Chg: update image tag in helm values to v2.8.0

Chg: update image tag in helm values to v2.8.0-RC2
Merge pull request #103 from Telecominfraproject/main
2025-10-30 02:12:32 +00:00 · 2023-01-03 21:56:53 +00:00 · 2022-12-16 14:51:54 +00:00 · 2022-12-14 20:53:51 -08:00 · 2022-12-14 11:52:00 -08:00 · 2022-12-14 11:51:34 -08:00
254 changed files with 31207 additions and 8026 deletions
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,7 @@ on:
  pull_request:
    branches:
      - main
+      - 'release/*'

 defaults:
  run:
@@ -25,45 +26,78 @@ jobs:
      DOCKER_REGISTRY_URL: tip-tip-wlan-cloud-ucentral.jfrog.io
      DOCKER_REGISTRY_USERNAME: ucentral
    steps:
-    - uses: actions/checkout@v2
-
-    - name: Build Docker image
-      run: docker build -t wlan-cloud-owsec:${{ github.sha }} .
-
-    - name: Tag Docker image
-      run: |
-        TAGS="${{ github.sha }}"
-
-        if [[ ${GITHUB_REF} == "refs/heads/"* ]]
-        then
-          CURRENT_TAG=$(echo ${GITHUB_REF#refs/heads/} | tr '/' '-')
-          TAGS="$TAGS $CURRENT_TAG"
-        else
-          if [[ ${GITHUB_REF} == "refs/tags/"* ]]
-          then
-            CURRENT_TAG=$(echo ${GITHUB_REF#refs/tags/} | tr '/' '-')
-            TAGS="$TAGS $CURRENT_TAG"
-          else # PR build
-            CURRENT_TAG=$(echo ${GITHUB_HEAD_REF#refs/heads/} | tr '/' '-')
-            TAGS="$TAGS $CURRENT_TAG"
-          fi
-        fi
-
-        echo "Result tags: $TAGS"
-
-        for tag in $TAGS; do
-          docker tag wlan-cloud-owsec:${{ github.sha }} ${{ env.DOCKER_REGISTRY_URL }}/owsec:$tag
-        done
-
-    - name: Log into Docker registry
-      if: startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/pull/') || github.ref == 'refs/heads/main'
-      uses: docker/login-action@v1
+    - name: Checkout actions repo
+      uses: actions/checkout@v3
      with:
-        registry: ${{ env.DOCKER_REGISTRY_URL }}
-        username: ${{ env.DOCKER_REGISTRY_USERNAME }}
-        password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+        repository: Telecominfraproject/.github
+        path: github

-    - name: Push Docker images
-      if: startsWith(github.ref, 'refs/tags/') || startsWith(github.ref, 'refs/pull/') || github.ref == 'refs/heads/main'
+    - name: Build and push Docker image
+      uses: ./github/composite-actions/docker-image-build
+      with:
+        image_name: owsec
+        registry: tip-tip-wlan-cloud-ucentral.jfrog.io
+        registry_user: ucentral
+        registry_password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
+
+    - name: Notify on failure via Slack
+      if: failure() && github.ref == 'refs/heads/main'
+      uses: rtCamp/action-slack-notify@v2
+      env:
+        SLACK_USERNAME: GitHub Actions failure notifier
+        SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK }}
+        SLACK_COLOR: "${{ job.status }}"
+        SLACK_ICON: https://raw.githubusercontent.com/quintessence/slack-icons/master/images/github-logo-slack-icon.png
+        SLACK_TITLE: Docker build failed for OWSec service
+
+  trigger-testing:
+    if: startsWith(github.ref, 'refs/pull/')
+    runs-on: ubuntu-latest
+    needs: docker
+    steps:
+    - name: Get base branch name and set as output
+      id: get_base_branch
      run: |
-        docker images | grep ${{ env.DOCKER_REGISTRY_URL }}/owsec | awk -F ' ' '{print $1":"$2}' | xargs -I {} docker push {}
+        echo "branch=$(echo ${GITHUB_BASE_REF##*/})" >> $GITHUB_OUTPUT
+        echo "owgw_branch=$(echo ${GITHUB_BASE_REF##*/} | sed 's/main/master/g')" >> $GITHUB_OUTPUT
+
+    - name: Checkout actions repo
+      uses: actions/checkout@v3
+      with:
+        repository: Telecominfraproject/.github
+        path: github
+
+    - name: Trigger testing of OpenWifi Docker Compose deployment and wait for result
+      uses: ./github/composite-actions/trigger-workflow-and-wait
+      env:
+        BASE_BRANCH: ${{ steps.get_base_branch.outputs.branch }}
+        OWGW_BASE_BRANCH: ${{ steps.get_base_branch.outputs.owgw_branch }}
+      with:
+        owner: Telecominfraproject
+        repo: wlan-testing
+        workflow: ow_docker-compose.yml
+        token: ${{ secrets.WLAN_TESTING_PAT }}
+        ref: master
+        inputs: '{"deployment_version": "${{ env.BASE_BRANCH }}", "owgw_version": "${{ env.OWGW_BASE_BRANCH }}", "owsec_version": "${{ github.sha }}", "owfms_version": "${{ env.BASE_BRANCH }}", "owprov_version": "${{ env.BASE_BRANCH }}", "owanalytics_version": "${{ env.BASE_BRANCH }}", "owsub_version": "${{ env.BASE_BRANCH }}", "microservice": "owsec"}'
+
+  trigger-deploy-to-dev:
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main'
+    needs:
+      - docker
+    steps:
+    - name: Checkout actions repo
+      uses: actions/checkout@v3
+      with:
+        repository: Telecominfraproject/.github
+        path: github
+
+    - name: Trigger deployment of the latest version to dev instance and wait for result
+      uses: ./github/composite-actions/trigger-workflow-and-wait
+      with:
+        owner: Telecominfraproject
+        repo: wlan-testing
+        workflow: ucentralgw-dev-deployment.yaml
+        token: ${{ secrets.WLAN_TESTING_PAT }}
+        ref: master
+        inputs: '{"force_latest": "true"}'
--- a/.github/workflows/cleanup.yml
+++ b/.github/workflows/cleanup.yml
@@ -4,6 +4,7 @@ on:
  pull_request:
    branches:
      - main
+      - 'release/*'
    types: [ closed ]

 defaults:
@@ -16,4 +17,10 @@ jobs:
    steps:
      - run: |
          export PR_BRANCH_TAG=$(echo ${GITHUB_HEAD_REF#refs/heads/} | tr '/' '-')
-          curl -uucentral:${{ secrets.DOCKER_REGISTRY_PASSWORD }} -X DELETE "https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral/owsec/$PR_BRANCH_TAG"
+
+          if [[ ! $PR_BRANCH_TAG =~ (main|master|release-*) ]]; then
+            echo "PR branch is $PR_BRANCH_TAG, deleting Docker image"
+            curl -s -uucentral:${{ secrets.DOCKER_REGISTRY_PASSWORD }} -X DELETE "https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral/owsec/$PR_BRANCH_TAG"
+          else
+            echo "PR branch is $PR_BRANCH_TAG, not deleting Docker image"
+          fi
--- a/.github/workflows/enforce-jira-issue-key.yml
+++ b/.github/workflows/enforce-jira-issue-key.yml
@@ -0,0 +1,24 @@
+name: Ensure Jira issue is linked
+
+on:
+  pull_request:
+    types: [opened, edited, reopened, synchronize]
+    branches:
+      - 'release/*'
+
+jobs:
+  check_for_issue_key:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout actions repo
+        uses: actions/checkout@v3
+        with:
+          repository: Telecominfraproject/.github
+          path: github
+
+      - name: Run JIRA check
+        uses: ./github/composite-actions/enforce-jira-issue-key
+        with:
+          jira_base_url: ${{ secrets.TIP_JIRA_URL }}
+          jira_user_email: ${{ secrets.TIP_JIRA_USER_EMAIL }}
+          jira_api_token: ${{ secrets.TIP_JIRA_API_TOKEN }}
--- a/.github/workflows/openapi-pages.yml
+++ b/.github/workflows/openapi-pages.yml
@@ -0,0 +1,38 @@
+name: Update OpenAPI docs on GitHub Pages
+
+on:
+  push:
+    paths:
+      - 'openapi/**'
+    branches:
+      - main
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  docsgen:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Generate static HTML page with docs from OpenAPI definition
+        run: |
+          docker run --rm -v "${PWD}:/local" openapitools/openapi-generator-cli:v6.2.1 generate -i https://raw.githubusercontent.com/Telecominfraproject/wlan-cloud-ucentralsec/main/openpapi/owsec.yaml -g html2 --skip-validate-spec -o /local/
+
+      - name: Update OpenAPI docs
+        run: |
+          mkdir -p ~/.ssh
+          ssh-keyscan -H github.com >> ~/.ssh/known_hosts
+          echo https://tip-automation:${{ secrets.GIT_PUSH_PAT }}@github.com > ~/.git-credentials
+          git config --global credential.helper store
+          git config --global user.email "tip-automation@telecominfraproject.com"
+          git config --global user.name "TIP Automation User"
+          git pull
+          git checkout gh-pages || git checkout -b gh-pages
+          mv index.html docs/index.html
+          git add docs
+          git commit -m'Update OpenAPI docs for GitHub pages'
+          git push --set-upstream origin gh-pages
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -0,0 +1,46 @@
+name: Release chart package
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  helm-package:
+    runs-on: ubuntu-20.04
+    env:
+      HELM_REPO_URL: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
+      HELM_REPO_USERNAME: ucentral
+    steps:
+      - name: Checkout uCentral assembly chart repo
+        uses: actions/checkout@v3
+        with:
+          path: wlan-cloud-ucentralsec
+
+      - name: Build package
+        working-directory: wlan-cloud-ucentralsec/helm
+        run: |
+          helm plugin install https://github.com/aslafy-z/helm-git --version 0.10.0
+          helm repo add bitnami https://charts.bitnami.com/bitnami
+          helm repo update
+          helm dependency update
+          mkdir dist
+          helm package . -d dist
+
+      - name: Generate GitHub release body
+        working-directory: wlan-cloud-ucentralsec/helm
+        run: |
+          pip3 install yq -q
+          echo "Docker image - tip-tip-wlan-cloud-ucentral.jfrog.io/owsec:$GITHUB_REF_NAME" > release.txt
+          echo "Helm charted may be attached to this release" >> release.txt
+          echo "Deployment artifacts may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/$GITHUB_REF_NAME" >> release.txt
+
+      - name: Create GitHub release
+        uses: softprops/action-gh-release@v1
+        with:
+          body_path: wlan-cloud-ucentralsec/helm/release.txt
+          files: wlan-cloud-ucentralsec/helm/dist/*
--- a/.gitignore
+++ b/.gitignore
@@ -18,3 +18,4 @@ _deps
 *.csr
 /cmake-build/
 /smake-build-debug/
+test_scripts/curl/result.json
--- a/.idea/.gitignore
+++ b/.idea/.gitignore
@@ -1,21 +0,0 @@
-# Default ignored files
-/shelf/
-/workspace.xml
-# Datasource local storage ignored files
-/dataSources/
-/dataSources.local.xml
-# Editor-based HTTP Client requests
-/httpRequests/
-/certs/
-/logs/
-*.csr
-*.db
-/docker-compose/certs/
-/docker-compose/*-data/data/
-/docker-compose/*-data/uploads/
-/docker-compose/.env
-/docker-compose/.env_*
-/cmake-build/
-*.pem
-result.json
-token.json
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,5 +1,5 @@
 cmake_minimum_required(VERSION 3.13)
-project(owsec VERSION 2.3.0)
+project(owsec VERSION 2.8.0)

 set(CMAKE_CXX_STANDARD 17)

@@ -20,29 +20,46 @@ endif()

 # Auto build increment. You must define BUILD_INCREMENT with cmake -DBUILD_INCREMENT=1
 if(EXISTS ${CMAKE_CURRENT_SOURCE_DIR}/build)
-    file(READ build BUILD_NUM)
+    file(READ ${CMAKE_CURRENT_SOURCE_DIR}/build BUILD_NUM)
    if(BUILD_INCREMENT)
        MATH(EXPR BUILD_NUM "${BUILD_NUM}+1")
-        file(WRITE build ${BUILD_NUM})
+        file(WRITE ${CMAKE_CURRENT_SOURCE_DIR}/build ${BUILD_NUM})
    endif()
 else()
    set(BUILD_NUM 1)
-    file(WRITE build ${BUILD_NUM})
+    file(WRITE ${CMAKE_CURRENT_SOURCE_DIR}/build ${BUILD_NUM})
 endif()

+find_package(Git QUIET)
+if(GIT_FOUND AND EXISTS "${PROJECT_SOURCE_DIR}/.git")
+    execute_process(COMMAND ${GIT_EXECUTABLE} rev-parse --short HEAD
+            WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
+            RESULT_VARIABLE GIT_RESULT
+            OUTPUT_VARIABLE GIT_HASH)
+    if(NOT GIT_RESULT EQUAL "0")
+        message(FATAL_ERROR "git rev-parse --short HEAD failed with ${GIT_RESULT}")
+    endif()
+    string(REGEX REPLACE "\n$" "" GIT_HASH "${GIT_HASH}")
+endif()
+
+add_definitions(-DAWS_CUSTOM_MEMORY_MANAGEMENT)
+
 set(BUILD_SHARED_LIBS 1)

-add_definitions(-DAPP_VERSION="${CMAKE_PROJECT_VERSION}" -DBUILD_NUMBER="${BUILD_NUM}")
 add_definitions(-DTIP_SECURITY_SERVICE="1")
+add_definitions(-DPOCO_LOG_DEBUG="1")
+
+add_compile_options(-Wall -Wextra)
+if(ASAN)
+    add_compile_options(-fsanitize=address)
+    add_link_options(-fsanitize=address)
+endif()

-set(Boost_USE_STATIC_LIBS OFF)
-set(Boost_USE_MULTITHREADED ON)
-set(Boost_USE_STATIC_RUNTIME OFF)
-find_package(Boost REQUIRED system)
 find_package(OpenSSL REQUIRED)
 find_package(ZLIB REQUIRED)
+find_package(fmt  REQUIRED)
 find_package(AWSSDK     REQUIRED COMPONENTS sns)
-
+find_package(nlohmann_json  REQUIRED)
 find_package(CppKafka REQUIRED)
 find_package(PostgreSQL REQUIRED)
 find_package(MySQL REQUIRED)
@@ -50,35 +67,92 @@ find_package(Poco REQUIRED COMPONENTS JSON Crypto JWT Net Util NetSSL Data DataS

 include_directories(/usr/local/include  /usr/local/opt/openssl/include src include/kafka /usr/local/opt/mysql-client/include)

+configure_file(src/ow_version.h.in ${PROJECT_SOURCE_DIR}/src/ow_version.h @ONLY)
+
 add_executable( owsec
        build
+        src/ow_version.h.in
        src/framework/CountryCodes.h
        src/framework/KafkaTopics.h
        src/framework/MicroService.h
        src/framework/OpenWifiTypes.h
        src/framework/orm.h
-        src/framework/RESTAPI_errors.h
-        src/framework/RESTAPI_protocol.h
        src/framework/StorageClass.h
-        src/framework/uCentral_Protocol.h
+        src/framework/MicroServiceErrorHandler.h
+        src/framework/UI_WebSocketClientServer.cpp
+        src/framework/UI_WebSocketClientServer.h
+        src/framework/UI_WebSocketClientNotifications.cpp
+        src/framework/UI_WebSocketClientNotifications.h
+        src/framework/utils.h
+        src/framework/utils.cpp
+        src/framework/AppServiceRegistry.h
+        src/framework/SubSystemServer.cpp
+        src/framework/SubSystemServer.h
+        src/framework/RESTAPI_utils.h
+        src/framework/AuthClient.cpp
+        src/framework/AuthClient.h
+        src/framework/MicroServiceNames.h
+        src/framework/MicroServiceFuncs.h
+        src/framework/OpenAPIRequests.cpp
+        src/framework/OpenAPIRequests.h
+        src/framework/MicroServiceFuncs.cpp
+        src/framework/ALBserver.cpp
+        src/framework/ALBserver.h
+        src/framework/KafkaManager.cpp
+        src/framework/KafkaManager.h
+        src/framework/RESTAPI_RateLimiter.h
+        src/framework/WebSocketLogger.h
+        src/framework/RESTAPI_GenericServerAccounting.h
+        src/framework/RESTAPI_SystemConfiguration.h
+        src/framework/CIDR.h
+        src/framework/RESTAPI_Handler.cpp
+        src/framework/RESTAPI_Handler.h
+        src/framework/RESTAPI_ExtServer.h
+        src/framework/RESTAPI_ExtServer.cpp
+        src/framework/RESTAPI_IntServer.cpp
+        src/framework/RESTAPI_IntServer.h
+        src/framework/RESTAPI_SystemCommand.h
+        src/framework/RESTAPI_WebSocketServer.h
+        src/framework/EventBusManager.cpp
+        src/framework/EventBusManager.h
+        src/framework/RESTAPI_PartHandler.h
+        src/framework/MicroService.cpp
+        src/framework/MicroServiceExtra.h
+
        src/RESTObjects/RESTAPI_SecurityObjects.h src/RESTObjects/RESTAPI_SecurityObjects.cpp
-        src/RESTObjects/RESTAPI_ProvObjects.cpp src/RESTObjects/RESTAPI_ProvObjects.h
        src/RESTObjects/RESTAPI_GWobjects.h src/RESTObjects/RESTAPI_GWobjects.cpp
        src/RESTObjects/RESTAPI_FMSObjects.h src/RESTObjects/RESTAPI_FMSObjects.cpp
-        src/RESTAPI/RESTAPI_oauth2Handler.h src/RESTAPI/RESTAPI_oauth2Handler.cpp
+        src/RESTObjects/RESTAPI_CertObjects.cpp src/RESTObjects/RESTAPI_CertObjects.h
+        src/RESTObjects/RESTAPI_OWLSobjects.cpp src/RESTObjects/RESTAPI_OWLSobjects.h
+        src/RESTObjects/RESTAPI_ProvObjects.cpp src/RESTObjects/RESTAPI_ProvObjects.h
+        src/RESTObjects/RESTAPI_AnalyticsObjects.cpp src/RESTObjects/RESTAPI_AnalyticsObjects.h
+        src/RESTObjects/RESTAPI_SubObjects.cpp src/RESTObjects/RESTAPI_SubObjects.h
+
+        src/seclibs/qrcode/qrcodegen.hpp src/seclibs/qrcode/qrcodegen.cpp
+        src/seclibs/cpptotp/bytes.cpp src/seclibs/cpptotp/bytes.h
+        src/seclibs/cpptotp/otp.cpp src/seclibs/cpptotp/otp.h
+        src/seclibs/cpptotp/sha1.cpp src/seclibs/cpptotp/sha1.h
+        src/RESTAPI/RESTAPI_oauth2_handler.h src/RESTAPI/RESTAPI_oauth2_handler.cpp
        src/RESTAPI/RESTAPI_users_handler.cpp src/RESTAPI/RESTAPI_users_handler.h
        src/RESTAPI/RESTAPI_user_handler.cpp src/RESTAPI/RESTAPI_user_handler.h
        src/RESTAPI/RESTAPI_action_links.cpp src/RESTAPI/RESTAPI_action_links.h
-        src/RESTAPI/RESTAPI_validateToken_handler.cpp src/RESTAPI/RESTAPI_validateToken_handler.h
-        src/RESTAPI/RESTAPI_systemEndpoints_handler.cpp src/RESTAPI/RESTAPI_systemEndpoints_handler.h
-        src/RESTAPI/RESTAPI_AssetServer.cpp src/RESTAPI/RESTAPI_AssetServer.h
-        src/RESTAPI/RESTAPI_avatarHandler.cpp src/RESTAPI/RESTAPI_avatarHandler.h
+        src/RESTAPI/RESTAPI_validate_token_handler.cpp src/RESTAPI/RESTAPI_validate_token_handler.h
+        src/RESTAPI/RESTAPI_system_endpoints_handler.cpp src/RESTAPI/RESTAPI_system_endpoints_handler.h
+        src/RESTAPI/RESTAPI_asset_server.cpp src/RESTAPI/RESTAPI_asset_server.h
+        src/RESTAPI/RESTAPI_avatar_handler.cpp src/RESTAPI/RESTAPI_avatar_handler.h
+        src/RESTAPI/RESTAPI_subavatar_handler.cpp src/RESTAPI/RESTAPI_subavatar_handler.h
        src/RESTAPI/RESTAPI_email_handler.cpp src/RESTAPI/RESTAPI_email_handler.h
        src/RESTAPI/RESTAPI_sms_handler.cpp src/RESTAPI/RESTAPI_sms_handler.h
-        src/storage/storage_avatar.cpp src/storage/storage_avatar.h src/storage/storage_users.h
-        src/storage/storage_tables.cpp src/storage/storage_users.cpp src/storage/storage_tokens.cpp
-        src/APIServers.cpp
+        src/RESTAPI/RESTAPI_suboauth2_handler.h src/RESTAPI/RESTAPI_suboauth2_handler.cpp
+        src/RESTAPI/RESTAPI_subuser_handler.h src/RESTAPI/RESTAPI_subuser_handler.cpp
+        src/RESTAPI/RESTAPI_subusers_handler.h src/RESTAPI/RESTAPI_subusers_handler.cpp
+        src/RESTAPI/RESTAPI_validate_sub_token_handler.cpp src/RESTAPI/RESTAPI_validate_sub_token_handler.h
+        src/RESTAPI/RESTAPI_submfa_handler.cpp src/RESTAPI/RESTAPI_submfa_handler.h
+        src/RESTAPI/RESTAPI_preferences.cpp src/RESTAPI/RESTAPI_preferences.h
+        src/RESTAPI/RESTAPI_subpreferences.cpp src/RESTAPI/RESTAPI_subpreferences.h
+        src/RESTAPI/RESTAPI_routers.cpp
        src/Daemon.h src/Daemon.cpp
+        src/SpecialUserHelpers.h
        src/AuthService.h src/AuthService.cpp
        src/StorageService.cpp src/StorageService.h
        src/SMTPMailerService.cpp src/SMTPMailerService.h
@@ -86,14 +160,33 @@ add_executable( owsec
        src/MFAServer.cpp src/MFAServer.h
        src/SMS_provider_aws.cpp src/SMS_provider_aws.h
        src/SMS_provider.cpp src/SMS_provider.h
-        src/SMS_provider_twilio.cpp src/SMS_provider_twilio.h)
+        src/SMS_provider_twilio.cpp src/SMS_provider_twilio.h
+        src/ActionLinkManager.cpp src/ActionLinkManager.h
+        src/ACLProcessor.h
+        src/storage/orm_users.cpp src/storage/orm_users.h
+        src/storage/orm_tokens.cpp src/storage/orm_tokens.h
+        src/storage/orm_preferences.cpp src/storage/orm_preferences.h
+        src/storage/orm_actionLinks.cpp src/storage/orm_actionLinks.h
+        src/storage/orm_avatar.cpp src/storage/orm_avatar.h
+        src/SpecialUserHelpers.h
+        src/RESTAPI/RESTAPI_db_helpers.h src/storage/orm_logins.cpp src/storage/orm_logins.h
+        src/RESTAPI/RESTAPI_totp_handler.cpp
+        src/RESTAPI/RESTAPI_totp_handler.h
+        src/TotpCache.h
+        src/RESTAPI/RESTAPI_subtotp_handler.cpp src/RESTAPI/RESTAPI_subtotp_handler.h
+        src/RESTAPI/RESTAPI_signup_handler.cpp src/RESTAPI/RESTAPI_signup_handler.h
+        src/MessagingTemplates.cpp src/MessagingTemplates.h src/RESTAPI/RESTAPI_apiKey_handler.cpp src/RESTAPI/RESTAPI_apiKey_handler.h src/storage/orm_apikeys.cpp src/storage/orm_apikeys.h src/RESTAPI/RESTAPI_validate_apikey.cpp src/RESTAPI/RESTAPI_validate_apikey.h)

 if(NOT SMALL_BUILD)
    target_link_libraries(owsec PUBLIC
-            ${Poco_LIBRARIES} ${Boost_LIBRARIES} ${MySQL_LIBRARIES}  ${ZLIB_LIBRARIES}
-            CppKafka::cppkafka ${AWSSDK_LINK_LIBRARIES}
+            ${Poco_LIBRARIES}
+            ${MySQL_LIBRARIES}
+            ${ZLIB_LIBRARIES}
+            CppKafka::cppkafka
+            ${AWSSDK_LINK_LIBRARIES}
+            fmt::fmt
            )
    if(UNIX AND NOT APPLE)
        target_link_libraries(owsec PUBLIC PocoJSON)
    endif()
-endif()
+endif()
--- a/102
+++ b/102
@@ -1,34 +1,21 @@
-FROM alpine AS builder
+ARG DEBIAN_VERSION=11.5-slim
+ARG POCO_VERSION=poco-tip-v2
+ARG CPPKAFKA_VERSION=tip-v1

-RUN apk add --update --no-cache \
-    openssl openssh \
-    ncurses-libs \
-    bash util-linux coreutils curl libcurl \
-    make cmake gcc g++ libstdc++ libgcc git zlib-dev \
-    openssl-dev boost-dev curl-dev unixodbc-dev postgresql-dev mariadb-dev \
-    apache2-utils yaml-dev apr-util-dev \
-    librdkafka-dev
+FROM debian:$DEBIAN_VERSION AS build-base

-RUN git clone https://github.com/stephb9959/poco /poco
-RUN git clone https://github.com/stephb9959/cppkafka /cppkafka
-RUN git clone --recurse-submodules https://github.com/aws/aws-sdk-cpp /aws-sdk-cpp
+RUN apt-get update && apt-get install --no-install-recommends -y \
+    make cmake g++ git curl zip unzip pkg-config \
+    libpq-dev libmariadb-dev libmariadbclient-dev-compat \
+    librdkafka-dev libboost-all-dev libssl-dev \
+    zlib1g-dev ca-certificates libcurl4-openssl-dev libfmt-dev

-WORKDIR /aws-sdk-cpp
-RUN mkdir cmake-build
-WORKDIR cmake-build
-RUN cmake .. -DBUILD_ONLY="sns;s3" \
-             -DCMAKE_BUILD_TYPE=Release \
-             -DCMAKE_CXX_FLAGS="-Wno-error=stringop-overflow -Wno-error=uninitialized" \
-             -DAUTORUN_UNIT_TESTS=OFF
-RUN cmake --build . --config Release -j8
-RUN cmake --build . --target install
+FROM build-base AS poco-build

-WORKDIR /cppkafka
-RUN mkdir cmake-build
-WORKDIR cmake-build
-RUN cmake ..
-RUN cmake --build . --config Release -j8
-RUN cmake --build . --target install
+ARG POCO_VERSION
+
+ADD https://api.github.com/repos/AriliaWireless/poco/git/refs/tags/${POCO_VERSION} version.json
+RUN git clone https://github.com/AriliaWireless/poco --branch ${POCO_VERSION} /poco

 WORKDIR /poco
 RUN mkdir cmake-build
@@ -37,44 +24,79 @@ RUN cmake ..
 RUN cmake --build . --config Release -j8
 RUN cmake --build . --target install

+FROM build-base AS cppkafka-build
+
+ARG CPPKAFKA_VERSION
+
+ADD https://api.github.com/repos/AriliaWireless/cppkafka/git/refs/tags/${CPPKAFKA_VERSION} version.json
+RUN git clone https://github.com/AriliaWireless/cppkafka --branch ${CPPKAFKA_VERSION} /cppkafka
+
+WORKDIR /cppkafka
+RUN mkdir cmake-build
+WORKDIR cmake-build
+RUN cmake ..
+RUN cmake --build . --config Release -j8
+RUN cmake --build . --target install
+
+FROM build-base AS owsec-build
+
 ADD CMakeLists.txt build /owsec/
+ADD overlays /owsec/overlays
 ADD cmake /owsec/cmake
 ADD src /owsec/src
+ADD .git /owsec/.git
+ARG VCPKG_VERSION=2022.11.14
+RUN git clone --depth 1 --branch ${VCPKG_VERSION} https://github.com/microsoft/vcpkg && \
+    ./vcpkg/bootstrap-vcpkg.sh && \
+    mkdir /vcpkg/custom-triplets && \
+    cp /vcpkg/triplets/x64-linux.cmake /vcpkg/custom-triplets/x64-linux.cmake && \
+    sed -i 's/set(VCPKG_LIBRARY.*/set(VCPKG_LIBRARY_LINKAGE dynamic)/g' /vcpkg/custom-triplets/x64-linux.cmake && \
+    ./vcpkg/vcpkg install aws-sdk-cpp[sns]:x64-linux json-schema-validator:x64-linux --overlay-triplets=/vcpkg/custom-triplets --overlay-ports=/owsec/overlays
+
+COPY --from=poco-build /usr/local/include /usr/local/include
+COPY --from=poco-build /usr/local/lib /usr/local/lib
+COPY --from=cppkafka-build /usr/local/include /usr/local/include
+COPY --from=cppkafka-build /usr/local/lib /usr/local/lib

 WORKDIR /owsec
 RUN mkdir cmake-build
 WORKDIR /owsec/cmake-build
-RUN cmake ..
+RUN cmake -DCMAKE_TOOLCHAIN_FILE=/vcpkg/scripts/buildsystems/vcpkg.cmake ..
 RUN cmake --build . --config Release -j8

-FROM alpine
+FROM debian:$DEBIAN_VERSION

 ENV OWSEC_USER=owsec \
    OWSEC_ROOT=/owsec-data \
    OWSEC_CONFIG=/owsec-data

-RUN addgroup -S "$OWSEC_USER" && \
-    adduser -S -G "$OWSEC_USER" "$OWSEC_USER"
+RUN useradd "$OWSEC_USER"

 RUN mkdir /openwifi
 RUN mkdir -p "$OWSEC_ROOT" "$OWSEC_CONFIG" && \
    chown "$OWSEC_USER": "$OWSEC_ROOT" "$OWSEC_CONFIG"
-RUN apk add --update --no-cache librdkafka mariadb-connector-c libpq unixodbc su-exec gettext ca-certificates libcurl curl-dev bash jq curl
-COPY --from=builder /owsec/cmake-build/owsec /openwifi/owsec
-COPY --from=builder /cppkafka/cmake-build/src/lib/* /lib/
-COPY --from=builder /poco/cmake-build/lib/* /lib/
-COPY --from=builder /aws-sdk-cpp/cmake-build/aws-cpp-sdk-core/libaws-cpp-sdk-core.so /lib/
-COPY --from=builder /aws-sdk-cpp/cmake-build/aws-cpp-sdk-s3/libaws-cpp-sdk-s3.so /lib/
-COPY --from=builder /aws-sdk-cpp/cmake-build/aws-cpp-sdk-sns/libaws-cpp-sdk-sns.so /lib/
+
+RUN apt-get update && apt-get install --no-install-recommends -y \
+    librdkafka++1 gosu gettext ca-certificates bash jq curl wget \
+    libmariadb-dev-compat libpq5 postgresql-client libfmt7
+
+COPY readiness_check /readiness_check
+COPY test_scripts/curl/cli /cli

 COPY owsec.properties.tmpl /
 COPY wwwassets /dist/wwwassets
 COPY templates /dist/templates
 COPY docker-entrypoint.sh /
+COPY wait-for-postgres.sh /
 RUN wget https://raw.githubusercontent.com/Telecominfraproject/wlan-cloud-ucentral-deploy/main/docker-compose/certs/restapi-ca.pem \
-    -O /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+    -O /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt

-COPY readiness_check /readiness_check
+COPY --from=owsec-build /owsec/cmake-build/owsec /openwifi/owsec
+COPY --from=owsec-build /vcpkg/installed/x64-linux/lib/ /usr/local/lib/
+COPY --from=cppkafka-build /cppkafka/cmake-build/src/lib/ /usr/local/lib/
+COPY --from=poco-build /poco/cmake-build/lib/ /usr/local/lib/
+
+RUN ldconfig

 EXPOSE 16001 17001 16101

--- a/OPERATOR.md
+++ b/OPERATOR.md
@@ -0,0 +1,37 @@
+# Operator Support
+In order to support multiple tenants and operators, you must prepare the security service to serve
+customized e-mails and messages.
+
+## Structure for `templates`
+Any file in the root of the directory will be used as defaults. The following files must be present:
+- email_invitation.html/txt : This email message will be sent to a newly added user. 
+- email_verification.html/txt : This email is sent when an email verification is required.
+- password_reset.html/txt : This is sent when a pasword reset is requested.
+- verification_code.html/txt : This is used during MFA when email based.
+- signup_verification.html/txt : This email is send to a new subscriber who signed up for service.
+- sub_email_verification.html/txt : This is sent to a subscriber requiring an email verification.
+- sub_verification_code.html/txt : This is used during MFA when email based for a subscriber.
+- logo.jpg : The default logo to use in any of these emails.
+
+## Structure for `wwwassets`
+Any file in the root of the directory will be used as defaults. The following files must be present:
+- email_verification_error.html : Used when email verification has failed.
+- email_verification_success.html : Used when emil verification has succeeded.
+- invitation_error.html :
+- invitation_success.html :
+- password_policy.html :
+- password_reset.html :
+- password_reset_success.html :
+- password_reset_error.html :
+- signup_verification.html :
+- signup_verification_error.html :
+- signup_verification_success.html :
+- favicon.ico : icon for the application
+- 404_error.html : your customized 404 page
+- the_logo : the logo to use.
+
+## For tenants
+When creating a tenant/operator, you must create a subdirectory inside each `wwwassets` and `templates` and replicate 
+all the files that appear at the root level. You need to use the short Operator name (also known as RegistrantId in the API). This means 
+no spaces, all lowercase characters and numbers. No special characters: 0-9 and a-z. 
+
--- a/README.md
+++ b/README.md
@@ -16,6 +16,10 @@ into your own systems. If all you need it to access the uCentralGW for example (
 The CLI for the [uCentralGW](https://github.com/telecominfraproject/wlan-cloud-ucentralgw/blob/main/test_scripts/curl/cli) has a very good example of this. 
 Look for the `setgateway` function.

+You may get static page with OpenAPI docs generated from the definition on [GitHub Page](https://telecominfraproject.github.io/wlan-cloud-ucentralsec/).
+
+Also you may use [Swagger UI](https://petstore.swagger.io/#/) with OpenAPI definition file raw link (i.e. [latest version file](https://validator.swagger.io/validator?url=https://raw.githubusercontent.com/Telecominfraproject/wlan-cloud-ucentralsec/main/openpapi/owsec.yaml)) to get interactive docs page.
+
 ## Firewall Considerations
 The entire uCentral systems uses several MicroServices. In order for the whole system to work, you should provide the following port
 access:
@@ -98,11 +102,45 @@ to get a sample. The default is
 ### `authentication.oldpasswords`
 The number of older passwords to keep. Default is 5.

+### Changing default password
+
+On the first startup of the service new user will be created with the default credentials from properties `authentication.default.username` and `authentication.default.password`, but **you will have to change the password** before making any real requests.
+
+You can this using [owgw-ui](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui/) on first login or using the following script:
+
+```
+export OWSEC=openwifi.wlan.local:16001 # endpoint to your owsec RESTAPI endpoint
+#export FLAGS="-k" # uncomment and add curl flags that you would like to pass for the request (for example '-k' may be used to pass errors with self-signed certificates)
+export OWSEC_DEFAULT_USERNAME=root@system.com # default username that you've set in property 'authentication.default.username'
+export OWSEC_DEFAULT_PASSWORD=weLoveWifi # default password __in cleartext__ from property 'authentication.default.password'
+export OWSEC_NEW_PASSWORD=NewPass123% # new password that must be set for the user (must comply with 'authentication.validation.expression')
+test_scripts/curl/cli testlogin $OWSEC_DEFAULT_USERNAME $OWSEC_DEFAULT_PASSWORD $OWSEC_NEW_PASSWORD
+```
+
+CLI is also included in Docker image if you want to run it this way:
+
+```
+export OWSEC=openwifi.wlan.local:16001
+#export FLAGS="-k"
+export OWSEC_DEFAULT_USERNAME=root@system.com
+export OWSEC_DEFAULT_PASSWORD=weLoveWifi
+export OWSEC_NEW_PASSWORD=NewPass123%
+docker run --rm -ti \
+  --network=host \
+  --env OWSEC \
+  --env FLAGS \
+  --env OWSEC_DEFAULT_USERNAME \
+  --env OWSEC_DEFAULT_PASSWORD \
+  --env OWSEC_NEW_PASSWORD \
+  tip-tip-wlan-cloud-ucentral.jfrog.io/owsec:main \
+  /cli testlogin $OWSEC_DEFAULT_USERNAME $OWSEC_DEFAULT_PASSWORD $OWSEC_NEW_PASSWORD
+```
+
 ### Kafka integration
 This security service uses Kafka to coordinate security with other services that are part of the system. You must have a Kafka service running
 in order to use this. You can find several examples of Kafka services available with Docker. Here are the values you need to configure.

-```asm
+```
 openwifi.kafka.group.id = security
 openwifi.kafka.client.id = security1
 openwifi.kafka.enable = true
@@ -132,7 +170,7 @@ Here are the parameters for the public interface. The important files are:
 - `restapi-key.pem` : the key associated with this certificate
 - `openwifi.restapi.host.0.key.password` : if you key is password protected, you may supply that password here.

-```asm
+```
 openwifi.restapi.host.0.backlog = 100
 openwifi.restapi.host.0.security = relaxed
 openwifi.restapi.host.0.rootca = $OWSEC_ROOT/certs/restapi-ca.pem
@@ -147,7 +185,7 @@ openwifi.restapi.host.0.key.password = mypassword
 The private interface is used for service-to-service communication. You can use self-signed certificates here or letsencrypt. The file names are similar 
 to the filenames used in the previous section.

-```asm
+```
 openwifi.internal.restapi.host.0.backlog = 100
 openwifi.internal.restapi.host.0.security = relaxed
 openwifi.internal.restapi.host.0.rootca = $OWSEC_ROOT/certs/restapi-ca.pem
@@ -162,7 +200,7 @@ openwifi.internal.restapi.host.0.key.password = mypassword
 Here are other important values you must set.


-```asm
+```
 openwifi.system.data = $OWSEC_ROOT/data
 openwifi.system.uri.private = https://localhost:17001
 openwifi.system.uri.public = https://openwifi.dpaas.arilia.com:16001
@@ -184,10 +222,11 @@ This is the FQDN used externally serving the OpenAPI interface.
 `owsec` hs the ability to send SMS messages to users during login or to send notifications. In order to do so,
 an SMS provider must be configured. At present time, 2 providers are supported: Tilio and AWS SNS

-#### AWS SNS
-For SNS you must create an IAM ID that has sns:sendmessage rights. 
+#### AWS SMS
+For SNS you must create an IAM ID that has sns:sendmessage rights.  

-```asm
+```
+smssender.enabled = true
 smssender.provider = aws
 smssender.aws.secretkey = ***************************************
 smssender.aws.accesskey = ***************************************
@@ -197,7 +236,8 @@ smssender.aws.region = **************
 #### Twilio
 For Twilio, you must provide the following

-```asm
+```
+smssender.enabled = true
 smssender.provider = twilio
 smssender.twilio.sid = ***********************
 smssender.twilio.token = **********************
@@ -209,7 +249,8 @@ smssender.twilio.phonenumber = +18888888888
 with GMail and AWS SES. For each, you must obtain the proper credentials and insert them in this configuration as well
 as the proper mail host.

-```asm
+```
+mailer.enabled = true
 mailer.hostname = smtp.gmail.com
 mailer.username = ************************
 mailer.password = ************************
@@ -217,4 +258,14 @@ mailer.sender = OpenWIFI
 mailer.loginmethod = login
 mailer.port = 587
 mailer.templates = $OWSEC_ROOT/templates
-```
+```
+
+#### Google Authenticator
+In order to use the Google Time-based One-Time Password (TOTP), the user must download the Google Authenticator 
+on any other app that support the TOTP protocol. You should include the following in your configuration
+
+```
+totp.issuer = OrgName
+```
+
+It is very important that you not use spaces in your OrgName.
--- a/2
+++ b/2
@@ -1 +1 @@
-12
+41
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,11 +1,11 @@
-#!/bin/sh
+#!/bin/bash
 set -e

 if [ "$SELFSIGNED_CERTS" = 'true' ]; then
    update-ca-certificates
 fi

-if [[ "$TEMPLATE_CONFIG" = 'true' && ! -f "$OWSEC_CONFIG"/owsec.properties ]]; then
+if [[ "$TEMPLATE_CONFIG" = 'true' ]]; then
  RESTAPI_HOST_ROOTCA=${RESTAPI_HOST_ROOTCA:-"\$OWSEC_ROOT/certs/restapi-ca.pem"} \
  RESTAPI_HOST_PORT=${RESTAPI_HOST_PORT:-"16001"} \
  RESTAPI_HOST_CERT=${RESTAPI_HOST_CERT:-"\$OWSEC_ROOT/certs/restapi-cert.pem"} \
@@ -23,16 +23,30 @@ if [[ "$TEMPLATE_CONFIG" = 'true' && ! -f "$OWSEC_CONFIG"/owsec.properties ]]; t
  SYSTEM_URI_PRIVATE=${SYSTEM_URI_PRIVATE:-"https://localhost:17001"} \
  SYSTEM_URI_PUBLIC=${SYSTEM_URI_PUBLIC:-"https://localhost:16001"} \
  SYSTEM_URI_UI=${SYSTEM_URI_UI:-"http://localhost"} \
+  SECURITY_RESTAPI_DISABLE=${SECURITY_RESTAPI_DISABLE:-"false"} \
  SERVICE_KEY=${SERVICE_KEY:-"\$OWSEC_ROOT/certs/restapi-key.pem"} \
  SERVICE_KEY_PASSWORD=${SERVICE_KEY_PASSWORD:-"mypassword"} \
-  MAILER_HOSTNAME=${MAILER_HOSTNAME:-"smtp.gmail.com"} \
-  MAILER_USERNAME=${MAILER_USERNAME:-"************************"} \
-  MAILER_PASSWORD=${MAILER_PASSWORD:-"************************"} \
+  SMSSENDER_ENABLED=${SMSSENDER_ENABLED:-"false"} \
+  SMSSENDER_PROVIDER=${SMSSENDER_PROVIDER:-""} \
+  SMSSENDER_AWS_SECRETKEY=${SMSSENDER_AWS_SECRETKEY:-""} \
+  SMSSENDER_AWS_ACCESSKEY=${SMSSENDER_AWS_ACCESSKEY:-""} \
+  SMSSENDER_AWS_REGION=${SMSSENDER_AWS_REGION:-""} \
+  SMSSENDER_TWILIO_SID=${SMSSENDER_TWILIO_SID:-""} \
+  SMSSENDER_TWILIO_TOKEN=${SMSSENDER_TWILIO_TOKEN:-""} \
+  SMSSENDER_TWILIO_PHONENUMBER=${SMSSENDER_TWILIO_PHONENUMBER:-""} \
+  MAILER_ENABLED=${MAILER_ENABLED:-"false"} \
+  MAILER_HOSTNAME=${MAILER_HOSTNAME:-"localhost"} \
+  MAILER_USERNAME=${MAILER_USERNAME:-""} \
+  MAILER_PASSWORD=${MAILER_PASSWORD:-""} \
  MAILER_SENDER=${MAILER_SENDER:-"OpenWIFI"} \
  MAILER_PORT=${MAILER_PORT:-"587"} \
  MAILER_TEMPLATES=${MAILER_TEMPLATES:-"\$OWSEC_ROOT/persist/templates"} \
  KAFKA_ENABLE=${KAFKA_ENABLE:-"true"} \
  KAFKA_BROKERLIST=${KAFKA_BROKERLIST:-"localhost:9092"} \
+  KAFKA_SSL_CA_LOCATION=${KAFKA_SSL_CA_LOCATION:-""} \
+  KAFKA_SSL_CERTIFICATE_LOCATION=${KAFKA_SSL_CERTIFICATE_LOCATION:-""} \
+  KAFKA_SSL_KEY_LOCATION=${KAFKA_SSL_KEY_LOCATION:-""} \
+  KAFKA_SSL_KEY_PASSWORD=${KAFKA_SSL_KEY_PASSWORD:-""} \
  DOCUMENT_POLICY_ACCESS=${DOCUMENT_POLICY_ACCESS:-"\$OWSEC_ROOT/persist/wwwassets/access_policy.html"} \
  DOCUMENT_POLICY_PASSWORD=${DOCUMENT_POLICY_PASSWORD:-"\$OWSEC_ROOT/persist/wwwassets/password_policy.html"} \
  STORAGE_TYPE=${STORAGE_TYPE:-"sqlite"} \
@@ -71,7 +85,7 @@ if [ "$1" = '/openwifi/owsec' -a "$(id -u)" = '0' ]; then
    if [ "$RUN_CHOWN" = 'true' ]; then
      chown -R "$OWSEC_USER": "$OWSEC_ROOT" "$OWSEC_CONFIG"
    fi
-    exec su-exec "$OWSEC_USER" "$@"
+    exec gosu "$OWSEC_USER" "$@"
 fi

 exec "$@"
--- a/helm/.gitignore
+++ b/helm/.gitignore
@@ -1 +1,3 @@
 *.swp
+Chart.lock
+charts/
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -5,14 +5,14 @@ name: owsec
 version: 0.1.0
 dependencies:
 - name: postgresql
-  repository: https://charts.bitnami.com/bitnami
+  repository: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
  version: 10.9.2
  condition: postgresql.enabled
 - name: mysql
-  repository: https://charts.bitnami.com/bitnami
+  repository: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
  version: 8.8.3
  condition: mysql.enabled
 - name: mariadb
-  repository: https://charts.bitnami.com/bitnami
+  repository: https://tip.jfrog.io/artifactory/tip-wlan-cloud-ucentral-helm/
  version: 9.4.2
  condition: mariadb.enabled
--- a/helm/README.md
+++ b/helm/README.md
@@ -70,8 +70,8 @@ The following table lists the configurable parameters of the chart and their def
 | persistence.size | string | Defines PV size | `'10Gi'` |
 | public_env_variables | hash | Defines list of environment variables to be passed to the Security | |
 | configProperties | hash | Configuration properties that should be passed to the application in `owsec.properties`. May be passed by key in set (i.e. `configProperties."rtty\.token"`) | |
-| certs | hash | Defines files (keys and certificates) that should be passed to the Security (PEM format is adviced to be used) (see `volumes.owsec` on where it is mounted) |  |
-
+| existingCertsSecret | string | Existing Kubernetes secret containing all required certificates and private keys for microservice operation. If set, certificates from `certs` key are ignored | `""` |
+| certs | hash | Defines files (keys and certificates) that should be passed to the Gateway (PEM format is adviced to be used) (see `volumes.owsec` on where it is mounted). If `existingCertsSecret` is set, certificates passed this way will not be used. |  |

 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

--- a/helm/templates/_helpers.tpl
+++ b/helm/templates/_helpers.tpl
@@ -30,3 +30,13 @@ Create chart name and version as used by the chart label.
 {{- define "owsec.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{- define "owsec.ingress.apiVersion" -}}
+  {{- if .Capabilities.APIVersions.Has "networking.k8s.io/v1" -}}
+      {{- print "networking.k8s.io/v1" -}}
+  {{- else if .Capabilities.APIVersions.Has "networking.k8s.io/v1beta1" -}}
+    {{- print "networking.k8s.io/v1beta1" -}}
+  {{- else -}}
+    {{- print "extensions/v1beta1" -}}
+  {{- end -}}
+{{- end -}}
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -1,4 +1,5 @@
 {{- $root := . -}}
+{{- $storageType := index .Values.configProperties "storage.type" -}}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -13,6 +14,7 @@ spec:
  replicas: {{ .Values.replicaCount }}
  strategy:
    type: {{ .Values.strategyType }}
+  revisionHistoryLimit: {{ .Values.revisionHistoryLimit }}
  selector:
    matchLabels:
      app.kubernetes.io/name: {{ include "owsec.name" . }}
@@ -24,6 +26,9 @@ spec:
    metadata:
      annotations:
        checksum/config: {{ include "owsec.config" . | sha256sum }}
+        {{- with .Values.podAnnotations }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
      labels:
        app.kubernetes.io/name: {{ include "owsec.name" . }}
        app.kubernetes.io/instance: {{ .Release.Name }}
@@ -32,6 +37,49 @@ spec:
        {{- end }}
    spec:

+      initContainers:
+        - name: wait-kafka
+          image: "{{ .Values.images.dockerize.repository }}:{{ .Values.images.dockerize.tag }}"
+          imagePullPolicy: {{ .Values.images.dockerize.pullPolicy }}
+          args:
+            - -wait
+            - tcp://{{ index .Values.configProperties "openwifi.kafka.brokerlist" }}
+            - -timeout
+            - 600s
+
+{{- if eq $storageType "postgresql" }}
+        - name: wait-postgres
+          image: "{{ .Values.images.owsec.repository }}:{{ .Values.images.owsec.tag }}"
+          imagePullPolicy: {{ .Values.images.owsec.pullPolicy }}
+          command:
+            - /wait-for-postgres.sh
+            - {{ index .Values.configProperties "storage.type.postgresql.host" }}
+            - echo
+            - "PostgreSQL is ready"
+          env:
+            - name: KUBERNETES_DEPLOYED
+              value: "{{ now }}"
+          {{- range $key, $value := .Values.public_env_variables }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+          {{- end }}
+          {{- range $key, $value := .Values.secret_env_variables }}
+            - name: {{ $key }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "owsec.fullname" $root }}-env
+                  key: {{ $key }}
+          {{- end }}
+          volumeMounts:
+          {{- range .Values.volumes.owsec }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath }}
+            {{- if .subPath }}
+            subPath: {{ .subPath }}
+            {{- end }}
+          {{- end }}
+{{- end }}
+
      containers:

        - name: owsec
--- a/helm/templates/ingress.yaml
+++ b/helm/templates/ingress.yaml
@@ -2,7 +2,7 @@
 {{- range $ingress, $ingressValue := .Values.ingresses }}
 {{- if $ingressValue.enabled }}
 ---
-apiVersion: extensions/v1beta1
+apiVersion: {{ include "owsec.ingress.apiVersion" $root }}
 kind: Ingress
 metadata:
  name: {{ include "owsec.fullname" $root }}-{{ $ingress }}
@@ -36,9 +36,23 @@ spec:
      paths:
      {{- range $ingressValue.paths }}
        - path: {{ .path }}
+          {{- if $root.Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
+          pathType: {{ .pathType | default "ImplementationSpecific" }}
+          {{- end }}
          backend:
+            {{- if $root.Capabilities.APIVersions.Has "networking.k8s.io/v1" }}
+            service:
+              name: {{ include "owsec.fullname" $root }}-{{ .serviceName }}
+              port:
+              {{- if kindIs "string" .servicePort }}
+                name: {{ .servicePort }}
+              {{- else }}
+                number: {{ .servicePort }}
+              {{- end }}
+            {{- else }}
            serviceName: {{ include "owsec.fullname" $root }}-{{ .serviceName }}
            servicePort: {{ .servicePort }}
+            {{- end }}
      {{- end }}
  {{- end }}

