Minor tidy up and refactor to improve consistency.

Finished initial implementation of circle endpoints
Fixed issues regarding claim verification in ORM
2026-03-03 00:17:46 +00:00 · 2026-03-02 23:52:12 +00:00 · 2026-02-24 00:03:06 +00:00 · 2026-02-23 20:48:52 +00:00 · 2026-02-22 12:02:05 +00:00 · 2026-02-22 02:07:50 +00:00
50 changed files with 1393 additions and 397 deletions
--- a/Tests/BGApp/Circle/Create.yml
+++ b/Tests/BGApp/Circle/Create.yml
@@ -0,0 +1,30 @@
+info:
+  name: Create
+  type: http
+  seq: 1
+
+http:
+  method: POST
+  url: "{{BASE_URL}}/{{SECTOR}}"
+  body:
+    type: json
+    data: |-
+      {
+          "name": "{{Name}}",
+          "isPublic": {{IsPublic}},
+          "colour": "#FFFFFF"
+      }
+  auth: inherit
+
+runtime:
+  variables:
+    - name: Name
+      value: Test Private Circle
+    - name: IsPublic
+      value: "false"
+
+settings:
+  encodeUrl: true
+  timeout: 0
+  followRedirects: true
+  maxRedirects: 5
--- a/Tests/BGApp/Circle/Delete.yml
+++ b/Tests/BGApp/Circle/Delete.yml
@@ -0,0 +1,20 @@
+info:
+  name: Delete
+  type: http
+  seq: 4
+
+http:
+  method: DELETE
+  url: "{{BASE_URL}}/{{SECTOR}}/{{CircleID}}"
+  auth: inherit
+
+runtime:
+  variables:
+    - name: CircleID
+      value: 6Z4214
+
+settings:
+  encodeUrl: true
+  timeout: 0
+  followRedirects: true
+  maxRedirects: 5
--- a/Tests/BGApp/Circle/Get.yml
+++ b/Tests/BGApp/Circle/Get.yml
@@ -0,0 +1,20 @@
+info:
+  name: Get
+  type: http
+  seq: 2
+
+http:
+  method: GET
+  url: "{{BASE_URL}}/{{SECTOR}}/{{CircleID}}"
+  auth: inherit
+
+runtime:
+  variables:
+    - name: CircleID
+      value: P17GOJ
+
+settings:
+  encodeUrl: true
+  timeout: 0
+  followRedirects: true
+  maxRedirects: 5
--- a/Tests/BGApp/Circle/Search.yml
+++ b/Tests/BGApp/Circle/Search.yml
@@ -0,0 +1,24 @@
+info:
+  name: Search
+  type: http
+  seq: 5
+
+http:
+  method: GET
+  url: "{{BASE_URL}}/{{SECTOR}}/search/{{Query}}/{{PageSize}}/{{Page}}"
+  auth: inherit
+
+runtime:
+  variables:
+    - name: Query
+      value: test
+    - name: PageSize
+      value: "5"
+    - name: Page
+      value: "1"
+
+settings:
+  encodeUrl: true
+  timeout: 0
+  followRedirects: true
+  maxRedirects: 5
--- a/Tests/BGApp/Circle/Update.yml
+++ b/Tests/BGApp/Circle/Update.yml
@@ -0,0 +1,28 @@
+info:
+  name: Update
+  type: http
+  seq: 3
+
+http:
+  method: PATCH
+  url: "{{BASE_URL}}/{{SECTOR}}/{{CircleID}}"
+  body:
+    type: json
+    data: |-
+      {
+        "name":"{{Name}}"
+      }
+  auth: inherit
+
+runtime:
+  variables:
+    - name: CircleID
+      value: 6Z4214
+    - name: Name
+      value: Test update
+
+settings:
+  encodeUrl: true
+  timeout: 0
+  followRedirects: true
+  maxRedirects: 5
--- a/Tests/BGApp/Circle/folder.yml
+++ b/Tests/BGApp/Circle/folder.yml
@@ -0,0 +1,10 @@
+info:
+  name: Circle
+  type: folder
+  seq: 1
+
+request:
+  auth: inherit
+  variables:
+    - name: SECTOR
+      value: circles
--- a/Tests/BGApp/Game/Update.yml
+++ b/Tests/BGApp/Game/Update.yml
@@ -17,9 +17,9 @@ http:
 runtime:
  variables:
    - name: GameID
-      value: ""
+      value: DM5GMY
    - name: Name
-      value: ""
+      value: Update test

 settings:
  encodeUrl: true
--- a/Tests/BGApp/Matches/Create.yml
+++ b/Tests/BGApp/Matches/Create.yml
@@ -0,0 +1,35 @@
+info:
+  name: Create
+  type: http
+  seq: 1
+
+http:
+  method: POST
+  url: "{{BASE_URL}}/{{SECTOR}}"
+  body:
+    type: json
+    data: |-
+      {
+        "gameId": "RM089N",
+        "participants": [
+          {"playerId": "Q3M1PR", "standing": 0},
+          {"playerId": "539DPX", "standing": 1},
+          {"playerId": "JZ7939", "standing": 2}
+        ]
+      }
+  auth: inherit
+
+runtime:
+  variables:
+    - name: Email
+      value: ""
+    - name: Password
+      value: ""
+    - name: PlayerID
+      value: ""
+
+settings:
+  encodeUrl: true
+  timeout: 0
+  followRedirects: true
+  maxRedirects: 5
--- a/Tests/BGApp/Matches/Delete.yml
+++ b/Tests/BGApp/Matches/Delete.yml
@@ -0,0 +1,20 @@
+info:
+  name: Delete
+  type: http
+  seq: 3
+
+http:
+  method: DELETE
+  url: "{{BASE_URL}}/{{SECTOR}}/{{MatchID}}"
+  auth: inherit
+
+runtime:
+  variables:
+    - name: MatchID
+      value: 846M1L
+
+settings:
+  encodeUrl: true
+  timeout: 0
+  followRedirects: true
+  maxRedirects: 5
--- a/Tests/BGApp/Matches/Get.yml
+++ b/Tests/BGApp/Matches/Get.yml
@@ -0,0 +1,20 @@
+info:
+  name: Get
+  type: http
+  seq: 2
+
+http:
+  method: GET
+  url: "{{BASE_URL}}/{{SECTOR}}/{{MatchID}}"
+  auth: inherit
+
+runtime:
+  variables:
+    - name: MatchID
+      value: 848O12
+
+settings:
+  encodeUrl: true
+  timeout: 0
+  followRedirects: true
+  maxRedirects: 5
--- a/Tests/BGApp/Matches/Leave.yml
+++ b/Tests/BGApp/Matches/Leave.yml
@@ -0,0 +1,23 @@
+info:
+  name: Leave
+  type: http
+  seq: 4
+
+http:
+  method: POST
+  url: "{{BASE_URL}}/{{SECTOR}}/{{MatchID}}/leave"
+  body:
+    type: json
+    data: ""
+  auth: inherit
+
+runtime:
+  variables:
+    - name: MatchID
+      value: 848O12
+
+settings:
+  encodeUrl: true
+  timeout: 0
+  followRedirects: true
+  maxRedirects: 5
--- a/Tests/BGApp/Matches/folder.yml
+++ b/Tests/BGApp/Matches/folder.yml
@@ -0,0 +1,10 @@
+info:
+  name: Matches
+  type: folder
+  seq: 1
+
+request:
+  auth: inherit
+  variables:
+    - name: SECTOR
+      value: matches
--- a/Tests/BGApp/Players/Get.yml
+++ b/Tests/BGApp/Players/Get.yml
@@ -11,7 +11,7 @@ http:
 runtime:
  variables:
    - name: PlayerID
-      value: ""
+      value: 539DPX

 settings:
  encodeUrl: true
--- a/Tests/BGApp/environments/BGApp.yml
+++ b/Tests/BGApp/environments/BGApp.yml
@@ -1,3 +1,4 @@
+#file: noinspection SpellCheckingInspection
 name: BGApp
 variables:
  - name: BEARER_TOKEN
--- a/Tests/BGApp/opencollection.yml
+++ b/Tests/BGApp/opencollection.yml
@@ -18,16 +18,6 @@ request:
  auth:
    type: bearer
    token: "{{BEARER_TOKEN}}"
-  actions:
-    - type: set-variable
-      phase: after-response
-      selector:
-        expression: ${token}
-        method: jsonq
-      variable:
-        name: Token
-        scope: runtime
-      disabled: true
 bundled: false
 extensions:
  bruno:
--- a/scripts/dbCreate.sql
+++ b/scripts/dbCreate.sql
@@ -1,3 +1,81 @@
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
+-- noinspection SpellCheckingInspectionForFile
+
 --
 -- PostgreSQL database dump
 --
--- a/src/emails/invite.tsx
+++ b/src/emails/invite.tsx
@@ -1,6 +1,5 @@
 import * as React from 'react';
 import { brandColours } from '../utilities/helpers';
-import { size } from 'lodash';

 interface InviteEmailProperties {
    playerName: string;
@@ -21,6 +20,7 @@ export const InviteEmail = (props: InviteEmailProperties) => (
            cellSpacing={0}
            cellPadding={0}
        >
+            <tbody>
                <tr>
                    <td align="center">
                        <div
@@ -72,6 +72,7 @@ export const InviteEmail = (props: InviteEmailProperties) => (
                        </div>
                    </td>
                </tr>
+            </tbody>
        </table>
    </div>
 );
--- a/src/endpoints/auth.ts
+++ b/src/endpoints/auth.ts
@@ -20,7 +20,7 @@ async function login(request: UnwrappedRequest<LoginRequest>): Promise<Response>
        const tokenLifeSpanInDays = 30;
        const token = jwt.sign(
            {
-                u: verify.userId.raw,
+                u: verify.userId,
                r: verify.refreshCount,
            },
            process.env.JWT_REFRESH_KEY as string,
@@ -33,9 +33,9 @@ async function login(request: UnwrappedRequest<LoginRequest>): Promise<Response>
            httpOnly: true,
            secure: true,
            maxAge: tokenLifeSpanInDays * 24 * 60 * 60,
-            path: '/api/auth/token'
+            path: '/api/auth/token',
        });
-        return new OkResponse();
+        return new OkResponse({ token });
    } catch (error: any) {
        return new ErrorResponse(error as Error);
    }
@@ -54,13 +54,13 @@ async function token(request: UnwrappedRequest): Promise<Response> {
            r: string;
        } = jwt.verify(refreshCookie, process.env.JWT_REFRESH_KEY as string) as { u: string; r: string };

-        if (!(await orm.users.verifyRefreshCount(UserId.fromID(refreshToken.u), refreshToken.r))) {
+        if (!(await orm.users.verifyRefreshCount(UserId.fromHash(refreshToken.u), refreshToken.r))) {
            const response = new UnauthorizedResponse('Invalid refresh token');
            response.headers.set('Clear-Site-Data', '"cookies","cache","storage","executionContexts"');
            return response;
        }

