Revert "[FIX/BE-US]add feature restrict by location and areas in roles"

This reverts commit dff9e73ab1.
2026-05-20 21:41:55 +00:00 · 2026-01-14 13:30:48 +07:00
parent dff9e73ab1
commit 26bf7f165e
30 changed files with 37 additions and 1258 deletions
@@ -9,7 +9,7 @@ import (
 	"time"

 	entity "gitlab.com/mbugroup/lti-api.git/internal/entities"
-	m "gitlab.com/mbugroup/lti-api.git/internal/middleware"
+	middleware "gitlab.com/mbugroup/lti-api.git/internal/middleware"
 	repository "gitlab.com/mbugroup/lti-api.git/internal/modules/daily-checklists/repositories"
 	validation "gitlab.com/mbugroup/lti-api.git/internal/modules/daily-checklists/validations"
 	phaseRepo "gitlab.com/mbugroup/lti-api.git/internal/modules/master/phasess/repositories"
@@ -456,7 +456,7 @@ func (s dailyChecklistService) UpdateOne(c *fiber.Ctx, req *validation.Update, i
 		updateBody["reject_reason"] = *req.RejectReason
 	}

-	actorID, err := m.ActorIDFromContext(c)
+	actorID, err := middleware.ActorIDFromContext(c)
 	if err != nil {
 		return &entity.DailyChecklist{}, fiber.NewError(fiber.StatusUnauthorized, "Failed to get actor ID from context")
 	}
@@ -946,11 +946,6 @@ func (s dailyChecklistService) GetReport(c *fiber.Ctx, params *validation.Report
 		return nil, 0, err
 	}

-	scope, err := m.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, 0, err
-	}
-
 	offset := (params.Page - 1) * params.Limit

 	buildBase := func() *gorm.DB {
@@ -967,8 +962,6 @@ func (s dailyChecklistService) GetReport(c *fiber.Ctx, params *validation.Report
 			Where("EXTRACT(YEAR FROM dc.date) = ?", params.Year).
 			Where("dc.status = ?", "APPROVED")

-		db = m.ApplyScopeFilter(db, scope, "loc.id")
-
 		if params.AreaID != nil {
 			db = db.Where("a.id = ?", *params.AreaID)
 		}
@@ -6,7 +6,6 @@ import (
 	"strings"
 	"time"

-	m "gitlab.com/mbugroup/lti-api.git/internal/middleware"
 	"gitlab.com/mbugroup/lti-api.git/internal/modules/dashboards/dto"
 	service "gitlab.com/mbugroup/lti-api.git/internal/modules/dashboards/services"
 	validation "gitlab.com/mbugroup/lti-api.git/internal/modules/dashboards/validations"
@@ -82,20 +81,6 @@ func (u *DashboardController) GetAll(c *fiber.Ctx) error {
 		return fiber.NewError(fiber.StatusBadRequest, "Invalid include")
 	}

-	scope, err := m.ResolveLocationScope(c, u.DashboardService.DB())
-	if err != nil {
-		return err
-	}
-	if scope.Restrict {
-		if len(scope.IDs) == 0 {
-			lokasiIds = []uint{}
-		} else if len(lokasiIds) > 0 {
-			lokasiIds = intersectUint(lokasiIds, scope.IDs)
-		} else {
-			lokasiIds = scope.IDs
-		}
-	}
-
 	analysisMode := strings.ToUpper(strings.TrimSpace(c.Query("analysis_mode", validation.AnalysisModeOverview)))
 	metric := strings.ToLower(strings.TrimSpace(c.Query("metric", "")))

@@ -191,23 +176,6 @@ func defaultUintSlice(values []uint) []uint {
 	return values
 }

-func intersectUint(a, b []uint) []uint {
-	if len(a) == 0 || len(b) == 0 {
-		return nil
-	}
-	set := make(map[uint]struct{}, len(b))
-	for _, id := range b {
-		set[id] = struct{}{}
-	}
-	out := make([]uint, 0, len(a))
-	for _, id := range a {
-		if _, ok := set[id]; ok {
-			out = append(out, id)
-		}
-	}
-	return out
-}
-
 func parsePeriodDates(startDateRaw, endDateRaw string, location *time.Location) (time.Time, time.Time, time.Time, error) {
 	now := time.Now().In(location)
 	startDate := time.Date(now.Year(), now.Month(), 1, 0, 0, 0, 0, location)
@@ -17,12 +17,10 @@ import (

 	"github.com/go-playground/validator/v10"
 	"github.com/sirupsen/logrus"
-	"gorm.io/gorm"
 )

 type DashboardService interface {
 	GetAll(ctx context.Context, params *validation.Query) (dto.DashboardPerformanceOverviewDTO, int64, error)
-	DB() *gorm.DB
 }

 type dashboardService struct {
@@ -39,10 +37,6 @@ func NewDashboardService(repo repository.DashboardRepository, validate *validato
 	}
 }

-func (s dashboardService) DB() *gorm.DB {
-	return s.Repository.DB()
-}
-
 func (s dashboardService) GetAll(ctx context.Context, params *validation.Query) (dto.DashboardPerformanceOverviewDTO, int64, error) {
 	if err := s.Validate.Struct(params); err != nil {
 		return dto.DashboardPerformanceOverviewDTO{}, 0, err
@@ -138,28 +138,9 @@ func (r *ExpenseRealizationRepositoryImpl) GetAllWithFilters(ctx context.Context
 	locationID := filters.LocationId
 	areaID := filters.AreaId

-	if filters.AllowedLocationIDs != nil || filters.AllowedAreaIDs != nil || locationID > 0 || areaID > 0 {
-		db = db.Joins("JOIN kandangs ON kandangs.id = expense_nonstocks.kandang_id")
-	}
-
-	if filters.AllowedLocationIDs != nil {
-		if len(filters.AllowedLocationIDs) == 0 {
-			db = db.Where("1 = 0")
-		} else {
-			db = db.Where("kandangs.location_id IN ?", filters.AllowedLocationIDs)
-		}
-	}
-
-	if filters.AllowedAreaIDs != nil {
-		if len(filters.AllowedAreaIDs) == 0 {
-			db = db.Where("1 = 0")
-		} else {
-			db = db.Joins("JOIN locations ON locations.id = kandangs.location_id").
-				Where("locations.area_id IN ?", filters.AllowedAreaIDs)
-		}
-	}
-
 	if locationID > 0 || areaID > 0 {
+		db = db.Joins("JOIN kandangs ON kandangs.id = expense_nonstocks.kandang_id")
+
 		if locationID > 0 {
 			db = db.Where("kandangs.location_id = ?", uint(locationID))
 		}
@@ -87,16 +87,10 @@ func (s expenseService) GetAll(c *fiber.Ctx, params *validation.Query) ([]expens
 		return nil, 0, err
 	}

-	scope, err := middleware.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, 0, err
-	}
-
 	offset := (params.Page - 1) * params.Limit

 	expenses, total, err := s.Repository.GetAll(c.Context(), offset, params.Limit, func(db *gorm.DB) *gorm.DB {
 		db = s.withRelations(db)
-		db = middleware.ApplyScopeFilter(db, scope, "location_id")
 		if params.Search != "" {
 			return db.Where("category ILIKE ?", "%"+params.Search+"%")
 		}
@@ -123,16 +117,7 @@ func (s expenseService) GetAll(c *fiber.Ctx, params *validation.Query) ([]expens
 }

 func (s expenseService) GetOne(c *fiber.Ctx, id uint) (*expenseDto.ExpenseDetailDTO, error) {
-	scope, err := middleware.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, err
-	}
-
-	expense, err := s.Repository.GetByID(c.Context(), id, func(db *gorm.DB) *gorm.DB {
-		db = s.withRelations(db)
-		db = middleware.ApplyScopeFilter(db, scope, "location_id")
-		return db
-	})
+	expense, err := s.Repository.GetByID(c.Context(), id, s.withRelations)
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {

@@ -4,7 +4,6 @@ import (
 	"errors"

 	entity "gitlab.com/mbugroup/lti-api.git/internal/entities"
-	m "gitlab.com/mbugroup/lti-api.git/internal/middleware"
 	validation "gitlab.com/mbugroup/lti-api.git/internal/modules/inventory/product-stocks/validations"
 	productRepository "gitlab.com/mbugroup/lti-api.git/internal/modules/master/products/repositories"
 	"gitlab.com/mbugroup/lti-api.git/internal/utils"
@@ -62,34 +61,15 @@ func (s productStockService) GetAll(c *fiber.Ctx, params *validation.Query) ([]e
 		return nil, 0, err
 	}

