calvinmclean · Apr 12, 2024
diff --git a/‎examples/event-rsvp/Dockerfile
+13 b/‎examples/event-rsvp/Dockerfile
+13
diff --git a/‎examples/event-rsvp/README.md
+31 b/‎examples/event-rsvp/README.md
+31
diff --git a/‎examples/event-rsvp/main.go
+454 b/‎examples/event-rsvp/main.go
+454
diff --git a/‎examples/event-rsvp/main_test.go
+526 b/‎examples/event-rsvp/main_test.go
+526
diff --git a/‎examples/event-rsvp/template.html
+235 b/‎examples/event-rsvp/template.html
+235
@@ -0,0 +1,13 @@
+FROM golang:1.21-alpine AS build
+RUN mkdir /build
+ADD . /build
+WORKDIR /build
+RUN go mod init event-rsvp && \
+    go mod tidy && \
+    go build -o event-rsvp .
+
+FROM alpine:latest AS production
+RUN mkdir /app
+WORKDIR /app
+COPY --from=build /build/event-rsvp .
+ENTRYPOINT ["/app/event-rsvp", "serve"]
@@ -0,0 +1,31 @@
+# Event RSVP Example
+
+This example implements a simple application for managing event invites and RSVPs. An `Event` is created with a password so only the owner can modify it. Then, an `Invite` each includes a unique identifier to ID the RSVPer and grant them read-only access to the `Event`.
+
+> [!CAUTION]
+> This example application deals with passwords, salts, and hashes but is not intended to be 100% cryptographically secure. Passwords are included in visible query params and sent without encryption. The salt and hash are stored in plain text. Invite IDs are used to grant read-only access to the `Event` and [`rs/xid`](https://github.com/rs/xid) is not cryptographically secure
+
+ You can use the CLI the create Events and Invites:
+
+```shell
+# Create a new Event
+go run examples/event-rsvp/main.go \
+  post Event '{"Name": "Party", "Password": "password", "Address": "My House", "Details": "Party on!", "Date": "2024-01-01T20:00:00-07:00"}'
+
+# Add Invite to the Event
+go run examples/event-rsvp/main.go \
+  -q 'password=password' \
+  post Invite '{"Name": "Firstname Lastname"}' cm2vm15o4026969kq690
+```
+
+Or use the UI!
+
+
+## How To
+
+Run the application:
+```shell
+go run main.go
+```
+
+Then, use the UI at http://localhost:8080/events
@@ -0,0 +1,454 @@
+package main
+
+import (
+	"context"
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+	"encoding/csv"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"html/template"
+	"net/http"
+	"os"
+	"strings"
+
+	"github.com/calvinmclean/babyapi"
+	"github.com/calvinmclean/babyapi/extensions"
+	"github.com/go-chi/render"
+
+	_ "embed"
+)
+
+//go:embed template.html
+var templates []byte
+
+const (
+	invitesCtxKey  babyapi.ContextKey = "invites"
+	passwordCtxKey babyapi.ContextKey = "password"
+)
+
+type API struct {
+	Events  *babyapi.API[*Event]
+	Invites *babyapi.API[*Invite]
+}
+
+// Export invites to CSV format for use with external tools
+func (api *API) export(w http.ResponseWriter, r *http.Request) render.Renderer {
+	event, httpErr := api.Events.GetRequestedResource(r)
+	if httpErr != nil {
+		return httpErr
+	}
+
+	invites, err := api.Invites.Storage.GetAll(func(i *Invite) bool {
+		return i.EventID == event.GetID()
+	})
+	if err != nil {
+		return babyapi.InternalServerError(err)
+	}
+
+	w.Header().Set("Content-Type", "text/csv")
+	w.Header().Set("Content-Disposition", fmt.Sprintf("attachment;filename=event_%s_invites.csv", event.GetID()))
+
+	csvWriter := csv.NewWriter(w)
+	err = csvWriter.Write([]string{"ID", "Name", "Contact", "RSVP", "Link"})
+	if err != nil {
+		return babyapi.InternalServerError(err)
+	}
+
+	for _, invite := range invites {
+		rsvp := ""
+		if invite.RSVP != nil {
+			rsvp = fmt.Sprintf("%t", *invite.RSVP)
+		}
+		err = csvWriter.Write([]string{
+			invite.GetID(),
+			invite.Name,
+			invite.Contact,
+			rsvp,
+			invite.link(r),
+		})
+		if err != nil {
+			return babyapi.InternalServerError(err)
+		}
+	}
+
+	csvWriter.Flush()
+
+	err = csvWriter.Error()
+	if err != nil {
+		return babyapi.InternalServerError(err)
+	}
+
+	return nil
+}
+
+// Use a custom route to set RSVP so rsvpResponse can be used to return HTML buttons
+func (api *API) rsvp(r *http.Request, invite *Invite) (render.Renderer, *babyapi.ErrResponse) {
+	if err := r.ParseForm(); err != nil {
+		return nil, babyapi.ErrInvalidRequest(fmt.Errorf("error parsing form data: %w", err))
+	}
+
+	rsvp := r.Form.Get("RSVP") == "true"
+	invite.RSVP = &rsvp
+
+	err := api.Invites.Storage.Set(invite)
+	if err != nil {
+		return nil, babyapi.InternalServerError(err)
+	}
+	return &rsvpResponse{invite}, nil
+}
+
+// Allow adding bulk invites with a single request
+func (api *API) addBulkInvites(r *http.Request, event *Event) (render.Renderer, *babyapi.ErrResponse) {
+	if err := r.ParseForm(); err != nil {
+		return nil, babyapi.ErrInvalidRequest(fmt.Errorf("error parsing form data: %w", err))
+	}
+
+	inputs := strings.Split(r.Form.Get("invites"), ";")
+
+	invites := []*Invite{}
+	for _, invite := range inputs {
+		split := strings.Split(invite, ",")
+
+		name := split[0]
+
+		var contact string
+		if len(split) > 1 {
+			contact = split[1]
+		}
+
+		inv := &Invite{
+			DefaultResource: babyapi.NewDefaultResource(),
+			Name:            strings.TrimSpace(name),
+			Contact:         strings.TrimSpace(contact),
+			EventID:         event.GetID(),
+		}
+		invites = append(invites, inv)
+
+		err := api.Invites.Storage.Set(inv)
+		if err != nil {
+			return nil, babyapi.InternalServerError(err)
+		}
+	}
+
+	return &bulkInvitesResponse{nil, invites}, nil
+}
+
+// authenticationMiddleware enforces access to Events and Invites. Admin access to an Event requires a password query parameter.
