go-authgate · appleboy · Mar 5, 2026 · Mar 5, 2026 · Mar 5, 2026
diff --git a/internal/bootstrap/handlers.go b/internal/bootstrap/handlers.go
@@ -17,6 +17,7 @@ type handlerSet struct {
 	device        *handlers.DeviceHandler
 	token         *handlers.TokenHandler
 	client        *handlers.ClientHandler
+	userClient    *handlers.UserClientHandler
 	session       *handlers.SessionHandler
 	oauth         *handlers.OAuthHandler
 	audit         *handlers.AuditHandler
@@ -58,8 +59,9 @@ func initializeHandlers(deps handlerDeps) handlerSet {
 			deps.services.authorization,
 			deps.cfg,
 		),
-		client:  handlers.NewClientHandler(deps.services.client, deps.services.authorization),
-		session: handlers.NewSessionHandler(deps.services.token, deps.services.user),
+		client:     handlers.NewClientHandler(deps.services.client, deps.services.authorization),
+		userClient: handlers.NewUserClientHandler(deps.services.client),
+		session:    handlers.NewSessionHandler(deps.services.token, deps.services.user),
 		oauth: handlers.NewOAuthHandler(
 			deps.oauthProviders,
 			deps.services.user,

diff --git a/internal/bootstrap/router.go b/internal/bootstrap/router.go
@@ -172,17 +172,21 @@ func setupAllRoutes(
 		oauthProtected.POST("/authorize", h.authorization.HandleAuthorize)
 	}
 
+	// injectPendingCount adds the pending client count to context for admin users.
+	// Applied to all authenticated route groups so the navbar badge is visible site-wide.
+	injectPending := h.client.InjectPendingCount()
+
 	// Protected routes (require login)
 	protected := r.Group("")
-	protected.Use(middleware.RequireAuth(h.userService), middleware.CSRFMiddleware())
+	protected.Use(middleware.RequireAuth(h.userService), middleware.CSRFMiddleware(), injectPending)
 	{
 		protected.GET("/device", h.device.DevicePage)
 		protected.POST("/device/verify", rateLimiters.deviceVerify, h.device.DeviceVerify)
 	}
 
 	// Account routes (require login)
 	account := r.Group("/account")
-	account.Use(middleware.RequireAuth(h.userService), middleware.CSRFMiddleware())
+	account.Use(middleware.RequireAuth(h.userService), middleware.CSRFMiddleware(), injectPending)
 	{
 		account.GET("/sessions", h.session.ListSessions)
 		account.POST("/sessions/:id/revoke", h.session.RevokeSession)
@@ -194,12 +198,27 @@ func setupAllRoutes(
 		account.POST("/authorizations/:uuid/revoke", h.authorization.RevokeAuthorization)
 	}
 
+	// User apps area (all authenticated users, not admin-only)
+	apps := r.Group("/apps")
+	apps.Use(middleware.RequireAuth(h.userService), middleware.CSRFMiddleware(), injectPending)
+	{
+		apps.GET("", h.userClient.ShowMyAppsPage)
+		apps.GET("/new", h.userClient.ShowCreateAppPage)
+		apps.POST("", h.userClient.CreateApp)
+		apps.GET("/:id", h.userClient.ShowAppPage)
+		apps.GET("/:id/edit", h.userClient.ShowEditAppPage)
+		apps.POST("/:id", h.userClient.UpdateApp)
+		apps.POST("/:id/delete", h.userClient.DeleteApp)
+		apps.GET("/:id/regenerate-secret", h.userClient.RegenerateAppSecret)
+	}
+
 	// Admin routes (require admin role)
 	admin := r.Group("/admin")
 	admin.Use(
 		middleware.RequireAuth(h.userService),
 		middleware.RequireAdmin(h.userService),
 		middleware.CSRFMiddleware(),
+		injectPending,
 	)
 	{
 		admin.GET("/clients", h.client.ShowClientsPage)
@@ -212,6 +231,8 @@ func setupAllRoutes(
 		admin.GET("/clients/:id/regenerate-secret", h.client.RegenerateSecret)
 		admin.POST("/clients/:id/revoke-all", h.client.RevokeAllTokens)
 		admin.GET("/clients/:id/authorizations", h.client.ListClientAuthorizations)
+		admin.POST("/clients/:id/approve", h.client.ApproveClient)
+		admin.POST("/clients/:id/reject", h.client.RejectClient)
 
