auth.sessionStore.Get(r, "session")
 		if err != nil {
--- a/internal/auth/auth_test.go
+++ b/internal/auth/auth_test.go
@@ -1,129 +0,0 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
-// All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-package auth
-
-import (
-	"testing"
-)
-
-func TestHasValidRole(t *testing.T) {
-	u := User{Username: "testuser", Roles: []string{"user"}}
-
-	exists, _ := u.HasValidRole("user")
-
-	if !exists {
-		t.Fatalf(`User{Roles: ["user"]} -> HasValidRole("user"): EXISTS = %v, expected 'true'.`, exists)
-	}
-}
-
-func TestHasNotValidRole(t *testing.T) {
-	u := User{Username: "testuser", Roles: []string{"user"}}
-
-	exists, _ := u.HasValidRole("manager")
-
-	if exists {
-		t.Fatalf(`User{Roles: ["user"]} -> HasValidRole("manager"): EXISTS = %v, expected 'false'.`, exists)
-	}
-}
-
-func TestHasInvalidRole(t *testing.T) {
-	u := User{Username: "testuser", Roles: []string{"user"}}
-
-	_, valid := u.HasValidRole("invalid")
-
-	if valid {
-		t.Fatalf(`User{Roles: ["user"]} -> HasValidRole("invalid"): VALID = %v, expected 'false'.`, valid)
-	}
-}
-
-func TestHasNotInvalidRole(t *testing.T) {
-	u := User{Username: "testuser", Roles: []string{"user"}}
-
-	_, valid := u.HasValidRole("user")
-
-	if !valid {
-		t.Fatalf(`User{Roles: ["user"]} -> HasValidRole("user"): VALID = %v, expected 'true'.`, valid)
-	}
-}
-
-func TestHasRole(t *testing.T) {
-	u := User{Username: "testuser", Roles: []string{"user"}}
-
-	exists := u.HasRole(RoleUser)
-
-	if !exists {
-		t.Fatalf(`User{Roles: ["user"]} -> HasRole(RoleUser): EXISTS = %v, expected 'true'.`, exists)
-	}
-}
-
-func TestHasNotRole(t *testing.T) {
-	u := User{Username: "testuser", Roles: []string{"user"}}
-
-	exists := u.HasRole(RoleManager)
-
-	if exists {
-		t.Fatalf(`User{Roles: ["user"]} -> HasRole(RoleManager): EXISTS = %v, expected 'false'.`, exists)
-	}
-}
-
-func TestHasAnyRole(t *testing.T) {
-	u := User{Username: "testuser", Roles: []string{"user", "manager"}}
-
-	result := u.HasAnyRole([]Role{RoleManager, RoleSupport, RoleAdmin})
-
-	if !result {
-		t.Fatalf(`User{Roles: ["user", "manager"]} -> HasAnyRole([]Role{RoleManager, RoleSupport, RoleAdmin}): RESULT = %v, expected 'true'.`, result)
-	}
-}
-
-func TestHasNotAnyRole(t *testing.T) {
-	u := User{Username: "testuser", Roles: []string{"user", "manager"}}
-
-	result := u.HasAnyRole([]Role{RoleSupport, RoleAdmin})
-
-	if result {
-		t.Fatalf(`User{Roles: ["user", "manager"]} -> HasAllRoles([]Role{RoleSupport, RoleAdmin}): RESULT = %v, expected 'false'.`, result)
-	}
-}
-
-func TestHasAllRoles(t *testing.T) {
-	u := User{Username: "testuser", Roles: []string{"user", "manager", "support"}}
-
-	result := u.HasAllRoles([]Role{RoleUser, RoleManager, RoleSupport})
-
-	if !result {
-		t.Fatalf(`User{Roles: ["user", "manager", "support"]} -> HasAllRoles([]Role{RoleUser, RoleManager, RoleSupport}): RESULT = %v, expected 'true'.`, result)
-	}
-}
-
-func TestHasNotAllRoles(t *testing.T) {
-	u := User{Username: "testuser", Roles: []string{"user", "manager"}}
-
-	result := u.HasAllRoles([]Role{RoleUser, RoleManager, RoleSupport})
-
-	if result {
-		t.Fatalf(`User{Roles: ["user", "manager"]} -> HasAllRoles([]Role{RoleUser, RoleManager, RoleSupport}): RESULT = %v, expected 'false'.`, result)
-	}
-}
-
-func TestHasNotRoles(t *testing.T) {
-	u := User{Username: "testuser", Roles: []string{"user", "manager"}}
-
-	result := u.HasNotRoles([]Role{RoleSupport, RoleAdmin})
-
-	if !result {
-		t.Fatalf(`User{Roles: ["user", "manager"]} -> HasNotRoles([]Role{RoleSupport, RoleAdmin}): RESULT = %v, expected 'true'.`, result)
-	}
-}
-
-func TestHasAllNotRoles(t *testing.T) {
-	u := User{Username: "testuser", Roles: []string{"user", "manager"}}
-
-	result := u.HasNotRoles([]Role{RoleUser, RoleManager})
-
-	if result {
-		t.Fatalf(`User{Roles: ["user", "manager"]} -> HasNotRoles([]Role{RoleUser, RoleManager}): RESULT = %v, expected 'false'.`, result)
-	}
-}
--- a/internal/auth/jwt.go
+++ b/internal/auth/jwt.go
@@ -6,39 +6,26 @@ package auth

 import (
 	"crypto/ed25519"
-	"database/sql"
 	"encoding/base64"
 	"errors"
-	"fmt"
 	"net/http"
 	"os"
 	"strings"
 	"time"

+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 	"github.com/golang-jwt/jwt/v4"
 )

 type JWTAuthenticator struct {
-	auth *Authentication
-
-	publicKey           ed25519.PublicKey
-	privateKey          ed25519.PrivateKey
-	publicKeyCrossLogin ed25519.PublicKey // For accepting externally generated JWTs
-
-	loginTokenKey []byte // HS256 key
-
-	config *schema.JWTAuthConfig
+	publicKey  ed25519.PublicKey
+	privateKey ed25519.PrivateKey
 }

-var _ Authenticator = (*JWTAuthenticator)(nil)
-
-func (ja *JWTAuthenticator) Init(auth *Authentication, conf interface{}) error {
-
-	ja.auth = auth
-	ja.config = conf.(*schema.JWTAuthConfig)
-
+func (ja *JWTAuthenticator) Init() error {
 	pubKey, privKey := os.Getenv("JWT_PUBLIC_KEY"), os.Getenv("JWT_PRIVATE_KEY")
 	if pubKey == "" || privKey == "" {
 		log.Warn("environment variables 'JWT_PUBLIC_KEY' or 'JWT_PRIVATE_KEY' not set (token based authentication will not work)")
@@ -57,130 +44,12 @@ func (ja *JWTAuthenticator) Init(auth *Authentication, conf interface{}) error {
 		ja.privateKey = ed25519.PrivateKey(bytes)
 	}

-	if pubKey = os.Getenv("CROSS_LOGIN_JWT_HS512_KEY"); pubKey != "" {
-		bytes, err := base64.StdEncoding.DecodeString(pubKey)
-		if err != nil {
-			log.Warn("Could not decode cross login JWT HS512 key")
-			return err
-		}
-		ja.loginTokenKey = bytes
-	}
-
-	// Look for external public keys
-	pubKeyCrossLogin, keyFound := os.LookupEnv("CROSS_LOGIN_JWT_PUBLIC_KEY")
-	if keyFound && pubKeyCrossLogin != "" {
-		bytes, err := base64.StdEncoding.DecodeString(pubKeyCrossLogin)
-		if err != nil {
-			log.Warn("Could not decode cross login JWT public key")
-			return err
-		}
-		ja.publicKeyCrossLogin = ed25519.PublicKey(bytes)
-
-		// Warn if other necessary settings are not configured
-		if ja.config != nil {
-			if ja.config.CookieName == "" {
-				log.Warn("cookieName for JWTs not configured (cross login via JWT cookie will fail)")
-			}
-			if !ja.config.ForceJWTValidationViaDatabase {
-				log.Warn("forceJWTValidationViaDatabase not set to true: CC will accept users and roles defined in JWTs regardless of its own database!")
-			}
-			if ja.config.TrustedExternalIssuer == "" {
-				log.Warn("trustedExternalIssuer for JWTs not configured (cross login via JWT cookie will fail)")
-			}
-		} else {
-			log.Warn("cookieName and trustedExternalIssuer for JWTs not configured (cross login via JWT cookie will fail)")
-		}
-	} else {
-		ja.publicKeyCrossLogin = nil
-		log.Debug("environment variable 'CROSS_LOGIN_JWT_PUBLIC_KEY' not set (cross login token based authentication will not work)")
-	}
-
 	return nil
 }

-func (ja *JWTAuthenticator) CanLogin(
-	user *User,
+func (ja *JWTAuthenticator) AuthViaJWT(
 	rw http.ResponseWriter,
-	r *http.Request) bool {
-
-	return (user != nil && user.AuthSource == AuthViaToken) ||
-		r.Header.Get("Authorization") != "" ||
-		r.URL.Query().Get("login-token") != ""
-}
-
-func (ja *JWTAuthenticator) Login(
-	user *User,
-	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
-
-	rawtoken := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
-	if rawtoken == "" {
-		rawtoken = r.URL.Query().Get("login-token")
-	}
-
-	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
-		if t.Method == jwt.SigningMethodEdDSA {
-			return ja.publicKey, nil
-		}
-		if t.Method == jwt.SigningMethodHS256 || t.Method == jwt.SigningMethodHS512 {
-			return ja.loginTokenKey, nil
-		}
-		return nil, fmt.Errorf("AUTH/JWT > unkown signing method for login token: %s (known: HS256, HS512, EdDSA)", t.Method.Alg())
-	})
-	if err != nil {
-		log.Warn("Error while parsing jwt token")
-		return nil, err
-	}
-
-	if err = token.Claims.Valid(); err != nil {
-		log.Warn("jwt token claims are not valid")
-		return nil, err
-	}
-
-	claims := token.Claims.(jwt.MapClaims)
-	sub, _ := claims["sub"].(string)
-	exp, _ := claims["exp"].(float64)
-	var roles []string
-	if rawroles, ok := claims["roles"].([]interface{}); ok {
-		for _, rr := range rawroles {
-			if r, ok := rr.(string); ok {
-				if isValidRole(r) {
-					roles = append(roles, r)
-				}
-			}
-		}
-	}
-	if rawrole, ok := claims["roles"].(string); ok {
-		if isValidRole(rawrole) {
-			roles = append(roles, rawrole)
-		}
-	}
-
-	if user == nil {
-		user, err = ja.auth.GetUser(sub)
-		if err != nil && err != sql.ErrNoRows {
-			log.Errorf("Error while loading user '%v'", sub)
-			return nil, err
-		} else if user == nil {
-			user = &User{
-				Username:   sub,
-				Roles:      roles,
-				AuthSource: AuthViaToken,
-			}
-			if err := ja.auth.AddUser(user); err != nil {
-				log.Errorf("Error while adding user '%v' to auth from token", user.Username)
-				return nil, err
-			}
-		}
-	}
-
-	user.Expiration = time.Unix(int64(exp), 0)
-	return user, nil
-}
-
-func (ja *JWTAuthenticator) Auth(
-	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
+	r *http.Request) (*schema.User, error) {

 	rawtoken := r.Header.Get("X-Auth-Token")
 	if rawtoken == "" {
@@ -188,59 +57,22 @@ func (ja *JWTAuthenticator) Auth(
 		rawtoken = strings.TrimPrefix(rawtoken, "Bearer ")
 	}

-	// If no auth header was found, check for a certain cookie containing a JWT
-	cookieName := ""
-	cookieFound := false
-	if ja.config != nil && ja.config.CookieName != "" {
-		cookieName = ja.config.CookieName
-	}
-
-	// Try to read the JWT cookie
-	if rawtoken == "" && cookieName != "" {
-		jwtCookie, err := r.Cookie(cookieName)
-
-		if err == nil && jwtCookie.Value != "" {
-			rawtoken = jwtCookie.Value
-			cookieFound = true
-		}
-	}
-
-	// Because a user can also log in via a token, the
-	// session cookie must be checked here as well:
+	// there is no token
 	if rawtoken == "" {
-		return ja.auth.AuthViaSession(rw, r)
+		return nil, nil
 	}

