fix: update internal/irc import to pkg/irc after rebase

Update 4 remaining references where the JSON field name was still
'hashcash' instead of 'pow_token' in README.md.

README.md

@@ -113,9 +113,8 @@ mechanisms or stuffing data into CTCP.
 Everything else is IRC. `PRIVMSG`, `JOIN`, `PART`, `NICK`, `TOPIC`, `MODE`,
 `KICK`, `353`, `433` — same commands, same semantics. Channels start with `#`.
 Joining a nonexistent channel creates it. Channels disappear when empty. Nicks
-are unique per server. Identity starts with a key — a nick is a display name.
-Accounts are optional: you can create an anonymous session instantly, or
-register with a password for multi-client access to a single session.
+are unique per server. There are no accounts — identity is a key, a nick is a
+display name.
 
 ### On the resemblance to JSON-RPC
 
@@ -149,45 +148,16 @@ not arbitrary choices — each one follows from the project's core thesis that
 IRC's command model is correct and only the transport and session management
 need to change.
 
-### Identity & Sessions — Dual Authentication Model
+### Identity & Sessions — No Accounts
 
-The server supports two authentication paths: **anonymous sessions** for
-instant access, and **optional account registration** for multi-client access.
-
-#### Anonymous Sessions (No Account Required)
-
-The simplest entry point. No registration, no passwords.
+There are no accounts, no registration, no passwords. Identity is a signing
+key; a nick is just a display name. The two are decoupled.
 
 - **Session creation**: client sends `POST /api/v1/session` with a desired
   nick → server assigns an **auth token** (64 hex characters of
   cryptographically random bytes) and returns the user ID, nick, and token.
 - The auth token implicitly identifies the client. Clients present it via
   `Authorization: Bearer <token>`.
-- Anonymous sessions are ephemeral — when the session expires or the user
-  QUITs, the nick is released and there is no way to reclaim it.
-
-#### Registered Accounts (Optional)
-
-For users who want multi-client access (multiple devices sharing one session):
-
-- **Registration**: client sends `POST /api/v1/register` with a nick and
-  password (minimum 8 characters) → server creates a session with the
-  password hashed via bcrypt, and returns the user ID, nick, and auth token.
-- **Login**: client sends `POST /api/v1/login` with nick and password →
-  server verifies the password against the stored bcrypt hash and creates a
-  new client token for the existing session. This enables multi-client
-  access: logging in from a new device adds a client to the existing session
-  rather than creating a new one, so channel memberships and message queues
-  are shared. Note: login only works while the session still exists — if all
-  clients have logged out or the user has sent QUIT, the session is deleted
-  and the registration is lost.
-- Registered accounts cannot be logged into via `POST /api/v1/session` —
-  that endpoint is for anonymous sessions only.
-- Anonymous sessions (created via `/session`) cannot be logged into via
-  `/login` because they have no password set.
-
-#### Common Properties (Both Paths)
-
 - Nicks are changeable via the `NICK` command; the server-assigned user ID is
   the stable identity.
 - Server-assigned IDs — clients do not choose their own IDs.
@@ -195,17 +165,11 @@ For users who want multi-client access (multiple devices sharing one session):
   in the token, no client-side decode. The server is the sole authority on
   token validity.
 
-**Rationale:** IRC has no accounts. You connect, pick a nick, and talk.
-Anonymous sessions preserve that simplicity — instant access, zero friction.
-But some users want to access the same session from multiple devices without
-a bouncer. Optional registration with password enables multi-client login
-without adding friction for casual users: if you don't want an account,
-don't create one. Note: in the current implementation, both anonymous and
-registered sessions are deleted when the last client disconnects (QUIT or
-logout); registration does not make a session survive all-client
-removal. Identity verification at the message layer via cryptographic
-signatures (see [Security Model](#security-model)) remains independent
-of account registration.
+**Rationale:** IRC has no accounts. You connect, pick a nick, and talk. Adding
+registration, email verification, or OAuth would solve a problem nobody asked
+about and add complexity that drives away casual users. Identity verification
+is handled at the message layer via cryptographic signatures (see
+[Security Model](#security-model)), not at the session layer.
 
