fix: Updated CI with ubuntu-latest.

Signed-off-by: Ivan Chvets <ivan.chvets@kinarasystems.com>
Merge pull request #113 from Telecominfraproject/version_update
2025-10-29 18:02:29 +00:00 · 2025-05-02 10:20:07 -04:00 · 2024-09-30 10:12:29 -04:00 · 2024-09-30 09:35:21 -04:00 · 2024-06-19 16:59:56 -04:00 · 2024-06-19 16:43:47 -04:00
282 changed files with 36267 additions and 24473 deletions
--- a/.clang-format
+++ b/.clang-format
@@ -0,0 +1,178 @@
+---
+Language:        Cpp
+# BasedOnStyle:  LLVM
+AccessModifierOffset: -2
+AlignAfterOpenBracket: Align
+AlignArrayOfStructures: None
+AlignConsecutiveMacros: None
+AlignConsecutiveAssignments: None
+AlignConsecutiveBitFields: None
+AlignConsecutiveDeclarations: None
+AlignEscapedNewlines: Right
+AlignOperands:   Align
+AlignTrailingComments: true
+AllowAllArgumentsOnNextLine: true
+AllowAllConstructorInitializersOnNextLine: true
+AllowAllParametersOfDeclarationOnNextLine: true
+AllowShortEnumsOnASingleLine: true
+AllowShortBlocksOnASingleLine: Never
+AllowShortCaseLabelsOnASingleLine: false
+AllowShortFunctionsOnASingleLine: All
+AllowShortLambdasOnASingleLine: All
+AllowShortIfStatementsOnASingleLine: Never
+AllowShortLoopsOnASingleLine: false
+AlwaysBreakAfterDefinitionReturnType: None
+AlwaysBreakAfterReturnType: None
+AlwaysBreakBeforeMultilineStrings: false
+AlwaysBreakTemplateDeclarations: MultiLine
+AttributeMacros:
+  - __capability
+BinPackArguments: true
+BinPackParameters: true
+BraceWrapping:
+  AfterCaseLabel:  false
+  AfterClass:      false
+  AfterControlStatement: Never
+  AfterEnum:       false
+  AfterFunction:   false
+  AfterNamespace:  false
+  AfterObjCDeclaration: false
+  AfterStruct:     false
+  AfterUnion:      false
+  AfterExternBlock: false
+  BeforeCatch:     false
+  BeforeElse:      false
+  BeforeLambdaBody: false
+  BeforeWhile:     false
+  IndentBraces:    false
+  SplitEmptyFunction: true
+  SplitEmptyRecord: true
+  SplitEmptyNamespace: true
+BreakBeforeBinaryOperators: None
+BreakBeforeConceptDeclarations: true
+BreakBeforeBraces: Attach
+BreakBeforeInheritanceComma: false
+BreakInheritanceList: BeforeColon
+BreakBeforeTernaryOperators: true
+BreakConstructorInitializersBeforeComma: false
+BreakConstructorInitializers: BeforeColon
+BreakAfterJavaFieldAnnotations: false
+BreakStringLiterals: true
+ColumnLimit:     100
+CommentPragmas:  '^ IWYU pragma:'
+CompactNamespaces: false
+ConstructorInitializerAllOnOneLineOrOnePerLine: false
+ConstructorInitializerIndentWidth: 4
+ContinuationIndentWidth: 4
+Cpp11BracedListStyle: true
+DeriveLineEnding: true
+DerivePointerAlignment: false
+DisableFormat:   false
+EmptyLineAfterAccessModifier: Never
+EmptyLineBeforeAccessModifier: LogicalBlock
+ExperimentalAutoDetectBinPacking: false
+FixNamespaceComments: true
+ForEachMacros:
+  - foreach
+  - Q_FOREACH
+  - BOOST_FOREACH
+IfMacros:
+  - KJ_IF_MAYBE
+IncludeBlocks:   Preserve
+IncludeCategories:
+  - Regex:           '^"(llvm|llvm-c|clang|clang-c)/'
+    Priority:        2
+    SortPriority:    0
+    CaseSensitive:   false
+  - Regex:           '^(<|"(gtest|gmock|isl|json)/)'
+    Priority:        3
+    SortPriority:    0
+    CaseSensitive:   false
+  - Regex:           '.*'
+    Priority:        1
+    SortPriority:    0
+    CaseSensitive:   false
+IncludeIsMainRegex: '(Test)?$'
+IncludeIsMainSourceRegex: ''
+IndentAccessModifiers: false
+IndentCaseLabels: false
+IndentCaseBlocks: false
+IndentGotoLabels: true
+IndentPPDirectives: None
+IndentExternBlock: AfterExternBlock
+IndentRequires:  false
+IndentWidth:     4
+IndentWrappedFunctionNames: false
+InsertTrailingCommas: None
+JavaScriptQuotes: Leave
+JavaScriptWrapImports: true
+KeepEmptyLinesAtTheStartOfBlocks: true
+LambdaBodyIndentation: Signature
+MacroBlockBegin: ''
+MacroBlockEnd:   ''
+MaxEmptyLinesToKeep: 1
+NamespaceIndentation: All
+ObjCBinPackProtocolList: Auto
+ObjCBlockIndentWidth: 2
+ObjCBreakBeforeNestedBlockParam: true
+ObjCSpaceAfterProperty: false
+ObjCSpaceBeforeProtocolList: true
+PenaltyBreakAssignment: 2
+PenaltyBreakBeforeFirstCallParameter: 19
+PenaltyBreakComment: 300
+PenaltyBreakFirstLessLess: 120
+PenaltyBreakString: 1000
+PenaltyBreakTemplateDeclaration: 10
+PenaltyExcessCharacter: 1000000
+PenaltyReturnTypeOnItsOwnLine: 60
+PenaltyIndentedWhitespace: 0
+PointerAlignment: Right
+PPIndentWidth:   -1
+ReferenceAlignment: Pointer
+ReflowComments:  true
+ShortNamespaceLines: 1
+SortIncludes:    CaseSensitive
+SortJavaStaticImport: Before
+SortUsingDeclarations: true
+SpaceAfterCStyleCast: false
+SpaceAfterLogicalNot: false
+SpaceAfterTemplateKeyword: true
+SpaceBeforeAssignmentOperators: true
+SpaceBeforeCaseColon: false
+SpaceBeforeCpp11BracedList: false
+SpaceBeforeCtorInitializerColon: true
+SpaceBeforeInheritanceColon: true
+SpaceBeforeParens: ControlStatements
+SpaceAroundPointerQualifiers: Default
+SpaceBeforeRangeBasedForLoopColon: true
+SpaceInEmptyBlock: false
+SpaceInEmptyParentheses: false
+SpacesBeforeTrailingComments: 1
+SpacesInAngles:  Never
+SpacesInConditionalStatement: false
+SpacesInContainerLiterals: true
+SpacesInCStyleCastParentheses: false
+SpacesInLineCommentPrefix:
+  Minimum:         1
+  Maximum:         -1
+SpacesInParentheses: false
+SpacesInSquareBrackets: false
+SpaceBeforeSquareBrackets: false
+BitFieldColonSpacing: Both
+Standard:        Latest
+StatementAttributeLikeMacros:
+  - Q_EMIT
+StatementMacros:
+  - Q_UNUSED
+  - QT_REQUIRE_VERSION
+TabWidth:        4
+UseCRLF:         false
+UseTab:          Always
+WhitespaceSensitiveMacros:
+  - STRINGIZE
+  - PP_STRINGIZE
+  - BOOST_PP_STRINGIZE
+  - NS_SWIFT_NAME
+  - CF_SWIFT_NAME
+...
+
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -21,13 +21,13 @@ defaults:

 jobs:
  docker:
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-latest
    env:
      DOCKER_REGISTRY_URL: tip-tip-wlan-cloud-ucentral.jfrog.io
      DOCKER_REGISTRY_USERNAME: ucentral
    steps:
    - name: Checkout actions repo
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
      with:
        repository: Telecominfraproject/.github
        path: github
@@ -58,11 +58,11 @@ jobs:
    - name: Get base branch name and set as output
      id: get_base_branch
      run: |
-        echo ::set-output name=branch::$(echo ${GITHUB_BASE_REF##*/})
-        echo ::set-output name=owgw_branch::$(echo ${GITHUB_BASE_REF##*/} | sed 's/main/master/g')
+        echo "branch=$(echo ${GITHUB_BASE_REF##*/})" >> $GITHUB_OUTPUT
+        echo "owgw_branch=$(echo ${GITHUB_BASE_REF##*/} | sed 's/main/master/g')" >> $GITHUB_OUTPUT

    - name: Checkout actions repo
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
      with:
        repository: Telecominfraproject/.github
        path: github
@@ -87,7 +87,7 @@ jobs:
      - docker
    steps:
    - name: Checkout actions repo
-      uses: actions/checkout@v2
+      uses: actions/checkout@v3
      with:
        repository: Telecominfraproject/.github
        path: github
--- a/.github/workflows/enforce-jira-issue-key.yml
+++ b/.github/workflows/enforce-jira-issue-key.yml
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout actions repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          repository: Telecominfraproject/.github
          path: github
--- a/.github/workflows/openapi-pages.yml
+++ b/.github/workflows/openapi-pages.yml
@@ -0,0 +1,38 @@
+name: Update OpenAPI docs on GitHub Pages
+
+on:
+  push:
+    paths:
+      - 'openapi/**'
+    branches:
+      - main
+  workflow_dispatch:
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  docsgen:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Generate static HTML page with docs from OpenAPI definition
+        run: |
+          docker run --rm -v "${PWD}:/local" openapitools/openapi-generator-cli:v6.2.1 generate -i https://raw.githubusercontent.com/Telecominfraproject/wlan-cloud-ucentralsec/main/openpapi/owsec.yaml -g html2 --skip-validate-spec -o /local/
+
+      - name: Update OpenAPI docs
+        run: |
+          mkdir -p ~/.ssh
+          ssh-keyscan -H github.com >> ~/.ssh/known_hosts
+          echo https://tip-automation:${{ secrets.GIT_PUSH_PAT }}@github.com > ~/.git-credentials
+          git config --global credential.helper store
+          git config --global user.email "tip-automation@telecominfraproject.com"
+          git config --global user.name "TIP Automation User"
+          git pull
+          git checkout gh-pages || git checkout -b gh-pages
+          mv index.html docs/index.html
+          git add docs
+          git commit -m'Update OpenAPI docs for GitHub pages'
+          git push --set-upstream origin gh-pages
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ jobs:
      HELM_REPO_USERNAME: ucentral
    steps:
      - name: Checkout uCentral assembly chart repo
-        uses: actions/checkout@v2
+        uses: actions/checkout@v3
        with:
          path: wlan-cloud-ucentralsec

--- a/.idea/.gitignore
+++ b/.idea/.gitignore
@@ -1,21 +0,0 @@
-# Default ignored files
-/shelf/
-/workspace.xml
-# Datasource local storage ignored files
-/dataSources/
-/dataSources.local.xml
-# Editor-based HTTP Client requests
-/httpRequests/
-/certs/
-/logs/
-*.csr
-*.db
-/docker-compose/certs/
-/docker-compose/*-data/data/
-/docker-compose/*-data/uploads/
-/docker-compose/.env
-/docker-compose/.env_*
-/cmake-build/
-*.pem
-result.json
-token.json
--- a/BUILDING.md
+++ b/BUILDING.md
@@ -0,0 +1,197 @@
+# Building from source
+
+In order to build OWSEC, you will need to install its dependencies, which includes the following:
+- cmake
+- boost
+- POCO 1.10.1 or later
+- a C++17 compiler
+- openssl
+- libpq-dev (PortgreSQL development libraries)
+- mysql-client (MySQL client)
+- librdkafka
+- cppkafka
+
+The build is done in 2 parts. The first part is to build a local copy of the framework tailored to your environment. This
+framework is called [Poco](https://github.com/pocoproject/poco). The version used in this project has a couple of fixes
+from the master copy needed for cmake. Please use the version of this [Poco fix](https://github.com/Telecominfraproject/wlan-cloud-lib-poco). Building
+Poco may take several minutes depending on the platform you are building on.
+
+## Ubuntu
+These instructions have proven to work on Ubuntu 20.4.
+```bash
+sudo apt install git cmake g++ libssl-dev libmariadb-dev \
+    libpq-dev libaprutil1-dev apache2-dev libboost-all-dev \
+    librdkafka-dev default-libmysqlclient-dev \
+    nlohmann-json-dev
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-poco --branch poco-tip-v1 poco
+cd poco
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-cppkafka --branch tip-v1 cppkafka
+cd cppkafka
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-valijson --branch tip-v1 valijson
+cd valijson
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/fmtlib/fmt --branch 9.0.0 /fmtlib
+cd fmtlib
+mkdir cmake-build
+cd cmake-build
+cmake ..
+make
+make install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-ucentralsec
+cd wlan-cloud-ucentralsec
+mkdir cmake-build
+cd cmake-build
+cmake ..
+make -j 8
+cd ../..
+```
+
+## Fedora
+The following instructions have proven to work on Fedora 33
+```bash
+sudo yum install cmake g++ openssl-devel mysql-devel mysql apr-util-devel boost boost-devel \
+    yaml-cpp-devel lua-devel
+sudo dnf install postgresql.x86_64 librdkafka-devel
+sudo dnf install postgresql-devel json-devel
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-poco --branch poco-tip-v1 poco
+cd poco
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-cppkafka --branch tip-v1 cppkafka
+cd cppkafka
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-valijson --branch tip-v1 valijson
+cd valijson
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-ucentralsec
+cd wlan-cloud-ucentralsec
+mkdir cmake-build
+cd cmake-build
+cmake ..
+make
+cd ../..
+```
+
+## macOS Build
+The following instructions have proven to work on macOS Big Sur. You need to install [Homebrew](https://brew.sh/). You must also have installed [XCode for OS X](https://www.freecodecamp.org/news/how-to-download-and-install-xcode/).
+```bash
+brew install openssl \
+	cmake \
+	libpq \
+	mysql-client \
+	apr \
+	apr-util \
+	boost \
+	yaml-cpp \
+	postgresql \
+	librdkafka \
+	nlohmann-json \
+	fmt
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-poco --branch poco-tip-v1 poco
+pushd poco
+mkdir cmake-build
+push cmake-build
+cmake -DOPENSSL_ROOT_DIR=</path/to/openssl> -DENABLE_NETSSL=1 -DENABLE_JWT=1 -DENABLE_CRYPTO=1 ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+popd
+popd
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-cppkafka --branch tip-v1 cppkafka
+pushd cppkafka
+mkdir cmake-build
+pushd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+popd
+popd
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-valijson --branch tip-v1 valijson
+pushd valijson
+mkdir cmake-build
+pushd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+popd
+popd
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-ucentralsec
+pushd wlan-cloud-ucentralsec
+mkdir cmake-build
+pushd cmake-build
+cmake ..
+make -j
+popd
+popd
+```
+
+## Raspberry
+The build on a rPI takes a while. You can shorten that build time and requirements by disabling all the larger database
+support. You can build with only SQLite support by not installing the packages for PostgreSQL, and MySQL by
+adding -DSMALL_BUILD=1 on the cmake build line.
+
+```bash
+sudo apt install git cmake g++ libssl-dev libaprutil1-dev apache2-dev \
+    libboost-all-dev libyaml-cpp-dev
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-lib-poco --branch poco-tip-v1 poco
+cd poco
+mkdir cmake-build
+cd cmake-build
+cmake ..
+cmake --build . --config Release
+sudo cmake --build . --target install
+cd ../..
+
+git clone https://github.com/Telecominfraproject/wlan-cloud-ucentralsec
+cd wlan-cloud-ucentralsec
+mkdir cmake-build
+cd cmake-build
+cmake -DSMALL_BUILD=1 ..
+make
+cd ../..
+```
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1,5 +1,5 @@
 cmake_minimum_required(VERSION 3.13)
-project(owsec VERSION 2.6.0)
+project(owsec VERSION 3.2.0)

 set(CMAKE_CXX_STANDARD 17)

@@ -32,21 +32,22 @@ endif()

 find_package(Git QUIET)
 if(GIT_FOUND AND EXISTS "${PROJECT_SOURCE_DIR}/.git")
-    execute_process(COMMAND ${GIT_EXECUTABLE} describe --always --tags
+    execute_process(COMMAND ${GIT_EXECUTABLE} rev-parse --short HEAD
            WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}
            RESULT_VARIABLE GIT_RESULT
            OUTPUT_VARIABLE GIT_HASH)
    if(NOT GIT_RESULT EQUAL "0")
-        message(FATAL_ERROR "git describe --always --tags failed with ${GIT_RESULT}")
+        message(FATAL_ERROR "git rev-parse --short HEAD failed with ${GIT_RESULT}")
    endif()
    string(REGEX REPLACE "\n$" "" GIT_HASH "${GIT_HASH}")
 endif()

-add_definitions(-DAWS_CUSTOM_MEMORY_MANAGEMENT)
+add_definitions(-DAWS_CUSTOM_MEMORY_MANAGEMENT -DBOOST_NO_CXX98_FUNCTION_BASE=1)

 set(BUILD_SHARED_LIBS 1)

 add_definitions(-DTIP_SECURITY_SERVICE="1")
+add_definitions(-DPOCO_LOG_DEBUG="1")

 add_compile_options(-Wall -Wextra)
 if(ASAN)
@@ -74,18 +75,63 @@ add_executable( owsec
        src/framework/CountryCodes.h
        src/framework/KafkaTopics.h
        src/framework/MicroService.h
+        src/framework/OpenWifiTypes.h
        src/framework/orm.h
        src/framework/StorageClass.h
-        src/framework/ow_constants.h
-        src/framework/WebSocketClientNotifications.h
+        src/framework/MicroServiceErrorHandler.h
+        src/framework/UI_WebSocketClientServer.cpp
+        src/framework/UI_WebSocketClientServer.h
+        src/framework/UI_WebSocketClientNotifications.cpp
+        src/framework/UI_WebSocketClientNotifications.h
+        src/framework/utils.h
+        src/framework/utils.cpp
+        src/framework/AppServiceRegistry.h
+        src/framework/SubSystemServer.cpp
+        src/framework/SubSystemServer.h
+        src/framework/RESTAPI_utils.h
+        src/framework/AuthClient.cpp
+        src/framework/AuthClient.h
+        src/framework/MicroServiceNames.h
+        src/framework/MicroServiceFuncs.h
+        src/framework/OpenAPIRequests.cpp
+        src/framework/OpenAPIRequests.h
+        src/framework/MicroServiceFuncs.cpp
+        src/framework/ALBserver.cpp
+        src/framework/ALBserver.h
+        src/framework/KafkaManager.cpp
+        src/framework/KafkaManager.h
+        src/framework/RESTAPI_RateLimiter.h
+        src/framework/WebSocketLogger.h
+        src/framework/RESTAPI_GenericServerAccounting.h
+        src/framework/RESTAPI_SystemConfiguration.h
+        src/framework/CIDR.h
+        src/framework/RESTAPI_Handler.cpp
+        src/framework/RESTAPI_Handler.h
+        src/framework/RESTAPI_ExtServer.h
+        src/framework/RESTAPI_ExtServer.cpp
+        src/framework/RESTAPI_IntServer.cpp
+        src/framework/RESTAPI_IntServer.h
+        src/framework/RESTAPI_SystemCommand.h
+        src/framework/RESTAPI_WebSocketServer.h
+        src/framework/EventBusManager.cpp
+        src/framework/EventBusManager.h
+        src/framework/RESTAPI_PartHandler.h
+        src/framework/MicroService.cpp
+        src/framework/MicroServiceExtra.h
+        src/framework/default_device_types.h
+        src/RESTObjects/RESTAPI_SecurityObjects.h src/RESTObjects/RESTAPI_SecurityObjects.cpp
+        src/RESTObjects/RESTAPI_GWobjects.h src/RESTObjects/RESTAPI_GWobjects.cpp
+        src/RESTObjects/RESTAPI_FMSObjects.h src/RESTObjects/RESTAPI_FMSObjects.cpp
+        src/RESTObjects/RESTAPI_CertObjects.cpp src/RESTObjects/RESTAPI_CertObjects.h
+        src/RESTObjects/RESTAPI_OWLSobjects.cpp src/RESTObjects/RESTAPI_OWLSobjects.h
+        src/RESTObjects/RESTAPI_ProvObjects.cpp src/RESTObjects/RESTAPI_ProvObjects.h
+        src/RESTObjects/RESTAPI_AnalyticsObjects.cpp src/RESTObjects/RESTAPI_AnalyticsObjects.h
+        src/RESTObjects/RESTAPI_SubObjects.cpp src/RESTObjects/RESTAPI_SubObjects.h
+
        src/seclibs/qrcode/qrcodegen.hpp src/seclibs/qrcode/qrcodegen.cpp
        src/seclibs/cpptotp/bytes.cpp src/seclibs/cpptotp/bytes.h
        src/seclibs/cpptotp/otp.cpp src/seclibs/cpptotp/otp.h
        src/seclibs/cpptotp/sha1.cpp src/seclibs/cpptotp/sha1.h
-        src/RESTObjects/RESTAPI_SecurityObjects.h src/RESTObjects/RESTAPI_SecurityObjects.cpp
-        src/RESTObjects/RESTAPI_ProvObjects.cpp src/RESTObjects/RESTAPI_ProvObjects.h
-        src/RESTObjects/RESTAPI_GWobjects.h src/RESTObjects/RESTAPI_GWobjects.cpp
-        src/RESTObjects/RESTAPI_FMSObjects.h src/RESTObjects/RESTAPI_FMSObjects.cpp
        src/RESTAPI/RESTAPI_oauth2_handler.h src/RESTAPI/RESTAPI_oauth2_handler.cpp
        src/RESTAPI/RESTAPI_users_handler.cpp src/RESTAPI/RESTAPI_users_handler.h
        src/RESTAPI/RESTAPI_user_handler.cpp src/RESTAPI/RESTAPI_user_handler.h
@@ -117,14 +163,19 @@ add_executable( owsec
        src/SMS_provider_twilio.cpp src/SMS_provider_twilio.h
        src/ActionLinkManager.cpp src/ActionLinkManager.h
        src/ACLProcessor.h
-        src/framework/OpenWifiTypes.h
        src/storage/orm_users.cpp src/storage/orm_users.h
        src/storage/orm_tokens.cpp src/storage/orm_tokens.h
        src/storage/orm_preferences.cpp src/storage/orm_preferences.h
        src/storage/orm_actionLinks.cpp src/storage/orm_actionLinks.h
        src/storage/orm_avatar.cpp src/storage/orm_avatar.h
        src/SpecialUserHelpers.h
-        src/RESTAPI/RESTAPI_db_helpers.h src/storage/orm_logins.cpp src/storage/orm_logins.h src/RESTAPI/RESTAPI_totp_handler.cpp src/RESTAPI/RESTAPI_totp_handler.h src/TotpCache.h src/RESTAPI/RESTAPI_subtotp_handler.cpp src/RESTAPI/RESTAPI_subtotp_handler.h src/RESTAPI/RESTAPI_signup_handler.cpp src/RESTAPI/RESTAPI_signup_handler.h)
+        src/RESTAPI/RESTAPI_db_helpers.h src/storage/orm_logins.cpp src/storage/orm_logins.h
+        src/RESTAPI/RESTAPI_totp_handler.cpp
+        src/RESTAPI/RESTAPI_totp_handler.h
+        src/TotpCache.h
+        src/RESTAPI/RESTAPI_subtotp_handler.cpp src/RESTAPI/RESTAPI_subtotp_handler.h
+        src/RESTAPI/RESTAPI_signup_handler.cpp src/RESTAPI/RESTAPI_signup_handler.h
+        src/MessagingTemplates.h src/RESTAPI/RESTAPI_apiKey_handler.cpp src/RESTAPI/RESTAPI_apiKey_handler.h src/storage/orm_apikeys.cpp src/storage/orm_apikeys.h src/RESTAPI/RESTAPI_validate_apikey.cpp src/RESTAPI/RESTAPI_validate_apikey.h src/RESTAPI/RESTAPI_systemSecret_handler.cpp src/RESTAPI/RESTAPI_systemSecret_handler.h src/SecretStore.cpp src/SecretStore.h)

 if(NOT SMALL_BUILD)
    target_link_libraries(owsec PUBLIC
@@ -134,8 +185,9 @@ if(NOT SMALL_BUILD)
            CppKafka::cppkafka
            ${AWSSDK_LINK_LIBRARIES}
            fmt::fmt
+            resolv
            )
    if(UNIX AND NOT APPLE)
        target_link_libraries(owsec PUBLIC PocoJSON)
    endif()
-endif()
+endif()
--- a/CONFIGURATION.md
+++ b/CONFIGURATION.md
@@ -0,0 +1,270 @@
+# OWSEC Configuration
+Here is the list of parameters you can configure in the `owsec.properties` file.
+
+## OWSEC Specific Parameters
+### OWSEC Login
+```properties
+authentication.default.password: 13268b7daa751240369d125e79c873bd8dd3bef7981bdfd38ea03dbb1fbe7dcf
+authentication.default.username: tip@ucentral.com
+authentication.enabled: true
+```
+
+```properties
+authentication.token.ageing = 30 * 24 * 60 * 60
+authentication.oldpasswords = 5
+openwifi.document.policy.access = /wwwassets/access_policy.html
+openwifi.document.policy.password = /wwwassets/password_policy.html
+authentication.validation.expression =
+subscriber.validation.expression =
+subscriber.policy.access = /wwwassets/access_policy.html
+subscriber.policy.password = /wwwassets/password_policy.html
+```
+
+### Mail template variables
+```properties
+helper.user.email = charles.bourque@arilia.com
+helper.sub.email = charles.bourque@arilia.com
+helper.user.global.email = info@arilia.com
+helper.sub.global.email = info@arilia.com
+helper.user.site = https://ucentral.dpaas.arilia.com
+helper.sub.site = https://ucentral.dpaas.arilia.com
+helper.user.login = https://ucentral.dpaas.arilia.com
+helper.sub.login = https://ucentral.dpaas.arilia.com
+helper.user.signature = Arilia Wireless Inc.
+helper.sub.signature = Arilia Wireless Inc.
+```
+
+### Google authenticator
+```properties
+totp.issuer: Arilia
+```
+
+### Mailer 
+```properties
+mailer.enabled: true
+mailer.hostname: email-smtp.us-west-2.amazonaws.com
+mailer.loginmethod: login
+mailer.password: ***********************************************
+mailer.port: 587
+mailer.sender: no-reply@arilia.com
+mailer.templates: $OWSEC_ROOT/templates
+mailer.username: AKIATXEXGKF3QZN543VS
+```
+
+### Built-in web server 
+```properties
+openwifi.avatar.maxsize: 2000000
+openwifi.document.policy.access: /wwwassets/access_policy.html
+openwifi.document.policy.password: /wwwassets/password_policy.html
+```
+
+### SMS Sender
+```properties
+smssender.aws.accesskey: ***********************
+smssender.aws.region: us-west-2
+smssender.aws.secretkey: ******************************************+X
+smssender.enabled: true
+smssender.provider: aws
+```
+
+```properties
+smssender.provider = twilio
+smssender.twilio.sid = ***********************
+smssender.twilio.token = **********************
+smssender.twilio.phonenumber = +18888888888
+```
+
+## Generic OpenWiFi SDK parameters
+### REST API External parameters
+These are the parameters required for the configuration of the external facing REST API server
+```properties
+openwifi.restapi.host.0.backlog = 100
+openwifi.restapi.host.0.security = relaxed
+openwifi.restapi.host.0.rootca = $OWSEC_ROOT/certs/restapi-ca.pem
+openwifi.restapi.host.0.address = *
+openwifi.restapi.host.0.port = 16001
+openwifi.restapi.host.0.cert = $OWSEC_ROOT/certs/restapi-cert.pem
+openwifi.restapi.host.0.key = $OWSEC_ROOT/certs/restapi-key.pem
+openwifi.restapi.host.0.key.password = mypassword
+```
+
+#### openwifi.restapi.host.0.backlog
+This is the number of concurrent REST API calls that maybe be kept in the backlog for processing. That's a good rule of thumb. Never go above 500.
+#### openwifi.restapi.host.0.rootca
+This is the root file of your own certificate CA in `pem` format.
+#### openwifi.restapi.host.0.cert
+This is your own server certificate in `pem` format..
+#### openwifi.restapi.host.0.key
+This is the private key associated with your own certificate in `pem` format.
+#### openwifi.restapi.host.0.address
+Leve this a `*` in the case you want to bind to all interfaces on your gateway host or select the address of a single interface.
+#### openwifi.restapi.host.0.port
+The port on which the REST API server is listening. By default, this is 16002.
+#### openwifi.restapi.host.0.security
+Leave this as `relaxed` for now for devices.
+#### openwifi.restapi.host.0.key.password
+If you key file uses a password, please enter it here.
+
+### REST API Intra microservice parameters
+The following parameters describe the configuration for the inter-microservice HTTP server. You may use the same certificate/key
+you are using for your extenral server or another certificate.
+```properties
+openwifi.internal.restapi.host.0.backlog = 100
+openwifi.internal.restapi.host.0.security = relaxed
+openwifi.internal.restapi.host.0.rootca = $OWSEC_ROOT/certs/restapi-ca.pem
+openwifi.internal.restapi.host.0.address = *
+openwifi.internal.restapi.host.0.port = 17001
+openwifi.internal.restapi.host.0.cert = $OWSEC_ROOT/certs/restapi-cert.pem
+openwifi.internal.restapi.host.0.key = $OWSEC_ROOT/certs/restapi-key.pem
+openwifi.internal.restapi.host.0.key.password = mypassword
+```
+
+#### openwifi.internal.host.0.backlog
+This is the number of concurrent REST API calls that maybe be kept in the backlog for processing. That's a good rule of thumb. Never go above 500.
+#### openwifi.internal.host.0.rootca
+This is the root file of your own certificate CA in `pem` format.
+#### openwifi.internal.host.0.cert
+This is your own server certificate in `pem` format..
+#### openwifi.internal.host.0.key
+This is the private key associated with your own certificate in `pem` format.
+#### openwifi.internal.host.0.address
+Leve this a `*` in the case you want to bind to all interfaces on your gateway host or select the address of a single interface.
+#### openwifi.internal.host.0.port
+The port on which the REST API server is listening. By default, this is 17002.
+#### openwifi.internal.host.0.security
+Leave this as `relaxed` for now for devices.
+#### openwifi.internal.host.0.key.password
+If you key file uses a password, please enter it here.
+
+### Microservice information
+These are different Microservie parameters. Following is a brief explanation.
+```properties
+openwifi.service.key = $OWSEC_ROOT/certs/restapi-key.pem
+openwifi.service.key.password = mypassword
+openwifi.system.data = $OWSEC_ROOT/data
+openwifi.system.uri.private = https://localhost:17004
+openwifi.system.uri.public = https://ucentral.dpaas.arilia.com:16002
+openwifi.system.uri.ui = https://ucentral-ui.arilia.com
+openwifi.security.restapi.disable = false
+openwifi.system.commandchannel = /tmp/app.ucentralfms
+openwifi.autoprovisioning = true
+```
+#### openwifi.service.key
+From time to time, the microservice must encrypt information. This is the key it should use. You may use the
+same keey as you RESTAPI or your server.
+#### openwifi.service.key.password
+The password for the `openwifi.service.key`
+#### openwifi.system.data
+The location of system data. This path must exist.
+#### openwifi.system.uri.private
+The URI to reach the controller on the internal port.
+#### openwifi.system.uri.public
+The URI to reach the controller from the outside world.
+#### openwifi.system.uri.ui
+The URI of the UI to manage this service
+#### openwifi.security.restapi.disable
+This allows to disable security for internal and external API calls. This should only be used if the controller
+sits behind an application load balancer that will actually do TLS. Setting this to `true` disables security.
+#### openwifi.system.commandchannel
+The UNIX socket command channel used by this service.
+#### openwifi.autoprovisioning
+Allow unknown devices to be provisioned by the system.
+
+### ALB Support
+In order to support an application load balancer health check verification, your need to provide the following parameters.
+```properties
+alb.enable = true
+alb.port = 16101
+```
+
+### Kafka
+The controller use Kafka, like all the other microservices. You must configure the kafka section in order for the
+system to work.
+```properties
+openwifi.kafka.group.id = security
+openwifi.kafka.client.id = security1
+openwifi.kafka.enable = true
+openwifi.kafka.brokerlist = my_Kafka.example.com:9092
+openwifi.kafka.auto.commit = false
+openwifi.kafka.queue.buffering.max.ms = 50
+```
+
+### openwifi.kafka.group.id
+The group ID is a single word that should identify the type of service tuning. In the case `security`
+### openwifi.kafka.client.id
+The client ID is a single service within that group ID. Each participant must have a unique client ID.
+### openwifi.kafka.enable
+Kafka should always be enabled.
+### openwifi.kafka.brokerlist
+The list of servers where your Kafka server is running. Comma separated.
+### openwifi.kafka.auto.commit
+Auto commit flag in Kafka. Leave as `false`.
+### openwifi.kafka.queue.buffering.max.ms
+Kafka buffering. Leave as `50`.
+### Kafka security
+If you intend to use SSL, you should look into Kafka Connect and specify the certificates below.
+```properties
+penwifi.kafka.ssl.ca.location =
+openwifi.kafka.ssl.certificate.location =
+openwifi.kafka.ssl.key.location =
+openwifi.kafka.ssl.key.password =
+```
+
+### DB Type
+The controller supports 3 types of Database. SQLite should only be used for sites with less than 100 APs or for testing in the lab.
+In order to select which database to use, you must set the `storage.type` value to sqlite, postgresql, or mysql.
+
+```properties
+storage.type = sqlite
+#storage.type = postgresql
+#storage.type = mysql
+```
+
+### Storage SQLite parameters
+Additional parameters to set for SQLite. The only important one is `storage.type.sqlite.db` which is the database name on disk.
+```properties
+storage.type.sqlite.db = security.db
+storage.type.sqlite.idletime = 120
+storage.type.sqlite.maxsessions = 128
+```
+
+### Storage Postgres
+Additional parameters to set if you select Postgres for your database. You must specify `host`, `username`, `password`,
+`database`, and `port`.
+```properties
+storage.type.postgresql.maxsessions = 64
+storage.type.postgresql.idletime = 60
+storage.type.postgresql.host = localhost
+storage.type.postgresql.username = security
+storage.type.postgresql.password = security
+storage.type.postgresql.database = security
+storage.type.postgresql.port = 5432
+storage.type.postgresql.connectiontimeout = 60
+```
+
+### Storage MySQL/MariaDB
+Additional parameters to set if you select mysql for your database. You must specify `host`, `username`, `password`,
+`database`, and `port`.
+```properties
+storage.type.mysql.maxsessions = 64
+storage.type.mysql.idletime = 60
+storage.type.mysql.host = localhost
+storage.type.postgresql.username = security
+storage.type.postgresql.password = security
+storage.type.postgresql.database = security
+storage.type.mysql.port = 3306
+storage.type.mysql.connectiontimeout = 60
+```
+
+### Logging Parameters
+The microservice provides extensive logging. If you would like to keep logging on disk, set the `logging.type = file`. If you only want
+console logging, `set logging.type = console`. When selecting file, `logging.path` must exist. `logging.level` sets the
+basic logging level for the entire controller. `logging.websocket` disables WebSocket logging.
+
+```properties
+logging.type = file
+logging.path = $OWSEC_ROOT/logs
+logging.level = information
+logging.asynch = true
+logging.websocket = false
+```
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -0,0 +1,38 @@
+# How to Contribute
+
+We'd love to accept your patches and contributions to this project. There are
+just a few small guidelines you need to follow.
+
+## Version of C++
+This project is based on the C++17 standard and compiles as-is on most platforms 
+using either clang or g++. Do not use C++21 or C++23 features for now. Some core 
+libraries used in this project do not support C++21 or C++23 yet.
+
+## Variable Naming
+Naming of pretty much anything uses Pascal naming. Longer explicit names using casing. 
+Member variable naming adds a `_` at the end of the vars. Try to
+keep this standard going. Sometimes you must override a base class function and then of course
+you need to follow the base class.
+
+## This is a cmake project
+This is a cmake project, and you need to adhere to the cmake rules. If you need
+to add a package to the CMakeList, you need to ensure that the package is available
+on all required platforms and compiles. Remember that this project runs on Linux, OS X, 
+and the Raspberry PI.
+
+## Licensed packages
+When adding a package, you must also state the licensing for the package. MIT, BSD, Apache licenses
+are acceptable. No commercial licenses are allowed. 
+
+## clang formatting
+Please format your code using the included `.clang-format` file included in the project.
+
+```bash
+clang-format -i --style=<project root>/.clang-format myfile.cpp
+```
+
+## Pull Requests
+All submissions, including submissions by project members, require review. We
+accept GitHub pull requests. Please create a branch with the Jira name for addressing the issue you are fixing or the 
+feature you are implementing.
+Create a pull-request from the branch into master. 
--- a/109
+++ b/109
@@ -1,16 +1,22 @@
-FROM alpine:3.15 AS build-base
+ARG DEBIAN_VERSION=11.5-slim
+ARG POCO_VERSION=poco-tip-v2
+ARG CPPKAFKA_VERSION=tip-v1
+ARG VALIJASON_VERSION=tip-v1

-RUN apk add --update --no-cache \
-    make cmake g++ git \
-    unixodbc-dev postgresql-dev mariadb-dev \
-    librdkafka-dev boost-dev openssl-dev \
-    zlib-dev nlohmann-json \
-    curl-dev
+FROM debian:$DEBIAN_VERSION AS build-base
+
+RUN apt-get update && apt-get install --no-install-recommends -y \
+    make cmake g++ git curl zip unzip pkg-config \
+    libpq-dev libmariadb-dev libmariadbclient-dev-compat \
+    librdkafka-dev libboost-all-dev libssl-dev \
+    zlib1g-dev ca-certificates libcurl4-openssl-dev libfmt-dev

 FROM build-base AS poco-build

-ADD https://api.github.com/repos/stephb9959/poco/git/refs/heads/master version.json
-RUN git clone https://github.com/stephb9959/poco /poco
+ARG POCO_VERSION
+
+ADD https://api.github.com/repos/Telecominfraproject/wlan-cloud-lib-poco/git/refs/tags/${POCO_VERSION} version.json
+RUN git clone https://github.com/Telecominfraproject/wlan-cloud-lib-poco --branch ${POCO_VERSION} /poco

 WORKDIR /poco
 RUN mkdir cmake-build
@@ -19,22 +25,12 @@ RUN cmake ..
 RUN cmake --build . --config Release -j8
 RUN cmake --build . --target install

-FROM build-base AS fmtlib-build
-
-ADD https://api.github.com/repos/fmtlib/fmt/git/refs/heads/master version.json
-RUN git clone https://github.com/fmtlib/fmt /fmtlib
-
-WORKDIR /fmtlib
-RUN mkdir cmake-build
-WORKDIR cmake-build
-RUN cmake ..
-RUN make
-RUN make install
-
 FROM build-base AS cppkafka-build