-	// Try to parse JWT
 	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
 		if t.Method != jwt.SigningMethodEdDSA {
 			return nil, errors.New("only Ed25519/EdDSA supported")
 		}

-		// Is there more than one public key?
-		if ja.publicKeyCrossLogin != nil &&
-			ja.config != nil &&
-			ja.config.TrustedExternalIssuer != "" {
-
-			// Determine whether to use the external public key
-			unvalidatedIssuer, success := t.Claims.(jwt.MapClaims)["iss"].(string)
-			if success && unvalidatedIssuer == ja.config.TrustedExternalIssuer {
-				// The (unvalidated) issuer seems to be the expected one,
-				// use public cross login key from config
-				return ja.publicKeyCrossLogin, nil
-			}
-		}
-
-		// No cross login key configured or issuer not expected
-		// Try own key
 		return ja.publicKey, nil
 	})
 	if err != nil {
-		log.Warn("Error while parsing token")
+		log.Warn("Error while parsing JWT token")
 		return nil, err
 	}
-
-	// Check token validity
 	if err := token.Claims.Valid(); err != nil {
 		log.Warn("jwt token claims are not valid")
 		return nil, err
@@ -253,15 +85,15 @@ func (ja *JWTAuthenticator) Auth(
 	var roles []string

 	// Validate user + roles from JWT against database?
-	if ja.config != nil && ja.config.ForceJWTValidationViaDatabase {
-		user, err := ja.auth.GetUser(sub)
+	if config.Keys.JwtConfig.ValidateUser {
+		ur := repository.GetUserRepository()
+		user, err := ur.GetUser(sub)

 		// Deny any logins for unknown usernames
 		if err != nil {
 			log.Warn("Could not find user from JWT in internal database.")
 			return nil, errors.New("unknown user")
 		}
-
 		// Take user roles from database instead of trusting the JWT
 		roles = user.Roles
 	} else {
@@ -275,47 +107,16 @@ func (ja *JWTAuthenticator) Auth(
 		}
 	}

-	if cookieFound {
-		// Create a session so that we no longer need the JTW Cookie
-		session, err := ja.auth.sessionStore.New(r, "session")
-		if err != nil {
-			log.Errorf("session creation failed: %s", err.Error())
-			http.Error(rw, err.Error(), http.StatusInternalServerError)
-			return nil, err
-		}
-
-		if ja.auth.SessionMaxAge != 0 {
-			session.Options.MaxAge = int(ja.auth.SessionMaxAge.Seconds())
-		}
-		session.Values["username"] = sub
-		session.Values["roles"] = roles
-
-		if err := ja.auth.sessionStore.Save(r, rw, session); err != nil {
-			log.Warnf("session save failed: %s", err.Error())
-			http.Error(rw, err.Error(), http.StatusInternalServerError)
-			return nil, err
-		}
-
-		// (Ask browser to) Delete JWT cookie
-		deletedCookie := &http.Cookie{
-			Name:     cookieName,
-			Value:    "",
-			Path:     "/",
-			MaxAge:   -1,
-			HttpOnly: true,
-		}
-		http.SetCookie(rw, deletedCookie)
-	}
-
-	return &User{
+	return &schema.User{
 		Username:   sub,
 		Roles:      roles,
-		AuthSource: AuthViaToken,
+		AuthType:   schema.AuthToken,
+		AuthSource: -1,
 	}, nil
 }

 // Generate a new JWT that can be used for authentication
-func (ja *JWTAuthenticator) ProvideJWT(user *User) (string, error) {
+func (ja *JWTAuthenticator) ProvideJWT(user *schema.User) (string, error) {

 	if ja.privateKey == nil {
 		return "", errors.New("environment variable 'JWT_PRIVATE_KEY' not set")
@@ -327,8 +128,12 @@ func (ja *JWTAuthenticator) ProvideJWT(user *User) (string, error) {
 		"roles": user.Roles,
 		"iat":   now.Unix(),
 	}
-	if ja.config != nil && ja.config.MaxAge != 0 {
-		claims["exp"] = now.Add(time.Duration(ja.config.MaxAge)).Unix()
+	if config.Keys.JwtConfig.MaxAge != "" {
+		d, err := time.ParseDuration(config.Keys.JwtConfig.MaxAge)
+		if err != nil {
+			return "", errors.New("cannot parse max-age config key")
+		}
+		claims["exp"] = now.Add(d).Unix()
 	}

 	return jwt.NewWithClaims(jwt.SigningMethodEdDSA, claims).SignedString(ja.privateKey)
--- a/internal/auth/jwtCookieSession.go
+++ b/internal/auth/jwtCookieSession.go
@@ -0,0 +1,219 @@
+// Copyright (C) 2023 NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package auth
+
+import (
+	"crypto/ed25519"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"os"
+
+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+	"github.com/golang-jwt/jwt/v4"
+)
+
+type JWTCookieSessionAuthenticator struct {
+	publicKey           ed25519.PublicKey
+	privateKey          ed25519.PrivateKey
+	publicKeyCrossLogin ed25519.PublicKey // For accepting externally generated JWTs
+}
+
+var _ Authenticator = (*JWTCookieSessionAuthenticator)(nil)
+
+func (ja *JWTCookieSessionAuthenticator) Init() error {
+	pubKey, privKey := os.Getenv("JWT_PUBLIC_KEY"), os.Getenv("JWT_PRIVATE_KEY")
+	if pubKey == "" || privKey == "" {
+		log.Warn("environment variables 'JWT_PUBLIC_KEY' or 'JWT_PRIVATE_KEY' not set (token based authentication will not work)")
+		return errors.New("environment variables 'JWT_PUBLIC_KEY' or 'JWT_PRIVATE_KEY' not set (token based authentication will not work)")
+	} else {
+		bytes, err := base64.StdEncoding.DecodeString(pubKey)
+		if err != nil {
+			log.Warn("Could not decode JWT public key")
+			return err
+		}
+		ja.publicKey = ed25519.PublicKey(bytes)
+		bytes, err = base64.StdEncoding.DecodeString(privKey)
+		if err != nil {
+			log.Warn("Could not decode JWT private key")
+			return err
+		}
+		ja.privateKey = ed25519.PrivateKey(bytes)
+	}
+
+	// Look for external public keys
+	pubKeyCrossLogin, keyFound := os.LookupEnv("CROSS_LOGIN_JWT_PUBLIC_KEY")
+	if keyFound && pubKeyCrossLogin != "" {
+		bytes, err := base64.StdEncoding.DecodeString(pubKeyCrossLogin)
+		if err != nil {
+			log.Warn("Could not decode cross login JWT public key")
+			return err
+		}
+		ja.publicKeyCrossLogin = ed25519.PublicKey(bytes)
+	} else {
+		ja.publicKeyCrossLogin = nil
+		log.Debug("environment variable 'CROSS_LOGIN_JWT_PUBLIC_KEY' not set (cross login token based authentication will not work)")
+		return errors.New("environment variable 'CROSS_LOGIN_JWT_PUBLIC_KEY' not set (cross login token based authentication will not work)")
+	}
+
+	jc := config.Keys.JwtConfig
+	// Warn if other necessary settings are not configured
+	if jc != nil {
+		if jc.CookieName == "" {
+			log.Info("cookieName for JWTs not configured (cross login via JWT cookie will fail)")
+			return errors.New("cookieName for JWTs not configured (cross login via JWT cookie will fail)")
+		}
+		if !jc.ValidateUser {
+			log.Info("forceJWTValidationViaDatabase not set to true: CC will accept users and roles defined in JWTs regardless of its own database!")
+		}
+		if jc.TrustedIssuer == "" {
+			log.Info("trustedExternalIssuer for JWTs not configured (cross login via JWT cookie will fail)")
+			return errors.New("trustedExternalIssuer for JWTs not configured (cross login via JWT cookie will fail)")
+		}
+	} else {
+		log.Warn("config for JWTs not configured (cross login via JWT cookie will fail)")
+		return errors.New("config for JWTs not configured (cross login via JWT cookie will fail)")
+	}
+
+	log.Info("JWT Cookie Session authenticator successfully registered")
+	return nil
+}
+
+func (ja *JWTCookieSessionAuthenticator) CanLogin(
+	user *schema.User,
+	username string,
+	rw http.ResponseWriter,
+	r *http.Request) (*schema.User, bool) {
+
+	jc := config.Keys.JwtConfig
+	cookieName := ""
+	if jc.CookieName != "" {
+		cookieName = jc.CookieName
+	}
+
+	// Try to read the JWT cookie
+	if cookieName != "" {
+		jwtCookie, err := r.Cookie(cookieName)
+
+		if err == nil && jwtCookie.Value != "" {
+			return user, true
+		}
+	}
+
+	return nil, false
+}
+
+func (ja *JWTCookieSessionAuthenticator) Login(
+	user *schema.User,
+	rw http.ResponseWriter,
+	r *http.Request) (*schema.User, error) {
+
+	jc := config.Keys.JwtConfig
+	jwtCookie, err := r.Cookie(jc.CookieName)
+	var rawtoken string
+
+	if err == nil && jwtCookie.Value != "" {
+		rawtoken = jwtCookie.Value
+	}
+
+	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
+		if t.Method != jwt.SigningMethodEdDSA {
+			return nil, errors.New("only Ed25519/EdDSA supported")
+		}
+
+		unvalidatedIssuer, success := t.Claims.(jwt.MapClaims)["iss"].(string)
+		if success && unvalidatedIssuer == jc.TrustedIssuer {
+			// The (unvalidated) issuer seems to be the expected one,
+			// use public cross login key from config
+			return ja.publicKeyCrossLogin, nil
+		}
+
+		// No cross login key configured or issuer not expected
+		// Try own key
+		return ja.publicKey, nil
+	})
+	if err != nil {
+		log.Warn("JWT cookie session: error while parsing token")
+		return nil, err
+	}
+
+	// Check token validity and extract paypload
+	if err := token.Claims.Valid(); err != nil {
+		log.Warn("jwt token claims are not valid")
+		return nil, err
+	}
+
+	claims := token.Claims.(jwt.MapClaims)
+	sub, _ := claims["sub"].(string)
+
+	var name string
+	if wrap, ok := claims["name"].(map[string]interface{}); ok {
+		if vals, ok := wrap["values"].([]interface{}); ok {
+			if len(vals) != 0 {
+				name = fmt.Sprintf("%v", vals[0])
+
+				for i := 1; i < len(vals); i++ {
+					name += fmt.Sprintf(" %v", vals[i])
+				}
+			}
+		}
+	}
+
+	var roles []string
+
+	if jc.ValidateUser {
+		// Deny any logins for unknown usernames
+		if user == nil {
+			log.Warn("Could not find user from JWT in internal database.")
+			return nil, errors.New("unknown user")
+		}
+
+		// Take user roles from database instead of trusting the JWT
+		roles = user.Roles
+	} else {
+		// Extract roles from JWT (if present)
+		if rawroles, ok := claims["roles"].([]interface{}); ok {
+			for _, rr := range rawroles {
+				if r, ok := rr.(string); ok {
+					roles = append(roles, r)
+				}
+			}
+		}
+	}
+
+	// (Ask browser to) Delete JWT cookie
+	deletedCookie := &http.Cookie{
+		Name:     jc.CookieName,
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+	}
+	http.SetCookie(rw, deletedCookie)
+
+	if user == nil {
+		projects := make([]string, 0)
+		user = &schema.User{
+			Username:   sub,
+			Name:       name,
+			Roles:      roles,
+			Projects:   projects,
+			AuthType:   schema.AuthSession,
+			AuthSource: schema.AuthViaToken,
+		}
+
+		if jc.SyncUserOnLogin {
+			if err := repository.GetUserRepository().AddUser(user); err != nil {
+				log.Errorf("Error while adding user '%s' to DB", user.Username)
+			}
+		}
+	}
+
+	return user, nil
+}
--- a/internal/auth/jwtSession.go
+++ b/internal/auth/jwtSession.go
@@ -0,0 +1,150 @@
+// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package auth
+
+import (
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+	"github.com/golang-jwt/jwt/v4"
+)
+
+type JWTSessionAuthenticator struct {
+	loginTokenKey []byte // HS256 key
+}
+
+var _ Authenticator = (*JWTSessionAuthenticator)(nil)
+
+func (ja *JWTSessionAuthenticator) Init() error {
+	if pubKey := os.Getenv("CROSS_LOGIN_JWT_HS512_KEY"); pubKey != "" {
+		bytes, err := base64.StdEncoding.DecodeString(pubKey)
+		if err != nil {
+			log.Warn("Could not decode cross login JWT HS512 key")
+			return err
+		}
+		ja.loginTokenKey = bytes
+	}
+
+	log.Info("JWT Session authenticator successfully registered")
+	return nil
+}
+
+func (ja *JWTSessionAuthenticator) CanLogin(
+	user *schema.User,
+	username string,
+	rw http.ResponseWriter,
+	r *http.Request) (*schema.User, bool) {
+
+	return user, r.Header.Get("Authorization") != "" ||
+		r.URL.Query().Get("login-token") != ""
+}
+
+func (ja *JWTSessionAuthenticator) Login(
+	user *schema.User,
+	rw http.ResponseWriter,
+	r *http.Request) (*schema.User, error) {
+
+	rawtoken := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
+	if rawtoken == "" {
+		rawtoken = r.URL.Query().Get("login-token")
+	}
+
+	token, err := jwt.Parse(rawtoken, func(t *jwt.Token) (interface{}, error) {
+		if t.Method == jwt.SigningMethodHS256 || t.Method == jwt.SigningMethodHS512 {
+			return ja.loginTokenKey, nil
+		}
+		return nil, fmt.Errorf("unkown signing method for login token: %s (known: HS256, HS512, EdDSA)", t.Method.Alg())
+	})
+	if err != nil {
+		log.Warn("Error while parsing jwt token")
+		return nil, err
+	}
+
+	if err = token.Claims.Valid(); err != nil {
+		log.Warn("jwt token claims are not valid")
+		return nil, err
+	}
+
+	claims := token.Claims.(jwt.MapClaims)
+	sub, _ := claims["sub"].(string)
+
+	var name string
+	if wrap, ok := claims["name"].(map[string]interface{}); ok {
+		if vals, ok := wrap["values"].([]interface{}); ok {
+			if len(vals) != 0 {
+				name = fmt.Sprintf("%v", vals[0])
+
+				for i := 1; i < len(vals); i++ {
+					name += fmt.Sprintf(" %v", vals[i])
+				}
+			}
+		}
+	}
+
+	var roles []string
+
+	if config.Keys.JwtConfig.ValidateUser {
+		// Deny any logins for unknown usernames
+		if user == nil {
+			log.Warn("Could not find user from JWT in internal database.")
+			return nil, errors.New("unknown user")
+		}
+
+		// Take user roles from database instead of trusting the JWT
+		roles = user.Roles
+	} else {
+		// Extract roles from JWT (if present)
+		if rawroles, ok := claims["roles"].([]interface{}); ok {
+			for _, rr := range rawroles {
+				if r, ok := rr.(string); ok {
+					if schema.IsValidRole(r) {
+						roles = append(roles, r)
+					}
+				}
+			}
+		}
+	}
+
+	projects := make([]string, 0)
+	// Java/Grails Issued Token
+	// if rawprojs, ok := claims["projects"].([]interface{}); ok {
+	// 	for _, pp := range rawprojs {
+	// 		if p, ok := pp.(string); ok {
+	// 			projects = append(projects, p)
+	// 		}
+	// 	}
+	// } else if rawprojs, ok := claims["projects"]; ok {
+	// 	for _, p := range rawprojs.([]string) {
+	// 		projects = append(projects, p)
+	// 	}
+	// }
+
+	if user == nil {
+		user = &schema.User{
+			Username:   sub,
+			Name:       name,
+			Roles:      roles,
+			Projects:   projects,
+			AuthType:   schema.AuthSession,
+			AuthSource: schema.AuthViaToken,
+		}
+
+		if config.Keys.JwtConfig.SyncUserOnLogin {
+			if err := repository.GetUserRepository().AddUser(user); err != nil {
+				log.Errorf("Error while adding user '%s' to DB", user.Username)
+			}
+		}
+	}
+
+	return user, nil
+}
--- a/internal/auth/ldap.go
+++ b/internal/auth/ldap.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) 2023 NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
@@ -12,35 +12,30 @@ import (
 	"strings"
 	"time"