 		// Audit log routes (HTML pages)
 		admin.GET("/audit", h.audit.ShowAuditLogsPage)

diff --git a/internal/handlers/audit.go b/internal/handlers/audit.go
@@ -95,7 +95,7 @@ func (h *AuditHandler) ShowAuditLogsPage(c *gin.Context) {
 
 	templates.RenderTempl(c, http.StatusOK, templates.AdminAuditLogs(templates.AuditLogsPageProps{
 		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-		NavbarProps: buildNavbarProps(userModel, "audit"),
+		NavbarProps: buildNavbarProps(c, userModel, "audit"),
 		User:        userModel,
 		Logs:        toPointerSlice(logs),
 		Page:        pagination.CurrentPage,

diff --git a/internal/handlers/authorization.go b/internal/handlers/authorization.go
@@ -113,7 +113,7 @@ func (h *AuthorizationHandler) ShowAuthorizePage(c *gin.Context) {
 	// Render the consent page
 	templates.RenderTempl(c, http.StatusOK, templates.AuthorizePage(templates.AuthorizePageProps{
 		BaseProps:           templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-		NavbarProps:         buildNavbarProps(user, ""),
+		NavbarProps:         buildNavbarProps(c, user, ""),
 		Username:            user.Username,
 		ClientID:            req.Client.ClientID,
 		ClientName:          req.Client.ClientName,

diff --git a/internal/handlers/client.go b/internal/handlers/client.go
@@ -42,15 +42,33 @@ func parseRedirectURIs(input string) []string {
 	return redirectURIs
 }
 
+// InjectPendingCount is a middleware that queries the pending client count for
+// admin users and stores it in the gin context so buildNavbarProps can show the
+// badge on every page. Non-admin users are skipped to avoid unnecessary queries.
+func (h *ClientHandler) InjectPendingCount() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		if u, exists := c.Get("user"); exists {
+			if user, ok := u.(*models.User); ok && user.IsAdmin() {
+				if count, err := h.clientService.CountPendingClients(); err == nil {
+					c.Set(ctxKeyPendingClientsCount, int(count))
+				}
+			}
+		}
+		c.Next()
+	}
+}
+
 // ShowClientsPage displays the list of all OAuth clients
 func (h *ClientHandler) ShowClientsPage(c *gin.Context) {
 	// Parse pagination parameters
 	page, _ := strconv.Atoi(c.DefaultQuery("page", "1"))
 	pageSize, _ := strconv.Atoi(c.DefaultQuery("page_size", "10"))
 	search := c.Query("search")
+	statusFilter := c.Query("status")
 
-	// Create pagination params
+	// Create pagination params (with optional status filter)
 	params := store.NewPaginationParams(page, pageSize, search)
+	params.StatusFilter = statusFilter
 
 	// Get paginated clients with creator information
 	clients, pagination, err := h.clientService.ListClientsPaginatedWithCreator(params)
@@ -77,15 +95,18 @@ func (h *ClientHandler) ShowClientsPage(c *gin.Context) {
 	user, _ := c.Get("user")
 	userModel := user.(*models.User)
 
+	navbar := buildNavbarProps(c, userModel, "clients")
+
 	templates.RenderTempl(c, http.StatusOK, templates.AdminClients(templates.ClientsPageProps{
-		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-		NavbarProps: buildNavbarProps(userModel, "clients"),
-		User:        userModel,
-		Clients:     clients,
-		Pagination:  pagination,
-		Search:      search,
-		PageSize:    pageSize,
-		Success:     successMsg,
+		BaseProps:    templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
+		NavbarProps:  navbar,
+		User:         userModel,
+		Clients:      clients,
+		Pagination:   pagination,
+		Search:       search,
+		PageSize:     pageSize,
+		Success:      successMsg,
+		StatusFilter: statusFilter,
 	}))
 }
 