+// Access to Invites is allowed by the invite ID and requires no extra auth. The invite ID in the path or query parameter allows
+// read-only access to the Event
+func (api *API) authenticationMiddleware(r *http.Request, event *Event) (*http.Request, *babyapi.ErrResponse) {
+	password := r.URL.Query().Get("password")
+	inviteID := r.URL.Query().Get("invite")
+	if inviteID == "" {
+		inviteID = api.Invites.GetIDParam(r)
+	}
+
+	switch {
+	case password != "":
+		err := event.Authenticate(password)
+		if err == nil {
+			return r, nil
+		}
+	case inviteID != "":
+		invite, err := api.Invites.Storage.Get(inviteID)
+		if err != nil {
+			if errors.Is(err, babyapi.ErrNotFound) {
+				return r, babyapi.ErrForbidden
+			}
+			return r, babyapi.InternalServerError(err)
+		}
+		if invite.EventID == event.GetID() {
+			return r, nil
+		}
+	}
+
+	return r, babyapi.ErrForbidden
+}
+
+// getAllInvitesMiddleware will get all invites when rendering HTML so it is accessible to the endpoint
+func (api *API) getAllInvitesMiddleware(r *http.Request, event *Event) (*http.Request, *babyapi.ErrResponse) {
+	if render.GetAcceptedContentType(r) != render.ContentTypeHTML {
+		return r, nil
+	}
+	// If password auth is used and this middleware is reached, we know it's admin
+	// Otherwise, don't fetch invites
+	if r.URL.Query().Get("password") == "" {
+		return r, nil
+	}
+
+	invites, err := api.Invites.Storage.GetAll(func(i *Invite) bool {
+		return i.EventID == event.GetID()
+	})
+	if err != nil {
+		return r, babyapi.InternalServerError(err)
+	}
+
+	ctx := context.WithValue(r.Context(), invitesCtxKey, invites)
+	r = r.WithContext(ctx)
+	return r, nil
+}
+
+type Event struct {
+	babyapi.DefaultResource
+
+	Name     string
+	Contact  string
+	Date     string
+	Location string
+	Details  string
+
+	// Password should only be used in POST requests to create new Events and then is removed
+	Password string `json:",omitempty"`
+	// this unexported password allows using it internally without exporting to storage or responses
+	password string
+
+	// These fields are excluded from responses
+	Salt string `json:",omitempty"`
+	Key  string `json:",omitempty"`
+}
+
+func (e *Event) Render(w http.ResponseWriter, r *http.Request) error {
+	// Keep Salt and Key private when creating responses
+	e.Salt = ""
+	e.Key = ""
+
+	if r.Method == http.MethodPost {
+		path := fmt.Sprintf("/events/%s?password=%s", e.GetID(), e.password)
+		headers := `{"Accept": "text/html"}`
+		w.Header().Add("HX-Location", fmt.Sprintf(`{"path": "%s", "headers": %s}`, path, headers))
+	}
+
+	return nil
+}
+
+// Disable PUT requests for Events because it complicates things with passwords
+// When creating a new resource with POST, salt and hash the password for storing
+func (e *Event) Bind(r *http.Request) error {
+	switch r.Method {
+	case http.MethodPut:
+		render.Status(r, http.StatusMethodNotAllowed)
+		return fmt.Errorf("PUT not allowed")
+	case http.MethodPost:
+		if e.Password == "" {
+			return errors.New("missing required 'password' field")
+		}
+
+		var err error
+		e.Salt, err = randomSalt()
+		if err != nil {
+			return fmt.Errorf("error generating random salt: %w", err)
+		}
+
+		e.Key = hash(e.Salt, e.Password)
+
+		e.password = e.Password
+		e.Password = ""
+	}
+
+	return e.DefaultResource.Bind(r)
+}
+
+func (e *Event) HTML(r *http.Request) string {
+	return renderTemplate(r, "eventPage", struct {
+		Password string
+		*Event
+		Invites []*Invite
+	}{r.URL.Query().Get("password"), e, getInvitesFromContext(r.Context())})
+}
+
+func (e *Event) Authenticate(password string) error {
+	if hash(e.Salt, password) != e.Key {
+		return errors.New("invalid password")
+	}
+	return nil
+}
+
+type Invite struct {
+	babyapi.DefaultResource
+
+	Name    string
+	Contact string
+
+	EventID string
+	RSVP    *bool // nil = no response, otherwise true/false
+}
+
+// Set EventID to event from URL path when creating a new Invite
+func (i *Invite) Bind(r *http.Request) error {
+	switch r.Method {
+	case http.MethodPost:
+		i.EventID = babyapi.GetIDParam(r, "Event")
+	}
+
+	return i.DefaultResource.Bind(r)
+}
+
+func (i *Invite) HTML(r *http.Request) string {
+	event, _ := babyapi.GetResourceFromContext[*Event](r.Context(), babyapi.ContextKey("Event"))
+
+	return renderTemplate(r, "invitePage", struct {
+		*Invite
+		Attending string
+		Event     *Event
+	}{i, i.attending(), event})
+}
+
+// get RSVP status as a string for easier template processing
+func (i *Invite) attending() string {
+	attending := "unknown"
+	if i.RSVP != nil && *i.RSVP {
+		attending = "attending"
+	}
+	if i.RSVP != nil && !*i.RSVP {
+		attending = "not attending"