 ### Nick Semantics
 
@@ -243,12 +207,12 @@ User Session
 └── Client C (token_c, queue_c)
 ```
 
-**Multi-client via login:** The `POST /api/v1/login` endpoint adds a new
-client to an existing registered session, enabling true multi-client support
-(multiple tokens sharing one nick/session with independent message queues).
-Anonymous sessions created via `POST /api/v1/session` always create a new
-user with a new nick. A future endpoint to "add a client to an existing
-anonymous session" is planned but not yet implemented.
+**Current MVP note:** The current implementation creates a new user (with new
+nick) per `POST /api/v1/session` call. True multi-client (multiple tokens
+sharing one nick/session) is supported by the schema (`client_queues` is keyed
+by user_id, and multiple tokens can point to the same user) but the session
+creation endpoint does not yet support "add a client to an existing session."
+This will be added post-MVP.
 
 **Rationale:** The fundamental IRC mobile problem is that you can't have your
 phone and laptop connected simultaneously without a bouncer. Server-side
@@ -363,8 +327,8 @@ needs to revoke a token, change the expiry model, or add/remove claims, JWT
 clients may break or behave incorrectly.
 
 Opaque tokens are simpler:
-- Server generates 32 random bytes → hex-encodes → stores SHA-256 hash
-- Client presents the raw token; server hashes and looks it up
+- Server generates 32 random bytes → hex-encodes → stores hash
+- Client presents the token; server looks it up
 - Revocation is a database delete
 - No clock skew issues, no algorithm confusion, no "none" algorithm attacks
 - Token format can change without breaking clients
@@ -391,8 +355,6 @@ The entire read/write loop for a client is two endpoints. Everything else
 
 ### Session Lifecycle
 
-#### Anonymous Session
-
 ```
 ┌─ Client ──────────────────────────────────────────────────┐
 │                                                            │
@@ -423,30 +385,6 @@ The entire read/write loop for a client is two endpoints. Everything else
 └────────────────────────────────────────────────────────────┘
 ```
 
-#### Registered Account
-
-```
-┌─ Client ──────────────────────────────────────────────────┐
-│                                                            │
-│  1. POST /api/v1/register                                  │
-│     {"nick":"alice", "password":"s3cret!!"}                │
-│     → {"id":1, "nick":"alice", "token":"a1b2c3..."}       │
-│     (Session created with bcrypt-hashed password)          │
-│                                                            │
-│  ... use the API normally (JOIN, PRIVMSG, poll, etc.) ...  │
-│                                                            │
-│  (From another device, while session is still active)      │
-│                                                            │
-│  2. POST /api/v1/login                                     │
-│     {"nick":"alice", "password":"s3cret!!"}                │
-│     → {"id":1, "nick":"alice", "token":"d4e5f6..."}       │
-│     (New client added to existing session — channels       │
-│      and message queues are preserved. If all clients      │
-│      have logged out, session no longer exists.)           │
-│                                                            │
-└────────────────────────────────────────────────────────────┘
-```
-
 ### Queue Architecture
 
