Fix csrf

Add in mark as reaad button to list view, use ajax to preform the action without page refresh.
Fix archiving and unarchiving functionality.
2025-11-02 09:50:50 +00:00 · 2025-11-02 09:11:48 +00:00 · 2025-11-01 22:37:47 +00:00 · 2025-10-31 22:55:04 +00:00 · 2025-10-31 12:08:38 +00:00 · 2025-10-31 12:00:43 +00:00
31 changed files with 814 additions and 297 deletions
--- a/internal/domain/messages/domain.go
+++ b/internal/domain/messages/domain.go
@@ -7,7 +7,8 @@ import (
 type Message = models.Message

 type CreateMessageInput struct {
-	RecipientID int64  `form:"to" binding:"required,username"`
+	SenderID    int64
+	RecipientID int64  `form:"recipientId" binding:"required,numeric"`
 	Subject     string `form:"subject" binding:"required,max=200"`
 	Body        string `form:"body" binding:"required"`
 }
@@ -17,4 +18,8 @@ type MessageService interface {
 	ListArchived(userID int64) ([]Message, error)
 	GetByID(userID, id int64) (*Message, error)
 	Create(userID int64, in CreateMessageInput) (int64, error)
+	Archive(userID, id int64) error
+	Unarchive(userID, id int64) error
+	MarkRead(userID, id int64) error
+	//MarkUnread(userID, id int64) error
 }
--- a/internal/handlers/account/messages/archive.go
+++ b/internal/handlers/account/messages/archive.go
@@ -5,12 +5,17 @@
 package accountMessageHandler

 import (
+	"bytes"
+	"database/sql"
+	"errors"
 	"net/http"
+	"strconv"

+	templateHandlers "synlotto-website/internal/handlers/template"
 	templateHelpers "synlotto-website/internal/helpers/template"
+	httpErrors "synlotto-website/internal/http/error"

 	"synlotto-website/internal/logging"
-	"synlotto-website/internal/models"
 	"synlotto-website/internal/platform/bootstrap"

 	"github.com/gin-gonic/gin"
@@ -22,31 +27,126 @@ import (
 func (h *AccountMessageHandlers) ArchivedList(c *gin.Context) {
 	app := c.MustGet("app").(*bootstrap.App)
 	sm := app.SessionManager
-
 	userID := mustUserID(c)
-	msgs, err := h.Svc.ListArchived(userID)
+
+	// pagination
+	page := 1
+	if ps := c.Query("page"); ps != "" {
+		if n, err := strconv.Atoi(ps); err == nil && n > 0 {
+			page = n
+		}
+	}
+	pageSize := 20
+
+	totalPages, totalCount, err := templateHelpers.GetTotalPages(
+		c.Request.Context(),
+		app.DB,
+		"user_messages",
+		"recipientId = ? AND is_archived = TRUE",
+		[]any{userID},
+		pageSize,
+	)
+	if err != nil {
+		logging.Info("❌ count archived error: %v", err)
+		c.String(http.StatusInternalServerError, "Failed to load archived messages")
+		return
+	}
+	if page > totalPages {
+		page = totalPages
+	}
+
+	msgsAll, err := h.Svc.ListArchived(userID)
 	if err != nil {
 		logging.Info("❌ list archived error: %v", err)
 		c.String(http.StatusInternalServerError, "Failed to load archived messages")
 		return
 	}

-	ctx := templateHelpers.TemplateContext(c.Writer, c.Request, models.TemplateData{})
+	// slice in-memory for now
+	start := (page - 1) * pageSize
+	if start > len(msgsAll) {
+		start = len(msgsAll)
+	}
+	end := start + pageSize
+	if end > len(msgsAll) {
+		end = len(msgsAll)
+	}
+	msgs := msgsAll[start:end]
+
+	data := templateHandlers.BuildTemplateData(app, c.Writer, c.Request)
+	ctx := templateHelpers.TemplateContext(c.Writer, c.Request, data)
 	if f := sm.PopString(c.Request.Context(), "flash"); f != "" {
 		ctx["Flash"] = f
 	}
 	ctx["CSRFToken"] = nosurf.Token(c.Request)
 	ctx["Title"] = "Archived Messages"
 	ctx["Messages"] = msgs
+	ctx["CurrentPage"] = page
+	ctx["TotalPages"] = totalPages
+	ctx["TotalCount"] = totalCount
+	ctx["PageRange"] = templateHelpers.MakePageRange(1, totalPages)

-	tmpl := templateHelpers.LoadTemplateFiles(
-		"layout.html",
-		"web/templates/account/messages/archived.html",
-	)
+	tmpl := templateHelpers.LoadTemplateFiles("layout.html", "web/templates/account/messages/archived.html")

-	c.Status(http.StatusOK)
-	if err := tmpl.ExecuteTemplate(c.Writer, "layout", ctx); err != nil {
+	var buf bytes.Buffer
+	if err := tmpl.ExecuteTemplate(&buf, "layout", ctx); err != nil {
 		logging.Info("❌ Template render error: %v", err)
 		c.String(http.StatusInternalServerError, "Error rendering archived messages")
+		return
 	}
+	c.Data(http.StatusOK, "text/html; charset=utf-8", buf.Bytes())
+}
+
+// POST /account/messages/archive
+func (h *AccountMessageHandlers) ArchivePost(c *gin.Context) {
+	app := c.MustGet("app").(*bootstrap.App)
+	sm := app.SessionManager
+	userID := mustUserID(c)
+
+	idStr := c.PostForm("id")
+	id, err := strconv.ParseInt(idStr, 10, 64)
+	if err != nil || id <= 0 {
+		httpErrors.RenderStatus(c, sm, http.StatusBadRequest)
+		return
+	}
+
+	if err := h.Svc.Archive(userID, id); err != nil {
+		logging.Info("❌ Archive error: %v", err)
+		sm.Put(c.Request.Context(), "flash", "Could not archive message.")
+		c.Redirect(http.StatusSeeOther, "/account/messages")
+		return
+	}
+
+	sm.Put(c.Request.Context(), "flash", "Message archived.")
+	c.Redirect(http.StatusSeeOther, "/account/messages")
+}
+
+// POST /account/messages/archived
+func (h *AccountMessageHandlers) RestoreArchived(c *gin.Context) {
+	app := c.MustGet("app").(*bootstrap.App)
+	sm := app.SessionManager
+	userID := mustUserID(c)
+
+	idStr := c.PostForm("id")
+	id, err := strconv.ParseInt(idStr, 10, 64)
+	if err != nil || id <= 0 {
+		sm.Put(c.Request.Context(), "flash", "Invalid message id.")
+		c.Redirect(http.StatusSeeOther, "/account/messages/archive")
+		return
+	}
+
+	if err := h.Svc.Unarchive(userID, id); err != nil {
+		logging.Info("❌ restore/unarchive error: %v", err)
+		// If no rows affected, show friendly flash; otherwise generic message.
+		if errors.Is(err, sql.ErrNoRows) {
+			sm.Put(c.Request.Context(), "flash", "Message not found or not permitted.")
+		} else {
+			sm.Put(c.Request.Context(), "flash", "Could not restore message.")
+		}
+		c.Redirect(http.StatusSeeOther, "/account/messages/archive")
+		return
+	}
+
+	sm.Put(c.Request.Context(), "flash", "Message restored.")
+	c.Redirect(http.StatusSeeOther, "/account/messages/archive")
 }
--- a/internal/handlers/account/messages/list.go
+++ b/internal/handlers/account/messages/list.go
@@ -10,7 +10,6 @@ import (
 )

 func mustUserID(c *gin.Context) int64 {
-	// Pull from your auth middleware/session. Panic-unsafe alternative:
 	if v, ok := c.Get("userID"); ok {
 		if id, ok2 := v.(int64); ok2 {
 			return id
@@ -19,26 +18,3 @@ func mustUserID(c *gin.Context) int64 {
 	// Fallback for stubs:
 	return 1
 }
-
-func parseIDParam(c *gin.Context, name string) (int64, error) {
-	// typical atoi wrapper
-	// (implement: strconv.ParseInt(c.Param(name), 10, 64))
-	return atoi64(c.Param(name))
-}
-
-func atoi64(s string) (int64, error) {
-	// small helper to keep imports focused
-	// replace with strconv.ParseInt in real code
-	var n int64
-	for _, ch := range []byte(s) {
-		if ch < '0' || ch > '9' {
-			return 0, &strconvNumErr{}
-		}
-		n = n*10 + int64(ch-'0')
-	}
-	return n, nil
-}
-
-type strconvNumErr struct{}
-
-func (e *strconvNumErr) Error() string { return "invalid number" }
--- a/internal/handlers/account/messages/read.go
+++ b/internal/handlers/account/messages/read.go
@@ -1,16 +1,21 @@
 // Package accountMessageHandler
 // Path: /internal/handlers/account/messages
 // File: read.go
+// ToDo: Remove SQL

 package accountMessageHandler

 import (
+	"bytes"
+	"database/sql"
 	"net/http"
+	"strconv"

+	templateHandlers "synlotto-website/internal/handlers/template"
 	templateHelpers "synlotto-website/internal/helpers/template"
+	errors "synlotto-website/internal/http/error"