+	}
+
+	return attending
+}
+
+func (i *Invite) link(r *http.Request) string {
+	return fmt.Sprintf("%s/events/%s/invites/%s", r.Host, i.EventID, i.GetID())
+}
+
+// rsvpResponse is a custom response struct that allows implementing a different HTML method for HTMLer
+// This will just render the HTML buttons for an HTMX partial swap
+type rsvpResponse struct {
+	*Invite
+}
+
+func (rsvp *rsvpResponse) HTML(r *http.Request) string {
+	return renderTemplate(
+		r,
+		"rsvpButtons",
+		struct {
+			*Invite
+			Attending string
+		}{rsvp.Invite, rsvp.attending()},
+	)
+}
+
+type bulkInvitesResponse struct {
+	*babyapi.DefaultRenderer
+
+	Invites []*Invite
+}
+
+func (bi *bulkInvitesResponse) HTML(r *http.Request) string {
+	return renderTemplate(r, "bulkInvites", bi)
+}
+
+func main() {
+	api := createAPI()
+	api.Events.RunCLI()
+}
+
+func createAPI() *API {
+	api := &API{
+		Events: babyapi.NewAPI(
+			"Event", "/events",
+			func() *Event { return &Event{} },
+		),
+		Invites: babyapi.NewAPI(
+			"Invite", "/invites",
+			func() *Invite { return &Invite{} },
+		),
+	}
+
+	api.Invites.ApplyExtension(extensions.HTMX[*Invite]{})
+
+	api.Invites.AddCustomRoute(http.MethodPost, "/bulk", api.Events.GetRequestedResourceAndDo(api.addBulkInvites))
+
+	api.Invites.AddCustomRoute(http.MethodGet, "/export", babyapi.Handler(api.export))
+
+	api.Invites.AddCustomIDRoute(http.MethodPut, "/rsvp", api.Invites.GetRequestedResourceAndDo(api.rsvp))
+
+	api.Events.AddCustomRootRoute(http.MethodGet, "/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		http.Redirect(w, r, api.Events.Base(), http.StatusSeeOther)
+	}))
+
+	api.Events.AddNestedAPI(api.Invites)
+
+	api.Events.GetAll = func(w http.ResponseWriter, r *http.Request) {
+		if render.GetAcceptedContentType(r) != render.ContentTypeHTML {
+			render.Render(w, r, babyapi.ErrForbidden)
+			return
+		}
+
+		render.HTML(w, r, renderTemplate(r, "createEventPage", map[string]any{}))
+	}
+
+	api.Events.AddIDMiddleware(api.Events.GetRequestedResourceAndDoMiddleware(api.authenticationMiddleware))
+
+	api.Events.AddIDMiddleware(api.Events.GetRequestedResourceAndDoMiddleware(api.getAllInvitesMiddleware))
+
+	filename := os.Getenv("STORAGE_FILE")
+	if filename == "" {
+		filename = "storage.json"
+	}
+
+	dbConfig := extensions.KVConnectionConfig{
+		Filename:      filename,
+		RedisHost:     os.Getenv("REDIS_HOST"),
+		RedisPassword: os.Getenv("REDIS_PASS"),
+	}
+
+	db, err := dbConfig.CreateDB()
+	if err != nil {
+		panic(err)
+	}
+
+	api.Events.ApplyExtension(extensions.KeyValueStorage[*Event]{DB: db})
+	api.Invites.ApplyExtension(extensions.KeyValueStorage[*Invite]{DB: db})
+
+	return api
+}
+
+func hash(salt, password string) string {
+	hasher := sha256.New()
+	hasher.Write([]byte(salt + password))
+
+	return hex.EncodeToString(hasher.Sum(nil))
+}
+
+func randomSalt() (string, error) {
+	randomBytes := make([]byte, 24)
+	_, err := rand.Read(randomBytes)
+	if err != nil {
+		return "", err
+	}
+
+	return base64.URLEncoding.EncodeToString(randomBytes), nil
+}
+
+func getInvitesFromContext(ctx context.Context) []*Invite {
+	ctxData := ctx.Value(invitesCtxKey)
+	if ctxData == nil {
+		return nil
+	}
+
+	invites, ok := ctxData.([]*Invite)
+	if !ok {
+		return nil
+	}
+
+	return invites
+}
+
+func renderTemplate(r *http.Request, name string, data any) string {
+	tmpl, err := template.New(name).Funcs(map[string]any{
+		"serverURL": func() string {
+			return r.Host
+		},
+		"attending": func(i *Invite) string {
+			return i.attending()
+		},
+	}).Parse(string(templates))
+	if err != nil {
+		panic(err)
+	}
+
+	return babyapi.MustRenderHTML(tmpl, data)
+}
@@ -0,0 +1,526 @@
+package main
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+	"testing"
+
+	"github.com/calvinmclean/babyapi"
+	babytest "github.com/calvinmclean/babyapi/test"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAPI(t *testing.T) {
+	defer os.RemoveAll("storage.json")
+
+	api := createAPI()
+
+	babytest.RunTableTest(t, api.Events, []babytest.TestCase[*babyapi.AnyResource]{
+		{
+			Name: "ErrorCreatingEventWithoutPassword",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method: http.MethodPost,
+				Body:   `{"Name": "Party"}`,
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusBadRequest,
+				Body:   `{"status":"Invalid request.","error":"missing required 'password' field"}`,
+				Error:  "error posting resource: unexpected response with text: Invalid request.",
+			},
+		},
+		{
+			Name: "CreateEvent",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method: http.MethodPost,
+				Body:   `{"Name": "Party", "Password": "secret"}`,