--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -1,6 +1,7 @@
 # System
 replicaCount: 1
 strategyType: Recreate
+revisionHistoryLimit: 2

 nameOverride: ""
 fullnameOverride: ""
@@ -8,16 +9,20 @@ fullnameOverride: ""
 images:
  owsec:
    repository: tip-tip-wlan-cloud-ucentral.jfrog.io/owsec
-    tag: main
+    tag: v2.8.0
    pullPolicy: Always
 #    regcred:
 #      registry: tip-tip-wlan-cloud-ucentral.jfrog.io
 #      username: username
 #      password: password
+  dockerize:
+    repository: tip-tip-wlan-cloud-ucentral.jfrog.io/dockerize
+    tag: 0.16.0
+    pullPolicy: IfNotPresent

 services:
  owsec:
-    type: LoadBalancer
+    type: ClusterIP
    ports:
      restapi:
        servicePort: 16001
@@ -38,7 +43,6 @@ checks:
      exec:
        command:
          - /readiness_check
-      failureThreshold: 1

 ingresses:
  restapi:
@@ -50,6 +54,7 @@ ingresses:
    - restapi.chart-example.local
    paths:
    - path: /
+      pathType: ImplementationSpecific
      serviceName: owsec
      servicePort: restapi

@@ -66,7 +71,7 @@ volumes:
      mountPath: /owsec-data/certs
      volumeDefinition: |
        secret:
-          secretName: {{ include "owsec.fullname" . }}-certs
+          secretName: {{ if .Values.existingCertsSecret }}{{ .Values.existingCertsSecret }}{{ else }}{{ include "owsec.fullname" . }}-certs{{ end }}
    # Change this if you want to use another volume type
    - name: persist
      mountPath: /owsec-data/persist
@@ -87,7 +92,7 @@ resources: {}
  #  memory: 128Mi

 securityContext:
-  fsGroup: 101
+  fsGroup: 1000

 nodeSelector: {}

@@ -95,6 +100,8 @@ tolerations: []

 affinity: {}

+podAnnotations: {}
+
 persistence:
  enabled: true
  # storageClassName: "-"
@@ -139,11 +146,17 @@ configProperties:
  authentication.default.access: master
  authentication.service.type: internal
  # Mailer
+  mailer.enabled: "false"
  mailer.hostname: smtp.gmail.com
  mailer.sender: OpenWIFI
  mailer.loginmethod: login
  mailer.port: 587
  mailer.templates: $OWSEC_ROOT/persist/templates
+  # SMS
+  smssender.enabled: "false"
+  smssender.provider: "aws"
+  #smssender.aws.region: ""
+  #smssender.twilio.phonenumber: ""
  # ALB
  alb.enable: "true"
  alb.port: 16101
@@ -154,6 +167,10 @@ configProperties:
  openwifi.kafka.brokerlist: localhost:9092
  openwifi.kafka.auto.commit: false
  openwifi.kafka.queue.buffering.max.ms: 50
+  openwifi.kafka.ssl.ca.location: ""
+  openwifi.kafka.ssl.certificate.location: ""
+  openwifi.kafka.ssl.key.location: ""
+  openwifi.kafka.ssl.key.password: ""
  # Storage
  storage.type: sqlite # (sqlite|postgresql|mysql|odbc)
  ## SQLite
@@ -183,22 +200,9 @@ configProperties:
  openwifi.system.uri.ui: https://localhost
  openwifi.system.commandchannel: /tmp/app_owsec
  # Logging
-  logging.formatters.f1.class: PatternFormatter
-  logging.formatters.f1.pattern: "%Y-%m-%d %H:%M:%S %s: [%p] %t"
-  logging.formatters.f1.times: UTC
-  logging.channels.c1.class: ConsoleChannel
-  logging.channels.c1.formatter: f1
-  logging.channels.c2.class: FileChannel
-  logging.channels.c2.path: /tmp/log_owsec
-  logging.channels.c2.formatter.class: PatternFormatter
-  logging.channels.c2.formatter.pattern: "%Y-%m-%d %H:%M:%S %s: [%p] %t"
-  logging.channels.c2.rotation: "20 M"
-  logging.channels.c2.archive: timestamp
-  logging.channels.c2.purgeCount: 20
-  logging.channels.c3.class: ConsoleChannel
-  logging.channels.c3.pattern: "%s: [%p] %t"
-  logging.loggers.root.channel: c1
-  logging.loggers.root.level: debug
+  logging.type: console
+  logging.path: $OWSEC_ROOT/logs
+  logging.level: debug

  # -> Secret part
  # REST API
@@ -210,6 +214,12 @@ configProperties:
  # Mailer
  mailer.username: no-reply@arilia.com
  mailer.password: "**************************"
+  # SMS
+  #smssender.aws.secretkey: ""
+  #smssender.aws.accesskey: ""
+  #smssender.twilio.sid: ""
+  #smssender.twilio.token: ""
+  #
  # Storage
  ## PostgreSQL
  storage.type.postgresql.username: stephb
@@ -218,6 +228,9 @@ configProperties:
  storage.type.mysql.username: stephb
  storage.type.mysql.password: snoopy99

+# NOTE: List of required certificates may be found in "certs" key. Alternative way to pass required certificates is to create external secret with all required certificates and set secret name in "existingCertsSecret" key. Details may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/chart#tldr
+existingCertsSecret: ""
+
 certs:
  # restapi-ca.pem: ""
  # restapi-cert.pem: ""
--- a/openpapi/ucentralsec/owsec.yaml
+++ b/openpapi/ucentralsec/owsec.yaml
@@ -2,7 +2,7 @@ openapi: 3.0.1
 info:
  title: uCentral Security API
  description: A process to manage security logins.
-  version: 2.0.0
+  version: 2.5.0
  license:
    name: BSD3
    url: https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/LICENSE
@@ -17,6 +17,7 @@ servers:
 security:
  - bearerAuth: []
  - ApiKeyAuth: []
+  - ApiToken: []

 components:
  securitySchemes:
@@ -28,6 +29,10 @@ components:
      type: http
      scheme: bearer
      bearerFormat: JWT
+    ApiToken:
+      type: apiKey
+      in: header
+      name: X-API-TOKEN

  responses:
    NotFound:
@@ -51,6 +56,22 @@ components:
            properties:
              ErrorCode:
                type: integer
+                enum:
+                  - 0     # Success
+                  - 1     # PASSWORD_CHANGE_REQUIRED,
+                  - 2     # INVALID_CREDENTIALS,
+                  - 3     # PASSWORD_ALREADY_USED,
+                  - 4     # USERNAME_PENDING_VERIFICATION,
+                  - 5     # PASSWORD_INVALID,
+                  - 6     # INTERNAL_ERROR,
+                  - 7     # ACCESS_DENIED,
+                  - 8     # INVALID_TOKEN
+                  - 9     # EXPIRED_TOKEN
+                  - 10    # RATE_LIMIT_EXCEEDED
+                  - 11    # BAD_MFA_TRANSACTION
+                  - 12    # MFA_FAILURE
+                  - 13    # SECURITY_SERVICE_UNREACHABLE
+                  - 14    # CANNOT REFRESH TOKEN
              ErrorDetails:
                type: string
              ErrorDescription:
@@ -69,8 +90,20 @@ components:
              Code:
                type: integer

-  schemas:
+    BadRequest:
+      description: The requested operation failed.
+      content:
+        application/json:
+          schema:
+            properties:
+              ErrorCode:
+                type: integer
+              ErrorDetails:
+                type: string
+              ErrorDescription:
+                type: integer

+  schemas:
    WebTokenRequest:
      description: User Id and password.
      type: object
@@ -93,6 +126,15 @@ components:
        userId: support@example.com
        password: support

+    WebTokenRefreshRequest:
+      type: object
+      properties:
+        userId:
+          type: string
+          default: support@example.com
+        refresh_token:
+          type: string
+
    WebTokenResult:
      description: Login and Refresh Tokens to be used in subsequent API calls.
      type: object
@@ -127,18 +169,61 @@ components:
        aclTemplate:
          $ref: '#/components/schemas/AclTemplate'

-    ApiKeyCreationRequest:
+    ApiKeyAccessRight:
      type: object
      properties:
+        service:
+          type: string
+        access:
+          type: string
+          enum:
+            - read
+            - modify
+            - create
+            - delete
+            - noaccess
+
+    ApiKeyAccessRightList:
+      type: object
+      properties:
+        acls:
+          type: array
+          items:
+            $ref: '#/components/schemas/ApiKeyAccessRight'
+
+    ApiKeyEntry:
+      type: object
+      properties:
+        id:
+          type: string
+          format: uuid
+        userUuid:
+          type: string
+          format: uuid
        name:
          type: string
        description:
          type: string
+        apiKey:
+          type: string
+        salt:
+          type: string
        expiresOn:
          type: integer
          format: int64
+        lastUse:
+          type: integer
+          format: int64
        rights:
-          $ref: '#/components/schemas/AclTemplate'
+          $ref: '#/components/schemas/ApiKeyAccessRightList'
+
+    ApiKeyEntryList:
+      type: object
+      properties:
+        apiKeys:
+          type: array
+          items:
+            $ref: '#/components/schemas/ApiKeyEntry'

    ApiKeyCreationAnswer:
      type: object
@@ -157,7 +242,7 @@ components:
        apiKey:
          type: string
        rights:
-          $ref: '#/components/schemas/AclTemplate'
+          $ref: '#/components/schemas/ApiKeyAccessRights'

    AclTemplate:
      type: object
@@ -216,7 +301,7 @@ components:
          enum:
            - sms
            - email
-            - voice
+            - authenticator

    UserLoginLoginExtensions:
      type: object
@@ -225,6 +310,8 @@ components:
          type: array
          items:
            $ref: '#/components/schemas/MobilePhoneNumber'
+        authenticatorSecret:
+          type: string
        mfa:
          $ref: '#/components/schemas/MfaAuthInfo'

@@ -321,8 +408,14 @@ components:
        securityPolicyChange:
          type: integer
          format: int64
+        modified:
+          type: integer
+          format: int64
        userTypeProprietaryInfo:
          $ref: '#/components/schemas/UserLoginLoginExtensions'
+        signupUUID:
+          type: string
+          format: uuid

    UserList:
      type: object
@@ -381,6 +474,24 @@ components:
        answer:
          type: string

+    SubMfaConfig:
+      type: object
+      properties:
+        id:
+          type: string
+          format: uuid
+        type:
+          type: string
+          enum:
+            - disabled
+            - sms
+            - email
+        email:
+          type: string
+          format: email
+        sms:
+          type: string
+
    #########################################################################################
    ##
    ## These are endpoints that all services in the uCentral stack must provide
@@ -625,6 +736,22 @@ components:
          items:
            $ref: '#/components/schemas/TagValuePair'

+    Preferences:
+      type: object
+      properties:
+        modified:
+          type: integer
+          format: int64
+        data:
+          type: array
+          items:
+            type: object
+            properties:
+              tag:
+                type: string
+              value:
+                type: string
+
    #########################################################################################
    ##
    ## End of uCentral system wide values
@@ -667,6 +794,12 @@ paths:
          schema:
            type: boolean
          required: false
+        - in: query
+          name: grant_type
+          schema:
+            type: string
+            example: refresh_token
+          required: false
      requestBody:
        description: User id and password
        required: true
@@ -676,6 +809,72 @@ paths:
              oneOf:
                - $ref: '#/components/schemas/WebTokenRequest'
                - $ref: '#/components/schemas/MFAChallengeResponse'
+                - $ref: '#/components/schemas/WebTokenRefreshRequest'
+      responses:
+        200:
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                oneOf:
+                  - $ref: '#/components/schemas/WebTokenResult'
+                  - $ref: '#/components/schemas/MFAChallengeRequest'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+  /suboauth2:
+    post:
+      tags:
+        - Authentication
+      summary: Get access token - to be used as Bearer token header for all other API requests.
+      operationId: getSubAccessToken
+      parameters:
+        - in: query
+          name: newPassword
+          description: used when a user is trying to change her password. This will be the new password.
+          schema:
+            type: string
+          required: false
+        - in: query
+          name: forgotPassword
+          description: A user forgot her password. She needs to present her e-mail address in the userId and set this to true
+          schema:
+            type: boolean
+          required: false
+        - in: query
+          name: requirements
+          description: A user forgot her password. She needs to present her e-mail address in the userId and set this to true
+          schema:
+            type: boolean
+          required: false
+        - in: query
+          name: resendMFACode
+          schema:
+            type: boolean
+          required: false
+        - in: query
+          name: completeMFAChallenge
+          schema:
+            type: boolean
+          required: false
+        - in: query
+          name: grant_type
+          schema:
+            type: string
+            example: refresh_token
+          required: false
+      requestBody:
+        description: User id and password
+        required: true
+        content:
+          application/json:
+            schema:
+              oneOf:
+                - $ref: '#/components/schemas/WebTokenRequest'
+                - $ref: '#/components/schemas/MFAChallengeResponse'
+                - $ref: '#/components/schemas/WebTokenRefreshRequest'
      responses:
        200:
          description: successful operation
@@ -715,10 +914,35 @@ paths:
        404:
          $ref: '#/components/responses/NotFound'

+  /suboauth2/{token}:
+    delete:
+      tags:
+        - Authentication
+      summary: Revoke a token.
+      operationId: removeSubAccessToken
+      parameters:
+        - in: path
+          name: token
+          schema:
+            type:
+              string
+          required: true
+      responses:
+        204:
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/responses/Success'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
  /systemEndpoints:
    get:
      tags:
-        - Authentication
+        - System Commands
      summary: Retrieve the system layout.
      operationId: getSystemInfo
      responses:
@@ -771,6 +995,72 @@ paths:
            type: string
            example: id1,id2,id3,id4,id5
          required: false
+        - in: query
+          description: Name matching
+          name: nameSearch
+          schema:
+            type: string
+        - in: query
+          description: Name matching
+          name: emailSearch
+          schema:
+            type: string
+      responses:
+        200:
+          $ref: '#/components/schemas/UserList'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+  /subusers:
+    get:
+      tags:
+        - Subscribers
+      summary: Retrieve a list of existing users as well as some information about them.
+      operationId: getSubUsers
+      parameters:
+        - in: query
+          name: offset
+          schema:
+            type: integer
+            format: int64
+          required: false
+        - in: query
+          name: limit
+          schema:
+            type: integer
+            format: int64
+          required: false
+        - in: query
+          description: Selecting this option means the newest record will be returned. Use limit to select how many.
+          name: filter
+          schema:
+            type: string
+          required: false
+        - in: query
+          description: Return only the ids.
+          name: idOnly
+          schema:
+            type: boolean
+          required: false
+        - in: query
+          description: Return only the ids.
+          name: select
+          schema:
+            type: string
+            example: id1,id2,id3,id4,id5
+          required: false
+        - in: query
+          description: Name matching
+          name: nameSearch
+          schema:
+            type: string
+        - in: query
+          description: Name matching
+          name: emailSearch
+          schema:
+            type: string
      responses:
        200:
          $ref: '#/components/schemas/UserList'
@@ -869,6 +1159,134 @@ paths:
          schema:
            type: boolean
          required: false
+        - in: query
+          name: forgotPassword
+          schema:
+            type: boolean
+            default: false
+          required: false
+        - in: query
+          name: resetMFA
+          schema:
+            type: boolean
+            default: false
+          required: false
+      requestBody:
+        description: User details (some fields are ignored during update)
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/UserInfo'
+      responses:
+        200:
+          $ref: '#/components/schemas/UserInfo'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+  /subuser/{id}:
+    get:
+      tags:
+        - Subscribers
+      operationId: getSubUser
+      summary: Retrieve the information for a single user.
+      parameters:
+        - in: path
+          name: id
+          schema:
+            type: string
+            format: uuid
+          required: true
+      responses:
+        200:
+          $ref: '#/components/schemas/UserInfo'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+    delete:
+      tags:
+        - Subscribers
+      operationId: deleteSubUser
+      summary: Delete a single user.
+      parameters:
+        - in: path
+          name: id
+          schema:
+            type: integer
+            format: int64
+          required: true
+      responses:
+        204:
+          $ref: '#/components/responses/Success'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+    post:
+      tags:
+        - Subscribers
+      operationId: createSubUser
+      summary: Create a single user.
+      parameters:
+        - in: path
+          name: id
+          #must be set to 0 for user creation
+          schema:
+            type: integer
+            format: int64
+          required: true
+        - in: query
+          name: email_verification
+          schema:
+            type: boolean
+          required: false
+      requestBody:
+        description: User details (some fields are ignored during creation)
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/UserInfo'
+      responses:
+        200:
+          $ref: '#/components/schemas/UserInfo'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+    put:
+      tags:
+        - Subscribers
+      operationId: updateSubUser
+      summary: Modify a single user.
+      parameters:
+        - in: path
+          name: id
+          schema:
+            type: integer
+            format: int64
+          required: true
+        - in: query
+          name: email_verification
+          schema:
+            type: boolean
+          required: false
+        - in: query
+          name: forgotPassword
+          schema:
+            type: boolean
+            default: false
+          required: false
+        - in: query
+          name: resetMFA
+          schema:
+            type: boolean
+            default: false
+          required: false
      requestBody:
        description: User details (some fields are ignored during update)
        content:
@@ -978,7 +1396,7 @@ paths:
  /email:
    post:
      tags:
-        - Email
+        - Messaging
      summary: Send test email with the system.
      operationId: Send a test email
      requestBody:
@@ -1009,7 +1427,7 @@ paths:
  /sms:
    post:
      tags:
-        - Email
+        - Messaging
      summary: Send test email with the system.
      operationId: Send a test SMS
      parameters:
@@ -1053,6 +1471,315 @@ paths:
                    items:
                      type: string

+  /userPreferences:
+    get:
+      tags:
+        - Preferences
+      operationId: getUserPreferences
+      summary: Get the list of recorded preferences for a user
+      responses:
+        200:
+          $ref: '#/components/schemas/Preferences'
+        400:
+          $ref: '#/components/responses/BadRequest'
+    post:
+      tags:
+        - Preferences
+      operationId: setUserPreferences
+      summary: Set the list of recorded preferences for a user
+      requestBody:
+        description: Setting the list of preferences
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/Preferences'
+      responses:
+        200:
+          $ref: '#/components/schemas/Preferences'
+        400:
+          $ref: '#/components/responses/BadRequest'
+
+  /submfa:
+    get:
+      tags:
+        - MFA
+      summary: Retrieve the cyrrent setting for MFA
+      operationId: getMFS
+      responses:
+        200:
+          $ref: '#/components/schemas/SubMfaConfig'
+
+    put:
+      tags:
+        - MFA
+      summary: Retrieve the cyrrent setting for MFA
+      operationId: modifyMFS
+      parameters:
+        - in: query
+          name: startValidation
+          schema:
+            type: boolean
+          required: false
+        - in: query
+          name: completeValidation
+          schema:
+            type: boolean
+          required: false
+        - in: query
+          name: challengeCode
+          schema:
+            type: string
+          required: false
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/SubMfaConfig'
+      responses:
+        200:
+          $ref: '#/components/schemas/SubMfaConfig'
+        400:
+          $ref: '#/components/responses/BadRequest'
+
+  /totp:
+    get:
+      tags:
+        - Security
+      summary: Retrieve the Authenticator QR Code
+      operationId: getTotpQrCode
+      parameters:
+        - in: query
+          name: reset
+          schema:
+            type: boolean
+            default: false
+          required: false
+      responses:
+        200:
+          description: QRCode
+          content:
+            image/svg+xml:
+              schema:
+                type: string
+                format: binary
+        400:
+          $ref: '#/components/responses/BadRequest'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+
+    put:
+      tags:
+        - Security
+      summary: Send the first security code to validate your setup
+      operationId: sendToptTestCode
+      parameters:
+        - in: query
+          name: value
+          schema:
+            type: integer
+            format: int64
+          required: true
+        - in: query
+          name: index
+          schema:
+            type: integer
+            format: int64
+            example: 1,2,3
+          required: true
+      responses:
+        200:
+          description: Succesful posting of response.
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  nextIndex:
+                    type: integer
+                  moreCodes:
+                    type: boolean
+        400:
+          $ref: '#/components/responses/BadRequest'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+
+  /signup:
+    post:
+      tags:
+        - Subscriber Registration
+      summary: This call allows a new subscriber to register themselves and their devices.
+      operationId: postSignup
+      parameters:
+        - in: query
+          name: email
+          schema:
+            type: string
+            format: email
+          required: true
+        - in: query
+          name: signupUUID
+          schema:
+            type: string
+            format: uuid
+          required: true
+      responses:
+        200:
+          $ref: '#/components/schemas/UserInfo'
+        400:
+          $ref: '#/components/responses/BadRequest'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+    put:
+      tags:
+        - Subscriber Registration
+      summary: modify the signup command in play
+      operationId: modifySignup
+      parameters:
+        - in: query
+          name: signupUUID
+          schema:
+            type: string
+            format: uuid
+          required: true
+        - in: query
+          name: operation
+          schema:
+            type: string
+            enum:
+              - cancel
+              - success
+              - inprogress
+              - failed
+              - poll
+              - emailVerified
+          required: true
+      requestBody:
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                reason:
+                  type: string
+                time:
+                  type: integer
+                  format: int64
+                errorCode:
+                  type: integer
+                  format: int32
+        required: false
+
+      responses:
+        200:
+          $ref: '#/components/responses/Success'
+        400:
+          $ref: '#/components/responses/BadRequest'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+  /apiKey/{uuid}:
+    get:
+      tags:
+        - API Tokens
+      summary: Retrieve all the APIKeys for a given user UUID
+      operationId: getApiKeyList
+      parameters:
+        - in: path
+          name: uuid
+          schema:
+            type: string
+            format: uuid
+          required: true
+      responses:
+        200:
+          $ref: '#/components/schemas/ApiKeyEntryList'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+    delete:
+      tags:
+        - API Tokens
+      summary: Retrieve all the APIKeys for a given user UUID
+      operationId: deleteApiKey
+      parameters:
+        - in: path
+          name: uuid
+          schema:
+            type: string
+            format: uuid
+          required: true
+        - in: query
+          name: keyUuid
+          schema:
+            type: string
+          required: true
+      responses:
+        200:
+          $ref: '#/components/responses/Success'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+    post:
+      tags:
+        - API Tokens
+      summary: Retrieve all the APIKeys for a given user UUID
+      operationId: createApiKey
+      parameters:
+        - in: path
+          name: uuid
+          schema:
+            type: string
+            format: uuid
+          required: true
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ApiKeyEntry'
+      responses:
+        200:
+          $ref: '#/components/schemas/ApiKeyEntry'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+    put:
+      tags:
+        - API Tokens
+      summary: Retrieve all the APIKeys for a given user UUID
+      operationId: modifyApiKey
+      parameters:
+        - in: path
+          name: uuid
+          schema:
+            type: string
+            format: uuid
+          required: true
+        - in: query
+          name: name
+          schema:
+            type: string
+          required: true
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ApiKeyEntry'
+      responses:
+        200:
+          $ref: '#/components/schemas/ApiKeyEntry'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
  #########################################################################################
  ##
  ## These are endpoints that all services in the uCentral stack must provide
@@ -1128,6 +1855,47 @@ paths:
        404:
          $ref: '#/components/responses/NotFound'

+  /validateSubToken:
+    get:
+      tags:
+        - Security
+        - Subscribers
+      summary: Allows any microservice to validate a token and get security policy for a specific user.
+      operationId: validateSubToken
+      parameters:
+        - in: query
+          name: token
+          schema:
+            type: string
+          required: true
+      responses:
+        200:
+          $ref: '#/components/schemas/TokenValidationResult'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+  /validateApiKey:
+    get:
+      tags:
+        - Security
+      summary: Allows an application to validate an API Key.
+      operationId: validateApiKey
+      parameters:
+        - in: query
+          name: token
+          schema:
+            type: string
+          required: true
+      responses:
+        200:
+          $ref: '#/components/schemas/TokenValidationResult'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
  /system:
    post:
      tags:
--- a/overlays/curl/portfile.cmake
+++ b/overlays/curl/portfile.cmake
@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)
--- a/overlays/curl/vcpkg.json
+++ b/overlays/curl/vcpkg.json
@@ -0,0 +1,4 @@
+{
+    "name": "curl",
+    "version-string": "7.74.0-1.3+deb11u3"
+}
--- a/overlays/openssl/portfile.cmake
+++ b/overlays/openssl/portfile.cmake
@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)
--- a/overlays/openssl/vcpkg.json
+++ b/overlays/openssl/vcpkg.json
@@ -0,0 +1,4 @@
+{
+    "name": "openssl",
+    "version-string": "1.1.1n-0+deb11u3"
+}
--- a/overlays/zlib/portfile.cmake
+++ b/overlays/zlib/portfile.cmake
@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)
--- a/overlays/zlib/vcpkg.json
+++ b/overlays/zlib/vcpkg.json
@@ -0,0 +1,4 @@
+{
+    "name": "zlib",
+    "version-string": "1:1.2.11.dfsg-2+deb11u2"
+}
--- a/owsec.properties
+++ b/owsec.properties
@@ -36,10 +36,12 @@ openwifi.system.data = $OWSEC_ROOT/data
 openwifi.system.uri.private = https://localhost:17001
 openwifi.system.uri.public = https://local.dpaas.arilia.com:16001
 openwifi.system.uri.ui = https://ucentral-ui.arilia.com
+openwifi.security.restapi.disable = false
 openwifi.system.commandchannel = /tmp/app.ucentralsec
 openwifi.service.key = $OWSEC_ROOT/certs/restapi-key.pem
 openwifi.service.key.password = mypassword

+smssender.enabled = false
 smssender.provider = aws
 smssender.aws.secretkey = ***************************************
 smssender.aws.accesskey = ***************************************
@@ -53,6 +55,7 @@ smssender.aws.region = **************
 #
 # Security Microservice Specific Section
 #
+mailer.enabled = false
 mailer.hostname = smtp.gmail.com
 mailer.username = ************************
 mailer.password = ************************
@@ -80,10 +83,16 @@ openwifi.kafka.enable = true
 openwifi.kafka.brokerlist = a1.arilia.com:9092
 openwifi.kafka.auto.commit = false
 openwifi.kafka.queue.buffering.max.ms = 50
+openwifi.kafka.ssl.ca.location =
+openwifi.kafka.ssl.certificate.location =
+openwifi.kafka.ssl.key.location =
+openwifi.kafka.ssl.key.password =
+
 openwifi.document.policy.access = /wwwassets/access_policy.html
 openwifi.document.policy.password = /wwwassets/password_policy.html
 openwifi.avatar.maxsize = 2000000

+totp.issuer = OpenWiFi
 #
 # This section select which form of persistence you need
 # Only one selected at a time. If you select multiple, this service will die if a horrible
@@ -116,44 +125,12 @@ storage.type.mysql.database = ucentral
 storage.type.mysql.port = 3306
 storage.type.mysql.connectiontimeout = 60

-
 ########################################################################
 ########################################################################
 #
 # Logging: please leave as is for now.
 #
 ########################################################################
-logging.formatters.f1.class = PatternFormatter
-logging.formatters.f1.pattern = %s: [%p] %t
-logging.formatters.f1.times = UTC
-logging.channels.c1.class = ConsoleChannel
-logging.channels.c1.formatter = f1
-
-# This is where the logs will be written. This path MUST exist
-logging.channels.c2.class = FileChannel
-logging.channels.c2.path = $OWSEC_ROOT/logs/log
-logging.channels.c2.formatter.class = PatternFormatter
-logging.channels.c2.formatter.pattern = %Y-%m-%d %H:%M:%S %s: [%p] %t
-logging.channels.c2.rotation = 20 M
-logging.channels.c2.archive = timestamp
-logging.channels.c2.purgeCount = 20
-logging.channels.c3.class = ConsoleChannel
-logging.channels.c3.pattern = %s: [%p] %t
-
-# External Channel
-logging.loggers.root.channel = c2
-logging.loggers.root.level = debug
-
-# Inline Channel with PatternFormatter
-# logging.loggers.l1.name = logger1
-# logging.loggers.l1.channel.class = ConsoleChannel
-# logging.loggers.l1.channel.pattern = %s: [%p] %t
-# logging.loggers.l1.level = information
-# SplitterChannel
-# logging.channels.splitter.class = SplitterChannel
-# logging.channels.splitter.channels = l1,l2
-# logging.loggers.l2.name = logger2
-# logging.loggers.l2.channel = splitter
-
-
-
+logging.type = file
+logging.path = $OWSEC_ROOT/logs
+logging.level = debug
--- a/owsec.properties.tmpl
+++ b/owsec.properties.tmpl
@@ -36,13 +36,26 @@ openwifi.system.data = ${SYSTEM_DATA}
 openwifi.system.uri.private = ${SYSTEM_URI_PRIVATE}
 openwifi.system.uri.public = ${SYSTEM_URI_PUBLIC}
 openwifi.system.uri.ui = ${SYSTEM_URI_UI}
+openwifi.security.restapi.disable = ${SECURITY_RESTAPI_DISABLE}
 openwifi.system.commandchannel = /tmp/app.ucentralsec
 openwifi.service.key = ${SERVICE_KEY}
 openwifi.service.key.password = ${SERVICE_KEY_PASSWORD}

+smssender.enabled = ${SMSSENDER_ENABLED}
+smssender.provider = ${SMSSENDER_PROVIDER}
+
+smssender.aws.secretkey = ${SMSSENDER_AWS_SECRETKEY}
+smssender.aws.accesskey = ${SMSSENDER_AWS_ACCESSKEY}
+smssender.aws.region = ${SMSSENDER_AWS_REGION}
+
+smssender.twilio.sid = ${SMSSENDER_TWILIO_SID}
+smssender.twilio.token = ${SMSSENDER_TWILIO_TOKEN}
+smssender.twilio.phonenumber = ${SMSSENDER_TWILIO_PHONENUMBER}
+
 #
 # Security Microservice Specific Section
 #
+mailer.enabled = ${MAILER_ENABLED}
 mailer.hostname = ${MAILER_HOSTNAME}
 mailer.username = ${MAILER_USERNAME}
 mailer.password = ${MAILER_PASSWORD}
@@ -70,6 +83,10 @@ openwifi.kafka.enable = ${KAFKA_ENABLE}
 openwifi.kafka.brokerlist = ${KAFKA_BROKERLIST}
 openwifi.kafka.auto.commit = false
 openwifi.kafka.queue.buffering.max.ms = 50
+openwifi.kafka.ssl.ca.location = ${KAFKA_SSL_CA_LOCATION}
+openwifi.kafka.ssl.certificate.location = ${KAFKA_SSL_CERTIFICATE_LOCATION}
+openwifi.kafka.ssl.key.location = ${KAFKA_SSL_KEY_LOCATION}
+openwifi.kafka.ssl.key.password = ${KAFKA_SSL_KEY_PASSWORD}

 openwifi.document.policy.access = ${DOCUMENT_POLICY_ACCESS}
 openwifi.document.policy.password = ${DOCUMENT_POLICY_PASSWORD}
@@ -110,37 +127,6 @@ storage.type.mysql.connectiontimeout = 60
 # Logging: please leave as is for now.
 #
 ########################################################################
-logging.formatters.f1.class = PatternFormatter
-logging.formatters.f1.pattern = %Y-%m-%d %H:%M:%S %s: [%p] %t
-logging.formatters.f1.times = UTC
-logging.channels.c1.class = ConsoleChannel
-logging.channels.c1.formatter = f1
-
-# This is where the logs will be written. This path MUST exist
-logging.channels.c2.class = FileChannel
-logging.channels.c2.path = $OWSEC_ROOT/logs/log
-logging.channels.c2.formatter.class = PatternFormatter
-logging.channels.c2.formatter.pattern = %Y-%m-%d %H:%M:%S %s: [%p] %t
-logging.channels.c2.rotation = 20 M
-logging.channels.c2.archive = timestamp
-logging.channels.c2.purgeCount = 20
-logging.channels.c3.class = ConsoleChannel
-logging.channels.c3.pattern = %s: [%p] %t
-
-# External Channel
-logging.loggers.root.channel = c1
-logging.loggers.root.level = debug
-
-# Inline Channel with PatternFormatter
-# logging.loggers.l1.name = logger1
-# logging.loggers.l1.channel.class = ConsoleChannel
-# logging.loggers.l1.channel.pattern = %s: [%p] %t
-# logging.loggers.l1.level = information
-# SplitterChannel
-# logging.channels.splitter.class = SplitterChannel
-# logging.channels.splitter.channels = l1,l2
-# logging.loggers.l2.name = logger2
-# logging.loggers.l2.channel = splitter
-
-
-
+logging.type = console
+logging.path = $OWSEC_ROOT/logs
+logging.level = debug
--- a/27
+++ b/27
@@ -13,22 +13,23 @@ then
  exit 1
 fi

-if [[ "${OWSEC_USERNAME}" == "" ]]
-then
-  echo "You must set the variable OWSEC_USERNAME in order to use this script. Something like"
-  echo "OWSEC_USERNAME=tip@ucentral.com"
-  exit 1
-fi
-
-if [[ "${OWSEC_PASSWORD}" == "" ]]
-then
-  echo "You must set the variable OWSEC_PASSWORD in order to use this script. Something like"
-  echo "OWSEC_PASSWORD=openwifi"
-  exit 1
-fi

 if [[ "${READINESS_METHOD}" == "systeminfo" ]]
 then
+  if [[ "${OWSEC_USERNAME}" == "" ]]
+  then
+    echo "You must set the variable OWSEC_USERNAME in order to use this script. Something like"
+    echo "OWSEC_USERNAME=tip@ucentral.com"
+    exit 1
+  fi
+
+  if [[ "${OWSEC_PASSWORD}" == "" ]]
+  then
+    echo "You must set the variable OWSEC_PASSWORD in order to use this script. Something like"
+    echo "OWSEC_PASSWORD=openwifi"
+    exit 1
+  fi
+
  export RESTAPI_PORT=$(grep 'openwifi.restapi.host.0.port' $OWSEC_CONFIG/owsec.properties | awk -F '=' '{print $2}' | xargs | envsubst)
  # Get OAuth token from OWSEC and cache it or use cached one
  payload="{ \"userId\" : \"$OWSEC_USERNAME\" , \"password\" : \"$OWSEC_PASSWORD\" }"
--- a/src/ACLProcessor.h
+++ b/src/ACLProcessor.h
@@ -0,0 +1,139 @@
+//
+// Created by stephane bourque on 2021-11-12.
+//
+
+#ifndef OWSEC_ACLPROCESSOR_H
+#define OWSEC_ACLPROCESSOR_H
+
+#include "RESTObjects/RESTAPI_SecurityObjects.h"
+
+namespace OpenWifi {
+
+    class ACLProcessor {
+    public:
+        enum ACL_OPS {
+            READ,
+            MODIFY,
+            DELETE,
+            CREATE
+        };
+/*
+ *  0) You can only delete yourself if you are a subscriber
+    1) You cannot delete yourself
+    2) If you are root, you can do anything.
+    3) You can do anything to yourself
+    4) Nobody can touch a root, unless they are a root, unless it is to get information on a ROOT
+    5) Creation rules:
+        ROOT -> create anything
+        PARTNER -> (multi-tenant owner) admin,subs,csr,installer,noc,accounting - matches to an entity in provisioning
+        ADMIN -> admin-subs-csr-installer-noc-accounting
+        ACCOUNTING -> subs-installer-csr
+
+ */
+        static inline bool Can( const SecurityObjects::UserInfo & User, const SecurityObjects::UserInfo & Target, ACL_OPS Op) {
+
+            switch(Op) {
+                case DELETE: {
+                    //  can a user delete themselves - yes - only if not root. We do not want a system to end up rootless
+                    if(User.id==Target.id) {
+                        return User.userRole != SecurityObjects::ROOT;
+                    }
+                    //  Root can delete anyone
+                    switch (User.userRole) {
+                        case SecurityObjects::ROOT:
+                            return true;
+                        case SecurityObjects::ADMIN:
+                            return Target.userRole!=SecurityObjects::ROOT && Target.userRole!=SecurityObjects::PARTNER;
+                        case SecurityObjects::SUBSCRIBER:
+                            return User.id==Target.id;
+                        case SecurityObjects::CSR:
+                            return false;
+                        case SecurityObjects::SYSTEM:
+                            return Target.userRole!=SecurityObjects::ROOT && Target.userRole!=SecurityObjects::PARTNER;
+                        case SecurityObjects::INSTALLER:
+                            return User.id==Target.id;
+                        case SecurityObjects::NOC:
+                            return Target.userRole==SecurityObjects::NOC;
+                        case SecurityObjects::ACCOUNTING:
+                            return Target.userRole==SecurityObjects::ACCOUNTING;
+                        case SecurityObjects::PARTNER:
+                            return Target.userRole!=SecurityObjects::ROOT;
+                        default:
+                            return false;
+                    }
+                }
+                break;
+
+                case READ: {
+                    return  User.userRole == SecurityObjects::ROOT ||
+                            User.userRole == SecurityObjects::ADMIN ||
+                            User.userRole == SecurityObjects::PARTNER;
+                }
+                break;
+
+                case CREATE: {
+                    switch(User.userRole) {
+                        case SecurityObjects::ROOT:
+                            return true;
+                        case SecurityObjects::ADMIN:
+                            return  Target.userRole!=SecurityObjects::ROOT &&
+                                    Target.userRole!=SecurityObjects::PARTNER;
+                        case SecurityObjects::SUBSCRIBER:
+                            return false;
+                        case SecurityObjects::CSR:
+                            return Target.userRole==SecurityObjects::CSR;
+                        case SecurityObjects::SYSTEM:
+                            return Target.userRole!=SecurityObjects::ROOT && Target.userRole!=SecurityObjects::PARTNER;
+                        case SecurityObjects::INSTALLER:
+                            return Target.userRole==SecurityObjects::INSTALLER;
+                        case SecurityObjects::NOC:
+                            return Target.userRole==SecurityObjects::NOC;
+                        case SecurityObjects::ACCOUNTING:
+                            return Target.userRole==SecurityObjects::ACCOUNTING;
+                        case SecurityObjects::PARTNER:
+                            return Target.userRole!=SecurityObjects::ROOT;
+                        default:
+                            return false;
+                    }
+                }
+                break;
+
+                case MODIFY: {
+                    switch(User.userRole) {
+                        case SecurityObjects::ROOT:
+                            return true;
+                        case SecurityObjects::ADMIN:
+                            return  Target.userRole!=SecurityObjects::ROOT &&
+                                    Target.userRole!=SecurityObjects::PARTNER;
+                        case SecurityObjects::SUBSCRIBER:
+                            return  User.id==Target.id;
+                        case SecurityObjects::CSR:
+                            return  Target.userRole==SecurityObjects::CSR;
+                        case SecurityObjects::SYSTEM:
+                            return  Target.userRole!=SecurityObjects::ROOT &&
+                                    Target.userRole!=SecurityObjects::PARTNER;
+                        case SecurityObjects::INSTALLER:
+                            return  Target.userRole==SecurityObjects::INSTALLER;
+                        case SecurityObjects::NOC:
+                            return  Target.userRole==SecurityObjects::NOC;
+                        case SecurityObjects::ACCOUNTING:
+                            return  Target.userRole==SecurityObjects::ACCOUNTING;
+                        case SecurityObjects::PARTNER:
+                            return  Target.userRole!=SecurityObjects::ROOT;
+                        default:
+                            return false;
+                    }
+                }
+                    break;
+                default:
+                    return false;
+            }
+        }
+    private:
+
+    };
+
+}
+
+
+#endif //OWSEC_ACLPROCESSOR_H
--- a/src/APIServers.cpp
+++ b/src/APIServers.cpp
@@ -1,47 +0,0 @@
-//
-// Created by stephane bourque on 2021-10-23.
-//
-
-#include "framework/MicroService.h"
-
-#include "RESTAPI/RESTAPI_oauth2Handler.h"
-#include "RESTAPI/RESTAPI_user_handler.h"
-#include "RESTAPI/RESTAPI_users_handler.h"
-#include "RESTAPI/RESTAPI_action_links.h"
-#include "RESTAPI/RESTAPI_systemEndpoints_handler.h"
-#include "RESTAPI/RESTAPI_AssetServer.h"
-#include "RESTAPI/RESTAPI_avatarHandler.h"
-#include "RESTAPI/RESTAPI_email_handler.h"
-#include "RESTAPI/RESTAPI_sms_handler.h"
-#include "RESTAPI/RESTAPI_validateToken_handler.h"
-
-namespace OpenWifi {
-
-    Poco::Net::HTTPRequestHandler * RESTAPI_external_server(const char *Path, RESTAPIHandler::BindingMap &Bindings,
-                                                            Poco::Logger & L, RESTAPI_GenericServer & S) {
-        return RESTAPI_Router<
-            RESTAPI_oauth2Handler,
-            RESTAPI_users_handler,
-            RESTAPI_user_handler,
-            RESTAPI_system_command,
-            RESTAPI_AssetServer,
-            RESTAPI_systemEndpoints_handler,
-            RESTAPI_action_links,
-            RESTAPI_avatarHandler,
-            RESTAPI_email_handler,
-            RESTAPI_sms_handler
-        >(Path, Bindings, L, S);
-    }
-
-    Poco::Net::HTTPRequestHandler * RESTAPI_internal_server(const char *Path, RESTAPIHandler::BindingMap &Bindings,
-                                                            Poco::Logger & L, RESTAPI_GenericServer & S) {
-        return RESTAPI_Router_I<
-            RESTAPI_users_handler,
-            RESTAPI_user_handler,
-            RESTAPI_system_command,
-            RESTAPI_action_links,
-            RESTAPI_validateToken_handler,
-            RESTAPI_sms_handler
-        >(Path, Bindings, L, S);
-    }
-}
--- a/src/ActionLinkManager.cpp
+++ b/src/ActionLinkManager.cpp
@@ -0,0 +1,128 @@
+//
+// Created by stephane bourque on 2021-11-08.
+//
+
+#include "ActionLinkManager.h"
+#include "StorageService.h"
+#include "RESTObjects/RESTAPI_SecurityObjects.h"
+#include "MessagingTemplates.h"
+#include "framework/utils.h"
+#include "fmt/format.h"
+
+namespace OpenWifi {
+
+    int ActionLinkManager::Start() {
+        poco_information(Logger(),"Starting...");
+        if(!Running_)
+            Thr_.start(*this);
+        return 0;
+    }
+
+    void ActionLinkManager::Stop() {
+        poco_information(Logger(),"Stopping...");
+        if(Running_) {
+            Running_ = false;
+            Thr_.wakeUp();
+            Thr_.join();
+        }
+        poco_information(Logger(),"Stopped...");
+    }
+
+    void ActionLinkManager::run() {
+        Running_ = true ;
+        Utils::SetThreadName("action-mgr");
+
+        while(Running_) {
+            Poco::Thread::trySleep(2000);
+            if(!Running_)
+                break;
+            std::vector<SecurityObjects::ActionLink>    Links;
+            {
+                std::lock_guard G(Mutex_);
+                StorageService()->ActionLinksDB().GetActions(Links);
+            }
+
+            if(Links.empty())
+                continue;
+
+            for(auto &i:Links) {
+                if(!Running_)
+                    break;
+
+                SecurityObjects::UserInfo UInfo;
+                if((i.action==OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD ||
+                    i.action==OpenWifi::SecurityObjects::LinkActions::VERIFY_EMAIL) && !StorageService()->UserDB().GetUserById(i.userId,UInfo)) {
+                    StorageService()->ActionLinksDB().CancelAction(i.id);
+                    continue;
+                } else if(( i.action==OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD ||
+                            i.action==OpenWifi::SecurityObjects::LinkActions::SUB_VERIFY_EMAIL ||
+                            i.action==OpenWifi::SecurityObjects::LinkActions::SUB_SIGNUP ) && !StorageService()->SubDB().GetUserById(i.userId,UInfo)) {
+                    StorageService()->ActionLinksDB().CancelAction(i.id);
+                    continue;
+                } else if((i.action==OpenWifi::SecurityObjects::LinkActions::EMAIL_INVITATION) &&
+                        (OpenWifi::Now()-i.created)>(24*60*60)) {
+                    StorageService()->ActionLinksDB().CancelAction(i.id);
+                    continue;
+                }
+
+                switch(i.action) {
+                    case OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD: {
+                            if(AuthService::SendEmailToUser(i.id, UInfo.email, MessagingTemplates::FORGOT_PASSWORD)) {
+                                poco_information(Logger(),fmt::format("Send password reset link to {}",UInfo.email));
+                            }
+                            StorageService()->ActionLinksDB().SentAction(i.id);
+                        }
+                        break;
+
+                    case OpenWifi::SecurityObjects::LinkActions::VERIFY_EMAIL: {
+                            if(AuthService::SendEmailToUser(i.id, UInfo.email, MessagingTemplates::EMAIL_VERIFICATION)) {
+                                poco_information(Logger(),fmt::format("Send email verification link to {}",UInfo.email));
+                            }
+                            StorageService()->ActionLinksDB().SentAction(i.id);
+                        }
+                        break;
+
+                    case OpenWifi::SecurityObjects::LinkActions::EMAIL_INVITATION: {
+                            if(AuthService::SendEmailToUser(i.id, UInfo.email, MessagingTemplates::EMAIL_INVITATION)) {
+                                poco_information(Logger(),fmt::format("Send new subscriber email invitation link to {}",UInfo.email));
+                            }
+                            StorageService()->ActionLinksDB().SentAction(i.id);
+                        }
+                        break;
+
+                    case OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD: {
+                            auto Signup = Poco::StringTokenizer(UInfo.signingUp,":");
+                            if(AuthService::SendEmailToSubUser(i.id, UInfo.email,MessagingTemplates::SUB_FORGOT_PASSWORD, Signup.count()==1 ? "" : Signup[0])) {
+                                poco_information(Logger(),fmt::format("Send subscriber password reset link to {}",UInfo.email));
+                            }
+                            StorageService()->ActionLinksDB().SentAction(i.id);
+                        }
+                        break;
+
+                    case OpenWifi::SecurityObjects::LinkActions::SUB_VERIFY_EMAIL: {
+                            auto Signup = Poco::StringTokenizer(UInfo.signingUp,":");
+                            if(AuthService::SendEmailToSubUser(i.id, UInfo.email, MessagingTemplates::SUB_EMAIL_VERIFICATION, Signup.count()==1 ? "" : Signup[0])) {
+                                poco_information(Logger(),fmt::format("Send subscriber email verification link to {}",UInfo.email));
+                            }
+                            StorageService()->ActionLinksDB().SentAction(i.id);
+                        }
+                        break;
+
+                    case OpenWifi::SecurityObjects::LinkActions::SUB_SIGNUP: {
+                        auto Signup = Poco::StringTokenizer(UInfo.signingUp,":");
+                        if(AuthService::SendEmailToSubUser(i.id, UInfo.email, MessagingTemplates::SUB_SIGNUP_VERIFICATION, Signup.count()==1 ? "" : Signup[0])) {
+                            poco_information(Logger(),fmt::format("Send new subscriber email verification link to {}",UInfo.email));
+                        }
+                        StorageService()->ActionLinksDB().SentAction(i.id);
+                        }
+                        break;
+
+                    default: {
+                        StorageService()->ActionLinksDB().SentAction(i.id);
+                    }
+                }
+            }
+        }
+    }
+
+}
--- a/src/ActionLinkManager.h
+++ b/src/ActionLinkManager.h
@@ -0,0 +1,34 @@
+//
+// Created by stephane bourque on 2021-11-08.
+//
+
+#pragma once
+
+#include "framework/SubSystemServer.h"
+
+namespace OpenWifi {
+
+    class ActionLinkManager : public SubSystemServer, Poco::Runnable {
+    public:
+
+        static ActionLinkManager * instance() {
+            static auto instance_ = new ActionLinkManager;
+            return instance_;
+        }
+
+        int Start() final;
+        void Stop() final;
+        void run() final;
+
+    private:
+        Poco::Thread        Thr_;
+        std::atomic_bool    Running_ = false;
+
+        ActionLinkManager() noexcept:
+            SubSystemServer("ActionLinkManager", "ACTION-SVR", "action.server")
+                {
+                }
+    };
+    inline ActionLinkManager * ActionLinkManager() { return ActionLinkManager::instance(); }
+}
+
--- a/src/AuthService.cpp
+++ b/src/AuthService.cpp
@@ -8,20 +8,23 @@

 #include <ctime>

+#include "framework/KafkaManager.h"
+#include "framework/KafkaTopics.h"
+
 #include "Poco/Net/OAuth20Credentials.h"
 #include "Poco/JWT/Token.h"
 #include "Poco/JWT/Signer.h"
+#include "Poco/StringTokenizer.h"

-#include "framework/MicroService.h"
 #include "StorageService.h"
 #include "AuthService.h"
-#include "framework/KafkaTopics.h"
+#include "framework/MicroServiceFuncs.h"

 #include "SMTPMailerService.h"
 #include "MFAServer.h"
+#include "MessagingTemplates.h"

 namespace OpenWifi {
-    class AuthService *AuthService::instance_ = nullptr;

    AuthService::ACCESS_TYPE AuthService::IntToAccessType(int C) {
 		switch (C) {
@@ -42,108 +45,276 @@ namespace OpenWifi {
 		return 1;	// some compilers complain...
 	}

+#if defined(TIP_CERT_SERVICE)
+    static const std::string DefaultPasswordRule{"^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[\\{\\}\\(\\)~_\\+\\|\\\\\\[\\]\\;\\:\\<\\>\\.\\,\\/\\?\\\"\\'\\`\\=#?!@$%^&*-]).{12,}$"};
+#else
+    static const std::string DefaultPasswordRule{"^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[\\{\\}\\(\\)~_\\+\\|\\\\\\[\\]\\;\\:\\<\\>\\.\\,\\/\\?\\\"\\'\\`\\=#?!@$%^&*-]).{8,}$"};
+#endif
+
    int AuthService::Start() {
-		Signer_.setRSAKey(MicroService::instance().Key());
-		Signer_.addAllAlgorithms();
-		Logger_.notice("Starting...");
-        Secure_ = MicroService::instance().ConfigGetBool("authentication.enabled",true);
-        DefaultPassword_ = MicroService::instance().ConfigGetString("authentication.default.password","");
-        DefaultUserName_ = MicroService::instance().ConfigGetString("authentication.default.username","");
-        Mechanism_ = MicroService::instance().ConfigGetString("authentication.service.type","internal");
-        PasswordValidation_ = PasswordValidationStr_ = MicroService::instance().ConfigGetString("authentication.validation.expression","^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{8,}$");
-        TokenAging_ = (uint64_t) MicroService::instance().ConfigGetInt("authentication.token.ageing", 30 * 24 * 60 * 60);
-        HowManyOldPassword_ = MicroService::instance().ConfigGetInt("authentication.oldpasswords", 5);
+        poco_information(Logger(),"Starting...");
+        TokenAging_ = (uint64_t) MicroServiceConfigGetInt("authentication.token.ageing", 30 * 24 * 60 * 60);
+        RefreshTokenLifeSpan_ = (uint64_t) MicroServiceConfigGetInt("authentication.refresh_token.lifespan", 90 * 24 * 60 * 600);
+        HowManyOldPassword_ = MicroServiceConfigGetInt("authentication.oldpasswords", 5);
+
+        AccessPolicy_ = MicroServiceConfigGetString("openwifi.document.policy.access", "/wwwassets/access_policy.html");
+        PasswordPolicy_ = MicroServiceConfigGetString("openwifi.document.policy.password", "/wwwassets/password_policy.html");
+        PasswordValidation_ = PasswordValidationStr_ = MicroServiceConfigGetString("authentication.validation.expression",DefaultPasswordRule);
+
+        SubPasswordValidation_ = SubPasswordValidationStr_ = MicroServiceConfigGetString("subscriber.validation.expression",DefaultPasswordRule);
+        SubAccessPolicy_ = MicroServiceConfigGetString("subscriber.policy.access", "/wwwassets/access_policy.html");
+        SubPasswordPolicy_ = MicroServiceConfigGetString("subscriber.policy.password", "/wwwassets/password_policy.html");
+
        return 0;
    }

    void AuthService::Stop() {
-		Logger_.notice("Stopping...");
+        poco_information(Logger(),"Stopping...");
+        poco_information(Logger(),"Stopped...");
    }

