initial commit

2020-04-09 21:40:22 -05:00
commit 9611105364
141 changed files with 29236 additions and 0 deletions
--- a/api/Pipfile
+++ b/api/Pipfile
@ -0,0 +1,13 @@
+[[source]]
+name = "pypi"
+url = "https://pypi.org/simple"
+verify_ssl = true
+
+[dev-packages]
+
+[packages]
+click = "*"
+requests = "*"
+
+[requires]
+python_version = "3.8"
--- a/api/README.md
+++ b/api/README.md
@ -0,0 +1,18 @@
+## Authentication
+
+Uses a refresh_token and access_token system.
+
+The refresh_token is an opaque UUID based token. The access_token is a JWT
+token containing several claims such as `sub` & `roles`
+
+The refresh_token is stored in a database and is long lived (24 hours). It is sent to the client
+as a cookie set to be `HttpOnly`.
+
+The access_token is not stored in the database & is only stored in memory on the client side.
+It is short lived (5 minutes).
+
+The access_token is used to authenticate all endpoints except endpoints under /auth
+
+The access_token is refreshed using the refresh_token through the /auth/refresh_token endpoint.
+This endpoint takes in the refresh_token set VIA a cookie header & returns a new refresh_token & access_token
+if the refresh_token is still valid. The old refresh_token is invalidated.
--- a/api/cmd/citadel/main.go
+++ b/api/cmd/citadel/main.go
@ -0,0 +1,28 @@
+package main
+
+import (
+	_ "github.com/lib/pq"
+
+	"fmt"
+	"net/http"
+
+	"github.com/jmoiron/sqlx"
+	"github.com/jordanknott/project-citadel/api/router"
+	log "github.com/sirupsen/logrus"
+)
+
+func main() {
+	Formatter := new(log.TextFormatter)
+	Formatter.TimestampFormat = "02-01-2006 15:04:05"
+	Formatter.FullTimestamp = true
+	log.SetFormatter(Formatter)
+	db, err := sqlx.Connect("postgres", "user=postgres password=test host=0.0.0.0 dbname=citadel sslmode=disable")
+	if err != nil {
+		log.Panic(err)
+	}
+	defer db.Close()
+	fmt.Println("starting graphql server on http://localhost:3333")
+	fmt.Println("starting graphql playground on http://localhost:3333/__graphql")
+	r, _ := router.NewRouter(db)
+	http.ListenAndServe(":3333", r)
+}
--- a/api/cmd/citadelctl/main.go
+++ b/api/cmd/citadelctl/main.go
@ -0,0 +1,16 @@
+package main
+
+import (
+	"fmt"
+	"github.com/jordanknott/project-citadel/api/router"
+	"time"
+)
+
+func main() {
+	dur := time.Hour * 24 * 7 * 30
+	token, err := router.NewAccessTokenCustomExpiration("21345076-6423-4a00-a6bd-cd9f830e2764", dur)
+	if err != nil {
+		panic(err)
+	}
+	fmt.Println(token)
+}
--- a/api/go.mod
+++ b/api/go.mod
@ -0,0 +1,18 @@
+module github.com/jordanknott/project-citadel/api
+
+go 1.13
+
+require (
+	github.com/99designs/gqlgen v0.11.1
+	github.com/dgrijalva/jwt-go v3.2.0+incompatible
+	github.com/go-chi/chi v3.3.2+incompatible
+	github.com/go-chi/cors v1.0.0
+	github.com/google/martian v2.1.0+incompatible
+	github.com/google/uuid v1.1.1
+	github.com/jmoiron/sqlx v1.2.0
+	github.com/lib/pq v1.0.0
+	github.com/pkg/errors v0.8.1
+	github.com/sirupsen/logrus v1.4.2
+	github.com/vektah/gqlparser/v2 v2.0.1
+	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
+)
--- a/api/go.sum
+++ b/api/go.sum
@ -0,0 +1,105 @@
+github.com/99designs/gqlgen v0.11.1 h1:QoSL8/AAJ2T3UOeQbdnBR32JcG4pO08+P/g5jdbFkUg=
+github.com/99designs/gqlgen v0.11.1/go.mod h1:vjFOyBZ7NwDl+GdSD4PFn7BQn5Fy7ohJwXn7Vk8zz+c=
+github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM=
+github.com/agnivade/levenshtein v1.0.3 h1:M5ZnqLOoZR8ygVq0FfkXsNOKzMCk0xRiow0R5+5VkQ0=
+github.com/agnivade/levenshtein v1.0.3/go.mod h1:4SFRZbbXWLF4MU1T9Qg0pGgH3Pjs+t6ie5efyrwRJXs=
+github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8=
+github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0/go.mod h1:t2tdKJDJF9BV14lnkjHmOQgcvEKgtqs5a1N3LNdJhGE=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
+github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
+github.com/dgryski/trifles v0.0.0-20190318185328-a8d75aae118c/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
+github.com/go-chi/chi v3.3.2+incompatible h1:uQNcQN3NsV1j4ANsPh42P4ew4t6rnRbJb8frvpp31qQ=
+github.com/go-chi/chi v3.3.2+incompatible/go.mod h1:eB3wogJHnLi3x/kFX2A+IbTBlXxmMeXJVKy9tTv1XzQ=
+github.com/go-chi/cors v1.0.0 h1:e6x8k7uWbUwYs+aXDoiUzeQFT6l0cygBYyNhD7/1Tg0=
+github.com/go-chi/cors v1.0.0/go.mod h1:K2Yje0VW/SJzxiyMYu6iPQYa7hMjQX2i/F491VChg1I=
+github.com/go-sql-driver/mysql v1.4.0 h1:7LxgVwFb2hIQtMm87NdgAVfXjnt4OePseqT1tKx+opk=
+github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
+github.com/gogo/protobuf v1.0.0/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
+github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
+github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
+github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
+github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gorilla/context v0.0.0-20160226214623-1ea25387ff6f/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg=
+github.com/gorilla/mux v1.6.1/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs=
+github.com/gorilla/websocket v1.2.0 h1:VJtLvh6VQym50czpZzx07z/kw9EgAxI3x1ZB8taTMQQ=
+github.com/gorilla/websocket v1.2.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ=
+github.com/hashicorp/golang-lru v0.5.0 h1:CL2msUPvZTLb5O648aiLNJw3hnBxN2+1Jq8rCOH9wdo=
+github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8=
+github.com/jmoiron/sqlx v1.2.0 h1:41Ip0zITnmWNR/vHV+S4m+VoUivnWY5E4OJfLZjCJMA=
+github.com/jmoiron/sqlx v1.2.0/go.mod h1:1FEQNm3xlJgrMD+FBdI9+xvCksHtbpVBBw5dYhBSsks=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1 h1:mweAR1A6xJ3oS2pRaGiHgQ4OO8tzTaLawm8vnODuwDk=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
+github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0 h1:45sCR5RtlFHMR4UwH9sdQ5TC8v0qDQCHnXt+kaKSTVE=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/lib/pq v1.0.0 h1:X5PMW56eZitiTeO7tKzZxFCSpbFZJtkMMooicw2us9A=
+github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
+github.com/logrusorgru/aurora v0.0.0-20200102142835-e9ef32dff381/go.mod h1:7rIyQOR62GCctdiQpZ/zOJlFyk6y+94wXzv6RNZgaR4=
+github.com/matryer/moq v0.0.0-20200106131100-75d0ddfc0007 h1:reVOUXwnhsYv/8UqjvhrMOu5CNT9UapHFLbQ2JcXsmg=
+github.com/matryer/moq v0.0.0-20200106131100-75d0ddfc0007/go.mod h1:9ELz6aaclSIGnZBoaSLZ3NAl1VTufbOrXBPvtcy6WiQ=
+github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
+github.com/mattn/go-sqlite3 v1.9.0 h1:pDRiWfl+++eC2FEFRy6jXmQlvp4Yh3z1MJKg4UeYM/4=
+github.com/mattn/go-sqlite3 v1.9.0/go.mod h1:FPy6KqzDD04eiIsT53CuJW3U88zkxoIYsOqkbpncsNc=
+github.com/mitchellh/mapstructure v0.0.0-20180203102830-a4e142e9c047 h1:zCoDWFD5nrJJVjbXiDZcVhOBSzKn3o9LgRLLMRNuru8=
+github.com/mitchellh/mapstructure v0.0.0-20180203102830-a4e142e9c047/go.mod h1:FVVH3fgwuzCH5S8UJGiWEs2h04kUh9fWfEaFds41c1Y=
+github.com/opentracing/basictracer-go v1.0.0/go.mod h1:QfBfYuafItcjQuMwinw9GhYKwFXS9KnPs5lxoYwgW74=
+github.com/opentracing/opentracing-go v1.0.2/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
+github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/rs/cors v1.6.0/go.mod h1:gFx+x8UowdsKA9AchylcLynDq+nNFfI8FkUZdN/jGCU=
+github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
+github.com/shurcooL/httpfs v0.0.0-20171119174359-809beceb2371/go.mod h1:ZY1cvUeJuFPAdZ/B6v7RHavJWZn2YPVFQ1OSXhCGOkg=
+github.com/shurcooL/vfsgen v0.0.0-20180121065927-ffb13db8def0/go.mod h1:TrYk7fJVaAttu97ZZKrO9UbRa8izdowaMIZcxYMbVaw=
+github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.2.1/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.4.0 h1:2E4SXV/wtOkTonXsotYi4li6zVWxYlZuYNCXe9XRJyk=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/urfave/cli v1.20.0 h1:fDqGv3UG/4jbVl/QkFwEdddtEDjh/5Ov6X+0B/3bPaw=
+github.com/urfave/cli v1.20.0/go.mod h1:70zkFmudgCuE/ngEzBv17Jvp/497gISqfk5gWijbERA=
+github.com/vektah/dataloaden v0.2.1-0.20190515034641-a19b9a6e7c9e h1:+w0Zm/9gaWpEAyDlU1eKOuk5twTjAjuevXqcJJw8hrg=
+github.com/vektah/dataloaden v0.2.1-0.20190515034641-a19b9a6e7c9e/go.mod h1:/HUdMve7rvxZma+2ZELQeNh88+003LL7Pf/CZ089j8U=
+github.com/vektah/gqlparser/v2 v2.0.1 h1:xgl5abVnsd4hkN9rk65OJID9bfcLSMuTaTcZj777q1o=
+github.com/vektah/gqlparser/v2 v2.0.1/go.mod h1:SyUiHgLATUR8BiYURfTirrTcGpcE+4XkV2se04Px1Ms=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550 h1:ObdrDkeb4kJdCP557AjRjq69pTHfNouLtWZG7j9rPN8=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42 h1:vEOn+mP2zCOVzKckCZy6YsCtDblrpj/w7B9nxGNELpg=
+golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/tools v0.0.0-20190125232054-d66bd3c5d5a6/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190515012406-7d7faa4812bd/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20200114235610-7ae403b6b589 h1:rjUrONFu4kLchcZTfp3/96bR8bW8dIa8uz3cR5n0cgM=
+golang.org/x/tools v0.0.0-20200114235610-7ae403b6b589/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 h1:YR8cESwS4TdDjEe65xsg0ogRM/Nc3DYOhEAlW+xobZo=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
+gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+sourcegraph.com/sourcegraph/appdash v0.0.0-20180110180208-2cc67fd64755/go.mod h1:hI742Nqp5OhwiqlzhgfbWU4mW4yO10fP+LoT9WOswdU=
+sourcegraph.com/sourcegraph/appdash-data v0.0.0-20151005221446-73f23eafcf67/go.mod h1:L5q+DGLGOQFpo1snNEkLOJT2d1YTW66rWNzatr3He1k=
--- a/api/gqlgen.yml
+++ b/api/gqlgen.yml
@ -0,0 +1,47 @@
+# Where are all the schema files located? globs are supported eg  src/**/*.graphqls
+schema:
+  - graph/*.graphqls
+
+# Where should the generated server code go?