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:     http.StatusCreated,
+				BodyRegexp: `{"id":"[0-9a-v]{20}","Name":"Party","Contact":"","Date":"","Location":"","Details":""}`,
+			},
+		},
+		{
+			Name: "GetEventForbidden",
+			Test: babytest.RequestFuncTest[*babyapi.AnyResource](func(getResponse babytest.PreviousResponseGetter, address string) *http.Request {
+				id := getResponse("CreateEvent").Data.GetID()
+				address = fmt.Sprintf("%s/events/%s", address, id)
+
+				r, err := http.NewRequest(http.MethodGet, address, http.NoBody)
+				require.NoError(t, err)
+				return r
+			}),
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusForbidden,
+				Body:   `{"status":"Forbidden"}`,
+			},
+		},
+		{
+			Name: "GetEvent",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method:   http.MethodGet,
+				RawQuery: "password=secret",
+				IDFunc: func(getResponse babytest.PreviousResponseGetter) string {
+					return getResponse("CreateEvent").Data.GetID()
+				},
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:     http.StatusOK,
+				BodyRegexp: `{"id":"[0-9a-v]{20}","Name":"Party","Contact":"","Date":"","Location":"","Details":""}`,
+			},
+		},
+		{
+			Name: "GetAllEventsForbidden",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method:   babytest.MethodGetAll,
+				RawQuery: "password=secret",
+				IDFunc: func(getResponse babytest.PreviousResponseGetter) string {
+					return getResponse("CreateEvent").Data.GetID()
+				},
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusForbidden,
+				Body:   `{"status":"Forbidden"}`,
+				Error:  "error getting all resources: unexpected response with text: Forbidden",
+			},
+		},
+		{
+			Name: "GetAllEventsForbiddenUsingRequestFuncTest",
+			Test: babytest.RequestFuncTest[*babyapi.AnyResource](func(getResponse babytest.PreviousResponseGetter, address string) *http.Request {
+				r, err := http.NewRequest(http.MethodGet, address+"/events", http.NoBody)
+				require.NoError(t, err)
+				return r
+			}),
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusForbidden,
+				Body:   `{"status":"Forbidden"}`,
+			},
+		},
+		{
+			Name: "GetEventWithInvalidInvite",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method:   http.MethodGet,
+				RawQuery: "invite=DoesNotExist",
+				IDFunc: func(getResponse babytest.PreviousResponseGetter) string {
+					return getResponse("CreateEvent").Data.GetID()
+				},
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusForbidden,
+				Body:   `{"status":"Forbidden"}`,
+				Error:  "error getting resource: unexpected response with text: Forbidden",
+			},
+		},
+		{
+			Name: "PUTNotAllowed",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method:   http.MethodPut,
+				RawQuery: "password=secret",
+				IDFunc: func(getResponse babytest.PreviousResponseGetter) string {
+					return getResponse("CreateEvent").Data.GetID()
+				},
+				BodyFunc: func(getResponse babytest.PreviousResponseGetter) string {
+					return fmt.Sprintf(`{"id": "%s", "name": "New Name"}`, getResponse("CreateEvent").Data.GetID())
+				},
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusBadRequest,
+				Body:   `{"status":"Invalid request.","error":"PUT not allowed"}`,
+				Error:  "error putting resource: unexpected response with text: Invalid request.",
+			},
+		},
+		{
+			Name: "CannotCreateInviteWithoutEventPassword",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method: http.MethodPost,
+				ParentIDsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					return []string{getResponse("CreateEvent").Data.GetID()}
+				},
+				Body: `{"Name": "Name"}`,
+			},
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusForbidden,
+				Body:   `{"status":"Forbidden"}`,
+				Error:  "error posting resource: unexpected response with text: Forbidden",
+			},
+		},
+		{
+			Name: "CreateInvite",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method:   http.MethodPost,
+				RawQuery: "password=secret",
+				ParentIDsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					return []string{getResponse("CreateEvent").Data.GetID()}
+				},
+				Body: `{"Name": "Firstname Lastname"}`,
+			},
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:     http.StatusCreated,
+				BodyRegexp: `{"id":"[0-9a-v]{20}","Name":"Firstname Lastname","Contact":"","EventID":"[0-9a-v]{20}","RSVP":null}`,
+			},
+		},
+		{
+			Name: "GetInvite",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method: http.MethodGet,
+				ParentIDsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					return []string{getResponse("CreateEvent").Data.GetID()}
+				},
+				IDFunc: func(getResponse babytest.PreviousResponseGetter) string {