 ```
@@ -1096,105 +1034,6 @@ TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/session \
 echo $TOKEN
 ```
 
-### POST /api/v1/register — Register Account
-
-Create a new user session with a password. The password is hashed
-with bcrypt and stored server-side. The password enables login from
-additional clients via `POST /api/v1/login` while the session
-remains active.
-
-**Request Body:**
-```json
-{"nick": "alice", "password": "mypassword"}
-```
-
-| Field      | Type   | Required | Constraints |
-|------------|--------|----------|-------------|
-| `nick`     | string | Yes      | 1–32 characters, must be unique on the server |
-| `password` | string | Yes      | Minimum 8 characters |
-
-**Response:** `201 Created`
-```json
-{
-  "id": 1,
-  "nick": "alice",
-  "token": "494ba9fc0f2242873fc5c285dd4a24fc3844ba5e67789a17e69b6fe5f8c132e3"
-}
-```
-
-| Field   | Type    | Description |
-|---------|---------|-------------|
-| `id`    | integer | Server-assigned user ID |
-| `nick`  | string  | Confirmed nick |
-| `token` | string  | 64-character hex auth token |
-
-**Errors:**
-
-| Status | Error | When |
-|--------|-------|------|
-| 400    | `invalid nick format` | Nick doesn't match allowed format |
-| 400    | `password must be at least 8 characters` | Password too short |
-| 409    | `nick already taken` | Another active session holds this nick |
-
-**curl example:**
-```bash
-TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/register \
-  -H 'Content-Type: application/json' \
-  -d '{"nick":"alice","password":"mypassword"}' | jq -r .token)
-echo $TOKEN
-```
-
-### POST /api/v1/login — Login to Account
-
-Authenticate with a previously registered nick and password. Creates a new
-client token for the existing session, preserving channel memberships and
-message queues. This is how multi-client access works for registered accounts:
-each login adds a new client to the session.
-
-On successful login, the server enqueues MOTD messages and synthetic channel
-state (JOIN + TOPIC + NAMES for each channel the session belongs to) into the
-new client's queue, so the client can immediately restore its UI state.
-
-**Request Body:**
-```json
-{"nick": "alice", "password": "mypassword"}
-```
-
-| Field      | Type   | Required | Constraints |
-|------------|--------|----------|-------------|
-| `nick`     | string | Yes      | Must match a registered account |
-| `password` | string | Yes      | Must match the account's password |
-
-**Response:** `200 OK`
-```json
-{
-  "id": 1,
-  "nick": "alice",
-  "token": "7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f"
-}
-```
-
-| Field   | Type    | Description |
-|---------|---------|-------------|
-| `id`    | integer | Session ID (same as when registered) |
-| `nick`  | string  | Current nick |
-| `token` | string  | New 64-character hex auth token for this client |
-
-**Errors:**
-
-| Status | Error | When |
-|--------|-------|------|
-| 400    | `nick and password required` | Missing nick or password |
-| 401    | `invalid credentials` | Wrong password, nick not found, or account has no password |
-
-**curl example:**
-```bash
-TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/login \
-  -H 'Content-Type: application/json' \
-  -d '{"nick":"alice","password":"mypassword"}' | jq -r .token)
-echo $TOKEN
-```
-
 ### GET /api/v1/state — Get Session State
 
 Return the current user's session state.
@@ -1751,16 +1590,9 @@ authenticity.
 ### Authentication
 
 - **Session auth**: Opaque bearer tokens (64 hex chars = 256 bits of entropy).
-  Tokens are hashed (SHA-256) before storage and validated on every request.
-- **Anonymous sessions**: `POST /api/v1/session` requires only a nick. No
-  password, instant access. The token is the sole credential.
-- **Registered accounts**: `POST /api/v1/register` accepts a nick and password
-  (minimum 8 characters). The password is hashed with bcrypt at the default
-  cost factor and stored alongside the session. `POST /api/v1/login`
-  authenticates against the stored hash and issues a new client token.
-- **Password security**: Passwords are never stored in plain text. bcrypt
-  handles salting and key stretching automatically. Anonymous sessions have
-  an empty `password_hash` and cannot be logged into via `/login`.
+  Tokens are stored in the database and validated on every request.
+- **No passwords**: Session creation requires only a nick. The token is the
+  sole credential.
 - **Token security**: Tokens should be treated like session cookies. Transmit
   only over HTTPS in production. If a token is compromised, the attacker has
   full access to the session until QUIT or expiry.
@@ -1908,26 +1740,13 @@ The database schema is managed via embedded SQL migration files in
 
 **Current tables:**
 
-#### `sessions`
-| Column         | Type     | Description |
-|----------------|----------|-------------|
-| `id`           | INTEGER  | Primary key (auto-increment) |
-| `uuid`         | TEXT     | Unique session UUID |
-| `nick`         | TEXT     | Unique nick |
-| `password_hash`| TEXT     | bcrypt hash (empty string for anonymous sessions) |
-| `signing_key`  | TEXT     | Public signing key (empty string if unset) |
-| `away_message` | TEXT     | Away message (empty string if not away) |
-| `created_at`   | DATETIME | Session creation time |
-| `last_seen`    | DATETIME | Last API request time |
-
-#### `clients`
+#### `users`
 | Column      | Type     | Description |
 |-------------|----------|-------------|
 | `id`        | INTEGER  | Primary key (auto-increment) |
-| `uuid`      | TEXT     | Unique client UUID |
-| `session_id`| INTEGER  | FK → sessions.id (cascade delete) |
-| `token`     | TEXT     | Unique auth token (SHA-256 hash of 64 hex chars) |
-| `created_at`| DATETIME | Client creation time |
+| `nick`      | TEXT     | Unique nick |
+| `token`     | TEXT     | Unique auth token (64 hex chars) |
+| `created_at`| DATETIME | Session creation time |
 | `last_seen` | DATETIME | Last API request time |
 
 #### `channels`
@@ -1984,19 +1803,10 @@ skew issues) and simpler than UUIDs (integer comparison vs. string comparison).
 - **Client output queue entries**: Pruned automatically when older than
   `QUEUE_MAX_AGE` (default 30 days).
 - **Channels**: Deleted when the last member leaves (ephemeral).
-- **Sessions**: Both anonymous and registered sessions are deleted on `QUIT`
-  or when the last client logs out (`POST /api/v1/logout` with no remaining
-  clients triggers session cleanup). There is no distinction between session
-  types in the cleanup path — `handleQuit` and `cleanupUser` both call
-  `DeleteSession` unconditionally. Idle sessions are automatically expired
-  after `SESSION_IDLE_TIMEOUT`
-  (default 30 days) — the server runs a background cleanup loop that parts
-  idle users from all channels, broadcasts QUIT, and releases their nicks.
-- **Clients**: Individual client tokens are deleted on `POST /api/v1/logout`.
-  A session can have multiple clients; removing one doesn't affect others.
-  However, when the last client is removed (via logout), the entire session
-  is deleted — the user is parted from all channels, QUIT is broadcast, and
-  the nick is released.
+- **Users/sessions**: Deleted on `QUIT` or `POST /api/v1/logout`. Idle
+  sessions are automatically expired after `SESSION_IDLE_TIMEOUT` (default
+  30 days) — the server runs a background cleanup loop that parts idle users
+  from all channels, broadcasts QUIT, and releases their nicks.
 
 ---
 
@@ -2145,21 +1955,11 @@ A complete client needs only four HTTP calls:
 ### Step-by-Step with curl
 