-	bool AuthService::IsAuthorized(Poco::Net::HTTPServerRequest & Request, std::string & SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo )
+    bool AuthService::RefreshUserToken(Poco::Net::HTTPServerRequest & Request, const std::string & RefreshToken, SecurityObjects::UserInfoAndPolicy & UI) {
+        try {
+            std::string CallToken;
+            Poco::Net::OAuth20Credentials Auth(Request);
+            if (Auth.getScheme() == "Bearer") {
+                CallToken = Auth.getBearerToken();
+            }
+
+            if (CallToken.empty()) {
+                return false;
+            }
+
+            uint64_t                    RevocationDate=0;
+            std::string                 UserId;
+            if(StorageService()->UserTokenDB().GetToken(CallToken, UI.webtoken, UserId, RevocationDate) && UI.webtoken.refresh_token_==RefreshToken) {
+                auto now = Utils::Now();
+
+                //  Create a new token
+                auto NewToken = GenerateTokenHMAC( UI.webtoken.access_token_, CUSTOM);
+                auto NewRefreshToken = RefreshToken;
+                if(now - UI.webtoken.lastRefresh_ < RefreshTokenLifeSpan_) {
+                    NewRefreshToken = GenerateTokenHMAC( UI.webtoken.refresh_token_, CUSTOM);
+                    UI.webtoken.lastRefresh_ = now;
+                }
+
+                StorageService()->UserTokenDB().RefreshToken(CallToken, NewToken, NewRefreshToken, UI.webtoken.lastRefresh_ );
+                UI.webtoken.access_token_ = NewToken;
+                UI.webtoken.refresh_token_ = NewRefreshToken;
+                return true;
+            }
+            return false;
+
+        } catch (...) {
+
+        }
+        return false;
+    }
+
+    bool AuthService::RefreshSubToken(Poco::Net::HTTPServerRequest & Request, const std::string & RefreshToken, SecurityObjects::UserInfoAndPolicy & UI) {
+        try {
+            std::string CallToken;
+            Poco::Net::OAuth20Credentials Auth(Request);
+            if (Auth.getScheme() == "Bearer") {
+                CallToken = Auth.getBearerToken();
+            }
+
+            if (CallToken.empty()) {
+                return false;
+            }
+
+            uint64_t                    RevocationDate=0;
+            std::string                 UserId;
+            if(StorageService()->SubTokenDB().GetToken(CallToken, UI.webtoken, UserId, RevocationDate) && UI.webtoken.refresh_token_==RefreshToken) {
+                auto now = Utils::Now();
+
+                //  Create a new token
+                auto NewToken = GenerateTokenHMAC( UI.webtoken.access_token_, CUSTOM);
+                auto NewRefreshToken = RefreshToken;
+                if(now - UI.webtoken.lastRefresh_ < RefreshTokenLifeSpan_) {
+                    NewRefreshToken = GenerateTokenHMAC( UI.webtoken.refresh_token_, CUSTOM);
+                    UI.webtoken.lastRefresh_ = now;
+                }
+
+                StorageService()->SubTokenDB().RefreshToken(CallToken, NewToken, NewRefreshToken, UI.webtoken.lastRefresh_ );
+                UI.webtoken.access_token_ = NewToken;
+                UI.webtoken.refresh_token_ = NewRefreshToken;
+                return true;
+            }
+            return false;
+
+        } catch (...) {
+
+        }
+        return false;
+    }
+
+    [[nodiscard]] bool AuthService::IsAuthorized(const std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo, std::uint64_t TID, bool & Expired) {
+        // std::lock_guard	Guard(Mutex_);
+        std::string CallToken{SessionToken};
+        Expired = false;
+        try {
+            SecurityObjects::WebToken   WT;
+            uint64_t                    RevocationDate=0;
+            std::string                 UserId;
+            if(StorageService()->UserTokenDB().GetToken(CallToken, WT, UserId, RevocationDate)) {
+                if(RevocationDate!=0) {
+                    poco_debug(Logger(), fmt::format("TokenValidation failed for TID={} Token={}", TID, Utils::SanitizeToken(CallToken)));
+                    return false;
+                }
+                auto now=Utils::Now();
+                Expired = (WT.created_ + WT.expires_in_) < now;
+                if(StorageService()->UserDB().GetUserById(UserId,UInfo.userinfo)) {
+                    UInfo.webtoken = WT;
+                    poco_debug(Logger(), fmt::format("TokenValidation success for TID={} Token={}", TID, Utils::SanitizeToken(CallToken)));
+                    return true;
+                }
+            }
+        } catch(const Poco::Exception &E) {
+            Logger().log(E);
+        }
+        poco_debug(Logger(), fmt::format("TokenValidation failed for TID={} Token={}", TID, Utils::SanitizeToken(CallToken)));
+        return false;
+    }
+
+    bool AuthService::IsAuthorized(Poco::Net::HTTPServerRequest & Request, std::string & SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo, std::uint64_t TID, bool & Expired )
    {
-        if(!Secure_)
-            return true;
-
-        std::lock_guard		Guard(Mutex_);
-
-		std::string CallToken;
+        // std::lock_guard	Guard(Mutex_);
+        std::string CallToken;
+        Expired = false;

 		try {
-			Poco::Net::OAuth20Credentials Auth(Request);
+            Poco::Net::OAuth20Credentials Auth(Request);
+            if (Auth.getScheme() == "Bearer") {
+                CallToken = Auth.getBearerToken();
+            }

-			if (Auth.getScheme() == "Bearer") {
-				CallToken = Auth.getBearerToken();
-			}
-		} catch(const Poco::Exception &E) {
-		}
-
-		if(!CallToken.empty()) {
-		    if(StorageService()->IsTokenRevoked(CallToken))
-		        return false;
-		    auto Client = UserCache_.find(CallToken);
-		    if( Client == UserCache_.end() )
-		        return ValidateToken(CallToken, CallToken, UInfo);
-
-		    if((Client->second.webtoken.created_ + Client->second.webtoken.expires_in_) > time(nullptr)) {
-		        SessionToken = CallToken;
-		        UInfo = Client->second ;
-		        return true;
-		    }
-		    UserCache_.erase(CallToken);
-		    StorageService()->RevokeToken(CallToken);
-		    return false;
-		}
-
-		return false;
+            if (CallToken.empty()) {
+                poco_debug(Logger(), fmt::format("TokenValidation failed for TID={} Token={}", TID, Utils::SanitizeToken(CallToken)));
+                return false;
+            }
+            SessionToken = CallToken;
+            return IsAuthorized(SessionToken, UInfo, TID, Expired);
+        } catch(const Poco::Exception &E) {
+            Logger().log(E);
+        }
+        poco_debug(Logger(), fmt::format("TokenValidation failed for TID={} Token={}", TID, Utils::SanitizeToken(CallToken)));
+        return false;
    }

-    bool AuthService::DeleteUserFromCache(const std::string &UserName) {
-        std::lock_guard		Guard(Mutex_);
+    bool AuthService::IsSubAuthorized(Poco::Net::HTTPServerRequest & Request, std::string & SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo, std::uint64_t TID, bool & Expired )
+    {
+        // std::lock_guard	Guard(Mutex_);

-        for(auto i=UserCache_.begin();i!=UserCache_.end();) {
-            if (i->second.userinfo.email==UserName) {
-                Logout(i->first, false);
-                i = UserCache_.erase(i);
-            } else {
-                ++i;
+        std::string CallToken;
+        Expired = false;
+        try {
+            Poco::Net::OAuth20Credentials Auth(Request);
+            if (Auth.getScheme() == "Bearer") {
+                CallToken = Auth.getBearerToken();
            }
+
+            if(CallToken.empty()) {
+                poco_debug(Logger(), fmt::format("TokenValidation failed for TID={} Token={}", TID, Utils::SanitizeToken(CallToken)));
+                return false;
+            }
+
+            SecurityObjects::WebToken   WT;
+            uint64_t                    RevocationDate=0;
+            std::string                 UserId;
+            if(StorageService()->SubTokenDB().GetToken(CallToken, WT, UserId, RevocationDate)) {
+                if(RevocationDate!=0) {
+                    poco_debug(Logger(), fmt::format("TokenValidation failed for TID={} Token={}", TID, Utils::SanitizeToken(CallToken)));
+                    return false;
+                }
+                auto now=Utils::Now();
+                Expired = (WT.created_ + WT.expires_in_) < now;
+                if(StorageService()->SubDB().GetUserById(UserId,UInfo.userinfo)) {
+                    UInfo.webtoken = WT;
+                    SessionToken = CallToken;
+                    poco_debug(Logger(), fmt::format("TokenValidation success for TID={} Token={}", TID, Utils::SanitizeToken(CallToken)));
+                    return true;
+                }
+            }
+        } catch(const Poco::Exception &E) {
+            Logger().log(E);
        }
-        return true;
+        poco_debug(Logger(), fmt::format("TokenValidation failed for TID={} Token={}", TID, Utils::SanitizeToken(CallToken)));
+        return false;
+    }
+
+    void AuthService::RevokeToken(std::string & Token) {
+        StorageService()->UserTokenDB().RevokeToken(Token);
+    }
+
+    void AuthService::RevokeSubToken(std::string & Token) {
+        StorageService()->SubTokenDB().RevokeToken(Token);
+    }
+
+    bool AuthService::DeleteUserFromCache(const std::string &Id) {
+        return StorageService()->UserTokenDB().DeleteRecordsFromCache("userName",Id);
+    }
+
+    bool AuthService::DeleteSubUserFromCache(const std::string &Id) {
+        return StorageService()->SubTokenDB().DeleteRecordsFromCache("userName",Id);
    }

    bool AuthService::RequiresMFA(const SecurityObjects::UserInfoAndPolicy &UInfo) {
-        return (UInfo.userinfo.userTypeProprietaryInfo.mfa.enabled && MFAServer().MethodEnabled(UInfo.userinfo.userTypeProprietaryInfo.mfa.method));
+        return (UInfo.userinfo.userTypeProprietaryInfo.mfa.enabled && MFAServer::MethodEnabled(UInfo.userinfo.userTypeProprietaryInfo.mfa.method));
    }

    bool AuthService::ValidatePassword(const std::string &Password) {
        return std::regex_match(Password, PasswordValidation_);
    }

-    void AuthService::Logout(const std::string &token, bool EraseFromCache) {
-		std::lock_guard		Guard(Mutex_);
-
-		if(EraseFromCache)
-		    UserCache_.erase(token);
+    bool AuthService::ValidateSubPassword(const std::string &Password) {
+        return std::regex_match(Password, SubPasswordValidation_);
+    }

+    void AuthService::RemoveTokenSystemWide(const std::string &token) {
        try {
-            Poco::JSON::Object Obj;
-            Obj.set("event", "remove-token");
-            Obj.set("id", MicroService::instance().ID());
-            Obj.set("token", token);
-            std::stringstream ResultText;
-            Poco::JSON::Stringifier::stringify(Obj, ResultText);
-            std::string Tmp{token};
-            StorageService()->RevokeToken(Tmp);
-            KafkaManager()->PostMessage(KafkaTopics::SERVICE_EVENTS, MicroService::instance().PrivateEndPoint(), ResultText.str(),
-                                        false);
+            if(KafkaManager()->Enabled()) {
+                Poco::JSON::Object Obj;
+                Obj.set("event", "remove-token");
+                Obj.set("id", MicroServiceID());
+                Obj.set("token", token);
+                std::stringstream ResultText;
+                Poco::JSON::Stringifier::stringify(Obj, ResultText);
+                KafkaManager()->PostMessage(KafkaTopics::SERVICE_EVENTS, MicroServicePrivateEndPoint(),
+                                            ResultText.str(),
+                                            false);
+            }
        } catch (const Poco::Exception &E) {
-            Logger_.log(E);
+            Logger().log(E);
        }
    }

-    [[nodiscard]] std::string AuthService::GenerateTokenHMAC(const std::string & UserName, ACCESS_TYPE Type) {
-        std::string Identity(UserName + ":" + Poco::format("%d",(int)std::time(nullptr)));
+    void AuthService::Logout(const std::string &Token,[[maybe_unused]]  bool EraseFromCache) {
+		std::lock_guard		Guard(Mutex_);
+
+        try {
+            auto tToken{Token};
+            StorageService()->UserTokenDB().DeleteRecord("token",tToken);
+            StorageService()->LoginDB().AddLogout(Token);
+        } catch (const Poco::Exception &E) {
+            Logger().log(E);
+        }
+    }
+
+    void AuthService::SubLogout(const std::string &Token, [[maybe_unused]] bool EraseFromCache) {
+        std::lock_guard		Guard(Mutex_);
+
+        try {
+            auto tToken{Token};
+            StorageService()->SubTokenDB().DeleteRecord("token",tToken);
+            StorageService()->SubLoginDB().AddLogout(Token);
+        } catch (const Poco::Exception &E) {
+            Logger().log(E);
+        }
+    }
+
+    [[nodiscard]] std::string AuthService::GenerateTokenHMAC(const std::string & UserName, [[maybe_unused]] ACCESS_TYPE Type) {
+        std::string Identity(UserName + ":" + fmt::format("{}",Utils::Now()) + ":" + std::to_string(rand()));
        HMAC_.update(Identity);
        return Poco::DigestEngine::digestToHex(HMAC_.digest());
    }
@@ -163,33 +334,11 @@ namespace OpenWifi {
 		T.payload().set("identity", Identity);
 		T.setIssuedAt(Poco::Timestamp());
 		T.setExpiration(Poco::Timestamp() + (long long)TokenAging_);
-		std::string JWT = Signer_.sign(T,Poco::JWT::Signer::ALGO_RS256);
+		std::string JWT = MicroServiceSign(T,Poco::JWT::Signer::ALGO_RS256);

 		return JWT;
    }

-	bool AuthService::ValidateToken(const std::string & Token, std::string & SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo  ) {
-        std::lock_guard		Guard(Mutex_);
-
-		try {
-            auto E = UserCache_.find(SessionToken);
-            if(E == UserCache_.end()) {
-                if(StorageService()->GetToken(SessionToken,UInfo)) {
-                    if(StorageService()->GetUserById(UInfo.userinfo.email,UInfo.userinfo)) {
-                        UserCache_[UInfo.webtoken.access_token_] = UInfo;
-                        return true;
-                    }
-                }
-            } else {
-                UInfo = E->second;
-                return true;
-            }
-		} catch (const Poco::Exception &E ) {
-			Logger_.log(E);
-		}
-		return false;
-	}
-
    void AuthService::CreateToken(const std::string & UserName, SecurityObjects::UserInfoAndPolicy &UInfo)
    {
        std::lock_guard		Guard(Mutex_);
@@ -200,50 +349,170 @@ namespace OpenWifi {
        UInfo.webtoken.expires_in_ = TokenAging_ ;
        UInfo.webtoken.idle_timeout_ = 5 * 60;
        UInfo.webtoken.token_type_ = "Bearer";
-        UInfo.webtoken.access_token_ = GenerateTokenHMAC(UInfo.userinfo.Id,USERNAME);
-        UInfo.webtoken.id_token_ = GenerateTokenHMAC(UInfo.userinfo.Id,USERNAME);
-        UInfo.webtoken.refresh_token_ = GenerateTokenHMAC(UInfo.userinfo.Id,CUSTOM);
+        UInfo.webtoken.access_token_ = GenerateTokenHMAC(UInfo.userinfo.id,USERNAME);
+        UInfo.webtoken.id_token_ = GenerateTokenHMAC(UInfo.userinfo.id,USERNAME);
+        UInfo.webtoken.refresh_token_ = GenerateTokenHMAC(UInfo.userinfo.id,CUSTOM);
        UInfo.webtoken.created_ = time(nullptr);
        UInfo.webtoken.username_ = UserName;
        UInfo.webtoken.errorCode = 0;
        UInfo.webtoken.userMustChangePassword = false;
-        UserCache_[UInfo.webtoken.access_token_] = UInfo;
-        StorageService()->SetLastLogin(UInfo.userinfo.Id);
-        StorageService()->AddToken(UInfo.webtoken.username_, UInfo.webtoken.access_token_,
+        StorageService()->UserDB().SetLastLogin(UInfo.userinfo.id);
+        StorageService()->UserTokenDB().AddToken(UInfo.userinfo.id, UInfo.webtoken.access_token_,
                            UInfo.webtoken.refresh_token_, UInfo.webtoken.token_type_,
                                UInfo.webtoken.expires_in_, UInfo.webtoken.idle_timeout_);
+        StorageService()->LoginDB().AddLogin(UInfo.userinfo.id, UInfo.userinfo.email,UInfo.webtoken.access_token_ );
+    }
+
+    void AuthService::CreateSubToken(const std::string & UserName, SecurityObjects::UserInfoAndPolicy &UInfo)
+    {
+        std::lock_guard		Guard(Mutex_);
+
+        SecurityObjects::AclTemplate	ACL;
+        ACL.PortalLogin_ = ACL.Read_ = ACL.ReadWrite_ = ACL.ReadWriteCreate_ = ACL.Delete_ = true;
+        UInfo.webtoken.acl_template_ = ACL;
+        UInfo.webtoken.expires_in_ = TokenAging_ ;
+        UInfo.webtoken.idle_timeout_ = 5 * 60;
+        UInfo.webtoken.token_type_ = "Bearer";
+        UInfo.webtoken.access_token_ = GenerateTokenHMAC(UInfo.userinfo.id,USERNAME);
+        UInfo.webtoken.id_token_ = GenerateTokenHMAC(UInfo.userinfo.id,USERNAME);
+        UInfo.webtoken.refresh_token_ = GenerateTokenHMAC(UInfo.userinfo.id,CUSTOM);
+        UInfo.webtoken.created_ = time(nullptr);
+        UInfo.webtoken.username_ = UserName;
+        UInfo.webtoken.errorCode = 0;
+        UInfo.webtoken.userMustChangePassword = false;
+        StorageService()->SubDB().SetLastLogin(UInfo.userinfo.id);
+        StorageService()->SubTokenDB().AddToken(UInfo.userinfo.id, UInfo.webtoken.access_token_,
+                                   UInfo.webtoken.refresh_token_, UInfo.webtoken.token_type_,
+                                   UInfo.webtoken.expires_in_, UInfo.webtoken.idle_timeout_);
+        StorageService()->SubLoginDB().AddLogin(UInfo.userinfo.id, UInfo.userinfo.email,UInfo.webtoken.access_token_ );
    }

    bool AuthService::SetPassword(const std::string &NewPassword, SecurityObjects::UserInfo & UInfo) {
-        auto NewPasswordHash = ComputePasswordHash(UInfo.email, NewPassword);
-        for (auto const &i:UInfo.lastPasswords) {
-            if (i == NewPasswordHash) {
-                return false;
+        std::lock_guard     G(Mutex_);
+
+        Poco::toLowerInPlace(UInfo.email);
+        for (const auto &i:UInfo.lastPasswords) {
+            auto Tokens = Poco::StringTokenizer(i,"|");
+            if(Tokens.count()==2) {
+                const auto & Salt = Tokens[0];
+                for(const auto &j:UInfo.lastPasswords) {
+                    auto OldTokens = Poco::StringTokenizer(j,"|");
+                    if(OldTokens.count()==2) {
+                        SHA2_.update(Salt+NewPassword+UInfo.email);
+                        if(OldTokens[1]==Utils::ToHex(SHA2_.digest()))
+                            return false;
+                    }
+                }
+            } else {
+                SHA2_.update(NewPassword+UInfo.email);
+                if(Tokens[0]==Utils::ToHex(SHA2_.digest()))
+                    return false;
            }
        }
+
        if(UInfo.lastPasswords.size()==HowManyOldPassword_) {
            UInfo.lastPasswords.erase(UInfo.lastPasswords.begin());
        }
-        UInfo.lastPasswords.push_back(NewPasswordHash);
-        UInfo.currentPassword = NewPasswordHash;
+
+        auto NewHash = ComputeNewPasswordHash(UInfo.email,NewPassword);
+        UInfo.lastPasswords.push_back(NewHash);
+        UInfo.currentPassword = NewHash;
        UInfo.changePassword = false;
        return true;
    }

-    AuthService::AUTH_ERROR AuthService::Authorize( std::string & UserName, const std::string & Password, const std::string & NewPassword, SecurityObjects::UserInfoAndPolicy & UInfo )
+    bool AuthService::SetSubPassword(const std::string &NewPassword, SecurityObjects::UserInfo & UInfo) {
+        std::lock_guard     G(Mutex_);
+
+        Poco::toLowerInPlace(UInfo.email);
+        for (const auto &i:UInfo.lastPasswords) {
+            auto Tokens = Poco::StringTokenizer(i,"|");
+            if(Tokens.count()==2) {
+                const auto & Salt = Tokens[0];
+                for(const auto &j:UInfo.lastPasswords) {
+                    auto OldTokens = Poco::StringTokenizer(j,"|");
+                    if(OldTokens.count()==2) {
+                        SHA2_.update(Salt+NewPassword+UInfo.email);
+                        if(OldTokens[1]==Utils::ToHex(SHA2_.digest()))
+                            return false;
+                    }
+                }
+            } else {
+                SHA2_.update(NewPassword+UInfo.email);
+                if(Tokens[0]==Utils::ToHex(SHA2_.digest()))
+                    return false;
+            }
+        }
+
+        if(UInfo.lastPasswords.size()==HowManyOldPassword_) {
+            UInfo.lastPasswords.erase(UInfo.lastPasswords.begin());
+        }
+
+        auto NewHash = ComputeNewPasswordHash(UInfo.email,NewPassword);
+        UInfo.lastPasswords.push_back(NewHash);
+        UInfo.currentPassword = NewHash;
+        UInfo.changePassword = false;
+        return true;
+    }
+
+    static std::string GetMeSomeSalt() {
+        auto start = std::chrono::high_resolution_clock::now();
+        return std::to_string(start.time_since_epoch().count());
+    }
+
+    std::string AuthService::ComputeNewPasswordHash(const std::string &UserName, const std::string &Password) {
+        std::string UName = Poco::trim(Poco::toLower(UserName));
+        auto Salt = GetMeSomeSalt();
+        SHA2_.update(Salt + Password + UName );
+        return Salt + "|" + Utils::ToHex(SHA2_.digest());
+    }
+
+    bool AuthService::ValidatePasswordHash(const std::string & UserName, const std::string & Password, const std::string &StoredPassword) {
+        std::lock_guard G(Mutex_);
+
+        std::string UName = Poco::trim(Poco::toLower(UserName));
+        auto Tokens = Poco::StringTokenizer(StoredPassword,"|");
+        if(Tokens.count()==1) {
+            SHA2_.update(Password+UName);
+            if(Tokens[0]==Utils::ToHex(SHA2_.digest()))
+                return true;
+        } else if (Tokens.count()==2) {
+            SHA2_.update(Tokens[0]+Password+UName);
+            if(Tokens[1]==Utils::ToHex(SHA2_.digest()))
+                return true;
+        }
+        return false;
+    }
+
+    bool AuthService::ValidateSubPasswordHash(const std::string & UserName, const std::string & Password, const std::string &StoredPassword) {
+        std::lock_guard G(Mutex_);
+
+        std::string UName = Poco::trim(Poco::toLower(UserName));
+        auto Tokens = Poco::StringTokenizer(StoredPassword,"|");
+        if(Tokens.count()==1) {
+            SHA2_.update(Password+UName);
+            if(Tokens[0]==Utils::ToHex(SHA2_.digest()))
+                return true;
+        } else if (Tokens.count()==2) {
+            SHA2_.update(Tokens[0]+Password+UName);
+            if(Tokens[1]==Utils::ToHex(SHA2_.digest()))
+                return true;
+        }
+        return false;
+    }
+
+    UNAUTHORIZED_REASON AuthService::Authorize( std::string & UserName, const std::string & Password, const std::string & NewPassword, SecurityObjects::UserInfoAndPolicy & UInfo , [[maybe_unused]] bool & Expired )
    {
        std::lock_guard		Guard(Mutex_);
-        SecurityObjects::AclTemplate	ACL;

        Poco::toLowerInPlace(UserName);
-        auto PasswordHash = ComputePasswordHash(UserName, Password);

-        if(StorageService()->GetUserByEmail(UserName,UInfo.userinfo)) {
+        if(StorageService()->UserDB().GetUserByEmail(UserName,UInfo.userinfo)) {
            if(UInfo.userinfo.waitingForEmailCheck) {
                return USERNAME_PENDING_VERIFICATION;
            }

-            if(PasswordHash != UInfo.userinfo.currentPassword) {
+            if(!ValidatePasswordHash(UserName,Password,UInfo.userinfo.currentPassword)) {
                return INVALID_CREDENTIALS;
            }

@@ -261,98 +530,275 @@ namespace OpenWifi {
                    UInfo.webtoken.errorCode = 1;
                    return PASSWORD_ALREADY_USED;
                }
-                UInfo.userinfo.lastPasswordChange = std::time(nullptr);
+                UInfo.userinfo.lastPasswordChange = Utils::Now();
                UInfo.userinfo.changePassword = false;
-                StorageService()->UpdateUserInfo(AUTHENTICATION_SYSTEM, UInfo.userinfo.Id,UInfo.userinfo);
+                UInfo.userinfo.modified = Utils::Now();
+                StorageService()->UserDB().UpdateUserInfo(AUTHENTICATION_SYSTEM, UInfo.userinfo.id,UInfo.userinfo);
            }

            //  so we have a good password, password up date has taken place if need be, now generate the token.
-            UInfo.userinfo.lastLogin=std::time(nullptr);
-            StorageService()->SetLastLogin(UInfo.userinfo.Id);
+            UInfo.userinfo.lastLogin=Utils::Now();
+            StorageService()->UserDB().SetLastLogin(UInfo.userinfo.id);
            CreateToken(UserName, UInfo );
-            return SUCCESS;
-        }

-        if(((UserName == DefaultUserName_) && (DefaultPassword_== ComputePasswordHash(UserName,Password))) || !Secure_)
-        {
-            ACL.PortalLogin_ = ACL.Read_ = ACL.ReadWrite_ = ACL.ReadWriteCreate_ = ACL.Delete_ = true;
-            UInfo.webtoken.acl_template_ = ACL;
-            UInfo.userinfo.email = DefaultUserName_;
-            UInfo.userinfo.currentPassword = DefaultPassword_;
-            UInfo.userinfo.name = DefaultUserName_;
-            UInfo.userinfo.userRole = SecurityObjects::ROOT;
-            CreateToken(UserName, UInfo );
            return SUCCESS;
        }
        return INVALID_CREDENTIALS;
    }

-    std::string AuthService::ComputePasswordHash(const std::string &UserName, const std::string &Password) {
-        std::string UName = Poco::trim(Poco::toLower(UserName));
-        SHA2_.update(Password + UName);
-        return Utils::ToHex(SHA2_.digest());
+    UNAUTHORIZED_REASON AuthService::AuthorizeSub( std::string & UserName, const std::string & Password, const std::string & NewPassword, SecurityObjects::UserInfoAndPolicy & UInfo , [[maybe_unused]] bool & Expired )
+    {
+        std::lock_guard		Guard(Mutex_);
+
+        Poco::toLowerInPlace(UserName);
+
+        if(StorageService()->SubDB().GetUserByEmail(UserName,UInfo.userinfo)) {
+            if(UInfo.userinfo.waitingForEmailCheck) {
+                return USERNAME_PENDING_VERIFICATION;
+            }
+
+            if(!ValidateSubPasswordHash(UserName,Password,UInfo.userinfo.currentPassword)) {
+                return INVALID_CREDENTIALS;
+            }
+
+            if(UInfo.userinfo.changePassword && NewPassword.empty()) {
+                UInfo.webtoken.userMustChangePassword = true ;
+                return PASSWORD_CHANGE_REQUIRED;
+            }
+
+            if(!NewPassword.empty() && !ValidateSubPassword(NewPassword)) {
+                return PASSWORD_INVALID;
+            }
+
+            if(UInfo.userinfo.changePassword || !NewPassword.empty()) {
+                if(!SetSubPassword(NewPassword,UInfo.userinfo)) {
+                    UInfo.webtoken.errorCode = 1;
+                    return PASSWORD_ALREADY_USED;
+                }
+                UInfo.userinfo.lastPasswordChange = Utils::Now();
+                UInfo.userinfo.changePassword = false;
+                UInfo.userinfo.modified = Utils::Now();
+                StorageService()->SubDB().UpdateUserInfo(AUTHENTICATION_SYSTEM, UInfo.userinfo.id,UInfo.userinfo);
+            }
+
+            //  so we have a good password, password update has taken place if need be, now generate the token.
+            UInfo.userinfo.lastLogin=Utils::Now();
+            StorageService()->SubDB().SetLastLogin(UInfo.userinfo.id);
+            CreateSubToken(UserName, UInfo );
+
+            return SUCCESS;
+        }
+
+        return INVALID_CREDENTIALS;
    }

-    bool AuthService::SendEmailToUser(std::string &Email, EMAIL_REASON Reason) {
+    bool AuthService::SendEmailChallengeCode(const SecurityObjects::UserInfoAndPolicy &UInfo, const std::string &Challenge) {
+        auto OperatorParts = Poco::StringTokenizer(UInfo.userinfo.signingUp,":");
+        if(UInfo.userinfo.signingUp.empty() || OperatorParts.count()!=2) {
+            MessageAttributes Attrs;
+            Attrs[RECIPIENT_EMAIL] = UInfo.userinfo.email;
+            Attrs[LOGO] = AuthService::GetLogoAssetURI();
+            Attrs[SUBJECT] = "Login validation code";
+            Attrs[CHALLENGE_CODE] = Challenge;
+            return SMTPMailerService()->SendMessage(UInfo.userinfo.email, MessagingTemplates::TemplateName(MessagingTemplates::VERIFICATION_CODE), Attrs, false);
+        } else {
+            MessageAttributes Attrs;
+            Attrs[RECIPIENT_EMAIL] = UInfo.userinfo.email;
+            Attrs[LOGO] = AuthService::GetSubLogoAssetURI();
+            Attrs[SUBJECT] = "Login validation code";
+            Attrs[CHALLENGE_CODE] = Challenge;
+            return SMTPMailerService()->SendMessage(UInfo.userinfo.email, MessagingTemplates::TemplateName(MessagingTemplates::SUB_VERIFICATION_CODE,OperatorParts[0]), Attrs, true );
+        }
+    }
+
+    bool AuthService::SendEmailToUser(const std::string &LinkId, std::string &Email, MessagingTemplates::EMAIL_REASON Reason) {
        SecurityObjects::UserInfo   UInfo;

-        if(StorageService()->GetUserByEmail(Email,UInfo)) {
+        if(StorageService()->UserDB().GetUserByEmail(Email,UInfo)) {
            switch (Reason) {
-                case FORGOT_PASSWORD: {
-                        MessageAttributes Attrs;

+                case MessagingTemplates::FORGOT_PASSWORD: {
+                        MessageAttributes Attrs;
                        Attrs[RECIPIENT_EMAIL] = UInfo.email;
-                        Attrs[LOGO] = "logo.jpg";
+                        Attrs[LOGO] = GetLogoAssetURI();
                        Attrs[SUBJECT] = "Password reset link";
-                        Attrs[ACTION_LINK] =
-                                MicroService::instance().GetPublicAPIEndPoint() + "/actionLink?action=password_reset&id=" + UInfo.Id ;
-                        SMTPMailerService()->SendMessage(UInfo.email, "password_reset.txt", Attrs);
+                        Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=password_reset&id=" + LinkId ;
+                        Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=password_reset&id=" + LinkId ;
+                        SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::FORGOT_PASSWORD), Attrs, false);
                    }
                    break;

-                case EMAIL_VERIFICATION: {
+                case MessagingTemplates::EMAIL_VERIFICATION: {
                        MessageAttributes Attrs;
-
                        Attrs[RECIPIENT_EMAIL] = UInfo.email;
-                        Attrs[LOGO] = "logo.jpg";
-                        Attrs[SUBJECT] = "EMail Address Verification";
-                        Attrs[ACTION_LINK] =
-                                MicroService::instance().GetPublicAPIEndPoint() + "/actionLink?action=email_verification&id=" + UInfo.Id ;
-                        SMTPMailerService()->SendMessage(UInfo.email, "email_verification.txt", Attrs);
+                        Attrs[LOGO] = GetLogoAssetURI();
+                        Attrs[SUBJECT] = "e-mail Address Verification";
+                        Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=email_verification&id=" + LinkId ;
+                        Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=email_verification&id=" + LinkId ;
+                        SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::EMAIL_VERIFICATION), Attrs, false);
                        UInfo.waitingForEmailCheck = true;
                    }
                    break;

+                case MessagingTemplates::EMAIL_INVITATION: {
+                    MessageAttributes Attrs;
+                    Attrs[RECIPIENT_EMAIL] = UInfo.email;
+                    Attrs[LOGO] = GetLogoAssetURI();
+                    Attrs[SUBJECT] = "e-mail Invitation";
+                    Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=email_invitation&id=" + LinkId ;
+                    Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=email_invitation&id=" + LinkId ;
+                    SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::EMAIL_INVITATION), Attrs, false);
+                    UInfo.waitingForEmailCheck = true;
+                    }
+                    break;
+
                default:
                    break;
            }
+            return true;
+        }
+        return false;
+    }
+
+    bool AuthService::SendEmailToSubUser(const std::string &LinkId, std::string &Email, MessagingTemplates::EMAIL_REASON Reason, const std::string &OperatorName ) {
+        SecurityObjects::UserInfo   UInfo;
+
+        if(StorageService()->SubDB().GetUserByEmail(Email,UInfo)) {
+            switch (Reason) {
+
+                case MessagingTemplates::SUB_FORGOT_PASSWORD: {
+                    MessageAttributes Attrs;
+                    Attrs[RECIPIENT_EMAIL] = UInfo.email;
+                    Attrs[LOGO] = GetSubLogoAssetURI();
+                    Attrs[SUBJECT] = "Password reset link";
+                    Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=sub_password_reset&id=" + LinkId ;
+                    Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=sub_password_reset&id=" + LinkId ;
+                    SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::SUB_FORGOT_PASSWORD, OperatorName), Attrs, true);
+                }
+                break;
+
+                case MessagingTemplates::SUB_EMAIL_VERIFICATION: {
+                    MessageAttributes Attrs;
+                    Attrs[RECIPIENT_EMAIL] = UInfo.email;
+                    Attrs[LOGO] = GetSubLogoAssetURI();
+                    Attrs[SUBJECT] = "e-mail Address Verification";
+                    Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=sub_email_verification&id=" + LinkId ;
+                    Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=sub_email_verification&id=" + LinkId ;
+                    SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::SUB_EMAIL_VERIFICATION, OperatorName), Attrs, true);
+                    UInfo.waitingForEmailCheck = true;
+                }
+                break;
+
+                case MessagingTemplates::SUB_SIGNUP_VERIFICATION: {
+                    MessageAttributes Attrs;
+                    Attrs[RECIPIENT_EMAIL] = UInfo.email;
+                    Attrs[LOGO] = GetSubLogoAssetURI();
+                    Attrs[SUBJECT] = "Signup e-mail Address Verification";
+                    Attrs[ACTION_LINK] = MicroServiceGetPublicAPIEndPoint() + "/actionLink?action=signup_verification&id=" + LinkId ;
+                    Attrs[ACTION_LINK_HTML] = "/api/v1/actionLink?action=signup_verification&id=" + LinkId ;
+                    SMTPMailerService()->SendMessage(UInfo.email, MessagingTemplates::TemplateName(MessagingTemplates::SUB_SIGNUP_VERIFICATION, OperatorName), Attrs, true);
+                    UInfo.waitingForEmailCheck = true;
+                }
+                break;
+
+                default:
+                    break;
+            }
+            return true;
        }
        return false;
    }

    bool AuthService::VerifyEmail(SecurityObjects::UserInfo &UInfo) {
-        MessageAttributes Attrs;
+        SecurityObjects::ActionLink A;

-        Attrs[RECIPIENT_EMAIL] = UInfo.email;
-        Attrs[LOGO] = "logo.jpg";
-        Attrs[SUBJECT] = "EMail Address Verification";
-        Attrs[ACTION_LINK] =
-                MicroService::instance().GetPublicAPIEndPoint() + "/actionLink?action=email_verification&id=" + UInfo.Id ;
-        SMTPMailerService()->SendMessage(UInfo.email, "email_verification.txt", Attrs);
+        A.action = OpenWifi::SecurityObjects::LinkActions::VERIFY_EMAIL;
+        A.userId = UInfo.id;
+        A.id = MicroServiceCreateUUID();
+        A.created = Utils::Now();
+        A.expires = A.created + 24*60*60;
+        A.userAction = true;
+        StorageService()->ActionLinksDB().CreateAction(A);
        UInfo.waitingForEmailCheck = true;
+        UInfo.validated = false;
        return true;
    }

-    bool AuthService::IsValidToken(const std::string &Token, SecurityObjects::WebToken &WebToken, SecurityObjects::UserInfo &UserInfo) {
+    bool AuthService::VerifySubEmail(SecurityObjects::UserInfo &UInfo) {
+        SecurityObjects::ActionLink A;
+
+        A.action = OpenWifi::SecurityObjects::LinkActions::SUB_VERIFY_EMAIL;
+        A.userId = UInfo.id;
+        A.id = MicroServiceCreateUUID();
+        A.created = Utils::Now();
+        A.expires = A.created + 24*60*60;
+        A.userAction = false;
+        StorageService()->ActionLinksDB().CreateAction(A);
+        UInfo.waitingForEmailCheck = true;
+        UInfo.validated = false;
+        return true;
+    }
+
+    bool AuthService::IsValidToken(const std::string &Token, SecurityObjects::WebToken &WebToken, SecurityObjects::UserInfo &UserInfo, bool & Expired) {
+
        std::lock_guard G(Mutex_);
-        auto It = UserCache_.find(Token);
+        Expired = false;

-        if(It==UserCache_.end())
-            return false;
-        WebToken = It->second.webtoken;
-        UserInfo = It->second.userinfo;
-        return true;
+        std::string TToken{Token}, UserId;
+        SecurityObjects::WebToken   WT;
+        uint64_t RevocationDate=0;
+        if(StorageService()->UserTokenDB().GetToken(TToken, WT, UserId, RevocationDate)) {
+            if(RevocationDate!=0)
+                return false;
+            Expired = (WT.created_ + WT.expires_in_) < Utils::Now();
+            if(StorageService()->UserDB().GetUserById(UserId,UserInfo)) {
+                WebToken = WT;
+                return true;
+            }
+        }
+        return false;
    }

+    bool AuthService::IsValidSubToken(const std::string &Token, SecurityObjects::WebToken &WebToken, SecurityObjects::UserInfo &UserInfo, bool & Expired) {
+        std::lock_guard G(Mutex_);
+        Expired = false;
+
+        std::string TToken{Token}, UserId;
+        SecurityObjects::WebToken   WT;
+        uint64_t RevocationDate=0;
+        if(StorageService()->SubTokenDB().GetToken(TToken, WT, UserId, RevocationDate)) {
+            if(RevocationDate!=0)
+                return false;
+            Expired = (WT.created_ + WT.expires_in_) < Utils::Now();
+            if(StorageService()->SubDB().GetUserById(UserId,UserInfo)) {
+                WebToken = WT;
+                return true;
+            }
+        }
+        return false;
+    }
+
+    bool AuthService::IsValidApiKey(const std::string &ApiKey, SecurityObjects::WebToken &WebToken,
+                                    SecurityObjects::UserInfo &UserInfo, bool &Expired, std::uint64_t &expiresOn) {
+
+        std::lock_guard G(Mutex_);
+
+        std::string UserId;
+        SecurityObjects::WebToken   WT;
+        SecurityObjects::ApiKeyEntry    ApiKeyEntry;
+        if(StorageService()->ApiKeyDB().GetRecord("apiKey", ApiKey, ApiKeyEntry)) {
+            expiresOn = ApiKeyEntry.expiresOn;
+            Expired = ApiKeyEntry.expiresOn < Utils::Now();
+            if(Expired)
+                return false;
+            if(StorageService()->UserDB().GetUserById(ApiKeyEntry.userUuid,UserInfo)) {
+                WebToken = WT;
+                ApiKeyEntry.lastUse = Utils::Now();
+                StorageService()->ApiKeyDB().UpdateRecord("id", ApiKeyEntry.id, ApiKeyEntry);
+                return true;
+            }
+        }
+        return false;
+    }

 }  // end of namespace
--- a/src/AuthService.h
+++ b/src/AuthService.h
@@ -6,11 +6,11 @@
 //	Arilia Wireless Inc.
 //

-#ifndef UCENTRAL_UAUTHSERVICE_H
-#define UCENTRAL_UAUTHSERVICE_H
+#pragma once

 #include <regex>

+#include "framework/SubSystemServer.h"
 #include "Poco/JSON/Object.h"
 #include "Poco/Net/HTTPServerRequest.h"
 #include "Poco/Net/HTTPServerResponse.h"
@@ -18,9 +18,13 @@
 #include "Poco/SHA2Engine.h"
 #include "Poco/Crypto/DigestEngine.h"
 #include "Poco/HMACEngine.h"
+#include "Poco/ExpireLRUCache.h"
+
+#include "framework/MicroServiceFuncs.h"
+#include "framework/ow_constants.h"

-#include "framework/MicroService.h"
 #include "RESTObjects/RESTAPI_SecurityObjects.h"
+#include "MessagingTemplates.h"

 namespace OpenWifi{

@@ -35,71 +39,109 @@ namespace OpenWifi{
            CUSTOM
        };

-        enum AUTH_ERROR {
-            SUCCESS,
-            PASSWORD_CHANGE_REQUIRED,
-            INVALID_CREDENTIALS,
-            PASSWORD_ALREADY_USED,
-            USERNAME_PENDING_VERIFICATION,
-            PASSWORD_INVALID,
-            INTERNAL_ERROR
-        };
-
-        enum EMAIL_REASON {
-            FORGOT_PASSWORD,
-            EMAIL_VERIFICATION
-        };
-
        static ACCESS_TYPE IntToAccessType(int C);
        static int AccessTypeToInt(ACCESS_TYPE T);

-        static AuthService *instance() {
-            if (instance_ == nullptr) {
-                instance_ = new AuthService;
-            }
+        static auto instance() {
+            static auto instance_ = new AuthService;
            return instance_;
        }

        int Start() override;
        void Stop() override;

-        [[nodiscard]] bool IsAuthorized(Poco::Net::HTTPServerRequest & Request,std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo );
-        [[nodiscard]] AUTH_ERROR Authorize( std::string & UserName, const std::string & Password, const std::string & NewPassword, SecurityObjects::UserInfoAndPolicy & UInfo );
+        [[nodiscard]] bool IsAuthorized(Poco::Net::HTTPServerRequest & Request,std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo, std::uint64_t TID, bool & Expired);
+        [[nodiscard]] bool IsAuthorized(const std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo, std::uint64_t TID, bool & Expired);
+
+        [[nodiscard]] UNAUTHORIZED_REASON Authorize( std::string & UserName, const std::string & Password, const std::string & NewPassword, SecurityObjects::UserInfoAndPolicy & UInfo, bool & Expired );
        void CreateToken(const std::string & UserName, SecurityObjects::UserInfoAndPolicy &UInfo);
-        [[nodiscard]] bool ValidateToken(const std::string & Token, std::string & SessionToken, SecurityObjects::UserInfoAndPolicy & UserInfo  );
        [[nodiscard]] bool SetPassword(const std::string &Password, SecurityObjects::UserInfo & UInfo);
        [[nodiscard]] const std:: string & PasswordValidationExpression() const { return PasswordValidationStr_;};
        void Logout(const std::string &token, bool EraseFromCache=true);

-        bool ValidatePassword(const std::string &pwd);
+        [[nodiscard]] bool IsSubAuthorized(Poco::Net::HTTPServerRequest & Request,std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo, std::uint64_t TID, bool & Expired);
+        [[nodiscard]] UNAUTHORIZED_REASON AuthorizeSub( std::string & UserName, const std::string & Password, const std::string & NewPassword, SecurityObjects::UserInfoAndPolicy & UInfo, bool & Expired );

-        [[nodiscard]] bool IsValidToken(const std::string &Token, SecurityObjects::WebToken &WebToken, SecurityObjects::UserInfo &UserInfo);
-        [[nodiscard]] bool IsValidAPIKEY(const Poco::Net::HTTPServerRequest &Request);
+        void CreateSubToken(const std::string & UserName, SecurityObjects::UserInfoAndPolicy &UInfo);
+        [[nodiscard]] bool SetSubPassword(const std::string &Password, SecurityObjects::UserInfo & UInfo);
+        [[nodiscard]] const std:: string & SubPasswordValidationExpression() const { return PasswordValidationStr_;};
+        void SubLogout(const std::string &token, bool EraseFromCache=true);
+
+        void RemoveTokenSystemWide(const std::string &token);
+
+        bool ValidatePassword(const std::string &pwd);
+        bool ValidateSubPassword(const std::string &pwd);
+
+        [[nodiscard]] bool IsValidToken(const std::string &Token, SecurityObjects::WebToken &WebToken, SecurityObjects::UserInfo &UserInfo, bool & Expired);
+        [[nodiscard]] bool IsValidSubToken(const std::string &Token, SecurityObjects::WebToken &WebToken, SecurityObjects::UserInfo &UserInfo, bool & Expired);
        [[nodiscard]] std::string GenerateTokenJWT(const std::string & UserName, ACCESS_TYPE Type);
        [[nodiscard]] std::string GenerateTokenHMAC(const std::string & UserName, ACCESS_TYPE Type);
-        [[nodiscard]] bool ValidateToken(const std::string & Token, std::string & SessionToken, SecurityObjects::WebToken & UserInfo  );
-        [[nodiscard]] std::string ComputePasswordHash(const std::string &UserName, const std::string &Password);
+
+        [[nodiscard]] bool IsValidApiKey(const std::string &ApiKey, SecurityObjects::WebToken &WebToken, SecurityObjects::UserInfo &UserInfo, bool & Expired, std::uint64_t & expiresOn);
+        [[nodiscard]] std::string ComputeNewPasswordHash(const std::string &UserName, const std::string &Password);
+        [[nodiscard]] bool ValidatePasswordHash(const std::string & UserName, const std::string & Password, const std::string &StoredPassword);
+        [[nodiscard]] bool ValidateSubPasswordHash(const std::string & UserName, const std::string & Password, const std::string &StoredPassword);
+
        [[nodiscard]] bool UpdatePassword(const std::string &Admin, const std::string &UserName, const std::string & OldPassword, const std::string &NewPassword);
        [[nodiscard]] std::string ResetPassword(const std::string &Admin, const std::string &UserName);

+        [[nodiscard]] bool UpdateSubPassword(const std::string &Admin, const std::string &UserName, const std::string & OldPassword, const std::string &NewPassword);
+        [[nodiscard]] std::string ResetSubPassword(const std::string &Admin, const std::string &UserName);
+
        [[nodiscard]] static bool VerifyEmail(SecurityObjects::UserInfo &UInfo);
-        [[nodiscard]] static bool SendEmailToUser(std::string &Email, EMAIL_REASON Reason);
-        [[nodiscard]] bool DeleteUserFromCache(const std::string &UserName);
+        [[nodiscard]] static bool VerifySubEmail(SecurityObjects::UserInfo &UInfo);
+
+        [[nodiscard]] static bool SendEmailToUser(const std::string &LinkId, std::string &Email, MessagingTemplates::EMAIL_REASON Reason);
+        [[nodiscard]] static bool SendEmailToSubUser(const std::string &LinkId, std::string &Email, MessagingTemplates::EMAIL_REASON Reason, const std::string &OperatorName);
        [[nodiscard]] bool RequiresMFA(const SecurityObjects::UserInfoAndPolicy &UInfo);

+        [[nodiscard]] bool SendEmailChallengeCode(const SecurityObjects::UserInfoAndPolicy &UInfo, const std::string &code);
+
+        bool DeleteUserFromCache(const std::string &UserName);
+        bool DeleteSubUserFromCache(const std::string &UserName);
+        void RevokeToken(std::string & Token);
+        void RevokeSubToken(std::string & Token);
+
+        [[nodiscard]] static inline const std::string GetLogoAssetURI() {
+            return MicroServicePublicEndPoint() + "/wwwassets/logo.png";
+        }
+
+        [[nodiscard]] static inline const std::string GetLogoAssetFileName() {
+            return MicroServiceWWWAssetsDir() + "/logo.png";
+        }
+
+        [[nodiscard]] static inline const std::string GetSubLogoAssetURI() {
+            return MicroServicePublicEndPoint() + "/wwwassets/sub_logo.png";
+        }
+
+        [[nodiscard]] static inline const std::string GetSubLogoAssetFileName() {
+            return MicroServiceWWWAssetsDir() + "/sub_logo.png";
+        }
+
+        inline const std::string & GetPasswordPolicy() const { return PasswordPolicy_; }
+        inline const std::string & GetAccessPolicy() const { return AccessPolicy_; }
+
+        inline const std::string & GetSubPasswordPolicy() const { return SubPasswordPolicy_; }
+        inline const std::string & GetSubAccessPolicy() const { return SubAccessPolicy_; }
+
+        bool RefreshUserToken(Poco::Net::HTTPServerRequest & Request, const std::string & RefreshToken, SecurityObjects::UserInfoAndPolicy & UI);
+        bool RefreshSubToken(Poco::Net::HTTPServerRequest & Request, const std::string & RefreshToken, SecurityObjects::UserInfoAndPolicy & UI);
+
    private:
-		static AuthService *instance_;
-		bool    			Secure_ = false ;
-		std::string     	DefaultUserName_;
-		std::string			DefaultPassword_;
-		std::string     	Mechanism_;
-		Poco::JWT::Signer	Signer_;
 		Poco::SHA2Engine	SHA2_;
-		SecurityObjects::UserInfoCache UserCache_;
-        std::string          PasswordValidationStr_;
-		std::regex          PasswordValidation_;
-		uint64_t            TokenAging_ = 30 * 24 * 60 * 60;
+
+		std::string         AccessPolicy_;
+		std::string         PasswordPolicy_;
+		std::string         SubAccessPolicy_;
+		std::string         SubPasswordPolicy_;
+		std::string         PasswordValidationStr_;
+        std::string         SubPasswordValidationStr_;
+        std::regex          PasswordValidation_;
+        std::regex          SubPasswordValidation_;
+
+        uint64_t            TokenAging_ = 15 * 24 * 60 * 60;
        uint64_t            HowManyOldPassword_=5;
+        uint64_t            RefreshTokenLifeSpan_ = 90 * 24 * 60 * 60 ;

        class SHA256Engine : public Poco::Crypto::DigestEngine
                {
@@ -125,12 +167,14 @@ namespace OpenWifi{
        }
    };

-    inline AuthService * AuthService() { return AuthService::instance(); }
+    inline auto AuthService() { return AuthService::instance(); }