 	"synlotto-website/internal/logging"
-	"synlotto-website/internal/models"
 	"synlotto-website/internal/platform/bootstrap"

 	"github.com/gin-gonic/gin"
@@ -22,73 +27,147 @@ import (
 func (h *AccountMessageHandlers) List(c *gin.Context) {
 	app := c.MustGet("app").(*bootstrap.App)
 	sm := app.SessionManager
-
 	userID := mustUserID(c)

-	// Pull messages (via service)
-	msgs, err := h.Svc.ListInbox(userID)
+	// --- Pagination ---
+	page := 1
+	if ps := c.Query("page"); ps != "" {
+		if n, err := strconv.Atoi(ps); err == nil && n > 0 {
+			page = n
+		}
+	}
+
+	pageSize := 20
+
+	totalPages, totalCount, err := templateHelpers.GetTotalPages(
+		c.Request.Context(),
+		app.DB,
+		"user_messages",
+		"recipientId = ? AND is_archived = FALSE",
+		[]any{userID},
+		pageSize,
+	)
+	if err != nil {
+		logging.Info("❌ count inbox error: %v", err)
+		c.String(http.StatusInternalServerError, "Failed to load messages")
+		return
+	}
+	if page > totalPages {
+		page = totalPages
+	}
+
+	// --- Data ---
+	msgsAll, err := h.Svc.ListInbox(userID)
 	if err != nil {
 		logging.Info("❌ list inbox error: %v", err)
 		c.String(http.StatusInternalServerError, "Failed to load messages")
 		return
 	}

-	// Build template context just like LoginGet
-	ctx := templateHelpers.TemplateContext(c.Writer, c.Request, models.TemplateData{})
+	// Temporary in-memory slice (until LIMIT/OFFSET is added)
+	start := (page - 1) * pageSize
+	if start > len(msgsAll) {
+		start = len(msgsAll)
+	}
+	end := start + pageSize
+	if end > len(msgsAll) {
+		end = len(msgsAll)
+	}
+	msgs := msgsAll[start:end]
+
+	// --- Template context ---
+	data := templateHandlers.BuildTemplateData(app, c.Writer, c.Request)
+	ctx := templateHelpers.TemplateContext(c.Writer, c.Request, data)

 	if f := sm.PopString(c.Request.Context(), "flash"); f != "" {
 		ctx["Flash"] = f
 	}
-
 	ctx["CSRFToken"] = nosurf.Token(c.Request)
 	ctx["Title"] = "Messages"
 	ctx["Messages"] = msgs
+	ctx["CurrentPage"] = page
+	ctx["TotalPages"] = totalPages
+	ctx["TotalCount"] = totalCount
+	ctx["PageRange"] = templateHelpers.MakePageRange(1, totalPages)

-	// Use the same loader + layout pattern
+	// --- Render ---
 	tmpl := templateHelpers.LoadTemplateFiles("layout.html", "web/templates/account/messages/index.html")

-	c.Status(http.StatusOK)
-	if err := tmpl.ExecuteTemplate(c.Writer, "layout", ctx); err != nil {
+	var buf bytes.Buffer
+	if err := tmpl.ExecuteTemplate(&buf, "layout", ctx); err != nil {
 		logging.Info("❌ Template render error: %v", err)
 		c.String(http.StatusInternalServerError, "Error rendering messages page")
+		return
 	}
+	c.Data(http.StatusOK, "text/html; charset=utf-8", buf.Bytes())
 }

-// GET /account/messages/:id
+// GET /account/messages/read?id=123
 // Renders: web/templates/account/messages/read.html
 func (h *AccountMessageHandlers) ReadGet(c *gin.Context) {
 	app := c.MustGet("app").(*bootstrap.App)
 	sm := app.SessionManager
-
 	userID := mustUserID(c)
-	id, err := parseIDParam(c, "id")
-	if err != nil {
-		c.AbortWithStatus(http.StatusNotFound)
+
+	idStr := c.Query("id")
+	id, err := strconv.ParseInt(idStr, 10, 64)
+	if err != nil || id <= 0 {
+		errors.RenderStatus(c, sm, http.StatusNotFound)
 		return
 	}

 	msg, err := h.Svc.GetByID(userID, id)
 	if err != nil || msg == nil {
-		c.AbortWithStatus(http.StatusNotFound)
+		errors.RenderStatus(c, sm, http.StatusNotFound)
 		return
 	}

-	ctx := templateHelpers.TemplateContext(c.Writer, c.Request, models.TemplateData{})
-	if f := sm.PopString(c.Request.Context(), "flash"); f != "" {
-		ctx["Flash"] = f
-	}
+	data := templateHandlers.BuildTemplateData(app, c.Writer, c.Request)
+	ctx := templateHelpers.TemplateContext(c.Writer, c.Request, data)
 	ctx["CSRFToken"] = nosurf.Token(c.Request)
 	ctx["Title"] = msg.Subject
 	ctx["Message"] = msg

-	tmpl := templateHelpers.LoadTemplateFiles(
-		"layout.html",
-		"web/templates/account/messages/read.html",
-	)
+	tmpl := templateHelpers.LoadTemplateFiles("layout.html", "web/templates/account/messages/read.html")

-	c.Status(http.StatusOK)
-	if err := tmpl.ExecuteTemplate(c.Writer, "layout", ctx); err != nil {
+	var buf bytes.Buffer
+	if err := tmpl.ExecuteTemplate(&buf, "layout", ctx); err != nil {
 		logging.Info("❌ Template render error: %v", err)
 		c.String(http.StatusInternalServerError, "Error rendering message")
+		return
+	}
+	c.Data(http.StatusOK, "text/html; charset=utf-8", buf.Bytes())
+}
+
+func (h *AccountMessageHandlers) MarkReadPost(c *gin.Context) {
+	app := c.MustGet("app").(*bootstrap.App)
+	sm := app.SessionManager
+	userID := mustUserID(c)
+
+	idStr := c.PostForm("id")
+	id, err := strconv.ParseInt(idStr, 10, 64)
+	if err != nil || id <= 0 {
+		sm.Put(c.Request.Context(), "flash", "Invalid message id.")
+		c.Redirect(http.StatusSeeOther, c.Request.Referer()) // back to where they came from
+		return
+	}
+
+	if err := h.Svc.MarkRead(userID, id); err != nil {
+		logging.Info("❌ MarkRead error: %v", err)
+		if err == sql.ErrNoRows {
+			sm.Put(c.Request.Context(), "flash", "Message not found or not permitted.")
+		} else {
+			sm.Put(c.Request.Context(), "flash", "Could not mark message as read.")
+		}
+		c.Redirect(http.StatusSeeOther, "/account/messages")
+		return
+	}
+
+	sm.Put(c.Request.Context(), "flash", "Message marked as read.")
+	// Redirect back to referer when possible so UX is smooth.
+	if ref := c.Request.Referer(); ref != "" {
+		c.Redirect(http.StatusSeeOther, ref)
+	} else {
+		c.Redirect(http.StatusSeeOther, "/account/messages")
 	}
 }
--- a/internal/handlers/account/messages/send.go
+++ b/internal/handlers/account/messages/send.go
@@ -8,6 +8,7 @@ import (
 	"net/http"

 	domain "synlotto-website/internal/domain/messages"
+	templateHandlers "synlotto-website/internal/handlers/template"
 	templateHelpers "synlotto-website/internal/helpers/template"

 	"synlotto-website/internal/logging"
@@ -18,23 +19,22 @@ import (
 	"github.com/justinas/nosurf"
 )

-// GET /account/messages/add
+// GET /account/messages/send
 // Renders: web/templates/account/messages/send.html
-func (h *AccountMessageHandlers) AddGet(c *gin.Context) {
+func (h *AccountMessageHandlers) SendGet(c *gin.Context) {
 	app := c.MustGet("app").(*bootstrap.App)
 	sm := app.SessionManager

-	ctx := templateHelpers.TemplateContext(c.Writer, c.Request, models.TemplateData{})
+	data := templateHandlers.BuildTemplateData(app, c.Writer, c.Request)
+	ctx := templateHelpers.TemplateContext(c.Writer, c.Request, data)
+
 	if f := sm.PopString(c.Request.Context(), "flash"); f != "" {
 		ctx["Flash"] = f
 	}
 	ctx["CSRFToken"] = nosurf.Token(c.Request)
 	ctx["Title"] = "Send Message"

-	tmpl := templateHelpers.LoadTemplateFiles(
-		"layout.html",
-		"web/templates/account/messages/send.html",
-	)
+	tmpl := templateHelpers.LoadTemplateFiles("layout.html", "web/templates/account/messages/send.html")

 	c.Status(http.StatusOK)
 	if err := tmpl.ExecuteTemplate(c.Writer, "layout", ctx); err != nil {
@@ -43,8 +43,8 @@ func (h *AccountMessageHandlers) AddGet(c *gin.Context) {
 	}
 }

-// POST /account/messages/add
-func (h *AccountMessageHandlers) AddPost(c *gin.Context) {
+// POST /account/messages/send
+func (h *AccountMessageHandlers) SendPost(c *gin.Context) {
 	app := c.MustGet("app").(*bootstrap.App)
 	sm := app.SessionManager

