refactor: began refactoring access control in sql

refactor: made guid foreign key for wish object for more ease of use

backend/go.mod

@@ -52,6 +52,7 @@ require (
 	github.com/minio/crc64nvme v1.0.2 // indirect
 	github.com/minio/md5-simd v1.1.2 // indirect
 	github.com/minio/minio-go/v7 v7.0.95 // indirect
+	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect

backend/go.sum

@@ -99,6 +99,8 @@ github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
 github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
 github.com/minio/minio-go/v7 v7.0.95 h1:ywOUPg+PebTMTzn9VDsoFJy32ZuARN9zhB+K3IYEvYU=
 github.com/minio/minio-go/v7 v7.0.95/go.mod h1:wOOX3uxS334vImCNRVyIDdXX9OsXDm89ToynKgqUKlo=
+github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY=
+github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=

backend/internal/database/models.go

@@ -15,7 +15,7 @@ type BannedUser struct {
 	Reason     *string
 	ExpiresAt  pgtype.Timestamp
 	BannedBy   *string
-	Pardoned   *bool
+	Pardoned   bool
 	PardonedBy *string
 }
 
@@ -25,8 +25,8 @@ type ConfirmationCode struct {
 	CodeType  int32
 	CodeHash  string
 	ExpiresAt pgtype.Timestamp
-	Used      *bool
-	Deleted   *bool
+	Used      bool
+	Deleted   bool
 }
 
 type LoginInformation struct {
@@ -78,8 +78,35 @@ type Session struct {
 type User struct {
 	ID               int64
 	Username         string
-	Verified         *bool
+	Verified         bool
 	RegistrationDate pgtype.Timestamp
 	Role             int32
 	Deleted          *bool
 }
+
+type Wish struct {
+	ID            int64
+	Guid          pgtype.UUID
+	WishListID    int64
+	WishListGuid  pgtype.UUID
+	Name          string
+	Description   string
+	PictureUrl    string
+	Stars         int16
+	CreationDate  pgtype.Timestamp
+	Fulfilled     bool
+	FulfilledDate pgtype.Timestamp
+	Deleted       bool
+}
+
+type WishList struct {
+	ID        int64
+	Guid      pgtype.UUID
+	ProfileID int64
+	Hidden    bool
+	Name      string
+	IconName  string
+	Color     string
+	ColorGrad string
+	Deleted   bool
+}

backend/internal/database/query.sql.go

@@ -11,6 +11,52 @@ import (
 	"github.com/jackc/pgx/v5/pgtype"
 )
 
+const checkProfileAccess = `-- name: CheckProfileAccess :one
+SELECT
+  CASE WHEN u.deleted OR NOT u.verified THEN TRUE ELSE FALSE END AS user_unavailable,
+  CASE WHEN EXISTS (
+      SELECT 1
+      FROM banned_users
+      WHERE user_id = u.id AND
+      pardoned IS FALSE AND
+      (expires_at IS NULL OR expires_at < CURRENT_TIMESTAMP)
+  ) THEN TRUE ELSE FALSE END AS user_banned, 
+  CASE WHEN ps.hide_profile_details THEN TRUE ELSE FALSE END AS hidden,
+  CASE WHEN ps.hide_for_unauthenticated AND $2::text = '' THEN TRUE ELSE FALSE END AS auth_required,
+  CASE WHEN ps.captcha THEN TRUE ELSE FALSE END AS captcha_required
+FROM profiles p
+JOIN profile_settings ps ON ps.profile_id = p.id
+JOIN users u ON p.user_id = u.id
+WHERE p.id = $1
+`
+
+type CheckProfileAccessParams struct {
+	ID        int64
+	Requester string
+}
+
+type CheckProfileAccessRow struct {
+	UserUnavailable bool
+	UserBanned      bool
+	Hidden          bool
+	AuthRequired    bool
+	CaptchaRequired bool
+}
+
+// XXX: recheck, was tired
+func (q *Queries) CheckProfileAccess(ctx context.Context, arg CheckProfileAccessParams) (CheckProfileAccessRow, error) {
+	row := q.db.QueryRow(ctx, checkProfileAccess, arg.ID, arg.Requester)
+	var i CheckProfileAccessRow
+	err := row.Scan(
+		&i.UserUnavailable,
+		&i.UserBanned,
+		&i.Hidden,
+		&i.AuthRequired,
+		&i.CaptchaRequired,
+	)
+	return i, err
+}
+
 const checkUserRegistrationAvailability = `-- name: CheckUserRegistrationAvailability :one
 SELECT 
   COUNT(CASE WHEN users.username = $1::text THEN 1 END) > 0 AS username_busy,
@@ -253,6 +299,108 @@ func (q *Queries) CreateUser(ctx context.Context, username string) (User, error)
 	return i, err
 }
 