-    [[nodiscard]] inline bool AuthServiceIsAuthorized(Poco::Net::HTTPServerRequest & Request,std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo ) {
-        return AuthService()->IsAuthorized(Request, SessionToken, UInfo );
+    [[nodiscard]] inline bool AuthServiceIsAuthorized(Poco::Net::HTTPServerRequest & Request,std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo , std::uint64_t TID, bool & Expired, bool Sub ) {
+        if(Sub)
+            return AuthService()->IsSubAuthorized(Request, SessionToken, UInfo, TID, Expired );
+        else
+            return AuthService()->IsAuthorized(Request, SessionToken, UInfo, TID, Expired );
    }

 } // end of namespace

-#endif //UCENTRAL_UAUTHSERVICE_H
--- a/src/Daemon.cpp
+++ b/src/Daemon.cpp
@@ -10,8 +10,6 @@
 //	Arilia Wireless Inc.
 //

-#include <cstdlib>
-#include <boost/algorithm/string.hpp>

 #include "Poco/Util/Application.h"
 #include "Poco/Util/Option.h"
@@ -20,16 +18,16 @@
 #include "Daemon.h"

 #include <aws/core/Aws.h>
-#include <aws/s3/model/CreateBucketRequest.h>
-#include <aws/s3/model/PutObjectRequest.h>
 #include <aws/s3/model/AccessControlPolicy.h>
-#include <aws/s3/model/PutBucketAclRequest.h>
-#include <aws/s3/model/GetBucketAclRequest.h>

 #include "StorageService.h"
 #include "SMTPMailerService.h"
 #include "AuthService.h"
 #include "SMSSender.h"
+#include "ActionLinkManager.h"
+#include "TotpCache.h"
+#include "framework/RESTAPI_RateLimiter.h"
+#include "framework/UI_WebSocketClientServer.h"

 namespace OpenWifi {
    class Daemon *Daemon::instance_ = nullptr;
@@ -44,21 +42,23 @@ namespace OpenWifi {
                                   SubSystemVec{
                                           StorageService(),
                                           SMSSender(),
+                                           ActionLinkManager(),
                                           SMTPMailerService(),
-                                           AuthService()
+                                           RESTAPI_RateLimiter(),
+                                           TotpCache(),
+                                           AuthService(),
+                                           UI_WebSocketClientServer()
                                   });
        }
        return instance_;
    }

-    void Daemon::initialize() {
+    void Daemon::PostInitialization([[maybe_unused]] Poco::Util::Application &self) {
        AssetDir_ = MicroService::instance().ConfigPath("openwifi.restapi.wwwassets");
-        AccessPolicy_ = MicroService::instance().ConfigGetString("openwifi.document.policy.access", "/wwwassets/access_policy.html");
-        PasswordPolicy_ = MicroService::instance().ConfigGetString("openwifi.document.policy.password", "/wwwassets/password_policy.html");
    }

-    void MicroServicePostInitialization() {
-        Daemon()->initialize();
+    void DaemonPostInitialization(Poco::Util::Application &self) {
+        Daemon()->PostInitialization(self);
    }
 }

--- a/src/Daemon.h
+++ b/src/Daemon.h
@@ -2,14 +2,16 @@
 // Created by stephane bourque on 2021-06-10.
 //

-#ifndef UCENTRALSEC_DAEMON_H
-#define UCENTRALSEC_DAEMON_H
+#pragma once

 #include <iostream>
 #include <cstdlib>
 #include <vector>
 #include <set>

+#include "framework/MicroServiceNames.h"
+#include "framework/MicroService.h"
+
 #include "Poco/Util/Application.h"
 #include "Poco/Util/ServerApplication.h"
 #include "Poco/Util/Option.h"
@@ -20,16 +22,14 @@
 #include "Poco/Crypto/CipherFactory.h"
 #include "Poco/Crypto/Cipher.h"

-#include "framework/OpenWifiTypes.h"
-#include "framework/MicroService.h"

 namespace OpenWifi {

-    static const char * vDAEMON_PROPERTIES_FILENAME = "owsec.properties";
-    static const char * vDAEMON_ROOT_ENV_VAR = "OWSEC_ROOT";
-    static const char * vDAEMON_CONFIG_ENV_VAR = "OWSEC_CONFIG";
-    static const char * vDAEMON_APP_NAME = uSERVICE_SECURITY.c_str();
-    static const uint64_t vDAEMON_BUS_TIMER = 5000;
+    [[maybe_unused]] static const char * vDAEMON_PROPERTIES_FILENAME = "owsec.properties";
+    [[maybe_unused]] static const char * vDAEMON_ROOT_ENV_VAR = "OWSEC_ROOT";
+    [[maybe_unused]] static const char * vDAEMON_CONFIG_ENV_VAR = "OWSEC_CONFIG";
+    [[maybe_unused]] static const char * vDAEMON_APP_NAME = uSERVICE_SECURITY.c_str();
+    [[maybe_unused]] static const uint64_t vDAEMON_BUS_TIMER = 5000;

    class Daemon : public MicroService {
    public:
@@ -41,19 +41,15 @@ namespace OpenWifi {
                        const SubSystemVec & SubSystems) :
                MicroService( PropFile, RootEnv, ConfigEnv, AppName, BusTimer, SubSystems) {};

-        void initialize();
+        void PostInitialization(Poco::Util::Application &self);
        static Daemon *instance();
        inline const std::string & AssetDir() { return AssetDir_; }
-        inline const std::string & GetPasswordPolicy() const { return PasswordPolicy_; }
-        inline const std::string & GetAccessPolicy() const { return AccessPolicy_; }
    private:
        static Daemon 		*instance_;
        std::string         AssetDir_;
-        std::string         PasswordPolicy_;
-        std::string         AccessPolicy_;
    };

    inline Daemon * Daemon() { return Daemon::instance(); }
+    void DaemonPostInitialization(Poco::Util::Application &self);
 }

-#endif //UCENTRALSEC_DAEMON_H
--- a/src/MFAServer.cpp
+++ b/src/MFAServer.cpp
@@ -5,12 +5,14 @@
 #include "MFAServer.h"
 #include "SMSSender.h"
 #include "SMTPMailerService.h"
-#include "framework/MicroService.h"
+#include "AuthService.h"
+#include "TotpCache.h"
+
+#include "framework/MicroServiceFuncs.h"
+#include "framework/utils.h"

 namespace OpenWifi {

-    class MFAServer * MFAServer::instance_ = nullptr;
-
    int MFAServer::Start() {
        return 0;
    }
@@ -27,11 +29,12 @@ namespace OpenWifi {
            return false;

        std::string Challenge = MakeChallenge();
-        std::string uuid = MicroService::instance().CreateUUID();
-        uint64_t Created = std::time(nullptr);
+        std::string uuid = MicroServiceCreateUUID();
+        uint64_t Created = Utils::Now();

        ChallengeStart.set("uuid",uuid);
        ChallengeStart.set("created", Created);
+        ChallengeStart.set("question", "mfa challenge");
        ChallengeStart.set("method", UInfo.userinfo.userTypeProprietaryInfo.mfa.method);

        Cache_[uuid] = MFACacheEntry{ .UInfo = UInfo, .Answer=Challenge, .Created=Created, .Method=UInfo.userinfo.userTypeProprietaryInfo.mfa.method };
@@ -39,18 +42,13 @@ namespace OpenWifi {
    }

    bool MFAServer::SendChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo, const std::string &Method, const std::string &Challenge) {
-        if(Method=="sms" && SMSSender()->Enabled() && !UInfo.userinfo.userTypeProprietaryInfo.mobiles.empty()) {
+        if(Method==MFAMETHODS::SMS && SMSSender()->Enabled() && !UInfo.userinfo.userTypeProprietaryInfo.mobiles.empty()) {
            std::string Message = "This is your login code: " + Challenge + " Please enter this in your login screen.";
            return SMSSender()->Send(UInfo.userinfo.userTypeProprietaryInfo.mobiles[0].number, Message);
-        }
-
-        if(Method=="email" && SMTPMailerService()->Enabled() && !UInfo.userinfo.email.empty()) {
-            MessageAttributes Attrs;
-            Attrs[RECIPIENT_EMAIL] = UInfo.userinfo.email;
-            Attrs[LOGO] = "logo.jpg";
-            Attrs[SUBJECT] = "Login validation code";
-            Attrs[CHALLENGE_CODE] = Challenge;
-            return SMTPMailerService()->SendMessage(UInfo.userinfo.email, "verification_code.txt", Attrs);
+        } else if(Method==MFAMETHODS::EMAIL && SMTPMailerService()->Enabled() && !UInfo.userinfo.email.empty()) {
+            return AuthService()->SendEmailChallengeCode(UInfo,Challenge);
+        } else if(Method==MFAMETHODS::AUTHENTICATOR && !UInfo.userinfo.userTypeProprietaryInfo.authenticatorSecret.empty()) {
+            return true;
        }

        return false;
@@ -64,7 +62,7 @@ namespace OpenWifi {
        return SendChallenge(Hint->second.UInfo, Hint->second.Method, Hint->second.Answer);
    }

-    bool MFAServer::CompleteMFAChallenge(Poco::JSON::Object::Ptr &ChallengeResponse, SecurityObjects::UserInfoAndPolicy &UInfo) {
+    bool MFAServer::CompleteMFAChallenge(const Poco::JSON::Object::Ptr &ChallengeResponse, SecurityObjects::UserInfoAndPolicy &UInfo) {
        std::lock_guard G(Mutex_);

        if(!ChallengeResponse->has("uuid") || !ChallengeResponse->has("answer"))
@@ -72,11 +70,17 @@ namespace OpenWifi {

        auto uuid = ChallengeResponse->get("uuid").toString();
        auto Hint = Cache_.find(uuid);
-        if(Hint == end(Cache_))
+        if(Hint == end(Cache_)) {
            return false;
+        }

        auto answer = ChallengeResponse->get("answer").toString();
-        if(Hint->second.Answer!=answer) {
+        std::string Expecting;
+        if(Hint->second.Method==MFAMETHODS::AUTHENTICATOR) {
+            if(!TotpCache()->ValidateCode(Hint->second.UInfo.userinfo.userTypeProprietaryInfo.authenticatorSecret,answer, Expecting)) {
+                return false;
+            }
+        } else if(Hint->second.Answer!=answer) {
            return false;
        }

@@ -86,18 +90,21 @@ namespace OpenWifi {
    }

    bool MFAServer::MethodEnabled(const std::string &Method) {
-        if(Method=="sms")
+        if(Method==MFAMETHODS::SMS)
            return SMSSender()->Enabled();

-        if(Method=="email")
+        if(Method==MFAMETHODS::EMAIL)
            return SMTPMailerService()->Enabled();

+        if(Method==MFAMETHODS::AUTHENTICATOR)
+            return true;
+
        return false;
    }

    void MFAServer::CleanCache() {
        // it is assumed that you have locked Cache_ at this point.
-        uint64_t Now = std::time(nullptr);
+        uint64_t Now = Utils::Now();
        for(auto i=begin(Cache_);i!=end(Cache_);) {
            if((Now-i->second.Created)>300) {
                i = Cache_.erase(i);
--- a/src/MFAServer.h
+++ b/src/MFAServer.h
@@ -2,14 +2,27 @@
 // Created by stephane bourque on 2021-10-11.
 //

-#ifndef OWSEC_MFASERVER_H
-#define OWSEC_MFASERVER_H
+#pragma once

-#include "framework/MicroService.h"
 #include "Poco/JSON/Object.h"
 #include "RESTObjects/RESTAPI_SecurityObjects.h"
+#include "framework/SubSystemServer.h"
+#include "framework/MicroServiceFuncs.h"
+
+#include "fmt/format.h"

 namespace OpenWifi {
+
+    namespace MFAMETHODS {
+        inline const static std::string SMS{"sms"};
+        inline const static std::string EMAIL{"email"};
+        inline const static std::string AUTHENTICATOR{"authenticator"};
+        inline const static std::vector<std::string> Methods{ SMS, EMAIL, AUTHENTICATOR };
+        inline bool Validate(const std::string &M) {
+            return std::find(cbegin(Methods), cend(Methods),M)!=Methods.end();
+        }
+    }
+
    struct MFACacheEntry {
        SecurityObjects::UserInfoAndPolicy  UInfo;
        std::string                         Answer;
@@ -17,31 +30,29 @@ namespace OpenWifi {
        std::string                         Method;
    };

+
    typedef std::map<std::string,MFACacheEntry>     MFAChallengeCache;

    class MFAServer : public SubSystemServer{
    public:
        int Start() override;
        void Stop() override;
-        static MFAServer *instance() {
-            if (instance_ == nullptr) {
-                instance_ = new MFAServer;
-            }
+        static auto instance() {
+            static auto instance_ = new MFAServer;
            return instance_;
        }

        bool StartMFAChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo, Poco::JSON::Object &Challenge);
-        bool CompleteMFAChallenge(Poco::JSON::Object::Ptr &ChallengeResponse, SecurityObjects::UserInfoAndPolicy &UInfo);
-        bool MethodEnabled(const std::string &Method);
+        bool CompleteMFAChallenge(const Poco::JSON::Object::Ptr &ChallengeResponse, SecurityObjects::UserInfoAndPolicy &UInfo);
+        static bool MethodEnabled(const std::string &Method);
        bool ResendCode(const std::string &uuid);
-        bool SendChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo, const std::string &Method, const std::string &Challenge);
+        static bool SendChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo, const std::string &Method, const std::string &Challenge);

        static inline std::string MakeChallenge() {
-            return std::to_string(rand() % 999999);
+            return fmt::format("{0:06}" , MicroServiceRandom(1,999999) );
        }

    private:
-        static MFAServer *  instance_;
        MFAChallengeCache   Cache_;
        MFAServer() noexcept:
            SubSystemServer("MFServer", "MFA-SVR", "mfa")
@@ -51,7 +62,6 @@ namespace OpenWifi {
        void CleanCache();
    };

-    inline MFAServer & MFAServer() { return *MFAServer::instance(); }
+    inline auto MFAServer() { return MFAServer::instance(); }
 }

-#endif //OWSEC_MFASERVER_H
--- a/src/MessagingTemplates.cpp
+++ b/src/MessagingTemplates.cpp
@@ -0,0 +1,8 @@
+//
+// Created by stephane bourque on 2022-07-25.
+//
+
+#include "MessagingTemplates.h"
+
+namespace OpenWifi {
+} // OpenWifi
--- a/src/MessagingTemplates.h
+++ b/src/MessagingTemplates.h
@@ -0,0 +1,75 @@
+//
+// Created by stephane bourque on 2022-07-25.
+//
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+namespace OpenWifi {
+
+    class MessagingTemplates {
+    public:
+        static MessagingTemplates & instance() {
+            static auto instance = new MessagingTemplates;
+            return *instance;
+        }
+
+        enum EMAIL_REASON {
+            FORGOT_PASSWORD = 0,
+            EMAIL_VERIFICATION,
+            SUB_SIGNUP_VERIFICATION,
+            EMAIL_INVITATION,
+            VERIFICATION_CODE,
+            SUB_FORGOT_PASSWORD,
+            SUB_EMAIL_VERIFICATION,
+            SUB_VERIFICATION_CODE
+        };
+
+        static std::string AddOperator(const std::string & filename, const std::string &OperatorName) {
+            if(OperatorName.empty())
+                return "/" + filename;
+            return "/" + OperatorName + "/" + filename;
+        }
+
+        static std::string TemplateName( EMAIL_REASON r , const std::string &OperatorName="") {
+            switch (r) {
+                case FORGOT_PASSWORD: return AddOperator(EmailTemplateNames[FORGOT_PASSWORD],OperatorName);
+                case EMAIL_VERIFICATION: return AddOperator(EmailTemplateNames[EMAIL_VERIFICATION],OperatorName);
+                case SUB_SIGNUP_VERIFICATION: return AddOperator(EmailTemplateNames[SUB_SIGNUP_VERIFICATION],OperatorName);
+                case EMAIL_INVITATION: return AddOperator(EmailTemplateNames[EMAIL_INVITATION],OperatorName);
+                case VERIFICATION_CODE: return AddOperator(EmailTemplateNames[VERIFICATION_CODE],OperatorName);
+                case SUB_FORGOT_PASSWORD: return AddOperator(EmailTemplateNames[SUB_FORGOT_PASSWORD],OperatorName);
+                case SUB_EMAIL_VERIFICATION: return AddOperator(EmailTemplateNames[SUB_EMAIL_VERIFICATION],OperatorName);
+                case SUB_VERIFICATION_CODE: return AddOperator(EmailTemplateNames[SUB_VERIFICATION_CODE],OperatorName);
+                default:
+                    return "";
+            }
+        }
+
+        static std::string Logo(const std::string &OperatorName = "" ) {
+            return AddOperator("logo.png", OperatorName);
+        }
+
+        static std::string SubLogo(const std::string &OperatorName = "" ) {
+            return AddOperator("sub_logo.png", OperatorName);
+        }
+
+    private:
+        inline const static std::vector<std::string>  EmailTemplateNames = {
+                "password_reset",
+                "email_verification",
+                "sub_signup_verification",
+                "email_invitation",
+                "verification_code",
+                "sub_password_reset",
+                "sub_email_verification",
+                "sub_verification_code"
+        };
+    };
+
+    inline MessagingTemplates & MessagingTemplates() { return MessagingTemplates::instance(); }
+
+} // OpenWifi
+
--- a/src/RESTAPI/RESTAPI_action_links.cpp
+++ b/src/RESTAPI/RESTAPI_action_links.cpp
@@ -7,50 +7,87 @@

 #include "RESTAPI_action_links.h"
 #include "StorageService.h"
-#include "framework/MicroService.h"
+#include "framework/RESTAPI_PartHandler.h"
+#include "framework/OpenAPIRequests.h"
+
 #include "Daemon.h"

 namespace OpenWifi {
+
    void RESTAPI_action_links::DoGet() {

        auto Action = GetParameter("action","");
        auto Id = GetParameter("id","");

+        SecurityObjects::ActionLink Link;
+        if(!StorageService()->ActionLinksDB().GetActionLink(Id,Link))
+            return DoReturnA404();
+
        if(Action=="password_reset")
-            return RequestResetPassword(Id);
+            return RequestResetPassword(Link);
+        else if(Action=="sub_password_reset")
+            return RequestSubResetPassword(Link);
        else if(Action=="email_verification")
-            return DoEmailVerification(Id);
+            return DoEmailVerification(Link);
+        else if(Action=="sub_email_verification")
+            return DoSubEmailVerification(Link);
+        else if(Action=="signup_verification")
+            return DoNewSubVerification(Link);
        else
            return DoReturnA404();
    }

    void RESTAPI_action_links::DoPost() {
        auto Action = GetParameter("action","");
-        auto Id = GetParameter("id","");

-        Logger_.information(Poco::format("COMPLETE-PASSWORD-RESET(%s): For ID=%s", Request->clientAddress().toString(), Id));
        if(Action=="password_reset")
-            CompleteResetPassword(Id);
+            return CompleteResetPassword();
+        else if(Action=="sub_password_reset")
+            return CompleteResetPassword();
+        else if(Action=="signup_completion")
+            return CompleteSubVerification();
+        else if(Action=="email_invitation")
+            return CompleteEmailInvitation();
        else
-            DoReturnA404();
+            return DoReturnA404();
    }

-    void RESTAPI_action_links::RequestResetPassword(std::string &Id) {
-        Logger_.information(Poco::format("REQUEST-PASSWORD-RESET(%s): For ID=%s", Request->clientAddress().toString(), Id));
+    void RESTAPI_action_links::RequestResetPassword(SecurityObjects::ActionLink &Link) {
+        Logger_.information(fmt::format("REQUEST-PASSWORD-RESET({}): For ID={}", Request->clientAddress().toString(), Link.userId));
        Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset.html"};
-        Types::StringPairVec    FormVars{ {"UUID", Id},
+        Types::StringPairVec    FormVars{ {"UUID", Link.id},
                                          {"PASSWORD_VALIDATION", AuthService()->PasswordValidationExpression()}};
        SendHTMLFileBack(FormFile,FormVars);
    }

-    void RESTAPI_action_links::CompleteResetPassword(std::string &Id) {
+    void RESTAPI_action_links::DoNewSubVerification(SecurityObjects::ActionLink &Link) {
+        Logger_.information(fmt::format("REQUEST-SUB-SIGNUP({}): For ID={}", Request->clientAddress().toString(), Link.userId));
+        Poco::File  FormFile{ Daemon()->AssetDir() + "/sub_signup_verification.html"};
+        Types::StringPairVec    FormVars{ {"UUID", Link.id},
+                                          {"PASSWORD_VALIDATION", AuthService()->PasswordValidationExpression()}};
+        SendHTMLFileBack(FormFile,FormVars);
+    }
+
+    void RESTAPI_action_links::CompleteResetPassword() {
        //  form has been posted...
        RESTAPI_PartHandler PartHandler;
        Poco::Net::HTMLForm Form(*Request, Request->stream(), PartHandler);
        if (!Form.empty()) {
+
            auto Password1 = Form.get("password1","bla");
-            auto Password2 = Form.get("password1","blu");
-            Id = Form.get("id","");
+            auto Password2 = Form.get("password2","blu");
+            auto Id = Form.get("id","");
+            auto now = OpenWifi::Now();
+
+            SecurityObjects::ActionLink Link;
+            if(!StorageService()->ActionLinksDB().GetActionLink(Id,Link))
+                return DoReturnA404();
+
+            if(now > Link.expires) {
+                StorageService()->ActionLinksDB().CancelAction(Id);
+                return DoReturnA404();
+            }
+
            if(Password1!=Password2 || !AuthService()->ValidatePassword(Password2) || !AuthService()->ValidatePassword(Password1)) {
                Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_error.html"};
                Types::StringPairVec    FormVars{ {"UUID", Id},
@@ -62,7 +99,9 @@ namespace OpenWifi {
            }

            SecurityObjects::UserInfo   UInfo;
-            if(!StorageService()->GetUserById(Id,UInfo)) {
+
+            bool Found = Link.userAction ? StorageService()->UserDB().GetUserById(Link.userId,UInfo) : StorageService()->SubDB().GetUserById(Link.userId,UInfo);
+            if(!Found) {
                Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_error.html"};
                Types::StringPairVec    FormVars{ {"UUID", Id},
                                                  {"ERROR_TEXT", "This request does not contain a valid user ID. Please contact your system administrator."}};
@@ -76,43 +115,156 @@ namespace OpenWifi {
                return SendHTMLFileBack(FormFile,FormVars);
            }

-            if(!AuthService()->SetPassword(Password1,UInfo)) {
+            bool GoodPassword = Link.userAction ? AuthService()->SetPassword(Password1,UInfo) : AuthService()->SetSubPassword(Password1,UInfo);
+            if(!GoodPassword) {
                Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_error.html"};
                Types::StringPairVec    FormVars{ {"UUID", Id},
                                                  {"ERROR_TEXT", "You cannot reuse one of your recent passwords."}};
                return SendHTMLFileBack(FormFile,FormVars);
            }
-            StorageService()->UpdateUserInfo(UInfo.email,Id,UInfo);
+
+            UInfo.modified = OpenWifi::Now();
+            if(Link.userAction)
+                StorageService()->UserDB().UpdateUserInfo(UInfo.email,Link.userId,UInfo);
+            else
+                StorageService()->SubDB().UpdateUserInfo(UInfo.email,Link.userId,UInfo);
+
            Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_success.html"};
            Types::StringPairVec    FormVars{ {"UUID", Id},
                                              {"USERNAME", UInfo.email},
                                              {"ACTION_LINK",MicroService::instance().GetUIURI()}};
+            StorageService()->ActionLinksDB().CompleteAction(Id);
            SendHTMLFileBack(FormFile,FormVars);
        } else {
            DoReturnA404();
        }
    }

-    void RESTAPI_action_links::DoEmailVerification(std::string &Id) {
-        SecurityObjects::UserInfo UInfo;
+    void RESTAPI_action_links::CompleteSubVerification() {
+        RESTAPI_PartHandler PartHandler;
+        Poco::Net::HTMLForm Form(*Request, Request->stream(), PartHandler);

-        Logger_.information(Poco::format("EMAIL-VERIFICATION(%s): For ID=%s", Request->clientAddress().toString(), Id));
-        if (!StorageService()->GetUserById(Id, UInfo)) {
-            Types::StringPairVec FormVars{{"UUID",       Id},
+        if (!Form.empty()) {
+            auto Password1 = Form.get("password1","bla");
+            auto Password2 = Form.get("password2","blu");
+            auto Id = Form.get("id","");
+            auto now = OpenWifi::Now();
+
+            SecurityObjects::ActionLink Link;
+            if(!StorageService()->ActionLinksDB().GetActionLink(Id,Link)) {
+                return DoReturnA404();
+            }
+
+            if(now > Link.expires) {
+                StorageService()->ActionLinksDB().CancelAction(Id);
+                return DoReturnA404();
+            }
+
+            if(Password1!=Password2 || !AuthService()->ValidateSubPassword(Password1)) {
+                Poco::File  FormFile{ Daemon()->AssetDir() + "/sub_password_reset_error.html"};
+                Types::StringPairVec    FormVars{ {"UUID", Id},
+                                                  {"ERROR_TEXT", "For some reason, the passwords entered do not match or they do not comply with"
+                                                                 " accepted password creation restrictions. Please consult our on-line help"
+                                                                 " to look at the our password policy. If you would like to contact us, please mention"
+                                                                 " id(" + Id + ")"}};
+                return SendHTMLFileBack(FormFile,FormVars);
+            }
+
+            SecurityObjects::UserInfo   UInfo;
+            bool Found = StorageService()->SubDB().GetUserById(Link.userId,UInfo);
+            if(!Found) {
+                Poco::File  FormFile{ Daemon()->AssetDir() + "/sub_signup_verification_error.html"};
+                Types::StringPairVec    FormVars{ {"UUID", Id},
+                                                  {"ERROR_TEXT", "This request does not contain a valid user ID. Please contact your system administrator."}};
+                return SendHTMLFileBack(FormFile,FormVars);
+            }
+
+            if(UInfo.blackListed || UInfo.suspended) {
+                Poco::File  FormFile{ Daemon()->AssetDir() + "/sub_signup_verification_error.html"};
+                Types::StringPairVec    FormVars{ {"UUID", Id},
+                                                  {"ERROR_TEXT", "Please contact our system administrators. We have identified an error in your account that must be resolved first."}};
+                return SendHTMLFileBack(FormFile,FormVars);
+            }
+
+            bool GoodPassword = AuthService()->SetSubPassword(Password1,UInfo);
+            if(!GoodPassword) {
+                Poco::File  FormFile{ Daemon()->AssetDir() + "/sub_signup_verification_error.html"};
+                Types::StringPairVec    FormVars{ {"UUID", Id},
+                                                  {"ERROR_TEXT", "You cannot reuse one of your recent passwords."}};
+                return SendHTMLFileBack(FormFile,FormVars);
+            }
+
+            UInfo.modified = OpenWifi::Now();
+            UInfo.changePassword = false;
+            UInfo.lastEmailCheck = OpenWifi::Now();
+            UInfo.waitingForEmailCheck = false;
+            UInfo.validated = OpenWifi::Now();
+
+            StorageService()->SubDB().UpdateUserInfo(UInfo.email,Link.userId,UInfo);
+
+            Poco::File  FormFile{ Daemon()->AssetDir() + "/sub_signup_verification_success.html"};
+            Types::StringPairVec    FormVars{ {"UUID", Id},
+                                              {"USERNAME", UInfo.email} };
+            StorageService()->ActionLinksDB().CompleteAction(Id);
+
+            //  Send the update to the provisioning service
+            Poco::JSON::Object  Body;
+            auto RawSignup = Poco::StringTokenizer(UInfo.signingUp,":");
+            Body.set("signupUUID", RawSignup.count()==1 ? UInfo.signingUp : RawSignup[1]);
+            OpenAPIRequestPut   ProvRequest(uSERVICE_PROVISIONING,"/api/v1/signup",
+                                            {
+                                                {"signupUUID", RawSignup.count()==1 ? UInfo.signingUp : RawSignup[1]} ,
+                                                {"operation", "emailVerified"}
+                                            },
+                                            Body,30000);
+            Logger().information(fmt::format("({}): Completed subscriber e-mail verification and password.",UInfo.email));
+            Poco::JSON::Object::Ptr Response;
+            auto Status = ProvRequest.Do(Response);
+            std::stringstream ooo;
+            if(Response!= nullptr)
+                Response->stringify(ooo);
+            Logger().information(fmt::format("({}): Completed subscriber e-mail verification. Provisioning notified, Error={}.",
+                                             UInfo.email, Status));
+            SendHTMLFileBack(FormFile,FormVars);
+            Logger().information(fmt::format("({}): Completed subscriber e-mail verification. FORM notified.",UInfo.email));
+        } else {
+            DoReturnA404();
+        }
+    }
+
+    void RESTAPI_action_links::DoEmailVerification(SecurityObjects::ActionLink &Link) {
+        auto now = OpenWifi::Now();
+
+        if(now > Link.expires) {
+            StorageService()->ActionLinksDB().CancelAction(Link.id);
+            return DoReturnA404();
+        }
+
+        SecurityObjects::UserInfo UInfo;
+        bool Found = Link.userAction ? StorageService()->UserDB().GetUserById(Link.userId,UInfo) : StorageService()->SubDB().GetUserById(Link.userId,UInfo);
+        if (!Found) {
+            Types::StringPairVec FormVars{{"UUID",       Link.id},
                                          {"ERROR_TEXT", "This does not appear to be a valid email verification link.."}};
            Poco::File FormFile{Daemon()->AssetDir() + "/email_verification_error.html"};
            return SendHTMLFileBack(FormFile, FormVars);
        }

+        Logger_.information(fmt::format("EMAIL-VERIFICATION(%s): For ID={}", Request->clientAddress().toString(),
+                                        UInfo.email));
        UInfo.waitingForEmailCheck = false;
        UInfo.validated = true;
-        UInfo.lastEmailCheck = std::time(nullptr);
-        UInfo.validationDate = std::time(nullptr);
-        StorageService()->UpdateUserInfo(UInfo.email, Id, UInfo);
-        Types::StringPairVec FormVars{{"UUID",     Id},
+        UInfo.lastEmailCheck = OpenWifi::Now();
+        UInfo.validationDate = OpenWifi::Now();
+        UInfo.modified  = OpenWifi::Now();
+        if(Link.userAction)
+            StorageService()->UserDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);
+        else
+            StorageService()->SubDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);
+        Types::StringPairVec FormVars{{"UUID",     Link.id},
                                      {"USERNAME", UInfo.email},
                                      {"ACTION_LINK",MicroService::instance().GetUIURI()}};
        Poco::File FormFile{Daemon()->AssetDir() + "/email_verification_success.html"};
+        StorageService()->ActionLinksDB().CompleteAction(Link.id);
        SendHTMLFileBack(FormFile, FormVars);
    }

@@ -122,4 +274,16 @@ namespace OpenWifi {
        SendHTMLFileBack(FormFile, FormVars);
    }

+    void RESTAPI_action_links::CompleteEmailInvitation() {
+        /// TODO:
+    }
+
+    void RESTAPI_action_links::RequestSubResetPassword([[maybe_unused]] SecurityObjects::ActionLink &Link) {
+
+    }
+
+    void RESTAPI_action_links::DoSubEmailVerification([[maybe_unused]] SecurityObjects::ActionLink &Link) {
+
+    }
+
 }
--- a/src/RESTAPI/RESTAPI_action_links.h
+++ b/src/RESTAPI/RESTAPI_action_links.h
@@ -2,29 +2,34 @@
 // Created by stephane bourque on 2021-06-22.
 //

-#ifndef UCENTRALSEC_RESTAPI_ACTION_LINKS_H
-#define UCENTRALSEC_RESTAPI_ACTION_LINKS_H
+#pragma once

-
-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
    class RESTAPI_action_links : public RESTAPIHandler {
    public:
-        RESTAPI_action_links(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, bool Internal)
+        RESTAPI_action_links(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
                : RESTAPIHandler(bindings, L,
             std::vector<std::string>{
                                        Poco::Net::HTTPRequest::HTTP_GET,
                                        Poco::Net::HTTPRequest::HTTP_POST,
                                        Poco::Net::HTTPRequest::HTTP_OPTIONS},
                                        Server,
+                                        TransactionId,
                                        Internal,
-                                        false) {}
-        static const std::list<const char *> PathName() { return std::list<const char *>{"/api/v1/actionLink"}; };
-        void RequestResetPassword(std::string &Id);
-        void CompleteResetPassword(std::string &Id);
-        void DoEmailVerification(std::string &Id);
+                                        false,
+                                        true, RateLimit{.Interval=1000,.MaxCalls=10}) {}
+        static auto PathName() { return std::list<std::string>{"/api/v1/actionLink"}; };
+        void RequestResetPassword(SecurityObjects::ActionLink &Link);
+        void RequestSubResetPassword(SecurityObjects::ActionLink &Link);
+        void CompleteResetPassword();
+        void CompleteSubVerification();
+        void DoEmailVerification(SecurityObjects::ActionLink &Link);
+        void DoSubEmailVerification(SecurityObjects::ActionLink &Link);
        void DoReturnA404();
+        void DoNewSubVerification(SecurityObjects::ActionLink &Link);
+        void CompleteEmailInvitation();

        void DoGet() final;
        void DoPost() final;
@@ -32,5 +37,3 @@ namespace OpenWifi {
        void DoPut() final {};
    };
 }
-
-#endif //UCENTRALSEC_RESTAPI_ACTION_LINKS_H
--- a/src/RESTAPI/RESTAPI_apiKey_handler.cpp
+++ b/src/RESTAPI/RESTAPI_apiKey_handler.cpp
@@ -0,0 +1,158 @@
+//
+// Created by stephane bourque on 2022-11-04.
+//
+
+#include "RESTAPI_apiKey_handler.h"
+#include "RESTAPI/RESTAPI_db_helpers.h"
+
+namespace OpenWifi {
+
+    void RESTAPI_apiKey_handler::DoGet() {
+        std::string     user_uuid = GetBinding("uuid","");
+        if(user_uuid.empty()) {
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+        if(user_uuid!=UserInfo_.userinfo.id && UserInfo_.userinfo.userRole!=SecurityObjects::ROOT) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+
+        SecurityObjects::ApiKeyEntryList    List;
+        if(DB_.GetRecords(0,500, List.apiKeys, fmt::format(" userUuid='{}' ", user_uuid))) {
+            for(auto &key:List.apiKeys) {
+                Sanitize(UserInfo_, key);
+            }
+            Poco::JSON::Object  Answer;
+            List.to_json(Answer);
+            return ReturnObject(Answer);
+        }
+        return NotFound();
+    }
+
+    void RESTAPI_apiKey_handler::DoDelete() {
+        std::string     user_uuid = GetBinding("uuid","");
+        if(user_uuid.empty()) {
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+
+        if(user_uuid!=UserInfo_.userinfo.id && UserInfo_.userinfo.userRole!=SecurityObjects::ROOT) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+
+        if(user_uuid!=UserInfo_.userinfo.id) {
+            if(!StorageService()->UserDB().Exists("id",user_uuid)) {
+                return NotFound();
+            }
+        }
+
+        std::string ApiKeyId= GetParameter("keyUuid","");
+        if(ApiKeyId.empty()) {
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+
+        SecurityObjects::ApiKeyEntry    ApiKey;
+        if(StorageService()->ApiKeyDB().GetRecord("id",ApiKeyId,ApiKey)) {
+            if(ApiKey.userUuid==user_uuid) {
+                AuthService()->RemoveTokenSystemWide(ApiKey.apiKey);
+                DB_.DeleteRecord("id", ApiKeyId);
+                return OK();
+            }
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+        return NotFound();
+    }
+
+    void RESTAPI_apiKey_handler::DoPost() {
+        std::string     user_uuid = GetBinding("uuid","");
+
+        if(user_uuid.empty()) {
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+
+        if(user_uuid!=UserInfo_.userinfo.id && UserInfo_.userinfo.userRole!=SecurityObjects::ROOT) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+
+        if(user_uuid!=UserInfo_.userinfo.id) {
+            //  Must verify if the user exists
+            if(!StorageService()->UserDB().Exists("id",user_uuid)) {
+                return BadRequest(RESTAPI::Errors::UserMustExist);
+            }
+        }
+
+        SecurityObjects::ApiKeyEntry    NewKey;
+        if(!NewKey.from_json(ParsedBody_)) {
+            return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+        }
+        NewKey.lastUse = 0 ;
+
+        if(!Utils::IsAlphaNumeric(NewKey.name) || NewKey.name.empty()) {
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+
+        Poco::toLowerInPlace(NewKey.name);
+        NewKey.userUuid = user_uuid;
+        if(NewKey.expiresOn < Utils::Now()) {
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+
+        //  does a key of that name already exit for this user?
+        SecurityObjects::ApiKeyEntryList    ExistingList;
+        if(DB_.GetRecords(0,500, ExistingList.apiKeys, fmt::format(" userUuid='{}' ", user_uuid))) {
+            if(std::find_if(ExistingList.apiKeys.begin(),ExistingList.apiKeys.end(), [NewKey](const SecurityObjects::ApiKeyEntry &E) -> bool {
+                return E.name==NewKey.name;
+            })!=ExistingList.apiKeys.end()) {
+                return BadRequest(RESTAPI::Errors::ApiKeyNameAlreadyExists);
+            }
+        }
+
+        if(ExistingList.apiKeys.size()>=10) {
+            return BadRequest(RESTAPI::Errors::TooManyApiKeys);
+        }
+
+        NewKey.id = MicroServiceCreateUUID();
+        NewKey.userUuid = user_uuid;
+        NewKey.salt = std::to_string(Utils::Now());
+        NewKey.apiKey = Utils::ComputeHash(NewKey.salt, UserInfo_.userinfo.id, UserInfo_.webtoken.access_token_ );
+        NewKey.created = Utils::Now();
+
+        if(DB_.CreateRecord(NewKey)) {
+            Poco::JSON::Object  Answer;
+            NewKey.to_json(Answer);
+            return ReturnObject(Answer);
+        }
+        return BadRequest(RESTAPI::Errors::RecordNotCreated);
+    }
+
+    void RESTAPI_apiKey_handler::DoPut() {
+        std::string     user_uuid = GetBinding("uuid","");
+        if(user_uuid.empty()) {
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+        if(user_uuid!=UserInfo_.userinfo.id && UserInfo_.userinfo.userRole!=SecurityObjects::ROOT) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+        SecurityObjects::ApiKeyEntry    NewKey;
+        if(!NewKey.from_json(ParsedBody_)) {
+            return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+        }
+
+        SecurityObjects::ApiKeyEntry    ExistingKey;
+        if(!DB_.GetRecord("id",NewKey.id,ExistingKey)) {
+            return BadRequest(RESTAPI::Errors::ApiKeyDoesNotExist);
+        }
+
+        if(ExistingKey.userUuid!=user_uuid) {
+            return BadRequest(RESTAPI::Errors::MissingUserID);
+        }
+
+        AssignIfPresent(ParsedBody_,"description",ExistingKey.description);
+
+        if(DB_.UpdateRecord("id",ExistingKey.id,ExistingKey)) {
+            Poco::JSON::Object  Answer;
+            ExistingKey.to_json(Answer);
+            return ReturnObject(Answer);
+        }
+        BadRequest(RESTAPI::Errors::RecordNotUpdated);
+    }
+
+}
--- a/src/RESTAPI/RESTAPI_apiKey_handler.h
+++ b/src/RESTAPI/RESTAPI_apiKey_handler.h
@@ -0,0 +1,34 @@
+//
+// Created by stephane bourque on 2022-11-04.
+//
+
+#pragma once
+
+#include "framework/RESTAPI_Handler.h"
+#include "StorageService.h"
+namespace OpenWifi {
+    class RESTAPI_apiKey_handler : public RESTAPIHandler {
+    public:
+        RESTAPI_apiKey_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
+                : RESTAPIHandler(bindings, L,
+                                 std::vector<std::string>{
+                                         Poco::Net::HTTPRequest::HTTP_GET,
+                                         Poco::Net::HTTPRequest::HTTP_PUT,
+                                         Poco::Net::HTTPRequest::HTTP_POST,
+                                         Poco::Net::HTTPRequest::HTTP_DELETE,
+                                         Poco::Net::HTTPRequest::HTTP_OPTIONS},
+                                 Server,
+                                 TransactionId,
+                                 Internal) {}
+        static auto PathName() { return std::list<std::string>{"/api/v1/apiKey/{uuid}"}; };
+    private:
+        ApiKeyDB     &DB_=StorageService()->ApiKeyDB();
+
+        void DoGet() final;
+        void DoPut() final;
+        void DoPost() final;
+        void DoDelete() final;
+
+    };
+}
+
--- a/src/RESTAPI/RESTAPI_asset_server.cpp
+++ b/src/RESTAPI/RESTAPI_asset_server.cpp
@@ -2,13 +2,13 @@
 // Created by stephane bourque on 2021-07-10.
 //

-#include "RESTAPI_AssetServer.h"
+#include "RESTAPI_asset_server.h"
 #include "Poco/File.h"
-#include "framework/RESTAPI_protocol.h"
+#include "framework/ow_constants.h"
 #include "Daemon.h"

 namespace OpenWifi {
-    void RESTAPI_AssetServer::DoGet() {
+    void RESTAPI_asset_server::DoGet() {
        Poco::File  AssetFile;

        if(Request->getURI().find("/favicon.ico") != std::string::npos) {
--- a/src/RESTAPI/RESTAPI_asset_server.h
+++ b/src/RESTAPI/RESTAPI_asset_server.h
@@ -2,15 +2,14 @@
 // Created by stephane bourque on 2021-07-10.
 //

-#ifndef UCENTRALSEC_RESTAPI_ASSETSERVER_H
-#define UCENTRALSEC_RESTAPI_ASSETSERVER_H
+#pragma once

-#include "../framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-    class RESTAPI_AssetServer : public RESTAPIHandler {
+    class RESTAPI_asset_server : public RESTAPIHandler {
    public:
-        RESTAPI_AssetServer(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, bool Internal)
+        RESTAPI_asset_server(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
                : RESTAPIHandler(bindings, L,
                                 std::vector<std::string>
                                         {Poco::Net::HTTPRequest::HTTP_POST,
@@ -19,8 +18,9 @@ namespace OpenWifi {
                                          Poco::Net::HTTPRequest::HTTP_DELETE,
                                          Poco::Net::HTTPRequest::HTTP_OPTIONS},
                                          Server,
+                                          TransactionId,
                                          Internal, false) {}
-        static const std::list<const char *> PathName() { return std::list<const char *>{"/wwwassets/{id}" ,
+        static auto PathName() { return std::list<std::string>{"/wwwassets/{id}" ,
                                                                                         "/favicon.ico"}; };
        void DoGet() final;
        void DoPost() final {};
@@ -32,5 +32,3 @@ namespace OpenWifi {
    };
 }

-
-#endif //UCENTRALSEC_RESTAPI_ASSETSERVER_H
--- a/src/RESTAPI/RESTAPI_avatar_handler.cpp
+++ b/src/RESTAPI/RESTAPI_avatar_handler.cpp
@@ -5,11 +5,11 @@
 #include <fstream>
 #include <iostream>

-#include "RESTAPI_avatarHandler.h"
+#include "RESTAPI_avatar_handler.h"
 #include "StorageService.h"
 #include "Poco/Net/HTMLForm.h"
-#include "framework/RESTAPI_protocol.h"
-#include "framework/MicroService.h"
+#include "Poco/CountingStream.h"
+#include "framework/MicroServiceFuncs.h"

 namespace OpenWifi {

@@ -22,33 +22,27 @@ namespace OpenWifi {
            Name_ = Parameters.get(RESTAPI::Protocol::NAME, RESTAPI::Protocol::UNNAMED);
        }
        Poco::CountingInputStream InputStream(Stream);
-        std::ofstream OutputStream(TempFile_.path(), std::ofstream::out);
-        Poco::StreamCopier::copyStream(InputStream, OutputStream);
-        Length_ = InputStream.chars();
+        Poco::StreamCopier::copyStream(InputStream, OutputStream_);
+        Length_ = OutputStream_.str().size();
    };

-    void RESTAPI_avatarHandler::DoPost() {
-        std::string Id = GetBinding(RESTAPI::Protocol::ID, "");
+    void RESTAPI_avatar_handler::DoPost() {
+        std::string Id = UserInfo_.userinfo.id;
        SecurityObjects::UserInfo UInfo;

-        if (Id.empty() || !StorageService()->GetUserById(Id, UInfo)) {
-            return NotFound();
-        }
-
-        //  if there is an avatar, just remove it...
-        StorageService()->DeleteAvatar(UserInfo_.userinfo.email,Id);
-
-        Poco::TemporaryFile TmpFile;
-        AvatarPartHandler partHandler(Id, Logger_, TmpFile);
-
+        std::stringstream SS;
+        AvatarPartHandler partHandler(Id, Logger_, SS);
        Poco::Net::HTMLForm form(*Request, Request->stream(), partHandler);
        Poco::JSON::Object Answer;
-        if (!partHandler.Name().empty() && partHandler.Length()< MicroService::instance().ConfigGetInt("openwifi.avatar.maxsize",2000000)) {
+
+        if (!partHandler.Name().empty() && partHandler.Length()< MicroServiceConfigGetInt("openwifi.avatar.maxsize",2000000)) {
            Answer.set(RESTAPI::Protocol::AVATARID, Id);
            Answer.set(RESTAPI::Protocol::ERRORCODE, 0);
-            Logger_.information(Poco::format("Uploaded avatar: %s Type: %s", partHandler.Name(), partHandler.ContentType()));
-            StorageService()->SetAvatar(UserInfo_.userinfo.email,
-                                 Id, TmpFile, partHandler.ContentType(), partHandler.Name());
+            Logger_.information(fmt::format("Uploaded avatar: {} Type: {}", partHandler.Name(), partHandler.ContentType()));
+            StorageService()->AvatarDB().SetAvatar(UserInfo_.userinfo.email,
+                                 Id, SS.str(), partHandler.ContentType(), partHandler.Name());
+            StorageService()->UserDB().SetAvatar(Id,"1");
+            Logger().information(fmt::format("Adding avatar for {}",UserInfo_.userinfo.email));
        } else {
            Answer.set(RESTAPI::Protocol::AVATARID, Id);
            Answer.set(RESTAPI::Protocol::ERRORCODE, 13);
@@ -57,27 +51,33 @@ namespace OpenWifi {
        ReturnObject(Answer);
    }

-    void RESTAPI_avatarHandler::DoGet() {
+    void RESTAPI_avatar_handler::DoGet() {
        std::string Id = GetBinding(RESTAPI::Protocol::ID, "");
        if (Id.empty()) {
            return NotFound();
        }
-        Poco::TemporaryFile TempAvatar;
-        std::string Type, Name;
-        if (!StorageService()->GetAvatar(UserInfo_.userinfo.email, Id, TempAvatar, Type, Name)) {
+
+        std::string Type, Name, AvatarContent;
+        if (!StorageService()->AvatarDB().GetAvatar(UserInfo_.userinfo.email, Id, AvatarContent, Type, Name)) {
            return NotFound();
        }
-        SendFile(TempAvatar, Type, Name);
+        Logger().information(fmt::format("Retrieving avatar for {}, size:{}",UserInfo_.userinfo.email,AvatarContent.size()));
+        return SendFileContent(AvatarContent, Type, Name);
    }

-    void RESTAPI_avatarHandler::DoDelete() {
+    void RESTAPI_avatar_handler::DoDelete() {
        std::string Id = GetBinding(RESTAPI::Protocol::ID, "");
-        if (Id.empty()) {
-            return NotFound();
-        }
-        if (!StorageService()->DeleteAvatar(UserInfo_.userinfo.email, Id)) {
+
+        if(UserInfo_.userinfo.userRole!=SecurityObjects::ROOT && Id!=UserInfo_.userinfo.id) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+
+        if (!StorageService()->AvatarDB().DeleteAvatar(UserInfo_.userinfo.email, Id)) {
            return NotFound();
        }
+
+        Logger().information(fmt::format("Deleted avatar for {}",UserInfo_.userinfo.email));
+        StorageService()->UserDB().SetAvatar(Id,"");
        OK();
    }
 }
--- a/src/RESTAPI/RESTAPI_avatar_handler.h
+++ b/src/RESTAPI/RESTAPI_avatar_handler.h
@@ -1,39 +1,39 @@
 //
 // Created by stephane bourque on 2021-07-15.
 //
+#pragma once

-#ifndef UCENTRALSEC_RESTAPI_AVATARHANDLER_H
-#define UCENTRALSEC_RESTAPI_AVATARHANDLER_H
-
-
-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"
+#include "Poco/Net/PartHandler.h"

 namespace OpenWifi {

    class AvatarPartHandler : public Poco::Net::PartHandler {
    public:
-        AvatarPartHandler(std::string Id, Poco::Logger &Logger, Poco::TemporaryFile &TmpFile) :
+        AvatarPartHandler(std::string Id, Poco::Logger &Logger, std::stringstream & ofs) :
                Id_(std::move(Id)),
                Logger_(Logger),
-                TempFile_(TmpFile){
+                OutputStream_(ofs){
        }
        void handlePart(const Poco::Net::MessageHeader &Header, std::istream &Stream);
        [[nodiscard]] uint64_t Length() const { return Length_; }
        [[nodiscard]] std::string &Name() { return Name_; }
        [[nodiscard]] std::string &ContentType() { return FileType_; }
-        [[nodiscard]] std::string FileName() const { return TempFile_.path(); }
+
    private:
        uint64_t        Length_ = 0;
        std::string     FileType_;
        std::string     Name_;
        std::string     Id_;
        Poco::Logger    &Logger_;
-        Poco::TemporaryFile &TempFile_;
+        std::stringstream &OutputStream_;
+
+        inline Poco::Logger & Logger() { return Logger_; };
    };

-    class RESTAPI_avatarHandler : public RESTAPIHandler {
+    class RESTAPI_avatar_handler : public RESTAPIHandler {
    public:
-        RESTAPI_avatarHandler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, bool Internal)
+        RESTAPI_avatar_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
                : RESTAPIHandler(bindings, L,
                                 std::vector<std::string>{
                                         Poco::Net::HTTPRequest::HTTP_GET,
@@ -41,14 +41,13 @@ namespace OpenWifi {
                                         Poco::Net::HTTPRequest::HTTP_DELETE,
                                         Poco::Net::HTTPRequest::HTTP_OPTIONS},
                                         Server,
+                                         TransactionId,
                                         Internal) {}
-        static const std::list<const char *> PathName() { return std::list<const char *>{"/api/v1/avatar/{id}"}; };
+        static auto PathName() { return std::list<std::string>{"/api/v1/avatar/{id}"}; };

        void DoGet() final;
        void DoPost() final;
        void DoDelete() final;
        void DoPut() final {};
-
    };
 }
-#endif //UCENTRALSEC_RESTAPI_AVATARHANDLER_H
--- a/src/RESTAPI/RESTAPI_db_helpers.h
+++ b/src/RESTAPI/RESTAPI_db_helpers.h
@@ -0,0 +1,20 @@
+//
+// Created by stephane bourque on 2022-01-01.
+//
+
+#pragma once
+
+#include "framework/orm.h"
+
+namespace OpenWifi {
+
+    inline void Sanitize([[maybe_unused]] const SecurityObjects::UserInfoAndPolicy &User, SecurityObjects::UserInfo & U) {
+        U.currentPassword.clear();
+        U.lastPasswords.clear();
+        U.oauthType.clear();
+    }
+
+    inline void Sanitize([[maybe_unused]] const SecurityObjects::UserInfoAndPolicy &User, SecurityObjects::ApiKeyEntry & U) {
+        U.salt.clear();
+    }
+}
--- a/src/RESTAPI/RESTAPI_email_handler.cpp
+++ b/src/RESTAPI/RESTAPI_email_handler.cpp
@@ -3,18 +3,14 @@
 //