@@ -53,7 +53,8 @@ func (h *AccountMessageHandlers) AddPost(c *gin.Context) {
 	var in domain.CreateMessageInput
 	if err := c.ShouldBind(&in); err != nil {
 		// Re-render form with validation errors
-		ctx := templateHelpers.TemplateContext(c.Writer, c.Request, models.TemplateData{})
+		data := templateHandlers.BuildTemplateData(app, c.Writer, c.Request)
+		ctx := templateHelpers.TemplateContext(c.Writer, c.Request, data)
 		if f := sm.PopString(c.Request.Context(), "flash"); f != "" {
 			ctx["Flash"] = f
 		}
@@ -85,21 +86,17 @@ func (h *AccountMessageHandlers) AddPost(c *gin.Context) {
 		ctx["Error"] = "Could not send message."
 		ctx["Form"] = in

-		tmpl := templateHelpers.LoadTemplateFiles(
-			"layout.html",
-			"web/templates/account/messages/send.html",
-		)
+		tmpl := templateHelpers.LoadTemplateFiles("layout.html", "web/templates/account/messages/send.html")

 		c.Status(http.StatusInternalServerError)
 		if err := tmpl.ExecuteTemplate(c.Writer, "layout", ctx); err != nil {
 			logging.Info("❌ Template render error: %v", err)
 			c.String(http.StatusInternalServerError, "Error rendering send message page")
 		}
+
 		return
 	}

-	// Optional: set a flash message for success (since you already PopString elsewhere)
-	// If you're using scs/v2, Put is available:
 	sm.Put(c.Request.Context(), "flash", "Message sent!")

 	// Redirect back to inbox
--- a/internal/handlers/account/tickets/list.go
+++ b/internal/handlers/account/tickets/list.go
@@ -38,8 +38,8 @@ func List(c *gin.Context) {

 	rows, err := app.DB.QueryContext(c.Request.Context(), `
 		SELECT id, numbers, game, price, purchased_at, created_at
-		FROM tickets
-		WHERE user_id = ?
+		FROM my_tickets
+		WHERE userId = ?
 		ORDER BY purchased_at DESC, id DESC
 	`, userID)
 	if err != nil {
--- a/internal/handlers/messages.go
+++ b/internal/handlers/messages.go
@@ -177,6 +177,6 @@ func RestoreMessageHandler(app *bootstrap.App) http.HandlerFunc {
 			templateHelpers.SetFlash(r, "Message restored.")
 		}

-		http.Redirect(w, r, "/account/messages/archived", http.StatusSeeOther)
+		http.Redirect(w, r, "/account/messages/archive", http.StatusSeeOther)
 	}
 }
--- a/internal/handlers/results.go
+++ b/internal/handlers/results.go
@@ -9,9 +9,8 @@ import (
 	"sort"
 	"strconv"

-	templateHelpers "synlotto-website/internal/helpers/template"
-
 	"synlotto-website/internal/helpers"
+	templateHelpers "synlotto-website/internal/helpers/template"
 	"synlotto-website/internal/http/middleware"
 	"synlotto-website/internal/models"
 )
@@ -20,7 +19,6 @@ func ResultsThunderball(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		ip, _, _ := net.SplitHostPort(r.RemoteAddr)
 		limiter := middleware.GetVisitorLimiter(ip)
-
 		if !limiter.Allow() {
 			http.Error(w, "Rate limit exceeded", http.StatusTooManyRequests)
 			return
@@ -46,7 +44,7 @@ func ResultsThunderball(db *sql.DB) http.HandlerFunc {
 		doSearch := isValidDate(query) || isValidNumber(query)

 		whereClause := "WHERE 1=1"
-		args := []interface{}{}
+		args := []any{}

 		if doSearch {
 			whereClause += " AND (draw_date = ? OR id = ?)"
@@ -65,7 +63,21 @@ func ResultsThunderball(db *sql.DB) http.HandlerFunc {
 			args = append(args, ballSetFilter)
 		}

-		totalPages, totalResults := templateHelpers.GetTotalPages(db, "results_thunderball", whereClause, args, pageSize)
+		// ✅ FIX: Proper GetTotalPages call with context + correct table name
+		totalPages, totalResults, err := templateHelpers.GetTotalPages(
+			r.Context(),
+			db,
+			"results_thunderball",
+			whereClause,
+			args,
+			pageSize,
+		)
+		if err != nil {
+			log.Println("❌ Pagination count error:", err)
+			http.Error(w, "Database error", http.StatusInternalServerError)
+			return
+		}
+
 		if page < 1 || page > totalPages {
 			http.NotFound(w, r)
 			return
@@ -79,7 +91,7 @@ func ResultsThunderball(db *sql.DB) http.HandlerFunc {
 			LIMIT ? OFFSET ?`
 		argsWithLimit := append(args, pageSize, offset)

-		rows, err := db.Query(querySQL, argsWithLimit...)
+		rows, err := db.QueryContext(r.Context(), querySQL, argsWithLimit...)
 		if err != nil {
 			http.Error(w, "Database error", http.StatusInternalServerError)
 			log.Println("❌ DB error:", err)
@@ -113,7 +125,7 @@ func ResultsThunderball(db *sql.DB) http.HandlerFunc {
 			noResultsMsg = "No results found for \"" + query + "\""
 		}

-		tmpl := templateHelpers.LoadTemplateFiles("thunderball.html", "web/templates/results/thunderball.html")
+		tmpl := templateHelpers.LoadTemplateFiles("layout.html", "web/templates/results/thunderball.html")

 		err = tmpl.ExecuteTemplate(w, "layout", map[string]interface{}{
 			"Results":       results,
--- a/internal/helpers/template/pagination.go
+++ b/internal/helpers/template/pagination.go
@@ -1,27 +1,72 @@
+// internal/helpers/pagination/pagination.go (move out of template/*)
 package templateHelper

 import (
+	"context"
 	"database/sql"
+	"fmt"
+	"time"
 )

-// ToDo: Sql shouldnt be here.
-func GetTotalPages(db *sql.DB, tableName, whereClause string, args []interface{}, pageSize int) (totalPages, totalCount int) {
-	query := "SELECT COUNT(*) FROM " + tableName + " " + whereClause
-	row := db.QueryRow(query, args...)
-	if err := row.Scan(&totalCount); err != nil {
-		return 1, 0
+// Whitelist
+var allowedTables = map[string]struct{}{
+	"user_messages":       {},
+	"user_notifications":  {},
+	"results_thunderball": {},
+}
+
+// GetTotalPages counts rows and returns (totalPages, totalCount).
+func GetTotalPages(ctx context.Context, db *sql.DB, table, whereClause string, args []any, pageSize int) (int, int64, error) {
+	if pageSize <= 0 {
+		pageSize = 20
 	}
-	totalPages = (totalCount + pageSize - 1) / pageSize
+	if _, ok := allowedTables[table]; !ok {
+		return 1, 0, fmt.Errorf("table not allowed: %s", table)
+	}
+
+	q := fmt.Sprintf("SELECT COUNT(*) FROM %s", table)
+	if whereClause != "" {
+		q += " WHERE " + whereClause
+	}
+
+	var totalCount int64
+	cctx, cancel := context.WithTimeout(ctx, 2*time.Second)
+	defer cancel()
+
+	if err := db.QueryRowContext(cctx, q, args...).Scan(&totalCount); err != nil {
+		return 1, 0, fmt.Errorf("count %s: %w", table, err)
+	}
+	totalPages := int((totalCount + int64(pageSize) - 1) / int64(pageSize))
 	if totalPages < 1 {
 		totalPages = 1
 	}
-	return totalPages, totalCount
+	return totalPages, totalCount, nil
 }

 func MakePageRange(current, total int) []int {
-	var pages []int
+	if total < 1 {
+		return []int{1}
+	}
+
+	pages := make([]int, 0, total)
 	for i := 1; i <= total; i++ {
 		pages = append(pages, i)
 	}
 	return pages
 }
+
+func ClampPage(p, total int) int {
+	if p < 1 {
+		return 1
+	}
+	if p > total {
+		return total
+	}
+	return p
+}
+func OffsetLimit(page, pageSize int) (int, int) {
+	if page < 1 {
+		page = 1
+	}
+	return (page - 1) * pageSize, pageSize
+}
--- a/internal/http/error/errors.go
+++ b/internal/http/error/errors.go
@@ -18,14 +18,9 @@ import (
 // using ONLY session data (no DB) so 404/500 pages don't crash and still
 // look "logged in" when a session exists.
 func RenderStatus(c *gin.Context, sessions *scs.SessionManager, status int) {
-	// Synthesize minimal TemplateData from session only
-	var data models.TemplateData
-
-	ctx := c.Request.Context()
-
-	// Read minimal user snapshot from session
-	var uid int64
-	if v := sessions.Get(ctx, sessionkeys.UserID); v != nil {
+	r := c.Request
+	uid := int64(0)
+	if v := sessions.Get(r.Context(), sessionkeys.UserID); v != nil {
 		switch t := v.(type) {
 		case int64:
 			uid = t
@@ -33,22 +28,22 @@ func RenderStatus(c *gin.Context, sessions *scs.SessionManager, status int) {
 			uid = int64(t)
 		}
 	}
+
+	// --- build minimal template data from session
+	var data models.TemplateData
 	if uid > 0 {
-		// username and is_admin are optional but make navbar correct
-		var uname string
-		if v := sessions.Get(ctx, sessionkeys.Username); v != nil {
+		uname := ""
+		if v := sessions.Get(r.Context(), sessionkeys.Username); v != nil {
 			if s, ok := v.(string); ok {
 				uname = s
 			}
 		}
-		var isAdmin bool
-		if v := sessions.Get(ctx, sessionkeys.IsAdmin); v != nil {
+		isAdmin := false
+		if v := sessions.Get(r.Context(), sessionkeys.IsAdmin); v != nil {
 			if b, ok := v.(bool); ok {
 				isAdmin = b
 			}
 		}
-
-		// Build a lightweight user; avoids DB lookups in error paths
 		data.User = &models.User{
 			Id:       uid,
 			Username: uname,
@@ -57,15 +52,11 @@ func RenderStatus(c *gin.Context, sessions *scs.SessionManager, status int) {
 		data.IsAdmin = isAdmin
 	}

