Add Angular frontend with Authentik OIDC authentication

- Angular 17 with standalone components
- Angular Material + Tailwind CSS
- OIDC authorization code flow with Authentik
- Role-based access control (USER, DEVELOPER, APPROVER, ADMIN)
- Dashboard with pending requests, tunnel list, and create mapping
- Nginx reverse proxy to backend API
- Multi-container Docker Compose setup (frontend, backend, postgres)
- Environment-based configuration (local, test, prod)

.dockerignore

@@ -0,0 +1,28 @@
+# Frontend
+frontend/
+node_modules/
+dist/
+.angular/
+
+# IDE
+.idea/
+.vscode/
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Logs
+*.log
+npm-debug.log*
+
+# Build
+build/
+.gradle/
+
+# Test
+coverage/
+
+# Environment
+.env
+*.env

.env.example

@@ -0,0 +1,4 @@
+CLOUDFLARE_ACCOUNT_ID="<cloudflare account id>"
+CLOUDFLARE_API_KEY="<cloudflare account key>"
+CLOUDFLARE_EMAIL="<cloudflare email>"
+ENV="<deployment env>"

.gitea/workflows/integration_test.yaml

@@ -0,0 +1,26 @@
+name: Daily cloudflare API integration test
+on:
+  push:
+    branches: [ main ]
+  schedule:
+    - cron: '0 */12 * * *' # Every hour
+  workflow_dispatch:
+
+jobs:
+  cloudflare-api-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: JDK setup
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'zulu'
+          java-version: '17'
+      - name: Run integration tests with Cloudflare API
+        env:
+          SPRING_PROFILES_ACTIVE: integration
+          CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
+          CLOUDFLARE_API_KEY: ${{ secrets.CLOUDFLARE_API_KEY }}
+          CLOUDFLARE_EMAIL: hitanshu98@gmail.com
+        run: ./gradlew integrationTestOnly

.gitea/workflows/prod_image_tag_promote.yaml

@@ -0,0 +1,57 @@
+name: Promote image with tag test to prod
+run-name: Build started by $ {{gitea.actor}}
+on:
+  push:
+    branches: [main]
+jobs:
+  tag:
+    runs-on: ubuntu-latest
+    outputs:
+      new_version: ${{ steps.new_version.outputs.new_version }}
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Get new version
+        id: new_version
+        run: |
+          VERSION=$(git describe --tags --abbrev=0)
+          echo ${VERSION}
+          MAJOR=$(echo ${VERSION} | cut -d "." -f 1)
+          MINOR=$(echo ${VERSION} | cut -d "." -f 2)
+          PATCH=0
+          NEW_MINOR=$(( ${MINOR} + 1))
+          echo ${NEW_MINOR}
+          echo "new_version=$(echo "${MAJOR}.${NEW_MINOR}.${PATCH}")" >> $GITHUB_OUTPUT
+  build_tag_push:
+    runs-on: ubuntu-latest
+    needs: tag
+    container:
+      image: catthehacker/ubuntu:act-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Create and push tag
+        run: |
+          echo "NEW_VERSION=${{ needs.tag.outputs.new_version }}"
+          git config --global user.name "${{gitea.actor}}"
+          git config --global user.email "${{ gitea.actor }}@users.noreply.github.com"
+          git tag -a ${{ needs.tag.outputs.new_version }} -m "Pushing new version ${{ needs.tag.outputs.new_version }}"
+          git push origin ${{ needs.tag.outputs.new_version }}
+      - name: Log in to Gitea Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: 'http://192.168.0.100:8928'
+          username: hitanshu
+          password: ${{ secrets.TOKEN }}
+      - name: Tag prod image
+        run: |
+          docker tag 192.168.0.100:8928/hithomelabs/cftunnels:test 192.168.0.100:8928/hithomelabs/cftunnels:${{ needs.tag.outputs.new_version }}
+          docker tag 192.168.0.100:8928/hithomelabs/cftunnels:${{ needs.tag.outputs.new_version }} 192.168.0.100:8928/hithomelabs/cftunnels:prod
+      - name: Push to Gitea Registry
+        run: |
+          docker push 192.168.0.100:8928/hithomelabs/cftunnels:prod
+          docker push 192.168.0.100:8928/hithomelabs/cftunnels:${{ needs.tag.outputs.new_version }}

.gitea/workflows/test_build.yml

@@ -0,0 +1,20 @@
+name: sample gradle build and test
+run-name: Build started by $ {{gitea.actor}}
+on:
+  pull_request:
+    branches: [test]
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+      - name: JDK setup
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'zulu'
+          java-version: '17'
+      - name: Validate Gradle Wrapper
+        uses: gradle/actions/wrapper-validation@v3
+      - name: Gradle build
+        run: ./gradlew build --info

.gitea/workflows/test_image_build_push.yml

@@ -0,0 +1,67 @@
+name: sample gradle build and test
+run-name: Build started by ${{ gitea.actor }}
+on:
+  push:
+    branches: [test]
+jobs:
+  tag:
+    runs-on: ubuntu-latest
+    outputs:
+      new_version: ${{ steps.new_version.outputs.new_version }}
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Get new version
+        id: new_version
+        run: |
+          VERSION=$(git describe --tags --abbrev=0)
+          echo "Current version: ${VERSION}"
+          MAJOR=$(echo ${VERSION} | cut -d "." -f 1)
+          MINOR=$(echo ${VERSION} | cut -d "." -f 2)
+          PATCH=$(echo ${VERSION} | cut -d "." -f 3)
+          NEW_PATCH=$((PATCH + 1))
+          NEW_VERSION="${MAJOR}.${MINOR}.${NEW_PATCH}"
+          echo "New version: ${NEW_VERSION}"
+          echo "new_version=${NEW_VERSION}" >> $GITHUB_OUTPUT
+  build_tag_push:
+    runs-on: ubuntu-latest
+    needs: tag
+    container:
+      image: catthehacker/ubuntu:act-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: JDK setup
+        uses: actions/setup-java@v4
+        with:
+          distribution: 'zulu'
+          java-version: '17'
+      - name: Validate Gradle Wrapper
+        uses: gradle/actions/wrapper-validation@v3
+      - name: Create and push tag
+        run: |
+          echo "New version: ${{ needs.tag.outputs.new_version }}"
+          git config --global user.name "${{ gitea.actor }}"
+          git config --global user.email "${{ gitea.actor }}@users.noreply.github.com"
+          git tag -a "${{ needs.tag.outputs.new_version }}" -m "Pushing new version ${{ needs.tag.outputs.new_version }}"
+          git push origin "${{ needs.tag.outputs.new_version }}"
+      - name: Log in to Gitea Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: 'http://192.168.0.100:8928'
+          username: hitanshu
+          password: ${{ secrets.TOKEN }}
+      - name: Gradle build
+        run: ./gradlew bootBuildImage --imageName=192.168.0.100:8928/hithomelabs/cftunnels:${{ needs.tag.outputs.new_version }}
+      - name: Tag image as test
+        run: docker tag 192.168.0.100:8928/hithomelabs/cftunnels:${{ needs.tag.outputs.new_version }} 192.168.0.100:8928/hithomelabs/cftunnels:test
+      - name: Push to Gitea Registry
+        run: |
+          docker push 192.168.0.100:8928/hithomelabs/cftunnels:test
+          docker push 192.168.0.100:8928/hithomelabs/cftunnels:${{ needs.tag.outputs.new_version }}
+  

.gitignore

@@ -1,6 +1,8 @@
 HELP.md
 .gradle
+.run
 build/
+.env*
 !gradle/wrapper/gradle-wrapper.jar
 !**/src/main/**/build/
 !**/src/test/**/build/

CFTunnels/Get tunnels.bru

@@ -1,11 +0,0 @@
-meta {
-  name: Get tunnels
-  type: http
-  seq: 4
-}
-
-get {
-  url: http://localhost8080/cloudflare/tunnels
-  body: none
-  auth: none
-}

CFTunnels/Tunnel.bru

@@ -1,11 +0,0 @@
-meta {
-  name: Tunnel
-  type: http
-  seq: 5
-}
-
-get {
-  url: http://localhost:8080/cloudflare/tunnel/{{tunnel_id}}
-  body: none
-  auth: none
-}

CFTunnels/Write ingress.bru

@@ -1,11 +0,0 @@
-meta {
-  name: Write ingress
-  type: http
-  seq: 2
-}
-
-post {
-  url: http://localhost:8080/cloudflare/tunnel/50df9101-f625-4618-b7c5-100338a57124
-  body: none
-  auth: none
-}

CFTunnels/bruno.json

@@ -1,9 +0,0 @@
-{
-  "version": "1",
-  "name": "CFTunnels",
-  "type": "collection",
-  "ignore": [
-    "node_modules",
-    ".git"
-  ]
-}

CFTunnels/delete mapping.bru

@@ -1,11 +0,0 @@
-meta {
-  name: delete mapping
-  type: http
-  seq: 3
-}
-
-put {
-  url: http://localhost:8080/cloudflare/tunnel/50df9101-f625-4618-b7c5-100338a57124/add
-  body: none
-  auth: none
-}

CFTunnels/environments/CFTunnels.bru

@@ -1,3 +0,0 @@
-vars {
-  tunnel_id: 50df9101-f625-4618-b7c5-100338a57124
-}

build.gradle

@@ -13,15 +13,48 @@ java {
 	}
 }
 
+test {
+	systemProperty 'spring.profiles.active', 'ci'
+	useJUnitPlatform {
+		excludeTags 'integration'
+	}
+	testLogging {
+		events "passed", "skipped", "failed", "standardOut", "standardError"
+		exceptionFormat "full" // shows full stack trace
+		showStandardStreams = true // shows println/log output
+	}
+}
+
+tasks.register('integrationTestOnly', Test) {
+	useJUnitPlatform {
+		includeTags 'integration'
+	}
+	description = 'Runs only integration tests tagged with @Tag("integration")'
+	group = 'verification'
+	testLogging {
+		events "passed", "skipped", "failed"
+		exceptionFormat "full"
+		showStandardStreams = true
+	}
+}
+
 repositories {
 	mavenCentral()
 }
 
 dependencies {
-	implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.0.3'
+	implementation group: 'org.springdoc', name: 'springdoc-openapi-starter-webmvc-ui', version: '2.8.5'
+	implementation group: 'org.springframework.boot', name:'spring-boot-starter-oauth2-client', version: '3.5.5'
+	compileOnly 'org.projectlombok:lombok:1.18.30'
+	annotationProcessor 'org.projectlombok:lombok:1.18.30'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
 	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+	testImplementation 'org.springframework.security:spring-security-test'
 	testRuntimeOnly 'org.junit.platform:junit-platform-launcher'
+	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
+	runtimeOnly 'org.postgresql:postgresql'
+	implementation 'org.hibernate.validator:hibernate-validator'
+    runtimeOnly 'com.h2database:h2'
 }
 
 tasks.named('test') {

docker-compose.yaml

@@ -0,0 +1,61 @@
+services:
+  frontend:
+    build:
+      context: ./frontend
+      args:
+        - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID}
+        - OAUTH_REDIRECT_URI=${OAUTH_REDIRECT_URI}
+    container_name: cftunnels-frontend_${ENV}
+    ports:
+      - "${FRONTEND_PORT:-80}:80"
+    environment:
+      - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID}
+      - OAUTH_REDIRECT_URI=${OAUTH_REDIRECT_URI}
+    depends_on:
+      - app
+    restart: unless-stopped
+    networks:
+      - cftunnels-network
+
+  app:
+    image: gitea.hithomelabs.com/hithomelabs/cftunnels:${ENV}
+    container_name: cftunnels_${ENV}
+    ports:
+      - "${HOST_PORT:-8080}:8080"
+    environment:
+      - CLOUDFLARE_ACCOUNT_ID=${CLOUDFLARE_ACCOUNT_ID}
+      - CLOUDFLARE_API_KEY=${CLOUDFLARE_API_KEY}
+      - CLOUDFLARE_EMAIL=${CLOUDFLARE_EMAIL}
+      - ENV=${ENV}
+      - OAUTH_CLIENT_ID=${OAUTH_CLIENT_ID}
+      - OAUTH_CLIENT_SECRET=${OAUTH_CLIENT_SECRET}
+      - HOST_PORT=${HOST_PORT}
+      - POSTGRES_USER=${POSTGRES_USERNAME}
+      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
+      - SWAGGER_OAUTH_CLIENT_ID=${SWAGGER_OAUTH_CLIENT_ID}
+    env_file:
+      - stack.env
+    depends_on:
+      - postgres
+    restart: unless-stopped
+    networks:
+      - cftunnels-network
+
+  postgres:
+    image: postgres:15-alpine
+    container_name: cftunnel-db-${ENV}
+    environment:
+      POSTGRES_DB: cftunnel
+      POSTGRES_USER: ${POSTGRES_USERNAME}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    restart: unless-stopped
+    ports:
+      - "${DB_PORT:-5432}:5432"
+    volumes:
+      - ${DB_PATH}:/var/lib/postgresql/data
+    networks:
+      - cftunnels-network
+
+networks:
+  cftunnels-network:
+    driver: bridge

frontend/.dockerignore

@@ -0,0 +1,24 @@
+# Dependencies
+node_modules/
+
+# Build output
+dist/
+.angular/
+
+# IDE
+.idea/
+.vscode/
+
+# OS
+.DS_Store
+
+# Logs
+*.log
+npm-debug.log*
+
+# Test
+coverage/
+
+# Misc
+*.tgz
+.cache/

frontend/.gitignore

@@ -0,0 +1,32 @@
+# Dependencies
+node_modules/
+
+# Build output
+dist/
+.angular/
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Environment files (keep template)
+# environment.ts is generated from environment.*.ts by Angular CLI
+
+# Test coverage
+coverage/
+
+# Logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+
+# Misc
+*.tgz
+.cache/

frontend/Dockerfile

@@ -0,0 +1,38 @@
+FROM node:20-alpine AS build
+
+WORKDIR /app
+
+# Copy package files
+COPY package.json package-lock.json ./
+
+# Install dependencies
+RUN npm ci
+
+# Copy source files
+COPY . .
+
+# Build arguments for OIDC config
+ARG OAUTH_CLIENT_ID=cftunnels
+ARG OAUTH_REDIRECT_URI=http://localhost:80/login
+
+# Set build-time environment variables
+ENV OAUTH_CLIENT_ID=$OAUTH_CLIENT_ID
+ENV OAUTH_REDIRECT_URI=$OAUTH_REDIRECT_URI
+
+# Build the application
+RUN npm run build
+
+# Production stage
+FROM nginx:alpine
+
+# Copy built files
+COPY --from=build /app/dist/cftunnels-frontend/browser /usr/share/nginx/html
+
+# Copy nginx configuration
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+
+# Expose port
+EXPOSE 80
+
+# Start nginx
+CMD ["nginx", "-g", "daemon off;"]

frontend/angular.json

@@ -0,0 +1,121 @@
+{
+  "$schema": "./node_modules/@angular/cli/lib/config/schema.json",
+  "version": 1,
+  "newProjectRoot": "projects",
+  "projects": {
+    "cftunnels-frontend": {
+      "projectType": "application",
+      "schematics": {
+        "@schematics/angular:component": {
+          "style": "scss",
+          "standalone": true
+        },
+        "@schematics/angular:directive": {
+          "standalone": true
+        },
+        "@schematics/angular:pipe": {
+          "standalone": true
+        }
+      },
+      "root": "",
+      "sourceRoot": "src",
+      "prefix": "app",
+      "architect": {
+        "build": {
+          "builder": "@angular-devkit/build-angular:application",
+          "options": {
+            "outputPath": "dist/cftunnels-frontend",
+            "index": "src/index.html",
+            "browser": "src/main.ts",
+            "polyfills": ["zone.js"],
+            "tsConfig": "tsconfig.app.json",
+            "inlineStyleLanguage": "scss",
+            "assets": ["src/favicon.ico", "src/assets"],
+            "styles": ["src/styles.scss"],
+            "scripts": []
+          },
+          "configurations": {
+            "production": {
+              "budgets": [
+                {
+                  "type": "initial",
+                  "maximumWarning": "500kb",
+                  "maximumError": "1mb"
+                },
+                {
+                  "type": "anyComponentStyle",
+                  "maximumWarning": "2kb",
+                  "maximumError": "4kb"
+                }
+              ],
+              "outputHashing": "all",
+              "fileReplacements": [
+                {
+                  "replace": "src/environments/environment.ts",
+                  "with": "src/environments/environment.prod.ts"
+                }
+              ]
+            },
+            "development": {
+              "optimization": false,
+              "extractLicenses": false,
+              "sourceMap": true
+            },
+            "local": {
+              "optimization": false,
+              "extractLicenses": false,
+              "sourceMap": true,
+              "fileReplacements": [
+                {
+                  "replace": "src/environments/environment.ts",
+                  "with": "src/environments/environment.local.ts"
+                }
+              ]
+            },
+            "test": {
+              "optimization": false,
+              "extractLicenses": false,
+              "sourceMap": true,
+              "fileReplacements": [
+                {
+                  "replace": "src/environments/environment.ts",
+                  "with": "src/environments/environment.test.ts"
+                }
+              ]
+            }
+          },
+          "defaultConfiguration": "production"
+        },
+        "serve": {
+          "builder": "@angular-devkit/build-angular:dev-server",
+          "configurations": {
+            "production": {
+              "buildTarget": "cftunnels-frontend:build:production"
+            },
+            "development": {
+              "buildTarget": "cftunnels-frontend:build:development"
+            },
+            "local": {
+              "buildTarget": "cftunnels-frontend:build:local"
+            },
+            "test": {
+              "buildTarget": "cftunnels-frontend:build:test"
+            }
+          },
+          "defaultConfiguration": "development"
+        },
+        "test": {
+          "builder": "@angular-devkit/build-angular:karma",
+          "options": {
+            "polyfills": ["zone.js", "zone.js/testing"],
+            "tsConfig": "tsconfig.spec.json",
+            "inlineStyleLanguage": "scss",
+            "assets": ["src/favicon.ico", "src/assets"],
+            "styles": ["src/styles.scss"],
+            "scripts": []
+          }
+        }
+      }
+    }
+  }
+}

frontend/nginx.conf

@@ -0,0 +1,40 @@
+server {
+    listen 80;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Gzip compression
+    gzip on;
+    gzip_vary on;
+    gzip_min_length 1024;
+    gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml+rss application/json application/javascript;
+
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    # Proxy API calls to backend
+    location /cloudflare/ {
+        proxy_pass http://app:8080/cloudflare/;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        
+        # Timeouts
+        proxy_connect_timeout 60s;
+        proxy_send_timeout 60s;
+        proxy_read_timeout 60s;
+    }
+
+    # Cache static assets
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff|woff2|ttf|eot)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+
+    # Security headers
+    add_header X-Frame-Options "DENY" always;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-XSS-Protection "1; mode=block" always;
+}

frontend/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "cftunnels-frontend",
+  "version": "1.0.0",
+  "scripts": {
+    "ng": "ng",
+    "start": "ng serve",
+    "build": "ng build",
+    "watch": "ng build --watch --configuration development",
+    "test": "ng test"
+  },
+  "private": true,
+  "dependencies": {
+    "@angular/animations": "^17.3.0",
+    "@angular/cdk": "^17.3.0",
+    "@angular/common": "^17.3.0",
+    "@angular/compiler": "^17.3.0",
+    "@angular/core": "^17.3.0",
+    "@angular/forms": "^17.3.0",
+    "@angular/material": "^17.3.0",
+    "@angular/platform-browser": "^17.3.0",
+    "@angular/platform-browser-dynamic": "^17.3.0",
+    "@angular/router": "^17.3.0",
+    "angular-oauth2-oidc": "^17.0.0",
+    "rxjs": "~7.8.0",
+    "tslib": "^2.6.0",
+    "zone.js": "~0.14.0"
+  },
+  "devDependencies": {
+    "@angular-devkit/build-angular": "^17.3.0",
+    "@angular/cli": "^17.3.0",
+    "@angular/compiler-cli": "^17.3.0",
+    "@types/node": "^20.0.0",
+    "autoprefixer": "^10.4.0",
+    "postcss": "^8.4.0",
+    "tailwindcss": "^3.4.0",
+    "typescript": "~5.4.0"
+  }
+}