+const createWish = `-- name: CreateWish :one
+INSERT INTO wishes(
+  wish_list_id,
+  wish_list_guid,
+  name,
+  description,
+  picture_url,
+  stars)
+VALUES
+  (
+    (SELECT id FROM wish_lists wl WHERE wl.guid = ($1::text)::uuid),
+    ($1::text)::uuid,
+    $2::text,
+    $3::text,
+    $4::text,
+    $5::smallint
+  )
+RETURNING id, guid, wish_list_id, wish_list_guid, name, description, picture_url, stars, creation_date, fulfilled, fulfilled_date, deleted
+`
+
+type CreateWishParams struct {
+	WishListGuid string
+	Name         string
+	Description  string
+	PictureUrl   string
+	Stars        int16
+}
+
+func (q *Queries) CreateWish(ctx context.Context, arg CreateWishParams) (Wish, error) {
+	row := q.db.QueryRow(ctx, createWish,
+		arg.WishListGuid,
+		arg.Name,
+		arg.Description,
+		arg.PictureUrl,
+		arg.Stars,
+	)
+	var i Wish
+	err := row.Scan(
+		&i.ID,
+		&i.Guid,
+		&i.WishListID,
+		&i.WishListGuid,
+		&i.Name,
+		&i.Description,
+		&i.PictureUrl,
+		&i.Stars,
+		&i.CreationDate,
+		&i.Fulfilled,
+		&i.FulfilledDate,
+		&i.Deleted,
+	)
+	return i, err
+}
+
+const createWishList = `-- name: CreateWishList :one
+INSERT INTO wish_lists(profile_id, hidden, name, icon_name, color, color_grad)
+VALUES (
+  (SELECT p.id FROM profiles AS p
+  JOIN users AS u ON u.id = p.user_id
+  WHERE u.username = $1::text),
+  $2::boolean,
+  $3::text,
+  $4::text,
+  $5::text,
+  $6::boolean
+)
+RETURNING id, guid, profile_id, hidden, name, icon_name, color, color_grad, deleted
+`
+
+type CreateWishListParams struct {
+	Username  string
+	Hidden    bool
+	Name      string
+	IconName  string
+	Color     string
+	ColorGrad bool
+}
+
+func (q *Queries) CreateWishList(ctx context.Context, arg CreateWishListParams) (WishList, error) {
+	row := q.db.QueryRow(ctx, createWishList,
+		arg.Username,
+		arg.Hidden,
+		arg.Name,
+		arg.IconName,
+		arg.Color,
+		arg.ColorGrad,
+	)
+	var i WishList
+	err := row.Scan(
+		&i.ID,
+		&i.Guid,
+		&i.ProfileID,
+		&i.Hidden,
+		&i.Name,
+		&i.IconName,
+		&i.Color,
+		&i.ColorGrad,
+		&i.Deleted,
+	)
+	return i, err
+}
+
 const deleteUnverifiedAccountsHavingUsernameOrEmail = `-- name: DeleteUnverifiedAccountsHavingUsernameOrEmail :one
 WITH deleted_rows AS (
   DELETE FROM users
@@ -353,45 +501,28 @@ SELECT
   p.avatar_url,
   CASE WHEN ps.hide_birthday THEN NULL ELSE p.birthday END AS birthday,
   p.color,
-  p.color_grad,
-  NOT ($1::text = '' AND ps.hide_for_unauthenticated) AS access_allowed
+  p.color_grad
 FROM
   users AS u
 JOIN profiles AS p ON u.id = p.user_id
 JOIN profile_settings AS ps ON p.id = ps.profile_id
 WHERE
-  u.username = $2::text
-  AND (
-    $2::text = $1::text
-    OR
-    u.deleted IS FALSE
-    AND u.verified IS TRUE
-    AND NOT EXISTS (
-      SELECT 1
-      FROM banned_users
-      WHERE user_id = u.id
-    )
-  )
+  u.username = $1::text
 `
 
-type GetProfileByUsernameWithPrivacyParams struct {
-	Requester        string
-	SearchedUsername string
-}
-
 type GetProfileByUsernameWithPrivacyRow struct {
-	Username      string
-	Name          string
-	Bio           string
-	AvatarUrl     string
-	Birthday      pgtype.Timestamp
-	Color         string
-	ColorGrad     string
-	AccessAllowed *bool
+	Username  string
+	Name      string
+	Bio       string
+	AvatarUrl string
+	Birthday  pgtype.Timestamp
+	Color     string
+	ColorGrad string
 }
 
-func (q *Queries) GetProfileByUsernameWithPrivacy(ctx context.Context, arg GetProfileByUsernameWithPrivacyParams) (GetProfileByUsernameWithPrivacyRow, error) {
-	row := q.db.QueryRow(ctx, getProfileByUsernameWithPrivacy, arg.Requester, arg.SearchedUsername)
+// FIXME: tweak backend code to handle privacy correctly
+func (q *Queries) GetProfileByUsernameWithPrivacy(ctx context.Context, searchedUsername string) (GetProfileByUsernameWithPrivacyRow, error) {
+	row := q.db.QueryRow(ctx, getProfileByUsernameWithPrivacy, searchedUsername)
 	var i GetProfileByUsernameWithPrivacyRow
 	err := row.Scan(
 		&i.Username,
@@ -401,7 +532,6 @@ func (q *Queries) GetProfileByUsernameWithPrivacy(ctx context.Context, arg GetPr
 		&i.Birthday,
 		&i.Color,
 		&i.ColorGrad,
-		&i.AccessAllowed,
 	)
 	return i, err
 }
@@ -726,11 +856,11 @@ type GetValidConfirmationCodesByUsernameRow struct {
 	CodeType         int32
 	CodeHash         string
 	ExpiresAt        pgtype.Timestamp
-	Used             *bool
-	Deleted          *bool
+	Used             bool
+	Deleted          bool
 	ID_2             int64
 	Username         string
-	Verified         *bool
+	Verified         bool
 	RegistrationDate pgtype.Timestamp
 	Role             int32
 	Deleted_2        *bool
@@ -777,12 +907,17 @@ SELECT
   linfo.totp_encrypted
 FROM users
 JOIN login_informations AS linfo ON users.id = linfo.user_id
-LEFT JOIN banned_users AS banned ON users.id = banned.user_id
 WHERE 
   users.username = $1 AND
   users.verified IS TRUE AND -- Verified
   users.deleted IS FALSE AND -- Not deleted
-  banned.user_id IS NULL AND -- Not banned
+  NOT EXISTS (
+    SELECT 1
+    FROM banned_users
+    WHERE user_id = users.id AND
+    pardoned IS FALSE AND
+    (expires_at IS NULL OR expires_at > CURRENT_TIMESTAMP)
+  ) AND -- Not banned
   linfo.password_hash = crypt($2::text, linfo.password_hash)
 `
 
@@ -794,7 +929,7 @@ type GetValidUserByLoginCredentialsParams struct {
 type GetValidUserByLoginCredentialsRow struct {
 	ID               int64
 	Username         string
-	Verified         *bool
+	Verified         bool
 	RegistrationDate pgtype.Timestamp
 	Role             int32
 	Deleted          *bool
@@ -856,6 +991,315 @@ func (q *Queries) GetValidUserSessions(ctx context.Context, userID int64) ([]Ses
 	return items, nil
 }
 