-        const claims: Claims | null = await orm.claims.getByUserId(refreshToken.u);
+        const claims: Claims | null = await orm.claims.getByUserId(UserId.fromHash(refreshToken.u));

        const token = jwt.sign({ ...claims }, process.env.JWT_SECRET_KEY as string, {
            expiresIn: process.env.JWT_LIFESPAN as any,
--- a/src/endpoints/circles.ts
+++ b/src/endpoints/circles.ts
@@ -0,0 +1,74 @@
+import { orm } from '../orm/orm';
+import { UnwrappedRequest } from '../utilities/guard';
+import { CreatedResponse, ErrorResponse, OkResponse, PagedResponse } from '../utilities/responseHelper';
+import { CreateCircleRequest, InviteToCircleRequest, UpdateCircleRequest } from '../utilities/requestModels';
+import { CircleId, PlayerId, UserId } from '../utilities/secureIds';
+
+async function create(request: UnwrappedRequest<CreateCircleRequest>): Promise<Response> {
+    try {
+        return new CreatedResponse(await orm.circles.create(request.body, request.claims));
+    } catch (error: any) {
+        return new ErrorResponse(error as Error);
+    }
+}
+
+async function invite(request: UnwrappedRequest<InviteToCircleRequest>): Promise<Response> {
+    try {
+        let relatedEntityId: UserId | PlayerId | string | undefined;
+        if (request.body.userId) {
+            relatedEntityId = UserId.fromHash(request.body.userId);
+        } else if (request.body.playerId) {
+            relatedEntityId = PlayerId.fromHash(request.body.playerId);
+        } else {
+            relatedEntityId = request.body.email;
+        }
+        return new CreatedResponse(
+            await orm.circles.invite(CircleId.fromHash(request.params.id), relatedEntityId, request.claims),
+        );
+    } catch (error: any) {
+        return new ErrorResponse(error as Error);
+    }
+}
+
+async function get(request: UnwrappedRequest): Promise<Response> {
+    try {
+        return new OkResponse(await orm.circles.get(CircleId.fromHash(request.params.id)));
+    } catch (error: any) {
+        return new ErrorResponse(error as Error);
+    }
+}
+
+async function update(request: UnwrappedRequest<UpdateCircleRequest>): Promise<Response> {
+    try {
+        return new OkResponse(
+            await orm.circles.update(CircleId.fromHash(request.params.id), request.body),
+        );
+    } catch (error: any) {
+        return new ErrorResponse(error as Error);
+    }
+}
+
+async function drop(request: UnwrappedRequest): Promise<Response> {
+    try {
+        return new OkResponse(await orm.circles.drop(CircleId.fromHash(request.params.id)));
+    } catch (error: any) {
+        return new ErrorResponse(error as Error);
+    }
+}
+
+async function query(request: UnwrappedRequest): Promise<Response> {
+    try {
+        return new PagedResponse(request, await orm.circles.query(request.params.query));
+    } catch (error: any) {
+        return new ErrorResponse(error as Error);
+    }
+}
+
+export default {
+    create,
+    get,
+    update,
+    drop,
+    query,
+    invite,
+};
--- a/src/endpoints/collections.ts
+++ b/src/endpoints/collections.ts
@@ -1,17 +1,12 @@
 import { orm } from '../orm/orm';
 import { UnwrappedRequest } from '../utilities/guard';
 import { CreatedResponse, ErrorResponse, OkResponse, PagedResponse } from '../utilities/responseHelper';
-import {
-    GameToCollectionRequest,
-    CreateCollectionRequest,
-    UpdateCollectionRequest,
-} from '../utilities/requestModels';
+import { GameToCollectionRequest, CreateCollectionRequest, UpdateCollectionRequest } from '../utilities/requestModels';
 import { CollectionId, GameId } from '../utilities/secureIds';

 async function create(request: UnwrappedRequest<CreateCollectionRequest>): Promise<Response> {
    try {
-        const newPlayer = await orm.collections.create(request.body, request.claims);
-        return new CreatedResponse(newPlayer);
+        return new CreatedResponse(await orm.collections.create(request.body, request.claims));
    } catch (error: any) {
        return new ErrorResponse(error as Error);
    }
--- a/src/endpoints/games.ts
+++ b/src/endpoints/games.ts
@@ -1,23 +1,21 @@
 import { orm } from '../orm/orm';
 import { UnwrappedRequest } from '../utilities/guard';
 import { CreatedResponse, ErrorResponse, OkResponse, PagedResponse } from '../utilities/responseHelper';
-import {
-    CreateGameRequest,
-    UpdateGameRequest,
-} from '../utilities/requestModels';
+import { CreateGameRequest, UpdateGameRequest } from '../utilities/requestModels';
 import { GameId } from '../utilities/secureIds';

 async function create(request: UnwrappedRequest<CreateGameRequest>): Promise<Response> {
    try {
-        const newUser = await orm.games.create(
+        return new CreatedResponse(
+            await orm.games.create(
                {
                    name: request.body.name,
                    bggId: request.body.bggId,
                    imagePath: request.body.imagePath,
                },
                request.claims,
+            ),
        );
-        return new CreatedResponse(newUser);
    } catch (error: any) {
        return new ErrorResponse(error as Error);
    }
@@ -33,13 +31,7 @@ async function get(request: UnwrappedRequest): Promise<Response> {

 async function update(request: UnwrappedRequest<UpdateGameRequest>): Promise<Response> {
    try {
-        return new OkResponse(
-            await orm.games.update(
-                GameId.fromHash(request.params.id),
-                request.body,
-                request.claims,
-            ),
-        );
+        return new OkResponse(await orm.games.update(GameId.fromHash(request.params.id), request.body, request.claims));
    } catch (error: any) {
        return new ErrorResponse(error as Error);
    }
--- a/src/endpoints/invites.ts
+++ b/src/endpoints/invites.ts
@@ -1,22 +1,18 @@
 import { orm } from '../orm/orm';
 import { UnwrappedRequest } from '../utilities/guard';
 import { CreatedResponse, ErrorResponse } from '../utilities/responseHelper';
-import {
-    AcceptInviteRequest,
-    InviteUserRequest,
-} from '../utilities/requestModels';
+import { AcceptInviteRequest, InviteUserRequest } from '../utilities/requestModels';
 import { PlayerId, UserId } from '../utilities/secureIds';

 async function create(request: UnwrappedRequest<InviteUserRequest>): Promise<Response> {
    try {
-        const newUser = await orm.invites.create(
-            {
+        return new CreatedResponse(
+            await orm.invites.create({
                ...request.body,
                playerId: PlayerId.fromHash(request.body.playerId),
                invitedByUserId: request.claims.userId as UserId,
-            },
+            }),
        );
-        return new CreatedResponse(newUser);
    } catch (error: any) {
        return new ErrorResponse(error as Error);
    }
@@ -24,8 +20,7 @@ async function create(request: UnwrappedRequest<InviteUserRequest>): Promise<Res

 async function accept(request: UnwrappedRequest<AcceptInviteRequest>): Promise<Response> {
    try {
-        const newUser = await orm.invites.accept(request.body);
-        return new CreatedResponse(newUser);
+        return new CreatedResponse(await orm.invites.accept(request.body));
    } catch (error: any) {
        return new ErrorResponse(error as Error);
    }
--- a/src/endpoints/matches.ts
+++ b/src/endpoints/matches.ts
@@ -0,0 +1,55 @@
+import { orm } from '../orm/orm';
+import { UnwrappedRequest } from '../utilities/guard';
+import { CreatedResponse, ErrorResponse, OkResponse } from '../utilities/responseHelper';
+import { CreateMatchRequest } from '../utilities/requestModels';
+import { GameId, MatchId, PlayerId, UserId } from '../utilities/secureIds';
+import { MatchParticipant } from '../orm/matches';
+
+async function create(request: UnwrappedRequest<CreateMatchRequest>): Promise<Response> {
+    try {
+        return new CreatedResponse(
+            await orm.matches.create({
+                gameId: GameId.fromHash(request.body.gameId),
+                ownerId: request.claims.userId as UserId,
+                participants: request.body.participants.map(
+                    (x) => new MatchParticipant(PlayerId.fromHash(x.playerId), x.standing),
+                ),
+            }),
+        );
+    } catch (error: any) {
+        return new ErrorResponse(error as Error);
+    }
+}
+
+async function get(request: UnwrappedRequest): Promise<Response> {
+    try {
+        return new OkResponse(await orm.matches.get(MatchId.fromHash(request.params.id), request.claims));
+    } catch (error: any) {
+        return new ErrorResponse(error as Error);
+    }
+}
+
+async function drop(request: UnwrappedRequest): Promise<Response> {
+    try {
+        return new OkResponse(await orm.matches.drop(MatchId.fromHash(request.params.id), request.claims));
+    } catch (error: any) {
+        return new ErrorResponse(error as Error);
+    }
+}
+
+async function leave(request: UnwrappedRequest): Promise<Response> {
+    try {
+        return new OkResponse(
+            await orm.matches.removePlayer(MatchId.fromHash(request.params.id), request.claims.userId as UserId),
+        );
+    } catch (error: any) {
+        return new ErrorResponse(error as Error);
+    }
+}
+
+export default {
+    create,
+    get,
+    drop,
+    leave,
+};
--- a/src/endpoints/players.ts
+++ b/src/endpoints/players.ts
@@ -6,8 +6,7 @@ import { PlayerId } from '../utilities/secureIds';

 async function create(request: UnwrappedRequest<CreatePlayerRequest>): Promise<Response> {
    try {
-        const newPlayer = await orm.players.create(request.body);
-        return new CreatedResponse(newPlayer);
+        return new CreatedResponse(await orm.players.create(request.body));
    } catch (error: any) {
        return new ErrorResponse(error as Error);
    }
--- a/src/endpoints/users.ts
+++ b/src/endpoints/users.ts
@@ -6,13 +6,12 @@ import { PlayerId, UserId } from '../utilities/secureIds';

 async function create(request: UnwrappedRequest<CreateUserRequest>): Promise<Response> {
    try {
-        const newUser = await orm.users.create(
-            {
+        return new CreatedResponse(
+            await orm.users.create({
                ...request.body,
                playerId: PlayerId.fromHash(request.body.playerId),
-            }
+            }),
        );
-        return new CreatedResponse(newUser);
    } catch (error: any) {
        return new ErrorResponse(error as Error);
    }
@@ -28,9 +27,7 @@ async function get(request: UnwrappedRequest): Promise<Response> {

 async function update(request: UnwrappedRequest<UpdateUserRequest>): Promise<Response> {
    try {
-        return new OkResponse(
-            await orm.users.update(UserId.fromHash(request.params.id), request.body, request.claims),
-        );
+        return new OkResponse(await orm.users.update(UserId.fromHash(request.params.id), request.body, request.claims));
    } catch (error: any) {
        return new ErrorResponse(error as Error);
    }
--- a/src/index.ts
+++ b/src/index.ts
@@ -6,20 +6,25 @@ import games from './routes/games';
 import invites from './routes/invites';
 import collections from './routes/collections';
 import { buildRoute } from './utilities/routeBuilder';
+import { MatchId } from './utilities/secureIds';
+import matches from './routes/matches';
+import circles from './routes/circles';