frontend/postcss.config.js

@@ -0,0 +1,6 @@
+module.exports = {
+  plugins: {
+    tailwindcss: {},
+    autoprefixer: {},
+  },
+}

frontend/src/app/app.component.ts

@@ -0,0 +1,10 @@
+import { Component } from '@angular/core';
+import { RouterOutlet } from '@angular/router';
+
+@Component({
+  selector: 'app-root',
+  standalone: true,
+  imports: [RouterOutlet],
+  template: `<router-outlet></router-outlet>`,
+})
+export class AppComponent {}

frontend/src/app/app.config.ts

@@ -0,0 +1,28 @@
+import { ApplicationConfig, importProvidersFrom } from '@angular/core';
+import { provideRouter } from '@angular/router';
+import { provideHttpClient, withInterceptors } from '@angular/common/http';
+import { provideAnimations } from '@angular/platform-browser/animations';
+import { OAuthModule } from 'angular-oauth2-oidc';
+
+import { routes } from './app/app.routes';
+import { authInterceptor } from './app/core/auth/auth.interceptor';
+
+export const appConfig: ApplicationConfig = {
+  providers: [
+    provideRouter(routes),
+    provideHttpClient(withInterceptors([authInterceptor])),
+    provideAnimations(),
+    importProvidersFrom(
+      OAuthModule.forRoot({
+        config: {
+          issuer: 'https://auth.hithomelabs.com/application/o/cftunnels/',
+          redirectUri: window.location.origin + '/login',
+          clientId: 'cftunnels',
+          scope: 'openid profile email offline_access',
+          responseType: 'code',
+          showDebugInformation: true,
+        },
+      })
+    ),
+  ],
+};

frontend/src/app/app.routes.ts

@@ -0,0 +1,24 @@
+import { Routes } from '@angular/router';
+import { authGuard } from './core/auth/auth.guard';
+import { loginGuard } from './core/auth/login.guard';
+
+export const routes: Routes = [
+  {
+    path: '',
+    canActivate: [authGuard],
+    loadComponent: () =>
+      import('./features/dashboard/dashboard.component').then(
+        (m) => m.DashboardComponent
+      ),
+  },
+  {
+    path: 'login',
+    canActivate: [loginGuard],
+    loadComponent: () =>
+      import('./features/login/login.component').then((m) => m.LoginComponent),
+  },
+  {
+    path: '**',
+    redirectTo: '',
+  },
+];

frontend/src/app/core/auth/auth.guard.ts

@@ -0,0 +1,17 @@
+import { inject } from '@angular/core';
+import { Router, CanActivateFn } from '@angular/router';
+import { AuthService } from './auth.service';
+
+export const authGuard: CanActivateFn = (route, state) => {
+  const authService = inject(AuthService);
+  const router = inject(Router);
+
+  if (authService['oauthService'].isAuthenticated()) {
+    return true;
+  }
+
+  router.navigate(['/login'], {
+    queryParams: { returnUrl: state.url },
+  });
+  return false;
+};

frontend/src/app/core/auth/auth.interceptor.ts

@@ -0,0 +1,30 @@
+import { HttpInterceptorFn, HttpErrorResponse } from '@angular/common/http';
+import { inject } from '@angular/core';
+import { Router } from '@angular/router';
+import { catchError, throwError } from 'rxjs';
+import { AuthService } from './auth.service';
+
+export const authInterceptor: HttpInterceptorFn = (req, next) => {
+  const authService = inject(AuthService);
+  const router = inject(Router);
+
+  const token = authService.getAccessToken();
+
+  if (token && req.url.includes('/cloudflare/')) {
+    req = req.clone({
+      setHeaders: {
+        Authorization: `Bearer ${token}`,
+      },
+    });
+  }
+
+  return next(req).pipe(
+    catchError((error: HttpErrorResponse) => {
+      if (error.status === 401) {
+        authService.logout();
+        router.navigate(['/login']);
+      }
+      return throwError(() => error);
+    })
+  );
+};

frontend/src/app/core/auth/auth.service.ts

@@ -0,0 +1,99 @@
+import { Injectable, signal } from '@angular/core';
+import { Router } from '@angular/router';
+import {
+  OAuthService,
+  AuthConfig,
+} from 'angular-oauth2-oidc';
+import { BehaviorSubject, Observable } from 'rxjs';
+import { User } from '../shared/models';
+
+@Injectable({
+  providedIn: 'root',
+})
+export class AuthService {
+  private userSubject = new BehaviorSubject<User | null>(null);
+  public user$ = this.userSubject.asObservable();
+
+  private isAuthenticatedSubject = new BehaviorSubject<boolean>(false);
+  public isAuthenticated$ = this.isAuthenticatedSubject.asObservable();
+
+  constructor(
+    private oauthService: OAuthService,
+    private router: Router
+  ) {}
+
+  configure(): void {
+    const authCodeFlowConfig: AuthConfig = {
+      issuer: 'https://auth.hithomelabs.com/application/o/cftunnels/',
+      redirectUri: window.location.origin + '/login',
+      clientId: 'cftunnels',
+      scope: 'openid profile email offline_access',
+      responseType: 'code',
+      showDebugInformation: true,
+      strictDiscoveryDocumentValidation: false,
+      useSilentRefresh: true,
+    };
+
+    this.oauthService.configure(authCodeFlowConfig);
+    this.oauthService.loadDiscoveryDocumentAndTryLogin();
+  }
+
+  async login(): Promise<void> {
+    await this.oauthService.loadDiscoveryDocument();
+    await this.oauthService.initCodeFlow();
+  }
+
+  async handleLoginCallback(): Promise<void> {
+    await this.oauthService.loadDiscoveryDocumentAndTryLogin();
+    if (this.oauthService.isAuthenticated()) {
+      await this.fetchUserInfo();
+      this.isAuthenticatedSubject.next(true);
+    }
+  }
+
+  private async fetchUserInfo(): Promise<void> {
+    try {
+      const claims = await this.oauthService.loadUserProfile();
+      const userInfo = claims as unknown as {
+        info: { email: string; name: string };
+        groups: string[];
+      };
+
+      const user: User = {
+        username: userInfo.info?.name || userInfo.info?.email || 'Unknown',
+        roles: userInfo.groups || [],
+      };
+
+      this.userSubject.next(user);
+    } catch (error) {
+      console.error('Error fetching user info:', error);
+    }
+  }
+
+  logout(): void {
+    this.oauthService.logOut();
+    this.userSubject.next(null);
+    this.isAuthenticatedSubject.next(false);
+    this.router.navigate(['/login']);
+  }
+
+  getAccessToken(): string | null {
+    return this.oauthService.getAccessToken();
+  }
+
+  hasRole(role: string): boolean {
+    const user = this.userSubject.getValue();
+    if (!user) return false;
+    return user.roles.some(
+      (r) => r === role || r === `ROLE_${role}` || r === `ROLE_${role.toUpperCase()}`
+    );
+  }
+
+  hasAnyRole(roles: string[]): boolean {
+    return roles.some((role) => this.hasRole(role));
+  }
+
+  getUser(): User | null {
+    return this.userSubject.getValue();
+  }
+}

frontend/src/app/core/auth/login.guard.ts

@@ -0,0 +1,15 @@
+import { inject } from '@angular/core';
+import { Router, CanActivateFn } from '@angular/router';
+import { AuthService } from './auth.service';
+
+export const loginGuard: CanActivateFn = (route, state) => {
+  const authService = inject(AuthService);
+  const router = inject(Router);
+
+  if (authService['oauthService'].isAuthenticated()) {
+    router.navigate(['/']);
+    return false;
+  }
+
+  return true;
+};

frontend/src/app/core/services/api.service.ts

@@ -0,0 +1,63 @@
+import { Injectable } from '@angular/core';
+import { HttpClient } from '@angular/common/http';
+import { Observable } from 'rxjs';
+import {
+  ApiResponse,
+  User,
+  Request,
+  Tunnel,
+  Mapping,
+} from '../../shared/models';
+
+@Injectable({
+  providedIn: 'root',
+})
+export class ApiService {
+  private baseUrl = '/cloudflare';
+
+  constructor(private http: HttpClient) {}
+
+  whoami(): Observable<ApiResponse<User>> {
+    return this.http.get<ApiResponse<User>>(`${this.baseUrl}/whoami`);
+  }
+
+  getRequests(): Observable<ApiResponse<Request[]>> {
+    return this.http.get<ApiResponse<Request[]>>(`${this.baseUrl}/requests`);
+  }
+
+  approveRequest(requestId: string): Observable<Request> {
+    return this.http.put<Request>(
+      `${this.baseUrl}/requests/${requestId}/approve`,
+      {}
+    );
+  }
+
+  rejectRequest(requestId: string): Observable<Request> {
+    return this.http.put<Request>(
+      `${this.baseUrl}/requests/${requestId}/reject`,
+      {}
+    );
+  }
+
+  getConfiguredTunnels(): Observable<ApiResponse<Tunnel[]>> {
+    return this.http.get<ApiResponse<Tunnel[]>>(
+      `${this.baseUrl}/configured/tunnels`
+    );
+  }
+
+  getTunnelMappings(tunnelId: string): Observable<ApiResponse<Mapping[]>> {
+    return this.http.get<ApiResponse<Mapping[]>>(
+      `${this.baseUrl}/tunnels/${tunnelId}/mappings`
+    );
+  }
+
+  createMappingRequest(
+    tunnelId: string,
+    mapping: { subdomain: string; protocol: string; port: number }
+  ): Observable<Request> {
+    return this.http.post<Request>(
+      `${this.baseUrl}/tunnels/${tunnelId}/requests`,
+      mapping
+    );
+  }
+}

frontend/src/app/features/dashboard/create-mapping/create-mapping.component.ts

@@ -0,0 +1,220 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormBuilder, FormGroup, ReactiveFormsModule, Validators } from '@angular/forms';
+import { MatCardModule } from '@angular/material/card';
+import { MatFormFieldModule } from '@angular/material/form-field';
+import { MatInputModule } from '@angular/material/input';
+import { MatSelectModule } from '@angular/material/select';
+import { MatButtonModule } from '@angular/material/button';
+import { MatIconModule } from '@angular/material/icon';
+import { MatSnackBar, MatSnackBarModule } from '@angular/material/snack-bar';
+import { MatProgressSpinnerModule } from '@angular/material/progress-spinner';
+import { Tunnel } from '../../../shared/models';
+import { ApiService } from '../../../core/services/api.service';
+
+@Component({
+  selector: 'app-create-mapping',
+  standalone: true,
+  imports: [
+    CommonModule,
+    ReactiveFormsModule,
+    MatCardModule,
+    MatFormFieldModule,
+    MatInputModule,
+    MatSelectModule,
+    MatButtonModule,
+    MatIconModule,
+    MatSnackBarModule,
+    MatProgressSpinnerModule,
+  ],
+  template: `
+    <mat-card class="create-card">
+      <mat-card-header>
+        <mat-icon mat-card-avatar>add_circle</mat-icon>
+        <mat-card-title>Create New Mapping Request</mat-card-title>
+        <mat-card-subtitle>Request a new subdomain mapping</mat-card-subtitle>
+      </mat-card-header>
+
+      <mat-card-content>
+        <form [formGroup]="mappingForm" (ngSubmit)="onSubmit()">
+          <div class="form-row">
+            <mat-form-field appearance="outline">
+              <mat-label>Subdomain</mat-label>
+              <input
+                matInput
+                formControlName="subdomain"
+                placeholder="myapp"
+              />
+              <span matSuffix>.hithomelabs.com</span>
+              @if (mappingForm.get('subdomain')?.hasError('required')) {
+                <mat-error>Subdomain is required</mat-error>
+              }
+            </mat-form-field>
+          </div>
+
+          <div class="form-row">
+            <mat-form-field appearance="outline">
+              <mat-label>Tunnel</mat-label>
+              <mat-select formControlName="tunnelId">
+                @for (tunnel of tunnels; track tunnel.id) {
+                  <mat-option [value]="tunnel.id">
+                    {{ tunnel.name }} ({{ tunnel.environment }})
+                  </mat-option>
+                }
+              </mat-select>
+              @if (mappingForm.get('tunnelId')?.hasError('required')) {
+                <mat-error>Tunnel is required</mat-error>
+              }
+            </mat-form-field>
+          </div>
+
+          <div class="form-row two-columns">
+            <mat-form-field appearance="outline">
+              <mat-label>Protocol</mat-label>
+              <mat-select formControlName="protocol">
+                <mat-option value="http">HTTP</mat-option>
+                <mat-option value="https">HTTPS</mat-option>
+                <mat-option value="ssh">SSH</mat-option>
+                <mat-option value="tcp">TCP</mat-option>
+              </mat-select>
+            </mat-form-field>
+
+            <mat-form-field appearance="outline">
+              <mat-label>Port</mat-label>
+              <input
+                matInput
+                type="number"
+                formControlName="port"
+                placeholder="8080"
+              />
+              @if (mappingForm.get('port')?.hasError('required')) {
+                <mat-error>Port is required</mat-error>
+              }
+              @if (mappingForm.get('port')?.hasError('min')) {
+                <mat-error>Port must be greater than 0</mat-error>
+              }
+              @if (mappingForm.get('port')?.hasError('max')) {
+                <mat-error>Port must be less than 65535</mat-error>
+              }
+            </mat-form-field>
+          </div>
+
+          <div class="form-actions">
+            <button
+              mat-raised-button
+              color="primary"
+              type="submit"
+              [disabled]="mappingForm.invalid || isSubmitting"
+            >
+              @if (isSubmitting) {
+                <mat-spinner diameter="20"></mat-spinner>
+              } @else {
+                <mat-icon>send</mat-icon>
+              }
+              Submit Request
+            </button>
+          </div>
+        </form>
+      </mat-card-content>
+    </mat-card>
+  `,
+  styles: [
+    `
+      .create-card {
+        margin-bottom: 1.5rem;
+      }
+
+      .form-row {
+        margin-bottom: 1rem;
+      }
+
+      .two-columns {
+        display: grid;
+        grid-template-columns: 1fr 1fr;
+        gap: 1rem;
+      }
+
+      mat-form-field {
+        width: 100%;
+      }
+
+      .form-actions {
+        display: flex;
+        justify-content: flex-end;
+        margin-top: 1.5rem;
+      }
+
+      button[mat-raised-button] {
+        min-width: 150px;
+      }
+
+      button mat-spinner {
+        display: inline-block;
+      }
+    `,
+  ],
+})
+export class CreateMappingComponent implements OnInit {
+  mappingForm: FormGroup;
+  tunnels: Tunnel[] = [];
+  isSubmitting = false;
+
+  constructor(
+    private fb: FormBuilder,
+    private apiService: ApiService,
+    private snackBar: MatSnackBar
+  ) {
+    this.mappingForm = this.fb.group({
+      subdomain: ['', [Validators.required, Validators.pattern(/^[a-z0-9-]+$/)]],
+      tunnelId: ['', Validators.required],
+      protocol: ['http', Validators.required],
+      port: ['', [Validators.required, Validators.min(1), Validators.max(65535)]],
+    });
+  }
+
+  ngOnInit(): void {
+    this.loadTunnels();
+  }
+
+  loadTunnels(): void {
+    this.apiService.getConfiguredTunnels().subscribe({
+      next: (response) => {
+        this.tunnels = response.data;
+      },
+      error: (err) => {
+        console.error('Error loading tunnels:', err);
+        this.snackBar.open('Failed to load tunnels', 'Close', {
+          duration: 3000,
+        });
+      },
+    });
+  }
+
+  onSubmit(): void {
+    if (this.mappingForm.invalid) return;
+
+    this.isSubmitting = true;
+    const { subdomain, tunnelId, protocol, port } = this.mappingForm.value;
+
+    this.apiService.createMappingRequest(tunnelId, {
+      subdomain,
+      protocol,
+      port,
+    }).subscribe({
+      next: () => {
+        this.snackBar.open('Mapping request submitted successfully!', 'Close', {
+          duration: 3000,
+        });
+        this.mappingForm.reset({ protocol: 'http' });
+        this.isSubmitting = false;
+      },
+      error: (err) => {
+        console.error('Error creating mapping request:', err);
+        this.snackBar.open('Failed to submit mapping request', 'Close', {
+          duration: 3000,
+        });
+        this.isSubmitting = false;
+      },
+    });
+  }
+}

frontend/src/app/features/dashboard/dashboard.component.ts

@@ -0,0 +1,167 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { MatToolbarModule } from '@angular/material/toolbar';
+import { MatButtonModule } from '@angular/material/button';
+import { MatIconModule } from '@angular/material/icon';
+import { MatSidenavModule } from '@angular/material/sidenav';
+import { MatListModule } from '@angular/material/list';
+import { MatCardModule } from '@angular/material/card';
+import { AuthService } from '../../core/auth/auth.service';
+import { ApiService } from '../../core/services/api.service';
+import { User, Request, Tunnel } from '../../shared/models';
+import { PendingRequestsComponent } from './pending-requests/pending-requests.component';
+import { TunnelListComponent } from './tunnel-list/tunnel-list.component';
+import { CreateMappingComponent } from './create-mapping/create-mapping.component';
+
+@Component({
+  selector: 'app-dashboard',
+  standalone: true,
+  imports: [
+    CommonModule,
+    MatToolbarModule,
+    MatButtonModule,
+    MatIconModule,
+    MatSidenavModule,
+    MatListModule,
+    MatCardModule,
+    PendingRequestsComponent,
+    TunnelListComponent,
+    CreateMappingComponent,
+  ],
+  template: `
+    <mat-toolbar color="primary" class="toolbar">
+      <span class="title">
+        <mat-icon>hub</mat-icon>
+        CFTunnels
+      </span>
+      <span class="spacer"></span>
+      <span class="user-info" *ngIf="user">
+        {{ user.username }}
+        <span class="roles">({{ user.roles.join(', ') }})</span>
+      </span>
+      <button mat-icon-button (click)="logout()" title="Logout">
+        <mat-icon>logout</mat-icon>
+      </button>
+    </mat-toolbar>
+
+    <div class="dashboard-container">
+      <div class="dashboard-content">
+        <!-- Pending Requests Section - APPROVER/ADMIN only -->
+        @if (canApprove()) {
+          <app-pending-requests
+            [requests]="pendingRequests"
+            (requestUpdated)="loadRequests()"
+          ></app-pending-requests>
+        }
+
+        <!-- Tunnel List Section - DEVELOPER+ -->
+        @if (canViewTunnels()) {
+          <app-tunnel-list [tunnels]="tunnels"></app-tunnel-list>
+        }
+
+        <!-- Create Mapping Section - USER+ -->
+        <app-create-mapping></app-create-mapping>
+      </div>
+    </div>
+  `,
+  styles: [
+    `
+      .toolbar {
+        position: sticky;
+        top: 0;
+        z-index: 1000;
+      }
+
+      .title {
+        display: flex;
+        align-items: center;
+        gap: 0.5rem;
+        font-weight: 500;
+      }
+
+      .spacer {
+        flex: 1 1 auto;
+      }
+
+      .user-info {
+        display: flex;
+        align-items: center;
+        gap: 0.5rem;
+        margin-right: 1rem;
+        font-size: 0.9rem;
+      }
+
+      .roles {
+        color: rgba(255, 255, 255, 0.7);
+        font-size: 0.8rem;
+      }
+
+      .dashboard-container {
+        display: flex;
+        justify-content: center;
+        padding: 1.5rem;
+      }
+
+      .dashboard-content {
+        width: 100%;
+        max-width: 900px;
+      }
+    `,
+  ],
+})
+export class DashboardComponent implements OnInit {
+  user: User | null = null;
+  pendingRequests: Request[] = [];
+  tunnels: Tunnel[] = [];
+
+  constructor(
+    private authService: AuthService,
+    private apiService: ApiService
+  ) {}
+
+  ngOnInit(): void {
+    this.authService.user$.subscribe((user) => {
+      this.user = user;
+      if (user) {
+        this.loadData();
+      }
+    });
+  }
+
+  loadData(): void {
+    this.loadRequests();
+    this.loadTunnels();
+  }
+
+  loadRequests(): void {
+    this.apiService.getRequests().subscribe({
+      next: (response) => {
+        this.pendingRequests = response.data.filter(
+          (r) => r.status === 'PENDING'
+        );
+      },
+      error: (err) => console.error('Error loading requests:', err),
+    });
+  }
+
+  loadTunnels(): void {
+    this.apiService.getConfiguredTunnels().subscribe({
+      next: (response) => {
+        this.tunnels = response.data;
+      },
+      error: (err) => console.error('Error loading tunnels:', err),
+    });
+  }
+
+  canApprove(): boolean {
+    return this.authService.hasAnyRole(['APPROVER', 'ADMIN']);
+  }
+
+  canViewTunnels(): boolean {
+    return this.authService.hasAnyRole(['DEVELOPER', 'APPROVER', 'ADMIN']);
+  }
+
+  logout(): void {
+    this.authService.logout();
+  }
+}

frontend/src/app/features/dashboard/pending-requests/pending-requests.component.ts

