initial commit

2017-09-25 18:23:11 +02:00 · 2017-09-25 18:23:11 +02:00 · 93d8310491
commit 93d8310491
46 changed files with 3379 additions and 0 deletions
--- a/api/admin/accounts.go
+++ b/api/admin/accounts.go
@ -0,0 +1,172 @@
+package admin
+
+import (
+	"context"
+	"errors"
+	"net/http"
+	"strconv"
+
+	"github.com/go-ozzo/ozzo-validation"
+
+	"github.com/dhax/go-base/models"
+	"github.com/go-chi/chi"
+	"github.com/go-chi/render"
+)
+
+// The list of error types returned from account resource.
+var (
+	ErrAccountValidation = errors.New("account validation error")
+)
+
+type ctxKey int
+
+const (
+	ctxAccount ctxKey = iota
+)
+
+// AccountStore defines database operations for account management.
+type AccountStore interface {
+	List(f models.AccountFilter) (*[]models.Account, int, error)
+	Create(*models.Account) error
+	Get(id int) (*models.Account, error)
+	Update(*models.Account) error
+	Delete(*models.Account) error
+}
+
+// AccountResource implements account managment handler.
+type AccountResource struct {
+	Store AccountStore
+}
+
+// NewAccountResource creates and returns an account resource.
+func NewAccountResource(store AccountStore) *AccountResource {
+	return &AccountResource{
+		Store: store,
+	}
+}
+
+func (rs *AccountResource) router() *chi.Mux {
+	r := chi.NewRouter()
+	r.Get("/", rs.list)
+	r.Post("/", rs.create)
+	r.Route("/{accountID}", func(r chi.Router) {
+		r.Use(rs.accountCtx)
+		r.Get("/", rs.get)
+		r.Put("/", rs.update)
+		r.Delete("/", rs.delete)
+	})
+	return r
+}
+
+func (rs *AccountResource) accountCtx(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		id, err := strconv.Atoi(chi.URLParam(r, "accountID"))
+		if err != nil {
+			render.Render(w, r, ErrBadRequest)
+			return
+		}
+		account, err := rs.Store.Get(id)
+		if err != nil {
+			render.Render(w, r, ErrNotFound)
+			return
+		}
+		ctx := context.WithValue(r.Context(), ctxAccount, account)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+type accountRequest struct {
+	*models.Account
+}
+
+func (d *accountRequest) Bind(r *http.Request) error {
+	return nil
+}
+
+type accountResponse struct {
+	*models.Account
+}
+
+func newAccountResponse(a *models.Account) *accountResponse {
+	resp := &accountResponse{Account: a}
+	return resp
+}
+
+type accountListResponse struct {
+	Accounts *[]models.Account `json:"accounts"`
+	Count    int               `json:"count"`
+}
+
+func newAccountListResponse(a *[]models.Account, count int) *accountListResponse {
+	resp := &accountListResponse{
+		Accounts: a,
+		Count:    count,
+	}
+	return resp
+}
+
+func (rs *AccountResource) list(w http.ResponseWriter, r *http.Request) {
+	f := models.NewAccountFilter(r.URL.Query())
+	al, count, err := rs.Store.List(f)
+	if err != nil {
+		render.Render(w, r, ErrRender(err))
+		return
+	}
+	render.Respond(w, r, newAccountListResponse(al, count))
+}
+
+func (rs *AccountResource) create(w http.ResponseWriter, r *http.Request) {
+	data := &accountRequest{}
+	if err := render.Bind(r, data); err != nil {
+		render.Respond(w, r, ErrInvalidRequest(err))
+		return
+	}
+
+	acc := data.Account
+	if err := rs.Store.Create(acc); err != nil {
+		switch err.(type) {
+		case validation.Errors:
+			render.Render(w, r, ErrValidation(ErrAccountValidation, err))
+			return
+		}
+		render.Render(w, r, ErrInvalidRequest(err))
+		return
+	}
+	render.Respond(w, r, newAccountResponse(acc))
+}
+
+func (rs *AccountResource) get(w http.ResponseWriter, r *http.Request) {
+	acc := r.Context().Value(ctxAccount).(*models.Account)
+	render.Respond(w, r, newAccountResponse(acc))
+}
+
+func (rs *AccountResource) update(w http.ResponseWriter, r *http.Request) {
+	acc := r.Context().Value(ctxAccount).(*models.Account)
+	data := &accountRequest{Account: acc}