-	// Turn into the template context map (adds site meta, funcs, etc.)
-	ctxMap := templateHelpers.TemplateContext(c.Writer, c.Request, data)
-
-	// Flash (SCS)
-	if f := sessions.PopString(ctx, sessionkeys.Flash); f != "" {
+	ctxMap := templateHelpers.TemplateContext(c.Writer, r, data)
+	if f := sessions.PopString(r.Context(), sessionkeys.Flash); f != "" {
 		ctxMap["Flash"] = f
 	}

-	// Template paths (layout-first)
 	pagePath := fmt.Sprintf("web/templates/error/%d.html", status)
 	if _, err := os.Stat(pagePath); err != nil {
 		c.String(status, http.StatusText(status))
@@ -86,11 +77,13 @@ func RenderStatus(c *gin.Context, sessions *scs.SessionManager, status int) {
 func NoRoute(sessions *scs.SessionManager) gin.HandlerFunc {
 	return func(c *gin.Context) { RenderStatus(c, sessions, http.StatusNotFound) }
 }
+
 func NoMethod(sessions *scs.SessionManager) gin.HandlerFunc {
 	return func(c *gin.Context) { RenderStatus(c, sessions, http.StatusMethodNotAllowed) }
 }
+
 func Recovery(sessions *scs.SessionManager) gin.RecoveryFunc {
-	return func(c *gin.Context, _ interface{}) {
+	return func(c *gin.Context, rec interface{}) {
 		RenderStatus(c, sessions, http.StatusInternalServerError)
 	}
 }
--- a/internal/http/middleware/errorlog.go
+++ b/internal/http/middleware/errorlog.go
@@ -0,0 +1,26 @@
+// internal/http/middleware/errorlog.go
+package middleware
+
+import (
+	"time"
+
+	"synlotto-website/internal/logging"
+
+	"github.com/gin-gonic/gin"
+)
+
+func ErrorLogger() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		start := time.Now()
+		c.Next()
+
+		if len(c.Errors) == 0 {
+			return
+		}
+		for _, e := range c.Errors {
+			logging.Info("❌ %s %s -> %d in %v: %v",
+				c.Request.Method, c.FullPath(), c.Writer.Status(),
+				time.Since(start), e.Err)
+		}
+	}
+}
--- a/internal/http/routes/accountroutes.go
+++ b/internal/http/routes/accountroutes.go
@@ -66,10 +66,13 @@ func RegisterAccountRoutes(app *bootstrap.App) {
 	messages.Use(middleware.AuthMiddleware(), middleware.RequireAuth())
 	{
 		messages.GET("/", msgH.List)
-		messages.GET("/add", msgH.AddGet)
-		messages.POST("/add", msgH.AddPost)
-		messages.GET("/archived", msgH.ArchivedList) // renders archived.html
-		messages.GET("/:id", msgH.ReadGet)           // renders read.html
+		messages.GET("/read", msgH.ReadGet)
+		messages.GET("/send", msgH.SendGet)
+		messages.POST("/send", msgH.SendPost)
+		messages.GET("/archive", msgH.ArchivedList) // view archived messages
+		messages.POST("/archive", msgH.ArchivePost) // archive a message
+		messages.POST("/restore", msgH.RestoreArchived)
+		messages.POST("/mark-read", msgH.MarkReadPost)
 	}

 	// Notifications (auth-required)
--- a/internal/models/message.go
+++ b/internal/models/message.go
@@ -0,0 +1,17 @@
+package models
+
+import (
+	"time"
+)
+
+type Message struct {
+	ID          int
+	SenderId    int
+	RecipientId int
+	Subject     string
+	Body        string
+	IsRead      bool
+	IsArchived  bool
+	CreatedAt   time.Time
+	ArchivedAt  *time.Time
+}
--- a/internal/models/notification.go
+++ b/internal/models/notification.go
@@ -0,0 +1,12 @@
+package models
+
+import "time"
+
+type Notification struct {
+	ID        int
+	UserId    int
+	Title     string
+	Body      string
+	IsRead    bool
+	CreatedAt time.Time
+}
--- a/internal/models/user.go
+++ b/internal/models/user.go
@@ -13,26 +13,3 @@ type User struct {
 	CreatedAt    time.Time
 	UpdatedAt    time.Time
 }
-
-// ToDo: should be in a notification model?
-type Notification struct {
-	ID        int
-	UserId    int
-	Title     string
-	Body      string
-	IsRead    bool
-	CreatedAt time.Time
-}
-
-// ToDo: should be in a message model?
-type Message struct {
-	ID          int
-	SenderId    int
-	RecipientId int
-	Subject     string
-	Body        string
-	IsRead      bool
-	IsArchived  bool
-	CreatedAt   time.Time
-	ArchivedAt  *time.Time
-}
--- a/internal/platform/bootstrap/loader.go
+++ b/internal/platform/bootstrap/loader.go
@@ -151,7 +151,7 @@ func Load(configPath string) (*App, error) {
 	srv := &http.Server{
 		Addr:              addr,
 		Handler:           handler,
-		ReadHeaderTimeout: 10 * time.Second, // ToDo: consider moving to config
+		ReadHeaderTimeout: cfg.HttpServer.ReadHeaderTimeout,
 	}

 	app.Handler = handler
--- a/internal/platform/config/types.go
+++ b/internal/platform/config/types.go
@@ -30,6 +30,8 @@

 package config

+import "time"
+
 // Config represents all runtime configuration for the application.
 // Loaded from JSON and passed into bootstrap for wiring platform components.
 type Config struct {
@@ -55,6 +57,7 @@ type Config struct {
 		Port              int           `json:"port"`
 		Address           string        `json:"address"`
 		ProductionMode    bool          `json:"productionMode"`    // controls Secure cookie flag
+		ReadHeaderTimeout time.Duration `json:"readHeaderTimeout"` // config in nanoseconds
 	} `json:"httpServer"`

 	// Remote licensing API service configuration
--- a/internal/platform/services/messages/service.go
+++ b/internal/platform/services/messages/service.go
@@ -8,9 +8,14 @@ import (
 	"context"
 	"database/sql"
 	"errors"
+	"fmt"
 	"time"

+	"synlotto-website/internal/logging"
+
 	domain "synlotto-website/internal/domain/messages"
+
+	"github.com/go-sql-driver/mysql"
 )

 // Service implements domain.Service.
@@ -42,9 +47,9 @@ func (s *Service) ListInbox(userID int64) ([]domain.Message, error) {
 	defer cancel()

 	q := `
-		SELECT id, from_email, to_email, subject, body, is_read, is_archived, created_at
-		FROM users_messages
-		WHERE user_id = ? AND is_archived = FALSE
+		SELECT id, senderId, recipientId, subject, body, is_read, is_archived, created_at
+		FROM user_messages
+		WHERE recipientId = ? AND is_archived = FALSE
 		ORDER BY created_at DESC`
 	q = s.bind(q)

@@ -57,7 +62,7 @@ func (s *Service) ListInbox(userID int64) ([]domain.Message, error) {
 	var out []domain.Message
 	for rows.Next() {
 		var m domain.Message
-		if err := rows.Scan(&m.ID, &m.From, &m.To, &m.Subject, &m.Body, &m.IsRead, &m.IsArchived, &m.CreatedAt); err != nil {
+		if err := rows.Scan(&m.ID, &m.SenderId, &m.RecipientId, &m.Subject, &m.Body, &m.IsRead, &m.IsArchived, &m.CreatedAt); err != nil {
 			return nil, err
 		}
 		out = append(out, m)
@@ -71,9 +76,10 @@ func (s *Service) ListArchived(userID int64) ([]domain.Message, error) {
 	defer cancel()

 	q := `
-		SELECT id, from_email, to_email, subject, body, is_read, is_archived, created_at
-		FROM users_messages
-		WHERE user_id = ? AND is_archived = TRUE
+		SELECT id, senderId, recipientId, subject, body,
+		       is_read, is_archived, created_at, archived_at
+		FROM user_messages
+		WHERE recipientId = ? AND is_archived = TRUE
 		ORDER BY created_at DESC`
 	q = s.bind(q)