@@ -0,0 +1,174 @@
+import { Component, Input, Output, EventEmitter, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { MatCardModule } from '@angular/material/card';
+import { MatButtonModule } from '@angular/material/button';
+import { MatIconModule } from '@angular/material/icon';
+import { MatChipsModule } from '@angular/material/chips';
+import { MatProgressBarModule } from '@angular/material/progress-bar';
+import { Request } from '../../../shared/models';
+import { ApiService } from '../../../core/services/api.service';
+
+@Component({
+  selector: 'app-pending-requests',
+  standalone: true,
+  imports: [
+    CommonModule,
+    MatCardModule,
+    MatButtonModule,
+    MatIconModule,
+    MatChipsModule,
+    MatProgressBarModule,
+  ],
+  template: `
+    <mat-card class="requests-card">
+      <mat-card-header>
+        <mat-icon mat-card-avatar>pending_actions</mat-icon>
+        <mat-card-title>Pending Requests</mat-card-title>
+        <mat-card-subtitle
+          >{{ requests.length }} request(s) awaiting approval</mat-card-subtitle
+        >
+      </mat-card-header>
+
+      <mat-card-content>
+        @if (isLoading) {
+          <mat-progress-bar mode="indeterminate"></mat-progress-bar>
+        }
+
+        @if (!isLoading && requests.length === 0) {
+          <div class="empty-state">
+            <mat-icon>check_circle</mat-icon>
+            <p>No pending requests</p>
+          </div>
+        }
+
+        @for (request of requests; track request.id) {
+          <div class="request-item">
+            <div class="request-info">
+              <span class="subdomain">{{ request.mapping.subdomain }}.hithomelabs.com</span>
+              <span class="tunnel">→ {{ request.mapping.tunnel.name }}</span>
+              <span class="port">Port: {{ request.mapping.port }}</span>
+            </div>
+            <div class="request-actions">
+              <button
+                mat-mini-fab
+                color="primary"
+                (click)="approve(request.id)"
+                [disabled]="actionInProgress"
+                title="Approve"
+              >
+                <mat-icon>check</mat-icon>
+              </button>
+              <button
+                mat-mini-fab
+                color="warn"
+                (click)="reject(request.id)"
+                [disabled]="actionInProgress"
+                title="Reject"
+              >
+                <mat-icon>close</mat-icon>
+              </button>
+            </div>
+          </div>
+        }
+      </mat-card-content>
+    </mat-card>
+  `,
+  styles: [
+    `
+      .requests-card {
+        margin-bottom: 1.5rem;
+      }
+
+      .empty-state {
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        padding: 2rem;
+        color: #4caf50;
+      }
+
+      .empty-state mat-icon {
+        font-size: 48px;
+        width: 48px;
+        height: 48px;
+      }
+
+      .request-item {
+        display: flex;
+        justify-content: space-between;
+        align-items: center;
+        padding: 1rem;
+        border-bottom: 1px solid #eee;
+      }
+
+      .request-item:last-child {
+        border-bottom: none;
+      }
+
+      .request-info {
+        display: flex;
+        flex-direction: column;
+        gap: 0.25rem;
+      }
+
+      .subdomain {
+        font-weight: 500;
+        color: #1976d2;
+      }
+
+      .tunnel {
+        color: #666;
+        font-size: 0.9rem;
+      }
+
+      .port {
+        color: #999;
+        font-size: 0.85rem;
+      }
+
+      .request-actions {
+        display: flex;
+        gap: 0.5rem;
+      }
+    `,
+  ],
+})
+export class PendingRequestsComponent implements OnInit {
+  @Input() requests: Request[] = [];
+  @Output() requestUpdated = new EventEmitter<void>();
+
+  isLoading = false;
+  actionInProgress = false;
+
+  constructor(private apiService: ApiService) {}
+
+  ngOnInit(): void {}
+
+  approve(requestId: string): void {
+    this.actionInProgress = true;
+    this.apiService.approveRequest(requestId).subscribe({
+      next: () => {
+        this.requestUpdated.emit();
+        this.actionInProgress = false;
+      },
+      error: (err) => {
+        console.error('Error approving request:', err);
+        this.actionInProgress = false;
+      },
+    });
+  }
+
+  reject(requestId: string): void {
+    this.actionInProgress = true;
+    this.apiService.rejectRequest(requestId).subscribe({
+      next: () => {
+        this.requestUpdated.emit();
+        this.actionInProgress = false;
+      },
+      error: (err) => {
+        console.error('Error rejecting request:', err);
+        this.actionInProgress = false;
+      },
+    });
+  }
+}

frontend/src/app/features/dashboard/tunnel-list/tunnel-list.component.ts

@@ -0,0 +1,182 @@
+import { Component, Input, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { MatCardModule } from '@angular/material/card';
+import { MatButtonModule } from '@angular/material/button';
+import { MatIconModule } from '@angular/material/icon';
+import { MatExpansionModule } from '@angular/material/expansion';
+import { MatProgressSpinnerModule } from '@angular/material/progress-spinner';
+import { Tunnel, Mapping } from '../../../shared/models';
+import { ApiService } from '../../../core/services/api.service';
+
+@Component({
+  selector: 'app-tunnel-list',
+  standalone: true,
+  imports: [
+    CommonModule,
+    MatCardModule,
+    MatButtonModule,
+    MatIconModule,
+    MatExpansionModule,
+    MatProgressSpinnerModule,
+  ],
+  template: `
+    <mat-card class="tunnels-card">
+      <mat-card-header>
+        <mat-icon mat-card-avatar>dns</mat-icon>
+        <mat-card-title>Tunnels</mat-card-title>
+        <mat-card-subtitle
+          >{{ tunnels.length }} tunnel(s) configured</mat-card-subtitle
+        >
+      </mat-card-header>
+
+      <mat-card-content>
+        @if (isLoading) {
+          <div class="loading-container">
+            <mat-spinner diameter="30"></mat-spinner>
+          </div>
+        }
+
+        @if (!isLoading && tunnels.length === 0) {
+          <div class="empty-state">
+            <mat-icon>info</mat-icon>
+            <p>No tunnels configured</p>
+          </div>
+        }
+
+        <mat-accordion>
+          @for (tunnel of tunnels; track tunnel.id) {
+            <mat-expansion-panel>
+              <mat-expansion-panel-header>
+                <mat-panel-title>
+                  <mat-icon class="tunnel-icon">hub</mat-icon>
+                  {{ tunnel.name }}
+                </mat-panel-title>
+                <mat-panel-description>
+                  {{ tunnel.environment }}
+                </mat-panel-description>
+              </mat-expansion-panel-header>
+
+              @if (expandedTunnelId === tunnel.id) {
+                @if (mappingsLoading) {
+                  <mat-spinner diameter="20"></mat-spinner>
+                } @else if (tunnelMappings[tunnel.id]?.length === 0) {
+                  <p class="no-mappings">No mappings for this tunnel</p>
+                } @else {
+                  @for (mapping of tunnelMappings[tunnel.id]; track mapping.id) {
+                    <div class="mapping-item">
+                      <span class="hostname"
+                        >{{ mapping.subdomain }}.hithomelabs.com</span
+                      >
+                      <span class="service"
+                        >→ {{ mapping.protocol }}://192.168.0.100:{{
+                          mapping.port
+                        }}</span
+                      >
+                    </div>
+                  }
+                }
+              } @else {
+                <button
+                  mat-button
+                  color="primary"
+                  (click)="loadMappings(tunnel.id)"
+                >
+                  <mat-icon>visibility</mat-icon>
+                  View Mappings
+                </button>
+              }
+            </mat-expansion-panel>
+          }
+        </mat-accordion>
+      </mat-card-content>
+    </mat-card>
+  `,
+  styles: [
+    `
+      .tunnels-card {
+        margin-bottom: 1.5rem;
+      }
+
+      .loading-container {
+        display: flex;
+        justify-content: center;
+        padding: 2rem;
+      }
+
+      .empty-state {
+        display: flex;
+        flex-direction: column;
+        align-items: center;
+        padding: 2rem;
+        color: #666;
+      }
+
+      .empty-state mat-icon {
+        font-size: 48px;
+        width: 48px;
+        height: 48px;
+      }
+
+      .tunnel-icon {
+        margin-right: 0.5rem;
+      }
+
+      .mapping-item {
+        display: flex;
+        flex-direction: column;
+        padding: 0.75rem;
+        margin: 0.5rem 0;
+        background: #f5f5f5;
+        border-radius: 4px;
+      }
+
+      .hostname {
+        font-weight: 500;
+        color: #1976d2;
+      }
+
+      .service {
+        color: #666;
+        font-size: 0.9rem;
+      }
+
+      .no-mappings {
+        color: #999;
+        font-style: italic;
+      }
+
+      mat-panel-title {
+        display: flex;
+        align-items: center;
+      }
+    `,
+  ],
+})
+export class TunnelListComponent implements OnInit {
+  @Input() tunnels: Tunnel[] = [];
+
+  isLoading = false;
+  mappingsLoading = false;
+  expandedTunnelId: string | null = null;
+  tunnelMappings: { [key: string]: Mapping[] } = {};
+
+  constructor(private apiService: ApiService) {}
+
+  ngOnInit(): void {}
+
+  loadMappings(tunnelId: string): void {
+    this.expandedTunnelId = tunnelId;
+    this.mappingsLoading = true;
+
+    this.apiService.getTunnelMappings(tunnelId).subscribe({
+      next: (response) => {
+        this.tunnelMappings[tunnelId] = response.data;
+        this.mappingsLoading = false;
+      },
+      error: (err) => {
+        console.error('Error loading mappings:', err);
+        this.mappingsLoading = false;
+      },
+    });
+  }
+}

frontend/src/app/features/login/login.component.ts

@@ -0,0 +1,127 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { Router } from '@angular/router';
+import { MatButtonModule } from '@angular/material/button';
+import { MatCardModule } from '@angular/material/card';
+import { MatIconModule } from '@angular/material/icon';
+import { MatProgressSpinnerModule } from '@angular/material/progress-spinner';
+import { AuthService } from '../../core/auth/auth.service';
+
+@Component({
+  selector: 'app-login',
+  standalone: true,
+  imports: [
+    CommonModule,
+    MatButtonModule,
+    MatCardModule,
+    MatIconModule,
+    MatProgressSpinnerModule,
+  ],
+  template: `
+    <div class="login-container">
+      <mat-card class="login-card">
+        <mat-card-header>
+          <mat-card-title>
+            <mat-icon class="logo-icon">hub</mat-icon>
+            CFTunnels
+          </mat-card-title>
+          <mat-card-subtitle>Cloudflare Tunnel Management</mat-card-subtitle>
+        </mat-card-header>
+
+        <mat-card-content>
+          <p>Sign in to manage your Cloudflare Tunnels and mappings.</p>
+
+          @if (isLoading) {
+            <div class="spinner-container">
+              <mat-spinner diameter="40"></mat-spinner>
+            </div>
+          } @else {
+            <button
+              mat-raised-button
+              color="primary"
+              class="login-button"
+              (click)="login()"
+            >
+              <mat-icon>login</mat-icon>
+              Login with Authentik
+            </button>
+          }
+        </mat-card-content>
+      </mat-card>
+    </div>
+  `,
+  styles: [
+    `
+      .login-container {
+        display: flex;
+        justify-content: center;
+        align-items: center;
+        min-height: 100vh;
+        background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+      }
+
+      .login-card {
+        width: 400px;
+        padding: 2rem;
+        text-align: center;
+      }
+
+      .logo-icon {
+        font-size: 48px;
+        width: 48px;
+        height: 48px;
+        margin-bottom: 1rem;
+        color: #667eea;
+      }
+
+      mat-card-title {
+        font-size: 2rem;
+        margin-bottom: 0.5rem;
+      }
+
+      mat-card-subtitle {
+        margin-bottom: 2rem;
+      }
+
+      p {
+        color: #666;
+        margin-bottom: 2rem;
+      }
+
+      .login-button {
+        width: 100%;
+        padding: 1rem;
+        font-size: 1.1rem;
+      }
+
+      .spinner-container {
+        display: flex;
+        justify-content: center;
+        margin-top: 2rem;
+      }
+    `,
+  ],
+})
+export class LoginComponent implements OnInit {
+  isLoading = false;
+
+  constructor(
+    private authService: AuthService,
+    private router: Router
+  ) {}
+
+  ngOnInit(): void {
+    const urlParams = new URLSearchParams(window.location.search);
+    if (urlParams.has('code') || urlParams.has('state')) {
+      this.isLoading = true;
+      this.authService.handleLoginCallback().then(() => {
+        this.router.navigate(['/']);
+      });
+    }
+  }
+
+  async login(): Promise<void> {
+    this.isLoading = true;
+    await this.authService.login();
+  }
+}

frontend/src/app/shared/models/index.ts

@@ -0,0 +1,35 @@
+export interface User {
+  username: string;
+  roles: string[];
+}
+
+export interface Tunnel {
+  id: string;
+  name: string;
+  environment: string;
+}
+
+export interface Mapping {
+  id: string;
+  subdomain: string;
+  protocol: string;
+  port: number;
+  tunnel: Tunnel;
+}
+
+export interface Request {
+  id: string;
+  mapping: Mapping;
+  createdBy: User;
+  acceptedBy?: User;
+  status: 'PENDING' | 'APPROVED' | 'REJECTED';
+}
+
+export interface ApiResponse<T> {
+  status: string;
+  data: T;
+}
+
+export interface TunnelWithMappings extends Tunnel {
+  mappings?: Mapping[];
+}

frontend/src/environments/environment.local.ts

@@ -0,0 +1,7 @@
+export const environment = {
+  production: false,
+  apiUrl: '/cloudflare',
+  issuer: 'https://auth.hithomelabs.com/application/o/cftunnels/',
+  oauthClientId: 'cftunnels',
+  redirectUri: 'http://localhost:80/login'
+};

frontend/src/environments/environment.prod.ts

@@ -0,0 +1,7 @@
+export const environment = {
+  production: true,
+  apiUrl: '/cloudflare',
+  issuer: 'https://auth.hithomelabs.com/application/o/cftunnels/',
+  oauthClientId: 'cftunnels',
+  redirectUri: 'https://cftunnels.hithomelabs.com/login'
+};

frontend/src/environments/environment.test.ts

@@ -0,0 +1,7 @@
+export const environment = {
+  production: false,
+  apiUrl: '/cloudflare',
+  issuer: 'https://auth.hithomelabs.com/application/o/cftunnels/',
+  oauthClientId: 'cftunnels',
+  redirectUri: 'https://testcf.hithomelabs.com/login'
+};

frontend/src/environments/environment.ts

@@ -0,0 +1,7 @@
+export const environment = {
+  production: false,
+  apiUrl: '/cloudflare',
+  issuer: 'https://auth.hithomelabs.com/application/o/cftunnels/',
+  oauthClientId: 'cftunnels',
+  redirectUri: '/login'
+};

frontend/src/index.html

@@ -0,0 +1,16 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <title>CFTunnels</title>
+  <base href="/">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <link rel="icon" type="image/x-icon" href="favicon.ico">
+  <link rel="preconnect" href="https://fonts.gstatic.com">
+  <link href="https://fonts.googleapis.com/css2?family=Roboto:wght@300;400;500&display=swap" rel="stylesheet">
+  <link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">
+</head>
+<body class="mat-typography">
+  <app-root></app-root>
+</body>
+</html>

frontend/src/main.ts

@@ -0,0 +1,6 @@
+import { bootstrapApplication } from '@angular/platform-browser';
+import { appConfig } from './app/app.config';
+import { AppComponent } from './app/app.component';
+
+bootstrapApplication(AppComponent, appConfig)
+  .catch((err) => console.error(err));

frontend/src/styles.scss

@@ -0,0 +1,17 @@
+@tailwind base;
+@tailwind components;
+@tailwind utilities;
+
+html, body {
+  height: 100%;
+}
+
+body {
+  margin: 0;
+  font-family: Roboto, "Helvetica Neue", sans-serif;
+  background-color: #f5f5f5;
+}
+
+.spacer {
+  flex: 1 1 auto;
+}

frontend/tailwind.config.js

@@ -0,0 +1,10 @@
+/** @type {import('tailwindcss').Config} */
+module.exports = {
+  content: [
+    "./src/**/*.{html,ts}",
+  ],
+  theme: {
+    extend: {},
+  },
+  plugins: [],
+}

frontend/tsconfig.app.json

@@ -0,0 +1,9 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./out-tsc/app",
+    "types": []
+  },
+  "files": ["src/main.ts"],
+  "include": ["src/**/*.d.ts"]
+}

frontend/tsconfig.json

@@ -0,0 +1,28 @@
+{
+  "compileOnSave": false,
+  "compilerOptions": {
+    "outDir": "./dist/out-tsc",
+    "strict": true,
+    "noImplicitOverride": true,
+    "noPropertyAccessFromIndexSignature": true,
+    "noImplicitReturns": true,
+    "noFallthroughCasesInSwitch": true,
+    "skipLibCheck": true,
+    "esModuleInterop": true,
+    "sourceMap": true,
+    "declaration": false,
+    "experimentalDecorators": true,
+    "moduleResolution": "bundler",
+    "importHelpers": true,
+    "target": "ES2022",
+    "module": "ES2022",
+    "lib": ["ES2022", "dom"],
+    "useDefineForClassFields": false
+  },
+  "angularCompilerOptions": {
+    "enableI18nLegacyMessageIdFormat": false,
+    "strictInjectionParameters": true,
+    "strictInputAccessModifiers": true,
+    "strictTemplates": true
+  }
+}

frontend/tsconfig.spec.json

@@ -0,0 +1,8 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "outDir": "./out-tsc/spec",
+    "types": ["jasmine"]
+  },
+  "include": ["src/**/*.spec.ts", "src/**/*.d.ts"]
+}

settings.gradle

@@ -1 +0,0 @@
-rootProject.name = 'CFTunnels'

