diff --git a/cmd/main-migration/migrations/atlas.sum b/cmd/main-migration/migrations/atlas.sum
index f59b4131..8c3dedc2 100644
--- a/cmd/main-migration/migrations/atlas.sum
+++ b/cmd/main-migration/migrations/atlas.sum
@@ -1,5 +1,4 @@
-h1:3V3a/T/te8iQqsolgRAJKr99GePHgSN9miJHUNngJ74=
-h1:IAvX8SEd9TnVqJ7EYac7IGQ2CGS+5RhltXZ10G5+w7s=
+h1:eTC10wvsOLnENRLwgViQvRs0NYu3w94Ah1fOaGCqFEg=
 20250904105930.sql h1:MEM6blCgke9DzWQSTnLzasbPIrcHssNNrJqZpSkEo6k=
 20250904141448.sql h1:J8cmYNk4ZrG9fhfbi2Z1IWz7YkfvhFqTzrLFo58BPY0=
 20250908062237.sql h1:Pu23yEW/aKkwozHoOuROvHS/GK4ngARJGdO7FB7HZuI=
@@ -109,9 +108,10 @@ h1:IAvX8SEd9TnVqJ7EYac7IGQ2CGS+5RhltXZ10G5+w7s=
 20251110093522.sql h1:nsz8jCxGjEdr/bz9g+4ozfZzIP803xONjVmucad1GMc=
 20251110100258.sql h1:IBqt1VZj5WjQ+l9aAFGHOCCBtzb03KlLLihFLut7itg=
 20251110100545.sql h1:6/LV7751iyKxE2xI6vO1zly+aHUwxXD/IBwLcVpKxqM=
-20251111072601.sql h1:dEhwrkT0hJ06/YcvQd5alvdskimcHcYT27QKAzVY5+8=
-20251111073546.sql h1:JnJZ4SdOObSe6Jf8v/i/KiRxoCz5KMeXCYytQMZgkZM=
-20251111074148.sql h1:95Ui1eo1P68itOz5kZDNFi2ha0ZhUF4gMYiYVcip6fo=
-20251111074652.sql h1:vUZbN0qgktRQ2GAlCpdYrbld2grPiSbvcMePEQMfxPs=
-20251111082257.sql h1:Zr3Xg5n+p4C8F6Evqm5PVC0pqUvPTBcq692PiUEJlT8=
-20251111111017.sql h1:8Kr6FFtkSeaenB/n/aKlOaz/K33SqazxMuH26oI0JI4=
+20251110155448.sql h1:kFPobJB+cpflsXBAWUwy3lohuWvrb/VRlXnhJWl7i3Y=
+20251111072601.sql h1:ch8F+yVhsSM5xY+TwMLY3PxdLa4Wuhtj76oyw79R7Js=
+20251111073546.sql h1:cCv0NPscADAOBahRVqtDWFs6G2t7n+4a+RwlF8vk/c4=
+20251111074148.sql h1:70TsV83u1gQ5TktI13K7NQiyCCa35Td2aR6CNtKUa4U=
+20251111074652.sql h1:ddfQ/sRKMezPM75xBFTGytUQX5AwZ3znrJVpg73gKPA=
+20251111082257.sql h1:ZsdLY1ROouos0l3oS0lkeSiuKLEUGbVvBhpcM2AVhkw=
+20251111111017.sql h1:qrJ93dNtQwcuAvpsP/lAK/H63C4cinXrsVaPmWsTqkU=
diff --git a/internal/lib/auth/tycovar.go b/internal/lib/auth/tycovar.go
index 467bd1b6..3567cd61 100644
--- a/internal/lib/auth/tycovar.go
+++ b/internal/lib/auth/tycovar.go
@@ -11,7 +11,7 @@ type AuthInfo struct {
 	Uuid                       string
 	User_Id                    uint
 	User_Name                  string
-	User_ContractPosition_code string
+	User_ContractPosition_Code string
 	Employee_Position_Code     *string
 	Employee_Id                *uint
 	Doctor_Code                *string
diff --git a/internal/use-case/main-use-case/authentication/case.go b/internal/use-case/main-use-case/authentication/case.go
index 15f18ef8..db83d315 100644
--- a/internal/use-case/main-use-case/authentication/case.go
+++ b/internal/use-case/main-use-case/authentication/case.go
@@ -205,7 +205,7 @@ func ExtractToken(r *http.Request, tokenType TokenType) (data *pa.AuthInfo, err
 			User_Name: fmt.Sprintf("%v", claims["user_name"]),
 		}
 
-		data.User_ContractPosition_code = checkStrClaims(claims, "contractPosition_code")
+		data.User_ContractPosition_Code = checkStrClaims(claims, "contractPosition_code")
 		data.Employee_Position_Code = checkStrPtrClaims(claims, "employee_position_code")
 		data.Doctor_Code = checkStrPtrClaims(claims, "doctor_code")
 		data.Nurse_Code = checkStrPtrClaims(claims, "nurse_code")
diff --git a/internal/use-case/main-use-case/authentication/case.go.bu b/internal/use-case/main-use-case/authentication/case.go.bu
new file mode 100644
index 00000000..1743407a
--- /dev/null
+++ b/internal/use-case/main-use-case/authentication/case.go.bu
@@ -0,0 +1,463 @@
+package authentication
+
+import (
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt"
+	"github.com/google/uuid"
+	a "github.com/karincake/apem"
+	dg "github.com/karincake/apem/db-gorm-pg"
+	ms "github.com/karincake/apem/ms-redis"
+	d "github.com/karincake/dodol"
+	l "github.com/karincake/lepet"
+
+	pa "simrs-vx/internal/lib/auth"