-	scope, err := m.ResolveLocationScope(c, s.ProductRepository.DB())
-	if err != nil {
-		return nil, 0, err
-	}
-
 	offset := (params.Page - 1) * params.Limit

 	productStocks, total, err := s.ProductRepository.GetAll(c.Context(), offset, params.Limit, func(db *gorm.DB) *gorm.DB {
-		if scope.Restrict {
-			if len(scope.IDs) == 0 {
-				return db.Where("1 = 0")
-			}
-			db = db.Where(`EXISTS (
-				SELECT 1
-				FROM product_warehouses pw
-				JOIN warehouses w ON w.id = pw.warehouse_id
-				WHERE pw.product_id = products.id
-					AND pw.qty > 0
-					AND w.location_id IN ?
-			)`, scope.IDs)
-		} else {
-			db = db.Where(`EXISTS (
-				SELECT 1
-				FROM product_warehouses pw
-				WHERE pw.product_id = products.id
-					AND pw.qty > 0
-			)`)
-		}
+		db = db.Where(`EXISTS (
+			SELECT 1
+			FROM product_warehouses pw
+			WHERE pw.product_id = products.id
+				AND pw.qty > 0
+		)`)

 		db = s.withRelations(db)
 		if params.Search != "" {
@@ -106,30 +86,6 @@ func (s productStockService) GetAll(c *fiber.Ctx, params *validation.Query) ([]e
 }

 func (s productStockService) GetOne(c *fiber.Ctx, id uint) (*entity.Product, error) {
-	scope, err := m.ResolveLocationScope(c, s.ProductRepository.DB())
-	if err != nil {
-		return nil, err
-	}
-
-	if scope.Restrict {
-		if len(scope.IDs) == 0 {
-			return nil, fiber.NewError(fiber.StatusNotFound, "Product not found")
-		}
-		var count int64
-		if err := s.ProductRepository.DB().WithContext(c.Context()).
-			Table("product_warehouses pw").
-			Joins("JOIN warehouses w ON w.id = pw.warehouse_id").
-			Where("pw.product_id = ?", id).
-			Where("pw.qty > 0").
-			Where("w.location_id IN ?", scope.IDs).
-			Count(&count).Error; err != nil {
-			return nil, err
-		}
-		if count == 0 {
-			return nil, fiber.NewError(fiber.StatusNotFound, "Product not found")
-		}
-	}
-
 	product, err := s.ProductRepository.GetByID(c.Context(), id, s.withRelations)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
 		return nil, fiber.NewError(fiber.StatusNotFound, "Product not found")
@@ -8,7 +8,7 @@ import (
 	validation "gitlab.com/mbugroup/lti-api.git/internal/modules/inventory/product-warehouses/validations"
 	kandangrepo "gitlab.com/mbugroup/lti-api.git/internal/modules/master/kandangs/repositories"
 	"gitlab.com/mbugroup/lti-api.git/internal/utils"
-	m "gitlab.com/mbugroup/lti-api.git/internal/middleware"
+
 	"github.com/go-playground/validator/v10"
 	"github.com/gofiber/fiber/v2"
 	"github.com/sirupsen/logrus"
@@ -53,11 +53,6 @@ func (s productWarehouseService) GetAll(c *fiber.Ctx, params *validation.Query)
 		return nil, 0, err
 	}

-	scope, err := m.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, 0, err
-	}
-
 	if params.ProductId > 0 {
 		isProductExist, err := s.Repository.IsProductExist(c.Context(), params.ProductId)
 		if err != nil {
@@ -95,14 +90,6 @@ func (s productWarehouseService) GetAll(c *fiber.Ctx, params *validation.Query)
 	productWarehouses, total, err := s.Repository.GetAll(c.Context(), offset, params.Limit, func(db *gorm.DB) *gorm.DB {
 		db = s.withRelations(db)

-		if scope.Restrict {
-			if len(scope.IDs) == 0 {
-				return db.Where("1 = 0")
-			}
-			db = db.Joins("JOIN warehouses w_scope ON product_warehouses.warehouse_id = w_scope.id").
-				Where("w_scope.location_id IN ?", scope.IDs)
-		}
-
 		if params.ProductId != 0 {
 			db = db.Where("product_id = ?", params.ProductId)
 		}
@@ -129,22 +116,7 @@ func (s productWarehouseService) GetAll(c *fiber.Ctx, params *validation.Query)
 }

 func (s productWarehouseService) GetOne(c *fiber.Ctx, id uint) (*entity.ProductWarehouse, error) {
-	scope, err := m.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, err
-	}
-
-	productWarehouse, err := s.Repository.GetByID(c.Context(), id, func(db *gorm.DB) *gorm.DB {
-		db = s.withRelations(db)
-		if scope.Restrict {
-			if len(scope.IDs) == 0 {
-				return db.Where("1 = 0")
-			}
-			db = db.Joins("JOIN warehouses w_scope ON product_warehouses.warehouse_id = w_scope.id").
-				Where("w_scope.location_id IN ?", scope.IDs)
-		}
-		return db
-	})
+	productWarehouse, err := s.Repository.GetByID(c.Context(), id, s.withRelations)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
 		return nil, fiber.NewError(fiber.StatusNotFound, "ProductWarehouse not found")
 	}
@@ -94,24 +94,10 @@ func (s transferService) GetAll(c *fiber.Ctx, params *validation.Query) ([]entit
 		return nil, 0, err
 	}

-	scope, err := m.ResolveLocationScope(c, s.StockTransferRepo.DB())
-	if err != nil {
-		return nil, 0, err
-	}
-
 	offset := (params.Page - 1) * params.Limit

 	transfers, total, err := s.StockTransferRepo.GetAll(c.Context(), offset, params.Limit, func(db *gorm.DB) *gorm.DB {
 		db = s.withRelations(db)
-		if scope.Restrict {
-			if len(scope.IDs) == 0 {
-				return db.Where("1 = 0")
-			}
-			db = db.
-				Joins("JOIN warehouses w_from ON w_from.id = stock_transfers.from_warehouse_id").
-				Joins("JOIN warehouses w_to ON w_to.id = stock_transfers.to_warehouse_id").
-				Where("w_from.location_id IN ? OR w_to.location_id IN ?", scope.IDs, scope.IDs)
-		}
 		if params.Search != "" {
 			db = db.Where("movement_number ILIKE ?", "%"+strings.TrimSpace(params.Search)+"%")
 		}
@@ -126,28 +112,6 @@ func (s transferService) GetAll(c *fiber.Ctx, params *validation.Query) ([]entit
 }

 func (s transferService) GetOne(c *fiber.Ctx, id uint) (*entity.StockTransfer, error) {
-	scope, err := m.ResolveLocationScope(c, s.StockTransferRepo.DB())
-	if err != nil {
-		return nil, err
-	}
-	if scope.Restrict {
-		if len(scope.IDs) == 0 {
-			return nil, fiber.NewError(fiber.StatusNotFound, "Transfer not found")
-		}
-		var count int64
-		if err := s.StockTransferRepo.DB().WithContext(c.Context()).
-			Table("stock_transfers").
-			Joins("JOIN warehouses w_from ON w_from.id = stock_transfers.from_warehouse_id").
-			Joins("JOIN warehouses w_to ON w_to.id = stock_transfers.to_warehouse_id").
-			Where("stock_transfers.id = ?", id).
-			Where("w_from.location_id IN ? OR w_to.location_id IN ?", scope.IDs, scope.IDs).
-			Count(&count).Error; err != nil {
-			return nil, err
-		}
-		if count == 0 {
-			return nil, fiber.NewError(fiber.StatusNotFound, "Transfer not found")
-		}
-	}

 	transferPtr, err := s.StockTransferRepo.GetByID(c.Context(), id, func(db *gorm.DB) *gorm.DB {
 		return s.withRelations(db)
@@ -47,21 +47,10 @@ func (s areaService) GetAll(c *fiber.Ctx, params *validation.Query) ([]entity.Ar
 		return nil, 0, err
 	}

-	scope, err := m.ResolveAreaScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, 0, err
-	}
-
 	offset := (params.Page - 1) * params.Limit

 	areas, total, err := s.Repository.GetAll(c.Context(), offset, params.Limit, func(db *gorm.DB) *gorm.DB {
 		db = s.withRelations(db)
-		if scope.Restrict {
-			if len(scope.IDs) == 0 {
-				return db.Where("1 = 0")
-			}
-			db = db.Where("id IN ?", scope.IDs)
-		}
 		if params.Search != "" {
 			return db.Where("name ILIKE ?", "%"+params.Search+"%")
 		}
@@ -76,21 +65,7 @@ func (s areaService) GetAll(c *fiber.Ctx, params *validation.Query) ([]entity.Ar
 }

 func (s areaService) GetOne(c *fiber.Ctx, id uint) (*entity.Area, error) {
-	scope, err := m.ResolveAreaScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, err
-	}
-
-	area, err := s.Repository.GetByID(c.Context(), id, func(db *gorm.DB) *gorm.DB {
-		db = s.withRelations(db)
-		if scope.Restrict {
-			if len(scope.IDs) == 0 {
-				return db.Where("1 = 0")
-			}
-			db = db.Where("id IN ?", scope.IDs)
-		}
-		return db
-	})
+	area, err := s.Repository.GetByID(c.Context(), id, s.withRelations)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
 		return nil, fiber.NewError(fiber.StatusNotFound, "Area not found")
 	}
@@ -49,16 +49,10 @@ func (s kandangService) GetAll(c *fiber.Ctx, params *validation.Query) ([]entity
 		return nil, 0, err
 	}