+const getWishByGuid = `-- name: GetWishByGuid :one
+SELECT id, guid, wish_list_id, wish_list_guid, name, description, picture_url, stars, creation_date, fulfilled, fulfilled_date, deleted FROM wishes w
+WHERE w.guid = ($1::text)::uuid
+`
+
+func (q *Queries) GetWishByGuid(ctx context.Context, guid string) (Wish, error) {
+	row := q.db.QueryRow(ctx, getWishByGuid, guid)
+	var i Wish
+	err := row.Scan(
+		&i.ID,
+		&i.Guid,
+		&i.WishListID,
+		&i.WishListGuid,
+		&i.Name,
+		&i.Description,
+		&i.PictureUrl,
+		&i.Stars,
+		&i.CreationDate,
+		&i.Fulfilled,
+		&i.FulfilledDate,
+		&i.Deleted,
+	)
+	return i, err
+}
+
+const getWishByGuidWithPrivacy = `-- name: GetWishByGuidWithPrivacy :one
+SELECT 
+  w.id, w.guid, w.wish_list_id, w.wish_list_guid, w.name, w.description, w.picture_url, w.stars, w.creation_date, w.fulfilled, w.fulfilled_date, w.deleted,
+  CASE 
+    WHEN 
+      (
+        $1::text = u.username OR
+        NOT ps.hide_profile_details AND 
+        NOT
+          (
+            ps.hide_for_unauthenticated AND
+            $1::text = ''
+          ) AND
+        NOT wl.hidden
+      )
+    THEN TRUE 
+    ELSE FALSE
+  END AS access_allowed
+FROM wishes w
+JOIN wish_lists wl ON w.wish_list_id = wl.id
+JOIN profiles p ON wl.profile_id = p.id
+JOIN profile_settings ps ON ps.profile_id = p.id
+JOIN users u ON p.user_id = u.id
+WHERE
+  w.guid = ($2::text)::uuid AND
+  w.deleted IS FALSE
+`
+
+type GetWishByGuidWithPrivacyParams struct {
+	Requester string
+	Guid      string
+}
+
+type GetWishByGuidWithPrivacyRow struct {
+	ID            int64
+	Guid          pgtype.UUID
+	WishListID    int64
+	WishListGuid  pgtype.UUID
+	Name          string
+	Description   string
+	PictureUrl    string
+	Stars         int16
+	CreationDate  pgtype.Timestamp
+	Fulfilled     bool
+	FulfilledDate pgtype.Timestamp
+	Deleted       bool
+	AccessAllowed bool
+}
+
+// XXX: Obsolete, use the according access check query instead
+func (q *Queries) GetWishByGuidWithPrivacy(ctx context.Context, arg GetWishByGuidWithPrivacyParams) (GetWishByGuidWithPrivacyRow, error) {
+	row := q.db.QueryRow(ctx, getWishByGuidWithPrivacy, arg.Requester, arg.Guid)
+	var i GetWishByGuidWithPrivacyRow
+	err := row.Scan(
+		&i.ID,
+		&i.Guid,
+		&i.WishListID,
+		&i.WishListGuid,
+		&i.Name,
+		&i.Description,
+		&i.PictureUrl,
+		&i.Stars,
+		&i.CreationDate,
+		&i.Fulfilled,
+		&i.FulfilledDate,
+		&i.Deleted,
+		&i.AccessAllowed,
+	)
+	return i, err
+}
+
+const getWishlistByGuid = `-- name: GetWishlistByGuid :one
+SELECT id, guid, profile_id, hidden, name, icon_name, color, color_grad, deleted FROM wish_lists wl
+WHERE wl.guid = ($1::text)::uuid
+`
+
+func (q *Queries) GetWishlistByGuid(ctx context.Context, guid string) (WishList, error) {
+	row := q.db.QueryRow(ctx, getWishlistByGuid, guid)
+	var i WishList
+	err := row.Scan(
+		&i.ID,
+		&i.Guid,
+		&i.ProfileID,
+		&i.Hidden,
+		&i.Name,
+		&i.IconName,
+		&i.Color,
+		&i.ColorGrad,
+		&i.Deleted,
+	)
+	return i, err
+}
+
+const getWishlistsByUsername = `-- name: GetWishlistsByUsername :many
+SELECT wl.id, guid, profile_id, hidden, wl.name, icon_name, wl.color, wl.color_grad, wl.deleted, p.id, user_id, p.name, bio, avatar_url, birthday, p.color, p.color_grad, u.id, username, verified, registration_date, role, u.deleted FROM wish_lists wl
+JOIN profiles p ON p.id = wl.profile_id
+JOIN users u ON u.id = p.user_id
+WHERE u.username = $1::text
+`
+
+type GetWishlistsByUsernameRow struct {
+	ID               int64
+	Guid             pgtype.UUID
+	ProfileID        int64
+	Hidden           bool
+	Name             string
+	IconName         string
+	Color            string
+	ColorGrad        string
+	Deleted          bool
+	ID_2             int64
+	UserID           int64
+	Name_2           string
+	Bio              string
+	AvatarUrl        string
+	Birthday         pgtype.Timestamp
+	Color_2          string
+	ColorGrad_2      string
+	ID_3             int64
+	Username         string
+	Verified         bool
+	RegistrationDate pgtype.Timestamp
+	Role             int32
+	Deleted_2        *bool
+}
+
+func (q *Queries) GetWishlistsByUsername(ctx context.Context, username string) ([]GetWishlistsByUsernameRow, error) {
+	rows, err := q.db.Query(ctx, getWishlistsByUsername, username)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []GetWishlistsByUsernameRow
+	for rows.Next() {
+		var i GetWishlistsByUsernameRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.Guid,
+			&i.ProfileID,
+			&i.Hidden,
+			&i.Name,
+			&i.IconName,
+			&i.Color,
+			&i.ColorGrad,
+			&i.Deleted,
+			&i.ID_2,
+			&i.UserID,
+			&i.Name_2,
+			&i.Bio,
+			&i.AvatarUrl,
+			&i.Birthday,
+			&i.Color_2,
+			&i.ColorGrad_2,
+			&i.ID_3,
+			&i.Username,
+			&i.Verified,
+			&i.RegistrationDate,
+			&i.Role,
+			&i.Deleted_2,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const getWishlistsByUsernameWithPrivacy = `-- name: GetWishlistsByUsernameWithPrivacy :many
+SELECT 
+  wl.id, wl.guid, wl.profile_id, wl.hidden, wl.name, wl.icon_name, wl.color, wl.color_grad, wl.deleted, 
+  CASE 
+    WHEN (
+      ps.hide_profile_details OR (
+        ps.hide_for_unauthenticated AND
+        $1::text = ''
+      )
+    ) THEN FALSE 
+    ELSE TRUE 
+  END AS access_allowed
+FROM 
+  wish_lists wl
+JOIN 
+  profiles AS p ON wl.profile_id = p.id
+JOIN
+  profile_settings AS ps ON ps.profile_id = p.id
+JOIN 
+  users AS u ON p.user_id = u.id
+WHERE 
+  wl.deleted IS FALSE AND
+  u.username = $2::text AND
+  (
+    u.username = $1::text OR
+    (u.verified IS TRUE AND 
+    NOT EXISTS (
+      SELECT 1
+      FROM banned_users
+      WHERE user_id = u.id AND
+      pardoned IS FALSE AND
+      (expires_at IS NULL OR expires_at < CURRENT_TIMESTAMP)
+    ))
+  )
+`
+
+type GetWishlistsByUsernameWithPrivacyParams struct {
+	Requester string
+	Username  string
+}
+
+type GetWishlistsByUsernameWithPrivacyRow struct {
+	ID            int64
+	Guid          pgtype.UUID
+	ProfileID     int64
+	Hidden        bool
+	Name          string
+	IconName      string
+	Color         string
+	ColorGrad     string
+	Deleted       bool
+	AccessAllowed bool
+}
+
+// XXX: Obsolete, use the according access check query instead
+func (q *Queries) GetWishlistsByUsernameWithPrivacy(ctx context.Context, arg GetWishlistsByUsernameWithPrivacyParams) ([]GetWishlistsByUsernameWithPrivacyRow, error) {
+	rows, err := q.db.Query(ctx, getWishlistsByUsernameWithPrivacy, arg.Requester, arg.Username)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var items []GetWishlistsByUsernameWithPrivacyRow
+	for rows.Next() {
+		var i GetWishlistsByUsernameWithPrivacyRow
+		if err := rows.Scan(
+			&i.ID,
+			&i.Guid,
+			&i.ProfileID,
+			&i.Hidden,
+			&i.Name,
+			&i.IconName,
+			&i.Color,
+			&i.ColorGrad,
+			&i.Deleted,
+			&i.AccessAllowed,
+		); err != nil {
+			return nil, err
+		}
+		items = append(items, i)
+	}
+	if err := rows.Err(); err != nil {
+		return nil, err
+	}
+	return items, nil
+}
+
+const moveWishToWishListWithGuid = `-- name: MoveWishToWishListWithGuid :one
+WITH updated AS (
+  UPDATE wishes w
+  SET
+    wish_list_id = wl.id,
+    wish_list_guid = ($1::text)::uuid
+  FROM wish_lists wl
+  WHERE 
+    wl.guid = ($1::text)::uuid AND
+    wl.profile_id = ( -- Make sure the wish is not moved to another profile
+      SELECT profile_id
+      FROM wish_lists
+      WHERE wish_lists.id = w.wish_list_id
+    )
+  RETURNING w.id
+)
+SELECT 
+  COUNT(*) > 0 AS target_found
+FROM updated
+`
+
+func (q *Queries) MoveWishToWishListWithGuid(ctx context.Context, wishListGuid string) (bool, error) {
+	row := q.db.QueryRow(ctx, moveWishToWishListWithGuid, wishListGuid)
+	var target_found bool
+	err := row.Scan(&target_found)
+	return target_found, err
+}
+
 const pruneExpiredConfirmationCodes = `-- name: PruneExpiredConfirmationCodes :exec
 DELETE FROM confirmation_codes
 WHERE expires_at < CURRENT_TIMESTAMP
@@ -920,7 +1364,7 @@ type UpdateBannedUserParams struct {
 	Reason     *string
 	ExpiresAt  pgtype.Timestamp
 	BannedBy   *string
-	Pardoned   *bool
+	Pardoned   bool
 	PardonedBy *string
 }
 