+	pl "simrs-vx/pkg/logger"
+	p "simrs-vx/pkg/password"
+
+<<<<<<< HEAD
+	ed "simrs-vx/internal/domain/main-entities/doctor"
+	ee "simrs-vx/internal/domain/main-entities/employee"
+	"simrs-vx/internal/domain/main-entities/intern"
+	em "simrs-vx/internal/domain/main-entities/midwife"
+	en "simrs-vx/internal/domain/main-entities/nurse"
+	ep "simrs-vx/internal/domain/main-entities/pharmacist"
+	eu "simrs-vx/internal/domain/main-entities/user"
+
+=======
+	eu "simrs-vx/internal/domain/main-entities/user"
+	euf "simrs-vx/internal/domain/main-entities/user-fes"
+>>>>>>> fc7e74b (feat/sso-auth: wip)
+	erc "simrs-vx/internal/domain/references/common"
+)
+
+const source = "authentication"
+
+var authCfg AuthCfg
+
+func init() {
+	a.RegisterExtCall(GetConfig)
+}
+
+// Generates token and store in redis at one place
+// just return the error code
+func GenToken(input eu.LoginDto) (*d.Data, error) {
+	event := pl.Event{
+		Feature: "Create",
+		Source:  source,
+	}
+
+	// Get User
+	user := &eu.User{Name: input.Name}
+	// if input.Position_Code != "" {
+	// 	user.Position_Code = input.Position_Code
+	// }
+	if errCode := getAndCheck(user, user); errCode != "" {
+		return nil, d.FieldErrors{"authentication": d.FieldError{Code: errCode, Message: pl.GenMessage(errCode)}}
+	}
+
+	if user.LoginAttemptCount > 5 {
+		if user.LastSuccessLogin != nil {
+			now := time.Now()
+			lastAllowdLogin := user.LastAllowdLogin
+			if lastAllowdLogin.After(now.Add(-time.Hour * 1)) {
+				return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-login-tooMany", Message: pl.GenMessage("auth-login-tooMany")}}
+			} else {
+				tn := time.Now()
+				user.LastAllowdLogin = &tn
+				user.LoginAttemptCount = 0
+				dg.I.Save(&user)
+			}
+		} else {
+			tn := time.Now()
+			user.LastAllowdLogin = &tn
+			dg.I.Save(&user)
+			return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-login-tooMany", Message: pl.GenMessage("auth-login-tooMany")}}
+		}
+	}
+
+	if !p.Check(input.Password, user.Password) {
+		user.LoginAttemptCount++
+		dg.I.Save(&user)
+		return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-login-incorrect", Message: pl.GenMessage("auth-login-incorrect")}}
+	} else if user.Status_Code == erc.USCBlocked {
+		return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-login-blocked", Message: pl.GenMessage("auth-login-blocked")}}
+	} else if user.Status_Code == erc.USCNew {
+		return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-login-unverified", Message: pl.GenMessage("auth-login-unverified")}}
+	}
+
+	// Access token prep
+	id, err := uuid.NewRandom()
+	if err != nil {
+		panic(fmt.Sprintf(l.I.Msg("uuid-gen-fail"), err))
+	}
+	if input.Duration == 0 {
+		input.Duration = 24 * 60
+	}
+	duration := time.Minute * time.Duration(input.Duration)
+	aUuid := id.String()
+	atExpires := time.Now().Add(duration).Unix()
+	atSecretKey := authCfg.AtSecretKey
+
+	// Create Claim
+	atClaims := jwt.MapClaims{}
+	atClaims["user_id"] = user.Id
+	atClaims["user_name"] = user.Name
+	atClaims["user_contractPosition_code"] = user.ContractPosition_Code
+	atClaims["uuid"] = aUuid
+	atClaims["exp"] = atExpires
+
+	// Create output
+	outputData := d.II{
+		"user_id":                    strconv.Itoa(int(user.Id)),
+		"user_name":                  user.Name,
+		"user_contractPosition_code": user.ContractPosition_Code,
+	}
+
+	// extra
+	// role := []string{}
+	// switch user.ContractPosition_Code {
+	// case erg.CSCEmp:
+	// 	// employee
+	// 	employee := ee.Employee{}
+	// 	dg.I.Where("\"User_Id\" = ?", user.Id).First(&employee)
+	// 	if employee.Id == 0 {
+	// 		return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-noEmployee", Message: pl.GenMessage("auth-noEmployee")}}