-	scope, err := m.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, 0, err
-	}
-
 	offset := (params.Page - 1) * params.Limit

 	kandangs, total, err := s.Repository.GetAll(c.Context(), offset, params.Limit, func(db *gorm.DB) *gorm.DB {
 		db = s.withRelations(db)
-		db = m.ApplyScopeFilter(db, scope, "location_id")
 		if params.Search != "" {
 			return db.Where("name ILIKE ?", "%"+params.Search+"%")
 		}
@@ -79,16 +73,7 @@ func (s kandangService) GetAll(c *fiber.Ctx, params *validation.Query) ([]entity
 }

 func (s kandangService) GetOne(c *fiber.Ctx, id uint) (*entity.Kandang, error) {
-	scope, err := m.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, err
-	}
-
-	kandang, err := s.Repository.GetByID(c.Context(), id, func(db *gorm.DB) *gorm.DB {
-		db = s.withRelations(db)
-		db = m.ApplyScopeFilter(db, scope, "location_id")
-		return db
-	})
+	kandang, err := s.Repository.GetByID(c.Context(), id, s.withRelations)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
 		return nil, fiber.NewError(fiber.StatusNotFound, "Kandang not found")
 	}
@@ -47,21 +47,10 @@ func (s locationService) GetAll(c *fiber.Ctx, params *validation.Query) ([]entit
 		return nil, 0, err
 	}

-	scope, err := m.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, 0, err
-	}
-
 	offset := (params.Page - 1) * params.Limit

 	locations, total, err := s.Repository.GetAll(c.Context(), offset, params.Limit, func(db *gorm.DB) *gorm.DB {
 		db = s.withRelations(db)
-		if scope.Restrict {
-			if len(scope.IDs) == 0 {
-				return db.Where("1 = 0")
-			}
-			db = db.Where("id IN ?", scope.IDs)
-		}
 		if params.Search != "" {
 			db = db.Where("name ILIKE ?", "%"+params.Search+"%")
 		}
@@ -79,21 +68,7 @@ func (s locationService) GetAll(c *fiber.Ctx, params *validation.Query) ([]entit
 }

 func (s locationService) GetOne(c *fiber.Ctx, id uint) (*entity.Location, error) {
-	scope, err := m.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, err
-	}
-
-	location, err := s.Repository.GetByID(c.Context(), id, func(db *gorm.DB) *gorm.DB {
-		db = s.withRelations(db)
-		if scope.Restrict {
-			if len(scope.IDs) == 0 {
-				return db.Where("1 = 0")
-			}
-			db = db.Where("id IN ?", scope.IDs)
-		}
-		return db
-	})
+	location, err := s.Repository.GetByID(c.Context(), id, s.withRelations)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
 		return nil, fiber.NewError(fiber.StatusNotFound, "Location not found")
 	}
@@ -48,16 +48,10 @@ func (s warehouseService) GetAll(c *fiber.Ctx, params *validation.Query) ([]enti
 		return nil, 0, err
 	}

-	scope, err := m.ResolveAreaScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, 0, err
-	}
-
 	offset := (params.Page - 1) * params.Limit

 	warehouses, total, err := s.Repository.GetAll(c.Context(), offset, params.Limit, func(db *gorm.DB) *gorm.DB {
 		db = s.withRelations(db)
-		db = m.ApplyScopeFilter(db, scope, "area_id")
 		if params.Search != "" {
 			db = db.Where("warehouses.name ILIKE ?", "%"+params.Search+"%")
 		}
@@ -92,16 +86,7 @@ func (s warehouseService) GetAll(c *fiber.Ctx, params *validation.Query) ([]enti
 }

 func (s warehouseService) GetOne(c *fiber.Ctx, id uint) (*entity.Warehouse, error) {
-	scope, err := m.ResolveAreaScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, err
-	}
-
-	warehouse, err := s.Repository.GetByID(c.Context(), id, func(db *gorm.DB) *gorm.DB {
-		db = s.withRelations(db)
-		db = m.ApplyScopeFilter(db, scope, "area_id")
-		return db
-	})
+	warehouse, err := s.Repository.GetByID(c.Context(), id, s.withRelations)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
 		return nil, fiber.NewError(fiber.StatusNotFound, "Warehouse not found")
 	}
@@ -88,14 +88,9 @@ func (s projectFlockKandangService) GetAll(c *fiber.Ctx, params *validation.Quer
 		return nil, 0, err
 	}

-	scope, err := m.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, 0, err
-	}
-
 	offset := (params.Page - 1) * params.Limit

-	projectFlockKandangs, total, err := s.Repository.GetAllWithFiltersScoped(c.Context(), offset, params.Limit, params, scope.IDs, scope.Restrict)
+	projectFlockKandangs, total, err := s.Repository.GetAllWithFilters(c.Context(), offset, params.Limit, params)

 	if err != nil {
 		s.Log.Errorf("Failed to get projectFlockKandangs: %+v", err)
@@ -111,28 +106,6 @@ func (s projectFlockKandangService) GetAll(c *fiber.Ctx, params *validation.Quer
 }

 func (s projectFlockKandangService) GetOne(c *fiber.Ctx, id uint) (*entity.ProjectFlockKandang, map[uint]float64, []entity.ProductWarehouse, error) {
-	scope, err := m.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, nil, nil, err
-	}
-	if scope.Restrict {
-		if len(scope.IDs) == 0 {
-			return nil, nil, nil, fiber.NewError(fiber.StatusNotFound, "ProjectFlockKandang not found")
-		}
-		var count int64
-		if err := s.Repository.DB().WithContext(c.Context()).
-			Table("project_flock_kandangs").
-			Joins("JOIN project_flocks ON project_flocks.id = project_flock_kandangs.project_flock_id").
-			Where("project_flock_kandangs.id = ?", id).
-			Where("project_flocks.location_id IN ?", scope.IDs).
-			Count(&count).Error; err != nil {
-			return nil, nil, nil, err
-		}
-		if count == 0 {
-			return nil, nil, nil, fiber.NewError(fiber.StatusNotFound, "ProjectFlockKandang not found")
-		}
-	}
-
 	projectFlockKandang, err := s.Repository.GetByID(c.Context(), id)
 	if errors.Is(err, gorm.ErrRecordNotFound) {
 		return nil, nil, nil, fiber.NewError(fiber.StatusNotFound, "ProjectFlockKandang not found")
@@ -14,7 +14,6 @@ import (
 type ProjectflockRepository interface {
 	repository.BaseRepository[entity.ProjectFlock]
 	GetAllWithFilters(ctx context.Context, offset, limit int, params *validation.Query) ([]entity.ProjectFlock, int64, error)
-	GetAllWithFiltersScoped(ctx context.Context, offset, limit int, params *validation.Query, locationIDs []uint, restrict bool) ([]entity.ProjectFlock, int64, error)
 	WithDefaultRelations() func(*gorm.DB) *gorm.DB
 	ExistsByFlockName(ctx context.Context, flockName string, excludeID *uint) (bool, error)
 	GetNextPeriodsForKandangs(ctx context.Context, kandangIDs []uint) (map[uint]int, error)
@@ -49,19 +48,6 @@ func (r *ProjectflockRepositoryImpl) GetAllWithFilters(ctx context.Context, offs
 	})
 }

-func (r *ProjectflockRepositoryImpl) GetAllWithFiltersScoped(ctx context.Context, offset, limit int, params *validation.Query, locationIDs []uint, restrict bool) ([]entity.ProjectFlock, int64, error) {
-	return r.GetAll(ctx, offset, limit, func(db *gorm.DB) *gorm.DB {
-		db = r.applyQueryFilters(r.WithDefaultRelations()(db), params)
-		if restrict {
-			if len(locationIDs) == 0 {
-				return db.Where("1 = 0")
-			}
-			db = db.Where("project_flocks.location_id IN ?", locationIDs)
-		}
-		return db
-	})
-}
-
 func (r *ProjectflockRepositoryImpl) WithDefaultRelations() func(*gorm.DB) *gorm.DB {
 	return func(db *gorm.DB) *gorm.DB {
 		return db.
@@ -20,7 +20,6 @@ type ProjectFlockKandangRepository interface {
 	DeleteMany(ctx context.Context, projectFlockID uint, kandangIDs []uint) error
 	GetAll(ctx context.Context, offset int, limit int, modifier func(*gorm.DB) *gorm.DB) ([]entity.ProjectFlockKandang, int64, error)
 	GetAllWithFilters(ctx context.Context, offset int, limit int, params interface{}) ([]entity.ProjectFlockKandang, int64, error)
-	GetAllWithFiltersScoped(ctx context.Context, offset int, limit int, params interface{}, locationIDs []uint, restrict bool) ([]entity.ProjectFlockKandang, int64, error)
 	GetByProjectFlockID(ctx context.Context, projectFlockID uint) ([]entity.ProjectFlockKandang, error)
 	ListExistingKandangIDs(ctx context.Context, projectFlockID uint, kandangIDs []uint) ([]uint, error)
 	HasKandangsLinkedToOtherProject(ctx context.Context, kandangIDs []uint, exceptProjectID *uint) (bool, error)
@@ -197,104 +196,6 @@ func (r *projectFlockKandangRepositoryImpl) GetAllWithFilters(ctx context.Contex
 	return records, total, nil
 }