 const server = Bun.serve({
    routes: buildRoute({
-        [process.env.API_ROOT_PATH ?? '']:{
+        [process.env.API_ROOT_PATH ?? '']: {
            auth,
            users,
            players,
            games,
            invites,
            collections,
+            matches,
+            circles,
        },
-        'test': {
+        test: {
            GET: () => {
-                return new OkResponse();
+                return new OkResponse(MatchId.fromID('2').value);
            },
        },
    }) as any,
--- a/src/orm/circles.ts
+++ b/src/orm/circles.ts
@@ -0,0 +1,192 @@
+import { Claims } from './claims';
+import { sql } from 'bun';
+import { first } from 'lodash';
+import { BadRequestError, NotFoundError, UnauthorizedError } from '../utilities/errors';
+import { CreateCircleRequest, UpdateCircleRequest } from '../utilities/requestModels';
+import { memo } from '../utilities/helpers';
+import { CircleId, PlayerId, UserId } from '../utilities/secureIds';
+import { orm } from './orm';
+import { User } from './user';
+
+export class Circle {
+    id: CircleId;
+    owningUserId: UserId;
+    name: string;
+    isPublic: boolean;
+    imagePath?: string;
+    colour?: string;
+
+    constructor({
+        id,
+        owningUserId,
+        name,
+        isPublic,
+        imagePath,
+        colour,
+    }: {
+        id: CircleId;
+        owningUserId: UserId;
+        name: string;
+        isPublic: boolean;
+        imagePath?: string;
+        colour?: string;
+    }) {
+        this.id = id;
+        this.owningUserId = owningUserId;
+        this.name = name;
+        this.isPublic = isPublic;
+        this.imagePath = imagePath;
+        this.colour = colour;
+    }
+}
+
+export class CircleOrm {
+    async create(model: CreateCircleRequest, claims?: Claims): Promise<Circle> {
+        if (model.isPublic && claims && !claims.test(Claims.ADMIN, Claims.CIRCLES.PUBLIC.CREATE)) {
+            throw new UnauthorizedError();
+        }
+
+        await sql`INSERT INTO circles (owning_user_id, name, is_public, colour)
+                  VALUES (${claims?.userId.raw},
+                          ${model.name},
+                          ${model.isPublic},
+                          ${model.colour})`;
+        const newRecordId: string = (first(await sql`SELECT lastval();`) as any)?.lastval as string;
+
+        return await this.get(CircleId.fromID(newRecordId));
+    }
+
+    async get(id: CircleId, claims?: Claims): Promise<Circle> {
+        const record: any = first(
+            await sql`SELECT *
+                      FROM circles
+                      WHERE id = ${id.raw}
+                      LIMIT 1`,
+        );
+
+        if (!record) {
+            throw new NotFoundError('No matching game exists');
+        }
+
+        let user: User;
+        if (
+            claims &&
+            !claims.test(Claims.ADMIN) &&
+            !(claims.test(Claims.CIRCLES.PUBLIC.READ) && record.is_public) &&
+            !(claims.test(Claims.CIRCLES.OWNED.READ) && record.owning_user_id === claims.userId.raw) &&
+            !(
+                claims.test(Claims.CIRCLES.PRIVATE.READ_IF_MEMBER) &&
+                (user = await orm.users.get(claims.userId)) &&
+                (await sql`SELECT * FROM player_circles WHERE circle_id = ${id.raw}`).some(
+                    (x: { player_id: string }) => x.player_id === user.playerId.raw,
+                )
+            )
+        ) {
+            throw new UnauthorizedError();
+        }
+
+        return new Circle({
+            id: CircleId.fromID(record.id),
+            owningUserId: UserId.fromID(record.owning_user_id),
+            name: record.name,
+            isPublic: record.is_public,
+            imagePath: record.image_path,
+            colour: record.colour,
+        });
+    }
+
+    async update(id: CircleId, patch: UpdateCircleRequest): Promise<Circle> {
+        const circle = await this.get(id);
+        circle.name = patch.name ?? circle.name;
+        circle.colour = patch.colour ?? circle.colour;
+        circle.imagePath = patch.imagePath ?? circle.imagePath;
+
+        await sql`UPDATE circles
+                  SET name=${circle.name},
+                      colour=${circle.colour},
+                      image_path=${circle.imagePath}
+                  WHERE id = ${id.raw}`;
+
+        return await this.get(id);
+    }
+
+    async drop(id: CircleId): Promise<void> {
+        // Ensure record exists before attempting to delete
+        await this.get(id);
+        await sql.transaction(async (tx) => {
+            await tx`DELETE
+                     FROM player_circles
+                     WHERE circle_id = ${id.raw}`;
+            await tx`DELETE
+                     FROM circle_invites
+                     WHERE circle_id = ${id.raw}`;
+            await tx`DELETE
+                     FROM circle_comments
+                     WHERE circle_id = ${id.raw}`;
+            await tx`DELETE
+                     FROM circles
+                     WHERE id = ${id.raw}`;
+        });
+
+        return;
+    }
+
+    async invite(
+        circleId: CircleId,
+        relatedRecord: PlayerId | UserId | string | undefined,
+        claims: Claims,
+    ): Promise<void> {
+        if (relatedRecord === undefined) {
+            throw new BadRequestError();
+        }
+
+        const circle = await this.get(circleId, claims);
+        if (
+            claims &&
+            ((circle.isPublic && !claims.test(Claims.CIRCLES.PUBLIC.USERS.INVITE)) ||
+                (!circle.isPublic &&
+                    !(claims.test(Claims.CIRCLES.OWNED.USERS.INVITE) && circle.owningUserId === claims.userId)))
+        ) {
+            throw new UnauthorizedError();
+        }
+
+        let invitedUserId: UserId | undefined;
+        if (relatedRecord instanceof UserId) {
+            invitedUserId = relatedRecord;
+        } else if (relatedRecord instanceof PlayerId) {
+            invitedUserId = (await orm.users.getByPlayer(relatedRecord))?.id;
+        } else {
+            invitedUserId = (await orm.users.getByEmail(relatedRecord))?.id;
+        }
+
+        if (!invitedUserId) {
+            throw new BadRequestError();
+        }
+        await sql`INSERT INTO circle_invites(invited_user_id, invited_by_user_id, circle_id)
+                  VALUES (${invitedUserId.raw}, ${claims.userId.raw}, ${circleId.raw})`;
+    }
+
+    query: (query: string) => Promise<Circle[]> = memo<(query: string) => Promise<Circle[]>, Circle[]>(this.#query);
+    async #query(query: string): Promise<Circle[]> {
+        const queryResult: any = await sql` SELECT
+                           id, name, owning_user_id, is_public
+                       FROM (SELECT *, SIMILARITY(${query}, name) as similarity FROM circles WHERE is_public=true)
+                       WHERE similarity > 0
+                       ORDER BY similarity
+                       LIMIT 5;`;
+
+        if (!queryResult) {
+            throw new NotFoundError('No matching circles exists');
+        }
+
+        return queryResult.map(
+            (x: { id: string; name: string; owning_user_id: string; is_public: boolean }) =>
+                new Circle({
+                    id: CircleId.fromID(x.id),
+                    name: x.name,
+                    isPublic: x.is_public,
+                    owningUserId: UserId.fromID(x.owning_user_id),
+                }),
+        );
+    }
+}
--- a/src/orm/claims.ts
+++ b/src/orm/claims.ts
@@ -3,36 +3,47 @@ import { ClaimDefinition } from '../utilities/claimDefinitions';
 import { UserId } from '../utilities/secureIds';

 export class Claims extends ClaimDefinition {
-    userId?: UserId;
+    userId: UserId;
    claims: string[] = [];

-    constructor(raw?: { userId?: string; claims?: string[] }) {
+    constructor(raw?: { userId?: string | UserId; claims?: string[] }) {
        super();
-        this.userId = raw?.userId ? UserId.fromHash(raw.userId) : undefined;
+        if (raw?.userId instanceof UserId) {
+            this.userId = raw.userId;
+        } else {
+            this.userId = UserId.fromHash(raw?.userId ?? '');
+        }
        this.claims = raw?.claims ?? [];
    }

-    public static test(guardClaim: string, userClaims?: Claims): Boolean {
-        return userClaims === undefined || userClaims.claims.some((x) => x === guardClaim);
+    test(...guardClaims: string[]): Boolean {
+        return Claims.test(this, ...guardClaims);
+    }
+
+    public static test(userClaims?: Claims, ...guardClaims: string[]): Boolean {
+        return (
+            userClaims === undefined ||
+            userClaims.claims.some((x: string): boolean => guardClaims.some((y: string): boolean => x === y))
+        );
    }
 }

 export class ClaimsOrm {
-    async getByUserId(userId: string): Promise<Claims> {
-        const dbResults: any[] = await sql`SELECT c.name
+    async getByUserId(userId: UserId): Promise<Claims> {
+        const records: any[] = await sql`SELECT c.name
                                           from user_claims as uc
                                                    JOIN claims as c on uc.claim_id = c.id
-                                           where uc.user_id = ${userId};`;
-        const claims = new Claims();
-        claims.userId = UserId.fromID(userId);
-        claims.claims = dbResults.map((x) => x.name);
-        return claims;
+                                           where uc.user_id = ${userId.raw};`;
+        return new Claims({
+            userId: userId,
+            claims: records.map((x) => x.name),
+        });
    }

    async getDefaultClaims(): Promise<number[]> {
-        const dbResults: any[] = await sql`SELECT id
+        const records: any[] = await sql`SELECT id
                                           FROM claims
                                           WHERE is_default = true;`;
-        return dbResults.map((x) => x.id);
+        return records.map((x) => x.id);
    }
 }
--- a/src/orm/collections.ts
+++ b/src/orm/collections.ts
@@ -4,16 +4,18 @@ import { first } from 'lodash';
 import { NotFoundError, UnauthorizedError } from '../utilities/errors';
 import { UpdateCollectionRequest } from '../utilities/requestModels';
 import { Game } from './games';
-import { CollectionId, GameId } from '../utilities/secureIds';
+import { CollectionId, GameId, UserId } from '../utilities/secureIds';

 export class Collection {
    id: CollectionId;
    name: string;
+    ownerId: UserId;
    games: Game[];

-    constructor(input: { id: CollectionId; name: string; games?: Game[] }) {
+    constructor(input: { id: CollectionId; name: string; ownerId:UserId; games?: Game[] }) {
        this.id = input.id;
        this.name = input?.name;
+        this.ownerId = input.ownerId;
        this.games = input.games ?? [];
    }
 }
@@ -22,13 +24,13 @@ export class CollectionsOrm {
    async create(model: { name: string }, claims: Claims): Promise<Collection> {
        await sql`INSERT INTO collections (name, user_id)
                         VALUES (${model.name}, ${claims?.userId?.raw})`;
-        const newPCollectionId: string = (first(await sql`SELECT lastval();`) as any)?.lastval as string;
+        const newRecordId: string = (first(await sql`SELECT lastval();`) as any)?.lastval as string;

-        return await this.get(CollectionId.fromID(newPCollectionId));
+        return await this.get(CollectionId.fromID(newRecordId));
    }

    async get(id: CollectionId, claims?: Claims): Promise<Collection> {
-        const dbResult: any = await sql`SELECT
+        const records: any = await sql`SELECT
                          c.id AS collection_id,
                          c.name AS collection_name,
                          c.user_id AS user_id,
@@ -38,25 +40,26 @@ export class CollectionsOrm {
                           LEFT JOIN collection_games cg ON cg.collection_id = c.id
                           LEFT JOIN games g ON g.id = cg.game_id
                      WHERE c.id = ${id.raw}`;
-
-        if (!(Claims.test(Claims.ADMIN, claims) || Claims.test(Claims.COLLECTIONS.UNOWNED.READ, claims))) {
-            throw new UnauthorizedError();
-        } else if (
-            Claims.test(Claims.COLLECTIONS.OWNED.READ, claims) &&
-            claims?.userId &&
-            dbResult?.[0]?.user_id !== claims.userId.raw
+        if (
+            claims &&
+            !(
+                claims.test(Claims.ADMIN, Claims.COLLECTIONS.UNOWNED.READ) ||
+                (Claims.test(claims, Claims.COLLECTIONS.OWNED.READ) &&
+                    records?.[0]?.user_id === claims?.userId?.raw)
+            )
        ) {
            throw new UnauthorizedError();
        }

-        if (!dbResult?.length) {
+        if (!records?.length) {
            throw new NotFoundError('No matching player exists');
        }

        return new Collection({
-            id: CollectionId.fromID(dbResult[0].collection_id),
-            name: dbResult[0].collection_name,
-            games: dbResult
+            id: CollectionId.fromID(records[0].collection_id),
+            name: records[0].collection_name,
+            ownerId: UserId.fromID(records[0].user_id),
+            games: records
                .filter((x: { game_id: string; game_name: string }) => x.game_id)
                .map(
                    (x: { game_id: string; game_name: string }) =>
@@ -69,25 +72,27 @@ export class CollectionsOrm {
    }

    async list(claims?: Claims): Promise<Collection[]> {
-        if (!claims || Claims.test(Claims.ADMIN, claims)) {
+        if (!claims || claims?.test(Claims.ADMIN)) {
            return (await sql`SELECT * FROM collections`).map(
-                (x: { id: string; name: string }) =>
+                (x: { id: string; name: string, user_id: string }) =>
                    new Collection({
                        id: CollectionId.fromID(x.id),
                        name: x.name,
+                        ownerId: UserId.fromID(x.user_id)
                    }),
            );
        }