+	// 	}
+	// 	atClaims["employee_id"] = employee.Id
+	// 	outputData["employee_id"] = employee.Id
+	// 	role = append(role, "emp-"+string(*employee.Position_Code))
+
+	// 	//if employee.Division_Code != nil {
+	// 	//	atClaims["employee_division_code"] = employee.Division_Code
+	// 	//	outputData["employee_division_code"] = employee.Division_Code
+	// 	//}
+
+	// 	// employee position
+	// 	if employee.Id > 0 && employee.Position_Code != nil {
+	// 		atClaims["employee_position_code"] = *employee.Position_Code
+	// 		switch *employee.Position_Code {
+	// 		case erg.EPCDoc:
+	// 			doctor := ed.Doctor{}
+	// 			dg.I.Where("\"Employee_Id\" = ?", employee.Id).First(&doctor)
+	// 			if doctor.Id == 0 {
+	// 				return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-noDoctor", Message: pl.GenMessage("auth-noDoctor")}}
+	// 			}
+	// 			atClaims["doctor_code"] = doctor.Code
+	// 			outputData["doctor_code"] = doctor.Code
+
+<<<<<<< HEAD
+				// specialist
+				if doctor.Specialist_Code != nil {
+					atClaims["specialist_code"] = doctor.Specialist_Code
+					outputData["specialist_code"] = doctor.Specialist_Code
+				}
+				if doctor.Subspecialist_Code != nil {
+					atClaims["subspecialist_code"] = doctor.Subspecialist_Code
+					outputData["subspecialist_code"] = doctor.Subspecialist_Code
+				}
+			case erg.EPCNur:
+				empData := en.Nurse{}
+				dg.I.Where("\"Employee_Id\" = ?", employee.Id).First(&empData)
+				if empData.Id == 0 {
+					return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-noNurse", Message: pl.GenMessage("auth-noNurse")}}
+				}
+				atClaims["nurse_code"] = empData.Code
+				outputData["nurse_code"] = empData.Code
+			case erg.EPCMwi:
+				empData := em.Midwife{}
+				dg.I.Where("\"Employee_Id\" = ?", employee.Id).First(&empData)
+				if empData.Id == 0 {
+					return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-noMidwife", Message: pl.GenMessage("auth-noMidwife")}}
+				}
+				atClaims["midwife_code"] = empData.Code
+				outputData["midwife_code"] = empData.Code
+			case erg.EPCPha:
+				empData := ep.Pharmacist{}
+				dg.I.Where("\"Employee_Id\" = ?", employee.Id).First(&empData)
+				if empData.Id == 0 {
+					return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-noPharmacist", Message: pl.GenMessage("auth-noPharmacist")}}
+				}
+				atClaims["pharmacist_code"] = empData.Code
+				outputData["pharmacist_code"] = empData.Code
+			}
+=======
+	// 			// specialist
+	// 			if doctor.Specialist_Code != nil {
+	// 				atClaims["specialist_code"] = doctor.Specialist_Code
+	// 				outputData["specialist_code"] = doctor.Specialist_Code
+	// 			}
+	// 			if doctor.Subspecialist_Code != nil {
+	// 				atClaims["subspecialist_code"] = doctor.Subspecialist_Code
+	// 				outputData["subspecialist_code"] = doctor.Subspecialist_Code
+	// 			}
+	// 		case erg.EPCNur:
+	// 			empData := en.Nurse{}
+	// 			dg.I.Where("\"Employee_Id\" = ?", employee.Id).First(&empData)
+	// 			if empData.Id == 0 {
+	// 				return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-noNurse", Message: pl.GenMessage("auth-noNurse")}}
+	// 			}
+	// 			atClaims["nurse_code"] = empData.Code
+	// 			outputData["nurse_code"] = empData.Code
+	// 		case erg.EPCMwi:
+	// 			empData := em.Midwife{}
+	// 			dg.I.Where("\"Employee_Id\" = ?", employee.Id).First(&empData)
+	// 			if empData.Id == 0 {
+	// 				return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-noMidwife", Message: pl.GenMessage("auth-noMidwife")}}
+	// 			}
+	// 			atClaims["midwife_code"] = empData.Code
+	// 			outputData["midwife_code"] = empData.Code
+	// 		}
+>>>>>>> fc7e74b (feat/sso-auth: wip)
+