 ```bash
-# 1a. Create an anonymous session (no account)
+# 1. Create a session
 export TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/session \
   -H 'Content-Type: application/json' \
   -d '{"nick":"testuser"}' | jq -r .token)
 
-# 1b. Or register an account (multi-client support)
-export TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/register \
-  -H 'Content-Type: application/json' \
-  -d '{"nick":"testuser","password":"mypassword"}' | jq -r .token)
-
-# 1c. Or login to an existing account
-export TOKEN=$(curl -s -X POST http://localhost:8080/api/v1/login \
-  -H 'Content-Type: application/json' \
-  -d '{"nick":"testuser","password":"mypassword"}' | jq -r .token)
-
 # 2. Join a channel
 curl -s -X POST http://localhost:8080/api/v1/messages \
   -H "Authorization: Bearer $TOKEN" \
@@ -2292,11 +2092,9 @@ Clients should handle these message commands from the queue:
 
 ### Error Handling
 
-- **HTTP 401**: Token expired or invalid. Re-create session (anonymous) or
-  re-login (registered account).
+- **HTTP 401**: Token expired or invalid. Re-create session.
 - **HTTP 404**: Channel or user not found.
-- **HTTP 409**: Nick already taken (on session creation, registration, or
-  NICK change).
+- **HTTP 409**: Nick already taken (on session creation or NICK change).
 - **HTTP 400**: Malformed request. Check the `error` field in the response.
 - **Network errors**: Back off exponentially (1s, 2s, 4s, ..., max 30s).
 
@@ -2313,10 +2111,8 @@ Clients should handle these message commands from the queue:
 4. **DM tab logic**: When you receive a PRIVMSG where `to` is not a channel
    (no `#` prefix), the DM tab should be keyed by the **other** user's nick:
    if `from` is you, use `to`; if `from` is someone else, use `from`.
-5. **Reconnection**: If the poll loop fails with 401, the token is invalid.
-   For anonymous sessions, create a new session. For registered accounts,
-   log in again via `POST /api/v1/login` to get a fresh token on the same
-   session. If it fails with a network error, retry with backoff.
+5. **Reconnection**: If the poll loop fails with 401, the session is gone.
+   Create a new session. If it fails with a network error, retry with backoff.
 
 ---
 
@@ -2587,13 +2383,9 @@ neoirc/
    build a working IRC-style TUI client against this API in an afternoon, the
    API is too complex.
 
-2. **Accounts optional** — anonymous sessions are instant: pick a nick and
-   talk. No registration, no email verification. The cost of entry is a
-   hashcash proof, not bureaucracy. For users who want multi-client access
-   (multiple devices sharing one session), optional account registration
-   with password is available — but never required. Identity
-   verification at the message layer uses cryptographic signing,
-   independent of account status.
+2. **No accounts** — identity is a signing key, nick is a display name. No
+   registration, no passwords, no email verification. Session creation is
+   instant. The cost of entry is a hashcash proof, not bureaucracy.
 
 3. **IRC semantics over HTTP** — command names and numeric codes from
    RFC 1459/2812. If you've built an IRC client or bot, you already know the

go.mod

@@ -6,7 +6,7 @@ require (
 	github.com/99designs/basicauth-go v0.0.0-20230316000542-bf6f9cbbf0f8
 	github.com/gdamore/tcell/v2 v2.13.8
 	github.com/getsentry/sentry-go v0.42.0
-	github.com/go-chi/chi/v5 v5.2.1
+	github.com/go-chi/chi v1.5.5
 	github.com/go-chi/cors v1.2.2
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1