+exec:
+  filename: graph/generated.go
+  package: graph
+
+# Uncomment to enable federation
+# federation:
+#   filename: graph/generated/federation.go
+#   package: generated
+
+# Where should any generated models go?
+model:
+  filename: graph/models_gen.go
+  package: graph
+
+# Where should the resolver implementations go?
+resolver:
+  layout: follow-schema
+  dir: graph
+  package: graph
+
+# Optional: turn on to use []Thing instead of []*Thing
+omit_slice_element_pointers: true
+
+# gqlgen will search for any type names in the schema in these go packages
+# if they match it will use them, otherwise it will generate them.
+autobind:
+  - "github.com/jordanknott/project-citadel/api/pg"
+
+# This section declares type mapping between the GraphQL and go type systems
+#
+# The first line in each type will be used as defaults for resolver arguments and
+# modelgen, the others will be allowed when binding to fields. Configure them to
+# your liking
+models:
+  ID:
+    model: github.com/jordanknott/project-citadel/api/graph.UUID
+  Int:
+    model:
+      - github.com/99designs/gqlgen/graphql.Int
+
+  UUID:
+    model: github.com/jordanknott/project-citadel/api/graph.UUID
--- a/api/graph/generated.go
+++ b/api/graph/generated.go
--- a/api/graph/graph.go
+++ b/api/graph/graph.go
@ -0,0 +1,22 @@
+package graph
+
+import (
+	"net/http"
+
+	"github.com/99designs/gqlgen/handler"
+	"github.com/jordanknott/project-citadel/api/pg"
+)
+
+// NewHandler returns a new graphql endpoint handler.
+func NewHandler(repo pg.Repository) http.Handler {
+	return handler.GraphQL(NewExecutableSchema(Config{
+		Resolvers: &Resolver{
+			Repository: repo,
+		},
+	}))
+}
+
+// NewPlaygroundHandler returns a new GraphQL Playground handler.
+func NewPlaygroundHandler(endpoint string) http.Handler {
+	return handler.Playground("GraphQL Playground", endpoint)
+}
--- a/api/graph/models_gen.go
+++ b/api/graph/models_gen.go
@ -0,0 +1,75 @@
+// Code generated by github.com/99designs/gqlgen, DO NOT EDIT.
+
+package graph
+
+type DeleteTaskInput struct {
+	TaskID string `json:"taskID"`
+}
+
+type DeleteTaskPayload struct {
+	TaskID string `json:"taskID"`
+}
+
+type FindProject struct {
+	ProjectID string `json:"projectId"`
+}
+
+type FindUser struct {
+	UserID string `json:"userId"`
+}
+
+type LogoutUser struct {
+	UserID string `json:"userID"`
+}
+
+type NewOrganization struct {
+	Name string `json:"name"`
+}
+
+type NewProject struct {
+	TeamID string `json:"teamID"`
+	Name   string `json:"name"`
+}
+
+type NewRefreshToken struct {
+	UserID string `json:"userId"`
+}
+
+type NewTask struct {
+	TaskGroupID string  `json:"taskGroupID"`
+	Name        string  `json:"name"`
+	Position    float64 `json:"position"`
+}
+
+type NewTaskGroup struct {
+	ProjectID string  `json:"projectID"`
+	Name      string  `json:"name"`
+	Position  float64 `json:"position"`
+}
+
+type NewTaskLocation struct {
+	TaskID      string  `json:"taskID"`
+	TaskGroupID string  `json:"taskGroupID"`
+	Position    float64 `json:"position"`
+}
+
+type NewTeam struct {
+	Name           string `json:"name"`
+	OrganizationID string `json:"organizationID"`
+}
+
+type NewUserAccount struct {
+	Username    string `json:"username"`
+	Email       string `json:"email"`
+	DisplayName string `json:"displayName"`
+	Password    string `json:"password"`
+}
+
+type ProjectsFilter struct {
+	TeamID *string `json:"teamID"`
+}
+
+type UpdateTaskName struct {
+	TaskID string `json:"taskID"`
+	Name   string `json:"name"`
+}
--- a/api/graph/resolver.go
+++ b/api/graph/resolver.go
@ -0,0 +1,13 @@
+//go:generate go run github.com/99designs/gqlgen
+package graph
+
+import (
+	"sync"
+
+	"github.com/jordanknott/project-citadel/api/pg"
+)
+
+type Resolver struct {
+	Repository pg.Repository
+	mu         sync.Mutex
+}
--- a/api/graph/scalars.go
+++ b/api/graph/scalars.go
@ -0,0 +1,23 @@
+package graph
+
+import (
+	"io"
+
+	"github.com/99designs/gqlgen/graphql"
+	"github.com/google/uuid"
+	"github.com/pkg/errors"
+	"strconv"
+)
+
+func MarshalUUID(uuid uuid.UUID) graphql.Marshaler {
+	return graphql.WriterFunc(func(w io.Writer) {
+		w.Write([]byte(strconv.Quote(uuid.String())))
+	})
+}
+
+func UnmarshalUUID(v interface{}) (uuid.UUID, error) {
+	if uuidRaw, ok := v.(string); ok {
+		return uuid.Parse(uuidRaw)
+	}
+	return uuid.UUID{}, errors.New("uuid must be a string")
+}
--- a/api/graph/schema.graphqls
+++ b/api/graph/schema.graphqls
@ -0,0 +1,151 @@
+scalar Time
+
+scalar UUID
+
+type RefreshToken {
+  tokenId: ID!
+  userId: UUID!
+  expiresAt: Time!
+  createdAt: Time!
+}
+
+type UserAccount {
+  userID: ID!
+  email: String!
+  createdAt: Time!
+  displayName: String!
+  username: String!
+}
+
+type Organization {
+  organizationID: ID!
+  createdAt: Time!
+  name: String!
+  teams: [Team!]!
+}
+
+type Team {
+  teamID: ID!
+  createdAt: Time!
+  name: String!
+  projects: [Project!]!
+}
+
+type Project {
+  projectID: ID!
+  teamID: String!
+  createdAt: Time!
+  name: String!
+  taskGroups: [TaskGroup!]!
+}
+
+type TaskGroup {
+  taskGroupID: ID!
+  projectID: String!
+  createdAt: Time!
+  name: String!
+  position: Float!
+  tasks: [Task!]!
+}
+
+type Task {
+  taskID: ID!
+  taskGroupID: String!
+  createdAt: Time!
+  name: String!
+  position: Float!
+}
+
+input ProjectsFilter {
+  teamID: String
+}
+
+input FindUser {
+  userId: String!
+}
+
+input FindProject {
+  projectId: String!
+}
+
+type Query {
+  organizations: [Organization!]!
+  users: [UserAccount!]!
+  findUser(input: FindUser!): UserAccount!
+  findProject(input: FindProject!): Project!
+  teams: [Team!]!
+  projects(input: ProjectsFilter): [Project!]!
+  taskGroups: [TaskGroup!]!
+}
+
+input NewRefreshToken {
+  userId: String!
+}
+
+input NewUserAccount {
+  username: String!
+  email: String!
+  displayName: String!
+  password: String!
+}
+
+input NewTeam {
+  name: String!
+  organizationID: String!
+}
+
+input NewProject {
+  teamID: String!
+  name: String!
+}
+
+input NewTaskGroup {
+  projectID: String!
+  name: String!
+  position: Float!
+}
+
+input NewOrganization {
+  name: String!
+}
+
+input LogoutUser {
+  userID: String!
+}
+input NewTask {
+  taskGroupID: String!
+  name: String!
+  position: Float!
+}
+input NewTaskLocation {
+  taskID: String!
+  taskGroupID: String!
+  position: Float!
+}
+
+input DeleteTaskInput {
+  taskID: String!
+}
+
+type DeleteTaskPayload {
+  taskID: String!
+}
+
+input UpdateTaskName {
+  taskID: String!
+  name: String!
+}
+
+type Mutation {
+  createRefreshToken(input: NewRefreshToken!): RefreshToken!
+  createUserAccount(input: NewUserAccount!): UserAccount!
+  createOrganization(input: NewOrganization!): Organization!
+  createTeam(input: NewTeam!): Team!
+  createProject(input: NewProject!): Project!
+  createTaskGroup(input: NewTaskGroup!): TaskGroup!
+  createTask(input: NewTask!): Task!
+  updateTaskLocation(input: NewTaskLocation!): Task!
+  logoutUser(input: LogoutUser!): Boolean!
+  updateTaskName(input: UpdateTaskName!): Task!
+  deleteTask(input: DeleteTaskInput!): DeleteTaskPayload!
+}
--- a/api/graph/schema.resolvers.go
+++ b/api/graph/schema.resolvers.go
@ -0,0 +1,232 @@
+// This file will be automatically regenerated based on the schema, any resolver implementations
+// will be copied through when generating and any unknown code will be moved to the end.