-        if (!Claims.test(Claims.COLLECTIONS.OWNED.LIST, claims)) {
+        if (!claims.test(Claims.COLLECTIONS.OWNED.LIST)) {
            throw new UnauthorizedError();
        }

        return (await sql`SELECT * FROM collections WHERE user_id=${claims.userId?.raw}`).map(
-            (x: { id: string; name: string }) =>
+            (x: { id: string; name: string; user_id: string }) =>
                new Collection({
                    id: CollectionId.fromID(x.id),
                    name: x.name,
+                    ownerId: UserId.fromID(x.user_id)
                }),
        );
    }
@@ -95,15 +100,17 @@ export class CollectionsOrm {
    async update(id: CollectionId, patch: UpdateCollectionRequest, claims?: Claims): Promise<Collection> {
        const collection = await this.get(id);

-        if (!(Claims.test(Claims.ADMIN, claims) || Claims.test(Claims.COLLECTIONS.UNOWNED.UPDATE, claims))) {
-            throw new UnauthorizedError();
-        } else if (
-            Claims.test(Claims.COLLECTIONS.OWNED.UPDATE, claims) &&
-            claims?.userId &&
-            collection.id !== claims.userId
+        if (
+            claims &&
+            !(
+                claims.test(Claims.ADMIN, Claims.COLLECTIONS.UNOWNED.UPDATE) ||
+                (Claims.test(claims, Claims.COLLECTIONS.OWNED.UPDATE) &&
+                    collection.ownerId === claims?.userId)
+            )
        ) {
            throw new UnauthorizedError();
        }
+
        collection.name = patch.name ?? collection.name;

        await sql`UPDATE collections SET name=${collection.name} WHERE id=${id.raw}`;
@@ -113,12 +120,14 @@ export class CollectionsOrm {

    async drop(id: CollectionId, claims?: Claims): Promise<void> {
        const collection = await this.get(id);
-        if (!(Claims.test(Claims.ADMIN, claims) || Claims.test(Claims.COLLECTIONS.UNOWNED.DELETE, claims))) {
-            throw new UnauthorizedError();
-        } else if (
-            Claims.test(Claims.COLLECTIONS.OWNED.DELETE, claims) &&
-            claims?.userId &&
-            collection.id !== claims.userId
+
+        if (
+            claims &&
+            !(
+                claims.test(Claims.ADMIN, Claims.COLLECTIONS.UNOWNED.DELETE) ||
+                (Claims.test(claims, Claims.COLLECTIONS.OWNED.DELETE) &&
+                    collection.ownerId === claims?.userId)
+            )
        ) {
            throw new UnauthorizedError();
        }
@@ -130,12 +139,14 @@ export class CollectionsOrm {

    async addGame(id: CollectionId, gameId: GameId, claims: Claims): Promise<void> {
        const collection = await this.get(id);
-        if (!(Claims.test(Claims.ADMIN, claims) || Claims.test(Claims.COLLECTIONS.UNOWNED.GAME.ADD, claims))) {
-            throw new UnauthorizedError();
-        } else if (
-            Claims.test(Claims.COLLECTIONS.OWNED.GAME.ADD, claims) &&
-            claims?.userId &&
-            collection.id !== claims.userId
+
+        if (
+            claims &&
+            !(
+                claims.test(Claims.ADMIN) ||
+                (Claims.test(claims, Claims.COLLECTIONS.OWNED.GAME.ADD) &&
+                    collection.ownerId === claims?.userId)
+            )
        ) {
            throw new UnauthorizedError();
        }
@@ -147,12 +158,14 @@ export class CollectionsOrm {
    }
    async removeGame(id: CollectionId, gameId: GameId, claims: Claims): Promise<void> {
        const collection = await this.get(id);
-        if (!(Claims.test(Claims.ADMIN, claims) || Claims.test(Claims.COLLECTIONS.UNOWNED.GAME.REMOVE, claims))) {
-            throw new UnauthorizedError();
-        } else if (
-            Claims.test(Claims.COLLECTIONS.OWNED.GAME.REMOVE, claims) &&
-            claims?.userId &&
-            collection.id !== claims.userId
+
+        if (
+            claims &&
+            !(
+                claims.test(Claims.ADMIN) ||
+                (Claims.test(claims, Claims.COLLECTIONS.OWNED.GAME.REMOVE) &&
+                    collection.ownerId === claims?.userId)
+            )
        ) {
            throw new UnauthorizedError();
        }
--- a/src/orm/games.ts
+++ b/src/orm/games.ts
@@ -23,45 +23,45 @@ export class Game {
 export class GamesOrm {
    async create(model: CreateGameRequest, claims?: Claims): Promise<Game> {
        await sql`INSERT INTO games (name, image_path, bgg_id)
-                         VALUES (${model.name}, ${Claims.test(Claims.GAMES.MANAGE_IMAGES, claims) ? model.imagePath : null}, ${model.bggId})`;
-        const newGameId: string = (first(await sql`SELECT lastval();`) as any)?.lastval as string;
+                         VALUES (${model.name}, ${claims?.test(Claims.GAMES.MANAGE_IMAGES) ? model.imagePath : null}, ${model.bggId})`;
+        const newRecordId: string = (first(await sql`SELECT lastval();`) as any)?.lastval as string;

-        return await this.get(GameId.fromID(newGameId));
+        return await this.get(GameId.fromID(newRecordId));
    }

    async get(id: GameId): Promise<Game> {
-        const dbResult: any = first(
+        const record: any = first(
            await sql`SELECT *
                      FROM games
                      WHERE id = ${id.raw}
                      LIMIT 1`,
        );

-        if (!dbResult) {
+        if (!record) {
            throw new NotFoundError('No matching game exists');
        }

        return new Game({
-            id: GameId.fromID(dbResult.id),
-            name: dbResult.name,
-            bggId: dbResult.bgg_id,
-            imagePath: dbResult.image_path,
+            id: GameId.fromID(record.id),
+            name: record.name,
+            bggId: record.bgg_id,
+            imagePath: record.image_path,
        });
    }

    async update(id: GameId, patch: UpdateGameRequest, claims?: Claims): Promise<Game> {
-        const gameToUpdate = await this.get(id);
-        gameToUpdate.name = patch.name ?? gameToUpdate.name;
-        gameToUpdate.bggId = patch.bggId ?? gameToUpdate.bggId;
+        const game = await this.get(id);
+        game.name = patch.name ?? game.name;
+        game.bggId = patch.bggId ?? game.bggId;

-        if (Claims.test(Claims.GAMES.MANAGE_IMAGES, claims)) {
-            gameToUpdate.imagePath = patch.imagePath ?? gameToUpdate.imagePath;
+        if (claims?.test(Claims.GAMES.MANAGE_IMAGES)) {
+            game.imagePath = patch.imagePath ?? game.imagePath;
        }

        await sql`UPDATE games
-                  SET name=${gameToUpdate.name},
-                      bgg_id=${gameToUpdate.bggId},
-                      image_path=${gameToUpdate.imagePath}
+                  SET name=${game.name},
+                      bgg_id=${game.bggId},
+                      image_path=${game.imagePath}
                  WHERE id = ${id.raw}`;

        return await this.get(id);
@@ -90,18 +90,18 @@ export class GamesOrm {

    query: (query: string) => Promise<Game[]> = memo<(query: string) => Promise<Game[]>, Game[]>(this.#query);
    async #query(query: string): Promise<Game[]> {
-        const dbResult: any = await sql` SELECT
+        const records: any = await sql` SELECT
                           id, name
                       FROM (SELECT *, SIMILARITY(${query}, name) as similarity FROM games)
                       WHERE similarity > 0
                       ORDER BY similarity
                       LIMIT 5;`;

-        if (!dbResult) {
+        if (!records) {
            throw new NotFoundError('No matching game exists');
        }

-        return dbResult.map(
+        return records.map(
            (x: { id: string; name: string }) =>
                new Game({
                    id: GameId.fromID(x.id),
--- a/src/orm/invites.ts
+++ b/src/orm/invites.ts
@@ -22,7 +22,7 @@ export class InvitesOrm {
        },
        claims?: Claims,
    ): Promise<void> {
-        if (!Claims.test(Claims.ADMIN, claims)) {
+        if (!claims?.test(Claims.ADMIN)) {
            const userInviteCount = (
                first(
                    await sql`SELECT COUNT(*) AS count
@@ -35,7 +35,7 @@ export class InvitesOrm {
                throw new UnauthorizedError('Invite allowance reached.');
            }

-            const inviteExists = (
+            const doesInviteExist = (
                first(
                    await sql`SELECT COUNT(*) > 0 AS exists
                            FROM user_invites
@@ -45,12 +45,12 @@ export class InvitesOrm {
                    exists: boolean;
                }
            )?.exists;
-            if (inviteExists) {
+            if (doesInviteExist) {
                throw new BadRequestError('Player has already been invited.');
            }
        }

-        const playerHasUser = (
+        const isPlayerAssociatedWithUser = (
            first(
                await sql`SELECT COUNT(*) > 0 AS exists
                          FROM users
@@ -60,7 +60,7 @@ export class InvitesOrm {
                exists: boolean;
            }
        )?.exists;
-        if (playerHasUser) {
+        if (isPlayerAssociatedWithUser) {
            throw new BadRequestError('User has already been invited.');
        }

@@ -69,7 +69,7 @@ export class InvitesOrm {
        const invitationCode = createRandomString(6);
        await sql`INSERT INTO user_invites (invite_code, email, player_id, invited_by_user_id)
            VALUES (${invitationCode}, ${email}, ${playerId.raw}, ${invitedByUserId.raw})`;
-        const newInviteId: string = (first(await sql`SELECT lastval();`) as any)?.lastval as string;
+        const newRecordId: string = (first(await sql`SELECT lastval();`) as any)?.lastval as string;

        const resend = new Resend(process.env.RESEND_KEY);
        const resendResponse = await resend.emails.send({
@@ -83,51 +83,51 @@ export class InvitesOrm {
            throw new InternalServerError();
        }

-        await sql`UPDATE user_invites SET was_email_sent = true WHERE id=${newInviteId}`;
+        await sql`UPDATE user_invites SET was_email_sent = true WHERE id=${newRecordId}`;

        return;
    }

    async accept({ inviteCode, password }: { inviteCode: string; password: string }): Promise<User> {
-        const invite: {
+        const record: {
            id: string;
            email: string;
            player_id: string;
            accepted: boolean;
        } = first(await sql`SELECT * FROM user_invites WHERE invite_code=${inviteCode} LIMIT 1`);

-        if (!invite) {
+        if (!record) {
            throw new NotFoundError('Invalid invite code');
        }

-        if (invite.accepted) {
+        if (record.accepted) {
            throw new UnauthorizedError('Invite already accepted');
        }

-        const playerHasUser = (
+        const isPlayerAssociatedWithUser = (
            first(
                await sql`SELECT COUNT(*) > 0 AS exists
                          FROM users
-                          WHERE player_id = ${invite.player_id}
-                             OR email = ${invite.email}`,
+                          WHERE player_id = ${record.player_id}
+                             OR email = ${record.email}`,
            ) as {
                exists: boolean;
            }
        )?.exists;
-        if (playerHasUser) {
+        if (isPlayerAssociatedWithUser) {
            throw new BadRequestError('User has already been invited.');
        }

-        const createdUser = await orm.users.create({
-            email: invite.email,
-            playerId: PlayerId.fromID(invite.player_id),
+        const user = await orm.users.create({
+            email: record.email,
+            playerId: PlayerId.fromID(record.player_id),
            password,
        });

        await sql`UPDATE user_invites
                  SET accepted = true
-                  WHERE id = ${invite.id}`;
+                  WHERE id = ${record.id}`;