src/main/java/com/hithomelabs/CFTunnels/Config/AuthoritiesToGroupMapping.java

@@ -0,0 +1,28 @@
+package com.hithomelabs.CFTunnels.Config;
+
+import com.hithomelabs.CFTunnels.Models.Authorities;
+import com.hithomelabs.CFTunnels.Models.Groups;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+
+import java.util.HashMap;
+import java.util.HashSet;
+import java.util.Map;
+import java.util.Set;
+
+@Configuration
+public class AuthoritiesToGroupMapping {
+
+    public Map<String, Set<GrantedAuthority>> getAuthorityForGroup(){
+        HashMap<String, Set<GrantedAuthority>> mappings = new HashMap<>();
+        mappings.put(Groups.GITEA_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER))));
+        mappings.put(Groups.POWER_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER))));
+        mappings.put(Groups.HOMELAB_DEVELOPER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_DEVELOPER))));
+        mappings.put(Groups.SYSTEM_ADMIN, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_APPROVER), new SimpleGrantedAuthority(Authorities.ROLE_ADMIN))));
+        return mappings;
+    }
+
+
+
+}

src/main/java/com/hithomelabs/CFTunnels/Config/CustomOidcUserConfiguration.java

@@ -0,0 +1,45 @@
+package com.hithomelabs.CFTunnels.Config;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
+import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserService;
+import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+@Configuration
+public class CustomOidcUserConfiguration extends OidcUserService {
+
+        @Autowired
+        AuthoritiesToGroupMapping authoritiesToGroupMapping;
+
+        @Override
+        public OidcUser loadUser(OidcUserRequest userRequest) {
+            // * * Delegate to the default implementation for loading user and claims
+            OidcUser oidcUser = super.loadUser(userRequest);
+
+            // * * Copy existing authorities (e.g. scopes → authorities)
+            Set<GrantedAuthority> mappedAuthorities = new HashSet<>();
+
+            // * * Extract your custom claim (change "roles" to your claim name)
+            List<String> groups = oidcUser.getClaimAsStringList("groups");
+            if (groups != null) {
+                groups.forEach(group ->
+                        mappedAuthorities.addAll(authoritiesToGroupMapping.getAuthorityForGroup().get(group))
+                );
+            }
+
+            // * * Return a new DefaultOidcUser with merged authorities
+            return new DefaultOidcUser(
+                    mappedAuthorities,
+                    oidcUser.getIdToken(),
+                    oidcUser.getUserInfo()
+            );
+        }
+    }
+

src/main/java/com/hithomelabs/CFTunnels/Config/OpenApiConfig.java

@@ -0,0 +1,54 @@
+package com.hithomelabs.CFTunnels.Config;
+
+import io.swagger.v3.oas.models.Components;
+import io.swagger.v3.oas.models.OpenAPI;
+import io.swagger.v3.oas.models.security.*;
+import io.swagger.v3.oas.models.servers.Server;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+
+import java.util.ArrayList;
+
+@Configuration
+@Profile("!integration")
+public class OpenApiConfig {
+
+    @Value("${api.baseUrl}")
+    private String baseUrl;
+
+    @Value("${springdoc.swagger-ui.oauth.authorization-url}")
+    private String authorizationUri;
+
+    @Value("${springdoc.swagger-ui.oauth.token-url}")
+    private String tokenUri;
+
+    @Bean
+    public OpenAPI openAPI() {
+        Server httpsServer = new Server().url(baseUrl);
+        OpenAPI openApi = new OpenAPI();
+        ArrayList<Server> servers = new ArrayList<>();
+        servers.add(httpsServer);
+        openApi.setServers(servers);
+        openApi.addSecurityItem(new SecurityRequirement().addList("oidcAuth"))
+                .components(new Components()
+                        .addSecuritySchemes("oidcAuth",
+                                new SecurityScheme()
+                                        .type(SecurityScheme.Type.OAUTH2)
+                                        .flows(new OAuthFlows()
+                                                .authorizationCode(new OAuthFlow()
+                                                        .authorizationUrl(authorizationUri)
+                                                        .tokenUrl(tokenUri)
+                                                        .scopes(new Scopes()
+                                                                .addString("openid", "OpenID scope")
+                                                                .addString("profile", "OpenID profile")
+                                                                .addString("email", "OpenID email"))
+                                                )
+                                        )
+                        )
+                )
+                .addSecurityItem(new SecurityRequirement().addList("oidcAuth"));
+        return openApi;
+    }
+}

src/main/java/com/hithomelabs/CFTunnels/Config/Security/SecuirtyConfig.java

@@ -0,0 +1,41 @@
+package com.hithomelabs.CFTunnels.Config.Security;
+
+import com.hithomelabs.CFTunnels.Config.CustomOidcUserConfiguration;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configurers.oauth2.client.OAuth2LoginConfigurer;
+import org.springframework.security.web.SecurityFilterChain;
+
+
+@Configuration
+@EnableWebSecurity
+@EnableMethodSecurity(
+        prePostEnabled = true,
+        securedEnabled = true,
+        jsr250Enabled = true
+)
+public class SecuirtyConfig {
+
+    @Autowired
+    private CustomOidcUserConfiguration customOidcUserConfiguration;
+
+    @Bean
+    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+        http
+                .authorizeHttpRequests(auth -> auth
+                        //.requestMatchers( "/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html" ).permitAll()
+                        .anyRequest().authenticated()
+                ).csrf(csrf -> csrf.disable())
+                .with(new OAuth2LoginConfigurer<>(),
+                        oauth2 -> oauth2.userInfoEndpoint(u -> u.oidcUserService(customOidcUserConfiguration)));
+
+
+        return http.build();
+    }
+
+}

src/main/java/com/hithomelabs/CFTunnels/Controllers/TunnelController.java

@@ -1,30 +1,50 @@
 package com.hithomelabs.CFTunnels.Controllers;
 
 import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
+import com.hithomelabs.CFTunnels.Config.AuthoritiesToGroupMapping;
-import com.fasterxml.jackson.databind.SerializationFeature;
 import com.hithomelabs.CFTunnels.Config.CloudflareConfig;
 import com.hithomelabs.CFTunnels.Config.RestTemplateConfig;
+import com.hithomelabs.CFTunnels.Entity.Request;
+import com.hithomelabs.CFTunnels.Entity.Tunnel;
+import com.hithomelabs.CFTunnels.Entity.User;
 import com.hithomelabs.CFTunnels.Headers.AuthKeyEmailHeader;
 import com.hithomelabs.CFTunnels.Models.Config;
 import com.hithomelabs.CFTunnels.Models.Ingress;
 import com.hithomelabs.CFTunnels.Models.TunnelResponse;
+import com.hithomelabs.CFTunnels.Models.TunnelsResponse;
+import com.hithomelabs.CFTunnels.Repositories.UserRepository;
+import com.hithomelabs.CFTunnels.Services.CloudflareAPIService;
+import com.hithomelabs.CFTunnels.Services.MappingRequestService;
+import io.swagger.v3.oas.annotations.Operation;
+import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.boot.web.servlet.error.ErrorController;
+import org.springframework.dao.DataAccessException;
 import org.springframework.http.*;
-import org.springframework.http.converter.HttpMessageConverter;
+import org.springframework.http.*;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.client.RestTemplate;
 
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
+import java.util.NoSuchElementException;
+import java.util.UUID;
 
 @RestController
 @RequestMapping("/cloudflare")
-public class TunnelController {
+public class TunnelController implements ErrorController {
 
     private final RestTemplate restTemplate = new RestTemplate();
+    private static final String ERROR_PATH = "/error";
 
+    @Autowired
+    private AuthoritiesToGroupMapping authoritiesToGroupMapping;
     @Autowired
     private CloudflareConfig cloudflareConfig;
 
@@ -34,15 +54,37 @@ public class TunnelController {
     @Autowired
     private RestTemplateConfig restTemplateConfig;
 
+    @Autowired
+    CloudflareAPIService cloudflareAPIService;
+
+    @Autowired
+    MappingRequestService mappingRequestService;
+
+    @Autowired
+    private UserRepository userRepository;
+
+    @Value("${spring.profiles.active}")
+    private String environment;
+
+    @PreAuthorize("hasAnyRole('USER')")
+    @GetMapping("/whoami")
+    public Map<String,Object> whoAmI(@AuthenticationPrincipal OidcUser oidcUser) {
+
+        List<String> authorities = oidcUser.getAuthorities().stream()
+                .map(GrantedAuthority::getAuthority)
+                .toList();
+        return Map.of(
+                "username", oidcUser.getPreferredUsername(),
+                "roles", authorities
+        );
+    }
+
+    @PreAuthorize("hasAnyRole('USER')")
     @GetMapping("/tunnels")
+    @Operation( security = { @SecurityRequirement(name = "oidcAuth") } )
     public ResponseEntity<Map<String,Object>> getTunnels(){
 
-        // * * Resource URL to hit get request at
+        ResponseEntity<TunnelsResponse> responseEntity = cloudflareAPIService.getCloudflareTunnels();
-        String url = "https://api.cloudflare.com/client/v4/accounts/" + cloudflareConfig.getAccountId() + "/cfd_tunnel";
-
-        HttpEntity<String> httpEntity = new HttpEntity<>("",authKeyEmailHeader.getHttpHeaders());
-        ResponseEntity<Map> responseEntity = restTemplate.exchange(url, HttpMethod.GET, httpEntity, Map.class);
-
         Map<String, Object> jsonResponse = new HashMap<>();
         jsonResponse.put("status", "success");
         jsonResponse.put("data", responseEntity.getBody());
@@ -50,15 +92,39 @@ public class TunnelController {
         return ResponseEntity.ok(jsonResponse);
     }
 
-    @GetMapping("/tunnel/{tunnelId}")
+    @PreAuthorize("hasAnyRole('USER')")
-    public ResponseEntity<Map<String,Object>> getTunnelConfigurations(@PathVariable String tunnelId) throws JsonProcessingException {
+    @GetMapping("/configured/tunnels")
+    public ResponseEntity<Map<String,Object>> getConfiguredTunnels(){
+        try {
+            List<Tunnel> tunnels = cloudflareAPIService.getAllConfiguredTunnels();
+            Map<String, Object> jsonResponse = new HashMap<>();
+            jsonResponse.put("status", "success");
+            jsonResponse.put("data", tunnels);
+            return ResponseEntity.ok(jsonResponse);
+        } catch (DataAccessException e) {
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
 
-        // * * Resource URL to hit get request at
+    @PreAuthorize("hasAnyRole('USER')")
-        String url = "https://api.cloudflare.com/client/v4/accounts/" + cloudflareConfig.getAccountId() + "/cfd_tunnel/" + tunnelId + "/configurations";
+    @GetMapping("/requests")
+    public ResponseEntity<Map<String,Object>> getAllRequests() {
+        try {
+            List<Request> requests = mappingRequestService.getAllRequests();
+            Map<String, Object> jsonResponse = new HashMap<>();
+            jsonResponse.put("status", "success");
+            jsonResponse.put("data", requests);
+            return ResponseEntity.ok(jsonResponse);
+        } catch (DataAccessException e) {
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
 
-        HttpEntity<String> httpEntity = new HttpEntity<>("",authKeyEmailHeader.getHttpHeaders());
+    @PreAuthorize("hasAnyRole('DEVELOPER')")
-        ResponseEntity<Map> responseEntity = restTemplate.exchange(url, HttpMethod.GET, httpEntity, Map.class);
+    @GetMapping("/tunnels/{tunnelId}/mappings")
+    public ResponseEntity<Map<String,Object>> getTunnelConfigurations(@PathVariable String tunnelId) {
 
+        ResponseEntity<Map> responseEntity = cloudflareAPIService.getCloudflareTunnelConfigurations(tunnelId, restTemplate, Map.class);
         Map<String, Object> jsonResponse = new HashMap<>();
         jsonResponse.put("status", "success");
         jsonResponse.put("data", responseEntity.getBody());
@@ -66,16 +132,12 @@ public class TunnelController {
         return ResponseEntity.ok(jsonResponse);
     }
 
-// 50df9101-f625-4618-b7c5-100338a57124
+    // 50df9101-f625-4618-b7c5-100338a57124
-    @PutMapping("/tunnel/{tunnelId}/add")
+    @PreAuthorize("hasAnyRole('ADMIN')")
+    @PostMapping("/tunnels/{tunnelId}/mappings")
     public ResponseEntity<Map<String, Object>> addTunnelconfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException {
 
-        String url = "https://api.cloudflare.com/client/v4/accounts/" + cloudflareConfig.getAccountId() + "/cfd_tunnel/" + tunnelId + "/configurations";
+        ResponseEntity<TunnelResponse> responseEntity = cloudflareAPIService.getCloudflareTunnelConfigurations(tunnelId, restTemplateConfig.restTemplate(), TunnelResponse.class);
-
-        // * * Getting existing public hostname mappings
-        HttpHeaders httpHeaders = authKeyEmailHeader.getHttpHeaders();
-        HttpEntity<String> httpEntity = new HttpEntity<>("",httpHeaders);
-        ResponseEntity<TunnelResponse> responseEntity = restTemplateConfig.restTemplate().exchange(url, HttpMethod.GET, httpEntity, TunnelResponse.class);
 
         // * * Inserting new ingress value at second-to last position in list
         Config config = responseEntity.getBody().getResult().getConfig();
@@ -83,9 +145,7 @@ public class TunnelController {
         response_ingress.add(response_ingress.size()-1, ingress);
 
         // * * Hitting put endpoint
-        httpHeaders.setContentType(MediaType.APPLICATION_JSON);
+        ResponseEntity<TunnelResponse> response = cloudflareAPIService.putCloudflareTunnelConfigurations(tunnelId, restTemplateConfig.restTemplate(), TunnelResponse.class, config);
-        HttpEntity<Config> entity = new HttpEntity<>(config, httpHeaders);
-        ResponseEntity<Map> response = restTemplateConfig.restTemplate().exchange(url, HttpMethod.PUT, entity, Map.class);
 
         // * * Displaying response
         Map<String, Object> jsonResponse = new HashMap<>();
@@ -95,15 +155,11 @@ public class TunnelController {
         return ResponseEntity.ok(jsonResponse);
     }
 
-    @PutMapping("/tunnel/{tunnelId}/delete")
+    @PreAuthorize("hasAnyRole('DEVELOPER')")
+    @DeleteMapping("/tunnels/{tunnelId}/mappings")
     public ResponseEntity<Map<String, Object>> deleteTunnelConfiguration(@PathVariable String tunnelId, @RequestBody Ingress ingress) throws JsonProcessingException {
 
-        String url = "https://api.cloudflare.com/client/v4/accounts/" + cloudflareConfig.getAccountId() + "/cfd_tunnel/" + tunnelId + "/configurations";
+        ResponseEntity<TunnelResponse> responseEntity = cloudflareAPIService.getCloudflareTunnelConfigurations(tunnelId, restTemplateConfig.restTemplate(), TunnelResponse.class);
-
-        // * * Getting existing public hostname mappings
-        HttpHeaders httpHeaders = authKeyEmailHeader.getHttpHeaders();
-        HttpEntity<String> httpEntity = new HttpEntity<>("",httpHeaders);
-        ResponseEntity<TunnelResponse> responseEntity = restTemplateConfig.restTemplate().exchange(url, HttpMethod.GET, httpEntity, TunnelResponse.class);
 
         // * * Deleting the selected ingress value
         Config config = responseEntity.getBody().getResult().getConfig();
@@ -111,9 +167,7 @@ public class TunnelController {
         Boolean result = Ingress.deleteByHostName(response_ingress, ingress.getHostname());
 
         // * * Hitting put endpoint
-        httpHeaders.setContentType(MediaType.APPLICATION_JSON);
+        ResponseEntity<TunnelResponse> response = cloudflareAPIService.putCloudflareTunnelConfigurations(tunnelId, restTemplateConfig.restTemplate(), TunnelResponse.class, config);
-        HttpEntity<Config> entity = new HttpEntity<>(config, httpHeaders);
-        ResponseEntity<Map> response = restTemplateConfig.restTemplate().exchange(url, HttpMethod.PUT, entity, Map.class);
 
         // * * Displaying response
         Map<String, Object> jsonResponse = new HashMap<>();
@@ -129,4 +183,70 @@ public class TunnelController {
 
         return ResponseEntity.ok(jsonResponse);
     }
+
+    @PreAuthorize("hasAnyRole('DEVELOPER')")
+    @PostMapping("/tunnels/configure/{tunnelId}/requests")
+    public ResponseEntity<Request> createTunnelMappingRequest(@PathVariable String tunnelId, @AuthenticationPrincipal OidcUser oidcUser, @RequestBody Ingress ingess){
+        Request request = mappingRequestService.createMappingRequest(tunnelId, ingess, oidcUser);
+        if(request.getId() != null)
+            return ResponseEntity.status(HttpStatus.CREATED).body(request);
+        return ResponseEntity.status(HttpStatus.BAD_REQUEST).build();
+    }
+
+    @PreAuthorize("hasAnyRole('APPROVER')")
+    @PutMapping("/requests/{requestId}/approve")
+    public ResponseEntity<Request> approveMappingRequest(@PathVariable UUID requestId, @AuthenticationPrincipal OidcUser oidcUser) {
+        try {
+            User approver = userRepository.findByEmail(oidcUser.getEmail())
+                    .orElseThrow(() -> new RuntimeException("Approver not found"));
+            Request request = mappingRequestService.approveRequest(requestId, approver);
+            return ResponseEntity.ok(request);
+        } catch (NoSuchElementException e) {
+            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
+        } catch (IllegalStateException e) {
+            return ResponseEntity.status(HttpStatus.CONFLICT).build();
+        } catch (RuntimeException e) {
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
+
+    @PreAuthorize("hasAnyRole('APPROVER')")
+    @PutMapping("/requests/{requestId}/reject")
+    public ResponseEntity<Request> rejectMappingRequest(@PathVariable UUID requestId, @AuthenticationPrincipal OidcUser oidcUser) {
+        try {
+            User rejecter = userRepository.findByEmail(oidcUser.getEmail())
+                    .orElseThrow(() -> new RuntimeException("Rejecter not found"));
+            Request request = mappingRequestService.rejectRequest(requestId, rejecter);
+            return ResponseEntity.ok(request);
+        } catch (NoSuchElementException e) {
+            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
+        } catch (IllegalStateException e) {
+            return ResponseEntity.status(HttpStatus.CONFLICT).build();
+        } catch (RuntimeException e) {
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
+
+    @PreAuthorize("hasAnyRole('ADMIN')")
+    @PutMapping("/tunnels/configure/{tunnelId}")
+    public ResponseEntity<Tunnel> configureTunnelForEnvironment(@PathVariable String tunnelId, @AuthenticationPrincipal OidcUser user) {
+        /*
+         *  * Returns 200 if an object is created or updated with a new representation of the object
+         *  * Returns 204 if the object state did not need any changing.
+         *  * Returns 404 if the tunnelId is not valid
+         */
+
+        try {
+            Tunnel tunnel = cloudflareAPIService.createOrUpdateTunnel(tunnelId, environment);
+            if (tunnel == null)
+                return ResponseEntity.status(HttpStatus.NO_CONTENT).build();
+            else
+                return ResponseEntity.ok(tunnel);
+        } catch (NoSuchElementException e) {
+            return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
+        } catch (RuntimeException e) {
+            return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR).build();
+        }
+    }
+
 }

src/main/java/com/hithomelabs/CFTunnels/Entity/Mapping.java

@@ -0,0 +1,38 @@
+package com.hithomelabs.CFTunnels.Entity;
+
+import jakarta.persistence.*;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+
+import java.util.UUID;
+
+@Entity
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
+@Table(name = "mappings")
+public class Mapping {
+
+    @Id
+    @GeneratedValue
+    @Column(columnDefinition = "uuid", nullable = false, unique = true)
+    private UUID id;
+
+    @Column(nullable = false)
+    private int port;
+
+    @Enumerated(EnumType.STRING)
+    @Column(length = 10, nullable = false)
+    private Protocol protocol;
+
+    @Column(length = 50, nullable = false)
+    private String subdomain;
+
+    @ManyToOne(fetch = FetchType.LAZY)
+    @JoinColumn(name = "tunnel_id", nullable = false)
+    private Tunnel tunnel;
+}