+	// 		errorGetPosition := d.FieldErrors{"authentication": d.FieldError{Code: "auth-getData-failed", Message: pl.GenMessage("auth-getData-failed")}}
+
+	// 		// division position
+	// 		divisionPositions, err := getDivisionPosition(employee.Id, &event)
+	// 		if err != nil {
+	// 			return nil, errorGetPosition
+	// 		}
+
+	// 		// installation position
+	// 		installationPositions, err := getInstallationPosition(employee.Id, &event)
+	// 		if err != nil {
+	// 			return nil, errorGetPosition
+	// 		}
+
+	// 		// unit position
+	// 		unitPositions, err := getUnitPosition(employee.Id, &event)
+	// 		if err != nil {
+	// 			return nil, errorGetPosition
+	// 		}
+
+	// 		// specialist position
+	// 		specialistPositions, err := getSpecialistPosition(employee.Id, &event)
+	// 		if err != nil {
+	// 			return nil, errorGetPosition
+	// 		}
+
+	// 		// subspecialist position
+	// 		subspecialistPositions, err := getSubspecialistPosition(employee.Id, &event)
+	// 		if err != nil {
+	// 			return nil, errorGetPosition
+	// 		}
+
+	// 		role = append(role, divisionPositions...)
+	// 		role = append(role, installationPositions...)
+	// 		role = append(role, unitPositions...)
+	// 		role = append(role, specialistPositions...)
+	// 		role = append(role, subspecialistPositions...)
+	// 		// atClaims["division_positions"] = divsionPositions
+	// 		// outputData["division_positions"] = divsionPositions
+	// 	}
+	// case erg.CSCInt:
+	// 	intern := intern.Intern{}
+	// 	dg.I.Where("\"User_Id\" = ?", user.Id).First(&intern)
+	// 	role = append(role, "int-"+string(*intern.Position_Code))
+	// case erg.CSCSys:
+	// 	role = append(role, "system")
+	// }
+	// atClaims["roles"] = role
+	// outputData["roles"] = role
+	if err := populateRoles(user, atClaims, outputData, event); err != nil {
+		return nil, err
+	}
+
+	// Generate jwt
+	at := jwt.NewWithClaims(jwt.SigningMethodHS256, atClaims)
+	ats, err := at.SignedString([]byte(atSecretKey))
+	if err != nil {
+		return nil, d.FieldErrors{"user": d.FieldError{Code: "token-sign-err", Message: pl.GenMessage("token-sign-err")}}
+	}
+	outputData["accessToken"] = ats
+
+	// Save to redis
+	now := time.Now()
+	atx := time.Unix(atExpires, 0) //converting Unix to UTC(to Time object)
+	err = ms.I.Set(aUuid, strconv.Itoa(int(user.Id)), atx.Sub(now)).Err()
+	if err != nil {
+		panic(fmt.Sprintf(l.I.Msg("redis-store-fail"), err.Error()))
+	}
+
+	tn := time.Now()
+	user.LoginAttemptCount = 0
+	user.LastSuccessLogin = &tn
+	user.LastAllowdLogin = &tn
+	dg.I.Save(&user)
+
+	// Current data
+	return &d.Data{
+		Meta: d.IS{
+			"source":    "authentication",
+			"structure": "single-data",
+			"status":    "verified",
+		},
+		Data: outputData,
+	}, nil
+}
+
+func RevokeToken(uuid string) {
+	ms.I.Del(uuid)
+}
+
+func VerifyToken(r *http.Request, tokenType TokenType) (data *jwt.Token, errCode, errDetail string) {
+	auth := r.Header.Get("Authorization")
+	if auth == "" {
+		return nil, "auth-missingHeader", ""
+	}
+	authArr := strings.Split(auth, " ")
+	if len(authArr) == 2 {
+		auth = authArr[1]
+	}
+
+	token, err := jwt.Parse(auth, func(token *jwt.Token) (any, error) {
+		//Make sure that the token method conform to "SigningMethodHMAC"
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf(l.I.Msg("token-sign-unexcpeted"), token.Header["alg"])
+		}
+		if tokenType == AccessToken {
+			return []byte(authCfg.AtSecretKey), nil
+		} else {
+			return []byte(authCfg.RtSecretKey), nil
+		}
+	})
+	if err != nil {
+		return nil, "token-parse-fail", err.Error()
+	}
+	return token, "", ""
+}
+
+func ExtractToken(r *http.Request, tokenType TokenType) (data *pa.AuthInfo, err error) {
+	token, errCode, errDetail := VerifyToken(r, tokenType)