go.sum

@@ -18,8 +18,8 @@ github.com/gdamore/tcell/v2 v2.13.8 h1:Mys/Kl5wfC/GcC5Cx4C2BIQH9dbnhnkPgS9/wF3Rl
 github.com/gdamore/tcell/v2 v2.13.8/go.mod h1:+Wfe208WDdB7INEtCsNrAN6O2m+wsTPk1RAovjaILlo=
 github.com/getsentry/sentry-go v0.42.0 h1:eeFMACuZTbUQf90RE8dE4tXeSe4CZyfvR1MBL7RLEt8=
 github.com/getsentry/sentry-go v0.42.0/go.mod h1:eRXCoh3uvmjQLY6qu63BjUZnaBu5L5WhMV1RwYO8W5s=
-github.com/go-chi/chi/v5 v5.2.1 h1:KOIHODQj58PmL80G2Eak4WdvUzjSJSm0vG72crDCqb8=
-github.com/go-chi/chi/v5 v5.2.1/go.mod h1:L2yAIGWB3H+phAw1NxKwWM+7eUH/lU8pOMm5hHcoops=
+github.com/go-chi/chi v1.5.5 h1:vOB/HbEMt9QqBqErz07QehcOKHaWFtuj87tTDVz2qXE=
+github.com/go-chi/chi v1.5.5/go.mod h1:C9JqLr3tIYjDOZpzn+BCuxY8z8vmca43EeMgyZt7irw=
 github.com/go-chi/cors v1.2.2 h1:Jmey33TE+b+rB7fT8MUy1u0I4L+NARQlK6LhzKPSyQE=
 github.com/go-chi/cors v1.2.2/go.mod h1:sSbTewc+6wYHBBCW7ytsFSn836hqM7JxpglAy2Vzc58=
 github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA=

internal/db/queries.go

@@ -1110,121 +1110,6 @@ func (database *Database) GetSessionCreatedAt(
 	return createdAt, nil
 }
 
-// SetAway sets the away message for a session.
-// An empty message clears the away status.
-func (database *Database) SetAway(
-	ctx context.Context,
-	sessionID int64,
-	message string,
-) error {
-	_, err := database.conn.ExecContext(ctx,
-		"UPDATE sessions SET away_message = ? WHERE id = ?",
-		message, sessionID)
-	if err != nil {
-		return fmt.Errorf("set away: %w", err)
-	}
-
-	return nil
-}
-
-// GetAway returns the away message for a session.
-// Returns an empty string if the user is not away.
-func (database *Database) GetAway(
-	ctx context.Context,
-	sessionID int64,
-) (string, error) {
-	var msg string
-
-	err := database.conn.QueryRowContext(ctx,
-		"SELECT away_message FROM sessions WHERE id = ?",
-		sessionID,
-	).Scan(&msg)
-	if err != nil {
-		return "", fmt.Errorf("get away: %w", err)
-	}
-
-	return msg, nil
-}
-
-// SetTopicMeta sets the topic along with who set it and
-// when.
-func (database *Database) SetTopicMeta(
-	ctx context.Context,
-	channelName, topic, setBy string,
-) error {
-	now := time.Now()
-
-	_, err := database.conn.ExecContext(ctx,
-		`UPDATE channels
-		 SET topic = ?, topic_set_by = ?,
-		     topic_set_at = ?, updated_at = ?
-		 WHERE name = ?`,
-		topic, setBy, now, now, channelName)
-	if err != nil {
-		return fmt.Errorf("set topic meta: %w", err)
-	}
-
-	return nil
-}
-
-// TopicMeta holds topic metadata for a channel.
-type TopicMeta struct {
-	SetBy string
-	SetAt time.Time
-}
-
-// GetTopicMeta returns who set the topic and when.
-func (database *Database) GetTopicMeta(
-	ctx context.Context,
-	channelID int64,
-) (*TopicMeta, error) {
-	var (
-		setBy string
-		setAt sql.NullTime
-	)
-
-	err := database.conn.QueryRowContext(ctx,
-		`SELECT topic_set_by, topic_set_at
-		 FROM channels WHERE id = ?`,
-		channelID,
-	).Scan(&setBy, &setAt)
-	if err != nil {
-		return nil, fmt.Errorf(
-			"get topic meta: %w", err,
-		)
-	}
-
-	if setBy == "" || !setAt.Valid {
-		return nil, nil //nolint:nilnil
-	}
-
-	return &TopicMeta{
-		SetBy: setBy,
-		SetAt: setAt.Time,
-	}, nil
-}
-
-// GetSessionLastSeen returns the last_seen time for a
-// session.
-func (database *Database) GetSessionLastSeen(
-	ctx context.Context,
-	sessionID int64,
-) (time.Time, error) {
-	var lastSeen time.Time
-
-	err := database.conn.QueryRowContext(ctx,
-		"SELECT last_seen FROM sessions WHERE id = ?",
-		sessionID,
-	).Scan(&lastSeen)
-	if err != nil {
-		return time.Time{}, fmt.Errorf(
-			"get session last_seen: %w", err,
-		)
-	}
-
-	return lastSeen, nil
-}
-
 // PruneOldQueueEntries deletes client output queue entries
 // older than cutoff and returns the number of rows removed.
 func (database *Database) PruneOldQueueEntries(

