docs: add reverse proxy security note to login rate limiting section

feat: add per-IP rate limiting to login endpoint
Add a token-bucket rate limiter (golang.org/x/time/rate) that limits login attempts per client IP on POST /api/v1/login. Returns 429 Too Many Requests with a Retry-After header when the limit is exceeded. Configurable via LOGIN_RATE_LIMIT (requests/sec, default 1) and LOGIN_RATE_BURST (burst size, default 5). Stale per-IP entries are automatically cleaned up every 10 minutes. Only the login endpoint is rate-limited per sneak's instruction — session creation and registration use hashcash proof-of-work instead.
2026-03-19 22:52:31 -07:00 · 2026-03-19 22:52:31 -07:00
20 changed files with 1041 additions and 8888 deletions
--- a/2
+++ b/2
@@ -32,7 +32,7 @@ fmt-check:
 	@test -z "$$(gofmt -l .)" || (echo "Files not formatted:" && gofmt -l . && exit 1)

 test: ensure-web-dist
-	go test -timeout 30s -race -cover ./... || go test -timeout 30s -race -v ./...
+	go test -timeout 30s -v -race -cover ./...

 # check runs all validation without making changes
 # Used by CI and Docker build — fails if anything is wrong
--- a/README.md
+++ b/README.md
--- a/internal/cli/api/client.go
+++ b/internal/cli/api/client.go
@@ -9,7 +9,6 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	"net/http/cookiejar"
 	"net/url"
 	"strconv"
 	"strings"
@@ -29,19 +28,16 @@ var errHTTP = errors.New("HTTP error")
 // Client wraps HTTP calls to the neoirc server API.
 type Client struct {
 	BaseURL    string
+	Token      string
 	HTTPClient *http.Client
 }

-// NewClient creates a new API client with a cookie jar
-// for automatic auth cookie management.
+// NewClient creates a new API client.
 func NewClient(baseURL string) *Client {
-	jar, _ := cookiejar.New(nil)
-
-	return &Client{
+	return &Client{ //nolint:exhaustruct // Token set after CreateSession
 		BaseURL: baseURL,
 		HTTPClient: &http.Client{ //nolint:exhaustruct // defaults fine
 			Timeout: httpTimeout,
-			Jar:     jar,
 		},
 	}
 }
@@ -83,6 +79,8 @@ func (client *Client) CreateSession(
 		return nil, fmt.Errorf("decode session: %w", err)
 	}

+	client.Token = resp.Token
+
 	return &resp, nil
 }

@@ -123,7 +121,6 @@ func (client *Client) PollMessages(
 		Timeout: time.Duration(
 			timeout+pollExtraTime,
 		) * time.Second,
-		Jar: client.HTTPClient.Jar,
 	}

 	params := url.Values{}
@@ -148,6 +145,10 @@ func (client *Client) PollMessages(
 		return nil, fmt.Errorf("new request: %w", err)
 	}

+	request.Header.Set(
+		"Authorization", "Bearer "+client.Token,
+	)
+
 	resp, err := pollClient.Do(request)
 	if err != nil {
 		return nil, fmt.Errorf("poll request: %w", err)
@@ -303,6 +304,12 @@ func (client *Client) do(
 		"Content-Type", "application/json",
 	)

+	if client.Token != "" {
+		request.Header.Set(
+			"Authorization", "Bearer "+client.Token,
+		)
+	}
+
 	resp, err := client.HTTPClient.Do(request)
 	if err != nil {
 		return nil, fmt.Errorf("http: %w", err)
--- a/internal/cli/api/types.go
+++ b/internal/cli/api/types.go
@@ -12,6 +12,7 @@ type SessionRequest struct {
 type SessionResponse struct {
 	ID    int64  `json:"id"`
 	Nick  string `json:"nick"`
+	Token string `json:"token"`
 }

 // StateResponse is the response from GET /api/v1/state.
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -46,8 +46,6 @@ type Config struct {
 	FederationKey      string
 	SessionIdleTimeout string
 	HashcashBits       int
-	OperName           string
-	OperPassword       string
 	LoginRateLimit     float64
 	LoginRateBurst     int
 	params             *Params
@@ -82,8 +80,6 @@ func New(
 	viper.SetDefault("FEDERATION_KEY", "")
 	viper.SetDefault("SESSION_IDLE_TIMEOUT", "720h")
 	viper.SetDefault("NEOIRC_HASHCASH_BITS", "20")
-	viper.SetDefault("NEOIRC_OPER_NAME", "")
-	viper.SetDefault("NEOIRC_OPER_PASSWORD", "")
 	viper.SetDefault("LOGIN_RATE_LIMIT", "1")
 	viper.SetDefault("LOGIN_RATE_BURST", "5")

@@ -112,8 +108,6 @@ func New(
 		FederationKey:      viper.GetString("FEDERATION_KEY"),
 		SessionIdleTimeout: viper.GetString("SESSION_IDLE_TIMEOUT"),
 		HashcashBits:       viper.GetInt("NEOIRC_HASHCASH_BITS"),
-		OperName:           viper.GetString("NEOIRC_OPER_NAME"),
-		OperPassword:       viper.GetString("NEOIRC_OPER_PASSWORD"),
 		LoginRateLimit:     viper.GetFloat64("LOGIN_RATE_LIMIT"),
 		LoginRateBurst:     viper.GetInt("LOGIN_RATE_BURST"),
 		log:                log,
--- a/internal/db/auth.go
+++ b/internal/db/auth.go
@@ -10,46 +10,93 @@ import (
 	"golang.org/x/crypto/bcrypt"
 )

-//nolint:gochecknoglobals // var so tests can override via SetBcryptCost
-var bcryptCost = bcrypt.DefaultCost
-
-// SetBcryptCost overrides the bcrypt cost.
-// Use bcrypt.MinCost in tests to avoid slow hashing.
-func SetBcryptCost(cost int) { bcryptCost = cost }
+const bcryptCost = bcrypt.DefaultCost

 var errNoPassword = errors.New(
 	"account has no password set",
 )

-// SetPassword sets a bcrypt-hashed password on a session,
-// enabling multi-client login via POST /api/v1/login.
-func (database *Database) SetPassword(
+// RegisterUser creates a session with a hashed password
+// and returns session ID, client ID, and token.
+func (database *Database) RegisterUser(
 	ctx context.Context,
-	sessionID int64,
-	password string,
-) error {
+	nick, password string,
+) (int64, int64, string, error) {
 	hash, err := bcrypt.GenerateFromPassword(
 		[]byte(password), bcryptCost,
 	)
 	if err != nil {
-		return fmt.Errorf("hash password: %w", err)
+		return 0, 0, "", fmt.Errorf(
+			"hash password: %w", err,
+		)
 	}

-	_, err = database.conn.ExecContext(ctx,
-		"UPDATE sessions SET password_hash = ? WHERE id = ?",
-		string(hash), sessionID)
+	sessionUUID := uuid.New().String()
+	clientUUID := uuid.New().String()
+
+	token, err := generateToken()
 	if err != nil {
-		return fmt.Errorf("set password: %w", err)
+		return 0, 0, "", err
 	}

-	return nil
+	now := time.Now()
+
+	transaction, err := database.conn.BeginTx(ctx, nil)
+	if err != nil {
+		return 0, 0, "", fmt.Errorf(
+			"begin tx: %w", err,
+		)
+	}
+
+	res, err := transaction.ExecContext(ctx,
+		`INSERT INTO sessions
+		 (uuid, nick, password_hash,
+		  created_at, last_seen)
+		 VALUES (?, ?, ?, ?, ?)`,
+		sessionUUID, nick, string(hash), now, now)
+	if err != nil {
+		_ = transaction.Rollback()
+
+		return 0, 0, "", fmt.Errorf(
+			"create session: %w", err,
+		)
+	}
+
+	sessionID, _ := res.LastInsertId()
+
+	tokenHash := hashToken(token)
+
+	clientRes, err := transaction.ExecContext(ctx,
+		`INSERT INTO clients
+		 (uuid, session_id, token,
+		  created_at, last_seen)
+		 VALUES (?, ?, ?, ?, ?)`,
+		clientUUID, sessionID, tokenHash, now, now)
+	if err != nil {
+		_ = transaction.Rollback()
+
+		return 0, 0, "", fmt.Errorf(
+			"create client: %w", err,
+		)
+	}
+
+	clientID, _ := clientRes.LastInsertId()
+
+	err = transaction.Commit()
+	if err != nil {
+		return 0, 0, "", fmt.Errorf(
+			"commit registration: %w", err,
+		)
+	}
+
+	return sessionID, clientID, token, nil
 }

 // LoginUser verifies a nick/password and creates a new
 // client token.
 func (database *Database) LoginUser(
 	ctx context.Context,
-	nick, password, remoteIP, hostname string,
+	nick, password string,
 ) (int64, int64, string, error) {
 	var (
 		sessionID    int64
@@ -96,11 +143,10 @@ func (database *Database) LoginUser(

 	res, err := database.conn.ExecContext(ctx,
 		`INSERT INTO clients
-		 (uuid, session_id, token, ip, hostname,
+		 (uuid, session_id, token,
 		  created_at, last_seen)
-		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
-		clientUUID, sessionID, tokenHash,
-		remoteIP, hostname, now, now)
+		 VALUES (?, ?, ?, ?, ?)`,
+		clientUUID, sessionID, tokenHash, now, now)
 	if err != nil {
 		return 0, 0, "", fmt.Errorf(
 			"create login client: %w", err,
--- a/internal/db/auth_test.go
+++ b/internal/db/auth_test.go
@@ -6,65 +6,63 @@ import (
 	_ "modernc.org/sqlite"
 )

-func TestSetPassword(t *testing.T) {
+func TestRegisterUser(t *testing.T) {
 	t.Parallel()

 	database := setupTestDB(t)
 	ctx := t.Context()

-	sessionID, _, _, err :=
-		database.CreateSession(ctx, "passuser", "", "", "")
+	sessionID, clientID, token, err :=
+		database.RegisterUser(ctx, "reguser", "password123")
 	if err != nil {
 		t.Fatal(err)
 	}

-	err = database.SetPassword(
-		ctx, sessionID, "password123",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Verify we can now log in with the password.
-	loginSID, loginCID, loginToken, err :=
-		database.LoginUser(ctx, "passuser", "password123", "", "")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if loginSID == 0 || loginCID == 0 || loginToken == "" {
+	if sessionID == 0 || clientID == 0 || token == "" {
 		t.Fatal("expected valid ids and token")
 	}
+
+	// Verify session works via token lookup.
+	sid, cid, nick, err :=
+		database.GetSessionByToken(ctx, token)
+	if err != nil {
+		t.Fatal(err)
 	}

-func TestSetPasswordThenWrongLogin(t *testing.T) {
+	if sid != sessionID || cid != clientID {
+		t.Fatal("session/client id mismatch")
+	}
+
+	if nick != "reguser" {
+		t.Fatalf("expected reguser, got %s", nick)
+	}
+}
+
+func TestRegisterUserDuplicateNick(t *testing.T) {
 	t.Parallel()

 	database := setupTestDB(t)
 	ctx := t.Context()