+package graph
+
+import (
+	"context"
+	"database/sql"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/jordanknott/project-citadel/api/pg"
+	log "github.com/sirupsen/logrus"
+	"github.com/vektah/gqlparser/v2/gqlerror"
+)
+
+func (r *mutationResolver) CreateRefreshToken(ctx context.Context, input NewRefreshToken) (*pg.RefreshToken, error) {
+	userID := uuid.MustParse("0183d9ab-d0ed-4c9b-a3df-77a0cdd93dca")
+	refreshCreatedAt := time.Now().UTC()
+	refreshExpiresAt := refreshCreatedAt.AddDate(0, 0, 1)
+	refreshToken, err := r.Repository.CreateRefreshToken(ctx, pg.CreateRefreshTokenParams{userID, refreshCreatedAt, refreshExpiresAt})
+	return &refreshToken, err
+}
+
+func (r *mutationResolver) CreateUserAccount(ctx context.Context, input NewUserAccount) (*pg.UserAccount, error) {
+	createdAt := time.Now().UTC()
+	userAccount, err := r.Repository.CreateUserAccount(ctx, pg.CreateUserAccountParams{input.Username, input.Email, input.DisplayName, createdAt, input.Password})
+	return &userAccount, err
+}
+
+func (r *mutationResolver) CreateOrganization(ctx context.Context, input NewOrganization) (*pg.Organization, error) {
+	createdAt := time.Now().UTC()
+	organization, err := r.Repository.CreateOrganization(ctx, pg.CreateOrganizationParams{createdAt, input.Name})
+	return &organization, err
+}
+
+func (r *mutationResolver) CreateTeam(ctx context.Context, input NewTeam) (*pg.Team, error) {
+	organizationID, err := uuid.Parse(input.OrganizationID)
+	if err != nil {
+		return &pg.Team{}, err
+	}
+	createdAt := time.Now().UTC()
+	team, err := r.Repository.CreateTeam(ctx, pg.CreateTeamParams{organizationID, createdAt, input.Name})
+	return &team, err
+}
+
+func (r *mutationResolver) CreateProject(ctx context.Context, input NewProject) (*pg.Project, error) {
+	createdAt := time.Now().UTC()
+	teamID, err := uuid.Parse(input.TeamID)
+	if err != nil {
+		return &pg.Project{}, err
+	}
+	project, err := r.Repository.CreateProject(ctx, pg.CreateProjectParams{teamID, createdAt, input.Name})
+	return &project, err
+}
+
+func (r *mutationResolver) CreateTaskGroup(ctx context.Context, input NewTaskGroup) (*pg.TaskGroup, error) {
+	createdAt := time.Now().UTC()
+	projectID, err := uuid.Parse(input.ProjectID)
+	if err != nil {
+		return &pg.TaskGroup{}, err
+	}
+	project, err := r.Repository.CreateTaskGroup(ctx,
+		pg.CreateTaskGroupParams{projectID, createdAt, input.Name, input.Position})
+	return &project, err
+}
+
+func (r *mutationResolver) CreateTask(ctx context.Context, input NewTask) (*pg.Task, error) {
+	taskGroupID, err := uuid.Parse(input.TaskGroupID)
+	createdAt := time.Now().UTC()
+	if err != nil {
+		return &pg.Task{}, err
+	}
+
+	task, err := r.Repository.CreateTask(ctx, pg.CreateTaskParams{taskGroupID, createdAt, input.Name, input.Position})
+	return &task, err
+}
+
+func (r *mutationResolver) UpdateTaskLocation(ctx context.Context, input NewTaskLocation) (*pg.Task, error) {
+	taskID, err := uuid.Parse(input.TaskID)
+	if err != nil {
+		return &pg.Task{}, err
+	}
+	taskGroupID, err := uuid.Parse(input.TaskGroupID)
+	if err != nil {
+		return &pg.Task{}, err
+	}
+	task, err := r.Repository.UpdateTaskLocation(ctx, pg.UpdateTaskLocationParams{taskID, taskGroupID, input.Position})
+
+	return &task, err
+}
+
+func (r *mutationResolver) LogoutUser(ctx context.Context, input LogoutUser) (bool, error) {
+	userID, err := uuid.Parse(input.UserID)
+	if err != nil {
+		return false, err
+	}
+
+	err = r.Repository.DeleteRefreshTokenByUserID(ctx, userID)
+	return true, err
+}
+
+func (r *mutationResolver) UpdateTaskName(ctx context.Context, input UpdateTaskName) (*pg.Task, error) {
+	taskID, err := uuid.Parse(input.TaskID)
+	if err != nil {
+		return &pg.Task{}, err
+	}
+	task, err := r.Repository.UpdateTaskName(ctx, pg.UpdateTaskNameParams{taskID, input.Name})
+	return &task, err
+}
+
+func (r *mutationResolver) DeleteTask(ctx context.Context, input DeleteTaskInput) (*DeleteTaskPayload, error) {
+	taskID, err := uuid.Parse(input.TaskID)
+	if err != nil {
+		return &DeleteTaskPayload{}, err
+	}
+
+	log.WithFields(log.Fields{
+		"taskID": taskID.String(),
+	}).Info("deleting task")
+	err = r.Repository.DeleteTaskByID(ctx, taskID)
+	if err != nil {
+		return &DeleteTaskPayload{}, err
+	}
+	return &DeleteTaskPayload{taskID.String()}, nil
+}
+
+func (r *organizationResolver) Teams(ctx context.Context, obj *pg.Organization) ([]pg.Team, error) {
+	teams, err := r.Repository.GetTeamsForOrganization(ctx, obj.OrganizationID)
+	return teams, err
+}
+
+func (r *projectResolver) TeamID(ctx context.Context, obj *pg.Project) (string, error) {
+	return obj.TeamID.String(), nil
+}
+
+func (r *projectResolver) TaskGroups(ctx context.Context, obj *pg.Project) ([]pg.TaskGroup, error) {
+	return r.Repository.GetTaskGroupsForProject(ctx, obj.ProjectID)
+}
+
+func (r *queryResolver) Organizations(ctx context.Context) ([]pg.Organization, error) {
+	return r.Repository.GetAllOrganizations(ctx)
+}
+
+func (r *queryResolver) Users(ctx context.Context) ([]pg.UserAccount, error) {
+	return r.Repository.GetAllUserAccounts(ctx)
+}
+
+func (r *queryResolver) FindUser(ctx context.Context, input FindUser) (*pg.UserAccount, error) {
+	userId, err := uuid.Parse(input.UserID)
+	if err != nil {
+		return &pg.UserAccount{}, err
+	}
+	account, err := r.Repository.GetUserAccountByID(ctx, userId)
+	if err == sql.ErrNoRows {
+		return &pg.UserAccount{}, &gqlerror.Error{
+			Message: "User not found",
+			Extensions: map[string]interface{}{
+				"code": "10-404",
+			},
+		}
+	}
+	return &account, err
+}
+
+func (r *queryResolver) FindProject(ctx context.Context, input FindProject) (*pg.Project, error) {
+	projectID, err := uuid.Parse(input.ProjectID)
+	if err != nil {
+		return &pg.Project{}, err
+	}
+	project, err := r.Repository.GetProjectByID(ctx, projectID)
+	if err == sql.ErrNoRows {
+		return &pg.Project{}, &gqlerror.Error{
+			Message: "Project not found",
+			Extensions: map[string]interface{}{
+				"code": "11-404",
+			},
+		}
+	}
+	return &project, err
+}
+
+func (r *queryResolver) Teams(ctx context.Context) ([]pg.Team, error) {
+	return r.Repository.GetAllTeams(ctx)
+}
+
+func (r *queryResolver) Projects(ctx context.Context, input *ProjectsFilter) ([]pg.Project, error) {
+	if input != nil {
+		teamID, err := uuid.Parse(*input.TeamID)
+		if err != nil {
+			return []pg.Project{}, err
+		}
+		return r.Repository.GetAllProjectsForTeam(ctx, teamID)
+	}
+	return r.Repository.GetAllProjects(ctx)
+}
+
+func (r *queryResolver) TaskGroups(ctx context.Context) ([]pg.TaskGroup, error) {
+	return r.Repository.GetAllTaskGroups(ctx)
+}
+
+func (r *taskResolver) TaskGroupID(ctx context.Context, obj *pg.Task) (string, error) {
+	return obj.TaskGroupID.String(), nil
+}
+
+func (r *taskGroupResolver) ProjectID(ctx context.Context, obj *pg.TaskGroup) (string, error) {
+	return obj.ProjectID.String(), nil
+}
+
+func (r *taskGroupResolver) Tasks(ctx context.Context, obj *pg.TaskGroup) ([]pg.Task, error) {
+	tasks, err := r.Repository.GetTasksForTaskGroupID(ctx, obj.TaskGroupID)
+	return tasks, err
+}
+
+func (r *teamResolver) Projects(ctx context.Context, obj *pg.Team) ([]pg.Project, error) {
+	return r.Repository.GetAllProjectsForTeam(ctx, obj.TeamID)
+}
+
+func (r *Resolver) Mutation() MutationResolver         { return &mutationResolver{r} }
+func (r *Resolver) Organization() OrganizationResolver { return &organizationResolver{r} }
+func (r *Resolver) Project() ProjectResolver           { return &projectResolver{r} }
+func (r *Resolver) Query() QueryResolver               { return &queryResolver{r} }
+func (r *Resolver) Task() TaskResolver                 { return &taskResolver{r} }
+func (r *Resolver) TaskGroup() TaskGroupResolver       { return &taskGroupResolver{r} }
+func (r *Resolver) Team() TeamResolver                 { return &teamResolver{r} }
+
+type mutationResolver struct{ *Resolver }
+type organizationResolver struct{ *Resolver }
+type projectResolver struct{ *Resolver }
+type queryResolver struct{ *Resolver }
+type taskResolver struct{ *Resolver }
+type taskGroupResolver struct{ *Resolver }
+type teamResolver struct{ *Resolver }
--- a/api/migrations/0001_add-refresh-token-table.up.sql
+++ b/api/migrations/0001_add-refresh-token-table.up.sql
@ -0,0 +1,6 @@
+CREATE TABLE refresh_token (
+  token_id uuid PRIMARY KEY DEFAULT uuid_generate_v4(),
+  user_id uuid NOT NULL,
+  created_at timestamptz NOT NULL,
+  expires_at timestamptz NOT NULL
+);
--- a/api/migrations/0002_add-users-table.up.sql
+++ b/api/migrations/0002_add-users-table.up.sql
@ -0,0 +1,8 @@
+CREATE TABLE user_account (
+  user_id uuid PRIMARY KEY DEFAULT uuid_generate_v4(),
+  created_at timestamptz NOT NULL,
+  display_name text NOT NULL,
+  email text NOT NULL UNIQUE,
+  username text NOT NULL UNIQUE,
+  password_hash text NOT NULL
+);
--- a/api/migrations/0003_add-team-table.up.sql
+++ b/api/migrations/0003_add-team-table.up.sql
@ -0,0 +1,5 @@
+CREATE TABLE team (
+  team_id uuid PRIMARY KEY DEFAULT uuid_generate_v4(),
+  created_at timestamptz NOT NULL,
+  name text NOT NULL
+);
--- a/api/migrations/0004_add-project-table.up.sql
+++ b/api/migrations/0004_add-project-table.up.sql
@ -0,0 +1,6 @@
+CREATE TABLE project (
+  project_id uuid PRIMARY KEY DEFAULT uuid_generate_v4(),
+  team_id uuid NOT NULL REFERENCES team(team_id),
+  created_at timestamptz NOT NULL,
+  name text NOT NULL
+);
--- a/api/migrations/0005_add-task-group-table.up.sql
+++ b/api/migrations/0005_add-task-group-table.up.sql
@ -0,0 +1,7 @@
+CREATE TABLE task_group (
+  task_group_id uuid PRIMARY KEY DEFAULT uuid_generate_v4(),
+  project_id uuid NOT NULL REFERENCES project(project_id),
+  created_at timestamptz NOT NULL,
+  name text NOT NULL,
+  position float NOT NULL
+);
--- a/api/migrations/0006_add-task.up.sql
+++ b/api/migrations/0006_add-task.up.sql
@ -0,0 +1,7 @@
+CREATE TABLE task (
+  task_id uuid PRIMARY KEY DEFAULT uuid_generate_v4(),
+  task_group_id uuid NOT NULL REFERENCES task_group(task_group_id),
+  created_at timestamptz NOT NULL,
+  name text NOT NULL,
+  position float NOT NULL
+);
--- a/api/migrations/0007_add-organization-table.up.sql
+++ b/api/migrations/0007_add-organization-table.up.sql
@ -0,0 +1,5 @@
+CREATE TABLE organization (
+  organization_id uuid PRIMARY KEY DEFAULT uuid_generate_v4(),
+  created_at timestamptz NOT NULL,
+  name text NOT NULL
+);
--- a/api/migrations/0008_add-org-id-to-team-table.up.sql
+++ b/api/migrations/0008_add-org-id-to-team-table.up.sql
@ -0,0 +1 @@
+ALTER TABLE team ADD COLUMN organization_id uuid NOT NULL REFERENCES organization(organization_id);
--- a/api/pg/db.go
+++ b/api/pg/db.go
@ -0,0 +1,29 @@
+// Code generated by sqlc. DO NOT EDIT.