-ADD https://api.github.com/repos/stephb9959/cppkafka/git/refs/heads/master version.json
-RUN git clone https://github.com/stephb9959/cppkafka /cppkafka
+ARG CPPKAFKA_VERSION
+
+ADD https://api.github.com/repos/Telecominfraproject/wlan-cloud-lib-cppkafka/git/refs/tags/${CPPKAFKA_VERSION} version.json
+RUN git clone https://github.com/Telecominfraproject/wlan-cloud-lib-cppkafka --branch ${CPPKAFKA_VERSION} /cppkafka

 WORKDIR /cppkafka
 RUN mkdir cmake-build
@@ -43,75 +39,61 @@ RUN cmake ..
 RUN cmake --build . --config Release -j8
 RUN cmake --build . --target install

-FROM build-base AS json-schema-validator-build
+FROM build-base AS valijson-build

-ADD https://api.github.com/repos/pboettch/json-schema-validator/git/refs/heads/master version.json
-RUN git clone https://github.com/pboettch/json-schema-validator /json-schema-validator
+ARG VALIJASON_VERSION

-WORKDIR /json-schema-validator
+ADD https://api.github.com/repos/Telecominfraproject/wlan-cloud-lib-valijson/git/refs/tags/${VALIJASON_VERSION} version.json
+RUN git clone https://github.com/Telecominfraproject/wlan-cloud-lib-valijson --branch ${VALIJASON_VERSION} /valijson
+
+WORKDIR /valijson
 RUN mkdir cmake-build
 WORKDIR cmake-build
 RUN cmake ..
-RUN make
-RUN make install
-
-FROM build-base AS aws-sdk-cpp-build
-
-ADD https://api.github.com/repos/aws/aws-sdk-cpp/git/refs/heads/main version.json
-RUN git clone --recurse-submodules https://github.com/aws/aws-sdk-cpp /aws-sdk-cpp
-
-WORKDIR /aws-sdk-cpp
-RUN mkdir cmake-build
-WORKDIR cmake-build
-RUN cmake .. -DBUILD_ONLY="sns;s3" \
-             -DCMAKE_BUILD_TYPE=Release \
-             -DCMAKE_CXX_FLAGS="-Wno-error=stringop-overflow -Wno-error=uninitialized" \
-             -DAUTORUN_UNIT_TESTS=OFF
 RUN cmake --build . --config Release -j8
 RUN cmake --build . --target install

 FROM build-base AS owsec-build

 ADD CMakeLists.txt build /owsec/
+ADD overlays /owsec/overlays
 ADD cmake /owsec/cmake
 ADD src /owsec/src
 ADD .git /owsec/.git
+ARG VCPKG_VERSION=2022.11.14
+RUN git clone --depth 1 --branch ${VCPKG_VERSION} https://github.com/microsoft/vcpkg && \
+    ./vcpkg/bootstrap-vcpkg.sh && \
+    mkdir /vcpkg/custom-triplets && \
+    cp /vcpkg/triplets/x64-linux.cmake /vcpkg/custom-triplets/x64-linux.cmake && \
+    sed -i 's/set(VCPKG_LIBRARY.*/set(VCPKG_LIBRARY_LINKAGE dynamic)/g' /vcpkg/custom-triplets/x64-linux.cmake && \
+    ./vcpkg/vcpkg install aws-sdk-cpp[sns]:x64-linux json-schema-validator:x64-linux --overlay-triplets=/vcpkg/custom-triplets --overlay-ports=/owsec/overlays

 COPY --from=poco-build /usr/local/include /usr/local/include
 COPY --from=poco-build /usr/local/lib /usr/local/lib
 COPY --from=cppkafka-build /usr/local/include /usr/local/include
 COPY --from=cppkafka-build /usr/local/lib /usr/local/lib
-COPY --from=json-schema-validator-build /usr/local/include /usr/local/include
-COPY --from=json-schema-validator-build /usr/local/lib /usr/local/lib
-COPY --from=aws-sdk-cpp-build /usr/local/include /usr/local/include
-COPY --from=aws-sdk-cpp-build /usr/local/lib /usr/local/lib
-
-COPY --from=fmtlib-build /usr/local/include /usr/local/include
-COPY --from=fmtlib-build /usr/local/lib /usr/local/lib

 WORKDIR /owsec
 RUN mkdir cmake-build
 WORKDIR /owsec/cmake-build
-RUN cmake .. \
-          -Dcrypto_LIBRARY=/usr/lib/libcrypto.so \
-          -DBUILD_SHARED_LIBS=ON
+RUN cmake -DCMAKE_TOOLCHAIN_FILE=/vcpkg/scripts/buildsystems/vcpkg.cmake ..
 RUN cmake --build . --config Release -j8

-FROM alpine:3.15
+FROM debian:$DEBIAN_VERSION

 ENV OWSEC_USER=owsec \
    OWSEC_ROOT=/owsec-data \
    OWSEC_CONFIG=/owsec-data

-RUN addgroup -S "$OWSEC_USER" && \
-    adduser -S -G "$OWSEC_USER" "$OWSEC_USER"
+RUN useradd "$OWSEC_USER"

 RUN mkdir /openwifi
 RUN mkdir -p "$OWSEC_ROOT" "$OWSEC_CONFIG" && \
    chown "$OWSEC_USER": "$OWSEC_ROOT" "$OWSEC_CONFIG"

-RUN apk add --update --no-cache librdkafka su-exec gettext ca-certificates bash jq curl \
-    mariadb-connector-c libpq unixodbc postgresql-client
+RUN apt-get update && apt-get install --no-install-recommends -y \
+    librdkafka++1 gosu gettext ca-certificates bash jq curl wget \
+    libmariadb-dev-compat libpq5 postgresql-client libfmt7

 COPY readiness_check /readiness_check
 COPY test_scripts/curl/cli /cli
@@ -122,14 +104,15 @@ COPY templates /dist/templates
 COPY docker-entrypoint.sh /
 COPY wait-for-postgres.sh /
 RUN wget https://raw.githubusercontent.com/Telecominfraproject/wlan-cloud-ucentral-deploy/main/docker-compose/certs/restapi-ca.pem \
-    -O /usr/local/share/ca-certificates/restapi-ca-selfsigned.pem
+    -O /usr/local/share/ca-certificates/restapi-ca-selfsigned.crt

 COPY --from=owsec-build /owsec/cmake-build/owsec /openwifi/owsec
-COPY --from=cppkafka-build /cppkafka/cmake-build/src/lib/* /usr/local/lib
-COPY --from=poco-build /poco/cmake-build/lib/* /usr/local/lib
-COPY --from=aws-sdk-cpp-build /aws-sdk-cpp/cmake-build/aws-cpp-sdk-core/libaws-cpp-sdk-core.so /usr/local/lib
-COPY --from=aws-sdk-cpp-build /aws-sdk-cpp/cmake-build/aws-cpp-sdk-s3/libaws-cpp-sdk-s3.so /usr/local/lib
-COPY --from=aws-sdk-cpp-build /aws-sdk-cpp/cmake-build/aws-cpp-sdk-sns/libaws-cpp-sdk-sns.so /usr/local/lib
+COPY --from=owsec-build /vcpkg/installed/x64-linux/lib/ /usr/local/lib/
+COPY --from=cppkafka-build /cppkafka/cmake-build/src/lib/ /usr/local/lib/
+COPY --from=poco-build /poco/cmake-build/lib/ /usr/local/lib/
+COPY --from=valijson-build /usr/local/include /usr/local/include
+
+RUN ldconfig

 EXPOSE 16001 17001 16101

--- a/OPERATOR.md
+++ b/OPERATOR.md
@@ -0,0 +1,37 @@
+# Operator Support
+In order to support multiple tenants and operators, you must prepare the security service to serve
+customized e-mails and messages.
+
+## Structure for `templates`
+Any file in the root of the directory will be used as defaults. The following files must be present:
+- email_invitation.html/txt : This email message will be sent to a newly added user. 
+- email_verification.html/txt : This email is sent when an email verification is required.
+- password_reset.html/txt : This is sent when a pasword reset is requested.
+- verification_code.html/txt : This is used during MFA when email based.
+- signup_verification.html/txt : This email is send to a new subscriber who signed up for service.
+- sub_email_verification.html/txt : This is sent to a subscriber requiring an email verification.
+- sub_verification_code.html/txt : This is used during MFA when email based for a subscriber.
+- logo.jpg : The default logo to use in any of these emails.
+
+## Structure for `wwwassets`
+Any file in the root of the directory will be used as defaults. The following files must be present:
+- email_verification_error.html : Used when email verification has failed.
+- email_verification_success.html : Used when emil verification has succeeded.
+- invitation_error.html :
+- invitation_success.html :
+- password_policy.html :
+- password_reset.html :
+- password_reset_success.html :
+- password_reset_error.html :
+- signup_verification.html :
+- signup_verification_error.html :
+- signup_verification_success.html :
+- favicon.ico : icon for the application
+- 404_error.html : your customized 404 page
+- the_logo : the logo to use.
+
+## For tenants
+When creating a tenant/operator, you must create a subdirectory inside each `wwwassets` and `templates` and replicate 
+all the files that appear at the root level. You need to use the short Operator name (also known as RegistrantId in the API). This means 
+no spaces, all lowercase characters and numbers. No special characters: 0-9 and a-z. 
+
--- a/README.md
+++ b/README.md
@@ -1,66 +1,100 @@
-# ucentralsec
+<p align="center">
+    <img src="images/project/logo.svg" width="200"/>
+</p>

-uCentralSec is the Authentication & Resource Policy Access service for the uCentral system. In order to use the uCentral system
-you must have at least 1 uCentralSec. uCentralSec is the first point of contact for the entire architecture. We strongly recommend using Docker 
-to deploy all the uCentral services. If you would like to develop and play with the source, please do.
+# OpenWiFi Security  (OWSEC)
+
+## What is it?
+The OWSEC is a service for the TIP OpenWiFi CloudSDK (OWSDK).
+OWSEC is the Authentication and Resource Policy Access service for the TIP
+OpenWiFi Cloud SDK (OWSDK). OWSEC,
+like all other OWSDK microservices, is defined using an OpenAPI definition and uses the ucentral communication
+protocol to interact with Access Points. To use the OWSUB, you either need to [build it](#building) or use the
+[Docker version](#docker).
+
+## Building
+To build the microservice from source, please follow the instructions in [here](./BUILDING.md)
+
+## Docker
+To use the CLoudSDK deployment please follow [here](https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy)

 ## OpenAPI
-Like all other uCentral services, uCentralSec is defined through an OpenAPI. You can use this API to build your own applications or integration modules
-into your own systems. If all you need it to access the uCentralGW for example (the service that manages the APs), you will need to:
+You may get static page with OpenAPI docs generated from the definition on [GitHub Page](https://telecominfraproject.github.io/wlan-cloud-ucentralsec/).
+Also, you may use [Swagger UI](https://petstore.swagger.io/#/) with OpenAPI definition file raw link (i.e. [latest version file](https://raw.githubusercontent.com/Telecominfraproject/wlan-cloud-ucentralsec/main/openapi/owsec.yaml)) to get interactive docs page.

+## Usage
+Like all other OWSDK services, OWSEC is defined through an OpenAPI. You can use this API to build your own 
+applications or integration modules into your own systems. If all you need it to access the OWGW for 
+example (the service that manages the APs), you will need to:
 - get a token (`/oauth2`)
 - find the endpoints on the system (`/systemEndpoints`) 
- choose one to manage (pick an endpoint that matches what you are trying to do by looking at its `type`. For the gateway, type = ucentrtalgw)
- make your calls (use the PublicEndPoint of the corresponding entry to make your calls, do not forget to add `/api/v1` as the root os the call)
+- choose a microservice to manage (pick an endpoint that matches what you are trying to do by looking at its 
+`type`. For the Cloud SDK Controller, type = owgw)
+- make your calls (use the PublicEndPoint of the corresponding entry to make your calls, 
+do not forget to add `/api/v1` as the root os the call)

-The CLI for the [uCentralGW](https://github.com/telecominfraproject/wlan-cloud-ucentralgw/blob/main/test_scripts/curl/cli) has a very good example of this. 
-Look for the `setgateway` function.
+The CLI for the [OWGW](https://github.com/telecominfraproject/wlan-cloud-ucentralsec/blob/main/test_scripts/curl/cli) has 
+a very good example of this. Look for the `setgateway` function.
+
+You may get static page with OpenAPI docs generated from the definition on [GitHub Page](https://telecominfraproject.github.io/wlan-cloud-ucentralsec/).
+
+Also, you may use [Swagger UI](https://petstore.swagger.io/#/) with OpenAPI definition file raw link (i.e. [latest version file](https://validator.swagger.io/validator?url=https://raw.githubusercontent.com/Telecominfraproject/wlan-cloud-ucentralsec/main/openpapi/owsec.yaml)) to get interactive docs page.
+
+#### Expected directory layout
+From the directory where your cloned source is, you will need to create the `certs`, `logs`, and `uploads` directories.
+```bash
+mkdir certs
+mkdir certs/cas
+mkdir logs
+mkdir uploads
+```
+You should now have the following:
+```text
+--+-- certs
+  |   +--- cas
+  +-- cmake
+  +-- cmake-build
+  +-- logs
+  +-- src
+  +-- test_scripts
+  +-- openapi
+  +-- uploads
+  +-- owsec.properties
+```
+
+### Certificate
+The OWSEC uses a certificate to provide security for the REST API Certificate to secure the Northbound API.
+
+#### The `certs` directory
+For all deployments, you will need the following `certs` directory, populated with the proper files.
+
+```text
+certs ---+--- restapi-ca.pem
+         +--- restapi-cert.pem
+         +--- restapi-key.pem
+```

 ## Firewall Considerations
-The entire uCentral systems uses several MicroServices. In order for the whole system to work, you should provide the following port
-access:
+| Port  | Description                                | Configurable |
+|:------|:-------------------------------------------|:------------:|
+| 16001 | Default port from the devices to the OWSEC |     yes      |

- Security
-  - Properties file: owsec.properties
-  - Ports
-    - Public: 16001
-    - Private: 17001
-    - ALB: 16101
+### Environment variables
+The following environment variables should be set from the root directory of the service. They tell the OWGW process where to find
+the configuration and the root directory.
+```bash
+export OWGW_ROOT=`pwd`
+export OWGW_CONFIG=`pwd`
+```
+You can run the shell script `set_env.sh` from the microservice root.

- Gateway:
-  - Properties file: owgw.properties
-  - Ports
-    - Public: 16002
-    - Private: 17002
-    - ALB: 16102
-
- Firmware:
-  - Properties file: owfms.properties
-  - Ports
-    - Public: 16004
-    - Private: 17004
-    - ALB: 16104
-
- Provisioning:
-  - Properties file: owprov.properties
-  - Ports
-    - Public: 16004
-    - Private: 17004
-    - ALB: 16104
-
-## Security Configuration
-The service relies on a properties configuration file called `owsec.properties`. In this file, you should configure several entries. Many values are optional 
-and you can rely on the defaults. Here are some values of note:
-
-### `authentication.default.password`
-Set the hash of the default username and password. Please look below on how to do this. 
-
-### `authentication.default.username`
-Set the default username to use to login.
+### OWSEC Service Configuration
+The configuration is kept in a file called `owsec.properties`. To understand the content of this file,
+please look [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/blob/main/CONFIGURATION.md)

 ### Default username and password
 The default username and password are set in `owsec.properties` file. The following entries manage the username and password
-```text
+```properties
 authentication.default.username = tip@ucentral.com
 authentication.default.password = XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 ```
@@ -75,36 +109,17 @@ echo -n "weLoveWifiroot@system.com" | shasum -a 256
 b5bfed31e2a272e52973a57b95042ab842db3999475f3d79f1ce0f45f465e34c  -
 ```
 Then you need to modify your properties file like this
-```text
+```properties
 authentication.default.username = root@system.com
 authentication.default.password = b5bfed31e2a272e52973a57b95042ab842db3999475f3d79f1ce0f45f465e34c
 ```
 Remember, when you login, use `root@system.com` with the password `weLoveWifi`, not this monster digit sequence.

-#### Is this safe?
-Is this safe to show the hash in a text file? Let me put it this way, if you can find a way to break this encryption, you
-would have control over the entire internet. It's incredibly safe. If you love math, you can find a lot of videos explaining
-how hashes work and why they are safe.
-
-### `authentication.validation.expression`
-This is a regular expression (regex) to verify the incoming password. You can find many examples on the internet on how to create these expressions. I suggest 
-that using Google is your friend. Someone has figured out what you want to do already. Click [here](https://stackoverflow.com/questions/19605150/regex-for-password-must-contain-at-least-eight-characters-at-least-one-number-a)
-to get a sample. The default is
-
-```
-^(?=.*?[A-Z])(?=.*?[a-z])(?=.*?[0-9])(?=.*?[#?!@$%^&*-]).{8,}$
-```
-
-### `authentication.oldpasswords`
-The number of older passwords to keep. Default is 5.
-
 ### Changing default password
-
 On the first startup of the service new user will be created with the default credentials from properties `authentication.default.username` and `authentication.default.password`, but **you will have to change the password** before making any real requests.
-
 You can this using [owgw-ui](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw-ui/) on first login or using the following script:

-```
+```bash
 export OWSEC=openwifi.wlan.local:16001 # endpoint to your owsec RESTAPI endpoint
 #export FLAGS="-k" # uncomment and add curl flags that you would like to pass for the request (for example '-k' may be used to pass errors with self-signed certificates)
 export OWSEC_DEFAULT_USERNAME=root@system.com # default username that you've set in property 'authentication.default.username'
@@ -115,7 +130,7 @@ test_scripts/curl/cli testlogin $OWSEC_DEFAULT_USERNAME $OWSEC_DEFAULT_PASSWORD

 CLI is also included in Docker image if you want to run it this way:

-```
+```bash
 export OWSEC=openwifi.wlan.local:16001
 #export FLAGS="-k"
 export OWSEC_DEFAULT_USERNAME=root@system.com
@@ -132,136 +147,25 @@ docker run --rm -ti \
  /cli testlogin $OWSEC_DEFAULT_USERNAME $OWSEC_DEFAULT_PASSWORD $OWSEC_NEW_PASSWORD
 ```

-### Kafka integration
-This security service uses Kafka to coordinate security with other services that are part of the system. You must have a Kafka service running
-in order to use this. You can find several examples of Kafka services available with Docker. Here are the values you need to configure.
+It is very important that you not use spaces in your OrgName.
+## Kafka topics
+Toe read more about Kafka, follow the [document](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/main/KAFKA.md)

-```
-openwifi.kafka.group.id = security
-openwifi.kafka.client.id = security1
-openwifi.kafka.enable = true
-openwifi.kafka.brokerlist = my.kafkaserver.arilia.com:9092
-openwifi.kafka.auto.commit = false
-openwifi.kafka.queue.buffering.max.ms = 50
-```
+## Contributions
+We need more contributors. Should you wish to contribute,
+please follow the [contributions](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/CONTRIBUTING.md) document.

-#### `openwifi.kafka.brokerlist`
-This is the list of your kafka brokers. This is a comma separated list. You should use IP addresses or FQDNs and the relevant ports, usually 9092 is the 
-default.
+## Pull Requests
+Please create a branch with the Jira addressing the issue you are fixing or the feature you are implementing.
+Create a pull-request from the branch into master.

-#### `openwifi.kafka.group.id`
-Every service on the Kafka bux must have a unique value (at least in our case). This should be a string. We suggest using a name corresponding to the 
-function provided. In this case, security.
-
-### Certificates
-Of course we need certificates. In our case, we already have existing certificates we have. You should find out how your file name correspond
-to our names. We suggest reusing the same names we use so it is easier to use our default configuration files. We suggest using proper certificates 
-for the publicly visible interfaces. For private interfaces, self-signed certificates are OK. We will not describe how to use/create private certificates 
-here.
-
-#### The public interface
-Here are the parameters for the public interface. The important files are:
- `restapi-ca.pem` : the CA of your certificate
- `restapi-cert.pem` : the certificate for the public interface
- `restapi-key.pem` : the key associated with this certificate
- `openwifi.restapi.host.0.key.password` : if you key is password protected, you may supply that password here.
-
-```
-openwifi.restapi.host.0.backlog = 100
-openwifi.restapi.host.0.security = relaxed
-openwifi.restapi.host.0.rootca = $OWSEC_ROOT/certs/restapi-ca.pem
-openwifi.restapi.host.0.address = *
-openwifi.restapi.host.0.port = 16001
-openwifi.restapi.host.0.cert = $OWSEC_ROOT/certs/restapi-cert.pem
-openwifi.restapi.host.0.key = $OWSEC_ROOT/certs/restapi-key.pem
-openwifi.restapi.host.0.key.password = mypassword
-```
-
-#### The private interface
-The private interface is used for service-to-service communication. You can use self-signed certificates here or letsencrypt. The file names are similar 
-to the filenames used in the previous section.
-
-```
-openwifi.internal.restapi.host.0.backlog = 100
-openwifi.internal.restapi.host.0.security = relaxed
-openwifi.internal.restapi.host.0.rootca = $OWSEC_ROOT/certs/restapi-ca.pem
-openwifi.internal.restapi.host.0.address = *
-openwifi.internal.restapi.host.0.port = 17001
-openwifi.internal.restapi.host.0.cert = $OWSEC_ROOT/certs/restapi-cert.pem
-openwifi.internal.restapi.host.0.key = $OWSEC_ROOT/certs/restapi-key.pem
-openwifi.internal.restapi.host.0.key.password = mypassword
-```
-
-### Other important values
-Here are other important values you must set.
-
-
-```
-openwifi.system.data = $OWSEC_ROOT/data
-openwifi.system.uri.private = https://localhost:17001
-openwifi.system.uri.public = https://openwifi.dpaas.arilia.com:16001
-openwifi.system.uri.ui = https://ucentral-ui.arilia.com
-openwifi.system.commandchannel = /tmp/app.ucentralsec
-openwifi.service.key = $OWSEC_ROOT/certs/restapi-key.pem
-openwifi.service.key.password = mypassword
-```
-#### `openwifi.system.data`
-The location of some important data files including the user name database.
-
-#### `openwifi.system.uri.private`
-This is the FQDN used internally between services.
-
-#### `openwifi.system.uri.public`
-This is the FQDN used externally serving the OpenAPI interface.
-
-### Sending SMS for Multifactor Aithentication
-`owsec` hs the ability to send SMS messages to users during login or to send notifications. In order to do so,
-an SMS provider must be configured. At present time, 2 providers are supported: Tilio and AWS SNS
-
-#### AWS SMS
-For SNS you must create an IAM ID that has sns:sendmessage rights.  
-
-```
-smssender.enabled = true
-smssender.provider = aws
-smssender.aws.secretkey = ***************************************
-smssender.aws.accesskey = ***************************************
-smssender.aws.region = **************
-```
-
-#### Twilio
-For Twilio, you must provide the following
-
-```
-smssender.enabled = true
-smssender.provider = twilio
-smssender.twilio.sid = ***********************
-smssender.twilio.token = **********************
-smssender.twilio.phonenumber = +18888888888
-```
-
-### `owsec` Messaging Configuration
-`owsec` nay require to send e-mails. In order to do so, you must configure an email sender. We have run tests 
-with GMail and AWS SES. For each, you must obtain the proper credentials and insert them in this configuration as well
-as the proper mail host.
-
-```
-mailer.enabled = true
-mailer.hostname = smtp.gmail.com
-mailer.username = ************************
-mailer.password = ************************
-mailer.sender = OpenWIFI
-mailer.loginmethod = login
-mailer.port = 587
-mailer.templates = $OWSEC_ROOT/templates
-```
-
-#### Google Authenticator
-In order to use the Google Time-based One-Time Password (TOTP), the user must download the Google Authenticator 
-on any other app that support the TOTP protocol. You should include the following in your configuration
-
-```
-totp.issuer = OrgName
-```
-
-It is very important that you not use spaces in your OrgName.
+## Additional OWSDK Microservices
+Here is a list of additional OWSDK microservices
+| Name | Description | Link | OpenAPI |
+| :--- | :--- | :---: | :---: |
+| OWSEC | Security Service | [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec) | [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralsec/blob/main/openpapi/owsec.yaml) |
+| OWGW | Controller Service | [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw) | [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralgw/blob/master/openapi/owgw.yaml) |
+| OWFMS | Firmware Management Service | [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralfms) | [here](https://github.com/Telecominfraproject/wlan-cloud-ucentralfms/blob/main/openapi/owfms.yaml) |
+| OWPROV | Provisioning Service | [here](https://github.com/Telecominfraproject/wlan-cloud-owprov) | [here](https://github.com/Telecominfraproject/wlan-cloud-owprov/blob/main/openapi/owprov.yaml) |
+| OWANALYTICS | Analytics Service | [here](https://github.com/Telecominfraproject/wlan-cloud-analytics) | [here](https://github.com/Telecominfraproject/wlan-cloud-analytics/blob/main/openapi/owanalytics.yaml) |
+| OWSUB | Subscriber Service | [here](https://github.com/Telecominfraproject/wlan-cloud-userportal) | [here](https://github.com/Telecominfraproject/wlan-cloud-userportal/blob/main/openapi/userportal.yaml) |
--- a/2
+++ b/2
@@ -1 +1 @@
-60
+1
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/bash
 set -e

 if [ "$SELFSIGNED_CERTS" = 'true' ]; then
@@ -23,6 +23,7 @@ if [[ "$TEMPLATE_CONFIG" = 'true' ]]; then
  SYSTEM_URI_PRIVATE=${SYSTEM_URI_PRIVATE:-"https://localhost:17001"} \
  SYSTEM_URI_PUBLIC=${SYSTEM_URI_PUBLIC:-"https://localhost:16001"} \
  SYSTEM_URI_UI=${SYSTEM_URI_UI:-"http://localhost"} \
+  SECURITY_RESTAPI_DISABLE=${SECURITY_RESTAPI_DISABLE:-"false"} \
  SERVICE_KEY=${SERVICE_KEY:-"\$OWSEC_ROOT/certs/restapi-key.pem"} \
  SERVICE_KEY_PASSWORD=${SERVICE_KEY_PASSWORD:-"mypassword"} \
  SMSSENDER_ENABLED=${SMSSENDER_ENABLED:-"false"} \
@@ -59,6 +60,16 @@ if [[ "$TEMPLATE_CONFIG" = 'true' ]]; then
  STORAGE_TYPE_MYSQL_PASSWORD=${STORAGE_TYPE_MYSQL_PASSWORD:-"owsec"} \
  STORAGE_TYPE_MYSQL_DATABASE=${STORAGE_TYPE_MYSQL_DATABASE:-"owsec"} \
  STORAGE_TYPE_MYSQL_PORT=${STORAGE_TYPE_MYSQL_PORT:-"3306"} \
+  USER_HELPER_EMAIL=${USER_HELPER_EMAIL:-"openwifi@telecominfraproject.com"} \
+  SUB_HELPER_EMAIL=${SUB_HELPER_EMAIL:-"openwifi@telecominfraproject.com"} \
+  GLOBAL_USER_HELPER_EMAIL=${GLOBAL_USER_HELPER_EMAIL:-"openwifi@telecominfraproject.com"} \
+  GLOBAL_SUB_HELPER_EMAIL=${GLOBAL_SUB_HELPER_EMAIL:-"openwifi@telecominfraproject.com"} \
+  USER_HELPER_SITE=${USER_HELPER_SITE:-"https://openwifi.telecominfraproject.com"} \
+  SUB_HELPER_SITE=${SUB_HELPER_SITE:-"https://openwifi.telecominfraproject.com"} \
+  USER_SYSTEM_LOGIN=${USER_SYSTEM_LOGIN:-"https://openwifi.telecominfraproject.com"} \
+  SUB_SYSTEM_LOGIN=${SUB_SYSTEM_LOGIN:-"https://openwifi.telecominfraproject.com"} \
+  USER_SIGNATURE=${USER_SIGNATURE:-"Telecom Infra Project"} \
+  SUB_SIGNATURE=${SUB_SIGNATURE:-"Telecom Infra Project"} \
  envsubst < /owsec.properties.tmpl > $OWSEC_CONFIG/owsec.properties
 fi

@@ -84,7 +95,7 @@ if [ "$1" = '/openwifi/owsec' -a "$(id -u)" = '0' ]; then
    if [ "$RUN_CHOWN" = 'true' ]; then
      chown -R "$OWSEC_USER": "$OWSEC_ROOT" "$OWSEC_CONFIG"
    fi
-    exec su-exec "$OWSEC_USER" "$@"
+    exec gosu "$OWSEC_USER" "$@"
 fi

 exec "$@"
--- a/helm/.gitignore
+++ b/helm/.gitignore
@@ -1 +1,3 @@
 *.swp
+Chart.lock
+charts/
--- a/helm/README.md
+++ b/helm/README.md
@@ -70,8 +70,8 @@ The following table lists the configurable parameters of the chart and their def
 | persistence.size | string | Defines PV size | `'10Gi'` |
 | public_env_variables | hash | Defines list of environment variables to be passed to the Security | |
 | configProperties | hash | Configuration properties that should be passed to the application in `owsec.properties`. May be passed by key in set (i.e. `configProperties."rtty\.token"`) | |
-| certs | hash | Defines files (keys and certificates) that should be passed to the Security (PEM format is adviced to be used) (see `volumes.owsec` on where it is mounted) |  |
-
+| existingCertsSecret | string | Existing Kubernetes secret containing all required certificates and private keys for microservice operation. If set, certificates from `certs` key are ignored | `""` |
+| certs | hash | Defines files (keys and certificates) that should be passed to the Gateway (PEM format is adviced to be used) (see `volumes.owsec` on where it is mounted). If `existingCertsSecret` is set, certificates passed this way will not be used. |  |

 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. For example,

--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -1,4 +1,5 @@
 {{- $root := . -}}
+{{- $storageType := index .Values.configProperties "storage.type" -}}
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -46,6 +47,39 @@ spec:
            - -timeout
            - 600s

+{{- if eq $storageType "postgresql" }}
+        - name: wait-postgres
+          image: "{{ .Values.images.owsec.repository }}:{{ .Values.images.owsec.tag }}"
+          imagePullPolicy: {{ .Values.images.owsec.pullPolicy }}
+          command:
+            - /wait-for-postgres.sh
+            - {{ index .Values.configProperties "storage.type.postgresql.host" }}
+            - echo
+            - "PostgreSQL is ready"
+          env:
+            - name: KUBERNETES_DEPLOYED
+              value: "{{ now }}"
+          {{- range $key, $value := .Values.public_env_variables }}
+            - name: {{ $key }}
+              value: {{ $value | quote }}
+          {{- end }}
+          {{- range $key, $value := .Values.secret_env_variables }}
+            - name: {{ $key }}
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "owsec.fullname" $root }}-env
+                  key: {{ $key }}
+          {{- end }}
+          volumeMounts:
+          {{- range .Values.volumes.owsec }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath }}
+            {{- if .subPath }}
+            subPath: {{ .subPath }}
+            {{- end }}
+          {{- end }}
+{{- end }}
+
      containers:

        - name: owsec
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -71,7 +71,7 @@ volumes:
      mountPath: /owsec-data/certs
      volumeDefinition: |
        secret:
-          secretName: {{ include "owsec.fullname" . }}-certs
+          secretName: {{ if .Values.existingCertsSecret }}{{ .Values.existingCertsSecret }}{{ else }}{{ include "owsec.fullname" . }}-certs{{ end }}
    # Change this if you want to use another volume type
    - name: persist
      mountPath: /owsec-data/persist
@@ -92,7 +92,7 @@ resources: {}
  #  memory: 128Mi

 securityContext:
-  fsGroup: 101
+  fsGroup: 1000

 nodeSelector: {}

@@ -228,6 +228,9 @@ configProperties:
  storage.type.mysql.username: stephb
  storage.type.mysql.password: snoopy99

+# NOTE: List of required certificates may be found in "certs" key. Alternative way to pass required certificates is to create external secret with all required certificates and set secret name in "existingCertsSecret" key. Details may be found in https://github.com/Telecominfraproject/wlan-cloud-ucentral-deploy/tree/main/chart#tldr
+existingCertsSecret: ""
+
 certs:
  # restapi-ca.pem: ""
  # restapi-cert.pem: ""
--- a/images/device_types/cig_wf160d.png
+++ b/images/device_types/cig_wf160d.png
--- a/images/device_types/cig_wf188.png
+++ b/images/device_types/cig_wf188.png
--- a/images/device_types/cig_wf188n.png
+++ b/images/device_types/cig_wf188n.png
--- a/images/device_types/cig_wf194c.png
+++ b/images/device_types/cig_wf194c.png
--- a/images/device_types/cig_wf194c4.png
+++ b/images/device_types/cig_wf194c4.png
--- a/images/device_types/cig_wf808.png
+++ b/images/device_types/cig_wf808.png
--- a/images/device_types/cig_wf809.png
+++ b/images/device_types/cig_wf809.png
--- a/images/device_types/edgecore_eap101.png
+++ b/images/device_types/edgecore_eap101.png
--- a/images/device_types/edgecore_eap102.png
+++ b/images/device_types/edgecore_eap102.png
--- a/images/device_types/edgecore_ecs4100-12ph.png
+++ b/images/device_types/edgecore_ecs4100-12ph.png
--- a/images/device_types/edgecore_ecw5211.png
+++ b/images/device_types/edgecore_ecw5211.png
--- a/images/device_types/edgecore_ecw5410.png
+++ b/images/device_types/edgecore_ecw5410.png
--- a/images/device_types/edgecore_oap100.png
+++ b/images/device_types/edgecore_oap100.png
--- a/images/device_types/edgecore_spw2ac1200-lan-poe.png
+++ b/images/device_types/edgecore_spw2ac1200-lan-poe.png
--- a/images/device_types/edgecore_spw2ac1200.png
+++ b/images/device_types/edgecore_spw2ac1200.png
--- a/images/device_types/edgecore_ssw2ac2600.png
+++ b/images/device_types/edgecore_ssw2ac2600.png
--- a/images/device_types/hfcl_ion4.png
+++ b/images/device_types/hfcl_ion4.png
--- a/images/device_types/hfcl_ion4.yml.png
+++ b/images/device_types/hfcl_ion4.yml.png
--- a/images/device_types/indio_um-305ac.png
+++ b/images/device_types/indio_um-305ac.png
--- a/images/device_types/linksys_e8450-ubi.png
+++ b/images/device_types/linksys_e8450-ubi.png
--- a/images/device_types/linksys_ea6350-v4.png
+++ b/images/device_types/linksys_ea6350-v4.png
--- a/images/device_types/linksys_ea6350.png
+++ b/images/device_types/linksys_ea6350.png
--- a/images/device_types/linksys_ea8300.png
+++ b/images/device_types/linksys_ea8300.png
--- a/images/device_types/tp-link_ec420-g1.png
+++ b/images/device_types/tp-link_ec420-g1.png
--- a/images/device_types/tplink_ec420.png
+++ b/images/device_types/tplink_ec420.png
--- a/images/device_types/tplink_ex227.png
+++ b/images/device_types/tplink_ex227.png
--- a/images/device_types/tplink_ex228.png
+++ b/images/device_types/tplink_ex228.png
--- a/images/device_types/tplink_ex447.png
+++ b/images/device_types/tplink_ex447.png
--- a/images/device_types/wallys_dr40x9.png
+++ b/images/device_types/wallys_dr40x9.png
--- a/images/device_types/wallys_dr6018.png
+++ b/images/device_types/wallys_dr6018.png
--- a/images/device_types/wallys_dr6018_v4.png
+++ b/images/device_types/wallys_dr6018_v4.png
--- a/images/project/logo.png
+++ b/images/project/logo.png
--- a/images/project/logo.svg
+++ b/images/project/logo.svg
@@ -0,0 +1,165 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 24.2.3, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 141.5 185.6" style="enable-background:new 0 0 141.5 185.6;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#414141;}
+	.st1{fill:#FFFFFF;}
+	.st2{fill:#FED206;}
+	.st3{fill:#EB6F53;}
+	.st4{fill:#3BA9B6;}
+</style>
+<g>
+	<g>
+		<path class="st0" d="M120.7,183.9H21.5c-10.8,0-19.5-8.7-19.5-19.5V20.5c0-10.8,8.7-19.5,19.5-19.5h99.2
+			c10.8,0,19.5,8.7,19.5,19.5v143.9C140.2,175.2,131.5,183.9,120.7,183.9z"/>
+		<g>
+			<g>
+				<g>
+					<path class="st1" d="M46.3,166.2v-3.4h-1.2v-0.6h3.1v0.6H47v3.4H46.3z"/>
+				</g>
+				<g>
+					<path class="st1" d="M49,166.2v-4h2.7v0.6h-2v1h2v0.6h-2v1.1h2v0.6H49z"/>
+				</g>
+				<g>
+					<path class="st1" d="M52.6,166.2v-4h0.7v3.4h1.8v0.6H52.6z"/>
+				</g>
+				<g>
+					<path class="st1" d="M55.7,166.2v-4h2.7v0.6h-2v1h2v0.6h-2v1.1h2v0.6H55.7z"/>
+				</g>
+				<g>
+					<path class="st1" d="M59.1,164.2c0-1.2,0.9-2.1,2.1-2.1c0.8,0,1.3,0.4,1.6,0.9l-0.6,0.3c-0.2-0.3-0.6-0.6-1-0.6
+						c-0.8,0-1.4,0.6-1.4,1.4c0,0.8,0.6,1.4,1.4,1.4c0.4,0,0.8-0.3,1-0.6l0.6,0.3c-0.3,0.5-0.8,0.9-1.6,0.9
+						C60,166.3,59.1,165.5,59.1,164.2z"/>
+				</g>
+				<g>
+					<path class="st1" d="M63.2,164.2c0-1.2,0.8-2.1,2-2.1c1.2,0,2,0.9,2,2.1c0,1.2-0.8,2.1-2,2.1C64,166.3,63.2,165.4,63.2,164.2z
+						 M66.5,164.2c0-0.8-0.5-1.4-1.3-1.4c-0.8,0-1.3,0.6-1.3,1.4c0,0.8,0.5,1.4,1.3,1.4C66,165.7,66.5,165,66.5,164.2z"/>
+				</g>
+				<g>
+					<path class="st1" d="M71.3,166.2v-3.1l-1.2,3.1h-0.3l-1.2-3.1v3.1h-0.7v-4h1l1.1,2.7l1.1-2.7h1v4H71.3z"/>
+				</g>
+				<g>
+					<path class="st1" d="M75.7,166.2v-4h0.7v4H75.7z"/>
+				</g>
+				<g>
+					<path class="st1" d="M80.4,166.2l-2.1-2.8v2.8h-0.7v-4h0.7l2,2.8v-2.8h0.7v4H80.4z"/>
+				</g>
+				<g>
+					<path class="st1" d="M82.3,166.2v-4H85v0.6h-2v1h2v0.6h-2v1.7H82.3z"/>
+				</g>
+				<g>
+					<path class="st1" d="M87.9,166.2l-0.9-1.5h-0.7v1.5h-0.7v-4h1.7c0.8,0,1.3,0.5,1.3,1.2c0,0.7-0.5,1.1-0.9,1.2l1,1.6H87.9z
+						 M88,163.5c0-0.4-0.3-0.6-0.7-0.6h-1v1.3h1C87.7,164.1,88,163.9,88,163.5z"/>
+				</g>
+				<g>
+					<path class="st1" d="M92.4,166.2l-0.3-0.8h-1.8l-0.3,0.8h-0.8l1.6-4h0.9l1.6,4H92.4z M91.2,162.9l-0.7,1.9h1.4L91.2,162.9z"/>
+				</g>
+				<g>
+					<path class="st1" d="M95.8,166.2v-4h1.5c0.8,0,1.2,0.5,1.2,1.2c0,0.6-0.4,1.2-1.2,1.2h-1.2v1.7H95.8z M98.2,163.4
+						c0-0.5-0.3-0.9-0.9-0.9h-1.1v1.7h1.1C97.8,164.3,98.2,163.9,98.2,163.4z"/>
+				</g>
+				<g>
+					<path class="st1" d="M101.5,166.2l-1.1-1.6h-0.9v1.6h-0.3v-4h1.5c0.7,0,1.2,0.4,1.2,1.2c0,0.7-0.5,1.1-1.1,1.1l1.2,1.7H101.5z
+						 M101.6,163.4c0-0.5-0.4-0.9-0.9-0.9h-1.1v1.7h1.1C101.2,164.3,101.6,163.9,101.6,163.4z"/>
+				</g>
+				<g>
+					<path class="st1" d="M102.8,164.2c0-1.2,0.8-2.1,1.9-2.1c1.2,0,1.9,0.9,1.9,2.1c0,1.2-0.8,2.1-1.9,2.1
+						C103.6,166.3,102.8,165.4,102.8,164.2z M106.3,164.2c0-1-0.6-1.7-1.6-1.7c-1,0-1.6,0.7-1.6,1.7c0,1,0.6,1.7,1.6,1.7
+						C105.7,166,106.3,165.2,106.3,164.2z"/>
+				</g>
+				<g>
+					<path class="st1" d="M106.9,165.8l0.2-0.3c0.2,0.2,0.4,0.4,0.8,0.4c0.5,0,0.9-0.4,0.9-0.9v-2.8h0.3v2.8c0,0.8-0.5,1.2-1.2,1.2
+						C107.5,166.3,107.2,166.1,106.9,165.8z"/>
+				</g>
+				<g>
+					<path class="st1" d="M110.4,166.2v-4h2.5v0.3h-2.2v1.5h2.1v0.3h-2.1v1.6h2.2v0.3H110.4z"/>
+				</g>
+				<g>
+					<path class="st1" d="M113.5,164.2c0-1.2,0.9-2.1,2-2.1c0.6,0,1.1,0.3,1.5,0.7l-0.3,0.2c-0.3-0.3-0.7-0.6-1.2-0.6
+						c-0.9,0-1.7,0.7-1.7,1.7c0,1,0.7,1.7,1.7,1.7c0.5,0,0.9-0.2,1.2-0.6l0.3,0.2c-0.4,0.4-0.8,0.7-1.5,0.7
+						C114.4,166.3,113.5,165.5,113.5,164.2z"/>
+				</g>
+				<g>
+					<path class="st1" d="M118.7,166.2v-3.7h-1.3v-0.3h2.9v0.3H119v3.7H118.7z"/>
+				</g>
+			</g>
+			<g>
+				<polygon class="st1" points="26.3,163.8 31.6,158.5 36.9,163.8 37.7,163.8 31.6,157.6 25.5,163.8 				"/>
+				<polygon class="st1" points="36.9,164.7 31.6,170 26.3,164.7 25.5,164.7 31.6,170.8 37.7,164.7 				"/>
+				<polygon class="st1" points="31,163.8 36.3,158.5 41.6,163.8 42.5,163.8 36.3,157.6 30.2,163.8 				"/>
+				<polygon class="st1" points="41.6,164.7 36.3,170 31,164.7 30.2,164.7 36.3,170.8 42.5,164.7 				"/>
+			</g>
+		</g>
+		<g>
+			<path class="st1" d="M33.2,100.7c-4.6,0-8.3,3.7-8.3,8.3s3.7,8.3,8.3,8.3s8.3-3.7,8.3-8.3S37.8,100.7,33.2,100.7z"/>
+		</g>
+		<g>
+			<g>
+				<g>
+					<path class="st2" d="M33.2,35.2c40.7,0,73.8,33.1,73.8,73.8c0,0.7,0,1.4,0,2.1c0,1.7,0.6,3.3,1.7,4.6c1.2,1.2,2.8,1.9,4.5,2
+						l0.2,0c3.5,0,6.3-2.7,6.4-6.2c0-0.8,0-1.7,0-2.5c0-47.7-38.8-86.6-86.6-86.6c-0.8,0-1.7,0-2.5,0c-1.7,0-3.3,0.8-4.5,2
+						c-1.2,1.2-1.8,2.9-1.7,4.6c0.1,3.5,3,6.3,6.6,6.2C31.8,35.2,32.5,35.2,33.2,35.2z"/>
+				</g>
+			</g>
+		</g>
+		<g>
+			<g>
+				<g>
+					<path class="st3" d="M33.2,60.5c26.7,0,48.5,21.7,48.5,48.5c0,0.6,0,1.3,0,2c-0.1,1.7,0.5,3.3,1.7,4.6c1.2,1.3,2.7,2,4.4,2.1
+						c1.7,0.1,3.3-0.5,4.6-1.7c1.2-1.2,2-2.7,2-4.4c0-0.9,0.1-1.8,0.1-2.6c0-33.8-27.5-61.2-61.2-61.2c-0.8,0-1.6,0-2.6,0.1
+						c-1.7,0.1-3.3,0.8-4.4,2.1c-1.2,1.3-1.8,2.9-1.7,4.6s0.8,3.3,2.1,4.4c1.3,1.2,2.9,1.8,4.6,1.7C31.9,60.5,32.6,60.5,33.2,60.5z"
+						/>
+				</g>
+			</g>
+		</g>
+		<g>
+			<g>
+				<g>
+					<path class="st4" d="M33.2,86.7c12.3,0,22.3,10,22.3,22.3c0,0.5,0,1.1-0.1,1.8c-0.3,3.5,2.3,6.6,5.8,6.9
+						c3.5,0.3,6.6-2.3,6.9-5.8c0.1-1,0.1-1.9,0.1-2.8c0-19.3-15.7-35.1-35.1-35.1c-0.9,0-1.8,0-2.8,0.1c-1.7,0.1-3.2,0.9-4.3,2.2
+						c-1.1,1.3-1.6,2.9-1.5,4.6c0.1,1.7,0.9,3.2,2.2,4.3c1.3,1.1,2.9,1.6,4.6,1.5C32.1,86.7,32.7,86.7,33.2,86.7z"/>
+				</g>
+			</g>
+		</g>
+	</g>
+	<g>
+		<path class="st1" d="M35.8,130.4c1.1,0.6,2.1,1.5,2.7,2.6c0.7,1.1,1,2.3,1,3.7s-0.3,2.6-1,3.7c-0.7,1.1-1.6,2-2.7,2.6
+			c-1.1,0.6-2.4,1-3.8,1s-2.7-0.3-3.8-1c-1.1-0.6-2.1-1.5-2.7-2.6c-0.7-1.1-1-2.3-1-3.7c0-1.3,0.3-2.6,1-3.7c0.7-1.1,1.6-2,2.7-2.6
+			c1.1-0.6,2.4-0.9,3.8-0.9C33.4,129.5,34.7,129.8,35.8,130.4z M29.9,132.9c-0.7,0.4-1.2,0.9-1.6,1.6s-0.6,1.4-0.6,2.2
+			c0,0.8,0.2,1.6,0.6,2.3c0.4,0.7,0.9,1.2,1.6,1.6c0.7,0.4,1.4,0.6,2.1,0.6c0.8,0,1.5-0.2,2.1-0.6c0.6-0.4,1.2-0.9,1.5-1.6
+			c0.4-0.7,0.6-1.4,0.6-2.3c0-0.8-0.2-1.6-0.6-2.2s-0.9-1.2-1.5-1.6c-0.6-0.4-1.4-0.6-2.1-0.6C31.3,132.3,30.6,132.5,29.9,132.9z"/>
+		<path class="st1" d="M50.6,133.6c0.8,0.5,1.4,1.1,1.8,2c0.4,0.8,0.6,1.8,0.6,2.9c0,1.1-0.2,2-0.6,2.8c-0.4,0.8-1,1.5-1.8,1.9
+			c-0.8,0.5-1.6,0.7-2.6,0.7c-0.7,0-1.4-0.1-2-0.4s-1.1-0.7-1.5-1.2v5.4h-3.1V133h3.1v1.6c0.4-0.5,0.9-1,1.4-1.2s1.2-0.4,2-0.4
+			C48.9,132.9,49.8,133.1,50.6,133.6z M49.1,140.5c0.5-0.6,0.7-1.3,0.7-2.2c0-0.9-0.2-1.6-0.7-2.1c-0.5-0.6-1.1-0.8-1.9-0.8
+			s-1.4,0.3-1.9,0.8c-0.5,0.6-0.8,1.3-0.8,2.1c0,0.9,0.2,1.6,0.8,2.2s1.1,0.8,1.9,0.8S48.6,141,49.1,140.5z"/>
+		<path class="st1" d="M63.4,134.4c0.9,1,1.4,2.4,1.4,4.2c0,0.3,0,0.6,0,0.7H57c0.2,0.7,0.5,1.2,1,1.6c0.5,0.4,1.1,0.6,1.8,0.6
+			c0.5,0,1-0.1,1.5-0.3s0.9-0.5,1.3-0.9l1.6,1.6c-0.5,0.6-1.2,1.1-2,1.4c-0.8,0.3-1.6,0.5-2.6,0.5c-1.1,0-2.1-0.2-3-0.7
+			s-1.5-1.1-2-1.9c-0.5-0.8-0.7-1.8-0.7-2.9c0-1.1,0.2-2.1,0.7-2.9s1.1-1.5,2-1.9c0.8-0.5,1.8-0.7,2.9-0.7
+			C61.2,132.9,62.5,133.4,63.4,134.4z M61.8,137.5c0-0.7-0.3-1.3-0.7-1.7s-1-0.6-1.7-0.6c-0.7,0-1.2,0.2-1.7,0.6
+			c-0.4,0.4-0.7,1-0.9,1.7H61.8z"/>
+		<path class="st1" d="M76.2,134c0.7,0.7,1.1,1.7,1.1,3v6.8h-3.1v-5.9c0-0.7-0.2-1.2-0.6-1.6s-0.9-0.6-1.5-0.6
+			c-0.8,0-1.4,0.3-1.8,0.8c-0.4,0.5-0.7,1.2-0.7,2v5.3h-3.1V133h3.1v1.9c0.7-1.3,2-2,3.7-2C74.6,132.8,75.5,133.2,76.2,134z"/>
+		<path class="st1" d="M96,129.7h3.3l-4.7,14h-3.3l-2.9-10.1l-3,10.1h-3.2l-4.7-14h3.4l3,10.7l3-10.7H90l3.1,10.7L96,129.7z"/>
+		<path class="st1" d="M103.3,128.7c0.3,0.3,0.5,0.7,0.5,1.2s-0.2,0.9-0.5,1.2c-0.3,0.3-0.7,0.5-1.2,0.5c-0.5,0-0.9-0.2-1.2-0.5
+			c-0.3-0.3-0.5-0.7-0.5-1.2c0-0.5,0.2-0.9,0.5-1.2c0.3-0.3,0.7-0.5,1.2-0.5C102.6,128.2,103,128.3,103.3,128.7z M100.6,133h3.1
+			v10.8h-3.1V133z"/>
+		<path class="st1" d="M106.5,129.7h10.1l0,2.6h-6.9v3.4h6.3v2.6h-6.3v5.3h-3.2V129.7z"/>
+		<path class="st1" d="M120.9,128.7c0.3,0.3,0.5,0.7,0.5,1.2s-0.2,0.9-0.5,1.2c-0.3,0.3-0.7,0.5-1.2,0.5c-0.5,0-0.9-0.2-1.2-0.5
+			c-0.3-0.3-0.5-0.7-0.5-1.2c0-0.5,0.2-0.9,0.5-1.2c0.3-0.3,0.7-0.5,1.2-0.5C120.1,128.2,120.5,128.3,120.9,128.7z M118.1,133h3.1
+			v10.8h-3.1V133z"/>
+	</g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+<g>
+</g>
+</svg>
--- a/openpapi/owsec.yaml
+++ b/openpapi/owsec.yaml
@@ -17,6 +17,7 @@ servers:
 security:
  - bearerAuth: []
  - ApiKeyAuth: []
+  - ApiToken: []

 components:
  securitySchemes:
@@ -28,6 +29,10 @@ components:
      type: http
      scheme: bearer
      bearerFormat: JWT
+    ApiToken:
+      type: apiKey
+      in: header
+      name: X-API-TOKEN

  responses:
    NotFound:
@@ -66,7 +71,8 @@ components:
                  - 11    # BAD_MFA_TRANSACTION
                  - 12    # MFA_FAILURE
                  - 13    # SECURITY_SERVICE_UNREACHABLE
-                  - 14    # CANNOT REFRESH TOKEN
+                  - 14    # CANNOT_REFRESH_TOKEN
+                  - 15    # ACCOUNT_SUSPENDED
              ErrorDetails:
                type: string
              ErrorDescription:
@@ -164,18 +170,61 @@ components:
        aclTemplate:
          $ref: '#/components/schemas/AclTemplate'

-    ApiKeyCreationRequest:
+    ApiKeyAccessRight:
      type: object
      properties:
+        service:
+          type: string
+        access:
+          type: string
+          enum:
+            - read
+            - modify
+            - create
+            - delete
+            - noaccess
+
+    ApiKeyAccessRightList:
+      type: object
+      properties:
+        acls:
+          type: array
+          items:
+            $ref: '#/components/schemas/ApiKeyAccessRight'
+
+    ApiKeyEntry:
+      type: object
+      properties:
+        id:
+          type: string
+          format: uuid
+        userUuid:
+          type: string
+          format: uuid
        name:
          type: string
        description:
          type: string
+        apiKey:
+          type: string
+        salt:
+          type: string
        expiresOn:
          type: integer
          format: int64
+        lastUse:
+          type: integer
+          format: int64
        rights:
-          $ref: '#/components/schemas/AclTemplate'
+          $ref: '#/components/schemas/ApiKeyAccessRightList'
+
+    ApiKeyEntryList:
+      type: object
+      properties:
+        apiKeys:
+          type: array
+          items:
+            $ref: '#/components/schemas/ApiKeyEntry'

    ApiKeyCreationAnswer:
      type: object
@@ -194,7 +243,7 @@ components:
        apiKey:
          type: string
        rights:
-          $ref: '#/components/schemas/AclTemplate'
+          $ref: '#/components/schemas/ApiKeyAccessRightList'

    AclTemplate:
      type: object
@@ -444,6 +493,16 @@ components:
        sms:
          type: string

+    ExtraSystemConfiguration:
+      type: array
+      items:
+        type: object
+        properties:
+          parameterName:
+            type: string
+          parameterValue:
+            type: string
+
    #########################################################################################
    ##
    ## These are endpoints that all services in the uCentral stack must provide
@@ -506,12 +565,6 @@ components:
            - $ref: '#/components/schemas/StringList'
            - $ref: '#/components/schemas/TagValuePairList'

-    SystemCommandResults:
-      type: object
-      oneOf:
-        - $ref: '#/components/schemas/StringList'
-        - $ref: '#/components/schemas/TagValuePairList'
-
    SystemInfoResults:
      type: object
      properties:
@@ -540,6 +593,33 @@ components:
                type: integer
                format: int64

+    SystemResources:
+      type: object
+      properties:
+        numberOfFileDescriptors:
+          type: integer
+          format: int64
+        currRealMem:
+          type: integer
+          format: int64
+        peakRealMem:
+          type: integer
+          format: int64
+        currVirtMem:
+          type: integer
+          format: int64
+        peakVirtMem:
+          type: integer
+          format: int64
+
+    SystemCommandResults:
+      type: object
+      oneOf:
+        - $ref: '#/components/schemas/SystemResources'
+        - $ref: '#/components/schemas/SystemInfoResults'
+        - $ref: '#/components/schemas/StringList'
+        - $ref: '#/components/schemas/TagValuePairList'
+
    ProfileAction:
      type: object
      properties:
@@ -704,6 +784,23 @@ components:
              value:
                type: string

+    SystemSecretEntry:
+      type: object
+      properties:
+        name:
+          type: string
+        value:
+          type: string
+
+    SystemSecretEntryList:
+      type: object
+      properties:
+        secrets:
+          type: array
+          items:
+            $ref: '#/components/schemas/SystemSecretEntry'
+
+
    #########################################################################################
    ##
    ## End of uCentral system wide values
@@ -894,7 +991,7 @@ paths:
  /systemEndpoints:
    get:
      tags:
-        - Authentication
+        - System Commands
      summary: Retrieve the system layout.
      operationId: getSystemInfo
      responses:
@@ -1034,6 +1131,12 @@ paths:
            type: string
            format: uuid
          required: true
+        - in: query
+          description: When used, signifies the the id is actually the email address of the user, and not its uuid
+          name: byEmail
+          schema:
+            type: boolean
+          required: false
      responses:
        200:
          $ref: '#/components/schemas/UserInfo'
@@ -1150,6 +1253,12 @@ paths:
            type: string
            format: uuid
          required: true
+        - in: query
+          description: When used, signifies the the id is actually the email address of the user, and not its uuid
+          name: byEmail
+          schema:
+            type: boolean
+          required: false
      responses:
        200:
          $ref: '#/components/schemas/UserInfo'
@@ -1348,7 +1457,7 @@ paths:
  /email:
    post:
      tags:
-        - Email
+        - Messaging
      summary: Send test email with the system.
      operationId: Send a test email
      requestBody:
@@ -1379,7 +1488,7 @@ paths:
  /sms:
    post:
      tags:
-        - Email
+        - Messaging
      summary: Send test email with the system.
      operationId: Send a test SMS
      parameters:
@@ -1634,7 +1743,103 @@ paths:
        404:
          $ref: '#/components/responses/NotFound'

-
+  /apiKey/{uuid}:
+    get:
+      tags:
+        - API Tokens
+      summary: Retrieve all the APIKeys for a given user UUID
+      operationId: getApiKeyList
+      parameters:
+        - in: path
+          name: uuid
+          schema:
+            type: string
+            format: uuid
+          required: true
+      responses:
+        200:
+          $ref: '#/components/schemas/ApiKeyEntryList'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+    delete:
+      tags:
+        - API Tokens
+      summary: Retrieve all the APIKeys for a given user UUID
+      operationId: deleteApiKey
+      parameters:
+        - in: path
+          name: uuid
+          schema:
+            type: string
+            format: uuid
+          required: true
+        - in: query
+          name: keyUuid
+          schema:
+            type: string
+          required: true
+      responses:
+        200:
+          $ref: '#/components/responses/Success'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+    post:
+      tags:
+        - API Tokens
+      summary: Retrieve all the APIKeys for a given user UUID
+      operationId: createApiKey
+      parameters:
+        - in: path
+          name: uuid
+          schema:
+            type: string
+            format: uuid
+          required: true
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ApiKeyEntry'
+      responses:
+        200:
+          $ref: '#/components/schemas/ApiKeyEntry'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+    put:
+      tags:
+        - API Tokens
+      summary: Retrieve all the APIKeys for a given user UUID
+      operationId: modifyApiKey
+      parameters:
+        - in: path
+          name: uuid
+          schema:
+            type: string
+            format: uuid
+          required: true
+        - in: query
+          name: name
+          schema:
+            type: string
+          required: true
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ApiKeyEntry'
+      responses:
+        200:
+          $ref: '#/components/schemas/ApiKeyEntry'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'

  #########################################################################################
  ##
@@ -1677,19 +1882,6 @@ paths:
  #########################################################################################
  ##  The following calls are restricted to the private system side APIs
  #########################################################################################
-  /systemServices:
-    get:
-      tags:
-        - Security
-      summary: Retrieve the basic system information. This information is used between services only.
-      operationId: getSystemServices
-      responses:
-        200:
-          $ref: '#/components/schemas/InternalSystemServices'
-        403:
-          $ref: '#/components/responses/Unauthorized'
-        404:
-          $ref: '#/components/responses/NotFound'

  /validateToken:
    get:
@@ -1732,6 +1924,26 @@ paths:
        404:
          $ref: '#/components/responses/NotFound'

+  /validateApiKey:
+    get:
+      tags:
+        - Security
+      summary: Allows an application to validate an API Key.
+      operationId: validateApiKey
+      parameters:
+        - in: query
+          name: token
+          schema:
+            type: string
+          required: true
+      responses:
+        200:
+          $ref: '#/components/schemas/TokenValidationResult'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
  /system:
    post:
      tags:
@@ -1776,21 +1988,167 @@ paths:
            type: string
            enum:
              - info
+              - extraConfiguration
+              - resources
          required: true
-
      responses:
        200:
-          description: Successful command execution
-          content:
-            application/json:
-              schema:
-                oneOf:
-                  - $ref: '#/components/schemas/SystemInfoResults'
+          $ref: '#/components/schemas/SystemCommandResults'
        403:
          $ref: '#/components/responses/Unauthorized'
        404:
          $ref: '#/components/responses/NotFound'

+  /systemSecret/{secret}:
+    get:
+      tags:
+        - System Secrets
+      description: Retrieve a specific secret
+      operationId: getSecret
+      parameters:
+        - in: path
+          name: secret
+          schema:
+            type: string
+          required: true
+        - in: query
+          name: all
+          schema:
+            type: boolean
+          required: false
+        - in: query
+          name: dictionary
+          schema:
+            type: boolean
+          required: false
+      responses:
+        200:
+          description: Successfull retrieval
+          content:
+            application/json:
+              schema:
+                oneOf:
+                  - type: object
+                    properties:
+                      knownKeys:
+                        type: array
+                        items:
+                          type: object
+                          properties:
+                            key:
+                              type: string
+                            helper:
+                              type: string
+                  - $ref: '#/components/schemas/SystemSecretEntry'
+                  - $ref: '#/components/schemas/SystemSecretEntryList'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+    put:
+      tags:
+        - System Secrets
+      description: Modify a specific secret
+      operationId: modifySecret
+      parameters:
+        - in: path
+          name: secret
+          schema:
+            type: string
+          required: true
+        - in: query
+          name: value
+          schema:
+            type: string
+          required: true
+      responses:
+        200:
+          $ref: '#/components/schemas/SystemSecretEntry'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+    delete:
+      description: Remove a specific secret
+      operationId: deleteSecret
+      parameters:
+        - in: path
+          name: secret
+          schema:
+            type: string
+          required: true
+      responses:
+        200:
+          $ref: '#/components/responses/Success'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+  /systemConfiguration:
+    get:
+      tags:
+        - SystemConfiguration
+      summary: Retrieve system configuration items
+      operationId: getSystemConfiguration
+      parameters:
+        - in: query
+          description: Which parameters you want to retrieve
+          name: entries
+          schema:
+            type: string
+            example:
+              - element1
+              - element1,element2,element3
+          required: false
+      responses:
+        200:
+          description: List of configuration elements
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/ExtraSystemConfiguration'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+    put:
+      tags:
+        - SystemConfiguration
+      summary: Set some or all system configuration
+      operationId: setSystemConfiguration
+      requestBody:
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ExtraSystemConfiguration'
+
+      responses:
+        200:
+          $ref: '#/components/schemas/ExtraSystemConfiguration'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'
+
+    delete:
+      tags:
+        - SystemConfiguration
+      summary: Delete all additional system configuration
+      operationId: deleteSystemConfiguration
+
+      responses:
+        200:
+          $ref: '#/components/responses/Success'
+        403:
+          $ref: '#/components/responses/Unauthorized'
+        404:
+          $ref: '#/components/responses/NotFound'

 #########################################################################################
 ##
--- a/overlays/curl/portfile.cmake
+++ b/overlays/curl/portfile.cmake
@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)
--- a/overlays/curl/vcpkg.json
+++ b/overlays/curl/vcpkg.json
@@ -0,0 +1,4 @@
+{
+    "name": "curl",
+    "version-string": "7.74.0-1.3+deb11u3"
+}
--- a/overlays/openssl/portfile.cmake
+++ b/overlays/openssl/portfile.cmake
@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)
--- a/overlays/openssl/vcpkg.json
+++ b/overlays/openssl/vcpkg.json
@@ -0,0 +1,4 @@
+{
+    "name": "openssl",
+    "version-string": "1.1.1n-0+deb11u3"
+}
--- a/overlays/zlib/portfile.cmake