+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/repository"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 	"github.com/go-ldap/ldap/v3"
 )

 type LdapAuthenticator struct {
-	auth         *Authentication
-	config       *schema.LdapConfig
 	syncPassword string
 }

 var _ Authenticator = (*LdapAuthenticator)(nil)

-func (la *LdapAuthenticator) Init(
-	auth *Authentication,
-	conf interface{}) error {
-
-	la.auth = auth
-	la.config = conf.(*schema.LdapConfig)
-
+func (la *LdapAuthenticator) Init() error {
 	la.syncPassword = os.Getenv("LDAP_ADMIN_PASSWORD")
 	if la.syncPassword == "" {
 		log.Warn("environment variable 'LDAP_ADMIN_PASSWORD' not set (ldap sync will not work)")
 	}

-	if la.config != nil && la.config.SyncInterval != "" {
-		interval, err := time.ParseDuration(la.config.SyncInterval)
+	if config.Keys.LdapConfig.SyncInterval != "" {
+		interval, err := time.ParseDuration(config.Keys.LdapConfig.SyncInterval)
 		if err != nil {
-			log.Warnf("Could not parse duration for sync interval: %v", la.config.SyncInterval)
+			log.Warnf("Could not parse duration for sync interval: %v",
+				config.Keys.LdapConfig.SyncInterval)
 			return err
 		}

@@ -59,23 +54,82 @@ func (la *LdapAuthenticator) Init(
 				log.Print("sync done")
 			}
 		}()
+	} else {
+		log.Info("LDAP configuration key sync_interval invalid")
 	}

 	return nil
 }

 func (la *LdapAuthenticator) CanLogin(
-	user *User,
+	user *schema.User,
+	username string,
 	rw http.ResponseWriter,
-	r *http.Request) bool {
+	r *http.Request) (*schema.User, bool) {

-	return user != nil && user.AuthSource == AuthViaLDAP
+	lc := config.Keys.LdapConfig
+
+	if user != nil {
+		if user.AuthSource == schema.AuthViaLDAP {
+			return user, true
+		}
+	} else {
+		if lc.SyncUserOnLogin {
+			l, err := la.getLdapConnection(true)
+			if err != nil {
+				log.Error("LDAP connection error")
+			}
+			defer l.Close()
+
+			// Search for the given username
+			searchRequest := ldap.NewSearchRequest(
+				lc.UserBase,
+				ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+				fmt.Sprintf("(&%s(uid=%s))", lc.UserFilter, username),
+				[]string{"dn", "uid", "gecos"}, nil)
+
+			sr, err := l.Search(searchRequest)
+			if err != nil {
+				log.Warn(err)
+				return nil, false
+			}
+
+			if len(sr.Entries) != 1 {
+				log.Warn("LDAP: User does not exist or too many entries returned")
+				return nil, false
+			}
+
+			entry := sr.Entries[0]
+			name := entry.GetAttributeValue("gecos")
+			var roles []string
+			roles = append(roles, schema.GetRoleString(schema.RoleUser))
+			projects := make([]string, 0)
+
+			user = &schema.User{
+				Username:   username,
+				Name:       name,
+				Roles:      roles,
+				Projects:   projects,
+				AuthType:   schema.AuthSession,
+				AuthSource: schema.AuthViaLDAP,
+			}
+
+			if err := repository.GetUserRepository().AddUser(user); err != nil {
+				log.Errorf("User '%s' LDAP: Insert into DB failed", username)
+				return nil, false
+			}
+
+			return user, true
+		}
+	}
+
+	return nil, false
 }

 func (la *LdapAuthenticator) Login(
-	user *User,
+	user *schema.User,
 	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
+	r *http.Request) (*schema.User, error) {

 	l, err := la.getLdapConnection(false)
 	if err != nil {
@@ -84,42 +138,30 @@ func (la *LdapAuthenticator) Login(
 	}
 	defer l.Close()

-	userDn := strings.Replace(la.config.UserBind, "{username}", user.Username, -1)
+	userDn := strings.Replace(config.Keys.LdapConfig.UserBind, "{username}", user.Username, -1)
 	if err := l.Bind(userDn, r.FormValue("password")); err != nil {
-		log.Errorf("AUTH/LOCAL > Authentication for user %s failed: %v", user.Username, err)
-		return nil, fmt.Errorf("AUTH/LDAP > Authentication failed")
+		log.Errorf("AUTH/LDAP > Authentication for user %s failed: %v",
+			user.Username, err)
+		return nil, fmt.Errorf("Authentication failed")
 	}

 	return user, nil
 }

-func (la *LdapAuthenticator) Auth(
-	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
-
-	return la.auth.AuthViaSession(rw, r)
-}
-
 func (la *LdapAuthenticator) Sync() error {
-
 	const IN_DB int = 1
 	const IN_LDAP int = 2
 	const IN_BOTH int = 3
+	ur := repository.GetUserRepository()
+	lc := config.Keys.LdapConfig

 	users := map[string]int{}
-	rows, err := la.auth.db.Query(`SELECT username FROM user WHERE user.ldap = 1`)
+	usernames, err := ur.GetLdapUsernames()
 	if err != nil {
-		log.Warn("Error while querying LDAP users")
 		return err
 	}

-	for rows.Next() {
-		var username string
-		if err := rows.Scan(&username); err != nil {
-			log.Warnf("Error while scanning for user '%s'", username)
-			return err
-		}
-
+	for _, username := range usernames {
 		users[username] = IN_DB
 	}

@@ -131,8 +173,10 @@ func (la *LdapAuthenticator) Sync() error {
 	defer l.Close()

 	ldapResults, err := l.Search(ldap.NewSearchRequest(
-		la.config.UserBase, ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-		la.config.UserFilter, []string{"dn", "uid", "gecos"}, nil))
+		lc.UserBase,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		lc.UserFilter,
+		[]string{"dn", "uid", "gecos"}, nil))
 	if err != nil {
 		log.Warn("LDAP search error")
 		return err
@@ -155,18 +199,27 @@ func (la *LdapAuthenticator) Sync() error {
 	}

 	for username, where := range users {
-		if where == IN_DB && la.config.SyncDelOldUsers {
+		if where == IN_DB && lc.SyncDelOldUsers {
+			ur.DelUser(username)
 			log.Debugf("sync: remove %v (does not show up in LDAP anymore)", username)
-			if _, err := la.auth.db.Exec(`DELETE FROM user WHERE user.username = ?`, username); err != nil {
-				log.Errorf("User '%s' not in LDAP anymore: Delete from DB failed", username)
-				return err
-			}
 		} else if where == IN_LDAP {
 			name := newnames[username]
+
+			var roles []string
+			roles = append(roles, schema.GetRoleString(schema.RoleUser))
+			projects := make([]string, 0)
+
+			user := &schema.User{
+				Username:   username,
+				Name:       name,
+				Roles:      roles,
+				Projects:   projects,
+				AuthSource: schema.AuthViaLDAP,
+			}
+
 			log.Debugf("sync: add %v (name: %v, roles: [user], ldap: true)", username, name)
-			if _, err := la.auth.db.Exec(`INSERT INTO user (username, ldap, name, roles) VALUES (?, ?, ?, ?)`,
-				username, 1, name, "[\""+GetRoleString(RoleUser)+"\"]"); err != nil {
-				log.Errorf("User '%s' new in LDAP: Insert into DB failed", username)
+			if err := ur.AddUser(user); err != nil {
+				log.Errorf("User '%s' LDAP: Insert into DB failed", username)
 				return err
 			}
 		}
@@ -175,18 +228,17 @@ func (la *LdapAuthenticator) Sync() error {
 	return nil
 }