internal/db/schema/001_initial.sql

@@ -8,7 +8,6 @@ CREATE TABLE IF NOT EXISTS sessions (
     nick TEXT NOT NULL UNIQUE,
     password_hash TEXT NOT NULL DEFAULT '',
     signing_key TEXT NOT NULL DEFAULT '',
-    away_message TEXT NOT NULL DEFAULT '',
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -31,8 +30,6 @@ CREATE TABLE IF NOT EXISTS channels (
     id INTEGER PRIMARY KEY AUTOINCREMENT,
     name TEXT NOT NULL UNIQUE,
     topic TEXT NOT NULL DEFAULT '',
-    topic_set_by TEXT NOT NULL DEFAULT '',
-    topic_set_at DATETIME,
     created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
     updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );

internal/handlers/api.go

@@ -12,7 +12,7 @@ import (
 
 	"git.eeqj.de/sneak/neoirc/internal/db"
 	"git.eeqj.de/sneak/neoirc/pkg/irc"
-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 )
 
 var validNickRe = regexp.MustCompile(
@@ -71,10 +71,11 @@ func (hdlr *Handlers) requireAuth(
 	sessionID, clientID, nick, err :=
 		hdlr.authSession(request)
 	if err != nil {
-		hdlr.respondJSON(writer, request, map[string]any{
-			"error":   "not registered",
-			"numeric": irc.ErrNotRegistered,
-		}, http.StatusUnauthorized)
+		hdlr.respondError(
+			writer, request,
+			"unauthorized",
+			http.StatusUnauthorized,
+		)
 
 		return 0, 0, "", false
 	}
@@ -836,11 +837,6 @@ func (hdlr *Handlers) dispatchCommand(
 	bodyLines func() []string,
 ) {
 	switch command {
-	case irc.CmdAway:
-		hdlr.handleAway(
-			writer, request,
-			sessionID, clientID, nick, bodyLines,
-		)
 	case irc.CmdPrivmsg, irc.CmdNotice:
 		hdlr.handlePrivmsg(
 			writer, request,
@@ -951,8 +947,8 @@ func (hdlr *Handlers) handlePrivmsg(
 	if target == "" {
 		hdlr.enqueueNumeric(
 			request.Context(), clientID,
-			irc.ErrNoRecipient, nick, []string{command},
-			"No recipient given",
+			irc.ErrNeedMoreParams, nick, []string{command},
+			"Not enough parameters",
 		)
 		hdlr.broker.Notify(sessionID)
 		hdlr.respondJSON(writer, request,
@@ -966,8 +962,8 @@ func (hdlr *Handlers) handlePrivmsg(
 	if len(lines) == 0 {
 		hdlr.enqueueNumeric(
 			request.Context(), clientID,
-			irc.ErrNoTextToSend, nick, []string{command},
-			"No text to send",
+			irc.ErrNeedMoreParams, nick, []string{command},
+			"Not enough parameters",
 		)
 		hdlr.broker.Notify(sessionID)
 		hdlr.respondJSON(writer, request,
@@ -1054,8 +1050,8 @@ func (hdlr *Handlers) handleChannelMsg(
 	if !isMember {
 		hdlr.respondIRCError(
 			writer, request, clientID, sessionID,
-			irc.ErrCannotSendToChan, nick, []string{target},
-			"Cannot send to channel",
+			irc.ErrNotOnChannel, nick, []string{target},
+			"You're not on that channel",
 		)
 
 		return
@@ -1151,19 +1147,6 @@ func (hdlr *Handlers) handleDirectMsg(
 		return
 	}
 
-	// If the target is away, send RPL_AWAY to the sender.
-	awayMsg, awayErr := hdlr.params.Database.GetAway(
-		request.Context(), targetSID,
-	)
-	if awayErr == nil && awayMsg != "" {
-		hdlr.enqueueNumeric(
-			request.Context(), clientID,
-			irc.RplAway, nick,
-			[]string{target}, awayMsg,
-		)
-		hdlr.broker.Notify(sessionID)
-	}
-
 	hdlr.respondJSON(writer, request,
 		map[string]string{"id": msgUUID, "status": "sent"},
 		http.StatusOK)
@@ -1274,25 +1257,14 @@ func (hdlr *Handlers) deliverJoinNumerics(
 ) {
 	ctx := request.Context()
 
-	hdlr.deliverTopicNumerics(
-		ctx, clientID, sessionID, nick, channel, chID,
+	chInfo, err := hdlr.params.Database.GetChannelByName(
+		ctx, channel,
 	)
+	if err == nil {
+		_ = chInfo // chInfo is the ID; topic comes from DB.
+	}
 