+	if errCode != "" {
+		return nil, d.FieldError{Code: errCode, Message: pl.GenMessage(errCode, errDetail)}
+	}
+	claims, ok := token.Claims.(jwt.MapClaims)
+	if ok && token.Valid {
+		accessUuid, ok := claims["uuid"].(string)
+		if !ok {
+			return nil, d.FieldError{Code: "token-invalid", Message: pl.GenMessage("token-invalid", "uuid not available")}
+		}
+		user_id, myErr := strconv.ParseInt(fmt.Sprintf("%.f", claims["user_id"]), 10, 64)
+		if myErr != nil {
+			return nil, d.FieldError{Code: "token-invalid", Message: pl.GenMessage("token-invalid", "uuid is not available")}
+		}
+		accessUuidRedis := ms.I.Get(accessUuid)
+		if accessUuidRedis.String() == "" {
+			return nil, d.FieldError{Code: "token-unidentified", Message: pl.GenMessage("token-unidentified")}
+		}
+
+		data = &pa.AuthInfo{
+			Uuid:      accessUuid,
+			User_Id:   uint(user_id),
+			User_Name: fmt.Sprintf("%v", claims["user_name"]),
+		}
+
+		data.User_ContractPosition_code = checkStrClaims(claims, "contractPosition_code")
+		data.Employee_Position_Code = checkStrPtrClaims(claims, "employee_position_code")
+		data.Doctor_Code = checkStrPtrClaims(claims, "doctor_code")
+		data.Nurse_Code = checkStrPtrClaims(claims, "nurse_code")
+		data.Midwife_Code = checkStrPtrClaims(claims, "midwife_code")
+		data.Nutritionist_Code = checkStrPtrClaims(claims, "nutritionist_code")
+		data.Laborant_Code = checkStrPtrClaims(claims, "laborant_code")
+		data.Pharmachist_Code = checkStrPtrClaims(claims, "pharmachist_code")
+		data.Intern_Position_Code = checkStrPtrClaims(claims, "intern_position_code")
+		data.Employee_Id = checkUntPtrClaims(claims, "employee_id")
+		return
+	}
+	return nil, d.FieldError{Code: "token", Message: "token-invalid"}
+}
+
+func GetConfig() {
+	a.ParseCfg(&authCfg)
+}
+
+func GenTokenFes(input euf.LoginDto) (*d.Data, error) {
+	event := pl.Event{
+		Feature: "Create",
+		Source:  source,
+	}
+
+	// Get User Fes
+	userFes := &euf.UserFes{Name: input.Name, AuthPartner_Code: input.AuthPartner_Code}
+	if errCode := getAndCheck(userFes, userFes); errCode != "" {
+		return nil, d.FieldErrors{"authentication": d.FieldError{Code: errCode, Message: pl.GenMessage(errCode)}}
+	}
+	if userFes.AuthPartner.SecretKey != input.AuthPartner_SecretKey {
+		return nil, d.FieldErrors{"authentication": d.FieldError{Code: "auth-secretKey-invalid", Message: pl.GenMessage("auth-secretKey-invalid")}}
+	}
+
+	user := &eu.User{Name: userFes.User_Name}
+	if errCode := getAndCheck(user, user); errCode != "" {
+		return nil, d.FieldErrors{"authentication": d.FieldError{Code: errCode, Message: pl.GenMessage(errCode)}}
+	}
+
+	// Access token prep
+	id, err := uuid.NewRandom()
+	if err != nil {
+		panic(fmt.Sprintf(l.I.Msg("uuid-gen-fail"), err))
+	}
+	if input.Duration == 0 {
+		input.Duration = 24 * 60
+	}
+	duration := time.Minute * time.Duration(input.Duration)
+	aUuid := id.String()
+	atExpires := time.Now().Add(duration).Unix()
+	atSecretKey := authCfg.AtSecretKey
+
+	// Create Claim
+	atClaims := jwt.MapClaims{}
+	atClaims["user_id"] = user.Id
+	atClaims["user_name"] = user.Name
+	atClaims["user_contractPosition_code"] = user.ContractPosition_Code
+	atClaims["uuid"] = aUuid
+	atClaims["exp"] = atExpires
+
+	// Create output
+	outputData := d.II{
+		"user_id":                    strconv.Itoa(int(user.Id)),
+		"user_name":                  user.Name,
+		"user_contractPosition_code": user.ContractPosition_Code,
+	}
+
+	// extra
+	if err := populateRoles(user, atClaims, outputData, event); err != nil {
+		return nil, err
+	}
+
+	// Generate jwt
+	at := jwt.NewWithClaims(jwt.SigningMethodHS256, atClaims)
+	ats, err := at.SignedString([]byte(atSecretKey))