-// TODO: Add a connection pool or something like
-// that so that connections can be reused/cached.
 func (la *LdapAuthenticator) getLdapConnection(admin bool) (*ldap.Conn, error) {

-	conn, err := ldap.DialURL(la.config.Url)
+	lc := config.Keys.LdapConfig
+	conn, err := ldap.DialURL(lc.Url)
 	if err != nil {
 		log.Warn("LDAP URL dial failed")
 		return nil, err
 	}

 	if admin {
-		if err := conn.Bind(la.config.SearchDN, la.syncPassword); err != nil {
+		if err := conn.Bind(lc.SearchDN, la.syncPassword); err != nil {
 			conn.Close()
 			log.Warn("LDAP connection bind failed")
 			return nil, err
--- a/internal/auth/local.go
+++ b/internal/auth/local.go
@@ -9,6 +9,7 @@ import (
 	"net/http"

 	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 	"golang.org/x/crypto/bcrypt"
 )

@@ -18,38 +19,29 @@ type LocalAuthenticator struct {

 var _ Authenticator = (*LocalAuthenticator)(nil)

-func (la *LocalAuthenticator) Init(
-	auth *Authentication,
-	_ interface{}) error {
-
-	la.auth = auth
+func (la *LocalAuthenticator) Init() error {
 	return nil
 }

 func (la *LocalAuthenticator) CanLogin(
-	user *User,
+	user *schema.User,
+	username string,
 	rw http.ResponseWriter,
-	r *http.Request) bool {
+	r *http.Request) (*schema.User, bool) {

-	return user != nil && user.AuthSource == AuthViaLocalPassword
+	return user, user != nil && user.AuthSource == schema.AuthViaLocalPassword
 }

 func (la *LocalAuthenticator) Login(
-	user *User,
+	user *schema.User,
 	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
+	r *http.Request) (*schema.User, error) {

-	if e := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(r.FormValue("password"))); e != nil {
+	if e := bcrypt.CompareHashAndPassword([]byte(user.Password),
+		[]byte(r.FormValue("password"))); e != nil {
 		log.Errorf("AUTH/LOCAL > Authentication for user %s failed!", user.Username)
-		return nil, fmt.Errorf("AUTH/LOCAL > Authentication failed")
+		return nil, fmt.Errorf("Authentication failed")
 	}

 	return user, nil
 }
-
-func (la *LocalAuthenticator) Auth(
-	rw http.ResponseWriter,
-	r *http.Request) (*User, error) {
-
-	return la.auth.AuthViaSession(rw, r)
-}
--- a/internal/auth/users.go
+++ b/internal/auth/users.go
@@ -1,289 +0,0 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
-// All rights reserved.
-// Use of this source code is governed by a MIT-style
-// license that can be found in the LICENSE file.
-package auth
-
-import (
-	"context"
-	"database/sql"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
-	"github.com/ClusterCockpit/cc-backend/pkg/log"
-	sq "github.com/Masterminds/squirrel"
-	"github.com/jmoiron/sqlx"
-	"golang.org/x/crypto/bcrypt"
-)
-
-func (auth *Authentication) GetUser(username string) (*User, error) {
-
-	user := &User{Username: username}
-	var hashedPassword, name, rawRoles, email, rawProjects sql.NullString
-	if err := sq.Select("password", "ldap", "name", "roles", "email", "projects").From("user").
-		Where("user.username = ?", username).RunWith(auth.db).
-		QueryRow().Scan(&hashedPassword, &user.AuthSource, &name, &rawRoles, &email, &rawProjects); err != nil {
-		log.Warnf("Error while querying user '%v' from database", username)
-		return nil, err
-	}
-
-	user.Password = hashedPassword.String
-	user.Name = name.String
-	user.Email = email.String
-	if rawRoles.Valid {
-		if err := json.Unmarshal([]byte(rawRoles.String), &user.Roles); err != nil {
-			log.Warn("Error while unmarshaling raw roles from DB")
-			return nil, err
-		}
-	}
-	if rawProjects.Valid {
-		if err := json.Unmarshal([]byte(rawProjects.String), &user.Projects); err != nil {
-			return nil, err
-		}
-	}
-
-	return user, nil
-}
-
-func (auth *Authentication) AddUser(user *User) error {
-
-	rolesJson, _ := json.Marshal(user.Roles)
-	projectsJson, _ := json.Marshal(user.Projects)
-
-	cols := []string{"username", "roles", "projects"}
-	vals := []interface{}{user.Username, string(rolesJson), string(projectsJson)}
-
-	if user.Name != "" {
-		cols = append(cols, "name")
-		vals = append(vals, user.Name)
-	}
-	if user.Email != "" {
-		cols = append(cols, "email")
-		vals = append(vals, user.Email)
-	}
-	if user.Password != "" {
-		password, err := bcrypt.GenerateFromPassword([]byte(user.Password), bcrypt.DefaultCost)
-		if err != nil {
-			log.Error("Error while encrypting new user password")
-			return err
-		}
-		cols = append(cols, "password")
-		vals = append(vals, string(password))
-	}
-
-	if _, err := sq.Insert("user").Columns(cols...).Values(vals...).RunWith(auth.db).Exec(); err != nil {
-		log.Errorf("Error while inserting new user '%v' into DB", user.Username)
-		return err
-	}
-
-	log.Infof("new user %#v created (roles: %s, auth-source: %d, projects: %s)", user.Username, rolesJson, user.AuthSource, projectsJson)
-	return nil
-}
-
-func (auth *Authentication) DelUser(username string) error {
-
-	_, err := auth.db.Exec(`DELETE FROM user WHERE user.username = ?`, username)
-	log.Errorf("Error while deleting user '%s' from DB", username)
-	return err
-}
-
-func (auth *Authentication) ListUsers(specialsOnly bool) ([]*User, error) {
-
-	q := sq.Select("username", "name", "email", "roles", "projects").From("user")
-	if specialsOnly {
-		q = q.Where("(roles != '[\"user\"]' AND roles != '[]')")
-	}
-
-	rows, err := q.RunWith(auth.db).Query()
-	if err != nil {
-		log.Warn("Error while querying user list")
-		return nil, err
-	}
-
-	users := make([]*User, 0)
-	defer rows.Close()
-	for rows.Next() {
-		rawroles := ""
-		rawprojects := ""
-		user := &User{}
-		var name, email sql.NullString
-		if err := rows.Scan(&user.Username, &name, &email, &rawroles, &rawprojects); err != nil {
-			log.Warn("Error while scanning user list")
-			return nil, err
-		}
-
-		if err := json.Unmarshal([]byte(rawroles), &user.Roles); err != nil {
-			log.Warn("Error while unmarshaling raw role list")
-			return nil, err
-		}
-
-		if err := json.Unmarshal([]byte(rawprojects), &user.Projects); err != nil {
-			return nil, err
-		}
-
-		user.Name = name.String
-		user.Email = email.String
-		users = append(users, user)
-	}
-	return users, nil
-}
-
-func (auth *Authentication) AddRole(
-	ctx context.Context,
-	username string,
-	queryrole string) error {
-
-	newRole := strings.ToLower(queryrole)
-	user, err := auth.GetUser(username)
-	if err != nil {
-		log.Warnf("Could not load user '%s'", username)
-		return err
-	}
-
-	exists, valid := user.HasValidRole(newRole)
-
-	if !valid {
-		return fmt.Errorf("Supplied role is no valid option : %v", newRole)
-	}
-	if exists {
-		return fmt.Errorf("User %v already has role %v", username, newRole)
-	}
-
-	roles, _ := json.Marshal(append(user.Roles, newRole))
-	if _, err := sq.Update("user").Set("roles", roles).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
-		log.Errorf("Error while adding new role for user '%s'", user.Username)
-		return err
-	}
-	return nil
-}
-
-func (auth *Authentication) RemoveRole(ctx context.Context, username string, queryrole string) error {
-	oldRole := strings.ToLower(queryrole)
-	user, err := auth.GetUser(username)
-	if err != nil {
-		log.Warnf("Could not load user '%s'", username)
-		return err
-	}
-
-	exists, valid := user.HasValidRole(oldRole)
-
-	if !valid {
-		return fmt.Errorf("Supplied role is no valid option : %v", oldRole)
-	}
-	if !exists {
-		return fmt.Errorf("Role already deleted for user '%v': %v", username, oldRole)
-	}
-
-	if oldRole == GetRoleString(RoleManager) && len(user.Projects) != 0 {
-		return fmt.Errorf("Cannot remove role 'manager' while user %s still has assigned project(s) : %v", username, user.Projects)
-	}
-
-	var newroles []string
-	for _, r := range user.Roles {
-		if r != oldRole {
-			newroles = append(newroles, r) // Append all roles not matching requested to be deleted role
-		}
-	}
-
-	var mroles, _ = json.Marshal(newroles)
-	if _, err := sq.Update("user").Set("roles", mroles).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
-		log.Errorf("Error while removing role for user '%s'", user.Username)
-		return err
-	}
-	return nil
-}
-
-func (auth *Authentication) AddProject(
-	ctx context.Context,
-	username string,
-	project string) error {
-
-	user, err := auth.GetUser(username)
-	if err != nil {
-		return err
-	}
-
-	if !user.HasRole(RoleManager) {
-		return fmt.Errorf("user '%s' is not a manager!", username)
-	}
-
-	if user.HasProject(project) {
-		return fmt.Errorf("user '%s' already manages project '%s'", username, project)
-	}
-
-	projects, _ := json.Marshal(append(user.Projects, project))
-	if _, err := sq.Update("user").Set("projects", projects).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-func (auth *Authentication) RemoveProject(ctx context.Context, username string, project string) error {
-	user, err := auth.GetUser(username)
-	if err != nil {
-		return err
-	}
-
-	if !user.HasRole(RoleManager) {
-		return fmt.Errorf("user '%#v' is not a manager!", username)
-	}
-
-	if !user.HasProject(project) {
-		return fmt.Errorf("user '%#v': Cannot remove project '%#v' - Does not match!", username, project)
-	}
-
-	var exists bool
-	var newprojects []string
-	for _, p := range user.Projects {
-		if p != project {
-			newprojects = append(newprojects, p) // Append all projects not matching requested to be deleted project
-		} else {
-			exists = true
-		}
-	}
-
-	if exists == true {
-		var result interface{}
-		if len(newprojects) == 0 {
-			result = "[]"
-		} else {
-			result, _ = json.Marshal(newprojects)
-		}
-		if _, err := sq.Update("user").Set("projects", result).Where("user.username = ?", username).RunWith(auth.db).Exec(); err != nil {
-			return err
-		}
-		return nil
-	} else {
-		return fmt.Errorf("user %s already does not manage project %s", username, project)
-	}
-}
-
-func FetchUser(ctx context.Context, db *sqlx.DB, username string) (*model.User, error) {
-	me := GetUser(ctx)
-	if me != nil && me.Username != username && me.HasNotRoles([]Role{RoleAdmin, RoleSupport, RoleManager}) {
-		return nil, errors.New("forbidden")
-	}
-
-	user := &model.User{Username: username}
-	var name, email sql.NullString
-	if err := sq.Select("name", "email").From("user").Where("user.username = ?", username).
-		RunWith(db).QueryRow().Scan(&name, &email); err != nil {
-		if err == sql.ErrNoRows {
-			/* This warning will be logged *often* for non-local users, i.e. users mentioned only in job-table or archive, */
-			/* since FetchUser will be called to retrieve full name and mail for every job in query/list									 */
-			// log.Warnf("User '%s' Not found in DB", username)
-			return nil, nil
-		}
-
-		log.Warnf("Error while fetching user '%s'", username)
-		return nil, err
-	}
-
-	user.Name = name.String
-	user.Email = email.String
-	return user, nil
-}
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -22,7 +22,6 @@ var Keys schema.ProgramConfig = schema.ProgramConfig{
 	Archive:                   json.RawMessage(`{\"kind\":\"file\",\"path\":\"./var/job-archive\"}`),
 	DisableArchive:            false,
 	Validate:                  false,
-	LdapConfig:                nil,
 	SessionMaxAge:             "168h",
 	StopJobsExceedingWalltime: 0,
 	ShortRunningJobsDuration:  5 * 60,
--- a/internal/graph/generated/generated.go
+++ b/internal/graph/generated/generated.go
--- a/internal/graph/model/models_gen.go
+++ b/internal/graph/model/models_gen.go
@@ -37,27 +37,27 @@ type IntRangeOutput struct {
 }