 #include "RESTAPI_email_handler.h"
-
-
-#include "Poco/Exception.h"
 #include "Poco/JSON/Parser.h"

 #include "SMTPMailerService.h"
-#include "framework/RESTAPI_errors.h"
-#include "framework/MicroService.h"
+#include "framework/ow_constants.h"

 namespace OpenWifi {
    void RESTAPI_email_handler::DoPost() {
-        auto Obj = ParseStream();
+        const auto & Obj = ParsedBody_;
        if (Obj->has("subject") &&
            Obj->has("from") &&
            Obj->has("text") &&
@@ -28,7 +24,7 @@ namespace OpenWifi {
            Attrs[SUBJECT] = Obj->get("subject").toString();
            Attrs[TEXT] = Obj->get("text").toString();
            Attrs[SENDER] = Obj->get("from").toString();
-            if(SMTPMailerService()->SendMessage(Recipient, "password_reset.txt", Attrs)) {
+            if(SMTPMailerService()->SendMessage(Recipient, "password_reset.txt", Attrs, false)) {
                return OK();
            }
            return ReturnStatus(Poco::Net::HTTPResponse::HTTP_SERVICE_UNAVAILABLE);
--- a/src/RESTAPI/RESTAPI_email_handler.h
+++ b/src/RESTAPI/RESTAPI_email_handler.h
@@ -2,27 +2,24 @@
 // Created by stephane bourque on 2021-09-02.
 //

-#ifndef OWSEC_RESTAPI_EMAIL_HANDLER_H
-#define OWSEC_RESTAPI_EMAIL_HANDLER_H
+#pragma once

-
-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
    class RESTAPI_email_handler : public RESTAPIHandler {
    public:
-        RESTAPI_email_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, bool Internal)
+        RESTAPI_email_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
        : RESTAPIHandler(bindings, L,
                         std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
                                                  Poco::Net::HTTPRequest::HTTP_OPTIONS},
                                                  Server,
+                                                  TransactionId,
                                                  Internal) {}
-        static const std::list<const char *> PathName() { return std::list<const char *>{"/api/v1/email"};}
+        static auto PathName() { return std::list<std::string>{"/api/v1/email"};}
        void DoGet() final {};
        void DoPost() final;
        void DoDelete() final {};
        void DoPut() final {};
    };
 }
-
-#endif //OWSEC_RESTAPI_EMAIL_HANDLER_H
--- a/src/RESTAPI/RESTAPI_oauth2Handler.cpp
+++ b/src/RESTAPI/RESTAPI_oauth2Handler.cpp
@@ -1,125 +0,0 @@
-//
-//	License type: BSD 3-Clause License
-//	License copy: https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/LICENSE
-//
-//	Created by Stephane Bourque on 2021-03-04.
-//	Arilia Wireless Inc.
-//
-
-#include "Poco/JSON/Parser.h"
-
-#include "Daemon.h"
-#include "AuthService.h"
-#include "RESTAPI_oauth2Handler.h"
-#include "MFAServer.h"
-#include "framework/RESTAPI_protocol.h"
-#include "framework/MicroService.h"
-
-namespace OpenWifi {
-	void RESTAPI_oauth2Handler::DoGet() {
-        if (!IsAuthorized()) {
-            return UnAuthorized("Not authorized.");
-        }
-        bool GetMe = GetBoolParameter(RESTAPI::Protocol::ME, false);
-        if(GetMe) {
-            Logger_.information(Poco::format("REQUEST-ME(%s): Request for %s", Request->clientAddress().toString(), UserInfo_.userinfo.email));
-            Poco::JSON::Object Me;
-            UserInfo_.userinfo.to_json(Me);
-            return ReturnObject(Me);
-        }
-        BadRequest("Ill-formed request. Please consult documentation.");
-	}
-
-    void RESTAPI_oauth2Handler::DoDelete() {
-        if (!IsAuthorized()) {
-            return UnAuthorized("Not authorized.");
-        }
-
-        auto Token = GetBinding(RESTAPI::Protocol::TOKEN, "...");
-        if (Token == SessionToken_) {
-            AuthService()->Logout(Token);
-            return ReturnStatus(Poco::Net::HTTPResponse::HTTP_NO_CONTENT, true);
-        }
-
-        Logger_.information(Poco::format("BAD-LOGOUT(%s): Request for %s", Request->clientAddress().toString(), UserInfo_.userinfo.email));
-        NotFound();
-	}
-
-	void RESTAPI_oauth2Handler::DoPost() {
-        auto Obj = ParseStream();
-        auto userId = GetS(RESTAPI::Protocol::USERID, Obj);
-        auto password = GetS(RESTAPI::Protocol::PASSWORD, Obj);
-        auto newPassword = GetS(RESTAPI::Protocol::NEWPASSWORD, Obj);
-
-        Poco::toLowerInPlace(userId);
-
-        if(GetBoolParameter(RESTAPI::Protocol::REQUIREMENTS, false)) {
-            Logger_.information(Poco::format("POLICY-REQUEST(%s): Request.", Request->clientAddress().toString()));
-            Poco::JSON::Object  Answer;
-            Answer.set(RESTAPI::Protocol::PASSWORDPATTERN, AuthService()->PasswordValidationExpression());
-            Answer.set(RESTAPI::Protocol::ACCESSPOLICY, Daemon()->GetAccessPolicy());
-            Answer.set(RESTAPI::Protocol::PASSWORDPOLICY, Daemon()->GetPasswordPolicy());
-            return ReturnObject(Answer);
-        }
-
-        if(GetBoolParameter(RESTAPI::Protocol::FORGOTPASSWORD,false)) {
-            //  Send an email to the userId
-            Logger_.information(Poco::format("FORGOTTEN-PASSWORD(%s): Request for %s", Request->clientAddress().toString(), userId));
-            SecurityObjects::UserInfoAndPolicy UInfo;
-            if(AuthService::SendEmailToUser(userId,AuthService::FORGOT_PASSWORD))
-                Logger_.information(Poco::format("Send password reset link to %s",userId));
-            UInfo.webtoken.userMustChangePassword=true;
-            Poco::JSON::Object ReturnObj;
-            UInfo.webtoken.to_json(ReturnObj);
-            return ReturnObject(ReturnObj);
-        }
-
-        if(GetBoolParameter(RESTAPI::Protocol::RESENDMFACODE,false)) {
-            Logger_.information(Poco::format("RESEND-MFA-CODE(%s): Request for %s", Request->clientAddress().toString(), userId));
-            if(Obj->has("uuid")) {
-                auto uuid = Obj->get("uuid").toString();
-                if(MFAServer().ResendCode(uuid))
-                    return OK();
-                return UnAuthorized("Unrecognized credentials (username/password).");
-            }
-            return UnAuthorized("Unrecognized credentials (username/password).");
-        }
-
-        if(GetBoolParameter(RESTAPI::Protocol::COMPLETEMFACHALLENGE,false)) {
-            Logger_.information(Poco::format("COMPLETE-MFA-CHALLENGE(%s): Request for %s", Request->clientAddress().toString(), userId));
-            if(Obj->has("uuid")) {
-                SecurityObjects::UserInfoAndPolicy UInfo;
-                if(MFAServer().CompleteMFAChallenge(Obj,UInfo)) {
-                    Poco::JSON::Object ReturnObj;
-                    UInfo.webtoken.to_json(ReturnObj);
-                    return ReturnObject(ReturnObj);
-                }
-            }
-            return UnAuthorized("Unrecognized credentials (username/password).");
-        }
-
-        SecurityObjects::UserInfoAndPolicy UInfo;
-        auto Code=AuthService()->Authorize(userId, password, newPassword, UInfo);
-        if (Code==AuthService::SUCCESS) {
-            Poco::JSON::Object ReturnObj;
-            if(AuthService()->RequiresMFA(UInfo)) {
-                if(MFAServer().StartMFAChallenge(UInfo, ReturnObj)) {
-                    return ReturnObject(ReturnObj);
-                }
-                Logger_.warning("MFA Seems ot be broken. Please fix. Disabling MFA checking for now.");
-            }
-            UInfo.webtoken.to_json(ReturnObj);
-            return ReturnObject(ReturnObj);
-        } else {
-            switch(Code) {
-                case AuthService::INVALID_CREDENTIALS: return UnAuthorized("Unrecognized credentials (username/password)."); break;
-                case AuthService::PASSWORD_INVALID: return UnAuthorized("Invalid password."); break;
-                case AuthService::PASSWORD_ALREADY_USED: return UnAuthorized("Password already used previously."); break;
-                case AuthService::USERNAME_PENDING_VERIFICATION: return UnAuthorized("User access pending email verification."); break;
-                case AuthService::PASSWORD_CHANGE_REQUIRED: return UnAuthorized("Password change expected."); break;
-                default: return UnAuthorized("Unrecognized credentials (username/password)."); break;
-            }
-            return;
-        }
-	}
-}
--- a/src/RESTAPI/RESTAPI_oauth2_handler.cpp
+++ b/src/RESTAPI/RESTAPI_oauth2_handler.cpp
@@ -0,0 +1,179 @@
+//
+//	License type: BSD 3-Clause License
+//	License copy: https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/LICENSE
+//
+//	Created by Stephane Bourque on 2021-03-04.
+//	Arilia Wireless Inc.
+//
+
+#include "Poco/JSON/Parser.h"
+
+#include "AuthService.h"
+#include "RESTAPI_oauth2_handler.h"
+#include "MFAServer.h"
+#include "framework/ow_constants.h"
+#include "StorageService.h"
+#include "RESTAPI_db_helpers.h"
+
+#include "framework/MicroServiceFuncs.h"
+
+namespace OpenWifi {
+
+    void RESTAPI_oauth2_handler::DoGet() {
+        bool Expired = false, Contacted = false;
+        if (!IsAuthorized(Expired, Contacted)) {
+            if (Expired)
+                return UnAuthorized(RESTAPI::Errors::EXPIRED_TOKEN);
+            return UnAuthorized(RESTAPI::Errors::INVALID_TOKEN);
+        }
+        if (GetBoolParameter(RESTAPI::Protocol::ME)) {
+            Logger_.information(fmt::format("REQUEST-ME({}): Request for {}", Request->clientAddress().toString(),
+                                            UserInfo_.userinfo.email));
+            Poco::JSON::Object Me;
+            SecurityObjects::UserInfo ReturnedUser = UserInfo_.userinfo;
+            Sanitize(UserInfo_, ReturnedUser);
+            ReturnedUser.to_json(Me);
+            return ReturnObject(Me);
+        }
+        BadRequest(RESTAPI::Errors::UnrecognizedRequest);
+    }
+
+    void RESTAPI_oauth2_handler::DoDelete() {
+        auto Token = GetBinding(RESTAPI::Protocol::TOKEN, "");
+        std::string SessionToken;
+        try {
+            Poco::Net::OAuth20Credentials Auth(*Request);
+            if (Auth.getScheme() == "Bearer") {
+                SessionToken = Auth.getBearerToken();
+            }
+        } catch (const Poco::Exception &E) {
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+        if (Token.empty() || (Token != SessionToken)) {
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+
+        AuthService()->Logout(Token);
+        return ReturnStatus(Poco::Net::HTTPResponse::HTTP_NO_CONTENT, true);
+    }
+
+	void RESTAPI_oauth2_handler::DoPost() {
+
+        const auto & Obj = ParsedBody_;
+        if(Obj == nullptr) {
+            return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+        }
+
+        auto userId = GetS(RESTAPI::Protocol::USERID, Obj);
+        auto password = GetS(RESTAPI::Protocol::PASSWORD, Obj);
+        auto newPassword = GetS(RESTAPI::Protocol::NEWPASSWORD, Obj);
+        auto refreshToken = GetS("refreshToken", Obj);
+        auto grant_type = GetParameter("grant_type");
+
+        Poco::toLowerInPlace(userId);
+
+        if(!refreshToken.empty() && grant_type == "refresh_token") {
+            SecurityObjects::UserInfoAndPolicy UInfo;
+            if(AuthService()->RefreshUserToken(*Request, refreshToken, UInfo)) {
+                Poco::JSON::Object  Answer;
+                UInfo.webtoken.to_json(Answer);
+                return ReturnObject(Answer);
+            } else {
+                return UnAuthorized(RESTAPI::Errors::CANNOT_REFRESH_TOKEN);
+            }
+        }
+
+        if(GetBoolParameter(RESTAPI::Protocol::REQUIREMENTS)) {
+            Logger_.information(fmt::format("POLICY-REQUEST({}): Request.", Request->clientAddress().toString()));
+            Poco::JSON::Object  Answer;
+            Answer.set(RESTAPI::Protocol::PASSWORDPATTERN, AuthService()->PasswordValidationExpression());
+            Answer.set(RESTAPI::Protocol::ACCESSPOLICY, AuthService()->GetAccessPolicy());
+            Answer.set(RESTAPI::Protocol::PASSWORDPOLICY, AuthService()->GetPasswordPolicy());
+            return ReturnObject(Answer);
+        }
+
+        if(GetBoolParameter(RESTAPI::Protocol::FORGOTPASSWORD)) {
+            SecurityObjects::UserInfo UInfo1;
+            auto UserExists = StorageService()->UserDB().GetUserByEmail(userId,UInfo1);
+            if(UserExists) {
+                Logger_.information(fmt::format("FORGOTTEN-PASSWORD({}): Request for {}", Request->clientAddress().toString(), userId));
+                SecurityObjects::ActionLink NewLink;
+
+                NewLink.action = OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD;
+                NewLink.id = MicroServiceCreateUUID();
+                NewLink.userId = UInfo1.id;
+                NewLink.created = OpenWifi::Now();
+                NewLink.expires = NewLink.created + (24*60*60);
+                NewLink.userAction = true;
+                StorageService()->ActionLinksDB().CreateAction(NewLink);
+
+                Poco::JSON::Object ReturnObj;
+                SecurityObjects::UserInfoAndPolicy UInfo;
+                UInfo.webtoken.userMustChangePassword = true;
+                UInfo.webtoken.to_json(ReturnObj);
+                return ReturnObject(ReturnObj);
+            } else {
+                Poco::JSON::Object ReturnObj;
+                SecurityObjects::UserInfoAndPolicy UInfo;
+                UInfo.webtoken.userMustChangePassword = true;
+                UInfo.webtoken.to_json(ReturnObj);
+                return ReturnObject(ReturnObj);
+            }
+        }
+
+        if(GetBoolParameter(RESTAPI::Protocol::RESENDMFACODE)) {
+            Logger_.information(fmt::format("RESEND-MFA-CODE({}): Request for {}", Request->clientAddress().toString(), userId));
+            if(Obj->has("uuid")) {
+                auto uuid = Obj->get("uuid").toString();
+                if(MFAServer()->ResendCode(uuid))
+                    return OK();
+            }
+            return UnAuthorized(RESTAPI::Errors::BAD_MFA_TRANSACTION);
+        }
+
+        if(GetBoolParameter(RESTAPI::Protocol::COMPLETEMFACHALLENGE,false)) {
+            Logger_.information(fmt::format("COMPLETE-MFA-CHALLENGE({}): Request for {}", Request->clientAddress().toString(), userId));
+            if(Obj->has("uuid")) {
+                SecurityObjects::UserInfoAndPolicy UInfo;
+                if(MFAServer()->CompleteMFAChallenge(Obj,UInfo)) {
+                    Poco::JSON::Object ReturnObj;
+                    UInfo.webtoken.to_json(ReturnObj);
+                    return ReturnObject(ReturnObj);
+                }
+            }
+            return UnAuthorized(RESTAPI::Errors::MFA_FAILURE);
+        }
+
+        SecurityObjects::UserInfoAndPolicy UInfo;
+        bool Expired=false;
+        auto Code=AuthService()->Authorize(userId, password, newPassword, UInfo, Expired);
+        if (Code==SUCCESS) {
+            Poco::JSON::Object ReturnObj;
+            if(AuthService()->RequiresMFA(UInfo)) {
+                if(MFAServer()->StartMFAChallenge(UInfo, ReturnObj)) {
+                    return ReturnObject(ReturnObj);
+                }
+                Logger_.warning("MFA Seems to be broken. Please fix. Disabling MFA checking for now.");
+            }
+            UInfo.webtoken.to_json(ReturnObj);
+            return ReturnObject(ReturnObj);
+        } else {
+
+            switch(Code) {
+                case INVALID_CREDENTIALS:
+                    return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
+                case PASSWORD_INVALID:
+                    return UnAuthorized(RESTAPI::Errors::PASSWORD_INVALID);
+                case PASSWORD_ALREADY_USED:
+                    return UnAuthorized(RESTAPI::Errors::PASSWORD_ALREADY_USED);
+                case USERNAME_PENDING_VERIFICATION:
+                    return UnAuthorized(RESTAPI::Errors::USERNAME_PENDING_VERIFICATION);
+                case PASSWORD_CHANGE_REQUIRED:
+                    return UnAuthorized(RESTAPI::Errors::PASSWORD_CHANGE_REQUIRED);
+                default:
+                    return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
+            }
+            return;
+        }
+	}
+}
--- a/src/RESTAPI/RESTAPI_oauth2_handler.h
+++ b/src/RESTAPI/RESTAPI_oauth2_handler.h
@@ -6,27 +6,27 @@
 //	Arilia Wireless Inc.
 //

-#ifndef UCENTRAL_RESTAPI_OAUTH2HANDLER_H
-#define UCENTRAL_RESTAPI_OAUTH2HANDLER_H
-
-#include "framework/MicroService.h"
+#pragma once
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-	class RESTAPI_oauth2Handler : public RESTAPIHandler {
+	class RESTAPI_oauth2_handler : public RESTAPIHandler {
 	  public:
-	    RESTAPI_oauth2Handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, bool Internal)
+	    RESTAPI_oauth2_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
 			: RESTAPIHandler(bindings, L,
 							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
 													  Poco::Net::HTTPRequest::HTTP_DELETE,
                                                      Poco::Net::HTTPRequest::HTTP_GET,
 													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
 													  Server,
-													  Internal, false) {}
-		static const std::list<const char *> PathName() { return std::list<const char *>{"/api/v1/oauth2/{token}","/api/v1/oauth2"}; };
+                                                      TransactionId,
+													  Internal, false, true , RateLimit{.Interval=1000,.MaxCalls=10}) {}
+        static auto PathName() { return std::list<std::string>{"/api/v1/oauth2/{token}","/api/v1/oauth2"}; };
 		void DoGet() final;
 		void DoPost() final;
 		void DoDelete() final;
 		void DoPut() final {};
 	};
 }
-#endif //UCENTRAL_RESTAPI_OAUTH2HANDLER_H
+
+
--- a/src/RESTAPI/RESTAPI_preferences.cpp
+++ b/src/RESTAPI/RESTAPI_preferences.cpp
@@ -0,0 +1,36 @@
+//
+// Created by stephane bourque on 2021-11-16.
+//
+
+#include "RESTAPI_preferences.h"
+#include "StorageService.h"
+
+namespace OpenWifi {
+
+    void RESTAPI_preferences::DoGet() {
+        SecurityObjects::Preferences    P;
+        Poco::JSON::Object  Answer;
+        StorageService()->PreferencesDB().GetPreferences(UserInfo_.userinfo.id, P);
+        P.to_json(Answer);
+        ReturnObject(Answer);
+    }
+
+    void RESTAPI_preferences::DoPut() {
+
+        SecurityObjects::Preferences    P;
+
+        const auto & RawObject = ParsedBody_;
+        if(!P.from_json(RawObject)) {
+            return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+        }
+
+        P.id = UserInfo_.userinfo.id;
+        P.modified = OpenWifi::Now();
+        StorageService()->PreferencesDB().SetPreferences(P);
+
+        Poco::JSON::Object  Answer;
+        P.to_json(Answer);
+        ReturnObject(Answer);
+    }
+
+}
--- a/src/RESTAPI/RESTAPI_preferences.h
+++ b/src/RESTAPI/RESTAPI_preferences.h
@@ -0,0 +1,27 @@
+//
+// Created by stephane bourque on 2021-11-16.
+//
+
+#pragma once
+
+#include "framework/RESTAPI_Handler.h"
+
+namespace OpenWifi {
+    class RESTAPI_preferences : public RESTAPIHandler {
+    public:
+        RESTAPI_preferences(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
+        : RESTAPIHandler(bindings, L,
+                         std::vector<std::string>{
+            Poco::Net::HTTPRequest::HTTP_GET,
+            Poco::Net::HTTPRequest::HTTP_PUT,
+            Poco::Net::HTTPRequest::HTTP_OPTIONS},
+            Server,
+            TransactionId,
+            Internal) {}
+        static auto PathName() { return std::list<std::string>{"/api/v1/preferences"}; };
+        void DoGet() final;
+        void DoPut() final;
+        void DoPost() final {};
+        void DoDelete() final {};
+    };
+}
--- a/src/RESTAPI/RESTAPI_routers.cpp
+++ b/src/RESTAPI/RESTAPI_routers.cpp
@@ -0,0 +1,95 @@
+//
+// Created by stephane bourque on 2021-10-23.
+//
+
+#include "RESTAPI/RESTAPI_oauth2_handler.h"
+#include "RESTAPI/RESTAPI_user_handler.h"
+#include "RESTAPI/RESTAPI_users_handler.h"
+#include "RESTAPI/RESTAPI_action_links.h"
+#include "RESTAPI/RESTAPI_system_endpoints_handler.h"
+#include "RESTAPI/RESTAPI_asset_server.h"
+#include "RESTAPI/RESTAPI_avatar_handler.h"
+#include "RESTAPI/RESTAPI_subavatar_handler.h"
+#include "RESTAPI/RESTAPI_email_handler.h"
+#include "RESTAPI/RESTAPI_sms_handler.h"
+#include "RESTAPI/RESTAPI_validate_token_handler.h"
+#include "RESTAPI/RESTAPI_preferences.h"
+#include "RESTAPI/RESTAPI_subpreferences.h"
+#include "RESTAPI/RESTAPI_suboauth2_handler.h"
+#include "RESTAPI/RESTAPI_subuser_handler.h"
+#include "RESTAPI/RESTAPI_subusers_handler.h"
+#include "RESTAPI/RESTAPI_validate_sub_token_handler.h"
+#include "RESTAPI/RESTAPI_submfa_handler.h"
+#include "RESTAPI/RESTAPI_totp_handler.h"
+#include "RESTAPI/RESTAPI_subtotp_handler.h"
+#include "RESTAPI/RESTAPI_signup_handler.h"
+#include "RESTAPI/RESTAPI_apiKey_handler.h"
+#include "RESTAPI/RESTAPI_validate_apikey.h"
+
+#include "framework/RESTAPI_SystemCommand.h"
+#include "framework/RESTAPI_WebSocketServer.h"
+
+namespace OpenWifi {
+
+    Poco::Net::HTTPRequestHandler * RESTAPI_ExtRouter(const std::string &Path, RESTAPIHandler::BindingMap &Bindings,
+                                                            Poco::Logger & L, RESTAPI_GenericServerAccounting & S,
+                                                            uint64_t TransactionId) {
+        return RESTAPI_Router<
+            RESTAPI_oauth2_handler,
+            RESTAPI_user_handler,
+            RESTAPI_users_handler,
+            RESTAPI_system_command,
+            RESTAPI_asset_server,
+            RESTAPI_system_endpoints_handler,
+            RESTAPI_action_links,
+            RESTAPI_avatar_handler,
+            RESTAPI_subavatar_handler,
+            RESTAPI_email_handler,
+            RESTAPI_sms_handler,
+            RESTAPI_preferences,
+            RESTAPI_subpreferences,
+            RESTAPI_suboauth2_handler,
+            RESTAPI_subuser_handler,
+            RESTAPI_subusers_handler,
+            RESTAPI_submfa_handler,
+            RESTAPI_totp_handler,
+            RESTAPI_subtotp_handler,
+            RESTAPI_signup_handler,
+            RESTAPI_validate_sub_token_handler,
+            RESTAPI_validate_token_handler,
+            RESTAPI_validate_apikey,
+            RESTAPI_webSocketServer,
+            RESTAPI_apiKey_handler
+        >(Path, Bindings, L, S,TransactionId);
+    }
+
+    Poco::Net::HTTPRequestHandler * RESTAPI_IntRouter(const std::string &Path, RESTAPIHandler::BindingMap &Bindings,
+                                                            Poco::Logger & L, RESTAPI_GenericServerAccounting & S, uint64_t TransactionId) {
+
+        return RESTAPI_Router_I<
+            RESTAPI_oauth2_handler,
+            RESTAPI_user_handler,
+            RESTAPI_users_handler,
+            RESTAPI_system_command,
+            RESTAPI_asset_server,
+            RESTAPI_system_endpoints_handler,
+            RESTAPI_action_links,
+            RESTAPI_avatar_handler,
+            RESTAPI_subavatar_handler,
+            RESTAPI_email_handler,
+            RESTAPI_sms_handler,
+            RESTAPI_preferences,
+            RESTAPI_subpreferences,
+            RESTAPI_suboauth2_handler,
+            RESTAPI_subuser_handler,
+            RESTAPI_subusers_handler,
+            RESTAPI_submfa_handler,
+            RESTAPI_totp_handler,
+            RESTAPI_subtotp_handler,
+            RESTAPI_validate_sub_token_handler,
+            RESTAPI_validate_token_handler,
+            RESTAPI_validate_apikey,
+            RESTAPI_signup_handler
+        >(Path, Bindings, L, S, TransactionId);
+    }
+}
--- a/src/RESTAPI/RESTAPI_signup_handler.cpp
+++ b/src/RESTAPI/RESTAPI_signup_handler.cpp
@@ -0,0 +1,75 @@
+//
+// Created by stephane bourque on 2022-02-20.
+//
+
+#include "RESTAPI_signup_handler.h"
+#include "StorageService.h"
+#include "RESTObjects/RESTAPI_SecurityObjects.h"
+#include "framework/MicroServiceFuncs.h"
+
+#define __DBG__ std::cout << __LINE__ << std::endl;
+namespace OpenWifi {
+
+    void RESTAPI_signup_handler::DoPost() {
+        auto UserName = GetParameter("email");
+        auto signupUUID = GetParameter("signupUUID");
+        auto owner = GetParameter("owner");
+        auto operatorName = GetParameter("operatorName");
+        if(UserName.empty() || signupUUID.empty() || owner.empty() || operatorName.empty()) {
+            Logger().error("Signup requires: email, signupUUID, operatorName, and owner.");
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+
+        if(!Utils::ValidEMailAddress(UserName)) {
+            return BadRequest(RESTAPI::Errors::InvalidEmailAddress);
+        }
+
+        // Do we already exist? Can only signup once...
+        SecurityObjects::UserInfo   Existing;
+        if(StorageService()->SubDB().GetUserByEmail(UserName,Existing)) {
+            if(Existing.signingUp.empty()) {
+                return BadRequest(RESTAPI::Errors::SignupAlreadySigned);
+            }
+
+            if(Existing.waitingForEmailCheck) {
+                return BadRequest(RESTAPI::Errors::SignupEmailCheck);
+            }
+
+            return BadRequest(RESTAPI::Errors::SignupWaitingForDevice);
+        }
+
+        SecurityObjects::UserInfo   NewSub;
+        NewSub.signingUp = operatorName + ":" + signupUUID;
+        NewSub.waitingForEmailCheck = true;
+        NewSub.name = UserName;
+        NewSub.modified = OpenWifi::Now();
+        NewSub.creationDate = OpenWifi::Now();
+        NewSub.id = MicroServiceCreateUUID();
+        NewSub.email = UserName;
+        NewSub.userRole = SecurityObjects::SUBSCRIBER;
+        NewSub.changePassword = true;
+        NewSub.owner = owner;
+
+        StorageService()->SubDB().CreateRecord(NewSub);
+
+        Logger_.information(fmt::format("SIGNUP-PASSWORD({}): Request for {}", Request->clientAddress().toString(), UserName));
+        SecurityObjects::ActionLink NewLink;
+
+        NewLink.action = OpenWifi::SecurityObjects::LinkActions::SUB_SIGNUP;
+        NewLink.id = MicroServiceCreateUUID();
+        NewLink.userId = NewSub.id;
+        NewLink.created = OpenWifi::Now();
+        NewLink.expires = NewLink.created + (1*60*60);  // 1 hour
+        NewLink.userAction = false;
+        StorageService()->ActionLinksDB().CreateAction(NewLink);
+
+        Poco::JSON::Object  Answer;
+        NewSub.to_json(Answer);
+        return ReturnObject(Answer);
+    }
+
+    void RESTAPI_signup_handler::DoPut() {
+        // TODO
+    }
+
+}
--- a/src/RESTAPI/RESTAPI_signup_handler.h
+++ b/src/RESTAPI/RESTAPI_signup_handler.h
@@ -0,0 +1,39 @@
+//
+// Created by stephane bourque on 2022-02-20.
+//
+
+#pragma once
+
+#include "framework/RESTAPI_Handler.h"
+
+namespace OpenWifi {
+    class RESTAPI_signup_handler : public RESTAPIHandler {
+    public:
+        RESTAPI_signup_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting & Server, uint64_t TransactionId, bool Internal)
+                : RESTAPIHandler(bindings, L,
+                                 std::vector<std::string>{
+                                         Poco::Net::HTTPRequest::HTTP_POST,
+                                         Poco::Net::HTTPRequest::HTTP_OPTIONS,
+                                         Poco::Net::HTTPRequest::HTTP_PUT},
+                                 Server,
+                                 TransactionId,
+                                 Internal, false, true ){}
+
+        static auto PathName() { return std::list<std::string>{"/api/v1/signup"}; };
+
+/*        inline bool RoleIsAuthorized(std::string & Reason) {
+            if(UserInfo_.userinfo.userRole != SecurityObjects::USER_ROLE::SUBSCRIBER) {
+                Reason = "User must be a subscriber";
+                return false;
+            }
+            return true;
+        }
+*/
+        void DoGet() final {};
+        void DoPost() final;
+        void DoPut() final ;
+        void DoDelete() final {};
+    private:
+
+    };
+}
--- a/src/RESTAPI/RESTAPI_sms_handler.cpp
+++ b/src/RESTAPI/RESTAPI_sms_handler.cpp
@@ -4,13 +4,16 @@

 #include "RESTAPI_sms_handler.h"
 #include "SMSSender.h"
-#include "framework/RESTAPI_errors.h"
-#include "framework/MicroService.h"
+#include "framework/ow_constants.h"

 namespace OpenWifi {

    void OpenWifi::RESTAPI_sms_handler::DoPost() {
-        auto Obj = ParseStream();
+        const auto &Obj = ParsedBody_;
+
+        if(!SMSSender()->Enabled()) {
+            return BadRequest(RESTAPI::Errors::SMSMFANotEnabled);
+        }

        std::string Arg;
        if(HasParameter("validateNumber",Arg) && Arg=="true" && Obj->has("to")) {
@@ -18,7 +21,7 @@ namespace OpenWifi {
            if(SMSSender()->StartValidation(Number, UserInfo_.userinfo.email)) {
                return OK();
            }
-            return BadRequest("SMS could not be sent to validate device, try later or change the phone number.");
+            return BadRequest(RESTAPI::Errors::SMSCouldNotBeSentRetry);
        }

        std::string Code;
@@ -30,7 +33,13 @@ namespace OpenWifi {
            if(SMSSender()->CompleteValidation(Number, Code, UserInfo_.userinfo.email)) {
                return OK();
            }
-            return BadRequest("Code and number could not be validated");
+            return BadRequest(RESTAPI::Errors::SMSCouldNotValidate);
+        }
+
+        if( UserInfo_.userinfo.userRole!=SecurityObjects::ROOT &&
+            UserInfo_.userinfo.userRole!=SecurityObjects::PARTNER &&
+            UserInfo_.userinfo.userRole!=SecurityObjects::ADMIN) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
        }

        if (Obj->has("to") &&
@@ -41,7 +50,7 @@ namespace OpenWifi {
            if(SMSSender()->Send(PhoneNumber, Text))
                return OK();

-            return InternalError("SMS Message could not be sent.");
+            return InternalError(RESTAPI::Errors::SMSCouldNotBeSentRetry);
        }
        BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
    }
--- a/src/RESTAPI/RESTAPI_sms_handler.h
+++ b/src/RESTAPI/RESTAPI_sms_handler.h
@@ -2,27 +2,24 @@
 // Created by stephane bourque on 2021-10-09.
 //

-#ifndef OWSEC_RESTAPI_SMS_HANDLER_H
-#define OWSEC_RESTAPI_SMS_HANDLER_H
+#pragma once