@@ -86,11 +92,32 @@ func (s *Service) ListArchived(userID int64) ([]domain.Message, error) {
 	var out []domain.Message
 	for rows.Next() {
 		var m domain.Message
-		if err := rows.Scan(&m.ID, &m.From, &m.To, &m.Subject, &m.Body, &m.IsRead, &m.IsArchived, &m.CreatedAt); err != nil {
+		var archived sql.NullTime
+
+		if err := rows.Scan(
+			&m.ID,
+			&m.SenderId,
+			&m.RecipientId,
+			&m.Subject,
+			&m.Body,
+			&m.IsRead,
+			&m.IsArchived,
+			&m.CreatedAt,
+			&archived,
+		); err != nil {
 			return nil, err
 		}
+
+		if archived.Valid {
+			t := archived.Time
+			m.ArchivedAt = &t
+		} else {
+			m.ArchivedAt = nil
+		}
+
 		out = append(out, m)
 	}
+
 	return out, rows.Err()
 }

@@ -99,14 +126,14 @@ func (s *Service) GetByID(userID, id int64) (*domain.Message, error) {
 	defer cancel()

 	q := `
-		SELECT id, from_email, to_email, subject, body, is_read, is_archived, created_at
-		FROM users_messages
-		WHERE user_id = ? AND id = ?`
+		SELECT id, senderId, recipientId, subject, body, is_read, is_archived, created_at
+		FROM user_messages
+		WHERE recipientId = ? AND id = ?`
 	q = s.bind(q)

 	var m domain.Message
 	err := s.DB.QueryRowContext(ctx, q, userID, id).
-		Scan(&m.ID, &m.From, &m.To, &m.Subject, &m.Body, &m.IsRead, &m.IsArchived, &m.CreatedAt)
+		Scan(&m.ID, &m.SenderId, &m.RecipientId, &m.Subject, &m.Body, &m.IsRead, &m.IsArchived, &m.CreatedAt)
 	if errors.Is(err, sql.ErrNoRows) {
 		return nil, nil
 	}
@@ -116,34 +143,65 @@ func (s *Service) GetByID(userID, id int64) (*domain.Message, error) {
 	return &m, nil
 }

-func (s *Service) Create(userID int64, in domain.CreateMessageInput) (int64, error) {
+func (s *Service) Create(senderID int64, in domain.CreateMessageInput) (int64, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), s.Timeout)
 	defer cancel()

-	switch s.Dialect {
-	case "postgres":
+	// ✅ make sure this matches your current table/column names
 	const q = `
-			INSERT INTO messages (user_id, from_email, to_email, subject, body, is_read, is_archived, created_at)
-			VALUES ($1, $2, $3, $4, $5, FALSE, FALSE, NOW())
-			RETURNING id`
-		var id int64
-		if err := s.DB.QueryRowContext(ctx, q, userID, "", in.To, in.Subject, in.Body).Scan(&id); err != nil {
-			return 0, err
-		}
-		return id, nil
-	default: // mysql/sqlite
-		const q = `
-			INSERT INTO messages (user_id, from_email, to_email, subject, body, is_read, is_archived, created_at)
-			VALUES (?, ?, ?, ?, ?, FALSE, FALSE, CURRENT_TIMESTAMP)`
-		res, err := s.DB.ExecContext(ctx, q, userID, "", in.To, in.Subject, in.Body)
+		INSERT INTO user_messages
+			(senderId, recipientId, subject, body, is_read, is_archived, created_at)
+		VALUES
+			(?, ?, ?, ?, 0, 0, CURRENT_TIMESTAMP)
+	`
+
+	// 👀 Log the SQL and arguments (truncate body in logs if you prefer)
+	logging.Info("🧪 SQL Exec: %s | args: senderId=%d recipientId=%d subject=%q body_len=%d", compactSQL(q), senderID, in.RecipientID, in.Subject, len(in.Body))
+
+	res, err := s.DB.ExecContext(ctx, q, senderID, in.RecipientID, in.Subject, in.Body)
 	if err != nil {
-			return 0, err
+		// Surface MySQL code/message (very helpful for FK #1452 etc.)
+		var me *mysql.MySQLError
+		if errors.As(err, &me) {
+			wrapped := fmt.Errorf("insert user_messages: mysql #%d %s | args(senderId=%d, recipientId=%d, subject=%q, body_len=%d)",
+				me.Number, me.Message, senderID, in.RecipientID, in.Subject, len(in.Body))
+			logging.Info("❌ %v", wrapped)
+			return 0, wrapped
 		}
-		return res.LastInsertId()
+		wrapped := fmt.Errorf("insert user_messages: %w | args(senderId=%d, recipientId=%d, subject=%q, body_len=%d)",
+			err, senderID, in.RecipientID, in.Subject, len(in.Body))
+		logging.Info("❌ %v", wrapped)
+		return 0, wrapped
 	}
+
+	id, err := res.LastInsertId()
+	if err != nil {
+		wrapped := fmt.Errorf("lastInsertId user_messages: %w", err)
+		logging.Info("❌ %v", wrapped)
+		return 0, wrapped
+	}
+
+	logging.Info("✅ Inserted message id=%d", id)
+	return id, nil
+}
+
+func compactSQL(s string) string {
+	out := make([]rune, 0, len(s))
+	space := false
+	for _, r := range s {
+		if r == '\n' || r == '\t' || r == '\r' || r == ' ' {
+			if !space {
+				out = append(out, ' ')
+				space = true
+			}
+			continue
+		}
+		space = false
+		out = append(out, r)
+	}
+	return string(out)
 }

-// bind replaces '?' with '$1..' only for Postgres. For MySQL/SQLite it returns q unchanged.
 func (s *Service) bind(q string) string {
 	if s.Dialect != "postgres" {
 		return q
@@ -162,7 +220,28 @@ func (s *Service) bind(q string) string {
 	return string(out)
 }

-// ToDo: helper dont think it should be here.
+func (s *Service) Archive(userID, id int64) error {
+	ctx, cancel := context.WithTimeout(context.Background(), s.Timeout)
+	defer cancel()
+
+	q := `
+        UPDATE user_messages
+        SET is_archived = 1, archived_at = CURRENT_TIMESTAMP
+        WHERE id = ? AND recipientId = ?
+    `
+	q = s.bind(q)
+
+	res, err := s.DB.ExecContext(ctx, q, id, userID)
+	if err != nil {
+		return err
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		return sql.ErrNoRows
+	}
+	return nil
+}
+
 func intToStr(n int) string {
 	if n == 0 {
 		return "0"
@@ -176,3 +255,47 @@ func intToStr(n int) string {
 	}
 	return string(b[i:])
 }
+
+func (s *Service) Unarchive(userID, id int64) error {
+	ctx, cancel := context.WithTimeout(context.Background(), s.Timeout)
+	defer cancel()
+
+	q := `
+        UPDATE user_messages
+        SET is_archived = 0, archived_at = NULL
+        WHERE id = ? AND recipientId = ?
+    `
+	q = s.bind(q)
+
+	res, err := s.DB.ExecContext(ctx, q, id, userID)
+	if err != nil {
+		return err
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		return sql.ErrNoRows
+	}
+	return nil
+}
+
+func (s *Service) MarkRead(userID, id int64) error {
+	ctx, cancel := context.WithTimeout(context.Background(), s.Timeout)
+	defer cancel()
+
+	q := `
+        UPDATE user_messages
+        SET is_read = 1
+        WHERE id = ? AND recipientId = ?
+    `
+	q = s.bind(q)
+
+	res, err := s.DB.ExecContext(ctx, q, id, userID)
+	if err != nil {
+		return err
+	}
+	n, _ := res.RowsAffected()
+	if n == 0 {
+		return sql.ErrNoRows
+	}
+	return nil
+}
--- a/internal/platform/services/notifications/service.go
+++ b/internal/platform/services/notifications/service.go
@@ -35,14 +35,15 @@ func New(db *sql.DB, opts ...func(*Service)) *Service {
 func WithTimeout(d time.Duration) func(*Service) { return func(s *Service) { s.Timeout = d } }

 // List returns newest-first notifications for a user.
+// ToDo:table is users_notification, where as messages is plural, this table seems oto use user_id reather than userId need to unify. Do i want to prefix with users/user
 func (s *Service) List(userID int64) ([]domain.Notification, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), s.Timeout)
 	defer cancel()

 	const q = `
 SELECT id, title, body, is_read, created_at
-FROM notifications
-WHERE user_id = ?
+FROM users_notification
+WHERE user_Id = ?
 ORDER BY created_at DESC`

 	rows, err := s.DB.QueryContext(ctx, q, userID)
@@ -69,7 +70,7 @@ func (s *Service) GetByID(userID, id int64) (*domain.Notification, error) {
 	const q = `
 SELECT id, title, body, is_read, created_at
 FROM notifications
-WHERE user_id = ? AND id = ?`
+WHERE userId = ? AND id = ?`

 	var n domain.Notification
 	err := s.DB.QueryRowContext(ctx, q, userID, id).
--- a/internal/storage/messages/create.go
+++ b/internal/storage/messages/create.go
@@ -4,10 +4,10 @@ import (
 	"database/sql"
 )