 type JobFilter struct {
-	Tags            []string          `json:"tags"`
-	JobID           *StringInput      `json:"jobId"`
-	ArrayJobID      *int              `json:"arrayJobId"`
-	User            *StringInput      `json:"user"`
-	Project         *StringInput      `json:"project"`
-	JobName         *StringInput      `json:"jobName"`
-	Cluster         *StringInput      `json:"cluster"`
-	Partition       *StringInput      `json:"partition"`
-	Duration        *schema.IntRange  `json:"duration"`
-	MinRunningFor   *int              `json:"minRunningFor"`
-	NumNodes        *schema.IntRange  `json:"numNodes"`
-	NumAccelerators *schema.IntRange  `json:"numAccelerators"`
-	NumHWThreads    *schema.IntRange  `json:"numHWThreads"`
-	StartTime       *schema.TimeRange `json:"startTime"`
-	State           []schema.JobState `json:"state"`
-	FlopsAnyAvg     *FloatRange       `json:"flopsAnyAvg"`
-	MemBwAvg        *FloatRange       `json:"memBwAvg"`
-	LoadAvg         *FloatRange       `json:"loadAvg"`
-	MemUsedMax      *FloatRange       `json:"memUsedMax"`
-	Exclusive       *int              `json:"exclusive"`
-	Node            *StringInput      `json:"node"`
+	Tags            []string          `json:"tags,omitempty"`
+	JobID           *StringInput      `json:"jobId,omitempty"`
+	ArrayJobID      *int              `json:"arrayJobId,omitempty"`
+	User            *StringInput      `json:"user,omitempty"`
+	Project         *StringInput      `json:"project,omitempty"`
+	JobName         *StringInput      `json:"jobName,omitempty"`
+	Cluster         *StringInput      `json:"cluster,omitempty"`
+	Partition       *StringInput      `json:"partition,omitempty"`
+	Duration        *schema.IntRange  `json:"duration,omitempty"`
+	MinRunningFor   *int              `json:"minRunningFor,omitempty"`
+	NumNodes        *schema.IntRange  `json:"numNodes,omitempty"`
+	NumAccelerators *schema.IntRange  `json:"numAccelerators,omitempty"`
+	NumHWThreads    *schema.IntRange  `json:"numHWThreads,omitempty"`
+	StartTime       *schema.TimeRange `json:"startTime,omitempty"`
+	State           []schema.JobState `json:"state,omitempty"`
+	FlopsAnyAvg     *FloatRange       `json:"flopsAnyAvg,omitempty"`
+	MemBwAvg        *FloatRange       `json:"memBwAvg,omitempty"`
+	LoadAvg         *FloatRange       `json:"loadAvg,omitempty"`
+	MemUsedMax      *FloatRange       `json:"memUsedMax,omitempty"`
+	Exclusive       *int              `json:"exclusive,omitempty"`
+	Node            *StringInput      `json:"node,omitempty"`
 }

 type JobLink struct {
@@ -66,9 +66,9 @@ type JobLink struct {
 }

 type JobLinkResultList struct {
-	ListQuery *string    `json:"listQuery"`
+	ListQuery *string    `json:"listQuery,omitempty"`
 	Items     []*JobLink `json:"items"`
-	Count     *int       `json:"count"`
+	Count     *int       `json:"count,omitempty"`
 }

 type JobMetricWithName struct {
@@ -79,9 +79,9 @@ type JobMetricWithName struct {

 type JobResultList struct {
 	Items  []*schema.Job `json:"items"`
-	Offset *int          `json:"offset"`
-	Limit  *int          `json:"limit"`
-	Count  *int          `json:"count"`
+	Offset *int          `json:"offset,omitempty"`
+	Limit  *int          `json:"limit,omitempty"`
+	Count  *int          `json:"count,omitempty"`
 }

 type JobsStatistics struct {
@@ -120,12 +120,12 @@ type PageRequest struct {
 }

 type StringInput struct {
-	Eq         *string  `json:"eq"`
-	Neq        *string  `json:"neq"`
-	Contains   *string  `json:"contains"`
-	StartsWith *string  `json:"startsWith"`
-	EndsWith   *string  `json:"endsWith"`
-	In         []string `json:"in"`
+	Eq         *string  `json:"eq,omitempty"`
+	Neq        *string  `json:"neq,omitempty"`
+	Contains   *string  `json:"contains,omitempty"`
+	StartsWith *string  `json:"startsWith,omitempty"`
+	EndsWith   *string  `json:"endsWith,omitempty"`
+	In         []string `json:"in,omitempty"`
 }

 type TimeRangeOutput struct {
--- a/internal/graph/schema.resolvers.go
+++ b/internal/graph/schema.resolvers.go
@@ -2,7 +2,7 @@ package graph

 // This file will be automatically regenerated based on the schema, any resolver implementations
 // will be copied through when generating and any unknown code will be moved to the end.
-// Code generated by github.com/99designs/gqlgen version v0.17.24
+// Code generated by github.com/99designs/gqlgen version v0.17.36

 import (
 	"context"
@@ -11,7 +11,6 @@ import (
 	"strconv"
 	"time"

-	"github.com/ClusterCockpit/cc-backend/internal/auth"
 	"github.com/ClusterCockpit/cc-backend/internal/graph/generated"
 	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
 	"github.com/ClusterCockpit/cc-backend/internal/metricdata"
@@ -51,7 +50,7 @@ func (r *jobResolver) MetaData(ctx context.Context, obj *schema.Job) (interface{

 // UserData is the resolver for the userData field.
 func (r *jobResolver) UserData(ctx context.Context, obj *schema.Job) (*model.User, error) {
-	return auth.FetchUser(ctx, r.DB, obj.User)
+	return repository.GetUserRepository().FetchUserInCtx(ctx, obj.User)
 }

 // CreateTag is the resolver for the createTag field.
@@ -122,7 +121,7 @@ func (r *mutationResolver) RemoveTagsFromJob(ctx context.Context, job string, ta

 // UpdateConfiguration is the resolver for the updateConfiguration field.
 func (r *mutationResolver) UpdateConfiguration(ctx context.Context, name string, value string) (*string, error) {
-	if err := repository.GetUserCfgRepo().UpdateConfig(name, value, auth.GetUser(ctx)); err != nil {
+	if err := repository.GetUserCfgRepo().UpdateConfig(name, value, repository.GetUserFromContext(ctx)); err != nil {
 		log.Warn("Error while updating user config")
 		return nil, err
 	}
@@ -142,7 +141,7 @@ func (r *queryResolver) Tags(ctx context.Context) ([]*schema.Tag, error) {

 // User is the resolver for the user field.
 func (r *queryResolver) User(ctx context.Context, username string) (*model.User, error) {
-	return auth.FetchUser(ctx, r.DB, username)
+	return repository.GetUserRepository().FetchUserInCtx(ctx, username)
 }

 // AllocatedNodes is the resolver for the allocatedNodes field.
@@ -178,7 +177,9 @@ func (r *queryResolver) Job(ctx context.Context, id string) (*schema.Job, error)
 		return nil, err
 	}

-	if user := auth.GetUser(ctx); user != nil && job.User != user.Username && user.HasNotRoles([]auth.Role{auth.RoleAdmin, auth.RoleSupport, auth.RoleManager}) {
+	if user := repository.GetUserFromContext(ctx); user != nil &&
+		job.User != user.Username &&
+		user.HasNotRoles([]schema.Role{schema.RoleAdmin, schema.RoleSupport, schema.RoleManager}) {
 		return nil, errors.New("you are not allowed to see this job")
 	}

@@ -318,8 +319,8 @@ func (r *queryResolver) RooflineHeatmap(ctx context.Context, filter []*model.Job

 // NodeMetrics is the resolver for the nodeMetrics field.
 func (r *queryResolver) NodeMetrics(ctx context.Context, cluster string, nodes []string, scopes []schema.MetricScope, metrics []string, from time.Time, to time.Time) ([]*model.NodeMetrics, error) {
-	user := auth.GetUser(ctx)
-	if user != nil && !user.HasRole(auth.RoleAdmin) {
+	user := repository.GetUserFromContext(ctx)
+	if user != nil && !user.HasRole(schema.RoleAdmin) {
 		return nil, errors.New("you need to be an administrator for this query")
 	}

--- a/internal/importer/importer_test.go
+++ b/internal/importer/importer_test.go
@@ -42,6 +42,9 @@ func setup(t *testing.T) *repository.JobRepository {
 		"kind": "file",
 		"path": "./var/job-archive"
 	},
+    "jwts": {
+        "max-age": "2m"
+    },
 	"clusters": [
 	{
 	   "name": "testcluster",
--- a/internal/metricdata/prometheus.go
+++ b/internal/metricdata/prometheus.go
@@ -326,7 +326,6 @@ func (pdb *PrometheusDataRepository) LoadData(
 					Timestep: metricConfig.Timestep,
 					Series:   make([]schema.Series, 0),
 				}
-				jobData[metric][scope] = jobMetric
 			}
 			step := int64(metricConfig.Timestep)
 			steps := int64(to.Sub(from).Seconds()) / step
@@ -335,6 +334,10 @@ func (pdb *PrometheusDataRepository) LoadData(
 				jobMetric.Series = append(jobMetric.Series,
 					pdb.RowToSeries(from, step, steps, row))
 			}
+			// only add metric if at least one host returned data
+			if !ok && len(jobMetric.Series) > 0{
+				jobData[metric][scope] = jobMetric
+			}
 			// sort by hostname to get uniform coloring
 			sort.Slice(jobMetric.Series, func(i, j int) bool {
 				return (jobMetric.Series[i].Hostname < jobMetric.Series[j].Hostname)
--- a/internal/repository/job.go
+++ b/internal/repository/job.go
@@ -14,7 +14,6 @@ import (
 	"sync"
 	"time"

-	"github.com/ClusterCockpit/cc-backend/internal/auth"
 	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
 	"github.com/ClusterCockpit/cc-backend/internal/metricdata"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
@@ -615,7 +614,7 @@ func (r *JobRepository) WaitForArchiving() {
 	r.archivePending.Wait()
 }

-func (r *JobRepository) FindUserOrProjectOrJobname(user *auth.User, searchterm string) (jobid string, username string, project string, jobname string) {
+func (r *JobRepository) FindUserOrProjectOrJobname(user *schema.User, searchterm string) (jobid string, username string, project string, jobname string) {
 	if _, err := strconv.Atoi(searchterm); err == nil { // Return empty on successful conversion: parent method will redirect for integer jobId
 		return searchterm, "", "", ""
 	} else { // Has to have letters and logged-in user for other guesses
@@ -644,14 +643,14 @@ func (r *JobRepository) FindUserOrProjectOrJobname(user *auth.User, searchterm s
 var ErrNotFound = errors.New("no such jobname, project or user")
 var ErrForbidden = errors.New("not authorized")