+
+package pg
+
+import (
+	"context"
+	"database/sql"
+)
+
+type DBTX interface {
+	ExecContext(context.Context, string, ...interface{}) (sql.Result, error)
+	PrepareContext(context.Context, string) (*sql.Stmt, error)
+	QueryContext(context.Context, string, ...interface{}) (*sql.Rows, error)
+	QueryRowContext(context.Context, string, ...interface{}) *sql.Row
+}
+
+func New(db DBTX) *Queries {
+	return &Queries{db: db}
+}
+
+type Queries struct {
+	db DBTX
+}
+
+func (q *Queries) WithTx(tx *sql.Tx) *Queries {
+	return &Queries{
+		db: tx,
+	}
+}
--- a/api/pg/models.go
+++ b/api/pg/models.go
@ -0,0 +1,61 @@
+// Code generated by sqlc. DO NOT EDIT.
+
+package pg
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+type Organization struct {
+	OrganizationID uuid.UUID `json:"organization_id"`
+	CreatedAt      time.Time `json:"created_at"`
+	Name           string    `json:"name"`
+}
+
+type Project struct {
+	ProjectID uuid.UUID `json:"project_id"`
+	TeamID    uuid.UUID `json:"team_id"`
+	CreatedAt time.Time `json:"created_at"`
+	Name      string    `json:"name"`
+}
+
+type RefreshToken struct {
+	TokenID   uuid.UUID `json:"token_id"`
+	UserID    uuid.UUID `json:"user_id"`
+	CreatedAt time.Time `json:"created_at"`
+	ExpiresAt time.Time `json:"expires_at"`
+}
+
+type Task struct {
+	TaskID      uuid.UUID `json:"task_id"`
+	TaskGroupID uuid.UUID `json:"task_group_id"`
+	CreatedAt   time.Time `json:"created_at"`
+	Name        string    `json:"name"`
+	Position    float64   `json:"position"`
+}
+
+type TaskGroup struct {
+	TaskGroupID uuid.UUID `json:"task_group_id"`
+	ProjectID   uuid.UUID `json:"project_id"`
+	CreatedAt   time.Time `json:"created_at"`
+	Name        string    `json:"name"`
+	Position    float64   `json:"position"`
+}
+
+type Team struct {
+	TeamID         uuid.UUID `json:"team_id"`
+	CreatedAt      time.Time `json:"created_at"`
+	Name           string    `json:"name"`
+	OrganizationID uuid.UUID `json:"organization_id"`
+}
+
+type UserAccount struct {
+	UserID       uuid.UUID `json:"user_id"`
+	CreatedAt    time.Time `json:"created_at"`
+	DisplayName  string    `json:"display_name"`
+	Email        string    `json:"email"`
+	Username     string    `json:"username"`
+	PasswordHash string    `json:"password_hash"`
+}
--- a/api/pg/organization.sql.go
+++ b/api/pg/organization.sql.go
@ -0,0 +1,52 @@
+// Code generated by sqlc. DO NOT EDIT.
+// source: organization.sql
+
+package pg
+
+import (
+	"context"
+	"time"
+)
+
+const createOrganization = `-- name: CreateOrganization :one
+INSERT INTO organization (created_at, name) VALUES ($1, $2) RETURNING organization_id, created_at, name
+`
+
+type CreateOrganizationParams struct {
+	CreatedAt time.Time `json:"created_at"`
+	Name      string    `json:"name"`
+}
+
+func (q *Queries) CreateOrganization(ctx context.Context, arg CreateOrganizationParams) (Organization, error) {
+	row := q.db.QueryRowContext(ctx, createOrganization, arg.CreatedAt, arg.Name)
+	var i Organization
+	err := row.Scan(&i.OrganizationID, &i.CreatedAt, &i.Name)
+	return i, err
+}
+
+const getAllOrganizations = `-- name: GetAllOrganizations :many
+SELECT organization_id, created_at, name FROM organization
+`
+
+func (q *Queries) GetAllOrganizations(ctx context.Context) ([]Organization, error) {
+	rows, err := q.db.QueryContext(ctx, getAllOrganizations)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Organization
+	for rows.Next() {
+		var i Organization
+		if err := rows.Scan(&i.OrganizationID, &i.CreatedAt, &i.Name); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
--- a/api/pg/pg.go
+++ b/api/pg/pg.go
@ -0,0 +1,51 @@
+package pg
+
+import (
+	"context"
+	"github.com/google/uuid"
+	"github.com/jmoiron/sqlx"
+)
+
+type Repository interface {
+	CreateTeam(ctx context.Context, arg CreateTeamParams) (Team, error)
+	DeleteTeamByID(ctx context.Context, teamID uuid.UUID) error
+	GetTeamByID(ctx context.Context, teamID uuid.UUID) (Team, error)
+	GetAllTeams(ctx context.Context) ([]Team, error)
+	CreateProject(ctx context.Context, arg CreateProjectParams) (Project, error)
+	GetAllProjects(ctx context.Context) ([]Project, error)
+	GetAllProjectsForTeam(ctx context.Context, teamID uuid.UUID) ([]Project, error)
+	GetProjectByID(ctx context.Context, projectID uuid.UUID) (Project, error)
+	GetAllUserAccounts(ctx context.Context) ([]UserAccount, error)
+	GetUserAccountByID(ctx context.Context, userID uuid.UUID) (UserAccount, error)
+	CreateUserAccount(ctx context.Context, arg CreateUserAccountParams) (UserAccount, error)
+	GetUserAccountByUsername(ctx context.Context, username string) (UserAccount, error)
+	CreateRefreshToken(ctx context.Context, arg CreateRefreshTokenParams) (RefreshToken, error)
+	GetRefreshTokenByID(ctx context.Context, tokenID uuid.UUID) (RefreshToken, error)
+	DeleteRefreshTokenByID(ctx context.Context, tokenID uuid.UUID) error
+	DeleteRefreshTokenByUserID(ctx context.Context, userID uuid.UUID) error
+	CreateTaskGroup(ctx context.Context, arg CreateTaskGroupParams) (TaskGroup, error)
+	GetAllTaskGroups(ctx context.Context) ([]TaskGroup, error)
+	GetAllOrganizations(ctx context.Context) ([]Organization, error)
+	GetTaskGroupsForProject(ctx context.Context, projectID uuid.UUID) ([]TaskGroup, error)
+	CreateOrganization(ctx context.Context, arg CreateOrganizationParams) (Organization, error)
+	GetTeamsForOrganization(ctx context.Context, organizationID uuid.UUID) ([]Team, error)
+	CreateTask(ctx context.Context, arg CreateTaskParams) (Task, error)
+	GetAllTasks(ctx context.Context) ([]Task, error)
+	GetTasksForTaskGroupID(ctx context.Context, taskGroupID uuid.UUID) ([]Task, error)
+	UpdateTaskLocation(ctx context.Context, arg UpdateTaskLocationParams) (Task, error)
+	DeleteTaskByID(ctx context.Context, taskID uuid.UUID) error
+	UpdateTaskName(ctx context.Context, arg UpdateTaskNameParams) (Task, error)
+}
+
+type repoSvc struct {
+	*Queries
+	db *sqlx.DB
+}
+
+// NewRepository returns an implementation of the Repository interface.
+func NewRepository(db *sqlx.DB) Repository {
+	return &repoSvc{
+		Queries: New(db.DB),
+		db:      db,
+	}
+}
--- a/api/pg/project.sql.go
+++ b/api/pg/project.sql.go
@ -0,0 +1,113 @@
+// Code generated by sqlc. DO NOT EDIT.