-        return createdUser;
+        return user;
    }
 }
--- a/src/orm/matches.ts
+++ b/src/orm/matches.ts
@@ -0,0 +1,205 @@
+import { Claims } from './claims';
+import { sql } from 'bun';
+import { first, orderBy } from 'lodash';
+import { BadRequestError, NotFoundError, UnauthorizedError } from '../utilities/errors';
+import { GameId, MatchId, PlayerId, UserId } from '../utilities/secureIds';
+import { calculateElos } from '../utilities/elo';
+import { orm } from './orm';
+
+export class MatchParticipant {
+    matchId?: MatchId;
+    playerId: PlayerId;
+    gamesPlayed?: number;
+    standing: number;
+    elo: number;
+    eloChange: number;
+    isRatingLocked?: boolean;
+
+    constructor(
+        playerId: PlayerId,
+        standing: number,
+        eloChange: number = 0,
+        gamesPlayed?: number,
+        elo: number = 1000,
+        matchId?: MatchId,
+    ) {
+        this.matchId = matchId;
+        this.playerId = playerId;
+        this.standing = standing;
+        this.elo = elo;
+        this.gamesPlayed = gamesPlayed;
+        this.eloChange = eloChange;
+    }
+}
+
+export class Match {
+    id: MatchId;
+    gameId: GameId;
+    players: MatchParticipant[];
+    owner: UserId;
+
+    constructor(id: MatchId, gameId: GameId, players: MatchParticipant[], owner: UserId) {
+        this.id = id;
+        this.gameId = gameId;
+        this.players = players;
+        this.owner = owner;
+    }
+}
+
+export class MatchOrm {
+    async create({
+        gameId,
+        participants,
+        ownerId,
+    }: {
+        gameId: GameId;
+        participants: MatchParticipant[];
+        ownerId: UserId;
+    }): Promise<Match> {
+        await sql`INSERT INTO matches (game_id, owning_user_id) VALUES (${gameId.raw}, ${ownerId.raw})`;
+        const newMatchId = MatchId.fromID((first(await sql`SELECT lastval();`) as any)?.lastval as string);
+
+        const players = await sql`
+                SELECT p.id,
+                       p.is_rating_locked,
+                       (CASE WHEN p.is_rating_locked THEN 1000 ELSE 1000 + COALESCE(sum(mp.elo_change), 0) END) as elo,
+                       (CASE WHEN p.is_rating_locked THEN 0 ELSE count(mp.*) END)                               as games_played
+                FROM players p
+                         LEFT JOIN match_players mp ON mp.player_id = p.id
+                WHERE p.id IN ${sql(participants.map((x) => x.playerId.raw))}
+                GROUP BY p.id;`;
+
+        for (let i in participants) {
+            const player = players.find((x: any) => x.id === participants[i].playerId.raw);
+            participants[i].elo = parseInt(player.elo);
+            participants[i].gamesPlayed = parseInt(player.games_played);
+            participants[i].isRatingLocked = player.is_rating_locked;
+        }
+
+        const amendedPlayers = calculateElos(participants);
+
+        await sql.transaction(async (tx) => {
+            for (let i in amendedPlayers) {
+                await tx`
+                    INSERT INTO match_players(match_id, player_id, standing, elo_change)
+                    VALUES (${newMatchId.raw},
+                            ${amendedPlayers[i].playerId.raw},
+                            ${amendedPlayers[i].standing},
+                            ${amendedPlayers[i].isRatingLocked ? 0 : amendedPlayers[i].eloChange})`;
+
+                if (amendedPlayers[i].isRatingLocked) {
+                    continue;
+                }
+
+                await tx`UPDATE players SET elo=${amendedPlayers[i].elo} WHERE id=${amendedPlayers[i].playerId.raw}`;
+            }
+        });
+
+        return await this.get(newMatchId);
+    }
+
+    async get(id: MatchId, claims?: Claims): Promise<Match> {
+        const dbResult = await sql`
+            SELECT m.id             as match_id,
+                   m.owning_user_id as owner_id,
+                   g.id             as game_id,
+                   g.name           as game_name,
+                   p.id             as player_id,
+                   p.name           as player_name,
+                   p.elo            as elo,
+                   mp.standing      as standing,
+                   mp.elo_change    as elo_change
+            FROM matches m
+                     LEFT JOIN games g ON g.id = m.game_id
+                     LEFT JOIN match_players mp ON mp.match_id = m.id
+                     LEFT JOIN players p ON p.id = mp.player_id
+            WHERE m.id = ${id.raw}`;
+
+        if (
+            claims &&
+            !(
+                claims.test(Claims.ADMIN) ||
+                (claims.test(Claims.MATCHES.OWNED.READ) && dbResult?.[0]?.owner_id === claims?.userId?.raw) ||
+                (claims.test(Claims.MATCHES.PARTICIPANT.READ) &&
+                    dbResult?.some((x: any) => x.player_id === claims?.userId?.raw))
+            )
+        ) {
+            throw new UnauthorizedError();
+        }
+
+        const matchData = dbResult?.find((x: any) => x.match_id);
+        if (!matchData?.match_id) {
+            throw new NotFoundError('No matching match exists');
+        }
+
+        return new Match(
+            MatchId.fromID(matchData?.match_id),
+            GameId.fromID(matchData?.game_id),
+            orderBy(
+                dbResult
+                    .filter((x: any) => x.player_id)
+                    .map(
+                        (x: any) =>
+                            new MatchParticipant(
+                                PlayerId.fromID(x.player_id),
+                                parseInt(x.standing),
+                                parseInt(x.elo_change),
+                                undefined,
+                                parseInt(x.elo),
+                            ),
+                    ),
+                'standing',
+                'asc',
+            ),
+            UserId.fromID(dbResult?.[0]?.owner_id),
+        );
+    }
+
+    async drop(id: MatchId, claims?: Claims): Promise<void> {
+        const match = await this.get(id);
+        if (
+            claims &&
+            !(claims.test(Claims.ADMIN) || (claims.test(Claims.MATCHES.OWNED.DELETE) && match.owner === claims?.userId))
+        ) {
+            throw new UnauthorizedError();
+        }
+
+        await sql.transaction(async (tx) => {
+            await tx`DELETE
+                     FROM match_players
+                     WHERE match_id = ${id.raw}`;
+            await tx`DELETE
+                     FROM matches
+                     WHERE id = ${id.raw}`;
+        });
+
+        return;
+    }
+
+    async removePlayer(matchId: MatchId, participantId: UserId | PlayerId): Promise<void> {
+        let playerId: PlayerId;
+        if (participantId instanceof PlayerId) {
+            playerId = participantId;
+        } else {
+            playerId = (await orm.users.get(participantId))?.playerId;
+            if (!playerId) {
+                throw new BadRequestError('User is not a participant');
+            }
+        }
+
+        const player = await orm.players.get(playerId);
+
+        await sql.transaction(async (tx) => {
+            const eloRefund = parseInt(
+                (
+                    await tx`SELECT elo_change FROM public.match_players WHERE match_id=${matchId.raw} AND player_id = ${playerId.raw}`
+                )?.[0]?.elo_change ?? 0,
+            );
+            await tx`DELETE FROM match_players WHERE match_id=${matchId.raw} AND player_id=${playerId.raw}`;
+            if (!player.isRatingLocked) {
+                await tx`UPDATE players SET elo=${player.elo - eloRefund} WHERE id=${playerId.raw}`;
+            }
+        });
+        return;
+    }
+}
--- a/src/orm/orm.ts
+++ b/src/orm/orm.ts
@@ -4,6 +4,8 @@ import { PlayersOrm } from './players';
 import { GamesOrm } from './games';
 import { InvitesOrm } from './invites';
 import { CollectionsOrm } from './collections';
+import { MatchOrm } from './matches';
+import { CircleOrm } from './circles';

 class Orm {
    readonly claims: ClaimsOrm = new ClaimsOrm();
@@ -12,6 +14,8 @@ class Orm {
    readonly games: GamesOrm = new GamesOrm();
    readonly invites: InvitesOrm = new InvitesOrm();
    readonly collections: CollectionsOrm = new CollectionsOrm();
+    readonly matches: MatchOrm = new MatchOrm();
+    readonly circles: CircleOrm = new CircleOrm();
 }

 export const orm = new Orm();
--- a/src/orm/players.ts
+++ b/src/orm/players.ts
@@ -32,42 +32,43 @@ export class PlayersOrm {
    async create(model: { name: string }): Promise<Player> {
        await sql`INSERT INTO players (name)
                         VALUES (${model.name})`;
-        const newPlayerId: string = (first(await sql`SELECT lastval();`) as any)?.lastval as string;
+        const newRecordId: string = (first(await sql`SELECT lastval();`) as any)?.lastval as string;

-        return await this.get(PlayerId.fromID(newPlayerId));
+        return await this.get(PlayerId.fromID(newRecordId));
    }

    async get(id: PlayerId, claims?: Claims): Promise<Player> {
-        if (!(Claims.test(Claims.ADMIN, claims) || Claims.test(Claims.PLAYERS.OTHER.READ, claims))) {
-            throw new UnauthorizedError();
-        } else if (Claims.test(Claims.PLAYERS.SELF.READ, claims) && claims?.userId) {
+        if(claims) {
            const user = await orm.users.get(claims.userId);
-            if (id.raw !== user.playerId.raw) {
+            if(!(claims.test(Claims.ADMIN, Claims.PLAYERS.OTHER.READ) ||
+                claims.test(Claims.PLAYERS.SELF.READ) && id === user.playerId)) {
                throw new UnauthorizedError();
+
            }
        }
-        const dbResult: any = first(
+
+        const record: any = first(
            await sql`SELECT *
                      FROM players
                      WHERE id = ${id.raw}
                      LIMIT 1`,
        );

-        if (!dbResult) {
+        if (!record) {
            throw new NotFoundError('No matching player exists');
        }

        return new Player({
-            id: PlayerId.fromID(dbResult.id),
-            name: dbResult.name,
-            elo: parseInt(dbResult.elo),
-            isRatingLocked: dbResult.is_rating_locked,
-            canBeMultiple: dbResult.can_be_multiple,
+            id: PlayerId.fromID(record.id),
+            name: record.name,
+            elo: parseInt(record.elo),
+            isRatingLocked: record.is_rating_locked,
+            canBeMultiple: record.can_be_multiple,
        });
    }

    async list(claims?: Claims): Promise<Player[]> {
-        if (!claims || Claims.test(Claims.ADMIN, claims)) {
+        if (!claims || claims.test(Claims.ADMIN)) {
            return (await sql`SELECT * FROM players`).map(
                (x: { id: string; name: string; elo: string; is_rating_locked: boolean; can_be_multiple: boolean }) =>
                    new Player({
@@ -80,7 +81,7 @@ export class PlayersOrm {
            );
        }

-        if (!Claims.test(Claims.PLAYERS.OTHER.READ, claims)) {
+        if (!claims.test(Claims.PLAYERS.OTHER.READ)) {
            throw new UnauthorizedError();
        }

@@ -109,35 +110,35 @@ export class PlayersOrm {
    }

    async update(id: PlayerId, patch: UpdatePlayerRequest, claims?: Claims): Promise<Player> {
-        if (!(Claims.test(Claims.ADMIN, claims) || Claims.test(Claims.PLAYERS.OTHER.UPDATE, claims))) {
-            throw new UnauthorizedError();
-        } else if (Claims.test(Claims.PLAYERS.SELF.UPDATE, claims) && claims?.userId) {
+        if(claims) {
            const user = await orm.users.get(claims.userId);
-            if (id.raw !== user.playerId.raw) {
+            if(!(claims.test(Claims.ADMIN, Claims.PLAYERS.OTHER.UPDATE) ||
+                (claims.test(Claims.PLAYERS.SELF.UPDATE) && id === user.playerId)
+            )) {
                throw new UnauthorizedError();
            }
        }