+	if err := render.Bind(r, data); err != nil {
+		render.Render(w, r, ErrInvalidRequest(err))
+		return
+	}
+
+	acc = data.Account
+	if err := rs.Store.Update(acc); err != nil {
+		switch err.(type) {
+		case validation.Errors:
+			render.Render(w, r, ErrValidation(ErrAccountValidation, err))
+			return
+		}
+		render.Render(w, r, ErrInvalidRequest(err))
+		return
+	}
+
+	render.Respond(w, r, newAccountResponse(acc))
+}
+
+func (rs *AccountResource) delete(w http.ResponseWriter, r *http.Request) {
+	acc := r.Context().Value(ctxAccount).(*models.Account)
+	if err := rs.Store.Delete(acc); err != nil {
+		render.Render(w, r, ErrInvalidRequest(err))
+		return
+	}
+	render.Respond(w, r, http.NoBody)
+}
--- a/api/admin/api.go
+++ b/api/admin/api.go
@ -0,0 +1,52 @@
+package admin
+
+import (
+	"net/http"
+
+	"github.com/sirupsen/logrus"
+
+	"github.com/go-chi/chi"
+	"github.com/go-pg/pg"
+
+	"github.com/dhax/go-base/auth"
+	"github.com/dhax/go-base/database"
+	"github.com/dhax/go-base/logging"
+)
+
+const (
+	roleAdmin = "admin"
+)
+
+// API provides admin application resources and handlers.
+type API struct {
+	Accounts *AccountResource
+}
+
+// NewAPI configures and returns admin application API.
+func NewAPI(db *pg.DB) (*API, error) {
+
+	accountStore := database.NewAdmAccountStore(db)
+	accounts := NewAccountResource(accountStore)
+
+	api := &API{
+		Accounts: accounts,
+	}
+	return api, nil
+}
+
+// Router provides admin application routes.
+func (a *API) Router() *chi.Mux {
+	r := chi.NewRouter()
+	r.Use(auth.RequiresRole(roleAdmin))
+
+	r.Get("/", func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte("Hello Admin"))
+	})
+
+	r.Mount("/accounts", a.Accounts.router())
+	return r
+}
+
+func log(r *http.Request) logrus.FieldLogger {
+	return logging.GetLogEntry(r)
+}
--- a/api/admin/errors.go
+++ b/api/admin/errors.go
@ -0,0 +1,81 @@
+package admin
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/go-chi/render"
+)
+
+// ErrResponse renderer type for handling all sorts of errors.
+type ErrResponse struct {
+	Err            error `json:"-"` // low-level runtime error
+	HTTPStatusCode int   `json:"-"` // http response status code
+
+	StatusText string `json:"status"`          // user-level status message
+	AppCode    int64  `json:"code,omitempty"`  // application-specific error code
+	ErrorText  string `json:"error,omitempty"` // application-level error message, for debugging
+}
+
+// Render sets the application-specific error code in AppCode.
+func (e *ErrResponse) Render(w http.ResponseWriter, r *http.Request) error {
+	render.Status(r, e.HTTPStatusCode)
+	return nil
+}
+
+// ErrInvalidRequest returns status 422 Unprocessable Entity including error message.
+func ErrInvalidRequest(err error) render.Renderer {
+	return &ErrResponse{
+		Err:            err,
+		HTTPStatusCode: http.StatusUnprocessableEntity,
+		StatusText:     http.StatusText(http.StatusUnprocessableEntity),
+		ErrorText:      err.Error(),
+	}
+}
+
+// ErrRender returns status 422 Unprocessable Entity rendering response error.
+func ErrRender(err error) render.Renderer {
+	return &ErrResponse{
+		Err:            err,
+		HTTPStatusCode: http.StatusUnprocessableEntity,
+		StatusText:     "Error rendering response.",
+		ErrorText:      err.Error(),
+	}
+}
+
+// ErrValidationResponse renderer for handling validation errors.
+type ErrValidationResponse struct {
+	*ErrResponse
+	Errors string `json:"errors,omitempty"`
+}
+
+// Render sets the application-specific error code in AppCode.
+func (ev *ErrValidationResponse) Render(w http.ResponseWriter, r *http.Request) error {
+	render.Status(r, ev.ErrResponse.HTTPStatusCode)
+	return nil
+}
+
+// ErrValidation returns status 422 Unprocessable Entity stating validation errors.