-func (r *projectFlockKandangRepositoryImpl) GetAllWithFiltersScoped(ctx context.Context, offset int, limit int, params interface{}, locationIDs []uint, restrict bool) ([]entity.ProjectFlockKandang, int64, error) {
-	var records []entity.ProjectFlockKandang
-	var total int64
-
-	query, ok := params.(*validation.Query)
-
-	q := r.db.WithContext(ctx).
-		Joins("JOIN \"kandangs\" ON \"project_flock_kandangs\".\"kandang_id\" = \"kandangs\".\"id\"").
-		Joins("JOIN \"project_flocks\" ON \"project_flock_kandangs\".\"project_flock_id\" = \"project_flocks\".\"id\"").
-		Preload("ProjectFlock").
-		Preload("ProjectFlock.Fcr").
-		Preload("ProjectFlock.Area").
-		Preload("ProjectFlock.Location").
-		Preload("ProjectFlock.CreatedUser").
-		Preload("ProjectFlock.Kandangs").
-		Preload("ProjectFlock.KandangHistory").
-		Preload("Kandang").
-		Preload("Chickins").
-		Preload("Chickins.CreatedUser").
-		Preload("Chickins.ProductWarehouse")
-
-	if restrict {
-		if len(locationIDs) == 0 {
-			return []entity.ProjectFlockKandang{}, 0, nil
-		}
-		q = q.Where("\"project_flocks\".\"location_id\" IN ?", locationIDs)
-	}
-
-	if ok && query != nil && query.StepName != "" {
-		q = q.Where(`
-			EXISTS (
-				SELECT 1 FROM "approvals"
-				WHERE "approvals"."approvable_id" = "project_flock_kandangs"."id"
-				AND "approvals"."approvable_type" = ?
-				AND LOWER("approvals"."step_name") = LOWER(?)
-				AND "approvals"."id" IN (
-					SELECT "approvals"."id" FROM "approvals"
-					WHERE "approvals"."approvable_id" = "project_flock_kandangs"."id"
-					AND "approvals"."approvable_type" = ?
-					ORDER BY "approvals"."id" DESC
-					LIMIT 1
-				)
-			)
-		`, "PROJECT_FLOCK_KANDANGS", query.StepName, "PROJECT_FLOCK_KANDANGS")
-	}
-
-	if ok && query != nil {
-		if query.Search != "" {
-			escapedSearch := strings.NewReplacer("\\", "\\\\", "%", "\\%", "_", "\\_").Replace(query.Search)
-			q = q.Where(
-				r.db.Where("LOWER(\"kandangs\".\"name\") LIKE LOWER(?) ESCAPE '\\'", "%"+escapedSearch+"%").
-					Or("LOWER(\"project_flocks\".\"flock_name\") LIKE LOWER(?) ESCAPE '\\'", "%"+escapedSearch+"%"),
-			)
-		}
-
-		if query.ProjectFlockId > 0 {
-			q = q.Where("\"project_flock_kandangs\".\"project_flock_id\" = ?", query.ProjectFlockId)
-		}
-
-		if query.KandangId > 0 {
-			q = q.Where("\"project_flock_kandangs\".\"kandang_id\" = ?", query.KandangId)
-		}
-
-		if query.Category != "" {
-			q = q.Where("\"project_flocks\".\"category\" = ?", query.Category)
-		}
-
-		if query.AreaId > 0 {
-			q = q.Where("\"project_flocks\".\"area_id\" = ?", query.AreaId)
-		}
-	}
-
-	if err := q.Model(&entity.ProjectFlockKandang{}).Count(&total).Error; err != nil {
-		return nil, 0, err
-	}
-
-	sortBy := "\"project_flock_kandangs\".\"created_at\" DESC"
-	if ok && query != nil && query.SortBy != "" {
-		sortOrder := "DESC"
-		if query.SortOrder == "ASC" {
-			sortOrder = "ASC"
-		}
-
-		switch query.SortBy {
-		case "created_at":
-			sortBy = "\"project_flock_kandangs\".\"created_at\" " + sortOrder
-		case "period":
-			sortBy = "\"project_flocks\".\"period\" " + sortOrder
-		}
-	}
-
-	if err := q.Order(sortBy).Offset(offset).Limit(limit).Find(&records).Error; err != nil {
-		return nil, 0, err
-	}
-
-	return records, total, nil
-}
-
 func (r *projectFlockKandangRepositoryImpl) WithTx(tx *gorm.DB) ProjectFlockKandangRepository {
 	return &projectFlockKandangRepositoryImpl{db: tx}
 }
@@ -114,14 +114,9 @@ func (s projectflockService) GetAll(c *fiber.Ctx, params *validation.Query) ([]e
 		return nil, 0, nil, err
 	}

-	scope, err := m.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, 0, nil, err
-	}
-
 	offset := (params.Page - 1) * params.Limit

-	projectflocks, total, err := s.Repository.GetAllWithFiltersScoped(c.Context(), offset, params.Limit, params, scope.IDs, scope.Restrict)
+	projectflocks, total, err := s.Repository.GetAllWithFilters(c.Context(), offset, params.Limit, params)

 	if err != nil {
 		s.Log.Errorf("Failed to get projectflocks: %+v", err)
@@ -195,16 +190,7 @@ func (s projectflockService) getOneEntityOnly(c *fiber.Ctx, id uint) (*entity.Pr
 }

 func (s projectflockService) GetOne(c *fiber.Ctx, id uint) (*entity.ProjectFlock, *flockDTO.FlockRelationDTO, error) {
-	scope, err := m.ResolveLocationScope(c, s.Repository.DB())
-	if err != nil {
-		return nil, nil, err
-	}
-
-	projectflock, err := s.Repository.GetByID(c.Context(), id, func(db *gorm.DB) *gorm.DB {
-		db = s.Repository.WithDefaultRelations()(db)
-		db = m.ApplyScopeFilter(db, scope, "project_flocks.location_id")
-		return db
-	})
+	projectflock, err := s.Repository.GetByID(c.Context(), id, s.Repository.WithDefaultRelations())
 	if errors.Is(err, gorm.ErrRecordNotFound) {
 		return nil, nil, fiber.NewError(fiber.StatusNotFound, "Projectflock not found")
 	}
@@ -124,11 +124,6 @@ func (s *purchaseService) GetAll(c *fiber.Ctx, params *validation.Query) ([]enti
 		return nil, 0, err
 	}

-	scope, err := m.ResolveLocationScope(c, s.PurchaseRepo.DB())
-	if err != nil {
-		return nil, 0, err
-	}
-
 	offset := (params.Page - 1) * params.Limit

 	createdFrom, createdTo, err := utils.ParseDateRangeForQuery(params.CreatedFrom, params.CreatedTo)
@@ -152,21 +147,6 @@ func (s *purchaseService) GetAll(c *fiber.Ctx, params *validation.Query) ([]enti
 			db = db.Where("created_at < ?", *createdTo)
 		}

-		if scope.Restrict {
-			if len(scope.IDs) == 0 {
-				return db.Where("1 = 0")
-			}
-			db = db.Where(
-				`EXISTS (
-					SELECT 1
-					FROM purchase_items pi
-					JOIN warehouses w ON w.id = pi.warehouse_id
-					WHERE pi.purchase_id = purchases.id AND w.location_id IN ?
-				)`,
-				scope.IDs,
-			)
-		}
-
 		if params.AreaID > 0 {
 			db = db.Where(
 				`EXISTS (
@@ -221,42 +201,7 @@ func (s *purchaseService) GetAll(c *fiber.Ctx, params *validation.Query) ([]enti
 }

 func (s *purchaseService) GetOne(c *fiber.Ctx, id uint) (*entity.Purchase, error) {
-	scope, err := m.ResolveLocationScope(c, s.PurchaseRepo.DB())
-	if err != nil {
-		return nil, err
-	}
-
-	purchase, err := s.PurchaseRepo.GetByID(c.Context(), id, func(db *gorm.DB) *gorm.DB {
-		db = s.withRelations(db)
-		if scope.Restrict {
-			if len(scope.IDs) == 0 {
-				return db.Where("1 = 0")
-			}
-			db = db.Where(
-				`EXISTS (
-					SELECT 1
-					FROM purchase_items pi
-					JOIN warehouses w ON w.id = pi.warehouse_id
-					WHERE pi.purchase_id = purchases.id AND w.location_id IN ?
-				)`,
-				scope.IDs,
-			)
-		}
-		return db
-	})
-	if err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			return nil, utils.NotFound("Purchase not found")
-		}
-		s.Log.Errorf("Failed to get purchase %d: %+v", id, err)
-		return nil, utils.Internal("Failed to get purchase")
-	}
-	if err := s.attachLatestApproval(c.Context(), purchase); err != nil {
-		s.Log.Warnf("Unable to attach latest approval for purchase %d: %+v", id, err)
-	}
-	s.applyTravelDocumentURLs(c.Context(), purchase)
-
-	return purchase, nil
+	return s.loadPurchase(c.Context(), id)
 }

 func (s *purchaseService) CreateOne(c *fiber.Ctx, req *validation.CreatePurchaseRequest) (*entity.Purchase, error) {
@@ -5,7 +5,6 @@ import (
 	"strconv"
 	"strings"

-	m "gitlab.com/mbugroup/lti-api.git/internal/middleware"
 	"gitlab.com/mbugroup/lti-api.git/internal/modules/repports/dto"
 	service "gitlab.com/mbugroup/lti-api.git/internal/modules/repports/services"
 	validation "gitlab.com/mbugroup/lti-api.git/internal/modules/repports/validations"
@@ -50,21 +49,6 @@ func (c *RepportController) GetExpense(ctx *fiber.Ctx) error {
 		RealizationDate:       ctx.Query("realization_date", ""),
 	}