+++ b/overlays/zlib/portfile.cmake
@@ -0,0 +1 @@
+set(VCPKG_POLICY_EMPTY_PACKAGE enabled)
--- a/overlays/zlib/vcpkg.json
+++ b/overlays/zlib/vcpkg.json
@@ -0,0 +1,4 @@
+{
+    "name": "zlib",
+    "version-string": "1:1.2.11.dfsg-2+deb11u2"
+}
--- a/owsec.properties
+++ b/owsec.properties
@@ -34,8 +34,9 @@ authentication.default.username = tip@ucentral.com
 authentication.default.password = 13268b7daa751240369d125e79c873bd8dd3bef7981bdfd38ea03dbb1fbe7dcf
 openwifi.system.data = $OWSEC_ROOT/data
 openwifi.system.uri.private = https://localhost:17001
-openwifi.system.uri.public = https://local.dpaas.arilia.com:16001
-openwifi.system.uri.ui = https://ucentral-ui.arilia.com
+openwifi.system.uri.public = https://main.server.com:16001
+openwifi.system.uri.ui = https://ucentral-ui.main.server.com
+openwifi.security.restapi.disable = false
 openwifi.system.commandchannel = /tmp/app.ucentralsec
 openwifi.service.key = $OWSEC_ROOT/certs/restapi-key.pem
 openwifi.service.key.password = mypassword
@@ -63,9 +64,19 @@ mailer.loginmethod = login
 mailer.port = 587
 mailer.templates = $OWSEC_ROOT/templates

+helper.user.email = openwifi@telecominfraproject.com
+helper.sub.email = openwifi@telecominfraproject.com
+helper.user.global.email = openwifi@telecominfraproject.com
+helper.sub.global.email = openwifi@telecominfraproject.com
+helper.user.site = https://openwifi.telecominfraproject.com
+helper.sub.site = https://openwifi.telecominfraproject.com
+helper.user.login = https://openwifi.telecominfraproject.com
+helper.sub.login = https://openwifi.telecominfraproject.com
+helper.user.signature = Telecom Infra Project
+helper.sub.signature = Telecom Infra Project

 #############################
-# Generic information for all micro services
+# Generic information for all micro-services
 #############################
 #
 # NLB Support
@@ -79,7 +90,7 @@ alb.port = 16101
 openwifi.kafka.group.id = security
 openwifi.kafka.client.id = security1
 openwifi.kafka.enable = true
-openwifi.kafka.brokerlist = a1.arilia.com:9092
+openwifi.kafka.brokerlist = kafka:9092
 openwifi.kafka.auto.commit = false
 openwifi.kafka.queue.buffering.max.ms = 50
 openwifi.kafka.ssl.ca.location =
@@ -109,18 +120,18 @@ storage.type.sqlite.maxsessions = 128
 storage.type.postgresql.maxsessions = 64
 storage.type.postgresql.idletime = 60
 storage.type.postgresql.host = localhost
-storage.type.postgresql.username = stephb
-storage.type.postgresql.password = snoopy99
-storage.type.postgresql.database = ucentral
+storage.type.postgresql.username = owsec
+storage.type.postgresql.password = owsec
+storage.type.postgresql.database = owsec
 storage.type.postgresql.port = 5432
 storage.type.postgresql.connectiontimeout = 60

 storage.type.mysql.maxsessions = 64
 storage.type.mysql.idletime = 60
 storage.type.mysql.host = localhost
-storage.type.mysql.username = stephb
-storage.type.mysql.password = snoopy99
-storage.type.mysql.database = ucentral
+storage.type.mysql.username = owsec
+storage.type.mysql.password = owsec
+storage.type.mysql.database = owsec
 storage.type.mysql.port = 3306
 storage.type.mysql.connectiontimeout = 60

@@ -132,4 +143,4 @@ storage.type.mysql.connectiontimeout = 60
 ########################################################################
 logging.type = file
 logging.path = $OWSEC_ROOT/logs
-logging.level = debug
+logging.level = debug
--- a/owsec.properties.tmpl
+++ b/owsec.properties.tmpl
@@ -36,6 +36,7 @@ openwifi.system.data = ${SYSTEM_DATA}
 openwifi.system.uri.private = ${SYSTEM_URI_PRIVATE}
 openwifi.system.uri.public = ${SYSTEM_URI_PUBLIC}
 openwifi.system.uri.ui = ${SYSTEM_URI_UI}
+openwifi.security.restapi.disable = ${SECURITY_RESTAPI_DISABLE}
 openwifi.system.commandchannel = /tmp/app.ucentralsec
 openwifi.service.key = ${SERVICE_KEY}
 openwifi.service.key.password = ${SERVICE_KEY_PASSWORD}
@@ -63,6 +64,16 @@ mailer.loginmethod = login
 mailer.port = ${MAILER_PORT}
 mailer.templates = ${MAILER_TEMPLATES}

+helper.user.email = ${USER_HELPER_EMAIL}
+helper.sub.email = ${SUB_HELPER_EMAIL}
+helper.user.global.email = ${GLOBAL_USER_HELPER_EMAIL}
+helper.sub.global.email = ${GLOBAL_SUB_HELPER_EMAIL}
+helper.user.site = ${USER_HELPER_SITE}
+helper.sub.site = ${SUB_HELPER_SITE}
+helper.user.login = ${USER_SYSTEM_LOGIN}
+helper.sub.login = ${SUB_SYSTEM_LOGIN}
+helper.user.signature = ${USER_SIGNATURE}
+helper.sub.signature = ${SUB_SIGNATURE}

 #############################
 # Generic information for all micro services
--- a/src/ACLProcessor.h
+++ b/src/ACLProcessor.h
@@ -9,82 +9,124 @@

 namespace OpenWifi {

-    class ACLProcessor {
-    public:
-        enum ACL_OPS {
-            READ,
-            MODIFY,
-            DELETE,
-            CREATE
-        };
-/*
- *  0) You can only delete yourself if you are a subscriber
-    1) You cannot delete yourself
-    2) If you are root, you can do anything.
-    3) You can do anything to yourself
-    4) Nobody can touch a root, unless they are a root, unless it is to get information on a ROOT
-    5) Creation rules:
-        ROOT -> create anything
-        PARTNER -> (multi-tenant owner) admin,subs,csr,installer,noc,accounting - matches to an entity in provisioning
-        ADMIN -> admin-subs-csr-installer-noc-accounting
-        ACCOUNTING -> subs-installer-csr
+	class ACLProcessor {
+	  public:
+		enum ACL_OPS { READ, MODIFY, DELETE, CREATE };
+		/*
+		 *  0) You can only delete yourself if you are a subscriber
+			1) You cannot delete yourself
+			2) If you are root, you can do anything.
+			3) You can do anything to yourself
+			4) Nobody can touch a root, unless they are a root, unless it is to get information on a
+		 ROOT 5) Creation rules: ROOT -> create anything PARTNER -> (multi-tenant owner)
+		 admin,subs,csr,installer,noc,accounting - matches to an entity in provisioning ADMIN ->
+		 admin-subs-csr-installer-noc-accounting ACCOUNTING -> subs-installer-csr

- */
-        static inline bool Can( const SecurityObjects::UserInfo & User, const SecurityObjects::UserInfo & Target, ACL_OPS Op) {
+		 */
+		static inline bool Can(const SecurityObjects::UserInfo &User,
+							   const SecurityObjects::UserInfo &Target, ACL_OPS Op) {

-            // rule 0
-            if(User.id == Target.id && User.userRole == SecurityObjects::SUBSCRIBER && Op == DELETE)
-                return true;
+			switch (Op) {
+			case DELETE: {
+				//  can a user delete themselves - yes - only if not root. We do not want a system
+				//  to end up rootless
+				if (User.id == Target.id) {
+					return User.userRole != SecurityObjects::ROOT;
+				}
+				//  Root can delete anyone
+				switch (User.userRole) {
+				case SecurityObjects::ROOT:
+					return true;
+				case SecurityObjects::ADMIN:
+					return Target.userRole != SecurityObjects::ROOT &&
+						   Target.userRole != SecurityObjects::PARTNER;
+				case SecurityObjects::SUBSCRIBER:
+					return User.id == Target.id;
+				case SecurityObjects::CSR:
+					return false;
+				case SecurityObjects::SYSTEM:
+					return Target.userRole != SecurityObjects::ROOT &&
+						   Target.userRole != SecurityObjects::PARTNER;
+				case SecurityObjects::INSTALLER:
+					return User.id == Target.id;
+				case SecurityObjects::NOC:
+					return Target.userRole == SecurityObjects::NOC;
+				case SecurityObjects::ACCOUNTING:
+					return Target.userRole == SecurityObjects::ACCOUNTING;
+				case SecurityObjects::PARTNER:
+					return Target.userRole != SecurityObjects::ROOT;
+				default:
+					return false;
+				}
+			} break;

-            //  rule 1
-            if(User.id == Target.id && Op==DELETE)
-                return false;
+			case READ: {
+				return User.userRole == SecurityObjects::ROOT ||
+					   User.userRole == SecurityObjects::ADMIN ||
+					   User.userRole == SecurityObjects::PARTNER;
+			} break;

-            //  rule 2
-            if(User.userRole==SecurityObjects::ROOT)
-                return true;
+			case CREATE: {
+				switch (User.userRole) {
+				case SecurityObjects::ROOT:
+					return true;
+				case SecurityObjects::ADMIN:
+					return Target.userRole != SecurityObjects::ROOT &&
+						   Target.userRole != SecurityObjects::PARTNER;
+				case SecurityObjects::SUBSCRIBER:
+					return false;
+				case SecurityObjects::CSR:
+					return Target.userRole == SecurityObjects::CSR;
+				case SecurityObjects::SYSTEM:
+					return Target.userRole != SecurityObjects::ROOT &&
+						   Target.userRole != SecurityObjects::PARTNER;
+				case SecurityObjects::INSTALLER:
+					return Target.userRole == SecurityObjects::INSTALLER;
+				case SecurityObjects::NOC:
+					return Target.userRole == SecurityObjects::NOC;
+				case SecurityObjects::ACCOUNTING:
+					return Target.userRole == SecurityObjects::ACCOUNTING;
+				case SecurityObjects::PARTNER:
+					return Target.userRole != SecurityObjects::ROOT;
+				default:
+					return false;
+				}
+			} break;

-            //  rule 3
-            if(User.id == Target.id)
-                return true;
+			case MODIFY: {
+				switch (User.userRole) {
+				case SecurityObjects::ROOT:
+					return true;
+				case SecurityObjects::ADMIN:
+					return Target.userRole != SecurityObjects::ROOT &&
+						   Target.userRole != SecurityObjects::PARTNER;
+				case SecurityObjects::SUBSCRIBER:
+					return User.id == Target.id;
+				case SecurityObjects::CSR:
+					return Target.userRole == SecurityObjects::CSR;
+				case SecurityObjects::SYSTEM:
+					return Target.userRole != SecurityObjects::ROOT &&
+						   Target.userRole != SecurityObjects::PARTNER;
+				case SecurityObjects::INSTALLER:
+					return Target.userRole == SecurityObjects::INSTALLER;
+				case SecurityObjects::NOC:
+					return Target.userRole == SecurityObjects::NOC;
+				case SecurityObjects::ACCOUNTING:
+					return Target.userRole == SecurityObjects::ACCOUNTING;
+				case SecurityObjects::PARTNER:
+					return Target.userRole != SecurityObjects::ROOT;
+				default:
+					return false;
+				}
+			} break;
+			default:
+				return false;
+			}
+		}

-            //  rule 4
-            if(Target.userRole==SecurityObjects::ROOT && Op!=READ)
-                return false;
+	  private:
+	};

-            if(Op==CREATE) {
-                if(User.userRole==SecurityObjects::ROOT)
-                    return true;
-                if(User.userRole==SecurityObjects::PARTNER && (Target.userRole==SecurityObjects::ADMIN ||
-                    Target.userRole==SecurityObjects::SUBSCRIBER ||
-                    Target.userRole==SecurityObjects::CSR ||
-                    Target.userRole==SecurityObjects::INSTALLER ||
-                    Target.userRole==SecurityObjects::NOC ||
-                    Target.userRole==SecurityObjects::ACCOUNTING))
-                    return true;
-                if(User.userRole==SecurityObjects::ADMIN &&
-                    (Target.userRole==SecurityObjects::ADMIN ||
-                    Target.userRole==SecurityObjects::SUBSCRIBER ||
-                    Target.userRole==SecurityObjects::CSR ||
-                    Target.userRole==SecurityObjects::INSTALLER ||
-                    Target.userRole==SecurityObjects::NOC ||
-                    Target.userRole==SecurityObjects::ACCOUNTING))
-                    return true;
-                if(User.userRole==SecurityObjects::ACCOUNTING &&
-                    (Target.userRole==SecurityObjects::SUBSCRIBER ||
-                    Target.userRole==SecurityObjects::INSTALLER ||
-                    Target.userRole==SecurityObjects::CSR))
-                    return true;
-                return false;
-            }
+} // namespace OpenWifi

-            return true;
-        }
-    private:
-
-    };
-
-}
-
-
-#endif //OWSEC_ACLPROCESSOR_H
+#endif // OWSEC_ACLPROCESSOR_H
--- a/src/ActionLinkManager.cpp
+++ b/src/ActionLinkManager.cpp
@@ -3,105 +3,142 @@
 //

 #include "ActionLinkManager.h"
-#include "StorageService.h"
+#include "MessagingTemplates.h"
 #include "RESTObjects/RESTAPI_SecurityObjects.h"
+#include "StorageService.h"
+#include "fmt/format.h"
+#include "framework/utils.h"

 namespace OpenWifi {

-    int ActionLinkManager::Start() {
-        if(!Running_)
-            Thr_.start(*this);
-        return 0;
-    }
+	int ActionLinkManager::Start() {
+		poco_information(Logger(), "Starting...");
+		if (!Running_)
+			Thr_.start(*this);
+		return 0;
+	}
+
+	void ActionLinkManager::Stop() {
+		poco_information(Logger(), "Stopping...");
+		if (Running_) {
+			Running_ = false;
+			Thr_.wakeUp();
+			Thr_.join();
+		}
+		poco_information(Logger(), "Stopped...");
+	}

-    void ActionLinkManager::Stop() {
-        if(Running_) {
-            Running_ = false;
-            Thr_.wakeUp();
-            Thr_.join();
-        }
-    }

    void ActionLinkManager::run() {
-        Running_ = true ;
-        Utils::SetThreadName("action-mgr");
+		Running_ = true;
+		Utils::SetThreadName("action-mgr");

-        while(Running_) {
-            Poco::Thread::trySleep(2000);
-            if(!Running_)
-                break;
-            std::vector<SecurityObjects::ActionLink>    Links;
-            {
-                std::lock_guard G(Mutex_);
-                StorageService()->ActionLinksDB().GetActions(Links);
-            }
+        Poco::Thread::trySleep(10000);

-            if(Links.empty())
-                continue;
+		while (Running_) {
+			Poco::Thread::trySleep(2000);
+			if (!Running_)
+				break;
+			std::vector<SecurityObjects::ActionLink> Links;
+			{
+				std::lock_guard G(Mutex_);
+				StorageService()->ActionLinksDB().GetActions(Links);
+			}

-            for(auto &i:Links) {
-                if(!Running_)
-                    break;
+			if (Links.empty())
+				continue;

-                SecurityObjects::UserInfo UInfo;
-                if((i.action==OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD ||
-                    i.action==OpenWifi::SecurityObjects::LinkActions::VERIFY_EMAIL) && !StorageService()->UserDB().GetUserById(i.userId,UInfo)) {
-                    StorageService()->ActionLinksDB().CancelAction(i.id);
-                    continue;
-                } else if(( i.action==OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD ||
-                            i.action==OpenWifi::SecurityObjects::LinkActions::SUB_VERIFY_EMAIL ||
-                            i.action==OpenWifi::SecurityObjects::LinkActions::SUB_SIGNUP ) && !StorageService()->SubDB().GetUserById(i.userId,UInfo)) {
-                    StorageService()->ActionLinksDB().CancelAction(i.id);
-                    continue;
-                }
+			for (auto &i : Links) {
+				if (!Running_)
+					break;

-                switch(i.action) {
-                    case OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD: {
-                            if(AuthService::SendEmailToUser(i.id, UInfo.email, AuthService::FORGOT_PASSWORD)) {
-                                Logger().information(fmt::format("Send password reset link to {}",UInfo.email));
-                            }
-                            StorageService()->ActionLinksDB().SentAction(i.id);
-                        }
-                        break;
+				SecurityObjects::UserInfo UInfo;
+				if ((i.action == OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD ||
+					 i.action == OpenWifi::SecurityObjects::LinkActions::VERIFY_EMAIL) &&
+					!StorageService()->UserDB().GetUserById(i.userId, UInfo)) {
+					StorageService()->ActionLinksDB().CancelAction(i.id);
+					continue;
+				} else if ((i.action ==
+								OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD ||
+							i.action == OpenWifi::SecurityObjects::LinkActions::SUB_VERIFY_EMAIL ||
+							i.action == OpenWifi::SecurityObjects::LinkActions::SUB_SIGNUP) &&
+						   !StorageService()->SubDB().GetUserById(i.userId, UInfo)) {
+					StorageService()->ActionLinksDB().CancelAction(i.id);
+					continue;
+				} else if ((i.action == OpenWifi::SecurityObjects::LinkActions::EMAIL_INVITATION) &&
+						   (OpenWifi::Now() - i.created) > (24 * 60 * 60)) {
+					StorageService()->ActionLinksDB().CancelAction(i.id);
+					continue;
+				}

-                    case OpenWifi::SecurityObjects::LinkActions::VERIFY_EMAIL: {
-                            if(AuthService::SendEmailToUser(i.id, UInfo.email, AuthService::EMAIL_VERIFICATION)) {
-                                Logger().information(fmt::format("Send email verification link to {}",UInfo.email));
-                            }
-                            StorageService()->ActionLinksDB().SentAction(i.id);
-                        }
-                        break;
+				switch (i.action) {
+				case OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD: {
+					if (AuthService()->SendEmailToUser(i.id, UInfo.email,
+													   MessagingTemplates::FORGOT_PASSWORD)) {
+						poco_information(
+							Logger(), fmt::format("Send password reset link to {}", UInfo.email));
+					}
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				} break;

-                    case OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD: {
-                            if(AuthService::SendEmailToSubUser(i.id, UInfo.email, AuthService::FORGOT_PASSWORD)) {
-                                Logger().information(fmt::format("Send subscriber password reset link to {}",UInfo.email));
-                            }
-                            StorageService()->ActionLinksDB().SentAction(i.id);
-                        }
-                        break;
+				case OpenWifi::SecurityObjects::LinkActions::VERIFY_EMAIL: {
+					if (AuthService()->SendEmailToUser(i.id, UInfo.email,
+													   MessagingTemplates::EMAIL_VERIFICATION)) {
+						poco_information(Logger(), fmt::format("Send email verification link to {}",
+															   UInfo.email));
+					}
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				} break;

-                    case OpenWifi::SecurityObjects::LinkActions::SUB_VERIFY_EMAIL: {
-                            if(AuthService::SendEmailToSubUser(i.id, UInfo.email, AuthService::EMAIL_VERIFICATION)) {
-                                Logger().information(fmt::format("Send subscriber email verification link to {}",UInfo.email));
-                            }
-                            StorageService()->ActionLinksDB().SentAction(i.id);
-                        }
-                        break;
+				case OpenWifi::SecurityObjects::LinkActions::EMAIL_INVITATION: {
+					if (AuthService()->SendEmailToUser(i.id, UInfo.email,
+													   MessagingTemplates::EMAIL_INVITATION)) {
+						poco_information(
+							Logger(), fmt::format("Send new subscriber email invitation link to {}",
+												  UInfo.email));
+					}
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				} break;

-                    case OpenWifi::SecurityObjects::LinkActions::SUB_SIGNUP: {
-                        if(AuthService::SendEmailToSubUser(i.id, UInfo.email, AuthService::SIGNUP_VERIFICATION)) {
-                            Logger().information(fmt::format("Send new subscriber email verification link to {}",UInfo.email));
-                        }
-                        StorageService()->ActionLinksDB().SentAction(i.id);
-                        }
-                        break;
+				case OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD: {
+					if (AuthService()->SendEmailToSubUser(i.id, UInfo.email,
+														  MessagingTemplates::SUB_FORGOT_PASSWORD,"")) {
+						poco_information(
+							Logger(),
+							fmt::format("Send subscriber password reset link to {}", UInfo.email));
+					}
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				} break;

-                    default: {
-                        StorageService()->ActionLinksDB().SentAction(i.id);
-                    }
-                }
-            }
-        }
-    }
+				case OpenWifi::SecurityObjects::LinkActions::SUB_VERIFY_EMAIL: {
+					if (AuthService()->SendEmailToSubUser(
+							i.id, UInfo.email, MessagingTemplates::SUB_EMAIL_VERIFICATION,"")) {
+						poco_information(
+							Logger(), fmt::format("Send subscriber email verification link to {}",
+												  UInfo.email));
+					}
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				} break;

-}
+				case OpenWifi::SecurityObjects::LinkActions::SUB_SIGNUP: {
+					auto Signup = Poco::StringTokenizer(UInfo.signingUp, ":");
+					if (AuthService()->SendEmailToSubUser(
+							i.id, UInfo.email, MessagingTemplates::SUB_SIGNUP_VERIFICATION,
+							Signup.count() == 1 ? "" : Signup[0])) {
+						poco_information(
+							Logger(),
+							fmt::format("Send new subscriber email verification link to {}",
+										UInfo.email));
+					}
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				} break;
+
+				default: {
+					StorageService()->ActionLinksDB().SentAction(i.id);
+				}
+				}
+			}
+		}
+	}
+
+} // namespace OpenWifi
--- a/src/ActionLinkManager.h
+++ b/src/ActionLinkManager.h
@@ -2,43 +2,29 @@
 // Created by stephane bourque on 2021-11-08.
 //

-#ifndef OWSEC_ACTIONLINKMANAGER_H
-#define OWSEC_ACTIONLINKMANAGER_H
+#pragma once

-#include "framework/MicroService.h"
+#include "framework/SubSystemServer.h"

 namespace OpenWifi {

-    class ActionLinkManager : public SubSystemServer, Poco::Runnable {
-    public:
+	class ActionLinkManager : public SubSystemServer, Poco::Runnable {
+	  public:
+		static ActionLinkManager *instance() {
+			static auto instance_ = new ActionLinkManager;
+			return instance_;
+		}

-/*        enum Actions {
-            FORGOT_PASSWORD,
-            VERIFY_EMAIL,
-            SUB_FORGOT_PASSWORD,
-            SUB_VERIFY_EMAIL,
-            SUB_SIGNUP
-        };
-*/
-        static ActionLinkManager * instance() {
-            static auto instance_ = new ActionLinkManager;
-            return instance_;
-        }
+		int Start() final;
+		void Stop() final;
+		void run() final;

-        int Start() final;
-        void Stop() final;
-        void run() final;
+	  private:
+		Poco::Thread Thr_;
+		std::atomic_bool Running_ = false;

-    private:
-        Poco::Thread        Thr_;
-        std::atomic_bool    Running_ = false;
-
-        ActionLinkManager() noexcept:
-            SubSystemServer("ActionLinkManager", "ACTION-SVR", "action.server")
-                {
-                }
-    };
-    inline ActionLinkManager * ActionLinkManager() { return ActionLinkManager::instance(); }
-}
-
-#endif //OWSEC_ACTIONLINKMANAGER_H
+		ActionLinkManager() noexcept
+			: SubSystemServer("ActionLinkManager", "ACTION-SVR", "action.server") {}
+	};
+	inline ActionLinkManager *ActionLinkManager() { return ActionLinkManager::instance(); }
+} // namespace OpenWifi
--- a/src/AuthService.cpp
+++ b/src/AuthService.cpp
--- a/src/AuthService.h
+++ b/src/AuthService.h
@@ -6,165 +6,229 @@
 //	Arilia Wireless Inc.
 //

-#ifndef UCENTRAL_UAUTHSERVICE_H
-#define UCENTRAL_UAUTHSERVICE_H
+#pragma once

 #include <regex>

+#include "Poco/Crypto/DigestEngine.h"
+#include "Poco/ExpireLRUCache.h"
+#include "Poco/HMACEngine.h"
 #include "Poco/JSON/Object.h"
+#include "Poco/JWT/Signer.h"
 #include "Poco/Net/HTTPServerRequest.h"
 #include "Poco/Net/HTTPServerResponse.h"
-#include "Poco/JWT/Signer.h"
 #include "Poco/SHA2Engine.h"
-#include "Poco/Crypto/DigestEngine.h"
-#include "Poco/HMACEngine.h"
-#include "Poco/ExpireLRUCache.h"
+#include "framework/SubSystemServer.h"

-#include "framework/MicroService.h"
+#include "framework/MicroServiceFuncs.h"
+#include "framework/ow_constants.h"
+
+#include "MessagingTemplates.h"
 #include "RESTObjects/RESTAPI_SecurityObjects.h"

-namespace OpenWifi{
+namespace OpenWifi {

-    static const std::string AUTHENTICATION_SYSTEM{"SYSTEM"};
+	static const std::string AUTHENTICATION_SYSTEM{"SYSTEM"};

-    class AuthService : public SubSystemServer {
-    public:
+	class AuthService : public SubSystemServer {
+	  public:
+		enum ACCESS_TYPE { USERNAME, SERVER, CUSTOM };

-        enum ACCESS_TYPE {
-            USERNAME,
-            SERVER,
-            CUSTOM
-        };
+		static ACCESS_TYPE IntToAccessType(int C);
+		static int AccessTypeToInt(ACCESS_TYPE T);

-        enum EMAIL_REASON {
-            FORGOT_PASSWORD,
-            EMAIL_VERIFICATION,
-            SIGNUP_VERIFICATION
-        };
+		static auto instance() {
+			static auto instance_ = new AuthService;
+			return instance_;
+		}

-        static ACCESS_TYPE IntToAccessType(int C);
-        static int AccessTypeToInt(ACCESS_TYPE T);
+		int Start() override;
+		void Stop() override;

-        static auto instance() {
-            static auto instance_ = new AuthService;
-            return instance_;
-        }
+		[[nodiscard]] bool IsAuthorized(Poco::Net::HTTPServerRequest &Request,
+										std::string &SessionToken,
+										SecurityObjects::UserInfoAndPolicy &UInfo,
+										std::uint64_t TID, bool &Expired);
+		[[nodiscard]] bool IsAuthorized(const std::string &SessionToken,
+										SecurityObjects::UserInfoAndPolicy &UInfo,
+										std::uint64_t TID, bool &Expired);

-        int Start() override;
-        void Stop() override;
+		[[nodiscard]] UNAUTHORIZED_REASON Authorize(std::string &UserName,
+													const std::string &Password,
+													const std::string &NewPassword,
+													SecurityObjects::UserInfoAndPolicy &UInfo,
+													bool &Expired);
+		void CreateToken(const std::string &UserName, SecurityObjects::UserInfoAndPolicy &UInfo);
+		[[nodiscard]] bool SetPassword(const std::string &Password,
+									   SecurityObjects::UserInfo &UInfo);
+		[[nodiscard]] const std::string &PasswordValidationExpression() const {
+			return PasswordValidationStr_;
+		};
+		void Logout(const std::string &token, bool EraseFromCache = true);

-        [[nodiscard]] bool IsAuthorized(Poco::Net::HTTPServerRequest & Request,std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo, bool & Expired);
-        [[nodiscard]] UNAUTHORIZED_REASON Authorize( std::string & UserName, const std::string & Password, const std::string & NewPassword, SecurityObjects::UserInfoAndPolicy & UInfo, bool & Expired );
-        void CreateToken(const std::string & UserName, SecurityObjects::UserInfoAndPolicy &UInfo);
-        [[nodiscard]] bool SetPassword(const std::string &Password, SecurityObjects::UserInfo & UInfo);
-        [[nodiscard]] const std:: string & PasswordValidationExpression() const { return PasswordValidationStr_;};
-        void Logout(const std::string &token, bool EraseFromCache=true);
+		[[nodiscard]] bool IsSubAuthorized(Poco::Net::HTTPServerRequest &Request,
+										   std::string &SessionToken,
+										   SecurityObjects::UserInfoAndPolicy &UInfo,
+										   std::uint64_t TID, bool &Expired);
+		[[nodiscard]] UNAUTHORIZED_REASON AuthorizeSub(std::string &UserName,
+													   const std::string &Password,
+													   const std::string &NewPassword,
+													   SecurityObjects::UserInfoAndPolicy &UInfo,
+													   bool &Expired);

-        [[nodiscard]] bool IsSubAuthorized(Poco::Net::HTTPServerRequest & Request,std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo, bool & Expired);
-        [[nodiscard]] UNAUTHORIZED_REASON AuthorizeSub( std::string & UserName, const std::string & Password, const std::string & NewPassword, SecurityObjects::UserInfoAndPolicy & UInfo, bool & Expired );
-        void CreateSubToken(const std::string & UserName, SecurityObjects::UserInfoAndPolicy &UInfo);
-        [[nodiscard]] bool SetSubPassword(const std::string &Password, SecurityObjects::UserInfo & UInfo);
-        [[nodiscard]] const std:: string & SubPasswordValidationExpression() const { return PasswordValidationStr_;};
-        void SubLogout(const std::string &token, bool EraseFromCache=true);
+		void CreateSubToken(const std::string &UserName, SecurityObjects::UserInfoAndPolicy &UInfo);
+		[[nodiscard]] bool SetSubPassword(const std::string &Password,
+										  SecurityObjects::UserInfo &UInfo);
+		[[nodiscard]] const std::string &SubPasswordValidationExpression() const {
+			return PasswordValidationStr_;
+		};
+		void SubLogout(const std::string &token, bool EraseFromCache = true);

-        void RemoveTokenSystemWide(const std::string &token);
+		void RemoveTokenSystemWide(const std::string &token);

-        bool ValidatePassword(const std::string &pwd);
-        bool ValidateSubPassword(const std::string &pwd);
+		bool ValidatePassword(const std::string &pwd);
+		bool ValidateSubPassword(const std::string &pwd);

-        [[nodiscard]] bool IsValidToken(const std::string &Token, SecurityObjects::WebToken &WebToken, SecurityObjects::UserInfo &UserInfo, bool & Expired);
-        [[nodiscard]] bool IsValidSubToken(const std::string &Token, SecurityObjects::WebToken &WebToken, SecurityObjects::UserInfo &UserInfo, bool & Expired);
-        [[nodiscard]] std::string GenerateTokenJWT(const std::string & UserName, ACCESS_TYPE Type);
-        [[nodiscard]] std::string GenerateTokenHMAC(const std::string & UserName, ACCESS_TYPE Type);
+		[[nodiscard]] bool IsValidToken(const std::string &Token,
+										SecurityObjects::WebToken &WebToken,
+										SecurityObjects::UserInfo &UserInfo, bool &Expired);
+		[[nodiscard]] bool IsValidSubToken(const std::string &Token,
+										   SecurityObjects::WebToken &WebToken,
+										   SecurityObjects::UserInfo &UserInfo, bool &Expired);
+		[[nodiscard]] std::string GenerateTokenJWT(const std::string &UserName, ACCESS_TYPE Type);
+		[[nodiscard]] std::string GenerateTokenHMAC(const std::string &UserName, ACCESS_TYPE Type);

-        [[nodiscard]] std::string ComputeNewPasswordHash(const std::string &UserName, const std::string &Password);
-        [[nodiscard]] bool ValidatePasswordHash(const std::string & UserName, const std::string & Password, const std::string &StoredPassword);
-        [[nodiscard]] bool ValidateSubPasswordHash(const std::string & UserName, const std::string & Password, const std::string &StoredPassword);
+		[[nodiscard]] bool IsValidApiKey(const std::string &ApiKey,
+										 SecurityObjects::WebToken &WebToken,
+										 SecurityObjects::UserInfo &UserInfo, bool &Expired,
+										 std::uint64_t &expiresOn, bool &Suspended);
+		[[nodiscard]] std::string ComputeNewPasswordHash(const std::string &UserName,
+														 const std::string &Password);
+		[[nodiscard]] bool ValidatePasswordHash(const std::string &UserName,
+												const std::string &Password,
+												const std::string &StoredPassword);
+		[[nodiscard]] bool ValidateSubPasswordHash(const std::string &UserName,
+												   const std::string &Password,
+												   const std::string &StoredPassword);

-        [[nodiscard]] bool UpdatePassword(const std::string &Admin, const std::string &UserName, const std::string & OldPassword, const std::string &NewPassword);
-        [[nodiscard]] std::string ResetPassword(const std::string &Admin, const std::string &UserName);
+		[[nodiscard]] bool UpdatePassword(const std::string &Admin, const std::string &UserName,
+										  const std::string &OldPassword,
+										  const std::string &NewPassword);
+		[[nodiscard]] std::string ResetPassword(const std::string &Admin,
+												const std::string &UserName);

-        [[nodiscard]] bool UpdateSubPassword(const std::string &Admin, const std::string &UserName, const std::string & OldPassword, const std::string &NewPassword);
-        [[nodiscard]] std::string ResetSubPassword(const std::string &Admin, const std::string &UserName);
+		[[nodiscard]] bool UpdateSubPassword(const std::string &Admin, const std::string &UserName,
+											 const std::string &OldPassword,
+											 const std::string &NewPassword);
+		[[nodiscard]] std::string ResetSubPassword(const std::string &Admin,
+												   const std::string &UserName);

-        [[nodiscard]] static bool VerifyEmail(SecurityObjects::UserInfo &UInfo);
-        [[nodiscard]] static bool VerifySubEmail(SecurityObjects::UserInfo &UInfo);
+		[[nodiscard]] static bool VerifyEmail(SecurityObjects::UserInfo &UInfo);
+		[[nodiscard]] static bool VerifySubEmail(SecurityObjects::UserInfo &UInfo);

-        [[nodiscard]] static bool SendEmailToUser(const std::string &LinkId, std::string &Email, EMAIL_REASON Reason);
-        [[nodiscard]] static bool SendEmailToSubUser(const std::string &LinkId, std::string &Email, EMAIL_REASON Reason);
-        [[nodiscard]] bool RequiresMFA(const SecurityObjects::UserInfoAndPolicy &UInfo);
+		[[nodiscard]] bool SendEmailToUser(const std::string &LinkId, std::string &Email,
+										   MessagingTemplates::EMAIL_REASON Reason);
+		[[nodiscard]] bool SendEmailToSubUser(const std::string &LinkId, std::string &Email,
+											  MessagingTemplates::EMAIL_REASON Reason,
+											  const std::string &OperatorName);
+		[[nodiscard]] bool RequiresMFA(const SecurityObjects::UserInfoAndPolicy &UInfo);

-        bool DeleteUserFromCache(const std::string &UserName);
-        bool DeleteSubUserFromCache(const std::string &UserName);
-        void RevokeToken(std::string & Token);
-        void RevokeSubToken(std::string & Token);
+		[[nodiscard]] bool SendEmailChallengeCode(const SecurityObjects::UserInfoAndPolicy &UInfo,
+												  const std::string &code);

-        [[nodiscard]] static inline const std::string GetLogoAssetURI() {
-            return MicroService::instance().PublicEndPoint() + "/wwwassets/the_logo.png";
-        }
+		bool DeleteUserFromCache(const std::string &UserName);
+		bool DeleteSubUserFromCache(const std::string &UserName);
+		void RevokeToken(std::string &Token);
+		void RevokeSubToken(std::string &Token);

-        [[nodiscard]] static inline const std::string GetLogoAssetFileName() {
-            return MicroService::instance().WWWAssetsDir() + "/the_logo.png";
-        }
+		[[nodiscard]] static inline const std::string GetLogoAssetURI() {
+			return MicroServicePublicEndPoint() + "/wwwassets/logo.png";
+		}

-        inline const std::string & GetPasswordPolicy() const { return PasswordPolicy_; }
-        inline const std::string & GetAccessPolicy() const { return AccessPolicy_; }
+		[[nodiscard]] static inline const std::string GetLogoAssetFileName() {
+			return MicroServiceWWWAssetsDir() + "/logo.png";
+		}

-        inline const std::string & GetSubPasswordPolicy() const { return SubPasswordPolicy_; }
-        inline const std::string & GetSubAccessPolicy() const { return SubAccessPolicy_; }
+		[[nodiscard]] static inline const std::string GetSubLogoAssetURI() {
+			return MicroServicePublicEndPoint() + "/wwwassets/sub_logo.png";
+		}

-        bool RefreshUserToken(Poco::Net::HTTPServerRequest & Request, const std::string & RefreshToken, SecurityObjects::UserInfoAndPolicy & UI);
-        bool RefreshSubToken(Poco::Net::HTTPServerRequest & Request, const std::string & RefreshToken, SecurityObjects::UserInfoAndPolicy & UI);
+		[[nodiscard]] static inline const std::string GetSubLogoAssetFileName() {
+			return MicroServiceWWWAssetsDir() + "/sub_logo.png";
+		}

-    private:
-		Poco::SHA2Engine	SHA2_;
+		inline const std::string &GetPasswordPolicy() const { return PasswordPolicy_; }
+		inline const std::string &GetAccessPolicy() const { return AccessPolicy_; }

-		std::string         AccessPolicy_;
-		std::string         PasswordPolicy_;
-		std::string         SubAccessPolicy_;
-		std::string         SubPasswordPolicy_;
-		std::string         PasswordValidationStr_;
-        std::string         SubPasswordValidationStr_;
-        std::regex          PasswordValidation_;
-        std::regex          SubPasswordValidation_;
+		inline const std::string &GetSubPasswordPolicy() const { return SubPasswordPolicy_; }
+		inline const std::string &GetSubAccessPolicy() const { return SubAccessPolicy_; }

-        uint64_t            TokenAging_ = 15 * 24 * 60 * 60;
-        uint64_t            HowManyOldPassword_=5;
-        uint64_t            RefreshTokenLifeSpan_ = 90 * 24 * 60 * 60 ;
+		bool RefreshUserToken(Poco::Net::HTTPServerRequest &Request,
+							  const std::string &RefreshToken,
+							  SecurityObjects::UserInfoAndPolicy &UI);
+		bool RefreshSubToken(Poco::Net::HTTPServerRequest &Request, const std::string &RefreshToken,
+							 SecurityObjects::UserInfoAndPolicy &UI);

-        class SHA256Engine : public Poco::Crypto::DigestEngine
-                {
-                public:
-                    enum
-                    {
-                        BLOCK_SIZE = 64,
-                        DIGEST_SIZE = 32
-                    };
+		[[nodiscard]] inline auto HelperEmail() const { return HelperEmail_; };
+		[[nodiscard]] inline auto SubHelperEmail() const { return SubHelperEmail_; };
+		[[nodiscard]] inline auto GlobalHelperEmail() const { return GlobalHelperEmail_; };
+		[[nodiscard]] inline auto GlobalSubHelperEmail() const { return GlobalSubHelperEmail_; };
+		[[nodiscard]] inline auto HelperSite() const { return HelperSite_; };
+		[[nodiscard]] inline auto SubHelperSite() const { return SubHelperSite_; };
+		[[nodiscard]] inline auto SystemLoginSite() const { return SystemLoginSite_; };
+		[[nodiscard]] inline auto SubSystemLoginSite() const { return SubSystemLoginSite_; };
+		[[nodiscard]] inline auto UserSignature() const { return UserSignature_; };
+		[[nodiscard]] inline auto SubSignature() const { return SubSignature_; };

-                    SHA256Engine()
-                    : DigestEngine("SHA256")
-                    {
-                    }
+	  private:
+		Poco::SHA2Engine SHA2_;

-                };
+		std::string AccessPolicy_;
+		std::string PasswordPolicy_;
+		std::string SubAccessPolicy_;
+		std::string SubPasswordPolicy_;
+		std::string PasswordValidationStr_;
+		std::string SubPasswordValidationStr_;
+		std::regex PasswordValidation_;
+		std::regex SubPasswordValidation_;

-        Poco::HMACEngine<SHA256Engine> HMAC_{"tipopenwifi"};
+		uint64_t TokenAging_ = 15 * 24 * 60 * 60;
+		uint64_t HowManyOldPassword_ = 5;
+		uint64_t RefreshTokenLifeSpan_ = 90 * 24 * 60 * 60;

-        AuthService() noexcept:
-            SubSystemServer("Authentication", "AUTH-SVR", "authentication")
-        {
-        }
-    };
+		std::string HelperEmail_;
+		std::string SubHelperEmail_;
+		std::string GlobalHelperEmail_;
+		std::string GlobalSubHelperEmail_;
+		std::string HelperSite_;
+		std::string SubHelperSite_;
+		std::string SystemLoginSite_;
+		std::string SubSystemLoginSite_;
+		std::string UserSignature_;
+		std::string SubSignature_;

-    inline auto AuthService() { return AuthService::instance(); }
+		class SHA256Engine : public Poco::Crypto::DigestEngine {
+		  public:
+			enum { BLOCK_SIZE = 64, DIGEST_SIZE = 32 };

-    [[nodiscard]] inline bool AuthServiceIsAuthorized(Poco::Net::HTTPServerRequest & Request,std::string &SessionToken, SecurityObjects::UserInfoAndPolicy & UInfo , bool & Expired, bool Sub ) {
-        if(Sub)
-            return AuthService()->IsSubAuthorized(Request, SessionToken, UInfo, Expired );
-        else
-            return AuthService()->IsAuthorized(Request, SessionToken, UInfo, Expired );
-    }
+			SHA256Engine() : DigestEngine("SHA256") {}
+		};

-} // end of namespace
+		Poco::HMACEngine<SHA256Engine> HMAC_{"tipopenwifi"};

-#endif //UCENTRAL_UAUTHSERVICE_H
+		AuthService() noexcept : SubSystemServer("Authentication", "AUTH-SVR", "authentication") {}
+	};
+
+	inline auto AuthService() { return AuthService::instance(); }
+
+	[[nodiscard]] inline bool AuthServiceIsAuthorized(Poco::Net::HTTPServerRequest &Request,
+													  std::string &SessionToken,
+													  SecurityObjects::UserInfoAndPolicy &UInfo,
+													  std::uint64_t TID, bool &Expired, bool Sub) {