-func SendMessage(db *sql.DB, senderID, recipientID int, subject, message string) error {
+func SendMessage(db *sql.DB, senderID, recipientID int, subject, body string) error {
 	_, err := db.Exec(`
-		INSERT INTO users_messages (senderId, recipientId, subject, message)
+		INSERT INTO user_messages (senderId, recipientId, subject, body)
 		VALUES (?, ?, ?, ?)
-	`, senderID, recipientID, subject, message)
+	`, senderID, recipientID, subject, body)
 	return err
 }
--- a/internal/storage/messages/read.go
+++ b/internal/storage/messages/read.go
@@ -9,7 +9,7 @@ import (
 func GetMessageCount(db *sql.DB, userID int) (int, error) {
 	var count int
 	err := db.QueryRow(`
-		SELECT COUNT(*) FROM users_messages 
+		SELECT COUNT(*) FROM user_messages 
 		WHERE recipientId = ? AND is_read = FALSE AND is_archived = FALSE
 	`, userID).Scan(&count)
 	return count, err
@@ -17,8 +17,8 @@ func GetMessageCount(db *sql.DB, userID int) (int, error) {

 func GetRecentMessages(db *sql.DB, userID int, limit int) []models.Message {
 	rows, err := db.Query(`
-		SELECT id, senderId, recipientId, subject, message, is_read, created_at
-		FROM users_messages
+		SELECT id, senderId, recipientId, subject, body, is_read, created_at
+		FROM user_messages
 		WHERE recipientId = ? AND is_archived = FALSE
 		ORDER BY created_at DESC
 		LIMIT ?
@@ -36,7 +36,7 @@ func GetRecentMessages(db *sql.DB, userID int, limit int) []models.Message {
 			&m.SenderId,
 			&m.RecipientId,
 			&m.Subject,
-			&m.Message,
+			&m.Body,
 			&m.IsRead,
 			&m.CreatedAt,
 		)
@@ -49,13 +49,13 @@ func GetRecentMessages(db *sql.DB, userID int, limit int) []models.Message {

 func GetMessageByID(db *sql.DB, userID, messageID int) (*models.Message, error) {
 	row := db.QueryRow(`
-		SELECT id, senderId, recipientId, subject, message, is_read, created_at
-		FROM users_messages
+		SELECT id, senderId, recipientId, subject, body, is_read, created_at
+		FROM user_messages
 		WHERE id = ? AND recipientId = ?
 	`, messageID, userID)

 	var m models.Message
-	err := row.Scan(&m.ID, &m.SenderId, &m.RecipientId, &m.Subject, &m.Message, &m.IsRead, &m.CreatedAt)
+	err := row.Scan(&m.ID, &m.SenderId, &m.RecipientId, &m.Subject, &m.Body, &m.IsRead, &m.CreatedAt)
 	if err != nil {
 		return nil, err
 	}
@@ -65,8 +65,8 @@ func GetMessageByID(db *sql.DB, userID, messageID int) (*models.Message, error)
 func GetArchivedMessages(db *sql.DB, userID int, page, perPage int) []models.Message {
 	offset := (page - 1) * perPage
 	rows, err := db.Query(`
-		SELECT id, senderId, recipientId, subject, message, is_read, created_at, archived_at
-		FROM users_messages
+		SELECT id, senderId, recipientId, subject, body, is_read, created_at, archived_at
+		FROM user_messages
 		WHERE recipientId = ? AND is_archived = TRUE
 		ORDER BY archived_at DESC
 		LIMIT ? OFFSET ?
@@ -81,7 +81,7 @@ func GetArchivedMessages(db *sql.DB, userID int, page, perPage int) []models.Mes
 		var m models.Message
 		err := rows.Scan(
 			&m.ID, &m.SenderId, &m.RecipientId,
-			&m.Subject, &m.Message, &m.IsRead,
+			&m.Subject, &m.Body, &m.IsRead,
 			&m.CreatedAt, &m.ArchivedAt,
 		)
 		if err == nil {
@@ -94,8 +94,8 @@ func GetArchivedMessages(db *sql.DB, userID int, page, perPage int) []models.Mes
 func GetInboxMessages(db *sql.DB, userID int, page, perPage int) []models.Message {
 	offset := (page - 1) * perPage
 	rows, err := db.Query(`
-		SELECT id, senderId, recipientId, subject, message, is_read, created_at
-		FROM users_messages
+		SELECT id, senderId, recipientId, subject, body, is_read, created_at
+		FROM user_messages
 		WHERE recipientId = ? AND is_archived = FALSE
 		ORDER BY created_at DESC
 		LIMIT ? OFFSET ?
@@ -110,7 +110,7 @@ func GetInboxMessages(db *sql.DB, userID int, page, perPage int) []models.Messag
 		var m models.Message
 		err := rows.Scan(
 			&m.ID, &m.SenderId, &m.RecipientId,
-			&m.Subject, &m.Message, &m.IsRead, &m.CreatedAt,
+			&m.Subject, &m.Body, &m.IsRead, &m.CreatedAt,
 		)
 		if err == nil {
 			messages = append(messages, m)
@@ -122,7 +122,7 @@ func GetInboxMessages(db *sql.DB, userID int, page, perPage int) []models.Messag
 func GetInboxMessageCount(db *sql.DB, userID int) int {
 	var count int
 	err := db.QueryRow(`
-		SELECT COUNT(*) FROM users_messages
+		SELECT COUNT(*) FROM user_messages
 		WHERE recipientId = ? AND is_archived = FALSE
 	`, userID).Scan(&count)
 	if err != nil {
--- a/internal/storage/messages/update.go
+++ b/internal/storage/messages/update.go
@@ -7,7 +7,7 @@ import (

 func ArchiveMessage(db *sql.DB, userID, messageID int) error {
 	_, err := db.Exec(`
-		UPDATE users_messages
+		UPDATE user_messages
 		SET is_archived = TRUE, archived_at = CURRENT_TIMESTAMP
 		WHERE id = ? AND recipientId = ?
 	`, messageID, userID)
@@ -16,7 +16,7 @@ func ArchiveMessage(db *sql.DB, userID, messageID int) error {

 func MarkMessageAsRead(db *sql.DB, messageID, userID int) error {
 	result, err := db.Exec(`
-		UPDATE users_messages
+		UPDATE user_messages
 		SET is_read = TRUE
 		WHERE id = ? AND recipientId = ?
 	`, messageID, userID)
@@ -36,7 +36,7 @@ func MarkMessageAsRead(db *sql.DB, messageID, userID int) error {

 func RestoreMessage(db *sql.DB, userID, messageID int) error {
 	_, err := db.Exec(`
-		UPDATE users_messages
+		UPDATE user_messages
 		SET is_archived = FALSE, archived_at = NULL
 		WHERE id = ? AND recipientId = ?
 	`, messageID, userID)
--- a/internal/storage/migrations/0001_initial_create.up.sql
+++ b/internal/storage/migrations/0001_initial_create.up.sql
@@ -140,20 +140,20 @@ CREATE TABLE IF NOT EXISTS my_tickets (
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

 -- USERS MESSAGES
-CREATE TABLE IF NOT EXISTS users_messages (
+CREATE TABLE IF NOT EXISTS user_messages (
  id           BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  senderId     BIGINT UNSIGNED NOT NULL,
  recipientId  BIGINT UNSIGNED NOT NULL,
  subject      VARCHAR(255) NOT NULL,
-  message      MEDIUMTEXT,
+  body      MEDIUMTEXT,
  is_read      TINYINT(1) NOT NULL DEFAULT 0,
  is_archived  TINYINT(1) NOT NULL DEFAULT 0,
  created_at   DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
  archived_at  DATETIME NULL,
-  CONSTRAINT fk_users_messages_sender
+  CONSTRAINT fk_user_messages_sender
    FOREIGN KEY (senderId) REFERENCES users(id)
      ON UPDATE CASCADE ON DELETE CASCADE,
-  CONSTRAINT fk_users_messages_recipient
+  CONSTRAINT fk_user_messages_recipient
    FOREIGN KEY (recipientId) REFERENCES users(id)
      ON UPDATE CASCADE ON DELETE CASCADE
 ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
--- a/internal/storage/notifications/read.go
+++ b/internal/storage/notifications/read.go
@@ -16,7 +16,7 @@ func GetNotificationByID(db *sql.DB, userID, notificationID int) (*models.Notifi
 	`, notificationID, userID)

 	var n models.Notification
-	err := row.Scan(&n.ID, &n.UserId, &n.Subject, &n.Body, &n.IsRead)
+	err := row.Scan(&n.ID, &n.UserId, &n.Title, &n.Body, &n.IsRead)
 	if err != nil {
 		return nil, err
 	}
@@ -27,7 +27,7 @@ func GetNotificationCount(db *sql.DB, userID int) int {
 	var count int
 	err := db.QueryRow(`
 		SELECT COUNT(*) FROM users_notification
-		WHERE user_id = ? AND is_read = FALSE`, userID).Scan(&count)
+		WHERE user_Id = ? AND is_read = FALSE`, userID).Scan(&count)