-
-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
    class RESTAPI_sms_handler : public RESTAPIHandler {
    public:
-        RESTAPI_sms_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, bool Internal)
+        RESTAPI_sms_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
        : RESTAPIHandler(bindings, L,
                         std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
                                                  Poco::Net::HTTPRequest::HTTP_OPTIONS},
                                                  Server,
+                                                  TransactionId,
                                                  Internal) {}
-                                                  static const std::list<const char *> PathName() { return std::list<const char *>{"/api/v1/sms"};}
+        static auto PathName() { return std::list<std::string>{"/api/v1/sms"};}
        void DoGet() final {};
        void DoPost() final;
        void DoDelete() final {};
        void DoPut() final {};
    };
 }
-
-#endif //OWSEC_RESTAPI_SMS_HANDLER_H
--- a/src/RESTAPI/RESTAPI_subavatar_handler.cpp
+++ b/src/RESTAPI/RESTAPI_subavatar_handler.cpp
@@ -0,0 +1,82 @@
+//
+// Created by stephane bourque on 2021-07-15.
+//
+
+#include <fstream>
+#include <iostream>
+
+#include "RESTAPI_subavatar_handler.h"
+#include "StorageService.h"
+#include "Poco/Net/HTMLForm.h"
+#include "Poco/CountingStream.h"
+#include "framework/MicroServiceFuncs.h"
+
+namespace OpenWifi {
+
+    void SubAvatarPartHandler::handlePart(const Poco::Net::MessageHeader &Header, std::istream &Stream) {
+        FileType_ = Header.get(RESTAPI::Protocol::CONTENTTYPE, RESTAPI::Protocol::UNSPECIFIED);
+        if (Header.has(RESTAPI::Protocol::CONTENTDISPOSITION)) {
+            std::string Disposition;
+            Poco::Net::NameValueCollection Parameters;
+            Poco::Net::MessageHeader::splitParameters(Header[RESTAPI::Protocol::CONTENTDISPOSITION], Disposition, Parameters);
+            Name_ = Parameters.get(RESTAPI::Protocol::NAME, RESTAPI::Protocol::UNNAMED);
+        }
+        Poco::CountingInputStream InputStream(Stream);
+        Poco::StreamCopier::copyStream(InputStream, OutputStream_);
+        Length_ = OutputStream_.str().size();
+    };
+
+    void RESTAPI_subavatar_handler::DoPost() {
+        std::string Id = UserInfo_.userinfo.id;
+        SecurityObjects::UserInfo UInfo;
+
+        std::stringstream SS;
+        SubAvatarPartHandler partHandler(Id, Logger_, SS);
+        Poco::Net::HTMLForm form(*Request, Request->stream(), partHandler);
+        Poco::JSON::Object Answer;
+
+        if (!partHandler.Name().empty() && partHandler.Length()< MicroServiceConfigGetInt("openwifi.avatar.maxsize",2000000)) {
+            Answer.set(RESTAPI::Protocol::AVATARID, Id);
+            Answer.set(RESTAPI::Protocol::ERRORCODE, 0);
+            Logger_.information(fmt::format("Uploaded avatar: {} Type: {}", partHandler.Name(), partHandler.ContentType()));
+            StorageService()->SubAvatarDB().SetAvatar(UserInfo_.userinfo.email,
+                                 Id, SS.str(), partHandler.ContentType(), partHandler.Name());
+            StorageService()->SubDB().SetAvatar(Id,"1");
+            Logger().information(fmt::format("Adding avatar for {}",UserInfo_.userinfo.email));
+        } else {
+            Answer.set(RESTAPI::Protocol::AVATARID, Id);
+            Answer.set(RESTAPI::Protocol::ERRORCODE, 13);
+            Answer.set(RESTAPI::Protocol::ERRORTEXT, "Avatar upload could not complete.");
+        }
+        ReturnObject(Answer);
+    }
+
+    void RESTAPI_subavatar_handler::DoGet() {
+        std::string Id = GetBinding(RESTAPI::Protocol::ID, "");
+        if (Id.empty()) {
+            return NotFound();
+        }
+
+        std::string Type, Name, AvatarContent;
+        if (!StorageService()->SubAvatarDB().GetAvatar(UserInfo_.userinfo.email, Id, AvatarContent, Type, Name)) {
+            return NotFound();
+        }
+        Logger().information(fmt::format("Retrieving avatar for {}",UserInfo_.userinfo.email));
+        return SendFileContent(AvatarContent, Type, Name);
+    }
+
+    void RESTAPI_subavatar_handler::DoDelete() {
+        std::string Id = GetBinding(RESTAPI::Protocol::ID, "");
+
+        if(UserInfo_.userinfo.userRole!=SecurityObjects::ROOT && Id!=UserInfo_.userinfo.id) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+
+        if (!StorageService()->SubAvatarDB().DeleteAvatar(UserInfo_.userinfo.email, Id)) {
+            return NotFound();
+        }
+        Logger().information(fmt::format("Deleted avatar for {}",UserInfo_.userinfo.email));
+        StorageService()->SubDB().SetAvatar(Id,"");
+        OK();
+    }
+}
--- a/src/RESTAPI/RESTAPI_subavatar_handler.h
+++ b/src/RESTAPI/RESTAPI_subavatar_handler.h
@@ -0,0 +1,54 @@
+//
+// Created by stephane bourque on 2021-07-15.
+//
+#pragma once
+
+#include "framework/RESTAPI_Handler.h"
+#include "Poco/Net/PartHandler.h"
+
+namespace OpenWifi {
+
+    class SubAvatarPartHandler : public Poco::Net::PartHandler {
+    public:
+        SubAvatarPartHandler(std::string Id, Poco::Logger &Logger, std::stringstream & ofs) :
+                Id_(std::move(Id)),
+                Logger_(Logger),
+                OutputStream_(ofs){
+        }
+        void handlePart(const Poco::Net::MessageHeader &Header, std::istream &Stream);
+        [[nodiscard]] uint64_t Length() const { return Length_; }
+        [[nodiscard]] std::string &Name() { return Name_; }
+        [[nodiscard]] std::string &ContentType() { return FileType_; }
+
+    private:
+        uint64_t        Length_ = 0;
+        std::string     FileType_;
+        std::string     Name_;
+        std::string     Id_;
+        Poco::Logger    &Logger_;
+        std::stringstream &OutputStream_;
+
+        inline Poco::Logger & Logger() { return Logger_; }
+    };
+
+    class RESTAPI_subavatar_handler : public RESTAPIHandler {
+    public:
+        RESTAPI_subavatar_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
+                : RESTAPIHandler(bindings, L,
+                                 std::vector<std::string>{
+                                         Poco::Net::HTTPRequest::HTTP_GET,
+                                         Poco::Net::HTTPRequest::HTTP_POST,
+                                         Poco::Net::HTTPRequest::HTTP_DELETE,
+                                         Poco::Net::HTTPRequest::HTTP_OPTIONS},
+                                         Server,
+                                         TransactionId,
+                                         Internal) {}
+        static auto PathName() { return std::list<std::string>{"/api/v1/subavatar/{id}"}; };
+
+        void DoGet() final;
+        void DoPost() final;
+        void DoDelete() final;
+        void DoPut() final {};
+
+    };
+}
--- a/src/RESTAPI/RESTAPI_submfa_handler.cpp
+++ b/src/RESTAPI/RESTAPI_submfa_handler.cpp
@@ -0,0 +1,138 @@
+//
+// Created by stephane bourque on 2021-12-01.
+//
+
+#include "RESTAPI_submfa_handler.h"
+#include "StorageService.h"
+#include "SMSSender.h"
+#include "framework/MicroServiceFuncs.h"
+
+namespace OpenWifi {
+
+    void RESTAPI_submfa_handler::DoGet() {
+        SecurityObjects::UserInfo   User;
+
+        if (StorageService()->SubDB().GetUserById(UserInfo_.userinfo.id,User)) {
+            Poco::JSON::Object              Answer;
+            SecurityObjects::SubMfaConfig   MFC;
+
+            MFC.id = User.id;
+            if(User.userTypeProprietaryInfo.mfa.enabled) {
+                if(User.userTypeProprietaryInfo.mfa.method == "sms") {
+                    MFC.sms = User.userTypeProprietaryInfo.mobiles[0].number;
+                    MFC.type = "sms";
+                } else if(User.userTypeProprietaryInfo.mfa.method == "email") {
+                    MFC.email = User.email;
+                    MFC.type = "email";
+                }
+            } else {
+                MFC.type = "disabled";
+            }
+            MFC.to_json(Answer);
+            return ReturnObject(Answer);
+        }
+        NotFound();
+    }
+
+    void RESTAPI_submfa_handler::DoPut() {
+
+        try {
+            const auto & Body = ParsedBody_;
+
+            SecurityObjects::SubMfaConfig MFC;
+
+            if (!MFC.from_json(Body)) {
+                return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+            }
+
+            if (MFC.type == "disabled") {
+                SecurityObjects::UserInfo User;
+                StorageService()->SubDB().GetUserById(UserInfo_.userinfo.id, User);
+                User.userTypeProprietaryInfo.mfa.enabled = false;
+                StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email, UserInfo_.userinfo.id, User);
+
+                Poco::JSON::Object Answer;
+                MFC.to_json(Answer);
+                return ReturnObject(Answer);
+            } else if (MFC.type == "email") {
+                SecurityObjects::UserInfo User;
+
+                StorageService()->SubDB().GetUserById(UserInfo_.userinfo.id, User);
+                User.userTypeProprietaryInfo.mfa.enabled = true;
+                User.userTypeProprietaryInfo.mfa.method = "email";
+                StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email, UserInfo_.userinfo.id, User);
+
+                MFC.sms = MFC.sms;
+                MFC.type = "email";
+                MFC.email = UserInfo_.userinfo.email;
+                MFC.id = MicroServiceCreateUUID();
+
+                Poco::JSON::Object Answer;
+                MFC.to_json(Answer);
+                return ReturnObject(Answer);
+
+            } else if (MFC.type == "sms") {
+                if (GetBoolParameter("startValidation", false)) {
+                    if (MFC.sms.empty()) {
+                        return BadRequest(RESTAPI::Errors::SMSMissingPhoneNumber);
+                    }
+
+                    if(!SMSSender()->Enabled()) {
+                        return BadRequest(RESTAPI::Errors::SMSMFANotEnabled);
+                    }
+
+                    if (SMSSender()->StartValidation(MFC.sms, UserInfo_.userinfo.email)) {
+                        return OK();
+                    } else {
+                        return InternalError(RESTAPI::Errors::SMSTryLater);
+                    }
+                } else if (GetBoolParameter("completeValidation", false)) {
+
+                    if(!SMSSender()->Enabled()) {
+                        return BadRequest(RESTAPI::Errors::SMSMFANotEnabled);
+                    }
+
+                    auto ChallengeCode = GetParameter("challengeCode", "");
+                    if (ChallengeCode.empty()) {
+                        return BadRequest(RESTAPI::Errors::SMSMissingChallenge);
+                    }
+                    if (MFC.sms.empty()) {
+                        return BadRequest(RESTAPI::Errors::SMSMissingPhoneNumber);
+                    }
+                    if (SMSSender()->CompleteValidation(MFC.sms, ChallengeCode, UserInfo_.userinfo.email)) {
+                        SecurityObjects::UserInfo User;
+
+                        StorageService()->SubDB().GetUserById(UserInfo_.userinfo.id, User);
+                        User.userTypeProprietaryInfo.mfa.enabled = true;
+                        User.userTypeProprietaryInfo.mfa.method = "sms";
+                        SecurityObjects::MobilePhoneNumber PhoneNumber;
+                        PhoneNumber.number = MFC.sms;
+                        PhoneNumber.primary = true;
+                        PhoneNumber.verified = true;
+                        User.userTypeProprietaryInfo.mobiles.clear();
+                        User.userTypeProprietaryInfo.mobiles.push_back(PhoneNumber);
+
+                        StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email, UserInfo_.userinfo.id, User);
+
+                        MFC.sms = MFC.sms;
+                        MFC.type = "sms";
+                        MFC.email = UserInfo_.userinfo.email;
+                        MFC.id = MicroServiceCreateUUID();
+
+                        Poco::JSON::Object Answer;
+                        MFC.to_json(Answer);
+
+                        return ReturnObject(Answer);
+
+                    } else {
+                        return InternalError(RESTAPI::Errors::SMSTryLater);
+                    }
+                }
+            }
+        } catch (const Poco::Exception &E) {
+            Logger_.log(E);
+        }
+        return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+    }
+
+}
--- a/src/RESTAPI/RESTAPI_submfa_handler.h
+++ b/src/RESTAPI/RESTAPI_submfa_handler.h
@@ -0,0 +1,27 @@
+//
+// Created by stephane bourque on 2021-12-01.
+//
+
+#pragma once
+
+#include "framework/RESTAPI_Handler.h"
+
+namespace OpenWifi {
+    class RESTAPI_submfa_handler : public RESTAPIHandler {
+    public:
+        RESTAPI_submfa_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
+        : RESTAPIHandler(bindings, L,
+                         std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_PUT,
+                                                  Poco::Net::HTTPRequest::HTTP_GET,
+                                                  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+                                                  Server,
+                                                  TransactionId,
+                                                  Internal, true, false , RateLimit{.Interval=1000,.MaxCalls=10},
+                                                  true) {}
+        static auto PathName() { return std::list<std::string>{"/api/v1/submfa"}; };
+        void DoGet() final;
+        void DoPost() final {};
+        void DoDelete() final {};
+        void DoPut() final ;
+    };
+}
--- a/src/RESTAPI/RESTAPI_suboauth2_handler.cpp
+++ b/src/RESTAPI/RESTAPI_suboauth2_handler.cpp
@@ -0,0 +1,164 @@
+//
+// Created by stephane bourque on 2021-11-30.
+//
+
+#include "RESTAPI_suboauth2_handler.h"
+#include "AuthService.h"
+#include "MFAServer.h"
+#include "StorageService.h"
+#include "RESTAPI/RESTAPI_db_helpers.h"
+
+namespace OpenWifi {
+
+    void RESTAPI_suboauth2_handler::DoGet() {
+        bool Expired = false, Contacted = false;
+        if (!IsAuthorized(Expired, Contacted, true)) {
+            if(Expired)
+                return UnAuthorized(RESTAPI::Errors::EXPIRED_TOKEN);
+            return UnAuthorized(RESTAPI::Errors::INVALID_TOKEN);
+        }
+        bool GetMe = GetBoolParameter(RESTAPI::Protocol::ME, false);
+        if(GetMe) {
+            Logger_.information(fmt::format("REQUEST-ME({}): Request for {}", Request->clientAddress().toString(),
+                                             UserInfo_.userinfo.email));
+            Poco::JSON::Object Me;
+            SecurityObjects::UserInfo   ReturnedUser = UserInfo_.userinfo;
+            Sanitize(UserInfo_, ReturnedUser);
+            ReturnedUser.to_json(Me);
+            return ReturnObject(Me);
+        }
+        BadRequest(RESTAPI::Errors::UnrecognizedRequest);
+    }
+
+    void RESTAPI_suboauth2_handler::DoDelete() {
+        auto Token = GetBinding(RESTAPI::Protocol::TOKEN, "");
+        std::string SessionToken;
+        try {
+            Poco::Net::OAuth20Credentials Auth(*Request);
+            if (Auth.getScheme() == "Bearer") {
+                SessionToken = Auth.getBearerToken();
+            }
+        } catch (const Poco::Exception &E) {
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+        if (Token.empty() || (Token != SessionToken)) {
+            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+        }
+        AuthService()->SubLogout(Token);
+        return ReturnStatus(Poco::Net::HTTPResponse::HTTP_NO_CONTENT, true);
+    }
+
+    void RESTAPI_suboauth2_handler::DoPost() {
+        const auto & Obj = ParsedBody_;
+        auto userId = GetS(RESTAPI::Protocol::USERID, Obj);
+        auto password = GetS(RESTAPI::Protocol::PASSWORD, Obj);
+        auto newPassword = GetS(RESTAPI::Protocol::NEWPASSWORD, Obj);
+        auto refreshToken = GetS("refreshToken", Obj);
+        auto grant_type = GetParameter("grant_type");
+
+        Poco::toLowerInPlace(userId);
+
+        if(!refreshToken.empty() && grant_type == "refresh_token") {
+            SecurityObjects::UserInfoAndPolicy UInfo;
+            if(AuthService()->RefreshSubToken(*Request, refreshToken, UInfo)) {
+                Poco::JSON::Object  Answer;
+                UInfo.webtoken.to_json(Answer);
+                return ReturnObject(Answer);
+            } else {
+                return UnAuthorized(RESTAPI::Errors::CANNOT_REFRESH_TOKEN);
+            }
+        }
+
+        if(GetBoolParameter(RESTAPI::Protocol::REQUIREMENTS)) {
+            Logger_.information(fmt::format("POLICY-REQUEST({}): Request.", Request->clientAddress().toString()));
+            Poco::JSON::Object  Answer;
+            Answer.set(RESTAPI::Protocol::PASSWORDPATTERN, AuthService()->SubPasswordValidationExpression());
+            Answer.set(RESTAPI::Protocol::ACCESSPOLICY, AuthService()->GetSubAccessPolicy());
+            Answer.set(RESTAPI::Protocol::PASSWORDPOLICY, AuthService()->GetSubPasswordPolicy());
+            return ReturnObject(Answer);
+        }
+
+        if(GetBoolParameter(RESTAPI::Protocol::FORGOTPASSWORD)) {
+            SecurityObjects::UserInfo UInfo1;
+            auto UserExists = StorageService()->SubDB().GetUserByEmail(userId,UInfo1);
+            if(UserExists) {
+                Logger_.information(fmt::format("FORGOTTEN-PASSWORD({}): Request for {}", Request->clientAddress().toString(), userId));
+                SecurityObjects::ActionLink NewLink;
+
+                NewLink.action = OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD;
+                NewLink.id = MicroServiceCreateUUID();
+                NewLink.userId = UInfo1.id;
+                NewLink.created = OpenWifi::Now();
+                NewLink.expires = NewLink.created + (24*60*60);
+                NewLink.userAction = false;
+                StorageService()->ActionLinksDB().CreateAction(NewLink);
+
+                Poco::JSON::Object ReturnObj;
+                SecurityObjects::UserInfoAndPolicy UInfo;
+                UInfo.webtoken.userMustChangePassword = true;
+                UInfo.webtoken.to_json(ReturnObj);
+                return ReturnObject(ReturnObj);
+            } else {
+                Poco::JSON::Object ReturnObj;
+                SecurityObjects::UserInfoAndPolicy UInfo;
+                UInfo.webtoken.userMustChangePassword = true;
+                UInfo.webtoken.to_json(ReturnObj);
+                return ReturnObject(ReturnObj);
+            }
+        }
+
+        if(GetBoolParameter(RESTAPI::Protocol::RESENDMFACODE)) {
+            Logger_.information(fmt::format("RESEND-MFA-CODE({}): Request for {}", Request->clientAddress().toString(), userId));
+            if(Obj->has("uuid")) {
+                auto uuid = Obj->get("uuid").toString();
+                if(MFAServer()->ResendCode(uuid))
+                    return OK();
+            }
+            return UnAuthorized(RESTAPI::Errors::BAD_MFA_TRANSACTION);
+        }
+
+        if(GetBoolParameter(RESTAPI::Protocol::COMPLETEMFACHALLENGE)) {
+            Logger_.information(fmt::format("COMPLETE-MFA-CHALLENGE({}): Request for {}", Request->clientAddress().toString(), userId));
+            if(Obj->has("uuid") && Obj->has("answer")) {
+                SecurityObjects::UserInfoAndPolicy UInfo;
+                if(MFAServer()->CompleteMFAChallenge(Obj,UInfo)) {
+                    Poco::JSON::Object ReturnObj;
+                    UInfo.webtoken.to_json(ReturnObj);
+                    return ReturnObject(ReturnObj);
+                }
+            }
+            return UnAuthorized(RESTAPI::Errors::MFA_FAILURE);
+        }
+
+        SecurityObjects::UserInfoAndPolicy UInfo;
+        bool Expired=false;
+        auto Code=AuthService()->AuthorizeSub(userId, password, newPassword, UInfo, Expired);
+        if (Code==SUCCESS) {
+            Poco::JSON::Object ReturnObj;
+            if(AuthService()->RequiresMFA(UInfo)) {
+                if(MFAServer()->StartMFAChallenge(UInfo, ReturnObj)) {
+                    return ReturnObject(ReturnObj);
+                }
+                Logger_.warning("MFA Seems to be broken. Please fix. Disabling MFA checking for now.");
+            }
+            UInfo.webtoken.to_json(ReturnObj);
+            return ReturnObject(ReturnObj);
+        } else {
+            switch(Code) {
+                case INVALID_CREDENTIALS:
+                    return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
+                case PASSWORD_INVALID:
+                    return UnAuthorized(RESTAPI::Errors::PASSWORD_INVALID);
+                case PASSWORD_ALREADY_USED:
+                    return UnAuthorized(RESTAPI::Errors::PASSWORD_ALREADY_USED);
+                case USERNAME_PENDING_VERIFICATION:
+                    return UnAuthorized(RESTAPI::Errors::USERNAME_PENDING_VERIFICATION);
+                case PASSWORD_CHANGE_REQUIRED:
+                    return UnAuthorized(RESTAPI::Errors::PASSWORD_CHANGE_REQUIRED);
+                default:
+                    return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS); break;
+            }
+            return;
+        }
+    }
+}
--- a/src/RESTAPI/RESTAPI_suboauth2_handler.h
+++ b/src/RESTAPI/RESTAPI_suboauth2_handler.h
@@ -0,0 +1,27 @@
+//
+// Created by stephane bourque on 2021-11-30.
+//
+
+#pragma once
+#include "framework/RESTAPI_Handler.h"
+
+namespace OpenWifi {
+    class RESTAPI_suboauth2_handler : public RESTAPIHandler {
+    public:
+        RESTAPI_suboauth2_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
+        : RESTAPIHandler(bindings, L,
+                         std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
+                                                  Poco::Net::HTTPRequest::HTTP_DELETE,
+                                                  Poco::Net::HTTPRequest::HTTP_GET,
+                                                  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+                                                  Server,
+                                                  TransactionId,
+                                                  Internal, false, false , RateLimit{.Interval=1000,.MaxCalls=10},
+                                                  false) {}
+        static auto PathName() { return std::list<std::string>{"/api/v1/suboauth2/{token}","/api/v1/suboauth2"}; };
+        void DoGet() final;
+        void DoPost() final;
+        void DoDelete() final;
+        void DoPut() final {};
+    };
+}
--- a/src/RESTAPI/RESTAPI_subpreferences.cpp
+++ b/src/RESTAPI/RESTAPI_subpreferences.cpp
@@ -0,0 +1,36 @@
+//
+// Created by stephane bourque on 2021-11-16.
+//
+
+#include "RESTAPI_subpreferences.h"
+#include "StorageService.h"
+
+namespace OpenWifi {
+
+    void RESTAPI_subpreferences::DoGet() {
+        SecurityObjects::Preferences    P;
+        Poco::JSON::Object  Answer;
+        StorageService()->SubPreferencesDB().GetPreferences(UserInfo_.userinfo.id, P);
+        P.to_json(Answer);
+        ReturnObject(Answer);
+    }
+
+    void RESTAPI_subpreferences::DoPut() {
+
+        SecurityObjects::Preferences    P;
+
+        const auto & RawObject = ParsedBody_;
+        if(!P.from_json(RawObject)) {
+            return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+        }
+
+        P.id = UserInfo_.userinfo.id;
+        P.modified = OpenWifi::Now();
+        StorageService()->SubPreferencesDB().SetPreferences(P);
+
+        Poco::JSON::Object  Answer;
+        P.to_json(Answer);
+        ReturnObject(Answer);
+    }
+
+}
--- a/src/RESTAPI/RESTAPI_subpreferences.h
+++ b/src/RESTAPI/RESTAPI_subpreferences.h
@@ -0,0 +1,27 @@
+//
+// Created by stephane bourque on 2021-11-16.
+//
+
+#pragma once
+
+#include "framework/RESTAPI_Handler.h"
+
+namespace OpenWifi {
+    class RESTAPI_subpreferences : public RESTAPIHandler {
+    public:
+        RESTAPI_subpreferences(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
+        : RESTAPIHandler(bindings, L,
+                         std::vector<std::string>{
+            Poco::Net::HTTPRequest::HTTP_GET,
+            Poco::Net::HTTPRequest::HTTP_PUT,
+            Poco::Net::HTTPRequest::HTTP_OPTIONS},
+            Server,
+            TransactionId,
+            Internal) {}
+        static auto PathName() { return std::list<std::string>{"/api/v1/subpreferences"}; };
+        void DoGet() final;
+        void DoPut() final;
+        void DoPost() final {};
+        void DoDelete() final {};
+    };
+}
--- a/src/RESTAPI/RESTAPI_subtotp_handler.cpp
+++ b/src/RESTAPI/RESTAPI_subtotp_handler.cpp
@@ -0,0 +1,38 @@
+//
+// Created by stephane bourque on 2022-01-31.
+//
+
+#include "RESTAPI_subtotp_handler.h"
+
+#include "TotpCache.h"
+#include "framework/MicroServiceFuncs.h"
+
+namespace OpenWifi {
+
+    void RESTAPI_subtotp_handler::DoGet() {
+
+        auto Reset = GetBoolParameter("reset",false);
+        std::string QRCode;
+
+        if(TotpCache()->StartValidation(UserInfo_.userinfo,true,QRCode,Reset)) {
+            return SendFileContent(QRCode, "image/svg+xml","qrcode.svg");
+        }
+        return BadRequest(RESTAPI::Errors::InvalidCommand);
+    }
+
+    void RESTAPI_subtotp_handler::DoPut() {
+        auto Value = GetParameter("value","");
+        auto nextIndex = GetParameter("index",0);
+        bool moreCodes=false;
+
+        RESTAPI::Errors::msg    Error;
+        if(TotpCache()->ContinueValidation(UserInfo_.userinfo,true,Value,nextIndex,moreCodes, Error )) {
+            Poco::JSON::Object Answer;
+            Answer.set("nextIndex", nextIndex);
+            Answer.set("moreCodes", moreCodes);
+            return ReturnObject(Answer);
+        }
+        return BadRequest(Error);
+    }
+
+}
--- a/src/RESTAPI/RESTAPI_subtotp_handler.h
+++ b/src/RESTAPI/RESTAPI_subtotp_handler.h
@@ -0,0 +1,29 @@
+//
+// Created by stephane bourque on 2022-01-31.
+//
+
+#include "framework/RESTAPI_Handler.h"
+
+namespace OpenWifi {
+    class RESTAPI_subtotp_handler : public RESTAPIHandler {
+    public:
+        RESTAPI_subtotp_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
+                : RESTAPIHandler(bindings, L,
+                                 std::vector<std::string>
+                                         {
+                                                 Poco::Net::HTTPRequest::HTTP_GET,
+                                                 Poco::Net::HTTPRequest::HTTP_PUT,
+                                                 Poco::Net::HTTPRequest::HTTP_OPTIONS
+                                         },
+                                 Server,
+                                 TransactionId,
+                                 Internal) {}
+        static auto PathName() { return std::list<std::string>{"/api/v1/subtotp"}; };
+        void DoGet() final;
+        void DoPost() final {};
+        void DoDelete() final {};
+        void DoPut() final;
+    private:
+
+    };
+}
--- a/src/RESTAPI/RESTAPI_subuser_handler.cpp
+++ b/src/RESTAPI/RESTAPI_subuser_handler.cpp
@@ -0,0 +1,318 @@
+//
+// Created by stephane bourque on 2021-11-30.
+//
+
+#include "RESTAPI_subuser_handler.h"
+#include "StorageService.h"
+#include "framework/ow_constants.h"
+#include "SMSSender.h"
+#include "SMTPMailerService.h"
+#include "ACLProcessor.h"
+#include "AuthService.h"
+#include "RESTAPI/RESTAPI_db_helpers.h"
+#include "MFAServer.h"
+#include "TotpCache.h"
+
+#include "framework/MicroServiceFuncs.h"
+
+namespace OpenWifi {
+
+    void RESTAPI_subuser_handler::DoGet() {
+        std::string Id = GetBinding("id", "");
+        if(Id.empty()) {
+            return BadRequest(RESTAPI::Errors::MissingUserID);
+        }
+
+        Poco::toLowerInPlace(Id);
+        std::string Arg;
+        SecurityObjects::UserInfo   UInfo;
+        if(HasParameter("byEmail",Arg) && Arg=="true") {
+            if(!StorageService()->SubDB().GetUserByEmail(Id,UInfo)) {
+                return NotFound();
+            }
+        } else if(!StorageService()->SubDB().GetUserById(Id,UInfo)) {
+            return NotFound();
+        }
+
+        Poco::JSON::Object  UserInfoObject;
+        Sanitize(UserInfo_, UInfo);
+        UInfo.to_json(UserInfoObject);
+        ReturnObject(UserInfoObject);
+    }
+
+    void RESTAPI_subuser_handler::DoDelete() {
+        std::string Id = GetBinding("id", "");
+        if(Id.empty()) {
+            return BadRequest(RESTAPI::Errors::MissingUserID);
+        }
+
+        SecurityObjects::UserInfo TargetUser;
+        if(!StorageService()->SubDB().GetUserById(Id,TargetUser)) {
+            return NotFound();
+        }
+
+        if(TargetUser.userRole != SecurityObjects::SUBSCRIBER) {
+            return BadRequest(RESTAPI::Errors::InvalidUserRole);
+        }
+
+        if(!Internal_ && !ACLProcessor::Can(UserInfo_.userinfo, TargetUser,ACLProcessor::DELETE)) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+
+        if(!StorageService()->SubDB().DeleteUser(UserInfo_.userinfo.email,Id)) {
+            return NotFound();
+        }
+
+        AuthService()->DeleteSubUserFromCache(Id);
+        StorageService()->SubTokenDB().RevokeAllTokens(TargetUser.email);
+        StorageService()->SubPreferencesDB().DeleteRecord("id", Id);
+        StorageService()->SubAvatarDB().DeleteRecord("id", Id);
+        Logger_.information(fmt::format("User '{}' deleted by '{}'.",Id,UserInfo_.userinfo.email));
+        OK();
+    }
+
+    void RESTAPI_subuser_handler::DoPost() {
+        std::string Id = GetBinding("id", "");
+        if(Id!="0") {
+            return BadRequest(RESTAPI::Errors::IdMustBe0);
+        }
+
+        SecurityObjects::UserInfo   NewUser;
+        const auto & RawObject = ParsedBody_;
+        if(!NewUser.from_json(RawObject)) {
+            return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+        }
+
+        if(NewUser.userRole == SecurityObjects::UNKNOWN || NewUser.userRole != SecurityObjects::SUBSCRIBER) {
+            return BadRequest(RESTAPI::Errors::InvalidUserRole);
+        }
+
+        Poco::toLowerInPlace(NewUser.email);
+        SecurityObjects::UserInfo   Existing;
+        if(StorageService()->SubDB().GetUserByEmail(NewUser.email,Existing)) {
+            return BadRequest(RESTAPI::Errors::UserAlreadyExists);
+        }
+
+        if(!Internal_ && !ACLProcessor::Can(UserInfo_.userinfo,NewUser,ACLProcessor::CREATE)) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+
+        Poco::toLowerInPlace(NewUser.email);
+        if(!Utils::ValidEMailAddress(NewUser.email)) {
+            return BadRequest(RESTAPI::Errors::InvalidEmailAddress);
+        }
+
+        if(!NewUser.currentPassword.empty()) {
+            if(!AuthService()->ValidateSubPassword(NewUser.currentPassword)) {
+                return BadRequest(RESTAPI::Errors::InvalidPassword);
+            }
+        }
+
+        if(NewUser.name.empty())
+            NewUser.name = NewUser.email;
+
+        //  You cannot enable MFA during user creation
+        NewUser.userTypeProprietaryInfo.mfa.enabled = false;
+        NewUser.userTypeProprietaryInfo.mfa.method = "";
+        NewUser.userTypeProprietaryInfo.mobiles.clear();
+        NewUser.userTypeProprietaryInfo.authenticatorSecret.clear();
+
+        if(!StorageService()->SubDB().CreateUser(UserInfo_.userinfo.email, NewUser)) {
+            Logger_.information(fmt::format("Could not add user '{}'.",NewUser.email));
+            return BadRequest(RESTAPI::Errors::RecordNotCreated);
+        }
+
+        if(GetParameter("email_verification","false")=="true") {
+            if(AuthService::VerifySubEmail(NewUser))
+                Logger_.information(fmt::format("Verification e-mail requested for {}",NewUser.email));
+            StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email,NewUser.id,NewUser);
+        }
+
+        if(!StorageService()->SubDB().GetUserByEmail(NewUser.email, NewUser)) {
+            Logger_.information(fmt::format("User '{}' but not retrieved.",NewUser.email));
+            return NotFound();
+        }
+
+        Poco::JSON::Object  UserInfoObject;
+        Sanitize(UserInfo_, NewUser);
+        NewUser.to_json(UserInfoObject);
+        ReturnObject(UserInfoObject);
+        Logger_.information(fmt::format("User '{}' has been added by '{}')",NewUser.email, UserInfo_.userinfo.email));
+    }
+
+    void RESTAPI_subuser_handler::DoPut() {
+        std::string Id = GetBinding("id", "");
+        if(Id.empty()) {
+            return BadRequest(RESTAPI::Errors::MissingUserID);
+        }
+
+        SecurityObjects::UserInfo   Existing;
+        if(!StorageService()->SubDB().GetUserById(Id,Existing)) {
+            return NotFound();
+        }
+
+        if(!Internal_ && !ACLProcessor::Can(UserInfo_.userinfo,Existing,ACLProcessor::MODIFY)) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+
+        if(GetBoolParameter("resetMFA")) {
+            if( (UserInfo_.userinfo.userRole == SecurityObjects::ROOT) ||
+                (UserInfo_.userinfo.userRole == SecurityObjects::ADMIN && Existing.userRole!=SecurityObjects::ROOT) ||
+                (UserInfo_.userinfo.id == Id)) {
+                Existing.userTypeProprietaryInfo.mfa.enabled = false;
+                Existing.userTypeProprietaryInfo.mfa.method.clear();
+                Existing.userTypeProprietaryInfo.mobiles.clear();
+                Existing.modified = OpenWifi::Now();
+                Existing.notes.push_back( SecurityObjects::NoteInfo{
+                        .created=OpenWifi::Now(),
+                        .createdBy=UserInfo_.userinfo.email,
+                        .note="MFA Reset by " + UserInfo_.userinfo.email});
+                StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email,Id,Existing);
+                SecurityObjects::UserInfo   NewUserInfo;
+                StorageService()->SubDB().GetUserByEmail(UserInfo_.userinfo.email,NewUserInfo);
+                Poco::JSON::Object  ModifiedObject;
+                Sanitize(UserInfo_, NewUserInfo);
+                NewUserInfo.to_json(ModifiedObject);
+                return ReturnObject(ModifiedObject);
+            } else {
+                return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+            }
+        }
+
+        if(GetBoolParameter("forgotPassword")) {
+            Existing.changePassword = true;
+            Logger_.information(fmt::format("FORGOTTEN-PASSWORD({}): Request for {}", Request->clientAddress().toString(), Existing.email));
+
+            SecurityObjects::ActionLink NewLink;
+            NewLink.action = OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD;
+            NewLink.id = MicroServiceCreateUUID();
+            NewLink.userId = Existing.id;
+            NewLink.created = OpenWifi::Now();
+            NewLink.expires = NewLink.created + (24*60*60);
+            NewLink.userAction = false;
+            StorageService()->ActionLinksDB().CreateAction(NewLink);
+
+            return OK();
+        }
+
+        SecurityObjects::UserInfo   NewUser;
+        const auto & RawObject = ParsedBody_;
+        if(!NewUser.from_json(RawObject)) {
+            return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+        }
+
+        // some basic validations
+        if(RawObject->has("userRole") &&
+            (SecurityObjects::UserTypeFromString(RawObject->get("userRole").toString())==SecurityObjects::UNKNOWN ||
+            SecurityObjects::UserTypeFromString(RawObject->get("userRole").toString())==SecurityObjects::SUBSCRIBER)) {
+            return BadRequest(RESTAPI::Errors::InvalidUserRole);
+        }
+
+        // The only valid things to change are: changePassword, name,
+        AssignIfPresent(RawObject,"name", Existing.name);
+        AssignIfPresent(RawObject,"description", Existing.description);
+        AssignIfPresent(RawObject,"owner", Existing.owner);
+        AssignIfPresent(RawObject,"location", Existing.location);
+        AssignIfPresent(RawObject,"locale", Existing.locale);
+        AssignIfPresent(RawObject,"changePassword", Existing.changePassword);
+        AssignIfPresent(RawObject,"suspended", Existing.suspended);
+        AssignIfPresent(RawObject,"blackListed", Existing.blackListed);
+
+        if(RawObject->has("userRole")) {
+            auto NewRole = SecurityObjects::UserTypeFromString(RawObject->get("userRole").toString());
+            if(NewRole!=Existing.userRole) {
+                if(UserInfo_.userinfo.userRole!=SecurityObjects::ROOT && NewRole==SecurityObjects::ROOT) {
+                    return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+                }
+                if(Id==UserInfo_.userinfo.id) {
+                    return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+                }
+                Existing.userRole = NewRole;
+            }
+        }
+
+        if(RawObject->has("notes")) {
+            SecurityObjects::NoteInfoVec NIV;
+            NIV = RESTAPI_utils::to_object_array<SecurityObjects::NoteInfo>(RawObject->get("notes").toString());
+            for(auto const &i:NIV) {
+                SecurityObjects::NoteInfo   ii{.created=(uint64_t)OpenWifi::Now(), .createdBy=UserInfo_.userinfo.email, .note=i.note};
+                Existing.notes.push_back(ii);
+            }
+        }
+        if(RawObject->has("currentPassword")) {
+            if(!AuthService()->ValidateSubPassword(RawObject->get("currentPassword").toString())) {
+                return BadRequest(RESTAPI::Errors::InvalidPassword);
+            }
+            if(!AuthService()->SetPassword(RawObject->get("currentPassword").toString(),Existing)) {
+                return BadRequest(RESTAPI::Errors::PasswordRejected);
+            }
+        }
+
+        if(GetParameter("email_verification","false")=="true") {
+            if(AuthService::VerifySubEmail(Existing))
+                Logger_.information(fmt::format("Verification e-mail requested for {}",Existing.email));
+        }
+
+        if(RawObject->has("userTypeProprietaryInfo")) {
+            if(NewUser.userTypeProprietaryInfo.mfa.enabled) {
+                if (!MFAMETHODS::Validate(NewUser.userTypeProprietaryInfo.mfa.method)) {
+                    return BadRequest(RESTAPI::Errors::BadMFAMethod);
+                }
+
+                if( NewUser.userTypeProprietaryInfo.mfa.enabled &&
+                    NewUser.userTypeProprietaryInfo.mfa.method == MFAMETHODS::SMS &&
+                    !SMSSender()->Enabled()) {
+                    return BadRequest(RESTAPI::Errors::SMSMFANotEnabled);
+                }
+
+                if( NewUser.userTypeProprietaryInfo.mfa.enabled &&
+                    NewUser.userTypeProprietaryInfo.mfa.method == MFAMETHODS::EMAIL &&
+                    !SMTPMailerService()->Enabled()) {
+                    return BadRequest(RESTAPI::Errors::EMailMFANotEnabled);
+                }
+
+                Existing.userTypeProprietaryInfo.mfa.method = NewUser.userTypeProprietaryInfo.mfa.method;
+                Existing.userTypeProprietaryInfo.mfa.enabled = true;
+
+                if (NewUser.userTypeProprietaryInfo.mfa.method == MFAMETHODS::SMS) {
+                    if(NewUser.userTypeProprietaryInfo.mobiles.empty()) {
+                        return BadRequest(RESTAPI::Errors::NeedMobileNumber);
+                    }
+                    if (!SMSSender()->IsNumberValid(NewUser.userTypeProprietaryInfo.mobiles[0].number,UserInfo_.userinfo.email)) {
+                        return BadRequest(RESTAPI::Errors::NeedMobileNumber);
+                    }
+                    Existing.userTypeProprietaryInfo.mobiles = NewUser.userTypeProprietaryInfo.mobiles;
+                    Existing.userTypeProprietaryInfo.mobiles[0].verified = true;
+                    Existing.userTypeProprietaryInfo.authenticatorSecret.clear();
+                } else if (NewUser.userTypeProprietaryInfo.mfa.method == MFAMETHODS::AUTHENTICATOR) {
+                    std::string Secret;
+                    Existing.userTypeProprietaryInfo.mobiles.clear();
+                    if(Existing.userTypeProprietaryInfo.authenticatorSecret.empty() && TotpCache()->CompleteValidation(UserInfo_.userinfo,false,Secret)) {
+                        Existing.userTypeProprietaryInfo.authenticatorSecret = Secret;
+                    } else if (!Existing.userTypeProprietaryInfo.authenticatorSecret.empty()) {
+                        // we allow someone to use their old secret
+                    } else {
+                        return BadRequest(RESTAPI::Errors::AuthenticatorVerificationIncomplete);
+                    }
+                } else if (NewUser.userTypeProprietaryInfo.mfa.method == MFAMETHODS::EMAIL) {
+                    Existing.userTypeProprietaryInfo.mobiles.clear();
+                    Existing.userTypeProprietaryInfo.authenticatorSecret.clear();
+                }
+            } else {
+                Existing.userTypeProprietaryInfo.authenticatorSecret.clear();
+                Existing.userTypeProprietaryInfo.mobiles.clear();
+                Existing.userTypeProprietaryInfo.mfa.enabled = false;
+            }
+        }
+
+        if(StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email,Id,Existing)) {
+            SecurityObjects::UserInfo   NewUserInfo;
+            StorageService()->SubDB().GetUserById(Id,NewUserInfo);
+            Poco::JSON::Object  ModifiedObject;
+            Sanitize(UserInfo_, NewUserInfo);
+            NewUserInfo.to_json(ModifiedObject);
+            return ReturnObject(ModifiedObject);
+        }
+        BadRequest(RESTAPI::Errors::RecordNotUpdated);
+    }
+}
--- a/src/RESTAPI/RESTAPI_subuser_handler.h
+++ b/src/RESTAPI/RESTAPI_subuser_handler.h
@@ -0,0 +1,31 @@
+//
+// Created by stephane bourque on 2021-11-30.
+//
+
+#pragma once
+
+#include "framework/RESTAPI_Handler.h"
+
+namespace OpenWifi {
+    class RESTAPI_subuser_handler : public RESTAPIHandler {
+    public:
+        RESTAPI_subuser_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
+        : RESTAPIHandler(bindings, L,
+                         std::vector<std::string>
+                         {Poco::Net::HTTPRequest::HTTP_POST,
+                          Poco::Net::HTTPRequest::HTTP_GET,
+                          Poco::Net::HTTPRequest::HTTP_PUT,
+                          Poco::Net::HTTPRequest::HTTP_DELETE,
+                          Poco::Net::HTTPRequest::HTTP_OPTIONS},
+                          Server,
+                          TransactionId,
+                          Internal) {}
+        static auto PathName() { return std::list<std::string>{"/api/v1/subuser/{id}"}; };
+        void DoGet() final;
+        void DoPost() final;
+        void DoDelete() final;
+        void DoPut() final;
+    private:
+
+    };
+}
--- a/src/RESTAPI/RESTAPI_subusers_handler.cpp
+++ b/src/RESTAPI/RESTAPI_subusers_handler.cpp
@@ -0,0 +1,79 @@
+//
+// Created by stephane bourque on 2021-11-30.
+//
+
+#include "RESTAPI_subusers_handler.h"
+#include "StorageService.h"
+#include "RESTAPI/RESTAPI_db_helpers.h"
+
+namespace OpenWifi {
+
+    void RESTAPI_subusers_handler::DoGet() {
+        bool IdOnly = GetBoolParameter("idOnly");
+        auto operatorId = GetParameter("operatorId");
+        auto nameSearch = GetParameter("nameSearch");
+        auto emailSearch = GetParameter("emailSearch");
+
+        std::string baseQuery;
+        if(!nameSearch.empty() || !emailSearch.empty()) {
+            if(!nameSearch.empty())
+                baseQuery = fmt::format(" Lower(name) like('%{}%') ", Poco::toLower(nameSearch) );
+            if(!emailSearch.empty())
+                baseQuery += baseQuery.empty() ? fmt::format(" Lower(email) like('%{}%') ", Poco::toLower(emailSearch))
+                : fmt::format(" and Lower(email) like('%{}%') ", Poco::toLower(emailSearch));
+        }
+
+        if(QB_.CountOnly) {
+            std::string whereClause;
+            if(!operatorId.empty()) {
+                whereClause = baseQuery.empty() ? fmt::format(" owner='{}' ", operatorId) :
+                              fmt::format(" owner='{}' and {} ", operatorId, baseQuery);
+                auto count = StorageService()->SubDB().Count(whereClause);
+                return ReturnCountOnly(count);
+            }
+            auto count = StorageService()->UserDB().Count();
+            return ReturnCountOnly(count);
+        } else if(QB_.Select.empty()) {
+            std::string whereClause;
+            if(!operatorId.empty()) {
+                whereClause = baseQuery.empty() ? fmt::format(" owner='{}' ", operatorId) :
+                              fmt::format(" owner='{}' and {} ", operatorId, baseQuery);
+            }
+
+            SecurityObjects::UserInfoList   Users;
+            if (StorageService()->SubDB().GetUsers(QB_.Offset, QB_.Limit, Users.users, whereClause)) {
+                for (auto &i : Users.users) {
+                    Sanitize(UserInfo_, i);
+                }
+            }
+
+            if(IdOnly) {
+                Poco::JSON::Array   Arr;
+                Poco::JSON::Object  Answer;
+
+                for(const auto &i:Users.users) {
+                    Arr.add(i.id);
+                }
+                Answer.set("users",Arr);
+                return ReturnObject(Answer);
+            }
+
+            Poco::JSON::Object  Answer;
+            Users.to_json(Answer);
+            return ReturnObject(Answer);
+        } else {
+            SecurityObjects::UserInfoList   Users;
+            for(auto &i:SelectedRecords()) {
+                SecurityObjects::UserInfo   UInfo;
+                if(StorageService()->SubDB().GetUserById(i,UInfo)) {
+                    Poco::JSON::Object Obj;
+                    Sanitize(UserInfo_, UInfo);
+                    Users.users.emplace_back(UInfo);
+                }
+            }
+            Poco::JSON::Object Answer;
+            Users.to_json(Answer);
+            return ReturnObject(Answer);
+        }
+    }
+}
--- a/src/RESTAPI/RESTAPI_subusers_handler.h
+++ b/src/RESTAPI/RESTAPI_subusers_handler.h
@@ -0,0 +1,26 @@
+//
+// Created by stephane bourque on 2021-11-30.
+//
+
+#pragma once
+
+#include "framework/RESTAPI_Handler.h"
+
+namespace OpenWifi {
+    class RESTAPI_subusers_handler : public RESTAPIHandler {
+    public:
+        RESTAPI_subusers_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
+        : RESTAPIHandler(bindings, L,
+                         std::vector<std::string>
+                         {Poco::Net::HTTPRequest::HTTP_GET,
+                          Poco::Net::HTTPRequest::HTTP_OPTIONS},
+                          Server,
+                          TransactionId,
+                          Internal) {}
+        static auto PathName() { return std::list<std::string>{"/api/v1/subusers"}; };
+        void DoGet() final;
+        void DoPost() final {};
+        void DoDelete() final {};
+        void DoPut() final {};
+    };
+};
--- a/src/RESTAPI/RESTAPI_system_endpoints_handler.cpp
+++ b/src/RESTAPI/RESTAPI_system_endpoints_handler.cpp
@@ -2,13 +2,14 @@
 // Created by stephane bourque on 2021-07-01.
 //

-#include "RESTAPI_systemEndpoints_handler.h"
+#include "RESTAPI_system_endpoints_handler.h"
 #include "RESTObjects/RESTAPI_SecurityObjects.h"
+#include "framework/MicroServiceFuncs.h"

 namespace OpenWifi {

-    void RESTAPI_systemEndpoints_handler::DoGet() {
-        auto Services = MicroService::instance().GetServices();
+    void RESTAPI_system_endpoints_handler::DoGet() {
+        auto Services = MicroServiceGetServices();
        SecurityObjects::SystemEndpointList L;
        for(const auto &i:Services) {
            SecurityObjects::SystemEndpoint S{
--- a/src/RESTAPI/RESTAPI_system_endpoints_handler.h
+++ b/src/RESTAPI/RESTAPI_system_endpoints_handler.h
@@ -2,26 +2,24 @@
 // Created by stephane bourque on 2021-07-01.
 //

-#ifndef UCENTRALSEC_RESTAPI_SYSTEMENDPOINTS_HANDLER_H
-#define UCENTRALSEC_RESTAPI_SYSTEMENDPOINTS_HANDLER_H
+#pragma once

-#include "../framework/MicroService.h"
+#include "../framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-    class RESTAPI_systemEndpoints_handler : public RESTAPIHandler {
+    class RESTAPI_system_endpoints_handler : public RESTAPIHandler {
    public:
-        RESTAPI_systemEndpoints_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, bool Internal)
+        RESTAPI_system_endpoints_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
                : RESTAPIHandler(bindings, L,
                                 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_GET,
                                                          Poco::Net::HTTPRequest::HTTP_OPTIONS},
                                                          Server,
+                                                          TransactionId,
                                                          Internal) {}
-        static const std::list<const char *> PathName() { return std::list<const char *>{"/api/v1/systemEndpoints"}; };
+        static auto PathName() { return std::list<std::string>{"/api/v1/systemEndpoints"}; };
        void DoGet() final;
        void DoPost() final {};
        void DoDelete() final {};
        void DoPut() final {};
    };
 }
-
-#endif //UCENTRALSEC_RESTAPI_SYSTEMENDPOINTS_HANDLER_H
--- a/src/RESTAPI/RESTAPI_totp_handler.cpp
+++ b/src/RESTAPI/RESTAPI_totp_handler.cpp
@@ -0,0 +1,35 @@
+//
+// Created by stephane bourque on 2022-01-31.
+//
+
+#include "RESTAPI_totp_handler.h"
+#include "TotpCache.h"
+
+namespace OpenWifi {
+
+    void RESTAPI_totp_handler::DoGet() {
+
+        auto Reset = GetBoolParameter("reset",false);
+        std::string QRCode;
+        if(TotpCache()->StartValidation(UserInfo_.userinfo,false,QRCode,Reset)) {
+            return SendFileContent(QRCode, "image/svg+xml","qrcode.svg");
+        }
+        return BadRequest(RESTAPI::Errors::InvalidCommand);
+    }
+
+    void RESTAPI_totp_handler::DoPut() {
+        auto Value = GetParameter("value","");
+        auto nextIndex = GetParameter("index",0);
+        bool moreCodes=false;
+
+        RESTAPI::Errors::msg Err;
+        if(TotpCache()->ContinueValidation(UserInfo_.userinfo,false,Value,nextIndex,moreCodes, Err)) {
+            Poco::JSON::Object Answer;
+            Answer.set("nextIndex", nextIndex);
+            Answer.set("moreCodes", moreCodes);
+            return ReturnObject(Answer);
+        }
+        return BadRequest(Err);
+    }
+
+}
--- a/src/RESTAPI/RESTAPI_totp_handler.h
+++ b/src/RESTAPI/RESTAPI_totp_handler.h
@@ -0,0 +1,31 @@
+//
+// Created by stephane bourque on 2022-01-31.
+//
+
+#pragma once
+
+#include "framework/RESTAPI_Handler.h"
+
+namespace OpenWifi {
+    class RESTAPI_totp_handler : public RESTAPIHandler {
+    public:
+        RESTAPI_totp_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
+                : RESTAPIHandler(bindings, L,
+                                 std::vector<std::string>
+                                         {
+                                              Poco::Net::HTTPRequest::HTTP_GET,
+                                              Poco::Net::HTTPRequest::HTTP_PUT,
+                                              Poco::Net::HTTPRequest::HTTP_OPTIONS
+                                          },
+                                 Server,
+                                 TransactionId,
+                                 Internal) {}
+        static auto PathName() { return std::list<std::string>{"/api/v1/totp"}; };
+        void DoGet() final;
+        void DoPost() final {};
+        void DoDelete() final {};
+        void DoPut() final;
+    private:
+
+    };
+}
--- a/src/RESTAPI/RESTAPI_user_handler.cpp
+++ b/src/RESTAPI/RESTAPI_user_handler.cpp
@@ -4,11 +4,18 @@

 #include "RESTAPI_user_handler.h"
 #include "StorageService.h"
-#include "Poco/JSON/Parser.h"
-#include "framework/RESTAPI_errors.h"
+#include "framework/ow_constants.h"
 #include "SMSSender.h"
+#include "SMTPMailerService.h"
+#include "ACLProcessor.h"
+#include "AuthService.h"
+#include "RESTAPI/RESTAPI_db_helpers.h"
+#include "MFAServer.h"
+#include "TotpCache.h"
+#include "framework/MicroServiceFuncs.h"

 namespace OpenWifi {
+
    void RESTAPI_user_handler::DoGet() {
        std::string Id = GetBinding("id", "");
        if(Id.empty()) {
@@ -19,13 +26,19 @@ namespace OpenWifi {
        std::string Arg;
        SecurityObjects::UserInfo   UInfo;
        if(HasParameter("byEmail",Arg) && Arg=="true") {
-            if(!StorageService()->GetUserByEmail(Id,UInfo)) {
+            if(!StorageService()->UserDB().GetUserByEmail(Id,UInfo)) {
                return NotFound();
            }
-        } else if(!StorageService()->GetUserById(Id,UInfo)) {
+        } else if(!StorageService()->UserDB().GetUserById(Id,UInfo)) {
            return NotFound();
        }
+
+        if(!ACLProcessor::Can(UserInfo_.userinfo, UInfo,ACLProcessor::READ)) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+
        Poco::JSON::Object  UserInfoObject;
+        Sanitize(UserInfo_, UInfo);
        UInfo.to_json(UserInfoObject);
        ReturnObject(UserInfoObject);
    }
@@ -37,86 +50,160 @@ namespace OpenWifi {
        }

        SecurityObjects::UserInfo UInfo;
-        if(!StorageService()->GetUserById(Id,UInfo)) {
+        if(!StorageService()->UserDB().GetUserById(Id,UInfo)) {
            return NotFound();
        }

-        if(!StorageService()->DeleteUser(UserInfo_.userinfo.email,Id)) {
+        if(!ACLProcessor::Can(UserInfo_.userinfo, UInfo,ACLProcessor::DELETE)) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+
+        if(!StorageService()->UserDB().DeleteUser(UserInfo_.userinfo.email,Id)) {
            return NotFound();
        }

-        if(AuthService()->DeleteUserFromCache(UInfo.email))
-            ;
-        Logger_.information(Poco::format("Remove all tokens for '%s'", UserInfo_.userinfo.email));
-        StorageService()->RevokeAllTokens(UInfo.email);
-        Logger_.information(Poco::format("User '%s' deleted by '%s'.",Id,UserInfo_.userinfo.email));
+        AuthService()->DeleteUserFromCache(Id);
+        StorageService()->AvatarDB().DeleteAvatar(UserInfo_.userinfo.email,Id);
+        StorageService()->PreferencesDB().DeletePreferences(UserInfo_.userinfo.email,Id);
+        StorageService()->UserTokenDB().RevokeAllTokens(Id);
+        StorageService()->ApiKeyDB().RemoveAllApiKeys(Id);
+        Logger_.information(fmt::format("User '{}' deleted by '{}'.",Id,UserInfo_.userinfo.email));
        OK();
    }

    void RESTAPI_user_handler::DoPost() {
+
        std::string Id = GetBinding("id", "");
        if(Id!="0") {
            return BadRequest(RESTAPI::Errors::IdMustBe0);
        }

-        SecurityObjects::UserInfo   UInfo;
-        RESTAPI_utils::from_request(UInfo,*Request);
+        SecurityObjects::UserInfo   NewUser;
+        const auto & RawObject = ParsedBody_;
+        if(!NewUser.from_json(RawObject)) {
+            return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+        }

-        if(UInfo.userRole == SecurityObjects::UNKNOWN) {
+        if(NewUser.userRole == SecurityObjects::UNKNOWN) {
            return BadRequest(RESTAPI::Errors::InvalidUserRole);
        }

-        Poco::toLowerInPlace(UInfo.email);
-        if(!Utils::ValidEMailAddress(UInfo.email)) {
+        if(UserInfo_.userinfo.userRole==SecurityObjects::ROOT) {
+            NewUser.owner = GetParameter("entity","");
+        } else {
+            NewUser.owner = UserInfo_.userinfo.owner;
+        }
+
+        if(!ACLProcessor::Can(UserInfo_.userinfo,NewUser,ACLProcessor::CREATE)) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+
+        Poco::toLowerInPlace(NewUser.email);
+        if(!Utils::ValidEMailAddress(NewUser.email)) {
            return BadRequest(RESTAPI::Errors::InvalidEmailAddress);
        }

-        if(!UInfo.currentPassword.empty()) {
-            if(!AuthService()->ValidatePassword(UInfo.currentPassword)) {
+        SecurityObjects::UserInfo   Existing;
+        if(StorageService()->SubDB().GetUserByEmail(NewUser.email,Existing)) {
+            return BadRequest(RESTAPI::Errors::UserAlreadyExists);
+        }
+
+        if(!NewUser.currentPassword.empty()) {
+            if(!AuthService()->ValidatePassword(NewUser.currentPassword)) {
                return BadRequest(RESTAPI::Errors::InvalidPassword);
            }
        }

-        if(UInfo.name.empty())
-            UInfo.name = UInfo.email;
+        if(NewUser.name.empty())
+            NewUser.name = NewUser.email;

-        if(!StorageService()->CreateUser(UInfo.email,UInfo)) {
-            Logger_.information(Poco::format("Could not add user '%s'.",UInfo.email));
+        //  You cannot enable MFA during user creation
+        NewUser.userTypeProprietaryInfo.mfa.enabled = false;
+        NewUser.userTypeProprietaryInfo.mfa.method = "";
+        NewUser.userTypeProprietaryInfo.mobiles.clear();
+        NewUser.userTypeProprietaryInfo.authenticatorSecret.clear();
+        NewUser.validated = true;
+
+        if(!StorageService()->UserDB().CreateUser(NewUser.email,NewUser)) {
+            Logger_.information(fmt::format("Could not add user '{}'.",NewUser.email));
            return BadRequest(RESTAPI::Errors::RecordNotCreated);
        }

-        if(GetParameter("email_verification","false")=="true") {
-            if(AuthService::VerifyEmail(UInfo))
-                Logger_.information(Poco::format("Verification e-mail requested for %s",UInfo.email));
-            StorageService()->UpdateUserInfo(UserInfo_.userinfo.email,UInfo.Id,UInfo);
+        if(GetBoolParameter("email_verification")) {
+            if(AuthService::VerifyEmail(NewUser))
+                Logger_.information(fmt::format("Verification e-mail requested for {}",NewUser.email));
+            StorageService()->UserDB().UpdateUserInfo(UserInfo_.userinfo.email,NewUser.id,NewUser);
        }

-        if(!StorageService()->GetUserByEmail(UInfo.email, UInfo)) {
-            Logger_.information(Poco::format("User '%s' but not retrieved.",UInfo.email));
+        if(!StorageService()->UserDB().GetUserByEmail(NewUser.email, NewUser)) {
+            Logger_.information(fmt::format("User '{}' but not retrieved.",NewUser.email));
            return NotFound();
        }

        Poco::JSON::Object  UserInfoObject;
-        UInfo.to_json(UserInfoObject);
-
+        Sanitize(UserInfo_, NewUser);
+        NewUser.to_json(UserInfoObject);
        ReturnObject(UserInfoObject);
-
-        Logger_.information(Poco::format("User '%s' has been added by '%s')",UInfo.email, UserInfo_.userinfo.email));
+        Logger_.information(fmt::format("User '{}' has been added by '{}')",NewUser.email, UserInfo_.userinfo.email));
    }

    void RESTAPI_user_handler::DoPut() {
+
        std::string Id = GetBinding("id", "");
        if(Id.empty()) {
            return BadRequest(RESTAPI::Errors::MissingUserID);
        }

        SecurityObjects::UserInfo   Existing;
-        if(!StorageService()->GetUserById(Id,Existing)) {
+        if(!StorageService()->UserDB().GetUserById(Id,Existing)) {
            return NotFound();
        }

+        if(!ACLProcessor::Can(UserInfo_.userinfo,Existing,ACLProcessor::MODIFY)) {
+            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+        }
+
+        if(GetBoolParameter("resetMFA")) {
+            if( (UserInfo_.userinfo.userRole == SecurityObjects::ROOT) ||
+                (UserInfo_.userinfo.userRole == SecurityObjects::ADMIN && Existing.userRole!=SecurityObjects::ROOT) ||
+                (UserInfo_.userinfo.id == Id)) {
+                Existing.userTypeProprietaryInfo.mfa.enabled = false;
+                Existing.userTypeProprietaryInfo.mfa.method.clear();
+                Existing.userTypeProprietaryInfo.mobiles.clear();
+                Existing.modified = OpenWifi::Now();
+                Existing.notes.push_back( SecurityObjects::NoteInfo{
+                            .created=OpenWifi::Now(),
+                            .createdBy=UserInfo_.userinfo.email,
+                            .note="MFA Reset by " + UserInfo_.userinfo.email});
+                StorageService()->UserDB().UpdateUserInfo(UserInfo_.userinfo.email,Id,Existing);
+                SecurityObjects::UserInfo   NewUserInfo;
+                StorageService()->UserDB().GetUserByEmail(UserInfo_.userinfo.email,NewUserInfo);
+                Poco::JSON::Object  ModifiedObject;
+                Sanitize(UserInfo_, NewUserInfo);
+                NewUserInfo.to_json(ModifiedObject);
+                return ReturnObject(ModifiedObject);
+            } else {
+                return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+            }
+        }
+
+        if(GetBoolParameter("forgotPassword")) {
+            Existing.changePassword = true;
+            Logger_.information(fmt::format("FORGOTTEN-PASSWORD({}): Request for {}", Request->clientAddress().toString(), Existing.email));
+            SecurityObjects::ActionLink NewLink;
+
+            NewLink.action = OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD;
+            NewLink.id = MicroServiceCreateUUID();
+            NewLink.userId = Existing.id;
+            NewLink.created = OpenWifi::Now();
+            NewLink.expires = NewLink.created + (24*60*60);
+            NewLink.userAction = true;
+            StorageService()->ActionLinksDB().CreateAction(NewLink);
+            return OK();
+        }
+
        SecurityObjects::UserInfo   NewUser;
-        auto RawObject = ParseStream();
+        const auto & RawObject = ParsedBody_;
        if(!NewUser.from_json(RawObject)) {
            return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
        }
@@ -126,23 +213,39 @@ namespace OpenWifi {
            return BadRequest(RESTAPI::Errors::InvalidUserRole);
        }

+        if(RawObject->has("owner")) {
+            if (UserInfo_.userinfo.userRole == SecurityObjects::ROOT && Existing.owner.empty()) {
+                AssignIfPresent(RawObject, "owner", Existing.owner);
+            }
+        }
+
        // The only valid things to change are: changePassword, name,
        AssignIfPresent(RawObject,"name", Existing.name);
        AssignIfPresent(RawObject,"description", Existing.description);
-        AssignIfPresent(RawObject,"owner", Existing.owner);
        AssignIfPresent(RawObject,"location", Existing.location);
        AssignIfPresent(RawObject,"locale", Existing.locale);
        AssignIfPresent(RawObject,"changePassword", Existing.changePassword);
        AssignIfPresent(RawObject,"suspended", Existing.suspended);
        AssignIfPresent(RawObject,"blackListed", Existing.blackListed);

-        if(RawObject->has("userRole"))
-            Existing.userRole = SecurityObjects::UserTypeFromString(RawObject->get("userRole").toString());
+        if(RawObject->has("userRole")) {
+            auto NewRole = SecurityObjects::UserTypeFromString(RawObject->get("userRole").toString());
+            if(NewRole!=Existing.userRole) {
+                if(UserInfo_.userinfo.userRole!=SecurityObjects::ROOT && NewRole==SecurityObjects::ROOT) {
+                    return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+                }
+                if(Id==UserInfo_.userinfo.id) {
+                    return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+                }
+                Existing.userRole = NewRole;
+            }
+        }
+
        if(RawObject->has("notes")) {
            SecurityObjects::NoteInfoVec NIV;
            NIV = RESTAPI_utils::to_object_array<SecurityObjects::NoteInfo>(RawObject->get("notes").toString());
            for(auto const &i:NIV) {
-                SecurityObjects::NoteInfo   ii{.created=(uint64_t)std::time(nullptr), .createdBy=UserInfo_.userinfo.email, .note=i.note};
+                SecurityObjects::NoteInfo   ii{.created=(uint64_t)OpenWifi::Now(), .createdBy=UserInfo_.userinfo.email, .note=i.note};
                Existing.notes.push_back(ii);
            }
        }
@@ -155,39 +258,69 @@ namespace OpenWifi {
            }
        }

-        if(GetParameter("email_verification","false")=="true") {
+        if(GetBoolParameter("email_verification")) {
            if(AuthService::VerifyEmail(Existing))
-                Logger_.information(Poco::format("Verification e-mail requested for %s",Existing.email));
+                Logger_.information(fmt::format("Verification e-mail requested for {}",Existing.email));
        }

        if(RawObject->has("userTypeProprietaryInfo")) {
-            Existing.userTypeProprietaryInfo.mfa.enabled = NewUser.userTypeProprietaryInfo.mfa.enabled;
-            if(NewUser.userTypeProprietaryInfo.mfa.method=="sms") {
-                Existing.userTypeProprietaryInfo.mfa.method=NewUser.userTypeProprietaryInfo.mfa.method;
-                auto MobileStruct = RawObject->get("userTypeProprietaryInfo");
-                auto Info = MobileStruct.extract<Poco::JSON::Object::Ptr>();
-                if(Info->isArray("mobiles")) {
-                    Existing.userTypeProprietaryInfo.mobiles = NewUser.userTypeProprietaryInfo.mobiles;
-                }
-                if(!NewUser.userTypeProprietaryInfo.mobiles.empty() && !SMSSender()->IsNumberValid(NewUser.userTypeProprietaryInfo.mobiles[0].number,UserInfo_.userinfo.email)){
-                    return BadRequest(RESTAPI::Errors::NeedMobileNumber);
-                }
-                if(NewUser.userTypeProprietaryInfo.mfa.enabled && Existing.userTypeProprietaryInfo.mobiles.empty()) {
-                    return BadRequest(RESTAPI::Errors::NeedMobileNumber);
-                }
-            } else if(NewUser.userTypeProprietaryInfo.mfa.method=="email") {
-                Existing.userTypeProprietaryInfo.mfa.method=NewUser.userTypeProprietaryInfo.mfa.method;
-            } else {
-                if(NewUser.userTypeProprietaryInfo.mfa.enabled && Existing.userTypeProprietaryInfo.mfa.method.empty()) {
+            if(NewUser.userTypeProprietaryInfo.mfa.enabled) {
+                if (!MFAMETHODS::Validate(NewUser.userTypeProprietaryInfo.mfa.method)) {
                    return BadRequest(RESTAPI::Errors::BadMFAMethod);
                }
+
+                if( NewUser.userTypeProprietaryInfo.mfa.enabled &&
+                    NewUser.userTypeProprietaryInfo.mfa.method == MFAMETHODS::SMS &&
+                    !SMSSender()->Enabled()) {
+                    return BadRequest(RESTAPI::Errors::SMSMFANotEnabled);
+                }
+
+                if( NewUser.userTypeProprietaryInfo.mfa.enabled &&
+                    NewUser.userTypeProprietaryInfo.mfa.method == MFAMETHODS::EMAIL &&
+                    !SMTPMailerService()->Enabled()) {
+                    return BadRequest(RESTAPI::Errors::EMailMFANotEnabled);
+                }
+
+                Existing.userTypeProprietaryInfo.mfa.method = NewUser.userTypeProprietaryInfo.mfa.method;
+                Existing.userTypeProprietaryInfo.mfa.enabled = true;
+
+                if (NewUser.userTypeProprietaryInfo.mfa.method == MFAMETHODS::SMS) {
+                    if(NewUser.userTypeProprietaryInfo.mobiles.empty()) {
+                        return BadRequest(RESTAPI::Errors::NeedMobileNumber);
+                    }
+                    if (!SMSSender()->IsNumberValid(NewUser.userTypeProprietaryInfo.mobiles[0].number,UserInfo_.userinfo.email)) {
+                        return BadRequest(RESTAPI::Errors::NeedMobileNumber);
+                    }
+                    Existing.userTypeProprietaryInfo.mobiles = NewUser.userTypeProprietaryInfo.mobiles;
+                    Existing.userTypeProprietaryInfo.mobiles[0].verified = true;
+                    Existing.userTypeProprietaryInfo.authenticatorSecret.clear();
+                } else if (NewUser.userTypeProprietaryInfo.mfa.method == MFAMETHODS::AUTHENTICATOR) {
+                    std::string Secret;
+                    Existing.userTypeProprietaryInfo.mobiles.clear();
+                    if(Existing.userTypeProprietaryInfo.authenticatorSecret.empty() && TotpCache()->CompleteValidation(UserInfo_.userinfo,false,Secret)) {
+                        Existing.userTypeProprietaryInfo.authenticatorSecret = Secret;
+                    } else if (!Existing.userTypeProprietaryInfo.authenticatorSecret.empty()) {
+                        // we allow someone to use their old secret
+                    } else {
+                        return BadRequest(RESTAPI::Errors::AuthenticatorVerificationIncomplete);
+                    }
+                } else if (NewUser.userTypeProprietaryInfo.mfa.method == MFAMETHODS::EMAIL) {
+                    Existing.userTypeProprietaryInfo.mobiles.clear();
+                    Existing.userTypeProprietaryInfo.authenticatorSecret.clear();
+                }
+            } else {
+                Existing.userTypeProprietaryInfo.authenticatorSecret.clear();
+                Existing.userTypeProprietaryInfo.mobiles.clear();
+                Existing.userTypeProprietaryInfo.mfa.enabled = false;
            }
        }