-	locationScope, err := m.ResolveLocationScope(ctx, c.RepportService.DB())
-	if err != nil {
-		return err
-	}
-	areaScope, err := m.ResolveAreaScope(ctx, c.RepportService.DB())
-	if err != nil {
-		return err
-	}
-	if locationScope.Restrict {
-		query.AllowedLocationIDs = toInt64Slice(locationScope.IDs)
-	}
-	if areaScope.Restrict {
-		query.AllowedAreaIDs = toInt64Slice(areaScope.IDs)
-	}
-
 	if query.Page < 1 || query.Limit < 1 {
 		return fiber.NewError(fiber.StatusBadRequest, "page and limit must be greater than 0")
 	}
@@ -146,14 +130,6 @@ func (c *RepportController) GetPurchaseSupplier(ctx *fiber.Ctx) error {
 		FilterBy:          ctx.Query("filter_by", ""),
 	}

-	areaScope, err := m.ResolveAreaScope(ctx, c.RepportService.DB())
-	if err != nil {
-		return err
-	}
-	if areaScope.Restrict {
-		query.AllowedAreaIDs = toInt64Slice(areaScope.IDs)
-	}
-
 	if query.Page < 1 || query.Limit < 1 {
 		return fiber.NewError(fiber.StatusBadRequest, "page and limit must be greater than 0")
 	}
@@ -330,14 +306,3 @@ func parseCommaSeparatedInt64s(raw string) ([]int64, error) {

 	return result, nil
 }
-
-func toInt64Slice(ids []uint) []int64 {
-	if len(ids) == 0 {
-		return nil
-	}
-	out := make([]int64, 0, len(ids))
-	for _, id := range ids {
-		out = append(out, int64(id))
-	}
-	return out
-}
@@ -53,18 +53,10 @@ func (r *purchaseSupplierRepositoryImpl) baseSupplierQuery(ctx context.Context,
 			Where("products.product_category_id = ?", filters.ProductCategoryId)
 	}

-	if filters.AreaId > 0 || filters.AllowedAreaIDs != nil {
-		db = db.Joins("JOIN warehouses ON warehouses.id = purchase_items.warehouse_id")
-		if filters.AreaId > 0 {
-			db = db.Where("warehouses.area_id = ?", filters.AreaId)
-		}
-		if filters.AllowedAreaIDs != nil {
-			if len(filters.AllowedAreaIDs) == 0 {
-				db = db.Where("1 = 0")
-			} else {
-				db = db.Where("warehouses.area_id IN ?", filters.AllowedAreaIDs)
-			}
-		}
+	if filters.AreaId > 0 {
+		db = db.
+			Joins("JOIN warehouses ON warehouses.id = purchase_items.warehouse_id").
+			Where("warehouses.area_id = ?", filters.AreaId)
 	}

 	if filters.StartDate != "" {
@@ -172,18 +164,10 @@ func (r *purchaseSupplierRepositoryImpl) GetItemsBySuppliers(ctx context.Context
 			Where("products.product_category_id = ?", filters.ProductCategoryId)
 	}

-	if filters.AreaId > 0 || filters.AllowedAreaIDs != nil {
-		db = db.Joins("JOIN warehouses ON warehouses.id = purchase_items.warehouse_id")
-		if filters.AreaId > 0 {
-			db = db.Where("warehouses.area_id = ?", filters.AreaId)
-		}
-		if filters.AllowedAreaIDs != nil {
-			if len(filters.AllowedAreaIDs) == 0 {
-				db = db.Where("1 = 0")
-			} else {
-				db = db.Where("warehouses.area_id IN ?", filters.AllowedAreaIDs)
-			}
-		}
+	if filters.AreaId > 0 {
+		db = db.
+			Joins("JOIN warehouses ON warehouses.id = purchase_items.warehouse_id").
+			Where("warehouses.area_id = ?", filters.AreaId)
 	}

 	if filters.StartDate != "" {
@@ -9,7 +9,6 @@ import (
 	"strings"
 	"time"

-	m "gitlab.com/mbugroup/lti-api.git/internal/middleware"
 	"gitlab.com/mbugroup/lti-api.git/internal/modules/repports/dto"
 	repportRepo "gitlab.com/mbugroup/lti-api.git/internal/modules/repports/repositories"
 	validation "gitlab.com/mbugroup/lti-api.git/internal/modules/repports/validations"
@@ -41,7 +40,6 @@ type RepportService interface {
 	GetDebtSupplier(ctx *fiber.Ctx, params *validation.DebtSupplierQuery) ([]dto.DebtSupplierDTO, int64, error)
 	GetHppPerKandang(ctx *fiber.Ctx) (*dto.HppPerKandangResponseData, *dto.HppPerKandangMetaDTO, error)
 	GetProductionResult(ctx *fiber.Ctx, params *validation.ProductionResultQuery) ([]dto.ProductionResultDTO, int64, error)
-	DB() *gorm.DB
 }

 type repportService struct {
@@ -97,10 +95,6 @@ func NewRepportService(
 	}
 }

-func (s *repportService) DB() *gorm.DB {
-	return s.ExpenseRealizationRepo.DB()
-}
-
 func (s *repportService) GetExpense(c *fiber.Ctx, params *validation.ExpenseQuery) ([]dto.RepportExpenseListDTO, int64, error) {
 	if err := s.Validate.Struct(params); err != nil {
 		return nil, 0, err
@@ -1309,36 +1303,6 @@ func (s *repportService) parseHppPerKandangQuery(ctx *fiber.Ctx) (*validation.Hp
 		return nil, dto.HppPerKandangFiltersDTO{}, fiber.NewError(fiber.StatusBadRequest, err.Error())
 	}

-	locationScope, err := m.ResolveLocationScope(ctx, s.ExpenseRealizationRepo.DB())
-	if err != nil {
-		return nil, dto.HppPerKandangFiltersDTO{}, err
-	}
-	areaScope, err := m.ResolveAreaScope(ctx, s.ExpenseRealizationRepo.DB())
-	if err != nil {
-		return nil, dto.HppPerKandangFiltersDTO{}, err
-	}
-
-	if locationScope.Restrict {
-		allowed := toInt64Slice(locationScope.IDs)
-		if len(allowed) == 0 {
-			locationIDs = []int64{-1}
-		} else if len(locationIDs) > 0 {
-			locationIDs = intersectInt64(locationIDs, allowed)
-		} else {
-			locationIDs = allowed
-		}
-	}
-	if areaScope.Restrict {
-		allowed := toInt64Slice(areaScope.IDs)
-		if len(allowed) == 0 {
-			areaIDs = []int64{-1}
-		} else if len(areaIDs) > 0 {
-			areaIDs = intersectInt64(areaIDs, allowed)
-		} else {
-			areaIDs = allowed
-		}
-	}
-
 	weightMin, err := parseOptionalFloat64(rawWeightMin)
 	if err != nil {
 		return nil, dto.HppPerKandangFiltersDTO{}, fiber.NewError(fiber.StatusBadRequest, err.Error())
@@ -1402,34 +1366,6 @@ func parseCommaSeparatedInt64s(raw string) ([]int64, error) {
 	return result, nil
 }

-func toInt64Slice(ids []uint) []int64 {
-	if len(ids) == 0 {
-		return nil
-	}
-	out := make([]int64, 0, len(ids))
-	for _, id := range ids {
-		out = append(out, int64(id))
-	}
-	return out
-}
-
-func intersectInt64(a, b []int64) []int64 {
-	if len(a) == 0 || len(b) == 0 {
-		return nil
-	}
-	set := make(map[int64]struct{}, len(b))
-	for _, id := range b {
-		set[id] = struct{}{}
-	}
-	out := make([]int64, 0, len(a))
-	for _, id := range a {
-		if _, ok := set[id]; ok {
-			out = append(out, id)
-		}
-	}
-	return out
-}
-
 func parseOptionalFloat64(raw string) (*float64, error) {
 	raw = strings.TrimSpace(raw)
 	if raw == "" {
@@ -13,8 +13,6 @@ type ExpenseQuery struct {
 	AreaId                int64  `query:"area_id" validate:"omitempty"`
 	LocationId            int64  `query:"location_id" validate:"omitempty"`
 	RealizationDate       string `query:"realization_date" validate:"omitempty"`
-	AllowedAreaIDs        []int64 `query:"-"`
-	AllowedLocationIDs    []int64 `query:"-"`
 }

 type MarketingQuery struct {
@@ -44,7 +42,6 @@ type PurchaseSupplierQuery struct {
 	EndDate           string `query:"end_date" validate:"omitempty"`
 	SortBy            string `query:"sort_by" validate:"omitempty"`
 	FilterBy          string `query:"filter_by" validate:"omitempty"`
-	AllowedAreaIDs    []int64 `query:"-"`
 }