-func (r *JobRepository) FindColumnValue(user *auth.User, searchterm string, table string, selectColumn string, whereColumn string, isLike bool) (result string, err error) {
+func (r *JobRepository) FindColumnValue(user *schema.User, searchterm string, table string, selectColumn string, whereColumn string, isLike bool) (result string, err error) {
 	compareStr := " = ?"
 	query := searchterm
 	if isLike {
 		compareStr = " LIKE ?"
 		query = "%" + searchterm + "%"
 	}
-	if user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport, auth.RoleManager}) {
+	if user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport, schema.RoleManager}) {
 		theQuery := sq.Select(table+"."+selectColumn).Distinct().From(table).
 			Where(table+"."+whereColumn+compareStr, query)

@@ -676,9 +675,9 @@ func (r *JobRepository) FindColumnValue(user *auth.User, searchterm string, tabl
 	}
 }

-func (r *JobRepository) FindColumnValues(user *auth.User, query string, table string, selectColumn string, whereColumn string) (results []string, err error) {
+func (r *JobRepository) FindColumnValues(user *schema.User, query string, table string, selectColumn string, whereColumn string) (results []string, err error) {
 	emptyResult := make([]string, 0)
-	if user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport, auth.RoleManager}) {
+	if user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport, schema.RoleManager}) {
 		rows, err := sq.Select(table+"."+selectColumn).Distinct().From(table).
 			Where(table+"."+whereColumn+" LIKE ?", fmt.Sprint("%", query, "%")).
 			RunWith(r.stmtCache).Query()
--- a/internal/repository/query.go
+++ b/internal/repository/query.go
@@ -12,7 +12,6 @@ import (
 	"strings"
 	"time"

-	"github.com/ClusterCockpit/cc-backend/internal/auth"
 	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
@@ -130,20 +129,20 @@ func (r *JobRepository) CountJobs(
 }

 func SecurityCheck(ctx context.Context, query sq.SelectBuilder) (sq.SelectBuilder, error) {
-	user := auth.GetUser(ctx)
+	user := GetUserFromContext(ctx)
 	if user == nil {
 		var qnil sq.SelectBuilder
 		return qnil, fmt.Errorf("user context is nil!")
-	} else if user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport, auth.RoleApi}) { // Admin & Co. : All jobs
+	} else if user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport, schema.RoleApi}) { // Admin & Co. : All jobs
 		return query, nil
-	} else if user.HasRole(auth.RoleManager) { // Manager : Add filter for managed projects' jobs only + personal jobs
+	} else if user.HasRole(schema.RoleManager) { // Manager : Add filter for managed projects' jobs only + personal jobs
 		if len(user.Projects) != 0 {
 			return query.Where(sq.Or{sq.Eq{"job.project": user.Projects}, sq.Eq{"job.user": user.Username}}), nil
 		} else {
 			log.Debugf("Manager-User '%s' has no defined projects to lookup! Query only personal jobs ...", user.Username)
 			return query.Where("job.user = ?", user.Username), nil
 		}
-	} else if user.HasRole(auth.RoleUser) { // User : Only personal jobs
+	} else if user.HasRole(schema.RoleUser) { // User : Only personal jobs
 		return query.Where("job.user = ?", user.Username), nil
 	} else {
 		// Shortterm compatibility: Return User-Query if no roles:
--- a/internal/repository/stats.go
+++ b/internal/repository/stats.go
@@ -10,7 +10,6 @@ import (
 	"fmt"
 	"time"

-	"github.com/ClusterCockpit/cc-backend/internal/auth"
 	"github.com/ClusterCockpit/cc-backend/internal/config"
 	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
@@ -86,7 +85,7 @@ func (r *JobRepository) buildStatsQuery(
 }

 func (r *JobRepository) getUserName(ctx context.Context, id string) string {
-	user := auth.GetUser(ctx)
+	user := GetUserFromContext(ctx)
 	name, _ := r.FindColumnValue(user, id, "user", "name", "username", false)
 	if name != "" {
 		return name
--- a/internal/repository/tags.go
+++ b/internal/repository/tags.go
@@ -7,7 +7,6 @@ package repository
 import (
 	"strings"

-	"github.com/ClusterCockpit/cc-backend/internal/auth"
 	"github.com/ClusterCockpit/cc-backend/pkg/archive"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
 	"github.com/ClusterCockpit/cc-backend/pkg/schema"
@@ -68,7 +67,7 @@ func (r *JobRepository) CreateTag(tagType string, tagName string) (tagId int64,
 	return res.LastInsertId()
 }

-func (r *JobRepository) CountTags(user *auth.User) (tags []schema.Tag, counts map[string]int, err error) {
+func (r *JobRepository) CountTags(user *schema.User) (tags []schema.Tag, counts map[string]int, err error) {
 	tags = make([]schema.Tag, 0, 100)
 	xrows, err := r.DB.Queryx("SELECT id, tag_type, tag_name FROM tag")
 	if err != nil {
@@ -88,10 +87,10 @@ func (r *JobRepository) CountTags(user *auth.User) (tags []schema.Tag, counts ma
 		LeftJoin("jobtag jt ON t.id = jt.tag_id").
 		GroupBy("t.tag_name")

-	if user != nil && user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport}) { // ADMIN || SUPPORT: Count all jobs
+	if user != nil && user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport}) { // ADMIN || SUPPORT: Count all jobs
 		log.Debug("CountTags: User Admin or Support -> Count all Jobs for Tags")
 		// Unchanged: Needs to be own case still, due to UserRole/NoRole compatibility handling in else case
-	} else if user != nil && user.HasRole(auth.RoleManager) { // MANAGER: Count own jobs plus project's jobs
+	} else if user != nil && user.HasRole(schema.RoleManager) { // MANAGER: Count own jobs plus project's jobs
 		// Build ("project1", "project2", ...) list of variable length directly in SQL string
 		q = q.Where("jt.job_id IN (SELECT id FROM job WHERE job.user = ? OR job.project IN (\""+strings.Join(user.Projects, "\",\"")+"\"))", user.Username)
 	} else if user != nil { // USER OR NO ROLE (Compatibility): Only count own jobs
--- a/internal/repository/testdata/job.db
+++ b/internal/repository/testdata/job.db
--- a/internal/repository/user.go
+++ b/internal/repository/user.go
@@ -1,137 +1,351 @@
-// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// Copyright (C) 2023 NHR@FAU, University Erlangen-Nuremberg.
 // All rights reserved.
 // Use of this source code is governed by a MIT-style
 // license that can be found in the LICENSE file.
 package repository

 import (
+	"context"
+	"database/sql"
 	"encoding/json"
+	"errors"
+	"fmt"
+	"strings"
 	"sync"
-	"time"

-	"github.com/ClusterCockpit/cc-backend/internal/auth"
-	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
-	"github.com/ClusterCockpit/cc-backend/pkg/lrucache"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+	sq "github.com/Masterminds/squirrel"
 	"github.com/jmoiron/sqlx"
+	"golang.org/x/crypto/bcrypt"
 )

 var (
-	userCfgRepoOnce     sync.Once
-	userCfgRepoInstance *UserCfgRepo
+	userRepoOnce     sync.Once
+	userRepoInstance *UserRepository
 )

-type UserCfgRepo struct {
-	DB         *sqlx.DB
-	Lookup     *sqlx.Stmt
-	lock       sync.RWMutex
-	uiDefaults map[string]interface{}
-	cache      *lrucache.Cache
+type UserRepository struct {
+	DB     *sqlx.DB
+	driver string
 }

-func GetUserCfgRepo() *UserCfgRepo {
-	userCfgRepoOnce.Do(func() {
+func GetUserRepository() *UserRepository {
+	userRepoOnce.Do(func() {
 		db := GetConnection()

-		lookupConfigStmt, err := db.DB.Preparex(`SELECT confkey, value FROM configuration WHERE configuration.username = ?`)
-		if err != nil {
-			log.Fatalf("db.DB.Preparex() error: %v", err)
-		}
-
-		userCfgRepoInstance = &UserCfgRepo{
-			DB:         db.DB,
-			Lookup:     lookupConfigStmt,
-			uiDefaults: config.Keys.UiDefaults,
-			cache:      lrucache.New(1024),
+		userRepoInstance = &UserRepository{
+			DB:     db.DB,
+			driver: db.Driver,
 		}
 	})
-
-	return userCfgRepoInstance
+	return userRepoInstance
 }

-// Return the personalised UI config for the currently authenticated
-// user or return the plain default config.
-func (uCfg *UserCfgRepo) GetUIConfig(user *auth.User) (map[string]interface{}, error) {
-	if user == nil {
-		uCfg.lock.RLock()
-		copy := make(map[string]interface{}, len(uCfg.uiDefaults))
-		for k, v := range uCfg.uiDefaults {
-			copy[k] = v
-		}
-		uCfg.lock.RUnlock()
-		return copy, nil
-	}
-
-	data := uCfg.cache.Get(user.Username, func() (interface{}, time.Duration, int) {
-		uiconfig := make(map[string]interface{}, len(uCfg.uiDefaults))
-		for k, v := range uCfg.uiDefaults {
-			uiconfig[k] = v
-		}
-
-		rows, err := uCfg.Lookup.Query(user.Username)
-		if err != nil {
-			log.Warnf("Error while looking up user uiconfig for user '%v'", user.Username)
-			return err, 0, 0
-		}
-
-		size := 0
-		defer rows.Close()
-		for rows.Next() {
-			var key, rawval string
-			if err := rows.Scan(&key, &rawval); err != nil {
-				log.Warn("Error while scanning user uiconfig values")
-				return err, 0, 0
-			}
-
-			var val interface{}
-			if err := json.Unmarshal([]byte(rawval), &val); err != nil {
-				log.Warn("Error while unmarshaling raw user uiconfig json")
-				return err, 0, 0
-			}
-
-			size += len(key)
-			size += len(rawval)
-			uiconfig[key] = val
-		}
-
-		// Add global ShortRunningJobsDuration setting as plot_list_hideShortRunningJobs
-		uiconfig["plot_list_hideShortRunningJobs"] = config.Keys.ShortRunningJobsDuration
-
-		return uiconfig, 24 * time.Hour, size
-	})
-	if err, ok := data.(error); ok {
-		log.Error("Error in returned dataset")
+func (r *UserRepository) GetUser(username string) (*schema.User, error) {
+	user := &schema.User{Username: username}
+	var hashedPassword, name, rawRoles, email, rawProjects sql.NullString
+	if err := sq.Select("password", "ldap", "name", "roles", "email", "projects").From("user").
+		Where("user.username = ?", username).RunWith(r.DB).
+		QueryRow().Scan(&hashedPassword, &user.AuthSource, &name, &rawRoles, &email, &rawProjects); err != nil {
+		log.Warnf("Error while querying user '%v' from database", username)
 		return nil, err
 	}

-	return data.(map[string]interface{}), nil
-}
-
-// If the context does not have a user, update the global ui configuration
-// without persisting it!  If there is a (authenticated) user, update only his
-// configuration.
-func (uCfg *UserCfgRepo) UpdateConfig(
-	key, value string,
-	user *auth.User) error {
-
-	if user == nil {
-		var val interface{}
-		if err := json.Unmarshal([]byte(value), &val); err != nil {
-			log.Warn("Error while unmarshaling raw user config json")
-			return err
+	user.Password = hashedPassword.String
+	user.Name = name.String
+	user.Email = email.String
+	if rawRoles.Valid {
+		if err := json.Unmarshal([]byte(rawRoles.String), &user.Roles); err != nil {
+			log.Warn("Error while unmarshaling raw roles from DB")
+			return nil, err
+		}
+	}
+	if rawProjects.Valid {
+		if err := json.Unmarshal([]byte(rawProjects.String), &user.Projects); err != nil {
+			return nil, err
 		}
-
-		uCfg.lock.Lock()
-		defer uCfg.lock.Unlock()
-		uCfg.uiDefaults[key] = val
-		return nil
 	}