-	sessionID, _, _, err :=
-		database.CreateSession(ctx, "wrongpw", "", "", "")
+	regSID, regCID, regToken, err :=
+		database.RegisterUser(ctx, "dupnick", "password123")
 	if err != nil {
 		t.Fatal(err)
 	}

-	err = database.SetPassword(
-		ctx, sessionID, "correctpass",
-	)
-	if err != nil {
-		t.Fatal(err)
+	_ = regSID
+	_ = regCID
+	_ = regToken
+
+	dupSID, dupCID, dupToken, dupErr :=
+		database.RegisterUser(ctx, "dupnick", "other12345")
+	if dupErr == nil {
+		t.Fatal("expected error for duplicate nick")
 	}

-	loginSID, loginCID, loginToken, loginErr :=
-		database.LoginUser(ctx, "wrongpw", "wrongpass12", "", "")
-	if loginErr == nil {
-		t.Fatal("expected error for wrong password")
-	}
-
-	_ = loginSID
-	_ = loginCID
-	_ = loginToken
+	_ = dupSID
+	_ = dupCID
+	_ = dupToken
 }

 func TestLoginUser(t *testing.T) {
@@ -73,26 +71,23 @@ func TestLoginUser(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()

-	sessionID, _, _, err :=
-		database.CreateSession(ctx, "loginuser", "", "", "")
+	regSID, regCID, regToken, err :=
+		database.RegisterUser(ctx, "loginuser", "mypassword")
 	if err != nil {
 		t.Fatal(err)
 	}

-	err = database.SetPassword(
-		ctx, sessionID, "mypassword",
-	)
+	_ = regSID
+	_ = regCID
+	_ = regToken
+
+	sessionID, clientID, token, err :=
+		database.LoginUser(ctx, "loginuser", "mypassword")
 	if err != nil {
 		t.Fatal(err)
 	}

-	loginSID, loginCID, token, err :=
-		database.LoginUser(ctx, "loginuser", "mypassword", "", "")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if loginSID == 0 || loginCID == 0 || token == "" {
+	if sessionID == 0 || clientID == 0 || token == "" {
 		t.Fatal("expected valid ids and token")
 	}

@@ -108,6 +103,33 @@ func TestLoginUser(t *testing.T) {
 	}
 }

+func TestLoginUserWrongPassword(t *testing.T) {
+	t.Parallel()
+
+	database := setupTestDB(t)
+	ctx := t.Context()
+
+	regSID, regCID, regToken, err :=
+		database.RegisterUser(ctx, "wrongpw", "correctpass")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	_ = regSID
+	_ = regCID
+	_ = regToken
+
+	loginSID, loginCID, loginToken, loginErr :=
+		database.LoginUser(ctx, "wrongpw", "wrongpass12")
+	if loginErr == nil {
+		t.Fatal("expected error for wrong password")
+	}
+
+	_ = loginSID
+	_ = loginCID
+	_ = loginToken
+}
+
 func TestLoginUserNoPassword(t *testing.T) {
 	t.Parallel()

@@ -116,7 +138,7 @@ func TestLoginUserNoPassword(t *testing.T) {

 	// Create anonymous session (no password).
 	anonSID, anonCID, anonToken, err :=
-		database.CreateSession(ctx, "anon", "", "", "")
+		database.CreateSession(ctx, "anon")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -126,7 +148,7 @@ func TestLoginUserNoPassword(t *testing.T) {
 	_ = anonToken

 	loginSID, loginCID, loginToken, loginErr :=
-		database.LoginUser(ctx, "anon", "anything1", "", "")
+		database.LoginUser(ctx, "anon", "anything1")
 	if loginErr == nil {
 		t.Fatal(
 			"expected error for login on passwordless account",
@@ -145,7 +167,7 @@ func TestLoginUserNonexistent(t *testing.T) {
 	ctx := t.Context()

 	loginSID, loginCID, loginToken, err :=
-		database.LoginUser(ctx, "ghost", "password123", "", "")
+		database.LoginUser(ctx, "ghost", "password123")
 	if err == nil {
 		t.Fatal("expected error for nonexistent user")
 	}
--- a/internal/db/main_test.go
+++ b/internal/db/main_test.go
@@ -1,14 +0,0 @@
-package db_test
-
-import (
-	"os"
-	"testing"
-
-	"git.eeqj.de/sneak/neoirc/internal/db"
-	"golang.org/x/crypto/bcrypt"
-)
-
-func TestMain(m *testing.M) {
-	db.SetBcryptCost(bcrypt.MinCost)
-	os.Exit(m.Run())
-}
--- a/internal/db/queries.go
+++ b/internal/db/queries.go
--- a/internal/db/queries_test.go
+++ b/internal/db/queries_test.go
@@ -34,7 +34,7 @@ func TestCreateSession(t *testing.T) {
 	ctx := t.Context()

 	sessionID, _, token, err := database.CreateSession(
-		ctx, "alice", "", "", "",
+		ctx, "alice",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -45,7 +45,7 @@ func TestCreateSession(t *testing.T) {
 	}

 	_, _, dupToken, dupErr := database.CreateSession(
-		ctx, "alice", "", "", "",
+		ctx, "alice",
 	)
 	if dupErr == nil {
 		t.Fatal("expected error for duplicate nick")
@@ -54,249 +54,13 @@ func TestCreateSession(t *testing.T) {
 	_ = dupToken
 }

-// assertSessionHostInfo creates a session and verifies
-// the stored username and hostname match expectations.
-func assertSessionHostInfo(
-	t *testing.T,
-	database *db.Database,
-	nick, inputUser, inputHost,
-	expectUser, expectHost string,
-) {
-	t.Helper()
-
-	sessionID, _, _, err := database.CreateSession(
-		t.Context(), nick, inputUser, inputHost, "",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	info, err := database.GetSessionHostInfo(
-		t.Context(), sessionID,
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if info.Username != expectUser {
-		t.Fatalf(
-			"expected username %s, got %s",
-			expectUser, info.Username,
-		)
-	}
-
-	if info.Hostname != expectHost {
-		t.Fatalf(
-			"expected hostname %s, got %s",
-			expectHost, info.Hostname,
-		)
-	}
-}
-
-func TestCreateSessionWithUserHost(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-
-	assertSessionHostInfo(
-		t, database,
-		"hostuser", "myident", "example.com",
-		"myident", "example.com",
-	)
-}
-
-func TestCreateSessionDefaultUsername(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-
-	// Empty username defaults to nick.
-	assertSessionHostInfo(
-		t, database,
-		"defaultu", "", "host.local",
-		"defaultu", "host.local",
-	)
-}
-
-func TestCreateSessionStoresIP(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	sessionID, clientID, _, err := database.CreateSession(
-		ctx, "ipuser", "ident", "host.example.com",
-		"192.168.1.42",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	info, err := database.GetSessionHostInfo(
-		ctx, sessionID,
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if info.IP != "192.168.1.42" {
-		t.Fatalf(
-			"expected session IP 192.168.1.42, got %s",
-			info.IP,
-		)
-	}
-
-	clientInfo, err := database.GetClientHostInfo(
-		ctx, clientID,
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if clientInfo.IP != "192.168.1.42" {
-		t.Fatalf(
-			"expected client IP 192.168.1.42, got %s",
-			clientInfo.IP,
-		)
-	}
-
-	if clientInfo.Hostname != "host.example.com" {
-		t.Fatalf(
-			"expected client hostname host.example.com, got %s",
-			clientInfo.Hostname,
-		)
-	}
-}
-
-func TestGetClientHostInfoNotFound(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-
-	_, err := database.GetClientHostInfo(
-		t.Context(), 99999,
-	)
-	if err == nil {
-		t.Fatal("expected error for nonexistent client")
-	}
-}
-
-func TestGetSessionHostInfoNotFound(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-
-	_, err := database.GetSessionHostInfo(
-		t.Context(), 99999,
-	)
-	if err == nil {
-		t.Fatal("expected error for nonexistent session")
-	}
-}
-
-func TestFormatHostmask(t *testing.T) {
-	t.Parallel()
-
-	result := db.FormatHostmask(
-		"nick", "user", "host.com",
-	)
-	if result != "nick!user@host.com" {
-		t.Fatalf(
-			"expected nick!user@host.com, got %s",
-			result,
-		)
-	}
-}
-
-func TestFormatHostmaskDefaults(t *testing.T) {
-	t.Parallel()
-
-	result := db.FormatHostmask("nick", "", "")
-	if result != "nick!nick@*" {
-		t.Fatalf(
-			"expected nick!nick@*, got %s",
-			result,
-		)
-	}
-}
-
-func TestMemberInfoHostmask(t *testing.T) {
-	t.Parallel()
-
-	member := &db.MemberInfo{ //nolint:exhaustruct // test only uses hostmask fields
-		Nick:     "alice",
-		Username: "aliceident",
-		Hostname: "alice.example.com",
-	}
-
-	hostmask := member.Hostmask()
-	expected := "alice!aliceident@alice.example.com"
-
-	if hostmask != expected {
-		t.Fatalf(
-			"expected %s, got %s", expected, hostmask,
-		)
-	}
-}
-
-func TestChannelMembersIncludeUserHost(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	sid, _, _, err := database.CreateSession(
-		ctx, "memuser", "myuser", "myhost.net", "",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	chID, err := database.GetOrCreateChannel(
-		ctx, "#hostchan",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = database.JoinChannel(ctx, chID, sid)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	members, err := database.ChannelMembers(ctx, chID)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(members) != 1 {
-		t.Fatalf(
-			"expected 1 member, got %d", len(members),
-		)
-	}
-
-	if members[0].Username != "myuser" {
-		t.Fatalf(
-			"expected username myuser, got %s",
-			members[0].Username,
-		)
-	}
-
-	if members[0].Hostname != "myhost.net" {
-		t.Fatalf(
-			"expected hostname myhost.net, got %s",
-			members[0].Hostname,
-		)
-	}
-}
-
 func TestGetSessionByToken(t *testing.T) {
 	t.Parallel()

 	database := setupTestDB(t)
 	ctx := t.Context()

-	_, _, token, err := database.CreateSession(ctx, "bob", "", "", "")
+	_, _, token, err := database.CreateSession(ctx, "bob")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -329,7 +93,7 @@ func TestGetSessionByNick(t *testing.T) {
 	ctx := t.Context()

 	charlieID, charlieClientID, charlieToken, err :=
-		database.CreateSession(ctx, "charlie", "", "", "")
+		database.CreateSession(ctx, "charlie")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -386,7 +150,7 @@ func TestJoinAndPart(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()

-	sid, _, _, err := database.CreateSession(ctx, "user1", "", "", "")
+	sid, _, _, err := database.CreateSession(ctx, "user1")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -435,7 +199,7 @@ func TestDeleteChannelIfEmpty(t *testing.T) {
 		t.Fatal(err)
 	}

-	sid, _, _, err := database.CreateSession(ctx, "temp", "", "", "")
+	sid, _, _, err := database.CreateSession(ctx, "temp")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -470,7 +234,7 @@ func createSessionWithChannels(

 	ctx := t.Context()