src/main/java/com/hithomelabs/CFTunnels/Entity/Protocol.java

@@ -0,0 +1,8 @@
+package com.hithomelabs.CFTunnels.Entity;
+
+public enum Protocol {
+    HTTP,
+    HTTPS,
+    TCP,
+    SSH
+}

src/main/java/com/hithomelabs/CFTunnels/Entity/Request.java

@@ -0,0 +1,45 @@
+package com.hithomelabs.CFTunnels.Entity;
+
+import jakarta.persistence.*;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import java.util.UUID;
+
+@Entity
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
+@Table(name = "requests")
+public class Request {
+
+    @Id
+    @GeneratedValue
+    @Column(columnDefinition = "uuid", unique = true, nullable = false)
+    private UUID id;
+
+    @OneToOne
+    @JoinColumn(name = "mapping_id", unique = true, nullable = false)
+    private Mapping mapping;
+
+    @ManyToOne
+    @JoinColumn(name = "created_by", nullable = false)
+    private User createdBy;
+
+    @ManyToOne
+    @JoinColumn(name = "accepted_by")
+    private User acceptedBy;
+
+    public enum RequestStatus {
+        PENDING,
+        APPROVED,
+        REJECTED
+    }
+
+    @Enumerated(EnumType.STRING)
+    @Column(length = 10, nullable = false)
+    private RequestStatus status;
+}

src/main/java/com/hithomelabs/CFTunnels/Entity/Tunnel.java

@@ -0,0 +1,28 @@
+package com.hithomelabs.CFTunnels.Entity;
+
+import jakarta.persistence.*;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import java.util.UUID;
+
+@Entity
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
+@Table(name="tunnels")
+public class Tunnel {
+
+    @Id
+    @Column(columnDefinition = "uuid", insertable = false, updatable = false, nullable = false)
+    private UUID id;
+
+    @Column(length = 10, unique = true, nullable = false)
+    private String environment;
+
+    @Column(length = 50, unique = true, nullable = false)
+    private String name;
+}

src/main/java/com/hithomelabs/CFTunnels/Entity/User.java

@@ -0,0 +1,30 @@
+package com.hithomelabs.CFTunnels.Entity;
+import jakarta.persistence.*;
+import jakarta.validation.constraints.Size;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import java.util.UUID;
+
+@Entity
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
+@Table(name = "users")
+public class User {
+    @Id
+    @GeneratedValue
+    @Column(columnDefinition = "uuid", insertable = false, updatable = false, nullable = false)
+    private UUID id;
+
+    @Column(length = 50, nullable = false)
+    @Size(max = 50)
+    private String name;
+
+    @Column(length = 50, nullable = false)
+    @Size(max = 50)
+    private String email;
+}

src/main/java/com/hithomelabs/CFTunnels/Exceptions/ExternalServiceException.java

@@ -0,0 +1,5 @@
+package com.hithomelabs.CFTunnels.Exceptions;
+
+public class ExternalServiceException extends RuntimeException {
+    public ExternalServiceException(String message) { super(message); }
+}

src/main/java/com/hithomelabs/CFTunnels/Models/Authorities.java

@@ -0,0 +1,10 @@
+package com.hithomelabs.CFTunnels.Models;
+
+public class Authorities {
+
+    public static final String ROLE_ADMIN = "ROLE_ADMIN";
+    public static final String ROLE_DEVELOPER = "ROLE_DEVELOPER";
+    public static final String ROLE_USER = "ROLE_USER";
+    public static final String ROLE_APPROVER = "ROLE_APPROVER";
+
+}

src/main/java/com/hithomelabs/CFTunnels/Models/Groups.java

@@ -0,0 +1,10 @@
+package com.hithomelabs.CFTunnels.Models;
+
+public class Groups {
+
+    public static final String HOMELAB_DEVELOPER = "homelab developer";
+    public static final String SYSTEM_ADMIN = "authentik Admins";
+    public static final String POWER_USER = "arr premium";
+    public static final String GITEA_USER = "gitrestricted";
+
+}

src/main/java/com/hithomelabs/CFTunnels/Models/Ingress.java

@@ -1,39 +1,26 @@
 package com.hithomelabs.CFTunnels.Models;
 
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
 import java.util.List;
 import java.util.Map;
 
+@NoArgsConstructor
+@AllArgsConstructor
+@Getter
+@Setter
 public class Ingress {
 
     private String service;
     private String hostname;
     private Map<String, Object> originRequest;
+    private String path;
 
     public static boolean deleteByHostName(List<Ingress> ingressList, String toBeDeleted){
          return ingressList.removeIf(ingress -> ingress.getHostname() != null && ingress.getHostname().equals(toBeDeleted));
     }
 
-    public String getService() {
-        return service;
-    }
-
-    public void setService(String service) {
-        this.service = service;
-    }
-
-    public String getHostname() {
-        return hostname;
-    }
-
-    public void setHostname(String hostname) {
-        this.hostname = hostname;
-    }
-
-    public Map<String, Object> getOriginRequest() {
-        return originRequest;
-    }
-
-    public void setOriginRequest(Map<String, Object> originRequest) {
-        this.originRequest = originRequest;
-    }
 }

src/main/java/com/hithomelabs/CFTunnels/Models/TunnelResponse.java

@@ -1,8 +1,17 @@
 package com.hithomelabs.CFTunnels.Models;
 
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
 import java.util.List;
 import java.util.Map;
 
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
 public class TunnelResponse {
 
     private List<Map<String, Object>> errors;
@@ -12,45 +21,4 @@ public class TunnelResponse {
     private Boolean success;
 
     private Result result;
-
-    public Result getResult() {
-        return result;
-    }
-
-    public void setResult(Result result) {
-        this.result = result;
-    }
-
-    public List<Map<String, Object>> getErrors() {
-        return errors;
-    }
-
-    public void setErrors(List<Map<String, Object>> errors) {
-        this.errors = errors;
-    }
-
-    public List<Map<String, Object>> getMessages() {
-        return messages;
-    }
-
-    public void setMessages(List<Map<String, Object>> messages) {
-        this.messages = messages;
-    }
-
-    public boolean isSuccess() {
-        return success;
-    }
-
-    public void setSuccess(boolean success) {
-        this.success = success;
-    }
-
-    public Boolean getSuccess() {
-        return success;
-    }
-
-    public void setSuccess(Boolean success) {
-        this.success = success;
-    }
-
 }

src/main/java/com/hithomelabs/CFTunnels/Models/TunnelResult.java

@@ -0,0 +1,19 @@
+package com.hithomelabs.CFTunnels.Models;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
+public class TunnelResult {
+
+    private String id;
+
+    private String name;
+}

src/main/java/com/hithomelabs/CFTunnels/Models/TunnelsResponse.java

@@ -0,0 +1,28 @@
+package com.hithomelabs.CFTunnels.Models;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import lombok.AllArgsConstructor;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
+
+import java.util.List;
+import java.util.Map;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+@Getter
+@Setter
+@NoArgsConstructor
+@AllArgsConstructor
+public class TunnelsResponse {
+
+    private List<TunnelResult> result;
+
+    private List<Map<String, Object>> errors;
+
+    private List<Map<String, Object>> messages;
+
+    private Boolean success;
+
+
+}

src/main/java/com/hithomelabs/CFTunnels/Repositories/MappingRepository.java

@@ -0,0 +1,11 @@
+package com.hithomelabs.CFTunnels.Repositories;
+
+import com.hithomelabs.CFTunnels.Entity.Mapping;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+import java.util.UUID;
+
+@Repository
+public interface MappingRepository extends JpaRepository<Mapping, UUID> {
+}

src/main/java/com/hithomelabs/CFTunnels/Repositories/RequestRepository.java

@@ -0,0 +1,24 @@
+package com.hithomelabs.CFTunnels.Repositories;
+
+import com.hithomelabs.CFTunnels.Entity.Request;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.Pageable;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.data.repository.query.Param;
+import org.springframework.stereotype.Repository;
+
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+@Repository
+public interface RequestRepository extends JpaRepository<Request, UUID> {
+    Page<Request> findByStatus(Request.RequestStatus status, Pageable pageable);
+
+    @Query("SELECT r FROM Request r JOIN FETCH r.mapping m JOIN FETCH m.tunnel JOIN FETCH r.createdBy LEFT JOIN FETCH r.acceptedBy")
+    List<Request> findAllWithDetails();
+
+    @Query("SELECT r FROM Request r JOIN FETCH r.mapping m JOIN FETCH m.tunnel JOIN FETCH r.createdBy LEFT JOIN FETCH r.acceptedBy WHERE r.id = :id")
+    Optional<Request> findByIdWithDetails(@Param("id") UUID id);
+}

src/main/java/com/hithomelabs/CFTunnels/Repositories/TunnelRepository.java

@@ -0,0 +1,12 @@
+package com.hithomelabs.CFTunnels.Repositories;
+
+import com.hithomelabs.CFTunnels.Entity.Tunnel;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+import java.util.Optional;
+import java.util.UUID;
+
+@Repository
+public interface TunnelRepository extends JpaRepository<Tunnel, UUID> {
+}

src/main/java/com/hithomelabs/CFTunnels/Repositories/UserRepository.java

@@ -0,0 +1,14 @@
+package com.hithomelabs.CFTunnels.Repositories;
+
+import com.hithomelabs.CFTunnels.Entity.User;
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+import java.util.Optional;
+import java.util.UUID;
+
+@Repository
+public interface UserRepository extends JpaRepository<User, UUID> {
+
+    Optional<User> findByEmail(String email);
+}

src/main/java/com/hithomelabs/CFTunnels/Services/CloudflareAPIService.java

@@ -0,0 +1,108 @@
+package com.hithomelabs.CFTunnels.Services;
+
+import com.hithomelabs.CFTunnels.Config.CloudflareConfig;
+import com.hithomelabs.CFTunnels.Entity.Tunnel;
+import com.hithomelabs.CFTunnels.Exceptions.ExternalServiceException;
+import com.hithomelabs.CFTunnels.Headers.AuthKeyEmailHeader;
+import com.hithomelabs.CFTunnels.Models.Config;
+import com.hithomelabs.CFTunnels.Models.Ingress;
+import com.hithomelabs.CFTunnels.Models.TunnelResponse;
+import com.hithomelabs.CFTunnels.Models.TunnelResult;
+import com.hithomelabs.CFTunnels.Models.TunnelsResponse;
+import com.hithomelabs.CFTunnels.Repositories.TunnelRepository;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.dao.DataAccessException;
+import org.springframework.http.*;
+import org.springframework.stereotype.Service;
+import org.springframework.web.client.RestTemplate;
+
+import java.util.List;
+import java.util.Map;
+import java.util.NoSuchElementException;
+import java.util.Optional;
+import java.util.UUID;
+
+@Service
+public class CloudflareAPIService {
+
+    @Autowired
+    CloudflareConfig cloudflareConfig;
+
+    @Autowired
+    AuthKeyEmailHeader authKeyEmailHeader;
+
+    @Autowired
+    RestTemplate restTemplate;
+
+    @Autowired
+    TunnelRepository tunnelRepository;
+
+    public ResponseEntity<TunnelsResponse> getCloudflareTunnels() {
+
+        String url = "https://api.cloudflare.com/client/v4/accounts/" + cloudflareConfig.getAccountId() + "/cfd_tunnel";
+
+        HttpEntity<String> httpEntity = new HttpEntity<>("", authKeyEmailHeader.getHttpHeaders());
+        ResponseEntity<TunnelsResponse> responseEntity = restTemplate.exchange(url, HttpMethod.GET, httpEntity, TunnelsResponse.class);
+        return responseEntity;
+    }
+
+    public <T> ResponseEntity<T> getCloudflareTunnelConfigurations(String tunnelId, RestTemplate restTemplate, Class<T> responseType) {
+
+        // * * Resource URL to hit get request at
+        String url = "https://api.cloudflare.com/client/v4/accounts/" + cloudflareConfig.getAccountId() + "/cfd_tunnel/" + tunnelId + "/configurations";
+
+        HttpEntity<String> httpEntity = new HttpEntity<>("",authKeyEmailHeader.getHttpHeaders());
+        ResponseEntity<T> responseEntity = restTemplate.exchange(url, HttpMethod.GET, httpEntity, responseType);
+        return responseEntity;
+    }
+
+    public <T> ResponseEntity<T> putCloudflareTunnelConfigurations(String tunnelId, RestTemplate restTemplate, Class<T> responseType, Config config) {
+
+        // * * Resource URL to hit get request at
+        String url = "https://api.cloudflare.com/client/v4/accounts/" + cloudflareConfig.getAccountId() + "/cfd_tunnel/" + tunnelId + "/configurations";
+
+        HttpHeaders httpHeaders = authKeyEmailHeader.getHttpHeaders();
+        httpHeaders.setContentType(MediaType.APPLICATION_JSON);
+        HttpEntity<Config> entity = new HttpEntity<>(config, httpHeaders);
+        ResponseEntity<T> responseEntity = restTemplate.exchange(url, HttpMethod.PUT, entity, responseType);
+        return responseEntity;
+    }
+
+    private Tunnel getTunnelFromTunnelResponse(TunnelResult tunnelResult, String env){
+        return new Tunnel(UUID.fromString(tunnelResult.getId()), env, tunnelResult.getName());
+    }
+
+    public Tunnel createOrUpdateTunnel(String tunnelId, String environment) throws ExternalServiceException, NoSuchElementException  {
+
+        ResponseEntity<TunnelsResponse> responseEntity = getCloudflareTunnels();
+
+        if (responseEntity.getStatusCode().isError())
+            throw new ExternalServiceException("Cloudflare API error: " + responseEntity.getStatusCode());
+
+        TunnelResult tunnelResult = responseEntity.getBody().getResult().stream().filter(t -> t.getId().equals(tunnelId)).findFirst().orElse(null);
+        if (tunnelResult == null)
+            throw new NoSuchElementException();
+
+        Tunnel toBeConfigured = getTunnelFromTunnelResponse(tunnelResult, environment);
+        Tunnel fromDatabase = tunnelRepository.findById(UUID.fromString(tunnelId)).orElse(null);
+
+        if (fromDatabase != null)
+            tunnelRepository.deleteById(UUID.fromString(tunnelId));
+        tunnelRepository.save(toBeConfigured);
+        return toBeConfigured;
+    }
+
+    public List<Tunnel> getAllConfiguredTunnels() {
+        return tunnelRepository.findAll();
+    }
+
+    public ResponseEntity<TunnelResponse> addTunnelIngress(String tunnelId, Ingress ingress) {
+        ResponseEntity<TunnelResponse> currentConfig = getCloudflareTunnelConfigurations(tunnelId, restTemplate, TunnelResponse.class);
+        
+        Config config = currentConfig.getBody().getResult().getConfig();
+        List<Ingress> ingressList = config.getIngress();
+        ingressList.add(ingressList.size() - 1, ingress);
+        
+        return putCloudflareTunnelConfigurations(tunnelId, restTemplate, TunnelResponse.class, config);
+    }
+}

src/main/java/com/hithomelabs/CFTunnels/Services/MappingRequestService.java

@@ -0,0 +1,152 @@
+package com.hithomelabs.CFTunnels.Services;
+
+import com.hithomelabs.CFTunnels.Entity.Mapping;
+import com.hithomelabs.CFTunnels.Entity.Protocol;
+import com.hithomelabs.CFTunnels.Entity.Request;
+import com.hithomelabs.CFTunnels.Entity.Tunnel;
+import com.hithomelabs.CFTunnels.Entity.User;
+import com.hithomelabs.CFTunnels.Models.Ingress;
+import com.hithomelabs.CFTunnels.Repositories.MappingRepository;
+import com.hithomelabs.CFTunnels.Repositories.RequestRepository;
+import com.hithomelabs.CFTunnels.Repositories.TunnelRepository;
+import com.hithomelabs.CFTunnels.Repositories.UserRepository;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.oauth2.core.oidc.user.OidcUser;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+
+import java.util.List;
+import java.util.Map;
+import java.util.NoSuchElementException;
+import java.util.UUID;
+
+@Service
+public class MappingRequestService {
+
+    @Autowired
+    UserRepository userRepository;
+
+    @Autowired
+    MappingRepository mappingRepository;
+
+    @Autowired
+    RequestRepository requestRepository;
+
+    @Autowired
+    TunnelRepository tunnelRepository;
+
+    @Autowired
+    CloudflareAPIService cloudflareAPIService;
+
+    public Mapping createMapping(UUID tunnelId, Ingress ingress){
+        Tunnel tunnel = tunnelRepository.findById(tunnelId).orElseThrow(() -> new RuntimeException("Tunnel not found"));
+        Mapping mapping = createMappingFromTunnelIngress(tunnel, ingress);
+        return mappingRepository.save(mapping);
+    }
+
+    public Request createRequest(Mapping mapping, User user){
+        Request request = new Request();
+        request.setMapping(mapping);
+        request.setCreatedBy(user);
+        request.setStatus(Request.RequestStatus.PENDING);
+        return requestRepository.save(request);
+    }
+
+    public Request createMappingRequest(String tunnelId, Ingress ingress, OidcUser oidcUser){
+        User user = userRepository.findByEmail(oidcUser.getEmail()).orElseGet(()-> mapUser(oidcUser));
+        Mapping mapping = createMapping(UUID.fromString(tunnelId), ingress);
+        return createRequest(mapping, user);
+    }
+
+    @Transactional(readOnly = true)
+    public List<Request> getAllRequests() {
+        return requestRepository.findAllWithDetails();
+    }
+
+    public User mapUser(OidcUser oidcUser){
+        String email = oidcUser.getEmail();
+        String name = oidcUser.getNickName();
+        User user = new User();
+        user.setEmail(email);
+        user.setName(name);
+        userRepository.save(user);
+        return user;
+    }
+
+    public Mapping createMappingFromTunnelIngress(Tunnel tunnel, Ingress ingress){
+        Mapping mapping = new Mapping();
+        mapping.setTunnel(tunnel);
+        
+        String serviceString = ingress.getService().toLowerCase();
+        Protocol protocol = parseProtocol(serviceString);
+        mapping.setProtocol(protocol);
+        
+        mapping.setPort(Integer.parseInt(ingress.getService().split(":")[2]));
+        mapping.setSubdomain(ingress.getHostname().split("\\.")[0]);
+        return mapping;
+    }
+
+    private Protocol parseProtocol(String serviceString) {
+        if (serviceString.startsWith("https://")) {
+            return Protocol.HTTPS;
+        } else if (serviceString.startsWith("tcp://")) {
+            return Protocol.TCP;
+        } else if (serviceString.startsWith("ssh://")) {
+            return Protocol.SSH;
+        }
+        return Protocol.HTTP;
+    }
+
+    @Transactional
+    public Request approveRequest(UUID requestId, User approver) {
+        Request request = requestRepository.findByIdWithDetails(requestId)
+                .orElseThrow(() -> new NoSuchElementException("Request not found"));
+
+        if (request.getStatus() != Request.RequestStatus.PENDING) {
+            throw new IllegalStateException("Request is not in PENDING status");
+        }
+
+        Mapping mapping = request.getMapping();
+        Tunnel tunnel = mapping.getTunnel();
+        
+        Ingress ingress = createIngressFromMapping(mapping);
+        
+        ResponseEntity<?> response = cloudflareAPIService.addTunnelIngress(
+                tunnel.getId().toString(), 
+                ingress
+        );
+
+        if (!response.getStatusCode().is2xxSuccessful()) {
+            throw new RuntimeException("Failed to add mapping to Cloudflare");
+        }
+
+        request.setStatus(Request.RequestStatus.APPROVED);
+        request.setAcceptedBy(approver);
+        return requestRepository.save(request);
+    }
+
+    @Transactional
+    public Request rejectRequest(UUID requestId, User rejecter) {
+        Request request = requestRepository.findByIdWithDetails(requestId)
+                .orElseThrow(() -> new NoSuchElementException("Request not found"));
+
+        if (request.getStatus() != Request.RequestStatus.PENDING) {
+            throw new IllegalStateException("Request is not in PENDING status");
+        }
+
+        request.setStatus(Request.RequestStatus.REJECTED);
+        request.setAcceptedBy(rejecter);
+        return requestRepository.save(request);
+    }
+
+    private static final String SERVER_IP = "192.168.0.100";
+
+    private Ingress createIngressFromMapping(Mapping mapping) {
+        Tunnel tunnel = mapping.getTunnel();
+        String protocol = mapping.getProtocol().name().toLowerCase();
+        String service = protocol + "://" + SERVER_IP + ":" + mapping.getPort();
+        String hostname = mapping.getSubdomain() + ".hithomelabs.com";
+        return new Ingress(service, hostname, null, null);
+    }
+}