 type DebtSupplierQuery struct {
@@ -1,331 +0,0 @@
-package controllers
-
-import (
-	"context"
-	"crypto/hmac"
-	"crypto/sha256"
-	"encoding/base64"
-	"encoding/hex"
-	"errors"
-	"fmt"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/gofiber/fiber/v2"
-	"github.com/redis/go-redis/v9"
-	"gorm.io/gorm"
-
-	"gitlab.com/mbugroup/lti-api.git/internal/config"
-	entity "gitlab.com/mbugroup/lti-api.git/internal/entities"
-	sso "gitlab.com/mbugroup/lti-api.git/internal/modules/sso/verifier"
-	"gitlab.com/mbugroup/lti-api.git/internal/response"
-	"gitlab.com/mbugroup/lti-api.git/internal/utils"
-)
-
-type MasterDataController struct {
-	db         *gorm.DB
-	redis      *redis.Client
-	clients    map[string]config.SSOClientConfig
-	drift      time.Duration
-	nonceTTL   time.Duration
-	localNonce sync.Map
-}
-
-type masterArea struct {
-	ID   uint   `json:"id"`
-	Name string `json:"name"`
-}
-
-type masterLocation struct {
-	ID     uint   `json:"id"`
-	Name   string `json:"name"`
-	AreaID uint   `json:"area_id"`
-}
-
-func NewMasterDataController(db *gorm.DB, redis *redis.Client, clients map[string]config.SSOClientConfig) *MasterDataController {
-	normalized := make(map[string]config.SSOClientConfig, len(clients))
-	for alias, cfg := range clients {
-		alias = strings.ToLower(strings.TrimSpace(alias))
-		normalized[alias] = cfg
-	}
-
-	drift := config.SSOUserSyncDrift
-	if drift <= 0 {
-		drift = 2 * time.Minute
-	}
-
-	nonceTTL := config.SSOUserSyncNonceTTL
-	if nonceTTL <= 0 {
-		nonceTTL = 10 * time.Minute
-	}
-
-	return &MasterDataController{
-		db:       db,
-		redis:    redis,
-		clients:  normalized,
-		drift:    drift,
-		nonceTTL: nonceTTL,
-	}
-}
-
-func (h *MasterDataController) GetAreas(c *fiber.Ctx) error {
-	if _, _, err := h.authenticate(c, nil); err != nil {
-		return err
-	}
-
-	search := strings.TrimSpace(c.Query("search", ""))
-	ids := parseUintList(c.Query("ids", ""))
-
-	query := h.db.WithContext(c.Context()).
-		Model(&entity.Area{}).
-		Where("deleted_at IS NULL")
-	if search != "" {
-		query = query.Where("name ILIKE ?", "%"+search+"%")
-	}
-	if len(ids) > 0 {
-		query = query.Where("id IN ?", ids)
-	}
-
-	var areas []masterArea
-	if err := query.Order("name ASC").Find(&areas).Error; err != nil {
-		utils.Log.WithError(err).Error("failed to fetch areas for master data")
-		return fiber.NewError(fiber.StatusInternalServerError, "failed to fetch areas")
-	}
-
-	return c.Status(fiber.StatusOK).JSON(response.Success{
-		Code:    fiber.StatusOK,
-		Status:  "success",
-		Message: "Get areas successfully",
-		Data:    areas,
-	})
-}
-
-func (h *MasterDataController) GetLocations(c *fiber.Ctx) error {
-	if _, _, err := h.authenticate(c, nil); err != nil {
-		return err
-	}
-
-	search := strings.TrimSpace(c.Query("search", ""))
-	areaIDs := parseUintList(c.Query("area_ids", ""))
-	ids := parseUintList(c.Query("ids", ""))
-
-	query := h.db.WithContext(c.Context()).
-		Model(&entity.Location{}).
-		Where("deleted_at IS NULL")
-	if search != "" {
-		query = query.Where("name ILIKE ?", "%"+search+"%")
-	}
-	if len(areaIDs) > 0 {
-		query = query.Where("area_id IN ?", areaIDs)
-	}
-	if len(ids) > 0 {
-		query = query.Where("id IN ?", ids)
-	}
-
-	var locations []masterLocation
-	if err := query.Order("name ASC").Find(&locations).Error; err != nil {
-		utils.Log.WithError(err).Error("failed to fetch locations for master data")
-		return fiber.NewError(fiber.StatusInternalServerError, "failed to fetch locations")
-	}
-
-	return c.Status(fiber.StatusOK).JSON(response.Success{
-		Code:    fiber.StatusOK,
-		Status:  "success",
-		Message: "Get locations successfully",
-		Data:    locations,
-	})
-}
-
-func (h *MasterDataController) authenticate(c *fiber.Ctx, body []byte) (string, config.SSOClientConfig, error) {
-	rawAlias := strings.TrimSpace(c.Get("X-Sync-Client"))
-	if rawAlias == "" {
-		return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "missing sync client header")
-	}
-
-	aliasKey := strings.ToLower(rawAlias)
-	clientCfg, ok := h.clients[aliasKey]
-	if !ok {
-		return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "unknown sync client")
-	}
-
-	if err := h.verifyAuthorization(c, aliasKey); err != nil {
-		return "", config.SSOClientConfig{}, err
-	}
-
-	secret := strings.TrimSpace(clientCfg.SyncSecret)
-	if secret == "" {
-		return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "sync secret not configured")
-	}
-
-	timestamp := strings.TrimSpace(c.Get("X-Sync-Timestamp"))
-	nonce := strings.TrimSpace(c.Get("X-Sync-Nonce"))
-	signature := strings.TrimSpace(c.Get("X-Sync-Signature"))
-	if timestamp == "" || nonce == "" || signature == "" {
-		return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "missing signature headers")
-	}
-	if len(nonce) < 16 {
-		return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "nonce too short")
-	}
-
-	ts, err := strconv.ParseInt(timestamp, 10, 64)
-	if err != nil {
-		return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusBadRequest, "invalid timestamp")
-	}
-
-	msgTime := time.Unix(ts, 0).UTC()
-	now := time.Now().UTC()
-	drift := now.Sub(msgTime)
-	if drift > h.drift || drift < -h.drift {
-		return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "timestamp outside allowed window")
-	}
-
-	providedSig, err := decodeMasterSignature(signature)
-	if err != nil {
-		return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "invalid signature encoding")
-	}
-
-	expectedSignature := calculateSignature(secret, rawAlias, timestamp, nonce, body)
-	if !hmac.Equal(providedSig, expectedSignature) {
-		return "", config.SSOClientConfig{}, fiber.NewError(fiber.StatusUnauthorized, "invalid signature")
-	}
-
-	if err := h.registerNonce(c.Context(), aliasKey, nonce); err != nil {
-		return "", config.SSOClientConfig{}, err
-	}
-
-	return aliasKey, clientCfg, nil
-}
-
-func (h *MasterDataController) verifyAuthorization(c *fiber.Ctx, alias string) error {
-	authHeader := strings.TrimSpace(c.Get(fiber.HeaderAuthorization))
-	if authHeader == "" {
-		return fiber.NewError(fiber.StatusUnauthorized, "missing authorization header")
-	}
-	parts := strings.SplitN(authHeader, " ", 2)
-	if len(parts) != 2 || !strings.EqualFold(parts[0], "Bearer") {
-		return fiber.NewError(fiber.StatusUnauthorized, "invalid authorization header")
-	}
-
-	token := strings.TrimSpace(parts[1])
-	if token == "" {
-		return fiber.NewError(fiber.StatusUnauthorized, "invalid authorization header")
-	}
-
-	verification, err := sso.VerifyAccessToken(token)
-	if err != nil {
-		return fiber.NewError(fiber.StatusUnauthorized, "invalid access token")
-	}
-
-	if verification.ServiceAlias == "" || verification.ServiceAlias != alias {
-		return fiber.NewError(fiber.StatusUnauthorized, "service subject mismatch")
-	}
-	if !hasAnyScope(verification.Claims.Scopes(), []string{"sync.master", "sync.users"}) {
-		return fiber.NewError(fiber.StatusForbidden, "missing sync scope")
-	}
-	return nil
-}
-
-func (h *MasterDataController) registerNonce(ctx context.Context, alias, nonce string) error {
-	ttl := h.nonceTTL
-	if ttl <= 0 {
-		ttl = 10 * time.Minute
-	}
-
-	key := fmt.Sprintf("sso:sync:%s:%s", alias, nonce)
-	if h.redis != nil {
-		stored, err := h.redis.SetNX(ctx, key, "1", ttl).Result()
-		if err == nil {
-			if !stored {
-				return fiber.NewError(fiber.StatusUnauthorized, "nonce already used")
-			}
-			return nil
-		}
-		utils.Log.WithError(err).Warn("store sync nonce failed")
-	}
-
-	now := time.Now().UTC()
-	if expRaw, ok := h.localNonce.Load(key); ok {
-		if expTime, ok := expRaw.(time.Time); ok && expTime.After(now) {
-			return fiber.NewError(fiber.StatusUnauthorized, "nonce already used")
-		}
-	}
-	h.localNonce.Store(key, now.Add(ttl))
-	return nil
-}
-
-func calculateSignature(secret, alias, timestamp, nonce string, body []byte) []byte {
-	mac := hmac.New(sha256.New, []byte(secret))
-	mac.Write([]byte(alias))
-	mac.Write([]byte("\n"))
-	mac.Write([]byte(timestamp))
-	mac.Write([]byte("\n"))
-	mac.Write([]byte(nonce))
-	mac.Write([]byte("\n"))
-	if len(body) > 0 {
-		mac.Write(body)
-	}
-	return mac.Sum(nil)
-}
-
-func decodeMasterSignature(sig string) ([]byte, error) {
-	sig = strings.TrimSpace(sig)
-	if sig == "" {
-		return nil, errors.New("empty signature")
-	}
-	if decoded, err := hex.DecodeString(sig); err == nil {
-		return decoded, nil
-	}
-	if decoded, err := base64.StdEncoding.DecodeString(sig); err == nil {
-		return decoded, nil
-	}
-	if decoded, err := base64.URLEncoding.DecodeString(sig); err == nil {
-		return decoded, nil
-	}
-	return nil, errors.New("unrecognized signature encoding")
-}
-
-func parseUintList(raw string) []uint {
-	raw = strings.TrimSpace(raw)
-	if raw == "" {
-		return nil
-	}
-	parts := strings.Split(raw, ",")
-	out := make([]uint, 0, len(parts))
-	seen := make(map[uint]struct{}, len(parts))
-	for _, part := range parts {
-		part = strings.TrimSpace(part)
-		if part == "" {
-			continue
-		}
-		val, err := strconv.ParseUint(part, 10, 64)
-		if err != nil || val == 0 {
-			continue
-		}
-		if _, ok := seen[uint(val)]; ok {
-			continue
-		}
-		seen[uint(val)] = struct{}{}
-		out = append(out, uint(val))
-	}
-	return out
-}
-
-func hasAnyScope(scopes []string, targets []string) bool {
-	if len(scopes) == 0 || len(targets) == 0 {
-		return false
-	}
-	for _, scope := range scopes {
-		scope = strings.ToLower(strings.TrimSpace(scope))
-		if scope == "" {
-			continue
-		}
-		for _, target := range targets {
-			if scope == strings.ToLower(strings.TrimSpace(target)) {
-				return true
-			}
-		}
-	}
-	return false
-}
@@ -16,7 +16,7 @@ import (