-	sid, _, _, err := database.CreateSession(ctx, nick, "", "", "")
+	sid, _, _, err := database.CreateSession(ctx, nick)
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -553,7 +317,7 @@ func TestChangeNick(t *testing.T) {
 	ctx := t.Context()

 	sid, _, token, err := database.CreateSession(
-		ctx, "old", "", "", "",
+		ctx, "old",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -637,7 +401,7 @@ func TestPollMessages(t *testing.T) {
 	ctx := t.Context()

 	sid, _, token, err := database.CreateSession(
-		ctx, "poller", "", "", "",
+		ctx, "poller",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -744,7 +508,7 @@ func TestDeleteSession(t *testing.T) {
 	ctx := t.Context()

 	sid, _, _, err := database.CreateSession(
-		ctx, "deleteme", "", "", "",
+		ctx, "deleteme",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -784,12 +548,12 @@ func TestChannelMembers(t *testing.T) {
 	database := setupTestDB(t)
 	ctx := t.Context()

-	sid1, _, _, err := database.CreateSession(ctx, "m1", "", "", "")
+	sid1, _, _, err := database.CreateSession(ctx, "m1")
 	if err != nil {
 		t.Fatal(err)
 	}

-	sid2, _, _, err := database.CreateSession(ctx, "m2", "", "", "")
+	sid2, _, _, err := database.CreateSession(ctx, "m2")
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -847,7 +611,7 @@ func TestEnqueueToClient(t *testing.T) {
 	ctx := t.Context()

 	_, _, token, err := database.CreateSession(
-		ctx, "enqclient", "", "", "",
+		ctx, "enqclient",
 	)
 	if err != nil {
 		t.Fatal(err)
@@ -887,604 +651,3 @@ func TestEnqueueToClient(t *testing.T) {
 		t.Fatalf("expected 1, got %d", len(msgs))
 	}
 }
-
-func TestSetAndCheckSessionOper(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	sessionID, _, _, err := database.CreateSession(
-		ctx, "opernick", "", "", "",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Initially not oper.
-	isOper, err := database.IsSessionOper(ctx, sessionID)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if isOper {
-		t.Fatal("expected session not to be oper")
-	}
-
-	// Set oper.
-	err = database.SetSessionOper(ctx, sessionID, true)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	isOper, err = database.IsSessionOper(ctx, sessionID)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if !isOper {
-		t.Fatal("expected session to be oper")
-	}
-
-	// Unset oper.
-	err = database.SetSessionOper(ctx, sessionID, false)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	isOper, err = database.IsSessionOper(ctx, sessionID)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if isOper {
-		t.Fatal("expected session not to be oper")
-	}
-}
-
-func TestGetLatestClientForSession(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	sessionID, _, _, err := database.CreateSession(
-		ctx, "clientnick", "", "", "10.0.0.1",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	clientInfo, err := database.GetLatestClientForSession(
-		ctx, sessionID,
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if clientInfo.IP != "10.0.0.1" {
-		t.Fatalf(
-			"expected IP 10.0.0.1, got %s",
-			clientInfo.IP,
-		)
-	}
-}
-
-func TestGetOperCount(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	// Create two sessions.
-	sid1, _, _, err := database.CreateSession(
-		ctx, "user1", "", "", "",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	sid2, _, _, err := database.CreateSession(
-		ctx, "user2", "", "", "",
-	)
-	_ = sid2
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Initially zero opers.
-	count, err := database.GetOperCount(ctx)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if count != 0 {
-		t.Fatalf("expected 0 opers, got %d", count)
-	}
-
-	// Set one as oper.
-	err = database.SetSessionOper(ctx, sid1, true)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	count, err = database.GetOperCount(ctx)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if count != 1 {
-		t.Fatalf("expected 1 oper, got %d", count)
-	}
-}
-
-// --- Tier 2 Tests ---
-
-func TestWildcardMatch(t *testing.T) {
-	t.Parallel()
-
-	tests := []struct {
-		pattern string
-		input   string
-		match   bool
-	}{
-		{"*!*@*", "nick!user@host", true},
-		{"*!*@*.example.com", "nick!user@foo.example.com", true},
-		{"*!*@*.example.com", "nick!user@other.net", false},
-		{"badnick!*@*", "badnick!user@host", true},
-		{"badnick!*@*", "goodnick!user@host", false},
-		{"nick!user@host", "nick!user@host", true},
-		{"nick!user@host", "nick!user@other", false},
-		{"*", "anything", true},
-		{"?ick!*@*", "nick!user@host", true},
-		{"?ick!*@*", "nn!user@host", false},
-		// Case-insensitive.
-		{"Nick!*@*", "nick!user@host", true},
-	}
-
-	for _, tc := range tests {
-		result := db.MatchBanMask(tc.pattern, tc.input)
-		if result != tc.match {
-			t.Errorf(
-				"MatchBanMask(%q, %q) = %v, want %v",
-				tc.pattern, tc.input, result, tc.match,
-			)
-		}
-	}
-}
-
-func TestChannelBanCRUD(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	chID, err := database.GetOrCreateChannel(ctx, "#test")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// No bans initially.
-	bans, err := database.ListChannelBans(ctx, chID)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(bans) != 0 {
-		t.Fatalf("expected 0 bans, got %d", len(bans))
-	}
-
-	// Add a ban.
-	err = database.AddChannelBan(
-		ctx, chID, "*!*@evil.com", "op",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	bans, err = database.ListChannelBans(ctx, chID)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(bans) != 1 {
-		t.Fatalf("expected 1 ban, got %d", len(bans))
-	}
-
-	if bans[0].Mask != "*!*@evil.com" {
-		t.Fatalf("wrong mask: %s", bans[0].Mask)
-	}
-
-	// Duplicate add is ignored (OR IGNORE).
-	err = database.AddChannelBan(
-		ctx, chID, "*!*@evil.com", "op2",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	bans, _ = database.ListChannelBans(ctx, chID)
-	if len(bans) != 1 {
-		t.Fatalf("expected 1 ban after dup, got %d", len(bans))
-	}
-
-	// Remove ban.
-	err = database.RemoveChannelBan(
-		ctx, chID, "*!*@evil.com",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	bans, _ = database.ListChannelBans(ctx, chID)
-	if len(bans) != 0 {
-		t.Fatalf("expected 0 bans after remove, got %d", len(bans))
-	}
-}
-
-func TestIsSessionBanned(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	sid, _, _, err := database.CreateSession(
-		ctx, "victim", "victim", "evil.com", "",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	chID, err := database.GetOrCreateChannel(ctx, "#bantest")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Not banned initially.
-	banned, err := database.IsSessionBanned(ctx, chID, sid)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if banned {
-		t.Fatal("should not be banned initially")
-	}
-
-	// Add ban matching the hostmask.
-	err = database.AddChannelBan(
-		ctx, chID, "*!*@evil.com", "op",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	banned, err = database.IsSessionBanned(ctx, chID, sid)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if !banned {
-		t.Fatal("should be banned")
-	}
-}
-
-func TestChannelInviteOnly(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	chID, err := database.GetOrCreateChannel(ctx, "#invite")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Default: not invite-only.
-	isIO, err := database.IsChannelInviteOnly(ctx, chID)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if isIO {
-		t.Fatal("should not be invite-only by default")
-	}
-
-	// Set invite-only.
-	err = database.SetChannelInviteOnly(ctx, chID, true)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	isIO, _ = database.IsChannelInviteOnly(ctx, chID)
-	if !isIO {
-		t.Fatal("should be invite-only")
-	}
-
-	// Unset.
-	err = database.SetChannelInviteOnly(ctx, chID, false)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	isIO, _ = database.IsChannelInviteOnly(ctx, chID)
-	if isIO {
-		t.Fatal("should not be invite-only")
-	}
-}
-
-func TestChannelInviteCRUD(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	sid, _, _, err := database.CreateSession(
-		ctx, "invited", "", "", "",
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	chID, err := database.GetOrCreateChannel(ctx, "#inv")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// No invite initially.
-	has, err := database.HasChannelInvite(ctx, chID, sid)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if has {
-		t.Fatal("should not have invite")
-	}
-
-	// Add invite.
-	err = database.AddChannelInvite(ctx, chID, sid, "op")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	has, _ = database.HasChannelInvite(ctx, chID, sid)
-	if !has {
-		t.Fatal("should have invite")
-	}
-
-	// Clear invite.
-	err = database.ClearChannelInvite(ctx, chID, sid)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	has, _ = database.HasChannelInvite(ctx, chID, sid)
-	if has {
-		t.Fatal("invite should be cleared")
-	}
-}
-
-func TestChannelSecret(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	chID, err := database.GetOrCreateChannel(ctx, "#secret")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Default: not secret.
-	isSec, err := database.IsChannelSecret(ctx, chID)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if isSec {
-		t.Fatal("should not be secret by default")
-	}
-
-	err = database.SetChannelSecret(ctx, chID, true)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	isSec, _ = database.IsChannelSecret(ctx, chID)
-	if !isSec {
-		t.Fatal("should be secret")
-	}
-}
-
-// createTestSession is a helper to create a session and
-// return only the session ID.
-func createTestSession(
-	t *testing.T,
-	database *db.Database,
-	nick string,
-) int64 {
-	t.Helper()
-
-	sid, _, _, err := database.CreateSession(
-		t.Context(), nick, "", "", "",
-	)
-	if err != nil {
-		t.Fatalf("create session %s: %v", nick, err)
-	}
-
-	return sid
-}
-
-func TestSecretChannelFiltering(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	// Create two sessions.
-	sid1 := createTestSession(t, database, "member")
-	sid2 := createTestSession(t, database, "outsider")
-
-	// Create a secret channel.
-	chID, _ := database.GetOrCreateChannel(ctx, "#secret")
-	_ = database.SetChannelSecret(ctx, chID, true)
-	_ = database.JoinChannel(ctx, chID, sid1)
-
-	// Create a non-secret channel.
-	chID2, _ := database.GetOrCreateChannel(ctx, "#public")
-	_ = database.JoinChannel(ctx, chID2, sid1)
-
-	// Member should see both.
-	list, err := database.ListAllChannelsWithCountsFiltered(
-		ctx, sid1,
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(list) != 2 {
-		t.Fatalf("member should see 2 channels, got %d", len(list))
-	}
-
-	// Outsider should only see public.
-	list, _ = database.ListAllChannelsWithCountsFiltered(
-		ctx, sid2,
-	)
-	if len(list) != 1 {
-		t.Fatalf("outsider should see 1 channel, got %d", len(list))
-	}
-
-	if list[0].Name != "#public" {
-		t.Fatalf("outsider should see #public, got %s", list[0].Name)
-	}
-}
-
-func TestWhoisChannelFiltering(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	sid1 := createTestSession(t, database, "target")
-	sid2 := createTestSession(t, database, "querier")
-
-	// Create secret channel, target joins it.
-	chID, _ := database.GetOrCreateChannel(ctx, "#hidden")
-	_ = database.SetChannelSecret(ctx, chID, true)
-	_ = database.JoinChannel(ctx, chID, sid1)
-
-	// Querier (non-member) should not see the channel.
-	channels, err := database.GetSessionChannelsFiltered(
-		ctx, sid1, sid2,
-	)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if len(channels) != 0 {
-		t.Fatalf(
-			"querier should see 0 channels, got %d",
-			len(channels),
-		)
-	}
-
-	// Target querying self should see it.
-	channels, _ = database.GetSessionChannelsFiltered(
-		ctx, sid1, sid1,
-	)
-	if len(channels) != 1 {
-		t.Fatalf(
-			"self-query should see 1 channel, got %d",
-			len(channels),
-		)
-	}
-}
-
-//nolint:dupl // structurally similar to TestChannelUserLimit
-func TestChannelKey(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	chID, err := database.GetOrCreateChannel(ctx, "#keyed")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Default: no key.
-	key, err := database.GetChannelKey(ctx, chID)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if key != "" {
-		t.Fatalf("expected empty key, got %q", key)
-	}
-
-	// Set key.
-	err = database.SetChannelKey(ctx, chID, "secret123")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	key, _ = database.GetChannelKey(ctx, chID)
-	if key != "secret123" {
-		t.Fatalf("expected secret123, got %q", key)
-	}
-
-	// Clear key.
-	err = database.SetChannelKey(ctx, chID, "")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	key, _ = database.GetChannelKey(ctx, chID)
-	if key != "" {
-		t.Fatalf("expected empty key, got %q", key)
-	}
-}
-
-//nolint:dupl // structurally similar to TestChannelKey
-func TestChannelUserLimit(t *testing.T) {
-	t.Parallel()
-
-	database := setupTestDB(t)
-	ctx := t.Context()
-
-	chID, err := database.GetOrCreateChannel(ctx, "#limited")
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	// Default: no limit.
-	limit, err := database.GetChannelUserLimit(ctx, chID)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	if limit != 0 {
-		t.Fatalf("expected 0 limit, got %d", limit)
-	}
-
-	// Set limit.
-	err = database.SetChannelUserLimit(ctx, chID, 50)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	limit, _ = database.GetChannelUserLimit(ctx, chID)
-	if limit != 50 {
-		t.Fatalf("expected 50, got %d", limit)
-	}
-
-	// Clear limit.
-	err = database.SetChannelUserLimit(ctx, chID, 0)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	limit, _ = database.GetChannelUserLimit(ctx, chID)
-	if limit != 0 {
-		t.Fatalf("expected 0, got %d", limit)
-	}
-}
--- a/internal/db/schema/001_initial.sql
+++ b/internal/db/schema/001_initial.sql
@@ -6,11 +6,6 @@ CREATE TABLE IF NOT EXISTS sessions (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    uuid TEXT NOT NULL UNIQUE,
    nick TEXT NOT NULL UNIQUE,
-    username TEXT NOT NULL DEFAULT '',
-    hostname TEXT NOT NULL DEFAULT '',
-    ip TEXT NOT NULL DEFAULT '',
-    is_oper INTEGER NOT NULL DEFAULT 0,
-    is_wallops INTEGER NOT NULL DEFAULT 0,
    password_hash TEXT NOT NULL DEFAULT '',
    signing_key TEXT NOT NULL DEFAULT '',
    away_message TEXT NOT NULL DEFAULT '',
@@ -25,8 +20,6 @@ CREATE TABLE IF NOT EXISTS clients (
    uuid TEXT NOT NULL UNIQUE,
    session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
    token TEXT NOT NULL UNIQUE,
-    ip TEXT NOT NULL DEFAULT '',
-    hostname TEXT NOT NULL DEFAULT '',
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    last_seen DATETIME DEFAULT CURRENT_TIMESTAMP
 );
@@ -41,45 +34,15 @@ CREATE TABLE IF NOT EXISTS channels (
    topic_set_by TEXT NOT NULL DEFAULT '',
    topic_set_at DATETIME,
    hashcash_bits INTEGER NOT NULL DEFAULT 0,
-    is_moderated INTEGER NOT NULL DEFAULT 0,
-    is_topic_locked INTEGER NOT NULL DEFAULT 1,
-    is_invite_only INTEGER NOT NULL DEFAULT 0,
-    is_secret INTEGER NOT NULL DEFAULT 0,
-    channel_key TEXT NOT NULL DEFAULT '',
-    user_limit INTEGER NOT NULL DEFAULT 0,
    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
 );