-        const playerToUpdate = await this.get(id);
-        playerToUpdate.name = patch.name ?? playerToUpdate.name;
-        playerToUpdate.isRatingLocked = patch.isRatingLocked ?? playerToUpdate.isRatingLocked;
-        playerToUpdate.canBeMultiple = patch.canBeMultiple ?? playerToUpdate.canBeMultiple;
+        const player = await this.get(id);
+        player.name = patch.name ?? player.name;
+        player.isRatingLocked = patch.isRatingLocked ?? player.isRatingLocked;
+        player.canBeMultiple = patch.canBeMultiple ?? player.canBeMultiple;

        await sql`UPDATE players
-                  SET name=${playerToUpdate.name},
-                      is_rating_locked=${playerToUpdate.isRatingLocked},
-                      can_be_multiple=${playerToUpdate.canBeMultiple}
+                  SET name=${player.name},
+                      is_rating_locked=${player.isRatingLocked},
+                      can_be_multiple=${player.canBeMultiple}
                  WHERE id = ${id.raw}`;

        return await this.get(id);
    }

    async drop(id: PlayerId, claims?: Claims): Promise<void> {
-        if (!(Claims.test(Claims.ADMIN, claims) || Claims.test(Claims.PLAYERS.OTHER.DELETE, claims))) {
-            throw new UnauthorizedError();
-        } else if (Claims.test(Claims.PLAYERS.SELF.DELETE, claims) && claims?.userId) {
+        if(claims) {
            const user = await orm.users.get(claims.userId);
-            if (id.raw !== user.playerId.raw) {
+            if(!(claims.test(Claims.ADMIN, Claims.PLAYERS.OTHER.DELETE) ||
+                (claims.test(Claims.PLAYERS.SELF.DELETE) && id === user.playerId)
+            )) {
                throw new UnauthorizedError();
            }
        }
--- a/src/orm/user.ts
+++ b/src/orm/user.ts
@@ -24,9 +24,15 @@ export class User {
 }

 export class UsersOrm {
-    async create(
-        { email, password, playerId }: { email: string; password: string; playerId: PlayerId },
-    ): Promise<User> {
+    async create({
+        email,
+        password,
+        playerId,
+    }: {
+        email: string;
+        password: string;
+        playerId: PlayerId;
+    }): Promise<User> {
        const existingUser: any = first(
            await sql`SELECT id
                      FROM users
@@ -41,29 +47,29 @@ export class UsersOrm {
        const passwordHash = await argon2.hash(password);
        await sql`INSERT INTO users (email, pass_hash, player_id)
                  VALUES (${email}, ${passwordHash}, ${playerId.raw})`;
-        const newUserId: UserId = UserId.fromID((first(await sql`SELECT lastval();`) as any)?.lastval as string);
+        const newRecordId: string = (first(await sql`SELECT lastval();`) as any)?.lastval as string;
        await sql.transaction(async (tx) => {
            for (let i in defaultClaims) {
                await tx`INSERT INTO user_claims (user_id, claim_id)
-                         VALUES (${newUserId.raw}, ${defaultClaims[i]})`;
+                         VALUES (${newRecordId}, ${defaultClaims[i]})`;
            }
        });

-        return await this.get(newUserId);
+        return await this.get(UserId.fromID(newRecordId));
    }

    async get(id: UserId, claims?: Claims): Promise<User> {
        if (
+            claims &&
            !(
-                Claims.test(Claims.ADMIN, claims) ||
-                Claims.test(Claims.USERS.OTHER.READ, claims) ||
-                (Claims.test(Claims.USERS.SELF.READ, claims) && id === claims?.userId)
+                claims.test(Claims.ADMIN, Claims.USERS.OTHER.READ) ||
+                (claims.test(Claims.USERS.SELF.READ) && id === claims?.userId)
            )
        ) {
            throw new UnauthorizedError();
        }

-        const dbResult: any = first(
+        const record: any = first(
            await sql`SELECT *
                      FROM users
                      WHERE id = ${id.raw}
@@ -71,38 +77,100 @@ export class UsersOrm {
                      LIMIT 1`,
        );

-        if (!dbResult) {
+        if (!record) {
            throw new NotFoundError('No matching user exists');
        }

        return new User(
-            UserId.fromID(dbResult.id),
-            PlayerId.fromID(dbResult.player_id),
-            dbResult.email,
-            dbResult.is_admin,
+            UserId.fromID(record.id),
+            PlayerId.fromID(record.player_id),
+            record.email,
+            record.is_admin,
        );
    }

-    async update(id: UserId, patch: UpdateUserRequest, claims?: Claims): Promise<User> {
+    async getByPlayer(id: PlayerId, claims?: Claims): Promise<User> {
+        const record: any = first(
+            await sql`SELECT *
+                      FROM users
+                      WHERE player_id = ${id.raw}
+                        AND is_active = true
+                      LIMIT 1`,
+        );
+
+        if (!record) {
+            throw new NotFoundError('No matching user exists');
+        }
+
        if (
+            claims &&
            !(
-                Claims.test(Claims.ADMIN, claims) ||
-                Claims.test(Claims.USERS.OTHER.UPDATE, claims) ||
-                (Claims.test(Claims.USERS.SELF.UPDATE, claims) && id === claims?.userId)
+                claims.test(Claims.ADMIN, Claims.USERS.OTHER.READ) ||
+                (claims.test(Claims.USERS.SELF.READ) && record.id === claims?.userId.raw)
            )
        ) {
            throw new UnauthorizedError();
        }

-        const userToUpdate = await this.get(id);
-        if (Claims.test(Claims.ADMIN, claims)) {
-            userToUpdate.isActive = patch.isActive ?? userToUpdate.isActive;
-            userToUpdate.isAdmin = patch.isAdmin ?? userToUpdate.isAdmin;
+        return new User(
+            UserId.fromID(record.id),
+            PlayerId.fromID(record.player_id),
+            record.email,
+            record.is_admin,
+        );
+    }
+
+    async getByEmail(email: string, claims?: Claims): Promise<User> {
+        const record: any = first(
+            await sql`SELECT *
+                      FROM users
+                      WHERE email = ${email}
+                        AND is_active = true
+                      LIMIT 1`,
+        );
+
+        if (!record) {
+            throw new NotFoundError('No matching user exists');
+        }
+
+        if (
+            claims &&
+            !(
+                claims.test(Claims.ADMIN, Claims.USERS.OTHER.READ) ||
+                (claims.test(Claims.USERS.SELF.READ) && record.id === claims?.userId.raw)
+            )
+        ) {
+            throw new UnauthorizedError();
+        }
+
+        return new User(
+            UserId.fromID(record.id),
+            PlayerId.fromID(record.player_id),
+            record.email,
+            record.is_admin,
+        );
+    }
+
+    async update(id: UserId, patch: UpdateUserRequest, claims?: Claims): Promise<User> {
+        if (
+            claims &&
+            !(
+                claims.test(Claims.ADMIN, Claims.USERS.OTHER.UPDATE) ||
+                (claims.test(Claims.USERS.SELF.UPDATE) && id === claims?.userId)
+            )
+        ) {
+            throw new UnauthorizedError();
+        }
+
+        const user = await this.get(id);
+        if (!claims || claims.test(Claims.ADMIN)) {
+            user.isActive = patch.isActive ?? user.isActive;
+            user.isAdmin = patch.isAdmin ?? user.isAdmin;
        }

        await sql`UPDATE users
-                  SET is_active=${userToUpdate.isActive},
-                      is_admin=${userToUpdate.isAdmin}
+                      SET is_active=${user.isActive},
+                          is_admin=${user.isAdmin}
                      WHERE id = ${id.raw}`;

        return await this.get(id);
@@ -110,10 +178,10 @@ export class UsersOrm {

    async drop(id: UserId, claims?: Claims): Promise<void> {
        if (
+            claims &&
            !(
-                Claims.test(Claims.ADMIN, claims) ||
-                Claims.test(Claims.USERS.OTHER.DELETE, claims) ||
-                (Claims.test(Claims.USERS.SELF.DELETE, claims) && id === claims?.userId)
+                claims.test(Claims.ADMIN, Claims.USERS.OTHER.DELETE) ||
+                (claims.test(Claims.USERS.SELF.DELETE) && id === claims?.userId)
            )
        ) {
            throw new UnauthorizedError();
@@ -133,49 +201,41 @@ export class UsersOrm {
        return;
    }

-    async verifyCredentials(
-        email: string,
-        password: string,
-    ): Promise<{ userId: UserId; refreshCount: string } | null> {
-        const dbResult: any = first(
+    async verifyCredentials(email: string, password: string): Promise<{ userId: UserId; refreshCount: string } | null> {
+        const record: any = first(
            await sql`SELECT *
                      FROM users
                      WHERE email = ${email}
                      AND is_active = true
                      limit 1`,
        );
-        if (!dbResult) {
+        if (!record) {
            throw new UnauthorizedError();
        }

-        if (!(await argon2.verify(dbResult.pass_hash, password))) {
+        if (!(await argon2.verify(record.pass_hash, password))) {
            return null;
        }

        return {
-            userId: UserId.fromID(dbResult.id),
-            refreshCount: dbResult.refresh_count,
+            userId: UserId.fromID(record.id),
+            refreshCount: record.refresh_count,
        };
    }

    async verifyRefreshCount(id: UserId, refreshCount: string): Promise<boolean> {
-        const dbResult: any = first(
+        const record: any = first(
            await sql`SELECT *
                      FROM users
                      WHERE id = ${id.raw}
                      LIMIT 1`,
        );
-        return dbResult.refresh_count === refreshCount;
+        return record.refresh_count === refreshCount;
    }

-    async changePassword(
-        id: UserId,
-        oldPassword: string | null,
-        newPassword: string,
-        claims?: Claims,
-    ): Promise<void> {
-        const isAdmin = Claims.test(Claims.ADMIN, claims);
-        if (!(isAdmin || (Claims.test(Claims.USERS.SELF.UPDATE, claims) && id === claims?.userId))) {
+    async changePassword(id: UserId, oldPassword: string | null, newPassword: string, claims?: Claims): Promise<void> {
+        const isAdmin = claims?.test(Claims.ADMIN) ?? true;
+        if (!(isAdmin || (claims?.test(Claims.USERS.SELF.UPDATE) && id === claims?.userId))) {
            throw new UnauthorizedError();
        }

@@ -183,14 +243,14 @@ export class UsersOrm {
            throw new BadRequestError('Password is required');
        }

-        const dbUser: any = first(
+        const record: any = first(
            await sql`SELECT *
                      FROM users
                      WHERE id = ${id.raw}
                      LIMIT 1`,
        );

-        if (!isAdmin && !(await argon2.verify(dbUser.pass_hash, oldPassword as string))) {
+        if (!isAdmin && !(await argon2.verify(record.pass_hash, oldPassword as string))) {
            throw new UnauthorizedError();
        }