+		if (Sub)
+			return AuthService()->IsSubAuthorized(Request, SessionToken, UInfo, TID, Expired);
+		else
+			return AuthService()->IsAuthorized(Request, SessionToken, UInfo, TID, Expired);
+	}
+
+} // namespace OpenWifi
--- a/src/Daemon.cpp
+++ b/src/Daemon.cpp
@@ -10,73 +10,70 @@
 //	Arilia Wireless Inc.
 //

-
+#include "Poco/Environment.h"
 #include "Poco/Util/Application.h"
 #include "Poco/Util/Option.h"
-#include "Poco/Environment.h"

 #include "Daemon.h"

 #include <aws/core/Aws.h>
 #include <aws/s3/model/AccessControlPolicy.h>

-#include "StorageService.h"
-#include "SMTPMailerService.h"
+#include "ActionLinkManager.h"
 #include "AuthService.h"
 #include "SMSSender.h"
-#include "ActionLinkManager.h"
+#include "SMTPMailerService.h"
+#include "StorageService.h"
 #include "TotpCache.h"
+#include "framework/RESTAPI_RateLimiter.h"
+#include "framework/UI_WebSocketClientServer.h"
+#include <SecretStore.h>

 namespace OpenWifi {
-    class Daemon *Daemon::instance_ = nullptr;
+	class Daemon *Daemon::instance_ = nullptr;

-    class Daemon *Daemon::instance() {
-        if (instance_ == nullptr) {
-            instance_ = new Daemon(vDAEMON_PROPERTIES_FILENAME,
-                                   vDAEMON_ROOT_ENV_VAR,
-                                   vDAEMON_CONFIG_ENV_VAR,
-                                   vDAEMON_APP_NAME,
-                                   vDAEMON_BUS_TIMER,
-                                   SubSystemVec{
-                                           StorageService(),
-                                           SMSSender(),
-                                           ActionLinkManager(),
-                                           SMTPMailerService(),
-                                           RESTAPI_RateLimiter(),
-                                           TotpCache(),
-                                           AuthService()
-                                   });
-        }
-        return instance_;
-    }
+	class Daemon *Daemon::instance() {
+		if (instance_ == nullptr) {
+			instance_ =
+				new Daemon(vDAEMON_PROPERTIES_FILENAME, vDAEMON_ROOT_ENV_VAR,
+						   vDAEMON_CONFIG_ENV_VAR, vDAEMON_APP_NAME, vDAEMON_BUS_TIMER,
+						   SubSystemVec{StorageService(), SMSSender(), AuthService(), ActionLinkManager(),
+										SMTPMailerService(), RESTAPI_RateLimiter(), TotpCache(),
+										UI_WebSocketClientServer(), SecretStore()});
+		}
+		return instance_;
+	}

-    void Daemon::PostInitialization([[maybe_unused]] Poco::Util::Application &self) {
-        AssetDir_ = MicroService::instance().ConfigPath("openwifi.restapi.wwwassets");
-    }
-}
+	void Daemon::PostInitialization([[maybe_unused]] Poco::Util::Application &self) {
+		AssetDir_ = MicroService::instance().ConfigPath("openwifi.restapi.wwwassets");
+	}
+
+	void DaemonPostInitialization(Poco::Util::Application &self) {
+		Daemon()->PostInitialization(self);
+	}
+} // namespace OpenWifi

 int main(int argc, char **argv) {
-    try {
-        SSL_library_init();
-        Aws::SDKOptions AwsOptions;
-        AwsOptions.memoryManagementOptions.memoryManager = nullptr;
-        AwsOptions.cryptoOptions.initAndCleanupOpenSSL = false;
-        AwsOptions.httpOptions.initAndCleanupCurl = true;
+	try {
+		SSL_library_init();
+		Aws::SDKOptions AwsOptions;
+		AwsOptions.memoryManagementOptions.memoryManager = nullptr;
+		AwsOptions.cryptoOptions.initAndCleanupOpenSSL = false;
+		AwsOptions.httpOptions.initAndCleanupCurl = true;

-        Aws::InitAPI(AwsOptions);
+		Aws::InitAPI(AwsOptions);

-        int ExitCode=0;
-        {
-            auto App = OpenWifi::Daemon::instance();
-            ExitCode =  App->run(argc, argv);
-        }
-        ShutdownAPI(AwsOptions);
-        return ExitCode;
-    } catch (Poco::Exception &exc) {
-        std::cout << exc.displayText() << std::endl;
-        return Poco::Util::Application::EXIT_SOFTWARE;
-    }
+		int ExitCode = 0;
+		{
+			auto App = OpenWifi::Daemon::instance();
+			ExitCode = App->run(argc, argv);
+		}
+		ShutdownAPI(AwsOptions);
+		return ExitCode;
+	} catch (Poco::Exception &exc) {
+		std::cout << exc.displayText() << std::endl;
+		return Poco::Util::Application::EXIT_SOFTWARE;
+	}
 }

-
 // end of namespace
--- a/src/Daemon.h
+++ b/src/Daemon.h
@@ -2,56 +2,50 @@
 // Created by stephane bourque on 2021-06-10.
 //

-#ifndef UCENTRALSEC_DAEMON_H
-#define UCENTRALSEC_DAEMON_H
+#pragma once

-#include <iostream>
 #include <cstdlib>
-#include <vector>
+#include <iostream>
 #include <set>
-
-#include "Poco/Util/Application.h"
-#include "Poco/Util/ServerApplication.h"
-#include "Poco/Util/Option.h"
-#include "Poco/Util/OptionSet.h"
-#include "Poco/UUIDGenerator.h"
-#include "Poco/ErrorHandler.h"
-#include "Poco/Crypto/RSAKey.h"
-#include "Poco/Crypto/CipherFactory.h"
-#include "Poco/Crypto/Cipher.h"
+#include <vector>

 #include "framework/MicroService.h"
+#include "framework/MicroServiceNames.h"
+
+#include "Poco/Crypto/Cipher.h"
+#include "Poco/Crypto/CipherFactory.h"
+#include "Poco/Crypto/RSAKey.h"
+#include "Poco/ErrorHandler.h"
+#include "Poco/UUIDGenerator.h"
+#include "Poco/Util/Application.h"
+#include "Poco/Util/Option.h"
+#include "Poco/Util/OptionSet.h"
+#include "Poco/Util/ServerApplication.h"

 namespace OpenWifi {

-    [[maybe_unused]] static const char * vDAEMON_PROPERTIES_FILENAME = "owsec.properties";
-    [[maybe_unused]] static const char * vDAEMON_ROOT_ENV_VAR = "OWSEC_ROOT";
-    [[maybe_unused]] static const char * vDAEMON_CONFIG_ENV_VAR = "OWSEC_CONFIG";
-    [[maybe_unused]] static const char * vDAEMON_APP_NAME = uSERVICE_SECURITY.c_str();
-    [[maybe_unused]] static const uint64_t vDAEMON_BUS_TIMER = 5000;
+	[[maybe_unused]] static const char *vDAEMON_PROPERTIES_FILENAME = "owsec.properties";
+	[[maybe_unused]] static const char *vDAEMON_ROOT_ENV_VAR = "OWSEC_ROOT";
+	[[maybe_unused]] static const char *vDAEMON_CONFIG_ENV_VAR = "OWSEC_CONFIG";
+	[[maybe_unused]] static const char *vDAEMON_APP_NAME = uSERVICE_SECURITY.c_str();
+	[[maybe_unused]] static const uint64_t vDAEMON_BUS_TIMER = 5000;

-    class Daemon : public MicroService {
-    public:
-        explicit Daemon(const std::string & PropFile,
-                        const std::string & RootEnv,
-                        const std::string & ConfigEnv,
-                        const std::string & AppName,
-                        uint64_t BusTimer,
-                        const SubSystemVec & SubSystems) :
-                MicroService( PropFile, RootEnv, ConfigEnv, AppName, BusTimer, SubSystems) {};
+	class Daemon : public MicroService {
+	  public:
+		explicit Daemon(const std::string &PropFile, const std::string &RootEnv,
+						const std::string &ConfigEnv, const std::string &AppName, uint64_t BusTimer,
+						const SubSystemVec &SubSystems)
+			: MicroService(PropFile, RootEnv, ConfigEnv, AppName, BusTimer, SubSystems){};

-        void PostInitialization(Poco::Util::Application &self);
-        static Daemon *instance();
-        inline const std::string & AssetDir() { return AssetDir_; }
-    private:
-        static Daemon 		*instance_;
-        std::string         AssetDir_;
-    };
+		void PostInitialization(Poco::Util::Application &self);
+		static Daemon *instance();
+		inline const std::string &AssetDir() { return AssetDir_; }

-    inline Daemon * Daemon() { return Daemon::instance(); }
-    inline void DaemonPostInitialization(Poco::Util::Application &self) {
-        Daemon()->PostInitialization(self);
-    }
-}
+	  private:
+		static Daemon *instance_;
+		std::string AssetDir_;
+	};

-#endif //UCENTRALSEC_DAEMON_H
+	inline Daemon *Daemon() { return Daemon::instance(); }
+	void DaemonPostInitialization(Poco::Util::Application &self);
+} // namespace OpenWifi
--- a/src/MFAServer.cpp
+++ b/src/MFAServer.cpp
@@ -3,117 +3,124 @@
 //

 #include "MFAServer.h"
+#include "AuthService.h"
 #include "SMSSender.h"
 #include "SMTPMailerService.h"
-#include "framework/MicroService.h"
-#include "AuthService.h"
 #include "TotpCache.h"

+#include "framework/MicroServiceFuncs.h"
+#include "framework/utils.h"
+
 namespace OpenWifi {

-    int MFAServer::Start() {
-        return 0;
-    }
+	int MFAServer::Start() { return 0; }

-    void MFAServer::Stop() {
-    }
+	void MFAServer::Stop() {}

-    bool MFAServer::StartMFAChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo, Poco::JSON::Object &ChallengeStart) {
-        std::lock_guard G(Mutex_);
+	bool MFAServer::StartMFAChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo,
+									  Poco::JSON::Object &ChallengeStart) {
+		std::lock_guard G(Mutex_);

-        CleanCache();
+		CleanCache();

-        if(!MethodEnabled(UInfo.userinfo.userTypeProprietaryInfo.mfa.method))
-            return false;
+		if (!MethodEnabled(UInfo.userinfo.userTypeProprietaryInfo.mfa.method))
+			return false;

-        std::string Challenge = MakeChallenge();
-        std::string uuid = MicroService::CreateUUID();
-        uint64_t Created = OpenWifi::Now();
+		std::string Challenge = MakeChallenge();
+		std::string uuid = MicroServiceCreateUUID();
+		uint64_t Created = Utils::Now();

-        ChallengeStart.set("uuid",uuid);
-        ChallengeStart.set("created", Created);
-        ChallengeStart.set("question", "mfa challenge");
-        ChallengeStart.set("method", UInfo.userinfo.userTypeProprietaryInfo.mfa.method);
+		ChallengeStart.set("uuid", uuid);
+		ChallengeStart.set("created", Created);
+		ChallengeStart.set("question", "mfa challenge");
+		ChallengeStart.set("method", UInfo.userinfo.userTypeProprietaryInfo.mfa.method);

-        Cache_[uuid] = MFACacheEntry{ .UInfo = UInfo, .Answer=Challenge, .Created=Created, .Method=UInfo.userinfo.userTypeProprietaryInfo.mfa.method };
-        return SendChallenge(UInfo, UInfo.userinfo.userTypeProprietaryInfo.mfa.method, Challenge);
-    }
+		Cache_[uuid] = MFACacheEntry{.UInfo = UInfo,
+									 .Answer = Challenge,
+									 .Created = Created,
+									 .Method = UInfo.userinfo.userTypeProprietaryInfo.mfa.method};
+		return SendChallenge(UInfo, UInfo.userinfo.userTypeProprietaryInfo.mfa.method, Challenge);
+	}

-    bool MFAServer::SendChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo, const std::string &Method, const std::string &Challenge) {
-        if(Method==MFAMETHODS::SMS && SMSSender()->Enabled() && !UInfo.userinfo.userTypeProprietaryInfo.mobiles.empty()) {
-            std::string Message = "This is your login code: " + Challenge + " Please enter this in your login screen.";
-            return SMSSender()->Send(UInfo.userinfo.userTypeProprietaryInfo.mobiles[0].number, Message);
-        } else if(Method==MFAMETHODS::EMAIL && SMTPMailerService()->Enabled() && !UInfo.userinfo.email.empty()) {
-            MessageAttributes Attrs;
-            Attrs[RECIPIENT_EMAIL] = UInfo.userinfo.email;
-            Attrs[LOGO] = AuthService::GetLogoAssetURI();
-            Attrs[SUBJECT] = "Login validation code";
-            Attrs[CHALLENGE_CODE] = Challenge;
-            return SMTPMailerService()->SendMessage(UInfo.userinfo.email, "verification_code.txt", Attrs);
-        } else if(Method==MFAMETHODS::AUTHENTICATOR && !UInfo.userinfo.userTypeProprietaryInfo.authenticatorSecret.empty()) {
-            return true;
-        }
+	bool MFAServer::SendChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo,
+								  const std::string &Method, const std::string &Challenge) {
+		if (Method == MFAMETHODS::SMS && SMSSender()->Enabled() &&
+			!UInfo.userinfo.userTypeProprietaryInfo.mobiles.empty()) {
+			std::string Message = "This is your login code: " + Challenge +
+								  " Please enter this in your login screen.";
+			return SMSSender()->Send(UInfo.userinfo.userTypeProprietaryInfo.mobiles[0].number,
+									 Message);
+		} else if (Method == MFAMETHODS::EMAIL && SMTPMailerService()->Enabled() &&
+				   !UInfo.userinfo.email.empty()) {
+			return AuthService()->SendEmailChallengeCode(UInfo, Challenge);
+		} else if (Method == MFAMETHODS::AUTHENTICATOR &&
+				   !UInfo.userinfo.userTypeProprietaryInfo.authenticatorSecret.empty()) {
+			return true;
+		}

-        return false;
-    }
+		return false;
+	}

-    bool MFAServer::ResendCode(const std::string &uuid) {
-        std::lock_guard G(Mutex_);
-        auto Hint = Cache_.find(uuid);
-        if(Hint==Cache_.end())
-            return false;
-        return SendChallenge(Hint->second.UInfo, Hint->second.Method, Hint->second.Answer);
-    }
+	bool MFAServer::ResendCode(const std::string &uuid) {
+		std::lock_guard G(Mutex_);
+		auto Hint = Cache_.find(uuid);
+		if (Hint == Cache_.end())
+			return false;
+		return SendChallenge(Hint->second.UInfo, Hint->second.Method, Hint->second.Answer);
+	}

-    bool MFAServer::CompleteMFAChallenge(const Poco::JSON::Object::Ptr &ChallengeResponse, SecurityObjects::UserInfoAndPolicy &UInfo) {
-        std::lock_guard G(Mutex_);
+	bool MFAServer::CompleteMFAChallenge(const Poco::JSON::Object::Ptr &ChallengeResponse,
+										 SecurityObjects::UserInfoAndPolicy &UInfo) {
+		std::lock_guard G(Mutex_);

-        if(!ChallengeResponse->has("uuid") || !ChallengeResponse->has("answer"))
-            return false;
+		if (!ChallengeResponse->has("uuid") || !ChallengeResponse->has("answer"))
+			return false;

-        auto uuid = ChallengeResponse->get("uuid").toString();
-        auto Hint = Cache_.find(uuid);
-        if(Hint == end(Cache_)) {
-            return false;
-        }
+		auto uuid = ChallengeResponse->get("uuid").toString();
+		auto Hint = Cache_.find(uuid);
+		if (Hint == end(Cache_)) {
+			return false;
+		}

-        auto answer = ChallengeResponse->get("answer").toString();
-        std::string Expecting;
-        if(Hint->second.Method==MFAMETHODS::AUTHENTICATOR) {
-            if(!TotpCache()->ValidateCode(Hint->second.UInfo.userinfo.userTypeProprietaryInfo.authenticatorSecret,answer, Expecting)) {
-                return false;
-            }
-        } else if(Hint->second.Answer!=answer) {
-            return false;
-        }
+		auto answer = ChallengeResponse->get("answer").toString();
+		std::string Expecting;
+		if (Hint->second.Method == MFAMETHODS::AUTHENTICATOR) {
+			if (!TotpCache()->ValidateCode(
+					Hint->second.UInfo.userinfo.userTypeProprietaryInfo.authenticatorSecret, answer,
+					Expecting)) {
+				return false;
+			}
+		} else if (Hint->second.Answer != answer) {
+			return false;
+		}

-        UInfo = Hint->second.UInfo;
-        Cache_.erase(Hint);
-        return true;
-    }
+		UInfo = Hint->second.UInfo;
+		Cache_.erase(Hint);
+		return true;
+	}

-    bool MFAServer::MethodEnabled(const std::string &Method) {
-        if(Method==MFAMETHODS::SMS)
-            return SMSSender()->Enabled();
+	bool MFAServer::MethodEnabled(const std::string &Method) {
+		if (Method == MFAMETHODS::SMS)
+			return SMSSender()->Enabled();

-        if(Method==MFAMETHODS::EMAIL)
-            return SMTPMailerService()->Enabled();
+		if (Method == MFAMETHODS::EMAIL)
+			return SMTPMailerService()->Enabled();

-        if(Method==MFAMETHODS::AUTHENTICATOR)
-            return true;
+		if (Method == MFAMETHODS::AUTHENTICATOR)
+			return true;

-        return false;
-    }
+		return false;
+	}

-    void MFAServer::CleanCache() {
-        // it is assumed that you have locked Cache_ at this point.
-        uint64_t Now = OpenWifi::Now();
-        for(auto i=begin(Cache_);i!=end(Cache_);) {
-            if((Now-i->second.Created)>300) {
-                i = Cache_.erase(i);
-            } else {
-                ++i;
-            }
-        }
-    }
-}
+	void MFAServer::CleanCache() {
+		// it is assumed that you have locked Cache_ at this point.
+		uint64_t Now = Utils::Now();
+		for (auto i = begin(Cache_); i != end(Cache_);) {
+			if ((Now - i->second.Created) > 300) {
+				i = Cache_.erase(i);
+			} else {
+				++i;
+			}
+		}
+	}
+} // namespace OpenWifi
--- a/src/MFAServer.h
+++ b/src/MFAServer.h
@@ -4,61 +4,62 @@

 #pragma once

-#include "framework/MicroService.h"
 #include "Poco/JSON/Object.h"
 #include "RESTObjects/RESTAPI_SecurityObjects.h"
+#include "framework/MicroServiceFuncs.h"
+#include "framework/SubSystemServer.h"
+
+#include "fmt/format.h"

 namespace OpenWifi {

-    namespace MFAMETHODS {
-        inline const static std::string SMS{"sms"};
-        inline const static std::string EMAIL{"email"};
-        inline const static std::string AUTHENTICATOR{"authenticator"};
-        inline const static std::vector<std::string> Methods{ SMS, EMAIL, AUTHENTICATOR };
-        inline bool Validate(const std::string &M) {
-            return std::find(cbegin(Methods), cend(Methods),M)!=Methods.end();
-        }
-    }
+	namespace MFAMETHODS {
+		inline const static std::string SMS{"sms"};
+		inline const static std::string EMAIL{"email"};
+		inline const static std::string AUTHENTICATOR{"authenticator"};
+		inline const static std::vector<std::string> Methods{SMS, EMAIL, AUTHENTICATOR};
+		inline bool Validate(const std::string &M) {
+			return std::find(cbegin(Methods), cend(Methods), M) != Methods.end();
+		}
+	} // namespace MFAMETHODS

-    struct MFACacheEntry {
-        SecurityObjects::UserInfoAndPolicy  UInfo;
-        std::string                         Answer;
-        uint64_t                            Created;
-        std::string                         Method;
-    };
+	struct MFACacheEntry {
+		SecurityObjects::UserInfoAndPolicy UInfo;
+		std::string Answer;
+		uint64_t Created;
+		std::string Method;
+	};

+	typedef std::map<std::string, MFACacheEntry> MFAChallengeCache;

-    typedef std::map<std::string,MFACacheEntry>     MFAChallengeCache;
+	class MFAServer : public SubSystemServer {
+	  public:
+		int Start() override;
+		void Stop() override;
+		static auto instance() {
+			static auto instance_ = new MFAServer;
+			return instance_;
+		}

-    class MFAServer : public SubSystemServer{
-    public:
-        int Start() override;
-        void Stop() override;
-        static auto instance() {
-            static auto instance_ = new MFAServer;
-            return instance_;
-        }
+		bool StartMFAChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo,
+							   Poco::JSON::Object &Challenge);
+		bool CompleteMFAChallenge(const Poco::JSON::Object::Ptr &ChallengeResponse,
+								  SecurityObjects::UserInfoAndPolicy &UInfo);
+		static bool MethodEnabled(const std::string &Method);
+		bool ResendCode(const std::string &uuid);
+		static bool SendChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo,
+								  const std::string &Method, const std::string &Challenge);

-        bool StartMFAChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo, Poco::JSON::Object &Challenge);
-        bool CompleteMFAChallenge(const Poco::JSON::Object::Ptr &ChallengeResponse, SecurityObjects::UserInfoAndPolicy &UInfo);
-        static bool MethodEnabled(const std::string &Method);
-        bool ResendCode(const std::string &uuid);
-        static bool SendChallenge(const SecurityObjects::UserInfoAndPolicy &UInfo, const std::string &Method, const std::string &Challenge);
+		static inline std::string MakeChallenge() {
+			return fmt::format("{0:06}", MicroServiceRandom(1, 999999));
+		}

-        static inline std::string MakeChallenge() {
-            return fmt::format("{0:06}" , MicroService::instance().Random(1,999999) );
-        }
+	  private:
+		MFAChallengeCache Cache_;
+		MFAServer() noexcept : SubSystemServer("MFServer", "MFA-SVR", "mfa") {}

-    private:
-        MFAChallengeCache   Cache_;
-        MFAServer() noexcept:
-            SubSystemServer("MFServer", "MFA-SVR", "mfa")
-            {
-            }
-
-        void CleanCache();
-    };
-
-    inline auto MFAServer() { return MFAServer::instance(); }
-}
+		void CleanCache();
+	};

+	inline auto MFAServer() { return MFAServer::instance(); }
+} // namespace OpenWifi
--- a/src/MessagingTemplates.h
+++ b/src/MessagingTemplates.h
@@ -0,0 +1,112 @@
+//
+// Created by stephane bourque on 2022-07-25.
+//
+
+#pragma once
+
+#include <string>
+#include <vector>
+
+namespace OpenWifi {
+
+	class MessagingTemplates {
+	  public:
+		static MessagingTemplates &instance() {
+			static auto instance = new MessagingTemplates;
+			return *instance;
+		}
+
+		enum EMAIL_REASON {
+			FORGOT_PASSWORD = 0,
+			EMAIL_VERIFICATION,
+			SUB_SIGNUP_VERIFICATION,
+			EMAIL_INVITATION,
+			VERIFICATION_CODE,
+			SUB_FORGOT_PASSWORD,
+			SUB_EMAIL_VERIFICATION,
+			SUB_VERIFICATION_CODE,
+			CERTIFICATE_TRANSFER_NOTIFICATION,
+			CERTIFICATE_TRANSFER_AUTHORIZATION,
+			CERTIFICATE_DISPUTE_SUCCESS,
+			CERTIFICATE_DISPUTE_REJECTED,
+			CERTIFICATE_TRANSFER_CANCELED,
+			CERTIFICATE_TRANSFER_ACCEPTED,
+			CERTIFICATE_TRANSFER_REJECTED
+		};
+
+		static std::string AddOperator(const std::string &filename,
+									   const std::string &OperatorName) {
+			if (OperatorName.empty())
+				return "/" + filename;
+			return "/" + OperatorName + "/" + filename;
+		}
+
+		static std::string TemplateName(EMAIL_REASON r, const std::string &OperatorName = "") {
+			switch (r) {
+			case FORGOT_PASSWORD:
+				return AddOperator(EmailTemplateNames[FORGOT_PASSWORD], OperatorName);
+			case EMAIL_VERIFICATION:
+				return AddOperator(EmailTemplateNames[EMAIL_VERIFICATION], OperatorName);
+			case SUB_SIGNUP_VERIFICATION:
+				return AddOperator(EmailTemplateNames[SUB_SIGNUP_VERIFICATION], OperatorName);
+			case EMAIL_INVITATION:
+				return AddOperator(EmailTemplateNames[EMAIL_INVITATION], OperatorName);
+			case VERIFICATION_CODE:
+				return AddOperator(EmailTemplateNames[VERIFICATION_CODE], OperatorName);
+			case SUB_FORGOT_PASSWORD:
+				return AddOperator(EmailTemplateNames[SUB_FORGOT_PASSWORD], OperatorName);
+			case SUB_EMAIL_VERIFICATION:
+				return AddOperator(EmailTemplateNames[SUB_EMAIL_VERIFICATION], OperatorName);
+			case SUB_VERIFICATION_CODE:
+				return AddOperator(EmailTemplateNames[SUB_VERIFICATION_CODE], OperatorName);
+			case CERTIFICATE_TRANSFER_NOTIFICATION:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_NOTIFICATION],
+								   OperatorName);
+			case CERTIFICATE_TRANSFER_AUTHORIZATION:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_AUTHORIZATION],
+								   OperatorName);
+			case CERTIFICATE_DISPUTE_SUCCESS:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_DISPUTE_SUCCESS], OperatorName);
+			case CERTIFICATE_DISPUTE_REJECTED:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_DISPUTE_REJECTED], OperatorName);
+			case CERTIFICATE_TRANSFER_CANCELED:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_CANCELED], OperatorName);
+			case CERTIFICATE_TRANSFER_ACCEPTED:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_ACCEPTED], OperatorName);
+			case CERTIFICATE_TRANSFER_REJECTED:
+				return AddOperator(EmailTemplateNames[CERTIFICATE_TRANSFER_REJECTED], OperatorName);
+			default:
+				return "";
+			}
+		}
+
+		static std::string Logo(const std::string &OperatorName = "") {
+			return AddOperator("logo.png", OperatorName);
+		}
+
+		static std::string SubLogo(const std::string &OperatorName = "") {
+			return AddOperator("sub_logo.png", OperatorName);
+		}
+
+	  private:
+		inline const static std::vector<std::string> EmailTemplateNames = {
+			"password_reset",
+			"email_verification",
+			"sub_signup_verification",
+			"email_invitation",
+			"verification_code",
+			"sub_password_reset",
+			"sub_email_verification",
+			"sub_verification_code",
+			"certificate_transfer_notification",
+			"certificate_transfer_authorization",
+			"certificate_dispute_success",
+			"certificate_dispute_rejected",
+			"certificate_transfer_canceled",
+			"certificate_transfer_accepted",
+			"certificate_transfer_rejected"};
+	};
+
+	inline MessagingTemplates &MessagingTemplates() { return MessagingTemplates::instance(); }
+
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_action_links.cpp
+++ b/src/RESTAPI/RESTAPI_action_links.cpp
@@ -7,259 +7,350 @@

 #include "RESTAPI_action_links.h"
 #include "StorageService.h"
-#include "framework/MicroService.h"
+#include "framework/OpenAPIRequests.h"
+#include "framework/RESTAPI_PartHandler.h"
+
 #include "Daemon.h"

 namespace OpenWifi {

-    void RESTAPI_action_links::DoGet() {
+#if defined(TIP_CERT_SERVICE)
+	bool ProcessExternalActionLinks(RESTAPIHandler &handler, const std::string &Id,
+									const std::string &Action);
+#endif

-        auto Action = GetParameter("action","");
-        auto Id = GetParameter("id","");
+	void RESTAPI_action_links::DoGet() {

-        SecurityObjects::ActionLink Link;
-        if(!StorageService()->ActionLinksDB().GetActionLink(Id,Link))
-            return DoReturnA404();
+		auto Action = GetParameter("action", "");
+		auto Id = GetParameter("id", "");

-        if(Action=="password_reset")
-            return RequestResetPassword(Link);
-        else if(Action=="email_verification")
-            return DoEmailVerification(Link);
-        else if(Action=="signup_verification")
-            return DoNewSubVerification(Link);
-        else
-            return DoReturnA404();
-    }
+#if defined(TIP_CERT_SERVICE)
+		if (!OpenWifi::ProcessExternalActionLinks(*this, Id, Action)) {
+			return;
+		}
+#endif

-    void RESTAPI_action_links::DoPost() {
-        auto Action = GetParameter("action","");
+		SecurityObjects::ActionLink Link;
+		if (!StorageService()->ActionLinksDB().GetActionLink(Id, Link))
+			return DoReturnA404();

-        if(Action=="password_reset")
-            return CompleteResetPassword();
-        else if(Action=="signup_completion")
-            return CompleteSubVerification();
-        else
-            return DoReturnA404();
-    }
+		if (Action == "password_reset")
+			return RequestResetPassword(Link);
+		else if (Action == "sub_password_reset")
+			return RequestResetPassword(Link);
+		else if (Action == "email_verification")
+			return DoEmailVerification(Link);
+		else if (Action == "sub_email_verification")
+			return DoEmailVerification(Link);
+		else if (Action == "signup_verification")
+			return DoNewSubVerification(Link);
+		else
+			return DoReturnA404();
+	}

-    void RESTAPI_action_links::RequestResetPassword(SecurityObjects::ActionLink &Link) {
-        Logger_.information(fmt::format("REQUEST-PASSWORD-RESET({}): For ID={}", Request->clientAddress().toString(), Link.userId));
-        Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset.html"};
-        Types::StringPairVec    FormVars{ {"UUID", Link.id},
-                                          {"PASSWORD_VALIDATION", AuthService()->PasswordValidationExpression()}};
-        SendHTMLFileBack(FormFile,FormVars);
-    }
+	void RESTAPI_action_links::DoPost() {
+		auto Action = GetParameter("action", "");

-    void RESTAPI_action_links::DoNewSubVerification(SecurityObjects::ActionLink &Link) {
-        Logger_.information(fmt::format("REQUEST-SUB-SIGNUP({}): For ID={}", Request->clientAddress().toString(), Link.userId));
-        Poco::File  FormFile{ Daemon()->AssetDir() + "/signup_verification.html"};
-        Types::StringPairVec    FormVars{ {"UUID", Link.id},
-                                          {"PASSWORD_VALIDATION", AuthService()->PasswordValidationExpression()}};
-        SendHTMLFileBack(FormFile,FormVars);
-    }
+		if (Action == "password_reset")
+			return CompleteResetPassword();
+		else if (Action == "sub_password_reset")
+			return CompleteResetPassword();
+		else if (Action == "signup_completion")
+			return CompleteSubVerification();
+		else if (Action == "email_invitation")
+			return CompleteEmailInvitation();
+		else
+			return DoReturnA404();
+	}

-    void RESTAPI_action_links::CompleteResetPassword() {
-        //  form has been posted...
-        RESTAPI_PartHandler PartHandler;
-        Poco::Net::HTMLForm Form(*Request, Request->stream(), PartHandler);
-        if (!Form.empty()) {
+	void RESTAPI_action_links::AddGlobalVars(Types::StringPairVec &Vars) {
+		Vars.push_back(std::make_pair("USER_HELPER_EMAIL", AuthService()->HelperEmail()));
+		Vars.push_back(std::make_pair("SUB_HELPER_EMAIL", AuthService()->SubHelperEmail()));
+		Vars.push_back(
+			std::make_pair("GLOBAL_USER_HELPER_EMAIL", AuthService()->GlobalHelperEmail()));
+		Vars.push_back(
+			std::make_pair("GLOBAL_SUB_HELPER_EMAIL", AuthService()->GlobalSubHelperEmail()));
+		Vars.push_back(std::make_pair("USER_HELPER_SITE", AuthService()->HelperSite()));
+		Vars.push_back(std::make_pair("SUB_HELPER_SITE", AuthService()->SubHelperSite()));
+		Vars.push_back(std::make_pair("USER_SYSTEM_LOGIN", AuthService()->SystemLoginSite()));
+		Vars.push_back(std::make_pair("SUB_SYSTEM_LOGIN", AuthService()->SubSystemLoginSite()));
+		Vars.push_back(std::make_pair("USER_SIGNATURE", AuthService()->UserSignature()));
+		Vars.push_back(std::make_pair("SUB_SIGNATURE", AuthService()->SubSignature()));
+	}

-            auto Password1 = Form.get("password1","bla");
-            auto Password2 = Form.get("password2","blu");
-            auto Id = Form.get("id","");
-            auto now = OpenWifi::Now();
+	void RESTAPI_action_links::RequestResetPassword(SecurityObjects::ActionLink &Link) {
+		Logger_.information(fmt::format("REQUEST-PASSWORD-RESET({}): For ID={}",
+										Request->clientAddress().toString(), Link.userId));
+		Poco::File FormFile{Daemon()->AssetDir() + "/password_reset.html"};
+		Types::StringPairVec FormVars{
+			{"UUID", Link.id},
+			{"PASSWORD_VALIDATION", AuthService()->PasswordValidationExpression()}};
+		AddGlobalVars(FormVars);
+		SendHTMLFileBack(FormFile, FormVars);
+	}

-            SecurityObjects::ActionLink Link;
-            if(!StorageService()->ActionLinksDB().GetActionLink(Id,Link))
-                return DoReturnA404();
+	void RESTAPI_action_links::DoNewSubVerification(SecurityObjects::ActionLink &Link) {
+		Logger_.information(fmt::format("REQUEST-SUB-SIGNUP({}): For ID={}",
+										Request->clientAddress().toString(), Link.userId));
+		Poco::File FormFile{Daemon()->AssetDir() + "/sub_signup_verification.html"};
+		Types::StringPairVec FormVars{
+			{"UUID", Link.id},
+			{"PASSWORD_VALIDATION", AuthService()->PasswordValidationExpression()}};
+		AddGlobalVars(FormVars);
+		SendHTMLFileBack(FormFile, FormVars);
+	}

-            if(now > Link.expires) {
-                StorageService()->ActionLinksDB().CancelAction(Id);
-                return DoReturnA404();
-            }
+	void RESTAPI_action_links::CompleteResetPassword() {
+		RESTAPI_PartHandler PartHandler;
+		Poco::Net::HTMLForm Form(*Request, Request->stream(), PartHandler);
+		if (!Form.empty()) {

-            if(Password1!=Password2 || !AuthService()->ValidatePassword(Password2) || !AuthService()->ValidatePassword(Password1)) {
-                Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_error.html"};
-                Types::StringPairVec    FormVars{ {"UUID", Id},
-                                                  {"ERROR_TEXT", "For some reason, the passwords entered do not match or they do not comply with"
-                                                                 " accepted password creation restrictions. Please consult our on-line help"
-                                                                 " to look at the our password policy. If you would like to contact us, please mention"
-                                                                 " id(" + Id + ")"}};
-                return SendHTMLFileBack(FormFile,FormVars);
-            }
+			auto Password1 = Form.get("password1", "bla");
+			auto Password2 = Form.get("password2", "blu");
+			auto Id = Form.get("id", "");
+			auto now = OpenWifi::Now();

-            SecurityObjects::UserInfo   UInfo;
+			SecurityObjects::ActionLink Link;
+			if (!StorageService()->ActionLinksDB().GetActionLink(Id, Link))
+				return DoReturnA404();

-            bool Found = Link.userAction ? StorageService()->UserDB().GetUserById(Link.userId,UInfo) : StorageService()->SubDB().GetUserById(Link.userId,UInfo);
-            if(!Found) {
-                Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_error.html"};
-                Types::StringPairVec    FormVars{ {"UUID", Id},
-                                                  {"ERROR_TEXT", "This request does not contain a valid user ID. Please contact your system administrator."}};
-                return SendHTMLFileBack(FormFile,FormVars);
-            }
+			if (now > Link.expires) {
+				StorageService()->ActionLinksDB().CancelAction(Id);
+				return DoReturnA404();
+			}

-            if(UInfo.blackListed || UInfo.suspended) {
-                Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_error.html"};
-                Types::StringPairVec    FormVars{ {"UUID", Id},
-                                                  {"ERROR_TEXT", "Please contact our system administrators. We have identified an error in your account that must be resolved first."}};
-                return SendHTMLFileBack(FormFile,FormVars);
-            }
+			if (Password1 != Password2 || !AuthService()->ValidatePassword(Password2) ||
+				!AuthService()->ValidatePassword(Password1)) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/password_reset_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id},
+					{"ERROR_TEXT",
+					 "For some reason, the passwords entered do not match or they do not comply "
+					 "with"
+					 " accepted password creation restrictions. Please consult our on-line help"
+					 " to look at the our password policy. If you would like to contact us, please "
+					 "mention"
+					 " id(" +
+						 Id + ")"}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}

-            bool GoodPassword = Link.userAction ? AuthService()->SetPassword(Password1,UInfo) : AuthService()->SetSubPassword(Password1,UInfo);
-            if(!GoodPassword) {
-                Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_error.html"};
-                Types::StringPairVec    FormVars{ {"UUID", Id},
-                                                  {"ERROR_TEXT", "You cannot reuse one of your recent passwords."}};
-                return SendHTMLFileBack(FormFile,FormVars);
-            }
+			SecurityObjects::UserInfo UInfo;

-            UInfo.modified = OpenWifi::Now();
-            if(Link.userAction)
-                StorageService()->UserDB().UpdateUserInfo(UInfo.email,Link.userId,UInfo);
-            else
-                StorageService()->SubDB().UpdateUserInfo(UInfo.email,Link.userId,UInfo);
+			bool Found = Link.userAction
+							 ? StorageService()->UserDB().GetUserById(Link.userId, UInfo)
+							 : StorageService()->SubDB().GetUserById(Link.userId, UInfo);
+			if (!Found) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/password_reset_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id},
+					{"ERROR_TEXT", "This request does not contain a valid user ID. Please contact "
+								   "your system administrator."}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}

-            Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_success.html"};
-            Types::StringPairVec    FormVars{ {"UUID", Id},
-                                              {"USERNAME", UInfo.email},
-                                              {"ACTION_LINK",MicroService::instance().GetUIURI()}};
-            StorageService()->ActionLinksDB().CompleteAction(Id);
-            SendHTMLFileBack(FormFile,FormVars);
-        } else {
-            DoReturnA404();
-        }
-    }
+			if (UInfo.blackListed || UInfo.suspended) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/password_reset_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id},
+					{"ERROR_TEXT", "Please contact our system administrators. We have identified "
+								   "an error in your account that must be resolved first."}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}

-    void RESTAPI_action_links::CompleteSubVerification() {
-        RESTAPI_PartHandler PartHandler;
-        Poco::Net::HTMLForm Form(*Request, Request->stream(), PartHandler);
+			bool GoodPassword = Link.userAction ? AuthService()->SetPassword(Password1, UInfo)
+												: AuthService()->SetSubPassword(Password1, UInfo);
+			if (!GoodPassword) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/password_reset_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id}, {"ERROR_TEXT", "You cannot reuse one of your recent passwords."}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}

-        if (!Form.empty()) {
-            auto Password1 = Form.get("password1","bla");
-            auto Password2 = Form.get("password2","blu");
-            auto Id = Form.get("id","");
-            auto now = OpenWifi::Now();
+			UInfo.modified = OpenWifi::Now();
+			if (Link.userAction)
+				StorageService()->UserDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);
+			else
+				StorageService()->SubDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);

-            SecurityObjects::ActionLink Link;
-            if(!StorageService()->ActionLinksDB().GetActionLink(Id,Link)) {
-                return DoReturnA404();
-            }
+			Poco::File FormFile{Daemon()->AssetDir() + "/password_reset_success.html"};
+			Types::StringPairVec FormVars{{"UUID", Id},
+										  {"USERNAME", UInfo.email},
+										  {"ACTION_LINK", MicroService::instance().GetUIURI()}};
+			AddGlobalVars(FormVars);
+			StorageService()->ActionLinksDB().CompleteAction(Id);
+			SendHTMLFileBack(FormFile, FormVars);
+		} else {
+			DoReturnA404();
+		}
+	}

-            if(now > Link.expires) {
-                StorageService()->ActionLinksDB().CancelAction(Id);
-                return DoReturnA404();
-            }
+	void RESTAPI_action_links::CompleteSubVerification() {
+		RESTAPI_PartHandler PartHandler;
+		Poco::Net::HTMLForm Form(*Request, Request->stream(), PartHandler);

-            if(Password1!=Password2 || !AuthService()->ValidateSubPassword(Password1)) {
-                Poco::File  FormFile{ Daemon()->AssetDir() + "/password_reset_error.html"};
-                Types::StringPairVec    FormVars{ {"UUID", Id},
-                                                  {"ERROR_TEXT", "For some reason, the passwords entered do not match or they do not comply with"
-                                                                 " accepted password creation restrictions. Please consult our on-line help"
-                                                                 " to look at the our password policy. If you would like to contact us, please mention"
-                                                                 " id(" + Id + ")"}};
-                return SendHTMLFileBack(FormFile,FormVars);
-            }
+		if (!Form.empty()) {
+			auto Password1 = Form.get("password1", "bla");
+			auto Password2 = Form.get("password2", "blu");
+			auto Id = Form.get("id", "");
+			auto now = OpenWifi::Now();

-            SecurityObjects::UserInfo   UInfo;
-            bool Found = StorageService()->SubDB().GetUserById(Link.userId,UInfo);
-            if(!Found) {
-                Poco::File  FormFile{ Daemon()->AssetDir() + "/signup_verification_error.html"};
-                Types::StringPairVec    FormVars{ {"UUID", Id},
-                                                  {"ERROR_TEXT", "This request does not contain a valid user ID. Please contact your system administrator."}};
-                return SendHTMLFileBack(FormFile,FormVars);
-            }
+			SecurityObjects::ActionLink Link;
+			if (!StorageService()->ActionLinksDB().GetActionLink(Id, Link)) {
+				return DoReturnA404();
+			}

-            if(UInfo.blackListed || UInfo.suspended) {