 	if err != nil {
 		log.Println("⚠️ Failed to count notifications:", err)
@@ -41,7 +41,7 @@ func GetRecentNotifications(db *sql.DB, userID int, limit int) []models.Notifica
 	rows, err := db.Query(`
 		SELECT id, subject, body, is_read, created_at
 		FROM users_notification
-		WHERE user_id = ?
+		WHERE user_Id = ?
 		ORDER BY created_at DESC
 		LIMIT ?`, userID, limit)
 	if err != nil {
@@ -54,7 +54,7 @@ func GetRecentNotifications(db *sql.DB, userID int, limit int) []models.Notifica

 	for rows.Next() {
 		var n models.Notification
-		if err := rows.Scan(&n.ID, &n.Subject, &n.Body, &n.IsRead, &n.CreatedAt); err == nil {
+		if err := rows.Scan(&n.ID, &n.Title, &n.Body, &n.IsRead, &n.CreatedAt); err == nil {
 			notifications = append(notifications, n)
 		}
 	}
--- a/web/templates/account/messages/archived.html
+++ b/web/templates/account/messages/archived.html
@@ -7,30 +7,37 @@
      <div class="card mb-3">
        <div class="card-body">
          <h5 class="card-title">{{ .Subject }}</h5>
-          <p class="card-text">{{ .Message }}</p>
+          <p class="card-text">{{ .Body }}</p>
          <p class="card-text">
-            <small class="text-muted">Archived: {{ .ArchivedAt.Format "02 Jan 2006 15:04" }}</small>
+            <small class="text-muted">
+              Archived:
+              {{ with .ArchivedAt }}
+                {{ .Format "02 Jan 2006 15:04" }}
+              {{ else }}
+                —
+              {{ end }}
+            </small>
          </p>
-        </div>
-      </div>
          <form method="POST" action="/account/messages/restore" class="m-0">
-        {{ $.CSRFField }}
+            <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">
            <input type="hidden" name="id" value="{{ .ID }}">
            <button type="submit" class="btn btn-sm btn-outline-success">Restore</button>
          </form>
+        </div>
+      </div>
    {{ end }}

-    <!-- Pagination Controls -->
+    <!-- Pagination Controls (keep if your funcs exist) -->
  <nav>
    <ul class="pagination">
-        {{ if gt .Page 1 }}
+      {{ if gt .CurrentPage 1 }}
        <li class="page-item">
-          <a class="page-link" href="?page={{ minus1 .Page }}">Previous</a>
+          <a class="page-link" href="?page={{ sub .CurrentPage 1 }}">Previous</a>
        </li>
      {{ end }}
-        {{ if .HasMore }}
+      {{ if lt .CurrentPage .TotalPages }}
        <li class="page-item">
-          <a class="page-link" href="?page={{ plus1 .Page }}">Next</a>
+          <a class="page-link" href="?page={{ add .CurrentPage 1 }}">Next</a>
        </li>
      {{ end }}
    </ul>
--- a/web/templates/account/messages/index.html
+++ b/web/templates/account/messages/index.html
@@ -1,26 +1,42 @@
 {{ define "content" }}
-<!-- Todo lists messages but doesn't show which ones have been read and unread-->
 <div class="container py-5">
  <h2>Your Inbox</h2>
+
  {{ if .Messages }}
    <ul class="list-group mb-4">
      {{ range .Messages }}
-    <li class="list-group-item d-flex justify-content-between align-items-center">
+        <li class="list-group-item d-flex justify-content-between align-items-center {{ if .IsRead }}read{{ end }}" data-msg-id="{{ .ID }}">
          <div>
-        <a href="/account/messages/read?id={{ .ID }}" class="fw-bold text-dark">{{ .Subject }}</a>
-        <br>
+            <a href="/account/messages/read?id={{ .ID }}" class="fw-bold text-dark">{{ .Subject }}</a><br>
            <small class="text-muted">{{ .CreatedAt.Format "02 Jan 2006 15:04" }}</small>
          </div>
-      <form method="POST" action="/account/messages/archive?id={{ .ID }}" class="m-0">
-        {{ $.CSRFField }}
+
+          <div class="d-flex gap-2 align-items-center">
+
+            {{/* Archive form (existing) */}}
+            <form method="POST" action="/account/messages/archive" class="m-0">
+              <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">
              <input type="hidden" name="id" value="{{ .ID }}">
              <button type="submit" class="btn btn-sm btn-outline-secondary">Archive</button>
            </form>
+
+            {{/* Mark-read: only show when unread */}}
+            {{ if not .IsRead }}
+              <!-- Non-AJAX fallback form (submit will refresh) -->
+              <form method="POST" action="/account/messages/mark-read" class="m-0 d-inline-block mark-read-form">
+                <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">
+                <input type="hidden" name="id" value="{{ .ID }}">
+                <button type="submit" class="btn btn-sm btn-outline-primary mark-read-btn"
+                        data-msg-id="{{ .ID }}"
+                        data-csrf="{{ $.CSRFToken }}">Mark read</button>
+              </form>
+            {{ end }}
+          </div>
        </li>
      {{ end }}
    </ul>
-<!-- Pagination -->
-<nav>
+
+    <nav>
      <ul class="pagination">
        {{ if gt .CurrentPage 1 }}
        <li class="page-item">
@@ -40,16 +56,84 @@
        </li>
        {{ end }}
      </ul>
-</nav>
-
-
+    </nav>
  {{ else }}
-  <div class="alert alert-info">No messages found.</div>
+    <div class="alert alert-info text-center">No messages found.</div>
  {{ end }}

  <div class="mt-3">
    <a href="/account/messages/send" class="btn btn-primary">Compose Message</a>
-    <a href="/account/messages/archived" class="btn btn-outline-secondary ms-2">View Archived</a>
+    <a href="/account/messages/archive" class="btn btn-outline-secondary ms-2">View Archived</a>
  </div>
 </div>
+
+{{/* AJAX enhancement: unobtrusive — safe fallback to regular form when JS disabled */}}
+<script>
+;(function(){
+  // Ensure browser supports fetch + FormData; otherwise we fallback to regular form submit.
+  if (!window.fetch || !window.FormData) return;
+
+  // Helper to decrement topbar message count badge (assumes badge element id="message-count")
+  function decrementMessageCount() {
+    var el = document.getElementById('message-count');
+    if (!el) return;
+    var current = parseInt(el.textContent || el.innerText || '0', 10) || 0;
+    var next = Math.max(0, current - 1);
+    if (next <= 0) {
+      // remove badge or hide it
+      el.remove();
+    } else {
+      el.textContent = String(next);
+    }
+  }
+
+  // Handle clicks on mark-read buttons, submit via fetch, update DOM
+  document.addEventListener('click', function(e){
+    var btn = e.target.closest('.mark-read-btn');
+    if (!btn) return;
+
+    // Prevent the default form POST (non-AJAX fallback)
+    e.preventDefault();
+
+    var msgID = btn.dataset.msgId;
+    var csrf  = btn.dataset.csrf;
+
+    if (!msgID) {
+      // fallback to normal submit if something's wrong
+      var frm = btn.closest('form');
+      if (frm) frm.submit();
+      return;
+    }
+
+    // Build urlencoded body like a regular form
+    var body = new URLSearchParams();
+    body.append('id', msgID);
+    if (csrf) body.append('csrf_token', csrf);
+
+    fetch('/account/messages/mark-read', {
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/x-www-form-urlencoded'
+      },
+      body: body.toString(),
+      credentials: 'same-origin'
+    }).then(function(resp){
+      if (resp.ok) {
+        // UI update: remove the mark-read button, give item a .read class, update topbar count
+        var li = document.querySelector('li[data-msg-id="' + msgID + '"]');
+        if (li) {
+          li.classList.add('read');
+          // remove any mark-read form/button inside
+          var form = li.querySelector('.mark-read-form');
+          if (form) form.remove();
+        }
+        decrementMessageCount();
+      } else {
+        // If server returned non-2xx, fall back to full reload to show flash
+        resp.text().then(function(){ window.location.reload(); }).catch(function(){ window.location.reload(); });
+      }
+    }).catch(function(){ window.location.reload(); });
+  }, false);
+})();
+</script>
 {{ end }}
--- a/web/templates/account/messages/read.html
+++ b/web/templates/account/messages/read.html
@@ -4,12 +4,65 @@
    <h2>{{ .Message.Subject }}</h2>
    <p class="text-muted">Received: {{ .Message.CreatedAt.Format "02 Jan 2006 15:04" }}</p>
    <hr>
-    <p>{{ .Message.Message }}</p>
-    <a href="/account/messages" class="btn btn-secondary mt-4">Back to Inbox</a> <a href="/account/messages/archive?id={{ .Message.ID }}" class="btn btn-outline-danger mt-3">Archive</a>
+    <p>{{ .Message.Body }}</p>
+
+    <div class="mt-4">
+      <button id="mark-read-btn" data-id="{{ .Message.ID }}" class="btn btn-outline-success">Mark As Read</button>
+
+      <form method="POST" action="/account/messages/archive" class="d-inline">
+        <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">
+        <input type="hidden" name="id" value="{{ .Message.ID }}">
+        <button type="submit" class="btn btn-outline-danger">Archive</button>
+      </form>
+
+      <a href="/account/messages" class="btn btn-secondary">Back to Inbox</a>
+    </div>
  {{ else }}
    <div class="alert alert-danger text-center">
      Message not found or access denied.
    </div>
  {{ end }}
 </div>
+
+<script>
+document.addEventListener("DOMContentLoaded", function () {
+  const btn = document.getElementById("mark-read-btn");
+  if (!btn) return;
+
+  btn.addEventListener("click", async function () {
+    const id = this.dataset.id;
+    const res = await fetch("/account/messages/mark-read", {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: new URLSearchParams({
+        id: id,
+        csrf_token: "{{ $.CSRFToken }}"
+      })
+    });
+
+    if (res.ok) {
+      this.classList.remove("btn-outline-success");
+      this.classList.add("btn-success");
+      this.textContent = "Marked As Read ✔";
+
+      const badge = document.getElementById("message-count");
+      if (badge) {
+        let count = parseInt(badge.textContent);
+        if (!isNaN(count)) {
+          count = Math.max(count - 1, 0);
+          if (count === 0) {
+            badge.remove();
+          } else {
+            badge.textContent = count;
+          }
+        }
+      }
+    } else {
+      alert("Failed to mark as read.");
+    }
+  });
+});
+</script>
 {{ end }}
--- a/web/templates/account/messages/send.html
+++ b/web/templates/account/messages/send.html
@@ -1,24 +1,32 @@
 {{ define "content" }}
 <div class="container py-5">
  <h2>Send a Message</h2>
+
  {{ if .Flash }}
    <div class="alert alert-info">{{ .Flash }}</div>
  {{ end }}
+  {{ if .Error }}
+    <div class="alert alert-danger">{{ .Error }}</div>
+  {{ end }}