@@ -946,8 +1390,8 @@ WHERE id = $1
 
 type UpdateConfirmationCodeParams struct {
 	ID      int64
-	Used    *bool
-	Deleted *bool
+	Used    bool
+	Deleted bool
 }
 
 func (q *Queries) UpdateConfirmationCode(ctx context.Context, arg UpdateConfirmationCodeParams) error {
@@ -1112,7 +1556,7 @@ WHERE id = $1
 
 type UpdateUserParams struct {
 	ID       int64
-	Verified *bool
+	Verified bool
 	Deleted  *bool
 }
 
@@ -1123,13 +1567,15 @@ func (q *Queries) UpdateUser(ctx context.Context, arg UpdateUserParams) error {
 
 const updateUserByUsername = `-- name: UpdateUserByUsername :exec
 UPDATE users 
-SET verified = $2, deleted = $3
+SET
+  verified = COALESCE($2, verified), 
+  deleted = COALESCE($3, deleted)
 WHERE username = $1
 `
 
 type UpdateUserByUsernameParams struct {
 	Username string
-	Verified *bool
+	Verified bool
 	Deleted  *bool
 }
 
@@ -1137,3 +1583,76 @@ func (q *Queries) UpdateUserByUsername(ctx context.Context, arg UpdateUserByUser
 	_, err := q.db.Exec(ctx, updateUserByUsername, arg.Username, arg.Verified, arg.Deleted)
 	return err
 }
+
+const updateWishByGuid = `-- name: UpdateWishByGuid :exec
+UPDATE wishes w
+SET 
+  name = COALESCE($1::text, w.name),
+  description = COALESCE($2::text, w.description),
+  picture_url = COALESCE($3::text, w.picture_url),
+  stars = COALESCE($4::smallint, w.stars),
+  fulfilled = COALESCE($5::boolean, w.fulfilled),
+  fulfilled_date = COALESCE($6::timestamp, w.fulfilled_date),
+  deleted = COALESCE($7::boolean, w.deleted)
+WHERE w.guid = ($8::text)::uuid
+`
+
+type UpdateWishByGuidParams struct {
+	Name          string
+	Description   string
+	PictureUrl    string
+	Stars         int16
+	Fulfilled     bool
+	FulfilledDate pgtype.Timestamp
+	Deleted       bool
+	Guid          string
+}
+
+func (q *Queries) UpdateWishByGuid(ctx context.Context, arg UpdateWishByGuidParams) error {
+	_, err := q.db.Exec(ctx, updateWishByGuid,
+		arg.Name,
+		arg.Description,
+		arg.PictureUrl,
+		arg.Stars,
+		arg.Fulfilled,
+		arg.FulfilledDate,
+		arg.Deleted,
+		arg.Guid,
+	)
+	return err
+}
+
+const updateWishListByGuid = `-- name: UpdateWishListByGuid :exec
+UPDATE wish_lists wl
+SET 
+  hidden = COALESCE($1::boolean, wl.hidden),
+  name = COALESCE($2::text, wl.name),
+  icon_name = COALESCE($3::text, wl.icon_name),
+  color = COALESCE($4::text, wl.color),
+  color_grad = COALESCE($5::text, wl.color_grad),
+  deleted = COALESCE($6::boolean, wl.deleted)
+WHERE wl.guid = ($7::text)::uuid
+`
+
+type UpdateWishListByGuidParams struct {
+	Hidden    bool
+	Name      string
+	IconName  string
+	Color     string
+	ColorGrad string
+	Deleted   bool
+	Guid      string
+}
+
+func (q *Queries) UpdateWishListByGuid(ctx context.Context, arg UpdateWishListByGuidParams) error {
+	_, err := q.db.Exec(ctx, updateWishListByGuid,
+		arg.Hidden,
+		arg.Name,
+		arg.IconName,
+		arg.Color,
+		arg.ColorGrad,
+		arg.Deleted,
+		arg.Guid,
+	)
+	return err
+}