+					return getResponse("CreateInvite").Data.GetID()
+				},
+			},
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:     http.StatusOK,
+				BodyRegexp: `{"id":"[0-9a-v]{20}","Name":"Firstname Lastname","Contact":"","EventID":"[0-9a-v]{20}","RSVP":null}`,
+			},
+		},
+		{
+			Name: "ListInvites",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method:   babytest.MethodGetAll,
+				RawQuery: "password=secret",
+				ParentIDsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					return []string{getResponse("CreateEvent").Data.GetID()}
+				},
+				IDFunc: func(getResponse babytest.PreviousResponseGetter) string {
+					return getResponse("CreateInvite").Data.GetID()
+				},
+			},
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:     http.StatusOK,
+				BodyRegexp: `{"items":\[{"id":"[0-9a-v]{20}","Name":"Firstname Lastname","Contact":"","EventID":"[0-9a-v]{20}","RSVP":null}]`,
+			},
+		},
+		{
+			Name: "ListInviteUsingRequestFuncTest",
+			Test: babytest.RequestFuncTest[*babyapi.AnyResource](func(getResponse babytest.PreviousResponseGetter, address string) *http.Request {
+				id := getResponse("CreateEvent").Data.GetID()
+				address = fmt.Sprintf("%s/events/%s/invites", address, id)
+
+				r, err := http.NewRequest(babytest.MethodGetAll, address, http.NoBody)
+				require.NoError(t, err)
+
+				q := r.URL.Query()
+				q.Add("password", "secret")
+				r.URL.RawQuery = q.Encode()
+
+				return r
+			}),
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:     http.StatusOK,
+				BodyRegexp: `{"items":\[{"id":"[0-9a-v]{20}","Name":"Firstname Lastname","Contact":"","EventID":"[0-9a-v]{20}","RSVP":null}]`,
+			},
+		},
+		{
+			Name: "GetEventWithInviteIDAsPassword",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method: http.MethodGet,
+				RawQueryFunc: func(getResponse babytest.PreviousResponseGetter) string {
+					return "invite=" + getResponse("CreateInvite").Data.GetID()
+				},
+				ParentIDsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					return []string{getResponse("CreateEvent").Data.GetID()}
+				},
+				IDFunc: func(getResponse babytest.PreviousResponseGetter) string {
+					return getResponse("CreateInvite").Data.GetID()
+				},
+			},
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:     http.StatusOK,
+				BodyRegexp: `{"id":"[0-9a-v]{20}","Name":"Firstname Lastname","Contact":"","EventID":"[0-9a-v]{20}","RSVP":null}`,
+			},
+		},
+		{
+			Name: "DeleteInvite",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method: http.MethodDelete,
+				ParentIDsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					return []string{getResponse("CreateEvent").Data.GetID()}
+				},
+				IDFunc: func(getResponse babytest.PreviousResponseGetter) string {
+					return getResponse("CreateInvite").Data.GetID()
+				},
+			},
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusOK,
+				NoBody: true,
+			},
+		},
+		{
+			Name: "PatchErrorNotConfigured",
+			Test: babytest.RequestTest[*babyapi.AnyResource]{
+				Method:   http.MethodPatch,
+				RawQuery: "password=secret",
+				IDFunc: func(getResponse babytest.PreviousResponseGetter) string {
+					return getResponse("CreateEvent").Data.GetID()
+				},
+				Body: `{"Name": "NEW"}`,
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusMethodNotAllowed,
+				Error:  "error patching resource: unexpected response with text: Method not allowed.",
+				Body:   `{"status":"Method not allowed."}`,
+			},
+		},
+	})
+}
+
+func TestIndividualTest(t *testing.T) {
+	defer os.RemoveAll("storage.json")
+
+	api := createAPI()
+
+	client, stop := babytest.NewTestClient[*Event](t, api.Events)
+	defer stop()
+
+	babytest.TestCase[*Event]{
+		Name: "CreateEvent",
+		Test: babytest.RequestTest[*Event]{
+			Method: http.MethodPost,
+			Body:   `{"Name": "Party", "Password": "secret"}`,
+		},
+		ExpectedResponse: babytest.ExpectedResponse{
+			Status:     http.StatusCreated,
+			BodyRegexp: `{"id":"[0-9a-v]{20}","Name":"Party","Contact":"","Date":"","Location":"","Details":""}`,
+		},
+		Assert: func(r *babytest.Response[*Event]) {
+			require.Equal(t, "Party", r.Data.Name)
+		},
+	}.Run(t, client)
+
+	resp := babytest.TestCase[*Event]{
+		Name: "CreateEvent",
+		Test: babytest.RequestTest[*Event]{
+			Method: http.MethodPost,
+			Body:   `{"Name": "Party", "Password": "secret"}`,
+		},
+		ExpectedResponse: babytest.ExpectedResponse{
+			Status:     http.StatusCreated,
+			BodyRegexp: `{"id":"[0-9a-v]{20}","Name":"Party","Contact":"","Date":"","Location":"","Details":""}`,
+		},
+		Assert: func(r *babytest.Response[*Event]) {
+			require.Equal(t, "Party", r.Data.Name)