 	"gitlab.com/mbugroup/lti-api.git/internal/config"
 	"gitlab.com/mbugroup/lti-api.git/internal/modules/sso/session"
-	sso "gitlab.com/mbugroup/lti-api.git/internal/modules/sso/verifier"
+	"gitlab.com/mbugroup/lti-api.git/internal/sso"
 	"gitlab.com/mbugroup/lti-api.git/internal/utils"
 	"gitlab.com/mbugroup/lti-api.git/internal/utils/secure"
 )
@@ -9,24 +9,23 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
 	"github.com/go-playground/validator/v10"
 	"github.com/gofiber/fiber/v2"
 	"github.com/redis/go-redis/v9"
 	"github.com/sirupsen/logrus"
 	"gorm.io/gorm"
+	"strconv"
+	"strings"
+	"sync"
+	"time"

 	"gitlab.com/mbugroup/lti-api.git/internal/config"
 	entity "gitlab.com/mbugroup/lti-api.git/internal/entities"
 	"gitlab.com/mbugroup/lti-api.git/internal/modules/sso/session"
-	sso "gitlab.com/mbugroup/lti-api.git/internal/modules/sso/verifier"
 	"gitlab.com/mbugroup/lti-api.git/internal/modules/users/dto"
 	userRepository "gitlab.com/mbugroup/lti-api.git/internal/modules/users/repositories"
 	"gitlab.com/mbugroup/lti-api.git/internal/response"
+	"gitlab.com/mbugroup/lti-api.git/internal/sso"
 	"gitlab.com/mbugroup/lti-api.git/internal/utils"
 )

@@ -26,7 +26,6 @@ func Routes(router fiber.Router, db *gorm.DB, validate *validator.Validate) {
 	ctrl := ssoController.NewController(&http.Client{Timeout: 10 * time.Second}, store, session.GetRevocationStore())
 	userRepo := userRepository.NewUserRepository(db)
 	syncCtrl := ssoController.NewUserSyncController(validate, userRepo, cache.Redis(), config.SSOClients)
-	masterCtrl := ssoController.NewMasterDataController(db, cache.Redis(), config.SSOClients)