+// source: project.sql
+
+package pg
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+const createProject = `-- name: CreateProject :one
+INSERT INTO project(team_id, created_at, name) VALUES ($1, $2, $3) RETURNING project_id, team_id, created_at, name
+`
+
+type CreateProjectParams struct {
+	TeamID    uuid.UUID `json:"team_id"`
+	CreatedAt time.Time `json:"created_at"`
+	Name      string    `json:"name"`
+}
+
+func (q *Queries) CreateProject(ctx context.Context, arg CreateProjectParams) (Project, error) {
+	row := q.db.QueryRowContext(ctx, createProject, arg.TeamID, arg.CreatedAt, arg.Name)
+	var i Project
+	err := row.Scan(
+		&i.ProjectID,
+		&i.TeamID,
+		&i.CreatedAt,
+		&i.Name,
+	)
+	return i, err
+}
+
+const getAllProjects = `-- name: GetAllProjects :many
+SELECT project_id, team_id, created_at, name FROM project
+`
+
+func (q *Queries) GetAllProjects(ctx context.Context) ([]Project, error) {
+	rows, err := q.db.QueryContext(ctx, getAllProjects)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Project
+	for rows.Next() {
+		var i Project
+		if err := rows.Scan(
+			&i.ProjectID,
+			&i.TeamID,
+			&i.CreatedAt,
+			&i.Name,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getAllProjectsForTeam = `-- name: GetAllProjectsForTeam :many
+SELECT project_id, team_id, created_at, name FROM project WHERE team_id = $1
+`
+
+func (q *Queries) GetAllProjectsForTeam(ctx context.Context, teamID uuid.UUID) ([]Project, error) {
+	rows, err := q.db.QueryContext(ctx, getAllProjectsForTeam, teamID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Project
+	for rows.Next() {
+		var i Project
+		if err := rows.Scan(
+			&i.ProjectID,
+			&i.TeamID,
+			&i.CreatedAt,
+			&i.Name,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getProjectByID = `-- name: GetProjectByID :one
+SELECT project_id, team_id, created_at, name FROM project WHERE project_id = $1
+`
+
+func (q *Queries) GetProjectByID(ctx context.Context, projectID uuid.UUID) (Project, error) {
+	row := q.db.QueryRowContext(ctx, getProjectByID, projectID)
+	var i Project
+	err := row.Scan(
+		&i.ProjectID,
+		&i.TeamID,
+		&i.CreatedAt,
+		&i.Name,
+	)
+	return i, err
+}
--- a/api/pg/querier.go
+++ b/api/pg/querier.go
@ -0,0 +1,43 @@
+// Code generated by sqlc. DO NOT EDIT.
+
+package pg
+
+import (
+	"context"
+
+	"github.com/google/uuid"
+)
+
+type Querier interface {
+	CreateOrganization(ctx context.Context, arg CreateOrganizationParams) (Organization, error)
+	CreateProject(ctx context.Context, arg CreateProjectParams) (Project, error)
+	CreateRefreshToken(ctx context.Context, arg CreateRefreshTokenParams) (RefreshToken, error)
+	CreateTask(ctx context.Context, arg CreateTaskParams) (Task, error)
+	CreateTaskGroup(ctx context.Context, arg CreateTaskGroupParams) (TaskGroup, error)
+	CreateTeam(ctx context.Context, arg CreateTeamParams) (Team, error)
+	CreateUserAccount(ctx context.Context, arg CreateUserAccountParams) (UserAccount, error)
+	DeleteExpiredTokens(ctx context.Context) error
+	DeleteRefreshTokenByID(ctx context.Context, tokenID uuid.UUID) error
+	DeleteRefreshTokenByUserID(ctx context.Context, userID uuid.UUID) error
+	DeleteTaskByID(ctx context.Context, taskID uuid.UUID) error
+	DeleteTeamByID(ctx context.Context, teamID uuid.UUID) error
+	GetAllOrganizations(ctx context.Context) ([]Organization, error)
+	GetAllProjects(ctx context.Context) ([]Project, error)
+	GetAllProjectsForTeam(ctx context.Context, teamID uuid.UUID) ([]Project, error)
+	GetAllTaskGroups(ctx context.Context) ([]TaskGroup, error)
+	GetAllTasks(ctx context.Context) ([]Task, error)
+	GetAllTeams(ctx context.Context) ([]Team, error)
+	GetAllUserAccounts(ctx context.Context) ([]UserAccount, error)
+	GetProjectByID(ctx context.Context, projectID uuid.UUID) (Project, error)
+	GetRefreshTokenByID(ctx context.Context, tokenID uuid.UUID) (RefreshToken, error)
+	GetTaskGroupsForProject(ctx context.Context, projectID uuid.UUID) ([]TaskGroup, error)
+	GetTasksForTaskGroupID(ctx context.Context, taskGroupID uuid.UUID) ([]Task, error)
+	GetTeamByID(ctx context.Context, teamID uuid.UUID) (Team, error)
+	GetTeamsForOrganization(ctx context.Context, organizationID uuid.UUID) ([]Team, error)
+	GetUserAccountByID(ctx context.Context, userID uuid.UUID) (UserAccount, error)
+	GetUserAccountByUsername(ctx context.Context, username string) (UserAccount, error)
+	UpdateTaskLocation(ctx context.Context, arg UpdateTaskLocationParams) (Task, error)
+	UpdateTaskName(ctx context.Context, arg UpdateTaskNameParams) (Task, error)
+}
+
+var _ Querier = (*Queries)(nil)
--- a/api/pg/task.sql.go
+++ b/api/pg/task.sql.go
@ -0,0 +1,161 @@
+// Code generated by sqlc. DO NOT EDIT.
+// source: task.sql
+
+package pg
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+const createTask = `-- name: CreateTask :one
+INSERT INTO task (task_group_id, created_at, name, position)
+  VALUES($1, $2, $3, $4) RETURNING task_id, task_group_id, created_at, name, position
+`
+
+type CreateTaskParams struct {
+	TaskGroupID uuid.UUID `json:"task_group_id"`
+	CreatedAt   time.Time `json:"created_at"`
+	Name        string    `json:"name"`
+	Position    float64   `json:"position"`
+}
+
+func (q *Queries) CreateTask(ctx context.Context, arg CreateTaskParams) (Task, error) {
+	row := q.db.QueryRowContext(ctx, createTask,
+		arg.TaskGroupID,
+		arg.CreatedAt,
+		arg.Name,
+		arg.Position,
+	)
+	var i Task
+	err := row.Scan(
+		&i.TaskID,
+		&i.TaskGroupID,
+		&i.CreatedAt,
+		&i.Name,
+		&i.Position,
+	)
+	return i, err
+}
+
+const deleteTaskByID = `-- name: DeleteTaskByID :exec
+DELETE FROM task WHERE task_id = $1
+`
+
+func (q *Queries) DeleteTaskByID(ctx context.Context, taskID uuid.UUID) error {
+	_, err := q.db.ExecContext(ctx, deleteTaskByID, taskID)
+	return err
+}
+
+const getAllTasks = `-- name: GetAllTasks :many
+SELECT task_id, task_group_id, created_at, name, position FROM task
+`
+
+func (q *Queries) GetAllTasks(ctx context.Context) ([]Task, error) {
+	rows, err := q.db.QueryContext(ctx, getAllTasks)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Task
+	for rows.Next() {
+		var i Task
+		if err := rows.Scan(
+			&i.TaskID,
+			&i.TaskGroupID,
+			&i.CreatedAt,
+			&i.Name,
+			&i.Position,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getTasksForTaskGroupID = `-- name: GetTasksForTaskGroupID :many
+SELECT task_id, task_group_id, created_at, name, position FROM task WHERE task_group_id = $1
+`
+
+func (q *Queries) GetTasksForTaskGroupID(ctx context.Context, taskGroupID uuid.UUID) ([]Task, error) {
+	rows, err := q.db.QueryContext(ctx, getTasksForTaskGroupID, taskGroupID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Task
+	for rows.Next() {
+		var i Task
+		if err := rows.Scan(
+			&i.TaskID,
+			&i.TaskGroupID,
+			&i.CreatedAt,
+			&i.Name,
+			&i.Position,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const updateTaskLocation = `-- name: UpdateTaskLocation :one
+UPDATE task SET task_group_id = $2, position = $3 WHERE task_id = $1 RETURNING task_id, task_group_id, created_at, name, position
+`
+
+type UpdateTaskLocationParams struct {
+	TaskID      uuid.UUID `json:"task_id"`
+	TaskGroupID uuid.UUID `json:"task_group_id"`
+	Position    float64   `json:"position"`
+}
+
+func (q *Queries) UpdateTaskLocation(ctx context.Context, arg UpdateTaskLocationParams) (Task, error) {
+	row := q.db.QueryRowContext(ctx, updateTaskLocation, arg.TaskID, arg.TaskGroupID, arg.Position)
+	var i Task
+	err := row.Scan(
+		&i.TaskID,
+		&i.TaskGroupID,
+		&i.CreatedAt,
+		&i.Name,
+		&i.Position,
+	)
+	return i, err
+}
+
+const updateTaskName = `-- name: UpdateTaskName :one
+UPDATE task SET name = $2 WHERE task_id = $1 RETURNING task_id, task_group_id, created_at, name, position
+`
+
+type UpdateTaskNameParams struct {
+	TaskID uuid.UUID `json:"task_id"`
+	Name   string    `json:"name"`
+}
+
+func (q *Queries) UpdateTaskName(ctx context.Context, arg UpdateTaskNameParams) (Task, error) {
+	row := q.db.QueryRowContext(ctx, updateTaskName, arg.TaskID, arg.Name)
+	var i Task
+	err := row.Scan(
+		&i.TaskID,
+		&i.TaskGroupID,
+		&i.CreatedAt,
+		&i.Name,
+		&i.Position,
+	)
+	return i, err
+}
--- a/api/pg/task_group.sql.go
+++ b/api/pg/task_group.sql.go
@ -0,0 +1,107 @@
+// Code generated by sqlc. DO NOT EDIT.