-        if(StorageService()->UpdateUserInfo(UserInfo_.userinfo.email,Id,Existing)) {
+        Existing.modified = OpenWifi::Now();
+        if(StorageService()->UserDB().UpdateUserInfo(UserInfo_.userinfo.email,Id,Existing)) {
            SecurityObjects::UserInfo   NewUserInfo;
-            StorageService()->GetUserByEmail(UserInfo_.userinfo.email,NewUserInfo);
+            StorageService()->UserDB().GetUserByEmail(UserInfo_.userinfo.email,NewUserInfo);
            Poco::JSON::Object  ModifiedObject;
+            Sanitize(UserInfo_, NewUserInfo);
            NewUserInfo.to_json(ModifiedObject);
            return ReturnObject(ModifiedObject);
        }
--- a/src/RESTAPI/RESTAPI_user_handler.h
+++ b/src/RESTAPI/RESTAPI_user_handler.h
@@ -2,15 +2,14 @@
 // Created by stephane bourque on 2021-06-21.
 //

-#ifndef UCENTRALSEC_RESTAPI_USER_HANDLER_H
-#define UCENTRALSEC_RESTAPI_USER_HANDLER_H
+#pragma once

-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
    class RESTAPI_user_handler : public RESTAPIHandler {
    public:
-        RESTAPI_user_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, bool Internal)
+        RESTAPI_user_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
                : RESTAPIHandler(bindings, L,
                                 std::vector<std::string>
                                         {Poco::Net::HTTPRequest::HTTP_POST,
@@ -19,8 +18,9 @@ namespace OpenWifi {
                                          Poco::Net::HTTPRequest::HTTP_DELETE,
                                          Poco::Net::HTTPRequest::HTTP_OPTIONS},
                                          Server,
+                                          TransactionId,
                                          Internal) {}
-        static const std::list<const char *> PathName() { return std::list<const char *>{"/api/v1/user/{id}"}; };
+        static auto PathName() { return std::list<std::string>{"/api/v1/user/{id}"}; };
        void DoGet() final;
        void DoPost() final;
        void DoDelete() final;
@@ -29,6 +29,3 @@ namespace OpenWifi {

    };
 }
-
-
-#endif //UCENTRALSEC_RESTAPI_USER_HANDLER_H
--- a/src/RESTAPI/RESTAPI_users_handler.cpp
+++ b/src/RESTAPI/RESTAPI_users_handler.cpp
@@ -4,48 +4,54 @@

 #include "RESTAPI_users_handler.h"
 #include "StorageService.h"
-#include "framework/RESTAPI_protocol.h"
-#include "framework/MicroService.h"
+#include "RESTAPI/RESTAPI_db_helpers.h"

 namespace OpenWifi {
    void RESTAPI_users_handler::DoGet() {
-        std::vector<SecurityObjects::UserInfo> Users;
        bool IdOnly = (GetParameter("idOnly","false")=="true");
+        auto nameSearch = GetParameter("nameSearch");
+        auto emailSearch = GetParameter("emailSearch");
+
+        std::string baseQuery;
+        if(!nameSearch.empty() || !emailSearch.empty()) {
+            if(!nameSearch.empty())
+                baseQuery = fmt::format(" Lower(name) like('%{}%') ", Poco::toLower(nameSearch) );
+            if(!emailSearch.empty())
+                baseQuery += baseQuery.empty() ? fmt::format(" Lower(email) like('%{}%') ", Poco::toLower(emailSearch))
+                                               : fmt::format(" and Lower(email) like('%{}%') ", Poco::toLower(emailSearch));
+        }

        if(QB_.Select.empty()) {
-            Poco::JSON::Array ArrayObj;
-            Poco::JSON::Object Answer;
-            if (StorageService()->GetUsers(QB_.Offset, QB_.Limit, Users)) {
-                for (const auto &i : Users) {
-                    Poco::JSON::Object Obj;
-                    if (IdOnly) {
-                        ArrayObj.add(i.Id);
-                    } else {
-                        i.to_json(Obj);
-                        ArrayObj.add(Obj);
-                    }
+            SecurityObjects::UserInfoList   Users;
+            if(StorageService()->UserDB().GetUsers(QB_.Offset, QB_.Limit, Users.users, baseQuery)) {
+                for (auto &i : Users.users) {
+                    Sanitize(UserInfo_, i);
+                }
+                if(IdOnly) {
+                    Poco::JSON::Array   Arr;
+                    for(const auto &i:Users.users)
+                        Arr.add(i.id);
+                    Poco::JSON::Object  Answer;
+                    Answer.set("users", Arr);
+                    return ReturnObject(Answer);
                }
-                Answer.set(RESTAPI::Protocol::USERS, ArrayObj);
            }
+            Poco::JSON::Object  Answer;
+            Users.to_json(Answer);
            return ReturnObject(Answer);
        } else {
-            Types::StringVec IDs = Utils::Split(QB_.Select);
-            Poco::JSON::Array ArrayObj;
-            for(auto &i:IDs) {
+            SecurityObjects::UserInfoList   Users;
+            for(auto &i:SelectedRecords()) {
                SecurityObjects::UserInfo   UInfo;
-                if(StorageService()->GetUserById(i,UInfo)) {
+                if(StorageService()->UserDB().GetUserById(i,UInfo)) {
                    Poco::JSON::Object Obj;
-                    if (IdOnly) {
-                        ArrayObj.add(UInfo.Id);
-                    } else {
-                        UInfo.to_json(Obj);
-                        ArrayObj.add(Obj);
-                    }
+                    Sanitize(UserInfo_, UInfo);
+                    Users.users.emplace_back(UInfo);
                }
            }
-            Poco::JSON::Object RetObj;
-            RetObj.set(RESTAPI::Protocol::USERS, ArrayObj);
-            return ReturnObject(RetObj);
+            Poco::JSON::Object Answer;
+            Users.to_json(Answer);
+            return ReturnObject(Answer);
        }
    }
 }
--- a/src/RESTAPI/RESTAPI_users_handler.h
+++ b/src/RESTAPI/RESTAPI_users_handler.h
@@ -2,22 +2,22 @@
 // Created by stephane bourque on 2021-06-21.
 //

-#ifndef UCENTRALSEC_RESTAPI_USERS_HANDLER_H
-#define UCENTRALSEC_RESTAPI_USERS_HANDLER_H
+#pragma once

-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
    class RESTAPI_users_handler : public RESTAPIHandler {
    public:
-        RESTAPI_users_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, bool Internal)
+        RESTAPI_users_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
                : RESTAPIHandler(bindings, L,
                                 std::vector<std::string>
                                 {Poco::Net::HTTPRequest::HTTP_GET,
                                  Poco::Net::HTTPRequest::HTTP_OPTIONS},
                                  Server,
+                                  TransactionId,
                                  Internal) {}
-        static const std::list<const char *> PathName() { return std::list<const char *>{"/api/v1/users"}; };
+        static auto PathName() { return std::list<std::string>{"/api/v1/users"}; };
        void DoGet() final;
        void DoPost() final {};
        void DoDelete() final {};
@@ -25,5 +25,3 @@ namespace OpenWifi {
    };
 };

-
-#endif //UCENTRALSEC_RESTAPI_USERS_HANDLER_H
--- a/src/RESTAPI/RESTAPI_validate_apikey.cpp
+++ b/src/RESTAPI/RESTAPI_validate_apikey.cpp
@@ -0,0 +1,31 @@
+//
+// Created by stephane bourque on 2022-11-07.
+//
+
+#include "RESTAPI_validate_apikey.h"
+#include "AuthService.h"
+
+namespace OpenWifi {
+
+    void RESTAPI_validate_apikey::DoGet() {
+        Poco::URI URI(Request->getURI());
+        auto Parameters = URI.getQueryParameters();
+        for(auto const &i:Parameters) {
+            if (i.first == "apikey") {
+                //  can we find this token?
+                SecurityObjects::UserInfoAndPolicy SecObj;
+                bool Expired = false;
+                std::uint64_t expiresOn=0;
+                if (AuthService()->IsValidApiKey(i.second, SecObj.webtoken, SecObj.userinfo, Expired, expiresOn)) {
+                    Poco::JSON::Object Answer;
+                    SecObj.to_json(Answer);
+                    Answer.set("expiresOn", expiresOn);
+                    return ReturnObject(Answer);
+                }
+                return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+            }
+        }
+        return NotFound();
+    }
+
+} // OpenWifi
--- a/src/RESTAPI/RESTAPI_validate_apikey.h
+++ b/src/RESTAPI/RESTAPI_validate_apikey.h
@@ -0,0 +1,27 @@
+//
+// Created by stephane bourque on 2022-11-07.
+//
+
+#pragma once
+
+#include "framework/RESTAPI_Handler.h"
+
+namespace OpenWifi {
+    class RESTAPI_validate_apikey : public RESTAPIHandler {
+    public:
+        RESTAPI_validate_apikey(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
+                : RESTAPIHandler(bindings, L,
+                                 std::vector<std::string>
+                                         {Poco::Net::HTTPRequest::HTTP_GET,
+                                          Poco::Net::HTTPRequest::HTTP_OPTIONS},
+                                 Server,
+                                 TransactionId,
+                                 Internal) {};
+        static auto PathName() { return std::list<std::string>{"/api/v1/validateApiKey"}; };
+        void DoGet() final;
+        void DoPost() final {};
+        void DoDelete() final {};
+        void DoPut() final {};
+    };
+}
+
--- a/src/RESTAPI/RESTAPI_validate_sub_token_handler.cpp
+++ b/src/RESTAPI/RESTAPI_validate_sub_token_handler.cpp
@@ -0,0 +1,26 @@
+//
+// Created by stephane bourque on 2021-11-30.
+//
+
+#include "RESTAPI_validate_sub_token_handler.h"
+#include "AuthService.h"
+
+namespace OpenWifi {
+    void RESTAPI_validate_sub_token_handler::DoGet() {
+        Poco::URI URI(Request->getURI());
+        auto Parameters = URI.getQueryParameters();
+        for(auto const &i:Parameters) {
+            if (i.first == "token") {
+                //  can we find this token?
+                SecurityObjects::UserInfoAndPolicy SecObj;
+                bool Expired = false;
+                if (AuthService()->IsValidSubToken(i.second, SecObj.webtoken, SecObj.userinfo, Expired)) {
+                    Poco::JSON::Object Obj;
+                    SecObj.to_json(Obj);
+                    return ReturnObject(Obj);
+                }
+            }
+        }
+        return NotFound();
+    }
+}
--- a/src/RESTAPI/RESTAPI_validate_sub_token_handler.h
+++ b/src/RESTAPI/RESTAPI_validate_sub_token_handler.h
@@ -0,0 +1,26 @@
+//
+// Created by stephane bourque on 2021-11-30.
+//
+
+#pragma once
+
+#include "framework/RESTAPI_Handler.h"
+
+namespace OpenWifi {
+    class RESTAPI_validate_sub_token_handler : public RESTAPIHandler {
+    public:
+        RESTAPI_validate_sub_token_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
+        : RESTAPIHandler(bindings, L,
+                         std::vector<std::string>
+                         {Poco::Net::HTTPRequest::HTTP_GET,
+                          Poco::Net::HTTPRequest::HTTP_OPTIONS},
+                          Server,
+                          TransactionId,
+                          Internal) {};
+        static auto PathName() { return std::list<std::string>{"/api/v1/validateSubToken"}; };
+        void DoGet() final;
+        void DoPost() final {};
+        void DoDelete() final {};
+        void DoPut() final {};
+    };
+}
--- a/src/RESTAPI/RESTAPI_validate_token_handler.cpp
+++ b/src/RESTAPI/RESTAPI_validate_token_handler.cpp
@@ -2,18 +2,19 @@
 // Created by stephane bourque on 2021-07-01.
 //

-#include "RESTAPI_validateToken_handler.h"
+#include "RESTAPI_validate_token_handler.h"
 #include "AuthService.h"

 namespace OpenWifi {
-    void RESTAPI_validateToken_handler::DoGet() {
+    void RESTAPI_validate_token_handler::DoGet() {
        Poco::URI URI(Request->getURI());
        auto Parameters = URI.getQueryParameters();
        for(auto const &i:Parameters) {
            if (i.first == "token") {
                //  can we find this token?
                SecurityObjects::UserInfoAndPolicy SecObj;
-                if (AuthService()->IsValidToken(i.second, SecObj.webtoken, SecObj.userinfo)) {
+                bool Expired = false;
+                if (AuthService()->IsValidToken(i.second, SecObj.webtoken, SecObj.userinfo, Expired)) {
                    Poco::JSON::Object Obj;
                    SecObj.to_json(Obj);
                    return ReturnObject(Obj);
--- a/src/RESTAPI/RESTAPI_validate_token_handler.h
+++ b/src/RESTAPI/RESTAPI_validate_token_handler.h
@@ -2,22 +2,22 @@
 // Created by stephane bourque on 2021-07-01.
 //

-#ifndef UCENTRALSEC_RESTAPI_VALIDATETOKEN_HANDLER_H
-#define UCENTRALSEC_RESTAPI_VALIDATETOKEN_HANDLER_H
+#pragma once

-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-    class RESTAPI_validateToken_handler : public RESTAPIHandler {
+    class RESTAPI_validate_token_handler : public RESTAPIHandler {
    public:
-        RESTAPI_validateToken_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, bool Internal)
+        RESTAPI_validate_token_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId, bool Internal)
                : RESTAPIHandler(bindings, L,
                                 std::vector<std::string>
                                         {Poco::Net::HTTPRequest::HTTP_GET,
                                          Poco::Net::HTTPRequest::HTTP_OPTIONS},
                                          Server,
+                                          TransactionId,
                                          Internal) {};
-        static const std::list<const char *> PathName() { return std::list<const char *>{"/api/v1/validateToken"}; };
+        static auto PathName() { return std::list<std::string>{"/api/v1/validateToken"}; };
        void DoGet() final;
        void DoPost() final {};
        void DoDelete() final {};
@@ -25,4 +25,3 @@ namespace OpenWifi {
    };
 }

-#endif //UCENTRALSEC_RESTAPI_VALIDATETOKEN_HANDLER_H
--- a/src/RESTObjects/RESTAPI_AnalyticsObjects.cpp
+++ b/src/RESTObjects/RESTAPI_AnalyticsObjects.cpp
@@ -0,0 +1,624 @@
+//
+// Created by stephane bourque on 2022-01-10.
+//
+
+#include "RESTAPI_AnalyticsObjects.h"
+#include "RESTAPI_ProvObjects.h"
+#include "framework/RESTAPI_utils.h"
+
+using OpenWifi::RESTAPI_utils::field_to_json;
+using OpenWifi::RESTAPI_utils::field_from_json;
+
+namespace OpenWifi::AnalyticsObjects {
+
+    void Report::reset() {
+    }
+
+    void Report::to_json([[maybe_unused]] Poco::JSON::Object &Obj) const {
+    }
+
+    void VenueInfo::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"id",id);
+        field_to_json(Obj,"name",name);
+        field_to_json(Obj,"description",description);
+        field_to_json(Obj,"retention",retention);
+        field_to_json(Obj,"interval",interval);
+        field_to_json(Obj,"monitorSubVenues",monitorSubVenues);
+    }
+
+    bool VenueInfo::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"id",id);
+            field_from_json(Obj,"name",name);
+            field_from_json(Obj,"description",description);
+            field_from_json(Obj,"retention",retention);
+            field_from_json(Obj,"interval",interval);
+            field_from_json(Obj,"monitorSubVenues",monitorSubVenues);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void BoardInfo::to_json(Poco::JSON::Object &Obj) const {
+        info.to_json(Obj);
+        field_to_json(Obj,"venueList",venueList);
+    }
+
+    bool BoardInfo::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            info.from_json(Obj);
+            field_from_json(Obj,"venueList",venueList);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void DeviceInfo::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"boardId",boardId);
+        field_to_json(Obj,"type",type);
+        field_to_json(Obj,"serialNumber",serialNumber);
+        field_to_json(Obj,"deviceType",deviceType);
+        field_to_json(Obj,"lastContact",lastContact);
+        field_to_json(Obj,"lastPing",lastPing);
+        field_to_json(Obj,"lastState",lastState);
+        field_to_json(Obj,"lastFirmware",lastFirmware);
+        field_to_json(Obj,"lastFirmwareUpdate",lastFirmwareUpdate);
+        field_to_json(Obj,"lastConnection",lastConnection);
+        field_to_json(Obj,"lastDisconnection",lastDisconnection);
+        field_to_json(Obj,"pings",pings);
+        field_to_json(Obj,"states",states);
+        field_to_json(Obj,"connected",connected);
+        field_to_json(Obj,"connectionIp",connectionIp);
+        field_to_json(Obj,"associations_2g",associations_2g);
+        field_to_json(Obj,"associations_5g",associations_5g);
+        field_to_json(Obj,"associations_6g",associations_6g);
+        field_to_json(Obj,"health",health);
+        field_to_json(Obj,"lastHealth",lastHealth);
+        field_to_json(Obj,"locale",locale);
+        field_to_json(Obj,"uptime",uptime);
+        field_to_json(Obj,"memory",memory);
+    }
+
+    bool DeviceInfo::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"boardId",boardId);
+            field_from_json(Obj,"type",type);
+            field_from_json(Obj,"serialNumber",serialNumber);
+            field_from_json(Obj,"deviceType",deviceType);
+            field_from_json(Obj,"lastContact",lastContact);
+            field_from_json(Obj,"lastPing",lastPing);
+            field_from_json(Obj,"lastState",lastState);
+            field_from_json(Obj,"lastFirmware",lastFirmware);
+            field_from_json(Obj,"lastFirmwareUpdate",lastFirmwareUpdate);
+            field_from_json(Obj,"lastConnection",lastConnection);
+            field_from_json(Obj,"lastDisconnection",lastDisconnection);
+            field_from_json(Obj,"pings",pings);
+            field_from_json(Obj,"states",states);
+            field_from_json(Obj,"connected",connected);
+            field_from_json(Obj,"connectionIp",connectionIp);
+            field_from_json(Obj,"associations_2g",associations_2g);
+            field_from_json(Obj,"associations_5g",associations_5g);
+            field_from_json(Obj,"associations_6g",associations_6g);
+            field_from_json(Obj,"health",health);
+            field_from_json(Obj,"lastHealth",lastHealth);
+            field_from_json(Obj,"locale",locale);
+            field_from_json(Obj,"uptime",uptime);
+            field_from_json(Obj,"memory",memory);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void DeviceInfoList::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"devices",devices);
+    }
+
+    bool DeviceInfoList::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"devices",devices);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void UE_rate::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"bitrate",bitrate);
+        field_to_json(Obj,"mcs",mcs);
+        field_to_json(Obj,"nss",nss);
+        field_to_json(Obj,"ht",ht);
+        field_to_json(Obj,"sgi",sgi);
+        field_to_json(Obj,"chwidth",chwidth);
+    }
+
+    bool UE_rate::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"bitrate",bitrate);
+            field_from_json(Obj,"mcs",mcs);
+            field_from_json(Obj,"nss",nss);
+            field_from_json(Obj,"ht",ht);
+            field_from_json(Obj,"sgi",sgi);
+            field_from_json(Obj,"chwidth",chwidth);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void UETimePoint::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"station",station);
+        field_to_json(Obj,"rssi",rssi);
+        field_to_json(Obj,"tx_bytes",tx_bytes);
+        field_to_json(Obj,"rx_bytes",rx_bytes);
+        field_to_json(Obj,"tx_duration",tx_duration);
+        field_to_json(Obj,"rx_packets",rx_packets);
+        field_to_json(Obj,"tx_packets",tx_packets);
+        field_to_json(Obj,"tx_retries",tx_retries);
+        field_to_json(Obj,"tx_failed",tx_failed);
+        field_to_json(Obj,"connected",connected);
+        field_to_json(Obj,"inactive",inactive);
+        field_to_json(Obj,"tx_rate",tx_rate);
+        field_to_json(Obj,"rx_rate",rx_rate);
+//      field_to_json(Obj, "tidstats", tidstats);
+
+        field_to_json(Obj,"tx_bytes_bw",tx_bytes_bw);
+        field_to_json(Obj,"rx_bytes_bw",rx_bytes_bw);
+        field_to_json(Obj,"tx_packets_bw",tx_packets_bw);
+        field_to_json(Obj,"rx_packets_bw",rx_packets_bw);
+        field_to_json(Obj,"tx_failed_pct",tx_failed_pct);
+        field_to_json(Obj,"tx_retries_pct",tx_retries_pct);
+        field_to_json(Obj,"tx_duration_pct",tx_duration_pct);
+
+        field_to_json(Obj,"tx_bytes_delta",tx_bytes_delta);
+        field_to_json(Obj,"rx_bytes_delta",rx_bytes_delta);
+        field_to_json(Obj,"tx_packets_delta",tx_packets_delta);
+        field_to_json(Obj,"rx_packets_delta",rx_packets_delta);
+        field_to_json(Obj,"tx_failed_delta",tx_failed_delta);
+        field_to_json(Obj,"tx_retries_delta",tx_retries_delta);
+        field_to_json(Obj,"tx_duration_delta",tx_duration_delta);
+    }
+
+    bool UETimePoint::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"station",station);
+            field_from_json(Obj,"rssi",rssi);
+            field_from_json(Obj,"tx_bytes",tx_bytes);
+            field_from_json(Obj,"rx_bytes",rx_bytes);
+            field_from_json(Obj,"tx_duration",tx_duration);
+            field_from_json(Obj,"rx_packets",rx_packets);
+            field_from_json(Obj,"tx_packets",tx_packets);
+            field_from_json(Obj,"tx_retries",tx_retries);
+            field_from_json(Obj,"tx_failed",tx_failed);
+            field_from_json(Obj,"connected",connected);
+            field_from_json(Obj,"inactive",inactive);
+            field_from_json(Obj,"tx_rate",tx_rate);
+            field_from_json(Obj,"rx_rate",rx_rate);
+//          field_from_json(Obj,"tidstats",tidstats);
+            field_from_json(Obj,"tx_bytes_bw",tx_bytes_bw);
+            field_from_json(Obj,"rx_bytes_bw",rx_bytes_bw);
+            field_from_json(Obj,"tx_packets_bw",tx_packets_bw);
+            field_from_json(Obj,"rx_packets_bw",rx_packets_bw);
+            field_from_json(Obj,"tx_failed_pct",tx_failed_pct);
+            field_from_json(Obj,"tx_retries_pct",tx_retries_pct);
+            field_from_json(Obj,"tx_duration_pct",tx_duration_pct);
+            field_from_json(Obj,"tx_bytes_delta",tx_bytes_delta);
+            field_from_json(Obj,"rx_bytes_delta",rx_bytes_delta);
+            field_from_json(Obj,"tx_packets_delta",tx_packets_delta);
+            field_from_json(Obj,"rx_packets_delta",rx_packets_delta);
+            field_from_json(Obj,"tx_failed_delta",tx_failed_delta);
+            field_from_json(Obj,"tx_retries_delta",tx_retries_delta);
+            field_from_json(Obj,"tx_duration_delta",tx_duration_delta);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void APTimePoint::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"collisions",collisions);
+        field_to_json(Obj,"multicast",multicast);
+        field_to_json(Obj,"rx_bytes",rx_bytes);
+        field_to_json(Obj,"rx_dropped",rx_dropped);
+        field_to_json(Obj,"rx_errors",rx_errors);
+        field_to_json(Obj,"rx_packets",rx_packets);
+        field_to_json(Obj,"tx_bytes",tx_bytes);
+        field_to_json(Obj,"tx_packets",tx_packets);
+        field_to_json(Obj,"tx_dropped",tx_dropped);
+        field_to_json(Obj,"tx_errors",tx_errors);
+        field_to_json(Obj,"tx_packets",tx_packets);
+
+        field_to_json(Obj,"tx_bytes_bw",tx_bytes_bw);
+        field_to_json(Obj,"rx_bytes_bw",rx_bytes_bw);
+        field_to_json(Obj,"rx_dropped_pct",rx_dropped_pct);
+        field_to_json(Obj,"tx_dropped_pct",tx_dropped_pct);
+        field_to_json(Obj,"rx_packets_bw",rx_packets_bw);
+        field_to_json(Obj,"tx_packets_bw",tx_packets_bw);
+        field_to_json(Obj,"rx_errors_pct",rx_errors_pct);
+        field_to_json(Obj,"tx_errors_pct",tx_errors_pct);
+
+        field_to_json(Obj,"tx_bytes_delta",tx_bytes_delta);
+        field_to_json(Obj,"rx_bytes_delta",rx_bytes_delta);
+        field_to_json(Obj,"rx_dropped_delta",rx_dropped_delta);
+        field_to_json(Obj,"tx_dropped_delta",tx_dropped_delta);
+        field_to_json(Obj,"rx_packets_delta",rx_packets_delta);
+        field_to_json(Obj,"tx_packets_delta",tx_packets_delta);
+        field_to_json(Obj,"rx_errors_delta",rx_errors_delta);
+        field_to_json(Obj,"tx_errors_delta",tx_errors_delta);
+    }
+
+    bool APTimePoint::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"collisions",collisions);
+            field_from_json(Obj,"multicast",multicast);
+            field_from_json(Obj,"rx_bytes",rx_bytes);
+            field_from_json(Obj,"rx_dropped",rx_dropped);
+            field_from_json(Obj,"rx_errors",rx_errors);
+            field_from_json(Obj,"rx_packets",rx_packets);
+            field_from_json(Obj,"tx_bytes",tx_bytes);
+            field_from_json(Obj,"tx_packets",tx_packets);
+            field_from_json(Obj,"tx_dropped",tx_dropped);
+            field_from_json(Obj,"tx_errors",tx_errors);
+            field_from_json(Obj,"tx_packets",tx_packets);
+
+            field_from_json(Obj,"tx_bytes_bw",tx_bytes_bw);
+            field_from_json(Obj,"rx_bytes_bw",rx_bytes_bw);
+            field_from_json(Obj,"rx_dropped_pct",rx_dropped_pct);
+            field_from_json(Obj,"tx_dropped_pct",tx_dropped_pct);
+            field_from_json(Obj,"rx_packets_bw",rx_packets_bw);
+            field_from_json(Obj,"tx_packets_bw",tx_packets_bw);
+            field_from_json(Obj,"rx_errors_pct",rx_errors_pct);
+            field_from_json(Obj,"tx_errors_pct",tx_errors_pct);
+
+            field_from_json(Obj,"tx_bytes_delta",tx_bytes_delta);
+            field_from_json(Obj,"rx_bytes_delta",rx_bytes_delta);
+            field_from_json(Obj,"rx_dropped_delta",rx_dropped_delta);
+            field_from_json(Obj,"tx_dropped_delta",tx_dropped_delta);
+            field_from_json(Obj,"rx_packets_delta",rx_packets_delta);
+            field_from_json(Obj,"tx_packets_delta",tx_packets_delta);
+            field_from_json(Obj,"rx_errors_delta",rx_errors_delta);
+            field_from_json(Obj,"tx_errors_delta",tx_errors_delta);
+
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void TIDstat_entry::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"rx_msdu",rx_msdu);
+        field_to_json(Obj,"tx_msdu",tx_msdu);
+        field_to_json(Obj,"tx_msdu_failed",tx_msdu_failed);
+        field_to_json(Obj,"tx_msdu_retries",tx_msdu_retries);
+    }
+
+    bool TIDstat_entry::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"rx_msdu",rx_msdu);
+            field_from_json(Obj,"tx_msdu",tx_msdu);
+            field_from_json(Obj,"tx_msdu_failed",tx_msdu_failed);
+            field_from_json(Obj,"tx_msdu_retries",tx_msdu_retries);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void RadioTimePoint::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"band",band);
+        field_to_json(Obj,"channel_width",channel_width);
+        field_to_json(Obj,"active_ms",active_ms);
+        field_to_json(Obj,"busy_ms",busy_ms);
+        field_to_json(Obj,"receive_ms",receive_ms);
+        field_to_json(Obj,"transmit_ms",transmit_ms);
+        field_to_json(Obj,"tx_power",tx_power);
+        field_to_json(Obj,"channel",channel);
+        field_to_json(Obj,"temperature",temperature);
+        field_to_json(Obj,"noise",noise);
+        field_to_json(Obj,"active_pct",active_pct);
+        field_to_json(Obj,"busy_pct",busy_pct);
+        field_to_json(Obj,"receive_pct",receive_pct);
+        field_to_json(Obj,"transmit_pct",transmit_pct);
+    }
+
+    bool RadioTimePoint::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"band",band);
+            field_from_json(Obj,"channel_width",channel_width);
+            field_from_json(Obj,"active_ms",active_ms);
+            field_from_json(Obj,"busy_ms",busy_ms);
+            field_from_json(Obj,"receive_ms",receive_ms);
+            field_from_json(Obj,"transmit_ms",transmit_ms);
+            field_from_json(Obj,"tx_power",tx_power);
+            field_from_json(Obj,"channel",channel);
+            field_from_json(Obj,"temperature",temperature);
+            field_from_json(Obj,"noise",noise);
+            field_from_json(Obj,"active_pct",active_pct);
+            field_from_json(Obj,"busy_pct",busy_pct);
+            field_from_json(Obj,"receive_pct",receive_pct);
+            field_from_json(Obj,"transmit_pct",transmit_pct);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void AveragePoint::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"min",min);
+        field_to_json(Obj,"max",max);
+        field_to_json(Obj,"avg",avg);
+    }
+
+    bool AveragePoint::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"min",min);
+            field_from_json(Obj,"max",max);
+            field_from_json(Obj,"avg",avg);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void SSIDTimePoint::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"bssid",bssid);
+        field_to_json(Obj,"mode",mode);
+        field_to_json(Obj,"ssid",ssid);
+        field_to_json(Obj,"band",band);
+        field_to_json(Obj,"channel",channel);
+        field_to_json(Obj,"associations",associations);
+        field_to_json(Obj,"tx_bytes_bw",tx_bytes_bw);
+        field_to_json(Obj,"rx_bytes_bw",rx_bytes_bw);
+        field_to_json(Obj,"tx_packets_bw",tx_packets_bw);
+        field_to_json(Obj,"rx_packets_bw",rx_packets_bw);
+        field_to_json(Obj,"tx_failed_pct",tx_failed_pct);
+        field_to_json(Obj,"tx_retries_pct",tx_retries_pct);
+        field_to_json(Obj,"tx_duration_pct",tx_duration_pct);
+    }
+
+    bool SSIDTimePoint::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"bssid",bssid);
+            field_from_json(Obj,"mode",mode);
+            field_from_json(Obj,"ssid",ssid);
+            field_from_json(Obj,"band",band);
+            field_from_json(Obj,"channel",channel);
+            field_from_json(Obj,"associations",associations);
+            field_from_json(Obj,"tx_bytes_bw",tx_bytes_bw);
+            field_from_json(Obj,"rx_bytes_bw",rx_bytes_bw);
+            field_from_json(Obj,"tx_packets_bw",tx_packets_bw);
+            field_from_json(Obj,"rx_packets_bw",rx_packets_bw);
+            field_from_json(Obj,"tx_failed_pct",tx_failed_pct);
+            field_from_json(Obj,"tx_retries_pct",tx_retries_pct);
+            field_from_json(Obj,"tx_duration_pct",tx_duration_pct);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void DeviceTimePoint::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"id",id);
+        field_to_json(Obj,"boardId",boardId);
+        field_to_json(Obj,"timestamp",timestamp);
+        field_to_json(Obj,"ap_data",ap_data);
+        field_to_json(Obj,"ssid_data",ssid_data);
+        field_to_json(Obj,"radio_data",radio_data);
+        field_to_json(Obj,"device_info",device_info);
+        field_to_json(Obj,"serialNumber",serialNumber);
+    }
+
+    bool DeviceTimePoint::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"id",id);
+            field_from_json(Obj,"boardId",boardId);
+            field_from_json(Obj,"timestamp",timestamp);
+            field_from_json(Obj,"ap_data",ap_data);
+            field_from_json(Obj,"ssid_data",ssid_data);
+            field_from_json(Obj,"radio_data",radio_data);
+            field_from_json(Obj,"device_info",device_info);
+            field_from_json(Obj,"serialNumber",serialNumber);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void DeviceTimePointAnalysis::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"noise",noise);
+        field_to_json(Obj,"temperature",temperature);
+        field_to_json(Obj,"active_pct",active_pct);
+        field_to_json(Obj,"busy_pct",busy_pct);
+        field_to_json(Obj,"receive_pct",receive_pct);
+        field_to_json(Obj,"transmit_pct",transmit_pct);
+        field_to_json(Obj,"tx_power",tx_power);
+        field_to_json(Obj,"tx_bytes_bw",tx_bytes_bw);
+        field_to_json(Obj,"rx_bytes_bw",rx_bytes_bw);
+        field_to_json(Obj,"rx_dropped_pct",rx_dropped_pct);
+        field_to_json(Obj,"tx_dropped_pct",tx_dropped_pct);
+        field_to_json(Obj,"rx_packets_bw",rx_packets_bw);
+        field_to_json(Obj,"tx_packets_bw",tx_packets_bw);
+        field_to_json(Obj,"rx_errors_pct",rx_errors_pct);
+        field_to_json(Obj,"tx_errors_pct",tx_errors_pct);
+    }
+
+    bool DeviceTimePointAnalysis::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"noise",noise);
+            field_from_json(Obj,"temperature",temperature);
+            field_from_json(Obj,"active_pct",active_pct);
+            field_from_json(Obj,"busy_pct",busy_pct);
+            field_from_json(Obj,"receive_pct",receive_pct);
+            field_from_json(Obj,"transmit_pct",transmit_pct);
+            field_from_json(Obj,"tx_power",tx_power);
+            field_from_json(Obj,"tx_bytes_bw",tx_bytes_bw);
+            field_from_json(Obj,"rx_bytes_bw",rx_bytes_bw);
+            field_from_json(Obj,"rx_dropped_pct",rx_dropped_pct);
+            field_from_json(Obj,"tx_dropped_pct",tx_dropped_pct);
+            field_from_json(Obj,"rx_packets_bw",rx_packets_bw);
+            field_from_json(Obj,"tx_packets_bw",tx_packets_bw);
+            field_from_json(Obj,"rx_errors_pct",rx_errors_pct);
+            field_from_json(Obj,"tx_errors_pct",tx_errors_pct);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void DeviceTimePointList::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"points",points);
+        field_to_json(Obj,"stats",stats);
+    }
+
+    bool DeviceTimePointList::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"points",points);
+            field_from_json(Obj,"stats",stats);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void DeviceTimePointStats::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"firstPoint",firstPoint);
+        field_to_json(Obj,"lastPoint",lastPoint);
+        field_to_json(Obj,"count",count);
+    }
+
+    bool DeviceTimePointStats::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"firstPoint",firstPoint);
+            field_from_json(Obj,"lastPoint",lastPoint);
+            field_from_json(Obj,"count",count);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void WifiClientRate::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"bitrate",bitrate);
+        field_to_json(Obj,"chwidth",chwidth);
+        field_to_json(Obj,"mcs",mcs);
+        field_to_json(Obj,"nss",nss);
+        field_to_json(Obj,"vht",vht);
+    }
+
+    bool WifiClientRate::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"bitrate",bitrate);
+            field_from_json(Obj,"chwidth",chwidth);
+            field_from_json(Obj,"mcs",mcs);
+            field_from_json(Obj,"nss",nss);
+            field_from_json(Obj,"vht",vht);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void WifiClientHistory::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"timestamp",timestamp);
+        field_to_json(Obj,"station_id",station_id);
+        field_to_json(Obj,"bssid",bssid);
+        field_to_json(Obj,"ssid",ssid);
+        field_to_json(Obj,"rssi",rssi);
+        field_to_json(Obj,"rx_bitrate",rx_bitrate);
+        field_to_json(Obj,"rx_chwidth",rx_chwidth);
+        field_to_json(Obj,"rx_mcs",rx_mcs);
+        field_to_json(Obj,"rx_nss",rx_nss);
+        field_to_json(Obj,"rx_vht",rx_vht);
+        field_to_json(Obj,"tx_bitrate",tx_bitrate);
+        field_to_json(Obj,"tx_chwidth",tx_chwidth);
+        field_to_json(Obj,"tx_mcs",tx_mcs);
+        field_to_json(Obj,"tx_nss",tx_nss);
+        field_to_json(Obj,"tx_vht",tx_vht);
+        field_to_json(Obj,"rx_bytes",rx_bytes);
+        field_to_json(Obj,"tx_bytes",tx_bytes);
+        field_to_json(Obj,"rx_duration",rx_duration);
+        field_to_json(Obj,"tx_duration",tx_duration);
+        field_to_json(Obj,"rx_packets",rx_packets);
+        field_to_json(Obj,"tx_packets",tx_packets);
+        field_to_json(Obj,"ipv4",ipv4);
+        field_to_json(Obj,"ipv6",ipv6);
+        field_to_json(Obj,"channel_width",channel_width);
+        field_to_json(Obj,"noise",noise);
+        field_to_json(Obj,"tx_power",tx_power);
+        field_to_json(Obj,"channel",channel);
+        field_to_json(Obj,"active_ms",active_ms);
+        field_to_json(Obj,"busy_ms",busy_ms);
+        field_to_json(Obj,"receive_ms",receive_ms);
+        field_to_json(Obj,"mode",mode);
+        field_to_json(Obj,"ack_signal",ack_signal);
+        field_to_json(Obj,"ack_signal_avg",ack_signal_avg);
+        field_to_json(Obj,"connected",connected);
+        field_to_json(Obj,"inactive",inactive);
+        field_to_json(Obj,"tx_retries",tx_retries);
+        field_to_json(Obj,"venue_id",venue_id);
+    }
+
+    bool WifiClientHistory::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"timestamp",timestamp);
+            field_from_json(Obj,"station_id",station_id);
+            field_from_json(Obj,"bssid",bssid);
+            field_from_json(Obj,"ssid",ssid);
+            field_from_json(Obj,"rssi",rssi);
+            field_from_json(Obj,"rx_bitrate",rx_bitrate);
+            field_from_json(Obj,"rx_chwidth",rx_chwidth);
+            field_from_json(Obj,"rx_mcs",rx_mcs);
+            field_from_json(Obj,"rx_nss",rx_nss);
+            field_from_json(Obj,"rx_vht",rx_vht);
+            field_from_json(Obj,"tx_bitrate",tx_bitrate);
+            field_from_json(Obj,"tx_chwidth",tx_chwidth);
+            field_from_json(Obj,"tx_mcs",tx_mcs);
+            field_from_json(Obj,"tx_nss",tx_nss);
+            field_from_json(Obj,"tx_vht",tx_vht);
+            field_from_json(Obj,"rx_bytes",rx_bytes);
+            field_from_json(Obj,"tx_bytes",tx_bytes);
+            field_from_json(Obj,"rx_duration",rx_duration);
+            field_from_json(Obj,"tx_duration",tx_duration);
+            field_from_json(Obj,"rx_packets",rx_packets);
+            field_from_json(Obj,"tx_packets",tx_packets);
+            field_from_json(Obj,"ipv4",ipv4);
+            field_from_json(Obj,"ipv6",ipv6);
+            field_from_json(Obj,"channel_width",channel_width);
+            field_from_json(Obj,"noise",noise);
+            field_from_json(Obj,"tx_power",tx_power);
+            field_from_json(Obj,"channel",channel);
+            field_from_json(Obj,"active_ms",active_ms);
+            field_from_json(Obj,"busy_ms",busy_ms);
+            field_from_json(Obj,"receive_ms",receive_ms);
+            field_from_json(Obj,"mode",mode);
+            field_from_json(Obj,"ack_signal",ack_signal);
+            field_from_json(Obj,"ack_signal_avg",ack_signal_avg);
+            field_from_json(Obj,"connected",connected);
+            field_from_json(Obj,"inactive",inactive);
+            field_from_json(Obj,"tx_retries",tx_retries);
+            field_from_json(Obj,"venue_id",venue_id);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+}
--- a/src/RESTObjects/RESTAPI_AnalyticsObjects.h
+++ b/src/RESTObjects/RESTAPI_AnalyticsObjects.h
@@ -0,0 +1,423 @@
+//
+// Created by stephane bourque on 2022-01-10.
+//
+
+#pragma once
+
+#include "RESTAPI_ProvObjects.h"
+#include "framework/utils.h"
+#include <vector>
+
+namespace OpenWifi {
+
+    namespace AnalyticsObjects {
+
+        struct Report {
+            uint64_t snapShot = 0;
+
+            void reset();
+
+            void to_json(Poco::JSON::Object &Obj) const;
+        };
+
+        struct VenueInfo {
+            OpenWifi::Types::UUID_t id;
+            std::string name;
+            std::string description;
+            uint64_t retention = 0;
+            uint64_t interval = 0;
+            bool monitorSubVenues = false;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+        struct BoardInfo {
+            ProvObjects::ObjectInfo info;
+            std::vector<VenueInfo> venueList;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+
+            inline bool operator<(const BoardInfo &bb) const {
+                return info.id < bb.info.id;
+            }
+
+            inline bool operator==(const BoardInfo &bb) const {
+                return info.id == bb.info.id;
+            }
+        };
+
+        struct DeviceInfo {
+            std::string boardId;
+            std::string type;
+            std::string serialNumber;
+            std::string deviceType;
+            uint64_t lastContact = 0 ;
+            uint64_t lastPing = 0;
+            uint64_t lastState = 0;
+            std::string lastFirmware;
+            uint64_t lastFirmwareUpdate = 0;
+            uint64_t lastConnection = 0;
+            uint64_t lastDisconnection = 0;
+            uint64_t pings = 0;
+            uint64_t states = 0;
+            bool connected = false;
+            std::string connectionIp;
+            uint64_t associations_2g = 0;
+            uint64_t associations_5g = 0;
+            uint64_t associations_6g = 0;
+            uint64_t health = 0;
+            uint64_t lastHealth = 0;
+            std::string locale;
+            uint64_t uptime = 0;
+            double memory = 0.0;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+        struct DeviceInfoList {
+            std::vector<DeviceInfo> devices;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+        enum wifi_band {
+            band_2g = 0, band_5g = 1, band_6g = 2
+        };
+
+        struct TIDstat_entry {
+            uint64_t rx_msdu = 0,
+                    tx_msdu = 0,
+                    tx_msdu_failed = 0,
+                    tx_msdu_retries = 0;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+        struct UE_rate {
+            uint64_t    bitrate=0;
+            uint64_t    mcs=0;
+            uint64_t    nss=0;
+            bool        ht=false;
+            bool        sgi=false;
+            uint64_t    chwidth=0;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+        struct AveragePoint {
+            double      min = 0.0,
+                        max = 0.0,
+                        avg = 0.0;
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+        struct UETimePoint {
+            std::string station;
+            int64_t rssi = 0;
+            uint64_t tx_bytes = 0,
+                    rx_bytes = 0,
+                    tx_duration = 0,
+                    rx_packets = 0,
+                    tx_packets = 0,
+                    tx_retries = 0,
+                    tx_failed = 0,
+                    connected = 0,
+                    inactive = 0;
+
+            double  tx_bytes_bw = 0.0 ,
+                    rx_bytes_bw = 0.0 ,
+                    tx_packets_bw = 0.0 ,
+                    rx_packets_bw = 0.0 ,
+                    tx_failed_pct = 0.0 ,
+                    tx_retries_pct = 0.0 ,
+                    tx_duration_pct = 0.0;
+
+            uint64_t    tx_bytes_delta = 0,
+                        rx_bytes_delta = 0,
+                        tx_duration_delta = 0,
+                        rx_packets_delta = 0,
+                        tx_packets_delta = 0,
+                        tx_retries_delta = 0,
+                        tx_failed_delta = 0;
+
+            UE_rate tx_rate,
+                    rx_rate;
+            std::vector<TIDstat_entry> tidstats;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+        enum SSID_MODES {
+            unknown = 0,
+            ap,
+            mesh,
+            sta,
+            wds_ap,
+            wds_sta,
+            wds_repeater
+        };
+
+        inline SSID_MODES SSID_Mode(const std::string &m) {
+            if (m == "ap")
+                return ap;
+            if (m == "sta")
+                return sta;
+            if (m == "mesh")
+                return mesh;
+            if (m == "wds-ap")
+                return wds_ap;
+            if (m == "wds-sta")
+                return wds_sta;
+            if (m == "wds-repeater")
+                return wds_repeater;
+            return unknown;
+        }
+
+        struct SSIDTimePoint {
+            std::string bssid,
+                        mode,
+                        ssid;
+            uint64_t    band=0,
+                        channel=0;
+            std::vector<UETimePoint> associations;
+
+            AveragePoint    tx_bytes_bw,
+                            rx_bytes_bw,
+                            tx_packets_bw,
+                            rx_packets_bw,
+                            tx_failed_pct,
+                            tx_retries_pct,
+                            tx_duration_pct;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+
+        struct APTimePoint {
+            uint64_t    collisions = 0,
+                        multicast = 0,
+                        rx_bytes = 0,
+                        rx_dropped = 0,
+                        rx_errors = 0,
+                        rx_packets = 0,
+                        tx_bytes = 0,
+                        tx_dropped = 0,
+                        tx_errors = 0,
+                        tx_packets = 0;
+
+            double      tx_bytes_bw = 0.0 ,
+                        rx_bytes_bw = 0.0 ,
+                        rx_dropped_pct = 0.0,
+                        tx_dropped_pct = 0.0,
+                        rx_packets_bw = 0.0,
+                        tx_packets_bw = 0.0,
+                        rx_errors_pct = 0.0 ,
+                        tx_errors_pct = 0.0;
+
+            uint64_t    tx_bytes_delta = 0,
+                        rx_bytes_delta = 0 ,
+                        rx_dropped_delta = 0,
+                        tx_dropped_delta = 0,
+                        rx_packets_delta = 0,
+                        tx_packets_delta = 0,
+                        rx_errors_delta = 0,
+                        tx_errors_delta = 0;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+        struct RadioTimePoint {
+            uint64_t    band = 0,
+                        channel_width = 0;
+            uint64_t    active_ms = 0,
+                        busy_ms = 0,
+                        receive_ms = 0,
+                        transmit_ms = 0,
+                        tx_power = 0,
+                        channel = 0;
+            int64_t     temperature = 0,
+                        noise = 0;
+
+            double      active_pct = 0.0 ,
+                        busy_pct = 0.0,
+                        receive_pct = 0.0,
+                        transmit_pct = 0.0;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+
+        struct DeviceTimePoint {
+            std::string                     id;
+            std::string                     boardId;
+            uint64_t                        timestamp = 0;
+            APTimePoint                     ap_data;
+            std::vector<SSIDTimePoint>      ssid_data;
+            std::vector<RadioTimePoint>     radio_data;
+            AnalyticsObjects::DeviceInfo    device_info;
+            std::string                     serialNumber;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+
+            inline bool operator<(const DeviceTimePoint &rhs) const {
+                if(timestamp < rhs.timestamp)
+                    return true;
+                if(timestamp > rhs.timestamp)
+                    return false;
+                if(device_info.serialNumber < rhs.device_info.serialNumber)
+                    return true;
+                return false;
+            }
+
+            inline bool operator==(const DeviceTimePoint &rhs) const {
+                return timestamp==rhs.timestamp && device_info.serialNumber==rhs.device_info.serialNumber;
+            }
+
+            inline bool operator>(const DeviceTimePoint &rhs) const {
+                if(timestamp > rhs.timestamp)
+                    return true;
+                if(timestamp < rhs.timestamp)
+                    return false;
+                if(device_info.serialNumber > rhs.device_info.serialNumber)
+                    return true;
+                return false;
+            }
+
+        };
+
+        struct DeviceTimePointAnalysis {
+            uint64_t        timestamp;
+
+            AveragePoint    noise;
+            AveragePoint    temperature;
+            AveragePoint    active_pct;
+            AveragePoint    busy_pct;
+            AveragePoint    receive_pct;
+            AveragePoint    transmit_pct;
+            AveragePoint    tx_power;
+
+            AveragePoint    tx_bytes_bw;
+            AveragePoint    rx_bytes_bw;
+            AveragePoint    rx_dropped_pct;
+            AveragePoint    tx_dropped_pct;
+            AveragePoint    rx_packets_bw;
+            AveragePoint    tx_packets_bw;
+            AveragePoint    rx_errors_pct;
+            AveragePoint    tx_errors_pct;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+
+        };
+
+        struct DeviceTimePointList {
+            std::vector<DeviceTimePoint>            points;
+            std::vector<DeviceTimePointAnalysis>    stats;
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+        struct BandwidthAnalysisEntry {
+            uint64_t    timestamp = 0;
+
+        };
+
+        struct BandwidthAnalysis {
+
+        };
+
+        struct AverageValueSigned {
+            int64_t     peak=0, avg=0, low=0;
+        };
+
+        struct AverageValueUnsigned {
+            uint64_t     peak=0, avg=0, low=0;
+        };
+
+        struct RadioAnalysis {
+            uint64_t                timestamp=0;
+            AverageValueSigned      noise, temperature;
+            AverageValueUnsigned    active_ms,
+                                    busy_ms,
+                                    transmit_ms,
+                                    receive_ms;
+        };
+
+        struct DeviceTimePointStats {
+            uint64_t                firstPoint=0;
+            uint64_t                lastPoint=0;
+            uint64_t                count=0;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+        struct WifiClientRate {
+            uint32_t    bitrate=0;
+            uint32_t    chwidth=0;
+            uint16_t    mcs=0;
+            uint16_t    nss=0;
+            bool        vht=false;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+        struct WifiClientHistory {
+            uint64_t        timestamp=Utils::Now();
+            std::string     station_id;
+            std::string     bssid;
+            std::string     ssid;
+            int64_t         rssi=0;
+            uint32_t        rx_bitrate=0;
+            uint32_t        rx_chwidth=0;
+            uint16_t        rx_mcs=0;
+            uint16_t        rx_nss=0;
+            bool            rx_vht=false;
+            uint32_t        tx_bitrate=0;
+            uint32_t        tx_chwidth=0;
+            uint16_t        tx_mcs=0;
+            uint16_t        tx_nss=0;
+            bool            tx_vht=false;
+            uint64_t        rx_bytes=0;
+            uint64_t        tx_bytes=0;
+            uint64_t        rx_duration=0;
+            uint64_t        tx_duration=0;
+            uint64_t        rx_packets=0;
+            uint64_t        tx_packets=0;
+            std::string     ipv4;
+            std::string     ipv6;
+            uint64_t        channel_width=0;
+            int64_t         noise=0;
+            uint64_t        tx_power=0;
+            uint64_t        channel=0;
+            uint64_t        active_ms=0;
+            uint64_t        busy_ms=0;
+            uint64_t        receive_ms=0;
+            std::string     mode;
+            int64_t         ack_signal=0;
+            int64_t         ack_signal_avg=0;
+            uint64_t        connected=0;
+            uint64_t        inactive=0;
+            uint64_t        tx_retries=0;
+            std::string     venue_id;
+
+            void to_json(Poco::JSON::Object &Obj) const;
+            bool from_json(const Poco::JSON::Object::Ptr &Obj);
+        };
+
+    }
+
+}
--- a/src/RESTObjects/RESTAPI_CertObjects.cpp
+++ b/src/RESTObjects/RESTAPI_CertObjects.cpp
@@ -0,0 +1,210 @@
+//
+// Created by stephane bourque on 2021-12-07.
+//
+
+#include "RESTAPI_CertObjects.h"
+#include "framework/RESTAPI_utils.h"
+
+using OpenWifi::RESTAPI_utils::field_to_json;
+using OpenWifi::RESTAPI_utils::field_from_json;
+
+namespace OpenWifi::CertObjects {
+    void CertificateEntry::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"id", id);
+        field_to_json(Obj,"entity", entity);
+        field_to_json(Obj,"creator", creator);
+        field_to_json(Obj,"type", type);
+        field_to_json(Obj,"status", status);
+        field_to_json(Obj,"certificate", certificate);
+        field_to_json(Obj,"key", key);
+        field_to_json(Obj,"devid", devid);
+        field_to_json(Obj,"cas", cas);
+        field_to_json(Obj,"manufacturer", manufacturer);
+        field_to_json(Obj,"model", model);
+        field_to_json(Obj,"redirector", redirector);
+        field_to_json(Obj,"commonName", commonName);
+        field_to_json(Obj,"certificateId", certificateId);
+        field_to_json(Obj,"batch", batch);
+        field_to_json(Obj,"created", created);
+        field_to_json(Obj,"modified", modified);
+        field_to_json(Obj,"revoked", revoked);
+        field_to_json(Obj,"revokeCount", revokeCount);
+        field_to_json(Obj,"synched", synched);
+    }
+
+    bool CertificateEntry::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"id", id);
+            field_from_json(Obj,"entity", entity);
+            field_from_json(Obj,"creator", creator);
+            field_from_json(Obj,"type", type);
+            field_from_json(Obj,"status", status);
+            field_from_json(Obj,"certificate", certificate);
+            field_from_json(Obj,"key", key);
+            field_from_json(Obj,"devid", devid);
+            field_from_json(Obj,"cas", cas);
+            field_from_json(Obj,"manufacturer", manufacturer);
+            field_from_json(Obj,"model", model);
+            field_from_json(Obj,"redirector", redirector);
+            field_from_json(Obj,"commonName", commonName);
+            field_from_json(Obj,"certificateId", certificateId);
+            field_from_json(Obj,"batch", batch);
+            field_from_json(Obj,"created", created);
+            field_from_json(Obj,"modified", modified);
+            field_from_json(Obj,"revoked", revoked);
+            field_from_json(Obj,"revokeCount", revokeCount);
+            field_from_json(Obj,"synched", synched);
+            return true;
+        } catch (...) {
+        }
+        return false;
+    }
+
+    void EntityEntry::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"id", id);
+        field_to_json(Obj,"creator", creator);
+        field_to_json(Obj,"name", name);
+        field_to_json(Obj,"description", description);
+        field_to_json(Obj,"defaultRedirector", defaultRedirector);
+        field_to_json(Obj,"apiKey", apiKey);
+        field_to_json(Obj,"serverEnrollmentProfile", serverEnrollmentProfile);
+        field_to_json(Obj,"clientEnrollmentProfile", clientEnrollmentProfile);
+        field_to_json(Obj,"organization", organization);
+        field_to_json(Obj,"created", created);
+        field_to_json(Obj,"modified", modified);
+        field_to_json(Obj,"suspended", suspended);
+        field_to_json(Obj,"deleted", deleted);
+        field_to_json(Obj,"notes", notes);
+    }
+
+    bool EntityEntry::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"id", id);
+            field_from_json(Obj,"creator", creator);
+            field_from_json(Obj,"name", name);
+            field_from_json(Obj,"description", description);
+            field_from_json(Obj,"defaultRedirector", defaultRedirector);
+            field_from_json(Obj,"apiKey", apiKey);
+            field_from_json(Obj,"serverEnrollmentProfile", serverEnrollmentProfile);
+            field_from_json(Obj,"clientEnrollmentProfile", clientEnrollmentProfile);
+            field_from_json(Obj,"organization", organization);
+            field_from_json(Obj,"created", created);
+            field_from_json(Obj,"modified", modified);
+            field_from_json(Obj,"suspended", suspended);
+            field_from_json(Obj,"deleted", deleted);
+            field_from_json(Obj,"notes", notes);
+            return true;
+        } catch (...) {
+        }
+        return false;
+    }
+
+    void BatchEntry::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"id", id);
+        field_to_json(Obj,"entity", entity);
+        field_to_json(Obj,"creator", creator);
+        field_to_json(Obj,"name", name);
+        field_to_json(Obj,"description", description);
+        field_to_json(Obj,"manufacturer", manufacturer);
+        field_to_json(Obj,"model", model);
+        field_to_json(Obj,"redirector", redirector);
+        field_to_json(Obj,"commonNames", commonNames);
+        field_to_json(Obj,"jobHistory", jobHistory);
+        field_to_json(Obj,"notes", notes);
+        field_to_json(Obj,"submitted", submitted);
+        field_to_json(Obj,"started", started);
+        field_to_json(Obj,"completed", completed);
+        field_to_json(Obj,"modified", modified);
+    }
+
+    bool BatchEntry::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"id", id);
+            field_from_json(Obj,"entity", entity);
+            field_from_json(Obj,"creator", creator);
+            field_from_json(Obj,"name", name);
+            field_from_json(Obj,"description", description);
+            field_from_json(Obj,"manufacturer", manufacturer);
+            field_from_json(Obj,"model", model);
+            field_from_json(Obj,"redirector", redirector);
+            field_from_json(Obj,"commonNames", commonNames);
+            field_from_json(Obj,"jobHistory", jobHistory);
+            field_from_json(Obj,"notes", notes);
+            field_from_json(Obj,"submitted", submitted);
+            field_from_json(Obj,"started", started);
+            field_from_json(Obj,"completed", completed);
+            field_from_json(Obj,"modified", modified);
+            return true;
+        } catch (...) {
+        }
+        return false;
+    }
+
+    void JobEntry::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"id", id);
+        field_to_json(Obj,"entity", entity);
+        field_to_json(Obj,"creator", creator);
+        field_to_json(Obj,"batch", batch);
+        field_to_json(Obj,"commonNames", commonNames);
+        field_to_json(Obj,"completedNames", completedNames);
+        field_to_json(Obj,"errorNames", errorNames);
+        field_to_json(Obj,"status", status);
+        field_to_json(Obj,"command", command);
+        field_to_json(Obj,"parameters", parameters);
+        field_to_json(Obj,"submitted", submitted);
+        field_to_json(Obj,"started", started);
+        field_to_json(Obj,"completed", completed);
+        field_to_json(Obj,"requesterUsername", requesterUsername);
+    }
+
+    bool JobEntry::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"id", id);
+            field_from_json(Obj,"entity", entity);
+            field_from_json(Obj,"creator", creator);
+            field_from_json(Obj,"batch", batch);
+            field_from_json(Obj,"commonNames", commonNames);
+            field_from_json(Obj,"completedNames", completedNames);
+            field_from_json(Obj,"errorNames", errorNames);
+            field_from_json(Obj,"status", status);
+            field_from_json(Obj,"command", command);
+            field_from_json(Obj,"parameters", parameters);
+            field_from_json(Obj,"submitted", submitted);
+            field_from_json(Obj,"started", started);
+            field_from_json(Obj,"completed", completed);
+            field_from_json(Obj,"requesterUsername", requesterUsername);
+            return true;
+        } catch (...) {
+        }
+        return false;
+    }
+
+    void DashBoardYearlyStats::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj, "year", year);
+        field_to_json(Obj, "activeCerts", activeCerts);
+        field_to_json(Obj, "revokedCerts", revokedCerts);
+    }
+
+    void Dashboard::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"snapshot", snapshot);
+        field_to_json(Obj,"numberOfIssuedCerts", numberOfIssuedCerts);
+        field_to_json(Obj,"numberOfRevokedCerts", numberOfRevokedCerts);
+        field_to_json(Obj,"activeCertsPerOrganization", activeCertsPerOrganization);
+        field_to_json(Obj,"revokedCertsPerOrganization", revokedCertsPerOrganization);
+        field_to_json(Obj,"numberOfRedirectors", numberOfRedirectors);
+        field_to_json(Obj,"deviceTypes", deviceTypes);
+        field_to_json(Obj,"monthlyNumberOfCerts", monthlyNumberOfCerts);
+        field_to_json(Obj,"monthlyNumberOfCertsPerOrgPerYear", monthlyNumberOfCertsPerOrgPerYear);
+    }
+
+    void Dashboard::reset() {
+        snapshot=0;
+        numberOfRevokedCerts = numberOfIssuedCerts = 0;
+        activeCertsPerOrganization.clear();
+        revokedCertsPerOrganization.clear();
+        numberOfRedirectors.clear();
+        deviceTypes.clear();
+        monthlyNumberOfCerts.clear();
+        monthlyNumberOfCertsPerOrgPerYear.clear();
+    }
+}
--- a/src/RESTObjects/RESTAPI_CertObjects.h
+++ b/src/RESTObjects/RESTAPI_CertObjects.h
@@ -0,0 +1,123 @@
+//
+// Created by stephane bourque on 2021-12-07.
+//
+
+#pragma once
+
+#include <string>
+#include "framework/OpenWifiTypes.h"
+#include "RESTObjects/RESTAPI_SecurityObjects.h"
+
+namespace OpenWifi::CertObjects {
+
+    struct CertificateEntry {
+        OpenWifi::Types::UUID_t         id;
+        OpenWifi::Types::UUID_t         entity;
+        OpenWifi::Types::UUID_t         creator;
+        std::string                     type;
+        std::string                     status;
+        std::string                     certificate;
+        std::string                     key;
+        std::string                     devid;
+        std::string                     cas;
+        std::string                     manufacturer;
+        std::string                     model;
+        std::string                     redirector;
+        std::string                     commonName;
+        std::string                     certificateId;
+        OpenWifi::Types::UUID_t         batch;
+        uint64_t                        created = 0;
+        uint64_t                        modified = 0;
+        uint64_t                        revoked = 0;
+        uint64_t                        revokeCount = 0;
+        uint64_t                        synched = 0;
+
+        void to_json(Poco::JSON::Object &Obj) const;
+        bool from_json(const Poco::JSON::Object::Ptr &Obj);
+    };
+
+    struct EntityEntry {
+        OpenWifi::Types::UUID_t         id;
+        OpenWifi::Types::UUID_t         creator;
+        std::string                     name;
+        std::string                     description;
+        std::string                     defaultRedirector;
+        std::string                     apiKey;
+        std::string                     serverEnrollmentProfile;
+        std::string                     clientEnrollmentProfile;
+        std::string                     organization;
+        SecurityObjects::NoteInfoVec    notes;
+        bool                            suspended=false;
+        bool                            deleted=false;
+        uint64_t                        created = 0 ;
+        uint64_t                        modified = 0 ;
+
+        void to_json(Poco::JSON::Object &Obj) const;
+        bool from_json(const Poco::JSON::Object::Ptr &Obj);
+    };
+
+    struct BatchEntry {
+        OpenWifi::Types::UUID_t         id;
+        OpenWifi::Types::UUID_t         entity;
+        OpenWifi::Types::UUID_t         creator;
+        std::string                     name;
+        std::string                     description;
+        std::string                     manufacturer;
+        std::string                     model;
+        std::string                     redirector;
+        std::vector<std::string>        commonNames;
+        std::vector<std::string>        jobHistory;
+        SecurityObjects::NoteInfoVec    notes;
+        uint64_t                        submitted = 0 ;
+        uint64_t                        started = 0 ;
+        uint64_t                        completed = 0 ;
+        uint64_t                        modified = 0 ;
+
+        void to_json(Poco::JSON::Object &Obj) const;
+        bool from_json(const Poco::JSON::Object::Ptr &Obj);
+    };
+
+    struct JobEntry {
+        OpenWifi::Types::UUID_t         id;
+        OpenWifi::Types::UUID_t         entity;
+        OpenWifi::Types::UUID_t         creator;
+        OpenWifi::Types::UUID_t         batch;
+        std::string                     command;
+        OpenWifi::Types::StringVec      commonNames;
+        OpenWifi::Types::StringVec      completedNames;
+        OpenWifi::Types::StringVec      errorNames;
+        Types::StringPairVec            parameters;
+        std::string                     status;
+        uint64_t                        submitted=0;
+        uint64_t                        started=0;
+        uint64_t                        completed=0;
+        std::string                     requesterUsername;
+
+        void to_json(Poco::JSON::Object &Obj) const;
+        bool from_json(const Poco::JSON::Object::Ptr &Obj);
+    };
+
+    struct DashBoardYearlyStats {
+        uint64_t                            year=0;
+        OpenWifi::Types::Counted3DMapSII    activeCerts;
+        OpenWifi::Types::Counted3DMapSII    revokedCerts;
+
+        void to_json(Poco::JSON::Object &Obj) const;
+    };
+
+    struct Dashboard {
+        uint64_t                            snapshot=0;
+        uint64_t                            numberOfIssuedCerts=0;
+        uint64_t                            numberOfRevokedCerts=0;
+        OpenWifi::Types::CountedMap         activeCertsPerOrganization;
+        OpenWifi::Types::CountedMap         revokedCertsPerOrganization;
+        OpenWifi::Types::CountedMap         numberOfRedirectors;
+        OpenWifi::Types::CountedMap         deviceTypes;
+        OpenWifi::Types::CountedMap         monthlyNumberOfCerts;
+        std::vector<DashBoardYearlyStats>   monthlyNumberOfCertsPerOrgPerYear;
+
+        void to_json(Poco::JSON::Object &Obj) const;
+        void reset();
+    };
+
+}
--- a/src/RESTObjects/RESTAPI_FMSObjects.cpp
+++ b/src/RESTObjects/RESTAPI_FMSObjects.cpp
@@ -3,7 +3,8 @@
 //