-- Channel bans
-CREATE TABLE IF NOT EXISTS channel_bans (
-    id INTEGER PRIMARY KEY AUTOINCREMENT,
-    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
-    mask TEXT NOT NULL,
-    set_by TEXT NOT NULL,
-    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
-    UNIQUE(channel_id, mask)
-);
-CREATE INDEX IF NOT EXISTS idx_channel_bans_channel ON channel_bans(channel_id);
-
-- Channel invites (in-memory would be simpler but DB survives restarts)
-CREATE TABLE IF NOT EXISTS channel_invites (
-    id INTEGER PRIMARY KEY AUTOINCREMENT,
-    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
-    session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
-    invited_by TEXT NOT NULL DEFAULT '',
-    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
-    UNIQUE(channel_id, session_id)
-);
-CREATE INDEX IF NOT EXISTS idx_channel_invites_channel ON channel_invites(channel_id);
-
 -- Channel members
 CREATE TABLE IF NOT EXISTS channel_members (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    channel_id INTEGER NOT NULL REFERENCES channels(id) ON DELETE CASCADE,
    session_id INTEGER NOT NULL REFERENCES sessions(id) ON DELETE CASCADE,
-    is_operator INTEGER NOT NULL DEFAULT 0,
-    is_voiced INTEGER NOT NULL DEFAULT 0,
    joined_at DATETIME DEFAULT CURRENT_TIMESTAMP,
    UNIQUE(channel_id, session_id)
 );
--- a/internal/handlers/api.go
+++ b/internal/handlers/api.go
--- a/internal/handlers/api_test.go
+++ b/internal/handlers/api_test.go
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -2,14 +2,151 @@ package handlers

 import (
 	"encoding/json"
+	"net"
 	"net/http"
 	"strings"

-	"git.eeqj.de/sneak/neoirc/pkg/irc"
+	"git.eeqj.de/sneak/neoirc/internal/db"
 )

 const minPasswordLength = 8

+// clientIP extracts the client IP address from the request.
+// It checks X-Forwarded-For and X-Real-IP headers before
+// falling back to RemoteAddr.
+func clientIP(request *http.Request) string {
+	if forwarded := request.Header.Get("X-Forwarded-For"); forwarded != "" {
+		// X-Forwarded-For may contain a comma-separated list;
+		// the first entry is the original client.
+		parts := strings.SplitN(forwarded, ",", 2) //nolint:mnd // split into two parts
+		ip := strings.TrimSpace(parts[0])
+
+		if ip != "" {
+			return ip
+		}
+	}
+
+	if realIP := request.Header.Get("X-Real-IP"); realIP != "" {
+		return strings.TrimSpace(realIP)
+	}
+
+	host, _, err := net.SplitHostPort(request.RemoteAddr)
+	if err != nil {
+		return request.RemoteAddr
+	}
+
+	return host
+}
+
+// HandleRegister creates a new user with a password.
+func (hdlr *Handlers) HandleRegister() http.HandlerFunc {
+	return func(
+		writer http.ResponseWriter,
+		request *http.Request,
+	) {
+		request.Body = http.MaxBytesReader(
+			writer, request.Body, hdlr.maxBodySize(),
+		)
+
+		hdlr.handleRegister(writer, request)
+	}
+}
+
+func (hdlr *Handlers) handleRegister(
+	writer http.ResponseWriter,
+	request *http.Request,
+) {
+	type registerRequest struct {
+		Nick     string `json:"nick"`
+		Password string `json:"password"`
+	}
+
+	var payload registerRequest
+
+	err := json.NewDecoder(request.Body).Decode(&payload)
+	if err != nil {
+		hdlr.respondError(
+			writer, request,
+			"invalid request body",
+			http.StatusBadRequest,
+		)
+
+		return
+	}
+
+	payload.Nick = strings.TrimSpace(payload.Nick)
+
+	if !validNickRe.MatchString(payload.Nick) {
+		hdlr.respondError(
+			writer, request,
+			"invalid nick format",
+			http.StatusBadRequest,
+		)
+
+		return
+	}
+
+	if len(payload.Password) < minPasswordLength {
+		hdlr.respondError(
+			writer, request,
+			"password must be at least 8 characters",
+			http.StatusBadRequest,
+		)
+
+		return
+	}
+
+	sessionID, clientID, token, err :=
+		hdlr.params.Database.RegisterUser(
+			request.Context(),
+			payload.Nick,
+			payload.Password,
+		)
+	if err != nil {
+		hdlr.handleRegisterError(
+			writer, request, err,
+		)
+
+		return
+	}
+
+	hdlr.stats.IncrSessions()
+	hdlr.stats.IncrConnections()
+
+	hdlr.deliverMOTD(request, clientID, sessionID, payload.Nick)
+
+	hdlr.respondJSON(writer, request, map[string]any{
+		"id":    sessionID,
+		"nick":  payload.Nick,
+		"token": token,
+	}, http.StatusCreated)
+}
+
+func (hdlr *Handlers) handleRegisterError(
+	writer http.ResponseWriter,
+	request *http.Request,
+	err error,
+) {
+	if db.IsUniqueConstraintError(err) {
+		hdlr.respondError(
+			writer, request,
+			"nick already taken",
+			http.StatusConflict,
+		)
+
+		return
+	}
+
+	hdlr.log.Error(
+		"register user failed", "error", err,
+	)
+	hdlr.respondError(
+		writer, request,
+		"internal error",
+		http.StatusInternalServerError,
+	)
+}
+
 // HandleLogin authenticates a user with nick and password.
 func (hdlr *Handlers) HandleLogin() http.HandlerFunc {
 	return func(
@@ -73,27 +210,11 @@ func (hdlr *Handlers) handleLogin(
 		return
 	}

-	hdlr.executeLogin(
-		writer, request, payload.Nick, payload.Password,
-	)
-}
-
-func (hdlr *Handlers) executeLogin(
-	writer http.ResponseWriter,
-	request *http.Request,
-	nick, password string,
-) {
-	remoteIP := clientIP(request)
-
-	hostname := resolveHostname(
-		request.Context(), remoteIP,
-	)
-
 	sessionID, clientID, token, err :=
 		hdlr.params.Database.LoginUser(
 			request.Context(),
-			nick, password,
-			remoteIP, hostname,
+			payload.Nick,
+			payload.Password,
 		)
 	if err != nil {
 		hdlr.respondError(
@@ -108,75 +229,18 @@ func (hdlr *Handlers) executeLogin(
 	hdlr.stats.IncrConnections()

 	hdlr.deliverMOTD(
-		request, clientID, sessionID, nick,
+		request, clientID, sessionID, payload.Nick,
 	)

 	// Initialize channel state so the new client knows
 	// which channels the session already belongs to.
 	hdlr.initChannelState(
-		request, clientID, sessionID, nick,
+		request, clientID, sessionID, payload.Nick,
 	)