+// source: task_group.sql
+
+package pg
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+const createTaskGroup = `-- name: CreateTaskGroup :one
+INSERT INTO task_group (project_id, created_at, name, position)
+  VALUES($1, $2, $3, $4) RETURNING task_group_id, project_id, created_at, name, position
+`
+
+type CreateTaskGroupParams struct {
+	ProjectID uuid.UUID `json:"project_id"`
+	CreatedAt time.Time `json:"created_at"`
+	Name      string    `json:"name"`
+	Position  float64   `json:"position"`
+}
+
+func (q *Queries) CreateTaskGroup(ctx context.Context, arg CreateTaskGroupParams) (TaskGroup, error) {
+	row := q.db.QueryRowContext(ctx, createTaskGroup,
+		arg.ProjectID,
+		arg.CreatedAt,
+		arg.Name,
+		arg.Position,
+	)
+	var i TaskGroup
+	err := row.Scan(
+		&i.TaskGroupID,
+		&i.ProjectID,
+		&i.CreatedAt,
+		&i.Name,
+		&i.Position,
+	)
+	return i, err
+}
+
+const getAllTaskGroups = `-- name: GetAllTaskGroups :many
+SELECT task_group_id, project_id, created_at, name, position FROM task_group
+`
+
+func (q *Queries) GetAllTaskGroups(ctx context.Context) ([]TaskGroup, error) {
+	rows, err := q.db.QueryContext(ctx, getAllTaskGroups)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []TaskGroup
+	for rows.Next() {
+		var i TaskGroup
+		if err := rows.Scan(
+			&i.TaskGroupID,
+			&i.ProjectID,
+			&i.CreatedAt,
+			&i.Name,
+			&i.Position,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getTaskGroupsForProject = `-- name: GetTaskGroupsForProject :many
+SELECT task_group_id, project_id, created_at, name, position FROM task_group WHERE project_id = $1
+`
+
+func (q *Queries) GetTaskGroupsForProject(ctx context.Context, projectID uuid.UUID) ([]TaskGroup, error) {
+	rows, err := q.db.QueryContext(ctx, getTaskGroupsForProject, projectID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []TaskGroup
+	for rows.Next() {
+		var i TaskGroup
+		if err := rows.Scan(
+			&i.TaskGroupID,
+			&i.ProjectID,
+			&i.CreatedAt,
+			&i.Name,
+			&i.Position,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
--- a/api/pg/team.sql.go
+++ b/api/pg/team.sql.go
@ -0,0 +1,122 @@
+// Code generated by sqlc. DO NOT EDIT.
+// source: team.sql
+
+package pg
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+const createTeam = `-- name: CreateTeam :one
+INSERT INTO team (organization_id, created_at, name) VALUES ($1, $2, $3) RETURNING team_id, created_at, name, organization_id
+`
+
+type CreateTeamParams struct {
+	OrganizationID uuid.UUID `json:"organization_id"`
+	CreatedAt      time.Time `json:"created_at"`
+	Name           string    `json:"name"`
+}
+
+func (q *Queries) CreateTeam(ctx context.Context, arg CreateTeamParams) (Team, error) {
+	row := q.db.QueryRowContext(ctx, createTeam, arg.OrganizationID, arg.CreatedAt, arg.Name)
+	var i Team
+	err := row.Scan(
+		&i.TeamID,
+		&i.CreatedAt,
+		&i.Name,
+		&i.OrganizationID,
+	)
+	return i, err
+}
+
+const deleteTeamByID = `-- name: DeleteTeamByID :exec
+DELETE FROM team WHERE team_id = $1
+`
+
+func (q *Queries) DeleteTeamByID(ctx context.Context, teamID uuid.UUID) error {
+	_, err := q.db.ExecContext(ctx, deleteTeamByID, teamID)
+	return err
+}
+
+const getAllTeams = `-- name: GetAllTeams :many
+SELECT team_id, created_at, name, organization_id FROM team
+`
+
+func (q *Queries) GetAllTeams(ctx context.Context) ([]Team, error) {
+	rows, err := q.db.QueryContext(ctx, getAllTeams)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Team
+	for rows.Next() {
+		var i Team
+		if err := rows.Scan(
+			&i.TeamID,
+			&i.CreatedAt,
+			&i.Name,
+			&i.OrganizationID,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getTeamByID = `-- name: GetTeamByID :one
+SELECT team_id, created_at, name, organization_id FROM team WHERE team_id = $1
+`
+
+func (q *Queries) GetTeamByID(ctx context.Context, teamID uuid.UUID) (Team, error) {
+	row := q.db.QueryRowContext(ctx, getTeamByID, teamID)
+	var i Team
+	err := row.Scan(
+		&i.TeamID,
+		&i.CreatedAt,
+		&i.Name,
+		&i.OrganizationID,
+	)
+	return i, err
+}
+
+const getTeamsForOrganization = `-- name: GetTeamsForOrganization :many
+SELECT team_id, created_at, name, organization_id FROM team WHERE organization_id = $1
+`
+
+func (q *Queries) GetTeamsForOrganization(ctx context.Context, organizationID uuid.UUID) ([]Team, error) {
+	rows, err := q.db.QueryContext(ctx, getTeamsForOrganization, organizationID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []Team
+	for rows.Next() {
+		var i Team
+		if err := rows.Scan(
+			&i.TeamID,
+			&i.CreatedAt,
+			&i.Name,
+			&i.OrganizationID,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
--- a/api/pg/token.sql.go
+++ b/api/pg/token.sql.go
@ -0,0 +1,76 @@
+// Code generated by sqlc. DO NOT EDIT.
+// source: token.sql
+
+package pg
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+const createRefreshToken = `-- name: CreateRefreshToken :one
+INSERT INTO refresh_token (user_id, created_at, expires_at) VALUES ($1, $2, $3) RETURNING token_id, user_id, created_at, expires_at
+`
+
+type CreateRefreshTokenParams struct {
+	UserID    uuid.UUID `json:"user_id"`
+	CreatedAt time.Time `json:"created_at"`
+	ExpiresAt time.Time `json:"expires_at"`
+}
+
+func (q *Queries) CreateRefreshToken(ctx context.Context, arg CreateRefreshTokenParams) (RefreshToken, error) {
+	row := q.db.QueryRowContext(ctx, createRefreshToken, arg.UserID, arg.CreatedAt, arg.ExpiresAt)
+	var i RefreshToken
+	err := row.Scan(
+		&i.TokenID,
+		&i.UserID,
+		&i.CreatedAt,
+		&i.ExpiresAt,
+	)
+	return i, err
+}
+
+const deleteExpiredTokens = `-- name: DeleteExpiredTokens :exec
+DELETE FROM refresh_token WHERE expires_at <= NOW()
+`
+
+func (q *Queries) DeleteExpiredTokens(ctx context.Context) error {
+	_, err := q.db.ExecContext(ctx, deleteExpiredTokens)
+	return err
+}
+
+const deleteRefreshTokenByID = `-- name: DeleteRefreshTokenByID :exec
+DELETE FROM refresh_token WHERE token_id = $1
+`
+
+func (q *Queries) DeleteRefreshTokenByID(ctx context.Context, tokenID uuid.UUID) error {
+	_, err := q.db.ExecContext(ctx, deleteRefreshTokenByID, tokenID)
+	return err
+}
+
+const deleteRefreshTokenByUserID = `-- name: DeleteRefreshTokenByUserID :exec
+DELETE FROM refresh_token WHERE user_id = $1
+`
+
+func (q *Queries) DeleteRefreshTokenByUserID(ctx context.Context, userID uuid.UUID) error {
+	_, err := q.db.ExecContext(ctx, deleteRefreshTokenByUserID, userID)
+	return err
+}
+
+const getRefreshTokenByID = `-- name: GetRefreshTokenByID :one
+SELECT token_id, user_id, created_at, expires_at FROM refresh_token WHERE token_id = $1
+`
+
+func (q *Queries) GetRefreshTokenByID(ctx context.Context, tokenID uuid.UUID) (RefreshToken, error) {
+	row := q.db.QueryRowContext(ctx, getRefreshTokenByID, tokenID)
+	var i RefreshToken
+	err := row.Scan(
+		&i.TokenID,
+		&i.UserID,
+		&i.CreatedAt,
+		&i.ExpiresAt,
+	)
+	return i, err
+}
--- a/api/pg/user_accounts.sql.go
+++ b/api/pg/user_accounts.sql.go
@ -0,0 +1,115 @@
+// Code generated by sqlc. DO NOT EDIT.