--- a/src/routes/auth.ts
+++ b/src/routes/auth.ts
@@ -14,7 +14,7 @@ export default {
    },
    changePassword: {
        ':id': {
-            PATCH: guard(auth.changePassword, [Claims.ADMIN, Claims.USERS.SELF.UPDATE]),
+            PATCH: guard(auth.changePassword, Claims.ADMIN, Claims.USERS.SELF.UPDATE),
        },
    },
 };
--- a/src/routes/circles.ts
+++ b/src/routes/circles.ts
@@ -0,0 +1,32 @@
+import { guard } from '../utilities/guard';
+import { Claims } from '../orm/claims';
+import circles from '../endpoints/circles';
+
+export default {
+    'POST': guard(circles.create, Claims.ADMIN, Claims.CIRCLES.PUBLIC.CREATE, Claims.CIRCLES.PRIVATE.CREATE),
+    ':id': {
+        GET: guard(
+            circles.get,
+            Claims.ADMIN,
+            Claims.CIRCLES.PUBLIC.READ,
+            Claims.CIRCLES.PRIVATE.READ,
+            Claims.CIRCLES.PRIVATE.READ_IF_MEMBER,
+        ),
+        PATCH: guard(circles.update, Claims.ADMIN, Claims.CIRCLES.OWNED.UPDATE),
+        DELETE: guard(circles.drop, Claims.ADMIN, Claims.CIRCLES.OWNED.DELETE),
+        invite: {
+            POST: guard(
+                circles.invite,
+                Claims.ADMIN,
+                Claims.CIRCLES.PUBLIC.USERS.INVITE,
+                Claims.CIRCLES.OWNED.USERS.INVITE,
+            ),
+        },
+    },
+    'search': {
+        ':query': {
+            variants: [':pageSize/:page', ':page'],
+            GET: guard(circles.query, Claims.ADMIN, Claims.CIRCLES.PUBLIC.READ),
+        },
+    },
+};
--- a/src/routes/collections.ts
+++ b/src/routes/collections.ts
@@ -3,28 +3,20 @@ import { Claims } from '../orm/claims';
 import collections from '../endpoints/collections';

 export default {
-    'POST': guard(collections.create, [Claims.ADMIN, Claims.COLLECTIONS.CREATE]),
+    'POST': guard(collections.create, Claims.ADMIN, Claims.COLLECTIONS.CREATE),
    ':id': {
-        GET: guard(collections.get, [Claims.ADMIN, Claims.COLLECTIONS.UNOWNED.READ, Claims.COLLECTIONS.OWNED.READ]),
-        PATCH: guard(collections.update, [Claims.ADMIN, Claims.PLAYERS.OTHER.UPDATE, Claims.PLAYERS.SELF.UPDATE]),
-        DELETE: guard(collections.drop, [Claims.ADMIN, Claims.PLAYERS.OTHER.DELETE, Claims.PLAYERS.SELF.DELETE]),
+        GET: guard(collections.get, Claims.ADMIN, Claims.COLLECTIONS.UNOWNED.READ, Claims.COLLECTIONS.OWNED.READ),
+        PATCH: guard(collections.update, Claims.ADMIN, Claims.PLAYERS.OTHER.UPDATE, Claims.PLAYERS.SELF.UPDATE),
+        DELETE: guard(collections.drop, Claims.ADMIN, Claims.PLAYERS.OTHER.DELETE, Claims.PLAYERS.SELF.DELETE),
        add: {
-            POST: guard(collections.addGame, [
-                Claims.ADMIN,
-                Claims.COLLECTIONS.UNOWNED.GAME.ADD,
-                Claims.COLLECTIONS.OWNED.GAME.ADD,
-            ]),
+            POST: guard(collections.addGame, Claims.ADMIN, Claims.COLLECTIONS.OWNED.GAME.ADD),
        },
        remove: {
-            POST: guard(collections.removeGame, [
-                Claims.ADMIN,
-                Claims.COLLECTIONS.UNOWNED.GAME.REMOVE,
-                Claims.COLLECTIONS.OWNED.GAME.REMOVE,
-            ]),
+            POST: guard(collections.removeGame, Claims.ADMIN, Claims.COLLECTIONS.OWNED.GAME.REMOVE),
        },
    },
    'list': {
        variants: [':pageSize/:page', ':page'],
-        GET: guard(collections.list, [Claims.ADMIN, Claims.COLLECTIONS.OWNED.LIST]),
+        GET: guard(collections.list, Claims.ADMIN, Claims.COLLECTIONS.OWNED.LIST),
    },
 };
--- a/src/routes/games.ts
+++ b/src/routes/games.ts
@@ -3,16 +3,16 @@ import { Claims } from '../orm/claims';
 import games from '../endpoints/games';

 export default {
-    'POST': guard(games.create, [Claims.ADMIN, Claims.GAMES.CREATE]),
+    'POST': guard(games.create, Claims.ADMIN, Claims.GAMES.CREATE),
    ':id': {
-        GET: guard(games.get, [Claims.ADMIN, Claims.GAMES.READ]),
-        PATCH: guard(games.update, [Claims.ADMIN, Claims.GAMES.UPDATE]),
-        DELETE: guard(games.drop, [Claims.ADMIN, Claims.GAMES.DELETE]),
+        GET: guard(games.get, Claims.ADMIN, Claims.GAMES.READ),
+        PATCH: guard(games.update, Claims.ADMIN, Claims.GAMES.UPDATE),
+        DELETE: guard(games.drop, Claims.ADMIN, Claims.GAMES.DELETE),
    },
    'search': {
        ':query': {
            variants: [':pageSize/:page', ':page'],
-            GET: guard(games.query, [Claims.ADMIN, Claims.GAMES.READ]),
+            GET: guard(games.query, Claims.ADMIN, Claims.GAMES.READ),
        },
    },
 };
--- a/src/routes/invites.ts
+++ b/src/routes/invites.ts
@@ -3,7 +3,7 @@ import { Claims } from '../orm/claims';
 import invite from '../endpoints/invites';

 export default {
-    POST: guard(invite.create, [Claims.ADMIN, Claims.USERS.INVITE]),
+    POST: guard(invite.create, Claims.ADMIN, Claims.USERS.INVITE),
    accept: {
        POST: unwrapMethod(invite.accept),
    },
--- a/src/routes/matches.ts
+++ b/src/routes/matches.ts
@@ -0,0 +1,14 @@
+import { guard } from '../utilities/guard';
+import matches from '../endpoints/matches';
+import { Claims } from '../orm/claims';
+
+export default {
+    'POST': guard(matches.create, Claims.ADMIN, Claims.MATCHES.CREATE),
+    ':id': {
+        GET: guard(matches.get, Claims.ADMIN, Claims.MATCHES.OWNED.READ, Claims.MATCHES.PARTICIPANT.READ),
+        DELETE: guard(matches.drop, Claims.ADMIN, Claims.MATCHES.OWNED.DELETE, Claims.USERS.SELF.UPDATE),
+        leave: {
+            POST: guard(matches.leave, Claims.MATCHES.PARTICIPANT.LEAVE),
+        },
+    },
+};
--- a/src/routes/players.ts
+++ b/src/routes/players.ts
@@ -3,14 +3,14 @@ import { Claims } from '../orm/claims';
 import player from '../endpoints/players';

 export default {
-    'POST': guard(player.create, [Claims.ADMIN, Claims.PLAYERS.CREATE]),
+    'POST': guard(player.create, Claims.ADMIN, Claims.PLAYERS.CREATE),
    ':id': {
-        GET: guard(player.get, [Claims.ADMIN, Claims.PLAYERS.OTHER.READ, Claims.PLAYERS.SELF.READ]),
-        PATCH: guard(player.update, [Claims.ADMIN, Claims.PLAYERS.OTHER.UPDATE, Claims.PLAYERS.SELF.UPDATE]),
-        DELETE: guard(player.drop, [Claims.ADMIN, Claims.PLAYERS.OTHER.DELETE, Claims.PLAYERS.SELF.DELETE]),
+        GET: guard(player.get, Claims.ADMIN, Claims.PLAYERS.OTHER.READ, Claims.PLAYERS.SELF.READ),
+        PATCH: guard(player.update, Claims.ADMIN, Claims.PLAYERS.OTHER.UPDATE, Claims.PLAYERS.SELF.UPDATE),
+        DELETE: guard(player.drop, Claims.ADMIN, Claims.PLAYERS.OTHER.DELETE, Claims.PLAYERS.SELF.DELETE),
    },
    'list': {
        variants: [':pageSize/:page', ':page'],
-        GET: guard(player.list, [Claims.ADMIN, Claims.PLAYERS.OTHER.READ]),
+        GET: guard(player.list, Claims.ADMIN, Claims.PLAYERS.OTHER.READ),
    },
 };
--- a/src/routes/users.ts
+++ b/src/routes/users.ts
@@ -3,10 +3,10 @@ import user from '../endpoints/users';
 import { Claims } from '../orm/claims';

 export default {
-    'POST': guard(user.create, [Claims.ADMIN, Claims.USERS.CREATE]),
+    'POST': guard(user.create, Claims.ADMIN, Claims.USERS.CREATE),
    ':id': {
-        GET: guard(user.get, [Claims.ADMIN, Claims.USERS.OTHER.READ, Claims.USERS.SELF.READ]),
-        PATCH: guard(user.update, [Claims.ADMIN, Claims.USERS.OTHER.UPDATE, Claims.USERS.SELF.UPDATE]),
-        DELETE: guard(user.drop, [Claims.ADMIN, Claims.USERS.OTHER.UPDATE, Claims.USERS.SELF.UPDATE]),
+        GET: guard(user.get, Claims.ADMIN, Claims.USERS.OTHER.READ, Claims.USERS.SELF.READ),
+        PATCH: guard(user.update, Claims.ADMIN, Claims.USERS.OTHER.UPDATE, Claims.USERS.SELF.UPDATE),
+        DELETE: guard(user.drop, Claims.ADMIN, Claims.USERS.OTHER.UPDATE, Claims.USERS.SELF.UPDATE),
    },
 };
--- a/src/utilities/claimDefinitions.ts
+++ b/src/utilities/claimDefinitions.ts
@@ -29,49 +29,41 @@ export class ClaimDefinition {
    };
    public static readonly CIRCLES = {
        PUBLIC: {
+            READ: 'CIRCLES_OWNED_READ',
            CREATE: 'CIRCLES_PUBLIC_CREATE',
            JOIN: 'CIRCLES_PUBLIC_JOIN',
-            USERS: {
-                ADD: 'CIRCLES_PUBLIC_USER_ADD',
-                LIST: 'CIRCLES_PUBLIC_USER_LIST',
-                INVITE: 'CIRCLES_PUBLIC_USER_INVITE',
-            },
            COMMENTS: {
                ADD: 'CIRCLES_PUBLIC_COMMENTS_ADD',
-                DELETE: 'CIRCLES_PUBLIC_COMMENTS_DELETE',
+            },
+            USERS: {
+                INVITE: 'CIRCLES_PUBLIC_USER_INVITE',
+                LIST: 'CIRCLES_PUBLIC_USER_LIST',
            },
        },
        PRIVATE: {
+            READ: 'CIRCLES_PRIVATE_READ',
+            READ_IF_MEMBER: 'CIRCLES_PRIVATE_READ_IF_MEMBER',
            CREATE: 'CIRCLES_PRIVATE_CREATE',
-            USERS: {
-                INVITE: 'CIRCLES_PRIVATE_USER_INVITE',
+            COMMENTS: {
+                ADD: 'CIRCLES_PRIVATE_COMMENTS_ADD',
            },
        },
        OWNED: {
            READ: 'CIRCLES_OWNED_READ',
            UPDATE: 'CIRCLES_OWNED_UPDATE',
            DELETE: 'CIRCLES_OWNED_DELETE',
-            USERS: {
+            PLAYERS: {
                ADD: 'CIRCLES_OWNED_USER_ADD',
                LIST: 'CIRCLES_OWNED_USER_LIST',
+            },
            USERS: {
                INVITE: 'CIRCLES_OWNED_USER_INVITE',
            },
-            },
            COMMENTS: {
                ADD: 'CIRCLES_OWNED_COMMENTS_ADD',
                DELETE: 'CIRCLES_OWNED_COMMENTS_DELETE',
            },
        },
-        UNOWNED: {
-            READ: 'CIRCLES_UNOWNED_READ',
-            UPDATE: 'CIRCLES_UNOWNED_UPDATE',
-            DELETE: 'CIRCLES_UNOWNED_DELETE',
-            COMMENTS: {
-                ADD: 'CIRCLES_UNOWNED_COMMENTS_ADD',
-                DELETE: 'CIRCLES_UNOWNED_COMMENTS_DELETE',
-            },
-        },
    };
    public static readonly GAMES = {
        CREATE: 'GAMES_CREATE',
@@ -82,24 +74,24 @@ export class ClaimDefinition {
    };
    public static readonly MATCHES = {
        CREATE: 'MATCHES_CREATE',
+        COMMENTS: {
+            ADD: 'MATCHES_UNOWNED_COMMENTS_ADD',
+        },
        OWNED: {
            READ: 'MATCHES_OWNED_READ',
-            UPDATE: 'MATCHES_OWNED_UPDATE',
            DELETE: 'MATCHES_OWNED_DELETE',
            COMMENTS: {
                ADD: 'MATCHES_OWNED_COMMENTS_ADD',
                DELETE: 'MATCHES_OWNED_COMMENTS_DELETE',
            },
        },
-        UNOWNED: {
-            READ: 'MATCHES_UNOWNED_READ',
-            UPDATE: 'MATCHES_UNOWNED_UPDATE',
-            DELETE: 'MATCHES_UNOWNED_DELETE',
+        PARTICIPANT: {
+            READ: 'MATCHES_PARTICIPANT_READ',
+            LEAVE: 'MATCHES_LEAVE',
            COMMENTS: {
-                ADD: 'MATCHES_UNOWNED_COMMENTS_ADD',
-                DELETE: 'MATCHES_UNOWNED_COMMENTS_DELETE',
-            },
+                ADD: 'MATCHES_PARTICIPANT_COMMENTS_ADD',
            },
+        }
    };
    public static readonly COLLECTIONS = {
        CREATE: 'COLLECTIONS_CREATE',
@@ -120,10 +112,6 @@ export class ClaimDefinition {
            READ: 'COLLECTIONS_UNOWNED_READ',
            UPDATE: 'COLLECTIONS_UNOWNED_UPDATE',
            DELETE: 'COLLECTIONS_UNOWNED_DELETE',
-            GAME: {
-                ADD: 'COLLECTIONS_UNOWNED_GAME_ADD',
-                REMOVE: 'COLLECTIONS_UNOWNED_GAME_REMOVE',
-            },
        },
    };
    public static readonly COMMENTS = {
--- a/src/utilities/elo.ts
+++ b/src/utilities/elo.ts
@@ -1,32 +1,26 @@
 import { orderBy } from 'lodash';
+import { MatchParticipant } from '../orm/matches';