backend/internal/dto/wishList.go

@@ -0,0 +1,55 @@
+// Copyright (c) 2025 Nikolai Papin
+//
+// This file is part of Easywish
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+// the GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package dto
+
+type WishListDto struct {
+	Guid 				string	`json:"guid" mapstructure:"guid"`
+	Name 				string	`json:"name" mapstructure:"name"`
+	Hidden 			bool		`json:"hidden" mapstructure:"hidden"`
+	IconName 		string	`json:"icon_name" mapstructure:"icon_name"`
+	Color 			string	`json:"color" mapstructure:"color"`
+	ColorGrad 	string	`json:"color_grad" mapstructure:"color_grad"`
+}
+
+type NewWishListDto struct {
+	Name 			string	`json:"name" mapstructure:"name" binding:"required" validate:"max=32"`
+	Hidden 		bool		`json:"hidden" mapstructure:"hidden"`
+	IconName 	string	`json:"icon_name" mapstructure:"icon_name" validate:"omitempty,max=64"`
+	Color			string	`json:"color" mapstructure:"color" validate:"omitempty,color_hex"`
+	ColorGrad	string	`json:"color_grad" mapstructure:"color_grad" validate:"omitempty,color_hex"`
+}
+
+type WishDto struct {
+	Guid 					string	`json:"guid" mapstructure:"guid"`
+	WishListGuid 	string	`json:"wish_list_guid" mapstructure:"wish_list_guid"`
+	Name 					string	`json:"name" mapstructure:"name"`
+	Description 	string	`json:"description" mapstructure:"description"`
+	PictureUrl 		string	`json:"picture_url" mapstructure:"picture_url"`
+	Stars 				int			`json:"stars" mapstructure:"stars"`
+	CreationDate 	int64		`json:"creation_date" mapstructure:"creation_date"`
+	Fulfilled 		bool		`json:"fulfilled" mapstructure:"fulfilled"`
+	FulfilledDate	int64		`json:"fulfilled_date" mapstructure:"fulfilled_date"`
+}
+
+type NewWishDto struct {
+	WishListGuid			string	`json:"wish_list_guid" mapstructure:"wish_list_guid" binding:"required" validate:"guid"`
+	Name							string	`json:"name" mapstructure:"name" binding:"required" validate:"max=64"`
+	Description				string	`json:"description" mapstructure:"description" validate:"omitempty,max=1000"`
+	PictureUploadId		string	`json:"picture_upload_id" mapstructure:"picture_upload_id" validate:"omitempty,upload_id=image"`
+	Stars							int			`json:"stars" mapstructure:"stars" validate:"min=1,max=5"`
+}

backend/internal/services/auth.go

@@ -422,7 +422,7 @@ func (a *authServiceImpl) RegistrationComplete(cinfo dto.ClientInfo, request mod
 
 	err = db.TXQueries.UpdateConfirmationCode(db.CTX, database.UpdateConfirmationCodeParams{
 		ID:   confirmationCode.ID,
-		Used: utils.NewPointer(true),
+		Used: true,
 	})
 
 	if err != nil {
@@ -436,7 +436,7 @@ func (a *authServiceImpl) RegistrationComplete(cinfo dto.ClientInfo, request mod
 
 	err = db.TXQueries.UpdateUser(db.CTX, database.UpdateUserParams{
 		ID:       user.ID,
-		Verified: utils.NewPointer(true),
+		Verified: true,
 	})
 
 	if err != nil {
@@ -880,7 +880,7 @@ func (a *authServiceImpl) PasswordResetComplete(request models.PasswordResetComp
 
 	if err = db.TXQueries.UpdateConfirmationCode(db.CTX, database.UpdateConfirmationCodeParams{
 		ID:   resetCode.ID,
-		Used: utils.NewPointer(true),
+		Used: true,
 	}); err != nil {
 		a.log.Error(
 			"Failed to invalidate password reset code upon use",

backend/internal/services/wishlist.go

@@ -0,0 +1,36 @@
+// Copyright (c) 2025 Nikolai Papin
+//
+// This file is part of Easywish
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+// the GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package services
+
+import (
+	"easywish/internal/dto"
+	"easywish/internal/utils/enums"
+)
+
+type WishListService interface {
+	CreateWishList(cinfo dto.ClientInfo, object dto.NewWishListDto) (*dto.WishListDto, error)
+	UpdateWishListByGuid(cinfo dto.ClientInfo, guid string, object dto.NewWishDto) (bool, error)
+	DeleteWishListByGuid(cinfo dto.ClientInfo, guid string) (bool, error)
+	GetWishListByGuid(cinfo dto.ClientInfo, guid string) (*dto.WishListDto, error)
+	GetUserWishListsPaginated(cinfo dto.ClientInfo, amount int, page int, sorting enums.Sorting, sortOrder enums.SortOrder) (*[]dto.WishListDto, error)
+
+	CreateWish(cinfo dto.ClientInfo, object dto.NewWishDto) (*dto.WishDto, error)
+	UpdateWish(cinfo dto.ClientInfo, guid string, object dto.NewWishDto) (bool, error)
+	GetWishByGuid(cinfo dto.ClientInfo, guid string) (*dto.WishDto, error)
+	GetWishesByWishListGuidPaginated(cinfo dto.ClientInfo, guid string, amount int, page int, sorting enums.Sorting, sortOrder enums.SortOrder) (*[]dto.WishDto, error)
+}

backend/internal/utils/enums/enums.go

@@ -35,3 +35,15 @@ const (
 	JwtAccessTokenType JwtTokenType = iota
 	JwtRefreshTokenType
 )
+
+type Sorting int32
+const (
+	ByDate Sorting = iota
+	ByScore
+)
+
+type SortOrder int32
+const (
+	Descending = iota
+	Ascending
+)