src/main/resources/application-ci.properties

@@ -0,0 +1,7 @@
+api.baseUrl=https://testcf.hithomelabs.com
+
+spring.datasource.url=jdbc:h2:mem:testdb
+spring.datasource.driver-class-name=org.h2.Driver
+spring.datasource.username=sa
+spring.datasource.password=
+spring.jpa.hibernate.ddl-auto=none

src/main/resources/application-integration.properties

@@ -0,0 +1,9 @@
+cloudflare.accountId=${CLOUDFLARE_ACCOUNT_ID}
+cloudflare.apiKey=${CLOUDFLARE_API_KEY}
+cloudflare.email=${CLOUDFLARE_EMAIL}
+
+spring.datasource.url=jdbc:h2:mem:testdb
+spring.datasource.driver-class-name=org.h2.Driver
+spring.datasource.username=sa
+spring.datasource.password=
+spring.jpa.hibernate.ddl-auto=none

src/main/resources/application-local.properties

@@ -0,0 +1,12 @@
+api.baseUrl=http://localhost:8080
+
+management.health.db.enabled=true
+management.endpoints.web.exposure.include=health
+management.endpoint.health.show-details=always
+
+logging.level.org.hibernate.SQL=DEBUG
+debug=true
+
+spring.jpa.hibernate.ddl-auto=update
+spring.jpa.show-sql=true
+spring.datasource.url=jdbc:postgresql://localhost:5432/cftunnel

src/main/resources/application-prod.properties

@@ -0,0 +1,12 @@
+api.baseUrl=https://cftunnels.hithomelabs.com
+
+# Production Database Configuration
+spring.datasource.url=jdbc:postgresql://postgres:5432/cftunnel
+spring.datasource.username=${POSTGRES_USERNAME}
+spring.datasource.password=${POSTGRES_PASSWORD}
+spring.datasource.driver-class-name=org.postgresql.Driver
+
+# JPA Configuration
+spring.jpa.hibernate.ddl-auto=create-drop
+spring.jpa.show-sql=false
+spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect

src/main/resources/application-test.properties

@@ -0,0 +1,12 @@
+api.baseUrl=https://testcf.hithomelabs.com
+
+# Test Database Configuration - Same as Production
+spring.datasource.url=jdbc:postgresql://postgres:5432/cftunnel
+spring.datasource.username=${POSTGRES_USERNAME}
+spring.datasource.password=${POSTGRES_PASSWORD}
+spring.datasource.driver-class-name=org.postgresql.Driver
+
+# JPA Configuration
+spring.jpa.hibernate.ddl-auto=update
+spring.jpa.show-sql=true
+spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect

src/main/resources/application.properties

@@ -2,3 +2,37 @@ spring.application.name=CFTunnels
 cloudflare.accountId=${CLOUDFLARE_ACCOUNT_ID}
 cloudflare.apiKey=${CLOUDFLARE_API_KEY}
 cloudflare.email=${CLOUDFLARE_EMAIL}
+spring.profiles.active=${ENV}
+
+/ * * Masking sure app works behind a reverse proxy
+server.forward-headers-strategy=framework
+
+spring.security.oauth2.client.registration.cftunnels.client-id=${OAUTH_CLIENT_ID}
+spring.security.oauth2.client.registration.cftunnels.client-secret=${OAUTH_CLIENT_SECRET}
+spring.security.oauth2.client.registration.cftunnels.authorization-grant-type=authorization_code
+spring.security.oauth2.client.registration.cftunnels.redirect-uri={baseUrl}/login/oauth2/code/cftunnels
+spring.security.oauth2.client.registration.cftunnels.scope=openid,profile,email,offline_access,cftunnels
+spring.security.oauth2.client.provider.cftunnels.authorization-uri=https://auth.hithomelabs.com/application/o/authorize/
+spring.security.oauth2.client.provider.cftunnels.token-uri=https://auth.hithomelabs.com/application/o/token/
+spring.security.oauth2.client.provider.cftunnels.user-info-uri=https://auth.hithomelabs.com/application/o/userinfo/
+spring.security.oauth2.client.provider.cftunnels.jwk-set-uri=https://auth.hithomelabs.com/application/o/cftunnels/jwks/
+spring.security.oauth2.client.provider.cftunnels.issuer-uri=https://auth.hithomelabs.com/application/o/cftunnels/
+
+springdoc.swagger-ui.oauth.client-id=${SWAGGER_OAUTH_CLIENT_ID}
+springdoc.swagger-ui.oauth.client-secret= # leave empty for public client
+springdoc.swagger-ui.oauth.use-pkce=true
+springdoc.swagger-ui.oauth.scopes=openid,profile,email
+springdoc.swagger-ui.oauth.authorization-url=https://auth.hithomelabs.com/application/o/authorize/
+springdoc.swagger-ui.oauth.token-url=https://auth.hithomelabs.com/application/o/token/
+
+spring.datasource.url=jdbc:postgresql://192.168.0.100:5432/cftunnel
+spring.datasource.username=${POSTGRES_USERNAME}
+spring.datasource.password=${POSTGRES_PASSWORD}
+spring.datasource.driver-class-name=org.postgresql.Driver
+spring.sql.init.mode=never
+
+spring.jpa.hibernate.ddl-auto=update
+spring.jpa.show-sql=true
+spring.jpa.properties.hibernate.dialect=org.hibernate.dialect.PostgreSQLDialect
+
+spring.jpa.open-in-view=false

src/main/resources/schema.sql

@@ -0,0 +1,29 @@
+CREATE EXTENSION IF NOT EXISTS "pgcrypto";
+
+CREATE TABLE IF NOT EXISTS tunnels (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    environment VARCHAR(10) NOT NULL,
+    cf_tunnel_id UUID UNIQUE NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS users (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    name VARCHAR(50) NOT NULL
+);
+
+CREATE TABLE IF NOT EXISTS mappings (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    tunnel_id UUID NOT NULL REFERENCES tunnels(id) ON DELETE CASCADE,
+    port INT NOT NULL,
+    subdomain VARCHAR(50) NOT NULL
+--    UNIQUE (tunnel_id, port),
+--    UNIQUE (tunnel_id, subdomain)
+);
+
+CREATE TABLE IF NOT EXISTS requests (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    mapping_id UUID NOT NULL REFERENCES mappings(id) ON DELETE CASCADE,
+    created_by UUID NOT NULL REFERENCES users(id) ON DELETE RESTRICT,
+    accepted_by UUID REFERENCES users(id) ON DELETE SET NULL,
+    status VARCHAR(20) NOT NULL CHECK (status IN ('PENDING', 'APPROVED', 'REJECTED'))
+);