-interface GamePlayer {
-    id: string;
-    elo: number;
-    gamesPlayed: number;
-    standing: number;
-    eloChange?: number;
-}
-export interface GamePlayed {
-    players: GamePlayer[];
-}
-
-export function calculateElos(game: GamePlayed, provisionalPeriod: number = 1): GamePlayed {
-    const orderedResults = orderBy(game.players, 'standing', 'asc');
+export function calculateElos(players: MatchParticipant[], provisionalPeriod: number = 1): MatchParticipant[] {
+    const orderedResults = orderBy(players, (x:any) => parseInt(x.standing ?? 0), 'asc');
    for (let i = 0; i < orderedResults.length - 1; i++) {
        for (let j = i + 1; j < orderedResults.length; j++) {
-            const challengerResults = calculateEloChange(orderedResults[i].elo, orderedResults[j].elo);
+            const challengerResults = calculateEloChange(
+                orderedResults[i].elo,
+                orderedResults[j].elo,
+                orderedResults[i].standing === orderedResults[j].standing,
+            );
            orderedResults[i].eloChange =
                (orderedResults[i].eloChange ?? 0) +
-                challengerResults.winnerChange * Math.min(1, orderedResults[j].gamesPlayed / provisionalPeriod);
+                challengerResults.winnerChange *
+                    Math.min(1, ((orderedResults[j].gamesPlayed as number) + 1) / provisionalPeriod);
            orderedResults[j].eloChange =
                (orderedResults[j].eloChange ?? 0) +
-                challengerResults.loserChange * Math.min(1, orderedResults[i].gamesPlayed / provisionalPeriod);
+                challengerResults.loserChange *
+                    Math.min(1, ((orderedResults[i].gamesPlayed as number) + 1) / provisionalPeriod);
        }
    }
-    return {
-        players: orderedResults,
-    };
+    return orderedResults;
 }

 interface EloResult {
--- a/src/utilities/guard.ts
+++ b/src/utilities/guard.ts
@@ -6,10 +6,10 @@ import { Claims } from '../orm/claims';
 export function guardRedirect(
    method: (request: UnwrappedRequest<any>) => Promise<Response> | Response,
    redirectMethod: Function,
-    guardedClaims: string[],
+    ...guardedClaims: string[]
 ) {
    try {
-        return guard(method, guardedClaims);
+        return guard(method, ...guardedClaims);
    } catch (e) {
        return redirectMethod();
    }
@@ -17,19 +17,21 @@ export function guardRedirect(

 export function guard(
    method: (request: UnwrappedRequest<any>) => Promise<Response> | Response,
-    guardedClaims: string[],
+    ...guardedClaims: string[]
 ): (r: Request) => Promise<Response> {
    return async (request: Request): Promise<Response> => {
        const authHeader: string | null =
            (request.headers.get('Authorization')?.replace(/^Bearer /, '') as string) ?? null;
        try {
-            const userClaims: Claims = new Claims(jwt.verify(authHeader as string, process.env.JWT_SECRET_KEY as string) as any);
-            if (!userClaims.claims.some((x: string): boolean => guardedClaims.includes(x))) {
+            const userClaims: Claims = new Claims(
+                jwt.verify(authHeader as string, process.env.JWT_SECRET_KEY as string) as any,
+            );
+            if (!userClaims.userId.raw || !userClaims.claims.some((x: string): boolean => guardedClaims.includes(x))) {
                return new UnauthorizedResponse('Unauthorized');
            }
            return method(await unwrap(request, userClaims));
        } catch (error: any) {
-            console.log(error)
+            console.log(error);
            if (error instanceof TokenExpiredError) {
                return new UnauthorizedResponse(error.message);
            }
@@ -66,6 +68,6 @@ export function unwrapMethod<T = {}>(
 ): (r: Request) => Promise<Response> {
    return async (request: Request) => {
        const unwrappedRequest = await unwrap<T>(request);
-        return await methodToUnwrap(unwrappedRequest);
+        return methodToUnwrap(unwrappedRequest);
    };
 }
--- a/src/utilities/requestModels.ts
+++ b/src/utilities/requestModels.ts
@@ -50,3 +50,23 @@ export interface UpdateCollectionRequest {
 export interface GameToCollectionRequest {
    gameId: string;
 }
+export interface CreateMatchRequest {
+    gameId: string;
+    participants: { playerId: string; standing: number }[];
+}
+export interface CreateCircleRequest {
+    name: string;
+    isPublic: boolean;
+    imagePath?: string;
+    colour: string;
+}
+export interface UpdateCircleRequest {
+    name: string;
+    imagePath?: string;
+    colour: string;
+}
+export interface InviteToCircleRequest {
+    email?:string;
+    userId?:string;
+    playerId?:string;
+}
--- a/src/utilities/responseHelper.ts
+++ b/src/utilities/responseHelper.ts
@@ -1,5 +1,5 @@
 import { BadRequestError, NotFoundError, UnauthorizedError } from './errors';
-import { clamp, isArray } from 'lodash';
+import { clamp, isArray, isObject } from 'lodash';
 import { UnwrappedRequest } from './guard';

 export class ErrorResponse extends Response {
@@ -52,11 +52,11 @@ export class OkResponse extends Response {
    constructor(body?: any) {
        if (body) {
            return Response.json(
-                isArray(body)
-                    ? body
-                    : {
+                isObject(body) && !isArray(body)
+                    ? {
                          ...body,
-                      },
+                      }
+                    : body,
                {
                    status: 200,
                    headers: {
--- a/src/utilities/routeBuilder.ts
+++ b/src/utilities/routeBuilder.ts
@@ -28,6 +28,7 @@ export function buildRoute(
        const endpointDefinition = {
            POST: route.POST,
            GET: route.GET,
+            PATCH: route.PATCH,
            PUT: route.PUT,
            DELETE: route.DELETE,
        };
--- a/src/utilities/secureIds.ts
+++ b/src/utilities/secureIds.ts
@@ -17,7 +17,7 @@ class SecureId {
    constructor(id: { public?: string; secure?: string }, hashScheme?: HashIds) {
        this.#hashScheme = hashScheme ?? (this.constructor as any).hashScheme;

-        if (id.public) {
+        if (id.public !== undefined) {
            this.value = id.public;
        } else if (id.secure) {
            this.raw = id.secure;
@@ -66,59 +66,104 @@ class SecureId {
 export class UserId extends SecureId {
    protected static override hashPrefix: string = 'UserId';

+    // This method exists to force type errors when using an incorrect ID class.
+    #uniqueMethodUser(){}
+
    public static fromHash(hash: string): UserId {
-        return super.fromHash(hash, UserId);
+        return super.fromHash(hash, UserId) as UserId;
    }

    public static fromID(id: string): UserId {
-        return super.fromID(id, UserId);
+        return super.fromID(id, UserId) as UserId;
    }
 }

 export class PlayerId extends SecureId {
    protected static override hashPrefix: string = 'PlayerId';

+    // This method exists to force type errors when using an incorrect ID class.
+    #uniqueMethodPlayer(){}
+
    public static fromHash(hash: string): PlayerId {
-        return super.fromHash(hash, PlayerId);
+        return super.fromHash(hash, PlayerId) as PlayerId;
    }

    public static fromID(id: string): PlayerId {
-        return super.fromID(id, PlayerId);
+        return super.fromID(id, PlayerId) as PlayerId;
    }
 }

 export class InviteId extends SecureId {
    protected static override hashPrefix: string = 'InviteId';

+    // This method exists to force type errors when using an incorrect ID class.
+    #uniqueMethodInvite(){}
+
    public static fromHash(hash: string): InviteId {
-        return super.fromHash(hash, InviteId);
+        return super.fromHash(hash, InviteId) as InviteId;
    }

    public static fromID(id: string): InviteId {
-        return super.fromID(id, InviteId);
+        return super.fromID(id, InviteId) as InviteId;
    }
 }

 export class GameId extends SecureId {
    protected static override hashPrefix: string = 'GameId';

+    // This method exists to force type errors when using an incorrect ID class.
+    #uniqueMethodGame(){}
+
    public static fromHash(hash: string): GameId {
-        return super.fromHash(hash, GameId);
+        return super.fromHash(hash, GameId) as GameId;
    }

    public static fromID(id: string): GameId {
-        return super.fromID(id, GameId);
+        return super.fromID(id, GameId) as GameId;
    }
 }

 export class CollectionId extends SecureId {
    protected static override hashPrefix: string = 'CollectionId';

+    // This method exists to force type errors when using an incorrect ID class.
+    #uniqueMethodCollection(){}
+
    public static fromHash(hash: string): CollectionId {
-        return super.fromHash(hash, CollectionId);
+        return super.fromHash(hash, CollectionId) as CollectionId;
    }

    public static fromID(id: string): CollectionId {
-        return super.fromID(id, CollectionId);
+        return super.fromID(id, CollectionId) as CollectionId;
+    }
+}
+
+export class MatchId extends SecureId {
+    protected static override hashPrefix: string = 'MatchId';
+
+    // This method exists to force type errors when using an incorrect ID class.
+    #uniqueMethodMatch(){}
+
+    public static fromHash(hash: string): MatchId {
+        return super.fromHash(hash, MatchId) as MatchId;
+    }
+
+    public static fromID(id: string): MatchId {
+        return super.fromID(id, MatchId) as MatchId;
+    }
+}
+
+export class CircleId extends SecureId {
+    protected static override hashPrefix: string = 'CircleId';
+
+    // This method exists to force type errors when using an incorrect ID class.
+    #uniqueMethodCircle(){}
+
+    public static fromHash(hash: string): CircleId {
+        return super.fromHash(hash, CircleId) as CircleId;
+    }
+
+    public static fromID(id: string): CircleId {
+        return super.fromID(id, CircleId) as CircleId;
    }
 }
Author	SHA1	Message	Date
jd	c4a37f13be	Minor tidy up and refactor to improve consistency.	2026-03-03 00:17:46 +00:00
jd	c23536b3ed	Finished initial implementation of circle endpoints	2026-03-02 23:52:12 +00:00
jd	dee5b2429d	Fixed issues regarding claim verification in ORM	2026-02-24 00:03:06 +00:00
jd	df60ad4552	Added ability for users to update their password. Minor tidy up.	2026-02-23 20:48:52 +00:00
jd	872a79663b	Finished implementing match endpoints	2026-02-22 12:02:05 +00:00
jd	0fa00e6759	Fixed some behaviour in Elo calculation. Began implement match logic.	2026-02-22 02:07:50 +00:00
jd	564ffe7c8c	Fixed some behaviour in Elo calculation. Began implement match logic.	2026-02-22 02:07:44 +00:00