-                Poco::File  FormFile{ Daemon()->AssetDir() + "/signup_verification_error.html"};
-                Types::StringPairVec    FormVars{ {"UUID", Id},
-                                                  {"ERROR_TEXT", "Please contact our system administrators. We have identified an error in your account that must be resolved first."}};
-                return SendHTMLFileBack(FormFile,FormVars);
-            }
+			if (now > Link.expires) {
+				StorageService()->ActionLinksDB().CancelAction(Id);
+				return DoReturnA404();
+			}

-            bool GoodPassword = AuthService()->SetSubPassword(Password1,UInfo);
-            if(!GoodPassword) {
-                Poco::File  FormFile{ Daemon()->AssetDir() + "/signup_verification_error.html"};
-                Types::StringPairVec    FormVars{ {"UUID", Id},
-                                                  {"ERROR_TEXT", "You cannot reuse one of your recent passwords."}};
-                return SendHTMLFileBack(FormFile,FormVars);
-            }
+			if (Password1 != Password2 || !AuthService()->ValidateSubPassword(Password1)) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/sub_password_reset_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id},
+					{"ERROR_TEXT",
+					 "For some reason, the passwords entered do not match or they do not comply "
+					 "with"
+					 " accepted password creation restrictions. Please consult our on-line help"
+					 " to look at the our password policy. If you would like to contact us, please "
+					 "mention"
+					 " id(" +
+						 Id + ")"}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}

-            UInfo.modified = OpenWifi::Now();
-            UInfo.changePassword = false;
-            UInfo.lastEmailCheck = OpenWifi::Now();
-            UInfo.waitingForEmailCheck = false;
-            UInfo.validated = OpenWifi::Now();
+			SecurityObjects::UserInfo UInfo;
+			bool Found = StorageService()->SubDB().GetUserById(Link.userId, UInfo);
+			if (!Found) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/sub_signup_verification_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id},
+					{"ERROR_TEXT", "This request does not contain a valid user ID. Please contact "
+								   "your system administrator."}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}

-            StorageService()->SubDB().UpdateUserInfo(UInfo.email,Link.userId,UInfo);
+			if (UInfo.blackListed || UInfo.suspended) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/sub_signup_verification_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id},
+					{"ERROR_TEXT", "Please contact our system administrators. We have identified "
+								   "an error in your account that must be resolved first."}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}

-            Poco::File  FormFile{ Daemon()->AssetDir() + "/signup_verification_success.html"};
-            Types::StringPairVec    FormVars{ {"UUID", Id},
-                                              {"USERNAME", UInfo.email} };
-            StorageService()->ActionLinksDB().CompleteAction(Id);
+			bool GoodPassword = AuthService()->SetSubPassword(Password1, UInfo);
+			if (!GoodPassword) {
+				Poco::File FormFile{Daemon()->AssetDir() + "/sub_signup_verification_error.html"};
+				Types::StringPairVec FormVars{
+					{"UUID", Id}, {"ERROR_TEXT", "You cannot reuse one of your recent passwords."}};
+				AddGlobalVars(FormVars);
+				return SendHTMLFileBack(FormFile, FormVars);
+			}

-            //  Send the update to the provisioning service
-            Poco::JSON::Object  Body;
-            Body.set("signupUUID", UInfo.signingUp);
-            OpenAPIRequestPut   ProvRequest(uSERVICE_PROVISIONING,"/api/v1/signup",
-                                            {
-                                                {"signupUUID", UInfo.signingUp} ,
-                                                {"operation", "emailVerified"}
-                                            },
-                                            Body,30000);
-            Logger().information(fmt::format("({}): Completed subscriber e-mail verification and password.",UInfo.email));
-            Poco::JSON::Object::Ptr Response;
-            auto Status = ProvRequest.Do(Response);
-            std::stringstream ooo;
-            if(Response!= nullptr)
-                Response->stringify(ooo);
-            Logger().information(fmt::format("({}): Completed subscriber e-mail verification. Provisioning notified, Error={}.",
-                                             UInfo.email, Status));
-            SendHTMLFileBack(FormFile,FormVars);
-            Logger().information(fmt::format("({}): Completed subscriber e-mail verification. FORM notified.",UInfo.email));
-        } else {
-            DoReturnA404();
-        }
-    }
+			UInfo.modified = OpenWifi::Now();
+			UInfo.changePassword = false;
+			UInfo.lastEmailCheck = OpenWifi::Now();
+			UInfo.waitingForEmailCheck = false;
+			UInfo.validated = OpenWifi::Now();

-    void RESTAPI_action_links::DoEmailVerification(SecurityObjects::ActionLink &Link) {
-        auto now = OpenWifi::Now();
+			StorageService()->SubDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);

-        if(now > Link.expires) {
-            StorageService()->ActionLinksDB().CancelAction(Link.id);
-            return DoReturnA404();
-        }
+			Poco::File FormFile{Daemon()->AssetDir() + "/sub_signup_verification_success.html"};
+			Types::StringPairVec FormVars{{"UUID", Id}, {"USERNAME", UInfo.email}};
+			StorageService()->ActionLinksDB().CompleteAction(Id);

-        SecurityObjects::UserInfo UInfo;
-        bool Found = Link.userAction ? StorageService()->UserDB().GetUserById(Link.userId,UInfo) : StorageService()->SubDB().GetUserById(Link.userId,UInfo);
-        if (!Found) {
-            Types::StringPairVec FormVars{{"UUID",       Link.id},
-                                          {"ERROR_TEXT", "This does not appear to be a valid email verification link.."}};
-            Poco::File FormFile{Daemon()->AssetDir() + "/email_verification_error.html"};
-            return SendHTMLFileBack(FormFile, FormVars);
-        }
+			//  Send the update to the provisioning service
+			Poco::JSON::Object Body;
+			auto RawSignup = Poco::StringTokenizer(UInfo.signingUp, ":");
+			Body.set("signupUUID", RawSignup.count() == 1 ? UInfo.signingUp : RawSignup[1]);
+			OpenAPIRequestPut ProvRequest(
+				uSERVICE_PROVISIONING, "/api/v1/signup",
+				{{"signupUUID", RawSignup.count() == 1 ? UInfo.signingUp : RawSignup[1]},
+				 {"operation", "emailVerified"}},
+				Body, 30000);
+			Logger().information(fmt::format(
+				"({}): Completed subscriber e-mail verification and password.", UInfo.email));
+			Poco::JSON::Object::Ptr Response;
+			auto Status = ProvRequest.Do(Response);
+			std::stringstream ooo;
+			if (Response != nullptr)
+				Response->stringify(ooo);
+			Logger().information(fmt::format(
+				"({}): Completed subscriber e-mail verification. Provisioning notified, Error={}.",
+				UInfo.email, Status));
+			AddGlobalVars(FormVars);
+			SendHTMLFileBack(FormFile, FormVars);
+			Logger().information(fmt::format(
+				"({}): Completed subscriber e-mail verification. FORM notified.", UInfo.email));
+		} else {
+			DoReturnA404();
+		}
+	}

-        Logger_.information(fmt::format("EMAIL-VERIFICATION(%s): For ID={}", Request->clientAddress().toString(), UInfo.email));
-        UInfo.waitingForEmailCheck = false;
-        UInfo.validated = true;
-        UInfo.lastEmailCheck = OpenWifi::Now();
-        UInfo.validationDate = OpenWifi::Now();
-        UInfo.modified  = OpenWifi::Now();
-        if(Link.userAction)
-            StorageService()->UserDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);
-        else
-            StorageService()->SubDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);
-        Types::StringPairVec FormVars{{"UUID",     Link.id},
-                                      {"USERNAME", UInfo.email},
-                                      {"ACTION_LINK",MicroService::instance().GetUIURI()}};
-        Poco::File FormFile{Daemon()->AssetDir() + "/email_verification_success.html"};
-        StorageService()->ActionLinksDB().CompleteAction(Link.id);
-        SendHTMLFileBack(FormFile, FormVars);
-    }
+	void RESTAPI_action_links::DoEmailVerification(SecurityObjects::ActionLink &Link) {
+		auto now = OpenWifi::Now();

-    void RESTAPI_action_links::DoReturnA404() {
-        Types::StringPairVec FormVars;
-        Poco::File FormFile{Daemon()->AssetDir() + "/404_error.html"};
-        SendHTMLFileBack(FormFile, FormVars);
-    }
+		if (now > Link.expires) {
+			StorageService()->ActionLinksDB().CancelAction(Link.id);
+			return DoReturnA404();
+		}

-}
+		SecurityObjects::UserInfo UInfo;
+		bool Found = Link.userAction ? StorageService()->UserDB().GetUserById(Link.userId, UInfo)
+									 : StorageService()->SubDB().GetUserById(Link.userId, UInfo);
+		if (!Found) {
+			Types::StringPairVec FormVars{
+				{"UUID", Link.id},
+				{"ERROR_TEXT", "This does not appear to be a valid email verification link.."}};
+			Poco::File FormFile{Daemon()->AssetDir() + "/email_verification_error.html"};
+			AddGlobalVars(FormVars);
+			return SendHTMLFileBack(FormFile, FormVars);
+		}
+
+		Logger_.information(fmt::format("EMAIL-VERIFICATION(%s): For ID={}",
+										Request->clientAddress().toString(), UInfo.email));
+		UInfo.waitingForEmailCheck = false;
+		UInfo.validated = true;
+		UInfo.lastEmailCheck = OpenWifi::Now();
+		UInfo.validationDate = OpenWifi::Now();
+		UInfo.modified = OpenWifi::Now();
+		if (Link.userAction)
+			StorageService()->UserDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);
+		else
+			StorageService()->SubDB().UpdateUserInfo(UInfo.email, Link.userId, UInfo);
+		Types::StringPairVec FormVars{{"UUID", Link.id},
+									  {"USERNAME", UInfo.email},
+									  {"ACTION_LINK", MicroService::instance().GetUIURI()}};
+		Poco::File FormFile{Daemon()->AssetDir() + "/email_verification_success.html"};
+		AddGlobalVars(FormVars);
+		StorageService()->ActionLinksDB().CompleteAction(Link.id);
+		SendHTMLFileBack(FormFile, FormVars);
+	}
+
+	void RESTAPI_action_links::DoReturnA404() {
+		Types::StringPairVec FormVars;
+		Poco::File FormFile{Daemon()->AssetDir() + "/404_error.html"};
+		AddGlobalVars(FormVars);
+		SendHTMLFileBack(FormFile, FormVars);
+	}
+
+	void RESTAPI_action_links::CompleteEmailInvitation() {
+		/// TODO:
+	}
+
+	void RESTAPI_action_links::RequestSubResetPassword(
+		[[maybe_unused]] SecurityObjects::ActionLink &Link) {}
+
+	void RESTAPI_action_links::DoSubEmailVerification(
+		[[maybe_unused]] SecurityObjects::ActionLink &Link) {}
+
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_action_links.h
+++ b/src/RESTAPI/RESTAPI_action_links.h
@@ -4,33 +4,35 @@

 #pragma once

-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-    class RESTAPI_action_links : public RESTAPIHandler {
-    public:
-        RESTAPI_action_links(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, uint64_t TransactionId, bool Internal)
-                : RESTAPIHandler(bindings, L,
-             std::vector<std::string>{
-                                        Poco::Net::HTTPRequest::HTTP_GET,
-                                        Poco::Net::HTTPRequest::HTTP_POST,
-                                        Poco::Net::HTTPRequest::HTTP_OPTIONS},
-                                        Server,
-                                        TransactionId,
-                                        Internal,
-                                        false,
-                                        true, RateLimit{.Interval=1000,.MaxCalls=10}) {}
-        static auto PathName() { return std::list<std::string>{"/api/v1/actionLink"}; };
-        void RequestResetPassword(SecurityObjects::ActionLink &Link);
-        void CompleteResetPassword();
-        void CompleteSubVerification();
-        void DoEmailVerification(SecurityObjects::ActionLink &Link);
-        void DoReturnA404();
-        void DoNewSubVerification(SecurityObjects::ActionLink &Link);
+	class RESTAPI_action_links : public RESTAPIHandler {
+	  public:
+		RESTAPI_action_links(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+							 RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+							 bool Internal)
+			: RESTAPIHandler(bindings, L,
+							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_GET,
+													  Poco::Net::HTTPRequest::HTTP_POST,
+													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+							 Server, TransactionId, Internal, false, true,
+							 RateLimit{.Interval = 1000, .MaxCalls = 10}) {}
+		static auto PathName() { return std::list<std::string>{"/api/v1/actionLink"}; };
+		void RequestResetPassword(SecurityObjects::ActionLink &Link);
+		void RequestSubResetPassword(SecurityObjects::ActionLink &Link);
+		void CompleteResetPassword();
+		void CompleteSubVerification();
+		void DoEmailVerification(SecurityObjects::ActionLink &Link);
+		void DoSubEmailVerification(SecurityObjects::ActionLink &Link);
+		void DoReturnA404();
+		void DoNewSubVerification(SecurityObjects::ActionLink &Link);
+		void CompleteEmailInvitation();
+		static void AddGlobalVars(Types::StringPairVec &Vars);

-        void DoGet() final;
-        void DoPost() final;
-        void DoDelete() final {};
-        void DoPut() final {};
-    };
-}
+		void DoGet() final;
+		void DoPost() final;
+		void DoDelete() final{};
+		void DoPut() final{};
+	};
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_apiKey_handler.cpp
+++ b/src/RESTAPI/RESTAPI_apiKey_handler.cpp
@@ -0,0 +1,165 @@
+//
+// Created by stephane bourque on 2022-11-04.
+//
+
+#include "RESTAPI_apiKey_handler.h"
+#include "RESTAPI/RESTAPI_db_helpers.h"
+
+namespace OpenWifi {
+
+	void RESTAPI_apiKey_handler::DoGet() {
+		std::string user_uuid = GetBinding("uuid", "");
+		if (user_uuid.empty()) {
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}
+		if (user_uuid != UserInfo_.userinfo.id &&
+			UserInfo_.userinfo.userRole != SecurityObjects::ROOT) {
+			return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+		}
+
+		SecurityObjects::ApiKeyEntryList List;
+		if (DB_.GetRecords(0, 500, List.apiKeys, fmt::format(" userUuid='{}' ", user_uuid))) {
+			for (auto &key : List.apiKeys) {
+				Sanitize(UserInfo_, key);
+			}
+			Poco::JSON::Object Answer;
+			List.to_json(Answer);
+			return ReturnObject(Answer);
+		}
+		return NotFound();
+	}
+
+	void RESTAPI_apiKey_handler::DoDelete() {
+		std::string user_uuid = GetBinding("uuid", "");
+		if (user_uuid.empty()) {
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}
+
+		if (user_uuid != UserInfo_.userinfo.id &&
+			UserInfo_.userinfo.userRole != SecurityObjects::ROOT) {
+			return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+		}
+
+		if (user_uuid != UserInfo_.userinfo.id) {
+			if (!StorageService()->UserDB().Exists("id", user_uuid)) {
+				return NotFound();
+			}
+		}
+
+		std::string ApiKeyId = GetParameter("keyUuid", "");
+		if (ApiKeyId.empty()) {
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}
+
+		SecurityObjects::ApiKeyEntry ApiKey;
+		if (StorageService()->ApiKeyDB().GetRecord("id", ApiKeyId, ApiKey)) {
+			if (ApiKey.userUuid == user_uuid) {
+				AuthService()->RemoveTokenSystemWide(ApiKey.apiKey);
+				DB_.DeleteRecord("id", ApiKeyId);
+				return OK();
+			}
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}
+		return NotFound();
+	}
+
+	void RESTAPI_apiKey_handler::DoPost() {
+		std::string user_uuid = GetBinding("uuid", "");
+
+		if (user_uuid.empty()) {
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}
+
+		if (user_uuid != UserInfo_.userinfo.id &&
+			UserInfo_.userinfo.userRole != SecurityObjects::ROOT) {
+			return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+		}
+
+		if (user_uuid != UserInfo_.userinfo.id) {
+			//  Must verify if the user exists
+			if (!StorageService()->UserDB().Exists("id", user_uuid)) {
+				return BadRequest(RESTAPI::Errors::UserMustExist);
+			}
+		}
+
+		SecurityObjects::ApiKeyEntry NewKey;
+		if (!NewKey.from_json(ParsedBody_)) {
+			return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+		}
+		NewKey.lastUse = 0;
+
+		if (!Utils::IsAlphaNumeric(NewKey.name) || NewKey.name.empty()) {
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}
+
+		Poco::toLowerInPlace(NewKey.name);
+		NewKey.userUuid = user_uuid;
+		if (NewKey.expiresOn < Utils::Now()) {
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}
+
+		//  does a key of that name already exit for this user?
+		SecurityObjects::ApiKeyEntryList ExistingList;
+		if (DB_.GetRecords(0, 500, ExistingList.apiKeys,
+						   fmt::format(" userUuid='{}' ", user_uuid))) {
+			if (std::find_if(ExistingList.apiKeys.begin(), ExistingList.apiKeys.end(),
+							 [NewKey](const SecurityObjects::ApiKeyEntry &E) -> bool {
+								 return E.name == NewKey.name;
+							 }) != ExistingList.apiKeys.end()) {
+				return BadRequest(RESTAPI::Errors::ApiKeyNameAlreadyExists);
+			}
+		}
+
+		if (ExistingList.apiKeys.size() >= 10) {
+			return BadRequest(RESTAPI::Errors::TooManyApiKeys);
+		}
+
+		NewKey.id = MicroServiceCreateUUID();
+		NewKey.userUuid = user_uuid;
+		NewKey.salt = std::to_string(Utils::Now());
+		NewKey.apiKey = Utils::ComputeHash(NewKey.salt, UserInfo_.userinfo.id,
+										   UserInfo_.webtoken.access_token_);
+		NewKey.created = Utils::Now();
+
+		if (DB_.CreateRecord(NewKey)) {
+			Poco::JSON::Object Answer;
+			NewKey.to_json(Answer);
+			return ReturnObject(Answer);
+		}
+		return BadRequest(RESTAPI::Errors::RecordNotCreated);
+	}
+
+	void RESTAPI_apiKey_handler::DoPut() {
+		std::string user_uuid = GetBinding("uuid", "");
+		if (user_uuid.empty()) {
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}
+		if (user_uuid != UserInfo_.userinfo.id &&
+			UserInfo_.userinfo.userRole != SecurityObjects::ROOT) {
+			return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+		}
+		SecurityObjects::ApiKeyEntry NewKey;
+		if (!NewKey.from_json(ParsedBody_)) {
+			return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+		}
+
+		SecurityObjects::ApiKeyEntry ExistingKey;
+		if (!DB_.GetRecord("id", NewKey.id, ExistingKey)) {
+			return BadRequest(RESTAPI::Errors::ApiKeyDoesNotExist);
+		}
+
+		if (ExistingKey.userUuid != user_uuid) {
+			return BadRequest(RESTAPI::Errors::MissingUserID);
+		}
+
+		AssignIfPresent(ParsedBody_, "description", ExistingKey.description);
+
+		if (DB_.UpdateRecord("id", ExistingKey.id, ExistingKey)) {
+			Poco::JSON::Object Answer;
+			ExistingKey.to_json(Answer);
+			return ReturnObject(Answer);
+		}
+		BadRequest(RESTAPI::Errors::RecordNotUpdated);
+	}
+
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_apiKey_handler.h
+++ b/src/RESTAPI/RESTAPI_apiKey_handler.h
@@ -0,0 +1,32 @@
+//
+// Created by stephane bourque on 2022-11-04.
+//
+
+#pragma once
+
+#include "StorageService.h"
+#include "framework/RESTAPI_Handler.h"
+namespace OpenWifi {
+	class RESTAPI_apiKey_handler : public RESTAPIHandler {
+	  public:
+		RESTAPI_apiKey_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+							   RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+							   bool Internal)
+			: RESTAPIHandler(bindings, L,
+							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_GET,
+													  Poco::Net::HTTPRequest::HTTP_PUT,
+													  Poco::Net::HTTPRequest::HTTP_POST,
+													  Poco::Net::HTTPRequest::HTTP_DELETE,
+													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+							 Server, TransactionId, Internal) {}
+		static auto PathName() { return std::list<std::string>{"/api/v1/apiKey/{uuid}"}; };
+
+	  private:
+		ApiKeyDB &DB_ = StorageService()->ApiKeyDB();
+
+		void DoGet() final;
+		void DoPut() final;
+		void DoPost() final;
+		void DoDelete() final;
+	};
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_asset_server.cpp
+++ b/src/RESTAPI/RESTAPI_asset_server.cpp
@@ -3,23 +3,23 @@
 //

 #include "RESTAPI_asset_server.h"
+#include "Daemon.h"
 #include "Poco/File.h"
 #include "framework/ow_constants.h"
-#include "Daemon.h"

 namespace OpenWifi {
-    void RESTAPI_asset_server::DoGet() {
-        Poco::File  AssetFile;
+	void RESTAPI_asset_server::DoGet() {
+		Poco::File AssetFile;

-        if(Request->getURI().find("/favicon.ico") != std::string::npos) {
-            AssetFile = Daemon()->AssetDir() + "/favicon.ico";
-        } else {
-            std::string AssetName = GetBinding(RESTAPI::Protocol::ID, "");
-            AssetFile = Daemon()->AssetDir() + "/" + AssetName;
-        }
-        if(!AssetFile.isFile()) {
-            return NotFound();
-        }
-        SendFile(AssetFile);
-    }
-}
+		if (Request->getURI().find("/favicon.ico") != std::string::npos) {
+			AssetFile = Daemon()->AssetDir() + "/favicon.ico";
+		} else {
+			std::string AssetName = GetBinding(RESTAPI::Protocol::ID, "");
+			AssetFile = Daemon()->AssetDir() + "/" + AssetName;
+		}
+		if (!AssetFile.isFile()) {
+			return NotFound();
+		}
+		SendFile(AssetFile);
+	}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_asset_server.h
+++ b/src/RESTAPI/RESTAPI_asset_server.h
@@ -4,31 +4,29 @@

 #pragma once

-#include "../framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-    class RESTAPI_asset_server : public RESTAPIHandler {
-    public:
-        RESTAPI_asset_server(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, uint64_t TransactionId, bool Internal)
-                : RESTAPIHandler(bindings, L,
-                                 std::vector<std::string>
-                                         {Poco::Net::HTTPRequest::HTTP_POST,
-                                          Poco::Net::HTTPRequest::HTTP_GET,
-                                          Poco::Net::HTTPRequest::HTTP_PUT,
-                                          Poco::Net::HTTPRequest::HTTP_DELETE,
-                                          Poco::Net::HTTPRequest::HTTP_OPTIONS},
-                                          Server,
-                                          TransactionId,
-                                          Internal, false) {}
-        static auto PathName() { return std::list<std::string>{"/wwwassets/{id}" ,
-                                                                                         "/favicon.ico"}; };
-        void DoGet() final;
-        void DoPost() final {};
-        void DoDelete() final {};
-        void DoPut() final {};
-
-    private:
-
-    };
-}
+	class RESTAPI_asset_server : public RESTAPIHandler {
+	  public:
+		RESTAPI_asset_server(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+							 RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+							 bool Internal)
+			: RESTAPIHandler(bindings, L,
+							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
+													  Poco::Net::HTTPRequest::HTTP_GET,
+													  Poco::Net::HTTPRequest::HTTP_PUT,
+													  Poco::Net::HTTPRequest::HTTP_DELETE,
+													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+							 Server, TransactionId, Internal, false) {}
+		static auto PathName() {
+			return std::list<std::string>{"/wwwassets/{id}", "/favicon.ico"};
+		};
+		void DoGet() final;
+		void DoPost() final{};
+		void DoDelete() final{};
+		void DoPut() final{};

+	  private:
+	};
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_avatar_handler.cpp
+++ b/src/RESTAPI/RESTAPI_avatar_handler.cpp
@@ -5,78 +5,85 @@
 #include <fstream>
 #include <iostream>

+#include "Poco/CountingStream.h"
+#include "Poco/Net/HTMLForm.h"
 #include "RESTAPI_avatar_handler.h"
 #include "StorageService.h"
-#include "Poco/Net/HTMLForm.h"
-#include "framework/MicroService.h"
+#include "framework/MicroServiceFuncs.h"

 namespace OpenWifi {

-    void AvatarPartHandler::handlePart(const Poco::Net::MessageHeader &Header, std::istream &Stream) {
-        FileType_ = Header.get(RESTAPI::Protocol::CONTENTTYPE, RESTAPI::Protocol::UNSPECIFIED);
-        if (Header.has(RESTAPI::Protocol::CONTENTDISPOSITION)) {
-            std::string Disposition;
-            Poco::Net::NameValueCollection Parameters;
-            Poco::Net::MessageHeader::splitParameters(Header[RESTAPI::Protocol::CONTENTDISPOSITION], Disposition, Parameters);
-            Name_ = Parameters.get(RESTAPI::Protocol::NAME, RESTAPI::Protocol::UNNAMED);
-        }
-        Poco::CountingInputStream InputStream(Stream);
-        Poco::StreamCopier::copyStream(InputStream, OutputStream_);
-        Length_ = OutputStream_.str().size();
-    };
+	void AvatarPartHandler::handlePart(const Poco::Net::MessageHeader &Header,
+									   std::istream &Stream) {
+		FileType_ = Header.get(RESTAPI::Protocol::CONTENTTYPE, RESTAPI::Protocol::UNSPECIFIED);
+		if (Header.has(RESTAPI::Protocol::CONTENTDISPOSITION)) {
+			std::string Disposition;
+			Poco::Net::NameValueCollection Parameters;
+			Poco::Net::MessageHeader::splitParameters(Header[RESTAPI::Protocol::CONTENTDISPOSITION],
+													  Disposition, Parameters);
+			Name_ = Parameters.get(RESTAPI::Protocol::NAME, RESTAPI::Protocol::UNNAMED);
+		}
+		Poco::CountingInputStream InputStream(Stream);
+		Poco::StreamCopier::copyStream(InputStream, OutputStream_);
+		Length_ = OutputStream_.str().size();
+	};

-    void RESTAPI_avatar_handler::DoPost() {
-        std::string Id = UserInfo_.userinfo.id;
-        SecurityObjects::UserInfo UInfo;
+	void RESTAPI_avatar_handler::DoPost() {
+		std::string Id = UserInfo_.userinfo.id;
+		SecurityObjects::UserInfo UInfo;

-        std::stringstream SS;
-        AvatarPartHandler partHandler(Id, Logger_, SS);
-        Poco::Net::HTMLForm form(*Request, Request->stream(), partHandler);
-        Poco::JSON::Object Answer;
+		std::stringstream SS;
+		AvatarPartHandler partHandler(Id, Logger_, SS);
+		Poco::Net::HTMLForm form(*Request, Request->stream(), partHandler);
+		Poco::JSON::Object Answer;

-        if (!partHandler.Name().empty() && partHandler.Length()< MicroService::instance().ConfigGetInt("openwifi.avatar.maxsize",2000000)) {
-            Answer.set(RESTAPI::Protocol::AVATARID, Id);
-            Answer.set(RESTAPI::Protocol::ERRORCODE, 0);
-            Logger_.information(fmt::format("Uploaded avatar: {} Type: {}", partHandler.Name(), partHandler.ContentType()));
-            StorageService()->AvatarDB().SetAvatar(UserInfo_.userinfo.email,
-                                 Id, SS.str(), partHandler.ContentType(), partHandler.Name());
-            StorageService()->UserDB().SetAvatar(Id,"1");
-            Logger().information(fmt::format("Adding avatar for {}",UserInfo_.userinfo.email));
-        } else {
-            Answer.set(RESTAPI::Protocol::AVATARID, Id);
-            Answer.set(RESTAPI::Protocol::ERRORCODE, 13);
-            Answer.set(RESTAPI::Protocol::ERRORTEXT, "Avatar upload could not complete.");
-        }
-        ReturnObject(Answer);
-    }
+		if (!partHandler.Name().empty() &&
+			partHandler.Length() < MicroServiceConfigGetInt("openwifi.avatar.maxsize", 2000000)) {
+			Answer.set(RESTAPI::Protocol::AVATARID, Id);
+			Answer.set(RESTAPI::Protocol::ERRORCODE, 0);
+			Logger_.information(fmt::format("Uploaded avatar: {} Type: {}", partHandler.Name(),
+											partHandler.ContentType()));
+			StorageService()->AvatarDB().SetAvatar(UserInfo_.userinfo.email, Id, SS.str(),
+												   partHandler.ContentType(), partHandler.Name());
+			StorageService()->UserDB().SetAvatar(Id, "1");
+			Logger().information(fmt::format("Adding avatar for {}", UserInfo_.userinfo.email));
+		} else {
+			Answer.set(RESTAPI::Protocol::AVATARID, Id);
+			Answer.set(RESTAPI::Protocol::ERRORCODE, 13);
+			Answer.set(RESTAPI::Protocol::ERRORTEXT, "Avatar upload could not complete.");
+		}
+		ReturnObject(Answer);
+	}

-    void RESTAPI_avatar_handler::DoGet() {
-        std::string Id = GetBinding(RESTAPI::Protocol::ID, "");
-        if (Id.empty()) {
-            return NotFound();
-        }
+	void RESTAPI_avatar_handler::DoGet() {
+		std::string Id = GetBinding(RESTAPI::Protocol::ID, "");
+		if (Id.empty()) {
+			return NotFound();
+		}

-        std::string Type, Name, AvatarContent;
-        if (!StorageService()->AvatarDB().GetAvatar(UserInfo_.userinfo.email, Id, AvatarContent, Type, Name)) {
-            return NotFound();
-        }
-        Logger().information(fmt::format("Retrieving avatar for {}, size:{}",UserInfo_.userinfo.email,AvatarContent.size()));
-        return SendFileContent(AvatarContent, Type, Name);
-    }
+		std::string Type, Name, AvatarContent;
+		if (!StorageService()->AvatarDB().GetAvatar(UserInfo_.userinfo.email, Id, AvatarContent,
+													Type, Name)) {
+			return NotFound();
+		}
+		Logger().information(fmt::format("Retrieving avatar for {}, size:{}",
+										 UserInfo_.userinfo.email, AvatarContent.size()));
+		return SendFileContent(AvatarContent, Type, Name);
+	}

-    void RESTAPI_avatar_handler::DoDelete() {
-        std::string Id = GetBinding(RESTAPI::Protocol::ID, "");
+	void RESTAPI_avatar_handler::DoDelete() {
+		std::string Id = GetBinding(RESTAPI::Protocol::ID, "");

-        if(UserInfo_.userinfo.userRole!=SecurityObjects::ROOT && Id!=UserInfo_.userinfo.id) {
-            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
-        }
+		if (UserInfo_.userinfo.userRole != SecurityObjects::ROOT && Id != UserInfo_.userinfo.id) {
+			return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+		}

-        if (!StorageService()->AvatarDB().DeleteAvatar(UserInfo_.userinfo.email, Id)) {
-            return NotFound();
-        }
+		if (!StorageService()->AvatarDB().DeleteAvatar(UserInfo_.userinfo.email, Id)) {
+			return NotFound();
+		}

-        Logger().information(fmt::format("Deleted avatar for {}",UserInfo_.userinfo.email));
-        StorageService()->UserDB().SetAvatar(Id,"");
-        OK();
-    }
-}
+		Logger().information(fmt::format("Deleted avatar for {}", UserInfo_.userinfo.email));
+		StorageService()->UserDB().SetAvatar(Id, "");
+		OK();
+	}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_avatar_handler.h
+++ b/src/RESTAPI/RESTAPI_avatar_handler.h
@@ -3,51 +3,47 @@
 //
 #pragma once

-#include "framework/MicroService.h"
+#include "Poco/Net/PartHandler.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {

-    class AvatarPartHandler : public Poco::Net::PartHandler {
-    public:
-        AvatarPartHandler(std::string Id, Poco::Logger &Logger, std::stringstream & ofs) :
-                Id_(std::move(Id)),
-                Logger_(Logger),
-                OutputStream_(ofs){
-        }
-        void handlePart(const Poco::Net::MessageHeader &Header, std::istream &Stream);
-        [[nodiscard]] uint64_t Length() const { return Length_; }
-        [[nodiscard]] std::string &Name() { return Name_; }
-        [[nodiscard]] std::string &ContentType() { return FileType_; }
+	class AvatarPartHandler : public Poco::Net::PartHandler {
+	  public:
+		AvatarPartHandler(std::string Id, Poco::Logger &Logger, std::stringstream &ofs)
+			: Id_(std::move(Id)), Logger_(Logger), OutputStream_(ofs) {}
+		void handlePart(const Poco::Net::MessageHeader &Header, std::istream &Stream);
+		[[nodiscard]] uint64_t Length() const { return Length_; }
+		[[nodiscard]] std::string &Name() { return Name_; }
+		[[nodiscard]] std::string &ContentType() { return FileType_; }

-    private:
-        uint64_t        Length_ = 0;
-        std::string     FileType_;
-        std::string     Name_;
-        std::string     Id_;
-        Poco::Logger    &Logger_;
-        std::stringstream &OutputStream_;
+	  private:
+		uint64_t Length_ = 0;
+		std::string FileType_;
+		std::string Name_;
+		std::string Id_;
+		Poco::Logger &Logger_;
+		std::stringstream &OutputStream_;

-        inline Poco::Logger & Logger() { return Logger_; };
-    };
+		inline Poco::Logger &Logger() { return Logger_; };
+	};

-    class RESTAPI_avatar_handler : public RESTAPIHandler {
-    public:
-        RESTAPI_avatar_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, uint64_t TransactionId, bool Internal)
-                : RESTAPIHandler(bindings, L,
-                                 std::vector<std::string>{
-                                         Poco::Net::HTTPRequest::HTTP_GET,
-                                         Poco::Net::HTTPRequest::HTTP_POST,
-                                         Poco::Net::HTTPRequest::HTTP_DELETE,
-                                         Poco::Net::HTTPRequest::HTTP_OPTIONS},
-                                         Server,
-                                         TransactionId,
-                                         Internal) {}
-        static auto PathName() { return std::list<std::string>{"/api/v1/avatar/{id}"}; };
+	class RESTAPI_avatar_handler : public RESTAPIHandler {
+	  public:
+		RESTAPI_avatar_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+							   RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+							   bool Internal)
+			: RESTAPIHandler(bindings, L,
+							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_GET,
+													  Poco::Net::HTTPRequest::HTTP_POST,
+													  Poco::Net::HTTPRequest::HTTP_DELETE,
+													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+							 Server, TransactionId, Internal) {}
+		static auto PathName() { return std::list<std::string>{"/api/v1/avatar/{id}"}; };

-        void DoGet() final;
-        void DoPost() final;
-        void DoDelete() final;
-        void DoPut() final {};
-
-    };
-}
+		void DoGet() final;
+		void DoPost() final;
+		void DoDelete() final;
+		void DoPut() final{};
+	};
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_db_helpers.h
+++ b/src/RESTAPI/RESTAPI_db_helpers.h
@@ -8,10 +8,15 @@

 namespace OpenWifi {

-    inline void Sanitize([[maybe_unused]] const SecurityObjects::UserInfoAndPolicy &User, SecurityObjects::UserInfo & U) {
-        U.currentPassword.clear();
-        U.lastPasswords.clear();
-        U.oauthType.clear();
-    }
+	inline void Sanitize([[maybe_unused]] const SecurityObjects::UserInfoAndPolicy &User,
+						 SecurityObjects::UserInfo &U) {
+		U.currentPassword.clear();
+		U.lastPasswords.clear();
+		U.oauthType.clear();
+	}

-}
+	inline void Sanitize([[maybe_unused]] const SecurityObjects::UserInfoAndPolicy &User,
+						 SecurityObjects::ApiKeyEntry &U) {
+		U.salt.clear();
+	}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_email_handler.cpp
+++ b/src/RESTAPI/RESTAPI_email_handler.cpp
@@ -3,36 +3,29 @@
 //

 #include "RESTAPI_email_handler.h"
-
-
-#include "Poco/Exception.h"
 #include "Poco/JSON/Parser.h"

 #include "SMTPMailerService.h"
 #include "framework/ow_constants.h"
-#include "framework/MicroService.h"

 namespace OpenWifi {
-    void RESTAPI_email_handler::DoPost() {
-        const auto & Obj = ParsedBody_;
-        if (Obj->has("subject") &&
-            Obj->has("from") &&
-            Obj->has("text") &&
-            Obj->has("recipients") &&
-            Obj->isArray("recipients")) {
+	void RESTAPI_email_handler::DoPost() {
+		const auto &Obj = ParsedBody_;
+		if (Obj->has("subject") && Obj->has("from") && Obj->has("text") && Obj->has("recipients") &&
+			Obj->isArray("recipients")) {

-            Poco::JSON::Array::Ptr Recipients = Obj->getArray("recipients");
-            auto Recipient = Recipients->get(0).toString();
-            MessageAttributes Attrs;
-            Attrs[RECIPIENT_EMAIL] = Recipient;
-            Attrs[SUBJECT] = Obj->get("subject").toString();
-            Attrs[TEXT] = Obj->get("text").toString();
-            Attrs[SENDER] = Obj->get("from").toString();
-            if(SMTPMailerService()->SendMessage(Recipient, "password_reset.txt", Attrs)) {
-                return OK();
-            }
-            return ReturnStatus(Poco::Net::HTTPResponse::HTTP_SERVICE_UNAVAILABLE);
-        }
-        BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
-    }
-}
+			Poco::JSON::Array::Ptr Recipients = Obj->getArray("recipients");
+			auto Recipient = Recipients->get(0).toString();
+			MessageAttributes Attrs;
+			Attrs[RECIPIENT_EMAIL] = Recipient;
+			Attrs[SUBJECT] = Obj->get("subject").toString();
+			Attrs[TEXT] = Obj->get("text").toString();
+			Attrs[SENDER] = Obj->get("from").toString();
+			if (SMTPMailerService()->SendMessage(Recipient, "password_reset.txt", Attrs, false)) {
+				return OK();
+			}
+			return ReturnStatus(Poco::Net::HTTPResponse::HTTP_SERVICE_UNAVAILABLE);
+		}
+		BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+	}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_email_handler.h
+++ b/src/RESTAPI/RESTAPI_email_handler.h
@@ -4,22 +4,22 @@

 #pragma once

-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-    class RESTAPI_email_handler : public RESTAPIHandler {
-    public:
-        RESTAPI_email_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, uint64_t TransactionId, bool Internal)
-        : RESTAPIHandler(bindings, L,
-                         std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
-                                                  Poco::Net::HTTPRequest::HTTP_OPTIONS},
-                                                  Server,
-                                                  TransactionId,
-                                                  Internal) {}
-        static auto PathName() { return std::list<std::string>{"/api/v1/email"};}
-        void DoGet() final {};
-        void DoPost() final;
-        void DoDelete() final {};
-        void DoPut() final {};
-    };
-}
+	class RESTAPI_email_handler : public RESTAPIHandler {
+	  public:
+		RESTAPI_email_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+							  RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+							  bool Internal)
+			: RESTAPIHandler(bindings, L,
+							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
+													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+							 Server, TransactionId, Internal) {}
+		static auto PathName() { return std::list<std::string>{"/api/v1/email"}; }
+		void DoGet() final{};
+		void DoPost() final;
+		void DoDelete() final{};
+		void DoPut() final{};
+	};
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_oauth2_handler.cpp
+++ b/src/RESTAPI/RESTAPI_oauth2_handler.cpp
@@ -9,170 +9,176 @@
 #include "Poco/JSON/Parser.h"

 #include "AuthService.h"
-#include "RESTAPI_oauth2_handler.h"
 #include "MFAServer.h"
-#include "framework/ow_constants.h"
-#include "framework/MicroService.h"
-#include "StorageService.h"
 #include "RESTAPI_db_helpers.h"
+#include "RESTAPI_oauth2_handler.h"
+#include "StorageService.h"
+#include "framework/MicroService.h"
+#include "framework/ow_constants.h"

 namespace OpenWifi {

-    void RESTAPI_oauth2_handler::DoGet() {
-        bool Expired = false, Contacted = false;
-        if (!IsAuthorized(Expired, Contacted)) {
-            if (Expired)
-                return UnAuthorized(RESTAPI::Errors::EXPIRED_TOKEN);
-            return UnAuthorized(RESTAPI::Errors::INVALID_TOKEN);
-        }
-        if (GetBoolParameter(RESTAPI::Protocol::ME)) {
-            Logger_.information(fmt::format("REQUEST-ME({}): Request for {}", Request->clientAddress().toString(),
-                                            UserInfo_.userinfo.email));
-            Poco::JSON::Object Me;
-            SecurityObjects::UserInfo ReturnedUser = UserInfo_.userinfo;
-            Sanitize(UserInfo_, ReturnedUser);
-            ReturnedUser.to_json(Me);
-            return ReturnObject(Me);
-        }
-        BadRequest(RESTAPI::Errors::UnrecognizedRequest);
-    }
+	void RESTAPI_oauth2_handler::DoGet() {
+		bool Expired = false, Contacted = false;
+		if (!IsAuthorized(Expired, Contacted)) {