@@ -96,7 +117,7 @@ func (h *ClientHandler) ShowCreateClientPage(c *gin.Context) {
 
 	templates.RenderTempl(c, http.StatusOK, templates.AdminClientForm(templates.ClientFormPageProps{
 		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-		NavbarProps: buildNavbarProps(userModel, "clients"),
+		NavbarProps: buildNavbarProps(c, userModel, "clients"),
 		Title:       "Create OAuth Client",
 		Method:      http.MethodPost,
 		Action:      "/admin/clients",
@@ -119,6 +140,7 @@ func (h *ClientHandler) CreateClient(c *gin.Context) {
 		EnableDeviceFlow:            c.PostForm("enable_device_flow") == queryValueTrue,
 		EnableAuthCodeFlow:          c.PostForm("enable_auth_code_flow") == queryValueTrue,
 		EnableClientCredentialsFlow: c.PostForm("enable_client_credentials_flow") == queryValueTrue,
+		IsAdminCreated:              true, // admin-created clients are immediately active
 	}
 
 	resp, err := h.clientService.CreateClient(c.Request.Context(), req)
@@ -143,7 +165,7 @@ func (h *ClientHandler) CreateClient(c *gin.Context) {
 			http.StatusBadRequest,
 			templates.AdminClientForm(templates.ClientFormPageProps{
 				BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-				NavbarProps: buildNavbarProps(userModel, "clients"),
+				NavbarProps: buildNavbarProps(c, userModel, "clients"),
 				Client:      clientData,
 				Error:       err.Error(),
 				Title:       "Create OAuth Client",
@@ -173,14 +195,15 @@ func (h *ClientHandler) CreateClient(c *gin.Context) {
 		EnableAuthCodeFlow:          resp.EnableAuthCodeFlow,
 		EnableClientCredentialsFlow: resp.EnableClientCredentialsFlow,
 		IsActive:                    resp.IsActive,
+		Status:                      resp.Status,
 	}
 
 	templates.RenderTempl(
 		c,
 		http.StatusOK,
 		templates.AdminClientCreated(templates.ClientCreatedPageProps{
 			BaseProps:    templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-			NavbarProps:  buildNavbarProps(userModel, "clients"),
+			NavbarProps:  buildNavbarProps(c, userModel, "clients"),
 			Client:       clientDisplay,
 			ClientSecret: resp.ClientSecretPlain,
 		}),
@@ -220,7 +243,7 @@ func (h *ClientHandler) ShowEditClientPage(c *gin.Context) {
 
 	templates.RenderTempl(c, http.StatusOK, templates.AdminClientForm(templates.ClientFormPageProps{
 		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-		NavbarProps: buildNavbarProps(userModel, "clients"),
+		NavbarProps: buildNavbarProps(c, userModel, "clients"),
 		Client:      clientDisplay,
 		Title:       "Edit OAuth Client",
 		Method:      http.MethodPost,
@@ -275,7 +298,7 @@ func (h *ClientHandler) UpdateClient(c *gin.Context) {
 			http.StatusBadRequest,
 			templates.AdminClientForm(templates.ClientFormPageProps{
 				BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-				NavbarProps: buildNavbarProps(userModel, "clients"),
+				NavbarProps: buildNavbarProps(c, userModel, "clients"),
 				Client:      clientDisplay,
 				Error:       err.Error(),
 				Title:       "Edit OAuth Client",
@@ -340,7 +363,7 @@ func (h *ClientHandler) RegenerateSecret(c *gin.Context) {
 		http.StatusOK,
 		templates.AdminClientSecret(templates.ClientSecretPageProps{
 			BaseProps:    templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-			NavbarProps:  buildNavbarProps(userModel, "clients"),
+			NavbarProps:  buildNavbarProps(c, userModel, "clients"),
 			Client:       client,
 			ClientSecret: newSecret,
 		}),
@@ -369,21 +392,59 @@ func (h *ClientHandler) ViewClient(c *gin.Context) {
 		successMsg = "All active tokens have been revoked. Users will need to re-authenticate."
 	case "updated":
 		successMsg = "Client updated successfully."
+	case "approved":
+		successMsg = "Client approved. It is now active and can be used for OAuth flows."
+	case "rejected":
+		successMsg = "Client rejected. It has been set to inactive."
 	}
 