backend/internal/utils/mapSpecial/wishDto.go

@@ -0,0 +1,37 @@
+// Copyright (c) 2025 Nikolai Papin
+//
+// This file is part of Easywish
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+// the GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package mapspecial
+
+import (
+	"easywish/internal/database"
+	"easywish/internal/dto"
+
+	"github.com/rafiulgits/go-automapper"
+)
+
+func MapWishDto(dbModel database.Wish, dtoModel *dto.WishDto) {
+	if dtoModel == nil {
+		dtoModel = &dto.WishDto{}
+	}
+	automapper.Map(&dbModel, dtoModel, func(src *database.Wish, dst *dto.WishDto) {
+		dst.Guid = src.Guid.String()
+		dst.WishListGuid = src.WishListGuid.String()
+		dst.CreationDate = src.CreationDate.Time.UnixMilli()
+		dst.FulfilledDate = src.FulfilledDate.Time.UnixMilli()
+	})
+}

backend/internal/utils/mapSpecial/wishListDto.go

@@ -0,0 +1,35 @@
+// Copyright (c) 2025 Nikolai Papin
+//
+// This file is part of Easywish
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See
+// the GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package mapspecial
+
+import (
+	"easywish/internal/database"
+	"easywish/internal/dto"
+
+	"github.com/rafiulgits/go-automapper"
+)
+
+func MapWishListDto(dbModel database.WishList, dtoModel *dto.WishListDto) {
+	if dtoModel == nil {
+		dtoModel = &dto.WishListDto{}
+	}
+	automapper.Map(&dbModel, dtoModel, func(src *database.WishList, dst *dto.WishListDto) {
+		dst.Guid = src.Guid.String()
+	})
+}
+

backend/internal/validation/custom.go

@@ -42,6 +42,13 @@ func GetCustomHandlers() []CustomValidatorHandler {
         return regexp.MustCompile(`^[a-zA-Z0-9_]{3,20}$`).MatchString(username)
 		}},
 
+		{
+			FieldName: "guid",
+			Function: func(fl validator.FieldLevel) bool {
+				guid := fl.Field().String()
+        return regexp.MustCompile(`^([{(]?([0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})[})]?)$`).MatchString(guid)
+		}},
+
 		{
 			FieldName: "name",
 			Function: func(fl validator.FieldLevel) bool {

sqlc/query.sql

@@ -32,7 +32,9 @@ WHERE id = $1;
 
 ;-- name: UpdateUserByUsername :exec
 UPDATE users 
-SET verified = $2, deleted = $3
+SET
+  verified = COALESCE($2, verified), 
+  deleted = COALESCE($3, deleted)
 WHERE username = $1; 
 
 ;-- name: DeleteUser :exec
@@ -56,29 +58,6 @@ SELECT users.* FROM users
 JOIN login_informations linfo ON linfo.user_id = users.id
 WHERE linfo.email = @email::text;
 
-;-- name: CheckUserRegistrationAvailability :one
--- SELECT 
---   COUNT(users.username = @username::text) > 0 AS username_busy,
---   COUNT(linfo.email = @email::text) > 0 AS email_busy
--- FROM users
--- JOIN login_informations AS linfo on linfo.user_id = users.id
--- WHERE
---   (
---     users.username = @username::text OR 
---     linfo.email = @email::text
---   )
---   AND
---   (
---     users.verified IS TRUE OR
---     COUNT(
---       SELECT confirmation_codes as codes 
---       JOIN users on users.id = codes.user_id
---       WHERE codes.code_type = 0 AND
---       codes.deleted IS FALSE AND
---       codes.expires_at < CURRENT_TIMESTAMP
---     ) = 0;
---   )
-
 ;-- name: GetValidUserByLoginCredentials :one
 SELECT
   users.*,
@@ -86,12 +65,17 @@ SELECT
   linfo.totp_encrypted
 FROM users
 JOIN login_informations AS linfo ON users.id = linfo.user_id
-LEFT JOIN banned_users AS banned ON users.id = banned.user_id
 WHERE 
   users.username = $1 AND
   users.verified IS TRUE AND -- Verified
   users.deleted IS FALSE AND -- Not deleted
-  banned.user_id IS NULL AND -- Not banned
+  NOT EXISTS (
+    SELECT 1
+    FROM banned_users
+    WHERE user_id = users.id AND
+    pardoned IS FALSE AND
+    (expires_at IS NULL OR expires_at > CURRENT_TIMESTAMP)
+  ) AND -- Not banned
   linfo.password_hash = crypt(@password::text, linfo.password_hash); -- Password hash matches
 
 ;-- name: CheckUserRegistrationAvailability :one
@@ -296,7 +280,27 @@ SELECT profiles.* FROM profiles
 JOIN users ON users.id = profiles.user_id
 WHERE users.username = $1;
 
+;-- name: CheckProfileAccess :one
+-- XXX: recheck, was tired
+SELECT
+  CASE WHEN u.deleted OR NOT u.verified THEN TRUE ELSE FALSE END AS user_unavailable,
+  CASE WHEN EXISTS (
+      SELECT 1
+      FROM banned_users
+      WHERE user_id = u.id AND
+      pardoned IS FALSE AND
+      (expires_at IS NULL OR expires_at < CURRENT_TIMESTAMP)
+  ) THEN TRUE ELSE FALSE END AS user_banned, 
+  CASE WHEN ps.hide_profile_details THEN TRUE ELSE FALSE END AS hidden,
+  CASE WHEN ps.hide_for_unauthenticated AND @requester::text = '' THEN TRUE ELSE FALSE END AS auth_required,
+  CASE WHEN ps.captcha THEN TRUE ELSE FALSE END AS captcha_required
+FROM profiles p
+JOIN profile_settings ps ON ps.profile_id = p.id
+JOIN users u ON p.user_id = u.id
+WHERE p.id = $1;
+
 ;-- name: GetProfileByUsernameWithPrivacy :one
+-- FIXME: tweak backend code to handle privacy correctly
 SELECT
   u.username,
   p.name,
@@ -304,25 +308,13 @@ SELECT
   p.avatar_url,
   CASE WHEN ps.hide_birthday THEN NULL ELSE p.birthday END AS birthday,
   p.color,
-  p.color_grad,
-  NOT (@requester::text = '' AND ps.hide_for_unauthenticated) AS access_allowed
+  p.color_grad
 FROM
   users AS u
 JOIN profiles AS p ON u.id = p.user_id
 JOIN profile_settings AS ps ON p.id = ps.profile_id
 WHERE
-  u.username = @searched_username::text
-  AND (
-    @searched_username::text = @requester::text
-    OR
-    u.deleted IS FALSE
-    AND u.verified IS TRUE
-    AND NOT EXISTS (
-      SELECT 1
-      FROM banned_users
-      WHERE user_id = u.id
-    )
-  );
+  u.username = @searched_username::text;
 