+// source: user_accounts.sql
+
+package pg
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+const createUserAccount = `-- name: CreateUserAccount :one
+INSERT INTO user_account(display_name, email, username, created_at, password_hash)
+  VALUES ($1, $2, $3, $4, $5)
+RETURNING user_id, created_at, display_name, email, username, password_hash
+`
+
+type CreateUserAccountParams struct {
+	DisplayName  string    `json:"display_name"`
+	Email        string    `json:"email"`
+	Username     string    `json:"username"`
+	CreatedAt    time.Time `json:"created_at"`
+	PasswordHash string    `json:"password_hash"`
+}
+
+func (q *Queries) CreateUserAccount(ctx context.Context, arg CreateUserAccountParams) (UserAccount, error) {
+	row := q.db.QueryRowContext(ctx, createUserAccount,
+		arg.DisplayName,
+		arg.Email,
+		arg.Username,
+		arg.CreatedAt,
+		arg.PasswordHash,
+	)
+	var i UserAccount
+	err := row.Scan(
+		&i.UserID,
+		&i.CreatedAt,
+		&i.DisplayName,
+		&i.Email,
+		&i.Username,
+		&i.PasswordHash,
+	)
+	return i, err
+}
+
+const getAllUserAccounts = `-- name: GetAllUserAccounts :many
+SELECT user_id, created_at, display_name, email, username, password_hash FROM user_account
+`
+
+func (q *Queries) GetAllUserAccounts(ctx context.Context) ([]UserAccount, error) {
+	rows, err := q.db.QueryContext(ctx, getAllUserAccounts)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []UserAccount
+	for rows.Next() {
+		var i UserAccount
+		if err := rows.Scan(
+			&i.UserID,
+			&i.CreatedAt,
+			&i.DisplayName,
+			&i.Email,
+			&i.Username,
+			&i.PasswordHash,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Close(); err != nil {
+		return nil, err
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getUserAccountByID = `-- name: GetUserAccountByID :one
+SELECT user_id, created_at, display_name, email, username, password_hash FROM user_account WHERE user_id = $1
+`
+
+func (q *Queries) GetUserAccountByID(ctx context.Context, userID uuid.UUID) (UserAccount, error) {
+	row := q.db.QueryRowContext(ctx, getUserAccountByID, userID)
+	var i UserAccount
+	err := row.Scan(
+		&i.UserID,
+		&i.CreatedAt,
+		&i.DisplayName,
+		&i.Email,
+		&i.Username,
+		&i.PasswordHash,
+	)
+	return i, err
+}
+
+const getUserAccountByUsername = `-- name: GetUserAccountByUsername :one
+SELECT user_id, created_at, display_name, email, username, password_hash FROM user_account WHERE username = $1
+`
+
+func (q *Queries) GetUserAccountByUsername(ctx context.Context, username string) (UserAccount, error) {
+	row := q.db.QueryRowContext(ctx, getUserAccountByUsername, username)
+	var i UserAccount
+	err := row.Scan(
+		&i.UserID,
+		&i.CreatedAt,
+		&i.DisplayName,
+		&i.Email,
+		&i.Username,
+		&i.PasswordHash,
+	)
+	return i, err
+}
--- a/api/query/organization.sql
+++ b/api/query/organization.sql
@ -0,0 +1,5 @@
+-- name: GetAllOrganizations :many
+SELECT * FROM organization;
+
+-- name: CreateOrganization :one
+INSERT INTO organization (created_at, name) VALUES ($1, $2) RETURNING *;
--- a/api/query/project.sql
+++ b/api/query/project.sql
@ -0,0 +1,11 @@
+-- name: GetAllProjects :many
+SELECT * FROM project;
+
+-- name: GetAllProjectsForTeam :many
+SELECT * FROM project WHERE team_id = $1;
+
+-- name: GetProjectByID :one
+SELECT * FROM project WHERE project_id = $1;
+
+-- name: CreateProject :one
+INSERT INTO project(team_id, created_at, name) VALUES ($1, $2, $3) RETURNING *;
--- a/api/query/task.sql
+++ b/api/query/task.sql
@ -0,0 +1,18 @@
+-- name: CreateTask :one
+INSERT INTO task (task_group_id, created_at, name, position)
+  VALUES($1, $2, $3, $4) RETURNING *;
+
+-- name: GetTasksForTaskGroupID :many
+SELECT * FROM task WHERE task_group_id = $1;
+
+-- name: GetAllTasks :many
+SELECT * FROM task;
+
+-- name: UpdateTaskLocation :one
+UPDATE task SET task_group_id = $2, position = $3 WHERE task_id = $1 RETURNING *;
+
+-- name: DeleteTaskByID :exec
+DELETE FROM task WHERE task_id = $1;
+
+-- name: UpdateTaskName :one
+UPDATE task SET name = $2 WHERE task_id = $1 RETURNING *;
--- a/api/query/task_group.sql
+++ b/api/query/task_group.sql
@ -0,0 +1,9 @@
+-- name: CreateTaskGroup :one
+INSERT INTO task_group (project_id, created_at, name, position)
+  VALUES($1, $2, $3, $4) RETURNING *;
+
+-- name: GetTaskGroupsForProject :many
+SELECT * FROM task_group WHERE project_id = $1;
+
+-- name: GetAllTaskGroups :many
+SELECT * FROM task_group;
--- a/api/query/team.sql
+++ b/api/query/team.sql
@ -0,0 +1,14 @@
+-- name: GetAllTeams :many
+SELECT * FROM team;
+
+-- name: GetTeamByID :one
+SELECT * FROM team WHERE team_id = $1;
+
+-- name: CreateTeam :one
+INSERT INTO team (organization_id, created_at, name) VALUES ($1, $2, $3) RETURNING *;
+
+-- name: DeleteTeamByID :exec
+DELETE FROM team WHERE team_id = $1;
+
+-- name: GetTeamsForOrganization :many
+SELECT * FROM team WHERE organization_id = $1;
--- a/api/query/token.sql
+++ b/api/query/token.sql
@ -0,0 +1,14 @@
+-- name: GetRefreshTokenByID :one
+SELECT * FROM refresh_token WHERE token_id = $1;
+
+-- name: CreateRefreshToken :one
+INSERT INTO refresh_token (user_id, created_at, expires_at) VALUES ($1, $2, $3) RETURNING *;
+
+-- name: DeleteRefreshTokenByID :exec
+DELETE FROM refresh_token WHERE token_id = $1;
+
+-- name: DeleteRefreshTokenByUserID :exec
+DELETE FROM refresh_token WHERE user_id = $1;
+
+-- name: DeleteExpiredTokens :exec
+DELETE FROM refresh_token WHERE expires_at <= NOW();
--- a/api/query/user_accounts.sql
+++ b/api/query/user_accounts.sql
@ -0,0 +1,13 @@
+-- name: GetUserAccountByID :one
+SELECT * FROM user_account WHERE user_id = $1;
+
+-- name: GetAllUserAccounts :many
+SELECT * FROM user_account;
+
+-- name: GetUserAccountByUsername :one
+SELECT * FROM user_account WHERE username = $1;
+
+-- name: CreateUserAccount :one
+INSERT INTO user_account(display_name, email, username, created_at, password_hash)
+  VALUES ($1, $2, $3, $4, $5)
+RETURNING *;
--- a/api/router/auth.go
+++ b/api/router/auth.go
@ -0,0 +1,113 @@
+package router
+
+import (
+	"encoding/json"
+	"net/http"
+	"time"
+
+	"github.com/go-chi/chi"
+	"github.com/google/uuid"
+	"github.com/jordanknott/project-citadel/api/pg"
+	log "github.com/sirupsen/logrus"
+	"golang.org/x/crypto/bcrypt"
+)
+
+var jwtKey = []byte("citadel_test_key")
+
+type authResource struct{}
+
+func (h *CitadelHandler) RefreshTokenHandler(w http.ResponseWriter, r *http.Request) {
+	c, err := r.Cookie("refreshToken")
+	if err != nil {
+		if err == http.ErrNoCookie {
+			w.WriteHeader(http.StatusBadRequest)
+			return
+		}
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+	refreshTokenID := uuid.MustParse(c.Value)
+	token, err := h.repo.GetRefreshTokenByID(r.Context(), refreshTokenID)
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		return
+	}
+
+	refreshCreatedAt := time.Now().UTC()
+	refreshExpiresAt := refreshCreatedAt.AddDate(0, 0, 1)
+	refreshTokenString, err := h.repo.CreateRefreshToken(r.Context(), pg.CreateRefreshTokenParams{token.UserID, refreshCreatedAt, refreshExpiresAt})
+
+	err = h.repo.DeleteRefreshTokenByID(r.Context(), token.TokenID)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+	}
+
+	accessTokenString, err := NewAccessToken("1")
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+	}
+
+	w.Header().Set("Content-type", "application/json")
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refreshToken",
+		Value:    refreshTokenString.TokenID.String(),
+		Expires:  refreshExpiresAt,
+		HttpOnly: true,
+	})
+	json.NewEncoder(w).Encode(LoginResponseData{AccessToken: accessTokenString})
+}
+
+func (h *CitadelHandler) LoginHandler(w http.ResponseWriter, r *http.Request) {
+	var requestData LoginRequestData
+	err := json.NewDecoder(r.Body).Decode(&requestData)
+	if err != nil {
+		w.WriteHeader(http.StatusBadRequest)
+		log.Debug("bad request body")
+		return
+	}
+
+	user, err := h.repo.GetUserAccountByUsername(r.Context(), requestData.Username)
+	if err != nil {
+		log.WithFields(log.Fields{
+			"username": requestData.Username,
+		}).Warn("user account not found")
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
+	err = bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(requestData.Password))
+	if err != nil {
+		log.WithFields(log.Fields{
+			"password":      requestData.Password,
+			"password_hash": user.PasswordHash,
+		}).Warn("password incorrect")
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
+	userID := uuid.MustParse("0183d9ab-d0ed-4c9b-a3df-77a0cdd93dca")
+	refreshCreatedAt := time.Now().UTC()
+	refreshExpiresAt := refreshCreatedAt.AddDate(0, 0, 1)
+	refreshTokenString, err := h.repo.CreateRefreshToken(r.Context(), pg.CreateRefreshTokenParams{userID, refreshCreatedAt, refreshExpiresAt})
+
+	accessTokenString, err := NewAccessToken("1")
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+	}
+
+	w.Header().Set("Content-type", "application/json")
+	http.SetCookie(w, &http.Cookie{
+		Name:     "refreshToken",
+		Value:    refreshTokenString.TokenID.String(),
+		Expires:  refreshExpiresAt,
+		HttpOnly: true,
+	})
+	json.NewEncoder(w).Encode(LoginResponseData{accessTokenString})
+}
+
+func (rs authResource) Routes(citadelHandler CitadelHandler) chi.Router {
+	r := chi.NewRouter()
+	r.Post("/login", citadelHandler.LoginHandler)
+	r.Post("/refresh_token", citadelHandler.RefreshTokenHandler)
+	return r
+}
--- a/api/router/errors.go
+++ b/api/router/errors.go
@ -0,0 +1,13 @@
+package router
+
+type ErrExpiredToken struct{}
+
+func (r *ErrExpiredToken) Error() string {
+	return "token is expired"
+}
+
+type ErrMalformedToken struct{}
+
+func (r *ErrMalformedToken) Error() string {
+	return "token is malformed"
+}
--- a/api/router/handlers.go
+++ b/api/router/handlers.go
@ -0,0 +1,7 @@
+package router
+
+import "github.com/jordanknott/project-citadel/api/pg"
+
+type CitadelHandler struct {
+	repo pg.Repository
+}
--- a/api/router/logger.go
+++ b/api/router/logger.go
@ -0,0 +1,93 @@
+package router
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/go-chi/chi/middleware"
+	"github.com/sirupsen/logrus"
+)
+
+// StructuredLogger is a simple, but powerful implementation of a custom structured
+// logger backed on logrus. I encourage users to copy it, adapt it and make it their
+// own. Also take a look at https://github.com/pressly/lg for a dedicated pkg based
+// on this work, designed for context-based http routers.