-	if _, err := uCfg.DB.Exec(`REPLACE INTO configuration (username, confkey, value) VALUES (?, ?, ?)`, user.Username, key, value); err != nil {
-		log.Warnf("Error while replacing user config in DB for user '%v'", user.Username)
+	return user, nil
+}
+
+func (r *UserRepository) GetLdapUsernames() ([]string, error) {
+
+	var users []string
+	rows, err := r.DB.Query(`SELECT username FROM user WHERE user.ldap = 1`)
+	if err != nil {
+		log.Warn("Error while querying usernames")
+		return nil, err
+	}
+
+	for rows.Next() {
+		var username string
+		if err := rows.Scan(&username); err != nil {
+			log.Warnf("Error while scanning for user '%s'", username)
+			return nil, err
+		}
+
+		users = append(users, username)
+	}
+
+	return users, nil
+}
+
+func (r *UserRepository) AddUser(user *schema.User) error {
+	rolesJson, _ := json.Marshal(user.Roles)
+	projectsJson, _ := json.Marshal(user.Projects)
+
+	cols := []string{"username", "roles", "projects"}
+	vals := []interface{}{user.Username, string(rolesJson), string(projectsJson)}
+
+	if user.Name != "" {
+		cols = append(cols, "name")
+		vals = append(vals, user.Name)
+	}
+	if user.Email != "" {
+		cols = append(cols, "email")
+		vals = append(vals, user.Email)
+	}
+	if user.Password != "" {
+		password, err := bcrypt.GenerateFromPassword([]byte(user.Password), bcrypt.DefaultCost)
+		if err != nil {
+			log.Error("Error while encrypting new user password")
+			return err
+		}
+		cols = append(cols, "password")
+		vals = append(vals, string(password))
+	}
+	if user.AuthSource != -1 {
+		cols = append(cols, "ldap")
+		vals = append(vals, int(user.AuthSource))
+	}
+
+	if _, err := sq.Insert("user").Columns(cols...).Values(vals...).RunWith(r.DB).Exec(); err != nil {
+		log.Errorf("Error while inserting new user '%v' into DB", user.Username)
 		return err
 	}

-	uCfg.cache.Del(user.Username)
+	log.Infof("new user %#v created (roles: %s, auth-source: %d, projects: %s)", user.Username, rolesJson, user.AuthSource, projectsJson)
 	return nil
 }
+
+func (r *UserRepository) DelUser(username string) error {
+
+	_, err := r.DB.Exec(`DELETE FROM user WHERE user.username = ?`, username)
+	log.Errorf("Error while deleting user '%s' from DB", username)
+	return err
+}
+
+func (r *UserRepository) ListUsers(specialsOnly bool) ([]*schema.User, error) {
+
+	q := sq.Select("username", "name", "email", "roles", "projects").From("user")
+	if specialsOnly {
+		q = q.Where("(roles != '[\"user\"]' AND roles != '[]')")
+	}
+
+	rows, err := q.RunWith(r.DB).Query()
+	if err != nil {
+		log.Warn("Error while querying user list")
+		return nil, err
+	}
+
+	users := make([]*schema.User, 0)
+	defer rows.Close()
+	for rows.Next() {
+		rawroles := ""
+		rawprojects := ""
+		user := &schema.User{}
+		var name, email sql.NullString
+		if err := rows.Scan(&user.Username, &name, &email, &rawroles, &rawprojects); err != nil {
+			log.Warn("Error while scanning user list")
+			return nil, err
+		}
+
+		if err := json.Unmarshal([]byte(rawroles), &user.Roles); err != nil {
+			log.Warn("Error while unmarshaling raw role list")
+			return nil, err
+		}
+
+		if err := json.Unmarshal([]byte(rawprojects), &user.Projects); err != nil {
+			return nil, err
+		}
+
+		user.Name = name.String
+		user.Email = email.String
+		users = append(users, user)
+	}
+	return users, nil
+}
+
+func (r *UserRepository) AddRole(
+	ctx context.Context,
+	username string,
+	queryrole string) error {
+
+	newRole := strings.ToLower(queryrole)
+	user, err := r.GetUser(username)
+	if err != nil {
+		log.Warnf("Could not load user '%s'", username)
+		return err
+	}
+
+	exists, valid := user.HasValidRole(newRole)
+
+	if !valid {
+		return fmt.Errorf("Supplied role is no valid option : %v", newRole)
+	}
+	if exists {
+		return fmt.Errorf("User %v already has role %v", username, newRole)
+	}
+
+	roles, _ := json.Marshal(append(user.Roles, newRole))
+	if _, err := sq.Update("user").Set("roles", roles).Where("user.username = ?", username).RunWith(r.DB).Exec(); err != nil {
+		log.Errorf("Error while adding new role for user '%s'", user.Username)
+		return err
+	}
+	return nil
+}
+
+func (r *UserRepository) RemoveRole(ctx context.Context, username string, queryrole string) error {
+	oldRole := strings.ToLower(queryrole)
+	user, err := r.GetUser(username)
+	if err != nil {
+		log.Warnf("Could not load user '%s'", username)
+		return err
+	}
+
+	exists, valid := user.HasValidRole(oldRole)
+
+	if !valid {
+		return fmt.Errorf("Supplied role is no valid option : %v", oldRole)
+	}
+	if !exists {
+		return fmt.Errorf("Role already deleted for user '%v': %v", username, oldRole)
+	}
+
+	if oldRole == schema.GetRoleString(schema.RoleManager) && len(user.Projects) != 0 {
+		return fmt.Errorf("Cannot remove role 'manager' while user %s still has assigned project(s) : %v", username, user.Projects)
+	}
+
+	var newroles []string
+	for _, r := range user.Roles {
+		if r != oldRole {
+			newroles = append(newroles, r) // Append all roles not matching requested to be deleted role
+		}
+	}
+
+	var mroles, _ = json.Marshal(newroles)
+	if _, err := sq.Update("user").Set("roles", mroles).Where("user.username = ?", username).RunWith(r.DB).Exec(); err != nil {
+		log.Errorf("Error while removing role for user '%s'", user.Username)
+		return err
+	}
+	return nil
+}
+
+func (r *UserRepository) AddProject(
+	ctx context.Context,
+	username string,
+	project string) error {
+
+	user, err := r.GetUser(username)
+	if err != nil {
+		return err
+	}
+
+	if !user.HasRole(schema.RoleManager) {
+		return fmt.Errorf("user '%s' is not a manager!", username)
+	}
+
+	if user.HasProject(project) {
+		return fmt.Errorf("user '%s' already manages project '%s'", username, project)
+	}
+
+	projects, _ := json.Marshal(append(user.Projects, project))
+	if _, err := sq.Update("user").Set("projects", projects).Where("user.username = ?", username).RunWith(r.DB).Exec(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func (r *UserRepository) RemoveProject(ctx context.Context, username string, project string) error {
+	user, err := r.GetUser(username)
+	if err != nil {
+		return err
+	}
+
+	if !user.HasRole(schema.RoleManager) {
+		return fmt.Errorf("user '%#v' is not a manager!", username)
+	}
+
+	if !user.HasProject(project) {
+		return fmt.Errorf("user '%#v': Cannot remove project '%#v' - Does not match!", username, project)
+	}
+
+	var exists bool
+	var newprojects []string
+	for _, p := range user.Projects {
+		if p != project {
+			newprojects = append(newprojects, p) // Append all projects not matching requested to be deleted project
+		} else {
+			exists = true
+		}
+	}
+
+	if exists == true {
+		var result interface{}
+		if len(newprojects) == 0 {
+			result = "[]"
+		} else {
+			result, _ = json.Marshal(newprojects)
+		}
+		if _, err := sq.Update("user").Set("projects", result).Where("user.username = ?", username).RunWith(r.DB).Exec(); err != nil {
+			return err
+		}
+		return nil
+	} else {
+		return fmt.Errorf("user %s already does not manage project %s", username, project)
+	}
+}
+
+type ContextKey string
+
+const ContextUserKey ContextKey = "user"
+
+func GetUserFromContext(ctx context.Context) *schema.User {
+	x := ctx.Value(ContextUserKey)
+	if x == nil {
+		return nil
+	}
+
+	return x.(*schema.User)
+}
+
+func (r *UserRepository) FetchUserInCtx(ctx context.Context, username string) (*model.User, error) {
+	me := GetUserFromContext(ctx)
+	if me != nil && me.Username != username &&
+		me.HasNotRoles([]schema.Role{schema.RoleAdmin, schema.RoleSupport, schema.RoleManager}) {
+		return nil, errors.New("forbidden")
+	}
+
+	user := &model.User{Username: username}
+	var name, email sql.NullString
+	if err := sq.Select("name", "email").From("user").Where("user.username = ?", username).
+		RunWith(r.DB).QueryRow().Scan(&name, &email); err != nil {
+		if err == sql.ErrNoRows {
+			/* This warning will be logged *often* for non-local users, i.e. users mentioned only in job-table or archive, */
+			/* since FetchUser will be called to retrieve full name and mail for every job in query/list									 */
+			// log.Warnf("User '%s' Not found in DB", username)
+			return nil, nil
+		}
+
+		log.Warnf("Error while fetching user '%s'", username)
+		return nil, err
+	}
+
+	user.Name = name.String
+	user.Email = email.String
+	return user, nil
+}
--- a/internal/repository/userConfig.go
+++ b/internal/repository/userConfig.go
@@ -0,0 +1,137 @@
+// Copyright (C) 2022 NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package repository
+
+import (
+	"encoding/json"
+	"sync"
+	"time"
+
+	"github.com/ClusterCockpit/cc-backend/internal/config"
+	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/lrucache"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
+	"github.com/jmoiron/sqlx"
+)
+
+var (
+	userCfgRepoOnce     sync.Once
+	userCfgRepoInstance *UserCfgRepo
+)
+
+type UserCfgRepo struct {
+	DB         *sqlx.DB
+	Lookup     *sqlx.Stmt
+	lock       sync.RWMutex
+	uiDefaults map[string]interface{}
+	cache      *lrucache.Cache
+}
+
+func GetUserCfgRepo() *UserCfgRepo {
+	userCfgRepoOnce.Do(func() {
+		db := GetConnection()
+
+		lookupConfigStmt, err := db.DB.Preparex(`SELECT confkey, value FROM configuration WHERE configuration.username = ?`)
+		if err != nil {
+			log.Fatalf("db.DB.Preparex() error: %v", err)
+		}
+
+		userCfgRepoInstance = &UserCfgRepo{
+			DB:         db.DB,
+			Lookup:     lookupConfigStmt,
+			uiDefaults: config.Keys.UiDefaults,
+			cache:      lrucache.New(1024),
+		}
+	})
+
+	return userCfgRepoInstance
+}
+
+// Return the personalised UI config for the currently authenticated
+// user or return the plain default config.
+func (uCfg *UserCfgRepo) GetUIConfig(user *schema.User) (map[string]interface{}, error) {
+	if user == nil {
+		uCfg.lock.RLock()
+		copy := make(map[string]interface{}, len(uCfg.uiDefaults))
+		for k, v := range uCfg.uiDefaults {
+			copy[k] = v
+		}
+		uCfg.lock.RUnlock()
+		return copy, nil
+	}
+
+	data := uCfg.cache.Get(user.Username, func() (interface{}, time.Duration, int) {
+		uiconfig := make(map[string]interface{}, len(uCfg.uiDefaults))
+		for k, v := range uCfg.uiDefaults {
+			uiconfig[k] = v
+		}
+
+		rows, err := uCfg.Lookup.Query(user.Username)
+		if err != nil {
+			log.Warnf("Error while looking up user uiconfig for user '%v'", user.Username)
+			return err, 0, 0
+		}
+
+		size := 0
+		defer rows.Close()
+		for rows.Next() {
+			var key, rawval string
+			if err := rows.Scan(&key, &rawval); err != nil {
+				log.Warn("Error while scanning user uiconfig values")
+				return err, 0, 0
+			}
+
+			var val interface{}
+			if err := json.Unmarshal([]byte(rawval), &val); err != nil {
+				log.Warn("Error while unmarshaling raw user uiconfig json")
+				return err, 0, 0
+			}
+
+			size += len(key)
+			size += len(rawval)
+			uiconfig[key] = val
+		}
+
+		// Add global ShortRunningJobsDuration setting as plot_list_hideShortRunningJobs
+		uiconfig["plot_list_hideShortRunningJobs"] = config.Keys.ShortRunningJobsDuration
+
+		return uiconfig, 24 * time.Hour, size
+	})
+	if err, ok := data.(error); ok {
+		log.Error("Error in returned dataset")
+		return nil, err
+	}
+
+	return data.(map[string]interface{}), nil
+}
+
+// If the context does not have a user, update the global ui configuration
+// without persisting it!  If there is a (authenticated) user, update only his
+// configuration.
+func (uCfg *UserCfgRepo) UpdateConfig(
+	key, value string,
+	user *schema.User) error {
+
+	if user == nil {
+		var val interface{}
+		if err := json.Unmarshal([]byte(value), &val); err != nil {
+			log.Warn("Error while unmarshaling raw user config json")
+			return err
+		}
+
+		uCfg.lock.Lock()
+		defer uCfg.lock.Unlock()
+		uCfg.uiDefaults[key] = val
+		return nil
+	}
+
+	if _, err := uCfg.DB.Exec(`REPLACE INTO configuration (username, confkey, value) VALUES (?, ?, ?)`, user.Username, key, value); err != nil {
+		log.Warnf("Error while replacing user config in DB for user '%v'", user.Username)
+		return err
+	}
+
+	uCfg.cache.Del(user.Username)
+	return nil
+}
--- a/internal/repository/userConfig_test.go
+++ b/internal/repository/userConfig_test.go
@@ -9,9 +9,9 @@ import (
 	"path/filepath"
 	"testing"