 ;-- name: GetProfilesRestricted :many
 SELECT 
@@ -371,3 +363,165 @@ JOIN users ON users.id = profiles.user_id
 WHERE users.username = $1;
 
 --: }}}
+
+--: Wish List Object {{{
+
+;-- name: CreateWishList :one
+INSERT INTO wish_lists(profile_id, hidden, name, icon_name, color, color_grad)
+VALUES (
+  (SELECT p.id FROM profiles AS p
+  JOIN users AS u ON u.id = p.user_id
+  WHERE u.username = @username::text),
+  @hidden::boolean,
+  @name::text,
+  @icon_name::text,
+  @color::text,
+  @color_grad::boolean
+)
+RETURNING *;
+
+;-- name: UpdateWishListByGuid :exec
+UPDATE wish_lists wl
+SET 
+  hidden = COALESCE(@hidden::boolean, wl.hidden),
+  name = COALESCE(@name::text, wl.name),
+  icon_name = COALESCE(@icon_name::text, wl.icon_name),
+  color = COALESCE(@color::text, wl.color),
+  color_grad = COALESCE(@color_grad::text, wl.color_grad),
+  deleted = COALESCE(@deleted::boolean, wl.deleted)
+WHERE wl.guid = (@guid::text)::uuid;
+
+;-- name: GetWishlistByGuid :one
+SELECT * FROM wish_lists wl
+WHERE wl.guid = (@guid::text)::uuid;
+
+;-- name: GetWishlistsByUsername :many
+SELECT * FROM wish_lists wl
+JOIN profiles p ON p.id = wl.profile_id
+JOIN users u ON u.id = p.user_id
+WHERE u.username = @username::text;
+
+-- name: GetWishlistsByUsernameWithPrivacy :many
+-- XXX: Obsolete, create according access check query instead
+SELECT 
+  wl.*, 
+  CASE 
+    WHEN (
+      ps.hide_profile_details OR (
+        ps.hide_for_unauthenticated AND
+        @requester::text = ''
+      )
+    ) THEN FALSE 
+    ELSE TRUE 
+  END AS access_allowed
+FROM 
+  wish_lists wl
+JOIN 
+  profiles AS p ON wl.profile_id = p.id
+JOIN
+  profile_settings AS ps ON ps.profile_id = p.id
+JOIN 
+  users AS u ON p.user_id = u.id
+WHERE 
+  wl.deleted IS FALSE AND
+  u.username = @username::text AND
+  (
+    u.username = @requester::text OR
+    (u.verified IS TRUE AND 
+    NOT EXISTS (
+      SELECT 1
+      FROM banned_users
+      WHERE user_id = u.id AND
+      pardoned IS FALSE AND
+      (expires_at IS NULL OR expires_at < CURRENT_TIMESTAMP)
+    ))
+  );
+
+--: }}}
+
+--: Wish Object {{{
+
+;-- name: CreateWish :one
+INSERT INTO wishes(
+  wish_list_id,
+  wish_list_guid,
+  name,
+  description,
+  picture_url,
+  stars)
+VALUES
+  (
+    (SELECT id FROM wish_lists wl WHERE wl.guid = (@wish_list_guid::text)::uuid),
+    (@wish_list_guid::text)::uuid,
+    @name::text,
+    @description::text,
+    @picture_url::text,
+    @stars::smallint
+  )
+RETURNING *;
+
+;-- name: UpdateWishByGuid :exec
+UPDATE wishes w
+SET 
+  name = COALESCE(@name::text, w.name),
+  description = COALESCE(@description::text, w.description),
+  picture_url = COALESCE(@picture_url::text, w.picture_url),
+  stars = COALESCE(@stars::smallint, w.stars),
+  fulfilled = COALESCE(@fulfilled::boolean, w.fulfilled),
+  fulfilled_date = COALESCE(@fulfilled_date::timestamp, w.fulfilled_date),
+  deleted = COALESCE(@deleted::boolean, w.deleted)
+WHERE w.guid = (@guid::text)::uuid;
+
+;-- name: MoveWishToWishListWithGuid :one
+WITH updated AS (
+  UPDATE wishes w
+  SET
+    wish_list_id = wl.id,
+    wish_list_guid = (@wish_list_guid::text)::uuid
+  FROM wish_lists wl
+  WHERE 
+    wl.guid = (@wish_list_guid::text)::uuid AND
+    wl.profile_id = ( -- Make sure the wish is not moved to another profile
+      SELECT profile_id
+      FROM wish_lists
+      WHERE wish_lists.id = w.wish_list_id
+    )
+  RETURNING w.id
+)
+SELECT 
+  COUNT(*) > 0 AS target_found
+FROM updated;
+
+;-- name: GetWishByGuid :one
+SELECT * FROM wishes w
+WHERE w.guid = (@guid::text)::uuid;
+
+;-- name: GetWishByGuidWithPrivacy :one
+-- XXX: Obsolete, create according access check query instead
+SELECT 
+  w.*,
+  CASE 
+    WHEN 
+      (
+        @requester::text = u.username OR
+        NOT ps.hide_profile_details AND 
+        NOT
+          (
+            ps.hide_for_unauthenticated AND
+            @requester::text = ''
+          ) AND
+        NOT wl.hidden
+      )
+    THEN TRUE 
+    ELSE FALSE
+  END AS access_allowed
+FROM wishes w
+JOIN wish_lists wl ON w.wish_list_id = wl.id
+JOIN profiles p ON wl.profile_id = p.id
+JOIN profile_settings ps ON ps.profile_id = p.id
+JOIN users u ON p.user_id = u.id
+WHERE
+  w.guid = (@guid::text)::uuid AND
+  w.deleted IS FALSE;
+
+--: }}}

sqlc/schema.sql

@@ -22,7 +22,7 @@ CREATE EXTENSION IF NOT EXISTS "pgcrypto";
 CREATE TABLE IF NOT EXISTS "users" (
   id BIGSERIAL PRIMARY KEY,
   username VARCHAR(20) UNIQUE NOT NULL,
-  verified BOOLEAN DEFAULT FALSE,
+  verified BOOLEAN NOT NULL DEFAULT FALSE,
   registration_date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
   role INTEGER NOT NULL DEFAULT 1, -- enum user
   deleted BOOLEAN DEFAULT FALSE
@@ -35,7 +35,7 @@ CREATE TABLE IF NOT EXISTS "banned_users" (
   reason VARCHAR(512),
   expires_at TIMESTAMP,
   banned_by VARCHAR(20) DEFAULT 'system',
-  pardoned BOOLEAN DEFAULT FALSE,
+  pardoned BOOLEAN NOT NULL DEFAULT FALSE,
   pardoned_by VARCHAR(20)
 );
 