-	hdlr.deliverNamesNumerics(
-		ctx, clientID, nick, channel, chID,
-	)
-
-	hdlr.broker.Notify(sessionID)
-}
-
-// deliverTopicNumerics sends RPL_TOPIC or RPL_NOTOPIC,
-// plus RPL_TOPICWHOTIME when topic metadata is available.
-func (hdlr *Handlers) deliverTopicNumerics(
-	ctx context.Context,
-	clientID, sessionID int64,
-	nick, channel string,
-	chID int64,
-) {
+	// Get topic from channel info.
 	channels, listErr := hdlr.params.Database.ListChannels(
 		ctx, sessionID,
 	)
@@ -1314,39 +1286,14 @@ func (hdlr *Handlers) deliverTopicNumerics(
 			ctx, clientID, irc.RplTopic, nick,
 			[]string{channel}, topic,
 		)
-
-		topicMeta, tmErr := hdlr.params.Database.
-			GetTopicMeta(ctx, chID)
-		if tmErr == nil && topicMeta != nil {
-			hdlr.enqueueNumeric(
-				ctx, clientID,
-				irc.RplTopicWhoTime, nick,
-				[]string{
-					channel,
-					topicMeta.SetBy,
-					strconv.FormatInt(
-						topicMeta.SetAt.Unix(), 10,
-					),
-				},
-				"",
-			)
-		}
 	} else {
 		hdlr.enqueueNumeric(
 			ctx, clientID, irc.RplNoTopic, nick,
 			[]string{channel}, "No topic is set",
 		)
 	}
-}
 
-// deliverNamesNumerics sends RPL_NAMREPLY and
-// RPL_ENDOFNAMES for a channel.
-func (hdlr *Handlers) deliverNamesNumerics(
-	ctx context.Context,
-	clientID int64,
-	nick, channel string,
-	chID int64,
-) {
+	// Get member list for NAMES reply.
 	members, memErr := hdlr.params.Database.ChannelMembers(
 		ctx, chID,
 	)
@@ -1369,6 +1316,8 @@ func (hdlr *Handlers) deliverNamesNumerics(
 		ctx, clientID, irc.RplEndOfNames, nick,
 		[]string{channel}, "End of /NAMES list",
 	)
+
+	hdlr.broker.Notify(sessionID)
 }
 
 func (hdlr *Handlers) handlePart(
@@ -1652,8 +1601,8 @@ func (hdlr *Handlers) executeTopic(
 	body json.RawMessage,
 	chID int64,
 ) {
-	setErr := hdlr.params.Database.SetTopicMeta(
-		request.Context(), channel, topic, nick,
+	setErr := hdlr.params.Database.SetTopic(
+		request.Context(), channel, topic,
 	)
 	if setErr != nil {
 		hdlr.log.Error(
@@ -1680,25 +1629,6 @@ func (hdlr *Handlers) executeTopic(
 		request.Context(), clientID,
 		irc.RplTopic, nick, []string{channel}, topic,
 	)
-
-	// 333 RPL_TOPICWHOTIME
-	topicMeta, tmErr := hdlr.params.Database.
-		GetTopicMeta(request.Context(), chID)
-	if tmErr == nil && topicMeta != nil {
-		hdlr.enqueueNumeric(
-			request.Context(), clientID,
-			irc.RplTopicWhoTime, nick,
-			[]string{
-				channel,
-				topicMeta.SetBy,
-				strconv.FormatInt(
-					topicMeta.SetAt.Unix(), 10,
-				),
-			},
-			"",
-		)
-	}
-
 	hdlr.broker.Notify(sessionID)
 
 	hdlr.respondJSON(writer, request,
@@ -2088,11 +2018,6 @@ func (hdlr *Handlers) executeWhois(
 		"neoirc server",
 	)
 