src/test/java/com/hithomelabs/CFTunnels/Controllers/TunnelControllerTest.java

@@ -0,0 +1,495 @@
+package com.hithomelabs.CFTunnels.Controllers;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.hithomelabs.CFTunnels.Config.AuthoritiesToGroupMapping;
+import com.hithomelabs.CFTunnels.Config.CloudflareConfig;
+import com.hithomelabs.CFTunnels.Config.RestTemplateConfig;
+import com.hithomelabs.CFTunnels.Headers.AuthKeyEmailHeader;
+import com.hithomelabs.CFTunnels.Entity.Request;
+import com.hithomelabs.CFTunnels.Entity.Tunnel;
+import com.hithomelabs.CFTunnels.Models.Authorities;
+import com.hithomelabs.CFTunnels.Models.Config;
+import com.hithomelabs.CFTunnels.Models.Groups;
+import com.hithomelabs.CFTunnels.Models.TunnelResponse;
+import com.hithomelabs.CFTunnels.Models.TunnelResult;
+import com.hithomelabs.CFTunnels.Models.TunnelsResponse;
+import com.hithomelabs.CFTunnels.Repositories.UserRepository;
+import com.hithomelabs.CFTunnels.Services.CloudflareAPIService;
+import com.hithomelabs.CFTunnels.Services.MappingRequestService;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
+import org.springframework.http.*;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.authority.SimpleGrantedAuthority;
+import org.springframework.security.oauth2.core.oidc.OidcIdToken;
+import org.springframework.security.oauth2.core.oidc.user.DefaultOidcUser;
+import org.springframework.test.context.bean.override.mockito.MockitoBean;
+import org.springframework.test.web.servlet.MockMvc;
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers;
+import org.springframework.web.client.RestTemplate;
+
+import java.io.IOException;
+import java.time.Instant;
+import java.util.*;
+
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageImpl;
+import org.springframework.data.domain.PageRequest;
+
+import static com.hithomelabs.CFTunnels.TestUtils.Util.getClassPathDataResource;
+import static org.hamcrest.core.IsIterableContaining.hasItem;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.when;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
+import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.oauth2Login;
+import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.*;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath;
+import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.*;
+import static org.hamcrest.Matchers.not;
+
+
+@WebMvcTest(TunnelController.class)
+class TunnelControllerTest {
+
+    @Autowired
+    MockMvc mockMvc;
+
+    @MockitoBean
+    AuthoritiesToGroupMapping authoritiesToGroupMapping;
+
+    @MockitoBean
+    CloudflareConfig cloudflareConfig;
+
+    @MockitoBean
+    AuthKeyEmailHeader authKeyEmailHeader;
+
+    @MockitoBean
+    RestTemplate restTemplate;
+
+    @MockitoBean
+    CloudflareAPIService cloudflareAPIService;
+
+    @MockitoBean
+    RestTemplateConfig restTemplateConfig;
+
+    @MockitoBean
+    MappingRequestService mappingRequestService;
+
+    @MockitoBean
+    UserRepository userRepository;
+
+    private static final String tunnelResponseSmallIngressFile = "tunnelResponseSmallIngress.json";
+
+    private static final String tunnelResponseLargeIngressFile = "tunnelResponseLargeIngress.json";
+
+    private static final String withAdditionalIngress;
+
+    static {
+        try {
+            withAdditionalIngress = getClassPathDataResource(tunnelResponseLargeIngressFile);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    public static final String withoutAdditionalIngress;
+    static {
+        try {
+            withoutAdditionalIngress = getClassPathDataResource(tunnelResponseSmallIngressFile);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    private static final String ingressJson = """
+            {
+                "service": "http://192.168.0.100:3457",
+                "hostname": "random.hithomelabs.com",
+                "originRequest": {}
+            }
+            """;
+
+    private DefaultOidcUser buildOidcUser(String username, String role) {
+
+        when(authoritiesToGroupMapping.getAuthorityForGroup()).thenReturn(Map.of(Groups.GITEA_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER))),
+                Groups.POWER_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER))),
+                Groups.HOMELAB_DEVELOPER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_DEVELOPER))),
+                Groups.SYSTEM_ADMIN, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_APPROVER), new SimpleGrantedAuthority(Authorities.ROLE_ADMIN)))));
+
+        Map<String, Set<GrantedAuthority>> roleAuthorityMapping = authoritiesToGroupMapping.getAuthorityForGroup();
+        List<GrantedAuthority> authorities = roleAuthorityMapping.get(role).stream().toList();
+
+        OidcIdToken idToken = new OidcIdToken(
+                "mock-token",
+                Instant.now(),
+                Instant.now().plusSeconds(3600),
+                Map.of("preferred_username", username, "sub", username)
+        );
+
+        return new DefaultOidcUser(authorities, idToken, "preferred_username");
+    }
+
+    private DefaultOidcUser buildOidcUserWithEmail(String username, String role, String email) {
+
+        when(authoritiesToGroupMapping.getAuthorityForGroup()).thenReturn(Map.of(Groups.GITEA_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER))),
+                Groups.POWER_USER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_USER))),
+                Groups.HOMELAB_DEVELOPER, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_DEVELOPER))),
+                Groups.SYSTEM_ADMIN, new HashSet<>(Set.of(new SimpleGrantedAuthority(Authorities.ROLE_APPROVER), new SimpleGrantedAuthority(Authorities.ROLE_ADMIN)))));
+
+        Map<String, Set<GrantedAuthority>> roleAuthorityMapping = authoritiesToGroupMapping.getAuthorityForGroup();
+        List<GrantedAuthority> authorities = roleAuthorityMapping.get(role).stream().toList();
+
+        OidcIdToken idToken = new OidcIdToken(
+                "mock-token",
+                Instant.now(),
+                Instant.now().plusSeconds(3600),
+                Map.of("preferred_username", username, "sub", username, "email", email)
+        );
+
+        return new DefaultOidcUser(authorities, idToken, "preferred_username");
+    }
+
+    @Test
+    @DisplayName("should return appropriate user roles when use belongs to group GITEA_USER")
+    public void testWhoAmI_user() throws Exception {
+        mockMvc.perform(get("/cloudflare/whoami")
+                        .with(oauth2Login().oauth2User(buildOidcUser("username", Groups.GITEA_USER))))
+                .andExpect(status().isOk())
+                .andExpect(MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON))
+                .andExpect(jsonPath("$.username").value("username"))
+                .andExpect(jsonPath("$.roles", hasItem("ROLE_USER")));
+    }
+
+    @Test
+    @DisplayName("should hit tunnels endpoint successfully with ROLE_USER")
+    public void testGetTunnelsForRoleUser() throws Exception {
+
+        when(cloudflareConfig.getAccountId()).thenReturn("abc123");
+        HttpHeaders headers = new HttpHeaders();
+        headers.set("X-Auth-Email", "me@example.com");
+        when(authKeyEmailHeader.getHttpHeaders()).thenReturn(headers);
+
+        List<TunnelResult> tunnelResults = List.of(new TunnelResult("50df9101-f625-4618-b7c5-100338a57124", "test-tunnel"));
+        TunnelsResponse tunnelsResponse = new TunnelsResponse(tunnelResults, null, null, true);
+        ResponseEntity<TunnelsResponse> mockResponse = new ResponseEntity<>(tunnelsResponse, HttpStatus.OK);
+
+        when(cloudflareAPIService.getCloudflareTunnels()).thenReturn(mockResponse);
+
+        mockMvc.perform(get("/cloudflare/tunnels")
+                        .with(oauth2Login().oauth2User(buildOidcUser("username", Groups.GITEA_USER))))
+                .andExpect(status().isOk())
+                .andExpect(MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON))
+                .andExpect(jsonPath("$.data.result[0].id").value("50df9101-f625-4618-b7c5-100338a57124"));
+
+    }
+
+    @Test
+    @DisplayName("should return list of configured tunnels from database")
+    void getConfiguredTunnels() throws Exception {
+        List<Tunnel> tunnels = List.of(
+                new Tunnel(UUID.fromString("50df9101-f625-4618-b7c5-100338a57124"), "dev", "devtunnel"),
+                new Tunnel(UUID.fromString("60df9101-f625-4618-b7c5-100338a57125"), "prod", "prodtunnel")
+        );
+        when(cloudflareAPIService.getAllConfiguredTunnels()).thenReturn(tunnels);
+
+        mockMvc.perform(get("/cloudflare/configured/tunnels")
+                        .with(oauth2Login().oauth2User(buildOidcUser("username", Groups.GITEA_USER))))
+                .andExpect(status().isOk())
+                .andExpect(MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON))
+                .andExpect(jsonPath("$.status").value("success"))
+                .andExpect(jsonPath("$.data[*].name", hasItem("devtunnel")))
+                .andExpect(jsonPath("$.data[*].name", hasItem("prodtunnel")));
+    }
+
+    @Test
+    @DisplayName("should return list of requests")
+    void getAllRequests_Success() throws Exception {
+        List<com.hithomelabs.CFTunnels.Entity.Request> requests = Arrays.asList(
+                createTestRequest(UUID.randomUUID(), com.hithomelabs.CFTunnels.Entity.Request.RequestStatus.PENDING),
+                createTestRequest(UUID.randomUUID(), com.hithomelabs.CFTunnels.Entity.Request.RequestStatus.APPROVED)
+        );
+        
+        when(mappingRequestService.getAllRequests()).thenReturn(requests);
+
+        mockMvc.perform(get("/cloudflare/requests")
+                        .with(oauth2Login().oauth2User(buildOidcUser("username", Groups.GITEA_USER))))
+                .andExpect(status().isOk())
+                .andExpect(MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON))
+                .andExpect(jsonPath("$.status").value("success"))
+                .andExpect(jsonPath("$.data").isArray())
+                .andExpect(jsonPath("$.data.length()").value(2));
+    }
+
+    @Test
+    @DisplayName("should create mapping request successfully")
+    void createTunnelMappingRequest_Success() throws Exception {
+        UUID tunnelId = UUID.randomUUID();
+        com.hithomelabs.CFTunnels.Entity.Request createdRequest = new com.hithomelabs.CFTunnels.Entity.Request();
+        createdRequest.setId(UUID.randomUUID());
+        createdRequest.setStatus(com.hithomelabs.CFTunnels.Entity.Request.RequestStatus.PENDING);
+
+        when(mappingRequestService.createMappingRequest(any(String.class), any(com.hithomelabs.CFTunnels.Models.Ingress.class), any())).thenReturn(createdRequest);
+
+        mockMvc.perform(post("/cloudflare/tunnels/configure/{tunnelId}/requests", tunnelId.toString())
+                        .with(oauth2Login().oauth2User(buildOidcUser("developer", Groups.HOMELAB_DEVELOPER)))
+                        .with(csrf())
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content(ingressJson))
+                .andExpect(status().isCreated())
+                .andExpect(MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON))
+                .andExpect(jsonPath("$.status").value("PENDING"));
+    }
+
+    @Test
+    @DisplayName("should approve mapping request successfully")
+    void approveMappingRequest_Success() throws Exception {
+        UUID requestId = UUID.randomUUID();
+        com.hithomelabs.CFTunnels.Entity.User approverUser = new com.hithomelabs.CFTunnels.Entity.User();
+        approverUser.setEmail("approver@example.com");
+        approverUser.setName("Approver");
+
+        com.hithomelabs.CFTunnels.Entity.Request approvedRequest = new com.hithomelabs.CFTunnels.Entity.Request();
+        approvedRequest.setId(requestId);
+        approvedRequest.setStatus(com.hithomelabs.CFTunnels.Entity.Request.RequestStatus.APPROVED);
+
+        when(mappingRequestService.approveRequest(eq(requestId), any(com.hithomelabs.CFTunnels.Entity.User.class)))
+                .thenReturn(approvedRequest);
+        when(userRepository.findByEmail("approver@example.com"))
+                .thenReturn(java.util.Optional.of(approverUser));
+
+        mockMvc.perform(put("/cloudflare/requests/{requestId}/approve", requestId)
+                        .with(oauth2Login().oauth2User(buildOidcUserWithEmail("approver", Groups.SYSTEM_ADMIN, "approver@example.com")))
+                        .with(csrf()))
+                .andExpect(status().isOk())
+                .andExpect(MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON))
+                .andExpect(jsonPath("$.status").value("APPROVED"));
+    }
+
+    @Test
+    @DisplayName("should return 404 when request not found")
+    void approveMappingRequest_NotFound() throws Exception {
+        UUID requestId = UUID.randomUUID();
+        com.hithomelabs.CFTunnels.Entity.User approverUser = new com.hithomelabs.CFTunnels.Entity.User();
+        approverUser.setEmail("approver@example.com");
+        approverUser.setName("Approver");
+
+        when(mappingRequestService.approveRequest(eq(requestId), any(com.hithomelabs.CFTunnels.Entity.User.class)))
+                .thenThrow(new NoSuchElementException("Request not found"));
+        when(userRepository.findByEmail("approver@example.com"))
+                .thenReturn(java.util.Optional.of(approverUser));
+
+        mockMvc.perform(put("/cloudflare/requests/{requestId}/approve", requestId)
+                        .with(oauth2Login().oauth2User(buildOidcUserWithEmail("approver", Groups.SYSTEM_ADMIN, "approver@example.com")))
+                        .with(csrf()))
+                .andExpect(status().isNotFound());
+    }
+
+    @Test
+    @DisplayName("should return 500 when mapping creation fails")
+    void approveMappingRequest_InternalServerError() throws Exception {
+        UUID requestId = UUID.randomUUID();
+        com.hithomelabs.CFTunnels.Entity.User approverUser = new com.hithomelabs.CFTunnels.Entity.User();
+        approverUser.setEmail("approver@example.com");
+        approverUser.setName("Approver");
+
+        when(mappingRequestService.approveRequest(eq(requestId), any(com.hithomelabs.CFTunnels.Entity.User.class)))
+                .thenThrow(new RuntimeException("Failed to add mapping to Cloudflare"));
+        when(userRepository.findByEmail("approver@example.com"))
+                .thenReturn(java.util.Optional.of(approverUser));
+
+        mockMvc.perform(put("/cloudflare/requests/{requestId}/approve", requestId)
+                        .with(oauth2Login().oauth2User(buildOidcUserWithEmail("approver", Groups.SYSTEM_ADMIN, "approver@example.com")))
+                        .with(csrf()))
+                .andExpect(status().isInternalServerError());
+    }
+
+    @Test
+    @DisplayName("should reject mapping request successfully")
+    void rejectMappingRequest_Success() throws Exception {
+        UUID requestId = UUID.randomUUID();
+        com.hithomelabs.CFTunnels.Entity.User rejecterUser = new com.hithomelabs.CFTunnels.Entity.User();
+        rejecterUser.setEmail("rejecter@example.com");
+        rejecterUser.setName("Rejecter");
+
+        com.hithomelabs.CFTunnels.Entity.Request rejectedRequest = new com.hithomelabs.CFTunnels.Entity.Request();
+        rejectedRequest.setId(requestId);
+        rejectedRequest.setStatus(com.hithomelabs.CFTunnels.Entity.Request.RequestStatus.REJECTED);
+
+        when(mappingRequestService.rejectRequest(eq(requestId), any(com.hithomelabs.CFTunnels.Entity.User.class)))
+                .thenReturn(rejectedRequest);
+        when(userRepository.findByEmail("rejecter@example.com"))
+                .thenReturn(java.util.Optional.of(rejecterUser));
+
+        mockMvc.perform(put("/cloudflare/requests/{requestId}/reject", requestId)
+                        .with(oauth2Login().oauth2User(buildOidcUserWithEmail("rejecter", Groups.SYSTEM_ADMIN, "rejecter@example.com")))
+                        .with(csrf()))
+                .andExpect(status().isOk())
+                .andExpect(MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON))
+                .andExpect(jsonPath("$.status").value("REJECTED"));
+    }
+
+    @Test
+    @DisplayName("should return 404 when rejecting non-existent request")
+    void rejectMappingRequest_NotFound() throws Exception {
+        UUID requestId = UUID.randomUUID();
+        com.hithomelabs.CFTunnels.Entity.User rejecterUser = new com.hithomelabs.CFTunnels.Entity.User();
+        rejecterUser.setEmail("rejecter@example.com");
+        rejecterUser.setName("Rejecter");
+
+        when(mappingRequestService.rejectRequest(eq(requestId), any(com.hithomelabs.CFTunnels.Entity.User.class)))
+                .thenThrow(new NoSuchElementException("Request not found"));
+        when(userRepository.findByEmail("rejecter@example.com"))
+                .thenReturn(java.util.Optional.of(rejecterUser));
+
+        mockMvc.perform(put("/cloudflare/requests/{requestId}/reject", requestId)
+                        .with(oauth2Login().oauth2User(buildOidcUserWithEmail("rejecter", Groups.SYSTEM_ADMIN, "rejecter@example.com")))
+                        .with(csrf()))
+                .andExpect(status().isNotFound());
+    }
+
+    @Test
+    @DisplayName("should return 409 when rejecting already processed request")
+    void rejectMappingRequest_Conflict() throws Exception {
+        UUID requestId = UUID.randomUUID();
+        com.hithomelabs.CFTunnels.Entity.User rejecterUser = new com.hithomelabs.CFTunnels.Entity.User();
+        rejecterUser.setEmail("rejecter@example.com");
+        rejecterUser.setName("Rejecter");
+
+        when(mappingRequestService.rejectRequest(eq(requestId), any(com.hithomelabs.CFTunnels.Entity.User.class)))
+                .thenThrow(new IllegalStateException("Request is not in PENDING status"));
+        when(userRepository.findByEmail("rejecter@example.com"))
+                .thenReturn(java.util.Optional.of(rejecterUser));
+
+        mockMvc.perform(put("/cloudflare/requests/{requestId}/reject", requestId)
+                        .with(oauth2Login().oauth2User(buildOidcUserWithEmail("rejecter", Groups.SYSTEM_ADMIN, "rejecter@example.com")))
+                        .with(csrf()))
+                .andExpect(status().isConflict());
+    }
+
+    @Test
+    void getTunnelConfigurations() throws Exception {
+
+        Map<String, Object> tunnelData = Map.of("config", Map.of("result", "success", "ingress", "sample ingress object"));
+        ResponseEntity<Map> mockResponse = new ResponseEntity<>(tunnelData, HttpStatus.OK);
+
+        when(cloudflareAPIService.getCloudflareTunnelConfigurations(eq("sampleTunnelId"), any(RestTemplate.class), eq(Map.class))).thenReturn(mockResponse);
+
+        mockMvc.perform(get("/cloudflare/tunnels/{tunnelId}/mappings", "sampleTunnelId")
+                        .with(oauth2Login().oauth2User(buildOidcUser("username", Groups.HOMELAB_DEVELOPER))))
+                .andExpect(status().isOk())
+                .andExpect(MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON))
+                .andExpect(jsonPath("$.data.config.ingress").value("sample ingress object"));
+    }
+
+    @Test
+    void addTunnelconfiguration() throws Exception {
+
+        when(restTemplateConfig.restTemplate()).thenReturn(new RestTemplate());
+
+        ObjectMapper mapper = new ObjectMapper();
+        TunnelResponse tunnelStateBefore = mapper.readValue(withoutAdditionalIngress, TunnelResponse.class);
+        ResponseEntity<TunnelResponse> tunnelResponseBefore = new ResponseEntity<>(tunnelStateBefore, HttpStatus.OK);
+
+        when(cloudflareAPIService.getCloudflareTunnelConfigurations(eq("sampleTunnelId"), any(RestTemplate.class), eq(TunnelResponse.class))).thenReturn(tunnelResponseBefore);
+
+        TunnelResponse expectedTunnelConfig = mapper.readValue(withAdditionalIngress, TunnelResponse.class);
+        ResponseEntity<TunnelResponse> expectedHttpTunnelResponse = new ResponseEntity<>(expectedTunnelConfig, HttpStatus.OK);
+        when(cloudflareAPIService.putCloudflareTunnelConfigurations(eq("sampleTunnelId"), any(RestTemplate.class), eq(TunnelResponse.class), any(Config.class))).thenReturn(expectedHttpTunnelResponse);
+
+        mockMvc.perform(post("/cloudflare/tunnels/{tunnelId}/mappings", "sampleTunnelId")
+                        .with(oauth2Login().oauth2User(buildOidcUser("admin", Groups.SYSTEM_ADMIN)))
+                        .with(csrf())
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content(ingressJson))
+                .andExpect(status().isOk())
+                .andExpect(MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON))
+                .andExpect(jsonPath("$.data.result.config.ingress[*].hostname", hasItem("random.hithomelabs.com")));
+    }
+
+    private Request createTestRequest(UUID id, Request.RequestStatus status) {
+        Request request = new Request();
+        request.setId(id);
+        request.setStatus(status);
+        return request;
+    }
+
+    @Test
+    void deleteTunnelConfiguration() throws Exception {
+
+        when(restTemplateConfig.restTemplate()).thenReturn(new RestTemplate());
+
+        ObjectMapper mapper = new ObjectMapper();
+        TunnelResponse tunnelStateBefore = mapper.readValue(withAdditionalIngress, TunnelResponse.class);
+        ResponseEntity<TunnelResponse> tunnelResponseBefore = new ResponseEntity<>(tunnelStateBefore, HttpStatus.OK);
+
+        when(cloudflareAPIService.getCloudflareTunnelConfigurations(eq("sampleTunnelId"), any(RestTemplate.class), eq(TunnelResponse.class))).thenReturn(tunnelResponseBefore);
+
+        TunnelResponse expectedTunnelConfig = mapper.readValue(withoutAdditionalIngress, TunnelResponse.class);
+        ResponseEntity<TunnelResponse> expectedHttpTunnelResponse = new ResponseEntity<>(expectedTunnelConfig, HttpStatus.OK);
+        when(cloudflareAPIService.putCloudflareTunnelConfigurations(eq("sampleTunnelId"), any(RestTemplate.class), eq(TunnelResponse.class), any(Config.class))).thenReturn(expectedHttpTunnelResponse);
+
+        mockMvc.perform(delete("/cloudflare/tunnels/{tunnelId}/mappings", "sampleTunnelId")
+                        .with(oauth2Login().oauth2User(buildOidcUser("admin", Groups.SYSTEM_ADMIN)))
+                        .with(csrf())
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content(ingressJson))
+                .andExpect(status().isOk())
+                .andExpect(MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON))
+                .andExpect(jsonPath("$.data.result.config.ingress[*].hostname", not(hasItem("random.hithomelabs.com"))));
+    }
+
+    @Test
+    @DisplayName("should return 200 OK with tunnel when tunnel is successfully updated")
+    void configureTunnelForEnvironment_Success() throws Exception {
+        Tunnel tunnel = new Tunnel(UUID.randomUUID(), "dev", "test-tunnel");
+        when(cloudflareAPIService.createOrUpdateTunnel(eq("test-tunnel-id"), any(String.class))).thenReturn(tunnel);
+
+        mockMvc.perform(put("/cloudflare/tunnels/configure/{tunnelId}", "test-tunnel-id")
+                        .with(oauth2Login().oauth2User(buildOidcUser("admin", Groups.SYSTEM_ADMIN)))
+                        .with(csrf()))
+                .andExpect(status().isOk())
+                .andExpect(MockMvcResultMatchers.content().contentType(MediaType.APPLICATION_JSON))
+                .andExpect(jsonPath("$.name").value("test-tunnel"))
+                .andExpect(jsonPath("$.environment").value("dev"));
+    }
+
+    @Test
+    @DisplayName("should return 204 NO_CONTENT when tunnel does not need changes")
+    void configureTunnelForEnvironment_NoContent() throws Exception {
+        when(cloudflareAPIService.createOrUpdateTunnel(eq("test-tunnel-id"), any(String.class))).thenReturn(null);
+
+        mockMvc.perform(put("/cloudflare/tunnels/configure/{tunnelId}", "test-tunnel-id")
+                        .with(oauth2Login().oauth2User(buildOidcUser("admin", Groups.SYSTEM_ADMIN)))
+                        .with(csrf()))
+                .andExpect(status().isNoContent());
+    }
+
+    @Test
+    @DisplayName("should return 404 NOT_FOUND when tunnelId is not valid")
+    void configureTunnelForEnvironment_NotFound() throws Exception {
+        when(cloudflareAPIService.createOrUpdateTunnel(eq("invalid-tunnel-id"), any(String.class)))
+                .thenThrow(new NoSuchElementException("Tunnel not found"));
+
+        mockMvc.perform(put("/cloudflare/tunnels/configure/{tunnelId}", "invalid-tunnel-id")
+                        .with(oauth2Login().oauth2User(buildOidcUser("admin", Groups.SYSTEM_ADMIN)))
+                        .with(csrf()))
+                .andExpect(status().isNotFound());
+    }
+
+    @Test
+    @DisplayName("should return 500 INTERNAL_SERVER_ERROR when runtime exception occurs")
+    void configureTunnelForEnvironment_InternalServerError() throws Exception {
+        when(cloudflareAPIService.createOrUpdateTunnel(eq("test-tunnel-id"), any(String.class)))
+                .thenThrow(new RuntimeException("Internal error"));
+
+        mockMvc.perform(put("/cloudflare/tunnels/configure/{tunnelId}", "test-tunnel-id")
+                        .with(oauth2Login().oauth2User(buildOidcUser("admin", Groups.SYSTEM_ADMIN)))
+                        .with(csrf()))
+                .andExpect(status().isInternalServerError());
+    }
+
+
+}

src/test/java/com/hithomelabs/CFTunnels/Integration/CoudflareApiIntegrationTest.java

@@ -0,0 +1,108 @@
+package com.hithomelabs.CFTunnels.Integration;
+
+import com.hithomelabs.CFTunnels.Config.CloudflareConfig;
+import com.hithomelabs.CFTunnels.Headers.AuthKeyEmailHeader;
+import com.hithomelabs.CFTunnels.Models.Config;
+import com.hithomelabs.CFTunnels.Models.Ingress;
+import com.hithomelabs.CFTunnels.Models.TunnelResponse;
+import com.hithomelabs.CFTunnels.Models.TunnelResult;
+import com.hithomelabs.CFTunnels.Models.TunnelsResponse;
+import com.hithomelabs.CFTunnels.Services.CloudflareAPIService;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Tag;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.ResponseEntity;
+import org.springframework.test.context.ActiveProfiles;
+import org.springframework.web.client.RestTemplate;
+
+import java.util.List;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+@SpringBootTest(webEnvironment = SpringBootTest.WebEnvironment.RANDOM_PORT)
+@ActiveProfiles("integration")
+@Tag("integration")
+public class CoudflareApiIntegrationTest {
+
+    @Autowired
+    RestTemplate restTemplate;
+
+    @Autowired
+    AuthKeyEmailHeader authKeyEmailHeader;
+
+    @Autowired
+    CloudflareConfig cloudflareConfig;
+
+    @Autowired
+    CloudflareAPIService cloudflareAPIService;
+
+    private static final String DEV_TUNNEL_ID = "50df9101-f625-4618-b7c5-100338a57124";
+
+    @Test
+    @DisplayName("Calls cloudflare cfd tunnels API and checks that dev tunnel should be a part of the response")
+    public void testGetTunnelsTest() {
+
+        ResponseEntity<TunnelsResponse> response = cloudflareAPIService.getCloudflareTunnels();
+
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+
+        List<TunnelResult> tunnelList = response.getBody().getResult();
+        boolean hasName = tunnelList.stream()
+                .anyMatch(tunnel -> "devtunnel".equals(tunnel.getName()));
+
+        assertTrue(hasName);
+    }
+
+    @Test
+    @DisplayName("Calls cloudflare API to get mappings for devtunnel tunnel")
+    public void testTunnelConfigurations() {
+
+        ResponseEntity<TunnelResponse> responseEntity = cloudflareAPIService.getCloudflareTunnelConfigurations(DEV_TUNNEL_ID, restTemplate, TunnelResponse.class);
+
+        // * * Check if status code is 200
+        assertEquals(HttpStatus.OK, responseEntity.getStatusCode());
+
+        // * * Checking if mapping for devdocker exists
+        TunnelResponse tunnelResponse = responseEntity.getBody();
+        boolean hasMatch = tunnelResponse.getResult().getConfig().getIngress().stream()
+                .anyMatch(ingress -> "devdocker.hithomelabs.com".equals(ingress.getHostname()));
+        assertTrue(hasMatch);
+    }
+
+    @Test
+    @DisplayName("Inserts and deletes a mapping using Cloudflare API")
+    public void testAddAndDeleteMapping() {
+
+        ResponseEntity<TunnelResponse> beforeMapping = cloudflareAPIService.getCloudflareTunnelConfigurations(DEV_TUNNEL_ID, restTemplate, TunnelResponse.class);
+
+        assertEquals(HttpStatus.OK, beforeMapping.getStatusCode());
+
+        Ingress ingress = new Ingress();
+        ingress.setHostname("random.hithomelabs.com");
+        ingress.setService("http://192.168.0.100:3457");
+
+        Config beforeInsertConfig = beforeMapping.getBody().getResult().getConfig();
+        List<Ingress> beforeInsert = beforeInsertConfig.getIngress();
+        beforeInsert.add(beforeInsert.size() - 1, ingress);
+
+        ResponseEntity<TunnelResponse> afterInsert = cloudflareAPIService.putCloudflareTunnelConfigurations(DEV_TUNNEL_ID, restTemplate, TunnelResponse.class, beforeInsertConfig);
+
+        assertEquals(HttpStatus.OK, afterInsert.getStatusCode());
+        Config afterInsertConfig = afterInsert.getBody().getResult().getConfig();
+        List<Ingress> ingressList = afterInsertConfig.getIngress();
+
+        boolean hasIngress = ingressList.get(ingressList.size() - 2 ).getHostname().equals("random.hithomelabs.com");
+        assertTrue(hasIngress);
+
+        Boolean deleteSuccess = Ingress.deleteByHostName(ingressList, ingress.getHostname());
+        assertTrue(deleteSuccess);
+
+        ResponseEntity<TunnelResponse> afterDelete = cloudflareAPIService.putCloudflareTunnelConfigurations(DEV_TUNNEL_ID, restTemplate, TunnelResponse.class, afterInsertConfig);
+        assertEquals(HttpStatus.OK, afterDelete.getStatusCode());
+        assertFalse(afterDelete.getBody().getResult().getConfig().getIngress().stream().anyMatch(anyIngress -> "random.hithomelabs.com".equals(anyIngress.getHostname())));
+    }
+
+}