+			if (Expired)
+				return UnAuthorized(RESTAPI::Errors::EXPIRED_TOKEN);
+			return UnAuthorized(RESTAPI::Errors::INVALID_TOKEN);
+		}
+		if (GetBoolParameter(RESTAPI::Protocol::ME)) {
+			Logger_.information(fmt::format("REQUEST-ME({}): Request for {}",
+											Request->clientAddress().toString(),
+											UserInfo_.userinfo.email));
+			Poco::JSON::Object Me;
+			SecurityObjects::UserInfo ReturnedUser = UserInfo_.userinfo;
+			Sanitize(UserInfo_, ReturnedUser);
+			ReturnedUser.to_json(Me);
+			return ReturnObject(Me);
+		}
+		BadRequest(RESTAPI::Errors::UnrecognizedRequest);
+	}

-    void RESTAPI_oauth2_handler::DoDelete() {
-        auto Token = GetBinding(RESTAPI::Protocol::TOKEN, "");
-        std::string SessionToken;
-        try {
-            Poco::Net::OAuth20Credentials Auth(*Request);
-            if (Auth.getScheme() == "Bearer") {
-                SessionToken = Auth.getBearerToken();
-            }
-        } catch (const Poco::Exception &E) {
-            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
-        }
-        if (Token.empty() || (Token != SessionToken)) {
-            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
-        }
+	void RESTAPI_oauth2_handler::DoDelete() {
+		auto Token = GetBinding(RESTAPI::Protocol::TOKEN, "");
+		std::string SessionToken;
+		try {
+			Poco::Net::OAuth20Credentials Auth(*Request);
+			if (Auth.getScheme() == "Bearer") {
+				SessionToken = Auth.getBearerToken();
+			}
+		} catch (const Poco::Exception &E) {
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}
+		if (Token.empty() || (Token != SessionToken)) {
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}

-        AuthService()->Logout(Token);
-        return ReturnStatus(Poco::Net::HTTPResponse::HTTP_NO_CONTENT, true);
-    }
+		AuthService()->Logout(Token);
+		return ReturnStatus(Poco::Net::HTTPResponse::HTTP_NO_CONTENT, true);
+	}

 	void RESTAPI_oauth2_handler::DoPost() {

-        const auto & Obj = ParsedBody_;
-        if(Obj == nullptr) {
-            return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
-        }
+		const auto &Obj = ParsedBody_;
+		if (Obj == nullptr) {
+			return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+		}

-        auto userId = GetS(RESTAPI::Protocol::USERID, Obj);
-        auto password = GetS(RESTAPI::Protocol::PASSWORD, Obj);
-        auto newPassword = GetS(RESTAPI::Protocol::NEWPASSWORD, Obj);
-        auto refreshToken = GetS("refreshToken", Obj);
-        auto grant_type = GetParameter("grant_type");
+		auto userId = GetS(RESTAPI::Protocol::USERID, Obj);
+		auto password = GetS(RESTAPI::Protocol::PASSWORD, Obj);
+		auto newPassword = GetS(RESTAPI::Protocol::NEWPASSWORD, Obj);
+		auto refreshToken = GetS("refreshToken", Obj);
+		auto grant_type = GetParameter("grant_type");

-        Poco::toLowerInPlace(userId);
+		Poco::toLowerInPlace(userId);

-        if(!refreshToken.empty() && grant_type == "refresh_token") {
-            SecurityObjects::UserInfoAndPolicy UInfo;
-            if(AuthService()->RefreshUserToken(*Request, refreshToken, UInfo)) {
-                Poco::JSON::Object  Answer;
-                UInfo.webtoken.to_json(Answer);
-                return ReturnObject(Answer);
-            } else {
-                return UnAuthorized(RESTAPI::Errors::CANNOT_REFRESH_TOKEN);
-            }
-        }
+		if (!refreshToken.empty() && grant_type == "refresh_token") {
+			SecurityObjects::UserInfoAndPolicy UInfo;
+			if (AuthService()->RefreshUserToken(*Request, refreshToken, UInfo)) {
+				Poco::JSON::Object Answer;
+				UInfo.webtoken.to_json(Answer);
+				return ReturnObject(Answer);
+			} else {
+				return UnAuthorized(RESTAPI::Errors::CANNOT_REFRESH_TOKEN);
+			}
+		}

-        if(GetBoolParameter(RESTAPI::Protocol::REQUIREMENTS)) {
-            Logger_.information(fmt::format("POLICY-REQUEST({}): Request.", Request->clientAddress().toString()));
-            Poco::JSON::Object  Answer;
-            Answer.set(RESTAPI::Protocol::PASSWORDPATTERN, AuthService()->PasswordValidationExpression());
-            Answer.set(RESTAPI::Protocol::ACCESSPOLICY, AuthService()->GetAccessPolicy());
-            Answer.set(RESTAPI::Protocol::PASSWORDPOLICY, AuthService()->GetPasswordPolicy());
-            return ReturnObject(Answer);
-        }
+		if (GetBoolParameter(RESTAPI::Protocol::REQUIREMENTS)) {
+			Logger_.information(
+				fmt::format("POLICY-REQUEST({}): Request.", Request->clientAddress().toString()));
+			Poco::JSON::Object Answer;
+			Answer.set(RESTAPI::Protocol::PASSWORDPATTERN,
+					   AuthService()->PasswordValidationExpression());
+			Answer.set(RESTAPI::Protocol::ACCESSPOLICY, AuthService()->GetAccessPolicy());
+			Answer.set(RESTAPI::Protocol::PASSWORDPOLICY, AuthService()->GetPasswordPolicy());
+			return ReturnObject(Answer);
+		}

-        if(GetBoolParameter(RESTAPI::Protocol::FORGOTPASSWORD)) {
-            SecurityObjects::UserInfo UInfo1;
-            auto UserExists = StorageService()->UserDB().GetUserByEmail(userId,UInfo1);
-            if(UserExists) {
-                Logger_.information(fmt::format("FORGOTTEN-PASSWORD({}): Request for {}", Request->clientAddress().toString(), userId));
-                SecurityObjects::ActionLink NewLink;
+		if (GetBoolParameter(RESTAPI::Protocol::FORGOTPASSWORD)) {
+			SecurityObjects::UserInfo UInfo1;
+			auto UserExists = StorageService()->UserDB().GetUserByEmail(userId, UInfo1);
+			if (UserExists) {
+				Logger_.information(fmt::format("FORGOTTEN-PASSWORD({}): Request for {}",
+												Request->clientAddress().toString(), userId));
+				SecurityObjects::ActionLink NewLink;

-                NewLink.action = OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD;
-                NewLink.id = MicroService::CreateUUID();
-                NewLink.userId = UInfo1.id;
-                NewLink.created = OpenWifi::Now();
-                NewLink.expires = NewLink.created + (24*60*60);
-                NewLink.userAction = true;
-                StorageService()->ActionLinksDB().CreateAction(NewLink);
+				NewLink.action = OpenWifi::SecurityObjects::LinkActions::FORGOT_PASSWORD;
+				NewLink.id = MicroService::CreateUUID();
+				NewLink.userId = UInfo1.id;
+				NewLink.created = OpenWifi::Now();
+				NewLink.expires = NewLink.created + (24 * 60 * 60);
+				NewLink.userAction = true;
+				StorageService()->ActionLinksDB().CreateAction(NewLink);

-                Poco::JSON::Object ReturnObj;
-                SecurityObjects::UserInfoAndPolicy UInfo;
-                UInfo.webtoken.userMustChangePassword = true;
-                UInfo.webtoken.to_json(ReturnObj);
-                return ReturnObject(ReturnObj);
-            } else {
-                Poco::JSON::Object ReturnObj;
-                SecurityObjects::UserInfoAndPolicy UInfo;
-                UInfo.webtoken.userMustChangePassword = true;
-                UInfo.webtoken.to_json(ReturnObj);
-                return ReturnObject(ReturnObj);
-            }
-        }
+				Poco::JSON::Object ReturnObj;
+				SecurityObjects::UserInfoAndPolicy UInfo;
+				UInfo.webtoken.userMustChangePassword = true;
+				UInfo.webtoken.to_json(ReturnObj);
+				return ReturnObject(ReturnObj);
+			} else {
+				Poco::JSON::Object ReturnObj;
+				SecurityObjects::UserInfoAndPolicy UInfo;
+				UInfo.webtoken.userMustChangePassword = true;
+				UInfo.webtoken.to_json(ReturnObj);
+				return ReturnObject(ReturnObj);
+			}
+		}

-        if(GetBoolParameter(RESTAPI::Protocol::RESENDMFACODE)) {
-            Logger_.information(fmt::format("RESEND-MFA-CODE({}): Request for {}", Request->clientAddress().toString(), userId));
-            if(Obj->has("uuid")) {
-                auto uuid = Obj->get("uuid").toString();
-                if(MFAServer()->ResendCode(uuid))
-                    return OK();
-            }
-            return UnAuthorized(RESTAPI::Errors::BAD_MFA_TRANSACTION);
-        }
+		if (GetBoolParameter(RESTAPI::Protocol::RESENDMFACODE)) {
+			Logger_.information(fmt::format("RESEND-MFA-CODE({}): Request for {}",
+											Request->clientAddress().toString(), userId));
+			if (Obj->has("uuid")) {
+				auto uuid = Obj->get("uuid").toString();
+				if (MFAServer()->ResendCode(uuid))
+					return OK();
+			}
+			return UnAuthorized(RESTAPI::Errors::BAD_MFA_TRANSACTION);
+		}

-        if(GetBoolParameter(RESTAPI::Protocol::COMPLETEMFACHALLENGE,false)) {
-            Logger_.information(fmt::format("COMPLETE-MFA-CHALLENGE({}): Request for {}", Request->clientAddress().toString(), userId));
-            if(Obj->has("uuid")) {
-                SecurityObjects::UserInfoAndPolicy UInfo;
-                if(MFAServer()->CompleteMFAChallenge(Obj,UInfo)) {
-                    Poco::JSON::Object ReturnObj;
-                    UInfo.webtoken.to_json(ReturnObj);
-                    return ReturnObject(ReturnObj);
-                }
-            }
-            return UnAuthorized(RESTAPI::Errors::MFA_FAILURE);
-        }
+		if (GetBoolParameter(RESTAPI::Protocol::COMPLETEMFACHALLENGE, false)) {
+			Logger_.information(fmt::format("COMPLETE-MFA-CHALLENGE({}): Request for {}",
+											Request->clientAddress().toString(), userId));
+			if (Obj->has("uuid")) {
+				SecurityObjects::UserInfoAndPolicy UInfo;
+				if (MFAServer()->CompleteMFAChallenge(Obj, UInfo)) {
+					Poco::JSON::Object ReturnObj;
+					UInfo.webtoken.to_json(ReturnObj);
+					return ReturnObject(ReturnObj);
+				}
+			}
+			return UnAuthorized(RESTAPI::Errors::MFA_FAILURE);
+		}

-        SecurityObjects::UserInfoAndPolicy UInfo;
-        bool Expired=false;
-        auto Code=AuthService()->Authorize(userId, password, newPassword, UInfo, Expired);
-        if (Code==SUCCESS) {
-            Poco::JSON::Object ReturnObj;
-            if(AuthService()->RequiresMFA(UInfo)) {
-                if(MFAServer()->StartMFAChallenge(UInfo, ReturnObj)) {
-                    return ReturnObject(ReturnObj);
-                }
-                Logger_.warning("MFA Seems to be broken. Please fix. Disabling MFA checking for now.");
-            }
-            UInfo.webtoken.to_json(ReturnObj);
-            return ReturnObject(ReturnObj);
-        } else {
-
-            switch(Code) {
-                case INVALID_CREDENTIALS:
-                    return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
-                case PASSWORD_INVALID:
-                    return UnAuthorized(RESTAPI::Errors::PASSWORD_INVALID);
-                case PASSWORD_ALREADY_USED:
-                    return UnAuthorized(RESTAPI::Errors::PASSWORD_ALREADY_USED);
-                case USERNAME_PENDING_VERIFICATION:
-                    return UnAuthorized(RESTAPI::Errors::USERNAME_PENDING_VERIFICATION);
-                case PASSWORD_CHANGE_REQUIRED:
-                    return UnAuthorized(RESTAPI::Errors::PASSWORD_CHANGE_REQUIRED);
-                default:
-                    return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
-            }
-            return;
-        }
+		SecurityObjects::UserInfoAndPolicy UInfo;
+		bool Expired = false;
+		auto Code = AuthService()->Authorize(userId, password, newPassword, UInfo, Expired);
+		switch (Code) {
+		case SUCCESS: {
+			Poco::JSON::Object ReturnObj;
+			if (AuthService()->RequiresMFA(UInfo)) {
+				if (MFAServer()->StartMFAChallenge(UInfo, ReturnObj)) {
+					return ReturnObject(ReturnObj);
+				}
+				Logger_.warning(
+					"MFA Seems to be broken. Please fix. Disabling MFA checking for now.");
+			}
+			UInfo.webtoken.to_json(ReturnObj);
+			return ReturnObject(ReturnObj);
+		}
+		case INVALID_CREDENTIALS:
+			return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
+		case PASSWORD_INVALID:
+			return UnAuthorized(RESTAPI::Errors::PASSWORD_INVALID);
+		case PASSWORD_ALREADY_USED:
+			return UnAuthorized(RESTAPI::Errors::PASSWORD_ALREADY_USED);
+		case USERNAME_PENDING_VERIFICATION:
+			return UnAuthorized(RESTAPI::Errors::USERNAME_PENDING_VERIFICATION);
+		case PASSWORD_CHANGE_REQUIRED:
+			return UnAuthorized(RESTAPI::Errors::PASSWORD_CHANGE_REQUIRED);
+		case ACCOUNT_SUSPENDED:
+			return UnAuthorized(RESTAPI::Errors::ACCOUNT_SUSPENDED);
+		default:
+			return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
+		}
 	}
-}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_oauth2_handler.h
+++ b/src/RESTAPI/RESTAPI_oauth2_handler.h
@@ -7,26 +7,27 @@
 //

 #pragma once
-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
 	class RESTAPI_oauth2_handler : public RESTAPIHandler {
 	  public:
-	    RESTAPI_oauth2_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, uint64_t TransactionId, bool Internal)
+		RESTAPI_oauth2_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+							   RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+							   bool Internal)
 			: RESTAPIHandler(bindings, L,
 							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
 													  Poco::Net::HTTPRequest::HTTP_DELETE,
-                                                      Poco::Net::HTTPRequest::HTTP_GET,
+													  Poco::Net::HTTPRequest::HTTP_GET,
 													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
-													  Server,
-                                                      TransactionId,
-													  Internal, false, true , RateLimit{.Interval=1000,.MaxCalls=10}) {}
-        static auto PathName() { return std::list<std::string>{"/api/v1/oauth2/{token}","/api/v1/oauth2"}; };
+							 Server, TransactionId, Internal, false, true,
+							 RateLimit{.Interval = 1000, .MaxCalls = 10}) {}
+		static auto PathName() {
+			return std::list<std::string>{"/api/v1/oauth2/{token}", "/api/v1/oauth2"};
+		};
 		void DoGet() final;
 		void DoPost() final;
 		void DoDelete() final;
-		void DoPut() final {};
+		void DoPut() final{};
 	};
-}
-
-
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_preferences.cpp
+++ b/src/RESTAPI/RESTAPI_preferences.cpp
@@ -7,30 +7,30 @@

 namespace OpenWifi {

-    void RESTAPI_preferences::DoGet() {
-        SecurityObjects::Preferences    P;
-        Poco::JSON::Object  Answer;
-        StorageService()->PreferencesDB().GetPreferences(UserInfo_.userinfo.id, P);
-        P.to_json(Answer);
-        ReturnObject(Answer);
-    }
+	void RESTAPI_preferences::DoGet() {
+		SecurityObjects::Preferences P;
+		Poco::JSON::Object Answer;
+		StorageService()->PreferencesDB().GetPreferences(UserInfo_.userinfo.id, P);
+		P.to_json(Answer);
+		ReturnObject(Answer);
+	}

-    void RESTAPI_preferences::DoPut() {
+	void RESTAPI_preferences::DoPut() {

-        SecurityObjects::Preferences    P;
+		SecurityObjects::Preferences P;

-        const auto & RawObject = ParsedBody_;
-        if(!P.from_json(RawObject)) {
-            return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
-        }
+		const auto &RawObject = ParsedBody_;
+		if (!P.from_json(RawObject)) {
+			return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+		}

-        P.id = UserInfo_.userinfo.id;
-        P.modified = OpenWifi::Now();
-        StorageService()->PreferencesDB().SetPreferences(P);
+		P.id = UserInfo_.userinfo.id;
+		P.modified = OpenWifi::Now();
+		StorageService()->PreferencesDB().SetPreferences(P);

-        Poco::JSON::Object  Answer;
-        P.to_json(Answer);
-        ReturnObject(Answer);
-    }
+		Poco::JSON::Object Answer;
+		P.to_json(Answer);
+		ReturnObject(Answer);
+	}

-}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_preferences.h
+++ b/src/RESTAPI/RESTAPI_preferences.h
@@ -4,24 +4,23 @@

 #pragma once

-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-    class RESTAPI_preferences : public RESTAPIHandler {
-    public:
-        RESTAPI_preferences(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, uint64_t TransactionId, bool Internal)
-        : RESTAPIHandler(bindings, L,
-                         std::vector<std::string>{
-            Poco::Net::HTTPRequest::HTTP_GET,
-            Poco::Net::HTTPRequest::HTTP_PUT,
-            Poco::Net::HTTPRequest::HTTP_OPTIONS},
-            Server,
-            TransactionId,
-            Internal) {}
-        static auto PathName() { return std::list<std::string>{"/api/v1/preferences"}; };
-        void DoGet() final;
-        void DoPut() final;
-        void DoPost() final {};
-        void DoDelete() final {};
-    };
-}
+	class RESTAPI_preferences : public RESTAPIHandler {
+	  public:
+		RESTAPI_preferences(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+							RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+							bool Internal)
+			: RESTAPIHandler(bindings, L,
+							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_GET,
+													  Poco::Net::HTTPRequest::HTTP_PUT,
+													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+							 Server, TransactionId, Internal) {}
+		static auto PathName() { return std::list<std::string>{"/api/v1/preferences"}; };
+		void DoGet() final;
+		void DoPut() final;
+		void DoPost() final{};
+		void DoDelete() final{};
+	};
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_routers.cpp
+++ b/src/RESTAPI/RESTAPI_routers.cpp
@@ -1,87 +1,67 @@
-//
+ //
 // Created by stephane bourque on 2021-10-23.
 //

-#include "framework/MicroService.h"
-
-#include "RESTAPI/RESTAPI_oauth2_handler.h"
-#include "RESTAPI/RESTAPI_user_handler.h"
-#include "RESTAPI/RESTAPI_users_handler.h"
 #include "RESTAPI/RESTAPI_action_links.h"
-#include "RESTAPI/RESTAPI_system_endpoints_handler.h"
+#include "RESTAPI/RESTAPI_apiKey_handler.h"
 #include "RESTAPI/RESTAPI_asset_server.h"
 #include "RESTAPI/RESTAPI_avatar_handler.h"
-#include "RESTAPI/RESTAPI_subavatar_handler.h"
 #include "RESTAPI/RESTAPI_email_handler.h"
-#include "RESTAPI/RESTAPI_sms_handler.h"
-#include "RESTAPI/RESTAPI_validate_token_handler.h"
+#include "RESTAPI/RESTAPI_oauth2_handler.h"
 #include "RESTAPI/RESTAPI_preferences.h"
-#include "RESTAPI/RESTAPI_subpreferences.h"
+#include "RESTAPI/RESTAPI_signup_handler.h"
+#include "RESTAPI/RESTAPI_sms_handler.h"
+#include "RESTAPI/RESTAPI_subavatar_handler.h"
+#include "RESTAPI/RESTAPI_submfa_handler.h"
 #include "RESTAPI/RESTAPI_suboauth2_handler.h"
+#include "RESTAPI/RESTAPI_subpreferences.h"
+#include "RESTAPI/RESTAPI_subtotp_handler.h"
 #include "RESTAPI/RESTAPI_subuser_handler.h"
 #include "RESTAPI/RESTAPI_subusers_handler.h"
-#include "RESTAPI/RESTAPI_validate_sub_token_handler.h"
-#include "RESTAPI/RESTAPI_submfa_handler.h"
+#include "RESTAPI/RESTAPI_system_endpoints_handler.h"
 #include "RESTAPI/RESTAPI_totp_handler.h"
-#include "RESTAPI/RESTAPI_subtotp_handler.h"
-#include "RESTAPI/RESTAPI_signup_handler.h"
+#include "RESTAPI/RESTAPI_user_handler.h"
+#include "RESTAPI/RESTAPI_users_handler.h"
+#include "RESTAPI/RESTAPI_validate_apikey.h"
+#include "RESTAPI/RESTAPI_validate_sub_token_handler.h"
+#include "RESTAPI/RESTAPI_validate_token_handler.h"
+
+#include "RESTAPI_systemSecret_handler.h"
+#include "framework/RESTAPI_SystemCommand.h"
+#include "framework/RESTAPI_WebSocketServer.h"
+#include "framework/RESTAPI_SystemConfiguration.h"

 namespace OpenWifi {

-    Poco::Net::HTTPRequestHandler * RESTAPI_ExtRouter(const std::string &Path, RESTAPIHandler::BindingMap &Bindings,
-                                                            Poco::Logger & L, RESTAPI_GenericServer & S, uint64_t TransactionId) {
-        return RESTAPI_Router<
-            RESTAPI_oauth2_handler,
-            RESTAPI_user_handler,
-            RESTAPI_users_handler,
-            RESTAPI_system_command,
-            RESTAPI_asset_server,
-            RESTAPI_system_endpoints_handler,
-            RESTAPI_action_links,
-            RESTAPI_avatar_handler,
-            RESTAPI_subavatar_handler,
-            RESTAPI_email_handler,
-            RESTAPI_sms_handler,
-            RESTAPI_preferences,
-            RESTAPI_subpreferences,
-            RESTAPI_suboauth2_handler,
-            RESTAPI_subuser_handler,
-            RESTAPI_subusers_handler,
-            RESTAPI_submfa_handler,
-            RESTAPI_totp_handler,
-            RESTAPI_subtotp_handler,
-            RESTAPI_signup_handler,
-            RESTAPI_validate_sub_token_handler,
-            RESTAPI_validate_token_handler
-        >(Path, Bindings, L, S,TransactionId);
-    }
+	Poco::Net::HTTPRequestHandler *
+	RESTAPI_ExtRouter(const std::string &Path, RESTAPIHandler::BindingMap &Bindings,
+					  Poco::Logger &L, RESTAPI_GenericServerAccounting &S, uint64_t TransactionId) {
+		return RESTAPI_Router<
+			RESTAPI_oauth2_handler, RESTAPI_user_handler, RESTAPI_users_handler,
+			RESTAPI_system_command, RESTAPI_system_configuration, RESTAPI_asset_server, RESTAPI_system_endpoints_handler,
+			RESTAPI_action_links, RESTAPI_avatar_handler, RESTAPI_subavatar_handler,
+			RESTAPI_email_handler, RESTAPI_sms_handler, RESTAPI_preferences, RESTAPI_subpreferences,
+			RESTAPI_suboauth2_handler, RESTAPI_subuser_handler, RESTAPI_subusers_handler,
+			RESTAPI_submfa_handler, RESTAPI_totp_handler, RESTAPI_subtotp_handler,
+			RESTAPI_signup_handler, RESTAPI_validate_sub_token_handler,
+			RESTAPI_validate_token_handler, RESTAPI_validate_apikey, RESTAPI_webSocketServer,
+			RESTAPI_apiKey_handler, RESTAPI_systemSecret_handler>(Path, Bindings, L, S,
+																  TransactionId);
+	}

-    Poco::Net::HTTPRequestHandler * RESTAPI_IntRouter(const std::string &Path, RESTAPIHandler::BindingMap &Bindings,
-                                                            Poco::Logger & L, RESTAPI_GenericServer & S, uint64_t TransactionId) {
+	Poco::Net::HTTPRequestHandler *
+	RESTAPI_IntRouter(const std::string &Path, RESTAPIHandler::BindingMap &Bindings,
+					  Poco::Logger &L, RESTAPI_GenericServerAccounting &S, uint64_t TransactionId) {

-        return RESTAPI_Router_I<
-            RESTAPI_oauth2_handler,
-            RESTAPI_user_handler,
-            RESTAPI_users_handler,
-            RESTAPI_system_command,
-            RESTAPI_asset_server,
-            RESTAPI_system_endpoints_handler,
-            RESTAPI_action_links,
-            RESTAPI_avatar_handler,
-            RESTAPI_subavatar_handler,
-            RESTAPI_email_handler,
-            RESTAPI_sms_handler,
-            RESTAPI_preferences,
-            RESTAPI_subpreferences,
-            RESTAPI_suboauth2_handler,
-            RESTAPI_subuser_handler,
-            RESTAPI_subusers_handler,
-            RESTAPI_submfa_handler,
-            RESTAPI_totp_handler,
-            RESTAPI_subtotp_handler,
-            RESTAPI_validate_sub_token_handler,
-            RESTAPI_validate_token_handler,
-            RESTAPI_signup_handler
-        >(Path, Bindings, L, S, TransactionId);
-    }
-}
+		return RESTAPI_Router_I<
+			RESTAPI_oauth2_handler, RESTAPI_user_handler, RESTAPI_users_handler,
+			RESTAPI_system_command, RESTAPI_system_configuration, RESTAPI_asset_server, RESTAPI_system_endpoints_handler,
+			RESTAPI_action_links, RESTAPI_avatar_handler, RESTAPI_subavatar_handler,
+			RESTAPI_email_handler, RESTAPI_sms_handler, RESTAPI_preferences, RESTAPI_subpreferences,
+			RESTAPI_suboauth2_handler, RESTAPI_subuser_handler, RESTAPI_subusers_handler,
+			RESTAPI_submfa_handler, RESTAPI_totp_handler, RESTAPI_subtotp_handler,
+			RESTAPI_validate_sub_token_handler, RESTAPI_validate_token_handler,
+			RESTAPI_validate_apikey, RESTAPI_signup_handler, RESTAPI_systemSecret_handler>(
+			Path, Bindings, L, S, TransactionId);
+	}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_signup_handler.cpp
+++ b/src/RESTAPI/RESTAPI_signup_handler.cpp
@@ -3,71 +3,74 @@
 //

 #include "RESTAPI_signup_handler.h"
-#include "StorageService.h"
 #include "RESTObjects/RESTAPI_SecurityObjects.h"
+#include "StorageService.h"
+#include "framework/MicroServiceFuncs.h"

 #define __DBG__ std::cout << __LINE__ << std::endl;
 namespace OpenWifi {

-    void RESTAPI_signup_handler::DoPost() {
-        auto UserName = GetParameter("email");
-        auto signupUUID = GetParameter("signupUUID");
-        auto owner = GetParameter("owner");
-        if(UserName.empty() || signupUUID.empty() || owner.empty()) {
-            Logger().error("Signup requires: email, signupUUID, and owner.");
-            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
-        }
+	void RESTAPI_signup_handler::DoPost() {
+		auto UserName = GetParameter("email");
+		auto signupUUID = GetParameter("signupUUID");
+		auto owner = GetParameter("owner");
+		auto operatorName = GetParameter("operatorName");
+		if (UserName.empty() || signupUUID.empty() || owner.empty() || operatorName.empty()) {
+			Logger().error("Signup requires: email, signupUUID, operatorName, and owner.");
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}

-        if(!Utils::ValidEMailAddress(UserName)) {
-            return BadRequest(RESTAPI::Errors::InvalidEmailAddress);
-        }
+		if (!Utils::ValidEMailAddress(UserName)) {
+			return BadRequest(RESTAPI::Errors::InvalidEmailAddress);
+		}

-        // Do we already exist? Can only signup once...
-        SecurityObjects::UserInfo   Existing;
-        if(StorageService()->SubDB().GetUserByEmail(UserName,Existing)) {
-            if(Existing.signingUp.empty()) {
-                return BadRequest(RESTAPI::Errors::SignupAlreadySigned);
-            }
+		// Do we already exist? Can only signup once...
+		SecurityObjects::UserInfo Existing;
+		if (StorageService()->SubDB().GetUserByEmail(UserName, Existing)) {
+			if (Existing.signingUp.empty()) {
+				return BadRequest(RESTAPI::Errors::SignupAlreadySigned);
+			}

-            if(Existing.waitingForEmailCheck) {
-                return BadRequest(RESTAPI::Errors::SignupEmailCheck);
-            }
+			if (Existing.waitingForEmailCheck) {
+				return BadRequest(RESTAPI::Errors::SignupEmailCheck);
+			}

-            return BadRequest(RESTAPI::Errors::SignupWaitingForDevice);
-        }
+			return BadRequest(RESTAPI::Errors::SignupWaitingForDevice);
+		}

-        SecurityObjects::UserInfo   NewSub;
-        NewSub.signingUp = signupUUID;
-        NewSub.waitingForEmailCheck = true;
-        NewSub.name = UserName;
-        NewSub.modified = OpenWifi::Now();
-        NewSub.creationDate = OpenWifi::Now();
-        NewSub.id = MicroService::instance().CreateUUID();
-        NewSub.email = UserName;
-        NewSub.userRole = SecurityObjects::SUBSCRIBER;
-        NewSub.changePassword = true;
-        NewSub.owner = owner;
+		SecurityObjects::UserInfo NewSub;
+		NewSub.signingUp = operatorName + ":" + signupUUID;
+		NewSub.waitingForEmailCheck = true;
+		NewSub.name = UserName;
+		NewSub.modified = OpenWifi::Now();
+		NewSub.creationDate = OpenWifi::Now();
+		NewSub.id = MicroServiceCreateUUID();
+		NewSub.email = UserName;
+		NewSub.userRole = SecurityObjects::SUBSCRIBER;
+		NewSub.changePassword = true;
+		NewSub.owner = owner;

-        StorageService()->SubDB().CreateRecord(NewSub);
+		StorageService()->SubDB().CreateRecord(NewSub);

-        Logger_.information(fmt::format("SIGNUP-PASSWORD({}): Request for {}", Request->clientAddress().toString(), UserName));
-        SecurityObjects::ActionLink NewLink;
+		Logger_.information(fmt::format("SIGNUP-PASSWORD({}): Request for {}",
+										Request->clientAddress().toString(), UserName));
+		SecurityObjects::ActionLink NewLink;

-        NewLink.action = OpenWifi::SecurityObjects::LinkActions::SUB_SIGNUP;
-        NewLink.id = MicroService::CreateUUID();
-        NewLink.userId = NewSub.id;
-        NewLink.created = OpenWifi::Now();
-        NewLink.expires = NewLink.created + (1*60*60);  // 1 hour
-        NewLink.userAction = false;
-        StorageService()->ActionLinksDB().CreateAction(NewLink);
+		NewLink.action = OpenWifi::SecurityObjects::LinkActions::SUB_SIGNUP;
+		NewLink.id = MicroServiceCreateUUID();
+		NewLink.userId = NewSub.id;
+		NewLink.created = OpenWifi::Now();
+		NewLink.expires = NewLink.created + (1 * 60 * 60); // 1 hour
+		NewLink.userAction = false;
+		StorageService()->ActionLinksDB().CreateAction(NewLink);

-        Poco::JSON::Object  Answer;
-        NewSub.to_json(Answer);
-        return ReturnObject(Answer);
-    }
+		Poco::JSON::Object Answer;
+		NewSub.to_json(Answer);
+		return ReturnObject(Answer);
+	}

-    void RESTAPI_signup_handler::DoPut() {
-        // TODO
-    }
+	void RESTAPI_signup_handler::DoPut() {
+		// TODO
+	}

-}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_signup_handler.h
+++ b/src/RESTAPI/RESTAPI_signup_handler.h
@@ -4,36 +4,35 @@

 #pragma once

-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-    class RESTAPI_signup_handler : public RESTAPIHandler {
-    public:
-        RESTAPI_signup_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer & Server, uint64_t TransactionId, bool Internal)
-                : RESTAPIHandler(bindings, L,
-                                 std::vector<std::string>{
-                                         Poco::Net::HTTPRequest::HTTP_POST,
-                                         Poco::Net::HTTPRequest::HTTP_OPTIONS,
-                                         Poco::Net::HTTPRequest::HTTP_PUT},
-                                 Server,
-                                 TransactionId,
-                                 Internal, false, true ){}
+	class RESTAPI_signup_handler : public RESTAPIHandler {
+	  public:
+		RESTAPI_signup_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+							   RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+							   bool Internal)
+			: RESTAPIHandler(bindings, L,
+							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
+													  Poco::Net::HTTPRequest::HTTP_OPTIONS,
+													  Poco::Net::HTTPRequest::HTTP_PUT},
+							 Server, TransactionId, Internal, false, true) {}

-        static auto PathName() { return std::list<std::string>{"/api/v1/signup"}; };
+		static auto PathName() { return std::list<std::string>{"/api/v1/signup"}; };

-/*        inline bool RoleIsAuthorized(std::string & Reason) {
-            if(UserInfo_.userinfo.userRole != SecurityObjects::USER_ROLE::SUBSCRIBER) {
-                Reason = "User must be a subscriber";
-                return false;
-            }
-            return true;
-        }
-*/
-        void DoGet() final {};
-        void DoPost() final;
-        void DoPut() final ;
-        void DoDelete() final {};
-    private:
+		/*        inline bool RoleIsAuthorized(std::string & Reason) {
+					if(UserInfo_.userinfo.userRole != SecurityObjects::USER_ROLE::SUBSCRIBER) {
+						Reason = "User must be a subscriber";
+						return false;
+					}
+					return true;
+				}
+		*/
+		void DoGet() final{};
+		void DoPost() final;
+		void DoPut() final;
+		void DoDelete() final{};

-    };
-}
+	  private:
+	};
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_sms_handler.cpp
+++ b/src/RESTAPI/RESTAPI_sms_handler.cpp
@@ -5,55 +5,53 @@
 #include "RESTAPI_sms_handler.h"
 #include "SMSSender.h"
 #include "framework/ow_constants.h"
-#include "framework/MicroService.h"

 namespace OpenWifi {

-    void OpenWifi::RESTAPI_sms_handler::DoPost() {
-        const auto &Obj = ParsedBody_;
+	void OpenWifi::RESTAPI_sms_handler::DoPost() {
+		const auto &Obj = ParsedBody_;

-        if(!SMSSender()->Enabled()) {
-            return BadRequest(RESTAPI::Errors::SMSMFANotEnabled);
-        }
+		if (!SMSSender()->Enabled()) {
+			return BadRequest(RESTAPI::Errors::SMSMFANotEnabled);
+		}

-        std::string Arg;
-        if(HasParameter("validateNumber",Arg) && Arg=="true" && Obj->has("to")) {
-            auto Number = Obj->get("to").toString();
-            if(SMSSender()->StartValidation(Number, UserInfo_.userinfo.email)) {
-                return OK();
-            }
-            return BadRequest(RESTAPI::Errors::SMSCouldNotBeSentRetry);
-        }
+		std::string Arg;
+		if (HasParameter("validateNumber", Arg) && Arg == "true" && Obj->has("to")) {
+			auto Number = Obj->get("to").toString();
+			if (SMSSender()->StartValidation(Number, UserInfo_.userinfo.email)) {
+				return OK();
+			}
+			return BadRequest(RESTAPI::Errors::SMSCouldNotBeSentRetry);
+		}

-        std::string Code;
-        if( HasParameter("completeValidation",Arg) &&
-            Arg=="true" &&
-            HasParameter("validationCode", Code) &&
-            Obj->has("to")) {
-            auto Number = Obj->get("to").toString();
-            if(SMSSender()->CompleteValidation(Number, Code, UserInfo_.userinfo.email)) {
-                return OK();
-            }
-            return BadRequest(RESTAPI::Errors::SMSCouldNotValidate);
-        }
+		std::string Code;
+		if (HasParameter("completeValidation", Arg) && Arg == "true" &&
+			HasParameter("validationCode", Code) && Obj->has("to")) {
+			auto Number = Obj->get("to").toString();
+			if (SMSSender()->CompleteValidation(Number, Code, UserInfo_.userinfo.email)) {
+				return OK();
+			}
+			return BadRequest(RESTAPI::Errors::SMSCouldNotValidate);
+		}

-        if( UserInfo_.userinfo.userRole!=SecurityObjects::ROOT &&
-            UserInfo_.userinfo.userRole!=SecurityObjects::PARTNER &&
-            UserInfo_.userinfo.userRole!=SecurityObjects::ADMIN) {
-            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
-        }
+        if(Internal_) {
+            poco_information(Logger(),fmt::format("Internal SMS request: TID={}", TransactionId_));
+        } else if (UserInfo_.userinfo.userRole != SecurityObjects::ROOT &&
+			UserInfo_.userinfo.userRole != SecurityObjects::PARTNER &&
+			UserInfo_.userinfo.userRole != SecurityObjects::ADMIN) {
+			return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+		}

-        if (Obj->has("to") &&
-            Obj->has("text")) {
+		if (Obj->has("to") && Obj->has("text")) {

-            std::string PhoneNumber = Obj->get("to").toString();
-            std::string Text = Obj->get("text").toString();
-            if(SMSSender()->Send(PhoneNumber, Text))
-                return OK();
+			std::string PhoneNumber = Obj->get("to").toString();
+			std::string Text = Obj->get("text").toString();
+			if (SMSSender()->Send(PhoneNumber, Text))
+				return OK();

-            return InternalError(RESTAPI::Errors::SMSCouldNotBeSentRetry);
-        }
-        BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
-    }
+			return InternalError(RESTAPI::Errors::SMSCouldNotBeSentRetry);
+		}
+		BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+	}

-}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_sms_handler.h
+++ b/src/RESTAPI/RESTAPI_sms_handler.h
@@ -4,22 +4,22 @@

 #pragma once

-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-    class RESTAPI_sms_handler : public RESTAPIHandler {
-    public:
-        RESTAPI_sms_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, uint64_t TransactionId, bool Internal)
-        : RESTAPIHandler(bindings, L,
-                         std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
-                                                  Poco::Net::HTTPRequest::HTTP_OPTIONS},
-                                                  Server,
-                                                  TransactionId,
-                                                  Internal) {}
-        static auto PathName() { return std::list<std::string>{"/api/v1/sms"};}
-        void DoGet() final {};
-        void DoPost() final;
-        void DoDelete() final {};
-        void DoPut() final {};
-    };
-}
+	class RESTAPI_sms_handler : public RESTAPIHandler {
+	  public:
+		RESTAPI_sms_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+							RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+							bool Internal)
+			: RESTAPIHandler(bindings, L,
+							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
+													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+							 Server, TransactionId, Internal) {}
+		static auto PathName() { return std::list<std::string>{"/api/v1/sms"}; }
+		void DoGet() final{};
+		void DoPost() final;
+		void DoDelete() final{};
+		void DoPut() final{};
+	};
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_subavatar_handler.cpp
+++ b/src/RESTAPI/RESTAPI_subavatar_handler.cpp
@@ -5,77 +5,84 @@
 #include <fstream>
 #include <iostream>

+#include "Poco/CountingStream.h"
+#include "Poco/Net/HTMLForm.h"
 #include "RESTAPI_subavatar_handler.h"
 #include "StorageService.h"
-#include "Poco/Net/HTMLForm.h"
-#include "framework/MicroService.h"
+#include "framework/MicroServiceFuncs.h"

 namespace OpenWifi {

-    void SubAvatarPartHandler::handlePart(const Poco::Net::MessageHeader &Header, std::istream &Stream) {
-        FileType_ = Header.get(RESTAPI::Protocol::CONTENTTYPE, RESTAPI::Protocol::UNSPECIFIED);
-        if (Header.has(RESTAPI::Protocol::CONTENTDISPOSITION)) {
-            std::string Disposition;
-            Poco::Net::NameValueCollection Parameters;
-            Poco::Net::MessageHeader::splitParameters(Header[RESTAPI::Protocol::CONTENTDISPOSITION], Disposition, Parameters);
-            Name_ = Parameters.get(RESTAPI::Protocol::NAME, RESTAPI::Protocol::UNNAMED);
-        }
-        Poco::CountingInputStream InputStream(Stream);
-        Poco::StreamCopier::copyStream(InputStream, OutputStream_);
-        Length_ = OutputStream_.str().size();
-    };
+	void SubAvatarPartHandler::handlePart(const Poco::Net::MessageHeader &Header,
+										  std::istream &Stream) {
+		FileType_ = Header.get(RESTAPI::Protocol::CONTENTTYPE, RESTAPI::Protocol::UNSPECIFIED);
+		if (Header.has(RESTAPI::Protocol::CONTENTDISPOSITION)) {
+			std::string Disposition;
+			Poco::Net::NameValueCollection Parameters;
+			Poco::Net::MessageHeader::splitParameters(Header[RESTAPI::Protocol::CONTENTDISPOSITION],
+													  Disposition, Parameters);
+			Name_ = Parameters.get(RESTAPI::Protocol::NAME, RESTAPI::Protocol::UNNAMED);
+		}
+		Poco::CountingInputStream InputStream(Stream);
+		Poco::StreamCopier::copyStream(InputStream, OutputStream_);
+		Length_ = OutputStream_.str().size();
+	};

-    void RESTAPI_subavatar_handler::DoPost() {
-        std::string Id = UserInfo_.userinfo.id;
-        SecurityObjects::UserInfo UInfo;
+	void RESTAPI_subavatar_handler::DoPost() {
+		std::string Id = UserInfo_.userinfo.id;
+		SecurityObjects::UserInfo UInfo;

-        std::stringstream SS;
-        SubAvatarPartHandler partHandler(Id, Logger_, SS);
-        Poco::Net::HTMLForm form(*Request, Request->stream(), partHandler);
-        Poco::JSON::Object Answer;
+		std::stringstream SS;
+		SubAvatarPartHandler partHandler(Id, Logger_, SS);
+		Poco::Net::HTMLForm form(*Request, Request->stream(), partHandler);
+		Poco::JSON::Object Answer;

-        if (!partHandler.Name().empty() && partHandler.Length()< MicroService::instance().ConfigGetInt("openwifi.avatar.maxsize",2000000)) {
-            Answer.set(RESTAPI::Protocol::AVATARID, Id);
-            Answer.set(RESTAPI::Protocol::ERRORCODE, 0);
-            Logger_.information(fmt::format("Uploaded avatar: {} Type: {}", partHandler.Name(), partHandler.ContentType()));
-            StorageService()->SubAvatarDB().SetAvatar(UserInfo_.userinfo.email,
-                                 Id, SS.str(), partHandler.ContentType(), partHandler.Name());
-            StorageService()->SubDB().SetAvatar(Id,"1");
-            Logger().information(fmt::format("Adding avatar for {}",UserInfo_.userinfo.email));
-        } else {
-            Answer.set(RESTAPI::Protocol::AVATARID, Id);
-            Answer.set(RESTAPI::Protocol::ERRORCODE, 13);
-            Answer.set(RESTAPI::Protocol::ERRORTEXT, "Avatar upload could not complete.");
-        }
-        ReturnObject(Answer);
-    }
+		if (!partHandler.Name().empty() &&