-	hdlr.setAuthCookie(writer, request, token)
-
 	hdlr.respondJSON(writer, request, map[string]any{
 		"id":    sessionID,
-		"nick": nick,
+		"nick":  payload.Nick,
+		"token": token,
 	}, http.StatusOK)
 }
-
-// handlePass handles the IRC PASS command to set a
-// password on the authenticated session, enabling
-// multi-client login via POST /api/v1/login.
-func (hdlr *Handlers) handlePass(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick string,
-	bodyLines func() []string,
-) {
-	lines := bodyLines()
-	if len(lines) == 0 || lines[0] == "" {
-		hdlr.respondIRCError(
-			writer, request, clientID, sessionID,
-			irc.ErrNeedMoreParams, nick,
-			[]string{irc.CmdPass},
-			"Not enough parameters",
-		)
-
-		return
-	}
-
-	password := lines[0]
-
-	if len(password) < minPasswordLength {
-		hdlr.respondIRCError(
-			writer, request, clientID, sessionID,
-			irc.ErrNeedMoreParams, nick,
-			[]string{irc.CmdPass},
-			"Password must be at least 8 characters",
-		)
-
-		return
-	}
-
-	err := hdlr.params.Database.SetPassword(
-		request.Context(), sessionID, password,
-	)
-	if err != nil {
-		hdlr.log.Error(
-			"set password failed", "error", err,
-		)
-		hdlr.respondError(
-			writer, request,
-			"internal error",
-			http.StatusInternalServerError,
-		)
-
-		return
-	}
-
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
--- a/internal/handlers/utility.go
+++ b/internal/handlers/utility.go
@@ -1,727 +0,0 @@
-package handlers
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"strings"
-	"time"
-
-	"git.eeqj.de/sneak/neoirc/internal/db"
-	"git.eeqj.de/sneak/neoirc/pkg/irc"
-)
-
-// maxUserhostNicks is the maximum number of nicks allowed
-// in a single USERHOST query (RFC 2812).
-const maxUserhostNicks = 5
-
-// dispatchBodyOnlyCommand routes commands that take
-// (writer, request, sessionID, clientID, nick, bodyLines).
-func (hdlr *Handlers) dispatchBodyOnlyCommand(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick, command string,
-	bodyLines func() []string,
-) {
-	switch command {
-	case irc.CmdAway:
-		hdlr.handleAway(
-			writer, request,
-			sessionID, clientID, nick, bodyLines,
-		)
-	case irc.CmdNick:
-		hdlr.handleNick(
-			writer, request,
-			sessionID, clientID, nick, bodyLines,
-		)
-	case irc.CmdPass:
-		hdlr.handlePass(
-			writer, request,
-			sessionID, clientID, nick, bodyLines,
-		)
-	case irc.CmdInvite:
-		hdlr.handleInvite(
-			writer, request,
-			sessionID, clientID, nick, bodyLines,
-		)
-	}
-}
-
-// dispatchOperCommand routes oper-related commands (OPER,
-// KILL, WALLOPS) to their handlers.
-func (hdlr *Handlers) dispatchOperCommand(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick, command string,
-	bodyLines func() []string,
-) {
-	switch command {
-	case irc.CmdOper:
-		hdlr.handleOper(
-			writer, request,
-			sessionID, clientID, nick, bodyLines,
-		)
-	case irc.CmdKill:
-		hdlr.handleKill(
-			writer, request,
-			sessionID, clientID, nick, bodyLines,
-		)
-	case irc.CmdWallops:
-		hdlr.handleWallops(
-			writer, request,
-			sessionID, clientID, nick, bodyLines,
-		)
-	}
-}
-
-// handleUserhost handles the USERHOST command.
-// Returns user@host info for up to 5 nicks.
-func (hdlr *Handlers) handleUserhost(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick string,
-	bodyLines func() []string,
-) {
-	ctx := request.Context()
-
-	lines := bodyLines()
-	if len(lines) == 0 {
-		hdlr.respondIRCError(
-			writer, request, clientID, sessionID,
-			irc.ErrNeedMoreParams, nick,
-			[]string{irc.CmdUserhost},
-			"Not enough parameters",
-		)
-
-		return
-	}
-
-	// Limit to 5 nicks per RFC 2812.
-	nicks := lines
-	if len(nicks) > maxUserhostNicks {
-		nicks = nicks[:maxUserhostNicks]
-	}
-
-	infos, err := hdlr.params.Database.GetUserhostInfo(
-		ctx, nicks,
-	)
-	if err != nil {
-		hdlr.log.Error(
-			"userhost query failed", "error", err,
-		)
-		hdlr.respondError(
-			writer, request,
-			"internal error",
-			http.StatusInternalServerError,
-		)
-
-		return
-	}
-
-	replyStr := hdlr.buildUserhostReply(infos)
-
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplUserHost, nick, nil,
-		replyStr,
-	)
-
-	hdlr.broker.Notify(sessionID)
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
-
-// buildUserhostReply builds the RPL_USERHOST reply
-// string per RFC 2812.
-func (hdlr *Handlers) buildUserhostReply(
-	infos []db.UserhostInfo,
-) string {
-	replies := make([]string, 0, len(infos))
-
-	for idx := range infos {
-		info := &infos[idx]
-
-		username := info.Username
-		if username == "" {
-			username = info.Nick
-		}
-
-		hostname := info.Hostname
-		if hostname == "" {
-			hostname = hdlr.serverName()
-		}
-
-		operStar := ""
-		if info.IsOper {
-			operStar = "*"
-		}
-
-		awayPrefix := "+"
-		if info.AwayMessage != "" {
-			awayPrefix = "-"
-		}
-
-		replies = append(replies,
-			info.Nick+operStar+"="+
-				awayPrefix+username+"@"+hostname,
-		)
-	}
-
-	return strings.Join(replies, " ")
-}
-
-// handleVersion handles the VERSION command.
-// Returns the server version string.
-func (hdlr *Handlers) handleVersion(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick string,
-) {
-	ctx := request.Context()
-	srvName := hdlr.serverName()
-	version := hdlr.serverVersion()
-
-	// 351 RPL_VERSION
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplVersion, nick,
-		[]string{version + ".", srvName},
-		"",
-	)
-
-	hdlr.broker.Notify(sessionID)
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
-
-// handleAdmin handles the ADMIN command.
-// Returns server admin contact info.
-func (hdlr *Handlers) handleAdmin(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick string,
-) {
-	ctx := request.Context()
-	srvName := hdlr.serverName()
-
-	// 256 RPL_ADMINME
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplAdminMe, nick,
-		[]string{srvName},
-		"Administrative info",
-	)
-
-	// 257 RPL_ADMINLOC1
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplAdminLoc1, nick, nil,
-		"neoirc server",
-	)
-
-	// 258 RPL_ADMINLOC2
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplAdminLoc2, nick, nil,
-		"IRC over HTTP",
-	)
-
-	// 259 RPL_ADMINEMAIL
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplAdminEmail, nick, nil,
-		"admin@"+srvName,
-	)
-
-	hdlr.broker.Notify(sessionID)
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
-
-// handleInfo handles the INFO command.
-// Returns server software information.
-func (hdlr *Handlers) handleInfo(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick string,
-) {
-	ctx := request.Context()
-	version := hdlr.serverVersion()
-
-	infoLines := []string{
-		"neoirc — IRC semantics over HTTP",
-		"Version: " + version,
-		"Written in Go",
-		"Started: " +
-			hdlr.params.Globals.StartTime.
-				Format(time.RFC1123),
-	}
-
-	for _, line := range infoLines {
-		// 371 RPL_INFO
-		hdlr.enqueueNumeric(
-			ctx, clientID, irc.RplInfo, nick, nil,
-			line,
-		)
-	}
-
-	// 374 RPL_ENDOFINFO
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplEndOfInfo, nick, nil,
-		"End of /INFO list",
-	)
-
-	hdlr.broker.Notify(sessionID)
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
-
-// handleTime handles the TIME command.
-// Returns the server's local time in RFC format.
-func (hdlr *Handlers) handleTime(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick string,
-) {
-	ctx := request.Context()
-	srvName := hdlr.serverName()
-
-	// 391 RPL_TIME
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplTime, nick,
-		[]string{srvName},
-		time.Now().Format(time.RFC1123),
-	)
-
-	hdlr.broker.Notify(sessionID)
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
-
-// handleKill handles the KILL command.
-// Forcibly disconnects a user (oper only).
-func (hdlr *Handlers) handleKill(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick string,
-	bodyLines func() []string,
-) {
-	ctx := request.Context()
-
-	// Check oper status.
-	isOper, err := hdlr.params.Database.IsSessionOper(
-		ctx, sessionID,
-	)
-	if err != nil || !isOper {
-		hdlr.respondIRCError(
-			writer, request, clientID, sessionID,
-			irc.ErrNoPrivileges, nick, nil,
-			"Permission Denied- You're not an IRC operator",
-		)
-
-		return
-	}
-
-	lines := bodyLines()
-	if len(lines) == 0 {
-		hdlr.respondIRCError(
-			writer, request, clientID, sessionID,
-			irc.ErrNeedMoreParams, nick,
-			[]string{irc.CmdKill},
-			"Not enough parameters",
-		)
-
-		return
-	}
-
-	targetNick := strings.TrimSpace(lines[0])
-	if targetNick == "" {
-		hdlr.respondIRCError(
-			writer, request, clientID, sessionID,
-			irc.ErrNeedMoreParams, nick,
-			[]string{irc.CmdKill},
-			"Not enough parameters",
-		)
-
-		return
-	}
-
-	reason := "KILLed"
-	if len(lines) > 1 {
-		reason = lines[1]
-	}
-
-	targetSID, lookupErr := hdlr.params.Database.
-		GetSessionByNick(ctx, targetNick)
-	if lookupErr != nil {
-		hdlr.respondIRCError(
-			writer, request, clientID, sessionID,
-			irc.ErrNoSuchNick, nick,
-			[]string{targetNick},
-			"No such nick/channel",
-		)
-
-		return
-	}
-
-	// Do not allow killing yourself.
-	if targetSID == sessionID {
-		hdlr.respondIRCError(
-			writer, request, clientID, sessionID,
-			irc.ErrCantKillServer, nick, nil,
-			"You cannot KILL yourself",
-		)
-
-		return
-	}
-
-	hdlr.executeKillUser(
-		request, targetSID, targetNick, nick, reason,
-	)
-
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
-
-// executeKillUser forcibly disconnects a user: broadcasts
-// QUIT to their channels, parts all channels, and deletes
-// the session.
-func (hdlr *Handlers) executeKillUser(
-	request *http.Request,
-	targetSID int64,
-	targetNick, killerNick, reason string,
-) {
-	ctx := request.Context()
-
-	quitMsg := "Killed (" + killerNick + " (" + reason + "))"
-
-	quitBody, err := json.Marshal([]string{quitMsg})
-	if err != nil {
-		hdlr.log.Error(
-			"marshal kill quit body", "error", err,
-		)
-
-		return
-	}
-
-	channels, _ := hdlr.params.Database.
-		GetSessionChannels(ctx, targetSID)
-
-	notified := map[int64]bool{}
-
-	var dbID int64
-
-	if len(channels) > 0 {
-		dbID, _, _ = hdlr.params.Database.InsertMessage(
-			ctx, irc.CmdQuit, targetNick, "",
-			nil, json.RawMessage(quitBody), nil,
-		)
-	}
-
-	for _, chanInfo := range channels {
-		memberIDs, _ := hdlr.params.Database.
-			GetChannelMemberIDs(ctx, chanInfo.ID)
-
-		for _, mid := range memberIDs {
-			if mid != targetSID && !notified[mid] {
-				notified[mid] = true
-
-				_ = hdlr.params.Database.EnqueueToSession(
-					ctx, mid, dbID,
-				)
-
-				hdlr.broker.Notify(mid)
-			}
-		}
-
-		_ = hdlr.params.Database.PartChannel(
-			ctx, chanInfo.ID, targetSID,
-		)
-
-		_ = hdlr.params.Database.DeleteChannelIfEmpty(
-			ctx, chanInfo.ID,
-		)
-	}
-
-	_ = hdlr.params.Database.DeleteSession(
-		ctx, targetSID,
-	)
-}
-
-// handleWallops handles the WALLOPS command.
-// Broadcasts a message to all users with +w usermode
-// (oper only).
-func (hdlr *Handlers) handleWallops(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick string,
-	bodyLines func() []string,
-) {
-	ctx := request.Context()
-
-	// Check oper status.
-	isOper, err := hdlr.params.Database.IsSessionOper(
-		ctx, sessionID,
-	)
-	if err != nil || !isOper {
-		hdlr.respondIRCError(
-			writer, request, clientID, sessionID,
-			irc.ErrNoPrivileges, nick, nil,
-			"Permission Denied- You're not an IRC operator",
-		)
-
-		return
-	}
-
-	lines := bodyLines()
-	if len(lines) == 0 {
-		hdlr.respondIRCError(
-			writer, request, clientID, sessionID,
-			irc.ErrNeedMoreParams, nick,
-			[]string{irc.CmdWallops},
-			"Not enough parameters",
-		)
-
-		return
-	}
-
-	message := strings.Join(lines, " ")
-
-	wallopsSIDs, err := hdlr.params.Database.
-		GetWallopsSessionIDs(ctx)
-	if err != nil {
-		hdlr.log.Error(
-			"get wallops sessions failed", "error", err,
-		)
-		hdlr.respondError(
-			writer, request,
-			"internal error",
-			http.StatusInternalServerError,
-		)
-
-		return
-	}
-
-	if len(wallopsSIDs) > 0 {
-		body, mErr := json.Marshal([]string{message})
-		if mErr != nil {
-			hdlr.log.Error(
-				"marshal wallops body", "error", mErr,
-			)
-			hdlr.respondError(
-				writer, request,
-				"internal error",
-				http.StatusInternalServerError,
-			)
-
-			return
-		}
-
-		_ = hdlr.fanOutSilent(
-			request, irc.CmdWallops, nick, "*",
-			json.RawMessage(body), wallopsSIDs,
-		)
-	}
-
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
-
-// handleUserMode handles user mode queries and changes
-// (e.g., MODE nick, MODE nick +w).
-func (hdlr *Handlers) handleUserMode(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick, target string,
-	bodyLines func() []string,
-) {
-	ctx := request.Context()
-
-	lines := bodyLines()
-
-	// Mode change requested.
-	if len(lines) > 0 {
-		// Users can only change their own modes.
-		if target != nick && target != "" {
-			hdlr.respondIRCError(
-				writer, request, clientID, sessionID,
-				irc.ErrUsersDoNotMatch, nick, nil,
-				"Can't change mode for other users",
-			)
-
-			return
-		}
-
-		hdlr.applyUserModeChange(
-			writer, request,
-			sessionID, clientID, nick, lines[0],
-		)
-
-		return
-	}
-
-	// Mode query — build the current mode string.
-	modeStr := hdlr.buildUserModeString(ctx, sessionID)
-
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplUmodeIs, nick, nil,
-		modeStr,
-	)
-	hdlr.broker.Notify(sessionID)
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
-
-// buildUserModeString constructs the mode string for a
-// user (e.g., "+ow" for oper+wallops).
-func (hdlr *Handlers) buildUserModeString(
-	ctx context.Context,
-	sessionID int64,
-) string {
-	modes := "+"
-
-	isOper, err := hdlr.params.Database.IsSessionOper(
-		ctx, sessionID,
-	)
-	if err == nil && isOper {
-		modes += "o"
-	}
-
-	isWallops, err := hdlr.params.Database.IsSessionWallops(
-		ctx, sessionID,
-	)
-	if err == nil && isWallops {
-		modes += "w"
-	}
-
-	return modes
-}
-
-// applyUserModeChange applies a user mode change string
-// (e.g., "+w", "-w").
-func (hdlr *Handlers) applyUserModeChange(
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick, modeStr string,
-) {
-	ctx := request.Context()
-
-	if len(modeStr) < 2 { //nolint:mnd // +/- and mode char
-		hdlr.respondIRCError(
-			writer, request, clientID, sessionID,
-			irc.ErrUmodeUnknownFlag, nick, nil,
-			"Unknown MODE flag",
-		)
-
-		return
-	}
-
-	adding := modeStr[0] == '+'
-	modeChar := modeStr[1:]
-
-	applied, err := hdlr.applyModeChar(
-		ctx, writer, request,
-		sessionID, clientID, nick,
-		modeChar, adding,
-	)
-	if err != nil || !applied {
-		return
-	}
-
-	newModes := hdlr.buildUserModeString(ctx, sessionID)
-
-	hdlr.enqueueNumeric(
-		ctx, clientID, irc.RplUmodeIs, nick, nil,
-		newModes,
-	)
-
-	hdlr.broker.Notify(sessionID)
-	hdlr.respondJSON(writer, request,
-		map[string]string{"status": "ok"},
-		http.StatusOK)
-}
-
-// applyModeChar applies a single user mode character.
-// Returns (applied, error).
-func (hdlr *Handlers) applyModeChar(
-	ctx context.Context,
-	writer http.ResponseWriter,
-	request *http.Request,
-	sessionID, clientID int64,
-	nick, modeChar string,
-	adding bool,
-) (bool, error) {
-	switch modeChar {
-	case "w":
-		err := hdlr.params.Database.SetSessionWallops(
-			ctx, sessionID, adding,
-		)
-		if err != nil {
-			hdlr.log.Error(
-				"set wallops mode failed", "error", err,
-			)
-			hdlr.respondError(
-				writer, request,
-				"internal error",
-				http.StatusInternalServerError,
-			)
-
-			return false, fmt.Errorf(
-				"set wallops: %w", err,
-			)
-		}
-	case "o":
-		// +o cannot be set via MODE, only via OPER.
-		if adding {
-			hdlr.respondIRCError(
-				writer, request, clientID, sessionID,
-				irc.ErrUmodeUnknownFlag, nick, nil,
-				"Unknown MODE flag",
-			)
-
-			return false, nil
-		}
-
-		err := hdlr.params.Database.SetSessionOper(
-			ctx, sessionID, false,
-		)
-		if err != nil {
-			hdlr.log.Error(
-				"clear oper mode failed", "error", err,
-			)
-			hdlr.respondError(
-				writer, request,
-				"internal error",
-				http.StatusInternalServerError,
-			)
-
-			return false, fmt.Errorf(
-				"clear oper: %w", err,
-			)
-		}
-	default:
-		hdlr.respondIRCError(
-			writer, request, clientID, sessionID,
-			irc.ErrUmodeUnknownFlag, nick, nil,
-			"Unknown MODE flag",
-		)
-
-		return false, nil
-	}
-
-	return true, nil
-}
--- a/internal/handlers/utility_test.go
+++ b/internal/handlers/utility_test.go
@@ -1,982 +0,0 @@
-// Tests for Tier 3 utility IRC commands: USERHOST,
-// VERSION, ADMIN, INFO, TIME, KILL, WALLOPS.
-//
-//nolint:paralleltest
-package handlers_test
-
-import (
-	"strings"
-	"testing"
-)
-
-// --- USERHOST ---
-
-func TestUserhostSingleNick(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("alice")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "USERHOST",
-		bodyKey:    []string{"alice"},
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 302 RPL_USERHOST.
-	msg := findNumericWithParams(msgs, "302")
-	if msg == nil {
-		t.Fatalf(
-			"expected RPL_USERHOST (302), got %v",
-			msgs,
-		)
-	}
-
-	// Body should contain "alice" with the
-	// nick=+user@host format.
-	body := getNumericBody(msg)
-	if !strings.Contains(body, "alice") {
-		t.Fatalf(
-			"expected body to contain 'alice', got %q",
-			body,
-		)
-	}
-
-	// '+' means not away.
-	if !strings.Contains(body, "=+") {
-		t.Fatalf(
-			"expected not-away prefix '=+', got %q",
-			body,
-		)
-	}
-}
-
-func TestUserhostMultipleNicks(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token1 := tserver.createSession("bob")
-	token2 := tserver.createSession("carol")
-
-	_ = token2
-
-	_, lastID := tserver.pollMessages(token1, 0)
-
-	tserver.sendCommand(token1, map[string]any{
-		commandKey: "USERHOST",
-		bodyKey:    []string{"bob", "carol"},
-	})
-
-	msgs, _ := tserver.pollMessages(token1, lastID)
-
-	msg := findNumericWithParams(msgs, "302")
-	if msg == nil {
-		t.Fatalf(
-			"expected RPL_USERHOST (302), got %v",
-			msgs,
-		)
-	}
-
-	body := getNumericBody(msg)
-	if !strings.Contains(body, "bob") {
-		t.Fatalf(
-			"expected body to contain 'bob', got %q",
-			body,
-		)
-	}
-
-	if !strings.Contains(body, "carol") {
-		t.Fatalf(