src/test/java/com/hithomelabs/CFTunnels/Repositories/RequestRepositoryTest.java

@@ -0,0 +1,179 @@
+package com.hithomelabs.CFTunnels.Repositories;
+
+import com.hithomelabs.CFTunnels.Entity.Mapping;
+import com.hithomelabs.CFTunnels.Entity.Protocol;
+import com.hithomelabs.CFTunnels.Entity.Request;
+import com.hithomelabs.CFTunnels.Entity.Tunnel;
+import com.hithomelabs.CFTunnels.Entity.User;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.DisplayName;
+import org.junit.jupiter.api.Test;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.autoconfigure.orm.jpa.DataJpaTest;
+import org.springframework.boot.test.autoconfigure.jdbc.AutoConfigureTestDatabase;
+import org.springframework.test.annotation.DirtiesContext;
+import org.springframework.test.context.TestPropertySource;
+
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+import static org.assertj.core.api.Assertions.assertThat;
+
+@DataJpaTest
+@AutoConfigureTestDatabase(replace = AutoConfigureTestDatabase.Replace.ANY)
+@DirtiesContext(classMode = DirtiesContext.ClassMode.AFTER_EACH_TEST_METHOD)
+@TestPropertySource(properties = {
+    "spring.jpa.hibernate.ddl-auto=create-drop",
+    "spring.jpa.show-sql=false",
+    "spring.sql.init.mode=never"
+})
+class RequestRepositoryTest {
+
+    @Autowired
+    private RequestRepository requestRepository;
+
+    @Autowired
+    private TunnelRepository tunnelRepository;
+
+    @Autowired
+    private MappingRepository mappingRepository;
+
+    @Autowired
+    private UserRepository userRepository;
+
+    private Tunnel tunnel;
+    private User createdByUser;
+    private User acceptedByUser;
+    private Mapping mapping;
+
+    @BeforeEach
+    void setUp() {
+        tunnel = new Tunnel();
+        tunnel.setId(UUID.randomUUID());
+        tunnel.setEnvironment("test");
+        tunnel.setName("test-tunnel");
+        tunnel = tunnelRepository.save(tunnel);
+
+        createdByUser = new User();
+        createdByUser.setEmail("creator@example.com");
+        createdByUser.setName("Creator User");
+        createdByUser = userRepository.save(createdByUser);
+
+        acceptedByUser = new User();
+        acceptedByUser.setEmail("approver@example.com");
+        acceptedByUser.setName("Approver User");
+        acceptedByUser = userRepository.save(acceptedByUser);
+
+        mapping = new Mapping();
+        mapping.setTunnel(tunnel);
+        mapping.setPort(8080);
+        mapping.setProtocol(Protocol.HTTP);
+        mapping.setSubdomain("test-subdomain");
+        mapping = mappingRepository.save(mapping);
+    }
+
+    @Test
+    @DisplayName("findAllWithDetails should return requests with all relationships loaded")
+    void findAllWithDetails_ShouldReturnRequestsWithAllRelationships() {
+        Request request = new Request();
+        request.setMapping(mapping);
+        request.setCreatedBy(createdByUser);
+        request.setAcceptedBy(acceptedByUser);
+        request.setStatus(Request.RequestStatus.PENDING);
+        requestRepository.save(request);
+
+        List<Request> results = requestRepository.findAllWithDetails();
+
+        assertThat(results).hasSize(1);
+        Request result = results.get(0);
+        assertThat(result.getMapping()).isNotNull();
+        assertThat(result.getMapping().getTunnel()).isNotNull();
+        assertThat(result.getCreatedBy()).isNotNull();
+        assertThat(result.getAcceptedBy()).isNotNull();
+    }
+
+    @Test
+    @DisplayName("findByIdWithDetails should return request with all relationships loaded")
+    void findByIdWithDetails_ShouldReturnRequestWithAllRelationships() {
+        Request request = new Request();
+        request.setMapping(mapping);
+        request.setCreatedBy(createdByUser);
+        request.setAcceptedBy(acceptedByUser);
+        request.setStatus(Request.RequestStatus.PENDING);
+        UUID requestId = requestRepository.save(request).getId();
+
+        Optional<Request> result = requestRepository.findByIdWithDetails(requestId);
+
+        assertThat(result).isPresent();
+        assertThat(result.get().getMapping()).isNotNull();
+        assertThat(result.get().getMapping().getTunnel()).isNotNull();
+        assertThat(result.get().getCreatedBy()).isNotNull();
+        assertThat(result.get().getAcceptedBy()).isNotNull();
+    }
+
+    @Test
+    @DisplayName("findByIdWithDetails should return empty for non-existent id")
+    void findByIdWithDetails_ShouldReturnEmptyForNonExistentId() {
+        Optional<Request> result = requestRepository.findByIdWithDetails(UUID.randomUUID());
+
+        assertThat(result).isEmpty();
+    }
+
+    @Test
+    @DisplayName("findAllWithDetails should return empty list when no requests exist")
+    void findAllWithDetails_ShouldReturnEmptyListWhenNoRequests() {
+        List<Request> results = requestRepository.findAllWithDetails();
+
+        assertThat(results).isEmpty();
+    }
+
+    @Test
+    @DisplayName("findAllWithDetails should handle multiple requests with different statuses")
+    void findAllWithDetails_ShouldHandleMultipleRequests() {
+        Mapping mapping1 = new Mapping();
+        mapping1.setTunnel(tunnel);
+        mapping1.setPort(8080);
+        mapping1.setProtocol(Protocol.HTTP);
+        mapping1.setSubdomain("pending-subdomain");
+        mapping1 = mappingRepository.save(mapping1);
+
+        Mapping mapping2 = new Mapping();
+        mapping2.setTunnel(tunnel);
+        mapping2.setPort(8081);
+        mapping2.setProtocol(Protocol.HTTP);
+        mapping2.setSubdomain("approved-subdomain");
+        mapping2 = mappingRepository.save(mapping2);
+
+        Mapping mapping3 = new Mapping();
+        mapping3.setTunnel(tunnel);
+        mapping3.setPort(8082);
+        mapping3.setProtocol(Protocol.HTTP);
+        mapping3.setSubdomain("rejected-subdomain");
+        mapping3 = mappingRepository.save(mapping3);
+
+        Request pendingRequest = new Request();
+        pendingRequest.setMapping(mapping1);
+        pendingRequest.setCreatedBy(createdByUser);
+        pendingRequest.setStatus(Request.RequestStatus.PENDING);
+        requestRepository.save(pendingRequest);
+
+        Request approvedRequest = new Request();
+        approvedRequest.setMapping(mapping2);
+        approvedRequest.setCreatedBy(createdByUser);
+        approvedRequest.setAcceptedBy(acceptedByUser);
+        approvedRequest.setStatus(Request.RequestStatus.APPROVED);
+        requestRepository.save(approvedRequest);
+
+        Request rejectedRequest = new Request();
+        rejectedRequest.setMapping(mapping3);
+        rejectedRequest.setCreatedBy(createdByUser);
+        rejectedRequest.setAcceptedBy(acceptedByUser);
+        rejectedRequest.setStatus(Request.RequestStatus.REJECTED);
+        requestRepository.save(rejectedRequest);
+
+        List<Request> results = requestRepository.findAllWithDetails();
+
+        assertThat(results).hasSize(3);
+    }
+}

src/test/java/com/hithomelabs/CFTunnels/Services/CloudflareAPIServiceTest.java

@@ -0,0 +1,265 @@
+package com.hithomelabs.CFTunnels.Services;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import com.hithomelabs.CFTunnels.Config.CloudflareConfig;
+import com.hithomelabs.CFTunnels.Entity.Tunnel;
+import com.hithomelabs.CFTunnels.Exceptions.ExternalServiceException;
+import com.hithomelabs.CFTunnels.Headers.AuthKeyEmailHeader;
+import com.hithomelabs.CFTunnels.Models.Config;
+import com.hithomelabs.CFTunnels.Models.Ingress;
+import com.hithomelabs.CFTunnels.Models.TunnelResponse;
+import com.hithomelabs.CFTunnels.Models.TunnelResult;
+import com.hithomelabs.CFTunnels.Models.TunnelsResponse;
+import com.hithomelabs.CFTunnels.Repositories.TunnelRepository;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import org.springframework.http.*;
+import org.springframework.web.client.RestTemplate;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.NoSuchElementException;
+import java.util.Optional;
+import java.util.UUID;
+
+import static com.hithomelabs.CFTunnels.TestUtils.Util.getClassPathDataResource;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.eq;
+import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.when;
+
+@ExtendWith(MockitoExtension.class)
+class CloudflareAPIServiceTest {
+
+    @InjectMocks
+    private CloudflareAPIService cloudflareAPIService;
+
+    @Mock
+    AuthKeyEmailHeader authKeyEmailHeader;
+
+    @Mock
+    private RestTemplate restTemplate;
+
+    @Mock
+    CloudflareConfig cloudflareConfig;
+
+    @Mock
+    TunnelRepository tunnelRepository;
+
+    private static final String tunnelResponseLargeIngressFile = "tunnelResponseLargeIngress.json";
+
+    private static final String bigTunnelResponse;
+
+    static {
+        try {
+            bigTunnelResponse = getClassPathDataResource(tunnelResponseLargeIngressFile);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+
+    @Test
+    void testGetCloudflareTunnels() {
+
+        when(cloudflareConfig.getAccountId()).thenReturn("account-123");
+        when(authKeyEmailHeader.getHttpHeaders()).thenReturn(new HttpHeaders());
+        List<TunnelResult> tunnelResults = List.of(new TunnelResult("t1", "test-tunnel"));
+        TunnelsResponse mockBody = new TunnelsResponse(tunnelResults, null, null, true);
+        ResponseEntity<TunnelsResponse> mockResponse = new ResponseEntity<>(mockBody, HttpStatus.OK);
+
+        when(restTemplate.exchange(
+                any(String.class),
+                eq(HttpMethod.GET),
+                any(HttpEntity.class),
+                eq(TunnelsResponse.class)
+        )).thenReturn(mockResponse);
+
+        ResponseEntity<TunnelsResponse> response = cloudflareAPIService.getCloudflareTunnels();
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+    }
+
+
+    @Test
+    void getCloudflareTunnelConfigurations() throws JsonProcessingException {
+
+        when(cloudflareConfig.getAccountId()).thenReturn("account-123");
+        when(authKeyEmailHeader.getHttpHeaders()).thenReturn(new HttpHeaders());
+
+        TunnelResponse tunnelResponse = new ObjectMapper().readValue(bigTunnelResponse, TunnelResponse.class);
+        ResponseEntity<TunnelResponse> tunnelResponseResponseEntity = new ResponseEntity<>(tunnelResponse, HttpStatus.OK);
+
+        when(restTemplate.exchange(
+                any(String.class),
+                eq(HttpMethod.GET),
+                any(HttpEntity.class),
+                eq(TunnelResponse.class)
+        )).thenReturn(tunnelResponseResponseEntity);
+
+        ResponseEntity<TunnelResponse> response = cloudflareAPIService.getCloudflareTunnelConfigurations("sampleTunnelID", restTemplate, TunnelResponse.class);
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals(response.getBody().getResult().getConfig().getIngress().get(0).getHostname(), "giteabkp.hithomelabs.com");
+    }
+
+    @Test
+    void putCloudflareTunnelConfigurations() throws JsonProcessingException {
+
+        when(cloudflareConfig.getAccountId()).thenReturn("account-123");
+        when(authKeyEmailHeader.getHttpHeaders()).thenReturn(new HttpHeaders());
+
+        TunnelResponse tunnelResponse = new ObjectMapper().readValue(bigTunnelResponse, TunnelResponse.class);
+        ResponseEntity<TunnelResponse> tunnelResponseResponseEntity = new ResponseEntity<>(tunnelResponse, HttpStatus.OK);
+
+        Config config = tunnelResponse.getResult().getConfig();
+
+        when(restTemplate.exchange(
+                any(String.class),
+                eq(HttpMethod.PUT),
+                any(HttpEntity.class),
+                eq(TunnelResponse.class)
+        )).thenReturn(tunnelResponseResponseEntity);
+
+        ResponseEntity<TunnelResponse> response = cloudflareAPIService.putCloudflareTunnelConfigurations("sampleTunnelID", restTemplate, TunnelResponse.class, config);
+        assertEquals(HttpStatus.OK, response.getStatusCode());
+        assertEquals(response.getBody().getResult().getConfig().getIngress().get(2).getHostname(), "random.hithomelabs.com");
+    }
+
+    @Test
+    void createOrUpdateTunnel_Success() {
+        String tunnelId = "50df9101-f625-4618-b7c5-100338a57124";
+        String environment = "dev";
+
+        List<TunnelResult> tunnelResults = List.of(new TunnelResult(tunnelId, "devtunnel"));
+        TunnelsResponse mockBody = new TunnelsResponse(tunnelResults, null, null, true);
+        ResponseEntity<TunnelsResponse> mockResponse = new ResponseEntity<>(mockBody, HttpStatus.OK);
+
+        when(restTemplate.exchange(
+                any(String.class),
+                eq(HttpMethod.GET),
+                any(HttpEntity.class),
+                eq(TunnelsResponse.class)
+        )).thenReturn(mockResponse);
+
+        when(tunnelRepository.findById(UUID.fromString(tunnelId))).thenReturn(Optional.empty());
+
+        Tunnel result = cloudflareAPIService.createOrUpdateTunnel(tunnelId, environment);
+
+        assertEquals(UUID.fromString(tunnelId), result.getId());
+        assertEquals("devtunnel", result.getName());
+        assertEquals(environment, result.getEnvironment());
+        verify(tunnelRepository).save(any(Tunnel.class));
+    }
+
+    @Test
+    void createOrUpdateTunnel_UpdatesExistingTunnel() {
+        String tunnelId = "50df9101-f625-4618-b7c5-100338a57124";
+        String environment = "prod";
+
+        List<TunnelResult> tunnelResults = List.of(new TunnelResult(tunnelId, "devtunnel"));
+        TunnelsResponse mockBody = new TunnelsResponse(tunnelResults, null, null, true);
+        ResponseEntity<TunnelsResponse> mockResponse = new ResponseEntity<>(mockBody, HttpStatus.OK);
+
+        when(restTemplate.exchange(
+                any(String.class),
+                eq(HttpMethod.GET),
+                any(HttpEntity.class),
+                eq(TunnelsResponse.class)
+        )).thenReturn(mockResponse);
+
+        Tunnel existingTunnel = new Tunnel(UUID.fromString(tunnelId), "dev", "oldname");
+        when(tunnelRepository.findById(UUID.fromString(tunnelId))).thenReturn(Optional.of(existingTunnel));
+
+        cloudflareAPIService.createOrUpdateTunnel(tunnelId, environment);
+
+        verify(tunnelRepository).deleteById(UUID.fromString(tunnelId));
+        verify(tunnelRepository).save(any(Tunnel.class));
+    }
+
+    @Test
+    void createOrUpdateTunnel_ThrowsExternalServiceExceptionOnApiError() {
+        String tunnelId = "50df9101-f625-4618-b7c5-100338a57124";
+
+        ResponseEntity<TunnelsResponse> mockResponse = new ResponseEntity<>(null, HttpStatus.INTERNAL_SERVER_ERROR);
+
+        when(restTemplate.exchange(
+                any(String.class),
+                eq(HttpMethod.GET),
+                any(HttpEntity.class),
+                eq(TunnelsResponse.class)
+        )).thenReturn(mockResponse);
+
+        assertThrows(ExternalServiceException.class, () ->
+                cloudflareAPIService.createOrUpdateTunnel(tunnelId, "dev")
+        );
+    }
+
+    @Test
+    void createOrUpdateTunnel_ThrowsNoSuchElementExceptionWhenTunnelNotFound() {
+        String tunnelId = "50df9101-f625-4618-b7c5-100338a57124";
+
+        List<TunnelResult> tunnelResults = List.of(new TunnelResult("other-tunnel-id", "othertunnel"));
+        TunnelsResponse mockBody = new TunnelsResponse(tunnelResults, null, null, true);
+        ResponseEntity<TunnelsResponse> mockResponse = new ResponseEntity<>(mockBody, HttpStatus.OK);
+
+        when(restTemplate.exchange(
+                any(String.class),
+                eq(HttpMethod.GET),
+                any(HttpEntity.class),
+                eq(TunnelsResponse.class)
+        )).thenReturn(mockResponse);
+
+        assertThrows(NoSuchElementException.class, () ->
+                cloudflareAPIService.createOrUpdateTunnel(tunnelId, "dev")
+        );
+    }
+
+    @Test
+    void getAllConfiguredTunnels_ReturnsAllTunnels() {
+        List<Tunnel> tunnels = List.of(
+                new Tunnel(UUID.fromString("50df9101-f625-4618-b7c5-100338a57124"), "dev", "devtunnel"),
+                new Tunnel(UUID.fromString("60df9101-f625-4618-b7c5-100338a57125"), "prod", "prodtunnel")
+        );
+        when(tunnelRepository.findAll()).thenReturn(tunnels);
+
+        List<Tunnel> result = cloudflareAPIService.getAllConfiguredTunnels();
+
+        assertEquals(2, result.size());
+        assertEquals("devtunnel", result.get(0).getName());
+        assertEquals("prodtunnel", result.get(1).getName());
+    }
+
+    @Test
+    void addTunnelIngress_Success() throws JsonProcessingException {
+        String tunnelId = "50df9101-f625-4618-b7c5-100338a57124";
+        Ingress ingress = new Ingress("http://192.168.0.100:8080", "test.hithomelabs.com", null, null);
+
+        when(cloudflareConfig.getAccountId()).thenReturn("account-123");
+        when(authKeyEmailHeader.getHttpHeaders()).thenReturn(new HttpHeaders());
+
+        TunnelResponse tunnelResponse = new ObjectMapper().readValue(bigTunnelResponse, TunnelResponse.class);
+        ResponseEntity<TunnelResponse> getResponse = new ResponseEntity<>(tunnelResponse, HttpStatus.OK);
+        when(restTemplate.exchange(
+                any(String.class),
+                eq(HttpMethod.GET),
+                any(HttpEntity.class),
+                eq(TunnelResponse.class)
+        )).thenReturn(getResponse);
+
+        ResponseEntity<TunnelResponse> putResponse = new ResponseEntity<>(tunnelResponse, HttpStatus.OK);
+        when(restTemplate.exchange(
+                any(String.class),
+                eq(HttpMethod.PUT),
+                any(HttpEntity.class),
+                eq(TunnelResponse.class)
+        )).thenReturn(putResponse);
+
+        ResponseEntity<TunnelResponse> result = cloudflareAPIService.addTunnelIngress(tunnelId, ingress);
+
+        assertEquals(HttpStatus.OK, result.getStatusCode());
+    }
+}

src/test/java/com/hithomelabs/CFTunnels/TestUtils/Util.java

@@ -0,0 +1,17 @@
+package com.hithomelabs.CFTunnels.TestUtils;
+
+import org.springframework.core.io.ClassPathResource;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
+
+public class Util {
+
+    public static String getClassPathDataResource(String filename) throws IOException {
+        return Files.readString(
+                new ClassPathResource(String.format("data/%s", filename)).getFile().toPath(),
+                StandardCharsets.UTF_8);
+    }
+
+}

src/test/resources/data/tunnelResponseLargeIngress.json

@@ -0,0 +1,38 @@
+{
+  "success": true,
+  "errors": [],
+  "messages": [],
+  "result": {
+    "tunnel_id": "50df9101-f625-4618-b7c5-100338a57124",
+    "version": 63,
+    "config": {
+      "ingress": [
+        {
+          "service": "http://192.168.0.100:8928",
+          "hostname": "giteabkp.hithomelabs.com",
+          "originRequest": {}
+        },
+        {
+          "service": "https://192.168.0.100:9442",
+          "hostname": "devdocker.hithomelabs.com",
+          "originRequest": {
+            "noTLSVerify": true
+          }
+        },
+        {
+          "service": "http://192.168.0.100:3457",
+          "hostname": "random.hithomelabs.com",
+          "originRequest": {}
+        },
+        {
+          "service": "http_status:404"
+        }
+      ],
+      "warp-routing": {
+        "enabled": false
+      }
+    },
+    "source": "cloudflare",
+    "created_at": "2025-10-24T18:17:26.914217Z"
+  }
+}

src/test/resources/data/tunnelResponseSmallIngress.json

@@ -0,0 +1,33 @@
+{
+  "success": true,
+  "errors": [],
+  "messages": [],
+  "result": {
+    "tunnel_id": "50df9101-f625-4618-b7c5-100338a57124",
+    "version": 63,
+    "config": {
+      "ingress": [
+        {
+          "service": "http://192.168.0.100:8928",
+          "hostname": "giteabkp.hithomelabs.com",
+          "originRequest": {}
+        },
+        {
+          "service": "https://192.168.0.100:9442",
+          "hostname": "devdocker.hithomelabs.com",
+          "originRequest": {
+            "noTLSVerify": true
+          }
+        },
+        {
+          "service": "http_status:404"
+        }
+      ],
+      "warp-routing": {
+        "enabled": false
+      }
+    },
+    "source": "cloudflare",
+    "created_at": "2025-10-24T18:17:26.914217Z"
+  }
+}

src/test/resources/docker-compose.yaml

@@ -0,0 +1,13 @@
+services:
+  postgres:
+    image: postgres:15-alpine
+    container_name: cftunnel-db-${ENV}
+    environment:
+      POSTGRES_DB: cftunnel
+      POSTGRES_USER: ${POSTGRES_USERNAME}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    restart: unless-stopped
+    ports:
+      - "${DB_PORT}:5432"
+    volumes:
+      - ${DB_PATH}:/var/lib/postgresql/data