-	// 317 RPL_WHOISIDLE
-	hdlr.deliverWhoisIdle(
-		ctx, clientID, nick, queryNick, targetSID,
-	)
-
 	// 319 RPL_WHOISCHANNELS
 	hdlr.deliverWhoisChannels(
 		ctx, clientID, nick, queryNick, targetSID,
@@ -2510,95 +2435,3 @@ func (hdlr *Handlers) HandleServerInfo() http.HandlerFunc {
 		)
 	}
 }
-
-// handleAway handles the AWAY command. An empty body
-// clears the away status; a non-empty body sets it.
-func (hdlr *Handlers) handleAway(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick string,
-	bodyLines func() []string,
-) {
-	ctx := request.Context()
-
-	lines := bodyLines()
-
-	awayMsg := ""
-	if len(lines) > 0 {
-		awayMsg = strings.Join(lines, " ")
-	}
-
-	err := hdlr.params.Database.SetAway(
-		ctx, sessionID, awayMsg,
-	)
-	if err != nil {
-		hdlr.log.Error("set away failed", "error", err)
-		hdlr.respondError(
-			writer, request,
-			"internal error",
-			http.StatusInternalServerError,
-		)
-
-		return
-	}
-
-	if awayMsg == "" {
-		// 305 RPL_UNAWAY
-		hdlr.enqueueNumeric(
-			ctx, clientID, irc.RplUnaway, nick, nil,
-			"You are no longer marked as being away",
-		)
-	} else {
-		// 306 RPL_NOWAWAY
-		hdlr.enqueueNumeric(
-			ctx, clientID, irc.RplNowAway, nick, nil,
-			"You have been marked as being away",
-		)
-	}
-
-	hdlr.broker.Notify(sessionID)
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
-
-// deliverWhoisIdle sends RPL_WHOISIDLE (317) with idle
-// time and signon time.
-func (hdlr *Handlers) deliverWhoisIdle(
-	ctx context.Context,
-	clientID int64,
-	nick, queryNick string,
-	targetSID int64,
-) {
-	lastSeen, lsErr := hdlr.params.Database.
-		GetSessionLastSeen(ctx, targetSID)
-	if lsErr != nil {
-		return
-	}
-
-	createdAt, caErr := hdlr.params.Database.
-		GetSessionCreatedAt(ctx, targetSID)
-	if caErr != nil {
-		return
-	}
-
-	idleSeconds := int64(time.Since(lastSeen).Seconds())
-	if idleSeconds < 0 {
-		idleSeconds = 0
-	}
-
-	signonUnix := strconv.FormatInt(
-		createdAt.Unix(), 10,
-	)
-
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplWhoisIdle, nick,
-		[]string{
-			queryNick,
-			strconv.FormatInt(idleSeconds, 10),
-			signonUnix,
-		},
-		"seconds idle, signon time",
-	)
-}

internal/handlers/api_test.go

@@ -811,9 +811,9 @@ func TestMessageMissingBody(t *testing.T) {
 
 	msgs, _ := tserver.pollMessages(token, lastID)
 
-	if !findNumeric(msgs, "412") {
+	if !findNumeric(msgs, "461") {
 		t.Fatalf(
-			"expected ERR_NOTEXTTOSEND (412), got %v",
+			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
@@ -835,9 +835,9 @@ func TestMessageMissingTo(t *testing.T) {
 
 	msgs, _ := tserver.pollMessages(token, lastID)
 
-	if !findNumeric(msgs, "411") {
+	if !findNumeric(msgs, "461") {
 		t.Fatalf(
-			"expected ERR_NORECIPIENT (411), got %v",
+			"expected ERR_NEEDMOREPARAMS (461), got %v",
 			msgs,
 		)
 	}
@@ -870,9 +870,9 @@ func TestNonMemberCannotSend(t *testing.T) {
 
 	msgs, _ := tserver.pollMessages(aliceToken, lastID)
 
-	if !findNumeric(msgs, "404") {
+	if !findNumeric(msgs, "442") {
 		t.Fatalf(
-			"expected ERR_CANNOTSENDTOCHAN (404), got %v",
+			"expected ERR_NOTONCHANNEL (442), got %v",
 			msgs,
 		)
 	}

internal/middleware/middleware.go

@@ -11,7 +11,7 @@ import (
 	"git.eeqj.de/sneak/neoirc/internal/globals"
 	"git.eeqj.de/sneak/neoirc/internal/logger"
 	basicauth "github.com/99designs/basicauth-go"
-	chimw "github.com/go-chi/chi/v5/middleware"
+	chimw "github.com/go-chi/chi/middleware"
 	"github.com/go-chi/cors"
 	metrics "github.com/slok/go-http-metrics/metrics/prometheus"
 	ghmm "github.com/slok/go-http-metrics/middleware"

internal/server/routes.go

@@ -8,8 +8,8 @@ import (
 	"git.eeqj.de/sneak/neoirc/web"
 
 	sentryhttp "github.com/getsentry/sentry-go/http"
-	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/chi/v5/middleware"
+	"github.com/go-chi/chi"
+	"github.com/go-chi/chi/middleware"
 	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"github.com/spf13/viper"
 )

internal/server/server.go

@@ -20,7 +20,7 @@ import (
 	"go.uber.org/fx"
 
 	"github.com/getsentry/sentry-go"
-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi"
 
 	_ "github.com/joho/godotenv/autoload" // loads .env file
 )

pkg/irc/commands.go

@@ -2,7 +2,6 @@ package irc
 
 // IRC command names (RFC 1459 / RFC 2812).
 const (
-	CmdAway    = "AWAY"
 	CmdJoin    = "JOIN"
 	CmdList    = "LIST"
 	CmdLusers  = "LUSERS"