@@ -55,14 +55,14 @@ CREATE TABLE IF NOT EXISTS "confirmation_codes" (
   code_type INTEGER NOT NULL CHECK (code_type IN (0, 1)),
   code_hash VARCHAR(512) NOT NULL,
   expires_at TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP + INTERVAL '10 minutes',
-  used BOOLEAN DEFAULT FALSE,
-  deleted BOOLEAN DEFAULT FALSE
+  used BOOLEAN NOT NULL DEFAULT FALSE,
+  deleted BOOLEAN NOT NULL DEFAULT FALSE
 );
 
 CREATE TABLE IF NOT EXISTS "sessions" (
   id BIGSERIAL PRIMARY KEY,
   user_id BIGINT NOT NULL REFERENCES users(id) ON DELETE CASCADE,
-  guid UUID NOT NULL DEFAULT gen_random_uuid(),
+  guid UUID UNIQUE NOT NULL DEFAULT gen_random_uuid(),
   name VARCHAR(175),
   platform VARCHAR(175),
   latest_ip VARCHAR(16),
@@ -77,7 +77,7 @@ CREATE TABLE IF NOT EXISTS "profiles" (
   user_id BIGINT UNIQUE NOT NULL REFERENCES users(id) ON DELETE CASCADE,
   name VARCHAR(75) NOT NULL,
   bio VARCHAR(512) NOT NULL DEFAULT '',
-  avatar_url VARCHAR(255) NOT NULL DEFAULT '',
+  avatar_url VARCHAR(512) NOT NULL DEFAULT '',
   birthday TIMESTAMP,
   color VARCHAR(7) NOT NULL DEFAULT '#254333',
   color_grad VARCHAR(7) NOT NULL DEFAULT '#691E4D'
@@ -93,4 +93,91 @@ CREATE TABLE IF NOT EXISTS "profile_settings" (
   hide_dates BOOLEAN NOT NULL DEFAULT FALSE,
   captcha BOOLEAN NOT NULL DEFAULT FALSE,
   followers_only_interaction BOOLEAN NOT NULL DEFAULT FALSE
-)
+);
+
+CREATE TABLE IF NOT EXISTS "wish_lists" (
+  id BIGSERIAL PRIMARY KEY,
+  guid UUID UNIQUE NOT NULL DEFAULT gen_random_uuid(),
+  profile_id BIGINT UNIQUE NOT NULL REFERENCES profiles(id) ON DELETE CASCADE,
+  hidden BOOLEAN NOT NULL DEFAULT FALSE,
+  name VARCHAR(32) NOT NULL DEFAULT 'Wishes',
+  icon_name VARCHAR(64) NOT NULL DEFAULT '',
+  color VARCHAR(7) NOT NULL DEFAULT '',
+  color_grad VARCHAR(7) NOT NULL DEFAULT '',
+  deleted BOOLEAN NOT NULL DEFAULT FALSE
+);
+
+CREATE TABLE IF NOT EXISTS "wishes" (
+  id BIGSERIAL PRIMARY KEY,
+  guid UUID UNIQUE NOT NULL DEFAULT gen_random_uuid(),
+  wish_list_id BIGINT UNIQUE NOT NULL REFERENCES wish_lists(id) ON DELETE CASCADE,
+  wish_list_guid UUID NOT NULL REFERENCES wish_lists(guid) ON DELETE CASCADE,
+  name VARCHAR(64) NOT NULL DEFAULT 'New wish',
+  description VARCHAR(1000) NOT NULL DEFAULT '',
+  picture_url VARCHAR(512) NOT NULL DEFAULT '',
+  stars SMALLINT NOT NULL DEFAULT 3 CHECK (stars BETWEEN 1 AND 5),
+  creation_date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  fulfilled BOOLEAN NOT NULL DEFAULT FALSE,
+  fulfilled_date TIMESTAMP NOT NULL DEFAULT CURRENT_TIMESTAMP,
+  deleted BOOLEAN NOT NULL DEFAULT FALSE
+);
+
+CREATE OR REPLACE FUNCTION get_profile(requester_user_id BIGINT, target_profile_id BIGINT)
+RETURNS JSONB AS $$
+DECLARE
+    profile_record profiles%ROWTYPE;
+    settings_record profile_settings%ROWTYPE;
+    is_owner BOOLEAN;
+    is_banned BOOLEAN;
+    is_deleted BOOLEAN;
+BEGIN
+    -- Check if target user exists and is not deleted/banned
+    SELECT p.*, u.deleted INTO profile_record
+    FROM profiles p
+    JOIN users u ON p.user_id = u.id
+    WHERE p.id = target_profile_id;
+    
+    IF NOT FOUND THEN
+        RETURN NULL;  -- Or raise an exception for "not found"
+    END IF;
+    
+    is_deleted := profile_record.deleted;  -- From users table
+    IF is_deleted THEN
+        RETURN NULL;
+    END IF;
+    
+    -- Check if requester is banned (simplified; expand as needed)
+    SELECT EXISTS(SELECT 1 FROM banned_users WHERE user_id = requester_user_id AND pardoned = FALSE AND (expires_at IS NULL OR expires_at > CURRENT_TIMESTAMP)) INTO is_banned;
+    IF is_banned THEN
+        RAISE EXCEPTION 'Requester is banned';
+    END IF;
+    
+    -- Determine ownership
+    is_owner := (profile_record.user_id = requester_user_id);
+    
+    -- Fetch settings
+    SELECT * INTO settings_record FROM profile_settings WHERE profile_id = target_profile_id;
+    
+    -- Apply privacy: Hide for unauthenticated or based on settings
+    IF requester_user_id IS NULL AND settings_record.hide_for_unauthenticated THEN  -- NULL requester means unauth
+        RETURN NULL;
+    END IF;
+    
+    IF NOT is_owner AND settings_record.hide_profile_details THEN
+        RETURN NULL;  -- Or return minimal public data
+    END IF;
+    
+    -- Sanitize fields based on settings
+    IF NOT is_owner AND settings_record.hide_birthday THEN
+        profile_record.birthday := NULL;
+    END IF;
+    -- Add more field-level masking here (e.g., bio, avatar_url)
+    
+    -- Return as JSONB for easy app consumption
+    RETURN row_to_json(profile_record)::JSONB;
+EXCEPTION
+    WHEN OTHERS THEN
+        RAISE NOTICE 'Access denied: %', SQLERRM;
+        RETURN NULL;
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;