-			"expected body to contain 'carol', got %q",
-			body,
-		)
-	}
-}
-
-func TestUserhostNonexistentNick(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("dave")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "USERHOST",
-		bodyKey:    []string{"nobody"},
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Should still get 302 but with empty body.
-	msg := findNumericWithParams(msgs, "302")
-	if msg == nil {
-		t.Fatalf(
-			"expected RPL_USERHOST (302), got %v",
-			msgs,
-		)
-	}
-}
-
-func TestUserhostNoParams(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("eve")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "USERHOST",
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 461 ERR_NEEDMOREPARAMS.
-	if !findNumeric(msgs, "461") {
-		t.Fatalf(
-			"expected ERR_NEEDMOREPARAMS (461), got %v",
-			msgs,
-		)
-	}
-}
-
-func TestUserhostShowsOper(t *testing.T) {
-	tserver := newTestServerWithOper(t)
-
-	token := tserver.createSession("opernick")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	// Authenticate as oper.
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "OPER",
-		bodyKey:    []string{testOperName, testOperPassword},
-	})
-
-	_, lastID = tserver.pollMessages(token, lastID)
-
-	// USERHOST should show '*' for oper.
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "USERHOST",
-		bodyKey:    []string{"opernick"},
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	msg := findNumericWithParams(msgs, "302")
-	if msg == nil {
-		t.Fatalf(
-			"expected RPL_USERHOST (302), got %v",
-			msgs,
-		)
-	}
-
-	body := getNumericBody(msg)
-	if !strings.Contains(body, "opernick*=") {
-		t.Fatalf(
-			"expected oper '*' in reply, got %q",
-			body,
-		)
-	}
-}
-
-func TestUserhostShowsAway(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("awaynick")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	// Set away.
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "AWAY",
-		bodyKey:    []string{"gone fishing"},
-	})
-
-	_, lastID = tserver.pollMessages(token, lastID)
-
-	// USERHOST should show '-' for away.
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "USERHOST",
-		bodyKey:    []string{"awaynick"},
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	msg := findNumericWithParams(msgs, "302")
-	if msg == nil {
-		t.Fatalf(
-			"expected RPL_USERHOST (302), got %v",
-			msgs,
-		)
-	}
-
-	body := getNumericBody(msg)
-	if !strings.Contains(body, "=-") {
-		t.Fatalf(
-			"expected away prefix '=-' in reply, got %q",
-			body,
-		)
-	}
-}
-
-// --- VERSION ---
-
-func TestVersion(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("frank")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "VERSION",
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 351 RPL_VERSION.
-	msg := findNumericWithParams(msgs, "351")
-	if msg == nil {
-		t.Fatalf(
-			"expected RPL_VERSION (351), got %v",
-			msgs,
-		)
-	}
-
-	params := getNumericParams(msg)
-	if len(params) == 0 {
-		t.Fatal("expected VERSION params, got none")
-	}
-
-	// First param should contain version string.
-	if !strings.Contains(params[0], "test") {
-		t.Fatalf(
-			"expected version to contain 'test', got %q",
-			params[0],
-		)
-	}
-}
-
-// --- ADMIN ---
-
-func TestAdmin(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("grace")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "ADMIN",
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 256 RPL_ADMINME.
-	if !findNumeric(msgs, "256") {
-		t.Fatalf(
-			"expected RPL_ADMINME (256), got %v",
-			msgs,
-		)
-	}
-
-	// Expect 257 RPL_ADMINLOC1.
-	if !findNumeric(msgs, "257") {
-		t.Fatalf(
-			"expected RPL_ADMINLOC1 (257), got %v",
-			msgs,
-		)
-	}
-
-	// Expect 258 RPL_ADMINLOC2.
-	if !findNumeric(msgs, "258") {
-		t.Fatalf(
-			"expected RPL_ADMINLOC2 (258), got %v",
-			msgs,
-		)
-	}
-
-	// Expect 259 RPL_ADMINEMAIL.
-	if !findNumeric(msgs, "259") {
-		t.Fatalf(
-			"expected RPL_ADMINEMAIL (259), got %v",
-			msgs,
-		)
-	}
-}
-
-// --- INFO ---
-
-func TestInfo(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("hank")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "INFO",
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 371 RPL_INFO (at least one).
-	if !findNumeric(msgs, "371") {
-		t.Fatalf(
-			"expected RPL_INFO (371), got %v",
-			msgs,
-		)
-	}
-
-	// Expect 374 RPL_ENDOFINFO.
-	if !findNumeric(msgs, "374") {
-		t.Fatalf(
-			"expected RPL_ENDOFINFO (374), got %v",
-			msgs,
-		)
-	}
-}
-
-// --- TIME ---
-
-func TestTime(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("iris")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "TIME",
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 391 RPL_TIME.
-	msg := findNumericWithParams(msgs, "391")
-	if msg == nil {
-		t.Fatalf(
-			"expected RPL_TIME (391), got %v",
-			msgs,
-		)
-	}
-}
-
-// --- KILL ---
-
-func TestKillSuccess(t *testing.T) {
-	tserver := newTestServerWithOper(t)
-
-	// Create the victim first.
-	victimToken := tserver.createSession("victim")
-	_ = victimToken
-
-	// Create oper user.
-	operToken := tserver.createSession("killer")
-	_, lastID := tserver.pollMessages(operToken, 0)
-
-	// Authenticate as oper.
-	tserver.sendCommand(operToken, map[string]any{
-		commandKey: "OPER",
-		bodyKey:    []string{testOperName, testOperPassword},
-	})
-
-	_, lastID = tserver.pollMessages(operToken, lastID)
-
-	// Kill the victim.
-	status, result := tserver.sendCommand(
-		operToken, map[string]any{
-			commandKey: "KILL",
-			bodyKey:    []string{"victim", "go away"},
-		},
-	)
-
-	if status != 200 {
-		t.Fatalf("expected 200, got %d: %v", status, result)
-	}
-
-	resultStatus, _ := result[statusKey].(string)
-	if resultStatus != "ok" {
-		t.Fatalf(
-			"expected status ok, got %v",
-			result,
-		)
-	}
-
-	// Verify the victim's session is gone by trying
-	// to WHOIS them.
-	tserver.sendCommand(operToken, map[string]any{
-		commandKey: "WHOIS",
-		toKey:      "victim",
-	})
-
-	msgs, _ := tserver.pollMessages(operToken, lastID)
-
-	// Should get 401 ERR_NOSUCHNICK.
-	if !findNumeric(msgs, "401") {
-		t.Fatalf(
-			"expected victim to be gone (401), got %v",
-			msgs,
-		)
-	}
-}
-
-func TestKillNotOper(t *testing.T) {
-	tserver := newTestServer(t)
-
-	_ = tserver.createSession("target")
-
-	token := tserver.createSession("notoper")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "KILL",
-		bodyKey:    []string{"target", "no reason"},
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 481 ERR_NOPRIVILEGES.
-	if !findNumeric(msgs, "481") {
-		t.Fatalf(
-			"expected ERR_NOPRIVILEGES (481), got %v",
-			msgs,
-		)
-	}
-}
-
-func TestKillNoParams(t *testing.T) {
-	tserver := newTestServerWithOper(t)
-
-	token := tserver.createSession("opertest")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "OPER",
-		bodyKey:    []string{testOperName, testOperPassword},
-	})
-
-	_, lastID = tserver.pollMessages(token, lastID)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "KILL",
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 461 ERR_NEEDMOREPARAMS.
-	if !findNumeric(msgs, "461") {
-		t.Fatalf(
-			"expected ERR_NEEDMOREPARAMS (461), got %v",
-			msgs,
-		)
-	}
-}
-
-// sendOperKillCommand is a helper that creates an oper
-// session, authenticates, then sends KILL with the given
-// target nick, and returns the resulting messages.
-func sendOperKillCommand(
-	t *testing.T,
-	tserver *testServer,
-	operNick, targetNick string,
-) []map[string]any {
-	t.Helper()
-
-	token := tserver.createSession(operNick)
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "OPER",
-		bodyKey:    []string{testOperName, testOperPassword},
-	})
-
-	_, lastID = tserver.pollMessages(token, lastID)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "KILL",
-		bodyKey:    []string{targetNick},
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	return msgs
-}
-
-func TestKillNonexistentUser(t *testing.T) {
-	tserver := newTestServerWithOper(t)
-
-	msgs := sendOperKillCommand(
-		t, tserver, "opertest2", "ghost",
-	)
-
-	// Expect 401 ERR_NOSUCHNICK.
-	if !findNumeric(msgs, "401") {
-		t.Fatalf(
-			"expected ERR_NOSUCHNICK (401), got %v",
-			msgs,
-		)
-	}
-}
-
-func TestKillSelf(t *testing.T) {
-	tserver := newTestServerWithOper(t)
-
-	msgs := sendOperKillCommand(
-		t, tserver, "selfkiller", "selfkiller",
-	)
-
-	// Expect 483 ERR_CANTKILLSERVER.
-	if !findNumeric(msgs, "483") {
-		t.Fatalf(
-			"expected ERR_CANTKILLSERVER (483), got %v",
-			msgs,
-		)
-	}
-}
-
-func TestKillBroadcastsQuit(t *testing.T) {
-	tserver := newTestServerWithOper(t)
-
-	// Create victim and join a channel.
-	victimToken := tserver.createSession("vuser")
-
-	tserver.sendCommand(victimToken, map[string]any{
-		commandKey: joinCmd,
-		toKey:      "#killtest",
-	})
-
-	// Create observer and join same channel.
-	observerToken := tserver.createSession("observer")
-
-	tserver.sendCommand(observerToken, map[string]any{
-		commandKey: joinCmd,
-		toKey:      "#killtest",
-	})
-
-	_, lastObs := tserver.pollMessages(observerToken, 0)
-
-	// Create oper.
-	operToken := tserver.createSession("theoper2")
-
-	tserver.pollMessages(operToken, 0)
-
-	tserver.sendCommand(operToken, map[string]any{
-		commandKey: "OPER",
-		bodyKey:    []string{testOperName, testOperPassword},
-	})
-
-	tserver.pollMessages(operToken, 0)
-
-	// Kill the victim.
-	tserver.sendCommand(operToken, map[string]any{
-		commandKey: "KILL",
-		bodyKey:    []string{"vuser", "testing kill"},
-	})
-
-	// Observer should see a QUIT message.
-	msgs, _ := tserver.pollMessages(observerToken, lastObs)
-
-	foundQuit := false
-
-	for _, msg := range msgs {
-		cmd, _ := msg["command"].(string)
-		if cmd == "QUIT" {
-			from, _ := msg["from"].(string)
-			if from == "vuser" {
-				foundQuit = true
-
-				break
-			}
-		}
-	}
-
-	if !foundQuit {
-		t.Fatalf(
-			"expected QUIT from vuser, got %v",
-			msgs,
-		)
-	}
-}
-
-// --- WALLOPS ---
-
-func TestWallopsSuccess(t *testing.T) {
-	tserver := newTestServerWithOper(t)
-
-	// Create receiver with +w.
-	receiverToken := tserver.createSession("receiver")
-
-	tserver.sendCommand(receiverToken, map[string]any{
-		commandKey: "MODE",
-		toKey:      "receiver",
-		bodyKey:    []string{"+w"},
-	})
-
-	_, lastRecv := tserver.pollMessages(receiverToken, 0)
-
-	// Create oper.
-	operToken := tserver.createSession("walloper")
-
-	tserver.pollMessages(operToken, 0)
-
-	tserver.sendCommand(operToken, map[string]any{
-		commandKey: "OPER",
-		bodyKey:    []string{testOperName, testOperPassword},
-	})
-
-	tserver.pollMessages(operToken, 0)
-
-	// Also set +w on oper so they receive it too.
-	tserver.sendCommand(operToken, map[string]any{
-		commandKey: "MODE",
-		toKey:      "walloper",
-		bodyKey:    []string{"+w"},
-	})
-
-	tserver.pollMessages(operToken, 0)
-
-	// Send WALLOPS.
-	tserver.sendCommand(operToken, map[string]any{
-		commandKey: "WALLOPS",
-		bodyKey:    []string{"server going down"},
-	})
-
-	// Receiver should get the WALLOPS message.
-	msgs, _ := tserver.pollMessages(receiverToken, lastRecv)
-
-	foundWallops := false
-
-	for _, msg := range msgs {
-		cmd, _ := msg["command"].(string)
-		if cmd == "WALLOPS" {
-			foundWallops = true
-
-			break
-		}
-	}
-
-	if !foundWallops {
-		t.Fatalf(
-			"expected WALLOPS message, got %v",
-			msgs,
-		)
-	}
-}
-
-func TestWallopsNotOper(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("notoper2")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "WALLOPS",
-		bodyKey:    []string{"hello"},
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 481 ERR_NOPRIVILEGES.
-	if !findNumeric(msgs, "481") {
-		t.Fatalf(
-			"expected ERR_NOPRIVILEGES (481), got %v",
-			msgs,
-		)
-	}
-}
-
-func TestWallopsNoParams(t *testing.T) {
-	tserver := newTestServerWithOper(t)
-
-	token := tserver.createSession("operempty")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "OPER",
-		bodyKey:    []string{testOperName, testOperPassword},
-	})
-
-	_, lastID = tserver.pollMessages(token, lastID)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "WALLOPS",
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 461 ERR_NEEDMOREPARAMS.
-	if !findNumeric(msgs, "461") {
-		t.Fatalf(
-			"expected ERR_NEEDMOREPARAMS (461), got %v",
-			msgs,
-		)
-	}
-}
-
-func TestWallopsNotReceivedWithoutW(t *testing.T) {
-	tserver := newTestServerWithOper(t)
-
-	// Create receiver WITHOUT +w.
-	receiverToken := tserver.createSession("nowallops")
-	_, lastRecv := tserver.pollMessages(receiverToken, 0)
-
-	// Create oper.
-	operToken := tserver.createSession("walloper2")
-
-	tserver.pollMessages(operToken, 0)
-
-	tserver.sendCommand(operToken, map[string]any{
-		commandKey: "OPER",
-		bodyKey:    []string{testOperName, testOperPassword},
-	})
-
-	tserver.pollMessages(operToken, 0)
-
-	// Send WALLOPS.
-	tserver.sendCommand(operToken, map[string]any{
-		commandKey: "WALLOPS",
-		bodyKey:    []string{"secret message"},
-	})
-
-	// Receiver should NOT get the WALLOPS message.
-	msgs, _ := tserver.pollMessages(receiverToken, lastRecv)
-
-	for _, msg := range msgs {
-		cmd, _ := msg["command"].(string)
-		if cmd == "WALLOPS" {
-			t.Fatalf(
-				"did not expect WALLOPS for user "+
-					"without +w, got %v",
-				msgs,
-			)
-		}
-	}
-}
-
-// --- User Mode +w ---
-
-func TestUserModeSetW(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("wmoder")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	// Set +w.
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "MODE",
-		toKey:      "wmoder",
-		bodyKey:    []string{"+w"},
-	})
-
-	msgs, lastID := tserver.pollMessages(token, lastID)
-
-	// Expect 221 RPL_UMODEIS with "+w".
-	msg := findNumericWithParams(msgs, "221")
-	if msg == nil {
-		t.Fatalf(
-			"expected RPL_UMODEIS (221), got %v",
-			msgs,
-		)
-	}
-
-	body := getNumericBody(msg)
-	if !strings.Contains(body, "w") {
-		t.Fatalf(
-			"expected mode string to contain 'w', got %q",
-			body,
-		)
-	}
-
-	// Now query mode.
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "MODE",
-		toKey:      "wmoder",
-	})
-
-	msgs, _ = tserver.pollMessages(token, lastID)
-
-	msg = findNumericWithParams(msgs, "221")
-	if msg == nil {
-		t.Fatalf(
-			"expected RPL_UMODEIS (221) on query, got %v",
-			msgs,
-		)
-	}
-
-	body = getNumericBody(msg)
-	if !strings.Contains(body, "w") {
-		t.Fatalf(
-			"expected mode '+w' in query, got %q",
-			body,
-		)
-	}
-}
-
-func TestUserModeUnsetW(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("wunsetter")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	// Set +w first.
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "MODE",
-		toKey:      "wunsetter",
-		bodyKey:    []string{"+w"},
-	})
-
-	_, lastID = tserver.pollMessages(token, lastID)
-
-	// Unset -w.
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "MODE",
-		toKey:      "wunsetter",
-		bodyKey:    []string{"-w"},
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	msg := findNumericWithParams(msgs, "221")
-	if msg == nil {
-		t.Fatalf(
-			"expected RPL_UMODEIS (221), got %v",
-			msgs,
-		)
-	}
-
-	body := getNumericBody(msg)
-	if strings.Contains(body, "w") {
-		t.Fatalf(
-			"expected 'w' to be removed, got %q",
-			body,
-		)
-	}
-}
-
-func TestUserModeUnknownFlag(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("badmode")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "MODE",
-		toKey:      "badmode",
-		bodyKey:    []string{"+z"},
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 501 ERR_UMODEUNKNOWNFLAG.
-	if !findNumeric(msgs, "501") {
-		t.Fatalf(
-			"expected ERR_UMODEUNKNOWNFLAG (501), got %v",
-			msgs,
-		)
-	}
-}
-
-func TestUserModeCannotSetO(t *testing.T) {
-	tserver := newTestServer(t)
-
-	token := tserver.createSession("tryoper")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	// Try to set +o via MODE (should fail).
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "MODE",
-		toKey:      "tryoper",
-		bodyKey:    []string{"+o"},
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 501 ERR_UMODEUNKNOWNFLAG.
-	if !findNumeric(msgs, "501") {
-		t.Fatalf(
-			"expected ERR_UMODEUNKNOWNFLAG (501), got %v",
-			msgs,
-		)
-	}
-}
-
-func TestUserModeDeoper(t *testing.T) {
-	tserver := newTestServerWithOper(t)
-
-	token := tserver.createSession("deoper")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	// Authenticate as oper.
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "OPER",
-		bodyKey:    []string{testOperName, testOperPassword},
-	})
-
-	_, lastID = tserver.pollMessages(token, lastID)
-
-	// Use MODE -o to de-oper.
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "MODE",
-		toKey:      "deoper",
-		bodyKey:    []string{"-o"},
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	msg := findNumericWithParams(msgs, "221")
-	if msg == nil {
-		t.Fatalf(
-			"expected RPL_UMODEIS (221), got %v",
-			msgs,
-		)
-	}
-
-	body := getNumericBody(msg)
-	if strings.Contains(body, "o") {
-		t.Fatalf(
-			"expected 'o' to be removed, got %q",
-			body,
-		)
-	}
-}
-
-func TestUserModeCannotChangeOtherUser(t *testing.T) {
-	tserver := newTestServer(t)
-
-	_ = tserver.createSession("other")
-
-	token := tserver.createSession("changer")
-	_, lastID := tserver.pollMessages(token, 0)
-
-	// Try to change another user's mode.
-	tserver.sendCommand(token, map[string]any{
-		commandKey: "MODE",
-		toKey:      "other",
-		bodyKey:    []string{"+w"},
-	})
-
-	msgs, _ := tserver.pollMessages(token, lastID)
-
-	// Expect 502 ERR_USERSDONTMATCH.
-	if !findNumeric(msgs, "502") {
-		t.Fatalf(
-			"expected ERR_USERSDONTMATCH (502), got %v",
-			msgs,
-		)
-	}
-}
-
-// getNumericBody extracts the body text from a numeric
-// message. The body is stored as a JSON array; this
-// returns the first element.
-func getNumericBody(msg map[string]any) string {
-	raw, exists := msg["body"]
-	if !exists || raw == nil {
-		return ""
-	}
-
-	arr, isArr := raw.([]any)
-	if !isArr || len(arr) == 0 {
-		return ""
-	}
-
-	str, isStr := arr[0].(string)
-	if !isStr {
-		return ""
-	}
-
-	return str
-}
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -126,23 +126,18 @@ func (mware *Middleware) Logging() func(http.Handler) http.Handler {
 }