+	if err != nil {
+		return nil, d.FieldErrors{"user": d.FieldError{Code: "token-sign-err", Message: pl.GenMessage("token-sign-err")}}
+	}
+	outputData["accessToken"] = ats
+
+	// Save to redis
+	now := time.Now()
+	atx := time.Unix(atExpires, 0) //converting Unix to UTC(to Time object)
+	err = ms.I.Set(aUuid, strconv.Itoa(int(user.Id)), atx.Sub(now)).Err()
+	if err != nil {
+		panic(fmt.Sprintf(l.I.Msg("redis-store-fail"), err.Error()))
+	}
+
+	tn := time.Now()
+	user.LoginAttemptCount = 0
+	user.LastSuccessLogin = &tn
+	user.LastAllowdLogin = &tn
+	dg.I.Save(&user)
+
+	// Current data
+	return &d.Data{
+		Meta: d.IS{
+			"source":    "authentication",
+			"structure": "single-data",
+			"status":    "verified",
+		},
+		Data: outputData,
+	}, nil
+}
diff --git a/internal/use-case/main-use-case/authentication/helper.go.bu b/internal/use-case/main-use-case/authentication/helper.go.bu
new file mode 100644
index 00000000..b7ccc660
--- /dev/null
+++ b/internal/use-case/main-use-case/authentication/helper.go.bu
@@ -0,0 +1,323 @@
+package authentication
+
+import (
+	"fmt"
+	"strconv"
+	"time"
+
+	"github.com/golang-jwt/jwt"
+	"github.com/google/uuid"
+	dg "github.com/karincake/apem/db-gorm-pg"
+	ms "github.com/karincake/apem/ms-redis"
+	d "github.com/karincake/dodol"
+	l "github.com/karincake/lepet"
+
+	pl "simrs-vx/pkg/logger"
+
+	edp "simrs-vx/internal/domain/main-entities/division-position"
+	ed "simrs-vx/internal/domain/main-entities/doctor"
+	ee "simrs-vx/internal/domain/main-entities/employee"
+	eip "simrs-vx/internal/domain/main-entities/installation-position"
+	"simrs-vx/internal/domain/main-entities/intern"
+	em "simrs-vx/internal/domain/main-entities/midwife"
+	en "simrs-vx/internal/domain/main-entities/nurse"
+	esp "simrs-vx/internal/domain/main-entities/specialist-position"
+	essp "simrs-vx/internal/domain/main-entities/subspecialist-position"
+	eup "simrs-vx/internal/domain/main-entities/unit-position"
+	eu "simrs-vx/internal/domain/main-entities/user"
+	erg "simrs-vx/internal/domain/references/organization"
+
+	udp "simrs-vx/internal/use-case/main-use-case/division-position"
+	uip "simrs-vx/internal/use-case/main-use-case/installation-position"
+	usp "simrs-vx/internal/use-case/main-use-case/specialist-position"
+	ussp "simrs-vx/internal/use-case/main-use-case/subspecialist-position"
+	uup "simrs-vx/internal/use-case/main-use-case/unit-position"
+)
+
+// just return the error code
+func getAndCheck(input, condition any, includes any) (eCode string) {
+	qry := dg.I.Where(condition)
+
+	// WARNING THIS PRELOAD FAILS
+	if includes != nil {
+		if val := includes.(string); val != "" {
+			qry = qry.Preload(val)
+		} else if vals := includes.([]string); len(vals) > 0 {
+			for _, val := range vals {
+				qry = qry.Preload(val)
+			}
+		}
+	}
+
+	result := qry.First(&input)
+	if result.Error != nil {
+		return "fetch-fail"
+	} else if result.RowsAffected == 0 {
+		return "auth-login-incorrect"
+	}
+
+	return ""
+}
+
+func getDivisionPosition(employee_id uint, event *pl.Event) ([]string, error) {
+	var result []string
+
+	// get data division_position based on employee_id
+	data, _, err := udp.ReadListData(edp.ReadListDto{FilterDto: edp.FilterDto{Employee_Id: &employee_id}}, event)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(data) > 0 {
+		for _, dp := range data {
+			result = append(result, "div-"+*dp.Division_Code)
+		}
+	}
+
+	return result, nil
+}
+
+func getInstallationPosition(employeeId uint, event *pl.Event) ([]string, error) {
+	var result []string
+
+	// get data unit_position based on employee_id
+	data, _, err := uip.ReadListData(eip.ReadListDto{
+		FilterDto: eip.FilterDto{Employee_Id: &employeeId},