+func ErrValidation(err error, valErrors error) render.Renderer {
+	b, _ := json.Marshal(valErrors)
+	return &ErrValidationResponse{
+		&ErrResponse{
+			Err:            err,
+			HTTPStatusCode: http.StatusUnprocessableEntity,
+			StatusText:     http.StatusText(http.StatusUnprocessableEntity),
+			ErrorText:      err.Error(),
+		},
+		string(b),
+	}
+}
+
+var (
+	// ErrBadRequest return status 400 Bad Request for malformed request body.
+	ErrBadRequest = &ErrResponse{HTTPStatusCode: http.StatusBadRequest, StatusText: http.StatusText(http.StatusBadRequest)}
+
+	// ErrNotFound returns status 404 Not Found for invalid resource request.
+	ErrNotFound = &ErrResponse{HTTPStatusCode: http.StatusNotFound, StatusText: http.StatusText(http.StatusNotFound)}
+
+	// ErrInternalServerError returns status 500 Internal Server Error.
+	ErrInternalServerError = &ErrResponse{HTTPStatusCode: http.StatusInternalServerError, StatusText: http.StatusText(http.StatusInternalServerError)}
+)
--- a/api/api.go
+++ b/api/api.go
@ -0,0 +1,113 @@
+package api
+
+import (
+	"net/http"
+	"path"
+	"strings"
+	"time"
+
+	"github.com/dhax/go-base/api/admin"
+	"github.com/dhax/go-base/api/app"
+	"github.com/dhax/go-base/auth"
+	"github.com/dhax/go-base/database"
+	"github.com/dhax/go-base/email"
+	"github.com/dhax/go-base/logging"
+	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/middleware"
+	"github.com/go-chi/cors"
+	"github.com/go-chi/render"
+)
+
+// NewAPI configures application resources and routes
+func NewAPI() (*chi.Mux, error) {
+	logger := logging.NewLogger()
+
+	db, err := database.DBConn()
+	if err != nil {
+		return nil, err
+	}
+
+	emailService, err := email.NewEmailService()
+	if err != nil {
+		return nil, err
+	}
+
+	authStore := database.NewAuthStore(db)
+	authResource, err := auth.NewResource(authStore, emailService)
+	if err != nil {
+		return nil, err
+	}
+
+	adminAPI, err := admin.NewAPI(db)
+	if err != nil {
+		return nil, err
+	}
+
+	appAPI, err := app.NewAPI(db)
+	if err != nil {
+		return nil, err
+	}
+
+	r := chi.NewRouter()
+	r.Use(middleware.Recoverer)
+	r.Use(middleware.RequestID)
+	// r.Use(middleware.RealIP)
+	r.Use(middleware.DefaultCompress)
+	r.Use(middleware.Timeout(15 * time.Second))
+
+	r.Use(logging.NewStructuredLogger(logger))
+	r.Use(render.SetContentType(render.ContentTypeJSON))
+
+	// use CORS middleware if client is not served by this api, e.g. from other domain or CDN
+	// r.Use(corsConfig().Handler)
+
+	r.Mount("/auth", authResource.Router())
+	r.Group(func(r chi.Router) {
+		r.Use(authResource.Token.Verifier())
+		r.Use(auth.Authenticator)
+		r.Mount("/admin", adminAPI.Router())
+		r.Mount("/api", appAPI.Router())
+	})
+
+	r.Get("/ping", func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte("pong"))
+	})
+
+	client := "./public"
+	r.Get("/*", SPAHandler(client))
+
+	return r, nil
+}
+
+func corsConfig() *cors.Cors {
+	// Basic CORS
+	// for more ideas, see: https://developer.github.com/v3/#cross-origin-resource-sharing
+	return cors.New(cors.Options{
+		// AllowedOrigins: []string{"https://foo.com"}, // Use this to allow specific origin hosts
+		AllowedOrigins: []string{"*"},
+		// AllowOriginFunc:  func(r *http.Request, origin string) bool { return true },
+		AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
+		AllowedHeaders:   []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"},
+		ExposedHeaders:   []string{"Link"},
+		AllowCredentials: true,
+		MaxAge:           86400, // Maximum value not ignored by any of major browsers
+	})
+}
+
+// SPAHandler serves the public Single Page Application
+func SPAHandler(publicDir string) http.HandlerFunc {
+	handler := http.FileServer(http.Dir(publicDir))
+
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		url := r.URL.String()
+
+		// serve static files
+		if strings.Contains(url, ".") || url == "/" {
+			handler.ServeHTTP(w, r)
+			return
+		}
+
+		// otherwise always serve index.html
+		http.ServeFile(w, r, path.Join(publicDir, "/index.html"))
+	})
+}
--- a/api/app/account.go
+++ b/api/app/account.go
@ -0,0 +1,225 @@
+package app
+
+import (
+	"context"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"github.com/go-chi/chi"
+	"github.com/go-chi/render"
+	validation "github.com/go-ozzo/ozzo-validation"
+
+	"github.com/dhax/go-base/auth"
+	"github.com/dhax/go-base/logging"
+	"github.com/dhax/go-base/models"
+)
+
+type ctxKey int
+
+const (
+	ctxAccount ctxKey = iota
+)
+
+// AccountStore defines database operations for account.