+			partHandler.Length() < MicroServiceConfigGetInt("openwifi.avatar.maxsize", 2000000)) {
+			Answer.set(RESTAPI::Protocol::AVATARID, Id);
+			Answer.set(RESTAPI::Protocol::ERRORCODE, 0);
+			Logger_.information(fmt::format("Uploaded avatar: {} Type: {}", partHandler.Name(),
+											partHandler.ContentType()));
+			StorageService()->SubAvatarDB().SetAvatar(UserInfo_.userinfo.email, Id, SS.str(),
+													  partHandler.ContentType(),
+													  partHandler.Name());
+			StorageService()->SubDB().SetAvatar(Id, "1");
+			Logger().information(fmt::format("Adding avatar for {}", UserInfo_.userinfo.email));
+		} else {
+			Answer.set(RESTAPI::Protocol::AVATARID, Id);
+			Answer.set(RESTAPI::Protocol::ERRORCODE, 13);
+			Answer.set(RESTAPI::Protocol::ERRORTEXT, "Avatar upload could not complete.");
+		}
+		ReturnObject(Answer);
+	}

-    void RESTAPI_subavatar_handler::DoGet() {
-        std::string Id = GetBinding(RESTAPI::Protocol::ID, "");
-        if (Id.empty()) {
-            return NotFound();
-        }
+	void RESTAPI_subavatar_handler::DoGet() {
+		std::string Id = GetBinding(RESTAPI::Protocol::ID, "");
+		if (Id.empty()) {
+			return NotFound();
+		}

-        std::string Type, Name, AvatarContent;
-        if (!StorageService()->SubAvatarDB().GetAvatar(UserInfo_.userinfo.email, Id, AvatarContent, Type, Name)) {
-            return NotFound();
-        }
-        Logger().information(fmt::format("Retrieving avatar for {}",UserInfo_.userinfo.email));
-        return SendFileContent(AvatarContent, Type, Name);
-    }
+		std::string Type, Name, AvatarContent;
+		if (!StorageService()->SubAvatarDB().GetAvatar(UserInfo_.userinfo.email, Id, AvatarContent,
+													   Type, Name)) {
+			return NotFound();
+		}
+		Logger().information(fmt::format("Retrieving avatar for {}", UserInfo_.userinfo.email));
+		return SendFileContent(AvatarContent, Type, Name);
+	}

-    void RESTAPI_subavatar_handler::DoDelete() {
-        std::string Id = GetBinding(RESTAPI::Protocol::ID, "");
+	void RESTAPI_subavatar_handler::DoDelete() {
+		std::string Id = GetBinding(RESTAPI::Protocol::ID, "");

-        if(UserInfo_.userinfo.userRole!=SecurityObjects::ROOT && Id!=UserInfo_.userinfo.id) {
-            return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
-        }
+		if (UserInfo_.userinfo.userRole != SecurityObjects::ROOT && Id != UserInfo_.userinfo.id) {
+			return UnAuthorized(RESTAPI::Errors::ACCESS_DENIED);
+		}

-        if (!StorageService()->SubAvatarDB().DeleteAvatar(UserInfo_.userinfo.email, Id)) {
-            return NotFound();
-        }
-        Logger().information(fmt::format("Deleted avatar for {}",UserInfo_.userinfo.email));
-        StorageService()->SubDB().SetAvatar(Id,"");
-        OK();
-    }
-}
+		if (!StorageService()->SubAvatarDB().DeleteAvatar(UserInfo_.userinfo.email, Id)) {
+			return NotFound();
+		}
+		Logger().information(fmt::format("Deleted avatar for {}", UserInfo_.userinfo.email));
+		StorageService()->SubDB().SetAvatar(Id, "");
+		OK();
+	}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_subavatar_handler.h
+++ b/src/RESTAPI/RESTAPI_subavatar_handler.h
@@ -3,51 +3,47 @@
 //
 #pragma once

-#include "framework/MicroService.h"
+#include "Poco/Net/PartHandler.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {

-    class SubAvatarPartHandler : public Poco::Net::PartHandler {
-    public:
-        SubAvatarPartHandler(std::string Id, Poco::Logger &Logger, std::stringstream & ofs) :
-                Id_(std::move(Id)),
-                Logger_(Logger),
-                OutputStream_(ofs){
-        }
-        void handlePart(const Poco::Net::MessageHeader &Header, std::istream &Stream);
-        [[nodiscard]] uint64_t Length() const { return Length_; }
-        [[nodiscard]] std::string &Name() { return Name_; }
-        [[nodiscard]] std::string &ContentType() { return FileType_; }
+	class SubAvatarPartHandler : public Poco::Net::PartHandler {
+	  public:
+		SubAvatarPartHandler(std::string Id, Poco::Logger &Logger, std::stringstream &ofs)
+			: Id_(std::move(Id)), Logger_(Logger), OutputStream_(ofs) {}
+		void handlePart(const Poco::Net::MessageHeader &Header, std::istream &Stream);
+		[[nodiscard]] uint64_t Length() const { return Length_; }
+		[[nodiscard]] std::string &Name() { return Name_; }
+		[[nodiscard]] std::string &ContentType() { return FileType_; }

-    private:
-        uint64_t        Length_ = 0;
-        std::string     FileType_;
-        std::string     Name_;
-        std::string     Id_;
-        Poco::Logger    &Logger_;
-        std::stringstream &OutputStream_;
+	  private:
+		uint64_t Length_ = 0;
+		std::string FileType_;
+		std::string Name_;
+		std::string Id_;
+		Poco::Logger &Logger_;
+		std::stringstream &OutputStream_;

-        inline Poco::Logger & Logger() { return Logger_; }
-    };
+		inline Poco::Logger &Logger() { return Logger_; }
+	};

-    class RESTAPI_subavatar_handler : public RESTAPIHandler {
-    public:
-        RESTAPI_subavatar_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, uint64_t TransactionId, bool Internal)
-                : RESTAPIHandler(bindings, L,
-                                 std::vector<std::string>{
-                                         Poco::Net::HTTPRequest::HTTP_GET,
-                                         Poco::Net::HTTPRequest::HTTP_POST,
-                                         Poco::Net::HTTPRequest::HTTP_DELETE,
-                                         Poco::Net::HTTPRequest::HTTP_OPTIONS},
-                                         Server,
-                                         TransactionId,
-                                         Internal) {}
-        static auto PathName() { return std::list<std::string>{"/api/v1/subavatar/{id}"}; };
+	class RESTAPI_subavatar_handler : public RESTAPIHandler {
+	  public:
+		RESTAPI_subavatar_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+								  RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+								  bool Internal)
+			: RESTAPIHandler(bindings, L,
+							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_GET,
+													  Poco::Net::HTTPRequest::HTTP_POST,
+													  Poco::Net::HTTPRequest::HTTP_DELETE,
+													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+							 Server, TransactionId, Internal) {}
+		static auto PathName() { return std::list<std::string>{"/api/v1/subavatar/{id}"}; };

-        void DoGet() final;
-        void DoPost() final;
-        void DoDelete() final;
-        void DoPut() final {};
-
-    };
-}
+		void DoGet() final;
+		void DoPost() final;
+		void DoDelete() final;
+		void DoPut() final{};
+	};
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_submfa_handler.cpp
+++ b/src/RESTAPI/RESTAPI_submfa_handler.cpp
@@ -3,135 +3,140 @@
 //

 #include "RESTAPI_submfa_handler.h"
-#include "StorageService.h"
 #include "SMSSender.h"
+#include "StorageService.h"
+#include "framework/MicroServiceFuncs.h"

 namespace OpenWifi {

-    void RESTAPI_submfa_handler::DoGet() {
-        SecurityObjects::UserInfo   User;
+	void RESTAPI_submfa_handler::DoGet() {
+		SecurityObjects::UserInfo User;

-        if (StorageService()->SubDB().GetUserById(UserInfo_.userinfo.id,User)) {
-            Poco::JSON::Object              Answer;
-            SecurityObjects::SubMfaConfig   MFC;
+		if (StorageService()->SubDB().GetUserById(UserInfo_.userinfo.id, User)) {
+			Poco::JSON::Object Answer;
+			SecurityObjects::SubMfaConfig MFC;

-            MFC.id = User.id;
-            if(User.userTypeProprietaryInfo.mfa.enabled) {
-                if(User.userTypeProprietaryInfo.mfa.method == "sms") {
-                    MFC.sms = User.userTypeProprietaryInfo.mobiles[0].number;
-                    MFC.type = "sms";
-                } else if(User.userTypeProprietaryInfo.mfa.method == "email") {
-                    MFC.email = User.email;
-                    MFC.type = "email";
-                }
-            } else {
-                MFC.type = "disabled";
-            }
-            MFC.to_json(Answer);
-            return ReturnObject(Answer);
-        }
-        NotFound();
-    }
+			MFC.id = User.id;
+			if (User.userTypeProprietaryInfo.mfa.enabled) {
+				if (User.userTypeProprietaryInfo.mfa.method == "sms") {
+					MFC.sms = User.userTypeProprietaryInfo.mobiles[0].number;
+					MFC.type = "sms";
+				} else if (User.userTypeProprietaryInfo.mfa.method == "email") {
+					MFC.email = User.email;
+					MFC.type = "email";
+				}
+			} else {
+				MFC.type = "disabled";
+			}
+			MFC.to_json(Answer);
+			return ReturnObject(Answer);
+		}
+		NotFound();
+	}

-    void RESTAPI_submfa_handler::DoPut() {
+	void RESTAPI_submfa_handler::DoPut() {

-        try {
-            const auto & Body = ParsedBody_;
+		try {
+			const auto &Body = ParsedBody_;

-            SecurityObjects::SubMfaConfig MFC;
+			SecurityObjects::SubMfaConfig MFC;

-            if (!MFC.from_json(Body)) {
-                return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
-            }
+			if (!MFC.from_json(Body)) {
+				return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+			}

-            if (MFC.type == "disabled") {
-                SecurityObjects::UserInfo User;
-                StorageService()->SubDB().GetUserById(UserInfo_.userinfo.id, User);
-                User.userTypeProprietaryInfo.mfa.enabled = false;
-                StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email, UserInfo_.userinfo.id, User);
+			if (MFC.type == "disabled") {
+				SecurityObjects::UserInfo User;
+				StorageService()->SubDB().GetUserById(UserInfo_.userinfo.id, User);
+				User.userTypeProprietaryInfo.mfa.enabled = false;
+				StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email,
+														 UserInfo_.userinfo.id, User);

-                Poco::JSON::Object Answer;
-                MFC.to_json(Answer);
-                return ReturnObject(Answer);
-            } else if (MFC.type == "email") {
-                SecurityObjects::UserInfo User;
+				Poco::JSON::Object Answer;
+				MFC.to_json(Answer);
+				return ReturnObject(Answer);
+			} else if (MFC.type == "email") {
+				SecurityObjects::UserInfo User;

-                StorageService()->SubDB().GetUserById(UserInfo_.userinfo.id, User);
-                User.userTypeProprietaryInfo.mfa.enabled = true;
-                User.userTypeProprietaryInfo.mfa.method = "email";
-                StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email, UserInfo_.userinfo.id, User);
+				StorageService()->SubDB().GetUserById(UserInfo_.userinfo.id, User);
+				User.userTypeProprietaryInfo.mfa.enabled = true;
+				User.userTypeProprietaryInfo.mfa.method = "email";
+				StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email,
+														 UserInfo_.userinfo.id, User);

-                MFC.sms = MFC.sms;
-                MFC.type = "email";
-                MFC.email = UserInfo_.userinfo.email;
-                MFC.id = MicroService::instance().CreateUUID();
+				MFC.sms = MFC.sms;
+				MFC.type = "email";
+				MFC.email = UserInfo_.userinfo.email;
+				MFC.id = MicroServiceCreateUUID();

-                Poco::JSON::Object Answer;
-                MFC.to_json(Answer);
-                return ReturnObject(Answer);
+				Poco::JSON::Object Answer;
+				MFC.to_json(Answer);
+				return ReturnObject(Answer);

-            } else if (MFC.type == "sms") {
-                if (GetBoolParameter("startValidation", false)) {
-                    if (MFC.sms.empty()) {
-                        return BadRequest(RESTAPI::Errors::SMSMissingPhoneNumber);
-                    }
+			} else if (MFC.type == "sms") {
+				if (GetBoolParameter("startValidation", false)) {
+					if (MFC.sms.empty()) {
+						return BadRequest(RESTAPI::Errors::SMSMissingPhoneNumber);
+					}

-                    if(!SMSSender()->Enabled()) {
-                        return BadRequest(RESTAPI::Errors::SMSMFANotEnabled);
-                    }
+					if (!SMSSender()->Enabled()) {
+						return BadRequest(RESTAPI::Errors::SMSMFANotEnabled);
+					}

-                    if (SMSSender()->StartValidation(MFC.sms, UserInfo_.userinfo.email)) {
-                        return OK();
-                    } else {
-                        return InternalError(RESTAPI::Errors::SMSTryLater);
-                    }
-                } else if (GetBoolParameter("completeValidation", false)) {
+					if (SMSSender()->StartValidation(MFC.sms, UserInfo_.userinfo.email)) {
+						return OK();
+					} else {
+						return InternalError(RESTAPI::Errors::SMSTryLater);
+					}
+				} else if (GetBoolParameter("completeValidation", false)) {

-                    if(!SMSSender()->Enabled()) {
-                        return BadRequest(RESTAPI::Errors::SMSMFANotEnabled);
-                    }
+					if (!SMSSender()->Enabled()) {
+						return BadRequest(RESTAPI::Errors::SMSMFANotEnabled);
+					}

-                    auto ChallengeCode = GetParameter("challengeCode", "");
-                    if (ChallengeCode.empty()) {
-                        return BadRequest(RESTAPI::Errors::SMSMissingChallenge);
-                    }
-                    if (MFC.sms.empty()) {
-                        return BadRequest(RESTAPI::Errors::SMSMissingPhoneNumber);
-                    }
-                    if (SMSSender()->CompleteValidation(MFC.sms, ChallengeCode, UserInfo_.userinfo.email)) {
-                        SecurityObjects::UserInfo User;
+					auto ChallengeCode = GetParameter("challengeCode", "");
+					if (ChallengeCode.empty()) {
+						return BadRequest(RESTAPI::Errors::SMSMissingChallenge);
+					}
+					if (MFC.sms.empty()) {
+						return BadRequest(RESTAPI::Errors::SMSMissingPhoneNumber);
+					}
+					if (SMSSender()->CompleteValidation(MFC.sms, ChallengeCode,
+														UserInfo_.userinfo.email)) {
+						SecurityObjects::UserInfo User;

-                        StorageService()->SubDB().GetUserById(UserInfo_.userinfo.id, User);
-                        User.userTypeProprietaryInfo.mfa.enabled = true;
-                        User.userTypeProprietaryInfo.mfa.method = "sms";
-                        SecurityObjects::MobilePhoneNumber PhoneNumber;
-                        PhoneNumber.number = MFC.sms;
-                        PhoneNumber.primary = true;
-                        PhoneNumber.verified = true;
-                        User.userTypeProprietaryInfo.mobiles.clear();
-                        User.userTypeProprietaryInfo.mobiles.push_back(PhoneNumber);
+						StorageService()->SubDB().GetUserById(UserInfo_.userinfo.id, User);
+						User.userTypeProprietaryInfo.mfa.enabled = true;
+						User.userTypeProprietaryInfo.mfa.method = "sms";
+						SecurityObjects::MobilePhoneNumber PhoneNumber;
+						PhoneNumber.number = MFC.sms;
+						PhoneNumber.primary = true;
+						PhoneNumber.verified = true;
+						User.userTypeProprietaryInfo.mobiles.clear();
+						User.userTypeProprietaryInfo.mobiles.push_back(PhoneNumber);

-                        StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email, UserInfo_.userinfo.id, User);
+						StorageService()->SubDB().UpdateUserInfo(UserInfo_.userinfo.email,
+																 UserInfo_.userinfo.id, User);

-                        MFC.sms = MFC.sms;
-                        MFC.type = "sms";
-                        MFC.email = UserInfo_.userinfo.email;
-                        MFC.id = MicroService::instance().CreateUUID();
+						MFC.sms = MFC.sms;
+						MFC.type = "sms";
+						MFC.email = UserInfo_.userinfo.email;
+						MFC.id = MicroServiceCreateUUID();

-                        Poco::JSON::Object Answer;
-                        MFC.to_json(Answer);
+						Poco::JSON::Object Answer;
+						MFC.to_json(Answer);

-                        return ReturnObject(Answer);
+						return ReturnObject(Answer);

-                    } else {
-                        return InternalError(RESTAPI::Errors::SMSTryLater);
-                    }
-                }
-            }
-        } catch (const Poco::Exception &E) {
-            Logger_.log(E);
-        }
-        return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
-    }
+					} else {
+						return InternalError(RESTAPI::Errors::SMSTryLater);
+					}
+				}
+			}
+		} catch (const Poco::Exception &E) {
+			Logger_.log(E);
+		}
+		return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+	}

-}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_submfa_handler.h
+++ b/src/RESTAPI/RESTAPI_submfa_handler.h
@@ -4,24 +4,24 @@

 #pragma once

-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-    class RESTAPI_submfa_handler : public RESTAPIHandler {
-    public:
-        RESTAPI_submfa_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, uint64_t TransactionId, bool Internal)
-        : RESTAPIHandler(bindings, L,
-                         std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_PUT,
-                                                  Poco::Net::HTTPRequest::HTTP_GET,
-                                                  Poco::Net::HTTPRequest::HTTP_OPTIONS},
-                                                  Server,
-                                                  TransactionId,
-                                                  Internal, true, false , RateLimit{.Interval=1000,.MaxCalls=10},
-                                                  true) {}
-        static auto PathName() { return std::list<std::string>{"/api/v1/submfa"}; };
-        void DoGet() final;
-        void DoPost() final {};
-        void DoDelete() final {};
-        void DoPut() final ;
-    };
-}
+	class RESTAPI_submfa_handler : public RESTAPIHandler {
+	  public:
+		RESTAPI_submfa_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+							   RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+							   bool Internal)
+			: RESTAPIHandler(bindings, L,
+							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_PUT,
+													  Poco::Net::HTTPRequest::HTTP_GET,
+													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+							 Server, TransactionId, Internal, true, false,
+							 RateLimit{.Interval = 1000, .MaxCalls = 10}, true) {}
+		static auto PathName() { return std::list<std::string>{"/api/v1/submfa"}; };
+		void DoGet() final;
+		void DoPost() final{};
+		void DoDelete() final{};
+		void DoPut() final;
+	};
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_suboauth2_handler.cpp
+++ b/src/RESTAPI/RESTAPI_suboauth2_handler.cpp
@@ -5,161 +5,167 @@
 #include "RESTAPI_suboauth2_handler.h"
 #include "AuthService.h"
 #include "MFAServer.h"
-#include "framework/MicroService.h"
-#include "StorageService.h"
 #include "RESTAPI/RESTAPI_db_helpers.h"
+#include "StorageService.h"

 namespace OpenWifi {

-    void RESTAPI_suboauth2_handler::DoGet() {
-        bool Expired = false, Contacted = false;
-        if (!IsAuthorized(Expired, Contacted, true)) {
-            if(Expired)
-                return UnAuthorized(RESTAPI::Errors::EXPIRED_TOKEN);
-            return UnAuthorized(RESTAPI::Errors::INVALID_TOKEN);
-        }
-        bool GetMe = GetBoolParameter(RESTAPI::Protocol::ME, false);
-        if(GetMe) {
-            Logger_.information(fmt::format("REQUEST-ME({}): Request for {}", Request->clientAddress().toString(),
-                                             UserInfo_.userinfo.email));
-            Poco::JSON::Object Me;
-            SecurityObjects::UserInfo   ReturnedUser = UserInfo_.userinfo;
-            Sanitize(UserInfo_, ReturnedUser);
-            ReturnedUser.to_json(Me);
-            return ReturnObject(Me);
-        }
-        BadRequest(RESTAPI::Errors::UnrecognizedRequest);
-    }
+	void RESTAPI_suboauth2_handler::DoGet() {
+		bool Expired = false, Contacted = false;
+		if (!IsAuthorized(Expired, Contacted, true)) {
+			if (Expired)
+				return UnAuthorized(RESTAPI::Errors::EXPIRED_TOKEN);
+			return UnAuthorized(RESTAPI::Errors::INVALID_TOKEN);
+		}
+		bool GetMe = GetBoolParameter(RESTAPI::Protocol::ME, false);
+		if (GetMe) {
+			Logger_.information(fmt::format("REQUEST-ME({}): Request for {}",
+											Request->clientAddress().toString(),
+											UserInfo_.userinfo.email));
+			Poco::JSON::Object Me;
+			SecurityObjects::UserInfo ReturnedUser = UserInfo_.userinfo;
+			Sanitize(UserInfo_, ReturnedUser);
+			ReturnedUser.to_json(Me);
+			return ReturnObject(Me);
+		}
+		BadRequest(RESTAPI::Errors::UnrecognizedRequest);
+	}

-    void RESTAPI_suboauth2_handler::DoDelete() {
-        auto Token = GetBinding(RESTAPI::Protocol::TOKEN, "");
-        std::string SessionToken;
-        try {
-            Poco::Net::OAuth20Credentials Auth(*Request);
-            if (Auth.getScheme() == "Bearer") {
-                SessionToken = Auth.getBearerToken();
-            }
-        } catch (const Poco::Exception &E) {
-            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
-        }
-        if (Token.empty() || (Token != SessionToken)) {
-            return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
-        }
-        AuthService()->SubLogout(Token);
-        return ReturnStatus(Poco::Net::HTTPResponse::HTTP_NO_CONTENT, true);
-    }
+	void RESTAPI_suboauth2_handler::DoDelete() {
+		auto Token = GetBinding(RESTAPI::Protocol::TOKEN, "");
+		std::string SessionToken;
+		try {
+			Poco::Net::OAuth20Credentials Auth(*Request);
+			if (Auth.getScheme() == "Bearer") {
+				SessionToken = Auth.getBearerToken();
+			}
+		} catch (const Poco::Exception &E) {
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}
+		if (Token.empty() || (Token != SessionToken)) {
+			return BadRequest(RESTAPI::Errors::MissingOrInvalidParameters);
+		}
+		AuthService()->SubLogout(Token);
+		return ReturnStatus(Poco::Net::HTTPResponse::HTTP_NO_CONTENT, true);
+	}

-    void RESTAPI_suboauth2_handler::DoPost() {
-        const auto & Obj = ParsedBody_;
-        auto userId = GetS(RESTAPI::Protocol::USERID, Obj);
-        auto password = GetS(RESTAPI::Protocol::PASSWORD, Obj);
-        auto newPassword = GetS(RESTAPI::Protocol::NEWPASSWORD, Obj);
-        auto refreshToken = GetS("refreshToken", Obj);
-        auto grant_type = GetParameter("grant_type");
+	void RESTAPI_suboauth2_handler::DoPost() {
+		const auto &Obj = ParsedBody_;
+		auto userId = GetS(RESTAPI::Protocol::USERID, Obj);
+		auto password = GetS(RESTAPI::Protocol::PASSWORD, Obj);
+		auto newPassword = GetS(RESTAPI::Protocol::NEWPASSWORD, Obj);
+		auto refreshToken = GetS("refreshToken", Obj);
+		auto grant_type = GetParameter("grant_type");

-        Poco::toLowerInPlace(userId);
+		Poco::toLowerInPlace(userId);

-        if(!refreshToken.empty() && grant_type == "refresh_token") {
-            SecurityObjects::UserInfoAndPolicy UInfo;
-            if(AuthService()->RefreshSubToken(*Request, refreshToken, UInfo)) {
-                Poco::JSON::Object  Answer;
-                UInfo.webtoken.to_json(Answer);
-                return ReturnObject(Answer);
-            } else {
-                return UnAuthorized(RESTAPI::Errors::CANNOT_REFRESH_TOKEN);
-            }
-        }
+		if (!refreshToken.empty() && grant_type == "refresh_token") {
+			SecurityObjects::UserInfoAndPolicy UInfo;
+			if (AuthService()->RefreshSubToken(*Request, refreshToken, UInfo)) {
+				Poco::JSON::Object Answer;
+				UInfo.webtoken.to_json(Answer);
+				return ReturnObject(Answer);
+			} else {
+				return UnAuthorized(RESTAPI::Errors::CANNOT_REFRESH_TOKEN);
+			}
+		}

-        if(GetBoolParameter(RESTAPI::Protocol::REQUIREMENTS)) {
-            Logger_.information(fmt::format("POLICY-REQUEST({}): Request.", Request->clientAddress().toString()));
-            Poco::JSON::Object  Answer;
-            Answer.set(RESTAPI::Protocol::PASSWORDPATTERN, AuthService()->SubPasswordValidationExpression());
-            Answer.set(RESTAPI::Protocol::ACCESSPOLICY, AuthService()->GetSubAccessPolicy());
-            Answer.set(RESTAPI::Protocol::PASSWORDPOLICY, AuthService()->GetSubPasswordPolicy());
-            return ReturnObject(Answer);
-        }
+		if (GetBoolParameter(RESTAPI::Protocol::REQUIREMENTS)) {
+			Logger_.information(
+				fmt::format("POLICY-REQUEST({}): Request.", Request->clientAddress().toString()));
+			Poco::JSON::Object Answer;
+			Answer.set(RESTAPI::Protocol::PASSWORDPATTERN,
+					   AuthService()->SubPasswordValidationExpression());
+			Answer.set(RESTAPI::Protocol::ACCESSPOLICY, AuthService()->GetSubAccessPolicy());
+			Answer.set(RESTAPI::Protocol::PASSWORDPOLICY, AuthService()->GetSubPasswordPolicy());
+			return ReturnObject(Answer);
+		}

-        if(GetBoolParameter(RESTAPI::Protocol::FORGOTPASSWORD)) {
-            SecurityObjects::UserInfo UInfo1;
-            auto UserExists = StorageService()->SubDB().GetUserByEmail(userId,UInfo1);
-            if(UserExists) {
-                Logger_.information(fmt::format("FORGOTTEN-PASSWORD({}): Request for {}", Request->clientAddress().toString(), userId));
-                SecurityObjects::ActionLink NewLink;
+		if (GetBoolParameter(RESTAPI::Protocol::FORGOTPASSWORD)) {
+			SecurityObjects::UserInfo UInfo1;
+			auto UserExists = StorageService()->SubDB().GetUserByEmail(userId, UInfo1);
+			if (UserExists) {
+				Logger_.information(fmt::format("FORGOTTEN-PASSWORD({}): Request for {}",
+												Request->clientAddress().toString(), userId));
+				SecurityObjects::ActionLink NewLink;

-                NewLink.action = OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD;
-                NewLink.id = MicroService::CreateUUID();
-                NewLink.userId = UInfo1.id;
-                NewLink.created = OpenWifi::Now();
-                NewLink.expires = NewLink.created + (24*60*60);
-                NewLink.userAction = false;
-                StorageService()->ActionLinksDB().CreateAction(NewLink);
+				NewLink.action = OpenWifi::SecurityObjects::LinkActions::SUB_FORGOT_PASSWORD;
+				NewLink.id = MicroServiceCreateUUID();
+				NewLink.userId = UInfo1.id;
+				NewLink.created = OpenWifi::Now();
+				NewLink.expires = NewLink.created + (24 * 60 * 60);
+				NewLink.userAction = false;
+				StorageService()->ActionLinksDB().CreateAction(NewLink);

-                Poco::JSON::Object ReturnObj;
-                SecurityObjects::UserInfoAndPolicy UInfo;
-                UInfo.webtoken.userMustChangePassword = true;
-                UInfo.webtoken.to_json(ReturnObj);
-                return ReturnObject(ReturnObj);
-            } else {
-                Poco::JSON::Object ReturnObj;
-                SecurityObjects::UserInfoAndPolicy UInfo;
-                UInfo.webtoken.userMustChangePassword = true;
-                UInfo.webtoken.to_json(ReturnObj);
-                return ReturnObject(ReturnObj);
-            }
-        }
+				Poco::JSON::Object ReturnObj;
+				SecurityObjects::UserInfoAndPolicy UInfo;
+				UInfo.webtoken.userMustChangePassword = true;
+				UInfo.webtoken.to_json(ReturnObj);
+				return ReturnObject(ReturnObj);
+			} else {
+				Poco::JSON::Object ReturnObj;
+				SecurityObjects::UserInfoAndPolicy UInfo;
+				UInfo.webtoken.userMustChangePassword = true;
+				UInfo.webtoken.to_json(ReturnObj);
+				return ReturnObject(ReturnObj);
+			}
+		}

-        if(GetBoolParameter(RESTAPI::Protocol::RESENDMFACODE)) {
-            Logger_.information(fmt::format("RESEND-MFA-CODE({}): Request for {}", Request->clientAddress().toString(), userId));
-            if(Obj->has("uuid")) {
-                auto uuid = Obj->get("uuid").toString();
-                if(MFAServer()->ResendCode(uuid))
-                    return OK();
-            }
-            return UnAuthorized(RESTAPI::Errors::BAD_MFA_TRANSACTION);
-        }
+		if (GetBoolParameter(RESTAPI::Protocol::RESENDMFACODE)) {
+			Logger_.information(fmt::format("RESEND-MFA-CODE({}): Request for {}",
+											Request->clientAddress().toString(), userId));
+			if (Obj->has("uuid")) {
+				auto uuid = Obj->get("uuid").toString();
+				if (MFAServer()->ResendCode(uuid))
+					return OK();
+			}
+			return UnAuthorized(RESTAPI::Errors::BAD_MFA_TRANSACTION);
+		}

-        if(GetBoolParameter(RESTAPI::Protocol::COMPLETEMFACHALLENGE)) {
-            Logger_.information(fmt::format("COMPLETE-MFA-CHALLENGE({}): Request for {}", Request->clientAddress().toString(), userId));
-            if(Obj->has("uuid") && Obj->has("answer")) {
-                SecurityObjects::UserInfoAndPolicy UInfo;
-                if(MFAServer()->CompleteMFAChallenge(Obj,UInfo)) {
-                    Poco::JSON::Object ReturnObj;
-                    UInfo.webtoken.to_json(ReturnObj);
-                    return ReturnObject(ReturnObj);
-                }
-            }
-            return UnAuthorized(RESTAPI::Errors::MFA_FAILURE);
-        }
+		if (GetBoolParameter(RESTAPI::Protocol::COMPLETEMFACHALLENGE)) {
+			Logger_.information(fmt::format("COMPLETE-MFA-CHALLENGE({}): Request for {}",
+											Request->clientAddress().toString(), userId));
+			if (Obj->has("uuid") && Obj->has("answer")) {
+				SecurityObjects::UserInfoAndPolicy UInfo;
+				if (MFAServer()->CompleteMFAChallenge(Obj, UInfo)) {
+					Poco::JSON::Object ReturnObj;
+					UInfo.webtoken.to_json(ReturnObj);
+					return ReturnObject(ReturnObj);
+				}
+			}
+			return UnAuthorized(RESTAPI::Errors::MFA_FAILURE);
+		}

-        SecurityObjects::UserInfoAndPolicy UInfo;
-        bool Expired=false;
-        auto Code=AuthService()->AuthorizeSub(userId, password, newPassword, UInfo, Expired);
-        if (Code==SUCCESS) {
-            Poco::JSON::Object ReturnObj;
-            if(AuthService()->RequiresMFA(UInfo)) {
-                if(MFAServer()->StartMFAChallenge(UInfo, ReturnObj)) {
-                    return ReturnObject(ReturnObj);
-                }
-                Logger_.warning("MFA Seems to be broken. Please fix. Disabling MFA checking for now.");
-            }
-            UInfo.webtoken.to_json(ReturnObj);
-            return ReturnObject(ReturnObj);
-        } else {
-            switch(Code) {
-                case INVALID_CREDENTIALS:
-                    return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
-                case PASSWORD_INVALID:
-                    return UnAuthorized(RESTAPI::Errors::PASSWORD_INVALID);
-                case PASSWORD_ALREADY_USED:
-                    return UnAuthorized(RESTAPI::Errors::PASSWORD_ALREADY_USED);
-                case USERNAME_PENDING_VERIFICATION:
-                    return UnAuthorized(RESTAPI::Errors::USERNAME_PENDING_VERIFICATION);
-                case PASSWORD_CHANGE_REQUIRED:
-                    return UnAuthorized(RESTAPI::Errors::PASSWORD_CHANGE_REQUIRED);
-                default:
-                    return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS); break;
-            }
-            return;
-        }
-    }
-}
+		SecurityObjects::UserInfoAndPolicy UInfo;
+		bool Expired = false;
+		auto Code = AuthService()->AuthorizeSub(userId, password, newPassword, UInfo, Expired);
+		switch (Code) {
+		case SUCCESS: {
+			Poco::JSON::Object ReturnObj;
+			if (AuthService()->RequiresMFA(UInfo)) {
+				if (MFAServer()->StartMFAChallenge(UInfo, ReturnObj)) {
+					return ReturnObject(ReturnObj);
+				}
+				Logger_.warning(
+					"MFA Seems to be broken. Please fix. Disabling MFA checking for now.");
+			}
+			UInfo.webtoken.to_json(ReturnObj);
+			return ReturnObject(ReturnObj);
+		}
+		case INVALID_CREDENTIALS:
+			return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
+		case PASSWORD_INVALID:
+			return UnAuthorized(RESTAPI::Errors::PASSWORD_INVALID);
+		case PASSWORD_ALREADY_USED:
+			return UnAuthorized(RESTAPI::Errors::PASSWORD_ALREADY_USED);
+		case USERNAME_PENDING_VERIFICATION:
+			return UnAuthorized(RESTAPI::Errors::USERNAME_PENDING_VERIFICATION);
+		case PASSWORD_CHANGE_REQUIRED:
+			return UnAuthorized(RESTAPI::Errors::PASSWORD_CHANGE_REQUIRED);
+		case ACCOUNT_SUSPENDED:
+			return UnAuthorized(RESTAPI::Errors::ACCOUNT_SUSPENDED);
+		default:
+			return UnAuthorized(RESTAPI::Errors::INVALID_CREDENTIALS);
+		}
+	}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_suboauth2_handler.h
+++ b/src/RESTAPI/RESTAPI_suboauth2_handler.h
@@ -3,25 +3,27 @@
 //

 #pragma once
-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-    class RESTAPI_suboauth2_handler : public RESTAPIHandler {
-    public:
-        RESTAPI_suboauth2_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, uint64_t TransactionId, bool Internal)
-        : RESTAPIHandler(bindings, L,
-                         std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
-                                                  Poco::Net::HTTPRequest::HTTP_DELETE,
-                                                  Poco::Net::HTTPRequest::HTTP_GET,
-                                                  Poco::Net::HTTPRequest::HTTP_OPTIONS},
-                                                  Server,
-                                                  TransactionId,
-                                                  Internal, false, false , RateLimit{.Interval=1000,.MaxCalls=10},
-                                                  false) {}
-        static auto PathName() { return std::list<std::string>{"/api/v1/suboauth2/{token}","/api/v1/suboauth2"}; };
-        void DoGet() final;
-        void DoPost() final;
-        void DoDelete() final;
-        void DoPut() final {};
-    };
-}
+	class RESTAPI_suboauth2_handler : public RESTAPIHandler {
+	  public:
+		RESTAPI_suboauth2_handler(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+								  RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+								  bool Internal)
+			: RESTAPIHandler(bindings, L,
+							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_POST,
+													  Poco::Net::HTTPRequest::HTTP_DELETE,
+													  Poco::Net::HTTPRequest::HTTP_GET,
+													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+							 Server, TransactionId, Internal, false, false,
+							 RateLimit{.Interval = 1000, .MaxCalls = 10}, false) {}
+		static auto PathName() {
+			return std::list<std::string>{"/api/v1/suboauth2/{token}", "/api/v1/suboauth2"};
+		};
+		void DoGet() final;
+		void DoPost() final;
+		void DoDelete() final;
+		void DoPut() final{};
+	};
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_subpreferences.cpp
+++ b/src/RESTAPI/RESTAPI_subpreferences.cpp
@@ -7,30 +7,30 @@

 namespace OpenWifi {

-    void RESTAPI_subpreferences::DoGet() {
-        SecurityObjects::Preferences    P;
-        Poco::JSON::Object  Answer;
-        StorageService()->SubPreferencesDB().GetPreferences(UserInfo_.userinfo.id, P);
-        P.to_json(Answer);
-        ReturnObject(Answer);
-    }
+	void RESTAPI_subpreferences::DoGet() {
+		SecurityObjects::Preferences P;
+		Poco::JSON::Object Answer;
+		StorageService()->SubPreferencesDB().GetPreferences(UserInfo_.userinfo.id, P);
+		P.to_json(Answer);
+		ReturnObject(Answer);
+	}

-    void RESTAPI_subpreferences::DoPut() {
+	void RESTAPI_subpreferences::DoPut() {

-        SecurityObjects::Preferences    P;
+		SecurityObjects::Preferences P;

-        const auto & RawObject = ParsedBody_;
-        if(!P.from_json(RawObject)) {
-            return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
-        }
+		const auto &RawObject = ParsedBody_;
+		if (!P.from_json(RawObject)) {
+			return BadRequest(RESTAPI::Errors::InvalidJSONDocument);
+		}

-        P.id = UserInfo_.userinfo.id;
-        P.modified = OpenWifi::Now();
-        StorageService()->SubPreferencesDB().SetPreferences(P);
+		P.id = UserInfo_.userinfo.id;
+		P.modified = OpenWifi::Now();
+		StorageService()->SubPreferencesDB().SetPreferences(P);

-        Poco::JSON::Object  Answer;
-        P.to_json(Answer);
-        ReturnObject(Answer);
-    }
+		Poco::JSON::Object Answer;
+		P.to_json(Answer);
+		ReturnObject(Answer);
+	}

-}
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_subpreferences.h
+++ b/src/RESTAPI/RESTAPI_subpreferences.h
@@ -4,24 +4,23 @@

 #pragma once

-#include "framework/MicroService.h"
+#include "framework/RESTAPI_Handler.h"

 namespace OpenWifi {
-    class RESTAPI_subpreferences : public RESTAPIHandler {
-    public:
-        RESTAPI_subpreferences(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L, RESTAPI_GenericServer &Server, uint64_t TransactionId, bool Internal)
-        : RESTAPIHandler(bindings, L,
-                         std::vector<std::string>{
-            Poco::Net::HTTPRequest::HTTP_GET,
-            Poco::Net::HTTPRequest::HTTP_PUT,
-            Poco::Net::HTTPRequest::HTTP_OPTIONS},
-            Server,
-            TransactionId,
-            Internal) {}
-        static auto PathName() { return std::list<std::string>{"/api/v1/subpreferences"}; };
-        void DoGet() final;
-        void DoPut() final;
-        void DoPost() final {};
-        void DoDelete() final {};
-    };
-}
+	class RESTAPI_subpreferences : public RESTAPIHandler {
+	  public:
+		RESTAPI_subpreferences(const RESTAPIHandler::BindingMap &bindings, Poco::Logger &L,
+							   RESTAPI_GenericServerAccounting &Server, uint64_t TransactionId,
+							   bool Internal)
+			: RESTAPIHandler(bindings, L,
+							 std::vector<std::string>{Poco::Net::HTTPRequest::HTTP_GET,
+													  Poco::Net::HTTPRequest::HTTP_PUT,
+													  Poco::Net::HTTPRequest::HTTP_OPTIONS},
+							 Server, TransactionId, Internal) {}
+		static auto PathName() { return std::list<std::string>{"/api/v1/subpreferences"}; };
+		void DoGet() final;
+		void DoPut() final;
+		void DoPost() final{};
+		void DoDelete() final{};
+	};
+} // namespace OpenWifi
--- a/src/RESTAPI/RESTAPI_subtotp_handler.cpp
+++ b/src/RESTAPI/RESTAPI_subtotp_handler.cpp
@@ -5,33 +5,35 @@
 #include "RESTAPI_subtotp_handler.h"

 #include "TotpCache.h"
+#include "framework/MicroServiceFuncs.h"

 namespace OpenWifi {

-    void RESTAPI_subtotp_handler::DoGet() {
+	void RESTAPI_subtotp_handler::DoGet() {

-        auto Reset = GetBoolParameter("reset",false);
-        std::string QRCode;
+		auto Reset = GetBoolParameter("reset", false);
+		std::string QRCode;

-        if(TotpCache()->StartValidation(UserInfo_.userinfo,true,QRCode,Reset)) {
-            return SendFileContent(QRCode, "image/svg+xml","qrcode.svg");
-        }
-        return BadRequest(RESTAPI::Errors::InvalidCommand);
-    }
+		if (TotpCache()->StartValidation(UserInfo_.userinfo, true, QRCode, Reset)) {
+			return SendFileContent(QRCode, "image/svg+xml", "qrcode.svg");
+		}
+		return BadRequest(RESTAPI::Errors::InvalidCommand);
+	}

-    void RESTAPI_subtotp_handler::DoPut() {
-        auto Value = GetParameter("value","");
-        auto nextIndex = GetParameter("index",0);
-        bool moreCodes=false;
+	void RESTAPI_subtotp_handler::DoPut() {
+		auto Value = GetParameter("value", "");
+		auto nextIndex = GetParameter("index", 0);
+		bool moreCodes = false;

-        RESTAPI::Errors::msg    Error;
-        if(TotpCache()->ContinueValidation(UserInfo_.userinfo,true,Value,nextIndex,moreCodes, Error )) {
-            Poco::JSON::Object Answer;
-            Answer.set("nextIndex", nextIndex);
-            Answer.set("moreCodes", moreCodes);
-            return ReturnObject(Answer);
-        }
-        return BadRequest(Error);
-    }
+		RESTAPI::Errors::msg Error;
+		if (TotpCache()->ContinueValidation(UserInfo_.userinfo, true, Value, nextIndex, moreCodes,
+											Error)) {
+			Poco::JSON::Object Answer;
+			Answer.set("nextIndex", nextIndex);
+			Answer.set("moreCodes", moreCodes);
+			return ReturnObject(Answer);
+		}
+		return BadRequest(Error);
+	}

-}
+} // namespace OpenWifi
--- a/Show More
+++ b/Show More