 // CORS returns middleware that handles Cross-Origin Resource Sharing.
-// AllowCredentials is true so browsers include cookies in
-// cross-origin API requests.
 func (mware *Middleware) CORS() func(http.Handler) http.Handler {
 	return cors.Handler(cors.Options{ //nolint:exhaustruct // optional fields
-		AllowOriginFunc: func(
-			_ *http.Request, _ string,
-		) bool {
-			return true
-		},
+		AllowedOrigins: []string{"*"},
 		AllowedMethods: []string{
 			"GET", "POST", "PUT", "DELETE", "OPTIONS",
 		},
 		AllowedHeaders: []string{
-			"Accept", "Content-Type", "X-CSRF-Token",
+			"Accept", "Authorization",
+			"Content-Type", "X-CSRF-Token",
 		},
 		ExposedHeaders:   []string{"Link"},
-		AllowCredentials: true,
+		AllowCredentials: false,
 		MaxAge:           corsMaxAge,
 	})
 }
--- a/internal/server/routes.go
+++ b/internal/server/routes.go
@@ -75,6 +75,10 @@ func (srv *Server) setupAPIv1(router chi.Router) {
 		"/session",
 		srv.handlers.HandleCreateSession(),
 	)
+	router.Post(
+		"/register",
+		srv.handlers.HandleRegister(),
+	)
 	router.Post(
 		"/login",
 		srv.handlers.HandleLogin(),
--- a/pkg/irc/commands.go
+++ b/pkg/irc/commands.go
@@ -2,13 +2,8 @@ package irc