+type AccountStore interface {
+	Get(id int) (*models.Account, error)
+	Update(*models.Account) error
+	Delete(*models.Account) error
+	UpdateToken(*models.Token) error
+	DeleteToken(*models.Token) error
+	UpdateProfile(*models.Profile) error
+}
+
+// AccountResource implements account managment handler.
+type AccountResource struct {
+	Store AccountStore
+}
+
+// NewAccountResource creates and returns an account resource.
+func NewAccountResource(store AccountStore) *AccountResource {
+	return &AccountResource{
+		Store: store,
+	}
+}
+
+func (rs *AccountResource) router() *chi.Mux {
+	r := chi.NewRouter()
+	r.Use(rs.accountCtx)
+	r.Get("/", rs.get)
+	r.Put("/", rs.update)
+	r.Delete("/", rs.delete)
+	r.Route("/token/{tokenID}", func(r chi.Router) {
+		r.Put("/", rs.updateToken)
+		r.Delete("/", rs.deleteToken)
+	})
+	r.Put("/profile", rs.updateProfile)
+	return r
+}
+
+func (rs *AccountResource) accountCtx(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		claims := auth.ClaimsFromCtx(r.Context())
+		logging.GetLogEntry(r).WithField("account_id", claims.ID)
+		account, err := rs.Store.Get(claims.ID)
+		if err != nil {
+			// account deleted while access token still valid
+			logging.GetLogEntry(r).WithField("account", claims.Sub).Warn(err)
+			render.Render(w, r, ErrNotFound)
+			return
+		}
+		ctx := context.WithValue(r.Context(), ctxAccount, account)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+type accountRequest struct {
+	*models.Account
+	// not really neccessary here as we limit updated database columns in store
+	ProtectedID     int      `json:"id"`
+	ProtectedActive bool     `json:"active"`
+	ProtectedRoles  []string `json:"roles"`
+}
+
+func (d *accountRequest) Bind(r *http.Request) error {
+	// d.ProtectedActive = true
+	// d.ProtectedRoles = []string{}
+	return nil
+}
+
+type accountResponse struct {
+	*models.Account
+}
+
+func newAccountResponse(a *models.Account) *accountResponse {
+	resp := &accountResponse{Account: a}
+	return resp
+}
+
+func (rs *AccountResource) get(w http.ResponseWriter, r *http.Request) {
+	acc := r.Context().Value(ctxAccount).(*models.Account)
+	render.Respond(w, r, newAccountResponse(acc))
+}
+
+func (rs *AccountResource) update(w http.ResponseWriter, r *http.Request) {
+	acc := r.Context().Value(ctxAccount).(*models.Account)
+	data := &accountRequest{Account: acc}
+	if err := render.Bind(r, data); err != nil {
+		render.Render(w, r, ErrInvalidRequest(err))
+		return
+	}
+
+	acc = data.Account
+	if err := rs.Store.Update(acc); err != nil {
+		switch err.(type) {
+		case validation.Errors:
+			render.Render(w, r, ErrValidation(err))
+			return
+		}
+		render.Render(w, r, ErrRender(err))
+		return
+	}
+
+	render.Respond(w, r, newAccountResponse(acc))
+}
+
+func (rs *AccountResource) delete(w http.ResponseWriter, r *http.Request) {
+	acc := r.Context().Value(ctxAccount).(*models.Account)
+	if err := rs.Store.Delete(acc); err != nil {
+		render.Render(w, r, ErrRender(err))
+		return
+	}
+	render.Respond(w, r, http.NoBody)
+}
+
+type tokenRequest struct {
+	Identifier  string
+	ProtectedID int `json:"id"`
+}
+
+func (d *tokenRequest) Bind(r *http.Request) error {
+	d.Identifier = strings.TrimSpace(d.Identifier)
+	return nil
+}
+
+func (rs *AccountResource) updateToken(w http.ResponseWriter, r *http.Request) {