+		},
+	}.RunWithResponse(t, client)
+	require.NotNil(t, resp)
+}
+
+func TestCLI(t *testing.T) {
+	defer os.RemoveAll("storage.json")
+
+	api := createAPI()
+
+	babytest.RunTableTest(t, api.Events, []babytest.TestCase[*babyapi.AnyResource]{
+		{
+			Name: "ErrorCreatingEventWithoutPassword",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				Args:    []string{"event", "post", "-d", `{"Name": "Party"}`},
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusBadRequest,
+				Body:   `{"status":"Invalid request.","error":"missing required 'password' field"}`,
+				Error:  "error running client from CLI: error running Post: error posting resource: unexpected response with text: Invalid request.",
+			},
+		},
+		{
+			Name: "CreateEvent",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				Args:    []string{"event", "post", "-d", `{"Name": "Party", "Password": "secret"}`},
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:       http.StatusCreated,
+				BodyRegexp:   `{"id":"[0-9a-v]{20}","Name":"Party","Contact":"","Date":"","Location":"","Details":""}`,
+				CLIOutRegexp: `{\s+"Contact": "",\s+"Date": "",\s+"Details": "",\s+"Location": "",\s+"Name": "Party",\s+"id": "[0-9a-v]{20}"\s+}\s*`,
+			},
+		},
+		{
+			Name: "GetEventForbidden",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				ArgsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					return []string{"event", "get", getResponse("CreateEvent").Data.GetID()}
+				},
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusForbidden,
+				Body:   `{"status":"Forbidden"}`,
+				Error:  "error running client from CLI: error running Get: error getting resource: unexpected response with text: Forbidden",
+			},
+		},
+		{
+			Name: "GetEvent",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				ArgsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					return []string{"event", "get", getResponse("CreateEvent").Data.GetID(), "-q", "password=secret"}
+				},
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:     http.StatusOK,
+				BodyRegexp: `{"id":"[0-9a-v]{20}","Name":"Party","Contact":"","Date":"","Location":"","Details":""}`,
+			},
+		},
+		{
+			Name: "GetEventWithInvalidInvite",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				ArgsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					return []string{"event", "get", getResponse("CreateEvent").Data.GetID(), "-q", "invite=DoesNotExist"}
+				},
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusForbidden,
+				Body:   `{"status":"Forbidden"}`,
+				Error:  "error running client from CLI: error running Get: error getting resource: unexpected response with text: Forbidden",
+			},
+		},
+		{
+			Name: "PUTNotAllowed",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				ArgsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					return []string{
+						"event", "put",
+						getResponse("CreateEvent").Data.GetID(),
+						"-d", fmt.Sprintf(`{"id": "%s", "name": "New Name"}`, getResponse("CreateEvent").Data.GetID()),
+						"-q", "password=secret",
+					}
+				},
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusBadRequest,
+				Body:   `{"status":"Invalid request.","error":"PUT not allowed"}`,
+				Error:  "error running client from CLI: error running Put: error putting resource: unexpected response with text: Invalid request.",
+			},
+		},
+		{
+			Name: "CannotCreateInviteWithoutEventPassword",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				ArgsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					eventID := getResponse("CreateEvent").Data.GetID()
+					return []string{"invite", "post", "--event-id", eventID, "-d", `{"Name": "Name"}`}
+				},
+			},
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusForbidden,
+				Body:   `{"status":"Forbidden"}`,
+				Error:  "error running client from CLI: error running Post: error posting resource: unexpected response with text: Forbidden",
+			},
+		},
+		{
+			Name: "CreateInvite",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				ArgsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					eventID := getResponse("CreateEvent").Data.GetID()
+					return []string{"invite", "post", "--event-id", eventID, "-d", `{"Name": "Firstname Lastname"}`, "-q", "password=secret"}
+				},
+			},
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:     http.StatusCreated,
+				BodyRegexp: `{"id":"[0-9a-v]{20}","Name":"Firstname Lastname","Contact":"","EventID":"[0-9a-v]{20}","RSVP":null}`,
+			},
+		},
+		{
+			Name: "GetInvite",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				ArgsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					eventID := getResponse("CreateEvent").Data.GetID()