 	templates.RenderTempl(
 		c,
 		http.StatusOK,
 		templates.AdminClientDetail(templates.ClientDetailPageProps{
 			BaseProps:        templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-			NavbarProps:      buildNavbarProps(userModel, "clients"),
+			NavbarProps:      buildNavbarProps(c, userModel, "clients"),
 			Client:           client,
 			ActiveTokenCount: activeTokenCount,
 			Success:          successMsg,
 		}),
 	)
 }
 
+// ApproveClient sets a pending client's status to active.
+func (h *ClientHandler) ApproveClient(c *gin.Context) {
+	clientID := c.Param("id")
+	userID, _ := c.Get("user_id")
+
+	if err := h.clientService.ApproveClient(
+		c.Request.Context(),
+		clientID,
+		userID.(string),
+	); err != nil {
+		renderErrorPage(c, http.StatusInternalServerError, "Failed to approve client: "+err.Error())
+		return
+	}
+
+	c.Redirect(http.StatusFound, "/admin/clients/"+clientID+"?success=approved")
+}
+
+// RejectClient sets a pending client's status to inactive.
+func (h *ClientHandler) RejectClient(c *gin.Context) {
+	clientID := c.Param("id")
+	userID, _ := c.Get("user_id")
+
+	if err := h.clientService.RejectClient(
+		c.Request.Context(),
+		clientID,
+		userID.(string),
+	); err != nil {
+		renderErrorPage(c, http.StatusInternalServerError, "Failed to reject client: "+err.Error())
+		return
+	}
+
+	c.Redirect(http.StatusFound, "/admin/clients/"+clientID+"?success=rejected")
+}
+
 // ListClientAuthorizations shows all users who have granted access to this client (admin overview).
 func (h *ClientHandler) ListClientAuthorizations(c *gin.Context) {
 	clientID := c.Param("id")
@@ -424,7 +485,7 @@ func (h *ClientHandler) ListClientAuthorizations(c *gin.Context) {
 		http.StatusOK,
 		templates.AdminClientAuthorizations(templates.ClientAuthorizationsPageProps{
 			BaseProps:      templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-			NavbarProps:    buildNavbarProps(userModel, "clients"),
+			NavbarProps:    buildNavbarProps(c, userModel, "clients"),
 			Client:         client,
 			Authorizations: displayAuths,
 		}),
@@ -452,7 +513,7 @@ func (h *ClientHandler) RevokeAllTokens(c *gin.Context) {
 			http.StatusInternalServerError,
 			templates.AdminClientDetail(templates.ClientDetailPageProps{
 				BaseProps:        templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-				NavbarProps:      buildNavbarProps(userModel, "clients"),
+				NavbarProps:      buildNavbarProps(c, userModel, "clients"),
 				Client:           client,
 				ActiveTokenCount: activeTokenCount,
 				Error:            "Failed to revoke tokens: " + err.Error(),

diff --git a/internal/handlers/session.go b/internal/handlers/session.go
@@ -59,7 +59,7 @@ func (h *SessionHandler) ListSessions(c *gin.Context) {
 
 	templates.RenderTempl(c, http.StatusOK, templates.AccountSessions(templates.SessionsPageProps{
 		BaseProps:   templates.BaseProps{CSRFToken: middleware.GetCSRFToken(c)},
-		NavbarProps: buildNavbarProps(user, "sessions"),
+		NavbarProps: buildNavbarProps(c, user, "sessions"),
 		Sessions:    tokens,
 		Pagination:  pagination,
 		Search:      search,