+		Includes:  "installation"}, event)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(data) > 0 {
+		for _, dp := range data {
+			result = append(result, "inst-"+*dp.Installation_Code+"-"+dp.Code)
+		}
+	}
+
+	return result, nil
+}
+
+func getUnitPosition(employeeId uint, event *pl.Event) ([]string, error) {
+	var result []string
+
+	// get data unit_position based on employee_id
+	data, _, err := uup.ReadListData(eup.ReadListDto{FilterDto: eup.FilterDto{Employee_Id: &employeeId}}, event)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(data) > 0 {
+		for _, dp := range data {
+			result = append(result, "unit-"+*dp.Unit_Code+"-"+dp.Code)
+		}
+	}
+
+	return result, nil
+}
+
+func getSpecialistPosition(employeeId uint, event *pl.Event) ([]string, error) {
+	var result []string
+
+	// get data unit_position based on employee_id
+	data, _, err := usp.ReadListData(esp.ReadListDto{FilterDto: esp.FilterDto{Employee_Id: &employeeId}}, event)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(data) > 0 {
+		for _, dp := range data {
+			result = append(result, "spec-"+*dp.Specialist_Code+"-"+dp.Code)
+		}
+	}
+
+	return result, nil
+}
+
+func getSubspecialistPosition(employeeId uint, event *pl.Event) ([]string, error) {
+	var result []string
+
+	// get data unit_position based on employee_id
+	data, _, err := ussp.ReadListData(essp.ReadListDto{
+		FilterDto: essp.FilterDto{Employee_Id: &employeeId},
+		Includes:  "subspecialist"}, event)
+	if err != nil {
+		return nil, err
+	}
+
+	if len(data) > 0 {
+		for _, dp := range data {
+			result = append(result, "subspec-"+dp.Subspecialist.Code+"-"+dp.Code)
+		}
+	}
+
+	return result, nil
+}
+
+func checkStrClaims(claim map[string]interface{}, key string) string {
+	if v, exist := claim[key]; exist && v != nil {
+		return v.(string)
+	}
+	return ""
+}
+
+func checkStrPtrClaims(claim map[string]interface{}, key string) *string {
+	if v, exist := claim[key]; exist && v != nil {
+		val := v.(string)
+		return &val
+	}
+	return nil
+}
+
+func checkUntPtrClaims(claim map[string]interface{}, key string) *uint {
+	if v, exist := claim[key]; exist && v != nil {
+		val := uint(v.(float64))
+		return &val
+	}
+	return nil
+}
+
+func populateRoles(user *eu.User, input eu.LoginDto, atClaims jwt.MapClaims, outputData d.II, event pl.Event) error {
+	id, err := uuid.NewRandom()
+	if err != nil {
+		panic(fmt.Sprintf(l.I.Msg("uuid-gen-fail"), err))
+	}
+	if input.Duration == 0 {
+		input.Duration = 24 * 60
+	}
+	duration := time.Minute * time.Duration(input.Duration)
+	aUuid := id.String()
+	atExpires := time.Now().Add(duration).Unix()
+
+	atClaims["uuid"] = aUuid
+	atClaims["exp"] = atExpires
+	atClaims["user_id"] = user.Id
+	atClaims["user_name"] = user.Name
+	atClaims["user_contractPosition_code"] = user.ContractPosition_Code
+
+	outputData["user_id"] = user.Id
+	outputData["user_name"] = user.Name
+	outputData["user_contractPosition_code"] = user.ContractPosition_Code
+
+	roles := []string{}
+	switch user.ContractPosition_Code {
+	case erg.CSCEmp:
+		// employee
+		employee := ee.Employee{}
+		dg.I.Where("\"User_Id\" = ?", user.Id).First(&employee)
+		if employee.Id == 0 {
+			return d.FieldErrors{"authentication": d.FieldError{Code: "auth-noEmployee", Message: pl.GenMessage("auth-noEmployee")}}
+		}
+		atClaims["employee_id"] = employee.Id
+		outputData["employee_id"] = employee.Id
+		roles = append(roles, "emp-"+string(*employee.Position_Code))
+
+		// employee position
+		if employee.Id > 0 && employee.Position_Code != nil {
+			atClaims["employee_position_code"] = *employee.Position_Code
+			switch *employee.Position_Code {
+			case erg.EPCDoc:
+				doctor := ed.Doctor{}