+	id, err := strconv.Atoi(chi.URLParam(r, "tokenID"))
+	if err != nil {
+		render.Respond(w, r, ErrBadRequest)
+		return
+	}
+	data := &tokenRequest{}
+	if err := render.Bind(r, data); err != nil {
+		render.Respond(w, r, ErrInvalidRequest(err))
+		return
+	}
+	acc := r.Context().Value(ctxAccount).(*models.Account)
+	for _, t := range acc.Token {
+		if t.ID == id {
+			if err := rs.Store.UpdateToken(&models.Token{
+				ID:         t.ID,
+				Identifier: data.Identifier,
+			}); err != nil {
+				render.Respond(w, r, ErrInvalidRequest(err))
+				return
+			}
+		}
+	}
+	render.Respond(w, r, http.NoBody)
+}
+
+func (rs *AccountResource) deleteToken(w http.ResponseWriter, r *http.Request) {
+	id, err := strconv.Atoi(chi.URLParam(r, "tokenID"))
+	if err != nil {
+		render.Respond(w, r, ErrBadRequest)
+		return
+	}
+	acc := r.Context().Value(ctxAccount).(*models.Account)
+	for _, t := range acc.Token {
+		if t.ID == id {
+			rs.Store.DeleteToken(&models.Token{ID: t.ID})
+		}
+	}
+	render.Respond(w, r, http.NoBody)
+}
+
+type profileRequest struct {
+	*models.Profile
+	ProtectedID int `json:"id"`
+}
+
+func (d *profileRequest) Bind(r *http.Request) error {
+	// d.ProtectedActive = true
+	// d.ProtectedRoles = []string{}
+	return nil
+}
+
+type profileResponse struct {
+	*models.Profile
+}
+
+func newProfileResponse(p *models.Profile) *profileResponse {
+	return &profileResponse{
+		Profile: p,
+	}
+}
+
+func (rs *AccountResource) updateProfile(w http.ResponseWriter, r *http.Request) {
+	acc := r.Context().Value(ctxAccount).(*models.Account)
+	data := &profileRequest{Profile: acc.Profile}
+	if err := render.Bind(r, data); err != nil {
+		render.Render(w, r, ErrInvalidRequest(err))
+	}
+
+	p := data.Profile
+	if err := rs.Store.UpdateProfile(p); err != nil {
+		switch err.(type) {
+		case validation.Errors:
+			render.Render(w, r, ErrValidation(err))
+			return
+		}
+		render.Render(w, r, ErrRender(err))
+		return
+	}
+	render.Respond(w, r, newProfileResponse(p))
+}
--- a/api/app/api.go
+++ b/api/app/api.go
@ -0,0 +1,33 @@
+package app
+
+import (
+	"github.com/go-chi/chi"
+	"github.com/go-pg/pg"
+
+	"github.com/dhax/go-base/database"
+)
+
+// API provides application resources and handlers.
+type API struct {
+	Account *AccountResource
+}
+
+// NewAPI configures and returns application API.
+func NewAPI(db *pg.DB) (*API, error) {
+	accountStore := database.NewAccountStore(db)
+	account := NewAccountResource(accountStore)
+
+	api := &API{
+		Account: account,
+	}
+	return api, nil
+}
+
+// Router provides application routes.
+func (a *API) Router() *chi.Mux {
+	r := chi.NewRouter()
+
+	r.Mount("/account", a.Account.router())
+
+	return r
+}
--- a/api/app/errors.go
+++ b/api/app/errors.go
@ -0,0 +1,81 @@
+package app
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/go-chi/render"
+)
+
+// ErrResponse renderer type for handling all sorts of errors.
+type ErrResponse struct {
+	Err            error `json:"-"` // low-level runtime error
+	HTTPStatusCode int   `json:"-"` // http response status code
+
+	StatusText string `json:"status"`          // user-level status message
+	AppCode    int64  `json:"code,omitempty"`  // application-specific error code
+	ErrorText  string `json:"error,omitempty"` // application-level error message, for debugging
+}
+
+// Render sets the application-specific error code in AppCode.