+
+func NewStructuredLogger(logger *logrus.Logger) func(next http.Handler) http.Handler {
+	return middleware.RequestLogger(&StructuredLogger{logger})
+}
+
+type StructuredLogger struct {
+	Logger *logrus.Logger
+}
+
+func (l *StructuredLogger) NewLogEntry(r *http.Request) middleware.LogEntry {
+	entry := &StructuredLoggerEntry{Logger: logrus.NewEntry(l.Logger)}
+	logFields := logrus.Fields{}
+
+	if reqID := middleware.GetReqID(r.Context()); reqID != "" {
+		logFields["req_id"] = reqID
+	}
+
+	scheme := "http"
+	if r.TLS != nil {
+		scheme = "https"
+	}
+	logFields["http_scheme"] = scheme
+	logFields["http_proto"] = r.Proto
+	logFields["http_method"] = r.Method
+
+	logFields["remote_addr"] = r.RemoteAddr
+	logFields["user_agent"] = r.UserAgent()
+
+	logFields["uri"] = fmt.Sprintf("%s://%s%s", scheme, r.Host, r.RequestURI)
+
+	entry.Logger = entry.Logger.WithFields(logFields)
+
+	return entry
+}
+
+type StructuredLoggerEntry struct {
+	Logger logrus.FieldLogger
+}
+
+func (l *StructuredLoggerEntry) Write(status, bytes int, elapsed time.Duration) {
+	l.Logger = l.Logger.WithFields(logrus.Fields{
+		"resp_status": status, "resp_bytes_length": bytes,
+		"resp_elapsed_ms": float64(elapsed.Nanoseconds()) / 1000000.0,
+	})
+
+	l.Logger.Infoln("request complete")
+}
+
+func (l *StructuredLoggerEntry) Panic(v interface{}, stack []byte) {
+	l.Logger = l.Logger.WithFields(logrus.Fields{
+		"stack": string(stack),
+		"panic": fmt.Sprintf("%+v", v),
+	})
+}
+
+// Helper methods used by the application to get the request-scoped
+// logger entry and set additional fields between handlers.
+//
+// This is a useful pattern to use to set state on the entry as it
+// passes through the handler chain, which at any point can be logged
+// with a call to .Print(), .Info(), etc.
+
+func GetLogEntry(r *http.Request) logrus.FieldLogger {
+	entry := middleware.GetLogEntry(r).(*StructuredLoggerEntry)
+	return entry.Logger
+}
+
+func LogEntrySetField(r *http.Request, key string, value interface{}) {
+	if entry, ok := r.Context().Value(middleware.LogEntryCtxKey).(*StructuredLoggerEntry); ok {
+		entry.Logger = entry.Logger.WithField(key, value)
+	}
+}
+
+func LogEntrySetFields(r *http.Request, fields map[string]interface{}) {
+	if entry, ok := r.Context().Value(middleware.LogEntryCtxKey).(*StructuredLoggerEntry); ok {
+		entry.Logger = entry.Logger.WithFields(fields)
+	}
+}
--- a/api/router/middleware.go
+++ b/api/router/middleware.go
@ -0,0 +1,44 @@
+package router
+
+import (
+	"context"
+	"net/http"
+	"strings"
+
+	log "github.com/sirupsen/logrus"
+)
+
+func AuthenticationMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		bearerTokenRaw := r.Header.Get("Authorization")
+		splitToken := strings.Split(bearerTokenRaw, "Bearer")
+		if len(splitToken) != 2 {
+			w.WriteHeader(http.StatusBadRequest)
+			return
+		}
+		accessTokenString := strings.TrimSpace(splitToken[1])
+		accessClaims, err := ValidateAccessToken(accessTokenString)
+		if err != nil {
+			if _, ok := err.(*ErrExpiredToken); ok {
+				w.Write([]byte(`{
+	"data": {}, 
+	"errors": [
+	{
+		"extensions": {
+			"code": "UNAUTHENTICATED"
+		}
+	}
+	]
+				}`))
+				return
+			}
+			log.Error(err)
+			w.WriteHeader(http.StatusBadRequest)
+			return
+		}
+
+		ctx := context.WithValue(r.Context(), "accessClaims", accessClaims)
+
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
--- a/api/router/models.go
+++ b/api/router/models.go
@ -0,0 +1,28 @@
+package router
+
+import (
+	"github.com/dgrijalva/jwt-go"
+)
+
+type AccessTokenClaims struct {
+	UserID string `json:"userId"`
+	jwt.StandardClaims
+}
+
+type RefreshTokenClaims struct {
+	UserID string `json:"userId"`
+	jwt.StandardClaims
+}
+
+type LoginRequestData struct {
+	Username string
+	Password string
+}
+
+type LoginResponseData struct {
+	AccessToken string `json:"accessToken"`
+}
+
+type RefreshTokenResponseData struct {
+	AccessToken string `json:"accessToken"`
+}
--- a/api/router/router.go
+++ b/api/router/router.go
@ -0,0 +1,61 @@
+package router
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/middleware"
+	"github.com/go-chi/cors"
+	"github.com/jmoiron/sqlx"
+	log "github.com/sirupsen/logrus"
+
+	"github.com/jordanknott/project-citadel/api/graph"
+	"github.com/jordanknott/project-citadel/api/pg"
+)
+
+func (h *CitadelHandler) PingHandler(w http.ResponseWriter, r *http.Request) {
+	w.Write([]byte("pong"))
+}
+
+func NewRouter(db *sqlx.DB) (chi.Router, error) {
+	formatter := new(log.TextFormatter)
+	formatter.TimestampFormat = "02-01-2006 15:04:05"
+	formatter.FullTimestamp = true
+
+	routerLogger := log.New()
+	routerLogger.SetLevel(log.WarnLevel)
+	routerLogger.Formatter = formatter
+	r := chi.NewRouter()
+	cors := cors.New(cors.Options{
+		// AllowedOrigins: []string{"https://foo.com"}, // Use this to allow specific origin hosts
+		AllowedOrigins: []string{"*"},
+		// AllowOriginFunc:  func(r *http.Request, origin string) bool { return true },
+		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token", "Cookie"},
+		ExposedHeaders:   []string{"Link"},
+		AllowCredentials: true,
+		MaxAge:           300, // Maximum value not ignored by any of major browsers
+	})
+	r.Use(cors.Handler)
+	r.Use(middleware.RequestID)
+	r.Use(middleware.RealIP)
+	r.Use(NewStructuredLogger(routerLogger))
+	r.Use(middleware.Recoverer)
+	r.Use(middleware.Timeout(60 * time.Second))
+
+	repository := pg.NewRepository(db)
+	citadelHandler := CitadelHandler{repository}
+
+	r.Group(func(mux chi.Router) {
+		mux.Mount("/auth", authResource{}.Routes(citadelHandler))
+		mux.Handle("/__graphql", graph.NewPlaygroundHandler("/graphql"))
+	})
+	r.Group(func(mux chi.Router) {
+		mux.Use(AuthenticationMiddleware)
+		mux.Get("/ping", citadelHandler.PingHandler)
+		mux.Handle("/graphql", graph.NewHandler(repository))
+	})
+
+	return r, nil
+}
--- a/api/router/tokens.go
+++ b/api/router/tokens.go
@ -0,0 +1,77 @@
+package router
+
+import (
+	"time"
+
+	"github.com/dgrijalva/jwt-go"
+	log "github.com/sirupsen/logrus"
+)
+
+func NewAccessToken(userID string) (string, error) {
+	accessExpirationTime := time.Now().Add(5 * time.Second)
+	accessClaims := &AccessTokenClaims{
+		UserID:         userID,
+		StandardClaims: jwt.StandardClaims{ExpiresAt: accessExpirationTime.Unix()},
+	}
+
+	accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
+	accessTokenString, err := accessToken.SignedString(jwtKey)
+	if err != nil {
+		return "", err
+	}
+	return accessTokenString, nil
+}
+
+func NewAccessTokenCustomExpiration(userID string, dur time.Duration) (string, error) {
+	accessExpirationTime := time.Now().Add(dur)
+	accessClaims := &AccessTokenClaims{
+		UserID:         userID,
+		StandardClaims: jwt.StandardClaims{ExpiresAt: accessExpirationTime.Unix()},
+	}
+
+	accessToken := jwt.NewWithClaims(jwt.SigningMethodHS256, accessClaims)
+	accessTokenString, err := accessToken.SignedString(jwtKey)
+	if err != nil {
+		return "", err
+	}
+	return accessTokenString, nil
+}
+
+func ValidateAccessToken(accessTokenString string) (AccessTokenClaims, error) {
+	accessClaims := &AccessTokenClaims{}
+	accessToken, err := jwt.ParseWithClaims(accessTokenString, accessClaims, func(token *jwt.Token) (interface{}, error) {
+		return jwtKey, nil
+	})
+
+	if accessToken.Valid {
+		log.WithFields(log.Fields{
+			"token":        accessTokenString,
+			"timeToExpire": time.Unix(accessClaims.ExpiresAt, 0),
+		}).Info("token is valid")
+		return *accessClaims, nil
+	}
+
+	if ve, ok := err.(*jwt.ValidationError); ok {
+		if ve.Errors&jwt.ValidationErrorMalformed != 0 {
+			return AccessTokenClaims{}, &ErrMalformedToken{}
+		} else if ve.Errors&(jwt.ValidationErrorExpired|jwt.ValidationErrorNotValidYet) != 0 {
+			return AccessTokenClaims{}, &ErrExpiredToken{}
+		}
+	}
+	return AccessTokenClaims{}, err
+}
+
+func NewRefreshToken(userID string) (string, time.Time, error) {
+	refreshExpirationTime := time.Now().Add(24 * time.Hour)
+	refreshClaims := &RefreshTokenClaims{
+		UserID:         userID,
+		StandardClaims: jwt.StandardClaims{ExpiresAt: refreshExpirationTime.Unix()},
+	}
+
+	refreshToken := jwt.NewWithClaims(jwt.SigningMethodHS256, refreshClaims)
+	refreshTokenString, err := refreshToken.SignedString(jwtKey)
+	if err != nil {
+		return "", time.Time{}, err
+	}
+	return refreshTokenString, refreshExpirationTime, nil
+}
--- a/api/scripts/auth
+++ b/api/scripts/auth
@ -0,0 +1,26 @@
+#!/usr/bin/python3
+# vi: ft=python
+
+import click
+import requests
+
+@click.command()
+def authenticate():
+    s = requests.Session()
+    r = s.post('http://localhost:3333/auth/login', json={
+        'username': 'hello',
+        'password': 'test',
+    })
+    if r.status_code != 200:
+        print('issue during login status_code={}'.format(r.status_code))
+        return
+
+    access_code = r.json()['access_token']
+    r = s.get('http://localhost:3333/ping', headers={
+        'Authorization': 'Bearer {}'.format(access_code)
+    })
+    print(r.status_code)
+    print(r.text)
+
+if __name__ == "__main__":
+    authenticate()
--- a/api/sqlc.yaml
+++ b/api/sqlc.yaml
@ -0,0 +1,10 @@
+version: "1"
+packages:
+  - name: "pg"
+    emit_json_tags: true
+    emit_prepared_queries: false
+    emit_interface: true
+    path: "pg"
+    queries: "./query/"
+    schema: "./migrations/"
+
				`@ -0,0 +1 @@`
				`ALTER TABLE team ADD COLUMN organization_id uuid NOT NULL REFERENCES organization(organization_id);`