+					return []string{
+						"invite", "get",
+						getResponse("CreateInvite").Data.GetID(), "--event-id", eventID,
+						"-q", "password=secret",
+					}
+				},
+			},
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:     http.StatusOK,
+				BodyRegexp: `{"id":"[0-9a-v]{20}","Name":"Firstname Lastname","Contact":"","EventID":"[0-9a-v]{20}","RSVP":null}`,
+			},
+		},
+		{
+			Name: "ListInvites",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				ArgsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					eventID := getResponse("CreateEvent").Data.GetID()
+					return []string{
+						"invite", "list", "--event-id", eventID, "-q", "password=secret",
+					}
+				},
+			},
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:     http.StatusOK,
+				BodyRegexp: `{"items":\[{"id":"[0-9a-v]{20}","Name":"Firstname Lastname","Contact":"","EventID":"[0-9a-v]{20}","RSVP":null}]`,
+			},
+		},
+		{
+			Name: "GetEventWithInviteIDAsPassword",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				ArgsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					eventID := getResponse("CreateEvent").Data.GetID()
+					return []string{
+						"invite", "get",
+						getResponse("CreateInvite").Data.GetID(), "--event-id", eventID,
+						"-q", "invite=" + getResponse("CreateInvite").Data.GetID(),
+					}
+				},
+			},
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status:     http.StatusOK,
+				BodyRegexp: `{"id":"[0-9a-v]{20}","Name":"Firstname Lastname","Contact":"","EventID":"[0-9a-v]{20}","RSVP":null}`,
+			},
+		},
+		{
+			Name: "DeleteInvite",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				ArgsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					eventID := getResponse("CreateEvent").Data.GetID()
+					return []string{
+						"invite", "delete",
+						getResponse("CreateInvite").Data.GetID(), "--event-id", eventID,
+					}
+				},
+			},
+			ClientName: "Invite",
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusOK,
+				NoBody: true,
+			},
+		},
+		{
+			Name: "PatchErrorNotConfigured",
+			Test: babytest.CommandLineTest[*babyapi.AnyResource]{
+				Command: api.Events.Command,
+				ArgsFunc: func(getResponse babytest.PreviousResponseGetter) []string {
+					eventID := getResponse("CreateEvent").Data.GetID()
+					return []string{"event", "patch", eventID, "-d", `{"Name": "NEW"}`, "-q", "password=secret"}
+				},
+			},
+			ExpectedResponse: babytest.ExpectedResponse{
+				Status: http.StatusMethodNotAllowed,
+				Body:   `{"status":"Method not allowed."}`,
+				Error:  "error running client from CLI: error running Patch: error patching resource: unexpected response with text: Method not allowed.",
+			},
+		},
+	})
+}
@@ -0,0 +1,235 @@
+{{ define "header" }}
+<!doctype html>
+<html>
+
+<head>
+	<meta charset="UTF-8">
+	<meta name="viewport" content="width=device-width, initial-scale=1.0">
+	<title>Event RSVP</title>
+	<link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/uikit@3.17.11/dist/css/uikit.min.css" />
+	<script src="https://unpkg.com/htmx.org@1.9.8"></script>
+</head>
+
+<style>
+	tr.htmx-swapping td {
+		opacity: 0;
+		transition: opacity 1s ease-out;
+	}
+</style>
+
+<body>
+	{{ end }}
+
+
+	{{ define "footer" }}
+</body>
+
+</html>
+{{ end }}
+
+{{ define "eventPage" }}
+{{ template "header" . }}
+{{ template "eventDetailsTable" . }}
+{{ if .Password }}
+{{ template "eventAdminPage" . }}
+{{ end }}
+{{ template "footer" . }}
+{{ end }}
+
+{{ define "eventDetailsTable" }}
+<div class="uk-card uk-card-body uk-card-default uk-margin-left uk-margin-right uk-margin-top">
+	<h2 class="uk-card-title uk-heading-medium uk-text-center">{{ .Name }}</h2>
+	<table class="uk-table uk-table-divider">
+		<thead>
+		</thead>
+
+		<tbody>
+			<tr>
+				<td><b>Name</b></td>
+				<td>{{ .Name }}</td>
+			</tr>
+			<tr>
+				<td><b>Date</b></td>
+				<td>{{ .Date }}</td>
+			</tr>
+			<tr>
+				<td><b>Location</b></td>
+				<td>{{ .Location }}</td>
+			</tr>
+			<tr>
+				<td><b>Details</b></td>
+				<td>{{ .Details }}</td>
+			</tr>
+		</tbody>
+	</table>
+</div>
+{{ end }}
+
+{{/* Show list of invites and RSVP status */}}
+{{/* Form to create new invite */}}
+{{/* Form for bulk invite from a list of names */}}
+{{ define "eventAdminPage" }}
+<div class="uk-card uk-card-body uk-card-default uk-margin-left uk-margin-right uk-margin-top">
+	<h2 class="uk-card-title uk-heading-medium uk-text-center">Add Invites</h2>
+	<form class="uk-form-horizontal" hx-headers='{"Accept": "text/html"}'
+		hx-post="/events/{{ .ID }}/invites/bulk?password={{ .Password }}" hx-on::after-request="this.reset()"