+func (e *ErrResponse) Render(w http.ResponseWriter, r *http.Request) error {
+	render.Status(r, e.HTTPStatusCode)
+	return nil
+}
+
+// ErrInvalidRequest returns status 422 Unprocessable Entity including error message.
+func ErrInvalidRequest(err error) render.Renderer {
+	return &ErrResponse{
+		Err:            err,
+		HTTPStatusCode: http.StatusUnprocessableEntity,
+		StatusText:     http.StatusText(http.StatusUnprocessableEntity),
+		ErrorText:      err.Error(),
+	}
+}
+
+// ErrValidationResponse renderer for handling validation errors.
+type ErrValidationResponse struct {
+	*ErrResponse
+	Errors string `json:"errors,omitempty"`
+}
+
+// Render sets the application-specific error code in AppCode.
+func (ev *ErrValidationResponse) Render(w http.ResponseWriter, r *http.Request) error {
+	render.Status(r, ev.ErrResponse.HTTPStatusCode)
+	return nil
+}
+
+// ErrValidation returns status 422 Unprocessable Entity stating validation errors.
+func ErrValidation(valErrors error) render.Renderer {
+	b, _ := json.Marshal(valErrors)
+	return &ErrValidationResponse{
+		&ErrResponse{
+			Err:            nil,
+			HTTPStatusCode: http.StatusUnprocessableEntity,
+			StatusText:     http.StatusText(http.StatusUnprocessableEntity),
+			ErrorText:      "object validation error",
+		},
+		string(b),
+	}
+}
+
+// ErrRender returns status 422 Unprocessable Entity rendering response error.
+func ErrRender(err error) render.Renderer {
+	return &ErrResponse{
+		Err:            err,
+		HTTPStatusCode: http.StatusUnprocessableEntity,
+		StatusText:     http.StatusText(http.StatusUnprocessableEntity),
+		ErrorText:      err.Error(),
+	}
+}
+
+var (
+	// ErrBadRequest return status 400 Bad Request for malformed request body.
+	ErrBadRequest = &ErrResponse{HTTPStatusCode: http.StatusBadRequest, StatusText: http.StatusText(http.StatusBadRequest)}
+
+	// ErrNotFound returns status 404 Not Found for invalid resource request.
+	ErrNotFound = &ErrResponse{HTTPStatusCode: http.StatusNotFound, StatusText: http.StatusText(http.StatusNotFound)}
+
+	// ErrInternalServerError returns status 500 Internal Server Error.
+	ErrInternalServerError = &ErrResponse{HTTPStatusCode: http.StatusInternalServerError, StatusText: http.StatusText(http.StatusInternalServerError)}
+)
--- a/api/server.go
+++ b/api/server.go
@ -0,0 +1,65 @@
+package api
+
+import (
+	"context"
+	"log"
+	"net/http"
+	"os"
+	"os/signal"
+	"strings"
+
+	"github.com/spf13/viper"
+)
+
+// Server provides an http.Server
+type Server struct {
+	*http.Server
+}
+
+// NewServer creates and configures an APIServer serving all application routes.
+func NewServer() (*Server, error) {
+	log.Println("configuring server...")
+	api, err := NewAPI()
+	if err != nil {
+		return nil, err
+	}
+
+	var addr string
+	port := viper.GetString("port")
+
+	// allow port to be set as localhost:3000 in env during development to avoid "accept incoming network connection" request on restarts
+	if strings.Contains(port, ":") {
+		addr = port
+	} else {
+		addr = ":" + port
+	}
+
+	srv := http.Server{
+		Addr:    addr,
+		Handler: api,
+	}
+
+	return &Server{&srv}, nil
+}
+
+// Start runs ListenAndServe on the http.Server with graceful shutdown
+func (srv *Server) Start() {
+	log.Println("starting server...")
+	go func() {
+		if err := srv.ListenAndServe(); err != nil {
+			panic(err)
+		}
+	}()
+	log.Printf("Listening on %s\n", srv.Addr)
+
+	quit := make(chan os.Signal)
+	signal.Notify(quit, os.Interrupt)
+	sig := <-quit
+	log.Println("Shutting down server... Reason:", sig)
+	// teardown logic...
+
+	if err := srv.Shutdown(context.Background()); err != nil {
+		panic(err)
+	}
+	log.Println("Server gracefully stopped")
+}