 #include "RESTAPI_FMSObjects.h"
-#include "framework/MicroService.h"
+#include "framework/RESTAPI_utils.h"
+#include "framework/utils.h"

 using OpenWifi::RESTAPI_utils::field_to_json;
 using OpenWifi::RESTAPI_utils::field_from_json;
@@ -233,10 +234,10 @@ namespace OpenWifi::FMSObjects {
        UnknownFirmwares_.clear();
        totalSecondsOld_.clear();
        numberOfDevices = 0 ;
-        snapshot = std::time(nullptr);
+        snapshot = Utils::Now();
    }

-    bool DeviceReport::from_json(const Poco::JSON::Object::Ptr &Obj) {
+    bool DeviceReport::from_json([[maybe_unused]] const Poco::JSON::Object::Ptr &Obj) {
        try {

            return true;
@@ -245,4 +246,65 @@ namespace OpenWifi::FMSObjects {
        }
        return false;
    }
+
+    void DeviceInformation::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj, "serialNumber",serialNumber);
+        field_to_json(Obj, "history", history);
+        field_to_json(Obj, "currentFirmware", currentFirmware);
+        field_to_json(Obj, "currentFirmwareDate", currentFirmwareDate);
+        field_to_json(Obj, "latestFirmware", latestFirmware);
+        field_to_json(Obj, "latestFirmwareDate", latestFirmwareDate);
+        field_to_json(Obj, "latestFirmwareAvailable",latestFirmwareAvailable);
+        field_to_json(Obj, "latestFirmwareURI",latestFirmwareURI);
+    }
+
+    bool DeviceInformation::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj, "serialNumber",serialNumber);
+            field_from_json(Obj, "history", history);
+            field_from_json(Obj, "currentFirmware", currentFirmware);
+            field_from_json(Obj, "currentFirmwareDate", currentFirmwareDate);
+            field_from_json(Obj, "latestFirmware", latestFirmware);
+            field_from_json(Obj, "latestFirmwareDate", latestFirmwareDate);
+            field_from_json(Obj, "latestFirmwareAvailable",latestFirmwareAvailable);
+            field_from_json(Obj, "latestFirmwareURI",latestFirmwareURI);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void DeviceCurrentInfo::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj, "serialNumber",serialNumber);
+        field_to_json(Obj, "revision", revision);
+        field_to_json(Obj, "upgraded", upgraded);
+    }
+
+    bool DeviceCurrentInfo::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj, "serialNumber",serialNumber);
+            field_from_json(Obj, "revision", revision);
+            field_from_json(Obj, "upgraded", upgraded);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void DeviceCurrentInfoList::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj, "devices",devices);
+    }
+
+    bool DeviceCurrentInfoList::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj, "devices",devices);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
 }
--- a/src/RESTObjects/RESTAPI_FMSObjects.h
+++ b/src/RESTObjects/RESTAPI_FMSObjects.h
@@ -4,9 +4,7 @@

 #include <string>

-#ifndef UCENTRALFMS_RESTAPI_FMSOBJECTS_H
-#define UCENTRALFMS_RESTAPI_FMSOBJECTS_H
-
+#pragma once

 #include "RESTAPI_SecurityObjects.h"
 #include "framework/OpenWifiTypes.h"
@@ -127,7 +125,35 @@ namespace OpenWifi::FMSObjects {
        void reset();
        bool from_json(const Poco::JSON::Object::Ptr &Obj);
    };
+
+    struct DeviceInformation {
+        std::string                 serialNumber;
+        RevisionHistoryEntryList    history;
+        std::string                 currentFirmware;
+        uint64_t                    currentFirmwareDate=0;
+        std::string                 latestFirmware;
+        uint64_t                    latestFirmwareDate=0;
+        bool                        latestFirmwareAvailable;
+        std::string                 latestFirmwareURI;
+
+        void to_json(Poco::JSON::Object &Obj) const;
+        bool from_json(const Poco::JSON::Object::Ptr &Obj);
+    };
+
+    struct DeviceCurrentInfo {
+        std::string                 serialNumber;
+        std::string                 revision;
+        uint64_t                    upgraded=0;
+
+        void to_json(Poco::JSON::Object &Obj) const;
+        bool from_json(const Poco::JSON::Object::Ptr &Obj);
+    };
+
+    struct DeviceCurrentInfoList {
+        std::vector<DeviceCurrentInfo>  devices;
+
+        void to_json(Poco::JSON::Object &Obj) const;
+        bool from_json(const Poco::JSON::Object::Ptr &Obj);
+    };
+
 }
-
-
-#endif //UCENTRALFMS_RESTAPI_FMSOBJECTS_H
--- a/src/RESTObjects/RESTAPI_GWobjects.cpp
+++ b/src/RESTObjects/RESTAPI_GWobjects.cpp
@@ -11,11 +11,13 @@

 #include "Daemon.h"
 #ifdef	TIP_GATEWAY_SERVICE
-#include "DeviceRegistry.h"
+#include "AP_WS_Server.h"
+#include "CapabilitiesCache.h"
 #endif

 #include "RESTAPI_GWobjects.h"
-#include "framework/MicroService.h"
+#include "framework/RESTAPI_utils.h"
+#include "framework/utils.h"

 using OpenWifi::RESTAPI_utils::field_to_json;
 using OpenWifi::RESTAPI_utils::field_from_json;
@@ -26,7 +28,7 @@ namespace OpenWifi::GWObjects {
 	void Device::to_json(Poco::JSON::Object &Obj) const {
 		field_to_json(Obj,"serialNumber", SerialNumber);
 #ifdef TIP_GATEWAY_SERVICE
-		field_to_json(Obj,"deviceType", Daemon::instance()->IdentifyDevice(Compatible));
+		field_to_json(Obj,"deviceType", CapabilitiesCache::instance()->GetPlatform(Compatible));
 #endif
 		field_to_json(Obj,"macAddress", MACAddress);
 		field_to_json(Obj,"manufacturer", Manufacturer);
@@ -44,6 +46,14 @@ namespace OpenWifi::GWObjects {
 		field_to_json(Obj,"compatible", Compatible);
 		field_to_json(Obj,"fwUpdatePolicy", FWUpdatePolicy);
 		field_to_json(Obj,"devicePassword", DevicePassword);
+		field_to_json(Obj,"subscriber", subscriber);
+		field_to_json(Obj,"entity", entity);
+		field_to_json(Obj,"modified", modified);
+		field_to_json(Obj,"locale", locale);
+		field_to_json(Obj,"restrictedDevice", restrictedDevice);
+		field_to_json(Obj,"pendingConfiguration", pendingConfiguration);
+		field_to_json(Obj,"pendingConfigurationCmd", pendingConfigurationCmd);
+		field_to_json(Obj,"restrictionDetails", restrictionDetails);
 	}

 	void Device::to_json_with_status(Poco::JSON::Object &Obj) const {
@@ -52,7 +62,7 @@ namespace OpenWifi::GWObjects {
 #ifdef TIP_GATEWAY_SERVICE
 		ConnectionState ConState;

-		if (DeviceRegistry()->GetState(SerialNumber, ConState)) {
+		if (AP_WS_Server()->GetState(SerialNumber, ConState)) {
 			ConState.to_json(Obj);
 		} else {
 			field_to_json(Obj,"ipAddress", "");
@@ -64,11 +74,12 @@ namespace OpenWifi::GWObjects {
 			field_to_json(Obj,"verifiedCertificate", "NO_CERTIFICATE");
 			field_to_json(Obj,"associations_2G", (uint64_t) 0);
 			field_to_json(Obj,"associations_5G", (uint64_t) 0);
+			field_to_json(Obj,"associations_6G", (uint64_t) 0);
 		}
 #endif
 	}

-	bool Device::from_json(Poco::JSON::Object::Ptr Obj) {
+	bool Device::from_json(const Poco::JSON::Object::Ptr &Obj) {
 		try {
 			field_from_json(Obj,"serialNumber",SerialNumber);
 			field_from_json(Obj,"deviceType",DeviceType);
@@ -80,6 +91,13 @@ namespace OpenWifi::GWObjects {
 			field_from_json(Obj,"location",Location);
 			field_from_json(Obj,"venue",Venue);
 			field_from_json(Obj,"compatible",Compatible);
+			field_from_json(Obj,"subscriber", subscriber);
+			field_from_json(Obj,"entity", entity);
+			field_from_json(Obj,"locale", locale);
+			field_from_json(Obj,"restrictedDevice", restrictedDevice);
+			field_from_json(Obj,"pendingConfiguration", pendingConfiguration);
+			field_from_json(Obj,"pendingConfigurationCmd", pendingConfigurationCmd);
+			field_from_json(Obj,"restrictionDetails", restrictionDetails);
 			return true;
 		} catch (const Poco::Exception &E) {
 		}
@@ -145,9 +163,10 @@ namespace OpenWifi::GWObjects {
 		field_to_json(Obj,"custom", Custom);
 		field_to_json(Obj,"waitingForFile", WaitingForFile);
 		field_to_json(Obj,"attachFile", AttachDate);
+		field_to_json(Obj,"executionTime", executionTime);
 	}

-	bool DefaultConfiguration::from_json(Poco::JSON::Object::Ptr Obj) {
+	bool DefaultConfiguration::from_json(const Poco::JSON::Object::Ptr &Obj) {
 		try {
 			field_from_json(Obj,"name",Name);
 			field_from_json(Obj,"configuration",Configuration);
@@ -166,7 +185,7 @@ namespace OpenWifi::GWObjects {
 		field_to_json(Obj,"created", created);
 	}

-	bool BlackListedDevice::from_json(Poco::JSON::Object::Ptr Obj) {
+	bool BlackListedDevice::from_json(const Poco::JSON::Object::Ptr &Obj) {
 		try {
 			field_from_json(Obj,"serialNumber",serialNumber);
 			field_from_json(Obj,"author",author);
@@ -179,7 +198,6 @@ namespace OpenWifi::GWObjects {
 	}

 	void ConnectionState::to_json(Poco::JSON::Object &Obj) const {
-		field_to_json(Obj,"serialNumber", SerialNumber);
 		field_to_json(Obj,"ipAddress", Address);
 		field_to_json(Obj,"txBytes", TX);
 		field_to_json(Obj,"rxBytes", RX);
@@ -190,6 +208,17 @@ namespace OpenWifi::GWObjects {
 		field_to_json(Obj,"lastContact", LastContact);
 		field_to_json(Obj,"associations_2G", Associations_2G);
 		field_to_json(Obj,"associations_5G", Associations_5G);
+		field_to_json(Obj,"associations_6G", Associations_6G);
+		field_to_json(Obj,"webSocketClients", webSocketClients);
+		field_to_json(Obj,"websocketPackets", websocketPackets);
+		field_to_json(Obj,"kafkaClients", kafkaClients);
+		field_to_json(Obj,"kafkaPackets", kafkaPackets);
+		field_to_json(Obj,"locale", locale);
+		field_to_json(Obj,"started", started);
+		field_to_json(Obj,"sessionId", sessionId);
+		field_to_json(Obj,"connectionCompletionTime", connectionCompletionTime);
+		field_to_json(Obj,"totalConnectionTime", Utils::Now() - started);
+		field_to_json(Obj,"certificateExpiryDate", certificateExpiryDate);

 		switch(VerifiedCertificate) {
 			case NO_CERTIFICATE:
@@ -205,6 +234,23 @@ namespace OpenWifi::GWObjects {
 		}
 	}

+	void DeviceConnectionStatistics::to_json(Poco::JSON::Object &Obj) const {
+		field_to_json(Obj,"averageConnectionTime", averageConnectionTime);
+		field_to_json(Obj,"connectedDevices", connectedDevices );
+		field_to_json(Obj,"connectingDevices", connectingDevices );
+	}
+
+	bool DeviceConnectionStatistics::from_json(const Poco::JSON::Object::Ptr &Obj) {
+		try {
+			field_from_json(Obj,"averageConnectionTime", averageConnectionTime);
+			field_from_json(Obj,"connectedDevices", connectedDevices );
+			field_from_json(Obj,"connectingDevices", connectingDevices );
+			return true;
+		} catch (const Poco::Exception &E) {
+		}
+		return false;
+	}
+
 	void RttySessionDetails::to_json(Poco::JSON::Object &Obj) const {
 		field_to_json(Obj,"serialNumber", SerialNumber);
 		field_to_json(Obj,"server", Server);
@@ -251,7 +297,7 @@ namespace OpenWifi::GWObjects {
 		lastContact.clear();
 		associations.clear();
 		numberOfDevices = 0 ;
-		snapshot = std::time(nullptr);
+		snapshot = Utils::Now();
 	}

 	void CapabilitiesModel::to_json(Poco::JSON::Object &Obj) const{
@@ -259,5 +305,243 @@ namespace OpenWifi::GWObjects {
 		field_to_json(Obj,"capabilities", capabilities);
 	};

+	void ScriptRequest::to_json(Poco::JSON::Object &Obj) const {
+		field_to_json(Obj,"serialNumber",serialNumber);
+		field_to_json(Obj,"timeout",timeout);
+		field_to_json(Obj,"type",type);
+		field_to_json(Obj,"scriptId",scriptId);
+		field_to_json(Obj,"script",script);
+		field_to_json(Obj,"when",when);
+		field_to_json(Obj,"signature", signature);
+		field_to_json(Obj,"deferred", deferred);
+		field_to_json(Obj,"uri", uri);
+	}
+
+	bool ScriptRequest::from_json(const Poco::JSON::Object::Ptr &Obj) {
+		try {
+			field_from_json(Obj,"serialNumber",serialNumber);
+			field_from_json(Obj,"timeout",timeout);
+			field_from_json(Obj,"type",type);
+			field_from_json(Obj,"script",script);
+			field_from_json(Obj,"scriptId",scriptId);
+			field_from_json(Obj,"when",when);
+			field_from_json(Obj,"signature", signature);
+			field_from_json(Obj,"deferred", deferred);
+			field_from_json(Obj,"uri", uri);
+			return true;
+		} catch (const Poco::Exception &E) {
+		}
+		return false;
+	}
+
+	void RadiusProxyPoolList::to_json(Poco::JSON::Object &Obj) const {
+		field_to_json(Obj,"pools",pools);
+	}
+
+	bool RadiusProxyPoolList::from_json(const Poco::JSON::Object::Ptr &Obj) {
+		try {
+			field_from_json(Obj,"pools",pools);
+			return true;
+		} catch (const Poco::Exception &E) {
+		}
+		return false;
+	}
+
+	void RadiusProxyPool::to_json(Poco::JSON::Object &Obj) const {
+		field_to_json(Obj,"name",name);
+		field_to_json(Obj,"description",description);
+		field_to_json(Obj,"authConfig",authConfig);
+		field_to_json(Obj,"acctConfig",acctConfig);
+		field_to_json(Obj,"coaConfig",coaConfig);
+		field_to_json(Obj,"useByDefault",useByDefault);
+	}
+
+	bool RadiusProxyPool::from_json(const Poco::JSON::Object::Ptr &Obj) {
+		try {
+			field_from_json(Obj,"name",name);
+			field_from_json(Obj,"description",description);
+			field_from_json(Obj,"authConfig",authConfig);
+			field_from_json(Obj,"acctConfig",acctConfig);
+			field_from_json(Obj,"coaConfig",coaConfig);
+			field_from_json(Obj,"useByDefault",useByDefault);
+			return true;
+		} catch (const Poco::Exception &E) {
+		}
+		return false;
+	}
+
+	void RadiusProxyServerConfig::to_json(Poco::JSON::Object &Obj) const {
+		field_to_json(Obj,"strategy",strategy);
+		field_to_json(Obj,"monitor",monitor);
+		field_to_json(Obj,"monitorMethod",monitorMethod);
+		field_to_json(Obj,"methodParameters",methodParameters);
+		field_to_json(Obj,"servers",servers);
+	}
+
+	bool RadiusProxyServerConfig::from_json(const Poco::JSON::Object::Ptr &Obj) {
+		try {
+			field_from_json(Obj,"strategy",strategy);
+			field_from_json(Obj,"monitor",monitor);
+			field_from_json(Obj,"monitorMethod",monitorMethod);
+			field_from_json(Obj,"methodParameters",methodParameters);
+			field_from_json(Obj,"servers",servers);
+			return true;
+		} catch (const Poco::Exception &E) {
+		}
+		return false;
+	}
+
+	void RadiusProxyServerEntry::to_json(Poco::JSON::Object &Obj) const {
+		field_to_json(Obj,"name",name);
+		field_to_json(Obj,"ip",ip);
+		field_to_json(Obj,"port",port);
+		field_to_json(Obj,"weight",weight);
+		field_to_json(Obj,"secret",secret);
+		field_to_json(Obj,"certificate",certificate);
+		field_to_json(Obj,"radsec",radsec);
+		field_to_json(Obj,"allowSelfSigned",allowSelfSigned);
+		field_to_json(Obj,"radsecPort",radsecPort);
+		field_to_json(Obj,"radsecSecret",radsecSecret);
+		field_to_json(Obj,"radsecCacerts",radsecCacerts);
+		field_to_json(Obj,"radsecCert",radsecCert);
+		field_to_json(Obj,"radsecKey",radsecKey);
+		field_to_json(Obj,"radsecRealms",radsecRealms);
+		field_to_json(Obj,"ignore",ignore);
+	}
+
+	bool RadiusProxyServerEntry::from_json(const Poco::JSON::Object::Ptr &Obj) {
+		try {
+			field_from_json(Obj,"name",name);
+			field_from_json(Obj,"ip",ip);
+			field_from_json(Obj,"port",port);
+			field_from_json(Obj,"weight",weight);
+			field_from_json(Obj,"secret",secret);
+			field_from_json(Obj,"certificate",certificate);
+			field_from_json(Obj,"radsec",radsec);
+			field_from_json(Obj,"allowSelfSigned",allowSelfSigned);
+			field_from_json(Obj,"radsecSecret",radsecSecret);
+			field_from_json(Obj,"radsecPort",radsecPort);
+			field_from_json(Obj,"radsecCacerts",radsecCacerts);
+			field_from_json(Obj,"radsecCert",radsecCert);
+			field_from_json(Obj,"radsecKey",radsecKey);
+			field_from_json(Obj,"radsecRealms",radsecRealms);
+			field_from_json(Obj,"ignore",ignore);
+			return true;
+		} catch (const Poco::Exception &E) {
+		}
+		return false;
+	}
+
+	void ScriptEntry::to_json(Poco::JSON::Object &Obj) const {
+		field_to_json(Obj,"id", id);
+		field_to_json(Obj,"name", name);
+		field_to_json(Obj,"description", description);
+		field_to_json(Obj,"uri", uri);
+		field_to_json(Obj,"content", content);
+		field_to_json(Obj,"version", version);
+		field_to_json(Obj,"type", type);
+		field_to_json(Obj,"created", created);
+		field_to_json(Obj,"modified", modified);
+		field_to_json(Obj,"author", author);
+		field_to_json(Obj,"restricted", restricted);
+		field_to_json(Obj,"deferred", deferred);
+		field_to_json(Obj,"timeout", timeout);
+		field_to_json(Obj,"defaultUploadURI", defaultUploadURI);
+	}
+
+	bool ScriptEntry::from_json(const Poco::JSON::Object::Ptr &Obj) {
+		try {
+			field_from_json(Obj,"id", id);
+			field_from_json(Obj,"name", name);
+			field_from_json(Obj,"description", description);
+			field_from_json(Obj,"uri", uri);
+			field_from_json(Obj,"content", content);
+			field_from_json(Obj,"version", version);
+			field_from_json(Obj,"type", type);
+			field_from_json(Obj,"created", created);
+			field_from_json(Obj,"modified", modified);
+			field_from_json(Obj,"author", author);
+			field_from_json(Obj,"restricted", restricted);
+			field_from_json(Obj,"deferred", deferred);
+			field_from_json(Obj,"timeout", timeout);
+			field_from_json(Obj,"defaultUploadURI", defaultUploadURI);
+			return true;
+		} catch (const Poco::Exception &E) {
+		}
+		return false;
+	}
+
+	void ScriptEntryList::to_json(Poco::JSON::Object &Obj) const {
+		field_to_json(Obj,"scripts",scripts);
+	}
+
+	bool ScriptEntryList::from_json(const Poco::JSON::Object::Ptr &Obj) {
+		try {
+			field_from_json(Obj,"scripts",scripts);
+			return true;
+		} catch (const Poco::Exception &E) {
+		}
+		return false;
+	}
+
+	void DeviceRestrictionsKeyInfo::to_json(Poco::JSON::Object &Obj) const {
+		field_to_json(Obj,"vendor", vendor);
+		field_to_json(Obj,"algo", algo);
+	}
+
+	bool DeviceRestrictionsKeyInfo::from_json(const Poco::JSON::Object::Ptr &Obj) {
+		try {
+			field_from_json(Obj,"vendor", vendor);
+			field_from_json(Obj,"algo", algo);
+			return true;
+		} catch (const Poco::Exception &E) {
+		}
+		return false;
+
+	}
+
+	void DeviceRestrictions::to_json(Poco::JSON::Object &Obj) const {
+		field_to_json(Obj,"dfs", dfs);
+		field_to_json(Obj,"ssh", ssh);
+		field_to_json(Obj,"rtty", rtty);
+		field_to_json(Obj,"tty", tty);
+		field_to_json(Obj,"developer", developer);
+		field_to_json(Obj,"upgrade", upgrade);
+		field_to_json(Obj,"commands", commands);
+		field_to_json(Obj,"country", country);
+		field_to_json(Obj,"key_info", key_info);
+	}
+
+	bool DeviceRestrictions::from_json(const Poco::JSON::Object::Ptr &Obj) {
+		try {
+			field_from_json(Obj,"dfs", dfs);
+			field_from_json(Obj,"ssh", ssh);
+			field_from_json(Obj,"rtty", rtty);
+			field_from_json(Obj,"tty", tty);
+			field_from_json(Obj,"developer", developer);
+			field_from_json(Obj,"upgrade", upgrade);
+			field_from_json(Obj,"commands", commands);
+			field_from_json(Obj,"country", country);
+			field_from_json(Obj,"key_info", key_info);
+			return true;
+		} catch (const Poco::Exception &E) {
+		}
+		return false;
+	}
+
+	bool DeviceRestrictionsKeyInfo::operator!=(const OpenWifi::GWObjects::DeviceRestrictionsKeyInfo &T) const {
+		return (T.algo!=algo) || (T.vendor!=vendor);
+	}
+
+	bool DeviceRestrictions::operator!=(const OpenWifi::GWObjects::DeviceRestrictions &T) const {
+		return (	(T.dfs!=dfs)					||
+					(T.rtty!=rtty)					||
+					(T.upgrade!=upgrade)		||
+					(T.commands != commands)		||
+					(T.developer != developer)		||
+					(T.ssh !=ssh) 					||
+					(T.key_info != key_info)		||
+					(T.country != country) );
+	}
 }

--- a/src/RESTObjects/RESTAPI_GWobjects.h
+++ b/src/RESTObjects/RESTAPI_GWobjects.h
@@ -6,8 +6,7 @@
 //	Arilia Wireless Inc.
 //

-#ifndef UCENTRAL_RESTAPI_OBJECTS_H
-#define UCENTRAL_RESTAPI_OBJECTS_H
+#pragma once

 #include "Poco/JSON/Object.h"
 #include "RESTAPI_SecurityObjects.h"
@@ -23,21 +22,58 @@ namespace OpenWifi::GWObjects {

 	struct ConnectionState {
 		uint64_t MessageCount = 0 ;
-		std::string SerialNumber;
 		std::string Address;
 		uint64_t UUID = 0 ;
 		uint64_t PendingUUID = 0 ;
 		uint64_t TX = 0, RX = 0;
 		uint64_t Associations_2G=0;
 		uint64_t Associations_5G=0;
+		uint64_t Associations_6G=0;
 		bool Connected = false;
 		uint64_t LastContact=0;
 		std::string Firmware;
 		CertificateValidation VerifiedCertificate = NO_CERTIFICATE;
-		std::string Compatible;
+		std::string 	Compatible;
+		uint64_t 		kafkaClients=0;
+		uint64_t 		webSocketClients=0;
+		uint64_t 		kafkaPackets=0;
+		uint64_t 		websocketPackets=0;
+		std::string 	locale;
+		uint64_t 		started=0;
+		uint64_t 		sessionId=0;
+		double      	connectionCompletionTime=0.0;
+		std::uint64_t	certificateExpiryDate=0;
+
 		void to_json(Poco::JSON::Object &Obj) const;
 	};

+	struct DeviceRestrictionsKeyInfo {
+		std::string 	vendor;
+		std::string 	algo;
+
+		bool operator !=(const DeviceRestrictionsKeyInfo &b) const;
+
+		void to_json(Poco::JSON::Object &Obj) const;
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
+	};
+
+	struct DeviceRestrictions {
+		bool    					dfs = false;
+		bool    					ssh = false;
+		bool    					rtty = false;
+		bool    					tty = false;
+		bool    					developer = false;
+		bool    					upgrade = false;
+		bool    					commands = false;
+		std::vector<std::string>   	country;
+		DeviceRestrictionsKeyInfo	key_info;
+
+		bool operator !=(const DeviceRestrictions &D) const;
+
+		void to_json(Poco::JSON::Object &Obj) const;
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
+	};
+
 	struct Device {
 		std::string SerialNumber;
 		std::string DeviceType;
@@ -50,40 +86,58 @@ namespace OpenWifi::GWObjects {
 		std::string Firmware;
 		std::string Compatible;
 		std::string FWUpdatePolicy;
-		uint64_t UUID;
-		uint64_t CreationTimestamp;
-		uint64_t LastConfigurationChange;
-		uint64_t LastConfigurationDownload;
-		uint64_t LastFWUpdate;
+		uint64_t UUID = 0 ;
+		uint64_t CreationTimestamp = 0 ;
+		uint64_t LastConfigurationChange = 0 ;
+		uint64_t LastConfigurationDownload = 0 ;
+		uint64_t LastFWUpdate = 0 ;
 		std::string Venue;
 		std::string DevicePassword;
+		std::string subscriber;
+		std::string entity;
+		uint64_t 	modified=0;
+		std::string locale;
+		bool 		restrictedDevice=false;
+		std::string pendingConfiguration;
+		std::string pendingConfigurationCmd;
+		DeviceRestrictions	restrictionDetails;
+
 		void to_json(Poco::JSON::Object &Obj) const;
 		void to_json_with_status(Poco::JSON::Object &Obj) const;
-		bool from_json(Poco::JSON::Object::Ptr Obj);
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
 		void Print() const;
 	};

+	struct DeviceConnectionStatistics {
+		std::uint64_t connectedDevices = 0;
+		std::uint64_t averageConnectionTime = 0;
+		std::uint64_t connectingDevices = 0;
+
+		void to_json(Poco::JSON::Object &Obj) const;
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
+	};
+
 	struct Statistics {
 		std::string SerialNumber;
-		uint64_t 	UUID;
+		uint64_t 	UUID = 0 ;
 		std::string Data;
-		uint64_t 	Recorded;
+		uint64_t 	Recorded = 0;
 		void to_json(Poco::JSON::Object &Obj) const;
 	};

 	struct HealthCheck {
 		std::string SerialNumber;
-		uint64_t 	UUID;
+		uint64_t 	UUID = 0 ;
 		std::string Data;
-		uint64_t 	Recorded;
-		uint64_t 	Sanity;
+		uint64_t 	Recorded = 0 ;
+		uint64_t 	Sanity = 0 ;
 		void to_json(Poco::JSON::Object &Obj) const;
 	};

 	struct Capabilities {
 		std::string Capabilities;
-		uint64_t 	FirstUpdate;
-		uint64_t 	LastUpdate;
+		uint64_t 	FirstUpdate = 0 ;
+		uint64_t 	LastUpdate = 0 ;
 		void 		to_json(Poco::JSON::Object &Obj) const;
 	};

@@ -101,22 +155,22 @@ namespace OpenWifi::GWObjects {
 		std::string SerialNumber;
 		std::string Log;
 		std::string Data;
-		uint64_t 	Severity;
-		uint64_t 	Recorded;
-		uint64_t 	LogType;
-		uint64_t 	UUID;
+		uint64_t 	Severity = 0 ;
+		uint64_t 	Recorded = 0 ;
+		uint64_t 	LogType = 0 ;
+		uint64_t 	UUID = 0 ;
 		void 		to_json(Poco::JSON::Object &Obj) const;
 	};

 	struct DefaultConfiguration {
 		std::string Name;
 		std::string Configuration;
-		std::string Models;
+		Types::StringVec Models;
 		std::string Description;
 		uint64_t 	Created;
 		uint64_t 	LastModified;
 		void 		to_json(Poco::JSON::Object &Obj) const;
-		bool 		from_json(Poco::JSON::Object::Ptr Obj);
+		bool 		from_json(const Poco::JSON::Object::Ptr &Obj);
 	};

 	struct CommandDetails {
@@ -138,6 +192,7 @@ namespace OpenWifi::GWObjects {
 		uint64_t AttachDate = 0 ;
 		uint64_t AttachSize = 0 ;
 		std::string AttachType;
+		double 		executionTime = 0.0;
 		void to_json(Poco::JSON::Object &Obj) const;
 	};

@@ -147,26 +202,26 @@ namespace OpenWifi::GWObjects {
 		std::string author;
 		uint64_t created;
 		void to_json(Poco::JSON::Object &Obj) const;
-		bool from_json(Poco::JSON::Object::Ptr Obj);
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
 	};

 	struct RttySessionDetails {
 		std::string SerialNumber;
 		std::string Server;
-		uint64_t 	Port;
+		uint64_t 	Port = 0 ;
 		std::string Token;
-		uint64_t 	TimeOut;
+		uint64_t 	TimeOut = 0 ;
 		std::string ConnectionId;
-		uint64_t 	Started;
+		uint64_t 	Started = 0 ;
 		std::string CommandUUID;
-		uint64_t 	ViewPort;
+		uint64_t 	ViewPort = 0 ;
 		std::string DevicePassword;
 		void to_json(Poco::JSON::Object &Obj) const;
 	};

 	struct Dashboard {
-		uint64_t 		  snapshot;
-		uint64_t 		  numberOfDevices;
+		uint64_t 		  snapshot = 0 ;
+		uint64_t 		  numberOfDevices = 0 ;
 		Types::CountedMap commands;
 		Types::CountedMap upTimes;
 		Types::CountedMap memoryUsed;
@@ -190,6 +245,98 @@ namespace OpenWifi::GWObjects {

 		void to_json(Poco::JSON::Object &Obj) const;
 	};
-}

-#endif //UCENTRAL_RESTAPI_OBJECTS_H
+	struct ScriptEntry {
+		std::string 		id;
+		std::string 		name;
+		std::string 		description;
+		std::string 		uri;
+		std::string 		content;
+		std::string 		version;
+		std::string 		type;
+		std::uint64_t 		created;
+		std::uint64_t 		modified;
+		std::string 		author;
+		Types::StringVec 	restricted;
+		bool				deferred=false;
+		std::uint64_t 		timeout=30;
+		std::string 		defaultUploadURI;
+
+		void to_json(Poco::JSON::Object &Obj) const;
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
+	};
+
+	struct ScriptEntryList {
+		std::vector<ScriptEntry>	scripts;
+
+		void to_json(Poco::JSON::Object &Obj) const;
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
+	};
+
+	struct ScriptRequest {
+		std::string serialNumber;
+		uint64_t 	timeout=30;
+		std::string type;
+		std::string script;
+		std::string scriptId;
+		std::uint64_t when;
+		std::string signature;
+		bool deferred;
+		std::string uri;
+
+		void to_json(Poco::JSON::Object &Obj) const;
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
+	};
+
+	struct RadiusProxyServerEntry {
+		std::string name;
+		std::string ip;
+		uint16_t 	port=0;
+		uint64_t 	weight=0;
+		std::string secret;
+		std::string certificate;
+		bool 		radsec=false;
+		bool 		allowSelfSigned=false;
+		uint16_t 	radsecPort=2083;
+		std::string radsecSecret;
+		std::string radsecKey;
+		std::string radsecCert;
+		std::vector<std::string> 	radsecCacerts;
+		std::vector<std::string>	radsecRealms;
+		bool 		ignore=false;
+
+		void to_json(Poco::JSON::Object &Obj) const;
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
+	};
+
+	struct RadiusProxyServerConfig {
+		std::string 	strategy;
+		bool 			monitor=false;
+		std::string 	monitorMethod;
+		std::vector<std::string>	methodParameters;
+		std::vector<RadiusProxyServerEntry>	servers;
+
+		void to_json(Poco::JSON::Object &Obj) const;
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
+	};
+
+	struct 	RadiusProxyPool {
+		std::string name;
+		std::string description;
+		RadiusProxyServerConfig	authConfig;
+		RadiusProxyServerConfig	acctConfig;
+		RadiusProxyServerConfig	coaConfig;
+		bool 		useByDefault=false;
+
+		void to_json(Poco::JSON::Object &Obj) const;
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
+	};
+
+	struct RadiusProxyPoolList {
+		std::vector<RadiusProxyPool>	pools;
+
+		void to_json(Poco::JSON::Object &Obj) const;
+		bool from_json(const Poco::JSON::Object::Ptr &Obj);
+	};
+
+}
--- a/src/RESTObjects/RESTAPI_OWLSobjects.cpp
+++ b/src/RESTObjects/RESTAPI_OWLSobjects.cpp
@@ -0,0 +1,110 @@
+//
+// Created by stephane bourque on 2021-08-31.
+//
+
+#include "framework/RESTAPI_utils.h"
+
+using OpenWifi::RESTAPI_utils::field_to_json;
+using OpenWifi::RESTAPI_utils::field_from_json;
+using OpenWifi::RESTAPI_utils::EmbedDocument;
+
+#include "RESTAPI_OWLSobjects.h"
+
+// SIM -> 0x53/0x073, 0x49/0x69, 0x4d/0x6d
+
+namespace OpenWifi::OWLSObjects {
+
+    void SimulationDetails::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"id", id);
+        field_to_json(Obj,"name", name);
+        field_to_json(Obj,"gateway", gateway);
+        field_to_json(Obj,"certificate", certificate);
+        field_to_json(Obj,"key", key);
+        field_to_json(Obj,"macPrefix", macPrefix);
+        field_to_json(Obj,"deviceType", deviceType);
+        field_to_json(Obj,"devices", devices);
+        field_to_json(Obj,"healthCheckInterval", healthCheckInterval);
+        field_to_json(Obj,"stateInterval", stateInterval);
+        field_to_json(Obj,"minAssociations", minAssociations);
+        field_to_json(Obj,"maxAssociations", maxAssociations);
+        field_to_json(Obj,"minClients", minClients);
+        field_to_json(Obj,"maxClients", maxClients);
+        field_to_json(Obj,"simulationLength", simulationLength);
+        field_to_json(Obj,"threads", threads);
+        field_to_json(Obj,"clientInterval", clientInterval);
+        field_to_json(Obj,"keepAlive", keepAlive);
+        field_to_json(Obj,"reconnectInterval", reconnectInterval);
+        field_to_json(Obj,"concurrentDevices", concurrentDevices);
+    }
+
+    bool SimulationDetails::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"id", id);
+            field_from_json(Obj,"name", name);
+            field_from_json(Obj,"gateway", gateway);
+            field_from_json(Obj,"certificate", certificate);
+            field_from_json(Obj,"key", key);
+            field_from_json(Obj,"macPrefix", macPrefix);
+            field_from_json(Obj,"deviceType", deviceType);
+            field_from_json(Obj,"devices", devices);
+            field_from_json(Obj,"healthCheckInterval", healthCheckInterval);
+            field_from_json(Obj,"stateInterval", stateInterval);
+            field_from_json(Obj,"minAssociations", minAssociations);
+            field_from_json(Obj,"maxAssociations", maxAssociations);
+            field_from_json(Obj,"minClients", minClients);
+            field_from_json(Obj,"maxClients", maxClients);
+            field_from_json(Obj,"simulationLength", simulationLength);
+            field_from_json(Obj,"threads", threads);
+            field_from_json(Obj,"clientInterval", clientInterval);
+            field_from_json(Obj,"keepAlive", keepAlive);
+            field_from_json(Obj,"reconnectInterval", reconnectInterval);
+            field_from_json(Obj,"concurrentDevices", concurrentDevices);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void SimulationDetailsList::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"list", list);
+    }
+
+    bool SimulationDetailsList::from_json(const Poco::JSON::Object::Ptr &Obj) {
+        try {
+            field_from_json(Obj,"list", list);
+            return true;
+        } catch(...) {
+
+        }
+        return false;
+    }
+
+    void SimulationStatus::to_json(Poco::JSON::Object &Obj) const {
+        field_to_json(Obj,"id", id);
+        field_to_json(Obj,"simulationId", simulationId);
+        field_to_json(Obj,"state", state);
+        field_to_json(Obj,"tx", tx);
+        field_to_json(Obj,"rx", rx);
+        field_to_json(Obj,"msgsTx", msgsTx);
+        field_to_json(Obj,"msgsRx", msgsRx);
+        field_to_json(Obj,"liveDevices", liveDevices);
+        field_to_json(Obj,"timeToFullDevices", timeToFullDevices);
+        field_to_json(Obj,"startTime", startTime);
+        field_to_json(Obj,"endTime", endTime);
+        field_to_json(Obj,"errorDevices", errorDevices);
+        field_to_json(Obj,"owner", owner);
+    }
+
+    void Dashboard::to_json([[maybe_unused]] Poco::JSON::Object &Obj) const {
+
+    }
+
+    bool Dashboard::from_json([[maybe_unused]] const Poco::JSON::Object::Ptr &Obj) {
+        return true;
+    }
+
+    void Dashboard::reset() {
+
+    }
+}
--- a/Show More
+++ b/Show More