-	"github.com/ClusterCockpit/cc-backend/internal/auth"
 	"github.com/ClusterCockpit/cc-backend/internal/config"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 	_ "github.com/mattn/go-sqlite3"
 )

@@ -22,6 +22,9 @@ func setupUserTest(t *testing.T) *UserCfgRepo {
 		"kind": "file",
 		"path": "./var/job-archive"
 	},
+    "jwts": {
+        "max-age": "2m"
+    },
 	"clusters": [
 	{
 	   "name": "testcluster",
@@ -53,7 +56,7 @@ func setupUserTest(t *testing.T) *UserCfgRepo {

 func TestGetUIConfig(t *testing.T) {
 	r := setupUserTest(t)
-	u := auth.User{Username: "demo"}
+	u := schema.User{Username: "demo"}

 	cfg, err := r.GetUIConfig(&u)
 	if err != nil {
--- a/internal/routerConfig/routes.go
+++ b/internal/routerConfig/routes.go
@@ -8,14 +8,16 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"os"
 	"strconv"
 	"strings"
 	"time"

-	"github.com/ClusterCockpit/cc-backend/internal/auth"
 	"github.com/ClusterCockpit/cc-backend/internal/graph/model"
 	"github.com/ClusterCockpit/cc-backend/internal/repository"
+	"github.com/ClusterCockpit/cc-backend/internal/util"
 	"github.com/ClusterCockpit/cc-backend/pkg/log"
+	"github.com/ClusterCockpit/cc-backend/pkg/schema"
 	"github.com/ClusterCockpit/cc-backend/web"
 	"github.com/gorilla/mux"
 )
@@ -60,6 +62,16 @@ func setupHomeRoute(i InfoType, r *http.Request) InfoType {
 	}

 	i["clusters"] = stats
+
+	if util.CheckFileExists("./var/notice.txt") {
+		msg, err := os.ReadFile("./var/notice.txt")
+		if err != nil {
+			log.Warnf("failed to read notice.txt file: %s", err.Error())
+		} else {
+			i["message"] = string(msg)
+		}
+	}
+
 	return i
 }

@@ -69,12 +81,11 @@ func setupJobRoute(i InfoType, r *http.Request) InfoType {
 }

 func setupUserRoute(i InfoType, r *http.Request) InfoType {
-	jobRepo := repository.GetJobRepository()
 	username := mux.Vars(r)["id"]
 	i["id"] = username
 	i["username"] = username
 	// TODO: If forbidden (== err exists), redirect to error page
-	if user, _ := auth.FetchUser(r.Context(), jobRepo.DB, username); user != nil {
+	if user, _ := repository.GetUserRepository().FetchUserInCtx(r.Context(), username); user != nil {
 		i["name"] = user.Name
 		i["email"] = user.Email
 	}
@@ -113,7 +124,7 @@ func setupAnalysisRoute(i InfoType, r *http.Request) InfoType {

 func setupTaglistRoute(i InfoType, r *http.Request) InfoType {
 	jobRepo := repository.GetJobRepository()
-	user := auth.GetUser(r.Context())
+	user := repository.GetUserFromContext(r.Context())

 	tags, counts, err := jobRepo.CountTags(user)
 	tagMap := make(map[string][]map[string]interface{})
@@ -243,7 +254,7 @@ func SetupRoutes(router *mux.Router, buildInfo web.Build) {
 	for _, route := range routes {
 		route := route
 		router.HandleFunc(route.Route, func(rw http.ResponseWriter, r *http.Request) {
-			conf, err := userCfgRepo.GetUIConfig(auth.GetUser(r.Context()))
+			conf, err := userCfgRepo.GetUIConfig(repository.GetUserFromContext(r.Context()))
 			if err != nil {
 				http.Error(rw, err.Error(), http.StatusInternalServerError)
 				return
@@ -256,9 +267,9 @@ func SetupRoutes(router *mux.Router, buildInfo web.Build) {
 			}

 			// Get User -> What if NIL?
-			user := auth.GetUser(r.Context())
+			user := repository.GetUserFromContext(r.Context())
 			// Get Roles
-			availableRoles, _ := auth.GetValidRolesMap(user)
+			availableRoles, _ := schema.GetValidRolesMap(user)

 			page := web.Page{
 				Title:  title,
@@ -273,14 +284,14 @@ func SetupRoutes(router *mux.Router, buildInfo web.Build) {
 				page.FilterPresets = buildFilterPresets(r.URL.Query())
 			}

-			web.RenderTemplate(rw, r, route.Template, &page)
+			web.RenderTemplate(rw, route.Template, &page)
 		})
 	}
 }

 func HandleSearchBar(rw http.ResponseWriter, r *http.Request, buildInfo web.Build) {
-	user := auth.GetUser(r.Context())
-	availableRoles, _ := auth.GetValidRolesMap(user)
+	user := repository.GetUserFromContext(r.Context())
+	availableRoles, _ := schema.GetValidRolesMap(user)

 	if search := r.URL.Query().Get("searchId"); search != "" {
 		repo := repository.GetJobRepository()
@@ -294,11 +305,13 @@ func HandleSearchBar(rw http.ResponseWriter, r *http.Request, buildInfo web.Buil
 				http.Redirect(rw, r, "/monitoring/jobs/?jobName="+url.QueryEscape(strings.Trim(splitSearch[1], " ")), http.StatusFound) // All Users: Redirect to Tablequery
 			case "projectId":
 				http.Redirect(rw, r, "/monitoring/jobs/?projectMatch=eq&project="+url.QueryEscape(strings.Trim(splitSearch[1], " ")), http.StatusFound) // All Users: Redirect to Tablequery
+			case "arrayJobId":
+				http.Redirect(rw, r, "/monitoring/jobs/?arrayJobId="+url.QueryEscape(strings.Trim(splitSearch[1], " ")), http.StatusFound) // All Users: Redirect to Tablequery
 			case "username":
-				if user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport, auth.RoleManager}) {
+				if user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport, schema.RoleManager}) {
 					http.Redirect(rw, r, "/monitoring/users/?user="+url.QueryEscape(strings.Trim(splitSearch[1], " ")), http.StatusFound)
 				} else {
-					web.RenderTemplate(rw, r, "message.tmpl", &web.Page{Title: "Error", MsgType: "alert-danger", Message: "Missing Access Rights", User: *user, Roles: availableRoles, Build: buildInfo})
+					web.RenderTemplate(rw, "message.tmpl", &web.Page{Title: "Error", MsgType: "alert-danger", Message: "Missing Access Rights", User: *user, Roles: availableRoles, Build: buildInfo})
 				}
 			case "name":
 				usernames, _ := repo.FindColumnValues(user, strings.Trim(splitSearch[1], " "), "user", "username", "name")
@@ -306,14 +319,14 @@ func HandleSearchBar(rw http.ResponseWriter, r *http.Request, buildInfo web.Buil
 					joinedNames := strings.Join(usernames, "&user=")
 					http.Redirect(rw, r, "/monitoring/users/?user="+joinedNames, http.StatusFound)
 				} else {
-					if user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport, auth.RoleManager}) {
+					if user.HasAnyRole([]schema.Role{schema.RoleAdmin, schema.RoleSupport, schema.RoleManager}) {
 						http.Redirect(rw, r, "/monitoring/users/?user=NoUserNameFound", http.StatusPermanentRedirect)
 					} else {
-						web.RenderTemplate(rw, r, "message.tmpl", &web.Page{Title: "Error", MsgType: "alert-danger", Message: "Missing Access Rights", User: *user, Roles: availableRoles, Build: buildInfo})
+						web.RenderTemplate(rw, "message.tmpl", &web.Page{Title: "Error", MsgType: "alert-danger", Message: "Missing Access Rights", User: *user, Roles: availableRoles, Build: buildInfo})
 					}
 				}
 			default:
-				web.RenderTemplate(rw, r, "message.tmpl", &web.Page{Title: "Warning", MsgType: "alert-warning", Message: fmt.Sprintf("Unknown search type: %s", strings.Trim(splitSearch[0], " ")), User: *user, Roles: availableRoles, Build: buildInfo})
+				web.RenderTemplate(rw, "message.tmpl", &web.Page{Title: "Warning", MsgType: "alert-warning", Message: fmt.Sprintf("Unknown search type: %s", strings.Trim(splitSearch[0], " ")), User: *user, Roles: availableRoles, Build: buildInfo})
 			}
 		} else if len(splitSearch) == 1 {

@@ -328,13 +341,13 @@ func HandleSearchBar(rw http.ResponseWriter, r *http.Request, buildInfo web.Buil
 			} else if jobname != "" {
 				http.Redirect(rw, r, "/monitoring/jobs/?jobName="+url.QueryEscape(jobname), http.StatusFound) // JobName (contains)
 			} else {
-				web.RenderTemplate(rw, r, "message.tmpl", &web.Page{Title: "Info", MsgType: "alert-info", Message: "Search without result", User: *user, Roles: availableRoles, Build: buildInfo})
+				web.RenderTemplate(rw, "message.tmpl", &web.Page{Title: "Info", MsgType: "alert-info", Message: "Search without result", User: *user, Roles: availableRoles, Build: buildInfo})
 			}

 		} else {
-			web.RenderTemplate(rw, r, "message.tmpl", &web.Page{Title: "Error", MsgType: "alert-danger", Message: "Searchbar query parameters malformed", User: *user, Roles: availableRoles, Build: buildInfo})
+			web.RenderTemplate(rw, "message.tmpl", &web.Page{Title: "Error", MsgType: "alert-danger", Message: "Searchbar query parameters malformed", User: *user, Roles: availableRoles, Build: buildInfo})
 		}
 	} else {
-		web.RenderTemplate(rw, r, "message.tmpl", &web.Page{Title: "Warning", MsgType: "alert-warning", Message: "Empty search", User: *user, Roles: availableRoles, Build: buildInfo})
+		web.RenderTemplate(rw, "message.tmpl", &web.Page{Title: "Warning", MsgType: "alert-warning", Message: "Empty search", User: *user, Roles: availableRoles, Build: buildInfo})
 	}
 }
--- a/internal/util/array.go
+++ b/internal/util/array.go
@@ -0,0 +1,14 @@
+// Copyright (C) 2023 NHR@FAU, University Erlangen-Nuremberg.
+// All rights reserved.
+// Use of this source code is governed by a MIT-style
+// license that can be found in the LICENSE file.
+package util
+
+func Contains[T comparable](items []T, item T) bool {
+	for _, v := range items {
+		if v == item {
+			return true
+		}
+	}
+	return false
+}