  <form method="POST" action="/account/messages/send">
-    {{ .CSRFField }}
+    <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
+
    <div class="mb-3">
-      <label for="recipient_id" class="form-label">Recipient User ID</label>
-      <input type="number" class="form-control" name="recipient_id" required>
+      <label for="recipientId" class="form-label">Recipient User ID</label>
+      <input type="number" class="form-control" name="recipientId" value="{{ with .Form }}{{ .RecipientID }}{{ end }}" required>
    </div>
+
    <div class="mb-3">
      <label for="subject" class="form-label">Subject</label>
-      <input type="text" class="form-control" name="subject" required>
+      <input type="text" class="form-control" name="subject" value="{{ with .Form }}{{ .Subject }}{{ end }}" required>
    </div>
+
    <div class="mb-3">
-      <label for="message" class="form-label">Message</label>
-      <textarea class="form-control" name="message" rows="5" required></textarea>
+      <label for="body" class="form-label">Message</label>
+      <textarea class="form-control" name="body" rows="5" required>{{ with .Form }}{{ .Body }}{{ end }}</textarea>
    </div>
+
    <button type="submit" class="btn btn-primary">Send</button>
  </form>

--- a/web/templates/account/tickets/add_ticket.html
+++ b/web/templates/account/tickets/add_ticket.html
@@ -3,7 +3,7 @@
 <h2>Log My Ticket</h2>

 <form method="POST" action="/account/tickets/add_ticket" enctype="multipart/form-data" id="ticketForm">
-  {{ .csrfField }}
+ <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">

  <div class="form-section">
    <label>Game:
@@ -49,7 +49,7 @@
  </div>

  <div id="ticketLinesContainer">
-    <!-- JS will insert ticket lines here -->
+    <!-- todo, maybe ajax so it doesnt refresh?-->
  </div>

  <div class="form-section">
--- a/web/templates/main/footer.html
+++ b/web/templates/main/footer.html
@@ -13,7 +13,7 @@
    <a href="/legal/terms">Terms & Conditions</a> |
    <a href="/contact">Contact Us</a>
    <br>
-    The content and operations of this website have not been approved or endorsed by {{ $lotteryOperator }} or the {{ $commisionName }}.
+   
  </small>
 </footer>
 {{ end }}
--- a/web/templates/main/topbar.html
+++ b/web/templates/main/topbar.html
@@ -31,7 +31,8 @@
          aria-expanded="false">
          <i class="bi bi-bell fs-5 position-relative">
            {{ if gt .NotificationCount 0 }}
-            <span class="position-absolute top-0 start-0 translate-middle badge rounded-pill bg-warning text-dark badge-small">
+            <span id="notification-count"
+              class="position-absolute top-0 start-0 translate-middle badge rounded-pill bg-warning text-dark badge-small">
              {{ if gt .NotificationCount 15 }}15+{{ else }}{{ .NotificationCount }}{{ end }}
            </span>
            {{ end }}
@@ -41,7 +42,6 @@
          aria-labelledby="notificationDropdown">
          <li class="dropdown-header text-center fw-bold">Notifications</li>
          <li><hr class="dropdown-divider"></li>
-
          {{ $total := len .Notifications }}
          {{ range $i, $n := .Notifications }}
          <li class="px-3 py-2">
@@ -55,15 +55,11 @@
              </div>
            </a>
          </li>
-          {{ if lt (add $i 1) $total }}
-          <li><hr class="dropdown-divider"></li>
+          {{ if lt (add $i 1) $total }}<li><hr class="dropdown-divider"></li>{{ end }}
          {{ end }}
-          {{ end }}
-
          {{ if not .Notifications }}
          <li class="text-center text-muted py-2">No notifications</li>
          {{ end }}
-
          <li><hr class="dropdown-divider"></li>
          <li class="text-center"><a href="/account/notifications" class="dropdown-item">View all notifications</a></li>
        </ul>
@@ -75,7 +71,8 @@
          aria-expanded="false">
          <i class="bi bi-envelope fs-5 position-relative">
            {{ if gt .MessageCount 0 }}
-            <span class="position-absolute top-0 start-0 translate-middle badge rounded-pill bg-danger text-dark badge-small">
+            <span id="message-count"
+              class="position-absolute top-0 start-0 translate-middle badge rounded-pill bg-danger text-dark badge-small">
              {{ if gt .MessageCount 15 }}15+{{ else }}{{ .MessageCount }}{{ end }}
            </span>
            {{ end }}
@@ -85,7 +82,6 @@
          aria-labelledby="messageDropdown">
          <li class="dropdown-header text-center fw-bold">Messages</li>
          <li><hr class="dropdown-divider"></li>
-
          {{ if .Messages }}
            {{ range $i, $m := .Messages }}
            <li class="px-3 py-2">
@@ -94,7 +90,7 @@
                  <i class="bi bi-person-circle me-2 fs-4 text-secondary"></i>
                  <div>
                    <div class="fw-semibold">{{ $m.Subject }}</div>
-                    <small class="text-muted">{{ truncate $m.Message 40 }}</small>
+                    <small class="text-muted">{{ truncate $m.Body 40 }}</small>
                  </div>
                </div>
              </a>
@@ -103,15 +99,15 @@
          {{ else }}
            <li class="text-center text-muted py-2">No messages</li>
          {{ end }}
-
          <li><hr class="dropdown-divider"></li>
          <li class="text-center"><a href="/account/messages" class="dropdown-item">View all messages</a></li>
        </ul>
      </div>

-      <!-- User Greeting/Dropdown -->
+      <!-- User Dropdown -->
      <div class="dropdown">
-        <a class="nav-link dropdown-toggle text-dark" href="#" id="userDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false">
+        <a class="nav-link dropdown-toggle text-dark" href="#" id="userDropdown" role="button"
+           data-bs-toggle="dropdown" aria-expanded="false">
          Hello, {{ .User.Username }}
        </a>
        <ul class="dropdown-menu dropdown-menu-end shadow-sm" aria-labelledby="userDropdown">
Author	SHA1	Message	Date
H3ALY	cc759ec694	Fix csrf	2025-11-02 09:50:50 +00:00
H3ALY	f0fc70eac6	Add in mark as reaad button to list view, use ajax to preform the action without page refresh.	2025-11-02 09:11:48 +00:00
H3ALY	61ad033520	Fix archiving and unarchiving functionality.	2025-11-01 22:37:47 +00:00
H3ALY	9dc01f925a	Changes to pagination and fixing archive messages in progress	2025-10-31 22:55:04 +00:00
H3ALY	8529116ad2	Messages now sending/loading and populating on message dropdown	2025-10-31 12:08:38 +00:00
H3ALY	776ea53a66	Formatting	2025-10-31 12:00:43 +00:00
H3ALY	5880d1ca43	Fix reading of messages.	2025-10-31 12:00:08 +00:00
H3ALY	da365aa9ef	Remove unused functions.	2025-10-31 11:57:39 +00:00
H3ALY	5177194895	Add sender	2025-10-31 09:45:20 +00:00
H3ALY	a7a5169c67	Fix model issues.	2025-10-30 22:19:48 +00:00
H3ALY	262536135d	Still working through messages and notifications.	2025-10-30 17:22:52 +00:00