+		hx-swap="none">
+
+		<input class="uk-input uk-width-3-4@s" type="text" name="invites"
+			placeholder="e.g. Invite 1, invite1@email.com; Invite 2, invite2@email.com; ...">
+		<button type="submit" class="uk-button uk-button-primary uk-margin-left uk-width-1-5@s">Submit</button>
+	</form>
+</div>
+
+<div class="uk-card uk-card-body uk-card-default uk-margin-left uk-margin-right uk-margin-top">
+	<h2 class="uk-card-title uk-heading-medium uk-text-center">Invites</h2>
+	<table class="uk-table uk-table-divider uk-margin-left uk-margin-right">
+		<colgroup>
+			<col>
+			<col>
+			<col>
+			<col style="width: 200px;">
+		</colgroup>
+		<thead>
+			<tr>
+				<th>Name</th>
+				<th>Contact</th>
+				<th>RSVP</th>
+				<th>
+					<a class="uk-button uk-button-small uk-button-default uk-margin-top"
+						href="/events/{{ .ID }}/invites/export?password={{ .Password }}" download>
+						Export CSV
+					</a>
+				</th>
+			</tr>
+		</thead>
+
+		<tbody id="invites-table">
+			{{ range .Invites }}
+			<tr>
+				{{ template "inviteRow" . }}
+			</tr>
+			{{ end }}
+		</tbody>
+	</table>
+</div>
+{{ end }}
+
+{{/* Like inviteRow, but uses HTMX out of band swap to append to the table */}}
+{{ define "inviteRowOOB" }}
+<tbody hx-swap-oob="beforeend:#invites-table">
+	<tr>
+		{{ template "inviteRow" . }}
+	</tr>
+</tbody>
+{{ end }}
+
+{{/* Used in eventAdminTemplate to show individual invite, delete button, and button to copy invite link */}}
+{{ define "inviteRow" }}
+<td>{{ .Name }}</td>
+<td>{{ .Contact }}</td>
+
+<td>
+	{{ attending . }}
+</td>
+
+<td>
+	<button hx-on:click="navigator.clipboard.writeText('{{ serverURL }}/events/{{ .EventID }}/invites/{{ .ID }}')"
+		class="uk-button uk-button-primary uk-button-small">
+		Copy
+	</button>
+	<button class="uk-button uk-button-danger uk-button-small" hx-delete="/events/{{ .EventID }}/invites/{{ .ID }}"
+		hx-swap="swap:1s" hx-target="closest tr">
+		Delete
+	</button>
+</td>
+{{ end }}
+
+{{/* // This renders multiple invite rows and uses HTMX out of band responses */}}
+{{ define "bulkInvites" }}
+{{ range .Invites }}
+{{ template "inviteRowOOB" . }}
+{{ end }}
+{{ end }}
+
+{{/* /invites/{InviteID}: display event details and include buttons to set RSVP */}}
+{{ define "invitePage" }}
+{{ template "header" . }}
+
+{{ template "eventDetailsTable" .Event }}
+
+<div class="uk-card uk-card-body uk-card-default uk-margin-left uk-margin-right uk-margin-top">
+	<h2 class="uk-card-title uk-heading-medium uk-text-center">
+		Hello {{ .Name }}!
+	</h2>
+
+	{{ template "rsvpButtons" . }}
+</div>
+{{ end }}
+
+{{ define "rsvpButtons" }}
+<div class="uk-text-center" id="rsvp-buttons">
+	<p>Your current status is: {{ .Attending }}</p>
+
+	{{ $attendDisabled := "" }}
+	{{ $unattendDisabled := "" }}
+	{{ if eq .Attending "attending" }}
+	{{ $attendDisabled = "disabled" }}
+	{{ end }}
+	{{ if eq .Attending "not attending" }}
+	{{ $unattendDisabled = "disabled" }}
+	{{ end }}
+
+	<div hx-headers='{"Accept": "text/html"}' hx-target="#rsvp-buttons" hx-swap="outerHTML">
+
+		<button class="uk-button uk-button-primary uk-button-large"
+			hx-put="/events/{{ .EventID }}/invites/{{ .ID }}/rsvp" hx-vals='{"RSVP": "true"}' {{ $attendDisabled }}>
+
+			Attend
+		</button>
+
+		<button class="uk-button uk-button-danger uk-button-large"
+			hx-put="/events/{{ .EventID }}/invites/{{ .ID }}/rsvp" hx-vals='{"RSVP": "false"}' {{ $unattendDisabled }}>
+
+			Do Not Attend
+		</button>
+	</div>
+</div>
+{{ template "footer" . }}
+{{ end }}
+
+{{ define "createEventPage" }}
+{{ template "header" . }}
+
+<div class="uk-card uk-card-body uk-card-default uk-margin-left uk-margin-right uk-margin-top">
+	<h2 class="uk-card-title uk-heading-medium uk-text-center">Create New Event</h2>
+	<form hx-post="/events" hx-headers='{"Accept": "text/html"}'>
+		<fieldset class="uk-fieldset">
+
+			<div class="uk-margin">
+				<input class="uk-input" type="text" placeholder="Name" name="Name">
+			</div>
+
+			<div class="uk-margin">
+				<input class="uk-input" type="text" placeholder="Date" name="Date">
+			</div>
+
+			<div class="uk-margin">
+				<input class="uk-input" type="text" placeholder="Location" name="Location">
+			</div>
+
+			<div class="uk-margin">
+				<textarea class="uk-textarea" rows="5" placeholder="Details" name="Details"></textarea>
+			</div>
+
+			<div class="uk-margin">
+				<input class="uk-input" type="password" placeholder="Password" name="Password">
+			</div>
+		</fieldset>
+
+		<button type="submit" class="uk-button uk-button-primary uk-margin-top">Submit</button>
+	</form>
+</div>
+
+{{ template "footer" . }}
+{{ end }}