 	group := router.Group("/sso")
 	group.Get("/start", middleware.NewLimiter(30, time.Minute), ctrl.Start)
@@ -35,6 +34,4 @@ func Routes(router fiber.Router, db *gorm.DB, validate *validator.Validate) {
 	group.Post("/refresh", middleware.NewLimiter(60, time.Minute), ctrl.Refresh)
 	group.Post("/logout", middleware.NewLimiter(60, time.Minute), ctrl.Logout)
 	group.Post("/users/sync", middleware.NewLimiter(30, time.Minute), syncCtrl.Sync)
-	group.Get("/master/areas", middleware.NewLimiter(60, time.Minute), masterCtrl.GetAreas)
-	group.Get("/master/locations", middleware.NewLimiter(60, time.Minute), masterCtrl.GetLocations)
 }
@@ -1,319 +0,0 @@
-package sso
-
-import (
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"net/http"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/redis/go-redis/v9"
-
-	"gitlab.com/mbugroup/lti-api.git/internal/cache"
-	"gitlab.com/mbugroup/lti-api.git/internal/config"
-	"gitlab.com/mbugroup/lti-api.git/internal/utils"
-)
-
-const (
-	profileCachePrefix = "sso:profile:user:"
-	profileCacheTTL    = time.Minute
-)
-
-var (
-	profileClient = &http.Client{Timeout: 5 * time.Second}
-
-	profileLocalCache sync.Map // map[string]cachedProfile
-)
-
-type cachedProfile struct {
-	Profile   *UserProfile
-	ExpiresAt time.Time
-}
-
-// UserProfile represents the enriched user information returned by the central SSO.
-type UserProfile struct {
-	UserID      uint
-	Roles       []Role
-	Permissions []Permission
-}
-
-// Role describes a role assignment from the SSO profile response.
-type Role struct {
-	ID           uint
-	Key          string
-	Name         string
-	ClientID     uint
-	ClientAlias  string
-	ClientName   string
-	AllArea      bool
-	AllLocation  bool
-	AreaIDs      []uint
-	LocationIDs  []uint
-	Permissions  []Permission
-	RawReference json.RawMessage `json:"-"`
-}
-
-// Permission describes a granular permission entry from the SSO profile.
-type Permission struct {
-	ID          uint
-	Name        string
-	Action      string
-	ClientID    uint
-	ClientAlias string
-	ClientName  string
-}
-
-// PermissionNames returns a de-duplicated slice of permission identifiers in canonical form.
-func (p *UserProfile) PermissionNames() []string {
-	if p == nil || len(p.Permissions) == 0 {
-		return nil
-	}
-	set := make(map[string]struct{}, len(p.Permissions))
-	for _, perm := range p.Permissions {
-		name := canonicalPermissionName(perm.Name)
-		if name != "" {
-			set[name] = struct{}{}
-		}
-	}
-	out := make([]string, 0, len(set))
-	for name := range set {
-		out = append(out, name)
-	}
-	return out
-}
-
-// FetchProfile retrieves the SSO profile for the authenticated user, using Redis/in-memory
-// caching to reduce load on the SSO service. Only end-user tokens (subject user:ID) are supported.
-func FetchProfile(ctx context.Context, token string, verification *VerificationResult) (*UserProfile, error) {
-	if verification == nil || verification.UserID == 0 {
-		return nil, errors.New("profile only available for user tokens")
-	}
-	key := profileCacheKey(verification.UserID)
-
-	if profile := loadProfileFromLocalCache(key); profile != nil {
-		return profile, nil
-	}
-
-	if profile := loadProfileFromRedis(ctx, key); profile != nil {
-		storeProfileInLocalCache(key, profile)
-		return profile, nil
-	}
-
-	profile, err := fetchProfileFromSSO(ctx, token)
-	if err != nil {
-		return nil, err
-	}
-
-	storeProfileInLocalCache(key, profile)
-	storeProfileInRedis(ctx, key, profile)
-	return profile, nil
-}
-
-func fetchProfileFromSSO(ctx context.Context, token string) (*UserProfile, error) {
-	endpoint := strings.TrimSpace(config.SSOGetMeURL)
-	if endpoint == "" {
-		return nil, errors.New("sso get-me endpoint not configured")
-	}
-
-	if ctx == nil {
-		ctx = context.Background()
-	}
-
-	req, err := http.NewRequestWithContext(ctx, http.MethodGet, endpoint, nil)
-	if err != nil {
-		return nil, fmt.Errorf("build profile request: %w", err)
-	}
-	req.Header.Set("Accept", "application/json")
-	req.Header.Set("Authorization", "Bearer "+token)
-	if cookieName := strings.TrimSpace(config.SSOAccessCookieName); cookieName != "" {
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", cookieName, token))
-	}
-
-	resp, err := profileClient.Do(req)
-	if err != nil {
-		return nil, fmt.Errorf("fetch profile: %w", err)
-	}
-	defer resp.Body.Close()
-
-	if resp.StatusCode >= 400 {
-		return nil, fmt.Errorf("fetch profile: status %d", resp.StatusCode)
-	}
-
-	var envelope userInfoEnvelope
-	if err := json.NewDecoder(resp.Body).Decode(&envelope); err != nil {
-		return nil, fmt.Errorf("decode profile: %w", err)
-	}
-
-	roles := envelope.getRoles()
-	profile := &UserProfile{}
-
-	// Attempt to infer user id if provided.
-	if envelope.User != nil && envelope.User.ID > 0 {
-		profile.UserID = uint(envelope.User.ID)
-	}
-
-	perms := make([]Permission, 0)
-	convertedRoles := make([]Role, 0, len(roles))
-	for _, r := range roles {
-		role := Role{
-			ID:          uint(r.ID),
-			Key:         strings.TrimSpace(r.Key),
-			Name:        strings.TrimSpace(r.Name),
-			ClientAlias: strings.TrimSpace(r.Client.Alias),
-			ClientName:  strings.TrimSpace(r.Client.Name),
-			ClientID:    uint(r.Client.ID),
-			AllArea:     r.AllArea,
-			AllLocation: r.AllLocation,
-			AreaIDs:     r.AreaIDs,
-			LocationIDs: r.LocationIDs,
-		}
-		rolePerms := make([]Permission, 0, len(r.Permissions))
-		for _, p := range r.Permissions {
-			perm := Permission{
-				ID:          uint(p.ID),
-				Name:        strings.TrimSpace(p.Name),
-				Action:      strings.TrimSpace(p.Action),
-				ClientAlias: strings.TrimSpace(p.Client.Alias),
-				ClientName:  strings.TrimSpace(p.Client.Name),
-				ClientID:    uint(p.Client.ID),
-			}
-			if perm.Name != "" {
-				rolePerms = append(rolePerms, perm)
-				perms = append(perms, perm)
-			}
-		}
-		role.Permissions = rolePerms
-		convertedRoles = append(convertedRoles, role)
-	}
-	profile.Roles = convertedRoles
-	profile.Permissions = perms
-
-	return profile, nil
-}
-
-func loadProfileFromLocalCache(key string) *UserProfile {
-	if value, ok := profileLocalCache.Load(key); ok {
-		if cached, ok := value.(cachedProfile); ok {
-			if time.Now().Before(cached.ExpiresAt) && cached.Profile != nil {
-				return cached.Profile
-			}
-			profileLocalCache.Delete(key)
-		}
-	}
-	return nil
-}
-
-func loadProfileFromRedis(ctx context.Context, key string) *UserProfile {
-	client := cache.Redis()
-	if client == nil {
-		return nil
-	}
-
-	data, err := client.Get(ctx, key).Bytes()
-	if err != nil {
-		if !errors.Is(err, redis.Nil) {
-			utils.Log.WithError(err).Warn("sso profile redis lookup failed")
-		}
-		return nil
-	}
-
-	var profile UserProfile
-	if err := json.Unmarshal(data, &profile); err != nil {
-		utils.Log.WithError(err).Warn("sso profile redis decode failed")
-		return nil
-	}
-
-	return &profile
-}
-
-func storeProfileInLocalCache(key string, profile *UserProfile) {
-	if profile == nil {
-		return
-	}
-	profileLocalCache.Store(key, cachedProfile{
-		Profile:   profile,
-		ExpiresAt: time.Now().Add(profileCacheTTL),
-	})
-}
-
-func storeProfileInRedis(ctx context.Context, key string, profile *UserProfile) {
-	client := cache.Redis()
-	if client == nil || profile == nil {
-		return
-	}
-
-	data, err := json.Marshal(profile)
-	if err != nil {
-		utils.Log.WithError(err).Warn("sso profile redis encode failed")
-		return
-	}
-
-	if err := client.Set(ctx, key, data, profileCacheTTL).Err(); err != nil {
-		utils.Log.WithError(err).Warn("sso profile redis store failed")
-	}
-}
-
-func profileCacheKey(userID uint) string {
-	return profileCachePrefix + strconv.FormatUint(uint64(userID), 10)
-}
-
-func canonicalPermissionName(name string) string {
-	return strings.ToLower(strings.TrimSpace(name))
-}
-
-// userInfoEnvelope handles the varying shapes returned by the SSO userinfo endpoint.
-type userInfoEnvelope struct {
-	Roles []userInfoRole `json:"roles"`
-	Data  *struct {
-		ID    int64          `json:"id"`
-		Roles []userInfoRole `json:"roles"`
-	} `json:"data"`
-	User *struct {
-		ID int64 `json:"id"`
-	} `json:"user"`
-}
-
-func (e *userInfoEnvelope) getRoles() []userInfoRole {
-	if len(e.Roles) > 0 {
-		return e.Roles
-	}
-	if e.Data != nil && len(e.Data.Roles) > 0 {
-		if e.User == nil && e.Data.ID > 0 {
-			e.User = &struct {
-				ID int64 `json:"id"`
-			}{ID: e.Data.ID}
-		}
-		return e.Data.Roles
-	}
-	return nil
-}
-
-type userInfoRole struct {
-	ID          int64             `json:"id"`
-	Key         string            `json:"key"`
-	Name        string            `json:"name"`
-	AllArea     bool              `json:"all_area"`
-	AllLocation bool              `json:"all_location"`
-	AreaIDs     []uint            `json:"area_ids"`
-	LocationIDs []uint            `json:"location_ids"`
-	Client      userInfoClient    `json:"client"`
-	Permissions []userInfoPermRaw `json:"permissions"`
-}
-
-type userInfoClient struct {
-	ID    int64  `json:"id"`
-	Name  string `json:"name"`
-	Alias string `json:"alias"`
-}
-
-type userInfoPermRaw struct {
-	ID      int64          `json:"id"`
-	Name    string         `json:"name"`
-	Action  string         `json:"action"`
-	Client  userInfoClient `json:"client"`
-	Details any            `json:"details"`
-}
@@ -1,160 +0,0 @@
-package sso
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"net/http"
-	"strconv"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/MicahParks/keyfunc/v2"
-	"github.com/golang-jwt/jwt/v5"
-
-	"gitlab.com/mbugroup/lti-api.git/internal/utils"
-)
-
-type verifier struct {
-	jwks      *keyfunc.JWKS
-	issuer    string
-	audiences map[string]struct{}
-}
-
-type AccessTokenClaims struct {
-	Scope string `json:"scope"`
-	jwt.RegisteredClaims
-}
-
-func (c AccessTokenClaims) Scopes() []string {
-	if c.Scope == "" {
-		return nil
-	}
-	return strings.Fields(c.Scope)
-}
-
-type VerificationResult struct {
-	UserID       uint
-	ServiceAlias string
-	Subject      string
-	Claims       *AccessTokenClaims
-}
-
-var (
-	globalMu sync.RWMutex
-	globalV  *verifier
-)
-
-func Init(ctx context.Context, jwksURL, issuer string, audiences []string) error {
-	jwksURL = strings.TrimSpace(jwksURL)
-	issuer = strings.TrimSpace(issuer)
-	if jwksURL == "" || issuer == "" {
-		return errors.New("missing SSO JWKS or issuer configuration")
-	}
-
-	client := &http.Client{Timeout: 5 * time.Second}
-	options := keyfunc.Options{
-		Ctx:               ctx,
-		Client:            client,
-		RefreshTimeout:    10 * time.Second,
-		RefreshInterval:   time.Hour,
-		RefreshUnknownKID: true,
-		RefreshErrorHandler: func(err error) {
-			utils.Log.Errorf("sso jwks refresh failed: %v", err)
-		},
-	}
-
-	jwks, err := keyfunc.Get(jwksURL, options)
-	if err != nil {
-		return fmt.Errorf("load jwks: %w", err)
-	}
-
-	audienceMap := make(map[string]struct{}, len(audiences))
-	for _, aud := range audiences {
-		aud = strings.TrimSpace(aud)
-		if aud == "" {
-			continue
-		}
-		audienceMap[aud] = struct{}{}
-	}
-
-	globalMu.Lock()
-	globalV = &verifier{jwks: jwks, issuer: issuer, audiences: audienceMap}
-	globalMu.Unlock()
-
-	utils.Log.Infof("sso verifier initialized for issuer %s (%d keys)", issuer, len(jwks.KIDs()))
-	return nil
-}
-
-func VerifyAccessToken(token string) (*VerificationResult, error) {
-	token = strings.TrimSpace(token)
-	if token == "" {
-		return nil, errors.New("empty token")
-	}
-
-	globalMu.RLock()
-	v := globalV
-	globalMu.RUnlock()
-	if v == nil {
-		return nil, errors.New("sso verifier not initialized")
-	}
-
-	claims := &AccessTokenClaims{}
-	parser := jwt.NewParser(
-		jwt.WithValidMethods([]string{jwt.SigningMethodRS256.Alg()}),
-		jwt.WithIssuedAt(),
-		jwt.WithExpirationRequired(),
-	)
-	
-	tok, err := parser.ParseWithClaims(token, claims, v.jwks.Keyfunc)
-	if err != nil {
-		return nil, fmt.Errorf("parse token: %w", err)
-	}
-	if !tok.Valid {
-		return nil, errors.New("invalid token")
-	}
-
-	if claims.Issuer != v.issuer {
-		return nil, errors.New("unexpected token issuer")
-	}
-
-	if len(v.audiences) > 0 {
-		validAud := false
-		for _, aud := range claims.Audience {
-			if _, ok := v.audiences[aud]; ok {
-				validAud = true
-				break
-			}
-		}
-		if !validAud {
-			return nil, errors.New("unexpected token audience")
-		}
-	}
-
-	sub := strings.TrimSpace(claims.Subject)
-	if sub == "" {
-		return nil, errors.New("missing subject")
-	}
-
-	result := &VerificationResult{Claims: claims, Subject: sub}
-	switch {
-	case strings.HasPrefix(sub, "user:"):
-		idStr := strings.TrimPrefix(sub, "user:")
-		id, err := strconv.ParseUint(idStr, 10, 64)
-		if err != nil {
-			return nil, fmt.Errorf("invalid subject: %w", err)
-		}
-		result.UserID = uint(id)
-	case strings.HasPrefix(sub, "service:"):
-		alias := strings.TrimSpace(strings.TrimPrefix(sub, "service:"))
-		if alias == "" {
-			return nil, errors.New("invalid service subject")
-		}
-		result.ServiceAlias = strings.ToLower(alias)
-	default:
-		return nil, errors.New("unsupported subject type")
-	}
-
-	return result, nil
-}