 // IRC command names (RFC 1459 / RFC 2812).
 const (
-	CmdAdmin    = "ADMIN"
 	CmdAway    = "AWAY"
-	CmdInfo     = "INFO"
-	CmdInvite   = "INVITE"
 	CmdJoin    = "JOIN"
-	CmdKick     = "KICK"
-	CmdKill     = "KILL"
 	CmdList    = "LIST"
 	CmdLusers  = "LUSERS"
 	CmdMode    = "MODE"
@@ -16,18 +11,12 @@ const (
 	CmdNames   = "NAMES"
 	CmdNick    = "NICK"
 	CmdNotice  = "NOTICE"
-	CmdOper     = "OPER"
-	CmdPass     = "PASS"
 	CmdPart    = "PART"
 	CmdPing    = "PING"
 	CmdPong    = "PONG"
 	CmdPrivmsg = "PRIVMSG"
 	CmdQuit    = "QUIT"
-	CmdTime     = "TIME"
 	CmdTopic   = "TOPIC"
-	CmdUserhost = "USERHOST"
-	CmdVersion  = "VERSION"
-	CmdWallops  = "WALLOPS"
 	CmdWho     = "WHO"
 	CmdWhois   = "WHOIS"
 )
--- a/pkg/irc/numerics.go
+++ b/pkg/irc/numerics.go
@@ -132,7 +132,6 @@ const (
 	RplNoTopic         IRCMessageType = 331
 	RplTopic           IRCMessageType = 332
 	RplTopicWhoTime    IRCMessageType = 333
-	RplWhoisActually   IRCMessageType = 338
 	RplInviting        IRCMessageType = 341
 	RplSummoning       IRCMessageType = 342
 	RplInviteList      IRCMessageType = 346
@@ -296,7 +295,6 @@ var names = map[IRCMessageType]string{
 	RplNoTopic:         "RPL_NOTOPIC",
 	RplTopic:           "RPL_TOPIC",
 	RplTopicWhoTime:    "RPL_TOPICWHOTIME",
-	RplWhoisActually:   "RPL_WHOISACTUALLY",
 	RplInviting:        "RPL_INVITING",
 	RplSummoning:       "RPL_SUMMONING",
 	RplInviteList:      "RPL_INVITELIST",