+				dg.I.Where("\"Employee_Id\" = ?", employee.Id).First(&doctor)
+				if doctor.Id == 0 {
+					return d.FieldErrors{"authentication": d.FieldError{Code: "auth-noDoctor", Message: pl.GenMessage("auth-noDoctor")}}
+				}
+				atClaims["doctor_code"] = doctor.Code
+				outputData["doctor_code"] = doctor.Code
+
+				// specialist
+				if doctor.Specialist_Code != nil {
+					atClaims["specialist_code"] = doctor.Specialist_Code
+					outputData["specialist_code"] = doctor.Specialist_Code
+				}
+				if doctor.Subspecialist_Code != nil {
+					atClaims["subspecialist_code"] = doctor.Subspecialist_Code
+					outputData["subspecialist_code"] = doctor.Subspecialist_Code
+				}
+			case erg.EPCNur:
+				empData := en.Nurse{}
+				dg.I.Where("\"Employee_Id\" = ?", employee.Id).First(&empData)
+				if empData.Id == 0 {
+					return d.FieldErrors{"authentication": d.FieldError{Code: "auth-noNurse", Message: pl.GenMessage("auth-noNurse")}}
+				}
+				atClaims["nurse_code"] = empData.Code
+				outputData["nurse_code"] = empData.Code
+			case erg.EPCMwi:
+				empData := em.Midwife{}
+				dg.I.Where("\"Employee_Id\" = ?", employee.Id).First(&empData)
+				if empData.Id == 0 {
+					return d.FieldErrors{"authentication": d.FieldError{Code: "auth-noMidwife", Message: pl.GenMessage("auth-noMidwife")}}
+				}
+				atClaims["midwife_code"] = empData.Code
+				outputData["midwife_code"] = empData.Code
+			}
+
+			errorGetPosition := d.FieldErrors{"authentication": d.FieldError{Code: "auth-getData-failed", Message: pl.GenMessage("auth-getData-failed")}}
+
+			// division position
+			divisionPositions, err := getDivisionPosition(employee.Id, &event)
+			if err != nil {
+				return errorGetPosition
+			}
+
+			// installation position
+			installationPositions, err := getInstallationPosition(employee.Id, &event)
+			if err != nil {
+				return errorGetPosition
+			}
+
+			// unit position
+			unitPositions, err := getUnitPosition(employee.Id, &event)
+			if err != nil {
+				return errorGetPosition
+			}
+
+			// specialist position
+			specialistPositions, err := getSpecialistPosition(employee.Id, &event)
+			if err != nil {
+				return errorGetPosition
+			}
+
+			// subspecialist position
+			subspecialistPositions, err := getSubspecialistPosition(employee.Id, &event)
+			if err != nil {
+				return errorGetPosition
+			}
+
+			roles = append(roles, divisionPositions...)
+			roles = append(roles, installationPositions...)
+			roles = append(roles, unitPositions...)
+			roles = append(roles, specialistPositions...)
+			roles = append(roles, subspecialistPositions...)
+			// atClaims["division_positions"] = divsionPositions
+			// outputData["division_positions"] = divsionPositions
+		}
+	case erg.CSCInt:
+		intern := intern.Intern{}
+		dg.I.Where("\"User_Id\" = ?", user.Id).First(&intern)
+		roles = append(roles, "int-"+string(*intern.Position_Code))
+	case erg.CSCSys:
+		roles = append(roles, "system")
+	}
+	atClaims["roles"] = roles
+	outputData["roles"] = roles
+
+	// Generate jwt
+	atSecretKey := authCfg.AtSecretKey
+	at := jwt.NewWithClaims(jwt.SigningMethodHS256, atClaims)
+	ats, err := at.SignedString([]byte(atSecretKey))
+	if err != nil {
+		return d.FieldErrors{"user": d.FieldError{Code: "token-sign-err", Message: pl.GenMessage("token-sign-err")}}
+	}
+	outputData["accessToken"] = ats
+
+	// Save to redis
+	exp, _ := atClaims["exp"].(int64)
+	now := time.Now()
+	atx := time.Unix(exp, 0) //converting Unix to UTC(to Time object)
+	err = ms.I.Set(atClaims["uuid"].(string), strconv.Itoa(int(user.Id)), atx.Sub(now)).Err()
+	if err != nil {
+		panic(fmt.Sprintf(l.I.Msg("redis-store-fail"), err.Error()))
+	}
+
+	return nil
+}